apache · mneethiraj · Jan 7, 2026 · Jan 7, 2026 · Jan 8, 2026 · Jan 8, 2026
diff --git a/authz-api/src/main/java/org/apache/ranger/authz/model/RangerAuthzResult.java b/authz-api/src/main/java/org/apache/ranger/authz/model/RangerAuthzResult.java
@@ -106,12 +106,12 @@ public String toString() {
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
     @JsonIgnoreProperties(ignoreUnknown = true)
     public static class PermissionResult {
-        private String                        permission;
-        private AccessResult                  access;
-        private DataMaskResult                dataMask;
-        private RowFilterResult               rowFilter;
-        private Map<String, PermissionResult> subResources;
-        private Map<String, Object>           additionalInfo;
+        private String                  permission;
+        private AccessResult            access;
+        private DataMaskResult          dataMask;
+        private RowFilterResult         rowFilter;
+        private Map<String, Object>     additionalInfo;
+        private Map<String, ResultInfo> subResources;
 
         public PermissionResult() {
         }
@@ -120,14 +120,20 @@ public PermissionResult(String permission) {
             this(permission, null, null);
         }
 
-        public PermissionResult(String permission, AccessResult access) {
-            this(permission, access, null);
+        public PermissionResult(String permission, ResultInfo result) {
+            this(permission, result, null);
         }
 
-        public PermissionResult(String permission, AccessResult access, Map<String, Object> additionalInfo) {
-            this.permission     = permission;
-            this.access         = access;
-            this.additionalInfo = additionalInfo;
+        public PermissionResult(String permission, ResultInfo result, Map<String, ResultInfo> subResources) {
+            this.permission   = permission;
+            this.subResources = subResources;
+
+            if (result != null) {
+                this.access         = result.getAccess();
+                this.dataMask       = result.getDataMask();
+                this.rowFilter      = result.getRowFilter();
+                this.additionalInfo = result.getAdditionalInfo();
+            }
         }
 
         // Getters and Setters
@@ -163,28 +169,115 @@ public void setRowFilter(RowFilterResult rowFilter) {
             this.rowFilter = rowFilter;
         }
 
-        public Map<String, PermissionResult> getSubResources() {
+        public Map<String, Object> getAdditionalInfo() {
+            return additionalInfo;
+        }
+
+        public void setAdditionalInfo(Map<String, Object> additionalInfo) {
+            this.additionalInfo = additionalInfo;
+        }
+
+        public Map<String, ResultInfo> getSubResources() {
             return subResources;
         }
 
-        public void setSubResources(Map<String, PermissionResult> subResources) {
+        public void setSubResources(Map<String, ResultInfo> subResources) {
             this.subResources = subResources;
         }
 
-        public PermissionResult getdSubResourceResult(String resourceName) {
-            Map<String, PermissionResult> subResources = getSubResources();
+        public ResultInfo getSubResourceResult(String resourceName) {
+            Map<String, ResultInfo> subResources = getSubResources();
 
             return subResources != null ? subResources.get(resourceName) : null;
         }
 
-        public void addSubResourceResult(String resourceName, PermissionResult result) {
+        public void addSubResourceResult(String resourceName, ResultInfo result) {
             if (subResources == null) {
                 subResources = new HashMap<>();
             }
 
