RANGER-5628: Support for actions in Ozone Service Definition#995
Open
fmorg-git wants to merge 5 commits into
Open
RANGER-5628: Support for actions in Ozone Service Definition#995fmorg-git wants to merge 5 commits into
fmorg-git wants to merge 5 commits into
Conversation
added 5 commits
June 3, 2026 14:54
Generated-By: Cursor, Claude Code and then with additional manual updates.
Generated-By: Cursor, Claude Code and then with additional manual updates.
Generated-By: Cursor
…ions, and ensure actions wrap around instead of scrolling horizontally indefinitely. It also fixes latent React hook violations of having useState within a conditional (CommonComponents.jsx) and a loop (Editable.jsx). It also ensures that the action field only shows up in the Policy Conditions section, not on the overall Resource Policy. Generated-By: Cursor, Claude Code
Generated-By: Cursor, Claude Code
kumaab
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
This PR extends Ranger’s Ozone support to optionally evaluate fine-grained S3-style actions (e.g., GetObject, PutObjectTagging) in addition to existing permission checks, enabling upcoming Ozone STS use cases. It also updates the React policy editor UX to manage action-matches as a per-permission-row condition and to filter available actions based on selected permissions/resources.
Changes:
- Add backend action matching for inline policies and policy item conditions (including wildcard/prefix matching) and propagate Ozone STS “S3 action” into Ranger requests.
- Update Ozone service definition to include an
action-matchespolicy condition, plus an admin DB patch to roll out updated policy conditions. - UI updates to edit
action-matchesper permission row, filter action choices based on permissions/resource depth, and fix React hook rule violations.
Reviewed changes
Copilot reviewed 26 out of 26 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| security-admin/src/main/webapp/react-webapp/src/views/PolicyListing/PolicyPermissionItem.jsx | Pass action-filtering context into per-row conditions UI; prune stale action conditions; adjust select menu behavior. |
| security-admin/src/main/webapp/react-webapp/src/views/PolicyListing/PolicyConditionsComp.jsx | Exclude per-row-only conditions from the policy-level modal; safer uiHint parsing/cleaning. |
| security-admin/src/main/webapp/react-webapp/src/views/PolicyListing/AddUpdatePolicyForm.jsx | Hide per-row-only conditions when displaying policy-level conditions summary. |
| security-admin/src/main/webapp/react-webapp/src/views/GovernedData/Datashare/DatashareDetailLayout.jsx | Hide per-row-only conditions in governed datashare condition display. |
| security-admin/src/main/webapp/react-webapp/src/views/GovernedData/Dataset/AccessGrantForm.jsx | Hide per-row-only conditions in governed dataset condition display. |
| security-admin/src/main/webapp/react-webapp/src/utils/policyConditionUtils.js | New shared utilities for condition parsing/cleaning, leaf-resource detection, and action option filtering. |
| security-admin/src/main/webapp/react-webapp/src/utils/actionRequirements/registry.js | New registry for bundling action-to-permission requirement maps referenced by uiHint. |
| security-admin/src/main/webapp/react-webapp/src/utils/actionRequirements/ozone.json | New Ozone action-to-permission requirement mapping used to filter UI action choices. |
| security-admin/src/main/webapp/react-webapp/src/styles/style.css | Allow action chips/badges to wrap within the policy permission table. |
| security-admin/src/main/webapp/react-webapp/src/hooks/usePruneStaleConditions.js | New hook to keep per-row action-matches selections valid as permissions/resources change. |
| security-admin/src/main/webapp/react-webapp/src/components/Editable.jsx | Refactor per-row conditions popover rendering; add action filtering + safer uiHint parsing + wrapping select styles. |
| security-admin/src/main/webapp/react-webapp/src/components/CommonComponents.jsx | Add wrapping react-select styles for multi-value chips. |
| security-admin/src/main/java/org/apache/ranger/patch/PatchForOzoneServiceDefPolicyConditionUpdate_J10065.java | New patch to update Ozone service-def policy conditions in DB. |
| pom.xml | Bump Ozone version; add an Ozone staging repository. |
| plugin-ozone/src/test/resources/om_dev_ozone.json | Add test policy fixture entries used by new authorizer tests. |
| plugin-ozone/src/test/java/org/apache/ranger/authorization/ozone/authorizer/TestRangerOzoneAuthorizer.java | Add tests verifying S3 actions propagate into inline grants and affect access checks. |
| plugin-ozone/src/main/java/org/apache/ranger/authorization/ozone/authorizer/RangerOzoneAuthorizer.java | Pass RequestContext S3 action into Ranger request; propagate grant actions into inline policy grants. |
| dev-support/checkstyle-suppressions.xml | Suppress TypeName for the new patch class. |
| agents-common/src/test/resources/policyevaluator/test_inline_policies_ozone.json | Add inline-policy evaluation test cases for action restrictions/wildcards. |
| agents-common/src/test/java/org/apache/ranger/plugin/util/RangerActionListMatcherTest.java | New unit tests for action list wildcard/prefix/exact behavior and bypass semantics. |
| agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerActionMatcherTest.java | New tests for policy-condition evaluator behavior with actions/wildcards/bypass. |
| agents-common/src/main/resources/service-defs/ranger-servicedef-ozone.json | Add action-matches policy condition def with options + requirements file reference. |
| agents-common/src/main/java/org/apache/ranger/plugin/util/RangerActionListMatcher.java | New utility to match request actions against exact/prefix/wildcard patterns with bypass on blank request action. |
| agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerInlinePolicyEvaluator.java | Enforce optional action restrictions on inline policy grants. |
| agents-common/src/main/java/org/apache/ranger/plugin/model/RangerInlinePolicy.java | Extend inline grant model to carry optional actions. |
| agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerActionMatcher.java | New policy condition evaluator for action-matches. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+63
to
+66
| useEffect(() => { | ||
| if (!formValues[attrName] || !isArray(formValues[attrName])) { | ||
| return; | ||
| } |
Comment on lines
+895
to
+899
| <repository> | ||
| <id>apache-ozone-staging</id> | ||
| <name>Apache Ozone 2.1.1 RC0 Staging</name> | ||
| <url>https://repository.apache.org/content/repositories/orgapacheozone-1062/</url> | ||
| </repository> |
| isMulti: true, | ||
| // Portal menus to body (see Editable CONDITION_POPOVER_SELECT_PROPS) | ||
| // so a long Action list with ALL permission does not jump the page. | ||
| menuPortalTarget: document.body, |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changes were proposed in this pull request?
For upcoming Ozone STS feature, we need the ability to identify what actions are allowed for an STS token (ex GetObject, GetObjectTagging, PutObject, etc), in addition to the less granular existing permission system (read, write, create, etc). This ticket updates the Ranger policy evaluation to keep the existing permission evaluation for legacy reasons, and add optional action evaluation via policy condition in the UI. If the resource policy has an action and an action is supplied in the RequestContext, they must match (in addition to the permissions). If no action is identified in the resource policy, then all actions are allowed and only the permissions are required.
Also there are several UI updates:
CommonComponents.jsx) and a loop (Editable.jsx).The UI updates are implemented in a way such that the hdfs service definition can later make use of the filtering actions by permissions behavior.
The majority of this code was generated with Cursor and Claude Code, with some manual modifications afterward by me. I have broken into reviewable commits - please let me know if this needs to be more than one PR.
https://issues.apache.org/jira/browse/RANGER-5628
How was this patch tested?
manual testing locally in Ranger docker, also end-to-end smoke tests locally with Ozone and Ranger