Re: Review Request 74968: RANGER-4786: Ranger override policy is not working

Mon, 29 Apr 2024 23:00:56 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74968/#review226404
-----------------------------------------------------------


Fix it, then Ship it!





agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
Lines 911 (patched)
<https://reviews.apache.org/r/74968/#comment314618>

    is block #911 - #914 necessary, given the if condition here 
(allRequestedAccesses.size() == 1) is already covered in #886 above?


- Madhan Neethiraj


On April 30, 2024, 4:39 a.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74968/
> -----------------------------------------------------------
> 
> (Updated April 30, 2024, 4:39 a.m.)
> 
> 
> Review request for ranger, madhan, Madhan Neethiraj, Mahesh Bandal, and 
> Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4786
>     https://issues.apache.org/jira/browse/RANGER-4786
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> STEPS TO REPRODUCE:
> Update default “all - path” policy in cm_hdfs service. Add a deny condition 
> for {USER} to read,write,execute permissions. With this policy all users will 
> be denied to access hdfs locations.
> 
> Now, add a policy for user "u1" to get "RWX" permissions on path "/testpath" 
> recursively. Enable ovverride for this policy.
> 
> Perform kinit by user u1 and dp hdfs operations.
> 
> hdfs dfs -ls /testpath
> The access is denied by default "all - path" policy.
> 
> Fix:
> 
> Ensure that once all of the requested accesses are successfully allowed by 
> (possibly multiple) ranger policies, the access evaluation terminates with 
> access allowed as the result.
> 
> 
> Diffs
> -----
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  ded8d0993 
> 
> 
> Diff: https://reviews.apache.org/r/74968/diff/1/
> 
> 
> Testing
> -------
> 
> Passed all unit tests. Ensured that the repro scenario yields correct 
> evaluation result.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Reply via email to