This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new a378f285a RANGER-4192: A higher priority Data-masking policy is not
considered when computing Datamask type
a378f285a is described below
commit a378f285a540dcee5f71069c613e198e024d0872
Author: Abhay Kulkarni <[email protected]>
AuthorDate: Tue Apr 18 15:41:46 2023 -0700
RANGER-4192: A higher priority Data-masking policy is not considered when
computing Datamask type
---
.../RangerDefaultDataMaskPolicyItemEvaluator.java | 6 ------
.../policyevaluator/RangerDefaultPolicyEvaluator.java | 4 +++-
.../RangerDefaultRowFilterPolicyItemEvaluator.java | 19 ++++++++-----------
3 files changed, 11 insertions(+), 18 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
index d979e97e1..6bf768bf1 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
@@ -80,12 +80,6 @@ public class RangerDefaultDataMaskPolicyItemEvaluator
extends RangerDefaultPolic
result.setMaskCondition(dataMaskInfo.getConditionExpr());
}
- result.setIsAccessDetermined(true);
-
result.setPolicyPriority(policyEvaluator.getPolicyPriority());
- result.setPolicyId(policyEvaluator.getPolicyId());
- result.setReason(getComments());
-
result.setPolicyVersion(policyEvaluator.getPolicy().getVersion());
-
policyEvaluator.updateAccessResult(result, matchType,
true, getComments());
}
}
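Review bot: The mask condition is still written onto `result` before `policyEvaluator.updateAccessResult(result, matchType, true, getComments())` runs, and with the direct `setPolicyId`/`setPolicyPriority`/`setPolicyVersion` calls removed, nothing visible here ties the mask fields to the policy that ends up attributed. If updateAccessResult (body not in this diff) leaves the attribution of an earlier policy in place, the audit record could name one policy while the applied mask comes from another; the row-filter evaluator's `setFilterExpr` call in the last hunk has the same shape. Either apply the mask fields only when this item actually becomes the deciding policy, or state the invariant in a comment such as `// result must not already carry a mask from another policy; mask fields are overwritten unconditionally`. The method starts above the hunk, so a guard may already exist there.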
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 2f9c1b019..96e232b43 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -887,7 +887,9 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
}
if (allowResult != null) {
- result.setAccessResultFrom(allowResult);
+ if (!result.getIsAllowed() ||
result.getPolicyPriority() < allowResult.getPolicyPriority()) {
+
result.setAccessResultFrom(allowResult);
+ }
} else if (denyResult != null) {
result.setAccessResultFrom(denyResult);
}
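Review bot: The new priority guard covers only the allow branch; the `else if (denyResult != null)` branch still calls `result.setAccessResultFrom(denyResult)` unconditionally, so a deny replaces whatever `result` already holds without comparing `getPolicyPriority()`. If that asymmetry is intended, say so in a comment, e.g. `// deny is applied regardless of the priority already recorded in result because <reason>`. The strict `<` also means an equal-priority allow keeps the earlier result, so the outcome depends on evaluation order, which is worth documenting as well. The diffstat lists only the three evaluator sources, so a regression test with a lower- and a higher-priority masking policy on the same resource would pin this authorization behaviour. The enclosing method starts and ends outside the hunk.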
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
index 63b3be964..d2b3e746b 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
@@ -34,7 +34,7 @@ public class RangerDefaultRowFilterPolicyItemEvaluator
extends RangerDefaultPoli
final private RangerRequestExprResolver exprResolver;
public RangerDefaultRowFilterPolicyItemEvaluator(RangerServiceDef
serviceDef, RangerPolicy policy, RangerRowFilterPolicyItem policyItem, int
policyItemIndex, RangerPolicyEngineOptions options) {
- super(serviceDef, policy, policyItem,
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATAMASK, policyItemIndex, options);
+ super(serviceDef, policy, policyItem,
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ROWFILTER, policyItemIndex, options);
rowFilterPolicyItem = policyItem;
@@ -60,17 +60,14 @@ public class RangerDefaultRowFilterPolicyItemEvaluator
extends RangerDefaultPoli
@Override
public void updateAccessResult(RangerPolicyEvaluator policyEvaluator,
RangerAccessResult result, RangerPolicyResourceMatcher.MatchType matchType) {
- if (result.getFilterExpr() == null) {
- if (exprResolver != null) {
-
result.setFilterExpr(exprResolver.resolveExpressions(result.getAccessRequest()));
- } else if (rowFilterExpr != null) {
- result.setFilterExpr(rowFilterExpr);
- }
+ if (exprResolver != null) {
+
result.setFilterExpr(exprResolver.resolveExpressions(result.getAccessRequest()));
+ } else if (rowFilterExpr != null) {
+ result.setFilterExpr(rowFilterExpr);
+ }
- if (result.getFilterExpr() != null) {
- policyEvaluator.updateAccessResult(result,
matchType, true, getComments());
- result.setIsAccessDetermined(true);
- }
+ if (result.getFilterExpr() != null) {
+ policyEvaluator.updateAccessResult(result, matchType,
true, getComments());
}
}
}
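Review bot: With the outer `result.getFilterExpr() == null` guard removed, the remaining `if (result.getFilterExpr() != null)` test can pass on a filter left in `result` by an earlier policy item, even when this item sets nothing because both `exprResolver` and `rowFilterExpr` are null. In that case `policyEvaluator.updateAccessResult(...)` is called with this item's comments for a filter it did not produce. Holding the resolved expression in a local and testing that local keeps the filter and its attribution together. One behavioural difference to confirm: if `resolveExpressions` returns null, the version below leaves an existing filter untouched instead of clearing it.

```java
// local type assumed from setFilterExpr's argument; confirm
final String filterExpr = exprResolver != null
        ? exprResolver.resolveExpressions(result.getAccessRequest())
        : rowFilterExpr;

if (filterExpr != null) {
    result.setFilterExpr(filterExpr);
    policyEvaluator.updateAccessResult(result, matchType, true, getComments());
}
```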