Posted to commits@ranger.apache.org by pr...@apache.org on 2019/05/21 05:28:15 UTC
[ranger] branch master updated: RANGER-2430 : Zoneadmin User is
able to create policy for those services which is not associated to zone
This is an automated email from the ASF dual-hosted git repository.
pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 2c8a947 RANGER-2430 : Zoneadmin User is able to create policy for those services which is not associated to zone
2c8a947 is described below
commit 2c8a947f800d705867f5f6a22e6d738b3c5a3d19
Author: Bhavik Patel <bh...@gmail.com>
AuthorDate: Mon May 20 15:49:38 2019 +0530
RANGER-2430 : Zoneadmin User is able to create policy for those services which is not associated to zone
Signed-off-by: Pradeep <pr...@apache.org>
---
.../ranger/plugin/errors/ValidationErrorCode.java | 1 +
.../model/validation/RangerPolicyValidator.java | 12 ++++
.../validation/TestRangerPolicyValidator.java | 64 ++++++++++++++++++++++
3 files changed, 77 insertions(+)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
index 3111037..800b3c4 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
@@ -98,6 +98,7 @@ public enum ValidationErrorCode {
POLICY_VALIDATION_ERR_POLICY_INVALID_PRIORITY(3030, "Invalid priority value"),
POLICY_VALIDATION_ERR_UPDATE_ZONE_NAME_NOT_ALLOWED(3032, "Update of Zone name from={0} to={1} in policy is not supported"),
POLICY_VALIDATION_ERR_NONEXISTANT_ZONE_NAME(3033, "Non-existent Zone name={0} in policy create"),
+ POLICY_VALIDATION_ERR_SERVICE_NOT_ASSOCIATED_TO_ZONE(3048, "Service name = {0} is not associated to Zone name = {1}"),
// SECURITY_ZONE Validations
SECURITY_ZONE_VALIDATION_ERR_UNSUPPORTED_ACTION(3034, "Internal error: unsupported action[{0}]; isValid() is only supported for DELETE"),
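Review bot: The new constant at L29 carries code 3048 but is inserted between 3033 and 3034, breaking the ascending numbering that the surrounding POLICY_VALIDATION entries follow; readers scanning for a free code will not expect a gap to be filled out of sequence. Presumably 3035–3047 are already taken by entries further down the enum that are outside this hunk, so the number itself is fine, but a short comment such as `// 3048: next free code; 3035-3047 are used by the SECURITY_ZONE/ROLE validations below` (adjusted to whatever actually occupies them) would explain the placement. The message text would also read more naturally as `"Service name = {0} is not associated with Zone name = {1}"`; if that wording is changed, the literal assertion in the new test at L123 must change with it.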
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
index 990aab0..5316bae 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
@@ -210,6 +210,18 @@ public class RangerPolicyValidator extends RangerValidator {
.build());
valid = false;
}
+ List<String> tagSvcList = zone.getTagServices();
+ Set<String> svcNameSet = zone.getServices().keySet();
+ if(!svcNameSet.contains(serviceName) && !tagSvcList.contains(serviceName)){
+ ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_SERVICE_NOT_ASSOCIATED_TO_ZONE;
+ failures.add(new ValidationFailureDetailsBuilder()
+ .field("zoneName")
+ .isSemanticallyIncorrect()
+ .becauseOf(error.getMessage(serviceName, zoneName))
+ .errorCode(error.getErrorCode())
+ .build());
+ valid = false;
+ }
}
if (StringUtils.isBlank(policyName)) {
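Review bot: The new check at L40–L42 calls `zone.getServices().keySet()` and `tagSvcList.contains(serviceName)` with no null guard, so a zone record whose service map or tag-service list is unset would make the validator throw a NullPointerException instead of recording a validation failure; the happy-path test in this commit never calls `setServices` and still passes, which suggests `getServices()` defaults to a non-null map, but both tests call `setTagServices`, so the null tag-service case is not demonstrated. Because this condition is what stops a zone admin from writing a policy against a service outside the zone, it should fail closed with a failure entry rather than an exception whose outcome depends on how the caller handles it: `boolean svcInZone = (zone.getServices() != null && zone.getServices().containsKey(serviceName)) || (zone.getTagServices() != null && zone.getTagServices().contains(serviceName));` followed by `if (!svcInZone) { ... }`. A one-line comment above the check, `// a zoned policy may only target a service (or tag service) that is associated with that zone`, would record the intent, and the failure's `field` might more accurately be `"service"` than `"zoneName"` since the zone exists and it is the service that is out of place. The enclosing `if` block and the validating method begin before this hunk, so whether `serviceName` is already guaranteed non-blank at this point is not visible here.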
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
index 2c1de4e..e6d90a4 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
@@ -806,6 +806,70 @@ public class TestRangerPolicyValidator {
_utils.checkFailureForSemanticError(_failures, "policy resources", "missing mandatory");
}
+ @Test
+ public final void test_isValidServiceWithZone_happyPath() throws Exception{
+ boolean isAdmin = true;
+ when(_policy.getId()).thenReturn(1L);
+ when(_policy.getName()).thenReturn("my-all");
+ when(_policy.getService()).thenReturn("hdfssvc");
+ when(_policy.getZoneName()).thenReturn("zone1");
+ when(_policy.getResources()).thenReturn(null);
+ when(_policy.getIsAuditEnabled()).thenReturn(Boolean.TRUE);
+ when(_policy.getIsEnabled()).thenReturn(Boolean.FALSE);
+ RangerService service = new RangerService();
+ service.setType("service-type");
+ service.setId(2L);
+ Action action = Action.CREATE;
+ List<String> tagSvcList = new ArrayList<String>();
+ tagSvcList.add("hdfssvc");
+ when(_store.getServiceByName("hdfssvc")).thenReturn(service);
+ RangerSecurityZone securityZone = new RangerSecurityZone();
+ securityZone.setName("zone1");
+ securityZone.setId(1L);
+ securityZone.setTagServices(tagSvcList);
+ when(_store.getSecurityZone("zone1")).thenReturn(securityZone);
+ when(_store.getPolicyId(2L, "my-all", 1L)).thenReturn(null);
+ RangerServiceDef svcDef = new RangerServiceDef();
+ svcDef.setName("my-svc-def");
+ when(_store.getServiceDefByName("service-type")).thenReturn(svcDef);
+ RangerPolicyResourceSignature policySignature = mock(RangerPolicyResourceSignature.class);
+ when(_factory.createPolicyResourceSignature(_policy)).thenReturn(policySignature);
+ Assert.assertTrue(_validator.isValid(_policy, action, isAdmin, _failures));
+ }
+
+ @Test
+ public final void test_isValidServiceWithZone_failurePath() throws Exception{
+ boolean isAdmin = true;
+ when(_policy.getId()).thenReturn(1L);
+ when(_policy.getName()).thenReturn("my-all");
+ when(_policy.getService()).thenReturn("hdfssvc1");
+ when(_policy.getZoneName()).thenReturn("zone1");
+ when(_policy.getResources()).thenReturn(null);
+ when(_policy.getIsAuditEnabled()).thenReturn(Boolean.TRUE);
+ when(_policy.getIsEnabled()).thenReturn(Boolean.FALSE);
+ RangerService service = new RangerService();
+ service.setType("service-type");
+ service.setId(2L);
+ Action action = Action.CREATE;
+ List<String> tagSvcList = new ArrayList<String>();
+ tagSvcList.add("hdfssvc");
+ when(_store.getServiceByName("hdfssvc1")).thenReturn(service);
+ RangerSecurityZone securityZone = new RangerSecurityZone();
+ securityZone.setName("zone1");
+ securityZone.setId(1L);
+ securityZone.setTagServices(tagSvcList);
+ when(_store.getSecurityZone("zone1")).thenReturn(securityZone);
+ when(_store.getPolicyId(2L, "my-all", 1L)).thenReturn(null);
+ RangerServiceDef svcDef = new RangerServiceDef();
+ svcDef.setName("my-svc-def");
+ when(_store.getServiceDefByName("service-type")).thenReturn(svcDef);
+ RangerPolicyResourceSignature policySignature = mock(RangerPolicyResourceSignature.class);
+ when(_factory.createPolicyResourceSignature(_policy)).thenReturn(policySignature);
+ boolean isValid = _validator.isValid(_policy, action, isAdmin, _failures);
+ Assert.assertFalse(isValid);
+ Assert.assertEquals(_failures.get(0)._errorCode, 3048);
+ Assert.assertEquals(_failures.get(0)._reason,"Service name = hdfssvc1 is not associated to Zone name = zone1");
+ }
private ValidationTestUtils _utils = new ValidationTestUtils();
private List<ValidationFailureDetails> _failures = new ArrayList<ValidationFailureDetails>();