-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73443/
-----------------------------------------------------------
(Updated July 18, 2021, 5:43 p.m.)
Review request for ranger, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu,
and Velmurugan Periasamy.
Changes
-------
Addressed review comment
Bugs: RANGER-3329
https://issues.apache.org/jira/browse/RANGER-3329
Repository: ranger
Description
-------
Currently a request for _any access-type is denied only if all access-types in
the service-def are denied by policies. Instead of this, the policy-engine
should deny _any access if there are no allowed accesses, and at least one of
the access-types is denied. This will help address the following use case:
when accessTypeRestrictions is defined on a resource, i.e. only a subset of
access-types is shown in the policy-UI, it will not be possible to create policies
that deny all accesses. In such cases, the proposed change will enable denying
the _any access-type with only a subset of access-types denied.
The fix is to deny the access with type _any only if all of the access-types
"specified in the denying policy" are explicitly denied by policies.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
74a7a2615
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
3c0e32c2e
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
03e37fe3d
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
696a3f6eb
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
f8eba5f96
agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json
934655ba9
agents-common/src/test/resources/policyengine/test_policyengine_hive.json
bd2f67b68
agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
a8ec02733
agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_for_show_databases.json
f42df3eab
Diff: https://reviews.apache.org/r/73443/diff/4/
Changes: https://reviews.apache.org/r/73443/diff/3-4/
Testing
-------
Passed all existing test cases.
Created a unit test for the use-case outlined in the JIRA, and ensured that it
passes.
Thanks,
Abhay Kulkarni
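
The _any decision described in this review request, before and after the change, as an added example that is not code from the Ranger patch. It is a simplified model: the class AnyAccessDemo, the Policy record, the four access types and the rule that _any is allowed whenever some access type is allowed and not denied are all assumptions made for illustration.

```java
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

// Simplified model of the "_any" decision; an assumption, not Ranger code. Needs Java 16+.
public class AnyAccessDemo {
    enum Access { SELECT, UPDATE, CREATE, DROP }      // constructed service-def access types
    enum Result { ALLOWED, DENIED, NOT_DETERMINED }
    record Policy(Set<Access> allow, Set<Access> deny) {}

    // Union of every access type that some policy denies.
    static Set<Access> denied(List<Policy> policies) {
        Set<Access> out = EnumSet.noneOf(Access.class);
        for (Policy p : policies) out.addAll(p.deny());
        return out;
    }

    // Access types that are allowed and not denied (deny takes precedence in this model).
    static Set<Access> allowed(List<Policy> policies) {
        Set<Access> out = EnumSet.noneOf(Access.class);
        for (Policy p : policies) out.addAll(p.allow());
        out.removeAll(denied(policies));
        return out;
    }

    // Before the change: _any is denied only if all service-def access types are denied.
    static Result anyBefore(List<Policy> policies) {
        if (!allowed(policies).isEmpty()) return Result.ALLOWED;
        boolean allDenied = denied(policies).containsAll(EnumSet.allOf(Access.class));
        return allDenied ? Result.DENIED : Result.NOT_DETERMINED;
    }

    // Proposed: _any is denied if nothing is allowed and at least one access type is denied.
    static Result anyAfter(List<Policy> policies) {
        if (!allowed(policies).isEmpty()) return Result.ALLOWED;
        return denied(policies).isEmpty() ? Result.NOT_DETERMINED : Result.DENIED;
    }

    public static void main(String[] args) {
        Set<Access> none = EnumSet.noneOf(Access.class);
        // accessTypeRestrictions shows only SELECT and UPDATE, so the deny policy lists just those.
        List<Policy> restricted = List.of(new Policy(none, EnumSet.of(Access.SELECT, Access.UPDATE)));
        // A second policy still allows CREATE, so _any must stay allowed in both versions.
        List<Policy> mixed = List.of(restricted.get(0), new Policy(EnumSet.of(Access.CREATE), none));
        System.out.println("restricted deny: before=" + anyBefore(restricted) + " after=" + anyAfter(restricted));
        System.out.println("deny plus allow: before=" + anyBefore(mixed) + " after=" + anyAfter(mixed));
    }
}
```

The first case is the one the description targets: with only a subset of access types deniable, the old rule never reaches a deny for _any, while the proposed rule does.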