This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch ranger-2.6
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.6 by this push:
new 30883cf94 RANGER-4990: Rationalize processing of match-types for
policy and tag evaluation
30883cf94 is described below
commit 30883cf941dde13882ab4d8d5f94d4cd5e52e0da
Author: Abhay Kulkarni <[email protected]>
AuthorDate: Thu Nov 7 17:55:30 2024 -0800
RANGER-4990: Rationalize processing of match-types for policy and tag
evaluation
---
.../plugin/contextenricher/RangerTagEnricher.java | 11 ++++-----
.../RangerAbstractPolicyEvaluator.java | 4 +++-
.../RangerAuditPolicyEvaluator.java | 16 +++++--------
.../RangerDefaultPolicyEvaluator.java | 28 +++++++++-------------
.../plugin/util/CachedResourceEvaluators.java | 3 ++-
.../policyengine/test_policyengine_hive.json | 2 +-
.../test_policyengine_marker_access_types.json | 2 +-
7 files changed, 29 insertions(+), 37 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index c9ca7d822..822e20fd4 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -754,14 +754,13 @@ public class RangerTagEnricher extends
RangerAbstractContextEnricher {
LOG.debug("resource:[" +
resource + ", MatchType:[" + matchType + "]");
}
- final boolean isMatched;
+ final ResourceMatchingScope
resourceMatchingScope = request.getResourceMatchingScope() != null ?
request.getResourceMatchingScope() : ResourceMatchingScope.SELF;
+ final boolean isMatched;
- if (request.isAccessTypeAny()) {
- isMatched = matchType !=
RangerPolicyResourceMatcher.MatchType.NONE;
- } else if
(request.getResourceMatchingScope() ==
ResourceMatchingScope.SELF_OR_DESCENDANTS) {
- isMatched = matchType !=
RangerPolicyResourceMatcher.MatchType.NONE;
+ if (request.isAccessTypeAny() ||
resourceMatchingScope == ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+ isMatched = matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType ==
RangerPolicyResourceMatcher.MatchType.DESCENDANT;
} else {
- isMatched = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR;
+ isMatched = matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS;
}
if (isMatched) {
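Review bot: The new `isMatched` expression keeps ANCESTOR matches in both branches of this hunk, whereas the evaluator hunks in this same commit (RangerAbstractPolicyEvaluator.isMatch, RangerAuditPolicyEvaluator, RangerDefaultPolicyEvaluator) accept only SELF and SELF_AND_ALL_DESCENDANTS, plus DESCENDANT for any-access or SELF_OR_DESCENDANTS scope, and also drop the old ANCESTOR-to-SELF coercion for RangerTagAccessRequest. If the match type stored here is the one the evaluators later read through getMatchType(), a tag matched only as ANCESTOR is still collected but can no longer satisfy any tag policy, which silently changes which tag policies apply; if that is intended it deserves a comment on the new condition, e.g. `// NOTE: ANCESTOR matches are kept here although policy evaluators no longer treat them as matched — confirm intent`. The first branch also spells out four constants where the removed code used `matchType != MatchType.NONE`; if the two are meant to be equivalent the shorter form survives a new enum value, and if not, a comment naming the excluded value would help. The enclosing method starts and ends outside the hunk.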
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index d1a35a37a..7b403e4f9 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -308,8 +308,10 @@ public abstract class RangerAbstractPolicyEvaluator
implements RangerPolicyEvalu
private boolean isMatch(MatchType matchType, ResourceMatchingScope
matchingScope) {
final boolean ret;
+ matchingScope = matchingScope != null ? matchingScope :
ResourceMatchingScope.SELF;
+
if (matchingScope == ResourceMatchingScope.SELF_OR_DESCENDANTS)
{
- ret = matchType != MatchType.NONE;
+ ret = matchType == MatchType.SELF || matchType ==
MatchType.SELF_AND_ALL_DESCENDANTS || matchType == MatchType.DESCENDANT;
} else {
ret = matchType == MatchType.SELF || matchType ==
MatchType.SELF_AND_ALL_DESCENDANTS;
}
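Review bot: `matchingScope` is reassigned on the first added line to default a null argument, which hides that the method now ignores what the caller passed; a separate local reads more clearly, `final ResourceMatchingScope scope = matchingScope != null ? matchingScope : ResourceMatchingScope.SELF;` with the `if` below comparing `scope`. The same null-defaulting plus match-type test is now written out again in RangerTagEnricher, RangerAuditPolicyEvaluator, RangerDefaultPolicyEvaluator and CachedResourceEvaluators, and the copies already differ in whether ANCESTOR counts; since both evaluators extend this class per their hunk headers, widening this helper to protected and letting it take the any-access flag would keep the rule in one place. This private isMatch also does not consult isAccessTypeAny, unlike the evaluator copies; presumably the caller handles that, but it is not visible in the hunk. The method's return statement is outside the hunk.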
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
index 96610e2eb..dad135aff 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
@@ -117,14 +117,10 @@ public class RangerAuditPolicyEvaluator extends
RangerDefaultPolicyEvaluator {
if (!matchAnyResource) {
for (RangerPolicyResourceEvaluator resourceEvaluator :
getResourceEvaluators()) {
- RangerPolicyResourceMatcher.MatchType matchType;
+ final RangerPolicyResourceMatcher.MatchType matchType;
- if (RangerTagAccessRequest.class.isInstance(request)) {
+ if (request instanceof RangerTagAccessRequest) {
matchType = ((RangerTagAccessRequest)
request).getMatchType();
-
- if (matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR) {
- matchType = RangerPolicyResourceMatcher.MatchType.SELF;
- }
} else {
RangerPolicyResourceMatcher resourceMatcher =
resourceEvaluator.getPolicyResourceMatcher();
@@ -135,10 +131,10 @@ public class RangerAuditPolicyEvaluator extends
RangerDefaultPolicyEvaluator {
}
}
- if (request.isAccessTypeAny()) {
- ret = matchType !=
RangerPolicyResourceMatcher.MatchType.NONE;
- } else if (request.getResourceMatchingScope() ==
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
- ret = matchType !=
RangerPolicyResourceMatcher.MatchType.NONE;
+ final RangerAccessRequest.ResourceMatchingScope
resourceMatchingScope = request.getResourceMatchingScope() != null ?
request.getResourceMatchingScope() :
RangerAccessRequest.ResourceMatchingScope.SELF;
+
+ if (request.isAccessTypeAny() || resourceMatchingScope ==
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+ ret = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType ==
RangerPolicyResourceMatcher.MatchType.DESCENDANT;
} else {
ret = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS;
}
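Review bot: The added `resourceMatchingScope` local depends only on `request`, yet it sits inside the `for` over getResourceEvaluators() that opens in this file's first hunk (matchType declared in that loop is used here), so the null check and the two getResourceMatchingScope() calls are repeated per resource evaluator; hoist it above the loop and keep only the `if` in the loop body. The same placement appears in RangerDefaultPolicyEvaluator's first hunk, where the local is computed inside the per-evaluator block under `if (!result.getIsAccessDetermined() || !result.getIsAuditedDetermined())`. The loop this hunk belongs to starts outside the hunk, so the exact hoisting spot is inferred.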
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 621b65137..183d93a4b 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -220,23 +220,19 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
RangerPolicyResourceMatcher resourceMatcher =
resourceEvaluator.getPolicyResourceMatcher();
if (!result.getIsAccessDetermined() ||
!result.getIsAuditedDetermined()) {
- RangerPolicyResourceMatcher.MatchType
matchType;
+ final
RangerPolicyResourceMatcher.MatchType matchType;
- if
(RangerTagAccessRequest.class.isInstance(request)) {
+ if (request instanceof
RangerTagAccessRequest) {
matchType =
((RangerTagAccessRequest) request).getMatchType();
- if (matchType ==
RangerPolicyResourceMatcher.MatchType.ANCESTOR) {
- matchType =
RangerPolicyResourceMatcher.MatchType.SELF;
- }
} else {
matchType = resourceMatcher !=
null ? resourceMatcher.getMatchType(request.getResource(),
request.getResourceElementMatchingScopes(), request.getContext()) :
RangerPolicyResourceMatcher.MatchType.NONE;
}
- final boolean isMatched;
+ final
RangerAccessRequest.ResourceMatchingScope resourceMatchingScope =
request.getResourceMatchingScope() != null ? request.getResourceMatchingScope()
: RangerAccessRequest.ResourceMatchingScope.SELF;
+ final boolean
isMatched;
- if (request.isAccessTypeAny()) {
- isMatched = matchType !=
RangerPolicyResourceMatcher.MatchType.NONE;
- } else if
(request.getResourceMatchingScope() ==
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
- isMatched = matchType !=
RangerPolicyResourceMatcher.MatchType.NONE;
+ if (request.isAccessTypeAny() ||
resourceMatchingScope ==
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
+ isMatched = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType ==
RangerPolicyResourceMatcher.MatchType.DESCENDANT;
} else {
isMatched = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS;
}
@@ -548,13 +544,11 @@ public class RangerDefaultPolicyEvaluator extends
RangerAbstractPolicyEvaluator
}
} else {
if (!result.getIsAllowed()) { // if access is not yet
allowed by another policy
- if (matchType !=
RangerPolicyResourceMatcher.MatchType.ANCESTOR) {
- result.setIsAllowed(true);
-
result.setPolicyPriority(getPolicyPriority());
- result.setPolicyId(getPolicyId());
- result.setReason(reason);
-
result.setPolicyVersion(getPolicy().getVersion());
- }
+ result.setIsAllowed(true);
+ result.setPolicyPriority(getPolicyPriority());
+ result.setPolicyId(getPolicyId());
+ result.setReason(reason);
+
result.setPolicyVersion(getPolicy().getVersion());
}
}
if (LOG.isDebugEnabled()) {
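Review bot: Removing the `matchType != ANCESTOR` guard before `result.setIsAllowed(true)` makes this allow decision depend on every caller having already filtered ANCESTOR matches through the new `isMatched` logic in the first hunk; nothing in this hunk records that invariant, and any other path into this method that is not visible here and still passes an ANCESTOR match would now grant access where it previously did not. A one-line comment at the top of the else branch would preserve the intent, e.g. `// ANCESTOR matches never reach here: callers filter them via isMatched before policy items are evaluated`. The enclosing method starts and ends outside the hunk.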
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/CachedResourceEvaluators.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/CachedResourceEvaluators.java
index ff2d04376..9ce11e6e7 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/CachedResourceEvaluators.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/CachedResourceEvaluators.java
@@ -92,7 +92,8 @@ public class CachedResourceEvaluators {
perf =
RangerPerfTracer.getPerfTracer(PERF_EVALUATORS_RETRIEVAL_LOG,
"CachedResourceEvaluators.getEvaluators(resource=" + resource.getAsString() +
")");
}
- final Predicate predicate = !(request.isAccessTypeAny() ||
RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext()) ||
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS.equals(request.getResourceMatchingScope()))
&& excludeDescendantMatches(resource) ? new
SelfOrAncestorPredicate(helper.getResourceDef(resource.getLeafName())) : null;
+ final RangerAccessRequest.ResourceMatchingScope resourceMatchingScope
= request.getResourceMatchingScope() != null ?
request.getResourceMatchingScope() :
RangerAccessRequest.ResourceMatchingScope.SELF;
+ final Predicate predicate
= !(request.isAccessTypeAny() || resourceMatchingScope ==
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) &&
excludeDescendantMatches(resource) ? new
SelfOrAncestorPredicate(helper.getResourceDef(resource.getLeafName())) : null;
if (predicate != null) {
ret = cache.getEvaluators(resource.getCacheKey(),
request.getResourceElementMatchingScopes());
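Review bot: The rewritten `predicate` condition no longer checks `RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())`, which the removed line tested alongside isAccessTypeAny(); a request that signals any-access only through its context would now get the SelfOrAncestorPredicate applied and be served a cached evaluator list without descendant matches, a behavior change the commit title does not mention. If isAccessTypeAny() already reflects that context flag, a short comment saying so would stop the next reader from re-adding the call, e.g. `// isAccessTypeAny() already covers the any-access marker carried in the request context`; otherwise the old check belongs in the new expression. Switching from `equals(...)` to `==` on the enum is fine now that the null case is handled by the default.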
diff --git
a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
index 8e34aa174..f064e163a 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
@@ -469,7 +469,7 @@
"resource":{"elements":{"database":"db1", "table":"table1"}},
"accessType":"","user":"user1","userGroups":["users"],"requestData":"show
columns in table1 from db1;"
},
- "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+ "result":{"isAudited":false,"isAllowed":false,"policyId":-1}
}
,
{"name":"DENY '_any access to db1/_/col1' for user1: table not specified
but column was specified",
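Review bot: The expected `isAudited` flips from true to false for the request on db1/table1 with an empty accessType, so a request that previously produced an audit record now produces none, presumably because ANCESTOR matches no longer count for any-access requests; this is a reduction in audit coverage that the commit title does not spell out and is worth a sentence in the commit description or in the test case's name, which is above the hunk and not visible here. The same expectation change is made in test_policyengine_marker_access_types.json in the last hunk of the page.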
diff --git
a/agents-common/src/test/resources/policyengine/test_policyengine_marker_access_types.json
b/agents-common/src/test/resources/policyengine/test_policyengine_marker_access_types.json
index a18523b60..59b164a97 100644
---
a/agents-common/src/test/resources/policyengine/test_policyengine_marker_access_types.json
+++
b/agents-common/src/test/resources/policyengine/test_policyengine_marker_access_types.json
@@ -386,7 +386,7 @@
"resource": { "elements": { "database": "db1", "table": "table1" } },
"accessType": "", "user": "user1", "userGroups": [ "users" ],
"requestData": "show columns in table1 from db1;"
},
- "result": { "isAudited": true, "isAllowed": false, "policyId": -1 }
+ "result": { "isAudited": false, "isAllowed": false, "policyId": -1 }
},
{ "name": "DENY '_any access to db1/_/col1' for user1: table not specified
but column was specified",
"request": {