Posted to dev@ranger.apache.org by Alok Lal <al...@hortonworks.com> on 2015/06/17 09:06:28 UTC

Review Request 35552: Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35552/
-----------------------------------------------------------

Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.


Bugs: RANGER-558
    https://issues.apache.org/jira/browse/RANGER-558


Repository: ranger


Description
-------

Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit


Diffs
-----

  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java 82a18fc 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java e1326ea 
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 030cd87 
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java 006629b 
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java e64c5af 

Diff: https://reviews.apache.org/r/35552/diff/


Testing
-------

Manual testing at table/family for scan/get/put/delete.


Thanks,

Alok Lal


Re: Review Request 35552: Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit

Posted by Alok Lal <al...@hortonworks.com>.

> On June 17, 2015, 12:35 p.m., Abhay Kulkarni wrote:
> > hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java, line 377
> > <https://reviews.apache.org/r/35552/diff/2/?file=986543#file986543line377>
> >
> >     setResourceMatchingScope() ?

This class is using fluid api.


- Alok


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35552/#review88267
-----------------------------------------------------------


On June 17, 2015, 12:55 p.m., Alok Lal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35552/
> -----------------------------------------------------------
> 
> (Updated June 17, 2015, 12:55 p.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-558
>     https://issues.apache.org/jira/browse/RANGER-558
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java 82a18fc 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java e1326ea 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 030cd87 
> 
> Diff: https://reviews.apache.org/r/35552/diff/
> 
> 
> Testing
> -------
> 
> Manual testing at table/family for scan/get/put/delete.
> 
> 
> Thanks,
> 
> Alok Lal
> 
>


Re: Review Request 35552: Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit

Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35552/#review88267
-----------------------------------------------------------

Ship it!




agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java (line 53)
<https://reviews.apache.org/r/35552/#comment140694>

    spelling?



hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java (line 377)
<https://reviews.apache.org/r/35552/#comment140695>

    setResourceMatchingScope() ?


- Abhay Kulkarni


On June 17, 2015, 6:11 p.m., Alok Lal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35552/
> -----------------------------------------------------------
> 
> (Updated June 17, 2015, 6:11 p.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-558
>     https://issues.apache.org/jira/browse/RANGER-558
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java 82a18fc 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java e1326ea 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 030cd87 
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java 006629b 
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java e64c5af 
> 
> Diff: https://reviews.apache.org/r/35552/diff/
> 
> 
> Testing
> -------
> 
> Manual testing at table/family for scan/get/put/delete.
> 
> 
> Thanks,
> 
> Alok Lal
> 
>


Re: Review Request 35552: Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35552/#review88288
-----------------------------------------------------------



agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java (line 55)
<https://reviews.apache.org/r/35552/#comment140732>

    How is SELF_OR_CHILDREN different from SELF_OR_DESCENDANTS? Is it about the depth of the child nodes? If yes, please review use of the scope in RangerDefaultPolicyEvaluator - to make sure that attemptHeadMatch is set to true for both these values.
    
    If SELF_OR_CHILDREN is not used, perhaps it will be simple to just remove it.


- Madhan Neethiraj


On June 17, 2015, 7:55 p.m., Alok Lal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35552/
> -----------------------------------------------------------
> 
> (Updated June 17, 2015, 7:55 p.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-558
>     https://issues.apache.org/jira/browse/RANGER-558
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java 82a18fc 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java e1326ea 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 030cd87 
> 
> Diff: https://reviews.apache.org/r/35552/diff/
> 
> 
> Testing
> -------
> 
> Manual testing at table/family for scan/get/put/delete.
> 
> 
> Thanks,
> 
> Alok Lal
> 
>
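
An added illustration, not code from the Ranger patch under review: a simplified model of the check the request description asks for, where a scan/get on a table or family is allowed only if the user holds READ at or somewhere beneath it, and every decision is audited before a denial is thrown. The scope names SELF and SELF_OR_DESCENDANTS come from the thread; the `Policy` record, the method names, the path-prefix matching rule and the sample policies are assumptions constructed for the example.

```java
import java.util.List;

public class ScopeMatchExample {
    // SELF and SELF_OR_DESCENDANTS are named in the thread; all other names are hypothetical.
    enum Scope { SELF, SELF_OR_DESCENDANTS }

    // Constructed policy model: grants `user` READ on the path table[/family[/column]].
    record Policy(String user, List<String> path) {}

    static boolean isPrefix(List<String> shorter, List<String> longer) {
        return shorter.size() <= longer.size()
                && longer.subList(0, shorter.size()).equals(shorter);
    }

    static boolean canRead(List<Policy> policies, String user, List<String> requested, Scope scope) {
        for (Policy p : policies) {
            if (!p.user().equals(user)) continue;
            // Assumption: a grant at or above the requested resource covers it.
            boolean covers = isPrefix(p.path(), requested);
            // The grant sits strictly beneath the requested resource.
            boolean beneath = p.path().size() > requested.size() && isPrefix(requested, p.path());
            if (covers || (scope == Scope.SELF_OR_DESCENDANTS && beneath)) return true;
        }
        return false;
    }

    // Scan/get entry check: write the audit record for every decision, then throw on deny.
    static void authorizeRead(List<Policy> policies, String user, List<String> requested, Scope scope) {
        boolean allowed = canRead(policies, user, requested, scope);
        System.out.printf("AUDIT user=%s resource=%s access=read scope=%s result=%s%n",
                user, String.join("/", requested), scope, allowed ? "ALLOWED" : "DENIED");
        if (!allowed) throw new SecurityException("Insufficient READ permission for user " + user);
    }

    static boolean attempt(List<Policy> policies, String user, List<String> requested, Scope scope) {
        try { authorizeRead(policies, user, requested, scope); return true; }
        catch (SecurityException e) { return false; }
    }

    public static void main(String[] args) {
        List<Policy> policies = List.of(                        // constructed sample policies
                new Policy("alice", List.of("orders", "pii", "email")),
                new Policy("bob", List.of("orders")));
        attempt(policies, "alice", List.of("orders"), Scope.SELF_OR_DESCENDANTS);   // grant lies beneath the table
        attempt(policies, "alice", List.of("orders"), Scope.SELF);                  // same request, exact scope only
        attempt(policies, "bob", List.of("orders", "pii"), Scope.SELF);             // table-level grant above the family
        attempt(policies, "alice", List.of("invoices"), Scope.SELF_OR_DESCENDANTS); // no grant at any level
    }
}
```

Running it shows the difference between the two scopes for the same table-level request, and that a user with no grant anywhere under the table gets an audit record and an exception rather than an empty result.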


Re: Review Request 35552: Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit

Posted by Alok Lal <al...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35552/
-----------------------------------------------------------

(Updated June 17, 2015, 12:55 p.m.)


Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.


Changes
-------

Spelling corrected per Abhay's review comment.


Bugs: RANGER-558
    https://issues.apache.org/jira/browse/RANGER-558


Repository: ranger


Description
-------

Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java 82a18fc 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java e1326ea 
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 030cd87 

Diff: https://reviews.apache.org/r/35552/diff/


Testing
-------

Manual testing at table/family for scan/get/put/delete.


Thanks,

Alok Lal


Re: Review Request 35552: Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit

Posted by Alok Lal <al...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35552/
-----------------------------------------------------------

(Updated June 17, 2015, 11:11 a.m.)


Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.


Changes
-------

Rework comments addressed.


Bugs: RANGER-558
    https://issues.apache.org/jira/browse/RANGER-558


Repository: ranger


Description
-------

Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java 82a18fc 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java e1326ea 
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 030cd87 
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java 006629b 
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java e64c5af 

Diff: https://reviews.apache.org/r/35552/diff/


Testing
-------

Manual testing at table/family for scan/get/put/delete.


Thanks,

Alok Lal


Re: Review Request 35552: Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35552/#review88233
-----------------------------------------------------------



agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java (line 53)
<https://reviews.apache.org/r/35552/#comment140646>

    I think it will be better to have this flag in RangerAccessResource, instead of RangerAccessRequest. Something like RangerAccessResource.getScope():
     - valid values: SELF, ANY_CHILD (to start with)
     - default value: SELF (to be set in RangerAccessResourceImpl)
    
    With this in place, Hive check for child-level access (USE database scenario), can be updated to use this mechanism.


- Madhan Neethiraj


On June 17, 2015, 7:06 a.m., Alok Lal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35552/
> -----------------------------------------------------------
> 
> (Updated June 17, 2015, 7:06 a.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-558
>     https://issues.apache.org/jira/browse/RANGER-558
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java 82a18fc 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java e1326ea 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 030cd87 
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java 006629b 
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java e64c5af 
> 
> Diff: https://reviews.apache.org/r/35552/diff/
> 
> 
> Testing
> -------
> 
> Manual testing at table/family for scan/get/put/delete.
> 
> 
> Thanks,
> 
> Alok Lal
> 
>