(ranger) branch master updated: RANGER-5000: Add validations to ensure that the policy items are properly formed during dataset policy creation / edit

Wed, 04 Dec 2024 15:25:33 -0800 

This is an automated email from the ASF dual-hosted git repository.

rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 6988b3157 RANGER-5000: Add validations to ensure that the policy items 
are properly formed during dataset policy creation / edit
6988b3157 is described below

commit 6988b315790a61180a341677fc732523c63ca8bd
Author: Radhika Kundam <[email protected]>
AuthorDate: Wed Nov 20 14:51:09 2024 -0800

    RANGER-5000: Add validations to ensure that the policy items are properly 
formed during dataset policy creation / edit
    
    Signed-off-by: Ramesh Mani <[email protected]>
---
 .../ranger/plugin/errors/ValidationErrorCode.java  |  1 +
 .../java/org/apache/ranger/biz/GdsDBStore.java     |  1 +
 .../ranger/validation/RangerGdsValidator.java      | 56 ++++++++++++++++++++++
 3 files changed, 58 insertions(+)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
index 13a362437..2753001c8 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
@@ -109,6 +109,7 @@ public enum ValidationErrorCode {
     POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_ROLE(3055, "policy items role was 
null"),
     POLICY_VALIDATION_ERR_DUPLICATE_VALUES_FOR_RESOURCE(3056, "Values for the 
resource={0} contained a duplicate value={1}. Ensure all values for a resource 
are unique"),
     POLICY_VALIDATION_ERR_INVALID_SERVICE_TYPE(4009," Invalid service type 
[{0}] provided for service [{1}]"),
+    POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_ACCESS_TYPE(4010, "policy items 
access object has empty or null values for type"),
 
     // SECURITY_ZONE Validations
     SECURITY_ZONE_VALIDATION_ERR_UNSUPPORTED_ACTION(3034, "Internal error: 
unsupported action[{0}]; isValid() is only supported for DELETE"),
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java 
b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
index 768192e84..11983a272 100755
--- a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
@@ -1826,6 +1826,7 @@ public class GdsDBStore extends AbstractGdsStore {
     }
 
     private void prepareDatasetPolicy(RangerDataset dataset, RangerPolicy 
policy) {
+        validator.validateCreateOrUpdate(policy);
         policy.setName("DATASET: " + dataset.getName() + 
GDS_POLICY_NAME_TIMESTAMP_SEP + System.currentTimeMillis());
         policy.setDescription("Policy for dataset: " + dataset.getName());
         policy.setServiceType(EMBEDDED_SERVICEDEF_GDS_NAME);
diff --git 
a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
 
b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
index 627056bfd..4ee7b97ab 100755
--- 
a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
@@ -35,6 +35,8 @@ import 
org.apache.ranger.plugin.model.RangerGds.RangerGdsMaskInfo;
 import org.apache.ranger.plugin.model.RangerGds.RangerGdsObjectACL;
 import org.apache.ranger.plugin.model.RangerGds.RangerProject;
 import org.apache.ranger.plugin.model.RangerGds.RangerSharedResource;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
 import 
org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
@@ -688,6 +690,23 @@ public class RangerGdsValidator {
         LOG.debug("<== validateDelete(dipId={}, existing={})", dipId, 
existing);
     }
 
+    public void validateCreateOrUpdate(RangerPolicy policy) {
+        LOG.debug("==> validateCreateOrUpdate(policy={})", policy);
+        if (policy == null || 
CollectionUtils.isEmpty(policy.getPolicyItems())) {
+            return;
+        }
+
+        ValidationResult result   = new ValidationResult();
+        List<RangerPolicyItem> policyItems = policy.getPolicyItems();
+
+        validatePolicyItems(policyItems, result);
+
+        if (!result.isSuccess()) {
+            result.throwRESTException();
+        }
+        LOG.debug("<== validateCreateOrUpdate(policy={})", policy);
+    }
+
     public GdsPermission getGdsPermissionForUser(RangerGds.RangerGdsObjectACL 
acl, String user) {
         if (dataProvider.isAdminUser()) {
             return GdsPermission.ADMIN;
@@ -838,6 +857,43 @@ public class RangerGdsValidator {
         }
     }
 
+    private void validatePolicyItems(List<RangerPolicyItem> policyItems, 
ValidationResult result) {
+        if (CollectionUtils.isEmpty(policyItems)) {
+            return;
+        }
+
+        for (RangerPolicyItem policyItem : policyItems) {
+            if (policyItem == null) {
+                addValidationFailure(result, 
ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM);
+                continue;
+            }
+
+            boolean hasNoPrincipals = 
CollectionUtils.isEmpty(policyItem.getUsers()) && 
CollectionUtils.isEmpty(policyItem.getGroups()) && 
CollectionUtils.isEmpty(policyItem.getRoles());
+            boolean hasInvalidUsers = policyItem.getUsers() != null && 
policyItem.getUsers().stream().anyMatch(StringUtils::isBlank);
+            boolean hasInvalidGroups = policyItem.getGroups() != null && 
policyItem.getGroups().stream().anyMatch(StringUtils::isBlank);
+            boolean hasInvalidRoles = policyItem.getRoles() != null && 
policyItem.getRoles().stream().anyMatch(StringUtils::isBlank);
+
+            if (hasNoPrincipals || hasInvalidUsers || hasInvalidGroups || 
hasInvalidRoles) {
+                addValidationFailure(result, 
ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_USER_AND_GROUPS);
+            }
+
+            if (CollectionUtils.isEmpty(policyItem.getAccesses()) || 
policyItem.getAccesses().contains(null)) {
+                addValidationFailure(result, 
ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_ACCESS);
+                continue;
+            }
+
+            boolean hasInvalidAccesses = 
policyItem.getAccesses().stream().anyMatch(itemAccess -> 
StringUtils.isBlank(itemAccess.getType()));
+
+            if (hasInvalidAccesses) {
+                addValidationFailure(result, 
ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_ACCESS_TYPE);
+            }
+        }
+    }
+
+    private void addValidationFailure(ValidationResult result, 
ValidationErrorCode errorCode) {
+        result.addValidationFailure(new ValidationFailureDetails(errorCode, 
"policy items"));
+    }
+
     private void validateAcl(RangerGdsObjectACL acl, String fieldName, 
ValidationResult result) {
         if (acl != null) {
             if (MapUtils.isNotEmpty(acl.getUsers())) {

Reply via email to