Re: Review Request 70426: RANGER-2400: policy name needs to be unique within security zone and service

Madhan Neethiraj Tue, 16 Apr 2019 21:32:29 -0700

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70426/#review214715
-----------------------------------------------------------



Fix it, then Ship it!





security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java
Line 168 (original), 169 (patched)
<https://reviews.apache.org/r/70426/#comment300934>

    zone == null is an error condition, which should result in following 
exception - from #114 above:
    
      throw restErrorUtil.createRESTException("Invalid zoneName for policyName: 
" + vObj.getName()
                                        + "Zone Not Found : " + 
vObj.getZoneName(), MessageEnums.INVALID_INPUT_DATA);



security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java
Line 174 (original), 175 (patched)
<https://reviews.apache.org/r/70426/#comment300935>

    line #173 returns null, #175 returns StringUtis.EMPTY. Is this intentional?


- Madhan Neethiraj


On April 17, 2019, 4:24 a.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70426/
> -----------------------------------------------------------
> 
> (Updated April 17, 2019, 4:24 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Pradeep 
> Agrawal, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2400
>     https://issues.apache.org/jira/browse/RANGER-2400
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Ranger enforces uniqueness of policy name within a service. However, with 
> introduction of security zones, policy name needs to be unique within a 
> security zone and a service. This will obviate the need for inventing unique 
> policy names if the policy is associated with the same service but different 
> security zones, as well as present security zone as a namespace in Ranger 
> admin as it does for making authorization decisions.
> 
> 
> Diffs
> -----
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZone.java
>  c3e96bf60 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
>  710e75d57 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java
>  fa50ab2d6 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java 
> 9e37cd550 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
>  8cdb9c3a6 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 
> 707c3119a 
>   security-admin/db/mysql/patches/037-create-security-zone-schema.sql 
> a50ec0e34 
>   
> security-admin/db/mysql/patches/040-modify-unique-constraint-on-policy-table.sql
>  PRE-CREATION 
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 
> e7d89898f 
>   security-admin/db/oracle/patches/037-create-security-zone-schema.sql 
> 354c74dd4 
>   
> security-admin/db/oracle/patches/040-modify-unique-constraint-on-policy-table.sql
>  PRE-CREATION 
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 
> a1998fc3e 
>   security-admin/db/postgres/patches/037-create-security-zone-schema.sql 
> 434231dd6 
>   
> security-admin/db/postgres/patches/040-modify-unique-constraint-on-policy-table.sql
>  PRE-CREATION 
>   
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
>  207c5a3a5 
>   security-admin/db/sqlanywhere/patches/037-create-security-zone-schema.sql 
> 893d453e6 
>   
> security-admin/db/sqlanywhere/patches/040-modify-unique-constraint-on-policy-table.sql
>  PRE-CREATION 
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 
> 36aefcff6 
>   security-admin/db/sqlserver/patches/037-create-security-zone-schema.sql 
> a610b70b1 
>   
> security-admin/db/sqlserver/patches/040-modify-unique-constraint-on-policy-table.sql
>  PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java 
> 5499ea7c0 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
> 1d341c56f 
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 
> 2a870efaa 
>   security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZone.java 
> eccff5feb 
>   security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java 
> 3c1b1d2ee 
>   
> security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java
>  c18759a5d 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml 18dc5fe48 
>   
> security-admin/src/test/java/org/apache/ranger/biz/TestSecurityZoneDBStore.java
>  ecd120eef 
>   
> security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java 
> 88a563b6d 
> 
> 
> Diff: https://reviews.apache.org/r/70426/diff/5/
> 
> 
> Testing
> -------
> 
> Created security zone and ensured that the default policies created within 
> zone have same names as corresponding default policies in unzoned zone. 
> Ensured that within same zone (including unzoned zone), two policies with 
> same name cannot be created.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Re: Review Request 70426: RANGER-2400: policy name needs to be unique within security zone and service

Reply via email to