ranger-dev mailing list archives

From Abhay Kulkarni <akulka...@hortonworks.com>
Subject Re: Review Request 72957: RANGER-3036 : Multiple disabled policies getting created with same resource while import
Date Mon, 09 Nov 2020 00:29:26 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72957/#review222172
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
Lines 1699 (patched)
<https://reviews.apache.org/r/72957/#comment311237>

    This block is reached if deleteIfExists is set to true when creating a policy and both mergeIfExists and updateIfExists are set to false. It appears that the only effect is that if a policy exists with the same name as the policy being created, then the name of the policy being created is modified to ensure that policy creation goes through. Is this what is desired? The policy with the matching name seems to be left alone and NOT deleted. Is this a correct use of the deleteIfExists flag?
    
    Please elaborate.


- Abhay Kulkarni


On Nov. 6, 2020, 8:49 a.m., Dineshkumar Yadav wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72957/
> -----------------------------------------------------------
> 
> (Updated Nov. 6, 2020, 8:49 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3036
>     https://issues.apache.org/jira/browse/RANGER-3036
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> If the updateifexist/mergeIfExist parameter is passed while importing Ranger policies, then additional policies are created for a disabled policy with the same resource.
> 
> Solution: 1. A new disabled policy will be created only if no resource-signature matching policy is found in Ranger.
>           2. If a policy with the same resource-signature is found in Ranger, then the policy gets merged or updated according to the parameter passed during import.
>           3. If multiple disabled policies with the same resource-signature are found, then the policy with the same name will be picked up for update/merge; otherwise one policy will be picked up randomly for update/merge.
> 
> Note: While creating a new policy with an existing name, we append System.currentTimeMillis() to the name of the policy to get a unique name (current implementation).
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 3baee02fd 
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java a1db6004e 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 00ffabedd 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml d608ff849 
> 
> 
> Diff: https://reviews.apache.org/r/72957/diff/4/
> 
> 
> Testing
> -------
> 
> Tested for the below scenarios:
>     1. With no disabled policy
>     2. With a single disabled policy
>     3. With multiple disabled policies
>     4. Scenario
>             1. Create enabled policy1 with resource1 and export the policy.
>             2. Disable the exported policy and try to import it.
>        Expected result: a new disabled policy should get created.
> 
> Test case for flag deleteIfExist
>     1. Create Policy1 with resource /path1 at the source cluster.
>     2. Import Policy1 to the target cluster; a new policy gets created.
>     3. Create a disabled policy at the target cluster with resource /path1.
>     4. Disable Policy1 at the source cluster and then import.
> Output: disabled policy deleted and new disabled policy created.
> 
> Test case for flag deleteIfExist
>     1. Create Policy1 with resource /path1 at the source cluster and import to the target cluster.
>     2. Create Policy1 with the same service in zone1 at the target.
>     3. Create a disabled policy at the target cluster with resource
>     4. Again import Policy1 from the source to the target.
> 
> Output: unzoned Policy1 deleted and new policy1 created.
> 
> 
> Thanks,
> 
> Dineshkumar Yadav
> 
>

