Re: Review Request 70310: RANGER-2379: Support for associating a tag service with security zone and relevant authorization logic

2019-03-29 Thread Abhay Kulkarni


> On March 29, 2019, 7:18 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
> > Lines 1363 (patched)
> > 
> >
> > Unzoned tag policies should be used *only* when the zone is not 
> > associated with the service. Lines #1361 to #1385 should be removed. Please 
> > review and update.
> 
> Abhay Kulkarni wrote:
> The description of the use-case in the JIRA says otherwise. Please review 
> the use-case description - especially the part where the access evaluation is 
> described, and if it is not correct, then let us fix it and revisit this 
> patch as a whole.

I have removed code which picked tag-policies from default zone if there were 
no tag-policies for the zone of the accessed resource. However, the JIRA 
description needs to be changed.

From:


On the access evaluation perspective, if accessed resource falls in a Security 
Zone, then there are two possibilities:

1) no policies for the zone in tag-service
2) no association of the zone with tag-service

Although it is possible to differentiate between these two cases, tag policies 
in the default("unzoned") zone need to be considered for evaluation in both 
cases for now. 


To:

On the access evaluation perspective, if accessed resource falls in a Security 
Zone, then there are two possibilities:

1) no policies for the zone in tag-service
2) no association of the zone with tag-service

Tag policies in the default("unzoned") zone need to be considered for 
evaluation only in case 2.


- Abhay


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70310/#review214198
---


On March 27, 2019, 7:24 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70310/
> ---
> 
> (Updated March 27, 2019, 7:24 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nitin Galave, and 
> Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2379
> https://issues.apache.org/jira/browse/RANGER-2379
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Currently, tag service is associated with a security zone if and only if any 
> service-resource (that is, a tuple  ) in the 
> Security Zone is contained in resource-service that is associated with the 
> tag service. However, consider the following use case:
> 
> 1) No zone exists. Tag-based policies are in-place, say for PII, EXPIRES_ON, 
> etc.
> 
> 2) Few tables in finance DB were tagged with EXPIRES_ON; few columns within 
> this DB were tagged with PII. So tag-based access enforcement/masking 
> policies are in effect for these objects.
> 
> 3) An admin creates 'Finance' zone and moves 'finance' DB to this zone.
> 
> 4) All tag-based policy enforcement is lost; as there is no tag-based policy 
> in 'finance' zone, as the policies still belong to “unzoned” zone. 
> 
> Given this, it is a better design to not automatically create 
> tag-service->zone association. Instead, the association between 
> zone->tag-service needs to be supported directly similar to how 
> zone->resource-service association is established, with one difference; when 
> a tag service is associated with a Security Zone, user should not be able to 
> include any resource (tag-name, to be specific). This requires GUI changes 
> for Security Zone CRUD, but no other changes, especially to tag service 
> browser as well as tag policy creation.
> 
> On the access evaluation perspective, if accessed resource falls in a 
> Security Zone, then there are two possibilities:
> 
> 1) no policies for the zone in tag-service
> 2) no association of the zone with tag-service
> 
> Although it is possible to differentiate between these two cases, tag 
> policies in the default("unzoned") zone need to be considered for evaluation 
> in both cases for now.
> 
> This patch contains changes for security zone validations and access 
> authorization logic only.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
>  5a8fb5e1d 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java
>  0e3b8f48a 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  5e683638b 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
>  ff2a4b207 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
>  2a80b2518 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidatorTe
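The evaluation rule this reply settles on (the revised "To:" wording: unzoned tag policies are consulted only when the zone is not associated with the tag service) as a small Python model, added here and not Ranger's own policy-engine code. The zone name "Finance", the user "analyst", the empty-string convention for the default zone and the single-policy grant check are constructed assumptions; the model replays the finance-DB use case from the review description.

```python
from dataclasses import dataclass, field

UNZONED = ""  # constructed convention: empty zone name = default ("unzoned") zone


@dataclass(frozen=True)
class TagPolicy:
    name: str
    tag: str              # tag type the policy applies to, e.g. "PII" or "EXPIRES_ON"
    users: frozenset      # users granted by this policy
    accesses: frozenset   # access types granted, e.g. {"select"}


@dataclass
class TagService:
    # zone name -> tag policies that belong to that zone
    policies_by_zone: dict = field(default_factory=dict)
    # zones explicitly linked to this tag service (the zone->tag-service association)
    associated_zones: set = field(default_factory=set)


def select_tag_policies(tag_service, resource_zone):
    """Pick the tag-policy set to evaluate for a resource located in resource_zone."""
    zone_policies = tag_service.policies_by_zone
    if resource_zone == UNZONED:
        return list(zone_policies.get(UNZONED, []))
    if resource_zone in tag_service.associated_zones:
        # Case 1: zone is associated with the tag service. Only the zone's own
        # tag policies apply, even if there are none yet: no fallback to unzoned.
        return list(zone_policies.get(resource_zone, []))
    # Case 2: zone is not associated with the tag service, so it cannot hold
    # tag policies of its own; the unzoned tag policies are consulted instead.
    return list(zone_policies.get(UNZONED, []))


def tag_policy_allows(tag_service, resource_zone, resource_tags, user, access):
    """True if an applicable tag policy grants `user` the `access` on a resource
    carrying `resource_tags`. Resource-policy fallback is out of scope here."""
    for policy in select_tag_policies(tag_service, resource_zone):
        if policy.tag in resource_tags and user in policy.users and access in policy.accesses:
            return True
    return False


def finance_walkthrough():
    """Replay the use case from the review description; returns the decision per step."""
    grant = (frozenset({"analyst"}), frozenset({"select"}))
    svc = TagService(policies_by_zone={UNZONED: [TagPolicy("pii-unzoned", "PII", *grant)]})
    results = {}
    # Steps 1-2: no zones exist; PII-tagged columns are governed by the unzoned policy
    results["no_zone"] = tag_policy_allows(svc, UNZONED, {"PII"}, "analyst", "select")
    # Step 3: 'Finance' zone created, finance DB moved in, tag service NOT associated
    # (case 2): unzoned tag policies still apply, so enforcement is not lost
    results["zone_not_associated"] = tag_policy_allows(svc, "Finance", {"PII"}, "analyst", "select")
    # Admin associates the tag service with the zone but has defined no zone tag
    # policies yet (case 1): nothing falls back, so the tag policy no longer grants
    svc.associated_zones.add("Finance")
    results["zone_associated_no_policies"] = tag_policy_allows(svc, "Finance", {"PII"}, "analyst", "select")
    # A zone-scoped PII policy restores the grant inside the zone
    svc.policies_by_zone["Finance"] = [TagPolicy("pii-finance", "PII", *grant)]
    results["zone_associated_with_policy"] = tag_policy_allows(svc, "Finance", {"PII"}, "analyst", "select")
    return results


if __name__ == "__main__":
    for step, allowed in finance_walkthrough().items():
        print(f"{step}: {'allowed' if allowed else 'no tag-policy grant'}")
```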

Re: Review Request 70310: RANGER-2379: Support for associating a tag service with security zone and relevant authorization logic

2019-03-29 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70310/
---

(Updated March 29, 2019, 8:44 p.m.)


Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nitin Galave, and 
Velmurugan Periasamy.


Changes
---

Addressed review comment.


Bugs: RANGER-2379
https://issues.apache.org/jira/browse/RANGER-2379


Repository: ranger


Description
---

Currently, tag service is associated with a security zone if and only if any 
service-resource (that is, a tuple  ) in the 
Security Zone is contained in resource-service that is associated with the tag 
service. However, consider the following use case:

1) No zone exists. Tag-based policies are in-place, say for PII, EXPIRES_ON, 
etc.

2) Few tables in finance DB were tagged with EXPIRES_ON; few columns within 
this DB were tagged with PII. So tag-based access enforcement/masking policies 
are in effect for these objects.

3) An admin creates 'Finance' zone and moves 'finance' DB to this zone.

4) All tag-based policy enforcement is lost; as there is no tag-based policy in 
'finance' zone, as the policies still belong to “unzoned” zone. 

Given this, it is a better design to not automatically create tag-service->zone 
association. Instead, the association between zone->tag-service needs to be 
supported directly similar to how zone->resource-service association is 
established, with one difference; when a tag service is associated with a 
Security Zone, user should not be able to include any resource (tag-name, to be 
specific). This requires GUI changes for Security Zone CRUD, but no other 
changes, especially to tag service browser as well as tag policy creation.

On the access evaluation perspective, if accessed resource falls in a Security 
Zone, then there are two possibilities:

1) no policies for the zone in tag-service
2) no association of the zone with tag-service

Although it is possible to differentiate between these two cases, tag policies 
in the default("unzoned") zone need to be considered for evaluation in both 
cases for now.

This patch contains changes for security zone validations and access 
authorization logic only.


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
 5a8fb5e1d 
  
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java
 0e3b8f48a 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 9fe05311f 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
 ff2a4b207 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java 
2a80b2518 
  
agents-common/src/test/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidatorTest.java
 fa167a77c 
  
agents-common/src/test/resources/policyengine/test_policyengine_hdfs_zones.json 
6fcb66e0b 
  security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java 
991649664 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
a60d4e005 
  security-admin/src/main/resources/META-INF/jpa_named_queries.xml eaa4e08c2 


Diff: https://reviews.apache.org/r/70310/diff/4/

Changes: https://reviews.apache.org/r/70310/diff/3-4/


Testing
---

Passed all unit tests


Thanks,

Abhay Kulkarni



[jira] [Created] (RANGER-2387) add public api v2 for security zones

2019-03-29 Thread Deepak Sharma (JIRA)
Deepak Sharma created RANGER-2387:
-

 Summary: add public api v2 for security zones
 Key: RANGER-2387
 URL: https://issues.apache.org/jira/browse/RANGER-2387
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Affects Versions: master
Reporter: Deepak Sharma
 Fix For: master


add public api v2 for security zones



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


Re: Review Request 70310: RANGER-2379: Support for associating a tag service with security zone and relevant authorization logic

2019-03-29 Thread Abhay Kulkarni


> On March 29, 2019, 7:18 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
> > Lines 1363 (patched)
> > 
> >
> > Unzoned tag policies should be used *only* when the zone is not 
> > associated with the service. Lines #1361 to #1385 should be removed. Please 
> > review and update.

The description of the use-case in the JIRA says otherwise. Please review the 
use-case description - especially the part where the access evaluation is 
described, and if it is not correct, then let us fix it and revisit this patch 
as a whole.


- Abhay


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70310/#review214198
---


On March 27, 2019, 7:24 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70310/
> ---
> 
> (Updated March 27, 2019, 7:24 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nitin Galave, and 
> Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2379
> https://issues.apache.org/jira/browse/RANGER-2379
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Currently, tag service is associated with a security zone if and only if any 
> service-resource (that is, a tuple  ) in the 
> Security Zone is contained in resource-service that is associated with the 
> tag service. However, consider the following use case:
> 
> 1) No zone exists. Tag-based policies are in-place, say for PII, EXPIRES_ON, 
> etc.
> 
> 2) Few tables in finance DB were tagged with EXPIRES_ON; few columns within 
> this DB were tagged with PII. So tag-based access enforcement/masking 
> policies are in effect for these objects.
> 
> 3) An admin creates 'Finance' zone and moves 'finance' DB to this zone.
> 
> 4) All tag-based policy enforcement is lost; as there is no tag-based policy 
> in 'finance' zone, as the policies still belong to “unzoned” zone. 
> 
> Given this, it is a better design to not automatically create 
> tag-service->zone association. Instead, the association between 
> zone->tag-service needs to be supported directly similar to how 
> zone->resource-service association is established, with one difference; when 
> a tag service is associated with a Security Zone, user should not be able to 
> include any resource (tag-name, to be specific). This requires GUI changes 
> for Security Zone CRUD, but no other changes, especially to tag service 
> browser as well as tag policy creation.
> 
> On the access evaluation perspective, if accessed resource falls in a 
> Security Zone, then there are two possibilities:
> 
> 1) no policies for the zone in tag-service
> 2) no association of the zone with tag-service
> 
> Although it is possible to differentiate between these two cases, tag 
> policies in the default("unzoned") zone need to be considered for evaluation 
> in both cases for now.
> 
> This patch contains changes for security zone validations and access 
> authorization logic only.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
>  5a8fb5e1d 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java
>  0e3b8f48a 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  5e683638b 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
>  ff2a4b207 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
>  2a80b2518 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidatorTest.java
>  fa167a77c 
>   
> agents-common/src/test/resources/policyengine/test_policyengine_hdfs_zones.json
>  6fcb66e0b 
>   security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java 
> 991649664 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
> a60d4e005 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml eaa4e08c2 
> 
> 
> Diff: https://reviews.apache.org/r/70310/diff/3/
> 
> 
> Testing
> ---
> 
> Passed all unit tests
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



[jira] [Updated] (RANGER-2324) Bootstrapping Solr in Ranger service start-up

2019-03-29 Thread bhavik patel (JIRA)


 [ 
https://issues.apache.org/jira/browse/RANGER-2324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

bhavik patel updated RANGER-2324:
-
Attachment: RANGER-2324-09.patch

> Bootstrapping Solr in Ranger service start-up
> -
>
> Key: RANGER-2324
> URL: https://issues.apache.org/jira/browse/RANGER-2324
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: bhavik patel
>Assignee: bhavik patel
>Priority: Minor
> Attachments: RANGER-2324-09.patch, RANGER-2324.patch
>
>






[jira] [Updated] (RANGER-2386) Code duplication due to RangerCredentialProvider.getCredentialString returns char[]

2019-03-29 Thread Zsombor Gegesy (JIRA)


 [ 
https://issues.apache.org/jira/browse/RANGER-2386?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Zsombor Gegesy updated RANGER-2386:
---
Attachment: RANGER-2386.patch

> Code duplication due to RangerCredentialProvider.getCredentialString returns 
> char[]
> ---
>
> Key: RANGER-2386
> URL: https://issues.apache.org/jira/browse/RANGER-2386
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Affects Versions: master
>Reporter: Zsombor Gegesy
>Assignee: Zsombor Gegesy
>Priority: Major
> Fix For: 2.0.0
>
> Attachments: RANGER-2386.patch
>
>
> The same code appears in lots of places, because 
> RangerCredentialProvider.getCredentialString returns a char array, which 
> needs to be converted to String.





Review Request 70339: RANGER-2386: Code duplication due to RangerCredentialProvider.getCredentialString returns char[]

2019-03-29 Thread Zsombor Gegesy

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70339/
---

Review request for ranger.


Bugs: RANGER-2386
https://issues.apache.org/jira/browse/RANGER-2386


Repository: ranger


Description
---

The same code appears in lots of places, because 
RangerCredentialProvider.getCredentialString returns a char array, which needs 
to be converted to String - remove this duplication.


Diffs
-

  
agents-audit/src/main/java/org/apache/ranger/audit/provider/DbAuditProvider.java
 1490c2782a9d603b8ad1392a1aafef7655e56562 
  agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java 
eff38249e044a910b747aa7e81003028d2b3 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java 
2a4b9c90186effdcc2d9bc5b8726a5351ea668bd 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerSslHelper.java 
2036661e81201b15fc296d53f2a831a8a1770b36 
  
agents-cred/src/main/java/org/apache/ranger/authorization/hadoop/utils/RangerCredentialProvider.java
 44cadfba2dc2f209a94b11f6d3ad7e7582f3d8cb 
  
agents-cred/src/test/java/org/apache/ranger/authorization/hadoop/utils/RangerCredentialProviderTest.java
 971ee681a33dfcf5993e4d79e25c648c90646df2 


Diff: https://reviews.apache.org/r/70339/diff/1/


Testing
---

Tested with plugins on a cluster


Thanks,

Zsombor Gegesy



Re: Review Request 70057: RANGER-2324 Bootstrapping Solr in Ranger service start-up

2019-03-29 Thread Oliver Szabo

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70057/#review214202
---


Ship it!




Ship It!

(as follow up changes are here: 
https://issues.apache.org/jira/browse/RANGER-2377)

- Oliver Szabo


On March 28, 2019, 4:10 p.m., bhavik patel wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70057/
> ---
> 
> (Updated March 28, 2019, 4:10 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay 
> Kulkarni, Madhan Neethiraj, Oliver Szabo, Pradeep Agrawal, Ramesh Mani, 
> Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2324
> https://issues.apache.org/jira/browse/RANGER-2324
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> We are handling the solr bootstrapping in below mentioned manner for Ranger
> 1.) Connection to solr
> 2.) Upload Configuration
> 3.) Create Collection
> 4.) Setting ACL
> 
> 
> Diffs
> -
> 
>   
> embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
>  8d32352 
>   
> embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/SolrCollectionBoostrapper.java
>  PRE-CREATION 
>   security-admin/scripts/install.properties fdcee1b 
>   security-admin/scripts/setup.sh bd4bd4c 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
> 686f720 
>   security-admin/src/main/resources/conf.dist/ranger-admin-site.xml 4d4a1de 
>   src/main/assembly/admin-web.xml 0296652 
> 
> 
> Diff: https://reviews.apache.org/r/70057/diff/11/
> 
> 
> Testing
> ---
> 
> Tested Below Scenario on ranger manual start / restart
> 1.) Solr configuration were uploaded successfully
> 2.) Solr collections were created successfully
> 3.) ACL were setup as required.
> 
> 
> Thanks,
> 
> bhavik patel
> 
>



[jira] [Created] (RANGER-2386) Code duplication due to RangerCredentialProvider.getCredentialString returns char[]

2019-03-29 Thread Zsombor Gegesy (JIRA)
Zsombor Gegesy created RANGER-2386:
--

 Summary: Code duplication due to 
RangerCredentialProvider.getCredentialString returns char[]
 Key: RANGER-2386
 URL: https://issues.apache.org/jira/browse/RANGER-2386
 Project: Ranger
  Issue Type: Improvement
  Components: plugins
Affects Versions: master
Reporter: Zsombor Gegesy
Assignee: Zsombor Gegesy
 Fix For: 2.0.0


The same code appears in lots of places, because 
RangerCredentialProvider.getCredentialString returns a char array, which needs 
to be converted to String.





Re: Review Request 70057: RANGER-2324 Bootstrapping Solr in Ranger service start-up

2019-03-29 Thread Zsombor Gegesy

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70057/#review214200
---


Ship it!




Ship It!

- Zsombor Gegesy


On March 28, 2019, 4:10 p.m., bhavik patel wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70057/
> ---
> 
> (Updated March 28, 2019, 4:10 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay 
> Kulkarni, Madhan Neethiraj, Oliver Szabo, Pradeep Agrawal, Ramesh Mani, 
> Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2324
> https://issues.apache.org/jira/browse/RANGER-2324
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> We are handling the solr bootstrapping in below mentioned manner for Ranger
> 1.) Connection to solr
> 2.) Upload Configuration
> 3.) Create Collection
> 4.) Setting ACL
> 
> 
> Diffs
> -
> 
>   
> embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
>  8d32352 
>   
> embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/SolrCollectionBoostrapper.java
>  PRE-CREATION 
>   security-admin/scripts/install.properties fdcee1b 
>   security-admin/scripts/setup.sh bd4bd4c 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
> 686f720 
>   security-admin/src/main/resources/conf.dist/ranger-admin-site.xml 4d4a1de 
>   src/main/assembly/admin-web.xml 0296652 
> 
> 
> Diff: https://reviews.apache.org/r/70057/diff/11/
> 
> 
> Testing
> ---
> 
> Tested Below Scenario on ranger manual start / restart
> 1.) Solr configuration were uploaded successfully
> 2.) Solr collections were created successfully
> 3.) ACL were setup as required.
> 
> 
> Thanks,
> 
> bhavik patel
> 
>



[jira] [Created] (RANGER-2385) Improvement to Audit page -> Plugin status tab

2019-03-29 Thread Nitin Galave (JIRA)
Nitin Galave created RANGER-2385:


 Summary: Improvement to Audit page -> Plugin status tab
 Key: RANGER-2385
 URL: https://issues.apache.org/jira/browse/RANGER-2385
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Reporter: Nitin Galave
Assignee: Nitin Galave
 Fix For: master


Plugin Status Tab:
 * Add sorting to Active/Download Time column
This will help quickly compare the hosts and pick the ones having stale 
policies.
Also, the labels ‘Active’, ‘Download’, ‘Last Update’ need help to interpret; 
consider rewording them and/or add tool tips with a short description.
 * It should render the number of entries displayed in the results. This can 
help identify servers that haven’t downloaded policies yet.





[jira] [Created] (RANGER-2384) Get All Zones API is returning response in raw format,proper response object is required.

2019-03-29 Thread Nitin Galave (JIRA)
Nitin Galave created RANGER-2384:


 Summary: Get All Zones API is returning response in raw 
format, proper response object is required.
 Key: RANGER-2384
 URL: https://issues.apache.org/jira/browse/RANGER-2384
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Reporter: Nitin Galave
Assignee: Nikhil Purbhe
 Fix For: master


Get All Zones API is returning response in raw format, proper response object is 
required.





Re: Review Request 70310: RANGER-2379: Support for associating a tag service with security zone and relevant authorization logic

2019-03-29 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70310/#review214198
---


Fix it, then Ship it!





agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 1363 (patched)


Unzoned tag policies should be used *only* when the zone is not associated 
with the service. Lines #1361 to #1385 should be removed. Please review and 
update.


- Madhan Neethiraj


On March 27, 2019, 7:24 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70310/
> ---
> 
> (Updated March 27, 2019, 7:24 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nitin Galave, and 
> Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2379
> https://issues.apache.org/jira/browse/RANGER-2379
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Currently, tag service is associated with a security zone if and only if any 
> service-resource (that is, a tuple  ) in the 
> Security Zone is contained in resource-service that is associated with the 
> tag service. However, consider the following use case:
> 
> 1) No zone exists. Tag-based policies are in-place, say for PII, EXPIRES_ON, 
> etc.
> 
> 2) Few tables in finance DB were tagged with EXPIRES_ON; few columns within 
> this DB were tagged with PII. So tag-based access enforcement/masking 
> policies are in effect for these objects.
> 
> 3) An admin creates 'Finance' zone and moves 'finance' DB to this zone.
> 
> 4) All tag-based policy enforcement is lost; as there is no tag-based policy 
> in 'finance' zone, as the policies still belong to “unzoned” zone. 
> 
> Given this, it is a better design to not automatically create 
> tag-service->zone association. Instead, the association between 
> zone->tag-service needs to be supported directly similar to how 
> zone->resource-service association is established, with one difference; when 
> a tag service is associated with a Security Zone, user should not be able to 
> include any resource (tag-name, to be specific). This requires GUI changes 
> for Security Zone CRUD, but no other changes, especially to tag service 
> browser as well as tag policy creation.
> 
> On the access evaluation perspective, if accessed resource falls in a 
> Security Zone, then there are two possibilities:
> 
> 1) no policies for the zone in tag-service
> 2) no association of the zone with tag-service
> 
> Although it is possible to differentiate between these two cases, tag 
> policies in the default("unzoned") zone need to be considered for evaluation 
> in both cases for now.
> 
> This patch contains changes for security zone validations and access 
> authorization logic only.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
>  5a8fb5e1d 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java
>  0e3b8f48a 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  5e683638b 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
>  ff2a4b207 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
>  2a80b2518 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidatorTest.java
>  fa167a77c 
>   
> agents-common/src/test/resources/policyengine/test_policyengine_hdfs_zones.json
>  6fcb66e0b 
>   security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java 
> 991649664 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
> a60d4e005 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml eaa4e08c2 
> 
> 
> Diff: https://reviews.apache.org/r/70310/diff/3/
> 
> 
> Testing
> ---
> 
> Passed all unit tests
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>