-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56640/#review166287
-----------------------------------------------------------

agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java (line 62)
<https://reviews.apache.org/r/56640/#comment238209>

    if "matcherClassName" can be null, consider rewriting the condition to:
      RangerPathResourceMatcher.class.getName().equals(matcherClassName)

    Same for line #94 as well.


agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java (line 66)
<https://reviews.apache.org/r/56640/#comment238210>

    "wildcard" ==> RangerAbstractResourceMatcher.OPTION_WILD_CARD


agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java (line 84)
<https://reviews.apache.org/r/56640/#comment238218>

    getFilterResourcesForPolicyFiltering() adds "/*" to path resources - if they don't already end with these (assuming / is the delimiter). This would work only for ANCESTOR matches. Consider renaming this method appropriately.


agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java (line 90)
<https://reviews.apache.org/r/56640/#comment238212>

    Consider moving line #90 inside "if" block at #94.


agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java (line 98)
<https://reviews.apache.org/r/56640/#comment238215>

    "pathSeparatorChar" ==> RangerPathResourceMatcher.OPTION_PATH_SEPARATOR (need to change the visibility of this constant to public)


agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java (line 100)
<https://reviews.apache.org/r/56640/#comment238216>

    "org.apache.hadoop.fs.Path.SEPARATOR_CHAR" ==> RangerPathResourceMatcher.DEFAULT_PATH_SEPARATOR_CHAR


agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java (line 115)
<https://reviews.apache.org/r/56640/#comment238217>

    "ret" is not populated for non-path resources. intentional?


agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java (line 381)
<https://reviews.apache.org/r/56640/#comment238222>

    setValue(name, null) <== should not be needed - looking at the implementation in RangerAccessResourceImpl.setValue()


agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java (line 386)
<https://reviews.apache.org/r/56640/#comment238232>

    "matchType != MatchType.NONE" ==> "isMatch(scope, matchType)"

    i.e. break from policyResource iteration only on finding the expected match. Line #398 may not be needed after this update.

    It might be cleaner to replace lines #384 & #386 with a call to isMatch(accessResource, scope, evalContext)


security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java (line 2202)
<https://reviews.apache.org/r/56640/#comment238235>

    line #2202 can be:
      for (RangerPolicy policy : policies) { ... }

    workList does not seem necessary.


- Madhan Neethiraj


On Feb. 21, 2017, 10:11 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56640/
> -----------------------------------------------------------
>
> (Updated Feb. 21, 2017, 10:11 p.m.)
>
>
> Review request for ranger, Madhan Neethiraj and Velmurugan Periasamy.
>
>
> Bugs: RANGER-1383
>     https://issues.apache.org/jira/browse/RANGER-1383
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Ranger admin's REST API supports retrieving and filtering policies for
> resource specified in the provided filter. Currently, a simple string-match
> and wildcard-match is used to filter policies. It is desirable to provide an
> option to use, for filtering purpose, the same resource-matching algorithm
> that is used by the policy engine to search policies that need to be
> evaluated for access determination in the component.
>
> A new option ("resourceMatchScope") will be supported for filtering policies
> in a service. If it is required to filter policies based on the resources,
> then, with this option, Ranger will use resource-matchers for filtering
> policies.
>
> The values supported for "resourceMatchScope" option are:
>
> "self" -> Search for exact match
> "ancestor" -> Search for policies which partially match specified resource.
>     If resource is incompletely specified (for example, if service-type
>     supports multiple resourcedefs - hive supports database, table, column;
>     hbase supports database, column-family, column), then unspecified
>     resourcedefs will be considered to have value of "*", which matches any
>     value.
> "self_or_ancestor" -> Search for policies which match as "self" or "ancestor"
>
> If resourceMatchScope is specified, but its value is not one of "self",
> "ancestor" or "self_or_ancestor", then value is set to "self_or_ancestor".
>
> An example curl command is as follows:
>
> curl -u admin:admin -H "Accept: application/json" \
>     -H "Content-Type: application/json" -X GET \
>     'http://localhost:6080/service/plugins/policies/service/name/cl1_hadoop?policyType=0&resource:path=/demo&resourceMatchScope=self_or_ancestor'
>
> This will return all access policies for cl1_hadoop service which match path
> '/demo' or any path that starts with '/demo/'
>
> Similarly, a command
>
> curl -u admin:admin -H "Accept: application/json" \
>     -H "Content-Type: application/json" -X GET \
>     'http://localhost:6080/service/plugins/policies/service/name/cl1_hive?policyType=0&resource:udf=demo&resource:database=tmp&resourceMatchScope=self'
>
> will return only policies which have both database=tmp and udf=demo as one of
> their policy values.
>
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java 3cdf40b
>   agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java fa2b940
>   agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java 8a784b4
>   agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java 36a9a27
>   agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 8f6426c
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 15f205a
>   security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 4fb52a4
>
> Diff: https://reviews.apache.org/r/56640/diff/
>
>
> Testing
> -------
>
> Tested with local VM with and without specifying "resourceMatchScope" option
> in the filter-spec.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
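
Added example, not part of the original e-mail and not Ranger's code: a simplified model of the three "resourceMatchScope" values for a path resource, including the fallback of an unrecognized value to "self_or_ancestor" (the broadest scope), as the description states it. Assumptions: policies hold literal paths without wildcards, "/" is the separator, and the function names and sample policies are constructed for illustration.

```python
# Simplified model of "resourceMatchScope" for path resources; not Ranger code.
VALID_SCOPES = {"self", "ancestor", "self_or_ancestor"}
SEP = "/"  # assumed path separator


def normalize_scope(value):
    """Per the description, an unrecognized value becomes "self_or_ancestor"."""
    return value if value in VALID_SCOPES else "self_or_ancestor"


def match_type(policy_path, filter_path):
    """Classify a literal policy path against the path given in the filter."""
    p = policy_path.rstrip(SEP) or SEP
    f = filter_path.rstrip(SEP) or SEP
    if p == f:
        return "self"
    prefix = f if f.endswith(SEP) else f + SEP
    if p.startswith(prefix):
        # The filter path is an ancestor of the policy path ('/demo/...').
        return "ancestor"
    return "none"


def filter_policies(policies, filter_path, scope_value):
    """Return names of policies whose path matches under the requested scope."""
    scope = normalize_scope(scope_value)
    wanted = {"self", "ancestor"} if scope == "self_or_ancestor" else {scope}
    return [name for name, path in policies
            if match_type(path, filter_path) in wanted]


# Constructed sample policies: (name, path).
POLICIES = [
    ("demo-root", "/demo"),
    ("demo-logs", "/demo/logs"),
    ("demo2", "/demo2"),   # shares a string prefix with /demo but is a sibling
    ("tmp", "/tmp"),
]

if __name__ == "__main__":
    # "exact" is not a supported value, so it behaves like "self_or_ancestor".
    for scope in ("self", "ancestor", "self_or_ancestor", "exact"):
        print(scope, filter_policies(POLICIES, "/demo", scope))
```

A caller who mistypes the scope gets the widest result set instead of an error, so scripts that audit policies by exact resource should check the value they send.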