From shreepa...@apache.org
Subject git commit: SENTRY-89: Sentry WildCardPermission always ends a / to the URI (Brock Noland via Shreepadma Venugopalan)
Date Thu, 16 Jan 2014 19:15:11 GMT
Updated Branches:
  refs/heads/master a93fb4161 -> 8fc91c54f


SENTRY-89: Sentry WildCardPermission always ends a / to the URI (Brock Noland via Shreepadma
Venugopalan)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/8fc91c54
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/8fc91c54
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/8fc91c54

Branch: refs/heads/master
Commit: 8fc91c54f6d412dd404825f35b77805784d51d5d
Parents: a93fb41
Author: Shreepadma Venugopalan <shreepadma@apache.org>
Authored: Thu Jan 16 11:14:13 2014 -0800
Committer: Shreepadma Venugopalan <shreepadma@apache.org>
Committed: Thu Jan 16 11:14:13 2014 -0800

----------------------------------------------------------------------
 .../sentry/policy/db/DBWildcardPermission.java    | 18 ++++++++++++++++--
 .../policy/db/TestDBWildcardPermission.java       |  5 ++++-
 2 files changed, 20 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8fc91c54/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
index e84e5b9..e0eb2dc 100644
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
@@ -154,8 +154,8 @@ public class DBWildcardPermission implements Permission, Serializable
{
       // request path does not contain relative parts /a/../b &&
       // request path starts with policy path &&
       // authorities (nullable) are equal
-      String requestPath = requestURI.getPath() + File.separator;
-      String policyPath = policyURI.getPath() + File.separator;
+      String requestPath = ensureEndsWithSeparator(requestURI.getPath());
+      String policyPath = ensureEndsWithSeparator(policyURI.getPath());
       if(policyURI.getScheme().equals(requestURI.getScheme()) &&
           requestURI.getPath().equals(new URI(request).normalize().getPath()) &&
           requestPath.startsWith(policyPath) &&
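Review bot: The two new calls pass `requestURI.getPath()` and `policyURI.getPath()` straight into `ensureEndsWithSeparator`, and `URI.getPath()` returns null for an opaque URI (a scheme with no hierarchical path). The helper's `path.endsWith(...)` would then throw a NullPointerException, where the old string concatenation did not fail on that line. Because this is an authorization decision, it is better to deny such input explicitly, for example with `if (requestURI.getPath() == null || policyURI.getPath() == null) { return false; }` ahead of these two lines. The enclosing method starts and ends outside this hunk, so an existing catch block may already cover this case; that cannot be confirmed from the visible lines.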
@@ -169,6 +169,20 @@ public class DBWildcardPermission implements Permission, Serializable
{
     }
   }
 
+  /**
+   * The URI must be a directory as opposed to a partial
+   * path entry name. To ensure this is true we add a /
+   * at the end of the path. Without this the admin might
+   * grant access to /dir1 but the user would be given access
+   * to /dir1* whereas the admin meant /dir1/
+   */
+  private static String ensureEndsWithSeparator(String path) {
+    if (path.endsWith(File.separator)) {
+      return path;
+    }
+    return path + File.separator;
+  }
+
   @Override
   public String toString() {
     return AUTHORIZABLE_JOINER.join(parts);
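Review bot: `ensureEndsWithSeparator` tests for and appends `File.separator`, but the value it handles is a URI path, which always uses `/` regardless of the host platform. Where `File.separator` is `\`, a policy path of `/dir1` would become `/dir1\` and the `startsWith` prefix check in the caller would stop matching legitimate children, while a path already ending in `/` would still get a `\` appended. The Javadoc itself says "we add a /", so the code should use the literal: `if (path.endsWith("/")) { return path; }` followed by `return path + "/";`. The Javadoc could also note that the parameter is the path component of a URI and is assumed to be non-null.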

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8fc91c54/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
index 8f1ee2c..2024cd8 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
@@ -51,7 +51,7 @@ public class TestDBWildcardPermission {
           "hdfs://namenode:8020/path/to/uri1"));
   private static final Permission ROLE_SERVER_SERVER1_URI_URI2 =
       create(new KeyValue("server", "server1"), new KeyValue("uri",
-          "hdfs://namenode:8020/path/to/uri2"));
+          "hdfs://namenode:8020/path/to/uri2/"));
   private static final Permission ROLE_SERVER_SERVER1_URI_ALL =
       create(new KeyValue("server", "server1"), new KeyValue("uri", ALL));
 
@@ -272,6 +272,9 @@ public class TestDBWildcardPermission {
     // mangled path
     assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path",
         "hdfs://namenode:8020/pathFooBar"));
+    // ends in /
+    assertTrue(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path/",
+        "hdfs://namenode:8020/path/FooBar"));
   }
   static DBWildcardPermission create(KeyValue... keyValues) {
     return create(AUTHORIZABLE_JOINER.join(keyValues));
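Review bot: The added assertion covers only the positive case for a policy that ends in `/`; the prefix-confusion case described in the helper's Javadoc is not pinned for that form of policy. A companion negative assertion would guard against a regression in the trailing-separator logic: `assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path/", "hdfs://namenode:8020/pathFooBar"));`. The test method these lines belong to begins outside the hunk.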

