This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new 7a7215f67 RANGER-3999: Implement more efficient way to handle _any access authorization - Part 2 7a7215f67 is described below commit 7a7215f67e7db807ee0401f2b41d7bb871a248f5 Author: Abhay Kulkarni <ab...@apache.org> AuthorDate: Mon Feb 13 14:23:02 2023 -0800 RANGER-3999: Implement more efficient way to handle _any access authorization - Part 2 --- .../ranger/plugin/policyengine/RangerPolicyEngineImpl.java | 3 +-- .../plugin/policyevaluator/RangerDefaultPolicyEvaluator.java | 9 ++++++++- .../org/apache/ranger/plugin/util/RangerAccessRequestUtil.java | 5 +++++ 3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 4f65d3da2..e75bb722c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -703,8 +703,7 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 String requestedAccess = accessTypeDef.getName();
 allRequestedAccesses.add(requestedAccess);
 }
- RangerAccessRequestUtil.setIsAnyAccessInContext(request.getContext(), Boolean.TRUE);
- request.getContext().put(RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES, allRequestedAccesses);
+ RangerAccessRequestUtil.setAllRequestedAccessTypes(request.getContext(), allRequestedAccesses, Boolean.TRUE);
 }
 ret = evaluatePoliciesForOneAccessTypeNoAudit(request, policyType, zoneName, policyRepository, tagPolicyRepository);
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 55752e79c..9a0df550c 100644
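Review bot: Nothing in this hunk removes the is-any flag again: `setAllRequestedAccessTypes(request.getContext(), allRequestedAccesses, Boolean.TRUE)` writes it into the caller's context map before `evaluatePoliciesForOneAccessTypeNoAudit` runs, and it is still there afterwards as far as the visible lines show. The enclosing method starts and ends outside the hunk, so a reset may exist elsewhere. Because RangerDefaultPolicyEvaluator now reads this flag to choose its OR branch, a context map that is reused for a later request that is not an _any request would be combined more permissively than that request asked for. If no cleanup exists, restore the previous context values in a `finally` after the evaluation call, or state in a comment that the context map is never reused across requests.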
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -833,6 +833,9 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 for (String accessType : allRequestedAccesses) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking for accessType:[" + accessType + "]");
+ }
 RangerAccessRequestWrapper oneRequest = new RangerAccessRequestWrapper(request, accessType);
 RangerAccessResult oneResult = new RangerAccessResult(result.getPolicyType(), result.getServiceName(), result.getServiceDef(), oneRequest);
@@ -846,7 +849,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 updateAccessResult(oneResult, matchType, false, "matched deny-all-else policy");
 }
- if (request.isAccessTypeAny()) {
+ if (request.isAccessTypeAny() || RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())) {
 // Implement OR logic
 if (oneResult.getIsAllowed()) {
 allowResult = oneResult;
@@ -879,6 +882,10 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 }
 }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("allowResult:[" + allowResult + "], denyResult:[" + denyResult + "], noResult:[" + noResult + "]");
+ }
+
 if (allowResult != null) {
 result.setAccessResultFrom(allowResult);
 } else if (denyResult != null) {
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
index 0ebb9cba5..a51f2322a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
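Review bot: The two added debug statements (here in the hunk at -833 and again in the hunk at -879) build their messages by string concatenation and write request-derived values into the log unfiltered. The second one prints whole `RangerAccessResult` objects; their `toString()` is not visible in this diff and may include the wrapped request, so debug logs could end up carrying user, resource and context details. If `LOG` is an SLF4J logger (its declaration is outside the hunks), `LOG.debug("Checking for accessType:[{}]", accessType);` drops the need for the `isDebugEnabled()` guard. For the summary line, consider logging only the allowed/denied outcome and policy id of each result rather than the full objects.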
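Review bot: In the hunk at -846, the widened condition `request.isAccessTypeAny() || RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())` lets a context-map entry select the OR branch, so the way per-access-type results are combined now depends on every code path that can write that key. The commit's diffstat lists no test file. A test would help pin two cases: a multi-access request without the flag still takes the other branch (outside this hunk), and a request with the flag is allowed when exactly one access type is allowed. Separately, if `getIsAnyAccessInContext` returns a boxed `Boolean` (its body is not in this diff), a null would throw on unboxing inside this `if`; `Boolean.TRUE.equals(RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext()))` would fail closed to the non-OR path instead.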
@@ -220,6 +220,11 @@ public class RangerAccessRequestUtil {
 context.put(KEY_CONTEXT_ACCESSTYPES, accessTypes);
 }
+ public static void setAllRequestedAccessTypes(Map<String, Object> context, Set<String> accessTypes, Boolean isAny) {
+ context.put(KEY_CONTEXT_ACCESSTYPES, accessTypes);
+ context.put(KEY_CONTEXT_IS_ANY_ACCESS, isAny);
+ }
+
 public static Set<String> getAllRequestedAccessTypes(RangerAccessRequest request) {
 Set<String> ret = (Set<String>) request.getContext().get(KEY_CONTEXT_ACCESSTYPES);
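Review bot: The new `setAllRequestedAccessTypes(context, accessTypes, isAny)` stores the boxed `isAny` unchanged, so a null argument lands in the map under `KEY_CONTEXT_IS_ANY_ACCESS` and every reader has to cope with it. Normalising at the write, `context.put(KEY_CONTEXT_IS_ANY_ACCESS, Boolean.TRUE.equals(isAny));`, keeps the flag a definite true or false. The method also has no Javadoc, although the flag it sets changes how the policy evaluator combines per-access-type results. A short Javadoc should say that `isAny` selects any-of semantics for the given access types, that `accessTypes` is stored by reference rather than copied, and that callers must not leave the flag set on a context reused for other requests.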