RANGER-4805: removed Atlas permissions in tag-based policies

Signed-off-by: Madhan Neethiraj <[email protected]>

agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java

@@ -42,6 +42,7 @@ public class RangerServiceDef extends RangerBaseModelObject implements java.io.S
 
 	public static final String OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES = "enableDenyAndExceptionsInPolicies";
 	public static final String OPTION_ENABLE_IMPLICIT_CONDITION_EXPRESSION   = "enableImplicitConditionExpression";
+	public static final String OPTION_ENABLE_TAG_BASED_POLICIES = "enableTagBasedPolicies";
 
 	private String                         name;
 	private String                         displayName;

agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java

@@ -27,6 +27,7 @@
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.util.SearchFilter;
+import org.apache.ranger.plugin.util.ServiceDefUtil;
 import org.apache.ranger.services.tag.RangerServiceTag;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -65,7 +66,9 @@ public void updateTagServiceDefForAccessTypes() throws Exception {
 		}
 		List<RangerServiceDef> allServiceDefs = getServiceDefs(new SearchFilter());
 		for (RangerServiceDef serviceDef : allServiceDefs) {
-			updateTagServiceDefForUpdatingAccessTypes(serviceDef);
+			if (ServiceDefUtil.getOption_enableTagBasedPolicies(serviceDef, config)) {
+				updateTagServiceDefForUpdatingAccessTypes(serviceDef);
+			}
 		}
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("<== ServiceDefDBStore.updateTagServiceDefForAccessTypes()");

agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java

@@ -107,6 +107,17 @@ public static boolean getOption_enableDenyAndExceptionsInPolicies(RangerServiceD
         return ret;
     }
 
+    public static boolean getOption_enableTagBasedPolicies(RangerServiceDef serviceDef, Configuration config) {
+        boolean ret = false;
+
+        if(serviceDef != null) {
+            boolean defaultValue = config == null || config.getBoolean("ranger.servicedef.enableTagBasedPolicies", true);
+            ret = ServiceDefUtil.getBooleanValue(serviceDef.getOptions(), RangerServiceDef.OPTION_ENABLE_TAG_BASED_POLICIES, defaultValue);
+        }
+
+        return ret;
+    }
+
     public static RangerDataMaskTypeDef getDataMaskType(RangerServiceDef serviceDef, String typeName) {
         RangerDataMaskTypeDef ret = null;
 

agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json

@@ -21,8 +21,8 @@
 				"wildCard": "true",
 				"ignoreCase": "true"
 			},
-			"label": "Type Catagory",
-			"description": "Type Catagory"
+			"label": "Type Category",
+			"description": "Type Category"
 		},
 		{
 			"itemId": 2,
@@ -502,6 +502,7 @@
 		}
 	],
 	"options": {
-		"enableDenyAndExceptionsInPolicies": "true"
+		"enableDenyAndExceptionsInPolicies": "true",
+		"enableTagBasedPolicies":"false"
 	}
 }

security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql

@@ -2090,4 +2090,5 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10060',UTC_TIMESTAMP(),'Ranger 3.0.0',UTC_TIMESTAMP(),'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10061',UTC_TIMESTAMP(),'Ranger 3.0.0',UTC_TIMESTAMP(),'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10062',UTC_TIMESTAMP(),'Ranger 3.0.0',UTC_TIMESTAMP(),'localhost','Y');
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10063',UTC_TIMESTAMP(),'Ranger 3.0.0',UTC_TIMESTAMP(),'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');

security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql

@@ -2063,5 +2063,6 @@ INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,act
 INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10060',sys_extract_utc(systimestamp),'Ranger 3.0.0',sys_extract_utc(systimestamp),'localhost','Y');
 INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10061',sys_extract_utc(systimestamp),'Ranger 3.0.0',sys_extract_utc(systimestamp),'localhost','Y');
 INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10062',sys_extract_utc(systimestamp),'Ranger 3.0.0',sys_extract_utc(systimestamp),'localhost','Y');
+INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10063',sys_extract_utc(systimestamp),'Ranger 3.0.0',sys_extract_utc(systimestamp),'localhost','Y');
 INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'JAVA_PATCHES',sys_extract_utc(systimestamp),'Ranger 1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
 commit;

