This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 84ef6e5b1 RANGER-4723: updated zone matcher to handle descendent match
84ef6e5b1 is described below
commit 84ef6e5b1c8d14291d6cf245467ae8166288434d
Author: Madhan Neethiraj <[email protected]>
AuthorDate: Tue Feb 20 21:23:26 2024 -0800
RANGER-4723: updated zone matcher to handle descendent match
---
.../ranger/plugin/policyengine/RangerSecurityZoneMatcher.java | 10 +++++++++-
.../plugin/policyengine/TestRangerSecurityZoneMatcher.java | 2 +-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerSecurityZoneMatcher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerSecurityZoneMatcher.java
index a36eda0b8..822bb3902 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerSecurityZoneMatcher.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerSecurityZoneMatcher.java
@@ -26,6 +26,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
import org.apache.ranger.plugin.model.validation.RangerZoneResourceMatcher;
import
org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
+import
org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher.MatchType;
import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.plugin.util.RangerResourceEvaluatorsRetriever;
import org.apache.ranger.plugin.util.ServicePolicies.SecurityZoneInfo;
@@ -103,7 +104,14 @@ public class RangerSecurityZoneMatcher {
LOG.debug("Trying to match resource:[{}] using
matcher:[{}]", accessResource, matcher);
}
- if
(matcher.getPolicyResourceMatcher().isMatch(accessResource,
RangerPolicyResourceMatcher.MatchScope.ANY, null)) {
+ RangerPolicyResourceMatcher policyResourceMatcher =
matcher.getPolicyResourceMatcher();
+ MatchType matchType =
policyResourceMatcher.getMatchType(accessResource, null);
+
+ if (matchType == MatchType.DESCENDANT) { // add unzoned
name
+ ret.add("");
+ }
+
+ if (matchType != MatchType.NONE) {
if (LOG.isDebugEnabled()) {
LOG.debug("Matched resource:[{}] using
matcher:[{}]", accessResource, matcher);
}
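Review bot: At `ret.add("")`, the bare empty string is the only sign that `""` stands for the unzoned case, and the trailing comment `// add unzoned name` does not say why a descendant match requires it. This set presumably decides which zones' policies are evaluated for the request, so I would state the reasoning in a comment such as `// zone covers only part of the subtree under accessResource; the remainder is unzoned, so unzoned policies must be evaluated too`, and replace the literal with a named constant if the project already has one. It is also worth confirming that `getMatchType(accessResource, null) != MatchType.NONE` accepts exactly the same cases as the removed `isMatch(accessResource, RangerPolicyResourceMatcher.MatchScope.ANY, null)`, because any difference would silently change which zones apply to a resource. The enclosing method starts and ends outside the hunk.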
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerSecurityZoneMatcher.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerSecurityZoneMatcher.java
index 254184403..1506df3b5 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerSecurityZoneMatcher.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerSecurityZoneMatcher.java
@@ -72,7 +72,7 @@ public class TestRangerSecurityZoneMatcher {
res = createResource("database", "db3");
zones = zoneMatcher.getZonesForResourceAndChildren(res);
- assertEquals(createSet("z3", "z4"), zones);
+ assertEquals(createSet("", "z3", "z4"), zones);
}
private Map<String, SecurityZoneInfo> createSecurityZones() {
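Review bot: The updated assertion `assertEquals(createSet("", "z3", "z4"), zones)` pins only the positive case, where a zone matches a descendant of `db3` and the unzoned name is added. If it is not already covered outside this hunk, I would add a companion assertion that `getZonesForResourceAndChildren` does not return `""` for a resource that lies entirely inside a zone. Without it, a later change that adds the unzoned name too broadly would pass this test while widening the set of policies evaluated for zoned resources. The test method begins above the hunk, so existing cases may already cover this.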