Posted to dev@ranger.apache.org by Madhan Neethiraj <ma...@apache.org> on 2016/11/02 19:35:37 UTC

Re: Review Request 53043: User has access to a database via tag-based policy - but 'show databases' does not include the database

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53043/#review154606
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java (line 214)
<https://reviews.apache.org/r/53043/#comment224220>

    Assuming that most requests would not have a matching tag, it will be good to not create an ArrayList until it is needed (at line #235).



agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java (line 183)
<https://reviews.apache.org/r/53043/#comment224224>

    The 'if' at line #183 seems unnecessary, as for all tag-requests, matchType needs to be copied from RangerTagAccessRequest.matchType. Please review.



agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java (line 53)
<https://reviews.apache.org/r/53043/#comment224234>

    It will help to add a couple of examples of how this field is used.


- Madhan Neethiraj


On Oct. 28, 2016, 6:37 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53043/
> -----------------------------------------------------------
> 
> (Updated Oct. 28, 2016, 6:37 p.m.)
> 
> 
> Review request for ranger and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-1190
>     https://issues.apache.org/jira/browse/RANGER-1190
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Scenario: A user has some access to a table/column in a database - exclusively via a tag-based policy. For example: 'hr.employee.ssn' column is tagged as PII and user has 'select' access granted on 'PII' tag. User does not have any other access in 'hr' database.
> In this scenario, 'show databases' command in beeline does not include 'hr' database. Since the user has some access into 'hr' database, the user will expect to see 'hr' database in the command result.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 3c342a3 
>   agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java 6873554 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java 637423e 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java 1a6e1b2 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 905262c 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java 7711765 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 899b216 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 84aac1e 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java 3b831c3 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java 00f8f9a 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java 9219450 
>   agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/TestTagEnricher.java 30190ab 
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java cb0af84 
>   agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java PRE-CREATION 
>   agents-common/src/test/resources/contextenricher/test_tagenricher_hive.json 317c651 
>   agents-common/src/test/resources/policyengine/descendant_tags.json PRE-CREATION 
>   agents-common/src/test/resources/policyengine/test_policyengine_conditions.json 2ab2bee 
>   agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json PRE-CREATION 
>   agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json 6c9b966 
>   agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json fab93f6 
>   agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json 443ee53 
>   agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/53043/diff/
> 
> 
> Testing
> -------
> 
> Ran unit tests successfully. Tested with hive-server2 with ranger plugin and Ranger/TagSync/Atlas stack.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>
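
Added example, not part of the e-mail thread and not Ranger code: a simplified model of the scenario in the description, showing why an exact-resource tag lookup hides 'hr' from a 'show databases' style check while a lookup that also considers tagged descendants shows it. All class, method and field names are hypothetical, resources are modelled as dot-separated paths, and the result list is allocated only on the first match, as the first review comment suggests.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Simplified model, not Ranger code: all names here are hypothetical.
public class DescendantTagMatchDemo {
    enum MatchType { NONE, SELF, DESCENDANT }

    // Constructed sample data: tagged resource path -> tag name.
    static final Map<String, String> TAGGED = Map.of("hr.employee.ssn", "PII");

    // How a tagged resource relates to the requested one (dot-separated hierarchy).
    static MatchType matchType(String requested, String tagged) {
        if (tagged.equals(requested)) return MatchType.SELF;
        if (tagged.startsWith(requested + ".")) return MatchType.DESCENDANT;
        return MatchType.NONE;
    }

    // Tags relevant to the request. The list is allocated only on the first match,
    // on the assumption that most requests have no matching tag.
    static List<String> tagsFor(String requested, boolean includeDescendants) {
        List<String> ret = null;
        for (Map.Entry<String, String> e : TAGGED.entrySet()) {
            MatchType m = matchType(requested, e.getKey());
            if (m == MatchType.SELF || (includeDescendants && m == MatchType.DESCENDANT)) {
                if (ret == null) ret = new ArrayList<>();
                ret.add(e.getValue() + ":" + m);
            }
        }
        return ret == null ? List.of() : ret;
    }

    // Visibility check in the style of 'show databases': is the granted tag
    // attached to the database itself or, optionally, to anything beneath it?
    static boolean isVisible(String db, String grantedTag, boolean includeDescendants) {
        for (String t : tagsFor(db, includeDescendants))
            if (t.startsWith(grantedTag + ":")) return true;
        return false;
    }

    public static void main(String[] args) {
        System.out.println(isVisible("hr", "PII", false));    // exact match only
        System.out.println(isVisible("hr", "PII", true));     // descendants considered
        System.out.println(isVisible("sales", "PII", true));  // nothing tagged under it
    }
}
```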