----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/75024/#review226542 -----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java Lines 115 (patched) <https://reviews.apache.org/r/75024/#comment314789> Is the special treament for tag service-def needed in line #115? I suggest removing #115 and using the value from #114 as the default. security-admin/src/main/java/org/apache/ranger/patch/PatchForUpdatingAtlasSvcDefAndTagPolicies_J10062.java Lines 103 (patched) <https://reviews.apache.org/r/75024/#comment314790> updateTagServiceDef() => updateAtlasServiceDef() security-admin/src/main/java/org/apache/ranger/patch/PatchForUpdatingAtlasSvcDefAndTagPolicies_J10062.java Lines 117 (patched) <https://reviews.apache.org/r/75024/#comment314804> serviceDefOptionsUpdate is null (i.e. the service-def in the database doesn't have any options set), create and save it. if (serviceDefOptionsUpdate == null) { serviceDefOptionsUpdate = new HashMap<>(); } serviceDefOptionsUpdate.put(RangerServiceDef.OPTION_ENABLE_TAG_BASED_POLICIES, "false"); ... security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefService.java Lines 77 (patched) <https://reviews.apache.org/r/75024/#comment314791> The special treatment for EMBEDDED_SERVICEDEF_TAG_NAME seem unnecessary here. Please review. - Madhan Neethiraj On June 13, 2024, 7:17 a.m., Rakesh Gupta wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/75024/ > ----------------------------------------------------------- > > (Updated June 13, 2024, 7:17 a.m.) > > > Review request for ranger, Dineshkumar Yadav, Kishor Gollapalliwar, Mehul > Parikh, Pradeep Agrawal, and sanket shelar. > > > Bugs: RANGER-4805 > https://issues.apache.org/jira/browse/RANGER-4805 > > > Repository: ranger > > > Description > ------- > > Steps to reproduce: > > Created a tag policy for a `test` classification > Added deny permission for user `tuser` > Access entity tagged with `test` classification through `tuser` through Atlas > UI > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java > 18ee3adc3 > > agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java > 5c06cd602 > > agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java > f9816546a > agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json > c98da315d > security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql > e1e2274b6 > security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql > ec0a5ba3a > security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql > bbe5975e8 > > security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql > 2e0a000a3 > security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql > 7a7b3a5c8 > > security-admin/src/main/java/org/apache/ranger/patch/PatchForUpdatingAtlasSvcDefAndTagPolicies_J10062.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefService.java > 7d363c4c7 > > > Diff: https://reviews.apache.org/r/75024/diff/2/ > > > Testing > ------- > > 1)Verified that while creating or updating a Tag-based policy, the accessType > for the Atlas service is not allowed. > 2)Confirmed that the accessType for the Atlas service is not included in the > default Tag-based policy. > 3)Tested upgrade scenarios, any existing Tag-based policies have the > accessType for the Atlas service removed and verified the serviceDef are > updated with RangerServiceDef.options. > > > Thanks, > > Rakesh Gupta > >
