ranger-dev mailing list archives

From Don Bosco Durai <bo...@apache.org>
Subject Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies
Date Wed, 15 May 2019 02:58:20 GMT


> On May 11, 2019, 7:10 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
> > Lines 944 (patched)
> > <https://reviews.apache.org/r/70629/diff/1/?file=2144531#file2144531line944>
> >
> >     Do we have a small window where the roles could be empty and it could affect during multi-thread environment?
> 
> Abhay Kulkarni wrote:
>     I don't think so. Are you suggesting concurrent updates to policy may lead to inconsistent policy state? If so, one of the transactions will be aborted when attempting to persist changes to database.
> 
> Don Bosco Durai wrote:
>     I meant, while the policies are getting updated, a request for authorization, is it possible the list will be empty?
> 
> Abhay Kulkarni wrote:
>     Policies in the policy-engine are treated as read-only during authorization. So, there is no possibility of list getting modified.

Thanks for clarifying.


- Don Bosco


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215198
-----------------------------------------------------------


On May 15, 2019, 1:58 a.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> -----------------------------------------------------------
> 
> (Updated May 15, 2019, 1:58 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2414
>     https://issues.apache.org/jira/browse/RANGER-2414
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the wide-spread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for Ranger policy model to support 'roles' i.e. to be able to specify authorization/column-masking/row-filtering for roles as well - in addition to existing support for users and user-groups.
> 
> This patch provides an initial implementation of support for roles in Ranger.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3111037ff
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 990aab0c9
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java eab2c238e
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
>   agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
>   agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
>   agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java 2c1de4eb8
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
>   agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
>   agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
>   security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
>   security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
>   security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
>   security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
>   security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
>   security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 35dc9405b
>   security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
>   security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
>   security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3ff763c71
>   security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
>   security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1c9
>   security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
>   security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
>   security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
>   security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
>   security-admin/src/main/webapp/scripts/utils/XAEnums.js c6956eafb
>   security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
>   security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 1af54e18a
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
>   security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
>   security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js 4a73c3215
>   security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
>   security-admin/src/main/webapp/styles/xa.css 6ae646dfc
>   security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
>   security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
>   security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
>   security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
>   security-admin/src/main/webapp/templates/reports/RoleOperationDiff_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/reports/RoleUpdateOperationDiff_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
>   security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ac9af5eb4
> 
> 
> Diff: https://reviews.apache.org/r/70629/diff/3/
> 
> 
> Testing
> -------
> 
> - Role CRUD
> - Policy Updates to add/remove roles
> - Logic to authorize access with roles
> - Tracking Service versions with role updates
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

