Re: Review Request 64228: Traverse check in RangerHdfsAuthorizer works incorrectly

2017-12-05 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64228/#review192956
---


Ship it!

- Madhan Neethiraj


On Dec. 5, 2017, 11:45 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/64228/
> ---
> 
> (Updated Dec. 5, 2017, 11:45 p.m.)
> 
> 
> Review request for ranger, Colm O hEigeartaigh, Zsombor Gegesy, Madhan 
> Neethiraj, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1707
> https://issues.apache.org/jira/browse/RANGER-1707
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Traversal check in RangerHdfsAuthorizer works incorrectly: when it is asked
> for access to /a/b/c.txt, it only checks whether there is a policy which
> grants EXEC to /a/b, but if there isn't any, then it doesn't check whether
> there is a policy which grants READ, WRITE or EXEC to /a/b/c.txt explicitly,
> which would mean that the path is accessible to the user.
> This hasn't been noticed by the current unit tests, because HDFS before 2.8.0
> doesn't call the traversal check before reading or writing a file; however,
> it will cause problems with 2.8.0, where FSDirectory.resolvePath will perform
> a mandatory traversal check.
>
> This patch is based on the patch submitted for review
> (https://reviews.apache.org/r/61062/) with the following modifications.
> 1. If the traversal check (check for EXECUTE on the parent/ancestor if the
> resource is a file) does not fail with an explicit DENY by Ranger Authorizer,
> then it is presumed to have succeeded without any further checks and no audit
> record is created. If it fails with DENY, then the authorization fails and an
> audit record is created.
> 2. Test policies in hdfs-policies.json and test cases
> (RangerHdfsAuthorizerTest) are modified to test for the explicit DENY case.
> 
> 
> Diffs
> -
> 
>   hdfs-agent/pom.xml 87ba777
>   hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java af4d9b5
>   hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerAdminClientImpl.java 75d73aa
>   hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java PRE-CREATION
>   hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies-tag.json PRE-CREATION
>   hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies.json PRE-CREATION
> 
> 
> Diff: https://reviews.apache.org/r/64228/diff/3/
> 
> 
> Testing
> ---
> 
> Unit tested with HDFS versions 2.7.1 and 3.0.0.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



Re: Review Request 64228: Traverse check in RangerHdfsAuthorizer works incorrectly

2017-12-05 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64228/
---

(Updated Dec. 5, 2017, 11:45 p.m.)


Review request for ranger, Colm O hEigeartaigh, Zsombor Gegesy, Madhan 
Neethiraj, Ramesh Mani, and Velmurugan Periasamy.


Changes
---

Addressed review comments


Bugs: RANGER-1707
https://issues.apache.org/jira/browse/RANGER-1707


Repository: ranger


Description
---

Traversal check in RangerHdfsAuthorizer works incorrectly: when it is asked for
access to /a/b/c.txt, it only checks whether there is a policy which grants
EXEC to /a/b, but if there isn't any, then it doesn't check whether there is a
policy which grants READ, WRITE or EXEC to /a/b/c.txt explicitly, which would
mean that the path is accessible to the user.
This hasn't been noticed by the current unit tests, because HDFS before 2.8.0
doesn't call the traversal check before reading or writing a file; however, it
will cause problems with 2.8.0, where FSDirectory.resolvePath will perform a
mandatory traversal check.

This patch is based on the patch submitted for review
(https://reviews.apache.org/r/61062/) with the following modifications.
1. If the traversal check (check for EXECUTE on the parent/ancestor if the
resource is a file) does not fail with an explicit DENY by Ranger Authorizer,
then it is presumed to have succeeded without any further checks and no audit
record is created. If it fails with DENY, then the authorization fails and an
audit record is created.
2. Test policies in hdfs-policies.json and test cases
(RangerHdfsAuthorizerTest) are modified to test for the explicit DENY case.


Diffs (updated)
-

  hdfs-agent/pom.xml 87ba777
  hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java af4d9b5
  hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerAdminClientImpl.java 75d73aa
  hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java PRE-CREATION
  hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies-tag.json PRE-CREATION
  hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies.json PRE-CREATION


Diff: https://reviews.apache.org/r/64228/diff/3/

Changes: https://reviews.apache.org/r/64228/diff/2-3/


Testing
---

Unit tested with HDFS versions 2.7.1 and 3.0.0.


Thanks,

Abhay Kulkarni



Re: Review Request 64228: Traverse check in RangerHdfsAuthorizer works incorrectly

2017-12-05 Thread Madhan Neethiraj


> On Dec. 5, 2017, 9:44 p.m., Madhan Neethiraj wrote:
> > hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
> > Lines 452 (patched)
> > 
> >
> > This treats NOT_DETERMINED as ALLOW, which is different from the 
> > current behavior. Why not return NOT_DETERMINED from here?
> > 
> > if (result == null || !result.getIsAccessDetermined()) {
> >   ret = AuthzStatus.NOT_DETERMINED;
> > } else {
> >   ret = result.getIsAllowed() ? AuthzStatus.ALLOW : AuthzStatus.DENY;
> > }

I take back this comment. The implementation in this patch looks good!


- Madhan


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64228/#review192932
---


On Dec. 2, 2017, 1:25 a.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/64228/
> ---
> 
> (Updated Dec. 2, 2017, 1:25 a.m.)
> 
> 
> Review request for ranger, Colm O hEigeartaigh, Zsombor Gegesy, Madhan 
> Neethiraj, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1707
> https://issues.apache.org/jira/browse/RANGER-1707
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Traversal check in RangerHdfsAuthorizer works incorrectly: when it is asked
> for access to /a/b/c.txt, it only checks whether there is a policy which
> grants EXEC to /a/b, but if there isn't any, then it doesn't check whether
> there is a policy which grants READ, WRITE or EXEC to /a/b/c.txt explicitly,
> which would mean that the path is accessible to the user.
> This hasn't been noticed by the current unit tests, because HDFS before 2.8.0
> doesn't call the traversal check before reading or writing a file; however,
> it will cause problems with 2.8.0, where FSDirectory.resolvePath will perform
> a mandatory traversal check.
>
> This patch is based on the patch submitted for review
> (https://reviews.apache.org/r/61062/) with the following modifications.
> 1. If the traversal check (check for EXECUTE on the parent/ancestor if the
> resource is a file) does not fail with an explicit DENY by Ranger Authorizer,
> then it is presumed to have succeeded without any further checks and no audit
> record is created. If it fails with DENY, then the authorization fails and an
> audit record is created.
> 2. Test policies in hdfs-policies.json and test cases
> (RangerHdfsAuthorizerTest) are modified to test for the explicit DENY case.
> 
> 
> Diffs
> -
> 
>   hdfs-agent/pom.xml 87ba777
>   hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java af4d9b5
>   hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerAdminClientImpl.java 75d73aa
>   hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java PRE-CREATION
>   hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies-tag.json PRE-CREATION
>   hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies.json PRE-CREATION
> 
> 
> Diff: https://reviews.apache.org/r/64228/diff/2/
> 
> 
> Testing
> ---
> 
> Unit tested with HDFS versions 2.7.1 and 3.0.0.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



Re: Review Request 64228: Traverse check in RangerHdfsAuthorizer works incorrectly

2017-12-05 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64228/#review192932
---




hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
Lines 403 (patched)


Consider renaming 'alwaysAudit' as 'skipAuditOnAllow' (and reverse the 
value assigned in line #403, #406).



hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
Lines 430 (patched)


inode can't be null here - due to 'if' in line #416 above.



hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
Lines 452 (patched)


This treats NOT_DETERMINED as ALLOW, which is different from the current 
behavior. Why not return NOT_DETERMINED from here?

if (result == null || !result.getIsAccessDetermined()) {
  ret = AuthzStatus.NOT_DETERMINED;
} else {
  ret = result.getIsAllowed() ? AuthzStatus.ALLOW : AuthzStatus.DENY;
}


- Madhan Neethiraj


On Dec. 2, 2017, 1:25 a.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/64228/
> ---
> 
> (Updated Dec. 2, 2017, 1:25 a.m.)
> 
> 
> Review request for ranger, Colm O hEigeartaigh, Zsombor Gegesy, Madhan 
> Neethiraj, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1707
> https://issues.apache.org/jira/browse/RANGER-1707
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Traversal check in RangerHdfsAuthorizer works incorrectly: when it is asked
> for access to /a/b/c.txt, it only checks whether there is a policy which
> grants EXEC to /a/b, but if there isn't any, then it doesn't check whether
> there is a policy which grants READ, WRITE or EXEC to /a/b/c.txt explicitly,
> which would mean that the path is accessible to the user.
> This hasn't been noticed by the current unit tests, because HDFS before 2.8.0
> doesn't call the traversal check before reading or writing a file; however,
> it will cause problems with 2.8.0, where FSDirectory.resolvePath will perform
> a mandatory traversal check.
>
> This patch is based on the patch submitted for review
> (https://reviews.apache.org/r/61062/) with the following modifications.
> 1. If the traversal check (check for EXECUTE on the parent/ancestor if the
> resource is a file) does not fail with an explicit DENY by Ranger Authorizer,
> then it is presumed to have succeeded without any further checks and no audit
> record is created. If it fails with DENY, then the authorization fails and an
> audit record is created.
> 2. Test policies in hdfs-policies.json and test cases
> (RangerHdfsAuthorizerTest) are modified to test for the explicit DENY case.
> 
> 
> Diffs
> -
> 
>   hdfs-agent/pom.xml 87ba777
>   hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java af4d9b5
>   hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerAdminClientImpl.java 75d73aa
>   hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java PRE-CREATION
>   hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies-tag.json PRE-CREATION
>   hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies.json PRE-CREATION
> 
> 
> Diff: https://reviews.apache.org/r/64228/diff/2/
> 
> 
> Testing
> ---
> 
> Unit tested with HDFS versions 2.7.1 and 3.0.0.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>
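
The traversal rule from the description quoted above, together with the NOT_DETERMINED question raised on line 452, as an added Java sketch that is not code from the patch or from Ranger: `accessStrict` models the reported behaviour (anything other than an EXECUTE grant on the parent stops evaluation) and `accessPatched` models modification 1. All class, method and policy names are hypothetical, the policies are constructed, and only the immediate parent is checked.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added illustration; every name here is hypothetical and none of it is Ranger's API.
public class TraversalCheckDemo {
    enum Status { ALLOW, DENY, NOT_DETERMINED }

    // Constructed policy: exact-path match for one user and one access type.
    static final class Policy {
        final String path, user, access;
        final boolean allow;
        Policy(String path, String user, String access, boolean allow) {
            this.path = path; this.user = user; this.access = access; this.allow = allow;
        }
    }

    final List<Policy> policies;
    final List<String> audit = new ArrayList<>();

    TraversalCheckDemo(List<Policy> policies) { this.policies = policies; }

    // Tri-state evaluation: a matching deny wins, then a matching allow, else no decision.
    Status evaluate(String path, String user, String access) {
        Status ret = Status.NOT_DETERMINED;
        for (Policy p : policies) {
            if (p.path.equals(path) && p.user.equals(user) && p.access.equals(access)) {
                if (!p.allow) return Status.DENY;
                ret = Status.ALLOW;
            }
        }
        return ret;
    }

    static String parentOf(String path) {
        int i = path.lastIndexOf('/');
        return i <= 0 ? "/" : path.substring(0, i);
    }

    // Reported behaviour: without an EXECUTE grant on the parent, the policy
    // on the file itself is never consulted.
    Status accessStrict(String path, String user, String access) {
        Status traversal = evaluate(parentOf(path), user, "EXECUTE");
        return traversal != Status.ALLOW ? traversal : evaluate(path, user, access);
    }

    // Modification 1: only an explicit DENY fails traversal (and is audited);
    // otherwise traversal is presumed to succeed and leaves no audit record.
    Status accessPatched(String path, String user, String access) {
        String parent = parentOf(path);
        if (evaluate(parent, user, "EXECUTE") == Status.DENY) {
            audit.add("DENY EXECUTE " + parent + " user=" + user);
            return Status.DENY;
        }
        Status ret = evaluate(path, user, access);
        audit.add(ret + " " + access + " " + path + " user=" + user);
        return ret;
    }

    public static void main(String[] args) {
        TraversalCheckDemo d = new TraversalCheckDemo(Arrays.asList(
            new Policy("/a/b/c.txt", "alice", "READ", true),      // grant on the file only
            new Policy("/secret", "alice", "EXECUTE", false),     // explicit deny on a directory
            new Policy("/secret/x.txt", "alice", "READ", true))); // grant below the denied directory
        System.out.println("strict  /a/b/c.txt    : " + d.accessStrict("/a/b/c.txt", "alice", "READ"));
        System.out.println("patched /a/b/c.txt    : " + d.accessPatched("/a/b/c.txt", "alice", "READ"));
        System.out.println("patched /secret/x.txt : " + d.accessPatched("/secret/x.txt", "alice", "READ"));
        d.audit.forEach(line -> System.out.println("audit: " + line));
    }
}
```

The third call is the explicit DENY case the test policies are said to cover: a READ grant on the file does not override a denied EXECUTE on its parent, and that traversal failure is the only traversal event that reaches the audit list.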



Re: Review Request 64228: Traverse check in RangerHdfsAuthorizer works incorrectly

2017-12-04 Thread Colm O hEigeartaigh

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64228/#review192712
---


Ship it!

- Colm O hEigeartaigh


On Dec. 2, 2017, 1:25 a.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/64228/
> ---
> 
> (Updated Dec. 2, 2017, 1:25 a.m.)
> 
> 
> Review request for ranger, Colm O hEigeartaigh, Zsombor Gegesy, Madhan 
> Neethiraj, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1707
> https://issues.apache.org/jira/browse/RANGER-1707
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Traversal check in RangerHdfsAuthorizer works incorrectly: when it is asked
> for access to /a/b/c.txt, it only checks whether there is a policy which
> grants EXEC to /a/b, but if there isn't any, then it doesn't check whether
> there is a policy which grants READ, WRITE or EXEC to /a/b/c.txt explicitly,
> which would mean that the path is accessible to the user.
> This hasn't been noticed by the current unit tests, because HDFS before 2.8.0
> doesn't call the traversal check before reading or writing a file; however,
> it will cause problems with 2.8.0, where FSDirectory.resolvePath will perform
> a mandatory traversal check.
>
> This patch is based on the patch submitted for review
> (https://reviews.apache.org/r/61062/) with the following modifications.
> 1. If the traversal check (check for EXECUTE on the parent/ancestor if the
> resource is a file) does not fail with an explicit DENY by Ranger Authorizer,
> then it is presumed to have succeeded without any further checks and no audit
> record is created. If it fails with DENY, then the authorization fails and an
> audit record is created.
> 2. Test policies in hdfs-policies.json and test cases
> (RangerHdfsAuthorizerTest) are modified to test for the explicit DENY case.
> 
> 
> Diffs
> -
> 
>   hdfs-agent/pom.xml 87ba777
>   hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java af4d9b5
>   hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerAdminClientImpl.java 75d73aa
>   hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java PRE-CREATION
>   hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies-tag.json PRE-CREATION
>   hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies.json PRE-CREATION
> 
> 
> Diff: https://reviews.apache.org/r/64228/diff/2/
> 
> 
> Testing
> ---
> 
> Unit tested with HDFS versions 2.7.1 and 3.0.0.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



Re: Review Request 64228: Traverse check in RangerHdfsAuthorizer works incorrectly

2017-12-01 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64228/
---

(Updated Dec. 2, 2017, 1:25 a.m.)


Review request for ranger, Colm O hEigeartaigh, Zsombor Gegesy, Madhan 
Neethiraj, Ramesh Mani, and Velmurugan Periasamy.


Changes
---

Addressed review comment by setting up a subdirectory (hdfs_version_3.0) under 
resources where test policies specific to testing hdfs 3.0 plugin functionality 
are located.


Bugs: RANGER-1707
https://issues.apache.org/jira/browse/RANGER-1707


Repository: ranger


Description
---

Traversal check in RangerHdfsAuthorizer works incorrectly: when it is asked for
access to /a/b/c.txt, it only checks whether there is a policy which grants
EXEC to /a/b, but if there isn't any, then it doesn't check whether there is a
policy which grants READ, WRITE or EXEC to /a/b/c.txt explicitly, which would
mean that the path is accessible to the user.
This hasn't been noticed by the current unit tests, because HDFS before 2.8.0
doesn't call the traversal check before reading or writing a file; however, it
will cause problems with 2.8.0, where FSDirectory.resolvePath will perform a
mandatory traversal check.

This patch is based on the patch submitted for review
(https://reviews.apache.org/r/61062/) with the following modifications.
1. If the traversal check (check for EXECUTE on the parent/ancestor if the
resource is a file) does not fail with an explicit DENY by Ranger Authorizer,
then it is presumed to have succeeded without any further checks and no audit
record is created. If it fails with DENY, then the authorization fails and an
audit record is created.
2. Test policies in hdfs-policies.json and test cases
(RangerHdfsAuthorizerTest) are modified to test for the explicit DENY case.


Diffs (updated)
-

  hdfs-agent/pom.xml 87ba777
  hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java af4d9b5
  hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerAdminClientImpl.java 75d73aa
  hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java PRE-CREATION
  hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies-tag.json PRE-CREATION
  hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies.json PRE-CREATION


Diff: https://reviews.apache.org/r/64228/diff/2/

Changes: https://reviews.apache.org/r/64228/diff/1-2/


Testing
---

Unit tested with HDFS versions 2.7.1 and 3.0.0.


Thanks,

Abhay Kulkarni



Re: Review Request 64228: Traverse check in RangerHdfsAuthorizer works incorrectly

2017-12-01 Thread Zsombor Gegesy

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64228/#review192476
---



The 'lack of deny means allow in traversal' could work as well; I was not able
to fabricate a counterexample yet :)
One small remark: it would be better if, instead of modifying the already
existing test policies, you could add new, explicit test cases for the deny
handling. So it will be more convincing that, if a user had similar policies
as in the original test cases, the new code works in a compatible way, not
breaking the old tests.

- Zsombor Gegesy


On Nov. 30, 2017, 10:38 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/64228/
> ---
> 
> (Updated Nov. 30, 2017, 10:38 p.m.)
> 
> 
> Review request for ranger, Colm O hEigeartaigh, Zsombor Gegesy, Madhan 
> Neethiraj, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1707
> https://issues.apache.org/jira/browse/RANGER-1707
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Traversal check in RangerHdfsAuthorizer works incorrectly: when it is asked
> for access to /a/b/c.txt, it only checks whether there is a policy which
> grants EXEC to /a/b, but if there isn't any, then it doesn't check whether
> there is a policy which grants READ, WRITE or EXEC to /a/b/c.txt explicitly,
> which would mean that the path is accessible to the user.
> This hasn't been noticed by the current unit tests, because HDFS before 2.8.0
> doesn't call the traversal check before reading or writing a file; however,
> it will cause problems with 2.8.0, where FSDirectory.resolvePath will perform
> a mandatory traversal check.
>
> This patch is based on the patch submitted for review
> (https://reviews.apache.org/r/61062/) with the following modifications.
> 1. If the traversal check (check for EXECUTE on the parent/ancestor if the
> resource is a file) does not fail with an explicit DENY by Ranger Authorizer,
> then it is presumed to have succeeded without any further checks and no audit
> record is created. If it fails with DENY, then the authorization fails and an
> audit record is created.
> 2. Test policies in hdfs-policies.json and test cases
> (RangerHdfsAuthorizerTest) are modified to test for the explicit DENY case.
> 
> 
> Diffs
> -
> 
>   hdfs-agent/pom.xml 87ba777
>   hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java af4d9b5
>   hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java PRE-CREATION
>   hdfs-agent/src/test/resources/hdfs-policies.json 056231f
> 
> 
> Diff: https://reviews.apache.org/r/64228/diff/1/
> 
> 
> Testing
> ---
> 
> Unit tested with HDFS versions 2.7.1 and 3.0.0.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



Re: Review Request 64228: Traverse check in RangerHdfsAuthorizer works incorrectly

2017-12-01 Thread Colm O hEigeartaigh

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64228/#review192459
---



LGTM. Zsombor?

- Colm O hEigeartaigh


On Nov. 30, 2017, 10:38 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/64228/
> ---
> 
> (Updated Nov. 30, 2017, 10:38 p.m.)
> 
> 
> Review request for ranger, Colm O hEigeartaigh, Zsombor Gegesy, Madhan 
> Neethiraj, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1707
> https://issues.apache.org/jira/browse/RANGER-1707
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Traversal check in RangerHdfsAuthorizer works incorrectly: when it is asked
> for access to /a/b/c.txt, it only checks whether there is a policy which
> grants EXEC to /a/b, but if there isn't any, then it doesn't check whether
> there is a policy which grants READ, WRITE or EXEC to /a/b/c.txt explicitly,
> which would mean that the path is accessible to the user.
> This hasn't been noticed by the current unit tests, because HDFS before 2.8.0
> doesn't call the traversal check before reading or writing a file; however,
> it will cause problems with 2.8.0, where FSDirectory.resolvePath will perform
> a mandatory traversal check.
>
> This patch is based on the patch submitted for review
> (https://reviews.apache.org/r/61062/) with the following modifications.
> 1. If the traversal check (check for EXECUTE on the parent/ancestor if the
> resource is a file) does not fail with an explicit DENY by Ranger Authorizer,
> then it is presumed to have succeeded without any further checks and no audit
> record is created. If it fails with DENY, then the authorization fails and an
> audit record is created.
> 2. Test policies in hdfs-policies.json and test cases
> (RangerHdfsAuthorizerTest) are modified to test for the explicit DENY case.
> 
> 
> Diffs
> -
> 
>   hdfs-agent/pom.xml 87ba777
>   hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java af4d9b5
>   hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java PRE-CREATION
>   hdfs-agent/src/test/resources/hdfs-policies.json 056231f
> 
> 
> Diff: https://reviews.apache.org/r/64228/diff/1/
> 
> 
> Testing
> ---
> 
> Unit tested with HDFS versions 2.7.1 and 3.0.0.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>