You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by Pradeep Agrawal <pr...@freestoneinfotech.com> on 2016/04/17 09:00:59 UTC

Review Request 46305: RANGER-710 : Add a permission for 'Tag Based Policies'

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/46305/
-----------------------------------------------------------

Review request for ranger, Alok Lal, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.

Bugs: RANGER-710
https://issues.apache.org/jira/browse/RANGER-710

Repository: ranger

Description
-------

**Problem Statement :**
Ranger Admin permission model currently supports the following permissions:
Resource Based Policies
Users/Groups
Reports
Audit
Key Manager
The permission list should be updated to include 'Tag Based Policies' as well (implemented in RANGER-274). Only users with this permission should be able to access 'Tag Based Policies' page and the APIs that work with tag services and policies.

**Proposed Solution :**
A SQL statement need to be added to insert entry of 'Tag Based Policies' module in x_module_master table. In Proposed patch This change will be added only for MySQL db patch '016-updated-schema-for-tag-based-policy.sql'. All other DB flavors has similar statement in respective DB patch file '016-updated-schema-for-tag-based-policy.sql'.

>From UI code I am removing hard coding of displaying 'Tag Based Policies' module and after this patch it will be based on permissions assigned to user on 'Tag Based Policies' module.

**Known issue :** If user is upgrading Ranger from 0.5 to 0.6 and if Permission model patch 'PatchPersmissionModel_J10003' has already been executed during Ranger 0.5 installation, then during Ranger 0.6 installation ''PatchPersmissionModel_J10003' will not be executed and no user will have permission on 'Tag Based Policies'.

**Work Around of above mentioned issue :** Any user having 'Admin' role can assign permission on 'Tag based policy module' to any user from Ranger UI.

Diffs
-----

security-admin/db/mysql/patches/016-updated-schema-for-tag-based-policy.sql ff7fb3f
security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java ae81b22
security-admin/src/main/java/org/apache/ranger/common/RangerConstants.java c65981b
security-admin/src/main/webapp/scripts/utils/XAGlobals.js 31f7fa3
security-admin/src/main/webapp/scripts/utils/XAUtils.js f258a95
security-admin/src/main/webapp/templates/helpers/XAHelpers.js 2b5effe

Diff: https://reviews.apache.org/r/46305/diff/

Testing
-------

**Case-1 : Ranger 0.6 Fresh installation(with patch)**
**Steps Performed :**
1. Installed Ranger 0.6 and started Ranger service.
2. Logged into Ranger UI from 'admin' user. (Permission module had entry of 'Tag Based Policies')
3. Created a 'testuser1' with User role.
4. Added permission for 'admin' and 'testuser1' user in 'Tag Based Policies' module.

**Expected Behaviour :**
1. If 'admin' user refresh the policy manager page and/or relogin to Ranger UI then he should able to see 'Tag Based policies' menu and should able to create Tag Based policies.
2. If 'testuser1' user login to Ranger UI then he should able to see 'Tag Based policies' menu but should not able to create Tag Based policies.

**Actual Behaviour :**
1. After refreshing the policy manager page I was able to see 'Tag Based policies' menu and able to create Tag Based policies.
2. After relogin from 'admin' user I was able to see 'Tag Based policies' menu and able to create Tag Based policies.
3. After login from 'testuser1' I was able to see 'Tag Based policies' menu but was unable to create Tag Based policies.

--------
**Case-2 : Ranger 0.5 to Ranger 0.6(with patch) Upgrade case**

**Steps Performed :**
1. Installed Ranger 0.5 and logged into Ranger admin to check whether permission module is working as per 0.5.
2. Stopped Ranger 0.5 version.
3. Installed Ranger 0.6 version with same db crediantials used for Ranger 0.5 installation.
4. Logged into Ranger UI from 'admin' user. (Permission module had entry of 'Tag Based Policies')
5. Created a 'testuser1' with User role.
6. Added permission for 'admin' and 'testuser1' user in 'Tag Based Policies' module.

Thanks,

Pradeep Agrawal

Re: Review Request 46305: RANGER-710 : Add a permission for 'Tag Based Policies'

Posted by Pradeep Agrawal <pr...@freestoneinfotech.com>.


