RANGER-4585:Support multiple columns policy creation in ranger for Gr…

…ant / Revoke request

security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java

@@ -1255,7 +1255,7 @@ public RESTResponse grantAccess(@PathParam("serviceName") String serviceName, Gr
 					String               userName   = grantRequest.getGrantor();
 					Set<String>          userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
 					String				 ownerUser  = grantRequest.getOwnerUser();
-					RangerAccessResource resource   = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()), ownerUser);
+					RangerAccessResource resource   = new RangerAccessResourceImpl(getAccessResourceObjectMap(grantRequest.getResource()), ownerUser);
 					Set<String>			 accessTypes = grantRequest.getAccessTypes();
 					VXUser               vxUser = xUserService.getXUserByUserName(userName);
 
@@ -1300,10 +1300,7 @@ public RESTResponse grantAccess(@PathParam("serviceName") String serviceName, Gr
 
 						if(! CollectionUtils.isEmpty(resourceNames)) {
 							for(String resourceName : resourceNames) {
-								RangerPolicyResource policyResource = new RangerPolicyResource((String) resource.getValue(resourceName));
-								policyResource.setIsRecursive(grantRequest.getIsRecursive());
-
-								policyResources.put(resourceName, policyResource);
+								policyResources.put(resourceName, getPolicyResource(resource.getValue(resourceName), grantRequest));
 							}
 						}
 						policy.setResources(policyResources);
@@ -1376,7 +1373,7 @@ public RESTResponse secureGrantAccess(@PathParam("serviceName") String serviceNa
 					Set<String>          userGroups = grantRequest.getGrantorGroups();
 					String				 ownerUser  = grantRequest.getOwnerUser();
 
-					RangerAccessResource resource   = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()), ownerUser);
+					RangerAccessResource resource   = new RangerAccessResourceImpl(getAccessResourceObjectMap(grantRequest.getResource()), ownerUser);
 					Set<String>			 accessTypes = grantRequest.getAccessTypes();
 					String               zoneName   = getRangerAdminZoneName(serviceName, grantRequest);
 
@@ -1417,10 +1414,7 @@ public RESTResponse secureGrantAccess(@PathParam("serviceName") String serviceNa
 
 							if(! CollectionUtils.isEmpty(resourceNames)) {
 								for(String resourceName : resourceNames) {
-									RangerPolicyResource policyResource = new RangerPolicyResource((String) resource.getValue(resourceName));
-									policyResource.setIsRecursive(grantRequest.getIsRecursive());
-
-									policyResources.put(resourceName, policyResource);
+									policyResources.put(resourceName, getPolicyResource(resource.getValue(resourceName), grantRequest));
 								}
 							}
 							policy.setResources(policyResources);
@@ -1493,7 +1487,7 @@ public RESTResponse revokeAccess(@PathParam("serviceName") String serviceName, G
 					String               userName   = revokeRequest.getGrantor();
 					Set<String>          userGroups = CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups()) ? revokeRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
 					String				 ownerUser  = revokeRequest.getOwnerUser();
-					RangerAccessResource resource   = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()), ownerUser);
+					RangerAccessResource resource   = new RangerAccessResourceImpl(getAccessResourceObjectMap(revokeRequest.getResource()), ownerUser);
 					Set<String>			 accessTypes = revokeRequest.getAccessTypes();
 					VXUser vxUser = xUserService.getXUserByUserName(userName);
 
@@ -1578,7 +1572,7 @@ public RESTResponse secureRevokeAccess(@PathParam("serviceName") String serviceN
 					Set<String> userGroups = revokeRequest.getGrantorGroups();
 					String ownerUser = revokeRequest.getOwnerUser();
 
-					RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()), ownerUser);
+					RangerAccessResource resource = new RangerAccessResourceImpl(getAccessResourceObjectMap(revokeRequest.getResource()), ownerUser);
 					Set<String>			 accessTypes = revokeRequest.getAccessTypes();
 					String               zoneName = getRangerAdminZoneName(serviceName, revokeRequest);
 
@@ -4013,6 +4007,37 @@ public List<RangerPurgeResult> purgeRecords(@QueryParam("type") String recordTyp
 		return ret;
 	}
 
