-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72957/
-----------------------------------------------------------
(Updated Nov. 6, 2020, 8:49 a.m.)
Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar,
Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
Changes
-------
handle code for disabled policy with deleteIfExist flag
Bugs: RANGER-3036
https://issues.apache.org/jira/browse/RANGER-3036
Repository: ranger
Description
-------
If the updateifexist/mergeIfExist parameter is passed while importing Ranger
policies, additional policies are created for a disabled policy with the same
resource.
Solution:
1. A new disabled policy will be created only if no policy with a matching
resource-signature is found in Ranger.
2. If a policy with the same resource-signature is found in Ranger, the policy
is merged or updated according to the parameter passed during import.
3. If multiple disabled policies with the same resource-signature are found,
the policy with the same name will be picked for update/merge; otherwise
one policy will be picked at random for update/merge.
Note: While creating a new policy with an existing name, we append
System.currentTimeMillis() to the name of the policy to get a unique
name (current implementation).
Diffs (updated)
-----
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 3baee02fd
security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java a1db6004e
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 00ffabedd
security-admin/src/main/resources/META-INF/jpa_named_queries.xml d608ff849
Diff: https://reviews.apache.org/r/72957/diff/4/
Changes: https://reviews.apache.org/r/72957/diff/3-4/
Testing (updated)
-------
Tested the scenarios below:
1. With no disabled policy
2. With a single disabled policy
3. With multiple disabled policies
4. Scenario
   1. Create enabled policy1 with resource1 and export the policy.
   2. Disable the exported policy and try to import it.
   Expected result: a new disabled policy should get created.
Test case for flag deleteIfExist
1. Create Policy1 with resource /path1 at the source cluster.
2. Import Policy1 to the target cluster; a new policy gets created.
3. Create a disabled policy at the target cluster with resource /path1.
4. Disable Policy1 at the source cluster and then import.
Output: the disabled policy is deleted and a new disabled policy is created.
Test case for flag deleteIfExist
1. Create Policy1 with resource /path1 at the source cluster and
import it to the target cluster.
2. Create Policy1 with the same service in zone1 at the target.
3. Create disabled policy at target cluster with resource
4. Again import Policy1 from source to target.
Output: the unzoned Policy1 is deleted and a new policy1 is created.
Thanks,
Dineshkumar Yadav
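
The selection rules in the Description, modelled as an added example that is not part of the review request or of Ranger's code. `Policy`, `ImportPlanner`, `pickTarget` and `nameForNewPolicy` are hypothetical names, the data is constructed, and two points are assumptions: only disabled policies are considered as matches (taken from test scenario 4), and the timestamp is concatenated directly to the name.

```java
import java.util.List;
import java.util.Optional;

// Added illustration; Policy and ImportPlanner are hypothetical, not Ranger classes.
public class ImportPlanner {
    record Policy(String name, String resourceSignature, boolean enabled) {}

    // Rules 2 and 3: among disabled policies with the same resource signature
    // (assumption: enabled policies are not candidates), prefer the one with
    // the same name, otherwise take any one of them.
    static Optional<Policy> pickTarget(List<Policy> existing, Policy incoming) {
        List<Policy> matches = existing.stream()
                .filter(p -> !p.enabled())
                .filter(p -> p.resourceSignature().equals(incoming.resourceSignature()))
                .toList();
        return matches.stream()
                .filter(p -> p.name().equals(incoming.name()))
                .findFirst()
                .or(() -> matches.stream().findFirst());
    }

    // Rule 1 and the note: a new policy is created only when nothing matched;
    // if its name is already taken, a timestamp makes it unique
    // (assumption: plain concatenation).
    static String nameForNewPolicy(List<Policy> existing, Policy incoming) {
        boolean taken = existing.stream().anyMatch(p -> p.name().equals(incoming.name()));
        return taken ? incoming.name() + System.currentTimeMillis() : incoming.name();
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<Policy> existing = List.of(
                new Policy("Policy1", "sig-/path1", true),
                new Policy("tmp-disabled", "sig-/path2", false),
                new Policy("Policy2", "sig-/path2", false));
        Policy[] imports = {
                new Policy("Policy2", "sig-/path2", false),  // same-name match
                new Policy("Other", "sig-/path2", false),    // match, different name
                new Policy("Policy1", "sig-/path1", false)   // only an enabled match
        };
        for (Policy in : imports) {
            String action = pickTarget(existing, in)
                    .map(t -> "update/merge " + t.name())
                    .orElseGet(() -> "create " + nameForNewPolicy(existing, in));
            System.out.println(in.name() + " -> " + action);
        }
    }
}
```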