> On April 17, 2016, 10:06 p.m., Madhan Neethiraj wrote:
> > Can you please review the following usecase result?
> > 
> > >>  2.  If 'testuser1' user login to Ranger UI then he should able to see 'Tag Based policies' menu but should not able to create Tag Based policies.
> > 
> > Since 'testuser1' has been given permission for 'Tag Based Policies' module, why should the user be not able to create 'Tag Based Poiicies'? And what should be done to enable this user to create 'Tag Based Policies'?

Thanks for reviewing the content of use-cases, it should be : 
[If 'testuser1' user login to Ranger UI then he should able to see 'Tag Based policies' menu but should not able to create Tag service.]

I have updated content of use-cases. Please review and let me know if I need to cover any other use cases.


- Pradeep


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/46305/#review129270
-----------------------------------------------------------


On April 18, 2016, 4:51 a.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/46305/
> -----------------------------------------------------------
> 
> (Updated April 18, 2016, 4:51 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-710
>     https://issues.apache.org/jira/browse/RANGER-710
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement :**
> Ranger Admin permission model currently supports the following permissions:
> Resource Based Policies
> Users/Groups
> Reports
> Audit
> Key Manager
> The permission list should be updated to include 'Tag Based Policies' as well (implemented in RANGER-274). Only users with this permission should be able to access 'Tag Based Policies' page and the APIs that work with tag services and policies.
> 
> **Proposed Solution :**
> A SQL statement need to be added to insert entry of 'Tag Based Policies' module in x_module_master table. In Proposed patch This change will be added only for MySQL db patch '016-updated-schema-for-tag-based-policy.sql'. All other DB flavors has similar statement in respective DB patch file '016-updated-schema-for-tag-based-policy.sql'.
> 
> From UI code I am removing hard coding of displaying 'Tag Based Policies' module and after this patch it will be based on permissions assigned to user on 'Tag Based Policies' module.
> 
> 
> **Known issue :** If user is upgrading Ranger from 0.5 to 0.6 and if Permission model patch 'PatchPersmissionModel_J10003' has already been executed during Ranger 0.5 installation, then during Ranger 0.6 installation ''PatchPersmissionModel_J10003' will not be executed and no user will have permission on 'Tag Based Policies'.
> 
> **Work Around of above mentioned issue :** Any user having 'Admin' role can assign permission on 'Tag based policy module' to any user from Ranger UI.
> 
> 
> Diffs
> -----
> 
>   security-admin/db/mysql/patches/016-updated-schema-for-tag-based-policy.sql ff7fb3f 
>   security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java ae81b22 
>   security-admin/src/main/java/org/apache/ranger/common/RangerConstants.java c65981b 
>   security-admin/src/main/webapp/scripts/utils/XAGlobals.js 31f7fa3 
>   security-admin/src/main/webapp/scripts/utils/XAUtils.js f258a95 
>   security-admin/src/main/webapp/templates/helpers/XAHelpers.js 2b5effe 
> 
> Diff: https://reviews.apache.org/r/46305/diff/
> 
> 
> Testing
> -------
> 
> **Case-1 : Ranger 0.6 Fresh installation(with patch)**
> **Steps Performed :**
> 1. Installed Ranger 0.6 and started Ranger service.
> 2. Logged into Ranger UI from 'admin' user. (Permission module had entry of 'Tag Based Policies')
> 3. Created a 'testuser1' with User role.
> 4. Added permission for 'admin' and 'testuser1' user in 'Tag Based Policies' module.
> 
> **Expected Behaviour :**
>  1. If 'admin' user refresh the policy manager page and/or relogin to Ranger UI then he should able to see 'Tag Based policies' menu and should able to create Tag service.
>  2.  If 'testuser1' user login to Ranger UI then he should able to see 'Tag Based policies' menu but should not able to create Tag service.
>  
> **Actual Behaviour :**
> 1. After refreshing the policy manager page I was able to see 'Tag Based policies' menu and able to create Tag service.
> 2. After relogin from 'admin' user I was able to see 'Tag Based policies' menu and able to create Tag service.
> 3. After login from 'testuser1' I was able to see 'Tag Based policies' menu but was unable to create Tag service.
> 
> 
> --------
> **Case-2 : Ranger 0.5 to Ranger 0.6(with patch) Upgrade case**
> 
> **Steps Performed :**
> 1. Installed Ranger 0.5 and logged into Ranger admin to check whether permission module is working as per 0.5.
> 2. Stopped Ranger 0.5 version.
> 3. Installed Ranger 0.6 version with same db crediantials used for Ranger 0.5 installation.
> 4. Logged into Ranger UI from 'admin' user. (Permission module had entry of 'Tag Based Policies')
> 5. Created a 'testuser1' with User role.
> 6. Added permission for 'admin' and 'testuser1' user in 'Tag Based Policies' module.
> 
> **Expected Behaviour :**
>  1. If 'admin' user refresh the policy manager page and/or relogin to Ranger UI then he should able to see 'Tag Based policies' menu and should able to create Tag service.
>  2.  If 'testuser1' user login to Ranger UI then he should able to see 'Tag Based policies' menu but should not able to create Tag service.
>  
> **Actual Behaviour :**
> 1. After refreshing the policy manager page I was able to see 'Tag Based policies' menu and able to create Tag service.
> 2. After relogin from 'admin' user I was able to see 'Tag Based policies' menu and able to create Tag service.
> 3. After login from 'testuser1' I was able to see 'Tag Based policies' menu but was unable to create Tag service.
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>

