Posted to commits@sentry.apache.org by br...@apache.org on 2014/02/25 03:52:56 UTC

[13/26] git commit: SENTRY-89: Sentry WildCardPermission always ends a / to the URI (Brock Noland via Shreepadma Venugopalan)

SENTRY-89: Sentry WildCardPermission always ends a / to the URI (Brock Noland via Shreepadma Venugopalan)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/8fc91c54
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/8fc91c54
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/8fc91c54

Branch: refs/heads/db_policy_store
Commit: 8fc91c54f6d412dd404825f35b77805784d51d5d
Parents: a93fb41
Author: Shreepadma Venugopalan <sh...@apache.org>
Authored: Thu Jan 16 11:14:13 2014 -0800
Committer: Shreepadma Venugopalan <sh...@apache.org>
Committed: Thu Jan 16 11:14:13 2014 -0800

----------------------------------------------------------------------
 .../sentry/policy/db/DBWildcardPermission.java    | 18 ++++++++++++++++--
 .../policy/db/TestDBWildcardPermission.java       |  5 ++++-
 2 files changed, 20 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8fc91c54/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
index e84e5b9..e0eb2dc 100644
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
@@ -154,8 +154,8 @@ public class DBWildcardPermission implements Permission, Serializable {
       // request path does not contain relative parts /a/../b &&
       // request path starts with policy path &&
       // authorities (nullable) are equal
-      String requestPath = requestURI.getPath() + File.separator;
-      String policyPath = policyURI.getPath() + File.separator;
+      String requestPath = ensureEndsWithSeparator(requestURI.getPath());
+      String policyPath = ensureEndsWithSeparator(policyURI.getPath());
       if(policyURI.getScheme().equals(requestURI.getScheme()) &&
           requestURI.getPath().equals(new URI(request).normalize().getPath()) &&
           requestPath.startsWith(policyPath) &&
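Review bot: The two `ensureEndsWithSeparator(...getPath())` calls now dereference the path, whereas the old `getPath() + File.separator` concatenation tolerated a null. `URI.getPath()` returns null for an opaque URI, so unless a guard above this hunk already rejects such URIs, this authorization check would throw a NullPointerException instead of denying. If no such guard exists, an explicit fail-closed check before these lines would keep the outcome a plain denial: `if (policyURI.getPath() == null || requestURI.getPath() == null) { return false; }`. The enclosing method starts and ends outside the hunk, so this may already be handled there.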
@@ -169,6 +169,20 @@ public class DBWildcardPermission implements Permission, Serializable {
     }
   }
 
+  /**
+   * The URI must be a directory as opposed to a partial
+   * path entry name. To ensure this is true we add a /
+   * at the end of the path. Without this the admin might
+   * grant access to /dir1 but the user would be given access
+   * to /dir1* whereas the admin meant /dir1/
+   */
+  private static String ensureEndsWithSeparator(String path) {
+    if (path.endsWith(File.separator)) {
+      return path;
+    }
+    return path + File.separator;
+  }
+
   @Override
   public String toString() {
     return AUTHORIZABLE_JOINER.join(parts);
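Review bot: `ensureEndsWithSeparator` tests for and appends `File.separator`, which is the host platform's file-name separator, but the value it receives is a URI path, whose separator is always `/`. On a platform where `File.separator` is not `/`, a policy path already ending in `/` would still get a second, different separator appended, and the `startsWith` comparison in the first hunk would then depend on the host. A literal keeps the authorization decision platform-independent: `if (path.endsWith("/")) { return path; }` followed by `return path + "/";`. The Javadoc could also say "policy and request paths" rather than "the URI", since the helper is applied to both.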

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8fc91c54/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
index 8f1ee2c..2024cd8 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
@@ -51,7 +51,7 @@ public class TestDBWildcardPermission {
           "hdfs://namenode:8020/path/to/uri1"));
   private static final Permission ROLE_SERVER_SERVER1_URI_URI2 =
       create(new KeyValue("server", "server1"), new KeyValue("uri",
-          "hdfs://namenode:8020/path/to/uri2"));
+          "hdfs://namenode:8020/path/to/uri2/"));
   private static final Permission ROLE_SERVER_SERVER1_URI_ALL =
       create(new KeyValue("server", "server1"), new KeyValue("uri", ALL));
 
@@ -272,6 +272,9 @@ public class TestDBWildcardPermission {
     // mangled path
     assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path",
         "hdfs://namenode:8020/pathFooBar"));
+    // ends in /
+    assertTrue(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path/",
+        "hdfs://namenode:8020/path/FooBar"));
   }
   static DBWildcardPermission create(KeyValue... keyValues) {
     return create(AUTHORIZABLE_JOINER.join(keyValues));
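Review bot: The new `// ends in /` case asserts only the positive direction, so the over-grant described in the helper's Javadoc is not pinned for a policy that already ends in `/`. A companion negative assertion would cover it: `assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path/", "hdfs://namenode:8020/pathFooBar"));`. The test method starts above this hunk, so related cases may exist that are not visible here.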