----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/71362/#review217425 -----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java Line 343 (original), 343 (patched) <https://reviews.apache.org/r/71362/#comment304704> This change removes sending evalContext to isMatch() method; this can cause isMatch() to return incorrect results for resources having {USER} in name - like /home/{USER}. Please review. Same applies for other similar updates as well - line #362, #377. agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java Line 365 (original), 362 (patched) <https://reviews.apache.org/r/71362/#comment304702> Sending 'user' for 'owner' doesn't look right; wouldn't this result in all users to be allowed for accesses granted for resource-owner? Same for line #377 as well. agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java Line 294 (original), 294 (patched) <https://reviews.apache.org/r/71362/#comment304703> wouldn't adding 'hasResourceOwner' here effectively ignore the {OWNER} condition, since there is no validation that 'user' is 'owner' - as owner information is not available in this method? Please remove 'hasResourceOwner' from this line. - Madhan Neethiraj On Aug. 24, 2019, 1:30 a.m., Abhay Kulkarni wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/71362/ > ----------------------------------------------------------- > > (Updated Aug. 24, 2019, 1:30 a.m.) > > > Review request for ranger, Madhan Neethiraj and Ramesh Mani. > > > Bugs: RANGER-2548 > https://issues.apache.org/jira/browse/RANGER-2548 > > > Repository: ranger > > > Description > ------- > > Grant/Revoke requests are processed by Ranger to create/update corresponding > Ranger Policy. With Hive support for OWNER, Ranger also needs to ensure that > Grant/Revoke requests, if they provide ownership information for the Hive > object being granted permission on, are processed correctly in accordance > with prevailing Ranger policies. > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java > daa62f408 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java > cf590f9aa > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java > ecd6cb746 > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java > 5bbbecedb > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java > 00c0d42ed > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java > ec3950f62 > > agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java > 02f343196 > > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java > c8276f127 > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java > bb825b822 > > > Diff: https://reviews.apache.org/r/71362/diff/2/ > > > Testing > ------- > > Passed all unit tests > > > Thanks, > > Abhay Kulkarni > >
