> On Dec. 11, 2019, 7:31 p.m., Madhan Neethiraj wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java > > Lines 88 (patched) > > <https://reviews.apache.org/r/71894/diff/4/?file=2183689#file2183689line88> > > > > - consider moving > > auditExcludeUsers/auditExcludeGroups/auditExcludeRoles to PolicyEngine > > - consider marking these as 'final', as these values will not change > > once a policy-engine is constructed > > - it will help to ensure that these fields won't have null value; this > > will help avoid having to check for null in every isAccessAllowed() call to > > policy-engine
Thanks, Please see if code is placed at the right line number or not. - Pradeep ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/71894/#review219006 ----------------------------------------------------------- On Dec. 12, 2019, 7:28 p.m., Pradeep Agrawal wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/71894/ > ----------------------------------------------------------- > > (Updated Dec. 12, 2019, 7:28 p.m.) > > > Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay > Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh > Mani, Sailaja Polavarapu, and Velmurugan Periasamy. > > > Bugs: RANGER-2669 > https://issues.apache.org/jira/browse/RANGER-2669 > > > Repository: ranger > > > Description > ------- > > **Problem Statement:** Ranger logs too much audit information, specifically > around service accounts (like hbase, atlas, solr). Too much data to solr is > making it turn off. > > It would be good if a "audit exclude user/groups" optional - configuration > can be provided, where user can specify user/groups (like "solr") which > wouldn't get logged during the audits. > > **Proposed Solution:** > > 1) Ranger service will support configuration parameters whose values will be > downloaded to Ranger plugin during policy/tag download. Their names will > start with 'ranger.plugin.audit'. ServicePolicies will have additional member > of type list which will contain these parameters and their values. > > 2) One of the parameter will be 'ranger.plugin.audit.exclude.users' and the > value will be a comma-separated list of users that do not need to be audited. > > 3) Plugin will accept and maintain a list of not-to-audit users/groups in an > instance of BasePlugin class. > > 4) PolicyEngine.createAccessResult() will be modified to call > setIsAudited(false) if the user is in the list in case of AUDIT_ALL option. > > **Note:** Changes to blacklist the audit for role is not implemented yet in > this patch. > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java > 2bb834d56 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java > a75a6c692 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java > 50313bc3d > > agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java > 360404af3 > security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java > 0fd5093a9 > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java > f2bbd3c1a > > > Diff: https://reviews.apache.org/r/71894/diff/5/ > > > Testing > ------- > > > Thanks, > > Pradeep Agrawal > >
