> On July 11, 2024, 10:43 p.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
> > Lines 312 (patched)
> > <https://reviews.apache.org/r/75084/diff/1/?file=2290893#file2290893line312>
> >
> > Since serviceTags is already deDuped, is this block (#312 - #316) necessary?

It is necessary to keep the ServiceTags.cachedTags object in sync with the Admin server's copy of ServiceTags. cachedTags are NOT serialized and downloaded as part of tags download.

- Abhay

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/75084/#review226666
-----------------------------------------------------------

On July 12, 2024, 11:16 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/75084/
> -----------------------------------------------------------
>
> (Updated July 12, 2024, 11:16 p.m.)
>
>
> Review request for ranger, madhan, Madhan Neethiraj, Pradeep Agrawal, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-4852
>     https://issues.apache.org/jira/browse/RANGER-4852
>
>
> Repository: ranger
>
>
> Description
> -------
>
> When tags are de-duplicated and tag deltas are enabled, multiple tagged entities point to the same base tag object. Removing tag association from any of the tagged entities may cause all entities to lose their associations with the base tag.
>
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminTagRetriever.java b2b7d5f71
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerFileBasedTagRetriever.java 2a3643399
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java 0208e6892
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagRetriever.java d7c737525
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceTags.java 59288f7d5
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java 23689790d
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerServiceTagsDeltaUtil.java f2e68aed9
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceTags.java 39110357d
>   security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java 9ecbb14ac
>   security-admin/src/main/java/org/apache/ranger/common/RangerServiceTagsCache.java 2aecc4388
>
>
> Diff: https://reviews.apache.org/r/75084/diff/2/
>
>
> Testing
> -------
>
> Passed all unit tests.
>
> Tested the following scenario in the cluster:
>
> Create a table in Hive, table_1
>
> 1. Create table table_1(c0 int);
> 2. Create a tag
> 3. Associate the tag to table_1
> 3. Create a table in Hive, table_2 as below
> 4. Create table table_2(c0 int);
> 5. Associate the same tag to table_2.
> 5. Create a tag policy in Ranger, on tag tag_1, allowing "Select", "Update", "Create", "Drop", "Alter", "Index", "All" permissions to another test user, say hrt_21.
> 6. As hrt_21 user, run the following queries
>
> select * from table_1;
> select * from table_2;
> Both the queries should be allowed.
> 7. Remove tag from table_1
> 8. As hrt_21 user, try a select operation from table_1, it will be denied (Expected behaviour as the tag is not associated with the table).
> 9. As hrt_21 user, try a select operation from table_2, it is denied. The expected behaviour in this scenario is that the select operation should be allowed as the tag is still associated with table_2.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
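
The failure described in the review request above, shown as an added example that is not part of the original e-mail and is not Ranger's code: a simplified model in which two entities share one de-duplicated base tag, with a flawed and a corrected removal. All class, method and field names are hypothetical, and the removal logic is an assumption made for illustration; only `table_1`, `table_2` and `tag_1` come from the test scenario.

```java
import java.util.*;

// Simplified model of de-duplicated tags (hypothetical names, not Ranger's classes).
public class SharedTagDeltaDemo {
    // One base tag object per distinct tag; entities refer to it by id.
    static final Map<Long, String> tags = new HashMap<>();
    static final Map<String, Set<Long>> entityToTagIds = new HashMap<>();

    static void associate(String entity, long tagId, String tagType) {
        tags.putIfAbsent(tagId, tagType);
        entityToTagIds.computeIfAbsent(entity, k -> new HashSet<>()).add(tagId);
    }

    // Flawed removal: dropping one association also drops the shared base tag.
    static void removeFlawed(String entity, long tagId) {
        entityToTagIds.getOrDefault(entity, new HashSet<>()).remove(tagId);
        tags.remove(tagId);
    }

    // Corrected removal: drop the base tag only when no entity still refers to it.
    static void removeChecked(String entity, long tagId) {
        Set<Long> ids = entityToTagIds.get(entity);
        if (ids != null) ids.remove(tagId);
        boolean stillUsed = entityToTagIds.values().stream().anyMatch(s -> s.contains(tagId));
        if (!stillUsed) tags.remove(tagId);
    }

    // A tag policy applies only if the entity maps to a tag id that still resolves.
    static boolean tagPolicyApplies(String entity, String tagType) {
        for (long id : entityToTagIds.getOrDefault(entity, Collections.emptySet())) {
            if (tagType.equals(tags.get(id))) return true;
        }
        return false;
    }

    // Rebuild the scenario from the e-mail: both tables carry the same tag.
    static void reset() {
        tags.clear();
        entityToTagIds.clear();
        associate("table_1", 1L, "tag_1");
        associate("table_2", 1L, "tag_1");
    }

    public static void main(String[] args) {
        reset();
        removeFlawed("table_1", 1L);
        System.out.println("flawed:  table_2 still covered by tag_1 policy? "
                + tagPolicyApplies("table_2", "tag_1"));
        reset();
        removeChecked("table_1", 1L);
        System.out.println("checked: table_2 still covered by tag_1 policy? "
                + tagPolicyApplies("table_2", "tag_1"));
    }
}
```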
