I’m sorry, I’ve always done this sort of thing using GitHub PRs… which code
should I change based on your review items? My local copy, choose “fixed” on
the review site, and then generate a new patch?


--
Barbara Eckman, Ph.D.
she/her/hers
Distinguished Architect
Enterprise Metadata, Lineage and Access Control
Comcast



From: Madhan Neethiraj <[email protected]> on behalf of Madhan 
Neethiraj <[email protected]>
Date: Monday, July 18, 2022 at 3:01 AM
To: Madhan Neethiraj <[email protected]>
Cc: Eckman, Barbara <[email protected]>, ranger 
<[email protected]>
Subject: [EXTERNAL] Re: Review Request 74057: Plugin for Fine-grained Access 
Control over nested structures
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74057/


plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructureAuthorizer.java
 (Diff revision 1)


210


        RangerAccessResult accessResult = plugin.isAccessAllowed(request);


This call to isAccessAllowed() would return isAllowed=true only when access is
allowed for the whole schema. The intent of this method seems to be to return
true if the user has the requested access to even only one field in the schema.



To address this, resource-match scope should be set as shown below:

  request.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS);


- Madhan Neethiraj


On July 13th, 2022, 11:03 p.m. UTC, Barbara Eckman wrote:
Review request for ranger and Madhan Neethiraj.
By Barbara Eckman.

Updated July 13, 2022, 11:03 p.m.
Repository: ranger
Description

It would be nice to be able to do fine-grained access control (FGA) over nested 
structures, e.g., the JSON responses of API calls.  This requires the 
individual attributes in a JSON object to be first-class metadata objects which 
can be tagged and on which policies can be written.  We have built a plugin and 
the corresponding Apache Atlas metadata structures and tagsync-mapper to 
support TBAC/RBAC/ABAC FGA over JSON structures.   Our instigating use case was 
FGA over the JSON responses of API calls, but this plugin has potential value 
anywhere FGA over the individual attributes of nested structures is needed, e.g.,
JSON messages read from Kafka topics.


Diffs
· plugin-nestedstructure/CONTRIBUTING (PRE-CREATION)
· plugin-nestedstructure/LICENSE (PRE-CREATION)
· plugin-nestedstructure/NOTICE (PRE-CREATION)
· plugin-nestedstructure/README.md (PRE-CREATION)
· plugin-nestedstructure/conf/log4j.properties (PRE-CREATION)
· plugin-nestedstructure/conf/nestedstructure_servicedef.json (PRE-CREATION)
· plugin-nestedstructure/conf/ranger-nestedstructure-audit.xml (PRE-CREATION)
· plugin-nestedstructure/conf/ranger-nestedstructure-policymgr-ssl.xml (PRE-CREATION)
· plugin-nestedstructure/conf/ranger-nestedstructure-security.xml (PRE-CREATION)
· plugin-nestedstructure/pom.xml (PRE-CREATION)
· plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/AccessResult.java (PRE-CREATION)
· plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/DataMasker.java (PRE-CREATION)
· plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/ExampleClient.java (PRE-CREATION)
· plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/FieldLevelAccess.java (PRE-CREATION)
· plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/JsonManipulator.java (PRE-CREATION)
· plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/MaskTypes.java (PRE-CREATION)
· plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/MaskingException.java (PRE-CREATION)
· plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructureAccessType.java (PRE-CREATION)
· plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructureAuthorizer.java (PRE-CREATION)
· plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructure_Resource.java (PRE-CREATION)
· plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructure_Service.java (PRE-CREATION)
· plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/RecordFilterJavaScript.java (PRE-CREATION)
· plugin-nestedstructure/src/test/java/org/apache/ranger/authorization/nestedstructure/authorizer/TestDataMasker.java (PRE-CREATION)
· plugin-nestedstructure/src/test/java/org/apache/ranger/authorization/nestedstructure/authorizer/TestJsonManipulator.java (PRE-CREATION)
· plugin-nestedstructure/src/test/java/org/apache/ranger/authorization/nestedstructure/authorizer/TestRecordFilterJavaScript.java (PRE-CREATION)
· pom.xml (0945f4b1d)
· tagsync/src/main/java/org/apache/ranger/tagsync/nestedstructureplugin/AtlasNestedStructureResourceMapper.java (PRE-CREATION)
· tagsync/src/test/java/org/apache/ranger/tagsync/nestedstructureplugin/ResourceTests.java (PRE-CREATION)

View Diff: https://reviews.apache.org/r/74057/diff/1/
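
The difference between the two matching scopes raised in the review comment above, as an added example that is not part of the thread and is not Apache Ranger code. It is a simplified model: the Policy class, the Scope enum, this isAccessAllowed() and the resource paths are hypothetical stand-ins, and each rule covers exactly one resource path.

```java
import java.util.List;

// Simplified model of the two matching scopes; this is not Apache Ranger code.
// Policy, Scope, isAccessAllowed() and the resource paths are hypothetical.
public class MatchingScopeDemo {
    enum Scope { SELF, SELF_OR_DESCENDANTS }

    // One allow rule: `user` may perform `accessType` on exactly `resource`.
    static final class Policy {
        final String user, accessType, resource;
        Policy(String user, String accessType, String resource) {
            this.user = user; this.accessType = accessType; this.resource = resource;
        }
    }

    static boolean isAccessAllowed(List<Policy> policies, String user,
                                   String accessType, String resource, Scope scope) {
        for (Policy p : policies) {
            if (!p.user.equals(user) || !p.accessType.equals(accessType)) {
                continue;
            }
            // Both scopes: a policy on the requested resource itself matches.
            if (p.resource.equals(resource)) {
                return true;
            }
            // SELF_OR_DESCENDANTS only: a policy on any field below it also matches.
            if (scope == Scope.SELF_OR_DESCENDANTS
                    && p.resource.startsWith(resource + ".")) {
                return true;
            }
        }
        return false; // no matching allow rule: deny
    }

    public static void main(String[] args) {
        // Constructed sample: alice may read two fields; no schema-level rule exists.
        List<Policy> policies = List.of(
                new Policy("alice", "read", "customer.name"),
                new Policy("alice", "read", "customer.address.zip"));

        System.out.println("schema, SELF: "
                + isAccessAllowed(policies, "alice", "read", "customer", Scope.SELF));
        System.out.println("schema, SELF_OR_DESCENDANTS: "
                + isAccessAllowed(policies, "alice", "read", "customer", Scope.SELF_OR_DESCENDANTS));
        System.out.println("customer.ssn, SELF: "
                + isAccessAllowed(policies, "alice", "read", "customer.ssn", Scope.SELF));
    }
}
```

The third check is the one to keep in mind: an allowed result for the schema under SELF_OR_DESCENDANTS says only that some field is readable, so each field still needs its own check before it is returned.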

