This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new f375e3606 RANGER-3754: Chained plugins access evaluation result is not considered in some cases f375e3606 is described below commit f375e3606226e00677a95f9260e2a6e5cbc09983 Author: Abhay Kulkarni <ab...@apache.org> AuthorDate: Thu May 12 10:41:09 2022 -0700 RANGER-3754: Chained plugins access evaluation result is not considered in some cases --- .../java/org/apache/ranger/plugin/service/RangerBasePlugin.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index f157475bf..b474de31c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -1156,12 +1156,12 @@ public class RangerBasePlugin {
 int policyType = result.getPolicyType();
 if (chainedResult.getIsAccessDetermined()) { // only if chained-result is definitive
- // override if result is not definitive or chained-result is by a higher priority policy
- overrideResult = !result.getIsAccessDetermined() || chainedResult.getPolicyPriority() > result.getPolicyPriority();
+ // override if chained-result is by a higher priority policy or result is not definitive or the result is not-allowed and no matching Ranger policy found
+ overrideResult = chainedResult.getPolicyPriority() > result.getPolicyPriority() || !result.getIsAccessDetermined() || (!result.getIsAllowed() && result.getPolicyId() == -1L);
 if (!overrideResult) {
- // override if chained-result is from the same policy priority, and if denies access
- if (chainedResult.getPolicyPriority() == result.getPolicyPriority() && !chainedResult.getIsAllowed()) {
+ // override if chained-result is from the same policy priority, and if denies access with a specific policy id
+ if (chainedResult.getPolicyPriority() == result.getPolicyPriority() && (!chainedResult.getIsAllowed() && chainedResult.getPolicyId() != -1L)) {
 // let's not override if result is already denied
 if (result.getIsAllowed()) {
 overrideResult = true;
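Review bot: Both new `getPolicyId()` comparisons against the bare `-1L` sentinel change when a deny sticks in the merged authorization result, and neither comment explains why a deny without a policy id is treated as non-authoritative. On the `overrideResult = ...` line a definitive chained allow now replaces a not-allowed `result` whose policy id is -1, and in the same-priority branch a chained deny whose policy id is -1 no longer overrides an allow. I would state the rule once above the outer `if`, e.g. `// policyId == -1L: no policy matched, so this deny is a default decision and yields to a policy-backed result`, and move the two comparisons into one small private predicate so both sites read the same way. The diffstat lists only this file, so tests covering the allow/deny and with/without-policy-id combinations for `result` and `chainedResult` appear to be missing. The enclosing method starts and ends outside the hunk.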