ramackri opened a new pull request, #1072:
URL: https://github.com/apache/ranger/pull/1072

   ## Summary
   
   This PR gates Ozone `action-matches` policy support behind feature flags 
(default **off**), as requested for the 2.9 release. When disabled, the Admin 
UI does not expose the Action condition, the Ozone authorizer does not pass S3 
action context, and DB patch `J10065` skips the ozone service-def update on 
first run. When enabled, all three layers activate together.
   
   **Related:** Builds on Ozone action-matches work (#1054 / 
`PatchForOzoneServiceDefPolicyConditionUpdate_J10065`).
   
   ## Feature flags (default `false`)
   
   | Layer | Property | File |
   |-------|----------|------|
   | Ranger Admin + DB patch | `ranger.ozone.action.policy.enabled` | 
`ranger-admin-default-site.xml` / `ranger-admin-site.xml` |
   | Ozone authorizer plugin | `ranger.plugin.ozone.action.policy.enabled` | 
`ranger-ozone-security.xml` |
   | Admin UI (read via profile API) | `ozoneActionPolicyEnabled` | 
`/service/users/profile` → `configProperties` |
   
   ## File changes and rationale
   
   ### Admin / DB
   - **`ranger-admin-default-site.xml`** — New property 
`ranger.ozone.action.policy.enabled` (default `false`).
   - **`UserREST.java`** — Exposes `ozoneActionPolicyEnabled` in user profile 
`configProperties` so the React UI can gate Action controls without a separate 
API.
   - **`PatchForOzoneServiceDefPolicyConditionUpdate_J10065.java`** — Checks 
`ranger.ozone.action.policy.enabled` before `updateOzoneServiceDef()`. Patch 
still records `J10065` in `x_db_version_h` on first run even when skipped 
(existing Ranger patch semantics).
   
   ### Admin UI (React)
   - **`policyConditionUtils.js`** — `isOzoneActionPolicyEnabled()`, 
`filterPolicyConditionsForFeatureFlags()`, and `isPerRowCondition()` gated on 
the profile flag.
   - **`PolicyPermissionItem.jsx`** — Filters service-def policy conditions 
through the feature-flag helper before rendering per-row **Policy Conditions** 
(Action appears in the popover as **Action:**).
   
   ### Ozone plugin
   - **`ranger-ozone-security.xml`** — New property 
`ranger.plugin.ozone.action.policy.enabled` (default `false`).
   - **`RangerOzoneAuthorizer.java`** — Sets S3 action on authorize context 
only when plugin flag is enabled.
   - **`TestRangerOzoneAuthorizer.java`** — Unit tests for flag on/off behavior.
   
   ### Docker / testing (dev-support)
   - **`test-ozone-action-feature-flag.sh`** — E2E script: login, profile flag, 
ozone service-def info, ozone-om health.
   - **`test-ozone-action-patch-quick-rule.sh`** — Lab script for `J10065` 
patch gating (delete patch rows, flag OFF/ON, run `db_setup.py -javapatch`).
   - **`OZONE-ACTION-POLICY-FEATURE-FLAG-TESTING.md`** — Full upgrade/E2E test 
matrix and troubleshooting.
   - **`README.md`** — Links to testing docs and scripts.
   - **`ranger-ozone-plugin-install.properties`** — Log4j audit for docker 
(Solr audit workaround during smoke tests).
   - **`.env`** — `RANGER_DB_TYPE=postgres` for docker smoke.
   
   ## DB patch behavior (`J10065`)
   
   | DB state | Flag at first patch run | Patch runs? | Service-def updated? |
   |----------|-------------------------|-------------|----------------------|
   | No `J10065` row | OFF | Yes, once | No |
   | No `J10065` row | ON | Yes, once | Yes |
   | `J10065` active=Y | OFF or ON | No | Only if updated in a prior run |
   
   **Note:** Enabling the flag after `J10065` is already applied does **not** 
re-run the patch; it only enables UI + authorizer.
   
   ## Test plan
   
   ### Unit tests
   - [x] `plugin-ozone`: `mvn test -Dtest=TestRangerOzoneAuthorizer` — flag 
on/off authorizer behavior
   
   ### Backend / API (flag OFF)
   - [x] Default `ranger.ozone.action.policy.enabled=false` (no site override)
   - [x] `GET /service/users/profile` → `ozoneActionPolicyEnabled=false`
   - [x] `EXPECT_ENABLED=false 
./scripts/ozone/test-ozone-action-feature-flag.sh` — PASS
   - [x] Ozone OM reachable (HTTP 200)
   
   ### Backend / API (flag ON)
   - [x] Set `ranger.ozone.action.policy.enabled=true` in 
`ranger-admin-site.xml`
   - [x] Set `ranger.plugin.ozone.action.policy.enabled=true` in 
`ranger-ozone-security.xml`
   - [x] Restart admin + `ozone-om`
   - [x] `GET /service/users/profile` → `ozoneActionPolicyEnabled=true`
   - [x] `EXPECT_ENABLED=true 
./scripts/ozone/test-ozone-action-feature-flag.sh` — PASS
   
   ### DB upgrade / patch lab (quick rule)
   - [x] Delete `J10065` + `JAVA_PATCHES` rows, flag **OFF**, `db_setup.py 
-javapatch` → `J10065` inserted (`active=Y`), patch skips service-def update
   - [x] Delete rows again, flag **ON**, `db_setup.py -javapatch` → `J10065` 
inserted, patch applies service-def update
   - [x] `./scripts/ozone/test-ozone-action-patch-quick-rule.sh both` — PASS
   
   ### Manual UI testing
   - [x] Verified profile API: `ozoneActionPolicyEnabled=true` when admin flag 
enabled
   - [x] **Flag ON:** Ozone policy edit (`#/service/10/policies/38/edit`) → 
Allow Conditions row → **Policy Conditions** popover shows **Action:** (with 
**Permissions** selected on the row)
   - [x] **Flag OFF:** Action not shown in per-row Policy Conditions popover 
(after logout/login to refresh profile)
   - [x] Confirmed Action is **not** in the top-level **Policy Conditions :** 
modal (by design; per-row only)
   
   ### Upgrade path (existing smoke DB)
   - [x] Existing Postgres with prior `JAVA_PATCHES` applied — upgrade scenario 
validated via E2E OFF/ON without requiring fresh DB
   
   ## How to verify locally
   
   ```bash
   cd dev-support/ranger-docker
   
   # E2E profile + OM checks
   EXPECT_ENABLED=false ./scripts/ozone/test-ozone-action-feature-flag.sh
   EXPECT_ENABLED=true  ./scripts/ozone/test-ozone-action-feature-flag.sh
   
   # Patch gating lab test (disposable DB only)
   RUN_E2E=false ./scripts/ozone/test-ozone-action-patch-quick-rule.sh both
   ```
   
   See 
`dev-support/ranger-docker/scripts/ozone/OZONE-ACTION-POLICY-FEATURE-FLAG-TESTING.md`
 for the full matrix.
   
   ## Enabling in production
   
   1. Set `ranger.ozone.action.policy.enabled=true` in `ranger-admin-site.xml` 
before or after upgrade (if `J10065` not yet applied, set before first admin 
start to apply service-def update).
   2. Set `ranger.plugin.ozone.action.policy.enabled=true` in 
`ranger-ozone-security.xml` on Ozone OM nodes.
   3. Restart Ranger Admin and Ozone plugin services.
   4. Users must re-login for UI to read updated `ozoneActionPolicyEnabled` 
from profile.
   
   
   Made with [Cursor](https://cursor.com)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to