This is an automated email from the ASF dual-hosted git repository.

madhan pushed a commit to branch RANGER-3923
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit 809ba9be73754b9d0abeaf5a6b561488d2cb3f37
Author: Madhan Neethiraj <mad...@apache.org>
AuthorDate: Fri Oct 6 01:16:14 2023 -0700

    RANGER-4462: dataShare update/delete should be allowed for users with 
service-admin/zone-admin privilege as well
---
 .../src/main/python/sample_gds_client.py           |   7 +-
 .../java/org/apache/ranger/biz/GdsDBStore.java     | 130 ++++++++++++---------
 .../ranger/validation/RangerGdsValidator.java      | 129 ++++++++++----------
 3 files changed, 145 insertions(+), 121 deletions(-)

diff --git a/ranger-examples/sample-client/src/main/python/sample_gds_client.py 
b/ranger-examples/sample-client/src/main/python/sample_gds_client.py
index 890b2a2d8..ceca4ac02 100644
--- a/ranger-examples/sample-client/src/main/python/sample_gds_client.py
+++ b/ranger-examples/sample-client/src/main/python/sample_gds_client.py
@@ -109,7 +109,7 @@ hdfs_resource_1 = gds.add_shared_resource(hdfs_resource_1)
 print(f'  created shared resource: {hdfs_resource_1}')
 
 
-dshid_1 = RangerDataShareInDataset({ 'dataShareId': hive_share_1.id, 
'datasetId': dataset_1.id, 'status': GdsShareStatus.GRANTED, 
'validitySchedule': { 'startTime': '2023/01/01', 'endTime': '2023/04/01' } })
+dshid_1 = RangerDataShareInDataset({ 'dataShareId': hive_share_1.id, 
'datasetId': dataset_1.id, 'status': GdsShareStatus.REQUESTED, 
'validitySchedule': { 'startTime': '2023/01/01', 'endTime': '2023/04/01' } })
 dshid_2 = RangerDataShareInDataset({ 'dataShareId': hdfs_share_1.id, 
'datasetId': dataset_2.id, 'status': GdsShareStatus.REQUESTED })
 
 print(f'Adding data_share_in_dataset: ')
@@ -120,6 +120,11 @@ print(f'Adding data_share_in_dataset: ')
 dshid_2 = gds.add_data_share_in_dataset(dshid_2)
 print(f'  created data_share_in_dataset: {dshid_2}')
 
+print(f'Updating data_share_in_dataset: id={dshid_1.id}')
+dshid_1.status = GdsShareStatus.GRANTED
+dshid_1 = gds.update_data_share_in_dataset(dshid_1.id, dshid_1)
+print(f'  updated data_share_in_dataset: {dshid_1}')
+
 print(f'Updating data_share_in_dataset: id={dshid_1.id}')
 dshid_1.status = GdsShareStatus.ACTIVE
 dshid_1 = gds.update_data_share_in_dataset(dshid_1.id, dshid_1)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java 
b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
index 8a2b7f6c5..6a37da62a 100755
--- a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
@@ -169,7 +169,7 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public RangerDataset createDataset(RangerDataset dataset) throws Exception 
{
+    public RangerDataset createDataset(RangerDataset dataset) {
         LOG.debug("==> createDataset({})", dataset);
 
         validator.validateCreate(dataset);
@@ -196,7 +196,7 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public RangerDataset updateDataset(RangerDataset dataset) throws Exception 
{
+    public RangerDataset updateDataset(RangerDataset dataset) {
         LOG.debug("==> updateDataset({})", dataset);
 
         RangerDataset existing = null;
@@ -234,12 +234,14 @@ public class GdsDBStore extends AbstractGdsStore {
 
         validator.validateDelete(datasetId, existing);
 
-        deleteDatasetPolicies(existing);
-        datasetService.delete(existing);
+        if (existing != null) {
+            deleteDatasetPolicies(existing);
+            datasetService.delete(existing);
 
-        datasetService.createObjectHistory(null, existing, 
RangerServiceService.OPERATION_DELETE_CONTEXT);
+            datasetService.createObjectHistory(null, existing, 
RangerServiceService.OPERATION_DELETE_CONTEXT);
 
-        updateGlobalVersion(RANGER_GLOBAL_STATE_NAME_DATASET);
+            updateGlobalVersion(RANGER_GLOBAL_STATE_NAME_DATASET);
+        }
 
         LOG.debug("<== deleteDataset({})", datasetId);
     }
@@ -282,7 +284,7 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public PList<String> getDatasetNames(SearchFilter filter) throws Exception 
{
+    public PList<String> getDatasetNames(SearchFilter filter) {
         LOG.debug("==> getDatasetNames({})", filter);
 
         PList<RangerDataset> datasets = searchDatasets(filter);
@@ -302,7 +304,7 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public PList<RangerDataset> searchDatasets(SearchFilter filter) throws 
Exception {
+    public PList<RangerDataset> searchDatasets(SearchFilter filter) {
         LOG.debug("==> searchDatasets({})", filter);
 
         PList<RangerDataset> ret           = getUnscrubbedDatasets(filter);
@@ -452,7 +454,7 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public RangerProject createProject(RangerProject project) throws Exception 
{
+    public RangerProject createProject(RangerProject project) {
         LOG.debug("==> createProject({})", project);
 
         validator.validateCreate(project);
@@ -479,7 +481,7 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public RangerProject updateProject(RangerProject project) throws Exception 
{
+    public RangerProject updateProject(RangerProject project) {
         LOG.debug("==> updateProject({})", project);
 
         RangerProject existing = null;
@@ -517,12 +519,14 @@ public class GdsDBStore extends AbstractGdsStore {
 
         validator.validateDelete(projectId, existing);
 
-        deleteProjectPolicies(existing);
-        projectService.delete(existing);
+        if (existing != null) {
+            deleteProjectPolicies(existing);
+            projectService.delete(existing);
 
-        projectService.createObjectHistory(null, existing, 
RangerServiceService.OPERATION_DELETE_CONTEXT);
+            projectService.createObjectHistory(null, existing, 
RangerServiceService.OPERATION_DELETE_CONTEXT);
 
-        updateGlobalVersion(RANGER_GLOBAL_STATE_NAME_PROJECT);
+            updateGlobalVersion(RANGER_GLOBAL_STATE_NAME_PROJECT);
+        }
 
         LOG.debug("<== deleteProject({})", projectId);
     }
@@ -533,7 +537,9 @@ public class GdsDBStore extends AbstractGdsStore {
 
         RangerProject ret = projectService.read(projectId);
 
-        // TODO: enforce RangerProject.acl
+        if (ret != null && !validator.hasPermission(ret.getAcl(), 
GdsPermission.VIEW)) {
+            throw new Exception("no permission on project id=" + projectId);
+        }
 
         LOG.debug("<== getProject({}): ret={}", projectId, ret);
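Review bot: The new VIEW check throws a bare `Exception`, while the AUDIT checks further down in this file signal denial with `restErrorUtil.create403RESTException(...)`; a generic exception is likely to surface to the REST client as a 500 rather than a 403, which hides the authorization nature of the failure from callers and from anyone grepping audit/error logs for denials. Use the same helper here, e.g. `throw restErrorUtil.create403RESTException("no permission on project id=" + projectId);`, or a dedicated NOT_AUTHORIZED constant if one exists for projects. `validator.hasPermission` is also handed `ret.getAcl()`, which can be null for a stored project; whether hasPermission tolerates a null ACL is not visible in this hunk and should be confirmed. getProject's signature is outside the hunk.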
 
@@ -553,7 +559,9 @@ public class GdsDBStore extends AbstractGdsStore {
 
         RangerProject ret = projectService.getPopulatedViewObject(existing);
 
-        // TODO: enforce RangerProject.acl
+        if (ret != null && !validator.hasPermission(ret.getAcl(), 
GdsPermission.VIEW)) {
+            throw new Exception("no permission on project name=" + name);
+        }
 
         LOG.debug("<== getProjectByName({}): ret={}", name, ret);
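Review bot: Same concern as getProject: the denial is raised as a plain `Exception` instead of the 403 helper the rest of this class uses, so an unauthorized lookup by name will probably be reported as a server error. Prefer `throw restErrorUtil.create403RESTException("no permission on project name=" + name);` so the status code and message are consistent with the dataset/project policy checks. The method's opening lines are outside the hunk.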
 
@@ -561,7 +569,7 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public PList<String> getProjectNames(SearchFilter filter) throws Exception 
{
+    public PList<String> getProjectNames(SearchFilter filter) {
         LOG.debug("==> getProjectNames({})", filter);
 
         PList<RangerProject> projects = searchProjects(filter);
@@ -581,19 +589,23 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public PList<RangerProject> searchProjects(SearchFilter filter) throws 
Exception {
+    public PList<RangerProject> searchProjects(SearchFilter filter) {
         LOG.debug("==> searchProjects({})", filter);
 
-        int maxRows = filter.getMaxRows();
+        int maxRows    = filter.getMaxRows();
         int startIndex = filter.getStartIndex();
+
         filter.setStartIndex(0);
         filter.setMaxRows(0);
 
-        RangerProjectList   result   = projectService.searchProjects(filter);
-        List<RangerProject> projects = new ArrayList<>();
+        GdsPermission       gdsPermission = getGdsPermissionFromFilter(filter);
+        RangerProjectList   result        = 
projectService.searchProjects(filter);
+        List<RangerProject> projects      = new ArrayList<>();
 
         for (RangerProject project : result.getList()) {
-            // TODO: enforce RangerProject.acl
+            if (gdsPermission.equals(GdsPermission.LIST)) {
+                scrubProjectForListing(project);
+            }
 
             projects.add(project);
         }
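Review bot: `gdsPermission.equals(GdsPermission.LIST)` throws a NullPointerException if `getGdsPermissionFromFilter` returns null for a filter that carries no permission parameter; invert it to `if (GdsPermission.LIST.equals(gdsPermission)) {` (or compare with `==`, which is safe for enums). The larger issue is that the removed `TODO: enforce RangerProject.acl` is replaced only by scrubbing in the LIST case: for any other requested permission every project returned by `projectService.searchProjects` is added in full, ACL included, with no check that the caller holds that permission on it, unless the service-layer search already filters (not visible here). Since getProject now rejects callers without VIEW, a search caller could still enumerate projects it cannot read individually; consider `if (!validator.hasPermission(project.getAcl(), gdsPermission)) { continue; }` before the add, mirroring whatever getUnscrubbedDatasets does for datasets. searchProjects continues past the end of this hunk.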
@@ -695,7 +707,7 @@ public class GdsDBStore extends AbstractGdsStore {
         RangerProject project = projectService.read(projectId);
 
         if (!validator.hasPermission(project.getAcl(), GdsPermission.AUDIT)) {
-            throw 
restErrorUtil.create403RESTException(NOT_AUTHORIZED_TO_VIEW_DATASET_POLICIES);
+            throw 
restErrorUtil.create403RESTException(NOT_AUTHORIZED_TO_VIEW_PROJECT_POLICIES);
         }
 
         XXGdsProjectPolicyMap existing = 
daoMgr.getXXGdsProjectPolicyMap().getProjectPolicyMap(projectId, policyId);
@@ -720,7 +732,7 @@ public class GdsDBStore extends AbstractGdsStore {
         RangerProject project = projectService.read(projectId);
 
         if (!validator.hasPermission(project.getAcl(), GdsPermission.AUDIT)) {
-            throw 
restErrorUtil.create403RESTException(NOT_AUTHORIZED_TO_VIEW_DATASET_POLICIES);
+            throw 
restErrorUtil.create403RESTException(NOT_AUTHORIZED_TO_VIEW_PROJECT_POLICIES);
         }
 
         List<Long> policyIds = 
daoMgr.getXXGdsProjectPolicyMap().getProjectPolicyIds(projectId);
@@ -740,7 +752,7 @@ public class GdsDBStore extends AbstractGdsStore {
 
 
     @Override
-    public RangerDataShare createDataShare(RangerDataShare dataShare) throws 
Exception {
+    public RangerDataShare createDataShare(RangerDataShare dataShare) {
         LOG.debug("==> createDataShare({})", dataShare);
 
         validator.validateCreate(dataShare);
@@ -767,7 +779,7 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public RangerDataShare updateDataShare(RangerDataShare dataShare) throws 
Exception {
+    public RangerDataShare updateDataShare(RangerDataShare dataShare) {
         LOG.debug("==> updateDataShare({})", dataShare);
 
         RangerDataShare existing = null;
@@ -792,7 +804,7 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public void deleteDataShare(Long dataShareId, boolean forceDelete) throws 
Exception {
+    public void deleteDataShare(Long dataShareId, boolean forceDelete) {
         LOG.debug("==> deleteDataShare(dataShareId: {}, forceDelete: {})", 
dataShareId, forceDelete);
 
         RangerDataShare existing = null;
@@ -810,17 +822,19 @@ public class GdsDBStore extends AbstractGdsStore {
             removeSharedResourcesForDataShare(dataShareId);
         }
 
-        dataShareService.delete(existing);
+        if (existing != null) {
+            dataShareService.delete(existing);
 
-        dataShareService.createObjectHistory(null, existing, 
RangerServiceService.OPERATION_DELETE_CONTEXT);
+            dataShareService.createObjectHistory(null, existing, 
RangerServiceService.OPERATION_DELETE_CONTEXT);
 
-        updateGlobalVersion(RANGER_GLOBAL_STATE_NAME_DATA_SHARE);
+            updateGlobalVersion(RANGER_GLOBAL_STATE_NAME_DATA_SHARE);
+        }
 
         LOG.debug("<== deleteDataShare(dataShareId: {}, forceDelete: {})", 
dataShareId, forceDelete);
     }
 
     @Override
-    public RangerDataShare getDataShare(Long dataShareId) throws Exception {
+    public RangerDataShare getDataShare(Long dataShareId) {
         LOG.debug("==> getDataShare({})", dataShareId);
 
         RangerDataShare ret = dataShareService.read(dataShareId);
@@ -833,7 +847,7 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public PList<RangerDataShare> searchDataShares(SearchFilter filter) throws 
Exception {
+    public PList<RangerDataShare> searchDataShares(SearchFilter filter) {
         LOG.debug("==> searchDataShares({})", filter);
 
         int maxRows = filter.getMaxRows();
@@ -860,7 +874,7 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public RangerSharedResource addSharedResource(RangerSharedResource 
resource) throws Exception {
+    public RangerSharedResource addSharedResource(RangerSharedResource 
resource) {
         LOG.debug("==> addSharedResource({})", resource);
 
         validator.validateCreate(resource);
@@ -879,7 +893,7 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public RangerSharedResource updateSharedResource(RangerSharedResource 
resource) throws Exception {
+    public RangerSharedResource updateSharedResource(RangerSharedResource 
resource) {
         LOG.debug("==> updateSharedResource({})", resource);
 
         RangerSharedResource existing = null;
@@ -902,7 +916,7 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public void removeSharedResource(Long sharedResourceId) throws Exception {
+    public void removeSharedResource(Long sharedResourceId) {
         LOG.debug("==> removeSharedResource({})", sharedResourceId);
 
 
@@ -916,15 +930,17 @@ public class GdsDBStore extends AbstractGdsStore {
 
         validator.validateDelete(sharedResourceId, existing);
 
-        sharedResourceService.delete(existing);
+        if (existing != null) {
+            sharedResourceService.delete(existing);
 
-        sharedResourceService.createObjectHistory(null, existing, 
RangerServiceService.OPERATION_DELETE_CONTEXT);
+            sharedResourceService.createObjectHistory(null, existing, 
RangerServiceService.OPERATION_DELETE_CONTEXT);
+        }
 
         LOG.debug("<== removeSharedResource({})", sharedResourceId);
     }
 
     @Override
-    public RangerSharedResource getSharedResource(Long sharedResourceId) 
throws Exception {
+    public RangerSharedResource getSharedResource(Long sharedResourceId) {
         LOG.debug("==> getSharedResource({})", sharedResourceId);
 
         RangerSharedResource ret = 
sharedResourceService.read(sharedResourceId);
@@ -937,7 +953,7 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public PList<RangerSharedResource> searchSharedResources(SearchFilter 
filter) throws Exception {
+    public PList<RangerSharedResource> searchSharedResources(SearchFilter 
filter) {
         LOG.debug("==> searchSharedResources({})", filter);
 
         int maxRows = filter.getMaxRows();
@@ -975,7 +991,7 @@ public class GdsDBStore extends AbstractGdsStore {
             throw new Exception("data share '" + 
dataShareInDataset.getDataShareId() + "' already shared with dataset " + 
dataShareInDataset.getDatasetId() + " - id=" + existing.getId());
         }
 
-        // TODO: enforce RangerDataShareInDataset.acl
+        validator.validateCreate(dataShareInDataset);
 
         if (StringUtils.isBlank(dataShareInDataset.getGuid())) {
             dataShareInDataset.setGuid(guidUtil.genGUID());
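Review bot: `validator.validateCreate(dataShareInDataset)` — the authorization check — runs only after the duplicate lookup above it has already thrown `"data share '…' already shared with dataset … - id=…"`, so a caller with no rights on either object can probe which dataShare/dataset pairs exist and learn their internal ids before being rejected. Decide authorization before disclosing any state: call `validator.validateCreate(dataShareInDataset);` ahead of the `existing` lookup at the top of the method, and keep the conflict check after it. The beginning of addDataShareInDataset, including that lookup, is outside this hunk.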
@@ -991,12 +1007,12 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public RangerDataShareInDataset 
updateDataShareInDataset(RangerDataShareInDataset dataShareInDataset) throws 
Exception {
+    public RangerDataShareInDataset 
updateDataShareInDataset(RangerDataShareInDataset dataShareInDataset) {
         LOG.debug("==> updateDataShareInDataset({})", dataShareInDataset);
 
         RangerDataShareInDataset existing = 
dataShareInDatasetService.read(dataShareInDataset.getId());
 
-        // TODO: enforce RangerDataShareInDataset.acl
+        validator.validateUpdate(dataShareInDataset, existing);
 
         RangerDataShareInDataset ret = 
dataShareInDatasetService.update(dataShareInDataset);
 
@@ -1008,12 +1024,12 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public void removeDataShareInDataset(Long dataShareInDatasetId) throws 
Exception {
+    public void removeDataShareInDataset(Long dataShareInDatasetId) {
         LOG.debug("==> removeDataShareInDataset({})", dataShareInDatasetId);
 
         RangerDataShareInDataset existing = 
dataShareInDatasetService.read(dataShareInDatasetId);
 
-        // TODO: enforce RangerDataShareInDataset.acl
+        validator.validateDelete(dataShareInDatasetId, existing);
 
         dataShareInDatasetService.delete(existing);
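Review bot: `dataShareInDatasetService.delete(existing)` is called without the `if (existing != null)` guard this commit adds to deleteDataset, deleteProject, deleteDataShare and removeSharedResource, so this method relies entirely on `validator.validateDelete` throwing for an unknown id. If that validator path only records a failure and returns (its body is not in this diff), a null reaches delete(); wrapping it as `if (existing != null) { dataShareInDatasetService.delete(existing); }` keeps the pattern consistent across the store. The rest of the method is outside the hunk.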
 
@@ -1023,7 +1039,7 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public RangerDataShareInDataset getDataShareInDataset(Long 
dataShareInDatasetId) throws Exception {
+    public RangerDataShareInDataset getDataShareInDataset(Long 
dataShareInDatasetId) {
         LOG.debug("==> getDataShareInDataset({})", dataShareInDatasetId);
 
         RangerDataShareInDataset ret = 
dataShareInDatasetService.read(dataShareInDatasetId);
@@ -1034,7 +1050,7 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public PList<RangerDataShareInDataset> 
searchDataShareInDatasets(SearchFilter filter) throws Exception {
+    public PList<RangerDataShareInDataset> 
searchDataShareInDatasets(SearchFilter filter) {
         LOG.debug("==> searchDataShareInDatasets({})", filter);
 
         int maxRows = filter.getMaxRows();
@@ -1071,7 +1087,7 @@ public class GdsDBStore extends AbstractGdsStore {
             throw new Exception("dataset '" + datasetInProject.getDatasetId() 
+ "' already shared with project " + datasetInProject.getProjectId() + " - id=" 
+ existing.getId());
         }
 
-        // TODO: enforce RangerDatasetInProject.acl
+        validator.validateCreate(datasetInProject);
 
         if (StringUtils.isBlank(datasetInProject.getGuid())) {
             datasetInProject.setGuid(guidUtil.genGUID());
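Review bot: As in addDataShareInDataset, the authorization check `validator.validateCreate(datasetInProject)` is placed after the conflict check that throws `"dataset '…' already shared with project … - id=…"`, so an unauthorized caller learns whether a dataset/project pairing exists, and its id, before being denied. Move `validator.validateCreate(datasetInProject);` above the `existing` lookup so the permission decision precedes any disclosure. The top of addDatasetInProject is outside this hunk.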
@@ -1087,12 +1103,12 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public RangerDatasetInProject 
updateDatasetInProject(RangerDatasetInProject datasetInProject) throws 
Exception {
+    public RangerDatasetInProject 
updateDatasetInProject(RangerDatasetInProject datasetInProject) {
         LOG.debug("==> updateDatasetInProject({})", datasetInProject);
 
         RangerDatasetInProject existing = 
datasetInProjectService.read(datasetInProject.getId());
 
-        // TODO: enforce RangerDatasetInProject.acl
+        validator.validateUpdate(datasetInProject, existing);
 
         RangerDatasetInProject ret = 
datasetInProjectService.update(datasetInProject);
 
@@ -1104,12 +1120,12 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public void removeDatasetInProject(Long datasetInProjectId) throws 
Exception {
+    public void removeDatasetInProject(Long datasetInProjectId) {
         LOG.debug("==> removeDatasetInProject({})", datasetInProjectId);
 
         RangerDatasetInProject existing = 
datasetInProjectService.read(datasetInProjectId);
 
-        // TODO: enforce RangerDatasetInProject.acl
+        validator.validateDelete(datasetInProjectId, existing);
 
         datasetInProjectService.delete(existing);
 
@@ -1119,7 +1135,7 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public RangerDatasetInProject getDatasetInProject(Long datasetInProjectId) 
throws Exception {
+    public RangerDatasetInProject getDatasetInProject(Long datasetInProjectId) 
{
         LOG.debug("==> getDatasetInProject({})", datasetInProjectId);
 
         RangerDatasetInProject ret = 
datasetInProjectService.read(datasetInProjectId);
@@ -1132,7 +1148,7 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     @Override
-    public PList<RangerDatasetInProject> searchDatasetInProjects(SearchFilter 
filter) throws Exception {
+    public PList<RangerDatasetInProject> searchDatasetInProjects(SearchFilter 
filter) {
         LOG.debug("==> searchDatasetInProjects({})", filter);
 
         int maxRows = filter.getMaxRows();
@@ -1273,7 +1289,7 @@ public class GdsDBStore extends AbstractGdsStore {
         return ret;
     }
 
-    private PList<RangerDataset> getUnscrubbedDatasets(SearchFilter filter) 
throws Exception {
+    private PList<RangerDataset> getUnscrubbedDatasets(SearchFilter filter) {
         int maxRows    = filter.getMaxRows();
         int startIndex = filter.getStartIndex();
 
@@ -1322,6 +1338,12 @@ public class GdsDBStore extends AbstractGdsStore {
         dataset.setAdditionalInfo(null);
     }
 
+    private void scrubProjectForListing(RangerProject project) {
+        project.setAcl(null);
+        project.setOptions(null);
+        project.setAdditionalInfo(null);
+    }
+
     private void removeDshInDsForDataShare(Long dataShareId) {
         SearchFilter                 filter      = new 
SearchFilter(SearchFilter.DATA_SHARE_ID, dataShareId.toString());
         RangerDataShareInDatasetList dshInDsList = 
dataShareInDatasetService.searchDataShareInDatasets(filter);
diff --git 
a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
 
b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
index d9f204eef..95ef62cfa 100755
--- 
a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
@@ -56,42 +56,6 @@ public class RangerGdsValidator {
         this.dataProvider = dataProvider;
     }
 
-    public GdsPermission getGdsPermissionForUser(RangerGds.RangerGdsObjectACL 
acl, String user) {
-        if (dataProvider.isAdminUser()) {
-            return GdsPermission.ADMIN;
-        }
-
-        GdsPermission permission = GdsPermission.NONE;
-
-        if (acl.getUsers() != null) {
-            permission = getHigherPrivilegePermission(permission, 
acl.getUsers().get(user));
-        }
-
-        if (acl.getGroups() != null) {
-            permission = getHigherPrivilegePermission(permission, 
acl.getGroups().get(RangerConstants.GROUP_PUBLIC));
-
-            Set<String> groups = dataProvider.getGroupsForUser(user);
-
-            if (CollectionUtils.isNotEmpty(groups)) {
-                for (String group : groups) {
-                    permission = getHigherPrivilegePermission(permission, 
acl.getGroups().get(group));
-                }
-            }
-        }
-
-        if (acl.getRoles() != null) {
-            Set<String> roles = dataProvider.getRolesForUser(user);
-
-            if (CollectionUtils.isNotEmpty(roles)) {
-                for (String role : roles) {
-                    permission = getHigherPrivilegePermission(permission, 
acl.getRoles().get(role));
-                }
-            }
-        }
-
-        return permission;
-    }
-
     public void validateCreate(RangerDataset dataset) {
         LOG.debug("==> validateCreate(dataset={})", dataset);
 
@@ -119,10 +83,7 @@ public class RangerGdsValidator {
         if (existing == null) {
             result.addValidationFailure(new 
ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATASET_NAME_NOT_FOUND,
 "name", dataset.getName()));
         } else {
-            if (!dataProvider.isAdminUser()) {
-                validateAdmin(dataProvider.getCurrentUserLoginId(), "dataset", 
existing.getName(), existing.getAcl(), result);
-            }
-
+            validateDatasetAdmin(existing, result);
             validateAcl(dataset.getAcl(), "acl", result);
         }
 
@@ -141,9 +102,7 @@ public class RangerGdsValidator {
         if (existing == null) {
             result.addValidationFailure(new 
ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATASET_ID_NOT_FOUND,
 "id", datasetId));
         } else {
-            if (!dataProvider.isAdminUser()) {
-                validateAdmin(dataProvider.getCurrentUserLoginId(), "dataset", 
existing.getName(), existing.getAcl(), result);
-            }
+            validateDatasetAdmin(existing, result);
         }
 
         if (!result.isSuccess()) {
@@ -180,10 +139,7 @@ public class RangerGdsValidator {
         if (existing == null) {
             result.addValidationFailure(new 
ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_PROJECT_NAME_NOT_FOUND,
 "name", project.getName()));
         } else {
-            if (!dataProvider.isAdminUser()) {
-                validateAdmin(dataProvider.getCurrentUserLoginId(), "project", 
existing.getName(), existing.getAcl(), result);
-            }
-
+            validateProjectAdmin(existing, result);
             validateAcl(project.getAcl(), "acl", result);
         }
 
@@ -202,9 +158,7 @@ public class RangerGdsValidator {
         if (existing == null) {
             result.addValidationFailure(new 
ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_PROJECT_ID_NOT_FOUND,
 "id", projectId));
         } else {
-            if (!dataProvider.isAdminUser()) {
-                validateAdmin(dataProvider.getCurrentUserLoginId(), "project", 
existing.getName(), existing.getAcl(), result);
-            }
+            validateProjectAdmin(existing, result);
         }
 
         if (!result.isSuccess()) {
@@ -245,10 +199,7 @@ public class RangerGdsValidator {
         if (existing == null) {
             result.addValidationFailure(new 
ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATA_SHARE_NAME_NOT_FOUND,
 "name", dataShare.getName()));
         } else {
-            if (!dataProvider.isAdminUser()) {
-                validateAdmin(dataProvider.getCurrentUserLoginId(), 
"datashare", existing.getName(), existing.getAcl(), result);
-            }
-
+            validateDataShareAdmin(existing, result);
             validateAcl(dataShare.getAcl(), "acl", result);
             validateAccessTypes(dataShare.getService(), "defaultAccessTypes", 
dataShare.getDefaultAccessTypes(), result);
             validateMaskTypes(dataShare.getService(), "defaultMasks", 
dataShare.getDefaultMasks(), result);
@@ -269,9 +220,7 @@ public class RangerGdsValidator {
         if (existing == null) {
             result.addValidationFailure(new 
ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATA_SHARE_ID_NOT_FOUND,
 "id", dataShareId));
         } else {
-            if (!dataProvider.isAdminUser()) {
-                validateAdmin(dataProvider.getCurrentUserLoginId(), 
"datashare", existing.getName(), existing.getAcl(), result);
-            }
+            validateDataShareAdmin(existing, result);
         }
 
         if (!result.isSuccess()) {
@@ -295,9 +244,7 @@ public class RangerGdsValidator {
             if (existing != null) {
                 result.addValidationFailure(new 
ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_SHARED_RESOURCE_NAME_CONFLICT,
 "name", resource.getName(), dataShare.getName(), existing));
             } else {
-                if (!dataProvider.isAdminUser() && 
!dataProvider.isServiceAdmin(dataShare.getService()) && 
!dataProvider.isZoneAdmin(dataShare.getZone())) {
-                    validateAdmin(dataProvider.getCurrentUserLoginId(), 
"datashare", dataShare.getName(), dataShare.getAcl(), result);
-                }
+                validateDataShareAdmin(dataShare, result);
             }
         }
 
@@ -321,9 +268,7 @@ public class RangerGdsValidator {
             if (dataShare == null) {
                 result.addValidationFailure(new 
ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATA_SHARE_ID_NOT_FOUND,
 "dataShareId", resource.getDataShareId()));
             } else {
-                if (!dataProvider.isAdminUser() && 
!dataProvider.isServiceAdmin(dataShare.getService()) && 
!dataProvider.isZoneAdmin(dataShare.getZone())) {
-                    validateAdmin(dataProvider.getCurrentUserLoginId(), 
"datashare", dataShare.getName(), dataShare.getAcl(), result);
-                }
+                validateDataShareAdmin(dataShare, result);
             }
         }
 
@@ -347,9 +292,7 @@ public class RangerGdsValidator {
             if (dataShare == null) {
                 result.addValidationFailure(new 
ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATA_SHARE_ID_NOT_FOUND,
 "dataShareId", existing.getDataShareId()));
             } else {
-                if (!dataProvider.isAdminUser() && 
!dataProvider.isServiceAdmin(dataShare.getService()) && 
!dataProvider.isZoneAdmin(dataShare.getZone())) {
-                    validateAdmin(dataProvider.getCurrentUserLoginId(), 
"datashare", dataShare.getName(), dataShare.getAcl(), result);
-                }
+                validateDataShareAdmin(dataShare, result);
             }
         }
 
@@ -556,6 +499,42 @@ public class RangerGdsValidator {
         LOG.debug("<== validateDelete(dsInProjectId={}, existing={})", 
dsInProjectId, existing);
     }
 
+    public GdsPermission getGdsPermissionForUser(RangerGds.RangerGdsObjectACL 
acl, String user) {
+        if (dataProvider.isAdminUser()) {
+            return GdsPermission.ADMIN;
+        }
+
+        GdsPermission permission = GdsPermission.NONE;
+
+        if (acl.getUsers() != null) {
+            permission = getHigherPrivilegePermission(permission, 
acl.getUsers().get(user));
+        }
+
+        if (acl.getGroups() != null) {
+            permission = getHigherPrivilegePermission(permission, 
acl.getGroups().get(RangerConstants.GROUP_PUBLIC));
+
+            Set<String> groups = dataProvider.getGroupsForUser(user);
+
+            if (CollectionUtils.isNotEmpty(groups)) {
+                for (String group : groups) {
+                    permission = getHigherPrivilegePermission(permission, 
acl.getGroups().get(group));
+                }
+            }
+        }
+
+        if (acl.getRoles() != null) {
+            Set<String> roles = dataProvider.getRolesForUser(user);
+
+            if (CollectionUtils.isNotEmpty(roles)) {
+                for (String role : roles) {
+                    permission = getHigherPrivilegePermission(permission, 
acl.getRoles().get(role));
+                }
+            }
+        }
+
+        return permission;
+    }
+
     public boolean hasPermission(RangerGdsObjectACL acl, GdsPermission 
permission) {
         boolean ret = dataProvider.isAdminUser();
 
@@ -600,6 +579,24 @@ public class RangerGdsValidator {
         return ret;
     }
 
+    private void validateDatasetAdmin(RangerDataset dataset, ValidationResult 
result) {
+        if (!dataProvider.isAdminUser()) {
+            validateAdmin(dataProvider.getCurrentUserLoginId(), "dataset", 
dataset.getName(), dataset.getAcl(), result);
+        }
+    }
+
+    private void validateProjectAdmin(RangerProject project, ValidationResult 
result) {
+        if (!dataProvider.isAdminUser()) {
+            validateAdmin(dataProvider.getCurrentUserLoginId(), "project", 
project.getName(), project.getAcl(), result);
+        }
+    }
+
+    private void validateDataShareAdmin(RangerDataShare dataShare, 
ValidationResult result) {
+        if (!dataProvider.isAdminUser() && 
!dataProvider.isServiceAdmin(dataShare.getService()) && 
!dataProvider.isZoneAdmin(dataShare.getZone())) {
+            validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", 
dataShare.getName(), dataShare.getAcl(), result);
+        }
+    }
+
     private void validateAcl(RangerGdsObjectACL acl, String fieldName, 
ValidationResult result) {
         if (acl != null) {
             if (MapUtils.isNotEmpty(acl.getUsers())) {
