Posted to commits@ranger.apache.org by ma...@apache.org on 2022/03/22 07:11:46 UTC
[ranger] branch master updated: RANGER-3676: support {OWNER} macro in tag-based policies
This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 0d076a0 RANGER-3676: support {OWNER} macro in tag-based policies
0d076a0 is described below
commit 0d076a0bae37fda198350faee09188be1673c010
Author: Madhan Neethiraj <ma...@apache.org>
AuthorDate: Mon Mar 21 12:09:42 2022 -0700
RANGER-3676: support {OWNER} macro in tag-based policies
---
.../plugin/policyengine/RangerTagAccessRequest.java | 7 ++++---
.../ranger/plugin/policyengine/RangerTagResource.java | 6 ++++++
.../test_policyengine_tag_hive_filebased.json | 16 +++++++++++++++-
3 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
index ebe85e9..4b2d706 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
@@ -31,8 +31,11 @@ import java.util.Map;
public class RangerTagAccessRequest extends RangerAccessRequestImpl {
private final RangerPolicyResourceMatcher.MatchType matchType;
public RangerTagAccessRequest(RangerTagForEval resourceTag, RangerServiceDef tagServiceDef, RangerAccessRequest request) {
+ String owner = request.getResource() != null ? request.getResource().getOwnerUser() : null;
+
matchType = resourceTag.getMatchType();
- super.setResource(new RangerTagResource(resourceTag.getType(), tagServiceDef));
+
+ super.setResource(new RangerTagResource(resourceTag.getType(), tagServiceDef, owner));
super.setUser(request.getUser());
super.setUserGroups(request.getUserGroups());
super.setUserRoles(request.getUserRoles());
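Review bot: The `owner` value computed on the first added line is handed to the new three-argument RangerTagResource constructor unguarded, while the context update further down (`if (StringUtils.isNotEmpty(owner))`) still filters empty strings, so an empty `ownerUser` on the incoming resource is now stored on the tag resource but not in the request context. Whether the `{OWNER}` matcher treats an empty owner as a match is not visible in this diff, but the two consumers should see the same value; passing `StringUtils.isNotEmpty(owner) ? owner : null` into the constructor, or normalizing `owner` once where it is read, keeps them consistent. A short comment such as `// owner of the tagged resource, exposed to tag policies via the {OWNER} macro` above the assignment would also explain why the owner is read before the resource is replaced. The RangerTagAccessRequest constructor continues past the end of this hunk.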
@@ -47,8 +50,6 @@ public class RangerTagAccessRequest extends RangerAccessRequestImpl {
RangerAccessRequestUtil.setCurrentResourceInContext(request.getContext(), request.getResource());
RangerAccessRequestUtil.setCurrentUserInContext(request.getContext(), request.getUser());
- String owner = request.getResource() != null ? request.getResource().getOwnerUser() : null;
-
if (StringUtils.isNotEmpty(owner)) {
RangerAccessRequestUtil.setOwnerInContext(request.getContext(), owner);
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java
index 39e190c..b6ab66b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java
@@ -30,4 +30,10 @@ public class RangerTagResource extends RangerAccessResourceImpl {
super.setValue(KEY_TAG, tagType);
super.setServiceDef(tagServiceDef);
}
+
+ public RangerTagResource(String tagType, RangerServiceDef tagServiceDef, String ownerUser) {
+ super.setValue(KEY_TAG, tagType);
+ super.setServiceDef(tagServiceDef);
+ super.setOwnerUser(ownerUser);
+ }
}
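Review bot: The new three-argument constructor duplicates the body of the existing two-argument one; delegating with `this(tagType, tagServiceDef);` and then `super.setOwnerUser(ownerUser);` leaves the KEY_TAG and service-def setup with a single definition. The added constructor also has no Javadoc: a brief comment stating that `ownerUser` is the owner of the resource the tag is attached to (may be null) and that, per the commit title, it is what tag-based policies resolve the `{OWNER}` macro against, would save the next reader a trip to RangerTagAccessRequest. Since `setOwnerUser` is called unconditionally, the doc should say whether null and empty are treated alike, which this hunk does not establish.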
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
index fad08e7..b3ca12e 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
@@ -201,7 +201,7 @@
]
,
"denyExceptions":[
- {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1"],"groups":[],"delegateAdmin":false,
+ {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1", "{OWNER}"],"groups":[],"delegateAdmin":false,
"conditions":[{
"type":"expression",
"values":["if ( ctx.isAccessedBefore('activation_date') ) ctx.result = true;"]
@@ -277,6 +277,20 @@
},
"result":{"isAudited":true,"isAllowed":false,"policyId":4}
},
+ {"name":"ALLOW 'select address from employee.personal;' for user2, the {OWNER}, using RESTRICTED-FINAL tag",
+ "request":{
+ "resource":{"elements":{"database":"employee", "table":"personal", "column":"address"}, "ownerUser": "user2"},
+ "accessType":"select","user":"user2","userGroups":[],"requestData":"select address from employee.personal;' for user2"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":101}
+ },
+ {"name":"DENY 'select address from employee.personal;' for user3, owner=user2, using RESTRICTED-FINAL tag",
+ "request":{
+ "resource":{"elements":{"database":"employee", "table":"personal", "column":"address"}, "ownerUser": "user2"},
+ "accessType":"select","user":"user3","userGroups":[],"requestData":"select address from employee.personal;' for user2"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":4}
+ },
{"name":"ALLOW 'select name from employee.personal;' for user1 - no tag",
"request":{
"resource":{"elements":{"database":"employee", "table":"personal", "column":"name"}},
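Review bot: In the second added case (user3, owner=user2) the `requestData` string still reads `... for user2`, carried over from the case above, and both strings contain a stray `'` after the semicolon; `"requestData":"select address from employee.personal; for user3"` would match the case name. The two new cases pin the positive match and the non-owner denial, but nothing here exercises a request whose resource has no `ownerUser` (or an empty one) against the policy that now lists `{OWNER}`; adding such a case with an expected deny would guard the macro against matching when no owner is supplied, which is the regression most worth catching for an access-control change. The hunk begins mid-array, so the surrounding policy definitions referenced by policyId 4 and 101 are not visible here.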