This is an automated email from the ASF dual-hosted git repository. vel pushed a commit to branch ranger-2.0 in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 77e70cbbc29c23657d41a231927d559cc349aead
Author: Nitin Galave <ni3gal...@apache.org>
AuthorDate: Wed Jul 31 18:29:08 2019 +0530
RANGER-2517: UI changes for policy to implicitly deny all accesses not explicitly allowed by it.
(cherry picked from commit 630d4b7cd112094df1ac9fe55261c112094a9d97)
---
 .../webapp/scripts/modules/globalize/message/en.js | 1 +
 .../scripts/views/policies/RangerPolicyForm.js | 50 +++++++++++++++++++---
 .../scripts/views/policies/RangerPolicyRO.js | 11 ++++-
 security-admin/src/main/webapp/styles/xa.css | 6 +++
 .../templates/policies/RangerPolicyForm_tmpl.html | 6 +++
 .../templates/policies/RangerPolicyRO_tmpl.html | 42 ++++++++++++------
 6 files changed, 95 insertions(+), 21 deletions(-)
diff --git a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
index 8078829..c320fdb 100644
--- a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
+++ b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
@@ -64,6 +64,7 @@ define(function(require) {
 groups : 'Groups',
 group : 'Groups',
 auditLogging : 'Audit Logging',
+ isDenyAllElse : 'Deny All Other Accesses',
 encrypted : 'Encrypt',
 resourceType : 'Resource Type',
 description : 'Description',
diff --git a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js
index a862dde..e2bd6ed 100644
--- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js
+++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js
@@ -113,7 +113,8 @@ define(function(require){
 'allowExcludePerm' : '[data-js="allowExcludePerm"]',
 'policyTimeBtn' : '[data-js="policyTimeBtn"]',
 'policyConditions' : '[data-js="customPolicyConditions"]',
- 'conditionData' : '[data-id="conditionData"]'
+ 'conditionData' : '[data-id="conditionData"]',
+ 'isDenyAllElse' : '[data-js="isDenyAllElse"]',
 },
 /** fields for the form */
@@ -142,10 +143,13 @@ define(function(require){
 if(!_.isUndefined(this.initilializePathPlugin) && this.initilializePathPlugin){
 this.initializePathPlugins(this.pathPluginOpts);
 }
- this.renderCustomFields();
+ if(XAUtil.isAccessPolicy(this.model.get('policyType'))){
+ this.evdenyAccessChange();
+ }
 if(!this.model.isNew()){
 this.setUpSwitches();
 }
+ this.renderCustomFields();
 //checkParent
 this.renderParentChildHideShow();
@@ -321,6 +325,22 @@ define(function(require){
 evIsEnabledChange : function(form, fieldEditor){
 XAUtil.checkDirtyFieldForToggle(fieldEditor.$el);
 },
+ evdenyAccessChange : function(){
+ var that =this;
+ this.$el.find(this.ui.isDenyAllElse).toggles({
+ on : that.model.has('isDenyAllElse') ? that.model.get('isDenyAllElse') : false,
+ text : {on : 'True', off : 'False' },
+ width : 80,
+ }).on('click', function(e){
+ XAUtil.checkDirtyFieldForToggle(that.$el.find(that.ui.isDenyAllElse));
+ if(that.$el.find(that.ui.isDenyAllElse).find('.toggle-slide').hasClass('active')) {
+ that.$el.find(that.ui.denyConditionItems).hide();
+ } else {
+ that.$el.find(that.ui.denyConditionItems).show();
+ }
+ });
+
+ },
 setupForm : function() {
 if(!this.model.isNew()){
 this.selectedResourceTypes = {};
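Review bot: The toggle state is read back from the DOM with `that.$el.find(that.ui.isDenyAllElse).find('.toggle-slide').hasClass('active')` inside the click handler of `evdenyAccessChange` (hunk `@@ -321,6 +325,22 @@`), and the same expression is repeated in the `@@ -393` and `@@ -578` hunks. A single helper on the view, for example `isDenyAllElseOn : function(){ return this.$el.find(this.ui.isDenyAllElse).find('.toggle-slide').hasClass('active'); },`, would keep the three call sites in agreement if the toggle markup changes, which matters because the save path uses this value to decide whether deny items are kept. The method is an initializer invoked from the setup code in the `@@ -142` hunk rather than an event handler, so a one-line comment saying so (or a name that does not start with `ev`) would match what it does; the handler's `e` parameter is unused.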
@@ -393,7 +413,10 @@ define(function(require){
 if( !enableDenyAndExceptionsInPolicies ){
 this.$el.find(this.ui.allowExcludePerm).hide();
 this.$el.find(this.ui.denyConditionItems).remove();
- }
+ }
+ if(enableDenyAndExceptionsInPolicies && this.$el.find(this.ui.isDenyAllElse).find('.toggle-slide').hasClass('active')){
+ this.$el.find(this.ui.denyConditionItems).hide();
+ }
 that.$('[data-customfields="groupPerms"]').html(new PermissionList({
 collection : that.formInputList,
@@ -578,10 +601,20 @@ define(function(require){
 }else if( XAUtil.isRowFilterPolicy(this.model.get('policyType')) ){
 this.model.set('rowFilterPolicyItems', this.setPermissionsToColl(this.formInputList, new RangerPolicyItem()));
 }else{
+ if(this.$el.find(this.ui.isDenyAllElse).find('.toggle-slide').hasClass('active')) {
+ this.model.set('isDenyAllElse',true);
+ } else {
+ this.model.set('isDenyAllElse',false);
+ }
 this.model.set('policyItems', this.setPermissionsToColl(this.formInputList, new RangerPolicyItem()));
- this.model.set('denyPolicyItems', this.setPermissionsToColl(this.formInputDenyList, new RangerPolicyItem()));
 this.model.set('allowExceptions', this.setPermissionsToColl(this.formInputAllowExceptionList, new RangerPolicyItem()));
- this.model.set('denyExceptions', this.setPermissionsToColl(this.formInputDenyExceptionList, new RangerPolicyItem()));
+ if(!this.model.get('isDenyAllElse')){
+ this.model.set('denyPolicyItems', this.setPermissionsToColl(this.formInputDenyList, new RangerPolicyItem()));
+ this.model.set('denyExceptions', this.setPermissionsToColl(this.formInputDenyExceptionList, new RangerPolicyItem()));
+ }else{
+ this.model.set('denyPolicyItems',[]);
+ this.model.set('denyExceptions',[]);
+ }
 }
 this.model.set('service',this.rangerService.get('name'));
 var policyName = this.model.get('name');
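Review bot: When the toggle is on, the `else` branch in the `@@ -578,10 +601,20 @@` hunk sets `denyPolicyItems` and `denyExceptions` to `[]`, so deny conditions already present on an existing policy are dropped on save while their form section is only hidden, and nothing in this hunk tells the user. For an authorization policy that is a silent change to stored rules; consider asking for confirmation when `this.formInputDenyList` or `this.formInputDenyExceptionList` still holds entries, or at least add a comment such as `// isDenyAllElse replaces explicit deny items; they are cleared so the saved policy carries no hidden rules`. The flag and the emptied lists are applied only by this form, so it is worth confirming that the server enforces the same rule for policies submitted by other clients (that code is not part of this diff). The five-line `if/else` that sets the flag can be a single `this.model.set('isDenyAllElse', this.$el.find(this.ui.isDenyAllElse).find('.toggle-slide').hasClass('active'));`. The enclosing function starts and ends outside the hunk.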
@@ -592,6 +625,7 @@ define(function(require){
 if(this.model.has('policyPriority')){
 this.model.set('policyPriority', this.model.get('policyPriority') ? 1 : 0);
 }
+
 },
 setPermissionsToColl : function(list, policyItemList) {
 list.each(function(m){
@@ -917,7 +951,11 @@ define(function(require){
 return obj;
 },
 getPolicyBaseFieldNames : function(){
- return ['description','isAuditEnabled'];
+ var baseField = ['description','isAuditEnabled', 'isDenyAllElse'];
+ if(XAUtil.isMaskingPolicy(this.model.get('policyType')) || XAUtil.isRowFilterPolicy(this.model.get('policyType'))){
+ baseField = _.without(baseField, 'isDenyAllElse');
+ }
+ return baseField;
 },
 getResources : function(){
 if(XAUtil.isMaskingPolicy(this.model.get('policyType'))){
diff --git a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js
index e9fcd7d..af024e2 100644
--- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js
+++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js
@@ -49,7 +49,8 @@ define(function(require) {
 return {
 PolicyDetails: this.policyDetails,
 isDelegatAdmin: isDelegatAdminChk,
- policyType: policyType.label
+ policyType: policyType.label,
+ isDenyAllElse : this.policy.has('isDenyAllElse') && !_.isUndefined(this.policy.get('isDenyAllElse')) ? true : false,
 };
 },
@@ -177,6 +178,9 @@ define(function(require) {
 if(this.policy.has('conditions') && this.policy.get('conditions').length > 0 && self.serviceDef){
 details.conditions = XAUtils.getPolicyConditionDetails(this.policy.get('conditions'), self.serviceDef);
 }
+ if(this.policy.has('isDenyAllElse')) {
+ details.isDenyAllElse = this.policy.get('isDenyAllElse') ? 'TRUE' : 'FALSE';
+ }
 //get policyItems
 this.createPolicyItems();
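Review bot: In RangerPolicyRO.js (`@@ -49,7 +49,8 @@`) the template flag `isDenyAllElse` is true whenever the attribute is present, including when its value is `false`, so the name reads as the policy's setting while it really means "show the row"; the displayed value comes from `details.isDenyAllElse` in the `@@ -177` hunk. Backbone's `has()` already returns false for null and undefined, so the expression reduces to `isDenyAllElse : this.policy.has('isDenyAllElse'),`. A short comment such as `// true when the attribute exists; the row is shown for both TRUE and FALSE` would keep a later reader from treating this flag as the deny-all state. The function that returns this object begins outside the hunk.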
@@ -198,6 +202,11 @@ define(function(require) {
 items.push({'itemName': 'allowExceptions',title : 'Exclude from Allow Conditions'},
 {'itemName': 'denyPolicyItems',title : 'Deny Condition'},
 {'itemName': 'denyExceptions',title : 'Exclude from Deny Conditions'});
+ if(this.policy.has('isDenyAllElse') && this.policy.get('isDenyAllElse')){
+ items = _.reject(items, function(m){
+ return m.itemName == 'denyPolicyItems' || m.itemName == 'denyExceptions'
+ })
+ }
 }
 _.each(items, function(item){
 if(!_.isUndefined(this.policy.get(item.itemName))){
diff --git a/security-admin/src/main/webapp/styles/xa.css b/security-admin/src/main/webapp/styles/xa.css
index 3f39024..ee637d2 100644
--- a/security-admin/src/main/webapp/styles/xa.css
+++ b/security-admin/src/main/webapp/styles/xa.css
@@ -2807,3 +2807,9 @@ div#zoneServiceAccordion table thead {
 padding: 9px 15px;
 background-color: white;
 }
+
+.deny-all-else {
+ margin-top: 16px;
+ margin-bottom: 15px;
+ padding: 9px 0;
+}
diff --git a/security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html b/security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html
index 7436829..ffea44d 100644
--- a/security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html
+++ b/security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html
@@ -101,6 +101,12 @@ language governing permissions and limitations under the License. --}}
 {{/compare}}
 </div>
 {{#compare "Allow" "eq" conditionType}}
+ <div>
+ <div class="toggle-xa control-group">
+ <label class="control-label"> Deny All Other Accesses : </label>
+ <div data-js="isDenyAllElse" class="toggle controls"></div>
+ </div>
+ </div>
 <div data-js="denyConditionItems">
 <p class="wrap-header bold formHeader">Deny Conditions :</p>
diff --git a/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html b/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html
index f8c6bce..c36dc26 100644
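Review bot: The `_.reject` added in the `@@ -198,6 +202,11 @@` hunk removes the `denyPolicyItems` and `denyExceptions` sections from the read-only view whenever `isDenyAllElse` is true, without checking whether the policy object still contains them. The form clears both lists on save, but a policy written by another client may not have passed through that code (not visible in this diff), and a view used to review a policy should show what is stored; consider dropping the sections only when they are empty, or add a comment stating the assumption. The callback is also missing semicolons after the `return` expression and after `})`, and strict comparison is the safer form: `return m.itemName === 'denyPolicyItems' || m.itemName === 'denyExceptions';`.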
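Review bot: The caption `Deny All Other Accesses :` is hard-coded in RangerPolicyForm_tmpl.html (`@@ -101,6 +101,12 @@`), while this commit adds the `isDenyAllElse` string to en.js and the read-only template uses `{{tt 'lbl.isDenyAllElse'}}` for the same caption. If the `tt` helper is available in this template (it does not appear in the visible lines), `<label class="control-label">{{tt 'lbl.isDenyAllElse'}} :</label>` would keep the two views in step and the text translatable.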
--- a/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html
+++ b/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html
@@ -66,6 +66,20 @@
 <span class="label label-inverse pull-right">{{PolicyDetails.isEnabled}}</span>
 </td>
 </tr>
+ <tr>
+ <td>
+ {{tt 'lbl.policyLabels'}}
+ </td>
+ <td>
+ {{#ifCond PolicyDetails.policyLabels.length '==' "0"}}
+ --
+ {{else}}
+ {{#each PolicyDetails.policyLabels}}
+ <span class="label label-inverse ">{{this}}</span>
+ {{/each}}
+ {{/ifCond}}
+ </td>
+ </tr>
 {{#each PolicyDetails.resources}}
 <tr>
 <td>
@@ -102,20 +116,6 @@
 <span class="label label-info">{{PolicyDetails.isAuditEnabled}}</span>
 </td>
 </tr>
- <tr>
- <td>
- {{tt 'lbl.policyLabels'}}
- </td>
- <td>
- {{#ifCond PolicyDetails.policyLabels.length '==' "0"}}
- --
- {{else}}
- {{#each PolicyDetails.policyLabels}}
- <span class="label label-inverse ">{{this}}</span>
- {{/each}}
- {{/ifCond}}
- </td>
- </tr>
 <tr>
 {{#if PolicyDetails.zoneName}}
 <td>{{tt 'lbl.zoneName'}}</td>
@@ -267,6 +267,20 @@
 </tbody>
 </table>
 </div>
+ {{#compare "Exclude from Allow Conditions" "eq" this.title}}
+ {{#if ../../isDenyAllElse}}
+ <div class="deny-all-else">
+ <tr>
+ <td>
+ <b>{{tt 'lbl.isDenyAllElse'}} : </b>
+ </td>
+ <td>
+ <span class="label label-inverse">{{ ../../../ PolicyDetails.isDenyAllElse}}</span>
+ </td>
+ </tr>
+ </div>
+ {{/if}}
+ {{/compare}}
 {{/each}}
 <div class="updateInfo row-fluid">
 <div class="pull-left">
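Review bot: The block added in the `@@ -267,6 +267,20 @@` hunk places `<tr>` and `<td>` directly inside `<div class="deny-all-else">`, after the preceding `</tbody></table></div>` has closed the table, so the row markup is not valid HTML and browsers will typically discard the table tags and run the caption and value together. Plain markup is enough here, for example `<div class="deny-all-else"><b>{{tt 'lbl.isDenyAllElse'}} : </b><span class="label label-inverse">…</span></div>` with the existing value expression kept in the span. The `{{#compare "Exclude from Allow Conditions" "eq" this.title}}` test also ties the placement to a display string defined in RangerPolicyRO.js; comparing on `itemName` would survive a caption change, if that field is in scope inside this `each`.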