Posted to commits@ranger.apache.org by ma...@apache.org on 2021/09/07 17:52:13 UTC

[ranger] branch ranger-2.2 updated: RANGER-3402: updated getResourceACLs() to avoid references to collections in RangerPolicy

This is an automated email from the ASF dual-hosted git repository.

madhan pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.2 by this push:
     new 1bf7a8c  RANGER-3402: updated getResourceACLs() to avoid references to collections in RangerPolicy
1bf7a8c is described below

commit 1bf7a8c76a2d6d4616307052733f42ac65b8ea47
Author: Madhan Neethiraj <ma...@apache.org>
AuthorDate: Tue Sep 7 08:42:12 2021 -0700

    RANGER-3402: updated getResourceACLs() to avoid references to collections in RangerPolicy
    
    (cherry picked from commit 43e3e833cc2a03c4e5ab92e6e41c04847d7193a6)
---
 .../apache/ranger/plugin/model/RangerPolicy.java   | 10 ++++++
 .../policyengine/RangerPolicyEngineImpl.java       | 38 +++++++++++++++++++---
 2 files changed, 44 insertions(+), 4 deletions(-)

diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
index cca18ca..ea40999 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
@@ -1552,6 +1552,12 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
 			setValueExpr(valueExpr);
 		}
 
+		public RangerPolicyItemDataMaskInfo(RangerPolicyItemDataMaskInfo that) {
+			this.dataMaskType  = that.dataMaskType;
+			this.conditionExpr = that.conditionExpr;
+			this.valueExpr     = that.valueExpr;
+		}
+
 		public String getDataMaskType() {
 			return dataMaskType;
 		}
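Review bot: The new copy constructor dereferences `that` without a null check, and the same applies to `RangerPolicyItemRowFilterInfo(RangerPolicyItemRowFilterInfo that)` in the next hunk. The callers added in RangerPolicyEngineImpl pass `dataMask.getMaskInfo()` and `rowFilter.getFilterInfo()` straight in, so if either getter can return null (not visible from this diff) `getResourceACLs()` would throw a NullPointerException part-way through building the ACLs. I would guard at the call site, e.g. `dataMask.getMaskInfo() != null ? new RangerPolicyItemDataMaskInfo(dataMask.getMaskInfo()) : null`, or wrap the assignments in `if (that != null) { ... }` in both constructors. A one-line Javadoc stating that the constructor copies `dataMaskType`, `conditionExpr` and `valueExpr` by direct field assignment would also help, since the neighbouring constructor goes through the setters. The enclosing class starts and ends outside the hunk.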
@@ -1651,6 +1657,10 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
 			setFilterExpr(filterExpr);
 		}
 
+		public RangerPolicyItemRowFilterInfo(RangerPolicyItemRowFilterInfo that) {
+			this.filterExpr = that.filterExpr;
+		}
+
 		public String getFilterExpr() {
 			return filterExpr;
 		}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index c92b550..b6ab72c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -30,6 +30,8 @@ import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
 import org.apache.ranger.authorization.utils.StringUtil;
 import org.apache.ranger.plugin.contextenricher.RangerTagForEval;
 import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.policyengine.RangerResourceACLs.DataMaskResult;
 import org.apache.ranger.plugin.policyengine.RangerResourceACLs.RowFilterResult;
@@ -1230,9 +1232,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			boolean isConditional = policyIdForTemporalTags.contains(evaluator.getId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;
 
 			for (RowFilterResult rowFilterResult : aclSummary.getRowFilters()) {
-				if (isConditional && !rowFilterResult.getIsConditional()) {
-					rowFilterResult = new RowFilterResult(rowFilterResult);
+				rowFilterResult = copyRowFilter(rowFilterResult);
 
+				if (isConditional) {
 					rowFilterResult.setIsConditional(true);
 				}
 
@@ -1248,9 +1250,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			boolean isConditional = policyIdForTemporalTags.contains(evaluator.getId()) || evaluator.getValidityScheduleEvaluatorsCount() != 0;
 
 			for (DataMaskResult dataMaskResult : aclSummary.getDataMasks()) {
-				if (isConditional && !dataMaskResult.getIsConditional()) {
-					dataMaskResult = new DataMaskResult(dataMaskResult);
+				dataMaskResult = copyDataMask(dataMaskResult);
 
+				if (isConditional) {
 					dataMaskResult.setIsConditional(true);
 				}
 
@@ -1259,6 +1261,34 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 		}
 	}
 
+	private DataMaskResult copyDataMask(DataMaskResult dataMask) {
+		DataMaskResult ret = new DataMaskResult(copyStrings(dataMask.getUsers()),
+												copyStrings(dataMask.getGroups()),
+												copyStrings(dataMask.getRoles()),
+												copyStrings(dataMask.getAccessTypes()),
+												new RangerPolicyItemDataMaskInfo(dataMask.getMaskInfo()));
+
+		ret.setIsConditional(dataMask.getIsConditional());
+
+		return ret;
+	}
+
+	private RowFilterResult copyRowFilter(RowFilterResult rowFilter) {
+		RowFilterResult ret = new RowFilterResult(copyStrings(rowFilter.getUsers()),
+												  copyStrings(rowFilter.getGroups()),
+												  copyStrings(rowFilter.getRoles()),
+												  copyStrings(rowFilter.getAccessTypes()),
+												  new RangerPolicyItemRowFilterInfo(rowFilter.getFilterInfo()));
+
+		ret.setIsConditional(rowFilter.getIsConditional());
+
+		return ret;
+	}
+
+	private Set<String> copyStrings(Set<String> values) {
+		return values != null ? new HashSet<>(values) : null;
+	}
+
 	private static class ServiceConfig {
 		private final Set<String> auditExcludedUsers;
 		private final Set<String> auditExcludedGroups;
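Review bot: `copyDataMask`, `copyRowFilter` and `copyStrings` have no comment saying why a deep copy is needed, which makes it easy for a later change to reintroduce sharing. Going by the commit title, the copies stop the returned ACL results from holding the same `Set` instances as the `RangerPolicy` objects, so that a caller mutating a result cannot alter the policy data that later authorization decisions are evaluated against. I would add above `copyStrings` something like `// defensive copy: results handed to callers must not share mutable sets with RangerPolicy; null stays null`. None of the three helpers reads instance state in the lines shown, so they could be declared `private static`. The `ServiceConfig` class that follows continues outside the hunk.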