RANGER-882 : Policy engine initialization should handle incorrect val…

…ues in policies
yzhou2001 · Mar 23, 2016 · 9b1fa33 · 9b1fa33
1 parent d242dd6
commit 9b1fa33
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 10 deletions.
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java b/agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
@@ -87,8 +87,9 @@ public enum ValidationErrorCode {
     POLICY_VALIDATION_ERR_POLICY_ITEM_ACCESS_TYPE_DENY(3023, "Currently deny access types are not supported. Access type is set to deny."),
     POLICY_VALIDATION_ERR_INVALID_RESOURCE_NO_COMPATIBLE_HIERARCHY_SINGLE(3024, "Invalid resources specified. {0} policy can specify values for the following resources: {1}"),
     POLICY_VALIDATION_ERR_INVALID_RESOURCE_MISSING_MANDATORY_SINGLE(3025, "Invalid resources specified. {0} policy must specify values for the following resources: {1}"),
-    POLICY_VALIDATION_ERR_POLICY_UPDATE_MOVE_SERVICE_NOT_ALLOWED(3026, "attempt to move policy id={0} from service={1} to service={2} is not allowed"),
-    POLICY_VALIDATION_ERR_POLICY_TYPE_CHANGE_NOT_ALLOWED(3027, "attempt to change type of policy id={0} from type={1} to type={2} is not allowed"),
+    POLICY_VALIDATION_ERR_MISSING_RESOURCE_LIST(3026, "Resource list was empty or contains null. At least one resource must be specified"),
+    POLICY_VALIDATION_ERR_POLICY_UPDATE_MOVE_SERVICE_NOT_ALLOWED(3027, "attempt to move policy id={0} from service={1} to service={2} is not allowed"),
+    POLICY_VALIDATION_ERR_POLICY_TYPE_CHANGE_NOT_ALLOWED(3028, "attempt to change type of policy id={0} from type={1} to type={2} is not allowed"),
     ;
 
 

diff --git a/...common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java b/...common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
@@ -606,6 +606,28 @@ boolean isValidResourceValues(Map<String, RangerPolicyResource> resourceMap, Lis
 		for (Map.Entry<String, RangerPolicyResource> entry : resourceMap.entrySet()) {
 			String name = entry.getKey();
 			RangerPolicyResource policyResource = entry.getValue();
+			if(policyResource != null && CollectionUtils.isNotEmpty(policyResource.getValues())){
+				Set<String> resources = new HashSet<String>(policyResource.getValues());
+				for (String aValue : resources) {
+					if (StringUtils.isBlank(aValue)) {
+						policyResource.getValues().remove(aValue);
+					}
+				}
+			}
+			if(CollectionUtils.isEmpty(policyResource.getValues())){
+				ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_MISSING_RESOURCE_LIST;
+				if(LOG.isDebugEnabled()) {
+					LOG.debug(String.format("Resource list was empty or contains null: value[%s], resource-name[%s], service-def-name[%s]", policyResource.getValues(), name, serviceDef.getName()));
+				}
+				failures.add(new ValidationFailureDetailsBuilder()
+					.field("resource-values")
+					.subField(name)
+					.isMissing()
+					.becauseOf(error.getMessage(name))
+					.errorCode(error.getErrorCode())
+					.build());
+				valid=false;
+			}
 			if (validationRegExMap.containsKey(name) && policyResource != null && CollectionUtils.isNotEmpty(policyResource.getValues())) {
 				String regEx = validationRegExMap.get(name);
 				for (String aValue : policyResource.getValues()) {

diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -2407,14 +2407,17 @@ private void createNewResourcesForPolicy(RangerPolicy policy, XXPolicy xPolicy,
 			xPolRes = daoMgr.getXXPolicyResource().create(xPolRes);
 
 			List<String> values = policyRes.getValues();
-			for(int i = 0; i < values.size(); i++) {
-				XXPolicyResourceMap xPolResMap = new XXPolicyResourceMap();
-				xPolResMap = (XXPolicyResourceMap) rangerAuditFields.populateAuditFields(xPolResMap, xPolRes);
-				xPolResMap.setResourceId(xPolRes.getId());
-				xPolResMap.setValue(values.get(i));
-				xPolResMap.setOrder(i);
-
-				xPolResMap = daoMgr.getXXPolicyResourceMap().create(xPolResMap);
+			if(CollectionUtils.isNotEmpty(values)){
+				for(int i = 0; i < values.size(); i++) {
+					if(values.get(i)!=null){
+						XXPolicyResourceMap xPolResMap = new XXPolicyResourceMap();
+						xPolResMap = (XXPolicyResourceMap) rangerAuditFields.populateAuditFields(xPolResMap, xPolRes);
+						xPolResMap.setResourceId(xPolRes.getId());
+						xPolResMap.setValue(values.get(i));
+						xPolResMap.setOrder(i);
+						xPolResMap = daoMgr.getXXPolicyResourceMap().create(xPolResMap);
+					}
+				}
 			}
 		}
 	}