Github user interma commented on a diff in the pull request:
https://github.com/apache/incubator-hawq/pull/1081#discussion_r95522261
--- Diff: src/backend/libpq/rangerrest.c ---
@@ -68,51 +69,99 @@ static void getClientIP(char *remote_host)
}
}
-RangerACLResult parse_ranger_response(char* buffer)
+/*
+ * parse ranger response
+ * @param buffer ranger response
+ * @param result_list List of RangerPrivilegeResults
+ * @return 0 parse success; -1 other error
+ */
+static int parse_ranger_response(char* buffer, List *result_list)
{
if (buffer == NULL || strlen(buffer) == 0)
- return RANGERCHECK_UNKNOWN;
+ return -1;
elog(LOG, "read from Ranger Restful API: %s", buffer);
struct json_object *response = json_tokener_parse(buffer);
if (response == NULL)
{
elog(WARNING, "json_tokener_parse failed");
- return RANGERCHECK_NO_PRIV;
+ return -1;
}
struct json_object *accessObj = NULL;
if (!json_object_object_get_ex(response, "access", &accessObj))
{
elog(WARNING, "get json access field failed");
- return RANGERCHECK_NO_PRIV;
+ return -1;
}
int arraylen = json_object_array_length(accessObj);
elog(LOG, "Array Length: %d",arraylen);
-
- // here should return which table's acl check failed in future.
+
for (int i=0; i< arraylen; i++){
struct json_object *jvalue = NULL;
struct json_object *jallow = NULL;
+ struct json_object *jresource = NULL;
+ struct json_object *jprivilege = NULL;
jvalue = json_object_array_get_idx(accessObj, i);
+ if (jvalue == NULL)
+ return -1;
if (!json_object_object_get_ex(jvalue, "allowed", &jallow))
- {
- return RANGERCHECK_NO_PRIV;
- }
- json_bool result = json_object_get_boolean(jallow);
- if(result != 1){
- return RANGERCHECK_NO_PRIV;
+ return -1;
+ if (!json_object_object_get_ex(jvalue, "resource", &jresource))
+ return -1;
+ if (!json_object_object_get_ex(jvalue, "privileges",
&jprivilege))
+ return -1;
+
+ json_bool ok = json_object_get_boolean(jallow);
+
+ const char *resource_str = json_object_get_string(jresource);
+ const char *privilege_str = json_object_get_string(jprivilege);
+ uint32 resource_sign = string_hash(resource_str,
strlen(resource_str));
+ uint32 privilege_sign = string_hash(privilege_str,
strlen(privilege_str));
+ elog(DEBUG3, "ranger reponse access sign, resource_str:%s,
privilege_str:%s",
+ resource_str, privilege_str);
+
+ ListCell *result;
+ /* get each resource result by use sign */
+ foreach(result, result_list) {
+ /* loop find is enough for performence*/
+ RangerPrivilegeResults *result_ptr =
(RangerPrivilegeResults *) lfirst(result);
+ if (result_ptr->resource_sign != resource_sign ||
result_ptr->privilege_sign != privilege_sign)
+ continue;
+
+ if (ok == 1)
+ result_ptr->result = RANGERCHECK_OK;
+ else
+ result_ptr->result = RANGERCHECK_NO_PRIV;
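Review bot: `resource_str` and `privilege_str` are passed to `strlen()` without a NULL check, yet `json_object_object_get_ex()` succeeds for a key whose value is JSON null, and `json_object_get_string()` then returns NULL. A malformed or unexpected Ranger response would crash the backend instead of failing the authorization check, so add `if (resource_str == NULL || privilege_str == NULL) return -1;` before the two `string_hash` calls. Likewise `accessObj` reaches `json_object_array_length()` without being confirmed as an array; `if (!json_object_is_type(accessObj, json_type_array)) return -1;` belongs before the loop. The `return -1` paths after `json_tokener_parse()` succeeds also appear to skip `json_object_put(response)`; the function continues past the end of this hunk, so confirm where that cleanup happens.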
--- End diff --
Match response sign to request, and judge a **pair**.