Posted to dev@ranger.apache.org by Pradeep Agrawal <pr...@gmail.com> on 2019/06/27 17:31:25 UTC

Review Request 70952: RANGER-2484: Improve import API to merge the policies if resources are exactly same

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70952/
-----------------------------------------------------------

Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-2484
    https://issues.apache.org/jira/browse/RANGER-2484


Repository: ranger


Description
-------

**Problem Statement:** Observing failure while importing permissions into Ranger using the Ranger import API (/service/plugins/policies/importPoliciesFromFile?updateIfExists=true).

Create a ranger policy for resource "db1/table1/column1" with policy name policy-1 in service hivedev.

Import permissions for resource "db1/table1/column1" which has policy name policy-2 into hivedev service using import API mentioned above.
This results in the failure below:

 Validation failure: error code[3010], reason[Another policy already exists for matching resource: policy-name=[policy-1], service=[hivedev]], field[resources], subfield[null], type[semantically incorrect] 
This issue will be seen only when there is a policy that already exists for the resource with different policy name from the one that is being imported. If the policy names match, the policy is updated properly.

**Proposed Solution:**
Import API can accept an additional parameter 'ignorePolicyName' along with 'updateIfExists'. 'ignorePolicyName' parameter shall be helpful to decide whether policies should be merged or not irrespective of policy name.


**Updated Behaviour shall be:** (please add or ask to add if anything is missing below)
1) If the 'override' flag is true, the import API shall delete the existing policy from the given service and create the policies received from the JSON file.
2) If the 'updateIfExists' flag is true, the import API shall update the old policy object with the new policy JSON if the policy guid or policy name matches; if no policy exists with the given name and guid, it will create the policy, but policy creation may fail if a policy exists for the same resource with a different name.
3) If the 'updateIfExists' flag is true and the 'ignorePolicyName' flag is true and the new policy does not have policy conditions, then Ranger will try to find an existing policy for the exactly matching resource; if an exactly matching resource policy is found, the new policy will be merged into the existing policy and the existing policy name will remain the same. If same-resource policies are not found, it will try to act as 'updateIfExists' true (mentioned in step 2).


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 1d9391f20 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java c49c42698 


Diff: https://reviews.apache.org/r/70952/diff/1/


Testing
-------

1) Built Ranger with the attached patch, untarred Ranger, updated install.properties, and installed and started Ranger-admin.
2) Created testuser1 and testuser2.
3) Created a hive service: hivedev
4) Created a policy 'policy2' for resource db1/table1/column1 and added a policy item for user 'testuser1' with 'select' permissions.
5) Exported the policy JSON from the UI.
6) Updated the exported policy JSON: changed the policy name to 'policy3', updated the policy item by replacing 'testuser1' with 'testuser2', and added 'create' and 'update' permissions.
7) Now tried to import policies with param '':
curl -i -X POST --header "Accept:*/*" -H "Content-Type: multipart/form-data" -F 'file=@/Users/pradeep/Downloads/Ranger_Policies_20190625_104505.json' -u admin:ranger1234 'http://172.22.111.117:6080/service/plugins/policies/importPoliciesFromFile?updateIfExists=true&serviceType=hive'

**Expected Behaviour :** policy2 should be updated with additional policy item having testuser2 permissions of 'create' and 'update'.
**Actual Behaviour :** policy2 updated with additional policy item having testuser2 permissions of 'create' and 'update'.


Thanks,

Pradeep Agrawal
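
The three import rules in the description above, modelled as a pre-import check that shows which existing policy an imported policy would change. This is an added example, not code from the patch or from Ranger; the reduced policy shape, the action labels and the function names are assumptions, and updateIfExists=true is assumed throughout.

```python
# Added example: simplified model of the import rules described in the review
# request. Not Ranger code; policy dicts are a reduced, constructed shape.

def resource_key(policy):
    """Order-independent key so only exactly equal resources compare equal."""
    return tuple(sorted((k, tuple(sorted(v))) for k, v in policy["resources"].items()))

def plan_import(existing, incoming, override=False, ignore_policy_name=False):
    """Plan an import with updateIfExists=true. Returns (action, new, target) tuples."""
    if override:  # rule 1: existing policies are deleted, file contents created
        return ([("delete", None, p["name"]) for p in existing]
                + [("create", p["name"], None) for p in incoming])
    by_guid = {p["guid"]: p for p in existing}
    by_name = {p["name"]: p for p in existing}
    by_res = {resource_key(p): p for p in existing}
    plan = []
    for new in incoming:
        same_res = by_res.get(resource_key(new))
        # rule 3: merge by resource, only for policies without conditions
        if ignore_policy_name and same_res and not new.get("conditions"):
            plan.append(("merge", new["name"], same_res["name"]))
            continue
        # rule 2: update on guid or name match, otherwise create
        match = by_guid.get(new.get("guid")) or by_name.get(new["name"])
        if match:
            plan.append(("update", new["name"], match["name"]))
        elif same_res:  # modelled as the error 3010 case from the description
            plan.append(("fail-3010", new["name"], same_res["name"]))
        else:
            plan.append(("create", new["name"], None))
    return plan

def merged_items(target, new):
    """Policy items after a merge: the target keeps its name and gains new items."""
    return target["items"] + [i for i in new["items"] if i not in target["items"]]

# Constructed sample mirroring the test steps: policy2 exists, policy3 is imported.
POLICY2 = {"guid": "guid-a", "name": "policy2",
           "resources": {"database": ["db1"], "table": ["table1"], "column": ["column1"]},
           "items": [{"users": ["testuser1"], "accesses": ["select"]}]}
POLICY3 = {"guid": "guid-b", "name": "policy3",
           "resources": {"column": ["column1"], "table": ["table1"], "database": ["db1"]},
           "items": [{"users": ["testuser2"], "accesses": ["create", "update"]}]}

if __name__ == "__main__":
    for flag in (False, True):
        print("ignorePolicyName =", flag, plan_import([POLICY2], [POLICY3], ignore_policy_name=flag))
    print(merged_items(POLICY2, POLICY3))
```

A "merge" row means grants from the file land in a policy whose name does not appear in the file, so the plan is worth reviewing before the import is run.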


Re: Review Request 70952: RANGER-2484: Improve import API to merge the policies if resources are exactly same

Posted by Velmurugan Periasamy <vp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70952/#review216272
-----------------------------------------------------------


Ship it!

- Velmurugan Periasamy

