Posted to commits@ranger.apache.org by ma...@apache.org on 2016/09/07 04:42:09 UTC

incubator-ranger git commit: RANGER-1100: Hive authorizer does not block update operations if one of the masked columns has mask-type as 'Unmasked' for the user

Repository: incubator-ranger
Updated Branches:
  refs/heads/master 40d742fa9 -> eea868860


RANGER-1100: Hive authorizer does not block update operations if one of the masked columns has mask-type as 'Unmasked' for the user


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/eea86886
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/eea86886
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/eea86886

Branch: refs/heads/master
Commit: eea868860d283f53d9d24de8909cf5d68b6cf1b7
Parents: 40d742f
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Tue Sep 6 14:04:25 2016 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Tue Sep 6 15:45:15 2016 -0700

----------------------------------------------------------------------
 .../org/apache/ranger/plugin/model/RangerPolicy.java   |  4 ++++
 .../plugin/policyengine/RangerPolicyEngineImpl.java    | 13 +++++++++++--
 .../hive/authorizer/RangerHiveAuditHandler.java        |  3 ++-
 .../hive/authorizer/RangerHiveAuthorizer.java          | 10 ++++------
 4 files changed, 21 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eea86886/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
index d8e19b7..5e94bc7 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
@@ -50,6 +50,10 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
 			POLICY_TYPE_ROWFILTER
 	};
 
+	public static final String MASK_TYPE_NULL   = "MASK_NULL";
+	public static final String MASK_TYPE_NONE   = "MASK_NONE";
+	public static final String MASK_TYPE_CUSTOM = "CUSTOM";
+
 	// For future use
 	private static final long serialVersionUID = 1L;
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eea86886/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 9a63516..e5e7e82 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -320,7 +320,12 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 				evaluator.evaluate(request, ret);
 
 				if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) {
-					break;
+					if(!StringUtils.equalsIgnoreCase(ret.getMaskType(), RangerPolicy.MASK_TYPE_NONE)) {
+						break;
+					} else {
+						ret.setMaskType(null);
+						ret.setIsAccessDetermined(false);
+					}
 				}
 			}
 		}
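Review bot: The new else branch resets only `maskType` and `isAccessDetermined`, so anything else the 'Unmasked' evaluator wrote into `ret` (which setters it touches is not visible in this hunk) stays in place while later evaluators run, and is what the caller sees if none of them matches. It also means an explicit MASK_NONE item no longer ends evaluation: a later mask policy matching the same user will now apply, which is worth confirming as intended if 'Unmasked' is used as an exemption. A short comment would make the intent clear, e.g. `// MASK_NONE means "no masking from this policy": clear it and let later evaluators decide`. The row-filter loop in the next hunk has the same shape and needs the same comment; the enclosing loops start outside both hunks.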
@@ -357,7 +362,11 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 				evaluator.evaluate(request, ret);
 
 				if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) {
-					break;
+					if(StringUtils.isNotEmpty(ret.getFilterExpr())) {
+						break;
+					} else {
+						ret.setIsAccessDetermined(false);
+					}
 				}
 			}
 		}
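Review bot: `StringUtils.isNotEmpty(ret.getFilterExpr())` accepts a whitespace-only filter expression as a real filter, so evaluation would stop on a policy item that filters nothing and later row-filter policies would never be consulted. Whether blank expressions can reach this point is not visible in the hunk; if they can, and assuming this is the commons-lang `StringUtils`, `if(StringUtils.isNotBlank(ret.getFilterExpr())) {` is the safer check. A test with two row-filter policies, the first matching with an empty expression, would pin the fall-through behaviour.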

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eea86886/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
index a6bb357..d98fe81 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
@@ -24,6 +24,7 @@ import java.util.*;
 import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.audit.model.AuthzAuditEvent;
 import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
@@ -66,7 +67,7 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
 		if(result instanceof RangerDataMaskResult) {
 			accessType = ((RangerDataMaskResult)result).getMaskType();
 
-			if(StringUtils.equals(accessType, RangerHiveAuthorizer.MASK_TYPE_NONE)) {
+			if(StringUtils.equals(accessType, RangerPolicy.MASK_TYPE_NONE)) {
 				return null;
 			}
 
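Review bot: This comparison is case-sensitive (`StringUtils.equals`), while the policy engine and `RangerHiveAuthorizer.isDataMaskEnabled` in this same commit compare against `RangerPolicy.MASK_TYPE_NONE` with `equalsIgnoreCase`. A mask type stored as, say, `mask_none` would be treated as unmasked for enforcement but would not take the `return null` path here, so audit and enforcement could disagree. Use `if(StringUtils.equalsIgnoreCase(accessType, RangerPolicy.MASK_TYPE_NONE)) {` to keep them consistent. The enclosing method starts and ends outside the hunk.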

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eea86886/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 166e95a..aff915e 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -54,6 +54,7 @@ import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
 import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
 import org.apache.ranger.authorization.utils.StringUtil;
+import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerDataMaskTypeDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
@@ -71,9 +72,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 	private static final Log LOG = LogFactory.getLog(RangerHiveAuthorizer.class) ;
 
 	private static final char COLUMN_SEP = ',';
-	public static final String MASK_TYPE_NULL     = "MASK_NULL";
-	public static final String MASK_TYPE_NONE     = "MASK_NONE";
-	public static final String MASK_TYPE_CUSTOM   = "CUSTOM";
 
 	private static final String HIVE_CONF_VAR_QUERY_STRING = "hive.query.string";
 
@@ -607,7 +605,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 	}
 
 	private boolean isDataMaskEnabled(RangerDataMaskResult result) {
-		return result != null && result.isMaskEnabled() && !StringUtils.equalsIgnoreCase(result.getMaskType(), MASK_TYPE_NONE);
+		return result != null && result.isMaskEnabled() && !StringUtils.equalsIgnoreCase(result.getMaskType(), RangerPolicy.MASK_TYPE_NONE);
 	}
 
 	private boolean isRowFilterEnabled(RangerRowFilterResult result) {
@@ -686,9 +684,9 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 					transformer = maskTypeDef.getTransformer();
 				}
 
-				if(StringUtils.equalsIgnoreCase(maskType, MASK_TYPE_NULL)) {
+				if(StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_NULL)) {
 					ret = "NULL";
-				} else if(StringUtils.equalsIgnoreCase(maskType, MASK_TYPE_CUSTOM)) {
+				} else if(StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_CUSTOM)) {
 					String maskedValue = result.getMaskedValue();
 
 					if(maskedValue == null) {