-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73094/#review222378
-----------------------------------------------------------

Ship it!


Ship It!

- bhavik patel


On Dec. 23, 2020, 5:22 a.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73094/
> -----------------------------------------------------------
> 
> (Updated Dec. 23, 2020, 5:22 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3122
>     https://issues.apache.org/jira/browse/RANGER-3122
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Currently delegate-admin cannot be marked for specific permissions. It is all-or-nothing for the permissions defined in resource policy. Ranger should have the ability to grant delegate-admin for specific permissions.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java d64d226a6
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java bac076c29
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 236f99820
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 873553a60
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java cd6c18ba7
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 891c800fe
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java cd566bc34
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 802abac68
> 
> 
> Diff: https://reviews.apache.org/r/73094/diff/4/
> 
> 
> Testing
> -------
> 
> Passes all unit tests.
> Tested in cluster with HDFS policies:
> 1. There is a delegate-admin policy giving user1 'read' permission on /tmp, and another delegate-admin policy giving user1 'write' permission on /tmp/a
>    a. user1 can create policy on /tmp/b with permission 'read', but cannot create policy on /tmp/c with permission 'write'
>    b. user1 can create policy on /tmp/a/d with permissions 'read' and 'write' but cannot create policy on /tmp/a/e with permission 'execute'.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>
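
The Testing scenario quoted above, modeled as an added example (not code from the Ranger patch or from either participant in this thread). The class and function names are hypothetical, and the model assumes that policy paths apply recursively and that delegated permissions are the union across all covering policies, which is what cases (a) and (b) imply.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class DelegateAdminPolicy:  # hypothetical model, not a Ranger class
    user: str
    path: str               # assumed to apply recursively to everything beneath it
    accesses: frozenset     # permissions the user may delegate on this path

# Constructed sample: the two HDFS policies from the Testing section.
POLICIES = [
    DelegateAdminPolicy("user1", "/tmp", frozenset({"read"})),
    DelegateAdminPolicy("user1", "/tmp/a", frozenset({"write"})),
]

def covers(policy_path, target):
    """Component-wise prefix match, so /tmp/a does not cover /tmp/ab."""
    base = posixpath.normpath(policy_path).rstrip("/")
    return target == base or target.startswith(base + "/")

def delegated_accesses(policies, user, target):
    """Union of delegable permissions from every policy covering target."""
    target = posixpath.normpath(target)  # collapse ../ before matching
    granted = set()
    for p in policies:
        if p.user == user and covers(p.path, target):
            granted |= p.accesses
    return granted

def can_create_policy(policies, user, target, requested):
    """Allow only if every requested permission is delegated on target."""
    requested = set(requested)
    return bool(requested) and requested <= delegated_accesses(policies, user, target)
```

The subset check is what replaces the all-or-nothing behaviour: a single undelegated permission in the request rejects the whole policy creation.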
