diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index cffd177bec..cc9df27d62 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -1255,7 +1255,7 @@ public RESTResponse grantAccess(@PathParam("serviceName") String serviceName, Gr
 String userName = grantRequest.getGrantor();
 Set userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
 String ownerUser = grantRequest.getOwnerUser();
- RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()), ownerUser);
+ RangerAccessResource resource = new RangerAccessResourceImpl(getAccessResourceObjectMap(grantRequest.getResource()), ownerUser);
 Set accessTypes = grantRequest.getAccessTypes();
 VXUser vxUser = xUserService.getXUserByUserName(userName);
@@ -1300,10 +1300,7 @@ public RESTResponse grantAccess(@PathParam("serviceName") String serviceName, Gr
 if(! CollectionUtils.isEmpty(resourceNames)) {
 for(String resourceName : resourceNames) {
- RangerPolicyResource policyResource = new RangerPolicyResource((String) resource.getValue(resourceName));
- policyResource.setIsRecursive(grantRequest.getIsRecursive());
-
- policyResources.put(resourceName, policyResource);
+ policyResources.put(resourceName, getPolicyResource(resource.getValue(resourceName), grantRequest));
 }
 }
 policy.setResources(policyResources);
@@ -1376,7 +1373,7 @@ public RESTResponse secureGrantAccess(@PathParam("serviceName") String serviceNa
 Set userGroups = grantRequest.getGrantorGroups();
 String ownerUser = grantRequest.getOwnerUser();
- RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()), ownerUser);
+ RangerAccessResource resource = new RangerAccessResourceImpl(getAccessResourceObjectMap(grantRequest.getResource()), ownerUser);
 Set accessTypes = grantRequest.getAccessTypes();
 String zoneName = getRangerAdminZoneName(serviceName, grantRequest);
@@ -1417,10 +1414,7 @@ public RESTResponse secureGrantAccess(@PathParam("serviceName") String serviceNa
 if(! CollectionUtils.isEmpty(resourceNames)) {
 for(String resourceName : resourceNames) {
- RangerPolicyResource policyResource = new RangerPolicyResource((String) resource.getValue(resourceName));
- policyResource.setIsRecursive(grantRequest.getIsRecursive());
-
- policyResources.put(resourceName, policyResource);
+ policyResources.put(resourceName, getPolicyResource(resource.getValue(resourceName), grantRequest));
 }
 }
 policy.setResources(policyResources);
@@ -1493,7 +1487,7 @@ public RESTResponse revokeAccess(@PathParam("serviceName") String serviceName, G
 String userName = revokeRequest.getGrantor();
 Set userGroups = CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups()) ? revokeRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
 String ownerUser = revokeRequest.getOwnerUser();
- RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()), ownerUser);
+ RangerAccessResource resource = new RangerAccessResourceImpl(getAccessResourceObjectMap(revokeRequest.getResource()), ownerUser);
 Set accessTypes = revokeRequest.getAccessTypes();
 VXUser vxUser = xUserService.getXUserByUserName(userName);
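Review bot: revokeAccess in this hunk (and secureRevokeAccess in the next one) now receives a List for any resource value that contains a comma, but the diff only adapts the two grant loops to that shape via getPolicyResource. How the revoke methods use `resource` after this line is outside the hunk, so if either still casts `resource.getValue(resourceName)` to String, or hands the resource to a matcher that only accepts String values, a request such as `column=a,b` would now fail or match differently on revoke than on grant. If the cast pattern is present there, the same `policyResources.put(resourceName, getPolicyResource(resource.getValue(resourceName), revokeRequest));` replacement belongs in those loops, and a revoke test mirroring test14_1_grantAccessWithMultiColumns would pin it, since the added test only covers the grant path.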
@@ -1578,7 +1572,7 @@ public RESTResponse secureRevokeAccess(@PathParam("serviceName") String serviceN
 Set userGroups = revokeRequest.getGrantorGroups();
 String ownerUser = revokeRequest.getOwnerUser();
- RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()), ownerUser);
+ RangerAccessResource resource = new RangerAccessResourceImpl(getAccessResourceObjectMap(revokeRequest.getResource()), ownerUser);
 Set accessTypes = revokeRequest.getAccessTypes();
 String zoneName = getRangerAdminZoneName(serviceName, revokeRequest);
@@ -4013,6 +4007,37 @@ public List purgeRecords(@QueryParam("type") String recordTyp
 return ret;
 }
+ public RangerPolicyResource getPolicyResource(Object resourceName, GrantRevokeRequest grantRequest) {
+ RangerPolicyResource ret;
+ if (resourceName instanceof List) {
+ List resourceValues = (List) resourceName;
+ ret = new RangerPolicyResource(resourceValues, false, grantRequest.getIsRecursive());
+ } else {
+ ret = new RangerPolicyResource((String) resourceName);
+ ret.setIsRecursive(grantRequest.getIsRecursive());
+ }
+ return ret;
+ }
+
+ public static Map getAccessResourceObjectMap(Map map) {
+ Map ret = null;
+
+ if (map != null) {
+ ret = new HashMap<>(map.size());
+
+ for (Map.Entry e : map.entrySet()) {
+ if (e.getValue().contains(",")) {
+ List values = Arrays.asList(e.getValue().split(","));
+ ret.put(e.getKey(),values);
+ } else {
+ ret.put(e.getKey(), e.getValue());
+ }
+ }
+ }
+
+ return ret;
+ }
+
 private HashMap getCSRFPropertiesMap(HttpServletRequest request) {
 HashMap map = new HashMap();
 map.put(isCSRF_ENABLED, PropertiesUtil.getBooleanProperty(isCSRF_ENABLED, true));
diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
index d049f9949b..a630e575bf 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
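Review bot: getAccessResourceObjectMap calls `e.getValue().contains(",")` with no null check, so a grant or revoke request whose resource map carries a null value now throws NullPointerException here rather than wherever StringUtil.toStringObjectMap used to handle it (its behavior is not visible in the diff). The split is a bare `split(",")`, so `"a, b"` yields a second value of `" b"` and `"a,,b"` yields an empty value; because grant and revoke are privilege-changing operations, such a value silently becomes a policy resource that does not match what the grantor asked for, and the rewritten loop below trims parts and drops empty ones. Since the change makes the comma a reserved separator for every resource key of every service type reached from the four call sites, the method needs a Javadoc stating that, e.g. `/** Splits comma-separated resource values into lists; a value that itself contains a comma can no longer be granted as a single resource. */`. Both helpers are `public` on the REST class and getPolicyResource is an instance method that reads no state; package-private static would suffice for the test, which lives in the same package.
```java
public static Map<String, Object> getAccessResourceObjectMap(Map<String, String> map) {
    // … unchanged: null check and HashMap allocation …
    for (Map.Entry<String, String> e : map.entrySet()) {
        String value = e.getValue();
        if (value != null && value.contains(",")) {
            List<String> values = new ArrayList<>();
            for (String part : value.split(",")) {
                String trimmed = part.trim();
                if (!trimmed.isEmpty()) {
                    values.add(trimmed);
                }
            }
            ret.put(e.getKey(), values);
        } else {
            ret.put(e.getKey(), value);
        }
    }
    // … unchanged: return ret …
```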
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
@@ -21,19 +21,13 @@
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.LinkedHashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.WebApplicationException;
+import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.admin.client.datatype.RESTResponse;
@@ -78,6 +72,8 @@
 import org.apache.ranger.plugin.model.validation.RangerPolicyValidator;
 import org.apache.ranger.plugin.model.validation.RangerServiceDefValidator;
 import org.apache.ranger.plugin.model.validation.RangerServiceValidator;
+import org.apache.ranger.plugin.policyengine.RangerAccessResource;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl;
 import org.apache.ranger.plugin.service.ResourceLookupContext;
 import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
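Review bot: `import java.util.*;` replaces the eight explicit java.util imports, which is a style regression in a file that otherwise lists every import explicitly (the two policyengine imports in the next hunk are added explicitly). The new test only needs `import java.util.Arrays;` added to the existing list; if the module runs checkstyle with an avoid-star-import rule, the wildcard may also be flagged there.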
@@ -820,6 +816,73 @@ public void test14grantAccess() throws Exception {
 request);
 }
+ @Test
+ public void test14_1_grantAccessWithMultiColumns() throws Exception {
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+
+ String serviceName = "HIVE";
+ Set userList = new HashSet();
+ userList.add("user1");
+ userList.add("user2");
+ userList.add("user3");
+
+ Map grantResource = new HashMap<>();
+ grantResource.put("database", "demo");
+ grantResource.put("table", "testtbl");
+ grantResource.put("column", "column1,column2,colum3");
+ GrantRevokeRequest grantRequestObj = new GrantRevokeRequest();
+
+ grantRequestObj.setResource(grantResource);
+ grantRequestObj.setUsers(userList);
+ grantRequestObj.setAccessTypes(new HashSet<>(Arrays.asList("select")));
+ grantRequestObj.setDelegateAdmin(true);
+ grantRequestObj.setEnableAudit(true);
+ grantRequestObj.setGrantor("systest");
+ grantRequestObj.setIsRecursive(true);
+
+ RangerAccessResource resource = new RangerAccessResourceImpl(serviceREST.getAccessResourceObjectMap(grantRequestObj.getResource()), "systest");
+
+ RangerPolicy createPolicy = new RangerPolicy();
+ createPolicy.setService(serviceName);
+ createPolicy.setName("grant-" + System.currentTimeMillis());
+ createPolicy.setDescription("created by grant");
+ createPolicy.setIsAuditEnabled(grantRequestObj.getEnableAudit());
+
+ Map policyResources = new HashMap<>();
+ Set resourceNames = resource.getKeys();
+
+ if (!CollectionUtils.isEmpty(resourceNames)) {
+ for (String resourceName : resourceNames) {
+ policyResources.put(resourceName, serviceREST.getPolicyResource(resource.getValue(resourceName), grantRequestObj));
+ }
+ }
+ createPolicy.setResources(policyResources);
+
+ RangerPolicyItem policyItem = new RangerPolicyItem();
+ policyItem.setDelegateAdmin(grantRequestObj.getDelegateAdmin());
+ policyItem.getUsers().addAll(grantRequestObj.getUsers());
+ for (String accessType : grantRequestObj.getAccessTypes()) {
+ policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE));
+ }
+ createPolicy.getPolicyItems().add(policyItem);
+ createPolicy.setZoneName(null);
+
+ List grantColumns = (List) resource.getValue("column");
+ Map policyResourceMap = createPolicy.getResources();
+ List createdPolicyColumns = policyResourceMap.get("column").getValues();
+
+ Assert.assertTrue(createdPolicyColumns.containsAll(grantColumns));
+
+ Mockito.when(
+ serviceUtil.isValidateHttpsAuthentication(serviceName, request))
+ .thenReturn(false);
+ RESTResponse restResponse = serviceREST.grantAccess(serviceName,
+ grantRequestObj, request);
+ Assert.assertNotNull(restResponse);
+ Mockito.verify(serviceUtil).isValidateHttpsAuthentication(serviceName,
+ request);
+ }
+
 @Test
 public void test15revokeAccess() throws Exception {
 HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
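Review bot: the only assertion on the column handling is `Assert.assertTrue(createdPolicyColumns.containsAll(grantColumns));`, which still passes if extra or malformed entries are present, and it checks a policy the test assembled itself from the two helpers rather than the one grantAccess builds; the endpoint call at the end is verified only for a non-null response and the HTTPS check. `Assert.assertEquals(Arrays.asList("column1", "column2", "colum3"), createdPolicyColumns);` pins the exact split, and a second case with a value like `"column1, column2"` would document how surrounding whitespace is treated by getAccessResourceObjectMap. A revoke counterpart for the same multi-column request is missing, so the revoke path's handling of a List-valued resource is not exercised at all.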