From ab...@apache.org
Subject ranger git commit: RANGER-2066: Fix regression
Date Wed, 18 Apr 2018 21:09:25 GMT
Repository: ranger
Updated Branches:
  refs/heads/master bc2cd5e00 -> 24579e084


RANGER-2066: Fix regression


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/24579e08
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/24579e08
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/24579e08

Branch: refs/heads/master
Commit: 24579e08490b5caf764608c258c3d1befe513017
Parents: bc2cd5e
Author: Abhay Kulkarni <akulkarni@hortonworks.com>
Authored: Wed Apr 18 13:48:49 2018 -0700
Committer: Abhay Kulkarni <akulkarni@hortonworks.com>
Committed: Wed Apr 18 13:48:49 2018 -0700

----------------------------------------------------------------------
 .../RangerDefaultPolicyEvaluator.java           | 12 ++--
 .../hbase/RangerAuthorizationCoprocessor.java   | 65 +++++++++++++-------
 2 files changed, 49 insertions(+), 28 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/24579e08/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 46c409f..c3a9760 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -466,13 +466,11 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 				result.setReason(reason);
 			}
 		} else {
-			if (matchType != RangerPolicyResourceMatcher.MatchType.DESCENDANT || result.getAccessRequest().isAccessTypeAny())
{
-				if (!result.getIsAllowed()) { // if access is not yet allowed by another policy
-					result.setIsAllowed(true);
-					result.setPolicyPriority(getPolicyPriority());
-					result.setPolicyId(getId());
-					result.setReason(reason);
-				}
+			if (!result.getIsAllowed()) { // if access is not yet allowed by another policy
+				result.setIsAllowed(true);
+				result.setPolicyPriority(getPolicyPriority());
+				result.setPolicyId(getId());
+				result.setReason(reason);
 			}
 		}
 	}
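Review bot: Dropping the `matchType != DESCENDANT || isAccessTypeAny()` guard means this allow branch now sets `isAllowed` for a policy that matched only descendants of the requested resource, so for a request evaluated with SELF_OR_DESCENDANTS scope `result.getIsAllowed()` no longer implies access to the resource itself. The companion change in RangerAuthorizationCoprocessor copes by authorizing SELF scope first and only afterwards SELF_OR_DESCENDANTS, but nothing in this method records that contract; I would add above the `if (!result.getIsAllowed())` line: `// NOTE: under SELF_OR_DESCENDANTS matching scope a DESCENDANT-only match also allows here; callers that need access to the resource itself must evaluate SELF scope separately`. The enclosing method begins before the hunk and the outer condition this `else` belongs to is not visible, so whether any other caller relied on the old guard is inferred rather than shown.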

http://git-wip-us.apache.org/repos/asf/ranger/blob/24579e08/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 8952752..d85339a 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -394,53 +394,75 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 			Set<String> columns = anEntry.getValue();
 			if (columns == null || columns.isEmpty()) {
 				LOG.debug("evaluateAccess: columns collection null or empty, ok.  Family level access
is desired.");
+
 				session.column(null) // zap stale column from prior iteration of this loop, if any
 						.buildRequest()
 						.authorize();
 				AuthzAuditEvent auditEvent = auditHandler.getAndDiscardMostRecentEvent(); // capture
it only for success
+
+				final boolean isColumnFamilyAuthorized = session.isAuthorized();
+
+				if (auditEvent != null) {
+					if (isColumnFamilyAuthorized) {
+						familyLevelAccessEvents.add(auditEvent);
+					} else {
+						if (deniedEvent == null) { // we need to capture just one denial event
+							LOG.debug("evaluateAccess: Setting denied access audit event with last auth failure
audit event.");
+							deniedEvent = auditEvent;
+						}
+					}
+				}
+				if (LOG.isDebugEnabled()) {
+					LOG.debug("evaluateAccess: family level access for [" + family + "] is evaluated to
" + isColumnFamilyAuthorized + ". Checking if [" + family + "] descendants have access.");
+				}
+				session.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS)
+						.buildRequest()
+						.authorize();
+				auditEvent = auditHandler.getAndDiscardMostRecentEvent(); // capture it only for failure
 				if (session.isAuthorized()) {
-					somethingIsAccessible = true;
 					if (LOG.isDebugEnabled()) {
-						LOG.debug("evaluateAccess: has family level access [" + family + "]. Checking if ["
+ family + "] descendants have access.");
+						LOG.debug("evaluateAccess: [" + family + "] descendants have access");
 					}
-					session.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS)
-							.buildRequest()
-							.authorize();
-					auditEvent = auditHandler.getAndDiscardMostRecentEvent(); // capture it only for failure
-					if (session.isAuthorized()) {
-						if (LOG.isDebugEnabled()) {
-							LOG.debug("evaluateAccess: [" + family + "] descendants have access");
-						}
+					somethingIsAccessible = true;
+					if (isColumnFamilyAuthorized) {
 						familesAccessAllowed.add(family);
 						if (auditEvent != null) {
 							LOG.debug("evaluateAccess: adding to family-level-access-granted-event-set");
 							familyLevelAccessEvents.add(auditEvent);
 						}
 					} else {
+						familesAccessIndeterminate.add(family);
 						if (LOG.isDebugEnabled()) {
 							LOG.debug("evaluateAccess: has partial access (of some type) in family [" + family
+ "]");
 						}
 						everythingIsAccessible = false;
-						familesAccessIndeterminate.add(family);
 						if (auditEvent != null && deniedEvent == null) { // we need to capture just
one denial event
 							LOG.debug("evaluateAccess: Setting denied access audit event with last auth failure
audit event.");
 							deniedEvent = auditEvent;
 						}
 					}
-					// Restore the headMatch setting
-					session.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF);
 				} else {
-					if (LOG.isDebugEnabled()) {
-						LOG.debug("evaluateAccess: has no access of [" + access + "] type in family [" + family
+ "]");
-					}
 					everythingIsAccessible = false;
-					familesAccessDenied.add(family);
-					denialReason = String.format("Insufficient permissions for user ‘%s',action: %s, tableName:%s,
family:%s.", user.getName(), operation, table, family);
-					if (auditEvent != null && deniedEvent == null) { // we need to capture just
one denial event
-						LOG.debug("evaluateAccess: Setting denied access audit event with last auth failure
audit event.");
-						deniedEvent = auditEvent;
+					if (isColumnFamilyAuthorized) {
+						somethingIsAccessible = true;
+						familesAccessIndeterminate.add(family);
+						if (LOG.isDebugEnabled()) {
+							LOG.debug("evaluateAccess: has partial access (of some type) in family [" + family
+ "]");
+						}
+						if (auditEvent != null && deniedEvent == null) { // we need to capture just
one denial event
+							LOG.debug("evaluateAccess: Setting denied access audit event with last auth failure
audit event.");
+							deniedEvent = auditEvent;
+						}
+					} else {
+						if (LOG.isDebugEnabled()) {
+							LOG.debug("evaluateAccess: has no access of [" + access + "] type in family [" + family
+ "]");
+						}
+						familesAccessDenied.add(family);
+						denialReason = String.format("Insufficient permissions for user ‘%s',action: %s,
tableName:%s, family:%s.", user.getName(), operation, table, family);
 					}
 				}
+				// Restore the headMatch setting
+				session.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF);
 			} else {
 				LOG.debug("evaluateAccess: columns collection not empty.  Skipping Family level check,
will do finer level access check.");
 				Set<String> accessibleColumns = new HashSet<String>(); // will be used in
to populate our results cache for the filter
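Review bot: On the path where both the SELF check and the SELF_OR_DESCENDANTS check succeed for a family, the audit event from the first `authorize()` is added to `familyLevelAccessEvents` right after `final boolean isColumnFamilyAuthorized`, and the event from the second `authorize()` is added again in the `if (isColumnFamilyAuthorized)` branch below `somethingIsAccessible = true;`, so one granted family can now yield two audit records where the old code yielded one — assuming `getAndDiscardMostRecentEvent()` hands back a fresh event per `authorize()` call, which this view does not show. If a single grant record per family is intended, drop the first `familyLevelAccessEvents.add(auditEvent)` and keep only the one in the descendants-authorized branch; if both records are wanted, a comment saying so at the first add would stop the next reader from "fixing" it. evaluateAccess starts before this hunk and continues past it.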
@@ -467,6 +489,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 						if (LOG.isDebugEnabled()) {
 							LOG.debug("evaluateAccess: no column level access [" + family + ", " + column + "]");
 						}
+						somethingIsAccessible = false;
  						everythingIsAccessible = false;
  						denialReason = String.format("Insufficient permissions for user ‘%s',action: %s,
tableName:%s, family:%s, column: %s", user.getName(), operation, table, family, column);
 						if (auditEvent != null && deniedEvent == null) { // we need to capture just
one denial event
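Review bot: `somethingIsAccessible = false;` is an unconditional reset inside the per-column loop, whereas every other write to that flag in this commit (the family-level branch of the previous hunk) only ever sets it to true, which reads as an any-family-accessible aggregate; if that is its meaning, a single denied column here discards a true recorded for an earlier family or column. If the intent is that one denied column makes the whole request non-accessible for the filter, a one-line comment such as `// one denied column makes the whole request non-accessible; do not let earlier grants mask it` would make that explicit; otherwise the line looks like it should go. The column loop and evaluateAccess both begin before the hunk and continue after it, and the flag's consumer is outside this view, so this is inferred from the names rather than shown.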

