Repository: incubator-ranger
Updated Branches:
  refs/heads/master d242dd6e9 -> 9b1fa33ce


RANGER-882 : Policy engine initialization should handle incorrect values in 
policies


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/9b1fa33c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/9b1fa33c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/9b1fa33c

Branch: refs/heads/master
Commit: 9b1fa33ce0326fb19e8641f0a3b105c8b714f8b5
Parents: d242dd6
Author: Pradeep Agrawal <[email protected]>
Authored: Wed Mar 23 14:03:20 2016 +0530
Committer: Gautam Borad <[email protected]>
Committed: Wed Mar 23 14:19:59 2016 +0530

----------------------------------------------------------------------
 .../plugin/errors/ValidationErrorCode.java      |  5 +++--
 .../model/validation/RangerPolicyValidator.java | 22 ++++++++++++++++++++
 .../org/apache/ranger/biz/ServiceDBStore.java   | 19 ++++++++++-------
 3 files changed, 36 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9b1fa33c/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
index 6ac82f5..556f8b3 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
@@ -87,8 +87,9 @@ public enum ValidationErrorCode {
     POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_DENY(3023, "Currently deny 
access types are not supported. Access type is set to deny."),
     
POLICY_VALIDATION_ERR_INVALID_RESOURCE_NO_COMPATIBLE_HIERARCHY_SINGLE(3024, 
"Invalid resources specified. {0} policy can specify values for the following 
resources: {1}"),
     POLICY_VALIDATION_ERR_INVALID_RESOURCE_MISSING_MANDATORY_SINGLE(3025, 
"Invalid resources specified. {0} policy must specify values for the following 
resources: {1}"),
-    POLICY_VALIDATION_ERR_POLICY_UPDATE_MOVE_SERVICE_NOT_ALLOWED(3026, 
"attempt to move policy id={0} from service={1} to service={2} is not allowed"),
-    POLICY_VALIDATION_ERR_POLICY_TYPE_CHANGE_NOT_ALLOWED(3027, "attempt to 
change type of policy id={0} from type={1} to type={2} is not allowed"),
+    POLICY_VALIDATION_ERR_MISSING_RESOURCE_LIST(3026, "Resource list was empty 
or contains null. At least one resource must be specified"),
+    POLICY_VALIDATION_ERR_POLICY_UPDATE_MOVE_SERVICE_NOT_ALLOWED(3027, 
"attempt to move policy id={0} from service={1} to service={2} is not allowed"),
+    POLICY_VALIDATION_ERR_POLICY_TYPE_CHANGE_NOT_ALLOWED(3028, "attempt to 
change type of policy id={0} from type={1} to type={2} is not allowed"),
     ;
 
 
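Review bot: Inserting the new constant at 3026 shifts `POLICY_VALIDATION_ERR_POLICY_UPDATE_MOVE_SERVICE_NOT_ALLOWED` and `POLICY_VALIDATION_ERR_POLICY_TYPE_CHANGE_NOT_ALLOWED` to 3027 and 3028, so any log search, alert rule or client that keys on the numeric code will attribute 3026 and 3027 to a different failure than before this commit. Unless the codes are known to be internal only, leave the two existing values as they were and give the new constant the next free number, e.g. `POLICY_VALIDATION_ERR_MISSING_RESOURCE_LIST(3028, ...)`. The new message also has no `{0}` placeholder although the validator in this commit calls `error.getMessage(name)`, so the resource name is presumably dropped from the text; something like `"Resource list for {0} was empty or contains null. ..."` would keep it.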

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9b1fa33c/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
index d354ac7..5933a33 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
@@ -606,6 +606,28 @@ public class RangerPolicyValidator extends RangerValidator 
{
                for (Map.Entry<String, RangerPolicyResource> entry : 
resourceMap.entrySet()) {
                        String name = entry.getKey();
                        RangerPolicyResource policyResource = entry.getValue();
+                       if(policyResource != null && 
CollectionUtils.isNotEmpty(policyResource.getValues())){
+                               Set<String> resources = new 
HashSet<String>(policyResource.getValues());
+                               for (String aValue : resources) {
+                                       if (StringUtils.isBlank(aValue)) {
+                                               
policyResource.getValues().remove(aValue);
+                                       }
+                               }
+                       }
+                       if(CollectionUtils.isEmpty(policyResource.getValues())){
+                               ValidationErrorCode error = 
ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_RESOURCE_LIST;
+                               if(LOG.isDebugEnabled()) {
+                                       LOG.debug(String.format("Resource list 
was empty or contains null: value[%s], resource-name[%s], 
service-def-name[%s]", policyResource.getValues(), name, serviceDef.getName()));
+                               }
+                               failures.add(new 
ValidationFailureDetailsBuilder()
+                                       .field("resource-values")
+                                       .subField(name)
+                                       .isMissing()
+                                       .becauseOf(error.getMessage(name))
+                                       .errorCode(error.getErrorCode())
+                                       .build());
+                               valid=false;
+                       }
                        if (validationRegExMap.containsKey(name) && 
policyResource != null && 
CollectionUtils.isNotEmpty(policyResource.getValues())) {
                                String regEx = validationRegExMap.get(name);
                                for (String aValue : 
policyResource.getValues()) {
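Review bot: The added `if(CollectionUtils.isEmpty(policyResource.getValues()))` dereferences `policyResource` without the null check that the cleanup block just above it and the existing regex check below it both apply, so a resource map entry with a null value would throw a NullPointerException instead of producing a validation failure; the debug `String.format` inside it has the same dereference. The cleanup loop also calls `remove(aValue)` once per distinct value, so (assuming `getValues()` returns the `List<String>` seen in ServiceDBStore) a list holding the same blank string twice keeps one copy and then passes the emptiness check. Reading the list once into a local and removing through an iterator addresses both, as sketched below; it needs `java.util.Iterator` in scope. The enclosing for loop starts before and continues past this hunk.
```java
RangerPolicyResource policyResource = entry.getValue();
List<String> values = policyResource == null ? null : policyResource.getValues();
if (CollectionUtils.isNotEmpty(values)) {
	// Iterator.remove drops every blank entry, including repeated ones.
	for (Iterator<String> it = values.iterator(); it.hasNext();) {
		if (StringUtils.isBlank(it.next())) {
			it.remove();
		}
	}
}
if (CollectionUtils.isEmpty(values)) {
	// … unchanged: debug log (pass `values` instead of policyResource.getValues()), failures.add(...), valid=false …
}
```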

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9b1fa33c/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 8699d5a..77203dc 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -2407,14 +2407,17 @@ public class ServiceDBStore extends 
AbstractServiceStore {
                        xPolRes = daoMgr.getXXPolicyResource().create(xPolRes);
 
                        List<String> values = policyRes.getValues();
-                       for(int i = 0; i < values.size(); i++) {
-                               XXPolicyResourceMap xPolResMap = new 
XXPolicyResourceMap();
-                               xPolResMap = (XXPolicyResourceMap) 
rangerAuditFields.populateAuditFields(xPolResMap, xPolRes);
-                               xPolResMap.setResourceId(xPolRes.getId());
-                               xPolResMap.setValue(values.get(i));
-                               xPolResMap.setOrder(i);
-
-                               xPolResMap = 
daoMgr.getXXPolicyResourceMap().create(xPolResMap);
+                       if(CollectionUtils.isNotEmpty(values)){
+                               for(int i = 0; i < values.size(); i++) {
+                                       if(values.get(i)!=null){
+                                               XXPolicyResourceMap xPolResMap 
= new XXPolicyResourceMap();
+                                               xPolResMap = 
(XXPolicyResourceMap) rangerAuditFields.populateAuditFields(xPolResMap, 
xPolRes);
+                                               
xPolResMap.setResourceId(xPolRes.getId());
+                                               
xPolResMap.setValue(values.get(i));
+                                               xPolResMap.setOrder(i);
+                                               xPolResMap = 
daoMgr.getXXPolicyResourceMap().create(xPolResMap);
+                                       }
+                               }
                        }
                }
        }
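Review bot: The new `if(values.get(i)!=null)` guard skips only null entries, while RangerPolicyValidator in this same commit treats any blank string as invalid, so an empty or whitespace-only value that reaches this method by a path that bypasses the validator is still written as an XXPolicyResourceMap row. Using `if (StringUtils.isNotBlank(values.get(i))) {` would keep the two layers consistent, assuming StringUtils is already imported in this file. The parent XXPolicyResource row is also created before the values are examined, so a resource whose values are all skipped is left with no map entries, and `setOrder(i)` leaves gaps in the order column where entries were skipped. The enclosing method starts outside the hunk.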
