-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70510/#review224455
-----------------------------------------------------------



Hi all, I recently met an issue with partial resource matching on the latest 
Ranger version, 2.2. E.g., the following policy will grant *user2* the *drop* 
privilege on database *default*. I think this is not right. Do you agree that 
the expectation of the following policy is to grant user2 only the drop 
privilege on all tables in database *default*?

    {
      "id": 3,
      "name": "db=default; table=*",
      "isEnabled": true,
      "isAuditEnabled": true,
      "resources": {
        "database": {
          "values": [
            "default"
          ]
        },
        "table": {
          "values": [
            "*"
          ]
        }
      },
      "policyItems": [
        {
          "accesses": [
            {
              "type": "drop",
              "isAllowed": true
            }
          ],
          "users": [
            "user2"
          ],
          "groups": [
          ],
          "delegateAdmin": false
        }
      ]
    }

- Andy Xu


On April 22, 2019, 2:34 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70510/
> -----------------------------------------------------------
> 
> (Updated April 22, 2019, 2:34 p.m.)
> 
> 
> Review request for ranger, Bolke de Bruin and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-2405
>     https://issues.apache.org/jira/browse/RANGER-2405
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> With RANGER-1781, Ranger supports resource policies with valid, but partial 
> hierarchies specified as the resource. However, during policy evaluation, a 
> partial hierarchy is treated as a complete hierarchy with the unspecified 
> part of the resource hierarchy as having been specified with an all-matching 
> wildcard value (that is, as an asterisk). This leads to such policy matching 
> an accessed resource which has more resource levels than in the policy, and 
> is more permissive than the policy specification.
> 
> Policy resource matching algorithm is enhanced to differentiate between 
> absence of a resource value and resource value of asterisk.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java be256a9ba 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java f1e999aaf 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java 12a1c1c9e 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java 4696d84da 
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java e019e6218 
>   agents-common/src/test/resources/policyengine/test_policyengine_hive_with_partial_resource_policies.json PRE-CREATION 
>   agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java 1755233d5 
>   agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json 211e0ed9d 
>   agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_hive_policy.json ddb171d1c 
> 
> 
> Diff: https://reviews.apache.org/r/70510/diff/2/
> 
> 
> Testing
> -------
> 
> Developed unit tests for this scenario and ran all unit tests successfully.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>
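
Added example, not part of the review request or of Ranger's code: a simplified Python model of the difference the quoted description draws between a resource level that is absent from a policy and one set to an asterisk. The database/table/column hierarchy, the function names and the sample policies are assumptions made for illustration; for a level the policy names but the access omits, the model matches only on "*", which is the behaviour the reply at the top of this thread reports for version 2.2.

```python
import fnmatch

# Assumed Hive-style resource hierarchy, top level first.
HIERARCHY = ("database", "table", "column")

# Constructed sample policies in the "resources" shape shown in this thread.
DB_ONLY = {"database": {"values": ["default"]}}  # partial hierarchy
DB_ALL_TABLES = {"database": {"values": ["default"]}, "table": {"values": ["*"]}}


def matches(policy_resources, accessed, absent_is_wildcard):
    """Return True if the policy resource covers the accessed resource.

    absent_is_wildcard=True models the behaviour described as the problem:
    a level missing from the policy is evaluated as if it were "*".
    absent_is_wildcard=False keeps absence and "*" distinct.
    """
    for level in HIERARCHY:
        spec = policy_resources.get(level)
        value = accessed.get(level)
        if spec is None:
            # Policy says nothing about this level.
            if value is not None and not absent_is_wildcard:
                return False  # access is deeper than the policy
            continue
        if value is None:
            # Policy is deeper than the access. Assumption: only "*" matches,
            # as the reply reports for version 2.2; same in both modes.
            if "*" not in spec["values"]:
                return False
            continue
        if not any(fnmatch.fnmatchcase(value, p) for p in spec["values"]):
            return False
    return True


def compare(policy_resources, accessed):
    """Evaluate one access under both interpretations: (lenient, strict)."""
    return (matches(policy_resources, accessed, True),
            matches(policy_resources, accessed, False))


if __name__ == "__main__":
    table_access = {"database": "default", "table": "t1"}
    db_access = {"database": "default"}
    for name, pol in (("db=default", DB_ONLY), ("db=default; table=*", DB_ALL_TABLES)):
        for acc in (table_access, db_access):
            print(name, acc, compare(pol, acc))
```
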
