Merge branch 'master' into dependabot/maven/hbase-agent/org.eclipse.j…

…etty-jetty-http-12.0.12

README.md

@@ -58,7 +58,7 @@ Ranger is built using [Apache Maven](https://maven.apache.org/). To run Ranger:
 
 2. On the root folder, please execute the following Maven command:
 
-   `mvn clean compile package install`
+   `mvn clean install`
 
    `mvn eclipse:eclipse`
 

agents-audit/pom.xml

@@ -28,8 +28,6 @@
     <name>Audit Component</name>
     <description>Auth Audit</description>
     <properties>
-        <checkstyle.failOnViolation>true</checkstyle.failOnViolation>
-        <checkstyle.skip>false</checkstyle.skip>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <securesm.version>1.2</securesm.version>
     </properties>

agents-audit/src/main/java/org/apache/ranger/audit/destination/ElasticSearchAuditDestination.java

@@ -49,6 +49,7 @@
 import javax.security.auth.kerberos.KerberosTicket;
 
 import java.io.File;
+import java.io.IOException;
 import java.security.PrivilegedActionException;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -319,32 +320,30 @@ private String connectionString() {
     }
 
     private RestHighLevelClient newClient() {
+        RestHighLevelClient restHighLevelClient = null;
+
         try {
             if (StringUtils.isNotBlank(user) && StringUtils.isNotBlank(password) && password.contains("keytab") && new File(password).exists()) {
                 subject = CredentialsProviderUtil.login(user, password);
             }
 
             RestClientBuilder restClientBuilder = getRestClientBuilder(hosts, protocol, user, password, port);
+            restHighLevelClient = new RestHighLevelClient(restClientBuilder);
+            boolean exists = false;
 
-            try (RestHighLevelClient restHighLevelClient = new RestHighLevelClient(restClientBuilder)) {
-                LOG.debug("Initialized client");
-
-                boolean exists = false;
-
-                try {
-                    exists = restHighLevelClient.indices().open(new OpenIndexRequest(this.index), RequestOptions.DEFAULT).isShardsAcknowledged();
-                } catch (Exception e) {
-                    LOG.warn("Error validating index {}", this.index);
-                }
-
-                if (exists) {
-                    LOG.debug("Index exists");
-                } else {
-                    LOG.info("Index does not exist");
-                }
+            try {
+                exists = restHighLevelClient.indices().open(new OpenIndexRequest(this.index), RequestOptions.DEFAULT).isShardsAcknowledged();
+            } catch (Exception e) {
+                LOG.warn("Error validating index {}", this.index);
+            }
 
-                return restHighLevelClient;
+            if (exists) {
+                LOG.debug("Index exists");
+            } else {
+                LOG.info("Index does not exist");
             }
+
+            return restHighLevelClient;
         } catch (Throwable t) {
             lastLoggedAt.updateAndGet(lastLoggedAt -> {
                 long now     = System.currentTimeMillis();
@@ -358,6 +357,16 @@ private RestHighLevelClient newClient() {
                     return lastLoggedAt;
                 }
             });
+
+            if (restHighLevelClient != null) {
+                try {
+                    restHighLevelClient.close();
+                    LOG.debug("Closed RestHighLevelClient after failure");
+                } catch (IOException e) {
+                    LOG.warn("Error closing RestHighLevelClient: {}", e.getMessage(), e);
+                }
+            }
+
             return null;
         }
     }

agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditFileQueueSpool.java

@@ -692,6 +692,10 @@ void appendToDoneFile(AuditIndexRecord indexRecord) throws IOException {
                             try {
                                 AuditIndexRecord record = MiscUtil.fromJson(line, AuditIndexRecord.class);
 
+                                if (record == null) {
+                                    continue;
+                                }
+
                                 logFile     = new File(record.getFilePath());
                                 archiveFile = new File(archiveFolder, logFile.getName());
 

agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditFileSpool.java

@@ -678,6 +678,10 @@ void appendToDoneFile(AuditIndexRecord indexRecord) throws IOException {
                             try {
                                 AuditIndexRecord record = MiscUtil.fromJson(line, AuditIndexRecord.class);
 
+                                if (record == null) {
+                                    continue;
+                                }
+
                                 logFile     = new File(record.getFilePath());
                                 archiveFile = new File(archiveFolder, logFile.getName());
 

agents-common/pom.xml

@@ -28,8 +28,6 @@
     <name>Common library for Plugins</name>
     <description>Plugins Common</description>
     <properties>
-        <checkstyle.failOnViolation>true</checkstyle.failOnViolation>
-        <checkstyle.skip>false</checkstyle.skip>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>
     <dependencies>

agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java

@@ -32,6 +32,7 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
 
 public class RangerPluginConfig extends RangerConfiguration {
@@ -62,6 +63,10 @@ public class RangerPluginConfig extends RangerConfiguration {
     private       Set<String>               serviceAdmins       = Collections.emptySet();
 
     public RangerPluginConfig(String serviceType, String serviceName, String appId, String clusterName, String clusterType, RangerPolicyEngineOptions policyEngineOptions) {
+        this(serviceType, serviceName, appId, clusterName, clusterType, null, policyEngineOptions);
+    }
+
+    public RangerPluginConfig(String serviceType, String serviceName, String appId, String clusterName, String clusterType, List<File> additionalConfigFiles, RangerPolicyEngineOptions policyEngineOptions) {
         super();
 
         addResourcesForServiceType(serviceType);
@@ -73,6 +78,16 @@ public RangerPluginConfig(String serviceType, String serviceName, String appId,
 
         addResourcesForServiceName(this.serviceType, this.serviceName);
 
