This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 967276241 RANGER-4786: Ranger override policy is not working
967276241 is described below
commit 967276241ff593b7611576c21fb724b6839de8a2
Author: Abhay Kulkarni <[email protected]>
AuthorDate: Mon Apr 29 17:59:17 2024 -0700
RANGER-4786: Ranger override policy is not working
---
.../RangerDefaultPolicyEvaluator.java | 18 ++++++-
.../test_policyengine_hdfs_multiple_accesses.json | 58 ++++++++++++++++++++++
2 files changed, 75 insertions(+), 1 deletion(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index ded8d0993..9745dc64f 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -832,14 +832,23 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
if
(!result.getIsAllowed()) { // if access is not yet allowed by another policy
if
(matchType != RangerPolicyResourceMatcher.MatchType.ANCESTOR) {
RangerAccessResult oneResult = new RangerAccessResult(result.getPolicyType(),
result.getServiceName(), result.getServiceDef(), result.getAccessRequest());
-
oneResult.setIsAllowed(true);
oneResult.setPolicyPriority(getPolicyPriority());
oneResult.setPolicyId(getPolicyId());
oneResult.setPolicyVersion(getPolicy().getVersion());
+
if (!oneResult.getIsAuditedDetermined()) {
+
oneResult.setAuditResultFrom(result);
+
}
RangerAccessRequestUtil.setAccessTypeResult(request.getContext(), accessType,
oneResult);
}
}
+ Map<String,
RangerAccessResult> savedAccessResults =
RangerAccessRequestUtil.getAccessTypeResults(request.getContext());
+ int
allowedAccessesCount = savedAccessResults == null ? 0 :
savedAccessResults.size();
+ if
(allRequestedAccesses.size() == allowedAccessesCount) {
+
RangerAccessRequestUtil.setAccessTypeResults(request.getContext(), null);
+
result.setIsAllowed(true);
+ break;
+ }
}
}
}
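Review bot: The grant at `if (allRequestedAccesses.size() == allowedAccessesCount)` is decided by count alone, so a results map holding an entry for an access type that is not in allRequestedAccesses (for instance one left on the context by an earlier evaluation, since `setAccessTypeResults(request.getContext(), null)` only runs on the allow path) would satisfy it without every requested access actually having a saved result. For an authorization decision the check should be by membership, `if (savedAccessResults != null && savedAccessResults.keySet().containsAll(allRequestedAccesses)) {`, which also makes allowedAccessesCount unnecessary. The same count comparison is repeated in the second hunk of this file at the `allRequestedAccesses.size() == ...getAccessTypeResults(...).size()` line. Whether a stale entry can really be present could not be confirmed from here, because the loop this `break` leaves and the block closed at the end of the hunk both start outside it.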
@@ -909,6 +918,13 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
break;
} else if
(oneResult.getIsAllowed()) {
RangerAccessRequestUtil.setAccessTypeResult(request.getContext(), accessType,
oneResult);
+
+ // Check if all access
requests are satisfied, if so, access is allowed
+ if
(allRequestedAccesses.size() ==
RangerAccessRequestUtil.getAccessTypeResults(request.getContext()).size()) {
+ allowResult =
oneResult;
+
RangerAccessRequestUtil.setAccessTypeResults(request.getContext(), null);
+ break;
+ }
}
}
}
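Review bot: `RangerAccessRequestUtil.getAccessTypeResults(request.getContext()).size()` is dereferenced without a null check, while the first hunk guards the same lookup with `savedAccessResults == null ? 0 : savedAccessResults.size()`; unless `setAccessTypeResult` on the preceding line is guaranteed to create the map, this can throw NullPointerException on the first allowed access. Suggest fetching it once into a local, `Map<String, RangerAccessResult> savedAccessResults = RangerAccessRequestUtil.getAccessTypeResults(request.getContext());`, and testing `savedAccessResults != null` before reading it, so both sites use the same guard. The added comment `// Check if all access requests are satisfied, if so, access is allowed` would be clearer if it said that results saved on the context by other policies are counted too, as that is why the condition reads the context rather than a local. The enclosing loop and the declaration of allowResult lie outside the hunk.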
diff --git
a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_multiple_accesses.json
b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_multiple_accesses.json
index 6b53d2e02..8962c5a3f 100644
---
a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_multiple_accesses.json
+++
b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_multiple_accesses.json
@@ -48,6 +48,9 @@
"resources":{"path":{"values":["/public/*"],"isRecursive":true}},
"policyItems":[
{"accesses":[{"type":"execute","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false}
+ ],
+ "allowExceptions":[
+
{"accesses":[{"type":"execute","isAllowed":true}],"users":["guest"],"groups":[],"delegateAdmin":false}
]
}
,
@@ -56,10 +59,65 @@
"policyItems":[
{"accesses":[{"type":"read","isAllowed":true}],"users":["finance"],"groups":[],"delegateAdmin":false}
]
+ },
+ {"id":4,"name":"deny-all-to-finance under /public/finance to user
guest","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"path":{"values":["/public/finance"],"isRecursive":true}},
+ "denyPolicyItems":[
+ {"accesses":[{"type":"read","isAllowed":true},
{"type":"write","isAllowed":true},
{"type":"execute","isAllowed":true}],"users":["guest"],"groups":[],"delegateAdmin":false}
+ ]
+ },
+ {"id":5,"name":"allow-read-to-finance under /public/finance to user
guest","isEnabled":true,"isAuditEnabled":true, "policyPriority": 1,
+ "resources":{"path":{"values":["/public/finance"],"isRecursive":true}},
+ "policyItems":[
+
{"accesses":[{"type":"read","isAllowed":true}],"users":["guest"],"groups":[],"delegateAdmin":false}
+ ]
+ },
+ {"id":6,"name":"allow-execute-to-finance under /public/finance to user
guest","isEnabled":true,"isAuditEnabled":true, "policyPriority": 1,
+ "resources":{"path":{"values":["/public/finance"],"isRecursive":true}},
+ "policyItems":[
+
{"accesses":[{"type":"execute","isAllowed":true}],"users":["guest"],"groups":[],"delegateAdmin":false}
+ ]
}
],
"tests":[
+ {"name":"ALLOW 'read_execute /public/finance' for user guest",
+ "request":{
+ "resource":{"elements":{"path":"/public/finance"}},
+
"accessType":"read","user":"guest","userGroups":[],"requestData":"read_execute
/public/finance",
+ "context": {"ACCESSTYPES": [ "read", "execute" ]}
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":6}
+ },
+ {"name":"ALLOW 'read /public/finance' for user guest",
+ "request":{
+ "resource":{"elements":{"path":"/public/finance"}},
+ "accessType":"read","user":"guest","userGroups":[],"requestData":"read
/public/finance"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":5}
+ },
+ {"name":"ALLOW 'execute /public/finance' for user guest",
+ "request":{
+ "resource":{"elements":{"path":"/public/finance"}},
+
"accessType":"execute","user":"guest","userGroups":[],"requestData":"execute
/public/finance"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":6}
+ },
+ {"name":"DENY 'write /public/finance' for user guest",
+ "request":{
+ "resource":{"elements":{"path":"/public/finance"}},
+
"accessType":"write","user":"guest","userGroups":[],"requestData":"write
/public/finance"
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":4}
+ },
+ {"name":"DENY 'write_execute /public/finance' for user guest",
+ "request":{
+ "resource":{"elements":{"path":"/public/finance"}},
+
"accessType":"write","user":"guest","userGroups":[],"requestData":"write_execute
/public/finance",
+ "context": {"ACCESSTYPES": [ "write", "execute" ]}
+ },
+ "result":{"isAudited":true,"isAllowed":false,"policyId":4}
+ },
{"name":"ALLOW 'read_execute /public/finance' for user finance",
"request":{
"resource":{"elements":{"path":"/public/finance"}},