This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch RANGER-3923 in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 809ba9be73754b9d0abeaf5a6b561488d2cb3f37 Author: Madhan Neethiraj <mad...@apache.org> AuthorDate: Fri Oct 6 01:16:14 2023 -0700 RANGER-4462: dataShare update/delete should be allowed for users with service-admin/zone-admin privilege as well --- .../src/main/python/sample_gds_client.py | 7 +- .../java/org/apache/ranger/biz/GdsDBStore.java | 130 ++++++++++++--------- .../ranger/validation/RangerGdsValidator.java | 129 ++++++++++---------- 3 files changed, 145 insertions(+), 121 deletions(-) diff --git a/ranger-examples/sample-client/src/main/python/sample_gds_client.py b/ranger-examples/sample-client/src/main/python/sample_gds_client.py index 890b2a2d8..ceca4ac02 100644 --- a/ranger-examples/sample-client/src/main/python/sample_gds_client.py +++ b/ranger-examples/sample-client/src/main/python/sample_gds_client.py @@ -109,7 +109,7 @@ hdfs_resource_1 = gds.add_shared_resource(hdfs_resource_1) print(f' created shared resource: {hdfs_resource_1}') -dshid_1 = RangerDataShareInDataset({ 'dataShareId': hive_share_1.id, 'datasetId': dataset_1.id, 'status': GdsShareStatus.GRANTED, 'validitySchedule': { 'startTime': '2023/01/01', 'endTime': '2023/04/01' } }) +dshid_1 = RangerDataShareInDataset({ 'dataShareId': hive_share_1.id, 'datasetId': dataset_1.id, 'status': GdsShareStatus.REQUESTED, 'validitySchedule': { 'startTime': '2023/01/01', 'endTime': '2023/04/01' } }) dshid_2 = RangerDataShareInDataset({ 'dataShareId': hdfs_share_1.id, 'datasetId': dataset_2.id, 'status': GdsShareStatus.REQUESTED }) print(f'Adding data_share_in_dataset: ') 
@@ -120,6 +120,11 @@ print(f'Adding data_share_in_dataset: ') dshid_2 = gds.add_data_share_in_dataset(dshid_2) print(f' created data_share_in_dataset: {dshid_2}') +print(f'Updating data_share_in_dataset: id={dshid_1.id}') +dshid_1.status = GdsShareStatus.GRANTED +dshid_1 = gds.update_data_share_in_dataset(dshid_1.id, dshid_1) +print(f' updated data_share_in_dataset: {dshid_1}') + print(f'Updating data_share_in_dataset: id={dshid_1.id}') dshid_1.status = GdsShareStatus.ACTIVE dshid_1 = gds.update_data_share_in_dataset(dshid_1.id, dshid_1) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java index 8a2b7f6c5..6a37da62a 100755 --- a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java @@ -169,7 +169,7 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public RangerDataset createDataset(RangerDataset dataset) throws Exception { + public RangerDataset createDataset(RangerDataset dataset) { LOG.debug("==> createDataset({})", dataset); validator.validateCreate(dataset); @@ -196,7 +196,7 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public RangerDataset updateDataset(RangerDataset dataset) throws Exception { + public RangerDataset updateDataset(RangerDataset dataset) { LOG.debug("==> updateDataset({})", dataset); RangerDataset existing = null; 
@@ -234,12 +234,14 @@ public class GdsDBStore extends AbstractGdsStore { validator.validateDelete(datasetId, existing); - deleteDatasetPolicies(existing); - datasetService.delete(existing); + if (existing != null) { + deleteDatasetPolicies(existing); + datasetService.delete(existing); - datasetService.createObjectHistory(null, existing, RangerServiceService.OPERATION_DELETE_CONTEXT); + datasetService.createObjectHistory(null, existing, RangerServiceService.OPERATION_DELETE_CONTEXT); - updateGlobalVersion(RANGER_GLOBAL_STATE_NAME_DATASET); + updateGlobalVersion(RANGER_GLOBAL_STATE_NAME_DATASET); + } LOG.debug("<== deleteDataset({})", datasetId); } @@ -282,7 +284,7 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public PList<String> getDatasetNames(SearchFilter filter) throws Exception { + public PList<String> getDatasetNames(SearchFilter filter) { LOG.debug("==> getDatasetNames({})", filter); PList<RangerDataset> datasets = searchDatasets(filter); @@ -302,7 +304,7 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public PList<RangerDataset> searchDatasets(SearchFilter filter) throws Exception { + public PList<RangerDataset> searchDatasets(SearchFilter filter) { LOG.debug("==> searchDatasets({})", filter); PList<RangerDataset> ret = getUnscrubbedDatasets(filter); @@ -452,7 +454,7 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public RangerProject createProject(RangerProject project) throws Exception { + public RangerProject createProject(RangerProject project) { LOG.debug("==> createProject({})", project); validator.validateCreate(project); @@ -479,7 +481,7 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public RangerProject updateProject(RangerProject project) throws Exception { + public RangerProject updateProject(RangerProject project) { LOG.debug("==> updateProject({})", project); RangerProject existing = null; 
@@ -517,12 +519,14 @@ public class GdsDBStore extends AbstractGdsStore { validator.validateDelete(projectId, existing); - deleteProjectPolicies(existing); - projectService.delete(existing); + if (existing != null) { + deleteProjectPolicies(existing); + projectService.delete(existing); - projectService.createObjectHistory(null, existing, RangerServiceService.OPERATION_DELETE_CONTEXT); + projectService.createObjectHistory(null, existing, RangerServiceService.OPERATION_DELETE_CONTEXT); - updateGlobalVersion(RANGER_GLOBAL_STATE_NAME_PROJECT); + updateGlobalVersion(RANGER_GLOBAL_STATE_NAME_PROJECT); + } LOG.debug("<== deleteProject({})", projectId); } @@ -533,7 +537,9 @@ public class GdsDBStore extends AbstractGdsStore { RangerProject ret = projectService.read(projectId); - // TODO: enforce RangerProject.acl + if (ret != null && !validator.hasPermission(ret.getAcl(), GdsPermission.VIEW)) { + throw new Exception("no permission on project id=" + projectId); + } LOG.debug("<== getProject({}): ret={}", projectId, ret); @@ -553,7 +559,9 @@ public class GdsDBStore extends AbstractGdsStore { RangerProject ret = projectService.getPopulatedViewObject(existing); - // TODO: enforce RangerProject.acl + if (ret != null && !validator.hasPermission(ret.getAcl(), GdsPermission.VIEW)) { + throw new Exception("no permission on project name=" + name); + } LOG.debug("<== getProjectByName({}): ret={}", name, ret); @@ -561,7 +569,7 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public PList<String> getProjectNames(SearchFilter filter) throws Exception { + public PList<String> getProjectNames(SearchFilter filter) { LOG.debug("==> getProjectNames({})", filter); PList<RangerProject> projects = searchProjects(filter); 
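Review bot: The new VIEW check in getProject, and the identical one in getProjectByName, throws a bare `Exception`, whereas the policy methods in this file deny access with `restErrorUtil.create403RESTException(...)`. A generic exception is likely to reach the client as something other than a 403, and it makes denied reads hard to tell apart from server faults in logs; suggest `throw restErrorUtil.create403RESTException(<message constant>);` in both places. Because the check only runs when `ret != null`, the outcome also differs between a missing project and one the caller may not view, so an unauthorized caller can tell which ids and names exist; consider returning the same result for both cases. Both method bodies begin outside these hunks.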
@@ -581,19 +589,23 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public PList<RangerProject> searchProjects(SearchFilter filter) throws Exception { + public PList<RangerProject> searchProjects(SearchFilter filter) { LOG.debug("==> searchProjects({})", filter); - int maxRows = filter.getMaxRows(); + int maxRows = filter.getMaxRows(); int startIndex = filter.getStartIndex(); + filter.setStartIndex(0); filter.setMaxRows(0); - RangerProjectList result = projectService.searchProjects(filter); - List<RangerProject> projects = new ArrayList<>(); + GdsPermission gdsPermission = getGdsPermissionFromFilter(filter); + RangerProjectList result = projectService.searchProjects(filter); + List<RangerProject> projects = new ArrayList<>(); for (RangerProject project : result.getList()) { - // TODO: enforce RangerProject.acl + if (gdsPermission.equals(GdsPermission.LIST)) { + scrubProjectForListing(project); + } projects.add(project); } @@ -695,7 +707,7 @@ public class GdsDBStore extends AbstractGdsStore { RangerProject project = projectService.read(projectId); if (!validator.hasPermission(project.getAcl(), GdsPermission.AUDIT)) { - throw restErrorUtil.create403RESTException(NOT_AUTHORIZED_TO_VIEW_DATASET_POLICIES); + throw restErrorUtil.create403RESTException(NOT_AUTHORIZED_TO_VIEW_PROJECT_POLICIES); } XXGdsProjectPolicyMap existing = daoMgr.getXXGdsProjectPolicyMap().getProjectPolicyMap(projectId, policyId); @@ -720,7 +732,7 @@ public class GdsDBStore extends AbstractGdsStore { RangerProject project = projectService.read(projectId); if (!validator.hasPermission(project.getAcl(), GdsPermission.AUDIT)) { - throw restErrorUtil.create403RESTException(NOT_AUTHORIZED_TO_VIEW_DATASET_POLICIES); + throw restErrorUtil.create403RESTException(NOT_AUTHORIZED_TO_VIEW_PROJECT_POLICIES); } List<Long> policyIds = daoMgr.getXXGdsProjectPolicyMap().getProjectPolicyIds(projectId); 
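Review bot: The loop in searchProjects adds every project returned by `projectService.searchProjects(filter)` to the result and only scrubs it when the filter's permission is LIST, so no per-project ACL check decides whether the caller may see the entry at all. A request whose filter carries any other permission receives `acl`, `options` and `additionalInfo` unscrubbed. Unless the service call already filters by the caller's privileges (not visible in this hunk), the removed `TODO: enforce RangerProject.acl` is still open here, while getProject now requires VIEW. Suggest gating the add with `if (!validator.hasPermission(project.getAcl(), gdsPermission)) { continue; }` before the scrub. Writing the comparison as `GdsPermission.LIST.equals(gdsPermission)` also avoids a NullPointerException if getGdsPermissionFromFilter can return null.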
@@ -740,7 +752,7 @@ public class GdsDBStore extends AbstractGdsStore { @Override - public RangerDataShare createDataShare(RangerDataShare dataShare) throws Exception { + public RangerDataShare createDataShare(RangerDataShare dataShare) { LOG.debug("==> createDataShare({})", dataShare); validator.validateCreate(dataShare); @@ -767,7 +779,7 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public RangerDataShare updateDataShare(RangerDataShare dataShare) throws Exception { + public RangerDataShare updateDataShare(RangerDataShare dataShare) { LOG.debug("==> updateDataShare({})", dataShare); RangerDataShare existing = null; @@ -792,7 +804,7 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public void deleteDataShare(Long dataShareId, boolean forceDelete) throws Exception { + public void deleteDataShare(Long dataShareId, boolean forceDelete) { LOG.debug("==> deleteDataShare(dataShareId: {}, forceDelete: {})", dataShareId, forceDelete); RangerDataShare existing = null; @@ -810,17 +822,19 @@ public class GdsDBStore extends AbstractGdsStore { removeSharedResourcesForDataShare(dataShareId); } - dataShareService.delete(existing); + if (existing != null) { + dataShareService.delete(existing); - dataShareService.createObjectHistory(null, existing, RangerServiceService.OPERATION_DELETE_CONTEXT); + dataShareService.createObjectHistory(null, existing, RangerServiceService.OPERATION_DELETE_CONTEXT); - updateGlobalVersion(RANGER_GLOBAL_STATE_NAME_DATA_SHARE); + updateGlobalVersion(RANGER_GLOBAL_STATE_NAME_DATA_SHARE); + } LOG.debug("<== deleteDataShare(dataShareId: {}, forceDelete: {})", dataShareId, forceDelete); } @Override - public RangerDataShare getDataShare(Long dataShareId) throws Exception { + public RangerDataShare getDataShare(Long dataShareId) { LOG.debug("==> getDataShare({})", dataShareId); RangerDataShare ret = dataShareService.read(dataShareId); 
@@ -833,7 +847,7 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public PList<RangerDataShare> searchDataShares(SearchFilter filter) throws Exception { + public PList<RangerDataShare> searchDataShares(SearchFilter filter) { LOG.debug("==> searchDataShares({})", filter); int maxRows = filter.getMaxRows(); @@ -860,7 +874,7 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public RangerSharedResource addSharedResource(RangerSharedResource resource) throws Exception { + public RangerSharedResource addSharedResource(RangerSharedResource resource) { LOG.debug("==> addSharedResource({})", resource); validator.validateCreate(resource); @@ -879,7 +893,7 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public RangerSharedResource updateSharedResource(RangerSharedResource resource) throws Exception { + public RangerSharedResource updateSharedResource(RangerSharedResource resource) { LOG.debug("==> updateSharedResource({})", resource); RangerSharedResource existing = null; @@ -902,7 +916,7 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public void removeSharedResource(Long sharedResourceId) throws Exception { + public void removeSharedResource(Long sharedResourceId) { LOG.debug("==> removeSharedResource({})", sharedResourceId); 
@@ -916,15 +930,17 @@ public class GdsDBStore extends AbstractGdsStore { validator.validateDelete(sharedResourceId, existing); - sharedResourceService.delete(existing); + if (existing != null) { + sharedResourceService.delete(existing); - sharedResourceService.createObjectHistory(null, existing, RangerServiceService.OPERATION_DELETE_CONTEXT); + sharedResourceService.createObjectHistory(null, existing, RangerServiceService.OPERATION_DELETE_CONTEXT); + } LOG.debug("<== removeSharedResource({})", sharedResourceId); } @Override - public RangerSharedResource getSharedResource(Long sharedResourceId) throws Exception { + public RangerSharedResource getSharedResource(Long sharedResourceId) { LOG.debug("==> getSharedResource({})", sharedResourceId); RangerSharedResource ret = sharedResourceService.read(sharedResourceId); @@ -937,7 +953,7 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public PList<RangerSharedResource> searchSharedResources(SearchFilter filter) throws Exception { + public PList<RangerSharedResource> searchSharedResources(SearchFilter filter) { LOG.debug("==> searchSharedResources({})", filter); int maxRows = filter.getMaxRows(); @@ -975,7 +991,7 @@ public class GdsDBStore extends AbstractGdsStore { throw new Exception("data share '" + dataShareInDataset.getDataShareId() + "' already shared with dataset " + dataShareInDataset.getDatasetId() + " - id=" + existing.getId()); } - // TODO: enforce RangerDataShareInDataset.acl + validator.validateCreate(dataShareInDataset); if (StringUtils.isBlank(dataShareInDataset.getGuid())) { dataShareInDataset.setGuid(guidUtil.genGUID()); 
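Review bot: In the addDataShareInDataset hunk, `validator.validateCreate(dataShareInDataset)` runs only after the duplicate check, whose exception message includes the data share id, the dataset id and the id of the existing link. A caller who would fail validation can therefore still learn whether the pair is already linked and under which id. Calling the validator before the duplicate check closes that gap; the addDatasetInProject hunk has the same ordering with `validator.validateCreate(datasetInProject)`. The method starts above the hunk, so the lookup that produces `existing` is not visible here.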
@@ -991,12 +1007,12 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public RangerDataShareInDataset updateDataShareInDataset(RangerDataShareInDataset dataShareInDataset) throws Exception { + public RangerDataShareInDataset updateDataShareInDataset(RangerDataShareInDataset dataShareInDataset) { LOG.debug("==> updateDataShareInDataset({})", dataShareInDataset); RangerDataShareInDataset existing = dataShareInDatasetService.read(dataShareInDataset.getId()); - // TODO: enforce RangerDataShareInDataset.acl + validator.validateUpdate(dataShareInDataset, existing); RangerDataShareInDataset ret = dataShareInDatasetService.update(dataShareInDataset); @@ -1008,12 +1024,12 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public void removeDataShareInDataset(Long dataShareInDatasetId) throws Exception { + public void removeDataShareInDataset(Long dataShareInDatasetId) { LOG.debug("==> removeDataShareInDataset({})", dataShareInDatasetId); RangerDataShareInDataset existing = dataShareInDatasetService.read(dataShareInDatasetId); - // TODO: enforce RangerDataShareInDataset.acl + validator.validateDelete(dataShareInDatasetId, existing); dataShareInDatasetService.delete(existing); @@ -1023,7 +1039,7 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public RangerDataShareInDataset getDataShareInDataset(Long dataShareInDatasetId) throws Exception { + public RangerDataShareInDataset getDataShareInDataset(Long dataShareInDatasetId) { LOG.debug("==> getDataShareInDataset({})", dataShareInDatasetId); RangerDataShareInDataset ret = dataShareInDatasetService.read(dataShareInDatasetId); 
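Review bot: removeDataShareInDataset calls `dataShareInDatasetService.delete(existing)` directly after `validator.validateDelete(dataShareInDatasetId, existing)`, without the `if (existing != null)` guard that this commit adds to deleteDataset, deleteProject, deleteDataShare and removeSharedResource. removeDatasetInProject has the same shape. If the guard is needed in those methods because validateDelete can return normally for a missing object, it is needed here as well: `if (existing != null) { dataShareInDatasetService.delete(existing); ... }`. If validateDelete always throws on a missing object, a one-line comment at the guarded sites saying so would keep the two styles from looking like an oversight. The method bodies continue past the hunk.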
@@ -1034,7 +1050,7 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public PList<RangerDataShareInDataset> searchDataShareInDatasets(SearchFilter filter) throws Exception { + public PList<RangerDataShareInDataset> searchDataShareInDatasets(SearchFilter filter) { LOG.debug("==> searchDataShareInDatasets({})", filter); int maxRows = filter.getMaxRows(); @@ -1071,7 +1087,7 @@ public class GdsDBStore extends AbstractGdsStore { throw new Exception("dataset '" + datasetInProject.getDatasetId() + "' already shared with project " + datasetInProject.getProjectId() + " - id=" + existing.getId()); } - // TODO: enforce RangerDatasetInProject.acl + validator.validateCreate(datasetInProject); if (StringUtils.isBlank(datasetInProject.getGuid())) { datasetInProject.setGuid(guidUtil.genGUID()); @@ -1087,12 +1103,12 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public RangerDatasetInProject updateDatasetInProject(RangerDatasetInProject datasetInProject) throws Exception { + public RangerDatasetInProject updateDatasetInProject(RangerDatasetInProject datasetInProject) { LOG.debug("==> updateDatasetInProject({})", datasetInProject); RangerDatasetInProject existing = datasetInProjectService.read(datasetInProject.getId()); - // TODO: enforce RangerDatasetInProject.acl + validator.validateUpdate(datasetInProject, existing); RangerDatasetInProject ret = datasetInProjectService.update(datasetInProject); @@ -1104,12 +1120,12 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public void removeDatasetInProject(Long datasetInProjectId) throws Exception { + public void removeDatasetInProject(Long datasetInProjectId) { LOG.debug("==> removeDatasetInProject({})", datasetInProjectId); RangerDatasetInProject existing = datasetInProjectService.read(datasetInProjectId); - // TODO: enforce RangerDatasetInProject.acl + validator.validateDelete(datasetInProjectId, existing); datasetInProjectService.delete(existing); 
@@ -1119,7 +1135,7 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public RangerDatasetInProject getDatasetInProject(Long datasetInProjectId) throws Exception { + public RangerDatasetInProject getDatasetInProject(Long datasetInProjectId) { LOG.debug("==> getDatasetInProject({})", datasetInProjectId); RangerDatasetInProject ret = datasetInProjectService.read(datasetInProjectId); @@ -1132,7 +1148,7 @@ public class GdsDBStore extends AbstractGdsStore { } @Override - public PList<RangerDatasetInProject> searchDatasetInProjects(SearchFilter filter) throws Exception { + public PList<RangerDatasetInProject> searchDatasetInProjects(SearchFilter filter) { LOG.debug("==> searchDatasetInProjects({})", filter); int maxRows = filter.getMaxRows(); @@ -1273,7 +1289,7 @@ public class GdsDBStore extends AbstractGdsStore { return ret; } - private PList<RangerDataset> getUnscrubbedDatasets(SearchFilter filter) throws Exception { + private PList<RangerDataset> getUnscrubbedDatasets(SearchFilter filter) { int maxRows = filter.getMaxRows(); int startIndex = filter.getStartIndex(); @@ -1322,6 +1338,12 @@ public class GdsDBStore extends AbstractGdsStore { dataset.setAdditionalInfo(null); } + private void scrubProjectForListing(RangerProject project) { + project.setAcl(null); + project.setOptions(null); + project.setAdditionalInfo(null); + } + private void removeDshInDsForDataShare(Long dataShareId) { SearchFilter filter = new SearchFilter(SearchFilter.DATA_SHARE_ID, dataShareId.toString()); RangerDataShareInDatasetList dshInDsList = dataShareInDatasetService.searchDataShareInDatasets(filter); diff --git a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java index d9f204eef..95ef62cfa 100755 --- a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java 
+++ b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java @@ -56,42 +56,6 @@ public class RangerGdsValidator { this.dataProvider = dataProvider; } - public GdsPermission getGdsPermissionForUser(RangerGds.RangerGdsObjectACL acl, String user) { - if (dataProvider.isAdminUser()) { - return GdsPermission.ADMIN; - } - - GdsPermission permission = GdsPermission.NONE; - - if (acl.getUsers() != null) { - permission = getHigherPrivilegePermission(permission, acl.getUsers().get(user)); - } - - if (acl.getGroups() != null) { - permission = getHigherPrivilegePermission(permission, acl.getGroups().get(RangerConstants.GROUP_PUBLIC)); - - Set<String> groups = dataProvider.getGroupsForUser(user); - - if (CollectionUtils.isNotEmpty(groups)) { - for (String group : groups) { - permission = getHigherPrivilegePermission(permission, acl.getGroups().get(group)); - } - } - } - - if (acl.getRoles() != null) { - Set<String> roles = dataProvider.getRolesForUser(user); - - if (CollectionUtils.isNotEmpty(roles)) { - for (String role : roles) { - permission = getHigherPrivilegePermission(permission, acl.getRoles().get(role)); - } - } - } - - return permission; - } - public void validateCreate(RangerDataset dataset) { LOG.debug("==> validateCreate(dataset={})", dataset); @@ -119,10 +83,7 @@ public class RangerGdsValidator { if (existing == null) { result.addValidationFailure(new ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATASET_NAME_NOT_FOUND, "name", dataset.getName())); } else { - if (!dataProvider.isAdminUser()) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "dataset", existing.getName(), existing.getAcl(), result); - } - + validateDatasetAdmin(existing, result); validateAcl(dataset.getAcl(), "acl", result); } 
@@ -141,9 +102,7 @@ public class RangerGdsValidator { if (existing == null) { result.addValidationFailure(new ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATASET_ID_NOT_FOUND, "id", datasetId)); } else { - if (!dataProvider.isAdminUser()) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "dataset", existing.getName(), existing.getAcl(), result); - } + validateDatasetAdmin(existing, result); } if (!result.isSuccess()) { @@ -180,10 +139,7 @@ public class RangerGdsValidator { if (existing == null) { result.addValidationFailure(new ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_PROJECT_NAME_NOT_FOUND, "name", project.getName())); } else { - if (!dataProvider.isAdminUser()) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "project", existing.getName(), existing.getAcl(), result); - } - + validateProjectAdmin(existing, result); validateAcl(project.getAcl(), "acl", result); } @@ -202,9 +158,7 @@ public class RangerGdsValidator { if (existing == null) { result.addValidationFailure(new ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_PROJECT_ID_NOT_FOUND, "id", projectId)); } else { - if (!dataProvider.isAdminUser()) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "project", existing.getName(), existing.getAcl(), result); - } + validateProjectAdmin(existing, result); } if (!result.isSuccess()) { 
@@ -245,10 +199,7 @@ public class RangerGdsValidator { if (existing == null) { result.addValidationFailure(new ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATA_SHARE_NAME_NOT_FOUND, "name", dataShare.getName())); } else { - if (!dataProvider.isAdminUser()) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", existing.getName(), existing.getAcl(), result); - } - + validateDataShareAdmin(existing, result); validateAcl(dataShare.getAcl(), "acl", result); validateAccessTypes(dataShare.getService(), "defaultAccessTypes", dataShare.getDefaultAccessTypes(), result); validateMaskTypes(dataShare.getService(), "defaultMasks", dataShare.getDefaultMasks(), result); @@ -269,9 +220,7 @@ public class RangerGdsValidator { if (existing == null) { result.addValidationFailure(new ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATA_SHARE_ID_NOT_FOUND, "id", dataShareId)); } else { - if (!dataProvider.isAdminUser()) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", existing.getName(), existing.getAcl(), result); - } + validateDataShareAdmin(existing, result); } if (!result.isSuccess()) { @@ -295,9 +244,7 @@ public class RangerGdsValidator { if (existing != null) { result.addValidationFailure(new ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_SHARED_RESOURCE_NAME_CONFLICT, "name", resource.getName(), dataShare.getName(), existing)); } else { - if (!dataProvider.isAdminUser() && !dataProvider.isServiceAdmin(dataShare.getService()) && !dataProvider.isZoneAdmin(dataShare.getZone())) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", dataShare.getName(), dataShare.getAcl(), result); - } + validateDataShareAdmin(dataShare, result); } } 
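Review bot: In validateUpdate for a data share, the service-admin/zone-admin privilege is checked against `existing` only, while the next lines validate access types and masks against the incoming `dataShare.getService()`, which suggests the request may carry a different service or zone than the stored object. Now that update is open to service and zone admins, a caller who administers the current service could repoint the data share at a service or zone they do not administer, unless that is rejected elsewhere (not visible in this hunk). Consider rejecting a changed service or zone, or additionally calling `validateDataShareAdmin(dataShare, result);` on the incoming object when either differs from `existing`. The method begins above the hunk.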
@@ -321,9 +268,7 @@ public class RangerGdsValidator { if (dataShare == null) { result.addValidationFailure(new ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATA_SHARE_ID_NOT_FOUND, "dataShareId", resource.getDataShareId())); } else { - if (!dataProvider.isAdminUser() && !dataProvider.isServiceAdmin(dataShare.getService()) && !dataProvider.isZoneAdmin(dataShare.getZone())) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", dataShare.getName(), dataShare.getAcl(), result); - } + validateDataShareAdmin(dataShare, result); } } @@ -347,9 +292,7 @@ public class RangerGdsValidator { if (dataShare == null) { result.addValidationFailure(new ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATA_SHARE_ID_NOT_FOUND, "dataShareId", existing.getDataShareId())); } else { - if (!dataProvider.isAdminUser() && !dataProvider.isServiceAdmin(dataShare.getService()) && !dataProvider.isZoneAdmin(dataShare.getZone())) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", dataShare.getName(), dataShare.getAcl(), result); - } + validateDataShareAdmin(dataShare, result); } } 
@@ -556,6 +499,42 @@ public class RangerGdsValidator { LOG.debug("<== validateDelete(dsInProjectId={}, existing={})", dsInProjectId, existing); } + public GdsPermission getGdsPermissionForUser(RangerGds.RangerGdsObjectACL acl, String user) { + if (dataProvider.isAdminUser()) { + return GdsPermission.ADMIN; + } + + GdsPermission permission = GdsPermission.NONE; + + if (acl.getUsers() != null) { + permission = getHigherPrivilegePermission(permission, acl.getUsers().get(user)); + } + + if (acl.getGroups() != null) { + permission = getHigherPrivilegePermission(permission, acl.getGroups().get(RangerConstants.GROUP_PUBLIC)); + + Set<String> groups = dataProvider.getGroupsForUser(user); + + if (CollectionUtils.isNotEmpty(groups)) { + for (String group : groups) { + permission = getHigherPrivilegePermission(permission, acl.getGroups().get(group)); + } + } + } + + if (acl.getRoles() != null) { + Set<String> roles = dataProvider.getRolesForUser(user); + + if (CollectionUtils.isNotEmpty(roles)) { + for (String role : roles) { + permission = getHigherPrivilegePermission(permission, acl.getRoles().get(role)); + } + } + } + + return permission; + } + public boolean hasPermission(RangerGdsObjectACL acl, GdsPermission permission) { boolean ret = dataProvider.isAdminUser(); 
@@ -600,6 +579,24 @@ public class RangerGdsValidator { return ret; } + private void validateDatasetAdmin(RangerDataset dataset, ValidationResult result) { + if (!dataProvider.isAdminUser()) { + validateAdmin(dataProvider.getCurrentUserLoginId(), "dataset", dataset.getName(), dataset.getAcl(), result); + } + } + + private void validateProjectAdmin(RangerProject project, ValidationResult result) { + if (!dataProvider.isAdminUser()) { + validateAdmin(dataProvider.getCurrentUserLoginId(), "project", project.getName(), project.getAcl(), result); + } + } + + private void validateDataShareAdmin(RangerDataShare dataShare, ValidationResult result) { + if (!dataProvider.isAdminUser() && !dataProvider.isServiceAdmin(dataShare.getService()) && !dataProvider.isZoneAdmin(dataShare.getZone())) { + validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", dataShare.getName(), dataShare.getAcl(), result); + } + } + private void validateAcl(RangerGdsObjectACL acl, String fieldName, ValidationResult result) { if (acl != null) { if (MapUtils.isNotEmpty(acl.getUsers())) {
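Review bot: validateDataShareAdmin skips the ACL check entirely for service admins and zone admins, unlike validateDatasetAdmin and validateProjectAdmin, and nothing on the method records that difference. A short comment such as `// admin, service-admin of dataShare.service or zone-admin of dataShare.zone may manage the data share without an ACL entry` would make the widened privilege explicit for the next reader. It is not visible here what `dataProvider.isZoneAdmin(...)` returns when `dataShare.getZone()` is null or blank; if unzoned data shares are possible, confirm that case evaluates to false so it cannot bypass `validateAdmin`.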