This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new b1a493290 RANGER-4023: fixed implicit addition of userStoreEnricher for references to user/group attributes in dataMask expressions b1a493290 is described below commit b1a493290f137e52398b86006bf551e5e073906d Author: Subhrat Chaudhary <such...@yahoo.com> AuthorDate: Sun May 21 11:22:33 2023 -0700 RANGER-4023: fixed implicit addition of userStoreEnricher for references to user/group attributes in dataMask expressions Signed-off-by: Madhan Neethiraj <mad...@apache.org>
---
 .../apache/ranger/plugin/util/ServiceDefUtil.java | 16 ++++++++++++
 .../ranger/plugin/util/ServiceDefUtilTest.java | 29 ++++++++++++++++++++++
 2 files changed, 45 insertions(+)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
index 4808dfd83..01c4a8283 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
@@ -28,8 +28,10 @@ import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem;
 import org.apache.ranger.plugin.model.RangerPolicyDelta;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef;
@@ -687,6 +689,20 @@ public class ServiceDefUtil {
 ret = RangerRequestExprResolver.hasUserGroupAttributeInExpression(filterExpr);
 }
+
+ if (!ret && policyItem instanceof RangerDataMaskPolicyItem) {
+ RangerDataMaskPolicyItem dataMaskPolicyItem = (RangerDataMaskPolicyItem) policyItem;
+ RangerPolicyItemDataMaskInfo dataMaskInfo = dataMaskPolicyItem.getDataMaskInfo();
+ String maskedValue = dataMaskInfo != null ? dataMaskInfo.getValueExpr() : null;
+
+ ret = RangerRequestExprResolver.hasUserGroupAttributeInExpression(maskedValue);
+
+ if (!ret) {
+ String maskCondition = dataMaskInfo != null ? dataMaskInfo.getConditionExpr() : null;
+
+ ret = RangerRequestExprResolver.hasUserGroupAttributeInExpression(maskCondition);
+ }
+ }
 }
 return ret;
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/util/ServiceDefUtilTest.java b/agents-common/src/test/java/org/apache/ranger/plugin/util/ServiceDefUtilTest.java
index 3cd42f44f..03aebb220 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/util/ServiceDefUtilTest.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/util/ServiceDefUtilTest.java
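Review bot: The new branch passes `maskedValue` and `maskCondition` to `RangerRequestExprResolver.hasUserGroupAttributeInExpression` even when `dataMaskInfo` is null, so the enricher decision for a data-mask item without mask info silently relies on that resolver tolerating a null expression; the `filterExpr` call on the line above the insertion presumably has the same reliance, but that contract is not visible in this hunk. A single `if (dataMaskInfo != null)` guard would make the null path explicit and also replaces the two ternaries and the nested `if (!ret)` with one short-circuit `||`, which is easier to read when a third expression is added later. Consider a short comment on the branch, such as `// a user/group attribute in either the mask value or its condition needs the userStore enricher at evaluation time`, since the method's purpose is not restated here. The enclosing method starts and ends outside the hunk.
```java
if (!ret && policyItem instanceof RangerDataMaskPolicyItem) {
    // a user/group attribute in either the mask value or its condition needs the userStore enricher
    RangerPolicyItemDataMaskInfo dataMaskInfo = ((RangerDataMaskPolicyItem) policyItem).getDataMaskInfo();

    if (dataMaskInfo != null) {
        ret = RangerRequestExprResolver.hasUserGroupAttributeInExpression(dataMaskInfo.getValueExpr())
           || RangerRequestExprResolver.hasUserGroupAttributeInExpression(dataMaskInfo.getConditionExpr());
    }
}
// … unchanged: closing brace and return ret …
```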
@@ -252,6 +252,35 @@ public class ServiceDefUtilTest {
 }
 }
+ @Test
+ public void testPolicyItemDataMaskExprUserGroupRef() {
+ for (String attrExpr : UGA_ATTR_EXPRESSIONS) {
+ String filterExpr = "${{" + attrExpr + "}}";
+ ServicePolicies svcPolicies = getServicePolicies();
+ RangerPolicy policy = getPolicy(svcPolicies);
+
+ policy.getDataMaskPolicyItems().get(0).setDataMaskInfo(new RangerPolicyItemDataMaskInfo("CUSTOM", "", "CASE WHEN dept in (" + filterExpr + ")THEN {col} ELSE '0' END"));
+
+ svcPolicies.getPolicies().add(policy);
+ assertTrue("policy data-mask refers to user/group attribute: " + filterExpr, ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, RangerAdminUserStoreRetriever.class.getCanonicalName(), "60000"));
+
+ svcPolicies.getServiceDef().getContextEnrichers().clear();
+ svcPolicies.getPolicies().clear();
+ svcPolicies.getPolicyDeltas().add(new RangerPolicyDelta(1L, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE, 1L, policy));
+ assertTrue("policy-delta data-mask refers to user/group attribute: " + filterExpr, ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, RangerAdminUserStoreRetriever.class.getCanonicalName(), "60000"));
+
+ svcPolicies.getServiceDef().getContextEnrichers().clear();
+ svcPolicies.getPolicyDeltas().clear();
+ svcPolicies.getSecurityZones().put("zone1", getSecurityZoneInfo("zone1"));
+ svcPolicies.getSecurityZones().get("zone1").getPolicies().add(policy);
+ assertTrue("zone-policy data-mask refers to user/group attribute: " + filterExpr, ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, RangerAdminUserStoreRetriever.class.getCanonicalName(), "60000"));
+
+ svcPolicies.getServiceDef().getContextEnrichers().clear();
+ svcPolicies.getSecurityZones().get("zone1").getPolicies().clear();
+ svcPolicies.getSecurityZones().get("zone1").getPolicyDeltas().add(new RangerPolicyDelta(1L, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE, 1L, policy));
+ assertTrue("zone-policy-delta data-mask refers to user/group attribute: " + filterExpr, ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, RangerAdminUserStoreRetriever.class.getCanonicalName(), "60000"));
+ }
+ }
 private ServicePolicies getServicePolicies() {
 ServicePolicies ret = new ServicePolicies();
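Review bot: The new test only exercises the mask value expression: every iteration builds `new RangerPolicyItemDataMaskInfo("CUSTOM", "", "CASE WHEN dept in (" + filterExpr + ")THEN {col} ELSE '0' END")`, so the `getConditionExpr` branch added to ServiceDefUtil in the same commit is never reached. A second pass that places the attribute reference in the condition argument (presumably the second constructor parameter) with a plain value expression, e.g. `new RangerPolicyItemDataMaskInfo("CUSTOM", filterExpr, "{col}")`, would pin that path. The test also has no negative case — a mask with no user/group reference for which `addUserStoreEnricherIfNeeded` must return false — so an implementation that always reports a data-mask item as needing the enricher would still pass. A one-line Javadoc on the method, such as `/** Verifies that user/group attribute references in a data-mask expression add the userStore enricher for policies, deltas, zone policies and zone deltas. */`, would make its scope clear next to the row-filter test above it.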