This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch RANGER-3923 in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/RANGER-3923 by this push: new 3056b6cbb RANGER-3923: removed RangerDataset.admins and RangerProject.admins; replaced RangerDataShare.admins with RangerDataShare.acl 3056b6cbb is described below commit 3056b6cbb5caa9890c1deb88bf28ed079c33d549 Author: Madhan Neethiraj <mad...@apache.org> AuthorDate: Fri Jul 7 00:34:49 2023 -0700 RANGER-3923: removed RangerDataset.admins and RangerProject.admins; replaced RangerDataShare.admins with RangerDataShare.acl --- .../org/apache/ranger/plugin/model/RangerGds.java | 32 +++---- .../main/python/apache_ranger/model/ranger_gds.py | 12 +-- .../src/main/python/sample_gds_client.py | 14 +-- .../optimized/current/ranger_core_db_mysql.sql | 4 +- .../optimized/current/ranger_core_db_postgres.sql | 4 +- .../org/apache/ranger/entity/XXGdsDataShare.java | 14 +-- .../org/apache/ranger/entity/XXGdsDataset.java | 11 +-- .../org/apache/ranger/entity/XXGdsProject.java | 11 +-- .../ranger/service/RangerGdsDataShareService.java | 5 +- .../ranger/service/RangerGdsDatasetService.java | 2 - .../ranger/service/RangerGdsProjectService.java | 2 - .../ranger/validation/RangerGdsValidator.java | 100 ++++++++++++++------- 12 files changed, 103 insertions(+), 108 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerGds.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerGds.java index b735da97a..d53762b06 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerGds.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerGds.java 
@@ -88,10 +88,9 @@ public class RangerGds { public static class RangerDataset extends RangerGdsBaseModelObject implements java.io.Serializable { private static final long serialVersionUID = 1L; - private String name; - private List<RangerPrincipal> admins; - private RangerGdsObjectACL acl; - private String termsOfUse; + private String name; + private RangerGdsObjectACL acl; + private String termsOfUse; public RangerDataset() { } @@ -99,10 +98,6 @@ public class RangerGds { public void setName(String name) { this.name = name; } - public List<RangerPrincipal> getAdmins() { return admins; } - - public void setAdmins(List<RangerPrincipal> admins) { this.admins = admins; } - public RangerGdsObjectACL getAcl() { return acl; } public void setAcl(RangerGdsObjectACL acl) { this.acl = acl; } @@ -118,7 +113,6 @@ public class RangerGds { super.toString(sb); sb.append("name={").append(name).append("} ") - .append("admin={").append(admins).append("} ") .append("acl={").append(acl).append("} ") .append("termsOfUse={").append(termsOfUse).append("} ") .append("}"); @@ -135,10 +129,9 @@ public class RangerGds { public static class RangerProject extends RangerGdsBaseModelObject implements java.io.Serializable { private static final long serialVersionUID = 1L; - private String name; - private List<RangerPrincipal> admins; - private RangerGdsObjectACL acl; - private String termsOfUse; + private String name; + private RangerGdsObjectACL acl; + private String termsOfUse; public RangerProject() { } @@ -146,10 +139,6 @@ public class RangerGds { public void setName(String name) { this.name = name; } - public List<RangerPrincipal> getAdmins() { return admins; } - - public void setAdmins(List<RangerPrincipal> admins) { this.admins = admins; } - public RangerGdsObjectACL getAcl() { return acl; } public void setAcl(RangerGdsObjectACL acl) { this.acl = acl; } 
@@ -165,7 +154,6 @@ public class RangerGds { super.toString(sb); sb.append("name={").append(name).append("} ") - .append("admins={").append(admins).append("} ") .append("acl={").append(acl).append("} ") .append("termsOfUse={").append(termsOfUse).append("} ") .append("}"); @@ -183,7 +171,7 @@ public class RangerGds { private static final long serialVersionUID = 1L; private String name; - private List<RangerPrincipal> admins; + private RangerGdsObjectACL acl; private String service; private String zone; private String conditionExpr; @@ -197,9 +185,9 @@ public class RangerGds { public void setName(String name) { this.name = name; } - public List<RangerPrincipal> getAdmins() { return admins; } + public RangerGdsObjectACL getAcl() { return acl; } - public void setAdmins(List<RangerPrincipal> admins) { this.admins = admins; } + public void setAcl(RangerGdsObjectACL acl) { this.acl = acl; } public String getService() { return service; } @@ -240,7 +228,7 @@ public class RangerGds { super.toString(sb); sb.append("name={").append(name).append("} ") - .append("admins={").append(admins).append("} ") + .append("acl={").append(acl).append("} ") .append("service={").append(service).append("} ") .append("zone={").append(zone).append("} ") .append("conditionExpr={").append(conditionExpr).append("} ") diff --git a/intg/src/main/python/apache_ranger/model/ranger_gds.py b/intg/src/main/python/apache_ranger/model/ranger_gds.py index f1572738c..cd8aac8e6 100644 --- a/intg/src/main/python/apache_ranger/model/ranger_gds.py +++ b/intg/src/main/python/apache_ranger/model/ranger_gds.py 
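Review bot: The new `acl` field on RangerDataShare has no comment saying that it now decides who may manage the share, and nothing in this hunk signals to API clients that `admins` is gone. If the JSON binding for these model classes ignores unknown properties (not visible here), a client that still sends `admins` would get a data share with no ADMIN entry and no error. I would document the field, e.g. `// principals mapped to GdsPermission.ADMIN may update or delete this data share; replaces the former 'admins' list`, and decide explicitly whether a payload carrying the legacy field should be rejected. The same applies to the RangerDataset and RangerProject hunks above, where `admins` is dropped in favour of the existing `acl`. The class bodies continue outside the hunks.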
@@ -80,15 +80,13 @@ class RangerDataset(RangerGdsBaseModelObject): RangerGdsBaseModelObject.__init__(self, attrs) self.name = attrs.get('name') - self.admins = attrs.get('admins') self.acl = attrs.get('acl') self.termsOfUse = attrs.get('termsOfUse') def type_coerce_attrs(self): super(RangerDataset, self).type_coerce_attrs() - self.admins = type_coerce_list(self.admins, RangerPrincipal) - self.acl = type_coerce_dict(self.acl, RangerGdsObjectACL) + self.acl = type_coerce_dict(self.acl, RangerGdsObjectACL) class RangerProject(RangerGdsBaseModelObject): @@ -99,15 +97,13 @@ class RangerProject(RangerGdsBaseModelObject): RangerGdsBaseModelObject.__init__(self, attrs) self.name = attrs.get('name') - self.admins = attrs.get('admins') self.acl = attrs.get('acl') self.termsOfUse = attrs.get('termsOfUse') def type_coerce_attrs(self): super(RangerProject, self).type_coerce_attrs() - self.admins = type_coerce_list(self.admins, RangerPrincipal) - self.acl = type_coerce_dict(self.acl, RangerGdsObjectACL) + self.acl = type_coerce_dict(self.acl, RangerGdsObjectACL) class RangerDataShare(RangerGdsBaseModelObject): @@ -118,7 +114,7 @@ class RangerDataShare(RangerGdsBaseModelObject): RangerGdsBaseModelObject.__init__(self, attrs) self.name = attrs.get('name') - self.admins = attrs.get('admins') + self.acl = attrs.get('acl') self.service = attrs.get('service') self.zone = attrs.get('zone') self.conditionExpr = attrs.get('conditionExpr') @@ -129,7 +125,7 @@ class RangerDataShare(RangerGdsBaseModelObject): def type_coerce_attrs(self): super(RangerDataShare, self).type_coerce_attrs() - self.admins = type_coerce_list(self.admins, RangerPrincipal) + self.acl = type_coerce_dict(self.acl, RangerGdsObjectACL) self.defaultMasks = type_coerce_dict(self.defaultMasks, RangerPolicyItemDataMaskInfo) diff --git a/ranger-examples/sample-client/src/main/python/sample_gds_client.py b/ranger-examples/sample-client/src/main/python/sample_gds_client.py index 35e80609a..e40e0736f 100644 
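Review bot: In `RangerDataShare.type_coerce_attrs` the new line passes `self.acl` to `type_coerce_dict`, the same helper the next line uses for `defaultMasks`, a map whose values are the objects to coerce. If that is how the helper works, `acl` is handled as a map of `RangerGdsObjectACL` objects keyed by 'users'/'groups'/'roles' rather than as one ACL object, so an input like the sample client's `{ 'users': { 'John.Doe': GdsPermission.ADMIN } }` would not come out as a single `RangerGdsObjectACL`. The single-object form would be `self.acl = type_coerce(self.acl, RangerGdsObjectACL)`, provided `type_coerce` is imported in this module (the imports are outside the hunk). The RangerDataset and RangerProject hunks keep the same call and would need the same change.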
--- a/ranger-examples/sample-client/src/main/python/sample_gds_client.py +++ b/ranger-examples/sample-client/src/main/python/sample_gds_client.py 
@@ -29,21 +29,23 @@ ranger_auth = ('admin', 'rangerR0cks!') ranger = RangerClient(ranger_url, ranger_auth) gds = RangerGdsClient(ranger) +userJohnDoe = RangerPrincipal({ 'type': PrincipalType.USER, 'name': 'John.Doe' }) -dataset_1 = RangerDataset({ 'name': 'dataset-1', 'description': 'the first dataset!', 'admins': [ { 'type': PrincipalType.USER, 'name': 'John.Doe' } ], 'acl': {}, 'termsOfUse': None }) -dataset_2 = RangerDataset({ 'name': 'dataset-2', 'description': 'the second dataset!', 'admins': [ { 'type': PrincipalType.GROUP, 'name': 'sales' } ], 'acl': {}, 'termsOfUse': None }) -project_1 = RangerProject({ 'name': 'project-1', 'description': 'the first project!', 'admins': [ { 'type': PrincipalType.USER, 'name': 'Diane.Scott' } ], 'acl': {}, 'termsOfUse': None }) -project_2 = RangerProject({ 'name': 'project-2', 'description': 'the second project!', 'admins': [ { 'type': PrincipalType.GROUP, 'name': 'marketing' } ], 'acl': {}, 'termsOfUse': None }) +dataset_1 = RangerDataset({ 'name': 'dataset-1', 'description': 'the first dataset!', 'acl': { 'users': { 'John.Doe': GdsPermission.ADMIN } }, 'termsOfUse': None }) +dataset_2 = RangerDataset({ 'name': 'dataset-2', 'description': 'the second dataset!', 'acl': { 'groups': { 'sales': GdsPermission.ADMIN } }, 'termsOfUse': None }) -hive_share_1 = RangerDataShare({ 'name': 'datashare-1', 'description': 'the first datashare!', 'admins': [ { 'type': PrincipalType.USER, 'name': 'Sandy.Williams' } ], 'termsOfUse': None }) +project_1 = RangerProject({ 'name': 'project-1', 'description': 'the first project!', 'acl': { 'users': { 'Diane.Scott': GdsPermission.ADMIN } }, 'termsOfUse': None }) +project_2 = RangerProject({ 'name': 'project-2', 'description': 'the second project!', 'acl': { 'groups': { 'marketing': GdsPermission.ADMIN } }, 'termsOfUse': None }) + +hive_share_1 = RangerDataShare({ 'name': 'datashare-1', 'description': 'the first datashare!', 'acl': { 'users': { 'Sandy.Williams': GdsPermission.ADMIN } }, 
'termsOfUse': None }) hive_share_1.service = 'dev_hive' hive_share_1.zone = None hive_share_1.conditionExpr = "HAS_TAG('SCAN_COMPLETE')" hive_share_1.defaultAccessTypes = [ '_READ' ] hive_share_1.defaultMasks = { 'HAS_TAG("PII")': { 'dataMaskType': 'MASK' } } -hdfs_share_1 = RangerDataShare({ 'name': 'datashare-2', 'description': 'the second datashare!', 'admins': [ { 'type': PrincipalType.GROUP, 'name': 'finance' } ], 'termsOfUse': None }) +hdfs_share_1 = RangerDataShare({ 'name': 'datashare-2', 'description': 'the second datashare!', 'acl': { 'groups': { 'finance': GdsPermission.ADMIN } }, 'termsOfUse': None }) hdfs_share_1.service = 'dev_hdfs' hdfs_share_1.zone = None hdfs_share_1.conditionExpr = "HAS_TAG('SCAN_COMPLETE')" diff --git a/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql b/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql index 12262dfc5..b4e3f57b8 100644 --- a/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql +++ b/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql @@ -1712,7 +1712,6 @@ CREATE TABLE `x_gds_dataset` ( , `is_enabled` TINYINT(1) NOT NULL DEFAULT '1' , `name` VARCHAR(512) NOT NULL , `description` TEXT NULL DEFAULT NULL - , `admins` TEXT NOT NULL , `acl` TEXT NULL DEFAULT NULL , `terms_of_use` TEXT NULL DEFAULT NULL , `options` TEXT NULL DEFAULT NULL @@ -1735,7 +1734,6 @@ CREATE TABLE `x_gds_project` ( , `is_enabled` TINYINT(1) NOT NULL DEFAULT '1' , `name` VARCHAR(512) NOT NULL , `description` TEXT NULL DEFAULT NULL - , `admins` TEXT NOT NULL , `acl` TEXT NULL DEFAULT NULL , `terms_of_use` TEXT NULL DEFAULT NULL , `options` TEXT NULL DEFAULT NULL @@ -1758,7 +1756,7 @@ CREATE TABLE `x_gds_data_share`( , `is_enabled` TINYINT(1) NOT NULL DEFAULT '1' , `name` VARCHAR(512) NOT NULL , `description` TEXT NULL DEFAULT NULL - , `admins` TEXT NOT NULL + , `acl` TEXT NOT NULL , `service_id` BIGINT(20) NOT NULL , `zone_id` BIGINT(20) NOT NULL , `condition_expr` TEXT NULL 
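Review bot: `userJohnDoe` is assigned at the top of this hunk, but none of the ACL literals below use it; they repeat the principal name as a dict key instead. Either drop the variable or confirm it is used further down, outside the hunk. The new literals also depend on `GdsPermission` and `RangerPrincipal` being imported above line 29, which this hunk does not show. Separately from the change itself, the context line `ranger_auth = ('admin', 'rangerR0cks!')` keeps a literal admin password in the sample; reading it from the environment or a prompt would keep copies of the script from carrying a credential.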
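Review bot: `acl` is declared `TEXT NOT NULL` on `x_gds_data_share`, while the same column on `x_gds_dataset` and `x_gds_project` is `TEXT NULL DEFAULT NULL`. In this commit `validateAcl` skips a null ACL and `RangerGdsDataShareService` stores `JsonUtils.objectToJson(vObj.getAcl())`, so a data share submitted without an ACL passes validation and, if that helper returns null for a null input, fails only at the database with a constraint error. Either make the column nullable like the other two tables (`acl TEXT NULL DEFAULT NULL`) or have the create/update validation reject a missing ACL with a validation failure. The PostgreSQL hunk for `x_gds_data_share` has the same declaration. Since these are the full-schema scripts, a database already created from the earlier definition would also need a migration step, which the diffstat does not show.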
diff --git a/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql b/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql index bb2569d84..6b82aead4 100644 --- a/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql +++ b/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql @@ -1701,7 +1701,6 @@ CREATE TABLE x_gds_dataset ( , is_enabled BOOLEAN NOT NULL DEFAULT '1' , name VARCHAR(512) NOT NULL , description TEXT NULL DEFAULT NULL - , admins TEXT NOT NULL , acl TEXT NULL DEFAULT NULL , terms_of_use TEXT NULL DEFAULT NULL , options TEXT NULL DEFAULT NULL @@ -1726,7 +1725,6 @@ CREATE TABLE x_gds_project ( , is_enabled BOOLEAN NOT NULL DEFAULT '1' , name VARCHAR(512) NOT NULL , description TEXT NULL DEFAULT NULL - , admins TEXT NOT NULL , acl TEXT NULL DEFAULT NULL , terms_of_use TEXT NULL DEFAULT NULL , options TEXT NULL DEFAULT NULL @@ -1751,7 +1749,7 @@ CREATE TABLE x_gds_data_share( , is_enabled BOOLEAN NOT NULL DEFAULT '1' , name VARCHAR(512) NOT NULL , description TEXT NULL DEFAULT NULL - , admins TEXT NOT NULL + , acl TEXT NOT NULL , service_id BIGINT NOT NULL , zone_id BIGINT NOT NULL , condition_expr TEXT NULL diff --git a/security-admin/src/main/java/org/apache/ranger/entity/XXGdsDataShare.java b/security-admin/src/main/java/org/apache/ranger/entity/XXGdsDataShare.java index d3abada0d..1d2f6a189 100644 --- a/security-admin/src/main/java/org/apache/ranger/entity/XXGdsDataShare.java +++ b/security-admin/src/main/java/org/apache/ranger/entity/XXGdsDataShare.java @@ -61,8 +61,8 @@ public class XXGdsDataShare extends XXDBBase implements Serializable { @Column(name = "description") protected String description; - @Column(name = "admins") - protected String admins; + @Column(name = "acl") + protected String acl; @Column(name = "condition_expr") protected String conditionExpr; 
@@ -117,9 +117,9 @@ public class XXGdsDataShare extends XXDBBase implements Serializable { public void setDescription(String description) { this.description = description; } - public String getAdmins() { return admins; } + public String getAcl() { return acl; } - public void setAdmins(String admins) { this.admins = admins; } + public void setAcl(String acl) { this.acl = acl; } public String getConditionExpr() { return conditionExpr; } @@ -150,7 +150,7 @@ public class XXGdsDataShare extends XXDBBase implements Serializable { @Override public int hashCode() { - return Objects.hash(id, guid, version, isEnabled, serviceId, zoneId, name, description, admins, conditionExpr, defaultAccessTypes, defaultMasks, termsOfUse, options, additionalInfo); + return Objects.hash(id, guid, version, isEnabled, serviceId, zoneId, name, description, acl, conditionExpr, defaultAccessTypes, defaultMasks, termsOfUse, options, additionalInfo); } @Override @@ -173,7 +173,7 @@ public class XXGdsDataShare extends XXDBBase implements Serializable { Objects.equals(zoneId, other.zoneId) && Objects.equals(name, other.name) && Objects.equals(description, other.description) && - Objects.equals(admins, other.admins) && + Objects.equals(acl, other.acl) && Objects.equals(conditionExpr, other.conditionExpr) && Objects.equals(defaultAccessTypes, other.defaultAccessTypes) && Objects.equals(defaultMasks, other.defaultMasks) && @@ -198,7 +198,7 @@ public class XXGdsDataShare extends XXDBBase implements Serializable { .append("zoneId={").append(zoneId).append("} ") .append("name={").append(name).append("} ") .append("description={").append(description).append("} ") - .append("admins={").append(admins).append("} ") + .append("acl={").append(acl).append("} ") .append("conditionExpr={").append(conditionExpr).append("} ") .append("defaultAccessTypes={").append(defaultAccessTypes).append("} ") .append("defaultMasks={").append(defaultMasks).append("} ") 
diff --git a/security-admin/src/main/java/org/apache/ranger/entity/XXGdsDataset.java b/security-admin/src/main/java/org/apache/ranger/entity/XXGdsDataset.java index 3a722f044..6fdc5be95 100644 --- a/security-admin/src/main/java/org/apache/ranger/entity/XXGdsDataset.java +++ b/security-admin/src/main/java/org/apache/ranger/entity/XXGdsDataset.java @@ -55,9 +55,6 @@ public class XXGdsDataset extends XXDBBase implements Serializable { @Column(name = "description") protected String description; - @Column(name = "admins") - protected String admins; - @Column(name = "acl") protected String acl; @@ -97,10 +94,6 @@ public class XXGdsDataset extends XXDBBase implements Serializable { public void setDescription(String description) { this.description = description; } - public String getAdmins() { return admins; } - - public void setAdmins(String admins) { this.admins = admins; } - public String getAcl() { return acl; } public void setAcl(String acl) { this.acl = acl; } @@ -122,7 +115,7 @@ public class XXGdsDataset extends XXDBBase implements Serializable { @Override public int hashCode() { - return Objects.hash(id, guid, version, isEnabled, name, description, admins, acl, termsOfUse, options, additionalInfo); + return Objects.hash(id, guid, version, isEnabled, name, description, acl, termsOfUse, options, additionalInfo); } @Override @@ -143,7 +136,6 @@ public class XXGdsDataset extends XXDBBase implements Serializable { Objects.equals(isEnabled, other.isEnabled) && Objects.equals(name, other.name) && Objects.equals(description, other.description) && - Objects.equals(admins, other.admins) && Objects.equals(acl, other.acl) && Objects.equals(termsOfUse, other.termsOfUse) && Objects.equals(options, other.options) && 
@@ -164,7 +156,6 @@ public class XXGdsDataset extends XXDBBase implements Serializable { .append("isEnabled={").append(isEnabled).append("} ") .append("name={").append(name).append("} ") .append("description={").append(description).append("} ") - .append("admins={").append(admins).append("} ") .append("condition={").append(acl).append("} ") .append("acl={").append(acl).append("} ") .append("termsOfUse={").append(termsOfUse).append("} ") diff --git a/security-admin/src/main/java/org/apache/ranger/entity/XXGdsProject.java b/security-admin/src/main/java/org/apache/ranger/entity/XXGdsProject.java index 84c9169c7..566fdac96 100644 --- a/security-admin/src/main/java/org/apache/ranger/entity/XXGdsProject.java +++ b/security-admin/src/main/java/org/apache/ranger/entity/XXGdsProject.java @@ -55,9 +55,6 @@ public class XXGdsProject extends XXDBBase implements Serializable { @Column(name = "description") protected String description; - @Column(name = "admins") - protected String admins; - @Column(name = "acl") protected String acl; @@ -96,10 +93,6 @@ public class XXGdsProject extends XXDBBase implements Serializable { public void setDescription(String description) { this.description = description; } - public String getAdmins() { return admins; } - - public void setAdmins(String admins) { this.admins = admins; } - public String getAcl() { return acl; } public void setAcl(String acl) { this.acl = acl; } @@ -121,7 +114,7 @@ public class XXGdsProject extends XXDBBase implements Serializable { @Override public int hashCode() { - return Objects.hash(id, guid, version, isEnabled, name, description, admins, acl, termsOfUse, options, additionalInfo); + return Objects.hash(id, guid, version, isEnabled, name, description, acl, termsOfUse, options, additionalInfo); } @Override 
@@ -142,7 +135,6 @@ public class XXGdsProject extends XXDBBase implements Serializable { Objects.equals(isEnabled, other.isEnabled) && Objects.equals(name, other.name) && Objects.equals(description, other.description) && - Objects.equals(admins, other.admins) && Objects.equals(acl, other.acl) && Objects.equals(termsOfUse, other.termsOfUse) && Objects.equals(options, other.options) && @@ -163,7 +155,6 @@ public class XXGdsProject extends XXDBBase implements Serializable { .append("isEnabled={").append(isEnabled).append("} ") .append("name={").append(name).append("} ") .append("description={").append(description).append("} ") - .append("admins={").append(admins).append("} ") .append("condition={").append(acl).append("} ") .append("termsOfUse={").append(termsOfUse).append("} ") .append("options={").append(options).append("} ") diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerGdsDataShareService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerGdsDataShareService.java index 3c212284b..a07fb9ea7 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/RangerGdsDataShareService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/RangerGdsDataShareService.java @@ -28,6 +28,7 @@ import org.apache.ranger.common.SortField; import org.apache.ranger.entity.XXGdsDataShare; import org.apache.ranger.entity.XXSecurityZone; import org.apache.ranger.entity.XXService; +import org.apache.ranger.plugin.model.RangerGds; import org.apache.ranger.plugin.model.RangerGds.RangerDataShare; import org.apache.ranger.plugin.model.RangerSecurityZone; import org.apache.ranger.plugin.util.SearchFilter; 
@@ -221,7 +222,7 @@ public class RangerGdsDataShareService extends RangerGdsBaseModelService<XXGdsDa xObj.setIsEnabled(vObj.getIsEnabled()); xObj.setName(vObj.getName()); xObj.setDescription(vObj.getDescription()); - xObj.setAdmins(JsonUtils.listToJson(vObj.getAdmins())); + xObj.setAcl(JsonUtils.objectToJson(vObj.getAcl())); xObj.setServiceId(xService.getId()); xObj.setZoneId(zoneId); xObj.setConditionExpr(vObj.getConditionExpr()); @@ -247,7 +248,7 @@ public class RangerGdsDataShareService extends RangerGdsBaseModelService<XXGdsDa vObj.setVersion(xObj.getVersion()); vObj.setName(xObj.getName()); vObj.setDescription(xObj.getDescription()); - vObj.setAdmins(JsonUtils.jsonToRangerPrincipalList(xObj.getAdmins())); + vObj.setAcl(JsonUtils.jsonToObject(xObj.getAcl(), RangerGds.RangerGdsObjectACL.class)); vObj.setService(serviceName); vObj.setZone(zoneName); vObj.setConditionExpr(xObj.getConditionExpr()); diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerGdsDatasetService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerGdsDatasetService.java index 09c28cced..747cc9f17 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/RangerGdsDatasetService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/RangerGdsDatasetService.java @@ -158,7 +158,6 @@ public class RangerGdsDatasetService extends RangerGdsBaseModelService<XXGdsData xObj.setIsEnabled(vObj.getIsEnabled()); xObj.setName(vObj.getName()); xObj.setDescription(vObj.getDescription()); - xObj.setAdmins(JsonUtils.listToJson(vObj.getAdmins())); xObj.setAcl(JsonUtils.objectToJson(vObj.getAcl())); xObj.setTermsOfUse(vObj.getTermsOfUse()); xObj.setOptions(JsonUtils.mapToJson(vObj.getOptions())); 
@@ -174,7 +173,6 @@ public class RangerGdsDatasetService extends RangerGdsBaseModelService<XXGdsData vObj.setVersion(xObj.getVersion()); vObj.setName(xObj.getName()); vObj.setDescription(xObj.getDescription()); - vObj.setAdmins(JsonUtils.jsonToRangerPrincipalList(xObj.getAdmins())); vObj.setAcl(JsonUtils.jsonToObject(xObj.getAcl(), RangerGds.RangerGdsObjectACL.class)); vObj.setTermsOfUse(xObj.getTermsOfUse()); vObj.setOptions(JsonUtils.jsonToMapStringString(xObj.getOptions())); diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerGdsProjectService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerGdsProjectService.java index 2aa7a1ea8..8c0ddc65d 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/RangerGdsProjectService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/RangerGdsProjectService.java @@ -158,7 +158,6 @@ public class RangerGdsProjectService extends RangerGdsBaseModelService<XXGdsProj xObj.setIsEnabled(vObj.getIsEnabled()); xObj.setName(vObj.getName()); xObj.setDescription(vObj.getDescription()); - xObj.setAdmins(JsonUtils.listToJson(vObj.getAdmins())); xObj.setAcl(JsonUtils.objectToJson(vObj.getAcl())); xObj.setTermsOfUse(vObj.getTermsOfUse()); xObj.setOptions(JsonUtils.mapToJson(vObj.getOptions())); @@ -174,7 +173,6 @@ public class RangerGdsProjectService extends RangerGdsBaseModelService<XXGdsProj vObj.setVersion(xObj.getVersion()); vObj.setName(xObj.getName()); vObj.setDescription(xObj.getDescription()); - vObj.setAdmins(JsonUtils.jsonToRangerPrincipalList(xObj.getAdmins())); vObj.setAcl(JsonUtils.jsonToObject(xObj.getAcl(), RangerGds.RangerGdsObjectACL.class)); vObj.setTermsOfUse(xObj.getTermsOfUse()); vObj.setOptions(JsonUtils.jsonToMapStringString(xObj.getOptions())); diff --git a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java index 3c6dd1fdf..55da4a238 100644 
--- a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java +++ b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java @@ -17,11 +17,13 @@ package org.apache.ranger.validation; +import org.apache.commons.collections.MapUtils; import org.apache.commons.lang.StringUtils; import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.RESTErrorUtil; import org.apache.ranger.plugin.errors.ValidationErrorCode; import org.apache.ranger.plugin.model.RangerGds; +import org.apache.ranger.plugin.model.RangerGds.GdsPermission; import org.apache.ranger.plugin.model.RangerGds.RangerDataShareInDataset; import org.apache.ranger.plugin.model.RangerGds.RangerDataShare; import org.apache.ranger.plugin.model.RangerGds.RangerDatasetInProject; @@ -64,7 +66,6 @@ public class RangerGdsValidator { result.addValidationFailure(new ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATASET_NAME_CONFLICT, "name", dataset.getName(), existing)); } - validatePrincipals(dataset.getAdmins(), "admins", result); validateAcl(dataset.getAcl(), "acl", result); if (!result.isSuccess()) { @@ -83,10 +84,9 @@ public class RangerGdsValidator { result.addValidationFailure(new ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATASET_NAME_NOT_FOUND, "name", dataset.getName())); } else { if (!dataProvider.isAdminUser()) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "dataset", existing.getName(), existing.getAdmins(), result); + validateAdmin(dataProvider.getCurrentUserLoginId(), "dataset", existing.getName(), existing.getAcl(), result); } - validatePrincipals(dataset.getAdmins(), "admins", result); validateAcl(dataset.getAcl(), "acl", result); } 
@@ -106,7 +106,7 @@ public class RangerGdsValidator { result.addValidationFailure(new ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATASET_ID_NOT_FOUND, "id", datasetId)); } else { if (!dataProvider.isAdminUser()) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "dataset", existing.getName(), existing.getAdmins(), result); + validateAdmin(dataProvider.getCurrentUserLoginId(), "dataset", existing.getName(), existing.getAcl(), result); } } @@ -127,7 +127,6 @@ public class RangerGdsValidator { result.addValidationFailure(new ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_PROJECT_NAME_CONFLICT, "name", project.getName(), existing)); } - validatePrincipals(project.getAdmins(), "admins", result); validateAcl(project.getAcl(), "acl", result); if (!result.isSuccess()) { @@ -146,10 +145,9 @@ public class RangerGdsValidator { result.addValidationFailure(new ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_PROJECT_NAME_NOT_FOUND, "name", project.getName())); } else { if (!dataProvider.isAdminUser()) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "project", existing.getName(), existing.getAdmins(), result); + validateAdmin(dataProvider.getCurrentUserLoginId(), "project", existing.getName(), existing.getAcl(), result); } - validatePrincipals(project.getAdmins(), "admins", result); validateAcl(project.getAcl(), "acl", result); } @@ -169,7 +167,7 @@ public class RangerGdsValidator { result.addValidationFailure(new ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_PROJECT_ID_NOT_FOUND, "id", projectId)); } else { if (!dataProvider.isAdminUser()) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "project", existing.getName(), existing.getAdmins(), result); + validateAdmin(dataProvider.getCurrentUserLoginId(), "project", existing.getName(), existing.getAcl(), result); } } 
@@ -192,7 +190,7 @@ public class RangerGdsValidator { validateServiceZoneAdmin(dataShare.getService(), dataShare.getZone(), result); - validatePrincipals(dataShare.getAdmins(), "admins", result); + validateAcl(dataShare.getAcl(), "acl", result); validateAccessTypes(dataShare.getService(), "defaultAccessTypes", dataShare.getDefaultAccessTypes(), result); validateMaskTypes(dataShare.getService(), "defaultMasks", dataShare.getDefaultMasks(), result); @@ -212,10 +210,10 @@ public class RangerGdsValidator { result.addValidationFailure(new ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATA_SHARE_NAME_NOT_FOUND, "name", dataShare.getName())); } else { if (!dataProvider.isAdminUser()) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", existing.getName(), existing.getAdmins(), result); + validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", existing.getName(), existing.getAcl(), result); } - validatePrincipals(dataShare.getAdmins(), "admins", result); + validateAcl(dataShare.getAcl(), "acl", result); validateAccessTypes(dataShare.getService(), "defaultAccessTypes", dataShare.getDefaultAccessTypes(), result); validateMaskTypes(dataShare.getService(), "defaultMasks", dataShare.getDefaultMasks(), result); } @@ -236,7 +234,7 @@ public class RangerGdsValidator { result.addValidationFailure(new ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATA_SHARE_ID_NOT_FOUND, "id", dataShareId)); } else { if (!dataProvider.isAdminUser()) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", existing.getName(), existing.getAdmins(), result); + validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", existing.getName(), existing.getAcl(), result); } } 
@@ -262,7 +260,7 @@ public class RangerGdsValidator { result.addValidationFailure(new ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_SHARED_RESOURCE_NAME_CONFLICT, "name", resource.getName(), dataShare.getName(), existing)); } else { if (!dataProvider.isAdminUser() && !dataProvider.isServiceAdmin(dataShare.getService()) && !dataProvider.isZoneAdmin(dataShare.getZone())) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", dataShare.getName(), dataShare.getAdmins(), result); + validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", dataShare.getName(), dataShare.getAcl(), result); } } } @@ -288,7 +286,7 @@ public class RangerGdsValidator { result.addValidationFailure(new ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATA_SHARE_ID_NOT_FOUND, "dataShareId", resource.getDataShareId())); } else { if (!dataProvider.isAdminUser() && !dataProvider.isServiceAdmin(dataShare.getService()) && !dataProvider.isZoneAdmin(dataShare.getZone())) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", dataShare.getName(), dataShare.getAdmins(), result); + validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", dataShare.getName(), dataShare.getAcl(), result); } } } @@ -314,7 +312,7 @@ public class RangerGdsValidator { result.addValidationFailure(new ValidationFailureDetails(ValidationErrorCode.GDS_VALIDATION_ERR_DATA_SHARE_ID_NOT_FOUND, "dataShareId", existing.getDataShareId())); } else { if (!dataProvider.isAdminUser() && !dataProvider.isServiceAdmin(dataShare.getService()) && !dataProvider.isZoneAdmin(dataShare.getZone())) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", dataShare.getName(), dataShare.getAdmins(), result); + validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", dataShare.getName(), dataShare.getAcl(), result); } } } 
@@ -343,7 +341,7 @@ public class RangerGdsValidator { if (dataShare != null) { if (!dataProvider.isAdminUser() && !dataProvider.isServiceAdmin(dataShare.getService()) && !dataProvider.isZoneAdmin(dataShare.getZone())) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", dataShare.getName(), dataShare.getAdmins(), result); + validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", dataShare.getName(), dataShare.getAcl(), result); } } @@ -428,11 +426,11 @@ public class RangerGdsValidator { if (requireDataShareAdmin) { if (!dataProvider.isAdminUser() && !dataProvider.isServiceAdmin(dataShare.getService()) && !dataProvider.isZoneAdmin(dataShare.getZone())) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", dataShare.getName(), dataShare.getAdmins(), result); + validateAdmin(dataProvider.getCurrentUserLoginId(), "datashare", dataShare.getName(), dataShare.getAcl(), result); } } else if (requireDatasetAdmin) { if (!dataProvider.isAdminUser()) { - validateAdmin(dataProvider.getCurrentUserLoginId(), "dataset", dataset.getName(), dataset.getAdmins(), result); + validateAdmin(dataProvider.getCurrentUserLoginId(), "dataset", dataset.getName(), dataset.getAcl(), result); } } else { // must be either a dataset admin or a datashare admin // TODO: @@ -544,19 +542,19 @@ public class RangerGdsValidator { private void validateAcl(RangerGdsObjectACL acl, String fieldName, ValidationResult result) { if (acl != null) { - if (acl.getUsers() != null) { + if (MapUtils.isNotEmpty(acl.getUsers())) { for (String userName : acl.getUsers().keySet()) { validateUser(userName, fieldName, result); } } - if (acl.getGroups() != null) { + if (MapUtils.isNotEmpty(acl.getGroups())) { for (String groupName : acl.getGroups().keySet()) { validateGroup(groupName, fieldName, result); } } - if (acl.getRoles() != null) { + if (MapUtils.isNotEmpty(acl.getRoles())) { for (String roleName : acl.getRoles().keySet()) { validateRole(roleName, fieldName, result); } 
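Review bot: The branch after the two updated `validateAdmin` calls still reads `// must be either a dataset admin or a datashare admin // TODO:`, so for requests that reach it this hunk shows no ownership check at all. Now that both object types expose their admins through `getAcl()`, that branch can be filled in by accepting the caller when either `dataShare.getAcl()` or `dataset.getAcl()` grants ADMIN. Until then I would have the branch add a validation failure rather than fall through. The enclosing method starts before and continues after this hunk, so the branch may contain more than is visible here.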
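Review bot: `validateAcl` still inspects only the key sets of `getUsers()`, `getGroups()` and `getRoles()`; the `GdsPermission` values are never checked. With `validateAdmin` now deriving admin rights from those values, an entry whose permission is null is stored and then silently treated as no access. A per-entry check such as `if (entry.getValue() == null) { /* add a validation failure for fieldName */ }` in each loop would surface that at write time. The `MapUtils.isNotEmpty` guards behave the same as the old null checks, since iterating an empty key set does nothing. The method continues past the end of the hunk.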
@@ -588,23 +586,59 @@ public class RangerGdsValidator { } } - private void validateAdmin(String userName, String objType, String objName, List<RangerPrincipal> admins, ValidationResult result) { + private void validateAdmin(String userName, String objType, String objName, RangerGdsObjectACL acl, ValidationResult result) { boolean isAdmin = false; - if (admins != null) { + if (acl != null) { Set<String> userGroups = null; Set<String> userRoles = null; - for (RangerPrincipal admin : admins) { - if (admin.getType() == RangerPrincipal.PrincipalType.USER) { - isAdmin = StringUtils.equals(userName, admin.getName()); - } else if (admin.getType() == RangerPrincipal.PrincipalType.GROUP) { + if (MapUtils.isNotEmpty(acl.getUsers())) { + for (Map.Entry<String, GdsPermission> entry : acl.getUsers().entrySet()) { + GdsPermission permission = entry.getValue(); + + if (permission != GdsPermission.ADMIN) { + continue; + } + + if (StringUtils.equals(userName, entry.getKey())) { + isAdmin = true; + + break; + } + } + } + + if (!isAdmin && MapUtils.isNotEmpty(acl.getGroups())) { + for (Map.Entry<String, GdsPermission> entry : acl.getGroups().entrySet()) { + String groupName = entry.getKey(); + GdsPermission permission = entry.getValue(); + + if (permission != GdsPermission.ADMIN) { + continue; + } + if (userGroups == null) { userGroups = dataProvider.getGroupsForUser(userName); } - isAdmin = userGroups.contains(admin.getName()); - } else if (admin.getType() == RangerPrincipal.PrincipalType.ROLE) { + if (userGroups != null && userGroups.contains(groupName)) { + isAdmin = true; + + break; + } + } + } + + if (!isAdmin && MapUtils.isNotEmpty(acl.getRoles())) { + for (Map.Entry<String, GdsPermission> entry : acl.getRoles().entrySet()) { + String roleName = entry.getKey(); + GdsPermission permission = entry.getValue(); + + if (permission != GdsPermission.ADMIN) { + continue; + } + if (userRoles == null) { if (userGroups == null) { userGroups = dataProvider.getGroupsForUser(userName); 
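Review bot: The three loops in `validateAdmin` repeat the same ADMIN-entry scan, and the user loop walks the whole map although it is keyed by user name; a small helper plus a direct lookup would make this authorization check easier to audit. In the roles branch `userGroups` is fetched first, but the visible call is `getRolesForUser(userName)`, so unless that method resolves group-held roles itself (the two lines between this hunk and the next are not shown) the group lookup has no effect there. The sketch below fetches groups or roles whenever the corresponding map is non-empty, rather than only once an ADMIN entry is seen. The tail of the method, including how a failed check is reported, is in the following hunk and beyond.

```java
private void validateAdmin(String userName, String objType, String objName, RangerGdsObjectACL acl, ValidationResult result) {
    boolean isAdmin = false;

    if (acl != null) {
        // users map is keyed by user name; assumes userName is non-null (confirm for the map type in use)
        isAdmin = MapUtils.isNotEmpty(acl.getUsers()) && acl.getUsers().get(userName) == GdsPermission.ADMIN;

        if (!isAdmin && MapUtils.isNotEmpty(acl.getGroups())) {
            isAdmin = grantsAdmin(acl.getGroups(), dataProvider.getGroupsForUser(userName));
        }

        if (!isAdmin && MapUtils.isNotEmpty(acl.getRoles())) {
            isAdmin = grantsAdmin(acl.getRoles(), dataProvider.getRolesForUser(userName));
        }
    }
    // … unchanged: reporting of the failure when isAdmin is false …

// Returns true when 'entries' maps any of 'names' to GdsPermission.ADMIN.
private static boolean grantsAdmin(Map<String, GdsPermission> entries, Set<String> names) {
    if (MapUtils.isEmpty(entries) || names == null) {
        return false;
    }

    for (String name : names) {
        if (entries.get(name) == GdsPermission.ADMIN) {
            return true;
        }
    }

    return false;
}
```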
@@ -613,11 +647,11 @@ public class RangerGdsValidator { userRoles = dataProvider.getRolesForUser(userName); } - isAdmin = userRoles != null && userRoles.contains(admin.getName()); - } + if (userRoles != null && userRoles.contains(roleName)) { + isAdmin = true; - if (isAdmin) { - break; + break; + } } } }