-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56640/#review166043
-----------------------------------------------------------

agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java (line 51)
<https://reviews.apache.org/r/56640/#comment237946>

Consider renaming: "getServiceDefForNonrecursivePathResourceMatchers" ==> "cloneServiceDefForResourceFiltering"


agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java (line 370)
<https://reviews.apache.org/r/56640/#comment237947>

Why should serviceDef be given as argument to this method? Shouldn't the serviceDef be set for the resource-matcher via init()? How is the serviceDef in this method parameter different from the one given in init()?

It will help to add examples/usecases for match being attempted here. Especially details of exits from the 'for' loop at line #370.. value of { matchType, ret } at each iteration and at exit.


security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java (line 2151)
<https://reviews.apache.org/r/56640/#comment237952>

Consider abstracting the details of updating resourceName in a method like: updateResourceForFilter(filterResources, serviceDef)


security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java (line 2161)
<https://reviews.apache.org/r/56640/#comment237948>

Instead of hardcoding resource names ("path" and "queue") and delimiters (".", "/"), consider reading these from serviceDef.resources.


- Madhan Neethiraj


On Feb. 16, 2017, 10:45 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56640/
> -----------------------------------------------------------
>
> (Updated Feb. 16, 2017, 10:45 p.m.)
>
>
> Review request for ranger, Madhan Neethiraj and Velmurugan Periasamy.
>
>
> Bugs: RANGER-1383
>     https://issues.apache.org/jira/browse/RANGER-1383
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Ranger admin's REST API supports retrieving and filtering policies for
> resource specified in the provided filter. Currently, a simple string-match
> and wildcard-match is used to filter policies. It is desirable to provide an
> option to use, for filtering purpose, the same resource-matching algorithm
> that is used by the policy engine to search policies that need to be
> evaluated for access determination in the component.
>
> A new option ("resourceMatchScope") will be supported for filtering policies
> in a service. If it is required to filter policies based on
> the resources, then, with this option, Ranger will use resource-matchers for
> filtering policies.
>
> The values supported for "resourceMatchScope" option are:
>
> "self" -> Search for exact match
> "ancestor" -> Search for policies which partially match specified resource.
> If resource is incompletely specified (for example, if
> service-type supports multiple resourcedefs - hive supports database, table,
> column; hbase supports database, column-family, column),
> then unspecified resourcedefs will be considered to have value of "*", which
> matches any value.
> "self_or_ancestor" -> Search for policies which match as "self" or "ancestor"
>
> If resourceMatchScope is specified, but its value is not one of "self",
> "ancestor" or "self_or_ancestor", then value is set to
> "self_or_ancestor".
>
> An example curl command is as follows:
>
> curl -u admin:admin -H "Accept: application/json" -H "Content-Type: application/json" -X GET 'http://localhost:6080/service/plugins/policies/service/name/cl1_hadoop?policyType=0&resource:path=/demo&resourceMatchScope=self_or_ancestor'
>
> This will return all access policies for cl1_hadoop service which match path
> '/demo' or any path that starts with '/demo/'
>
> Similarly, a command
>
> curl -u admin:admin -H "Accept: application/json" -H "Content-Type: application/json" -X GET 'http://localhost:6080/service/plugins/policies/service/name/cl1_hive?policyType=0&resource:udf=demo&resource:database=tmp&resourceMatchScope=self'
>
> will return only policies which have both database=tmp and udf=demo as one of
> their policy values.
>
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java 3cdf40b
>   agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java fa2b940
>   agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java 8a784b4
>   agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java 36a9a27
>   agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 8f6426c
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 15f205a
>   security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 4fb52a4
>
> Diff: https://reviews.apache.org/r/56640/diff/
>
>
> Testing
> -------
>
> Tested with local VM with and without specifying "resourceMatchScope" option
> in the filter-spec.
>
>
> Thanks,
>
> Abhay Kulkarni
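
The "resourceMatchScope" option described in the quoted request, as an added Python example (not code from the review or from Ranger): it builds the query URL the curl commands use and applies the three scopes to a path resource, following the '/demo' case. It assumes policy paths are literal strings with no wildcards or recursion flag; the function names and sample policies are constructed here.

```python
from urllib.parse import urlencode

VALID_SCOPES = ("self", "ancestor", "self_or_ancestor")


def normalize_scope(value):
    """Fallback stated in the request: any other value becomes self_or_ancestor."""
    return value if value in VALID_SCOPES else "self_or_ancestor"


def policy_query(base_url, service, resources, scope, policy_type=0):
    """Build the GET URL in the shape shown by the curl commands (no request is sent)."""
    params = [("policyType", policy_type)]
    params += [("resource:" + name, value) for name, value in resources.items()]
    params.append(("resourceMatchScope", normalize_scope(scope)))
    # Keep ':' and '/' readable, as in the URLs quoted in the description.
    query = urlencode(params, safe=":/")
    return "%s/service/plugins/policies/service/name/%s?%s" % (base_url, service, query)


def filter_policies(policies, wanted_path, scope):
    """Model of the path filter: 'self' is an exact match, 'ancestor' keeps
    policies whose path lies below wanted_path (assumption drawn from the
    '/demo' example; wildcard and recursive matching are not modelled)."""
    scope = normalize_scope(scope)
    prefix = wanted_path.rstrip("/") + "/"
    kept = []
    for name, path in policies:
        is_self = path == wanted_path
        # The trailing '/' keeps '/demographics' from matching '/demo'.
        is_below = path.startswith(prefix)
        if scope == "self":
            match = is_self
        elif scope == "ancestor":
            match = is_below
        else:
            match = is_self or is_below
        if match:
            kept.append(name)
    return kept


# Constructed sample policies as (name, path); not taken from a real service.
SAMPLE = [("p1", "/demo"), ("p2", "/demo/data"),
          ("p3", "/demographics"), ("p4", "/tmp")]
```

The '/demographics' entry is there to show why the prefix test needs the path delimiter: a plain string-prefix check would return a policy for an unrelated directory.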