Review Request 66588: RANGER-2066: Hbase column family access is authorized by a tagged column in the column family

Thu, 12 Apr 2018 11:14:26 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66588/
-----------------------------------------------------------

Review request for ranger, Madhan Neethiraj and Velmurugan Periasamy.


Bugs: RANGER-2066
    https://issues.apache.org/jira/browse/RANGER-2066


Repository: ranger


Description
-------

SCENARIO:

Table emp has 2 column families: personal_data(name,SSN,age) ; prof_data(role, 
manager)
Column emp/prof_data/role is tagged with OFFICIAL tag.

Create following policies:
Resource policy allows Read on all tables, all column-families and all columns 
and a tag policy allows Read on OFFICIAL tag to test_user.

When test_user executes "scan 'emp' " command, two audit log records are 
created:
1. Resource: emp/personal_data
Name / Type: column-family
Allowed
Policy allowing: Resource based policy

2. Resource: emp/prof_data
Name / Type: column-family
Allowed
Policy allowing: TAG based policy for OFFICIAL tag

prof_data column-family should be authorized by resource policy.


Diffs
-----

  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
 83d128061 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 5bce47b43 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java
 bfdf58163 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 63fc468d8 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
 312deefed 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java
 a6cea957c 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
 e3cd15462 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
 be0ab7de1 
  agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json 
ef758874a 


Diff: https://reviews.apache.org/r/66588/diff/1/


Testing
-------

Developed a unit test scenario for testing the case. Used localVM to test hbase 
plugin.


Thanks,

Abhay Kulkarni

Reply via email to