WHBANG commented on code in PR #1518:
URL: 
https://github.com/apache/incubator-pegasus/pull/1518#discussion_r1226260017


##########
src/runtime/ranger/ranger_resource_policy.cpp:
##########
@@ -27,45 +28,151 @@ bool policy_item::match(const access_type &ac_type, const 
std::string &user_name
     return static_cast<bool>(access_types & ac_type) && users.count(user_name) 
!= 0;
 }
 
-bool acl_policies::allowed(const access_type &ac_type, const std::string 
&user_name) const
+policy_check_status acl_policies::policies_check(const access_type &ac_type,
+                                                 const std::string &user_name,
+                                                 const policy_check_type 
&check_type) const
 {
-    // 1. Check if it is not allowed.
-    for (const auto &deny_policy : deny_policies) {
-        // 1.1. In 'deny_policies'.
-        if (!deny_policy.match(ac_type, user_name)) {
+    if (check_type == policy_check_type::kAllow) {
+        return do_policies_check(
+            check_type, ac_type, user_name, allow_policies, 
allow_policies_exclude);
+    }
+    CHECK(check_type == policy_check_type::kDeny, "");
+    return do_policies_check(check_type, ac_type, user_name, deny_policies, 
deny_policies_exclude);
+}
+
+policy_check_status
+acl_policies::do_policies_check(const policy_check_type &check_type,
+                                const access_type &ac_type,
+                                const std::string &user_name,
+                                const std::vector<policy_item> &policies,
+                                const std::vector<policy_item> 
&exclude_policies) const
+{
+    for (const auto &policy : policies) {
+        // 1. Doesn't match an allow_policies or a deny_policies.
+        if (!policy.match(ac_type, user_name)) {
             continue;
         }
-        bool in_deny_policies_exclude = false;
-        for (const auto &deny_policy_exclude : deny_policies_exclude) {
-            if (deny_policy_exclude.match(ac_type, user_name)) {
-                in_deny_policies_exclude = true;
-                break;
+        // 2. Matches a policy.
+        for (const auto &policy_exclude : exclude_policies) {
+            if (policy_exclude.match(ac_type, user_name)) {
+                // 2.1. Matches an allow/deny_policies_exclude.
+                return policy_check_status::kPending;
             }
         }
-        // 1.2. Not in any 'deny_policies_exclude', it's not allowed.
-        if (!in_deny_policies_exclude) {
-            return false;
+        // 2.2. Doesn't match any allow/deny_exclude_policies.
+        if (check_type == policy_check_type::kAllow) {
+            return policy_check_status::kAllowed;
+        } else {
+            return policy_check_status::kDenied;
         }
     }
+    // 3. Doesn't match any policy.
+    return policy_check_status::kNotMatched;
+}
 
-    // 2. Check if it is allowed.
-    for (const auto &allow_policy : allow_policies) {
-        // 2.1. In 'allow_policies'.
-        if (!allow_policy.match(ac_type, user_name)) {
+access_control_result
+check_ranger_resource_policy_allowed(const std::vector<ranger_resource_policy> 
&policies,
+                                     const access_type &ac_type,
+                                     const std::string &user_name,
+                                     bool need_match_database,
+                                     const std::string &database_name,
+                                     const std::string &default_database_name)
+{
+    // Check if it is denied by any policy in current resource.
+    for (const auto &policy : policies) {
+        if (need_match_database) {
+            // Lagacy table not match any database.
+            if (database_name.empty() && policy.database_names.count("*") == 0 
&&
+                policy.database_names.count(default_database_name) == 0) {
+                continue;
+            }
+            // New table not match any database.
+            if (!database_name.empty() && policy.database_names.count("*") == 
0 &&
+                policy.database_names.count(database_name) == 0) {
+                continue;
+            }
+        }
+        auto check_status =
+            policy.policies.policies_check(ac_type, user_name, 
policy_check_type::kDeny);
+        // In a 'deny_policies' and not in any 'deny_policies_exclude'.
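Review bot: In do_policies_check the `return policy_check_status::kPending;` fires on the first exclude item that matches, so any later item in `policies` that also matches the user is never examined, whereas the removed loop in allowed() moved on to the next deny policy after an excluded match. If the intent is that an exclusion covers the whole item list of this policy (Ranger-style per-policy exceptions), the scan over `exclude_policies` does not depend on `policy` and can be evaluated once before the loop, which also makes that rule visible to the reader; the lines below show that form, with std::any_of needing <algorithm> if it is not already included. A comment such as `// An exclude item overrides every item of this policy, not only the one that matched.` should accompany it either way, and the caller's handling of kPending, which is outside this hunk, determines whether the change in behaviour is acceptable. The empty message in `CHECK(check_type == policy_check_type::kDeny, "");` in policies_check should say what was unexpected, e.g. `CHECK(check_type == policy_check_type::kDeny, "unexpected policy_check_type");`. check_ranger_resource_policy_allowed continues past the end of the hunk.
```cpp
// An exclude item overrides every item of this policy, not only the one that
// matched, so it is evaluated once rather than on every matching item.
const bool excluded =
    std::any_of(exclude_policies.begin(), exclude_policies.end(), [&](const policy_item &p) {
        return p.match(ac_type, user_name);
    });
for (const auto &policy : policies) {
    if (!policy.match(ac_type, user_name)) {
        continue;
    }
    if (excluded) {
        return policy_check_status::kPending;
    }
    return check_type == policy_check_type::kAllow ? policy_check_status::kAllowed
                                                   : policy_check_status::kDenied;
}
// … unchanged: kNotMatched fall-through …
```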

Review Comment:
   This is not needed here.


