Merge branch 'apache:master' into ranger-5080

agents-audit/pom.xml

@@ -28,8 +28,6 @@
     <name>Audit Component</name>
     <description>Auth Audit</description>
     <properties>
-        <checkstyle.failOnViolation>true</checkstyle.failOnViolation>
-        <checkstyle.skip>false</checkstyle.skip>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <securesm.version>1.2</securesm.version>
     </properties>

agents-common/pom.xml

@@ -28,8 +28,6 @@
     <name>Common library for Plugins</name>
     <description>Plugins Common</description>
     <properties>
-        <checkstyle.failOnViolation>true</checkstyle.failOnViolation>
-        <checkstyle.skip>false</checkstyle.skip>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>
     <dependencies>

agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java

@@ -32,6 +32,7 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
 
 public class RangerPluginConfig extends RangerConfiguration {
@@ -62,6 +63,10 @@ public class RangerPluginConfig extends RangerConfiguration {
     private       Set<String>               serviceAdmins       = Collections.emptySet();
 
     public RangerPluginConfig(String serviceType, String serviceName, String appId, String clusterName, String clusterType, RangerPolicyEngineOptions policyEngineOptions) {
+        this(serviceType, serviceName, appId, clusterName, clusterType, null, policyEngineOptions);
+    }
+
+    public RangerPluginConfig(String serviceType, String serviceName, String appId, String clusterName, String clusterType, List<File> additionalConfigFiles, RangerPolicyEngineOptions policyEngineOptions) {
         super();
 
         addResourcesForServiceType(serviceType);
@@ -73,6 +78,16 @@ public RangerPluginConfig(String serviceType, String serviceName, String appId,
 
         addResourcesForServiceName(this.serviceType, this.serviceName);
 
+        if (additionalConfigFiles != null) {
+            for (File configFile : additionalConfigFiles) {
+                try {
+                    addResource(configFile.toURI().toURL());
+                } catch (Throwable t) {
+                    LOG.warn("failed to load configurations from {}", configFile, t);
+                }
+            }
+        }
+
         String trustedProxyAddressString = this.get(propertyPrefix + ".trusted.proxy.ipaddresses");
 
         if (StringUtil.isEmpty(clusterName)) {

agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java

@@ -26,6 +26,7 @@
 import org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem;
 import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
@@ -50,7 +51,7 @@
 public class RangerPolicyValidator extends RangerValidator {
     private static final Logger LOG = LoggerFactory.getLogger(RangerPolicyValidator.class);
 
-    private static final List<String> INVALID_ITEMS = new ArrayList<>(Arrays.asList("null", "NULL", "Null", null));
+    private static final Set<String> INVALID_POLICY_ITEM_VALUES = new HashSet<>(Arrays.asList("null", "NULL", "Null", null, ""));
 
     public RangerPolicyValidator(ServiceStore store) {
         super(store);
@@ -430,6 +431,14 @@ boolean isValid(RangerPolicy policy, Action action, boolean isAdmin, List<Valida
                     valid = isValidPolicyItems(policy.getDenyPolicyItems(), failures, serviceDef) && valid;
                     valid = isValidPolicyItems(policy.getAllowExceptions(), failures, serviceDef) && valid;
                     valid = isValidPolicyItems(policy.getDenyExceptions(), failures, serviceDef) && valid;
+
+                    @SuppressWarnings("unchecked")
+                    List<RangerPolicyItem> dataMaskPolicyItems = (List<RangerPolicyItem>) (List<?>) policy.getDataMaskPolicyItems();
+                    valid = isValidPolicyItems(dataMaskPolicyItems, failures, serviceDef) && valid;
+
+                    @SuppressWarnings("unchecked")
+                    List<RangerPolicyItem> rowFilterPolicyItems = (List<RangerPolicyItem>) (List<?>) policy.getRowFilterPolicyItems();
+                    valid = isValidPolicyItems(rowFilterPolicyItems, failures, serviceDef) && valid;
                 }
             }
 
