-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70426/#review214472
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
Lines 1854 (patched)
<https://reviews.apache.org/r/70426/#comment300675>

    "service-def does not exist" ==> "zone does not exist"



security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java
Lines 58 (patched)
<https://reviews.apache.org/r/70426/#comment300676>

    It is a valid condition to have multiple policies for a given combination of serviceId and policyName; consider this:
    
    serviceId=1, policyName="test-policy", zoneId=
    serviceId=1, policyName="test-policy", zoneId=1
    serviceId=1, policyName="test-policy", zoneId=2
    
    Consider adding a named-query which looks only for unzoned policy:
    
        <named-query name="XXPolicy.findUnzonedByNameAndServiceId">
                <query>select obj from XXPolicy obj where obj.name = :polName and obj.service = :serviceId and obj.zoneId is null order by obj.id</query>
        </named-query>


- Madhan Neethiraj


On April 8, 2019, 6:46 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70426/
> -----------------------------------------------------------
> 
> (Updated April 8, 2019, 6:46 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Pradeep 
> Agrawal, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2400
>     https://issues.apache.org/jira/browse/RANGER-2400
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Ranger enforces uniqueness of policy name within a service. However, with 
> introduction of security zones, policy name needs to be unique within a 
> security zone and a service. This will obviate the need for inventing unique 
> policy names if the policy is associated with the same service but different 
> security zones, as well as present security zone as a namespace in Ranger 
> admin as it does for making authorization decisions.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 710e75d57
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java fa50ab2d6
>   agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java 9e37cd550
>   agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java 8cdb9c3a6
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 2eaffccac
>   security-admin/db/mysql/patches/041-modify-unique-constraint-on-policy-table.sql PRE-CREATION
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 5ca1e3667
>   security-admin/db/oracle/patches/041-modify-unique-constraint-on-policy-table.sql PRE-CREATION
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 51f4999f7
>   security-admin/db/postgres/patches/041-modify-unique-constraint-on-policy-table.sql PRE-CREATION
>   security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 5f64a2dba
>   security-admin/db/sqlanywhere/patches/041-modify-unique-constraint-on-policy-table.sql PRE-CREATION
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql fc21cec3e
>   security-admin/db/sqlserver/patches/041-modify-unique-constraint-on-policy-table.sql PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 574166c3d
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 2a870efaa
>   security-admin/src/main/java/org/apache/ranger/patch/PatchMigration_J10002.java 0af7a1da2
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml 7e702c144
> 
> 
> Diff: https://reviews.apache.org/r/70426/diff/1/
> 
> 
> Testing
> -------
> 
> Created security zone and ensured that the default policies created within 
> zone have same names as corresponding default policies in unzoned zone. 
> Ensured that within same zone (including unzoned zone), two policies with 
> same name cannot be created.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>
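
The lookup ambiguity raised in the XXPolicyDao comment, as an added example that is not part of the original review or of Ranger's code: the three rows from the comment are loaded into an in-memory SQLite table, and a zone-unaware lookup is compared with an unzoned-only lookup and a null-safe per-zone lookup. The table name, column names and ids are assumptions made for this example, and SQLite stands in for the JPA named query.

```python
import sqlite3

# Constructed stand-in for the policy table. Table and column names are
# assumptions for this example; NULL zone_id means "unzoned", matching the
# "obj.zoneId is null" condition in the suggested named query.
SCHEMA = """CREATE TABLE policy (
    id INTEGER PRIMARY KEY, service INTEGER NOT NULL,
    name TEXT NOT NULL, zone_id INTEGER)"""

# The three rows from the review comment; the ids are constructed.
ROWS = [(10, 1, "test-policy", None),
        (11, 1, "test-policy", 1),
        (12, 1, "test-policy", 2)]

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO policy VALUES (?, ?, ?, ?)", ROWS)
    return db

def _ids(db, zone_clause, params):
    sql = ("SELECT id FROM policy WHERE name = ? AND service = ?"
           + zone_clause + " ORDER BY id")
    return [row[0] for row in db.execute(sql, params)]

def find_by_name_and_service(db, name, service):
    # Zone-unaware lookup: no longer guaranteed to return a single policy.
    return _ids(db, "", (name, service))

def find_unzoned_by_name_and_service(db, name, service):
    # SQL form of the suggested XXPolicy.findUnzonedByNameAndServiceId query.
    return _ids(db, " AND zone_id IS NULL", (name, service))

def find_in_zone_naive(db, name, service, zone_id):
    # "= ?" with a NULL parameter is never true, so the unzoned policy is missed.
    return _ids(db, " AND zone_id = ?", (name, service, zone_id))

def find_in_zone(db, name, service, zone_id):
    # SQLite's IS operator is null-safe: NULL IS NULL is true, 1 IS 1 is true.
    return _ids(db, " AND zone_id IS ?", (name, service, zone_id))

if __name__ == "__main__":
    db = open_db()
    print(find_by_name_and_service(db, "test-policy", 1))
    print(find_unzoned_by_name_and_service(db, "test-policy", 1))
    print(find_in_zone_naive(db, "test-policy", 1, None))
    print(find_in_zone(db, "test-policy", 1, None))
```

A caller that expects exactly one row from the zone-unaware lookup would, with this data, be handed policies from three different zones.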
