-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71894/#review219027
-----------------------------------------------------------

security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
Lines 3220 (patched)
<https://reviews.apache.org/r/71894/#comment307055>

    Only a subset of service-configs should be included in ServicePolicies. I suggest adding the following method:

    interface ServiceStore {
      Map<String, String> getServiceConfigForPlugin(long serviceId);
    }

    And have this method return only configurations that start with "ranger.plugin.".


- Madhan Neethiraj


On Dec. 13, 2019, 9:54 a.m., Pradeep Agrawal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71894/
> -----------------------------------------------------------
>
> (Updated Dec. 13, 2019, 9:54 a.m.)
>
>
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay
> Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh
> Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2669
>     https://issues.apache.org/jira/browse/RANGER-2669
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Statement:** Ranger logs too much audit information, specifically
> around service accounts (like hbase, atlas, solr). Too much data to solr is
> making it turn off.
>
> It would be good if an "audit exclude user/groups" optional - configuration
> can be provided, where user can specify user/groups (like "solr") which
> wouldn't get logged during the audits.
>
> **Proposed Solution:**
>
> 1) Ranger service will support configuration parameters whose values will be
> downloaded to Ranger plugin during policy/tag download. Their names will
> start with 'ranger.plugin.audit'. ServicePolicies will have additional member
> of type list which will contain these parameters and their values.
>
> 2) One of the parameters will be 'ranger.plugin.audit.exclude.users' and the
> value will be a comma-separated list of users that do not need to be audited.
>
> 3) Plugin will accept and maintain a list of not-to-audit users/groups in an
> instance of BasePlugin class.
>
> 4) PolicyEngine.createAccessResult() will be modified to call
> setIsAudited(false) if the user is in the list in case of AUDIT_ALL option.
>
> **Note:** Changes to blacklist the audit for role are not implemented yet in
> this patch.
>
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java 2bb834d56
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java a75a6c692
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 50313bc3d
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java 360404af3
>   ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b50fdcf79
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 0fd5093a9
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java f2bbd3c1a
>
>
> Diff: https://reviews.apache.org/r/71894/diff/6/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Pradeep Agrawal
>
>
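
Added example (not part of the review thread or the Ranger code base): the prefix filter suggested in the review comment, followed by parsing of the 'ranger.plugin.audit.exclude.users' value from the description, so that credentials and other service configs never reach the plugin. Assumptions: the class name, parseExcludedUsers(), the map-based signature (the method in the comment takes a serviceId) and the constructed sample configuration.

```java
import java.util.*;
import java.util.stream.Collectors;

// Added illustration; only the prefix, the parameter name and getServiceConfigForPlugin come from the thread.
public class PluginConfigFilterExample {
    static final String PLUGIN_PREFIX = "ranger.plugin.";                     // prefix named in the review comment
    static final String EXCLUDE_USERS = "ranger.plugin.audit.exclude.users";  // parameter named in the description

    // Keep only entries whose key starts with the plugin prefix; everything else stays on the admin side.
    // Assumption: takes the config map directly so the example runs without a ServiceStore.
    static Map<String, String> getServiceConfigForPlugin(Map<String, String> serviceConfigs) {
        Map<String, String> ret = new TreeMap<>();
        if (serviceConfigs != null) {
            for (Map.Entry<String, String> e : serviceConfigs.entrySet()) {
                if (e.getKey() != null && e.getKey().startsWith(PLUGIN_PREFIX)) {
                    ret.put(e.getKey(), e.getValue());
                }
            }
        }
        return ret;
    }

    // Parse the comma-separated value, trimming whitespace and dropping empty items.
    static Set<String> parseExcludedUsers(Map<String, String> pluginConfig) {
        String value = pluginConfig.get(EXCLUDE_USERS);
        if (value == null || value.trim().isEmpty()) {
            return Collections.emptySet();
        }
        return Arrays.stream(value.split(","))
                     .map(String::trim)
                     .filter(s -> !s.isEmpty())
                     .collect(Collectors.toSet());
    }

    public static void main(String[] args) {
        Map<String, String> configs = new HashMap<>();   // constructed sample service configuration
        configs.put("username", "svc-lookup");
        configs.put("password", "constructed-secret");
        configs.put(EXCLUDE_USERS, "solr, hbase,,atlas ");
        Map<String, String> forPlugin = getServiceConfigForPlugin(configs);
        Set<String> excluded = parseExcludedUsers(forPlugin);
        System.out.println("sent to plugin: " + forPlugin.keySet());
        for (String user : new String[] {"solr", "alice"}) {
            System.out.println(user + " audited=" + !excluded.contains(user));
        }
    }
}
```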
