You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by "star (Jira)" <ji...@apache.org> on 2020/03/17 10:41:00 UTC

[jira] [Created] (RANGER-2760) Bugs about wildcard evaluator incremental updates

star created RANGER-2760:
----------------------------

             Summary: Bugs about wildcard evaluator incremental updates 
                 Key: RANGER-2760
                 URL: https://issues.apache.org/jira/browse/RANGER-2760
             Project: Ranger
          Issue Type: Bug
          Components: Ranger
    Affects Versions: 2.0.0
            Reporter: star
            Assignee: star


When incrementally update wildcard policies, it will not cause any effect. Reproduce steps:

   1. Create a policy A to grant Peter select access to database test and table t. Verify Peter did have select access.

   2. Create a policy B to deny Peter select access to all database and table. Verify Peter is rejected select access to database test and table t.

   3. Delete deny rule from  policy B and expecting that Peter again has select access. However it is does not happen.

The bug is caused by following code.

 
{code:java}
//RangerResourceTrie
boolean removeWildcardEvaluator(U evaluator) {
   ...
   this.wildcardEvaluators.remove(evaluator);
   undoSetup();
   ...
}

void undoSetup() {
...
   if (wildcardEvaluators != null) {
     evaluators.removeAll(this.wildcardEvaluators);
   }
...
}

Set<T> getEvaluatorsForResource(String resource) {
   ...
   Set<T> ret = i == len ? curr.getEvaluators() : curr.getWildcardEvaluators();
   ...
}

{code}
Func 'removeWildcardEvaluator' removed the wildcard evaluator from this.wildcardEvaluators first. Then, evaluators fail to remove the same wildcard evaluator. As a result, the old evaluator will be matched in func 'getEvaluatorsForResource'。

 

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)