@@ -1052,6 +1061,20 @@ boolean isValidPolicyItem(RangerPolicyItem policyItem, List<ValidationFailureDet
         if (policyItem == null) {
             LOG.debug("policy item was null!");
         } else {
+            if (policyItem instanceof RangerDataMaskPolicyItem) {
+                RangerPolicyItemDataMaskInfo dataMaskInfo = ((RangerDataMaskPolicyItem) policyItem).getDataMaskInfo();
+                if (StringUtils.isBlank(dataMaskInfo.getDataMaskType())) {
+                    ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM;
+                    failures.add(new ValidationFailureDetailsBuilder()
+                            .field("policy item datamask-type")
+                            .isMissing()
+                            .becauseOf(error.getMessage("policy item datamask-type"))
+                            .errorCode(error.getErrorCode())
+                            .build());
+
+                    valid = false;
+                }
+            }
             // access items collection can't be empty (unless delegated admin is true) and should be otherwise valid
             if (CollectionUtils.isEmpty(policyItem.getAccesses())) {
                 if (!Boolean.TRUE.equals(policyItem.getDelegateAdmin())) {
@@ -1089,7 +1112,7 @@ boolean isValidPolicyItem(RangerPolicyItem policyItem, List<ValidationFailureDet
                 removeDuplicates(policyItem.getGroups());
                 removeDuplicates(policyItem.getRoles());
 
-                if (CollectionUtils.isNotEmpty(policyItem.getUsers()) && CollectionUtils.containsAny(policyItem.getUsers(), INVALID_ITEMS)) {
+                if (CollectionUtils.isNotEmpty(policyItem.getUsers()) && CollectionUtils.containsAny(policyItem.getUsers(), INVALID_POLICY_ITEM_VALUES)) {
                     ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_USER;
 
                     failures.add(new ValidationFailureDetailsBuilder()
@@ -1102,7 +1125,7 @@ boolean isValidPolicyItem(RangerPolicyItem policyItem, List<ValidationFailureDet
                     valid = false;
                 }
 
-                if (CollectionUtils.isNotEmpty(policyItem.getGroups()) && CollectionUtils.containsAny(policyItem.getGroups(), INVALID_ITEMS)) {
+                if (CollectionUtils.isNotEmpty(policyItem.getGroups()) && CollectionUtils.containsAny(policyItem.getGroups(), INVALID_POLICY_ITEM_VALUES)) {
                     ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_GROUP;
 
                     failures.add(new ValidationFailureDetailsBuilder()
@@ -1115,7 +1138,7 @@ boolean isValidPolicyItem(RangerPolicyItem policyItem, List<ValidationFailureDet
                     valid = false;
                 }
 
-                if (CollectionUtils.isNotEmpty(policyItem.getRoles()) && CollectionUtils.containsAny(policyItem.getRoles(), INVALID_ITEMS)) {
+                if (CollectionUtils.isNotEmpty(policyItem.getRoles()) && CollectionUtils.containsAny(policyItem.getRoles(), INVALID_POLICY_ITEM_VALUES)) {
                     ValidationErrorCode error = ValidationErrorCode.POLICY_VALIDATION_ERR_NULL_POLICY_ITEM_ROLE;
 
                     failures.add(new ValidationFailureDetailsBuilder()
@@ -1281,6 +1304,7 @@ private static void removeDuplicates(List<String> values) {
 
         HashSet<String> uniqueElements = new HashSet<>();
 
+        values.replaceAll(e -> e == null ? null : e.trim());
         values.removeIf(e -> !uniqueElements.add(e));
     }
 }

agents-cred/pom.xml

@@ -28,8 +28,6 @@
     <name>Credential Support</name>
     <description>Plugins Common</description>
     <properties>
-        <checkstyle.failOnViolation>true</checkstyle.failOnViolation>
-        <checkstyle.skip>false</checkstyle.skip>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>
     <dependencies>

agents-installer/pom.xml

@@ -28,8 +28,6 @@
     <name>Installer Support Component</name>
     <description>Security Plugins Installer</description>
     <properties>
-        <checkstyle.failOnViolation>true</checkstyle.failOnViolation>
-        <checkstyle.skip>false</checkstyle.skip>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>
     <dependencies>

credentialbuilder/pom.xml

@@ -27,10 +27,6 @@
     <packaging>jar</packaging>
     <name>Credential Builder</name>
     <description>Credential Builder for non-hadoop java codebase</description>
-    <properties>
-        <checkstyle.failOnViolation>true</checkstyle.failOnViolation>
-        <checkstyle.skip>false</checkstyle.skip>
-    </properties>
     <dependencies>
         <dependency>
             <groupId>com.fasterxml.woodstox</groupId>

