Posted to dev@ranger.apache.org by "star (Jira)" <ji...@apache.org> on 2020/03/17 10:41:00 UTC
[jira] [Created] (RANGER-2760) Bugs about wildcard evaluator incremental updates
star created RANGER-2760:
----------------------------
Summary: Bugs about wildcard evaluator incremental updates
Key: RANGER-2760
URL: https://issues.apache.org/jira/browse/RANGER-2760
Project: Ranger
Issue Type: Bug
Components: Ranger
Affects Versions: 2.0.0
Reporter: star
Assignee: star
When wildcard policies are updated incrementally, the update has no effect. Steps to reproduce:
1. Create a policy A to grant Peter select access to database test and table t. Verify that Peter has select access.
2. Create a policy B to deny Peter select access to all databases and tables. Verify that Peter is denied select access to database test and table t.
3. Delete the deny rule from policy B, expecting that Peter again has select access. However, this does not happen.
The bug is caused by the following code.
{code:java}
//RangerResourceTrie
boolean removeWildcardEvaluator(U evaluator) {
    ...
    this.wildcardEvaluators.remove(evaluator);
    undoSetup();
    ...
}

void undoSetup() {
    ...
    if (wildcardEvaluators != null) {
        evaluators.removeAll(this.wildcardEvaluators);
    }
    ...
}

Set<T> getEvaluatorsForResource(String resource) {
    ...
    Set<T> ret = i == len ? curr.getEvaluators() : curr.getWildcardEvaluators();
    ...
}
{code}
Function 'removeWildcardEvaluator' removes the wildcard evaluator from this.wildcardEvaluators first. Then 'evaluators' fails to remove the same wildcard evaluator. As a result, the old evaluator will be matched in function 'getEvaluatorsForResource'.
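The ordering problem described in the report, reduced to a stand-alone model (an added example, not part of the original message and not Ranger's code). The Node class, the setup() step, the reordered removal and the policy name strings are assumptions made for illustration; only the remove-then-undoSetup order and the removeAll call come from the excerpt.

```java
import java.util.HashSet;
import java.util.Set;

// Simplified stand-in for one trie node; names mirror the excerpt, bodies are assumptions.
public class WildcardRemovalDemo {
    static class Node {
        final Set<String> evaluators = new HashSet<>();         // what lookups return
        final Set<String> wildcardEvaluators = new HashSet<>(); // wildcard policies at this node

        // Assumed setup step: wildcard evaluators are merged into the lookup set.
        void setup() { evaluators.addAll(wildcardEvaluators); }

        // As in the excerpt: strip whatever is currently in wildcardEvaluators.
        void undoSetup() { evaluators.removeAll(wildcardEvaluators); }

        // Order from the report: the evaluator leaves wildcardEvaluators first,
        // so undoSetup() no longer knows to strip it from evaluators.
        void removeWildcardBuggy(String e) {
            wildcardEvaluators.remove(e);
            undoSetup();
            setup();
        }

        // Reordered: undo the merge while the evaluator is still tracked, then drop it.
        void removeWildcardReordered(String e) {
            undoSetup();
            wildcardEvaluators.remove(e);
            setup();
        }
    }

    // Constructed sample state: policy A (allow) plus wildcard policy B (deny).
    static Node nodeWithPolicies() {
        Node n = new Node();
        n.evaluators.add("policyA-allow-test.t");
        n.wildcardEvaluators.add("policyB-deny-*.*");
        n.setup();
        return n;
    }

    public static void main(String[] args) {
        Node buggy = nodeWithPolicies();
        buggy.removeWildcardBuggy("policyB-deny-*.*");
        System.out.println("report's order: " + buggy.evaluators);
        Node fixed = nodeWithPolicies();
        fixed.removeWildcardReordered("policyB-deny-*.*");
        System.out.println("reordered:      " + fixed.evaluators);
    }
}
```

With the report's order the deleted policy B evaluator is still in the lookup set after removal; with the reordered variant only policy A remains.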