This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new 967276241 RANGER-4786: Ranger override policy is not working 967276241 is described below commit 967276241ff593b7611576c21fb724b6839de8a2 Author: Abhay Kulkarni <akulka...@cloudera.com> AuthorDate: Mon Apr 29 17:59:17 2024 -0700 RANGER-4786: Ranger override policy is not working --- .../RangerDefaultPolicyEvaluator.java | 18 ++++++- .../test_policyengine_hdfs_multiple_accesses.json | 58 ++++++++++++++++++++++ 2 files changed, 75 insertions(+), 1 deletion(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index ded8d0993..9745dc64f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -832,14 +832,23 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 if (!result.getIsAllowed()) { // if access is not yet allowed by another policy
 if (matchType != RangerPolicyResourceMatcher.MatchType.ANCESTOR) {
 RangerAccessResult oneResult = new RangerAccessResult(result.getPolicyType(), result.getServiceName(), result.getServiceDef(), result.getAccessRequest());
-oneResult.setIsAllowed(true);
 oneResult.setPolicyPriority(getPolicyPriority());
 oneResult.setPolicyId(getPolicyId());
 oneResult.setPolicyVersion(getPolicy().getVersion());
+if (!oneResult.getIsAuditedDetermined()) {
+oneResult.setAuditResultFrom(result);
+}
 RangerAccessRequestUtil.setAccessTypeResult(request.getContext(), accessType, oneResult);
 }
 }
+Map<String, RangerAccessResult> savedAccessResults = RangerAccessRequestUtil.getAccessTypeResults(request.getContext());
+int allowedAccessesCount = savedAccessResults == null ? 0 : savedAccessResults.size();
+if (allRequestedAccesses.size() == allowedAccessesCount) {
+RangerAccessRequestUtil.setAccessTypeResults(request.getContext(), null);
+result.setIsAllowed(true);
+break;
+}
 }
 }
 }
@@ -909,6 +918,13 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 break;
 } else if (oneResult.getIsAllowed()) {
 RangerAccessRequestUtil.setAccessTypeResult(request.getContext(), accessType, oneResult);
+
+// Check if all access requests are satisfied, if so, access is allowed
+if (allRequestedAccesses.size() == RangerAccessRequestUtil.getAccessTypeResults(request.getContext()).size()) {
+allowResult = oneResult;
+RangerAccessRequestUtil.setAccessTypeResults(request.getContext(), null);
+break;
+}
 }
 }
 }
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_multiple_accesses.json b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_multiple_accesses.json
index 6b53d2e02..8962c5a3f 100644
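Review bot: The new all-satisfied test at the end of the first hunk grants access on `allRequestedAccesses.size() == allowedAccessesCount`, a size comparison between the requested set and whatever the context map currently holds; if that map can ever contain an entry for an access type outside `allRequestedAccesses` (not determinable from the hunk), the sizes can match while a requested access is still unsatisfied, so a containment check such as `if (savedAccessResults != null && savedAccessResults.keySet().containsAll(allRequestedAccesses)) {` is the safer form for an allow decision, assuming `allRequestedAccesses` is a collection of the same access-type keys. The added `if (!oneResult.getIsAuditedDetermined())` guard is applied to an `oneResult` constructed three lines earlier in the same branch, so unless the RangerAccessResult constructor fixes the audit decision the condition is always true and deserves either removal or a comment explaining when a fresh result is already audit-determined. The per-access entries are removed from the context only on the allow path; when fewer accesses are satisfied they stay behind, and a comment such as `// partial per-access results remain in the request context for later policy evaluators; cleared only once every requested access is allowed` would document that ownership if it is intended. The enclosing method starts and ends outside the hunk.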
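Review bot: The all-satisfied check added in the second hunk (around line 918) dereferences `RangerAccessRequestUtil.getAccessTypeResults(request.getContext()).size()` directly, while the same call in the first hunk is guarded with `savedAccessResults == null ? 0 : savedAccessResults.size()`; the two sites should agree on whether the map can be null. A null here is unlikely because `setAccessTypeResult` populated it on the preceding line, but writing it the same way costs nothing: `Map<String, RangerAccessResult> savedAccessResults = RangerAccessRequestUtil.getAccessTypeResults(request.getContext());` followed by `if (savedAccessResults != null && allRequestedAccesses.size() == savedAccessResults.size()) {`. The enclosing method starts and ends outside the hunk.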
--- a/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_multiple_accesses.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_hdfs_multiple_accesses.json
@@ -48,6 +48,9 @@
 "resources":{"path":{"values":["/public/*"],"isRecursive":true}},
 "policyItems":[
 {"accesses":[{"type":"execute","isAllowed":true}],"users":[],"groups":["public"],"delegateAdmin":false}
+],
+"allowExceptions":[
+{"accesses":[{"type":"execute","isAllowed":true}],"users":["guest"],"groups":[],"delegateAdmin":false}
 ]
 }
 ,
@@ -56,10 +59,65 @@
 "policyItems":[
 {"accesses":[{"type":"read","isAllowed":true}],"users":["finance"],"groups":[],"delegateAdmin":false}
 ]
+},
+{"id":4,"name":"deny-all-to-finance under /public/finance to user guest","isEnabled":true,"isAuditEnabled":true,
+"resources":{"path":{"values":["/public/finance"],"isRecursive":true}},
+"denyPolicyItems":[
+{"accesses":[{"type":"read","isAllowed":true}, {"type":"write","isAllowed":true}, {"type":"execute","isAllowed":true}],"users":["guest"],"groups":[],"delegateAdmin":false}
+]
+},
+{"id":5,"name":"allow-read-to-finance under /public/finance to user guest","isEnabled":true,"isAuditEnabled":true, "policyPriority": 1,
+"resources":{"path":{"values":["/public/finance"],"isRecursive":true}},
+"policyItems":[
+{"accesses":[{"type":"read","isAllowed":true}],"users":["guest"],"groups":[],"delegateAdmin":false}
+]
+},
+{"id":6,"name":"allow-execute-to-finance under /public/finance to user guest","isEnabled":true,"isAuditEnabled":true, "policyPriority": 1,
+"resources":{"path":{"values":["/public/finance"],"isRecursive":true}},
+"policyItems":[
+{"accesses":[{"type":"execute","isAllowed":true}],"users":["guest"],"groups":[],"delegateAdmin":false}
+]
 }
 ],
 "tests":[
+{"name":"ALLOW 'read_execute /public/finance' for user guest",
+"request":{
+"resource":{"elements":{"path":"/public/finance"}},
+"accessType":"read","user":"guest","userGroups":[],"requestData":"read_execute /public/finance",
+"context": {"ACCESSTYPES": [ "read", "execute" ]}
+},
+"result":{"isAudited":true,"isAllowed":true,"policyId":6}
+},
+{"name":"ALLOW 'read /public/finance' for user guest",
+"request":{
+"resource":{"elements":{"path":"/public/finance"}},
+"accessType":"read","user":"guest","userGroups":[],"requestData":"read /public/finance"
+},
+"result":{"isAudited":true,"isAllowed":true,"policyId":5}
+},
+{"name":"ALLOW 'execute /public/finance' for user guest",
+"request":{
+"resource":{"elements":{"path":"/public/finance"}},
+"accessType":"execute","user":"guest","userGroups":[],"requestData":"execute /public/finance"
+},
+"result":{"isAudited":true,"isAllowed":true,"policyId":6}
+},
+{"name":"DENY 'write /public/finance' for user guest",
+"request":{
+"resource":{"elements":{"path":"/public/finance"}},
+"accessType":"write","user":"guest","userGroups":[],"requestData":"write /public/finance"
+},
+"result":{"isAudited":true,"isAllowed":false,"policyId":4}
+},
+{"name":"DENY 'write_execute /public/finance' for user guest",
+"request":{
+"resource":{"elements":{"path":"/public/finance"}},
+"accessType":"write","user":"guest","userGroups":[],"requestData":"write_execute /public/finance",
+"context": {"ACCESSTYPES": [ "write", "execute" ]}
+},
+"result":{"isAudited":true,"isAllowed":false,"policyId":4}
+},
 {"name":"ALLOW 'read_execute /public/finance' for user finance",
 "request":{
 "resource":{"elements":{"path":"/public/finance"}},