Re: Review Request 46305: RANGER-710 : Add a permission for 'Tag Based Policies'

Posted by Madhan Neethiraj <ma...@apache.org>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/46305/#review129270
-----------------------------------------------------------



Can you please review the following usecase result?

>>  2.  If 'testuser1' user login to Ranger UI then he should able to see 'Tag Based policies' menu but should not able to create Tag Based policies.

Since 'testuser1' has been given permission for 'Tag Based Policies' module, why should the user be not able to create 'Tag Based Poiicies'? And what should be done to enable this user to create 'Tag Based Policies'?

- Madhan Neethiraj


On April 17, 2016, 7 a.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/46305/
> -----------------------------------------------------------
> 
> (Updated April 17, 2016, 7 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-710
>     https://issues.apache.org/jira/browse/RANGER-710
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement :**
> Ranger Admin permission model currently supports the following permissions:
> Resource Based Policies
> Users/Groups
> Reports
> Audit
> Key Manager
> The permission list should be updated to include 'Tag Based Policies' as well (implemented in RANGER-274). Only users with this permission should be able to access 'Tag Based Policies' page and the APIs that work with tag services and policies.
> 
> **Proposed Solution :**
> A SQL statement need to be added to insert entry of 'Tag Based Policies' module in x_module_master table. In Proposed patch This change will be added only for MySQL db patch '016-updated-schema-for-tag-based-policy.sql'. All other DB flavors has similar statement in respective DB patch file '016-updated-schema-for-tag-based-policy.sql'.
> 
> From UI code I am removing hard coding of displaying 'Tag Based Policies' module and after this patch it will be based on permissions assigned to user on 'Tag Based Policies' module.
> 
> 
> **Known issue :** If user is upgrading Ranger from 0.5 to 0.6 and if Permission model patch 'PatchPersmissionModel_J10003' has already been executed during Ranger 0.5 installation, then during Ranger 0.6 installation ''PatchPersmissionModel_J10003' will not be executed and no user will have permission on 'Tag Based Policies'.
> 
> **Work Around of above mentioned issue :** Any user having 'Admin' role can assign permission on 'Tag based policy module' to any user from Ranger UI.
> 
> 
> Diffs
> -----
> 
>   security-admin/db/mysql/patches/016-updated-schema-for-tag-based-policy.sql ff7fb3f 
>   security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java ae81b22 
>   security-admin/src/main/java/org/apache/ranger/common/RangerConstants.java c65981b 
>   security-admin/src/main/webapp/scripts/utils/XAGlobals.js 31f7fa3 
>   security-admin/src/main/webapp/scripts/utils/XAUtils.js f258a95 
>   security-admin/src/main/webapp/templates/helpers/XAHelpers.js 2b5effe 
> 
> Diff: https://reviews.apache.org/r/46305/diff/
> 
> 
> Testing
> -------
> 
> **Case-1 : Ranger 0.6 Fresh installation(with patch)**
> **Steps Performed :**
> 1. Installed Ranger 0.6 and started Ranger service.
> 2. Logged into Ranger UI from 'admin' user. (Permission module had entry of 'Tag Based Policies')
> 3. Created a 'testuser1' with User role.
> 4. Added permission for 'admin' and 'testuser1' user in 'Tag Based Policies' module.
> 
> **Expected Behaviour :**
>  1. If 'admin' user refresh the policy manager page and/or relogin to Ranger UI then he should able to see 'Tag Based policies' menu and should able to create Tag Based policies.
>  2.  If 'testuser1' user login to Ranger UI then he should able to see 'Tag Based policies' menu but should not able to create Tag Based policies.
>  
> **Actual Behaviour :**
> 1. After refreshing the policy manager page I was able to see 'Tag Based policies' menu and able to create Tag Based policies.
> 2. After relogin from 'admin' user I was able to see 'Tag Based policies' menu and able to create Tag Based policies.
> 3. After login from 'testuser1' I was able to see 'Tag Based policies' menu but was unable to create Tag Based policies.
> 
> 
> --------
> **Case-2 : Ranger 0.5 to Ranger 0.6(with patch) Upgrade case**
> 
> **Steps Performed :**
> 1. Installed Ranger 0.5 and logged into Ranger admin to check whether permission module is working as per 0.5.
> 2. Stopped Ranger 0.5 version.
> 3. Installed Ranger 0.6 version with same db crediantials used for Ranger 0.5 installation.
> 4. Logged into Ranger UI from 'admin' user. (Permission module had entry of 'Tag Based Policies')
> 5. Created a 'testuser1' with User role.
> 6. Added permission for 'admin' and 'testuser1' user in 'Tag Based Policies' module.
> 
> **Expected Behaviour :**
>  1. If 'admin' user refresh the policy manager page and/or relogin to Ranger UI then he should able to see 'Tag Based policies' menu and should able to create Tag Based policies.
>  2.  If 'testuser1' user login to Ranger UI then he should able to see 'Tag Based policies' menu but should not able to create Tag Based policies.
> 
> **Actual Behaviour :**
> 1. After refreshing the policy manager page I was able to see 'Tag Based policies' menu and able to create Tag Based policies.
> 2. After relogin from 'admin' user I was able to see 'Tag Based policies' menu and able to create Tag Based policies.
> 3. After login from 'testuser1' I was able to see 'Tag Based policies' menu but was unable to create Tag Based policies.
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>

