Repository: incubator-ranger Updated Branches: refs/heads/tag-policy a7ca7c674 -> 88d2ebe29
RANGER-482: HDFS plugin updated to check for traverse access (EXECUTE) when no-access is specified
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/0f8d0c5f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/0f8d0c5f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/0f8d0c5f
Branch: refs/heads/tag-policy
Commit: 0f8d0c5f7550d0c5109face03fce4ea24247a663
Parents: a7ca7c6
Author: Madhan Neethiraj <[email protected]>
Authored: Fri May 15 23:51:31 2015 -0700
Committer: Madhan Neethiraj <[email protected]>
Committed: Sun May 17 00:04:42 2015 -0700
----------------------------------------------------------------------
.../hadoop/RangerHdfsAuthorizer.java | 21 +++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0f8d0c5f/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index bd8b4c8..1599074 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -198,7 +198,7 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
 }
 try {
- if(plugin != null && (access != null || ancestorAccess != null || parentAccess != null || subAccess != null) && !ArrayUtils.isEmpty(inodes)) {
+ if(plugin != null && !ArrayUtils.isEmpty(inodes)) {
 auditHandler = new RangerHdfsAuditHandler(path);
 if(ancestorIndex >= inodes.length) {
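Review bot: The removed condition was the only thing that kept calls with no requested access (all four of access, ancestorAccess, parentAccess and subAccess null) out of the Ranger path, and the new guard on the `+` line sends every such call through plugin evaluation and allocates a RangerHdfsAuditHandler for it; nothing in the hunk records why that is now wanted. A one-line comment above the guard would spare the next reader from reverting it as an accident, e.g. `// no requested access is not a no-op: the ancestor still needs a traverse (EXECUTE) check below (RANGER-482)`. What happens to the new audit handler on the no-access path after the traverse check is outside this hunk, so whether it produces an audit record for a non-audited check cannot be confirmed here. The enclosing checkPermission-style method starts before this hunk and continues after it.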
@@ -222,10 +222,21 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
 }
 // checkAncestorAccess
- if(accessGranted && ancestorAccess != null && ancestor != null) {
- INodeAttributes ancestorAttribs = inodeAttrs.length > ancestorIndex ? inodeAttrs[ancestorIndex] : null;
+ if(accessGranted && ancestor != null) {
+ FsAction accessToCheck = ancestorAccess;
+ RangerHdfsAuditHandler auditHandlerToUse = auditHandler;
+
+ // if ancestorAccess is not specified and none of other access is specified, then check for traverse access (EXECUTE) to the ancestor
+ if(ancestorAccess == null && access == null && parentAccess == null && subAccess == null) {
+ accessToCheck = FsAction.EXECUTE;
+ auditHandlerToUse = null; // don't audit this access
+ }
- accessGranted = isAccessAllowed(ancestor, ancestorAttribs, ancestorAccess, user, groups, fsOwner, superGroup, plugin, auditHandler);
+ if(accessToCheck != null) {
+ INodeAttributes ancestorAttribs = inodeAttrs.length > ancestorIndex ? inodeAttrs[ancestorIndex] : null;
+
+ accessGranted = isAccessAllowed(ancestor, ancestorAttribs, accessToCheck, user, groups, fsOwner, superGroup, plugin, auditHandlerToUse);
+ }
 }
 // checkParentAccess
@@ -253,7 +264,7 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
 if (!(cList.isEmpty() && ignoreEmptyDir)) {
 INodeAttributes dirAttribs = dir.getSnapshotINode(snapshotId);
- accessGranted = isAccessAllowed(dir, dirAttribs, access, user, groups, fsOwner, superGroup, plugin, auditHandler);
+ accessGranted = isAccessAllowed(dir, dirAttribs, subAccess, user, groups, fsOwner, superGroup, plugin, auditHandler);
 if(! accessGranted) {
 break;
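Review bot: Setting `auditHandlerToUse = null` for the implicit traverse check means a denied EXECUTE on the ancestor can flip accessGranted to false with no Ranger audit record of it, assuming isAccessAllowed skips auditing when handed a null handler (its body is not in this hunk). From a detection standpoint an unaudited deny is the case you least want to lose; suppressing audit only on the allow side, or keeping the handler and letting it log just the deny, would preserve that signal while still avoiding noise from routine path traversals. If the silence is intentional, the comment should say so and name the consequence, e.g. `// implicit traverse check: not audited, so a denied EXECUTE here will not appear in Ranger audit logs`. The surrounding checkPermission-style method begins before this hunk and continues past it.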
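Review bot: The switch from `access` to `subAccess` in the isAccessAllowed call inside the subtree loop is a separate authorization fix that the RANGER-482 title and description do not mention, and nothing at the call site explains which of the two FsActions applies to child directories. Since the old code evaluated every directory under `dir` against the wrong action, this deserves its own line in the commit message and a comment above the call, e.g. `// recursive subtree check: each directory below 'dir' is evaluated against subAccess, not the top-level 'access'`. The loop that contains this call, and the method around it, start before the hunk and end after it.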
