Repository: ranger Updated Branches: refs/heads/master d8295fe6c -> a6c9065c6
RANGER-2086: Resource data mask policy overrides when both tag and resource datamask policies match Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/a6c9065c Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/a6c9065c Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/a6c9065c Branch: refs/heads/master Commit: a6c9065c65e125771cf3b2ffb58599687b7dd387 Parents: d8295fe Author: Abhay Kulkarni <[email protected]> Authored: Wed Apr 25 16:19:23 2018 -0700 Committer: Abhay Kulkarni <[email protected]> Committed: Wed Apr 25 16:19:23 2018 -0700 ---------------------------------------------------------------------- .../RangerDefaultDataMaskPolicyItemEvaluator.java | 2 +- .../plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 7 ++++++- .../RangerDefaultRowFilterPolicyItemEvaluator.java | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/a6c9065c/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java index 557dd0a..5582124 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java @@ -45,7 +45,7 @@ public class RangerDefaultDataMaskPolicyItemEvaluator extends RangerDefaultPolic public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) { RangerPolicyItemDataMaskInfo dataMaskInfo = getDataMaskInfo(); - if (dataMaskInfo != null) { + if (result.getMaskType() == null && dataMaskInfo != null) { result.setMaskType(dataMaskInfo.getDataMaskType()); result.setMaskCondition(dataMaskInfo.getConditionExpr()); result.setMaskedValue(dataMaskInfo.getValueExpr()); http://git-wip-us.apache.org/repos/asf/ranger/blob/a6c9065c/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java index c3a9760..e16148d 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java @@ -457,7 +457,9 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator @Override public void updateAccessResult(RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType, boolean isAllowed, String reason) { - + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerDefaultPolicyEvaluator.updateAccessResult(" + result + ", " + matchType +", " + isAllowed + ", " + reason + ", " + getId() + ")"); + } if (!isAllowed) { if (matchType != RangerPolicyResourceMatcher.MatchType.DESCENDANT || !result.getAccessRequest().isAccessTypeAny()) { result.setIsAllowed(false); @@ -473,6 +475,9 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator result.setReason(reason); } } + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerDefaultPolicyEvaluator.updateAccessResult(" + result + ", " + matchType +", " + isAllowed + ", " + reason + ", " + getId() + ")"); + } } /* http://git-wip-us.apache.org/repos/asf/ranger/blob/a6c9065c/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java index 26ded0e..0831dde 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java @@ -45,7 +45,7 @@ public class RangerDefaultRowFilterPolicyItemEvaluator extends RangerDefaultPoli public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) { RangerPolicyItemRowFilterInfo rowFilterInfo = getRowFilterInfo(); - if (rowFilterInfo != null) { + if (result.getFilterExpr() == null && rowFilterInfo != null) { result.setFilterExpr(rowFilterInfo.getFilterExpr()); policyEvaluator.updateAccessResult(result, matchType, true, getComments()); }
