Posted to commits@ranger.apache.org by ab...@apache.org on 2019/03/07 17:49:45 UTC

[ranger] branch master updated: RANGER-2343: Evaluate tag policies in the same security zone as accessed resource

This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 8ebf1dc  RANGER-2343: Evaluate tag policies in the same security zone as accessed resource
8ebf1dc is described below

commit 8ebf1dc2fd5a8c4f0e7dca7f55cd7c60916de27a
Author: Abhay Kulkarni <>
AuthorDate: Thu Mar 7 09:49:38 2019 -0800

    RANGER-2343: Evaluate tag policies in the same security zone as accessed resource
---
 .../policyengine/RangerPolicyEngineImpl.java       | 24 ++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index e239c89..d709dcc 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -1246,7 +1246,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			}
 		}
 		if (policyRepository != null) {
-			ret = evaluatePoliciesNoAudit(request, policyType, policyRepository, tagPolicyRepository);
+			ret = evaluatePoliciesNoAudit(request, policyType, zoneName, policyRepository, tagPolicyRepository);
 			ret.setZoneName(zoneName);
 		}
 
@@ -1257,9 +1257,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 		return ret;
 	}
 
-	private RangerAccessResult evaluatePoliciesNoAudit(RangerAccessRequest request, int policyType, RangerPolicyRepository policyRepository, RangerPolicyRepository tagPolicyRepository) {
+	private RangerAccessResult evaluatePoliciesNoAudit(RangerAccessRequest request, int policyType, String zoneName, RangerPolicyRepository policyRepository, RangerPolicyRepository tagPolicyRepository) {
 		if (LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" + policyType + ")");
+			LOG.debug("==> RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" + policyType + ", zoneName=" + zoneName + ")");
 		}
 
 		RangerAccessResult ret = createAccessResult(request, policyType);
@@ -1267,7 +1267,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 
         if (ret != null && request != null) {
 
-			evaluateTagPolicies(request, policyType, tagPolicyRepository, ret);
+			evaluateTagPolicies(request, policyType, zoneName, tagPolicyRepository, ret);
 
 			if (LOG.isDebugEnabled()) {
 				if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) {
@@ -1340,15 +1340,15 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 		}
 
 		if (LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" + policyType + "): " + ret);
+			LOG.debug("<== RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" + policyType + ", zoneName=" + zoneName + "): " + ret);
 		}
 
 		return ret;
 	}
 
-	private void evaluateTagPolicies(final RangerAccessRequest request, int policyType, RangerPolicyRepository tagPolicyRepository, RangerAccessResult result) {
+	private void evaluateTagPolicies(final RangerAccessRequest request, int policyType, String zoneName, RangerPolicyRepository tagPolicyRepository, RangerAccessResult result) {
 		if (LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" + policyType + ", " + result + ")");
+			LOG.debug("==> RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" + policyType + ", zoneName=" + zoneName + ", " + result + ")");
 		}
 
 		Date accessTime = request.getAccessTime() != null ? request.getAccessTime() : new Date();
@@ -1361,6 +1361,14 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			for (PolicyEvaluatorForTag policyEvaluator : policyEvaluators) {
 				RangerPolicyEvaluator evaluator = policyEvaluator.getEvaluator();
 
+				String policyZoneName = evaluator.getPolicy().getZoneName();
+				if (!StringUtils.equals(zoneName, policyZoneName)) {
+					if (LOG.isDebugEnabled()) {
+						LOG.debug("Tag policy does not belong to the zone:[" + zoneName + "] of the accessed resource. Not evaluating this policy:[" + evaluator.getPolicy() + "]");
+					}
+					continue;
+				}
+
 				RangerTagForEval tag = policyEvaluator.getTag();
 
 				RangerAccessRequest tagEvalRequest = new RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request);
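Review bot: The zone filter added on the `if (!StringUtils.equals(zoneName, policyZoneName))` line treats a null zone and an empty-string zone as different values, so if unzoned resources reach this method with `zoneName == null` while unzoned tag policies carry `""` (or the reverse), every unzoned tag policy is skipped silently at debug-off and tag-based deny rules stop applying; whether both representations occur is not visible in this hunk, so this needs confirming against how zoneName is populated. If both can occur, normalise both sides before comparing, e.g. `if (!StringUtils.equals(StringUtils.stripToNull(zoneName), StringUtils.stripToNull(policyZoneName)))`. The new block also dereferences `evaluator.getPolicy()` without a null check; if a PolicyEvaluatorForTag can exist without a policy, the skip should cover that case rather than throw mid-evaluation. A short why-comment above the check would help the next reader, e.g. `// Tag policies are zone-scoped: only those defined in the accessed resource's zone may grant or deny here`. The enclosing evaluateTagPolicies method starts before this hunk and ends after it.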
@@ -1407,7 +1415,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 		}
 
 		if (LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" + policyType + ", " + result + ")");
+			LOG.debug("<== RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" + policyType + ", zoneName=" + zoneName + ", " + result + ")");
 		}
 	}