Posted to dev@ranger.apache.org by Abhay Kulkarni <ak...@hortonworks.com> on 2016/10/20 04:04:09 UTC
Review Request 53043: User has access to a database via tag-based
policy - but 'show databases' does not include the database
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53043/
-----------------------------------------------------------
Review request for ranger and Madhan Neethiraj.
Bugs: RANGER-1190
https://issues.apache.org/jira/browse/RANGER-1190
Repository: ranger
Description
-------
Scenario: A user has some access to a table/column in a database - exclusively via a tag-based policy. For example: the 'hr.employee.ssn' column is tagged as PII and the user has 'select' access granted on the 'PII' tag. The user does not have any other access in the 'hr' database.
In this scenario, the 'show databases' command in beeline does not include the 'hr' database. Since the user has some access into the 'hr' database, the user will expect to see the 'hr' database in the command result.
Diffs
-----
agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 3c342a3
agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java 6873554
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java 637423e
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java 1a6e1b2
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 905262c
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java 7711765
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 899b216
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 84aac1e
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java 3b831c3
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java 00f8f9a
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java 9219450
agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/TestTagEnricher.java 30190ab
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java cb0af84
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java PRE-CREATION
agents-common/src/test/resources/contextenricher/test_tagenricher_hive.json 317c651
agents-common/src/test/resources/policyengine/descendant_tags.json PRE-CREATION
agents-common/src/test/resources/policyengine/test_policyengine_conditions.json 2ab2bee
agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json PRE-CREATION
agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json 6c9b966
agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json fab93f6
agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json 443ee53
agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json PRE-CREATION
Diff: https://reviews.apache.org/r/53043/diff/
Testing
-------
Ran unit tests successfully. Tested with hive-server2 with ranger plugin and Ranger/TagSync/Atlas stack.
Thanks,
Abhay Kulkarni
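The scenario in the description above, modelled as an added example; this is not code from the review request or from Ranger. The class, enum and method names and the sample data are hypothetical, and the rule that a descendant tag match only satisfies an "any access" request (such as listing databases) is an assumption of this model.

```java
import java.util.*;

// Simplified model of the scenario; class and method names are hypothetical, not Ranger's.
public class DescendantTagVisibility {
    enum Match { NONE, SELF, DESCENDANT }

    // Constructed sample data: resource path -> tags attached to it.
    static final Map<String, Set<String>> TAGS = Map.of(
        "hr.employee.ssn", Set.of("PII"),
        "finance.ledger", Set.of("AUDIT"));

    // Constructed tag-based policy: user -> tag -> granted access types.
    static final Map<String, Map<String, Set<String>>> TAG_POLICY = Map.of(
        "alice", Map.of("PII", Set.of("select")));

    // How a tagged resource relates to the resource being accessed.
    static Match match(String accessed, String tagged) {
        if (tagged.equals(accessed)) return Match.SELF;
        // Compare whole path segments so "hr" does not match "hr_archive.t1".
        if (tagged.startsWith(accessed + ".")) return Match.DESCENDANT;
        return Match.NONE;
    }

    static boolean tagGrants(String user, Set<String> tags, String accessType) {
        Map<String, Set<String>> grants = TAG_POLICY.getOrDefault(user, Map.of());
        for (String tag : tags) {
            Set<String> allowed = grants.getOrDefault(tag, Set.of());
            // accessType == null models an "any access" request such as listing databases.
            if (accessType == null ? !allowed.isEmpty() : allowed.contains(accessType)) return true;
        }
        return false;
    }

    // A specific access type is decided only by tags on the resource itself.
    // An "any access" request may also be satisfied by tags on descendants when enabled.
    static boolean isAllowed(String user, String resource, String accessType, boolean useDescendants) {
        for (Map.Entry<String, Set<String>> e : TAGS.entrySet()) {
            Match m = match(resource, e.getKey());
            boolean usable = m == Match.SELF
                || (m == Match.DESCENDANT && useDescendants && accessType == null);
            if (usable && tagGrants(user, e.getValue(), accessType)) return true;
        }
        return false;
    }

    static List<String> showDatabases(String user, List<String> all, boolean useDescendants) {
        List<String> visible = new ArrayList<>();
        for (String db : all) {
            if (isAllowed(user, db, null, useDescendants)) visible.add(db);
        }
        return visible;
    }

    public static void main(String[] args) {
        List<String> dbs = List.of("hr", "hr_archive", "finance");
        System.out.println(showDatabases("alice", dbs, false)); // reported behaviour
        System.out.println(showDatabases("alice", dbs, true));  // expected behaviour
        // Visibility does not widen access: 'select' on the database is still denied.
        System.out.println(isAllowed("alice", "hr", "select", true));
    }
}
```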
Re: Review Request 53043: User has access to a database via tag-based
policy - but 'show databases' does not include the database
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53043/#review154606
-----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java (line 214)
<https://reviews.apache.org/r/53043/#comment224220>
Assuming that most requests would not have a matching tag, it will be good to not create an ArrayList until it is needed (at line #235).
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java (line 183)
<https://reviews.apache.org/r/53043/#comment224224>
The 'if' at line #183 seems unnecessary, as for all tag-requests matchType needs to be copied from RangerTagAccessRequest.matchType. Please review.
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java (line 53)
<https://reviews.apache.org/r/53043/#comment224234>
It will help to add a couple of examples of how this field is used.
- Madhan Neethiraj
On Oct. 28, 2016, 6:37 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53043/
> -----------------------------------------------------------
>
> (Updated Oct. 28, 2016, 6:37 p.m.)
>
>
> Review request for ranger and Madhan Neethiraj.
>
>
> Bugs: RANGER-1190
> https://issues.apache.org/jira/browse/RANGER-1190
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Scenario: A user has some access to a table/column in a database - exclusively via a tag-based policy. For example: the 'hr.employee.ssn' column is tagged as PII and the user has 'select' access granted on the 'PII' tag. The user does not have any other access in the 'hr' database.
> In this scenario, the 'show databases' command in beeline does not include the 'hr' database. Since the user has some access into the 'hr' database, the user will expect to see the 'hr' database in the command result.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 3c342a3
> agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java 6873554
> agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java 637423e
> agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java 1a6e1b2
> agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 905262c
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java 7711765
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 899b216
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 84aac1e
> agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java 3b831c3
> agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java 00f8f9a
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java 9219450
> agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/TestTagEnricher.java 30190ab
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java cb0af84
> agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java PRE-CREATION
> agents-common/src/test/resources/contextenricher/test_tagenricher_hive.json 317c651
> agents-common/src/test/resources/policyengine/descendant_tags.json PRE-CREATION
> agents-common/src/test/resources/policyengine/test_policyengine_conditions.json 2ab2bee
> agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json PRE-CREATION
> agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json 6c9b966
> agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json fab93f6
> agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json 443ee53
> agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json PRE-CREATION
>
> Diff: https://reviews.apache.org/r/53043/diff/
>
>
> Testing
> -------
>
> Ran unit tests successfully. Tested with hive-server2 with ranger plugin and Ranger/TagSync/Atlas stack.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 53043: User has access to a database via tag-based
policy - but 'show databases' does not include the database
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53043/#review154691
-----------------------------------------------------------
Ship it!
- Madhan Neethiraj
On Nov. 3, 2016, 7:52 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53043/
> -----------------------------------------------------------
>
> (Updated Nov. 3, 2016, 7:52 a.m.)
>
>
> Review request for ranger and Madhan Neethiraj.
>
>
> Bugs: RANGER-1190
> https://issues.apache.org/jira/browse/RANGER-1190
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Scenario: A user has some access to a table/column in a database - exclusively via a tag-based policy. For example: the 'hr.employee.ssn' column is tagged as PII and the user has 'select' access granted on the 'PII' tag. The user does not have any other access in the 'hr' database.
> In this scenario, the 'show databases' command in beeline does not include the 'hr' database. Since the user has some access into the 'hr' database, the user will expect to see the 'hr' database in the command result.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 3c342a3
> agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java 6873554
> agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java 637423e
> agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java 1a6e1b2
> agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 905262c
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java 7711765
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 899b216
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 6119dbc
> agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java 3b831c3
> agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java 00f8f9a
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java 9219450
> agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/TestTagEnricher.java 30190ab
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 2ae280d
> agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java PRE-CREATION
> agents-common/src/test/resources/contextenricher/test_tagenricher_hive.json 317c651
> agents-common/src/test/resources/policyengine/descendant_tags.json PRE-CREATION
> agents-common/src/test/resources/policyengine/test_policyengine_conditions.json 2ab2bee
> agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json PRE-CREATION
> agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json 6c9b966
> agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json fab93f6
> agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json 443ee53
> agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json PRE-CREATION
>
> Diff: https://reviews.apache.org/r/53043/diff/
>
>
> Testing
> -------
>
> Ran unit tests successfully. Tested with hive-server2 with ranger plugin and Ranger/TagSync/Atlas stack.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 53043: User has access to a database via tag-based
policy - but 'show databases' does not include the database
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53043/
-----------------------------------------------------------
(Updated Nov. 3, 2016, 7:52 a.m.)
Review request for ranger and Madhan Neethiraj.
Changes
-------
Addressed review comments.
Bugs: RANGER-1190
https://issues.apache.org/jira/browse/RANGER-1190
Repository: ranger
Description
-------
Scenario: A user has some access to a table/column in a database - exclusively via a tag-based policy. For example: the 'hr.employee.ssn' column is tagged as PII and the user has 'select' access granted on the 'PII' tag. The user does not have any other access in the 'hr' database.
In this scenario, the 'show databases' command in beeline does not include the 'hr' database. Since the user has some access into the 'hr' database, the user will expect to see the 'hr' database in the command result.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 3c342a3
agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java 6873554
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java 637423e
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java 1a6e1b2
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 905262c
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java 7711765
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 899b216
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 6119dbc
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java 3b831c3
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java 00f8f9a
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java 9219450
agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/TestTagEnricher.java 30190ab
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 2ae280d
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java PRE-CREATION
agents-common/src/test/resources/contextenricher/test_tagenricher_hive.json 317c651
agents-common/src/test/resources/policyengine/descendant_tags.json PRE-CREATION
agents-common/src/test/resources/policyengine/test_policyengine_conditions.json 2ab2bee
agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json PRE-CREATION
agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json 6c9b966
agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json fab93f6
agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json 443ee53
agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json PRE-CREATION
Diff: https://reviews.apache.org/r/53043/diff/
Testing
-------
Ran unit tests successfully. Tested with hive-server2 with ranger plugin and Ranger/TagSync/Atlas stack.
Thanks,
Abhay Kulkarni
Re: Review Request 53043: User has access to a database via tag-based
policy - but 'show databases' does not include the database
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53043/
-----------------------------------------------------------
(Updated Oct. 28, 2016, 6:37 p.m.)
Review request for ranger and Madhan Neethiraj.
Changes
-------
Ensure that access-resource is valid before attempting a match.
If policy-resource matches everything, then return ANCESTOR-match.
Bugs: RANGER-1190
https://issues.apache.org/jira/browse/RANGER-1190
Repository: ranger
Description
-------
Scenario: A user has some access to a table/column in a database - exclusively via a tag-based policy. For example: the 'hr.employee.ssn' column is tagged as PII and the user has 'select' access granted on the 'PII' tag. The user does not have any other access in the 'hr' database.
In this scenario, the 'show databases' command in beeline does not include the 'hr' database. Since the user has some access into the 'hr' database, the user will expect to see the 'hr' database in the command result.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 3c342a3
agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java 6873554
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java 637423e
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java 1a6e1b2
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 905262c
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java 7711765
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 899b216
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 84aac1e
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java 3b831c3
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java 00f8f9a
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java 9219450
agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/TestTagEnricher.java 30190ab
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java cb0af84
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java PRE-CREATION
agents-common/src/test/resources/contextenricher/test_tagenricher_hive.json 317c651
agents-common/src/test/resources/policyengine/descendant_tags.json PRE-CREATION
agents-common/src/test/resources/policyengine/test_policyengine_conditions.json 2ab2bee
agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json PRE-CREATION
agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json 6c9b966
agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json fab93f6
agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json 443ee53
agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json PRE-CREATION
Diff: https://reviews.apache.org/r/53043/diff/
Testing
-------
Ran unit tests successfully. Tested with hive-server2 with ranger plugin and Ranger/TagSync/Atlas stack.
Thanks,
Abhay Kulkarni