Re: Review Request 74270: RANGER-4035: added catagory to access-types; added marker access-type: _ALL

Fri, 27 Jan 2023 15:59:23 -0800 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74270/
-----------------------------------------------------------

(Updated Jan. 27, 2023, 11:58 p.m.)


Review request for ranger, Ankita Sinha, Kishor Gollapalliwar, Abhay Kulkarni, 
Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, Subhrat 
Chaudhary, and Velmurugan Periasamy.


Changes
-------

updates to address review comments


Bugs: RANGER-4035
    https://issues.apache.org/jira/browse/RANGER-4035


Repository: ranger


Description
-------

- added field AccessTypeDef.category, which can be set to one of the following: 
CREATE/READ/UPDATE/DELETE/MANAGE
- added field RangerServiceDef.markerAccessTypes, which will be populated by 
Ranger admin with following entries containing impliedGrants as per category 
specified in RangerServiceDef.accessTypes:
  -- _CREATE
  -- _READ
  -- _UPDATE
  -- _DELETE
  -- _MANAGE
- RangerServiceDef.markerAccessTypes will include _ALL, with all 
RangerServiceDef.accessTypes as impliedGrants


Diffs (updated)
-----

  
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
 05dde4edf 
  
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
 e1b5fe8f1 
  
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
 4e287f9a4 
  
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java
 d47be1404 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java
 1c46f184c 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 55752e79c 
  agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java 
fe1cf9244 
  
agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerValidator.java
 6114225ca 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 eb3d0ff46 
  
agents-common/src/test/java/org/apache/ranger/plugin/util/ServiceDefUtilTest.java
 3cd42f44f 
  
agents-common/src/test/resources/policyengine/test_policyengine_marker_access_types.json
 PRE-CREATION 
  agents-common/src/test/resources/test_servicedef-normalize.json PRE-CREATION 
  intg/src/main/python/apache_ranger/model/ranger_service_def.py 3fd90f706 
  security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 
6cc3509d8 
  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
562467e80 
  
security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java
 656bc0184 


Diff: https://reviews.apache.org/r/74270/diff/7/

Changes: https://reviews.apache.org/r/74270/diff/6-7/


Testing
-------

- added unit tests to validate authorization with policies having marker 
access-types
- verified policy can be created with marker accessTypes via REST API call
- verified that plugin enforce built-in marker access-types referenced in 
policies
- verified that older version plugins continue to enforce policies for regular 
access-types i.e. non marker access-types
- TODO: policy UI to include permissions listed in 
RangerServiceDef.markerAccessTypes


Thanks,

Madhan Neethiraj

Reply via email to