-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/75084/
-----------------------------------------------------------
Review request for ranger, madhan, Madhan Neethiraj, Pradeep Agrawal, and
Velmurugan Periasamy.
Bugs: RANGER-4852
https://issues.apache.org/jira/browse/RANGER-4852
Repository: ranger
Description
-------
When tags are de-duplicated and tag deltas are enabled, multiple tagged
entities point to the same base tag object. Removing a tag association from any
of the tagged entities may cause all entities to lose their associations with
the base tag.
Diffs
-----
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminTagRetriever.java
b2b7d5f71
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagRetriever.java
2a3643399
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
0208e6892
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagRetriever.java
d7c737525
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceTags.java
a06945105
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java
23689790d
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerServiceTagsDeltaUtil.java
f2e68aed9
agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceTags.java
3f981e558
security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java 9ecbb14ac
security-admin/src/main/java/org/apache/ranger/common/RangerServiceTagsCache.java
2aecc4388
Diff: https://reviews.apache.org/r/75084/diff/1/
Testing
-------
Passed all unit tests.
Tested the following scenario in the cluster:
Create a table in Hive, table_1
1. Create table table_1(c0 int);
2. Create a tag
3. Associate the tag to table_1
3. Create a table in Hive, table_2 as below
4. Create table table_2(c0 int);
5. Associate the same tag to table_2.
5. Create a tag policy in Ranger, on tag tag_1, allowing "Select", "Update",
"Create", "Drop", "Alter", "Index", "All" permissions to another test user, say
hrt_21.
6. As hrt_21 user, run the following queries
select * from table_1;
select * from table_2;
Both the queries should be allowed.
7. Remove tag from table_1
8. As hrt_21 user, try a select operation from table_1; it will be denied
(expected behaviour, as the tag is not associated with the table).
9. As hrt_21 user, try a select operation from table_2; it is denied. The
expected behaviour in this scenario is that the select operation should be
allowed, as the tag is still associated with table_2.
Thanks,
Abhay Kulkarni
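
A simplified model of the failure described in this request, added as an example; it is not part of the review request and is not Ranger's code. The class, its two maps and the method names are hypothetical, and the flawed variant is only one assumed way a shared base tag can be lost when a single association is removed.

```java
import java.util.*;

// Simplified model of de-duplicated tags; NOT Ranger's ServiceTags or delta-utility code.
public class SharedTagDeltaDemo {
    // tagId -> tag type; one base tag object shared by every entity that carries it
    final Map<Long, String> tags = new HashMap<>();
    // resource name -> ids of the base tags associated with it
    final Map<String, Set<Long>> resourceToTagIds = new HashMap<>();

    void associate(String resource, long tagId, String tagType) {
        tags.putIfAbsent(tagId, tagType);
        resourceToTagIds.computeIfAbsent(resource, r -> new HashSet<>()).add(tagId);
    }

    // Flawed handling (assumed): drops the shared base tag along with one entity's association.
    void removeAssociationFlawed(String resource, long tagId) {
        Set<Long> ids = resourceToTagIds.get(resource);
        if (ids != null) ids.remove(tagId);
        tags.remove(tagId);
    }

    // Checked handling: drop the base tag only when no entity references it any more.
    void removeAssociationChecked(String resource, long tagId) {
        Set<Long> ids = resourceToTagIds.get(resource);
        if (ids != null) ids.remove(tagId);
        boolean stillUsed = resourceToTagIds.values().stream().anyMatch(s -> s.contains(tagId));
        if (!stillUsed) tags.remove(tagId);
    }

    // A tag policy on tagType applies only if the resource maps to a base tag that still resolves.
    boolean tagPolicyApplies(String resource, String tagType) {
        for (long id : resourceToTagIds.getOrDefault(resource, Collections.emptySet())) {
            if (tagType.equals(tags.get(id))) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        for (boolean flawed : new boolean[] {true, false}) {
            SharedTagDeltaDemo store = new SharedTagDeltaDemo();
            store.associate("table_1", 1L, "tag_1"); // constructed sample data
            store.associate("table_2", 1L, "tag_1"); // same base tag, de-duplicated
            if (flawed) store.removeAssociationFlawed("table_1", 1L);
            else store.removeAssociationChecked("table_1", 1L);
            System.out.println((flawed ? "flawed : " : "checked: ")
                + "table_1=" + store.tagPolicyApplies("table_1", "tag_1")
                + " table_2=" + store.tagPolicyApplies("table_2", "tag_1"));
        }
    }
}
```

The two runs mirror steps 7 to 9 of the test scenario: in the flawed run the tag policy stops applying to table_2 as well, while in the checked run only table_1 loses it.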