You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by Dineshkumar Yadav <di...@outlook.com> on 2020/10/13 16:01:59 UTC
Re: Review Request 72957: RANGER-3036 : Multiple disabled policies
getting created with same resource while import
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72957/
-----------------------------------------------------------
(Updated Oct. 13, 2020, 4:01 p.m.)
Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
Repository: ranger
Description
-------
If updateifexist/mergeIfExist parameter passed while importing the ranger policies then additional policies are created for disabled policy with same resource.
Solution: 1. New disabled policy will be created only if no resource-signature matching policy found in ranger.
2. If policy with same resource-signature found in Ranger then policy get merged or updated according to parameter passed during import.
3. If multiple disabled policy with same resource-signature found the any random policy will be selected for update/merge.
Diffs
-----
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 4ef9abeb8
Diff: https://reviews.apache.org/r/72957/diff/1/
Testing
-------
Tested for below scenario
1. With no disable policy
2. With single disable policy
3. With multiple disable policy
Thanks,
Dineshkumar Yadav
Re: Review Request 72957: RANGER-3036 : Multiple disabled policies
getting created with same resource while import
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72957/#review222035
-----------------------------------------------------------
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
Line 1747 (original), 1747 (patched)
<https://reviews.apache.org/r/72957/#comment311102>
I suggest to consider the following:
- check if 'policiesWithMatchingSignature' has a policy having same name as 'policy'
- if one exists, pick that policy for update
- if not, create a new policy
- Madhan Neethiraj
On Oct. 13, 2020, 4:01 p.m., Dineshkumar Yadav wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72957/
> -----------------------------------------------------------
>
> (Updated Oct. 13, 2020, 4:01 p.m.)
>
>
> Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
>
>
> Repository: ranger
>
>
> Description
> -------
>
> If updateifexist/mergeIfExist parameter passed while importing the ranger policies then additional policies are created for disabled policy with same resource.
>
> Solution: 1. New disabled policy will be created only if no resource-signature matching policy found in ranger.
> 2. If policy with same resource-signature found in Ranger then policy get merged or updated according to parameter passed during import.
> 3. If multiple disabled policy with same resource-signature found the any random policy will be selected for update/merge.
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 4ef9abeb8
>
>
> Diff: https://reviews.apache.org/r/72957/diff/1/
>
>
> Testing
> -------
>
> Tested for below scenario
> 1. With no disable policy
> 2. With single disable policy
> 3. With multiple disable policy
>
>
> Thanks,
>
> Dineshkumar Yadav
>
>
Re: Review Request 72957: RANGER-3036 : Multiple disabled policies
getting created with same resource while import
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72957/#review222172
-----------------------------------------------------------
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
Lines 1699 (patched)
<https://reviews.apache.org/r/72957/#comment311237>
This block is reached if deleteIfExists is set to true when creating a policy and both mergeIfExists and updateIfExists are set to false. It appears that the only effect is that if a policy exists with the same name as policy being created, then the name of the policy being created is modified to ensure that policy creation goes through. Is this what is desired? The policy with matching name seems to be left alone and NOT deleted. Is this a correct use of deleteIfExists flag?
Please elaborate.
- Abhay Kulkarni
On Nov. 6, 2020, 8:49 a.m., Dineshkumar Yadav wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72957/
> -----------------------------------------------------------
>
> (Updated Nov. 6, 2020, 8:49 a.m.)
>
>
> Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3036
> https://issues.apache.org/jira/browse/RANGER-3036
>
>
> Repository: ranger
>
>
> Description
> -------
>
> If updateifexist/mergeIfExist parameter passed while importing the ranger policies then additional policies are created for disabled policy with same resource.
>
> Solution: 1. New disabled policy will be created only if no resource-signature matching policy found in ranger.
> 2. If policy with same resource-signature found in Ranger then policy get merged or updated according to parameter passed during import.
> 3. If multiple disabled policy with same resource-signature found then policy with same name will be picked up for update/merge otherwise randomly one policy will be picked-up for update/merge.
>
> Note: While creating new policy with existing name we appending System.currentTimeMillis() in the name of the policy to get unique name.(current implementation)
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 3baee02fd
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java a1db6004e
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 00ffabedd
> security-admin/src/main/resources/META-INF/jpa_named_queries.xml d608ff849
>
>
> Diff: https://reviews.apache.org/r/72957/diff/4/
>
>
> Testing
> -------
>
> Tested for below scenario
> 1. With no disable policy
> 2. With single disable policy
> 3. With multiple disable policy
> 4. Scenario
> 1. Create enabled policy1 with resource1 and export the policy.
