-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73469/#review223587
-----------------------------------------------------------


agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
Lines 1071 (patched)
<https://reviews.apache.org/r/73469/#comment312668>

'restrictions' will include accessTypeRestrictions specified for all resource-types referenced in the policy. This does not look correct. AccessTypeRestrictions specified for only the leaf-resource-type referenced in the policy should be allowed. Please review.

Consider the following service-def:

  resource-type=database; accessTypeRestrictions=[create, alter, drop]
  resource-type=table; accessTypeRestrictions=[create, alter, drop, insert, update, select]
  resource-type=column; accessTypeRestrictions=[insert, update, select]

Policies:

  1. resource={database=db1}: this can only reference access types [create, alter, drop]
  2. resource={database=db1, table=t1}: this can only reference access types [create, alter, drop, insert, update, select]
  3. resource={database=db1, table=t1, column=c1}: this can only reference access types [insert, update, select]
     note that [create, alter, drop] are not valid for this policy.


agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
Lines 1075 (patched)
<https://reviews.apache.org/r/73469/#comment312669>

In addition to policy.getPolicyItems(), the other policy item lists (deny/allow-exceptions/deny-exceptions/data-mask/row-filter) should be validated as well. Also, data-mask and row-filter policy-items can have a different set of access-types than access items. Please review and update.


- Madhan Neethiraj


On July 29, 2021, 1:03 p.m., Mahesh Bandal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73469/
> -----------------------------------------------------------
>
> (Updated July 29, 2021, 1:03 p.m.)
>
>
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav,
> Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul
> Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan
> Periasamy.
>
>
> Bugs: RANGER-3314
>     https://issues.apache.org/jira/browse/RANGER-3314
>
>
> Repository: ranger
>
>
> Description
> -------
>
> This is with respect to RANGER-3195 where we have moved the Add/Update/Remove
> classification permissions to a new classification resource.
>
> When old atlas policy json is imported, it adds permissions like
> "entity-add-classification", "entity-update-classification",
> "entity-remove-classification" in the permission list where the resource is
> “entity”. These permissions are not valid for resourceType=entity
>
> Ranger should validate accessTypeRestrictions for each resource during
> policyImport.
>
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
>   0ba1fb918
>
>
> Diff: https://reviews.apache.org/r/73469/diff/1/
>
>
> Testing
> -------
>
> Performed policy import for all service types.
>
>
> Thanks,
>
> Mahesh Bandal
>
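
The leaf-resource-type rule from the review comments above, as an added example that is not part of the original e-mail, the patch, or Ranger's code. The class, method and map names are hypothetical; the hierarchy and restrictions are the service-def given in the first comment, and the policy items are constructed.

```java
import java.util.*;

// Added illustration, not Ranger code: every class, method and map here is hypothetical.
public class LeafAccessTypeCheck {
    // Resource hierarchy and restrictions taken from the service-def in the review comment.
    static final List<String> HIERARCHY = List.of("database", "table", "column");
    static final Map<String, Set<String>> RESTRICTIONS = Map.of(
        "database", Set.of("create", "alter", "drop"),
        "table", Set.of("create", "alter", "drop", "insert", "update", "select"),
        "column", Set.of("insert", "update", "select"));

    // The leaf is the deepest resource type in the hierarchy that the policy references.
    static String leafType(Set<String> resourceTypes) {
        String leaf = null;
        for (String type : HIERARCHY) {
            if (resourceTypes.contains(type)) leaf = type;
        }
        if (leaf == null) {
            throw new IllegalArgumentException("policy references no known resource type");
        }
        return leaf;
    }

    // Checks every supplied item list (not only the allow items) against the leaf's
    // restrictions alone. Returns "listName:accessType" for each violation.
    // Data-mask and row-filter lists would need their own allowed sets (not modelled here).
    static List<String> violations(Set<String> resourceTypes, Map<String, List<String>> itemLists) {
        Set<String> allowed = RESTRICTIONS.get(leafType(resourceTypes));
        List<String> found = new ArrayList<>();
        for (Map.Entry<String, List<String>> list : itemLists.entrySet()) {
            for (String accessType : list.getValue()) {
                if (!allowed.contains(accessType)) {
                    found.add(list.getKey() + ":" + accessType);
                }
            }
        }
        return found;
    }

    public static void main(String[] args) {
        // Constructed policy items: one allow list and one deny list.
        Map<String, List<String>> items = new LinkedHashMap<>();
        items.put("policyItems", List.of("select", "drop"));
        items.put("denyPolicyItems", List.of("create", "update"));
        System.out.println(violations(Set.of("database"), items));
        System.out.println(violations(Set.of("database", "table"), items));
        System.out.println(violations(Set.of("database", "table", "column"), items));
    }
}
```

Taking the union of restrictions across all referenced resource types would accept every one of these items for the column-level policy, which is the behaviour the first comment flags as incorrect.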
