You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ma...@apache.org on 2023/05/30 06:42:01 UTC
[ranger] branch RANGER-3923 updated (f7a8dabb7 -> 066948660)
This is an automated email from the ASF dual-hosted git repository.
madhan pushed a change to branch RANGER-3923
in repository https://gitbox.apache.org/repos/asf/ranger.git
from f7a8dabb7 Merge branch 'master' into RANGER-3923
add 8a1435199 RANGER-4240: optimized removal of x_auth_sess entries while deleting an user
add d1a5ee36a RANGER-4241: Fix sql patch 65 syntax issue for oracle db
add b6049ce73 RANGER-4219: Grant permission in Impala engine not working with {user} in ranger policy
add 6efa1f306 RANGER-4244: security-zone REST APIs to return status code 409 in case of simultaneous update calls
add b1a493290 RANGER-4023: fixed implicit addition of userStoreEnricher for references to user/group attributes in dataMask expressions
add 21c6e24e6 RANGER-4103 : Fix for improving logout mechanism in Ranger react code base.
add 56db102e8 RANGER-4245: Upgrade derby, spring-ldap and testng libraries
add 44a82e408 RANGER-4128: updated importTags API to use the service name specified in the URL for all service-resources
add 717158e88 RANGER-4063 Editable Search Filter (tokenizer) in Ranger React
add 4c68c8549 RANGER-3947 fix thread leak in SolrCollectionBootstrapper
new 066948660 Merge branch 'master' into RANGER-3923
The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
.../RangerDefaultPolicyEvaluator.java | 31 +-
.../apache/ranger/plugin/util/ServiceDefUtil.java | 16 +
.../ranger/plugin/util/ServiceDefUtilTest.java | 28 +
.../server/tomcat/SolrCollectionBootstrapper.java | 8 +
pom.xml | 6 +-
...n-x_rms_service_resource-resource_signature.sql | 3 +-
.../main/java/org/apache/ranger/biz/XUserMgr.java | 14 +-
.../org/apache/ranger/db/XXAuthSessionDao.java | 13 +
.../java/org/apache/ranger/rest/PublicAPIsv2.java | 8 +
.../org/apache/ranger/rest/SecurityZoneREST.java | 18 +
.../main/resources/META-INF/jpa_named_queries.xml | 8 +
.../src/main/webapp/react-webapp/src/App.jsx | 1 +
.../src/components/CommonComponents.jsx | 12 +-
.../react-webapp/src/components/XATableLayout.jsx | 6 +-
.../structured-filter/react-datepicker/calendar.js | 33 +
.../react-datepicker/date_input.js | 6 +-
.../react-datepicker/datepicker.js | 4 +
.../react-typeahead/tokenizer/index.js | 114 +-
.../react-typeahead/tokenizer/token.js | 75 +-
.../react-typeahead/typeahead/index.js | 65 +-
.../webapp/react-webapp/src/hooks/usePrompt.js | 1 -
.../main/webapp/react-webapp/src/styles/style.css | 325 +--
.../main/webapp/react-webapp/src/utils/XAEnums.js | 69 +-
.../main/webapp/react-webapp/src/utils/XAUtils.js | 109 +-
.../src/views/AuditEvent/AccessLogs.jsx | 46 +-
.../src/views/AuditEvent/AccessLogsTable.jsx | 2 +-
.../src/views/AuditEvent/AdminLogs.jsx | 30 +-
.../src/views/AuditEvent/AdminLogs/PolicyLogs.jsx | 2430 ++++++++++----------
.../AuditEvent/AdminLogs/SecurityZonelogs.jsx | 236 +-
.../src/views/AuditEvent/LoginSessionsLogs.jsx | 30 +-
.../src/views/AuditEvent/PluginStatusLogs.jsx | 31 +-
.../src/views/AuditEvent/PluginsLog.jsx | 30 +-
.../react-webapp/src/views/AuditEvent/UserSync.jsx | 36 +-
.../src/views/Encryption/KeyManager.jsx | 29 +-
.../webapp/react-webapp/src/views/ErrorPage.jsx | 21 +-
.../main/webapp/react-webapp/src/views/Header.jsx | 62 +-
.../main/webapp/react-webapp/src/views/Layout.jsx | 42 +-
.../src/views/PermissionsModule/Permissions.jsx | 35 +-
.../src/views/PolicyListing/PolicyListing.jsx | 75 +-
.../src/views/Reports/SearchPolicyTable.jsx | 4 +-
.../src/views/ServiceManager/ServiceDefinition.jsx | 4 +
.../src/views/ServiceManager/ServiceForm.jsx | 8 +-
