RANGER-5628: Gate Ozone action-matches policy behind feature flags#1072
Open
ramackri wants to merge 12 commits into
Open
RANGER-5628: Gate Ozone action-matches policy behind feature flags#1072ramackri wants to merge 12 commits into
ramackri wants to merge 12 commits into
Conversation
ramackri
force-pushed
the
RANGER-ozone-action-policy-feature-flag
branch
from
July 14, 2026 16:54
75df8fd to
b0f263e
Compare
Contributor
|
hi @ramackri - thanks for this. Per discussion internally, it seems a lot of knobs for the user to configure. Please give me a couple hours to see if I can improve this. Thanks. (Also, thanks for the fix I identified for |
vperiasamy
requested review from
dineshkumar-yadav,
fimugdha and
pradeepagrawal8184
July 14, 2026 17:54
Contributor
|
hi all - it appears it is possible to do this with one flag - please see this PR #1073. Can you please check it out to see if it looks good? It looks good from my local testing. |
ramackri
force-pushed
the
RANGER-ozone-action-policy-feature-flag
branch
4 times, most recently
from
July 15, 2026 07:18
5630553 to
9be9a47
Compare
added 6 commits
July 16, 2026 08:50
## Summary This PR gates Ozone `action-matches` policy support behind feature flags (default **off**), as requested for the 2.9 release (RANGER-5628). When disabled, the Admin UI does not expose the Action condition, the Ozone authorizer does not evaluate S3 actions for policy, and DB patch `J10065` skips the ozone service-def update on first run. When enabled, all three layers activate together. **Audit note:** When the plugin flag is **off**, the authorizer still sets `request.action` to the coarse access type (`read`/`write`) so Solr audit `access` is populated (pre-5628 behavior). S3 action is used only when the flag is **on**. **Related:** Builds on Ozone action-matches work (#1054 / `PatchForOzoneServiceDefPolicyConditionUpdate_J10065`). ## Feature flags (default `false`) | Layer | Property | Configuration file | |-------|----------|-------------------| | Ranger Admin + DB patch | `ranger.ozone.action.policy.enabled` | `ranger-admin-default-site.xml` / `ranger-admin-site.xml` | | Ozone authorizer plugin | `ranger.plugin.ozone.action.policy.enabled` | `ranger-ozone-security.xml` | | Admin UI (via profile API) | `ozoneActionPolicyEnabled` | `GET /service/users/profile` → `configProperties` | ## File changes and rationale | File | Why | |------|-----| | `ranger-admin-default-site.xml` | Default admin flag `false` for new installs | | `UserREST.java` | Expose `ozoneActionPolicyEnabled` in user profile for React UI gating | | `PatchForOzoneServiceDefPolicyConditionUpdate_J10065.java` | Skip ozone service-def update when admin flag is `false` on first patch run | | `policyConditionUtils.js` | Gate `action-matches` in UI via profile flag | | `PolicyPermissionItem.jsx` | Apply feature-flag filter to per-row Policy Conditions column | | `ranger-ozone-security.xml` | Default plugin flag `false` | | `RangerOzoneAuthorizer.java` | Flag on: S3 action for policy + audit; flag off: coarse access type for audit only | | `TestRangerOzoneAuthorizer.java` | Unit tests for flag on/off authorizer behavior | ## Audit behavior (Solr) | Solr field | Source | Flag OFF | Flag ON | |------------|--------|----------|---------| | `action` | `request.accessType` | `read` / `write` | `read` / `write` | | `access` | `request.action` | `read` / `write` (coarse) | S3 action (`GetObject`, etc.) | Without the audit fix, flag OFF left `access` empty (`null`). This change restores pre-5628 audit semantics when the flag is off. ## DB patch behavior (`J10065`) | DB state | Flag at first patch run | Patch runs? | Service-def updated? | |----------|-------------------------|-------------|----------------------| | No `J10065` row | OFF | Yes, once | No | | No `J10065` row | ON | Yes, once | Yes | | `J10065` active=Y | OFF or ON | No | Only if updated in a prior run | ## Test plan - Profile API: `ozoneActionPolicyEnabled` true/false - UI: Action in per-row Policy Conditions popover (not service edit / top-level modal) - Plugin: flag off/on authorization behavior - Solr audit: `access` coarse when off, S3 action when on - Unit tests: `TestRangerOzoneAuthorizer` PASS
Move enableOzoneActionPolicy handling out of RangerInlinePolicyEvaluator into RangerOzoneAuthorizer, including legacy session-policy sanitization and a unit test for flag-off behavior with embedded grant actions.
Checks service-def API for enableOzoneActionPolicy and optional ozone CLI smoke.
ramackri
force-pushed
the
RANGER-ozone-action-policy-feature-flag
branch
from
July 16, 2026 03:33
9be9a47 to
451d297
Compare
The ozone action-policy feature flag is covered by unit tests; keep ranger-docker changes out of this backport.
ramackri
force-pushed
the
RANGER-ozone-action-policy-feature-flag
branch
2 times, most recently
from
July 16, 2026 06:00
de121da to
877623c
Compare
Rename enableOzoneActionPolicy to enableActionMatcherInPoliciesCondition and admin config to ranger.servicedef.ozone.enableActionMatcherInPoliciesCondition. Non-ozone service defs always get false; ozone reads site config. Addresses PR review from fimugdha.
ramackri
force-pushed
the
RANGER-ozone-action-policy-feature-flag
branch
from
July 16, 2026 18:35
d89b2f2 to
f2aacf8
Compare
added 4 commits
July 17, 2026 08:05
On upgrade, sync enableActionMatcherInPoliciesCondition from admin config into ozone def_options, remove legacy enableOzoneActionPolicy, and strip both keys from non-ozone service defs so stale DB options cannot override site.xml.
