> On Dec. 3, 2022, 7:34 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
> > Lines 228 (patched)
> > <https://reviews.apache.org/r/74229/diff/2/?file=2272258#file2272258line230>
> >
> >     if appliedPolicy has isDenyAllElse=true and existingPolicy has 
> > isDenyAllElse=false, it should be treated as an error - as it can result in 
> > access to be denied for users who might have access currently. Please 
> > review.
> 
> Abhay Kulkarni wrote:
>     I don't quite see why. Can you please elaborate? Thanks!

Consider the following:

Existing policies:
- #1: resource: { database: fin, table: *  } groups: [ fin-admin ], 
accessTypes: [ select ], isDenyAllElse: false
- #2: resource: { database: fin, table: t1 } groups: [ fin-user ],  
accessTypes: [ select ], isDenyAllElse: false

Applied policy:
- resource: { database: fin, table: t1 } users: [ john ], accessTypes: [ select 
], isDenyAllElse: true


If above applyPolicy() changes isDenyAllElse to true on #2, it might result in 
fin-admin group to lose access to fin.t1 table.

My suggestion is to ignore isDenyAllElse coming from applyPolicy() - even if a 
new policy is created as result of applyPolicy().


- Madhan


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74229/#review224948
-----------------------------------------------------------


On Dec. 3, 2022, 12:28 a.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74229/
> -----------------------------------------------------------
> 
> (Updated Dec. 3, 2022, 12:28 a.m.)
> 
> 
> Review request for ranger, madhan, Madhan Neethiraj, Pradeep Agrawal, Ramesh 
> Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3995
>     https://issues.apache.org/jira/browse/RANGER-3995
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Steps to reproduce :-
> 
> 1. Make a POST request to the below mentioned API endpoint, using a policy 
> json where isDenyAllElse flag is set true
> 
> /service/public/v2/api/policy/apply
> 2. Fetch the policy using the newly created policy id, and try to make a POST 
> request to "/policy/apply" using the policy json obtained from the GET 
> request. The request results in an error
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java 
> b56fd3966 
> 
> 
> Diff: https://reviews.apache.org/r/74229/diff/2/
> 
> 
> Testing
> -------
> 
> Tested per the steps listed above. No error was reported and the policy was 
> applied correctly
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>
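The scenario in the reply above, as an added example that is not part of the thread or of Ranger's code: a simplified access model showing which principals lose access when the merge honors or ignores isDenyAllElse from the applied policy. The evaluation semantics, the `merge_applied` helper and the principals alice and bob are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Policy:
    database: str
    table: str                      # "*" matches every table
    groups: frozenset = frozenset()
    users: frozenset = frozenset()
    access_types: frozenset = frozenset({"select"})
    is_deny_all_else: bool = False

    def matches(self, database, table):
        return self.database == database and self.table in ("*", table)

    def allows(self, user, user_groups, access):
        return access in self.access_types and (
            user in self.users or bool(self.groups & user_groups))

def is_allowed(policies, user, user_groups, database, table, access):
    # Assumed semantics: a matching isDenyAllElse policy denies anyone it does
    # not itself allow, and that deny overrides allows from other policies.
    allowed = False
    for p in policies:
        if not p.matches(database, table):
            continue
        if p.allows(user, user_groups, access):
            allowed = True
        elif p.is_deny_all_else:
            return False
    return allowed

def merge_applied(existing, applied, honor_deny_all_else):
    # Hypothetical stand-in for the applyPolicy() merge: union the principals,
    # optionally take isDenyAllElse from the applied policy.
    flag = existing.is_deny_all_else or (honor_deny_all_else and applied.is_deny_all_else)
    return replace(existing, users=existing.users | applied.users,
                   groups=existing.groups | applied.groups, is_deny_all_else=flag)

def lost_access(before, after, principals, database, table, access):
    # Principals allowed before the change and denied after it.
    return sorted(u for u, g in principals.items()
                  if is_allowed(before, u, g, database, table, access)
                  and not is_allowed(after, u, g, database, table, access))

# Constructed data mirroring the policies in the message above.
P1 = Policy("fin", "*", groups=frozenset({"fin-admin"}))
P2 = Policy("fin", "t1", groups=frozenset({"fin-user"}))
APPLIED = Policy("fin", "t1", users=frozenset({"john"}), is_deny_all_else=True)
PRINCIPALS = {"alice": frozenset({"fin-admin"}), "bob": frozenset({"fin-user"}),
              "john": frozenset()}

def regression(honor_deny_all_else):
    after = [P1, merge_applied(P2, APPLIED, honor_deny_all_else)]
    return lost_access([P1, P2], after, PRINCIPALS, "fin", "t1", "select")
```

`regression(True)` reports the fin-admin member as losing select on fin.t1, while `regression(False)` reports no one; the same before/after comparison can serve as a pre-merge check for any change that touches isDenyAllElse.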
