You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ma...@apache.org on 2015/10/28 17:00:10 UTC

[34/50] [abbrv] incubator-ranger git commit: RANGER-675: fix the incorrect column authorization via tag

RANGER-675: fix the incorrect column authorization via tag


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/54270d55
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/54270d55
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/54270d55

Branch: refs/heads/master
Commit: 54270d556f0341920f25d141c55746e8ec8bbea3
Parents: 89b7ba2
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Thu Oct 1 18:23:11 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Oct 1 18:23:11 2015 -0700

----------------------------------------------------------------------
 .../contextenricher/RangerTagEnricher.java      | 14 ++---------
 .../plugin/util/RangerAccessRequestUtil.java    | 26 +++++++++++++++++++-
 .../authorizer/RangerHiveAccessRequest.java     |  3 ++-
 3 files changed, 29 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/54270d55/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index 6388c78..b5662bf 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -129,20 +129,10 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
 
 		List<RangerTag> matchedTags = findMatchingTags(request.getResource(), serviceResourceMatchersCopy);
 
-		if (CollectionUtils.isNotEmpty(matchedTags)) {
-			RangerAccessRequestUtil.setRequestTagsInContext(request.getContext(), matchedTags);
-
-			if (LOG.isDebugEnabled()) {
-				LOG.debug("RangerTagEnricher.enrich(" + request + ") - " + matchedTags.size() + " tags found by enricher.");
-			}
-		} else {
-			if (LOG.isDebugEnabled()) {
-				LOG.debug("RangerTagEnricher.enrich(" + request + ") - no tags found by enricher.");
-			}
-		}
+		RangerAccessRequestUtil.setRequestTagsInContext(request.getContext(), matchedTags);
 
 		if (LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerTagEnricher.enrich(" + request + ")");
+			LOG.debug("<== RangerTagEnricher.enrich(" + request + "): tags count=" + (matchedTags == null ? 0 : matchedTags.size()));
 		}
 	}
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/54270d55/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
index 92a87d0..0ce3721 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
@@ -19,9 +19,12 @@
 
 package org.apache.ranger.plugin.util;
 
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.model.RangerTag;
@@ -36,7 +39,11 @@ public class RangerAccessRequestUtil {
 	public static final String KEY_CONTEXT_REQUESTED_RESOURCES = "REQUESTED_RESOURCES";
 
 	public static void setRequestTagsInContext(Map<String, Object> context, List<RangerTag> tags) {
-		context.put(KEY_CONTEXT_TAGS, tags);
+		if(CollectionUtils.isEmpty(tags)) {
+			context.remove(KEY_CONTEXT_TAGS);
+		} else {
+			context.put(KEY_CONTEXT_TAGS, tags);
+		}
 	}
 
 	public static List<RangerTag> getRequestTagsFromContext(Map<String, Object> context) {
@@ -101,4 +108,21 @@ public class RangerAccessRequestUtil {
 
 		return ret;
 	}
+
+	public static Map<String, Object> copyContext(Map<String, Object> context) {
+		final Map<String, Object> ret;
+
+		if(MapUtils.isEmpty(context)) {
+			ret = new HashMap<String, Object>();
+		} else {
+			ret = new HashMap<String, Object>(context);
+
+			ret.remove(KEY_CONTEXT_TAGS);
+			ret.remove(KEY_CONTEXT_TAG_OBJECT);
+			ret.remove(KEY_CONTEXT_RESOURCE);
+			// don't remove REQUESTED_RESOURCES
+		}
+
+		return ret;
+	}
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/54270d55/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
index 9f99ea1..3140056 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
@@ -27,6 +27,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType
 import org.apache.ranger.authorization.utils.StringUtil;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
+import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
 
 
 public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
@@ -101,7 +102,7 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
 		ret.setRequestData(getRequestData());
 		ret.setClientType(getClientType());
 		ret.setSessionId(getSessionId());
-		ret.setContext(getContext());
+		ret.setContext(RangerAccessRequestUtil.copyContext(getContext()));
 		ret.accessType = accessType;
 
 		return ret;