Posted to dev@ranger.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2017/05/22 16:36:04 UTC

[jira] [Commented] (RANGER-1446) Ranger Solr Plugin does not work when the collection list in the request is empty

    [ https://issues.apache.org/jira/browse/RANGER-1446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16019788#comment-16019788 ] 

Colm O hEigeartaigh commented on RANGER-1446:
---------------------------------------------

Hi [~yzhou2001],

I'm wondering if the RangerSolrAuthorizer.createRequest logic should be modified after this change (to default to "true"). If no collection name is specified then it will not attempt any authorization. I'm not sure if this could arise in practice or not. It would seem safer to default to "*" if no collection name is specified and to perform the authorization. Would this change break your tests?

Colm.

> Ranger Solr Plugin does not work when the collection list in the request is empty
> ---------------------------------------------------------------------------------
>
>                 Key: RANGER-1446
>                 URL: https://issues.apache.org/jira/browse/RANGER-1446
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 0.7.0, 0.6.1, 0.6.2, 0.6.3
>            Reporter: Yan
>            Assignee: Yan
>            Priority: Critical
>             Fix For: 1.0.0, 0.7.1
>
>         Attachments: 0001-Ranger-1446-Ranger-Solr-Plugin-does-not-work-when-th.patch
>
>
> The fix of Ranger-1095 set the initial value of "denied" to "true" from the previous "false". One impact of this change is that, when context.getCollectionRequests() is empty, which could be the case in many invocations Solr makes to Ranger on authorization per client request, the permission is plainly denied without going to the Ranger policy engine. So the fix changed the default behavior related to "denied".
> A proper fix of Ranger-1095 IMO should be just to set the "denied" to "true" in the catch block without changing the initial value of the variable.
>  
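
The behaviours discussed in this thread, side by side, as an added example that is not part of the original message and is not Ranger's code. The class, the policyAllows and isDenied helpers, the sample users and the "unreachable" collection are all hypothetical.

```java
import java.util.List;

// Simplified model of the logic discussed in this thread; it is not Ranger source code.
public class DeniedDefaultDemo {

    // Hypothetical policy engine: "admin" may access anything, everyone may read "public".
    // The collection "unreachable" simulates an engine failure (constructed for the demo).
    static boolean policyAllows(String user, String collection) {
        if (collection.equals("unreachable")) {
            throw new IllegalStateException("policy engine error");
        }
        return user.equals("admin") || collection.equals("public");
    }

    // initialDenied:     starting value of "denied" (false before RANGER-1095, true after it)
    // wildcardWhenEmpty: the suggestion in the comment, treat an empty collection list as "*"
    static boolean isDenied(String user, List<String> collections,
                            boolean initialDenied, boolean wildcardWhenEmpty) {
        boolean denied = initialDenied;
        List<String> effective =
                (collections.isEmpty() && wildcardWhenEmpty) ? List.of("*") : collections;
        try {
            for (String collection : effective) {
                denied = !policyAllows(user, collection);
                if (denied) {
                    break;
                }
            }
        } catch (RuntimeException e) {
            denied = true; // fail closed on error, as the issue description proposes
        }
        return denied;
    }

    public static void main(String[] args) {
        List<String> none = List.of();
        // Initial value true: an empty request is denied and the policy is never consulted.
        System.out.println("init=true,  empty, admin: denied=" + isDenied("admin", none, true, false));
        // Initial value false: an empty request is allowed, again without a policy check.
        System.out.println("init=false, empty, guest: denied=" + isDenied("guest", none, false, false));
        // Empty list mapped to "*": the policy decides for each user.
        System.out.println("wildcard,   empty, admin: denied=" + isDenied("admin", none, true, true));
        System.out.println("wildcard,   empty, guest: denied=" + isDenied("guest", none, true, true));
        // An engine error ends in the catch block regardless of the initial value.
        System.out.println("init=false, error, admin: denied=" + isDenied("admin", List.of("unreachable"), false, false));
    }
}
```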