You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "star (Jira)" <ji...@apache.org> on 2020/03/17 10:51:00 UTC
[jira] [Created] (RANGER-2761) Bugs about wildcard evaluator
incremental creation
star created RANGER-2761:
----------------------------
Summary: Bugs about wildcard evaluator incremental creation
Key: RANGER-2761
URL: https://issues.apache.org/jira/browse/RANGER-2761
Project: Ranger
Issue Type: Bug
Components: Ranger
Affects Versions: 2.0.0
Reporter: star
Assignee: star
When incrementally update wildcard policies, it will not cause any effect. Reproduce steps:
1. Create a policy A to grant Peter select access to database test and table t. Verify Peter did have select access.
2. Create a policy B to deny Peter select access to all database and table. Verify Peter is rejected select access to database test and table t.
3. Delete policy B and verify that Peter again has select access.
4. Create a policy C, the same as policy B and expecting Peter again is rejected select access. But it does not happen.
{code:java}
// RangerResourceTrie
void undoSetup() {
if (isSetup) {
if (evaluators != null) {
for (TrieNode<U> child : children.values()) {
child.undoSetup();
}
...
}
isSetup = false;
}
}
private Set<T> getEvaluatorsForResource(String resource) {
...
while (i < len) {
if (!isOptimizedForRetrieval) {
curr.setupIfNeeded(parent);
}
...
}
if (!isOptimizedForRetrieval) {
curr.setupIfNeeded(parent);
}
Set<T> ret = i == len ? curr.getEvaluators() : curr.getWildcardEvaluators();
return ret;
}
{code}
When adding new wildcard policy, evaluators of the root trie is null. So child.undoSetup will not be called. Then setupIfNeeded will not take effect on child trie nodes. At last, new wildcard policy(policy C) does not take effect.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)