-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74974/#review226415
-----------------------------------------------------------



> For the change only in security-zone resource name (resource count of the 
> zone is same), admin audit is not generated.
Subhrat - instead of skipping admin audit in this scenario, I suggest audit to 
indicate that resources have been updated in services - with text like 
'{ "dev_hdfs": "resources updated", "dev_hbase": "resources updated" }'

if (oldValue == null || oldValue.equalsIgnoreCase(value)) { // existing line #357
  Map<String, String> resourceUpdateSummary = getResourceUpdateSummary(securityZoneDB.getServices(), vSecurityZone.getServices());

  if (MapUtils.isNotEmpty(resourceUpdateSummary)) {
    oldValue = "";
    value    = new Gson().toJson(resourceUpdateSummary, Map.class);
  } else {
    continue;
  }
} else {
  continue; // existing line #358
} // existing line #359

- Madhan Neethiraj


On May 3, 2024, 12:45 p.m., Subhrat Chaudhary wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74974/
> -----------------------------------------------------------
> 
> (Updated May 3, 2024, 12:45 p.m.)
> 
> 
> Review request for ranger, Anand Nadar, Asit Vadhavkar, Madhan Neethiraj, 
> Monika Kachhadiya, and Siddhesh Phatak.
> 
> 
> Bugs: RANGER-4789
>     https://issues.apache.org/jira/browse/RANGER-4789
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> In security-zone when resource name is updated, admin audit is generated for 
> same, with details about old and new value.
> 
> When the json data compression is enabled in the security-zone with the 
> property:
> 
> ranger.admin.store.security.zone.compress.json_data
> 
> the old and new values in the generated admin audit are blank when only the 
> resource name is changed. The reason for this is that, if compression is 
> enabled, only the resource count is added in the new and old values. Hence, 
> if the resource count does not change, the change details in the admin audit 
> are blank.
> 
> In the code flow to update security-zone, when no change is noticed in the 
> new and old values, a dummy admin audit is being added with null for old and 
> new values. In this fix, removing that code block.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 5534c8056 
>   security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneServiceService.java a6cb2ae74 
> 
> 
> Diff: https://reviews.apache.org/r/74974/diff/1/
> 
> 
> Testing
> -------
> 
> Validations done:
> 1. For the change only in security-zone resource name (resource count of the 
> zone is same), admin audit is not generated.
> 2. For above case x_service_version_info.policy_version is incremented (same 
> as existing behavior).
> 3. If a resource is added or removed from the security-zone, admin audit is 
> generated for same.
> 4. All the existing Junits are passing
> 
> 
> Thanks,
> 
> Subhrat Chaudhary
> 
>
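
An added sketch, not part of the review thread or of the Ranger code base, of what the suggested getResourceUpdateSummary() helper could compute when the count-only audit values are equal. The generic signature, the countOnlyValue() stand-in for the compressed audit value, and the sample zone data are assumptions; JSON serialisation is left out.

```java
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.TreeMap;

public class ZoneResourceAuditExample {
    // Stand-in for the compressed audit value: per-service resource counts only.
    // The real format Ranger stores is not shown in this thread.
    static <R> String countOnlyValue(Map<String, List<R>> services) {
        Map<String, Integer> counts = new TreeMap<>();
        services.forEach((name, resources) -> counts.put(name, resources.size()));
        return counts.toString();
    }

    // Hypothetical body for getResourceUpdateSummary(): one entry per service
    // whose resource list differs between the stored and the updated zone.
    // List.equals is order-sensitive, so a reordered list also counts as updated.
    static <R> Map<String, String> getResourceUpdateSummary(Map<String, List<R>> oldServices,
                                                            Map<String, List<R>> newServices) {
        Map<String, String> summary = new TreeMap<>();
        for (Map.Entry<String, List<R>> entry : newServices.entrySet()) {
            if (!Objects.equals(oldServices.get(entry.getKey()), entry.getValue())) {
                summary.put(entry.getKey(), "resources updated");
            }
        }
        return summary;
    }

    public static void main(String[] args) {
        // Constructed sample zone: one HDFS path is renamed, HBase is untouched.
        Map<String, List<Map<String, List<String>>>> stored = Map.of(
                "dev_hdfs", List.of(Map.of("path", List.of("/finance"))),
                "dev_hbase", List.of(Map.of("table", List.of("orders"))));
        Map<String, List<Map<String, List<String>>>> updated = Map.of(
                "dev_hdfs", List.of(Map.of("path", List.of("/finance_archive"))),
                "dev_hbase", List.of(Map.of("table", List.of("orders"))));

        String oldValue = countOnlyValue(stored);
        String value    = countOnlyValue(updated);
        // Counts match, so a count-based audit record has nothing to show.
        System.out.println("count-only values equal: " + oldValue.equalsIgnoreCase(value));
        // The per-service summary still records which service changed.
        System.out.println("audit value: " + getResourceUpdateSummary(stored, updated));
    }
}
```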
