-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74057/#review224598
-----------------------------------------------------------

plugin-nestedstructure/README.md
Lines 34 (patched)
<https://reviews.apache.org/r/74057/#comment313384>

    ExampleClient is in package org.apache.ranger.authorization.nestedstructure.authorizer. Please review and update README.md.


plugin-nestedstructure/README.md
Lines 56 (patched)
<https://reviews.apache.org/r/74057/#comment313385>

    Now that servicedef is loaded automatically, this instruction is no more needed.


plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/NestedStructureAuthorizer.java
Lines 66 (patched)
<https://reviews.apache.org/r/74057/#comment313393>

    Consider replacing hardcoded service-name (RANGER_CMT_SERVICE_NAME) with policies.getServiceName().


plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/NestedStructureAuthorizer.java
Lines 114 (patched)
<https://reviews.apache.org/r/74057/#comment313394>

    Calls at #114 and #125 will generate audit logs - which will result in multiple audit logs being generated for an authorization call. I suggest to review RangerHiveAuthorizer implementation, which does post-processing of all audit logs generated for a given authorization.


plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/NestedStructureAuthorizer.java
Lines 183 (patched)
<https://reviews.apache.org/r/74057/#comment313396>

    Sending resultProcessor=null (second parameter) will result in no audit being generated for applied mask. Please review and update.


plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/NestedStructureAuthorizer.java
Lines 221 (patched)
<https://reviews.apache.org/r/74057/#comment313395>

    Sending resultProcessor=null (second parameter) will result in no audit being generated for row-filter. Please review and update.


tagsync/src/main/java/org/apache/ranger/tagsync/nestedstructureplugin/AtlasNestedStructureResourceMapper.java
Lines 30 (patched)
<https://reviews.apache.org/r/74057/#comment313392>

    Apache strongly recommends to avoid author tags in source code - see https://www.apache.org/foundation/records/minutes/2004/board_minutes_2004_09_22.txt (Recommend strongly that @author is avoided; but leave it to each PMC to make the final call with their respective communities).

    To be consistent with the rest of Apache Ranger source code, I suggest to remove @author tag from sources.


tagsync/src/main/java/org/apache/ranger/tagsync/nestedstructureplugin/AtlasNestedStructureResourceMapper.java
Lines 88 (patched)
<https://reviews.apache.org/r/74057/#comment313391>

    Instead of hardcoding service-name, consider deriving service-name from the given qualifiedName - similar to other AtlasResourceMapper implementations, like AtlasHiveResourceMapper. For example, consider qualifiedName to include the clusterName as given below:
     - json_object.foo.v1@dev
     - json_object.foo.v1#partner@dev
     - json_object.foo.v1#partner@prod
     - json_object.foo.v1#partner@prod

    Service name can be derived from the given clusterName by calling AtlasResourceMapper.getRangerServiceName(clusterName), which will return following:
     - clusterName: dev  => serviceName: dev_nestedstructure
     - clusterName: prod => serviceName: prod_nestedstructure


- Madhan Neethiraj


On July 28, 2022, 2 p.m., Barbara Eckman wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74057/
> -----------------------------------------------------------
> 
> (Updated July 28, 2022, 2 p.m.)
> 
> 
> Review request for ranger and Madhan Neethiraj.
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> It would be nice to be able to do fine-grained access control (FGA) over
> nested structures, e.g., the JSON responses of API calls. This requires the
> individual attributes in a JSON object to be first-class metadata objects
> which can be tagged and on which policies can be written. We have built a
> plugin and the corresponding Apache Atlas metadata structures and
> tagsync-mapper to support TBAC/RBAC/ABAC FGA over JSON structures. Our
> instigating use case was FGA over the JSON responses of API calls, but this
> plugin has potential value anywhere FGA over the individual attributes of
> nested structures is needed, e.g., JSON messages read from Kafka topics.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java db629c85d 
>   agents-common/src/main/resources/service-defs/ranger-servicedef-nestedstructure.json PRE-CREATION 
>   dev-support/ranger-pmd-ruleset.xml 88d77f236 
>   plugin-nestedstructure/.gitignore PRE-CREATION 
>   plugin-nestedstructure/LICENSE PRE-CREATION 
>   plugin-nestedstructure/NOTICE PRE-CREATION 
>   plugin-nestedstructure/README.md PRE-CREATION 
>   plugin-nestedstructure/conf/log4j.properties PRE-CREATION 
>   plugin-nestedstructure/conf/ranger-nestedstructure-audit.xml PRE-CREATION 
>   plugin-nestedstructure/conf/ranger-nestedstructure-policymgr-ssl.xml PRE-CREATION 
>   plugin-nestedstructure/conf/ranger-nestedstructure-security.xml PRE-CREATION 
>   plugin-nestedstructure/pom.xml PRE-CREATION 
>   plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/AccessResult.java PRE-CREATION 
>   plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/DataMasker.java PRE-CREATION 
>   plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/FieldLevelAccess.java PRE-CREATION 
>   plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/JsonManipulator.java PRE-CREATION 
>   plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/MaskTypes.java PRE-CREATION 
>   plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/MaskingException.java PRE-CREATION 
>   plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/NestedStructureAccessType.java PRE-CREATION 
>   plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/NestedStructureAuthorizer.java PRE-CREATION 
>   plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/NestedStructureResource.java PRE-CREATION 
>   plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/NestedStructureService.java PRE-CREATION 
>   plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/RecordFilterJavaScript.java PRE-CREATION 
>   plugin-nestedstructure/src/test/java/org/apache/ranger/authorization/nestedstructure/authorizer/ExampleClient.java PRE-CREATION 
>   plugin-nestedstructure/src/test/java/org/apache/ranger/authorization/nestedstructure/authorizer/TestDataMasker.java PRE-CREATION 
>   plugin-nestedstructure/src/test/java/org/apache/ranger/authorization/nestedstructure/authorizer/TestJsonManipulator.java PRE-CREATION 
>   plugin-nestedstructure/src/test/java/org/apache/ranger/authorization/nestedstructure/authorizer/TestNestedStructureAuthorizer.java PRE-CREATION 
>   plugin-nestedstructure/src/test/java/org/apache/ranger/authorization/nestedstructure/authorizer/TestRecordFilterJavaScript.java PRE-CREATION 
>   plugin-nestedstructure/src/test/resources/servicedef-nestedstructure.json PRE-CREATION 
>   plugin-nestedstructure/src/test/resources/test_customer_records.json PRE-CREATION 
>   pom.xml 0945f4b1d 
>   tagsync/src/main/java/org/apache/ranger/tagsync/nestedstructureplugin/AtlasNestedStructureResourceMapper.java PRE-CREATION 
>   tagsync/src/test/java/org/apache/ranger/tagsync/nestedstructureplugin/ResourceTests.java PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/74057/diff/3/
> 
> 
> Testing
> -------
> 
> 
> File Attachments
> ----------------
> 
> 0001-patch-with-edits-based-on-OS-review.patch
>   https://reviews.apache.org/media/uploaded/files/2022/07/26/9d048baa-1968-4201-b213-1b807ed02587__0001-patch-with-edits-based-on-OS-review.patch
> original patch
>   https://reviews.apache.org/media/uploaded/files/2022/07/27/5d6d9df2-b661-4d03-bba3-3f08cb26c32e__3809-plugin-nestedstructure-RANGER-3828-with-tagsync-Atla.patch
> RANGER-3828-3.patch
>   https://reviews.apache.org/media/uploaded/files/2022/07/28/6367376f-0582-450c-a1e5-e61d982b5ff2__RANGER-3828-3.patch
> 
> 
> Thanks,
> 
> Barbara Eckman
> 
>
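
The derivation suggested in the last review comment above (AtlasNestedStructureResourceMapper.java, line 88), as an added example that is not part of the review or of Apache Ranger's code: it splits a qualifiedName of the form schema[#field]@clusterName and builds a per-cluster service name, rejecting names that carry no cluster. The class, the method names and the clusterName + "_nestedstructure" rule in `serviceNameFor` are assumptions taken from the sample values in that comment; in Ranger the call named by the reviewer is AtlasResourceMapper.getRangerServiceName(clusterName).

```java
import java.util.Optional;

// Added illustration, not Apache Ranger source; class and method names are hypothetical (Java 16+).
public class QualifiedNameServiceMapping {
    static final String COMPONENT = "nestedstructure"; // suffix from the review's sample output
    static final char CLUSTER_DELIM = '@';             // layout in the review: schema[#field]@clusterName
    static final char FIELD_DELIM = '#';

    record Parsed(String schema, Optional<String> field, String cluster) {}

    static Parsed parse(String qualifiedName) {
        if (qualifiedName == null) {
            throw new IllegalArgumentException("qualifiedName is null");
        }
        int at = qualifiedName.lastIndexOf(CLUSTER_DELIM);
        // Refuse names without a cluster part instead of falling back to one fixed service:
        // a fallback would attach tags to a service the entity may not belong to.
        if (at <= 0 || at == qualifiedName.length() - 1) {
            throw new IllegalArgumentException("no schema or clusterName in: " + qualifiedName);
        }
        String resource = qualifiedName.substring(0, at);
        String cluster = qualifiedName.substring(at + 1);
        int hash = resource.indexOf(FIELD_DELIM);
        if (hash < 0) {
            return new Parsed(resource, Optional.empty(), cluster); // schema-level entity
        }
        if (hash == 0 || hash == resource.length() - 1) {
            throw new IllegalArgumentException("empty schema or field in: " + qualifiedName);
        }
        return new Parsed(resource.substring(0, hash), Optional.of(resource.substring(hash + 1)), cluster);
    }

    // Assumed stand-in for AtlasResourceMapper.getRangerServiceName(clusterName), reproducing only
    // the clusterName + "_nestedstructure" results listed in the review.
    static String serviceNameFor(String cluster) {
        return cluster + "_" + COMPONENT;
    }

    public static void main(String[] args) {
        // Constructed inputs: the qualifiedNames quoted in the review comment.
        String[] samples = {"json_object.foo.v1@dev", "json_object.foo.v1#partner@dev", "json_object.foo.v1#partner@prod"};
        for (String qn : samples) {
            Parsed p = parse(qn);
            System.out.printf("%s -> service=%s schema=%s field=%s%n",
                    qn, serviceNameFor(p.cluster()), p.schema(), p.field().orElse("-"));
        }
    }
}
```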
