Description
When incrementally update wildcard policies, it will not cause any effect. Reproduce steps:
1. Create a policy A to grant Peter select access to database test and table t. Verify Peter did have select access.
2. Create a policy B to deny Peter select access to all database and table. Verify Peter is rejected select access to database test and table t.
3. Delete policy B and verify that Peter again has select access.
4. Create a policy C, the same as policy B and expecting Peter again is rejected select access. But it does not happen.
// RangerResourceTrie void undoSetup() { if (isSetup) { if (evaluators != null) { for (TrieNode<U> child : children.values()) { child.undoSetup(); } ... } isSetup = false; } } private Set<T> getEvaluatorsForResource(String resource) { ... while (i < len) { if (!isOptimizedForRetrieval) { curr.setupIfNeeded(parent); } ... } if (!isOptimizedForRetrieval) { curr.setupIfNeeded(parent); } Set<T> ret = i == len ? curr.getEvaluators() : curr.getWildcardEvaluators(); return ret; }
When adding new wildcard policy, evaluators of the root trie is null. So child.undoSetup will not be called. Then setupIfNeeded will not take effect on child trie nodes. At last, new wildcard policy(policy C) does not take effect.
Attachments
Attachments
Issue Links
- is related to
-
RANGER-2760 Bugs about wildcard evaluator incremental updates
-
- Resolved
-
- links to
