Posted to dev@ranger.apache.org by Abhay Kulkarni <ak...@hortonworks.com> on 2019/05/11 01:45:33 UTC
Review Request 70629: RANGER-2414: Enhancements to support roles in
Ranger policies
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/
-----------------------------------------------------------
Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
Bugs: RANGER-2414
https://issues.apache.org/jira/browse/RANGER-2414
Repository: ranger
Description
-------
The current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the widespread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for the Ranger policy model to support 'roles', i.e. to be able to specify authorization/column-masking/row-filtering for roles as well, in addition to the existing support for users and user-groups.
This patch provides an initial implementation of support for roles in Ranger.
Diffs
-----
agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 28db58cd9
agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 5e2c49211
agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3111037ff
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 990aab0c9
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 365edcf35
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java 2c1de4eb8
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java f204c15c0
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java bf4d6c1ea
security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 35dc9405b
security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3ff763c71
security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1c9
security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 1af54e18a
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
security-admin/src/main/webapp/styles/xa.css 6ae646dfc
security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ac9af5eb4
Diff: https://reviews.apache.org/r/70629/diff/1/
Testing
-------
- Role CRUD
- Policy Updates to add/remove roles
- Logic to authorize access with roles
- Tracking Service versions with role updates
Thanks,
Abhay Kulkarni
Re: Review Request 70629: RANGER-2414: Enhancements to support roles
in Ranger policies
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215596
-----------------------------------------------------------
Fix it, then Ship it!
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java
Lines 40 (patched)
<https://reviews.apache.org/r/70629/#comment302328>
Please consider adding "implements java.io.Serializable", to be consistent with other model classes - like RangerPolicy.
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java
Lines 161 (patched)
<https://reviews.apache.org/r/70629/#comment302329>
Consider replacing with:
return Objects.hash(name, isAdmin);
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java
Lines 172 (patched)
<https://reviews.apache.org/r/70629/#comment302330>
Consider replacing #172 - #178 with the following:
return Objects.equals(name, other.name) &&
isAdmin == other.isAdmin;
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
Line 80 (original), 80 (patched)
<https://reviews.apache.org/r/70629/#comment302331>
Instead of updating the existing method, consider retaining it and adding a new method that takes a 'roles' parameter - to avoid breaking RangerPolicyEngine implementations (that might exist outside the Ranger repo).
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 1264 (patched)
<https://reviews.apache.org/r/70629/#comment302332>
Since 'owner' is not recognized, it will be simpler to remove it from this method signature. It can be added back if/when the use case for supporting 'owner' is clear.
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
Line 157 (original), 192 (patched)
<https://reviews.apache.org/r/70629/#comment302333>
One more '}' needed, for the opening '{' in #159?
- Madhan Neethiraj
On May 29, 2019, 10:47 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> -----------------------------------------------------------
>
> (Updated May 29, 2019, 10:47 p.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the wide-spread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for Ranger policy model to support 'roles' i.e. to be able to specify authorization/column-masking/row-filtering for roles as well - in addition to existing support for users and user-groups.
>
> This patch provides an initial implementation of support for roles in Ranger.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 800b3c4f4
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 5316baea3
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java 99b2ab357
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java eab2c238e
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
> agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
> agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java e6d90a491
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
> agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
> agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
> security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
> security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
> security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
> security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
> security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
> security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
> security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java eef29b0dc
> security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
> security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
> security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 01f1a1264
> security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
> security-admin/src/main/resources/META-INF/jpa_named_queries.xml 2fa12f9f5
> security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
> security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
> security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
> security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
> security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
> security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
> security-admin/src/main/webapp/scripts/utils/XAEnums.js c6956eafb
> security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
> security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js a4b608796
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
> security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
> security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js 4a73c3215
> security-admin/src/main/webapp/scripts/views/users/AddUsersOrGroupsList.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
> security-admin/src/main/webapp/styles/xa.css 8b44d3ad4
> security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
> security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
> security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
> security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
> security-admin/src/main/webapp/templates/reports/RoleOperationDiff_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/reports/RoleUpdateOperationDiff_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/AddUserOrGroupsItem_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/AddUserOrGroupsList_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
> security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java 00ef5e347
>
>
> Diff: https://reviews.apache.org/r/70629/diff/5/
>
>
> Testing
> -------
>
> - Role CRUD
> - Policy Updates to add/remove roles
> - Logic to authorize access with roles
> - Tracking Service versions with role updates
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 70629: RANGER-2414: Enhancements to support roles
in Ranger policies
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215602
-----------------------------------------------------------
Ship it!
Ship It!
- Madhan Neethiraj
On May 30, 2019, 6:31 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> -----------------------------------------------------------
>
> (Updated May 30, 2019, 6:31 p.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the wide-spread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for Ranger policy model to support 'roles' i.e. to be able to specify authorization/column-masking/row-filtering for roles as well - in addition to existing support for users and user-groups.
