This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 4b941b2f0 RANGER-3999: Implement more efficient way to handle _any access authorization - Part 3
4b941b2f0 is described below
commit 4b941b2f0d7a8390155c61fa0960c42aa8a37b69
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Thu Feb 16 10:20:13 2023 -0800
RANGER-3999: Implement more efficient way to handle _any access authorization - Part 3
---
.../RangerDefaultPolicyEvaluator.java | 2 +-
.../plugin/util/RangerAccessRequestUtil.java | 2 +-
.../plugin/policyengine/TestPolicyEngine.java | 8 ++++++
.../policyengine/test_policyengine_hive.json | 32 ++++++++++++++++++++++
4 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 9a0df550c..2f9c1b019 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -242,7 +242,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 final boolean isMatched;
- if (request.isAccessTypeAny() || RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())) {
+ if (request.isAccessTypeAny()) {
 isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
 } else if (request.getResourceMatchingScope() == RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS) {
 isMatched = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
index a51f2322a..b505f495b 100644
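Review bot: The rewritten `if` lets only `request.isAccessTypeAny()` take the descendant-inclusive `matchType != NONE` branch, and nothing in the hunk records why the context flag read by `RangerAccessRequestUtil.getIsAnyAccessInContext` must no longer widen resource matching, so a reader seeing the removed line in history will read it as an omission. A comment on the `+` line would pin the intent, e.g. `// only a true _any request may match a descendant-scoped policy; the ISANYACCESS context flag means "any of the listed access types" and must not widen the resource match` — the second half is my reading of the new hive tests (`ISANYACCESS:true` on `database=org` is expected to be denied against the table-scoped policy 1001) and should be confirmed. If this was the only use of `getIsAnyAccessInContext` in the class, the import of `RangerAccessRequestUtil` may now be unused. The enclosing method starts and ends outside the hunk.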
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
@@ -222,7 +222,7 @@ public class RangerAccessRequestUtil {
 public static void setAllRequestedAccessTypes(Map<String, Object> context, Set<String> accessTypes, Boolean isAny) {
 context.put(KEY_CONTEXT_ACCESSTYPES, accessTypes);
- context.put(KEY_CONTEXT_IS_ANY_ACCESS, isAny);
+ setIsAnyAccessInContext(context, isAny);
 }
 public static Set<String> getAllRequestedAccessTypes(RangerAccessRequest request) {
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index eb3d0ff46..89e678bf9 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -69,6 +69,7 @@ import java.io.OutputStreamWriter;
 import java.lang.reflect.Type;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Date;
 import java.util.HashSet;
 import java.util.List;
@@ -923,6 +924,13 @@ public class TestPolicyEngine {
 if (ret.getAccessTime() == null) {
 ret.setAccessTime(new Date());
 }
+ Map<String, Object> reqContext = ret.getContext();
+ Object accessTypes = reqContext.get("ACCESSTYPES");
+ if (accessTypes != null) {
+ Collection<String> accessTypesCollection = (Collection<String>) accessTypes;
+ Set<String> requestedAccesses = new HashSet<>(accessTypesCollection);
+ ret.getContext().put("ACCESSTYPES", requestedAccesses);
+ }
 return ret;
 }
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
index 0544feb14..8e34aa174 100644
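Review bot: `setAllRequestedAccessTypes` now forwards its boxed `Boolean isAny` to `setIsAnyAccessInContext`, whose signature is outside the hunk; if that helper takes a primitive `boolean`, a null `isAny` that the old `context.put(KEY_CONTEXT_IS_ANY_ACCESS, isAny)` stored silently will now throw `NullPointerException` on unboxing. Either the parameter type should become `boolean` to match the helper, or the contract should be stated on the public method, e.g. a Javadoc `@param isAny whether the listed access types are alternatives (any one suffices) rather than all required; must not be null`. The any-of reading is inferred from the "create or write" / "create and write" test names in this commit and should be confirmed. The method is fully inside the hunk; the class continues outside it.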
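Review bot: The new block in `TestPolicyEngine` re-keys the request context with the string literal `"ACCESSTYPES"` although `KEY_CONTEXT_ACCESSTYPES` on `RangerAccessRequestUtil` (touched in this same commit) exists for it, the unchecked cast to `Collection<String>` carries no `@SuppressWarnings` or justification, and the last line calls `ret.getContext()` again although `reqContext` already holds it. I would change the three lines to `Object accessTypes = reqContext.get(RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES);`, `@SuppressWarnings("unchecked") Collection<String> accessTypesCollection = (Collection<String>) accessTypes; // the deserialized JSON array arrives as a List; the engine's accessor returns Set<String>`, and `reqContext.put(RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES, requestedAccesses);`. That the constant's value is `"ACCESSTYPES"` is inferred from the test JSON, and its visibility from the test class is not shown, so both should be confirmed. The enclosing deserializer method starts outside the hunk.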
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hive.json
@@ -123,10 +123,42 @@
 "policyItems":[
 {"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false}
 ]
+ },
+ {"id":1001,"name":"db=org; table=employee; column=*","isEnabled":true,"isAuditEnabled":true,
+ "resources":{"database":{"values":["org"]},"table":{"values":["employee"]},"column":{"values":["*"], "isExcludes":false}},
+ "policyItems":[
+ {"accesses":[{"type":"select","isAllowed":true}, {"type":"create","isAllowed":true}, {"type":"read","isAllowed":true}],"users":["john"],"groups":[],"delegateAdmin":false}
+ ]
 }
 ],
 "tests":[
+ {"name":"DENY 'create or write for org;' for john",
+ "request":{
+ "resource":{"elements":{"database":"org"}},
+ "accessType":"create","user":"john","userGroups":[],"requestData":"create org",
+ "context": {"ISANYACCESS":true, "ACCESSTYPES": [ "create", "write" ]}
+ },
+ "result":{"isAudited":false,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"DENY 'create and write for org;' for john",
+ "request":{
+ "resource":{"elements":{"database":"org"}},
+ "accessType":"create","user":"john","userGroups":[],"requestData":"create org",
+ "context": {"ISANYACCESS":false, "ACCESSTYPES": [ "create", "write" ]}
+ },
+ "result":{"isAudited":false,"isAllowed":false,"policyId":-1}
+ }
+ ,
+ {"name":"ALLOW 'any' for org;' for john",
+ "request":{
+ "resource":{"elements":{"database":"org"}},
+ "accessType":"","user":"john","userGroups":[],"requestData":"'any' access for org"
+ },
+ "result":{"isAudited":true,"isAllowed":true,"policyId":1001}
+ }
+ ,
 {"name":"ALLOW 'read http://qe-s3-bucket-mst/test_abcd/abcd;' for user1",
 "request":{
 "resource":{"elements":{"url":["http://qe-s3-bucket-mst/test_abcd/abcd", "http://qe-s3-bucket-mst/test_abcd/abcd/"]}},