dev-support/checkstyle-suppressions.xml

@@ -25,6 +25,69 @@
   <suppress files="AuditFileCacheProviderSpool.java" checks="TypeName"/>
   <suppress files="AuthzAuditEvent.java" checks="StaticVariableName"/>
   <suppress files="buildks.java" checks="TypeName"/>
+  <suppress files="BaseDao.java" checks="StaticVariableName"/>
+  <suppress files="ContextUtil.java" checks="HideUtilityClassConstructor"/>
+  <suppress files="MapUtil.java" checks="HideUtilityClassConstructor"/>
+  <suppress files="PolicyRefUpdater.java" checks="TypeName"/>
+  <suppress files="RangerAdminTagEnricher.java" checks="StaticVariableName"/>
+  <suppress files="RangerCommonEnums.java" checks="HideUtilityClassConstructor"/>
+  <suppress files="RangerConstants.java" checks="TypeName"/>
   <suppress files="RangerRolesUtil.java" checks="TypeName"/>
+  <suppress files="SearchField.java" checks="TypeName"/>
+  <suppress files="ServiceDBStore.java" checks="StaticVariableName"/>
+  <suppress files="ServiceDBStore.java" checks="TypeName"/>
+  <suppress files="SortField.java" checks="TypeName"/>
   <suppress files="SPOOL_FILE_STATUS.java" checks="TypeName"/>
+  <suppress files="TagDBStore.java" checks="StaticVariableName"/>
+  <suppress files="TagDBStore.java" checks="TypeName"/>
+  <suppress files="TimedEventUtil.java" checks="HideUtilityClassConstructor"/>
+  <suppress files="PatchAssignSecurityZonePersmissionToAdmin_J10026.java" checks="TypeName"/>
+  <suppress files="PatchAtlasForClassificationResource_J10047" checks="TypeName"/>
+  <suppress files="PatchForAllServiceDefForPolicyConditionUpdate_J10060" checks="TypeName"/>
+  <suppress files="PatchForAllServiceDefUpdateForDefaultAuditFilters_J10049" checks="TypeName"/>
+  <suppress files="PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012" checks="TypeName"/>
+  <suppress files="PatchForAtlasAdminAudits_J10043" checks="TypeName"/>
+  <suppress files="PatchForAtlasResourceAndAccessTypeUpdate_J10016" checks="TypeName"/>
+  <suppress files="PatchForAtlasServiceDefUpdate_J10013" checks="TypeName"/>
+  <suppress files="PatchForAtlasToAddEntityLabelAndBusinessMetadata_J10034" checks="TypeName"/>
+  <suppress files="PatchForAtlasToAddTypeRead_J10040" checks="TypeName"/>
+  <suppress files="PatchForDefaultAuidtFilters_J10050" checks="TypeName"/>
+  <suppress files="PatchForExternalUserStatusUpdate_J10056" checks="TypeName"/>
+  <suppress files="PatchForHBaseDefaultPolicyUpdate_J10045" checks="TypeName"/>
+  <suppress files="PatchForHBaseServiceDefUpdate_J10035" checks="TypeName"/>
+  <suppress files="PatchForHiveServiceDefUpdate_J10006" checks="TypeName"/>
+  <suppress files="PatchForHiveServiceDefUpdate_J10007" checks="TypeName"/>
+  <suppress files="PatchForHiveServiceDefUpdate_J10009" checks="TypeName"/>
+  <suppress files="PatchForHiveServiceDefUpdate_J10010" checks="TypeName"/>
+  <suppress files="PatchForHiveServiceDefUpdate_J10017" checks="TypeName"/>
+  <suppress files="PatchForHiveServiceDefUpdate_J10027" checks="TypeName"/>
+  <suppress files="PatchForHiveServiceDefUpdate_J10030" checks="TypeName"/>
+  <suppress files="PatchForKafkaServiceDefUpdate_J10015" checks="TypeName"/>
+  <suppress files="PatchForKafkaServiceDefUpdate_J10025" checks="TypeName"/>
+  <suppress files="PatchForKafkaServiceDefUpdate_J10033" checks="TypeName"/>
+  <suppress files="PatchForMigratingOldRegimePolicyJson_J10046" checks="TypeName"/>
+  <suppress files="PatchForMigratingRangerServiceResource_J10037" checks="TypeName"/>
+  <suppress files="PatchForNifiResourceUpdateExclude_J10011" checks="TypeName"/>
+  <suppress files="PatchForOzoneDefaultPoliciesUpdate_J10044" checks="TypeName"/>
+  <suppress files="PatchForOzoneServiceDefConfigUpdate_J10051" checks="TypeName"/>
+  <suppress files="PatchForOzoneServiceDefUpdate_J10041" checks="TypeName"/>
+  <suppress files="PatchForPrestoToSupportPresto333_J10038" checks="TypeName"/>
+  <suppress files="PatchForServiceVersionInfo_J10004" checks="TypeName"/>
+  <suppress files="PatchForSolrSvcDefAndPoliciesUpdate_J10055" checks="TypeName"/>
+  <suppress files="PatchForSyncSourceUpdate_J10054" checks="TypeName"/>
+  <suppress files="PatchForTagServiceDefUpdate_J10008" checks="TypeName"/>
+  <suppress files="PatchForTagServiceDefUpdate_J10028" checks="TypeName"/>
+  <suppress files="PatchForTrinoSvcDefUpdate_J10062" checks="TypeName"/>
+  <suppress files="PatchForUpdatingAtlasSvcDefAndTagPolicies_J10063" checks="TypeName"/>
+  <suppress files="PatchForUpdatingPolicyJson_J10019" checks="TypeName"/>
+  <suppress files="PatchForUpdatingTagsJson_J10020" checks="TypeName"/>
+  <suppress files="PatchForXGlobalState_J10036" checks="TypeName"/>
+  <suppress files="PatchGrantAuditPermissionToKeyRoleUser_J10014" checks="TypeName"/>
+  <suppress files="PatchMigration_J10002" checks="TypeName"/>
+  <suppress files="PatchPasswordEncryption_J10001" checks="TypeName"/>
+  <suppress files="PatchPermissionModel_J10003" checks="TypeName"/>
+  <suppress files="PatchPreSql_057_ForUpdateToUniqueGUID_J10052" checks="TypeName"/>
+  <suppress files="PatchPreSql_058_ForUpdateToUniqueResoureceSignature_J10053" checks="TypeName"/>
+  <suppress files="PatchSetAccessTypeCategory_J10061" checks="TypeName"/>
+  <suppress files="PatchTagModulePermission_J10005" checks="TypeName"/>
 </suppressions>

