RANGER-4666: fixed getResourceACLs() API to account for tags assigned to ancestor resources
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index df39467..b0dc7a4 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -317,6 +317,11 @@
boolean isTemporalTagPolicy = policyIdForTemporalTags.contains(evaluator.getPolicyId());
MatchType tagMatchType = tagMatchTypeMap.get(evaluator.getPolicyId());
+ // tag assigned to ANCESTORS must apply to SELF as well, to be consistent with policy evaluation in RangerDefaultPolicyEvaluator.evaluate()
+ if (tagMatchType == MatchType.ANCESTOR) {
+ tagMatchType = MatchType.SELF;
+ }
+
evaluator.getResourceACLs(request, ret, isTemporalTagPolicy, null, tagMatchType, policyEngine);
}
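Review bot: The rewrite at `if (tagMatchType == MatchType.ANCESTOR)` keeps getResourceACLs() in step with RangerDefaultPolicyEvaluator.evaluate() only through a comment, so a later change to the enforcement rule would leave the reported ACLs out of step with what is actually enforced. Any consumer that acts on this API's output would then see allow, deny or mask entries that do not match enforcement. Moving the normalization into one small helper used by both paths would remove that risk. If that is not possible, widen the comment to state the full contract, for example `// ANCESTOR is reported as SELF so ACLs returned here match what evaluate() enforces; all other match types pass through unchanged`. The remap appears to apply to every tag evaluator that reaches this call, while the visible fixture change covers only a data-mask case, so a deny-policy case for a tag on an ancestor would be worth adding. The enclosing loop and method start and end outside the hunk.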
diff --git a/agents-common/src/test/resources/policyengine/test_aclprovider_resource_hierarchy_tags.json b/agents-common/src/test/resources/policyengine/test_aclprovider_resource_hierarchy_tags.json
index dac583c..206a656 100644
--- a/agents-common/src/test/resources/policyengine/test_aclprovider_resource_hierarchy_tags.json
+++ b/agents-common/src/test/resources/policyengine/test_aclprovider_resource_hierarchy_tags.json
@@ -214,6 +214,7 @@
"dba": { "create": { "result": 1, "isFinal": true } }
},
"dataMasks": [
+ { "users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_NONE" }, "isConditional": false },
{ "users": [ "test-user" ], "groups": [], "roles": [], "accessTypes": [ "select" ], "maskInfo": { "dataMaskType": "MASK_HASH" }, "isConditional": false }
]
}
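Review bot: The expected `dataMasks` array now holds two entries for the same `test-user` / `select` pair, `MASK_NONE` first and `MASK_HASH` second, and nothing visible in the fixture says which one a consumer of getResourceACLs() should treat as effective. If a caller takes the first match, the resource would be reported as unmasked even though another policy hashes it, so the ordering is security-relevant and should be asserted deliberately rather than incidentally. JSON cannot carry a comment, so the intended precedence belongs in the test case's name or description text (if the fixture format has one) or in the Javadoc of getResourceACLs(). A sentence such as "data-mask entries are listed in evaluation order; the first applicable entry is the effective mask" would do, adjusted to whatever the engine actually guarantees. The enclosing test-case object starts outside the hunk.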