----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/75084/#review226666 -----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagRetriever.java Line 182 (original), 178 (patched) <https://reviews.apache.org/r/75084/#comment314920> Since ret is already deDuped, is this block (#178 - #181) necessary? Same for the block at #203 as well. agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java Lines 312 (patched) <https://reviews.apache.org/r/75084/#comment314921> Since serviceTags is already deDuped, is this block (#312 - #316) necessary? agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceTags.java Line 260 (original), 285 (patched) <https://reviews.apache.org/r/75084/#comment314922> Consider simplifying #281 - #306 with the following: Long tagId = listIter.next(); for (Long replacerTagId = replacedIds.get(tagId); replacerTagId != null; replacerTagId = replacedIds.get(replacerTagId)) { tagId = replacerTagId; } listIter.set(tagId); RangerTag tag = tags.get(tagId); if (tag != null) { MutablePair<Long, Long> cachedTag = cachedTags.get(tag); if (cachedTag != null) { cachedTag.right++; } } - Madhan Neethiraj On July 11, 2024, 9:08 p.m., Abhay Kulkarni wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/75084/ > ----------------------------------------------------------- > > (Updated July 11, 2024, 9:08 p.m.) > > > Review request for ranger, madhan, Madhan Neethiraj, Pradeep Agrawal, and > Velmurugan Periasamy. > > > Bugs: RANGER-4852 > https://issues.apache.org/jira/browse/RANGER-4852 > > > Repository: ranger > > > Description > ------- > > When tags are de-duplicated and tag deltas are enabled, multiple tagged > entities point to the same base tag object. Removing tag association from any > of the tagged entities may cause all entities to lose their associations with > the base tag. > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminTagRetriever.java > b2b7d5f71 > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagRetriever.java > 2a3643399 > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java > 0208e6892 > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagRetriever.java > d7c737525 > > agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceTags.java > a06945105 > > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java > 23689790d > > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerServiceTagsDeltaUtil.java > f2e68aed9 > agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceTags.java > 3f981e558 > security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java > 9ecbb14ac > > security-admin/src/main/java/org/apache/ranger/common/RangerServiceTagsCache.java > 2aecc4388 > > > Diff: https://reviews.apache.org/r/75084/diff/1/ > > > Testing > ------- > > Passed all unit tests. > > Tested the following scenario in the cluster: > > Create a table in Hive, table_1 > > 1. Create table table_1(c0 int); > 2. Create a tag > 3. Associate the tag to table_1 > 3. Create a table in Hive, table_2 as below > 4. Create table table_2(c0 int); > 5. Associate the same tag to table_2. > 5. Create a tag policy in Ranger, on tag tag_1, allowing "Select", "Update", > "Create", "Drop", "Alter", "Index", "All" permissions to another test user, > say hrt_21. > 6. As hrt_21 user, run the following queries > > select * from table_1; > select * from table_2; > Both the queries should be allowed. > 7. Remove tag from table_1 > 8. As hrt_21 user, try a select operation from table_1, it will be denied > (Expected behaviour as the tag is not associated with the table). > 9. As hrt_21 user, try a select operation from table_2, it is denied. The > expected behaviour in this scenario is that the select operation should be > allowed as the tag is still associated with table_2. > > > Thanks, > > Abhay Kulkarni > >
