Posted to commits@ranger.apache.org by ab...@apache.org on 2021/03/22 18:36:59 UTC
[ranger] branch master updated: RANGER-3218: User getting denied
even after having tag based policy
This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 0737fe8 RANGER-3218: User getting denied even after having tag based policy
0737fe8 is described below
commit 0737fe845c6406af8388d0ef57d0071a8e06dea1
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Mon Mar 22 11:04:43 2021 -0700
RANGER-3218: User getting denied even after having tag based policy
---
.../ranger/plugin/policyengine/PolicyEngine.java | 65 +++--
.../policyengine/RangerPolicyRepository.java | 40 +--
.../ranger/plugin/service/RangerBasePlugin.java | 2 +-
.../apache/ranger/plugin/util/ServicePolicies.java | 22 ++
.../apache/ranger/biz/RangerPolicyAdminCache.java | 142 +----------
.../java/org/apache/ranger/biz/ServiceDBStore.java | 271 +++++++++++++++++++--
.../java/org/apache/ranger/rest/ServiceREST.java | 155 +-----------
.../org/apache/ranger/rest/TestServiceREST.java | 2 -
8 files changed, 342 insertions(+), 357 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
index 9d79520..f536335 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
@@ -594,7 +594,7 @@ public class PolicyEngine {
List<RangerPolicyDelta> defaultZoneDeltas = new ArrayList<>();
List<RangerPolicyDelta> defaultZoneDeltasForTagPolicies = new ArrayList<>();
- getDeltasSortedByZones(servicePolicies, defaultZoneDeltas, defaultZoneDeltasForTagPolicies);
+ getDeltasSortedByZones(other, servicePolicies, defaultZoneDeltas, defaultZoneDeltasForTagPolicies);
if (other.policyRepository != null && CollectionUtils.isNotEmpty(defaultZoneDeltas)) {
this.policyRepository = new RangerPolicyRepository(other.policyRepository, defaultZoneDeltas, policyVersion);
@@ -604,6 +604,10 @@ public class PolicyEngine {
if (servicePolicies.getTagPolicies() != null && CollectionUtils.isNotEmpty(defaultZoneDeltasForTagPolicies)) {
if (other.tagPolicyRepository == null) {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Current policy-engine does not have any tagPolicyRepository");
+ }
// Only creates are expected
List<RangerPolicy> tagPolicies = new ArrayList<>();
@@ -619,9 +623,15 @@ public class PolicyEngine {
this.tagPolicyRepository = new RangerPolicyRepository(servicePolicies.getTagPolicies(), this.pluginContext, servicePolicies.getServiceDef(), servicePolicies.getServiceName());
} else {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Current policy-engine has a tagPolicyRepository");
+ }
this.tagPolicyRepository = new RangerPolicyRepository(other.tagPolicyRepository, defaultZoneDeltasForTagPolicies, policyVersion);
}
} else {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Either no associated tag repository or no changes to tag policies");
+ }
this.tagPolicyRepository = shareWith(other.tagPolicyRepository);
}
@@ -777,42 +787,32 @@ public class PolicyEngine {
}
void updatePolicyEngine(ServicePolicies servicePolicies) {
-
- long policyVersion = servicePolicies.getPolicyVersion() != null ? servicePolicies.getPolicyVersion() : -1L;
List<RangerPolicyDelta> defaultZoneDeltas = new ArrayList<>();
List<RangerPolicyDelta> defaultZoneDeltasForTagPolicies = new ArrayList<>();
- getDeltasSortedByZones(servicePolicies, defaultZoneDeltas, defaultZoneDeltasForTagPolicies);
+ getDeltasSortedByZones(this, servicePolicies, defaultZoneDeltas, defaultZoneDeltasForTagPolicies);
if (this.policyRepository != null && CollectionUtils.isNotEmpty(defaultZoneDeltas)) {
- this.policyRepository.reinit(defaultZoneDeltas, policyVersion);
+ this.policyRepository.reinit(defaultZoneDeltas);
}
if (servicePolicies.getTagPolicies() != null && CollectionUtils.isNotEmpty(defaultZoneDeltasForTagPolicies)) {
if (this.tagPolicyRepository != null) {
- this.tagPolicyRepository.reinit(defaultZoneDeltasForTagPolicies, policyVersion);
+ this.tagPolicyRepository.reinit(defaultZoneDeltasForTagPolicies);
} else {
LOG.error("No previous tagPolicyRepository to update! Should not have come here!!");
}
}
- // Set all repositories to shared
- if (policyRepository != null) {
- policyRepository.setShared();
- }
- for (RangerPolicyRepository zoneRepository : zonePolicyRepositories.values()) {
- if (zoneRepository != null) {
- zoneRepository.setShared();
- }
- }
- if (tagPolicyRepository != null) {
- tagPolicyRepository.setShared();
- }
-
reorderPolicyEvaluators();
}
- private void getDeltasSortedByZones(ServicePolicies servicePolicies, List<RangerPolicyDelta> defaultZoneDeltas, List<RangerPolicyDelta> defaultZoneDeltasForTagPolicies) {
+ private void getDeltasSortedByZones(PolicyEngine current, ServicePolicies servicePolicies, List<RangerPolicyDelta> defaultZoneDeltas, List<RangerPolicyDelta> defaultZoneDeltasForTagPolicies) {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> getDeltasSortedByZones()");
+ }
+
long policyVersion = servicePolicies.getPolicyVersion() != null ? servicePolicies.getPolicyVersion() : -1L;
if (CollectionUtils.isNotEmpty(defaultZoneDeltas)) {
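Review bot: In `updatePolicyEngine`, tag-policy deltas are still discarded when `this.tagPolicyRepository` is null: the branch only logs `No previous tagPolicyRepository to update!` and carries on to `reorderPolicyEvaluators()`. The copy-constructor path earlier in this file handles the same situation by building a new `RangerPolicyRepository` from the created tag policies, so the in-place path can leave the engine enforcing without tag policies that have already been published. If callers are meant to guarantee that this state never reaches the in-place path, record it above the branch, e.g. `// caller must use the copy constructor when no tagPolicyRepository exists yet`; otherwise the update should fail so the caller can fall back to a full rebuild. The hunk ends inside `getDeltasSortedByZones`, whose body continues in the following hunks.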
@@ -850,12 +850,20 @@ public class PolicyEngine {
}
}
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Security zones found in the service-policies:[" + zoneDeltasMap.keySet() + "]");
+ }
+
for (Map.Entry<String, List<RangerPolicyDelta>> entry : zoneDeltasMap.entrySet()) {
final String zoneName = entry.getKey();
final List<RangerPolicyDelta> zoneDeltas = entry.getValue();
- final RangerPolicyRepository otherRepository = this.zonePolicyRepositories.get(zoneName);
+ final RangerPolicyRepository otherRepository = current.zonePolicyRepositories.get(zoneName);
final RangerPolicyRepository policyRepository;
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("zoneName:[" + zoneName + "], zoneDeltas:[" + Arrays.toString(zoneDeltas.toArray()) + "], doesOtherRepositoryExist:[" + (otherRepository != null) + "]");
+ }
+
if (CollectionUtils.isNotEmpty(zoneDeltas)) {
if (otherRepository == null) {
List<RangerPolicy> policies = new ArrayList<>();
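Review bot: `getDeltasSortedByZones` now takes a `current` engine and reads `current.zonePolicyRepositories` here, but nothing documents how `current` relates to `this`. The constructor passes `other` and `updatePolicyEngine` passes `this`, so the method serves both the copy path and the in-place path. A short Javadoc on the method would help, along the lines of `@param current engine whose existing zone repositories and pluginContext are the base for applying deltas`. The method starts in the previous hunk and continues past this one.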
@@ -870,7 +878,7 @@ public class PolicyEngine {
servicePolicies.getSecurityZones().get(zoneName).setPolicies(policies);
- policyRepository = new RangerPolicyRepository(servicePolicies, this.pluginContext, zoneName);
+ policyRepository = new RangerPolicyRepository(servicePolicies, current.pluginContext, zoneName);
} else {
policyRepository = new RangerPolicyRepository(otherRepository, zoneDeltas, policyVersion);
}
@@ -884,6 +892,10 @@ public class PolicyEngine {
List<RangerPolicyDelta> unzonedDeltas = servicePolicies.getPolicyDeltas();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("ServicePolicies.policyDeltas:[" + Arrays.toString(servicePolicies.getPolicyDeltas().toArray()) + "]");
+ }
+
for (RangerPolicyDelta delta : unzonedDeltas) {
if (servicePolicies.getServiceDef().getName().equals(delta.getServiceType())) {
defaultZoneDeltas.add(delta);
@@ -891,6 +903,15 @@ public class PolicyEngine {
defaultZoneDeltasForTagPolicies.add(delta);
}
}
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("defaultZoneDeltas:[" + Arrays.toString(defaultZoneDeltas.toArray()) + "]");
+ LOG.debug("defaultZoneDeltasForTagPolicies:[" + Arrays.toString(defaultZoneDeltasForTagPolicies.toArray()) + "]");
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== getDeltasSortedByZones()");
+ }
}
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index df93bd5..f92cd3f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -159,9 +159,9 @@ public class RangerPolicyRepository {
final boolean isExistingPolicies = CollectionUtils.isNotEmpty(this.policies);
- List<RangerContextEnricher> newContextEnrichers = updateResourceTrie(deltas, policyVersion);
+ updateResourceTrie(deltas);
- if (newContextEnrichers != null && CollectionUtils.isNotEmpty(this.policies)) {
+ if (CollectionUtils.isNotEmpty(this.policies)) {
this.contextEnrichers = isExistingPolicies ? shareWith(other) : buildContextEnrichers(options);
} else {
this.contextEnrichers = null;
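Review bot: The new condition `if (CollectionUtils.isNotEmpty(this.policies))` no longer depends on the zone, unlike the code it replaces: the removed `updateResourceTrie` return value was null whenever `zoneName` was non-empty, so zone repositories always ended up with `contextEnrichers = null`. `reinit` in the next hunk keeps that rule with `StringUtils.isEmpty(zoneName) && ...`, so the copy path and the in-place path now disagree for zone repositories. If enrichers are still meant to live only on the unzoned repository, use the same guard here: `if (StringUtils.isEmpty(zoneName) && CollectionUtils.isNotEmpty(this.policies)) {`. The enclosing constructor starts and ends outside the hunk.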
@@ -1432,23 +1432,21 @@ public class RangerPolicyRepository {
}
}
- void reinit(List<RangerPolicyDelta> deltas, long policyVersion) {
+ void reinit(List<RangerPolicyDelta> deltas) {
final boolean isExistingPolicies = CollectionUtils.isNotEmpty(this.policies);
- List<RangerContextEnricher> newContextEnrichers = updateResourceTrie(deltas, policyVersion);
+ updateResourceTrie(deltas);
- if (newContextEnrichers != null && CollectionUtils.isNotEmpty(this.policies)) {
- this.contextEnrichers = isExistingPolicies ? newContextEnrichers : buildContextEnrichers(options);
+ if (StringUtils.isEmpty(zoneName) && CollectionUtils.isNotEmpty(this.policies)) {
+ if (!isExistingPolicies) {
+ this.contextEnrichers = buildContextEnrichers(options);
+ }
} else {
this.contextEnrichers = null;
}
}
- private List<RangerContextEnricher> updateResourceTrie(List<RangerPolicyDelta> deltas, long policyVersion) {
-
- final List<RangerContextEnricher> ret;
-
- final boolean isExistingPolicies = CollectionUtils.isNotEmpty(this.policies);
+ private void updateResourceTrie(List<RangerPolicyDelta> deltas) {
boolean[] flags = new boolean[RangerPolicy.POLICY_TYPES.length];
@@ -1540,25 +1538,5 @@ public class RangerPolicyRepository {
entry.getValue().wrapUpUpdate();
}
}
-
- if (StringUtils.isEmpty(zoneName)) {
- if (isExistingPolicies) {
- if (CollectionUtils.isNotEmpty(this.policies)) {
- ret = this.contextEnrichers; // Handled by caller
- } else {
- ret = null;
- }
- } else {
- if (CollectionUtils.isNotEmpty(this.policies)) {
- ret = new ArrayList<>(); // Handled by caller
- } else {
- ret = null;
- }
- }
- } else {
- ret = null;
- }
-
- return ret;
}
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index fda57f9..1be440b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -295,7 +295,7 @@ public class RangerBasePlugin {
pluginContext.notifyAuthContextChanged();
- if (oldPolicyEngine != null) {
+ if (oldPolicyEngine != null && oldPolicyEngine != newPolicyEngine) {
((RangerPolicyEngineImpl) oldPolicyEngine).releaseResources(!isPolicyEngineShared);
}
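Review bot: The identity check `oldPolicyEngine != newPolicyEngine` deserves a comment, because it is the only thing that keeps `releaseResources` from being called on the engine that was just installed. From the rest of the commit it appears that an in-place update can hand back the same engine instance; a line such as `// in-place delta update returns the same engine; releasing it would tear down the live one` would record that. `RangerPolicyAdminCache` gains the same guard (`oldPolicyAdmin != ret`) and would benefit from the same comment. The enclosing method is not visible in this hunk.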
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
index c3d7816..5c9c6db 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
@@ -20,6 +20,7 @@
package org.apache.ranger.plugin.util;
+import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
@@ -31,6 +32,8 @@ import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlRootElement;
import org.apache.commons.collections.MapUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicyDelta;
import org.apache.ranger.plugin.model.RangerServiceDef;
@@ -48,6 +51,7 @@ import org.codehaus.jackson.map.annotate.JsonSerialize;
@XmlAccessorType(XmlAccessType.FIELD)
public class ServicePolicies implements java.io.Serializable {
private static final long serialVersionUID = 1L;
+ private static final Log LOG = LogFactory.getLog(ServicePolicies.class);
private String serviceName;
private Long serviceId;
@@ -408,11 +412,21 @@ public class ServicePolicies implements java.io.Serializable {
final List<RangerPolicy> newTagPolicies;
if (servicePolicies.getTagPolicies() != null) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("applyingDeltas for tag policies");
+ }
newTagPolicies = RangerPolicyDeltaUtil.applyDeltas(oldTagPolicies, servicePolicies.getPolicyDeltas(), servicePolicies.getTagPolicies().getServiceDef().getName());
} else {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("No need to apply deltas for tag policies");
+ }
newTagPolicies = oldTagPolicies;
}
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("New tag policies:[" + Arrays.toString(newTagPolicies.toArray()) + "]");
+ }
+
if (ret.getTagPolicies() != null) {
ret.getTagPolicies().setPolicies(newTagPolicies);
}
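Review bot: The added `LOG.debug("New tag policies:[" + Arrays.toString(newTagPolicies.toArray()) + "]")` dereferences `newTagPolicies`, which the rest of the hunk never does; it is only passed to `setPolicies`. In the else branch it is just `oldTagPolicies`, whose initialisation is outside the hunk, so if that can be null, turning on debug logging would make policy-delta application throw. Concatenating the list directly is null-safe and prints the same elements: `LOG.debug("New tag policies:[" + newTagPolicies + "]");`. The security-zone debug statement in the next hunk uses the same `Arrays.toString(...toArray())` pattern. These statements also write full policy definitions to the log, so debug level for this class is best kept off outside troubleshooting.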
@@ -427,8 +441,16 @@ public class ServicePolicies implements java.io.Serializable {
List<RangerPolicy> zoneResourcePolicies = policyEngine.getResourcePolicies(zoneName);
// There are no separate tag-policy-repositories for each zone
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Applying deltas for security-zone:[" + zoneName + "]");
+ }
+
final List<RangerPolicy> newZonePolicies = RangerPolicyDeltaUtil.applyDeltas(zoneResourcePolicies, zoneInfo.getPolicyDeltas(), servicePolicies.getServiceDef().getName());
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("New resource policies for security-zone:[" + zoneName + "], zoneResourcePolicies:[" + Arrays.toString(newZonePolicies.toArray())+ "]");
+ }
+
SecurityZoneInfo newZoneInfo = new SecurityZoneInfo();
newZoneInfo.setZoneName(zoneName);
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
index fd5b147..120a329 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
@@ -19,21 +19,13 @@
package org.apache.ranger.biz;
-import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
-import java.util.List;
import java.util.Map;
-import org.apache.commons.collections.CollectionUtils;
-import org.apache.commons.collections.MapUtils;
-import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
-import org.apache.ranger.plugin.model.RangerPolicy;
-import org.apache.ranger.plugin.model.RangerPolicyDelta;
-import org.apache.ranger.plugin.model.RangerSecurityZone;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.store.RoleStore;
import org.apache.ranger.plugin.policyengine.RangerPluginContext;
@@ -50,15 +42,14 @@ public class RangerPolicyAdminCache {
private final Map<String, RangerPolicyAdmin> policyAdminCache = Collections.synchronizedMap(new HashMap<>());
final RangerPolicyAdmin getServicePoliciesAdmin(String serviceName, ServiceStore svcStore, RoleStore roleStore, SecurityZoneStore zoneStore, RangerPolicyEngineOptions options) {
- RangerPolicyAdmin ret = null;
if (serviceName == null || svcStore == null || roleStore == null || zoneStore == null) {
LOG.warn("Cannot get policy-admin for null serviceName or serviceStore or roleStore or zoneStore");
- return ret;
+ return null;
}
- ret = policyAdminCache.get(serviceName);
+ RangerPolicyAdmin ret = policyAdminCache.get(serviceName);
long policyVersion;
long roleVersion;
@@ -87,17 +78,10 @@ public class RangerPolicyAdminCache {
}
}
- ServicePolicies policies = svcStore.getServicePoliciesIfUpdated(serviceName, policyVersion, false);
+ ServicePolicies policies = svcStore.getServicePoliciesIfUpdated(serviceName, policyVersion, ServiceDBStore.isSupportsPolicyDeltas());
if (policies != null) {
- if (policies.getPolicyVersion() != null && !policies.getPolicyVersion().equals(policyVersion)) {
- ServicePolicies updatedServicePolicies = getUpdatedServicePolicies(serviceName, policies, svcStore, zoneStore);
-
- ret = addOrUpdatePolicyAdmin(ret, updatedServicePolicies, roles, options);
- } else {
- LOG.error("policies object is null or its version is null for getPolicyAdmin(" + serviceName + ") !!");
- LOG.error("Returning old policy admin");
- }
+ ret = addOrUpdatePolicyAdmin(ret, policies, roles, options);
} else {
if (ret == null) {
LOG.error("getPolicyAdmin(" + serviceName + "): failed to get any policies from service-store");
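Review bot: The third argument to `getServicePoliciesIfUpdated` looks inverted here. `ServiceREST` passes `!supportsPolicyDeltas` for the same parameter, and the `ServiceDBStore` hunk in this commit tests a variable named `needsBackwardCompatibility` before calling `filterServicePolicies`, so passing `ServiceDBStore.isSupportsPolicyDeltas()` unnegated would request the backward-compatible form exactly when deltas are supported. If that reading of the parameter is right, the call should be `svcStore.getServicePoliciesIfUpdated(serviceName, policyVersion, !ServiceDBStore.isSupportsPolicyDeltas());`. The enclosing `getServicePoliciesAdmin` starts before this hunk and continues after it.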
@@ -107,8 +91,8 @@ public class RangerPolicyAdminCache {
}
}
}
- } catch (Exception excp) {
- LOG.error("getPolicyAdmin(" + serviceName + "): failed to get latest policies from service-store", excp);
+ } catch (Exception exception) {
+ LOG.error("getPolicyAdmin(" + serviceName + "): failed to get latest policies from service-store", exception);
}
if (ret == null) {
LOG.error("Policy-engine is not built! Returning null policy-engine!");
@@ -154,7 +138,7 @@ public class RangerPolicyAdminCache {
}
}
policyAdminCache.put(policies.getServiceName(), ret);
- if (oldPolicyAdmin != null) {
+ if (oldPolicyAdmin != null && oldPolicyAdmin != ret) {
oldPolicyAdmin.releaseResources(!isPolicyEngineShared);
}
} else {
@@ -169,117 +153,7 @@ public class RangerPolicyAdminCache {
RangerServiceDef serviceDef = policies.getServiceDef();
String serviceType = (serviceDef != null) ? serviceDef.getName() : "";
RangerPluginContext rangerPluginContext = new RangerPluginContext(new RangerPluginConfig(serviceType, null, "ranger-admin", null, null, options));
- RangerPolicyAdmin ret = new RangerPolicyAdminImpl(policies, rangerPluginContext, roles);
-
- return ret;
- }
-
- private ServicePolicies getUpdatedServicePolicies(String serviceName, ServicePolicies policies, ServiceStore svcStore, SecurityZoneStore zoneStore) throws Exception{
- ServicePolicies ret = policies;
-
- if (ret == null) {
- ret = svcStore.getServicePoliciesIfUpdated(serviceName, -1L, false);
- }
-
- if (zoneStore != null) {
- Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones = zoneStore.getSecurityZonesForService(serviceName);
-
- if (MapUtils.isNotEmpty(securityZones)) {
- ret = getUpdatedServicePoliciesForZones(ret, securityZones);
- }
- }
-
- return ret;
- }
-
- public static ServicePolicies getUpdatedServicePoliciesForZones(ServicePolicies servicePolicies, Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones) {
- final ServicePolicies ret;
-
- if (MapUtils.isNotEmpty(securityZones)) {
- ret = new ServicePolicies();
-
- ret.setServiceName(servicePolicies.getServiceName());
- ret.setServiceId(servicePolicies.getServiceId());
- ret.setPolicyVersion(servicePolicies.getPolicyVersion());
- ret.setPolicyUpdateTime(servicePolicies.getPolicyUpdateTime());
- ret.setServiceDef(servicePolicies.getServiceDef());
- ret.setAuditMode(servicePolicies.getAuditMode());
- ret.setTagPolicies(servicePolicies.getTagPolicies());
- ret.setServiceConfig(servicePolicies.getServiceConfig());
-
- Map<String, ServicePolicies.SecurityZoneInfo> securityZonesInfo = new HashMap<>();
-
- if (CollectionUtils.isEmpty(servicePolicies.getPolicyDeltas())) {
- List<RangerPolicy> allPolicies = new ArrayList<>(servicePolicies.getPolicies());
-
- for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> entry : securityZones.entrySet()) {
- List<RangerPolicy> zonePolicies = extractZonePolicies(allPolicies, entry.getKey());
-
- if (CollectionUtils.isNotEmpty(zonePolicies)) {
- allPolicies.removeAll(zonePolicies);
- }
-
- ServicePolicies.SecurityZoneInfo securityZoneInfo = new ServicePolicies.SecurityZoneInfo();
-
- securityZoneInfo.setZoneName(entry.getKey());
- securityZoneInfo.setPolicies(zonePolicies);
- securityZoneInfo.setResources(entry.getValue().getResources());
- securityZoneInfo.setContainsAssociatedTagService(false);
- securityZonesInfo.put(entry.getKey(), securityZoneInfo);
- }
- ret.setPolicies(allPolicies);
- } else {
- List<RangerPolicyDelta> allPolicyDeltas = new ArrayList<>(servicePolicies.getPolicyDeltas());
-
- for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> entry : securityZones.entrySet()) {
- List<RangerPolicyDelta> zonePolicyDeltas = extractZonePolicyDeltas(allPolicyDeltas, entry.getKey());
-
- if (CollectionUtils.isNotEmpty(zonePolicyDeltas)) {
- allPolicyDeltas.removeAll(zonePolicyDeltas);
- }
-
- ServicePolicies.SecurityZoneInfo securityZoneInfo = new ServicePolicies.SecurityZoneInfo();
-
- securityZoneInfo.setZoneName(entry.getKey());
- securityZoneInfo.setPolicyDeltas(zonePolicyDeltas);
- securityZoneInfo.setResources(entry.getValue().getResources());
- securityZoneInfo.setContainsAssociatedTagService(false);
- securityZonesInfo.put(entry.getKey(), securityZoneInfo);
- }
-
- ret.setPolicyDeltas(allPolicyDeltas);
- }
-
- ret.setSecurityZones(securityZonesInfo);
- } else {
- ret = servicePolicies;
- }
-
- return ret;
- }
-
- private static List<RangerPolicy> extractZonePolicies(final List<RangerPolicy> allPolicies, final String zoneName) {
- final List<RangerPolicy> ret = new ArrayList<>();
-
- for (RangerPolicy policy : allPolicies) {
- if (policy.getIsEnabled() && StringUtils.equals(policy.getZoneName(), zoneName)) {
- ret.add(policy);
- }
- }
-
- return ret;
- }
-
- private static List<RangerPolicyDelta> extractZonePolicyDeltas(final List<RangerPolicyDelta> allPolicyDeltas, final String zoneName) {
- final List<RangerPolicyDelta> ret = new ArrayList<>();
-
- for (RangerPolicyDelta delta : allPolicyDeltas) {
- if (StringUtils.equals(delta.getZoneName(), zoneName)) {
- ret.add(delta);
- }
- }
-
- return ret;
+ return new RangerPolicyAdminImpl(policies, rangerPluginContext, roles);
}
}
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index ec788af..a7871ed 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -2775,31 +2775,65 @@ public class ServiceDBStore extends AbstractServiceStore {
if (ret != null) {
if (LOG.isDebugEnabled()) {
- LOG.debug("Checking if resource-service:[" + ret.getServiceName() +"] is disabled");
+ LOG.debug("Checking if resource-service:[" + ret.getServiceName() + "] is disabled");
}
if (!serviceDbObj.getIsenabled()) {
ret = ServicePolicies.copyHeader(ret);
- } else if (ret.getTagPolicies() != null) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking if tag-service:[" + ret.getTagPolicies().getServiceName() +"] is disabled");
- }
- String tagServiceName = ret.getTagPolicies().getServiceName();
- if (StringUtils.isNotEmpty(tagServiceName)) {
- XXService tagService = daoMgr.getXXService().findByName(tagServiceName);
- if (tagService == null || !tagService.getIsenabled()) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("tag-service:[" + tagServiceName +"] is disabled");
+ ret.setTagPolicies(null);
+ } else {
+ boolean isTagServiceActive = true;
+
+ if (ret.getTagPolicies() != null) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking if tag-service:[" + ret.getTagPolicies().getServiceName() + "] is disabled");
+ }
+ String tagServiceName = ret.getTagPolicies().getServiceName();
+
+ if (StringUtils.isNotEmpty(tagServiceName)) {
+ XXService tagService = daoMgr.getXXService().findByName(tagServiceName);
+ if (tagService == null || !tagService.getIsenabled()) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("tag-service:[" + tagServiceName + "] is disabled");
+ }
+ isTagServiceActive = false;
}
- ServicePolicies copy = ServicePolicies.copyHeader(ret);
- copy.setTagPolicies(null);
- List<RangerPolicy> copyPolicies = ret.getPolicies() != null ? new ArrayList<>(ret.getPolicies()) : null;
- List<RangerPolicyDelta> copyPolicyDeltas = ret.getPolicyDeltas() != null ? new ArrayList<>(ret.getPolicyDeltas()) : null;
- copy.setPolicies(copyPolicies);
- copy.setPolicyDeltas(copyPolicyDeltas);
- ret = copy;
+ } else {
+ isTagServiceActive = false;
}
+ } else {
+ isTagServiceActive = false;
}
+
+ if (!isTagServiceActive) {
+ ServicePolicies copy = ServicePolicies.copyHeader(ret);
+ copy.setTagPolicies(null);
+ List<RangerPolicy> copyPolicies = ret.getPolicies() != null ? new ArrayList<>(ret.getPolicies()) : null;
+ List<RangerPolicyDelta> copyPolicyDeltas = ret.getPolicyDeltas() != null ? new ArrayList<>(ret.getPolicyDeltas()) : null;
+ copy.setPolicies(copyPolicies);
+ copy.setPolicyDeltas(copyPolicyDeltas);
+ ret = copy;
+ }
+ }
+
+ Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones = securityZoneStore.getSecurityZonesForService(serviceName);
+ ServicePolicies updatedServicePolicies = ret;
+ if (MapUtils.isNotEmpty(securityZones)) {
+ updatedServicePolicies = getUpdatedServicePoliciesForZones(ret, securityZones);
+ patchAssociatedTagServiceInSecurityZoneInfos(updatedServicePolicies);
+ }
+
+ if (lastKnownVersion == null || lastKnownVersion == -1L || needsBackwardCompatibility) {
+ ret = filterServicePolicies(updatedServicePolicies);
+ } else {
+ ret = updatedServicePolicies;
+ }
+
+ ret.setServiceConfig(getServiceConfigForPlugin(ret.getServiceId()));
+
+ if (ret.getTagPolicies() != null && ret.getTagPolicies().getServiceId() != null) {
+ ret.getTagPolicies().setServiceConfig(getServiceConfigForPlugin(ret.getTagPolicies().getServiceId()));
}
+
}
if (LOG.isDebugEnabled()) {
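Review bot: `isTagServiceActive` is set to false in three separate else branches, and the outermost one (`ret.getTagPolicies() == null`) now sends every service without tag policies through the copy block, which the removed `else if (ret.getTagPolicies() != null)` skipped. If copying in that case is intended, a comment should say why; if not, the copy can be limited with `if (!isTagServiceActive && ret.getTagPolicies() != null) {`. Either way, starting from `boolean isTagServiceActive = false;` and setting it to true only where the tag service is found and enabled would remove the three else branches. The enclosing method starts and ends outside this hunk.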
@@ -5517,4 +5551,205 @@ public class ServiceDBStore extends AbstractServiceStore {
}
}
}
+
+ private static ServicePolicies getUpdatedServicePoliciesForZones(ServicePolicies servicePolicies, Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones) {
+ final ServicePolicies ret;
+
+ if (MapUtils.isNotEmpty(securityZones)) {
+ ret = new ServicePolicies();
+
+ ret.setServiceDef(servicePolicies.getServiceDef());
+ ret.setServiceId(servicePolicies.getServiceId());
+ ret.setServiceName(servicePolicies.getServiceName());
+ ret.setAuditMode(servicePolicies.getAuditMode());
+ ret.setPolicyVersion(servicePolicies.getPolicyVersion());
+ ret.setPolicyUpdateTime(servicePolicies.getPolicyUpdateTime());
+ ret.setTagPolicies(servicePolicies.getTagPolicies());
+
+ Map<String, ServicePolicies.SecurityZoneInfo> securityZonesInfo = new HashMap<>();
+
+ if (CollectionUtils.isEmpty(servicePolicies.getPolicyDeltas())) {
+ List<RangerPolicy> allPolicies = new ArrayList<>(servicePolicies.getPolicies());
+
+ for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> entry : securityZones.entrySet()) {
+ List<RangerPolicy> zonePolicies = extractZonePolicies(allPolicies, entry.getKey());
+
+ if (CollectionUtils.isNotEmpty(zonePolicies)) {
+ allPolicies.removeAll(zonePolicies);
+ }
+
+ ServicePolicies.SecurityZoneInfo securityZoneInfo = new ServicePolicies.SecurityZoneInfo();
+
+ securityZoneInfo.setZoneName(entry.getKey());
+ securityZoneInfo.setPolicies(zonePolicies);
+ securityZoneInfo.setResources(entry.getValue().getResources());
+ securityZoneInfo.setContainsAssociatedTagService(false);
+ securityZonesInfo.put(entry.getKey(), securityZoneInfo);
+ }
+
+ ret.setPolicies(allPolicies);
+ } else {
+ List<RangerPolicyDelta> allPolicyDeltas = new ArrayList<>(servicePolicies.getPolicyDeltas());
+
+ for (Map.Entry<String, RangerSecurityZone.RangerSecurityZoneService> entry : securityZones.entrySet()) {
+ List<RangerPolicyDelta> zonePolicyDeltas = extractZonePolicyDeltas(allPolicyDeltas, entry.getKey());
+
+ if (CollectionUtils.isNotEmpty(zonePolicyDeltas)) {
+ allPolicyDeltas.removeAll(zonePolicyDeltas);
+ }
+
+ ServicePolicies.SecurityZoneInfo securityZoneInfo = new ServicePolicies.SecurityZoneInfo();
+
+ securityZoneInfo.setZoneName(entry.getKey());
+ securityZoneInfo.setPolicyDeltas(zonePolicyDeltas);
+ securityZoneInfo.setResources(entry.getValue().getResources());
+ securityZoneInfo.setContainsAssociatedTagService(false);
+ securityZonesInfo.put(entry.getKey(), securityZoneInfo);
+ }
+
+ ret.setPolicyDeltas(allPolicyDeltas);
+ }
+
+ ret.setSecurityZones(securityZonesInfo);
+ } else {
+ ret = servicePolicies;
+ }
+
+ return ret;
+ }
+
+ private void patchAssociatedTagServiceInSecurityZoneInfos(ServicePolicies servicePolicies) {
+ if (servicePolicies != null && MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
+
+ // Get list of zones that associated tag-service (if any) is associated with
+ List<String> zonesInAssociatedTagService = new ArrayList<>();
+
+ String tagServiceName = servicePolicies.getTagPolicies() != null ? servicePolicies.getTagPolicies().getServiceName() : null;
+
+ if (StringUtils.isNotEmpty(tagServiceName)) {
+ try {
+ RangerService tagService = getServiceByName(tagServiceName);
+ if (tagService != null && tagService.getIsEnabled()) {
+ zonesInAssociatedTagService = daoMgr.getXXSecurityZoneDao().findZonesByTagServiceName(tagServiceName);
+ }
+ } catch (Exception exception) {
+ LOG.warn("Could not get service associated with [" + tagServiceName + "]", exception);
+ }
+ }
+
+ if (CollectionUtils.isNotEmpty(zonesInAssociatedTagService)) {
+ for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> entry : servicePolicies.getSecurityZones().entrySet()) {
+ String zoneName = entry.getKey();
+ ServicePolicies.SecurityZoneInfo securityZoneInfo = entry.getValue();
+
+ securityZoneInfo.setContainsAssociatedTagService(zonesInAssociatedTagService.contains(zoneName));
+ }
+ }
+ }
+ }
+
+ private static List<RangerPolicy> extractZonePolicies(final List<RangerPolicy> allPolicies, final String zoneName) {
+ final List<RangerPolicy> ret = new ArrayList<>();
+
+ for (RangerPolicy policy : allPolicies) {
+ if (policy.getIsEnabled() && StringUtils.equals(policy.getZoneName(), zoneName)) {
+ ret.add(policy);
+ }
+ }
+
+ return ret;
+ }
+
+ private static List<RangerPolicyDelta> extractZonePolicyDeltas(final List<RangerPolicyDelta> allPolicyDeltas, final String zoneName) {
+ final List<RangerPolicyDelta> ret = new ArrayList<>();
+
+ for (RangerPolicyDelta delta : allPolicyDeltas) {
+ if (StringUtils.equals(delta.getZoneName(), zoneName) && !StringUtils.equals(delta.getServiceType(), EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME)) {
+ ret.add(delta);
+ }
+ }
+
+ return ret;
+ }
+
+ private ServicePolicies filterServicePolicies(ServicePolicies servicePolicies) {
+ ServicePolicies ret = null;
+ boolean containsDisabledResourcePolicies = false;
+ boolean containsDisabledTagPolicies = false;
+
+ if (servicePolicies != null) {
+ List<RangerPolicy> policies = null;
+
+ policies = servicePolicies.getPolicies();
+ if (CollectionUtils.isNotEmpty(policies)) {
+ for (RangerPolicy policy : policies) {
+ if (!policy.getIsEnabled()) {
+ containsDisabledResourcePolicies = true;
+ break;
+ }
+ }
+ }
+
+ if (servicePolicies.getTagPolicies() != null) {
+ policies = servicePolicies.getTagPolicies().getPolicies();
+ if (CollectionUtils.isNotEmpty(policies)) {
+ for (RangerPolicy policy : policies) {
+ if (!policy.getIsEnabled()) {
+ containsDisabledTagPolicies = true;
+ break;
+ }
+ }
+ }
+ }
+
+ if (!containsDisabledResourcePolicies && !containsDisabledTagPolicies) {
+ ret = servicePolicies;
+ } else {
+ ret = new ServicePolicies();
+
+ ret.setServiceDef(servicePolicies.getServiceDef());
+ ret.setServiceId(servicePolicies.getServiceId());
+ ret.setServiceName(servicePolicies.getServiceName());
+ ret.setPolicyVersion(servicePolicies.getPolicyVersion());
+ ret.setPolicyUpdateTime(servicePolicies.getPolicyUpdateTime());
+ ret.setPolicies(servicePolicies.getPolicies());
+ ret.setTagPolicies(servicePolicies.getTagPolicies());
+ ret.setSecurityZones(servicePolicies.getSecurityZones());
+
+ if (containsDisabledResourcePolicies) {
+ List<RangerPolicy> filteredPolicies = new ArrayList<RangerPolicy>();
+ for (RangerPolicy policy : servicePolicies.getPolicies()) {
+ if (policy.getIsEnabled()) {
+ filteredPolicies.add(policy);
+ }
+ }
+ ret.setPolicies(filteredPolicies);
+ }
+
+ if (containsDisabledTagPolicies) {
+ ServicePolicies.TagPolicies tagPolicies = new ServicePolicies.TagPolicies();
+
+ tagPolicies.setServiceDef(servicePolicies.getTagPolicies().getServiceDef());
+ tagPolicies.setServiceId(servicePolicies.getTagPolicies().getServiceId());
+ tagPolicies.setServiceName(servicePolicies.getTagPolicies().getServiceName());
+ tagPolicies.setPolicyVersion(servicePolicies.getTagPolicies().getPolicyVersion());
+ tagPolicies.setPolicyUpdateTime(servicePolicies.getTagPolicies().getPolicyUpdateTime());
+
+ List<RangerPolicy> filteredPolicies = new ArrayList<RangerPolicy>();
+ for (RangerPolicy policy : servicePolicies.getTagPolicies().getPolicies()) {
+ if (policy.getIsEnabled()) {
+ filteredPolicies.add(policy);
+ }
+ }
+ tagPolicies.setPolicies(filteredPolicies);
+
+ ret.setTagPolicies(tagPolicies);
+ }
+ }
+ }
+
+ return ret;
+ }
+
+
}
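Review bot: `filterServicePolicies` builds its replacement `ServicePolicies` without copying `auditMode` (or `policyDeltas`), whereas `getUpdatedServicePoliciesForZones` in the same hunk does call `ret.setAuditMode(servicePolicies.getAuditMode())`. As written, a service with any disabled policy is returned with whatever audit mode a fresh `ServicePolicies` defaults to; adding `ret.setAuditMode(servicePolicies.getAuditMode());` next to the other setters would keep the two copies consistent. Separately, `patchAssociatedTagServiceInSecurityZoneInfos` catches every `Exception` from the tag-service lookup and only logs a warning, which leaves `containsAssociatedTagService` false for all zones. If plugins use that flag to decide whether tag policies apply inside a zone, a transient lookup failure would silently publish policies with tag enforcement switched off for zoned resources.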
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 8381842..dd58e05 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -65,7 +65,6 @@ import org.apache.ranger.biz.AssetMgr;
import org.apache.ranger.biz.PolicyRefUpdater;
import org.apache.ranger.biz.RangerPolicyAdmin;
import org.apache.ranger.biz.RangerBizUtil;
-import org.apache.ranger.biz.RangerPolicyAdminCache;
import org.apache.ranger.biz.RangerPolicyAdminCacheForEngineOptions;
import org.apache.ranger.biz.RoleDBStore;
import org.apache.ranger.biz.SecurityZoneDBStore;
@@ -102,7 +101,6 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.model.RangerPolicyDelta;
import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
-import org.apache.ranger.plugin.model.RangerSecurityZone;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.ServiceDeleteResponse;
@@ -3030,32 +3028,14 @@ public class ServiceREST {
if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePoliciesIfUpdated(serviceName=" + serviceName + ",lastKnownVersion=" + lastKnownVersion + ",lastActivationTime=" + lastActivationTime + ")");
}
- ServicePolicies servicePolicies = svcStore.getServicePoliciesIfUpdated(serviceName, lastKnownVersion, !supportsPolicyDeltas);
+ ret = svcStore.getServicePoliciesIfUpdated(serviceName, lastKnownVersion, !supportsPolicyDeltas);
- if (servicePolicies == null) {
+ if (ret == null) {
downloadedVersion = lastKnownVersion;
httpCode = HttpServletResponse.SC_NOT_MODIFIED;
logMsg = "No change since last update";
} else {
- Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones = zoneStore.getSecurityZonesForService(serviceName);
- ServicePolicies updatedServicePolicies = servicePolicies;
- if (MapUtils.isNotEmpty(securityZones)) {
- updatedServicePolicies = RangerPolicyAdminCache.getUpdatedServicePoliciesForZones(servicePolicies, securityZones);
- patchAssociatedTagServiceInSecurityZoneInfos(updatedServicePolicies);
- }
- downloadedVersion = updatedServicePolicies.getPolicyVersion();
- if (lastKnownVersion == -1L || !supportsPolicyDeltas) {
- ret = filterServicePolicies(updatedServicePolicies);
- } else {
- ret = updatedServicePolicies;
- }
-
- ret.setServiceConfig(svcStore.getServiceConfigForPlugin(ret.getServiceId()));
-
- if (ret.getTagPolicies() != null && ret.getTagPolicies().getServiceId() != null) {
- ret.getTagPolicies().setServiceConfig(svcStore.getServiceConfigForPlugin(ret.getTagPolicies().getServiceId()));
- }
-
+ downloadedVersion = ret.getPolicyVersion();
httpCode = HttpServletResponse.SC_OK;
logMsg = "Returning " + (ret.getPolicies() != null ? ret.getPolicies().size() : (ret.getPolicyDeltas() != null ? ret.getPolicyDeltas().size() : 0)) + " policies. Policy version=" + ret.getPolicyVersion();
}
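Review bot: The assignment `ret = svcStore.getServicePoliciesIfUpdated(serviceName, lastKnownVersion, !supportsPolicyDeltas);` now hands the store's result to the plugin unchanged, so removing disabled policies and patching security-zone information depend entirely on the store, and nothing at this call site says so. The same holds for the matching hunk in the `isAllowed` branch further down. The removed code filtered when `lastKnownVersion == -1L || !supportsPolicyDeltas`; whether the store applies the same condition is not visible from this hunk and should be confirmed against ServiceDBStore. I would add a comment above the call such as `// svcStore is expected to return policies already zone-adjusted, with disabled policies removed and serviceConfig populated; do not post-process here`. TestServiceREST stubs this store call, so catching a disabled policy that reaches a plugin would need a test on the store method itself; the enclosing method begins and ends outside the hunk.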
@@ -3159,30 +3139,13 @@ public class ServiceREST {
}
}
if (isAllowed) {
- ServicePolicies servicePolicies = svcStore.getServicePoliciesIfUpdated(serviceName, lastKnownVersion, !supportsPolicyDeltas);
- if (servicePolicies == null) {
+ ret = svcStore.getServicePoliciesIfUpdated(serviceName, lastKnownVersion, !supportsPolicyDeltas);
+ if (ret == null) {
downloadedVersion = lastKnownVersion;
httpCode = HttpServletResponse.SC_NOT_MODIFIED;
logMsg = "No change since last update";
} else {
- Map<String, RangerSecurityZone.RangerSecurityZoneService> securityZones = zoneStore.getSecurityZonesForService(serviceName);
- ServicePolicies updatedServicePolicies = servicePolicies;
- if (MapUtils.isNotEmpty(securityZones)) {
- updatedServicePolicies = RangerPolicyAdminCache.getUpdatedServicePoliciesForZones(servicePolicies, securityZones);
- patchAssociatedTagServiceInSecurityZoneInfos(updatedServicePolicies);
- }
- downloadedVersion = updatedServicePolicies.getPolicyVersion();
- if (lastKnownVersion == -1L || !supportsPolicyDeltas) {
- ret = filterServicePolicies(updatedServicePolicies);
- } else {
- ret = updatedServicePolicies;
- }
-
- ret.setServiceConfig(svcStore.getServiceConfigForPlugin(ret.getServiceId()));
-
- if (ret.getTagPolicies() != null && ret.getTagPolicies().getServiceId() != null) {
- ret.getTagPolicies().setServiceConfig(svcStore.getServiceConfigForPlugin(ret.getTagPolicies().getServiceId()));
- }
+ downloadedVersion = ret.getPolicyVersion();
httpCode = HttpServletResponse.SC_OK;
logMsg = "Returning " + (ret.getPolicies() != null ? ret.getPolicies().size() : (ret.getPolicyDeltas() != null ? ret.getPolicyDeltas().size() : 0)) + " policies. Policy version=" + ret.getPolicyVersion();
@@ -3825,85 +3788,6 @@ public class ServiceREST {
return ret;
}
- private ServicePolicies filterServicePolicies(ServicePolicies servicePolicies) {
- ServicePolicies ret = null;
- boolean containsDisabledResourcePolicies = false;
- boolean containsDisabledTagPolicies = false;
-
- if (servicePolicies != null) {
- List<RangerPolicy> policies = null;
-
- policies = servicePolicies.getPolicies();
- if (CollectionUtils.isNotEmpty(policies)) {
- for (RangerPolicy policy : policies) {
- if (!policy.getIsEnabled()) {
- containsDisabledResourcePolicies = true;
- break;
- }
- }
- }
-
- if (servicePolicies.getTagPolicies() != null) {
- policies = servicePolicies.getTagPolicies().getPolicies();
- if (CollectionUtils.isNotEmpty(policies)) {
- for (RangerPolicy policy : policies) {
- if (!policy.getIsEnabled()) {
- containsDisabledTagPolicies = true;
- break;
- }
- }
- }
- }
-
- if (!containsDisabledResourcePolicies && !containsDisabledTagPolicies) {
- ret = servicePolicies;
- } else {
- ret = new ServicePolicies();
-
- ret.setServiceDef(servicePolicies.getServiceDef());
- ret.setServiceId(servicePolicies.getServiceId());
- ret.setServiceName(servicePolicies.getServiceName());
- ret.setPolicyVersion(servicePolicies.getPolicyVersion());
- ret.setPolicyUpdateTime(servicePolicies.getPolicyUpdateTime());
- ret.setPolicies(servicePolicies.getPolicies());
- ret.setTagPolicies(servicePolicies.getTagPolicies());
- ret.setSecurityZones(servicePolicies.getSecurityZones());
-
- if (containsDisabledResourcePolicies) {
- List<RangerPolicy> filteredPolicies = new ArrayList<RangerPolicy>();
- for (RangerPolicy policy : servicePolicies.getPolicies()) {
- if (policy.getIsEnabled()) {
- filteredPolicies.add(policy);
- }
- }
- ret.setPolicies(filteredPolicies);
- }
-
- if (containsDisabledTagPolicies) {
- ServicePolicies.TagPolicies tagPolicies = new ServicePolicies.TagPolicies();
-
- tagPolicies.setServiceDef(servicePolicies.getTagPolicies().getServiceDef());
- tagPolicies.setServiceId(servicePolicies.getTagPolicies().getServiceId());
- tagPolicies.setServiceName(servicePolicies.getTagPolicies().getServiceName());
- tagPolicies.setPolicyVersion(servicePolicies.getTagPolicies().getPolicyVersion());
- tagPolicies.setPolicyUpdateTime(servicePolicies.getTagPolicies().getPolicyUpdateTime());
-
- List<RangerPolicy> filteredPolicies = new ArrayList<RangerPolicy>();
- for (RangerPolicy policy : servicePolicies.getTagPolicies().getPolicies()) {
- if (policy.getIsEnabled()) {
- filteredPolicies.add(policy);
- }
- }
- tagPolicies.setPolicies(filteredPolicies);
-
- ret.setTagPolicies(tagPolicies);
- }
- }
- }
-
- return ret;
- }
-
private void validateGrantRevokeRequest(GrantRevokeRequest request, final boolean hasAdminPrivilege, final String loggedInUser) {
if (request != null) {
validateUsersGroupsAndRoles(request.getUsers(),request.getGroups(), request.getRoles());
@@ -4050,33 +3934,6 @@ public class ServiceREST {
}
}
- private void patchAssociatedTagServiceInSecurityZoneInfos(ServicePolicies servicePolicies) {
- if (servicePolicies != null && MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) {
- // Get list of zones that associated tag-service (if any) is associated with
- List<String> zonesInAssociatedTagService = new ArrayList<>();
-
- String tagServiceName = servicePolicies.getTagPolicies() != null ? servicePolicies.getTagPolicies().getServiceName() : null;
- if (StringUtils.isNotEmpty(tagServiceName)) {
- try {
- RangerService tagService = svcStore.getServiceByName(tagServiceName);
- if (tagService != null && tagService.getIsEnabled()) {
- zonesInAssociatedTagService = daoManager.getXXSecurityZoneDao().findZonesByTagServiceName(tagServiceName);
- }
- } catch (Exception exception) {
- LOG.warn("Could not get service associated with [" + tagServiceName + "]", exception);
- }
- }
- if (CollectionUtils.isNotEmpty(zonesInAssociatedTagService)) {
- for (Map.Entry<String, ServicePolicies.SecurityZoneInfo> entry : servicePolicies.getSecurityZones().entrySet()) {
- String zoneName = entry.getKey();
- ServicePolicies.SecurityZoneInfo securityZoneInfo = entry.getValue();
-
- securityZoneInfo.setContainsAssociatedTagService(zonesInAssociatedTagService.contains(zoneName));
- }
- }
- }
- }
-
private void scheduleCreateOrGetTagService(RangerService resourceService) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> scheduleCreateOrGetTagService(resourceService=" + resourceService.getName() + ")");
diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
index 09d3bea..582dcbc 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
@@ -1891,7 +1891,6 @@ public class TestServiceREST {
String pluginId = "1";
Mockito.when(serviceUtil.isValidateHttpsAuthentication(serviceName, request)).thenReturn(true);
Mockito.when(svcStore.getServicePoliciesIfUpdated(Mockito.anyString(), Mockito.anyLong(), Mockito.anyBoolean())).thenReturn(servicePolicies);
- Mockito.when(zoneStore.getSecurityZonesForService(serviceName)).thenReturn(null);
ServicePolicies dbServicePolicies = serviceREST.getServicePoliciesIfUpdated(serviceName, lastKnownVersion, 0L,
pluginId, "", "", true, capabilityVector, request);
Assert.assertNotNull(dbServicePolicies);
@@ -1967,7 +1966,6 @@ public class TestServiceREST {
Mockito.when(svcStore.getServiceByNameForDP(serviceName)).thenReturn(rs);
Mockito.when(bizUtil.isUserAllowed(rs, ServiceREST.Allowed_User_List_For_Grant_Revoke)).thenReturn(true);
Mockito.when(svcStore.getServicePoliciesIfUpdated(Mockito.anyString(), Mockito.anyLong(), Mockito.anyBoolean())).thenReturn(sp);
- Mockito.when(zoneStore.getSecurityZonesForService(serviceName)).thenReturn(null);
ServicePolicies dbServiceSecurePolicies = serviceREST.getSecureServicePoliciesIfUpdated(serviceName,
lastKnownVersion, 0L, pluginId, "", "", true, capabilityVector, request);
Assert.assertNotNull(dbServiceSecurePolicies);