This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch RANGER-3923 in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 06694866098bc0b14cf800a9e167ab4e866a0113 Merge: f7a8dabb7 4c68c8549 Author: Madhan Neethiraj <mad...@apache.org> AuthorDate: Mon May 29 23:16:34 2023 -0700 Merge branch 'master' into RANGER-3923 .../RangerDefaultPolicyEvaluator.java | 31 +- .../apache/ranger/plugin/util/ServiceDefUtil.java | 16 + .../ranger/plugin/util/ServiceDefUtilTest.java | 28 + .../server/tomcat/SolrCollectionBootstrapper.java | 8 + pom.xml | 6 +- ...n-x_rms_service_resource-resource_signature.sql | 3 +- .../main/java/org/apache/ranger/biz/XUserMgr.java | 14 +- .../org/apache/ranger/db/XXAuthSessionDao.java | 13 + .../java/org/apache/ranger/rest/PublicAPIsv2.java | 8 + .../org/apache/ranger/rest/SecurityZoneREST.java | 18 + .../main/resources/META-INF/jpa_named_queries.xml | 8 + .../src/main/webapp/react-webapp/src/App.jsx | 1 + .../src/components/CommonComponents.jsx | 12 +- .../react-webapp/src/components/XATableLayout.jsx | 6 +- .../structured-filter/react-datepicker/calendar.js | 33 + .../react-datepicker/date_input.js | 6 +- .../react-datepicker/datepicker.js | 4 + .../react-typeahead/tokenizer/index.js | 114 +- .../react-typeahead/tokenizer/token.js | 75 +- .../react-typeahead/typeahead/index.js | 65 +- .../webapp/react-webapp/src/hooks/usePrompt.js | 1 - .../main/webapp/react-webapp/src/styles/style.css | 325 +-- .../main/webapp/react-webapp/src/utils/XAEnums.js | 69 +- .../main/webapp/react-webapp/src/utils/XAUtils.js | 109 +- .../src/views/AuditEvent/AccessLogs.jsx | 46 +- .../src/views/AuditEvent/AccessLogsTable.jsx | 2 +- .../src/views/AuditEvent/AdminLogs.jsx | 30 +- .../src/views/AuditEvent/AdminLogs/PolicyLogs.jsx | 2430 ++++++++++---------- .../AuditEvent/AdminLogs/SecurityZonelogs.jsx | 236 +- .../src/views/AuditEvent/LoginSessionsLogs.jsx | 30 +- .../src/views/AuditEvent/PluginStatusLogs.jsx | 31 +- .../src/views/AuditEvent/PluginsLog.jsx | 30 +- .../react-webapp/src/views/AuditEvent/UserSync.jsx | 36 +- .../src/views/Encryption/KeyManager.jsx | 29 +- 
.../webapp/react-webapp/src/views/ErrorPage.jsx | 21 +- .../main/webapp/react-webapp/src/views/Header.jsx | 62 +- .../main/webapp/react-webapp/src/views/Layout.jsx | 42 +- .../src/views/PermissionsModule/Permissions.jsx | 35 +- .../src/views/PolicyListing/PolicyListing.jsx | 75 +- .../src/views/Reports/SearchPolicyTable.jsx | 4 +- .../src/views/ServiceManager/ServiceDefinition.jsx | 4 + .../src/views/ServiceManager/ServiceForm.jsx | 8 +- .../groups_details/GroupListing.jsx | 37 +- .../UserGroupRoleListing/role_details/RoleForm.jsx | 10 +- .../role_details/RoleListing.jsx | 42 +- .../users_details/UserListing.jsx | 60 +- .../java/org/apache/ranger/biz/TestXUserMgr.java | 4 - 47 files changed, 2229 insertions(+), 2048 deletions(-) diff --cc agents-common/src/test/java/org/apache/ranger/plugin/util/ServiceDefUtilTest.java index 147cdaf2b,03aebb220..36f0b6af6 --- a/agents-common/src/test/java/org/apache/ranger/plugin/util/ServiceDefUtilTest.java +++ b/agents-common/src/test/java/org/apache/ranger/plugin/util/ServiceDefUtilTest.java @@@ -274,131 -253,34 +274,159 @@@ public class ServiceDefUtilTest } @Test + public void testNormalizeAccessTypeDefs() throws Exception { + try (InputStream inStream = this.getClass().getResourceAsStream("/test_servicedef-normalize.json")) { + InputStreamReader reader = new InputStreamReader(inStream); + ServicePolicies policies = gsonBuilder.fromJson(reader, ServicePolicies.class); + + RangerAccessTypeDef serviceMarkerAll = getAccessType(policies.getServiceDef().getMarkerAccessTypes(), ACCESS_TYPE_MARKER_ALL); + RangerAccessTypeDef tagMarkerAll = getAccessType(policies.getTagPolicies().getServiceDef().getMarkerAccessTypes(), ACCESS_TYPE_MARKER_ALL); + + assertNotEquals("accessType count", policies.getServiceDef().getAccessTypes().size(), policies.getTagPolicies().getServiceDef().getAccessTypes().size()); + assertNotEquals("impliedGrants: _ALL", new HashSet<>(serviceMarkerAll.getImpliedGrants()), new 
HashSet<>(tagMarkerAll.getImpliedGrants())); + assertNotEquals("dataMask.accessType count", policies.getServiceDef().getDataMaskDef().getAccessTypes().size(), policies.getTagPolicies().getServiceDef().getDataMaskDef().getAccessTypes().size()); + assertNotEquals("rowFilter.accessType count", policies.getServiceDef().getRowFilterDef().getAccessTypes().size(), policies.getTagPolicies().getServiceDef().getRowFilterDef().getAccessTypes().size()); + + ServiceDefUtil.normalizeAccessTypeDefs(policies.getTagPolicies().getServiceDef(), policies.getServiceDef().getName()); + + serviceMarkerAll = getAccessType(policies.getServiceDef().getMarkerAccessTypes(), ACCESS_TYPE_MARKER_ALL); + tagMarkerAll = getAccessType(policies.getTagPolicies().getServiceDef().getMarkerAccessTypes(), ACCESS_TYPE_MARKER_ALL); + + assertEquals("accessType count", policies.getServiceDef().getAccessTypes().size(), policies.getTagPolicies().getServiceDef().getAccessTypes().size()); + assertEquals("impliedGrants: _ALL", new HashSet<>(serviceMarkerAll.getImpliedGrants()), new HashSet<>(tagMarkerAll.getImpliedGrants())); + assertEquals("dataMask.accessType count", policies.getServiceDef().getDataMaskDef().getAccessTypes().size(), policies.getTagPolicies().getServiceDef().getDataMaskDef().getAccessTypes().size()); + assertEquals("rowFilter.accessType count", 0, policies.getTagPolicies().getServiceDef().getRowFilterDef().getAccessTypes().size()); + } + } + + private RangerAccessTypeDef getAccessType(List<RangerAccessTypeDef> accessTypeDefs, String accessType) { + RangerAccessTypeDef ret = null; + + if (accessTypeDefs != null) { + for (RangerAccessTypeDef accessTypeDef : accessTypeDefs) { + if (StringUtils.equals(accessTypeDef.getName(), accessType)) { + ret = accessTypeDef; + + break; + } + } + } + + return ret; + } + + @Test + public void testAccessTypeMarkers() { + RangerAccessTypeDef create = new RangerAccessTypeDef(1L, "create", "create", null, null, AccessTypeCategory.CREATE); + RangerAccessTypeDef 
select = new RangerAccessTypeDef(2L, "select", "select", null, null, AccessTypeCategory.READ); + RangerAccessTypeDef update = new RangerAccessTypeDef(3L, "update", "update", null, null, AccessTypeCategory.UPDATE); + RangerAccessTypeDef delete = new RangerAccessTypeDef(4L, "delete", "delete", null, null, AccessTypeCategory.DELETE); + RangerAccessTypeDef manage = new RangerAccessTypeDef(5L, "manage", "manage", null, null, AccessTypeCategory.MANAGE); + RangerAccessTypeDef read = new RangerAccessTypeDef(6L, "read", "read", null, null, AccessTypeCategory.READ); + RangerAccessTypeDef write = new RangerAccessTypeDef(7L, "write", "write", null, null, AccessTypeCategory.UPDATE); + RangerAccessTypeDef execute = new RangerAccessTypeDef(8L, "execute", "execute", null, null, null); + Set<String> allNames = toSet(create.getName(), select.getName(), update.getName(), delete.getName(), manage.getName(), read.getName(), write.getName(), execute.getName()); + + // 6 marker access-types should be populated with impliedGrants + List<RangerAccessTypeDef> accessTypeDefs = Arrays.asList(create, select, update, delete, manage, read, write, execute); + List<RangerAccessTypeDef> markerTypeDefs = ServiceDefUtil.getMarkerAccessTypes(accessTypeDefs); + assertEquals("markerTypeDefs count", 6, markerTypeDefs.size()); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_CREATE, toSet(create.getName()), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_CREATE)); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_READ, toSet(select.getName(), read.getName()), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_READ)); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_UPDATE, toSet(update.getName(), write.getName()), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_UPDATE)); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_DELETE, toSet(delete.getName()), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_DELETE)); + assertEquals("impliedGrants in " + 
ACCESS_TYPE_MARKER_MANAGE, toSet(manage.getName()), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_MANAGE)); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_ALL, allNames, getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_ALL)); + + // 2 marker access-types should be populated with impliedGrants: _CREATE, _ALL + accessTypeDefs = new ArrayList<>(Collections.singleton(create)); + markerTypeDefs = ServiceDefUtil.getMarkerAccessTypes(accessTypeDefs); + assertEquals("markerTypeDefs count", 6, markerTypeDefs.size()); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_CREATE, toSet(create.getName()), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_CREATE)); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_READ, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_READ)); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_UPDATE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_UPDATE)); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_DELETE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_DELETE)); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_MANAGE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_MANAGE)); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_ALL, toSet(create.getName()), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_ALL)); + + // 2 marker access-types should be populated with impliedGrants: _READ, _ALL + accessTypeDefs = new ArrayList<>(Arrays.asList(select, read)); + markerTypeDefs = ServiceDefUtil.getMarkerAccessTypes(accessTypeDefs); + assertEquals("markerTypeDefs count", 6, markerTypeDefs.size()); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_CREATE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_CREATE)); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_READ, toSet(select.getName(), read.getName()), getImpliedGrants(markerTypeDefs, 
ACCESS_TYPE_MARKER_READ)); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_UPDATE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_UPDATE)); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_DELETE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_DELETE)); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_MANAGE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_MANAGE)); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_ALL, toSet(select.getName(), read.getName()), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_ALL)); + + // accessTypes with no category should be added to _ALL + accessTypeDefs = new ArrayList<>(Collections.singleton(execute)); + markerTypeDefs = ServiceDefUtil.getMarkerAccessTypes(accessTypeDefs); + assertEquals("markerTypeDefs count", 6, markerTypeDefs.size()); // 1 marker access-types should be added: _ALL + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_CREATE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_CREATE)); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_READ, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_READ)); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_UPDATE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_UPDATE)); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_DELETE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_DELETE)); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_MANAGE, Collections.emptySet(), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_MANAGE)); + assertEquals("impliedGrants in " + ACCESS_TYPE_MARKER_ALL, toSet(execute.getName()), getImpliedGrants(markerTypeDefs, ACCESS_TYPE_MARKER_ALL)); + } + + private Set<String> getImpliedGrants(List<RangerAccessTypeDef> accessTypeDefs, String accessType) { + Set<String> ret = null; + + if (accessTypeDefs 
!= null) { + for (RangerAccessTypeDef accessTypeDef : accessTypeDefs) { + if (StringUtils.equals(accessTypeDef.getName(), accessType)) { + ret = new HashSet<>(accessTypeDef.getImpliedGrants()); + + break; + } + } + } + + return ret; + } + + private Set<String> toSet(String...values) { + Set<String> ret = new HashSet<>(); + + if (values != null) { + for (String value : values) { + ret.add(value); + } + } + + return ret; + } + public void testPolicyItemDataMaskExprUserGroupRef() { + for (String attrExpr : UGA_ATTR_EXPRESSIONS) { + String filterExpr = "${{" + attrExpr + "}}"; + ServicePolicies svcPolicies = getServicePolicies(); + RangerPolicy policy = getPolicy(svcPolicies); + + policy.getDataMaskPolicyItems().get(0).setDataMaskInfo(new RangerPolicyItemDataMaskInfo("CUSTOM", "", "CASE WHEN dept in (" + filterExpr + ")THEN {col} ELSE '0' END")); + + svcPolicies.getPolicies().add(policy); + assertTrue("policy data-mask refers to user/group attribute: " + filterExpr, ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, RangerAdminUserStoreRetriever.class.getCanonicalName(), "60000")); + + svcPolicies.getServiceDef().getContextEnrichers().clear(); + svcPolicies.getPolicies().clear(); + svcPolicies.getPolicyDeltas().add(new RangerPolicyDelta(1L, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE, 1L, policy)); + assertTrue("policy-delta data-mask refers to user/group attribute: " + filterExpr, ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, RangerAdminUserStoreRetriever.class.getCanonicalName(), "60000")); + + svcPolicies.getServiceDef().getContextEnrichers().clear(); + svcPolicies.getPolicyDeltas().clear(); + svcPolicies.getSecurityZones().put("zone1", getSecurityZoneInfo("zone1")); + svcPolicies.getSecurityZones().get("zone1").getPolicies().add(policy); + assertTrue("zone-policy data-mask refers to user/group attribute: " + filterExpr, ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, RangerAdminUserStoreRetriever.class.getCanonicalName(), "60000")); + + 
svcPolicies.getServiceDef().getContextEnrichers().clear(); + svcPolicies.getSecurityZones().get("zone1").getPolicies().clear(); + svcPolicies.getSecurityZones().get("zone1").getPolicyDeltas().add(new RangerPolicyDelta(1L, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE, 1L, policy)); + assertTrue("zone-policy-delta data-mask refers to user/group attribute: " + filterExpr, ServiceDefUtil.addUserStoreEnricherIfNeeded(svcPolicies, RangerAdminUserStoreRetriever.class.getCanonicalName(), "60000")); + } + } private ServicePolicies getServicePolicies() { ServicePolicies ret = new ServicePolicies();
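Review bot: `testPolicyItemDataMaskExprUserGroupRef()` appears in the merge result without an `@Test` annotation: the only `@Test` kept as context now sits in front of `testNormalizeAccessTypeDefs()`, and the master-side method is added directly after the `toSet(String...values)` helper. If the merged file really reads that way (whitespace on this page is collapsed, so confirm against the file), JUnit will skip the method. The data-mask assertions on `ServiceDefUtil.addUserStoreEnricherIfNeeded` for policies, policy deltas, zone policies and zone policy deltas would then silently stop running. Add a blank line and `@Test` immediately before `public void testPolicyItemDataMaskExprUserGroupRef() {`. The class body continues outside this hunk.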