-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73094/#review222367
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
Line 357 (original), 377 (patched)
<https://reviews.apache.org/r/73094/#comment311423>

    Is 'policyId' needed as a parameter to this method? This should already
    be available to this object.



agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
Line 256 (original), 256 (patched)
<https://reviews.apache.org/r/73094/#comment311424>

    It seems the following optimization is still useful:
    
      if (request.isAccessTypeDelegatedAdmin()) {
        ret = delegateAdmin;
      }



security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
Line 158 (original), 164 (patched)
<https://reviews.apache.org/r/73094/#comment311425>

    This should collect accesses only from policy-items having
    delegate-admin=true. Please review to make sure that only such
    policy-items are included in policyEngine.


- Madhan Neethiraj


On Dec. 16, 2020, 3:02 a.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73094/
> -----------------------------------------------------------
> 
> (Updated Dec. 16, 2020, 3:02 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, 
> Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3122
>     https://issues.apache.org/jira/browse/RANGER-3122
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Currently delegate-admin cannot be marked for specific permissions. It is 
> all-or-nothing for the permissions defined in resource policy. Ranger should 
> have the ability to grant delegate-admin for specific permissions.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java d64d226a6
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java bac076c29
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 236f99820
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 873553a60
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java cd6c18ba7
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 891c800fe
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java cd566bc34
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 802abac68
> 
> 
> Diff: https://reviews.apache.org/r/73094/diff/1/
> 
> 
> Testing
> -------
> 
> Passes all unit tests.
> Tested in cluster with HDFS policies:
> 1. There is a delegate-admin policy giving user1 'read' permission on /tmp,
>    and another delegate-admin policy giving user1 'write' permission on /tmp/a
>      a. user1 can create policy on /tmp/b with permission 'read', but cannot
>         create policy on /tmp/c with permission 'write'
>      b. user1 can create policy on /tmp/a/d with permissions 'read' and
>         'write' but cannot create policy on /tmp/a/e with permission 'execute'.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>
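
The per-permission delegate-admin check described in the Testing section and in the reviewer's third comment, as an added Java example that is not part of this thread or of Ranger's code. All class, record and method names are hypothetical; it assumes recursive path policies with allow items only, and the non-delegate 'execute' item is constructed to show the filter.

```java
import java.util.*;

// Added illustration: all names are hypothetical, none of this is Ranger's API.
public class DelegateAdminCheck {
    // One policy item: a user's access types plus its delegate-admin flag.
    record Item(String user, Set<String> accesses, boolean delegateAdmin) {}

    // A resource policy on a path; assumed recursive, allow items only.
    record Policy(String path, List<Item> items) {}

    // True when a recursive policy on policyPath applies to target.
    static boolean covers(String policyPath, String target) {
        String prefix = policyPath.endsWith("/") ? policyPath : policyPath + "/";
        return target.equals(policyPath) || target.startsWith(prefix);
    }

    // Access types the user may delegate on target: the union over matching
    // policies, counting only items marked delegate-admin=true.
    static Set<String> delegableAccesses(List<Policy> policies, String user, String target) {
        Set<String> ret = new TreeSet<>();
        for (Policy policy : policies) {
            if (!covers(policy.path(), target)) continue;
            for (Item item : policy.items()) {
                if (item.delegateAdmin() && item.user().equals(user)) ret.addAll(item.accesses());
            }
        }
        return ret;
    }

    // A new policy is allowed only if every requested access type is delegable.
    static boolean canCreatePolicy(List<Policy> policies, String user, String target, Set<String> requested) {
        return !requested.isEmpty() && delegableAccesses(policies, user, target).containsAll(requested);
    }

    public static void main(String[] args) {
        // Constructed sample: the two policies from the Testing section, plus a
        // non-delegate 'execute' item that must not contribute to the result.
        List<Policy> policies = List.of(
            new Policy("/tmp", List.of(new Item("user1", Set.of("read"), true),
                                       new Item("user1", Set.of("execute"), false))),
            new Policy("/tmp/a", List.of(new Item("user1", Set.of("write"), true))));
        String[][] cases = {{"/tmp/b", "read"}, {"/tmp/c", "write"},
                            {"/tmp/a/d", "read,write"}, {"/tmp/a/e", "execute"}};
        for (String[] c : cases) {
            boolean ok = canCreatePolicy(policies, "user1", c[0], Set.of(c[1].split(",")));
            System.out.println(c[0] + " [" + c[1] + "] -> " + (ok ? "allowed" : "denied"));
        }
    }
}
```

Records require Java 16 or later.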