>
> This patch provides an initial implementation of support for roles in Ranger.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 800b3c4f4
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 5316baea3
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java 99b2ab357
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java db5dde769
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
> agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
> agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java e6d90a491
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
> agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
> agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
> security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
> security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
> security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
> security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
> security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
> security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
> security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java eef29b0dc
> security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
> security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
> security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java e1f6eeccf
> security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
> security-admin/src/main/resources/META-INF/jpa_named_queries.xml 2fa12f9f5
> security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
> security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
> security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
> security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
> security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
> security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
> security-admin/src/main/webapp/scripts/utils/XAEnums.js c6956eafb
> security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
> security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js a4b608796
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
> security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
> security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js 4a73c3215
> security-admin/src/main/webapp/scripts/views/users/AddUsersOrGroupsList.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
> security-admin/src/main/webapp/styles/xa.css 8b44d3ad4
> security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
> security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
> security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
> security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
> security-admin/src/main/webapp/templates/reports/RoleOperationDiff_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/reports/RoleUpdateOperationDiff_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/AddUserOrGroupsItem_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/AddUserOrGroupsList_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
> security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java 00ef5e347
>
>
> Diff: https://reviews.apache.org/r/70629/diff/6/
>
>
> Testing
> -------
>
> - Role CRUD
> - Policy Updates to add/remove roles
> - Logic to authorize access with roles
> - Tracking Service versions with role updates
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 70629: RANGER-2414: Enhancements to support roles
in Ranger policies
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/
-----------------------------------------------------------
(Updated May 30, 2019, 6:31 p.m.)
Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
Addressed review comments
Bugs: RANGER-2414
https://issues.apache.org/jira/browse/RANGER-2414
Repository: ranger
Description
-------
The current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the widespread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for the Ranger policy model to support 'roles', i.e. to be able to specify authorization/column-masking/row-filtering for roles as well, in addition to the existing support for users and user-groups.
This patch provides an initial implementation of support for roles in Ranger.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 800b3c4f4
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 5316baea3
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java 99b2ab357
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java db5dde769
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java e6d90a491
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java eef29b0dc
security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java e1f6eeccf
security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
security-admin/src/main/resources/META-INF/jpa_named_queries.xml 2fa12f9f5
security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
security-admin/src/main/webapp/scripts/utils/XAEnums.js c6956eafb
security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js a4b608796
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js 4a73c3215
security-admin/src/main/webapp/scripts/views/users/AddUsersOrGroupsList.js PRE-CREATION
security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
security-admin/src/main/webapp/styles/xa.css 8b44d3ad4
security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
security-admin/src/main/webapp/templates/reports/RoleOperationDiff_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/reports/RoleUpdateOperationDiff_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/AddUserOrGroupsItem_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/AddUserOrGroupsList_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java 00ef5e347
Diff: https://reviews.apache.org/r/70629/diff/6/
Changes: https://reviews.apache.org/r/70629/diff/5-6/
Testing
-------
- Role CRUD
- Policy Updates to add/remove roles
- Logic to authorize access with roles
- Tracking Service versions with role updates
Thanks,
Abhay Kulkarni
Re: Review Request 70629: RANGER-2414: Enhancements to support roles
in Ranger policies
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/
-----------------------------------------------------------
(Updated May 29, 2019, 10:47 p.m.)
Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
Updated GUI. Tested with zones.
Bugs: RANGER-2414
https://issues.apache.org/jira/browse/RANGER-2414
Repository: ranger
Description
-------
The current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the widespread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for the Ranger policy model to support 'roles', i.e. to be able to specify authorization/column-masking/row-filtering for roles as well, in addition to the existing support for users and user-groups.
This patch provides an initial implementation of support for roles in Ranger.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 800b3c4f4
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 5316baea3
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java 99b2ab357
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java eab2c238e
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java e6d90a491
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java eef29b0dc
security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 01f1a1264
security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
security-admin/src/main/resources/META-INF/jpa_named_queries.xml 2fa12f9f5
security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
security-admin/src/main/webapp/scripts/utils/XAEnums.js c6956eafb
security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js a4b608796
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js 4a73c3215
security-admin/src/main/webapp/scripts/views/users/AddUsersOrGroupsList.js PRE-CREATION
security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
security-admin/src/main/webapp/styles/xa.css 8b44d3ad4
security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
security-admin/src/main/webapp/templates/reports/RoleOperationDiff_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/reports/RoleUpdateOperationDiff_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/AddUserOrGroupsItem_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/AddUserOrGroupsList_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java 00ef5e347
Diff: https://reviews.apache.org/r/70629/diff/5/
Changes: https://reviews.apache.org/r/70629/diff/4-5/
Testing
-------
- Role CRUD
- Policy Updates to add/remove roles
- Logic to authorize access with roles
- Tracking Service versions with role updates
Thanks,
Abhay Kulkarni
Re: Review Request 70629: RANGER-2414: Enhancements to support roles
in Ranger policies
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/
-----------------------------------------------------------
(Updated May 22, 2019, 1:19 a.m.)
Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
Refactored RangerRole to use inner class RoleMember. Updated GUI.
Bugs: RANGER-2414
https://issues.apache.org/jira/browse/RANGER-2414
Repository: ranger
Description
-------
The current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the widespread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for the Ranger policy model to support 'roles', i.e. to be able to specify authorization/column-masking/row-filtering for roles as well, in addition to the existing support for users and user-groups.
This patch provides an initial implementation of support for roles in Ranger.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 800b3c4f4
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 5316baea3
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java eab2c238e
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java e6d90a491
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 35dc9405b
security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 0e7cd8f86
security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1c9
security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
security-admin/src/main/webapp/scripts/utils/XAEnums.js c6956eafb
security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js a4b608796
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js 4a73c3215
security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
security-admin/src/main/webapp/styles/xa.css 8b44d3ad4
security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
security-admin/src/main/webapp/templates/reports/RoleOperationDiff_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/reports/RoleUpdateOperationDiff_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ac9af5eb4
Diff: https://reviews.apache.org/r/70629/diff/4/
Changes: https://reviews.apache.org/r/70629/diff/3-4/
Testing
-------
- Role CRUD
- Policy Updates to add/remove roles
- Logic to authorize access with roles
- Tracking Service versions with role updates
Thanks,
Abhay Kulkarni
Re: Review Request 70629: RANGER-2414: Enhancements to support roles
in Ranger policies
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/
-----------------------------------------------------------
(Updated May 15, 2019, 1:58 a.m.)
Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
Addressed review comments
Bugs: RANGER-2414
https://issues.apache.org/jira/browse/RANGER-2414
Repository: ranger
Description
-------
The current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the widespread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for the Ranger policy model to support 'roles', i.e. to be able to specify authorization/column-masking/row-filtering for roles as well, in addition to the existing support for users and user-groups.
This patch provides an initial implementation of support for roles in Ranger.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3111037ff
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 990aab0c9
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java eab2c238e
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java 2c1de4eb8
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 35dc9405b
security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3ff763c71
security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1c9
security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
security-admin/src/main/webapp/scripts/utils/XAEnums.js c6956eafb
security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 1af54e18a
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js 4a73c3215
security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
security-admin/src/main/webapp/styles/xa.css 6ae646dfc
security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
security-admin/src/main/webapp/templates/reports/RoleOperationDiff_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/reports/RoleUpdateOperationDiff_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ac9af5eb4
Diff: https://reviews.apache.org/r/70629/diff/3/
Changes: https://reviews.apache.org/r/70629/diff/2-3/
Testing
-------
- Role CRUD
- Policy Updates to add/remove roles
- Logic to authorize access with roles
- Tracking Service versions with role updates
Thanks,
Abhay Kulkarni
Re: Review Request 70629: RANGER-2414: Enhancements to support roles
in Ranger policies
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
> On May 14, 2019, 3:37 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
> > Line 527 (original), 528 (patched)
> > <https://reviews.apache.org/r/70629/diff/2/?file=2144835#file2144835line528>
> >
> > PolicyACLSummary has getRolesAccessInfo(), so it may not be necessary to skip policies that include 'roles'. Please review and update.
Opened https://issues.apache.org/jira/browse/RANGER-2428 to track this.
- Abhay
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215233
-----------------------------------------------------------
On May 15, 2019, 1:58 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> -----------------------------------------------------------
>
> (Updated May 15, 2019, 1:58 a.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the wide-spread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for Ranger policy model to support 'roles' i.e. to be able to specify authorization/column-masking/row-filtering for roles as well - in addition to existing support for users and user-groups.
>
> This patch provides an initial implementation of support for roles in Ranger.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3111037ff
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 990aab0c9
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java eab2c238e
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
> agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
> agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java 2c1de4eb8
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
> agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
> agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
> security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
> security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
> security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
> security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
> security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
> security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
> security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 35dc9405b
> security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
> security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
> security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3ff763c71
> security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
> security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1c9
> security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
> security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
> security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
> security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
> security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
> security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
> security-admin/src/main/webapp/scripts/utils/XAEnums.js c6956eafb
> security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
> security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 1af54e18a
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
> security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
> security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js 4a73c3215
> security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
> security-admin/src/main/webapp/styles/xa.css 6ae646dfc
> security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
> security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
> security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
> security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
> security-admin/src/main/webapp/templates/reports/RoleOperationDiff_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/reports/RoleUpdateOperationDiff_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
> security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ac9af5eb4
>
>
> Diff: https://reviews.apache.org/r/70629/diff/3/
>
>
> Testing
> -------
>
> - Role CRUD
> - Policy Updates to add/remove roles
> - Logic to authorize access with roles
> - Tracking Service versions with role updates
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 70629: RANGER-2414: Enhancements to support roles
in Ranger policies
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215233
-----------------------------------------------------------
agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
Lines 127 (patched)
<https://reviews.apache.org/r/70629/#comment301848>
I suggest not including 'roles' in audit logs - at least for the first cut. If this becomes critical, it can be added later.
agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
Lines 256 (patched)
<https://reviews.apache.org/r/70629/#comment301849>
Looks like the method can be replaced with the following. Please review and update.
return RangerAccessRequestUtil.getCurrentUserRolesFromContext(request.getContext());
Anyway, this method wouldn't be needed if we decided to not store roles in audit logs.
