This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new d44d5b3df RANGER-4966: Remove self node from the resourceTrie only if
it has no children, no evaluators and no wildcard-evaluators
d44d5b3df is described below
commit d44d5b3df2caa4ebf5c15e243d94cc1f573a1733
Author: Abhay Kulkarni <[email protected]>
AuthorDate: Wed Oct 23 09:57:38 2024 -0700
RANGER-4966: Remove self node from the resourceTrie only if it has no
children, no evaluators and no wildcard-evaluators
---
.../plugin/policyengine/RangerResourceTrie.java | 4 +-
.../plugin/policyengine/TestPolicyEngine.java | 7 ++
...incremental_update_for_wildcard_evaluators.json | 125 +++++++++++++++++++++
3 files changed, 134 insertions(+), 2 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
index 3a3a80e53..4f6860486 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
@@ -1101,14 +1101,14 @@ public class RangerResourceTrie<T extends
RangerResourceEvaluator> {
if (LOG.isDebugEnabled()) {
LOG.debug("==> removeSelfFromTrie(" + this + ")");
}
- if (evaluators == null && children.size() == 0) {
+ if (evaluators == null && wildcardEvaluators == null &&
children.size() == 0) {
TrieNode<U> parent = getParent();
if (parent != null) {
parent.children.remove(str.charAt(0));
}
} else {
if (LOG.isDebugEnabled()) {
- LOG.debug("removeSelfFromTrie(" + this + ") could not
remove self from Trie");
+ LOG.debug("removeSelfFromTrie(" + this + "): node is not
removed from Trie : [evaluators:" + evaluators + ", wildcard-evaluators:" +
wildcardEvaluators + ", number-of-children-nodes:" + children.size() + "]");
}
}
if (LOG.isDebugEnabled()) {
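Review bot: The new condition in `removeSelfFromTrie` treats only `null` as "no evaluators", so it depends on `evaluators` and `wildcardEvaluators` being reset to `null`, not left as empty collections, when their last entry is removed. That is not visible in this hunk; if an empty set can remain, the node would never be pruned, so this should be confirmed. Because this trie selects which policies are considered for an access request, I would state the invariant above the check, e.g. `// Keep the node while it still holds wildcard evaluators: pruning it would drop those policies from lookups after an incremental update.` As a style point, `children.size() == 0` reads better as `children.isEmpty()`. The method starts and ends outside the hunk.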
diff --git
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index 4a49374f3..c89206022 100644
---
a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++
b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -256,6 +256,13 @@ public class TestPolicyEngine {
runTestsFromResourceFiles(hdfsTestResourceFiles);
}
+ @Test
+ public void
testPolicyEngine_hdfs_incremental_update_for_wildcard_evaluators() {
+ String[] hdfsTestResourceFiles =
{"/policyengine/test_policyengine_hdfs_incremental_update_for_wildcard_evaluators.json"};
+
+ runTestsFromResourceFiles(hdfsTestResourceFiles);
+ }
+
@Test
public void testPolicyEngine_hiveForTag() {
String[] hiveTestResourceFiles = {
"/policyengine/test_policyengine_tag_hive.json" };
diff --git
a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_incremental_update_for_wildcard_evaluators.json
b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_incremental_update_for_wildcard_evaluators.json
new file mode 100644
index 000000000..f607917a8
--- /dev/null
+++
b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_incremental_update_for_wildcard_evaluators.json
@@ -0,0 +1,125 @@
+{
+ "serviceName": "hdfsdev",
+ "serviceDef": {
+ "name": "hdfs",
+ "id": 1,
+ "resources": [
+ {
+ "name": "path",
+ "type": "path",
+ "level": 1,
+ "mandatory": true,
+ "lookupSupported": true,
+ "matcher":
"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "label": "Resource Path",
+ "description": "HDFS file or directory path"
+ }
+ ],
+ "accessTypes": [
+ {
+ "name": "read",
+ "label": "Read"
+ },
+ {
+ "name": "write",
+ "label": "Write"
+ },
+ {
+ "name": "execute",
+ "label": "Execute"
+ }
+ ],
+ "contextEnrichers": [
+ {
+ "itemId": 1,
+ "name": "GeolocationEnricher",
+ "enricher":
"org.apache.ranger.plugin.contextenricher.RangerFileBasedGeolocationProvider",
+ "enricherOptions": {
+ "FilePath": "/etc/ranger/geo/geo.txt",
+ "ForceRead": "false",
+ "IPInDotFormat": "true",
+ "geolocation.meta.prefix": "TEST_"
+ }
+ }
+ ],
+ "policyConditions": [
+ {
+ "itemId": 1,
+ "name": "ScriptConditionEvaluator",
+ "evaluator":
"org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator",
+ "evaluatorOptions": {
+ "engineName": "JavaScript"
+ },
+ "label": "Script",
+ "description": "Script to execute"
+ }
+ ]
+ },
+ "policies": [
+ {
+ "id": 162,
+ "name": "read to mybu-analyst",
+ "isEnabled": true, "isAuditEnabled": true,
+ "resources": {"path": {"values": ["/mybu/analyst"], "isRecursive":
true}},
+ "policyItems": [
+ {"accesses": [{"type": "execute", "isAllowed": true}, {"type": "read",
"isAllowed": true}], "users": ["superman"]}
+ ]
+ },
+ {
+ "id": 163,
+ "name": "write to mybu-admin",
+ "isEnabled": true, "isAuditEnabled": true,
+ "resources": {"path": {"values": ["/mybu/analyst", "/mybu/admin"],
"isRecursive": true}},
+ "policyItems": [
+ {"accesses": [{"type": "write", "isAllowed": true}, {"type":
"execute", "isAllowed": true}], "users": ["superman"]}
+ ]
+ }
+ ],
+ "tests": [
+ {
+ "name": "ALLOW 'read /mybu/analyst' for u=superman",
+ "request": {"resource": {"elements": {"path": "/mybu/analyst"}},
+ "accessType": "read",
+ "user": "superman", "userGroups": [], "requestData": "read
/mybu/analyst for u=superman"
+ },
+ "result": {"isAudited": true, "isAllowed": true, "policyId": 162}
+ },
+ {
+ "name": "ALLOW 'write /mybu/analyst' for u=superman",
+ "request": {"resource": {"elements": {"path": "/mybu/analyst"}},
+ "accessType": "write",
+ "user": "superman", "userGroups": [], "requestData": "write
/mybu/analyst for u=superman"
+ },
+ "result": {"isAudited": true, "isAllowed": true, "policyId": 163}
+ }
+ ],
+ "updatedPolicies": {
+ "policyDeltas": [
+ {"changeType": 1,
+ "policy": {"version": 1, "serviceType":"hdfs", "policyType": 0,
+ "id": 163,
+ "name": "write to mybu-analyst",
+ "isEnabled": true, "isAuditEnabled": true,
+ "resources": {"path": {"values": ["/mybu/analyst",
"/mybu/admin","/mybu/test"], "isRecursive": true}},
+ "policyItems": [
+ {"accesses": [{"type": "write", "isAllowed": true}, {"type":
"execute", "isAllowed": true}], "users": ["superman"]}
+ ]
+ }
+ }
+ ]
+ },
+ "updatedTests": [
+ {
+ "name": "ALLOW 'read /mybu/analyst' for u=superman",
+ "request": {"resource": {"elements": {"path": "/mybu/analyst"}},
+ "accessType": "read",
+ "user": "superman", "userGroups": [], "requestData": "read
/mybu/analyst for u=superman"
+ },
+ "result": {"isAudited": true, "isAllowed": true, "policyId": 162}
+ }
+ ]
+}
\ No newline at end of file
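Review bot: `updatedTests` holds a single case, the read on `/mybu/analyst` through policy 162, so after the delta nothing checks the updated policy 163 itself. I would add post-update cases for `write` on `/mybu/analyst` and on the newly added `/mybu/test` (both expecting `"policyId": 163`), plus one request that must be denied, such as a different user or a path outside `/mybu`. The denied case matters for an authorization regression test because it shows the retained trie node does not over-match as well as not under-match. The file also ends without a trailing newline.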