-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74744/#review225974
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
Lines 1494 (patched)
<https://reviews.apache.org/r/74744/#comment314345>

    getScrubbedAcl() ==> getPublicAclIfAllowed()



security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
Lines 1497 (patched)
<https://reviews.apache.org/r/74744/#comment314346>

    Wouldn't it be useful to return the permission for public group, instead of just LIST permission?


- Madhan Neethiraj


On Nov. 20, 2023, 2:14 p.m., Subhrat Chaudhary wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74744/
> -----------------------------------------------------------
> 
> (Updated Nov. 20, 2023, 2:14 p.m.)
> 
> 
> Review request for ranger, Anand Nadar, Ankita Sinha, Madhan Neethiraj, 
> Monika Kachhadiya, Prashant Satam, and Siddhesh Phatak.
> 
> 
> Bugs: RANGER-4535
>     https://issues.apache.org/jira/browse/RANGER-4535
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> When the GET dataset /gds/dataset API is called, gdsPermission=LIST is passed 
> in query-param, available ACLs are not returned in the dataset.
> 
> It will be helpful to know, if the current dataset is accessible to public 
> group, in case gdsPermission=LIST is passed in query-param (which can be 
> eventually used by the depending applications). We can add the ACL, in 
> the returned dataset (if available):
> 
> "groups": { "public": "LIST" }
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java 589fcdd68 
>   security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java 6c55fd029 
> 
> 
> Diff: https://reviews.apache.org/r/74744/diff/1/
> 
> 
> Testing
> -------
> 
> Following cases are validated (with gdsPermission=LIST passed in query-param) 
> (tested with GET /gds/dataset API):
> 1. Even if the calling user has higher than LIST access, same is not returned 
> in ACL.
> 2. All the datasets where public : LIST access is given, are returned in 
> response.
> 3. When the API is called by ranger admin user, all the datasets are returned 
> and only public : LIST permission is available in the ACL (no other 
> permissions are added in the ACL, even if the user has them in the dataset).
> 
> 
> Thanks,
> 
> Subhrat Chaudhary
> 
>