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 1264 (patched)
<https://reviews.apache.org/r/70629/#comment301847>
Defining roles for 'USER_CURRENT' doesn't seem intuitive. This is equivalent to having the role assigned to the 'public' group. Consider removing lines #1264 - #1268.
Given that the owner (of a resource) is available only for a few service-types (well, only HDFS for now; Atlas and Hive on the way), I think it will be good to not support this in roles. Consider removing #1269 - #1275.
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
Line 527 (original), 528 (patched)
<https://reviews.apache.org/r/70629/#comment301851>
PolicyACLSummary has getRolesAccessInfo(), so it may not be necessary to skip policies that include 'roles'. Please review and update.
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
Lines 253 (patched)
<https://reviews.apache.org/r/70629/#comment301852>
Consider removing #252 - #260, and replace 'hasRole' in #261 with:
(CollectionUtils.isNotEmpty(roles) && CollectionUtils.containsAny(roles, RangerAccessRequestUtil.getCurrentUserRolesFromContext(request.getContext())));
Note that RangerAccessRequestUtil.getCurrentUserRolesFromContext() should return emptyList() when current user has no roles.
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
Lines 162 (patched)
<https://reviews.apache.org/r/70629/#comment301853>
RangerAccessRequestUtil.setTokenInContext() ==> RangerAccessRequestUtil.setCurrentUserRolesInContext()
- Madhan Neethiraj
On May 14, 2019, 1:55 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> -----------------------------------------------------------
>
> (Updated May 14, 2019, 1:55 a.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the wide-spread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for Ranger policy model to support 'roles' i.e. to be able to specify authorization/column-masking/row-filtering for roles as well - in addition to existing support for users and user-groups.
>
> This patch provides an initial implementation of support for roles in Ranger.
>
>
> Diffs
> -----
>
> agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 28db58cd9
> agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 5e2c49211
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3111037ff
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 990aab0c9
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 365edcf35
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
> agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
> agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java 2c1de4eb8
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
> agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
> agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
> hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java f204c15c0
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java bf4d6c1ea
> security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
> security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
> security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
> security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
> security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
> security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
> security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 35dc9405b
> security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
> security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
> security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3ff763c71
> security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
> security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1c9
> security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
> security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
> security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
> security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
> security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
> security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
> security-admin/src/main/webapp/scripts/utils/XAEnums.js c6956eafb
> security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
> security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 1af54e18a
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
> security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
> security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js 4a73c3215
> security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
> security-admin/src/main/webapp/styles/xa.css 6ae646dfc
> security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
> security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
> security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
> security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
> security-admin/src/main/webapp/templates/reports/RoleOperationDiff_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/reports/RoleUpdateOperationDiff_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
> security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ac9af5eb4
>
>
> Diff: https://reviews.apache.org/r/70629/diff/2/
>
>
> Testing
> -------
>
> - Role CRUD
> - Policy Updates to add/remove roles
> - Logic to authorize access with roles
> - Tracking Service versions with role updates
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 70629: RANGER-2414: Enhancements to support roles
in Ranger policies
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/
-----------------------------------------------------------
(Updated May 14, 2019, 1:55 a.m.)
Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
Addressed review comments
Bugs: RANGER-2414
https://issues.apache.org/jira/browse/RANGER-2414
Repository: ranger
Description
-------
Current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the wide-spread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for Ranger policy model to support 'roles' i.e. to be able to specify authorization/column-masking/row-filtering for roles as well - in addition to existing support for users and user-groups.
This patch provides an initial implementation of support for roles in Ranger.
Diffs (updated)
-----
agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 28db58cd9
agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 5e2c49211
agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3111037ff
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 990aab0c9
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 365edcf35
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java 2c1de4eb8
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java f204c15c0
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java bf4d6c1ea
security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 35dc9405b
security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3ff763c71
security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1c9
security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
security-admin/src/main/webapp/scripts/utils/XAEnums.js c6956eafb
security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 1af54e18a
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js 4a73c3215
security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
security-admin/src/main/webapp/styles/xa.css 6ae646dfc
security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
security-admin/src/main/webapp/templates/reports/RoleOperationDiff_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/reports/RoleUpdateOperationDiff_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ac9af5eb4
Diff: https://reviews.apache.org/r/70629/diff/2/
Changes: https://reviews.apache.org/r/70629/diff/1-2/
Testing
-------
- Role CRUD
- Policy Updates to add/remove roles
- Logic to authorize access with roles
- Tracking Service versions with role updates
Thanks,
Abhay Kulkarni
Re: Review Request 70629: RANGER-2414: Enhancements to support roles
in Ranger policies
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
> On May 11, 2019, 5:08 p.m., Madhan Neethiraj wrote:
> > agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
> > Lines 127 (patched)
> > <https://reviews.apache.org/r/70629/diff/1/?file=2144528#file2144528line127>
> >
> > Would this include all roles of the user, at the time of access, in each audit log? This might add excessive data into audit logs. This should be seen as user->groups mapping, which is not included in audit logs. Please review.
