diff --git a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java index 69b43f2dc3..4fa9c48df8 100755 --- a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java @@ -1602,7 +1602,7 @@ private PList getUnscrubbedProjects(SearchFilter filter) { if (isSharedWithMe) { groups = validationDBProvider.getGroupsForUser(userName); - roles = validationDBProvider.getRolesForUser(userName); + roles = validationDBProvider.getRolesForUserAndGroups(userName, groups); } for (RangerProject project : result.getList()) { @@ -1635,7 +1635,7 @@ private PList getUnscrubbedDatasets(SearchFilter filter) { if (isSharedWithMe) { groups = validationDBProvider.getGroupsForUser(userName); - roles = validationDBProvider.getRolesForUser(userName); + roles = validationDBProvider.getRolesForUserAndGroups(userName, groups); } for (RangerDataset dataset : result.getList()) { diff --git a/security-admin/src/main/java/org/apache/ranger/biz/GdsPolicyAdminCache.java b/security-admin/src/main/java/org/apache/ranger/biz/GdsPolicyAdminCache.java index 97d4b25792..41056c9c23 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/GdsPolicyAdminCache.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/GdsPolicyAdminCache.java @@ -22,6 +22,7 @@ import org.apache.commons.collections.CollectionUtils; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; +import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; import org.apache.ranger.plugin.policyengine.gds.GdsPolicyEngine; import org.apache.ranger.plugin.util.ServicePolicies; import org.slf4j.Logger; 
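Review bot: The two call sites in `getUnscrubbedProjects` and `getUnscrubbedDatasets` now receive a wider `roles` set, but nothing next to the assignment tells a reader why the helper changed. Judging by the implementation added elsewhere in this commit, the set now holds roles granted through the user's groups and through the public group as well as the user's direct roles. I would add a one-line comment above each assignment, for example `// roles held directly, via the user's groups, or via the public group`, because this value presumably decides which projects and datasets appear under "shared with me". Both method bodies start and end outside their hunks, so how `roles` is consumed in the loop is not visible here.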
@@ -89,8 +90,12 @@ private boolean hasReference(RangerPolicy policy, String user, Collection getRolesForUser(String userName) { return rolesUtil != null && rolesUtil.getUserRoleMapping() != null ? rolesUtil.getUserRoleMapping().get(userName) : null; } + public Set getRolesForUserAndGroups(String userName, Collection groups) { + RangerRolesUtil rolesUtil = initGetRolesUtil(); + Set ret = getRolesForUser(userName); + + if (rolesUtil != null) { + final Map> groupRoleMapping = rolesUtil.getGroupRoleMapping(); + + if (MapUtils.isNotEmpty(groupRoleMapping)) { + if (CollectionUtils.isNotEmpty(groups)) { + for (String group : groups) { + ret = addRoles(ret, groupRoleMapping.get(group)); + } + } + + ret = addRoles(ret, groupRoleMapping.get(RangerPolicyEngine.GROUP_PUBLIC)); + } + } + + return ret; + } + public Set getAccessTypes(String serviceName) { List accessTypes = daoMgr.getXXAccessTypeDef().getNamesByServiceName(serviceName); Set ret = new HashSet<>(accessTypes); @@ -266,4 +292,16 @@ private RangerRolesUtil initGetRolesUtil() { return ret; } + + private Set addRoles(Set allRoles, Set rolesToAdd) { + if (CollectionUtils.isNotEmpty(rolesToAdd)) { + if (allRoles == null) { + allRoles = new HashSet<>(); + } + + allRoles.addAll(rolesToAdd); + } + + return allRoles; + } } diff --git a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDataProvider.java b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDataProvider.java index 2c8721e1e0..f8efaa677b 100644 --- a/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDataProvider.java +++ b/security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDataProvider.java @@ -23,6 +23,7 @@ import org.apache.ranger.plugin.model.RangerGds.RangerDataset; import org.apache.ranger.plugin.model.RangerGds.RangerProject; +import java.util.Collection; import java.util.Set; public abstract class RangerGdsValidationDataProvider { 
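Review bot: The added `getRolesForUserAndGroups` appears to write into the role set owned by the roles cache: `ret` is whatever `getRolesForUser` returns, which is `rolesUtil.getUserRoleMapping().get(userName)` itself, and `addRoles` (hunk `@@ -266,4 +292,16 @@`) calls `allRoles.addAll(rolesToAdd)` on it whenever it is non-null. If that mapping hands out its own mutable sets (RangerRolesUtil is not part of this diff), group and public-group roles get merged into the user's direct-role entry. Later `getRolesForUser` calls would then report roles the user only holds through a group, those roles would survive a group-membership change until the roles data is rebuilt, and concurrent requests would mutate a shared set. Copy before merging, e.g. `Set<String> userRoles = getRolesForUser(userName);` followed by `Set<String> ret = userRoles != null ? new HashSet<>(userRoles) : null;` (generic parameters are stripped on this page, so the element type is inferred). The file header and hunk header for this method are missing from the page, so the surrounding class is not visible.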
@@ -57,6 +58,8 @@ public RangerGdsValidationDataProvider() { public abstract Set getRolesForUser(String userName); + public abstract Set getRolesForUserAndGroups(String userName, Collection groups); + public abstract Set getAccessTypes(String serviceName); public abstract Set getMaskTypes(String serviceName);
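Review bot: The new abstract `getRolesForUserAndGroups` has no Javadoc, and its contract cannot be read off the signature. The implementation in this commit can return null when neither the user nor any group maps to a role, accepts a null or empty `groups`, and adds the roles mapped to `RangerPolicyEngine.GROUP_PUBLIC` regardless of the groups passed. A Javadoc stating those three points, and whether callers may modify the returned set, would let callers handle the null case deliberately instead of discovering it. Any other subclass of this provider outside the diff would also need to implement the new method.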