> On Jan. 20, 2023, 5:56 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
> > Line 471 (original), 471 (patched)
> > <https://reviews.apache.org/r/74251/diff/3/?file=2273892#file2273892line471>
> >
> > Multiple policies within a service can have the same name - each in
> > different zone. Please review and update to handle this case.
>
> Ramachandran Krishnan wrote:
> When we pass the serviceName and policyName and zoneName is null then
> we will use the ZoneId is
> RangerSecurityZone.RANGER_UNZONED_SECURITY_ZONE_ID
> and getting the single result from DB
>
> if (StringUtils.isNotBlank(serviceName) &&
> StringUtils.isNotBlank(policyName)) {
> XXPolicy dbPolicy = daoManager.getXXPolicy().findPolicy(policyName,
> serviceName, null);
> if (dbPolicy != null) {
> ret = policyService.getPopulatedViewObject(dbPolicy);
> }
> }
>
>
> public XXPolicy findPolicy(String policyName, String serviceName,
> String zoneName) {
> if (policyName == null || serviceName == null) {
> return null;
> }
>
> try {
> if (zoneName == null) {
> return
> getEntityManager().createNamedQuery("XXPolicy.findPolicyByPolicyNameAndServiceName",
> tClass)
> .setParameter("policyName",
> policyName).setParameter("serviceName", serviceName)
> .setParameter("zoneId",
> RangerSecurityZone.RANGER_UNZONED_SECURITY_ZONE_ID)
> .getSingleResult();
> } else {
> return getEntityManager()
>
> .createNamedQuery("XXPolicy.findPolicyByPolicyNameAndServiceNameAndZoneName",
> tClass)
> .setParameter("policyName",
> policyName).setParameter("serviceName", serviceName)
> .setParameter("zoneName", zoneName).getSingleResult();
> }
> } catch (NoResultException e) {
> return null;
> }
>
> }
>
> Madhan Neethiraj wrote:
> @Ramachandran - given PublicAPIsv2.getPolicyByName() doesn't deal with
> zoneName, how would the API caller supply zoneName when necessary?
@madhan Yeah ,We are not provoding the option to caller for passing the
zoneName in the PublicAPIsv2.getPolicyByName()
Instead we can change the rest api for the caller to pass zoneName as query
parameter
like
/api/service/{servicename}/policy/{policyname}?zoneName=test1
@GET
@Path("/api/service/{servicename}/policy/{policyname}")
@Produces({ "application/json" })
public RangerPolicy getPolicyByName(@PathParam("servicename") String
serviceName,
@PathParam("policyname") String
policyName,
@DefaultValue("")
@QueryParam("zoneName") String zoneName,
@Context HttpServletRequest
request) {
So that caller can pass zoneName if it needed
- Ramachandran
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74251/#review225110
-----------------------------------------------------------
On Jan. 20, 2023, 3:22 p.m., Ramachandran Krishnan wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74251/
> -----------------------------------------------------------
>
> (Updated Jan. 20, 2023, 3:22 p.m.)
>
>
> Review request for ranger, Don Bosco Durai, Kirby Zhou, Abhay Kulkarni,
> Madhan Neethiraj, Mehul Parikh, Nikhil P, Pradeep Agrawal, Ramesh Mani,
> Selvamohan Neethiraj, Sailaja Polavarapu, Subhrat Chaudhary, and Velmurugan
> Periasamy.
>
>
> Bugs: RANGER-4012
> https://issues.apache.org/jira/browse/RANGER-4012
>
>
> Repository: ranger
>
>
> Description
> -------
>
> getPolicyByName searches policy by serviceName, policyName simply by traverse
> all policies in RangerServicePoliciesCache.
>
> However, It takes more time to search for policies from the cache when there
> are millions of policies
>
> As well as The above REST API sometimes gives stable data due to the deleted
> element is present in the Cache
>
> We need to call the DB to fetch policy instead of calling
> RangerServicePoliciesCache
>
> In PublicAPIsv2 we add the API's which are available in ServiceREST as an API
> and the getPolicyByName is not available as an API in ServiceREST.
>
> getPolicyByName ---> (/api/service/{servicename}/policy/{policyname}) in
> PublicAPIsv2
>
> I guess we should add the below API in ServiceREST also for the same.
>
> getPolicyByName ---> (/policies/service/{serviceName}/policy/{policyName}) in
> ServiceREST
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
> d98910bee
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
> ec02f47f7
> security-admin/src/test/java/org/apache/ranger/rest/TestPublicAPIsv2.java
> 7409883ab
> security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
> 8fdcc43c8
>
>
> Diff: https://reviews.apache.org/r/74251/diff/3/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Ramachandran Krishnan
>
>
