ranger-commits mailing list archives

From mad...@apache.org
Subject incubator-ranger git commit: Revert "RANGER-877: Exceptions in policies: allowExceptions should implicitly deny; denyExceptions should implicitly allow"
Date Thu, 07 Apr 2016 21:10:37 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/master 9c4d8e9cd -> 6cd0dbfc0


Revert "RANGER-877: Exceptions in policies: allowExceptions should implicitly deny; denyExceptions
should implicitly allow"

This reverts commit 46c2f94abd0b95b8b9da741b9cdb21a9422c009b.


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/6cd0dbfc
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/6cd0dbfc
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/6cd0dbfc

Branch: refs/heads/master
Commit: 6cd0dbfc00f6ceb5ec16550c8f23e23d4f9deb29
Parents: 9c4d8e9
Author: Madhan Neethiraj <madhan@apache.org>
Authored: Thu Apr 7 11:07:20 2016 -0700
Committer: Madhan Neethiraj <madhan@apache.org>
Committed: Thu Apr 7 14:09:07 2016 -0700

----------------------------------------------------------------------
 .../RangerDefaultPolicyEvaluator.java           | 24 --------------------
 .../test_policyengine_tag_hive.json             |  4 ++--
 .../test_policyengine_tag_hive_filebased.json   |  8 +++----
 3 files changed, 6 insertions(+), 30 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6cd0dbfc/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 2b26218..368a695 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -814,16 +814,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 		if(isPolicyItemTypeEnabled(serviceDef, policyItemType)) {
 			if (policyItemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW) {
 				policyItems = policy.getPolicyItems();
-
-				if (isPolicyItemTypeEnabled(serviceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS))
{
-					policyItems = mergeLists(policyItems, policy.getDenyExceptions());
-				}
 			} else if (policyItemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY) {
 				policyItems = policy.getDenyPolicyItems();
-
-				if (isPolicyItemTypeEnabled(serviceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS))
{
-					policyItems = mergeLists(policyItems, policy.getAllowExceptions());
-				}
 			} else if (policyItemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS)
{
 				policyItems = policy.getAllowExceptions();
 			} else if (policyItemType == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS)
{
@@ -999,20 +991,4 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 
         return ret;
 	}
-
-	private <T> List<T> mergeLists(List<T> list1, List<T> list2) {
-		List<T> ret = null;
-
-		if(CollectionUtils.isEmpty(list1)) {
-			ret = list2;
-		} else if(CollectionUtils.isEmpty(list2)) {
-			ret = list1;
-		} else {
-			ret = new ArrayList<T>(list1);
-
-			ret.addAll(list2);
-		}
-
-		return ret;
-	}
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6cd0dbfc/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
index 2628863..fab93f6 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
@@ -238,7 +238,7 @@
         "accessType":"select","user":"dataloader","userGroups":[],"requestData":"select ssn
from employee.personal;' for dataloader",
         "context": {"TAGS":"[{\"type\":\"EXPIRES_ON\", \"attributes\":{\"expiry_date\":\"2015/08/10\"}}]"}
       },
-      "result":{"isAudited":true,"isAllowed":true,"policyId":5}
+      "result":{"isAudited":true,"isAllowed":true,"policyId":101}
     },
     {"name":"ALLOW 'select ssn from employee.personal;' for user1",
       "request":{
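Review bot: The expectation changed in this hunk moves only `policyId` (5 → 101) while `isAllowed` stays `true`, and the same is true of the hunk at line 303 and of the three hunks in test_policyengine_tag_hive_filebased.json, so none of the visible fixture changes pins an allow/deny outcome that differs before and after the revert. The Java change removes the merge of `policy.getDenyExceptions()` into the allow items and of `policy.getAllowExceptions()` into the deny items, which presumably means a request matching only an exception item is no longer decided by that policy. A test case for such a request with an explicit expected `isAllowed` would document the intended authorization semantics and catch a later regression; the suite may already cover this outside these hunks. The commit message gives no reason for the revert, and one sentence stating it would help operators who wrote policies relying on the RANGER-877 behaviour.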
@@ -303,7 +303,7 @@
         "accessType":"","user":"hive","userGroups":[],"requestData":"use default",
         "context": {"TAGS":"[{\"type\":\"PII-FINAL\", \"attributes\":{\"expiry\":\"2026/06/15\"}}]"}
       },
-      "result":{"isAudited":true,"isAllowed":true,"policyId":3}
+      "result":{"isAudited":true,"isAllowed":true,"policyId":101}
     },
     {"name":"DENY 'use default;' for user1",
       "request":{

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6cd0dbfc/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
index 167a157..443ee53 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
@@ -233,7 +233,7 @@
         "resource":{"elements":{"database":"employee", "table":"personal", "column":"emp-number"}},
         "accessType":"select","user":"dataloader","userGroups":[],"requestData":"select emp-number
from employee.personal;' for dataloader"
       },
-      "result":{"isAudited":true,"isAllowed":true,"policyId":5}
+      "result":{"isAudited":true,"isAllowed":true,"policyId":101}
     },
     {"name":"DENY 'select salary from employee.personal;' for user1 using EXPIRES_ON tag",
       "request":{
@@ -268,14 +268,14 @@
         "resource":{"elements":{"database":"default", "table":"table1", "column":"name"}},
         "accessType":"select","user":"hive","userGroups":[],"requestData":"select name from
default.table1;' for hive"
       },
-      "result":{"isAudited":true,"isAllowed":true,"policyId":3}
+      "result":{"isAudited":true,"isAllowed":true,"policyId":2}
     },
     {"name":"ALLOW 'desc default.table1;' for hive using PII, PII-FINAL tags",
       "request":{
         "resource":{"elements":{"database":"default", "table":"table1"}},
         "accessType":"","user":"hive","userGroups":[],"requestData":"desc default.table1;'
for hive"
       },
-      "result":{"isAudited":true,"isAllowed":true,"policyId":3}
+      "result":{"isAudited":true,"isAllowed":true,"policyId":2}
     },
     {"name":"DENY 'desc default.table2;' for user1 using PII-FINAL tag",
       "request":{
@@ -296,7 +296,7 @@
         "resource":{"elements":{"database":"default", "table":"table3", "column":"name"}},
         "accessType":"select","user":"hive","userGroups":[],"requestData":"select name from
default.table3 for user hive"
       },
-      "result":{"isAudited":true,"isAllowed":true,"policyId":3}
+      "result":{"isAudited":true,"isAllowed":true,"policyId":2}
     }
 
   ]

