-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73250/#review222732
-----------------------------------------------------------

Ship it!

Ship It!

- Madhan Neethiraj


On March 23, 2021, 8:41 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73250/
> -----------------------------------------------------------
>
> (Updated March 23, 2021, 8:41 p.m.)
>
>
> Review request for ranger and Madhan Neethiraj.
>
>
> Bugs: RANGER-3218
>     https://issues.apache.org/jira/browse/RANGER-3218
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Steps
> 1. Created a database "vehicle1" with table "cars" and inserted some data into table with hive user.
> 2. Tried to access "vehicle1" with user 'unixuser1' which will be denied since policy is not there.
>
>     select * from vehicle1.cars;
>
> 3. Created a tag "tag1" in Atlas and assigned to database (vehicle1)
> 4. Created a unzone policy for "tag1" in cm_tag and gave permission to "unixuser1".
> 5. Again tried to access the data with user 'unixuser1' but still it is getting denied after having policy for the resource.
>
> This patch addresses a scenario where incremental policy update involves only tag policies in one of the security zones.
>
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java f536335a0
>
>
> Diff: https://reviews.apache.org/r/73250/diff/1/
>
>
> Testing
> -------
>
> Verification Setup:
> 1. Ranger and plugin are enabled for incremental policy downloads.
> 2. A security zone is created and associated with a tag-service.
> 3. After initial download of policies is completed, one tag policy is created in the security zone.
> 4. When the policy download is completed, and access is made forcing authorization calls to Ranger plugin.
> 5. Before the patch, authorization always fails as policy-engine is not created correctly. After patch is applied, policy-engine is correctly constructed and the authorization proceeds normally.
>
>
> Thanks,
>
> Abhay Kulkarni
>