+        if (additionalConfigFiles != null) {
+            for (File configFile : additionalConfigFiles) {
+                try {
+                    addResource(configFile.toURI().toURL());
+                } catch (Throwable t) {
+                    LOG.warn("failed to load configurations from {}", configFile, t);
+                }
+            }
+        }
+
         String trustedProxyAddressString = this.get(propertyPrefix + ".trusted.proxy.ipaddresses");
 
         if (StringUtil.isEmpty(clusterName)) {

agents-common/src/main/java/org/apache/ranger/plugin/geo/BinarySearchTree.java

@@ -28,7 +28,7 @@ public BinarySearchTree() {
     }
 
     public void insert(final T value) {
-        Node<T> node = new Node<T>(value);
+        Node<T> node = new Node<>(value);
 
         if (root == null) {
             root = node;
@@ -104,7 +104,7 @@ void setRoot(final Node<T> newRoot) {
     }
 
     void rebalance() {
-        Node<T> dummy = new Node<T>(null);
+        Node<T> dummy = new Node<>(null);
 
         dummy.setRight(root);
 

agents-common/src/main/java/org/apache/ranger/plugin/geo/RangerGeolocationDatabase.java

@@ -82,7 +82,7 @@ public BinarySearchTree<RangerGeolocationData, Long> getData() {
     }
 
     public void setData(final BinarySearchTree<RangerGeolocationData, Long> dataArg) {
-        data = dataArg != null ? dataArg : new BinarySearchTree<RangerGeolocationData, Long>();
+        data = dataArg != null ? dataArg : new BinarySearchTree<>();
     }
 
     public void dump(ValuePrinter<RangerGeolocationData> processor) {

agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java

@@ -2543,22 +2543,20 @@ public int hashCode() {
         public boolean equals(Object obj) {
             if (this == obj) {
                 return true;
-            }
-            if (obj == null) {
+            } else if (obj == null) {
                 return false;
-            }
-            if (getClass() != obj.getClass()) {
+            } else if (getClass() != obj.getClass()) {
                 return false;
             }
+
             RangerPolicyConditionDef other = (RangerPolicyConditionDef) obj;
             if (itemId == null) {
                 if (other.itemId != null) {
                     return false;
                 }
-            } else if (other.itemId != null || !itemId.equals(other.itemId)) {
+            } else if (!itemId.equals(other.itemId)) {
                 return false;
             }
-
             if (description == null) {
                 if (other.description != null) {
                     return false;

agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java

@@ -26,6 +26,7 @@
 import org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem;
 import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
@@ -50,7 +51,7 @@
 public class RangerPolicyValidator extends RangerValidator {
     private static final Logger LOG = LoggerFactory.getLogger(RangerPolicyValidator.class);
 
-    private static final List<String> INVALID_ITEMS = new ArrayList<>(Arrays.asList("null", "NULL", "Null", null));
+    private static final Set<String> INVALID_POLICY_ITEM_VALUES = new HashSet<>(Arrays.asList("null", "NULL", "Null", null, ""));
 
     public RangerPolicyValidator(ServiceStore store) {
         super(store);
@@ -430,6 +431,14 @@ boolean isValid(RangerPolicy policy, Action action, boolean isAdmin, List<Valida
                     valid = isValidPolicyItems(policy.getDenyPolicyItems(), failures, serviceDef) && valid;
                     valid = isValidPolicyItems(policy.getAllowExceptions(), failures, serviceDef) && valid;
                     valid = isValidPolicyItems(policy.getDenyExceptions(), failures, serviceDef) && valid;
+
+                    @SuppressWarnings("unchecked")
+                    List<RangerPolicyItem> dataMaskPolicyItems = (List<RangerPolicyItem>) (List<?>) policy.getDataMaskPolicyItems();
+                    valid = isValidPolicyItems(dataMaskPolicyItems, failures, serviceDef) && valid;
+
+                    @SuppressWarnings("unchecked")
+                    List<RangerPolicyItem> rowFilterPolicyItems = (List<RangerPolicyItem>) (List<?>) policy.getRowFilterPolicyItems();
+                    valid = isValidPolicyItems(rowFilterPolicyItems, failures, serviceDef) && valid;
                 }
             }
 
