ranger-dev mailing list archives

From Madhan Neethiraj <mad...@apache.org>
Subject Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies
Date Tue, 14 May 2019 03:37:09 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215233
-----------------------------------------------------------




agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
Lines 127 (patched)
<https://reviews.apache.org/r/70629/#comment301848>

    I suggest not including 'roles' in audit logs - at least for the first cut. If this becomes critical, this can be added later.



agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
Lines 256 (patched)
<https://reviews.apache.org/r/70629/#comment301849>

    Looks like the method can be replaced with the following. Please review and update.
      return RangerAccessRequestUtil.getCurrentUserRolesFromContext(request.getContext());
      
    Anyway, this method wouldn't be needed if we decided to not store roles in audit logs.



agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 1264 (patched)
<https://reviews.apache.org/r/70629/#comment301847>

    Defining roles for 'USER_CURRENT' doesn't seem intuitive. This is equivalent to having the role assigned to the 'public' group. Consider removing lines #1264 - #1268.
    
    Given that the owner (of the resource) is available only for a few service-types (well, only HDFS for now; Atlas and Hive on the way), I think it will be good to not support this in roles. Consider removing #1269 - #1275.



agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
Line 527 (original), 528 (patched)
<https://reviews.apache.org/r/70629/#comment301851>

    PolicyACLSummary has getRolesAccessInfo(), so it may not be necessary to skip policies that include 'roles'. Please review and update.



agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
Lines 253 (patched)
<https://reviews.apache.org/r/70629/#comment301852>

    Consider removing #252 - #260, and replacing 'hasRole' in #261 with:
    
      (CollectionUtils.isNotEmpty(roles) && CollectionUtils.containsAny(roles, RangerAccessRequestUtil.getCurrentUserRolesFromContext(request.getContext())))
      
    Note that RangerAccessRequestUtil.getCurrentUserRolesFromContext() should return emptyList() when the current user has no roles.



agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
Lines 162 (patched)
<https://reviews.apache.org/r/70629/#comment301853>

    RangerAccessRequestUtil.setTokenInContext() ==> RangerAccessRequestUtil.setCurrentUserRolesInContext()


- Madhan Neethiraj


On May 14, 2019, 1:55 a.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> -----------------------------------------------------------
> 
> (Updated May 14, 2019, 1:55 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2414
>     https://issues.apache.org/jira/browse/RANGER-2414
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> The current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the wide-spread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for the Ranger policy model to support 'roles', i.e. to be able to specify authorization/column-masking/row-filtering for roles as well - in addition to the existing support for users and user-groups.
> 
> This patch provides an initial implementation of support for roles in Ranger.
> 
> 
> Diffs
> -----
> 
>   agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 28db58cd9
>   agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 5e2c49211
>   agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3111037ff
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 990aab0c9
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 365edcf35
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
>   agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
>   agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
>   agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java 2c1de4eb8
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
>   agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
>   agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
>   hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java f204c15c0
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java bf4d6c1ea
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
>   security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
>   security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
>   security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
>   security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
>   security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
>   security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 35dc9405b
>   security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
>   security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
>   security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3ff763c71
>   security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
>   security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1c9
>   security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
>   security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
>   security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
>   security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
>   security-admin/src/main/webapp/scripts/utils/XAEnums.js c6956eafb
>   security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
>   security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 1af54e18a
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
>   security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
>   security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js 4a73c3215
>   security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
>   security-admin/src/main/webapp/styles/xa.css 6ae646dfc
>   security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
>   security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
>   security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
>   security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
>   security-admin/src/main/webapp/templates/reports/RoleOperationDiff_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/reports/RoleUpdateOperationDiff_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
>   security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ac9af5eb4
> 
> 
> Diff: https://reviews.apache.org/r/70629/diff/2/
> 
> 
> Testing
> -------
> 
> - Role CRUD
> - Policy Updates to add/remove roles
> - Logic to authorize access with roles
> - Tracking Service versions with role updates
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>
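As an added illustration (not code from this patch or from Ranger itself), the role check the review suggests for a policy item, applied on top of a hypothetical role store in which a role's members can be users, groups and other roles; the class, method and role names below are assumptions, and the sample roles are constructed:

```java
import java.util.*;

// Added illustration, not Ranger's code: a hypothetical role store plus the
// containsAny-style role check suggested in the review above.
public class RoleMatchExample {
    // Hypothetical role definition: members are users, groups and nested roles.
    static final class Role {
        final String name; final Set<String> users, groups, roles;
        Role(String name, Set<String> users, Set<String> groups, Set<String> roles) {
            this.name = name; this.users = users; this.groups = groups; this.roles = roles;
        }
    }

    // Effective roles of a user: direct membership (by user or group) plus every role
    // that lists an already-held role as a member. The 'held' set stops role cycles.
    static Set<String> rolesForUser(String user, Set<String> groups, Map<String, Role> store) {
        Set<String> held = new LinkedHashSet<>();
        Deque<String> work = new ArrayDeque<>();
        for (Role r : store.values()) {
            if (r.users.contains(user) || !Collections.disjoint(r.groups, groups)) work.add(r.name);
        }
        while (!work.isEmpty()) {
            String name = work.poll();
            if (!held.add(name)) continue;                // already expanded: cycle-safe
            for (Role r : store.values()) if (r.roles.contains(name)) work.add(r.name);
        }
        return held;   // an empty set, never null, when the user holds no roles
    }

    // The check the review proposes for a policy item's 'roles' list: an item with no
    // roles never matches by role, and neither does a user who holds no roles.
    static boolean matchesByRole(Collection<String> itemRoles, Collection<String> userRoles) {
        return !itemRoles.isEmpty() && !Collections.disjoint(itemRoles, userRoles);
    }

    public static void main(String[] args) {
        Map<String, Role> store = new HashMap<>();   // constructed sample roles
        store.put("analyst",   new Role("analyst",   Set.of("alice"), Set.of(),           Set.of()));
        store.put("finance",   new Role("finance",   Set.of(),        Set.of("fin-team"), Set.of()));
        store.put("reporting", new Role("reporting", Set.of(),        Set.of(),           Set.of("analyst", "finance")));

        List<String> itemRoles = List.of("reporting");   // a policy item granting access to one role
        Set<String> alice = rolesForUser("alice", Set.of("ops"), store);   // direct member of analyst
        Set<String> bob   = rolesForUser("bob",   Set.of("ops"), store);   // member of no role at all
        System.out.println("alice matches via nested role: " + matchesByRole(itemRoles, alice));
        System.out.println("bob matches: " + matchesByRole(itemRoles, bob));
        System.out.println("item without roles matches: " + matchesByRole(List.of(), alice));
    }
}
```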