Re: Review Request 46305: RANGER-710 : Add a permission for 'Tag Based Policies'

Posted by Madhan Neethiraj <ma...@apache.org>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/46305/#review129289
-----------------------------------------------------------


Ship it!




Ship It!

- Madhan Neethiraj


On April 18, 2016, 4:51 a.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/46305/
> -----------------------------------------------------------
> 
> (Updated April 18, 2016, 4:51 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-710
>     https://issues.apache.org/jira/browse/RANGER-710
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement :**
> Ranger Admin permission model currently supports the following permissions:
> Resource Based Policies
> Users/Groups
> Reports
> Audit
> Key Manager
> The permission list should be updated to include 'Tag Based Policies' as well (implemented in RANGER-274). Only users with this permission should be able to access 'Tag Based Policies' page and the APIs that work with tag services and policies.
> 
> **Proposed Solution :**
> A SQL statement need to be added to insert entry of 'Tag Based Policies' module in x_module_master table. In Proposed patch This change will be added only for MySQL db patch '016-updated-schema-for-tag-based-policy.sql'. All other DB flavors has similar statement in respective DB patch file '016-updated-schema-for-tag-based-policy.sql'.
> 
> From UI code I am removing hard coding of displaying 'Tag Based Policies' module and after this patch it will be based on permissions assigned to user on 'Tag Based Policies' module.
> 
> 
> **Known issue :** If user is upgrading Ranger from 0.5 to 0.6 and if Permission model patch 'PatchPersmissionModel_J10003' has already been executed during Ranger 0.5 installation, then during Ranger 0.6 installation ''PatchPersmissionModel_J10003' will not be executed and no user will have permission on 'Tag Based Policies'.
> 
> **Work Around of above mentioned issue :** Any user having 'Admin' role can assign permission on 'Tag based policy module' to any user from Ranger UI.
> 
> 
> Diffs
> -----
> 
>   security-admin/db/mysql/patches/016-updated-schema-for-tag-based-policy.sql ff7fb3f 
>   security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java ae81b22 
>   security-admin/src/main/java/org/apache/ranger/common/RangerConstants.java c65981b 
>   security-admin/src/main/webapp/scripts/utils/XAGlobals.js 31f7fa3 
>   security-admin/src/main/webapp/scripts/utils/XAUtils.js f258a95 
>   security-admin/src/main/webapp/templates/helpers/XAHelpers.js 2b5effe 
> 
> Diff: https://reviews.apache.org/r/46305/diff/
> 
> 
> Testing
> -------
> 
> **Case-1 : Ranger 0.6 Fresh installation(with patch)**
> **Steps Performed :**
> 1. Installed Ranger 0.6 and started Ranger service.
> 2. Logged into Ranger UI from 'admin' user. (Permission module had entry of 'Tag Based Policies')
> 3. Created a 'testuser1' with User role.
> 4. Added permission for 'admin' and 'testuser1' user in 'Tag Based Policies' module.
> 
> **Expected Behaviour :**
>  1. If 'admin' user refresh the policy manager page and/or relogin to Ranger UI then he should able to see 'Tag Based policies' menu and should able to create Tag service.
>  2.  If 'testuser1' user login to Ranger UI then he should able to see 'Tag Based policies' menu but should not able to create Tag service.
>  
> **Actual Behaviour :**
> 1. After refreshing the policy manager page I was able to see 'Tag Based policies' menu and able to create Tag service.