@@ -1052,6 +1061,20 @@ boolean isValidPolicyItem(RangerPolicyItem policyItem, List<ValidationFailureDet
         if (policyItem == null) {
             LOG.debug("policy item was null!");
         } else {
+            if (policyItem instanceof RangerDataMaskPolicyItem) {
+                RangerPolicyItemDataMaskInfo dataMaskInfo = ((RangerDataMaskPolicyItem) policyItem).getDataMaskInfo();
+                if (StringUtils.isBlank(dataMaskInfo.getDataMaskType())) {
+                    ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM;
+                    failures.add(new ValidationFailureDetailsBuilder()
+                            .field("policy item datamask-type")
+                            .isMissing()
+                            .becauseOf(error.getMessage("policy item datamask-type"))
+                            .errorCode(error.getErrorCode())
+                            .build());
+
+                    valid = false;
+                }
+            }
             // access items collection can't be empty (unless delegated admin is true) and should be otherwise valid
             if (CollectionUtils.isEmpty(policyItem.getAccesses())) {
                 if (!Boolean.TRUE.equals(policyItem.getDelegateAdmin())) {
@@ -1089,7 +1112,7 @@ boolean isValidPolicyItem(RangerPolicyItem policyItem, List<ValidationFailureDet
                 removeDuplicates(policyItem.getGroups());
                 removeDuplicates(policyItem.getRoles());
 
-                if (CollectionUtils.isNotEmpty(policyItem.getUsers()) && CollectionUtils.containsAny(policyItem.getUsers(), INVALID_ITEMS)) {
+                if (CollectionUtils.isNotEmpty(policyItem.getUsers()) && CollectionUtils.containsAny(policyItem.getUsers(), INVALID_POLICY_ITEM_VALUES)) {
                     ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_USER;
 
                     failures.add(new ValidationFailureDetailsBuilder()
@@ -1102,7 +1125,7 @@ boolean isValidPolicyItem(RangerPolicyItem policyItem, List<ValidationFailureDet
                     valid = false;
                 }
 
-                if (CollectionUtils.isNotEmpty(policyItem.getGroups()) && CollectionUtils.containsAny(policyItem.getGroups(), INVALID_ITEMS)) {
+                if (CollectionUtils.isNotEmpty(policyItem.getGroups()) && CollectionUtils.containsAny(policyItem.getGroups(), INVALID_POLICY_ITEM_VALUES)) {
                     ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_GROUP;
 
                     failures.add(new ValidationFailureDetailsBuilder()
@@ -1115,7 +1138,7 @@ boolean isValidPolicyItem(RangerPolicyItem policyItem, List<ValidationFailureDet
                     valid = false;
                 }
 
-                if (CollectionUtils.isNotEmpty(policyItem.getRoles()) && CollectionUtils.containsAny(policyItem.getRoles(), INVALID_ITEMS)) {
+                if (CollectionUtils.isNotEmpty(policyItem.getRoles()) && CollectionUtils.containsAny(policyItem.getRoles(), INVALID_POLICY_ITEM_VALUES)) {
                     ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_ROLE;
 
                     failures.add(new ValidationFailureDetailsBuilder()
@@ -1281,6 +1304,7 @@ private static void removeDuplicates(List<String> values) {
 
         HashSet<String> uniqueElements = new HashSet<>();
 
+        values.replaceAll(e -> e == null ? null : e.trim());
         values.removeIf(e -> !uniqueElements.add(e));
     }
 }

agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsProjectEvaluator.java

@@ -44,7 +44,7 @@
 import java.util.Set;
 
 public class GdsProjectEvaluator {
-    private static final Logger LOG = LoggerFactory.getLogger(GdsDatasetEvaluator.class);
+    private static final Logger LOG = LoggerFactory.getLogger(GdsProjectEvaluator.class);
 
     public static final GdsProjectEvalOrderComparator EVAL_ORDER_COMPARATOR = new GdsProjectEvalOrderComparator();
 

agents-cred/pom.xml

@@ -28,8 +28,6 @@
     <name>Credential Support</name>
     <description>Plugins Common</description>
     <properties>
-        <checkstyle.failOnViolation>true</checkstyle.failOnViolation>
-        <checkstyle.skip>false</checkstyle.skip>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>
     <dependencies>

agents-installer/pom.xml

@@ -28,8 +28,6 @@
     <name>Installer Support Component</name>
     <description>Security Plugins Installer</description>
     <properties>
-        <checkstyle.failOnViolation>true</checkstyle.failOnViolation>
-        <checkstyle.skip>false</checkstyle.skip>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>
     <dependencies>

credentialbuilder/pom.xml

@@ -27,10 +27,6 @@
     <packaging>jar</packaging>
     <name>Credential Builder</name>
     <description>Credential Builder for non-hadoop java codebase</description>
-    <properties>
-        <checkstyle.failOnViolation>true</checkstyle.failOnViolation>
-        <checkstyle.skip>false</checkstyle.skip>
-    </properties>
     <dependencies>
         <dependency>
             <groupId>com.fasterxml.woodstox</groupId>