This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new fdc527b54 RANGER-4007: HDFS Authorizer changes to take advantage of 
support for multiple access-types in the Ranger Access Request
fdc527b54 is described below

commit fdc527b542bab6f101f530b39bf688a11e16b352
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Thu Dec 8 19:07:57 2022 -0800

    RANGER-4007: HDFS Authorizer changes to take advantage of support for 
multiple access-types in the Ranger Access Request
---
 .../authorization/hadoop/RangerHdfsAuthorizer.java | 43 +++++++++-------------
 1 file changed, 18 insertions(+), 25 deletions(-)

diff --git 
a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
 
b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index ef6f4f865..9b1279bcb 100644
--- 
a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ 
b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -199,7 +199,7 @@ public class RangerHdfsAuthorizer extends 
INodeAttributeProvider {
                return rangerPlugin.getConfig();
        }
 
-       private enum AuthzStatus { ALLOW, DENY, NOT_DETERMINED };
+       private enum AuthzStatus { ALLOW, DENY, NOT_DETERMINED }
 
        class RangerAccessControlEnforcer implements AccessControlEnforcer {
                private INodeAttributeProvider.AccessControlEnforcer 
defaultEnforcer = null;
@@ -716,11 +716,12 @@ public class RangerHdfsAuthorizer extends 
INodeAttributeProvider {
                                accessTypes = 
access2ActionListMapper.get(FsAction.NONE);
                        }
 
-                       for(String accessType : accessTypes) {
-                               RangerHdfsAccessRequest request = new 
RangerHdfsAccessRequest(inode, path, pathOwner, access, accessType, 
context.operationName, context.user, context.userGroups);
+                       if (accessTypes.size() > 0) {
+                               RangerHdfsAccessRequest request = new 
RangerHdfsAccessRequest(inode, path, pathOwner, access, 
accessTypes.iterator().next(), context.operationName, context.user, 
context.userGroups);
 
-                               Map<String, Object> requestContext = 
request.getContext();
-                               
requestContext.put(RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES, 
accessTypes);
+                               if (accessTypes.size() > 1) {
+                                       
RangerAccessRequestUtil.setAllRequestedAccessTypes(request.getContext(), 
accessTypes);
+                               }
 
                                RangerAccessResult result = 
context.plugin.isAccessAllowed(request, context.auditHandler);
 
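Review bot: Replacing the per-accessType loop with one request built from `accessTypes.iterator().next()` moves the "every requested type must be allowed" conjunction out of this authorizer and into the plugin, so the ALLOW produced from `context.plugin.isAccessAllowed(request, context.auditHandler)` is only sound if the engine honours every type recorded by `setAllRequestedAccessTypes` rather than just `request.getAccessType()`; if the plugin library in use does not read that context, this would presumably check a single type and fail open for the rest. The removed comments ("don't break yet; subsequent accessType could be denied") were the only record of that requirement, so a comment above the `if` such as `// one request carries all access types; the policy engine must deny unless every type in accessTypes is allowed` would keep it visible to the next maintainer. Which type ends up as `request.getAccessType()` depends on the iteration order of `accessTypes`, which is fine only as long as the engine never treats that first type as special. Minor: `accessTypes.size() > 0` reads better as `!accessTypes.isEmpty()`. The same change is made for the sub-directory check in the hunk at -782 (`isAccessAllowed(request, null)`), and the enclosing method begins and ends outside this hunk.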
@@ -728,14 +729,10 @@ public class RangerHdfsAuthorizer extends 
INodeAttributeProvider {
 
                                if (result == null || 
!result.getIsAccessDetermined()) {
                                        ret = AuthzStatus.NOT_DETERMINED;
-                                       // don't break yet; subsequent 
accessType could be denied
-                               } else if(! result.getIsAllowed()) { // 
explicit deny
+                               } else if (!result.getIsAllowed()) { // 
explicit deny
                                        ret = AuthzStatus.DENY;
-                                       break;
                                } else { // allowed
-                                       
if(!AuthzStatus.NOT_DETERMINED.equals(ret)) { // set to ALLOW only if there was 
no NOT_DETERMINED earlier
-                                               ret = AuthzStatus.ALLOW;
-                                       }
+                                       ret = AuthzStatus.ALLOW;
                                }
                        }
 
@@ -782,11 +779,12 @@ public class RangerHdfsAuthorizer extends 
INodeAttributeProvider {
                                }
                                subDirPath = subDirPath + 
rangerPlugin.getRandomizedWildcardPathName();
 
-                               for (String accessType : accessTypes) {
-                                       RangerHdfsAccessRequest request = new 
RangerHdfsAccessRequest(null, subDirPath, pathOwner, access, accessType, 
context.operationName, context.user, context.userGroups);
+                               if (accessTypes.size() > 0) {
+                                       RangerHdfsAccessRequest request = new 
RangerHdfsAccessRequest(null, subDirPath, pathOwner, access, 
accessTypes.iterator().next(), context.operationName, context.user, 
context.userGroups);
 
-                                       Map<String, Object> requestContext = 
request.getContext();
-                                       
requestContext.put(RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES, 
accessTypes);
+                                       if (accessTypes.size() > 1) {
+                                               
RangerAccessRequestUtil.setAllRequestedAccessTypes(request.getContext(), 
accessTypes);
+                                       }
 
                                        RangerAccessResult result = 
context.plugin.isAccessAllowed(request, null);
 
@@ -794,14 +792,10 @@ public class RangerHdfsAuthorizer extends 
INodeAttributeProvider {
 
                                        if (result == null || 
!result.getIsAccessDetermined()) {
                                                ret = 
AuthzStatus.NOT_DETERMINED;
-                                               // don't break yet; subsequent 
accessType could be denied
                                        } else if(! result.getIsAllowed()) { // 
explicit deny
                                                ret = AuthzStatus.DENY;
-                                               break;
                                        } else { // allowed
-                                               
if(!AuthzStatus.NOT_DETERMINED.equals(ret)) { // set to ALLOW only if there was 
no NOT_DETERMINED earlier
-                                                       ret = AuthzStatus.ALLOW;
-                                               }
+                                               ret = AuthzStatus.ALLOW;
                                        }
                                }
                        }
@@ -1145,17 +1139,16 @@ class RangerHdfsAuditHandler extends 
RangerDefaultAuditHandler {
 
        private String getAccessTypesAsString(RangerAccessRequest request) {
                String             ret         = null;
-               Map<String,Object> context     = request.getContext();
-               Set<String>        accessTypes = null;
+               Set<String>        accessTypes = 
RangerAccessRequestUtil.getAllRequestedAccessTypes(request);
 
-               Object val = 
context.get(RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES);
-               if (val instanceof Set<?>) {
+               if (CollectionUtils.isNotEmpty(accessTypes)) {
                        try {
-                               accessTypes = (Set<String>) val;
                                ret = getFormattedAccessType(accessTypes);
                        } catch (Throwable t) {
                                LOG.error("getAccessTypesAsString(): failed to 
get accessTypes from context", t);
                        }
+               } else {
+                       ret = request.getAccessType();
                }
                return ret;
        }
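Review bot: When `getFormattedAccessType(accessTypes)` throws, `ret` stays null and the audit record for a multi-type request is written with no access type at all, while a single-type request always gets `request.getAccessType()`; now that the fallback exists it should apply on failure too — replace `} else {` with `}` followed by `if (ret == null) {` so the `ret = request.getAccessType();` assignment runs in both cases. With the unchecked `(Set<String>) val` cast gone, the try block only wraps a formatting call, so `catch (Throwable t)` is broader than the code warrants and the message `failed to get accessTypes from context` no longer describes what failed; `catch (RuntimeException e)` with a message such as `failed to format accessTypes` would be accurate. The method is fully visible in this hunk.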
