NIFI-4614: - Updating the types of resources that are filtered out for viewing purposes. Updates include resources with no values and resources that contain wildcards.

This closes #2277. Signed-off-by: Bryan Bende <bbende@apache.org>
2017-11-17 14:05:49 -05:00 · 2017-11-17 14:05:49 -05:00 · ff5325b923
parent 439e13a8d5
commit ff5325b923
2 changed files with 90 additions and 1 deletions
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerBasePluginWithPolicies.java
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerBasePluginWithPolicies.java
@ -47,6 +47,8 @@ public class RangerBasePluginWithPolicies extends RangerBasePlugin {

    private static final Logger logger = LoggerFactory.getLogger(RangerBasePluginWithPolicies.class);

+    private final static String WILDCARD_ASTERISK = "*";
+
    private UserGroupProvider userGroupProvider;
    private AtomicReference<PolicyLookup> policies = new AtomicReference<>(new PolicyLookup());

@ -110,9 +112,26 @@ public class RangerBasePluginWithPolicies extends RangerBasePlugin {
                // get all the resources for this policy - excludes/recursive support disabled
                final Set<String> resources = policy.getResources().values().stream()
                        .filter(resource -> {
+                            final boolean isMissingResource;
+                            final boolean isWildcard;
+                            if (resource.getValues() == null) {
+                                isMissingResource = true;
+                                isWildcard = false;
+                            } else {
+                                isMissingResource = false;
+                                isWildcard = resource.getValues().stream().anyMatch(value -> value.contains(WILDCARD_ASTERISK));
+                            }
+
                            final boolean isExclude = Boolean.TRUE.equals(resource.getIsExcludes());
                            final boolean isRecursive =  Boolean.TRUE.equals(resource.getIsRecursive());

+                            if (isMissingResource) {
+                                logger.warn("Encountered resources missing values. Skipping policy for viewing purposes. Will still be used for access decisions.");
+                            }
+                            if (isWildcard) {
+                                logger.warn(String.format("Resources [%s] include a wildcard value. Skipping policy for viewing purposes. "
+                                        + "Will still be used for access decisions.", StringUtils.join(resource.getValues(), ", ")));
+                            }
                            if (isExclude) {
                                logger.warn(String.format("Resources [%s] marked as an exclude policy. Skipping policy for viewing purposes. "
                                        + "Will still be used for access decisions.", StringUtils.join(resource.getValues(), ", ")));
@ -122,7 +141,7 @@ public class RangerBasePluginWithPolicies extends RangerBasePlugin {
                                        + "Will still be used for access decisions.", StringUtils.join(resource.getValues(), ", ")));
                            }

-                            return !isExclude && !isRecursive;
+                            return !isMissingResource && !isWildcard && !isExclude && !isRecursive;
                        })
                        .flatMap(resource -> resource.getValues().stream())
                        .collect(Collectors.toSet());
--- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerBasePluginWithPolicies.java
+++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerBasePluginWithPolicies.java
@ -199,6 +199,76 @@ public class TestRangerBasePluginWithPolicies {
        assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ));
    }

+    @Test
+    public void testMissingResourceValue() {
+        final String resourceIdentifier1 = "/resource-1";
+        RangerPolicyResource resource1 = new RangerPolicyResource();
+
+        final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
+        policy1Resources.put(resourceIdentifier1, resource1);
+
+        final RangerPolicyItem policy1Item = new RangerPolicyItem();
+        policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
+
+        final RangerPolicy policy1 = new RangerPolicy();
+        policy1.setResources(policy1Resources);
+        policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
+
+        final List<RangerPolicy> policies = new ArrayList<>();
+        policies.add(policy1);
+
+        final RangerServiceDef serviceDef = new RangerServiceDef();
+        serviceDef.setName("nifi");
+
+        final ServicePolicies servicePolicies = new ServicePolicies();
+        servicePolicies.setPolicies(policies);
+        servicePolicies.setServiceDef(serviceDef);
+
+        // set all the policies in the plugin
+        final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi");
+        pluginWithPolicies.setPolicies(servicePolicies);
+
+        // ensure the policy was skipped
+        assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
+        assertTrue(pluginWithPolicies.getAccessPolicies().isEmpty());
+        assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
+    }
+
+    @Test
+    public void testWildcardResourceValue() {
+        final String resourceIdentifier1 = "*";
+        RangerPolicyResource resource1 = new RangerPolicyResource(resourceIdentifier1);
+
+        final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
+        policy1Resources.put(resourceIdentifier1, resource1);
+
+        final RangerPolicyItem policy1Item = new RangerPolicyItem();
+        policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
+
+        final RangerPolicy policy1 = new RangerPolicy();
+        policy1.setResources(policy1Resources);
+        policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
+
+        final List<RangerPolicy> policies = new ArrayList<>();
+        policies.add(policy1);
+
+        final RangerServiceDef serviceDef = new RangerServiceDef();
+        serviceDef.setName("nifi");
+
+        final ServicePolicies servicePolicies = new ServicePolicies();
+        servicePolicies.setPolicies(policies);
+        servicePolicies.setServiceDef(serviceDef);
+
+        // set all the policies in the plugin
+        final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi");
+        pluginWithPolicies.setPolicies(servicePolicies);
+
+        // ensure the policy was skipped
+        assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
+        assertTrue(pluginWithPolicies.getAccessPolicies().isEmpty());
+        assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
+    }
+
    @Test
    public void testExcludesPolicy() {
        final String resourceIdentifier1 = "/resource-1";