ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Abhay Kulkarni" <akulka...@hortonworks.com>
Subject Re: Review Request 39103: RANGER-683: access should not be be allowed if denied by either a tag-based policy or a resource-based policy
Date Wed, 07 Oct 2015 23:24:54 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/39103/#review101827
-----------------------------------------------------------



agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
(line 333)
<https://reviews.apache.org/r/39103/#comment159323>

    If isAuditedDetermined is true at this point, then the auditCache is bypassed, i.e. cacheing
of the result of audit will not be done. Will we ever need to cache this as an optimization?



agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
(line 419)
<https://reviews.apache.org/r/39103/#comment159324>

    getIsAudited() and setIsAudited() is generally not used anywhere in the code. Any specific
reason for using those APIs here?



agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 
<https://reviews.apache.org/r/39103/#comment159326>

    Can these headers to kept around? I have some commented out code in this file which I
sometimes use to set up configuration properties. That code requires these headers.



agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json (line 121)
<https://reviews.apache.org/r/39103/#comment159336>

    td->ta



agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json (line 138)
<https://reviews.apache.org/r/39103/#comment159337>

    remove enforce_expiry


- Abhay Kulkarni


On Oct. 7, 2015, 9:05 p.m., Madhan Neethiraj wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/39103/
> -----------------------------------------------------------
> 
> (Updated Oct. 7, 2015, 9:05 p.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Selvamohan
Neethiraj, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-683
>     https://issues.apache.org/jira/browse/RANGER-683
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Fixed the earlier implementation that allowed access if the user has permission for the
tag even though a resource-based policy denied the access
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
5d1140b 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
1764b60 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
a118466 
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
d7801b9 
>   agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json ed42d5c

> 
> Diff: https://reviews.apache.org/r/39103/diff/
> 
> 
> Testing
> -------
> 
> - added unit tests to cover the following combinations:
> 
> -------------------------------------------
> | Resource-policy | Tag-policy | Result    |
> |-----------------|------------|-----------|
> | Allowed         |  Allowed   | Allowed   |
> |-----------------|------------|-----------|
> | Allowed         |  Denied    | Denied    |
> |-----------------|------------|-----------|
> | Allowed         |  No policy | Allowed   |
> |-----------------|------------|-----------|
> | Denied          |  Allowed   | Denied    |
> |-----------------|------------|-----------|
> | Denied          |  Denied    | Denied    |
> |-----------------|------------|-----------|
> | Denied          |  No policy | Denied    |
> |-----------------|------------|-----------|
> | No policy       |  Allowed   | Allowed   |
> |-----------------|------------|-----------|
> | No policy       |  Denied    | Denied    |
> |-----------------|------------|-----------|
> | No policy       |  No policy | No result |
> |-----------------|------------|-----------|
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message