RANGER-4723: updated zone matcher to handle descendent match

apache · Feb 22, 2024 · 84ef6e5 · 84ef6e5
1 parent c4f6cc3
commit 84ef6e5
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/...common/src/main/java/org/apache/ranger/plugin/policyengine/RangerSecurityZoneMatcher.java b/...common/src/main/java/org/apache/ranger/plugin/policyengine/RangerSecurityZoneMatcher.java
@@ -26,6 +26,7 @@
 import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
 import org.apache.ranger.plugin.model.validation.RangerZoneResourceMatcher;
 import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
+import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher.MatchType;
 import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
 import org.apache.ranger.plugin.util.RangerResourceEvaluatorsRetriever;
 import org.apache.ranger.plugin.util.ServicePolicies.SecurityZoneInfo;
@@ -103,7 +104,14 @@ private Set<String> getZonesForResourceAndChildren(Map<String, ?> resource, Rang
                         LOG.debug("Trying to match resource:[{}] using matcher:[{}]", accessResource, matcher);
                     }
 
-                    if (matcher.getPolicyResourceMatcher().isMatch(accessResource, RangerPolicyResourceMatcher.MatchScope.ANY, null)) {
+                    RangerPolicyResourceMatcher policyResourceMatcher = matcher.getPolicyResourceMatcher();
+                    MatchType                   matchType             = policyResourceMatcher.getMatchType(accessResource, null);
+
+                    if (matchType == MatchType.DESCENDANT) { // add unzoned name
+                        ret.add("");
+                    }
+
+                    if (matchType != MatchType.NONE) {
                         if (LOG.isDebugEnabled()) {
                             LOG.debug("Matched resource:[{}] using matcher:[{}]", accessResource, matcher);
                         }

diff --git a/...on/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerSecurityZoneMatcher.java b/...on/src/test/java/org/apache/ranger/plugin/policyengine/TestRangerSecurityZoneMatcher.java
@@ -72,7 +72,7 @@ public void testZoneMatcher() {
 
         res   = createResource("database", "db3");
         zones = zoneMatcher.getZonesForResourceAndChildren(res);
-        assertEquals(createSet("z3", "z4"), zones);
+        assertEquals(createSet("", "z3", "z4"), zones);
     }
 
     private Map<String, SecurityZoneInfo> createSecurityZones() {