-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215200
-----------------------------------------------------------
agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
Lines 127 (patched)
<https://reviews.apache.org/r/70629/#comment301754>

    Would this include all roles of the user, at the time of access, in each audit log? This might add excessive data into audit logs. This should be seen as user->groups mapping, which is not included in audit logs. Please review.


agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 1276 (patched)
<https://reviews.apache.org/r/70629/#comment301755>

    It seems 'macroUserRoles' should be effective only for the current evaluation context. Adding to 'userRoles', which is a reference in 'userRoleMapping', would make the change visible to all evaluations. Please review and update.


agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 1289 (patched)
<https://reviews.apache.org/r/70629/#comment301756>

    Can handling of 'public' group be done at Ranger admin, i.e. in the ServicePolicies downloaded to the plugins?


agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 1299 (patched)
<https://reviews.apache.org/r/70629/#comment301757>

    #1276 applies here as well. Please review.


agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 1318 (patched)
<https://reviews.apache.org/r/70629/#comment301758>

    #1276 might be applicable here as well. Please review.


agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
Lines 529 (patched)
<https://reviews.apache.org/r/70629/#comment301759>

    Why would presence of roles make it not usable for evaluation? Shouldn't this be treated similarly to groups?

agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
Lines 214 (patched)
<https://reviews.apache.org/r/70629/#comment301760>

    Consider avoiding this typecasting, by adding the following methods:

    class RangerAccessRequestUtil {
        public static void setCurrentUserRoles(Set<String> roles) {
            // ...
        }

        public static Set<String> getCurrentUserRoles() {
            // ...
        }
    }


agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
Lines 165 (patched)
<https://reviews.apache.org/r/70629/#comment301761>

    Shouldn't dataMaskPolicyItems and rowFilterPolicyItems be checked as well?


agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
Lines 63 (patched)
<https://reviews.apache.org/r/70629/#comment301762>

    It will be useful to add a comment here, on what the key and values are. Also, if Ranger admin is going to compute the roles for users and groups, the following might be simpler in ServicePolicies:

    private Map<String, Set<String>> userRoles;
    private Map<String, Set<String>> groupRoles;


- Madhan Neethiraj


On May 11, 2019, 1:45 a.m., Abhay Kulkarni wrote:

> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> -----------------------------------------------------------
> 
> (Updated May 11, 2019, 1:45 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin
> Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan
> Periasamy.
> 
> 
> Bugs: RANGER-2414
>     https://issues.apache.org/jira/browse/RANGER-2414
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> The current Ranger policy model supports
> authorization/column-masking/row-filtering for users/user-groups based on
> various criteria like accessed-resource, resource-classifications, IP-address
> and custom conditions.
> Given the wide-spread use of role-based authorization
> in traditional enterprise applications (like RDBMS, J2EE), it will be very
> useful for Ranger policy model to support 'roles', i.e. to be able to specify
> authorization/column-masking/row-filtering for roles as well, in addition to
> existing support for users and user-groups.
> 
> This patch provides an initial implementation of support for roles in Ranger.
> 
> 
> Diffs
> -----
> 
>   agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 28db58cd9
>   agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 5e2c49211
>   agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3111037ff
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 990aab0c9
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 365edcf35
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
>   agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
>   agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
>   agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java 2c1de4eb8
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
>   agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
>   agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
>   hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java f204c15c0
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java bf4d6c1ea
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
>   security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
>   security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
>   security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
>   security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
>   security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
>   security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 35dc9405b
>   security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
>   security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
>   security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3ff763c71
>   security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
>   security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1c9
>   security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
>   security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
>   security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
>   security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
>   security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
>   security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 1af54e18a
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
>   security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
>   security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
>   security-admin/src/main/webapp/styles/xa.css 6ae646dfc
>   security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
>   security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
>   security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
>   security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
>   security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
>   security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ac9af5eb4
> 
> 
> Diff: https://reviews.apache.org/r/70629/diff/1/
> 
> 
> Testing
> -------
> 
> - Role CRUD
> - Policy Updates to add/remove roles
> - Logic to authorize access with roles
> - Tracking Service versions with role updates
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>
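The review comment on RangerPolicyEngineImpl line 1276 (#comment301755) points out that merging request-scoped 'macroUserRoles' into the Set referenced from 'userRoleMapping' makes those roles visible to every later evaluation. The following is an added illustration of that aliasing problem and the per-evaluation copy that avoids it; it is not code from the patch or from Ranger, and RoleScopeDemo, userRoleMapping, the user "alice" and the role names are constructed stand-ins.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Constructed illustration (not Ranger code): request-scoped "macro" roles must not
// be merged into the Set owned by the shared user->roles mapping, or they persist.
public class RoleScopeDemo {
    // Stand-in for the user->roles mapping delivered to the plugin with ServicePolicies.
    private final Map<String, Set<String>> userRoleMapping = new HashMap<>();

    RoleScopeDemo() {
        userRoleMapping.put("alice", new HashSet<>(Set.of("analyst")));
    }

    // Defective variant: userRoles is the very Set held by userRoleMapping, so
    // addAll() silently grants the macro roles to every subsequent request for alice.
    Set<String> effectiveRolesLeaky(String user, Set<String> macroUserRoles) {
        Set<String> userRoles = userRoleMapping.get(user);
        userRoles.addAll(macroUserRoles);
        return userRoles;
    }

    // Corrected variant: copy first, so the merged view lives only for this evaluation
    // and the shared mapping is never mutated.
    Set<String> effectiveRolesScoped(String user, Set<String> macroUserRoles) {
        Set<String> userRoles = new HashSet<>(
                userRoleMapping.getOrDefault(user, Collections.emptySet()));
        userRoles.addAll(macroUserRoles);
        return Collections.unmodifiableSet(userRoles);
    }

    // Inspects the shared mapping as a later, macro-free request would see it.
    boolean mappingGrants(String user, String role) {
        return userRoleMapping.getOrDefault(user, Collections.emptySet()).contains(role);
    }

    public static void main(String[] args) {
        RoleScopeDemo leaky = new RoleScopeDemo();
        leaky.effectiveRolesLeaky("alice", Set.of("admin"));
        System.out.println("leaky: shared mapping grants admin after one request = "
                + leaky.mappingGrants("alice", "admin"));
        RoleScopeDemo scoped = new RoleScopeDemo();
        scoped.effectiveRolesScoped("alice", Set.of("admin"));
        System.out.println("scoped: shared mapping grants admin after one request = "
                + scoped.mappingGrants("alice", "admin"));
    }
}
```

The same copy-before-merge rule applies to the other call sites the review flags with "#1276 applies here as well"; if the merged Set also needs to be readable from policy-item evaluators, the typed accessors suggested in #comment301760 are a natural place to hand it over without touching the shared mapping.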