security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql

@@ -2246,6 +2246,7 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10060',current_timestamp,'Ranger 3.0.0',current_timestamp,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10061',current_timestamp,'Ranger 3.0.0',current_timestamp,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10062',current_timestamp,'Ranger 3.0.0',current_timestamp,'localhost','Y');
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10063',current_timestamp,'Ranger 3.0.0',current_timestamp,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y');
 
 DROP VIEW IF EXISTS vx_principal;

security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql

@@ -2434,6 +2434,8 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active
 GO
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10062',CURRENT_TIMESTAMP,'Ranger 3.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 GO
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10063',CURRENT_TIMESTAMP,'Ranger 3.0.0',CURRENT_TIMESTAMP,'localhost','Y');
+GO
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 GO
 exit

security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql

@@ -4220,5 +4220,6 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10060',CURRENT_TIMESTAMP,'Ranger 3.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10061',CURRENT_TIMESTAMP,'Ranger 3.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10062',CURRENT_TIMESTAMP,'Ranger 3.0.0',CURRENT_TIMESTAMP,'localhost','Y');
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10063',CURRENT_TIMESTAMP,'Ranger 3.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 GO

security-admin/src/main/java/org/apache/ranger/patch/PatchForUpdatingAtlasSvcDefAndTagPolicies_J10063.java

