ranger-dev mailing list archives

From Madhan Neethiraj <mad...@apache.org>
Subject Re: Review Request 73443: RANGER-3329: Request for _any access-type is denied only when on all access-types are denied
Date Mon, 19 Jul 2021 19:08:12 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73443/#review223245
-----------------------------------------------------------


Ship it!

- Madhan Neethiraj


On July 18, 2021, 5:43 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73443/
> -----------------------------------------------------------
> 
> (Updated July 18, 2021, 5:43 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3329
>     https://issues.apache.org/jira/browse/RANGER-3329
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Currently a request for _any access-type is denied only if all access-types in the service-def are denied by policies. Instead of this, the policy-engine should deny _any access if there are no allowed accesses, and at least one of the access-types is denied. This will help address the following use case:
> 
> When accessTypeRestrictions is defined on a resource, i.e. only a subset of access-types are shown in policy-UI, it will not be possible to create policies that deny all accesses. In such cases, the proposed change will enable denying _any access-type with only a subset of access-types denied.
> 
> The fix is to deny the access with type _any only if all of the access-types "specified in the denying policy" are explicitly denied by policies.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java 74a7a2615
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 3c0e32c2e
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 03e37fe3d
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java 696a3f6eb
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java f8eba5f96
>   agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json 934655ba9
>   agents-common/src/test/resources/policyengine/test_policyengine_hive.json bd2f67b68
>   agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json a8ec02733
>   agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_for_show_databases.json f42df3eab
> 
> 
> Diff: https://reviews.apache.org/r/73443/diff/4/
> 
> 
> Testing
> -------
> 
> Passed all existing test cases.
> Created a unit test for the use-case outlined in the JIRA, and ensured that it passes.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>
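
A simplified model of the two `_any` rules from the Description, added here as an illustration; it is not part of the original message and is not Ranger code. The class, enum and method names are hypothetical, and the model assumes that under both rules any allowed access-type allows `_any`.

```java
import java.util.*;

// Simplified model of the _any decision in RANGER-3329. Not Ranger code:
// AnyAccessDecision, Result, evaluateOld and evaluateNew are hypothetical names.
public class AnyAccessDecision {
    enum Result { ALLOWED, DENIED, NOT_DETERMINED }

    // Rule before the change: _any is denied only when every access-type
    // in the service-def is denied by policies.
    static Result evaluateOld(Set<String> serviceDefTypes, Map<String, Result> perType) {
        if (perType.containsValue(Result.ALLOWED)) return Result.ALLOWED; // assumption, see lead-in
        if (serviceDefTypes.isEmpty()) return Result.NOT_DETERMINED;
        for (String type : serviceDefTypes) {
            // A type with no policy decision (null) blocks the deny.
            if (perType.get(type) != Result.DENIED) return Result.NOT_DETERMINED;
        }
        return Result.DENIED;
    }

    // Proposed rule: _any is denied when no access-type is allowed
    // and at least one access-type is denied.
    static Result evaluateNew(Map<String, Result> perType) {
        if (perType.containsValue(Result.ALLOWED)) return Result.ALLOWED;
        if (perType.containsValue(Result.DENIED)) return Result.DENIED;
        return Result.NOT_DETERMINED;
    }

    public static void main(String[] args) {
        // Constructed sample: the service-def has four access-types, but
        // accessTypeRestrictions exposes only select and update on this
        // resource, so a deny policy can name only those two.
        Set<String> serviceDef =
            new LinkedHashSet<>(Arrays.asList("select", "update", "create", "drop"));
        Map<String, Result> perType = new HashMap<>();
        perType.put("select", Result.DENIED);
        perType.put("update", Result.DENIED);

        // Old rule cannot reach DENIED here: create and drop are never denied.
        System.out.println("old rule, subset denied: " + evaluateOld(serviceDef, perType));
        System.out.println("new rule, subset denied: " + evaluateNew(perType));

        // An allowed access-type still wins under the new rule.
        perType.put("create", Result.ALLOWED);
        System.out.println("new rule, one allowed:   " + evaluateNew(perType));
    }
}
```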

