Re: Review Request 35552: Hbase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit

Wed, 17 Jun 2015 14:21:12 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35552/#review88233
-----------------------------------------------------------



agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
 (line 53)
<https://reviews.apache.org/r/35552/#comment140646>

    I think it will be better to have this flag in RangerAccessResource, 
instead of RangerAccessRequest. Something like RangerAccessResource.getScope():
     - valid values: SELF, ANY_CHILD (to start with)
     - default value: SELF (to be set in RangerAccessResourceImpl)
    
    With this in place, Hive check for child-level access (USE database 
scenario), can be updated to use this mechanism.


- Madhan Neethiraj


On June 17, 2015, 7:06 a.m., Alok Lal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/35552/
> -----------------------------------------------------------
> 
> (Updated June 17, 2015, 7:06 a.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-558
>     https://issues.apache.org/jira/browse/RANGER-558
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Hbase plugin: unless user has READ access at some level under the 
> table/family being accessed (via scan/get) authorizer should throw an 
> exception and audit
> 
> 
> Diffs
> -----
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
>  82a18fc 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
>  e1326ea 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  030cd87 
>   
> hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
>  006629b 
>   
> hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
>  e64c5af 
> 
> Diff: https://reviews.apache.org/r/35552/diff/
> 
> 
> Testing
> -------
> 
> Manual testing at table/family for scan/get/put/delete.
> 
> 
> Thanks,
> 
> Alok Lal
> 
>

Reply via email to