This is an automated email from the ASF dual-hosted git repository.

madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit 30dd2b50280f0aee4ce2f7f45706616453c151a8
Author: Madhan Neethiraj <[email protected]>
AuthorDate: Fri Jan 19 01:07:40 2024 -0800

    RANGER-4666: fixed getResourceACLs() API to account for tags assigned to 
ancestor resources
---
 .../apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java    | 5 +++++
 .../policyengine/test_aclprovider_resource_hierarchy_tags.json       | 1 +
 2 files changed, 6 insertions(+)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index df39467ba..b0dc7a461 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -317,6 +317,11 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
                                        boolean   isTemporalTagPolicy = 
policyIdForTemporalTags.contains(evaluator.getPolicyId());
                                        MatchType tagMatchType        = 
tagMatchTypeMap.get(evaluator.getPolicyId());
 
+                                       // tag assigned to ANCESTORS must apply 
to SELF as well, to be consistent with policy evaluation in 
RangerDefaultPolicyEvaluator.evaluate()
+                                       if (tagMatchType == MatchType.ANCESTOR) 
{
+                                               tagMatchType = MatchType.SELF;
+                                       }
+
                                        evaluator.getResourceACLs(request, ret, 
isTemporalTagPolicy, null, tagMatchType, policyEngine);
                                }
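Review bot: The ANCESTOR-to-SELF remap in the added `if` duplicates a rule that, per its own comment, lives in RangerDefaultPolicyEvaluator.evaluate(), so the ACLs this API reports can drift from what enforcement decides if either side changes later. getResourceACLs() output is presumably used to display or audit effective access, so a divergence would mis-state who can reach a resource. Consider moving the mapping into one helper shared by both paths, or at least making the coupling explicit with a comment such as `// keep in sync with RangerDefaultPolicyEvaluator.evaluate(): ANCESTOR tag matches are evaluated as SELF`. The fixture change in this commit only adds a `dataMasks` expectation, so a case asserting the access-ACL result for an ancestor-tagged resource would be worth adding. The enclosing method starts and ends outside this hunk, so other uses of `tagMatchType` are not visible here.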
 
diff --git 
a/agents-common/src/test/resources/policyengine/test_aclprovider_resource_hierarchy_tags.json
 
b/agents-common/src/test/resources/policyengine/test_aclprovider_resource_hierarchy_tags.json
index dac583c4a..206a6563d 100644
--- 
a/agents-common/src/test/resources/policyengine/test_aclprovider_resource_hierarchy_tags.json
+++ 
b/agents-common/src/test/resources/policyengine/test_aclprovider_resource_hierarchy_tags.json
@@ -214,6 +214,7 @@
             "dba":       { "create":  { "result": 1, "isFinal": true } }
           },
           "dataMasks": [
+            { "users": [ "test-user" ], "groups": [], "roles": [], 
"accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_NONE" }, 
"isConditional": false },
             { "users": [ "test-user" ], "groups": [], "roles": [], 
"accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, 
"isConditional": false }
           ]
         }
