mneethiraj commented on code in PR #766:
URL: https://github.com/apache/ranger/pull/766#discussion_r2608510605
##########
plugin-ozone/src/main/java/org/apache/ranger/authorization/ozone/authorizer/RangerOzoneAuthorizer.java:
##########
@@ -188,6 +213,55 @@ public boolean checkAccess(IOzoneObj ozoneObject,
RequestContext context) {
return returnValue;
}
+ @Override
+ public String generateAssumeRoleSessionPolicy(AssumeRoleRequest
assumeRoleRequest) throws OMException {
+ LOG.debug("==>
RangerOzoneAuthorizer.generateAssumeRoleSessionPolicy(assumeRoleRequest={})",
assumeRoleRequest);
+
+ if (assumeRoleRequest == null) {
+ throw new OMException("invalid request: null",
OMException.ResultCodes.INVALID_REQUEST);
+ } else if (assumeRoleRequest.getClientUgi() == null) {
+ throw new OMException("invalid request: request.clientUgi null",
OMException.ResultCodes.INVALID_REQUEST);
+ } else if (assumeRoleRequest.getTargetRoleName() == null) {
+ throw new OMException("invalid request: request.targetRoleName
null", OMException.ResultCodes.INVALID_REQUEST);
+ }
+
+ RangerBasePlugin plugin = rangerPlugin;
+
+ if (plugin == null) {
+ throw new OMException("Ranger authorizer not initialized",
OMException.ResultCodes.INTERNAL_ERROR);
+ }
+
+ UserGroupInformation ugi = assumeRoleRequest.getClientUgi();
+ RangerAccessResourceImpl resource = new
RangerAccessResourceImpl(Collections.singletonMap(KEY_RESOURCE_ROLE,
assumeRoleRequest.getTargetRoleName()));
+ RangerAccessRequestImpl request = new
RangerAccessRequestImpl(resource, ACCESS_TYPE_ASSUME_ROLE,
ugi.getShortUserName(), Sets.newHashSet(ugi.getGroupNames()), null);
+
+ try {
+ RangerAccessResult result = plugin.isAccessAllowed(request);
+
+ if (result != null && result.getIsAccessDetermined() &&
result.getIsAllowed()) {
+ RangerInlinePolicy inlinePolicy = new
RangerInlinePolicy(RangerPrincipal.PREFIX_ROLE +
assumeRoleRequest.getTargetRoleName(), RangerInlinePolicy.Mode.INLINE, null,
ugi.getShortUserName());
+
+ if (CollectionUtils.isNotEmpty(assumeRoleRequest.getGrants()))
{
+
inlinePolicy.setGrants(assumeRoleRequest.getGrants().stream().map(g ->
toRangerGrant(g,
plugin)).filter(Objects::nonNull).collect(Collectors.toList()));
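Review bot: The `RangerAccessRequestImpl` constructed in this hunk carries only the resource, the `ACCESS_TYPE_ASSUME_ROLE` access type, the short user name and the group set; nothing in the lines shown sets a client IP address, access time or other request context, so any policy condition on those attributes (an IP-restricted role, for instance) cannot be evaluated by `plugin.isAccessAllowed(request)` for the assume-role decision itself. Either populate the request with the caller's context where it is available, or state in the method's documentation that such conditions are enforced only when the returned session policy is used for a resource access. Separately, `filter(Objects::nonNull)` after `toRangerGrant(g, plugin)` silently drops every grant the conversion rejects; logging the dropped grants (at least at debug) would let an operator see why the issued session policy is narrower than what the `AssumeRoleRequest` asked for.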
Review Comment:
@fmorg-git - `checkAccess()` is mandated to ensure that only accesses granted to the role can be permissible with the session-policy. Performing the same for all grants in AssumeRoleRequest is unnecessary:
- as it involves additional authorization checks for all resources and permissions included in grants
- as the permission for the role could change between AssumeRoleRequest processing and use of the returned session-policy to access a resource
- as the context of the AssumeRoleRequest call and subsequent resource access using the session-policy could be different (like different IP addresses), which could in turn impact the authorization, for example, if the role was granted access from specific IP addresses only