ranger-dev mailing list archives

From Abhay Kulkarni <akulka...@hortonworks.com>
Subject Re: Review Request 73443: RANGER-3329: Request for _any access-type is denied only when on all access-types are denied
Date Fri, 09 Jul 2021 18:17:11 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73443/
-----------------------------------------------------------

(Updated July 9, 2021, 6:17 p.m.)


Review request for ranger, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, and Velmurugan
Periasamy.


Changes
-------

Updated to ensure that the patch works when more than one policy is involved in processing
an _any request.


Bugs: RANGER-3329
    https://issues.apache.org/jira/browse/RANGER-3329


Repository: ranger


Description (updated)
-------

Currently a request for _any access-type is denied only if all access-types in the service-def
are denied by policies. Instead of this, the policy-engine should deny _any access if there
are no allowed accesses, and at least one of the access-types is denied. This will help address
the following use case:

When accessTypeRestrictions is defined on a resource, i.e. only a subset of access-types is
shown in the policy UI, it will not be possible to create policies that deny all accesses. In
such cases, the proposed change will enable denying the _any access-type with only a subset of
access-types denied.

The fix is to deny the access with type _any only if all of the access-types "specified in the
denying policy" are explicitly denied by policies.


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java 6a38747f4
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java 74a7a2615
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java 4887c0112
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 5ffd38f98
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java ebe85e9a2
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 03e37fe3d
  agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json a8ec02733



Diff: https://reviews.apache.org/r/73443/diff/2/

Changes: https://reviews.apache.org/r/73443/diff/1-2/


Testing
-------

Passed all existing test cases.
Created a unit test for the use-case outlined in the JIRA, and ensured that it passes.


Thanks,

Abhay Kulkarni
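
Added example, not part of the original message and not Ranger's code: a simplified model of the two _any rules as the description words them, run over the accessTypeRestrictions use case with two deny policies. The class, record, method names and the sample access-types are hypothetical, and the model assumes a deny overrides an allow for the same access-type.

```java
import java.util.*;

// Simplified model (requires Java 16+ for records); names are hypothetical, not Ranger APIs.
public class AnyAccessModel {
    enum Decision { ALLOWED, DENIED, NOT_DETERMINED }

    // Access-types one policy allows or denies for the requesting user on the resource.
    record PolicyResult(Set<String> allowed, Set<String> denied) {}

    static Set<String> collect(List<PolicyResult> results, boolean wantDenied) {
        Set<String> out = new TreeSet<>();
        for (PolicyResult r : results) out.addAll(wantDenied ? r.denied() : r.allowed());
        return out;
    }

    static Decision evaluateAny(Set<String> serviceDefTypes, List<PolicyResult> results,
                                boolean proposedRule) {
        Set<String> denied = collect(results, true);
        Set<String> allowed = collect(results, false);
        allowed.removeAll(denied);              // assumption: deny overrides allow per access-type
        if (!allowed.isEmpty()) return Decision.ALLOWED;
        boolean deny = proposedRule
                ? !denied.isEmpty()                      // proposed: nothing allowed, something denied
                : denied.containsAll(serviceDefTypes);   // current: every service-def type denied
        return deny ? Decision.DENIED : Decision.NOT_DETERMINED;
    }

    public static void main(String[] args) {
        // Constructed sample: the service-def has five access-types, but
        // accessTypeRestrictions exposes only "select" and "update" for this resource.
        Set<String> serviceDef = Set.of("select", "update", "create", "drop", "alter");

        // Two policies, each denying one of the exposed access-types.
        List<PolicyResult> denyExposed = List.of(
                new PolicyResult(Set.of(), Set.of("select")),
                new PolicyResult(Set.of(), Set.of("update")));
        // One policy allows "select" while another denies "update".
        List<PolicyResult> mixed = List.of(
                new PolicyResult(Set.of("select"), Set.of()),
                new PolicyResult(Set.of(), Set.of("update")));

        System.out.println("deny exposed, current rule:  " + evaluateAny(serviceDef, denyExposed, false));
        System.out.println("deny exposed, proposed rule: " + evaluateAny(serviceDef, denyExposed, true));
        System.out.println("mixed, proposed rule:        " + evaluateAny(serviceDef, mixed, true));
    }
}
```

The first two calls show the gap the description identifies: with only a subset of access-types available to policy authors, the current rule can never reach a deny for _any, while the proposed rule does.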

