-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56640/
-----------------------------------------------------------
(Updated Feb. 16, 2017, 12:16 a.m.)
Review request for ranger, Madhan Neethiraj and Velmurugan Periasamy.
Changes
-------
Reworked algorithm for matching policy against a RangerPolicyResourceMatcher
Bugs: RANGER-1383
https://issues.apache.org/jira/browse/RANGER-1383
Repository: ranger
Description
-------
Ranger admin's REST API supports retrieving and filtering policies for the resource
specified in the provided filter. Currently, a simple string-match and
wildcard-match is used to filter policies. It is desirable to provide an option
to use, for filtering purposes, the same resource-matching algorithm that the
policy engine uses to find the policies that need to be evaluated for an access
determination in the component.
A new option ("resourceMatchScope") will be supported for filtering policies in
a service. If policies need to be filtered by resource, then, with this option,
Ranger will use resource-matchers for filtering policies.
The values supported for the "resourceMatchScope" option are:
"self" -> Search for an exact match.
"ancestor" -> Search for policies which partially match the specified resource. If
the resource is incompletely specified (for example, if the service-type supports
multiple resourcedefs - hive supports database, table, column; hbase supports
database, column-family, column), then unspecified resourcedefs will be considered
to have the value "*", which matches any value.
"self_or_ancestor" -> Search for policies which match as "self" or "ancestor".
If resourceMatchScope is specified, but its value is not one of "self",
"ancestor" or "self_or_ancestor", then the value is set to "self_or_ancestor".
An example curl command is as follows:
curl -u admin:admin -H "Accept: application/json" -H "Content-Type: application/json" -X GET 'http://localhost:6080/service/plugins/policies/service/name/cl1_hadoop?policyType=0&resource:path=/demo&resourceMatchScope=self_or_ancestor'
This will return all access policies for the cl1_hadoop service which match path
'/demo' or any path that starts with '/demo/'.
Similarly, the command
curl -u admin:admin -H "Accept: application/json" -H "Content-Type: application/json" -X GET 'http://localhost:6080/service/plugins/policies/service/name/cl1_hive?policyType=0&resource:udf=demo&resource:database=tmp&resourceMatchScope=self'
will return only policies which have both database=tmp and udf=demo among
their policy resource values.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java 3cdf40b
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java fa2b940
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java 8a784b4
agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java 36a9a27
agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 8f6426c
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 15f205a
security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 4fb52a4
Diff: https://reviews.apache.org/r/56640/diff/
Testing
-------
Tested on a local VM with and without specifying the "resourceMatchScope" option in
the filter-spec.
Thanks,
Abhay Kulkarni
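The scope semantics described in the review request, as an added example that is not part of the patch or of Ranger's own code: "self" treats an unspecified filter level as "*", and "ancestor" is modelled here only for '/'-separated values such as HDFS paths (an assumption; the policies, names and the fallback behaviour for unknown scope values are constructed from the description).

```python
from fnmatch import fnmatchcase

SCOPES = ("self", "ancestor", "self_or_ancestor")

# Constructed sample policies: each resource level maps to the list of values
# the policy names (policy values may contain glob wildcards such as '*').
POLICIES = [
    {"name": "hdfs-demo", "resources": {"path": ["/demo"]}},
    {"name": "hdfs-demo-data", "resources": {"path": ["/demo/data"]}},
    {"name": "hdfs-demonstration", "resources": {"path": ["/demonstration"]}},
    {"name": "hive-tmp-udf", "resources": {"database": ["tmp"], "udf": ["demo"]}},
    {"name": "hive-tmp-tables", "resources": {"database": ["tmp"], "table": ["*"], "column": ["*"]}},
]


def normalize_scope(scope):
    """Any value other than the three documented ones falls back to self_or_ancestor."""
    return scope if scope in SCOPES else "self_or_ancestor"


def matches_self(policy_resources, filter_resources):
    """'self': every level named in the filter is covered by one of the policy's
    values for that level. Levels absent from the filter (or given as '*') impose
    no constraint; a policy value is applied as a glob against the filter value."""
    for level, wanted in filter_resources.items():
        if wanted == "*":
            continue
        if not any(fnmatchcase(wanted, v) for v in policy_resources.get(level, [])):
            return False
    return True


def matches_ancestor(policy_resources, filter_resources):
    """'ancestor' (assumed model for '/'-separated values): the filter value is a
    strict ancestor of a policy value, as /demo is of /demo/data. The separator
    is part of the prefix, so /demo does not claim /demonstration."""
    constrained = False
    for level, wanted in filter_resources.items():
        if wanted == "*":
            continue
        prefix = wanted.rstrip("/") + "/"
        if not any(v.startswith(prefix) for v in policy_resources.get(level, [])):
            return False
        constrained = True
    return constrained


def filter_policies(policies, filter_resources, scope):
    """Return the names of the policies selected by the filter under the given scope."""
    scope = normalize_scope(scope)
    use_self = scope in ("self", "self_or_ancestor")
    use_ancestor = scope in ("ancestor", "self_or_ancestor")
    return [p["name"] for p in policies
            if (use_self and matches_self(p["resources"], filter_resources))
            or (use_ancestor and matches_ancestor(p["resources"], filter_resources))]
```

With the constructed policies, a filter of path=/demo under self_or_ancestor selects hdfs-demo and hdfs-demo-data but not hdfs-demonstration, and database=tmp, udf=demo under self selects only hive-tmp-udf.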