Posted to commits@sentry.apache.org by br...@apache.org on 2014/02/25 03:52:56 UTC
[13/26] git commit: SENTRY-89: Sentry WildCardPermission always ends
a / to the URI (Brock Noland via Shreepadma Venugopalan)
SENTRY-89: Sentry WildCardPermission always ends a / to the URI (Brock Noland via Shreepadma Venugopalan)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/8fc91c54
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/8fc91c54
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/8fc91c54
Branch: refs/heads/db_policy_store
Commit: 8fc91c54f6d412dd404825f35b77805784d51d5d
Parents: a93fb41
Author: Shreepadma Venugopalan <sh...@apache.org>
Authored: Thu Jan 16 11:14:13 2014 -0800
Committer: Shreepadma Venugopalan <sh...@apache.org>
Committed: Thu Jan 16 11:14:13 2014 -0800
----------------------------------------------------------------------
.../sentry/policy/db/DBWildcardPermission.java | 18 ++++++++++++++++--
.../policy/db/TestDBWildcardPermission.java | 5 ++++-
2 files changed, 20 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8fc91c54/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
index e84e5b9..e0eb2dc 100644
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
@@ -154,8 +154,8 @@ public class DBWildcardPermission implements Permission, Serializable {
// request path does not contain relative parts /a/../b &&
// request path starts with policy path &&
// authorities (nullable) are equal
- String requestPath = requestURI.getPath() + File.separator;
- String policyPath = policyURI.getPath() + File.separator;
+ String requestPath = ensureEndsWithSeparator(requestURI.getPath());
+ String policyPath = ensureEndsWithSeparator(policyURI.getPath());
if(policyURI.getScheme().equals(requestURI.getScheme()) &&
requestURI.getPath().equals(new URI(request).normalize().getPath()) &&
requestPath.startsWith(policyPath) &&
@@ -169,6 +169,20 @@ public class DBWildcardPermission implements Permission, Serializable {
}
}
+ /**
+ * The URI must be a directory as opposed to a partial
+ * path entry name. To ensure this is true we add a /
+ * at the end of the path. Without this the admin might
+ * grant access to /dir1 but the user would be given access
+ * to /dir1* whereas the admin meant /dir1/
+ */
+ private static String ensureEndsWithSeparator(String path) {
+ if (path.endsWith(File.separator)) {
+ return path;
+ }
+ return path + File.separator;
+ }
+
@Override
public String toString() {
return AUTHORIZABLE_JOINER.join(parts);
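Review bot: `ensureEndsWithSeparator` tests for and appends `File.separator`, which is the host file system's separator, but the string it receives is a URI path from `URI.getPath()`, and URI paths are always delimited by `/`. On a platform where `File.separator` is not `/`, a policy path that already ends in `/` would get a second, different character appended, and the `startsWith` comparison in `impliesURI` would no longer sit on the directory boundary the Javadoc describes. Since this is an authorization decision, the helper should not depend on the host OS: `if (path.endsWith("/")) { return path; }` followed by `return path + "/";`. The removed lines had the same dependency, so this is a pre-existing trait carried into the new helper rather than a regression.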
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8fc91c54/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
index 8f1ee2c..2024cd8 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
@@ -51,7 +51,7 @@ public class TestDBWildcardPermission {
"hdfs://namenode:8020/path/to/uri1"));
private static final Permission ROLE_SERVER_SERVER1_URI_URI2 =
create(new KeyValue("server", "server1"), new KeyValue("uri",
- "hdfs://namenode:8020/path/to/uri2"));
+ "hdfs://namenode:8020/path/to/uri2/"));
private static final Permission ROLE_SERVER_SERVER1_URI_ALL =
create(new KeyValue("server", "server1"), new KeyValue("uri", ALL));
@@ -272,6 +272,9 @@ public class TestDBWildcardPermission {
// mangled path
assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path",
"hdfs://namenode:8020/pathFooBar"));
+ // ends in /
+ assertTrue(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path/",
+ "hdfs://namenode:8020/path/FooBar"));
}
static DBWildcardPermission create(KeyValue... keyValues) {
return create(AUTHORIZABLE_JOINER.join(keyValues));
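Review bot: The added assertion only covers the permitted case for a policy URI ending in `/`; nothing pins the denial case for that same policy form, which is the boundary this commit is about. I would add the sibling-prefix check next to it, `assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path/", "hdfs://namenode:8020/pathFooBar"));`, so a later change to the separator handling cannot silently widen a grant on `/path/` to `/path*`. An assertion for a request equal to the policy directory without its trailing slash (`"hdfs://namenode:8020/path"`) would also document the intended result for that input. The enclosing test method starts outside this hunk.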