This is an automated email from the ASF dual-hosted git repository.
dineshkumar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new c5e04517a RANGER-5162 : Tag Allowed policy is not being enforced
c5e04517a is described below
commit c5e04517af707197005e07dff2dff7cdc345a1fc
Author: Dineshkumar Yadav <[email protected]>
AuthorDate: Fri Apr 11 17:17:31 2025 +0530
RANGER-5162 : Tag Allowed policy is not being enforced
---
.../ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java | 6 ++++--
.../plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 8 +++++---
.../org/apache/ranger/plugin/util/CachedResourceEvaluators.java | 4 +---
3 files changed, 10 insertions(+), 8 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
index 920ddc716..6a9d0a041 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
@@ -147,10 +147,12 @@ private boolean matchResource(RangerAccessRequest
request) {
final RangerAccessRequest.ResourceMatchingScope
resourceMatchingScope = request.getResourceMatchingScope() != null ?
request.getResourceMatchingScope() :
RangerAccessRequest.ResourceMatchingScope.SELF;
- if (request.isAccessTypeAny() || resourceMatchingScope ==
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+ if (request.isAccessTypeAny()) {
+ ret = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType ==
RangerPolicyResourceMatcher.MatchType.DESCENDANT || (matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof
RangerTagAccessRequest);
+ } else if (resourceMatchingScope ==
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
ret = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType ==
RangerPolicyResourceMatcher.MatchType.DESCENDANT;
} else {
- ret = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS;
+ ret = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || (matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof
RangerTagAccessRequest);
}
if (ret) {
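Review bot: The middle branch, `else if (resourceMatchingScope == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS)`, is the only one of the three that does not accept `MatchType.ANCESTOR` for a `RangerTagAccessRequest`. As far as this hunk shows, a tag request with that scope and a specific access type would still skip the tag policy this commit is meant to enforce. If that is intended, a one-line comment should say so; otherwise the branch needs the same `|| (matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof RangerTagAccessRequest)` clause. The wider match depends on the concrete class of `request`, so a comment stating why an ANCESTOR match is acceptable only for tag requests, and what happens if the request arrives wrapped in another type, would help the next reader of this authorization path. The same condition is repeated in the RangerDefaultPolicyEvaluator hunk, and the diffstat lists no test file, so a regression test covering tag policies in each branch is worth adding; matchResource starts before and continues after this hunk.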
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 246cc4514..4c5818d2f 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -259,10 +259,12 @@ public void evaluate(RangerAccessRequest request,
RangerAccessResult result) {
final ResourceMatchingScope resourceMatchingScope =
request.getResourceMatchingScope() != null ? request.getResourceMatchingScope()
: ResourceMatchingScope.SELF;
final boolean isMatched;
- if (request.isAccessTypeAny() || resourceMatchingScope ==
ResourceMatchingScope.SELF_OR_DESCENDANTS) {
- isMatched = matchType == MatchType.SELF || matchType
== MatchType.SELF_AND_ALL_DESCENDANTS || matchType == MatchType.DESCENDANT;
+ if (request.isAccessTypeAny()) {
+ isMatched = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType ==
RangerPolicyResourceMatcher.MatchType.DESCENDANT || (matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof
RangerTagAccessRequest);
+ } else if (resourceMatchingScope ==
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+ isMatched = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType ==
RangerPolicyResourceMatcher.MatchType.DESCENDANT;
} else {
- isMatched = matchType == MatchType.SELF || matchType
== MatchType.SELF_AND_ALL_DESCENDANTS;
+ isMatched = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || (matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof
RangerTagAccessRequest);
}
if (isMatched) {
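Review bot: The added lines write `RangerPolicyResourceMatcher.MatchType.…` and `RangerAccessRequest.ResourceMatchingScope.…` in full, while the unchanged declaration just above and the removed lines use the short names `MatchType` and `ResourceMatchingScope`. Keeping the short form, e.g. `} else if (resourceMatchingScope == ResourceMatchingScope.SELF_OR_DESCENDANTS) {`, would make this long authorization condition easier to read and compare branch by branch. The three-branch predicate is now duplicated verbatim between this method and RangerAuditPolicyEvaluator.matchResource, so a single shared helper taking `matchType`, the scope and the request would keep the enforcement and audit paths from drifting apart when the rule next changes. evaluate starts before and continues after this hunk.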
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/CachedResourceEvaluators.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/CachedResourceEvaluators.java
index 99cb0f858..1af05bf62 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/CachedResourceEvaluators.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/CachedResourceEvaluators.java
@@ -73,9 +73,7 @@ public static Collection<RangerServiceResourceMatcher>
getEvaluators(RangerAcces
if (ret == null) {
ret =
RangerResourceEvaluatorsRetriever.getEvaluators(serviceResourceTrie,
resource.getAsMap(), request.getResourceElementMatchingScopes(), predicate);
- if (LOG.isDebugEnabled()) {
- LOG.debug("Found [{}] service-resource-matchers for
service-resource [{}]", ret.size(), resource.getAsString());
- }
+ LOG.debug("Found [{}] service-resource-matchers for
service-resource [{}]", (ret == null ? null : ret.size()),
resource.getAsString());
if (predicate != null) {
cache.cacheEvaluators(resource.getCacheKey(),
request.getResourceElementMatchingScopes(), ret);