This is an automated email from the ASF dual-hosted git repository.

pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 5543215  RANGER-3597 :User role should not be able to modify the Policy
5543215 is described below

commit 5543215307b232ea54c037ebad4001819bb6a519
Author: Dineshkumar Yadav <dineshkumar.ya...@outlook.com>
AuthorDate: Mon Jan 24 09:56:18 2022 +0530

    RANGER-3597 :User role should not be able to modify the Policy
    
    Signed-off-by: pradeep <prad...@apache.org>
---
 .../org/apache/ranger/biz/RangerPolicyAdminImpl.java  | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
index 852bf26..df75db1 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
@@ -259,16 +259,11 @@ public class RangerPolicyAdminImpl implements 
RangerPolicyAdmin {
 
         boolean ret = false;
 
-        if (accessTypes == null) {
-            LOG.error("Could not get added access-types for policy-id:[" + 
policy.getId() + "]");
-        } else if (accessTypes.isEmpty()) {
-            if (LOG.isDebugEnabled()) {
-                LOG.debug("No need to check any access-types for delegated 
admin check");
-            }
-            ret = true;
+        if (CollectionUtils.isEmpty(accessTypes)) {
+            LOG.error("Could not get access-types for policy-id:[" + 
policy.getId() + "]");
         } else {
             if (LOG.isDebugEnabled()) {
-                LOG.debug("Checking admin-access for the access-types:[" + 
accessTypes + "]");
+                LOG.debug("Checking delegate-admin access for the 
access-types:[" + accessTypes + "]");
             }
 
             // RANGER-3082
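Review bot: The empty-set branch now denies the check only implicitly, by leaving `ret` at `false`, and the log line does not say that a denial happened. Because the removed branch treated an empty set as an automatic allow, I would state the new rule in a comment, `// fail closed: a null or empty access-type set never grants delegated-admin (RANGER-3597)`. I would also word the message as a denial so it is easy to find in the admin log, e.g. `LOG.error("Denying delegate-admin check, no access-types for policy-id:[" + policy.getId() + "]");`. The enclosing method starts and ends outside this hunk, so the rest of the check is not visible here.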
@@ -726,6 +721,7 @@ public class RangerPolicyAdminImpl implements 
RangerPolicyAdmin {
     private Set<String> getAllAccessTypes(RangerPolicy policy, 
RangerServiceDef serviceDef) {
         Set<String> ret = new HashSet<>();
 
+        boolean     isValid = true;
         Map<String, Collection<String>> expandedAccesses = 
ServiceDefUtil.getExpandedImpliedGrants(serviceDef);
 
         if (MapUtils.isNotEmpty(expandedAccesses)) {
@@ -773,6 +769,10 @@ public class RangerPolicyAdminImpl implements 
RangerPolicyAdmin {
                 }
             } else {
                 LOG.error("Unknown policy-type :[" + policyType + "], 
returning empty access-type set");
+                isValid = false;
+            }
+            if (isValid && ret.isEmpty()) {
+                ret.add(RangerPolicyEngine.ADMIN_ACCESS);
             }
         }
         return ret;
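Review bot: The `ADMIN_ACCESS` fallback is added without a comment, and the same three lines are repeated in the hunk at -797 below, so the rule that a valid policy never yields an empty access-type set lives in two places. Judging by the indentation, this copy sits inside the `MapUtils.isNotEmpty(expandedAccesses)` block, so a service-def with no expanded accesses would still return an empty set. The caller now denies that case, which is fail-closed, but it may not be intended and is worth confirming. I would add `// no access-types in the policy: require admin access on the resource instead of skipping the check` above both fallbacks, or move them into one small private helper. `getAllAccessTypes` is only partly visible in this hunk.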
@@ -797,6 +797,9 @@ public class RangerPolicyAdminImpl implements 
RangerPolicyAdmin {
         ret.addAll(getAccessTypesDiff(newGroupAccesses, oldGroupAccesses));
         ret.addAll(getAccessTypesDiff(newRoleAccesses, oldRoleAccesses));
 
+        if (ret.isEmpty()) {
+            ret.add(RangerPolicyEngine.ADMIN_ACCESS);
+        }
         return ret;
     }
 
