You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by "Abhay Kulkarni (Jira)" <ji...@apache.org> on 2020/03/17 17:30:01 UTC

[jira] [Commented] (RANGER-2761) Bugs about wildcard evaluator incremental creation

    [ https://issues.apache.org/jira/browse/RANGER-2761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17061073#comment-17061073 ] 

Abhay Kulkarni commented on RANGER-2761:
----------------------------------------

Will this patch be required if proposed fix for [RANGER-2760|https://issues.apache.org/jira/browse/RANGER-2760] is applied? Please review.

> Bugs about wildcard evaluator incremental creation
> --------------------------------------------------
>
>                 Key: RANGER-2761
>                 URL: https://issues.apache.org/jira/browse/RANGER-2761
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 2.0.0
>            Reporter: star
>            Assignee: star
>            Priority: Major
>         Attachments: RANGER-2761.patch
>
>
> When incrementally update wildcard policies, it will not cause any effect. Reproduce steps:
>    1. Create a policy A to grant Peter select access to database test and table t. Verify Peter did have select access.
>    2. Create a policy B to deny Peter select access to all database and table. Verify Peter is rejected select access to database test and table t.
>    3. Delete policy B and verify that Peter again has select access. 
>    4. Create a policy C, the same as policy B and expecting Peter again is rejected select access. But it does not happen.
> {code:java}
> // RangerResourceTrie
> void undoSetup() {
>   if (isSetup) {
>     if (evaluators != null) {
>         for (TrieNode<U> child : children.values()) {
>             child.undoSetup();
>         }
>     ... 
>     }
>     isSetup = false;
>   }
> }
> private Set<T> getEvaluatorsForResource(String resource) {
>     ...
>     while (i < len) {
>         if (!isOptimizedForRetrieval) {
>             curr.setupIfNeeded(parent);
>         }
>         ...
>     }
>     if (!isOptimizedForRetrieval) {
>         curr.setupIfNeeded(parent);
>     }
>     Set<T> ret = i == len ? curr.getEvaluators() : curr.getWildcardEvaluators();
>     return ret;
> }
> {code}
> When adding new wildcard policy, evaluators of the root trie is null. So child.undoSetup will not be called. Then setupIfNeeded will not take effect on child trie nodes. At last, new wildcard policy(policy C) does not take effect.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)