(ranger) 05/08: RANGER-5202: Tag deny policy is not getting enforced on scan table command for hbase

dhavalshah9131 Tue, 13 May 2025 03:32:25 -0700

This is an automated email from the ASF dual-hosted git repository.

dhavalshah9131 pushed a commit to branch RANGER-5199
in repository https://gitbox.apache.org/repos/asf/ranger.git


commit c4aba2734fac0381f6b671dae45d670ef133bfb7
Author: Dineshkumar Yadav <dineshkumar.ya...@outlook.com>
AuthorDate: Fri May 2 16:23:46 2025 +0530

    RANGER-5202: Tag deny policy is not getting enforced on scan table command 
for hbase
    
    Signed-off-by: Dineshkumar Yadav <dineshkumar.ya...@outlook.com>
---
 .../ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java     | 4 +---
 .../ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java   | 4 +---
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
index 6a9d0a041..b916825bc 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
@@ -147,10 +147,8 @@ private boolean matchResource(RangerAccessRequest request) 
{
 
                 final RangerAccessRequest.ResourceMatchingScope 
resourceMatchingScope = request.getResourceMatchingScope() != null ? 
request.getResourceMatchingScope() : 
RangerAccessRequest.ResourceMatchingScope.SELF;
 
-                if (request.isAccessTypeAny()) {
+                if (request.isAccessTypeAny() || resourceMatchingScope == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
                     ret = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType == 
RangerPolicyResourceMatcher.MatchType.DESCENDANT || (matchType == 
RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof 
RangerTagAccessRequest);
-                } else if (resourceMatchingScope == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
-                    ret = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType == 
RangerPolicyResourceMatcher.MatchType.DESCENDANT;
                 } else {
                     ret = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || (matchType == 
RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof 
RangerTagAccessRequest);
                 }
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 4c5818d2f..16389da7e 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -259,10 +259,8 @@ public void evaluate(RangerAccessRequest request, 
RangerAccessResult result) {
                     final ResourceMatchingScope resourceMatchingScope = 
request.getResourceMatchingScope() != null ? request.getResourceMatchingScope() 
: ResourceMatchingScope.SELF;
                     final boolean               isMatched;
 
-                    if (request.isAccessTypeAny()) {
+                    if (request.isAccessTypeAny() || resourceMatchingScope == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
                         isMatched = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType == 
RangerPolicyResourceMatcher.MatchType.DESCENDANT || (matchType == 
RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof 
RangerTagAccessRequest);
-                    } else if (resourceMatchingScope == 
RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
-                        isMatched = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType == 
RangerPolicyResourceMatcher.MatchType.DESCENDANT;
                     } else {
                         isMatched = matchType == 
RangerPolicyResourceMatcher.MatchType.SELF || matchType == 
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || (matchType == 
RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof 
RangerTagAccessRequest);
                     }

(ranger) 05/08: RANGER-5202: Tag deny policy is not getting enforced on scan table command for hbase

Reply via email to