You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by Ramesh Mani <rm...@hortonworks.com> on 2019/10/02 01:33:04 UTC
Review Request 71569: RANGER-2512:RangerRolesRESTClient for serving
user group roles to the plugins for evaluation -part2
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71569/
-----------------------------------------------------------
Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
Bugs: RANGER-2512
https://issues.apache.org/jira/browse/RANGER-2512
Repository: ranger
Description
-------
RANGER-2512:RangerRolesRESTClient for serving user group roles to the plugins for evaluation -part2
Diffs
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 77648fd
security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java 9d26fb5
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 85db577
security-admin/src/main/java/org/apache/ranger/db/XXGlobalStateDao.java d687e73
security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 06a4063
security-admin/src/main/java/org/apache/ranger/entity/XXServiceVersionInfo.java 1d81337
security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java d28cf3d
security-admin/src/main/resources/META-INF/jpa_named_queries.xml ab8e675
Diff: https://reviews.apache.org/r/71569/diff/1/
Testing
-------
- Addressed previous review comments
- Addressed issue with Role download to the plugin when Roles are first create and added to new or existing policy.
Thanks,
Ramesh Mani
Re: Review Request 71569: RANGER-2512:RangerRolesRESTClient for
serving user group roles to the plugins for evaluation -part2
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71569/#review218013
-----------------------------------------------------------
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
Lines 3401 (patched)
<https://reviews.apache.org/r/71569/#comment305476>
This functions returns true when policy is null or there are no roles in the policy at all. In those cases, there is no need to create an roleVersionUpdater. Please consider reversing the logic (perhaps renaming the function isSomeRoleInPolicyNotPresentInAnyOtherPoliciesInService() or something like that), that returns true only if some role in the policy is never before seen in any other policy in the containing service.
- Abhay Kulkarni
On Oct. 2, 2019, 1:33 a.m., Ramesh Mani wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71569/
> -----------------------------------------------------------
>
> (Updated Oct. 2, 2019, 1:33 a.m.)
>
>
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2512
> https://issues.apache.org/jira/browse/RANGER-2512
>
>
> Repository: ranger
>
>
> Description
> -------
>
> RANGER-2512:RangerRolesRESTClient for serving user group roles to the plugins for evaluation -part2
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 77648fd
> security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java 9d26fb5
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 85db577
> security-admin/src/main/java/org/apache/ranger/db/XXGlobalStateDao.java d687e73
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 06a4063
> security-admin/src/main/java/org/apache/ranger/entity/XXServiceVersionInfo.java 1d81337
> security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java d28cf3d
> security-admin/src/main/resources/META-INF/jpa_named_queries.xml ab8e675
>
>
> Diff: https://reviews.apache.org/r/71569/diff/1/
>
>
> Testing
> -------
>
> - Addressed previous review comments
> - Addressed issue with Role download to the plugin when Roles are first create and added to new or existing policy.
>
>
> Thanks,
>
> Ramesh Mani
>
>
Re: Review Request 71569: RANGER-2512:RangerRolesRESTClient for
serving user group roles to the plugins for evaluation -part2
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71569/#review218053
-----------------------------------------------------------
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
Lines 3417 (patched)
<https://reviews.apache.org/r/71569/#comment305562>
- when a role is referenced in multiple policyItems, #3418 will be executed for each reference. This can be avoided - by collecting all roleNames in a Set<>, and iterating through the set.
- in case of policy-update, it will be useful to avoid the call to isRoleDownloadRequired() where possible. For example, by checking if the updated policy references additional role(s) than the current policy in the DB.
- in case of policy-create, it is necessary to verify if this policy refers to a role that hasn't been referenced by another policy in this service (consider tag service too)
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
Lines 3418 (patched)
<https://reviews.apache.org/r/71569/#comment305563>
Instead of retrieving all policy-IDs (List<Long>), it will be efficient to simply get the count:
daoMgr.getXXPolicy().findRoleRefPolicyCount():
select count(*)
from XXPolicy policy, XXPolicyRefRole roleRef
where policy.service = :serviceId
and roleRef.policyId = policy.id
and roleRef.roleName = :roleName
- Madhan Neethiraj
On Oct. 2, 2019, 6:14 p.m., Ramesh Mani wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71569/
> -----------------------------------------------------------
>
> (Updated Oct. 2, 2019, 6:14 p.m.)
