This is an automated email from the ASF dual-hosted git repository.

madhan pushed a commit to branch RANGER-3923
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit bee247bd42ce542b00cbffe8a27e41180443dfa4
Author: prashant <prashantsatam...@gmail.com>
AuthorDate: Wed Oct 4 16:45:25 2023 +0530

    RANGER-4455: updated RangerGdsValidator to account for permissions assigned 
to public group
    
    Signed-off-by: Madhan Neethiraj <mad...@apache.org>
---
 .../ranger/validation/RangerGdsValidator.java      | 49 +++++++++++++---------
 1 file changed, 30 insertions(+), 19 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
 
b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
index be5ac56e6..d9f204eef 100755
--- 
a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
@@ -22,6 +22,7 @@ import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.common.MessageEnums;
 import org.apache.ranger.common.RESTErrorUtil;
+import org.apache.ranger.common.RangerConstants;
 import org.apache.ranger.plugin.errors.ValidationErrorCode;
 import org.apache.ranger.plugin.model.RangerGds;
 import org.apache.ranger.plugin.model.RangerGds.GdsPermission;
@@ -62,21 +63,23 @@ public class RangerGdsValidator {
 
         GdsPermission permission = GdsPermission.NONE;
 
-               if (acl.getUsers() != null) {
+        if (acl.getUsers() != null) {
             permission = getHigherPrivilegePermission(permission, 
acl.getUsers().get(user));
-               }
+        }
+
+        if (acl.getGroups() != null) {
+            permission = getHigherPrivilegePermission(permission, 
acl.getGroups().get(RangerConstants.GROUP_PUBLIC));
 
-               if (acl.getGroups() != null) {
-                       Set<String> groups = 
dataProvider.getGroupsForUser(user);
+            Set<String> groups = dataProvider.getGroupsForUser(user);
 
             if (CollectionUtils.isNotEmpty(groups)) {
                 for (String group : groups) {
                     permission = getHigherPrivilegePermission(permission, 
acl.getGroups().get(group));
                 }
             }
-               }
+        }
 
-               if (acl.getRoles() != null) {
+        if (acl.getRoles() != null) {
             Set<String> roles = dataProvider.getRolesForUser(user);
 
             if (CollectionUtils.isNotEmpty(roles)) {
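Review bot: The `acl.getGroups().get(RangerConstants.GROUP_PUBLIC)` lookup is applied to every user, independent of what `dataProvider.getGroupsForUser(user)` returns, and nothing in the code says why. Presumably every user is treated as an implicit member of the public group; a comment above the lookup would record that, for example `// public group applies to all users, even when the provider reports no groups for this user`. This matters to anyone auditing the access decision, because the effective permission can now come from an ACL entry the user's own group list never mentions. The method's signature is outside the hunk and its body continues into the next hunk.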
@@ -84,9 +87,9 @@ public class RangerGdsValidator {
                     permission = getHigherPrivilegePermission(permission, 
acl.getRoles().get(role));
                 }
             }
-               }
+        }
 
-               return permission;
+        return permission;
     }
 
     public void validateCreate(RangerDataset dataset) {
@@ -564,13 +567,17 @@ public class RangerGdsValidator {
             }
 
             if (!ret && acl.getGroups() != null) {
-                Set<String> userGroups = 
dataProvider.getGroupsForUser(userName);
+                ret = 
isAllowed(acl.getGroups().get(RangerConstants.GROUP_PUBLIC), permission);
 
-                for (String userGroup : userGroups) {
-                    ret = isAllowed(acl.getGroups().get(userGroup), 
permission);
+                if(!ret) {
+                    Set<String> userGroups = 
dataProvider.getGroupsForUser(userName);
 
-                    if (ret) {
-                        break;
+                    for (String userGroup : userGroups) {
+                        ret = isAllowed(acl.getGroups().get(userGroup), 
permission);
+
+                        if (ret) {
+                            break;
+                        }
                     }
                 }
             }
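Review bot: `dataProvider.getGroupsForUser(userName)` is iterated in the new `if(!ret)` branch without a null check, while the other two call sites in this commit guard the same result (`CollectionUtils.isNotEmpty(groups)` in the first changed method and `if (userGroups != null)` in the hunk at line 655). If the provider can return null for a user with no groups, as those guards suggest, this loop throws a NullPointerException during the access check whenever the public-group entry does not already allow the permission. Wrapping the loop in `if (userGroups != null) {` would make the three sites agree. The enclosing method begins and ends outside the hunk.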
@@ -648,14 +655,18 @@ public class RangerGdsValidator {
             }
 
             if (!isAdmin && MapUtils.isNotEmpty(acl.getGroups())) {
-                Set<String> userGroups = 
dataProvider.getGroupsForUser(userName);
+                isAdmin = 
isAllowed(acl.getGroups().get(RangerConstants.GROUP_PUBLIC), 
GdsPermission.ADMIN);
 
-                if (userGroups != null) {
-                    for (String userGroup : userGroups) {
-                        isAdmin = isAllowed(acl.getGroups().get(userGroup), 
GdsPermission.ADMIN);
+                if (!isAdmin) {
+                    Set<String> userGroups = 
dataProvider.getGroupsForUser(userName);
 
-                        if (isAdmin) {
-                            break;
+                    if (userGroups != null) {
+                        for (String userGroup : userGroups) {
+                            isAdmin = 
isAllowed(acl.getGroups().get(userGroup), GdsPermission.ADMIN);
+
+                            if (isAdmin) {
+                                break;
+                            }
                         }
                     }
                 }
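Review bot: The consequence of the new first check should be documented at this point: an ACL entry that grants `GdsPermission.ADMIN` to `RangerConstants.GROUP_PUBLIC` now sets `isAdmin` to true for every user before any group membership is consulted. A comment such as `// public group applies to all users: an ADMIN grant here makes every caller an admin of this object` would make that visible to reviewers of the authorization path. The same public-then-user-groups sequence is now written out three times (here, in the hunk at line 567 and in the first changed method), so a small private helper would keep them from drifting apart; the null handling of `getGroupsForUser` already differs between them. Whether `userName` can be empty when this code runs is not visible in the hunk; if it can, confirm that the public-group grant is meant to apply in that case too.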
