This is an automated email from the ASF dual-hosted git repository. maheshbandal pushed a commit to branch ranger-2.6 in repository https://gitbox.apache.org/repos/asf/ranger.git
commit df1b4f184176633f8ee0069760769151739d652b
Author: Mahesh Bandal <[email protected]>
AuthorDate: Fri Nov 8 23:03:55 2024 +0530
RANGER-4980: Delete permissions on directory is denied which has hierarchy of files/directory rooted at the argument passed to the HDFS command
---
.../ranger/plugin/service/RangerBasePlugin.java | 2 +-
.../ranger/plugin/util/RangerAccessRequestUtil.java | 10 ----------
.../authorization/hadoop/RangerHdfsAuthorizer.java | 19 -------------------
3 files changed, 1 insertion(+), 30 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 96ad6d6d8..6c051616f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -509,7 +509,7 @@ public class RangerBasePlugin { ret = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, null); } - if (ret != null && !RangerAccessRequestUtil.getIsSkipChainedPlugins(request.getContext())) { + if (ret != null) { for (RangerChainedPlugin chainedPlugin : chainedPlugins) { if (LOG.isDebugEnabled()) { LOG.debug("BasePlugin.isAccessAllowed result=[" + ret + "]");
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
index 7f20f3fa4..f76f91275 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
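Review bot: In the RangerBasePlugin.java hunk, the new guard `if (ret != null) {` makes every `isAccessAllowed` call consult the chained plugins, yet the change carries no comment and the diffstat lists no test file, so nothing records or pins the intended authorization behaviour. A comment above the guard such as `// Chained plugins are evaluated on every call, including after an earlier allow (RANGER-4980)` would keep the skip from being reintroduced later as an optimisation. A regression test for a delete on a directory tree with a chained plugin configured would pin the allow/deny outcome that the commit title describes. The loop body lies outside the hunk, so how a chained plugin's result is merged into `ret` cannot be checked from here. The RangerAccessRequestUtil hunks also remove the public `KEY_CONTEXT_IS_SKIP_CHAINED_PLUGINS`, `setIsSkipChainedPlugins` and `getIsSkipChainedPlugins`; code outside this repository that references them would no longer compile, which may be worth a release note.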
@@ -49,7 +49,6 @@ public class RangerAccessRequestUtil { public static final String KEY_CONTEXT_REQUEST = "_REQUEST"; public static final String KEY_CONTEXT_IS_REQUEST_PREPROCESSED = "ISREQUESTPREPROCESSED"; public static final String KEY_CONTEXT_RESOURCE_ZONE_NAMES = "RESOURCE_ZONE_NAMES"; - public static final String KEY_CONTEXT_IS_SKIP_CHAINED_PLUGINS = "_IS_SKIP_CHAINED_PLUGINS"; public static final String KEY_CONTEXT_ALL_ACCESSTYPE_GROUPS = "ALLACCESSTYPEGROUPS"; public static final String KEY_CONTEXT_ALL_ACCESS_TYPE_ACL_RESULTS = "ALL_ACCESS_TYPE_ACL_RESULTS";
@@ -417,13 +416,4 @@ public class RangerAccessRequestUtil { results.putIfAbsent(accessType, result); } } - - public static void setIsSkipChainedPlugins(Map<String, Object> context, Boolean value) { - context.put(KEY_CONTEXT_IS_SKIP_CHAINED_PLUGINS, value); - } - - public static boolean getIsSkipChainedPlugins(Map<String, Object> context) { - Boolean value = (Boolean) context.get(KEY_CONTEXT_IS_SKIP_CHAINED_PLUGINS); - return value != null && value; - } }
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 02cbaea64..ac7ed9e91 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -742,13 +742,6 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider { RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(inode, path, pathOwner, access, EXECUTE_ACCCESS_TYPE, operation, context.user, context.userGroups); - // if the request was already allowed by a Ranger policy (for ancestor/parent/node/child), skip chained plugin evaluations in subsequent calls - if (context.isAllowedByRangerPolicies) { - LOG.warn("This request is already allowed by Ranger policies. Ensuring that chained-plugins are not evaluated again for this request, request:[" + request + "]"); - - RangerAccessRequestUtil.setIsSkipChainedPlugins(request.getContext(), Boolean.TRUE); - } - RangerAccessResult result = context.plugin.isAccessAllowed(request, null); context.saveResult(result);
@@ -762,8 +755,6 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider { if (LOG.isDebugEnabled()) { LOG.debug("This request is for the first time allowed by Ranger policies. request:[" + request + "]"); } - - context.isAllowedByRangerPolicies = true; } if (ret == AuthzStatus.DENY || (!skipAuditOnAllow && result != null && result.getIsAccessDetermined())) {
@@ -905,13 +896,6 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider { } } - // if the request was already allowed by a Ranger policy (for ancestor/parent/node/child), skip chained plugin evaluations in subsequent calls - if (context.isAllowedByRangerPolicies) { - LOG.warn("This request is already allowed by Ranger policies. Ensuring that chained-plugins are not evaluated again for this request, request:[" + request + "]"); - - RangerAccessRequestUtil.setIsSkipChainedPlugins(request.getContext(), Boolean.TRUE); - } - RangerAccessResult result = context.plugin.isAccessAllowed(request, context.auditHandler); context.saveResult(result);
@@ -927,8 +911,6 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider { if (LOG.isDebugEnabled()) { LOG.debug("This request is for the first time allowed by Ranger policies. request:[" + request + "]"); } - - context.isAllowedByRangerPolicies = true; } }
@@ -1449,7 +1431,6 @@ class AuthzContext { public final Set<String> userGroups; public final String operationName; public boolean isTraverseOnlyCheck; - public boolean isAllowedByRangerPolicies; public RangerHdfsAuditHandler auditHandler = null; private RangerAccessResult lastResult = null;
