You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by Abhay Kulkarni <ak...@hortonworks.com> on 2019/08/24 01:30:33 UTC

Re: Review Request 71362: RANGER-2548: Ranger-admin updates to ensure owner information in GrantRevokeData is correctly consumed

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71362/
-----------------------------------------------------------

(Updated Aug. 24, 2019, 1:30 a.m.)


Review request for ranger, Madhan Neethiraj and Ramesh Mani.


Changes
-------

Addressed review comment


Summary (updated)
-----------------

RANGER-2548: Ranger-admin updates to ensure owner information in GrantRevokeData is correctly consumed


Bugs: RANGER-2548
    https://issues.apache.org/jira/browse/RANGER-2548


Repository: ranger


Description
-------

Grant/Revoke requests are processed by Ranger to create/update corresponding Ranger Policy. With Hive support for OWNER, Ranger also needs to ensure that Grant/Revoke requests, if they provide ownership information for the Hive object being granted permission on, are processed correctly in accordance with prevailing Ranger policies.


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java daa62f408 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java cf590f9aa 
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ecd6cb746 
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 5bbbecedb 
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 00c0d42ed 
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java ec3950f62 
  agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 02f343196 
  agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c8276f127 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java bb825b822 


Diff: https://reviews.apache.org/r/71362/diff/2/

Changes: https://reviews.apache.org/r/71362/diff/1-2/


Testing (updated)
-------

Passed all unit tests


Thanks,

Abhay Kulkarni

Re: Review Request 71362: RANGER-2548: Ranger-admin updates to ensure owner information in GrantRevokeData is correctly consumed

Posted by Abhay Kulkarni <ak...@hortonworks.com>.


> On Aug. 25, 2019, 7:12 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
> > Line 343 (original), 343 (patched)
> > <https://reviews.apache.org/r/71362/diff/2/?file=2162857#file2162857line343>
> >
> >     This change removes sending evalContext to isMatch() method; this can cause isMatch() to return incorrect results for resources having {USER} in name - like /home/{USER}. Please review.
> >     
> >     Same applies for other similar updates as well - line #362, #377.

These APIs are called from within ranger-admin. There is no owner information available. In fact, to return policies with resource containing macros in its name, it is required that the expansion of the macros is suppressed, which is achieved by not passing any evalContext to the APIs which are also used by policy engine in the plugin. This applies to line #362 and #377 also.


> On Aug. 25, 2019, 7:12 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
> > Line 365 (original), 362 (patched)
> > <https://reviews.apache.org/r/71362/diff/2/?file=2162857#file2162857line365>
> >
> >     Sending 'user' for 'owner' doesn't look right; wouldn't this result in all users to be allowed for accesses granted for resource-owner?
> >     
> >     Same for line #377 as well.

That is the intent, as these APIs are called from with ranger-admin to filter policies. It is required, in absence of owner information, that policies with OWNER macro pass the filter (at least the first part of filter, namely, call to Optimized Policy Evaluator's hasMatchablePolicyItem()).


- Abhay


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71362/#review217425
-----------------------------------------------------------


On Aug. 24, 2019, 1:30 a.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71362/
> -----------------------------------------------------------
> 
> (Updated Aug. 24, 2019, 1:30 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj and Ramesh Mani.
> 
> 
> Bugs: RANGER-2548
>     https://issues.apache.org/jira/browse/RANGER-2548
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Grant/Revoke requests are processed by Ranger to create/update corresponding Ranger Policy. With Hive support for OWNER, Ranger also needs to ensure that Grant/Revoke requests, if they provide ownership information for the Hive object being granted permission on, are processed correctly in accordance with prevailing Ranger policies.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java daa62f408 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java cf590f9aa 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ecd6cb746 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 5bbbecedb 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 00c0d42ed 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java ec3950f62 
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 02f343196 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c8276f127 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java bb825b822 
> 
> 
> Diff: https://reviews.apache.org/r/71362/diff/2/
> 
> 
> Testing
> -------
> 
> Passed all unit tests
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Re: Review Request 71362: RANGER-2548: Ranger-admin updates to ensure owner information in GrantRevokeData is correctly consumed

Posted by Madhan Neethiraj <ma...@apache.org>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71362/#review217425
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
Line 343 (original), 343 (patched)
<https://reviews.apache.org/r/71362/#comment304704>

    This change removes sending evalContext to isMatch() method; this can cause isMatch() to return incorrect results for resources having {USER} in name - like /home/{USER}. Please review.
    
