RANGER-1229: fix resource-matcher to correctly handle policy containi…

…ng only one resource whose value is '*'

Signed-off-by: Madhan Neethiraj <[email protected]>

agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java

@@ -267,7 +267,7 @@ public boolean applyExcludes(boolean allValuesRequested, boolean resultWithoutEx
 	ResourceMatcher getMatcher(String policyValue) {
 		final int len = policyValue != null ? policyValue.length() : 0;
 
-		if (len == 0 || (optWildCard && policyValue.equals(WILDCARD_ASTERISK))) {
+		if (len == 0) {
 			return null;
 		}
 

agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java

@@ -92,10 +92,15 @@ ResourceMatcher getMatcher(String policyValue) {
 
 		final int len = policyValue != null ? policyValue.length() : 0;
 
-		if (len == 0 || (optWildCard && policyValue.equals(WILDCARD_ASTERISK))) {
+		if (len == 0) {
 			return null;
 		}
 
+		// To ensure that when policyValue is single '*', ResourceMatcher created here returns true for isMatchAny()
+		if (optWildCard && policyValue.equals(WILDCARD_ASTERISK)) {
+			return new CaseInsensitiveStringMatcher("");
+		}
+
 		boolean isWildcardPresent = false;
 
 		if (optWildCard) {

agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java

@@ -214,6 +214,13 @@ public void testPolicyEngine_hbase() {
 		runTestsFromResourceFiles(hbaseTestResourceFiles);
 	}
 
+	@Test
+	public void testPolicyEngine_hbase_with_multiple_matching_policies() {
+		String[] hbaseTestResourceFiles = { "/policyengine/test_policyengine_hbase_multiple_matching_policies.json" };
+
+		runTestsFromResourceFiles(hbaseTestResourceFiles);
+	}
+
 	@Test
 	public void testPolicyEngine_conditions() {
 		String[] conditionsTestResourceFiles = { "/policyengine/test_policyengine_conditions.json" };

agents-common/src/test/resources/policyengine/test_policyengine_hbase_multiple_matching_policies.json

@@ -0,0 +1,75 @@
+{
+  "serviceName":"hbasedev",
+
+  "serviceDef":{
+    "name":"hbase",
+    "id":2,
+    "resources":[
+      {"name":"table","level":1,"parent":"","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"HBase Table","description":"HBase Table"},
+      {"name":"column-family","level":2,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"HBase Column-Family","description":"HBase Column-Family"},
+      {"name":"column","level":3,"parent":"column-family","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"HBase Column","description":"HBase Column"}
+    ],
+    "accessTypes":[
+      {"name":"read","label":"Read"},
+      {"name":"write","label":"Write"},
+      {"name":"create","label":"Create"},
+      {"name":"admin","label":"Admin","impliedGrants":["read","write","create"]}
+    ]
+  },
+
+  "policies":[
+    {"id":1,"name":"table=default,*; column-family=default,*; column=default, *: audit-all-access","isEnabled":true,"isAuditEnabled":true,
+     "resources":{"table":{"values":["default", "*"]},"column-family":{"values":["default", "*"]}, "column":{"values":["default", "*"]}},
+     "policyItems":[
+       {"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true}, {"type":"create", "isAllowed":true},
+         {"type":"admin", "isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false}
+       ,
+       {"accesses":[{"type":"read","isAllowed":true}],"users":["hrt_qa"],"groups":[],"delegateAdmin":false}
+     ]
+    }
+    ,
+    {"id":2,"name":"table=*; column-family=*; column=*: audit-all-access","isEnabled":true,"isAuditEnabled":true,
+      "resources":{"table":{"values":["*"]},"column-family":{"values":["*"]}, "column":{"values":["*"]}},
+      "policyItems":[
+        {"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true}, {"type":"create", "isAllowed":true},
+          {"type":"admin", "isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false}
+      ,
+        {"accesses":[{"type":"read","isAllowed":true}, {"type":"write", "isAllowed":true}],"users":["hrt_qa"],"groups":[],"delegateAdmin":false}
+      ]
+    }
+  ],
+
+  "tests":[
+    {"name":"TEST!!! ALLOW 'scan finance restricted-cf;' for hrt_qa",
+      "request":{
+        "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}},
+        "accessType":"read","user":"hrt_qa","userGroups":[],"requestData":"scan finance restricted-cf; for hrt_qa"
+      },
+      "result":{"isAudited":true,"isAllowed":true,"policyId":1}
+    }
+  ,
+    {"name":"TEST!!! ALLOW 'put finance restricted-cf;' for hrt_qa",
+     "request":{
+      "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}},
+      "accessType":"write","user":"hrt_qa","userGroups":[],"requestData":"put finance restricted-cf; for hrt_qa"
+     },
+     "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+    },
+    {"name":"TEST!!! DENY 'create finance restricted-cf;' for hrt_qa",
+      "request":{
+        "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}},
+        "accessType":"create","user":"hrt_qa","userGroups":[],"requestData":"create finance restricted-cf; for hrt_qa"
+      },
+      "result":{"isAudited":true,"isAllowed":false,"policyId":-1}
+    }
+    ,
+    {"name":"TEST!!! ALLOW 'create finance restricted-cf;' for user1",
+      "request":{
+        "resource":{"elements":{"table":"finance","column-family":"restricted-cf"}},
+        "accessType":"create","user":"user1","userGroups":[],"requestData":"create finance restricted-cf; for user1"
+      },
+      "result":{"isAudited":true,"isAllowed":true,"policyId":1}
+    }
+  ]
+}
+