Posted to commits@ranger.apache.org by ab...@apache.org on 2021/09/18 05:53:37 UTC

[ranger] branch ranger-2.2 updated: RANGER-3404: user with no permissions can access and edit deligate admin only policies

This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.2 by this push:
     new 0324e50  RANGER-3404: user with no permissions can access and edit deligate admin only policies
0324e50 is described below

commit 0324e50c4833555fed6dbdb6166c12bf8ffb18c8
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Fri Sep 17 22:31:42 2021 -0700

    RANGER-3404: user with no permissions can access and edit deligate admin only policies
---
 .../RangerDefaultPolicyEvaluator.java              | 16 ++++++++----
 .../RangerDefaultPolicyItemEvaluator.java          |  2 ++
 .../apache/ranger/biz/RangerPolicyAdminImpl.java   | 30 +++++++++++-----------
 3 files changed, 28 insertions(+), 20 deletions(-)

diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 8471918..739ecd0 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -382,10 +382,16 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 		Set<String> ret = null;
 
 		if (isMatch(resources, evalContext)) {
-			ret = new HashSet<>();
-			for (String accessType : accessTypes) {
-				if (isAccessAllowed(user, userGroups, roles, null, accessType)) {
-					ret.add(accessType);
+			if (CollectionUtils.isNotEmpty(accessTypes)) {
+				ret = new HashSet<>();
+				for (String accessType : accessTypes) {
+					if (isAccessAllowed(user, userGroups, roles, null, accessType)) {
+						ret.add(accessType);
+					}
+				}
+			} else {
+				if (isAccessAllowed(user, userGroups, roles, null, null)) {
+					ret = new HashSet<>();
 				}
 			}
 		}
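Review bot: The new else branch encodes two outcomes in one return value — `null` means the policy does not grant the user delegate-admin, an empty set means it does but no specific access-types were requested — and RangerPolicyAdminImpl's new `allowedAccesses == null` test depends on exactly that distinction, yet nothing in the method states it. Add a comment on the branch such as `// empty accessTypes: return an empty (non-null) set only when the policy grants the user delegate-admin; null otherwise` and document the same null-versus-empty contract on getAllowedAccesses where it is declared. getAllowedAccesses starts and ends outside the hunk.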
@@ -959,7 +965,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 				LOG.debug("Using ACL Summary for checking if access is allowed. PolicyId=[" + getId() +"]");
 			}
 
-			Integer accessResult = lookupPolicyACLSummary(user, userGroups, roles, accessType);
+			Integer accessResult = StringUtils.isEmpty(accessType) ? null : lookupPolicyACLSummary(user, userGroups, roles, accessType);
 			if (accessResult != null && accessResult.equals(RangerPolicyEvaluator.ACCESS_ALLOWED)) {
 				ret = true;
 			}
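Review bot: With an empty accessType the ACL-summary lookup now yields null, so `ret` is not set on this path; whether such a request then reaches the policy-item evaluation (where RangerDefaultPolicyItemEvaluator now answers it) depends on the code after the hunk, which is not visible here. If the summary branch returns `ret` without falling through to item evaluation, a delegate-admin check routed through this method would always be denied, contradicting the empty-accessTypes handling added to getAllowedAccesses in the earlier hunk. A comment on the changed line would make the intent explicit: `// ACL summary is keyed by access-type; an empty accessType (delegate-admin check) must go through policy-item evaluation`. isAccessAllowed starts and ends outside the hunk.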
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
index 8f2d3f1..2cf9a99 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
@@ -212,6 +212,8 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv
 							break;
 						}
 					}
+				} else if (StringUtils.isEmpty(accessType)) {
+					ret = true;
 				}
 			}
 		}
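Review bot: An empty accessType now makes the policy item match regardless of its access list, which turns an absent access-type into a wildcard at this level; the conditions that precede this branch (item/user matching, and whether the item is required to be delegate-admin) sit above the hunk and are not visible, so it cannot be confirmed here that only the new delegate-admin path can reach it with an empty accessType. Document the intent on the new branch, e.g. `// empty accessType: caller only asks whether this item applies to the user (delegate-admin check), not for a specific access`, and keep the `StringUtils.isEmpty` test aligned with the one used in RangerDefaultPolicyEvaluator so both paths treat null and "" identically. The enclosing method starts and ends outside the hunk.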
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
index 2eef20b..090384b 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
@@ -193,24 +193,24 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin {
                     LOG.debug("Checking admin-access for the access-types:[" + accessTypes + "]");
                 }
 
-                if (CollectionUtils.isEmpty(accessTypes)) {
-                    LOG.info("access-types to check for admin-access are empty!! Allowing admin access!!");
-                    ret = true;
-                } else {
-                    for (RangerPolicyEvaluator evaluator : matchedRepository.getPolicyEvaluators()) {
-                        Set<String> allowedAccesses = evaluator.getAllowedAccesses(modifiedPolicyResources, user, userGroups, roles, accessTypes, evalContext);
-                        if (CollectionUtils.isNotEmpty(allowedAccesses)) {
-                            accessTypes.removeAll(allowedAccesses);
-                            if (CollectionUtils.isEmpty(accessTypes)) {
-                                ret = true;
-                                break;
-                            }
-                        }
+                for (RangerPolicyEvaluator evaluator : matchedRepository.getPolicyEvaluators()) {
+                    Set<String> allowedAccesses = evaluator.getAllowedAccesses(modifiedPolicyResources, user, userGroups, roles, accessTypes, evalContext);
+
+                    if (allowedAccesses == null) {
+                        continue;
                     }
-                    if (CollectionUtils.isNotEmpty(accessTypes)) {
-                        LOG.info("Accesses : " + accessTypes + " are not authorized for the policy:[" + policy.getId() + "] by any of delegated-admin policies");
+
+                    accessTypes.removeAll(allowedAccesses);
+
+                    if (CollectionUtils.isEmpty(accessTypes)) {
+                        ret = true;
+                        break;
                     }
                 }
+                if (CollectionUtils.isNotEmpty(accessTypes)) {
+                    LOG.info("Accesses : " + accessTypes + " are not authorized for the policy:[" + policy.getId() + "] by any of delegated-admin policies");
+                }
+
             }
 
         }
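Review bot: `accessTypes.removeAll(allowedAccesses)` in the middle of the hunk is now reached without the `CollectionUtils.isEmpty(accessTypes)` guard the old code had, so if accessTypes can arrive here null or as an unmodifiable set (how it is built is above the hunk and not visible), the first non-null evaluator result throws a NullPointerException or UnsupportedOperationException instead of producing a denial. The loop also mutates the caller's collection, so the final "not authorized" log reports the pruned set rather than what was originally requested. Working on a local mutable copy avoids both: `Set<String> pending = accessTypes == null ? new HashSet<>() : new HashSet<>(accessTypes);` before the loop, then use `pending` in place of `accessTypes` in the evaluator call, the `removeAll`, and the two `CollectionUtils` checks. The enclosing method starts and ends outside the hunk.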