----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/72624/#review221527 -----------------------------------------------------------
Ship it! Ship It! - Madhan Neethiraj On Aug. 10, 2020, 11:42 p.m., Abhay Kulkarni wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/72624/ > ----------------------------------------------------------- > > (Updated Aug. 10, 2020, 11:42 p.m.) > > > Review request for ranger, Madhan Neethiraj, Ramesh Mani, and Velmurugan > Periasamy. > > > Bugs: RANGER-2876 > https://issues.apache.org/jira/browse/RANGER-2876 > > > Repository: ranger > > > Description > ------- > > Ranger plugins use an internal access-type '_any' to when access > authorization requires that the accessed resource has some permission for > given user/group/role. For a component that supports three access-types viz. > 'read', 'write', 'delete', and a policy containing access specification for > some resource and some user, such as, > > allowed accesses : {'read', 'write', 'delete'} > > exceptions to allowed accesses: {'read', 'write'} > > the user should be allowed '_any' access to the resource by this policy. > Similarly, a policy containing access specification such as > > allowed accesses : {'read', 'write'} > > exceptions to allowed accesses: {'read', 'write'} > > should not make authorization decision for '_any' access. > > ----- > > Fix: > > Authorizing "any" access for access-type policies now involves checking if > any of the accesses defined in the service-definition allows access using > policy-items of the policy being evaluated. If true, the "any" access is > authorized; else if none of defined accesses are allowed, then access is > explicitly denied, else no authorization decision is made by the policy. > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java > d75bf46a0 > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java > 90d96d93d > > agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json > a2ec460e6 > agents-common/src/test/resources/policyengine/test_policyengine_hive.json > ba5a53c30 > > agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json > 79417a0cb > > agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json > 73fe540c7 > > > Diff: https://reviews.apache.org/r/72624/diff/2/ > > > Testing > ------- > > Ensured all existing unit tests are valid. New unit tests are developed, and > verified that all unit tests pass. > > > Thanks, > > Abhay Kulkarni > >
