-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56640/
-----------------------------------------------------------

(Updated Feb. 22, 2017, 11:37 p.m.)


Review request for ranger, Madhan Neethiraj and Velmurugan Periasamy.


Changes
-------

Addressed review comments.


Bugs: RANGER-1383
    https://issues.apache.org/jira/browse/RANGER-1383


Repository: ranger


Description
-------

Ranger admin's REST API support retrieving and filtering policies for resource 
specified in the provided filter. Currently, a simple string-match and 
wildcard-match is used to filter policies. It is desirable to provide an option 
to use, for filtering purpose, the same resource-matching algorithm that is 
used by the policy engine to search policies that need to be evaluated for 
access determination in the component.

A new option ("resourceMatchScope") will be supported for filtering policies in 
a service. If it is required to filter policies based on
the resources, then, with this option, Ranger will use resource-matchers for 
filtering policies.

The values supported for "resourceMatchScope" option are:

"self" -> Search for exact match
"ancestor" -> Search for policies which partially match specified resource. If 
resource is incompletely specified (for example, if
service-type supports multiple resourcedefs - hive supports database, table, 
column; hbase supports database, column-family, column),
then unspecified resourcedefs will be considered to have value of "*", which 
matches any value.
"self_or_ancestor" -> Search for policies which match as "self" or "ancestor"

If resourceMatchScope is specified, but its value is not one of "self", 
"ancestor" or "self_or_ancestor", then value is set to
"self_or_ancestor".

An example curl command is as follows:

curl -u admin:admin -H "Accept: application/json" -H "Content-Type: 
application/json" -X GET 
'http://localhost:6080/service/plugins/policies/service/name/cl1_hadoop?policyType=0&resource:path=/demo&resourceMatchScope=self_or_ancestor'

This will return all access policies for cl1_hadoop service which match path 
'/demo' or any path that starts with '/demo/'

Similarly, a command

curl -u admin:admin -H "Accept: application/json" -H "Content-Type: 
application/json" -X GET 
'http://localhost:6080/service/plugins/policies/service/name/cl1_hive?policyType=0&resource:udf=demo&resource:database=tmp&resourceMatchScope=self

will return only policies which have both database=tmp and udf=demo as one of 
their policy values.


Diffs (updated)
-----

  
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
 3cdf40b 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
 fa2b940 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
 8a784b4 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
 300c1f8 
  
agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java
 36a9a27 
  agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 
8f6426c 
  
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcherForPolicy.java
 PRE-CREATION 
  
agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_hdfs_policy.json
 PRE-CREATION 
  
agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher_for_policy.json
 PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
15f205a 
  security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 
4fb52a4 

Diff: https://reviews.apache.org/r/56640/diff/


Testing
-------

Tested with local VM with and without specifying "resourceMatchScope" option in 
the filter-spec.


Thanks,

Abhay Kulkarni

Reply via email to