Re: Review Request 74825: RANGER-4638:Multiple Columns Revoke not generating policies with correct number of columns

Madhan Neethiraj Fri, 19 Jan 2024 15:14:07 -0800

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74825/#review226159
-----------------------------------------------------------





agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
Lines 115 (patched)
<https://reviews.apache.org/r/74825/#comment314438>

    Consider renaming isCompleteOrSomeMatch() as isSubsetMatch()



agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
Lines 403 (patched)
<https://reviews.apache.org/r/74825/#comment314436>

    The body of 'if' and 'else' are equivalent; please review and replace #403 
to #407 with #406.



agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
Lines 272 (patched)
<https://reviews.apache.org/r/74825/#comment314439>

    Flags optIgnoreCase and optQuotedCaseSensitive are not handled here. Please 
review #236 above and update here to be consistent.



agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
Lines 278 (patched)
<https://reviews.apache.org/r/74825/#comment314437>

    line #278 is not necessary, as this is already handled in #274



security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java
Lines 50 (patched)
<https://reviews.apache.org/r/74825/#comment314440>

    rangerAccessRequest => request



security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
Lines 418 (patched)
<https://reviews.apache.org/r/74825/#comment314442>

    - rangerAccessRequest => request
    - resource and evalContext are already present in request, so these 
parameters can be removed
    - getMatchingPolicies() => getPoliciesHavingResource() - to avoid potential 
confusion that this method returns policies that match the request (including 
user/groups/roles/action/..)



security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
Line 1277 (original), 1278 (patched)
<https://reviews.apache.org/r/74825/#comment314443>

    rangerAccessRequest => accessRequest



security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
Lines 1281 (patched)
<https://reviews.apache.org/r/74825/#comment314444>

    For grant, shouldn't the update be done only on 'exact-match' policy? Else, 
the update might end up granting the user access to more resources. Please 
review and update.
    
    I think current grant implementation wouldn't need any update.



security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
Line 1391 (original), 1395 (patched)
<https://reviews.apache.org/r/74825/#comment314445>

    rangerAccessRequest => accessRequest



security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
Lines 1398 (patched)
<https://reviews.apache.org/r/74825/#comment314446>

    For grant, shouldn't the update be done only on 'exact-match' policy? Else, 
the update might end up granting the user access to more resources. Please 
review and update.
    
    I think current grant implementation wouldn't need any update.


- Madhan Neethiraj


On Jan. 19, 2024, 9:14 a.m., Ramesh Mani wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74825/
> -----------------------------------------------------------
> 
> (Updated Jan. 19, 2024, 9:14 a.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, 
> Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-4638
>     https://issues.apache.org/jira/browse/RANGER-4638
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RANGER-4638:Multiple Columns Revoke not generating policies with correct 
> number of columns
> 
> 
> Diffs
> -----
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  7fe2a2eb3 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
>  0a14b387a 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
>  f16157ce6 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
>  e1cd89b70 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
>  5eee8d11a 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
>  ec22e01bf 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceisCompleteOrSomeMatchMatcher.java
>  PRE-CREATION 
>   
> agents-common/src/test/resources/resourcematcher/test_defaultpolicyresource_isCompleteOrSomeMatch_matcher.json
>  PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 
> 15a1e7118 
>   
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
> 84ee31ba2 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
> cc9df27d6 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java 
> 60e34c0c7 
>   security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 
> a630e575b 
> 
> 
> Diff: https://reviews.apache.org/r/74825/diff/4/
> 
> 
> Testing
> -------
> 
> Impala / Hive beeline.
> 
> 1) "grant select(col1, col2, col3)  on table demo.test  to role Role1"  => 
> Create a Grant Policy for the given resource in Hadoop Sql
>    
> 
> 2) "grant select(col1, col2, col3, col4)  on table demo.test  to role Role1"  
> => updates the policy created in #1 with new col4 resource
> 
>      if  "revoke select(col1, col2, col3, col4) on table demo.test from role 
> Role1" is done => Since all the columns are revoked for Select, we update the 
> policy created in #1 with no policy Item for it.
>      if  "revoke select(col1, col2, col3) on table demo.test from role Role1" 
> is done => policy created in #1 will be updated to remove col1,col2,col3 from 
> the policy to revoke the access.
>      
> 3) If "revoke select(col1, col2, col3, col4) on table demo.test from role 
> Role1" found 2 Matching polcies,  say 1st policy matched col1,col2,col3 and  
> 2nd Policy matched col4, then both the policies will be updated for revoking 
> the corresponding column access.
> 
> 4) When Multiple Premission are there on the policy and revoke is to remove 
> one permission, then the policy will be updated by removing the revoked 
> permission.
>      Grant select on table demo.test  to role Role1
>      Grant Alter on table demo.test  to role Role1
>      Revoke alter table demo.test  to role Role1
> 
>      
> 
> HBASE shell
> 
> grant 'nifi', 'RWXCA', 'test'  => create policy with 'RWXCA' access for user 
> nifi on table 'test'.
> 
> 
> revoke 'nifi', 'test' => revoke access for user "nifi" on hbase table 'test'. 
> Here policy will be removed.
> 
> 
> Thanks,
> 
> Ramesh Mani
> 
>

Re: Review Request 74825: RANGER-4638:Multiple Columns Revoke not generating policies with correct number of columns

Reply via email to