[ranger] 01/02: RANGER-2517: UI changes for policy to implicitly deny all accesses not explicitly allowed by it.

vel Thu, 01 Aug 2019 11:45:42 -0700

This is an automated email from the ASF dual-hosted git repository.

vel pushed a commit to branch ranger-2.0
in repository https://gitbox.apache.org/repos/asf/ranger.git


commit 77e70cbbc29c23657d41a231927d559cc349aead
Author: Nitin Galave <ni3gal...@apache.org>
AuthorDate: Wed Jul 31 18:29:08 2019 +0530

    RANGER-2517: UI changes for policy to implicitly deny all accesses not 
explicitly allowed by it.
    
    (cherry picked from commit 630d4b7cd112094df1ac9fe55261c112094a9d97)
---
 .../webapp/scripts/modules/globalize/message/en.js |  1 +
 .../scripts/views/policies/RangerPolicyForm.js     | 50 +++++++++++++++++++---
 .../scripts/views/policies/RangerPolicyRO.js       | 11 ++++-
 security-admin/src/main/webapp/styles/xa.css       |  6 +++
 .../templates/policies/RangerPolicyForm_tmpl.html  |  6 +++
 .../templates/policies/RangerPolicyRO_tmpl.html    | 42 ++++++++++++------
 6 files changed, 95 insertions(+), 21 deletions(-)

diff --git 
a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js 
b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
index 8078829..c320fdb 100644
--- a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
+++ b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
@@ -64,6 +64,7 @@ define(function(require) {
                                groups                                          
: 'Groups',
                                group                                           
: 'Groups',
                                auditLogging                            : 
'Audit Logging',
+                               isDenyAllElse                           : 'Deny 
All Other Accesses',
                                encrypted                                       
: 'Encrypt',
                                resourceType                            : 
'Resource Type',
                                description                             : 
'Description',
diff --git 
a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js 
b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js
index a862dde..e2bd6ed 100644
--- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js
+++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js
@@ -113,7 +113,8 @@ define(function(require){
                        'allowExcludePerm' : '[data-js="allowExcludePerm"]',
                'policyTimeBtn'      : '[data-js="policyTimeBtn"]',
                        'policyConditions' : 
'[data-js="customPolicyConditions"]',
-            'conditionData' : '[data-id="conditionData"]'
+            'conditionData' : '[data-id="conditionData"]',
+            'isDenyAllElse' : '[data-js="isDenyAllElse"]',
                },
                /** fields for the form
                */
@@ -142,10 +143,13 @@ define(function(require){
                         if(!_.isUndefined(this.initilializePathPlugin) && 
this.initilializePathPlugin){
                                this.initializePathPlugins(this.pathPluginOpts);
                        }
-                       this.renderCustomFields();
+                       if(XAUtil.isAccessPolicy(this.model.get('policyType'))){
+                               this.evdenyAccessChange();
+                       }
                        if(!this.model.isNew()){
                                this.setUpSwitches();
                        }
+                       this.renderCustomFields();
                        //checkParent
                        this.renderParentChildHideShow();
 
@@ -321,6 +325,22 @@ define(function(require){
                evIsEnabledChange : function(form, fieldEditor){
                        XAUtil.checkDirtyFieldForToggle(fieldEditor.$el);
                },
+               evdenyAccessChange : function(){
+                       var that =this;
+                       this.$el.find(this.ui.isDenyAllElse).toggles({
+                               on : that.model.has('isDenyAllElse') ? 
that.model.get('isDenyAllElse') : false,
+                               text : {on : 'True', off : 'False' },
+                               width : 80,
+                       }).on('click', function(e){
+                               
XAUtil.checkDirtyFieldForToggle(that.$el.find(that.ui.isDenyAllElse));
+                               
if(that.$el.find(that.ui.isDenyAllElse).find('.toggle-slide').hasClass('active'))
 {
+                                       
that.$el.find(that.ui.denyConditionItems).hide();
+                               } else {
+                                       
that.$el.find(that.ui.denyConditionItems).show();
+                               }
+                       });
+
+               },
                setupForm : function() {
                        if(!this.model.isNew()){
                                this.selectedResourceTypes = {};
@@ -393,7 +413,10 @@ define(function(require){
                        if( !enableDenyAndExceptionsInPolicies ){
                                this.$el.find(this.ui.allowExcludePerm).hide();
                                
this.$el.find(this.ui.denyConditionItems).remove();
-                       } 
+                       }
+                       if(enableDenyAndExceptionsInPolicies && 
this.$el.find(this.ui.isDenyAllElse).find('.toggle-slide').hasClass('active')){
+                               
this.$el.find(this.ui.denyConditionItems).hide();
+                       }
        
