----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/71260/#review217710 -----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java Line 95 (original), 100 (patched) <https://reviews.apache.org/r/71260/#comment305019> When policy-engine is built from policy-deltas, this API is called. This needs to be provided with rangerRoles as well. agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java Line 218 (original), 223 (patched) <https://reviews.apache.org/r/71260/#comment305020> After rangerRoles are provided to this API, the code to build userRoleMapping and groupRoleMapping needs to be inserted here. agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java Line 336 (original), 348 (patched) <https://reviews.apache.org/r/71260/#comment305021> This API needs to have rangerRoles as an additional parameter. Please review. agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java Lines 451 (patched) <https://reviews.apache.org/r/71260/#comment305022> It appears that rangerRoles are hard-coded in the TestPolicyEngine code. It will be better to enhance TestPolicyEngine code to accept this information as part of the JSON used to specify test-data. security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java Lines 700 (patched) <https://reviews.apache.org/r/71260/#comment305024> PluginInfo updates are managed here. Is there corresponding GUI code change included here to display it? security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java Lines 275 (patched) <https://reviews.apache.org/r/71260/#comment305025> The global state for maintaing role version (across all services) may cause unnecessary role-downloads when a role that is not used in any policy of a service is modified. Is using global role version in x_global_state for determining if roles need to be downloaded helpful here? security-admin/src/main/java/org/apache/ranger/common/RangerRoleCache.java Lines 112 (patched) <https://reviews.apache.org/r/71260/#comment305023> This code block is not needed. Please consider removing this and related code. - Abhay Kulkarni On Sept. 5, 2019, 6 p.m., Ramesh Mani wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/71260/ > ----------------------------------------------------------- > > (Updated Sept. 5, 2019, 6 p.m.) > > > Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, > Madhan Neethiraj, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, > and Velmurugan Periasamy. > > > Bugs: RANGER-2512 > https://issues.apache.org/jira/browse/RANGER-2512 > > > Repository: ranger > > > Description > ------- > > RANGER-2512:RangerRolesRESTClient for serving user group > roles to the plugins for evaluation > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java > 6367235 > > agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminClient.java > b09a9be > > agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java > 62d5776 > > agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPluginInfo.java > e3f9f15 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java > d201aa6 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java > 015ca09 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java > 51cd658 > > agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java > 3d0f107 > > agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java > 8d89a18 > > agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java > 0e52c31 > > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java > 310f69d > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRoles.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesProvider.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRolesUtil.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java > 8c63434 > > agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java > 7180675 > > knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java > f57012e > security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java 63959c9 > security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java 28b2c11 > security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java > fc4b40d > security-admin/src/main/java/org/apache/ranger/common/RangerRoleCache.java > PRE-CREATION > security-admin/src/main/java/org/apache/ranger/db/XXGlobalStateDao.java > f6b9e1a > security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java 25fb085 > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java > 3d44315 > > > Diff: https://reviews.apache.org/r/71260/diff/5/ > > > Testing > ------- > > - Testing done in Local Vm for > 1) Role cache file creation along with Policy file. > 2) Role based authorization happening based on the user / group role in the > plugin. > 3) Ranger Admin now has role version and based on the roles are to be > fetched to the plugin. > 4) RoleREST > curl -u user:password -H "Accept: application/json" -H "Content-Type: > application/json" -X GET "http://`hostname > -f`:6080/service/roles/secure/download/cm_hive?lastKnownRoleVersion=-1" > > > Thanks, > > Ramesh Mani > >
