Posted to commits@ranger.apache.org by ma...@apache.org on 2022/06/15 15:58:09 UTC
[ranger] branch ranger-2.3 updated: RANGER-3779: conditions enhancement to support macros IS_IN_ANY_GROUP, IS_IN_ANY_ROLE, HAS_TAGS
This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch ranger-2.3
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.3 by this push:
new 03338d668 RANGER-3779: conditions enhancement to support macros IS_IN_ANY_GROUP, IS_IN_ANY_ROLE, HAS_TAGS
03338d668 is described below
commit 03338d66847a0ec73ab8b08687c485e17d079e73
Author: Madhan Neethiraj <ma...@apache.org>
AuthorDate: Thu May 26 16:53:27 2022 -0700
RANGER-3779: conditions enhancement to support macros IS_IN_ANY_GROUP, IS_IN_ANY_ROLE, HAS_TAGS
(cherry picked from commit 56ccd79bd2840ce9b0b1c7a40dc671f76a88975f)
---
.../policyengine/RangerRequestScriptEvaluator.java | 24 ++++++++++++++++++++++
.../ranger/plugin/util/RangerCommonConstants.java | 6 ++++++
.../RangerRequestScriptEvaluatorTest.java | 6 ++++++
3 files changed, 36 insertions(+)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
index 96be80ca1..a674ac54d 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
@@ -715,6 +715,12 @@ public final class RangerRequestScriptEvaluator {
return tags.containsKey(tagName);
}
+ public boolean hasAnyTag() {
+ init();
+
+ return !tags.isEmpty();
+ }
+
public boolean hasUserAttr(String attrName) {
init();
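Review bot: `hasAnyTag()` here, and `isInAnyGroup()` / `isInAnyRole()` in the next hunk, report an empty collection as false without distinguishing "the request has none" from "none were loaded", so the negated macros built on them (`HAS_NO_TAG`, `IS_NOT_IN_ANY_GROUP`, `IS_NOT_IN_ANY_ROLE`) evaluate true whenever that data is absent. Most of `init()` lies outside the diff, so whether it can leave these collections empty after a failed or skipped lookup cannot be confirmed from here. If it can, an allow condition written on a negated macro would match a request whose tags or memberships simply did not resolve. At minimum each method should say so in a Javadoc, e.g. `/** @return true if the request has at least one tag; false when the tag map is empty, including when no tag data was available */`.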
@@ -768,6 +774,18 @@ public final class RangerRequestScriptEvaluator {
return userRoles.contains(roleName);
}
+ public boolean isInAnyGroup() {
+ init();
+
+ return !userGroups.isEmpty();
+ }
+
+ public boolean isInAnyRole() {
+ init();
+
+ return !userRoles.isEmpty();
+ }
+
private void init() {
if (!initDone) {
RangerUserStore userStore = RangerAccessRequestUtil.getRequestUserStoreFromContext(accessRequest.getContext());
@@ -1046,11 +1064,17 @@ public final class RangerRequestScriptEvaluator {
ret.put(SCRIPT_MACRO_USER_ATTR_NAMES_CSV, "ctx.userAttrNamesCsv()");
ret.put(SCRIPT_MACRO_USER_ATTR_NAMES_Q_CSV, "ctx.userAttrNamesCsvQ()");
ret.put(SCRIPT_MACRO_HAS_TAG, "ctx.hasTag");
+ ret.put(SCRIPT_MACRO_HAS_ANY_TAG, "ctx.hasAnyTag()");
+ ret.put(SCRIPT_MACRO_HAS_NO_TAG, "!ctx.hasAnyTag()");
ret.put(SCRIPT_MACRO_HAS_USER_ATTR, "ctx.hasUserAttr");
ret.put(SCRIPT_MACRO_HAS_UG_ATTR, "ctx.hasUgAttr");
ret.put(SCRIPT_MACRO_HAS_TAG_ATTR, "ctx.hasTagAttr");
ret.put(SCRIPT_MACRO_IS_IN_GROUP, "ctx.isInGroup");
ret.put(SCRIPT_MACRO_IS_IN_ROLE, "ctx.isInRole");
+ ret.put(SCRIPT_MACRO_IS_IN_ANY_GROUP, "ctx.isInAnyGroup()");
+ ret.put(SCRIPT_MACRO_IS_IN_ANY_ROLE, "ctx.isInAnyRole()");
+ ret.put(SCRIPT_MACRO_IS_NOT_IN_ANY_GROUP, "!ctx.isInAnyGroup()");
+ ret.put(SCRIPT_MACRO_IS_NOT_IN_ANY_ROLE, "!ctx.isInAnyRole()");
return ret;
}
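Review bot: The six new entries map to complete expressions (`ctx.isInAnyGroup()`, `!ctx.hasAnyTag()`), while the neighbouring `HAS_TAG` / `IS_IN_GROUP` entries map to a bare function name that the policy author calls with arguments, and nothing in the map marks the difference. A condition written by analogy as `IS_IN_ANY_GROUP()` would presumably expand to `ctx.isInAnyGroup()()`, and how the evaluator treats the resulting script error is not visible in this hunk. A comment above the new lines would help, e.g. `// value macros: written without parentheses, e.g. IS_IN_ANY_GROUP && HAS_TAG('PII')`. Wrapping the negated values in parentheses, `"(!ctx.hasAnyTag())"`, would also keep each one a single operand wherever it is substituted. The enclosing method starts outside the hunk.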
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java
index a372ea019..6239f0761 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java
@@ -116,9 +116,15 @@ public class RangerCommonConstants {
public static final String SCRIPT_MACRO_USER_ATTR_NAMES_CSV = "USER_ATTR_NAMES_CSV";
public static final String SCRIPT_MACRO_USER_ATTR_NAMES_Q_CSV = "USER_ATTR_NAMES_Q_CSV";
public static final String SCRIPT_MACRO_HAS_TAG = "HAS_TAG";
+ public static final String SCRIPT_MACRO_HAS_ANY_TAG = "HAS_ANY_TAG";
+ public static final String SCRIPT_MACRO_HAS_NO_TAG = "HAS_NO_TAG";
public static final String SCRIPT_MACRO_HAS_USER_ATTR = "HAS_USER_ATTR";
public static final String SCRIPT_MACRO_HAS_UG_ATTR = "HAS_UG_ATTR";
public static final String SCRIPT_MACRO_HAS_TAG_ATTR = "HAS_TAG_ATTR";
public static final String SCRIPT_MACRO_IS_IN_GROUP = "IS_IN_GROUP";
public static final String SCRIPT_MACRO_IS_IN_ROLE = "IS_IN_ROLE";
+ public static final String SCRIPT_MACRO_IS_IN_ANY_GROUP = "IS_IN_ANY_GROUP";
+ public static final String SCRIPT_MACRO_IS_IN_ANY_ROLE = "IS_IN_ANY_ROLE";
+ public static final String SCRIPT_MACRO_IS_NOT_IN_ANY_GROUP = "IS_NOT_IN_ANY_GROUP";
+ public static final String SCRIPT_MACRO_IS_NOT_IN_ANY_ROLE = "IS_NOT_IN_ANY_ROLE";
}
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java
index 97b92ef78..f66611f19 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java
@@ -84,6 +84,8 @@ public class RangerRequestScriptEvaluatorTest {
Assert.assertTrue("test: IS_IN_GROUP(test-group1)", (Boolean)evaluator.evaluateScript(scriptEngine, "IS_IN_GROUP('test-group1')"));
Assert.assertTrue("test: IS_IN_GROUP(test-group2)", (Boolean)evaluator.evaluateScript(scriptEngine, "IS_IN_GROUP('test-group2')"));
Assert.assertFalse("test: IS_IN_GROUP(notExists)", (Boolean)evaluator.evaluateScript(scriptEngine, "IS_IN_GROUP('notExists')"));
+ Assert.assertTrue("test: IS_IN_ANY_GROUP", (Boolean)evaluator.evaluateScript(scriptEngine, "IS_IN_ANY_GROUP"));
+ Assert.assertFalse("test: IS_NOT_IN_ANY_GROUP", (Boolean)evaluator.evaluateScript(scriptEngine, "IS_NOT_IN_ANY_GROUP"));
Assert.assertTrue("test: UG['test-group1'].dept is 'ENGG'", (Boolean) evaluator.evaluateScript(scriptEngine, "UG['test-group1'].dept == 'ENGG'"));
Assert.assertTrue("test: UG['test-group1'].site is 10", (Boolean) evaluator.evaluateScript(scriptEngine, "UG['test-group1'].site == 10"));
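Review bot: The added assertions exercise only a user that has groups, so `IS_NOT_IN_ANY_GROUP` is never observed returning true; the role and tag hunks below have the same gap for `IS_NOT_IN_ANY_ROLE` and `HAS_NO_TAG`. The empty case is where the negated macros take effect in a policy, so it should be pinned by a test built on a request with no groups, roles or tags. For example, with `emptyEvaluator` as a placeholder name for an evaluator over such a request: `Assert.assertTrue("test: IS_NOT_IN_ANY_GROUP", (Boolean)emptyEvaluator.evaluateScript(scriptEngine, "IS_NOT_IN_ANY_GROUP"));`, plus the matching `assertFalse` for `IS_IN_ANY_GROUP`. The test method itself starts outside the hunk.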
@@ -95,6 +97,8 @@ public class RangerRequestScriptEvaluatorTest {
Assert.assertTrue("test: IS_IN_ROLE(test-role1)", (Boolean)evaluator.evaluateScript(scriptEngine, "IS_IN_ROLE('test-role1')"));
Assert.assertTrue("test: IS_IN_ROLE(test-role2)", (Boolean)evaluator.evaluateScript(scriptEngine, "IS_IN_ROLE('test-role2')"));
Assert.assertFalse("test: IS_IN_ROLE(notExists)", (Boolean)evaluator.evaluateScript(scriptEngine, "IS_IN_ROLE('notExists')"));
+ Assert.assertTrue("test: IS_IN_ANY_ROLE", (Boolean)evaluator.evaluateScript(scriptEngine, "IS_IN_ANY_ROLE"));
+ Assert.assertFalse("test: IS_NOT_IN_ANY_ROLE", (Boolean)evaluator.evaluateScript(scriptEngine, "IS_NOT_IN_ANY_ROLE"));
Assert.assertTrue("test: UGA.sVal['dept'] is 'ENGG'", (Boolean)evaluator.evaluateScript(scriptEngine, "UGA.sVal['dept'] == 'ENGG'"));
Assert.assertTrue("test: UGA.sVal['site'] is 10", (Boolean) evaluator.evaluateScript(scriptEngine, "UGA.sVal['site'] == 10"));
@@ -130,6 +134,8 @@ public class RangerRequestScriptEvaluatorTest {
Assert.assertTrue("test: HAS_TAG(PII)", (Boolean) evaluator.evaluateScript(scriptEngine, "HAS_TAG('PII')"));
Assert.assertTrue("test: HAS_TAG(PCI)", (Boolean) evaluator.evaluateScript(scriptEngine, "HAS_TAG('PCI')"));
Assert.assertFalse("test: HAS_TAG(notExists)", (Boolean) evaluator.evaluateScript(scriptEngine, "HAS_TAG('notExists')"));
+ Assert.assertTrue("test: HAS_ANY_TAG", (Boolean) evaluator.evaluateScript(scriptEngine, "HAS_ANY_TAG"));
+ Assert.assertFalse("test: HAS_NO_TAG", (Boolean) evaluator.evaluateScript(scriptEngine, "HAS_NO_TAG"));
}