Posted to commits@ranger.apache.org by ma...@apache.org on 2021/09/07 17:52:13 UTC
[ranger] branch ranger-2.2 updated: RANGER-3402: updated
getResourceACLs() to avoid references to collections in RangerPolicy
This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.2 by this push:
new 1bf7a8c RANGER-3402: updated getResourceACLs() to avoid references to collections in RangerPolicy
1bf7a8c is described below
commit 1bf7a8c76a2d6d4616307052733f42ac65b8ea47
Author: Madhan Neethiraj <ma...@apache.org>
AuthorDate: Tue Sep 7 08:42:12 2021 -0700
RANGER-3402: updated getResourceACLs() to avoid references to collections in RangerPolicy
(cherry picked from commit 43e3e833cc2a03c4e5ab92e6e41c04847d7193a6)
---
.../apache/ranger/plugin/model/RangerPolicy.java | 10 ++++++
.../policyengine/RangerPolicyEngineImpl.java | 38 +++++++++++++++++++---
2 files changed, 44 insertions(+), 4 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
index cca18ca..ea40999 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
@@ -1552,6 +1552,12 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
setValueExpr(valueExpr);
}
+ public RangerPolicyItemDataMaskInfo(RangerPolicyItemDataMaskInfo that) {
+ this.dataMaskType = that.dataMaskType;
+ this.conditionExpr = that.conditionExpr;
+ this.valueExpr = that.valueExpr;
+ }
+
public String getDataMaskType() {
return dataMaskType;
}
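Review bot: The new copy constructor dereferences `that` without a null check, and its only visible caller, `copyDataMask()` in RangerPolicyEngineImpl, passes `dataMask.getMaskInfo()` straight in while the string sets go through the null-tolerant `copyStrings()`. Whether a DataMaskResult can carry a null mask info is not visible in this diff, but if it can, getResourceACLs() would now throw instead of returning ACLs. Guarding at the call site would keep the helper consistent, e.g. `maskInfo != null ? new RangerPolicyItemDataMaskInfo(maskInfo) : null`. The same applies to `RangerPolicyItemRowFilterInfo(RangerPolicyItemRowFilterInfo that)` in the next hunk and its use in `copyRowFilter()`. The constructor also assigns fields directly where the neighbouring constructor goes through setters such as `setValueExpr()`, which is fine only if those setters do no normalisation; this hunk does not show them.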
@@ -1651,6 +1657,10 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
setFilterExpr(filterExpr);
}
+ public RangerPolicyItemRowFilterInfo(RangerPolicyItemRowFilterInfo that) {
+ this.filterExpr = that.filterExpr;
+ }
+
public String getFilterExpr() {
return filterExpr;
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index c92b550..b6ab72c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -30,6 +30,8 @@ import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.contextenricher.RangerTagForEval;
import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult;
import org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult;
@@ -1230,9 +1232,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
boolean isConditional = policyIdForTemporalTags.contains(evaluator.getId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;
for (RowFilterResult rowFilterResult : aclSummary.getRowFilters()) {
- if (isConditional && !rowFilterResult.getIsConditional()) {
- rowFilterResult = new RowFilterResult(rowFilterResult);
+ rowFilterResult = copyRowFilter(rowFilterResult);
+ if (isConditional) {
rowFilterResult.setIsConditional(true);
}
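Review bot: The unconditional `copyRowFilter(rowFilterResult)` at the top of the loop has no comment saying why every entry is copied, so a later cleanup could restore the old conditional copy and bring back results that share collections with the evaluator's ACL summary. A one-line comment would pin the intent: `// always copy: results returned by getResourceACLs() must not reference collections held by the policy`. The same comment fits the `copyDataMask(dataMaskResult)` call in the data-mask loop of the following hunk. The loop body continues outside this hunk.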
@@ -1248,9 +1250,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
boolean isConditional = policyIdForTemporalTags.contains(evaluator.getId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;
for (DataMaskResult dataMaskResult : aclSummary.getDataMasks()) {
- if (isConditional && !dataMaskResult.getIsConditional()) {
- dataMaskResult = new DataMaskResult(dataMaskResult);
+ dataMaskResult = copyDataMask(dataMaskResult);
+ if (isConditional) {
dataMaskResult.setIsConditional(true);
}
@@ -1259,6 +1261,34 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
}
+ private DataMaskResult copyDataMask(DataMaskResult dataMask) {
+ DataMaskResult ret = new DataMaskResult(copyStrings(dataMask.getUsers()),
+ copyStrings(dataMask.getGroups()),
+ copyStrings(dataMask.getRoles()),
+ copyStrings(dataMask.getAccessTypes()),
+ new RangerPolicyItemDataMaskInfo(dataMask.getMaskInfo()));
+
+ ret.setIsConditional(dataMask.getIsConditional());
+
+ return ret;
+ }
+
+ private RowFilterResult copyRowFilter(RowFilterResult rowFilter) {
+ RowFilterResult ret = new RowFilterResult(copyStrings(rowFilter.getUsers()),
+ copyStrings(rowFilter.getGroups()),
+ copyStrings(rowFilter.getRoles()),
+ copyStrings(rowFilter.getAccessTypes()),
+ new RangerPolicyItemRowFilterInfo(rowFilter.getFilterInfo()));
+
+ ret.setIsConditional(rowFilter.getIsConditional());
+
+ return ret;
+ }
+
+ private Set<String> copyStrings(Set<String> values) {
+ return values != null ? new HashSet<>(values) : null;
+ }
+
private static class ServiceConfig {
private final Set<String> auditExcludedUsers;
private final Set<String> auditExcludedGroups;
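Review bot: `copyDataMask()` and `copyRowFilter()` are private deep-copy helpers here, while the copy constructors used by the removed lines (`new DataMaskResult(dataMaskResult)`, `new RowFilterResult(rowFilterResult)`) stay as they were. Presumably those constructors copy references only, so any other caller of them would still get results aliased to policy-owned sets. Moving the deep copy into those constructors on RangerResourceACLs would cover every caller at once; that class is outside this diff, so this is something to check rather than a confirmed gap. Separately, `copyStrings()` uses no instance state and could be `private static`, and each helper would benefit from a short Javadoc stating that the returned object shares no mutable collection with its argument.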