Review comments: code cleanup

apache · Nov 5, 2024 · c9ee929 · c9ee929
1 parent 102cf9e
commit c9ee929
Showing 1 changed file with 9 additions and 15 deletions.
diff --git a/...t/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/...t/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -434,20 +434,15 @@ ColumnFamilyAccessResult evaluateAccess(ObserverContext<?> ctx, String operation
 
 		for (Map.Entry<byte[], ? extends Collection<?>> anEntry : familyMap.entrySet()) {
 			String family = Bytes.toString(anEntry.getKey());
-			session.columnFamily(family);
+			session.columnFamily(family).
+					column(null).
+					buildRequest(); // zap stale column from prior iteration of this loop, if any
 			if (LOG.isDebugEnabled()) {
 				LOG.debug("evaluateAccess: Processing family: " + family);
 			}
 			Collection<?> columns = anEntry.getValue();
 			if (columns == null || columns.isEmpty()) {
-				// family points to null map, OK.
-				// if column auth disabled, then also empty set is fine
-				if (LOG.isDebugEnabled()) {
-					LOG.debug("RangerAuthorizationCoprocessor evaluateAccess: (No tags found for resource, "+
-							" all policies are * at column level for resource and "+
-							RangerHadoopConstants.HBASE_COLUMN_AUTH_OPTIMIZATION +
-							" is true) or columns are empty. Family level access is desired.");
-				}
+				LOG.debug("evaluateAccess: columns collection null or empty, ok.  Family level access is desired.");
 				//buildRequest() already done before 'if' condition
 				session.authorize();
 				AuthzAuditEvent auditEvent = auditHandler.getAndDiscardMostRecentEvent(); // capture it only for success
@@ -517,12 +512,11 @@ ColumnFamilyAccessResult evaluateAccess(ObserverContext<?> ctx, String operation
 				// Restore the headMatch setting
 				session.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF);
 			} else {
-				if(LOG.isDebugEnabled()) {
-					LOG.debug("evaluateAccess: " + RangerHadoopConstants.HBASE_COLUMN_AUTH_OPTIMIZATION + " is false or " +
-							"tags exist for resource or policies at column level exist or columns collection not empty. " +
-							" Skipping Family level check, will do finer level access check.");
-				}
 				boolean isColumnAuthShortCircuitingEnabled = hbasePlugin.getPropertyIsColumnAuthOptimizationEnabled();
+				if(LOG.isDebugEnabled()) {
+					LOG.debug("evaluateAccess: columns collection not empty." +
+							" Skipping Family level check, will do finer level access check for columns."+);
+					}
 				if (isColumnAuthShortCircuitingEnabled) {
 						session.column(null)
 								.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_AND_ALL_DESCENDANTS)
@@ -539,7 +533,7 @@ ColumnFamilyAccessResult evaluateAccess(ObserverContext<?> ctx, String operation
 								familesFullyAuthorized.add(family);
 								if (auditEvent != null) {
 										if (LOG.isDebugEnabled()) {
-												LOG.debug("evaluateAccess: isColumnAuthShortCircuitingEnabled=true, adding to family-level-access-granted-event-set");
+												LOG.debug("evaluateAccess: isColumnAuthShortCircuitingEnabled=true, adding to familesFullyAuthorized set");
 										}
 										familyLevelAccessEvents.add(auditEvent);
 								}