This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch RANGER-3923 in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/RANGER-3923 by this push: new a370f46d2 RANGER-4324: updated dataset retrieval API to enforce acl a370f46d2 is described below commit a370f46d2845ccb0f486a8fd9d3f5e2ebac45e6b Author: Subhrat Chaudhary <such...@yahoo.com> AuthorDate: Wed Sep 13 00:25:09 2023 -0700 RANGER-4324: updated dataset retrieval API to enforce acl Signed-off-by: Madhan Neethiraj <mad...@apache.org> --- .../apache/ranger/plugin/util/SearchFilter.java | 1 + .../java/org/apache/ranger/biz/GdsDBStore.java | 27 +++++++++++++++++++++- .../org/apache/ranger/common/RangerSearchUtil.java | 1 + 3 files changed, 28 insertions(+), 1 deletion(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java index 440bb4c24..1a1a78064 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java @@ -111,6 +111,7 @@ public class SearchFilter { public static final String OWNER_TYPE = "ownerType"; // search: valid-values(user, group, role) public static final String DATA_SHARE_IN_DATASET_ID = "dataShareInDatasetId"; // search, sort public static final String DATASET_IN_PROJECT_ID = "datasetInProjectId"; // search, sort + public static final String GDS_PERMISSION = "gdsPermission"; // search, sort private Map<String, String> params; private int startIndex; diff --git a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java index d2bd0789d..55c8495e4 100755 --- a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java @@ -244,11 +244,30 @@ public class GdsDBStore extends AbstractGdsStore { public PList<RangerDataset> searchDatasets(SearchFilter filter) throws Exception { LOG.debug("==> searchDatasets({})", filter); + String gdsPermissionStr = filter.getParam(SearchFilter.GDS_PERMISSION); + GdsPermission gdsPermission = null; + + if (StringUtils.isNotEmpty(gdsPermissionStr)) { + try { + gdsPermission = GdsPermission.valueOf(gdsPermissionStr); + } catch (IllegalArgumentException ex) { + LOG.info("Ignoring invalid GdsPermission: {}", gdsPermissionStr); + } + } + + if (gdsPermission == null) { + gdsPermission = GdsPermission.VIEW; + } + RangerDatasetList result = datasetService.searchDatasets(filter); List<RangerDataset> datasets = new ArrayList<>(); for (RangerDataset dataset : result.getList()) { - if (dataset != null && validator.hasPermission(dataset.getAcl(), GdsPermission.VIEW)) { + if (dataset != null && validator.hasPermission(dataset.getAcl(), gdsPermission)) { + if (gdsPermission.equals(GdsPermission.LIST)) { + scrubForListing(dataset); + } + datasets.add(dataset); } } @@ -260,6 +279,12 @@ public class GdsDBStore extends AbstractGdsStore { return ret; } + private void scrubForListing(RangerDataset dataset) { + dataset.setAcl(null); + dataset.setOptions(null); + dataset.setAdditionalInfo(null); + } + @Override public RangerProject createProject(RangerProject project) throws Exception { LOG.debug("==> createProject({})", project); diff --git a/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java b/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java index 059954b46..51da7d15d 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java @@ -109,6 +109,7 @@ public class RangerSearchUtil extends SearchUtil { ret.setParam(SearchFilter.PROFILE_NAME, request.getParameter(SearchFilter.PROFILE_NAME)); ret.setParam(SearchFilter.OWNER_NAME, request.getParameter(SearchFilter.OWNER_NAME)); ret.setParam(SearchFilter.OWNER_TYPE, request.getParameter(SearchFilter.OWNER_TYPE)); + ret.setParam(SearchFilter.GDS_PERMISSION, request.getParameter(SearchFilter.GDS_PERMISSION)); extractCommonCriteriasForFilter(request, ret, sortFields);