The action-matcher option is ozone-scoped and unreleased; upgrade only needs to sync ozone def_options and remove the interim enableOzoneActionPolicy key there.
The unreleased interim option is not present in stock 2.9/3.0 DBs; J10065 only needs to persist enableActionMatcherInPoliciesCondition on ozone def_options.
Stale def_options from an earlier J10065 run could override ranger.servicedef.ozone.enableActionMatcherInPoliciesCondition, hiding action-matches in Admin UI and ozone authorizer even when the flag was set true. Admin config is now authoritative when serving the ozone service-def, and action-matches is restored from the embedded def when enabled but missing from DB.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Aligns Ozone
action-matchesgating (RANGER-5628) with the single-property design from master PR #1073 (RANGER-5687), adapted forranger-2.9.One property controls everything (default off):
ranger.servicedef.ozone.enableActionMatcherInPoliciesConditionranger-admin-site.xml/ranger-admin-default-site.xmlPropagates via service-def option
enableActionMatcherInPoliciesConditionto:RangerServiceDefService.applyActionMatcherInPoliciesConditionHiddenOption()filters or restoresaction-matcheswhen serving the ozone service-def APIRangerOzoneAuthorizer.isOzoneActionPolicyEnabled()reads the option from the downloaded service-defplugin-ozone; genericRangerInlinePolicyEvaluatoralways evaluates actions if present on a grantenableActionMatcherInPoliciesConditionindef_options; excludesaction-matcheswhen flag is off at patch timeRuntime fix (commit
4107076af)After J10065 persists
enableActionMatcherInPoliciesCondition=falsein DBdef_options, admin site config is authoritative at runtime (same fix as #1073c345373fe):trueinranger-admin-site.xmland restarting Admin takes effect even when DB still hasfalseaction-matchesis restored from the embedded ozone service-def when enabled but missing from DB (e.g. J10065 removed it earlier)def_optionsSQL or re-running J10065 is required for Admin UI / API behaviorAudit: When flag is off, authorizer sets
request.actionto coarse access type (read/write) so Solraccessis populated (pre-5628 behavior). S3 action is used only when flag is on.Related: Builds on Ozone action-matches work (#1054 /
PatchForOzoneServiceDefPolicyConditionUpdate_J10065).Ozone action-policy gating (
isOzoneActionPolicyEnabled)isOzoneActionPolicyEnabled(plugin)is a private helper inRangerOzoneAuthorizerthat answers: should this OM enforce fine-grained S3 actions (e.g.GetObject,PutObject) or only coarse Ozone permissions (read,write,list)?It reads
enableActionMatcherInPoliciesConditionfromplugin.getServiceDef().getOptions()(populated by Admin from site config). Default isfalse.All gating stays in
plugin-ozone— not inagents-common.Customer enablement
Upgrade 2.8.0 → 2.9.0
Ranger 2.8.0 does not have this feature flag. On upgrade to 2.9.0, patch J10065 runs once during DB upgrade. Behavior depends on
ranger.servicedef.ozone.enableActionMatcherInPoliciesConditionat first 2.9 Admin startup.Path A — Flag OFF (default)
false).enableActionMatcherInPoliciesCondition=falsetodef_optionsand removesaction-matchesfrom the stored ozone service-def.Path B — Flag ON at upgrade
trueinranger-admin-site.xml.action-matchesand persists optiontrue.Enable later (upgraded 2.9 with flag OFF → turn feature ON)
With commit
4107076af:ranger-admin-site.xml:enableActionMatcherInPoliciesCondition: trueandaction-matchesinpolicyConditions.No manual
def_optionsupdate is required for Admin UI / API / plugin service-def download. DBdef_optionsmay still showfalseuntil something persists an update — runtime serving uses admin config.Upgrade 2.9 → 3.0 (same J10065 patch id)
If 2.9 ran J10065 with flag OFF:
x_db_version_hmarks J10065 appliedenableActionMatcherInPoliciesCondition=falseaction-matchesremoved from stored service-defOn 3.0 upgrade with flag ON in
ranger-admin-site.xml:Quick reference
truebefore first 2.9 Admin starttrue+ restart Admin (runtime fix)trueon 3.0 + restart Admin (runtime fix on both branches)Test plan
Unit tests
mvn test -pl security-admin -am -Dtest=TestRangerServiceDefService -Dsurefire.failIfNoSpecifiedTests=falsetestOzoneActionPolicyConfigTrueOverridesStoredFalseOption— config=true, DB option=false → served truetestOzoneActionPolicyConfigTrueRestoresMissingActionMatchesCondition— config=true, condition stripped → restoredmvn test -pl plugin-ozone -Dtest=TestRangerOzoneAuthorizermvn verify -pl agents-common,plugin-ozone(Checkstyle, PMD, SpotBugs, RAT)Manual — flag OFF / ON
J10065 patch
action-matchesremoved when no policies reference itaction-matchespresent