You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ab...@apache.org on 2019/09/18 15:20:11 UTC
[ranger] branch master updated: RANGER-2569: Policy with
isDenyAllElse=true denies request to check if any access is allowed
This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 67e3cea RANGER-2569: Policy with isDenyAllElse=true denies request to check if any access is allowed
67e3cea is described below
commit 67e3ceaf5d7ab6bdd8d7a9550dd2bf9bef13cfc3
Author: Abhay Kulkarni <ak...@cloudera.com>
AuthorDate: Wed Sep 18 07:56:22 2019 -0700
RANGER-2569: Policy with isDenyAllElse=true denies request to check if any access is allowed
---
.../ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 4c1402a..3e00d1e 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -619,7 +619,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
if (matchedPolicyItem != null) {
matchedPolicyItem.updateAccessResult(this, result, matchType);
- } else if (getPolicy().getIsDenyAllElse() && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
+ } else if (getPolicy().getIsDenyAllElse() && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS) && !request.isAccessTypeAny()) {
updateAccessResult(result, RangerPolicyResourceMatcher.MatchType.NONE, false, "matched deny-all-else policy");
}
}