-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73250/
-----------------------------------------------------------
Review request for ranger and Madhan Neethiraj.
Bugs: RANGER-3218
https://issues.apache.org/jira/browse/RANGER-3218
Repository: ranger
Description
-------
Steps:
1. Created a database "vehicle1" with a table "cars" and inserted some data into
the table with the hive user.
2. Tried to access "vehicle1" with user 'unixuser1', which will be denied since
there is no policy:
    select * from vehicle1.cars;
3. Created a tag "tag1" in Atlas and assigned it to the database (vehicle1).
4. Created an unzone policy for "tag1" in cm_tag and gave permission to
"unixuser1".
5. Again tried to access the data with user 'unixuser1', but it is still
denied even though there is a policy for the resource.

This patch addresses a scenario where an incremental policy update involves only
tag policies in one of the security zones.
Diffs
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java f536335a0
Diff: https://reviews.apache.org/r/73250/diff/1/
Testing
-------
Verification Setup:
1. Ranger and the plugin are enabled for incremental policy downloads.
2. A security zone is created and associated with a tag-service.
3. After the initial download of policies is completed, one tag policy is created
in the security zone.
4. When the policy download is completed, an access is made, forcing
authorization calls to the Ranger plugin.
5. Before the patch, authorization always fails as the policy-engine is not created
correctly. After the patch is applied, the policy-engine is correctly constructed and
the authorization proceeds normally.
Thanks,
Abhay Kulkarni