Posted to commits@ranger.apache.org by ve...@apache.org on 2019/08/01 18:45:40 UTC

[ranger] 01/02: RANGER-2517: UI changes for policy to implicitly deny all accesses not explicitly allowed by it.

This is an automated email from the ASF dual-hosted git repository.

vel pushed a commit to branch ranger-2.0
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit 77e70cbbc29c23657d41a231927d559cc349aead
Author: Nitin Galave <ni...@apache.org>
AuthorDate: Wed Jul 31 18:29:08 2019 +0530

    RANGER-2517: UI changes for policy to implicitly deny all accesses not explicitly allowed by it.
    
    (cherry picked from commit 630d4b7cd112094df1ac9fe55261c112094a9d97)
---
 .../webapp/scripts/modules/globalize/message/en.js |  1 +
 .../scripts/views/policies/RangerPolicyForm.js     | 50 +++++++++++++++++++---
 .../scripts/views/policies/RangerPolicyRO.js       | 11 ++++-
 security-admin/src/main/webapp/styles/xa.css       |  6 +++
 .../templates/policies/RangerPolicyForm_tmpl.html  |  6 +++
 .../templates/policies/RangerPolicyRO_tmpl.html    | 42 ++++++++++++------
 6 files changed, 95 insertions(+), 21 deletions(-)

diff --git a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
index 8078829..c320fdb 100644
--- a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
+++ b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
@@ -64,6 +64,7 @@ define(function(require) {
 				groups 						: 'Groups',
 				group 						: 'Groups',
 				auditLogging 				: 'Audit Logging',
+				isDenyAllElse				: 'Deny All Other Accesses',
 				encrypted 					: 'Encrypt',
 				resourceType 				: 'Resource Type',
 				description 				: 'Description',
diff --git a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js
index a862dde..e2bd6ed 100644
--- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js
+++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js
@@ -113,7 +113,8 @@ define(function(require){
 			'allowExcludePerm' : '[data-js="allowExcludePerm"]',
       		'policyTimeBtn'      : '[data-js="policyTimeBtn"]',
 			'policyConditions' : '[data-js="customPolicyConditions"]',
-            'conditionData' : '[data-id="conditionData"]'
+            'conditionData' : '[data-id="conditionData"]',
+            'isDenyAllElse' : '[data-js="isDenyAllElse"]',
 		},
 		/** fields for the form
 		*/
@@ -142,10 +143,13 @@ define(function(require){
                         if(!_.isUndefined(this.initilializePathPlugin) && this.initilializePathPlugin){
 				this.initializePathPlugins(this.pathPluginOpts);
 			}
-			this.renderCustomFields();
+			if(XAUtil.isAccessPolicy(this.model.get('policyType'))){
+				this.evdenyAccessChange();
+			}
 			if(!this.model.isNew()){
 				this.setUpSwitches();
 			}
+			this.renderCustomFields();
 			//checkParent
 			this.renderParentChildHideShow();
 
@@ -321,6 +325,22 @@ define(function(require){
 		evIsEnabledChange : function(form, fieldEditor){
 			XAUtil.checkDirtyFieldForToggle(fieldEditor.$el);
 		},
+		evdenyAccessChange : function(){
+			var that =this;
+			this.$el.find(this.ui.isDenyAllElse).toggles({
+			    	on : that.model.has('isDenyAllElse') ? that.model.get('isDenyAllElse') : false,
+			    	text : {on : 'True', off : 'False' },
+			    	width : 80,
+			}).on('click', function(e){
+				XAUtil.checkDirtyFieldForToggle(that.$el.find(that.ui.isDenyAllElse));
+				if(that.$el.find(that.ui.isDenyAllElse).find('.toggle-slide').hasClass('active')) {
+					that.$el.find(that.ui.denyConditionItems).hide();
+				} else {
+					that.$el.find(that.ui.denyConditionItems).show();
+				}
+			});
+
+		},
 		setupForm : function() {
 			if(!this.model.isNew()){
 				this.selectedResourceTypes = {};
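Review bot: The deny-all state is read back from the `.toggle-slide` element's `active` class inside the click handler, and the same DOM probe is repeated in the hunks at new lines 413 and 601, so the saved value of a security-relevant policy flag depends on a plugin's internal markup in three places. A single helper such as `isDenyAllElseOn : function(){ return this.$el.find(this.ui.isDenyAllElse).find('.toggle-slide').hasClass('active'); }` would keep that assumption in one spot. Whether dragging the switch also raises `click` is not visible here; if it does not, the deny-condition block can fall out of step with the switch. The name would also read better as `evDenyAccessChange`, matching `evIsEnabledChange` just above.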
@@ -393,7 +413,10 @@ define(function(require){
 			if( !enableDenyAndExceptionsInPolicies ){
 				this.$el.find(this.ui.allowExcludePerm).hide();
 				this.$el.find(this.ui.denyConditionItems).remove();
-			} 
+			}
+			if(enableDenyAndExceptionsInPolicies && this.$el.find(this.ui.isDenyAllElse).find('.toggle-slide').hasClass('active')){
+				this.$el.find(this.ui.denyConditionItems).hide();
+			}
 	
                         that.$('[data-customfields="groupPerms"]').html(new PermissionList({
                                 collection : that.formInputList,
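Review bot: The `!enableDenyAndExceptionsInPolicies` branch above removes `denyConditionItems` but leaves the new switch alone, and in the form template the `isDenyAllElse` switch sits in its own `<div>` before that block. Unless the switch lives inside the `allowExcludePerm` container (not shown in this hunk), a service definition with deny rules disabled would still display it and save `isDenyAllElse` from it. If that is not intended, hide it in the same branch, for example `this.$el.find(this.ui.isDenyAllElse).closest('.toggle-xa').hide();`. The function continues outside the hunk.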
@@ -578,10 +601,20 @@ define(function(require){
 			}else if( XAUtil.isRowFilterPolicy(this.model.get('policyType')) ){
 				this.model.set('rowFilterPolicyItems', this.setPermissionsToColl(this.formInputList, new RangerPolicyItem()));
 			}else{
+	            if(this.$el.find(this.ui.isDenyAllElse).find('.toggle-slide').hasClass('active')) {
+	            	this.model.set('isDenyAllElse',true);
+	            } else {
+	            	this.model.set('isDenyAllElse',false);
+	            }
 				this.model.set('policyItems', this.setPermissionsToColl(this.formInputList, new RangerPolicyItem()));
-				this.model.set('denyPolicyItems', this.setPermissionsToColl(this.formInputDenyList, new RangerPolicyItem()));
 				this.model.set('allowExceptions', this.setPermissionsToColl(this.formInputAllowExceptionList, new RangerPolicyItem()));
-				this.model.set('denyExceptions', this.setPermissionsToColl(this.formInputDenyExceptionList, new RangerPolicyItem()));
+				if(!this.model.get('isDenyAllElse')){
+					this.model.set('denyPolicyItems', this.setPermissionsToColl(this.formInputDenyList, new RangerPolicyItem()));
+					this.model.set('denyExceptions', this.setPermissionsToColl(this.formInputDenyExceptionList, new RangerPolicyItem()));
+				}else{
+					this.model.set('denyPolicyItems',[]);
+					this.model.set('denyExceptions',[]);
+				}
 			}
 			this.model.set('service',this.rangerService.get('name'));
             var policyName = this.model.get('name');
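Review bot: Saving with the switch on overwrites `denyPolicyItems` and `denyExceptions` with `[]`, so explicit deny rules already stored on the policy are discarded without any prompt and are not restored by switching it off later. A comment at that `else` branch, `// isDenyAllElse replaces explicit deny rules: stored denyPolicyItems/denyExceptions are dropped on save`, and a confirmation before the save would make the consequence visible to the administrator. This handling is client-side only; the server presumably needs its own rule for a policy that arrives with both the flag and deny items, which this diff does not show. The five-line `if`/`else` that sets the flag can be `this.model.set('isDenyAllElse', this.$el.find(this.ui.isDenyAllElse).find('.toggle-slide').hasClass('active'));`. The enclosing function starts before the hunk.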
@@ -592,6 +625,7 @@ define(function(require){
                         if(this.model.has('policyPriority')){
                                 this.model.set('policyPriority', this.model.get('policyPriority') ? 1 : 0);
                         }
+
 		},
 		setPermissionsToColl : function(list, policyItemList) {
 			list.each(function(m){
@@ -917,7 +951,11 @@ define(function(require){
 			return obj;
 		},
 		getPolicyBaseFieldNames : function(){
-                        return ['description','isAuditEnabled'];
+			var baseField = ['description','isAuditEnabled', 'isDenyAllElse'];
+			if(XAUtil.isMaskingPolicy(this.model.get('policyType')) || XAUtil.isRowFilterPolicy(this.model.get('policyType'))){
+				baseField = _.without(baseField, 'isDenyAllElse');
+			}
+			return baseField;
 		},
 		getResources : function(){
 			if(XAUtil.isMaskingPolicy(this.model.get('policyType'))){
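Review bot: `getPolicyBaseFieldNames` decides by excluding masking and row-filter policies, while the switch itself is only initialised in the render hunk when `XAUtil.isAccessPolicy(...)` is true, so the two conditions can drift apart if another policy type is added. Assuming `isAccessPolicy` is true for the default policy type, the same predicate keeps them aligned: `return XAUtil.isAccessPolicy(this.model.get('policyType')) ? ['description','isAuditEnabled','isDenyAllElse'] : ['description','isAuditEnabled'];`.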
diff --git a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js
index e9fcd7d..af024e2 100644
--- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js
+++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js
@@ -49,7 +49,8 @@ define(function(require) {
 			return {
 				PolicyDetails: this.policyDetails,
                 isDelegatAdmin: isDelegatAdminChk,
-                policyType: policyType.label
+                policyType: policyType.label,
+                isDenyAllElse : this.policy.has('isDenyAllElse') && !_.isUndefined(this.policy.get('isDenyAllElse')) ? true : false,
 			};
 		},
 
@@ -177,6 +178,9 @@ define(function(require) {
             if(this.policy.has('conditions') && this.policy.get('conditions').length > 0 && self.serviceDef){
                 details.conditions = XAUtils.getPolicyConditionDetails(this.policy.get('conditions'), self.serviceDef);
             }
+            if(this.policy.has('isDenyAllElse')) {
+            	details.isDenyAllElse = this.policy.get('isDenyAllElse') ? 'TRUE' : 'FALSE';
+            }
 			//get policyItems
 			this.createPolicyItems();
 			
@@ -198,6 +202,11 @@ define(function(require) {
                 items.push({'itemName': 'allowExceptions',title : 'Exclude from Allow Conditions'},
                           {'itemName': 'denyPolicyItems',title : 'Deny Condition'},
                           {'itemName': 'denyExceptions',title : 'Exclude from Deny Conditions'});
+                if(this.policy.has('isDenyAllElse') && this.policy.get('isDenyAllElse')){
+                	items = _.reject(items, function(m){
+                		return m.itemName == 'denyPolicyItems' || m.itemName == 'denyExceptions'
+                	})
+                }
             }
 			_.each(items, function(item){
                 if(!_.isUndefined(this.policy.get(item.itemName))){
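Review bot: The read-only view drops the deny sections on the flag alone, so a policy that carries `isDenyAllElse` together with non-empty `denyPolicyItems` or `denyExceptions` (for instance one not saved through this form) would be shown to a reviewer without its deny rules. Rejecting a section only when its list is empty, by adding `&& _.isEmpty(this.policy.get(m.itemName))` and passing `this` as the context argument of `_.reject`, keeps the view faithful to the stored policy. `this.policy.has('isDenyAllElse') &&` is redundant before the `get`, the comparisons should use `===`, and the two statements lack their terminating semicolons. The enclosing function starts and ends outside the hunk.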
diff --git a/security-admin/src/main/webapp/styles/xa.css b/security-admin/src/main/webapp/styles/xa.css
index 3f39024..ee637d2 100644
--- a/security-admin/src/main/webapp/styles/xa.css
+++ b/security-admin/src/main/webapp/styles/xa.css
@@ -2807,3 +2807,9 @@ div#zoneServiceAccordion table thead {
   padding: 9px 15px;
   background-color: white;
 }
+
+.deny-all-else {
+  margin-top: 16px;
+  margin-bottom: 15px;
+  padding: 9px 0;
+}
diff --git a/security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html b/security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html
index 7436829..ffea44d 100644
--- a/security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html
+++ b/security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html
@@ -101,6 +101,12 @@ language governing permissions and limitations under the License. --}}
 				{{/compare}}
 			</div>
 			{{#compare "Allow" "eq" conditionType}}
+				<div>
+					<div class="toggle-xa control-group">
+						<label class="control-label"> Deny All Other Accesses : </label>
+						<div data-js="isDenyAllElse" class="toggle controls"></div>
+					</div>
+				</div>
 				<div data-js="denyConditionItems">
 					<p class="wrap-header bold formHeader">Deny Conditions :</p>
 					&nbsp;
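Review bot: The label is hard-coded as `Deny All Other Accesses :` although this commit adds the `isDenyAllElse` message to `en.js` and the read-only template already renders it through `{{tt 'lbl.isDenyAllElse'}}`. Use the same lookup here, `<label class="control-label">{{tt 'lbl.isDenyAllElse'}} : </label>`, so the form and the read-only view cannot diverge and the text stays translatable.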
diff --git a/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html b/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html
index f8c6bce..c36dc26 100644
--- a/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html
+++ b/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html
@@ -66,6 +66,20 @@
           <span class="label label-inverse pull-right">{{PolicyDetails.isEnabled}}</span>
         </td>
       </tr>
+      <tr>
+        <td>
+          {{tt 'lbl.policyLabels'}}
+        </td>
+        <td>
+        {{#ifCond PolicyDetails.policyLabels.length '==' "0"}}
+          --
+        {{else}}
+          {{#each PolicyDetails.policyLabels}}
+            <span class="label label-inverse ">{{this}}</span>
+          {{/each}}
+        {{/ifCond}}
+        </td>
+      </tr>
       {{#each PolicyDetails.resources}}
       <tr>
         <td>
@@ -102,20 +116,6 @@
           <span class="label label-info">{{PolicyDetails.isAuditEnabled}}</span>
         </td>
       </tr>
-      <tr>
-        <td>
-          {{tt 'lbl.policyLabels'}}
-        </td>
-        <td>
-        {{#ifCond PolicyDetails.policyLabels.length '==' "0"}}
-                --
-        {{else}}
-                        {{#each PolicyDetails.policyLabels}}
-                                <span class="label label-inverse ">{{this}}</span>
-                        {{/each}}
-        {{/ifCond}}
-        </td>
-      </tr>
         <tr>
             {{#if PolicyDetails.zoneName}}
                 <td>{{tt 'lbl.zoneName'}}</td>
@@ -267,6 +267,20 @@
 	    </tbody>
 	  </table>
 	</div>
+  {{#compare "Exclude from Allow Conditions" "eq" this.title}}
+    {{#if ../../isDenyAllElse}}
+      <div class="deny-all-else">
+        <tr>
+          <td>
+            <b>{{tt 'lbl.isDenyAllElse'}} : </b>
+          </td>
+          <td>
+            <span class="label label-inverse">{{ ../../../  PolicyDetails.isDenyAllElse}}</span>
+          </td>
+        </tr>
+      </div>
+    {{/if}}
+  {{/compare}}
 {{/each}}
 <div class="updateInfo row-fluid">
   <div class="pull-left">
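Review bot: The added `<tr>`/`<td>` elements sit inside `<div class="deny-all-else">` after the closing `</table>`, which is not valid table markup, and browsers typically discard the row and cell tags; a plain `<b>` and `<span>` inside the div would render the same content reliably. The block is also keyed on the display string `"Exclude from Allow Conditions"`, so rewording that title in `RangerPolicyRO.js` silently removes the row; comparing on `itemName`, if it is passed to the template, would be sturdier. The `isDenyAllElse` helper in `RangerPolicyRO.js` is true whenever the attribute is present, so this row also renders for `FALSE`, and Backbone's `has()` already excludes undefined, which makes the `_.isUndefined` test there redundant. The enclosing `{{#each}}` opens outside the hunk.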