Posted to commits@ranger.apache.org by ab...@apache.org on 2019/09/18 15:20:11 UTC

[ranger] branch master updated: RANGER-2569: Policy with isDenyAllElse=true denies request to check if any access is allowed

This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 67e3cea  RANGER-2569: Policy with isDenyAllElse=true denies request to check if any access is allowed
67e3cea is described below

commit 67e3ceaf5d7ab6bdd8d7a9550dd2bf9bef13cfc3
Author: Abhay Kulkarni <ak...@cloudera.com>
AuthorDate: Wed Sep 18 07:56:22 2019 -0700

    RANGER-2569: Policy with isDenyAllElse=true denies request to check if any access is allowed
---
 .../ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 4c1402a..3e00d1e 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -619,7 +619,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 
 			if (matchedPolicyItem != null) {
 				matchedPolicyItem.updateAccessResult(this, result, matchType);
-			} else if (getPolicy().getIsDenyAllElse() && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
+			} else if (getPolicy().getIsDenyAllElse() && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS) && !request.isAccessTypeAny()) {
 				updateAccessResult(result, RangerPolicyResourceMatcher.MatchType.NONE, false, "matched deny-all-else policy");
 			}
 		}
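Review bot: The added `!request.isAccessTypeAny()` term on the `else if` exempts every any-access request from the deny-all-else branch regardless of `matchType`, so a request that matches no policy item is left undetermined by this policy even when the resource match is exact, and the decision falls to whatever evaluates next. If the intent is only to stop "is any access allowed" checks from being denied prematurely (as the commit title suggests), say so in a comment on the condition, e.g. `// deny-all-else is skipped for ANY-access checks; result stays undetermined so other policies can decide`, and confirm that an exact-match any-access request from a user listed in no item should really not be denied here. The diffstat shows a single file with one changed line, so this authorization change lands without a test; a policy-engine case with isDenyAllElse=true and an any-access request from a non-listed user would pin the intended outcome. The enclosing method starts and ends outside the hunk.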