Posted to commits@ranger.apache.org by pr...@apache.org on 2019/05/21 05:28:15 UTC

[ranger] branch master updated: RANGER-2430 : Zoneadmin User is able to create policy for those services which is not associated to zone

This is an automated email from the ASF dual-hosted git repository.

pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 2c8a947  RANGER-2430 : Zoneadmin User is able to create policy for those services which is not associated to zone
2c8a947 is described below

commit 2c8a947f800d705867f5f6a22e6d738b3c5a3d19
Author: Bhavik Patel <bh...@gmail.com>
AuthorDate: Mon May 20 15:49:38 2019 +0530

    RANGER-2430 : Zoneadmin User is able to create policy for those services which is not associated to zone
    
    Signed-off-by: Pradeep <pr...@apache.org>
---
 .../ranger/plugin/errors/ValidationErrorCode.java  |  1 +
 .../model/validation/RangerPolicyValidator.java    | 12 ++++
 .../validation/TestRangerPolicyValidator.java      | 64 ++++++++++++++++++++++
 3 files changed, 77 insertions(+)

diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
index 3111037..800b3c4 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
@@ -98,6 +98,7 @@ public enum ValidationErrorCode {
     POLICY_VALIDATION_ERR_POLICY_INVALID_PRIORITY(3030, "Invalid priority value"),
     POLICY_VALIDATION_ERR_UPDATE_ZONE_NAME_NOT_ALLOWED(3032, "Update of Zone name from={0} to={1} in policy is not supported"),
     POLICY_VALIDATION_ERR_NONEXISTANT_ZONE_NAME(3033, "Non-existent Zone name={0} in policy create"),
+    POLICY_VALIDATION_ERR_SERVICE_NOT_ASSOCIATED_TO_ZONE(3048, "Service name = {0} is not associated to Zone name = {1}"),
 
     // SECURITY_ZONE Validations
     SECURITY_ZONE_VALIDATION_ERR_UNSUPPORTED_ACTION(3034, "Internal error: unsupported action[{0}]; isValid() is only supported for DELETE"),
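Review bot: The new constant's code 3048 breaks the ascending run 3030, 3032, 3033 → 3034 that the surrounding entries follow, presumably because 3034–3047 are already taken further down the enum; a short comment such as `// 3048: next free code when added; 3034-3047 are used by later validation groups` would save the next reader a search. The message text also departs from its neighbours' `name={0}` form with `name = {0}`; matching the neighbours would keep the failure strings uniform, but the test in this commit asserts the exact string, so both would have to change together.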
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
index 990aab0..5316bae 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
@@ -210,6 +210,18 @@ public class RangerPolicyValidator extends RangerValidator {
 							.build());
 					valid = false;
 				}
+				List<String> tagSvcList = zone.getTagServices();
+				Set<String> svcNameSet = zone.getServices().keySet();
+				if(!svcNameSet.contains(serviceName) && !tagSvcList.contains(serviceName)){
+					ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_SERVICE_NOT_ASSOCIATED_TO_ZONE;
+					failures.add(new ValidationFailureDetailsBuilder()
+							.field("zoneName")
+							.isSemanticallyIncorrect()
+							.becauseOf(error.getMessage(serviceName, zoneName))
+							.errorCode(error.getErrorCode())
+							.build());
+					valid = false;
+				}
 			}
 
 			if (StringUtils.isBlank(policyName)) {
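Review bot: The new lines dereference `zone` unconditionally right after the block that closes on the hunk's first context line; if that block is the `zone == null` branch that reports POLICY_VALIDATION_ERR_NONEXISTANT_ZONE_NAME (its condition is outside the hunk), a policy naming a non-existent zone now dies with a NullPointerException instead of producing a validation failure. Making the new check the `else` branch of that `if` keeps the two failures mutually exclusive: `} else {` on the closing brace and a matching `}` after the new `valid = false;`. `zone.getTagServices()` and `zone.getServices()` are also assumed non-null; the test only sets tag services, so the model presumably defaults both collections, and a comment such as `// RangerSecurityZone defaults services/tagServices to empty collections — never null` would record that assumption where it is relied on. The failure is attributed to `field("zoneName")` although the mismatch is between the policy's service and the zone, so `field("service")` may be the more useful attribution for callers that map failures to form fields. The enclosing method starts and ends outside the hunk.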
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
index 2c1de4e..e6d90a4 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
@@ -806,6 +806,70 @@ public class TestRangerPolicyValidator {
 		_utils.checkFailureForSemanticError(_failures, "policy resources", "missing mandatory");
 	}
 	
+	@Test
+	public final void test_isValidServiceWithZone_happyPath() throws Exception{
+		boolean isAdmin = true;
+		when(_policy.getId()).thenReturn(1L);
+		when(_policy.getName()).thenReturn("my-all");
+		when(_policy.getService()).thenReturn("hdfssvc");
+		when(_policy.getZoneName()).thenReturn("zone1");
+		when(_policy.getResources()).thenReturn(null);
+		when(_policy.getIsAuditEnabled()).thenReturn(Boolean.TRUE);
+		when(_policy.getIsEnabled()).thenReturn(Boolean.FALSE);
+		RangerService service = new RangerService();
+		service.setType("service-type");
+		service.setId(2L);
+		Action action = Action.CREATE;
+		List<String> tagSvcList = new ArrayList<String>();
+		tagSvcList.add("hdfssvc");
+		when(_store.getServiceByName("hdfssvc")).thenReturn(service);
+		RangerSecurityZone securityZone = new RangerSecurityZone();
+		securityZone.setName("zone1");
+		securityZone.setId(1L);
+		securityZone.setTagServices(tagSvcList);
+		when(_store.getSecurityZone("zone1")).thenReturn(securityZone);
+		when(_store.getPolicyId(2L, "my-all", 1L)).thenReturn(null);
+		RangerServiceDef svcDef = new RangerServiceDef();
+		svcDef.setName("my-svc-def");
+		when(_store.getServiceDefByName("service-type")).thenReturn(svcDef);
+		RangerPolicyResourceSignature policySignature = mock(RangerPolicyResourceSignature.class);
+		when(_factory.createPolicyResourceSignature(_policy)).thenReturn(policySignature);
+		Assert.assertTrue(_validator.isValid(_policy, action, isAdmin, _failures));
+	}
+
+	@Test
+	public final void test_isValidServiceWithZone_failurePath() throws Exception{
+		boolean isAdmin = true;
+		when(_policy.getId()).thenReturn(1L);
+		when(_policy.getName()).thenReturn("my-all");
+		when(_policy.getService()).thenReturn("hdfssvc1");
+		when(_policy.getZoneName()).thenReturn("zone1");
+		when(_policy.getResources()).thenReturn(null);
+		when(_policy.getIsAuditEnabled()).thenReturn(Boolean.TRUE);
+		when(_policy.getIsEnabled()).thenReturn(Boolean.FALSE);
+		RangerService service = new RangerService();
+		service.setType("service-type");
+		service.setId(2L);
+		Action action = Action.CREATE;
+		List<String> tagSvcList = new ArrayList<String>();
+		tagSvcList.add("hdfssvc");
+		when(_store.getServiceByName("hdfssvc1")).thenReturn(service);
+		RangerSecurityZone securityZone = new RangerSecurityZone();
+		securityZone.setName("zone1");
+		securityZone.setId(1L);
+		securityZone.setTagServices(tagSvcList);
+		when(_store.getSecurityZone("zone1")).thenReturn(securityZone);
+		when(_store.getPolicyId(2L, "my-all", 1L)).thenReturn(null);
+		RangerServiceDef svcDef = new RangerServiceDef();
+		svcDef.setName("my-svc-def");
+		when(_store.getServiceDefByName("service-type")).thenReturn(svcDef);
+		RangerPolicyResourceSignature policySignature = mock(RangerPolicyResourceSignature.class);
+		when(_factory.createPolicyResourceSignature(_policy)).thenReturn(policySignature);
+		boolean isValid = _validator.isValid(_policy, action, isAdmin, _failures);
+		Assert.assertFalse(isValid);
+		Assert.assertEquals(_failures.get(0)._errorCode, 3048);
+		Assert.assertEquals(_failures.get(0)._reason,"Service name = hdfssvc1 is not associated to Zone name = zone1");
+	}
 	
 	private ValidationTestUtils _utils = new ValidationTestUtils();
 	private List<ValidationFailureDetails> _failures = new ArrayList<ValidationFailureDetails>();
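Review bot: `Assert.assertEquals(_failures.get(0)._errorCode, 3048)` and the line after it pass the actual value first and the expected value second; JUnit reports them as (expected, actual), so a failure message would read backwards — `Assert.assertEquals(3048, _failures.get(0)._errorCode);` and `Assert.assertEquals("Service name = hdfssvc1 is not associated to Zone name = zone1", _failures.get(0)._reason);`. The two tests share roughly twenty identical setup lines that differ only in the service name; a private helper taking the service name would make what each test actually varies visible at a glance. The happy path covers only the tag-service list (`securityZone.setTagServices(tagSvcList)`), so a third case with the service present in the zone's service map would exercise the other half of the new condition, and a case with an unknown zone name would pin down how the validator reports a missing zone.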