                         that.$('[data-customfields="groupPerms"]').html(new 
PermissionList({
                                 collection : that.formInputList,
@@ -578,10 +601,20 @@ define(function(require){
                        }else if( 
XAUtil.isRowFilterPolicy(this.model.get('policyType')) ){
                                this.model.set('rowFilterPolicyItems', 
this.setPermissionsToColl(this.formInputList, new RangerPolicyItem()));
                        }else{
+                   
if(this.$el.find(this.ui.isDenyAllElse).find('.toggle-slide').hasClass('active'))
 {
+                       this.model.set('isDenyAllElse',true);
+                   } else {
+                       this.model.set('isDenyAllElse',false);
+                   }
                                this.model.set('policyItems', 
this.setPermissionsToColl(this.formInputList, new RangerPolicyItem()));
-                               this.model.set('denyPolicyItems', 
this.setPermissionsToColl(this.formInputDenyList, new RangerPolicyItem()));
                                this.model.set('allowExceptions', 
this.setPermissionsToColl(this.formInputAllowExceptionList, new 
RangerPolicyItem()));
-                               this.model.set('denyExceptions', 
this.setPermissionsToColl(this.formInputDenyExceptionList, new 
RangerPolicyItem()));
+                               if(!this.model.get('isDenyAllElse')){
+                                       this.model.set('denyPolicyItems', 
this.setPermissionsToColl(this.formInputDenyList, new RangerPolicyItem()));
+                                       this.model.set('denyExceptions', 
this.setPermissionsToColl(this.formInputDenyExceptionList, new 
RangerPolicyItem()));
+                               }else{
+                                       this.model.set('denyPolicyItems',[]);
+                                       this.model.set('denyExceptions',[]);
+                               }
                        }
                        
this.model.set('service',this.rangerService.get('name'));
             var policyName = this.model.get('name');
@@ -592,6 +625,7 @@ define(function(require){
                         if(this.model.has('policyPriority')){
                                 this.model.set('policyPriority', 
this.model.get('policyPriority') ? 1 : 0);
                         }
+
                },
                setPermissionsToColl : function(list, policyItemList) {
                        list.each(function(m){
@@ -917,7 +951,11 @@ define(function(require){
                        return obj;
                },
                getPolicyBaseFieldNames : function(){
-                        return ['description','isAuditEnabled'];
+                       var baseField = ['description','isAuditEnabled', 
'isDenyAllElse'];
+                       if(XAUtil.isMaskingPolicy(this.model.get('policyType')) 
|| XAUtil.isRowFilterPolicy(this.model.get('policyType'))){
+                               baseField = _.without(baseField, 
'isDenyAllElse');
+                       }
+                       return baseField;
                },
                getResources : function(){
                        
if(XAUtil.isMaskingPolicy(this.model.get('policyType'))){
diff --git 
a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 
b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js
index e9fcd7d..af024e2 100644
--- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js
+++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js
@@ -49,7 +49,8 @@ define(function(require) {
                        return {
                                PolicyDetails: this.policyDetails,
                 isDelegatAdmin: isDelegatAdminChk,
-                policyType: policyType.label
+                policyType: policyType.label,
+                isDenyAllElse : this.policy.has('isDenyAllElse') && 
!_.isUndefined(this.policy.get('isDenyAllElse')) ? true : false,
                        };
                },
 
@@ -177,6 +178,9 @@ define(function(require) {
             if(this.policy.has('conditions') && 
this.policy.get('conditions').length > 0 && self.serviceDef){
                 details.conditions = 
XAUtils.getPolicyConditionDetails(this.policy.get('conditions'), 
self.serviceDef);
             }
+            if(this.policy.has('isDenyAllElse')) {
+               details.isDenyAllElse = this.policy.get('isDenyAllElse') ? 
'TRUE' : 'FALSE';
+            }
                        //get policyItems
                        this.createPolicyItems();
                        
