-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71894/
-----------------------------------------------------------
(Updated Dec. 13, 2019, 7:46 p.m.)
Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay
Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh Mani,
Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
Updated patch
Bugs: RANGER-2669
https://issues.apache.org/jira/browse/RANGER-2669
Repository: ranger
Description
-------
**Problem Statement:** Ranger logs too much audit information, specifically
around service accounts (like hbase, atlas, solr). Too much data to solr is
making it turn off.
It would be good if an optional "audit exclude user/groups" configuration can
be provided, where the user can specify user/groups (like "solr") which wouldn't
get logged during the audits.
**Proposed Solution:**
1) Ranger service will support configuration parameters whose values will be
downloaded to Ranger plugin during policy/tag download. Their names will start
with 'ranger.plugin.audit'. ServicePolicies will have an additional member of
type list which will contain these parameters and their values.
2) One of the parameters will be 'ranger.plugin.audit.exclude.users' and the
value will be a comma-separated list of users that do not need to be audited.
3) Plugin will accept and maintain a list of not-to-audit users/groups in an
instance of BasePlugin class.
4) PolicyEngine.createAccessResult() will be modified to call
setIsAudited(false) if the user is in the list in case of AUDIT_ALL option.
**Note:** Changes to blacklist the audit for role are not implemented yet in
this patch.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java 2bb834d56
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java a75a6c692
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 50313bc3d
agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java a52e96d72
agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java 360404af3
ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b50fdcf79
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java ecb8d110b
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 62ffee4e0
Diff: https://reviews.apache.org/r/71894/diff/7/
Changes: https://reviews.apache.org/r/71894/diff/6-7/
Testing
-------
Thanks,
Pradeep Agrawal
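
The flow in the proposed solution above, sketched as an added Java example; it is not code from the patch or from Ranger. The class `AuditExcludeDemo` and its methods are hypothetical, only the parameter name comes from the description, and the behaviour outside the audit-all case and the exact, case-sensitive matching are assumptions.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

// Added illustration; class and method names are hypothetical, not Ranger's API.
public class AuditExcludeDemo {
    // Parameter name taken from the review description.
    static final String EXCLUDE_USERS = "ranger.plugin.audit.exclude.users";

    // Parse the comma-separated value; trim entries and drop empty ones so that
    // "solr, hbase,," does not produce a blank user name.
    static Set<String> parseExcludedUsers(Map<String, String> auditParams) {
        Set<String> users = new LinkedHashSet<>();
        String value = auditParams.get(EXCLUDE_USERS);
        if (value != null) {
            for (String entry : value.split(",")) {
                String user = entry.trim();
                if (!user.isEmpty()) {
                    users.add(user);
                }
            }
        }
        return Collections.unmodifiableSet(users);
    }

    // Step 4 of the description: under the audit-all option an excluded user is
    // not audited. Assumption: in any other mode the policy's own audit decision
    // is kept. Matching is exact and case-sensitive (also an assumption).
    static boolean isAudited(boolean auditAll, boolean policyAudit,
                             String user, Set<String> excluded) {
        if (auditAll) {
            return !excluded.contains(user);
        }
        return policyAudit;
    }

    public static void main(String[] args) {
        // Constructed sample value, as it might arrive with a policy download.
        Map<String, String> params = Map.of(EXCLUDE_USERS, "solr, hbase ,,atlas");
        Set<String> excluded = parseExcludedUsers(params);
        System.out.println("excluded users: " + excluded);
        for (String user : new String[] {"solr", "alice", "Solr"}) {
            System.out.println(user + " audited under audit-all: "
                    + isAudited(true, false, user, excluded));
        }
    }
}
```

In this sketch "Solr" is still audited because only the exact name "solr" is on the list. Every name on the list is an account whose access leaves no audit record, so the parsed set is worth logging whenever it changes.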