-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74270/#review225083
-----------------------------------------------------------


agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
Lines 618 (patched)
<https://reviews.apache.org/r/74270/#comment313881>

    This call is difficult to read. Please consider changing line 618 (and 619 through 623) as follows:
    addMarkerTypeDef(ACCESS_TYPE_MARKER_CREATE, ++maxItemId, markerGrants.get(ACCESS_TYPE_MARKER_CREATE), ret);
    And change the signature/processing of addMarkerTypeDef() accordingly.


agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
Lines 672 (patched)
<https://reviews.apache.org/r/74270/#comment313882>

    The names of the methods - addToMarkerGrants and addMarkerGrants - are confusing. Please consider renaming them to accurately describe their functions.


- Abhay Kulkarni


On Jan. 9, 2023, 12:13 a.m., Madhan Neethiraj wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74270/
> -----------------------------------------------------------
>
> (Updated Jan. 9, 2023, 12:13 a.m.)
>
>
> Review request for ranger, Ankita Sinha, Kishor Gollapalliwar, Abhay
> Kulkarni, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu,
> Subhrat Chaudhary, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-4035
>     https://issues.apache.org/jira/browse/RANGER-4035
>
>
> Repository: ranger
>
>
> Description
> -------
>
> - added field AccessTypeDef.category, which can be set to one of the following: CREATE/READ/UPDATE/DELETE/MANAGE
> - added field RangerServiceDef.markerAccessTypes, which will be populated by Ranger admin with following entries containing impliedGrants as per category specified in RangerServiceDef.accessTypes:
> -- _CREATE
> -- _READ
> -- _UPDATE
> -- _DELETE
> -- _MANAGE
> - RangerServiceDef.markerAccessTypes will include _ALL, with all RangerServiceDef.accessTypes as impliedGrants
>
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java 05dde4edf
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java e1b5fe8f1
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java 4e287f9a4
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java d47be1404
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java 1c46f184c
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 55752e79c
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java fe1cf9244
>   agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerValidator.java 6114225ca
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java eb3d0ff46
>   agents-common/src/test/java/org/apache/ranger/plugin/util/ServiceDefUtilTest.java 3cd42f44f
>   agents-common/src/test/resources/policyengine/test_policyengine_marker_access_types.json PRE-CREATION
>   agents-common/src/test/resources/test_servicedef-normalize.json PRE-CREATION
>   intg/src/main/python/apache_ranger/model/ranger_service_def.py 3fd90f706
>   security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 6cc3509d8
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 6b9604817
>   security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java 656bc0184
>
>
> Diff: https://reviews.apache.org/r/74270/diff/5/
>
>
> Testing
> -------
>
> - added unit tests to validate authorization with policies having marker access-types
> - verified policy can be created with marker accessTypes via REST API call
> - verified that plugin enforce built-in marker access-types referenced in policies
> - verified that older version plugins continue to enforce policies for regular access-types i.e. non marker access-types
> - TODO: policy UI to include permissions listed in RangerServiceDef.markerAccessTypes
>
>
> Thanks,
>
> Madhan Neethiraj
>
>
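
The marker access-type derivation described in the quoted review request, as an added Python example that is not part of the e-mail thread and is not Apache Ranger code. It shows which regular access types a policy item naming a marker such as _UPDATE ends up authorizing. The dict layout, the itemId numbering, the sample service-def and the handling of access types without a category (reachable through _ALL only) are assumptions.

```python
# Added illustration, not Apache Ranger code. Keys mirror the field names in the
# review description; itemId numbering and the sample service-def are assumptions.
CATEGORIES = ("CREATE", "READ", "UPDATE", "DELETE", "MANAGE")

# Constructed sample: access types of a hypothetical service-def.
SAMPLE_ACCESS_TYPES = [
    {"itemId": 1, "name": "select", "category": "READ"},
    {"itemId": 2, "name": "update", "category": "UPDATE"},
    {"itemId": 3, "name": "create", "category": "CREATE"},
    {"itemId": 4, "name": "drop",   "category": "DELETE"},
    {"itemId": 5, "name": "alter",  "category": "UPDATE"},
    {"itemId": 6, "name": "grant",  "category": "MANAGE"},
    {"itemId": 7, "name": "index"},  # no category set
]

def build_marker_access_types(access_types):
    """Derive _CREATE.._MANAGE and _ALL from the categorised access types."""
    next_id = max((a["itemId"] for a in access_types), default=0)
    by_category = {c: [] for c in CATEGORIES}
    for a in access_types:
        if a.get("category") in by_category:
            by_category[a["category"]].append(a["name"])
    markers = []
    for cat in CATEGORIES:
        next_id += 1
        markers.append({"itemId": next_id, "name": "_" + cat,
                        "impliedGrants": sorted(by_category[cat])})
    # _ALL implies every access type, including ones with no category.
    markers.append({"itemId": next_id + 1, "name": "_ALL",
                    "impliedGrants": sorted(a["name"] for a in access_types)})
    return markers

def effective_access_types(granted, markers):
    """Expand the access types named in a policy item into what they authorise."""
    implied = {m["name"]: m["impliedGrants"] for m in markers}
    allowed = set()
    for name in granted:
        # A marker contributes its impliedGrants; a regular type contributes itself.
        allowed.update(implied.get(name, [name]))
    return allowed

if __name__ == "__main__":
    markers = build_marker_access_types(SAMPLE_ACCESS_TYPES)
    for m in markers:
        print(m["itemId"], m["name"], m["impliedGrants"])
    print(sorted(effective_access_types(["_UPDATE", "select"], markers)))
```

In this model, changing an access type's category changes what every policy that references the corresponding marker authorizes, so category assignments in a service-def deserve the same review as the policies themselves.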