You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by Abhay Kulkarni <ak...@hortonworks.com> on 2021/10/20 19:28:41 UTC
Review Request 73659: RANGER-3490:Make policy resource signature is
unique in a service
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73659/
-----------------------------------------------------------
Review request for ranger, Dineshkumar Yadav, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, and Sailaja Polavarapu.
Bugs: RANGER-3490
https://issues.apache.org/jira/browse/RANGER-3490
Repository: ranger
Description
-------
There may be multiple policies with the same resource signature within a service (at most one enabled policy and potentially any number of disabled policies). Therefore, the resource-signature uniqueness within a service cannot be enforced at the database level.
The proposal is to encode GUID of a disabled policy within the resource signature, thus making the resource signature unique within a service.
Diffs
-----
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java 312005e0f
agents-common/src/test/java/org/apache/ranger/plugin/model/TestRangerPolicyResourceSignature.java bc9df31cc
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java f13cef71d
security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ef0d3b4eb
Diff: https://reviews.apache.org/r/73659/diff/1/
Testing
-------
Compiled and ran all unit tests successfully.
Thanks,
Abhay Kulkarni
Re: Review Request 73659: RANGER-3490:Make policy resource signature
is unique in a service
Posted by Madhan Neethiraj <ma...@apache.org>.
> On Oct. 20, 2021, 10:18 p.m., Madhan Neethiraj wrote:
> > In addition to the changes in this patch, DB scripts need to be updated to setup unique-key constraint for {service, zone, resource-signature}.
> >
> > Also, resource signature of existing disabled policies should be updated using a Java patch.
>
> Abhay Kulkarni wrote:
> As zone is encrypted within policy-resource-signature, the unique-key constraint needs to be on {service, resource-signature } fields.
You are right. In fact, I noted the same in RANGER-3472; missed it in this review :-)
- Madhan
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73659/#review223642
-----------------------------------------------------------
On Oct. 20, 2021, 7:28 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73659/
> -----------------------------------------------------------
>
> (Updated Oct. 20, 2021, 7:28 p.m.)
>
>
> Review request for ranger, Dineshkumar Yadav, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, and Sailaja Polavarapu.
>
>
> Bugs: RANGER-3490
> https://issues.apache.org/jira/browse/RANGER-3490
>
>
> Repository: ranger
>
>
> Description
> -------
>
> There may be multiple policies with the same resource signature within a service (at most one enabled policy and potentially any number of disabled policies). Therefore, the resource-signature uniqueness within a service cannot be enforced at the database level.
>
> The proposal is to encode GUID of a disabled policy within the resource signature, thus making the resource signature unique within a service.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java 312005e0f
> agents-common/src/test/java/org/apache/ranger/plugin/model/TestRangerPolicyResourceSignature.java bc9df31cc
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java f13cef71d
> security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ef0d3b4eb
>
>
> Diff: https://reviews.apache.org/r/73659/diff/1/
>
>
> Testing
> -------
>
> Compiled and ran all unit tests successfully.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 73659: RANGER-3490:Make policy resource signature
is unique in a service
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
> On Oct. 20, 2021, 10:18 p.m., Madhan Neethiraj wrote:
> > In addition to the changes in this patch, DB scripts need to be updated to setup unique-key constraint for {service, zone, resource-signature}.
> >
> > Also, resource signature of existing disabled policies should be updated using a Java patch.
As zone is encrypted within policy-resource-signature, the unique-key constraint needs to be on {service, resource-signature } fields.
- Abhay
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73659/#review223642
-----------------------------------------------------------
On Oct. 20, 2021, 7:28 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73659/
> -----------------------------------------------------------
>
> (Updated Oct. 20, 2021, 7:28 p.m.)
>
>
> Review request for ranger, Dineshkumar Yadav, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, and Sailaja Polavarapu.
