Skip to content

RANGER-5628: Gate Ozone action-matches policy behind feature flags#1072

Open
ramackri wants to merge 12 commits into
ranger-2.9from
RANGER-ozone-action-policy-feature-flag
Open

RANGER-5628: Gate Ozone action-matches policy behind feature flags#1072
ramackri wants to merge 12 commits into
ranger-2.9from
RANGER-ozone-action-policy-feature-flag

Conversation

@ramackri

@ramackri ramackri commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

Aligns Ozone action-matches gating (RANGER-5628) with the single-property design from master PR #1073 (RANGER-5687), adapted for ranger-2.9.

One property controls everything (default off):

Property File
ranger.servicedef.ozone.enableActionMatcherInPoliciesCondition ranger-admin-site.xml / ranger-admin-default-site.xml

Propagates via service-def option enableActionMatcherInPoliciesCondition to:

  • Admin UIRangerServiceDefService.applyActionMatcherInPoliciesConditionHiddenOption() filters or restores action-matches when serving the ozone service-def API
  • Ozone pluginRangerOzoneAuthorizer.isOzoneActionPolicyEnabled() reads the option from the downloaded service-def
  • STS / inline — action gating is confined to plugin-ozone; generic RangerInlinePolicyEvaluator always evaluates actions if present on a grant
  • DB patch J10065 — applies embedded policy conditions and persists enableActionMatcherInPoliciesCondition in def_options; excludes action-matches when flag is off at patch time

Runtime fix (commit 4107076af)

After J10065 persists enableActionMatcherInPoliciesCondition=false in DB def_options, admin site config is authoritative at runtime (same fix as #1073 c345373fe):

  • Setting the property to true in ranger-admin-site.xml and restarting Admin takes effect even when DB still has false
  • action-matches is restored from the embedded ozone service-def when enabled but missing from DB (e.g. J10065 removed it earlier)
  • No manual def_options SQL or re-running J10065 is required for Admin UI / API behavior

Audit: When flag is off, authorizer sets request.action to coarse access type (read/write) so Solr access is populated (pre-5628 behavior). S3 action is used only when flag is on.

Related: Builds on Ozone action-matches work (#1054 / PatchForOzoneServiceDefPolicyConditionUpdate_J10065).

Ozone action-policy gating (isOzoneActionPolicyEnabled)

isOzoneActionPolicyEnabled(plugin) is a private helper in RangerOzoneAuthorizer that answers: should this OM enforce fine-grained S3 actions (e.g. GetObject, PutObject) or only coarse Ozone permissions (read, write, list)?

It reads enableActionMatcherInPoliciesCondition from plugin.getServiceDef().getOptions() (populated by Admin from site config). Default is false.

All gating stays in plugin-ozone — not in agents-common.

Customer enablement

Upgrade 2.8.0 → 2.9.0

Ranger 2.8.0 does not have this feature flag. On upgrade to 2.9.0, patch J10065 runs once during DB upgrade. Behavior depends on ranger.servicedef.ozone.enableActionMatcherInPoliciesCondition at first 2.9 Admin startup.

Path A — Flag OFF (default)

  1. Upgrade 2.8 → 2.9 (leave flag unset / false).
  2. J10065 writes enableActionMatcherInPoliciesCondition=false to def_options and removes action-matches from the stored ozone service-def.
  3. Restart Admin and Ozone OM.

Path B — Flag ON at upgrade

  1. Before first 2.9 Admin start, set property to true in ranger-admin-site.xml.
  2. Upgrade and run DB scripts — J10065 keeps action-matches and persists option true.
  3. Restart Admin and Ozone OM.

Enable later (upgraded 2.9 with flag OFF → turn feature ON)

With commit 4107076af:

  1. Set in ranger-admin-site.xml:
    <property>
      <name>ranger.servicedef.ozone.enableActionMatcherInPoliciesCondition</name>
      <value>true</value>
    </property>
  2. Restart Ranger Admin, then Ozone OM.
  3. Verify ozone service-def API shows enableActionMatcherInPoliciesCondition: true and action-matches in policyConditions.

No manual def_options update is required for Admin UI / API / plugin service-def download. DB def_options may still show false until something persists an update — runtime serving uses admin config.

