> On May 19, 2022, 2:17 a.m., Andy Xu wrote:
> > Hi all, I recently met an issue with partial resource matching on the latest
> > Ranger version 2.2, e.g. the following policy will grant *user2* the *drop*
> > privilege on database *default*. I think that is not right; can you agree
> > that the expectation of the following policy is to grant user2 only the drop
> > privilege on all tables in database *default*?
> >
> > {
> > "id": 3,
> > "name": "db=default; table=*",
> > "isEnabled": true,
> > "isAuditEnabled": true,
> > "resources": {
> > "database": {
> > "values": [
> > "default"
> > ]
> > },
> > "table": {
> > "values": [
> > "*"
> > ]
> > }
> > },
> > "policyItems": [
> > {
> > {
> > "type": "drop",
> > "isAllowed": true
> > }
> > ],
> > "users": [
> > "user2"
> > ],
> > "groups": [
> > ],
> > "delegateAdmin": false
> > }
> > ]
> > }
> > }
{
  "id": 3,
  "name": "db=default; table=*",
  "isEnabled": true,
  "isAuditEnabled": true,
  "resources": {
    "database": {
      "values": [
        "default"
      ]
    },
    "table": {
      "values": [
        "*"
      ]
    }
  },
  "policyItems": [
    {
      "accesses": [
        {
          "type": "drop",
          "isAllowed": true
        }
      ],
      "users": [
        "user2"
      ],
      "groups": [],
      "delegateAdmin": false
    }
  ]
}
- Andy
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70510/#review224455
-----------------------------------------------------------
On April 22, 2019, 2:34 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70510/
> -----------------------------------------------------------
>
> (Updated April 22, 2019, 2:34 p.m.)
>
>
> Review request for ranger, Bolke de Bruin and Madhan Neethiraj.
>
>
> Bugs: RANGER-2405
> https://issues.apache.org/jira/browse/RANGER-2405
>
>
> Repository: ranger
>
>
> Description
> -------
>
> With RANGER-1781, Ranger supports resource policies with valid, but partial
> hierarchies specified as the resource. However, during policy evaluation, a
> partial hierarchy is treated as a complete hierarchy with the unspecified
> part of the resource hierarchy as having been specified with an all-matching
> wildcard value (that is, as an asterisk). This leads to such policy matching
> an accessed resource which has more resource levels than in the policy, and
> is more permissive than the policy specification.
>
> Policy resource matching algorithm is enhanced to differentiate between
> absence of a resource value and resource value of asterisk.
>
>
> Diffs
> -----
>
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
> be256a9ba
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
> f1e999aaf
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
> 12a1c1c9e
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
> 4696d84da
>
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
> e019e6218
>
> agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java
> 1755233d5
>
> agents-common/src/test/resources/policyengine/test_policyengine_hive_with_partial_resource_policies.json
> PRE-CREATION
>
> agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json
> 211e0ed9d
>
> agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_hive_policy.json
> ddb171d1c
>
>
> Diff: https://reviews.apache.org/r/70510/diff/2/
>
>
> Testing
> -------
>
> Developed unit tests for this scenario and ran all unit tests successfully.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
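
The distinction drawn in the review description above, between an absent resource level and a level set to an asterisk, shown as an added Python sketch; this is not Ranger's code or code from the review. The "db=default" policy, user1, table t1 and the function names are constructed for illustration, and fnmatch stands in for Ranger's wildcard matching.

```python
import json
from fnmatch import fnmatchcase

# Constructed policies in the shape of the JSON quoted in this thread.
POLICIES = json.loads("""
[
  {"name": "db=default",
   "resources": {"database": {"values": ["default"]}},
   "policyItems": [{"accesses": [{"type": "drop", "isAllowed": true}],
                    "users": ["user1"]}]},
  {"name": "db=default; table=*",
   "resources": {"database": {"values": ["default"]},
                 "table": {"values": ["*"]}},
   "policyItems": [{"accesses": [{"type": "drop", "isAllowed": true}],
                    "users": ["user2"]}]}
]
""")


def resource_matches(policy, accessed, absent_means_wildcard):
    """Match an accessed resource against a policy's resource definition.

    absent_means_wildcard=True models the permissive evaluation the
    description reports; False models the enhanced matching.
    Levels the policy names but the access omits are not examined here
    (the case raised in the reply above is outside this sketch).
    """
    for level, value in accessed.items():
        spec = policy["resources"].get(level)
        if spec is None:
            if absent_means_wildcard:
                continue  # missing level silently treated as "*"
            return False  # policy says nothing about this level
        if not any(fnmatchcase(value, pat) for pat in spec["values"]):
            return False
    return True


def is_allowed(user, access_type, accessed, absent_means_wildcard):
    """Return True if any policy matching the resource allows the access."""
    for policy in POLICIES:
        if not resource_matches(policy, accessed, absent_means_wildcard):
            continue
        for item in policy["policyItems"]:
            if user in item["users"] and any(
                a["type"] == access_type and a["isAllowed"]
                for a in item["accesses"]
            ):
                return True
    return False
```

With the accessed resource `{"database": "default", "table": "t1"}`, user1's database-only policy allows `drop` only when `absent_means_wildcard` is true, while user2's explicit `table=*` policy allows it in both modes.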