Repository: incubator-ranger Updated Branches: refs/heads/master ded323b77 -> d804499ae
RANGER-323: Fix for incorrect isAudited flag determination in policy-evaluator Signed-off-by: Madhan Neethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/d804499a Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/d804499a Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/d804499a Branch: refs/heads/master Commit: d804499aed86205dc00d3e838209be195c92cc88 Parents: ded323b Author: Abhay Kulkarni <[email protected]> Authored: Mon Mar 30 14:33:34 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Tue Mar 31 10:28:26 2015 -0700 ---------------------------------------------------------------------- .../RangerDefaultPolicyEvaluator.java | 38 +++++++++++++------- 1 file changed, 26 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d804499a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index bfe5174..76e50cb 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -216,15 +216,26 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 boolean isMatchAttempted = false;
 boolean matchResult = false;
+ boolean isHeadMatchAttempted = false;
 boolean headMatchResult = false;
 if (!result.getIsAuditedDetermined()) {
 // Need to match request.resource first. If it matches (or head matches), then only more progress can be made
- matchResult = isMatch(request.getResource());
- isMatchAttempted = true;
+ if (!isMatchAttempted) {
+ matchResult = isMatch(request.getResource());
+ isMatchAttempted = true;
+ }
+
+ // Try head match only if match was not found and ANY access was requested
+ if (!matchResult) {
+ if (isAnyAccess && !isHeadMatchAttempted) {
+ headMatchResult = matchResourceHead(request.getResource());
+ isHeadMatchAttempted = true;
+ }
+ }
- if (matchResult) {
- // Do all stuff.
+ if (matchResult || headMatchResult) {
+ // We are done for determining if audit is needed for this policy
 if (policy.getIsAuditEnabled()) {
 result.setIsAudited(true);
 }
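Review bot: In the audit branch the `!isMatchAttempted` and `!isHeadMatchAttempted` guards are always true, since both flags are set to `false` just above and nothing visible runs in between, and the same match / head-match sequence is then repeated in the access branch of the next hunk. In an authorization engine these two copies must stay identical, otherwise a request could be granted on a head match that the audit decision never saw. Resolving the match once before both branches, as sketched below, removes the two bookkeeping flags and the duplication; it should be behaviour-equivalent as far as these hunks show, but the method begins and ends outside them, so confirm nothing earlier sets the flags. The commit changes only this file, so a regression test that asserts `isAudited` for an ANY-access request matching only the resource head would be worth adding.

```java
boolean headMatchResult = false;

// Resolve the resource match once, for whichever decision is still open.
if (!result.getIsAuditedDetermined() || !result.getIsAccessDetermined()) {
    matchResult = isMatch(request.getResource());
    // A head match only counts for ANY access, and only when the full match failed.
    if (!matchResult && isAnyAccess) {
        headMatchResult = matchResourceHead(request.getResource());
    }
}

// … unchanged: audit branch body (policy.getIsAuditEnabled() / result.setIsAudited(true)) …
// … unchanged: access branch, reduced to the (matchResult || headMatchResult) test …
```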
@@ -232,19 +243,22 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 }
 if (!result.getIsAccessDetermined()) {
+ // Try Match only if it was not attempted as part of evaluating Audit requirement
 if (!isMatchAttempted) {
- // Need to match request.resource first. If it matches (or head matches), then only more progress can be made
 matchResult = isMatch(request.getResource());
- isMatchAttempted = true;
+ isMatchAttempted = true;
 }
- // Try head match only if it is useful
- if (isAnyAccess) {
- headMatchResult = matchResult || matchResourceHead(request.getResource());
+ // Try Head Match only if no match was found so far AND a head match was not attempted as part of evaluating
+ // Audit requirement
+ if (!matchResult) {
+ if (isAnyAccess && !isHeadMatchAttempted) {
+ headMatchResult = matchResourceHead(request.getResource());
+ isHeadMatchAttempted = true;
+ }
 }
-
- if (matchResult || (isAnyAccess && headMatchResult)) {
- // A match was found earlier
+ // Go further to evaluate access only if match or head match was found at this point
+ if (matchResult || headMatchResult) {
 evaluatePolicyItemsForAccess(request, result);
 }
 }
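Review bot: The nested `if (!matchResult) { if (isAnyAccess && !isHeadMatchAttempted) {` in the access branch reads more easily as one condition, `if (!matchResult && isAnyAccess && !isHeadMatchAttempted) {`; the same applies to the identical pair in the audit branch. It would also help to put a comment on the flag declarations stating the invariant the final test relies on, for example `// headMatchResult is set only when the full match failed and ANY access was requested`. The enclosing method starts outside this hunk.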