.../groups_details/GroupListing.jsx | 37 +-
.../UserGroupRoleListing/role_details/RoleForm.jsx | 10 +-
.../role_details/RoleListing.jsx | 42 +-
.../users_details/UserListing.jsx | 60 +-
.../java/org/apache/ranger/biz/TestXUserMgr.java | 4 -
47 files changed, 2229 insertions(+), 2048 deletions(-)
[ranger] 01/01: Merge branch 'master' into RANGER-3923
Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch RANGER-3923
in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 06694866098bc0b14cf800a9e167ab4e866a0113
Merge: f7a8dabb7 4c68c8549
Author: Madhan Neethiraj <ma...@apache.org>
AuthorDate: Mon May 29 23:16:34 2023 -0700
Merge branch 'master' into RANGER-3923
.../RangerDefaultPolicyEvaluator.java | 31 +-
.../apache/ranger/plugin/util/ServiceDefUtil.java | 16 +
.../ranger/plugin/util/ServiceDefUtilTest.java | 28 +
.../server/tomcat/SolrCollectionBootstrapper.java | 8 +
pom.xml | 6 +-
...n-x_rms_service_resource-resource_signature.sql | 3 +-
.../main/java/org/apache/ranger/biz/XUserMgr.java | 14 +-
.../org/apache/ranger/db/XXAuthSessionDao.java | 13 +
.../java/org/apache/ranger/rest/PublicAPIsv2.java | 8 +
.../org/apache/ranger/rest/SecurityZoneREST.java | 18 +
.../main/resources/META-INF/jpa_named_queries.xml | 8 +
.../src/main/webapp/react-webapp/src/App.jsx | 1 +
.../src/components/CommonComponents.jsx | 12 +-
.../react-webapp/src/components/XATableLayout.jsx | 6 +-
.../structured-filter/react-datepicker/calendar.js | 33 +
.../react-datepicker/date_input.js | 6 +-
.../react-datepicker/datepicker.js | 4 +
.../react-typeahead/tokenizer/index.js | 114 +-
.../react-typeahead/tokenizer/token.js | 75 +-
.../react-typeahead/typeahead/index.js | 65 +-
.../webapp/react-webapp/src/hooks/usePrompt.js | 1 -
.../main/webapp/react-webapp/src/styles/style.css | 325 +--
.../main/webapp/react-webapp/src/utils/XAEnums.js | 69 +-
.../main/webapp/react-webapp/src/utils/XAUtils.js | 109 +-
.../src/views/AuditEvent/AccessLogs.jsx | 46 +-
.../src/views/AuditEvent/AccessLogsTable.jsx | 2 +-
.../src/views/AuditEvent/AdminLogs.jsx | 30 +-
.../src/views/AuditEvent/AdminLogs/PolicyLogs.jsx | 2430 ++++++++++----------
.../AuditEvent/AdminLogs/SecurityZonelogs.jsx | 236 +-
.../src/views/AuditEvent/LoginSessionsLogs.jsx | 30 +-
.../src/views/AuditEvent/PluginStatusLogs.jsx | 31 +-
.../src/views/AuditEvent/PluginsLog.jsx | 30 +-
.../react-webapp/src/views/AuditEvent/UserSync.jsx | 36 +-
.../src/views/Encryption/KeyManager.jsx | 29 +-
.../webapp/react-webapp/src/views/ErrorPage.jsx | 21 +-
.../main/webapp/react-webapp/src/views/Header.jsx | 62 +-
.../main/webapp/react-webapp/src/views/Layout.jsx | 42 +-
.../src/views/PermissionsModule/Permissions.jsx | 35 +-
.../src/views/PolicyListing/PolicyListing.jsx | 75 +-
.../src/views/Reports/SearchPolicyTable.jsx | 4 +-
.../src/views/ServiceManager/ServiceDefinition.jsx | 4 +
.../src/views/ServiceManager/ServiceForm.jsx | 8 +-
.../groups_details/GroupListing.jsx | 37 +-
.../UserGroupRoleListing/role_details/RoleForm.jsx | 10 +-
.../role_details/RoleListing.jsx | 42 +-
.../users_details/UserListing.jsx | 60 +-
.../java/org/apache/ranger/biz/TestXUserMgr.java | 4 -
47 files changed, 2229 insertions(+), 2048 deletions(-)
diff --cc agents-common/src/test/java/org/apache/ranger/plugin/util/ServiceDefUtilTest.java
index 147cdaf2b,03aebb220..36f0b6af6
--- a/agents-common/src/test/java/org/apache/ranger/plugin/util/ServiceDefUtilTest.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/util/ServiceDefUtilTest.java
@@@ -274,131 -253,34 +274,159 @@@ public class ServiceDefUtilTest
}
@Test
+ public void testNormalizeAccessTypeDefs() throws Exception {
