Posted to commits@ranger.apache.org by ab...@apache.org on 2021/09/12 18:32:21 UTC
[ranger] branch ranger-2.2 updated: RANGER-3397: Update ACL
computation to (optionally) expand Ranger Roles to users and groups and
include chained-plugins in ACL computation - Part 3
This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.2 by this push:
new b1dcfb4 RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 3
b1dcfb4 is described below
commit b1dcfb42f942273de17bba58ab4c94cd3990b4f2
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Sun Sep 12 09:52:52 2021 -0700
RANGER-3397: Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation - Part 3
---
.../plugin/policyengine/RangerResourceACLs.java | 6 ++--
.../ranger/plugin/service/RangerBasePlugin.java | 36 +++++++++++-----------
2 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
index eb12543..aa49507 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
@@ -176,7 +176,7 @@ public class RangerResourceACLs {
sb.append("permissions={");
for (Map.Entry<String, AccessResult> permission : entry.getValue().entrySet()) {
sb.append("{Permission=").append(permission.getKey()).append(", value=").append(permission.getValue()).append("},");
- sb.append("{RangerPolicyID=").append(permission.getValue().getPolicy().getId()).append("},");
+ sb.append("{RangerPolicyID=").append(permission.getValue().getPolicy() == null ? null : permission.getValue().getPolicy().getId()).append("},");
}
sb.append("},");
}
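Review bot: The null-guarded expression `permission.getValue().getPolicy() == null ? null : permission.getValue().getPolicy().getId()` is pasted into all three loops (this hunk and the ones at `@@ -188` and `@@ -200`), and each copy calls getPolicy() twice. I would pull it into one private static helper that reads the policy into a local once and returns its id or null, so the three branches cannot drift apart. The guard also covers only a null policy: `permission.getValue()` is still dereferenced unconditionally, so if a map value can ever be null (not visible here) the dump still throws. The label is `RangerPolicyID` in this loop and `RangerPolicy ID` in the other two, which makes searching ACL dumps in logs harder; using one spelling would help. The enclosing method starts and ends outside these hunks.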
@@ -188,7 +188,7 @@ public class RangerResourceACLs {
sb.append("permissions={");
for (Map.Entry<String, AccessResult> permission : entry.getValue().entrySet()) {
sb.append("{Permission=").append(permission.getKey()).append(", value=").append(permission.getValue()).append("}, ");
- sb.append("{RangerPolicy ID=").append(permission.getValue().getPolicy().getId()).append("},");
+ sb.append("{RangerPolicy ID=").append(permission.getValue().getPolicy() == null ? null : permission.getValue().getPolicy().getId()).append("},");
}
sb.append("},");
}
@@ -200,7 +200,7 @@ public class RangerResourceACLs {
sb.append("permissions={");
for (Map.Entry<String, AccessResult> permission : entry.getValue().entrySet()) {
sb.append("{Permission=").append(permission.getKey()).append(", value=").append(permission.getValue()).append("}, ");
- sb.append("{RangerPolicy ID=").append(permission.getValue().getPolicy().getId()).append("},");
+ sb.append("{RangerPolicy ID=").append(permission.getValue().getPolicy() == null ? null : permission.getValue().getPolicy().getId()).append("},");
}
sb.append("},");
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 99c48d0..57a4b4b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -994,6 +994,23 @@ public class RangerBasePlugin {
return ret;
}
+ public static RangerResourceACLs getMergedResourceACLs(RangerResourceACLs baseACLs, RangerResourceACLs chainedACLs) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerBasePlugin.getMergedResourceACLs()");
+ LOG.debug("baseACLs:[" + baseACLs + "]");
+ LOG.debug("chainedACLS:[" + chainedACLs + "]");
+ }
+
+ overrideACLs(chainedACLs, baseACLs, RangerRolesUtil.ROLES_FOR.USER);
+ overrideACLs(chainedACLs, baseACLs, RangerRolesUtil.ROLES_FOR.GROUP);
+ overrideACLs(chainedACLs, baseACLs, RangerRolesUtil.ROLES_FOR.ROLE);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerBasePlugin.getMergedResourceACLs() : ret:[" + baseACLs + "]");
+ }
+ return baseACLs;
+ }
+
private RangerAdminClient getAdminClient() throws Exception {
PolicyRefresher refresher = this.refresher;
RangerAdminClient admin = refresher == null ? null : refresher.getRangerAdminClient();
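Review bot: getMergedResourceACLs is now `public static` but has no Javadoc, and its contract is not obvious from the signature. It passes baseACLs to overrideACLs three times and returns that same reference, so the caller's baseACLs appears to be modified in place rather than copied. Neither argument is null-checked before use in this method. Since callers outside the class can now use it to compute the ACLs reported for a resource, I would add something like `/** Merges chainedACLs into baseACLs for users, groups and roles; modifies and returns baseACLs. */` and state whether null arguments are accepted. The body of overrideACLs is outside this hunk, so the precedence between chained and base entries should be documented against that code.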
@@ -1068,24 +1085,7 @@ public class RangerBasePlugin {
}
}
- private RangerResourceACLs getMergedResourceACLs(RangerResourceACLs baseACLs, RangerResourceACLs chainedACLs) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> RangerBasePlugin.getMergedResourceACLs()");
- LOG.debug("baseACLs:[" + baseACLs + "]");
- LOG.debug("chainedACLS:[" + chainedACLs + "]");
- }
-
- overrideACLs(chainedACLs, baseACLs, RangerRolesUtil.ROLES_FOR.USER);
- overrideACLs(chainedACLs, baseACLs, RangerRolesUtil.ROLES_FOR.GROUP);
- overrideACLs(chainedACLs, baseACLs, RangerRolesUtil.ROLES_FOR.ROLE);
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("<== RangerBasePlugin.getMergedResourceACLs() : ret:[" + baseACLs + "]");
- }
- return baseACLs;
- }
-
- private void overrideACLs(final RangerResourceACLs chainedResourceACLs, RangerResourceACLs baseResourceACLs, final RangerRolesUtil.ROLES_FOR userType) {
+ private static void overrideACLs(final RangerResourceACLs chainedResourceACLs, RangerResourceACLs baseResourceACLs, final RangerRolesUtil.ROLES_FOR userType) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RangerBasePlugin.overrideACLs(isUser=" + userType.name() + ")");
}