You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ab...@apache.org on 2018/03/28 03:11:14 UTC
ranger git commit: RANGER-2045: Hive table columns with no explicit allow policy are listed with 'desc table' command

Repository: ranger
Updated Branches:
  refs/heads/master b2295a5e2 -> 358540dcf


RANGER-2045: Hive table columns with no explicit allow policy are listed with 'desc table' command


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/358540dc
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/358540dc
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/358540dc

Branch: refs/heads/master
Commit: 358540dcfbaa78da2cae1c41e81fde983e91e510
Parents: b2295a5
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Tue Mar 27 17:46:02 2018 -0700
Committer: Abhay Kulkarni <ak...@hortonworks.com>
Committed: Tue Mar 27 17:46:02 2018 -0700

----------------------------------------------------------------------
 .../RangerDefaultPolicyEvaluator.java           | 31 ++++++++++++--------
 1 file changed, 18 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/358540dc/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 55938b1..56dc0f6 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -198,26 +198,31 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 
 			if (!result.getIsAccessDetermined() || !result.getIsAuditedDetermined()) {
 				RangerPolicyResourceMatcher.MatchType matchType;
+				final boolean isMatched;
 
 				if (RangerTagAccessRequest.class.isInstance(request)) {
 					matchType = ((RangerTagAccessRequest) request).getMatchType();
+					if (matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT
+							&& !request.isAccessTypeAny()
+							&& request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+						if (LOG.isDebugEnabled()) {
+							LOG.debug("Setting matchType from DESCENDANT to SELF, so that any DENY policy-items will take effect.");
+						}
+						matchType = RangerPolicyResourceMatcher.MatchType.SELF;
+					}
+					isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
 				} else {
 					matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE;
+					if (request.isAccessTypeAny()) {
+						isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
+					} else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+						isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT;
+					} else {
+						isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR;
+					}
 				}
 
-				final boolean isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;;
-
 				if (isMatched) {
-					if (RangerTagAccessRequest.class.isInstance(request)) {
-						if (matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT
-								&& !request.isAccessTypeAny()
-								&& request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
-							if (LOG.isDebugEnabled()) {
-								LOG.debug("Setting matchType from DESCENDANT to SELF, so that any DENY policy-items will take effect.");
-							}
-							matchType = RangerPolicyResourceMatcher.MatchType.SELF;
-						}
-					}
 					if (!result.getIsAuditedDetermined()) {
 						if (isAuditEnabled()) {
 							result.setIsAudited(true);
@@ -367,7 +372,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 			matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE;
 		}
 
-		final boolean isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;;
+		final boolean isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
 
 		if (isMatched) {