Yes. I think it will be useful to log this, as the user->role mapping is 'owned' by Ranger admin (unlike user->group mapping, which is 'owned' by LDAP or some external entity).
> On May 11, 2019, 5:08 p.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
> > Lines 1289 (patched)
> > <https://reviews.apache.org/r/70629/diff/1/?file=2144535#file2144535line1289>
> >
> > Can handling of the 'public' group be done at Ranger admin, i.e. in the ServicePolicies downloaded and given to the plugins?
No. Role-names that the requesting user maps to need to be built per request, as the requesting user is known only at the access time.
> On May 11, 2019, 5:08 p.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
> > Lines 529 (patched)
> > <https://reviews.apache.org/r/70629/diff/1/?file=2144537#file2144537line529>
> >
> > Why would the presence of roles make it not usable for evaluation? Shouldn't this be treated similarly to groups?
Theoretically, no. However, as a first-cut, this approximation is useful.
- Abhay
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215200
-----------------------------------------------------------
On May 11, 2019, 1:45 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> -----------------------------------------------------------
>
> (Updated May 11, 2019, 1:45 a.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the wide-spread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for Ranger policy model to support 'roles' i.e. to be able to specify authorization/column-masking/row-filtering for roles as well - in addition to existing support for users and user-groups.
>
> This patch provides an initial implementation of support for roles in Ranger.
>
>
> Diffs
> -----
>
> agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 28db58cd9
> agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 5e2c49211
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3111037ff
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 990aab0c9
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 365edcf35
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
> agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
> agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java 2c1de4eb8
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
> agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
> agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
> hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java f204c15c0
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java bf4d6c1ea
> security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
> security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
> security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
> security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
> security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
> security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
> security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 35dc9405b
> security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
> security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
> security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3ff763c71
> security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
> security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1c9
> security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
> security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
> security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
> security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
> security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
> security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
> security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
> security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 1af54e18a
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
> security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
> security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
> security-admin/src/main/webapp/styles/xa.css 6ae646dfc
> security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
> security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
> security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
> security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
> security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
> security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ac9af5eb4
>
>
> Diff: https://reviews.apache.org/r/70629/diff/1/
>
>
> Testing
> -------
>
> - Role CRUD
> - Policy Updates to add/remove roles
> - Logic to authorize access with roles
> - Tracking Service versions with role updates
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 70629: RANGER-2414: Enhancements to support roles
in Ranger policies
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
> On May 11, 2019, 5:08 p.m., Madhan Neethiraj wrote:
> > agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
> > Lines 127 (patched)
> > <https://reviews.apache.org/r/70629/diff/1/?file=2144528#file2144528line127>
> >
> > Would this include all roles of the user, at the time of access, in each audit log? This might add excessive data into audit logs. This should be seen as user->groups mapping, which is not included in audit logs. Please review.
>
> Abhay Kulkarni wrote:
> Yes. I think it will be useful to log this, as the user->role mapping is 'owned' by Ranger admin (unlike user->group mapping, which is 'owned' by LDAP or some external entity).
Done
> On May 11, 2019, 5:08 p.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
> > Lines 529 (patched)
> > <https://reviews.apache.org/r/70629/diff/1/?file=2144537#file2144537line529>
> >
> > Why would the presence of roles make it not usable for evaluation? Shouldn't this be treated similarly to groups?
>
> Abhay Kulkarni wrote:
> Theoretically, no. However, as a first-cut, this approximation is useful.
Opened https://issues.apache.org/jira/browse/RANGER-2428 to track this.
- Abhay
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215200
-----------------------------------------------------------
On May 15, 2019, 1:58 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> -----------------------------------------------------------
>
> (Updated May 15, 2019, 1:58 a.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the wide-spread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for Ranger policy model to support 'roles' i.e. to be able to specify authorization/column-masking/row-filtering for roles as well - in addition to existing support for users and user-groups.
