Posted to commits@ranger.apache.org by ab...@apache.org on 2018/03/28 03:11:14 UTC
ranger git commit: RANGER-2045: Hive table columns with no explicit
allow policy are listed with 'desc table' command
Repository: ranger
Updated Branches:
refs/heads/master b2295a5e2 -> 358540dcf
RANGER-2045: Hive table columns with no explicit allow policy are listed with 'desc table' command
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/358540dc
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/358540dc
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/358540dc
Branch: refs/heads/master
Commit: 358540dcfbaa78da2cae1c41e81fde983e91e510
Parents: b2295a5
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Tue Mar 27 17:46:02 2018 -0700
Committer: Abhay Kulkarni <ak...@hortonworks.com>
Committed: Tue Mar 27 17:46:02 2018 -0700
----------------------------------------------------------------------
.../RangerDefaultPolicyEvaluator.java | 31 ++++++++++++--------
1 file changed, 18 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/358540dc/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 55938b1..56dc0f6 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -198,26 +198,31 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
if (!result.getIsAccessDetermined() || !result.getIsAuditedDetermined()) {
RangerPolicyResourceMatcher.MatchType matchType;
+ final boolean isMatched;
if (RangerTagAccessRequest.class.isInstance(request)) {
matchType = ((RangerTagAccessRequest) request).getMatchType();
+ if (matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT
+ && !request.isAccessTypeAny()
+ && request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Setting matchType from DESCENDANT to SELF, so that any DENY policy-items will take effect.");
+ }
+ matchType = RangerPolicyResourceMatcher.MatchType.SELF;
+ }
+ isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
} else {
matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE;
+ if (request.isAccessTypeAny()) {
+ isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
+ } else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+ isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT;
+ } else {
+ isMatched = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR;
+ }
}
- final boolean isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;;
-
if (isMatched) {
- if (RangerTagAccessRequest.class.isInstance(request)) {
- if (matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT
- && !request.isAccessTypeAny()
- && request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Setting matchType from DESCENDANT to SELF, so that any DENY policy-items will take effect.");
- }
- matchType = RangerPolicyResourceMatcher.MatchType.SELF;
- }
- }
if (!result.getIsAuditedDetermined()) {
if (isAuditEnabled()) {
result.setIsAudited(true);
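Review bot: The scope-aware match rule is applied only in the non-tag `else` branch; the tag branch still sets `isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE`, as does the site in the later hunk at `@@ -367,7 +372,7`, where this commit only drops a stray semicolon. A tag-based request that is not access-type "any" therefore still counts as matched on ANCESTOR under SELF_OR_DESCENDANTS scope, or on DESCENDANT under any other scope, which looks like the same over-broad match this commit removes for resource policies. If that asymmetry is intended it should be stated in a comment; otherwise a single private helper taking `matchType` and `request` could hold the rule for every call site (whether the later site needs it cannot be judged from the lines shown). The three-way `if` would also read better with a why-comment such as `// a non-"any" request matches only along its scope: SELF/DESCENDANT for SELF_OR_DESCENDANTS, SELF/ANCESTOR otherwise`. The diffstat lists only this file, so no test pins the new authorization behaviour, and the enclosing method begins and ends outside the hunk.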
@@ -367,7 +372,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
matchType = resourceMatcher != null ? resourceMatcher.getMatchType(request.getResource(), request.getContext()) : RangerPolicyResourceMatcher.MatchType.NONE;
}
- final boolean isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;;
+ final boolean isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
if (isMatched) {