Posted to dev@ranger.apache.org by Abhay Kulkarni <ak...@hortonworks.com> on 2017/04/03 18:38:37 UTC
Review Request 58154: Policy engine updates to support tag-based
masking policies
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58154/
-----------------------------------------------------------
Review request for ranger and Madhan Neethiraj.
Bugs: RANGER-1493
https://issues.apache.org/jira/browse/RANGER-1493
Repository: ranger
Description
-------
The policy engine is enhanced to support tag-based policies for masking as well i.e. evalDataMaskPolicies()
Diffs
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java 9d8a651
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 06c7d16
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 508ef93
Diff: https://reviews.apache.org/r/58154/diff/1/
Testing
-------
Updated Tag-Service-Definition with dataMaskDef section for hive component, created a tag policy for data-masking; tagged a hive column with a tag and used beeline to test data-masking for that column.
Thanks,
Abhay Kulkarni
Re: Review Request 58154: Policy engine updates to support tag-based
masking policies
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58154/#review173093
-----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 757 (patched)
<https://reviews.apache.org/r/58154/#comment246168>
lines #757 through #764 should be replaced with the following:
    if(ret.getIsAccessDetermined()) {
        if (StringUtils.equalsIgnoreCase(ret.getMaskType(), RangerPolicy.MASK_TYPE_NONE)) {
            ret.setMaskType(null);
        }
        if(ret.getIsAuditedDetermined()) {
            break;
        }
    }
}
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 805 (patched)
<https://reviews.apache.org/r/58154/#comment246169>
lines #805 through #814 should be replaced with:
    if (tagEvalResult.getIsAccessDetermined()) {
        if (StringUtils.equalsIgnoreCase(tagEvalResult.getMaskType(), RangerPolicy.MASK_TYPE_NONE)) {
            tagEvalResult.setMaskType(null);
        }
        if (tagEvalResult.getIsAuditedDetermined()) {
            break;
        }
    }
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 871 (patched)
<https://reviews.apache.org/r/58154/#comment246171>
lines #871 through #877 should be replaced with:
    if (ret.getIsAuditedDetermined() && ret.getIsAccessDetermined()) {
        break;
    }
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 918 (patched)
<https://reviews.apache.org/r/58154/#comment246172>
lines #918 through #928 should be replaced with:
    if (tagEvalResult.getIsAuditedDetermined() && tagEvalResult.getIsAccessDetermined()) {
        break;
    }
- Madhan Neethiraj
On April 3, 2017, 6:38 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58154/
> -----------------------------------------------------------
>
> (Updated April 3, 2017, 6:38 p.m.)
>
>
> Review request for ranger and Madhan Neethiraj.
>
>
> Bugs: RANGER-1493
> https://issues.apache.org/jira/browse/RANGER-1493
>
>
> Repository: ranger
>
>
> Description
> -------
>
> The policy engine is enhanced to support tag-based policies for masking as well i.e. evalDataMaskPolicies()
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java 9d8a651
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 06c7d16
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 508ef93
>
>
> Diff: https://reviews.apache.org/r/58154/diff/1/
>
>
> Testing
> -------
>
> Updated Tag-Service-Definition with dataMaskDef section for hive component, created a tag policy for data-masking; tagged a hive column with a tag and used beeline to test data-masking for that column.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
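The loop shape that the first two suggested replacements above describe, as an added Java example that is not Ranger's code and not part of the original thread. `Result`, `Evaluator`, the `"MASK_NONE"` constant value and the sample evaluators are hypothetical stand-ins for `RangerAccessResult`, the policy evaluators and `RangerPolicy.MASK_TYPE_NONE`; it needs Java 9 or later for `List.of`.

```java
import java.util.List;

// Added illustration; Result and Evaluator are hypothetical stand-ins, not Ranger classes.
public class MaskEvalLoopExample {
    static final String MASK_TYPE_NONE = "MASK_NONE"; // assumed value for this sketch

    static class Result {
        boolean accessDetermined;
        boolean auditedDetermined;
        String maskType;
    }

    interface Evaluator { void evaluate(Result r); }

    // Evaluate in order; stop only once both access and audit are settled.
    static int evaluate(List<Evaluator> evaluators, Result ret) {
        int evaluated = 0;
        for (Evaluator e : evaluators) {
            e.evaluate(ret);
            evaluated++;
            if (ret.accessDetermined) {
                // An explicit "no masking" decision is reported as an absent mask type.
                if (MASK_TYPE_NONE.equalsIgnoreCase(ret.maskType)) {
                    ret.maskType = null;
                }
                if (ret.auditedDetermined) {
                    break;
                }
            }
        }
        return evaluated;
    }

    public static void main(String[] args) {
        // Constructed evaluators: one settles access with "no mask", one settles audit.
        Evaluator unmask = r -> { r.accessDetermined = true; r.maskType = "mask_none"; };
        Evaluator audit = r -> r.auditedDetermined = true;
        Evaluator neverReached = r -> r.maskType = "MASK_HASH"; // constructed mask name

        Result ret = new Result();
        int n = evaluate(List.of(unmask, audit, neverReached), ret);
        // Access was settled first, but the loop kept going until audit was settled too.
        System.out.println("evaluated=" + n + " maskType=" + ret.maskType);
    }
}
```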
Re: Review Request 58154: Policy engine updates to support tag-based
masking policies
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58154/#review173229
-----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/DataMaskOrRowFilterEvaluator.java
Lines 31 (patched)
<https://reviews.apache.org/r/58154/#comment246276>
Since 'DataMaskOrRowFilterEvaluator' class is not specific to DataMask or RowFilter policies, consider renaming to 'PolicyEvaluatorForTag'.
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/DataMaskOrRowFilterEvaluator.java
Lines 43 (patched)
<https://reviews.apache.org/r/58154/#comment246279>
Instead of sending a boolean argument, consider sending List<RangerPolicyEvaluator>, as below:
    return getPolicyEvaluators(tags, tagPolicyRepository, tagPolicyRepository.getDataMaskPolicyEvaluators());
Same applies for getDataMaskOrRowFilterEvaluators() as well.
Also, consider moving these methods to RangerPolicyRepository:
    getDataMaskPolicyEvaluators(Set<RangerTagForEval> tags)
    getRowFilterPolicyEvaluators(Set<RangerTagForEval> tags)
- Madhan Neethiraj
On April 26, 2017, 11:14 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58154/
> -----------------------------------------------------------
>
> (Updated April 26, 2017, 11:14 p.m.)
>
>
> Review request for ranger and Madhan Neethiraj.
>
>
> Bugs: RANGER-1493
> https://issues.apache.org/jira/browse/RANGER-1493
>
>
> Repository: ranger
>
>
> Description
> -------
>
> The policy engine is enhanced to support tag-based policies for masking as well i.e. evalDataMaskPolicies()
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/DataMaskOrRowFilterEvaluator.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java 9d8a651
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 904fc86
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 06c7d16
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 508ef93
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java 0793a6a
>
>
> Diff: https://reviews.apache.org/r/58154/diff/2/
>
>
> Testing
> -------
>
> Updated Tag-Service-Definition with dataMaskDef section for hive component, created a tag policy for data-masking; tagged a hive column with a tag and used beeline to test data-masking for that column.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 58154: Policy engine updates to support tag-based
masking policies
Posted by Colm O hEigeartaigh <co...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58154/#review173170
-----------------------------------------------------------
The current patch doesn't apply to master. It's better to use Collections.emptyMap() instead of Collections.EMPTY_MAP. You could combine these if statements:
+ if(ret.getIsAccessDetermined()) {
+ if (StringUtils.equalsIgnoreCase(ret.getMaskType(), RangerPolicy.MASK_TYPE_NONE)) {
+ ret.setMaskType(null);
+ }
+ }
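Review bot: the inner '+ if (StringUtils.equalsIgnoreCase(ret.getMaskType(), RangerPolicy.MASK_TYPE_NONE))' branch rewrites the mask type to null without saying why; add a one-line comment stating that a determined result of MASK_TYPE_NONE is reported as no mask, so a later reader does not take 'ret.setMaskType(null)' for a reset of an undecided result. If the two conditions are merged with &&, keep that comment on the merged line.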
- Colm O hEigeartaigh
On April 26, 2017, 11:14 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58154/
> -----------------------------------------------------------
>
> (Updated April 26, 2017, 11:14 p.m.)
>
>
> Review request for ranger and Madhan Neethiraj.
>
>
> Bugs: RANGER-1493
> https://issues.apache.org/jira/browse/RANGER-1493
>
>
> Repository: ranger
>
>
> Description
> -------
>
> The policy engine is enhanced to support tag-based policies for masking as well i.e. evalDataMaskPolicies()
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/DataMaskOrRowFilterEvaluator.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java 9d8a651
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 904fc86
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 06c7d16
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 508ef93
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java 0793a6a
>
>
> Diff: https://reviews.apache.org/r/58154/diff/2/
>
>
> Testing
> -------
>
> Updated Tag-Service-Definition with dataMaskDef section for hive component, created a tag policy for data-masking; tagged a hive column with a tag and used beeline to test data-masking for that column.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 58154: Policy engine updates to support tag-based
masking policies
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58154/#review176545
-----------------------------------------------------------
Fix it, then Ship it!
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 820 (patched)
<https://reviews.apache.org/r/58154/#comment249932>
This block should either be moved up, before line #815 or updated to replace 'tagEvalResult' with 'result'.
- Madhan Neethiraj
On April 27, 2017, 8:40 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58154/
> -----------------------------------------------------------
>
> (Updated April 27, 2017, 8:40 p.m.)
>
>
> Review request for ranger and Madhan Neethiraj.
>
>
> Bugs: RANGER-1493
> https://issues.apache.org/jira/browse/RANGER-1493
>
>
> Repository: ranger
>
>
> Description
> -------
>
> The policy engine is enhanced to support tag-based policies for masking as well i.e. evalDataMaskPolicies()
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEvaluatorForTag.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 904fc86
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 06c7d16
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 508ef93
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java 0793a6a
>
>
> Diff: https://reviews.apache.org/r/58154/diff/3/
>
>
> Testing
> -------
>
> Updated Tag-Service-Definition with dataMaskDef section for hive component, created a tag policy for data-masking; tagged a hive column with a tag and used beeline to test data-masking for that column.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 58154: Policy engine updates to support tag-based
masking policies
Posted by Colm O hEigeartaigh <co...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58154/#review173309
-----------------------------------------------------------
There are still two instances of if statements that could be combined using &&:
    if (LOG.isDebugEnabled()) {
        if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) {

    if(ret.getIsAccessDetermined()) {
        if (StringUtils.equalsIgnoreCase(ret.getMaskType(), RangerPolicy.MASK_TYPE_NONE)) {
- Colm O hEigeartaigh
On April 27, 2017, 8:40 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58154/
> -----------------------------------------------------------
>
> (Updated April 27, 2017, 8:40 p.m.)
>
>
> Review request for ranger and Madhan Neethiraj.
>
>
> Bugs: RANGER-1493
> https://issues.apache.org/jira/browse/RANGER-1493
>
>
> Repository: ranger
>
>
> Description
> -------
>
> The policy engine is enhanced to support tag-based policies for masking as well i.e. evalDataMaskPolicies()
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEvaluatorForTag.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 904fc86
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 06c7d16
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 508ef93
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java 0793a6a
>
>
> Diff: https://reviews.apache.org/r/58154/diff/3/
>
>
> Testing
> -------
>
> Updated Tag-Service-Definition with dataMaskDef section for hive component, created a tag policy for data-masking; tagged a hive column with a tag and used beeline to test data-masking for that column.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 58154: Policy engine updates to support tag-based
masking policies
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58154/
-----------------------------------------------------------
(Updated April 27, 2017, 8:40 p.m.)
Review request for ranger and Madhan Neethiraj.
Changes
-------
Addressed review comments
Bugs: RANGER-1493
https://issues.apache.org/jira/browse/RANGER-1493
Repository: ranger
Description
-------
The policy engine is enhanced to support tag-based policies for masking as well i.e. evalDataMaskPolicies()
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEvaluatorForTag.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 904fc86
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 06c7d16
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 508ef93
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java 0793a6a
Diff: https://reviews.apache.org/r/58154/diff/3/
Changes: https://reviews.apache.org/r/58154/diff/2-3/
Testing
-------
Updated Tag-Service-Definition with dataMaskDef section for hive component, created a tag policy for data-masking; tagged a hive column with a tag and used beeline to test data-masking for that column.
Thanks,
Abhay Kulkarni
Re: Review Request 58154: Policy engine updates to support tag-based
masking policies
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58154/
-----------------------------------------------------------
(Updated April 26, 2017, 11:14 p.m.)
Review request for ranger and Madhan Neethiraj.
Changes
-------
Updated to handle row-filtering and possible match for multiple data-masking/row-filtering tag policies
Bugs: RANGER-1493
https://issues.apache.org/jira/browse/RANGER-1493
Repository: ranger
Description
-------
The policy engine is enhanced to support tag-based policies for masking as well i.e. evalDataMaskPolicies()
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/DataMaskOrRowFilterEvaluator.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java 9d8a651
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 904fc86
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 06c7d16
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 508ef93
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java 0793a6a
Diff: https://reviews.apache.org/r/58154/diff/2/
Changes: https://reviews.apache.org/r/58154/diff/1-2/
Testing
-------
Updated Tag-Service-Definition with dataMaskDef section for hive component, created a tag policy for data-masking; tagged a hive column with a tag and used beeline to test data-masking for that column.
Thanks,
Abhay Kulkarni