-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71894/
-----------------------------------------------------------

(Updated Dec. 11, 2019, 10:41 a.m.)


Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay 
Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh Mani, 
Sailaja Polavarapu, and Velmurugan Periasamy.


Changes
-------

Addressed review comments.


Bugs: RANGER-2669
    https://issues.apache.org/jira/browse/RANGER-2669


Repository: ranger


Description
-------

**Problem Statement:** Ranger logs too much audit information, specifically 
around service accounts (like hbase, atlas, solr). Too much data to solr is 
making it turn off.

It would be good if an "audit exclude user/groups" optional configuration can 
be provided, where user can specify user/groups (like "solr") which wouldn't 
get logged during the audits.

**Proposed Solution:** 

1) Ranger service will support configuration parameters whose values will be 
downloaded to Ranger plugin during policy/tag download. Their names will start 
with 'ranger.plugin.audit'. ServicePolicies will have an additional member of type 
list which will contain these parameters and their values.

2) One of the parameters will be 'ranger.plugin.audit.exclude.users' and the 
value will be a comma-separated list of users that do not need to be audited.

3) Plugin will accept and maintain a list of not-to-audit users/groups in an 
instance of BasePlugin class.

4) PolicyEngine.createAccessResult() will be modified to call 
setIsAudited(false) if the user is in the list in case of AUDIT_ALL option.

**Note:** Changes to blacklist the audit for role are not implemented yet in 
this patch.


Diffs (updated)
-----

  
agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java
 2bb834d56 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
 a75a6c692 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
 50313bc3d 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
 197c30f0d 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java 
360404af3 
  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
0fd5093a9 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
f2bbd3c1a 


Diff: https://reviews.apache.org/r/71894/diff/4/

Changes: https://reviews.apache.org/r/71894/diff/3-4/


Testing
-------


Thanks,

Pradeep Agrawal
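
A sketch of steps 1 to 4 of the proposed solution, added here as an illustration and not code from the patch or from Ranger. The class and method names are hypothetical, the sample configuration is constructed, and exact, case-sensitive matching of user names is an assumption.

```java
import java.util.*;

// Added illustration: hypothetical names, not classes from the patch or from Ranger.
public class AuditExcludeSketch {
    static final String PREFIX = "ranger.plugin.audit";            // from the description
    static final String EXCLUDE_USERS = PREFIX + ".exclude.users"; // from the description

    // Step 1: only parameters whose names start with the prefix go to the plugin.
    static Map<String, String> paramsForPlugin(Map<String, String> serviceConfig) {
        Map<String, String> out = new TreeMap<>();
        serviceConfig.forEach((k, v) -> { if (k.startsWith(PREFIX) && v != null) out.put(k, v); });
        return out;
    }

    // Steps 2-3: comma-separated value to a set; blanks dropped so ",," excludes nobody.
    static Set<String> parseExcludedUsers(String csv) {
        Set<String> users = new HashSet<>();
        if (csv != null) {
            for (String u : csv.split(",")) {
                if (!u.trim().isEmpty()) users.add(u.trim());
            }
        }
        return users;
    }

    // Step 4: only the AUDIT_ALL case is overridden; any other decision is left alone.
    // Assumption: exact, case-sensitive match, so "solr" does not cover "solr-admin".
    static boolean isAudited(boolean auditAll, boolean current, String user, Set<String> excluded) {
        if (auditAll && user != null && excluded.contains(user)) return false;
        return current;
    }

    public static void main(String[] args) {
        Map<String, String> config = new HashMap<>();               // constructed sample
        config.put(EXCLUDE_USERS, " solr, hbase ,,atlas");
        config.put("password", "constructed-secret");               // must not reach the plugin
        Map<String, String> sent = paramsForPlugin(config);
        Set<String> excluded = parseExcludedUsers(sent.get(EXCLUDE_USERS));
        System.out.println("sent to plugin: " + sent.keySet());
        for (String user : new String[] {"solr", "solr-admin", "Solr", "alice"}) {
            System.out.println(user + " audited=" + isAudited(true, true, user, excluded));
        }
        System.out.println("null user audited=" + isAudited(true, true, null, excluded));
    }
}
```

Every name on the exclude list is an account whose access leaves no audit record, so the list and any change to it are worth reviewing in their own right.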