             subResources.put(resourceName, result);
         }
 
+        @Override
+        public int hashCode() {
+            return Objects.hash(permission, access, dataMask, rowFilter, additionalInfo, subResources);
+        }
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) {
+                return true;
+            } else if (o == null || getClass() != o.getClass()) {
+                return false;
+            }
+
+            PermissionResult that = (PermissionResult) o;
+
+            return Objects.equals(permission, that.permission) &&
+                    Objects.equals(access, that.access) &&
+                    Objects.equals(dataMask, that.dataMask) &&
+                    Objects.equals(rowFilter, that.rowFilter) &&
+                    Objects.equals(additionalInfo, that.additionalInfo) &&
+                    Objects.equals(subResources, that.subResources);
+        }
+
+        @Override
+        public String toString() {
+            return "PermissionResult{" +
+                    "permission='" + permission + '\'' +
+                    ", access=" + access +
+                    ", dataMask=" + dataMask +
+                    ", rowFilter=" + rowFilter +
+                    ", additionalInfo=" + additionalInfo +
+                    ", subResources=" + subResources +
+                    '}';
+        }
+    }
+
+    @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY)
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    @JsonIgnoreProperties(ignoreUnknown = true)
+    public static class ResultInfo {
+        private AccessResult        access;
+        private DataMaskResult      dataMask;
+        private RowFilterResult     rowFilter;
+        private Map<String, Object> additionalInfo;
+
+        public ResultInfo() {
+        }
+
+        public ResultInfo(AccessResult access, DataMaskResult dataMask, RowFilterResult rowFilter, Map<String, Object> additionalInfo) {
+            this.access         = access;
+            this.dataMask       = dataMask;
+            this.rowFilter      = rowFilter;
+            this.additionalInfo = additionalInfo;
+        }
+
+        public AccessResult getAccess() {
+            return access;
+        }
+
+        public void setAccess(AccessResult access) {
+            this.access = access;
+        }
+
+        public DataMaskResult getDataMask() {
+            return dataMask;
+        }
+
+        public void setDataMask(DataMaskResult dataMask) {
+            this.dataMask = dataMask;
+        }
+
+        public RowFilterResult getRowFilter() {
+            return rowFilter;
+        }
+
+        public void setRowFilter(RowFilterResult rowFilter) {
+            this.rowFilter = rowFilter;
+        }
+
         public Map<String, Object> getAdditionalInfo() {
             return additionalInfo;
         }
@@ -195,7 +288,7 @@ public void setAdditionalInfo(Map<String, Object> additionalInfo) {
 
         @Override
         public int hashCode() {
-            return Objects.hash(permission, access, dataMask, rowFilter, subResources, additionalInfo);
+            return Objects.hash(access, dataMask, rowFilter, additionalInfo);
         }
 
         @Override
@@ -206,24 +299,20 @@ public boolean equals(Object o) {
                 return false;
             }
 
-            PermissionResult that = (PermissionResult) o;
+            ResultInfo that = (ResultInfo) o;
 
-            return Objects.equals(permission, that.permission) &&
-                    Objects.equals(access, that.access) &&
+            return Objects.equals(access, that.access) &&
                     Objects.equals(dataMask, that.dataMask) &&
                     Objects.equals(rowFilter, that.rowFilter) &&
-                    Objects.equals(subResources, that.subResources) &&
                     Objects.equals(additionalInfo, that.additionalInfo);
         }
 
         @Override
         public String toString() {
-            return "PermissionResult{" +
-                    "permission='" + permission + '\'' +
-                    ", access=" + access +
+            return "ResultInfo{" +
+                    "access=" + access +
                     ", dataMask=" + dataMask +
                     ", rowFilter=" + rowFilter +
-                    ", subResources=" + subResources +
                     ", additionalInfo=" + additionalInfo +
                     '}';
         }

diff --git a/authz-api/src/main/java/org/apache/ranger/authz/util/RangerResourceNameParser.java b/authz-api/src/main/java/org/apache/ranger/authz/util/RangerResourceNameParser.java
@@ -36,8 +36,9 @@
 public class RangerResourceNameParser {
     private static final Logger LOG = LoggerFactory.getLogger(RangerResourceNameParser.class);
 
-    public static final String[] EMPTY_ARRAY           = new String[0];
-    public static final char     RRN_RESOURCE_TYPE_SEP = ':';
+    public static final String[] EMPTY_ARRAY              = new String[0];
+    public static final char     RRN_RESOURCE_TYPE_SEP    = ':';
+    public static final char     DEFAULT_RRN_RESOURCE_SEP = '/';
 
     private static final char   ESCAPE_CHAR   = '\\';
     private static final String ESCAPE_STRING = "\\\\";
@@ -49,8 +50,25 @@ public class RangerResourceNameParser {
     private final String   template;   // examples: database/table/column, bucket/volume/path
     private final String[] resources;  // examples: [database, table, column],   [bucket, volume, path]
 
