-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74825/
-----------------------------------------------------------
(Updated Jan. 29, 2024, 8:04 a.m.)
Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh,
Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan
Periasamy.
Changes
-------
Updated the patch to have the current flow of grant and revoke and added
multiple columns grant and revoke flow as separate path. This will avoid
regression on existing functionality and will help in address the unsupported
features in current patch.
Bugs: RANGER-4638
https://issues.apache.org/jira/browse/RANGER-4638
Repository: ranger
Description
-------
RANGER-4638:Multiple Columns Revoke not generating policies with correct number
of columns
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
7fe2a2eb3
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
0a14b387a
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
f16157ce6
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
e1cd89b70
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
5eee8d11a
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
ec22e01bf
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceisSubSetMatcher.java
PRE-CREATION
agents-common/src/test/resources/resourcematcher/test_defaultpolicyresource_isSubset_matcher.json
PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java
15a1e7118
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
84ee31ba2
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
cc9df27d6
security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
60e34c0c7
security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
a630e575b
Diff: https://reviews.apache.org/r/74825/diff/6/
Changes: https://reviews.apache.org/r/74825/diff/5-6/
Testing
-------
Impala / Hive beeline.
1) "grant select(col1, col2, col3) on table demo.test to role Role1" =>
Create a Grant Policy for the given resource in Hadoop Sql
2) "grant select(col1, col2, col3, col4) on table demo.test to role Role1"
=> updates the policy created in #1 with new col4 resource
if "revoke select(col1, col2, col3, col4) on table demo.test from role
Role1" is done => Since all the columns are revoked for Select, we update the
policy created in #1 with no policy Item for it.
if "revoke select(col1, col2, col3) on table demo.test from role Role1"
is done => policy created in #1 will be updated to remove col1,col2,col3 from
the policy to revoke the access.
3) If "revoke select(col1, col2, col3, col4) on table demo.test from role
Role1" found 2 Matching polcies, say 1st policy matched col1,col2,col3 and
2nd Policy matched col4, then both the policies will be updated for revoking
the corresponding column access.
4) When Multiple Premission are there on the policy and revoke is to remove one
permission, then the policy will be updated by removing the revoked permission.
Grant select on table demo.test to role Role1
Grant Alter on table demo.test to role Role1
Revoke alter table demo.test to role Role1
HBASE shell
grant 'nifi', 'RWXCA', 'test' => create policy with 'RWXCA' access for user
nifi on table 'test'.
revoke 'nifi', 'test' => revoke access for user "nifi" on hbase table 'test'.
Here policy will be removed.
Thanks,
Ramesh Mani
