ranger-dev mailing list archives

From Abhay Kulkarni <akulka...@hortonworks.com>
Subject Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies
Date Wed, 15 May 2019 01:58:37 GMT


> On May 11, 2019, 5:08 p.m., Madhan Neethiraj wrote:
> > agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
> > Lines 127 (patched)
> > <https://reviews.apache.org/r/70629/diff/1/?file=2144528#file2144528line127>
> >
> >     Would this include all roles of the user, at the time of access, in each audit log? This might add excessive data into audit logs. This should be seen as user->groups mapping, which is not included in audit logs. Please review.
> 
> Abhay Kulkarni wrote:
>     Yes. I think it will be useful to log this, as the user->role mapping is 'owned' by Ranger admin (unlike user->group mapping, which is 'owned' by LDAP or some external entity).

Done


> On May 11, 2019, 5:08 p.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
> > Lines 529 (patched)
> > <https://reviews.apache.org/r/70629/diff/1/?file=2144537#file2144537line529>
> >
> >     Why would presence of roles make it not-usable for evaluation? Shouldn't this be treated similarly to groups?
> 
> Abhay Kulkarni wrote:
>     Theoretically, no. However, as a first-cut, this approximation is useful.

Opened https://issues.apache.org/jira/browse/RANGER-2428 to track this.


- Abhay


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215200
-----------------------------------------------------------


On May 15, 2019, 1:58 a.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> -----------------------------------------------------------
> 
> (Updated May 15, 2019, 1:58 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2414
>     https://issues.apache.org/jira/browse/RANGER-2414
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the wide-spread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for Ranger policy model to support 'roles' i.e. to be able to specify authorization/column-masking/row-filtering for roles as well - in addition to existing support for users and user-groups.
> 
> This patch provides an initial implementation of support for roles in Ranger.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3111037ff
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 990aab0c9
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java eab2c238e
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
>   agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
>   agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
>   agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java 2c1de4eb8
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
>   agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
>   agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
>   security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
>   security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
>   security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
>   security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
>   security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
>   security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 35dc9405b
>   security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
>   security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
>   security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3ff763c71
>   security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
>   security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1c9
>   security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
>   security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
>   security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
>   security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
>   security-admin/src/main/webapp/scripts/utils/XAEnums.js c6956eafb
>   security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
>   security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 1af54e18a
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
>   security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
>   security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js 4a73c3215
>   security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
>   security-admin/src/main/webapp/styles/xa.css 6ae646dfc
>   security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
>   security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
>   security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
>   security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
>   security-admin/src/main/webapp/templates/reports/RoleOperationDiff_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/reports/RoleUpdateOperationDiff_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
>   security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ac9af5eb4
> 
> 
> Diff: https://reviews.apache.org/r/70629/diff/3/
> 
> 
> Testing
> -------
> 
> - Role CRUD
> - Policy Updates to add/remove roles
> - Logic to authorize access with roles
> - Tracking Service versions with role updates
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>
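An added illustrative model of policy evaluation with roles (example code, not Ranger's own): it resolves a user's roles, including nested roles, from an admin-owned role store, matches policy items by user, group or role, and records the roles used in the audit record, the point discussed in the review above. Class names, the nested-role semantics and the sample data are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Illustrative model of the roles feature, added here; it is not Ranger's own
# code. Assumptions: a role may hold users, groups and other roles (as the
# patch's XXRoleRefUser/XXRoleRefGroup/XXRoleRefRole entities suggest), and a
# role listed as a member of another role contributes its members upward.
@dataclass
class Role:
    name: str
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)   # names of member roles

@dataclass
class PolicyItem:
    accesses: set
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)   # roles granted this item

def effective_roles(user, user_groups, role_store):
    """All roles of a user at access time, following nested roles upward.
    The visited set guards against cycles in role-to-role references."""
    found = set()
    queue = [r.name for r in role_store.values()
             if user in r.users or r.groups & user_groups]
    while queue:
        name = queue.pop()
        if name in found:
            continue
        found.add(name)
        queue.extend(p.name for p in role_store.values() if name in p.roles)
    return found

def authorize(items, user, user_groups, role_store, access):
    """Evaluate policy items against user, groups and resolved roles; the
    returned audit record carries the roles used for the decision."""
    roles = effective_roles(user, user_groups, role_store)
    allowed = any(access in it.accesses and
                  (user in it.users or it.groups & user_groups or it.roles & roles)
                  for it in items)
    audit = {"user": user, "access": access, "roles": sorted(roles),
             "result": "ALLOWED" if allowed else "DENIED"}
    return allowed, audit

# Constructed sample data: the user->role mapping is owned by Ranger admin.
ROLES = {"analyst": Role("analyst", users={"alice"}),
         "ops": Role("ops", groups={"sre"}),
         "dba": Role("dba", roles={"ops"})}  # every ops member is also a dba
ITEMS = [PolicyItem(accesses={"select"}, roles={"analyst"}),
         PolicyItem(accesses={"drop"}, roles={"dba"})]
```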

