Posted to commits@ranger.apache.org by ma...@apache.org on 2022/03/22 07:12:32 UTC

[ranger] branch ranger-2.3 updated: RANGER-3676: support {OWNER} macro in tag-based policies

This is an automated email from the ASF dual-hosted git repository.

madhan pushed a commit to branch ranger-2.3
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.3 by this push:
     new 9ae7256  RANGER-3676: support {OWNER} macro in tag-based policies
9ae7256 is described below

commit 9ae72563d717ecdfe736918a4f255c7c68155901
Author: Madhan Neethiraj <ma...@apache.org>
AuthorDate: Mon Mar 21 12:09:42 2022 -0700

    RANGER-3676: support {OWNER} macro in tag-based policies
    
    (cherry picked from commit 0d076a0bae37fda198350faee09188be1673c010)
---
 .../plugin/policyengine/RangerTagAccessRequest.java      |  7 ++++---
 .../ranger/plugin/policyengine/RangerTagResource.java    |  6 ++++++
 .../test_policyengine_tag_hive_filebased.json            | 16 +++++++++++++++-
 3 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
index ebe85e9..4b2d706 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
@@ -31,8 +31,11 @@ import java.util.Map;
 public class RangerTagAccessRequest extends RangerAccessRequestImpl {
 	private final RangerPolicyResourceMatcher.MatchType matchType;
 	public RangerTagAccessRequest(RangerTagForEval resourceTag, RangerServiceDef tagServiceDef, RangerAccessRequest request) {
+		String owner = request.getResource() != null ? request.getResource().getOwnerUser() : null;
+
 		matchType = resourceTag.getMatchType();
-		super.setResource(new RangerTagResource(resourceTag.getType(), tagServiceDef));
+
+		super.setResource(new RangerTagResource(resourceTag.getType(), tagServiceDef, owner));
 		super.setUser(request.getUser());
 		super.setUserGroups(request.getUserGroups());
 		super.setUserRoles(request.getUserRoles());
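Review bot: The owner read on the added line at the top of this hunk is handed to `RangerTagResource` unconditionally, whereas the same value is only written into the request context (second hunk of this file) behind a `StringUtils.isNotEmpty(owner)` guard, so an empty-string owner reaches `setOwnerUser` on the tag resource but never the context. Because `{OWNER}` now expands from the tag resource's owner and, per the test policy in this commit, can lift a tag-based deny, how the matcher treats an empty owner is security-relevant, and it is not visible here. Normalizing once at the point of capture keeps both consumers in agreement: `String owner = request.getResource() != null ? StringUtils.defaultIfEmpty(request.getResource().getOwnerUser(), null) : null;`. The constructor body continues past the end of this hunk.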
@@ -47,8 +50,6 @@ public class RangerTagAccessRequest extends RangerAccessRequestImpl {
 		RangerAccessRequestUtil.setCurrentResourceInContext(request.getContext(), request.getResource());
 		RangerAccessRequestUtil.setCurrentUserInContext(request.getContext(), request.getUser());
 
-		String owner = request.getResource() != null ? request.getResource().getOwnerUser() : null;
-
 		if (StringUtils.isNotEmpty(owner)) {
 			RangerAccessRequestUtil.setOwnerInContext(request.getContext(), owner);
 		}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java
index 39e190c..b6ab66b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java
@@ -30,4 +30,10 @@ public class RangerTagResource extends RangerAccessResourceImpl {
 		super.setValue(KEY_TAG, tagType);
 		super.setServiceDef(tagServiceDef);
 	}
+
+	public RangerTagResource(String tagType, RangerServiceDef tagServiceDef, String ownerUser) {
+		super.setValue(KEY_TAG, tagType);
+		super.setServiceDef(tagServiceDef);
+		super.setOwnerUser(ownerUser);
+	}
 }
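Review bot: The new three-argument constructor repeats the body of the two-argument one instead of delegating to it, so any future change to how the tag value or service def is set has to be made twice; `this(tagType, tagServiceDef); super.setOwnerUser(ownerUser);` keeps one source of truth. `setOwnerUser` is called even when `ownerUser` is null, which presumably matches what `RangerAccessResourceImpl` already does for resources without an owner, but that class is not in view, so confirm a null argument is accepted rather than, say, stored as a key in a context map. A short Javadoc would also help policy authors understand the new input: `/** @param ownerUser owner of the tagged resource, or null if unknown; this is the value the {OWNER} macro resolves to for tag-based policies. */`.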
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
index fad08e7..b3ca12e 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
@@ -201,7 +201,7 @@
         ]
         ,
         "denyExceptions":[
-          {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1"],"groups":[],"delegateAdmin":false,
+          {"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive", "user1", "{OWNER}"],"groups":[],"delegateAdmin":false,
             "conditions":[{
               "type":"expression",
               "values":["if ( ctx.isAccessedBefore('activation_date') ) ctx.result = true;"]
@@ -277,6 +277,20 @@
       },
       "result":{"isAudited":true,"isAllowed":false,"policyId":4}
     },
+    {"name":"ALLOW 'select address from employee.personal;' for user2, the {OWNER}, using RESTRICTED-FINAL tag",
+      "request":{
+        "resource":{"elements":{"database":"employee", "table":"personal", "column":"address"}, "ownerUser": "user2"},
+        "accessType":"select","user":"user2","userGroups":[],"requestData":"select address from employee.personal;' for user2"
+      },
+      "result":{"isAudited":true,"isAllowed":true,"policyId":101}
+    },
+    {"name":"DENY 'select address from employee.personal;' for user3, owner=user2, using RESTRICTED-FINAL tag",
+      "request":{
+        "resource":{"elements":{"database":"employee", "table":"personal", "column":"address"}, "ownerUser": "user2"},
+        "accessType":"select","user":"user3","userGroups":[],"requestData":"select address from employee.personal;' for user2"
+      },
+      "result":{"isAudited":true,"isAllowed":false,"policyId":4}
+    },
     {"name":"ALLOW 'select name from employee.personal;' for user1 - no tag",
       "request":{
         "resource":{"elements":{"database":"employee", "table":"personal", "column":"name"}},
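Review bot: The two added cases cover an owner that is set, but there is no case for a request on the RESTRICTED-FINAL column with no `ownerUser` at all, which is the important negative test for a macro that carves an exception out of a deny policy: it should fall through to the same deny as the user3 case rather than matching `{OWNER}` against a missing value. The `requestData` string of the user3 case also still says `for user2`, which is only cosmetic but makes failure output misleading. A case along the following lines would pin the no-owner behavior.
```json
{"name":"DENY 'select address from employee.personal;' for user2, no owner set, using RESTRICTED-FINAL tag",
  "request":{
    "resource":{"elements":{"database":"employee", "table":"personal", "column":"address"}},
    "accessType":"select","user":"user2","userGroups":[],"requestData":"select address from employee.personal;' for user2 without owner"
  },
  "result":{"isAudited":true,"isAllowed":false,"policyId":4}
},
```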