-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/75280/
-----------------------------------------------------------

(Updated Dec. 2, 2024, 9:18 a.m.)


Review request for ranger, Madhan Neethiraj and Ramesh Mani.


Bugs: RANGER-5000
    https://issues.apache.org/jira/browse/RANGER-5000


Repository: ranger


Description
-------

Dataset policy creation works even when the policy items are not properly formed in the policy. With this patch it'll validate policy items while creating policy. And below are the validations included.

UseCase-1: Null policy items
---------
    "policyItems": [
        null
    ]

Error Msg:
"msgDesc": "[ Validation failure: error code[3019], reason[policy items object was null], field[policy items], subfield[null], type[]]",

UseCase-2: No principals or Principals object with empty or no values
---------
    "policyItems": [
        {
            "delegateAdmin": false,
            "accesses": [ { "type": "_ALL", "isAllowed": null } ]
        }
    ]

    "policyItems": [
        {
            "delegateAdmin": false,
            "accesses": [ { "type": "_ALL", "isAllowed": null } ],
            "users": [ " " ]
        }
    ]

    "policyItems": [
        {
            "delegateAdmin": false,
            "accesses": [ { "type": "_ALL", "isAllowed": null } ],
            "users": [ ]
        }
    ]

Error Msg:
"msgDesc": "[ Validation failure: error code[3020], reason[All of users, user-groups and roles collections on the policy item were null/empty], field[policy items], subfield[null], type[]]"

UseCase-3: Null or Empty Access Object
---------
    "policyItems": [
        {
            "delegateAdmin": false,
            "accesses": [],
            "users": [ "hive" ]
        }
    ]

    "policyItems": [
        {
            "delegateAdmin": false,
            "accesses": [null],
            "users": [ "hive" ]
        }
    ]

Error Msg:
"msgDesc": "[ Validation failure: error code[3021], reason[policy items access object was null], field[policy items], subfield[null], type[]]"

UseCase-4: Access object with no or empty access type
---------
    "policyItems": [
        {
            "delegateAdmin": false,
            "accesses": [ { "isAllowed": true } ],
            "users": [ "hive" ]
        }
    ]

    "policyItems": [
        {
            "delegateAdmin": false,
            "accesses": [ { "type": " ", "isAllowed": true } ],
            "users": [ "hive" ]
        }
    ]

Error Msg:
"msgDesc": "[ Validation failure: error code[4010], reason[policy items access object has empty or null values for type], field[policy items], subfield[null], type[]]"

Note: No validation exists for isAllowed being null, as it will default to true if isAllowed is passed as NULL.


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 13a362437
  security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java 768192e84
  security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java 627056bfd


Diff: https://reviews.apache.org/r/75280/diff/2/

Changes: https://reviews.apache.org/r/75280/diff/1-2/


Testing
-------

Tested locally.


Thanks,

Radhika Kundam
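
The four checks listed in the review request above, modelled as an added Python example for pre-checking a payload before it is submitted; this is not code from the patch or from Ranger. The function names, the `groups` and `roles` field names, and the choice to collect every failing code rather than stop at the first are assumptions.

```python
import json

# Error codes and reasons as quoted in the review description.
ERRORS = {
    3019: "policy items object was null",
    3020: "All of users, user-groups and roles collections on the policy item were null/empty",
    3021: "policy items access object was null",
    4010: "policy items access object has empty or null values for type",
}
# Assumption: only "users" appears in the description; "groups" and "roles" are assumed names.
PRINCIPAL_FIELDS = ("users", "groups", "roles")


def has_value(values):
    """True when the collection holds at least one non-blank string."""
    return any(isinstance(v, str) and v.strip() for v in values or [])


def validate_policy_items(policy_items):
    """Return the sorted error codes a policyItems array would trigger."""
    codes = set()
    for item in policy_items or []:
        if item is None:                                  # UseCase-1
            codes.add(3019)
            continue
        if not any(has_value(item.get(f)) for f in PRINCIPAL_FIELDS):
            codes.add(3020)                               # UseCase-2
        accesses = item.get("accesses") or []
        if not accesses or any(a is None for a in accesses):
            codes.add(3021)                               # UseCase-3
        if any(a is not None and not has_value([a.get("type")]) for a in accesses):
            codes.add(4010)                               # UseCase-4
        # isAllowed is deliberately not checked: per the description a null defaults to true.
    return sorted(codes)


def check(payload):
    """Validate a JSON document of the form {"policyItems": [...]}."""
    return validate_policy_items(json.loads(payload).get("policyItems"))


if __name__ == "__main__":
    # Constructed payloads modelled on the use cases in the description.
    samples = [
        '{"policyItems": [null]}',
        '{"policyItems": [{"accesses": [{"type": "_ALL", "isAllowed": null}], "users": [" "]}]}',
        '{"policyItems": [{"accesses": [null], "users": ["hive"]}]}',
        '{"policyItems": [{"accesses": [{"type": " ", "isAllowed": true}], "users": ["hive"]}]}',
    ]
    for s in samples:
        print([(c, ERRORS[c]) for c in check(s)])
```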