From 840b4ab3cf10a6a62582119443b9a99cf70521b3 Mon Sep 17 00:00:00 2001 From: Rakesh Gupta Date: Wed, 3 Dec 2025 12:16:12 +0530 Subject: [PATCH] RANGER-5407: In Atlas Service for some of the default policies wrong permissions seen --- .../services/atlas/RangerServiceAtlas.java | 7 +- .../current/ranger_core_db_mysql.sql | 1 + .../current/ranger_core_db_oracle.sql | 1 + .../current/ranger_core_db_postgres.sql | 1 + .../current/ranger_core_db_sqlanywhere.sql | 2 + .../current/ranger_core_db_sqlserver.sql | 1 + ...AtlasPolicyUpdateForEntityRead_J10064.java | 155 ++++++++++++++++++ 7 files changed, 166 insertions(+), 2 deletions(-) create mode 100644 security-admin/src/main/java/org/apache/ranger/patch/PatchForAtlasPolicyUpdateForEntityRead_J10064.java diff --git a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java index 2b94e23c05..a1b72f248d 100644 --- a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java +++ b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java @@ -175,7 +175,10 @@ public List getDefaultRangerPolicies() throws Exception { } // 2. add a policy-item for rangertagsync user with 'entity-read' permission in the policy for 'entity-type' - if (policyResources.containsKey(RESOURCE_ENTITY_TYPE) && !policyResources.containsKey(RESOURCE_CLASSIFICATION)) { + final boolean isNonEntityResourceType = policyResources.containsKey(RESOURCE_CLASSIFICATION) + || policyResources.containsKey(RESOURCE_ENTITY_LABEL) || policyResources.containsKey(RESOURCE_ENTITY_BUSINESS_METADATA); + + if (policyResources.containsKey(RESOURCE_ENTITY_TYPE) && !isNonEntityResourceType) { RangerPolicyItem policyItemForTagSyncUser = new RangerPolicyItem(); policyItemForTagSyncUser.setUsers(Collections.singletonList(tagSyncUser)); 
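Review bot: The comment on the line above the new `isNonEntityResourceType` declaration still says only that a policy-item is added "in the policy for 'entity-type'", but the new condition also skips policies whose resources include classification, entity-label or entity-business-metadata; a second comment line such as `// RANGER-5407: skip policies that also carry classification / entity-label / entity-business-metadata resources, where 'entity-read' does not apply` would record why. The name `isNonEntityResourceType` is misleading, because every policy reaching this `if` does contain `entity-type`; the flag really says whether a non-entity sub-resource is also present, so something like `hasNonEntitySubResource` reads better (it is reused in the second hunk, `@@ -196,7 +199,7 @@`, so rename both uses together). The same resource-name list is re-declared as string literals in the new `PatchForAtlasPolicyUpdateForEntityRead_J10064` class (without classification, which the old condition already excluded); if a module dependency prevents sharing the `RangerServiceAtlas` constants, a comment cross-referencing the two places would help keep them in sync when another Atlas resource is added. `getDefaultRangerPolicies()` continues outside the hunk.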
@@ -196,7 +199,7 @@ public List getDefaultRangerPolicies() throws Exception { if (defaultPolicy.getName().contains("all") && policyResources.containsKey(RangerServiceAtlas.RESOURCE_ENTITY_TYPE) - && StringUtils.isNotBlank(lookUpUser) && !policyResources.containsKey(RESOURCE_CLASSIFICATION)) { + && StringUtils.isNotBlank(lookUpUser) && !isNonEntityResourceType) { RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem(); policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser)); policyItemForLookupUser.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_ENTITY_READ))); diff --git a/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql b/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql index 73ad546112..2648e22756 100644 --- a/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql +++ b/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql @@ -1886,4 +1886,5 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10061',UTC_TIMESTAMP(),'Ranger 2.5.0',UTC_TIMESTAMP(),'localhost','Y'); INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10062',UTC_TIMESTAMP(),'Ranger 2.5.0',UTC_TIMESTAMP(),'localhost','Y'); INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10063',UTC_TIMESTAMP(),'Ranger 2.5.0',UTC_TIMESTAMP(),'localhost','Y'); +INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10064',UTC_TIMESTAMP(),'Ranger 2.5.0',UTC_TIMESTAMP(),'localhost','Y'); INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y'); 
diff --git a/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql b/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
index 40f71e28b9..57bb66fa6b 100644
--- a/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
+++ b/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
@@ -2077,5 +2077,6 @@ INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,act
 INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10061',sys_extract_utc(systimestamp),'Ranger 2.5.0',sys_extract_utc(systimestamp),'localhost','Y');
 INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10062',sys_extract_utc(systimestamp),'Ranger 2.5.0',sys_extract_utc(systimestamp),'localhost','Y');
 INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10063',sys_extract_utc(systimestamp),'Ranger 2.5.0',sys_extract_utc(systimestamp),'localhost','Y');
+INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10064',sys_extract_utc(systimestamp),'Ranger 2.5.0',sys_extract_utc(systimestamp),'localhost','Y');
 INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'JAVA_PATCHES',sys_extract_utc(systimestamp),'Ranger 1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
 commit;
diff --git a/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql b/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
index 980f22f140..230c6e9f30 100644
--- a/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
+++ b/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
@@ -2025,4 +2025,5 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10061',current_timestamp,'Ranger 2.5.0',current_timestamp,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10062',current_timestamp,'Ranger 2.5.0',current_timestamp,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10063',current_timestamp,'Ranger 2.5.0',current_timestamp,'localhost','Y');
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10064',current_timestamp,'Ranger 2.5.0',current_timestamp,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y');
diff --git a/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql b/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
index 9c05513177..f6ceca876b 100644
--- a/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
+++ b/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
@@ -2452,6 +2452,8 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active
 GO
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10063',CURRENT_TIMESTAMP,'Ranger 2.5.0',CURRENT_TIMESTAMP,'localhost','Y');
 GO
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10064',CURRENT_TIMESTAMP,'Ranger 2.5.0',CURRENT_TIMESTAMP,'localhost','Y');
+GO
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 GO
 exit
diff --git a/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql b/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
index 8aea57bead..941f980eb2 100644
--- a/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
+++ b/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
@@ -4236,5 +4236,6 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10061',CURRENT_TIMESTAMP,'Ranger 2.5.0',CURRENT_TIMESTAMP,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10062',CURRENT_TIMESTAMP,'Ranger 2.5.0',CURRENT_TIMESTAMP,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10063',CURRENT_TIMESTAMP,'Ranger 2.5.0',CURRENT_TIMESTAMP,'localhost','Y');
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10064',CURRENT_TIMESTAMP,'Ranger 2.5.0',CURRENT_TIMESTAMP,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 GO
diff --git a/security-admin/src/main/java/org/apache/ranger/patch/PatchForAtlasPolicyUpdateForEntityRead_J10064.java b/security-admin/src/main/java/org/apache/ranger/patch/PatchForAtlasPolicyUpdateForEntityRead_J10064.java
new file mode 100644
index 0000000000..fe20dbbb4e
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/patch/PatchForAtlasPolicyUpdateForEntityRead_J10064.java
@@ -0,0 +1,155 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.ranger.patch; + +import org.apache.ranger.biz.ServiceDBStore; +import org.apache.ranger.db.RangerDaoManager; +import org.apache.ranger.entity.XXPolicy; +import org.apache.ranger.entity.XXService; +import org.apache.ranger.entity.XXServiceDef; +import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource; +import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; +import org.apache.ranger.util.CLIUtil; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +import java.util.Iterator; +import java.util.List; +import java.util.Map; + +@Component +public class PatchForAtlasPolicyUpdateForEntityRead_J10064 extends org.apache.ranger.patch.BaseLoader { + private static final Logger logger = LoggerFactory.getLogger(PatchForAtlasPolicyUpdateForEntityRead_J10064.class); + + private static final String RESOURCE_ENTITY_TYPE = "entity-type"; + private static final String ENTITY_READ = 
"entity-read"; + private static final String RESOURCE_ENTITY_LABEL = "entity-label"; + private static final String RESOURCE_ENTITY_BUSINESS_METADATA = "entity-business-metadata"; + + @Autowired + RangerDaoManager daoMgr; + + @Autowired + ServiceDBStore svcDBStore; + + public static void main(String[] args) { + logger.info("main()"); + + try { + PatchForAtlasPolicyUpdateForEntityRead_J10064 loader = (PatchForAtlasPolicyUpdateForEntityRead_J10064) CLIUtil.getBean(PatchForAtlasPolicyUpdateForEntityRead_J10064.class); + + loader.init(); + + while (loader.isMoreToProcess()) { + loader.load(); + } + + logger.info("Load complete. Exiting!!!"); + + System.exit(0); + } catch (Exception e) { + logger.error("Error loading", e); + + System.exit(1); + } + } + + @Override + public void init() throws Exception { + // Do Nothing + } + + @Override + public void printStats() { + logger.info("PatchForAtlasPolicyUpdateForEntityRead_J10064 Logs"); + } + + @Override + public void execLoad() { + logger.info("==> PatchForAtlasPolicyUpdateForEntityRead_J10064.execLoad()"); + + try { + updateAtlasPolicyForEntityReadAccessType(); + } catch (Exception e) { + throw new RuntimeException("Error while updating " + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME + " service-def", e); + } + + logger.info("<== PatchForAtlasPolicyUpdateForEntityRead_J10064.execLoad()"); + } + + private boolean removeIfEntityReadPermissionExist(RangerPolicyItem item) { + return item.getAccesses().removeIf(itemAccess -> itemAccess.getType().equals(ENTITY_READ)); + } + + private void updateAtlasPolicyForEntityReadAccessType() throws Exception { + logger.info("==> updateAtlasPolicyForEntityReadAccessType() "); + + XXServiceDef xXServiceDefObj = daoMgr.getXXServiceDef().findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME); + + if (xXServiceDefObj == null) { + logger.debug("ServiceDef not found with name :{}", EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME); + + return; + } + + Long 
xServiceDefId = xXServiceDefObj.getId(); + List xxServices = daoMgr.getXXService().findByServiceDefId(xServiceDefId); + + for (XXService xxService : xxServices) { + List xxPolicies = daoMgr.getXXPolicy().findByServiceId(xxService.getId()); + + for (XXPolicy xxPolicy : xxPolicies) { + RangerPolicy rPolicy = svcDBStore.getPolicy(xxPolicy.getId()); + + final Map policyResources = rPolicy.getResources(); + final boolean isNonEntityResourceType = policyResources.containsKey(RESOURCE_ENTITY_LABEL) + || policyResources.containsKey(RESOURCE_ENTITY_BUSINESS_METADATA); + boolean isUpdated = false; + + if (policyResources.containsKey(RESOURCE_ENTITY_TYPE) && isNonEntityResourceType) { + List policyItems = rPolicy.getPolicyItems(); + if (policyItems != null) { + Iterator itemIterator = policyItems.iterator(); + while (itemIterator.hasNext()) { + RangerPolicyItem item = itemIterator.next(); + if (removeIfEntityReadPermissionExist(item)) { + if (item.getAccesses().isEmpty()) { + itemIterator.remove(); + logger.debug("Removing empty policy item from policy ID: {}", rPolicy.getId()); + } + isUpdated = true; + } + } + } + } + + if (isUpdated) { + svcDBStore.updatePolicy(rPolicy); + logger.info("PatchForAtlasPolicyUpdateForEntityRead_J10064: updated policy (id={}, name={}) to remove {} permission", + rPolicy.getId(), rPolicy.getName(), ENTITY_READ); + } + } + } + + logger.info("<== updateAtlasPolicyForEntityReadAccessType() "); + } +}
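Review bot: The update loop at the end of `updateAtlasPolicyForEntityReadAccessType()` rewrites every policy of every Atlas service whose resources combine `entity-type` with `entity-label` or `entity-business-metadata`, admin-authored policies included, while the commit subject and the class name speak only of default policies; if that scope is intended, a class-level Javadoc should state it, because the patch changes access policies on upgrade and the per-policy info log is the only trace an operator gets. The error message in `execLoad()` says "service-def" although the patch updates policies, so `throw new RuntimeException("Error while updating policies of " + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME + " service", e);` describes the failure accurately. In `removeIfEntityReadPermissionExist`, `itemAccess.getType().equals(ENTITY_READ)` throws on an access entry with a null type and would abort the whole patch run, whereas `ENTITY_READ.equals(itemAccess.getType())` does not; the method name should also read `...Exists`. Only `getPolicyItems()` is scanned, so a policy that carries `entity-read` in its deny or exception item lists on the same resource combination presumably keeps it; if the cleanup is meant to be complete, those lists should go through the same iterator logic.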