Posted to commits@ranger.apache.org by ab...@apache.org on 2019/08/28 23:21:56 UTC
[ranger] branch master updated: RANGER-2548: Ranger-admin updates
to ensure owner information in GrantRevokeData is correctly consumed
This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new b2cebfd RANGER-2548: Ranger-admin updates to ensure owner information in GrantRevokeData is correctly consumed
b2cebfd is described below
commit b2cebfd75f7c813651a37db76dc85a67e5e5536e
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Wed Aug 28 16:15:42 2019 -0700
RANGER-2548: Ranger-admin updates to ensure owner information in GrantRevokeData is correctly consumed
---
.../policyengine/RangerPolicyEngineImpl.java | 20 ++++++++--
.../policyengine/RangerTagAccessRequest.java | 6 +++
.../RangerDefaultPolicyEvaluator.java | 44 +++++++++-------------
.../RangerDefaultPolicyItemEvaluator.java | 21 +++++------
.../RangerOptimizedPolicyEvaluator.java | 12 +++---
.../policyevaluator/RangerPolicyItemEvaluator.java | 2 +-
.../ranger/plugin/service/RangerAuthContext.java | 7 ++++
.../plugin/util/RangerAccessRequestUtil.java | 5 ++-
.../java/org/apache/ranger/rest/ServiceREST.java | 12 ++----
9 files changed, 70 insertions(+), 59 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index daa62f4..51cd658 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -439,6 +439,12 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
RangerAccessRequestUtil.setCurrentUserRolesInContext(request.getContext(), roles);
}
+ String owner = request.getResource() != null ? request.getResource().getOwnerUser() : null;
+
+ if (StringUtils.isNotEmpty(owner)) {
+ RangerAccessRequestUtil.setOwnerInContext(request.getContext(), owner);
+ }
+
List<RangerContextEnricher> enrichers = allContextEnrichers;
if(!CollectionUtils.isEmpty(enrichers)) {
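Review bot: The owner stored in the context here is whatever the plugin put into `request.getResource().getOwnerUser()`, and because owner matching in this commit grants access, that value must come from the data store's ownership metadata and never from anything the requesting client can influence; that trust assumption is worth stating on the spot, e.g. `// owner must be populated by the plugin from the resource's ownership metadata, never from client-supplied request data`. Note also that the token is written only when the owner is non-empty and nothing clears it, so if a context map is ever reused across requests (not visible here) the previous owner survives into the next evaluation. The enclosing method starts before this hunk.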
@@ -879,7 +885,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
/*
- * This API is used by ranger-admin
+ * This API is used by ranger-admin - kept for backward compatibility
*/
@Override
@@ -897,6 +903,10 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
return ret;
}
+ /*
+ * This API is used by ranger-admin
+ */
+
@Override
public boolean isAccessAllowed(RangerPolicy policy, String user, Set<String> userGroups, Set<String> roles, String accessType) {
if (LOG.isDebugEnabled()) {
@@ -1071,6 +1081,10 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
return ret;
}
+ /*
+ * This API is used by ranger-admin
+ */
+
@Override
public List<RangerPolicy> getMatchingPolicies(RangerAccessRequest request) {
if (LOG.isDebugEnabled()) {
@@ -1145,7 +1159,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
/*
- * This API is used by ranger-admin
+ * This API is used by plugin code, but never used
*/
@Override
@@ -1219,7 +1233,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
/*
- * This API is used by test-code; checks only policies within default security-zone
+ * This API is used only by test-code; checks only policies within default security-zone
*/
@Override
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
index cf590f9..ee605e8 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
@@ -20,6 +20,7 @@
package org.apache.ranger.plugin.policyengine;
+import org.apache.commons.lang.StringUtils;
import org.apache.ranger.plugin.contextenricher.RangerTagForEval;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
@@ -45,6 +46,11 @@ public class RangerTagAccessRequest extends RangerAccessRequestImpl {
RangerAccessRequestUtil.setCurrentResourceInContext(request.getContext(), request.getResource());
RangerAccessRequestUtil.setCurrentUserInContext(request.getContext(), request.getUser());
+ String owner = request.getResource() != null ? request.getResource().getOwnerUser() : null;
+
+ if (StringUtils.isNotEmpty(owner)) {
+ RangerAccessRequestUtil.setOwnerInContext(request.getContext(), owner);
+ }
super.setContext(requestContext);
super.setClientType(request.getClientType());
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index ecd6cb7..4c1402a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -54,7 +54,6 @@ import org.apache.ranger.plugin.policyengine.RangerTagAccessRequest;
import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
-import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.plugin.util.ServiceDefUtil;
@@ -340,10 +339,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + roles + ", " + accessType + ")");
}
- Map<String, Object> evalContext = new HashMap<>();
- RangerAccessRequestUtil.setCurrentUserInContext(evalContext, user);
-
- boolean ret = isAccessAllowed(user, userGroups, roles, accessType) && isMatch(resource, evalContext);
+ boolean ret = isAccessAllowed(user, userGroups, roles, resource.getOwnerUser(), accessType) && isMatch(resource, null);
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + roles + ", " + accessType + "): " + ret);
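Review bot: `resource.getOwnerUser()` on the changed line dereferences `resource` unconditionally, whereas before the change the object was only handed to `isMatch`; a null resource now throws NullPointerException before any matching happens (whether `isMatch` tolerated null is not visible here). The other call sites in this commit guard with a null check, and the same shape fits here: `String owner = resource != null ? resource.getOwnerUser() : null;` then `isAccessAllowed(user, userGroups, roles, owner, accessType)`. The enclosing method's signature is outside the hunk.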
@@ -362,10 +358,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")");
}
- Map<String, Object> evalContext = new HashMap<>();
- RangerAccessRequestUtil.setCurrentUserInContext(evalContext, user);
-
- boolean ret = isAccessAllowed(user, userGroups, null, accessType) && isMatch(resources, evalContext);
+ boolean ret = isAccessAllowed(user, userGroups, null, user, accessType) && isMatch(resources, null);
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
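Review bot: Passing `user` as the `owner` argument on the changed line makes every requester the owner of the resources being checked, so a policy item that names the resource-owner marker (the one `hasResourceOwner` detects in the item evaluator) now matches any user through this overload, where before this commit it could not match at all. This overload receives only a resource map and has no ownership information, so the fail-closed choice is `isAccessAllowed(user, userGroups, null, null, accessType)`; if the permissive behaviour is deliberate for ranger-admin, a comment on the line should say so. The enclosing method's signature is outside the hunk.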
@@ -380,10 +373,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + policy.getId() + ", " + user + ", " + userGroups + ", " + roles + ", " + accessType + ")");
}
- Map<String, Object> evalContext = new HashMap<>();
- RangerAccessRequestUtil.setCurrentUserInContext(evalContext, user);
-
- boolean ret = isAccessAllowed(user, userGroups, roles, accessType) && isMatch(policy, evalContext);
+ boolean ret = isAccessAllowed(user, userGroups, roles, user, accessType) && isMatch(policy, null);
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + policy.getId() + ", " + user + ", " + userGroups + ", " + roles + ", " + accessType + "): " + ret);
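Review bot: `user` is passed as the owner on the changed line, which treats the caller as the owner of every resource in `policy`; the engine-level `isAccessAllowed(RangerPolicy, ...)` that presumably routes here is commented as used by ranger-admin, so if this backs an admin-access check (`RangerPolicyEngine.ADMIN_ACCESS`), an item granting that access to the resource-owner marker would now grant it to anyone. Ownership cannot be derived from a `RangerPolicy`, so `isAccessAllowed(user, userGroups, roles, null, accessType)` is the safe default, and a test with an owner-marker policy item and a non-owner user would pin whichever behaviour is intended. The enclosing method's signature is outside the hunk.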
@@ -724,9 +714,9 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
return ret;
}
- protected RangerPolicyItemEvaluator getDeterminingPolicyItem(String user, Set<String> userGroups, Set<String> roles, String accessType) {
+ protected RangerPolicyItemEvaluator getDeterminingPolicyItem(String user, Set<String> userGroups, Set<String> roles, String owner, String accessType) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerDefaultPolicyEvaluator.getDeterminingPolicyItem(" + user + ", " + userGroups + ", " + roles + ", " + accessType + ")");
+ LOG.debug("==> RangerDefaultPolicyEvaluator.getDeterminingPolicyItem(" + user + ", " + userGroups + ", " + roles + ", " + owner + ", " + accessType + ")");
}
RangerPolicyItemEvaluator ret = null;
@@ -735,14 +725,14 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
* 1. if a deny matches without hitting any deny-exception, return that
* 2. if an allow matches without hitting any allow-exception, return that
*/
- ret = getMatchingPolicyItem(user, userGroups, roles, accessType, denyEvaluators, denyExceptionEvaluators);
+ ret = getMatchingPolicyItem(user, userGroups, roles, owner, accessType, denyEvaluators, denyExceptionEvaluators);
if(ret == null) {
- ret = getMatchingPolicyItem(user, userGroups, roles, accessType, allowEvaluators, allowExceptionEvaluators);
+ ret = getMatchingPolicyItem(user, userGroups, roles, owner, accessType, allowEvaluators, allowExceptionEvaluators);
}
if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerDefaultPolicyEvaluator.getDeterminingPolicyItem(" + user + ", " + userGroups + ", " + roles + ", " + accessType + "): " + ret);
+ LOG.debug("<== RangerDefaultPolicyEvaluator.getDeterminingPolicyItem(" + user + ", " + userGroups + ", " + roles + ", " + owner + ", " + accessType + "): " + ret);
}
return ret;
@@ -800,9 +790,9 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
return ret;
}
- protected boolean isAccessAllowed(String user, Set<String> userGroups, Set<String> roles, String accessType) {
+ protected boolean isAccessAllowed(String user, Set<String> userGroups, Set<String> roles, String owner, String accessType) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + roles + ", " + accessType + ")");
+ LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + roles + ", " + owner + ", " + accessType + ")");
}
boolean ret = false;
@@ -827,7 +817,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
LOG.debug("Using policyItemEvaluators for checking if access is allowed. PolicyId=[" + getId() +"]");
}
- RangerPolicyItemEvaluator item = this.getDeterminingPolicyItem(user, userGroups, roles, accessType);
+ RangerPolicyItemEvaluator item = this.getDeterminingPolicyItem(user, userGroups, roles, owner, accessType);
if (item != null && item.getPolicyItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW) {
ret = true;
@@ -837,7 +827,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
RangerPerfTracer.log(perf);
if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + roles + ", " + accessType + "): " + ret);
+ LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + roles + ", " + owner + ", " + accessType + "): " + ret);
}
return ret;
@@ -1166,16 +1156,16 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
return ret;
}
- private <T extends RangerPolicyItemEvaluator> T getMatchingPolicyItem(String user, Set<String> userGroups, Set<String> roles, String accessType, List<T> evaluators, List<T> exceptionEvaluators) {
+ private <T extends RangerPolicyItemEvaluator> T getMatchingPolicyItem(String user, Set<String> userGroups, Set<String> roles, String owner, String accessType, List<T> evaluators, List<T> exceptionEvaluators) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerDefaultPolicyEvaluator.getMatchingPolicyItem(" + user + ", " + userGroups + ", " + roles + ", " + accessType + ")");
+ LOG.debug("==> RangerDefaultPolicyEvaluator.getMatchingPolicyItem(" + user + ", " + userGroups + ", " + roles + ", " + owner + ", " + accessType + ")");
}
T ret = null;
if(CollectionUtils.isNotEmpty(evaluators)) {
for (T evaluator : evaluators) {
- if(evaluator.matchUserGroup(user, userGroups, roles) && evaluator.matchAccessType(accessType)) {
+ if(evaluator.matchUserGroupAndOwner(user, userGroups, roles, owner) && evaluator.matchAccessType(accessType)) {
ret = evaluator;
break;
@@ -1185,7 +1175,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
if(ret != null && CollectionUtils.isNotEmpty(exceptionEvaluators)) {
for (T exceptionEvaluator : exceptionEvaluators) {
- if(exceptionEvaluator.matchUserGroup(user, userGroups, roles) && exceptionEvaluator.matchAccessType(accessType)) {
+ if(exceptionEvaluator.matchUserGroupAndOwner(user, userGroups, roles, owner) && exceptionEvaluator.matchAccessType(accessType)) {
if(LOG.isDebugEnabled()) {
LOG.debug("RangerDefaultPolicyEvaluator.getMatchingPolicyItem(" + user + ", " + userGroups + ", " + accessType + "): found exception policyItem(" + exceptionEvaluator.getPolicyItem() + "); ignoring the matchedPolicyItem(" + ret.getPolicyItem() + ")");
}
@@ -1198,7 +1188,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerDefaultPolicyEvaluator.getMatchingPolicyItem(" + user + ", " + userGroups + ", " + roles + ", " + accessType + "): " + ret);
+ LOG.debug("<== RangerDefaultPolicyEvaluator.getMatchingPolicyItem(" + user + ", " + userGroups + ", " + roles + ", " + owner + ", " + accessType + "): " + ret);
}
return ret;
}
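Review bot: The `found exception policyItem` debug message in this hunk still prints only user, userGroups and accessType while the entry and exit messages were extended with roles and owner, so a trace of an owner-based exception omits exactly the inputs that decided it. Suggest the same argument list there: `"(" + user + ", " + userGroups + ", " + roles + ", " + owner + ", " + accessType + "): found exception policyItem("`.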
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
index 5bbbece..90d96d9 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
@@ -160,9 +160,9 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv
}
@Override
- public boolean matchUserGroup(String user, Set<String> userGroups, Set<String> roles) {
+ public boolean matchUserGroupAndOwner(String user, Set<String> userGroups, Set<String> roles, String owner) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerDefaultPolicyItemEvaluator.matchUserGroup(" + policyItem + ", " + user + ", " + userGroups + ", " + roles + ")");
+ LOG.debug("==> RangerDefaultPolicyItemEvaluator.matchUserGroup(" + policyItem + ", " + user + ", " + userGroups + ", " + roles + ", " + owner + ")");
}
boolean ret = false;
@@ -171,7 +171,6 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv
if(!ret && user != null && policyItem.getUsers() != null) {
ret = hasCurrentUser || policyItem.getUsers().contains(user);
}
-
if(!ret && userGroups != null && policyItem.getGroups() != null) {
ret = policyItem.getGroups().contains(RangerPolicyEngine.GROUP_PUBLIC) ||
!Collections.disjoint(policyItem.getGroups(), userGroups);
@@ -179,10 +178,13 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv
if (!ret && CollectionUtils.isNotEmpty(roles) && CollectionUtils.isNotEmpty(policyItem.getRoles())) {
ret = !Collections.disjoint(policyItem.getRoles(), roles);
}
+ if (!ret && hasResourceOwner) {
+ ret = user != null && user.equals(owner);
+ }
}
if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerDefaultPolicyItemEvaluator.matchUserGroup(" + policyItem + ", " + user + ", " + userGroups + ", " + roles + "): " + ret);
+ LOG.debug("<== RangerDefaultPolicyItemEvaluator.matchUserGroup(" + policyItem + ", " + user + ", " + userGroups + ", " + roles + ", " + owner + "): " + ret);
}
return ret;
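Review bot: The entry and exit debug messages in this hunk still name the method `matchUserGroup` although it was renamed to `matchUserGroupAndOwner`, which makes traces hard to correlate with the code; both should read `RangerDefaultPolicyItemEvaluator.matchUserGroupAndOwner(`. The new owner branch also depends on `hasResourceOwner`, which is computed outside this hunk, and a reader cannot tell why `owner` is trusted; a one-line comment such as `// item names the resource-owner marker: match when the caller-supplied owner is the requesting user` would make that explicit. The method's start is outside the hunk.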
@@ -198,20 +200,15 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv
String user = request.getUser();
Set<String> userGroups = request.getUserGroups();
- if (hasResourceOwner) {
- RangerAccessResource accessedResource = request.getResource();
- String resourceOwner = accessedResource != null ? accessedResource.getOwnerUser() : null;
+ RangerAccessResource accessedResource = request.getResource();
+ String resourceOwner = accessedResource != null ? accessedResource.getOwnerUser() : null;
- if (user != null && resourceOwner != null && user.equals(resourceOwner)) {
- ret = true;
- }
- }
if (!ret) {
Set<String> roles = null;
if (CollectionUtils.isNotEmpty(policyItem.getRoles())) {
roles = RangerAccessRequestUtil.getCurrentUserRolesFromContext(request.getContext());
}
- ret = matchUserGroup(user, userGroups, roles);
+ ret = matchUserGroupAndOwner(user, userGroups, roles, resourceOwner);
}
if(LOG.isDebugEnabled()) {
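Review bot: `resourceOwner` is read from `request.getResource()` here, but the rest of this commit deliberately stores the owner as a context token via `setOwnerInContext`, and `RangerTagAccessRequest` stores the original resource's owner while its own resource is the tag resource. If that tag resource carries no owner (not visible here), owner-marker items in tag policies will not match even though the context holds the owner. Consider a `getOwnerFromContext` accessor in `RangerAccessRequestUtil` and a fallback on the changed lines: `String resourceOwner = accessedResource != null ? accessedResource.getOwnerUser() : null;` followed by `if (resourceOwner == null) { resourceOwner = RangerAccessRequestUtil.getOwnerFromContext(request.getContext()); }`. The enclosing `isMatch` starts and ends outside the hunk.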
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
index 00c0d42..bac076c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
@@ -234,15 +234,15 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator
}
@Override
- protected boolean isAccessAllowed(String user, Set<String> userGroups, Set<String> roles, String accessType) {
+ protected boolean isAccessAllowed(String user, Set<String> userGroups, Set<String> roles, String owner, String accessType) {
if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + roles + ", " + accessType + ")");
+ LOG.debug("==> RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + roles + ", " + owner + ", " + accessType + ")");
}
- boolean ret = hasMatchablePolicyItem(user, userGroups, roles, accessType) && super.isAccessAllowed(user, userGroups, roles, accessType);
+ boolean ret = hasMatchablePolicyItem(user, userGroups, roles, owner, accessType) && super.isAccessAllowed(user, userGroups, roles, owner, accessType);
if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + roles + ", " + accessType + "): " + ret);
+ LOG.debug("<== RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + roles + ", " + owner + ", " + accessType + "): " + ret);
}
return ret;
@@ -281,7 +281,7 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator
return ret;
}
- private boolean hasMatchablePolicyItem(String user, Set<String> userGroups, Set<String> rolesFromContext, String accessType) {
+ private boolean hasMatchablePolicyItem(String user, Set<String> userGroups, Set<String> rolesFromContext, String owner, String accessType) {
boolean ret = false;
boolean hasRole = false;
@@ -291,7 +291,7 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator
}
}
- if (hasPublicGroup || hasCurrentUser || users.contains(user) || CollectionUtils.containsAny(groups, userGroups) || hasRole) {
+ if (hasPublicGroup || hasCurrentUser || users.contains(user) || CollectionUtils.containsAny(groups, userGroups) || hasRole || (hasResourceOwner && StringUtils.equals(user, owner))) {
boolean isAdminAccess = StringUtils.equals(accessType, RangerPolicyEngine.ADMIN_ACCESS);
if(isAdminAccess) {
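Review bot: The owner pre-check added to the `if (hasPublicGroup || ...)` condition uses `StringUtils.equals(user, owner)`, which is true when both are null, while `RangerDefaultPolicyItemEvaluator.matchUserGroupAndOwner` requires `user != null`. Since this method only gates a call to the stricter `super.isAccessAllowed`, the looser test cannot grant access by itself, but the two owner checks should agree so the fast path stays an exact pre-filter: `(hasResourceOwner && user != null && user.equals(owner))`. The enclosing method continues outside the hunk.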
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
index ec3950f..1a2ea4c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
@@ -53,7 +53,7 @@ public interface RangerPolicyItemEvaluator {
boolean isMatch(RangerAccessRequest request);
- boolean matchUserGroup(String user, Set<String> userGroups, Set<String> roles);
+ boolean matchUserGroupAndOwner(String user, Set<String> userGroups, Set<String> roles, String owner);
boolean matchAccessType(String accessType);
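Review bot: Renaming `matchUserGroup` to `matchUserGroupAndOwner` on a public interface removes the old method outright, so any `RangerPolicyItemEvaluator` implementation outside this repository stops compiling, and the commit text does not mention an API break. If the build targets Java 8 or later, a bridging default preserves compatibility: `default boolean matchUserGroup(String user, Set<String> userGroups, Set<String> roles) { return matchUserGroupAndOwner(user, userGroups, roles, null); }`. The new method also deserves a Javadoc line stating that `owner` may be null and is consulted only when the policy item names the resource-owner marker.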
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
index 02f3431..3d0f107 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
@@ -21,6 +21,7 @@ package org.apache.ranger.plugin.service;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
+import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
@@ -187,6 +188,12 @@ public class RangerAuthContext implements RangerPolicyEngine {
RangerAccessRequestUtil.setCurrentUserRolesInContext(request.getContext(), roles);
}
+ String owner = request.getResource() != null ? request.getResource().getOwnerUser() : null;
+
+ if (StringUtils.isNotEmpty(owner)) {
+ RangerAccessRequestUtil.setOwnerInContext(request.getContext(), owner);
+ }
+
if (MapUtils.isNotEmpty(requestContextEnrichers)) {
for (Map.Entry<RangerContextEnricher, Object> entry : requestContextEnrichers.entrySet()) {
if (entry.getValue() instanceof RangerContextEnricher && entry.getKey().equals(entry.getValue())) {
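Review bot: The owner-extraction block added here is the third verbatim copy in this commit (the others are in `RangerPolicyEngineImpl.preProcess` and `RangerTagAccessRequest`), and each copy must independently remember the null-resource guard and the non-empty check. A single overload, `RangerAccessRequestUtil.setOwnerInContext(Map<String, Object> context, RangerAccessResource resource)`, that does that handling once would turn the three call sites into one-liners and keep them from drifting. The enclosing method starts before this hunk.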
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
index c8276f1..bd980ce 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
@@ -40,6 +40,7 @@ public class RangerAccessRequestUtil {
public static final String KEY_CONTEXT_REQUESTED_RESOURCES = "REQUESTED_RESOURCES";
public static final String KEY_TOKEN_NAMESPACE = "token:";
public static final String KEY_USER = "USER";
+ public static final String KEY_OWNER = "OWNER";
public static final String KEY_ROLES = "ROLES";
public static void setRequestTagsInContext(Map<String, Object> context, Set<RangerTagForEval> tags) {
@@ -133,7 +134,9 @@ public class RangerAccessRequestUtil {
public static void setCurrentUserInContext(Map<String, Object> context, String user) {
setTokenInContext(context, KEY_USER, user);
}
-
+ public static void setOwnerInContext(Map<String, Object> context, String owner) {
+ setTokenInContext(context, KEY_OWNER, owner);
+ }
public static String getCurrentUserFromContext(Map<String, Object> context) {
Object ret = getTokenFromContext(context, KEY_USER);
return ret != null ? ret.toString() : "";
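Review bot: `setOwnerInContext` is added without a matching getter, so nothing in this diff reads `KEY_OWNER` back; presumably the value is consumed through the `token:` namespace by resource-matcher substitution, but that is not visible here and a reader cannot tell who depends on it. A Javadoc line on the setter naming the consumer, plus a getter mirroring `getCurrentUserFromContext` (`getTokenFromContext(context, KEY_OWNER)` with the same null-to-empty-string handling), would document the contract. The removed blank line also leaves the new method glued to `setCurrentUserInContext`; restore the separation to match the rest of the class.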
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index bb825b8..3d44315 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -113,7 +113,6 @@ import org.apache.ranger.plugin.store.PList;
import org.apache.ranger.plugin.store.ServiceStore;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.JsonUtilsV2;
-import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.plugin.util.SearchFilter;
import org.apache.ranger.plugin.util.ServicePolicies;
@@ -148,6 +147,7 @@ import com.google.gson.JsonSyntaxException;
import com.sun.jersey.core.header.FormDataContentDisposition;
import com.sun.jersey.multipart.FormDataParam;
+
@Path("plugins")
@Component
@Scope("request")
@@ -3216,10 +3216,7 @@ public class ServiceREST {
RangerPolicy ret = null;
RangerPolicyEngine policyEngine = getPolicyEngine(serviceName);
- Map<String, Object> evalContext = new HashMap<String, Object>();
- RangerAccessRequestUtil.setCurrentUserInContext(evalContext, user);
-
- List<RangerPolicy> policies = policyEngine != null ? policyEngine.getExactMatchPolicies(resource, evalContext) : null;
+ List<RangerPolicy> policies = policyEngine != null ? policyEngine.getExactMatchPolicies(resource, null) : null;
if(CollectionUtils.isNotEmpty(policies)) {
// at this point, ret is a policy in policy-engine; the caller might update the policy (for grant/revoke); so get a copy from the store
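Review bot: Passing `null` instead of an evaluation context to `getExactMatchPolicies` drops the current-user token the removed lines supplied, so any user-macro substitution the exact matcher applied to policy resources (not visible here) no longer happens for grant/revoke lookups. If the intent is that exact match compares literal policy resource strings, a comment on the call keeps the next maintainer from re-adding the context: `// exact-match compares literal policy resources; no token-substitution context is needed`. The enclosing method's signature is outside the hunk.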
@@ -3241,10 +3238,7 @@ public class ServiceREST {
RangerPolicy ret = null;
RangerPolicyEngine policyEngine = getPolicyEngine(policy.getService());
- Map<String, Object> evalContext = new HashMap<String, Object>();
- RangerAccessRequestUtil.setCurrentUserInContext(evalContext, user);
-
- List<RangerPolicy> policies = policyEngine != null ? policyEngine.getExactMatchPolicies(policy, evalContext) : null;
+ List<RangerPolicy> policies = policyEngine != null ? policyEngine.getExactMatchPolicies(policy, null) : null;
if(CollectionUtils.isNotEmpty(policies)) {
// at this point, ret is a policy in policy-engine; the caller might update the policy (for grant/revoke); so get a copy from the store
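Review bot: After dropping `evalContext`, nothing in this hunk uses the method's `user` parameter any more; if the rest of the method (outside the hunk) does not use it either, the parameter is dead and callers pass an argument that no longer affects the result. Either remove it or say why it stays, e.g. `// 'user' retained for call-site compatibility; exact-match lookup is user-independent`.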