This is an automated email from the ASF dual-hosted git repository.

fatehsingh pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new c324fba5a RANGER-5225: Override policy should take precedence over 
normal deny policy (#588)
c324fba5a is described below

commit c324fba5ab2e0ad3c50b9c5a7921d420129fd642
Author: Fateh Singh <[email protected]>
AuthorDate: Thu Jul 10 12:14:37 2025 -0700

    RANGER-5225: Override policy should take precedence over normal deny policy 
(#588)
    
    Co-authored-by: Madhan Neethiraj <[email protected]>
---
 .../RangerDefaultPolicyEvaluator.java              |  8 +++--
 .../policyengine/test_policyengine_tag_hdfs.json   | 42 ++++++++++++++++++++--
 .../policyengine/test_policyengine_tag_hive.json   | 18 +++++++++-
 3 files changed, 63 insertions(+), 5 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 16389da7e..ee72ca27d 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -611,8 +611,12 @@ protected void evaluatePolicyItems(RangerAccessRequest 
request, MatchType matchT
                             if (getPolicyPriority() >= oldPriority && 
allowResult != null && (oneRequest.isAccessTypeAny() || 
RangerAccessRequestUtil.getIsAnyAccessInContext(oneRequest.getContext()))) {
                                 accessTypeResults.put(accessType, allowResult);
                             } else {
-                                if (getPolicyPriority() > oldPriority && 
denyResult != null) {
-                                    accessTypeResults.put(accessType, 
denyResult);
+                                if (getPolicyPriority() > oldPriority) {
+                                    if (allowResult != null) {
+                                        accessTypeResults.put(accessType, 
allowResult);
+                                    } else if (denyResult != null) {
+                                        accessTypeResults.put(accessType, 
denyResult);
+                                    }
                                 }
                             }
                         }
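Review bot: In the new `if (getPolicyPriority() > oldPriority)` branch, a higher-priority policy that yields both a non-null `allowResult` and a non-null `denyResult` for the same access type now records the allow, whereas the replaced code only ever promoted `denyResult` at this point; if the computation of those two values (above the hunk) can produce both for one access type, confirm that allow-before-deny is the intended precedence, since deny items are normally expected to win within a single policy. Whichever order is intended, the rule is subtle enough to deserve a comment on the new `if`, e.g. `// a higher-priority (override) policy replaces the lower-priority result for this access type, taking its allow first and its deny only when no allow matched`. The enclosing method evaluatePolicyItems starts before and ends after this hunk, so the surrounding loop and the origin of oldPriority are not visible here.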
diff --git 
a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json 
b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json
index eb2251c3c..b7cd6e349 100644
--- 
a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json
+++ 
b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json
@@ -89,6 +89,31 @@
         }
       ],
       "denyExceptions":[ ]
+    },
+    {
+      "id": 3,
+      "name": "/override-resource: allow: users=user-td, user-ra-td, 
user-rd-td",
+      "isEnabled": true,
+      "isAuditEnabled": false,
+      "policyPriority":1,
+      "resources": {
+        "path": { "values": [ "/override-resource" ], "isRecursive": true }
+      },
+      "policyItems": [
+        {
+          "accesses":[
+            {"type":"read" },
+            {"type":"write" }
+          ],
+          "users":["user-td", "user-ra-td", "user-rd-td"],
+          "groups":[],
+          "delegateAdmin":false,
+          "conditions" : []
+        }
+      ],
+      "allowExceptions":[],
+      "denyPolicyItems": [],
+      "denyExceptions":[]
     }
   ],
 
@@ -688,8 +713,21 @@
       },
       "result": { "isAudited": false, "isAllowed": false, "policyId": -1 }
     }
-
-
+    ,
+    {
+      "name": "ALLOW 'read /override-resource' for u=user-td",
+      "request": {
+        "resource": { "elements": { "path": "/override-resource" } },
+        "accessType": "read",
+        "user": "user-td",
+        "userGroups": [ ],
+        "requestData": "read /override-resource",
+        "context": {
+          "TAGS": "[{\"type\":\"PII\"}]"
+        }
+      },
+      "result": { "isAudited": true, "isAllowed": true, "policyId": 3 }
+    }
   ]
 }
 
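Review bot: The added case expects `"isAudited": true` with `"policyId": 3`, yet policy 3 in the first hunk of this file is declared with `"isAuditEnabled": false`; presumably the audit flag is set by the PII tag policy whose deny this override is meant to beat, but a reader of the fixture cannot see that, so the case name could state it, e.g. `"name": "ALLOW 'read /override-resource' for u=user-td (override beats tag deny; audited via tag policy)"`. Also the separator added as `,` on a line of its own after the previous `}` (in place of the two removed blank lines) does not match how the other entries in this array are joined; writing `},` on the preceding closing line would keep the file uniform.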
diff --git 
a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json 
b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
index 81feced15..0c8ae5d65 100644
--- 
a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
+++ 
b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
@@ -55,6 +55,12 @@
       "denyPolicyItems":[
         
{"accesses":[{"type":"select","isAllowed":true}],"users":["denieduser"],"groups":[],"delegateAdmin":false}
       ]
+    },
+    {"id":104,"name":"db=default, table=table-override: 
audit-all-access","isEnabled":true,"isAuditEnabled":true,"policyPriority":1,
+      
"resources":{"database":{"values":["default"]},"table":{"values":["table-override"]},"column":{"values":["*"]}},
+      "policyItems":[
+        
{"accesses":[{"type":"read","isAllowed":true}],"users":["user-override"],"groups":[],"delegateAdmin":false}
+      ]
     }
   ],
   "tagPolicyInfo": {
@@ -185,6 +191,9 @@
         "resources":{"tag":{"values":["PII"],"isRecursive":false}},
         "policyItems":[
           
{"accesses":[{"type":"hive:select","isAllowed":true}],"users":["hive"],"groups":[],"delegateAdmin":false}
+        ],
+        "denyPolicyItems":[
+          
{"accesses":[{"type":"hive:select","isAllowed":true}],"users":["user-override"],"groups":[],"delegateAdmin":false}
         ]
       },
       
{"id":3,"name":"PII_TAG_POLICY-FINAL","isEnabled":true,"isAuditEnabled":true,
@@ -367,8 +376,15 @@
         "context": {"TAGS":"[{\"type\":\"PII\", 
\"attributes\":{\"expiry\":\"2026/06/15\"}}]"}
       },
       "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+    },
+    {"name":"ALLOW 'select * from default.table-override;' for user-override",
+      "request":{
+        "resource":{"elements":{"database":"default", 
"table":"table-override", "column":"name"}},
+        
"accessType":"read","user":"user-override","userGroups":[],"requestData":"select
 * from default.table-override",
+        "context": {"TAGS":"[{\"type\":\"PII\"}]"}
+      },
+      "result":{"isAudited":true,"isAllowed":true,"policyId":104}
     }
-
   ]
 }
 
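Review bot: The added request and policy 104 both use `"accessType":"read"` / `"type":"read"`, while the deny item added to the PII tag policy in the earlier hunk is for `"hive:select"` and the existing resource policy in this file uses `"select"`; unless the service definition in this file (outside the hunks) maps read to select, the new tag deny may never apply to this request, and the case would then pass without exercising the override-over-deny path the commit fixes. Worth verifying against the serviceDef and, if needed, changing the request to `"accessType":"select"` so the case actually hits the tag deny. If read is deliberately a distinct access type in this fixture, a short hint in the case name would stop the next reader from asking the same question.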