+    public RangerResourceNameParser(String[] resourcePath) throws RangerAuthzException {
+        this(resourcePath, DEFAULT_RRN_RESOURCE_SEP);
+    }
+
     public RangerResourceNameParser(String[] resourcePath, char separatorChar) throws RangerAuthzException {
-        this(StringUtils.join(resourcePath, separatorChar), separatorChar);
+        if (resourcePath == null || resourcePath.length == 0) {
+            throw new RangerAuthzException(INVALID_RESOURCE_TEMPLATE_EMPTY_VALUE);
+        }
+
+        this.separatorChar    = separatorChar;
+        this.separatorString  = String.valueOf(separatorChar);
+        this.escapedSeparator = ESCAPE_STRING + separatorString;
+        this.separatorPattern = Pattern.compile(separatorString);
+        this.template         = StringUtils.join(resourcePath, separatorChar);
+        this.resources        = resourcePath;
+    }
+
+    public RangerResourceNameParser(String template) throws RangerAuthzException {
+        this(template, DEFAULT_RRN_RESOURCE_SEP);
     }
 
     public RangerResourceNameParser(String template, char separatorChar) throws RangerAuthzException {

diff --git a/authz-api/src/test/java/org/apache/ranger/authz/util/TestRangerResourceNameParser.java b/authz-api/src/test/java/org/apache/ranger/authz/util/TestRangerResourceNameParser.java
@@ -36,8 +36,6 @@
 import static org.junit.jupiter.api.Assertions.assertThrowsExactly;
 
 public class TestRangerResourceNameParser {
-    private static final char RRN_RESOURCE_SEP_CHAR = '/';
-
     @Test
     public void testValidTemplates() throws Exception {
         Object[][] testData = {
@@ -62,7 +60,7 @@ public void testValidTemplates() throws Exception {
             String                   template         = (String) test[0];
             String                   resourceType     = (String) test[1];
             int                      resourceCount    = (Integer) test[2];
-            RangerResourceNameParser resourceTemplate = new RangerResourceNameParser(template, RRN_RESOURCE_SEP_CHAR);
+            RangerResourceNameParser resourceTemplate = new RangerResourceNameParser(template);
 
             assertEquals(resourceType, resourceTemplate.getResourceType(), template);
             assertEquals(resourceCount, resourceTemplate.count(), template);
@@ -83,7 +81,7 @@ public void testInvalidTemplates() {
         };
 
         for (String template : templates) {
-            RangerAuthzException excp = assertThrowsExactly(RangerAuthzException.class, () -> new RangerResourceNameParser(template, RRN_RESOURCE_SEP_CHAR), template);
+            RangerAuthzException excp = assertThrowsExactly(RangerAuthzException.class, () -> new RangerResourceNameParser(template), template);
 
             assertEquals(INVALID_RESOURCE_TEMPLATE_EMPTY_VALUE.getCode(), excp.getErrorCode().getCode(), template);
         }
@@ -303,51 +301,51 @@ public void testResourceNameFromArrayS3() throws Exception {
     private static Map<String, RangerResourceNameParser> getHiveTemplates() throws Exception {
         Map<String, RangerResourceNameParser> ret = new HashMap<>();
 
-        ret.put("database", new RangerResourceNameParser("database", RRN_RESOURCE_SEP_CHAR));
-        ret.put("table", new RangerResourceNameParser("database/table", RRN_RESOURCE_SEP_CHAR));
-        ret.put("column", new RangerResourceNameParser("database/table/column", RRN_RESOURCE_SEP_CHAR));
-        ret.put("udf", new RangerResourceNameParser("database/udf", RRN_RESOURCE_SEP_CHAR));
-        ret.put("url", new RangerResourceNameParser("url", RRN_RESOURCE_SEP_CHAR));
-        ret.put("hiveservice", new RangerResourceNameParser("hiveservice", RRN_RESOURCE_SEP_CHAR));
-        ret.put("global", new RangerResourceNameParser("global", RRN_RESOURCE_SEP_CHAR));
+        ret.put("database", new RangerResourceNameParser("database"));
+        ret.put("table", new RangerResourceNameParser("database/table"));
+        ret.put("column", new RangerResourceNameParser("database/table/column"));
+        ret.put("udf", new RangerResourceNameParser("database/udf"));
+        ret.put("url", new RangerResourceNameParser("url"));
+        ret.put("hiveservice", new RangerResourceNameParser("hiveservice"));
+        ret.put("global", new RangerResourceNameParser("global"));
 
         return ret;
     }
 
     private static Map<String, RangerResourceNameParser> getS3Templates() throws Exception {
         Map<String, RangerResourceNameParser> ret = new HashMap<>();
 
