----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/75004/#review226644 -----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java Line 1002 (original), 1011 (patched) <https://reviews.apache.org/r/75004/#comment314908> Consider moving this to a static, to avoid instantiation on every call to isValidPolicyItem(). private static final Set<String> INVALID_POLICY_ITEM_VALUES = new HashSet<>(Arrays.asList("null", "NULL", "Null", null, "")); Also, consider replacing the following with a call to invalidItems.contains(), as shown: - CollectionUtils.containsAny(policyItem.getUsers(), INVALID_POLICY_ITEM_VALUES) => INVALID_POLICY_ITEM_VALUES.contains(policyItem.getUsers()) - CollectionUtils.containsAny(policyItem.getGroups(), INVALID_POLICY_ITEM_VALUES) => INVALID_POLICY_ITEM_VALUES.contains(policyItem.getGroups()) - CollectionUtils.containsAny(policyItem.getRoles(), INVALID_POLICY_ITEM_VALUES) => INVALID_POLICY_ITEM_VALUES.contains(policyItem.getRoles()) agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java Lines 1031 (patched) <https://reviews.apache.org/r/75004/#comment314907> Empty row-filter should be allowed, as this used to exclude row-filter for specific users/groups/roles. Consider following items to allow the owner of a table to see all rows in the table, other users should only see rows having column status as 'ACTIVE': - users=[{OWNER}], rowFilterInfo.filterExpr="" - groups=[public], rowFilterInfo.filterExpr="status = 'ACTIVE'" - Madhan Neethiraj On July 9, 2024, 12:46 p.m., Rakesh Gupta wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/75004/ > ----------------------------------------------------------- > > (Updated July 9, 2024, 12:46 p.m.) > > > Review request for ranger, Dineshkumar Yadav, Kishor Gollapalliwar, Abhay > Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, > sanket shelar, Sailaja Polavarapu, and Velmurugan Periasamy. > > > Bugs: RANGER-4795 > https://issues.apache.org/jira/browse/RANGER-4795 > > > Repository: ranger > > > Description > ------- > > There is an inconsistency between Ranger API and UI not doing the same > validation for Policy creation. > > Policy creation API should fail when a policy with all empty values and along > with [""] or ["null"] in policyItem --> users, groups and roles. > > Similar validation should be applied for data masking and row filter Policy. > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java > d73d91b36 > > > Diff: https://reviews.apache.org/r/75004/diff/3/ > > > Testing > ------- > > Verified while creating/updating Policy API fails, when users, groups, roles, > data masking, and row filter fields are all empty values or contain arrays > with empty strings (e.g. [""]) within the policy items. > > > Thanks, > > Rakesh Gupta > >
