Posted to commits@ranger.apache.org by ma...@apache.org on 2022/07/08 07:13:46 UTC
[ranger] branch master updated: RANGER-3814: fix for incorrect result from IS_IN_ROLE(roleName) condition
This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new ad472b373 RANGER-3814: fix for incorrect result from IS_IN_ROLE(roleName) condition
ad472b373 is described below
commit ad472b3738c2424f62a81087937ab358e3efc0f9
Author: Madhan Neethiraj <ma...@apache.org>
AuthorDate: Wed Jun 29 11:27:36 2022 -0700
RANGER-3814: fix for incorrect result from IS_IN_ROLE(roleName) condition
---
.../RangerDefaultPolicyEvaluator.java | 14 ++++----
.../service/RangerDefaultRequestProcessor.java | 9 ++++-
.../policyengine/test_policyengine_with_roles.json | 42 ++++++++++++++++++++--
3 files changed, 56 insertions(+), 9 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index c514a86a3..235e84477 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -840,12 +840,14 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
}
- if (userRoles !=null) {
- for (String userRole : userRoles) {
- accesses = aclSummary.getRolesAccessInfo().get(userRole);
- accessResult = lookupAccess(userRole, accessType, accesses);
- if (accessResult != null) {
- break;
+ if (accessResult == null) {
+ if (userRoles != null) {
+ for (String userRole : userRoles) {
+ accesses = aclSummary.getRolesAccessInfo().get(userRole);
+ accessResult = lookupAccess(userRole, accessType, accesses);
+ if (accessResult != null) {
+ break;
+ }
}
}
}
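Review bot: The precedence that the new `if (accessResult == null)` guard establishes — a role entry is consulted only when no user or group entry has already decided the access — is not stated anywhere, and the two nested ifs can be collapsed into one condition: `if (accessResult == null && userRoles != null) {`. A one-line comment above it, such as `// roles are a fallback only: a role entry must not override a result already found for the user or one of the groups`, would keep the intent from being lost on the next edit. No test in this commit appears to exercise this ACL-summary path; the JSON cases added in test_policyengine_with_roles.json go through the request processor, so a case where a user entry and a role entry disagree on the same access type would pin the new ordering. The enclosing method starts and ends outside the hunk.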
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
index ac9ce8faa..636d09038 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
@@ -49,8 +49,11 @@ public class RangerDefaultRequestProcessor implements RangerAccessRequestProcess
public void preProcess(RangerAccessRequest request) {
setResourceServiceDef(request);
+
+ RangerAccessRequestImpl reqImpl = null;
+
if (request instanceof RangerAccessRequestImpl) {
- RangerAccessRequestImpl reqImpl = (RangerAccessRequestImpl) request;
+ reqImpl = (RangerAccessRequestImpl) request;
if (reqImpl.getClientIPAddress() == null) {
reqImpl.extractAndSetClientIPAddress(policyEngine.getUseForwardedIPAddress(), policyEngine.getTrustedProxyAddresses());
@@ -78,6 +81,10 @@ public class RangerDefaultRequestProcessor implements RangerAccessRequestProcess
Set<String> roles = request.getUserRoles();
if (CollectionUtils.isEmpty(roles)) {
roles = policyEngine.getPluginContext().getAuthContext().getRolesForUserAndGroups(request.getUser(), request.getUserGroups());
+
+ if (reqImpl != null && roles != null && !roles.isEmpty()) {
+ reqImpl.setUserRoles(roles);
+ }
}
if (CollectionUtils.isNotEmpty(roles)) {
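Review bot: The emptiness check on the added line `if (reqImpl != null && roles != null && !roles.isEmpty())` spells out by hand what the surrounding code expresses with `CollectionUtils.isEmpty` two lines above and `CollectionUtils.isNotEmpty` directly below; `if (reqImpl != null && CollectionUtils.isNotEmpty(roles)) {` keeps the method consistent. The write-back happens only when the request is a `RangerAccessRequestImpl` (the `reqImpl` assigned in the previous hunk), so any other `RangerAccessRequest` implementation still carries no roles into later evaluation, which presumably includes the IS_IN_ROLE condition named in the commit title; a comment stating that limitation, e.g. `// store the resolved roles on the request so condition evaluators (IS_IN_ROLE) see them; other request implementations are left unchanged`, would save the next reader from re-deriving it. preProcess begins in the previous hunk and its end lies outside this one.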
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json b/agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json
index c8352cc3b..3f8fca0d0 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json
@@ -90,6 +90,9 @@
"lock"
]
}
+ ],
+ "policyConditions":[
+ { "name": "expression", "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator" }
]
},
"policies": [
@@ -162,10 +165,17 @@
"delegateAdmin": false
}
]
+ },
+ {
+ "id": 3, "name": "db=hr-fin", "isEnabled": true, "isAuditEnabled": true, "isDenyAllElse": true,
+ "resources": { "database": { "values": [ "hr-fin"] } },
+ "policyItems": [
+ { "accesses": [ { "type": "create" } ], "groups": [ "public"], "conditions": [ { "type": "expression", "values": [ "IS_IN_ROLE('fin-admin') && IS_IN_ROLE('hr-admin') "] } ] }
+ ]
}
],
- "userRoles": {"role-user1": ["fin-admin", "hr-admin"]},
- "groupRoles": {"role-group1": ["fin-group", "hr-group"]},
+ "userRoles": {"role-user1": ["fin-admin", "hr-admin"], "admin-user": [ "fin-admin", "hr-admin" ], "fin-user": [ "fin-admin"], "hr-user": [ "hr-admin"] },
+ "groupRoles": {"role-group1": ["fin-group", "hr-group"], "admin-group": [ "fin-admin", "hr-admin" ] },
"tests": [
{"name":"ALLOW 'create database default default ;' for user='role-user1'",
"request":{
@@ -208,6 +218,34 @@
"accessType":"create","user":"user2","userGroups":[],"requestData":"create database default ; for user2"
},
"result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ },
+ { "name": "ALLOW 'create database hr-fin;' for user=admin-user",
+ "request": {
+ "resource": { "elements": { "database": "hr-fin" } },
+ "accessType": "create", "user": "admin-user", "requestData": "create database hr-fin; for admin-user"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":3}
+ },
+ { "name": "ALLOW 'create database hr-fin;' for group=admin-group",
+ "request": {
+ "resource": { "elements": { "database": "hr-fin" } },
+ "accessType": "create", "user": "test-user1", "userGroups": [ "admin-group" ], "requestData": "create database hr-fin; for group=admin-group"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":3}
+ },
+ { "name": "DENY 'create database hr-fin;' for fin-user",
+ "request": {
+ "resource": { "elements": { "database": "hr-fin" } },
+ "accessType": "create", "user": "fin-user", "requestData": "create database hr-fin; for fin-user"
+ },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": 3}
+ },
+ { "name": "DENY 'create database hr-fin;' for hr-user",
+ "request": {
+ "resource": { "elements": { "database": "hr-fin" } },
+ "accessType": "create", "user": "hr-user", "requestData": "create database hr-fin; for hr-user"
+ },
+ "result": { "isAudited": true, "isAllowed": false, "policyId": 3}
}
]
}
\ No newline at end of file