RANGER-4666: fixed getResourceACLs() API to account for tags assigned to ancestor resources
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index df39467..b0dc7a4 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -317,6 +317,11 @@
 					boolean   isTemporalTagPolicy = policyIdForTemporalTags.contains(evaluator.getPolicyId());
 					MatchType tagMatchType        = tagMatchTypeMap.get(evaluator.getPolicyId());
 
+					// tag assigned to ANCESTORS must apply to SELF as well, to be consistent with policy evaluation in RangerDefaultPolicyEvaluator.evaluate()
+					if (tagMatchType == MatchType.ANCESTOR) {
+						tagMatchType = MatchType.SELF;
+					}
+
 					evaluator.getResourceACLs(request, ret, isTemporalTagPolicy, null, tagMatchType, policyEngine);
 				}
 
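Review bot: The ANCESTOR-to-SELF rewrite just before `evaluator.getResourceACLs(...)` is a second copy of a rule that, per the added comment, already exists in RangerDefaultPolicyEvaluator.evaluate(), so the ACLs this API reports and the access actually enforced can drift apart again if either copy changes. Administrators and downstream consumers read getResourceACLs() to see effective access, so I would move the mapping into one helper shared by both paths. Failing that, the comment should at least state the consequence, e.g. `// keep in sync with evaluate(): otherwise tag policies matched via an ancestor's tags are enforced but missing from the reported ACLs`. The accompanying fixture change only adds a data-mask expectation; a case with a deny or row-filter tag policy on an ancestor's tag would confirm the other result types, assuming they pass through this same loop. The enclosing loop and method start and end outside the hunk, so how `tagMatchTypeMap` is populated is not visible here.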
diff --git a/agents-common/src/test/resources/policyengine/test_aclprovider_resource_hierarchy_tags.json b/agents-common/src/test/resources/policyengine/test_aclprovider_resource_hierarchy_tags.json
index dac583c..206a656 100644
--- a/agents-common/src/test/resources/policyengine/test_aclprovider_resource_hierarchy_tags.json
+++ b/agents-common/src/test/resources/policyengine/test_aclprovider_resource_hierarchy_tags.json
@@ -214,6 +214,7 @@
             "dba":       { "create":  { "result": 1, "isFinal": true } }
           },
           "dataMasks": [
+            { "users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_NONE" }, "isConditional": false },
             { "users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": false }
           ]
         }