@@ -198,6 +202,11 @@ define(function(require) {
                 items.push({'itemName': 'allowExceptions',title : 'Exclude 
from Allow Conditions'},
                           {'itemName': 'denyPolicyItems',title : 'Deny 
Condition'},
                           {'itemName': 'denyExceptions',title : 'Exclude from 
Deny Conditions'});
+                if(this.policy.has('isDenyAllElse') && 
this.policy.get('isDenyAllElse')){
+                       items = _.reject(items, function(m){
+                               return m.itemName == 'denyPolicyItems' || 
m.itemName == 'denyExceptions'
+                       })
+                }
             }
                        _.each(items, function(item){
                 if(!_.isUndefined(this.policy.get(item.itemName))){
diff --git a/security-admin/src/main/webapp/styles/xa.css 
b/security-admin/src/main/webapp/styles/xa.css
index 3f39024..ee637d2 100644
--- a/security-admin/src/main/webapp/styles/xa.css
+++ b/security-admin/src/main/webapp/styles/xa.css
@@ -2807,3 +2807,9 @@ div#zoneServiceAccordion table thead {
   padding: 9px 15px;
   background-color: white;
 }
+
+.deny-all-else {
+  margin-top: 16px;
+  margin-bottom: 15px;
+  padding: 9px 0;
+}
diff --git 
a/security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html 
b/security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html
index 7436829..ffea44d 100644
--- 
a/security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html
+++ 
b/security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html
@@ -101,6 +101,12 @@ language governing permissions and limitations under the 
License. --}}
                                {{/compare}}
                        </div>
                        {{#compare "Allow" "eq" conditionType}}
+                               <div>
+                                       <div class="toggle-xa control-group">
+                                               <label class="control-label"> 
Deny All Other Accesses : </label>
+                                               <div data-js="isDenyAllElse" 
class="toggle controls"></div>
+                                       </div>
+                               </div>
                                <div data-js="denyConditionItems">
                                        <p class="wrap-header bold 
formHeader">Deny Conditions :</p>
                                        &nbsp;
diff --git 
a/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html 
b/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html
index f8c6bce..c36dc26 100644
--- a/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html
+++ b/security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html
@@ -66,6 +66,20 @@
           <span class="label label-inverse 
pull-right">{{PolicyDetails.isEnabled}}</span>
         </td>
       </tr>
+      <tr>
+        <td>
+          {{tt 'lbl.policyLabels'}}
+        </td>
+        <td>
+        {{#ifCond PolicyDetails.policyLabels.length '==' "0"}}
+          --
+        {{else}}
+          {{#each PolicyDetails.policyLabels}}
+            <span class="label label-inverse ">{{this}}</span>
+          {{/each}}
+        {{/ifCond}}
+        </td>
+      </tr>
       {{#each PolicyDetails.resources}}
       <tr>
         <td>
@@ -102,20 +116,6 @@
           <span class="label 
label-info">{{PolicyDetails.isAuditEnabled}}</span>
         </td>
       </tr>
-      <tr>
-        <td>
-          {{tt 'lbl.policyLabels'}}
-        </td>
-        <td>
-        {{#ifCond PolicyDetails.policyLabels.length '==' "0"}}
-                --
-        {{else}}
-                        {{#each PolicyDetails.policyLabels}}
-                                <span class="label label-inverse 
">{{this}}</span>
-                        {{/each}}
-        {{/ifCond}}
-        </td>
-      </tr>
         <tr>
             {{#if PolicyDetails.zoneName}}
                 <td>{{tt 'lbl.zoneName'}}</td>
@@ -267,6 +267,20 @@
            </tbody>
          </table>
        </div>
+  {{#compare "Exclude from Allow Conditions" "eq" this.title}}
+    {{#if ../../isDenyAllElse}}
+      <div class="deny-all-else">
+        <tr>
+          <td>
+            <b>{{tt 'lbl.isDenyAllElse'}} : </b>
+          </td>
+          <td>
+            <span class="label label-inverse">{{ ../../../  
PolicyDetails.isDenyAllElse}}</span>
+          </td>
+        </tr>
+      </div>
+    {{/if}}
+  {{/compare}}
 {{/each}}
 <div class="updateInfo row-fluid">
   <div class="pull-left">

[ranger] 01/02: RANGER-2517: UI changes for policy to implicitly deny all accesses not explicitly allowed by it.

Reply via email to