RANGER-5362:Restrict security zone visibility to its owner.

security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql

@@ -13,6 +13,7 @@
 -- See the License for the specific language governing permissions and
 -- limitations under the License.
 
+DROP VIEW IF EXISTS `vx_security_zone_user`;
 DROP VIEW IF EXISTS `vx_principal`;
 DROP TABLE IF EXISTS `x_rms_mapping_provider`;
 DROP TABLE IF EXISTS `x_rms_resource_mapping`;
@@ -1614,6 +1615,33 @@ CREATE INDEX x_policy_label_label_map_id ON x_policy_label_map(id);
 
 CREATE VIEW vx_principal as (SELECT u.user_name AS principal_name, 0 AS principal_type, u.status status, u.is_visible is_visible, u.other_attributes other_attributes, u.create_time create_time, u.update_time update_time, u.added_by_id added_by_id, u.upd_by_id upd_by_id FROM x_user u) UNION (SELECT g.group_name principal_name, 1 AS principal_type, g.status status, g.is_visible is_visible, g.other_attributes other_attributes, g.create_time create_time, g.update_time update_time, g.added_by_id added_by_id, g.upd_by_id upd_by_id FROM x_group g) UNION (SELECT r.name principal_name, 2 AS principal_name, 1 status, 1 is_visible, null other_attributes, r.create_time create_time, r.update_time update_time, r.added_by_id added_by_id, r.upd_by_id upd_by_id FROM x_role r);
 
+DROP VIEW IF EXISTS `vx_security_zone_user`;
+CREATE VIEW vx_security_zone_user AS
+SELECT DISTINCT sz.id AS zone_id, sz.name AS zone_name, refu.user_id AS user_id, 0 AS access_type
+FROM x_security_zone sz INNER JOIN x_security_zone_ref_user refu ON sz.id = refu.zone_id
+WHERE refu.user_id IS NOT NULL
+UNION
+SELECT DISTINCT sz.id AS zone_id, sz.name AS zone_name, gu.user_id AS user_id, 1 AS access_type
+FROM x_security_zone sz INNER JOIN x_security_zone_ref_group refg ON sz.id = refg.zone_id
+INNER JOIN x_group_users gu ON refg.group_id = gu.p_group_id
+WHERE gu.user_id IS NOT NULL
+UNION
+SELECT DISTINCT sz.id AS zone_id, sz.name AS zone_name, rru.user_id AS user_id, 2 AS access_type
+FROM x_security_zone sz INNER JOIN x_security_zone_ref_role refr ON sz.id = refr.zone_id
+INNER JOIN x_role_ref_user rru ON refr.role_id = rru.role_id
+WHERE rru.user_id IS NOT NULL
+UNION
+SELECT DISTINCT sz.id AS zone_id, sz.name AS zone_name, gu.user_id AS user_id, 3 AS access_type
+FROM x_security_zone sz INNER JOIN x_security_zone_ref_role refr ON sz.id = refr.zone_id
+INNER JOIN x_role_ref_group rrg ON refr.role_id = rrg.role_id
+INNER JOIN x_group_users gu ON rrg.group_id = gu.p_group_id
+WHERE gu.user_id IS NOT NULL
+UNION
+SELECT DISTINCT sz.id AS zone_id, sz.name AS zone_name, u.id AS user_id, 4 AS access_type
+FROM x_security_zone sz INNER JOIN x_security_zone_ref_group refg ON sz.id = refg.zone_id
+CROSS JOIN x_user u
+WHERE refg.group_name = 'public';
+
 DELIMITER $$
 DROP PROCEDURE if exists getXportalUIdByLoginId$$
 CREATE PROCEDURE `getXportalUIdByLoginId`(IN input_val VARCHAR(100), OUT myid BIGINT)

