[ 
https://issues.apache.org/jira/browse/RANGER-5000?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17899902#comment-17899902
 ] 

Radhika Kundam commented on RANGER-5000:
----------------------------------------

Patch: [https://reviews.apache.org/r/75280/]

Dataset policy creation works even when the policy items are not properly 
formed in the policy. With this patch it'll validate policy items while creating 
policy. And below are the validations included.

UseCase-1: Null policy items
"policyItems": [
  null
]
Error Msg: "msgDesc": "[ Validation failure: error code[3019], reason[policy 
items object was null], field[policy items], subfield[null], type[]]",

UseCase-2: No principals or Principals object with empty or no values
"policyItems": [
  {
    "delegateAdmin": false,
    "accesses": [
      {
        "type": "_ALL",
        "isAllowed": null
      }
    ]
  }
]
 
"policyItems": [
  {
    "delegateAdmin": false,
    "accesses": [
      {
        "type": "_ALL",
        "isAllowed": null
      }
    ],
    "users": [
      " "
    ]
  }
]

"policyItems": [
  {
    "delegateAdmin": false,
    "accesses": [
      {
        "type": "_ALL",
        "isAllowed": null
      }
    ],
    "users": [
      
    ]
  }
]
Error Msg: "msgDesc": "[ Validation failure: error code[3020], reason[All of 
users,  user-groups and roles collections on the policy item were null/empty], 
field[policy items], subfield[null], type[]]"


UseCase-3: Access object with no or empty access type

"policyItems": [
  {
    "delegateAdmin": false,
    "accesses": [
      {
        "isAllowed": true
      }
    ],
    "users": [
      "hive"
    ]
  }
]

"policyItems": [
  {
    "delegateAdmin": false,
    "accesses": [
      {
        "type": " ",
        "isAllowed": true
      }
    ],
    "users": [
      "hive"
    ]
  }
]
Error Msg: "msgDesc": "[ Validation failure: error code[4010], reason[policy 
items access object has empty or null values for type], field[policy items], 
subfield[null], type[]]"

Note: No validation exists for isAllowed being null, as it will default to true 
if isAllowed is passed as NULL.

> Add validations to ensure that the policy items are properly formed during 
> dataset policy creation / edit
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-5000
>                 URL: https://issues.apache.org/jira/browse/RANGER-5000
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Abhishek
>            Assignee: Radhika Kundam
>            Priority: Major
>
> *Problem statement*
> Dataset policy creation works even when the policy items are not properly 
> formed in the policy.
> *Steps to reproduce*
> 1. Create a dataset
> 2. Make a POST request to 
> \{BASE_URL}/service/gds/dataset/\{DATASET_ID}/policy using the following 
> payload
> {code:java}
> {
>    "id":149,
>    "guid":"aa020de3-a433-46c3-b082-5a9330f64c4a",
>    "isEnabled":true,
>    "createdBy":"Admin",
>    "updatedBy":"Admin",
>    "createTime":1731577607000,
>    "updateTime":1731577607000,
>    "version":1,
>    "service":"_gds",
>    "name":"DATASET: test_dataset_1_gckcvky@1731577606501",
>    "policyType":0,
>    "policyPriority":0,
>    "description":"Policy for dataset: test_dataset_1_gckcvky",
>    "resourceSignature":"a2ba2622d4ea10daf494c293d9896b5764319e836b891a4eca6eb5d03b816e69",
>    "isAuditEnabled":true,
>    "resources":{
>       "dataset-id":{
>          "values":[
>             "12"
>          ],
>          "isExcludes":false,
>          "isRecursive":false
>       }
>    },
>    "policyItems":[
>       {
>          "users":[
>             "hrt_10"
>          ],
>          "delegateAdmin":false
>       }
>    ],
>    "serviceType":"gds",
>    "isDenyAllElse":false
> } {code}
> The policy creation is allowed, even though the access types are not present 
> in the policyItems.
> Similarly, if the users/groups/roles section is missing in the policyItems 
> field and only accessTypes are present, still the policy creation works fine.
> This issue is present with the PUT  
> \{BASE_URL}/service/gds/dataset/\{DATASET_ID}/policy/\{POLICY_ID} API 
> endpoint as well.
> *Expectation*
> Validations have to be added to ensure that the policy items are properly 
> formed during dataset policy creation / edit via API.
> Such validations are already present for dataset policy creation / update via 
> UI.
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
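
The three validations listed in the comment, sketched as a client-side pre-check over a policy JSON payload. This is an added example, not Ranger's code or the patch under review: the error codes and reasons are copied from the comment, while the function names, the constructed sample payloads and the `groups`/`roles` key names are assumptions.

```python
import json

# Codes and reasons as quoted in the comment above.
NULL_ITEM = (3019, "policy items object was null")
NO_PRINCIPALS = (3020, "All of users,  user-groups and roles collections "
                       "on the policy item were null/empty")
EMPTY_ACCESS_TYPE = (4010, "policy items access object has empty or null values for type")

def _has_value(values):
    """True if the collection holds at least one non-blank string."""
    return any(isinstance(v, str) and v.strip() for v in (values or []))

def validate_policy_items(policy):
    """Return (item_index, code, reason) findings for a parsed policy dict."""
    findings = []
    for i, item in enumerate(policy.get("policyItems") or []):
        if item is None:                                  # UseCase-1
            findings.append((i, *NULL_ITEM))
            continue
        # UseCase-2: missing, empty and blank-only principal lists all count.
        # "groups" and "roles" are assumed key names; only "users" is on the page.
        if not any(_has_value(item.get(k)) for k in ("users", "groups", "roles")):
            findings.append((i, *NO_PRINCIPALS))
        # UseCase-3: every access object needs a non-blank "type".
        # "isAllowed": null is not flagged, matching the note in the comment.
        for access in item.get("accesses") or []:
            access_type = access.get("type") if access else None
            if not (isinstance(access_type, str) and access_type.strip()):
                findings.append((i, *EMPTY_ACCESS_TYPE))
                break
    return findings

def check(payload_json):
    """Parse a JSON payload and return only the error codes it triggers."""
    return [code for _, code, _ in validate_policy_items(json.loads(payload_json))]

# Constructed sample payloads, modelled on the fragments in the comment.
SAMPLES = {
    "null item": '{"policyItems": [null]}',
    "blank user": '{"policyItems": [{"delegateAdmin": false, "users": [" "],'
                  ' "accesses": [{"type": "_ALL", "isAllowed": null}]}]}',
    "blank type": '{"policyItems": [{"users": ["hive"],'
                  ' "accesses": [{"type": " ", "isAllowed": true}]}]}',
    "well formed": '{"policyItems": [{"users": ["hive"],'
                   ' "accesses": [{"type": "_ALL", "isAllowed": true}]}]}',
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name}: {check(payload)}")
```

An item that has principals but no `accesses` key at all is outside the three cases the comment lists, so this sketch does not assign it a code.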
