This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 7a7215f67 RANGER-3999: Implement more efficient way to handle _any 
access authorization - Part 2
7a7215f67 is described below

commit 7a7215f67e7db807ee0401f2b41d7bb871a248f5
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Mon Feb 13 14:23:02 2023 -0800

    RANGER-3999: Implement more efficient way to handle _any access 
authorization - Part 2
---
 .../ranger/plugin/policyengine/RangerPolicyEngineImpl.java       | 3 +--
 .../plugin/policyevaluator/RangerDefaultPolicyEvaluator.java     | 9 ++++++++-
 .../org/apache/ranger/plugin/util/RangerAccessRequestUtil.java   | 5 +++++
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 4f65d3da2..e75bb722c 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -703,8 +703,7 @@ public class RangerPolicyEngineImpl implements 
RangerPolicyEngine {
                                String requestedAccess = 
accessTypeDef.getName();
                                allRequestedAccesses.add(requestedAccess);
                        }
-                       
RangerAccessRequestUtil.setIsAnyAccessInContext(request.getContext(), 
Boolean.TRUE);
-                       
request.getContext().put(RangerAccessRequestUtil.KEY_CONTEXT_ACCESSTYPES, 
allRequestedAccesses);
+                       
RangerAccessRequestUtil.setAllRequestedAccessTypes(request.getContext(), 
allRequestedAccesses, Boolean.TRUE);
                }
 
                ret = evaluatePoliciesForOneAccessTypeNoAudit(request, 
policyType, zoneName, policyRepository, tagPolicyRepository);
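Review bot: The any-access flag and the expanded access-type set are written into `request.getContext()` here, and nothing visible in this hunk clears them once `evaluatePoliciesForOneAccessTypeNoAudit` returns. Because RangerDefaultPolicyEvaluator now switches to OR logic on that context flag alone, a context that is reused or copied for a later request naming one specific access type would presumably still be treated as any-access, which errs in the permissive direction. Consider resetting the flag after the evaluation, or at least recording the constraint with a comment such as `// context now carries the any-access flag; it must not be reused for a specific-access request`. The enclosing method starts and ends outside the hunk, so a reset may already exist there.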
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 55752e79c..9a0df550c 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -833,6 +833,9 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
 
                                for (String accessType : allRequestedAccesses) {
 
+                                       if (LOG.isDebugEnabled()) {
+                                               LOG.debug("Checking for 
accessType:[" + accessType + "]");
+                                       }
                                        RangerAccessRequestWrapper  oneRequest 
= new RangerAccessRequestWrapper(request, accessType);
                                        RangerAccessResult          oneResult  
= new RangerAccessResult(result.getPolicyType(), result.getServiceName(), 
result.getServiceDef(), oneRequest);
 
@@ -846,7 +849,7 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
                                                updateAccessResult(oneResult, 
matchType, false, "matched deny-all-else policy");
                                        }
 
-                                       if (request.isAccessTypeAny()) {
+                                       if (request.isAccessTypeAny() || 
RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())) {
                                                // Implement OR logic
                                                if (oneResult.getIsAllowed()) {
                                                        allowResult = oneResult;
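Review bot: The OR-versus-AND decision for the whole authorization result now depends on `RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext())`, whose body is not part of this commit, so its handling of a missing key or a null value cannot be confirmed from here. If it returns a boxed `Boolean`, this `||` unboxes it and would throw on a context where the flag was never set; the getter should be checked to return `false` in that case. The condition is also the same on every iteration, so it could be computed once before the `for` as `final boolean isAnyAccess = request.isAccessTypeAny() || RangerAccessRequestUtil.getIsAnyAccessInContext(request.getContext());`, which makes it visible that one request gets one combination rule. The loop header is outside this hunk.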
@@ -879,6 +882,10 @@ public class RangerDefaultPolicyEvaluator extends 
RangerAbstractPolicyEvaluator
                                        }
                                }
 
+                               if (LOG.isDebugEnabled()) {
+                                       LOG.debug("allowResult:[" + allowResult 
+ "], denyResult:[" + denyResult + "], noResult:[" + noResult + "]");
+                               }
+
                                if (allowResult != null) {
                                        result.setAccessResultFrom(allowResult);
                                } else if (denyResult != null) {
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
index 0ebb9cba5..a51f2322a 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
@@ -220,6 +220,11 @@ public class RangerAccessRequestUtil {
                context.put(KEY_CONTEXT_ACCESSTYPES, accessTypes);
        }
 
+        public static void setAllRequestedAccessTypes(Map<String, Object> 
context, Set<String> accessTypes, Boolean isAny) {
+                context.put(KEY_CONTEXT_ACCESSTYPES, accessTypes);
+                context.put(KEY_CONTEXT_IS_ANY_ACCESS, isAny);
+        }
+
        public static Set<String> 
getAllRequestedAccessTypes(RangerAccessRequest request) {
                Set<String> ret = (Set<String>) 
request.getContext().get(KEY_CONTEXT_ACCESSTYPES);
 
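Review bot: `setAllRequestedAccessTypes` takes `isAny` as a boxed `Boolean` and stores it unchecked, so a null argument puts a null value under `KEY_CONTEXT_IS_ANY_ACCESS`. Declaring the parameter as `boolean isAny` would rule that out, and the only caller in this commit passes `Boolean.TRUE`. The method has no Javadoc, although the flag it sets changes how per-access-type results are combined in RangerDefaultPolicyEvaluator, where it appears that a single allowed access type is enough. A short Javadoc should state that, and that `accessTypes` is stored by reference rather than copied, so later changes to the caller's set are visible through the context. The body of `getAllRequestedAccessTypes` continues past the end of the hunk.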
