Posted to dev@ranger.apache.org by Ramesh Mani <rm...@hortonworks.com> on 2021/01/27 21:19:50 UTC

Re: Review Request 71899: RANGER-2640:Implement SHOW ROLE GRANT in Hive ranger plugin

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71899/
-----------------------------------------------------------

(Updated Jan. 27, 2021, 9:19 p.m.)


Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.


Changes
-------

Fixed review comments and revised patch to introduce configuration parameter "service admins" to authorize show role calls.


Bugs: RANGER-2640
    https://issues.apache.org/jira/browse/RANGER-2640


Repository: ranger


Description
-------

RANGER-2640:Implement SHOW ROLE GRANT in Hive ranger plugin


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java 7b34f77da 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 71f8daeb5 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 4e0c98e9e 
  agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 81b1971a8 
  agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java fda57f947 
  agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java 0268e2f30 
  hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 5bd5c2da4 
  hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java e06f1357f 


Diff: https://reviews.apache.org/r/71899/diff/2/

Changes: https://reviews.apache.org/r/71899/diff/1-2/


Testing (updated)
-------

- Verified in Local VM.
- Show Role Grant <user|group|role> <principal> implementation. 
- Revised that patch to handle the ROLE fetch from plugin instead of getting it from Ranger admin via rest.
- Introduced service configuration "ranger.plugin.service.admins" to maintain list of service admins who can run "show role" commands in hive.
- Introduced api isServiceAdmin() in RangerBasePlugin to check if the user is service admin. This will enable other plugins to use similar service admin check for any ROLE based command authorization check.


Thanks,

Ramesh Mani


Re: Review Request 71899: RANGER-2640:Implement SHOW ROLE GRANT in Hive ranger plugin

Posted by Ramesh Mani <rm...@hortonworks.com>.

> On Feb. 5, 2021, 7:20 p.m., Abhay Kulkarni wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
> > Lines 36 (patched)
> > <https://reviews.apache.org/r/71899/diff/2/?file=2245598#file2245598line36>
> >
> >     Why is this needed? Authorization request will typically contain only user/groups. Ranger role-names need to be derived only from these two.

show role grant role <rolename> needs the role mapping to display the roles.


- Ramesh


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71899/#review222568
-----------------------------------------------------------


On Jan. 27, 2021, 9:19 p.m., Ramesh Mani wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71899/
> -----------------------------------------------------------
> 
> (Updated Jan. 27, 2021, 9:19 p.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2640
>     https://issues.apache.org/jira/browse/RANGER-2640
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RANGER-2640:Implement SHOW ROLE GRANT in Hive ranger plugin
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java 3e35709aa 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 71f8daeb5 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 5ffd38f98 
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 81b1971a8 
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 115a576e0 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java 0268e2f30 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java e145ea299 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java e06f1357f 
> 
> 
> Diff: https://reviews.apache.org/r/71899/diff/3/
> 
> 
> Testing
> -------
> 
> - Verified in Local VM.
> - Show Role Grant <user|group|role> <principal> implementation. 
> - Revised that patch to handle the ROLE fetch from plugin instead of getting it from Ranger admin via rest.
> - Introduced service configuration "ranger.plugin.service.admins" to maintain list of service admins who can run "show role" commands in hive.
> - Introduced api isServiceAdmin() in RangerBasePlugin to check if the user is service admin. This will enable other plugins to use similar service admin check for any ROLE based command authorization check.
> 
> 
> Thanks,
> 
> Ramesh Mani
> 
>


Re: Review Request 71899: RANGER-2640:Implement SHOW ROLE GRANT in Hive ranger plugin

Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71899/#review222568
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
Lines 77 (patched)
<https://reviews.apache.org/r/71899/#comment311683>

    Please consider if exposing the internals such as pluginContext can be avoided, by providing the required functionality through parameters (such as user-type).



agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java
Lines 36 (patched)
<https://reviews.apache.org/r/71899/#comment311685>

    Why is this needed? Authorization request will typically contain only user/groups. Ranger role-names need to be derived only from these two.



hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 3022 (patched)
<https://reviews.apache.org/r/71899/#comment311684>

    Please consider if this API can be provided directly by the Hive plugin. Doing so will help in keeping the plugin internals hidden from the authorizer code.


- Abhay Kulkarni


On Jan. 27, 2021, 9:19 p.m., Ramesh Mani wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71899/
> -----------------------------------------------------------
> 
> (Updated Jan. 27, 2021, 9:19 p.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2640
>     https://issues.apache.org/jira/browse/RANGER-2640
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RANGER-2640:Implement SHOW ROLE GRANT in Hive ranger plugin
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java 7b34f77da 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 71f8daeb5 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 4e0c98e9e 
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 81b1971a8 
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java fda57f947 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java 0268e2f30 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java 5bd5c2da4 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java e06f1357f 
> 
> 
> Diff: https://reviews.apache.org/r/71899/diff/2/
> 
> 
> Testing
> -------
> 
> - Verified in Local VM.
> - Show Role Grant <user|group|role> <principal> implementation. 
> - Revised that patch to handle the ROLE fetch from plugin instead of getting it from Ranger admin via rest.
> - Introduced service configuration "ranger.plugin.service.admins" to maintain list of service admins who can run "show role" commands in hive.
> - Introduced api isServiceAdmin() in RangerBasePlugin to check if the user is service admin. This will enable other plugins to use similar service admin check for any ROLE based command authorization check.
> 
> 
> Thanks,
> 
> Ramesh Mani
> 
>


Re: Review Request 71899: RANGER-2640:Implement SHOW ROLE GRANT in Hive ranger plugin

Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71899/#review223151
-----------------------------------------------------------


Ship it!




Ship It!

- Abhay Kulkarni


On June 5, 2021, 7:48 a.m., Ramesh Mani wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71899/
> -----------------------------------------------------------
> 
> (Updated June 5, 2021, 7:48 a.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2640
>     https://issues.apache.org/jira/browse/RANGER-2640
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RANGER-2640:Implement SHOW ROLE GRANT in Hive ranger plugin
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java 3e35709aa 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 71f8daeb5 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 5ffd38f98 
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 81b1971a8 
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 115a576e0 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java 0268e2f30 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java e145ea299 
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java e06f1357f 
> 
> 
> Diff: https://reviews.apache.org/r/71899/diff/3/
> 
> 
> Testing
> -------
> 
> - Verified in Local VM.
> - Show Role Grant <user|group|role> <principal> implementation. 
> - Revised that patch to handle the ROLE fetch from plugin instead of getting it from Ranger admin via rest.
> - Introduced service configuration "ranger.plugin.service.admins" to maintain list of service admins who can run "show role" commands in hive.
> - Introduced api isServiceAdmin() in RangerBasePlugin to check if the user is service admin. This will enable other plugins to use similar service admin check for any ROLE based command authorization check.
> 
> 
> Thanks,
> 
> Ramesh Mani
> 
>


Re: Review Request 71899: RANGER-2640:Implement SHOW ROLE GRANT in Hive ranger plugin

Posted by Ramesh Mani <rm...@hortonworks.com>.

> On June 15, 2021, 2:21 p.m., Pradeep Agrawal wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
> > Lines 601 (patched)
> > <https://reviews.apache.org/r/71899/diff/3/?file=2250694#file2250694line601>
> >
> >     Can we optimize these two loops?
> >     Probably we can store rangerRoles objects in a hashmap where role name can be key and RangerRole object can be stored as value.
> >     
> >     Later we can just run for loop on principalRoles and refer the created hashmap to compare and populate ret object.
> >     
> >     This may increase space requirement but shall reduce no. of cpu cycles.
> >     
> >     Please review.

Even to create a reference map, a loop through rangerRoles has to happen, so this won't make much of a difference overall.


- Ramesh


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71899/#review223148
-----------------------------------------------------------




Re: Review Request 71899: RANGER-2640:Implement SHOW ROLE GRANT in Hive ranger plugin

Posted by Pradeep Agrawal <pr...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71899/#review223148
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
Lines 601 (patched)
<https://reviews.apache.org/r/71899/#comment312256>

    Can we optimize these two loops?
    Probably we can store rangerRoles objects in a hashmap where role name can be key and RangerRole object can be stored as value.
    
    Later we can just run for loop on principalRoles and refer the created hashmap to compare and populate ret object.
    
    This may increase space requirement but shall reduce no. of cpu cycles.
    
    Please review.


- Pradeep Agrawal




Re: Review Request 71899: RANGER-2640:Implement SHOW ROLE GRANT in Hive ranger plugin

Posted by Ramesh Mani <rm...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71899/
-----------------------------------------------------------

(Updated June 5, 2021, 7:48 a.m.)


Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.


Changes
-------

Fixed review comments


Bugs: RANGER-2640
    https://issues.apache.org/jira/browse/RANGER-2640


Repository: ranger


Description
-------

RANGER-2640:Implement SHOW ROLE GRANT in Hive ranger plugin


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java 3e35709aa 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 71f8daeb5 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 5ffd38f98 
  agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 81b1971a8 
  agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 115a576e0 
  agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java 0268e2f30 
  hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java e145ea299 
  hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizerBase.java e06f1357f 


Diff: https://reviews.apache.org/r/71899/diff/3/

Changes: https://reviews.apache.org/r/71899/diff/2-3/


Testing
-------

- Verified in Local VM.
- Show Role Grant <user|group|role> <principal> implementation. 
- Revised that patch to handle the ROLE fetch from plugin instead of getting it from Ranger admin via rest.
- Introduced service configuration "ranger.plugin.service.admins" to maintain list of service admins who can run "show role" commands in hive.
- Introduced api isServiceAdmin() in RangerBasePlugin to check if the user is service admin. This will enable other plugins to use similar service admin check for any ROLE based command authorization check.


Thanks,

Ramesh Mani
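
The service-admin gate and the name-keyed role lookup discussed in this thread, as an added Java sketch that is not code from the patch or from Ranger. Only the property name "ranger.plugin.service.admins" and the method name isServiceAdmin() come from the thread; the class, the Role stand-in, the comma-separated value format and building the index once per roles refresh are assumptions.

```java
import java.util.*;

/** Added sketch, not Ranger code: every class and method here is hypothetical. */
public class ShowRoleGrantSketch {
    /** Stand-in for a role object; the real RangerRole carries more fields. */
    static final class Role {
        final String name; final String createdBy;
        Role(String name, String createdBy) { this.name = name; this.createdBy = createdBy; }
    }

    private final Set<String> serviceAdmins = new HashSet<>();
    private volatile Map<String, Role> rolesByName = Collections.emptyMap();

    /** adminsCsv: value of "ranger.plugin.service.admins"; comma-separated format is assumed. */
    ShowRoleGrantSketch(String adminsCsv) {
        if (adminsCsv != null) {
            for (String a : adminsCsv.split(",")) {
                if (!a.trim().isEmpty()) serviceAdmins.add(a.trim());
            }
        }
    }

    /** Fail closed: a null user or an empty admin list never passes. */
    boolean isServiceAdmin(String user) {
        return user != null && serviceAdmins.contains(user);
    }

    /** Build the name -> role index once per roles refresh, not once per query. */
    void onRolesRefreshed(Collection<Role> rangerRoles) {
        Map<String, Role> index = new HashMap<>();
        for (Role r : rangerRoles) index.put(r.name, r);
        rolesByName = Collections.unmodifiableMap(index);
    }

    /** Resolve a principal's role names to role objects, after the admin check. */
    List<Role> showRoleGrant(String caller, Set<String> principalRoles) {
        if (!isServiceAdmin(caller)) {
            throw new SecurityException("user is not a service admin: " + caller);
        }
        Map<String, Role> index = rolesByName;   // one consistent snapshot per call
        List<Role> ret = new ArrayList<>();
        for (String roleName : principalRoles) {
            Role r = index.get(roleName);
            if (r != null) ret.add(r);           // skip names with no matching role
        }
        return ret;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        ShowRoleGrantSketch plugin = new ShowRoleGrantSketch("hive, admin1");
        plugin.onRolesRefreshed(Arrays.asList(
            new Role("analyst", "admin1"), new Role("etl", "admin1"), new Role("audit", "admin1")));
        Set<String> principalRoles = new LinkedHashSet<>(Arrays.asList("etl", "audit", "stale"));

        for (Role r : plugin.showRoleGrant("hive", principalRoles)) System.out.println(r.name);
        try {
            plugin.showRoleGrant("mallory", principalRoles);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```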