Updated Branches: refs/heads/master a93fb4161 -> 8fc91c54f
SENTRY-89: Sentry WildCardPermission always ends a / to the URI (Brock Noland via Shreepadma Venugopalan) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/8fc91c54 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/8fc91c54 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/8fc91c54 Branch: refs/heads/master Commit: 8fc91c54f6d412dd404825f35b77805784d51d5d Parents: a93fb41 Author: Shreepadma Venugopalan <[email protected]> Authored: Thu Jan 16 11:14:13 2014 -0800 Committer: Shreepadma Venugopalan <[email protected]> Committed: Thu Jan 16 11:14:13 2014 -0800 ---------------------------------------------------------------------- .../sentry/policy/db/DBWildcardPermission.java | 18 ++++++++++++++++-- .../policy/db/TestDBWildcardPermission.java | 5 ++++- 2 files changed, 20 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8fc91c54/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java ----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
index e84e5b9..e0eb2dc 100644
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
@@ -154,8 +154,8 @@ public class DBWildcardPermission implements Permission, Serializable { // request path does not contain relative parts /a/../b && // request path starts with policy path && // authorities (nullable) are equal - String requestPath = requestURI.getPath() + File.separator; - String policyPath = policyURI.getPath() + File.separator; + String requestPath = ensureEndsWithSeparator(requestURI.getPath()); + String policyPath = ensureEndsWithSeparator(policyURI.getPath()); if(policyURI.getScheme().equals(requestURI.getScheme()) && requestURI.getPath().equals(new URI(request).normalize().getPath()) && requestPath.startsWith(policyPath) && @@ -169,6 +169,20 @@ public class DBWildcardPermission implements Permission, Serializable { } } + /** + * The URI must be a directory as opposed to a partial + * path entry name. To ensure this is true we add a / + * at the end of the path. Without this the admin might + * grant access to /dir1 but the user would be given access + * to /dir1* whereas the admin meant /dir1/ + */ + private static String ensureEndsWithSeparator(String path) { + if (path.endsWith(File.separator)) { + return path; + } + return path + File.separator; + } + @Override public String toString() { return AUTHORIZABLE_JOINER.join(parts); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8fc91c54/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java ---------------------------------------------------------------------- diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java index 8f1ee2c..2024cd8 100644 --- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java +++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java 
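Review bot: `ensureEndsWithSeparator` in the second hunk tests for and appends `File.separator`, the platform's file-system separator, while the strings passed to it in the first hunk come from `URI.getPath()` and always use `/`. On a host where `File.separator` is `\`, a policy path that already ends in `/` would still get `\` appended and the `startsWith` comparison would stop matching, so the authorization result depends on the host OS. The Javadoc already says a `/` is added, so the helper should do the same: `if (path.endsWith("/")) { return path; }` followed by `return path + "/";`. The helper also dereferences `path` directly, and the null handling for `getPath()` is outside these hunks, so confirm that URIs without a path are rejected before the two calls.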
@@ -51,7 +51,7 @@ public class TestDBWildcardPermission { "hdfs://namenode:8020/path/to/uri1")); private static final Permission ROLE_SERVER_SERVER1_URI_URI2 = create(new KeyValue("server", "server1"), new KeyValue("uri", - "hdfs://namenode:8020/path/to/uri2")); + "hdfs://namenode:8020/path/to/uri2/")); private static final Permission ROLE_SERVER_SERVER1_URI_ALL = create(new KeyValue("server", "server1"), new KeyValue("uri", ALL)); @@ -272,6 +272,9 @@ public class TestDBWildcardPermission { // mangled path assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path", "hdfs://namenode:8020/pathFooBar")); + // ends in / + assertTrue(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path/", + "hdfs://namenode:8020/path/FooBar")); } static DBWildcardPermission create(KeyValue... keyValues) { return create(AUTHORIZABLE_JOINER.join(keyValues));
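Review bot: The added `// ends in /` case in the last hunk only checks that a policy with a trailing slash still grants a child path; nothing pins the refusal side for that policy form. The existing `// mangled path` assertion uses a policy without the slash, so a regression in the `endsWith` branch of the helper (for example one that drops the slash) could pass both assertions. Add the counterpart next to it: `assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path/", "hdfs://namenode:8020/pathFooBar"));`. The test method starts outside the hunk.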
