feat(Ranger): refactor the logic when ranger performs ACL #1518

Merged
merged 7 commits into from
Jun 15, 2023

@WHBANG WHBANG commented Jun 7, 2023

#1054

This patch fixes the judgment logic when ranger matches policies:

  1. Traverse all resource policies
    1. If the current policy matches deny_condition
      1. does not match any deny_exclude, returns kDenied, and the traversal ends
      2. A deny_exclude is matched, return kPending, and continue to the next policy judgment
    2. No policy is matched or the return value is kPending, enter 2
  2. Traverse all resource policies again
    1. If the current policy matches allow_condition
      1. does not match any allow_exclude, returns kAllowed, and the traversal ends
      2. An allow_exclude is matched, return kPending, and continue to the next policy judgment
    2. If the return value is kPending, it will return kDenied
  3. does not match any policy, return kDenied

As shown below:

                *** Ranger Policy Evaluation Flow ***
                    +-----------------+
                     \ Resource access \
                      \    request      \
                       +-------+---------+
                               |
                         +-----v-------+
                        /               \
                       /     Has a       \
         +-----N------+  resource policy  <----------------N-----------------+
         |             \  been matched ? /                                   |
         |              \               /                                    |
         |               +-----+-------+                                     |
         |                     |                                             |
         |                     Y                                             |
         |                     |                                             |
         |               +-----v-------+                  +-------------+    |
         |              /               \                /               \   |
         |             /    Has more     \              /   Has more      \  |
         |      +----->   policies with   +---N--+---->+  policies with    +-+
         |      |      \ Deny Condition? /       |      \ Allow Condition?/
         |      |       \               /        |       \               /
         |      |        +------+------+         |        +------+------+
         |      |               |                |               |
         |      |               Y                |               Y
         |      |               |                |               |
         |      |        +------v------+         |        +------v------+
         |      |       /    Request    \        |       /    Request    \
         |      |      / matches a deny  \       |      /matches an allow \
         |      +--N--+ condition in the  +      +--N--+ condition in the  +
         |      |      \     policy?     /       |      \    policy?      /
         |      |       \               /        |       \               /
         |      |        +------+------+         |        +------+------+
         |      |               |                |               |
         |      |               Y                |               Y
         |      |               |                |               |
         |      |        +------v------+         |        +------v------+
         |      |       /    Request    \        |       /    Request    \
         |      |      /  matches a deny \       |      / matches an allow\
         |      +--Y--+   exclude in the  +      +--Y--+   exclude in the  +
         |             \      policy?    /              \      policy?    /
         |              \               /                \               /
         |               +------+------+                  +------+------+
         |                      |                                |
         |                      N                                N
         |                      |                                |
   +-----v-----+         +------v------+                  +------v------+
   |    DENY   |         |    DENY     |                  |    ALLOW    |
   +-----------+         +-------------+                  +-------------+
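
The evaluation order described in the comment above, as an added example that is not code from this pull request. Only `kAllowed`, `kDenied` and `kPending` come from the page; the `Policy` struct, matching by user name and exact resource name, and the functions `pass`, `evaluate` and `sample_policies` are assumptions made for illustration.

```cpp
#include <set>
#include <string>
#include <vector>

enum class Result { kAllowed, kDenied, kPending };
using Users = std::set<std::string>;

// Hypothetical, simplified policy: each list names the users an item applies to.
struct Policy {
    std::string resource; // exact-match resource name (simplification)
    Users deny, deny_exclude, allow, allow_exclude;
};

// One traversal over the policies for either the deny side or the allow side.
// Returns a final result at the first policy whose condition matches and whose
// exclude list does not; a matched exclude leaves the result pending and the
// traversal moves on to the next policy.
static Result pass(const std::vector<Policy> &ps, const std::string &res,
                   const std::string &user, bool deny_pass)
{
    for (const auto &p : ps) {
        if (p.resource != res) continue; // policy is not for this resource
        const Users &cond = deny_pass ? p.deny : p.allow;
        const Users &excl = deny_pass ? p.deny_exclude : p.allow_exclude;
        if (cond.count(user) == 0) continue;
        if (excl.count(user) == 0)
            return deny_pass ? Result::kDenied : Result::kAllowed;
    }
    return Result::kPending;
}

Result evaluate(const std::vector<Policy> &ps, const std::string &res, const std::string &user)
{
    if (pass(ps, res, user, true) == Result::kDenied) return Result::kDenied;    // step 1
    if (pass(ps, res, user, false) == Result::kAllowed) return Result::kAllowed; // step 2
    return Result::kDenied; // kPending or no policy matched: default deny (step 3)
}

// Constructed sample policies, not taken from any real deployment.
std::vector<Policy> sample_policies()
{
    return {
        {"db1", {}, {}, {"alice", "bob"}, {"bob"}},            // allow alice and bob, exclude bob
        {"db1", {"alice", "carol"}, {"alice"}, {"carol"}, {}}, // deny alice and carol, exclude alice
        {"db2", {}, {}, {"bob"}, {}},                          // allow bob
    };
}
```

With these policies, `carol` is denied on `db1` even though an allow item names her, because the deny traversal completes before any allow item is consulted.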

@github-actions github-actions bot added the cpp label Jun 7, 2023
@WHBANG WHBANG changed the title Dev/ranger fix feat(Ranger): refactor the logic when ranger performs ACL Jun 7, 2023

cr-gpt bot commented Jun 14, 2023

Seems you are using me but didn't get OPENAI_API_KEY set in Variables/Secrets for this repo. You could follow readme for more information


acelyc111 commented Jun 14, 2023

Seems you are using me but didn't get OPENAI_API_KEY set in Variables/Secrets for this repo. You could follow readme for more information

I want to turn you off.

acelyc111 previously approved these changes Jun 15, 2023

@empiredan empiredan merged commit 78136dd into apache:master Jun 15, 2023
@empiredan empiredan mentioned this pull request Aug 22, 2023
GehaFearless pushed a commit to GehaFearless/incubator-pegasus that referenced this pull request Feb 28, 2024