Posted to dev@ranger.apache.org by Abhay Kulkarni <ak...@hortonworks.com> on 2016/10/20 04:04:09 UTC

Review Request 53043: User has access to a database via tag-based policy - but 'show databases' does not include the database

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53043/
-----------------------------------------------------------

Review request for ranger and Madhan Neethiraj.


Bugs: RANGER-1190
    https://issues.apache.org/jira/browse/RANGER-1190


Repository: ranger


Description
-------

Scenario: A user has some access to a table/column in a database - exclusively via a tag-based policy. For example: the 'hr.employee.ssn' column is tagged as PII and the user has 'select' access granted on the 'PII' tag. The user does not have any other access in the 'hr' database.
In this scenario, the 'show databases' command in beeline does not include the 'hr' database. Since the user has some access in the 'hr' database, the user will expect to see 'hr' in the command result.


Diffs
-----

  agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 3c342a3 
  agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java 6873554 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java 637423e 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java 1a6e1b2 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 905262c 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java 7711765 
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 899b216 
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 84aac1e 
  agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java 3b831c3 
  agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java 00f8f9a 
  agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java 9219450 
  agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/TestTagEnricher.java 30190ab 
  agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java cb0af84 
  agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java PRE-CREATION 
  agents-common/src/test/resources/contextenricher/test_tagenricher_hive.json 317c651 
  agents-common/src/test/resources/policyengine/descendant_tags.json PRE-CREATION 
  agents-common/src/test/resources/policyengine/test_policyengine_conditions.json 2ab2bee 
  agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json PRE-CREATION 
  agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json 6c9b966 
  agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json fab93f6 
  agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json 443ee53 
  agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json PRE-CREATION 

Diff: https://reviews.apache.org/r/53043/diff/


Testing
-------

Ran unit tests successfully. Tested with hive-server2 with the Ranger plugin and the Ranger/TagSync/Atlas stack.


Thanks,

Abhay Kulkarni


Re: Review Request 53043: User has access to a database via tag-based policy - but 'show databases' does not include the database

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53043/#review154606
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java (line 214)
<https://reviews.apache.org/r/53043/#comment224220>

    Assuming that most requests would not have a matching tag, it will be good not to create an ArrayList until it is needed (at line #235).



agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java (line 183)
<https://reviews.apache.org/r/53043/#comment224224>

    The if at line #183 seems unnecessary, as for all tag-requests matchType needs to be copied from RangerTagAccessRequest.matchType. Please review.



agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java (line 53)
<https://reviews.apache.org/r/53043/#comment224234>

    It will help to add a couple of examples of how this field is used.


- Madhan Neethiraj




Re: Review Request 53043: User has access to a database via tag-based policy - but 'show databases' does not include the database

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53043/#review154691
-----------------------------------------------------------


Ship it!

- Madhan Neethiraj




Re: Review Request 53043: User has access to a database via tag-based policy - but 'show databases' does not include the database

Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53043/
-----------------------------------------------------------

(Updated Nov. 3, 2016, 7:52 a.m.)


Review request for ranger and Madhan Neethiraj.


Changes
-------

Addressed review comments.


Bugs: RANGER-1190
    https://issues.apache.org/jira/browse/RANGER-1190


Repository: ranger


Description
-------

Scenario: A user has some access to a table/column in a database - exclusively via a tag-based policy. For example: the 'hr.employee.ssn' column is tagged as PII and the user has 'select' access granted on the 'PII' tag. The user does not have any other access in the 'hr' database.
In this scenario, the 'show databases' command in beeline does not include the 'hr' database. Since the user has some access in the 'hr' database, the user will expect to see 'hr' in the command result.


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 3c342a3 
  agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java 6873554 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java 637423e 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java 1a6e1b2 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 905262c 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java 7711765 
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 899b216 
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 6119dbc 
  agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java 3b831c3 
  agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java 00f8f9a 
  agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java 9219450 
  agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/TestTagEnricher.java 30190ab 
  agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 2ae280d 
  agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java PRE-CREATION 
  agents-common/src/test/resources/contextenricher/test_tagenricher_hive.json 317c651 
  agents-common/src/test/resources/policyengine/descendant_tags.json PRE-CREATION 
  agents-common/src/test/resources/policyengine/test_policyengine_conditions.json 2ab2bee 
  agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json PRE-CREATION 
  agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json 6c9b966 
  agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json fab93f6 
  agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json 443ee53 
  agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json PRE-CREATION 

Diff: https://reviews.apache.org/r/53043/diff/


Testing
-------

Ran unit tests successfully. Tested with hive-server2 with the Ranger plugin and the Ranger/TagSync/Atlas stack.


Thanks,

Abhay Kulkarni


Re: Review Request 53043: User has access to a database via tag-based policy - but 'show databases' does not include the database

Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53043/
-----------------------------------------------------------

(Updated Oct. 28, 2016, 6:37 p.m.)


Review request for ranger and Madhan Neethiraj.


Changes
-------

Ensure that access-resource is valid before attempting a match.
If policy-resource matches everything, then return ANCESTOR-match.


Bugs: RANGER-1190
    https://issues.apache.org/jira/browse/RANGER-1190


Repository: ranger


Description
-------

Scenario: A user has some access to a table/column in a database - exclusively via a tag-based policy. For example: the 'hr.employee.ssn' column is tagged as PII and the user has 'select' access granted on the 'PII' tag. The user does not have any other access in the 'hr' database.
In this scenario, the 'show databases' command in beeline does not include the 'hr' database. Since the user has some access in the 'hr' database, the user will expect to see 'hr' in the command result.
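The following is an added model of the matching described in the Changes section (validate the access-resource first; a policy-resource that matches everything is an ANCESTOR match) applied to the Description's scenario. It is not Ranger's own code: the policy layout, the user names and the tagged resource are constructed, the match-type names follow the review text, and any grant is treated as sufficient for a database to be listed.

```python
# Model of hierarchical resource matching for the RANGER-1190 'show databases'
# scenario.  Added example, not Ranger's code: policies, users and the tagged
# resource below are constructed; match-type names follow the review request.

HIVE_HIERARCHY = ["database", "table", "column"]   # general -> specific


def match_type(policy_res, access_res, hierarchy=HIVE_HIERARCHY):
    """Return how policy_res relates to access_res: SELF, ANCESTOR, DESCENDANT or NONE."""
    # Review change 1: validate the access-resource before attempting any match.
    if not access_res:
        return "NONE"
    # Review change 2: a policy-resource that matches everything is treated as an
    # ANCESTOR of every request, so it also covers the database being listed.
    if policy_res and all(v == "*" for v in policy_res.values()):
        return "ANCESTOR"
    for level in hierarchy:
        p, a = policy_res.get(level), access_res.get(level)
        if a is None and (p is None or p == "*"):
            continue                 # neither side constrains this level further
        if p is None:
            return "ANCESTOR"        # request is more specific than the policy resource
        if a is None:
            return "DESCENDANT"      # policy resource lies below the requested resource
        if p != "*" and p != a:
            return "NONE"            # explicit mismatch at this level
    return "SELF"


def databases_visible_to(user, databases, resource_policies, tag_policies, tagged_resources):
    """Filter 'show databases': keep a database if the user holds any access inside it."""
    granted_tags = {p["tag"] for p in tag_policies if user in p["users"]}
    visible = []
    for db in databases:
        request = {"database": db}
        # Resource-based path: a policy on db itself, on an ancestor (wildcard) or on
        # a table/column beneath it all count as "some access in db".
        direct = any(user in p["users"] and match_type(p["resource"], request) != "NONE"
                     for p in resource_policies)
        # Tag-based path: a tagged resource at or below db whose tag the user is granted.
        # This is the path the review request describes as missing for 'hr'.
        tagged = any(t["tag"] in granted_tags and match_type(t["resource"], request) != "NONE"
                     for t in tagged_resources)
        if direct or tagged:
            visible.append(db)
    return visible


# Constructed sample data mirroring the description: alice's only access in 'hr'
# is via the PII tag on the column hr.employee.ssn.
RESOURCE_POLICIES = [
    {"resource": {"database": "sales", "table": "*", "column": "*"}, "users": ["alice"]},
    {"resource": {"database": "*", "table": "*", "column": "*"}, "users": ["admin"]},
]
TAG_POLICIES = [{"tag": "PII", "users": ["alice"]}]
TAGGED_RESOURCES = [
    {"resource": {"database": "hr", "table": "employee", "column": "ssn"}, "tag": "PII"},
]
DATABASES = ["default", "hr", "sales"]

if __name__ == "__main__":
    for user in ("alice", "admin", "bob"):
        print(user, databases_visible_to(user, DATABASES, RESOURCE_POLICIES,
                                         TAG_POLICIES, TAGGED_RESOURCES))
```

With the tag-based path in place alice sees 'hr' (DESCENDANT match on the tagged column) alongside 'sales'; without it only 'sales' would be listed, which is the symptom in the Description.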


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 3c342a3 
  agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java 6873554 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java 637423e 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java 1a6e1b2 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 905262c 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java 7711765 
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 899b216 
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 84aac1e 
  agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java 3b831c3 
  agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java 00f8f9a 
  agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java 9219450 
  agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/TestTagEnricher.java 30190ab 
  agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java cb0af84 
  agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java PRE-CREATION 
  agents-common/src/test/resources/contextenricher/test_tagenricher_hive.json 317c651 
  agents-common/src/test/resources/policyengine/descendant_tags.json PRE-CREATION 
  agents-common/src/test/resources/policyengine/test_policyengine_conditions.json 2ab2bee 
  agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json PRE-CREATION 
  agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json 6c9b966 
  agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json fab93f6 
  agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json 443ee53 
  agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json PRE-CREATION 

Diff: https://reviews.apache.org/r/53043/diff/


Testing
-------

Ran unit tests successfully. Tested with hive-server2 with the Ranger plugin and the Ranger/TagSync/Atlas stack.


Thanks,

Abhay Kulkarni