-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71362/#review217425
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
Line 343 (original), 343 (patched)
<https://reviews.apache.org/r/71362/#comment304704>

    This change removes sending evalContext to isMatch() method; this can cause 
isMatch() to return incorrect results for resources having {USER} in name - 
like /home/{USER}. Please review.
    
    Same applies for other similar updates as well - line #362, #377.



agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
Line 365 (original), 362 (patched)
<https://reviews.apache.org/r/71362/#comment304702>

    Sending 'user' for 'owner' doesn't look right; wouldn't this result in all 
users to be allowed for accesses granted for resource-owner?
    
    Same for line #377 as well.



agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
Line 294 (original), 294 (patched)
<https://reviews.apache.org/r/71362/#comment304703>

    wouldn't adding 'hasResourceOwner' here effectively ignore the {OWNER} 
condition, since there is no validation that 'user' is 'owner' - as owner 
information is not available in this method?
    
    Please remove 'hasResourceOwner' from this line.


- Madhan Neethiraj


On Aug. 24, 2019, 1:30 a.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71362/
> -----------------------------------------------------------
> 
> (Updated Aug. 24, 2019, 1:30 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj and Ramesh Mani.
> 
> 
> Bugs: RANGER-2548
>     https://issues.apache.org/jira/browse/RANGER-2548
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Grant/Revoke requests are processed by Ranger to create/update corresponding 
> Ranger Policy. With Hive support for OWNER, Ranger also needs to ensure that 
> Grant/Revoke requests, if they provide ownership information for the Hive 
> object being granted permission on, are processed correctly in accordance 
> with prevailing Ranger policies.
> 
> 
> Diffs
> -----
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  daa62f408 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
>  cf590f9aa 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  ecd6cb746 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
>  5bbbecedb 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
>  00c0d42ed 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
>  ec3950f62 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
>  02f343196 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
>  c8276f127 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
> bb825b822 
> 
> 
> Diff: https://reviews.apache.org/r/71362/diff/2/
> 
> 
> Testing
> -------
> 
> Passed all unit tests
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Reply via email to