This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 52936a5 RANGER-2603: Delegate Admin processing incorrectly giving
policy access to user - due to owner policies
52936a5 is described below
commit 52936a50cfde9959825cd57d62593873941dc9b4
Author: Abhay Kulkarni <[email protected]>
AuthorDate: Thu Oct 3 21:51:43 2019 -0700
RANGER-2603: Delegate Admin processing incorrectly giving policy access to
user - due to owner policies
---
.../ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 3e00d1e..8469605 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -358,7 +358,7 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
LOG.debug("==>
RangerDefaultPolicyEvaluator.isAccessAllowed(" + resources + ", " + user + ", "
+ userGroups + ", " + accessType + ")");
}
- boolean ret = isAccessAllowed(user, userGroups, null, user,
accessType) && isMatch(resources, null);
+ boolean ret = isAccessAllowed(user, userGroups, null, null,
accessType) && isMatch(resources, null);
if(LOG.isDebugEnabled()) {
LOG.debug("<==
RangerDefaultPolicyEvaluator.isAccessAllowed(" + resources + ", " + user + ", "
+ userGroups + ", " + accessType + "): " + ret);
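Review bot: The bare `null` now passed as the fourth argument of `isAccessAllowed(...)` carries no explanation, so a later cleanup could restore `user` there and reopen the over-grant named in the commit title; the same applies to the call in the second hunk (`@@ -373,7 +373,7`). Judging by the title, that argument is presumably the resource owner, and passing the caller in that position let owner-scoped policy items satisfy the delegated-admin check; the callee's signature is outside the hunk, so this should be confirmed, along with its handling of a null owner. I would add above both calls `// owner is intentionally null: a delegated-admin check must not be satisfied by owner-based policy items (RANGER-2603)`. The diffstat shows only this one file changed, so a regression test asserting that a user matched solely by an owner policy item is denied delegated admin would be worth adding. Both enclosing methods begin and end outside the hunks.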
@@ -373,7 +373,7 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
LOG.debug("==>
RangerDefaultPolicyEvaluator.isAccessAllowed(" + policy.getId() + ", " + user +
", " + userGroups + ", " + roles + ", " + accessType + ")");
}
- boolean ret = isAccessAllowed(user, userGroups, roles, user,
accessType) && isMatch(policy, null);
+ boolean ret = isAccessAllowed(user, userGroups, roles, null,
accessType) && isMatch(policy, null);
if(LOG.isDebugEnabled()) {
LOG.debug("<==
RangerDefaultPolicyEvaluator.isAccessAllowed(" + policy.getId() + ", " + user +
", " + userGroups + ", " + roles + ", " + accessType + "): " + ret);