This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 2a340fa66 RANGER-4990: Rationalize processing of match-types for 
policy and tag evaluation
2a340fa66 is described below

commit 2a340fa6614bafb90e071ee05d60b53ab87d8ed7
Author: Abhay Kulkarni <[email protected]>
AuthorDate: Thu Nov 7 17:55:30 2024 -0800

    RANGER-4990: Rationalize processing of match-types for policy and tag 
evaluation
---
 .../plugin/contextenricher/RangerTagEnricher.java  | 11 ++++-----
 .../gds/GdsSharedResourceEvaluator.java            |  9 ++++---
 .../RangerAbstractPolicyEvaluator.java             |  4 +++-
 .../RangerAuditPolicyEvaluator.java                | 16 +++++--------
 .../RangerDefaultPolicyEvaluator.java              | 28 +++++++++-------------
 .../plugin/util/CachedResourceEvaluators.java      |  3 ++-
 .../policyengine/test_policyengine_hive.json       |  2 +-
 .../test_policyengine_marker_access_types.json     |  2 +-
 8 files changed, 33 insertions(+), 42 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index c9ca7d822..822e20fd4 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -754,14 +754,13 @@ public class RangerTagEnricher extends 
RangerAbstractContextEnricher {
                                                LOG.debug("resource:[" + 
resource + ", MatchType:[" + matchType + "]");
                                        }
 
-                                       final boolean isMatched;
+                                       final ResourceMatchingScope 
resourceMatchingScope = request.getResourceMatchingScope() != null ? 
request.getResourceMatchingScope() : ResourceMatchingScope.SELF;
+                                       final boolean               isMatched;
 
-                                       if (request.isAccessTypeAny()) {
-                                               isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
-                                       } else if 
(request.getResourceMatchingScope() == 
ResourceMatchingScope.SELF_OR_DESCENDANTS) {
-                                               isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
+                                       if (request.isAccessTypeAny() || 
resourceMatchingScope == ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+                                               isMatched = matchType == 
RangerPolicyResourceMatcher.MatchType.ANCESTOR || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType == 
RangerPolicyResourceMatcher.MatchType.DESCENDANT;
                                        } else {
-                                               isMatched = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType == 
RangerPolicyResourceMatcher.MatchType.ANCESTOR;
+                                               isMatched = matchType == 
RangerPolicyResourceMatcher.MatchType.ANCESTOR || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS;
                                        }
 
                                        if (isMatched) {
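Review bot: The new else-branch (the SELF-scope case) still accepts `MatchType.ANCESTOR`, whereas every policy evaluator touched by this commit now excludes ANCESTOR in both scopes, and nothing in the hunk records why the tag enricher differs; a comment such as `// ANCESTOR is accepted here: a tag on an ancestor resource is presumed to apply to its descendants` (confirm that is the intent) would keep a later rationalization pass from "fixing" it. The first branch now enumerates ANCESTOR, SELF, SELF_AND_ALL_DESCENDANTS and DESCENDANT, which, if MatchType has no other non-NONE value, is exactly the `matchType != MatchType.NONE` it replaces; if the intent is "anything but NONE" the shorter form cannot drift when a value is added, and if the intent is the explicit list, a comment should say so. The enclosing method starts and ends outside the hunk.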
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsSharedResourceEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsSharedResourceEvaluator.java
index 6e36c00cc..d03dd00c9 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsSharedResourceEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsSharedResourceEvaluator.java
@@ -133,12 +133,11 @@ public class GdsSharedResourceEvaluator implements 
RangerResourceEvaluator {
             ret = request.isAccessTypeAny() ? !allowedAccessTypes.isEmpty() : 
allowedAccessTypes.contains(request.getAccessType());
 
             if (ret) {
-                MatchType matchType = 
policyResourceMatcher.getMatchType(request.getResource(), 
request.getResourceElementMatchingScopes(), request.getContext());
+                final RangerAccessRequest.ResourceMatchingScope 
resourceMatchingScope = request.getResourceMatchingScope() != null ? 
request.getResourceMatchingScope() : 
RangerAccessRequest.ResourceMatchingScope.SELF;
+                final MatchType                                 matchType      
       = policyResourceMatcher.getMatchType(request.getResource(), 
request.getResourceElementMatchingScopes(), request.getContext());
 
-                if (request.isAccessTypeAny()) {
-                    ret = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
-                } else if (request.getResourceMatchingScope() == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
-                    ret = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
+                if (request.isAccessTypeAny() || resourceMatchingScope == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+                    ret = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType == 
RangerPolicyResourceMatcher.MatchType.DESCENDANT;
                 } else {
                     ret = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS;
                 }
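Review bot: The match predicate in the new `if`/`else` is one of four hand-written copies of the same rule in this commit: `RangerAbstractPolicyEvaluator.isMatch(MatchType, ResourceMatchingScope)` implements exactly this `SELF || SELF_AND_ALL_DESCENDANTS || DESCENDANT` versus `SELF || SELF_AND_ALL_DESCENDANTS` split, and RangerAuditPolicyEvaluator (second hunk) and RangerDefaultPolicyEvaluator (first hunk) repeat it again, each with its own null-to-SELF defaulting of `getResourceMatchingScope()`. Since this predicate decides which policies participate in an authorization decision, one shared implementation (for example a static helper next to `MatchType`, or a non-private method on the evaluator base class) would keep the copies from diverging the way the old `!= NONE` and explicit-list versions already had. The null-defaulting could likewise live in one place, such as a method on RangerAccessRequest that returns SELF when the scope is unset. The enclosing method starts and ends outside the hunk.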
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index 006ceefc3..60399e8bb 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -308,8 +308,10 @@ public abstract class RangerAbstractPolicyEvaluator 
implements RangerPolicyEvalu
        private boolean isMatch(MatchType matchType, ResourceMatchingScope 
matchingScope) {
                final boolean ret;
 
+               matchingScope = matchingScope != null ? matchingScope : 
ResourceMatchingScope.SELF;
+
                if (matchingScope == ResourceMatchingScope.SELF_OR_DESCENDANTS) 
{
-                       ret = matchType != MatchType.NONE;
+                       ret = matchType == MatchType.SELF || matchType == 
MatchType.SELF_AND_ALL_DESCENDANTS || matchType == MatchType.DESCENDANT;
                } else {
                        ret = matchType == MatchType.SELF || matchType == 
MatchType.SELF_AND_ALL_DESCENDANTS;
                }
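Review bot: The added statement reassigns the parameter `matchingScope` instead of introducing a local, which Checkstyle's ParameterAssignment rule flags and which makes the later `==` read as though the caller's value were being tested; `final ResourceMatchingScope scope = matchingScope != null ? matchingScope : ResourceMatchingScope.SELF;` followed by `if (scope == ResourceMatchingScope.SELF_OR_DESCENDANTS) {` preserves the behaviour. A one-line Javadoc on `isMatch` stating that ANCESTOR and NONE never match in either scope would also document the rule the rest of the commit is aligning to. The method's `return` lies below the hunk.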
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
index 96610e2eb..dad135aff 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
@@ -117,14 +117,10 @@ public class RangerAuditPolicyEvaluator extends 
RangerDefaultPolicyEvaluator {
 
         if (!matchAnyResource) {
             for (RangerPolicyResourceEvaluator resourceEvaluator : 
getResourceEvaluators()) {
-                RangerPolicyResourceMatcher.MatchType matchType;
+                final RangerPolicyResourceMatcher.MatchType matchType;
 
-                if (RangerTagAccessRequest.class.isInstance(request)) {
+                if (request instanceof RangerTagAccessRequest) {
                     matchType = ((RangerTagAccessRequest) 
request).getMatchType();
-
-                    if (matchType == 
RangerPolicyResourceMatcher.MatchType.ANCESTOR) {
-                        matchType = RangerPolicyResourceMatcher.MatchType.SELF;
-                    }
                 } else {
                     RangerPolicyResourceMatcher resourceMatcher = 
resourceEvaluator.getPolicyResourceMatcher();
 
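Review bot: Removing the ANCESTOR-to-SELF remapping in the `instanceof RangerTagAccessRequest` branch changes the outcome for tag requests whose `getMatchType()` is ANCESTOR: RangerTagEnricher in this same commit still accepts ANCESTOR matches in its SELF-scope branch, and the predicate in the next hunk no longer lists ANCESTOR, so unless the match type is normalized before the `RangerTagAccessRequest` is built, such a tag would now stop matching here, silently changing both the audit decision in this class and the access decision in RangerDefaultPolicyEvaluator (first hunk), where the identical remapping is removed. If that is intended, a comment at the `instanceof` branch, e.g. `// tag match types are used as-is; an ANCESTOR tag match does not apply at SELF scope`, would record it; if not, the remapping belongs back in both evaluators or in the enricher. The enclosing loop body continues past the hunk.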
@@ -135,10 +131,10 @@ public class RangerAuditPolicyEvaluator extends 
RangerDefaultPolicyEvaluator {
                     }
                 }
 
-                if (request.isAccessTypeAny()) {
-                    ret = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
-                } else if (request.getResourceMatchingScope() == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
-                    ret = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
+                final RangerAccessRequest.ResourceMatchingScope 
resourceMatchingScope = request.getResourceMatchingScope() != null ? 
request.getResourceMatchingScope() : 
RangerAccessRequest.ResourceMatchingScope.SELF;
+
+                if (request.isAccessTypeAny() || resourceMatchingScope == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+                    ret = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType == 
RangerPolicyResourceMatcher.MatchType.DESCENDANT;
                 } else {
                     ret = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS;
                 }
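Review bot: The new `resourceMatchingScope` local depends only on `request`, yet it is recomputed on every iteration of the `for (RangerPolicyResourceEvaluator resourceEvaluator : ...)` loop that begins in the previous hunk; hoisting it above the loop, next to `matchAnyResource`, makes the invariance obvious and removes the repeated null check. The same applies to the `resourceMatchingScope` local in RangerDefaultPolicyEvaluator's first hunk, which sits inside its per-evaluator loop as far as that hunk shows. The loop and its enclosing method end outside the hunk.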
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 621b65137..183d93a4b 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -220,23 +220,19 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
                                RangerPolicyResourceMatcher resourceMatcher = 
resourceEvaluator.getPolicyResourceMatcher();
 
                                if (!result.getIsAccessDetermined() || 
!result.getIsAuditedDetermined()) {
-                                       RangerPolicyResourceMatcher.MatchType 
matchType;
+                                       final 
RangerPolicyResourceMatcher.MatchType matchType;
 
-                                       if 
(RangerTagAccessRequest.class.isInstance(request)) {
+                                       if (request instanceof 
RangerTagAccessRequest) {
                                                matchType = 
((RangerTagAccessRequest) request).getMatchType();
-                                               if (matchType == 
RangerPolicyResourceMatcher.MatchType.ANCESTOR) {
-                                                       matchType = 
RangerPolicyResourceMatcher.MatchType.SELF;
-                                               }
                                        } else {
                                                matchType = resourceMatcher != 
null ? resourceMatcher.getMatchType(request.getResource(), 
request.getResourceElementMatchingScopes(), request.getContext()) : 
RangerPolicyResourceMatcher.MatchType.NONE;
                                        }
 
-                                       final boolean isMatched;
+                                       final 
RangerAccessRequest.ResourceMatchingScope resourceMatchingScope = 
request.getResourceMatchingScope() != null ? request.getResourceMatchingScope() 
: RangerAccessRequest.ResourceMatchingScope.SELF;
+                                       final boolean                           
        isMatched;
 
-                                       if (request.isAccessTypeAny()) {
-                                               isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
-                                       } else if 
(request.getResourceMatchingScope() == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
-                                               isMatched = matchType != 
RangerPolicyResourceMatcher.MatchType.NONE;
+                                       if (request.isAccessTypeAny() || 
resourceMatchingScope == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+                                               isMatched = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType == 
RangerPolicyResourceMatcher.MatchType.DESCENDANT;
                                        } else {
                                                isMatched = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS;
                                        }
@@ -548,13 +544,11 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
                        }
                } else {
                        if (!result.getIsAllowed()) { // if access is not yet 
allowed by another policy
-                               if (matchType != 
RangerPolicyResourceMatcher.MatchType.ANCESTOR) {
-                                       result.setIsAllowed(true);
-                                       
result.setPolicyPriority(getPolicyPriority());
-                                       result.setPolicyId(getPolicyId());
-                                       result.setReason(reason);
-                                       
result.setPolicyVersion(getPolicy().getVersion());
-                               }
+                               result.setIsAllowed(true);
+                               result.setPolicyPriority(getPolicyPriority());
+                               result.setPolicyId(getPolicyId());
+                               result.setReason(reason);
+                               
result.setPolicyVersion(getPolicy().getVersion());
                        }
                }
                if (LOG.isDebugEnabled()) {
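Review bot: Dropping the `matchType != MatchType.ANCESTOR` guard makes this allow path unconditional, so the grant now relies entirely on the caller having already rejected ANCESTOR matches, and neither the method header nor its callers are inside the hunk to confirm that invariant. Because the old guard was a defence-in-depth check on an allow decision, the new first line of the branch deserves a comment such as `// callers reach this branch only for SELF, SELF_AND_ALL_DESCENDANTS or DESCENDANT matches (see the isMatched check in the resource-evaluator loop)` so the dependency is visible to anyone adding a caller; if any path can still hand in an ANCESTOR match (for example a tag request whose match type is no longer remapped), keeping the guard is the safer choice. The surrounding if/else and the method continue beyond the hunk.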
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/CachedResourceEvaluators.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/CachedResourceEvaluators.java
index ff2d04376..9ce11e6e7 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/CachedResourceEvaluators.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/CachedResourceEvaluators.java
@@ -92,7 +92,8 @@ public class CachedResourceEvaluators {
             perf = 
RangerPerfTracer.getPerfTracer(PERF_EVALUATORS_RETRIEVAL_LOG, 
"CachedResourceEvaluators.getEvaluators(resource=" + resource.getAsString() + 
")");
         }
 
-        final Predicate predicate = !(request.isAccessTypeAny() || 
RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext()) || 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS.equals(request.getResourceMatchingScope()))
 && excludeDescendantMatches(resource) ? new 
SelfOrAncestorPredicate(helper.getResourceDef(resource.getLeafName())) : null;
+        final RangerAccessRequest.ResourceMatchingScope resourceMatchingScope 
= request.getResourceMatchingScope() != null ? 
request.getResourceMatchingScope() : 
RangerAccessRequest.ResourceMatchingScope.SELF;
+        final Predicate                                 predicate             
= !(request.isAccessTypeAny() || resourceMatchingScope == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) && 
excludeDescendantMatches(resource) ? new 
SelfOrAncestorPredicate(helper.getResourceDef(resource.getLeafName())) : null;
 
         if (predicate != null) {
             ret = cache.getEvaluators(resource.getCacheKey(), 
request.getResourceElementMatchingScopes());
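Review bot: The rewritten `predicate` condition silently drops the `RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())` term the removed line included, so a request that flags any-access through its context but carries a specific access type now gets the `SelfOrAncestorPredicate` filter applied and is served only self-or-ancestor evaluators; neither the commit title nor the hunk says whether that context flag is now redundant with `isAccessTypeAny()`. If the flag is obsolete, a comment saying so (or removing the helper) would close the question; otherwise the term should be restored, e.g. `!(request.isAccessTypeAny() || RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext()) || resourceMatchingScope == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS)`. The enclosing method continues beyond the hunk.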
diff --git 
a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json 
b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
index 8e34aa174..f064e163a 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
@@ -469,7 +469,7 @@
       "resource":{"elements":{"database":"db1", "table":"table1"}},
       
"accessType":"","user":"user1","userGroups":["users"],"requestData":"show 
columns in table1 from db1;"
      },
-     "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+     "result":{"isAudited":false,"isAllowed":false,"policyId":-1}
     }
     ,
     {"name":"DENY '_any access to db1/_/col1' for user1: table not specified 
but column was specified",
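Review bot: The expected `isAudited` for this request flips from true to false while `policyId` stays -1, so an any-access request (`"accessType":""`) on db1/table1 will no longer produce an audit record in this scenario, presumably because the policy that previously drove the audit decision matched as ANCESTOR and no longer counts; the test's `name` (above the hunk) does not say this is the intended outcome, and the commit title only mentions rationalizing match types. A short statement in the test name or the commit message that audit no longer follows ANCESTOR matches for any-access requests would make the change reviewable. The same expectation change appears in test_policyengine_marker_access_types.json.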
diff --git 
a/agents-common/src/test/resources/policyengine/test_policyengine_marker_access_types.json
 
b/agents-common/src/test/resources/policyengine/test_policyengine_marker_access_types.json
index a18523b60..59b164a97 100644
--- 
a/agents-common/src/test/resources/policyengine/test_policyengine_marker_access_types.json
+++ 
b/agents-common/src/test/resources/policyengine/test_policyengine_marker_access_types.json
@@ -386,7 +386,7 @@
         "resource": { "elements": { "database": "db1", "table": "table1" } },
         "accessType": "", "user": "user1", "userGroups": [ "users" ], 
"requestData": "show columns in table1 from db1;"
        },
-       "result": { "isAudited": true, "isAllowed": false, "policyId": -1 }
+       "result": { "isAudited": false, "isAllowed": false, "policyId": -1 }
     },
     { "name": "DENY '_any access to db1/_/col1' for user1: table not specified 
but column was specified",
       "request": {