>
> This patch provides an initial implementation of support for roles in Ranger.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3111037ff
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 990aab0c9
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java eab2c238e
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
> agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
> agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java 2c1de4eb8
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
> agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
> agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
> security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
> security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
> security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
> security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
> security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
> security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
> security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 35dc9405b
> security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
> security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
> security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3ff763c71
> security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
> security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1c9
> security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
> security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
> security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
> security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
> security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
> security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
> security-admin/src/main/webapp/scripts/utils/XAEnums.js c6956eafb
> security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
> security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 1af54e18a
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
> security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
> security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js 4a73c3215
> security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
> security-admin/src/main/webapp/styles/xa.css 6ae646dfc
> security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
> security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
> security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
> security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
> security-admin/src/main/webapp/templates/reports/RoleOperationDiff_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/reports/RoleUpdateOperationDiff_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
> security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ac9af5eb4
>
>
> Diff: https://reviews.apache.org/r/70629/diff/3/
>
>
> Testing
> -------
>
> - Role CRUD
> - Policy Updates to add/remove roles
> - Logic to authorize access with roles
> - Tracking Service versions with role updates
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 70629: RANGER-2414: Enhancements to support roles
in Ranger policies
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215200
-----------------------------------------------------------
agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
Lines 127 (patched)
<https://reviews.apache.org/r/70629/#comment301754>
Would this include all roles of the user, at the time of access, in each audit log? This might add excessive data into audit logs. This should be seen as user->groups mapping, which is not included in audit logs. Please review.
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 1276 (patched)
<https://reviews.apache.org/r/70629/#comment301755>
It seems 'macroUserRoles' should be effective only for the current evaluation context. Adding them to 'userRoles', which is a reference in 'userRoleMapping', would make the change visible to all evaluations. Please review and update.
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 1289 (patched)
<https://reviews.apache.org/r/70629/#comment301756>
Can handling of the 'public' group be done at Ranger admin, i.e. in the ServicePolicies downloaded and given to the plugins?
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 1299 (patched)
<https://reviews.apache.org/r/70629/#comment301757>
#1276 applies here as well. Please review.
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 1318 (patched)
<https://reviews.apache.org/r/70629/#comment301758>
#1276 might be applicable here as well. Please review.
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
Lines 529 (patched)
<https://reviews.apache.org/r/70629/#comment301759>
Why would the presence of roles make it not usable for evaluation? Shouldn't this be treated similarly to groups?
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
Lines 214 (patched)
<https://reviews.apache.org/r/70629/#comment301760>
Consider avoiding this typecasting by adding the following methods:
class RangerAccessRequestUtil {
public static void setCurrentUserRoles(Set<String> roles) {
// ...
}
public static Set<String> getCurrentUserRoles() {
// ...
}
}
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
Lines 165 (patched)
<https://reviews.apache.org/r/70629/#comment301761>
Shouldn't dataMaskPolicyItems and rowFilterPolicyItems be checked as well?
agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
Lines 63 (patched)
<https://reviews.apache.org/r/70629/#comment301762>
It will be useful to add a comment here, on what the key and values are.
Also, if Ranger admin is going to compute the roles for users and groups, the following might be simpler in ServicePolicies:
private Map<String, Set<String>> userRoles;
private Map<String, Set<String>> groupRoles;
- Madhan Neethiraj
On May 11, 2019, 1:45 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> -----------------------------------------------------------
>
> (Updated May 11, 2019, 1:45 a.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the wide-spread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for Ranger policy model to support 'roles' i.e. to be able to specify authorization/column-masking/row-filtering for roles as well - in addition to existing support for users and user-groups.
>
> This patch provides an initial implementation of support for roles in Ranger.
>
>
> Diffs
> -----
>
> agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 28db58cd9
> agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 5e2c49211
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3111037ff
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 990aab0c9
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 365edcf35
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
> agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
> agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java 2c1de4eb8
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
> agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
> agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
> hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java f204c15c0
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java bf4d6c1ea
> security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
> security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
> security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
> security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
> security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
> security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
> security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 35dc9405b
> security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
> security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
> security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3ff763c71
> security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
> security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1c9
> security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
> security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
> security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
> security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
> security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
> security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
> security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
> security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 1af54e18a
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
> security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
> security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
> security-admin/src/main/webapp/styles/xa.css 6ae646dfc
> security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
> security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
> security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
> security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
> security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
> security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ac9af5eb4
>
>
> Diff: https://reviews.apache.org/r/70629/diff/1/
>
>
> Testing
> -------
>
> - Role CRUD
> - Policy Updates to add/remove roles
> - Logic to authorize access with roles
> - Tracking Service versions with role updates
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 70629: RANGER-2414: Enhancements to support roles
in Ranger policies
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
> On May 11, 2019, 7:10 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
> > Lines 944 (patched)
> > <https://reviews.apache.org/r/70629/diff/1/?file=2144531#file2144531line944>
> >
> > Is there a small window where the roles could be empty, and could that cause problems in a multi-threaded environment?
I don't think so. Are you suggesting concurrent updates to policy may lead to inconsistent policy state? If so, one of the transactions will be aborted when attempting to persist changes to database.
- Abhay
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215198
-----------------------------------------------------------
On May 11, 2019, 1:45 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> -----------------------------------------------------------
>
> (Updated May 11, 2019, 1:45 a.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the wide-spread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for Ranger policy model to support 'roles' i.e. to be able to specify authorization/column-masking/row-filtering for roles as well - in addition to existing support for users and user-groups.
