Re: Review Request 53043: User has access to a database via tag-based policy - but 'show databases' does not include the database

Madhan Neethiraj Wed, 02 Nov 2016 12:35:57 -0700

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53043/#review154606
-----------------------------------------------------------





agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
 (line 214)
<https://reviews.apache.org/r/53043/#comment224220>

    Assuming that most requests would not have a matching tag, it will good to 
not create an ArrayList until it is needed (at line #235).



agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 (line 183)
<https://reviews.apache.org/r/53043/#comment224224>

    if @ line #183 seems unnecessary - as for all tag-requests, matchType needs 
to be copied from RangerTagAccessRequest.matchType. Please review.



agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
 (line 53)
<https://reviews.apache.org/r/53043/#comment224234>

    It will help to add couple of examples of how this field is used.


- Madhan Neethiraj


On Oct. 28, 2016, 6:37 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53043/
> -----------------------------------------------------------
> 
> (Updated Oct. 28, 2016, 6:37 p.m.)
> 
> 
> Review request for ranger and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-1190
>     https://issues.apache.org/jira/browse/RANGER-1190
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Scenario: A user has some access to a table/column in a database - 
> exclusively via a tag-based policy. For example: 'hr.employee.ssn' column is 
> tagged as PII and user has 'select' access granted on 'PII' tag. User does 
> not have any other access in 'hr' database.
> In this scenario, 'show databases' command in beeline does not include 'hr' 
> database. Since the user has some access into 'hr' database, the user will 
> expect to see 'hr' database in the command result.
> 
> 
> Diffs
> -----
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
>  3c342a3 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java
>  6873554 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerServiceResourceMatcher.java
>  637423e 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
>  1a6e1b2 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java
>  PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  905262c 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
>  PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java
>  PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java
>  7711765 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  899b216 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
>  84aac1e 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
>  3b831c3 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
>  00f8f9a 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
>  9219450 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/contextenricher/TestTagEnricher.java
>  30190ab 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
>  cb0af84 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceMatcher.java
>  PRE-CREATION 
>   agents-common/src/test/resources/contextenricher/test_tagenricher_hive.json 
> 317c651 
>   agents-common/src/test/resources/policyengine/descendant_tags.json 
> PRE-CREATION 
>   
> agents-common/src/test/resources/policyengine/test_policyengine_conditions.json
>  2ab2bee 
>   
> agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json
>  PRE-CREATION 
>   
> agents-common/src/test/resources/policyengine/test_policyengine_tag_hdfs.json 
> 6c9b966 
>   
> agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json 
> fab93f6 
>   
> agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
>  443ee53 
>   
> agents-common/src/test/resources/resourcematcher/test_defaultpolicyresourcematcher.json
>  PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/53043/diff/
> 
> 
> Testing
> -------
> 
> Ran unit tests successfully. Tested with hive-server2 with ranger plugin and 
> Ranger/TagSync/Atlas stack.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Re: Review Request 53043: User has access to a database via tag-based policy - but 'show databases' does not include the database

Reply via email to