Posted to commits@ranger.apache.org by sn...@apache.org on 2015/05/25 16:37:56 UTC

[04/15] incubator-ranger git commit: RANGER-482: HDFS plugin updated to check for traverse access (EXECUTE) when no-access is specified

RANGER-482: HDFS plugin updated to check for traverse access (EXECUTE) when no-access is specified


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/afe001bb
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/afe001bb
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/afe001bb

Branch: refs/heads/ranger-0.5
Commit: afe001bb7c734d10cca1f9189241f1bdecae7de1
Parents: 154c490
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Tue May 19 12:50:24 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Tue May 19 12:51:11 2015 -0700

----------------------------------------------------------------------
 .../hadoop/RangerHdfsAuthorizer.java            | 36 ++++++++++++--------
 1 file changed, 22 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/afe001bb/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 1599074..5b115b2 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -213,6 +213,25 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
 					INode parent   = inodes.length > 1 ? inodes[inodes.length - 2] : null;
 					INode inode    = inodes[inodes.length - 1];
 
+					boolean noAccessToCheck = access == null && parentAccess == null && ancestorAccess == null && subAccess == null;
+
+					if(noAccessToCheck) { // check for traverse (EXECUTE) access on the path (if path is a directory) or its parent (if path is a file)
+						INode           node        = null;
+						INodeAttributes nodeAttribs = null;
+
+						if(inode != null && inode.isDirectory()) {
+							node        = inode;
+							nodeAttribs = inodeAttrs.length > 0 ? inodeAttrs[inodeAttrs.length - 1] : null;
+						} else if(parent != null) {
+							node        = parent;
+							nodeAttribs = inodeAttrs.length > 1 ? inodeAttrs[inodeAttrs.length - 2] : null;
+						}
+
+						if(node != null) {
+							accessGranted = isAccessAllowed(node, nodeAttribs, FsAction.EXECUTE, user, groups, fsOwner, superGroup, plugin, null);
+						}
+					}
+
 					// checkStickyBit
 					if (accessGranted && parentAccess != null && parentAccess.implies(FsAction.WRITE) && parent != null && inode != null) {
 						if (parent.getFsPermission() != null && parent.getFsPermission().getStickyBit()) {
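Review bot: The `null` passed as the last argument of `isAccessAllowed` at the `accessGranted = isAccessAllowed(node, nodeAttribs, FsAction.EXECUTE, ...)` line is unexplained, whereas the code this block replaces (second hunk) carried `// don't audit this access` next to the same choice. A denied traverse check therefore produces no audit record, which matters for anyone relying on Ranger audit to detect access attempts, so the intent should be stated at the call site, e.g. `// implicit traverse check: audit handler intentionally null, so this deny/allow is not audited`. The enclosing method starts and ends outside the hunk, so the initial value of `accessGranted` is not visible; if `node` stays `null` here the block leaves it untouched, presumably still true, and that fall-through is worth a comment too.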
@@ -222,21 +241,10 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
 					}
 
 					// checkAncestorAccess
-					if(accessGranted && ancestor != null) {
-						FsAction               accessToCheck     = ancestorAccess;
-						RangerHdfsAuditHandler auditHandlerToUse = auditHandler;
-
-						// if ancestorAccess is not specified and none of other access is specified, then check for traverse access (EXECUTE) to the ancestor
-						if(ancestorAccess == null && access == null && parentAccess == null && subAccess == null) {
-							accessToCheck = FsAction.EXECUTE;
-							auditHandlerToUse = null; // don't audit this access
-						}
+					if(accessGranted && ancestorAccess != null && ancestor != null) {
+						INodeAttributes ancestorAttribs = inodeAttrs.length > ancestorIndex ? inodeAttrs[ancestorIndex] : null;
 
-						if(accessToCheck != null) {
-							INodeAttributes ancestorAttribs = inodeAttrs.length > ancestorIndex ? inodeAttrs[ancestorIndex] : null;
-	
-							accessGranted = isAccessAllowed(ancestor, ancestorAttribs, accessToCheck, user, groups, fsOwner, superGroup, plugin, auditHandlerToUse);
-						}
+						accessGranted = isAccessAllowed(ancestor, ancestorAttribs, ancestorAccess, user, groups, fsOwner, superGroup, plugin, auditHandler);
 					}
 
 					// checkParentAccess
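Review bot: Dropping the EXECUTE fallback on `ancestor` narrows the traverse check compared with the removed lines: the replacement in the first hunk only considers `inode` and `parent`, and `parent` is taken from `inodes[inodes.length - 2]` at the top of that hunk, which HDFS can leave `null` when intermediate path components do not exist. In that case neither branch of the new block runs, no traverse check is made, and `accessGranted` keeps whatever value it had before the hunk (presumably true, though its initialization is outside the hunk), so a caller with no rights to any existing ancestor could get an allow for a path under it. Consider a third branch in the new block, `} else if(ancestor != null) { node = ancestor; nodeAttribs = inodeAttrs.length > ancestorIndex ? inodeAttrs[ancestorIndex] : null; }`, mirroring the removed logic and reusing `ancestorIndex` as this hunk does. The enclosing method continues past the hunk.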