> On May 6, 2024, 10:54 p.m., Madhan Neethiraj wrote:
> > > For the change only in security-zone resource name (resource count of the
> > > zone is same), admin audit is not generated.
> > Subhrat - instead of skipping admin audit in this scenario, I suggest the audit
> > indicate that resources have been updated in services - with text like
> > '{ "dev_hdfs": "resources updated", "dev_hbase": "resources updated" }'
> >
> > if (oldValue == null || oldValue.equalsIgnoreCase(value)) { // existing line #357
> >     Map<String, String> resourceUpdateSummary =
> >         getResourceUpdateSummary(securityZoneDB.getServices(),
> >                                  vSecurityZone.getServices());
> >
> >     if (MapUtils.isNotEmpty(resourceUpdateSummary)) {
> >         oldValue = "";
> >         value = new Gson().toJson(resourceUpdateSummary, Map.class);
> >     } else {
> >         continue;
> >     }
> > } else {
> >     continue; // existing line #358
> > } // existing line #359
JSON of Map<String, String> does not work, since the UI is expecting JSON of
Map<String, Map<String, RangerSecurityZoneService>>.
Please review the changes. One drawback with this approach is - if there are multiple
services in the zone and the resource name for only one service is updated, the audit
for all the services will be updated as -- service_name : resources updated.
Please refer to the attached image.
The proper solution for this would be to implement
getResourceUpdateSummary(securityZoneDB.getServices(),
vSecurityZone.getServices()), iterating through each service, comparing the
resource JSON with the older version, updating the ones for which resources have
changed, and returning JSON of Map<String, Map<String, RangerSecurityZoneService>>.
I tried working on this approach, but the changes were getting too complex and
extensive for this case. Please suggest.
- Subhrat
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74974/#review226415
-----------------------------------------------------------
On May 9, 2024, 10:09 p.m., Subhrat Chaudhary wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74974/
> -----------------------------------------------------------
>
> (Updated May 9, 2024, 10:09 p.m.)
>
>
> Review request for ranger, Anand Nadar, Asit Vadhavkar, Madhan Neethiraj,
> Monika Kachhadiya, and Siddhesh Phatak.
>
>
> Bugs: RANGER-4789
> https://issues.apache.org/jira/browse/RANGER-4789
>
>
> Repository: ranger
>
>
> Description
> -------
>
> In security-zone when resource name is updated, admin audit is generated for
> same, with details about old and new value.
>
> When the json data compression is enabled in the security-zone with the
> property:
>
> ranger.admin.store.security.zone.compress.json_data
>
> the old and new value in the generated admin audit is blank, when only the
> resource name is changed. The reason for this is, if compression is enabled,
> only the resource count is added in the new and old values. Hence if the
> resource count does not change, change details in the admin audit are blank.
>
> In the code flow to update security-zone, when no change is noticed in the
> new and old values, a dummy admin audit is being added with null for old and
> new values. In this fix, removing that code block.
>
>
> Diffs
> -----
>
>
> security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneServiceService.java
> a4b7616e1
>
>
> Diff: https://reviews.apache.org/r/74974/diff/2/
>
>
> Testing
> -------
>
> Validations done:
> 1. For the change only in security-zone resource name (resource count of the
> zone is same), admin audit is not generated.
> 2. For above case x_service_version_info.policy_version is incremented (same
> as existing behavior).
> 3. If a resource is added or removed from the security-zone, admin audit is
> generated for same.
> 4. All the existing Junits are passing
>
>
> File Attachments
> ----------------
>
> audit.png
>
> https://reviews.apache.org/media/uploaded/files/2024/05/09/e0b4debc-b20e-41a2-a635-1bf766d87efd__audit.png
>
>
> Thanks,
>
> Subhrat Chaudhary
>
>
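The per-service comparison discussed in the thread, as an added example that is not code from the review request or from Ranger: it reports only the services whose resources actually changed, so a rename with an unchanged resource count still produces an audit entry. The class name, the `normalize` helper and the plain-collection resource shape (a list of resource maps per service) are assumptions standing in for Ranger's own types, and the result is the simple `Map<String, String>` summary rather than the structure the UI expects.

```java
import java.util.*;

public class ZoneResourceAuditSummary {
    // Hypothetical helper: the name comes from the thread, the body is an illustration.
    // Each service maps to its resource list, e.g. [{"path": ["/data/a"]}] (assumed shape).
    static Map<String, String> getResourceUpdateSummary(
            Map<String, List<Map<String, List<String>>>> oldServices,
            Map<String, List<Map<String, List<String>>>> newServices) {
        Map<String, String> summary = new TreeMap<>();
        Set<String> names = new TreeSet<>(oldServices.keySet());
        names.addAll(newServices.keySet());

        for (String name : names) {
            // A service missing on one side is compared against an empty resource list.
            var before = oldServices.getOrDefault(name, List.of());
            var after  = newServices.getOrDefault(name, List.of());
            if (!normalize(before).equals(normalize(after))) {
                summary.put(name, "resources updated");
            }
        }
        return summary;
    }

    // Order-insensitive view, so reordering resources or values is not reported as a change.
    static Set<Map<String, Set<String>>> normalize(List<Map<String, List<String>>> resources) {
        Set<Map<String, Set<String>>> out = new HashSet<>();
        for (Map<String, List<String>> resource : resources) {
            Map<String, Set<String>> m = new HashMap<>();
            resource.forEach((key, values) -> m.put(key, new HashSet<>(values)));
            out.add(m);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: only dev_hdfs has a renamed resource; counts are unchanged.
        Map<String, List<Map<String, List<String>>>> oldServices = Map.of(
            "dev_hdfs",  List.of(Map.of("path",  List.of("/data/a"))),
            "dev_hbase", List.of(Map.of("table", List.of("t1"))));
        Map<String, List<Map<String, List<String>>>> newServices = Map.of(
            "dev_hdfs",  List.of(Map.of("path",  List.of("/data/b"))),
            "dev_hbase", List.of(Map.of("table", List.of("t1"))));

        // Only the changed service appears in the summary.
        System.out.println(getResourceUpdateSummary(oldServices, newServices));
    }
}
```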