-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74825/#review226160
-----------------------------------------------------------

security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
Lines 1048 (patched)
<https://reviews.apache.org/r/74825/#comment314441>

If the revoked access types are not exactly the same as the access types granted in the existing policy, then this function returns false. This will lead to revokePolicyResource() getting called. That will remove the resources in the revoke request.

policy-resources : {a, b, c}
policy-allow-accesses : {r, w}

revoke-resources : {a}
revoke-accesses : {w}

will lead to

policy-resources : {b, c}
policy-allow-accesses : {r, w}

The result is resource 'a' loses its 'r' and 'w' access whereas only 'w' access needs to be removed. Please review.


- Abhay Kulkarni


On Jan. 19, 2024, 9:14 a.m., Ramesh Mani wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74825/
> -----------------------------------------------------------
>
> (Updated Jan. 19, 2024, 9:14 a.m.)
>
>
> Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh,
> Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan
> Periasamy.
>
>
> Bugs: RANGER-4638
>     https://issues.apache.org/jira/browse/RANGER-4638
>
>
> Repository: ranger
>
>
> Description
> -------
>
> RANGER-4638:Multiple Columns Revoke not generating policies with correct
> number of columns
>
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 7fe2a2eb3
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 0a14b387a
>   agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java f16157ce6
>   agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java e1cd89b70
>   agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java 5eee8d11a
>   agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java ec22e01bf
>   agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceisCompleteOrSomeMatchMatcher.java PRE-CREATION
>   agents-common/src/test/resources/resourcematcher/test_defaultpolicyresource_isCompleteOrSomeMatch_matcher.json PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 15a1e7118
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 84ee31ba2
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java cc9df27d6
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java 60e34c0c7
>   security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java a630e575b
>
>
> Diff: https://reviews.apache.org/r/74825/diff/4/
>
>
> Testing
> -------
>
> Impala / Hive beeline.
>
> 1) "grant select(col1, col2, col3) on table demo.test to role Role1" =>
> Create a Grant Policy for the given resource in Hadoop Sql
>
>
> 2) "grant select(col1, col2, col3, col4) on table demo.test to role Role1"
> => updates the policy created in #1 with new col4 resource
>
>     if "revoke select(col1, col2, col3, col4) on table demo.test from role
> Role1" is done => Since all the columns are revoked for Select, we update the
> policy created in #1 with no policy Item for it.
>     if "revoke select(col1, col2, col3) on table demo.test from role Role1"
> is done => policy created in #1 will be updated to remove col1,col2,col3 from
> the policy to revoke the access.
>
> 3) If "revoke select(col1, col2, col3, col4) on table demo.test from role
> Role1" found 2 Matching policies, say 1st policy matched col1,col2,col3 and
> 2nd Policy matched col4, then both the policies will be updated for revoking
> the corresponding column access.
>
> 4) When Multiple Permissions are there on the policy and revoke is to remove
> one permission, then the policy will be updated by removing the revoked
> permission.
>     Grant select on table demo.test to role Role1
>     Grant Alter on table demo.test to role Role1
>     Revoke alter table demo.test to role Role1
>
>
>
> HBASE shell
>
> grant 'nifi', 'RWXCA', 'test' => create policy with 'RWXCA' access for user
> nifi on table 'test'.
>
>
> revoke 'nifi', 'test' => revoke access for user "nifi" on hbase table 'test'.
> Here policy will be removed.
>
>
> Thanks,
>
> Ramesh Mani
>
>
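
The case in Abhay Kulkarni's comment at the top of this e-mail, worked through as an added example (not part of the e-mail and not Ranger's code). The `Policy` class and both revoke functions are hypothetical and model a policy as one set of resources sharing one set of accesses; splitting the policy is an assumed way to reach the outcome the comment asks for.

```java
import java.util.*;

public class RevokeSketch {
    // Hypothetical model: a set of resources that all share one set of allowed accesses.
    static final class Policy {
        final Set<String> resources;
        final Set<String> accesses;
        Policy(Collection<String> resources, Collection<String> accesses) {
            this.resources = new TreeSet<>(resources);
            this.accesses = new TreeSet<>(accesses);
        }
        @Override public String toString() { return resources + " -> " + accesses; }
    }

    // Behaviour described in the comment: the revoked resources are dropped from the
    // policy, so they lose every access it granted (revAcc is never consulted).
    static List<Policy> revokeByDroppingResources(Policy p, Set<String> revRes, Set<String> revAcc) {
        Set<String> kept = new TreeSet<>(p.resources);
        kept.removeAll(revRes);
        List<Policy> out = new ArrayList<>();
        if (!kept.isEmpty()) out.add(new Policy(kept, p.accesses));
        return out;
    }

    // Assumed alternative: split the policy so that revoked resources keep the
    // accesses that were not named in the revoke request.
    static List<Policy> revokeBySplitting(Policy p, Set<String> revRes, Set<String> revAcc) {
        Set<String> untouched = new TreeSet<>(p.resources);
        untouched.removeAll(revRes);
        Set<String> affected = new TreeSet<>(p.resources);
        affected.retainAll(revRes);
        Set<String> remaining = new TreeSet<>(p.accesses);
        remaining.removeAll(revAcc);
        List<Policy> out = new ArrayList<>();
        if (!untouched.isEmpty()) out.add(new Policy(untouched, p.accesses));
        // If every access was revoked, the affected resources simply disappear.
        if (!affected.isEmpty() && !remaining.isEmpty()) out.add(new Policy(affected, remaining));
        return out;
    }

    public static void main(String[] args) {
        // Values from the comment: policy {a, b, c} with {r, w}; revoke {w} on {a}.
        Policy policy = new Policy(Arrays.asList("a", "b", "c"), Arrays.asList("r", "w"));
        Set<String> revRes = new TreeSet<>(Arrays.asList("a"));
        Set<String> revAcc = new TreeSet<>(Arrays.asList("w"));
        System.out.println("drop resources: " + revokeByDroppingResources(policy, revRes, revAcc));
        System.out.println("split policy:   " + revokeBySplitting(policy, revRes, revAcc));
    }
}
```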