+ try (InputStream inStream = this.getClass().getResourceAsStream("/test_servicedef-normalize.json")) {
+ InputStreamReader reader = new InputStreamReader(inStream);
+ ServicePolicies policies = gsonBuilder.fromJson(reader, ServicePolicies.class);
+
+ RangerAccessTypeDef serviceMarkerAll = getAccessType(policies.getServiceDef().getMarkerAccessTypes(), ACCESS_TYPE_MARKER_ALL);
+ RangerAccessTypeDef tagMarkerAll = getAccessType(policies.getTagPolicies().getServiceDef().getMarkerAccessTypes(), ACCESS_TYPE_MARKER_ALL);
+
+ assertNotEquals("accessType count", policies.getServiceDef().getAccessTypes().size(), policies.getTagPolicies().getServiceDef().getAccessTypes().size());
+ assertNotEquals("impliedGrants: _ALL", new HashSet<>(serviceMarkerAll.getImpliedGrants()), new HashSet<>(tagMarkerAll.getImpliedGrants()));
+ assertNotEquals("dataMask.accessType count", policies.getServiceDef().getDataMaskDef().getAccessTypes().size(), policies.getTagPolicies().getServiceDef().getDataMaskDef().getAccessTypes().size());
+ assertNotEquals("rowFilter.accessType count", policies.getServiceDef().getRowFilterDef().getAccessTypes().size(), policies.getTagPolicies().getServiceDef().getRowFilterDef().getAccessTypes().size());
+
+ ServiceDefUtil.normalizeAccessTypeDefs(policies.getTagPolicies().getServiceDef(), policies.getServiceDef().getName());
+
+ serviceMarkerAll = getAccessType(policies.getServiceDef().getMarkerAccessTypes(), ACCESS_TYPE_MARKER_ALL);
+ tagMarkerAll = getAccessType(policies.getTagPolicies().getServiceDef().getMarkerAccessTypes(), ACCESS_TYPE_MARKER_ALL);
+
+ assertEquals("accessType count", policies.getServiceDef().getAccessTypes().size(), policies.getTagPolicies().getServiceDef().getAccessTypes().size());
+ assertEquals("impliedGrants: _ALL", new HashSet<>(serviceMarkerAll.getImpliedGrants()), new HashSet<>(tagMarkerAll.getImpliedGrants()));
+ assertEquals("dataMask.accessType count", policies.getServiceDef().getDataMaskDef().getAccessTypes().size(), policies.getTagPolicies().getServiceDef().getDataMaskDef().getAccessTypes().size());
+ assertEquals("rowFilter.accessType count", 0, policies.getTagPolicies().getServiceDef().getRowFilterDef().getAccessTypes().size());
+ }
+ }
+
+ private RangerAccessTypeDef getAccessType(List<RangerAccessTypeDef> accessTypeDefs, String accessType) {
+ RangerAccessTypeDef ret = null;
+
+ if (accessTypeDefs != null) {
+ for (RangerAccessTypeDef accessTypeDef : accessTypeDefs) {
+ if (StringUtils.equals(accessTypeDef.getName(), accessType)) {
+ ret = accessTypeDef;
+
+ break;
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ @Test
+ public void testAccessTypeMarkers() {
+ RangerAccessTypeDef create = new RangerAccessTypeDef(1L, "create", "create", null, null, AccessTypeCategory.CREATE);
+ RangerAccessTypeDef select = new RangerAccessTypeDef(2L, "select", "select", null, null, AccessTypeCategory.READ);
+ RangerAccessTypeDef update = new RangerAccessTypeDef(3L, "update", "update", null, null, AccessTypeCategory.UPDATE);
+ RangerAccessTypeDef delete = new RangerAccessTypeDef(4L, "delete", "delete", null, null, AccessTypeCategory.DELETE);
+ RangerAccessTypeDef manage = new RangerAccessTypeDef(5L, "manage", "manage", null, null, AccessTypeCategory.MANAGE);
+ RangerAccessTypeDef read = new RangerAccessTypeDef(6L, "read", "read", null, null, AccessTypeCategory.READ);
+ RangerAccessTypeDef write = new RangerAccessTypeDef(7L, "write", "write", null, null, AccessTypeCategory.UPDATE);
+ RangerAccessTypeDef execute = new RangerAccessTypeDef(8L, "execute", "execute", null, null, null);
+ Set<String> allNames = toSet(create.getName(), select.getName(), update.getName(), delete.getName(), manage.getName(), read.getName(), write.getName(), execute.getName());
