Posted to dev@ranger.apache.org by Mahesh Bandal <ma...@gmail.com> on 2021/07/29 13:03:24 UTC
Re: Review Request 73469: RANGER-3314: Importing atlas policy with old
schema displays incorrect permissions on UI
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73469/
-----------------------------------------------------------
(Updated July 29, 2021, 1:03 p.m.)
Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
Bugs: RANGER-3314
https://issues.apache.org/jira/browse/RANGER-3314
Repository: ranger
Description
-------
This is with respect to RANGER-3195 where we have moved the Add/Update/Remove classification permissions to a new classification resource.
When old Atlas policy JSON is imported, it adds permissions like "entity-add-classification", "entity-update-classification", "entity-remove-classification" in the permission list where the resource is “entity”. These permissions are not valid for resourceType=entity.
Ranger should validate accessTypeRestrictions for each resource during policyImport.
Diffs
-----
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 0ba1fb918
Diff: https://reviews.apache.org/r/73469/diff/1/
Testing
-------
Performed policy import for all service types.
Thanks,
Mahesh Bandal
Re: Review Request 73469: RANGER-3314: Importing atlas policy with old
schema displays incorrect permissions on UI
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73469/#review223587
-----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
Lines 1071 (patched)
<https://reviews.apache.org/r/73469/#comment312668>
'restrictions' will include accessTypeRestrictions specified for all resource-types referenced in the policy. This does not look correct. AccessTypeRestrictions specified for only the leaf-resource-type referenced in the policy should be allowed. Please review.
Consider the following service-def:
   resource-type=database; accessTypeRestrictions=[create, alter, drop]
   resource-type=table; accessTypeRestrictions=[create, alter, drop, insert, update, select]
   resource-type=column; accessTypeRestrictions=[insert, update, select]
Policies:
1. resource={database=db1}: this can only reference access types [create, alter, drop]
2. resource={database=db1, table=t1}: this can only reference access types [create, alter, drop, insert, update, select]
3. resource={database=db1, table=t1, column=c1}: this can only reference access types [insert, update, select]
   Note that [create, alter, drop] are not valid for this policy.
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
Lines 1075 (patched)
<https://reviews.apache.org/r/73469/#comment312669>
In addition to policy.getPolicyItems(), the other policy item lists (deny/allow-exceptions/deny-exceptions/data-mask/row-filter) should be validated as well.
Also, data-mask and row-filter policy-items can have a different set of access-types than access items. Please review and update.
- Madhan Neethiraj
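The leaf-resource rule and the "check every item list" point from the two review comments above, as an added sketch that is not part of this thread or of Ranger's code. The class, maps and method names are hypothetical stand-ins for the service-def and policy model, built on the review's database/table/column example; data-mask and row-filter lists, which the review says can carry a different set of access types, are left out.

```java
import java.util.*;

// Added illustration; not RangerPolicyValidator. All names here are hypothetical.
public class LeafAccessTypeCheck {
    // Resource hierarchy from the review's example, root first.
    static final List<String> HIERARCHY = List.of("database", "table", "column");

    // accessTypeRestrictions per resource-type, as in the review's service-def.
    static final Map<String, Set<String>> RESTRICTIONS = Map.of(
        "database", Set.of("create", "alter", "drop"),
        "table",    Set.of("create", "alter", "drop", "insert", "update", "select"),
        "column",   Set.of("insert", "update", "select"));

    // The leaf is the deepest resource-type the policy references.
    static String leafOf(Set<String> policyResourceTypes) {
        String leaf = null;
        for (String level : HIERARCHY) {
            if (policyResourceTypes.contains(level)) leaf = level;
        }
        if (leaf == null) throw new IllegalArgumentException("no known resource-type in policy");
        return leaf;
    }

    // Checks every item list (allow, deny, exceptions) against the leaf's
    // restrictions only, and returns one message per invalid access type.
    static List<String> validate(Map<String, String> resources,
                                 Map<String, List<Set<String>>> itemLists) {
        String leaf = leafOf(resources.keySet());
        Set<String> allowed = RESTRICTIONS.get(leaf);
        List<String> errors = new ArrayList<>();
        itemLists.forEach((listName, items) -> items.forEach(accesses -> {
            for (String access : accesses) {
                if (!allowed.contains(access)) {
                    errors.add(listName + ": '" + access + "' not valid for leaf " + leaf);
                }
            }
        }));
        return errors;
    }

    public static void main(String[] args) {
        // Constructed policy 3 from the review: leaf is column, so 'drop' and 'create' are rejected.
        Map<String, String> resources = Map.of("database", "db1", "table", "t1", "column", "c1");
        Map<String, List<Set<String>>> items = new LinkedHashMap<>();
        items.put("policyItems", List.of(Set.of("select", "drop")));
        items.put("denyPolicyItems", List.of(Set.of("create")));
        validate(resources, items).forEach(System.out::println);
    }
}
```

Taking the union of the restrictions of all three referenced resource-types instead of the leaf's would accept both `drop` and `create` here, which is the behaviour the first review comment flags.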
Re: Review Request 73469: RANGER-3314: Importing atlas policy with old
schema displays incorrect permissions on UI
Posted by Kishor Gollapalliwar <ki...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73469/#review223585
-----------------------------------------------------------
Ship it!
Ship It!
- Kishor Gollapalliwar