You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by Nikhil P <np...@gmail.com> on 2019/05/17 13:21:21 UTC
Re: Review Request 70658: RANGER-2436 - Custom condition: Access from
cluster
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70658/
-----------------------------------------------------------
(Updated May 17, 2019, 6:51 p.m.)
Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.
Summary (updated)
-----------------
RANGER-2436 - Custom condition: Access from cluster
Bugs: RANGER-2436
https://issues.apache.org/jira/browse/RANGER-2436
Repository: ranger
Description
-------
Include a custom-condition that checks if the current cluster-name matches one of the condition values. This will enable setting up different authorization policies depending on the cluster from which access was performed.
Diffs
-----
agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerClusterMatcher.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java 5b66539
agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java 0c078a8
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e7
agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json 370ff56
security-admin/src/main/java/org/apache/ranger/patch/PatchForHiveServiceDefUpdate_J10027.java a54d69e
Diff: https://reviews.apache.org/r/70658/diff/2/
Testing
-------
1.Tested If cluster name condition is provided in policy/policyItem condition then access is granted if that cluster name is given in policy condition while setting up the policy.
2.If condition is specified with some cluster names and the cluster from which access request is coming is not present in condition then access is denied.
3.Tested for hive plugin
Thanks,
Nikhil P
Re: Review Request 70658: RANGER-2436 - Custom condition: Access from
cluster
Posted by Velmurugan Periasamy <vp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70658/#review215414
-----------------------------------------------------------
Ship it!
Ship It!
- Velmurugan Periasamy
On May 21, 2019, 1:27 p.m., Nikhil P wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70658/
> -----------------------------------------------------------
>
> (Updated May 21, 2019, 1:27 p.m.)
>
>
> Review request for ranger, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2436
> https://issues.apache.org/jira/browse/RANGER-2436
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Include a custom-condition that checks if the current cluster-name matches one of the condition values. This will enable setting up different authorization policies depending on the cluster from which access was performed.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedFromClusterCondition.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedNotFromClusterCondition.java PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/70658/diff/3/
>
>
> Testing
> -------
>
> 1.Tested If cluster name condition is provided in policy/policyItem condition then access is granted if that cluster name is given in policy condition while setting up the policy.
> 2.If condition is specified with some cluster names and the cluster from which access request is coming is not present in condition then access is denied.
> 3.Tested for hive plugin
>
>
> Thanks,
>
> Nikhil P
>
>
Re: Review Request 70658: RANGER-2436 - Custom condition: Access from
cluster
Posted by Pradeep Agrawal <pr...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70658/#review215443
-----------------------------------------------------------
Ship it!
Ship It!
- Pradeep Agrawal
On May 21, 2019, 1:27 p.m., Nikhil P wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70658/
> -----------------------------------------------------------
>
> (Updated May 21, 2019, 1:27 p.m.)
>
>
> Review request for ranger, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2436
> https://issues.apache.org/jira/browse/RANGER-2436
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Include a custom-condition that checks if the current cluster-name matches one of the condition values. This will enable setting up different authorization policies depending on the cluster from which access was performed.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedFromClusterCondition.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedNotFromClusterCondition.java PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/70658/diff/3/
>
>
> Testing
> -------
>
> 1.Tested If cluster name condition is provided in policy/policyItem condition then access is granted if that cluster name is given in policy condition while setting up the policy.
> 2.If condition is specified with some cluster names and the cluster from which access request is coming is not present in condition then access is denied.
> 3.Tested for hive plugin
>
>
> Thanks,
>
> Nikhil P
>
>
Re: Review Request 70658: RANGER-2436 - Custom condition: Access from
cluster
Posted by Nikhil P <np...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70658/
-----------------------------------------------------------
(Updated May 21, 2019, 6:57 p.m.)
Review request for ranger, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
Bugs: RANGER-2436
https://issues.apache.org/jira/browse/RANGER-2436
Repository: ranger
Description
-------
Include a custom-condition that checks if the current cluster-name matches one of the condition values. This will enable setting up different authorization policies depending on the cluster from which access was performed.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedFromClusterCondition.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAccessedNotFromClusterCondition.java PRE-CREATION
Diff: https://reviews.apache.org/r/70658/diff/3/
Changes: https://reviews.apache.org/r/70658/diff/2-3/
Testing
-------
1.Tested If cluster name condition is provided in policy/policyItem condition then access is granted if that cluster name is given in policy condition while setting up the policy.
2.If condition is specified with some cluster names and the cluster from which access request is coming is not present in condition then access is denied.
3.Tested for hive plugin
Thanks,
Nikhil P
Re: Review Request 70658: RANGER-2436 - Custom condition: Access from
cluster
Posted by Velmurugan Periasamy <vp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70658/#review215340
-----------------------------------------------------------
security-admin/src/main/java/org/apache/ranger/patch/PatchForHiveServiceDefUpdate_J10027.java
Lines 127 (patched)
<https://reviews.apache.org/r/70658/#comment302005>
I don't think this needs to be included in the service def by default. If required, users can register the policy condition.
- Velmurugan Periasamy
On May 17, 2019, 1:21 p.m., Nikhil P wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70658/
> -----------------------------------------------------------
>
> (Updated May 17, 2019, 1:21 p.m.)
>
>
> Review request for ranger, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2436
> https://issues.apache.org/jira/browse/RANGER-2436
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Include a custom-condition that checks if the current cluster-name matches one of the condition values. This will enable setting up different authorization policies depending on the cluster from which access was performed.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerClusterMatcher.java PRE-CREATION
> agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java 5b66539
> agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java 0c078a8
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e7
> agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json 370ff56
> security-admin/src/main/java/org/apache/ranger/patch/PatchForHiveServiceDefUpdate_J10027.java a54d69e
>
>
> Diff: https://reviews.apache.org/r/70658/diff/2/
>
>
> Testing
> -------
>
> 1.Tested If cluster name condition is provided in policy/policyItem condition then access is granted if that cluster name is given in policy condition while setting up the policy.
> 2.If condition is specified with some cluster names and the cluster from which access request is coming is not present in condition then access is denied.
> 3.Tested for hive plugin
>
>
> Thanks,
>
> Nikhil P
>
>