+
+ // 6 marker access-types should be populated with impliedGrants
+ List<RangerAccessTypeDef> accessTypeDefs = Arrays.asList(create, select, update, delete, manage, read, write, execute);
+ List<RangerAccessTypeDef> markerTypeDefs = ServiceDefUtil.getMarkerAccessTypes(accessTypeDefs);
+ assertEquals("markerTypeDefs count", 6, markerTypeDefs.size());
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_CREATE, toSet(create.getName()), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_CREATE));
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_READ, toSet(select.getName(), read.getName()), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_READ));
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_UPDATE, toSet(update.getName(), write.getName()), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_UPDATE));
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_DELETE, toSet(delete.getName()), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_DELETE));
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_MANAGE, toSet(manage.getName()), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_MANAGE));
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_ALL, allNames, getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_ALL));
+
+ // 2 marker access-types should be populated with impliedGrants: _CREATE, _ALL
+ accessTypeDefs = new ArrayList<>(Collections.singleton(create));
+ markerTypeDefs = ServiceDefUtil.getMarkerAccessTypes(accessTypeDefs);
+ assertEquals("markerTypeDefs count", 6, markerTypeDefs.size());
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_CREATE, toSet(create.getName()), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_CREATE));
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_READ, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_READ));
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_UPDATE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_UPDATE));
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_DELETE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_DELETE));
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_MANAGE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_MANAGE));
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_ALL, toSet(create.getName()), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_ALL));
+
+ // 2 marker access-types should be populated with impliedGrants: _READ, _ALL
+ accessTypeDefs = new ArrayList<>(Arrays.asList(select, read));
+ markerTypeDefs = ServiceDefUtil.getMarkerAccessTypes(accessTypeDefs);
+ assertEquals("markerTypeDefs count", 6, markerTypeDefs.size());
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_CREATE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_CREATE));
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_READ, toSet(select.getName(), read.getName()), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_READ));
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_UPDATE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_UPDATE));
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_DELETE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_DELETE));
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_MANAGE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_MANAGE));
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_ALL, toSet(select.getName(), read.getName()), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_ALL));
+
+ // accessTypes with no category should be added to _ALL
+ accessTypeDefs = new ArrayList<>(Collections.singleton(execute));
+ markerTypeDefs = ServiceDefUtil.getMarkerAccessTypes(accessTypeDefs);
