You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ma...@apache.org on 2017/01/07 03:03:13 UTC
incubator-ranger git commit: RANGER-1261: fix path matching
inconsistencies and wildcard treatment
Repository: incubator-ranger
Updated Branches:
refs/heads/master 1ff410500 -> 220298475
RANGER-1261: fix path matching inconsistencies and wildcard treatment
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/22029847
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/22029847
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/22029847
Branch: refs/heads/master
Commit: 22029847559b3881cdc3176b15e545e847ef6d7c
Parents: 1ff4105
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Mon Dec 5 20:49:52 2016 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Fri Jan 6 18:36:52 2017 -0800
----------------------------------------------------------------------
.../RangerPathResourceMatcher.java | 87 +++++++++++++++++++-
.../test_resourcematcher_path.json | 61 ++++++++++++++
.../src/test/resources/hdfs-policies.json | 10 +++
3 files changed, 155 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/22029847/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
index b14cc25..723be3d 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
@@ -130,10 +130,12 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher {
ret = optIgnoreCase ? new CaseInsensitiveRecursiveWildcardMatcher(policyValue, pathSeparatorChar)
: new CaseSensitiveRecursiveWildcardMatcher(policyValue, pathSeparatorChar);
} else {
- ret = optIgnoreCase ? new CaseInsensitiveStartsWithMatcher(policyValue) : new CaseSensitiveStartsWithMatcher(policyValue);
+ ret = optIgnoreCase ? new CaseInsensitiveRecursiveMatcher(policyValue, pathSeparatorChar) : new CaseSensitiveRecursiveMatcher(policyValue, pathSeparatorChar);
}
- ret.setDelimiters(startDelimiterChar, endDelimiterChar, escapeChar, tokenPrefix);
+ if (optReplaceTokens) {
+ ret.setDelimiters(startDelimiterChar, endDelimiterChar, escapeChar, tokenPrefix);
+ }
return ret;
}
@@ -172,7 +174,6 @@ public class RangerPathResourceMatcher extends RangerDefaultResourceMatcher {
return ret;
}
-
public StringBuilder toString(StringBuilder sb) {
sb.append("RangerPathResourceMatcher={");
@@ -214,3 +215,83 @@ final class CaseInsensitiveRecursiveWildcardMatcher extends ResourceMatcher {
int getPriority() { return 8 + (getNeedsDynamicEval() ? DYNAMIC_EVALUATION_PENALTY : 0);}
}
+
+abstract class RecursiveMatcher extends ResourceMatcher {
+ final char levelSeparatorChar;
+ String valueWithoutSeparator = null;
+ String valueWithSeparator = null;
+
+ RecursiveMatcher(String value, char levelSeparatorChar) {
+ super(value);
+ this.levelSeparatorChar = levelSeparatorChar;
+ }
+
+ String getStringToCompare(String policyValue) {
+ return (policyValue.lastIndexOf(levelSeparatorChar) == policyValue.length()-1) ?
+ policyValue.substring(0, policyValue.length()-1) : policyValue;
+ }
+}
+
+final class CaseSensitiveRecursiveMatcher extends RecursiveMatcher {
+ CaseSensitiveRecursiveMatcher(String value, char levelSeparatorChar) {
+ super(value, levelSeparatorChar);
+ }
+
+ @Override
+ boolean isMatch(String resourceValue, Map<String, Object> evalContext) {
+
+ final String noSeparator;
+ if (getNeedsDynamicEval()) {
+ noSeparator = getStringToCompare(getExpandedValue(evalContext));
+ } else {
+ if (valueWithoutSeparator == null) {
+ valueWithoutSeparator = getStringToCompare(value);
+ valueWithSeparator = valueWithoutSeparator + Character.toString(levelSeparatorChar);
+ }
+ noSeparator = valueWithoutSeparator;
+ }
+
+ boolean ret = StringUtils.equals(resourceValue, noSeparator);
+
+ if (!ret) {
+ final String withSeparator = getNeedsDynamicEval() ? noSeparator + Character.toString(levelSeparatorChar) : valueWithSeparator;
+ ret = StringUtils.startsWith(resourceValue, withSeparator);
+ }
+
+ return ret;
+ }
+ int getPriority() { return 7 + (getNeedsDynamicEval() ? DYNAMIC_EVALUATION_PENALTY : 0);}
+}
+
+final class CaseInsensitiveRecursiveMatcher extends RecursiveMatcher {
+ CaseInsensitiveRecursiveMatcher(String value, char levelSeparatorChar) {
+ super(value, levelSeparatorChar);
+ }
+
+ @Override
+ boolean isMatch(String resourceValue, Map<String, Object> evalContext) {
+
+ final String noSeparator;
+ if (getNeedsDynamicEval()) {
+ noSeparator = getStringToCompare(getExpandedValue(evalContext));
+ } else {
+ if (valueWithoutSeparator == null) {
+ valueWithoutSeparator = getStringToCompare(value);
