You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by Madhan Neethiraj <ma...@apache.org> on 2020/08/10 15:04:18 UTC
Re: Review Request 72624: RANGER-2876: allow-exception policy-items
are not correctly handled when access-type is '_any'
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72624/#review221082
-----------------------------------------------------------
Fix it, then Ship it!
agents-audit/pom.xml
Line 162 (original)
<https://reviews.apache.org/r/72624/#comment309891>
These dependecies were added in a recent patch - for RANGER-2834. Perhaps these got deleted in this patch by mistake? Can you please rebase?
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
Lines 1128 (patched)
<https://reviews.apache.org/r/72624/#comment310580>
Why is special treatment for access-type "all"? Is this is about "all" in Hive service def? If yes, wouldn't it be okay to treat this as rest of the access-types?
agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
Line 331 (original), 331 (patched)
<https://reviews.apache.org/r/72624/#comment310579>
policyId=3 has only deny and denyException policy-items; it doesn't have any allow. This policy shouldn't result in 'allow', right? It should be 101 or 103. Please review.
agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
Line 291 (original), 291 (patched)
<https://reviews.apache.org/r/72624/#comment310578>
policyId=3 has only deny and denyException policy-items; it doesn't have any allow. This policy shouldn't result in 'allow', right? It should be either 101 or 103. Please review.
pom.xml
Line 48 (original)
<https://reviews.apache.org/r/72624/#comment310567>
Is it necessary to remove this prereq (maven 3.0.1)?
- Madhan Neethiraj
On June 27, 2020, 1:18 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72624/
> -----------------------------------------------------------
>
> (Updated June 27, 2020, 1:18 a.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Ramesh Mani, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2876
> https://issues.apache.org/jira/browse/RANGER-2876
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Ranger plugins use an internal access-type '_any' to when access authorization requires that the accessed resource has some permission for given user/group/role. For a component that supports three access-types viz. 'read', 'write', 'delete', and a policy containing access specification for some resource and some user, such as,
>
> allowed accesses : {'read', 'write', 'delete'}
>
> exceptions to allowed accesses: {'read', 'write'}
>
> the user should be allowed '_any' access to the resource by this policy. Similarly, a policy containing access specification such as
>
> allowed accesses : {'read', 'write'}
>
> exceptions to allowed accesses: {'read', 'write'}
>
> should not make authorization decision for '_any' access.
>
> -----
>
> Fix:
>
> Authorizing "any" access for access-type policies now involves checking if any of the accesses defined in the service-definition allows access using policy-items of the policy being evaluated. If true, the "any" access is authorized; else if none of defined accesses are allowed, then access is explicitly denied, else no authorization decision is made by the policy.
>
>
> Diffs
> -----
>
> agents-audit/pom.xml b30474a9c
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java d75bf46a0
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 90d96d93d
> agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json a2ec460e6
> agents-common/src/test/resources/policyengine/test_policyengine_hive.json ba5a53c30
> agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json 79417a0cb
> agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json 73fe540c7
> pom.xml 5bfd08df2
>
>
> Diff: https://reviews.apache.org/r/72624/diff/1/
>
>
> Testing
> -------
>
> Ensured all existing unit tests are valid. New unit tests are developed, and verified that all unit tests pass.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 72624: RANGER-2876: allow-exception policy-items
are not correctly handled when access-type is '_any'
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
> On Aug. 10, 2020, 3:04 p.m., Madhan Neethiraj wrote:
> > pom.xml
> > Line 48 (original)
> > <https://reviews.apache.org/r/72624/diff/1/?file=2235132#file2235132line48>
> >
> > Is it necessary to remove this prereq (maven 3.0.1)?
This is already take care by RANGER-2916 - by adding the following to the pom.xml :
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<version>1.4.1</version>
<executions>
<execution>
<id>enforce-maven</id>
<goals>
<goal>enforce</goal>
</goals>
<configuration>
<rules>
<requireMavenVersion>
<version>3.0.1</version>
</requireMavenVersion>
</rules>
</configuration>
</execution>
</executions>
</plugin>
- Abhay
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72624/#review221082
-----------------------------------------------------------
On June 27, 2020, 1:18 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72624/
> -----------------------------------------------------------
>
> (Updated June 27, 2020, 1:18 a.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Ramesh Mani, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2876
> https://issues.apache.org/jira/browse/RANGER-2876
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Ranger plugins use an internal access-type '_any' to when access authorization requires that the accessed resource has some permission for given user/group/role. For a component that supports three access-types viz. 'read', 'write', 'delete', and a policy containing access specification for some resource and some user, such as,
>
> allowed accesses : {'read', 'write', 'delete'}
>
> exceptions to allowed accesses: {'read', 'write'}
>
> the user should be allowed '_any' access to the resource by this policy. Similarly, a policy containing access specification such as
>
> allowed accesses : {'read', 'write'}
>
> exceptions to allowed accesses: {'read', 'write'}
>
> should not make authorization decision for '_any' access.
>
> -----
>
> Fix:
>
> Authorizing "any" access for access-type policies now involves checking if any of the accesses defined in the service-definition allows access using policy-items of the policy being evaluated. If true, the "any" access is authorized; else if none of defined accesses are allowed, then access is explicitly denied, else no authorization decision is made by the policy.
>
>
> Diffs
> -----
>
> agents-audit/pom.xml b30474a9c
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java d75bf46a0
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 90d96d93d
> agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json a2ec460e6
> agents-common/src/test/resources/policyengine/test_policyengine_hive.json ba5a53c30
> agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json 79417a0cb
> agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json 73fe540c7
> pom.xml 5bfd08df2
>
>
> Diff: https://reviews.apache.org/r/72624/diff/1/
>
>
> Testing
> -------
>
> Ensured all existing unit tests are valid. New unit tests are developed, and verified that all unit tests pass.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>