@@ -0,0 +1,236 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.patch;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.biz.ServiceDBStore;
+import org.apache.ranger.common.JSONUtil;
+import org.apache.ranger.common.StringUtil;
+import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.entity.XXAccessTypeDef;
+import org.apache.ranger.entity.XXPolicy;
+import org.apache.ranger.entity.XXServiceDef;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
+import org.apache.ranger.util.CLIUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+@Component
+public class PatchForUpdatingAtlasSvcDefAndTagPolicies_J10063 extends BaseLoader {
+	private static final Logger logger = LoggerFactory
+			.getLogger(PatchForUpdatingAtlasSvcDefAndTagPolicies_J10063.class);
+
+	@Autowired
+	RangerDaoManager daoMgr;
+
+	@Autowired
+	JSONUtil jsonUtil;
+
+	@Autowired
+	StringUtil stringUtil;
+
+	@Autowired
+	ServiceDBStore svcStore;
+
+	public static void main(String[] args) {
+		logger.info("main()");
+		try {
+			PatchForUpdatingAtlasSvcDefAndTagPolicies_J10063 loader = (PatchForUpdatingAtlasSvcDefAndTagPolicies_J10063) CLIUtil
+					.getBean(PatchForUpdatingAtlasSvcDefAndTagPolicies_J10063.class);
+			loader.init();
+			while (loader.isMoreToProcess()) {
+				loader.load();
+			}
+			logger.info("Load complete. Exiting.");
+			System.exit(0);
+		} catch (Exception e) {
+			logger.error("Error loading", e);
+			System.exit(1);
+		}
+	}
+
+	@Override
+	public void printStats() {
+		logger.info("PatchForUpdatingAtlasSvcDefAndTagPolicies_J10063 data ");
+	}
+
+	@Override
+	public void execLoad() {
+		logger.info("==> PatchForUpdatingAtlasSvcDefAndTagPolicies_J10063.execLoad()");
+		try {
+			if (updateAtlasServiceDef()) {
+				disableAtlasAccessForTagPolicies();
+			}
+		} catch (Exception e) {
+			logger.error("Error while updateTagServiceDef()data.", e);
+			System.exit(1);
+		}
+		logger.info("<== PatchForUpdatingAtlasSvcDefAndTagPolicies_J10063.execLoad()");
+	}
+
+	@Override
+	public void init() throws Exception {
+		// Do Nothing
+	}
+
+	private boolean updateAtlasServiceDef() throws Exception {
+		logger.info("==> PatchForUpdatingAtlasSvcDefAndTagPolicies_J10063.updateAtlasServiceDef()");
+		RangerServiceDef embeddedAtlasServiceDef;
+		XXServiceDef xXServiceDefObj;
+
+		embeddedAtlasServiceDef = EmbeddedServiceDefsUtil.instance()
+				.getEmbeddedServiceDef(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME);
+
+		if (embeddedAtlasServiceDef != null) {
+			xXServiceDefObj = daoMgr.getXXServiceDef().findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME);
+
+			if (xXServiceDefObj != null) {
+				String jsonStrUpdate = xXServiceDefObj.getDefOptions();
+				Map<String, String> serviceDefOptionsUpdate = jsonStringToMap(jsonStrUpdate);
+				if (serviceDefOptionsUpdate == null) {
+					serviceDefOptionsUpdate = new HashMap<>();
+				}
+				serviceDefOptionsUpdate.put(RangerServiceDef.OPTION_ENABLE_TAG_BASED_POLICIES, "false");
+				xXServiceDefObj.setDefOptions(mapToJsonString(serviceDefOptionsUpdate));
+				daoMgr.getXXServiceDef().update(xXServiceDefObj);
+			} else {
+				logger.error("Atlas service-definition does not exist in the Ranger DAO.");
+				return false;
+			}
+		} else {
+			logger.error("The embedded Atlas service-definition does not exist.");
+			return false;
+		}
+		logger.info("<== PatchForUpdatingAtlasSvcDefAndTagPolicies_J10063.updateAtlasServiceDef()");
+		return true;
+	}
+
+	private void disableAtlasAccessForTagPolicies() throws Exception {
+		logger.info("==> PatchForUpdatingAtlasSvcDefAndTagPolicies_J10063.disableAtlasAccessForTagPolicies()");
+		RangerServiceDef embeddedTagServiceDef = EmbeddedServiceDefsUtil.instance()
+				.getEmbeddedServiceDef(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME);
+		if (embeddedTagServiceDef != null) {
+			List<XXPolicy> xxPolicies = daoMgr.getXXPolicy().findByServiceDefId(embeddedTagServiceDef.getId());
+			if (CollectionUtils.isNotEmpty(xxPolicies)) {
+				for (XXPolicy xxPolicy : xxPolicies) {
+					RangerPolicy rPolicy = svcStore.getPolicy(xxPolicy.getId());
+					if (CollectionUtils.isNotEmpty(rPolicy.getPolicyItems()) || CollectionUtils.isNotEmpty(rPolicy.getAllowExceptions())
+							|| CollectionUtils.isNotEmpty(rPolicy.getDenyPolicyItems()) || CollectionUtils.isNotEmpty(rPolicy.getDenyExceptions())) {
