This is an automated email from the ASF dual-hosted git repository.

dineshkumar pushed a commit to branch ranger-2.7
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.7 by this push:
     new aaa39530f RANGER-5202: Tag deny policy is not getting enforced on scan 
table command for hbase
aaa39530f is described below

commit aaa39530fc9065b846b2627c281cd59cca611ebc
Author: Dineshkumar Yadav <[email protected]>
AuthorDate: Fri May 2 13:53:19 2025 +0530

    RANGER-5202: Tag deny policy is not getting enforced on scan table command 
for hbase
    
    Signed-off-by: Dineshkumar Yadav <[email protected]>
---
 .../ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java     | 4 +---
 .../ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java   | 4 +---
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
index 56dca40de..a56c25072 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
@@ -133,10 +133,8 @@ private boolean matchResource(RangerAccessRequest request) 
{
 
                 final RangerAccessRequest.ResourceMatchingScope 
resourceMatchingScope = request.getResourceMatchingScope() != null ? 
request.getResourceMatchingScope() : 
RangerAccessRequest.ResourceMatchingScope.SELF;
 
-                if (request.isAccessTypeAny()) {
+                if (request.isAccessTypeAny() || resourceMatchingScope == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
                     ret = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType == 
RangerPolicyResourceMatcher.MatchType.DESCENDANT || (matchType == 
RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof 
RangerTagAccessRequest);
-                } else if (resourceMatchingScope == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
-                    ret = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType == 
RangerPolicyResourceMatcher.MatchType.DESCENDANT;
                 } else {
                     ret = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || (matchType == 
RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof 
RangerTagAccessRequest);
                 }
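Review bot: The condition on the widened branch is now character-for-character the same as the one in RangerDefaultPolicyEvaluator.evaluate (second hunk), and the commit had to restore the same missing `ANCESTOR && request instanceof RangerTagAccessRequest` clause in both copies. Moving the scope and match-type decision into one shared helper used by both evaluators would keep audit matching and access evaluation from diverging again. If the duplication stays, a comment above the `if` such as `// ANCESTOR is accepted only for tag requests, for any-access and SELF_OR_DESCENDANTS alike` would record why the clause is there. matchResource begins and ends outside this hunk.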
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 724368f60..bb00320ae 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -231,10 +231,8 @@ public void evaluate(RangerAccessRequest request, 
RangerAccessResult result) {
                                        final 
RangerAccessRequest.ResourceMatchingScope resourceMatchingScope = 
request.getResourceMatchingScope() != null ? request.getResourceMatchingScope() 
: RangerAccessRequest.ResourceMatchingScope.SELF;
                                        final boolean                           
        isMatched;
 
-                                       if (request.isAccessTypeAny()) {
+                                       if (request.isAccessTypeAny() || 
resourceMatchingScope == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
                                                isMatched = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType == 
RangerPolicyResourceMatcher.MatchType.DESCENDANT || (matchType == 
RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof 
RangerTagAccessRequest);
-                                       } else if (resourceMatchingScope == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
-                                               isMatched = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType == 
RangerPolicyResourceMatcher.MatchType.DESCENDANT;
                                        } else {
                                                isMatched = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || (matchType == 
RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof 
RangerTagAccessRequest);
                                        }
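Review bot: No test accompanies this change, since the diffstat lists only the two evaluator sources. The removed `else if` branch left a request with scope `SELF_OR_DESCENDANTS` and a specific access type unmatched when the match type was `ANCESTOR`, which is an authorization gap. A regression case should pin it: a `RangerTagAccessRequest` with a specific access type, scope `SELF_OR_DESCENDANTS` and match type `ANCESTOR`, asserting that the tag deny item is applied. As far as the hunk shows, the merged branch does not distinguish deny items from allow items, so a second case for a tag allow policy would confirm that the same widening is intended there. evaluate's body continues outside the hunk.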