>
>
> Bugs: RANGER-3490
> https://issues.apache.org/jira/browse/RANGER-3490
>
>
> Repository: ranger
>
>
> Description
> -------
>
> There may be multiple policies with the same resource signature within a service (at most one enabled policy and potentially any number of disabled policies). Therefore, the resource-signature uniqueness within a service cannot be enforced at the database level.
>
> The proposal is to encode GUID of a disabled policy within the resource signature, thus making the resource signature unique within a service.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java 312005e0f
> agents-common/src/test/java/org/apache/ranger/plugin/model/TestRangerPolicyResourceSignature.java bc9df31cc
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java f13cef71d
> security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ef0d3b4eb
>
>
> Diff: https://reviews.apache.org/r/73659/diff/1/
>
>
> Testing
> -------
>
> Compiled and ran all unit tests successfully.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 73659: RANGER-3490:Make policy resource signature
is unique in a service
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73659/#review223642
-----------------------------------------------------------
Ship it!
In addition to the changes in this patch, DB scripts need to be updated to setup unique-key constraint for {service, zone, resource-signature}.
Also, resource signature of existing disabled policies should be updated using a Java patch.
- Madhan Neethiraj
On Oct. 20, 2021, 7:28 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73659/
> -----------------------------------------------------------
>
> (Updated Oct. 20, 2021, 7:28 p.m.)
>
>
> Review request for ranger, Dineshkumar Yadav, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, and Sailaja Polavarapu.
>
>
> Bugs: RANGER-3490
> https://issues.apache.org/jira/browse/RANGER-3490
>
>
> Repository: ranger
>
>
> Description
> -------
>
> There may be multiple policies with the same resource signature within a service (at most one enabled policy and potentially any number of disabled policies). Therefore, the resource-signature uniqueness within a service cannot be enforced at the database level.
>
> The proposal is to encode GUID of a disabled policy within the resource signature, thus making the resource signature unique within a service.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java 312005e0f
> agents-common/src/test/java/org/apache/ranger/plugin/model/TestRangerPolicyResourceSignature.java bc9df31cc
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java f13cef71d
> security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ef0d3b4eb
>
>
> Diff: https://reviews.apache.org/r/73659/diff/1/
>
>
> Testing
> -------
>
> Compiled and ran all unit tests successfully.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 73659: RANGER-3490:Make policy resource signature
is unique in a service
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73659/#review223671
-----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
Lines 544 (patched)
<https://reviews.apache.org/r/73659/#comment312765>
Consider moving 'action' value validations at #544 and #570, depending on presence of existing policy, to isValid() method at #109.
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
Lines 559 (patched)
<https://reviews.apache.org/r/73659/#comment312766>
Wouldn't "!policy.getIsEnabled()" be same as "existingPolicy.getIsEnabled()" - given the 'if' at #548?
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
Line 548 (original), 564 (patched)
<https://reviews.apache.org/r/73659/#comment312767>
if a policy update includes change in resources, the signatures would be different. In such case would #564 result in validation failure? Please review.
- Madhan Neethiraj
On Oct. 26, 2021, 5:47 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73659/
> -----------------------------------------------------------
>
> (Updated Oct. 26, 2021, 5:47 p.m.)
>
>
> Review request for ranger, Dineshkumar Yadav, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, and Sailaja Polavarapu.
>
>
> Bugs: RANGER-3490
> https://issues.apache.org/jira/browse/RANGER-3490
>
>
> Repository: ranger
>
>
> Description
> -------
>
> There may be multiple policies with the same resource signature within a service (at most one enabled policy and potentially any number of disabled policies). Therefore, the resource-signature uniqueness within a service cannot be enforced at the database level.
>
> The proposal is to encode GUID of a disabled policy within the resource signature, thus making the resource signature unique within a service.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java 312005e0f
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 0ba1fb918
> agents-common/src/test/java/org/apache/ranger/plugin/model/TestRangerPolicyResourceSignature.java bc9df31cc
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java f0e2d07d9
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java f13cef71d
> security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ef0d3b4eb
>
>
> Diff: https://reviews.apache.org/r/73659/diff/2/
>
>
> Testing
> -------
>
> Compiled and ran all unit tests successfully.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 73659: RANGER-3490:Make policy resource signature
is unique in a service
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73659/#review223674
-----------------------------------------------------------
Ship it!
