You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ab...@apache.org on 2018/10/17 21:54:50 UTC
ranger git commit: RANGER-2247: RangerRANGER-2247 Ranger Plugin for
HDFS throws StringIndexOutOfBounds exception when policy resource is \
Repository: ranger
Updated Branches:
refs/heads/master e20e7f4ca -> 70efa6810
RANGER-2247:
RangerRANGER-2247
Ranger Plugin for HDFS throws StringIndexOutOfBounds exception when policy resource is \
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/70efa681
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/70efa681
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/70efa681
Branch: refs/heads/master
Commit: 70efa6810d5880184578b54a205b62a1349f426b
Parents: e20e7f4
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Wed Oct 17 14:54:33 2018 -0700
Committer: Abhay Kulkarni <ak...@hortonworks.com>
Committed: Wed Oct 17 14:54:33 2018 -0700
----------------------------------------------------------------------
.../resourcematcher/RangerPathResourceMatcher.java | 4 ++--
.../ranger/plugin/util/StringTokenReplacer.java | 16 +++++++++++++++-
.../policyengine/test_policyengine_hdfs.json | 6 ++++++
.../test_resourcematcher_dynamic.json | 2 +-
...est_resourcematcher_wildcards_as_delimiters.json | 2 +-
5 files changed, 25 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/70efa681/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
index 78a3b8a..9cf31a2 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
@@ -227,8 +227,8 @@ abstract class RecursiveMatcher extends ResourceMatcher {
}
String getStringToCompare(String policyValue) {
- if (policyValue == null) {
- return null;
+ if (StringUtils.isEmpty(policyValue)) {
+ return policyValue;
}
return (policyValue.lastIndexOf(levelSeparatorChar) == policyValue.length()-1) ?
policyValue.substring(0, policyValue.length()-1) : policyValue;
http://git-wip-us.apache.org/repos/asf/ranger/blob/70efa681/agents-common/src/main/java/org/apache/ranger/plugin/util/StringTokenReplacer.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/StringTokenReplacer.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/StringTokenReplacer.java
index ace04d6..2d09d44 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/StringTokenReplacer.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/StringTokenReplacer.java
@@ -50,11 +50,25 @@ public class StringTokenReplacer {
i++;
if(i < value.length()) {
c = value.charAt(i);
- if(token != null) {
+ if (token != null) {
+ // if next char is not the escape char or endChar, retain the escapeChar
+ if (c != escapeChar && c != endChar) {
+ token.append(escapeChar);
+ }
token.append(c);
} else {
+ // if next char is not the escape char or startChar, retain the escapeChar
+ if (c != escapeChar && c != startChar) {
+ ret.append(escapeChar);
+ }
ret.append(c);
}
+ } else {
+ if (token != null) {
+ token.append(escapeChar);
+ } else {
+ ret.append(escapeChar);
+ }
}
continue;
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/70efa681/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
index ea167f4..3833ba1 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs.json
@@ -60,6 +60,12 @@
"values":["var country_code = ctx.getRequestContextAttribute('LOCATION_TEST_COUNTRY_CODE'); ctx.result = !!country_code;"]
}]}
]
+ },
+ {"id":4,"name":"invalid policy with a single backslash","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"path":{"values":["\\"],"isRecursive":true}},
+ "policyItems":[
+ {"accesses":[{"type":"read","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false}
+ ]
}
],
http://git-wip-us.apache.org/repos/asf/ranger/blob/70efa681/agents-common/src/test/resources/resourcematcher/test_resourcematcher_dynamic.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/resourcematcher/test_resourcematcher_dynamic.json b/agents-common/src/test/resources/resourcematcher/test_resourcematcher_dynamic.json
index db19f76..6a2119d 100644
--- a/agents-common/src/test/resources/resourcematcher/test_resourcematcher_dynamic.json
+++ b/agents-common/src/test/resources/resourcematcher/test_resourcematcher_dynamic.json
@@ -25,7 +25,7 @@
,
{ "name":"exact-path","input":"/abc@%xyz@w", "evalContext": {"token:somestuff": "somethingelse"}, "result":false}
,
- { "name":"exact-path","input":"/abc%xyzw", "evalContext": {"token:somestuff": "somethingelse"}, "result":true}
+ { "name":"exact-path","input":"/abc%xyz@w", "evalContext": {"token:somestuff": "somethingelse"}, "result":true}
,
{ "name":"exact-path","input":"/abcabcdw", "evalContext": {"token:somestuff": "somethingelse", "xyz":"abcd"}, "result":false}
,
http://git-wip-us.apache.org/repos/asf/ranger/blob/70efa681/agents-common/src/test/resources/resourcematcher/test_resourcematcher_wildcards_as_delimiters.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/resourcematcher/test_resourcematcher_wildcards_as_delimiters.json b/agents-common/src/test/resources/resourcematcher/test_resourcematcher_wildcards_as_delimiters.json
index 8e791d6..c1432d0 100644
--- a/agents-common/src/test/resources/resourcematcher/test_resourcematcher_wildcards_as_delimiters.json
+++ b/agents-common/src/test/resources/resourcematcher/test_resourcematcher_wildcards_as_delimiters.json
@@ -23,7 +23,7 @@
,
{ "name":"exact-path","input":"/xyzsomethingelsez", "evalContext": {"token:somestuff": "somethingelse"}, "result":true}
,
- { "name":"exact-path","input":"/abc*xyzw", "evalContext": {"token:somestuff": "somethingelse"}, "result":true}
+ { "name":"exact-path","input":"/abc*xyz@w", "evalContext": {"token:somestuff": "somethingelse"}, "result":true}
]
}
]