Posted to dev@ranger.apache.org by Abhay Kulkarni <ak...@hortonworks.com> on 2020/06/15 17:47:11 UTC
Re: Review Request 72577: 'show databases' gives permission denied error, even though the user has permissions on a few of the databases in security zone policies
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72577/
-----------------------------------------------------------
(Updated June 15, 2020, 5:47 p.m.)
Review request for ranger, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
Addressed review comments.
Summary (updated)
-----------------
'show databases' gives permission denied error, even though the user has permissions on a few of the databases in security zone policies
Bugs: RANGER-2858
https://issues.apache.org/jira/browse/RANGER-2858
Repository: ranger
Description (updated)
-------
When user has permissions on a few of the databases in security zone policies, "show databases" command is expected to list databases on which the user has some permission in any security zone(s). However, the command fails authorization. Furthermore, command "use <database>" where <database> is name of the database where user has some access in any security zone, succeeds.
Diffs
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java e6de06fa7
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 0930e2cf7
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 29c3604d1
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 1b5aa9e2d
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 1bdee86d3
Diff: https://reviews.apache.org/r/72577/diff/1/
Testing (updated)
-------
Created two security zones containing different databases with one zone having Ranger policy to provide access to a table contained in that zone.
Verified that 'show databases' command listed correct database which allowed some access to the contained table.
Thanks,
Abhay Kulkarni
Re: Review Request 72577: 'show databases' gives permission denied error, even though the user has permissions on a few of the databases in security zone policies
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72577/#review221006
-----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Line 178 (original), 179 (patched)
<https://reviews.apache.org/r/72577/#comment309768>
It doesn't seem necessary to look at children zones. Please review.
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
Line 158 (original), 159 (patched)
<https://reviews.apache.org/r/72577/#comment309767>
For consistency, consider having 'zoneName' argument next to 'resource' argument - see #83 above.
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
Line 1288 (original), 1288 (patched)
<https://reviews.apache.org/r/72577/#comment309764>
Grant/revoke clients may not know the zone to which the resource belongs. In such cases (zoneName == null), the grant/revoke API implementation should find the zone in which the resource resides, and create/update the policy in that zone.
If multiple zones match for a given resource (for example, children of the resource are in different zones), then grant/revoke should be applied on the unzoned policy - which will cover the parent resource as a whole.
Please review other places that use zoneName from grant/revoke request for above.
- Madhan Neethiraj
On June 15, 2020, 5:50 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72577/
> -----------------------------------------------------------
>
> (Updated June 15, 2020, 5:50 p.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2858
> https://issues.apache.org/jira/browse/RANGER-2858
>
>
> Repository: ranger
>
>
> Description
> -------
>
> When user has permissions on a few of the databases in security zone policies, "show databases" command is expected to list databases on which the user has some permission in any security zone(s). However, the command fails authorization. Furthermore, command "use <database>" where <database> is name of the database where user has some access in any security zone, succeeds.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java e6de06fa7
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java fdec9caab
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 0930e2cf7
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java a6ea48d14
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 29c3604d1
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 1b5aa9e2d
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 1bdee86d3
>
>
> Diff: https://reviews.apache.org/r/72577/diff/2/
>
>
> Testing
> -------
>
> Created two security zones containing different databases with one zone having Ranger policy to provide access to a table contained in that zone.
>
> Verified that 'show databases' command listed correct database which allowed some access to the contained table.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
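The zone-selection rule described for grant/revoke in the review comment on ServiceREST.java above, sketched as an added example; it is not Ranger's code and not part of the review. The class, method names, sample zones and the path-prefix notion of a zone "matching" a resource are assumptions made for illustration.

```java
import java.util.*;

public class ZoneResolutionExample {
    // Hypothetical marker for "no security zone" (the unzoned policy set).
    static final String UNZONED = "";

    // Constructed sample data: zone name -> resource paths it contains,
    // written as "database" or "database/table".
    static final Map<String, List<String>> ZONES = new LinkedHashMap<>();
    static {
        ZONES.put("finance", Arrays.asList("findb"));
        ZONES.put("hr", Arrays.asList("shared/employees"));
        ZONES.put("sales", Arrays.asList("shared/orders"));
    }

    // True when path a is the same as path b or an ancestor of it.
    static boolean isSelfOrAncestor(String a, String b) {
        return b.equals(a) || b.startsWith(a + "/");
    }

    // Assumption: a zone matches when the resource resides in it,
    // or when a child of the resource resides in it.
    static Set<String> matchingZones(String resource) {
        Set<String> matched = new TreeSet<>();
        for (Map.Entry<String, List<String>> zone : ZONES.entrySet()) {
            for (String zoneResource : zone.getValue()) {
                if (isSelfOrAncestor(zoneResource, resource)
                        || isSelfOrAncestor(resource, zoneResource)) {
                    matched.add(zone.getKey());
                }
            }
        }
        return matched;
    }

    // requestedZone is the zoneName from the grant/revoke request; null means
    // the client did not name a zone and the server has to work it out.
    static String resolveZone(String requestedZone, String resource) {
        if (requestedZone != null) {
            return requestedZone;
        }
        Set<String> matched = matchingZones(resource);
        // Exactly one zone: use it. None or several: fall back to unzoned.
        return matched.size() == 1 ? matched.iterator().next() : UNZONED;
    }

    public static void main(String[] args) {
        for (String r : new String[] {"findb/ledger", "shared", "scratch"}) {
            System.out.println(r + " -> [" + resolveZone(null, r) + "]");
        }
    }
}
```

Here `shared` has children in both the `hr` and `sales` zones, so a grant on it with no zone name falls through to the unzoned policy set, while `findb/ledger` resolves to the single zone that contains it.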
Re: Review Request 72577: 'show databases' gives permission denied error, even though the user has permissions on a few of the databases in security zone policies
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72577/#review221016
-----------------------------------------------------------
Ship it!
- Madhan Neethiraj
On June 16, 2020, 8:12 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72577/
> -----------------------------------------------------------
>
> (Updated June 16, 2020, 8:12 p.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2858
> https://issues.apache.org/jira/browse/RANGER-2858
>
>
> Repository: ranger
>
>
> Description
> -------
>
> When user has permissions on a few of the databases in security zone policies, "show databases" command is expected to list databases on which the user has some permission in any security zone(s). However, the command fails authorization. Furthermore, command "use <database>" where <database> is name of the database where user has some access in any security zone, succeeds.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java e6de06fa7
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java fdec9caab
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 0930e2cf7
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java a6ea48d14
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 29c3604d1
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 1b5aa9e2d
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 1bdee86d3
>
>
> Diff: https://reviews.apache.org/r/72577/diff/3/
>
>
> Testing
> -------
>
> Created two security zones containing different databases with one zone having Ranger policy to provide access to a table contained in that zone.
>
> Verified that 'show databases' command listed correct database which allowed some access to the contained table.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 72577: 'show databases' gives permission denied error, even though the user has permissions on a few of the databases in security zone policies
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72577/
-----------------------------------------------------------
(Updated June 16, 2020, 8:12 p.m.)
Review request for ranger, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
Addressed review comments
Bugs: RANGER-2858
https://issues.apache.org/jira/browse/RANGER-2858
Repository: ranger
Description
-------
When user has permissions on a few of the databases in security zone policies, "show databases" command is expected to list databases on which the user has some permission in any security zone(s). However, the command fails authorization. Furthermore, command "use <database>" where <database> is name of the database where user has some access in any security zone, succeeds.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java e6de06fa7
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java fdec9caab
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 0930e2cf7
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java a6ea48d14
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 29c3604d1
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 1b5aa9e2d
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 1bdee86d3
Diff: https://reviews.apache.org/r/72577/diff/3/
Changes: https://reviews.apache.org/r/72577/diff/2-3/
Testing
-------
Created two security zones containing different databases with one zone having Ranger policy to provide access to a table contained in that zone.
Verified that 'show databases' command listed correct database which allowed some access to the contained table.
Thanks,
Abhay Kulkarni
Re: Review Request 72577: 'show databases' gives permission denied error, even though the user has permissions on a few of the databases in security zone policies
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72577/
-----------------------------------------------------------
(Updated June 15, 2020, 5:50 p.m.)
Review request for ranger, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
Addressed review comments
Bugs: RANGER-2858
https://issues.apache.org/jira/browse/RANGER-2858
Repository: ranger
Description
-------
When user has permissions on a few of the databases in security zone policies, "show databases" command is expected to list databases on which the user has some permission in any security zone(s). However, the command fails authorization. Furthermore, command "use <database>" where <database> is name of the database where user has some access in any security zone, succeeds.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java e6de06fa7
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java fdec9caab
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 0930e2cf7
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java a6ea48d14
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 29c3604d1
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 1b5aa9e2d
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 1bdee86d3
Diff: https://reviews.apache.org/r/72577/diff/2/
Changes: https://reviews.apache.org/r/72577/diff/1-2/
Testing
-------
Created two security zones containing different databases with one zone having Ranger policy to provide access to a table contained in that zone.
Verified that 'show databases' command listed correct database which allowed some access to the contained table.
Thanks,
Abhay Kulkarni