+ valueWithSeparator = valueWithoutSeparator + Character.toString(levelSeparatorChar);
+ }
+ noSeparator = valueWithoutSeparator;
+ }
+
+ boolean ret = StringUtils.equalsIgnoreCase(resourceValue, noSeparator);
+
+ if (!ret) {
+ final String withSeparator = getNeedsDynamicEval() ? noSeparator + Character.toString(levelSeparatorChar) : valueWithSeparator;
+ ret = StringUtils.startsWithIgnoreCase(resourceValue, withSeparator);
+ }
+
+ return ret;
+ }
+
+ int getPriority() { return 8 + (getNeedsDynamicEval() ? DYNAMIC_EVALUATION_PENALTY : 0);}
+
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/22029847/agents-common/src/test/resources/resourcematcher/test_resourcematcher_path.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/resourcematcher/test_resourcematcher_path.json b/agents-common/src/test/resources/resourcematcher/test_resourcematcher_path.json
index c67ff45..86da28c 100644
--- a/agents-common/src/test/resources/resourcematcher/test_resourcematcher_path.json
+++ b/agents-common/src/test/resources/resourcematcher/test_resourcematcher_path.json
@@ -1,6 +1,45 @@
{
"testCases":[
{
+ "name":"value=/a/b*y.txt; isRecursive=true; wildCard=true; ignoreCase=true",
+ "resourceDef":{
+ "matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
+ "matcherOptions":{"wildCard":true, "ignoreCase":true}
+ },
+ "policyResource":{
+ "values": ["/a/b*y.txt"],
+ "isRecursive":true
+ },
+ "tests":[
+ { "name":"exact-path","input":"/a/b*y.txt", "result":true},
+ { "name":"child-path","input":"/a/b/y.txt", "result":true},
+ { "name":"grand-child-path","input":"/a/b1/b2/y.txt", "result":true},
+ { "name":"descendant-child-path","input":"/a/b1/c1/d1/any.txt", "result":true},
+ { "name":"mismatche-path","input":"/a/any.txt", "result":false},
+
+ ]
+ }
+ ,
+ {
+ "name":"value=/a/b*y.txt; isRecursive=false; wildCard=true; ignoreCase=true",
+ "resourceDef":{
+ "matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
+ "matcherOptions":{"wildCard":true, "ignoreCase":true}
+ },
+ "policyResource":{
+ "values": ["/a/b*y.txt"],
+ "isRecursive":false
+ },
+ "tests":[
+ { "name":"exact-path","input":"/a/b*y.txt", "result":true},
+ { "name":"child-path","input":"/a/b/y.txt", "result":true},
+ { "name":"grand-child-path","input":"/a/b1/b2/y.txt", "result":true},
+ { "name":"descendant-child-path","input":"/a/b1/c1/d1/any.txt", "result":true},
+ { "name":"mismatche-path","input":"/a/any.txt", "result":false},
+ ]
+ }
+ ,
+ {
"name":"value=*; isRecursive=false; wildCard=true; ignoreCase=true",
"resourceDef":{
"matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
@@ -131,9 +170,31 @@
{ "name":"grand-child-path-camel-case","input":"/Path1/Path2/Path3", "result":true},
{ "name":"sibling-path","input":"/path2", "result":false},
{ "name":"invalid-path","input":"path1", "result":false},
+ { "name":"prefix-path","input":"/path12", "result":false},
+ { "name":"no-path","input":"", "result":false}
]
}
,
+ {
+ "name": "value=/path1/path2; isRecursive=true; wildCard=true; ignoreCase=true",
+ "resourceDef": {
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
+ "matcherOptions": {"wildCard": true, "ignoreCase": true
+ }
+ },
+ "policyResource": {"values": ["/path1/path2"], "isRecursive": true},
+ "tests": [
+ {"name": "exact-path", "input": "/path1/path2", "result": true},
+ {"name": "parent-path", "input": "/path1", "result": false},
+ {"name": "grand-parent-path", "input": "/", "result": false},
+ {"name": "child-path", "input": "/path1/path2/path3", "result": true},
+ {"name": "grandchild-path", "input": "/path1/path2/path3/path4", "result": true},
+ {"name": "sibling-path", "input": "/path1/path3", "result": false},
+ {"name": "prefix-path", "input": "/path1/path21", "result": false},
+ {"name": "invalid-path", "input": "path1/path2*", "result": false}
+ ]
+ }
+ ,
{
"name":"value=/path*; isRecursive=true; wildCard=true; ignoreCase=true",
"resourceDef":{
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/22029847/hdfs-agent/src/test/resources/hdfs-policies.json
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/test/resources/hdfs-policies.json b/hdfs-agent/src/test/resources/hdfs-policies.json
index c99c811..eb61796 100644
--- a/hdfs-agent/src/test/resources/hdfs-policies.json
+++ b/hdfs-agent/src/test/resources/hdfs-policies.json
@@ -82,6 +82,11 @@
{
"accesses": [
{
+ "type": "read",
+ "isAllowed": true
+ }
+ ,
+ {
"type": "execute",
"isAllowed": true
}
@@ -96,6 +101,11 @@
{
"accesses": [
{
+ "type": "read",
+ "isAllowed": true
+ }
+ ,
+ {
"type": "execute",
"isAllowed": true
}