[
https://issues.apache.org/jira/browse/RANGER-2761?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
star updated RANGER-2761:
-------------------------
Attachment: RANGER-2761.patch
> Bugs about wildcard evaluator incremental creation
> --------------------------------------------------
>
> Key: RANGER-2761
> URL: https://issues.apache.org/jira/browse/RANGER-2761
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 2.0.0
> Reporter: star
> Assignee: star
> Priority: Major
> Attachments: RANGER-2761.patch
>
>
> When incrementally update wildcard policies, it will not cause any effect.
> Reproduce steps:
> 1. Create a policy A to grant Peter select access to database test and
> table t. Verify Peter did have select access.
> 2. Create a policy B to deny Peter select access to all database and
> table. Verify Peter is rejected select access to database test and table t.
> 3. Delete policy B and verify that Peter again has select access.
> 4. Create a policy C, the same as policy B and expecting Peter again is
> rejected select access. But it does not happen.
> {code:java}
> // RangerResourceTrie
> void undoSetup() {
> if (isSetup) {
> if (evaluators != null) {
> for (TrieNode<U> child : children.values()) {
> child.undoSetup();
> }
> ...
> }
> isSetup = false;
> }
> }
> private Set<T> getEvaluatorsForResource(String resource) {
> ...
> while (i < len) {
> if (!isOptimizedForRetrieval) {
> curr.setupIfNeeded(parent);
> }
> ...
> }
> if (!isOptimizedForRetrieval) {
> curr.setupIfNeeded(parent);
> }
> Set<T> ret = i == len ? curr.getEvaluators() :
> curr.getWildcardEvaluators();
> return ret;
> }
> {code}
> When adding new wildcard policy, evaluators of the root trie is null. So
> child.undoSetup will not be called. Then setupIfNeeded will not take effect
> on child trie nodes. At last, new wildcard policy(policy C) does not take
> effect.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
