> On July 17, 2019, 6:05 p.m., Abhay Kulkarni wrote:
> > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
> > Lines 1578 (patched)
> > <https://reviews.apache.org/r/71063/diff/1/?file=2155237#file2155237line1578>
> >
> >     Does this API expect both deleteIfExists and updateIfExists to be true?
> >     If so, how are they prioritized?

Sorry, I did not add enough summary in point 6 of the description. Yes, I have added this additional behaviour on the current 'updateIfExists' flow.

If deleteIfExists and updateIfExists are both true then the behaviour shall be:
=> If the policy resource is exactly matching then the policy will be deleted first and then the update logic will execute.
=> If the policy resource is not matching then the policy will not be deleted and the update logic will execute.

In the create policy API call, if updateIfExists is true then the following update policy implementation will execute.

Update logic: It will check whether the policy exists or not in an order. First it will check the matching guid; if not found, then policyname+servicename+zone; if not found, then policyname+servicename. If the policy is found via any of the three checks then it will try to update. If not found then the create policy call will execute.

When I started working on this issue I had no plan to add this behaviour, but later while testing my initial patch I thought that there could be users who might want this feature as well.
If you have any other concern which is not covered here then please let me know.


> On July 17, 2019, 6:05 p.m., Abhay Kulkarni wrote:
> > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
> > Line 2217 (original), 2222 (patched)
> > <https://reviews.apache.org/r/71063/diff/1/?file=2155237#file2155237line2224>
> >
> >     Same as earlier comment. What is the semantics if both deleteIfExists
> >     and updateIfExists are defined?

Same as previous comment. During import, in the json file there could be a case that an exact resource matching policy may or may not exist. If it exists then the policy will be deleted and eventually create will happen. If the policy does not exist then delete will not happen, but update might happen only when the policy does not have the same resource but may have the same guid or policyname+servicename+zone or policyname+servicename.
If there is no update then the return object shall be null and the create policy call will be executed.


- Pradeep


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71063/#review216696
-----------------------------------------------------------


On July 17, 2019, 3:55 a.m., Pradeep Agrawal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71063/
> -----------------------------------------------------------
>
> (Updated July 17, 2019, 3:55 a.m.)
>
>
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay
> Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh
> Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2503
>     https://issues.apache.org/jira/browse/RANGER-2503
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Statement:**
>
> Currently, the Import Policy API provides an option to override all policies
> of a given service but it does not override a given set of policies of a service.
>
> **Proposed improvements :**
>
> If there is a policy which matches the resource, the policy should be deleted
> and the new policy should be created with the data provided.
>
> If there is no policy which matches the resource, a new policy should be
> created with the data provided.
>
> **Proposed Solution :**
>
> Patch shall delete the existing policy of which resource is exactly matching
> with the new policy then it will create the policy using new json.
>
> **other changes:**
> 1) This patch also has a little improvement to the merge feature flag (Refer
> RANGER-2484). 'ignorePolicyName' flag is replaced with 'mergeIfExist' for
> better understanding.
>
> **Behaviour of the Import API shall be:**
> 1) 'Override' flag : API shall delete all the policies of given target
> service and shall create the new policies from the received json.
> 2) 'deleteIfExists' flag : API shall delete those existing policies which are
> exactly matching after comparing with new policy based on their resources.
> After deleting the existing policy, API shall create the new policy from the
> given json file.
> 3) 'updateIfExists' flag with resource input : API shall delete all the
> existing policies from target service of which resources are exactly matching
> with given policies resources.
> 4) 'updateIfExists' flag without resource input : API shall update existing
> policies with new policy json based on either of the following conditions.
>    a) existing and new policy guid is matching
>    b) existing and new policy name, service and zone are matching
>    c) existing and new policy name and service are matching.
> 5) 'mergeIfExists' flag : API shall merge the existing policy's policy-items
> with the new policy of which resources will match exactly with available
> policies.
> 6) 'deleteIfExists' flag and 'updateIfExists' : delete the policies of
> which resources are exactly matching. update the policies which are matching
> else will create the policy.
>
> If none of the cases are matching then API shall try to create the policy.
> Policy creation validation will be done before creating the policy.
>
>
> Diffs
> -----
>
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b88a68426
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3f6b7e1eb
>
>
> Diff: https://reviews.apache.org/r/71063/diff/1/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Pradeep Agrawal
>
>
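
The precedence of 'deleteIfExists' over 'updateIfExists' and the three-step lookup order described in the reply above, as an added example that is not part of the original thread and is not Apache Ranger code. It is a toy in-memory model: every function name, field name and sample policy is constructed for illustration.

```python
# Added illustration: a toy in-memory model, NOT Apache Ranger code.
# All names, fields and sample policies are hypothetical/constructed.

def resource_key(policy):
    """Order-insensitive view of the resources, used for the exact-match test."""
    return {name: sorted(vals) for name, vals in policy["resources"].items()}

def find_for_update(store, new):
    """Lookup order from the reply: guid, then name+service+zone, then name+service."""
    key_sets = (("guid",), ("name", "service", "zone"), ("name", "service"))
    for keys in key_sets:
        for existing in store:
            if all(existing[k] == new[k] for k in keys):
                return existing
    return None

def import_policy(store, new, delete_if_exists=False, update_if_exists=False):
    """Apply one imported policy to `store` and return the list of actions taken."""
    actions = []
    if delete_if_exists:
        # Delete runs first and only on an exact resource match in the same service.
        for existing in list(store):
            if (existing["service"] == new["service"]
                    and resource_key(existing) == resource_key(new)):
                store.remove(existing)
                actions.append("delete " + existing["name"])
    if update_if_exists:
        target = find_for_update(store, new)
        if target is not None:
            actions.append("update " + target["name"])
            target.update(new)
            return actions
    # Nothing was updated: fall through to a plain create.
    store.append(dict(new))
    actions.append("create " + new["name"])
    return actions

def policy(guid, name, zone, resources, service="hive_dev"):
    return {"guid": guid, "name": name, "service": service,
            "zone": zone, "resources": resources}

def sample_store():
    """Constructed sample data: two existing policies in one service."""
    return [policy("g-1", "hr-read", "", {"database": ["hr"], "table": ["*"]}),
            policy("g-2", "fin-read", "", {"database": ["finance"]})]
```

In this model the last fallback matches on name and service alone, so an imported policy can replace an existing one whose zone differs.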
