ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Madhan Neethiraj <mad...@apache.org>
Subject Re: Review Request 73367: RANGER-3294:AccessResult attribute with isAudited as false not filtered in Ranger Audit Filter
Date Fri, 28 May 2021 16:35:30 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73367/#review223073
-----------------------------------------------------------




hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
Lines 836 (patched)
<https://reviews.apache.org/r/73367/#comment312210>

    Consider setting isFallbackSupported based on existing config i.e. this.hadoopAuthEnabled.
Replace #836 with the following line after #838:
      config.setIsFallbackSupported(this.hadoopAuthEnabled);



plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
Lines 301 (patched)
<https://reviews.apache.org/r/73367/#comment312213>

    Consider enabling fallback based on existing config, RangerHadoopConstants.RANGER_ADD_YARN_PERMISSION_PROP
i.e. from line #92:
    
     boolean yarnAuthEnabled = rangerPluginConfig.getBoolean(RangerHadoopConstants.RANGER_ADD_YARN_PERMISSION_PROP,
RangerHadoopConstants.RANGER_ADD_YARN_PERMISSION_DEFAULT);
     
     rangerPluginConfig.setIsFallbackSupported(yarnAuthEnabled);
    
    This will make policy-engine to not return UNDETERMINED when fallback is disabled. Changes
in RangerYarnAuthorizer shouldn't be needed with above.


- Madhan Neethiraj


On May 27, 2021, 11:15 p.m., Ramesh Mani wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73367/
> -----------------------------------------------------------
> 
> (Updated May 27, 2021, 11:15 p.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh,
Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3294
>     https://issues.apache.org/jira/browse/RANGER-3294
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RANGER-3294:AccessResult attribute with isAudited as false not filtered in Ranger Audit
Filter
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
7b34f77da 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
ecfc9ad14 
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
4d7fb6c87 
>   hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
539d4c148 
>   plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java
1f965823c 
> 
> 
> Diff: https://reviews.apache.org/r/73367/diff/2/
> 
> 
> Testing
> -------
> 
> - Verified in local VM for audit filter to filter out Allow and deny request in Hive.
> - Verified YARN and HDFS fallback and audit related to it.
> 
> 
> Thanks,
> 
> Ramesh Mani
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message