> On Sept. 1, 2020, 2 p.m., Madhan Neethiraj wrote:
> > plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
> > Lines 172 (patched)
> > <https://reviews.apache.org/r/72828/diff/2/?file=2238975#file2238975line172>
> >
> > Atlas calls isAccessAllowed(TYPE_READ) to enforce permission to read a
> > type-def. Such cases will result in generation of audit logs. I suggest to
> > merge methods at #168 and #176, and have audit disabled at #210 for
> > permission TYPE_READ - as shown below:
> >
> > boolean isAuditDisabled = ACCESS_TYPE_READ.equalsIgnoreCase(action);
> >
> > if (isAuditDisabled) {
> >     ret = checkAccess(rangerRequest, null);
> > } else {
> >     ret = checkAccess(rangerRequest);
> > }

action TYPE_READ is passed from both cases, filterTypes and isAccessAllowed, so in both cases audits will be disabled. We need an identifier other than TYPE_READ.


> On Sept. 1, 2020, 2 p.m., Madhan Neethiraj wrote:
> > plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
> > Lines 193 (patched)
> > <https://reviews.apache.org/r/72828/diff/2/?file=2238975#file2238975line193>
> >
> > This should not be necessary, as 'impliedGrants' defined in service-def
> > should automatically allow 'type-read' when the user has one of the
> > following permissions:
> >  - type-create
> >  - type-update
> >  - type-delete

Read access is not granted by default even if non-type-read permissions are set. How to debug this issue?


- Nixon


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72828/#review221764
-----------------------------------------------------------


On Sept. 2, 2020, 1:37 p.m., Nixon Rodrigues wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72828/
> -----------------------------------------------------------
>
> (Updated Sept. 2, 2020, 1:37 p.m.)
>
>
> Review request for ranger, Jayendra Parab, Madhan Neethiraj, Mehul Parikh,
> and Sarath Subramanian.
>
>
> Bugs: RANGER-2929
>     https://issues.apache.org/jira/browse/RANGER-2929
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Update Atlas Ranger Authorizer for "type-read" accessType changes done in
> ATLAS-3898.
>
> Currently in the Atlas-Ranger plugin for types resource READ permission is
> not available and read access is available by default to all types of any
> category.
>
> This patch updates service-def with "type-read" permission and updates
> authorizer for read of all typedefs and also filters typedefs based on
> access provided.
>
>
> Diffs
> -----
>
>   agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json 7672be05a
>   plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java 28d71de21
>   plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java 7c89ffef5
>   pom.xml 1f88b27e4
>   ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java 0e220f132
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql dfaf3c987
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 21626f6dc
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 5cd2cc798
>   security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 081b153a3
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 642d6c151
>   security-admin/src/main/java/org/apache/ranger/patch/PatchForAtlasToAddTypeRead_J10039.java PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/72828/diff/3/
>
>
> Testing
> -------
>
> Tested Atlas UI and typedefs API functionality by setting policies in Ranger
> Admin for type-category/type resources.
>
>
> Thanks,
>
> Nixon Rodrigues
>
>
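
One way to check the impliedGrants question raised in the reply above, as an added example that is not part of the original thread or of Ranger's code: it reads a service-def document and reports which of type-create, type-update and type-delete do not list type-read in impliedGrants. The sample fragment, its labels and the function name `check_implied_grants` are constructed for illustration.

```python
import json

# Constructed sample: a trimmed service-def fragment using the accessTypes /
# impliedGrants fields discussed in the thread. type-delete deliberately
# lacks the grant so the check has something to report.
SAMPLE_SERVICE_DEF = json.loads("""
{
  "name": "atlas",
  "accessTypes": [
    {"name": "type-read",   "label": "Read Type"},
    {"name": "type-create", "label": "Create Type", "impliedGrants": ["type-read"]},
    {"name": "type-update", "label": "Update Type", "impliedGrants": ["type-read"]},
    {"name": "type-delete", "label": "Delete Type"}
  ]
}
""")


def check_implied_grants(service_def, target, sources):
    """Return findings explaining why `target` would not be implied by `sources`."""
    access_types = {a.get("name"): a for a in service_def.get("accessTypes") or []}
    findings = []
    # The implied permission must itself be a defined access type.
    if target not in access_types:
        findings.append(f"access type '{target}' is not defined in the service-def")
    for src in sources:
        entry = access_types.get(src)
        if entry is None:
            findings.append(f"access type '{src}' is not defined in the service-def")
        elif target not in (entry.get("impliedGrants") or []):
            findings.append(f"'{src}' does not list '{target}' in impliedGrants")
    return findings


if __name__ == "__main__":
    problems = check_implied_grants(
        SAMPLE_SERVICE_DEF, "type-read",
        ["type-create", "type-update", "type-delete"])
    for line in problems:
        print(line)
    if not problems:
        print("all source permissions imply type-read")
```

The review request also changes the database scripts and adds a patch class, so the service-def stored by Ranger Admin is worth checking as well as the JSON file in the source tree.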
