This is an automated email from the ASF dual-hosted git repository.

nikhil pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new c267ee7  RANGER-2618 : Restrict rolename change when a policy & 
another role with that role exist
c267ee7 is described below

commit c267ee7ef05078eea77770f7a4701d3189d05ca1
Author: Nikhil P <[email protected]>
AuthorDate: Thu Oct 17 17:08:17 2019 +0530

    RANGER-2618 : Restrict rolename change when a policy & another role with 
that role exist
---
 .../main/java/org/apache/ranger/biz/RoleDBStore.java | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java 
b/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
index 0854ff2..213639a 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
@@ -122,6 +122,10 @@ public class RoleDBStore implements RoleStore {
             throw restErrorUtil.createRESTException("role with id: " + 
role.getId() + " does not exist");
         }
 
+               if (!role.getName().equals(xxRole.getName())) { // ensure only 
if role name is changed
+                       ensureRoleNameUpdateAllowed(xxRole.getName());
+               }
+
         Gson gsonBuilder = new 
GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z").create();
         RangerRole oldRole = gsonBuilder.fromJson(xxRole.getRoleText(), 
RangerRole.class);
 
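Review bot: The added comparison `role.getName().equals(xxRole.getName())` dereferences the name of the incoming role without a null check, so an update request that carries no name would fail with a NullPointerException instead of a REST error, unless the name is validated earlier in this method, which starts outside the hunk. A null-safe form such as `if (!Objects.equals(role.getName(), xxRole.getName())) {` (from `java.util.Objects`) avoids that, ideally after an explicit rejection of a missing or blank name. The trailing comment would be clearer as `// a rename must not orphan policies or roles that still reference the old name`. Whether this reference check and the later update run in one transaction is not visible here; if they do not, a policy that starts referencing the role in between would still end up pointing at a name that no longer exists.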
@@ -145,7 +149,21 @@ public class RoleDBStore implements RoleStore {
         return role;
     }
 
-    @Override
+       private void ensureRoleNameUpdateAllowed(String roleName) throws 
Exception {
+               boolean roleNotInPolicy = ensureRoleNotInPolicy(roleName);
+               if (!roleNotInPolicy) {
+                       throw new Exception(
+                                       "Rolename for '" + roleName + "' can 
not be updated as it is referenced in one or more policies");
+               }
+
+               boolean roleNotInOtherRole = ensureRoleNotInRole(roleName);
+               if (!roleNotInOtherRole) {
+                       throw new Exception("Rolename for '" + roleName
+                                       + "' can not be updated as it is 
referenced in one or more other roles");
+               }
+       }
+
+       @Override
     public void deleteRole(String roleName) throws Exception {
         XXRole xxRole = daoMgr.getXXRole().findByRoleName(roleName);
         if (xxRole == null) {
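Review bot: `ensureRoleNameUpdateAllowed` throws a bare `Exception` for both refusals, while the not-found path in this class reports through `restErrorUtil.createRESTException(...)`, so a caller probably cannot tell a refused rename from an internal failure. Using the same helper, e.g. `throw restErrorUtil.createRESTException("Rolename for '" + roleName + "' can not be updated as it is referenced in one or more policies");`, would keep the error handling consistent. `ensureRoleNotInPolicy` and `ensureRoleNotInRole` are defined outside the hunk and return a boolean despite the `ensure` prefix, so a short Javadoc on the new method stating that it throws when the role is still referenced by a policy or another role would help the next reader. The added lines, including the re-indented `@Override`, use tabs where the surrounding context uses spaces.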
