Posted to commits@ranger.apache.org by ab...@apache.org on 2020/11/20 18:30:02 UTC
[ranger] branch master updated: RANGER-3083: denyAllElse policy
does not handle access request with access-type of '_any'
This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 6fc3878 RANGER-3083: denyAllElse policy does not handle access request with access-type of '_any'
6fc3878 is described below
commit 6fc3878171618a16d0d8a12ea10714bf8317a9ae
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Fri Nov 20 09:51:46 2020 -0800
RANGER-3083: denyAllElse policy does not handle access request with access-type of '_any'
---
.../RangerDefaultPolicyEvaluator.java | 4 ++-
.../policyengine/test_policyengine_hdfs.json | 22 +++++++++++++
.../policyengine/test_policyengine_hive.json | 36 ++++++++++++++++++++--
3 files changed, 59 insertions(+), 3 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 24cb424..f3e0dab 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -612,6 +612,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
Integer accessResult = lookupPolicyACLSummary(request.getUser(), request.getUserGroups(), request.getUserRoles(), request.getAccessType());
if (accessResult != null) {
updateAccessResult(result, matchType, accessResult.equals(RangerPolicyEvaluator.ACCESS_ALLOWED), null);
+ } else if (getPolicy().getIsDenyAllElse()) {
+ updateAccessResult(result, RangerPolicyResourceMatcher.MatchType.NONE, false, "matched deny-all-else policy");
}
} else {
if (LOG.isDebugEnabled()) {
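Review bot: The new deny-all-else branch in this hunk (`} else if (getPolicy().getIsDenyAllElse()) {`) is not gated on the policy type, while the equivalent branch in the second hunk of this file still requires `getPolicyType() == null || getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS`. If the ACL-summary path can be reached for a non-access policy type (the hunk does not show what guards it), this branch would emit a deny for a masking or row-filter policy, so the two conditions should be the same: `} else if (getPolicy().getIsDenyAllElse() && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {`. The reason string "matched deny-all-else policy" is now duplicated across both hunks and would be better as a single `private static final String` constant so the two paths cannot drift. The enclosing method starts and ends outside this hunk.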
@@ -622,7 +624,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
if (matchedPolicyItem != null) {
matchedPolicyItem.updateAccessResult(this, result, matchType);
- } else if (getPolicy().getIsDenyAllElse() && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS) && !request.isAccessTypeAny()) {
+ } else if (getPolicy().getIsDenyAllElse() && (getPolicy().getPolicyType() == null || getPolicy().getPolicyType() == RangerPolicy.POLICY_TYPE_ACCESS)) {
updateAccessResult(result, RangerPolicyResourceMatcher.MatchType.NONE, false, "matched deny-all-else policy");
}
}
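Review bot: The removed `!request.isAccessTypeAny()` guard presumably existed so that a deny-all-else policy did not answer "does this user have any access" probes, and nothing in the new code records why that exclusion was dropped, so the next reader may reinstate it. Add a why-comment above the condition, e.g. `// RANGER-3083: deny-all-else also covers '_any' requests - a user matched by no policy item has no access of any kind, so the probe must be denied too`. The enclosing method starts and ends outside this hunk.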
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
index 976cd25..f06ca16 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
@@ -48,6 +48,19 @@
]
}
,
+ {"id":11,"name":"allow-read-to-public /test/forbidden/","isEnabled":true,"isAuditEnabled":true,
+ "isDenyAllElse": false,
+ "resources":{"path":{"values":["/test/forbidden/"],"isRecursive":true}},
+ "policyItems":[
+ {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false}
+ ]
+ }
+ ,
+ {"id":12,"name":"deny-any-to-everybody /test/forbidden/","isEnabled":true,"isAuditEnabled":true,
+ "isDenyAllElse": true,
+ "resources":{"path":{"values":["/test/forbidden/"],"isRecursive":true}}
+ }
+ ,
{"id":20,"name":"allow-read-to-user2 /test/restricted/","isEnabled":true,"isAuditEnabled":true,
"resources":{"path":{"values":["/test/restricted/"],"isRecursive":true}},
"policyItems":[
@@ -122,6 +135,15 @@
"result":{"isAudited":true,"isAllowed":true,"policyId":10}
}
,
+ {"name":"DENY 'read /test/forbidden/sales.db' for u=user1",
+ "request":{
+ "resource":{"elements":{"path":"/test/forbidden/sales.db"}},
+ "accessType":"","user":"user1","userGroups":[],"requestData":"read /test/forbidden/sales.db",
+ "remoteIPAddress":"255.255.255.255"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":12}
+ }
+ ,
{"name":"DENY 'read /test/restricted/sales.db' for u=user3",
"request":{
"resource":{"elements":{"path":"/test/restricted/sales.db"}},
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
index 52864a0..bd2f67b 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
@@ -110,9 +110,41 @@
{"accesses":[{"type":"create","isAllowed":true}, {"type":"update","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false}
]
}
+ ,
+ {"id":9,"name":"db=db1","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"database":{"values":["db1"]}},
+ "isDenyAllElse": true,
+ "policyItems":[
+ {"accesses":[{"type":"select","isAllowed":true}],"users":["user1","user3","user4"],"groups":["group1","group2"],"delegateAdmin":false}
+ ]
+ }
],
"tests":[
+ {"name":"ALLOW '_any access to no-database' for user5: match when request has less levels than policy",
+ "request":{
+ "resource":{"elements":{}},
+ "accessType":"","user":"user5","userGroups":["users"],"requestData":"show databases"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":9}
+ }
+ ,
+ {"name":"ALLOW '_any access to db1' for user5: match when request has less levels than policy",
+ "request":{
+ "resource":{"elements":{"database":"db1"}},
+ "accessType":"","user":"user5","userGroups":["users"],"requestData":"use db1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":9}
+ }
+ ,
+ {"name":"DENY '_any access to db1' for user5: match when request has less levels than policy",
+ "request":{
+ "resource":{"elements":{"database":"db1"}},
+ "accessType":"","user":"user5","userGroups":["users"],"requestData":"use db1"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":9}
+ }
+ ,
{"name":"ALLOW 'any dummy/*/*;' for user1",
"request":{
"resource":{"elements":{"database":"dummy", "table": "dummy", "column": "dummy"}},
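Review bot: The test names at lines 99 and 107 begin with `ALLOW` while their expected results are `"isAllowed":false`, and the test at line 115 is a byte-for-byte duplicate of the request at line 107 under a `DENY` name, so one of the two is redundant and the other two are mislabelled. Rename the first two to `DENY '_any access to no-database' for user5` and `DENY '_any access to db1' for user5` (the line-107 request has the same number of levels as policy 9, so the "less levels than policy" suffix is also inaccurate there) and drop the duplicate. Worth a second look as well: line 99 asserts that policy 9, scoped to `database=db1`, denies a `show databases` request that names no database at all; if that is the intended deny-all-else semantics it deserves a test name that says so.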
@@ -391,7 +423,7 @@
"resource":{"elements":{"database":"db1", "table":"table1"}},
"accessType":"","user":"user1","userGroups":["users"],"requestData":"show columns in table1 from db1;"
},
- "result":{"isAudited":false,"isAllowed":false,"policyId":-1}
+ "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
}
,
{"name":"DENY '_any access to db1/_/col1' for user1: table not specified but column was specified",
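Review bot: The expected `isAudited` flips from false to true at line 131 while `policyId` stays -1, so an audit record is now produced for a request that no policy decided; the commit message does not explain this and the test name is above the hunk, so the cause cannot be confirmed here. Presumably the new audit-enabled policy 9 on `db1` is now considered for this `_any` request on `db1/table1` without becoming the deciding policy; if so, a test name or commit note stating that deny-all-else policies contribute to auditing even when the decision is unmatched would make the expectation reviewable.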
@@ -410,7 +442,7 @@
"result":{"isAudited":true,"isAllowed":true,"policyId":3}
}
,
- {"name":"ALLOW '_any access to db1/table1' for user1: match when request has same levels as policy",
+ {"name":"ALLOW '_any access to db1/tbl1' for user1: match when request has same levels as policy",
"request":{
"resource":{"elements":{"database":"db1", "table":"tbl1"}},
"accessType":"","user":"user1","userGroups":["users"],"requestData":"describe db1.tbl1"