ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mad...@apache.org
Subject incubator-ranger git commit: RANGER-436 policy item with empty access list is valid if delegated admin is true
Date Tue, 28 Apr 2015 06:13:51 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/master aac45d633 -> 101d17673


RANGER-436 policy item with empty access list is valid if delegated admin is true

Signed-off-by: Madhan Neethiraj <madhan@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/101d1767
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/101d1767
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/101d1767

Branch: refs/heads/master
Commit: 101d17673d553dbd2c2369837a8243ab8727bc30
Parents: aac45d6
Author: Alok Lal <alal@hortonworks.com>
Authored: Mon Apr 27 22:42:31 2015 -0700
Committer: Madhan Neethiraj <madhan@apache.org>
Committed: Mon Apr 27 22:59:48 2015 -0700

----------------------------------------------------------------------
 .../model/validation/RangerPolicyValidator.java   | 18 +++++++++++-------
 .../validation/TestRangerPolicyValidator.java     | 12 ++++++++++++
 2 files changed, 23 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/101d1767/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
index 991b641..1d7f450 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
@@ -479,14 +479,18 @@ public class RangerPolicyValidator extends RangerValidator {
 		if (policyItem == null) {
 			LOG.debug("policy item was null!");
 		} else {
-			// access items collection can't be empty and should be otherwise valid
+			// access items collection can't be empty (unless delegated admin is true) and should
be otherwise valid
 			if (CollectionUtils.isEmpty(policyItem.getAccesses())) {
-				failures.add(new ValidationFailureDetailsBuilder()
-					.field("policy item accesses")
-					.isMissing()
-					.becauseOf("policy items accesses collection was null")
-					.build());
-				valid = false;
+				if (!Boolean.TRUE.equals(policyItem.getDelegateAdmin())) {
+					failures.add(new ValidationFailureDetailsBuilder()
+						.field("policy item accesses")
+						.isMissing()
+						.becauseOf("policy items accesses collection was null")
+						.build());
+					valid = false;
+				} else {
+					LOG.debug("policy item collection was null but delegated admin is true. Ok");
+				}
 			} else {
 				valid = isValidItemAccesses(policyItem.getAccesses(), failures, serviceDef) &&
valid;
 			}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/101d1767/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
index 90d7c06..2fd1d6a 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
@@ -490,6 +490,18 @@ public class TestRangerPolicyValidator {
 	}
 	
 	@Test
+	public void test_isValidPolicyItem_happPath() {
+		// A policy item with no access is valid if it has delegated admin turned on and one user/group
specified.
+		RangerPolicyItem policyItem = mock(RangerPolicyItem.class);
+		when(policyItem.getAccesses()).thenReturn(null);
+		when(policyItem.getDelegateAdmin()).thenReturn(true);
+		// create a non-empty user-list
+		List<String> users = Arrays.asList("user1");
+		when(policyItem.getUsers()).thenReturn(users);
+		_failures.clear(); assertTrue(_validator.isValidPolicyItem(policyItem, _failures, _serviceDef));
+		assertTrue(_failures.isEmpty());
+	}
+	@Test
 	public void test_isValidItemAccesses_happyPath() {
 		
 		// happy path


Mime
View raw message