RANGER-551 Policy Validation: If resource levels are not valid for any hierarchy then checks about missing mandatory levels should be skipped
Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/59810b2d Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/59810b2d Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/59810b2d Branch: refs/heads/HDP-2.3.2-groupid Commit: 59810b2dccfb93f708705f8e13b181d07a0b639b Parents: 4d3192f Author: Alok Lal <[email protected]> Authored: Fri Jun 12 16:29:04 2015 -0700 Committer: Alok Lal <[email protected]> Committed: Wed Sep 2 13:09:42 2015 -0700 ---------------------------------------------------------------------- .../model/validation/RangerPolicyValidator.java | 38 ++++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/59810b2d/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
index d27b667..84f750d 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
@@ -322,26 +322,26 @@ public class RangerPolicyValidator extends RangerValidator {
 valid = false;
 } else {
 if (LOG.isDebugEnabled()) {
- LOG.debug("isValidResourceNames: Found compatible hierarchies: " + toStringHierarchies_all(candidateHierarchies, defHelper));
+ LOG.debug("isValidResourceNames: Found [" + candidateHierarchies.size() + "] compatible hierarchies: " + toStringHierarchies_all(candidateHierarchies, defHelper));
 }
- }
- /*
- * Among the candidate hierarchies there should be at least one for which policy specifies all of the mandatory resources. Note that there could be multiple
- * hierarchies that meet that criteria, e.g. a hive policy that specified only DB. It is not clear if it belongs to DB->UDF or DB->TBL->COL hierarchy.
- * However, if both UDF and TBL were required then we can detect that policy does not specify mandatory levels for any of the candidate hierarchies.
- */
- Set<List<RangerResourceDef>> validHierarchies = filterHierarchies_mandatoryResourcesSpecifiedInPolicy(policyResources, candidateHierarchies, defHelper);
- if (validHierarchies.isEmpty()) {
- failures.add(new ValidationFailureDetailsBuilder()
- .field("resources")
- .subField("missing mandatory")
- .isSemanticallyIncorrect()
- .becauseOf("policy is missing required resources. Mandatory fields of potential hierarchies are: " + toStringHierarchies_mandatory(candidateHierarchies, defHelper))
- .build());
- valid = false;
- } else {
- if (LOG.isDebugEnabled()) {
- LOG.debug("isValidResourceNames: Found hierarchies with all mandatory fields specified: " + toStringHierarchies_mandatory(validHierarchies, defHelper));
+ /*
+ * Among the candidate hierarchies there should be at least one for which policy specifies all of the mandatory resources. Note that there could be multiple
+ * hierarchies that meet that criteria, e.g. a hive policy that specified only DB. It is not clear if it belongs to DB->UDF or DB->TBL->COL hierarchy.
+ * However, if both UDF and TBL were required then we can detect that policy does not specify mandatory levels for any of the candidate hierarchies.
+ */
+ Set<List<RangerResourceDef>> validHierarchies = filterHierarchies_mandatoryResourcesSpecifiedInPolicy(policyResources, candidateHierarchies, defHelper);
+ if (validHierarchies.isEmpty()) {
+ failures.add(new ValidationFailureDetailsBuilder()
+ .field("resources")
+ .subField("missing mandatory")
+ .isSemanticallyIncorrect()
+ .becauseOf("policy is missing required resources. Mandatory fields of potential hierarchies are: " + toStringHierarchies_mandatory(candidateHierarchies, defHelper))
+ .build());
+ valid = false;
+ } else {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("isValidResourceNames: Found hierarchies with all mandatory fields specified: " + toStringHierarchies_mandatory(validHierarchies, defHelper));
+ }
 }
 }
 }
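Review bot: The block comment that moved into the `else` branch along with the mandatory-levels check still does not explain why that check is now conditional; I would add a line such as `* Skipped when no hierarchy is compatible: that case has already recorded a failure and set valid = false, so the policy is still rejected.` The condition of the first branch is outside the hunk, so this reading rests on the commit title and the visible `valid = false; } else {` context. Because this is authorization-policy validation, a unit test that submits resources matching no hierarchy and asserts an invalid result with only the one failure would pin the fail-closed behaviour; the diffstat shows no test file in this commit. The enclosing method starts and ends outside the hunk.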