-        ret.put("bucket", new RangerResourceNameParser("bucket", RRN_RESOURCE_SEP_CHAR));
-        ret.put("path", new RangerResourceNameParser("bucket/path", RRN_RESOURCE_SEP_CHAR));
+        ret.put("bucket", new RangerResourceNameParser("bucket"));
+        ret.put("path", new RangerResourceNameParser("bucket/path"));
 
         return ret;
     }
 
     private static Map<String, RangerResourceNameParser> getAdlsGen2Templates() throws Exception {
         Map<String, RangerResourceNameParser> ret = new HashMap<>();
 
-        ret.put("container", new RangerResourceNameParser("storageaccount/container", RRN_RESOURCE_SEP_CHAR));
-        ret.put("relativepath", new RangerResourceNameParser("storageaccount/container/relativepath", RRN_RESOURCE_SEP_CHAR));
+        ret.put("container", new RangerResourceNameParser("storageaccount/container"));
+        ret.put("relativepath", new RangerResourceNameParser("storageaccount/container/relativepath"));
 
         return ret;
     }
 
     private static Map<String, RangerResourceNameParser> getTrinoTemplates() throws Exception {
         Map<String, RangerResourceNameParser> ret = new HashMap<>();
 
-        ret.put("catalog", new RangerResourceNameParser("catalog", RRN_RESOURCE_SEP_CHAR));
-        ret.put("schema", new RangerResourceNameParser("catalog/schema", RRN_RESOURCE_SEP_CHAR));
-        ret.put("table", new RangerResourceNameParser("catalog/schema/table", RRN_RESOURCE_SEP_CHAR));
-        ret.put("column", new RangerResourceNameParser("catalog/schema/table/column", RRN_RESOURCE_SEP_CHAR));
-        ret.put("trinouser", new RangerResourceNameParser("trinouser", RRN_RESOURCE_SEP_CHAR));
-        ret.put("systemproperty", new RangerResourceNameParser("systemproperty", RRN_RESOURCE_SEP_CHAR));
-        ret.put("sessionproperty", new RangerResourceNameParser("catalog/sessionproperty", RRN_RESOURCE_SEP_CHAR));
-        ret.put("function", new RangerResourceNameParser("function", RRN_RESOURCE_SEP_CHAR));
-        ret.put("procedure", new RangerResourceNameParser("catalog/schema/procedure", RRN_RESOURCE_SEP_CHAR));
-        ret.put("schemafunction", new RangerResourceNameParser("catalog/schema/schemafunction", RRN_RESOURCE_SEP_CHAR));
-        ret.put("queryid", new RangerResourceNameParser("queryid", RRN_RESOURCE_SEP_CHAR));
-        ret.put("sysinfo", new RangerResourceNameParser("sysinfo", RRN_RESOURCE_SEP_CHAR));
-        ret.put("role", new RangerResourceNameParser("role", RRN_RESOURCE_SEP_CHAR));
+        ret.put("catalog", new RangerResourceNameParser("catalog"));
+        ret.put("schema", new RangerResourceNameParser("catalog/schema"));
+        ret.put("table", new RangerResourceNameParser("catalog/schema/table"));
+        ret.put("column", new RangerResourceNameParser("catalog/schema/table/column"));
+        ret.put("trinouser", new RangerResourceNameParser("trinouser"));
+        ret.put("systemproperty", new RangerResourceNameParser("systemproperty"));
+        ret.put("sessionproperty", new RangerResourceNameParser("catalog/sessionproperty"));
+        ret.put("function", new RangerResourceNameParser("function"));
+        ret.put("procedure", new RangerResourceNameParser("catalog/schema/procedure"));
+        ret.put("schemafunction", new RangerResourceNameParser("catalog/schema/schemafunction"));
+        ret.put("queryid", new RangerResourceNameParser("queryid"));
+        ret.put("sysinfo", new RangerResourceNameParser("sysinfo"));
+        ret.put("role", new RangerResourceNameParser("role"));
 
         return ret;
     }