RANGER-5215 : Policy authorisation fails for Ranger Plugins in case of users/groups converted by Ranger userysnc as per given Regex

[dhavalshah9131]

What changes were proposed in this pull request?

Problem Statement:

Currently, when Ranger Usersync is configured with case conversion and special character replacement using regex, it transforms the original user/group names from the source (e.g., AD/LDAP) before storing them in the Ranger Admin database.

Example:

Original name in LDAP/AD: John-jacobs
Usersync configuration:

• ranger.usersync.ldap.username.caseconversion = lower
• ranger.usersync.mapping.username.regex = s/[-]/_/g
• Transformed and stored name in Ranger: john_jacobs

Issue:

If a Ranger plugin (e.g., Hive) uses the original name John-jacobs during authorization checks, it fails because Ranger Admin only recognizes the transformed name john_jacobs.

Error Example:

Permission denied: user [John-jacobs] does not have [SELECT] privilege on [vehicle/cars/*]
Solution:

To ensure consistency, the same transformation logic used by Usersync must also be applied on the plugin side before authorization. This transformation should be made available as a utility library packaged with the plugins.

Configurability:

This feature must be configurable at the plugin level via a property (e.g., ranger.plugin..supports.name.transformation), allowing users to enable or disable it based on their environment needs.

In ranger-admin-site.xml

ranger.plugins.ldap.username.caseconversion
ranger.plugins.ldap.groupname.caseconversion
ranger.plugins.mapping.username.handler
ranger.plugins.mapping.groupname.handler
ranger.plugins.mapping.regex.separator
ranger.plugins.mapping.username.regex
ranger.plugins.mapping.groupname.regex

How was this patch tested?

(Please explain how this patch was tested. Ex: unit tests, manual tests)
1.) Build successful with unit test.
2.) Manul testing

[Copilot]

Pull Request Overview

This PR addresses the issue where Ranger plugins fail authorization due to differences in user/group name formatting between the source (e.g., LDAP/AD) and the Ranger Admin database. The changes introduce a shared utility (ugsync-util) and corresponding configuration constants to apply consistent name transformations on the plugin side. Key changes include:

• Updating various plugin assembly XML files to include the ugsync-util dependency.
• Enhancing the RangerDefaultRequestProcessor and RangerBasePlugin to apply case conversion and regex-based name transformations using a new Mapper instance.
• Adding new constants and a model (UgsyncNameTransformRules) to support the name transformation configuration.

Reviewed Changes

Copilot reviewed 41 out of 41 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
distro/src/main/assembly/*.xml	Added for ugsync-util in several plugin and agent assembly definitions.
agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java	Updated to copy service configuration including new name transformation settings.
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java	Added new constants for name transformation configuration.
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java	Added logic to perform user and group name transformation based on config settings.
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java	Introduced configuration loading for name transformation and Mapper instantiation.
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java	Added getters and setters for transformation Mapper and case conversion strings.
agents-common/src/main/java/org/apache/ranger/plugin/model/UgsyncNameTransformRules.java	New model to encapsulate name transformation rules.
agents-common/pom.xml	Added dependency on ugsync-util with necessary exclusions.

Comments suppressed due to low confidence (2)

agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java:1288

• Consider using getDeclaredConstructor().newInstance() instead of newInstance() for instantiating the Mapper, to follow modern Java instantiation practices.

Mapper userNameRegExInst = regExClass.newInstance();

agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java:1308

• Consider using getDeclaredConstructor().newInstance() instead of newInstance() for instantiating the Mapper, to follow modern Java instantiation practices.

Mapper groupNameRegExInst = regExClass.newInstance();

[rameeshm]

@dhavalshah9131 Please correct the JIRA description as it has Typo.
RANGER-5215 : Policy authorization fails for Ranger Plugins in case of users/groups converted by Ranger userysnc as per given Regex

[fateh288]

I have one more refactoring suggestion, but other than that it looks good

[fateh288]

LGTM !!

[mneethiraj]

To be consistent with rest of the sources, have initialization of Logger instances at the beginning of the class.

[dhavalshah9131]

Hi @mneethiraj ,

LOG seems to be private. As per steps mentioned RANGER-5018 it gets shfited after public variables.

[mneethiraj]

Are libraries log4j-api and log4j-over-slf4j needed in ugsync-util module? If not, please remove these dependencies.

[mneethiraj]

I suggest moving new members to RangerAuthContext class.

[mneethiraj]

Methods getNameTransformationRules() and getAllRegexPatternsConfig() don't seem to be used. Please review and remove.

[mneethiraj]

This is referenced from this class, and its test class TestRegEx. I suggest changing visibility to package-private i.e. remove public. Btw, there is a typo in the test class package name: org.apache.ranger.ugsynutil.transform => org.apache.ranger.ugsyncutil.transform (missing c in ugsyncutil).

[mneethiraj]

Replace use of String.format with parameterized log message.

[mneethiraj]

Consider avoiding string comparision on every authz call; instead have the configured parsed to a boolean in RangerAuthContext and access boolean from here.

[mneethiraj]

Consider avoiding string comparision on every authz call, and for each group; instead have the configured parsed to a boolean in RangerAuthContext and access boolean from here.

[mneethiraj]

When groupNameTransformInst is null, return at line 202 will result in case-conversion to be not applied. Please review and update.