embeddedwebserver/pom.xml

@@ -28,8 +28,6 @@
     <name>Embedded Web Server Invoker</name>
     <description>Embedded Web Server Invoker</description>
     <properties>
-        <checkstyle.failOnViolation>true</checkstyle.failOnViolation>
-        <checkstyle.skip>false</checkstyle.skip>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>
     <dependencies>

hbase-agent/pom.xml

@@ -28,8 +28,6 @@
     <name>HBase Security Plugin</name>
     <description>HBase Security Plugins</description>
     <properties>
-        <checkstyle.failOnViolation>true</checkstyle.failOnViolation>
-        <checkstyle.skip>false</checkstyle.skip>
         <hbase.jetty.version>9.4.51.v20230217</hbase.jetty.version>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>

hdfs-agent/pom.xml

@@ -28,8 +28,6 @@
     <name>Hdfs Security Plugin</name>
     <description>Hdfs Security Plugins</description>
     <properties>
-        <checkstyle.failOnViolation>true</checkstyle.failOnViolation>
-        <checkstyle.skip>false</checkstyle.skip>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>
     <dependencies>

hive-agent/pom.xml

@@ -28,8 +28,6 @@
     <name>Hive Security Plugin</name>
     <description>Hive Security Plugins</description>
     <properties>
-        <checkstyle.failOnViolation>true</checkstyle.failOnViolation>
-        <checkstyle.skip>false</checkstyle.skip>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>
     <dependencies>

intg/pom.xml

@@ -25,10 +25,6 @@
     </parent>
 
     <artifactId>ranger-intg</artifactId>
-    <properties>
-        <checkstyle.failOnViolation>true</checkstyle.failOnViolation>
-        <checkstyle.skip>false</checkstyle.skip>
-    </properties>
     <dependencies>
         <dependency>
             <groupId>org.apache.ranger</groupId>

jisql/pom.xml

@@ -28,8 +28,6 @@
     <name>Jdbc SQL Connector</name>
     <description>Jdbc SQL Connector to execute sql statement in any db</description>
     <properties>
-        <checkstyle.failOnViolation>true</checkstyle.failOnViolation>
-        <checkstyle.skip>false</checkstyle.skip>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>
     <dependencies>

kms/pom.xml

@@ -26,10 +26,6 @@
     <packaging>jar</packaging>
     <name>Key Management Service</name>
     <description>Key Management Service</description>
-    <properties>
-        <checkstyle.failOnViolation>true</checkstyle.failOnViolation>
-        <checkstyle.skip>false</checkstyle.skip>
-    </properties>
     <dependencies>
         <dependency>
             <groupId>asm</groupId>