-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74057/#review224567
-----------------------------------------------------------

plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructureAuthorizer.java
Lines 210 (patched)
<https://reviews.apache.org/r/74057/#comment313322>

    This call to isAccessAllowed() would return isAllowed=true only when access is allowed for the whole schema. The intent of this method seems to be to return true if the user has the requested access to even only one field in the schema. To address this, resource-match scope should be set as shown below:
      request.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS);


- Madhan Neethiraj


On July 13, 2022, 11:03 p.m., Barbara Eckman wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74057/
> -----------------------------------------------------------
> 
> (Updated July 13, 2022, 11:03 p.m.)
> 
> 
> Review request for ranger and Madhan Neethiraj.
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> It would be nice to be able to do fine-grained access control (FGA) over
> nested structures, e.g., the JSON responses of API calls. This requires the
> individual attributes in a JSON object to be first-class metadata objects
> which can be tagged and on which policies can be written. We have built a
> plugin and the corresponding Apache Atlas metadata structures and
> tagsync-mapper to support TBAC/RBAC/ABAC FGA over JSON structures. Our
> instigating use case was FGA over the JSON responses of API calls, but this
> plugin has potential value anywhere FGA over the individual attributes of
> nested structures is needed, e.g., JSON messages read from Kafka topics.
> 
> 
> Diffs
> -----
> 
>   plugin-nestedstructure/CONTRIBUTING PRE-CREATION
>   plugin-nestedstructure/LICENSE PRE-CREATION
>   plugin-nestedstructure/NOTICE PRE-CREATION
>   plugin-nestedstructure/README.md PRE-CREATION
>   plugin-nestedstructure/conf/log4j.properties PRE-CREATION
>   plugin-nestedstructure/conf/nestedstructure_servicedef.json PRE-CREATION
>   plugin-nestedstructure/conf/ranger-nestedstructure-audit.xml PRE-CREATION
>   plugin-nestedstructure/conf/ranger-nestedstructure-policymgr-ssl.xml PRE-CREATION
>   plugin-nestedstructure/conf/ranger-nestedstructure-security.xml PRE-CREATION
>   plugin-nestedstructure/pom.xml PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/AccessResult.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/DataMasker.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/ExampleClient.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/FieldLevelAccess.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/JsonManipulator.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/MaskTypes.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/MaskingException.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructureAccessType.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructureAuthorizer.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructure_Resource.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructure_Service.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/RecordFilterJavaScript.java PRE-CREATION
>   plugin-nestedstructure/src/test/java/org/apache/ranger/authorization/nestedstructure/authorizer/TestDataMasker.java PRE-CREATION
>   plugin-nestedstructure/src/test/java/org/apache/ranger/authorization/nestedstructure/authorizer/TestJsonManipulator.java PRE-CREATION
>   plugin-nestedstructure/src/test/java/org/apache/ranger/authorization/nestedstructure/authorizer/TestRecordFilterJavaScript.java PRE-CREATION
>   pom.xml 0945f4b1d
>   tagsync/src/main/java/org/apache/ranger/tagsync/nestedstructureplugin/AtlasNestedStructureResourceMapper.java PRE-CREATION
>   tagsync/src/test/java/org/apache/ranger/tagsync/nestedstructureplugin/ResourceTests.java PRE-CREATION
> 
> 
> Diff: https://reviews.apache.org/r/74057/diff/1/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Barbara Eckman
> 
>
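
Added example, not part of the review thread or the Ranger code base: a toy model of the difference the review comment describes between matching a schema-level request against the schema alone and against the schema or anything beneath it. The Scope values reuse the names from the comment; ScopeDemo, Policy, isAllowed and the users, schema and fields are hypothetical, and the matching logic is a simplification rather than Ranger's evaluator.

```java
import java.util.List;

// Toy model of the two matching scopes (Java 16+ for records). Illustrative only:
// this is not Ranger's policy evaluator, and all data below is constructed.
public class ScopeDemo {
    enum Scope { SELF, SELF_OR_DESCENDANTS }

    // Allow-policy for one user on schema + field; field "*" means the whole schema.
    record Policy(String user, String schema, String field) {}

    // field == null means the request names only the schema, as in the reviewed call.
    static boolean isAllowed(List<Policy> policies, String user, String schema,
                             String field, Scope scope) {
        for (Policy p : policies) {
            if (!p.user().equals(user) || !p.schema().equals(schema)) continue;
            if (p.field().equals("*")) return true;                    // covers schema and all fields
            if (field != null && p.field().equals(field)) return true; // exact field match
            // Schema-level request and the policy sits on a field below it:
            // this only counts as a match when descendants are in scope.
            if (field == null && scope == Scope.SELF_OR_DESCENDANTS) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        List<Policy> policies = List.of(
            new Policy("alice", "customer", "*"),            // whole schema
            new Policy("bob", "customer", "address.zip"));   // one field only

        // Schema-level gate for bob: denied under SELF, allowed once descendants count.
        System.out.println(isAllowed(policies, "bob", "customer", null, Scope.SELF));
        System.out.println(isAllowed(policies, "bob", "customer", null, Scope.SELF_OR_DESCENDANTS));
        // alice's whole-schema policy matches under either scope.
        System.out.println(isAllowed(policies, "alice", "customer", null, Scope.SELF));

        // The wider scope answers "some field is accessible", not "every field is",
        // so each field still needs its own check before its value is returned.
        System.out.println(isAllowed(policies, "bob", "customer", "ssn", Scope.SELF));
        System.out.println(isAllowed(policies, "bob", "customer", "address.zip", Scope.SELF));
    }
}
```

In this model the wider scope is only safe as a coarse gate: a caller that treats its positive answer as whole-schema access would return fields, such as the constructed "ssn" above, that no policy grants.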
