acelyc111 commented on code in PR #1518:
URL: 
https://github.com/apache/incubator-pegasus/pull/1518#discussion_r1230359291


##########
src/runtime/ranger/ranger_resource_policy.cpp:
##########
@@ -27,45 +28,250 @@ bool policy_item::match(const access_type &ac_type, const 
std::string &user_name
     return static_cast<bool>(access_types & ac_type) && users.count(user_name) 
!= 0;
 }
 
-bool acl_policies::allowed(const access_type &ac_type, const std::string 
&user_name) const
+template <>
+policy_check_status
+acl_policies::policies_check<policy_check_type::kAllow>(const access_type 
&ac_type,
+                                                        const std::string 
&user_name) const
 {
-    // 1. Check if it is not allowed.
-    for (const auto &deny_policy : deny_policies) {
-        // 1.1. In 'deny_policies'.
-        if (!deny_policy.match(ac_type, user_name)) {
+    return do_policies_check<policy_check_type::kAllow, 
policy_check_status::kAllowed>(
+        ac_type, user_name, allow_policies, allow_policies_exclude);
+}
+
+template <>
+policy_check_status
+acl_policies::policies_check<policy_check_type::kDeny>(const access_type 
&ac_type,
+                                                       const std::string 
&user_name) const
+{
+    return do_policies_check<policy_check_type::kDeny, 
policy_check_status::kDenied>(
+        ac_type, user_name, deny_policies, deny_policies_exclude);
+}
+
+template <>
+policy_check_status
+acl_policies::do_policies_check<policy_check_type::kAllow, 
policy_check_status::kAllowed>(
+    const access_type &ac_type,
+    const std::string &user_name,
+    const std::vector<policy_item> &policies,
+    const std::vector<policy_item> &exclude_policies) const
+{
+    for (const auto &policy : policies) {
+        // 1. Doesn't match an allow_policies or a deny_policies.

Review Comment:
   Update the comments.



##########
src/runtime/ranger/ranger_resource_policy.cpp:
##########
@@ -27,45 +28,250 @@ bool policy_item::match(const access_type &ac_type, const 
std::string &user_name
     return static_cast<bool>(access_types & ac_type) && users.count(user_name) 
!= 0;
 }
 
-bool acl_policies::allowed(const access_type &ac_type, const std::string 
&user_name) const
+template <>
+policy_check_status
+acl_policies::policies_check<policy_check_type::kAllow>(const access_type 
&ac_type,
+                                                        const std::string 
&user_name) const
 {
-    // 1. Check if it is not allowed.
-    for (const auto &deny_policy : deny_policies) {
-        // 1.1. In 'deny_policies'.
-        if (!deny_policy.match(ac_type, user_name)) {
+    return do_policies_check<policy_check_type::kAllow, 
policy_check_status::kAllowed>(
+        ac_type, user_name, allow_policies, allow_policies_exclude);
+}
+
+template <>
+policy_check_status
+acl_policies::policies_check<policy_check_type::kDeny>(const access_type 
&ac_type,
+                                                       const std::string 
&user_name) const
+{
+    return do_policies_check<policy_check_type::kDeny, 
policy_check_status::kDenied>(
+        ac_type, user_name, deny_policies, deny_policies_exclude);

Review Comment:
   Same.



##########
src/runtime/ranger/ranger_resource_policy.cpp:
##########
@@ -27,45 +28,250 @@ bool policy_item::match(const access_type &ac_type, const 
std::string &user_name
     return static_cast<bool>(access_types & ac_type) && users.count(user_name) 
!= 0;
 }
 
