WHBANG commented on code in PR #1402:
URL:
https://github.com/apache/incubator-pegasus/pull/1402#discussion_r1150017401
##########
src/runtime/ranger/ranger_resource_policy_manager.cpp:
##########
@@ -187,6 +202,70 @@
ranger_resource_policy_manager::ranger_resource_policy_manager(
_ac_type_of_database_rpcs);
}
+void ranger_resource_policy_manager::start()
+{
+ tasking::enqueue_timer(LPC_USE_RANGER_ACCESS_CONTROL,
+ &_tracker,
+ [this]() {
this->update_policies_from_ranger_service(); },
+
std::chrono::seconds(FLAGS_update_ranger_policy_interval_sec),
+ 0,
+ std::chrono::milliseconds(1));
+}
+
+bool ranger_resource_policy_manager::allowed(const int rpc_code,
+ const std::string &user_name,
+ const std::string &database_name)
+{
+ do {
+ const auto &ac_type = _ac_type_of_global_rpcs.find(rpc_code);
+ // It's not a GLOBAL rpc code.
+ if (ac_type == _ac_type_of_global_rpcs.end()) {
+ break;
+ }
+
+ // Check if it is allowed by any GLOBAL policy.
+ utils::auto_read_lock l(_global_policies_lock);
+ for (const auto &policy : _global_policies_cache) {
+ if (policy.policies.allowed(ac_type->second, user_name)) {
+ return true;
+ }
+ }
+
+ // It's not allowed to access except list_app.
+ // list_app rpc code is in both GLOBAL and DATABASE policies, check
the DATABASE policies
+ // later.
+ if (rpc_code != RPC_CM_LIST_APPS.code()) {
+ return false;
+ }
+ } while (false);
+
+ do {
+ const auto &ac_type = _ac_type_of_database_rpcs.find(rpc_code);
+ // It's not a DATABASE rpc code.
+ if (ac_type == _ac_type_of_database_rpcs.end()) {
+ break;
+ }
+
+ // Check if it is allowed by any DATABASE policy.
+ utils::auto_read_lock l(_database_policies_lock);
+ for (const auto &policy : _database_policies_cache) {
+ if (!policy.policies.allowed(ac_type->second, user_name)) {
+ continue;
+ }
+ // Legacy tables may don't contain database section.
+ if (database_name.empty() && policy.database_names.count("*") !=
0) {
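Review bot: The timer registered in `start()` captures `this` as a raw pointer for a task that, judging by the `std::chrono::seconds(FLAGS_update_ranger_policy_interval_sec)` argument, re-fires periodically, so its safety rests on `_tracker` cancelling the outstanding task before the manager is destroyed; nothing in the hunk shows that cancellation, so it is worth confirming the destructor (or `_tracker`'s own destructor) does it and saying so above the call: `// Bound to _tracker: the timer must be cancelled before this object is destroyed.` A second caveat: with what looks like a 1 ms first-fire delay, `allowed()` can be called before the first fetch has populated `_global_policies_cache`/`_database_policies_cache`, which is only safe if an empty (or stale, when the Ranger service is unreachable) cache denies; the tail of `allowed()` that decides the default is outside the hunk, so the intended fail-closed behaviour should be stated explicitly, e.g. `// An empty or stale cache must deny; never fall back to allow when Ranger cannot be reached.` Minor style point at the two `find` calls: `const auto &ac_type = ...find(rpc_code)` binds a reference to a temporary iterator, which reads as if it aliased map storage; `const auto ac_type = ...` says the same thing without the confusion. `allowed()` continues past the end of the hunk.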
Review Comment:
If the `user_name` and `rpc_code` of the executed RPC have passed one policy,
and the `database_name` of this policy is "*", it will return true. For
example, in the unit test:
```
fake_policy_3.allow_policies = {{access_type::kCreate, {"user5", "user6"}}};
fake_policy_3.allow_policies_exclude = {{access_type::kCreate, {"user6"}}};
ranger_resource_policy fake_ranger_resource_policy_3;
fake_ranger_resource_policy_3.database_names = {"*"};
{"RPC_CM_CREATE_APP", "user5", "", true},
{"RPC_CM_CREATE_APP", "user5", "database2", false},
{"RPC_CM_CREATE_APP", "user6", "", false},
{"RPC_CM_CREATE_APP", "user6", "database2", false},
```
when `database_name` of `user5` is empty, return true, `database_name` of
`user5` is not empty, return false; but `user6` returns false no matter what
the `database_name` is.