ranger-dev mailing list archives

From Madhan Neethiraj <mad...@apache.org>
Subject Re: Review Request 69703: RANGER-2232: Security Zones feature in Apache Ranger
Date Sat, 26 Jan 2019 19:39:59 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69703/#review212359
-----------------------------------------------------------


Fix it, then Ship it!





agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
Line 127 (original), 130 (patched)
<https://reviews.apache.org/r/69703/#comment298134>

    Consider retaining existing constructor - to avoid breaking existing usage:
    
    public AuthzAuditEvent(int repositoryType, String repositoryName,
            String user, Date eventTime, String accessType,
            String resourcePath, String resourceType, String action,
            short accessResult, String agentId, long policyId,
            String resultReason, String aclEnforcer, String sessionId,
            String clientType, String clientIP, String requestData, String clusterName) {
        this(repositoryType, repositoryName, user, eventTime, accessType, resourcePath, resourceType,
                action, accessResult, agentId, policyId, resultReason, aclEnforcer, sessionId, clientType,
                clientIP, requestData, clusterName, null);
    }
    
    Please review and update other such constructor changes - like RangerPolicy.



hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
Line 620 (original), 620 (patched)
<https://reviews.apache.org/r/69703/#comment298141>

    This file has only whitespace changes. Please consider reverting this.



knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
Line 57 (original), 57 (patched)
<https://reviews.apache.org/r/69703/#comment298139>

    This file has only whitespace changes. Please consider reverting this.



plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
Line 217 (original), 217 (patched)
<https://reviews.apache.org/r/69703/#comment298140>

    This file seems to have only whitespace changes. Please consider reverting this.



security-admin/src/main/webapp/templates/service/ServiceCreate_tmpl.html
Line 31 (original), 31 (patched)
<https://reviews.apache.org/r/69703/#comment298138>

    Only change is addition of a comment? Please review and consider reverting this.



storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java
Line 38 (original), 38 (patched)
<https://reviews.apache.org/r/69703/#comment298137>

    This file has only whitespace changes. Please consider reverting the changes.


- Madhan Neethiraj


On Jan. 25, 2019, 5:51 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69703/
> -----------------------------------------------------------
> 
> (Updated Jan. 25, 2019, 5:51 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2232
>     https://issues.apache.org/jira/browse/RANGER-2232
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> This is to introduce a new abstraction in Apache Ranger that would allow carving/bucketing of resources in a service into multiple zones, for better administration of security policies. This would enable multiple administrators to set up security policies for a service – based on the zones to which they have been granted administration rights.
> 
> For example, let us consider 2 security zones ‘finance’ and ‘sales’:
> 
> Security zone ‘finance’ includes all contents in Hive database named ‘finance’
> Security zone ‘sales’ includes all contents in ‘sales’ database
> Set of users and groups are designated as administrators of each zone
> Users are allowed to set up policies only in zones in which they are administrators
> Policies defined in a zone are applicable only for resources of the zone
> A zone can be extended to include resources from multiple services like HDFS, Hive, HBase, Kafka, .., allowing administrators of a zone to set up policies for resources owned by their organization across multiple services.
> Audit logs will include name of the zone in which the accessed resource resides. Only users having appropriate permissions on the security zone can view its audit logs.
> 
> 
> Diffs
> -----
> 
>   agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java 329e2f0b7
>   agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 8d71851e8
>   agents-audit/src/main/java/org/apache/ranger/audit/provider/solr/SolrAuditProvider.java 26633fd6e
>   agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java b8da19215
>   agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 9b9ccd112
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java c2185a7f1
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java b56b8dd4b
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZone.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java ddedf3e17
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java 51324b093
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerZoneResourceMatcher.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java 891749d03
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 8e7844f5d
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java e6c0e5a94
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ab26d41d6
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java f64e773ac
>   agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java c1b29d3fa
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java b898d292c
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 7221f6b15
>   agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java 7446df604
>   agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZonePredicateUtil.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZoneStore.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java 9924cb4c4
>   agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java f4fe58993
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java efb27aafa
>   agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 33f82dd34
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java 1ae3fc387
>   agents-common/src/test/java/org/apache/ranger/plugin/model/TestRangerPolicyResourceSignature.java 38c425dc6
>   agents-common/src/test/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidatorTest.java PRE-CREATION
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java 74293fb4a
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java ddb6d9b82
>   knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java 814aedd20
>   plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 07921a99a
>   plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java d89b46787
>   security-admin/contrib/solr_for_audit_setup/conf/managed-schema 6c87af7cf
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 9af2c8f57
>   security-admin/db/mysql/patches/037-create-security-zone-schema.sql PRE-CREATION
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql eaa0b4f43
>   security-admin/db/oracle/patches/037-create-security-zone-schema.sql PRE-CREATION
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 2ed8cb02c
>   security-admin/db/postgres/patches/037-create-security-zone-schema.sql PRE-CREATION
>   security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql c8a3ba14a
>   security-admin/db/sqlanywhere/patches/037-create-security-zone-schema.sql PRE-CREATION
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 230c50b02
>   security-admin/db/sqlserver/patches/037-create-security-zone-schema.sql PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java 36a7b4bfa
>   security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneRefUpdater.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java f2d61d348
>   security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 88b8f8db3
>   security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 032e5f0da
>   security-admin/src/main/java/org/apache/ranger/common/RangerConstants.java 88509a618
>   security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 7b0fd8766
>   security-admin/src/main/java/org/apache/ranger/common/RangerValidatorFactory.java 4b149e4ec
>   security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 5cecef14c
>   security-admin/src/main/java/org/apache/ranger/db/XXGlobalStateDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java b4f868709
>   security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefGroupDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefResourceDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefUserDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXGlobalState.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXGlobalStateBase.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXPolicyBase.java e441ec0e5
>   security-admin/src/main/java/org/apache/ranger/entity/XXPolicyExportAudit.java 1545e047d
>   security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZone.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneBase.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefGroup.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefResource.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefService.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefUser.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/patch/PatchAssignSecurityZonePersmissionToAdmin_J10026.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java 50dc17826
>   security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 0b854d0d7
>   security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java b2213ed76
>   security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java 08baf8907
>   security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 6ab12adcb
>   security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneService.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneServiceBase.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/service/RangerTagDefService.java 10c73f0d2
>   security-admin/src/main/java/org/apache/ranger/service/RangerTagService.java 2fa883096
>   security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java 4c8ed83b6
>   security-admin/src/main/java/org/apache/ranger/service/XAssetService.java 132879a63
>   security-admin/src/main/java/org/apache/ranger/service/XAuditMapService.java 09fd963d4
>   security-admin/src/main/java/org/apache/ranger/service/XGroupService.java 3009d36c2
>   security-admin/src/main/java/org/apache/ranger/service/XPermMapService.java 866448465
>   security-admin/src/main/java/org/apache/ranger/service/XPolicyExportAuditServiceBase.java a25cfc17f
>   security-admin/src/main/java/org/apache/ranger/service/XResourceService.java b3e7bd7d7
>   security-admin/src/main/java/org/apache/ranger/service/XTrxLogService.java e940df250
>   security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java 7f3d0c70d
>   security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoServiceBase.java 78e4c57ac
>   security-admin/src/main/java/org/apache/ranger/service/XUserService.java fbc37d642
>   security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java 593634ba6
>   security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java f6689c168
>   security-admin/src/main/java/org/apache/ranger/view/VXPolicyExportAudit.java ce5a21e06
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml be51592ec
>   security-admin/src/main/webapp/images/defult_zone.png PRE-CREATION
>   security-admin/src/main/webapp/scripts/collection_bases/RangerZoneListBase.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/collections/RangerZoneList.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/controllers/Controller.js 92dac6abc
>   security-admin/src/main/webapp/scripts/model_bases/RangerZoneBase.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/models/RangerPolicy.js e406e1810
>   security-admin/src/main/webapp/scripts/models/RangerPolicyResource.js 853e62b38
>   security-admin/src/main/webapp/scripts/models/RangerServiceDef.js d008f40b3
>   security-admin/src/main/webapp/scripts/models/RangerZone.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/modules/XALinks.js 060ab364c
>   security-admin/src/main/webapp/scripts/modules/globalize/message/en.js 34e3387c8
>   security-admin/src/main/webapp/scripts/routers/Router.js c8391e6ec
>   security-admin/src/main/webapp/scripts/utils/XAEnums.js ea8054571
>   security-admin/src/main/webapp/scripts/utils/XAGlobals.js 7b1b1b560
>   security-admin/src/main/webapp/scripts/utils/XAUtils.js d85dc7aee
>   security-admin/src/main/webapp/scripts/views/DownloadServicePolicy.js 8f9dfe50a
>   security-admin/src/main/webapp/scripts/views/UploadServicePolicy.js 62a1fcff2
>   security-admin/src/main/webapp/scripts/views/common/TopNav.js 0f4a70896
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 9588fb75d
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js 6c0cf3641
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 3a6a59efe
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js 90ad83ebe
>   security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 8a8e94a0f
>   security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 886815d84
>   security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js e9ce7d483
>   security-admin/src/main/webapp/scripts/views/security_zone/SecurityZone.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/views/security_zone/ZoneAdministration.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/views/security_zone/ZoneCreate.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/views/security_zone/ZoneCreateForm.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/views/security_zone/ZoneResourceForm.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/views/security_zone/zoneResource.js PRE-CREATION
>   security-admin/src/main/webapp/styles/xa.css c601d54af
>   security-admin/src/main/webapp/templates/common/ServiceManagerLayout_tmpl.html d4d19a606
>   security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 31a9c2656
>   security-admin/src/main/webapp/templates/helpers/XAHelpers.js 9e2c02b04
>   security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html b7666f926
>   security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html 6566d53e8
>   security-admin/src/main/webapp/templates/reports/ZoneOperationDiff_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/reports/ZoneUpdateOperationDiff_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/security_zone/SecurityZone_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/security_zone/ZoneAdministration_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/security_zone/ZoneCreateForm_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/security_zone/ZoneCreate_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/security_zone/ZoneResourceForm_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/security_zone/ZoneResourceItem_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/security_zone/ZoneResourceList_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/security_zone/ZoneResourcesForm_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/security_zone/ZoneResources_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/service/ServiceCreate_tmpl.html dff0b666c
>   security-admin/src/test/java/org/apache/ranger/biz/TestSecurityZoneDBStore.java PRE-CREATION
>   security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java 8054d1e2e
>   security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java PRE-CREATION
>   security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 0196e24a0
>   storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java 88ea05e9d
> 
> 
> Diff: https://reviews.apache.org/r/69703/diff/4/
> 
> 
> Testing
> -------
> 
> Tested with a local VM, for CRUD of security zones, creation of policies for a security zone and access evaluation for a resource within specific security zone in hive plugin.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>
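
The zone rules in the quoted description (administrators limited to their own zones, policies applying only inside their zone, the zone name carried in the audit record), modelled as an added example; this is not code from the review request or from Apache Ranger. The class, record and method names, the prefix matching and the deny for a resource that belongs to no zone are assumptions.

```java
import java.util.*;

// Constructed model of the zone rules quoted above; every name here is
// hypothetical and none of this is Apache Ranger code.
public class SecurityZoneSketch {
    record Zone(String name, Map<String, Set<String>> roots, Set<String> admins) {
        // A zone owns a root resource and everything under it ("finance", "finance.payroll").
        boolean owns(String service, String resource) {
            return roots.getOrDefault(service, Set.of()).stream().anyMatch(r ->
                resource.equals(r) || resource.startsWith(r + ".") || resource.startsWith(r + "/"));
        }
    }
    record Policy(String zone, String service, String resource, Set<String> users) {}
    record Audit(String user, String resource, boolean allowed, String zone) {}

    final List<Zone> zones = new ArrayList<>();
    final List<Policy> policies = new ArrayList<>();

    Optional<Zone> zoneOf(String service, String resource) {
        return zones.stream().filter(z -> z.owns(service, resource)).findFirst();
    }

    // Only a zone's administrators may add policies, and only for resources inside that zone.
    void addPolicy(String admin, Policy p) {
        Zone z = zones.stream().filter(x -> x.name().equals(p.zone())).findFirst()
            .orElseThrow(() -> new IllegalArgumentException("unknown zone " + p.zone()));
        if (!z.admins().contains(admin))
            throw new SecurityException(admin + " is not an administrator of zone " + z.name());
        if (!z.owns(p.service(), p.resource()))
            throw new IllegalArgumentException(p.resource() + " is outside zone " + z.name());
        policies.add(p);
    }

    // Evaluate only the policies of the zone that owns the resource and record that zone
    // in the audit event. Assumption: a resource in no zone is denied in this model.
    Audit check(String user, String service, String resource) {
        String zone = zoneOf(service, resource).map(Zone::name).orElse(null);
        boolean allowed = zone != null && policies.stream().anyMatch(p ->
            p.zone().equals(zone) && p.service().equals(service)
                && (resource.equals(p.resource()) || resource.startsWith(p.resource() + "."))
                && p.users().contains(user));
        return new Audit(user, resource, allowed, zone);
    }

    public static void main(String[] args) {
        SecurityZoneSketch s = new SecurityZoneSketch();
        // Constructed sample data: the two zones from the description, one admin each.
        s.zones.add(new Zone("finance", Map.of("hive", Set.of("finance")), Set.of("fin-admin")));
        s.zones.add(new Zone("sales", Map.of("hive", Set.of("sales")), Set.of("sales-admin")));
        s.addPolicy("fin-admin", new Policy("finance", "hive", "finance", Set.of("alice")));
        System.out.println(s.check("alice", "hive", "finance.payroll")); // resource in zone finance
        System.out.println(s.check("alice", "hive", "sales.leads"));     // resource in zone sales
        try {
            // A finance administrator attempting to write a policy into the sales zone.
            s.addPolicy("fin-admin", new Policy("sales", "hive", "sales", Set.of("alice")));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```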

