Posted to commits@ranger.apache.org by ab...@apache.org on 2021/01/06 23:59:32 UTC
[ranger] branch ranger-2.2 updated: RANGER-3122: Support
delegate-admin for specific permissions - Part 2
abhay pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.2 by this push:
new 1a0fb59 RANGER-3122: Support delegate-admin for specific permissions - Part 2
1a0fb59 is described below
commit 1a0fb59ce12064b60d98e234103aa8308639995f
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Wed Jan 6 15:43:22 2021 -0800
RANGER-3122: Support delegate-admin for specific permissions - Part 2
---
.../apache/ranger/biz/RangerPolicyAdminImpl.java | 87 ++++++++++++++--------
1 file changed, 58 insertions(+), 29 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
index d868e39..eb332ac 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
@@ -163,18 +163,27 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin {
Map<String, RangerPolicyResource> modifiedPolicyResources = getPolicyResourcesWithMacrosReplaced(policy.getResources(), wildcardEvalContext);
Set<String> accessTypes = getAllAccessTypes(policy, getServiceDef());
- for (RangerPolicyEvaluator evaluator : matchedRepository.getPolicyEvaluators()) {
- Set<String> allowedAccesses = evaluator.getAllowedAccesses(modifiedPolicyResources, user, userGroups, roles, accessTypes, evalContext);
- if (CollectionUtils.isNotEmpty(allowedAccesses)) {
- accessTypes.removeAll(allowedAccesses);
- if (CollectionUtils.isEmpty(accessTypes)) {
- ret = true;
- break;
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking admin-access for the access-types:[" + accessTypes + "]");
+ }
+
+ if (CollectionUtils.isEmpty(accessTypes)) {
+ LOG.info("access-types to check for admin-access are empty!! Allowing admin access!!");
+ ret = true;
+ } else {
+ for (RangerPolicyEvaluator evaluator : matchedRepository.getPolicyEvaluators()) {
+ Set<String> allowedAccesses = evaluator.getAllowedAccesses(modifiedPolicyResources, user, userGroups, roles, accessTypes, evalContext);
+ if (CollectionUtils.isNotEmpty(allowedAccesses)) {
+ accessTypes.removeAll(allowedAccesses);
+ if (CollectionUtils.isEmpty(accessTypes)) {
+ ret = true;
+ break;
+ }
}
}
- }
- if (CollectionUtils.isNotEmpty(accessTypes)) {
- LOG.info("Accesses : " + accessTypes + " are not authorized for the policy:[" + policy.getId() + "] by any of delegated-admin policies");
+ if (CollectionUtils.isNotEmpty(accessTypes)) {
+ LOG.info("Accesses : " + accessTypes + " are not authorized for the policy:[" + policy.getId() + "] by any of delegated-admin policies");
+ }
}
}
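Review bot: The new empty-accessTypes branch at the top of this hunk sets `ret = true` without consulting a single evaluator, and it is reached not only for a policy that genuinely carries no accesses but also whenever getAllAccessTypes() takes its unknown-policy-type error path and hands back an empty set, so an unrecognised policy type fails open here. If the delegate-admin resource check happens earlier in this method (its start is outside the hunk) the shortcut is defensible for truly empty policies, but the error path should not be able to reach it; the caller needs to be able to distinguish "no accesses" from "could not determine accesses" and deny on the latter. At minimum the INFO line reads as an unconditional grant; `LOG.debug("No access-types in policy:[" + policy.getId() + "]; no additional delegate-admin check needed");` states what is actually happening. The loop also mutates the set returned by getAllAccessTypes() via removeAll, which presumably is a fresh set per call — worth a one-line comment so nobody later returns a cached or shared collection from it.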
@@ -513,29 +522,49 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin {
if (MapUtils.isNotEmpty(expandedAccesses)) {
- for (RangerPolicy.RangerPolicyItem item : policy.getPolicyItems()) {
- List<RangerPolicy.RangerPolicyItemAccess> accesses = item.getAccesses();
- for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
- ret.addAll(expandedAccesses.get(access.getType()));
+ Integer policyType = policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType();
+
+ if (policyType == RangerPolicy.POLICY_TYPE_ACCESS) {
+ for (RangerPolicy.RangerPolicyItem item : policy.getPolicyItems()) {
+ List<RangerPolicy.RangerPolicyItemAccess> accesses = item.getAccesses();
+ for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
+ ret.addAll(expandedAccesses.get(access.getType()));
+ }
}
- }
- for (RangerPolicy.RangerPolicyItem item : policy.getDenyPolicyItems()) {
- List<RangerPolicy.RangerPolicyItemAccess> accesses = item.getAccesses();
- for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
- ret.addAll(expandedAccesses.get(access.getType()));
+ for (RangerPolicy.RangerPolicyItem item : policy.getDenyPolicyItems()) {
+ List<RangerPolicy.RangerPolicyItemAccess> accesses = item.getAccesses();
+ for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
+ ret.addAll(expandedAccesses.get(access.getType()));
+ }
}
- }
- for (RangerPolicy.RangerPolicyItem item : policy.getAllowExceptions()) {
- List<RangerPolicy.RangerPolicyItemAccess> accesses = item.getAccesses();
- for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
- ret.addAll(expandedAccesses.get(access.getType()));
+ for (RangerPolicy.RangerPolicyItem item : policy.getAllowExceptions()) {
+ List<RangerPolicy.RangerPolicyItemAccess> accesses = item.getAccesses();
+ for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
+ ret.addAll(expandedAccesses.get(access.getType()));
+ }
}
- }
- for (RangerPolicy.RangerPolicyItem item : policy.getDenyExceptions()) {
- List<RangerPolicy.RangerPolicyItemAccess> accesses = item.getAccesses();
- for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
- ret.addAll(expandedAccesses.get(access.getType()));
+ for (RangerPolicy.RangerPolicyItem item : policy.getDenyExceptions()) {
+ List<RangerPolicy.RangerPolicyItemAccess> accesses = item.getAccesses();
+ for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
+ ret.addAll(expandedAccesses.get(access.getType()));
+ }
+ }
+ } else if (policyType == RangerPolicy.POLICY_TYPE_DATAMASK) {
+ for (RangerPolicy.RangerPolicyItem item : policy.getDataMaskPolicyItems()) {
+ List<RangerPolicy.RangerPolicyItemAccess> accesses = item.getAccesses();
+ for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
+ ret.addAll(expandedAccesses.get(access.getType()));
+ }
+ }
+ } else if (policyType == RangerPolicy.POLICY_TYPE_ROWFILTER) {
+ for (RangerPolicy.RangerPolicyItem item : policy.getRowFilterPolicyItems()) {
+ List<RangerPolicy.RangerPolicyItemAccess> accesses = item.getAccesses();
+ for (RangerPolicy.RangerPolicyItemAccess access : accesses) {
+ ret.addAll(expandedAccesses.get(access.getType()));
+ }
}
+ } else {
+ LOG.error("Unknown policy-type :[" + policyType + "], returning empty access-type set");
}
}
return ret;
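Review bot: The new `else` branch logs an error for an unknown policy type but still returns an empty set, and the caller in this same class treats an empty access-type set as "nothing to check" and grants admin access, so a malformed or future policy type fails open rather than closed. Prefer to fail explicitly, e.g. `throw new IllegalArgumentException("Unknown policy-type:[" + policyType + "] for policy:[" + policy.getId() + "]");`, or return null and have the caller deny on null. Separately, `ret.addAll(expandedAccesses.get(access.getType()))` — a pre-existing pattern that the commit now also applies to the datamask and rowfilter items — throws NullPointerException when an access type is not a key of expandedAccesses; guarding the lookup result for null before addAll (and logging the unknown access type) would be safer than surfacing an NPE from an authorization check. The method's opening lines and closing brace are outside this hunk.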