[jira] [Updated] (RANGER-3827) Ranger should block policy creation with incorrect permission

Dharshana M Krishnamoorthy (Jira) Wed, 13 Jul 2022 04:50:37 -0700


     [ 
https://issues.apache.org/jira/browse/RANGER-3827?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Dharshana M Krishnamoorthy updated RANGER-3827:
-----------------------------------------------
    Description: 
{code:java}
entity_allow_get_on_hive_table_policy_payload
{u'allowExceptions': [], u'end-one-entity': None, u'policyItems': [{u'users': 
[u'hrt_16'], u'accesses': [{u'isAllowed': True, u'type': u'entity-read'}, 
{u'isAllowed': True, u'type': u'entity-create'}, {u'isAllowed': True, u'type': 
u'entity-update'}, {u'isAllowed': True, u'type': u'entity-delete'}, 
{u'isAllowed': True, u'type': u'entity-add-classification'}, {u'isAllowed': 
True, u'type': u'entity-update-classification'}, {u'isAllowed': True, u'type': 
u'entity-remove-classification'}]}], u'policyPriority': 0, u'service': 
'cm_atlas', u'isEnabled': True, u'end-two-entity-classification': None, 
u'end-one-entity-type': None, u'type': None, u'resources': {u'entity': 
{u'isExcludes': False, u'values': [u'*'], u'isRecursive': False}, 
u'entity-type': {u'isExcludes': False, u'values': [u'hive_table'], 
u'isRecursive': False}, u'entity-classification': {u'isExcludes': False, 
u'values': [u'*'], u'isRecursive': False}}, u'description': u'', 
u'isAuditEnabled': True, u'isDenyAllElse': False, u'policyType': u'0', 
u'denyPolicyItems': [], u'end-two-entity': None, u'end-two-entity-type': None, 
u'none': [], u'end-one-entity-classification': None, u'name': 
u'entity_allow_all_hive_table', u'denyExceptions': [], u'policyLabels': []} 
{code}
Details/screenshot of the incorrect data attached in the attachments

For an entity type with 'None' , classification related policies can also be 
added when creating policy via api, which is ideally incorrect

This should be blocked at policy creation level itself

  was:
{code:java}
entity_allow_get_on_hive_table_policy_payload
{u'allowExceptions': [], u'end-one-entity': None, u'policyItems': [{u'users': 
[u'hrt_16'], u'accesses': [{u'isAllowed': True, u'type': u'entity-read'}, 
{u'isAllowed': True, u'type': u'entity-create'}, {u'isAllowed': True, u'type': 
u'entity-update'}, {u'isAllowed': True, u'type': u'entity-delete'}, 
{u'isAllowed': True, u'type': u'entity-add-classification'}, {u'isAllowed': 
True, u'type': u'entity-update-classification'}, {u'isAllowed': True, u'type': 
u'entity-remove-classification'}]}], u'policyPriority': 0, u'service': 
'cm_atlas', u'isEnabled': True, u'end-two-entity-classification': None, 
u'end-one-entity-type': None, u'type': None, u'resources': {u'entity': 
{u'isExcludes': False, u'values': [u'*'], u'isRecursive': False}, 
u'entity-type': {u'isExcludes': False, u'values': [u'hive_table'], 
u'isRecursive': False}, u'entity-classification': {u'isExcludes': False, 
u'values': [u'*'], u'isRecursive': False}}, u'description': u'', 
u'isAuditEnabled': True, u'isDenyAllElse': False, u'policyType': u'0', 
u'denyPolicyItems': [], u'end-two-entity': None, u'end-two-entity-type': None, 
u'none': [], u'end-one-entity-classification': None, u'name': 
u'entity_allow_all_hive_table', u'denyExceptions': [], u'policyLabels': []} 
{code}
 

For an entity type with 'None' , classification related policies can also be 
added when creating policy via api, which is ideally incorrect

This should be blocked at policy creation level itself


> Ranger should block policy creation with incorrect permission
> -------------------------------------------------------------
>
>                 Key: RANGER-3827
>                 URL: https://issues.apache.org/jira/browse/RANGER-3827
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Dharshana M Krishnamoorthy
>            Priority: Major
>         Attachments: Screenshot 2022-07-12 at 12.01.09 AM.png
>
>
> {code:java}
> entity_allow_get_on_hive_table_policy_payload
> {u'allowExceptions': [], u'end-one-entity': None, u'policyItems': [{u'users': 
> [u'hrt_16'], u'accesses': [{u'isAllowed': True, u'type': u'entity-read'}, 
> {u'isAllowed': True, u'type': u'entity-create'}, {u'isAllowed': True, 
> u'type': u'entity-update'}, {u'isAllowed': True, u'type': u'entity-delete'}, 
> {u'isAllowed': True, u'type': u'entity-add-classification'}, {u'isAllowed': 
> True, u'type': u'entity-update-classification'}, {u'isAllowed': True, 
> u'type': u'entity-remove-classification'}]}], u'policyPriority': 0, 
> u'service': 'cm_atlas', u'isEnabled': True, u'end-two-entity-classification': 
> None, u'end-one-entity-type': None, u'type': None, u'resources': {u'entity': 
> {u'isExcludes': False, u'values': [u'*'], u'isRecursive': False}, 
> u'entity-type': {u'isExcludes': False, u'values': [u'hive_table'], 
> u'isRecursive': False}, u'entity-classification': {u'isExcludes': False, 
> u'values': [u'*'], u'isRecursive': False}}, u'description': u'', 
> u'isAuditEnabled': True, u'isDenyAllElse': False, u'policyType': u'0', 
> u'denyPolicyItems': [], u'end-two-entity': None, u'end-two-entity-type': 
> None, u'none': [], u'end-one-entity-classification': None, u'name': 
> u'entity_allow_all_hive_table', u'denyExceptions': [], u'policyLabels': []} 
> {code}
> Details/screenshot of the incorrect data attached in the attachments
> For an entity type with 'None' , classification related policies can also be 
> added when creating policy via api, which is ideally incorrect
> This should be blocked at policy creation level itself



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (RANGER-3827) Ranger should block policy creation with incorrect permission

Reply via email to