security-admin/db/mysql/patches/077-create-view-security-zone-user.sql

@@ -0,0 +1,41 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+DROP VIEW IF EXISTS `vx_security_zone_user`;
+CREATE VIEW vx_security_zone_user AS
+SELECT DISTINCT sz.id AS zone_id, sz.name AS zone_name, refu.user_id AS user_id, 0 AS access_type
+FROM x_security_zone sz INNER JOIN x_security_zone_ref_user refu ON sz.id = refu.zone_id
+WHERE refu.user_id IS NOT NULL
+UNION
+SELECT DISTINCT sz.id AS zone_id, sz.name AS zone_name, gu.user_id AS user_id, 1 AS access_type
+FROM x_security_zone sz INNER JOIN x_security_zone_ref_group refg ON sz.id = refg.zone_id
+INNER JOIN x_group_users gu ON refg.group_id = gu.p_group_id
+WHERE gu.user_id IS NOT NULL
+UNION
+SELECT DISTINCT sz.id AS zone_id, sz.name AS zone_name, rru.user_id AS user_id, 2 AS access_type
+FROM x_security_zone sz INNER JOIN x_security_zone_ref_role refr ON sz.id = refr.zone_id
+INNER JOIN x_role_ref_user rru ON refr.role_id = rru.role_id
+WHERE rru.user_id IS NOT NULL
+UNION
+SELECT DISTINCT sz.id AS zone_id, sz.name AS zone_name, gu.user_id AS user_id, 3 AS access_type
+FROM x_security_zone sz INNER JOIN x_security_zone_ref_role refr ON sz.id = refr.zone_id
+INNER JOIN x_role_ref_group rrg ON refr.role_id = rrg.role_id
+INNER JOIN x_group_users gu ON rrg.group_id = gu.p_group_id
+WHERE gu.user_id IS NOT NULL
+UNION
+SELECT DISTINCT sz.id AS zone_id, sz.name AS zone_name, u.id AS user_id, 4 AS access_type
+FROM x_security_zone sz INNER JOIN x_security_zone_ref_group refg ON sz.id = refg.zone_id
+CROSS JOIN x_user u
+WHERE refg.group_name = 'public';

security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql

@@ -2145,6 +2145,29 @@ CREATE VIEW vx_principal as
         (SELECT g.group_name AS principal_name, 1 AS principal_type, g.status AS status, g.is_visible AS is_visible, g.other_attributes AS other_attributes, g.create_time AS create_time, g.update_time AS update_time, g.added_by_id AS added_by_id, g.upd_by_id AS upd_by_id FROM x_group g) UNION ALL
         (SELECT r.name       AS principal_name, 2 AS principal_type, 1        AS status, 1            AS is_visible, null               AS other_attributes, r.create_time AS create_time, r.update_time AS update_time, r.added_by_id AS added_by_id, r.upd_by_id AS upd_by_id FROM x_role r);
 
+DROP VIEW vx_security_zone_user;
+CREATE OR REPLACE VIEW vx_security_zone_user AS
+        (SELECT sz.id AS zone_id, sz.name AS zone_name, refu.user_id AS user_id, 0 AS access_type
+         FROM x_security_zone sz INNER JOIN x_security_zone_ref_user refu ON sz.id = refu.zone_id
+         WHERE refu.user_id IS NOT NULL) UNION
+        (SELECT sz.id AS zone_id, sz.name AS zone_name, gu.user_id AS user_id, 1 AS access_type
+         FROM x_security_zone sz INNER JOIN x_security_zone_ref_group refg ON sz.id = refg.zone_id
+         INNER JOIN x_group_users gu ON refg.group_id = gu.p_group_id
+         WHERE gu.user_id IS NOT NULL) UNION
+        (SELECT sz.id AS zone_id, sz.name AS zone_name, rru.user_id AS user_id, 2 AS access_type
+         FROM x_security_zone sz INNER JOIN x_security_zone_ref_role refr ON sz.id = refr.zone_id
+         INNER JOIN x_role_ref_user rru ON refr.role_id = rru.role_id
+         WHERE rru.user_id IS NOT NULL) UNION
+        (SELECT sz.id AS zone_id, sz.name AS zone_name, gu.user_id AS user_id, 3 AS access_type
+         FROM x_security_zone sz INNER JOIN x_security_zone_ref_role refr ON sz.id = refr.zone_id
+         INNER JOIN x_role_ref_group rrg ON refr.role_id = rrg.role_id
+         INNER JOIN x_group_users gu ON rrg.group_id = gu.p_group_id
+         WHERE gu.user_id IS NOT NULL) UNION
+        (SELECT sz.id AS zone_id, sz.name AS zone_name, u.id AS user_id, 4 AS access_type
+         FROM x_security_zone sz INNER JOIN x_security_zone_ref_group refg ON sz.id = refg.zone_id
+         CROSS JOIN x_user u
+         WHERE refg.group_name = 'public');
+
 commit;
 