> 2. Disabled the exported policy and try to import it.
> Expected Result new disabled policy should get created.
>
> Test case for flag deleteIfExist
> 1. Create Policy1 with resource /path1 at source cluster.
> 2. Import Policy1 to target cluster new policy get created
> 3. Create disabled policy at target cluster with resource /path1
> 4. Disabled Policy1 at source cluster and then import
> Output : disabled policy deleted and new disabled policy created.
>
> Test case for flag deleteIfExist
> 1. Create Policy1 with resource /path1 at source Cluster and import to target cluster
> 2. Create Policy1 with same service in zone1 at target
> 3. Create disabled policy at target cluster with resource
> 3. Again import the Policy1 from source to target.
>
> Output : unzone Policy1 deleted and new policy1 created.
>
>
> Thanks,
>
> Dineshkumar Yadav
>
>
Re: Review Request 72957: RANGER-3036 : Multiple disabled policies
getting created with same resource while import
Posted by Dineshkumar Yadav <di...@outlook.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72957/
-----------------------------------------------------------
(Updated Nov. 6, 2020, 8:49 a.m.)
Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
Changes
-------
handle code for disabled policy with deleteIfExist flag
Bugs: RANGER-3036
https://issues.apache.org/jira/browse/RANGER-3036
Repository: ranger
Description
-------
If updateifexist/mergeIfExist parameter passed while importing the ranger policies then additional policies are created for disabled policy with same resource.
Solution: 1. New disabled policy will be created only if no resource-signature matching policy found in ranger.
2. If policy with same resource-signature found in Ranger then policy get merged or updated according to parameter passed during import.
3. If multiple disabled policy with same resource-signature found then policy with same name will be picked up for update/merge otherwise randomly one policy will be picked-up for update/merge.
Note: While creating new policy with existing name we appending System.currentTimeMillis() in the name of the policy to get unique name.(current implementation)
Diffs (updated)
-----
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 3baee02fd
security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java a1db6004e
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 00ffabedd
security-admin/src/main/resources/META-INF/jpa_named_queries.xml d608ff849
Diff: https://reviews.apache.org/r/72957/diff/4/
Changes: https://reviews.apache.org/r/72957/diff/3-4/
Testing (updated)
-------
Tested for below scenario
1. With no disable policy
2. With single disable policy
3. With multiple disable policy
4. Scenario
1. Create enabled policy1 with resource1 and export the policy.
2. Disabled the exported policy and try to import it.
Expected Result new disabled policy should get created.
Test case for flag deleteIfExist
1. Create Policy1 with resource /path1 at source cluster.
2. Import Policy1 to target cluster new policy get created
3. Create disabled policy at target cluster with resource /path1
4. Disabled Policy1 at source cluster and then import
Output : disabled policy deleted and new disabled policy created.
Test case for flag deleteIfExist
1. Create Policy1 with resource /path1 at source Cluster and import to target cluster
2. Create Policy1 with same service in zone1 at target
3. Create disabled policy at target cluster with resource
3. Again import the Policy1 from source to target.
Output : unzone Policy1 deleted and new policy1 created.
Thanks,
Dineshkumar Yadav
Re: Review Request 72957: RANGER-3036 : Multiple disabled policies
getting created with same resource while import
Posted by Madhan Neethiraj <ma...@apache.org>.
> On Oct. 23, 2020, 2:05 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
> > Line 1743 (original), 1742 (patched)
> > <https://reviews.apache.org/r/72957/diff/3/?file=2241583#file2241583line1743>
> >
> > Consider the following scenario:
> >
> > Step #1:
> > - at source Ranger, a repo has an enabled policy (say, id=1)
> > - target Ranger doesn't have this repo
> > - export policies in this repo from source Ranger and import into target Ranger
> > - target Ranger will now have the repo with one policy
> >
> >
> > Step #2:
> > - at source Ranger, disable policy (id=1)
> > - export policies from source Ranger and import into target Ranger
> > - a new policy, with status=disabled, will be created at the target Ranger; and earlier policy will continue to be present
> >
> > Ideally import should disable the existing policy, and not create the new policy.
