ranger-dev mailing list archives

From Velmurugan Periasamy <vperias...@hortonworks.com>
Subject Re: Review Request 44444: RANGER-875 : Restrict Grantor privileges of Ranger db user for Oracle DB Flavor
Date Fri, 18 Mar 2016 22:50:25 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/44444/#review124313
-----------------------------------------------------------


Ship it!




Ship It!

- Velmurugan Periasamy


On March 8, 2016, 2:13 p.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/44444/
> -----------------------------------------------------------
> 
> (Updated March 8, 2016, 2:13 p.m.)
> 
> 
> Review request for ranger, Alok Lal, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Ramesh Mani, and Selvamohan Neethiraj.
> 
> 
> Bugs: RANGER-875
>     https://issues.apache.org/jira/browse/RANGER-875
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement :**
> Currently installation script gives grantor roles to Ranger db user on several privileges. Restrict Grantor role of Ranger Db user on only those privileges on which Ranger db user needs to give grants to the audit db user.
> 
> **Proposed Solution :**
> In attached patch have removed 'WITH ADMIN OPTION' clause from GRANT statement as it's not required any more.
> Ranger db user does not need Grantor role on tables for SELECT operation explicitly as he is schema owner and has all privileges of all objects of that schema.
> Since Oracle Root user gives 'CREATE SESSION' privilege to audit db user, Ranger db user does not need to give same privileges again to audit db user, thus Ranger db user does not need Grantor role in 'CREATE SESSION' privilege also.
> 
> 
> Diffs
> -----
> 
>   kms/scripts/dba_script.py 1e039e5 
>   security-admin/scripts/db_setup.py 1a74b4a 
>   security-admin/scripts/dba_script.py 66b2848 
> 
> Diff: https://reviews.apache.org/r/44444/diff/
> 
> 
> Testing
> -------
> 
> **Steps performed:**
> 1. After configuring install.properties of Ranger admin for Oracle DB Flavor, called setup.sh to install Ranger.
> 2. Started Ranger Admin and Created HDFS service and policy.
> 3. Installed HDFS plugin and enabled HDFS plugin with audit to DB logs.
> 4. Executed a few HDFS commands to audit logs.
> 
> **Result/Behavior:**
> Installation logs do not have any Grant statement containing 'WITH ADMIN OPTION'.
> Setup was done successfully and Ranger UI was working.
> Was able to see Audit logs of HDFS commands executed in Testing process for policy enforcement.
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>
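The check reported under Result/Behavior above (no GRANT statement with 'WITH ADMIN OPTION' in the installation logs) can be automated. The following is an added example, not code from the patch or from Ranger; the log format, user names and table name are constructed, and it goes beyond the message by also flagging Oracle's object-privilege counterpart, WITH GRANT OPTION.

```python
import re

# Constructed installer-log sample; users, table and log format are assumptions.
SAMPLE_LOG = """\
2016-03-08 14:02:11 [I] Executing: GRANT CREATE SESSION, CREATE TABLE TO rangeradmin WITH ADMIN OPTION;
2016-03-08 14:02:12 [I] Executing: grant create session
    to rangeraudit;
2016-03-08 14:02:13 [I] Executing: GRANT SELECT ON rangeradmin.xa_access_audit TO rangeraudit WITH GRANT OPTION;
2016-03-08 14:02:14 [I] Executing: GRANT INSERT ON rangeradmin.xa_access_audit TO rangeraudit;
"""

# One GRANT statement up to its terminating ';'. [^;] keeps a match from
# running into the next statement; \s+ lets a statement wrap across lines.
GRANT_RE = re.compile(
    r"\bGRANT\s+(?P<privs>[^;]+?)\s+TO\s+(?P<grantee>[\w$#\"]+)"
    r"(?:\s+WITH\s+(?P<kind>ADMIN|GRANT)\s+OPTION)?\s*;",
    re.IGNORECASE,
)


def find_grants(text):
    """Return one dict per GRANT statement found in the log text."""
    grants = []
    for m in GRANT_RE.finditer(text):
        privs = re.sub(r"\s+", " ", m.group("privs")).strip()
        # Object grants read "<privs> ON <object>"; system grants have no ON.
        parts = re.split(r"\s+ON\s+", privs, maxsplit=1, flags=re.IGNORECASE)
        grants.append({
            "privileges": [p.strip().upper() for p in parts[0].split(",")],
            "object": parts[1] if len(parts) == 2 else None,
            "grantee": m.group("grantee"),
            # "ADMIN" or "GRANT" when the grantee may pass the privilege on.
            "delegable": m.group("kind").upper() if m.group("kind") else None,
        })
    return grants


def delegable_grants(text):
    """Grants that hand out grantor rights (WITH ADMIN/GRANT OPTION)."""
    return [g for g in find_grants(text) if g["delegable"]]


if __name__ == "__main__":
    for g in delegable_grants(SAMPLE_LOG):
        target = g["object"] or "system privilege"
        print(f"{g['grantee']}: {', '.join(g['privileges'])} ({target}) "
              f"WITH {g['delegable']} OPTION")
```

An empty result from delegable_grants() on a real installation log corresponds to the behavior the review request describes after the patch.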

