ranger-commits mailing list archives

From rm...@apache.org
Subject incubator-ranger git commit: RANGER-1126 : Authorization checks for non existent file/directory should not be recursive in Ranger Hive authorizer
Date Mon, 24 Oct 2016 23:29:04 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/ranger-0.6 4a64c4fa1 -> ecfa86caa


RANGER-1126 : Authorization checks for non existent file/directory should not be recursive
in Ranger Hive authorizer


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/ecfa86ca
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/ecfa86ca
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/ecfa86ca

Branch: refs/heads/ranger-0.6
Commit: ecfa86caa1fea9e58c8d175bb48e667a64077397
Parents: 4a64c4f
Author: rmani <rmani@hortonworks.com>
Authored: Wed Jul 27 14:40:28 2016 -0700
Committer: rmani <rmani@hortonworks.com>
Committed: Mon Oct 24 16:28:31 2016 -0700

----------------------------------------------------------------------
 .../hive/authorizer/RangerHiveAuthorizer.java   | 22 ++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ecfa86ca/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 9329020..ae4c237 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -1006,14 +1006,24 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase
{
             try {
                 Path       filePath   = new Path(uri);
                 FileSystem fs         = FileSystem.get(filePath.toUri(), conf);
-                // Path       path       = FileUtils.getPathOrParentThatExists(fs, filePath);
-                // FileStatus fileStatus = fs.getFileStatus(path);
-                FileStatus fileStatus = FileUtils.getPathOrParentThatExists(fs, filePath);
+                FileStatus[] filestat = fs.globStatus(filePath);
 
-                if (FileUtils.isOwnerOfFileHierarchy(fs, fileStatus, userName)) {
+                if(filestat != null && filestat.length > 0) {
+                    ret = true;
+
+                    for(FileStatus file : filestat) {
+                        ret = FileUtils.isOwnerOfFileHierarchy(fs, file, userName) ||
+                              FileUtils.isActionPermittedForFileHierarchy(fs, file, userName,
action);
+
+                        if(! ret) {
+                            break;
+                        }
+                     }
+                } else { // if given path does not exist then check for parent
+                    FileStatus file = FileUtils.getPathOrParentThatExists(fs, filePath);
+
+                    FileUtils.checkFileAccessWithImpersonation(fs, file, action, userName);
                     ret = true;
-                } else {
-                    ret = FileUtils.isActionPermittedForFileHierarchy(fs, fileStatus, userName,
action);
                 }
             } catch(Exception excp) {
                 LOG.error("Error getting permissions for " + uri, excp);
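Review bot: In the new `else` branch, `ret = true` follows `FileUtils.checkFileAccessWithImpersonation(fs, file, action, userName)` unconditionally, so a denial for a non-existent path is only expressed if that call throws, and the exception then lands in the generic `catch(Exception excp)` and is logged at ERROR level as `"Error getting permissions for " + uri`. That makes an ordinary deny indistinguishable from a file-system failure in the logs, and it leaves the outcome dependent on the initial value of `ret`, which is declared outside the hunk (presumably `false`). I would add a comment above the call, `// throws when access is denied; ret then keeps its initial value`, and consider catching the access-denied exception separately so that it is recorded as an authorization decision rather than an error. In the first branch the `ret = true;` before the loop is a dead store, because `filestat.length > 0` guarantees the loop assigns `ret` at least once. The enclosing method begins and ends outside this hunk.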

