Posted to commits@ranger.apache.org by ma...@apache.org on 2015/03/31 19:32:23 UTC

incubator-ranger git commit: RANGER-323: Fix for incorrect isAudited flag determination in policy-evaluator

Repository: incubator-ranger
Updated Branches:
  refs/heads/master ded323b77 -> d804499ae


RANGER-323: Fix for incorrect isAudited flag determination in policy-evaluator

Signed-off-by: Madhan Neethiraj <ma...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/d804499a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/d804499a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/d804499a

Branch: refs/heads/master
Commit: d804499aed86205dc00d3e838209be195c92cc88
Parents: ded323b
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Mon Mar 30 14:33:34 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Tue Mar 31 10:28:26 2015 -0700

----------------------------------------------------------------------
 .../RangerDefaultPolicyEvaluator.java           | 38 +++++++++++++-------
 1 file changed, 26 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d804499a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index bfe5174..76e50cb 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -216,15 +216,26 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 
             boolean isMatchAttempted = false;
             boolean matchResult = false;
+            boolean isHeadMatchAttempted = false;
             boolean headMatchResult = false;
 
             if (!result.getIsAuditedDetermined()) {
                 // Need to match request.resource first. If it matches (or head matches), then only more progress can be made
-                matchResult = isMatch(request.getResource());
-                isMatchAttempted = true;
+                if (!isMatchAttempted) {
+                    matchResult = isMatch(request.getResource());
+                    isMatchAttempted = true;
+                }
+
+                // Try head match only if match was not found and ANY access was requested
+                if (!matchResult) {
+                    if (isAnyAccess && !isHeadMatchAttempted) {
+                        headMatchResult = matchResourceHead(request.getResource());
+                        isHeadMatchAttempted = true;
+                    }
+                }
 
-                if (matchResult) {
-                    // Do all stuff.
+                if (matchResult || headMatchResult) {
+                    // We are done for determining if audit is needed for this policy
                     if (policy.getIsAuditEnabled()) {
                         result.setIsAudited(true);
                     }
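Review bot: The `if (!isMatchAttempted)` guard and the `!isHeadMatchAttempted` test in the audit branch are always true, because both flags are declared `false` just above in this hunk and nothing assigns them before `if (!result.getIsAuditedDetermined())`. Dropping them and flattening the nested test to `if (!matchResult && isAnyAccess) {` would make it obvious that the audit branch is where the match is first computed and the access branch is the one that reuses it. The same nested `if (!matchResult) { if (isAnyAccess && ...` shape appears in the access branch of the next hunk and can be flattened too, keeping its `!isHeadMatchAttempted` test there. The enclosing method starts and ends outside the hunk.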
@@ -232,19 +243,22 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
             }
 
             if (!result.getIsAccessDetermined()) {
+                // Try Match only if it was not attempted as part of evaluating Audit requirement
                 if (!isMatchAttempted) {
-                    // Need to match request.resource first. If it matches (or head matches), then only more progress can be made
                     matchResult = isMatch(request.getResource());
-                    isMatchAttempted = true;
+	                isMatchAttempted = true;
                 }
 
-                // Try head match only if it is useful
-                if (isAnyAccess) {
-                    headMatchResult = matchResult || matchResourceHead(request.getResource());
+                // Try Head Match only if no match was found so far AND a head match was not attempted as part of evaluating
+                // Audit requirement
+                if (!matchResult) {
+                    if (isAnyAccess && !isHeadMatchAttempted) {
+                        headMatchResult = matchResourceHead(request.getResource());
+	                    isHeadMatchAttempted = true;
+                    }
                 }
-
-                if (matchResult || (isAnyAccess && headMatchResult)) {
-                    // A match was found earlier
+                // Go further to evaluate access only if match or head match was found at this point
+                if (matchResult || headMatchResult) {
                     evaluatePolicyItemsForAccess(request, result);
                 }
             }
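Review bot: The access condition `if (matchResult || headMatchResult)` no longer states that a head match counts only for ANY access; it now depends on `headMatchResult` being assigned solely inside the `isAnyAccess` guards above it. Because this condition gates `evaluatePolicyItemsForAccess`, a later edit that computes the head match unconditionally (for auditing, say) would widen access evaluation without touching this line. Keeping the explicit form `if (matchResult || (isAnyAccess && headMatchResult)) {` costs nothing; failing that, add a comment such as `// headMatchResult is only set when isAnyAccess is true`. The audit condition in the previous hunk relies on the same invariant, and the enclosing method starts and ends outside both hunks. Separately, the added `isMatchAttempted = true;` and `isHeadMatchAttempted = true;` lines in this hunk are indented with a tab where the surrounding lines use spaces.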