Repository: incubator-ranger Updated Branches: refs/heads/master 40d742fa9 -> eea868860
RANGER-1100: Hive authorizer does not block update operations if one of the masked columns has mask-type as 'Unmasked' for the user Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/eea86886 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/eea86886 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/eea86886 Branch: refs/heads/master Commit: eea868860d283f53d9d24de8909cf5d68b6cf1b7 Parents: 40d742f Author: Madhan Neethiraj <mad...@apache.org> Authored: Tue Sep 6 14:04:25 2016 -0700 Committer: Madhan Neethiraj <mad...@apache.org> Committed: Tue Sep 6 15:45:15 2016 -0700 ---------------------------------------------------------------------- .../org/apache/ranger/plugin/model/RangerPolicy.java | 4 ++++ .../plugin/policyengine/RangerPolicyEngineImpl.java | 13 +++++++++++-- .../hive/authorizer/RangerHiveAuditHandler.java | 3 ++- .../hive/authorizer/RangerHiveAuthorizer.java | 10 ++++------ 4 files changed, 21 insertions(+), 9 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eea86886/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
index d8e19b7..5e94bc7 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
@@ -50,6 +50,10 @@ public class RangerPolicy extends RangerBaseModelObject implements java.io.Seria
 POLICY_TYPE_ROWFILTER
 };
+ public static final String MASK_TYPE_NULL = "MASK_NULL";
+ public static final String MASK_TYPE_NONE = "MASK_NONE";
+ public static final String MASK_TYPE_CUSTOM = "CUSTOM";
+ // For future use
 private static final long serialVersionUID = 1L;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eea86886/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 9a63516..e5e7e82 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -320,7 +320,12 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 evaluator.evaluate(request, ret);
 if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) {
- break;
+ if(!StringUtils.equalsIgnoreCase(ret.getMaskType(), RangerPolicy.MASK_TYPE_NONE)) {
+ break;
+ } else {
+ ret.setMaskType(null);
+ ret.setIsAccessDetermined(false);
+ }
 }
 }
 }
@@ -357,7 +362,11 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 evaluator.evaluate(request, ret);
 if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) {
- break;
+ if(StringUtils.isNotEmpty(ret.getFilterExpr())) {
+ break;
+ } else {
+ ret.setIsAccessDetermined(false);
+ }
 }
 }
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eea86886/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java ----------------------------------------------------------------------
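Review bot: The three constants added at `@@ -50` carry no comment saying where their names come from, yet from this commit on the service-independent policy engine compares results against `MASK_TYPE_NONE`. If the strings are meant to mirror mask-type names declared in a service definition (the Hive authorizer reads a `RangerDataMaskTypeDef`, so that looks likely), a service whose "no mask" type has a different name would not get the new behaviour. A comment on the declarations would make the contract explicit, for example `// Mask-type names the policy engine and plugins compare against; must match the mask-type names declared in each service definition`.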
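Review bot: In the data-mask loop at `@@ -320`, the new `else` branch clears only `maskType` and `isAccessDetermined`, so whatever else the MASK_NONE evaluator wrote into `ret` stays there while later evaluators run, and if none of them matches the caller gets an undetermined result that may still carry the first policy's values (the result class is outside this diff, so which fields are affected needs confirming). The branch also changes precedence: an explicit 'Unmasked' item no longer ends evaluation, so a mask from a later policy matching the same resource now applies to that user. That is the fail-closed direction, but it should be stated in the code, for example `// MASK_NONE exempts the user in this policy only; keep evaluating so a mask from another matching policy is still enforced`, and pinned by a test that evaluates the two policies in both orders. The row-filter loop at `@@ -357` resets only `isAccessDetermined` in the same way. The enclosing method starts and ends outside both hunks.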
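Review bot: `StringUtils.isNotEmpty(ret.getFilterExpr())` counts a whitespace-only filter expression as a real filter, so the loop at `@@ -357` stops on it and no later policy's row filter is consulted. If a blank expression is meant to be equivalent to "no filter", `if(StringUtils.isNotBlank(ret.getFilterExpr())) {` expresses that; how the plugin treats a blank expression is not visible in this diff.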
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
index a6bb357..d98fe81 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
@@ -24,6 +24,7 @@ import java.util.*;
 import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.audit.model.AuthzAuditEvent;
 import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
@@ -66,7 +67,7 @@ public class RangerHiveAuditHandler extends RangerDefaultAuditHandler {
 if(result instanceof RangerDataMaskResult) {
 accessType = ((RangerDataMaskResult)result).getMaskType();
- if(StringUtils.equals(accessType, RangerHiveAuthorizer.MASK_TYPE_NONE)) {
+ if(StringUtils.equals(accessType, RangerPolicy.MASK_TYPE_NONE)) {
 return null;
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/eea86886/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java ----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 166e95a..aff915e 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
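Review bot: The check at `@@ -66` still uses the case-sensitive `StringUtils.equals`, while the policy engine and `RangerHiveAuthorizer.isDataMaskEnabled` in this same commit compare against `RangerPolicy.MASK_TYPE_NONE` with `equalsIgnoreCase`, so a mask type spelled in a different case would be treated as unmasked for enforcement but would not take the early `return null` here. Using `if(StringUtils.equalsIgnoreCase(accessType, RangerPolicy.MASK_TYPE_NONE)) {` keeps the three sites consistent. Separately, the engine now sets the mask type to null after a MASK_NONE match, so if such a result reaches this handler `accessType` is null and the early return is skipped; whether that produces an audit record with an empty access type depends on code outside the hunk and is worth checking.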
@@ -54,6 +54,7 @@ import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
 import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
 import org.apache.ranger.authorization.utils.StringUtil;
+import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerDataMaskTypeDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
@@ -71,9 +72,6 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 private static final Log LOG = LogFactory.getLog(RangerHiveAuthorizer.class) ;
 private static final char COLUMN_SEP = ',';
- public static final String MASK_TYPE_NULL = "MASK_NULL";
- public static final String MASK_TYPE_NONE = "MASK_NONE";
- public static final String MASK_TYPE_CUSTOM = "CUSTOM";
 private static final String HIVE_CONF_VAR_QUERY_STRING = "hive.query.string";
@@ -607,7 +605,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 }
 private boolean isDataMaskEnabled(RangerDataMaskResult result) {
- return result != null && result.isMaskEnabled() && !StringUtils.equalsIgnoreCase(result.getMaskType(), MASK_TYPE_NONE);
+ return result != null && result.isMaskEnabled() && !StringUtils.equalsIgnoreCase(result.getMaskType(), RangerPolicy.MASK_TYPE_NONE);
 }
 private boolean isRowFilterEnabled(RangerRowFilterResult result) {
@@ -686,9 +684,9 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 transformer = maskTypeDef.getTransformer();
 }
- if(StringUtils.equalsIgnoreCase(maskType, MASK_TYPE_NULL)) {
+ if(StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_NULL)) {
 ret = "NULL";
- } else if(StringUtils.equalsIgnoreCase(maskType, MASK_TYPE_CUSTOM)) {
+ } else if(StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_CUSTOM)) {
 String maskedValue = result.getMaskedValue();
 if(maskedValue == null) {