This is an automated email from the ASF dual-hosted git repository.
dineshkumar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new dd35db06b RANGER-5202: Tag deny policy is not getting enforced on scan
table command for hbase
dd35db06b is described below
commit dd35db06b631f3c962ba234cbe699fd4b67ce370
Author: Dineshkumar Yadav <[email protected]>
AuthorDate: Fri May 2 16:23:46 2025 +0530
RANGER-5202: Tag deny policy is not getting enforced on scan table command
for hbase
Signed-off-by: Dineshkumar Yadav <[email protected]>
---
.../ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java | 4 +---
.../ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 4 +---
2 files changed, 2 insertions(+), 6 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
index 6a9d0a041..b916825bc 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
@@ -147,10 +147,8 @@ private boolean matchResource(RangerAccessRequest request)
{
final RangerAccessRequest.ResourceMatchingScope
resourceMatchingScope = request.getResourceMatchingScope() != null ?
request.getResourceMatchingScope() :
RangerAccessRequest.ResourceMatchingScope.SELF;
- if (request.isAccessTypeAny()) {
+ if (request.isAccessTypeAny() || resourceMatchingScope ==
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
ret = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType ==
RangerPolicyResourceMatcher.MatchType.DESCENDANT || (matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof
RangerTagAccessRequest);
- } else if (resourceMatchingScope ==
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
- ret = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType ==
RangerPolicyResourceMatcher.MatchType.DESCENDANT;
} else {
ret = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || (matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof
RangerTagAccessRequest);
}
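Review bot: The tag term `(matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof RangerTagAccessRequest)` is still spelled out separately in each branch of this if/else in matchResource. The removed `else if` branch was the one copy that lacked it, which, going by the commit title, is how tag deny policies went unenforced for SELF_OR_DESCENDANTS requests. The two remaining branches now differ only in the DESCENDANT term, so the predicate can be written once: `final boolean withDescendants = request.isAccessTypeAny() || resourceMatchingScope == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS;` followed by `ret = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || (withDescendants && matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT) || (matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof RangerTagAccessRequest);`. The same applies to the identical `isMatched` block in RangerDefaultPolicyEvaluator.evaluate (second hunk), and ideally both evaluators would call one shared helper so the authorization and audit paths cannot drift apart again; both method bodies extend beyond their hunks. The diffstat lists only these two main-source files, so a regression test that evaluates a tag deny policy under SELF_OR_DESCENDANTS scope would be worth adding with this fix.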
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 4c5818d2f..16389da7e 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -259,10 +259,8 @@ public void evaluate(RangerAccessRequest request,
RangerAccessResult result) {
final ResourceMatchingScope resourceMatchingScope =
request.getResourceMatchingScope() != null ? request.getResourceMatchingScope()
: ResourceMatchingScope.SELF;
final boolean isMatched;
- if (request.isAccessTypeAny()) {
+ if (request.isAccessTypeAny() || resourceMatchingScope ==
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
isMatched = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType ==
RangerPolicyResourceMatcher.MatchType.DESCENDANT || (matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof
RangerTagAccessRequest);
- } else if (resourceMatchingScope ==
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
- isMatched = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType ==
RangerPolicyResourceMatcher.MatchType.DESCENDANT;
} else {
isMatched = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || (matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof
RangerTagAccessRequest);
}