> 2. After relogin from 'admin' user I was able to see 'Tag Based policies' menu and able to create Tag service.
> 3. After login from 'testuser1' I was able to see 'Tag Based policies' menu but was unable to create Tag service.
> 
> 
> --------
> **Case-2 : Ranger 0.5 to Ranger 0.6(with patch) Upgrade case**
> 
> **Steps Performed :**
> 1. Installed Ranger 0.5 and logged into Ranger admin to check whether permission module is working as per 0.5.
> 2. Stopped Ranger 0.5 version.
> 3. Installed Ranger 0.6 version with same db crediantials used for Ranger 0.5 installation.
> 4. Logged into Ranger UI from 'admin' user. (Permission module had entry of 'Tag Based Policies')
> 5. Created a 'testuser1' with User role.
> 6. Added permission for 'admin' and 'testuser1' user in 'Tag Based Policies' module.
> 
> **Expected Behaviour :**
>  1. If 'admin' user refresh the policy manager page and/or relogin to Ranger UI then he should able to see 'Tag Based policies' menu and should able to create Tag service.
>  2.  If 'testuser1' user login to Ranger UI then he should able to see 'Tag Based policies' menu but should not able to create Tag service.
>  
> **Actual Behaviour :**
> 1. After refreshing the policy manager page I was able to see 'Tag Based policies' menu and able to create Tag service.
> 2. After relogin from 'admin' user I was able to see 'Tag Based policies' menu and able to create Tag service.
> 3. After login from 'testuser1' I was able to see 'Tag Based policies' menu but was unable to create Tag service.
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>

Re: Review Request 46305: RANGER-710 : Add a permission for 'Tag Based Policies'

Posted by Pradeep Agrawal <pr...@freestoneinfotech.com>.

(Updated April 18, 2016, 4:51 a.m.)

Review request for ranger, Alok Lal, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.

Changes
-------

Addressed review comments and Updated Content of UseCases

Bugs: RANGER-710
https://issues.apache.org/jira/browse/RANGER-710

Repository: ranger

Description
-------

>From UI code I am removing hard coding of displaying 'Tag Based Policies' module and after this patch it will be based on permissions assigned to user on 'Tag Based Policies' module.

**Work Around of above mentioned issue :** Any user having 'Admin' role can assign permission on 'Tag based policy module' to any user from Ranger UI.

Diffs
-----

Diff: https://reviews.apache.org/r/46305/diff/

Testing (updated)
-------

**Expected Behaviour :**
1. If 'admin' user refresh the policy manager page and/or relogin to Ranger UI then he should able to see 'Tag Based policies' menu and should able to create Tag service.
2. If 'testuser1' user login to Ranger UI then he should able to see 'Tag Based policies' menu but should not able to create Tag service.

**Actual Behaviour :**
1. After refreshing the policy manager page I was able to see 'Tag Based policies' menu and able to create Tag service.
2. After relogin from 'admin' user I was able to see 'Tag Based policies' menu and able to create Tag service.
3. After login from 'testuser1' I was able to see 'Tag Based policies' menu but was unable to create Tag service.

--------
**Case-2 : Ranger 0.5 to Ranger 0.6(with patch) Upgrade case**

**Expected Behaviour :**
1. If 'admin' user refresh the policy manager page and/or relogin to Ranger UI then he should able to see 'Tag Based policies' menu and should able to create Tag service.
2. If 'testuser1' user login to Ranger UI then he should able to see 'Tag Based policies' menu but should not able to create Tag service.

Thanks,

Pradeep Agrawal