Posted to commits@ranger.apache.org by ab...@apache.org on 2019/03/07 17:49:45 UTC
[ranger] branch master updated: RANGER-2343: Evaluate tag policies
in the same security zone as accessed resource
This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 8ebf1dc RANGER-2343: Evaluate tag policies in the same security zone as accessed resource
8ebf1dc is described below
commit 8ebf1dc2fd5a8c4f0e7dca7f55cd7c60916de27a
Author: Abhay Kulkarni <>
AuthorDate: Thu Mar 7 09:49:38 2019 -0800
RANGER-2343: Evaluate tag policies in the same security zone as accessed resource
---
.../policyengine/RangerPolicyEngineImpl.java | 24 ++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index e239c89..d709dcc 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -1246,7 +1246,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
}
if (policyRepository != null) {
- ret = evaluatePoliciesNoAudit(request, policyType, policyRepository, tagPolicyRepository);
+ ret = evaluatePoliciesNoAudit(request, policyType, zoneName, policyRepository, tagPolicyRepository);
ret.setZoneName(zoneName);
}
@@ -1257,9 +1257,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
return ret;
}
- private RangerAccessResult evaluatePoliciesNoAudit(RangerAccessRequest request, int policyType, RangerPolicyRepository policyRepository, RangerPolicyRepository tagPolicyRepository) {
+ private RangerAccessResult evaluatePoliciesNoAudit(RangerAccessRequest request, int policyType, String zoneName, RangerPolicyRepository policyRepository, RangerPolicyRepository tagPolicyRepository) {
if (LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" + policyType + ")");
+ LOG.debug("==> RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" + policyType + ", zoneName=" + zoneName + ")");
}
RangerAccessResult ret = createAccessResult(request, policyType);
@@ -1267,7 +1267,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
if (ret != null && request != null) {
- evaluateTagPolicies(request, policyType, tagPolicyRepository, ret);
+ evaluateTagPolicies(request, policyType, zoneName, tagPolicyRepository, ret);
if (LOG.isDebugEnabled()) {
if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) {
@@ -1340,15 +1340,15 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
if (LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" + policyType + "): " + ret);
+ LOG.debug("<== RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" + policyType + ", zoneName=" + zoneName + "): " + ret);
}
return ret;
}
- private void evaluateTagPolicies(final RangerAccessRequest request, int policyType, RangerPolicyRepository tagPolicyRepository, RangerAccessResult result) {
+ private void evaluateTagPolicies(final RangerAccessRequest request, int policyType, String zoneName, RangerPolicyRepository tagPolicyRepository, RangerAccessResult result) {
if (LOG.isDebugEnabled()) {
- LOG.debug("==> RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" + policyType + ", " + result + ")");
+ LOG.debug("==> RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" + policyType + ", zoneName=" + zoneName + ", " + result + ")");
}
Date accessTime = request.getAccessTime() != null ? request.getAccessTime() : new Date();
@@ -1361,6 +1361,14 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
for (PolicyEvaluatorForTag policyEvaluator : policyEvaluators) {
RangerPolicyEvaluator evaluator = policyEvaluator.getEvaluator();
+ String policyZoneName = evaluator.getPolicy().getZoneName();
+ if (!StringUtils.equals(zoneName, policyZoneName)) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Tag policy does not belong to the zone:[" + zoneName + "] of the accessed resource. Not evaluating this policy:[" + evaluator.getPolicy() + "]");
+ }
+ continue;
+ }
+
RangerTagForEval tag = policyEvaluator.getTag();
RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request);
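Review bot: The new zone check `if (!StringUtils.equals(zoneName, policyZoneName))` treats null and "" as different zones, so if the unzoned case arrives as null on one side and an empty string on the other (the request's zoneName is computed outside this hunk, and a RangerPolicy's zoneName may simply be unset), every default-zone tag policy would be skipped — deny policies included — and the decision would presumably fall through to resource-policy evaluation alone. Unless both sides are known to be normalized, fold empties together: `if (!StringUtils.equals(StringUtils.defaultString(zoneName), StringUtils.defaultString(policyZoneName))) {`. A one-line intent comment above the check would also help future readers, e.g. `// Zone isolation: a tag policy applies only to resources in its own security zone (unzoned policies never reach zoned resources, and vice versa).` The filter runs per evaluator on every request, so partitioning policyEvaluators by zone once at build time would avoid the repeated comparison, though that is a performance rather than correctness point. evaluateTagPolicies begins and ends outside this hunk.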
@@ -1407,7 +1415,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
}
if (LOG.isDebugEnabled()) {
- LOG.debug("<== RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" + policyType + ", " + result + ")");
+ LOG.debug("<== RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" + policyType + ", zoneName=" + zoneName + ", " + result + ")");
}
}