Posted to commits@ranger.apache.org by ma...@apache.org on 2015/04/28 08:13:51 UTC
incubator-ranger git commit: RANGER-436 policy item with empty access
list is valid if delegated admin is true
Repository: incubator-ranger
Updated Branches:
refs/heads/master aac45d633 -> 101d17673
RANGER-436 policy item with empty access list is valid if delegated admin is true
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/101d1767
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/101d1767
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/101d1767
Branch: refs/heads/master
Commit: 101d17673d553dbd2c2369837a8243ab8727bc30
Parents: aac45d6
Author: Alok Lal <al...@hortonworks.com>
Authored: Mon Apr 27 22:42:31 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Mon Apr 27 22:59:48 2015 -0700
----------------------------------------------------------------------
.../model/validation/RangerPolicyValidator.java | 18 +++++++++++-------
.../validation/TestRangerPolicyValidator.java | 12 ++++++++++++
2 files changed, 23 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/101d1767/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
index 991b641..1d7f450 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
@@ -479,14 +479,18 @@ public class RangerPolicyValidator extends RangerValidator {
if (policyItem == null) {
LOG.debug("policy item was null!");
} else {
- // access items collection can't be empty and should be otherwise valid
+ // access items collection can't be empty (unless delegated admin is true) and should be otherwise valid
if (CollectionUtils.isEmpty(policyItem.getAccesses())) {
- failures.add(new ValidationFailureDetailsBuilder()
- .field("policy item accesses")
- .isMissing()
- .becauseOf("policy items accesses collection was null")
- .build());
- valid = false;
+ if (!Boolean.TRUE.equals(policyItem.getDelegateAdmin())) {
+ failures.add(new ValidationFailureDetailsBuilder()
+ .field("policy item accesses")
+ .isMissing()
+ .becauseOf("policy items accesses collection was null")
+ .build());
+ valid = false;
+ } else {
+ LOG.debug("policy item collection was null but delegated admin is true. Ok");
+ }
} else {
valid = isValidItemAccesses(policyItem.getAccesses(), failures, serviceDef) && valid;
}
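Review bot: The two messages in this branch still say the accesses collection "was null", although `CollectionUtils.isEmpty` also matches an empty list, and the new debug line names the "policy item collection" rather than the accesses collection. An item accepted here grants delegated admin with no access types, so these messages are what someone reads when auditing why such a policy did or did not validate; I would change them to `.becauseOf("policy item accesses collection was null or empty and delegated admin is not true")` and `LOG.debug("policy item accesses collection was null or empty but delegated admin is true. Ok");`. Whether the item's users/groups are checked for non-emptiness is not visible here (the enclosing method starts and ends outside the hunk), so it is worth confirming that a delegate-admin-only item cannot pass with no principals. The test added in TestRangerPolicyValidator stubs only `getAccesses()` returning null; an empty list takes the same path and is not shown as covered.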
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/101d1767/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
index 90d7c06..2fd1d6a 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
@@ -490,6 +490,18 @@ public class TestRangerPolicyValidator {
}
@Test
+ public void test_isValidPolicyItem_happPath() {
+ // A policy item with no access is valid if it has delegated admin turned on and one user/group specified.
+ RangerPolicyItem policyItem = mock(RangerPolicyItem.class);
+ when(policyItem.getAccesses()).thenReturn(null);
+ when(policyItem.getDelegateAdmin()).thenReturn(true);
+ // create a non-empty user-list
+ List<String> users = Arrays.asList("user1");
+ when(policyItem.getUsers()).thenReturn(users);
+ _failures.clear(); assertTrue(_validator.isValidPolicyItem(policyItem, _failures, _serviceDef));
+ assertTrue(_failures.isEmpty());
+ }
+ @Test
public void test_isValidItemAccesses_happyPath() {
// happy path