This is an automated email from the ASF dual-hosted git repository.

madhan pushed a commit to branch RANGER-3923
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/RANGER-3923 by this push:
     new a370f46d2 RANGER-4324: updated dataset retrieval API to enforce acl
a370f46d2 is described below

commit a370f46d2845ccb0f486a8fd9d3f5e2ebac45e6b
Author: Subhrat Chaudhary <such...@yahoo.com>
AuthorDate: Wed Sep 13 00:25:09 2023 -0700

    RANGER-4324: updated dataset retrieval API to enforce acl
    
    Signed-off-by: Madhan Neethiraj <mad...@apache.org>
---
 .../apache/ranger/plugin/util/SearchFilter.java    |  1 +
 .../java/org/apache/ranger/biz/GdsDBStore.java     | 27 +++++++++++++++++++++-
 .../org/apache/ranger/common/RangerSearchUtil.java |  1 +
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java
index 440bb4c24..1a1a78064 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java
@@ -111,6 +111,7 @@ public class SearchFilter {
        public static final String OWNER_TYPE               = "ownerType";      
      // search: valid-values(user, group, role)
        public static final String DATA_SHARE_IN_DATASET_ID = 
"dataShareInDatasetId"; // search, sort
        public static final String DATASET_IN_PROJECT_ID    = 
"datasetInProjectId";   // search, sort
+       public static final String GDS_PERMISSION           = "gdsPermission";  
 // search, sort
 
        private Map<String, String> params;
        private int                 startIndex;
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java 
b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
index d2bd0789d..55c8495e4 100755
--- a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
@@ -244,11 +244,30 @@ public class GdsDBStore extends AbstractGdsStore {
     public PList<RangerDataset> searchDatasets(SearchFilter filter) throws 
Exception {
         LOG.debug("==> searchDatasets({})", filter);
 
+        String        gdsPermissionStr = 
filter.getParam(SearchFilter.GDS_PERMISSION);
+        GdsPermission gdsPermission    = null;
+
+        if (StringUtils.isNotEmpty(gdsPermissionStr)) {
+            try {
+                gdsPermission = GdsPermission.valueOf(gdsPermissionStr);
+            } catch (IllegalArgumentException ex) {
+                LOG.info("Ignoring invalid GdsPermission: {}", 
gdsPermissionStr);
+            }
+        }
+
+        if (gdsPermission == null) {
+            gdsPermission = GdsPermission.VIEW;
+        }
+
         RangerDatasetList   result   = datasetService.searchDatasets(filter);
         List<RangerDataset> datasets = new ArrayList<>();
 
         for (RangerDataset dataset : result.getList()) {
-            if (dataset != null && validator.hasPermission(dataset.getAcl(), 
GdsPermission.VIEW)) {
+            if (dataset != null && validator.hasPermission(dataset.getAcl(), 
gdsPermission)) {
+                if (gdsPermission.equals(GdsPermission.LIST)) {
+                    scrubForListing(dataset);
+                }
+
                 datasets.add(dataset);
             }
         }
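Review bot: The permission level for the ACL check in searchDatasets is now taken from the caller-supplied `gdsPermission` request parameter (copied in by the RangerSearchUtil hunk), and `GdsPermission.valueOf` accepts every constant of the enum, yet scrubbing runs only when the value equals `LIST`. If the enum holds any level that `hasPermission` treats as weaker than VIEW other than LIST itself (not visible in this diff), a caller could request it and receive the ACL, options and additional info unscrubbed. Basing the scrub on what the caller actually holds rather than on what was requested closes that gap: `if (!validator.hasPermission(dataset.getAcl(), GdsPermission.VIEW)) { scrubForListing(dataset); }`. The rejected value is also written verbatim to the log at INFO, so it is worth stripping line breaks from it or lowering the message to DEBUG. searchDatasets continues past the end of this hunk.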
@@ -260,6 +279,12 @@ public class GdsDBStore extends AbstractGdsStore {
         return ret;
     }
 
+    private void scrubForListing(RangerDataset dataset) {
+        dataset.setAcl(null);
+        dataset.setOptions(null);
+        dataset.setAdditionalInfo(null);
+    }
+
     @Override
     public RangerProject createProject(RangerProject project) throws Exception 
{
         LOG.debug("==> createProject({})", project);
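Review bot: `scrubForListing` hides data by clearing three named fields, so any field later added to RangerDataset would be returned to LIST-level callers by default. Copying only the fields meant for listing into a fresh RangerDataset would fail closed; whether the remaining fields are all safe to list cannot be judged from this hunk. The method also mutates the object returned by `datasetService.searchDatasets` in place, which is only safe if that object is not shared or cached elsewhere. At minimum the method should carry a comment such as `/** Clears fields a LIST-only caller must not see; extend when RangerDataset gains a sensitive field. */`. The createProject body that follows is outside the hunk.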
diff --git 
a/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 
b/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java
index 059954b46..51da7d15d 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java
@@ -109,6 +109,7 @@ public class RangerSearchUtil extends SearchUtil {
                ret.setParam(SearchFilter.PROFILE_NAME, 
request.getParameter(SearchFilter.PROFILE_NAME));
                ret.setParam(SearchFilter.OWNER_NAME, 
request.getParameter(SearchFilter.OWNER_NAME));
                ret.setParam(SearchFilter.OWNER_TYPE, 
request.getParameter(SearchFilter.OWNER_TYPE));
+               ret.setParam(SearchFilter.GDS_PERMISSION, 
request.getParameter(SearchFilter.GDS_PERMISSION));
 
                extractCommonCriteriasForFilter(request, ret, sortFields);
 
