> On Aug. 25, 2019, 7:12 a.m., Madhan Neethiraj wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java > > Line 343 (original), 343 (patched) > > <https://reviews.apache.org/r/71362/diff/2/?file=2162857#file2162857line343> > > > > This change removes sending evalContext to isMatch() method; this can > > cause isMatch() to return incorrect results for resources having {USER} in > > name - like /home/{USER}. Please review. > > > > Same applies for other similar updates as well - line #362, #377.
These APIs are called from within ranger-admin. There is no owner information available. In fact, to return policies with resource containing macros in its name, it is required that the expansion of the macros is suppressed, which is achieved by not passing any evalContext to the APIs which are also used by policy engine in the plugin. This applies to line #362 and #377 also. > On Aug. 25, 2019, 7:12 a.m., Madhan Neethiraj wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java > > Line 365 (original), 362 (patched) > > <https://reviews.apache.org/r/71362/diff/2/?file=2162857#file2162857line365> > > > > Sending 'user' for 'owner' doesn't look right; wouldn't this result in > > all users to be allowed for accesses granted for resource-owner? > > > > Same for line #377 as well. That is the intent, as these APIs are called from with ranger-admin to filter policies. It is required, in absence of owner information, that policies with OWNER macro pass the filter (at least the first part of filter, namely, call to Optimized Policy Evaluator's hasMatchablePolicyItem()). - Abhay ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/71362/#review217425 ----------------------------------------------------------- On Aug. 24, 2019, 1:30 a.m., Abhay Kulkarni wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/71362/ > ----------------------------------------------------------- > > (Updated Aug. 24, 2019, 1:30 a.m.) > > > Review request for ranger, Madhan Neethiraj and Ramesh Mani. > > > Bugs: RANGER-2548 > https://issues.apache.org/jira/browse/RANGER-2548 > > > Repository: ranger > > > Description > ------- > > Grant/Revoke requests are processed by Ranger to create/update corresponding > Ranger Policy. With Hive support for OWNER, Ranger also needs to ensure that > Grant/Revoke requests, if they provide ownership information for the Hive > object being granted permission on, are processed correctly in accordance > with prevailing Ranger policies. > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java > daa62f408 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java > cf590f9aa > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java > ecd6cb746 > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java > 5bbbecedb > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java > 00c0d42ed > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java > ec3950f62 > > agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java > 02f343196 > > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java > c8276f127 > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java > bb825b822 > > > Diff: https://reviews.apache.org/r/71362/diff/2/ > > > Testing > ------- > > Passed all unit tests > > > Thanks, > > Abhay Kulkarni > >
