RANGER-4977: Fix hbase scan authorization by using ignoreDescendantDe…

…ny=false

hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java

@@ -64,6 +64,8 @@ public class AuthorizationSession {
 	boolean _superUser = false; // is this session for a super user?
 	private RangerAccessRequest.ResourceMatchingScope _resourceMatchingScope = RangerAccessRequest.ResourceMatchingScope.SELF;
 
+	private boolean _ignoreDescendantDeny = true;
+
 	// internal state per-authorization
 	RangerAccessRequest _request;
 	RangerAccessResult _result;
@@ -195,7 +197,7 @@ AuthorizationSession buildRequest() {
 		request.setClientIPAddress(_remoteAddress);
 		request.setResourceMatchingScope(_resourceMatchingScope);
 		request.setAccessTime(new Date());
-
+		request.setIgnoreDescendantDeny(_ignoreDescendantDeny);
 		_request = request;
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("Built request: " + request.toString());
@@ -377,4 +379,8 @@ AuthorizationSession resourceMatchingScope(RangerAccessRequest.ResourceMatchingS
 		_resourceMatchingScope = scope;
 		return this;
 	}
+	AuthorizationSession ignoreDescendantDeny(boolean ignoreDescendantDeny) {
+		_ignoreDescendantDeny = ignoreDescendantDeny;
+		return this;
+	}
 }

hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java

@@ -441,6 +441,7 @@ ColumnFamilyAccessResult evaluateAccess(ObserverContext<?> ctx, String operation
 					LOG.debug("evaluateAccess: family level access for [" + family + "] is evaluated to " + isColumnFamilyAuthorized + ". Checking if [" + family + "] descendants have access.");
 				}
 				session.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS)
+						.ignoreDescendantDeny(false)
 						.buildRequest()
 						.authorize();
 				auditEvent = auditHandler.getAndDiscardMostRecentEvent(); // capture it only for failure
@@ -488,6 +489,7 @@ ColumnFamilyAccessResult evaluateAccess(ObserverContext<?> ctx, String operation
 				}
 				// Restore the headMatch setting
 				session.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF);
+				session.ignoreDescendantDeny(true);
 			} else {
 				LOG.debug("evaluateAccess: columns collection not empty.  Skipping Family level check, will do finer level access check.");
 				Set<String> accessibleColumns = new HashSet<String>(); // will be used in to populate our results cache for the filter

hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/TestPolicyEngine.java

@@ -82,6 +82,12 @@ public void testPolicyEngine_hbase() {
 
 		runTestsFromResourceFiles(hbaseTestResourceFiles);
 	}
+	@Test
+	public void testPolicyEngine_hbase_ignoreDescendantDeny() {
+		String[] hbaseTestResourceFiles = { "/policyengine/test_policyengine_hbase_ignoreDenyDescendant.json" };
+
+		runTestsFromResourceFiles(hbaseTestResourceFiles);
+	}
 
 	private void runTestsFromResourceFiles(String[] resourceNames) {
 		for(String resourceName : resourceNames) {

hbase-agent/src/test/resources/policyengine/test_policyengine_hbase_ignoreDenyDescendant.json

@@ -0,0 +1,55 @@
+{
+  "serviceName":"hbasedev",
+
+  "serviceDef":{
+    "name":"hbase",
+    "id":2,
+    "resources":[
+      {"name":"table","level":1,"parent":"","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"HBase Table","description":"HBase Table"},
+      {"name":"column-family","level":2,"parent":"table","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"HBase Column-Family","description":"HBase Column-Family"},
+      {"name":"column","level":3,"parent":"column-family","mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher","matcherOptions":{"wildCard":true, "ignoreCase":true},"label":"HBase Column","description":"HBase Column"}
+    ],
+    "accessTypes":[
+      {"name":"read","label":"Read"},
+      {"name":"write","label":"Write"},
+      {"name":"create","label":"Create"},
+      {"name":"admin","label":"Admin","impliedGrants":["read","write","create"]}
+    ]
+  },
+
+  "policies":[
+    {"id":1,"name":"table=finance; column-family=restricted, column=restricted_column","isEnabled":true,"isAuditEnabled":true,
+      "resources":{"table":{"values":["finance"]},"column-family":{"values":["restricted_cf"]}, "column":{"values":["restricted_column"]}},
+      "denyPolicyItems":[
+        {"accesses":[{"type":"read","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false}
+      ]
+    }
+  ,
+    {"id":2,"name":"table=finance; column-family=restricted,column=*","isEnabled":true,"isAuditEnabled":true,
+      "resources":{"table":{"values":["finance"]},"column-family":{"values":["restricted_cf"]}, "column":{"values":["*"]}},
+      "policyItems":[
+        {"accesses":[{"type":"read","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false}
+      ]
+    }
+  ],
+
+  "tests":[
+    {"name":"TEST!!! DENY 'get' for restricted column family when isDescendantDenyIgnored=false",
+      "request":{
+        "resource":{"elements":{"table":"finance","column-family":"restricted_cf"}},
+        "resourceMatchingScope": "SELF_OR_DESCENDANTS","isDescendantDenyIgnored": "false",
+        "accessType":"read","user":"user1","requestData":"deny get as there is a restricted column. Expected behavior for scan"
+      },
+      "result":{"isAudited":true,"isAllowed":false,"policyId":1}
+    },
+    {"name":"TEST!!! Allow 'get' for restricted column family when isDescendantDenyIgnored=true",
+      "request":{
+        "resource":{"elements":{"table":"finance","column-family":"restricted_cf"}},
+        "resourceMatchingScope": "SELF_OR_DESCENDANTS",
+        "accessType":"read","user":"user1","requestData":"allow get as restricted column policy not considered. Not expected behavior"
+      },
+      "result":{"isAudited":true,"isAllowed":true,"policyId":2}
+    }
+
+  ]
+}