+						updateAccessTypeForTagPolicies(rPolicy.getPolicyItems());
+						updateAccessTypeForTagPolicies(rPolicy.getAllowExceptions());
+						updateAccessTypeForTagPolicies(rPolicy.getDenyPolicyItems());
+						updateAccessTypeForTagPolicies(rPolicy.getDenyExceptions());
+						svcStore.updatePolicy(rPolicy);
+					}
+				}
+			}
+		} else {
+			logger.error("The embedded Tag service-definition does not exist.");
+		}
+
+		// delete XXAccessTypeDef records of tagDef where name startWith Atlas
+		List<XXAccessTypeDef> xxAccessTypes = daoMgr.getXXAccessTypeDef().findByServiceDefId(embeddedTagServiceDef.getId());
+		for (XXAccessTypeDef xAccess : xxAccessTypes) {
+			if (xAccess != null && xAccess.getName().startsWith(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME)) {
+				svcStore.deleteXXAccessTypeDef(xAccess);
+			}
+		}
+		logger.info("<== PatchForUpdatingAtlasSvcDefAndTagPolicies_J10063.disableAtlasAccessForTagPolicies()");
+	}
+
+	private void updateAccessTypeForTagPolicies(List<RangerPolicyItem> policyItems) throws Exception {
+		logger.info("==> PatchForDisableAccessTypeForTagPolicies_J10063.updateAccessTypeForTagPolicies() "+policyItems);
+		if (CollectionUtils.isEmpty(policyItems)) {
+			logger.info("==> PatchForDisableAccessTypeForTagPolicies_J10063.updateAccessTypeForTagPolicies() policy items collection was null/empty");
+		} else {
+			List<RangerPolicy.RangerPolicyItem> removePolicyItem = new ArrayList<RangerPolicy.RangerPolicyItem>();
+			for (RangerPolicyItem policyItem : policyItems) {
+				if (policyItem != null && policyItem.getAccesses() != null) {
+					List<RangerPolicy.RangerPolicyItemAccess> accessesToRemove = new ArrayList<RangerPolicy.RangerPolicyItemAccess>();
+					for (RangerPolicyItemAccess access : policyItem.getAccesses()) {
+						if (access != null) {
+							String[] svcDefAccType = access.getType().split(":");
+							String serviceDefName = svcDefAccType.length > 0 ? svcDefAccType[0] : null;
+							if (serviceDefName != null && serviceDefName.equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME)) {
+								accessesToRemove.add(access);
+							}
+						}
+					}
+					policyItem.getAccesses().removeAll(accessesToRemove);
+				}
+				if(policyItem != null && CollectionUtils.isEmpty(policyItem.getAccesses())) {
+					removePolicyItem.add(policyItem);
+				}
+			}
+			policyItems.removeAll(removePolicyItem);
+		}
+		logger.info("<== PatchForDisableAccessTypeForTagPolicies_J10063.updateAccessTypeForTagPolicies() "+policyItems);
+	}
+
+	private String mapToJsonString(Map<String, String> map) {
+		String ret = null;
+		if (map != null) {
+			try {
+				ret = jsonUtil.readMapToString(map);
+			} catch (Exception ex) {
+				logger.warn("mapToJsonString() failed to convert map: " + map, ex);
+			}
+		}
+		return ret;
+	}
+
+	private Map<String, String> jsonStringToMap(String jsonStr) {
+		Map<String, String> ret = null;
+		if (!StringUtils.isEmpty(jsonStr)) {
+			try {
+				ret = jsonUtil.jsonToMap(jsonStr);
+			} catch (Exception ex) {
+				// fallback to earlier format: "name1=value1;name2=value2"
+				for (String optionString : jsonStr.split(";")) {
+					if (StringUtils.isEmpty(optionString)) {
+						continue;
+					}
+					String[] nvArr = optionString.split("=");
+					String name = (nvArr.length > 0) ? nvArr[0].trim() : null;
+					String value = (nvArr.length > 1) ? nvArr[1].trim() : null;
+					if (StringUtils.isEmpty(name)) {
+						continue;
+					}
+					if (ret == null) {
+						ret = new HashMap<>();
+					}
+					ret.put(name, value);
+				}
+			}
+		}
+		return ret;
+	}
+
+}

security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefService.java

@@ -72,6 +72,15 @@ protected RangerServiceDef mapEntityToViewBean(RangerServiceDef vObj, XXServiceD
 			ret.setOptions(serviceDefOptions);
 		}
 
+		if (serviceDefOptions.get(RangerServiceDef.OPTION_ENABLE_TAG_BASED_POLICIES) == null) {
+			boolean enableTagBasedPoliciesHiddenOption = config.getBoolean("ranger.servicedef.enableTagBasedPolicies", true);
+			if (enableTagBasedPoliciesHiddenOption) {
+				serviceDefOptions.put(RangerServiceDef.OPTION_ENABLE_TAG_BASED_POLICIES, "true");
+			} else {
+				serviceDefOptions.put(RangerServiceDef.OPTION_ENABLE_TAG_BASED_POLICIES, "false");
+			}
+			ret.setOptions(serviceDefOptions);
+		}
 		return ret;
 	}