From c4f6cc3951f979c4ae5859fbeaf1be5fe945b12d Mon Sep 17 00:00:00 2001
From: Abhay Kulkarni <abhay@apache.org>
Date: Tue, 20 Feb 2024 14:36:09 -0800
Subject: [PATCH] RANGER-4722: HDFS authorization logic for directory hierarchy
 rooted at '/' is incorrect

---
 .../ranger/authorization/hadoop/RangerHdfsAuthorizer.java   | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
index 9b1279bcb1..9b410a1854 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
@@ -453,7 +453,11 @@ private void checkRangerPermission(String fsOwner, String superGroup, UserGroupI
 								if (subDirAuthStatus != AuthzStatus.ALLOW) {
 									for(INode child : cList) {
 										if (child.isDirectory()) {
-											directories.push(new SubAccessData(child.asDirectory(), resourcePath + Path.SEPARATOR_CHAR + child.getLocalName()));
+											if (data.resourcePath.endsWith(Path.SEPARATOR)) {
+												directories.push(new SubAccessData(child.asDirectory(), data.resourcePath + child.getLocalName()));
+											} else {
+												directories.push(new SubAccessData(child.asDirectory(), data.resourcePath + Path.SEPARATOR_CHAR + child.getLocalName()));
+											}
 										}
 									}
 								}