Posted to commits@ranger.apache.org by ma...@apache.org on 2023/04/17 04:43:11 UTC
[ranger] branch master updated: RANGER-4177: fail policy create/update when it references non-existing users/groups/roles
This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 9c523c204 RANGER-4177: fail policy create/update when it references non-existing users/groups/roles
9c523c204 is described below
commit 9c523c204c125df903d17ad72d2a89181a522b93
Author: Madhan Neethiraj <ma...@apache.org>
AuthorDate: Fri Apr 7 17:22:11 2023 -0700
RANGER-4177: fail policy create/update when it references non-existing users/groups/roles
---
.../java/org/apache/ranger/biz/PolicyRefUpdater.java | 14 +++++++++-----
.../java/org/apache/ranger/biz/RangerBizUtil.java | 7 +++++++
.../java/org/apache/ranger/biz/ServiceDBStore.java | 8 ++++----
.../security/context/RangerAdminOpContext.java | 8 ++++++++
.../filter/RangerSecurityContextFormationFilter.java | 20 ++++++++++++++++++++
5 files changed, 48 insertions(+), 9 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
index 4581112fe..83f662518 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
@@ -98,7 +98,7 @@ public class PolicyRefUpdater {
@Autowired
RESTErrorUtil restErrorUtil;
- public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy, XXServiceDef xServiceDef, boolean isDefaultPolicy) throws Exception {
+ public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy, XXServiceDef xServiceDef, boolean createPrincipalsIfAbsent) throws Exception {
if(policy == null) {
return;
}
@@ -169,7 +169,11 @@ public class PolicyRefUpdater {
}
daoMgr.getXXPolicyRefResource().batchCreate(xPolResources);
- final boolean isAdmin = rangerBizUtil.checkAdminAccess() || isDefaultPolicy;
+ if (createPrincipalsIfAbsent && !rangerBizUtil.checkAdminAccess()) {
+ LOG.warn("policy=" + policy.getName() + ": createPrincipalIfAbsent=true, but current user does not have admin privileges!");
+
+ createPrincipalsIfAbsent = false;
+ }
List<XXPolicyRefRole> xPolRoles = new ArrayList<>();
for (String role : roleNames) {
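Review bot: The warn message in the new admin guard spells the flag `createPrincipalIfAbsent` while the parameter, the HTTP request parameter and the op-context field are all `createPrincipalsIfAbsent`, so the log line will not match a search for the API name; I would change it to `LOG.warn("policy=" + policy.getName() + ": createPrincipalsIfAbsent=true, but current user does not have admin privileges!");` and include the requesting user's login id if the util exposes it, since this is the line an operator will look for when a non-admin tried to auto-create principals. Reassigning the parameter in place is also easy to miss in a method this long; computing `final boolean createPrincipals = createPrincipalsIfAbsent && rangerBizUtil.checkAdminAccess();` once, keeping the warn for the mismatch case, and using `createPrincipals` at the three `if` sites in the ROLE, GROUP and USER hunks reads more clearly. Note that the removed line combined admin access with `isDefaultPolicy`, so default policies (ServiceDBStore's `createPolicy(policy, true)`) previously created missing principals regardless of the caller's privilege, whereas the new guard sends a non-admin caller into the error branch — presumably intended, but worth a comment at the guard such as `// missing principals are created only on explicit request by an admin; otherwise the unresolved reference is reported as an error below`. createNewPolMappingForRefTable starts before and continues after this hunk.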
@@ -178,7 +182,7 @@ public class PolicyRefUpdater {
}
PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.ROLE, role, xPolicy);
if (!associator.doAssociate(false)) {
- if (isAdmin) {
+ if (createPrincipalsIfAbsent) {
rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator);
} else {
VXResponse gjResponse = new VXResponse();
@@ -198,7 +202,7 @@ public class PolicyRefUpdater {
PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.GROUP, group, xPolicy);
if (!associator.doAssociate(false)) {
- if (isAdmin) {
+ if (createPrincipalsIfAbsent) {
rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator);
} else {
VXResponse gjResponse = new VXResponse();
@@ -215,7 +219,7 @@ public class PolicyRefUpdater {
}
PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.USER, user, xPolicy);
if (!associator.doAssociate(false)) {
- if (isAdmin) {
+ if (createPrincipalsIfAbsent) {
rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator);
} else {
VXResponse gjResponse = new VXResponse();
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index f9294c1e1..155fa357d 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -1538,6 +1538,13 @@ public class RangerBizUtil {
return isBulkMode();
}
+ public boolean getCreatePrincipalsIfAbsent() {
+ RangerAdminOpContext opContext = RangerContextHolder.getOpContext();
+ Boolean ret = opContext != null ? opContext.getCreatePrincipalsIfAbsent() : null;
+
+ return ret != null ? ret : false;
+ }
+
//should be used only in bulk operation like importPolicies, policies delete.
public void bulkModeOnlyFlushAndClear() {
if (batchClearEnabled) {
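Review bot: getCreatePrincipalsIfAbsent has no Javadoc, and its null-to-false mapping deserves a sentence because it is the fail-closed default for every caller that does not run under the request filter (no op context, or a context that never saw the parameter). Suggest `/** Returns the request-scoped createPrincipalsIfAbsent flag; false when there is no op context or the request did not set it. */` above the method, and the body can be reduced to `return opContext != null && Boolean.TRUE.equals(opContext.getCreatePrincipalsIfAbsent());`, which avoids the explicit unboxing and the intermediate Boolean.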
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 14f937bee..e52a92e04 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -2000,7 +2000,7 @@ public class ServiceDBStore extends AbstractServiceStore {
@Override
public RangerPolicy createPolicy(RangerPolicy policy) throws Exception {
- return createPolicy(policy, false);
+ return createPolicy(policy, bizUtil.getCreatePrincipalsIfAbsent());
}
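Review bot: createPolicy(RangerPolicy) now takes its second argument from thread-local request state via bizUtil.getCreatePrincipalsIfAbsent(), which is invisible at the call site and evaluates to false for any caller not running under the security filter (policy import, internal jobs); that contract should be stated on the method rather than discovered by reading RangerBizUtil. Suggest a Javadoc on the override: `/** Creates the policy. Users/groups/roles it references that do not exist are created only when the current request set createPrincipalsIfAbsent=true and the caller has admin privileges (enforced in PolicyRefUpdater); otherwise unresolved references are reported as an error. */`. The same note applies to the update path that passes bizUtil.getCreatePrincipalsIfAbsent() in the last hunk of this file.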
@Override
@@ -2008,7 +2008,7 @@ public class ServiceDBStore extends AbstractServiceStore {
return createPolicy(policy, true);
}
- public RangerPolicy createPolicy(RangerPolicy policy, boolean isDefaultPolicy) throws Exception {
+ public RangerPolicy createPolicy(RangerPolicy policy, boolean createPrincipalsIfAbsent) throws Exception {
RangerService service = getServiceByName(policy.getService());
@@ -2057,7 +2057,7 @@ public class ServiceDBStore extends AbstractServiceStore {
}
XXPolicy xCreatedPolicy = daoMgr.getXXPolicy().getById(policy.getId());
- policyRefUpdater.createNewPolMappingForRefTable(policy, xCreatedPolicy, xServiceDef, isDefaultPolicy);
+ policyRefUpdater.createNewPolMappingForRefTable(policy, xCreatedPolicy, xServiceDef, createPrincipalsIfAbsent);
createOrMapLabels(xCreatedPolicy, uniquePolicyLabels);
RangerPolicy createdPolicy = policyService.getPopulatedViewObject(xCreatedPolicy);
@@ -2230,7 +2230,7 @@ public class ServiceDBStore extends AbstractServiceStore {
policyRefUpdater.cleanupRefTables(policy);
deleteExistingPolicyLabel(policy);
- policyRefUpdater.createNewPolMappingForRefTable(policy, newUpdPolicy, xServiceDef, false);
+ policyRefUpdater.createNewPolMappingForRefTable(policy, newUpdPolicy, xServiceDef, bizUtil.getCreatePrincipalsIfAbsent());
createOrMapLabels(newUpdPolicy, uniquePolicyLabels);
RangerPolicy updPolicy = policyService.getPopulatedViewObject(newUpdPolicy);
diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAdminOpContext.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAdminOpContext.java
index a447882ab..c1d13ac1e 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAdminOpContext.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAdminOpContext.java
@@ -24,6 +24,7 @@ import java.io.Serializable;
public class RangerAdminOpContext implements Serializable {
private static final long serialVersionUID = 1L;
private boolean bulkModeContext = false;
+ private Boolean createPrincipalsIfAbsent = null;
public boolean isBulkModeContext() {
return bulkModeContext;
@@ -33,4 +34,11 @@ public class RangerAdminOpContext implements Serializable {
this.bulkModeContext = bulkMode;
}
+ public Boolean getCreatePrincipalsIfAbsent() {
+ return createPrincipalsIfAbsent;
+ }
+
+ public void setCreatePrincipalsIfAbsent(Boolean createPrincipalsIfAbsent) {
+ this.createPrincipalsIfAbsent = createPrincipalsIfAbsent;
+ }
}
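Review bot: The new field is a boxed Boolean so that null can express "not specified by the request", distinct from false, but nothing in the class says so, and a future reader may unbox the getter's result directly. Suggest a field comment `// null = not specified by the request; consumers must treat null as false` and a matching `@return` on getCreatePrincipalsIfAbsent noting that null means unset. The setter's Javadoc should say that it is populated from the HTTP request by RangerSecurityContextFormationFilter and carries no authorization decision of its own.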
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
index 782fe1173..fee1d5895 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
@@ -40,6 +40,7 @@ import org.apache.ranger.common.PropertiesUtil;
import org.apache.ranger.common.RequestContext;
import org.apache.ranger.common.UserSessionBase;
import org.apache.ranger.entity.XXAuthSession;
+import org.apache.ranger.security.context.RangerAdminOpContext;
import org.apache.ranger.security.context.RangerContextHolder;
import org.apache.ranger.security.context.RangerSecurityContext;
import org.apache.ranger.util.RestUtil;
@@ -132,6 +133,9 @@ public class RangerSecurityContextFormationFilter extends GenericFilterBean {
context.setUserSession(userSession);
}
+
+ setupAdminOpContext(request);
+
HttpServletResponse res = (HttpServletResponse)response;
res.setHeader("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate");
res.setHeader("X-Frame-Options", "DENY" );
@@ -148,6 +152,22 @@ public class RangerSecurityContextFormationFilter extends GenericFilterBean {
}
}
+ private void setupAdminOpContext(ServletRequest request) {
+ Object attrCreatePrincipalsIfAbsent = request.getParameter("createPrincipalsIfAbsent");
+
+ if (attrCreatePrincipalsIfAbsent != null) {
+ RangerAdminOpContext opContext = RangerContextHolder.getOpContext();
+
+ if (opContext == null) {
+ opContext = new RangerAdminOpContext();
+
+ RangerContextHolder.setOpContext(opContext);
+ }
+
+ opContext.setCreatePrincipalsIfAbsent(Boolean.parseBoolean(attrCreatePrincipalsIfAbsent.toString()));
+ }
+ }
+
private int getAuthType(HttpServletRequest request) {
int authType;
Object ssoEnabledObj = request.getAttribute("ssoEnabled");
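Review bot: setupAdminOpContext writes the flag only when the `createPrincipalsIfAbsent` parameter is present, and the op context it takes from RangerContextHolder looks like thread-bound state that may outlive the request; unless doFilter resets the op context in a finally block (outside this hunk), a `createPrincipalsIfAbsent=true` recorded for an earlier request on the same pooled thread would be inherited by a later request that did not send the parameter, and only the admin check in PolicyRefUpdater would stand between that and principal creation. Clearing the field on an existing context when the parameter is absent closes the gap: read `String param = request.getParameter("createPrincipalsIfAbsent");`, create the context only when `param != null` as now, and otherwise, if a context already exists, call `opContext.setCreatePrincipalsIfAbsent(null);`. Using `String` here also drops the needless `Object` declaration and `toString()` call, since getParameter already returns a String. A method comment such as `// records the caller's request only; whether missing principals may actually be created is decided in PolicyRefUpdater (admin privilege required)` would make clear that this filter is not the authorization point.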