[
https://issues.apache.org/jira/browse/RANGER-2761?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Abhay Kulkarni updated RANGER-2761:
-----------------------------------
Summary: Policy evaluators are not correctly updated when using policy
deltas for downloads to plugins (was: Bugs about wildcard evaluator
incremental creation)
> Policy evaluators are not correctly updated when using policy deltas for
> downloads to plugins
> ---------------------------------------------------------------------------------------------
>
> Key: RANGER-2761
> URL: https://issues.apache.org/jira/browse/RANGER-2761
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 2.0.0
> Reporter: star
> Assignee: star
> Priority: Major
> Attachments: RANGER-2761.patch
>
>
> When wildcard policies are updated incrementally, the update has no effect.
> Steps to reproduce:
> 1. Create a policy A to grant Peter select access to database test and
> table t. Verify that Peter has select access.
> 2. Create a policy B to deny Peter select access to all databases and
> tables. Verify that Peter is denied select access to database test and
> table t.
> 3. Delete policy B and verify that Peter again has select access.
> 4. Create a policy C, the same as policy B, expecting Peter to again be
> denied select access. But this does not happen.
> {code:java}
> // RangerResourceTrie
> void undoSetup() {
>     if (isSetup) {
>         if (evaluators != null) {
>             for (TrieNode<U> child : children.values()) {
>                 child.undoSetup();
>             }
>             ...
>         }
>         isSetup = false;
>     }
> }
> private Set<T> getEvaluatorsForResource(String resource) {
>     ...
>     while (i < len) {
>         if (!isOptimizedForRetrieval) {
>             curr.setupIfNeeded(parent);
>         }
>         ...
>     }
>     if (!isOptimizedForRetrieval) {
>         curr.setupIfNeeded(parent);
>     }
>     Set<T> ret = i == len ? curr.getEvaluators() : curr.getWildcardEvaluators();
>     return ret;
> }
> {code}
> When a new wildcard policy is added, evaluators of the root trie is null, so
> child.undoSetup will not be called. Then setupIfNeeded will not take effect
> on child trie nodes. In the end, the new wildcard policy (policy C) does not
> take effect.
>
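The stale child state described in the report, reduced to a small model, as an added example that is not part of the original message or of Ranger's code. `TrieDeltaDemo`, `Node`, `effective`, the `guarded` flag and the policy names are hypothetical, and the unguarded variant is one possible correction, not the attached patch.

```java
import java.util.*;
// Simplified model of the trie described above; hypothetical names, not Ranger's code.
public class TrieDeltaDemo {
    static class Node {
        final Map<Character, Node> children = new HashMap<>();
        final Set<String> wildcardEvaluators = new TreeSet<>(); // wildcards added at this node
        Set<String> evaluators, effective; // exact matches (null while none); wildcards cached by setup
        boolean isSetup;
        void setupIfNeeded(Node parent) {
            if (isSetup) return;
            effective = new TreeSet<>(wildcardEvaluators);
            if (parent != null) effective.addAll(parent.effective);
            isSetup = true;
        }
        void undoSetup(boolean guarded) { // guarded=true keeps the condition from the report
            if (!isSetup) return;
            if (!guarded || evaluators != null) children.values().forEach(c -> c.undoSetup(guarded));
            isSetup = false;
        }
    }
    static void add(Node root, String resource, String evaluator, boolean guarded) {
        Node curr = root;
        for (char c : resource.replace("*", "").toCharArray()) curr = curr.children.computeIfAbsent(c, k -> new Node());
        if (resource.endsWith("*")) curr.wildcardEvaluators.add(evaluator);
        else (curr.evaluators = new TreeSet<>()).add(evaluator); // one exact policy per node in this model
        curr.undoSetup(guarded);
    }
    static Set<String> lookup(Node root, String resource) {
        Node parent = null, curr = root;
        for (char c : resource.toCharArray()) {
            curr.setupIfNeeded(parent);
            parent = curr;
            if ((curr = curr.children.get(c)) == null) return parent.effective;
        }
        curr.setupIfNeeded(parent);
        Set<String> ret = new TreeSet<>(curr.effective);
        if (curr.evaluators != null) ret.addAll(curr.evaluators);
        return ret;
    }
    public static void main(String[] args) {
        for (boolean guarded : new boolean[] {true, false}) {
            Node root = new Node();
            add(root, "test.t", "policy-A-allow", guarded);
            lookup(root, "test.t");                   // sets up every node on the path
            add(root, "*", "policy-C-deny", guarded); // delta adds the wildcard policy
            System.out.println("guarded=" + guarded + " -> " + lookup(root, "test.t"));
        }
    }
}
```

A plugin-side regression test can follow the same shape: evaluate a resource once so the trie nodes are set up, apply a delta that adds a wildcard deny, then assert that the next evaluation includes it.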