----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/74825/ -----------------------------------------------------------
(Updated Jan. 29, 2024, 8:04 a.m.) Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy. Changes ------- Updated the patch to have the current flow of grant and revoke and added multiple columns grant and revoke flow as separate path. This will avoid regression on existing functionality and will help in address the unsupported features in current patch. Bugs: RANGER-4638 https://issues.apache.org/jira/browse/RANGER-4638 Repository: ranger Description ------- RANGER-4638:Multiple Columns Revoke not generating policies with correct number of columns Diffs (updated) ----- agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 7fe2a2eb3 agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 0a14b387a agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java f16157ce6 agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java e1cd89b70 agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java 5eee8d11a agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java ec22e01bf agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceisSubSetMatcher.java PRE-CREATION agents-common/src/test/resources/resourcematcher/test_defaultpolicyresource_isSubset_matcher.json PRE-CREATION security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 15a1e7118 security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 84ee31ba2 security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java cc9df27d6 security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java 60e34c0c7 security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java a630e575b Diff: https://reviews.apache.org/r/74825/diff/6/ Changes: https://reviews.apache.org/r/74825/diff/5-6/ Testing ------- Impala / Hive beeline. 1) "grant select(col1, col2, col3) on table demo.test to role Role1" => Create a Grant Policy for the given resource in Hadoop Sql 2) "grant select(col1, col2, col3, col4) on table demo.test to role Role1" => updates the policy created in #1 with new col4 resource if "revoke select(col1, col2, col3, col4) on table demo.test from role Role1" is done => Since all the columns are revoked for Select, we update the policy created in #1 with no policy Item for it. if "revoke select(col1, col2, col3) on table demo.test from role Role1" is done => policy created in #1 will be updated to remove col1,col2,col3 from the policy to revoke the access. 3) If "revoke select(col1, col2, col3, col4) on table demo.test from role Role1" found 2 Matching polcies, say 1st policy matched col1,col2,col3 and 2nd Policy matched col4, then both the policies will be updated for revoking the corresponding column access. 4) When Multiple Premission are there on the policy and revoke is to remove one permission, then the policy will be updated by removing the revoked permission. Grant select on table demo.test to role Role1 Grant Alter on table demo.test to role Role1 Revoke alter table demo.test to role Role1 HBASE shell grant 'nifi', 'RWXCA', 'test' => create policy with 'RWXCA' access for user nifi on table 'test'. revoke 'nifi', 'test' => revoke access for user "nifi" on hbase table 'test'. Here policy will be removed. Thanks, Ramesh Mani