>
>
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2512
> https://issues.apache.org/jira/browse/RANGER-2512
>
>
> Repository: ranger
>
>
> Description
> -------
>
> RANGER-2512:RangerRolesRESTClient for serving user group roles to the plugins for evaluation -part2
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 77648fd
> security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java 9d26fb5
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 85db577
> security-admin/src/main/java/org/apache/ranger/db/XXGlobalStateDao.java d687e73
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 06a4063
> security-admin/src/main/java/org/apache/ranger/entity/XXServiceVersionInfo.java 1d81337
> security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java d28cf3d
> security-admin/src/main/resources/META-INF/jpa_named_queries.xml ab8e675
>
>
> Diff: https://reviews.apache.org/r/71569/diff/2/
>
>
> Testing
> -------
>
> - Addressed previous review comments
> - Addressed issue with Role download to the plugin when Roles are first create and added to new or existing policy.
>
>
> Thanks,
>
> Ramesh Mani
>
>
Re: Review Request 71569: RANGER-2512:RangerRolesRESTClient for
serving user group roles to the plugins for evaluation -part2
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71569/#review218025
-----------------------------------------------------------
Ship it!
Ship It!
- Abhay Kulkarni
On Oct. 2, 2019, 6:14 p.m., Ramesh Mani wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71569/
> -----------------------------------------------------------
>
> (Updated Oct. 2, 2019, 6:14 p.m.)
>
>
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2512
> https://issues.apache.org/jira/browse/RANGER-2512
>
>
> Repository: ranger
>
>
> Description
> -------
>
> RANGER-2512:RangerRolesRESTClient for serving user group roles to the plugins for evaluation -part2
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 77648fd
> security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java 9d26fb5
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 85db577
> security-admin/src/main/java/org/apache/ranger/db/XXGlobalStateDao.java d687e73
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 06a4063
> security-admin/src/main/java/org/apache/ranger/entity/XXServiceVersionInfo.java 1d81337
> security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java d28cf3d
> security-admin/src/main/resources/META-INF/jpa_named_queries.xml ab8e675
>
>
> Diff: https://reviews.apache.org/r/71569/diff/2/
>
>
> Testing
> -------
>
> - Addressed previous review comments
> - Addressed issue with Role download to the plugin when Roles are first create and added to new or existing policy.
>
>
> Thanks,
>
> Ramesh Mani
>
>
Re: Review Request 71569: RANGER-2512:RangerRolesRESTClient for
serving user group roles to the plugins for evaluation -part2
Posted by Ramesh Mani <rm...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71569/
-----------------------------------------------------------
(Updated Oct. 2, 2019, 6:14 p.m.)
Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
Addressed review comment
Bugs: RANGER-2512
https://issues.apache.org/jira/browse/RANGER-2512
Repository: ranger
Description
-------
RANGER-2512:RangerRolesRESTClient for serving user group roles to the plugins for evaluation -part2
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 77648fd
security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java 9d26fb5
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 85db577
security-admin/src/main/java/org/apache/ranger/db/XXGlobalStateDao.java d687e73
security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 06a4063
security-admin/src/main/java/org/apache/ranger/entity/XXServiceVersionInfo.java 1d81337
security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java d28cf3d
security-admin/src/main/resources/META-INF/jpa_named_queries.xml ab8e675
Diff: https://reviews.apache.org/r/71569/diff/2/
Changes: https://reviews.apache.org/r/71569/diff/1-2/
Testing
-------
- Addressed previous review comments
- Addressed issue with Role download to the plugin when Roles are first create and added to new or existing policy.
Thanks,
Ramesh Mani