This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 96da0c834 RANGER-4639: Provide an option to bypass evaluation of 
chained plugin if the parent plugin has applicable policy
96da0c834 is described below

commit 96da0c834e6ded11f66583dbf27cdd0405a8ac13
Author: Abhay Kulkarni <[email protected]>
AuthorDate: Mon Jan 8 10:42:24 2024 -0800

    RANGER-4639: Provide an option to bypass evaluation of chained plugin if 
the parent plugin has applicable policy
---
 .../java/org/apache/ranger/plugin/service/RangerBasePlugin.java   | 8 +++++++-
 .../org/apache/ranger/plugin/service/RangerChainedPlugin.java     | 4 ++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 5d6c3d97c..9bf01b982 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -502,7 +502,13 @@ public class RangerBasePlugin {
                                        LOG.debug("BasePlugin.isAccessAllowed 
result=[" + ret + "]");
                                        LOG.debug("Calling 
chainedPlugin.isAccessAllowed for service:[" + 
chainedPlugin.plugin.pluginConfig.getServiceName() + "]");
                                }
-                               RangerAccessResult chainedResult = 
chainedPlugin.isAccessAllowed(request);
+                               RangerAccessResult chainedResult;
+
+                               if (ret.getIsAccessDetermined() && 
chainedPlugin.skipAccessCheckIfAlreadyDetermined) {
+                                       chainedResult = null;
+                               } else {
+                                       chainedResult = 
chainedPlugin.isAccessAllowed(request);
+                               }
 
                                if (chainedResult != null) {
                                        if (LOG.isDebugEnabled()) {
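Review bot: The debug line `"Calling chainedPlugin.isAccessAllowed for service:[...]"` sits above the new branch, so when `skipAccessCheckIfAlreadyDetermined` is set the trace still reports a chained evaluation that never ran. Move that log into the `else` branch and record the bypass in the `if` branch, for example `LOG.debug("Skipping chainedPlugin.isAccessAllowed for service:[" + chainedPlugin.plugin.pluginConfig.getServiceName() + "]: access already determined");`. The condition tests only `ret.getIsAccessDetermined()` and not `ret.getIsAllowed()`, so with the option on a parent allow also stops the chained plugin from being consulted. Any deny, and presumably any audit decision, that the chained plugin would have contributed is then lost. If that is intended, a comment at the branch should say so, since this is an authorization decision path. The enclosing method starts and ends outside the hunk.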
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerChainedPlugin.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerChainedPlugin.java
index b969fb687..5e52ce30c 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerChainedPlugin.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerChainedPlugin.java
@@ -19,6 +19,7 @@
 
 package org.apache.ranger.plugin.service;
 
+import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
@@ -34,6 +35,7 @@ public abstract class RangerChainedPlugin {
     protected final String           serviceType;
     protected final String           serviceName;
     protected final RangerBasePlugin plugin;
+    protected final boolean          skipAccessCheckIfAlreadyDetermined;
 
     protected RangerChainedPlugin(RangerBasePlugin rootPlugin, String 
serviceType, String serviceName) {
         LOG.info("RangerChainedPlugin(" + serviceType + ", " + serviceName + 
")");
@@ -42,6 +44,8 @@ public abstract class RangerChainedPlugin {
         this.serviceType = serviceType;
         this.serviceName = serviceName;
         this.plugin      = buildChainedPlugin(serviceType, serviceName, 
rootPlugin.getAppId());
+        RangerPluginConfig rootPluginConfig = 
rootPlugin.getPluginContext().getConfig();
+        skipAccessCheckIfAlreadyDetermined = 
rootPluginConfig.getBoolean(rootPluginConfig.getPropertyPrefix() + 
".bypass.chained.plugin.evaluation.if.access.is.determined", false);
     }
 
     public void init() {
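Review bot: The new option changes authorization behaviour, but neither the field added in the previous hunk nor the inline key `".bypass.chained.plugin.evaluation.if.access.is.determined"` is documented. Pull the suffix into a named constant, e.g. `private static final String PROP_SUFFIX_BYPASS_CHAINED_EVAL = ".bypass.chained.plugin.evaluation.if.access.is.determined";`. Give the field a Javadoc such as `/** When true, the root plugin skips this chained plugin once its own result has access determined; this plugin's policies are then not evaluated for that request. */`. The value is read from the root plugin's config under the root plugin's property prefix, so it appears to apply to every chained plugin of that root rather than per chained service, which is worth stating in the same comment. The `false` default keeps the existing evaluate-always behaviour and should stay.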
