You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by Abhay Kulkarni <ak...@hortonworks.com> on 2020/11/21 03:36:17 UTC
Review Request 73032: RANGER-3082: User with delegated-admin is
unable to create policy
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73032/
-----------------------------------------------------------
Review request for ranger and Madhan Neethiraj.
Bugs: RANGER-3082
https://issues.apache.org/jira/browse/RANGER-3082
Repository: ranger
Description
-------
When macros like {USER} are used in resource names, users with delegated-admin are unable to set up policies.
Diffs
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java f3e0dab2f
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java 979488181
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java 8f6facda5
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java 0cb3e0fed
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java a22027a46
Diff: https://reviews.apache.org/r/73032/diff/1/
Testing
-------
Passed all unit tests. Tested by creating delegated-admin policies with {USER} embedded in resource name and ensured the designated user can set up policy with macro in the resource name expanded with designated user's name.
Thanks,
Abhay Kulkarni
Re: Review Request 73032: RANGER-3082: User with delegated-admin is
unable to create policy
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73032/#review222240
-----------------------------------------------------------
Ship it!
Ship It!
- Madhan Neethiraj
On Nov. 25, 2020, 10:52 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73032/
> -----------------------------------------------------------
>
> (Updated Nov. 25, 2020, 10:52 p.m.)
>
>
> Review request for ranger and Madhan Neethiraj.
>
>
> Bugs: RANGER-3082
> https://issues.apache.org/jira/browse/RANGER-3082
>
>
> Repository: ranger
>
>
> Description
> -------
>
> When macros like {USER} are used in resource names, users with delegated-admin are unable to set up policies.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java 3250719de
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java f3e0dab2f
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 14b626df6
> agents-common/src/main/java/org/apache/ranger/plugin/util/WildcardContext.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e011c0bf5
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 6fc0abf4b
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 39869d385
>
>
> Diff: https://reviews.apache.org/r/73032/diff/3/
>
>
> Testing
> -------
>
> Passed all unit tests. Tested by creating delegated-admin policies with {USER} embedded in resource name and ensured the designated user can set up policy with macro in the resource name expanded with designated user's name.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 73032: RANGER-3082: User with delegated-admin is
unable to create policy
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73032/#review222241
-----------------------------------------------------------
Ship it!
Ship It!
- Madhan Neethiraj
On Nov. 26, 2020, 12:44 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73032/
> -----------------------------------------------------------
>
> (Updated Nov. 26, 2020, 12:44 a.m.)
>
>
> Review request for ranger and Madhan Neethiraj.
>
>
> Bugs: RANGER-3082
> https://issues.apache.org/jira/browse/RANGER-3082
>
>
> Repository: ranger
>
>
> Description
> -------
>
> When macros like {USER} are used in resource names, users with delegated-admin are unable to set up policies.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java 3250719de
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java f3e0dab2f
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 14b626df6
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e011c0bf5
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 6fc0abf4b
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 39869d385
>
>
> Diff: https://reviews.apache.org/r/73032/diff/4/
>
>
> Testing
> -------
>
> Passed all unit tests. Tested by creating delegated-admin policies with {USER} embedded in resource name and ensured the designated user can set up policy with macro in the resource name expanded with designated user's name.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 73032: RANGER-3082: User with delegated-admin is
unable to create policy
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73032/
-----------------------------------------------------------
(Updated Nov. 26, 2020, 12:44 a.m.)
Review request for ranger and Madhan Neethiraj.
Changes
-------
Clean up
Bugs: RANGER-3082
https://issues.apache.org/jira/browse/RANGER-3082
Repository: ranger
Description
-------
When macros like {USER} are used in resource names, users with delegated-admin are unable to set up policies.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java 3250719de
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java f3e0dab2f
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 14b626df6
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e011c0bf5
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 6fc0abf4b
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 39869d385
Diff: https://reviews.apache.org/r/73032/diff/4/
Changes: https://reviews.apache.org/r/73032/diff/3-4/
Testing
-------
Passed all unit tests. Tested by creating delegated-admin policies with {USER} embedded in resource name and ensured the designated user can set up policy with macro in the resource name expanded with designated user's name.
Thanks,
Abhay Kulkarni
Re: Review Request 73032: RANGER-3082: User with delegated-admin is
unable to create policy
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73032/
-----------------------------------------------------------
(Updated Nov. 25, 2020, 10:52 p.m.)
Review request for ranger and Madhan Neethiraj.
