Posted to commits@ranger.apache.org by ab...@apache.org on 2023/04/19 00:08:28 UTC

[ranger] branch master updated: RANGER-4192: A higher priority Data-masking policy is not considered when computing Datamask type

This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new a378f285a RANGER-4192: A higher priority Data-masking policy is not considered when computing Datamask type
a378f285a is described below

commit a378f285a540dcee5f71069c613e198e024d0872
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Tue Apr 18 15:41:46 2023 -0700

    RANGER-4192: A higher priority Data-masking policy is not considered when computing Datamask type
---
 .../RangerDefaultDataMaskPolicyItemEvaluator.java     |  6 ------
 .../policyevaluator/RangerDefaultPolicyEvaluator.java |  4 +++-
 .../RangerDefaultRowFilterPolicyItemEvaluator.java    | 19 ++++++++-----------
 3 files changed, 11 insertions(+), 18 deletions(-)

diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
index d979e97e1..6bf768bf1 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
@@ -80,12 +80,6 @@ public class RangerDefaultDataMaskPolicyItemEvaluator extends RangerDefaultPolic
 				result.setMaskCondition(dataMaskInfo.getConditionExpr());
 			}
 
-			result.setIsAccessDetermined(true);
-			result.setPolicyPriority(policyEvaluator.getPolicyPriority());
-			result.setPolicyId(policyEvaluator.getPolicyId());
-			result.setReason(getComments());
-			result.setPolicyVersion(policyEvaluator.getPolicy().getVersion());
-
 			policyEvaluator.updateAccessResult(result, matchType, true, getComments());
 		}
 	}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 2f9c1b019..96e232b43 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -887,7 +887,9 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 				}
 
 				if (allowResult != null) {
-					result.setAccessResultFrom(allowResult);
+					if (!result.getIsAllowed() || result.getPolicyPriority() < allowResult.getPolicyPriority()) {
+						result.setAccessResultFrom(allowResult);
+					}
 				} else if (denyResult != null) {
 					result.setAccessResultFrom(denyResult);
 				}
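Review bot: The new priority guard covers only the allow branch; the `else if (denyResult != null)` branch below it still calls `result.setAccessResultFrom(denyResult)` unconditionally, so the two outcomes are no longer handled symmetrically. Whether `result` can already hold an allowed outcome from a higher-priority policy when the deny branch runs is not visible here, because the enclosing method starts and ends outside the hunk, so this is worth confirming as intended. The strict `<` also means an equal-priority policy never replaces an earlier allowed result; a comment such as `// replace an already-allowed result only when this policy has strictly higher priority; on a tie the earlier result stands` would record that. The diffstat lists no test change, and a case where a higher-priority masking policy is evaluated after a lower-priority one would pin this precedence rule.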
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
index 63b3be964..d2b3e746b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
@@ -34,7 +34,7 @@ public class RangerDefaultRowFilterPolicyItemEvaluator extends RangerDefaultPoli
 	final private RangerRequestExprResolver exprResolver;
 
 	public RangerDefaultRowFilterPolicyItemEvaluator(RangerServiceDef serviceDef, RangerPolicy policy, RangerRowFilterPolicyItem policyItem, int policyItemIndex, RangerPolicyEngineOptions options) {
-		super(serviceDef, policy, policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATAMASK, policyItemIndex, options);
+		super(serviceDef, policy, policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ROWFILTER, policyItemIndex, options);
 
 		rowFilterPolicyItem = policyItem;
 
@@ -60,17 +60,14 @@ public class RangerDefaultRowFilterPolicyItemEvaluator extends RangerDefaultPoli
 
 	@Override
 	public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) {
-		if (result.getFilterExpr() == null) {
-			if (exprResolver != null) {
-				result.setFilterExpr(exprResolver.resolveExpressions(result.getAccessRequest()));
-			} else if (rowFilterExpr != null) {
-				result.setFilterExpr(rowFilterExpr);
-			}
+		if (exprResolver != null) {
+			result.setFilterExpr(exprResolver.resolveExpressions(result.getAccessRequest()));
+		} else if (rowFilterExpr != null) {
+			result.setFilterExpr(rowFilterExpr);
+		}
 
-			if (result.getFilterExpr() != null) {
-				policyEvaluator.updateAccessResult(result, matchType, true, getComments());
-				result.setIsAccessDetermined(true);
-			}
+		if (result.getFilterExpr() != null) {
+			policyEvaluator.updateAccessResult(result, matchType, true, getComments());
 		}
 	}
 }
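Review bot: With the `result.getFilterExpr() == null` guard removed, `result.setFilterExpr(...)` in `updateAccessResult` now runs for every matching item, before `policyEvaluator.updateAccessResult(...)` decides whether this policy takes precedence. If the same `result` is carried across policies (not visible from this file), a lower-priority item could replace the expression set by a higher-priority one while the policy id and priority on `result` stay with the winner. If `exprResolver.resolveExpressions(...)` can return null, the call would also clear an existing filter and skip the update, leaving the result with no row filter. Consider resolving the expression into a local and calling `result.setFilterExpr(...)` only when it is non-null and this policy's outcome is actually applied. The data-mask evaluator in the first hunk has the same shape, with `result.setMaskCondition(...)` ahead of `policyEvaluator.updateAccessResult(...)`.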