This is an automated email from the ASF dual-hosted git repository.
pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 2c8a947 RANGER-2430 : Zoneadmin User is able to create policy for
those services which is not associated to zone
2c8a947 is described below
commit 2c8a947f800d705867f5f6a22e6d738b3c5a3d19
Author: Bhavik Patel <[email protected]>
AuthorDate: Mon May 20 15:49:38 2019 +0530
RANGER-2430 : Zoneadmin User is able to create policy for those services
which is not associated to zone
Signed-off-by: Pradeep <[email protected]>
---
.../ranger/plugin/errors/ValidationErrorCode.java | 1 +
.../model/validation/RangerPolicyValidator.java | 12 ++++
.../validation/TestRangerPolicyValidator.java | 64 ++++++++++++++++++++++
3 files changed, 77 insertions(+)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
index 3111037..800b3c4 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
@@ -98,6 +98,7 @@ public enum ValidationErrorCode {
POLICY_VALIDATION_ERR_POLICY_INVALID_PRIORITY(3030, "Invalid priority
value"),
POLICY_VALIDATION_ERR_UPDATE_ZONE_NAME_NOT_ALLOWED(3032, "Update of Zone
name from={0} to={1} in policy is not supported"),
POLICY_VALIDATION_ERR_NONEXISTANT_ZONE_NAME(3033, "Non-existent Zone
name={0} in policy create"),
+ POLICY_VALIDATION_ERR_SERVICE_NOT_ASSOCIATED_TO_ZONE(3048, "Service name =
{0} is not associated to Zone name = {1}"),
// SECURITY_ZONE Validations
SECURITY_ZONE_VALIDATION_ERR_UNSUPPORTED_ACTION(3034, "Internal error:
unsupported action[{0}]; isValid() is only supported for DELETE"),
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
index 990aab0..5316bae 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
@@ -210,6 +210,18 @@ public class RangerPolicyValidator extends RangerValidator
{
.build());
valid = false;
}
+ List<String> tagSvcList = zone.getTagServices();
+ Set<String> svcNameSet =
zone.getServices().keySet();
+ if(!svcNameSet.contains(serviceName) &&
!tagSvcList.contains(serviceName)){
+ ValidationErrorCode error =
ValidationErrorCode.POLICY_VALIDATION_ERR_SERVICE_NOT_ASSOCIATED_TO_ZONE;
+ failures.add(new
ValidationFailureDetailsBuilder()
+ .field("zoneName")
+
.isSemanticallyIncorrect()
+
.becauseOf(error.getMessage(serviceName, zoneName))
+
.errorCode(error.getErrorCode())
+ .build());
+ valid = false;
+ }
}
if (StringUtils.isBlank(policyName)) {
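Review bot: The added association check calls `zone.getTagServices()` and `zone.getServices().keySet()` directly after the closing brace of the preceding failure branch, with no null guard of its own. That branch's condition and the start of the enclosing block are outside the hunk, but if it is the zone-not-found case (the neighbouring error code 3033 suggests so), a policy naming a non-existent zone would hit a NullPointerException here instead of returning the collected validation failure. Because this check is what keeps a zone admin from creating policies on services outside the zone, it should fail closed and predictably: run it only in an `else` of the zone lookup check (or under `if (zone != null)`). It should also treat a null services map or tag-service list as "not associated", for example `boolean inZone = (svcs != null && svcs.containsKey(serviceName)) || (tagSvcs != null && tagSvcs.contains(serviceName));`. Whether the policy-update path also reaches this block is not visible from the hunk and is worth confirming.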
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
index 2c1de4e..e6d90a4 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
@@ -806,6 +806,70 @@ public class TestRangerPolicyValidator {
_utils.checkFailureForSemanticError(_failures, "policy
resources", "missing mandatory");
}
+ @Test
+ public final void test_isValidServiceWithZone_happyPath() throws
Exception{
+ boolean isAdmin = true;
+ when(_policy.getId()).thenReturn(1L);
+ when(_policy.getName()).thenReturn("my-all");
+ when(_policy.getService()).thenReturn("hdfssvc");
+ when(_policy.getZoneName()).thenReturn("zone1");
+ when(_policy.getResources()).thenReturn(null);
+ when(_policy.getIsAuditEnabled()).thenReturn(Boolean.TRUE);
+ when(_policy.getIsEnabled()).thenReturn(Boolean.FALSE);
+ RangerService service = new RangerService();
+ service.setType("service-type");
+ service.setId(2L);
+ Action action = Action.CREATE;
+ List<String> tagSvcList = new ArrayList<String>();
+ tagSvcList.add("hdfssvc");
+ when(_store.getServiceByName("hdfssvc")).thenReturn(service);
+ RangerSecurityZone securityZone = new RangerSecurityZone();
+ securityZone.setName("zone1");
+ securityZone.setId(1L);
+ securityZone.setTagServices(tagSvcList);
+ when(_store.getSecurityZone("zone1")).thenReturn(securityZone);
+ when(_store.getPolicyId(2L, "my-all", 1L)).thenReturn(null);
+ RangerServiceDef svcDef = new RangerServiceDef();
+ svcDef.setName("my-svc-def");
+
when(_store.getServiceDefByName("service-type")).thenReturn(svcDef);
+ RangerPolicyResourceSignature policySignature =
mock(RangerPolicyResourceSignature.class);
+
when(_factory.createPolicyResourceSignature(_policy)).thenReturn(policySignature);
+ Assert.assertTrue(_validator.isValid(_policy, action, isAdmin,
_failures));
+ }
+
+ @Test
+ public final void test_isValidServiceWithZone_failurePath() throws
Exception{
+ boolean isAdmin = true;
+ when(_policy.getId()).thenReturn(1L);
+ when(_policy.getName()).thenReturn("my-all");
+ when(_policy.getService()).thenReturn("hdfssvc1");
+ when(_policy.getZoneName()).thenReturn("zone1");
+ when(_policy.getResources()).thenReturn(null);
+ when(_policy.getIsAuditEnabled()).thenReturn(Boolean.TRUE);
+ when(_policy.getIsEnabled()).thenReturn(Boolean.FALSE);
+ RangerService service = new RangerService();
+ service.setType("service-type");
+ service.setId(2L);
+ Action action = Action.CREATE;
+ List<String> tagSvcList = new ArrayList<String>();
+ tagSvcList.add("hdfssvc");
+ when(_store.getServiceByName("hdfssvc1")).thenReturn(service);
+ RangerSecurityZone securityZone = new RangerSecurityZone();
+ securityZone.setName("zone1");
+ securityZone.setId(1L);
+ securityZone.setTagServices(tagSvcList);
+ when(_store.getSecurityZone("zone1")).thenReturn(securityZone);
+ when(_store.getPolicyId(2L, "my-all", 1L)).thenReturn(null);
+ RangerServiceDef svcDef = new RangerServiceDef();
+ svcDef.setName("my-svc-def");
+
when(_store.getServiceDefByName("service-type")).thenReturn(svcDef);
+ RangerPolicyResourceSignature policySignature =
mock(RangerPolicyResourceSignature.class);
+
when(_factory.createPolicyResourceSignature(_policy)).thenReturn(policySignature);
+ boolean isValid = _validator.isValid(_policy, action, isAdmin,
_failures);
+ Assert.assertFalse(isValid);
+ Assert.assertEquals(_failures.get(0)._errorCode, 3048);
+ Assert.assertEquals(_failures.get(0)._reason,"Service name =
hdfssvc1 is not associated to Zone name = zone1");
+ }
private ValidationTestUtils _utils = new ValidationTestUtils();
private List<ValidationFailureDetails> _failures = new
ArrayList<ValidationFailureDetails>();
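Review bot: Both new tests associate the service with the zone only through `securityZone.setTagServices(tagSvcList)`, so the `zone.getServices().keySet()` half of the new condition is never exercised. The happy path would still pass if that half were removed or inverted. Add a case where the service is a key in the zone's services map and the tag list is empty, and a case where the zone lookup returns null, so the authorization check is pinned from both sides. In `test_isValidServiceWithZone_failurePath` the `assertEquals` arguments are in (actual, expected) order and the code is a bare literal; `Assert.assertEquals(ValidationErrorCode.POLICY_VALIDATION_ERR_SERVICE_NOT_ASSOCIATED_TO_ZONE.getErrorCode(), _failures.get(0)._errorCode);` reads correctly on failure and survives renumbering (assuming the enum is importable in this test). Asserting on `_failures.get(0)` also assumes the zone failure is the first one recorded, which breaks if an earlier validation step starts reporting for this mock policy.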