RANGER-4980: Delete permissions on directory is denied which has hier…

…archy of files/directory rooted at the argument passed to the HDFS command
apache · Nov 7, 2024 · bec8af3 · bec8af3
1 parent 592e6d2
commit bec8af3
Show file tree

Hide file tree

Showing 3 changed files with 1 addition and 30 deletions.
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -533,7 +533,7 @@ public RangerAccessResult isAccessAllowed(RangerAccessRequest request, RangerAcc
 			ret = policyEngine.evaluatePolicies(request, RangerPolicy.POLICY_TYPE_ACCESS, null);
 		}
 
-		if (ret != null && !RangerAccessRequestUtil.getIsSkipChainedPlugins(request.getContext())) {
+		if (ret != null) {
 			for (RangerChainedPlugin chainedPlugin : chainedPlugins) {
 				if (LOG.isDebugEnabled()) {
 					LOG.debug("BasePlugin.isAccessAllowed result=[" + ret + "]");

diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
@@ -54,7 +54,6 @@ public class RangerAccessRequestUtil {
 	public static final String KEY_CONTEXT_GDS_RESULT              = "_GDS_RESULT";
 	public static final String KEY_CONTEXT_IS_REQUEST_PREPROCESSED = "ISREQUESTPREPROCESSED";
 	public static final String KEY_CONTEXT_RESOURCE_ZONE_NAMES     = "RESOURCE_ZONE_NAMES";
-	public static final String KEY_CONTEXT_IS_SKIP_CHAINED_PLUGINS = "_IS_SKIP_CHAINED_PLUGINS";
 
 	public static void setRequestTagsInContext(Map<String, Object> context, Set<RangerTagForEval> tags) {
 		if (CollectionUtils.isEmpty(tags)) {
@@ -446,13 +445,4 @@ public static void setAccessTypeResult(Map<String, Object> context, String acces
 			results.putIfAbsent(accessType, result);
 		}
 	}
-
-	public static void setIsSkipChainedPlugins(Map<String, Object> context, Boolean value) {
-		context.put(KEY_CONTEXT_IS_SKIP_CHAINED_PLUGINS, value);
-	}
-
-	public static boolean getIsSkipChainedPlugins(Map<String, Object> context) {
-		Boolean value = (Boolean) context.get(KEY_CONTEXT_IS_SKIP_CHAINED_PLUGINS);
-		return value != null && value;
-	}
 }
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -741,13 +741,6 @@ private AuthzStatus isAccessAllowedForTraversal(INode inode, INodeAttributes ino
 
 			RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(inode, path, pathOwner, access, EXECUTE_ACCCESS_TYPE, operation, context.user, context.userGroups);
 
-			// if the request was already allowed by a Ranger policy (for ancestor/parent/node/child), skip chained plugin evaluations in subsequent calls
-			if (context.isAllowedByRangerPolicies) {
-				LOG.warn("This request is already allowed by Ranger policies. Ensuring that chained-plugins are not evaluated again for this request, request:[" + request + "]");
-
-				RangerAccessRequestUtil.setIsSkipChainedPlugins(request.getContext(), Boolean.TRUE);
-			}
-
 			RangerAccessResult result = context.plugin.isAccessAllowed(request, null);
 
 			context.saveResult(result);
@@ -761,8 +754,6 @@ private AuthzStatus isAccessAllowedForTraversal(INode inode, INodeAttributes ino
 				if (LOG.isDebugEnabled()) {
 					LOG.debug("This request is for the first time allowed by Ranger policies. request:[" + request + "]");
 				}
-
-				context.isAllowedByRangerPolicies = true;
 			}
 
 			if (ret == AuthzStatus.DENY || (!skipAuditOnAllow && result != null && result.getIsAccessDetermined())) {
@@ -904,13 +895,6 @@ private AuthzStatus isAccessAllowed(INode inode, INodeAttributes inodeAttribs, S
 					}
 				}
 
-				// if the request was already allowed by a Ranger policy (for ancestor/parent/node/child), skip chained plugin evaluations in subsequent calls
-				if (context.isAllowedByRangerPolicies) {
-					LOG.warn("This request is already allowed by Ranger policies. Ensuring that chained-plugins are not evaluated again for this request, request:[" + request + "]");
-
-					RangerAccessRequestUtil.setIsSkipChainedPlugins(request.getContext(), Boolean.TRUE);
-				}
-
 				RangerAccessResult result = context.plugin.isAccessAllowed(request, context.auditHandler);
 
 				context.saveResult(result);
@@ -926,8 +910,6 @@ private AuthzStatus isAccessAllowed(INode inode, INodeAttributes inodeAttribs, S
 					if (LOG.isDebugEnabled()) {
 						LOG.debug("This request is for the first time allowed by Ranger policies. request:[" + request + "]");
 					}
-
-					context.isAllowedByRangerPolicies = true;
 				}
 			}
 
@@ -1448,7 +1430,6 @@ class AuthzContext {
 	public final Set<String>            userGroups;
 	public final String                 operationName;
 	public       boolean                isTraverseOnlyCheck;
-	public       boolean                isAllowedByRangerPolicies;
 	public       RangerHdfsAuditHandler auditHandler = null;
 	private      RangerAccessResult     lastResult   = null;