Posted to commits@ranger.apache.org by ab...@apache.org on 2023/04/19 00:08:28 UTC
[ranger] branch master updated: RANGER-4192: A higher priority Data-masking policy is not considered when computing Datamask type
This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new a378f285a RANGER-4192: A higher priority Data-masking policy is not considered when computing Datamask type
a378f285a is described below
commit a378f285a540dcee5f71069c613e198e024d0872
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Tue Apr 18 15:41:46 2023 -0700
RANGER-4192: A higher priority Data-masking policy is not considered when computing Datamask type
---
.../RangerDefaultDataMaskPolicyItemEvaluator.java | 6 ------
.../policyevaluator/RangerDefaultPolicyEvaluator.java | 4 +++-
.../RangerDefaultRowFilterPolicyItemEvaluator.java | 19 ++++++++-----------
3 files changed, 11 insertions(+), 18 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
index d979e97e1..6bf768bf1 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
@@ -80,12 +80,6 @@ public class RangerDefaultDataMaskPolicyItemEvaluator extends RangerDefaultPolic
result.setMaskCondition(dataMaskInfo.getConditionExpr());
}
- result.setIsAccessDetermined(true);
- result.setPolicyPriority(policyEvaluator.getPolicyPriority());
- result.setPolicyId(policyEvaluator.getPolicyId());
- result.setReason(getComments());
- result.setPolicyVersion(policyEvaluator.getPolicy().getVersion());
-
policyEvaluator.updateAccessResult(result, matchType, true, getComments());
}
}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 2f9c1b019..96e232b43 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -887,7 +887,9 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
if (allowResult != null) {
- result.setAccessResultFrom(allowResult);
+ if (!result.getIsAllowed() || result.getPolicyPriority() < allowResult.getPolicyPriority()) {
+ result.setAccessResultFrom(allowResult);
+ }
} else if (denyResult != null) {
result.setAccessResultFrom(denyResult);
}
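Review bot: The priority comparison `result.getPolicyPriority() < allowResult.getPolicyPriority()` only protects a result that is already allowed. When `result.getIsAllowed()` is false, `allowResult` still replaces it whatever its priority, and on equal priority the existing result is kept, so the outcome there follows evaluation order. If both behaviours are intended, a comment above the `if` would record that, for example `// Keep an already-allowed result from an equal- or higher-priority policy; otherwise take allowResult`. The diffstat lists no test change, so a case with two masking policies of different priority would pin this behaviour. The enclosing method starts and ends outside the hunk.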
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
index 63b3be964..d2b3e746b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
@@ -34,7 +34,7 @@ public class RangerDefaultRowFilterPolicyItemEvaluator extends RangerDefaultPoli
final private RangerRequestExprResolver exprResolver;
public RangerDefaultRowFilterPolicyItemEvaluator(RangerServiceDef serviceDef, RangerPolicy policy, RangerRowFilterPolicyItem policyItem, int policyItemIndex, RangerPolicyEngineOptions options) {
- super(serviceDef, policy, policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATAMASK, policyItemIndex, options);
+ super(serviceDef, policy, policyItem, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ROWFILTER, policyItemIndex, options);
rowFilterPolicyItem = policyItem;
@@ -60,17 +60,14 @@ public class RangerDefaultRowFilterPolicyItemEvaluator extends RangerDefaultPoli
@Override
public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) {
- if (result.getFilterExpr() == null) {
- if (exprResolver != null) {
- result.setFilterExpr(exprResolver.resolveExpressions(result.getAccessRequest()));
- } else if (rowFilterExpr != null) {
- result.setFilterExpr(rowFilterExpr);
- }
+ if (exprResolver != null) {
+ result.setFilterExpr(exprResolver.resolveExpressions(result.getAccessRequest()));
+ } else if (rowFilterExpr != null) {
+ result.setFilterExpr(rowFilterExpr);
+ }
- if (result.getFilterExpr() != null) {
- policyEvaluator.updateAccessResult(result, matchType, true, getComments());
- result.setIsAccessDetermined(true);
- }
+ if (result.getFilterExpr() != null) {
+ policyEvaluator.updateAccessResult(result, matchType, true, getComments());
}
}
}
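Review bot: With the `result.getFilterExpr() == null` guard removed, the final check in `updateAccessResult` tests the result's filter rather than the one this item supplied. If `exprResolver` and `rowFilterExpr` are both null, a filter left by an earlier policy makes the check pass and the result is attributed to this item. If `resolveExpressions` can return null (not visible here), the earlier filter is cleared, which removes a restriction on the rows returned. Resolving into a local first and acting only when it is non-null avoids both cases; the sketch below assumes both values are `String`, which the hunk does not show. The filter is still written before `policyEvaluator.updateAccessResult` runs, so whether a lower-priority item can replace a higher-priority filter depends on code outside the hunk.

```java
public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) {
    // Resolve this item's own filter first, so a filter already on the result
    // is neither cleared nor attributed to this item.
    String filterExpr = rowFilterExpr;
    if (exprResolver != null) {
        filterExpr = exprResolver.resolveExpressions(result.getAccessRequest());
    }
    if (filterExpr != null) {
        result.setFilterExpr(filterExpr);
        policyEvaluator.updateAccessResult(result, matchType, true, getComments());
    }
}
```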