----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/73443/#review223240 -----------------------------------------------------------
Fix it, then Ship it! agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java Lines 700 (patched) <https://reviews.apache.org/r/73443/#comment312329> Is the 'if' in #700 necessary? When allowResult is null, deniedAccessTypeCount will always be allAccessDefs.size(), right? - Madhan Neethiraj On July 17, 2021, 2:25 a.m., Abhay Kulkarni wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/73443/ > ----------------------------------------------------------- > > (Updated July 17, 2021, 2:25 a.m.) > > > Review request for ranger, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, > and Velmurugan Periasamy. > > > Bugs: RANGER-3329 > https://issues.apache.org/jira/browse/RANGER-3329 > > > Repository: ranger > > > Description > ------- > > Currently a request for _any access-type is denied only if all access-types > in the service-def are denied by policies. Instead of this, the policy-engine > should deny _any access if there are no allowed accesses, and at least one of > the access-type is denied. This will help address following usecase: > > when accessTypeRestrictions is defined on a resource i.e. only a subset of > access-types are shown in policy-UI, it will not be possible to create > policies that deny all accesses. In such cases, the proposed change will > enable denying _any access-type with only subset of access-types denied. > > The fix is to deny the access with type _any only if all of access-types > "specified in the denying policy" are explicitly denied by policies. > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java > 74a7a2615 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java > 3c0e32c2e > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java > 03e37fe3d > > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java > 696a3f6eb > > agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java > f8eba5f96 > > agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json > 934655ba9 > agents-common/src/test/resources/policyengine/test_policyengine_hive.json > bd2f67b68 > > agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json > a8ec02733 > > agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_for_show_databases.json > f42df3eab > > > Diff: https://reviews.apache.org/r/73443/diff/3/ > > > Testing > ------- > > Passed all existing test cases. > Created a unit test for the use-case outlined in the JIRA, and ensured that > it passes. > > > Thanks, > > Abhay Kulkarni > >
