Posted to dev@ranger.apache.org by "star (Jira)" <ji...@apache.org> on 2020/03/20 15:57:00 UTC

[jira] [Resolved] (RANGER-2760) Bugs about wildcard evaluator incremental updates

     [ https://issues.apache.org/jira/browse/RANGER-2760?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

star resolved RANGER-2760.
--------------------------
    Resolution: Won't Fix

Merged with RANGER-2761.

> Bugs about wildcard evaluator incremental updates 
> --------------------------------------------------
>
>                 Key: RANGER-2760
>                 URL: https://issues.apache.org/jira/browse/RANGER-2760
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 2.0.0
>            Reporter: star
>            Assignee: star
>            Priority: Major
>         Attachments: RANGER-2760.patch
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> When incrementally updating wildcard policies, the update does not take effect. Steps to reproduce:
>    1. Create a policy A to grant Peter select access to database test and table t. Verify Peter did have select access.
>    2. Create a policy B to deny Peter select access to all databases and tables. Verify Peter is denied select access to database test and table t.
>    3. Delete the deny rule from policy B, expecting that Peter again has select access. However, this does not happen.
> The bug is caused by the following code.
>  
> {code:java}
> //RangerResourceTrie
> boolean removeWildcardEvaluator(U evaluator) {
>    ...
>    this.wildcardEvaluators.remove(evaluator);
>    undoSetup();
>    ...
> }
> void undoSetup() {
> ...
>    if (wildcardEvaluators != null) {
>      evaluators.removeAll(this.wildcardEvaluators);
>    }
> ...
> }
> Set<T> getEvaluatorsForResource(String resource) {
>    ...
>    Set<T> ret = i == len ? curr.getEvaluators() : curr.getWildcardEvaluators();
>    ...
> }
> {code}
> Func 'removeWildcardEvaluator' removes the wildcard evaluator from this.wildcardEvaluators first. Then, evaluators fails to remove the same wildcard evaluator. As a result, the old evaluator will be matched in func 'getEvaluatorsForResource'.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
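
Added example, not part of the original message and not Ranger's code: a minimal Java model of the removal order described in the report, next to a reordered variant. The `Node` class, the behaviour of `setup()`, the method names and the policy names are assumptions made for illustration; the reordering is one way to avoid the stale entry, not necessarily the change made in RANGER-2761.

```java
import java.util.Set;
import java.util.TreeSet;

// Simplified model of one trie node; this is not Ranger's RangerResourceTrie.
public class WildcardRemovalDemo {
    static class Node {
        final Set<String> evaluators = new TreeSet<>();         // consulted on an exact match
        final Set<String> wildcardEvaluators = new TreeSet<>();

        // Model assumption: setup copies the wildcard evaluators into 'evaluators'.
        void setup() { evaluators.addAll(wildcardEvaluators); }

        // Mirrors the quoted undoSetup(): strips only what is currently listed.
        void undoSetup() { evaluators.removeAll(wildcardEvaluators); }

        // Order from the report: the evaluator leaves wildcardEvaluators first,
        // so removeAll() no longer knows about it and its copy stays behind.
        void removeWildcardAsReported(String e) {
            wildcardEvaluators.remove(e);
            undoSetup();
            setup();
        }

        // Reordered: undo the setup while the evaluator is still listed.
        void removeWildcardReordered(String e) {
            undoSetup();
            wildcardEvaluators.remove(e);
            setup();
        }
    }

    // Builds the state from the reproduce steps, then removes policy B's evaluator.
    static Set<String> evaluatorsAfterRemoval(boolean reordered) {
        Node n = new Node();
        n.evaluators.add("policyA-allow-select");        // constructed sample name
        n.wildcardEvaluators.add("policyB-deny-select"); // constructed sample name
        n.setup();
        if (reordered) n.removeWildcardReordered("policyB-deny-select");
        else n.removeWildcardAsReported("policyB-deny-select");
        return n.evaluators;
    }

    public static void main(String[] args) {
        System.out.println("as reported: " + evaluatorsAfterRemoval(false));
        System.out.println("reordered:   " + evaluatorsAfterRemoval(true));
    }
}
```

In the as-reported order the deny evaluator is still present in `evaluators` after removal, which is the stale match the report describes; in the reordered variant only the allow evaluator remains.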