This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new f375e3606 RANGER-3754: Chained plugins access evaluation result is not 
considered in some cases
f375e3606 is described below

commit f375e3606226e00677a95f9260e2a6e5cbc09983
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Thu May 12 10:41:09 2022 -0700

    RANGER-3754: Chained plugins access evaluation result is not considered in 
some cases
---
 .../java/org/apache/ranger/plugin/service/RangerBasePlugin.java   | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index f157475bf..b474de31c 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -1156,12 +1156,12 @@ public class RangerBasePlugin {
                int     policyType     = result.getPolicyType();
 
                if (chainedResult.getIsAccessDetermined()) { // only if 
chained-result is definitive
-                       // override if result is not definitive or 
chained-result is by a higher priority policy
-                       overrideResult = !result.getIsAccessDetermined() || 
chainedResult.getPolicyPriority() > result.getPolicyPriority();
+                       // override if chained-result is by a higher priority 
policy or result is not definitive or the result is not-allowed and no matching 
Ranger policy found
+                       overrideResult = chainedResult.getPolicyPriority() > 
result.getPolicyPriority() || !result.getIsAccessDetermined() || 
(!result.getIsAllowed() && result.getPolicyId() == -1L);
 
                        if (!overrideResult) {
-                               // override if chained-result is from the same 
policy priority, and if denies access
-                               if (chainedResult.getPolicyPriority() == 
result.getPolicyPriority() && !chainedResult.getIsAllowed()) {
+                               // override if chained-result is from the same 
policy priority, and if denies access with a specific policy id
+                               if (chainedResult.getPolicyPriority() == 
result.getPolicyPriority() && (!chainedResult.getIsAllowed() && 
chainedResult.getPolicyId() != -1L)) {
                                        // let's not override if result is 
already denied
                                        if (result.getIsAllowed()) {
                                                overrideResult = true;
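Review bot: The new clause `(!result.getIsAllowed() && result.getPolicyId() == -1L)` lets any definitive chained-result replace a determined deny regardless of policy priority. That is only safe if a policy id of -1 on a deny always means "no Ranger policy matched", an invariant this hunk does not show and which should be confirmed or stated in the comment. The bare `-1L` now carries that meaning in two places, the second being `chainedResult.getPolicyId() != -1L` in the same-priority branch. I would give it one definition, for example a new private helper `hasMatchedPolicy(RangerAccessResult r)` returning `r.getPolicyId() != -1L`. Because this changes which authorization decision wins, it should come with unit tests covering allowed/denied, policy id present/absent and higher/equal/lower chained priority; the diffstat shows only RangerBasePlugin.java changed, and the enclosing method starts and ends outside the hunk.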
