This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 4b941b2f0 RANGER-3999: Implement more efficient way to handle _any
access authorization - Part 3
4b941b2f0 is described below
commit 4b941b2f0d7a8390155c61fa0960c42aa8a37b69
Author: Abhay Kulkarni <[email protected]>
AuthorDate: Thu Feb 16 10:20:13 2023 -0800
RANGER-3999: Implement more efficient way to handle _any access
authorization - Part 3
---
.../RangerDefaultPolicyEvaluator.java | 2 +-
.../plugin/util/RangerAccessRequestUtil.java | 2 +-
.../plugin/policyengine/TestPolicyEngine.java | 8 ++++++
.../policyengine/test_policyengine_hive.json | 32 ++++++++++++++++++++++
4 files changed, 42 insertions(+), 2 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 9a0df550c..2f9c1b019 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -242,7 +242,7 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
final boolean isMatched;
- if (request.isAccessTypeAny() ||
RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())) {
+ if (request.isAccessTypeAny()) {
isMatched = matchType !=
RangerPolicyResourceMatcher.MatchType.NONE;
} else if
(request.getResourceMatchingScope() ==
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
isMatched = matchType !=
RangerPolicyResourceMatcher.MatchType.NONE;
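Review bot: The rewritten `if` means a request whose context carries ISANYACCESS=true but whose accessType is concrete (e.g. `create`) no longer gets the `matchType != NONE` widening and instead falls through to the scope-based branches; that is the stricter, fail-closed direction and appears to be exactly what the new "DENY 'create or write for org;'" test pins. Nothing in this hunk says where the context flag is consumed now, so a maintainer reading only this method cannot tell whether dropping `getIsAnyAccessInContext` here is deliberate or a regression for callers that set the flag via `setAllRequestedAccessTypes(ctx, types, true)` without also setting the `_any` access type. I would add `// only an explicit '_any' accessType widens resource matching here; the ISANYACCESS context flag is deliberately not consulted` above the `if`, and confirm that callers relying on the context flag alone also set accessType to `_any`. The enclosing method starts and ends outside the hunk.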
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
index a51f2322a..b505f495b 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
@@ -222,7 +222,7 @@ public class RangerAccessRequestUtil {
public static void setAllRequestedAccessTypes(Map<String, Object>
context, Set<String> accessTypes, Boolean isAny) {
context.put(KEY_CONTEXT_ACCESSTYPES, accessTypes);
- context.put(KEY_CONTEXT_IS_ANY_ACCESS, isAny);
+ setIsAnyAccessInContext(context, isAny);
}
public static Set<String>
getAllRequestedAccessTypes(RangerAccessRequest request) {
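Review bot: `setAllRequestedAccessTypes` now routes `isAny` through `setIsAnyAccessInContext`, but `isAny` is a boxed `Boolean` and the helper is not in the hunk, so what a null flag ends up as in the context (absent, null, or false) can no longer be read off this method, whereas the old `context.put` stored null verbatim. Since this flag feeds the `_any` branch of policy evaluation, the null case should be stated in the method's Javadoc, e.g. `@param isAny true for '_any' access; null is handed to setIsAnyAccessInContext as-is — TODO confirm it is treated as false`. The trailing `getAllRequestedAccessTypes` signature continues past the hunk.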
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index eb3d0ff46..89e678bf9 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -69,6 +69,7 @@ import java.io.OutputStreamWriter;
import java.lang.reflect.Type;
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
@@ -923,6 +924,13 @@ public class TestPolicyEngine {
if (ret.getAccessTime() == null) {
ret.setAccessTime(new Date());
}
+ Map<String, Object> reqContext = ret.getContext();
+ Object accessTypes = reqContext.get("ACCESSTYPES");
+ if (accessTypes != null) {
+ Collection<String> accessTypesCollection =
(Collection<String>) accessTypes;
+ Set<String> requestedAccesses = new
HashSet<>(accessTypesCollection);
+ ret.getContext().put("ACCESSTYPES",
requestedAccesses);
+ }
return ret;
}
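Review bot: The unchecked cast on the `Collection<String> accessTypesCollection = (Collection<String>) accessTypes;` line carries no `@SuppressWarnings("unchecked")`, and the key is the string literal `"ACCESSTYPES"` rather than the constant the production code uses (`KEY_CONTEXT_ACCESSTYPES` in the RangerAccessRequestUtil hunk); if that constant's value ever differs from the literal, the fixture would silently leave the list un-normalised and the new `_any` tests would exercise a different path than intended. `reqContext` is also already held, so the put can use it instead of calling `ret.getContext()` a second time. I would collapse the three lines to `@SuppressWarnings("unchecked") Set<String> requestedAccesses = new HashSet<>((Collection<String>) accessTypes);` followed by `reqContext.put(RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES, requestedAccesses);` if that constant is accessible from the test, and guard `reqContext` against null if `getContext()` can return null — cannot tell from here. The enclosing method starts before the hunk.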
diff --git
a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
index 0544feb14..8e34aa174 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
@@ -123,10 +123,42 @@
"policyItems":[
{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false}
]
+ },
+ {"id":1001,"name":"db=org; table=employee;
column=*","isEnabled":true,"isAuditEnabled":true,
+
"resources":{"database":{"values":["org"]},"table":{"values":["employee"]},"column":{"values":["*"],
"isExcludes":false}},
+ "policyItems":[
+ {"accesses":[{"type":"select","isAllowed":true},
{"type":"create","isAllowed":true},
{"type":"read","isAllowed":true}],"users":["john"],"groups":[],"delegateAdmin":false}
+ ]
}
],
"tests":[
+ {"name":"DENY 'create or write for org;' for john",
+ "request":{
+ "resource":{"elements":{"database":"org"}},
+
"accessType":"create","user":"john","userGroups":[],"requestData":"create org",
+ "context": {"ISANYACCESS":true, "ACCESSTYPES": [ "create", "write" ]}
+ },
+ "result":{"isAudited":false,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"DENY 'create and write for org;' for john",
+ "request":{
+ "resource":{"elements":{"database":"org"}},
+
"accessType":"create","user":"john","userGroups":[],"requestData":"create org",
+ "context": {"ISANYACCESS":false, "ACCESSTYPES": [ "create", "write" ]}
+ },
+ "result":{"isAudited":false,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW 'any' for org;' for john",
+ "request":{
+ "resource":{"elements":{"database":"org"}},
+ "accessType":"","user":"john","userGroups":[],"requestData":"'any'
access for org"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":1001}
+ }
+ ,
{"name":"ALLOW 'read http://qe-s3-bucket-mst/test_abcd/abcd;' for user1",
"request":{
"resource":{"elements":{"url":["http://qe-s3-bucket-mst/test_abcd/abcd",
"http://qe-s3-bucket-mst/test_abcd/abcd/"]}},