This is an automated email from the ASF dual-hosted git repository.

madhan pushed a commit to branch ranger-2.3
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.3 by this push:
     new 9ae7256  RANGER-3676: support {OWNER} macro in tag-based policies
9ae7256 is described below

commit 9ae72563d717ecdfe736918a4f255c7c68155901
Author: Madhan Neethiraj <[email protected]>
AuthorDate: Mon Mar 21 12:09:42 2022 -0700

    RANGER-3676: support {OWNER} macro in tag-based policies
    
    (cherry picked from commit 0d076a0bae37fda198350faee09188be1673c010)
---
 .../plugin/policyengine/RangerTagAccessRequest.java      |  7 ++++---
 .../ranger/plugin/policyengine/RangerTagResource.java    |  6 ++++++
 .../test_policyengine_tag_hive_filebased.json            | 16 +++++++++++++++-
 3 files changed, 25 insertions(+), 4 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
index ebe85e9..4b2d706 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
@@ -31,8 +31,11 @@ import java.util.Map;
 public class RangerTagAccessRequest extends RangerAccessRequestImpl {
        private final RangerPolicyResourceMatcher.MatchType matchType;
        public RangerTagAccessRequest(RangerTagForEval resourceTag, 
RangerServiceDef tagServiceDef, RangerAccessRequest request) {
+               String owner = request.getResource() != null ? 
request.getResource().getOwnerUser() : null;
+
                matchType = resourceTag.getMatchType();
-               super.setResource(new RangerTagResource(resourceTag.getType(), 
tagServiceDef));
+
+               super.setResource(new RangerTagResource(resourceTag.getType(), 
tagServiceDef, owner));
                super.setUser(request.getUser());
                super.setUserGroups(request.getUserGroups());
                super.setUserRoles(request.getUserRoles());
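Review bot: The `owner` value is now handed to `RangerTagResource` unconditionally, while the later `setOwnerInContext` call (second hunk, L50-L65, which only moves the declaration) still guards with `StringUtils.isNotEmpty(owner)`; an empty-string owner therefore ends up on the tag resource but not in the context, and how the `{OWNER}` macro matcher treats `""` versus `null` cannot be seen from here. If the matcher does not normalize, consider `String owner = request.getResource() != null ? StringUtils.trimToNull(request.getResource().getOwnerUser()) : null;` so both consumers see the same value. The intent of the move deserves a why-comment on the new line, e.g. `// propagate the owner of the tagged resource so {OWNER} in tag-based policies resolves against it`. The constructor body continues past the end of this hunk.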
@@ -47,8 +50,6 @@ public class RangerTagAccessRequest extends 
RangerAccessRequestImpl {
                
RangerAccessRequestUtil.setCurrentResourceInContext(request.getContext(), 
request.getResource());
                
RangerAccessRequestUtil.setCurrentUserInContext(request.getContext(), 
request.getUser());
 
-               String owner = request.getResource() != null ? 
request.getResource().getOwnerUser() : null;
-
                if (StringUtils.isNotEmpty(owner)) {
                        
RangerAccessRequestUtil.setOwnerInContext(request.getContext(), owner);
                }
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java
index 39e190c..b6ab66b 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java
@@ -30,4 +30,10 @@ public class RangerTagResource extends 
RangerAccessResourceImpl {
                super.setValue(KEY_TAG, tagType);
                super.setServiceDef(tagServiceDef);
        }
+
+       public RangerTagResource(String tagType, RangerServiceDef 
tagServiceDef, String ownerUser) {
+               super.setValue(KEY_TAG, tagType);
+               super.setServiceDef(tagServiceDef);
+               super.setOwnerUser(ownerUser);
+       }
 }
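Review bot: The new three-argument constructor repeats the two-argument body verbatim; delegating keeps the two in step if the tag resource setup changes, e.g. `this(tagType, tagServiceDef);` followed by `super.setOwnerUser(ownerUser);`. The constructor also lacks Javadoc: a `@param ownerUser` line should state that this is the owner of the underlying resource the tag is attached to, that it is used to resolve the `{OWNER}` macro in tag-based policies, and that callers may pass `null` when the resource has no owner. Whether `setOwnerUser(null)` is a no-op or clears a previously set value in `RangerAccessResourceImpl` is not visible in this hunk, so the null case should be confirmed and documented.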
diff --git 
a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
 
b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
index fad08e7..b3ca12e 100644
--- 
a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
+++ 
b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
@@ -201,7 +201,7 @@
         ]
         ,
         "denyExceptions":[
-          
{"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", 
"user1"],"groups":[],"delegateAdmin":false,
+          
{"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1", 
"{OWNER}"],"groups":[],"delegateAdmin":false,
             "conditions":[{
               "type":"expression",
               "values":["if ( ctx.isAccessedBefore('activation_date') ) 
ctx.result = true;"]
@@ -277,6 +277,20 @@
       },
       "result":{"isAudited":true,"isAllowed":false,"policyId":4}
     },
+    {"name":"ALLOW 'select address from employee.personal;' for user2, the 
{OWNER}, using RESTRICTED-FINAL tag",
+      "request":{
+        "resource":{"elements":{"database":"employee", "table":"personal", 
"column":"address"}, "ownerUser": "user2"},
+        
"accessType":"select","user":"user2","userGroups":[],"requestData":"select 
address from employee.personal;' for user2"
+      },
+      "result":{"isAudited":true,"isAllowed":true,"policyId":101}
+    },
+    {"name":"DENY 'select address from employee.personal;' for user3, 
owner=user2, using RESTRICTED-FINAL tag",
+      "request":{
+        "resource":{"elements":{"database":"employee", "table":"personal", 
"column":"address"}, "ownerUser": "user2"},
+        
"accessType":"select","user":"user3","userGroups":[],"requestData":"select 
address from employee.personal;' for user2"
+      },
+      "result":{"isAudited":true,"isAllowed":false,"policyId":4}
+    },
     {"name":"ALLOW 'select name from employee.personal;' for user1 - no tag",
       "request":{
         "resource":{"elements":{"database":"employee", "table":"personal", 
"column":"name"}},
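Review bot: The DENY case for user3 carries `"requestData":"select address from employee.personal;' for user2"`, copied from the preceding user2 case; it should read `"requestData":"select address from employee.personal;' for user3"` so audit output in a failing run points at the right test. The two new cases together do cover both sides of the `{OWNER}` macro (owner allowed via policy 101, non-owner denied via policy 4), which is the right shape for this change.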
