Posted to commits@pegasus.apache.org by wa...@apache.org on 2023/06/01 06:46:36 UTC
[incubator-pegasus] branch master updated: feat(Ranger): remove ACL of RPC_CM_LIST_APPS from global resource (#1500)
This is an automated email from the ASF dual-hosted git repository.
wangdan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-pegasus.git
The following commit(s) were added to refs/heads/master by this push:
new bbdb7041d feat(Ranger): remove ACL of RPC_CM_LIST_APPS from global resource (#1500)
bbdb7041d is described below
commit bbdb7041dd8fcaff5b8ea57a2095e669aeb30fbd
Author: WHBANG <38...@users.noreply.github.com>
AuthorDate: Thu Jun 1 14:46:30 2023 +0800
feat(Ranger): remove ACL of RPC_CM_LIST_APPS from global resource (#1500)
https://github.com/apache/incubator-pegasus/issues/1054
The access control management of RPC RPC_CM_LIST_APPS is removed from
the global level resource, which is managed by the database resource.
---
src/runtime/ranger/ranger_resource_policy_manager.cpp | 15 +++++----------
src/runtime/test/ranger_resource_policy_manager_test.cpp | 3 ++-
2 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/src/runtime/ranger/ranger_resource_policy_manager.cpp b/src/runtime/ranger/ranger_resource_policy_manager.cpp
index d08df9466..7f708f808 100644
--- a/src/runtime/ranger/ranger_resource_policy_manager.cpp
+++ b/src/runtime/ranger/ranger_resource_policy_manager.cpp
@@ -147,10 +147,9 @@ ranger_resource_policy_manager::ranger_resource_policy_manager(
: _meta_svc(meta_svc), _local_policy_version(-1)
{
// GLOBAL - kMetadata
- register_rpc_access_type(
- access_type::kMetadata,
- {"RPC_CM_LIST_NODES", "RPC_CM_CLUSTER_INFO", "RPC_CM_LIST_APPS", "RPC_QUERY_DISK_INFO"},
- _ac_type_of_global_rpcs);
+ register_rpc_access_type(access_type::kMetadata,
+ {"RPC_CM_LIST_NODES", "RPC_CM_CLUSTER_INFO", "RPC_QUERY_DISK_INFO"},
+ _ac_type_of_global_rpcs);
// GLOBAL - kControl
register_rpc_access_type(access_type::kControl,
{"RPC_HTTP_SERVICE",
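Review bot: in the `// GLOBAL - kMetadata` registration, "RPC_CM_LIST_APPS" is dropped from the list with no comment saying where it is authorized now. The commit message says the database resource manages it, but no DATABASE-level registration for this RPC is visible in this diff. Please add a short comment here stating that list_app is checked only against DATABASE policies. Please also confirm that the database registration already exists, so that removing the global entry does not leave the RPC without any access type.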
@@ -231,12 +230,8 @@ bool ranger_resource_policy_manager::allowed(const int rpc_code,
}
}
- // It's not allowed to access except list_app.
- // list_app rpc code is in both GLOBAL and DATABASE policies, check the DATABASE policies
- // later.
- if (rpc_code != RPC_CM_LIST_APPS.code()) {
- return false;
- }
+ // The check that does not match any GLOBAL policy returns false.
+ return false;
} while (false);
do {
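Review bot: the new comment above `return false;` is hard to parse, and the removed comment was the only explanation of how list_app interacts with the two policy levels. With the `rpc_code != RPC_CM_LIST_APPS.code()` exception gone, this return denies everything that reaches the end of the first `do { ... } while (false);` block. Consider wording such as `// No GLOBAL policy matched: deny.` The code that sends non-global RPCs on to the following `do {` block is outside this hunk, so please confirm that a list_app request now skips the GLOBAL section and reaches the DATABASE check instead of ending at this return.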
diff --git a/src/runtime/test/ranger_resource_policy_manager_test.cpp b/src/runtime/test/ranger_resource_policy_manager_test.cpp
index 8bf4e3f56..e9fc87984 100644
--- a/src/runtime/test/ranger_resource_policy_manager_test.cpp
+++ b/src/runtime/test/ranger_resource_policy_manager_test.cpp
@@ -338,7 +338,8 @@ TEST_F(ranger_resource_policy_manager_function_test, allowed)
{"TASK_CODE_INVALID", "user7", "database3", false},
{"RPC_CM_LIST_NODES", "user7", "database3", true},
{"RPC_CM_LIST_NODES", "user8", "database3", false},
- {"RPC_CM_LIST_APPS", "user7", "database3", true},
+ // RPC_CM_LIST_APPS has been removed from global resources.
+ {"RPC_CM_LIST_APPS", "user7", "database3", false},
{"RPC_CM_LIST_APPS", "user8", "database3", false},
{"TASK_CODE_INVALID", "user9", "database4", false},
{"RPC_CM_LIST_NODES", "user9", "database4", false},
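Review bot: after flipping the `{"RPC_CM_LIST_APPS", "user7", "database3", ...}` expectation to false, both RPC_CM_LIST_APPS rows in this hunk (user7 and user8) assert a deny. No row shown here exercises a database policy allowing the RPC. Please add, or point to, a case where a database policy grants RPC_CM_LIST_APPS and the expected result is true, so the test covers the new authorization path and not only the removal of the old one. The added comment would also be more useful if it said why user7 is now denied on database3 rather than recording that something was removed.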