-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70952/#review216272
-----------------------------------------------------------

Ship it!

Ship It!

- Velmurugan Periasamy


On June 27, 2019, 5:31 p.m., Pradeep Agrawal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70952/
> -----------------------------------------------------------
>
> (Updated June 27, 2019, 5:31 p.m.)
>
>
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay
> Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh
> Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2484
> https://issues.apache.org/jira/browse/RANGER-2484
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Statement:** Observing failure while importing permissions into
> ranger using ranger import API
> (/service/plugins/policies/importPoliciesFromFile?updateIfExists=true).
>
> Create a ranger policy for resource "db1/table1/column1" with policy name
> policy-1 in service hivedev.
>
> Import permissions for resource "db1/table1/column1" which has policy name
> policy-2 into hivedev service using the import API mentioned above.
> This results in the below failure:
>
> Validation failure: error code[3010], reason[Another policy already exists
> for matching resource: policy-name=[policy-1], service=[hivedev]],
> field[resources], subfield[null], type[semantically incorrect]
>
> This issue will be seen only when there is a policy that already exists for
> the resource with a different policy name from the one that is being imported.
> If the policy names match, the policy is updated properly.
>
> **Proposed Solution:**
> Import API can accept an additional parameter 'ignorePolicyName' along with
> 'updateIfExists'. 'ignorePolicyName' parameter shall be helpful to decide
> whether policies should be merged or not irrespective of policy name.
>
>
> **Updated Behaviour shall be:** (please add or ask to add if anything is
> missing below)
> 1) If 'override' flag is true then import api shall delete existing policy
> from the given service and create the policies received from json file.
> 2) If 'updateIfExists' flag is true then import api shall update the old
> policy object with new policy json if policy guid or policy name is matching;
> if policy does not exist with given name and guid then it will create the
> policy, but policy creation may fail if a policy exists with the same resource
> having a different name.
> 3) If 'updateIfExists' flag is true and 'ignorePolicyName' flag is true and
> if the new policy does not have policy conditions, then ranger will try to
> find an existing policy for the exactly matching resource; if an exactly
> matching resource policy is found then the new policy will be merged into the
> existing policy and the existing policy name will remain the same. If same
> resource policies are not found then it will try to act as 'updateIfExists'
> true (mentioned in step-2).
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
> 1d9391f20
> security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
> c49c42698
>
>
> Diff: https://reviews.apache.org/r/70952/diff/1/
>
>
> Testing
> -------
>
> 1) Built Ranger with the attached patch, untarred the ranger, updated
> install.properties and installed and started Ranger-admin.
> 2) Created testuser1 and testuser2.
> 3) Created a hive service: hivedev
> 4) Created a policy 'policy2' for resource: db1/table1/column1, added a
> policy item for user 'testuser1' with 'select' permissions.
> 5) Exported the policy json from UI.
> 6) Updated the exported policy json and updated policy name to 'policy3',
> updated policy item by replacing 'testuser1' with 'testuser2' and added
> 'create' and 'update' permissions.
> 7) Now tried to import policies with param '':
> curl -i -X POST --header "Accept:*/*" -H "Content-Type: multipart/form-data" \
>   -F 'file=@/Users/pradeep/Downloads/Ranger_Policies_20190625_104505.json' \
>   -u admin:ranger1234 \
>   'http://172.22.111.117:6080/service/plugins/policies/importPoliciesFromFile?updateIfExists=true&serviceType=hive'
>
> **Expected Behaviour:** policy2 should be updated with additional policy
> item having testuser2 permissions of 'create' and 'update'.
> **Actual Behaviour:** policy2 updated with additional policy item having
> testuser2 permissions of 'create' and 'update'.
>
>
> Thanks,
>
> Pradeep Agrawal
>
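
The 'updateIfExists' and 'ignorePolicyName' rules from the Description above, modeled in Python as an added example (not Ranger's code and not part of the review request). The dict fields, function names and sample policies are assumptions, "merge" is assumed to mean appending policy items not already present, and the 'override' rule is left out.

```python
# Simplified model of import rules 2 and 3 from the review request.
# Not Ranger code: policies are plain dicts and the service is a list.

class ValidationFailure(Exception):
    """Stands in for the error code[3010] validation failure."""

def _find(store, pred):
    return next((p for p in store if pred(p)), None)

def import_policy(store, new, update_if_exists=False, ignore_policy_name=False):
    """Apply one imported policy to `store`; return (action, stored policy)."""
    def same_resource(p):
        return p["resources"] == new["resources"]
    # Rule 3: no policy conditions -> merge on exact resource match, any name.
    if update_if_exists and ignore_policy_name and not new.get("conditions"):
        target = _find(store, same_resource)
        if target is not None:
            # Assumption: merging appends policy items not already present.
            target["items"] += [i for i in new["items"] if i not in target["items"]]
            return "merged", target  # the existing policy name is kept
    # Rule 2: replace the stored policy when guid or name matches.
    if update_if_exists:
        target = _find(store, lambda p: p["guid"] == new.get("guid")
                       or p["name"] == new["name"])
        if target is not None:
            target.update(new)
            return "updated", target
    # Otherwise create; rejected if another policy covers the same resource.
    clash = _find(store, same_resource)
    if clash is not None:
        raise ValidationFailure(
            "error code[3010], reason[Another policy already exists for "
            f"matching resource: policy-name=[{clash['name']}]]")
    store.append(dict(new))
    return "created", store[-1]

def sample_store():
    # Constructed sample: the existing policy from the Testing steps.
    return [{"guid": "g-1", "name": "policy2", "resources": "db1/table1/column1",
             "items": [{"user": "testuser1", "accesses": ["select"]}]}]

# Constructed import entry: different name and guid, same resource.
IMPORTED = {"guid": "g-2", "name": "policy3", "resources": "db1/table1/column1",
            "items": [{"user": "testuser2", "accesses": ["create", "update"]}]}
```

With only `update_if_exists=True` the constructed import is rejected because of the name mismatch; adding `ignore_policy_name=True` merges it into policy2, and an imported policy that carries conditions falls back to the rule 2 path.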
