> On July 18, 2022, 7:01 a.m., Madhan Neethiraj wrote:
> > plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructureAuthorizer.java
> > Lines 210 (patched)
> > <https://reviews.apache.org/r/74057/diff/1/?file=2268966#file2268966line210>
> >
> >     This call to isAccessAllowed() would return isAllowed=true only when
> >     access is allowed for the whole schema. The intent of this method seems to
> >     return true if user has the requested access to even only one field in the
> >     schema.
> >
> >     To address this, resource-match scope should be set as shown below:
> >
> >     request.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS);

done


- Barbara


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74057/#review224567
-----------------------------------------------------------


On July 13, 2022, 11:03 p.m., Barbara Eckman wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74057/
> -----------------------------------------------------------
>
> (Updated July 13, 2022, 11:03 p.m.)
>
>
> Review request for ranger and Madhan Neethiraj.
>
>
> Repository: ranger
>
>
> Description
> -------
>
> It would be nice to be able to do fine-grained access control (FGA) over
> nested structures, e.g., the JSON responses of API calls. This requires the
> individual attributes in a JSON object to be first-class metadata objects
> which can be tagged and on which policies can be written. We have built a
> plugin and the corresponding Apache Atlas metadata structures and
> tagsync-mapper to support TBAC/RBAC/ABAC FGA over JSON structures. Our
> instigating use case was FGA over the JSON responses of API calls, but this
> plugin has potential value anywhere FGA over the individual attributes of
> nested structures is needed, eg JSON messages read from Kafka topics.
>
>
> Diffs
> -----
>
>   plugin-nestedstructure/CONTRIBUTING PRE-CREATION
>   plugin-nestedstructure/LICENSE PRE-CREATION
>   plugin-nestedstructure/NOTICE PRE-CREATION
>   plugin-nestedstructure/README.md PRE-CREATION
>   plugin-nestedstructure/conf/log4j.properties PRE-CREATION
>   plugin-nestedstructure/conf/nestedstructure_servicedef.json PRE-CREATION
>   plugin-nestedstructure/conf/ranger-nestedstructure-audit.xml PRE-CREATION
>   plugin-nestedstructure/conf/ranger-nestedstructure-policymgr-ssl.xml PRE-CREATION
>   plugin-nestedstructure/conf/ranger-nestedstructure-security.xml PRE-CREATION
>   plugin-nestedstructure/pom.xml PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/AccessResult.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/DataMasker.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/ExampleClient.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/FieldLevelAccess.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/JsonManipulator.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/MaskTypes.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/MaskingException.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructureAccessType.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructureAuthorizer.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructure_Resource.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/NestedStructure_Service.java PRE-CREATION
>   plugin-nestedstructure/src/main/java/org.apache.ranger/authorization.nestedstructure.authorizer/RecordFilterJavaScript.java PRE-CREATION
>   plugin-nestedstructure/src/test/java/org/apache/ranger/authorization/nestedstructure/authorizer/TestDataMasker.java PRE-CREATION
>   plugin-nestedstructure/src/test/java/org/apache/ranger/authorization/nestedstructure/authorizer/TestJsonManipulator.java PRE-CREATION
>   plugin-nestedstructure/src/test/java/org/apache/ranger/authorization/nestedstructure/authorizer/TestRecordFilterJavaScript.java PRE-CREATION
>   pom.xml 0945f4b1d
>   tagsync/src/main/java/org/apache/ranger/tagsync/nestedstructureplugin/AtlasNestedStructureResourceMapper.java PRE-CREATION
>   tagsync/src/test/java/org/apache/ranger/tagsync/nestedstructureplugin/ResourceTests.java PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/74057/diff/1/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Barbara Eckman
>
>
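
Added example (not part of the original thread or of the Ranger code base): a simplified Java model of the resource-match scope point raised in the review comment above, showing how a schema-level check answers differently under SELF and SELF_OR_DESCENDANTS. The Grant class, the sample users and grants, and the matching logic are constructed for illustration and only stand in for Ranger's policy engine.

```java
import java.util.Arrays;
import java.util.List;

// Simplified model of resource-match scope; NOT Ranger's policy engine.
public class MatchScopeDemo {
    enum Scope { SELF, SELF_OR_DESCENDANTS }

    // Hypothetical grant on a schema; field == null means the whole schema.
    static final class Grant {
        final String user, schema, field;
        Grant(String user, String schema, String field) {
            this.user = user; this.schema = schema; this.field = field;
        }
    }

    // Constructed sample policies: alice holds one field, bob the whole schema.
    static final List<Grant> GRANTS = Arrays.asList(
        new Grant("alice", "customer", "address.zip"),
        new Grant("bob", "customer", null));

    // Schema-level request (no field named), evaluated under the given scope.
    static boolean isAccessAllowed(String user, String schema, Scope scope) {
        for (Grant g : GRANTS) {
            if (!g.user.equals(user) || !g.schema.equals(schema)) continue;
            if (g.field == null) return true;                    // grant on the schema itself
            if (scope == Scope.SELF_OR_DESCENDANTS) return true; // grant on a field below it
        }
        return false; // default deny when nothing matches
    }

    public static void main(String[] args) {
        // alice: SELF -> false, SELF_OR_DESCENDANTS -> true
        // bob:   true under both scopes; carol: false under both
        for (String user : new String[] {"alice", "bob", "carol"}) {
            for (Scope s : Scope.values()) {
                System.out.println(user + " customer " + s + " -> "
                    + isAccessAllowed(user, "customer", s));
            }
        }
    }
}
```

A true result under the wider scope only says that some field of the schema is accessible to the user; each field still needs its own access check before its value is returned.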
