Repository: incubator-ranger Updated Branches: refs/heads/ranger-0.6 4a64c4fa1 -> ecfa86caa
RANGER-1126 : Authorization checks for non existent file/directory should not be recursive in Ranger Hive authorizer Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/ecfa86ca Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/ecfa86ca Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/ecfa86ca Branch: refs/heads/ranger-0.6 Commit: ecfa86caa1fea9e58c8d175bb48e667a64077397 Parents: 4a64c4f Author: rmani <rm...@hortonworks.com> Authored: Wed Jul 27 14:40:28 2016 -0700 Committer: rmani <rm...@hortonworks.com> Committed: Mon Oct 24 16:28:31 2016 -0700 ---------------------------------------------------------------------- .../hive/authorizer/RangerHiveAuthorizer.java | 22 ++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ecfa86ca/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java ----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 9329020..ae4c237 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -1006,14 +1006,24 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 try {
 Path filePath = new Path(uri);
 FileSystem fs = FileSystem.get(filePath.toUri(), conf);
- // Path path = FileUtils.getPathOrParentThatExists(fs, filePath);
- // FileStatus fileStatus = fs.getFileStatus(path);
- FileStatus fileStatus = FileUtils.getPathOrParentThatExists(fs, filePath);
+ FileStatus[] filestat = fs.globStatus(filePath);
- if (FileUtils.isOwnerOfFileHierarchy(fs, fileStatus, userName)) {
+ if(filestat != null && filestat.length > 0) {
+ ret = true;
+
+ for(FileStatus file : filestat) {
+ ret = FileUtils.isOwnerOfFileHierarchy(fs, file, userName) ||
+ FileUtils.isActionPermittedForFileHierarchy(fs, file, userName, action);
+
+ if(! ret) {
+ break;
+ }
+ }
+ } else { // if given path does not exist then check for parent
+ FileStatus file = FileUtils.getPathOrParentThatExists(fs, filePath);
+
+ FileUtils.checkFileAccessWithImpersonation(fs, file, action, userName);
 ret = true;
- } else {
- ret = FileUtils.isActionPermittedForFileHierarchy(fs, fileStatus, userName, action);
 }
 } catch(Exception excp) {
 LOG.error("Error getting permissions for " + uri, excp);
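Review bot: `ret = true;` is assigned before the loop over `filestat`, so if `isOwnerOfFileHierarchy` or `isActionPermittedForFileHierarchy` throws for any matched file, control reaches `catch(Exception excp)` with `ret` still true from that pre-assignment or from an earlier iteration. The part of the handler visible here only logs, which would let the URI check pass on a filesystem error; the handler and the enclosing method continue outside the hunk, so confirm whether the result is reset there. If it is not, drop the pre-loop `ret = true;` (the first iteration assigns it anyway) and add `ret = false;` as the first statement of the handler so every failure is a deny. The same handler is also the only thing that turns a denial thrown by `checkFileAccessWithImpersonation` in the else branch into a deny, so it deserves a comment such as `// checkFileAccessWithImpersonation throws on denial; treat any exception as deny`.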