Posted to commits@ranger.apache.org by ma...@apache.org on 2015/03/31 19:32:23 UTC
incubator-ranger git commit: RANGER-323: Fix for incorrect isAudited
flag determination in policy-evaluator
Repository: incubator-ranger
Updated Branches:
refs/heads/master ded323b77 -> d804499ae
RANGER-323: Fix for incorrect isAudited flag determination in policy-evaluator
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/d804499a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/d804499a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/d804499a
Branch: refs/heads/master
Commit: d804499aed86205dc00d3e838209be195c92cc88
Parents: ded323b
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Mon Mar 30 14:33:34 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Tue Mar 31 10:28:26 2015 -0700
----------------------------------------------------------------------
.../RangerDefaultPolicyEvaluator.java | 38 +++++++++++++-------
1 file changed, 26 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d804499a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index bfe5174..76e50cb 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -216,15 +216,26 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
boolean isMatchAttempted = false;
boolean matchResult = false;
+ boolean isHeadMatchAttempted = false;
boolean headMatchResult = false;
if (!result.getIsAuditedDetermined()) {
// Need to match request.resource first. If it matches (or head matches), then only more progress can be made
- matchResult = isMatch(request.getResource());
- isMatchAttempted = true;
+ if (!isMatchAttempted) {
+ matchResult = isMatch(request.getResource());
+ isMatchAttempted = true;
+ }
+
+ // Try head match only if match was not found and ANY access was requested
+ if (!matchResult) {
+ if (isAnyAccess && !isHeadMatchAttempted) {
+ headMatchResult = matchResourceHead(request.getResource());
+ isHeadMatchAttempted = true;
+ }
+ }
- if (matchResult) {
- // Do all stuff.
+ if (matchResult || headMatchResult) {
+ // We are done for determining if audit is needed for this policy
if (policy.getIsAuditEnabled()) {
result.setIsAudited(true);
}
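Review bot: The `if (!isMatchAttempted)` guard around the first `isMatch` call and the `!isHeadMatchAttempted` test in the audit block are always true at this point, because both flags are initialised to `false` just above and nothing visible in the hunk sets them earlier, so they suggest a prior match attempt that cannot have happened. The same match-then-head-match sequence is repeated in the access block of the second hunk, and two copies of the lookup are what allowed the audit and access paths to disagree before this fix. I would move the sequence into one private helper used by both blocks, or at least assign directly here: `matchResult = isMatch(request.getResource()); isMatchAttempted = true;`. The diffstat lists only this file, so a unit test for an ANY-access request whose resource only head-matches an audit-enabled policy would pin the corrected audit flag. The enclosing method starts and ends outside the hunk.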
@@ -232,19 +243,22 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
if (!result.getIsAccessDetermined()) {
+ // Try Match only if it was not attempted as part of evaluating Audit requirement
if (!isMatchAttempted) {
- // Need to match request.resource first. If it matches (or head matches), then only more progress can be made
matchResult = isMatch(request.getResource());
- isMatchAttempted = true;
+ isMatchAttempted = true;
}
- // Try head match only if it is useful
- if (isAnyAccess) {
- headMatchResult = matchResult || matchResourceHead(request.getResource());
+ // Try Head Match only if no match was found so far AND a head match was not attempted as part of evaluating
+ // Audit requirement
+ if (!matchResult) {
+ if (isAnyAccess && !isHeadMatchAttempted) {
+ headMatchResult = matchResourceHead(request.getResource());
+ isHeadMatchAttempted = true;
+ }
}
-
- if (matchResult || (isAnyAccess && headMatchResult)) {
- // A match was found earlier
+ // Go further to evaluate access only if match or head match was found at this point
+ if (matchResult || headMatchResult) {
evaluatePolicyItemsForAccess(request, result);
}
}
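Review bot: The final gate `if (matchResult || headMatchResult)` drops the explicit `isAnyAccess` check, so whether policy items are evaluated on a head-only match now rests on the invariant that `headMatchResult` is assigned only under `isAnyAccess`, which holds in the lines visible in both hunks but is not stated anywhere. Since this condition decides whether an access decision is made for the request, I would keep it explicit, `if (matchResult || (isAnyAccess && headMatchResult)) {`, or record the invariant in the comment above it, e.g. `// headMatchResult can only be true when isAnyAccess is set`. The enclosing method continues outside the hunk.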