-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/75369/#review227290
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
Lines 138 (patched)
<https://reviews.apache.org/r/75369/#comment315538>

    This fix will result in incorrect return value when:
    - resourceMatchingScope == SELF_OR_DESCENDANTS (line #151)
    - and `tagRequest.getMatchType()` is `ANCESTOR` (line #138)
    
    To avoid this, I suggest the following:
    - revert changes to `if` block at #137
    - replace #150 - #154 with the following:
    
    ```
    if (request.isAccessTypeAny()) {
      ret = matchType == RangerPolicyResourceMatcher.MatchType.SELF ||
            matchType == RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS ||
            matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT ||
            (matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof RangerTagAccessRequest);
    } else if (resourceMatchingScope == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
      ret = matchType == RangerPolicyResourceMatcher.MatchType.SELF ||
            matchType == RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS ||
            matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT;
    } else {
      ret = matchType == RangerPolicyResourceMatcher.MatchType.SELF ||
            matchType == RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS ||
            (matchType == RangerPolicyResourceMatcher.MatchType.ANCESTOR && request instanceof RangerTagAccessRequest);
    }
    ```
    
    Similar updates would be needed in RangerDefaultPolicyEvaluator as well.



agents-common/src/main/java/org/apache/ranger/plugin/util/CachedResourceEvaluators.java
Line 85 (original), 85 (patched)
<https://reviews.apache.org/r/75369/#comment315537>

    `else` block at #83 will be entered only when `ret != null` i.e. some resource-matchers are found. The updated log message does not look correct.


- Madhan Neethiraj


On March 12, 2025, 7:08 a.m., Dineshkumar Yadav wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/75369/
> -----------------------------------------------------------
> 
> (Updated March 12, 2025, 7:08 a.m.)
> 
> 
> Review request for ranger, Kishor Gollapalliwar, Madhan Neethiraj, Mehul 
> Parikh, Pradeep Agrawal, Ramesh Mani, and Vyom Tiwari.
> 
> 
> Bugs: RANGER-5162
>     https://issues.apache.org/jira/browse/RANGER-5162
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Tag Allowed policy is not being enforced
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java 920ddc716 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 246cc4514 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/CachedResourceEvaluators.java 99cb0f858 
> 
> 
> Diff: https://reviews.apache.org/r/75369/diff/2/
> 
> 
> Testing
> -------
> 
> Testing done using ranger docker with help of tag.json
> 
> 
> Thanks,
> 
> Dineshkumar Yadav
> 
>
