RANGER-1090 : Revoke command with grant option does not disable delegated admin permission for users/groups in the corresponding policy
Signed-off-by: Gautam Borad <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/3a0b69e3 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/3a0b69e3 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/3a0b69e3 Branch: refs/heads/master Commit: 3a0b69e38a72827df26719e565b43d5bfc33d7c6 Parents: 0f0f1d3 Author: pradeep agrawal <[email protected]> Authored: Mon Jul 18 11:37:18 2016 +0530 Committer: Gautam Borad <[email protected]> Committed: Tue Jul 19 17:39:55 2016 +0530
----------------------------------------------------------------------
.../org/apache/ranger/rest/ServiceRESTUtil.java | 40 +++++++++++++-------
1 file changed, 26 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3a0b69e3/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
index d794565..e84a1aa 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
@@ -115,9 +115,9 @@ public class ServiceRESTUtil {
 appliedRangerPolicy.getPolicyItems().add(appliedRangerPolicyItem);
- //List<RangerPolicy.RangerPolicyItem> appliedRangerPolicyItems = appliedRangerPolicy.getPolicyItems();
- processApplyPolicyForItemType(existingRangerPolicy, appliedRangerPolicy, POLICYITEM_TYPE.ALLOW);
- /*if (CollectionUtils.isNotEmpty(appliedRangerPolicyItems)) {
+ List<RangerPolicy.RangerPolicyItem> appliedRangerPolicyItems = appliedRangerPolicy.getPolicyItems();
+ //processApplyPolicyForItemType(existingRangerPolicy, appliedRangerPolicy, POLICYITEM_TYPE.ALLOW);
+ if (CollectionUtils.isNotEmpty(appliedRangerPolicyItems)) {
 Set<String> users = new HashSet<String>();
 Set<String> groups = new HashSet<String>();
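Review bot: The new side keeps `//processApplyPolicyForItemType(existingRangerPolicy, appliedRangerPolicy, POLICYITEM_TYPE.ALLOW);` as a commented-out call right beside the block that replaces it, so the next reader has to guess whether the generic helper is wrong or merely unable to express what revoke needs. Either delete the dead line or turn it into a why-comment such as `// Revoke is processed inline rather than via processApplyPolicyForItemType so the delegated-admin flag can be adjusted per remaining access (RANGER-1090)`. The commit description gives no reason for bypassing the helper, so that wording is inferred from the ticket title and should be confirmed by the author. The enclosing method begins before this hunk and continues after it.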
@@ -135,11 +135,17 @@ public class ServiceRESTUtil {
 for (String user : appliedPolicyItemsUser) {
 RangerPolicy.RangerPolicyItem[] rangerPolicyItems = userPolicyItems.get(user);
 if(rangerPolicyItems!=null && rangerPolicyItems.length>0){
- removeAccesses(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()], tempPolicyItem.getAccesses());
- if(!CollectionUtils.isEmpty(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].getAccesses())){
- rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].setDelegateAdmin(revokeRequest.getDelegateAdmin());
- }else{
- rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].setDelegateAdmin(Boolean.FALSE);
+ if(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()]!=null){
+ removeAccesses(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()], tempPolicyItem.getAccesses());
+ if(!CollectionUtils.isEmpty(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].getAccesses())){
+ rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].setDelegateAdmin(revokeRequest.getDelegateAdmin());
+ }else{
+ rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].setDelegateAdmin(Boolean.FALSE);
+ }
+ }
+ if(rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()]!=null){
+ removeAccesses(rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()], tempPolicyItem.getAccesses());
+ rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()].setDelegateAdmin(Boolean.FALSE);
 }
 }
 }
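Review bot: `rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].setDelegateAdmin(revokeRequest.getDelegateAdmin())` copies the request flag into the surviving ALLOW item unconditionally, so the outcome hinges on what that flag means on a revoke, and nothing in this hunk or the description pins it down. If it carries the caller's grant-option flag the same way a grant does, a `REVOKE ... GRANT OPTION` (flag true) would leave the item with delegated admin enabled — the opposite of the ticket title — while a plain revoke of a single access (flag false) would silently strip delegated admin from an item that keeps its other accesses. If the flag instead means "revoke the grant option", the assignment should be the inverse and otherwise preserve the current value, e.g. `Boolean current = rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].getDelegateAdmin();` followed by `rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].setDelegateAdmin(Boolean.TRUE.equals(current) && !Boolean.TRUE.equals(revokeRequest.getDelegateAdmin()));` (assuming the item exposes a matching getter). Whichever reading is intended, a one-line comment stating it at this assignment and a test covering both flag values belong in this commit, since a policy-integrity change like this is invisible at the API boundary. The method enclosing this loop begins before the hunk and ends after it.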
@@ -149,11 +155,17 @@ public class ServiceRESTUtil {
 for (String group : appliedPolicyItemsGroup) {
 RangerPolicy.RangerPolicyItem[] rangerPolicyItems = groupPolicyItems.get(group);
 if(rangerPolicyItems!=null && rangerPolicyItems.length>0){
- removeAccesses(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()], tempPolicyItem.getAccesses());
- if(!CollectionUtils.isEmpty(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].getAccesses())){
- rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].setDelegateAdmin(revokeRequest.getDelegateAdmin());
- }else{
- rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].setDelegateAdmin(Boolean.FALSE);
+ if(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()]!=null){
+ removeAccesses(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()], tempPolicyItem.getAccesses());
+ if(!CollectionUtils.isEmpty(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].getAccesses())){
+ rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].setDelegateAdmin(revokeRequest.getDelegateAdmin());
+ }else{
+ rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].setDelegateAdmin(Boolean.FALSE);
+ }
+ }
+ if(rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()]!=null){
+ removeAccesses(rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()], tempPolicyItem.getAccesses());
+ rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()].setDelegateAdmin(Boolean.FALSE);
 }
 }
 }
@@ -161,7 +173,7 @@ public class ServiceRESTUtil {
 // Add modified/new policyItems back to existing policy
 mergeProcessedPolicyItems(existingRangerPolicy, userPolicyItems, groupPolicyItems);
 compactPolicy(existingRangerPolicy);
- }*/
+ }
 policyUpdated = true;
 }
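Review bot: The group loop in this hunk is a line-for-line copy of the user loop in the previous hunk, differing only in `groupPolicyItems.get(group)`, so the delegated-admin rule now lives in two places and any later correction to it has to be made twice. Extracting the per-principal body into a private static helper, as below, keeps one copy of the rule and takes the delegated-admin value as a plain `Boolean` so the helper does not depend on the request type. The existing `rangerPolicyItems.length>0` guard protects only index 0, yet the new code also indexes `POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()`; if `splitExistingPolicyItems` does not always size the array to `POLICYITEM_TYPE.values().length` (not visible here) that access can throw, so the helper carries a comment asking for that to be confirmed rather than changing the guard. The helper preserves the hunk's behaviour, including the unconditional `setDelegateAdmin(Boolean.FALSE)` on the DENY_EXCEPTIONS item. The enclosing method begins before this hunk and its `if (CollectionUtils.isNotEmpty(...))` block closes in the following hunk.
```java
	for (String group : appliedPolicyItemsGroup) {
		revokeFromSplitItems(groupPolicyItems.get(group), tempPolicyItem, revokeRequest.getDelegateAdmin());
	}
	// … unchanged: mergeProcessedPolicyItems / compactPolicy …

	/**
	 * Removes the accesses listed in appliedItem from one principal's ALLOW and
	 * DENY_EXCEPTIONS items (as split by splitExistingPolicyItems) and adjusts
	 * their delegated-admin flags. Shared by the user and group loops.
	 *
	 * @param rangerPolicyItems  per-type item slots for one user or group; may be null
	 * @param appliedItem        the pseudo policy item built from the revoke request
	 * @param remainingDelegateAdmin value written to an ALLOW item that still has accesses
	 */
	private static void revokeFromSplitItems(RangerPolicy.RangerPolicyItem[] rangerPolicyItems,
	                                         RangerPolicy.RangerPolicyItem appliedItem,
	                                         Boolean remainingDelegateAdmin) {
		// TODO(review): confirm splitExistingPolicyItems always sizes this array to
		// POLICYITEM_TYPE.values().length; length > 0 alone does not cover DENY_EXCEPTIONS.
		if (rangerPolicyItems == null || rangerPolicyItems.length <= 0) {
			return;
		}
		RangerPolicy.RangerPolicyItem allowItem = rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()];
		if (allowItem != null) {
			removeAccesses(allowItem, appliedItem.getAccesses());
			// An item emptied by the revoke loses delegated admin outright; one that still
			// grants something takes the value supplied by the caller.
			allowItem.setDelegateAdmin(CollectionUtils.isEmpty(allowItem.getAccesses())
					? Boolean.FALSE : remainingDelegateAdmin);
		}
		RangerPolicy.RangerPolicyItem denyExceptionItem = rangerPolicyItems[POLICYITEM_TYPE.DENY_EXCEPTIONS.ordinal()];
		if (denyExceptionItem != null) {
			removeAccesses(denyExceptionItem, appliedItem.getAccesses());
			denyExceptionItem.setDelegateAdmin(Boolean.FALSE);
		}
	}
```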
