RANGER-675: fix the incorrect column authorization via tag
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/54270d55 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/54270d55 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/54270d55 Branch: refs/heads/master Commit: 54270d556f0341920f25d141c55746e8ec8bbea3 Parents: 89b7ba2 Author: Madhan Neethiraj <[email protected]> Authored: Thu Oct 1 18:23:11 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Thu Oct 1 18:23:11 2015 -0700 ---------------------------------------------------------------------- .../contextenricher/RangerTagEnricher.java | 14 ++--------- .../plugin/util/RangerAccessRequestUtil.java | 26 +++++++++++++++++++- .../authorizer/RangerHiveAccessRequest.java | 3 ++- 3 files changed, 29 insertions(+), 14 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/54270d55/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index 6388c78..b5662bf 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -129,20 +129,10 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
 List<RangerTag> matchedTags = findMatchingTags(request.getResource(), serviceResourceMatchersCopy);
- if (CollectionUtils.isNotEmpty(matchedTags)) {
- RangerAccessRequestUtil.setRequestTagsInContext(request.getContext(), matchedTags);
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("RangerTagEnricher.enrich(" + request + ") - " + matchedTags.size() + " tags found by enricher.");
- }
- } else {
- if (LOG.isDebugEnabled()) {
- LOG.debug("RangerTagEnricher.enrich(" + request + ") - no tags found by enricher.");
- }
- }
+ RangerAccessRequestUtil.setRequestTagsInContext(request.getContext(), matchedTags);
 if (LOG.isDebugEnabled()) {
- LOG.debug("<== RangerTagEnricher.enrich(" + request + ")");
+ LOG.debug("<== RangerTagEnricher.enrich(" + request + "): tags count=" + (matchedTags == null ? 0 : matchedTags.size()));
 }
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/54270d55/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
index 92a87d0..0ce3721 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
@@ -19,9 +19,12 @@
 package org.apache.ranger.plugin.util;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.model.RangerTag;
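Review bot: The now-unconditional `RangerAccessRequestUtil.setRequestTagsInContext(request.getContext(), matchedTags);` call in the RangerTagEnricher hunk is what clears the tag entry when nothing matches, but nothing on the line says so, and the removed `isNotEmpty` guard is an easy "optimisation" to reintroduce later. A one-line comment such as `// always call: an empty match must clear any tags already present in the request context` would keep that authorization-relevant intent visible. The method containing this call starts above the hunk, so whether a context can actually arrive pre-populated is inferred from the commit title and the copyContext() change rather than from these lines.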
@@ -36,7 +39,11 @@ public class RangerAccessRequestUtil {
 public static final String KEY_CONTEXT_REQUESTED_RESOURCES = "REQUESTED_RESOURCES";
 public static void setRequestTagsInContext(Map<String, Object> context, List<RangerTag> tags) {
- context.put(KEY_CONTEXT_TAGS, tags);
+ if(CollectionUtils.isEmpty(tags)) {
+ context.remove(KEY_CONTEXT_TAGS);
+ } else {
+ context.put(KEY_CONTEXT_TAGS, tags);
+ }
 }
 public static List<RangerTag> getRequestTagsFromContext(Map<String, Object> context) {
@@ -101,4 +108,21 @@ public class RangerAccessRequestUtil {
 return ret;
 }
+
+ public static Map<String, Object> copyContext(Map<String, Object> context) {
+ final Map<String, Object> ret;
+
+ if(MapUtils.isEmpty(context)) {
+ ret = new HashMap<String, Object>();
+ } else {
+ ret = new HashMap<String, Object>(context);
+
+ ret.remove(KEY_CONTEXT_TAGS);
+ ret.remove(KEY_CONTEXT_TAG_OBJECT);
+ ret.remove(KEY_CONTEXT_RESOURCE);
+ // don't remove REQUESTED_RESOURCES
+ }
+
+ return ret;
+ }
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/54270d55/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java ----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
index 9f99ea1..3140056 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAccessRequest.java
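Review bot: In setRequestTagsInContext() the empty branch removes only KEY_CONTEXT_TAGS, while copyContext() in this same commit treats KEY_CONTEXT_TAG_OBJECT as resource-specific state as well. Who writes KEY_CONTEXT_TAG_OBJECT is not visible here, so this needs confirming; if an entry can be left over from an earlier evaluation, the empty branch should also do `context.remove(KEY_CONTEXT_TAG_OBJECT);` so a tag object cannot outlive the tag list it came from. The method still dereferences `context` without a null check, whereas copyContext() tolerates null through `MapUtils.isEmpty`. A Javadoc line stating that a null or empty `tags` removes the key and that `context` must be non-null would pin the contract.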
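Review bot: copyContext() strips resource-specific state through a fixed list of three keys, so any context key introduced later is copied into the derived request by default and could influence the authorization decision for a different resource — the same class of problem this commit fixes for tags. The method needs Javadoc saying that it returns a shallow copy (values that are kept, such as the REQUESTED_RESOURCES entry, remain shared with the source request), that a null or empty input yields a new empty map, and that every resource-scoped key must be added to the removal list. The `// don't remove REQUESTED_RESOURCES` comment should also state why that entry is safe to carry over; the reason is not visible in the hunk.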
@@ -27,6 +27,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType
 import org.apache.ranger.authorization.utils.StringUtil;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
+import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
 public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
@@ -101,7 +102,7 @@ public class RangerHiveAccessRequest extends RangerAccessRequestImpl {
 ret.setRequestData(getRequestData());
 ret.setClientType(getClientType());
 ret.setSessionId(getSessionId());
- ret.setContext(getContext());
+ ret.setContext(RangerAccessRequestUtil.copyContext(getContext()));
 ret.accessType = accessType;
 return ret;
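Review bot: No regression test accompanies the `ret.setContext(RangerAccessRequestUtil.copyContext(getContext()));` change in the second RangerHiveAccessRequest hunk: the diffstat lists three source files and no test, so nothing pins the behaviour that a derived request starts without the source resource's tags. A test that puts tags into a request's context, builds the derived request, and asserts its context has no KEY_CONTEXT_TAGS entry while the original's is untouched would guard against the aliasing coming back. Other request classes that hand their context map to a derived request are not visible in this commit and may be worth checking for the same pattern. The method that builds `ret` begins above the hunk.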
