Posted to dev@ranger.apache.org by Ramesh Mani <rm...@hortonworks.com> on 2022/10/03 17:39:17 UTC

Re: Review Request 74143: RANGER-3912:Ranger Policy report for a given user should fetch policies maintained for roles belonging to that user


> On Sept. 30, 2022, 7:22 p.m., Abhay Kulkarni wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
> > Lines 4950 (patched)
> > <https://reviews.apache.org/r/74143/diff/1/?file=2270230#file2270230line4950>
> >
> >     Why is the "group" parameter removed from searchFilter here, especially with line 4986? Please review.

The searchFilter that was set in the previous call is reset to the current filter, which is based on "roles", and that is the reason we remove the "group" parameter.


> On Sept. 30, 2022, 7:22 p.m., Abhay Kulkarni wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
> > Lines 6241 (patched)
> > <https://reviews.apache.org/r/74143/diff/1/?file=2270230#file2270230line6241>
> >
> >     There is a recursive call here. If the depth of the role hierarchy is too deep, this may cause stack overflow. Please review to see if that is possible.

This recursive call is needed to fetch the roles belonging to the role and its children. Haven't seen a role tree maintained that deep to get into an overflow issue. The looping issue is already handled in the method.


> On Sept. 30, 2022, 7:22 p.m., Abhay Kulkarni wrote:
> > security-admin/src/main/java/org/apache/ranger/db/XXGroupGroupDao.java
> > Lines 57 (patched)
> > <https://reviews.apache.org/r/74143/diff/1/?file=2270231#file2270231line57>
> >
> >     Does this function's return list include the groupName that is passed in as argument? Is the caller expecting that? Please review.

No, caller is not expected to return the groupName that is passed in the argument.


> On Sept. 30, 2022, 7:22 p.m., Abhay Kulkarni wrote:
> > security-admin/src/main/resources/META-INF/jpa_named_queries.xml
> > Lines 293 (patched)
> > <https://reviews.apache.org/r/74143/diff/1/?file=2270233#file2270233line293>
> >
> >     This query returns only parent group of the argument groupName. Is it expected to find more distant ancestors too? Please review.

It is not expected to find more distant ancestors. Ranger doesn't maintain group-to-group mapping. Users belonging to groups and policies maintained for those groups are already handled.


- Ramesh


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74143/#review224725
-----------------------------------------------------------


On Sept. 27, 2022, 7:37 p.m., Ramesh Mani wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74143/
> -----------------------------------------------------------
> 
> (Updated Sept. 27, 2022, 7:37 p.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3912
>     https://issues.apache.org/jira/browse/RANGER-3912
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RANGER-3912:Ranger Policy report for a given user should fetch policies maintained for roles belonging to that user
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 913633600 
>   security-admin/src/main/java/org/apache/ranger/db/XXGroupGroupDao.java 21948b108 
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java 35d718858 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4a2354b0 
> 
> 
> Diff: https://reviews.apache.org/r/74143/diff/1/
> 
> 
> Testing
> -------
> 
> Verified in local VM: API to fetch policies for a given user / group / role, and also via Ranger UI
> 
> 
> Thanks,
> 
> Ramesh Mani
> 
>
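
The stack-depth and looping concerns raised in the review above, as an added example that is not part of the original thread or of Ranger's code: an iterative expansion of the roles a user effectively holds, using a work queue and a visited set instead of recursion. The `parentsOf` map (role name to the roles it is a member of), the role names and the class name are hypothetical.

```java
import java.util.ArrayDeque;
import java.util.Collections;
import java.util.Deque;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

// Added illustration; the map-based role model is an assumption, not Ranger's schema or API.
public class RoleClosure {

    /**
     * Returns the starting roles plus every role reachable from them by
     * following "is a member of" edges. The traversal uses an explicit work
     * queue, so hierarchy depth costs heap memory rather than call-stack frames.
     */
    static Set<String> effectiveRoles(Set<String> directRoles,
                                      Map<String, Set<String>> parentsOf) {
        Set<String> seen = new LinkedHashSet<>(directRoles);
        Deque<String> work = new ArrayDeque<>(directRoles);
        while (!work.isEmpty()) {
            String role = work.pop();
            for (String parent : parentsOf.getOrDefault(role, Collections.emptySet())) {
                // add() returns false for a role already visited, which stops cycles
                if (seen.add(parent)) {
                    work.push(parent);
                }
            }
        }
        return seen;
    }

    public static void main(String[] args) {
        // Constructed sample: analyst -> data_reader -> auditor -> analyst (a cycle)
        Map<String, Set<String>> cyclic = new HashMap<>();
        cyclic.put("analyst", Set.of("data_reader"));
        cyclic.put("data_reader", Set.of("auditor"));
        cyclic.put("auditor", Set.of("analyst"));
        System.out.println(effectiveRoles(Set.of("analyst"), cyclic));

        // Constructed sample: a chain 100,000 roles deep
        Map<String, Set<String>> chain = new HashMap<>();
        for (int i = 0; i < 100_000; i++) {
            chain.put("r" + i, Set.of("r" + (i + 1)));
        }
        System.out.println(effectiveRoles(Set.of("r0"), chain).size());
    }
}
```

A policy report built from the returned set covers policies granted through nested roles, and the traversal terminates on cyclic role membership.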