Repository: incubator-ranger
Updated Branches:
  refs/heads/master 5a18b906b -> 711c69c87


RANGER-1126 : Authorization checks for non existent file/directory should not 
be recursive in Ranger Hive authorizer


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/711c69c8
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/711c69c8
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/711c69c8

Branch: refs/heads/master
Commit: 711c69c87d5315d9936b6a46fe390e2672891402
Parents: 5a18b90
Author: rmani <[email protected]>
Authored: Wed Jul 27 14:40:28 2016 -0700
Committer: rmani <[email protected]>
Committed: Wed Jul 27 14:40:28 2016 -0700

----------------------------------------------------------------------
 .../hive/authorizer/RangerHiveAuthorizer.java   | 22 ++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/711c69c8/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
----------------------------------------------------------------------
diff --git 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index bf210e2..bfe1891 100644
--- 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -1014,14 +1014,24 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
             try {
                 Path       filePath   = new Path(uri);
                 FileSystem fs         = FileSystem.get(filePath.toUri(), conf);
-                // Path       path       = 
FileUtils.getPathOrParentThatExists(fs, filePath);
-                // FileStatus fileStatus = fs.getFileStatus(path);
-                FileStatus fileStatus = 
FileUtils.getPathOrParentThatExists(fs, filePath);
+                FileStatus[] filestat = fs.globStatus(filePath);
 
-                if (FileUtils.isOwnerOfFileHierarchy(fs, fileStatus, 
userName)) {
+                if(filestat != null && filestat.length > 0) {
+                    ret = true;
+
+                    for(FileStatus file : filestat) {
+                        ret = FileUtils.isOwnerOfFileHierarchy(fs, file, 
userName) ||
+                              FileUtils.isActionPermittedForFileHierarchy(fs, 
file, userName, action);
+
+                        if(! ret) {
+                            break;
+                        }
+                     }
+                } else { // if given path does not exist then check for parent
+                    FileStatus file = FileUtils.getPathOrParentThatExists(fs, 
filePath);
+
+                    FileUtils.checkFileAccessWithImpersonation(fs, file, 
action, userName);
                     ret = true;
-                } else {
-                    ret = FileUtils.isActionPermittedForFileHierarchy(fs, 
fileStatus, userName, action);
                 }
             } catch(Exception excp) {
                 LOG.error("Error getting permissions for " + uri, excp);
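Review bot: In the new `else` branch a denial from `FileUtils.checkFileAccessWithImpersonation(...)` can only surface as an exception, because its result is discarded and `ret = true` follows unconditionally. It therefore lands in the existing `catch(Exception excp)` and is logged at error level as "Error getting permissions for ...", indistinguishable from a filesystem failure. `ret` then keeps the value it had before the `try`, which is outside this hunk and should be confirmed to be `false`; consider catching the access-denied case separately, setting `ret = false` explicitly and logging it at a lower severity. Separately, `fs.globStatus(filePath)` treats glob metacharacters in the URI as a pattern, so the check runs over the matched set rather than the literal path. If that is intended, a comment such as `// uri may contain glob characters; every match must pass the check` would make it clear.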
