-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71894/#review218994
-----------------------------------------------------------

agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
Line 169 (original), 169 (patched)
<https://reviews.apache.org/r/71894/#comment306995>

    I think the following should be called immediately after #169, #173 and #184:
      ret.setIsAuditedDetermined(true)

    Please review.


agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
Line 62 (original), 63 (patched)
<https://reviews.apache.org/r/71894/#comment306994>

    Instead of adding fields auditExcludeUsers/auditExcludeGroups/auditExcludeRoles, please consider returning a subset of service-configs from Ranger admin - like:
      Map<String, String> serviceConfig;

    And have the PolicyEngine/RangerBasePlugin read the following configurations to populate auditExcludeUsers/auditExcludeGroups/auditExcludeRoles:
     - ranger.plugin.audit.excluded.users
     - ranger.plugin.audit.excluded.groups
     - ranger.plugin.audit.excluded.roles


- Madhan Neethiraj


On Dec. 9, 2019, 10:33 a.m., Pradeep Agrawal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71894/
> -----------------------------------------------------------
>
> (Updated Dec. 9, 2019, 10:33 a.m.)
>
>
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay
> Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh
> Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2669
>     https://issues.apache.org/jira/browse/RANGER-2669
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Statement:** Ranger logs too much audit information, specifically
> around service accounts (like hbase, atlas, solr). Too much data to solr is
> making it turn off.
>
> It would be good if an "audit exclude user/groups" optional - configuration
> can be provided, where user can specify user/groups (like "solr") which
> wouldn't get logged during the audits.
>
> **Proposed Solution:**
>
> 1) Ranger service will support configuration parameters whose values will be
> downloaded to Ranger plugin during policy/tag download. Their names will
> start with 'ranger.plugin.audit'. ServicePolicies will have an additional member
> of type list which will contain these parameters and their values.
>
> 2) One of the parameters will be 'ranger.plugin.audit.exclude.users' and the
> value will be a comma-separated list of users that do not need to be audited.
>
> 3) Plugin will accept and maintain a list of not-to-audit users/groups in an
> instance of BasePlugin class.
>
> 4) PolicyEngine.createAccessResult() will be modified to call
> setIsAudited(false) if the user is in the list in case of AUDIT_ALL option.
>
> **Note:** Changes to blacklist the audit for role is not implemented yet in
> this patch.
>
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java a75a6c692
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java 197c30f0d
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java 360404af3
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 0fd5093a9
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java f2bbd3c1a
>
>
> Diff: https://reviews.apache.org/r/71894/diff/3/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Pradeep Agrawal
>
>
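
Added example, not part of this thread or of the Ranger patch: a minimal Java sketch of the flow discussed above, where the plugin reads the exclusion lists from a `Map<String, String> serviceConfig` and settles the audit flag when the access result is created. The class `AuditExcludeSketch`, its `Result` type and the sample values are assumptions made for illustration; the key names are the ones given in the review comment.

```java
import java.util.*;
import java.util.stream.Collectors;

// Added illustration: class, field and method names are hypothetical, not Ranger's API.
public class AuditExcludeSketch {
    // Key names as written in the review comment.
    static final String USERS  = "ranger.plugin.audit.excluded.users";
    static final String GROUPS = "ranger.plugin.audit.excluded.groups";
    static final String ROLES  = "ranger.plugin.audit.excluded.roles";

    static final class Result { boolean isAudited; boolean isAuditedDetermined; }

    private final Set<String> users, groups, roles;

    AuditExcludeSketch(Map<String, String> serviceConfig) {
        users  = parse(serviceConfig.get(USERS));
        groups = parse(serviceConfig.get(GROUPS));
        roles  = parse(serviceConfig.get(ROLES));
    }

    // Comma-separated value to a set of trimmed, non-empty names; a missing key excludes nobody.
    static Set<String> parse(String csv) {
        if (csv == null) return Collections.emptySet();
        return Arrays.stream(csv.split(",")).map(String::trim)
                     .filter(s -> !s.isEmpty()).collect(Collectors.toSet());
    }

    // AUDIT_ALL case: audit unless the caller matches an exclusion by user, group or role.
    Result createAccessResult(String user, Set<String> userGroups, Set<String> userRoles) {
        boolean excluded = users.contains(user)
                || !Collections.disjoint(groups, userGroups)
                || !Collections.disjoint(roles, userRoles);
        Result ret = new Result();
        ret.isAudited = !excluded;
        ret.isAuditedDetermined = true; // assumption: marks the audit decision as final
        return ret;
    }

    public static void main(String[] args) {
        // Constructed sample config standing in for what Ranger admin would send.
        AuditExcludeSketch ex = new AuditExcludeSketch(
                Map.of(USERS, "solr, hbase ,,atlas", GROUPS, "svc-accounts"));
        System.out.println("effective exclusions: " + ex.users + " " + ex.groups + " " + ex.roles);
        System.out.println(ex.createAccessResult("solr", Set.of(), Set.of()).isAudited);
        System.out.println(ex.createAccessResult("alice", Set.of("svc-accounts"), Set.of()).isAudited);
        System.out.println(ex.createAccessResult("alice", Set.of("analysts"), Set.of()).isAudited);
    }
}
```

Printing the effective exclusion sets at load time keeps the resulting audit gap visible to operators, since excluded principals leave no access audit records.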
