-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69703/#review212364
-----------------------------------------------------------
Ship it!
- Madhan Neethiraj
On Jan. 27, 2019, 12:10 a.m., Abhay Kulkarni wrote:
>
>
> (Updated Jan. 27, 2019, 12:10 a.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave,
> Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2232
> https://issues.apache.org/jira/browse/RANGER-2232
>
>
> Repository: ranger
>
>
> Description
> -------
>
> This is to introduce a new abstraction in Apache Ranger that would allow carving/bucketing
> of resources in a service into multiple zones, for better administration of security policies.
> This would enable multiple administrators to set up security policies for a service – based
> on the zones to which they have been granted administration rights.
>
> For example, let us consider 2 security zones ‘finance’ and ‘sales’:
>
> Security zone ‘finance’ includes all contents in Hive database named ‘finance’
> Security zone ‘sales’ includes all contents in ‘sales’ database
> Set of users and groups are designated as administrators of each zone
> Users are allowed to set up policies only in zones in which they are administrators
> Policies defined in a zone are applicable only for resources of the zone
> A zone can be extended to include resources from multiple services like HDFS, Hive, HBase,
> Kafka, .., allowing administrators of a zone to set up policies for resources owned by their
> organization across multiple services.
> Audit logs will include name of the zone in which the accessed resource resides. Only
> users having appropriate permissions on the security zone can view its audit logs.
>
>
> Diffs
> -----
>
> agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java 329e2f0b7
> agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 8d71851e8
> agents-audit/src/main/java/org/apache/ranger/audit/provider/solr/SolrAuditProvider.java 26633fd6e
> agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java b8da19215
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 9b9ccd112
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java c2185a7f1
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java b56b8dd4b
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZone.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java ddedf3e17
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java 51324b093
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerZoneResourceMatcher.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java 891749d03
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 8e7844f5d
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java e6c0e5a94
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ab26d41d6
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java f64e773ac
> agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java c1b29d3fa
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java b898d292c
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 7221f6b15
> agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java 7446df604
> agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZonePredicateUtil.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZoneStore.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java 9924cb4c4
> agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java f4fe58993
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java efb27aafa
> agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 33f82dd34
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java 1ae3fc387
> agents-common/src/test/java/org/apache/ranger/plugin/model/TestRangerPolicyResourceSignature.java 38c425dc6
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidatorTest.java PRE-CREATION
> hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java 74293fb4a
> plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java d89b46787
> security-admin/contrib/solr_for_audit_setup/conf/managed-schema 6c87af7cf
> security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 9af2c8f57
> security-admin/db/mysql/patches/037-create-security-zone-schema.sql PRE-CREATION
> security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql eaa0b4f43
> security-admin/db/oracle/patches/037-create-security-zone-schema.sql PRE-CREATION
> security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 2ed8cb02c
> security-admin/db/postgres/patches/037-create-security-zone-schema.sql PRE-CREATION
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql c8a3ba14a
> security-admin/db/sqlanywhere/patches/037-create-security-zone-schema.sql PRE-CREATION
> security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 230c50b02
> security-admin/db/sqlserver/patches/037-create-security-zone-schema.sql PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java 36a7b4bfa
> security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneRefUpdater.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java f2d61d348
> security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 88b8f8db3
> security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 032e5f0da
> security-admin/src/main/java/org/apache/ranger/common/RangerConstants.java 88509a618
> security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 7b0fd8766
> security-admin/src/main/java/org/apache/ranger/common/RangerValidatorFactory.java 4b149e4ec
> security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 5cecef14c
> security-admin/src/main/java/org/apache/ranger/db/XXGlobalStateDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java b4f868709
> security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefGroupDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefResourceDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefUserDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXGlobalState.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXGlobalStateBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXPolicyBase.java e441ec0e5
> security-admin/src/main/java/org/apache/ranger/entity/XXPolicyExportAudit.java 1545e047d
> security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZone.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefGroup.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefResource.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefService.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefUser.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/patch/PatchAssignSecurityZonePersmissionToAdmin_J10026.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java 50dc17826
> security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 0b854d0d7
> security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java b2213ed76
> security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java 08baf8907
> security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 6ab12adcb
> security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneService.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneServiceBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/service/RangerTagDefService.java 10c73f0d2
> security-admin/src/main/java/org/apache/ranger/service/RangerTagService.java 2fa883096
> security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java 4c8ed83b6
> security-admin/src/main/java/org/apache/ranger/service/XAssetService.java 132879a63
> security-admin/src/main/java/org/apache/ranger/service/XAuditMapService.java 09fd963d4
> security-admin/src/main/java/org/apache/ranger/service/XGroupService.java 3009d36c2
> security-admin/src/main/java/org/apache/ranger/service/XPermMapService.java 866448465
> security-admin/src/main/java/org/apache/ranger/service/XPolicyExportAuditServiceBase.java a25cfc17f
> security-admin/src/main/java/org/apache/ranger/service/XResourceService.java b3e7bd7d7
> security-admin/src/main/java/org/apache/ranger/service/XTrxLogService.java e940df250
> security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java 7f3d0c70d
> security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoServiceBase.java 78e4c57ac
> security-admin/src/main/java/org/apache/ranger/service/XUserService.java fbc37d642
> security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java 593634ba6
> security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java f6689c168
> security-admin/src/main/java/org/apache/ranger/view/VXPolicyExportAudit.java ce5a21e06
> security-admin/src/main/resources/META-INF/jpa_named_queries.xml be51592ec
> security-admin/src/main/webapp/images/defult_zone.png PRE-CREATION
> security-admin/src/main/webapp/scripts/collection_bases/RangerZoneListBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/collections/RangerZoneList.js PRE-CREATION
> security-admin/src/main/webapp/scripts/controllers/Controller.js 92dac6abc
> security-admin/src/main/webapp/scripts/model_bases/RangerZoneBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/models/RangerPolicy.js e406e1810
> security-admin/src/main/webapp/scripts/models/RangerPolicyResource.js 853e62b38
> security-admin/src/main/webapp/scripts/models/RangerServiceDef.js d008f40b3
> security-admin/src/main/webapp/scripts/models/RangerZone.js PRE-CREATION
> security-admin/src/main/webapp/scripts/modules/XALinks.js 060ab364c
> security-admin/src/main/webapp/scripts/modules/globalize/message/en.js 34e3387c8
> security-admin/src/main/webapp/scripts/routers/Router.js c8391e6ec
> security-admin/src/main/webapp/scripts/utils/XAEnums.js ea8054571
> security-admin/src/main/webapp/scripts/utils/XAGlobals.js 7b1b1b560
> security-admin/src/main/webapp/scripts/utils/XAUtils.js d85dc7aee
> security-admin/src/main/webapp/scripts/views/DownloadServicePolicy.js 8f9dfe50a
> security-admin/src/main/webapp/scripts/views/UploadServicePolicy.js 62a1fcff2
> security-admin/src/main/webapp/scripts/views/common/TopNav.js 0f4a70896
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 9588fb75d
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js 6c0cf3641
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 3a6a59efe
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js 90ad83ebe
> security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 8a8e94a0f
> security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 886815d84
> security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js e9ce7d483
> security-admin/src/main/webapp/scripts/views/security_zone/SecurityZone.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/security_zone/ZoneAdministration.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/security_zone/ZoneCreate.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/security_zone/ZoneCreateForm.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/security_zone/ZoneResourceForm.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/security_zone/zoneResource.js PRE-CREATION
> security-admin/src/main/webapp/styles/xa.css c601d54af
> security-admin/src/main/webapp/templates/common/ServiceManagerLayout_tmpl.html d4d19a606
> security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 31a9c2656
> security-admin/src/main/webapp/templates/helpers/XAHelpers.js 9e2c02b04
> security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html b7666f926
> security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html 6566d53e8
> security-admin/src/main/webapp/templates/reports/ZoneOperationDiff_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/reports/ZoneUpdateOperationDiff_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/security_zone/SecurityZone_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/security_zone/ZoneAdministration_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/security_zone/ZoneCreateForm_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/security_zone/ZoneCreate_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/security_zone/ZoneResourceForm_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/security_zone/ZoneResourceItem_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/security_zone/ZoneResourceList_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/security_zone/ZoneResourcesForm_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/security_zone/ZoneResources_tmpl.html PRE-CREATION
> security-admin/src/test/java/org/apache/ranger/biz/TestSecurityZoneDBStore.java PRE-CREATION
> security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java 8054d1e2e
> security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java PRE-CREATION
> security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 0196e24a0
>
>
> Diff: https://reviews.apache.org/r/69703/diff/5/
>
>
> Testing
> -------
>
> Tested with a local VM, for CRUD of security zones, creation of policies for a security
> zone and access evaluation for a resource within specific security zone in hive plugin.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
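
The zone rules from the description above, modelled as an added Python example that is not part of the review request or of Ranger's code. All class and function names are hypothetical, and glob patterns such as `finance.*` stand in for "all contents of the Hive database" as an assumption.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed model of the zone rules above; hypothetical names, not Ranger's API.
@dataclass
class Zone:
    name: str
    admins: set
    resources: dict  # service -> glob patterns, e.g. {"hive": ["finance.*"]}

@dataclass
class Policy:
    zone: str
    service: str
    resource: str  # glob pattern
    users: set
    accesses: set

class ZoneAuthorizer:
    def __init__(self, zones):
        self.zones = {z.name: z for z in zones}
        self.policies, self.audit = [], []

    def zone_of(self, service, resource):  # owning zone name, or None if unzoned
        for z in self.zones.values():
            if any(fnmatchcase(resource, p) for p in z.resources.get(service, ())):
                return z.name
        return None

    def add_policy(self, admin, policy):
        zone = self.zones.get(policy.zone)
        if zone is None or admin not in zone.admins:  # only zone admins may author
            raise PermissionError(f"{admin} does not administer {policy.zone!r}")
        if self.zone_of(policy.service, policy.resource) != policy.zone:
            raise ValueError(f"{policy.resource!r} lies outside {policy.zone!r}")
        self.policies.append(policy)

    def is_allowed(self, user, service, resource, access):
        zone = self.zone_of(service, resource)  # policies of other zones never apply
        ok = any(p.zone == zone and p.service == service and user in p.users
                 and access in p.accesses and fnmatchcase(resource, p.resource)
                 for p in self.policies)
        self.audit.append({"user": user, "resource": resource, "zone": zone, "allowed": ok})
        return ok

def build_demo():  # constructed sample data: two zones, one finance policy
    authz = ZoneAuthorizer([Zone("finance", {"alice"}, {"hive": ["finance.*"]}),
                            Zone("sales", {"bob"}, {"hive": ["sales.*"]})])
    authz.add_policy("alice", Policy("finance", "hive", "finance.*", {"carol"}, {"select"}))
    return authz
```

The containment check in `add_policy` is only sound for prefix-style zone patterns like the ones in `build_demo`; a real matcher has to compare resource hierarchies rather than strings.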