Upgrade 2.9 → 3.0 (same J10065 patch id)

If 2.9 ran J10065 with flag OFF:

  • x_db_version_h marks J10065 applied
  • DB has enableActionMatcherInPoliciesCondition=false
  • action-matches removed from stored service-def

On 3.0 upgrade with flag ON in ranger-admin-site.xml:

  • J10065 is skipped (already applied)
  • With runtime fix (#1073 / this PR), admin config wins after restart — same as the 2.9 late-enable path above

Quick reference

Scenario What to do
2.8 → 2.9, no action policies needed Path A — default flag OFF
2.8 → 2.9, need action policies immediately Path B — flag true before first 2.9 Admin start
Already on 2.9 flag OFF, enable later Set site XML true + restart Admin (runtime fix)
2.9 → 3.0, J10065 already ran OFF Set site XML true on 3.0 + restart Admin (runtime fix on both branches)
J10065 ran OFF, need DB row re-insert only Do not re-run J10065 (error 2007); optional ops SQL if policies reference deleted condition def

Test plan

Unit tests

  • mvn test -pl security-admin -am -Dtest=TestRangerServiceDefService -Dsurefire.failIfNoSpecifiedTests=false
  • testOzoneActionPolicyConfigTrueOverridesStoredFalseOption — config=true, DB option=false → served true
  • testOzoneActionPolicyConfigTrueRestoresMissingActionMatchesCondition — config=true, condition stripped → restored
  • mvn test -pl plugin-ozone -Dtest=TestRangerOzoneAuthorizer
  • mvn verify -pl agents-common,plugin-ozone (Checkstyle, PMD, SpotBugs, RAT)

Manual — flag OFF / ON

  • Ozone service-def API reflects flag; authorization works; legacy policies do not hang UI
  • Flag ON: Action condition in UI; policy save/download; plugin eval

J10065 patch

  • Flag OFF → action-matches removed when no policies reference it
  • Flag OFF with referencing policies → patch blocked
  • Flag ON at fresh install → action-matches present

@ramackri
ramackri force-pushed the RANGER-ozone-action-policy-feature-flag branch from 75df8fd to b0f263e Compare July 14, 2026 16:54
@fmorg-git

Copy link
Copy Markdown
Contributor

hi @ramackri - thanks for this. Per discussion internally, it seems a lot of knobs for the user to configure. Please give me a couple hours to see if I can improve this. Thanks. (Also, thanks for the fix I identified for accessType)

@fmorg-git

Copy link
Copy Markdown
Contributor

hi all - it appears it is possible to do this with one flag - please see this PR #1073. Can you please check it out to see if it looks good? It looks good from my local testing.

@ramackri
ramackri force-pushed the RANGER-ozone-action-policy-feature-flag branch 4 times, most recently from 5630553 to 9be9a47 Compare July 15, 2026 07:18
ramk added 6 commits July 16, 2026 08:50
## Summary

This PR gates Ozone `action-matches` policy support behind feature flags (default **off**), as requested for the 2.9 release (RANGER-5628). When disabled, the Admin UI does not expose the Action condition, the Ozone authorizer does not evaluate S3 actions for policy, and DB patch `J10065` skips the ozone service-def update on first run. When enabled, all three layers activate together.

**Audit note:** When the plugin flag is **off**, the authorizer still sets `request.action` to the coarse access type (`read`/`write`) so Solr audit `access` is populated (pre-5628 behavior). S3 action is used only when the flag is **on**.

**Related:** Builds on Ozone action-matches work (#1054 / `PatchForOzoneServiceDefPolicyConditionUpdate_J10065`).

## Feature flags (default `false`)

| Layer | Property | Configuration file |
|-------|----------|-------------------|
| Ranger Admin + DB patch | `ranger.ozone.action.policy.enabled` | `ranger-admin-default-site.xml` / `ranger-admin-site.xml` |
| Ozone authorizer plugin | `ranger.plugin.ozone.action.policy.enabled` | `ranger-ozone-security.xml` |
| Admin UI (via profile API) | `ozoneActionPolicyEnabled` | `GET /service/users/profile` → `configProperties` |

