This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch RANGER-3923
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/RANGER-3923 by this push:
new 8fe7e5af3 RANGER-4324: enforce ACLs specified in RangerDataSet
8fe7e5af3 is described below
commit 8fe7e5af368cc4765fdceace7ed5f63f2010a040
Author: Prashant Satam <[email protected]>
AuthorDate: Wed Aug 16 14:39:04 2023 +0530
RANGER-4324: enforce ACLs specified in RangerDataSet
Signed-off-by: Madhan Neethiraj <[email protected]>
---
.../java/org/apache/ranger/biz/GdsDBStore.java | 26 ++--
.../ranger/validation/RangerGdsValidator.java | 147 ++++++++++++++-------
2 files changed, 116 insertions(+), 57 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
old mode 100644
new mode 100755
index 1991a3dca..d2bd0789d
--- a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
@@ -31,6 +31,7 @@ import org.apache.ranger.entity.XXGdsDataShareInDataset;
import org.apache.ranger.entity.XXGdsDataset;
import org.apache.ranger.entity.XXGdsDatasetInProject;
import org.apache.ranger.entity.XXGdsProject;
+import org.apache.ranger.plugin.model.RangerGds.GdsPermission;
import org.apache.ranger.plugin.model.RangerGds.RangerDataShare;
import org.apache.ranger.plugin.model.RangerGds.RangerDataShareInDataset;
import org.apache.ranger.plugin.model.RangerGds.RangerDataset;
@@ -60,6 +61,7 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import javax.annotation.PostConstruct;
+
import java.util.*;
import static
org.apache.ranger.db.XXGlobalStateDao.RANGER_GLOBAL_STATE_NAME_DATASET;
@@ -100,7 +102,6 @@ public class GdsDBStore extends AbstractGdsStore {
@Autowired
GUIDUtil guidUtil;
-
@PostConstruct
public void initStore() {
if (LOG.isDebugEnabled()) {
@@ -187,7 +188,10 @@ public class GdsDBStore extends AbstractGdsStore {
RangerDataset ret = datasetService.read(datasetId);
- // TODO: enforce RangerDataset.acl
+
+ if (ret != null && !validator.hasPermission(ret.getAcl(),
GdsPermission.VIEW)) {
+ throw new Exception("no permission on dataset id=" + datasetId);
+ }
LOG.debug("<== getDataset({}): ret={}", datasetId, ret);
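Review bot: The denial path `throw new Exception("no permission on dataset id=" + datasetId)` appears to let a caller without VIEW tell an existing dataset from a missing one, because a missing dataset (`ret == null`) skips the check and takes a different path; the `getDatasetByName` hunk below has the same shape with the dataset name. Consider making the two outcomes indistinguishable to unauthorized callers and throwing a dedicated access-denied exception type instead of a bare `Exception`, so the REST layer can report an authorization failure rather than a generic error (that mapping is not visible here). The throw also skips the `LOG.debug("<== getDataset...")` exit line, so a denied lookup leaves no trace at this level; logging the user and dataset id before the throw would help detection. The method body starts and ends outside the hunk.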
@@ -207,7 +211,9 @@ public class GdsDBStore extends AbstractGdsStore {
RangerDataset ret = datasetService.getPopulatedViewObject(existing);
- // TODO: enforce RangerDataset.acl
+ if (ret != null && !validator.hasPermission(ret.getAcl(),
GdsPermission.VIEW)) {
+ throw new Exception("no permission on dataset name=" + name);
+ }
LOG.debug("<== getDatasetByName({}): ret={}", name, ret);
@@ -222,9 +228,9 @@ public class GdsDBStore extends AbstractGdsStore {
List<String> names = new ArrayList<>();
for (RangerDataset dataset : result.getList()) {
- // TODO: enforce RangerDataset.acl
-
- names.add(dataset.getName());
+ if (dataset != null && validator.hasPermission(dataset.getAcl(),
GdsPermission.LIST)) {
+ names.add(dataset.getName());
+ }
}
PList<String> ret = new PList<>(names, 0, names.size(), names.size(),
names.size(), result.getSortType(), result.getSortBy());
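Review bot: The LIST filter in this loop runs after `result` has already been fetched, so if the underlying search is paged, a page can come back short or empty while more permitted datasets exist, and the `PList` counts are then built from the filtered `names.size()`, which hides that; the `searchDatasets` hunk below has the same shape with VIEW. Each `validator.hasPermission(...)` call also repeats `isAdminUser()`, `getCurrentUserLoginId()` and the group/role lookups once per dataset (see the new method in RangerGdsValidator), so resolving the caller's identity once before the loop would keep the decision consistent across the list and cheaper. Separately, the two `PList` constructors pass `result.getSortType()` and `result.getSortBy()` in opposite orders between this hunk and the next, so one of them is probably swapped.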
@@ -242,9 +248,9 @@ public class GdsDBStore extends AbstractGdsStore {
List<RangerDataset> datasets = new ArrayList<>();
for (RangerDataset dataset : result.getList()) {
- // TODO: enforce RangerDataset.acl
-
- datasets.add(dataset);
+ if (dataset != null && validator.hasPermission(dataset.getAcl(),
GdsPermission.VIEW)) {
+ datasets.add(dataset);
+ }
}
PList<RangerDataset> ret = new PList<>(datasets, 0, datasets.size(),
datasets.size(), datasets.size(), result.getSortBy(), result.getSortType());
@@ -254,7 +260,6 @@ public class GdsDBStore extends AbstractGdsStore {
return ret;
}
-
@Override
public RangerProject createProject(RangerProject project) throws Exception
{
LOG.debug("==> createProject({})", project);
@@ -802,4 +807,5 @@ public class GdsDBStore extends AbstractGdsStore {
}
}
}
+
}
diff --git
a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
old mode 100644
new mode 100755
index 88fc64c98..374ac046d
---
a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
+++
b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
@@ -519,6 +519,46 @@ public class RangerGdsValidator {
LOG.debug("<== validateDelete(dsInProjectId={}, existing={})",
dsInProjectId, existing);
}
+ public boolean hasPermission(RangerGdsObjectACL acl, GdsPermission
permission) {
+ boolean ret = dataProvider.isAdminUser();
+
+ if (!ret && acl != null) {
+ String userName = dataProvider.getCurrentUserLoginId();
+
+ if (acl.getUsers() != null) {
+ ret = isAllowed(acl.getUsers().get(userName), permission);
+ }
+
+ if (!ret && acl.getGroups() != null) {
+ Set<String> userGroups =
dataProvider.getGroupsForUser(userName);
+
+ for (String userGroup : userGroups) {
+ ret = isAllowed(acl.getGroups().get(userGroup),
permission);
+
+ if (ret) {
+ break;
+ }
+ }
+ }
+
+ if (!ret && acl.getRoles() != null) {
+ Set<String> userRoles = dataProvider.getRolesForUser(userName);
+
+ if (userRoles != null) {
+ for (String userRole : userRoles) {
+ ret = isAllowed(acl.getRoles().get(userRole),
permission);
+
+ if (ret) {
+ break;
+ }
+ }
+ }
+ }
+ }
+
+ return ret;
+ }
+
private void validateAcl(RangerGdsObjectACL acl, String fieldName,
ValidationResult result) {
if (acl != null) {
if (MapUtils.isNotEmpty(acl.getUsers())) {
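Review bot: In `hasPermission`, the groups branch iterates `userGroups` without a null check, while the roles branch just below guards with `if (userRoles != null)` and the refactored admin check later in this commit guards both; if `dataProvider.getGroupsForUser(userName)` can return null, this throws a NullPointerException in the middle of an authorization decision. Guard the loop the same way, `if (userGroups != null) { for (String userGroup : userGroups) { ... } }`. Since this is now the public entry point for ACL enforcement, it also deserves a Javadoc comment, e.g. `/** Returns true if the current user is an admin, or if acl grants the given permission (or a stronger one) to the user directly, through a group, or through a role; a null acl grants nothing to non-admins. */`.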
@@ -569,67 +609,34 @@ public class RangerGdsValidator {
boolean isAdmin = false;
if (acl != null) {
- Set<String> userGroups = null;
- Set<String> userRoles = null;
-
if (MapUtils.isNotEmpty(acl.getUsers())) {
- for (Map.Entry<String, GdsPermission> entry :
acl.getUsers().entrySet()) {
- GdsPermission permission = entry.getValue();
-
- if (permission != GdsPermission.ADMIN) {
- continue;
- }
-
- if (StringUtils.equals(userName, entry.getKey())) {
- isAdmin = true;
-
- break;
- }
- }
+ isAdmin = isAllowed(acl.getUsers().get(userName),
GdsPermission.ADMIN);
}
if (!isAdmin && MapUtils.isNotEmpty(acl.getGroups())) {
- for (Map.Entry<String, GdsPermission> entry :
acl.getGroups().entrySet()) {
- String groupName = entry.getKey();
- GdsPermission permission = entry.getValue();
-
- if (permission != GdsPermission.ADMIN) {
- continue;
- }
+ Set<String> userGroups =
dataProvider.getGroupsForUser(userName);
- if (userGroups == null) {
- userGroups = dataProvider.getGroupsForUser(userName);
- }
-
- if (userGroups != null && userGroups.contains(groupName)) {
- isAdmin = true;
+ if (userGroups != null) {
+ for (String userGroup : userGroups) {
+ isAdmin = isAllowed(acl.getGroups().get(userGroup),
GdsPermission.ADMIN);
- break;
+ if (isAdmin) {
+ break;
+ }
}
}
}
if (!isAdmin && MapUtils.isNotEmpty(acl.getRoles())) {
- for (Map.Entry<String, GdsPermission> entry :
acl.getRoles().entrySet()) {
- String roleName = entry.getKey();
- GdsPermission permission = entry.getValue();
+ Set<String> userRoles =
dataProvider.getRolesForUser(userName);
- if (permission != GdsPermission.ADMIN) {
- continue;
- }
+ if (userRoles != null) {
+ for (String userRole : userRoles) {
+ isAdmin = isAllowed(acl.getRoles().get(userRole),
GdsPermission.ADMIN);
- if (userRoles == null) {
- if (userGroups == null) {
- userGroups =
dataProvider.getGroupsForUser(userName);
+ if (isAdmin) {
+ break;
}
-
- userRoles = dataProvider.getRolesForUser(userName);
- }
-
- if (userRoles != null && userRoles.contains(roleName)) {
- isAdmin = true;
-
- break;
}
}
}
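Review bot: The rewritten user/group/role walk here is now the same algorithm as the new `hasPermission(acl, permission)` evaluated with `GdsPermission.ADMIN`, which leaves two copies of the ACL evaluation that can drift; they already differ in the null check on `userGroups`. Consider extracting the shared part into one private helper taking `(acl, userName, permission)` and calling it from both places. Calling `hasPermission` directly from here looks unsafe, because it starts with `dataProvider.isAdminUser()` and resolves the user name itself, which may not match what this method intends. The enclosing method starts and ends outside the hunk, so its name and what it does with `isAdmin` afterwards are not visible.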
@@ -696,6 +703,52 @@ public class RangerGdsValidator {
}
}
+ private boolean isAllowed(GdsPermission hasPermission, GdsPermission
accessPermission) {
+ final boolean ret;
+
+ switch (accessPermission) {
+ case ADMIN:
+ ret = hasPermission == GdsPermission.ADMIN;
+ break;
+
+ case POLICY_ADMIN:
+ ret = hasPermission == GdsPermission.POLICY_ADMIN ||
+ hasPermission == GdsPermission.ADMIN;
+ break;
+
+ case AUDIT:
+ ret = hasPermission == GdsPermission.AUDIT ||
+ hasPermission == GdsPermission.POLICY_ADMIN ||
+ hasPermission == GdsPermission.ADMIN;
+ break;
+
+ case VIEW:
+ ret = hasPermission == GdsPermission.VIEW ||
+ hasPermission == GdsPermission.AUDIT ||
+ hasPermission == GdsPermission.POLICY_ADMIN ||
+ hasPermission == GdsPermission.ADMIN;
+ break;
+
+ case LIST:
+ ret = hasPermission == GdsPermission.LIST ||
+ hasPermission == GdsPermission.VIEW ||
+ hasPermission == GdsPermission.AUDIT ||
+ hasPermission == GdsPermission.POLICY_ADMIN ||
+ hasPermission == GdsPermission.ADMIN;
+ break;
+
+ case NONE:
+ ret = true;
+ break;
+
+ default:
+ ret = false;
+ break;
+ }
+
+ return ret;
+ }
+
public class ValidationResult {
private final List<ValidationFailureDetails> validationFailures = new
ArrayList<>();
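Review bot: `isAllowed` has no comment stating the hierarchy it encodes, and its parameter `hasPermission` collides with the new public method of the same name; suggest renaming to `grantedPermission` / `requiredPermission` and adding `// a grant implies every weaker permission: ADMIN > POLICY_ADMIN > AUDIT > VIEW > LIST`. Two behaviours should be made explicit: `case NONE` returns true even when the granted value is null, and `switch (accessPermission)` throws a NullPointerException when the requested permission is null, so an early `if (accessPermission == null) { return false; }` would make that case fail closed. A `NONE` entry for a user also does not act as a deny, because `hasPermission` goes on to check group and role grants when the user entry does not match; if deny semantics are intended, the caller needs to handle that.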