 insert into x_portal_user (id,CREATE_TIME, UPDATE_TIME,FIRST_NAME, LAST_NAME, PUB_SCR_NAME, LOGIN_ID, PASSWORD, EMAIL, STATUS) values (X_PORTAL_USER_SEQ.NEXTVAL, sys_extract_utc(systimestamp), sys_extract_utc(systimestamp), 'Admin', '', 'Admin', 'admin', 'ceb4f32325eda6142bd65215f4c0f371', '', 1);

security-admin/db/oracle/patches/077-create-view-security-zone-user.sql

@@ -0,0 +1,37 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+CREATE OR REPLACE VIEW vx_security_zone_user AS
+        (SELECT sz.id AS zone_id, sz.name AS zone_name, refu.user_id AS user_id, 0 AS access_type
+         FROM x_security_zone sz INNER JOIN x_security_zone_ref_user refu ON sz.id = refu.zone_id
+         WHERE refu.user_id IS NOT NULL) UNION
+        (SELECT sz.id AS zone_id, sz.name AS zone_name, gu.user_id AS user_id, 1 AS access_type
+         FROM x_security_zone sz INNER JOIN x_security_zone_ref_group refg ON sz.id = refg.zone_id
+         INNER JOIN x_group_users gu ON refg.group_id = gu.p_group_id
+         WHERE gu.user_id IS NOT NULL) UNION
+        (SELECT sz.id AS zone_id, sz.name AS zone_name, rru.user_id AS user_id, 2 AS access_type
+         FROM x_security_zone sz INNER JOIN x_security_zone_ref_role refr ON sz.id = refr.zone_id
+         INNER JOIN x_role_ref_user rru ON refr.role_id = rru.role_id
+         WHERE rru.user_id IS NOT NULL) UNION
+        (SELECT sz.id AS zone_id, sz.name AS zone_name, gu.user_id AS user_id, 3 AS access_type
+         FROM x_security_zone sz INNER JOIN x_security_zone_ref_role refr ON sz.id = refr.zone_id
+         INNER JOIN x_role_ref_group rrg ON refr.role_id = rrg.role_id
+         INNER JOIN x_group_users gu ON rrg.group_id = gu.p_group_id
+         WHERE gu.user_id IS NOT NULL) UNION
+        (SELECT sz.id AS zone_id, sz.name AS zone_name, u.id AS user_id, 4 AS access_type
+         FROM x_security_zone sz INNER JOIN x_security_zone_ref_group refg ON sz.id = refg.zone_id
+         CROSS JOIN x_user u
+         WHERE refg.group_name = 'public');
+exit;