-bool acl_policies::allowed(const access_type &ac_type, const std::string 
&user_name) const
+template <>
+policy_check_status
+acl_policies::policies_check<policy_check_type::kAllow>(const access_type 
&ac_type,
+                                                        const std::string 
&user_name) const
 {
-    // 1. Check if it is not allowed.
-    for (const auto &deny_policy : deny_policies) {
-        // 1.1. In 'deny_policies'.
-        if (!deny_policy.match(ac_type, user_name)) {
+    return do_policies_check<policy_check_type::kAllow, 
policy_check_status::kAllowed>(
+        ac_type, user_name, allow_policies, allow_policies_exclude);
+}
+
+template <>
+policy_check_status
+acl_policies::policies_check<policy_check_type::kDeny>(const access_type 
&ac_type,
+                                                       const std::string 
&user_name) const
+{
+    return do_policies_check<policy_check_type::kDeny, 
policy_check_status::kDenied>(
+        ac_type, user_name, deny_policies, deny_policies_exclude);
+}
+
+template <>
+policy_check_status
+acl_policies::do_policies_check<policy_check_type::kAllow, 
policy_check_status::kAllowed>(
+    const access_type &ac_type,
+    const std::string &user_name,
+    const std::vector<policy_item> &policies,
+    const std::vector<policy_item> &exclude_policies) const
+{
+    for (const auto &policy : policies) {
+        // 1. Doesn't match an allow_policies or a deny_policies.
+        if (!policy.match(ac_type, user_name)) {
             continue;
         }
-        bool in_deny_policies_exclude = false;
-        for (const auto &deny_policy_exclude : deny_policies_exclude) {
-            if (deny_policy_exclude.match(ac_type, user_name)) {
-                in_deny_policies_exclude = true;
-                break;
+        // 2. Matches a policy.
+        for (const auto &exclude_policy : exclude_policies) {
+            if (exclude_policy.match(ac_type, user_name)) {
+                // 2.1. Matches an allow/deny_policies_exclude.

Review Comment:
   Same.



##########
src/runtime/ranger/ranger_resource_policy.cpp:
##########
@@ -27,45 +28,250 @@ bool policy_item::match(const access_type &ac_type, const 
std::string &user_name
     return static_cast<bool>(access_types & ac_type) && users.count(user_name) 
!= 0;
 }
 
-bool acl_policies::allowed(const access_type &ac_type, const std::string 
&user_name) const
+template <>
+policy_check_status
+acl_policies::policies_check<policy_check_type::kAllow>(const access_type 
&ac_type,
+                                                        const std::string 
&user_name) const
 {
-    // 1. Check if it is not allowed.
-    for (const auto &deny_policy : deny_policies) {
-        // 1.1. In 'deny_policies'.
-        if (!deny_policy.match(ac_type, user_name)) {
+    return do_policies_check<policy_check_type::kAllow, 
policy_check_status::kAllowed>(
+        ac_type, user_name, allow_policies, allow_policies_exclude);

Review Comment:
   It is no longer necessary to pass `allow_policies` and `allow_policies_exclude`.



##########
src/runtime/ranger/ranger_resource_policy.cpp:
##########
@@ -27,45 +28,250 @@ bool policy_item::match(const access_type &ac_type, const 
std::string &user_name
     return static_cast<bool>(access_types & ac_type) && users.count(user_name) 
!= 0;
 }
 
-bool acl_policies::allowed(const access_type &ac_type, const std::string 
&user_name) const
+template <>
+policy_check_status
+acl_policies::policies_check<policy_check_type::kAllow>(const access_type 
&ac_type,
+                                                        const std::string 
&user_name) const
 {
-    // 1. Check if it is not allowed.
-    for (const auto &deny_policy : deny_policies) {
-        // 1.1. In 'deny_policies'.
-        if (!deny_policy.match(ac_type, user_name)) {
+    return do_policies_check<policy_check_type::kAllow, 
policy_check_status::kAllowed>(
+        ac_type, user_name, allow_policies, allow_policies_exclude);
+}
+
+template <>
+policy_check_status
+acl_policies::policies_check<policy_check_type::kDeny>(const access_type 
&ac_type,
+                                                       const std::string 
&user_name) const
+{
+    return do_policies_check<policy_check_type::kDeny, 
policy_check_status::kDenied>(
+        ac_type, user_name, deny_policies, deny_policies_exclude);
+}
+
+template <>
+policy_check_status
+acl_policies::do_policies_check<policy_check_type::kAllow, 
policy_check_status::kAllowed>(
+    const access_type &ac_type,
+    const std::string &user_name,
+    const std::vector<policy_item> &policies,
+    const std::vector<policy_item> &exclude_policies) const
+{
+    for (const auto &policy : policies) {

Review Comment:
   Use `allow_policies` and `allow_policies_exclude` directly.