>
> This patch provides an initial implementation of support for roles in Ranger.
>
>
> Diffs
> -----
>
> agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 28db58cd9
> agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 5e2c49211
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3111037ff
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 990aab0c9
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 365edcf35
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
> agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
> agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java 2c1de4eb8
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
> agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
> agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
> hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java f204c15c0
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java bf4d6c1ea
> security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
> security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
> security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
> security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
> security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
> security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
> security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 35dc9405b
> security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
> security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
> security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3ff763c71
> security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
> security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1c9
> security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
> security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
> security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
> security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
> security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
> security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
> security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
> security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 1af54e18a
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
> security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
> security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
> security-admin/src/main/webapp/styles/xa.css 6ae646dfc
> security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
> security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
> security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
> security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
> security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
> security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ac9af5eb4
>
>
> Diff: https://reviews.apache.org/r/70629/diff/1/
>
>
> Testing
> -------
>
> - Role CRUD
> - Policy Updates to add/remove roles
> - Logic to authorize access with roles
> - Tracking Service versions with role updates
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 70629: RANGER-2414: Enhancements to support roles
in Ranger policies
Posted by Don Bosco Durai <bo...@apache.org>.
> On May 11, 2019, 7:10 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
> > Lines 944 (patched)
> > <https://reviews.apache.org/r/70629/diff/1/?file=2144531#file2144531line944>
> >
> > Is there a small window where the roles could be empty, and could that cause problems in a multi-threaded environment?
>
> Abhay Kulkarni wrote:
> I don't think so. Are you suggesting concurrent updates to policy may lead to inconsistent policy state? If so, one of the transactions will be aborted when attempting to persist changes to database.
>
> Don Bosco Durai wrote:
> I meant: if a request for authorization arrives while the policies are getting updated, is it possible the list will be empty?
>
> Abhay Kulkarni wrote:
> Policies in the policy-engine are treated as read-only during authorization. So, there is no possibility of list getting modified.
Thanks for clarifying.
- Don Bosco
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215198
-----------------------------------------------------------
On May 15, 2019, 1:58 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> -----------------------------------------------------------
>
> (Updated May 15, 2019, 1:58 a.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the wide-spread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for Ranger policy model to support 'roles' i.e. to be able to specify authorization/column-masking/row-filtering for roles as well - in addition to existing support for users and user-groups.
>
> This patch provides an initial implementation of support for roles in Ranger.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3111037ff
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 990aab0c9
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java eab2c238e
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
> agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
> agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java 2c1de4eb8
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
> agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
> agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
> security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
> security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
> security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
> security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
> security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
> security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
> security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 35dc9405b
> security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
> security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
> security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3ff763c71
> security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
> security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1c9
> security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
> security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
> security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
> security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
> security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
> security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
> security-admin/src/main/webapp/scripts/utils/XAEnums.js c6956eafb
> security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
> security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 1af54e18a
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
> security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
> security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js 4a73c3215
> security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
> security-admin/src/main/webapp/styles/xa.css 6ae646dfc
> security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
> security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
> security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
> security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
> security-admin/src/main/webapp/templates/reports/RoleOperationDiff_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/reports/RoleUpdateOperationDiff_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
> security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ac9af5eb4
>
>
> Diff: https://reviews.apache.org/r/70629/diff/3/
>
>
> Testing
> -------
>
> - Role CRUD
> - Policy Updates to add/remove roles
> - Logic to authorize access with roles
> - Tracking Service versions with role updates
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 70629: RANGER-2414: Enhancements to support roles
in Ranger policies
Posted by Don Bosco Durai <bo...@apache.org>.
> On May 11, 2019, 7:10 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
> > Lines 944 (patched)
> > <https://reviews.apache.org/r/70629/diff/1/?file=2144531#file2144531line944>
> >
> > Is there a small window where the roles could be empty, and could that cause problems in a multi-threaded environment?
>
> Abhay Kulkarni wrote:
> I don't think so. Are you suggesting concurrent updates to policy may lead to inconsistent policy state? If so, one of the transactions will be aborted when attempting to persist changes to database.
I meant: if a request for authorization arrives while the policies are getting updated, is it possible the list will be empty?
- Don Bosco
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215198
-----------------------------------------------------------
On May 14, 2019, 1:55 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> -----------------------------------------------------------
>
> (Updated May 14, 2019, 1:55 a.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the wide-spread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for Ranger policy model to support 'roles' i.e. to be able to specify authorization/column-masking/row-filtering for roles as well - in addition to existing support for users and user-groups.
>
> This patch provides an initial implementation of support for roles in Ranger.
