-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73443/
-----------------------------------------------------------

Review request for ranger, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, 
and Velmurugan Periasamy.


Bugs: RANGER-3329
    https://issues.apache.org/jira/browse/RANGER-3329


Repository: ranger


Description
-------

Currently a request for _any access-type is denied only if all access-types in 
the service-def are denied by policies. Instead of this, the policy-engine 
should deny _any access if there are no allowed accesses, and at least one of 
the access-types is denied. This will help address the following use case:

When accessTypeRestrictions is defined on a resource, i.e. only a subset of 
access-types are shown in policy-UI, it will not be possible to create policies 
that deny all accesses. In such cases, the proposed change will enable denying 
_any access-type with only a subset of access-types denied.

The fix is to deny the access with type _any only if all of the access-types 
"specified in the denying policy" are explicitly denied by some policy-item in 
the policy.


Diffs
-----

  
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 03e37fe3d 
  agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json a8ec02733 


Diff: https://reviews.apache.org/r/73443/diff/1/


Testing
-------

Passed all existing test cases.
Created a unit test for the use-case outlined in the JIRA, and ensured that it 
passes.


Thanks,

Abhay Kulkarni
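
A simplified model of the decision rule described in this request, added here as an illustration and not taken from the Ranger patch or code base. The class, method and access-type names are hypothetical, and the model assumes that `_any` is allowed whenever at least one access-type is effectively allowed.

```java
import java.util.Set;

public class AnyAccessDecisionModel {
    enum Decision { ALLOWED, DENIED, NOT_DETERMINED }

    // Rule before the change: _any is denied only when every access-type
    // in the service-def is denied by policies.
    static Decision before(Set<String> serviceDefTypes, Set<String> allowed, Set<String> denied) {
        if (!allowed.isEmpty()) return Decision.ALLOWED;   // assumption of this model
        return denied.containsAll(serviceDefTypes) ? Decision.DENIED : Decision.NOT_DETERMINED;
    }

    // Proposed rule: _any is denied when nothing is allowed and at least
    // one access-type is denied.
    static Decision proposed(Set<String> allowed, Set<String> denied) {
        if (!allowed.isEmpty()) return Decision.ALLOWED;   // assumption of this model
        return denied.isEmpty() ? Decision.NOT_DETERMINED : Decision.DENIED;
    }

    static void show(String label, Set<String> types, Set<String> allowed, Set<String> denied) {
        System.out.printf("%-38s before=%-14s proposed=%s%n",
                label, before(types, allowed, denied), proposed(allowed, denied));
    }

    public static void main(String[] args) {
        // Constructed sample data: a service-def with four access-types, of which
        // accessTypeRestrictions exposes only "select" and "update" for the resource.
        Set<String> types = Set.of("select", "update", "create", "drop");
        Set<String> exposed = Set.of("select", "update");

        // The deny policy covers every access-type the policy UI offers.
        show("deny all exposed types, none allowed", types, Set.of(), exposed);
        // One exposed type is denied, the other is allowed by another policy.
        show("deny select, allow update", types, Set.of("update"), Set.of("select"));
        // No policy matches the request.
        show("no matching policy", types, Set.of(), Set.of());
        // Every access-type in the service-def is denied.
        show("deny every service-def type", types, Set.of(), types);
    }
}
```

Only the first case differs between the two rules: with the restricted access-type list the earlier rule never reaches a deny for `_any`, while the proposed rule does.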
