This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new b1a493290 RANGER-4023: fixed implicit addition of userStoreEnricher
for references to user/group attributes in dataMask expressions
b1a493290 is described below
commit b1a493290f137e52398b86006bf551e5e073906d
Author: Subhrat Chaudhary <[email protected]>
AuthorDate: Sun May 21 11:22:33 2023 -0700
RANGER-4023: fixed implicit addition of userStoreEnricher for references to
user/group attributes in dataMask expressions
Signed-off-by: Madhan Neethiraj <[email protected]>
---
.../apache/ranger/plugin/util/ServiceDefUtil.java | 16 ++++++++++++
.../ranger/plugin/util/ServiceDefUtilTest.java | 29 ++++++++++++++++++++++
2 files changed, 45 insertions(+)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
index 4808dfd83..01c4a8283 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
@@ -28,8 +28,10 @@ import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
import
org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo;
+import
org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicyDelta;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef;
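Review bot: The two added imports break the alphabetical order the rest of this import block keeps: `import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;` belongs before the `RangerPolicyItemRowFilterInfo` import, and `import org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem;` before the `RangerPolicy.RangerPolicyItem` import. Keeping the order consistent avoids a later reformat-only diff on this file.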
@@ -687,6 +689,20 @@ public class ServiceDefUtil {
ret =
RangerRequestExprResolver.hasUserGroupAttributeInExpression(filterExpr);
}
+
+ if (!ret && policyItem instanceof RangerDataMaskPolicyItem) {
+ RangerDataMaskPolicyItem dataMaskPolicyItem =
(RangerDataMaskPolicyItem) policyItem;
+ RangerPolicyItemDataMaskInfo dataMaskInfo =
dataMaskPolicyItem.getDataMaskInfo();
+ String maskedValue = dataMaskInfo
!= null ? dataMaskInfo.getValueExpr() : null;
+
+ ret =
RangerRequestExprResolver.hasUserGroupAttributeInExpression(maskedValue);
+
+ if (!ret) {
+ String maskCondition = dataMaskInfo != null ?
dataMaskInfo.getConditionExpr() : null;
+
+ ret =
RangerRequestExprResolver.hasUserGroupAttributeInExpression(maskCondition);
+ }
+ }
}
return ret;
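Review bot: The new `if (!ret && policyItem instanceof RangerDataMaskPolicyItem)` branch null-checks `dataMaskInfo` twice and resolves each field in a separate statement, which can be folded into one guarded expression: `RangerPolicyItemDataMaskInfo dataMaskInfo = ((RangerDataMaskPolicyItem) policyItem).getDataMaskInfo();` followed by `ret = dataMaskInfo != null && (RangerRequestExprResolver.hasUserGroupAttributeInExpression(dataMaskInfo.getValueExpr()) || RangerRequestExprResolver.hasUserGroupAttributeInExpression(dataMaskInfo.getConditionExpr()));`. That is equivalent to the added code only if `hasUserGroupAttributeInExpression(null)` returns false, which the existing rowFilter call above already appears to rely on, so worth confirming before collapsing it. Because a reference missed here means the userStoreEnricher is never registered and the mask expression is later evaluated without user/group attributes, the branch deserves a comment such as `// both the mask value expression and its condition expression may reference user/group attributes; a missed reference leaves the userStoreEnricher unregistered`. The accompanying test in ServiceDefUtilTest places the attribute reference only in the mask value expression (the condition argument is `""`), so the `getConditionExpr()` path added here appears untested and should get a case where the reference sits in the condition alone. The enclosing method begins before this hunk and its closing lines lie beyond it.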
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/util/ServiceDefUtilTest.java
b/agents-common/src/test/java/org/apache/ranger/plugin/util/ServiceDefUtilTest.java
index 3cd42f44f..03aebb220 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/util/ServiceDefUtilTest.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/util/ServiceDefUtilTest.java
@@ -252,6 +252,35 @@ public class ServiceDefUtilTest {
}
}
+ @Test
+ public void testPolicyItemDataMaskExprUserGroupRef() {
+ for (String attrExpr : UGA_ATTR_EXPRESSIONS) {
+ String filterExpr = "${{" + attrExpr + "}}";
+ ServicePolicies svcPolicies = getServicePolicies();
+ RangerPolicy policy = getPolicy(svcPolicies);
+
+
policy.getDataMaskPolicyItems().get(0).setDataMaskInfo(new
RangerPolicyItemDataMaskInfo("CUSTOM", "", "CASE WHEN dept in (" + filterExpr +
")THEN {col} ELSE '0' END"));
+
+ svcPolicies.getPolicies().add(policy);
+ assertTrue("policy data-mask refers to user/group
attribute: " + filterExpr,
ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies,
RangerAdminUserStoreRetriever.class.getCanonicalName(), "60000"));
+
+
svcPolicies.getServiceDef().getContextEnrichers().clear();
+ svcPolicies.getPolicies().clear();
+ svcPolicies.getPolicyDeltas().add(new
RangerPolicyDelta(1L, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE, 1L,
policy));
+ assertTrue("policy-delta data-mask refers to user/group
attribute: " + filterExpr,
ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies,
RangerAdminUserStoreRetriever.class.getCanonicalName(), "60000"));
+
+
svcPolicies.getServiceDef().getContextEnrichers().clear();
+ svcPolicies.getPolicyDeltas().clear();
+ svcPolicies.getSecurityZones().put("zone1",
getSecurityZoneInfo("zone1"));
+
svcPolicies.getSecurityZones().get("zone1").getPolicies().add(policy);
+ assertTrue("zone-policy data-mask refers to user/group
attribute: " + filterExpr,
ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies,
RangerAdminUserStoreRetriever.class.getCanonicalName(), "60000"));
+
+
svcPolicies.getServiceDef().getContextEnrichers().clear();
+
svcPolicies.getSecurityZones().get("zone1").getPolicies().clear();
+
svcPolicies.getSecurityZones().get("zone1").getPolicyDeltas().add(new
RangerPolicyDelta(1L, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE, 1L,
policy));
+ assertTrue("zone-policy-delta data-mask refers to
user/group attribute: " + filterExpr,
ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies,
RangerAdminUserStoreRetriever.class.getCanonicalName(), "60000"));
+ }
+ }
private ServicePolicies getServicePolicies() {
ServicePolicies ret = new ServicePolicies();