> On Feb. 22, 2017, 2:16 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java, line 115
> > <https://reviews.apache.org/r/56640/diff/4/?file=1641490#file1641490line115>
> >
> > "ret" is not populated for non-path resources. intentional?

Yes. Caller needs to know if any changes are to be done to filterResources.

> On Feb. 22, 2017, 2:16 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java, line 386
> > <https://reviews.apache.org/r/56640/diff/4/?file=1641491#file1641491line386>
> >
> > "matchType != MatchType.NONE" ==> "isMatch(scope, matchType)"
> > i.e. break from policyResource iteration only on finding the expected
> > match. Line #398 may not be needed after this update.
> >
> > It might be cleaner to replace lines #384 & #386 with a call to
> > isMatch(accessResource, scope, evalContext)

This is not required.

- Abhay

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56640/#review166287
-----------------------------------------------------------

On Feb. 21, 2017, 10:11 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56640/
> -----------------------------------------------------------
>
> (Updated Feb. 21, 2017, 10:11 p.m.)
>
> Review request for ranger, Madhan Neethiraj and Velmurugan Periasamy.
>
> Bugs: RANGER-1383
>     https://issues.apache.org/jira/browse/RANGER-1383
>
> Repository: ranger
>
> Description
> -------
>
> Ranger admin's REST API supports retrieving and filtering policies for
> resource specified in the provided filter. Currently, a simple string-match
> and wildcard-match is used to filter policies. It is desirable to provide an
> option to use, for filtering purpose, the same resource-matching algorithm
> that is used by the policy engine to search policies that need to be
> evaluated for access determination in the component.
>
> A new option ("resourceMatchScope") will be supported for filtering policies
> in a service.
> If it is required to filter policies based on
> the resources, then, with this option, Ranger will use resource-matchers for
> filtering policies.
>
> The values supported for "resourceMatchScope" option are:
>
> "self" -> Search for exact match
> "ancestor" -> Search for policies which partially match specified resource.
>     If resource is incompletely specified (for example, if
>     service-type supports multiple resourcedefs - hive supports database, table,
>     column; hbase supports database, column-family, column),
>     then unspecified resourcedefs will be considered to have value of "*", which
>     matches any value.
> "self_or_ancestor" -> Search for policies which match as "self" or "ancestor"
>
> If resourceMatchScope is specified, but its value is not one of "self",
> "ancestor" or "self_or_ancestor", then value is set to
> "self_or_ancestor".
>
> An example curl command is as follows:
>
> curl -u admin:admin -H "Accept: application/json" -H "Content-Type: application/json" -X GET \
>   'http://localhost:6080/service/plugins/policies/service/name/cl1_hadoop?policyType=0&resource:path=/demo&resourceMatchScope=self_or_ancestor'
>
> This will return all access policies for cl1_hadoop service which match path
> '/demo' or any path that starts with '/demo/'
>
> Similarly, a command
>
> curl -u admin:admin -H "Accept: application/json" -H "Content-Type: application/json" -X GET \
>   'http://localhost:6080/service/plugins/policies/service/name/cl1_hive?policyType=0&resource:udf=demo&resource:database=tmp&resourceMatchScope=self'
>
> will return only policies which have both database=tmp and udf=demo as one of
> their policy values.
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java 3cdf40b
>   agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java fa2b940
>   agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java 8a784b4
>   agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java 36a9a27
>   agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 8f6426c
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 15f205a
>   security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 4fb52a4
>
> Diff: https://reviews.apache.org/r/56640/diff/
>
> Testing
> -------
>
> Tested with local VM with and without specifying "resourceMatchScope" option
> in the filter-spec.
>
> Thanks,
>
> Abhay Kulkarni
>
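
Added example, not part of the review request and not Ranger code: a simplified model of the three "resourceMatchScope" values for path resources, including the fallback for an unrecognized value and the path-boundary case ('/demo' versus '/demo2'). It assumes literal policy paths with no wildcards or recursive flag; the function names and sample policies are hypothetical.

```python
# Simplified model of the "resourceMatchScope" filter for path resources.
# Assumptions (not Ranger code): policy paths are literal strings with no
# wildcards or recursive flag; the policy list below is constructed sample data.

VALID_SCOPES = ("self", "ancestor", "self_or_ancestor")


def normalize_scope(value):
    """Unrecognized values fall back to self_or_ancestor, as the description states."""
    return value if value in VALID_SCOPES else "self_or_ancestor"


def _canon(path):
    """Drop trailing slashes so '/demo/' and '/demo' compare equal; keep root as '/'."""
    return path.rstrip("/") or "/"


def match_type(policy_path, filter_path):
    """Return 'self', 'ancestor' or 'none' for one policy path value."""
    policy, wanted = _canon(policy_path), _canon(filter_path)
    if policy == wanted:
        return "self"
    # Compare on a path-component boundary: '/demo' must not match '/demo2'.
    prefix = wanted if wanted == "/" else wanted + "/"
    if policy.startswith(prefix):
        return "ancestor"  # the filter resource is an ancestor of the policy resource
    return "none"


def filter_policies(policies, filter_path, scope):
    """Names of policies with at least one path value matching in the given scope."""
    scope = normalize_scope(scope)
    accepted = {"self_or_ancestor": {"self", "ancestor"}}.get(scope, {scope})
    return [p["name"] for p in policies
            if any(match_type(v, filter_path) in accepted for v in p["paths"])]


# Constructed sample policies (hypothetical names and paths).
POLICIES = [
    {"name": "demo-root", "paths": ["/demo"]},
    {"name": "demo-data", "paths": ["/demo/data", "/tmp/scratch"]},
    {"name": "demo2", "paths": ["/demo2"]},
    {"name": "finance", "paths": ["/finance"]},
]

if __name__ == "__main__":
    for scope in ("self", "ancestor", "self_or_ancestor", "bogus"):
        print(scope, "->", filter_policies(POLICIES, "/demo", scope))
```

A plain string-prefix comparison would also return the "demo2" policy for a '/demo' filter, which matters when the filtered list is used to audit who has access under a directory.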