-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74744/#review226020
-----------------------------------------------------------

security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
Lines 1497 (patched)
<https://reviews.apache.org/r/74744/#comment314369>

    Is it necessary to check if GROUP_PUBLIC has LIST permission? Consider the following for getPublicAclIfAllowed():

      private RangerGdsObjectACL getPublicAclIfAllowed(RangerGdsObjectACL acl) {
        RangerGdsObjectACL ret           = null;
        // Permission granted to the public group, if any
        GdsPermission      grpPublicPerm = acl != null && acl.getGroups() != null ? acl.getGroups().get(RangerConstants.GROUP_PUBLIC) : null;

        if (grpPublicPerm != null) {
          // Return an ACL that carries only the public group's permission
          ret = new RangerGdsObjectACL();
          ret.setGroups(Collections.singletonMap(RangerConstants.GROUP_PUBLIC, grpPublicPerm));
        }

        return ret;
      }


- Madhan Neethiraj


On Nov. 20, 2023, 4:36 p.m., Subhrat Chaudhary wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74744/
> -----------------------------------------------------------
> 
> (Updated Nov. 20, 2023, 4:36 p.m.)
> 
> 
> Review request for ranger, Anand Nadar, Ankita Sinha, Madhan Neethiraj,
> Monika Kachhadiya, Prashant Satam, and Siddhesh Phatak.
> 
> 
> Bugs: RANGER-4535
>     https://issues.apache.org/jira/browse/RANGER-4535
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> When the GET dataset /gds/dataset API is called, gdsPermission=LIST is passed
> in query-param, available ACLs are not returned in the dataset.
> 
> It will be helpful to know, if the current dataset is accessible to public
> group, in case gdsPermission=LIST is passed in query-param (which can be
> eventually used by the depending applications). We can add the ACL, in
> the returned dataset (if available):
> 
> "groups": { "public": "LIST" }
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java 589fcdd68
>   security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java 6c55fd029
> 
> 
> Diff: https://reviews.apache.org/r/74744/diff/2/
> 
> 
> Testing
> -------
> 
> Following cases are validated (with gdsPermission=LIST passed in query-param)
> (tested with GET /gds/dataset API):
> 1. Even if the calling user has higher than LIST access, same is not returned
> in ACL.
> 2. All the datasets where public : LIST access is given, are returned in
> response.
> 3. When the API is called by ranger admin user, all the datasets are returned
> and only permission for public group is returned in the ACL (no other
> permissions are added in the ACL, even if the user has them in the dataset).
> 
> 
> Thanks,
> 
> Subhrat Chaudhary
> 
>
