Repository: ranger
Updated Branches:
  refs/heads/ranger-1.0 e9085bc37 -> 952fe4535


RANGER-2066: Fix regression


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/952fe453
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/952fe453
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/952fe453

Branch: refs/heads/ranger-1.0
Commit: 952fe45350637379618d22d13b483692d8329368
Parents: e9085bc
Author: Abhay Kulkarni <akulka...@hortonworks.com>
Authored: Wed Apr 18 14:11:07 2018 -0700
Committer: Abhay Kulkarni <akulka...@hortonworks.com>
Committed: Wed Apr 18 14:11:07 2018 -0700

----------------------------------------------------------------------
 .../RangerDefaultPolicyEvaluator.java           | 10 ++-
 .../hbase/RangerAuthorizationCoprocessor.java   | 65 +++++++++++++-------
 2 files changed, 48 insertions(+), 27 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/952fe453/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index a4164a2..7ede98f 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -373,12 +373,10 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
                                result.setReason(reason);
                        }
                } else {
-                       if (matchType != 
RangerPolicyResourceMatcher.MatchType.DESCENDANT || 
result.getAccessRequest().isAccessTypeAny()) {
-                               if (!result.getIsAllowed()) { // if access is 
not yet allowed by another policy
-                                       result.setIsAllowed(true);
-                                       result.setPolicyId(getId());
-                                       result.setReason(reason);
-                               }
+                       if (!result.getIsAllowed()) { // if access is not yet 
allowed by another policy
+                               result.setIsAllowed(true);
+                               result.setPolicyId(getId());
+                               result.setReason(reason);
                        }
                }
        }
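Review bot: With the `matchType != RangerPolicyResourceMatcher.MatchType.DESCENDANT || isAccessTypeAny()` guard gone, the else branch now sets `isAllowed`, the policy id and the reason for a DESCENDANT match regardless of the requested access type, and `matchType` is no longer referenced anywhere in the visible lines of this branch. Since this is the allow decision of the evaluator, the asymmetry with the branch above should be explained at the site rather than only in the commit title; the companion hbase-agent hunk appears to rely on it by evaluating SELF and SELF_OR_DESCENDANTS separately and treating a descendant-only grant as partial access. Suggested comment above the new `if (!result.getIsAllowed())`: `// A DESCENDANT match also allows here (RANGER-2066); callers that request SELF_OR_DESCENDANTS scope must treat such a grant as partial access and evaluate SELF separately when they need a definite answer.` The enclosing method starts and ends outside the hunk, so whether `matchType` is still used by the deny path could not be checked here.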

http://git-wip-us.apache.org/repos/asf/ranger/blob/952fe453/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git 
a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
 
b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 12b675b..8ebac56 100644
--- 
a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ 
b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -397,53 +397,75 @@ public class RangerAuthorizationCoprocessor extends 
RangerAuthorizationCoprocess
                        Set<String> columns = anEntry.getValue();
                        if (columns == null || columns.isEmpty()) {
                                LOG.debug("evaluateAccess: columns collection 
null or empty, ok.  Family level access is desired.");
+
                                session.column(null) // zap stale column from 
prior iteration of this loop, if any
                                                .buildRequest()
                                                .authorize();
                                AuthzAuditEvent auditEvent = 
auditHandler.getAndDiscardMostRecentEvent(); // capture it only for success
+
+                               final boolean isColumnFamilyAuthorized = 
session.isAuthorized();
+
+                               if (auditEvent != null) {
+                                       if (isColumnFamilyAuthorized) {
+                                               
familyLevelAccessEvents.add(auditEvent);
+                                       } else {
+                                               if (deniedEvent == null) { // 
we need to capture just one denial event
+                                                       
LOG.debug("evaluateAccess: Setting denied access audit event with last auth 
failure audit event.");
+                                                       deniedEvent = 
auditEvent;
+                                               }
+                                       }
+                               }
+                               if (LOG.isDebugEnabled()) {
+                                       LOG.debug("evaluateAccess: family level 
access for [" + family + "] is evaluated to " + isColumnFamilyAuthorized + ". 
Checking if [" + family + "] descendants have access.");
+                               }
+                               
session.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS)
+                                               .buildRequest()
+                                               .authorize();
+                               auditEvent = 
auditHandler.getAndDiscardMostRecentEvent(); // capture it only for failure
                                if (session.isAuthorized()) {
-                                       somethingIsAccessible = true;
                                        if (LOG.isDebugEnabled()) {
-                                               LOG.debug("evaluateAccess: has 
family level access [" + family + "]. Checking if [" + family + "] descendants 
have access.");
+                                               LOG.debug("evaluateAccess: [" + 
family + "] descendants have access");
                                        }
-                                       
session.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS)
-                                                       .buildRequest()
-                                                       .authorize();
-                                       auditEvent = 
auditHandler.getAndDiscardMostRecentEvent(); // capture it only for failure
-                                       if (session.isAuthorized()) {
-                                               if (LOG.isDebugEnabled()) {
-                                                       
LOG.debug("evaluateAccess: [" + family + "] descendants have access");
-                                               }
+                                       somethingIsAccessible = true;
+                                       if (isColumnFamilyAuthorized) {
                                                
familesAccessAllowed.add(family);
                                                if (auditEvent != null) {
                                                        
LOG.debug("evaluateAccess: adding to family-level-access-granted-event-set");
                                                        
familyLevelAccessEvents.add(auditEvent);
                                                }
                                        } else {
+                                               
familesAccessIndeterminate.add(family);
                                                if (LOG.isDebugEnabled()) {
                                                        
LOG.debug("evaluateAccess: has partial access (of some type) in family [" + 
family + "]");
                                                }
                                                everythingIsAccessible = false;
-                                               
familesAccessIndeterminate.add(family);
                                                if (auditEvent != null && 
deniedEvent == null) { // we need to capture just one denial event
                                                        
LOG.debug("evaluateAccess: Setting denied access audit event with last auth 
failure audit event.");
                                                        deniedEvent = 
auditEvent;
                                                }
                                        }
-                                       // Restore the headMatch setting
-                                       
session.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF);
                                } else {
-                                       if (LOG.isDebugEnabled()) {
-                                               LOG.debug("evaluateAccess: has 
no access of [" + access + "] type in family [" + family + "]");
-                                       }
                                        everythingIsAccessible = false;
-                                       familesAccessDenied.add(family);
-                                       denialReason = 
String.format("Insufficient permissions for user ‘%s',action: %s, 
tableName:%s, family:%s.", user.getName(), operation, table, family);
-                                       if (auditEvent != null && deniedEvent 
== null) { // we need to capture just one denial event
-                                               LOG.debug("evaluateAccess: 
Setting denied access audit event with last auth failure audit event.");
-                                               deniedEvent = auditEvent;
+                                       if (isColumnFamilyAuthorized) {
+                                               somethingIsAccessible = true;
+                                               
familesAccessIndeterminate.add(family);
+                                               if (LOG.isDebugEnabled()) {
+                                                       
LOG.debug("evaluateAccess: has partial access (of some type) in family [" + 
family + "]");
+                                               }
+                                               if (auditEvent != null && 
deniedEvent == null) { // we need to capture just one denial event
+                                                       
LOG.debug("evaluateAccess: Setting denied access audit event with last auth 
failure audit event.");
+                                                       deniedEvent = 
auditEvent;
+                                               }
+                                       } else {
+                                               if (LOG.isDebugEnabled()) {
+                                                       
LOG.debug("evaluateAccess: has no access of [" + access + "] type in family [" 
+ family + "]");
+                                               }
+                                               familesAccessDenied.add(family);
+                                               denialReason = 
String.format("Insufficient permissions for user ‘%s',action: %s, 
tableName:%s, family:%s.", user.getName(), operation, table, family);
                                        }
                                }
+                               // Restore the headMatch setting
+                               
session.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF);
                        } else {
                                LOG.debug("evaluateAccess: columns collection 
not empty.  Skipping Family level check, will do finer level access check.");
                                Set<String> accessibleColumns = new 
HashSet<String>(); // will be used in to populate our results cache for the 
filter
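Review bot: In the new "descendants authorized but family not authorized" branch (the `familesAccessIndeterminate.add(family)` block after `if (isColumnFamilyAuthorized)`), `auditEvent` is the event returned after a successful SELF_OR_DESCENDANTS authorize, yet it is still stored as `deniedEvent` when no earlier denial was captured; the line comment on that `getAndDiscardMostRecentEvent()` call still says "capture it only for failure", which no longer describes this path. The actual denial for this family is the SELF failure, which the block added earlier in the hunk already records into `deniedEvent` when the plugin produced an event for it, so if a success event is ever returned here it would be reported as the denial. Suggested change: delete the `if (auditEvent != null && deniedEvent == null) { ... deniedEvent = auditEvent; }` block in that indeterminate branch, or at least reword the comment to `// success event of the descendant check; not a denial`. Moving the `session.resourceMatchingScope(SELF)` restore out of the inner branches so it runs on every path is a good fix. The enclosing evaluateAccess method starts and ends outside the hunk.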
@@ -470,6 +492,7 @@ public class RangerAuthorizationCoprocessor extends 
RangerAuthorizationCoprocess
                                                if (LOG.isDebugEnabled()) {
                                                        
LOG.debug("evaluateAccess: no column level access [" + family + ", " + column + 
"]");
                                                }
+                                               somethingIsAccessible = false;
                                                everythingIsAccessible = false;
                                                denialReason = 
String.format("Insufficient permissions for user ‘%s',action: %s, 
tableName:%s, family:%s, column: %s", user.getName(), operation, table, family, 
column);
                                                if (auditEvent != null && 
deniedEvent == null) { // we need to capture just one denial event
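Review bot: The added `somethingIsAccessible = false;` in the column-level denial branch resets a flag that, in every other visible place (the family-level branches of the previous hunk), is only ever set to true as an accumulator across loop iterations; if a column is denied after an earlier family or column in the same request was allowed, this assignment discards that earlier result. If the intent is that any column denial makes the whole request non-accessible, that is a change in meaning for the flag and deserves a comment such as `// a denied column overrides access found for earlier families/columns`; otherwise the line should be dropped and `everythingIsAccessible = false` on the next line is already sufficient. This is inferred from the visible hunks only; the loop header and the consumer of somethingIsAccessible are outside the diff.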
