Posted to commits@ranger.apache.org by ma...@apache.org on 2020/05/13 06:08:42 UTC
[ranger] branch master updated: RANGER-2824: fixed
policy-evaluation to terminate after override policies determine the access
This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new c2155df RANGER-2824: fixed policy-evaluation to terminate after override policies determine the access
c2155df is described below
commit c2155dfad98323df02b05c5852b1a3c3a05aa313
Author: Madhan Neethiraj <ma...@apache.org>
AuthorDate: Tue May 12 02:40:39 2020 -0700
RANGER-2824: fixed policy-evaluation to terminate after override policies determine the access
---
.../policyengine/RangerPolicyEngineImpl.java | 2 +-
.../plugin/policyengine/TestPolicyEngine.java | 7 ++
.../policyengine/test_policyengine_priority.json | 81 ++++++++++++++++++++++
3 files changed, 89 insertions(+), 1 deletion(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 6140549..b594409 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -629,7 +629,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
if (ret.getPolicyPriority() >= evaluator.getPolicyPriority()) {
ret.setIsAccessDetermined(true);
}
- } else if (isAllowedByTags) {
+ } else if (ret.getIsAllowed()) {
if (ret.getPolicyPriority() > evaluator.getPolicyPriority()) {
ret.setIsAccessDetermined(true);
}
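Review bot: The new `else if (ret.getIsAllowed())` branch terminates evaluation on an allow from any earlier source, not only a tag-derived one, yet it keeps the strict `>` while the preceding branch (whose condition is above the hunk) uses `>=`, and nothing in the code says why the two differ. Because this asymmetry decides whether an equal-priority policy evaluated later can still deny an already-allowed request, the reason belongs next to the comparison; if that is the intent, add `// an allow terminates evaluation only when it outranks this policy; an equal-priority policy may still deny` above the inner `if`. The enclosing method starts and ends outside the hunk, so it is not visible here whether ret.getPolicyPriority() is always populated when getIsAllowed() is true (e.g. for allows that came from tags rather than a resource policy); presumably the caller guarantees that, but it is worth confirming since an unset priority would make the comparison silently fall through.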
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 26c7dfb..2567edb 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -415,6 +415,13 @@ public class TestPolicyEngine {
runTestsFromResourceFiles(resourceFiles);
}
+ @Test
+ public void testPolicyEngine_PolicyPriority() {
+ String[] resourceFiles = {"/policyengine/test_policyengine_priority.json"};
+
+ runTestsFromResourceFiles(resourceFiles);
+ }
+
private void runTestsFromResourceFiles(String[] resourceNames) {
for(String resourceName : resourceNames) {
InputStream inStream = this.getClass().getResourceAsStream(resourceName);
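Review bot: The new testPolicyEngine_PolicyPriority method names the resource file but not the behaviour it pins, so a future reader cannot tell which regression it guards without opening the JSON. A one-line comment tying it to the fix would do: `// RANGER-2824: an override (higher-priority) policy that allows access must terminate evaluation before a lower-priority denyAllElse policy is consulted`. The `@Test` annotation and method follow the pattern of the surrounding tests, which is fine; runTestsFromResourceFiles continues past the hunk.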
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_priority.json b/agents-common/src/test/resources/policyengine/test_policyengine_priority.json
new file mode 100644
index 0000000..cd85702
--- /dev/null
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_priority.json
@@ -0,0 +1,81 @@
+{
+ "serviceName":"kmsdev",
+
+ "serviceDef":{
+ "name":"kms",
+ "id":1,
+ "resources":[
+ {"name":"key","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"KMS key","description":"KMS key"}
+ ],
+ "accessTypes":[
+ {"name":"read","label":"Read"},
+ {"name":"create","label":"Create"},
+ {"name":"delete","label":"Delete"}
+ ],
+ "contextEnrichers": [ ],
+ "policyConditions": [ ]
+ },
+
+ "policies":[
+ {"id":1,"name":"allow-all to power-users","isEnabled":true,"isAuditEnabled":true,
+ "policyPriority":1,
+ "resources":{"key":{"values":["*"]}},
+ "policyItems":[
+ {"accesses":[{"type":"read","isAllowed":true},{"type":"create", "isAllowed":true}, {"type":"delete","isAllowed":true}],"users":[],"groups":["power-users"],"delegateAdmin":false}
+ ],
+ "denyPolicyItems":[
+ {"accesses":[{"type":"read","isAllowed":true},{"type":"create", "isAllowed":true}, {"type":"delete","isAllowed":true}],"users":["nobody"],"groups":[],"delegateAdmin":false}
+ ]
+ }
+ ,
+ {"id":2,"name":"only hbase can read hbase; denyAllElse","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"key":{"values":["hbase"],"isRecursive":true}},
+ "policyItems":[
+ {"accesses":[{"type":"read","isAllowed":true}],"users":["hbase"],"groups":[],"delegateAdmin":false}
+ ],
+ "isDenyAllElse": true
+ }
+ ],
+
+ "tests":[
+ {"name":"ALLOW 'read hbase' for user=admin1, group=power-users",
+ "request":{
+ "resource":{"elements":{"key":"hbase"}},
+ "accessType":"read","user":"admin1","userGroups":["power-users"],"requestData":"read hbase, user=admin1, group=power-users"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"ALLOW 'create hbase' for user=admin1, group=power-users",
+ "request":{
+ "resource":{"elements":{"key":"hbase"}},
+ "accessType":"create","user":"admin1","userGroups":["power-users"],"requestData":"read hbase, user=admin1, group=power-users"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":1}
+ }
+ ,
+ {"name":"ALLOW 'read hbase' for user=hbase",
+ "request":{
+ "resource":{"elements":{"key":"hbase"}},
+ "accessType":"read","user":"hbase","requestData":"read hbase, user=hbase"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+ }
+ ,
+ {"name":"DENY 'delete hbase' for user=hbase",
+ "request":{
+ "resource":{"elements":{"key":"hbase"}},
+ "accessType":"delete","user":"hbase","requestData":"delete hbase, user=hbase"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":2}
+ }
+ ,
+ {"name":"DENY 'read hbase' for user=kafka",
+ "request":{
+ "resource":{"elements":{"key":"hbase"}},
+ "accessType":"read","user":"kafka","requestData":"read hbase, user=kafka"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":2}
+ }
+ ]
+}
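Review bot: The second test case ("ALLOW 'create hbase' for user=admin1") carries a copy-pasted requestData of `"read hbase, user=admin1, group=power-users"` although the accessType is create; since requestData ends up in the audit record for the request, it should read `"requestData":"create hbase, user=admin1, group=power-users"` so audit output in a failing run matches the case. The fixture also defines a denyPolicyItems entry for user nobody in the priority-1 policy but no test exercises it, so the deny side of the override policy stays untested by this commit; adding a case such as DENY 'read hbase' for user=nobody with an expected result of isAllowed false (presumably attributed to policyId 1) would cover both outcomes of the override path. Both points are in this single hunk, which holds the whole new file.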