    Same applies for other similar updates as well - line #362, #377.



agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
Line 365 (original), 362 (patched)
<https://reviews.apache.org/r/71362/#comment304702>

    Sending 'user' for 'owner' doesn't look right; wouldn't this result in all users to be allowed for accesses granted for resource-owner?
    
    Same for line #377 as well.



agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
Line 294 (original), 294 (patched)
<https://reviews.apache.org/r/71362/#comment304703>

    wouldn't adding 'hasResourceOwner' here effectively ignore the {OWNER} condition, since there is no validation that 'user' is 'owner' - as owner information is not available in this method?
    
    Please remove 'hasResourceOwner' from this line.


- Madhan Neethiraj


On Aug. 24, 2019, 1:30 a.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71362/
> -----------------------------------------------------------
> 
> (Updated Aug. 24, 2019, 1:30 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj and Ramesh Mani.
> 
> 
> Bugs: RANGER-2548
>     https://issues.apache.org/jira/browse/RANGER-2548
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Grant/Revoke requests are processed by Ranger to create/update corresponding Ranger Policy. With Hive support for OWNER, Ranger also needs to ensure that Grant/Revoke requests, if they provide ownership information for the Hive object being granted permission on, are processed correctly in accordance with prevailing Ranger policies.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java daa62f408 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java cf590f9aa 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ecd6cb746 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 5bbbecedb 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 00c0d42ed 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java ec3950f62 
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 02f343196 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c8276f127 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java bb825b822 
> 
> 
> Diff: https://reviews.apache.org/r/71362/diff/2/
> 
> 
> Testing
> -------
> 
> Passed all unit tests
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Re: Review Request 71362: RANGER-2548: Ranger-admin updates to ensure owner information in GrantRevokeData is correctly consumed

Posted by Madhan Neethiraj <ma...@apache.org>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71362/#review217485
-----------------------------------------------------------


Ship it!




Ship It!

- Madhan Neethiraj


On Aug. 27, 2019, 5:14 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71362/
> -----------------------------------------------------------
> 
> (Updated Aug. 27, 2019, 5:14 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj and Ramesh Mani.
> 
> 
> Bugs: RANGER-2548
>     https://issues.apache.org/jira/browse/RANGER-2548
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Grant/Revoke requests are processed by Ranger to create/update corresponding Ranger Policy. With Hive support for OWNER, Ranger also needs to ensure that Grant/Revoke requests, if they provide ownership information for the Hive object being granted permission on, are processed correctly in accordance with prevailing Ranger policies.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java daa62f408 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java cf590f9aa 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ecd6cb746 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 5bbbecedb 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 00c0d42ed 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java ec3950f62 
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 02f343196 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c8276f127 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java bb825b822 
> 
> 
> Diff: https://reviews.apache.org/r/71362/diff/3/
> 
> 
> Testing
> -------
> 
> Passed all unit tests
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Re: Review Request 71362: RANGER-2548: Ranger-admin updates to ensure owner information in GrantRevokeData is correctly consumed

Posted by Abhay Kulkarni <ak...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71362/
-----------------------------------------------------------

(Updated Aug. 27, 2019, 5:14 p.m.)


Review request for ranger, Madhan Neethiraj and Ramesh Mani.


Changes
-------

Addressed review comments


Bugs: RANGER-2548
    https://issues.apache.org/jira/browse/RANGER-2548


Repository: ranger


Description
-------

Grant/Revoke requests are processed by Ranger to create/update corresponding Ranger Policy. With Hive support for OWNER, Ranger also needs to ensure that Grant/Revoke requests, if they provide ownership information for the Hive object being granted permission on, are processed correctly in accordance with prevailing Ranger policies.


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java daa62f408 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java cf590f9aa 
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ecd6cb746 
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 5bbbecedb 
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 00c0d42ed 
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java ec3950f62 
  agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 02f343196 
  agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c8276f127 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java bb825b822 


Diff: https://reviews.apache.org/r/71362/diff/3/

Changes: https://reviews.apache.org/r/71362/diff/2-3/


Testing
-------

Passed all unit tests


Thanks,

Abhay Kulkarni