> On Nov. 10, 2017, 7:43 a.m., Madhan Neethiraj wrote:
> > I think the special handling of implied grants of "ALL", in deny and 
> > allow-exceptions, would be confusing. Currently Ranger policy model treats 
> > all access-types the same - there is no special treatment for "ALL". Also, 
> > the special handling introduced in this patch would break existing policies 
> > that use "ALL" in deny and allow-exceptions.
> > 
> > I would suggest a couple of options to address the use case:
> >  - update the service-def to remove implied-grant for 'admin-queue'. This 
> > would require explicit grant of 'submit-app' where needed i.e. 
> > 'admin-queue' access would not implicitly allow 'submit-app' access as well
> >  - other option is to have 'impliedGrants' interpreted only by UI and have 
> > policy engine ignore it. In this case, when 'admin-queue' is selected in 
> > the UI, 'submit-app' will automatically be selected - but the user will be 
> > able to de-select 'submit-app' when necessary.

Thanks for the review Madhan. I think the simplest way of handling it is your 
first suggestion - to remove the implied grant. I will create a separate JIRA 
and submit a patch for it.


- Colm


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56094/#review190683
-----------------------------------------------------------


On Jan. 30, 2017, 7:47 p.m., Yan Zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56094/
> -----------------------------------------------------------
> 
> (Updated Jan. 30, 2017, 7:47 p.m.)
> 
> 
> Review request for ranger.
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> When a user is denied, or excluded from "allowed", the use of "admin-queue", 
> but is allowed the "submit-app", he is actually unable to submit Yarn jobs at 
> all.
> 
> The reason is found to be that the "implied grants" are indiscriminately 
> incorporated into allow/deny/allow-exception/deny-exception lists. Actually 
> we need to differentiate two types of implications. The first implication is 
> "equivalent implication". The second is "non-equivalent implication". For the 
> "ALL" permission, it is equivalent, meaning that "ALL" implies all the 
> implied permissions together, and vice versa. So DENY "ALL" will get rid of any 
> and all other permissions from a user. For YARN's implication from 
> "queue-admin" to "submit-app", it's not equivalent. While "queue-admin" 
> implies "submit-app", it is not the other way around; namely that deny 
> "admin-queue" to a user should not deny his "submit-app" permission. Thus the 
> "implied grants" should not be incorporated from the allow-exception/deny 
> lists if they do not carry the "all" semantics.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ffb9523 
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b0d103e 
>   agents-common/src/test/resources/policyengine/test_policyengine_yarn.json PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/56094/diff/1/
> 
> 
> Testing
> -------
> 
> Regression, manual, and newly added automated tests.
> 
> 
> Thanks,
> 
> Yan Zhou
> 
>
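To make the behaviour discussed in this thread concrete, the following is a small Python model of implied-grant expansion added here as an illustration; it is not Apache Ranger code and is not the patch under review. Only the access-type names "admin-queue" and "submit-app" come from the thread; the policy layout, field names, user "alice" and the evaluation order are simplified, constructed assumptions standing in for RangerDefaultPolicyEvaluator. It reproduces the reported outcome (denying or excepting "admin-queue" silently denies "submit-app" once implied grants are expanded into deny and allow-exception lists) and compares it with the patch's proposal and with Madhan's two options.

```python
"""Toy model of implied-grant handling in a Ranger-style policy evaluator.

Constructed example for this thread, not Apache Ranger code. Access types
"admin-queue" and "submit-app" follow the review; policy shape, field names,
the user "alice" and the evaluation order are simplified assumptions.
"""

# Constructed YARN-like service-def: "admin-queue" carries an implied grant
# of "submit-app" (the one-way implication described in the review).
SERVICE_DEF_WITH_IMPLIED = {"submit-app": set(), "admin-queue": {"submit-app"}}

# Madhan's option 1: same service-def with the implied grant removed, so
# "submit-app" must be granted explicitly wherever it is needed.
SERVICE_DEF_NO_IMPLIED = {"submit-app": set(), "admin-queue": set()}

# Constructed policies (assumed shape): alice is denied / excepted from
# "admin-queue" while explicitly allowed "submit-app"; the third policy grants
# only "admin-queue" to show what happens when the implication is dropped.
POLICIES = {
    "deny-admin": {
        "policyItems": [{"users": ["alice"], "accesses": ["submit-app"]}],
        "allowExceptions": [],
        "denyPolicyItems": [{"users": ["alice"], "accesses": ["admin-queue"]}],
        "denyExceptions": [],
    },
    "except-admin": {
        "policyItems": [{"users": ["alice"], "accesses": ["submit-app", "admin-queue"]}],
        "allowExceptions": [{"users": ["alice"], "accesses": ["admin-queue"]}],
        "denyPolicyItems": [],
        "denyExceptions": [],
    },
    "admin-only": {
        "policyItems": [{"users": ["alice"], "accesses": ["admin-queue"]}],
        "allowExceptions": [],
        "denyPolicyItems": [],
        "denyExceptions": [],
    },
}

# Evaluator variants: (service-def, expand implied grants on the allow side
# [allow items + deny-exceptions], expand them on the deny side [deny items +
# allow-exceptions]).
VARIANTS = {
    "reported": (SERVICE_DEF_WITH_IMPLIED, True, True),    # expanded everywhere
    "patch":    (SERVICE_DEF_WITH_IMPLIED, True, False),   # expand allow side only
    "option1":  (SERVICE_DEF_NO_IMPLIED, True, True),      # implied grant removed
    "option2":  (SERVICE_DEF_WITH_IMPLIED, False, False),  # engine ignores impliedGrants
}


def expand_implied(service_def, accesses):
    """Return `accesses` plus everything they imply, following chains."""
    result, pending = set(), list(accesses)
    while pending:
        access = pending.pop()
        if access not in result:
            result.add(access)
            pending.extend(service_def.get(access, ()))
    return result


def granted_by(service_def, items, user, expand):
    """Access types the given policy items name for `user`, expanded or not."""
    out = set()
    for item in items:
        if user in item["users"]:
            accesses = item["accesses"]
            out |= expand_implied(service_def, accesses) if expand else set(accesses)
    return out


def is_allowed(service_def, policy, user, access, expand_allow_side, expand_deny_side):
    """Simplified order: a matching deny not cancelled by a deny-exception
    wins; otherwise an allow not cancelled by an allow-exception grants access."""
    deny = granted_by(service_def, policy["denyPolicyItems"], user, expand_deny_side)
    deny_exc = granted_by(service_def, policy["denyExceptions"], user, expand_allow_side)
    if access in deny and access not in deny_exc:
        return False
    allow = granted_by(service_def, policy["policyItems"], user, expand_allow_side)
    allow_exc = granted_by(service_def, policy["allowExceptions"], user, expand_deny_side)
    return access in allow and access not in allow_exc


def scenarios(access="submit-app", user="alice"):
    """Map (variant, policy) -> whether `user` gets `access`."""
    return {
        (vname, pname): is_allowed(sdef, policy, user, access, ea, ed)
        for vname, (sdef, ea, ed) in VARIANTS.items()
        for pname, policy in POLICIES.items()
    }


if __name__ == "__main__":
    for (vname, pname), ok in scenarios().items():
        print(f"{vname:9s} {pname:13s} submit-app -> {'ALLOWED' if ok else 'DENIED'}")
```

Running it shows the "reported" variant denying "submit-app" under both the deny and the allow-exception policies, while "patch", "option1" and "option2" all allow it. The "admin-only" policy is where the options differ from the patch: with the implied grant removed from the service-def (or ignored by the engine), granting only "admin-queue" no longer yields "submit-app", which is the explicit grant Madhan points out would become necessary.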
