-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70952/
-----------------------------------------------------------
Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay
Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh Mani,
Sailaja Polavarapu, and Velmurugan Periasamy.
Bugs: RANGER-2484
https://issues.apache.org/jira/browse/RANGER-2484
Repository: ranger
Description
-------
**Problem Statement:** Observing failure while importing permissions into
Ranger using the Ranger import API
(/service/plugins/policies/importPoliciesFromFile?updateIfExists=true).
Create a Ranger policy for resource "db1/table1/column1" with policy name
policy-1 in service hivedev.
Import permissions for resource "db1/table1/column1" which has policy name
policy-2 into hivedev service using the import API mentioned above.
This results in the failure below:
Validation failure: error code[3010], reason[Another policy already exists for
matching resource: policy-name=[policy-1], service=[hivedev]],
field[resources], subfield[null], type[semantically incorrect]
This issue will be seen only when there is a policy that already exists for the
resource with different policy name from the one that is being imported. If the
policy names match, the policy is updated properly.
**Proposed Solution:**
Import API can accept an additional parameter 'ignorePolicyName' along with
'updateIfExists'. 'ignorePolicyName' parameter shall be helpful to decide
whether policies should be merged or not irrespective of policy name.
**Updated Behaviour shall be:** (please add or ask to add if anything is
missing below)
1) If the 'override' flag is true, then the import API shall delete the existing
policy from the given service and create the policies received from the JSON file.
2) If the 'updateIfExists' flag is true, then the import API shall update the old
policy object with the new policy JSON if the policy guid or policy name matches;
if no policy exists with the given name and guid, then it will create the policy,
but policy creation may fail if a policy exists with the same resource having a
different name.
3) If the 'updateIfExists' flag is true and the 'ignorePolicyName' flag is true and
the new policy does not have policy conditions, then Ranger will try to find an
existing policy for the exactly matching resource; if an exactly matching
resource policy is found, then the new policy will be merged into the existing
policy and the existing policy name will remain the same. If same-resource policies
are not found, then it will try to act as 'updateIfExists' true (mentioned in step 2).
Diffs
-----
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
1d9391f20
security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
c49c42698
Diff: https://reviews.apache.org/r/70952/diff/1/
Testing
-------
1) Built Ranger with the attached patch, untarred Ranger, updated
install.properties, and installed and started Ranger-admin.
2) Created testuser1 and testuser2.
3) Created a hive service: hivedev
4) Created a policy 'policy2' for resource: db1/table1/column1, added a
policy item for user 'testuser1' with 'select' permissions.
5) Exported the policy JSON from the UI.
6) Updated the exported policy JSON and updated the policy name to 'policy3',
updated the policy item by replacing 'testuser1' with 'testuser2' and added
'create' and 'update' permissions.
7) Now tried to import policies with param '' :
curl -i -X POST --header "Accept:*/*" -H "Content-Type: multipart/form-data" \
  -F 'file=@/Users/pradeep/Downloads/Ranger_Policies_20190625_104505.json' \
  -u admin:ranger1234 \
  'http://172.22.111.117:6080/service/plugins/policies/importPoliciesFromFile?updateIfExists=true&serviceType=hive'
**Expected Behaviour:** policy2 should be updated with additional policy item
having testuser2 permissions of 'create' and 'update'.
**Actual Behaviour:** policy2 updated with additional policy item having
testuser2 permissions of 'create' and 'update'.
Thanks,
Pradeep Agrawal
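
The import rules 2 and 3 described in the review request above, as an added in-memory model that is not part of the original message and not Ranger's code. The names Policy, import_policy and ValidationFailure are hypothetical, the sample users are constructed, and rule 1 ('override') is left out.

```python
# Added illustration: in-memory model of import rules 2 and 3 from the message.
# Policy, import_policy and ValidationFailure are hypothetical names, not Ranger code.
from dataclasses import dataclass, field

class ValidationFailure(Exception):
    """Stands in for the error code[3010] failure quoted in the message."""

@dataclass
class Policy:
    name: str
    resource: str                                # e.g. "db1/table1/column1"
    items: list = field(default_factory=list)    # (user, accesses) tuples
    conditions: list = field(default_factory=list)
    guid: str = ""

def import_policy(store, new, update_if_exists=False, ignore_policy_name=False):
    """Apply one imported policy to `store`, the policy list of one service."""
    # Rule 3: no conditions -> merge into the exact-resource match, keep its name.
    if update_if_exists and ignore_policy_name and not new.conditions:
        for old in store:
            if old.resource == new.resource:
                old.items += [i for i in new.items if i not in old.items]
                return "merged into " + old.name
    # Rule 2: replace the old object when guid or name matches.
    if update_if_exists:
        for idx, old in enumerate(store):
            if old.name == new.name or (new.guid and old.guid == new.guid):
                store[idx] = new
                return "updated " + new.name
    # Create; a policy on the same resource under another name blocks it.
    for old in store:
        if old.resource == new.resource:
            raise ValidationFailure("Another policy already exists for matching "
                                    f"resource: policy-name=[{old.name}]")
    store.append(new)
    return "created " + new.name

def demo():
    """Constructed data following the problem statement (users are made up)."""
    res = "db1/table1/column1"
    store = [Policy("policy-1", res, [("testuser1", ("select",))])]
    incoming = Policy("policy-2", res, [("testuser2", ("create", "update"))])
    try:
        first = import_policy(store, incoming, update_if_exists=True)
    except ValidationFailure as exc:
        first = "failed: " + str(exc)
    second = import_policy(store, incoming, update_if_exists=True,
                           ignore_policy_name=True)
    return first, second, store
```

In this model the merge adds testuser2's grants to policy-1 while the policy name stays unchanged, so the access change is visible only in the policy items.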