This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new 52936a5 RANGER-2603: Delegate Admin processing incorrectly giving policy access to user - due to owner policies 52936a5 is described below commit 52936a50cfde9959825cd57d62593873941dc9b4 Author: Abhay Kulkarni <ab...@apache.org> AuthorDate: Thu Oct 3 21:51:43 2019 -0700 RANGER-2603: Delegate Admin processing incorrectly giving policy access to user - due to owner policies
---
 .../ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 3e00d1e..8469605 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -358,7 +358,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + ")");
 }
- boolean ret = isAccessAllowed(user, userGroups, null, user, accessType) && isMatch(resources, null);
+ boolean ret = isAccessAllowed(user, userGroups, null, null, accessType) && isMatch(resources, null);
 if(LOG.isDebugEnabled()) {
 LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + resources + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
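Review bot: The fourth argument of `isAccessAllowed(user, userGroups, null, null, accessType)` is now a bare `null` sitting next to another `null`, and nothing at the call site says that this slot is the resource owner (inferred from the commit title) or that it must stay empty for delegate-admin checks; the same applies to the call in the hunk at -373. Passing `user` in that position was the over-grant this commit fixes, so a short comment above each call would keep it from being reintroduced: `// owner is intentionally null: a delegate-admin check must not treat the requesting user as the resource owner (RANGER-2603)`. The diffstat shows only this file changed, so no regression test accompanies an authorization fix; a test asserting that a policy whose delegate-admin grant is limited to the owner does not authorize an arbitrary user would pin the behaviour. Both enclosing methods start and end outside the hunks.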
@@ -373,7 +373,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 LOG.debug("==> RangerDefaultPolicyEvaluator.isAccessAllowed(" + policy.getId() + ", " + user + ", " + userGroups + ", " + roles + ", " + accessType + ")");
 }
- boolean ret = isAccessAllowed(user, userGroups, roles, user, accessType) && isMatch(policy, null);
+ boolean ret = isAccessAllowed(user, userGroups, roles, null, accessType) && isMatch(policy, null);
 if(LOG.isDebugEnabled()) {
 LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + policy.getId() + ", " + user + ", " + userGroups + ", " + roles + ", " + accessType + "): " + ret);