> On Nov. 5, 2024, 8:24 p.m., Madhan Neethiraj wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/model/RangerGds.java > > Lines 894 (patched) > > <https://reviews.apache.org/r/75252/diff/2/?file=2294014#file2294014line894> > > > > How about replacing principalType and principalName with > > RangerPrincipal?
New class RangerGrant is introduced with RangerPrincipal as per earlier comments, and I missed to delete the RangerGDSGrant which is not relevant anymore. This was removed in latest uploaded patch. > On Nov. 5, 2024, 8:24 p.m., Madhan Neethiraj wrote: > > security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java > > Lines 1984 (patched) > > <https://reviews.apache.org/r/75252/diff/2/?file=2294018#file2294018line1985> > > > > Following methods can be private: > > - filterPolicyItemsByRequest() > > - transformPolicyItemsToGrants() > > - rangerPolicyHeaderOf() > > - updatePolicyWithModifiedGrants() These methods are used in UnitTests. Updated the access level and added annotations @VisibleForTesting to make it clear that these methods are accessible for testing purposes. > On Nov. 5, 2024, 8:24 p.m., Madhan Neethiraj wrote: > > security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java > > Lines 2106 (patched) > > <https://reviews.apache.org/r/75252/diff/2/?file=2294018#file2294018line2107> > > > > RangerPrincipal principal = grant.getPrincipal(); > > > > if (principal.getType() == RangerPrincipal.PrincipalType.USER)) { > > policyItem.setUsers(Collections.singletonList(principal.getName()); > > } else if (principal.getType() == RangerPrincipal.PrincipalType.GROUP) { > > policyItem.setGroups(Collections.singletonList(principal.getName()); > > } else if (principal.getType() == RangerPrincipal.PrincipalType.ROLE) { > > policyItem.setRoles(Collections.singletonList(principal.getName()); > > } By using a PrincipalType string instead of directly comparing with RangerPrincipal, we allow the API to be case-insensitive, making it more user-friendly. This avoids the tight coupling to uppercase RangerPrincipal values, providing users with the convenience of using the API without having to worry about case sensitivity in the payload. And, I updated the patch to use Collections.singletonList instead of Arrays.asList > On Nov. 5, 2024, 8:24 p.m., Madhan Neethiraj wrote: > > security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java > > Lines 2121 (patched) > > <https://reviews.apache.org/r/75252/diff/2/?file=2294018#file2294018line2122> > > > > Instead of convering to String, consider using > > RangerPrincipal.PrincipalType. > > > > RangerPrincipal principal = grant.getPrincipal(); > > > > return policyItem -> { > > switch (principal.getType()) { > > case PrincipalType.USER: > > return policyItem.getUsers().contains(principal.getName()); > > case PrincipalType.GROUP: > > return policyItem.getGroups().contains(principal.getName()); > > case PrincipalType.ROLE: > > return policyItem.getRoles().contains(principal.getName()); > > } > > > > return false; > > }; By using a PrincipalType string instead of directly comparing with RangerPrincipal, we allow the API to be case-insensitive, making it more user-friendly. This avoids the tight coupling to uppercase RangerPrincipal values, providing users with the convenience of using the API without having to worry about case sensitivity in the payload. - Radhika ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/75252/#review227030 ----------------------------------------------------------- On Nov. 5, 2024, 7:41 p.m., Radhika Kundam wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/75252/ > ----------------------------------------------------------- > > (Updated Nov. 5, 2024, 7:41 p.m.) > > > Review request for ranger, Madhan Neethiraj and Ramesh Mani. > > > Bugs: RANGER-4960 > https://issues.apache.org/jira/browse/RANGER-4960 > > > Repository: ranger > > > Description > ------- > > This Grant API introduces functionality to grant or revoke specific > permissions on datasets to external users, groups, or roles. It includes > support for defining access validity based on policy item conditions. > > Key features include: > 1. Permission Management: Enables granting and revoking access to datasets > for designated users, groups, or roles. > 2. Policy-Based Validity: Allows setting validity periods and conditions > within policy items, defining the scope and duration of access for each user, > group, or role. > > This API enhancement provides flexibility in managing dataset permissions, > improving security and control over data access. > > Attached file for Grant API UseCases. > > Detailed information about Grant API request and response attached to Jira. > > > Diffs > ----- > > agents-common/src/main/java/org/apache/ranger/plugin/model/RangerGrant.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyHeader.java > PRE-CREATION > security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java > a6c6746b3 > security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java c66429834 > > security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java > acfce5f0a > security-admin/src/test/java/org/apache/ranger/rest/TestGdsREST.java > PRE-CREATION > > > Diff: https://reviews.apache.org/r/75252/diff/3/ > > > Testing > ------- > > Tested locally. > > > File Attachments > ---------------- > > Grant API UseCases > > https://reviews.apache.org/media/uploaded/files/2024/11/06/db61e292-0942-428b-b6d9-c771336dfca0__Grant_API_UseCases.pdf > > > Thanks, > > Radhika Kundam > >
