You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "star (Jira)" <ji...@apache.org> on 2020/03/17 10:52:00 UTC
[jira] [Updated] (RANGER-2760) Bugs about wildcard evaluator
incremental updates
[ https://issues.apache.org/jira/browse/RANGER-2760?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
star updated RANGER-2760:
-------------------------
Attachment: RANGER-2760.patch
> Bugs about wildcard evaluator incremental updates
> --------------------------------------------------
>
> Key: RANGER-2760
> URL: https://issues.apache.org/jira/browse/RANGER-2760
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 2.0.0
> Reporter: star
> Assignee: star
> Priority: Major
> Attachments: RANGER-2760.patch
>
>
> When incrementally update wildcard policies, it will not cause any effect. Reproduce steps:
> 1. Create a policy A to grant Peter select access to database test and table t. Verify Peter did have select access.
> 2. Create a policy B to deny Peter select access to all database and table. Verify Peter is rejected select access to database test and table t.
> 3. Delete deny rule from policy B and expecting that Peter again has select access. However it is does not happen.
> The bug is caused by following code.
>
> {code:java}
> //RangerResourceTrie
> boolean removeWildcardEvaluator(U evaluator) {
> ...
> this.wildcardEvaluators.remove(evaluator);
> undoSetup();
> ...
> }
> void undoSetup() {
> ...
> if (wildcardEvaluators != null) {
> evaluators.removeAll(this.wildcardEvaluators);
> }
> ...
> }
> Set<T> getEvaluatorsForResource(String resource) {
> ...
> Set<T> ret = i == len ? curr.getEvaluators() : curr.getWildcardEvaluators();
> ...
> }
> {code}
> Func 'removeWildcardEvaluator' removed the wildcard evaluator from this.wildcardEvaluators first. Then, evaluators fail to remove the same wildcard evaluator. As a result, the old evaluator will be matched in func 'getEvaluatorsForResource'。
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)