Posted to dev@ranger.apache.org by Alok Lal <al...@hortonworks.com> on 2015/06/17 09:06:28 UTC
Review Request 35552: Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35552/
-----------------------------------------------------------
Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.
Bugs: RANGER-558
https://issues.apache.org/jira/browse/RANGER-558
Repository: ranger
Description
-------
Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit
Diffs
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java 82a18fc
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java e1326ea
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 030cd87
hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java 006629b
hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java e64c5af
Diff: https://reviews.apache.org/r/35552/diff/
Testing
-------
Manual testing at table/family for scan/get/put/delete.
Thanks,
Alok Lal
Re: Review Request 35552: Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit
Posted by Alok Lal <al...@hortonworks.com>.
> On June 17, 2015, 12:35 p.m., Abhay Kulkarni wrote:
> > hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java, line 377
> > <https://reviews.apache.org/r/35552/diff/2/?file=986543#file986543line377>
> >
> > setResourceMatchingScope() ?
This class is using fluid api.
- Alok
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35552/#review88267
-----------------------------------------------------------
On June 17, 2015, 12:55 p.m., Alok Lal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35552/
> -----------------------------------------------------------
>
> (Updated June 17, 2015, 12:55 p.m.)
>
>
> Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.
>
>
> Bugs: RANGER-558
> https://issues.apache.org/jira/browse/RANGER-558
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java 82a18fc
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java e1326ea
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 030cd87
>
> Diff: https://reviews.apache.org/r/35552/diff/
>
>
> Testing
> -------
>
> Manual testing at table/family for scan/get/put/delete.
>
>
> Thanks,
>
> Alok Lal
>
>
Re: Review Request 35552: Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35552/#review88267
-----------------------------------------------------------
Ship it!
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java (line 53)
<https://reviews.apache.org/r/35552/#comment140694>
spelling?
hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java (line 377)
<https://reviews.apache.org/r/35552/#comment140695>
setResourceMatchingScope() ?
- Abhay Kulkarni
On June 17, 2015, 6:11 p.m., Alok Lal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35552/
> -----------------------------------------------------------
>
> (Updated June 17, 2015, 6:11 p.m.)
>
>
> Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.
>
>
> Bugs: RANGER-558
> https://issues.apache.org/jira/browse/RANGER-558
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java 82a18fc
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java e1326ea
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 030cd87
> hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java 006629b
> hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java e64c5af
>
> Diff: https://reviews.apache.org/r/35552/diff/
>
>
> Testing
> -------
>
> Manual testing at table/family for scan/get/put/delete.
>
>
> Thanks,
>
> Alok Lal
>
>
Re: Review Request 35552: Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35552/#review88288
-----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java (line 55)
<https://reviews.apache.org/r/35552/#comment140732>
How is SELF_OR_CHILDREN different from SELF_OR_DESCENDANTS? Is it about the depth of the child nodes? If yes, please review use of the scope in RangerDefaultPolicyEvaluator - to make sure that attemptHeadMatch is set to true for both these values.
If SELF_OR_CHILDREN is not used, perhaps it will be simple to just remove it.
- Madhan Neethiraj
On June 17, 2015, 7:55 p.m., Alok Lal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35552/
> -----------------------------------------------------------
>
> (Updated June 17, 2015, 7:55 p.m.)
>
>
> Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.
>
>
> Bugs: RANGER-558
> https://issues.apache.org/jira/browse/RANGER-558
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java 82a18fc
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java e1326ea
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 030cd87
>
> Diff: https://reviews.apache.org/r/35552/diff/
>
>
> Testing
> -------
>
> Manual testing at table/family for scan/get/put/delete.
>
>
> Thanks,
>
> Alok Lal
>
>
Re: Review Request 35552: Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit
Posted by Alok Lal <al...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35552/
-----------------------------------------------------------
(Updated June 17, 2015, 12:55 p.m.)
Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.
Changes
-------
Spelling corrected per Abhay's review comment.
Bugs: RANGER-558
https://issues.apache.org/jira/browse/RANGER-558
Repository: ranger
Description
-------
Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java 82a18fc
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java e1326ea
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 030cd87
Diff: https://reviews.apache.org/r/35552/diff/
Testing
-------
Manual testing at table/family for scan/get/put/delete.
Thanks,
Alok Lal
Re: Review Request 35552: Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit
Posted by Alok Lal <al...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35552/
-----------------------------------------------------------
(Updated June 17, 2015, 11:11 a.m.)
Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.
Changes
-------
Rework comments addressed.
Bugs: RANGER-558
https://issues.apache.org/jira/browse/RANGER-558
Repository: ranger
Description
-------
Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java 82a18fc
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java e1326ea
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 030cd87
hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java 006629b
hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java e64c5af
Diff: https://reviews.apache.org/r/35552/diff/
Testing
-------
Manual testing at table/family for scan/get/put/delete.
Thanks,
Alok Lal
Re: Review Request 35552: Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35552/#review88233
-----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java (line 53)
<https://reviews.apache.org/r/35552/#comment140646>
I think it will be better to have this flag in RangerAccessResource, instead of RangerAccessRequest. Something like RangerAccessResource.getScope():
- valid values: SELF, ANY_CHILD (to start with)
- default value: SELF (to be set in RangerAccessResourceImpl)
With this in place, Hive check for child-level access (USE database scenario), can be updated to use this mechanism.
- Madhan Neethiraj
On June 17, 2015, 7:06 a.m., Alok Lal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35552/
> -----------------------------------------------------------
>
> (Updated June 17, 2015, 7:06 a.m.)
>
>
> Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.
>
>
> Bugs: RANGER-558
> https://issues.apache.org/jira/browse/RANGER-558
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java 82a18fc
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java e1326ea
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 030cd87
> hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java 006629b
> hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java e64c5af
>
> Diff: https://reviews.apache.org/r/35552/diff/
>
>
> Testing
> -------
>
> Manual testing at table/family for scan/get/put/delete.
>
>
> Thanks,
>
> Alok Lal
>
>
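The behaviour requested in the review description, together with the resource-matching scope discussed in the comments, as an added Java example that is not Ranger's code and not part of the patch under review. Only the scope names SELF and SELF_OR_DESCENDANTS come from the thread; the Policy record, matches(), authorizeRead(), the matching rules and the sample policies are assumptions (Java 16+ for records).

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration, not Ranger code: policy model and matching rules are assumptions.
public class ScopeMatchDemo {
    enum Scope { SELF, SELF_OR_DESCENDANTS }   // value names taken from the review thread

    // Grants READ to `user` on table[/family[/column]]; null = level not specified.
    record Policy(String user, String table, String family, String column) {}

    static final List<String> AUDIT = new ArrayList<>();

    static boolean matches(Policy p, String table, String family, Scope scope) {
        if (!p.table().equals(table)) return false;
        // A policy on a different family is neither the resource nor under it.
        if (family != null && p.family() != null && !p.family().equals(family)) return false;
        // Descendant scope: any policy at or below the requested resource is enough.
        if (scope == Scope.SELF_OR_DESCENDANTS) return true;
        // SELF: the policy must cover the whole requested resource.
        return p.family() == null || (family != null && p.column() == null);
    }

    // Audits every decision and throws when no policy matches.
    static void authorizeRead(List<Policy> policies, String user,
                              String table, String family, Scope scope) {
        boolean allowed = policies.stream()
                .anyMatch(p -> p.user().equals(user) && matches(p, table, family, scope));
        String resource = family == null ? table : table + "/" + family;
        AUDIT.add((allowed ? "ALLOWED " : "DENIED  ") + user + " READ " + resource + " " + scope);
        if (!allowed) throw new SecurityException(user + " lacks READ on or under " + resource);
    }

    public static void main(String[] args) {
        // Constructed policies: alice may read one column, bob the whole table.
        List<Policy> policies = List.of(
                new Policy("alice", "orders", "pii", "email"),
                new Policy("bob", "orders", null, null));
        String[][] scans = { {"alice", null}, {"alice", "pii"}, {"alice", "meta"},
                             {"bob", "meta"}, {"carol", null} };
        for (String[] s : scans) {
            for (Scope scope : Scope.values()) {
                try {
                    authorizeRead(policies, s[0], "orders", s[1], scope);
                } catch (SecurityException e) {
                    // The denial is already recorded in AUDIT.
                }
            }
        }
        AUDIT.forEach(System.out::println);
    }
}
```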