I suggest to consider the following approach in a subsequent patch:
- policy created by import should retain the guid of the source policy
- import should first try to locate an existing policy that matches guid of the policy being imported
- if no policy exists with the same guid, follow the current flow i.e. match for resource-signature, policy-name, ..
- if a policy exists with the same guid, simply replace that policy contents with the policy being imported
- note that this can fail if another policy exists in the target having the same resource signature. In such case, existing policy at target should be removed.
- Madhan
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72957/#review222114
-----------------------------------------------------------
On Oct. 23, 2020, 12:32 p.m., Dineshkumar Yadav wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72957/
> -----------------------------------------------------------
>
> (Updated Oct. 23, 2020, 12:32 p.m.)
>
>
> Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
>
>
> Repository: ranger
>
>
> Description
> -------
>
> If updateifexist/mergeIfExist parameter passed while importing the ranger policies then additional policies are created for disabled policy with same resource.
>
> Solution: 1. New disabled policy will be created only if no resource-signature matching policy found in ranger.
> 2. If policy with same resource-signature found in Ranger then policy get merged or updated according to parameter passed during import.
> 3. If multiple disabled policy with same resource-signature found then policy with same name will be picked up for update/merge otherwise randomly one policy will be picked-up for update/merge.
>
> Note: While creating new policy with existing name we appending System.currentTimeMillis() in the name of the policy to get unique name.(current implementation)
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 4ef9abeb8
>
>
> Diff: https://reviews.apache.org/r/72957/diff/3/
>
>
> Testing
> -------
>
> Tested for below scenario
> 1. With no disable policy
> 2. With single disable policy
> 3. With multiple disable policy
> 4. Scenario
> 1. Create enabled policy1 with resource1 and export the policy.
> 2. Disabled the exported policy and try to import it.
> Expected Result new disabled policy should get created.
>
>
> Thanks,
>
> Dineshkumar Yadav
>
>
Re: Review Request 72957: RANGER-3036 : Multiple disabled policies
getting created with same resource while import
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72957/#review222114
-----------------------------------------------------------
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
Line 1743 (original), 1742 (patched)
<https://reviews.apache.org/r/72957/#comment311182>
Consider the following scenario:
Step #1:
- at source Ranger, a repo has an enabled policy (say, id=1)
- target Ranger doesn't have this repo
- export policies in this repo from source Ranger and import into target Ranger
- target Ranger will now have the repo with one policy
Step #2:
- at source Ranger, disable policy (id=1)
- export policies from source Ranger and import into target Ranger
- a new policy, with status=disabled, will be created at the target Ranger; and earlier policy will continue to be present
Ideally import should disable the existing policy, and not create the new policy.
- Madhan Neethiraj
On Oct. 23, 2020, 12:32 p.m., Dineshkumar Yadav wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72957/
> -----------------------------------------------------------
>
> (Updated Oct. 23, 2020, 12:32 p.m.)
>
>
> Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
>
>
> Repository: ranger
>
>
> Description
> -------
>
> If updateifexist/mergeIfExist parameter passed while importing the ranger policies then additional policies are created for disabled policy with same resource.
>
> Solution: 1. New disabled policy will be created only if no resource-signature matching policy found in ranger.
> 2. If policy with same resource-signature found in Ranger then policy get merged or updated according to parameter passed during import.
> 3. If multiple disabled policy with same resource-signature found then policy with same name will be picked up for update/merge otherwise randomly one policy will be picked-up for update/merge.
>
> Note: While creating new policy with existing name we appending System.currentTimeMillis() in the name of the policy to get unique name.(current implementation)
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 4ef9abeb8
>
>
> Diff: https://reviews.apache.org/r/72957/diff/3/
>
>
> Testing
> -------
>
> Tested for below scenario
> 1. With no disable policy
> 2. With single disable policy
> 3. With multiple disable policy
> 4. Scenario
> 1. Create enabled policy1 with resource1 and export the policy.
> 2. Disabled the exported policy and try to import it.
> Expected Result new disabled policy should get created.
>
>
> Thanks,
>
> Dineshkumar Yadav
>
>
Re: Review Request 72957: RANGER-3036 : Multiple disabled policies
getting created with same resource while import
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72957/#review222116
-----------------------------------------------------------
Ship it!
