Repository: ranger Updated Branches: refs/heads/ranger-1.1 327bd905b -> 452bf480c
RANGER-2207: Allow resources to appear in column mask policies without being visible in access policies Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/452bf480 Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/452bf480 Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/452bf480 Branch: refs/heads/ranger-1.1 Commit: 452bf480cb27c11db3beed058d45094d51b25edb Parents: 327bd90 Author: Abhay Kulkarni <akulka...@hortonworks.com> Authored: Fri Oct 12 16:45:44 2018 -0700 Committer: Abhay Kulkarni <akulka...@hortonworks.com> Committed: Fri Oct 12 17:14:13 2018 -0700 ---------------------------------------------------------------------- .../plugin/errors/ValidationErrorCode.java | 1 + .../validation/RangerServiceDefHelper.java | 12 ++++++++ .../validation/RangerServiceDefValidator.java | 32 ++++++++++++++++++++ .../plugin/service/RangerBaseService.java | 2 +- .../ranger/plugin/util/ServiceDefUtil.java | 8 +++-- .../TestRangerServiceDefValidator.java | 24 +++++++++++++++ .../ranger/services/hdfs/RangerServiceHdfs.java | 2 +- .../scripts/models/BackboneFormDataType.js | 13 +++++--- .../src/main/webapp/scripts/utils/XAUtils.js | 16 ++++++++++ 9 files changed, 100 insertions(+), 10 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/452bf480/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java index 3cd7876..9b9ccd1 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 
@@ -63,6 +63,7 @@ public enum ValidationErrorCode { SERVICE_DEF_VALIDATION_ERR_ENUM_DEF_NULL_ENUM_ELEMENT(2020, "An enum element in enum element collection of enum [{0}] is null"), SERVICE_DEF_VALIDATION_ERR_INVALID_SERVICE_RESOURCE_LEVELS(2021, "Resource-def levels are not in increasing order in an hierarchy"), SERVICE_DEF_VALIDATION_ERR_NOT_LOWERCASE_NAME(2022, "{0}:[{1}] Invalid resource name. Resource name should consist of only lowercase, hyphen or underscore characters"), + SERVICE_DEF_VALIDATION_ERR_INVALID_MANADORY_VALUE_FOR_SERVICE_RESOURCE(2023, "{0} cannot be mandatory because {1}(parent) is not mandatory"), // POLICY VALIDATION POLICY_VALIDATION_ERR_UNSUPPORTED_ACTION(3001, "Internal error: method signature isValid(Long) is only supported for DELETE"), http://git-wip-us.apache.org/repos/asf/ranger/blob/452bf480/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java index 6cb55c2..6df5d8d 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java 
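Review bot: The new constant misspells MANDATORY as `MANADORY`, and because enum constant names are referenced by callers it is cheapest to correct before release: `SERVICE_DEF_VALIDATION_ERR_INVALID_MANDATORY_VALUE_FOR_SERVICE_RESOURCE(2023, ...)`. The message labels `{1}` as "(parent)", but the validator hunk in RangerServiceDefValidator.java passes the name of any optional resource found earlier in the hierarchy, which may be a more distant ancestor. Wording such as `"{0} cannot be mandatory because its ancestor {1} is not mandatory"` would match what is actually reported.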
@@ -183,6 +183,18 @@ public class RangerServiceDefHelper { return _delegate.getResourceHierarchies(policyType); } + public Set<List<RangerResourceDef>> filterHierarchies_containsOnlyMandatoryResources(Integer policyType) { + Set<List<RangerResourceDef>> hierarchies = getResourceHierarchies(policyType); + Set<List<RangerResourceDef>> result = new HashSet<List<RangerResourceDef>>(hierarchies.size()); + for (List<RangerResourceDef> aHierarchy : hierarchies) { + Set<String> mandatoryResources = getMandatoryResourceNames(aHierarchy); + if (aHierarchy.size() == mandatoryResources.size()) { + result.add(aHierarchy); + } + } + return result; + } + public Set<List<RangerResourceDef>> getResourceHierarchies(Integer policyType, Collection<String> keys) { Set<List<RangerResourceDef>> ret = new HashSet<List<RangerResourceDef>>(); http://git-wip-us.apache.org/repos/asf/ranger/blob/452bf480/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefValidator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefValidator.java index 45821e8..6a1b3e1 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefValidator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefValidator.java 
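Review bot: `filterHierarchies_containsOnlyMandatoryResources` is a new public method with no Javadoc, and its underscore name departs from lowerCamelCase. Its callers in this commit use it to decide which hierarchies receive a default policy, so the contract deserves a doc comment, e.g. `/** Returns the hierarchies for policyType in which every resource is mandatory. */`. The test `aHierarchy.size() == mandatoryResources.size()` equals "all resources are mandatory" only if getMandatoryResourceNames (defined outside this hunk) yields one distinct name per mandatory resource. A short comment stating that assumption, `// names are unique within a hierarchy, so equal sizes means all are mandatory`, would keep a later change from silently widening or narrowing the set of default policies.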
@@ -599,6 +599,38 @@ public class RangerServiceDefValidator extends RangerValidator { } } } + // If a resource is not mandatory, then it cannot be non-leaf in any hierarchy (RANGER-2207) + List<RangerResourceDef> resources = serviceDef.getResources(); + List<String> resourceNames = new ArrayList<>(resources.size()); + for (RangerResourceDef resourceDef : resources) { + resourceNames.add(resourceDef.getName()); + } + for (String resourceName : resourceNames) { + for (int policyType : RangerPolicy.POLICY_TYPES) { + Set<List<RangerResourceDef>> hierarchies = defHelper.getResourceHierarchies(policyType); + for (List<RangerResourceDef> aHierarchy : hierarchies) { + boolean foundOptionalResource = false; + for (RangerResourceDef resourceDef : aHierarchy) { + if (!foundOptionalResource) { + if (resourceDef.getName().equalsIgnoreCase(resourceName) && !Boolean.TRUE.equals(resourceDef.getMandatory())) { + foundOptionalResource = true; + } + } else { + if (Boolean.TRUE.equals(resourceDef.getMandatory())) { + valid = false; + ValidationErrorCode error = ValidationErrorCode.SERVICE_DEF_VALIDATION_ERR_INVALID_MANADORY_VALUE_FOR_SERVICE_RESOURCE; + failures.add(new ValidationFailureDetailsBuilder() + .field(resourceDef.getName()) + .isSemanticallyIncorrect() + .errorCode(error.getErrorCode()) + .becauseOf(error.getMessage(resourceDef.getName(), resourceName)) + .build()); + } + } + } + } + } + } if(LOG.isDebugEnabled()) { LOG.debug(String.format("<== RangerServiceDefValidator.isValidResourceGraph(%s, %s): %s", serviceDef, failures, valid)); http://git-wip-us.apache.org/repos/asf/ranger/blob/452bf480/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java index 342b381..8d4e16f 100644 
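Review bot: The outer `for (String resourceName : resourceNames)` loop re-walks every hierarchy once per resource name, so a mandatory resource below two optional ancestors is reported twice, and the pass also dereferences `serviceDef.getResources()` without a null check (whether an earlier guard exists is not visible in this hunk). A single walk per hierarchy that remembers the first optional resource flags the same resources without building the name list, assuming hierarchy lists are ordered root to leaf as the existing order-dependent logic implies. The leading comment is also inaccurate: the code accepts an optional non-leaf as long as everything below it is optional, so it should read along the lines of `// A mandatory resource must not appear below a non-mandatory one in any hierarchy (RANGER-2207)`. The enclosing isValidResourceGraph body starts outside the hunk.

```java
for (int policyType : RangerPolicy.POLICY_TYPES) {
    for (List<RangerResourceDef> aHierarchy : defHelper.getResourceHierarchies(policyType)) {
        // first non-mandatory resource seen while walking the hierarchy in order
        RangerResourceDef firstOptional = null;
        for (RangerResourceDef resourceDef : aHierarchy) {
            boolean isMandatory = Boolean.TRUE.equals(resourceDef.getMandatory());
            if (firstOptional == null) {
                if (!isMandatory) {
                    firstOptional = resourceDef;
                }
            } else if (isMandatory) {
                valid = false;
                // … unchanged: build and add the failure, passing firstOptional.getName() as the second message argument …
            }
        }
    }
}
```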
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java @@ -125,7 +125,7 @@ public abstract class RangerBaseService { try { // we need to create one policy for each resource hierarchy RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef); - for (List<RangerServiceDef.RangerResourceDef> aHierarchy : serviceDefHelper.getResourceHierarchies(RangerPolicy.POLICY_TYPE_ACCESS)) { + for (List<RangerServiceDef.RangerResourceDef> aHierarchy : serviceDefHelper.filterHierarchies_containsOnlyMandatoryResources(RangerPolicy.POLICY_TYPE_ACCESS)) { RangerPolicy policy = getDefaultPolicy(aHierarchy); if (policy != null) { ret.add(policy); http://git-wip-us.apache.org/repos/asf/ranger/blob/452bf480/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java index f8994a7..e91fbff 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java @@ -261,7 +261,10 @@ public class ServiceDefUtil { private static RangerResourceDef mergeResourceDef(RangerResourceDef base, RangerResourceDef delta) { RangerResourceDef ret = new RangerResourceDef(base); - // retain base values for: itemId, name, type, level, parent, mandatory, lookupSupported + // retain base values for: itemId, name, type, level, parent, lookupSupported + + if(Boolean.TRUE.equals(delta.getMandatory())) + ret.setMandatory(delta.getMandatory()); if(delta.getRecursiveSupported() != null) ret.setRecursiveSupported(delta.getRecursiveSupported()); 
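Review bot: The retained comment `// we need to create one policy for each resource hierarchy` no longer describes the loop, because hierarchies containing any non-mandatory resource are now skipped and receive no default policy. Which hierarchies get a default policy determines the initial authorization state of a newly created service, so the comment should state the rule, e.g. `// create one default policy per hierarchy whose resources are all mandatory; hierarchies with optional resources get none`. The same applies to the loop changed in RangerServiceHdfs.java, where the keyadmin audit policy is now built only for such hierarchies. Both method bodies start and end outside their hunks.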
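Review bot: The new `mandatory` merge is one-directional and the updated comment does not say so: a delta can raise `mandatory` to true, but a delta value of false or null leaves the base value in place. A comment such as `// delta may only promote a resource to mandatory; false/null keeps the base value` would record the intent. It is also worth confirming, since it is not visible here, that the merged definition still passes through the RANGER-2207 ordering check added in this commit. Promoting a child while its parent stays optional yields exactly the shape the validator rejects. mergeResourceDef continues outside the hunk.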
@@ -288,8 +291,7 @@ public class ServiceDefUtil { if(StringUtils.isNotEmpty(delta.getValidationMessage())) ret.setValidationMessage(delta.getValidationMessage()); - if(StringUtils.isNotEmpty(delta.getUiHint())) - ret.setUiHint(delta.getUiHint()); + ret.setUiHint(delta.getUiHint()); if(StringUtils.isNotEmpty(delta.getLabel())) ret.setLabel(delta.getLabel()); http://git-wip-us.apache.org/repos/asf/ranger/blob/452bf480/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefValidator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefValidator.java b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefValidator.java index f4e29c7..810d5bc 100644 --- a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefValidator.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefValidator.java 
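Review bot: `ret.setUiHint(delta.getUiHint());` is now unconditional, so a delta resource-def whose uiHint is null or empty wipes the base value instead of inheriting it. The neighbouring validationMessage and label merges keep their `isNotEmpty` guards. If clearing is the intent (presumably so a data-mask definition can drop a hint such as hideIfNull), say so at the call, e.g. `// uiHint always comes from delta so that a delta can clear hints set on the base def`. Otherwise existing deltas that relied on inheriting the base hint lose it silently.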
@@ -491,6 +491,30 @@ public class TestRangerServiceDefValidator { _failures.clear(); assertFalse("Graph was valid!", _validator.isValidResourceGraph(_serviceDef, _failures)); assertFalse(_failures.isEmpty()); _utils.checkFailureForSemanticError(_failures, "resource graph"); + + data_bad = new Object[][] { + // { name, excludesSupported, recursiveSupported, mandatory, reg-exp, parent-level, level } + { "db", null, null, null, null, "" , -10 }, // -ve level is ok + { "table", null, null, true, null, "db", 0 }, // 0 level is ok; mandatory true here, but not at parent level? + { "column", null, null, null, null, "table", 10 }, // level is null! + { "udf", null, null, null, null, "db", 0 }, // should not conflict as it belong to a different hierarchy + }; + resourceDefs = _utils.createResourceDefs(data_bad); + when(_serviceDef.getResources()).thenReturn(resourceDefs); + _failures.clear(); assertFalse(_validator.isValidResourceGraph(_serviceDef, _failures)); + assertFalse(_failures.isEmpty()); + + data_good = new Object[][] { + // { name, excludesSupported, recursiveSupported, mandatory, reg-exp, parent-level, level } + { "db", null, null, true, null, "" , -10 }, // -ve level is ok + { "table", null, null, null, null, "db", 0 }, // 0 level is ok; mandatory true here, but not at parent level? + { "column", null, null, null, null, "table", 10 }, // level is null! + { "udf", null, null, true, null, "db", 0 }, // should not conflict as it belong to a different hierarchy + }; + resourceDefs = _utils.createResourceDefs(data_good); + when(_serviceDef.getResources()).thenReturn(resourceDefs); + _failures.clear(); assertTrue(_validator.isValidResourceGraph(_serviceDef, _failures)); + assertTrue(_failures.isEmpty()); } @Test http://git-wip-us.apache.org/repos/asf/ranger/blob/452bf480/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java ---------------------------------------------------------------------- 
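Review bot: The negative case asserts only `assertFalse(_failures.isEmpty())`, so it passes for any failure the graph check emits and does not pin the new rule. Since the validator records the failure with `.field(resourceDef.getName())` and `isSemanticallyIncorrect()`, adding `_utils.checkFailureForSemanticError(_failures, "table");` would tie the test to the RANGER-2207 check. The row comments were copied from earlier fixtures and now mislead: `// level is null!` sits on rows whose level is 10, and `// mandatory true here, but not at parent level?` appears in data_good on a row whose mandatory value is null. The test method starts outside the hunk.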
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java b/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java index 22ecabf..f89d14b 100644 --- a/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java +++ b/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java @@ -145,7 +145,7 @@ public class RangerServiceHdfs extends RangerBaseService { try { // we need to create one policy for keyadmin user for audit to HDFS RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef); - for (List<RangerServiceDef.RangerResourceDef> aHierarchy : serviceDefHelper.getResourceHierarchies(RangerPolicy.POLICY_TYPE_ACCESS)) { + for (List<RangerServiceDef.RangerResourceDef> aHierarchy : serviceDefHelper.filterHierarchies_containsOnlyMandatoryResources(RangerPolicy.POLICY_TYPE_ACCESS)) { RangerPolicy policy = getPolicyForKMSAudit(aHierarchy); if (policy != null) { ret.add(policy); http://git-wip-us.apache.org/repos/asf/ranger/blob/452bf480/security-admin/src/main/webapp/scripts/models/BackboneFormDataType.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/models/BackboneFormDataType.js b/security-admin/src/main/webapp/scripts/models/BackboneFormDataType.js index 1329eb2..22a418d 100644 --- a/security-admin/src/main/webapp/scripts/models/BackboneFormDataType.js +++ b/security-admin/src/main/webapp/scripts/models/BackboneFormDataType.js @@ -48,7 +48,6 @@ define(function(require) { return configs; } } - configs = _.sortBy(configs, function(m){ return m.itemId }); return configs; }; var getValidators = function(formObj, v){ 
@@ -70,8 +69,13 @@ define(function(require) { }; //Get configs for perticular policy type - configs = getResourceConfigs(configs) - + configs = getResourceConfigs(configs); + configs = _.sortBy(configs, function(m){ return m.itemId }); + configs = _.filter(configs, function(m){ + if(! _.isUndefined(m.uiHint) && ! XAUtils.hideIfNull(m, form)){ + return m; + } + }) var samelevelFieldCreated = []; _.each(configs, function(v, k,config) { if (v != null) { @@ -89,10 +93,9 @@ define(function(require) { } break; } - if($.inArray(v.parent, samelevelFieldCreated) >= 0){ + if($.inArray(v.parent, samelevelFieldCreated) >= 0){ return; } - if( isPolicyForm ){ var resourceOpts = {}; formObj.type = 'Resource'; http://git-wip-us.apache.org/repos/asf/ranger/blob/452bf480/security-admin/src/main/webapp/scripts/utils/XAUtils.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/utils/XAUtils.js b/security-admin/src/main/webapp/scripts/utils/XAUtils.js index d9366a1..bb88ec3 100644 --- a/security-admin/src/main/webapp/scripts/utils/XAUtils.js +++ b/security-admin/src/main/webapp/scripts/utils/XAUtils.js @@ -1262,6 +1262,22 @@ define(function(require) { } return singleValue; }; + XAUtils.hideIfNull = function(obj, form){ + //resorces hide show + var hideIfNull = false; + if(!_.isEmpty(obj.uiHint)){ + var UIHint = JSON.parse(obj.uiHint); + if(!_.isUndefined(form.model.get('resources')) && !_.isEmpty(form.model.get('resources')) && + _.has(form.model.get('resources'), obj.name)){ + hideIfNull = false; + }else{ + if(!_.isUndefined(UIHint.hideIfNull) && ! obj.mandatory){ + hideIfNull = UIHint.hideIfNull; + } + } + } + return hideIfNull; + }; XAUtils.getBaseUrl = function (){ if(!window.location.origin){ window.location.origin = window.location.protocol + "//" + window.location.hostname + (window.location.port ? ':' + window.location.port: '');
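Review bot: The `_.filter` predicate drops every resource whose `uiHint` is undefined, not only those that ask to be hidden, so a resource-def serialized without a uiHint field would vanish from the policy form. Whether the server omits null fields is not visible here, but ServiceDefUtil in this same commit can now set uiHint to null. `XAUtils.hideIfNull` already returns false for an empty hint, so the predicate can be `return !XAUtils.hideIfNull(m, form);`, which also returns a boolean instead of the object or undefined. If dropping hint-less resources is intended, a comment should say why. The statement is also missing its terminating `;` after `})`.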
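Review bot: `JSON.parse(obj.uiHint)` in `XAUtils.hideIfNull` is unguarded, so a service definition carrying a malformed uiHint string throws inside the filter and prevents the policy form from rendering for that service. Failing open to "not hidden" keeps the form usable: `try { UIHint = JSON.parse(obj.uiHint); } catch (e) { return false; }`. The function returns `UIHint.hideIfNull` as-is, so a non-boolean value in the hint leaks into the caller's truthiness test; `hideIfNull = UIHint.hideIfNull === true;` would make the contract explicit. The comment `//resorces hide show` should read `// decide whether an optional resource is hidden when the policy has no value for it`.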