This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 8ebf1dc RANGER-2343: Evaluate tag policies in the same security zone
as accessed resource
8ebf1dc is described below
commit 8ebf1dc2fd5a8c4f0e7dca7f55cd7c60916de27a
Author: Abhay Kulkarni <>
AuthorDate: Thu Mar 7 09:49:38 2019 -0800
RANGER-2343: Evaluate tag policies in the same security zone as accessed
resource
---
.../policyengine/RangerPolicyEngineImpl.java | 24 ++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index e239c89..d709dcc 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -1246,7 +1246,7 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
}
}
if (policyRepository != null) {
- ret = evaluatePoliciesNoAudit(request, policyType,
policyRepository, tagPolicyRepository);
+ ret = evaluatePoliciesNoAudit(request, policyType,
zoneName, policyRepository, tagPolicyRepository);
ret.setZoneName(zoneName);
}
@@ -1257,9 +1257,9 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
return ret;
}
- private RangerAccessResult evaluatePoliciesNoAudit(RangerAccessRequest
request, int policyType, RangerPolicyRepository policyRepository,
RangerPolicyRepository tagPolicyRepository) {
+ private RangerAccessResult evaluatePoliciesNoAudit(RangerAccessRequest
request, int policyType, String zoneName, RangerPolicyRepository
policyRepository, RangerPolicyRepository tagPolicyRepository) {
if (LOG.isDebugEnabled()) {
- LOG.debug("==>
RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" +
policyType + ")");
+ LOG.debug("==>
RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" +
policyType + ", zoneName=" + zoneName + ")");
}
RangerAccessResult ret = createAccessResult(request,
policyType);
@@ -1267,7 +1267,7 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
if (ret != null && request != null) {
- evaluateTagPolicies(request, policyType,
tagPolicyRepository, ret);
+ evaluateTagPolicies(request, policyType, zoneName,
tagPolicyRepository, ret);
if (LOG.isDebugEnabled()) {
if (ret.getIsAccessDetermined() &&
ret.getIsAuditedDetermined()) {
@@ -1340,15 +1340,15 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
}
if (LOG.isDebugEnabled()) {
- LOG.debug("<==
RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" +
policyType + "): " + ret);
+ LOG.debug("<==
RangerPolicyEngineImpl.evaluatePoliciesNoAudit(" + request + ", policyType =" +
policyType + ", zoneName=" + zoneName + "): " + ret);
}
return ret;
}
- private void evaluateTagPolicies(final RangerAccessRequest request, int
policyType, RangerPolicyRepository tagPolicyRepository, RangerAccessResult
result) {
+ private void evaluateTagPolicies(final RangerAccessRequest request, int
policyType, String zoneName, RangerPolicyRepository tagPolicyRepository,
RangerAccessResult result) {
if (LOG.isDebugEnabled()) {
- LOG.debug("==>
RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" +
policyType + ", " + result + ")");
+ LOG.debug("==>
RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" +
policyType + ", zoneName=" + zoneName + ", " + result + ")");
}
Date accessTime = request.getAccessTime() != null ?
request.getAccessTime() : new Date();
@@ -1361,6 +1361,14 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
for (PolicyEvaluatorForTag policyEvaluator :
policyEvaluators) {
RangerPolicyEvaluator evaluator =
policyEvaluator.getEvaluator();
+ String policyZoneName =
evaluator.getPolicy().getZoneName();
+ if (!StringUtils.equals(zoneName,
policyZoneName)) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Tag policy does not
belong to the zone:[" + zoneName + "] of the accessed resource. Not evaluating
this policy:[" + evaluator.getPolicy() + "]");
+ }
+ continue;
+ }
+
RangerTagForEval tag = policyEvaluator.getTag();
RangerAccessRequest tagEvalRequest = new
RangerTagAccessRequest(tag, tagPolicyRepository.getServiceDef(), request);
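Review bot: The zone check added at the top of the loop uses `StringUtils.equals(zoneName, policyZoneName)`, which treats null and the empty string as different values; if the engine represents "no zone" as null while a stored policy carries "" (or the reverse — the hunk does not show which convention each side uses), every unzoned tag policy, deny policies included, would be skipped silently, so the comparison should normalize both sides first, e.g. `if (!StringUtils.equals(StringUtils.defaultString(zoneName), StringUtils.defaultString(policyZoneName))) {`. Because this `continue` removes a whole class of policies from evaluation, the only evidence of a mismatch is a debug-level message, which makes a zone-name mismatch hard to notice in a deployment; worth confirming that unzoned resources and unzoned tag policies actually compare equal in a test. The new `zoneName` parameter of `evaluateTagPolicies` (the method starts in the previous hunk, outside this one) has no comment stating the contract; a Javadoc line such as `Evaluates only the tag policies whose zone name equals {@code zoneName}; tag policies from any other zone are skipped, so cross-zone tag policies never affect this request.` would make the isolation semantics explicit to the next maintainer.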
@@ -1407,7 +1415,7 @@ public class RangerPolicyEngineImpl implements
RangerPolicyEngine {
}
if (LOG.isDebugEnabled()) {
- LOG.debug("<==
RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" +
policyType + ", " + result + ")");
+ LOG.debug("<==
RangerPolicyEngineImpl.evaluateTagPolicies(" + request + ", policyType =" +
policyType + ", zoneName=" + zoneName + ", " + result + ")");
}
}