mneethiraj commented on code in PR #528: URL: https://github.com/apache/ranger/pull/528#discussion_r1944032450
########## security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java: ########## @@ -2134,7 +2134,7 @@ private RangerPolicyItem transformGrantToPolicyItem(RangerGrant grant) { } if (CollectionUtils.isNotEmpty(conditions)) { - policyItem.setConditions(conditions.stream().map(condition -> new RangerPolicyItemCondition(GDS_POLICY_EXPR_CONDITION, Collections.singletonList(condition))).collect(Collectors.toList())); + policyItem.setConditions(conditions.stream().map(condition -> new RangerPolicyItemCondition(GDS_POLICY_VALIDITY_SCHEDULE_CONDITION, Collections.singletonList(condition))).collect(Collectors.toList()));

Review Comment:
@rameeshm - 'conditions' will have expressions like

```
USER.state = 'CA'
IS_IN_GROUP('sales') && IS_IN_ROLE('manager')
```

To support validitySchedules in grants, I suggest adding member `RangerGrant.validitySchedules`, and then add it to policyItem.conditions as shown below:

```
List<RangerPolicyItemCondition> conditions = new ArrayList<>();

// expression conditions keep the expression condition type
if (CollectionUtils.isNotEmpty(grant.getConditions())) {
    grant.getConditions().stream().map(expr -> new RangerPolicyItemCondition(GDS_POLICY_EXPR_CONDITION, Collections.singletonList(expr))).forEach(conditions::add);
}

// validity schedules are added under their own condition type
if (CollectionUtils.isNotEmpty(grant.getValiditySchedules())) {
    grant.getValiditySchedules().stream().map(schedule -> new RangerPolicyItemCondition(GDS_POLICY_VALIDITY_SCHEDULE_CONDITION, Collections.singletonList(schedule))).forEach(conditions::add);
}

policyItem.setConditions(conditions);
```
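Review bot: On the `+` line in transformGrantToPolicyItem, every entry of `conditions` is now wrapped as GDS_POLICY_VALIDITY_SCHEDULE_CONDITION, so no grant condition is emitted as GDS_POLICY_EXPR_CONDITION any more, and a grant whose restriction was an expression would have that string stored under the schedule type instead. Because these conditions constrain when a grant applies, keep the existing GDS_POLICY_EXPR_CONDITION mapping for `conditions`, build the schedule conditions from a separate input, and add a test for a grant that carries both kinds so the resulting policy item keeps each under its own type.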