mneethiraj commented on code in PR #554:
URL: https://github.com/apache/ranger/pull/554#discussion_r2025945263


##########
security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java:
##########
@@ -516,42 +516,50 @@ private Long createPrincipal(String user) {
             return ret;
         }
 
+        private boolean doesPolicyExist(XXPolicy xPolicy) {
+            return daoMgr.getXXPolicy().getById(xPolicy.getId()) != null;
+        }
+
         private void createPolicyAssociation(Long id, String name) {
             LOG.debug("===> 
PolicyPrincipalAssociator.createPolicyAssociation(policyId={}, type={}, 
name={}, id={})", xPolicy.getId(), type.name(), name, id);
 
-            switch (type) {
-                case USER: {
-                    XXPolicyRefUser xPolUser = 
rangerAuditFields.populateAuditFields(new XXPolicyRefUser(), xPolicy);
+            if (doesPolicyExist(xPolicy)) {
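
Review bot: doesPolicyExist() runs a getById lookup each time createPolicyAssociation is called and is a separate step from the insert it guards, so the same policy is looked up again for every principal and the guard only holds if the check and the insert share one transaction. Consider resolving existence once for the xPolicy this associator works on, and make sure the skipped case is logged with the policy id (the part of the hunk after `if (doesPolicyExist(xPolicy)) {` is not visible here), so an association that was dropped because the policy is gone can be found later in the admin log.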

Review Comment:
   In addition to checking for existence of policy, shouldn't existence of 
user/group/role be checked as well?
   
   ```
   if (doesPolicyExist(xPolicy) && doesPrincipalExist(name, type)) {
   ```



##########
security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java:
##########
@@ -345,45 +345,63 @@ private Long createPrincipal(String user) {
             return ret;
         }
 
+        private boolean doesPrincipalExist(String name, 
PolicyRefUpdater.PRINCIPAL_TYPE type) {
+            switch (type) {
+                case USER:
+                    return daoMgr.getXXUser().findByUserName(name) != null;
+                case GROUP:
+                    return daoMgr.getXXGroup().findByGroupName(name) != null;
+                case ROLE:
+                    return daoMgr.getXXRole().findByRoleName(name) != null;
+                default:
+                    break;
+            }
+            return false;
+        }
+
         private void createRoleAssociation(Long id, String name) {
             LOG.debug("===> 
RolePrincipalAssociator.createRoleAssociation(roleId={}, type={}, name={}, 
id={})", roleId, type.name(), name, id);
 
-            switch (type) {
-                case USER: {
-                    XXRoleRefUser xRoleRefUser = 
rangerAuditFields.populateAuditFieldsForCreate(new XXRoleRefUser());
+            if (doesPrincipalExist(name, type)) {
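
Review bot: in doesPrincipalExist() the `default: break;` arm falls through to `return false`, so a PRINCIPAL_TYPE value added later would have its associations skipped with no trace. Log the unexpected type in the default arm, or throw, rather than treating it as "principal not found". Separately, the lookup is by name although createRoleAssociation also receives `id`, which the debug line logs apart from roleId; if that id identifies the principal, checking by id would match the row being written and avoid name-based lookups. The helper also takes PolicyRefUpdater.PRINCIPAL_TYPE while living in RoleRefUpdater, so a short comment on why it is defined here would help.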

Review Comment:
   In addition to checking for existence of principal (user/group/role), 
shouldn't existence of role be checked as well?
   
   ```
   if (doesRoleExist(id) && doesPrincipalExist(name, type)) {
   ```


