Posted to commits@ranger.apache.org by ab...@apache.org on 2019/05/07 20:34:02 UTC
[ranger] branch master updated: RANGER-2415: Value of isExcludes
flag needs to be considered when matching accessed resource to Ranger
policy
This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 45f639f RANGER-2415: Value of isExcludes flag needs to be considered when matching accessed resource to Ranger policy
45f639f is described below
commit 45f639f21bb7ae6581443e688392016aa65fb8bb
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Tue May 7 13:02:16 2019 -0700
RANGER-2415: Value of isExcludes flag needs to be considered when matching accessed resource to Ranger policy
---
.../RangerDefaultPolicyResourceMatcher.java | 31 ++--
.../test_defaultpolicyresourcematcher.json | 161 +++++++++++++++++++--
2 files changed, 164 insertions(+), 28 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
index b0fcf6e..633ec96 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
@@ -581,7 +581,9 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
}
}
- int lastMatchedMatcherIndex = -1;
+ if (resourceKeysSize == 0) {
+ ret = MatchType.SELF;
+ }
for (RangerResourceDef resourceDef : hierarchy) {
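Review bot: The added `if (resourceKeysSize == 0) { ret = MatchType.SELF; }` gives an empty resource a matching result before any matcher has been consulted, and nothing in the hunk explains why that default is safe. In a policy matcher a permissive starting value deserves a comment, for example `// empty resource: provisional SELF; matchers below may reset it to NONE and the later size check reclassifies it`. The declaration and initial value of `ret` and the computation of `resourceKeysSize` are outside this hunk, so I could not check whether SELF can survive unchanged for a policy that has no resources.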
@@ -589,28 +591,13 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
Object resourceValue = resource.getValue(resourceDef.getName());
if (matcher != null) {
- if (resourceValue != null) {
+ if (resourceValue != null || matcher.isMatchAny()) {
if (matcher.isMatch(resourceValue, evalContext)) {
ret = MatchType.SELF;
- lastMatchedMatcherIndex++;
} else {
ret = MatchType.NONE;
break;
}
- } else {
- // More matchers than resource-values
- if (lastMatchedMatcherIndex >= lastNonAnyMatcherIndex) {
- // all remaining matchers are of type Any
- if (lastMatchedMatcherIndex == -1) {
- // For degenerate case: empty resource
- ret = MatchType.SELF;
- } else {
- ret = MatchType.ANCESTOR_WITH_WILDCARDS;
- }
- } else {
- ret = MatchType.DESCENDANT;
- }
- break;
}
} else {
if (resourceValue != null) {
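Review bot: With the new condition `resourceValue != null || matcher.isMatchAny()`, `matcher.isMatch(resourceValue, evalContext)` can now be called with a null value, so every matcher implementation has to tolerate null and apply isExcludes to it; neither `isMatch` nor `isMatchAny` is visible here. A matcher that is not match-any and sees a null value is skipped without touching `ret`, so the previous level's result carries forward until the size check added later in this commit. I would state both facts above the condition, e.g. `// null value: only match-any matchers are evaluated (isMatch must accept null); others leave ret unchanged`. The enclosing loop starts and ends outside the hunk.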
@@ -620,6 +607,16 @@ public class RangerDefaultPolicyResourceMatcher implements RangerPolicyResourceM
break;
}
}
+
+ if (ret == MatchType.SELF && resourceKeysSize < policyResources.size()) {
+ // More matchers than resource-values
+ if (resourceKeysSize > lastNonAnyMatcherIndex) {
+ // all remaining matchers which matched resource value of null are of type Any
+ ret = MatchType.ANCESTOR_WITH_WILDCARDS;
+ } else {
+ ret = MatchType.DESCENDANT;
+ }
+ }
}
}
}
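Review bot: In the added block, `resourceKeysSize > lastNonAnyMatcherIndex` compares a count of resource keys with a matcher index. That equals the removed `lastMatchedMatcherIndex >= lastNonAnyMatcherIndex` test only if the resource's keys fill the hierarchy from the top without gaps. Nothing in the visible lines enforces that; if it is checked earlier in the method, the comment should say so, e.g. `// resource keys are a gap-free prefix of the hierarchy, so resourceKeysSize is the index of the first level without a value`. The choice between ANCESTOR_WITH_WILDCARDS and DESCENDANT depends on it, and the updated expectations in the test file show that the classification has already changed for existing policies.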
diff --git a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json
index 68166f9..8d4a680 100644
--- a/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json
+++ b/agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json
@@ -14,7 +14,8 @@
"ignoreCase": true
},
"label": "Hive Database",
- "description": "Hive Database"
+ "description": "Hive Database",
+ "isExcludes": true
},
{
"name": "table",
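Review bot: The `"isExcludes": true` added to the database resource definition here, and to the table and column definitions in the next two hunks, looks like a policy-resource property placed on a resource definition. Ranger resource definitions declare exclude support with `excludesSupported`. If the definition class has no `isExcludes` field, the new line is probably ignored when the file is loaded and has no effect on the tests. If the intent was to mark these resources as supporting excludes, `"excludesSupported": true` is the line to use; otherwise the additions can be dropped.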
@@ -28,7 +29,8 @@
"ignoreCase": true
},
"label": "Hive Table",
- "description": "Hive Table"
+ "description": "Hive Table",
+ "isExcludes": true
},
{
"name": "udf",
@@ -56,7 +58,8 @@
"ignoreCase": true
},
"label": "Hive Column",
- "description": "Hive Column"
+ "description": "Hive Column",
+ "isExcludes": true
}
],
"accessTypes": [
@@ -96,6 +99,142 @@
},
"testCases": [
{
+ "name": "database=*, isExclude=true:table=*, isExcludes=true",
+ "policyResources": {
+ "database": {"values": ["*"], "isExcludes": true},
+ "table": {"values": ["*"], "isExcludes": true}
+ },
+ "tests": [
+ {
+ "name": "NO MATCH for invalid resource level",
+ "type": "anyMatch",
+ "resource" : {
+ "elements" : { "database":"finance", "invalid-resource-name":"any"}
+ },
+ "evalContext": {},
+ "result" : false
+ }
+ ,
+ {
+ "name": "NO MATCH for resource from different hierarchy 'finance:udf=some_udf",
+ "type": "anyMatch",
+ "resource" : {
+ "elements" : { "database":"finance", "udf":"some_udf"}
+ },
+ "evalContext": {},
+ "result" : false
+ }
+ ,
+ {
+ "name": "No MATCH for parent 'finance.tax.ssn'",
+ "type": "anyMatch",
+ "resource": {
+ "elements": {"database": "finance", "table":"tax", "column":"ssn"}
+ },
+ "evalContext": {},
+ "result": false
+ }
+ ,
+ {
+ "name": "No MATCH for exact 'finance:tax'",
+ "type": "anyMatch",
+ "resource": {
+ "elements": {"database": "finance","table": "tax"}
+ },
+ "evalContext": {},
+ "result": false
+ }
+ ,
+ {
+ "name": "No MATCH for parent with wildcards 'finance'",
+ "type": "anyMatch",
+ "resource": {
+ "elements": {"database": "finance"}
+ },
+ "evalContext": {},
+ "result": false
+ }
+ ,
+ {
+ "name": "No MATCH for any ''",
+ "type": "anyMatch",
+ "resource": {
+ "elements": {}
+ },
+ "evalContext": {},
+ "result": false
+ }
+ ]
+ },
+ {
+ "name": "database=*:table=tax, isExcludes=true",
+ "policyResources": {
+ "database": {"values": ["*"]},
+ "table": {"values": ["tax"], "isExcludes": true}
+ },
+ "tests": [
+ {
+ "name": "NO MATCH for invalid resource level",
+ "type": "anyMatch",
+ "resource" : {
+ "elements" : { "database":"finance", "invalid-resource-name":"any"}
+ },
+ "evalContext": {},
+ "result" : false
+ }
+ ,
+ {
+ "name": "NO MATCH for resource from different hierarchy 'finance:udf=some_udf",
+ "type": "anyMatch",
+ "resource" : {
+ "elements" : { "database":"finance", "udf":"some_udf"}
+ },
+ "evalContext": {},
+ "result" : false
+ }
+ ,
+ {
+ "name": "No MATCH for parent 'finance.tax.ssn'",
+ "type": "anyMatch",
+ "resource": {
+ "elements": {"database": "finance", "table":"tax", "column":"ssn"}
+ },
+ "evalContext": {},
+ "result": false
+ }
+ ,
+ {
+ "name": "No MATCH for exact 'finance:tax'",
+ "type": "anyMatch",
+ "resource": {
+ "elements": {"database": "finance","table": "tax"}
+ },
+ "evalContext": {},
+ "result": false
+ }
+ ,
+ {
+ "name": "MATCH for parent with wildcards 'finance'",
+ "type": "ancestorWithWildcardsMatch",
+ "resource": {
+ "elements": {"database": "finance"}
+ },
+ "evalContext": {},
+ "result": true
+ }
+ ,
+ {
+ "name": "MATCH for child ''",
+ "type": "descendantMatch",
+ "resource": {
+ "elements": {}
+ },
+ "evalContext": {},
+ "result": true
+ }
+ ]
+ },
+ {
"name": "database=*:table=*",
"policyResources": {
"database": {"values": ["*"]},
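Review bot: The new `database=*:table=tax, isExcludes=true` case asserts only non-matches for fully specified resources; no test checks that a table other than `tax` does match. Without that positive case, a matcher that rejected everything under an excluded value would still pass. I would add a test with `"elements": {"database": "finance", "table": "employees"}`, `"type": "exactMatch"` and `"result": true` (a constructed example; the expected outcome under the new logic should be confirmed). The first test-case name also has `isExclude=true` where the rest of the file uses `isExcludes`.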
@@ -153,8 +292,8 @@
}
,
{
- "name": "MATCH for exact ''",
- "type": "exactMatch",
+ "name": "MATCH for parent with wildcards ''",
+ "type": "ancestorWithWildcardsMatch",
"resource": {
"elements": {}
},
@@ -421,8 +560,8 @@
}
,
{
- "name": "MATCH for exact ''",
- "type": "exactMatch",
+ "name": "MATCH for parent with wildcards ''",
+ "type": "ancestorWithWildcardsMatch",
"resource": {
"elements": {}
},
@@ -470,8 +609,8 @@
}
,
{
- "name": "MATCH for exact ''",
- "type": "exactMatch",
+ "name": "MATCH for parent with wildcards ''",
+ "type": "ancestorWithWildcardsMatch",
"resource": {
"elements": {}
},
@@ -667,8 +806,8 @@
}
,
{
- "name": "MATCH for child 'finance'",
- "type": "descendantMatch",
+ "name": "MATCH for parent with wildcards 'finance'",
+ "type": "ancestorWithWildcardsMatch",
"resource": {
"elements": {"database": "finance"}
},