-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74968/
-----------------------------------------------------------
(Updated April 30, 2024, 6:20 p.m.)
Review request for ranger, madhan, Madhan Neethiraj, Mahesh Bandal, and
Velmurugan Periasamy.
Changes
-------
Addressed review comment, added unit tests.
Bugs: RANGER-4786
https://issues.apache.org/jira/browse/RANGER-4786
Repository: ranger
Description
-------
STEPS TO REPRODUCE:
Update default “all - path” policy in cm_hdfs service. Add a deny condition for
{USER} to read,write,execute permissions. With this policy all users will be
denied to access hdfs locations.
Now, add a policy for user "u1" to get "RWX" permissions on path "/testpath"
recursively. Enable ovverride for this policy.
Perform kinit by user u1 and dp hdfs operations.
hdfs dfs -ls /testpath
The access is denied by default "all - path" policy.
Fix:
Ensure that once all of the requested accesses are successfully allowed by
(possibly multiple) ranger policies, the access evaluation terminates with
access allowed as the result.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
ded8d0993
agents-common/src/test/resources/policyengine/test_policyengine_hdfs_multiple_accesses.json
6b53d2e02
Diff: https://reviews.apache.org/r/74968/diff/2/
Changes: https://reviews.apache.org/r/74968/diff/1-2/
Testing
-------
Passed all unit tests. Ensured that the repro scenario yields correct
evaluation result.
Thanks,
Abhay Kulkarni
