Repository: incubator-ranger
Updated Branches:
  refs/heads/ranger-0.6 00e07f22b -> 2dea1f91c


RANGER-1100: Hive authorizer does not block update operations if one of the 
masked columns has mask-type as 'Unmasked' for the user

(cherry picked from commit eea868860d283f53d9d24de8909cf5d68b6cf1b7)


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/2dea1f91
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/2dea1f91
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/2dea1f91

Branch: refs/heads/ranger-0.6
Commit: 2dea1f91c259a52b5f90b23c8469b26ed542d418
Parents: 00e07f2
Author: Madhan Neethiraj <[email protected]>
Authored: Tue Sep 6 14:04:25 2016 -0700
Committer: Madhan Neethiraj <[email protected]>
Committed: Tue Sep 6 23:37:42 2016 -0700

----------------------------------------------------------------------
 .../org/apache/ranger/plugin/model/RangerPolicy.java   |  4 ++++
 .../plugin/policyengine/RangerPolicyEngineImpl.java    | 13 +++++++++++--
 .../hive/authorizer/RangerHiveAuditHandler.java        |  3 ++-
 .../hive/authorizer/RangerHiveAuthorizer.java          | 10 ++++------
 4 files changed, 21 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2dea1f91/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
index d8e19b7..5e94bc7 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
@@ -50,6 +50,10 @@ public class RangerPolicy extends RangerBaseModelObject 
implements java.io.Seria
                        POLICY_TYPE_ROWFILTER
        };
 
+       public static final String MASK_TYPE_NULL   = "MASK_NULL";
+       public static final String MASK_TYPE_NONE   = "MASK_NONE";
+       public static final String MASK_TYPE_CUSTOM = "CUSTOM";
+
        // For future use
        private static final long serialVersionUID = 1L;
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2dea1f91/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index f20923c..707b8a5 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -285,7 +285,12 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
                                evaluator.evaluate(request, ret);
 
                                if (ret.getIsAccessDetermined() && 
ret.getIsAuditedDetermined()) {
-                                       break;
+                                       
if(!StringUtils.equalsIgnoreCase(ret.getMaskType(), 
RangerPolicy.MASK_TYPE_NONE)) {
+                                               break;
+                                       } else {
+                                               ret.setMaskType(null);
+                                               
ret.setIsAccessDetermined(false);
+                                       }
                                }
                        }
                }
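Review bot: The new `else` branch resets only `maskType` and `isAccessDetermined` on `ret` before the loop moves on to the next evaluator. Anything else the 'Unmasked' policy wrote into the result is left in place (the hunk does not show what `evaluator.evaluate` sets, but the Hive authorizer later reads `getMaskedValue()`, and the result presumably also carries a policy id), so it can survive into the final decision or the audit record if no later policy matches. Either clear those fields here too, or confirm that a later match overwrites all of them. The branch also changes semantics: an explicit 'Unmasked' match no longer ends evaluation, so a later evaluator can now apply a mask for the same user, which looks intended but deserves a comment such as `// MASK_NONE is not a final decision: clear it and keep evaluating the remaining policies`. The enclosing method starts and ends outside the hunk.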
@@ -320,7 +325,11 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
                                evaluator.evaluate(request, ret);
 
                                if (ret.getIsAccessDetermined() && 
ret.getIsAuditedDetermined()) {
-                                       break;
+                                       
if(StringUtils.isNotEmpty(ret.getFilterExpr())) {
+                                               break;
+                                       } else {
+                                               
ret.setIsAccessDetermined(false);
+                                       }
                                }
                        }
                }
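Review bot: `StringUtils.isNotEmpty(ret.getFilterExpr())` treats a whitespace-only filter expression as a real filter, so the loop would `break` on it and never reach a later policy that carries an actual row filter. `if(StringUtils.isNotBlank(ret.getFilterExpr())) {` avoids that, unless the expression is already trimmed where policies are saved, which is not visible here. When the loop ends in the `else` branch with no further match, `ret` is returned with `isAccessDetermined` set to false, so it is worth confirming that callers read that state as "no row filter" and not as an undetermined decision. The enclosing method starts and ends outside the hunk.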

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2dea1f91/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
----------------------------------------------------------------------
diff --git 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
index a6bb357..d98fe81 100644
--- 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
+++ 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
@@ -24,6 +24,7 @@ import java.util.*;
 import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.audit.model.AuthzAuditEvent;
 import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
@@ -66,7 +67,7 @@ public class RangerHiveAuditHandler extends 
RangerDefaultAuditHandler {
                if(result instanceof RangerDataMaskResult) {
                        accessType = 
((RangerDataMaskResult)result).getMaskType();
 
-                       if(StringUtils.equals(accessType, 
RangerHiveAuthorizer.MASK_TYPE_NONE)) {
+                       if(StringUtils.equals(accessType, 
RangerPolicy.MASK_TYPE_NONE)) {
                                return null;
                        }
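Review bot: This is the only comparison against `MASK_TYPE_NONE` in the commit that is case-sensitive; the policy engine and `isDataMaskEnabled` both use `StringUtils.equalsIgnoreCase`, so the two sides would disagree on a mask type spelled `mask_none`. `if(StringUtils.equalsIgnoreCase(accessType, RangerPolicy.MASK_TYPE_NONE)) {` keeps them consistent. Separately, the engine now resets an 'Unmasked' result to a null mask type, so this branch may no longer be reached for engine results and `accessType` may arrive as null instead. Whether the code after this hunk handles a null access type is not visible, and it should be checked so that unmasked reads are neither dropped from the audit log nor mislabelled in it. The method continues outside the hunk.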
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2dea1f91/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
----------------------------------------------------------------------
diff --git 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 0fcf13f..9329020 100644
--- 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -54,6 +54,7 @@ import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
 import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
 import org.apache.ranger.authorization.utils.StringUtil;
+import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerDataMaskTypeDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
@@ -71,9 +72,6 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
        private static final Log LOG = 
LogFactory.getLog(RangerHiveAuthorizer.class) ;
 
        private static final char COLUMN_SEP = ',';
-       public static final String MASK_TYPE_NULL     = "MASK_NULL";
-       public static final String MASK_TYPE_NONE     = "MASK_NONE";
-       public static final String MASK_TYPE_CUSTOM   = "CUSTOM";
 
        private static volatile RangerHivePlugin hivePlugin = null ;
 
@@ -598,7 +596,7 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
        }
 
        private boolean isDataMaskEnabled(RangerDataMaskResult result) {
-               return result != null && result.isMaskEnabled() && 
!StringUtils.equalsIgnoreCase(result.getMaskType(), MASK_TYPE_NONE);
+               return result != null && result.isMaskEnabled() && 
!StringUtils.equalsIgnoreCase(result.getMaskType(), 
RangerPolicy.MASK_TYPE_NONE);
        }
 
        private boolean isRowFilterEnabled(RangerRowFilterResult result) {
@@ -677,9 +675,9 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
                                        transformer = 
maskTypeDef.getTransformer();
                                }
 
-                               if(StringUtils.equalsIgnoreCase(maskType, 
MASK_TYPE_NULL)) {
+                               if(StringUtils.equalsIgnoreCase(maskType, 
RangerPolicy.MASK_TYPE_NULL)) {
                                        ret = "NULL";
-                               } else 
if(StringUtils.equalsIgnoreCase(maskType, MASK_TYPE_CUSTOM)) {
+                               } else 
if(StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_CUSTOM)) {
                                        String maskedValue = 
result.getMaskedValue();
 
                                        if(maskedValue == null) {
