Posted to dev@ranger.apache.org by Alok Lal <al...@hortonworks.com> on 2015/09/01 07:58:38 UTC

Re: Review Request 37943: RANGER-630 : Data consistency across API and UI

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/37943/#review97260
-----------------------------------------------------------



security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java (lines 70 - 71)
<https://reviews.apache.org/r/37943/#comment153097>

    Do we want to log these at WARN?  If it is only so someone can diagnose a one-off problem then consider leaving it at DEBUG level.


- Alok Lal


On Aug. 31, 2015, 4:16 a.m., Gautam Borad wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/37943/
> -----------------------------------------------------------
> 
> (Updated Aug. 31, 2015, 4:16 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Don Bosco Durai, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-630
>     https://issues.apache.org/jira/browse/RANGER-630
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Make data access consistent across REST API and UI.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java 611eaf8 
>   security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java e5de160 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3d2e8b0 
>   security-admin/src/main/java/org/apache/ranger/rest/UserREST.java a9d0059 
>   security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java 1c0f9fc 
>   security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 93980b4 
>   security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java PRE-CREATION 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml 7761756 
>   security-admin/src/main/resources/conf.dist/security-applicationContext.xml a648809 
> 
> Diff: https://reviews.apache.org/r/37943/diff/
> 
> 
> Testing
> -------
> 
> 1) Tested on Ranger UI working of permission model.
> 2) Test REST calls to reflect access control based on Permission model.
> 3) Checked cases like revoking access to 'user1' (having user role) from Audit tab (using permission model) and making curl call to Audit tab's REST APIs.
> 
> 
> Thanks,
> 
> Gautam Borad
> 
>


Re: Review Request 37943: RANGER-630 : Data consistency across API and UI

Posted by Gautam Borad <gb...@gmail.com>.

> On Sept. 1, 2015, 5:58 a.m., Alok Lal wrote:
> > security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java, lines 70-71
> > <https://reviews.apache.org/r/37943/diff/1/?file=1060272#file1060272line70>
> >
> >     Do we want to log these at WARN?  If it is only so someone can diagnose a one-off problem then consider leaving it at DEBUG level.

Eventually Admin is not supposed to access KMS related APIs but here due to some reason had to allow read/create/update operations on KMS services/policies, hence the WARN message.
Let me know if you think otherwise.


- Gautam




On Aug. 31, 2015, 11:16 a.m., Gautam Borad wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/37943/
> -----------------------------------------------------------
> 
> (Updated Aug. 31, 2015, 11:16 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Don Bosco Durai, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-630
>     https://issues.apache.org/jira/browse/RANGER-630
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Make data access consistent across REST API and UI.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java 611eaf8 
>   security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java e5de160 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3d2e8b0 
>   security-admin/src/main/java/org/apache/ranger/rest/UserREST.java a9d0059 
>   security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java 1c0f9fc 
>   security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 93980b4 
>   security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java PRE-CREATION 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml 7761756 
>   security-admin/src/main/resources/conf.dist/security-applicationContext.xml a648809 
> 
> Diff: https://reviews.apache.org/r/37943/diff/
> 
> 
> Testing
> -------
> 
> 1) Tested on Ranger UI working of permission model.
> 2) Test REST calls to reflect access control based on Permission model.
> 3) Checked cases like revoking access to 'user1' (having user role) from Audit tab (using permission model) and making curl call to Audit tab's REST APIs.
> 
> 
> Thanks,
> 
> Gautam Borad
> 
>


Re: Review Request 37943: RANGER-630 : Data consistency across API and UI

Posted by Alok Lal <al...@hortonworks.com>.

> On Aug. 31, 2015, 10:58 p.m., Alok Lal wrote:
> > security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java, lines 70-71
> > <https://reviews.apache.org/r/37943/diff/1/?file=1060272#file1060272line70>
> >
> >     Do we want to log these at WARN?  If it is only so someone can diagnose a one-off problem then consider leaving it at DEBUG level.
> 
> Gautam Borad wrote:
>     Eventually Admin is not supposed to access KMS related APIs but here due to some reason had to allow read/create/update operations on KMS services/policies, hence the WARN message.
>     Let me know if you think otherwise.

The concern is around filling up disk space where our logs are written.  Most sites would log at INFO level.  Since we are going to allow access, adding this log entry for every access by Admin would just end up increasing space.  The logging is valuable of course, because of the reasons you have stated above.  Perhaps we can leave it at DEBUG level so it helps both causes.


- Alok



