From commits-return-4360-archive-asf-public=cust-asf.ponee.io@ranger.apache.org Wed Mar 28 05:11:16 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 24A0A18064E for ; Wed, 28 Mar 2018 05:11:15 +0200 (CEST) Received: (qmail 95276 invoked by uid 500); 28 Mar 2018 03:11:14 -0000 Mailing-List: contact commits-help@ranger.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@ranger.apache.org Delivered-To: mailing list commits@ranger.apache.org Received: (qmail 95267 invoked by uid 99); 28 Mar 2018 03:11:14 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 28 Mar 2018 03:11:14 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 3E028F68B8; Wed, 28 Mar 2018 03:11:14 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: abhay@apache.org To: commits@ranger.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: ranger git commit: RANGER-2045: Hive table columns with no explicit allow policy are listed with 'desc table' command Date: Wed, 28 Mar 2018 03:11:14 +0000 (UTC) Repository: ranger Updated Branches: refs/heads/master b2295a5e2 -> 358540dcf RANGER-2045: Hive table columns with no explicit allow policy are listed with 'desc table' command Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/358540dc Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/358540dc Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/358540dc Branch: refs/heads/master Commit: 358540dcfbaa78da2cae1c41e81fde983e91e510 Parents: b2295a5 Author: Abhay Kulkarni Authored: Tue Mar 27 17:46:02 2018 -0700 Committer: Abhay Kulkarni Committed: Tue Mar 27 17:46:02 2018 -0700 ---------------------------------------------------------------------- .../RangerDefaultPolicyEvaluator.java | 31 ++++++++++++-------- 1 file changed, 18 insertions(+), 13 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/358540dc/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index 55938b1..56dc0f6 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -198,26 +198,31 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator if (!result.getIsAccessDetermined() || !result.getIsAuditedDetermined()) { RangerPolicyResourceMatcher.MatchType matchType; + final boolean isMatched; if (RangerTagAccessRequest.class.isInstance(request)) { matchType = ((RangerTagAccessRequest) request).getMatchType(); + if (matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT + && !request.isAccessTypeAny() + && request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) { + if (LOG.isDebugEnabled()) { + LOG.debug("Setting matchType from DESCENDANT to SELF, so that any DENY policy-items will take effect."); + } + matchType = RangerPolicyResourceMatcher.MatchType.SELF; + } + isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE; } else { matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE; + if (request.isAccessTypeAny()) { + isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE; + } else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) { + isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT; + } else { + isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR; + } } - final boolean isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;; - if (isMatched) { - if (RangerTagAccessRequest.class.isInstance(request)) { - if (matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT - && !request.isAccessTypeAny() - && request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) { - if (LOG.isDebugEnabled()) { - LOG.debug("Setting matchType from DESCENDANT to SELF, so that any DENY policy-items will take effect."); - } - matchType = RangerPolicyResourceMatcher.MatchType.SELF; - } - } if (!result.getIsAuditedDetermined()) { if (isAuditEnabled()) { result.setIsAudited(true); @@ -367,7 +372,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE; } - final boolean isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;; + final boolean isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE; if (isMatched) {