Posted to commits@ranger.apache.org by ab...@apache.org on 2017/07/25 02:14:46 UTC
ranger git commit: RANGER-1696: Request to get all policies for hive
or hbase service-type does not include policies that apply to specific child
resource
Repository: ranger
Updated Branches:
refs/heads/master 55e6d4e13 -> 5055db153
RANGER-1696: Request to get all policies for hive or hbase service-type does not include policies that apply to specific child resource
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/5055db15
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/5055db15
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/5055db15
Branch: refs/heads/master
Commit: 5055db1535098f25603cb63fa4bb5aa521d6161a
Parents: 55e6d4e
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Mon Jul 24 19:13:30 2017 -0700
Committer: Abhay Kulkarni <ak...@hortonworks.com>
Committed: Mon Jul 24 19:13:30 2017 -0700
----------------------------------------------------------------------
.../policyengine/RangerPolicyEngineImpl.java | 7 ++++--
.../RangerPathResourceMatcher.java | 17 ++++++++++-----
.../ranger/plugin/util/StringTokenReplacer.java | 6 ++++-
.../test_resourcematcher_dynamic.json | 23 +++++++++++++++++---
...resourcematcher_wildcards_as_delimiters.json | 6 +++--
5 files changed, 45 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/5055db15/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 101013b..c72c8b5 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -31,6 +31,7 @@ import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
+import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.plugin.util.ServicePolicies;
@@ -568,7 +569,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
for (List<RangerPolicyEvaluator> evaluators : likelyEvaluators) {
for (RangerPolicyEvaluator evaluator : evaluators) {
- if (evaluator.isMatch(tagResource, null)) {
+ RangerPolicyResourceMatcher matcher = evaluator.getPolicyResourceMatcher();
+ if (matcher != null && matcher.isMatch(tagResource, RangerPolicyResourceMatcher.MatchScope.SELF_OR_ANCESTOR_OR_DESCENDANT, null)) {
ret.add(evaluator.getPolicy());
}
}
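Review bot: An evaluator whose `getPolicyResourceMatcher()` returns null is now skipped without any trace, where the old `evaluator.isMatch(tagResource, null)` was called unconditionally; the following hunk repeats the pattern for `resource`. Going by the commit title these loops build the list of all policies touching a resource, so a silently dropped policy is hard to spot during a permissions review, and the skip deserves at least a debug-level log line naming the policy. `MatchScope.SELF_OR_ANCESTOR_OR_DESCENDANT` is deliberately broad, so I would also add a comment at both call sites such as `// listing only: includes policies on parent and child resources, not suitable for an access decision`. The enclosing methods start and end outside both hunks.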
@@ -586,7 +588,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
for (List<RangerPolicyEvaluator> evaluators : likelyEvaluators) {
for (RangerPolicyEvaluator evaluator : evaluators) {
- if (evaluator.isMatch(resource, null)) {
+ RangerPolicyResourceMatcher matcher = evaluator.getPolicyResourceMatcher();
+ if (matcher != null && matcher.isMatch(resource, RangerPolicyResourceMatcher.MatchScope.SELF_OR_ANCESTOR_OR_DESCENDANT, null)) {
ret.add(evaluator.getPolicy());
}
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/5055db15/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
index 2f2399c..78a3b8a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
@@ -227,6 +227,9 @@ abstract class RecursiveMatcher extends ResourceMatcher {
}
String getStringToCompare(String policyValue) {
+ if (policyValue == null) {
+ return null;
+ }
return (policyValue.lastIndexOf(levelSeparatorChar) == policyValue.length()-1) ?
policyValue.substring(0, policyValue.length()-1) : policyValue;
}
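Review bot: An empty `policyValue` still throws in `getStringToCompare`, because `"".lastIndexOf(levelSeparatorChar)` and `length()-1` are both -1, so the condition holds and `substring(0, -1)` raises StringIndexOutOfBoundsException. The added null guard does not cover that case, and a policy value made up only of a token that expands to the empty string could plausibly reach it. Widen the guard to `if (StringUtils.isEmpty(policyValue)) { return policyValue; }`.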
@@ -242,9 +245,10 @@ final class CaseSensitiveRecursiveMatcher extends RecursiveMatcher {
final String noSeparator;
if (getNeedsDynamicEval()) {
- noSeparator = getStringToCompare(getExpandedValue(evalContext));
+ String expandedPolicyValue = getExpandedValue(evalContext);
+ noSeparator = expandedPolicyValue != null ? getStringToCompare(expandedPolicyValue) : null;
} else {
- if (valueWithoutSeparator == null) {
+ if (valueWithoutSeparator == null && value != null) {
valueWithoutSeparator = getStringToCompare(value);
valueWithSeparator = valueWithoutSeparator + Character.toString(levelSeparatorChar);
}
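Review bot: The lazy initialisation in the `else` branch writes `valueWithoutSeparator` first and `valueWithSeparator` second with no synchronisation visible in this hunk. If matcher instances are shared between request threads (not visible here), a second thread can see the first field set while the second is still null, and `StringUtils.startsWith(resourceValue, null)` then returns false, so a recursive match is missed for that call. Computing both strings once when the matcher is initialised would avoid the window; the hunk at -273,9 for the case-insensitive matcher has the same code. The enclosing method starts outside the hunk.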
@@ -253,7 +257,7 @@ final class CaseSensitiveRecursiveMatcher extends RecursiveMatcher {
boolean ret = StringUtils.equals(resourceValue, noSeparator);
- if (!ret) {
+ if (!ret && noSeparator != null) {
final String withSeparator = getNeedsDynamicEval() ? noSeparator + Character.toString(levelSeparatorChar) : valueWithSeparator;
ret = StringUtils.startsWith(resourceValue, withSeparator);
}
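Review bot: `StringUtils.equals(resourceValue, noSeparator)` on the first line of this hunk returns true when both arguments are null, so the new `noSeparator != null` guard protects only the prefix check and not the equality check. For an unresolved token `noSeparator` is null by design, and a null `resourceValue` would then count as a match; whether a null resource value can reach this method is not visible here. Making the miss explicit removes the doubt: `boolean ret = noSeparator != null && StringUtils.equals(resourceValue, noSeparator);`. The hunk at -284,7 has the same shape with `equalsIgnoreCase`, and the enclosing method starts and ends outside the hunk.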
@@ -273,9 +277,10 @@ final class CaseInsensitiveRecursiveMatcher extends RecursiveMatcher {
final String noSeparator;
if (getNeedsDynamicEval()) {
- noSeparator = getStringToCompare(getExpandedValue(evalContext));
+ String expandedPolicyValue = getExpandedValue(evalContext);
+ noSeparator = expandedPolicyValue != null ? getStringToCompare(expandedPolicyValue) : null;
} else {
- if (valueWithoutSeparator == null) {
+ if (valueWithoutSeparator == null && value != null) {
valueWithoutSeparator = getStringToCompare(value);
valueWithSeparator = valueWithoutSeparator + Character.toString(levelSeparatorChar);
}
@@ -284,7 +289,7 @@ final class CaseInsensitiveRecursiveMatcher extends RecursiveMatcher {
boolean ret = StringUtils.equalsIgnoreCase(resourceValue, noSeparator);
- if (!ret) {
+ if (!ret && noSeparator != null) {
final String withSeparator = getNeedsDynamicEval() ? noSeparator + Character.toString(levelSeparatorChar) : valueWithSeparator;
ret = StringUtils.startsWithIgnoreCase(resourceValue, withSeparator);
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/5055db15/agents-common/src/main/java/org/apache/ranger/plugin/util/StringTokenReplacer.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/StringTokenReplacer.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/StringTokenReplacer.java
index 4ec1595..2ec809c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/StringTokenReplacer.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/StringTokenReplacer.java
@@ -72,6 +72,10 @@ public class StringTokenReplacer {
Object replaced = RangerAccessRequestUtil.getTokenFromContext(tokens, rawToken.substring(tokenPrefix.length()));
if (replaced != null) {
ret.append(replaced.toString());
+ } else {
+ ret = null;
+ token = null;
+ break;
}
} else {
ret.append(startChar).append(token).append(endChar);
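Review bot: With this `else` branch the method can return null (see `return ret != null ? ret.toString() : null;` in the next hunk), which changes the contract for every caller, not only the path matcher updated in this commit. A caller not shown here that passes the result straight to a string operation would throw, and one that reads null as "no value to compare" could match more or less than intended. The null return should be stated in the method's Javadoc, for example `@return the expanded string, or null when a referenced token is absent from the context`. A comment on the branch such as `// unresolved token: the whole value is treated as unmatchable` would also explain why `token` is cleared before the `break`, presumably to skip the trailing append after the loop. The method body starts outside the hunk.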
@@ -87,6 +91,6 @@ public class StringTokenReplacer {
ret.append(startChar).append(token);
}
- return ret.toString();
+ return ret != null ? ret.toString() : null;
}
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/5055db15/agents-common/src/test/resources/resourcematcher/test_resourcematcher_dynamic.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/resourcematcher/test_resourcematcher_dynamic.json b/agents-common/src/test/resources/resourcematcher/test_resourcematcher_dynamic.json
index 168a50f..5237d47 100644
--- a/agents-common/src/test/resources/resourcematcher/test_resourcematcher_dynamic.json
+++ b/agents-common/src/test/resources/resourcematcher/test_resourcematcher_dynamic.json
@@ -7,13 +7,15 @@
"matcherOptions":{"wildCard":true, "ignoreCase":true, "replaceTokens":true, "tokenDelimiterStart":"%", "tokenDelimiterEnd":"%", "tokenDelimiterEscape":"@" }
},
"policyResource":{
- "values": ["/abc%xyz%w", "/xyz%somestuff%z", "/abc@%xyz@w", "/mad@@%xyy%"],
+ "values": ["/abc%xyz%w", "/xyz%somestuff%z", "/abc@%xyz@w", "/mad@@%xyy%","/tmp/tmpdir4/%FILENAME%", "/tmp/tmpdir5/%BASE_FILENAME%.txt"],
"isRecursive":false
},
"tests":[
{ "name":"exact-path","input":"/mad@new", "evalContext": {"token:xyy": "new"}, "result":true}
,
- { "name":"exact-path","input":"/abcw", "evalContext": {"token:somestuff": "somethingelse"}, "result":true}
+ { "name":"exact-path","input":"/abcw", "evalContext": {"token:somestuff": "somethingelse"}, "result":false}
+ ,
+ { "name":"exact-path","input":"/abc%xyz%w", "evalContext": {"token:somestuff": "somethingelse"}, "result":false}
,
{ "name":"exact-path","input":"/abc%xyz%w", "evalContext": {"token:somestuff": "somethingelse", "token:xyz":"abcd"}, "result":false}
,
@@ -26,7 +28,22 @@
{ "name":"exact-path","input":"/abc%xyzw", "evalContext": {"token:somestuff": "somethingelse"}, "result":true}
,
{ "name":"exact-path","input":"/abcabcdw", "evalContext": {"token:somestuff": "somethingelse", "xyz":"abcd"}, "result":false}
-
+ ,
+ { "name":"hdfs-agent-test-10","input":"/tmp/tmpdir4/data-file", "evalContext": {"token:FILENAME": "data-file"}, "result":true}
+ ,
+ { "name":"hdfs-agent-test-11","input":"/tmp/tmpdir4/data-file", "evalContext": {"token:FILENAME": ""}, "result":false}
+ ,
+ { "name":"hdfs-agent-test-12","input":"/tmp/tmpdir4/data-file", "evalContext": {"token:USER": "admin"}, "result":false}
+ ,
+ { "name":"hdfs-agent-test-13","input":"/tmp/tmpdir4", "evalContext": {}, "result":false}
+ ,
+ { "name":"hdfs-agent-test-11","input":"/tmp/tmpdir4/", "evalContext": {"token:FILENAME": ""}, "result":true}
+ ,
+ { "name":"hdfs-agent-test-12","input":"/tmp/tmpdir4/%FILENAME%", "evalContext": {"token:USER": "admin"}, "result":false}
+ ,
+ { "name":"hdfs-agent-test-13","input":"/tmp/tmpdir5/data-file.txt", "evalContext": {"token:BASE_FILENAME": "data-file"}, "result":true}
+ ,
+ { "name":"hdfs-agent-test-14","input":"/tmp/tmpdir5/txt", "evalContext": {"token:BASE_FILENAME": ""}, "result":false}
]
}
]
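Review bot: The added cases reuse names: `hdfs-agent-test-11`, `hdfs-agent-test-12` and `hdfs-agent-test-13` each appear twice with different inputs and expected results, so a failure reported by name does not identify the case. Number the eight new cases uniquely, `hdfs-agent-test-10` through `hdfs-agent-test-17`. The set covers a missing token and an empty token after a path prefix, but none where the whole policy value is a single token that expands to the empty string, which is the input most likely to upset the separator-trimming code.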
http://git-wip-us.apache.org/repos/asf/ranger/blob/5055db15/agents-common/src/test/resources/resourcematcher/test_resourcematcher_wildcards_as_delimiters.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/resourcematcher/test_resourcematcher_wildcards_as_delimiters.json b/agents-common/src/test/resources/resourcematcher/test_resourcematcher_wildcards_as_delimiters.json
index f896745..c907f41 100644
--- a/agents-common/src/test/resources/resourcematcher/test_resourcematcher_wildcards_as_delimiters.json
+++ b/agents-common/src/test/resources/resourcematcher/test_resourcematcher_wildcards_as_delimiters.json
@@ -15,9 +15,11 @@
,
{ "name":"exact-path","input":"/mad@new", "evalContext": {"token:xyy": "new"}, "result":true}
,
- { "name":"exact-path","input":"/abcw", "evalContext": {"token:somestuff": "somethingelse"}, "result":true}
+ { "name":"exact-path","input":"/abcw", "evalContext": {"token:somestuff": "somethingelse"}, "result":false}
,
- { "name":"exact-path","input":"/abc*xyz?w", "evalContext": {"token:somestuff": "somethingelse", "token:xyz":"abcd"}, "result":false}
+ { "name":"exact-path","input":"/abc*xyz?w", "evalContext": {"token:somestuff": "somethingelse"}, "result":false}
+ ,
+ { "name":"exact-path","input":"/abcabcdw", "evalContext": {"token:somestuff": "somethingelse", "token:xyz":"abcd"}, "result":true}
,
{ "name":"exact-path","input":"/xyzsomethingelsez", "evalContext": {"token:somestuff": "somethingelse"}, "result":true}
,