## File changes and rationale

| File | Why |
|------|-----|
| `ranger-admin-default-site.xml` | Default admin flag `false` for new installs |
| `UserREST.java` | Expose `ozoneActionPolicyEnabled` in user profile for React UI gating |
| `PatchForOzoneServiceDefPolicyConditionUpdate_J10065.java` | Skip ozone service-def update when admin flag is `false` on first patch run |
| `policyConditionUtils.js` | Gate `action-matches` in UI via profile flag |
| `PolicyPermissionItem.jsx` | Apply feature-flag filter to per-row Policy Conditions column |
| `ranger-ozone-security.xml` | Default plugin flag `false` |
| `RangerOzoneAuthorizer.java` | Flag on: S3 action for policy + audit; flag off: coarse access type for audit only |
| `TestRangerOzoneAuthorizer.java` | Unit tests for flag on/off authorizer behavior |

## Audit behavior (Solr)

| Solr field | Source | Flag OFF | Flag ON |
|------------|--------|----------|---------|
| `action` | `request.accessType` | `read` / `write` | `read` / `write` |
| `access` | `request.action` | `read` / `write` (coarse) | S3 action (`GetObject`, etc.) |

Without the audit fix, flag OFF left `access` empty (`null`). This change restores pre-5628 audit semantics when the flag is off.

## DB patch behavior (`J10065`)

| DB state | Flag at first patch run | Patch runs? | Service-def updated? |
|----------|-------------------------|-------------|----------------------|
| No `J10065` row | OFF | Yes, once | No |
| No `J10065` row | ON | Yes, once | Yes |
| `J10065` active=Y | OFF or ON | No | Only if updated in a prior run |

## Test plan

- Profile API: `ozoneActionPolicyEnabled` true/false
- UI: Action in per-row Policy Conditions popover (not service edit / top-level modal)
- Plugin: flag off/on authorization behavior
- Solr audit: `access` coarse when off, S3 action when on
- Unit tests: `TestRangerOzoneAuthorizer` PASS
Use ranger.servicedef.enableOzoneActionPolicy as the sole feature flag,
propagated via service-def option to Admin UI, plugin, inline/STS paths,
and J10065 patch filtering. Matches master PR #1073 approach for ranger-2.9.
Move enableOzoneActionPolicy handling out of RangerInlinePolicyEvaluator
into RangerOzoneAuthorizer, including legacy session-policy sanitization
and a unit test for flag-off behavior with embedded grant actions.
…ges.

Rebase onto ranger-2.9 and use ServiceDefUtil.getBooleanValue in plugin-ozone and security-admin per PR #1073 review (615d632).
Checks service-def API for enableOzoneActionPolicy and optional ozone CLI smoke.
@ramackri
ramackri force-pushed the RANGER-ozone-action-policy-feature-flag branch from 9be9a47 to 451d297 Compare July 16, 2026 03:33
The ozone action-policy feature flag is covered by unit tests; keep
ranger-docker changes out of this backport.
@ramackri
ramackri force-pushed the RANGER-ozone-action-policy-feature-flag branch 2 times, most recently from de121da to 877623c Compare July 16, 2026 06:00
Rename enableOzoneActionPolicy to enableActionMatcherInPoliciesCondition and
admin config to ranger.servicedef.ozone.enableActionMatcherInPoliciesCondition.
Non-ozone service defs always get false; ozone reads site config.
Addresses PR review from fimugdha.
@ramackri
ramackri force-pushed the RANGER-ozone-action-policy-feature-flag branch from d89b2f2 to f2aacf8 Compare July 16, 2026 18:35
ramk added 4 commits July 17, 2026 08:05
On upgrade, sync enableActionMatcherInPoliciesCondition from admin config into ozone def_options, remove legacy enableOzoneActionPolicy, and strip both keys from non-ozone service defs so stale DB options cannot override site.xml.
The action-matcher option is ozone-scoped and unreleased; upgrade only needs to sync ozone def_options and remove the interim enableOzoneActionPolicy key there.
The unreleased interim option is not present in stock 2.9/3.0 DBs; J10065 only needs to persist enableActionMatcherInPoliciesCondition on ozone def_options.
Stale def_options from an earlier J10065 run could override
ranger.servicedef.ozone.enableActionMatcherInPoliciesCondition,
hiding action-matches in Admin UI and ozone authorizer even when the flag was set true.

Admin config is now authoritative when serving the ozone service-def, and action-matches
is restored from the embedded def when enabled but missing from DB.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants