You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by Abhay Kulkarni <ak...@hortonworks.com> on 2018/04/13 00:41:32 UTC
Review Request 66593: RANGER-2066: Hbase column family access is
authorized by a tagged column in the column family
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66593/
-----------------------------------------------------------
Review request for ranger, Madhan Neethiraj and Velmurugan Periasamy.
Bugs: RANGER-2066
https://issues.apache.org/jira/browse/RANGER-2066
Repository: ranger
Description
-------
SCENARIO:
Table emp has 2 column families: personal_data(name,SSN,age) ; prof_data(role, manager)
Column emp/prof_data/role is tagged with OFFICIAL tag.
Create following policies:
Resource policy allows Read on all tables, all column-families and all columns and a tag policy allows Read on OFFICIAL tag to test_user.
When test_user executes "scan 'emp' " command, two audit log records are created:
1. Resource: emp/personal_data
Name / Type: column-family
Allowed
Policy allowing: Resource based policy
2. Resource: emp/prof_data
Name / Type: column-family
Allowed
Policy allowing: TAG based policy for OFFICIAL tag
prof_data column-family should be authorized by resource policy.
Diffs
-----
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java 4a3a95062
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java dbdcacd11
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 71c076d03
agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json b4941cd19
agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json 11f31e317
Diff: https://reviews.apache.org/r/66593/diff/1/
Testing
-------
Developed test case for this scenario. Ran all unit tests successfully
Thanks,
Abhay Kulkarni
Re: Review Request 66593: RANGER-2066: Hbase column family access is
authorized by a tagged column in the column family
Posted by pengjianhua <pe...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66593/#review201072
-----------------------------------------------------------
Ship it!
Ship It!
- pengjianhua
On 四月 13, 2018, 12:41 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/66593/
> -----------------------------------------------------------
>
> (Updated 四月 13, 2018, 12:41 a.m.)
>
>
> Review request for ranger, Madhan Neethiraj and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2066
> https://issues.apache.org/jira/browse/RANGER-2066
>
>
> Repository: ranger
>
>
> Description
> -------
>
> SCENARIO:
>
> Table emp has 2 column families: personal_data(name,SSN,age) ; prof_data(role, manager)
> Column emp/prof_data/role is tagged with OFFICIAL tag.
>
> Create following policies:
> Resource policy allows Read on all tables, all column-families and all columns and a tag policy allows Read on OFFICIAL tag to test_user.
>
> When test_user executes "scan 'emp' " command, two audit log records are created:
> 1. Resource: emp/personal_data
> Name / Type: column-family
> Allowed
> Policy allowing: Resource based policy
>
> 2. Resource: emp/prof_data
> Name / Type: column-family
> Allowed
> Policy allowing: TAG based policy for OFFICIAL tag
>
> prof_data column-family should be authorized by resource policy.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java 4a3a95062
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java dbdcacd11
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 71c076d03
> agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json b4941cd19
> agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json 11f31e317
>
>
> Diff: https://reviews.apache.org/r/66593/diff/1/
>
>
> Testing
> -------
>
> Developed test case for this scenario. Ran all unit tests successfully
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 66593: RANGER-2066: Hbase column family access is
authorized by a tagged column in the column family
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66593/#review201081
-----------------------------------------------------------
Ship it!
Ship It!
- Madhan Neethiraj
On April 13, 2018, 12:41 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/66593/
> -----------------------------------------------------------
>
> (Updated April 13, 2018, 12:41 a.m.)
>
>
> Review request for ranger, Madhan Neethiraj and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2066
> https://issues.apache.org/jira/browse/RANGER-2066
>
>
> Repository: ranger
>
>
> Description
> -------
>
> SCENARIO:
>
> Table emp has 2 column families: personal_data(name,SSN,age) ; prof_data(role, manager)
> Column emp/prof_data/role is tagged with OFFICIAL tag.
>
> Create following policies:
> Resource policy allows Read on all tables, all column-families and all columns and a tag policy allows Read on OFFICIAL tag to test_user.
>
> When test_user executes "scan 'emp' " command, two audit log records are created:
> 1. Resource: emp/personal_data
> Name / Type: column-family
> Allowed
> Policy allowing: Resource based policy
>
> 2. Resource: emp/prof_data
> Name / Type: column-family
> Allowed
> Policy allowing: TAG based policy for OFFICIAL tag
>
> prof_data column-family should be authorized by resource policy.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java 4a3a95062
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java dbdcacd11
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 71c076d03
> agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json b4941cd19
> agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json 11f31e317
>
>
> Diff: https://reviews.apache.org/r/66593/diff/1/
>
>
> Testing
> -------
>
> Developed test case for this scenario. Ran all unit tests successfully
>
>
> Thanks,
>
> Abhay Kulkarni
>
>