NIFI-4614: - Updating the types of resources that are filtered out for viewing purposes. Updates include resources with no values and resources that contain wildcards.

This closes #2277.

Signed-off-by: Bryan Bende <bbende@apache.org>

nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/main/java/org/apache/nifi/ranger/authorization/RangerBasePluginWithPolicies.java

@@ -47,6 +47,8 @@ public class RangerBasePluginWithPolicies extends RangerBasePlugin {
 
     private static final Logger logger = LoggerFactory.getLogger(RangerBasePluginWithPolicies.class);
 
+    private final static String WILDCARD_ASTERISK = "*";
+
     private UserGroupProvider userGroupProvider;
     private AtomicReference<PolicyLookup> policies = new AtomicReference<>(new PolicyLookup());
 
@@ -110,9 +112,26 @@ public class RangerBasePluginWithPolicies extends RangerBasePlugin {
                 // get all the resources for this policy - excludes/recursive support disabled
                 final Set<String> resources = policy.getResources().values().stream()
                         .filter(resource -> {
+                            final boolean isMissingResource;
+                            final boolean isWildcard;
+                            if (resource.getValues() == null) {
+                                isMissingResource = true;
+                                isWildcard = false;
+                            } else {
+                                isMissingResource = false;
+                                isWildcard = resource.getValues().stream().anyMatch(value -> value.contains(WILDCARD_ASTERISK));
+                            }
+
                             final boolean isExclude = Boolean.TRUE.equals(resource.getIsExcludes());
                             final boolean isRecursive =  Boolean.TRUE.equals(resource.getIsRecursive());
 
+                            if (isMissingResource) {
+                                logger.warn("Encountered resources missing values. Skipping policy for viewing purposes. Will still be used for access decisions.");
+                            }
+                            if (isWildcard) {
+                                logger.warn(String.format("Resources [%s] include a wildcard value. Skipping policy for viewing purposes. "
+                                        + "Will still be used for access decisions.", StringUtils.join(resource.getValues(), ", ")));
+                            }
                             if (isExclude) {
                                 logger.warn(String.format("Resources [%s] marked as an exclude policy. Skipping policy for viewing purposes. "
                                         + "Will still be used for access decisions.", StringUtils.join(resource.getValues(), ", ")));
@@ -122,7 +141,7 @@ public class RangerBasePluginWithPolicies extends RangerBasePlugin {
                                         + "Will still be used for access decisions.", StringUtils.join(resource.getValues(), ", ")));
                             }
 
-                            return !isExclude && !isRecursive;
+                            return !isMissingResource && !isWildcard && !isExclude && !isRecursive;
                         })
                         .flatMap(resource -> resource.getValues().stream())
                         .collect(Collectors.toSet());

nifi-nar-bundles/nifi-ranger-bundle/nifi-ranger-plugin/src/test/java/org/apache/nifi/ranger/authorization/TestRangerBasePluginWithPolicies.java

@@ -199,6 +199,76 @@ public class TestRangerBasePluginWithPolicies {
         assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.READ));
     }
 
+    @Test
+    public void testMissingResourceValue() {
+        final String resourceIdentifier1 = "/resource-1";
+        RangerPolicyResource resource1 = new RangerPolicyResource();
+
+        final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
+        policy1Resources.put(resourceIdentifier1, resource1);
+
+        final RangerPolicyItem policy1Item = new RangerPolicyItem();
+        policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
+
+        final RangerPolicy policy1 = new RangerPolicy();
+        policy1.setResources(policy1Resources);
+        policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
+
+        final List<RangerPolicy> policies = new ArrayList<>();
+        policies.add(policy1);
+
+        final RangerServiceDef serviceDef = new RangerServiceDef();
+        serviceDef.setName("nifi");
+
+        final ServicePolicies servicePolicies = new ServicePolicies();
+        servicePolicies.setPolicies(policies);
+        servicePolicies.setServiceDef(serviceDef);
+
+        // set all the policies in the plugin
+        final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi");
+        pluginWithPolicies.setPolicies(servicePolicies);
+
+        // ensure the policy was skipped
+        assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
+        assertTrue(pluginWithPolicies.getAccessPolicies().isEmpty());
+        assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
+    }
+
+    @Test
+    public void testWildcardResourceValue() {
+        final String resourceIdentifier1 = "*";
+        RangerPolicyResource resource1 = new RangerPolicyResource(resourceIdentifier1);
+
+        final Map<String, RangerPolicyResource> policy1Resources = new HashMap<>();
+        policy1Resources.put(resourceIdentifier1, resource1);
+
+        final RangerPolicyItem policy1Item = new RangerPolicyItem();
+        policy1Item.setAccesses(Stream.of(new RangerPolicyItemAccess("WRITE")).collect(Collectors.toList()));
+
+        final RangerPolicy policy1 = new RangerPolicy();
+        policy1.setResources(policy1Resources);
+        policy1.setPolicyItems(Stream.of(policy1Item).collect(Collectors.toList()));
+
+        final List<RangerPolicy> policies = new ArrayList<>();
+        policies.add(policy1);
+
+        final RangerServiceDef serviceDef = new RangerServiceDef();
+        serviceDef.setName("nifi");
+
+        final ServicePolicies servicePolicies = new ServicePolicies();
+        servicePolicies.setPolicies(policies);
+        servicePolicies.setServiceDef(serviceDef);
+
+        // set all the policies in the plugin
+        final RangerBasePluginWithPolicies pluginWithPolicies = new RangerBasePluginWithPolicies("nifi", "nifi");
+        pluginWithPolicies.setPolicies(servicePolicies);
+
+        // ensure the policy was skipped
+        assertFalse(pluginWithPolicies.doesPolicyExist(resourceIdentifier1, RequestAction.WRITE));
+        assertTrue(pluginWithPolicies.getAccessPolicies().isEmpty());
+        assertNull(pluginWithPolicies.getAccessPolicy(resourceIdentifier1, RequestAction.WRITE));
+    }
+
     @Test
     public void testExcludesPolicy() {
         final String resourceIdentifier1 = "/resource-1";