RANGER-4669: updated GDS APIs for retrieving datasets shared with the caller to consider roles assigned to user

Signed-off-by: Madhan Neethiraj <madhan@apache.org>
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
index 69b43f2..4fa9c48 100755
--- a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
@@ -1602,7 +1602,7 @@
 
         if (isSharedWithMe) {
             groups = validationDBProvider.getGroupsForUser(userName);
-            roles  = validationDBProvider.getRolesForUser(userName);
+            roles  = validationDBProvider.getRolesForUserAndGroups(userName, groups);
         }
 
         for (RangerProject project : result.getList()) {
@@ -1635,7 +1635,7 @@
 
         if (isSharedWithMe) {
             groups = validationDBProvider.getGroupsForUser(userName);
-            roles  = validationDBProvider.getRolesForUser(userName);
+            roles  = validationDBProvider.getRolesForUserAndGroups(userName, groups);
         }
 
         for (RangerDataset dataset : result.getList()) {
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/GdsPolicyAdminCache.java b/security-admin/src/main/java/org/apache/ranger/biz/GdsPolicyAdminCache.java
index 97d4b25..41056c9 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/GdsPolicyAdminCache.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/GdsPolicyAdminCache.java
@@ -22,6 +22,7 @@
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyengine.gds.GdsPolicyEngine;
 import org.apache.ranger.plugin.util.ServicePolicies;
 import org.slf4j.Logger;
@@ -89,8 +90,12 @@
 
                 ret = policyItem.getUsers() != null && policyItem.getUsers().contains(user);
 
-                if (!ret && groups != null && policyItem.getGroups() != null) {
-                    ret = CollectionUtils.containsAny(groups, policyItem.getGroups());
+                if (!ret && policyItem.getGroups() != null) {
+                    ret = policyItem.getGroups().contains(RangerPolicyEngine.GROUP_PUBLIC);
+
+                    if (!ret && groups != null) {
+                        ret = CollectionUtils.containsAny(groups, policyItem.getGroups());
+                    }
                 }
 
                 if (!ret && roles != null && policyItem.getRoles() != null) {
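Review bot: The new public-group check `policyItem.getGroups().contains(RangerPolicyEngine.GROUP_PUBLIC)` returns true without consulting `user` or `groups`, so every caller that reaches this predicate matches a policy item granted to the public group, including a call made with a null or empty user name. Whether callers always pass an authenticated user is not visible here, because the enclosing method starts and ends outside the hunk. If that is not guaranteed upstream, I would make the intent explicit with a guard such as `if (!ret && user != null && policyItem.getGroups() != null) {`. In either case a short comment above the check would help, for example `// public group matches every authenticated user, regardless of group membership`.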
diff --git a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDBProvider.java b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDBProvider.java
index 30d2317..43e73f9 100644
--- a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDBProvider.java
+++ b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDBProvider.java
@@ -17,6 +17,8 @@
 
 package org.apache.ranger.validation;
 
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
 import org.apache.ranger.biz.RangerBizUtil;
 import org.apache.ranger.biz.RoleDBStore;
 import org.apache.ranger.biz.ServiceMgr;
@@ -29,6 +31,7 @@
 import org.apache.ranger.plugin.model.RangerGds.RangerProject;
 import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
 import org.apache.ranger.plugin.model.RangerService;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.util.RangerRoles;
 import org.apache.ranger.plugin.util.RangerRolesUtil;
 import org.apache.ranger.plugin.util.ServiceDefUtil;
@@ -41,9 +44,11 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
+import java.util.Collection;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
+import java.util.Map;
 
 import static org.apache.ranger.db.XXGlobalStateDao.RANGER_GLOBAL_STATE_NAME_ROLE;
 
@@ -164,6 +169,27 @@
         return rolesUtil != null && rolesUtil.getUserRoleMapping() != null ? rolesUtil.getUserRoleMapping().get(userName) : null;
     }
 
+    public Set<String> getRolesForUserAndGroups(String userName, Collection<String> groups) {
+        RangerRolesUtil rolesUtil = initGetRolesUtil();
+        Set<String>     ret       = getRolesForUser(userName);
+
+        if (rolesUtil != null) {
+            final Map<String, Set<String>> groupRoleMapping = rolesUtil.getGroupRoleMapping();
+
+            if (MapUtils.isNotEmpty(groupRoleMapping)) {
+                if (CollectionUtils.isNotEmpty(groups)) {
+                    for (String group : groups) {
+                        ret = addRoles(ret, groupRoleMapping.get(group));
+                    }
+                }
+
+                ret = addRoles(ret, groupRoleMapping.get(RangerPolicyEngine.GROUP_PUBLIC));
+            }
+        }
+
+        return ret;
+    }
+
     public Set<String> getAccessTypes(String serviceName) {
         List<String> accessTypes = daoMgr.getXXAccessTypeDef().getNamesByServiceName(serviceName);
         Set<String>  ret         = new HashSet<>(accessTypes);
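Review bot: `getRolesForUserAndGroups` adds group and public-group roles into the very set it gets from `getRolesForUser(userName)`, and the context line above it returns `rolesUtil.getUserRoleMapping().get(userName)` directly, which looks like the set held inside the shared `RangerRolesUtil` mapping. If so, each call writes group-derived roles into the user's direct-role entry, so a user later removed from a group could still appear to hold that group's roles until the roles cache is rebuilt. It also means a shared set is mutated from request threads, and the call would throw if the mapping ever held unmodifiable sets. Copying first avoids all three: `Set<String> userRoles = getRolesForUser(userName);` then `Set<String> ret = userRoles != null ? new HashSet<>(userRoles) : null;`. The `addRoles` helper added in the last hunk of this file mutates its first argument in place, so it deserves a one-line comment saying callers must pass a set they own.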
@@ -266,4 +292,16 @@
 
         return ret;
     }
+
+    private Set<String> addRoles(Set<String> allRoles, Set<String> rolesToAdd) {
+        if (CollectionUtils.isNotEmpty(rolesToAdd)) {
+            if (allRoles == null) {
+                allRoles = new HashSet<>();
+            }
+
+            allRoles.addAll(rolesToAdd);
+        }
+
+        return allRoles;
+    }
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDataProvider.java b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDataProvider.java
index 2c8721e..f8efaa6 100644
--- a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDataProvider.java
+++ b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDataProvider.java
@@ -23,6 +23,7 @@
 import org.apache.ranger.plugin.model.RangerGds.RangerDataset;
 import org.apache.ranger.plugin.model.RangerGds.RangerProject;
 
+import java.util.Collection;
 import java.util.Set;
 
 public abstract class RangerGdsValidationDataProvider {
@@ -57,6 +58,8 @@
 
     public abstract Set<String> getRolesForUser(String userName);
 
+    public abstract Set<String> getRolesForUserAndGroups(String userName, Collection<String> groups);
+
     public abstract Set<String> getAccessTypes(String serviceName);
 
     public abstract Set<String> getMaskTypes(String serviceName);
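Review bot: The new abstract `getRolesForUserAndGroups` has no Javadoc, so implementers cannot tell from the contract what the result must contain or whether it may be null. The DB implementation in this commit includes roles granted to the user directly, through each listed group, and through the public group, and it returns null when none are found. I would state that on the abstract method, and also say whether the returned set is the caller's own copy, since these roles feed the shared-with-me authorization filtering. A Javadoc block with `@param groups` (may be null or empty) and `@return` (may be null) would cover it.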