Ship It!
- Madhan Neethiraj
On Oct. 23, 2020, 12:32 p.m., Dineshkumar Yadav wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72957/
> -----------------------------------------------------------
>
> (Updated Oct. 23, 2020, 12:32 p.m.)
>
>
> Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
>
>
> Repository: ranger
>
>
> Description
> -------
>
> If updateifexist/mergeIfExist parameter passed while importing the ranger policies then additional policies are created for disabled policy with same resource.
>
> Solution: 1. New disabled policy will be created only if no resource-signature matching policy found in ranger.
> 2. If policy with same resource-signature found in Ranger then policy get merged or updated according to parameter passed during import.
> 3. If multiple disabled policy with same resource-signature found then policy with same name will be picked up for update/merge otherwise randomly one policy will be picked-up for update/merge.
>
> Note: While creating new policy with existing name we appending System.currentTimeMillis() in the name of the policy to get unique name.(current implementation)
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 4ef9abeb8
>
>
> Diff: https://reviews.apache.org/r/72957/diff/3/
>
>
> Testing
> -------
>
> Tested for below scenario
> 1. With no disable policy
> 2. With single disable policy
> 3. With multiple disable policy
> 4. Scenario
> 1. Create enabled policy1 with resource1 and export the policy.
> 2. Disabled the exported policy and try to import it.
> Expected Result new disabled policy should get created.
>
>
> Thanks,
>
> Dineshkumar Yadav
>
>
Re: Review Request 72957: RANGER-3036 : Multiple disabled policies
getting created with same resource while import
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72957/#review222113
-----------------------------------------------------------
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
Line 2432 (original), 2451 (patched)
<https://reviews.apache.org/r/72957/#comment311181>
This will result in import operation to create new policy for every disabled policy. Multiple import operations will result in multiple such dupliate policies. This is not desirable.
Also, does Ranger allow multiple policies with the same name?
- Madhan Neethiraj
On Oct. 23, 2020, 12:32 p.m., Dineshkumar Yadav wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72957/
> -----------------------------------------------------------
>
> (Updated Oct. 23, 2020, 12:32 p.m.)
>
>
> Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
>
>
> Repository: ranger
>
>
> Description
> -------
>
> If updateifexist/mergeIfExist parameter passed while importing the ranger policies then additional policies are created for disabled policy with same resource.
>
> Solution: 1. New disabled policy will be created only if no resource-signature matching policy found in ranger.
> 2. If policy with same resource-signature found in Ranger then policy get merged or updated according to parameter passed during import.
> 3. If multiple disabled policy with same resource-signature found then policy with same name will be picked up for update/merge otherwise randomly one policy will be picked-up for update/merge.
>
> Note: While creating new policy with existing name we appending System.currentTimeMillis() in the name of the policy to get unique name.(current implementation)
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 4ef9abeb8
>
>
> Diff: https://reviews.apache.org/r/72957/diff/3/
>
>
> Testing
> -------
>
> Tested for below scenario
> 1. With no disable policy
> 2. With single disable policy
> 3. With multiple disable policy
> 4. Scenario
> 1. Create enabled policy1 with resource1 and export the policy.
> 2. Disabled the exported policy and try to import it.
> Expected Result new disabled policy should get created.
>
>
> Thanks,
>
> Dineshkumar Yadav
>
>
Re: Review Request 72957: RANGER-3036 : Multiple disabled policies
getting created with same resource while import
Posted by Dineshkumar Yadav <di...@outlook.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72957/
-----------------------------------------------------------
(Updated Oct. 23, 2020, 12:32 p.m.)
Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
Changes
-------
change code to handle case: When enabled policy imported with disabled flag getting merged.
Repository: ranger
Description (updated)
-------
If updateifexist/mergeIfExist parameter passed while importing the ranger policies then additional policies are created for disabled policy with same resource.
Solution: 1. New disabled policy will be created only if no resource-signature matching policy found in ranger.
2. If policy with same resource-signature found in Ranger then policy get merged or updated according to parameter passed during import.
3. If multiple disabled policy with same resource-signature found then policy with same name will be picked up for update/merge otherwise randomly one policy will be picked-up for update/merge.
