Repository: ranger Updated Branches: refs/heads/ranger-1.0 952fe4535 -> 89864e60b
RANGER-2086: Resource data mask policy overrides when both tag and resource datamask policies match Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/89864e60 Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/89864e60 Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/89864e60 Branch: refs/heads/ranger-1.0 Commit: 89864e60bfd96adaa7ebcc332635e3d924ec419d Parents: 952fe45 Author: Abhay Kulkarni <[email protected]> Authored: Wed Apr 25 16:19:23 2018 -0700 Committer: Abhay Kulkarni <[email protected]> Committed: Wed Apr 25 16:43:43 2018 -0700 ---------------------------------------------------------------------- .../RangerDefaultDataMaskPolicyItemEvaluator.java | 2 +- .../plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 7 ++++++- .../RangerDefaultRowFilterPolicyItemEvaluator.java | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/89864e60/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
index bbb450c..2ff3b1e 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
@@ -47,7 +47,7 @@ public class RangerDefaultDataMaskPolicyItemEvaluator extends RangerDefaultPolic
 public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) {
 RangerPolicyItemDataMaskInfo dataMaskInfo = getDataMaskInfo();
- if (dataMaskInfo != null) {
+ if (result.getMaskType() == null && dataMaskInfo != null) {
 result.setMaskType(dataMaskInfo.getDataMaskType());
 result.setMaskCondition(dataMaskInfo.getConditionExpr());
 result.setMaskedValue(dataMaskInfo.getValueExpr());
http://git-wip-us.apache.org/repos/asf/ranger/blob/89864e60/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 7ede98f..333a2e1 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -365,7 +365,9 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 @Override
 public void updateAccessResult(RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType, boolean isAllowed, String reason) {
-
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerDefaultPolicyEvaluator.updateAccessResult(" + result + ", " + matchType +", " + isAllowed + ", " + reason + ", " + getId() + ")");
+ }
 if (!isAllowed) {
 if (matchType != RangerPolicyResourceMatcher.MatchType.DESCENDANT || !result.getAccessRequest().isAccessTypeAny()) {
 result.setIsAllowed(false);
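Review bot: The new guard `result.getMaskType() == null` in RangerDefaultDataMaskPolicyItemEvaluator makes the first policy that writes a mask win, but nothing in the hunk states which policy is expected to get there first, so the precedence between tag and resource policies rests on an evaluation order defined elsewhere. I would add a comment above the condition such as `// first matching masking policy wins; tag policies are expected to be evaluated before resource policies` (order inferred from the commit title, please confirm). The guard also uses null as the "undecided" marker: if `getDataMaskType()` can return null, a matching item leaves the result open and a later policy can still replace the mask, so it is worth confirming that an empty mask definition cannot reach this point. The same applies to `result.getFilterExpr() == null` in RangerDefaultRowFilterPolicyItemEvaluator, where the call to `policyEvaluator.updateAccessResult(...)` sits inside the guarded block and is skipped together with the filter. The method body continues outside the hunk.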
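Review bot: `result` and `reason` are concatenated into the debug message unmodified in RangerDefaultPolicyEvaluator.updateAccessResult, and the row-filter hunk of this commit shows `getComments()` being passed as the reason, i.e. free text taken from a policy item. If the log layout does not neutralise line breaks, that text can split or imitate log lines, and depending on what `RangerAccessResult.toString()` prints the message may put mask and filter expressions in front of anyone who can read debug logs; consider logging only `getId()`, `matchType` and `isAllowed`, or sanitising the free text first. The exit message (`<==`) added in the second hunk of this file has the same shape. Minor style: `matchType +", "` is missing a space before the string literal. The method body runs from this hunk into the next one.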
@@ -379,6 +381,9 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 result.setReason(reason);
 }
 }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerDefaultPolicyEvaluator.updateAccessResult(" + result + ", " + matchType +", " + isAllowed + ", " + reason + ", " + getId() + ")");
+ }
 }
 protected void evaluatePolicyItems(RangerAccessRequest request, RangerPolicyResourceMatcher.MatchType matchType, RangerAccessResult result) {
http://git-wip-us.apache.org/repos/asf/ranger/blob/89864e60/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
index 1f1fdb8..d0a7ed7 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
@@ -46,7 +46,7 @@ public class RangerDefaultRowFilterPolicyItemEvaluator extends RangerDefaultPoli
 public void updateAccessResult(RangerPolicyEvaluator policyEvaluator, RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) {
 RangerPolicyItemRowFilterInfo rowFilterInfo = getRowFilterInfo();
- if (rowFilterInfo != null) {
+ if (result.getFilterExpr() == null && rowFilterInfo != null) {
 result.setFilterExpr(rowFilterInfo.getFilterExpr());
 policyEvaluator.updateAccessResult(result, matchType, true, getComments());
 }
