> On Oct. 23, 2020, 2:05 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
> > Line 1743 (original), 1742 (patched)
> > <https://reviews.apache.org/r/72957/diff/3/?file=2241583#file2241583line1743>
> >
> > Consider the following scenario:
> >
> > Step #1:
> > - at source Ranger, a repo has an enabled policy (say, id=1)
> > - target Ranger doesn't have this repo
> > - export policies in this repo from source Ranger and import into target Ranger
> > - target Ranger will now have the repo with one policy
> >
> > Step #2:
> > - at source Ranger, disable policy (id=1)
> > - export policies from source Ranger and import into target Ranger
> > - a new policy, with status=disabled, will be created at the target Ranger; and the earlier policy will continue to be present
> >
> > Ideally import should disable the existing policy, and not create the new policy.
I suggest considering the following approach in a subsequent patch:
- policy created by import should retain the guid of the source policy
- import should first try to locate an existing policy that matches the guid of the policy being imported
- if no policy exists with the same guid, follow the current flow, i.e. match for resource-signature, policy-name, ..
- if a policy exists with the same guid, simply replace that policy's contents with the policy being imported
  - note that this can fail if another policy exists in the target having the same resource signature. In such a case, the existing policy at the target should be removed.


- Madhan


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72957/#review222114
-----------------------------------------------------------


On Oct. 23, 2020, 12:32 p.m., Dineshkumar Yadav wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72957/
> -----------------------------------------------------------
>
> (Updated Oct. 23, 2020, 12:32 p.m.)
>
>
> Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
>
>
> Repository: ranger
>
>
> Description
> -------
>
> If the updateifexist/mergeIfExist parameter is passed while importing the Ranger policies, then additional policies are created for a disabled policy with the same resource.
>
> Solution:
> 1. A new disabled policy will be created only if no resource-signature-matching policy is found in Ranger.
> 2. If a policy with the same resource-signature is found in Ranger, then the policy gets merged or updated according to the parameter passed during import.
> 3. If multiple disabled policies with the same resource-signature are found, then the policy with the same name will be picked up for update/merge; otherwise one policy will be picked up randomly for update/merge.
>
> Note: While creating a new policy with an existing name we append System.currentTimeMillis() to the name of the policy to get a unique name (current implementation).
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 4ef9abeb8
>
>
> Diff: https://reviews.apache.org/r/72957/diff/3/
>
>
> Testing
> -------
>
> Tested for the below scenarios
> 1. With no disabled policy
> 2. With a single disabled policy
> 3. With multiple disabled policies
> 4. Scenario
>    1. Create enabled policy1 with resource1 and export the policy.
>    2. Disable the exported policy and try to import it.
>    Expected Result: a new disabled policy should get created.
>
>
> Thanks,
>
> Dineshkumar Yadav
>
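The two matching flows discussed in this thread, as an added example that is not part of the review, the patch, or Ranger's code: a small in-memory model that puts the guid-first lookup Madhan suggests in front of the resource-signature flow described in the review request (prefer the same-name match among several disabled matches, otherwise create a new policy with a millisecond suffix on a clashing name). The `Policy` fields, the `PolicyStore` methods, and the merge semantics (keep existing policy items and add the incoming ones) are assumptions made for the model, not Ranger's data structures.

```python
"""Added example, not Ranger's code: a simplified model of policy import
matching.  Policy fields, store methods and merge semantics are assumptions."""
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Policy:
    name: str
    resource_signature: str          # stands in for Ranger's resource signature
    guid: str
    is_enabled: bool = True
    items: List[str] = field(default_factory=list)   # assumed: policy items as strings
    id: int = 0


class PolicyStore:
    """Stand-in for the target Ranger's policy database."""

    def __init__(self) -> None:
        self.policies: Dict[int, Policy] = {}
        self._next_id = 1

    def create(self, p: Policy) -> Policy:
        p.id = self._next_id
        self._next_id += 1
        self.policies[p.id] = p
        return p

    def find_by_guid(self, guid: str) -> Optional[Policy]:
        return next((p for p in self.policies.values() if p.guid == guid), None)

    def find_by_signature(self, sig: str) -> List[Policy]:
        # Disabled policies are included: the bug under review was that a disabled
        # import did not reuse an existing policy with the same signature.
        return [p for p in self.policies.values() if p.resource_signature == sig]

    def import_policy(self, incoming: Policy, update_if_exists: bool = False,
                      merge_if_exists: bool = False) -> Policy:
        # 1. Suggested first step: match on guid and replace that policy's contents.
        existing = self.find_by_guid(incoming.guid)
        if existing is not None:
            # A different target policy with the same signature would collide with
            # the replaced contents, so it is removed first (the suggestion's note).
            for other in self.find_by_signature(incoming.resource_signature):
                if other.id != existing.id:
                    del self.policies[other.id]
            self._copy_contents(existing, incoming)
            return existing

        # 2. Current flow: match on resource signature when update/merge was requested.
        matches = self.find_by_signature(incoming.resource_signature)
        if matches and (update_if_exists or merge_if_exists):
            # Prefer the match with the same name; otherwise any one (here: the first).
            target = next((m for m in matches if m.name == incoming.name), matches[0])
            if merge_if_exists:
                target.items += [i for i in incoming.items if i not in target.items]
                target.is_enabled = incoming.is_enabled
            else:
                self._copy_contents(target, incoming)
            return target

        # 3. No match: create a new policy; a clashing name gets a millisecond
        #    suffix, mirroring the System.currentTimeMillis() behaviour noted above.
        name = incoming.name
        if any(p.name == name for p in self.policies.values()):
            name = f"{name}-{int(time.time() * 1000)}"
        return self.create(Policy(name, incoming.resource_signature, incoming.guid,
                                  incoming.is_enabled, list(incoming.items)))

    @staticmethod
    def _copy_contents(target: Policy, source: Policy) -> None:
        # Replace contents but keep the target's id and guid.
        target.name = source.name
        target.resource_signature = source.resource_signature
        target.is_enabled = source.is_enabled
        target.items = list(source.items)


def madhan_scenario() -> PolicyStore:
    """Steps #1 and #2 from the review comment, run against the model (constructed data)."""
    target = PolicyStore()
    exported = Policy("policy1", "hive:db1/tbl1", guid="g-1", items=["alice:select"])
    target.import_policy(exported)                       # step #1: target gets one policy
    disabled = Policy("policy1", "hive:db1/tbl1", guid="g-1", is_enabled=False,
                      items=["alice:select"])
    target.import_policy(disabled)                       # step #2: same guid -> disabled in place
    return target


def signature_flow_demo() -> PolicyStore:
    """Guids differ, so the signature flow runs: the same-name disabled match is updated."""
    target = PolicyStore()
    target.create(Policy("policyA", "hdfs:/data", guid="g-a", is_enabled=False, items=["bob:read"]))
    target.create(Policy("policyB", "hdfs:/data", guid="g-b", is_enabled=False, items=["carol:read"]))
    target.import_policy(Policy("policyB", "hdfs:/data", guid="g-x", is_enabled=False,
                                items=["dave:write"]), update_if_exists=True)
    return target
```

With the guid step in front, Madhan's step #2 ends with a single, now disabled policy instead of two; without a guid match, the model falls back to the patch's resource-signature matching and only creates a new policy when nothing matches or neither update nor merge was requested.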
