-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/75252/#review227030
-----------------------------------------------------------

agents-common/src/main/java/org/apache/ranger/plugin/model/RangerGds.java
Lines 894 (patched)
<https://reviews.apache.org/r/75252/#comment315299>

    How about replacing principalType and principalName with RangerPrincipal?


security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java
Lines 1901 (patched)
<https://reviews.apache.org/r/75252/#comment315301>

    Missing ')'. Please review all log statements and update where needed.


security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java
Lines 1922 (patched)
<https://reviews.apache.org/r/75252/#comment315304>

    Returning empty list seems a better choice for line #1919 and #1922.


security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java
Lines 1964 (patched)
<https://reviews.apache.org/r/75252/#comment315305>

    Consider returning SC_NOT_MODIFIED when no policies are updated.


security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java
Lines 1967 (patched)
<https://reviews.apache.org/r/75252/#comment315303>

    If no policies exist for the dataset, it should be created by this API.


security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java
Lines 1984 (patched)
<https://reviews.apache.org/r/75252/#comment315300>

    Following methods can be private:
     - filterPolicyItemsByRequest()
     - transformPolicyItemsToGrants()
     - rangerPolicyHeaderOf()
     - updatePolicyWithModifiedGrants()


security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java
Lines 2063 (patched)
<https://reviews.apache.org/r/75252/#comment315309>

    If rangerGrants has multiple entries for a principal, only the last grant will be in the policy. This doesn't seem correct.

    rangerGrants: [
      { "user": "user1", "access": "read" },
      { "user": "user1", "access": "write", "condition": "..." }
    ]


security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java
Lines 2102 (patched)
<https://reviews.apache.org/r/75252/#comment315308>

    Introduce a constant for "expression":

    public static final String GDS_SERVICEDEF_EXPR_CONDITION = "expression";


security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java
Lines 2106 (patched)
<https://reviews.apache.org/r/75252/#comment315307>

    RangerPrincipal principal = grant.getPrincipal();

    if (principal.getType() == RangerPrincipal.PrincipalType.USER) {
      policyItem.setUsers(Collections.singletonList(principal.getName()));
    } else if (principal.getType() == RangerPrincipal.PrincipalType.GROUP) {
      policyItem.setGroups(Collections.singletonList(principal.getName()));
    } else if (principal.getType() == RangerPrincipal.PrincipalType.ROLE) {
      policyItem.setRoles(Collections.singletonList(principal.getName()));
    }


security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java
Lines 2121 (patched)
<https://reviews.apache.org/r/75252/#comment315306>

    Instead of converting to String, consider using RangerPrincipal.PrincipalType.

    RangerPrincipal principal = grant.getPrincipal();

    return policyItem -> {
      // enum constants are unqualified in case labels
      switch (principal.getType()) {
        case USER:
          return policyItem.getUsers().contains(principal.getName());
        case GROUP:
          return policyItem.getGroups().contains(principal.getName());
        case ROLE:
          return policyItem.getRoles().contains(principal.getName());
      }

      return false;
    };


- Madhan Neethiraj


On Nov. 6, 2024, 3:41 a.m., Radhika Kundam wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/75252/
> -----------------------------------------------------------
> 
> (Updated Nov. 6, 2024, 3:41 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj and Ramesh Mani.
> 
> 
> Bugs: RANGER-4960
>     https://issues.apache.org/jira/browse/RANGER-4960
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> This Grant API introduces functionality to grant or revoke specific
> permissions on datasets to external users, groups, or roles. It includes
> support for defining access validity based on policy item conditions.
> 
> Key features include:
> 1. Permission Management: Enables granting and revoking access to datasets
> for designated users, groups, or roles.
> 2. Policy-Based Validity: Allows setting validity periods and conditions
> within policy items, defining the scope and duration of access for each user,
> group, or role.
> 
> This API enhancement provides flexibility in managing dataset permissions,
> improving security and control over data access.
> 
> Attached file for Grant API UseCases.
> 
> Detailed information about Grant API request and response attached to Jira.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerGrant.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyHeader.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java a6c6746b3
>   security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java c66429834
>   security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java acfce5f0a
>   security-admin/src/test/java/org/apache/ranger/rest/TestGdsREST.java PRE-CREATION
> 
> 
> Diff: https://reviews.apache.org/r/75252/diff/3/
> 
> 
> Testing
> -------
> 
> Tested locally.
> 
> 
> File Attachments
> ----------------
> 
> Grant API UseCases
>   https://reviews.apache.org/media/uploaded/files/2024/11/06/db61e292-0942-428b-b6d9-c771336dfca0__Grant_API_UseCases.pdf
> 
> 
> Thanks,
> 
> Radhika Kundam
> 
>
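
Added example, not part of the review thread or of the Ranger patch: it illustrates the comment on GdsREST.java line 2063, where two grants for the same principal leave only the last one in the policy. Grant, PolicyItem and both methods are hypothetical stand-ins (assumptions), not Ranger's RangerGrant or RangerPolicyItem; the last-write-wins map only models the behaviour the reviewer describes, and keying by principal plus condition is one possible way to keep every grant.

```java
import java.util.*;

public class GrantMergeDemo {
    // Hypothetical stand-ins for illustration; not Ranger's model classes.
    record Grant(String principalType, String principalName, String access, String condition) {}
    record PolicyItem(String principalType, String principalName, Set<String> accesses, String condition) {}

    // Models the reported behaviour: the map key is the principal alone,
    // so each later grant for that principal replaces the earlier item.
    static Collection<PolicyItem> lastGrantWins(List<Grant> grants) {
        Map<List<String>, PolicyItem> byPrincipal = new LinkedHashMap<>();
        for (Grant g : grants) {
            List<String> key = Arrays.asList(g.principalType(), g.principalName());
            byPrincipal.put(key, new PolicyItem(g.principalType(), g.principalName(),
                    new TreeSet<>(Set.of(g.access())), g.condition()));
        }
        return byPrincipal.values();
    }

    // One possible alternative: key by principal AND condition. Grants with the
    // same condition merge their accesses into one item; grants with different
    // conditions become separate items, so none is silently dropped.
    static Collection<PolicyItem> keepAllGrants(List<Grant> grants) {
        Map<List<String>, PolicyItem> items = new LinkedHashMap<>();
        for (Grant g : grants) {
            // Arrays.asList tolerates a null condition (List.of would throw).
            List<String> key = Arrays.asList(g.principalType(), g.principalName(), g.condition());
            items.computeIfAbsent(key, k -> new PolicyItem(g.principalType(), g.principalName(),
                    new TreeSet<>(), g.condition()))
                 .accesses().add(g.access());
        }
        return items.values();
    }

    public static void main(String[] args) {
        // Constructed input mirroring the reviewer's rangerGrants example.
        List<Grant> grants = List.of(
                new Grant("USER", "user1", "read", null),
                new Grant("USER", "user1", "write", "..."));

        System.out.println("last grant wins: " + lastGrantWins(grants));
        System.out.println("all grants kept: " + keepAllGrants(grants));
    }
}
```

With the constructed input, the first method yields a single item for user1 carrying only the conditional write grant, so the unconditional read grant is lost; the second yields two items, one per condition.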