From ff5325b923b63ceb3ba964233e2cbe05bff3e920 Mon Sep 17 00:00:00 2001 From: Matt Gilman Date: Fri, 17 Nov 2017 14:05:49 -0500 Subject: [PATCH] NIFI-4614: - Updating the types of resources that are filtered out for viewing purposes. Updates include resources with no values and resources that contain wildcards. This closes #2277. Signed-off-by: Bryan Bende --- .../RangerBasePluginWithPolicies.java | 21 +++++- .../TestRangerBasePluginWithPolicies.java | 70 +++++++++++++++++++ 2 files changed, 90 insertions(+), 1 deletion(-) diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerBasePluginWithPolicies.java b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerBasePluginWithPolicies.java index c74a7d1b9d..e06c0ebdf3 100644 --- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerBasePluginWithPolicies.java +++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerBasePluginWithPolicies.java @@ -47,6 +47,8 @@ public class RangerBasePluginWithPolicies extends RangerBasePlugin { private static final Logger logger = LoggerFactory.getLogger(RangerBasePluginWithPolicies.class); + private final static String WILDCARD_ASTERISK = "*"; + private UserGroupProvider userGroupProvider; private AtomicReference policies = new AtomicReference<>(new PolicyLookup()); @@ -110,9 +112,26 @@ public class RangerBasePluginWithPolicies extends RangerBasePlugin { // get all the resources for this policy - excludes/recursive support disabled final Set resources = policy.getResources().values().stream() .filter(resource -> { + final boolean isMissingResource; + final boolean isWildcard; + if (resource.getValues() == null) { + isMissingResource = true; + isWildcard = false; + } else { + isMissingResource = false; + isWildcard = resource.getValues().stream().anyMatch(value -> value.contains(WILDCARD_ASTERISK)); + } + final boolean isExclude = Boolean.TRUE.equals(resource.getIsExcludes()); final boolean isRecursive = Boolean.TRUE.equals(resource.getIsRecursive()); + if (isMissingResource) { + logger.warn("Encountered resources missing values. Skipping policy for viewing purposes. Will still be used for access decisions."); + } + if (isWildcard) { + logger.warn(String.format("Resources [%s] include a wildcard value. Skipping policy for viewing purposes. " + + "Will still be used for access decisions.", StringUtils.join(resource.getValues(), ", "))); + } if (isExclude) { logger.warn(String.format("Resources [%s] marked as an exclude policy. Skipping policy for viewing purposes. " + "Will still be used for access decisions.", StringUtils.join(resource.getValues(), ", "))); @@ -122,7 +141,7 @@ public class RangerBasePluginWithPolicies extends RangerBasePlugin { + "Will still be used for access decisions.", StringUtils.join(resource.getValues(), ", "))); } - return !isExclude && !isRecursive; + return !isMissingResource && !isWildcard && !isExclude && !isRecursive; }) .flatMap(resource -> resource.getValues().stream()) .collect(Collectors.toSet()); diff --git a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerBasePluginWithPolicies.java b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerBasePluginWithPolicies.java index a9f38ba369..2e6a89de79 100644 --- a/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerBasePluginWithPolicies.java +++ b/nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerBasePluginWithPolicies.java @@ -199,6 +199,76 @@ public class TestRangerBasePluginWithPolicies { assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ)); } + @Test + public void testMissingResourceValue() { + final String resourceIdentifier1 = "/resource-1"; + RangerPolicyResource resource1 = new RangerPolicyResource(); + + final Map policy1Resources = new HashMap<>(); + policy1Resources.put(resourceIdentifier1, resource1); + + final RangerPolicyItem policy1Item = new RangerPolicyItem(); + policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList())); + + final RangerPolicy policy1 = new RangerPolicy(); + policy1.setResources(policy1Resources); + policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList())); + + final List policies = new ArrayList<>(); + policies.add(policy1); + + final RangerServiceDef serviceDef = new RangerServiceDef(); + serviceDef.setName("nifi"); + + final ServicePolicies servicePolicies = new ServicePolicies(); + servicePolicies.setPolicies(policies); + servicePolicies.setServiceDef(serviceDef); + + // set all the policies in the plugin + final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi"); + pluginWithPolicies.setPolicies(servicePolicies); + + // ensure the policy was skipped + assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE)); + assertTrue(pluginWithPolicies.getAccessPolicies().isEmpty()); + assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE)); + } + + @Test + public void testWildcardResourceValue() { + final String resourceIdentifier1 = "*"; + RangerPolicyResource resource1 = new RangerPolicyResource(resourceIdentifier1); + + final Map policy1Resources = new HashMap<>(); + policy1Resources.put(resourceIdentifier1, resource1); + + final RangerPolicyItem policy1Item = new RangerPolicyItem(); + policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList())); + + final RangerPolicy policy1 = new RangerPolicy(); + policy1.setResources(policy1Resources); + policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList())); + + final List policies = new ArrayList<>(); + policies.add(policy1); + + final RangerServiceDef serviceDef = new RangerServiceDef(); + serviceDef.setName("nifi"); + + final ServicePolicies servicePolicies = new ServicePolicies(); + servicePolicies.setPolicies(policies); + servicePolicies.setServiceDef(serviceDef); + + // set all the policies in the plugin + final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi"); + pluginWithPolicies.setPolicies(servicePolicies); + + // ensure the policy was skipped + assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE)); + assertTrue(pluginWithPolicies.getAccessPolicies().isEmpty()); + assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE)); + } + @Test public void testExcludesPolicy() { final String resourceIdentifier1 = "/resource-1";