Posted to dev@ranger.apache.org by Abhay Kulkarni <ak...@hortonworks.com> on 2017/04/03 18:38:37 UTC

Review Request 58154: Policy engine updates to support tag-based masking policies

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58154/
-----------------------------------------------------------

Review request for ranger and Madhan Neethiraj.


Bugs: RANGER-1493
    https://issues.apache.org/jira/browse/RANGER-1493


Repository: ranger


Description
-------

The policy engine is enhanced to support tag-based policies for masking as well i.e. evalDataMaskPolicies()


Diffs
-----

  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java 9d8a651 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 06c7d16 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 508ef93 


Diff: https://reviews.apache.org/r/58154/diff/1/


Testing
-------

Updated Tag-Service-Definition with dataMaskDef section for hive component, created a tag policy for data-masking; tagged a hive column with a tag and used beeline to test data-masking for that column.


Thanks,

Abhay Kulkarni


Re: Review Request 58154: Policy engine updates to support tag-based masking policies

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58154/#review173093
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 757 (patched)
<https://reviews.apache.org/r/58154/#comment246168>

    lines #757 through #764 should be replaced with the following:
    
    					if(ret.getIsAccessDetermined()) {
    						if (StringUtils.equalsIgnoreCase(ret.getMaskType(), RangerPolicy.MASK_TYPE_NONE)) {
    							ret.setMaskType(null);
    						}
    
    						if(ret.getIsAuditedDetermined()) {
    							break;
    						}
    					}
    				}



agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 805 (patched)
<https://reviews.apache.org/r/58154/#comment246169>

    lines #805 through #814 should be replaced with:
    
    						if (tagEvalResult.getIsAccessDetermined()) {
    							if (StringUtils.equalsIgnoreCase(tagEvalResult.getMaskType(), RangerPolicy.MASK_TYPE_NONE)) {
    								tagEvalResult.setMaskType(null);
    							}
    
    							if (tagEvalResult.getIsAuditedDetermined()) {
    								break;
    							}
    						}



agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 871 (patched)
<https://reviews.apache.org/r/58154/#comment246171>

    lines #871 through #877 should be replaced with:
    
    						if (ret.getIsAuditedDetermined() && ret.getIsAccessDetermined()) {
    							break;
    						}



agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 918 (patched)
<https://reviews.apache.org/r/58154/#comment246172>

    lines #918 through #928 should be replaced with:
    
    						if (tagEvalResult.getIsAuditedDetermined() && tagEvalResult.getIsAccessDetermined()) {
    							break;
    						}


- Madhan Neethiraj


On April 3, 2017, 6:38 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58154/
> -----------------------------------------------------------
> 
> (Updated April 3, 2017, 6:38 p.m.)
> 
> 
> Review request for ranger and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-1493
>     https://issues.apache.org/jira/browse/RANGER-1493
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> The policy engine is enhanced to support tag-based policies for masking as well i.e. evalDataMaskPolicies()
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java 9d8a651 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 06c7d16 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 508ef93 
> 
> 
> Diff: https://reviews.apache.org/r/58154/diff/1/
> 
> 
> Testing
> -------
> 
> Updated Tag-Service-Definition with dataMaskDef section for hive component, created a tag policy for data-masking; tagged a hive column with a tag and used beeline to test data-masking for that column.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>


Re: Review Request 58154: Policy engine updates to support tag-based masking policies

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58154/#review173229
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/policyengine/DataMaskOrRowFilterEvaluator.java
Lines 31 (patched)
<https://reviews.apache.org/r/58154/#comment246276>

    Since 'DataMaskOrRowFilterEvaluator' class is not specific to DataMask or RowFilter policies, consider renaming to 'PolicyEvaluatorForTag'.



agents-common/src/main/java/org/apache/ranger/plugin/policyengine/DataMaskOrRowFilterEvaluator.java
Lines 43 (patched)
<https://reviews.apache.org/r/58154/#comment246279>

    Instead of sending a boolean argument, consider sending List<RangerPolicyEvaluator>, as below:
    
    return getPolicyEvaluators(tags, tagPolicyRepository, tagPolicyRepository.getDataMaskPolicyEvaluators());
    
    Same applies for getDataMaskOrRowFilterEvaluators() as well.
    
    Also, consider moving these methods to RangerPolicyRepository:
    
      getDataMaskPolicyEvaluators(Set<RangerTagForEval> tags)
      getRowFilterPolicyEvaluators(Set<RangerTagForEval> tags)


- Madhan Neethiraj


On April 26, 2017, 11:14 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58154/
> -----------------------------------------------------------
> 
> (Updated April 26, 2017, 11:14 p.m.)
> 
> 
> Review request for ranger and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-1493
>     https://issues.apache.org/jira/browse/RANGER-1493
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> The policy engine is enhanced to support tag-based policies for masking as well i.e. evalDataMaskPolicies()
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/DataMaskOrRowFilterEvaluator.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java 9d8a651 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 904fc86 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 06c7d16 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 508ef93 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java 0793a6a 
> 
> 
> Diff: https://reviews.apache.org/r/58154/diff/2/
> 
> 
> Testing
> -------
> 
> Updated Tag-Service-Definition with dataMaskDef section for hive component, created a tag policy for data-masking; tagged a hive column with a tag and used beeline to test data-masking for that column.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>


Re: Review Request 58154: Policy engine updates to support tag-based masking policies

Posted by Colm O hEigeartaigh <co...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58154/#review173170
-----------------------------------------------------------



The current patch doesn't apply to master. It's better to use Collections.emptyMap() instead of Collections.EMPTY_MAP. You could combine these if statements:

+					if(ret.getIsAccessDetermined()) {
+						if (StringUtils.equalsIgnoreCase(ret.getMaskType(), RangerPolicy.MASK_TYPE_NONE)) {
+							ret.setMaskType(null);
+						}
+					}
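
Review bot: The `ret.setMaskType(null)` call in the inner `if` carries no comment on why a mask type equal to `RangerPolicy.MASK_TYPE_NONE` is cleared to null once access is determined; a one-line comment above the inner `if` would tell readers how a null mask type is meant to be read after this point. The outer `if(ret.getIsAccessDetermined())` holds nothing but the inner `if`, so the two conditions can also be joined with `&&` without changing behaviour.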

- Colm O hEigeartaigh




Re: Review Request 58154: Policy engine updates to support tag-based masking policies

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58154/#review176545
-----------------------------------------------------------


Fix it, then Ship it!





agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 820 (patched)
<https://reviews.apache.org/r/58154/#comment249932>

    This block should either be moved up, before line #815 or updated to replace 'tagEvalResult' with 'result'.


- Madhan Neethiraj


On April 27, 2017, 8:40 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58154/
> -----------------------------------------------------------
> 
> (Updated April 27, 2017, 8:40 p.m.)
> 
> 
> Review request for ranger and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-1493
>     https://issues.apache.org/jira/browse/RANGER-1493
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> The policy engine is enhanced to support tag-based policies for masking as well i.e. evalDataMaskPolicies()
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEvaluatorForTag.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 904fc86 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 06c7d16 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 508ef93 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java 0793a6a 
> 
> 
> Diff: https://reviews.apache.org/r/58154/diff/3/
> 
> 
> Testing
> -------
> 
> Updated Tag-Service-Definition with dataMaskDef section for hive component, created a tag policy for data-masking; tagged a hive column with a tag and used beeline to test data-masking for that column.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>


Re: Review Request 58154: Policy engine updates to support tag-based masking policies

Posted by Colm O hEigeartaigh <co...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58154/#review173309
-----------------------------------------------------------



There are still two instances of if statements that could be combined using &&:

 if (LOG.isDebugEnabled()) {
                    if (ret.getIsAccessDetermined() && ret.getIsAuditedDetermined()) {


 if(ret.getIsAccessDetermined()) {
                        if (StringUtils.equalsIgnoreCase(ret.getMaskType(), RangerPolicy.MASK_TYPE_NONE)) {

- Colm O hEigeartaigh




Re: Review Request 58154: Policy engine updates to support tag-based masking policies

Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58154/
-----------------------------------------------------------

(Updated April 27, 2017, 8:40 p.m.)


Review request for ranger and Madhan Neethiraj.


Changes
-------

Addressed review comments


Bugs: RANGER-1493
    https://issues.apache.org/jira/browse/RANGER-1493


Repository: ranger


Description
-------

The policy engine is enhanced to support tag-based policies for masking as well i.e. evalDataMaskPolicies()


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEvaluatorForTag.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 904fc86 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 06c7d16 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 508ef93 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java 0793a6a 


Diff: https://reviews.apache.org/r/58154/diff/3/

Changes: https://reviews.apache.org/r/58154/diff/2-3/


Testing
-------

Updated Tag-Service-Definition with dataMaskDef section for hive component, created a tag policy for data-masking; tagged a hive column with a tag and used beeline to test data-masking for that column.


Thanks,

Abhay Kulkarni


Re: Review Request 58154: Policy engine updates to support tag-based masking policies

Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58154/
-----------------------------------------------------------

(Updated April 26, 2017, 11:14 p.m.)


Review request for ranger and Madhan Neethiraj.


Changes
-------

Updated to handle row-filtering and possible match for multiple data-masking/row-filtering tag policies


Bugs: RANGER-1493
    https://issues.apache.org/jira/browse/RANGER-1493


Repository: ranger


Description
-------

The policy engine is enhanced to support tag-based policies for masking as well i.e. evalDataMaskPolicies()


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/DataMaskOrRowFilterEvaluator.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java 9d8a651 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 904fc86 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 06c7d16 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 508ef93 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java 0793a6a 


Diff: https://reviews.apache.org/r/58154/diff/2/

Changes: https://reviews.apache.org/r/58154/diff/1-2/


Testing
-------

Updated Tag-Service-Definition with dataMaskDef section for hive component, created a tag policy for data-masking; tagged a hive column with a tag and used beeline to test data-masking for that column.


Thanks,

Abhay Kulkarni