Posted to commits@ranger.apache.org by ab...@apache.org on 2020/12/03 21:46:44 UTC

[ranger] branch ranger-2.2 updated: RANGER-3098: Updates to validity period of tag are not reflected in Ranger database

This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.2 by this push:
     new bf342aa  RANGER-3098: Updates to validity period of tag are not reflected in Ranger database
bf342aa is described below

commit bf342aa72d1caedc8ebea58676597d002f161dbb
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Wed Dec 2 16:42:42 2020 -0800

    RANGER-3098: Updates to validity period of tag are not reflected in Ranger database
---
 .../plugin/contextenricher/RangerTagEnricher.java  | 12 ++++++--
 .../hbase/RangerAuthorizationCoprocessor.java      |  1 -
 .../apache/ranger/db/XXServiceVersionInfoDao.java  | 32 ++++++++++++----------
 .../apache/ranger/rest/ServiceTagsProcessor.java   | 21 ++++++++------
 4 files changed, 38 insertions(+), 28 deletions(-)

diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index fc73194..d1afd6f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -54,6 +54,7 @@ import java.io.Writer;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -637,7 +638,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
 						if (ret == null) {
 							ret = new HashSet<>();
 						}
-						ret.addAll(getTagsForServiceResource(enrichedServiceTags.getServiceTags(), resourceMatcher.getServiceResource(), matchType));
+						ret.addAll(getTagsForServiceResource(request.getAccessTime(), enrichedServiceTags.getServiceTags(), resourceMatcher.getServiceResource(), matchType));
 					}
 
 				}
@@ -746,7 +747,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
 		return ret;
 	}
 
-	private static Set<RangerTagForEval> getTagsForServiceResource(final ServiceTags serviceTags, final RangerServiceResource serviceResource, final RangerPolicyResourceMatcher.MatchType matchType) {
+	private static Set<RangerTagForEval> getTagsForServiceResource(Date accessTime, final ServiceTags serviceTags, final RangerServiceResource serviceResource, final RangerPolicyResourceMatcher.MatchType matchType) {
 		Set<RangerTagForEval> ret = new HashSet<>();
 
 		final Long resourceId                        = serviceResource.getId();
@@ -763,12 +764,17 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
 
 			if (CollectionUtils.isNotEmpty(tagIds)) {
 
+				accessTime = accessTime == null ? new Date() : accessTime;
+
 				for (Long tagId : tagIds) {
 
 					RangerTag tag = tags.get(tagId);
 
 					if (tag != null) {
-						ret.add(new RangerTagForEval(tag, matchType));
+						RangerTagForEval tagForEval = new RangerTagForEval(tag, matchType);
+						if (tagForEval.isApplicable(accessTime)) {
+							ret.add(tagForEval);
+						}
 					}
 				}
 			} else {
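Review bot: The validity filter added in the `for (Long tagId : tagIds)` loop compares each tag against `accessTime`, and when the request carries none it silently falls back to `new Date()` on the enforcing host, so whether a time-bounded tag applies depends on which clock supplied the value. A comment at the fallback should say so, e.g. `// no access time on the request: evaluate validity schedules against the local clock`, and it is worth confirming outside this hunk that `request.getAccessTime()` cannot be set by the principal being authorized. Reassigning the `accessTime` parameter also stands out next to the other `final` parameters; a local such as `final Date evalTime = accessTime != null ? accessTime : new Date();` keeps the signature style consistent. The method starts and ends outside this hunk, so whether the `else` branch that opens on the last line needs the same filter cannot be judged from here.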
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index b9dd52e..924c531 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -49,7 +49,6 @@ import org.apache.hadoop.hbase.security.User;
 import org.apache.hadoop.hbase.security.UserProvider;
 import org.apache.hadoop.hbase.security.access.*;
 import org.apache.hadoop.hbase.security.access.Permission.Action;
-import org.apache.hadoop.hbase.security.access.Permission.Builder;
 import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
 import org.apache.hadoop.hbase.shaded.protobuf.ResponseConverter;
 import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.CleanupBulkLoadRequest;
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXServiceVersionInfoDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXServiceVersionInfoDao.java
index b18f8f2..072dd89 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXServiceVersionInfoDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXServiceVersionInfoDao.java
@@ -136,28 +136,30 @@ public class XXServiceVersionInfoDao extends BaseDao<XXServiceVersionInfo> {
 
 	private void updateTagVersionAndTagUpdateTime(List<XXServiceVersionInfo> serviceVersionInfos, Long resourceId, Long tagId) {
 
-		if(CollectionUtils.isNotEmpty(serviceVersionInfos) || (resourceId == null && tagId == null)) {
+		if (resourceId != null || tagId != null) {
+			if (CollectionUtils.isNotEmpty(serviceVersionInfos)) {
 
-			final ServiceDBStore.VERSION_TYPE versionType = ServiceDBStore.VERSION_TYPE.TAG_VERSION;
-			final ServiceTags.TagsChangeType  tagChangeType;
+				final ServiceDBStore.VERSION_TYPE versionType = ServiceDBStore.VERSION_TYPE.TAG_VERSION;
+				final ServiceTags.TagsChangeType tagChangeType;
 
-			if (tagId == null) {
-				tagChangeType = ServiceTags.TagsChangeType.SERVICE_RESOURCE_UPDATE;
-			} else if (resourceId == null) {
-				tagChangeType = ServiceTags.TagsChangeType.TAG_UPDATE;
-			} else {
-				tagChangeType = ServiceTags.TagsChangeType.TAG_RESOURCE_MAP_UPDATE;
-			}
+				if (tagId == null) {
+					tagChangeType = ServiceTags.TagsChangeType.SERVICE_RESOURCE_UPDATE;
+				} else if (resourceId == null) {
+					tagChangeType = ServiceTags.TagsChangeType.TAG_UPDATE;
+				} else {
+					tagChangeType = ServiceTags.TagsChangeType.TAG_RESOURCE_MAP_UPDATE;
+				}
 
-			for (XXServiceVersionInfo serviceVersionInfo : serviceVersionInfos) {
+				for (XXServiceVersionInfo serviceVersionInfo : serviceVersionInfos) {
 
-				final Long     serviceId             = serviceVersionInfo.getServiceId();
-				final Runnable serviceVersionUpdater = new ServiceDBStore.ServiceVersionUpdater(daoManager, serviceId, versionType, tagChangeType, resourceId, tagId);
+					final Long serviceId = serviceVersionInfo.getServiceId();
+					final Runnable serviceVersionUpdater = new ServiceDBStore.ServiceVersionUpdater(daoManager, serviceId, versionType, tagChangeType, resourceId, tagId);
 
-				daoManager.getRangerTransactionSynchronizationAdapter().executeOnTransactionCommit(serviceVersionUpdater);
+					daoManager.getRangerTransactionSynchronizationAdapter().executeOnTransactionCommit(serviceVersionUpdater);
+				}
 			}
 		} else {
-			LOG.warn("Unexpected empty list of serviceVersionInfos and/or null value for resourceId and tagId");
+			LOG.warn("Both resourceId and tagId are null! Should not have come here!");
 		}
 
 	}
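Review bot: With the new nesting, a call with a non-null `resourceId` or `tagId` but an empty `serviceVersionInfos` list now does nothing and logs nothing, whereas the old condition sent that case to the `LOG.warn` branch. Skipping the updater means no tag-version bump is scheduled, which presumably leaves plugins enforcing with stale tags, so that path deserves a trace on the inner `if`: `} else if (LOG.isDebugEnabled()) { LOG.debug("No serviceVersionInfos to update for resourceId=" + resourceId + ", tagId=" + tagId); }`. The remaining warning would be easier to act on with a neutral message that names the method, e.g. `"updateTagVersionAndTagUpdateTime: both resourceId and tagId are null"`.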
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java
index 9c19bb0..67ae779 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java
@@ -198,6 +198,7 @@ public class ServiceTagsProcessor {
 				}
 
 				List<RangerTag> tagsToRetain = new ArrayList<RangerTag>();
+				boolean         isAnyTagUpdated = false;
 
 				List<Long> tagIds = entry.getValue();
 				try {
@@ -251,18 +252,15 @@ public class ServiceTagsProcessor {
 								tagsToRetain.add(newTag);
 
 							} else {
-								// Keep this tag, but update it with attribute-values from incoming tag
+								// Keep this tag, but update it with attribute-values and validity schedules from incoming tag
 								tagsToRetain.add(matchingTag);
 
-								if (StringUtils.equals(incomingTag.getGuid(), matchingTag.getGuid())) {
-									// matching tag was found because of Guid match
-									if (LOG.isDebugEnabled()) {
-										LOG.debug("Updating existing private tag with id=" + matchingTag.getId());
-									}
-									// update private tag with new values
-									incomingTag.setId(matchingTag.getId());
-									tagStore.updateTag(incomingTag);
+								if (LOG.isDebugEnabled()) {
+									LOG.debug("Updating existing private tag with id=" + matchingTag.getId());
 								}
+								incomingTag.setId(matchingTag.getId());
+								tagStore.updateTag(incomingTag);
+								isAnyTagUpdated = true;
 							}
 						} else { // shared model
 							if (isResourcePrivateTag(matchingTag)) {
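Review bot: Dropping the `StringUtils.equals(incomingTag.getGuid(), matchingTag.getGuid())` guard means `tagStore.updateTag(incomingTag)` now overwrites every matching tag, including one matched by something other than Guid (how `matchingTag` is found is outside the hunk), and it does so even when the incoming tag is identical to the stored one. Each call sets `isAnyTagUpdated`, which the last hunk turns into `tagStore.refreshServiceResource(resourceInStore.getId())`, so an unchanged re-sync would presumably still write to the database and trigger a refresh. Consider updating only on a real difference, e.g. guarding the update with `!Objects.equals(incomingTag.getAttributes(), matchingTag.getAttributes()) || !Objects.equals(incomingTag.getValidityPeriods(), matchingTag.getValidityPeriods())` (this needs `java.util.Objects` in scope). The `else { isAnyTagUpdated = true; }` hunk further down has the same issue: the flag is raised without any comparison, and its name then overstates what happened.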
@@ -295,6 +293,8 @@ public class ServiceTagsProcessor {
 									tagResourceMap.setResourceId(resourceInStore.getId());
 
 									tagResourceMap = tagStore.createTagResourceMap(tagResourceMap);
+								} else {
+									isAnyTagUpdated = true;
 								}
 
 							}
@@ -331,6 +331,9 @@ public class ServiceTagsProcessor {
 						throw exception;
 					}
 				}
+				if (isAnyTagUpdated) {
+					tagStore.refreshServiceResource(resourceInStore.getId());
+				}
 			}
 		}