This is an automated email from the ASF dual-hosted git repository.
dineshkumar pushed a commit to branch ranger-2.7
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.7 by this push:
new a98809e37 RANGER-5162 : Tag Allowed policy is not being enforced
a98809e37 is described below
commit a98809e3755fab5bf4da225691b08112528b0071
Author: Dineshkumar Yadav <[email protected]>
AuthorDate: Fri Apr 11 18:02:52 2025 +0530
RANGER-5162 : Tag Allowed policy is not being enforced
---
.../ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java | 6 ++++--
.../ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 6 ++++--
.../org/apache/ranger/plugin/util/CachedResourceEvaluators.java | 2 +-
3 files changed, 9 insertions(+), 5 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
index dad135aff..56dca40de 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
@@ -133,10 +133,12 @@ private boolean matchResource(RangerAccessRequest
request) {
final RangerAccessRequest.ResourceMatchingScope
resourceMatchingScope = request.getResourceMatchingScope() != null ?
request.getResourceMatchingScope() :
RangerAccessRequest.ResourceMatchingScope.SELF;
- if (request.isAccessTypeAny() || resourceMatchingScope ==
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+ if (request.isAccessTypeAny()) {
+ ret = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType ==
RangerPolicyResourceMatcher.MatchType.DESCENDANT || (matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof
RangerTagAccessRequest);
+ } else if (resourceMatchingScope ==
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
ret = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType ==
RangerPolicyResourceMatcher.MatchType.DESCENDANT;
} else {
- ret = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS;
+ ret = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || (matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof
RangerTagAccessRequest);
}
if (ret) {
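Review bot: The `else if (resourceMatchingScope == ...SELF_OR_DESCENDANTS)` branch is the only one of the three that does not accept `MatchType.ANCESTOR` for a `RangerTagAccessRequest`, so a tag request with the broader scope can match fewer policies than the same request with scope SELF. The same shape appears in `RangerDefaultPolicyEvaluator.evaluate`. If that is intended, a comment on the branch should say so, e.g. `// ANCESTOR deliberately not matched for SELF_OR_DESCENDANTS, even for tag requests`; if not, the `(matchType == ANCESTOR && request instanceof RangerTagAccessRequest)` clause belongs there too. Because this predicate decides whether a policy is considered at all, the asymmetry would presumably leave a tag policy silently unapplied rather than fail visibly. `matchResource` starts and ends outside the hunk, so the effect on the final result should be checked against the full method.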
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index e2e3137eb..724368f60 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -231,10 +231,12 @@ public void evaluate(RangerAccessRequest request,
RangerAccessResult result) {
final
RangerAccessRequest.ResourceMatchingScope resourceMatchingScope =
request.getResourceMatchingScope() != null ? request.getResourceMatchingScope()
: RangerAccessRequest.ResourceMatchingScope.SELF;
final boolean
isMatched;
- if (request.isAccessTypeAny() ||
resourceMatchingScope ==
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+ if (request.isAccessTypeAny()) {
+ isMatched = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType ==
RangerPolicyResourceMatcher.MatchType.DESCENDANT || (matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof
RangerTagAccessRequest);
+ } else if (resourceMatchingScope ==
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
isMatched = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType ==
RangerPolicyResourceMatcher.MatchType.DESCENDANT;
} else {
- isMatched = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS;
+ isMatched = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || (matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof
RangerTagAccessRequest);
}
if (isMatched) {
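Review bot: The `request instanceof RangerTagAccessRequest` clause added in `evaluate` changes which policies take part in an access decision, yet the diffstat lists only three source files and no test. A regression test that evaluates a tag request whose match type is ANCESTOR, once with a specific access type and once with access type ANY, would pin the enforcement this commit restores. The clause also needs a why-comment, for example `// RANGER-5162: for tag requests an ANCESTOR match still applies the tag policy`. The same three-way expression now lives in `RangerAuditPolicyEvaluator` as well, so a shared private helper would keep the two evaluators from drifting apart. `evaluate` continues beyond the hunk.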
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/CachedResourceEvaluators.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/CachedResourceEvaluators.java
index 9ce11e6e7..661cdf06e 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/CachedResourceEvaluators.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/CachedResourceEvaluators.java
@@ -103,7 +103,7 @@ public static Collection<RangerServiceResourceMatcher>
getEvaluators(RangerAcces
ret =
RangerResourceEvaluatorsRetriever.getEvaluators(serviceResourceTrie,
resource.getAsMap(), request.getResourceElementMatchingScopes(), predicate);
if (LOG.isDebugEnabled()) {
- LOG.debug("Found [" + ret.size() + "]
service-resource-matchers for service-resource [" + resource.getAsString() +
"]");
+ LOG.debug("Found [{}] service-resource-matchers for
service-resource [{}]", (ret == null ? null : ret.size()),
resource.getAsString());
}
if (predicate != null) {
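Review bot: The new `ret == null ? null : ret.size()` guard admits that `ret` can be null after `RangerResourceEvaluatorsRetriever.getEvaluators(...)`, but only the debug line is protected. The `if (predicate != null)` block and the return follow outside the hunk, so it should be confirmed that nothing there dereferences `ret` and that callers of `getEvaluators` tolerate a null `Collection`. A short comment above the log line, such as `// ret is null when no service-resource matcher is found`, would document the contract if that is indeed the case. Keeping the `LOG.isDebugEnabled()` guard is reasonable, since `resource.getAsString()` is still evaluated eagerly as an argument.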