This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new fdc527b54 RANGER-4007: HDFS Authorizer changes to take advantage of support for multiple access-types in the Ranger Access Request
fdc527b54 is described below
commit fdc527b542bab6f101f530b39bf688a11e16b352
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Thu Dec 8 19:07:57 2022 -0800
RANGER-4007: HDFS Authorizer changes to take advantage of support for multiple access-types in the Ranger Access Request
---
.../authorization/hadoop/RangerHdfsAuthorizer.java | 43 +++++++++-------------
1 file changed, 18 insertions(+), 25 deletions(-)
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index ef6f4f865..9b1279bcb 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -199,7 +199,7 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
 return rangerPlugin.getConfig();
 }
- private enum AuthzStatus { ALLOW, DENY, NOT_DETERMINED };
+ private enum AuthzStatus { ALLOW, DENY, NOT_DETERMINED }
 class RangerAccessControlEnforcer implements AccessControlEnforcer {
 private INodeAttributeProvider.AccessControlEnforcer defaultEnforcer = null;
@@ -716,11 +716,12 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
 accessTypes = access2ActionListMapper.get(FsAction.NONE);
 }
- for(String accessType : accessTypes) {
- RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(inode, path, pathOwner, access, accessType, context.operationName, context.user, context.userGroups);
+ if (accessTypes.size() > 0) {
+ RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(inode, path, pathOwner, access, accessTypes.iterator().next(), context.operationName, context.user, context.userGroups);
- Map<String, Object> requestContext = request.getContext();
- requestContext.put(RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES, accessTypes);
+ if (accessTypes.size() > 1) {
+ RangerAccessRequestUtil.setAllRequestedAccessTypes(request.getContext(), accessTypes);
+ }
 RangerAccessResult result = context.plugin.isAccessAllowed(request, context.auditHandler);
@@ -728,14 +729,10 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
 if (result == null || !result.getIsAccessDetermined()) {
 ret = AuthzStatus.NOT_DETERMINED;
- // don't break yet; subsequent accessType could be denied
- } else if(! result.getIsAllowed()) { // explicit deny
+ } else if (!result.getIsAllowed()) { // explicit deny
 ret = AuthzStatus.DENY;
- break;
 } else { // allowed
- if(!AuthzStatus.NOT_DETERMINED.equals(ret)) { // set to ALLOW only if there was no NOT_DETERMINED earlier
- ret = AuthzStatus.ALLOW;
- }
+ ret = AuthzStatus.ALLOW;
 }
 }
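Review bot: The deny-wins semantics the removed loop enforced locally — any denied access type short-circuited to DENY, ALLOW only when every type was allowed and none was NOT_DETERMINED — now rests entirely on the policy engine honouring the set handed to `setAllRequestedAccessTypes`, while the request itself names only `accessTypes.iterator().next()`; if the engine this agent is deployed against evaluates just the request's own access type, a multi-type request such as read+write is decided on one type alone, i.e. it fails open. A comment at the `if (accessTypes.size() > 0)` line should record that contract, e.g. `// the engine must evaluate every entry set via setAllRequestedAccessTypes; the first element is only the request's nominal accessType (what the audit record shows)`. Which element `iterator().next()` yields depends on the Set implementation behind `access2ActionListMapper`, which is not visible here; if it is a HashSet, the nominal access type written to the audit record is not deterministic. `accessTypes.size() > 0` reads better as `!accessTypes.isEmpty()`. The same applies to @@ -782; the enclosing method starts and ends outside the hunk.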
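Review bot: The result-to-status mapping left behind once the loop went is duplicated verbatim in @@ -794, and the two copies have already drifted: this hunk normalizes the condition to `} else if (!result.getIsAllowed()) {` while @@ -794 keeps `} else if(! result.getIsAllowed()) {`. With no loop state to carry, the three branches are a pure function of `result`, so a private static helper on the outer class (AuthzStatus is its private enum, per @@ -199) lets both call sites become `ret = toAuthzStatus(result);`. The enclosing methods start and end outside the hunks.
```java
/** Maps a plugin result to the local status; null or undetermined results are never treated as ALLOW. */
private static AuthzStatus toAuthzStatus(RangerAccessResult result) {
    if (result == null || !result.getIsAccessDetermined()) {
        return AuthzStatus.NOT_DETERMINED;
    }
    return result.getIsAllowed() ? AuthzStatus.ALLOW : AuthzStatus.DENY; // explicit deny wins
}
```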
@@ -782,11 +779,12 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
 }
 subDirPath = subDirPath + rangerPlugin.getRandomizedWildcardPathName();
- for (String accessType : accessTypes) {
- RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(null, subDirPath, pathOwner, access, accessType, context.operationName, context.user, context.userGroups);
+ if (accessTypes.size() > 0) {
+ RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(null, subDirPath, pathOwner, access, accessTypes.iterator().next(), context.operationName, context.user, context.userGroups);
- Map<String, Object> requestContext = request.getContext();
- requestContext.put(RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES, accessTypes);
+ if (accessTypes.size() > 1) {
+ RangerAccessRequestUtil.setAllRequestedAccessTypes(request.getContext(), accessTypes);
+ }
 RangerAccessResult result = context.plugin.isAccessAllowed(request, null);
@@ -794,14 +792,10 @@ public class RangerHdfsAuthorizer extends INodeAttributeProvider {
 if (result == null || !result.getIsAccessDetermined()) {
 ret = AuthzStatus.NOT_DETERMINED;
- // don't break yet; subsequent accessType could be denied
 } else if(! result.getIsAllowed()) { // explicit deny
 ret = AuthzStatus.DENY;
- break;
 } else { // allowed
- if(!AuthzStatus.NOT_DETERMINED.equals(ret)) { // set to ALLOW only if there was no NOT_DETERMINED earlier
- ret = AuthzStatus.ALLOW;
- }
+ ret = AuthzStatus.ALLOW;
 }
 }
 }
@@ -1145,17 +1139,16 @@ class RangerHdfsAuditHandler extends RangerDefaultAuditHandler {
 private String getAccessTypesAsString(RangerAccessRequest request) {
 String ret = null;
- Map<String,Object> context = request.getContext();
- Set<String> accessTypes = null;
+ Set<String> accessTypes = RangerAccessRequestUtil.getAllRequestedAccessTypes(request);
- Object val = context.get(RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES);
- if (val instanceof Set<?>) {
+ if (CollectionUtils.isNotEmpty(accessTypes)) {
 try {
- accessTypes = (Set<String>) val;
 ret = getFormattedAccessType(accessTypes);
 } catch (Throwable t) {
 LOG.error("getAccessTypesAsString(): failed to get accessTypes from context", t);
 }
+ } else {
+ ret = request.getAccessType();
 }
 return ret;
 }
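Review bot: When `getFormattedAccessType` throws, `ret` stays null and the audit record loses its access type, even though the new `else` branch shows `request.getAccessType()` is the intended fallback; the `catch (Throwable t)` was guarding the unchecked cast this hunk deletes, so it is now broader than anything left in the block and its message `"failed to get accessTypes from context"` no longer describes what can fail. Initialising `String ret = request.getAccessType();` and dropping the `else` branch applies the fallback on both paths, and narrowing the catch to what `getFormattedAccessType` can actually raise (its body is not in the hunk) with a message naming it keeps the log accurate. If `getAllRequestedAccessTypes` only returns the set that the authorizer stored via `setAllRequestedAccessTypes` — which @@ -716 does only for more than one access type — a single-type request reaches the fallback by design; a one-line comment saying so would spare the next reader cross-checking the authorizer.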