----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/57668/#review169070 -----------------------------------------------------------
Ship it! Ship It! - Madhan Neethiraj On March 15, 2017, 10:20 p.m., Abhay Kulkarni wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/57668/ > ----------------------------------------------------------- > > (Updated March 15, 2017, 10:20 p.m.) > > > Review request for ranger and Madhan Neethiraj. > > > Bugs: RANGER-1460 > https://issues.apache.org/jira/browse/RANGER-1460 > > > Repository: ranger > > > Description > ------- > > If there is one tag policy which allows access to HDFS resource and if there > are no resource policies for HDFS, then authorization falls back to hadoop > acls. In such cases, Ranger authorizer should allow access to the resource > without falling back to hadoop acls, as tag policy has allowed access and > there is no resource policy. > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java > 0c9c0fa > > > Diff: https://reviews.apache.org/r/57668/diff/1/ > > > Testing > ------- > > Tests: > > /user/user1 has a tag associated with it, whose policy allows access to user2. > /user/user1 has hadoop-acls which do not allow access to user2. > There are no resource-based policy defined for the HDFS service. > > user2 lists /user/user1 --> success (allowed by tag policy) > user1 lists /user/user1 --> success (allowed by hadoop acls) > > > Thanks, > > Abhay Kulkarni > >