+ assertEquals("markerTypeDefs count", 6, markerTypeDefs.size()); // 1 marker access-types should be added: _ALL
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_CREATE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_CREATE));
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_READ, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_READ));
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_UPDATE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_UPDATE));
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_DELETE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_DELETE));
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_MANAGE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_MANAGE));
+ assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_ALL, toSet(execute.getName()), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_ALL));
+ }
+
+ private Set<String> getImpliedGrants(List<RangerAccessTypeDef> accessTypeDefs, String accessType) {
+ Set<String> ret = null;
+
+ if (accessTypeDefs != null) {
+ for (RangerAccessTypeDef accessTypeDef : accessTypeDefs) {
+ if (StringUtils.equals(accessTypeDef.getName(), accessType)) {
+ ret = new HashSet<>(accessTypeDef.getImpliedGrants());
+
+ break;
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ private Set<String> toSet(String...values) {
+ Set<String> ret = new HashSet<>();
+
+ if (values != null) {
+ for (String value : values) {
+ ret.add(value);
+ }
+ }
+
+ return ret;
+ }
+ public void testPolicyItemDataMaskExprUserGroupRef() {
+ for (String attrExpr : UGA_ATTR_EXPRESSIONS) {
+ String filterExpr = "${{" + attrExpr + "}}";
+ ServicePolicies svcPolicies = getServicePolicies();
+ RangerPolicy policy = getPolicy(svcPolicies);
+
+ policy.getDataMaskPolicyItems().get(0).setDataMaskInfo(new RangerPolicyItemDataMaskInfo("CUSTOM", "", "CASE WHEN dept in (" + filterExpr + ")THEN {col} ELSE '0' END"));
+
+ svcPolicies.getPolicies().add(policy);
+ assertTrue("policy data-mask refers to user/group attribute: " + filterExpr, ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, RangerAdminUserStoreRetriever.class.getCanonicalName(), "60000"));
+
+ svcPolicies.getServiceDef().getContextEnrichers().clear();
+ svcPolicies.getPolicies().clear();
+ svcPolicies.getPolicyDeltas().add(new RangerPolicyDelta(1L, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE, 1L, policy));
+ assertTrue("policy-delta data-mask refers to user/group attribute: " + filterExpr, ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, RangerAdminUserStoreRetriever.class.getCanonicalName(), "60000"));
+
+ svcPolicies.getServiceDef().getContextEnrichers().clear();
+ svcPolicies.getPolicyDeltas().clear();
+ svcPolicies.getSecurityZones().put("zone1", getSecurityZoneInfo("zone1"));
+ svcPolicies.getSecurityZones().get("zone1").getPolicies().add(policy);
+ assertTrue("zone-policy data-mask refers to user/group attribute: " + filterExpr, ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, RangerAdminUserStoreRetriever.class.getCanonicalName(), "60000"));
+
+ svcPolicies.getServiceDef().getContextEnrichers().clear();
+ svcPolicies.getSecurityZones().get("zone1").getPolicies().clear();
+ svcPolicies.getSecurityZones().get("zone1").getPolicyDeltas().add(new RangerPolicyDelta(1L, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE, 1L, policy));
+ assertTrue("zone-policy-delta data-mask refers to user/group attribute: " + filterExpr, ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, RangerAdminUserStoreRetriever.class.getCanonicalName(), "60000"));
+ }
+ }
private ServicePolicies getServicePolicies() {
ServicePolicies ret = new ServicePolicies();