Posted to dev@ranger.apache.org by Nikhil P <np...@gmail.com> on 2019/10/15 11:39:55 UTC

Review Request 71615: RANGER-2618 : Restrict rolename change when a policy with that role exist

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71615/
-----------------------------------------------------------

Review request for ranger, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-2618
    https://issues.apache.org/jira/browse/RANGER-2618


Repository: ranger


Description
-------

When we try to delete a role associated with a ranger policy, the operation is not allowed. Likewise, role edit for rolename change also should be restricted.
Reason:
Rolename edit is allowed and the ranger policy still exists with old rolename reference. Policy enforcement happens as per old policy. Rolename change is not taken into consideration during policy download.


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java 9151a7209 


Diff: https://reviews.apache.org/r/71615/diff/1/


Testing
-------

Tested on local vm whether rolename update is restricted if it exists in any policy.


Thanks,

Nikhil P


Re: Review Request 71615: RANGER-2618 : Restrict rolename change when a policy with that role exist

Posted by Velmurugan Periasamy <vp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71615/#review218217
-----------------------------------------------------------


Ship it!





- Velmurugan Periasamy


On Oct. 15, 2019, 1:54 p.m., Nikhil P wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71615/
> -----------------------------------------------------------
> 
> (Updated Oct. 15, 2019, 1:54 p.m.)
> 
> 
> Review request for ranger, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2618
>     https://issues.apache.org/jira/browse/RANGER-2618
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> When we try to delete a role associated with a ranger policy, the operation is not allowed. Likewise, role edit for rolename change also should be restricted.
> Reason:
> Rolename edit is allowed and the ranger policy still exists with old rolename reference. Policy enforcement happens as per old policy. Rolename change is not taken into consideration during policy download.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java dfc5be89d 
> 
> 
> Diff: https://reviews.apache.org/r/71615/diff/2/
> 
> 
> Testing
> -------
> 
> Tested on local vm whether rolename update is restricted if it exists in any policy.
> 
> 
> Thanks,
> 
> Nikhil P
> 
>


Re: Review Request 71615: RANGER-2618 : Restrict rolename change when a policy with that role exist

Posted by Velmurugan Periasamy <vp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71615/#review218226
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
Lines 125 (patched)
<https://reviews.apache.org/r/71615/#comment305821>

    To be consistent with validation on https://reviews.apache.org/r/71614/ check if role is part of other roles.


- Velmurugan Periasamy


On Oct. 15, 2019, 1:54 p.m., Nikhil P wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71615/
> -----------------------------------------------------------
> 
> (Updated Oct. 15, 2019, 1:54 p.m.)
> 
> 
> Review request for ranger, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2618
>     https://issues.apache.org/jira/browse/RANGER-2618
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> When we try to delete a role associated with a ranger policy, the operation is not allowed. Likewise, role edit for rolename change also should be restricted.
> Reason:
> Rolename edit is allowed and the ranger policy still exists with old rolename reference. Policy enforcement happens as per old policy. Rolename change is not taken into consideration during policy download.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java dfc5be89d 
> 
> 
> Diff: https://reviews.apache.org/r/71615/diff/2/
> 
> 
> Testing
> -------
> 
> Tested on local vm whether rolename update is restricted if it exists in any policy.
> 
> 
> Thanks,
> 
> Nikhil P
> 
>
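The guard this thread converges on, as an added example that is not Ranger's RoleDBStore code: a rename is refused while any policy references the role by name and, following the review comment above, while another role contains it. RoleStore, Role, Policy, ensureNotReferenced and tryRename are hypothetical names, and the sample roles and policy are constructed.

```java
import java.util.*;

// Added illustration: hypothetical types, not Ranger classes. Requires Java 16+ (records).
public class RoleRenameGuard {
    record Role(long id, String name, Set<String> memberRoles) {}
    record Policy(String name, Set<String> roles) {}

    static class RoleStore {
        final Map<Long, Role> roles = new HashMap<>();
        final List<Policy> policies = new ArrayList<>();

        // Policies and parent roles refer to a role by name, so a rename would
        // leave them pointing at a name that no longer exists.
        void updateRole(Role updated) {
            Role existing = roles.get(updated.id());
            if (existing == null) throw new NoSuchElementException("no role with id " + updated.id());
            if (!existing.name().equals(updated.name())) {
                ensureNotReferenced(existing.name());
            }
            roles.put(updated.id(), updated);
        }

        void ensureNotReferenced(String roleName) {
            for (Policy p : policies)
                if (p.roles().contains(roleName))
                    throw new IllegalStateException("role '" + roleName + "' is used in policy '" + p.name() + "'");
            for (Role r : roles.values())
                if (r.memberRoles().contains(roleName))
                    throw new IllegalStateException("role '" + roleName + "' is a member of role '" + r.name() + "'");
        }
    }

    static String tryRename(RoleStore store, Role updated) {
        try { store.updateRole(updated); return "renamed to " + updated.name(); }
        catch (IllegalStateException e) { return "rejected: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        RoleStore store = new RoleStore();   // constructed sample data
        store.roles.put(1L, new Role(1L, "analysts", Set.of()));
        store.roles.put(2L, new Role(2L, "auditors", Set.of()));
        store.roles.put(3L, new Role(3L, "staff", Set.of("auditors")));
        store.policies.add(new Policy("hive-sales-read", Set.of("analysts")));
        System.out.println(tryRename(store, new Role(1L, "data-analysts", Set.of())));       // referenced by a policy
        System.out.println(tryRename(store, new Role(2L, "reviewers", Set.of())));           // member of another role
        System.out.println(tryRename(store, new Role(3L, "employees", Set.of("auditors")))); // unreferenced
    }
}
```

Updates that keep the name unchanged skip the reference check, so membership edits on a role that is in use still go through.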


Re: Review Request 71615: RANGER-2618 : Restrict rolename change when a policy with that role exist

Posted by Nikhil P <np...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71615/
-----------------------------------------------------------

(Updated Oct. 17, 2019, 5:11 p.m.)


Review request for ranger, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-2618
    https://issues.apache.org/jira/browse/RANGER-2618


Repository: ranger


Description
-------

When we try to delete a role associated with a ranger policy, the operation is not allowed. Likewise, role edit for rolename change also should be restricted.
Reason:
Rolename edit is allowed and the ranger policy still exists with old rolename reference. Policy enforcement happens as per old policy. Rolename change is not taken into consideration during policy download.


Diffs (updated)
-----

  security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java 0854ff20e 


Diff: https://reviews.apache.org/r/71615/diff/3/

Changes: https://reviews.apache.org/r/71615/diff/2-3/


Testing
-------

Tested on local vm whether rolename update is restricted if it exists in any policy.


Thanks,

Nikhil P


Re: Review Request 71615: RANGER-2618 : Restrict rolename change when a policy with that role exist

Posted by Nikhil P <np...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71615/
-----------------------------------------------------------

(Updated Oct. 15, 2019, 7:24 p.m.)


Review request for ranger, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-2618
    https://issues.apache.org/jira/browse/RANGER-2618


Repository: ranger


Description
-------

When we try to delete a role associated with a ranger policy, the operation is not allowed. Likewise, role edit for rolename change also should be restricted.
Reason:
Rolename edit is allowed and the ranger policy still exists with old rolename reference. Policy enforcement happens as per old policy. Rolename change is not taken into consideration during policy download.


Diffs (updated)
-----

  security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java dfc5be89d 


Diff: https://reviews.apache.org/r/71615/diff/2/

Changes: https://reviews.apache.org/r/71615/diff/1-2/


Testing
-------

Tested on local vm whether rolename update is restricted if it exists in any policy.


Thanks,

Nikhil P


Re: Review Request 71615: RANGER-2618 : Restrict rolename change when a policy with that role exist

Posted by Velmurugan Periasamy <vp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71615/#review218214
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
Lines 125 (patched)
<https://reviews.apache.org/r/71615/#comment305810>

    Reuse ensureRoleNotInPolicy method introduced in https://reviews.apache.org/r/71614/


- Velmurugan Periasamy


On Oct. 15, 2019, 11:39 a.m., Nikhil P wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71615/
> -----------------------------------------------------------
> 
> (Updated Oct. 15, 2019, 11:39 a.m.)
> 
> 
> Review request for ranger, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2618
>     https://issues.apache.org/jira/browse/RANGER-2618
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> When we try to delete a role associated with a ranger policy, the operation is not allowed. Likewise, role edit for rolename change also should be restricted.
> Reason:
> Rolename edit is allowed and the ranger policy still exists with old rolename reference. Policy enforcement happens as per old policy. Rolename change is not taken into consideration during policy download.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java 9151a7209 
> 
> 
> Diff: https://reviews.apache.org/r/71615/diff/1/
> 
> 
> Testing
> -------
> 
> Tested on local vm whether rolename update is restricted if it exists in any policy.
> 
> 
> Thanks,
> 
> Nikhil P
> 
>