-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56640/
-----------------------------------------------------------

(Updated Feb. 16, 2017, 12:16 a.m.)

Review request for ranger, Madhan Neethiraj and Velmurugan Periasamy.

Changes
-------

Reworked algorithm for matching policy against a RangerPolicyResourceMatcher

Bugs: RANGER-1383
    https://issues.apache.org/jira/browse/RANGER-1383

Repository: ranger

Description
-------

Ranger admin's REST API supports retrieving and filtering policies for the resource specified in the provided filter. Currently, a simple string-match and wildcard-match is used to filter policies. It is desirable to provide an option to use, for filtering purposes, the same resource-matching algorithm that is used by the policy engine to search policies that need to be evaluated for access determination in the component.

A new option ("resourceMatchScope") will be supported for filtering policies in a service. If it is required to filter policies based on the resources, then, with this option, Ranger will use resource-matchers for filtering policies.

The values supported for the "resourceMatchScope" option are:

"self" -> Search for exact match
"ancestor" -> Search for policies which partially match the specified resource. If the resource is incompletely specified (for example, if the service-type supports multiple resourcedefs - hive supports database, table, column; hbase supports database, column-family, column), then unspecified resourcedefs will be considered to have the value "*", which matches any value.
"self_or_ancestor" -> Search for policies which match as "self" or "ancestor"

If resourceMatchScope is specified, but its value is not one of "self", "ancestor" or "self_or_ancestor", then the value is set to "self_or_ancestor".

An example curl command is as follows:

curl -u admin:admin -H "Accept: application/json" -H "Content-Type: application/json" -X GET 'http://localhost:6080/service/plugins/policies/service/name/cl1_hadoop?policyType=0&resource:path=/demo&resourceMatchScope=self_or_ancestor'

This will return all access policies for the cl1_hadoop service which match path '/demo' or any path that starts with '/demo/'.

Similarly, the command

curl -u admin:admin -H "Accept: application/json" -H "Content-Type: application/json" -X GET 'http://localhost:6080/service/plugins/policies/service/name/cl1_hive?policyType=0&resource:udf=demo&resource:database=tmp&resourceMatchScope=self'

will return only policies which have both database=tmp and udf=demo as one of their policy values.

Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java 3cdf40b
  agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java fa2b940
  agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java 8a784b4
  agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java 36a9a27
  agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 8f6426c
  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 15f205a
  security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 4fb52a4

Diff: https://reviews.apache.org/r/56640/diff/

Testing
-------

Tested with local VM with and without specifying the "resourceMatchScope" option in the filter-spec.

Thanks,

Abhay Kulkarni
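The following is an added illustration of the "self" / "ancestor" / "self_or_ancestor" filter semantics described in the request, written for this page; it is not Ranger's RangerDefaultPolicyResourceMatcher, and the resourcedef hierarchies, policy records and function names are constructed assumptions. Unspecified filter levels are taken as "*", and a path is modelled as a hierarchy of segments so the hadoop and hive examples run through the same logic.

```python
from fnmatch import fnmatchcase

# Resourcedef hierarchies as the description lists them (constructed for this example).
PATH_DEFS = ("path",)
HIVE_UDF_DEFS = ("database", "udf")

def _levels(resource, defs):
    """One value per hierarchy level; unspecified levels become '*' as the
    description states. A 'path' resource is split so each segment is a level."""
    if defs == PATH_DEFS:
        return [s for s in resource.get("path", "*").strip("/").split("/") if s]
    return [resource.get(d, "*") for d in defs]

def match_scope(policy_resource, filter_resource, defs):
    """Return 'self', 'ancestor' or None for one policy against the filter.
    Policy values may carry wildcards; filter values are literal.
    self:     the policy covers exactly the levels the filter pins.
    ancestor: the pinned levels match and the policy is more specific below
              them, i.e. the filter resource is an ancestor of the policy's."""
    p, f = _levels(policy_resource, defs), _levels(filter_resource, defs)
    n = max(len(p), len(f))
    p, f = p + ["*"] * (n - len(p)), f + ["*"] * (n - len(f))
    more_specific = False
    for pv, fv in zip(p, f):
        if fv == "*":                    # level not pinned by the filter
            more_specific |= pv != "*"
        elif not fnmatchcase(fv, pv):    # pinned level: policy must cover it
            return None
    return "ancestor" if more_specific else "self"

def filter_policies(policies, filter_resource, scope, defs):
    """Apply resourceMatchScope; an unrecognised scope falls back to
    'self_or_ancestor', as the description states. Returns policy names."""
    if scope not in ("self", "ancestor", "self_or_ancestor"):
        scope = "self_or_ancestor"
    wanted = {"self", "ancestor"} if scope == "self_or_ancestor" else {scope}
    return [pol["name"] for pol in policies
            if match_scope(pol["resources"], filter_resource, defs) in wanted]

# Constructed sample policies mirroring the two curl examples above.
HADOOP_POLICIES = [
    {"name": "demo-root", "resources": {"path": "/demo"}},
    {"name": "demo-sub", "resources": {"path": "/demo/reports"}},
    {"name": "demo-glob", "resources": {"path": "/demo*"}},  # wildcard policy value
    {"name": "other", "resources": {"path": "/other"}},
]
HIVE_POLICIES = [
    {"name": "tmp-demo-udf", "resources": {"database": "tmp", "udf": "demo"}},
    {"name": "tmp-any-udf", "resources": {"database": "tmp", "udf": "*"}},
    {"name": "prod-demo-udf", "resources": {"database": "prod", "udf": "demo"}},
]
```

Running `filter_policies(HADOOP_POLICIES, {"path": "/demo"}, "self_or_ancestor", PATH_DEFS)` returns the "/demo" policies plus the one under "/demo/", while a hive filter that pins only database=tmp classifies udf=* as "self" and udf=demo as "ancestor".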