Posted to commits@ranger.apache.org by ab...@apache.org on 2020/12/03 21:46:44 UTC
[ranger] branch ranger-2.2 updated: RANGER-3098: Updates to
validity period of tag are not reflected in Ranger database
This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.2 by this push:
new bf342aa RANGER-3098: Updates to validity period of tag are not reflected in Ranger database
bf342aa is described below
commit bf342aa72d1caedc8ebea58676597d002f161dbb
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Wed Dec 2 16:42:42 2020 -0800
RANGER-3098: Updates to validity period of tag are not reflected in Ranger database
---
.../plugin/contextenricher/RangerTagEnricher.java | 12 ++++++--
.../hbase/RangerAuthorizationCoprocessor.java | 1 -
.../apache/ranger/db/XXServiceVersionInfoDao.java | 32 ++++++++++++----------
.../apache/ranger/rest/ServiceTagsProcessor.java | 21 ++++++++------
4 files changed, 38 insertions(+), 28 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index fc73194..d1afd6f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -54,6 +54,7 @@ import java.io.Writer;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
+import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
@@ -637,7 +638,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
if (ret == null) {
ret = new HashSet<>();
}
- ret.addAll(getTagsForServiceResource(enrichedServiceTags.getServiceTags(), resourceMatcher.getServiceResource(), matchType));
+ ret.addAll(getTagsForServiceResource(request.getAccessTime(), enrichedServiceTags.getServiceTags(), resourceMatcher.getServiceResource(), matchType));
}
}
@@ -746,7 +747,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
return ret;
}
- private static Set<RangerTagForEval> getTagsForServiceResource(final ServiceTags serviceTags, final RangerServiceResource serviceResource, final RangerPolicyResourceMatcher.MatchType matchType) {
+ private static Set<RangerTagForEval> getTagsForServiceResource(Date accessTime, final ServiceTags serviceTags, final RangerServiceResource serviceResource, final RangerPolicyResourceMatcher.MatchType matchType) {
Set<RangerTagForEval> ret = new HashSet<>();
final Long resourceId = serviceResource.getId();
@@ -763,12 +764,17 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
if (CollectionUtils.isNotEmpty(tagIds)) {
+ accessTime = accessTime == null ? new Date() : accessTime;
+
for (Long tagId : tagIds) {
RangerTag tag = tags.get(tagId);
if (tag != null) {
- ret.add(new RangerTagForEval(tag, matchType));
+ RangerTagForEval tagForEval = new RangerTagForEval(tag, matchType);
+ if (tagForEval.isApplicable(accessTime)) {
+ ret.add(tagForEval);
+ }
}
}
} else {
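Review bot: Tags whose validity period excludes the access time are dropped silently at `if (tagForEval.isApplicable(accessTime))`, so nothing records why a tag-based policy did or did not take part in a decision. A debug line on the skip path, for example `LOG.debug("Skipping tag id=" + tagId + ", not applicable at " + accessTime);` (assuming this class has a `LOG` field like the other files in this commit), would make that traceable. The fallback `accessTime = accessTime == null ? new Date() : accessTime;` reassigns the only parameter not declared `final` and silently substitutes the evaluating host's clock, so it deserves a comment such as `// request carried no access time: evaluate validity against the local clock`. The method body starts before this hunk and continues past it.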
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index b9dd52e..924c531 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -49,7 +49,6 @@ import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.UserProvider;
import org.apache.hadoop.hbase.security.access.*;
import org.apache.hadoop.hbase.security.access.Permission.Action;
-import org.apache.hadoop.hbase.security.access.Permission.Builder;
import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.shaded.protobuf.ResponseConverter;
import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.CleanupBulkLoadRequest;
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXServiceVersionInfoDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXServiceVersionInfoDao.java
index b18f8f2..072dd89 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXServiceVersionInfoDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXServiceVersionInfoDao.java
@@ -136,28 +136,30 @@ public class XXServiceVersionInfoDao extends BaseDao<XXServiceVersionInfo> {
private void updateTagVersionAndTagUpdateTime(List<XXServiceVersionInfo> serviceVersionInfos, Long resourceId, Long tagId) {
- if(CollectionUtils.isNotEmpty(serviceVersionInfos) || (resourceId == null && tagId == null)) {
+ if (resourceId != null || tagId != null) {
+ if (CollectionUtils.isNotEmpty(serviceVersionInfos)) {
- final ServiceDBStore.VERSION_TYPE versionType = ServiceDBStore.VERSION_TYPE.TAG_VERSION;
- final ServiceTags.TagsChangeType tagChangeType;
+ final ServiceDBStore.VERSION_TYPE versionType = ServiceDBStore.VERSION_TYPE.TAG_VERSION;
+ final ServiceTags.TagsChangeType tagChangeType;
- if (tagId == null) {
- tagChangeType = ServiceTags.TagsChangeType.SERVICE_RESOURCE_UPDATE;
- } else if (resourceId == null) {
- tagChangeType = ServiceTags.TagsChangeType.TAG_UPDATE;
- } else {
- tagChangeType = ServiceTags.TagsChangeType.TAG_RESOURCE_MAP_UPDATE;
- }
+ if (tagId == null) {
+ tagChangeType = ServiceTags.TagsChangeType.SERVICE_RESOURCE_UPDATE;
+ } else if (resourceId == null) {
+ tagChangeType = ServiceTags.TagsChangeType.TAG_UPDATE;
+ } else {
+ tagChangeType = ServiceTags.TagsChangeType.TAG_RESOURCE_MAP_UPDATE;
+ }
- for (XXServiceVersionInfo serviceVersionInfo : serviceVersionInfos) {
+ for (XXServiceVersionInfo serviceVersionInfo : serviceVersionInfos) {
- final Long serviceId = serviceVersionInfo.getServiceId();
- final Runnable serviceVersionUpdater = new ServiceDBStore.ServiceVersionUpdater(daoManager, serviceId, versionType, tagChangeType, resourceId, tagId);
+ final Long serviceId = serviceVersionInfo.getServiceId();
+ final Runnable serviceVersionUpdater = new ServiceDBStore.ServiceVersionUpdater(daoManager, serviceId, versionType, tagChangeType, resourceId, tagId);
- daoManager.getRangerTransactionSynchronizationAdapter().executeOnTransactionCommit(serviceVersionUpdater);
+ daoManager.getRangerTransactionSynchronizationAdapter().executeOnTransactionCommit(serviceVersionUpdater);
+ }
}
} else {
- LOG.warn("Unexpected empty list of serviceVersionInfos and/or null value for resourceId and tagId");
+ LOG.warn("Both resourceId and tagId are null! Should not have come here!");
}
}
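Review bot: With the nested check, a call that has a non-null `resourceId` or `tagId` but an empty `serviceVersionInfos` now returns without scheduling a version update and without logging anything, where the old code at least reached the warning branch. If an empty list can occur for a tag or resource that is in use (not visible from this hunk), plugins would keep evaluating stale tag data with no trace on the admin side. I would add an `else` to the inner `if` with `LOG.debug("No service version info found for resourceId=" + resourceId + ", tagId=" + tagId);` so the no-op is visible when troubleshooting.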
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java
index 9c19bb0..67ae779 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java
@@ -198,6 +198,7 @@ public class ServiceTagsProcessor {
}
List<RangerTag> tagsToRetain = new ArrayList<RangerTag>();
+ boolean isAnyTagUpdated = false;
List<Long> tagIds = entry.getValue();
try {
@@ -251,18 +252,15 @@ public class ServiceTagsProcessor {
tagsToRetain.add(newTag);
} else {
- // Keep this tag, but update it with attribute-values from incoming tag
+ // Keep this tag, but update it with attribute-values and validity schedules from incoming tag
tagsToRetain.add(matchingTag);
- if (StringUtils.equals(incomingTag.getGuid(), matchingTag.getGuid())) {
- // matching tag was found because of Guid match
- if (LOG.isDebugEnabled()) {
- LOG.debug("Updating existing private tag with id=" + matchingTag.getId());
- }
- // update private tag with new values
- incomingTag.setId(matchingTag.getId());
- tagStore.updateTag(incomingTag);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Updating existing private tag with id=" + matchingTag.getId());
}
+ incomingTag.setId(matchingTag.getId());
+ tagStore.updateTag(incomingTag);
+ isAnyTagUpdated = true;
}
} else { // shared model
if (isResourcePrivateTag(matchingTag)) {
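Review bot: With the GUID comparison removed, every matched private tag is written back through `tagStore.updateTag(incomingTag)` and sets `isAnyTagUpdated`, whether or not the incoming attributes or validity periods differ from the stored ones. Together with the `else { isAnyTagUpdated = true; }` branch in the next hunk, the flag looks likely to be true on most passes, so `tagStore.refreshServiceResource(...)` in the last hunk would run on nearly every sync; if `updateTag` also bumps the tag version (not visible here), plugins would re-download unchanged tags. Comparing the incoming tag with `matchingTag` before updating would avoid that, and it would also keep a tag matched by something other than GUID (which the removed comment suggests can happen) from having its stored record replaced under the matched id. At minimum the flag needs a comment at its declaration, e.g. `// true when a stored tag or an existing tag-resource mapping was touched; triggers refreshServiceResource()`. The enclosing loop and try block start and end outside this hunk.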
@@ -295,6 +293,8 @@ public class ServiceTagsProcessor {
tagResourceMap.setResourceId(resourceInStore.getId());
tagResourceMap = tagStore.createTagResourceMap(tagResourceMap);
+ } else {
+ isAnyTagUpdated = true;
}
}
@@ -331,6 +331,9 @@ public class ServiceTagsProcessor {
throw exception;
}
}
+ if (isAnyTagUpdated) {
+ tagStore.refreshServiceResource(resourceInStore.getId());
+ }
}
}