Posted to dev@ranger.apache.org by Mahesh Bandal <ma...@gmail.com> on 2021/07/29 13:03:24 UTC

Re: Review Request 73469: RANGER-3314: Importing atlas policy with old schema displays incorrect permissions on UI

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73469/
-----------------------------------------------------------

(Updated July 29, 2021, 1:03 p.m.)


Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-3314
    https://issues.apache.org/jira/browse/RANGER-3314


Repository: ranger


Description
-------

This is with respect to RANGER-3195 where we have moved the Add/Update/Remove classification permissions to a new classification resource.

When an old Atlas policy JSON is imported, it adds permissions like "entity-add-classification", "entity-update-classification", "entity-remove-classification" in the permission list where the resource is "entity". These permissions are not valid for resourceType=entity.

Ranger should validate accessTypeRestrictions for each resource during policyImport.


Diffs
-----

  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 0ba1fb918 


Diff: https://reviews.apache.org/r/73469/diff/1/


Testing
-------

Performed policy import for all service types.


Thanks,

Mahesh Bandal


Re: Review Request 73469: RANGER-3314: Importing atlas policy with old schema displays incorrect permissions on UI

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73469/#review223587
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
Lines 1071 (patched)
<https://reviews.apache.org/r/73469/#comment312668>

    'restrictions' will include accessTypeRestrictions specified for all resource-types referenced in the policy. This does not look correct. AccessTypeRestrictions specified for only the leaf-resource-type referenced in the policy should be allowed. Please review.
    
    Consider the following service-def:
     resource-type=database; accessTypeRestrictions=[create, alter, drop]
     resource-type=table;    accessTypeRestrictions=[create, alter, drop, insert, update, select]
     resource-type=column;   accessTypeRestrictions=[insert, update, select]
    
    Policies:
     1. resource={database=db1}: this can only reference access types [create, alter, drop]
     2. resource={database=db1, table=t1}: this can only reference access types [create, alter, drop, insert, update, select]
     3. resource={database=db1, table=t1, column=c1}: this can only reference access types [insert, update, select]
        note that [create, alter, drop] are not valid for this policy.



agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
Lines 1075 (patched)
<https://reviews.apache.org/r/73469/#comment312669>

    In addition to policy.getPolicyItems(), the other policy item lists (deny/allow-exceptions/deny-exceptions/data-mask/row-filter) should be validated as well.
    
    Also, data-mask and row-filter policy-items can have a different set of access-types than access items. Please review and update.


- Madhan Neethiraj
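
The leaf-resource-type rule from the review comment above, worked through on its database/table/column service-def. This is an added example, not part of the original thread and not Ranger's code: the class and method names are hypothetical, a single linear resource hierarchy is assumed, and data-mask and row-filter items (which the comment notes can use a different set of access types) are left out.

```java
import java.util.*;

// Added illustration; names here are hypothetical and are not Ranger's API.
public class LeafAccessTypeCheck {
    // Service-def from the review comment, in hierarchy order (root -> leaf),
    // each resource type mapped to its accessTypeRestrictions.
    static final Map<String, Set<String>> RESTRICTIONS = new LinkedHashMap<>();
    static {
        RESTRICTIONS.put("database", Set.of("create", "alter", "drop"));
        RESTRICTIONS.put("table", Set.of("create", "alter", "drop", "insert", "update", "select"));
        RESTRICTIONS.put("column", Set.of("insert", "update", "select"));
    }

    // The leaf is the deepest resource type in the hierarchy that the policy references.
    static String leafResourceType(Set<String> policyResourceTypes) {
        String leaf = null;
        for (String type : RESTRICTIONS.keySet()) {
            if (policyResourceTypes.contains(type)) leaf = type;
        }
        if (leaf == null) throw new IllegalArgumentException("policy references no known resource type");
        return leaf;
    }

    // Collects access types the leaf's restrictions do not permit, across every item
    // list passed in (allow, deny, allow-exceptions, deny-exceptions), not only the first.
    static Set<String> invalidAccessTypes(Set<String> policyResourceTypes, List<List<String>> itemLists) {
        Set<String> allowed = RESTRICTIONS.get(leafResourceType(policyResourceTypes));
        Set<String> invalid = new TreeSet<>();
        for (List<String> items : itemLists) {
            for (String accessType : items) {
                if (!allowed.contains(accessType)) invalid.add(accessType);
            }
        }
        return invalid;
    }

    public static void main(String[] args) {
        // Constructed item lists: allow items use create+select, deny items use drop.
        List<List<String>> lists = List.of(List.of("create", "select"), List.of("drop"));
        // Policies 1-3 from the review comment, identified by the resource types they reference.
        System.out.println(invalidAccessTypes(Set.of("database"), lists));
        System.out.println(invalidAccessTypes(Set.of("database", "table"), lists));
        System.out.println(invalidAccessTypes(Set.of("database", "table", "column"), lists));
    }
}
```

Taking the union of restrictions over all referenced resource types instead of the leaf's set would accept create and drop on the column-level policy, which is the case the comment flags as incorrect.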




Re: Review Request 73469: RANGER-3314: Importing atlas policy with old schema displays incorrect permissions on UI

Posted by Kishor Gollapalliwar <ki...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73469/#review223585
-----------------------------------------------------------


Ship it!

- Kishor Gollapalliwar