security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql

@@ -2260,3 +2260,64 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active
 
 DROP VIEW IF EXISTS vx_principal;
 CREATE VIEW vx_principal as (SELECT u.user_name AS principal_name, 0 AS principal_type, u.status status, u.is_visible is_visible, u.other_attributes other_attributes, u.create_time create_time, u.update_time update_time, u.added_by_id added_by_id, u.upd_by_id upd_by_id FROM x_user u) UNION (SELECT g.group_name principal_name, 1 AS principal_type, g.status status, g.is_visible is_visible, g.other_attributes other_attributes, g.create_time create_time, g.update_time update_time, g.added_by_id added_by_id, g.upd_by_id upd_by_id FROM x_group g) UNION (SELECT r.name principal_name, 2 AS principal_name, 1 status, 1 is_visible, null other_attributes, r.create_time create_time, r.update_time update_time, r.added_by_id added_by_id, r.upd_by_id upd_by_id FROM x_role r);
+
+CREATE VIEW vx_security_zone_user AS
+(
+    SELECT DISTINCT
+        sz.id AS zone_id,
+        sz.name AS zone_name,
+        refu.user_id AS user_id,
+        0 AS access_type
+    FROM x_security_zone sz
+    INNER JOIN x_security_zone_ref_user refu ON sz.id = refu.zone_id
+    WHERE refu.user_id IS NOT NULL
+)
+UNION
+(
+    SELECT DISTINCT
+        sz.id AS zone_id,
+        sz.name AS zone_name,
+        gu.user_id AS user_id,
+        1 AS access_type
+    FROM x_security_zone sz
+    INNER JOIN x_security_zone_ref_group refg ON sz.id = refg.zone_id
+    INNER JOIN x_group_users gu ON refg.group_id = gu.p_group_id
+    WHERE gu.user_id IS NOT NULL
+)
+UNION
+(
+    SELECT DISTINCT
+        sz.id AS zone_id,
+        sz.name AS zone_name,
+        rru.user_id AS user_id,
+        2 AS access_type
+    FROM x_security_zone sz
+    INNER JOIN x_security_zone_ref_role refr ON sz.id = refr.zone_id
+    INNER JOIN x_role_ref_user rru ON refr.role_id = rru.role_id
+    WHERE rru.user_id IS NOT NULL
+)
+UNION
+(
+    SELECT DISTINCT
+        sz.id AS zone_id,
+        sz.name AS zone_name,
+        gu.user_id AS user_id,
+        3 AS access_type
+    FROM x_security_zone sz
+    INNER JOIN x_security_zone_ref_role refr ON sz.id = refr.zone_id
+    INNER JOIN x_role_ref_group rrg ON refr.role_id = rrg.role_id
+    INNER JOIN x_group_users gu ON rrg.group_id = gu.p_group_id
+    WHERE gu.user_id IS NOT NULL
+)
+UNION
+(
+    SELECT DISTINCT
+        sz.id AS zone_id,
+        sz.name AS zone_name,
+        u.id AS user_id,
+        4 AS access_type
+    FROM x_security_zone sz
+    INNER JOIN x_security_zone_ref_group refg ON sz.id = refg.zone_id
+    CROSS JOIN x_user u
+    WHERE refg.group_name = 'public'
+);

security-admin/db/postgres/patches/077-create-view-security-zone-user.sql

@@ -0,0 +1,76 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+DROP VIEW IF EXISTS vx_security_zone_user;
+CREATE VIEW vx_security_zone_user AS
+(
+    SELECT DISTINCT
+        sz.id AS zone_id,
+        sz.name AS zone_name,
+        refu.user_id AS user_id,
+        0 AS access_type
+    FROM x_security_zone sz
+    INNER JOIN x_security_zone_ref_user refu ON sz.id = refu.zone_id
+    WHERE refu.user_id IS NOT NULL
+)
+UNION
+(
+    SELECT DISTINCT
+        sz.id AS zone_id,
+        sz.name AS zone_name,
+        gu.user_id AS user_id,
+        1 AS access_type
+    FROM x_security_zone sz
+    INNER JOIN x_security_zone_ref_group refg ON sz.id = refg.zone_id
+    INNER JOIN x_group_users gu ON refg.group_id = gu.p_group_id
+    WHERE gu.user_id IS NOT NULL
+)
+UNION
+(
+    SELECT DISTINCT
+        sz.id AS zone_id,
+        sz.name AS zone_name,
+        rru.user_id AS user_id,
+        2 AS access_type
+    FROM x_security_zone sz
+    INNER JOIN x_security_zone_ref_role refr ON sz.id = refr.zone_id
+    INNER JOIN x_role_ref_user rru ON refr.role_id = rru.role_id
+    WHERE rru.user_id IS NOT NULL
+)
+UNION
+(
+    SELECT DISTINCT
+        sz.id AS zone_id,
+        sz.name AS zone_name,
+        gu.user_id AS user_id,
+        3 AS access_type
+    FROM x_security_zone sz
+    INNER JOIN x_security_zone_ref_role refr ON sz.id = refr.zone_id
+    INNER JOIN x_role_ref_group rrg ON refr.role_id = rrg.role_id
+    INNER JOIN x_group_users gu ON rrg.group_id = gu.p_group_id
+    WHERE gu.user_id IS NOT NULL
+)
+UNION
+(
+    SELECT DISTINCT
+        sz.id AS zone_id,
+        sz.name AS zone_name,
+        u.id AS user_id,
+        4 AS access_type
+    FROM x_security_zone sz
+    INNER JOIN x_security_zone_ref_group refg ON sz.id = refg.zone_id
+    CROSS JOIN x_user u
+    WHERE refg.group_name = 'public'
+);