Changes
-------
Addressed review comments
Bugs: RANGER-3082
https://issues.apache.org/jira/browse/RANGER-3082
Repository: ranger
Description
-------
When macros like {USER} are used in resource names, users with delegated-admin are unable to set up policies.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java 3250719de
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java f3e0dab2f
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 14b626df6
agents-common/src/main/java/org/apache/ranger/plugin/util/WildcardContext.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e011c0bf5
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 6fc0abf4b
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 39869d385
Diff: https://reviews.apache.org/r/73032/diff/3/
Changes: https://reviews.apache.org/r/73032/diff/2-3/
Testing
-------
Passed all unit tests. Tested by creating delegated-admin policies with {USER} embedded in resource name and ensured the designated user can set up policy with macro in the resource name expanded with designated user's name.
Thanks,
Abhay Kulkarni
Re: Review Request 73032: RANGER-3082: User with delegated-admin is
unable to create policy
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73032/#review222239
-----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
Lines 159 (patched)
<https://reviews.apache.org/r/73032/#comment311288>
Consider alternate approach, by creating following context in RangerPolicyAdminImpl, and send to this method:
public class WildcardContext extends HashMap<String, Object> {
private static final String WILDCARD_ASTERISK = "*";
public WildcardContext() {
put(WILDCARD_ASTERISK, WILDCARD_ASTERISK);
}
// always return WILDCARD_ASTERISK
@Override
public Object get(Object key) {
return WILDCARD_ASTERISK;
}
}
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
Lines 3589 (patched)
<https://reviews.apache.org/r/73032/#comment311287>
Consider moving evalContext creation to #3537 i.e. before entering this for-loop.
- Madhan Neethiraj
On Nov. 25, 2020, 7:49 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73032/
> -----------------------------------------------------------
>
> (Updated Nov. 25, 2020, 7:49 p.m.)
>
>
> Review request for ranger and Madhan Neethiraj.
>
>
> Bugs: RANGER-3082
> https://issues.apache.org/jira/browse/RANGER-3082
>
>
> Repository: ranger
>
>
> Description
> -------
>
> When macros like {USER} are used in resource names, users with delegated-admin are unable to set up policies.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java 3250719de
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java f3e0dab2f
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 14b626df6
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java a22027a46
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e011c0bf5
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 6fc0abf4b
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 39869d385
>
>
> Diff: https://reviews.apache.org/r/73032/diff/2/
>
>
> Testing
> -------
>
> Passed all unit tests. Tested by creating delegated-admin policies with {USER} embedded in resource name and ensured the designated user can set up policy with macro in the resource name expanded with designated user's name.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 73032: RANGER-3082: User with delegated-admin is
unable to create policy
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73032/
-----------------------------------------------------------
(Updated Nov. 25, 2020, 7:49 p.m.)
Review request for ranger and Madhan Neethiraj.
Changes
-------
Addressed review comments
Bugs: RANGER-3082
https://issues.apache.org/jira/browse/RANGER-3082
Repository: ranger
Description
-------
When macros like {USER} are used in resource names, users with delegated-admin are unable to set up policies.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java 3250719de
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java f3e0dab2f
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 14b626df6
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java a22027a46
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e011c0bf5
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 6fc0abf4b
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 39869d385
Diff: https://reviews.apache.org/r/73032/diff/2/
Changes: https://reviews.apache.org/r/73032/diff/1-2/
Testing
-------
Passed all unit tests. Tested by creating delegated-admin policies with {USER} embedded in resource name and ensured the designated user can set up policy with macro in the resource name expanded with designated user's name.
Thanks,
Abhay Kulkarni
Re: Review Request 73032: RANGER-3082: User with delegated-admin is
unable to create policy
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73032/#review222221
-----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
Lines 381 (patched)
<https://reviews.apache.org/r/73032/#comment311269>
Consider creating the context in the caller, and send as argument to this method - to avoid creating one in each policy-evaluator.
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
Line 509 (original), 509 (patched)
<https://reviews.apache.org/r/73032/#comment311270>
Consider replacing the macros in 'resources' parameter in the caller - to avoid scanning and replacing values in every isMatch() call.
- Madhan Neethiraj
On Nov. 21, 2020, 3:36 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73032/
> -----------------------------------------------------------
>
> (Updated Nov. 21, 2020, 3:36 a.m.)
>
>
> Review request for ranger and Madhan Neethiraj.
>
>
> Bugs: RANGER-3082
> https://issues.apache.org/jira/browse/RANGER-3082
>
>
> Repository: ranger
>
>
> Description
> -------
>
> When macros like {USER} are used in resource names, users with delegated-admin are unable to set up policies.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java f3e0dab2f
> agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java 979488181
> agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java 8f6facda5
> agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java 0cb3e0fed
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java a22027a46
>
>
> Diff: https://reviews.apache.org/r/73032/diff/1/
>
>
> Testing
> -------
>
> Passed all unit tests. Tested by creating delegated-admin policies with {USER} embedded in resource name and ensured the designated user can set up policy with macro in the resource name expanded with designated user's name.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>