-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71894/#review219006
-----------------------------------------------------------


agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java
Lines 297 (patched)
<https://reviews.apache.org/r/71894/#comment307007>

    configValue => str


agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java
Lines 299 (patched)
<https://reviews.apache.org/r/71894/#comment307008>

    is it necessary to call trimToEmpty()? isNotEmpty() should handle whitespaces.


agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
Lines 189 (patched)
<https://reviews.apache.org/r/71894/#comment307010>

    Consider simplifying the method, like:

      boolean ret = getAuditExcludeUsers().contains(request.getUser());

      if (!ret && CollectionUtils.isNotEmpty(getAuditExcludeGroups())) {
        ret = CollectionUtils.containsAny(getAuditExcludeGroups(), request.getUserGroups());
      }

      if (!ret && CollectionUtils.isNotEmpty(getAuditExcludeRoles())) {
        Set<String> roles = this.pluginContext.getAuthContext().getRolesForUserAndGroups(request.getUser(), request.getUserGroups());

        ret = CollectionUtils.containsAny(getAuditExcludeRoles(), roles);
      }

      return ret;


agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
Lines 88 (patched)
<https://reviews.apache.org/r/71894/#comment307009>

    - consider moving auditExcludeUsers/auditExcludeGroups/auditExcludeRoles to PolicyEngine
    - consider marking these as 'final', as these values will not change once a policy-engine is constructed
    - it will help to ensure that these fields won't have null value; this will help avoid having to check for null in every isAccessAllowed() call to policy-engine


- Madhan Neethiraj


On Dec. 11, 2019, 10:41 a.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71894/
> -----------------------------------------------------------
> 
> (Updated Dec. 11, 2019, 10:41 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay
> Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh
> Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2669
>     https://issues.apache.org/jira/browse/RANGER-2669
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement:** Ranger logs too much audit information, specifically
> around service accounts (like hbase, atlas, solr). Too much data to solr is
> making it turn off.
> 
> It would be good if an optional "audit exclude user/groups" configuration
> can be provided, where user can specify user/groups (like "solr") which
> wouldn't get logged during the audits.
> 
> **Proposed Solution:**
> 
> 1) Ranger service will support configuration parameters whose values will be
> downloaded to Ranger plugin during policy/tag download. Their names will
> start with 'ranger.plugin.audit'. ServicePolicies will have an additional
> member of type list which will contain these parameters and their values.
> 
> 2) One of the parameters will be 'ranger.plugin.audit.exclude.users' and the
> value will be a comma-separated list of users that do not need to be audited.
> 
> 3) Plugin will accept and maintain a list of not-to-audit users/groups in an
> instance of BasePlugin class.
> 
> 4) PolicyEngine.createAccessResult() will be modified to call
> setIsAudited(false) if the user is in the list in case of AUDIT_ALL option.
> 
> **Note:** Changes to blacklist the audit for role are not implemented yet in
> this patch.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java 2bb834d56
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java a75a6c692
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 50313bc3d
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java 197c30f0d
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java 360404af3
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 0fd5093a9
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java f2bbd3c1a
> 
> 
> Diff: https://reviews.apache.org/r/71894/diff/4/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>
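
Added example, not part of the review thread or of the Ranger patch: one way to hold the comma-separated audit-exclude lists from the description as final, never-null sets, so that the per-request check needs no null handling. The class and method names are hypothetical, and the caller is assumed to pass the user's already-resolved groups and roles.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added illustration, not Ranger code; all names here are hypothetical.
public final class AuditExcludeList {
    private final Set<String> users;
    private final Set<String> groups;
    private final Set<String> roles;

    public AuditExcludeList(String usersCsv, String groupsCsv, String rolesCsv) {
        this.users  = parse(usersCsv);
        this.groups = parse(groupsCsv);
        this.roles  = parse(rolesCsv);
    }

    // Null, empty or whitespace-only input yields an empty immutable set, never null.
    static Set<String> parse(String csv) {
        Set<String> ret = new HashSet<>();
        if (csv != null) {
            for (String item : csv.split(",")) {
                String name = item.trim();
                if (!name.isEmpty()) {
                    ret.add(name);
                }
            }
        }
        return Collections.unmodifiableSet(ret);
    }

    // Exact, case-sensitive match only: each entry removes audit records, so no patterns.
    public boolean isExcluded(String user, Set<String> userGroups, Set<String> userRoles) {
        boolean ret = user != null && users.contains(user);
        if (!ret && !groups.isEmpty() && userGroups != null) {
            ret = !Collections.disjoint(groups, userGroups);
        }
        if (!ret && !roles.isEmpty() && userRoles != null) {
            ret = !Collections.disjoint(roles, userRoles);
        }
        return ret;
    }

    public static void main(String[] args) {
        // Constructed sample values: stray spaces, an empty item, null and blank lists.
        AuditExcludeList list = new AuditExcludeList(" solr, hbase ,,atlas", null, "  ");
        System.out.println(list.isExcluded("solr", Collections.emptySet(), Collections.emptySet()));
        System.out.println(list.isExcluded("alice", new HashSet<>(Arrays.asList("hadoop")), null));
    }
}
```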
