-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73094/
-----------------------------------------------------------
Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja
Polavarapu, and Velmurugan Periasamy.
Bugs: RANGER-3122
https://issues.apache.org/jira/browse/RANGER-3122
Repository: ranger
Description
-------
Currently, delegate-admin cannot be marked for specific permissions. It is
all-or-nothing for the permissions defined in the resource policy. Ranger should
have the ability to grant delegate-admin for specific permissions.
Diffs
-----
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java d64d226a6
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java bac076c29
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 236f99820
  agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 873553a60
  agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java cd6c18ba7
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 891c800fe
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java cd566bc34
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 802abac68
Diff: https://reviews.apache.org/r/73094/diff/1/
Testing
-------
Passes all unit tests.
Tested in cluster with HDFS policies:
1. There is a delegate-admin policy giving user1 'read' permission on /tmp, and
   another delegate-admin policy giving user1 'write' permission on /tmp/a
   a. user1 can create policy on /tmp/b with permission 'read', but cannot
      create policy on /tmp/c with permission 'write'
   b. user1 can create policy on /tmp/a/d with permissions 'read' and 'write'
      but cannot create policy on /tmp/a/e with permission 'execute'.
Thanks,
Abhay Kulkarni
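
The per-permission delegate-admin check exercised by the test scenario above, as an added example that is not part of the review request and is not Apache Ranger's code. It is a simplified model: the `DelegateGrant` shape and all function names are hypothetical, and it assumes recursive path matching and that delegated permissions from all matching policies are combined.

```python
# Added illustration: a simplified model, NOT Apache Ranger's implementation.
from dataclasses import dataclass
from posixpath import normpath


@dataclass(frozen=True)
class DelegateGrant:
    """One delegate-admin policy item (hypothetical, simplified shape)."""
    user: str
    path: str               # assumed recursive: covers the path and everything below it
    permissions: frozenset  # only these permissions may be delegated, not all of them


def covers(policy_path, target):
    """True if target is policy_path itself or lies beneath it."""
    # Normalise first so '/tmp/a/../c' is evaluated as '/tmp/c'.
    base, tgt = normpath(policy_path), normpath(target)
    # Compare on a path-component boundary so '/tmp' does not cover '/tmpx'.
    return tgt == base or tgt.startswith(base.rstrip("/") + "/")


def delegated_permissions(grants, user, target):
    """Union of the permissions the user holds delegate-admin for on target."""
    allowed = set()
    for g in grants:
        if g.user == user and covers(g.path, target):
            allowed |= g.permissions
    return allowed


def can_create_policy(grants, user, target, requested):
    """Allow only if every requested permission is delegated; return (ok, missing)."""
    missing = set(requested) - delegated_permissions(grants, user, target)
    return not missing, missing


# Constructed sample data mirroring the HDFS test scenario described above.
GRANTS = [
    DelegateGrant("user1", "/tmp", frozenset({"read"})),
    DelegateGrant("user1", "/tmp/a", frozenset({"write"})),
]

if __name__ == "__main__":
    for path, perms in [("/tmp/b", {"read"}), ("/tmp/c", {"write"}),
                        ("/tmp/a/d", {"read", "write"}), ("/tmp/a/e", {"execute"})]:
        ok, missing = can_create_policy(GRANTS, "user1", path, perms)
        print(path, sorted(perms), "ALLOW" if ok else f"DENY (missing {sorted(missing)})")
```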