Posted to commits@ranger.apache.org by ma...@apache.org on 2021/11/29 01:03:37 UTC
[ranger] branch master updated: RANGER-3526: policy evaluation ordering to use name as secondary sorting key
This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new a6583cf RANGER-3526: policy evaluation ordering to use name as secondary sorting key
a6583cf is described below
commit a6583cffdf5813773721f7ae1e02e632de886558
Author: Madhan Neethiraj <ma...@apache.org>
AuthorDate: Sat Nov 27 13:01:20 2021 -0800
RANGER-3526: policy evaluation ordering to use name as secondary sorting key
---
.../policyevaluator/RangerPolicyEvaluator.java | 6 +++++-
.../policyengine/test_aclprovider_mask_filter.json | 22 ++++++++++++++++++++--
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
index 15a6465..8fbbf94 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
@@ -193,7 +193,7 @@ public interface RangerPolicyEvaluator extends RangerPolicyResourceEvaluator {
}
private int compareNormal(RangerPolicyEvaluator me, RangerPolicyEvaluator other) {
- final int result;
+ int result;
if (me.hasDeny() && !other.hasDeny()) {
result = -1;
@@ -201,6 +201,10 @@ public interface RangerPolicyEvaluator extends RangerPolicyResourceEvaluator {
result = 1;
} else {
result = Integer.compare(me.getEvalOrder(), other.getEvalOrder());
+
+ if (result == 0) {
+ result = me.getPolicy().getName().compareTo(other.getPolicy().getName());
+ }
}
return result;
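Review bot: The new tie-break `me.getPolicy().getName().compareTo(other.getPolicy().getName())` dereferences the policy and its name without a null check, so a comparator that previously used only `hasDeny()` and `getEvalOrder()` can now throw a NullPointerException during sorting if either is ever null; whether that can happen is not visible in this hunk. A null-tolerant form such as `result = Comparator.nullsFirst(Comparator.<String>naturalOrder()).compare(me.getPolicy().getName(), other.getPolicy().getName());` would cover a null name, assuming `java.util.Comparator` is already imported in this file. Two policies with equal eval order and equal names still compare as 0, so a final tie-break on the policy id would be needed for a fully deterministic order. Since this ordering appears to decide which of several matching policies is evaluated first (the updated fixture has two masking policies covering the same column for the same users), a comment stating that policy names now influence evaluation order, so that renaming a policy can change the effective result, would help operators and auditors. `compareNormal` begins in the previous hunk and the rest of its body is not shown here.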
diff --git a/agents-common/src/test/resources/policyengine/test_aclprovider_mask_filter.json b/agents-common/src/test/resources/policyengine/test_aclprovider_mask_filter.json
index f6ebaf5..6ff4886 100644
--- a/agents-common/src/test/resources/policyengine/test_aclprovider_mask_filter.json
+++ b/agents-common/src/test/resources/policyengine/test_aclprovider_mask_filter.json
@@ -91,7 +91,7 @@
}
},
"policies": [
- {"id":101,"name":"db=employee, table=personal, column=ssn: mask","isEnabled":true,"isAuditEnabled":true,"policyType":1,
+ {"id":101,"name":"01: db=employee, table=personal, column=ssn: mask","isEnabled":true,"isAuditEnabled":true,"policyType":1,
"resources":{"database":{"values":["employee"]},"table":{"values":["personal"]},"column":{"values":["ssn"]}},
"dataMaskPolicyItems":[
{"accesses":[{"type":"select","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false,
@@ -102,6 +102,17 @@
}
]
},
+ {"id":1011,"name":"02: db=employee, table=personal, column=ssn,dummy: mask","isEnabled":true,"isAuditEnabled":true,"policyType":1,
+ "resources":{"database":{"values":["employee"]},"table":{"values":["personal"]},"column":{"values":["ssn", "dummy"]}},
+ "dataMaskPolicyItems":[
+ {"accesses":[{"type":"select","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false,
+ "dataMaskInfo": {"dataMaskType":"HASH"}
+ },
+ {"accesses":[{"type":"select","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false,
+ "dataMaskInfo": {"dataMaskType":"MASK"}
+ }
+ ]
+ },
{"id":102,"name":"db=hr, table=employee, column=date_of_birth: mask","isEnabled":true,"isAuditEnabled":true,"policyType":1,
"resources":{"database":{"values":["hr"]},"table":{"values":["employee"]},"column":{"values":["date_of_birth"]}},
"dataMaskPolicyItems":[
@@ -189,6 +200,11 @@
{ "itemId": 8, "name": "hive:all", "label": "hive:all",
"impliedGrants": [ "hive:select", "hive:update", "hive:create", "hive:drop", "hive:alter", "hive:index", "hive:lock" ] }
],
+ "dataMaskDef": {
+ "resources":[
+ {"name":"tag"}
+ ]
+ },
"contextEnrichers": [
{ "itemId": 1, "name": "TagEnricher",
"enricher": "org.apache.ranger.plugin.contextenricher.RangerTagEnricher",
@@ -267,7 +283,9 @@
"resource":{"elements":{"database":"employee", "table":"personal", "column":"ssn"}},
"dataMasks": [
{"users":["user1"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"MASK"}},
- {"users":["user2"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"SHUFFLE"}}
+ {"users":["user2"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"SHUFFLE"}},
+ {"users":["user1"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"HASH"}},
+ {"users":["user2"], "groups":[], "roles":[], "accessTypes":["select"], "maskInfo":{"dataMaskType":"MASK"}}
]
},
{"name":"mask: hr.employee.date_of_birth",