> On Sept. 22, 2021, 3:29 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
> > Lines 2301 (patched)
> > <https://reviews.apache.org/r/73601/diff/1/?file=2253167#file2253167line2301>
> >
> > Can there be multiple policies for a given guid? If yes, a policy can
> > be identified/retrieved only with its guid; serviceName is not necessary
> > here. Please review.

Yes, there is a case in which more than one policy can exist with the same guid.

**Use Case:** Currently Ranger-admin allows users to export ranger policies from one ranger service and import them into another ranger service. If the same ranger-admin instance is used for source/export and target/import, then a policy exported from one service can be imported into another service. In this import process ranger keeps the same guid which was provided as input (received from the export output).

Currently there is no uniqueness restriction on the guid column of the x_policy table, and at the server side also there are no such restrictions, so duplicate guids may exist in the x_policy table as per this use case. There is a possibility that a user might have tried this use case and might have duplicate guid entries.

However, within the same service there is no chance of a duplicate guid, so using the RANGER-3435 patch we can create a uniqueness restriction.

Please let me know if the above analysis is correct, and advise if this can be handled in some other way.


- Pradeep


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73601/#review223515
-----------------------------------------------------------


On Sept. 22, 2021, 11:03 a.m., Pradeep Agrawal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73601/
> -----------------------------------------------------------
>
> (Updated Sept. 22, 2021, 11:03 a.m.)
>
>
> Review request for ranger, Dineshkumar Yadav, Abhay Kulkarni, Madhan
> Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan
> Periasamy.
>
>
> Bugs: RANGER-3439
>     https://issues.apache.org/jira/browse/RANGER-3439
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Statement:** This is required after the analysis of RANGER-3401,
> as there could be a request on the x_policy table to find a policy by guid and
> service id. There is no workaround to this problem; however, it's recommended
> that a similar option should be provided through a REST URL.
>
>
> **Proposed solution:** A new API can be introduced which shall accept the
> guid and service name as request parameter input and either provide the
> respective policy or delete the same.
> API:
> a) getPolicyByGUIDAndServiceName(guid, service): reads the input values and
> returns the policy object.
> b) deletePolicyByGUIDAndServiceName(guid, service): reads the input values
> and deletes the respective policy object.
>
>
> Diffs
> -----
>
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 3cd289cc2
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 865926706
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java f1123d19c
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml 8eff33643
>
>
> Diff: https://reviews.apache.org/r/73601/diff/1/
>
>
> Testing
> -------
>
> Tested getPolicyByGUIDAndServiceName() API and was able to receive the
> matching policy object.
> Tested deletePolicyByGUIDAndServiceName() API and was able to delete the
> respective policy object.
>
>
> Thanks,
>
> Pradeep Agrawal
>
>
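
The duplicate-guid case discussed in this thread, as an added example that is not part of the original e-mail or of Ranger's code: it shows why a guid-only lookup becomes ambiguous after a cross-service import, and how a per-service uniqueness rule tolerates those rows while refusing an in-service duplicate. Assumptions: the table is a simplified SQLite stand-in for x_policy, and the `service` and `name` columns, the index name, the service names and the guid value are all constructed for illustration.

```python
import sqlite3

def build_db():
    # Constructed, simplified stand-in for x_policy; not Ranger's real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE x_policy (id INTEGER PRIMARY KEY,"
               " guid TEXT, service TEXT, name TEXT)")
    return db

def import_policy(db, guid, service, name):
    # The import keeps the guid received from the export output.
    db.execute("INSERT INTO x_policy (guid, service, name) VALUES (?, ?, ?)",
               (guid, service, name))

def find_by_guid(db, guid):
    return db.execute("SELECT service, name FROM x_policy WHERE guid = ?"
                      " ORDER BY service", (guid,)).fetchall()

def find_by_guid_and_service(db, guid, service):
    return db.execute("SELECT service, name FROM x_policy"
                      " WHERE guid = ? AND service = ?", (guid, service)).fetchall()

def duplicate_guids(db):
    # Guids held by more than one row, to review before adding any constraint.
    return db.execute("SELECT guid, COUNT(*) FROM x_policy"
                      " GROUP BY guid HAVING COUNT(*) > 1").fetchall()

def add_per_service_uniqueness(db):
    # Assumed shape of the restriction: unique per (service, guid) pair.
    db.execute("CREATE UNIQUE INDEX x_policy_uk_service_guid"
               " ON x_policy (service, guid)")

def demo():
    db, guid = build_db(), "constructed-guid-0001"
    import_policy(db, guid, "svc_source", "policy-a")
    import_policy(db, guid, "svc_target", "policy-a")  # export, then import
    add_per_service_uniqueness(db)  # succeeds: duplicates span services only
    try:
        import_policy(db, guid, "svc_target", "policy-a-copy")
        rejected = False
    except sqlite3.IntegrityError:
        rejected = True  # same guid twice within one service is refused
    return db, guid, rejected

if __name__ == "__main__":
    db, guid, rejected = demo()
    print("by guid only:      ", find_by_guid(db, guid))
    print("by guid + service: ", find_by_guid_and_service(db, guid, "svc_target"))
    print("duplicate guids:   ", duplicate_guids(db))
    print("in-service duplicate rejected:", rejected)
```

For an authorization store, the guid-only lookup returning two rows is the case that matters: a delete keyed on guid alone could remove a policy from a service other than the one intended.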
