Posted to commits@ranger.apache.org by ma...@apache.org on 2023/04/17 04:43:11 UTC

[ranger] branch master updated: RANGER-4177: fail policy create/update when it references non-existing users/groups/roles

This is an automated email from the ASF dual-hosted git repository.

madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 9c523c204 RANGER-4177: fail policy create/update when it references non-existing users/groups/roles
9c523c204 is described below

commit 9c523c204c125df903d17ad72d2a89181a522b93
Author: Madhan Neethiraj <ma...@apache.org>
AuthorDate: Fri Apr 7 17:22:11 2023 -0700

    RANGER-4177: fail policy create/update when it references non-existing users/groups/roles
---
 .../java/org/apache/ranger/biz/PolicyRefUpdater.java | 14 +++++++++-----
 .../java/org/apache/ranger/biz/RangerBizUtil.java    |  7 +++++++
 .../java/org/apache/ranger/biz/ServiceDBStore.java   |  8 ++++----
 .../security/context/RangerAdminOpContext.java       |  8 ++++++++
 .../filter/RangerSecurityContextFormationFilter.java | 20 ++++++++++++++++++++
 5 files changed, 48 insertions(+), 9 deletions(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
index 4581112fe..83f662518 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
@@ -98,7 +98,7 @@ public class PolicyRefUpdater {
 	@Autowired
 	RESTErrorUtil restErrorUtil;
 
-	public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy, XXServiceDef xServiceDef, boolean isDefaultPolicy) throws Exception {
+	public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy, XXServiceDef xServiceDef, boolean createPrincipalsIfAbsent) throws Exception {
 		if(policy == null) {
 			return;
 		}
@@ -169,7 +169,11 @@ public class PolicyRefUpdater {
 		}
 		daoMgr.getXXPolicyRefResource().batchCreate(xPolResources);
 
-		final boolean isAdmin = rangerBizUtil.checkAdminAccess() || isDefaultPolicy;
+		if (createPrincipalsIfAbsent && !rangerBizUtil.checkAdminAccess()) {
+			LOG.warn("policy=" + policy.getName() + ": createPrincipalIfAbsent=true, but current user does not have admin privileges!");
+
+			createPrincipalsIfAbsent = false;
+		}
 
 		List<XXPolicyRefRole> xPolRoles = new ArrayList<>();
 		for (String role : roleNames) {
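Review bot: The added warning names the flag `createPrincipalIfAbsent` while the parameter it reports on (and the request parameter the filter reads) is `createPrincipalsIfAbsent`, so a log search for the real flag name misses this line; the message should use the same spelling. Reassigning the method parameter to record the downgrade is easy to overlook when reading the loops below; a final local states the effective decision once, e.g. `final boolean createPrincipals = createPrincipalsIfAbsent && rangerBizUtil.checkAdminAccess();` with the warn guarded by `if (createPrincipalsIfAbsent && !createPrincipals)`, and the three later hunks (role, group and user loops) testing `createPrincipals`. This is also the place where the old `|| isDefaultPolicy` bypass disappears, so a one-line Javadoc on the method saying that missing principals are created only for admin callers that requested it would document the new contract. createNewPolMappingForRefTable continues outside the hunk.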
@@ -178,7 +182,7 @@ public class PolicyRefUpdater {
 			}
 			PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.ROLE, role, xPolicy);
 			if (!associator.doAssociate(false)) {
-				if (isAdmin) {
+				if (createPrincipalsIfAbsent) {
 					rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator);
 				} else {
 					VXResponse gjResponse = new VXResponse();
@@ -198,7 +202,7 @@ public class PolicyRefUpdater {
 
 			PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.GROUP, group, xPolicy);
 			if (!associator.doAssociate(false)) {
-				if (isAdmin) {
+				if (createPrincipalsIfAbsent) {
 					rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator);
 				} else {
 					VXResponse gjResponse = new VXResponse();
@@ -215,7 +219,7 @@ public class PolicyRefUpdater {
 			}
 			PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.USER, user, xPolicy);
 			if (!associator.doAssociate(false)) {
-				if (isAdmin) {
+				if (createPrincipalsIfAbsent) {
 					rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator);
 				} else {
 					VXResponse gjResponse = new VXResponse();
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index f9294c1e1..155fa357d 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -1538,6 +1538,13 @@ public class RangerBizUtil {
 		return isBulkMode();
 	}
 
+	public boolean getCreatePrincipalsIfAbsent() {
+		RangerAdminOpContext opContext = RangerContextHolder.getOpContext();
+		Boolean              ret       = opContext != null ? opContext.getCreatePrincipalsIfAbsent() : null;
+
+		return ret != null ? ret : false;
+	}
+
 	//should be used only in bulk operation like importPolicies, policies delete.
 	public void bulkModeOnlyFlushAndClear() {
 		if (batchClearEnabled) {
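Review bot: getCreatePrincipalsIfAbsent has no Javadoc although ServiceDBStore passes its result straight into createNewPolMappingForRefTable, where it gates creation of missing users/groups/roles; a summary such as `/** Returns the createPrincipalsIfAbsent hint from the current admin op context; false when no context exists or the flag was not supplied. */` would record that a null context and an unset flag are both treated as false. The null folding can also be written without the boxed temporary: `RangerAdminOpContext opContext = RangerContextHolder.getOpContext();` followed by `return opContext != null && Boolean.TRUE.equals(opContext.getCreatePrincipalsIfAbsent());`.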
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 14f937bee..e52a92e04 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -2000,7 +2000,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 
 	@Override
 	public RangerPolicy createPolicy(RangerPolicy policy) throws Exception {
-		return createPolicy(policy, false);
+		return createPolicy(policy, bizUtil.getCreatePrincipalsIfAbsent());
 	}
 
 	@Override
@@ -2008,7 +2008,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 		return createPolicy(policy, true);
 	}
 
-	public RangerPolicy createPolicy(RangerPolicy policy, boolean isDefaultPolicy) throws Exception {
+	public RangerPolicy createPolicy(RangerPolicy policy, boolean createPrincipalsIfAbsent) throws Exception {
 
 		RangerService service = getServiceByName(policy.getService());
 
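Review bot: createDefaultPolicy still passes `true` as the second argument of createPolicy, but that argument now means createPrincipalsIfAbsent rather than isDefaultPolicy, and the new code in PolicyRefUpdater downgrades it to false when the caller lacks admin access — the former unconditional bypass for default policies is gone. If createDefaultPolicy can be reached outside an admin session, default policies that reference a not-yet-existing user or group would now fail with the not-found response instead of creating the principal; whether that path exists is not visible here, so it is worth confirming and stating in the commit message. A comment on the call, `// default policies: create referenced principals if absent (honored only for admin callers)`, would make the intended semantics of the literal explicit. createPolicy(RangerPolicy, boolean) continues outside the hunk.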
@@ -2057,7 +2057,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 		}
 
 		XXPolicy xCreatedPolicy = daoMgr.getXXPolicy().getById(policy.getId());
-		policyRefUpdater.createNewPolMappingForRefTable(policy, xCreatedPolicy, xServiceDef, isDefaultPolicy);
+		policyRefUpdater.createNewPolMappingForRefTable(policy, xCreatedPolicy, xServiceDef, createPrincipalsIfAbsent);
 		createOrMapLabels(xCreatedPolicy, uniquePolicyLabels);
 		RangerPolicy createdPolicy = policyService.getPopulatedViewObject(xCreatedPolicy);
 
@@ -2230,7 +2230,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 		policyRefUpdater.cleanupRefTables(policy);
 		deleteExistingPolicyLabel(policy);
 
-		policyRefUpdater.createNewPolMappingForRefTable(policy, newUpdPolicy, xServiceDef, false);
+		policyRefUpdater.createNewPolMappingForRefTable(policy, newUpdPolicy, xServiceDef, bizUtil.getCreatePrincipalsIfAbsent());
 		createOrMapLabels(newUpdPolicy, uniquePolicyLabels);
 		RangerPolicy updPolicy = policyService.getPopulatedViewObject(newUpdPolicy);
 
diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAdminOpContext.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAdminOpContext.java
index a447882ab..c1d13ac1e 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAdminOpContext.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAdminOpContext.java
@@ -24,6 +24,7 @@ import java.io.Serializable;
 public class RangerAdminOpContext implements Serializable {
 	private static final long serialVersionUID = 1L;
 	private boolean bulkModeContext = false;
+	private Boolean createPrincipalsIfAbsent = null;
 
 	public boolean isBulkModeContext() {
 		return bulkModeContext;
@@ -33,4 +34,11 @@ public class RangerAdminOpContext implements Serializable {
 		this.bulkModeContext = bulkMode;
 	}
 
+	public Boolean getCreatePrincipalsIfAbsent() {
+		return createPrincipalsIfAbsent;
+	}
+
+	public void setCreatePrincipalsIfAbsent(Boolean createPrincipalsIfAbsent) {
+		this.createPrincipalsIfAbsent = createPrincipalsIfAbsent;
+	}
 }
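Review bot: The new `createPrincipalsIfAbsent` field is a nullable `Boolean` next to a primitive `bulkModeContext`, and nothing in the class says what null means; RangerBizUtil folds null to false, so the tri-state exists only to distinguish "not supplied by the request" from an explicit false. A Javadoc on the getter such as `/** Whether missing users/groups/roles referenced by a policy may be created; null when the request did not supply the flag. */` would record that contract before other readers of the context appear.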
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
index 782fe1173..fee1d5895 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
@@ -40,6 +40,7 @@ import org.apache.ranger.common.PropertiesUtil;
 import org.apache.ranger.common.RequestContext;
 import org.apache.ranger.common.UserSessionBase;
 import org.apache.ranger.entity.XXAuthSession;
+import org.apache.ranger.security.context.RangerAdminOpContext;
 import org.apache.ranger.security.context.RangerContextHolder;
 import org.apache.ranger.security.context.RangerSecurityContext;
 import org.apache.ranger.util.RestUtil;
@@ -132,6 +133,9 @@ public class RangerSecurityContextFormationFilter extends GenericFilterBean {
 
 				context.setUserSession(userSession);
 			}
+
+			setupAdminOpContext(request);
+
 			HttpServletResponse res = (HttpServletResponse)response;
 			res.setHeader("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate");
 			res.setHeader("X-Frame-Options", "DENY" );
@@ -148,6 +152,22 @@ public class RangerSecurityContextFormationFilter extends GenericFilterBean {
 		}
 	}
 
+	private void setupAdminOpContext(ServletRequest request) {
+		Object attrCreatePrincipalsIfAbsent = request.getParameter("createPrincipalsIfAbsent");
+
+		if (attrCreatePrincipalsIfAbsent != null) {
+			RangerAdminOpContext opContext = RangerContextHolder.getOpContext();
+
+			if (opContext == null) {
+				opContext = new RangerAdminOpContext();
+
+				RangerContextHolder.setOpContext(opContext);
+			}
+
+			opContext.setCreatePrincipalsIfAbsent(Boolean.parseBoolean(attrCreatePrincipalsIfAbsent.toString()));
+		}
+	}
+
 	private int getAuthType(HttpServletRequest request) {
 		int authType;
 		Object ssoEnabledObj = request.getAttribute("ssoEnabled");
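Review bot: setupAdminOpContext declares the result of `request.getParameter(...)` as `Object` and then calls `toString()` on it, but `ServletRequest.getParameter` already returns a `String`; `String createPrincipalsIfAbsent = request.getParameter("createPrincipalsIfAbsent");` followed by `Boolean.parseBoolean(createPrincipalsIfAbsent)` expresses the same thing directly. The value comes from any query or form parameter on any request and is stored in the op context unconditionally, which is acceptable only because PolicyRefUpdater re-checks admin access before honoring it; a comment here, `// request-supplied hint only; PolicyRefUpdater honors it solely for admin callers`, would keep that dependency visible so the gate is not removed independently. If the op context held by RangerContextHolder is thread-bound and not reset when the request completes (the end of doFilter is outside this hunk), a `true` stored here could be observed by a later request served on the same thread, so it is worth confirming where the context is cleared. Boolean.parseBoolean maps anything other than "true" to false, so malformed values cannot widen the behavior. getAuthType begins at the end of the hunk and continues outside it.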