-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69703/
-----------------------------------------------------------

(Updated Jan. 23, 2019, 7:39 p.m.)


Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
-------

Fixed Security Zone validation code and merged with master branch


Bugs: RANGER-2232
    https://issues.apache.org/jira/browse/RANGER-2232


Repository: ranger


Description
-------

This is to introduce a new abstraction in Apache Ranger that would allow 
carving/bucketing of resources in a service into multiple zones, for better 
administration of security policies. This would enable multiple administrators 
to set up security policies for a service – based on the zones to which they 
have been granted administration rights. 

For example, let us consider 2 security zones ‘finance’ and ‘sales’:

- Security zone ‘finance’ includes all contents in Hive database named ‘finance’
- Security zone ‘sales’ includes all contents in ‘sales’ database
- Set of users and groups are designated as administrators of each zone
- Users are allowed to set up policies only in zones in which they are
  administrators
- Policies defined in a zone are applicable only for resources of the zone
- A zone can be extended to include resources from multiple services like HDFS,
  Hive, HBase, Kafka, .., allowing administrators of a zone to set up policies
  for resources owned by their organization across multiple services.
- Audit logs will include name of the zone in which the accessed resource
  resides. Only users having appropriate permissions on the security zone can
  view its audit logs.


Diffs (updated)
-----

  
  agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java 329e2f0b7
  agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 8d71851e8
  agents-audit/src/main/java/org/apache/ranger/audit/provider/solr/SolrAuditProvider.java 26633fd6e
  agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java b8da19215
  agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 9b9ccd112
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java c2185a7f1
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java b56b8dd4b
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZone.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java ddedf3e17
  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java 51324b093
  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerZoneResourceMatcher.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java 891749d03
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 8e7844f5d
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java e6c0e5a94
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ab26d41d6
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java f64e773ac
  agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java c1b29d3fa
  agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java b898d292c
  agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 7221f6b15
  agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java 7446df604
  agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZonePredicateUtil.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZoneStore.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java 9924cb4c4
  agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java f4fe58993
  agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java efb27aafa
  agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 33f82dd34
  agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java 1ae3fc387
  agents-common/src/test/java/org/apache/ranger/plugin/model/TestRangerPolicyResourceSignature.java 38c425dc6
  agents-common/src/test/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidatorTest.java PRE-CREATION
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java 74293fb4a
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java ddb6d9b82
  knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java 814aedd20
  plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 07921a99a
  plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java d89b46787
  security-admin/contrib/solr_for_audit_setup/conf/managed-schema 6c87af7cf
  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 9af2c8f57
  security-admin/db/mysql/patches/037-add-column-zone-in-x_policy_export_audit.sql PRE-CREATION
  security-admin/db/mysql/patches/038-create-security-zone-schema.sql PRE-CREATION
  security-admin/db/mysql/patches/039-update-permissionmodel.sql PRE-CREATION
  security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 98c45b05d
  security-admin/db/oracle/patches/037-add-column-zone-in-x_policy_export_audit.sql PRE-CREATION
  security-admin/db/oracle/patches/038-create-security-zone-schema.sql PRE-CREATION
  security-admin/db/oracle/patches/039-update-permissionmodel.sql PRE-CREATION
  security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 2ed8cb02c
  security-admin/db/postgres/patches/037-add-column-zone-in-x_policy_export_audit.sql PRE-CREATION
  security-admin/db/postgres/patches/038-create-security-zone-schema.sql PRE-CREATION
  security-admin/db/postgres/patches/039-update-permissionmodel.sql PRE-CREATION
  security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql c8a3ba14a
  security-admin/db/sqlanywhere/patches/037-add-column-zone-in-x_policy_export_audit.sql PRE-CREATION
  security-admin/db/sqlanywhere/patches/038-create-security-zone-schema.sql PRE-CREATION
  security-admin/db/sqlanywhere/patches/039-update-permissionmodel.sql PRE-CREATION
  security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 230c50b02
  security-admin/db/sqlserver/patches/037-add-column-zone-in-x_policy_export_audit.sql PRE-CREATION
  security-admin/db/sqlserver/patches/038-create-security-zone-schema.sql PRE-CREATION
  security-admin/db/sqlserver/patches/039-update-permissionmodel.sql PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java 36a7b4bfa
  security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneRefUpdater.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java f2d61d348
  security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 88b8f8db3
  security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 032e5f0da
  security-admin/src/main/java/org/apache/ranger/common/RangerConstants.java 88509a618
  security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 7b0fd8766
  security-admin/src/main/java/org/apache/ranger/common/RangerValidatorFactory.java 4b149e4ec
  security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 5cecef14c
  security-admin/src/main/java/org/apache/ranger/db/XXGlobalStateDao.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java b4f868709
  security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefGroupDao.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefResourceDao.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefUserDao.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/entity/XXGlobalState.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/entity/XXGlobalStateBase.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/entity/XXPolicyBase.java e441ec0e5
  security-admin/src/main/java/org/apache/ranger/entity/XXPolicyExportAudit.java 1545e047d
  security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZone.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneBase.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefGroup.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefResource.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefService.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefUser.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/patch/PatchAssignSecurityZonePersmissionToAdmin_J10026.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java 50dc17826
  security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 0b854d0d7
  security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java b2213ed76
  security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java 08baf8907
  security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 6ab12adcb
  security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneService.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneServiceBase.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/service/RangerTagDefService.java 10c73f0d2
  security-admin/src/main/java/org/apache/ranger/service/RangerTagService.java 2fa883096
  security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java 4c8ed83b6
  security-admin/src/main/java/org/apache/ranger/service/XAssetService.java 132879a63
  security-admin/src/main/java/org/apache/ranger/service/XAuditMapService.java 09fd963d4
  security-admin/src/main/java/org/apache/ranger/service/XGroupService.java 3009d36c2
  security-admin/src/main/java/org/apache/ranger/service/XPermMapService.java 866448465
  security-admin/src/main/java/org/apache/ranger/service/XPolicyExportAuditServiceBase.java a25cfc17f
  security-admin/src/main/java/org/apache/ranger/service/XResourceService.java b3e7bd7d7
  security-admin/src/main/java/org/apache/ranger/service/XTrxLogService.java e940df250
  security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java 7f3d0c70d
  security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoServiceBase.java 78e4c57ac
  security-admin/src/main/java/org/apache/ranger/service/XUserService.java fbc37d642
  security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java 593634ba6
  security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java f6689c168
  security-admin/src/main/java/org/apache/ranger/view/VXPolicyExportAudit.java ce5a21e06
  security-admin/src/main/resources/META-INF/jpa_named_queries.xml be51592ec
  security-admin/src/main/webapp/images/defult_zone.png PRE-CREATION
  security-admin/src/main/webapp/scripts/collection_bases/RangerZoneListBase.js PRE-CREATION
  security-admin/src/main/webapp/scripts/collections/RangerZoneList.js PRE-CREATION
  security-admin/src/main/webapp/scripts/controllers/Controller.js 92dac6abc
  security-admin/src/main/webapp/scripts/model_bases/RangerZoneBase.js PRE-CREATION
  security-admin/src/main/webapp/scripts/models/RangerPolicy.js e406e1810
  security-admin/src/main/webapp/scripts/models/RangerPolicyResource.js 853e62b38
  security-admin/src/main/webapp/scripts/models/RangerServiceDef.js d008f40b3
  security-admin/src/main/webapp/scripts/models/RangerZone.js PRE-CREATION
  security-admin/src/main/webapp/scripts/modules/XALinks.js 060ab364c
  security-admin/src/main/webapp/scripts/modules/globalize/message/en.js 34e3387c8
  security-admin/src/main/webapp/scripts/routers/Router.js c8391e6ec
  security-admin/src/main/webapp/scripts/utils/XAEnums.js ea8054571
  security-admin/src/main/webapp/scripts/utils/XAGlobals.js 7b1b1b560
  security-admin/src/main/webapp/scripts/utils/XAUtils.js d85dc7aee
  security-admin/src/main/webapp/scripts/views/DownloadServicePolicy.js 8f9dfe50a
  security-admin/src/main/webapp/scripts/views/UploadServicePolicy.js 62a1fcff2
  security-admin/src/main/webapp/scripts/views/common/TopNav.js 0f4a70896
  security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 9588fb75d
  security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js 6c0cf3641
  security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 3a6a59efe
  security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js 90ad83ebe
  security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 8a8e94a0f
  security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 886815d84
  security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js e9ce7d483
  security-admin/src/main/webapp/scripts/views/security_zone/SecurityZone.js PRE-CREATION
  security-admin/src/main/webapp/scripts/views/security_zone/ZoneAdministration.js PRE-CREATION
  security-admin/src/main/webapp/scripts/views/security_zone/ZoneCreate.js PRE-CREATION
  security-admin/src/main/webapp/scripts/views/security_zone/ZoneCreateForm.js PRE-CREATION
  security-admin/src/main/webapp/scripts/views/security_zone/ZoneResourceForm.js PRE-CREATION
  security-admin/src/main/webapp/scripts/views/security_zone/zoneResource.js PRE-CREATION
  security-admin/src/main/webapp/styles/xa.css c601d54af
  security-admin/src/main/webapp/templates/common/ServiceManagerLayout_tmpl.html d4d19a606
  security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 31a9c2656
  security-admin/src/main/webapp/templates/helpers/XAHelpers.js 9e2c02b04
  security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html b7666f926
  security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html 6566d53e8
  security-admin/src/main/webapp/templates/reports/ZoneOperationDiff_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/reports/ZoneUpdateOperationDiff_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/security_zone/SecurityZone_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/security_zone/ZoneAdministration_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/security_zone/ZoneCreateForm_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/security_zone/ZoneCreate_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/security_zone/ZoneResourceForm_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/security_zone/ZoneResourceItem_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/security_zone/ZoneResourceList_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/security_zone/ZoneResourcesForm_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/security_zone/ZoneResources_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/service/ServiceCreate_tmpl.html dff0b666c
  security-admin/src/test/java/org/apache/ranger/biz/TestSecurityZoneDBStore.java PRE-CREATION
  security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java 8054d1e2e
  security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java PRE-CREATION
  security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 0196e24a0
  storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java 88ea05e9d


Diff: https://reviews.apache.org/r/69703/diff/3/

Changes: https://reviews.apache.org/r/69703/diff/2-3/


Testing
-------

Tested with a local VM, for CRUD of security zones, creation of policies for a 
security zone and access evaluation for a resource within specific security 
zone in hive plugin.


Thanks,

Abhay Kulkarni
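
A minimal Python model of the zone semantics listed in the description above, added here as an illustration; it is not Ranger code and not part of this review request. All names (Zone, Policy, zone_of, create_policy, evaluate, visible_audits), the glob matching, the sample users and the rule that zone administrators are the ones who may view a zone's audits are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Zone:
    name: str
    resources: dict   # service name -> glob patterns for resources in the zone
    admins: set       # users allowed to administer policies in the zone

@dataclass
class Policy:
    zone: str         # name of the zone the policy was created in
    service: str
    resource: str     # glob pattern
    users: set        # users the policy grants access to

# Constructed zones mirroring the 'finance' and 'sales' example.
ZONES = [
    Zone("finance", {"hive": ["finance.*"], "hdfs": ["/data/finance/*"]}, {"alice"}),
    Zone("sales", {"hive": ["sales.*"]}, {"bob"}),
]

def zone_of(service, resource):
    """Return the name of the zone containing the resource, or "" if none."""
    for zone in ZONES:
        if any(fnmatchcase(resource, p) for p in zone.resources.get(service, [])):
            return zone.name
    return ""

def create_policy(admin, policy, store):
    """Only an administrator of the policy's zone may add it."""
    zone = next((z for z in ZONES if z.name == policy.zone), None)
    if zone is None or admin not in zone.admins:
        raise PermissionError(f"{admin} does not administer zone {policy.zone!r}")
    store.append(policy)

def evaluate(user, service, resource, store, audit):
    """Consult only policies of the resource's zone; record the zone in the audit."""
    zone = zone_of(service, resource)
    allowed = any(p.zone == zone and p.service == service and user in p.users
                  and fnmatchcase(resource, p.resource) for p in store)
    audit.append({"user": user, "resource": resource, "zone": zone, "allowed": allowed})
    return allowed

def visible_audits(viewer, audit):
    """Assumption: zone administrators are the users permitted to view its audits."""
    mine = {z.name for z in ZONES if viewer in z.admins}
    return [e for e in audit if e["zone"] in mine]

if __name__ == "__main__":
    store, audit = [], []
    create_policy("alice", Policy("finance", "hive", "finance.*", {"carol"}), store)
    create_policy("bob", Policy("sales", "hive", "finance.*", {"dave"}), store)
    print(evaluate("carol", "hive", "finance.ledger", store, audit))
    print(evaluate("dave", "hive", "finance.ledger", store, audit))
```

In this model the policy that 'bob' files in the 'sales' zone names a finance table, yet it never takes effect, because evaluation consults only policies of the zone that owns the accessed resource.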
