Repository: incubator-ranger Updated Branches: refs/heads/master aac45d633 -> 101d17673
RANGER-436 policy item with empty access list is valid if delegated admin is true Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/101d1767 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/101d1767 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/101d1767 Branch: refs/heads/master Commit: 101d17673d553dbd2c2369837a8243ab8727bc30 Parents: aac45d6 Author: Alok Lal <[email protected]> Authored: Mon Apr 27 22:42:31 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Mon Apr 27 22:59:48 2015 -0700 ---------------------------------------------------------------------- .../model/validation/RangerPolicyValidator.java | 18 +++++++++++------- .../validation/TestRangerPolicyValidator.java | 12 ++++++++++++ 2 files changed, 23 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/101d1767/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
index 991b641..1d7f450 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
@@ -479,14 +479,18 @@ public class RangerPolicyValidator extends RangerValidator {
 if (policyItem == null) {
 LOG.debug("policy item was null!");
 } else {
- // access items collection can't be empty and should be otherwise valid
+ // access items collection can't be empty (unless delegated admin is true) and should be otherwise valid
 if (CollectionUtils.isEmpty(policyItem.getAccesses())) {
- failures.add(new ValidationFailureDetailsBuilder()
- .field("policy item accesses")
- .isMissing()
- .becauseOf("policy items accesses collection was null")
- .build());
- valid = false;
+ if (!Boolean.TRUE.equals(policyItem.getDelegateAdmin())) {
+ failures.add(new ValidationFailureDetailsBuilder()
+ .field("policy item accesses")
+ .isMissing()
+ .becauseOf("policy items accesses collection was null")
+ .build());
+ valid = false;
+ } else {
+ LOG.debug("policy item collection was null but delegated admin is true. Ok");
+ }
 } else {
 valid = isValidItemAccesses(policyItem.getAccesses(), failures, serviceDef) && valid;
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/101d1767/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java ----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
index 90d7c06..2fd1d6a 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
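Review bot: In the RangerPolicyValidator.java hunk, the debug message in the new inner `else` branch says the "policy item collection was null", but the branch is reached through `CollectionUtils.isEmpty(...)`, so the accesses list may be null or merely empty, and it is the accesses collection rather than the item collection that is missing. A message such as `LOG.debug("policy item accesses were null or empty but delegated admin is true. Ok");` would match the condition. Because this branch now accepts an item that grants delegated admin without naming any access type, it is worth confirming that the check for a non-empty user/group list still runs for such items; that check, if present, is outside this hunk, as are the start and end of the enclosing method.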
@@ -490,6 +490,18 @@ public class TestRangerPolicyValidator { } @Test + public void test_isValidPolicyItem_happPath() { + // A policy item with no access is valid if it has delegated admin turned on and one user/group specified. + RangerPolicyItem policyItem = mock(RangerPolicyItem.class); + when(policyItem.getAccesses()).thenReturn(null); + when(policyItem.getDelegateAdmin()).thenReturn(true); + // create a non-empty user-list + List<String> users = Arrays.asList("user1"); + when(policyItem.getUsers()).thenReturn(users); + _failures.clear(); assertTrue(_validator.isValidPolicyItem(policyItem, _failures, _serviceDef)); + assertTrue(_failures.isEmpty()); + } + @Test public void test_isValidItemAccesses_happyPath() { // happy path
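Review bot: The added test pins only one corner of the relaxed rule, `getAccesses()` returning `null` with `getDelegateAdmin()` returning `true`; an empty but non-null accesses list takes the same validator branch and is not exercised, and nothing in this hunk asserts that empty accesses with delegate admin `false` or `null` is still rejected. Since the change loosens validation of a privilege-granting field, a companion case such as `when(policyItem.getDelegateAdmin()).thenReturn(null);` followed by `assertFalse(_validator.isValidPolicyItem(policyItem, _failures, _serviceDef));` would guard the gate, unless a test outside this hunk already covers it. The method name `test_isValidPolicyItem_happPath` looks like a typo for `happyPath`, and `_failures.clear();` shares a line with the first `assertTrue`.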
