This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new b313331c5 RANGER-5407: fix incorrect permissions in default policies
of Atlas service (#749)
b313331c5 is described below
commit b313331c57cc2eb2e5f986026d3407e888b82cc0
Author: Rakesh Gupta <[email protected]>
AuthorDate: Tue Dec 2 22:00:30 2025 +0530
RANGER-5407: fix incorrect permissions in default policies of Atlas service
(#749)
---
dev-support/checkstyle-suppressions.xml | 1 +
.../ranger/services/atlas/RangerServiceAtlas.java | 7 +-
.../optimized/current/ranger_core_db_mysql.sql | 1 +
.../optimized/current/ranger_core_db_oracle.sql | 1 +
.../optimized/current/ranger_core_db_postgres.sql | 1 +
.../current/ranger_core_db_sqlanywhere.sql | 2 +
.../optimized/current/ranger_core_db_sqlserver.sql | 1 +
...chForAtlasPolicyUpdateForEntityRead_J10064.java | 155 +++++++++++++++++++++
8 files changed, 167 insertions(+), 2 deletions(-)
diff --git a/dev-support/checkstyle-suppressions.xml
b/dev-support/checkstyle-suppressions.xml
index 624016707..a95423277 100644
--- a/dev-support/checkstyle-suppressions.xml
+++ b/dev-support/checkstyle-suppressions.xml
@@ -90,4 +90,5 @@
<suppress files="PatchPreSql_058_ForUpdateToUniqueResoureceSignature_J10053"
checks="TypeName"/>
<suppress files="PatchSetAccessTypeCategory_J10061" checks="TypeName"/>
<suppress files="PatchTagModulePermission_J10005" checks="TypeName"/>
+ <suppress files="PatchForAtlasPolicyUpdateForEntityRead_J10064"
checks="TypeName"/>
</suppressions>
diff --git
a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
index fbb91f274..9ed82b4d0 100644
---
a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
+++
b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
@@ -160,7 +160,10 @@ public List<RangerPolicy> getDefaultRangerPolicies()
throws Exception {
}
// 2. add a policy-item for rangertagsync user with 'entity-read'
permission in the policy for 'entity-type'
- if (policyResources.containsKey(RESOURCE_ENTITY_TYPE) &&
!policyResources.containsKey(RESOURCE_CLASSIFICATION)) {
+ final boolean isNonEntityResourceType =
policyResources.containsKey(RESOURCE_CLASSIFICATION)
+ || policyResources.containsKey(RESOURCE_ENTITY_LABEL) ||
policyResources.containsKey(RESOURCE_ENTITY_BUSINESS_METADATA);
+
+ if (policyResources.containsKey(RESOURCE_ENTITY_TYPE) &&
!isNonEntityResourceType) {
RangerPolicyItem policyItemForTagSyncUser = new
RangerPolicyItem();
policyItemForTagSyncUser.setUsers(Collections.singletonList(tagSyncUser));
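Review bot: The new `isNonEntityResourceType` flag carries the reason for the whole change but no explanation, so a reader of getDefaultRangerPolicies (which starts and ends outside this hunk) cannot tell why entity-label and entity-business-metadata policies now skip the tagsync and lookup policy items. Add a comment above the declaration, e.g. `// entity-read is added only to plain entity-type policies; classification, entity-label and entity-business-metadata policies are skipped (RANGER-5407)`. The name also reads as if the policy has no entity resource at all, while both checks only fire when entity-type is present as well; `hasNonEntityResource` would describe the test more precisely, but that is a taste point. RESOURCE_ENTITY_LABEL and RESOURCE_ENTITY_BUSINESS_METADATA are referenced unqualified here, so presumably they are existing constants of RangerServiceAtlas; the second hunk reuses the same flag for the lookup-user item, which keeps the two conditions in step.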
@@ -181,7 +184,7 @@ public List<RangerPolicy> getDefaultRangerPolicies() throws
Exception {
if (defaultPolicy.getName().contains("all")
&&
policyResources.containsKey(RangerServiceAtlas.RESOURCE_ENTITY_TYPE)
- && StringUtils.isNotBlank(lookUpUser) &&
!policyResources.containsKey(RESOURCE_CLASSIFICATION)) {
+ && StringUtils.isNotBlank(lookUpUser) &&
!isNonEntityResourceType) {
RangerPolicyItem policyItemForLookupUser = new
RangerPolicyItem();
policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
diff --git a/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
b/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
index f0448738e..debcc9422 100644
--- a/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
+++ b/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
@@ -2099,4 +2099,5 @@ INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10061',UTC_TIMESTAMP(),'Ranger 3.0.0',UTC_TIMESTAMP(),'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10062',UTC_TIMESTAMP(),'Ranger 3.0.0',UTC_TIMESTAMP(),'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10063',UTC_TIMESTAMP(),'Ranger 3.0.0',UTC_TIMESTAMP(),'localhost','Y');
+INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10064',UTC_TIMESTAMP(),'Ranger 3.0.0',UTC_TIMESTAMP(),'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('JAVA_PATCHES',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');
diff --git
a/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
b/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
index 64e998e24..0e9f5dc36 100644
--- a/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
+++ b/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
@@ -2322,5 +2322,6 @@ INSERT INTO x_db_version_h
(id,version,inst_at,inst_by,updated_at,updated_by,act
INSERT INTO x_db_version_h
(id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES
(X_DB_VERSION_H_SEQ.nextval,'J10061',sys_extract_utc(systimestamp),'Ranger
3.0.0',sys_extract_utc(systimestamp),'localhost','Y');
INSERT INTO x_db_version_h
(id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES
(X_DB_VERSION_H_SEQ.nextval,'J10062',sys_extract_utc(systimestamp),'Ranger
3.0.0',sys_extract_utc(systimestamp),'localhost','Y');
INSERT INTO x_db_version_h
(id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES
(X_DB_VERSION_H_SEQ.nextval,'J10063',sys_extract_utc(systimestamp),'Ranger
3.0.0',sys_extract_utc(systimestamp),'localhost','Y');
+INSERT INTO x_db_version_h
(id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES
(X_DB_VERSION_H_SEQ.nextval,'J10064',sys_extract_utc(systimestamp),'Ranger
3.0.0',sys_extract_utc(systimestamp),'localhost','Y');
INSERT INTO x_db_version_h
(id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES
(X_DB_VERSION_H_SEQ.nextval,'JAVA_PATCHES',sys_extract_utc(systimestamp),'Ranger
1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
commit;
diff --git
a/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
b/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
index 8b0d8ae6e..49a956ebf 100644
--- a/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
+++ b/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
@@ -2255,6 +2255,7 @@ INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10061',current_timestamp,'Ranger 3.0.0',current_timestamp,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10062',current_timestamp,'Ranger 3.0.0',current_timestamp,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10063',current_timestamp,'Ranger 3.0.0',current_timestamp,'localhost','Y');
+INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10064',current_timestamp,'Ranger 3.0.0',current_timestamp,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('JAVA_PATCHES',current_timestamp,'Ranger
1.0.0',current_timestamp,'localhost','Y');
DROP VIEW IF EXISTS vx_principal;
diff --git
a/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
b/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
index 259225314..d1c35a5f4 100644
---
a/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
+++
b/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
@@ -2446,6 +2446,8 @@ INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active
GO
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10063',CURRENT_TIMESTAMP,'Ranger 3.0.0',CURRENT_TIMESTAMP,'localhost','Y');
GO
+INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10064',CURRENT_TIMESTAMP,'Ranger 3.0.0',CURRENT_TIMESTAMP,'localhost','Y');
+GO
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('JAVA_PATCHES',CURRENT_TIMESTAMP,'Ranger
1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
GO
exit
diff --git
a/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
b/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
index f0861b64a..b01132410 100644
--- a/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
+++ b/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
@@ -4736,5 +4736,6 @@ INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10061',CURRENT_TIMESTAMP,'Ranger 3.0.0',CURRENT_TIMESTAMP,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10062',CURRENT_TIMESTAMP,'Ranger 3.0.0',CURRENT_TIMESTAMP,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10063',CURRENT_TIMESTAMP,'Ranger 3.0.0',CURRENT_TIMESTAMP,'localhost','Y');
+INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('J10064',CURRENT_TIMESTAMP,'Ranger 3.0.0',CURRENT_TIMESTAMP,'localhost','Y');
INSERT INTO x_db_version_h
(version,inst_at,inst_by,updated_at,updated_by,active) VALUES
('JAVA_PATCHES',CURRENT_TIMESTAMP,'Ranger
1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
GO
diff --git
a/security-admin/src/main/java/org/apache/ranger/patch/PatchForAtlasPolicyUpdateForEntityRead_J10064.java
b/security-admin/src/main/java/org/apache/ranger/patch/PatchForAtlasPolicyUpdateForEntityRead_J10064.java
new file mode 100644
index 000000000..fe20dbbb4
--- /dev/null
+++
b/security-admin/src/main/java/org/apache/ranger/patch/PatchForAtlasPolicyUpdateForEntityRead_J10064.java
@@ -0,0 +1,155 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.patch;
+
+import org.apache.ranger.biz.ServiceDBStore;
+import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.entity.XXPolicy;
+import org.apache.ranger.entity.XXService;
+import org.apache.ranger.entity.XXServiceDef;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
+import org.apache.ranger.util.CLIUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+
+@Component
+public class PatchForAtlasPolicyUpdateForEntityRead_J10064 extends
org.apache.ranger.patch.BaseLoader {
+ private static final Logger logger =
LoggerFactory.getLogger(PatchForAtlasPolicyUpdateForEntityRead_J10064.class);
+
+ private static final String RESOURCE_ENTITY_TYPE =
"entity-type";
+ private static final String ENTITY_READ =
"entity-read";
+ private static final String RESOURCE_ENTITY_LABEL =
"entity-label";
+ private static final String RESOURCE_ENTITY_BUSINESS_METADATA =
"entity-business-metadata";
+
+ @Autowired
+ RangerDaoManager daoMgr;
+
+ @Autowired
+ ServiceDBStore svcDBStore;
+
+ public static void main(String[] args) {
+ logger.info("main()");
+
+ try {
+ PatchForAtlasPolicyUpdateForEntityRead_J10064 loader =
(PatchForAtlasPolicyUpdateForEntityRead_J10064)
CLIUtil.getBean(PatchForAtlasPolicyUpdateForEntityRead_J10064.class);
+
+ loader.init();
+
+ while (loader.isMoreToProcess()) {
+ loader.load();
+ }
+
+ logger.info("Load complete. Exiting!!!");
+
+ System.exit(0);
+ } catch (Exception e) {
+ logger.error("Error loading", e);
+
+ System.exit(1);
+ }
+ }
+
+ @Override
+ public void init() throws Exception {
+ // Do Nothing
+ }
+
+ @Override
+ public void printStats() {
+ logger.info("PatchForAtlasPolicyUpdateForEntityRead_J10064 Logs");
+ }
+
+ @Override
+ public void execLoad() {
+ logger.info("==>
PatchForAtlasPolicyUpdateForEntityRead_J10064.execLoad()");
+
+ try {
+ updateAtlasPolicyForEntityReadAccessType();
+ } catch (Exception e) {
+ throw new RuntimeException("Error while updating " +
EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME + " service-def", e);
+ }
+
+ logger.info("<==
PatchForAtlasPolicyUpdateForEntityRead_J10064.execLoad()");
+ }
+
+ private boolean removeIfEntityReadPermissionExist(RangerPolicyItem item) {
+ return item.getAccesses().removeIf(itemAccess ->
itemAccess.getType().equals(ENTITY_READ));
+ }
+
+ private void updateAtlasPolicyForEntityReadAccessType() throws Exception {
+ logger.info("==> updateAtlasPolicyForEntityReadAccessType() ");
+
+ XXServiceDef xXServiceDefObj =
daoMgr.getXXServiceDef().findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME);
+
+ if (xXServiceDefObj == null) {
+ logger.debug("ServiceDef not found with name :{}",
EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME);
+
+ return;
+ }
+
+ Long xServiceDefId = xXServiceDefObj.getId();
+ List<XXService> xxServices =
daoMgr.getXXService().findByServiceDefId(xServiceDefId);
+
+ for (XXService xxService : xxServices) {
+ List<XXPolicy> xxPolicies =
daoMgr.getXXPolicy().findByServiceId(xxService.getId());
+
+ for (XXPolicy xxPolicy : xxPolicies) {
+ RangerPolicy rPolicy = svcDBStore.getPolicy(xxPolicy.getId());
+
+ final Map<String, RangerPolicyResource> policyResources =
rPolicy.getResources();
+ final boolean isNonEntityResourceType =
policyResources.containsKey(RESOURCE_ENTITY_LABEL)
+ ||
policyResources.containsKey(RESOURCE_ENTITY_BUSINESS_METADATA);
+ boolean isUpdated = false;
+
+ if (policyResources.containsKey(RESOURCE_ENTITY_TYPE) &&
isNonEntityResourceType) {
+ List<RangerPolicyItem> policyItems =
rPolicy.getPolicyItems();
+ if (policyItems != null) {
+ Iterator<RangerPolicyItem> itemIterator =
policyItems.iterator();
+ while (itemIterator.hasNext()) {
+ RangerPolicyItem item = itemIterator.next();
+ if (removeIfEntityReadPermissionExist(item)) {
+ if (item.getAccesses().isEmpty()) {
+ itemIterator.remove();
+ logger.debug("Removing empty policy item
from policy ID: {}", rPolicy.getId());
+ }
+ isUpdated = true;
+ }
+ }
+ }
+ }
+
+ if (isUpdated) {
+ svcDBStore.updatePolicy(rPolicy);
+
logger.info("PatchForAtlasPolicyUpdateForEntityRead_J10064: updated policy
(id={}, name={}) to remove {} permission",
+ rPolicy.getId(), rPolicy.getName(), ENTITY_READ);
+ }
+ }
+ }
+
+ logger.info("<== updateAtlasPolicyForEntityReadAccessType() ");
+ }
+}
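Review bot: removeIfEntityReadPermissionExist dereferences `itemAccess.getType()` before comparing, so a single policy-item access with a null type would abort the whole patch with an NPE rather than being skipped; `return item.getAccesses().removeIf(itemAccess -> ENTITY_READ.equals(itemAccess.getType()));` is null-safe and reads the same. Only `rPolicy.getPolicyItems()` is scanned; if deny items or allow/deny exceptions of these policies can also carry entity-read (cannot tell from this hunk), they would keep the permission the patch is meant to remove, so either scan those lists too or state in a class comment that only allow items are in scope. The error message in execLoad says "service-def" while the method updates policies; `"Error while updating policies of " + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME + " service"` would describe the failure to an operator reading the log. A short Javadoc on the class naming the condition it rewrites (entity-type policies that also name entity-label or entity-business-metadata, remove the entity-read access) would let a maintainer relate it to the RangerServiceAtlas change without reading both.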