RANGER-4669: updated GDS APIs for retreiving datasets shared with the…

… caller to consider roles assigned to user

Signed-off-by: Madhan Neethiraj <[email protected]>

security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java

@@ -1602,7 +1602,7 @@ private PList<RangerProject> getUnscrubbedProjects(SearchFilter filter) {
 
         if (isSharedWithMe) {
             groups = validationDBProvider.getGroupsForUser(userName);
-            roles  = validationDBProvider.getRolesForUser(userName);
+            roles  = validationDBProvider.getRolesForUserAndGroups(userName, groups);
         }
 
         for (RangerProject project : result.getList()) {
@@ -1635,7 +1635,7 @@ private PList<RangerDataset> getUnscrubbedDatasets(SearchFilter filter) {
 
         if (isSharedWithMe) {
             groups = validationDBProvider.getGroupsForUser(userName);
-            roles  = validationDBProvider.getRolesForUser(userName);
+            roles  = validationDBProvider.getRolesForUserAndGroups(userName, groups);
         }
 
         for (RangerDataset dataset : result.getList()) {

security-admin/src/main/java/org/apache/ranger/biz/GdsPolicyAdminCache.java

@@ -22,6 +22,7 @@
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyengine.gds.GdsPolicyEngine;
 import org.apache.ranger.plugin.util.ServicePolicies;
 import org.slf4j.Logger;
@@ -89,8 +90,12 @@ private boolean hasReference(RangerPolicy policy, String user, Collection<String
 
                 ret = policyItem.getUsers() != null && policyItem.getUsers().contains(user);
 
-                if (!ret && groups != null && policyItem.getGroups() != null) {
-                    ret = CollectionUtils.containsAny(groups, policyItem.getGroups());
+                if (!ret && policyItem.getGroups() != null) {
+                    ret = policyItem.getGroups().contains(RangerPolicyEngine.GROUP_PUBLIC);
+
+                    if (!ret && groups != null) {
+                        ret = CollectionUtils.containsAny(groups, policyItem.getGroups());
+                    }
                 }
 
                 if (!ret && roles != null && policyItem.getRoles() != null) {

security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDBProvider.java

@@ -17,6 +17,8 @@
 
 package org.apache.ranger.validation;
 
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
 import org.apache.ranger.biz.RangerBizUtil;
 import org.apache.ranger.biz.RoleDBStore;
 import org.apache.ranger.biz.ServiceMgr;
@@ -29,6 +31,7 @@
 import org.apache.ranger.plugin.model.RangerGds.RangerProject;
 import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
 import org.apache.ranger.plugin.model.RangerService;
+import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.util.RangerRoles;
 import org.apache.ranger.plugin.util.RangerRolesUtil;
 import org.apache.ranger.plugin.util.ServiceDefUtil;
@@ -41,9 +44,11 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
+import java.util.Collection;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
+import java.util.Map;
 
 import static org.apache.ranger.db.XXGlobalStateDao.RANGER_GLOBAL_STATE_NAME_ROLE;
 
@@ -164,6 +169,27 @@ public Set<String> getRolesForUser(String userName) {
         return rolesUtil != null && rolesUtil.getUserRoleMapping() != null ? rolesUtil.getUserRoleMapping().get(userName) : null;
     }
 
+    public Set<String> getRolesForUserAndGroups(String userName, Collection<String> groups) {
+        RangerRolesUtil rolesUtil = initGetRolesUtil();
+        Set<String>     ret       = getRolesForUser(userName);
+
+        if (rolesUtil != null) {
+            final Map<String, Set<String>> groupRoleMapping = rolesUtil.getGroupRoleMapping();
+
+            if (MapUtils.isNotEmpty(groupRoleMapping)) {
+                if (CollectionUtils.isNotEmpty(groups)) {
+                    for (String group : groups) {
+                        ret = addRoles(ret, groupRoleMapping.get(group));
+                    }
+                }
+
+                ret = addRoles(ret, groupRoleMapping.get(RangerPolicyEngine.GROUP_PUBLIC));
+            }
+        }
+
+        return ret;
+    }
+
     public Set<String> getAccessTypes(String serviceName) {
         List<String> accessTypes = daoMgr.getXXAccessTypeDef().getNamesByServiceName(serviceName);
         Set<String>  ret         = new HashSet<>(accessTypes);
@@ -266,4 +292,16 @@ private RangerRolesUtil initGetRolesUtil() {
 
         return ret;
     }
+
+    private Set<String> addRoles(Set<String> allRoles, Set<String> rolesToAdd) {
+        if (CollectionUtils.isNotEmpty(rolesToAdd)) {
+            if (allRoles == null) {
+                allRoles = new HashSet<>();
+            }
+
+            allRoles.addAll(rolesToAdd);
+        }
+
+        return allRoles;
+    }
 }

security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDataProvider.java

@@ -23,6 +23,7 @@
 import org.apache.ranger.plugin.model.RangerGds.RangerDataset;
 import org.apache.ranger.plugin.model.RangerGds.RangerProject;
 
+import java.util.Collection;
 import java.util.Set;
 
 public abstract class RangerGdsValidationDataProvider {
@@ -57,6 +58,8 @@ public RangerGdsValidationDataProvider() {
 
     public abstract Set<String> getRolesForUser(String userName);
 
+    public abstract Set<String> getRolesForUserAndGroups(String userName, Collection<String> groups);
+
     public abstract Set<String> getAccessTypes(String serviceName);
 
     public abstract Set<String> getMaskTypes(String serviceName);