-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71894/#review219031
-----------------------------------------------------------

Ship it!

Ship It!

- Madhan Neethiraj


On Dec. 13, 2019, 7:46 p.m., Pradeep Agrawal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71894/
> -----------------------------------------------------------
>
> (Updated Dec. 13, 2019, 7:46 p.m.)
>
>
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay
> Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh
> Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2669
>     https://issues.apache.org/jira/browse/RANGER-2669
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Statement:** Ranger logs too much audit information, specifically
> around service accounts (like hbase, atlas, solr). Too much data to solr is
> making it turn off.
>
> It would be good if an "audit exclude user/groups" optional - configuration
> can be provided, where user can specify user/groups (like "solr") which
> wouldn't get logged during the audits.
>
> **Proposed Solution:**
>
> 1) Ranger service will support configuration parameters whose values will be
> downloaded to Ranger plugin during policy/tag download. Their names will
> start with 'ranger.plugin.audit'. ServicePolicies will have additional member
> of type list which will contain these parameters and their values.
>
> 2) One of the parameters will be 'ranger.plugin.audit.exclude.users' and the
> value will be a comma-separated list of users that do not need to be audited.
>
> 3) Plugin will accept and maintain a list of not-to-audit users/groups in an
> instance of BasePlugin class.
>
> 4) PolicyEngine.createAccessResult() will be modified to call
> setIsAudited(false) if the user is in the list in case of AUDIT_ALL option.
>
> **Note:** Changes to blacklist the audit for role is not implemented yet in
> this patch.
>
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java 2bb834d56
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java a75a6c692
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 50313bc3d
>   agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java a52e96d72
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java 360404af3
>   ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b50fdcf79
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java ecb8d110b
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 62ffee4e0
>
>
> Diff: https://reviews.apache.org/r/71894/diff/7/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Pradeep Agrawal
>
>
