fateh288 commented on code in PR #410:
URL: https://github.com/apache/ranger/pull/410#discussion_r1833294474
##########
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java:
##########
@@ -1512,4 +1504,27 @@ private List<RangerConditionEvaluator>
createPolicyConditionEvaluators(RangerPol
return ret;
}
+ private static boolean isMatchForResourceMatchingScope(final
RangerAccessRequest.ResourceMatchingScope scope, final
RangerPolicyResourceMatcher.MatchType matchType, boolean isAnyMatch) {
+ boolean ret = false;
+ if (isAnyMatch){
+ ret = matchType !=
RangerPolicyResourceMatcher.MatchType.NONE;
+ }
+ else if (scope!=null) {
+ switch (scope) {
+ case SELF_OR_DESCENDANTS: {
+ ret = matchType !=
RangerPolicyResourceMatcher.MatchType.NONE;
+ break;
+ }
+ case SELF_AND_ALL_DESCENDANTS: {
+ ret = matchType !=
RangerPolicyResourceMatcher.MatchType.NONE;
+ break;
+ }
+ default: {
+ ret = matchType ==
RangerPolicyResourceMatcher.MatchType.SELF || matchType ==
RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS;
+ break;
+ }
+ }
+ }
Review Comment:
Yes, I identified the issue is in test cases defined in
test_policyengine_resource_with_req_expressions.json
The ResourceMatchingScope defined in these test cases is SELF_OR_CHILD which
is not a valid value in the ResourceMatchingScope enum and results in null
scope.
I tried changing ResourceMatchingScope to SELF here and all the test cases
pass here. Do you suggest doing this ? Or should we add SELF_OR_CHILD as a
valid ResourceMatchingScope ?
Yes, I can handle null as a scope or prevent regressions, but ideally it
should be an invalid scenario if implemented correctly.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@ranger.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