>
>
> Diffs
> -----
>
> agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 28db58cd9
> agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 5e2c49211
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3111037ff
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 990aab0c9
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 365edcf35
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
> agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
> agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java 2c1de4eb8
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
> agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
> agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
> hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java f204c15c0
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java bf4d6c1ea
> security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
> security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
> security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
> security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
> security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
> security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
> security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 35dc9405b
> security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
> security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
> security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3ff763c71
> security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
> security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1c9
> security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
> security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
> security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
> security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
> security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
> security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
> security-admin/src/main/webapp/scripts/utils/XAEnums.js c6956eafb
> security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
> security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 1af54e18a
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
> security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
> security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js 4a73c3215
> security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
> security-admin/src/main/webapp/styles/xa.css 6ae646dfc
> security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
> security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
> security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
> security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
> security-admin/src/main/webapp/templates/reports/RoleOperationDiff_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/reports/RoleUpdateOperationDiff_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
> security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ac9af5eb4
>
>
> Diff: https://reviews.apache.org/r/70629/diff/2/
>
>
> Testing
> -------
>
> - Role CRUD
> - Policy Updates to add/remove roles
> - Logic to authorize access with roles
> - Tracking Service versions with role updates
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 70629: RANGER-2414: Enhancements to support roles
in Ranger policies
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
> On May 11, 2019, 7:10 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
> > Lines 944 (patched)
> > <https://reviews.apache.org/r/70629/diff/1/?file=2144531#file2144531line944>
> >
> > Do we have a small window where the roles could be empty, and could that have an effect in a multi-threaded environment?
>
> Abhay Kulkarni wrote:
> I don't think so. Are you suggesting that concurrent updates to a policy may lead to an inconsistent policy state? If so, one of the transactions will be aborted when attempting to persist changes to the database.
>
> Don Bosco Durai wrote:
> I meant: while the policies are being updated, if a request for authorization comes in, is it possible that the list will be empty?
Policies in the policy-engine are treated as read-only during authorization, so there is no possibility of the list getting modified.
- Abhay
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215198
-----------------------------------------------------------
On May 15, 2019, 1:58 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> -----------------------------------------------------------
>
> (Updated May 15, 2019, 1:58 a.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the wide-spread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for Ranger policy model to support 'roles' i.e. to be able to specify authorization/column-masking/row-filtering for roles as well - in addition to existing support for users and user-groups.
>
> This patch provides an initial implementation of support for roles in Ranger.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3111037ff
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 990aab0c9
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java eab2c238e
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
> agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
> agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java 2c1de4eb8
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
> agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
> agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
> security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
> security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
> security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
> security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
> security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
> security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
> security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 35dc9405b
> security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
> security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
> security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3ff763c71
> security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
> security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1c9
> security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
> security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
> security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
> security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
> security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
> security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
> security-admin/src/main/webapp/scripts/utils/XAEnums.js c6956eafb
> security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
> security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 1af54e18a
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
> security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
> security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js 4a73c3215
> security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
> security-admin/src/main/webapp/styles/xa.css 6ae646dfc
> security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
> security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
> security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
> security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
> security-admin/src/main/webapp/templates/reports/RoleOperationDiff_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/reports/RoleUpdateOperationDiff_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
> security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ac9af5eb4
>
>
> Diff: https://reviews.apache.org/r/70629/diff/3/
>
>
> Testing
> -------
>
> - Role CRUD
> - Policy Updates to add/remove roles
> - Logic to authorize access with roles
> - Tracking Service versions with role updates
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 70629: RANGER-2414: Enhancements to support roles
in Ranger policies
Posted by Don Bosco Durai <bo...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215198
-----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
Lines 944 (patched)
<https://reviews.apache.org/r/70629/#comment301746>
Do we have a small window where the roles could be empty, and could that have an effect in a multi-threaded environment?
- Don Bosco Durai
On May 11, 2019, 1:45 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> -----------------------------------------------------------
>
> (Updated May 11, 2019, 1:45 a.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the wide-spread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for Ranger policy model to support 'roles' i.e. to be able to specify authorization/column-masking/row-filtering for roles as well - in addition to existing support for users and user-groups.
>
> This patch provides an initial implementation of support for roles in Ranger.
>
>
> Diffs
> -----
>
> agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 28db58cd9
> agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 5e2c49211
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3111037ff
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 990aab0c9
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 365edcf35
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
> agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
> agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java 2c1de4eb8
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
> agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
> agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
> hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java f204c15c0
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java bf4d6c1ea
> security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
> security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
> security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
> security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
> security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
> security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
> security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 35dc9405b
> security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
> security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
> security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3ff763c71
> security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
> security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1c9
> security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
> security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
> security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
> security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
> security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
> security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
> security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
> security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
> security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 1af54e18a
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
> security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
> security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
> security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
> security-admin/src/main/webapp/styles/xa.css 6ae646dfc
> security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
> security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
> security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
> security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
> security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
> security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
> security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ac9af5eb4
>
>
> Diff: https://reviews.apache.org/r/70629/diff/1/
>
>
> Testing
> -------
>
> - Role CRUD
> - Policy Updates to add/remove roles
> - Logic to authorize access with roles
> - Tracking Service versions with role updates
>
>
> Thanks,
>
> Abhay Kulkarni
>
>