-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69703/
-----------------------------------------------------------

(Updated Jan. 23, 2019, 7:39 p.m.)

Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep
Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.

Changes
-------

Fixed Security Zone validation code and merged with master branch

Bugs: RANGER-2232
    https://issues.apache.org/jira/browse/RANGER-2232

Repository: ranger

Description
-------

This is to introduce a new abstraction in Apache Ranger that would allow carving/bucketing
of resources in a service into multiple zones, for better administration of security policies.
This would enable multiple administrators to set up security policies for a service – based
on the zones to which they have been granted administration rights.

For example, let us consider 2 security zones ‘finance’ and ‘sales’:
  - Security zone ‘finance’ includes all contents in the Hive database named ‘finance’
  - Security zone ‘sales’ includes all contents in the ‘sales’ database
  - A set of users and groups is designated as administrators of each zone
  - Users are allowed to set up policies only in zones in which they are administrators
  - Policies defined in a zone are applicable only for resources of the zone

A zone can be extended to include resources from multiple services like HDFS, Hive, HBase,
Kafka, ..., allowing administrators of a zone to set up policies for resources owned by their
organization across multiple services.

Audit logs will include the name of the zone in which the accessed resource resides. Only users
having appropriate permissions on the security zone can view its audit logs.

Diffs (updated)
-----

agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java 329e2f0b7
agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 8d71851e8
agents-audit/src/main/java/org/apache/ranger/audit/provider/solr/SolrAuditProvider.java 26633fd6e
agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java b8da19215
agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 9b9ccd112
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java c2185a7f1
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java b56b8dd4b
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZone.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java ddedf3e17
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java 51324b093
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerZoneResourceMatcher.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java 891749d03
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 8e7844f5d
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java e6c0e5a94
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ab26d41d6
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java f64e773ac
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java c1b29d3fa
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java b898d292c
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 7221f6b15
agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java 7446df604
agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZonePredicateUtil.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZoneStore.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java 9924cb4c4
agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java f4fe58993
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java efb27aafa
agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 33f82dd34
agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java 1ae3fc387
agents-common/src/test/java/org/apache/ranger/plugin/model/TestRangerPolicyResourceSignature.java 38c425dc6
agents-common/src/test/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidatorTest.java PRE-CREATION
hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java 74293fb4a
hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java ddb6d9b82
knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java 814aedd20
plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 07921a99a
plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java d89b46787
security-admin/contrib/solr_for_audit_setup/conf/managed-schema 6c87af7cf
security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 9af2c8f57
security-admin/db/mysql/patches/037-add-column-zone-in-x_policy_export_audit.sql PRE-CREATION
security-admin/db/mysql/patches/038-create-security-zone-schema.sql PRE-CREATION
security-admin/db/mysql/patches/039-update-permissionmodel.sql PRE-CREATION
security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 98c45b05d
security-admin/db/oracle/patches/037-add-column-zone-in-x_policy_export_audit.sql PRE-CREATION
security-admin/db/oracle/patches/038-create-security-zone-schema.sql PRE-CREATION
security-admin/db/oracle/patches/039-update-permissionmodel.sql PRE-CREATION
security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 2ed8cb02c
security-admin/db/postgres/patches/037-add-column-zone-in-x_policy_export_audit.sql PRE-CREATION
security-admin/db/postgres/patches/038-create-security-zone-schema.sql PRE-CREATION
security-admin/db/postgres/patches/039-update-permissionmodel.sql PRE-CREATION
security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql c8a3ba14a
security-admin/db/sqlanywhere/patches/037-add-column-zone-in-x_policy_export_audit.sql PRE-CREATION
security-admin/db/sqlanywhere/patches/038-create-security-zone-schema.sql PRE-CREATION
security-admin/db/sqlanywhere/patches/039-update-permissionmodel.sql PRE-CREATION
security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 230c50b02
security-admin/db/sqlserver/patches/037-add-column-zone-in-x_policy_export_audit.sql PRE-CREATION
security-admin/db/sqlserver/patches/038-create-security-zone-schema.sql PRE-CREATION
security-admin/db/sqlserver/patches/039-update-permissionmodel.sql PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java 36a7b4bfa
security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneRefUpdater.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java f2d61d348
security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 88b8f8db3
security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 032e5f0da
security-admin/src/main/java/org/apache/ranger/common/RangerConstants.java 88509a618
security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 7b0fd8766
security-admin/src/main/java/org/apache/ranger/common/RangerValidatorFactory.java 4b149e4ec
security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 5cecef14c
security-admin/src/main/java/org/apache/ranger/db/XXGlobalStateDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java b4f868709
security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefGroupDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefResourceDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefUserDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXGlobalState.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXGlobalStateBase.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXPolicyBase.java e441ec0e5
security-admin/src/main/java/org/apache/ranger/entity/XXPolicyExportAudit.java 1545e047d
security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZone.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneBase.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefGroup.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefResource.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefService.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefUser.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/patch/PatchAssignSecurityZonePersmissionToAdmin_J10026.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java 50dc17826
security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 0b854d0d7
security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java b2213ed76
security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java 08baf8907
security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 6ab12adcb
security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneService.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneServiceBase.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/service/RangerTagDefService.java 10c73f0d2
security-admin/src/main/java/org/apache/ranger/service/RangerTagService.java 2fa883096
security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java 4c8ed83b6
security-admin/src/main/java/org/apache/ranger/service/XAssetService.java 132879a63
security-admin/src/main/java/org/apache/ranger/service/XAuditMapService.java 09fd963d4
security-admin/src/main/java/org/apache/ranger/service/XGroupService.java 3009d36c2
security-admin/src/main/java/org/apache/ranger/service/XPermMapService.java 866448465
security-admin/src/main/java/org/apache/ranger/service/XPolicyExportAuditServiceBase.java a25cfc17f
security-admin/src/main/java/org/apache/ranger/service/XResourceService.java b3e7bd7d7
security-admin/src/main/java/org/apache/ranger/service/XTrxLogService.java e940df250
security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java 7f3d0c70d
security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoServiceBase.java 78e4c57ac
security-admin/src/main/java/org/apache/ranger/service/XUserService.java fbc37d642
security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java 593634ba6
security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java f6689c168
security-admin/src/main/java/org/apache/ranger/view/VXPolicyExportAudit.java ce5a21e06
security-admin/src/main/resources/META-INF/jpa_named_queries.xml be51592ec
security-admin/src/main/webapp/images/defult_zone.png PRE-CREATION
security-admin/src/main/webapp/scripts/collection_bases/RangerZoneListBase.js PRE-CREATION
security-admin/src/main/webapp/scripts/collections/RangerZoneList.js PRE-CREATION
security-admin/src/main/webapp/scripts/controllers/Controller.js 92dac6abc
security-admin/src/main/webapp/scripts/model_bases/RangerZoneBase.js PRE-CREATION
security-admin/src/main/webapp/scripts/models/RangerPolicy.js e406e1810
security-admin/src/main/webapp/scripts/models/RangerPolicyResource.js 853e62b38
security-admin/src/main/webapp/scripts/models/RangerServiceDef.js d008f40b3
security-admin/src/main/webapp/scripts/models/RangerZone.js PRE-CREATION
security-admin/src/main/webapp/scripts/modules/XALinks.js 060ab364c
security-admin/src/main/webapp/scripts/modules/globalize/message/en.js 34e3387c8
security-admin/src/main/webapp/scripts/routers/Router.js c8391e6ec
security-admin/src/main/webapp/scripts/utils/XAEnums.js ea8054571
security-admin/src/main/webapp/scripts/utils/XAGlobals.js 7b1b1b560
security-admin/src/main/webapp/scripts/utils/XAUtils.js d85dc7aee
security-admin/src/main/webapp/scripts/views/DownloadServicePolicy.js 8f9dfe50a
security-admin/src/main/webapp/scripts/views/UploadServicePolicy.js 62a1fcff2
security-admin/src/main/webapp/scripts/views/common/TopNav.js 0f4a70896
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 9588fb75d
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js 6c0cf3641
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 3a6a59efe
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js 90ad83ebe
security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 8a8e94a0f
security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 886815d84
security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js e9ce7d483
security-admin/src/main/webapp/scripts/views/security_zone/SecurityZone.js PRE-CREATION
security-admin/src/main/webapp/scripts/views/security_zone/ZoneAdministration.js PRE-CREATION
security-admin/src/main/webapp/scripts/views/security_zone/ZoneCreate.js PRE-CREATION
security-admin/src/main/webapp/scripts/views/security_zone/ZoneCreateForm.js PRE-CREATION
security-admin/src/main/webapp/scripts/views/security_zone/ZoneResourceForm.js PRE-CREATION
security-admin/src/main/webapp/scripts/views/security_zone/zoneResource.js PRE-CREATION
security-admin/src/main/webapp/styles/xa.css c601d54af
security-admin/src/main/webapp/templates/common/ServiceManagerLayout_tmpl.html d4d19a606
security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 31a9c2656
security-admin/src/main/webapp/templates/helpers/XAHelpers.js 9e2c02b04
security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html b7666f926
security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html 6566d53e8
security-admin/src/main/webapp/templates/reports/ZoneOperationDiff_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/reports/ZoneUpdateOperationDiff_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/security_zone/SecurityZone_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/security_zone/ZoneAdministration_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/security_zone/ZoneCreateForm_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/security_zone/ZoneCreate_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/security_zone/ZoneResourceForm_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/security_zone/ZoneResourceItem_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/security_zone/ZoneResourceList_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/security_zone/ZoneResourcesForm_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/security_zone/ZoneResources_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/service/ServiceCreate_tmpl.html dff0b666c
security-admin/src/test/java/org/apache/ranger/biz/TestSecurityZoneDBStore.java PRE-CREATION
security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java 8054d1e2e
security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java PRE-CREATION
security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 0196e24a0
storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java 88ea05e9d

Diff: https://reviews.apache.org/r/69703/diff/3/
Changes: https://reviews.apache.org/r/69703/diff/2-3/

Testing
-------

Tested with a local VM, for CRUD of security zones, creation of policies for a security zone
and access evaluation for a resource within a specific security zone in the Hive plugin.

Thanks,
Abhay Kulkarni
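
The zone rules in the description above, modelled as a small added example (not code from the Ranger patch or from its author). The class and function names, the glob-style resource patterns, the sample users and the rejection of resources claimed by more than one zone are all assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Zone:
    name: str
    admins: set       # users allowed to manage policies in this zone
    resources: dict   # service name -> list of glob patterns (assumed syntax)

    def contains(self, service, resource):
        return any(fnmatchcase(resource, p) for p in self.resources.get(service, []))

# Constructed sample data following the 'finance' / 'sales' example in the description.
ZONES = [
    Zone("finance", {"alice"}, {"hive": ["finance.*"], "hdfs": ["/data/finance/*"]}),
    Zone("sales", {"bob"}, {"hive": ["sales.*"]}),
]

def zone_of(zones, service, resource):
    """Return the zone a resource resides in, or None if it is in no zone."""
    hits = [z for z in zones if z.contains(service, resource)]
    if len(hits) > 1:  # assumption: a resource may belong to at most one zone
        raise ValueError(f"{service}:{resource} is claimed by {[z.name for z in hits]}")
    return hits[0] if hits else None

def can_create_policy(zones, user, zone_name, service, resource):
    """Allow a policy only if the user administers the zone and the resource is in it."""
    zone = next((z for z in zones if z.name == zone_name), None)
    if zone is None or user not in zone.admins:
        return False
    return zone_of(zones, service, resource) is zone

def audit_event(zones, user, service, resource, allowed):
    """Build an audit record that carries the name of the resource's zone."""
    zone = zone_of(zones, service, resource)
    return {"user": user, "service": service, "resource": resource,
            "allowed": allowed, "zone": zone.name if zone else ""}

if __name__ == "__main__":
    for user, zname, res in [("alice", "finance", "finance.payroll"),
                             ("alice", "sales", "sales.leads"),
                             ("bob", "sales", "finance.payroll")]:
        print(user, zname, res, can_create_policy(ZONES, user, zname, "hive", res))
    print(audit_event(ZONES, "carol", "hdfs", "/data/finance/q4.csv", False))
```

The third case is the one worth checking in any real implementation: a legitimate zone administrator trying to attach a policy to a resource that resides in a different zone.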