Review Request 39103: RANGER-683: access should not be be allowed if denied by either a tag-based policy or a resource-based policy

[Madhan Neethiraj]

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/39103/
-----------------------------------------------------------

Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, 
Selvamohan Neethiraj, and Velmurugan Periasamy.


Bugs: RANGER-683
    https://issues.apache.org/jira/browse/RANGER-683


Repository: ranger


Description
-------

Fixed the earlier implementation that allowed access if the user has permission 
for the tag even though a resource-based policy denied the access


Diffs
-----

  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 5d1140b 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 1764b60 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
 a118466 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 d7801b9 
  agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json 
ed42d5c 

Diff: https://reviews.apache.org/r/39103/diff/


Testing
-------

- added unit tests to cover the following combinations:

-------------------------------------------
| Resource-policy | Tag-policy | Result    |
|-----------------|------------|-----------|
| Allowed         |  Allowed   | Allowed   |
|-----------------|------------|-----------|
| Allowed         |  Denied    | Denied    |
|-----------------|------------|-----------|
| Allowed         |  No policy | Allowed   |
|-----------------|------------|-----------|
| Denied          |  Allowed   | Denied    |
|-----------------|------------|-----------|
| Denied          |  Denied    | Denied    |
|-----------------|------------|-----------|
| Denied          |  No policy | Denied    |
|-----------------|------------|-----------|
| No policy       |  Allowed   | Allowed   |
|-----------------|------------|-----------|
| No policy       |  Denied    | Denied    |
|-----------------|------------|-----------|
| No policy       |  No policy | No result |
|-----------------|------------|-----------|


Thanks,

Madhan Neethiraj