+	public RangerPolicyResource getPolicyResource(Object resourceName, GrantRevokeRequest grantRequest) {
+		RangerPolicyResource ret;
+		if (resourceName instanceof List) {
+			List<String> resourceValues = (List<String>) resourceName;
+			ret = new RangerPolicyResource(resourceValues, false, grantRequest.getIsRecursive());
+		} else {
+			ret = new RangerPolicyResource((String) resourceName);
+			ret.setIsRecursive(grantRequest.getIsRecursive());
+		}
+		return ret;
+	}
+
+	public static Map<String, Object> getAccessResourceObjectMap(Map<String, String> map) {
+		Map<String, Object> ret = null;
+
+		if (map != null) {
+			ret = new HashMap<>(map.size());
+
+			for (Map.Entry<String, String> e : map.entrySet()) {
+				if (e.getValue().contains(",")) {
+					List<String> values = Arrays.asList(e.getValue().split(","));
+					ret.put(e.getKey(),values);
+				} else {
+					ret.put(e.getKey(), e.getValue());
+				}
+			}
+		}
+
+		return ret;
+	}
+
 	private HashMap<String, Object> getCSRFPropertiesMap(HttpServletRequest request) {
 		HashMap<String, Object> map = new HashMap<String, Object>();
 		map.put(isCSRF_ENABLED, PropertiesUtil.getBooleanProperty(isCSRF_ENABLED, true));

security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java

@@ -21,19 +21,13 @@
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.LinkedHashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.WebApplicationException;
 
+import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.admin.client.datatype.RESTResponse;
@@ -78,6 +72,8 @@
 import org.apache.ranger.plugin.model.validation.RangerPolicyValidator;
 import org.apache.ranger.plugin.model.validation.RangerServiceDefValidator;
 import org.apache.ranger.plugin.model.validation.RangerServiceValidator;
+import org.apache.ranger.plugin.policyengine.RangerAccessResource;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
 import org.apache.ranger.plugin.service.ResourceLookupContext;
 import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
@@ -820,6 +816,73 @@ public void test14grantAccess() throws Exception {
 				request);
 	}
 
+	@Test
+	public void test14_1_grantAccessWithMultiColumns() throws Exception {
+		HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+
+		String serviceName = "HIVE";
+		Set<String> userList = new HashSet<String>();
+		userList.add("user1");
+		userList.add("user2");
+		userList.add("user3");
+
+		Map<String, String> grantResource = new HashMap<>();
+		grantResource.put("database", "demo");
+		grantResource.put("table", "testtbl");
+		grantResource.put("column", "column1,column2,colum3");
+		GrantRevokeRequest grantRequestObj = new GrantRevokeRequest();
+
+		grantRequestObj.setResource(grantResource);
+		grantRequestObj.setUsers(userList);
+		grantRequestObj.setAccessTypes(new HashSet<>(Arrays.asList("select")));
+		grantRequestObj.setDelegateAdmin(true);
+		grantRequestObj.setEnableAudit(true);
+		grantRequestObj.setGrantor("systest");
+		grantRequestObj.setIsRecursive(true);
+
+		RangerAccessResource resource = new RangerAccessResourceImpl(serviceREST.getAccessResourceObjectMap(grantRequestObj.getResource()), "systest");
+
+		RangerPolicy createPolicy = new RangerPolicy();
+		createPolicy.setService(serviceName);
+		createPolicy.setName("grant-" + System.currentTimeMillis());
+		createPolicy.setDescription("created by grant");
+		createPolicy.setIsAuditEnabled(grantRequestObj.getEnableAudit());
+
+		Map<String, RangerPolicyResource> policyResources = new HashMap<>();
+		Set<String> resourceNames = resource.getKeys();
+
+		if (!CollectionUtils.isEmpty(resourceNames)) {
+			for (String resourceName : resourceNames) {
+				policyResources.put(resourceName, serviceREST.getPolicyResource(resource.getValue(resourceName), grantRequestObj));
+			}
+		}
+		createPolicy.setResources(policyResources);
+
+		RangerPolicyItem policyItem = new RangerPolicyItem();
+		policyItem.setDelegateAdmin(grantRequestObj.getDelegateAdmin());
+		policyItem.getUsers().addAll(grantRequestObj.getUsers());
+		for (String accessType : grantRequestObj.getAccessTypes()) {
+			policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE));
+		}
+		createPolicy.getPolicyItems().add(policyItem);
+		createPolicy.setZoneName(null);
+
+		List<String> grantColumns = (List<String>) resource.getValue("column");
+		Map<String, RangerPolicyResource> policyResourceMap = createPolicy.getResources();
+		List<String> createdPolicyColumns = policyResourceMap.get("column").getValues();
+
+		Assert.assertTrue(createdPolicyColumns.containsAll(grantColumns));
+
+		Mockito.when(
+						serviceUtil.isValidateHttpsAuthentication(serviceName, request))
+				.thenReturn(false);
+		RESTResponse restResponse = serviceREST.grantAccess(serviceName,
+				grantRequestObj, request);
+		Assert.assertNotNull(restResponse);
+		Mockito.verify(serviceUtil).isValidateHttpsAuthentication(serviceName,
+				request);
+	}
+
 	@Test
 	public void test15revokeAccess() throws Exception {
 		HttpServletRequest request = Mockito.mock(HttpServletRequest.class);