-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72624/
-----------------------------------------------------------
Review request for ranger, Madhan Neethiraj, Ramesh Mani, and Velmurugan
Periasamy.
Bugs: RANGER-2876
https://issues.apache.org/jira/browse/RANGER-2876
Repository: ranger
Description
-------
Ranger plugins use an internal access-type '_any' when access authorization
requires that the accessed resource has some permission for given
user/group/role. For a component that supports three access-types viz. 'read',
'write', 'delete', and a policy containing access specification for some
resource and some user, such as,
    allowed accesses              : {'read', 'write', 'delete'}
    exceptions to allowed accesses: {'read', 'write'}
the user should be allowed '_any' access to the resource by this policy.
Similarly, a policy containing access specification such as
    allowed accesses              : {'read', 'write'}
    exceptions to allowed accesses: {'read', 'write'}
should not make authorization decision for '_any' access.
-----
Fix:
Authorizing "any" access for access-type policies now involves checking if any
of the accesses defined in the service-definition allows access using
policy-items of the policy being evaluated. If true, the "any" access is
authorized; else if none of defined accesses are allowed, then access is
explicitly denied, else no authorization decision is made by the policy.
Diffs
-----
  agents-audit/pom.xml b30474a9c
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java d75bf46a0
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 90d96d93d
  agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json a2ec460e6
  agents-common/src/test/resources/policyengine/test_policyengine_hive.json ba5a53c30
  agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json 79417a0cb
  agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json 73fe540c7
  pom.xml 5bfd08df2
Diff: https://reviews.apache.org/r/72624/diff/1/
Testing
-------
Ensured all existing unit tests are valid. New unit tests are developed, and
verified that all unit tests pass.
Thanks,
Abhay Kulkarni
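
The '_any' rule from the description above, as an added Java sketch that is not part of the review request and is not Ranger's own code. The Policy record, the evaluate/evaluateAny names, the deny sets and the deny-before-allow precedence are assumptions made for illustration, as is reading "none of defined accesses are allowed" as "every defined access type is denied".

```java
import java.util.List;
import java.util.Set;

// Added illustration: a simplified model, not Ranger's RangerDefaultPolicyEvaluator.
public class AnyAccessDemo {
    enum Decision { ALLOWED, DENIED, NO_DECISION }

    // Hypothetical stand-in for the policy items that match one user in one policy.
    record Policy(Set<String> allow, Set<String> allowExceptions,
                  Set<String> deny, Set<String> denyExceptions) {}

    // Decision for one concrete access type. Assumed precedence: deny items are
    // checked before allow items, and an exception cancels the matching item.
    static Decision evaluate(Policy p, String accessType) {
        if (p.deny().contains(accessType) && !p.denyExceptions().contains(accessType)) {
            return Decision.DENIED;
        }
        if (p.allow().contains(accessType) && !p.allowExceptions().contains(accessType)) {
            return Decision.ALLOWED;
        }
        return Decision.NO_DECISION;
    }

    // '_any': allowed as soon as one access type from the service-definition is
    // allowed; denied only when every defined access type is denied; otherwise
    // the policy makes no decision.
    static Decision evaluateAny(Policy p, List<String> serviceDefAccessTypes) {
        int denied = 0;
        for (String accessType : serviceDefAccessTypes) {
            Decision d = evaluate(p, accessType);
            if (d == Decision.ALLOWED) return Decision.ALLOWED;
            if (d == Decision.DENIED) denied++;
        }
        boolean allDenied = !serviceDefAccessTypes.isEmpty()
                && denied == serviceDefAccessTypes.size();
        return allDenied ? Decision.DENIED : Decision.NO_DECISION;
    }

    public static void main(String[] args) {
        List<String> defs = List.of("read", "write", "delete");
        Set<String> none = Set.of();
        // Constructed sample policies; the first two mirror the two cases in the description.
        Policy first = new Policy(Set.of("read", "write", "delete"), Set.of("read", "write"), none, none);
        Policy second = new Policy(Set.of("read", "write"), Set.of("read", "write"), none, none);
        Policy denyAll = new Policy(none, none, Set.of("read", "write", "delete"), none);
        System.out.println("first   -> " + evaluateAny(first, defs));
        System.out.println("second  -> " + evaluateAny(second, defs));
        System.out.println("denyAll -> " + evaluateAny(denyAll, defs));
    }
}
```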