Posted to commits@ranger.apache.org by sn...@apache.org on 2015/05/25 16:37:56 UTC
[04/15] incubator-ranger git commit: RANGER-482: HDFS plugin updated
to check for traverse access (EXECUTE) when no-access is specified
RANGER-482: HDFS plugin updated to check for traverse access (EXECUTE) when no-access is specified
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/afe001bb
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/afe001bb
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/afe001bb
Branch: refs/heads/ranger-0.5
Commit: afe001bb7c734d10cca1f9189241f1bdecae7de1
Parents: 154c490
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Tue May 19 12:50:24 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Tue May 19 12:51:11 2015 -0700
----------------------------------------------------------------------
.../hadoop/RangerHdfsAuthorizer.java | 36 ++++++++++++--------
1 file changed, 22 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/afe001bb/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 1599074..5b115b2 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -213,6 +213,25 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
INode parent = inodes.length > 1 ? inodes[inodes.length - 2] : null;
INode inode = inodes[inodes.length - 1];
+ boolean noAccessToCheck = access == null && parentAccess == null && ancestorAccess == null && subAccess == null;
+
+ if(noAccessToCheck) { // check for traverse (EXECUTE) access on the path (if path is a directory) or its parent (if path is a file)
+ INode node = null;
+ INodeAttributes nodeAttribs = null;
+
+ if(inode != null && inode.isDirectory()) {
+ node = inode;
+ nodeAttribs = inodeAttrs.length > 0 ? inodeAttrs[inodeAttrs.length - 1] : null;
+ } else if(parent != null) {
+ node = parent;
+ nodeAttribs = inodeAttrs.length > 1 ? inodeAttrs[inodeAttrs.length - 2] : null;
+ }
+
+ if(node != null) {
+ accessGranted = isAccessAllowed(node, nodeAttribs, FsAction.EXECUTE, user, groups, fsOwner, superGroup, plugin, null);
+ }
+ }
+
// checkStickyBit
if (accessGranted && parentAccess != null && parentAccess.implies(FsAction.WRITE) && parent != null && inode != null) {
if (parent.getFsPermission() != null && parent.getFsPermission().getStickyBit()) {
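Review bot: The new traverse check `accessGranted = isAccessAllowed(node, nodeAttribs, FsAction.EXECUTE, user, groups, fsOwner, superGroup, plugin, null);` passes a null audit handler, so a denied traverse on the path or its parent leaves no Ranger audit record; the removed code made the same choice but stated it (`// don't audit this access`), and that rationale should travel with the new call, e.g. `// traverse check is deliberately not audited (null audit handler), matching the previous ancestor check`, or be reconsidered if denied traversals are meant to be visible to operators. Note also that for an existing directory the EXECUTE check is applied to the directory itself rather than to its ancestors, whereas HDFS's native checker appears to require traverse on the ancestor chain and not on the final component; if that difference is intentional, a one-line comment on the `inode.isDirectory()` branch saying so would prevent it being "fixed" later. When both `inode` and `parent` are null the block leaves `accessGranted` untouched, which is worth a comment too since the outcome then depends on its initial value set outside this hunk. The enclosing method begins before and ends after this hunk.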
@@ -222,21 +241,10 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
}
// checkAncestorAccess
- if(accessGranted && ancestor != null) {
- FsAction accessToCheck = ancestorAccess;
- RangerHdfsAuditHandler auditHandlerToUse = auditHandler;
-
- // if ancestorAccess is not specified and none of other access is specified, then check for traverse access (EXECUTE) to the ancestor
- if(ancestorAccess == null && access == null && parentAccess == null && subAccess == null) {
- accessToCheck = FsAction.EXECUTE;
- auditHandlerToUse = null; // don't audit this access
- }
+ if(accessGranted && ancestorAccess != null && ancestor != null) {
+ INodeAttributes ancestorAttribs = inodeAttrs.length > ancestorIndex ? inodeAttrs[ancestorIndex] : null;
- if(accessToCheck != null) {
- INodeAttributes ancestorAttribs = inodeAttrs.length > ancestorIndex ? inodeAttrs[ancestorIndex] : null;
-
- accessGranted = isAccessAllowed(ancestor, ancestorAttribs, accessToCheck, user, groups, fsOwner, superGroup, plugin, auditHandlerToUse);
- }
+ accessGranted = isAccessAllowed(ancestor, ancestorAttribs, ancestorAccess, user, groups, fsOwner, superGroup, plugin, auditHandler);
}
// checkParentAccess