Note: While creating new policy with existing name we appending System.currentTimeMillis() in the name of the policy to get unique name.(current implementation)
Diffs (updated)
-----
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 4ef9abeb8
Diff: https://reviews.apache.org/r/72957/diff/3/
Changes: https://reviews.apache.org/r/72957/diff/2-3/
Testing (updated)
-------
Tested for below scenario
1. With no disable policy
2. With single disable policy
3. With multiple disable policy
4. Scenario
1. Create enabled policy1 with resource1 and export the policy.
2. Disabled the exported policy and try to import it.
Expected Result new disabled policy should get created.
Thanks,
Dineshkumar Yadav
Re: Review Request 72957: RANGER-3036 : Multiple disabled policies
getting created with same resource while import
Posted by Mehul Parikh <xs...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72957/#review222067
-----------------------------------------------------------
Ship it!
Ship It!
- Mehul Parikh
On Oct. 14, 2020, 9:14 a.m., Dineshkumar Yadav wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72957/
> -----------------------------------------------------------
>
> (Updated Oct. 14, 2020, 9:14 a.m.)
>
>
> Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
>
>
> Repository: ranger
>
>
> Description
> -------
>
> If updateifexist/mergeIfExist parameter passed while importing the ranger policies then additional policies are created for disabled policy with same resource.
>
> Solution: 1. New disabled policy will be created only if no resource-signature matching policy found in ranger.
> 2. If policy with same resource-signature found in Ranger then policy get merged or updated according to parameter passed during import.
> 3. If multiple disabled policy with same resource-signature found then policy with same name will be picked up for update/merge otherwise new policy will be created.
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 4ef9abeb8
>
>
> Diff: https://reviews.apache.org/r/72957/diff/2/
>
>
> Testing
> -------
>
> Tested for below scenario
> 1. With no disable policy
> 2. With single disable policy
> 3. With multiple disable policy
>
>
> Thanks,
>
> Dineshkumar Yadav
>
>
Re: Review Request 72957: RANGER-3036 : Multiple disabled policies
getting created with same resource while import
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72957/#review222049
-----------------------------------------------------------
Ship it!
Ship It!
- Madhan Neethiraj
On Oct. 14, 2020, 9:14 a.m., Dineshkumar Yadav wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72957/
> -----------------------------------------------------------
>
> (Updated Oct. 14, 2020, 9:14 a.m.)
>
>
> Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
>
>
> Repository: ranger
>
>
> Description
> -------
>
> If updateifexist/mergeIfExist parameter passed while importing the ranger policies then additional policies are created for disabled policy with same resource.
>
> Solution: 1. New disabled policy will be created only if no resource-signature matching policy found in ranger.
> 2. If policy with same resource-signature found in Ranger then policy get merged or updated according to parameter passed during import.
> 3. If multiple disabled policy with same resource-signature found then policy with same name will be picked up for update/merge otherwise new policy will be created.
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 4ef9abeb8
>
>
> Diff: https://reviews.apache.org/r/72957/diff/2/
>
>
> Testing
> -------
>
> Tested for below scenario
> 1. With no disable policy
> 2. With single disable policy
> 3. With multiple disable policy
>
>
> Thanks,
>
> Dineshkumar Yadav
>
>
Re: Review Request 72957: RANGER-3036 : Multiple disabled policies
getting created with same resource while import
Posted by Dineshkumar Yadav <di...@outlook.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72957/
-----------------------------------------------------------
(Updated Oct. 14, 2020, 9:14 a.m.)
Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
Changes
-------
code changes : considered policy name for selecting from multiple policy with same resource-signature
Repository: ranger
Description (updated)
-------
If updateifexist/mergeIfExist parameter passed while importing the ranger policies then additional policies are created for disabled policy with same resource.
Solution: 1. New disabled policy will be created only if no resource-signature matching policy found in ranger.
2. If policy with same resource-signature found in Ranger then policy get merged or updated according to parameter passed during import.
3. If multiple disabled policy with same resource-signature found then policy with same name will be picked up for update/merge otherwise new policy will be created.
Diffs (updated)
-----
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 4ef9abeb8
Diff: https://reviews.apache.org/r/72957/diff/2/
Changes: https://reviews.apache.org/r/72957/diff/1-2/
Testing
-------
Tested for below scenario
1. With no disable policy
2. With single disable policy
3. With multiple disable policy
Thanks,
Dineshkumar Yadav