Ship It!
- Madhan Neethiraj
On Oct. 27, 2021, midnight, Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73659/
> -----------------------------------------------------------
>
> (Updated Oct. 27, 2021, midnight)
>
>
> Review request for ranger, Dineshkumar Yadav, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, and Sailaja Polavarapu.
>
>
> Bugs: RANGER-3490
> https://issues.apache.org/jira/browse/RANGER-3490
>
>
> Repository: ranger
>
>
> Description
> -------
>
> There may be multiple policies with the same resource signature within a service (at most one enabled policy and potentially any number of disabled policies). Therefore, the resource-signature uniqueness within a service cannot be enforced at the database level.
>
> The proposal is to encode GUID of a disabled policy within the resource signature, thus making the resource signature unique within a service.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java 312005e0f
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 0ba1fb918
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java b02090b3c
> agents-common/src/test/java/org/apache/ranger/plugin/model/TestRangerPolicyResourceSignature.java bc9df31cc
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java f0e2d07d9
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerValidator.java 6de590b0e
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java f13cef71d
> security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ef0d3b4eb
>
>
> Diff: https://reviews.apache.org/r/73659/diff/3/
>
>
> Testing
> -------
>
> Compiled and ran all unit tests successfully.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 73659: RANGER-3490:Make policy resource signature
is unique in a service
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73659/
-----------------------------------------------------------
(Updated Oct. 27, 2021, midnight)
Review request for ranger, Dineshkumar Yadav, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, and Sailaja Polavarapu.
Changes
-------
Updated to address review comments.
Bugs: RANGER-3490
https://issues.apache.org/jira/browse/RANGER-3490
Repository: ranger
Description
-------
There may be multiple policies with the same resource signature within a service (at most one enabled policy and potentially any number of disabled policies). Therefore, the resource-signature uniqueness within a service cannot be enforced at the database level.
The proposal is to encode GUID of a disabled policy within the resource signature, thus making the resource signature unique within a service.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java 312005e0f
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 0ba1fb918
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java b02090b3c
agents-common/src/test/java/org/apache/ranger/plugin/model/TestRangerPolicyResourceSignature.java bc9df31cc
agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java f0e2d07d9
agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerValidator.java 6de590b0e
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java f13cef71d
security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ef0d3b4eb
Diff: https://reviews.apache.org/r/73659/diff/3/
Changes: https://reviews.apache.org/r/73659/diff/2-3/
Testing
-------
Compiled and ran all unit tests successfully.
Thanks,
Abhay Kulkarni
Re: Review Request 73659: RANGER-3490:Make policy resource signature
is unique in a service
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73659/
-----------------------------------------------------------
(Updated Oct. 26, 2021, 5:47 p.m.)
Review request for ranger, Dineshkumar Yadav, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, and Sailaja Polavarapu.
Changes
-------
Updated RangerPolicyValidator to handle signature of disabled policy
Bugs: RANGER-3490
https://issues.apache.org/jira/browse/RANGER-3490
Repository: ranger
Description
-------
There may be multiple policies with the same resource signature within a service (at most one enabled policy and potentially any number of disabled policies). Therefore, the resource-signature uniqueness within a service cannot be enforced at the database level.
The proposal is to encode GUID of a disabled policy within the resource signature, thus making the resource signature unique within a service.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java 312005e0f
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 0ba1fb918
agents-common/src/test/java/org/apache/ranger/plugin/model/TestRangerPolicyResourceSignature.java bc9df31cc
agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java f0e2d07d9
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java f13cef71d
security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ef0d3b4eb
Diff: https://reviews.apache.org/r/73659/diff/2/
Changes: https://reviews.apache.org/r/73659/diff/1-2/
Testing
-------
Compiled and ran all unit tests successfully.
Thanks,
Abhay Kulkarni