Posted to commits@ranger.apache.org by ab...@apache.org on 2021/01/06 23:59:32 UTC

[ranger] branch ranger-2.2 updated: RANGER-3122: Support delegate-admin for specific permissions - Part 2

This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.2 by this push:
     new 1a0fb59  RANGER-3122: Support delegate-admin for specific permissions - Part 2
1a0fb59 is described below

commit 1a0fb59ce12064b60d98e234103aa8308639995f
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Wed Jan 6 15:43:22 2021 -0800

    RANGER-3122: Support delegate-admin for specific permissions - Part 2
---
 .../apache/ranger/biz/RangerPolicyAdminImpl.java   | 87 ++++++++++++++--------
 1 file changed, 58 insertions(+), 29 deletions(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
index d868e39..eb332ac 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
@@ -163,18 +163,27 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin {
             Map<String, RangerPolicyResource> modifiedPolicyResources = getPolicyResourcesWithMacrosReplaced(policy.getResources(), wildcardEvalContext);
             Set<String> accessTypes = getAllAccessTypes(policy, getServiceDef());
 
-            for (RangerPolicyEvaluator evaluator : matchedRepository.getPolicyEvaluators()) {
-                Set<String> allowedAccesses = evaluator.getAllowedAccesses(modifiedPolicyResources, user, userGroups, roles, accessTypes, evalContext);
-                if (CollectionUtils.isNotEmpty(allowedAccesses)) {
-                    accessTypes.removeAll(allowedAccesses);
-                    if (CollectionUtils.isEmpty(accessTypes)) {
-                        ret = true;
-                        break;
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("Checking admin-access for the access-types:[" + accessTypes + "]");
+            }
+
+            if (CollectionUtils.isEmpty(accessTypes)) {
+                LOG.info("access-types to check for admin-access are empty!! Allowing admin access!!");
+                ret = true;
+            } else {
+                for (RangerPolicyEvaluator evaluator : matchedRepository.getPolicyEvaluators()) {
+                    Set<String> allowedAccesses = evaluator.getAllowedAccesses(modifiedPolicyResources, user, userGroups, roles, accessTypes, evalContext);
+                    if (CollectionUtils.isNotEmpty(allowedAccesses)) {
+                        accessTypes.removeAll(allowedAccesses);
+                        if (CollectionUtils.isEmpty(accessTypes)) {
+                            ret = true;
+                            break;
+                        }
                     }
                 }
-            }
-            if (CollectionUtils.isNotEmpty(accessTypes)) {
-                LOG.info("Accesses : " + accessTypes + " are not authorized for the policy:[" + policy.getId() + "] by any of delegated-admin policies");
+                if (CollectionUtils.isNotEmpty(accessTypes)) {
+                    LOG.info("Accesses : " + accessTypes + " are not authorized for the policy:[" + policy.getId() + "] by any of delegated-admin policies");
+                }
             }
         }
 
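Review bot: The new branch at L44-L46 grants admin access the moment `accessTypes` is empty, without consulting a single `RangerPolicyEvaluator`, so a user who holds no delegated-admin grant on `modifiedPolicyResources` passes this check for any policy whose items declare no accesses — and, because `getAllAccessTypes` in the next hunk returns an empty set for an unrecognised policy type, for any policy of unknown type as well. The removed loop at least required some evaluator to return allowed accesses before `ret` became true, so this is a fail-open change rather than a pure refactor. Unless the part of this method above the hunk (its start is outside the hunk) already establishes that the caller is a delegated admin for these resources, the empty case should fail closed, e.g. `LOG.warn("access-types to check for admin-access are empty; denying admin access for policy:[" + policy.getId() + "]"); ret = false;`, or the empty set should be replaced by the service-def's full access-type list so the evaluator loop still runs. If the shortcut is intentional, the `!!`-laden `LOG.info` on L45 is the only record of an allow decision taken without evaluation and deserves at least WARN level and the policy id, so it is visible in audit review.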
@@ -513,29 +522,49 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin {
 
         if (MapUtils.isNotEmpty(expandedAccesses)) {
 
-            for (RangerPolicy.RangerPolicyItem item : policy.getPolicyItems()) {
-                List<RangerPolicy.RangerPolicyItemAccess> accesses = item.getAccesses();
-                for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
-                    ret.addAll(expandedAccesses.get(access.getType()));
+            Integer policyType = policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType();
+
+            if (policyType == RangerPolicy.POLICY_TYPE_ACCESS) {
+                for (RangerPolicy.RangerPolicyItem item : policy.getPolicyItems()) {
+                    List<RangerPolicy.RangerPolicyItemAccess> accesses = item.getAccesses();
+                    for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
+                        ret.addAll(expandedAccesses.get(access.getType()));
+                    }
                 }
-            }
-            for (RangerPolicy.RangerPolicyItem item : policy.getDenyPolicyItems()) {
-                List<RangerPolicy.RangerPolicyItemAccess> accesses = item.getAccesses();
-                for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
-                    ret.addAll(expandedAccesses.get(access.getType()));
+                for (RangerPolicy.RangerPolicyItem item : policy.getDenyPolicyItems()) {
+                    List<RangerPolicy.RangerPolicyItemAccess> accesses = item.getAccesses();
+                    for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
+                        ret.addAll(expandedAccesses.get(access.getType()));
+                    }
                 }
-            }
-            for (RangerPolicy.RangerPolicyItem item : policy.getAllowExceptions()) {
-                List<RangerPolicy.RangerPolicyItemAccess> accesses = item.getAccesses();
-                for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
-                    ret.addAll(expandedAccesses.get(access.getType()));
+                for (RangerPolicy.RangerPolicyItem item : policy.getAllowExceptions()) {
+                    List<RangerPolicy.RangerPolicyItemAccess> accesses = item.getAccesses();
+                    for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
+                        ret.addAll(expandedAccesses.get(access.getType()));
+                    }
                 }
-            }
-            for (RangerPolicy.RangerPolicyItem item : policy.getDenyExceptions()) {
-                List<RangerPolicy.RangerPolicyItemAccess> accesses = item.getAccesses();
-                for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
-                    ret.addAll(expandedAccesses.get(access.getType()));
+                for (RangerPolicy.RangerPolicyItem item : policy.getDenyExceptions()) {
+                    List<RangerPolicy.RangerPolicyItemAccess> accesses = item.getAccesses();
+                    for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
+                        ret.addAll(expandedAccesses.get(access.getType()));
+                    }
+                }
+            } else if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK) {
+                for (RangerPolicy.RangerPolicyItem item : policy.getDataMaskPolicyItems()) {
+                    List<RangerPolicy.RangerPolicyItemAccess> accesses = item.getAccesses();
+                    for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
+                        ret.addAll(expandedAccesses.get(access.getType()));
+                    }
+                }
+            } else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
+                for (RangerPolicy.RangerPolicyItem item : policy.getRowFilterPolicyItems()) {
+                    List<RangerPolicy.RangerPolicyItemAccess> accesses = item.getAccesses();
+                    for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
+                        ret.addAll(expandedAccesses.get(access.getType()));
+                    }
                 }
+            } else {
+                LOG.error("Unknown policy-type :[" + policyType + "], returning empty access-type set");
             }
         }
         return ret;
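Review bot: Every one of the six copies of the inner loop at L78-L129 passes `expandedAccesses.get(access.getType())` straight into `ret.addAll(...)`, so an access type that is not a key of that map (a submitted policy naming an access the service-def does not define, if this runs before validation — the call site is not visible here) throws a NullPointerException from `Set.addAll(null)` instead of a clear error; this was already true of the removed lines, but the new datamask and row-filter branches copy it. Extracting one private helper removes the duplication and gives a single place to handle that case, and the miss should be logged rather than silently skipped, since an empty result from this method is exactly what the delegate-admin check treats as "nothing to verify" (the `else` branch at L131 already maps an unknown policy type to that empty result). The `Integer policyType` compared with `==` against `RangerPolicy.POLICY_TYPE_*` also relies on those constants being `int` so that unboxing happens; `int policyType = ...` makes that explicit. The enclosing method's start, where `expandedAccesses` and `ret` are built, is outside the hunk, so the value type of the map in the helper below is assumed to be `Set<String>`.
```java
int policyType = policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType();

if (policyType == RangerPolicy.POLICY_TYPE_ACCESS) {
    addExpandedAccessTypes(policy.getPolicyItems(), expandedAccesses, ret);
    addExpandedAccessTypes(policy.getDenyPolicyItems(), expandedAccesses, ret);
    addExpandedAccessTypes(policy.getAllowExceptions(), expandedAccesses, ret);
    addExpandedAccessTypes(policy.getDenyExceptions(), expandedAccesses, ret);
} else if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK) {
    addExpandedAccessTypes(policy.getDataMaskPolicyItems(), expandedAccesses, ret);
} else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
    addExpandedAccessTypes(policy.getRowFilterPolicyItems(), expandedAccesses, ret);
} else {
    // … unchanged: LOG.error for unknown policy-type …
}
// … unchanged: return ret; (end of getAllAccessTypes) …

// New private helper, placed after getAllAccessTypes: adds the expanded
// access types of every access in every item to 'ret'; an access type the
// service-def does not define is logged instead of NPE-ing in Set.addAll(null).
private static void addExpandedAccessTypes(List<? extends RangerPolicy.RangerPolicyItem> items,
                                           Map<String, Set<String>> expandedAccesses,
                                           Set<String> ret) {
    for (RangerPolicy.RangerPolicyItem item : items) {
        for (RangerPolicy.RangerPolicyItemAccess access : item.getAccesses()) {
            Set<String> expanded = expandedAccesses.get(access.getType());
            if (expanded == null) {
                LOG.warn("Access-type:[" + access.getType() + "] is not defined in the service-def; ignoring it for admin-access check");
            } else {
                ret.addAll(expanded);
            }
        }
    }
}
```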