Posted to dev@ranger.apache.org by "Eckman, Barbara" <Ba...@comcast.com.INVALID> on 2022/07/19 14:35:54 UTC

Re: [EXTERNAL] Re: Review Request 74057: Plugin for Fine-grained Access Control over nested structures

I’m sorry, I’ve always done this sort of thing using GitHub PRs… which code should I change based on your review items? My local copy, choose “fixed” on the review site, and then generate a new patch?


--
Barbara Eckman, Ph.D.
she/her/hers
Distinguished Architect
Enterprise Metadata, Lineage and Access Control
Comcast



From: Madhan Neethiraj <no...@reviews.apache.org> on behalf of Madhan Neethiraj <ma...@apache.org>
Date: Monday, July 18, 2022 at 3:01 AM
To: Madhan Neethiraj <ma...@apache.org>
Cc: Eckman, Barbara <Ba...@cable.comcast.com>, ranger <de...@ranger.apache.org>
Subject: [EXTERNAL] Re: Review Request 74057: Plugin for Fine-grained Access Control over nested structures
This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/74057/


plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructureAuthorizer.java (Diff revision 1, line 210)
https://reviews.apache.org/r/74057/diff/1/?file=2268966#file2268966line210

    RangerAccessResult accessResult = plugin.isAccessAllowed(request);

This call to isAccessAllowed() would return isAllowed=true only when access is allowed for the whole schema. The intent of this method seems to be to return true if the user has the requested access to even only one field in the schema.

To address this, resource-match scope should be set as shown below:

    request.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS);


- Madhan Neethiraj


On July 13th, 2022, 11:03 p.m. UTC, Barbara Eckman wrote:
Review request for ranger and Madhan Neethiraj.
By Barbara Eckman.

Updated July 13, 2022, 11:03 p.m.
Repository: ranger
Description

It would be nice to be able to do fine-grained access control (FGA) over nested structures, e.g., the JSON responses of API calls. This requires the individual attributes in a JSON object to be first-class metadata objects which can be tagged and on which policies can be written. We have built a plugin and the corresponding Apache Atlas metadata structures and tagsync-mapper to support TBAC/RBAC/ABAC FGA over JSON structures. Our instigating use case was FGA over the JSON responses of API calls, but this plugin has potential value anywhere FGA over the individual attributes of nested structures is needed, e.g., JSON messages read from Kafka topics.


Diffs

- plugin-nestedstructure/CONTRIBUTING (PRE-CREATION)
- plugin-nestedstructure/LICENSE (PRE-CREATION)
- plugin-nestedstructure/NOTICE (PRE-CREATION)
- plugin-nestedstructure/README.md (PRE-CREATION)
- plugin-nestedstructure/conf/log4j.properties (PRE-CREATION)
- plugin-nestedstructure/conf/nestedstructure_servicedef.json (PRE-CREATION)
- plugin-nestedstructure/conf/ranger-nestedstructure-audit.xml (PRE-CREATION)
- plugin-nestedstructure/conf/ranger-nestedstructure-policymgr-ssl.xml (PRE-CREATION)
- plugin-nestedstructure/conf/ranger-nestedstructure-security.xml (PRE-CREATION)
- plugin-nestedstructure/pom.xml (PRE-CREATION)
- plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/AccessResult.java (PRE-CREATION)
- plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/DataMasker.java (PRE-CREATION)
- plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/ExampleClient.java (PRE-CREATION)
- plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/FieldLevelAccess.java (PRE-CREATION)
- plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/JsonManipulator.java (PRE-CREATION)
- plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/MaskTypes.java (PRE-CREATION)
- plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/MaskingException.java (PRE-CREATION)
- plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructureAccessType.java (PRE-CREATION)
- plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructureAuthorizer.java (PRE-CREATION)
- plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructure_Resource.java (PRE-CREATION)
- plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructure_Service.java (PRE-CREATION)
- plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/RecordFilterJavaScript.java (PRE-CREATION)
- plugin-nestedstructure/src/test/java/org/apache/ranger/authorization/nestedstructure/authorizer/TestDataMasker.java (PRE-CREATION)
- plugin-nestedstructure/src/test/java/org/apache/ranger/authorization/nestedstructure/authorizer/TestJsonManipulator.java (PRE-CREATION)
- plugin-nestedstructure/src/test/java/org/apache/ranger/authorization/nestedstructure/authorizer/TestRecordFilterJavaScript.java (PRE-CREATION)
- pom.xml (0945f4b1d)
- tagsync/src/main/java/org/apache/ranger/tagsync/nestedstructureplugin/AtlasNestedStructureResourceMapper.java (PRE-CREATION)
- tagsync/src/test/java/org/apache/ranger/tagsync/nestedstructureplugin/ResourceTests.java (PRE-CREATION)

View Diff: https://reviews.apache.org/r/74057/diff/1/
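The review comment above turns on one detail of Ranger's plugin API: a RangerAccessRequestImpl defaults to ResourceMatchingScope.SELF, so a request that names only the schema is matched against policies covering the schema itself, and a policy that grants a single field underneath it does not count. The example below is added here to show the two scopes side by side; it is not code from the review request, the nestedstructure plugin or Ranger. RangerBasePlugin, RangerAccessRequestImpl, RangerAccessResourceImpl, RangerAccessResult and RangerAccessRequest.ResourceMatchingScope are real classes in ranger-plugins-common; the resource names "schema" and "field", the service type "nestedstructure", the app id, the user and group values and the method names canAccessAnyField and canAccessField are assumptions for illustration and must be aligned with the actual service definition.

```java
// Added example; not code from the review request, the nestedstructure plugin or Ranger itself.
// Assumes ranger-plugins-common on the classpath and a service definition whose resource
// hierarchy is "schema" -> "field". Those two resource names, the service type
// "nestedstructure", the app id and the method names below are placeholders.
import java.util.Collections;
import java.util.Date;
import java.util.Set;

import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;

public class NestedStructureAccessCheck {
    private final RangerBasePlugin plugin;

    public NestedStructureAccessCheck(RangerBasePlugin plugin) {
        this.plugin = plugin;
    }

    // Builds a request for the given resource; the caller decides the matching scope.
    private static RangerAccessRequestImpl newRequest(String user, Set<String> groups, String accessType,
                                                      RangerAccessResourceImpl resource,
                                                      RangerAccessRequest.ResourceMatchingScope scope) {
        RangerAccessRequestImpl request = new RangerAccessRequestImpl();
        request.setResource(resource);
        request.setAccessType(accessType);
        request.setAction(accessType);
        request.setUser(user);
        request.setUserGroups(groups);
        request.setAccessTime(new Date());
        request.setResourceMatchingScope(scope);
        return request;
    }

    // Answers "may this user perform accessType on at least one field of the schema?".
    // Only the schema value is set on the resource. With the default scope (SELF) the
    // engine matches only policies that cover the schema itself, so a grant on a single
    // field would yield isAllowed=false; SELF_OR_DESCENDANTS also matches policies on
    // any field under the schema, which is the behaviour the review comment asks for.
    public boolean canAccessAnyField(String user, Set<String> groups, String schema, String accessType) {
        RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
        resource.setValue("schema", schema);

        RangerAccessRequestImpl request = newRequest(user, groups, accessType, resource,
                RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS);
        RangerAccessResult result = plugin.isAccessAllowed(request);
        return result != null && result.getIsAllowed();
    }

    // Per-field decision for filtering or masking a record. The full resource path is
    // supplied and the default SELF scope is the right one: the request names the exact
    // field, so the scope must not widen it to anything else.
    public boolean canAccessField(String user, Set<String> groups, String schema, String field,
                                  String accessType) {
        RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
        resource.setValue("schema", schema);
        resource.setValue("field", field);

        RangerAccessRequestImpl request = newRequest(user, groups, accessType, resource,
                RangerAccessRequest.ResourceMatchingScope.SELF);
        RangerAccessResult result = plugin.isAccessAllowed(request);
        return result != null && result.getIsAllowed();
    }

    public static void main(String[] args) {
        // Service type and app id must match the deployed service definition and the
        // ranger-<serviceType>-security.xml on the classpath; both are placeholders here.
        RangerBasePlugin plugin = new RangerBasePlugin("nestedstructure", "nestedstructure-example");
        plugin.init();
        plugin.setResultProcessor(new RangerDefaultAuditHandler());

        NestedStructureAccessCheck check = new NestedStructureAccessCheck(plugin);
        Set<String> groups = Collections.singleton("analysts");   // constructed sample group

        // Gate: it is worth walking the record at all only if some field is readable.
        boolean anyField = check.canAccessAnyField("alice", groups, "customer", "read");
        System.out.println("alice may read some field of customer: " + anyField);

        // Then decide field by field; "customer" and "ssn" are constructed sample values.
        boolean ssn = check.canAccessField("alice", groups, "customer", "ssn", "read");
        System.out.println("alice may read customer.ssn: " + ssn);
    }
}
```

The split into two methods is the point: the wide-scope question ("anything under this schema?") is a cheap gate before a record is walked, while each field that is actually returned or masked must be decided with the exact resource path and the default scope, so that the wide answer never stands in for a per-field decision.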



Re: [EXTERNAL] Re: Review Request 74057: Plugin for Fine-grained Access Control over nested structures

Posted by "Eckman, Barbara" <Ba...@comcast.com.INVALID>.
Thank you!  That makes it clear to me!

--
Barbara Eckman, Ph.D.
she/her/hers
Distinguished Architect
Enterprise Metadata, Lineage and Access Control
Comcast



From: Madhan Neethiraj <ma...@apache.org>
Date: Tuesday, July 19, 2022 at 2:52 PM
To: dev@ranger.apache.org <de...@ranger.apache.org>, Eckman, Barbara <Ba...@cable.comcast.com>
Subject: Re: [EXTERNAL] Re: Review Request 74057: Plugin for Fine-grained Access Control over nested structures
Barbara,



I suggest the following:

1. Update sources in your local git repo to address the review comments and validate
2. Commit the changes in your local git repo
3. If you have multiple commits, squash them into a single commit
4. Create a patch file with command: git format-patch origin/master
5. Update the review with this patch file
   - Click on drop down Update
   - Select Update Diff
   - Click on Select button, upload the patch file
6. Mark the comments as Fixed/Drop; add comments where needed


Hope this helps.



Madhan












Re: [EXTERNAL] Re: Review Request 74057: Plugin for Fine-grained Access Control over nested structures

Posted by Madhan Neethiraj <ma...@apache.org>.
Barbara,

I suggest the following:

1. Update sources in your local git repo to address the review comments and validate
2. Commit the changes in your local git repo
3. If you have multiple commits, squash them into a single commit
4. Create a patch file with command: git format-patch origin/master
5. Update the review with this patch file
   - Click on drop down Update
   - Select Update Diff
   - Click on Select button, upload the patch file
6. Mark the comments as Fixed/Drop; add comments where needed

Hope this helps.

Madhan

 

 

 

 
