Repository: incubator-ranger Updated Branches: refs/heads/ranger-0.5 d762ebd56 -> bc776c0cd
RANGER-882 : Policy engine initialization should handle incorrect values in policies Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/bc776c0c Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/bc776c0c Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/bc776c0c Branch: refs/heads/ranger-0.5 Commit: bc776c0cdcc32b225d1418525afa7b8ea6e809d8 Parents: d762ebd Author: Pradeep Agrawal <[email protected]> Authored: Wed Mar 23 08:28:20 2016 +0530 Committer: Gautam Borad <[email protected]> Committed: Wed Mar 23 14:18:50 2016 +0530 ---------------------------------------------------------------------- .../plugin/errors/ValidationErrorCode.java | 1 + .../model/validation/RangerPolicyValidator.java | 22 ++++++++++++++++++++ .../org/apache/ranger/biz/ServiceDBStore.java | 19 ++++++++++------- 3 files changed, 34 insertions(+), 8 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bc776c0c/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
index 72f7205..2f9117e 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
@@ -87,6 +87,7 @@ public enum ValidationErrorCode {
 POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_DENY(3023, "Currently deny access types are not supported. Access type is set to deny."),
 POLICY_VALIDATION_ERR_INVALID_RESOURCE_NO_COMPATIBLE_HIERARCHY_SINGLE(3024, "Invalid resources specified. {0} policy can specify values for the following resources: {1}"),
 POLICY_VALIDATION_ERR_INVALID_RESOURCE_MISSING_MANDATORY_SINGLE(3025, "Invalid resources specified. {0} policy must specify values for the following resources: {1}"),
+ POLICY_VALIDATION_ERR_MISSING_RESOURCE_LIST(3026, "Resource list was empty or contains null. At least one resource must be specified"),
 ;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bc776c0c/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
index 66768c2..2bbff05 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
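Review bot: The message added for `POLICY_VALIDATION_ERR_MISSING_RESOURCE_LIST` in ValidationErrorCode.java has no `{0}` placeholder, although the neighbouring constants use `{0}`/`{1}` and the caller added in RangerPolicyValidator passes the resource name through `error.getMessage(name)`. If getMessage substitutes its arguments into the template, as the other messages suggest, the name is discarded and the failure text does not say which resource had the empty list. A template such as `"Resource list for {0} was empty or contained only null/blank values. At least one resource value must be specified"` would keep the message consistent with the argument being passed.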
@@ -559,6 +559,28 @@ public class RangerPolicyValidator extends RangerValidator {
 for (Map.Entry<String, RangerPolicyResource> entry : resourceMap.entrySet()) {
 String name = entry.getKey();
 RangerPolicyResource policyResource = entry.getValue();
+ if(policyResource != null && CollectionUtils.isNotEmpty(policyResource.getValues())){
+ Set<String> resources = new HashSet<String>(policyResource.getValues());
+ for (String aValue : resources) {
+ if (StringUtils.isBlank(aValue)) {
+ policyResource.getValues().remove(aValue);
+ }
+ }
+ }
+ if(CollectionUtils.isEmpty(policyResource.getValues())){
+ ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_RESOURCE_LIST;
+ if(LOG.isDebugEnabled()) {
+ LOG.debug(String.format("Resource list was empty or contains null: value[%s], resource-name[%s], service-def-name[%s]", policyResource.getValues(), name, serviceDef.getName()));
+ }
+ failures.add(new ValidationFailureDetailsBuilder()
+ .field("resource-values")
+ .subField(name)
+ .isMissing()
+ .becauseOf(error.getMessage(name))
+ .errorCode(error.getErrorCode())
+ .build());
+ valid=false;
+ }
 if (validationRegExMap.containsKey(name) && policyResource != null && CollectionUtils.isNotEmpty(policyResource.getValues())) {
 String regEx = validationRegExMap.get(name);
 for (String aValue : policyResource.getValues()) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bc776c0c/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 1720063..6fc6ff1 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
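Review bot: In RangerPolicyValidator.java the second added check, `if(CollectionUtils.isEmpty(policyResource.getValues()))`, dereferences `policyResource` without the null guard used by the first added `if` and by the regex check that follows, so a null map entry would throw a NullPointerException instead of being reported as a validation failure; the debug log inside it repeats the dereference. The cleanup loop also iterates a HashSet copy and calls `List.remove(Object)`, which removes only the first occurrence, so a list holding two nulls or two blank strings keeps one of them and then passes the emptiness check. Since this validator gates what is stored as an authorization policy, both cases should end in a reported failure; the sketch below reads the list once and strips every blank entry through an iterator. It assumes getValues() returns the live mutable list, as the existing remove call implies, and that Iterator and List are imported in the file. The enclosing method begins before this hunk and the `for` loop continues past it.

```java
RangerPolicyResource policyResource = entry.getValue();
List<String> values = policyResource == null ? null : policyResource.getValues();
if (CollectionUtils.isNotEmpty(values)) {
	for (Iterator<String> it = values.iterator(); it.hasNext(); ) {
		if (StringUtils.isBlank(it.next())) {
			it.remove(); // drops every null or blank entry, not only the first occurrence
		}
	}
}
if (CollectionUtils.isEmpty(values)) {
	// … unchanged: debug log and failure builder, logging `values` instead of policyResource.getValues() …
}
// … unchanged: regex validation of the remaining values …
```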
@@ -1997,14 +1997,17 @@ public class ServiceDBStore implements ServiceStore {
 xPolRes = daoMgr.getXXPolicyResource().create(xPolRes);
 List<String> values = policyRes.getValues();
- for(int i = 0; i < values.size(); i++) {
- XXPolicyResourceMap xPolResMap = new XXPolicyResourceMap();
- xPolResMap = (XXPolicyResourceMap) rangerAuditFields.populateAuditFields(xPolResMap, xPolRes);
- xPolResMap.setResourceId(xPolRes.getId());
- xPolResMap.setValue(values.get(i));
- xPolResMap.setOrder(i);
-
- xPolResMap = daoMgr.getXXPolicyResourceMap().create(xPolResMap);
+ if(CollectionUtils.isNotEmpty(values)){
+ for(int i = 0; i < values.size(); i++) {
+ if(values.get(i)!=null){
+ XXPolicyResourceMap xPolResMap = new XXPolicyResourceMap();
+ xPolResMap = (XXPolicyResourceMap) rangerAuditFields.populateAuditFields(xPolResMap, xPolRes);
+ xPolResMap.setResourceId(xPolRes.getId());
+ xPolResMap.setValue(values.get(i));
+ xPolResMap.setOrder(i);
+ xPolResMap = daoMgr.getXXPolicyResourceMap().create(xPolResMap);
+ }
+ }
 }
 }
 }
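Review bot: The new guard `if(values.get(i)!=null)` in ServiceDBStore.java skips only null entries, while the validator changed in this same commit rejects anything `StringUtils.isBlank`, so an empty or whitespace-only value arriving by a path that bypasses validation would still be written to the resource map. If StringUtils is available in this file, `if(StringUtils.isNotBlank(values.get(i))){` would keep the two layers consistent. The skip is also silent and leaves gaps in `setOrder(i)`, and the XXPolicyResource row is created just above regardless, so a resource whose values are all skipped appears to be stored with no values; a warning log at the skip would make such policies traceable. The enclosing method begins outside this hunk.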
