-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56094/#review190442
-----------------------------------------------------------

+ preprocessPolicyItems(policy.getDataMaskPolicyItems(), impliedAccessGrants, + RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW); + preprocessPolicyItems(policy.getRowFilterPolicyItems(), impliedAccessGrants, + RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);

These do not have the correct RangerPolicyItemEvaluator int.

- Colm O hEigeartaigh


On Jan. 30, 2017, 7:47 p.m., Yan Zhou wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56094/
> -----------------------------------------------------------
>
> (Updated Jan. 30, 2017, 7:47 p.m.)
>
>
> Review request for ranger.
>
>
> Repository: ranger
>
>
> Description
> -------
>
> When a user is denied, or excluded from "allowed", the use of "admin-queue",
> but is allowed the "submit-app", he is actually unable to submit Yarn jobs at
> all.
>
> The reason is found to be that the "implied grants" are indiscriminately
> incorporated into allow/deny/allow-exception/deny-exception lists. Actually
> we need to differentiate two types of implications. The first implication is
> "equivalent implication". The second is "unequivalent implication". For the
> "ALL" permission, it is equivalent, meaning that "ALL" implies all the
> implied permissions together, and vice versa. So DENY "ALL" will get rid of
> any and all other permissions from a user. For YARN's implication from
> "queue-admin" to "submit-app", it's not equivalent. While "queue-admin"
> implies "submit-app", it is not the other way around; namely, denying
> "admin-queue" to a user should not deny his "submit-app" permission. Thus the
> "implied grants" should not be incorporated from the allow-exception/deny
> lists if they do not carry the "all" semantics.
>
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ffb9523
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b0d103e
>   agents-common/src/test/resources/policyengine/test_policyengine_yarn.json PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/56094/diff/1/
>
>
> Testing
> -------
>
> Regression, manual, and newly added automated tests.
>
>
> Thanks,
>
> Yan Zhou
>
>
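
Review bot: In the two added preprocessPolicyItems calls quoted at the top of this review, both policy.getDataMaskPolicyItems() and policy.getRowFilterPolicyItems() are passed RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW, so data-mask and row-filter items are preprocessed with the same type as plain allow items. Because the description makes implied-grant expansion depend on which list an item belongs to, pass the type constant that matches each list, or add a comment stating that treating both lists as ALLOW is intended, and cover a data-mask and a row-filter policy in the new tests.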
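
The distinction drawn in the quoted description, between equivalent and one-way implied grants, shown as an added Java example that is not part of this review or of Ranger's code. The class, enum and method names are hypothetical, the service definition is constructed, and treating only "all" as an equivalent implication is an assumption.

```java
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Added illustration; hypothetical names, not Ranger's evaluator code.
public class ImpliedGrantDemo {
    enum ItemType { ALLOW, DENY, ALLOW_EXCEPTION, DENY_EXCEPTION }

    // Constructed YARN-like definition: access type -> access types it implies.
    static final Map<String, Set<String>> IMPLIED = Map.of(
        "all", Set.of("submit-app", "admin-queue"),
        "admin-queue", Set.of("submit-app"));

    // Assumption: only "all" is an equivalent implication.
    static final Set<String> EQUIVALENT = Set.of("all");

    // differentiate=false models the indiscriminate expansion the description reports.
    static Set<String> expand(Set<String> accesses, ItemType type, boolean differentiate) {
        boolean restricting = type == ItemType.DENY || type == ItemType.ALLOW_EXCEPTION;
        Set<String> out = new TreeSet<>(accesses);
        for (String access : accesses) {
            if (differentiate && restricting && !EQUIVALENT.contains(access)) {
                continue; // a one-way implication must not widen a deny or allow-exception
            }
            out.addAll(IMPLIED.getOrDefault(access, Set.of()));
        }
        return out;
    }

    // Deny is evaluated before allow; exception lists are left out to keep the case small.
    static boolean isAllowed(String access, Set<String> allow, Set<String> deny, boolean differentiate) {
        if (expand(deny, ItemType.DENY, differentiate).contains(access)) {
            return false;
        }
        return expand(allow, ItemType.ALLOW, differentiate).contains(access);
    }

    public static void main(String[] args) {
        Set<String> allow = Set.of("submit-app");
        Set<String> denyAdmin = Set.of("admin-queue");
        System.out.println("indiscriminate, submit-app: " + isAllowed("submit-app", allow, denyAdmin, false));
        System.out.println("differentiated, submit-app: " + isAllowed("submit-app", allow, denyAdmin, true));
        System.out.println("differentiated, admin-queue: " + isAllowed("admin-queue", allow, denyAdmin, true));
        System.out.println("differentiated, deny all: " + isAllowed("submit-app", allow, Set.of("all"), true));
    }
}
```

With differentiate set to false, the deny on "admin-queue" is expanded to "submit-app" and the user loses the ability to submit jobs, which is the behaviour the description reports.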
