ranger-dev mailing list archives

From Abhay Kulkarni <akulka...@hortonworks.com>
Subject Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies
Date Tue, 14 May 2019 01:55:44 GMT


> On May 11, 2019, 7:10 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
> > Lines 944 (patched)
> > <https://reviews.apache.org/r/70629/diff/1/?file=2144531#file2144531line944>
> >
> >     Do we have small window where the roles could be empty and it could affect during multi-thread environment?

I don't think so. Are you suggesting concurrent updates to policy may lead to inconsistent
policy state? If so, one of the transactions will be aborted when attempting to persist changes
to database.


- Abhay


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215198
-----------------------------------------------------------


On May 11, 2019, 1:45 a.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> -----------------------------------------------------------
> 
> (Updated May 11, 2019, 1:45 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2414
>     https://issues.apache.org/jira/browse/RANGER-2414
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups
> based on various criteria like accessed-resource, resource-classifications, IP-address and
> custom conditions. Given the wide-spread use of role-based authorization in traditional enterprise
> applications (like RDBMS, J2EE), it will be very useful for Ranger policy model to support
> 'roles' i.e. to be able to specify authorization/column-masking/row-filtering for roles as
> well - in addition to existing support for users and user-groups.
> 
> This patch provides an initial implementation of support for roles in Ranger.
> 
> 
> Diffs
> -----
> 
>   agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 28db58cd9
>   agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 5e2c49211
>   agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3111037ff
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 990aab0c9
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 365edcf35
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
>   agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
>   agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
>   agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java 2c1de4eb8
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
>   agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
>   agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
>   hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java f204c15c0
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java bf4d6c1ea
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
>   security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
>   security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
>   security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
>   security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
>   security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
>   security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 35dc9405b
>   security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
>   security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
>   security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3ff763c71
>   security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
>   security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1c9
>   security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
>   security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
>   security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
>   security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
>   security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
>   security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 1af54e18a
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
>   security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
>   security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
>   security-admin/src/main/webapp/styles/xa.css 6ae646dfc
>   security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
>   security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
>   security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
>   security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
>   security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
>   security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ac9af5eb4
> 
> 
> Diff: https://reviews.apache.org/r/70629/diff/1/
> 
> 
> Testing
> -------
> 
> - Role CRUD
> - Policy Updates to add/remove roles
> - Logic to authorize access with roles
> - Tracking Service versions with role updates
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

