Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies

2019-05-30 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215602
---


Ship it!




Ship It!

- Madhan Neethiraj


On May 30, 2019, 6:31 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> ---
> 
> (Updated May 30, 2019, 6:31 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
> Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Current Ranger policy model supports 
> authorization/column-masking/row-filtering for users/user-groups based on 
> various criteria like accessed-resource, resource-classifications, IP-address 
> and custom conditions. Given the wide-spread use of role-based authorization 
> in traditional enterprise applications (like RDBMS, J2EE), it will be very 
> useful for Ranger policy model to support 'roles' i.e. to be able to specify 
> authorization/column-masking/row-filtering for roles as well - in addition to 
> existing support for users and user-groups.
> 
> This patch provides an initial implementation of support for roles in Ranger.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
>  800b3c4f4 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 
> 3cf509d7c 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java 
> PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
>  5316baea3 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
>  9ed500c50 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
>  99b2ab357 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  db5dde769 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
>  eafbde246 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  a57b39827 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
>  45231e739 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
>  47b4921ad 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
>  5400f71c4 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
>  a6e24c609 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
>  5a18226fe 
>   agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java 
> PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
>  c20ccded6 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 
> e22249ac6 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
>  cbd2cb012 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
>  e6d90a491 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
>  e92a2e658 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
>  5a47ba401 
>   agents-common/src/test/resources/policyengine/test_aclprovider_default.json 
> b4c4def85 
>   
> agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json
>  PRE-CREATION 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 
> 769afb56a 
>   security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION 
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 
> 9a9e36b09 
>   security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION 
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 
> df4201d89 
>   security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION 
>   
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
>  a2d413743 
>   security-admin/db/sqlanywhere/patches/041-create-role-schema.sql 
> PRE-CREATION 
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 
> 1f3ccbf5d 
>   security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION 
>   

Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies

2019-05-30 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/
---

(Updated May 30, 2019, 6:31 p.m.)


Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Addressed review comments


Bugs: RANGER-2414
https://issues.apache.org/jira/browse/RANGER-2414


Repository: ranger


Description
---

Current Ranger policy model supports authorization/column-masking/row-filtering 
for users/user-groups based on various criteria like accessed-resource, 
resource-classifications, IP-address and custom conditions. Given the 
wide-spread use of role-based authorization in traditional enterprise 
applications (like RDBMS, J2EE), it will be very useful for Ranger policy model 
to support 'roles' i.e. to be able to specify 
authorization/column-masking/row-filtering for roles as well - in addition to 
existing support for users and user-groups.

This patch provides an initial implementation of support for roles in Ranger.


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
 800b3c4f4 
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 
3cf509d7c 
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java 
PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
 5316baea3 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
 9ed500c50 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
 99b2ab357 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 db5dde769 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
 eafbde246 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 a57b39827 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
 45231e739 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
 47b4921ad 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
 5400f71c4 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
 a6e24c609 
  
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
 5a18226fe 
  agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java 
PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 c20ccded6 
  agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 
e22249ac6 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java 
cbd2cb012 
  
agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
 e6d90a491 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
 e92a2e658 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 5a47ba401 
  agents-common/src/test/resources/policyengine/test_aclprovider_default.json 
b4c4def85 
  
agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json 
PRE-CREATION 
  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a 
  security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION 
  security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 
9a9e36b09 
  security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION 
  security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 
df4201d89 
  security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION 
  
security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 
a2d413743 
  security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION 
  security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 
1f3ccbf5d 
  security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 
921dc3736 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java 
f48a80387 
  security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java 
PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java 
PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
eef29b0dc 
  security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 
039e4e8d5 
  

Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies

2019-05-29 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215596
---


Fix it, then Ship it!





agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java
Lines 40 (patched)


Please consider adding "implements java.io.Serializable", to be consistent 
with other model classes - like RangerPolicy.



agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java
Lines 161 (patched)


Consider replacing with:
  return Objects.hash(name, isAdmin);



agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java
Lines 172 (patched)


Consider replacing #172 - #178 with the following:
  return Objects.equals(name, other.name) &&
         isAdmin == other.isAdmin;



agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
Line 80 (original), 80 (patched)


Instead of updating existing method, consider retaining existing method and 
adding a method that takes 'roles' parameter - to avoid breaking 
RangerPolicyEngine implementations (that might exist outside Ranger repo).



agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 1264 (patched)


Since 'owner' is not recognized, it will be simpler to remove it from this 
method signature. This can be added if/when the use case to support 'owner' is 
clear.



agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
Line 157 (original), 192 (patched)


One more '}' needed, for the opening '{' in #159?


- Madhan Neethiraj


On May 29, 2019, 10:47 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> ---
> 
> (Updated May 29, 2019, 10:47 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
> Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Current Ranger policy model supports 
> authorization/column-masking/row-filtering for users/user-groups based on 
> various criteria like accessed-resource, resource-classifications, IP-address 
> and custom conditions. Given the wide-spread use of role-based authorization 
> in traditional enterprise applications (like RDBMS, J2EE), it will be very 
> useful for Ranger policy model to support 'roles' i.e. to be able to specify 
> authorization/column-masking/row-filtering for roles as well - in addition to 
> existing support for users and user-groups.
> 
> This patch provides an initial implementation of support for roles in Ranger.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
>  800b3c4f4 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 
> 3cf509d7c 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java 
> PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
>  5316baea3 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
>  9ed500c50 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
>  99b2ab357 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  eab2c238e 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
>  eafbde246 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  a57b39827 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
>  45231e739 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
>  47b4921ad 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
>  5400f71c4 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
>  a6e24c609 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
>  5a18226fe 
>   
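
Added example (not from the review or from the Ranger code base), illustrating the comment above on RangerPolicyEngine.java: the existing interface method is kept and a role-aware overload is added with a default body, so implementations outside the repository still compile and keep their earlier decisions. All type and method names below are hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Hypothetical names throughout; this is not Ranger's RangerPolicyEngine API.
public class RoleAwareEngineExample {

    /** Stand-in for an engine interface that code outside the repository may implement. */
    interface PolicyEngine {
        // Pre-existing method: signature left untouched.
        boolean isAccessAllowed(String resource, String user, Set<String> groups);

        // Added overload that carries roles. The default body drops the roles and
        // calls the old method, so an implementation written before roles existed
        // compiles unchanged and returns exactly what it returned before.
        default boolean isAccessAllowed(String resource, String user,
                                        Set<String> groups, Set<String> roles) {
            return isAccessAllowed(resource, user, groups);
        }
    }

    /** One allow rule: a resource and the users, groups and roles it is granted to. */
    static final class AllowRule {
        final String resource;
        final Set<String> users;
        final Set<String> groups;
        final Set<String> roles;

        AllowRule(String resource, Set<String> users, Set<String> groups, Set<String> roles) {
            this.resource = resource;
            this.users = users;
            this.groups = groups;
            this.roles = roles;
        }
    }

    /** Implementation written before roles existed: it only knows users and groups. */
    static final class LegacyEngine implements PolicyEngine {
        private final AllowRule rule;

        LegacyEngine(AllowRule rule) {
            this.rule = rule;
        }

        @Override
        public boolean isAccessAllowed(String resource, String user, Set<String> groups) {
            return rule.resource.equals(resource)
                    && (rule.users.contains(user) || !Collections.disjoint(rule.groups, groups));
        }
    }

    /** Updated implementation: overrides the overload and routes the old method through it. */
    static final class RoleAwareEngine implements PolicyEngine {
        private final AllowRule rule;

        RoleAwareEngine(AllowRule rule) {
            this.rule = rule;
        }

        @Override
        public boolean isAccessAllowed(String resource, String user, Set<String> groups) {
            // Callers that do not pass roles are evaluated with an empty role set.
            return isAccessAllowed(resource, user, groups, Collections.<String>emptySet());
        }

        @Override
        public boolean isAccessAllowed(String resource, String user,
                                       Set<String> groups, Set<String> roles) {
            return rule.resource.equals(resource)
                    && (rule.users.contains(user)
                        || !Collections.disjoint(rule.groups, groups)
                        || !Collections.disjoint(rule.roles, roles));
        }
    }

    static Set<String> setOf(String... values) {
        return new HashSet<>(Arrays.asList(values));
    }

    public static void main(String[] args) {
        // Constructed sample rule: only the role "analyst" is granted access to "sales".
        AllowRule rule = new AllowRule("sales", setOf(), setOf(), setOf("analyst"));
        Set<String> groups = setOf("staff");
        Set<String> roles = setOf("analyst");

        PolicyEngine legacy = new LegacyEngine(rule);
        PolicyEngine roleAware = new RoleAwareEngine(rule);

        // The legacy engine ignores the roles argument, so the role grant is not applied.
        System.out.println("legacy, with roles:     "
                + legacy.isAccessAllowed("sales", "alice", groups, roles));
        // The role-aware engine applies the grant when the caller supplies the role.
        System.out.println("role-aware, with roles: "
                + roleAware.isAccessAllowed("sales", "alice", groups, roles));
        // Without roles, both engines reach the same decision through the old method.
        System.out.println("role-aware, no roles:   "
                + roleAware.isAccessAllowed("sales", "alice", groups));
    }
}
```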

Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies

2019-05-29 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/
---

(Updated May 29, 2019, 10:47 p.m.)


Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Updated GUI. Tested with zones.


Bugs: RANGER-2414
https://issues.apache.org/jira/browse/RANGER-2414


Repository: ranger


Description
---

Current Ranger policy model supports authorization/column-masking/row-filtering 
for users/user-groups based on various criteria like accessed-resource, 
resource-classifications, IP-address and custom conditions. Given the 
wide-spread use of role-based authorization in traditional enterprise 
applications (like RDBMS, J2EE), it will be very useful for Ranger policy model 
to support 'roles' i.e. to be able to specify 
authorization/column-masking/row-filtering for roles as well - in addition to 
existing support for users and user-groups.

This patch provides an initial implementation of support for roles in Ranger.


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
 800b3c4f4 
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 
3cf509d7c 
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java 
PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
 5316baea3 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
 9ed500c50 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
 99b2ab357 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 eab2c238e 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
 eafbde246 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 a57b39827 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
 45231e739 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
 47b4921ad 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
 5400f71c4 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
 a6e24c609 
  
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
 5a18226fe 
  agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java 
PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 c20ccded6 
  agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 
e22249ac6 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java 
cbd2cb012 
  
agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
 e6d90a491 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
 e92a2e658 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 5a47ba401 
  agents-common/src/test/resources/policyengine/test_aclprovider_default.json 
b4c4def85 
  
agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json 
PRE-CREATION 
  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a 
  security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION 
  security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 
9a9e36b09 
  security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION 
  security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 
df4201d89 
  security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION 
  
security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 
a2d413743 
  security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION 
  security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 
1f3ccbf5d 
  security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 
921dc3736 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java 
f48a80387 
  security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java 
PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java 
PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
eef29b0dc 
  security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 
039e4e8d5 
  

Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies

2019-05-21 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/
---

(Updated May 22, 2019, 1:19 a.m.)


Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Refactored RangerRole to use inner class RoleMember. Updated GUI.


Bugs: RANGER-2414
https://issues.apache.org/jira/browse/RANGER-2414


Repository: ranger


Description
---

Current Ranger policy model supports authorization/column-masking/row-filtering 
for users/user-groups based on various criteria like accessed-resource, 
resource-classifications, IP-address and custom conditions. Given the 
wide-spread use of role-based authorization in traditional enterprise 
applications (like RDBMS, J2EE), it will be very useful for Ranger policy model 
to support 'roles' i.e. to be able to specify 
authorization/column-masking/row-filtering for roles as well - in addition to 
existing support for users and user-groups.

This patch provides an initial implementation of support for roles in Ranger.


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
 800b3c4f4 
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 
3cf509d7c 
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java 
PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
 5316baea3 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
 9ed500c50 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 eab2c238e 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
 eafbde246 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 a57b39827 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
 45231e739 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
 47b4921ad 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
 5400f71c4 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
 a6e24c609 
  
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
 5a18226fe 
  agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java 
PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 c20ccded6 
  agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 
e22249ac6 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java 
cbd2cb012 
  
agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
 e6d90a491 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
 e92a2e658 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 5a47ba401 
  agents-common/src/test/resources/policyengine/test_aclprovider_default.json 
b4c4def85 
  
agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json 
PRE-CREATION 
  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a 
  security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION 
  security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 
9a9e36b09 
  security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION 
  security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 
df4201d89 
  security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION 
  
security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 
a2d413743 
  security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION 
  security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 
1f3ccbf5d 
  security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 
921dc3736 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java 
f48a80387 
  security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java 
PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java 
PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
35dc9405b 
  security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 
039e4e8d5 
  security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 
979fd6543 
  

Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies

2019-05-15 Thread Abhay Kulkarni


> On May 14, 2019, 3:37 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
> > Line 527 (original), 528 (patched)
> > 
> >
> > PolicyACLSummary has getRolesAccessInfo(), so it may not be necessary 
> > to skip policies that include 'roles'. Please review and update.

Opened https://issues.apache.org/jira/browse/RANGER-2428 to track this.


- Abhay


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215233
---


On May 15, 2019, 1:58 a.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> ---
> 
> (Updated May 15, 2019, 1:58 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
> Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Current Ranger policy model supports 
> authorization/column-masking/row-filtering for users/user-groups based on 
> various criteria like accessed-resource, resource-classifications, IP-address 
> and custom conditions. Given the wide-spread use of role-based authorization 
> in traditional enterprise applications (like RDBMS, J2EE), it will be very 
> useful for Ranger policy model to support 'roles' i.e. to be able to specify 
> authorization/column-masking/row-filtering for roles as well - in addition to 
> existing support for users and user-groups.
> 
> This patch provides an initial implementation of support for roles in Ranger.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
>  3111037ff 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 
> 3cf509d7c 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java 
> PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
>  990aab0c9 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
>  9ed500c50 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  eab2c238e 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
>  eafbde246 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  a57b39827 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
>  45231e739 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
>  47b4921ad 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
>  5400f71c4 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
>  a6e24c609 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
>  5a18226fe 
>   agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java 
> PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
>  c20ccded6 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 
> e22249ac6 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
>  cbd2cb012 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
>  2c1de4eb8 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
>  e92a2e658 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
>  5a47ba401 
>   agents-common/src/test/resources/policyengine/test_aclprovider_default.json 
> b4c4def85 
>   
> agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json
>  PRE-CREATION 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 
> 769afb56a 
>   security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION 
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 
> 9a9e36b09 
>   security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION 
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 
> df4201d89 
>   security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION 
>   
> 

Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies

2019-05-14 Thread Don Bosco Durai


> On May 11, 2019, 7:10 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
> > Lines 944 (patched)
> > 
> >
> > Do we have small window where the roles could be empty and it could 
> > affect during multi-thread environment?
> 
> Abhay Kulkarni wrote:
> I don't think so. Are you suggesting concurrent updates to policy may 
> lead to inconsistent policy state? If so, one of the transactions will be 
> aborted when attempting to persist changes to database.
> 
> Don Bosco Durai wrote:
> I meant, while the policies are getting updated, a request for 
> authorization, is it possible the  list will be empty?
> 
> Abhay Kulkarni wrote:
> Policies in the policy-engine are treated as read-only during 
> authorization. So, there is no possibility of list getting modified.

Thanks for clarifying.


- Don Bosco


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215198
---


On May 15, 2019, 1:58 a.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> ---
> 
> (Updated May 15, 2019, 1:58 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
> Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Current Ranger policy model supports 
> authorization/column-masking/row-filtering for users/user-groups based on 
> various criteria like accessed-resource, resource-classifications, IP-address 
> and custom conditions. Given the wide-spread use of role-based authorization 
> in traditional enterprise applications (like RDBMS, J2EE), it will be very 
> useful for Ranger policy model to support 'roles' i.e. to be able to specify 
> authorization/column-masking/row-filtering for roles as well - in addition to 
> existing support for users and user-groups.
> 
> This patch provides an initial implementation of support for roles in Ranger.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
>  3111037ff 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 
> 3cf509d7c 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java 
> PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
>  990aab0c9 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
>  9ed500c50 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  eab2c238e 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
>  eafbde246 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  a57b39827 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
>  45231e739 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
>  47b4921ad 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
>  5400f71c4 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
>  a6e24c609 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
>  5a18226fe 
>   agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java 
> PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
>  c20ccded6 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 
> e22249ac6 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
>  cbd2cb012 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
>  2c1de4eb8 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
>  e92a2e658 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
>  5a47ba401 
>   agents-common/src/test/resources/policyengine/test_aclprovider_default.json 
> b4c4def85 
>   
> agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json
>  PRE-CREATION 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 
> 769afb56a 
>   

Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies

2019-05-14 Thread Abhay Kulkarni


> On May 11, 2019, 5:08 p.m., Madhan Neethiraj wrote:
> > agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
> > Lines 127 (patched)
> > 
> >
> > Would this include all roles of the user, at the time of access, in 
> > each audit log? This might add excessive data into audit logs. This should 
> > be seen as user->groups mapping, which is not included in audit logs. 
> > Please review.
> 
> Abhay Kulkarni wrote:
> Yes. I think it will be useful to log this, as the user->role mapping is 
> 'owned' by Ranger admin (unlike user->group mapping, which is 'owned' by LDAP 
> or some external entity).

Done


> On May 11, 2019, 5:08 p.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
> > Lines 529 (patched)
> > 
> >
> > Why would presence of roles make it not-usable for evaluation? 
> > Shouldn't this be treated similar to groups?
> 
> Abhay Kulkarni wrote:
> Theoretically, no. However, as a first-cut, this approximation is useful.

Opened https://issues.apache.org/jira/browse/RANGER-2428 to track this.


- Abhay


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215200
---


On May 15, 2019, 1:58 a.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> ---
> 
> (Updated May 15, 2019, 1:58 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
> Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Current Ranger policy model supports 
> authorization/column-masking/row-filtering for users/user-groups based on 
> various criteria like accessed-resource, resource-classifications, IP-address 
> and custom conditions. Given the wide-spread use of role-based authorization 
> in traditional enterprise applications (like RDBMS, J2EE), it will be very 
> useful for Ranger policy model to support 'roles' i.e. to be able to specify 
> authorization/column-masking/row-filtering for roles as well - in addition to 
> existing support for users and user-groups.
> 
> This patch provides an initial implementation of support for roles in Ranger.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
>  3111037ff 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 
> 3cf509d7c 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java 
> PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
>  990aab0c9 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
>  9ed500c50 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  eab2c238e 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
>  eafbde246 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  a57b39827 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
>  45231e739 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
>  47b4921ad 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
>  5400f71c4 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
>  a6e24c609 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
>  5a18226fe 
>   agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java 
> PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
>  c20ccded6 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 
> e22249ac6 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
>  cbd2cb012 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
>  2c1de4eb8 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
>  e92a2e658 
>   
> 

Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies

2019-05-14 Thread Abhay Kulkarni


> On May 11, 2019, 7:10 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
> > Lines 944 (patched)
> > 
> >
> > Do we have small window where the roles could be empty and it could 
> > affect during multi-thread environment?
> 
> Abhay Kulkarni wrote:
> I don't think so. Are you suggesting concurrent updates to policy may 
> lead to inconsistent policy state? If so, one of the transactions will be 
> aborted when attempting to persist changes to database.
> 
> Don Bosco Durai wrote:
> I meant, while the policies are getting updated, a request for 
> authorization, is it possible the  list will be empty?

Policies in the policy-engine are treated as read-only during authorization. 
So, there is no possibility of list getting modified.


- Abhay


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215198
---


On May 15, 2019, 1:58 a.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> ---
> 
> (Updated May 15, 2019, 1:58 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
> Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Current Ranger policy model supports 
> authorization/column-masking/row-filtering for users/user-groups based on 
> various criteria like accessed-resource, resource-classifications, IP-address 
> and custom conditions. Given the wide-spread use of role-based authorization 
> in traditional enterprise applications (like RDBMS, J2EE), it will be very 
> useful for Ranger policy model to support 'roles' i.e. to be able to specify 
> authorization/column-masking/row-filtering for roles as well - in addition to 
> existing support for users and user-groups.
> 
> This patch provides an initial implementation of support for roles in Ranger.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
>  3111037ff 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 
> 3cf509d7c 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java 
> PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
>  990aab0c9 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
>  9ed500c50 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  eab2c238e 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
>  eafbde246 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  a57b39827 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
>  45231e739 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
>  47b4921ad 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
>  5400f71c4 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
>  a6e24c609 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
>  5a18226fe 
>   agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java 
> PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
>  c20ccded6 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 
> e22249ac6 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
>  cbd2cb012 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
>  2c1de4eb8 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
>  e92a2e658 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
>  5a47ba401 
>   agents-common/src/test/resources/policyengine/test_aclprovider_default.json 
> b4c4def85 
>   
> agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json
>  PRE-CREATION 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 
> 769afb56a 
>   security-admin/db/mysql/patches/041-create-role-schema.sql 

Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies

2019-05-14 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/
---

(Updated May 15, 2019, 1:58 a.m.)


Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Addressed review comments


Bugs: RANGER-2414
https://issues.apache.org/jira/browse/RANGER-2414


Repository: ranger


Description
---

Current Ranger policy model supports authorization/column-masking/row-filtering 
for users/user-groups based on various criteria like accessed-resource, 
resource-classifications, IP-address and custom conditions. Given the 
wide-spread use of role-based authorization in traditional enterprise 
applications (like RDBMS, J2EE), it will be very useful for Ranger policy model 
to support 'roles' i.e. to be able to specify 
authorization/column-masking/row-filtering for roles as well - in addition to 
existing support for users and user-groups.

This patch provides an initial implementation of support for roles in Ranger.


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
 3111037ff 
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 
3cf509d7c 
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java 
PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
 990aab0c9 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
 9ed500c50 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 eab2c238e 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
 eafbde246 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 a57b39827 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
 45231e739 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
 47b4921ad 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
 5400f71c4 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
 a6e24c609 
  
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
 5a18226fe 
  agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java 
PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 c20ccded6 
  agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 
e22249ac6 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java 
cbd2cb012 
  
agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
 2c1de4eb8 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
 e92a2e658 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 5a47ba401 
  agents-common/src/test/resources/policyengine/test_aclprovider_default.json 
b4c4def85 
  
agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json 
PRE-CREATION 
  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a 
  security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION 
  security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 
9a9e36b09 
  security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION 
  security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 
df4201d89 
  security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION 
  
security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 
a2d413743 
  security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION 
  security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 
1f3ccbf5d 
  security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 
921dc3736 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java 
f48a80387 
  security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java 
PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java 
PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
35dc9405b 
  security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 
039e4e8d5 
  security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 
979fd6543 
  

Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies

2019-05-13 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215233
---




agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
Lines 127 (patched)


I suggest to not include 'roles' in audit logs - at least for the first 
cut. If this becomes critical this can be added later.



agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
Lines 256 (patched)


Looks like the method can be replaced with the following. Please review and 
update.
  return RangerAccessRequestUtil.getCurrentUserRolesFromContext(request.getContext());
  
Anyway, this method wouldn't be needed if we decided to not store roles in 
audit logs.



agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 1264 (patched)


Defining roles for 'USER_CURRENT' doesn't seem intuitive. This is equivalent 
to having the role assigned to 'public' group. Consider removing lines #1264 - 
#1268.

Given owner (of resource) is available only for few service-types (well, 
only HDFS for now; Atlas and Hive on the way), I think it will be good to not 
support this in roles. Consider removing #1269 - #1275.



agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
Line 527 (original), 528 (patched)


PolicyACLSummary has getRolesAccessInfo(), so it may not be necessary to 
skip policies that include 'roles'. Please review and update.



agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
Lines 253 (patched)


Consider removing #252 - #260, and replace 'hasRole' in #261 with:

  (CollectionUtils.isNotEmpty(roles) && CollectionUtils.containsAny(roles, RangerAccessRequestUtil.getCurrentUserRolesFromContext(request.getContext())));
  
Note that RangerAccessRequestUtil.getCurrentUserRolesFromContext() should 
return emptyList() when current user has no roles.



agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
Lines 162 (patched)


RangerAccessRequestUtil.setTokenInContext() ==> 
RangerAccessRequestUtil.setCurrentUserRolesInContext()


- Madhan Neethiraj


On May 14, 2019, 1:55 a.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> ---
> 
> (Updated May 14, 2019, 1:55 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
> Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Current Ranger policy model supports 
> authorization/column-masking/row-filtering for users/user-groups based on 
> various criteria like accessed-resource, resource-classifications, IP-address 
> and custom conditions. Given the wide-spread use of role-based authorization 
> in traditional enterprise applications (like RDBMS, J2EE), it will be very 
> useful for Ranger policy model to support 'roles' i.e. to be able to specify 
> authorization/column-masking/row-filtering for roles as well - in addition to 
> existing support for users and user-groups.
> 
> This patch provides an initial implementation of support for roles in Ranger.
> 
> 
> Diffs
> -
> 
>   
> agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 
> 28db58cd9 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
>  5e2c49211 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
>  3111037ff 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 
> 3cf509d7c 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java 
> PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
>  990aab0c9 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
>  9ed500c50 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  365edcf35 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
>  eafbde246 
>   
> 
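
The role check suggested in the review comment on RangerOptimizedPolicyEvaluator.java above, as an added example that is not part of the original thread and is not Ranger's code. The class name, the context key "USERROLES" and the method bodies are assumptions; the helper only mirrors the name used in the review, and java.util.Collections.disjoint() stands in for CollectionUtils.containsAny() so the block needs no external library.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added illustration, not Ranger code. All names here are hypothetical stand-ins.
public class RoleMatchExample {
    // Hypothetical key under which the caller stores the requesting user's roles.
    static final String KEY_USER_ROLES = "USERROLES";

    // Stand-in for the helper named in the review. It never returns null:
    // a missing context, a missing key or a value of the wrong type all
    // yield an empty collection, so callers need no null checks.
    @SuppressWarnings("unchecked")
    static Collection<String> getCurrentUserRolesFromContext(Map<String, Object> context) {
        Object value = (context == null) ? null : context.get(KEY_USER_ROLES);
        if (value instanceof Collection) {
            return (Collection<String>) value;
        }
        return Collections.<String>emptyList();
    }

    // True only when the policy item names at least one role and the
    // requesting user holds at least one of those roles.
    static boolean hasRole(Set<String> policyItemRoles, Map<String, Object> context) {
        if (policyItemRoles == null || policyItemRoles.isEmpty()) {
            return false; // an item without roles can never match by role
        }
        return !Collections.disjoint(policyItemRoles, getCurrentUserRolesFromContext(context));
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Set<String> itemRoles = new HashSet<>(Arrays.asList("auditor", "dba"));

        Map<String, Object> withRoles = new HashMap<>();
        withRoles.put(KEY_USER_ROLES, new HashSet<>(Arrays.asList("analyst", "auditor")));

        Map<String, Object> otherRoles = new HashMap<>();
        otherRoles.put(KEY_USER_ROLES, new HashSet<>(Arrays.asList("analyst")));

        Map<String, Object> noRolesKey = new HashMap<>();

        System.out.println("user holds a listed role : " + hasRole(itemRoles, withRoles));
        System.out.println("user holds other roles   : " + hasRole(itemRoles, otherRoles));
        System.out.println("no roles in context      : " + hasRole(itemRoles, noRolesKey));
        System.out.println("null context             : " + hasRole(itemRoles, null));
        System.out.println("policy item without roles: "
                + hasRole(Collections.<String>emptySet(), withRoles));
    }
}
```

Only the first case matches. The other four fall through to a non-match without a null check at the call site, which is the reason the review asks for an empty list rather than null.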

Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies

2019-05-13 Thread Don Bosco Durai


> On May 11, 2019, 7:10 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
> > Lines 944 (patched)
> > 
> >
> > Do we have small window where the roles could be empty and it could 
> > affect during multi-thread environment?
> 
> Abhay Kulkarni wrote:
> I don't think so. Are you suggesting concurrent updates to policy may 
> lead to inconsistent policy state? If so, one of the transactions will be 
> aborted when attempting to persist changes to database.

I meant, while the policies are getting updated, a request for authorization, 
is it possible the  list will be empty?


- Don Bosco


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215198
---


On May 14, 2019, 1:55 a.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> ---
> 
> (Updated May 14, 2019, 1:55 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
> Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Current Ranger policy model supports 
> authorization/column-masking/row-filtering for users/user-groups based on 
> various criteria like accessed-resource, resource-classifications, IP-address 
> and custom conditions. Given the wide-spread use of role-based authorization 
> in traditional enterprise applications (like RDBMS, J2EE), it will be very 
> useful for Ranger policy model to support 'roles' i.e. to be able to specify 
> authorization/column-masking/row-filtering for roles as well - in addition to 
> existing support for users and user-groups.
> 
> This patch provides an initial implementation of support for roles in Ranger.
> 
> 
> Diffs
> -
> 
>   
> agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 
> 28db58cd9 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
>  5e2c49211 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
>  3111037ff 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 
> 3cf509d7c 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java 
> PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
>  990aab0c9 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
>  9ed500c50 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  365edcf35 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
>  eafbde246 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  a57b39827 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
>  45231e739 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
>  47b4921ad 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
>  5400f71c4 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
>  a6e24c609 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
>  5a18226fe 
>   agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java 
> PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
>  c20ccded6 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 
> e22249ac6 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
>  cbd2cb012 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
>  2c1de4eb8 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
>  e92a2e658 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
>  5a47ba401 
>   agents-common/src/test/resources/policyengine/test_aclprovider_default.json 
> b4c4def85 
>   
> agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json
>  PRE-CREATION 
>   
> hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
>  

Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies

2019-05-13 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/
---

(Updated May 14, 2019, 1:55 a.m.)


Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Addressed review comments


Bugs: RANGER-2414
https://issues.apache.org/jira/browse/RANGER-2414


Repository: ranger


Description
---

Current Ranger policy model supports authorization/column-masking/row-filtering 
for users/user-groups based on various criteria like accessed-resource, 
resource-classifications, IP-address and custom conditions. Given the 
wide-spread use of role-based authorization in traditional enterprise 
applications (like RDBMS, J2EE), it will be very useful for Ranger policy model 
to support 'roles' i.e. to be able to specify 
authorization/column-masking/row-filtering for roles as well - in addition to 
existing support for users and user-groups.

This patch provides an initial implementation of support for roles in Ranger.


Diffs (updated)
-

  agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 
28db58cd9 
  
agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
 5e2c49211 
  
agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
 3111037ff 
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 
3cf509d7c 
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java 
PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
 990aab0c9 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
 9ed500c50 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 365edcf35 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
 eafbde246 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 a57b39827 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
 45231e739 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
 47b4921ad 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
 5400f71c4 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
 a6e24c609 
  
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
 5a18226fe 
  agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java 
PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 c20ccded6 
  agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 
e22249ac6 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java 
cbd2cb012 
  
agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
 2c1de4eb8 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
 e92a2e658 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 5a47ba401 
  agents-common/src/test/resources/policyengine/test_aclprovider_default.json 
b4c4def85 
  
agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json 
PRE-CREATION 
  
hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
 f204c15c0 
  
hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
 bf4d6c1ea 
  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a 
  security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION 
  security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 
9a9e36b09 
  security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION 
  security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 
df4201d89 
  security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION 
  
security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 
a2d413743 
  security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION 
  security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 
1f3ccbf5d 
  security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 
921dc3736 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java 
f48a80387 
  

Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies

2019-05-13 Thread Abhay Kulkarni


> On May 11, 2019, 5:08 p.m., Madhan Neethiraj wrote:
> > agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
> > Lines 127 (patched)
> > 
> >
> > Would this include all roles of the user, at the time of access, in 
> > each audit log? This might add excessive data into audit logs. This should 
> > be seen as user->groups mapping, which is not included in audit logs. 
> > Please review.

Yes. I think it will be useful to log this, as the user->role mapping is 
'owned' by Ranger admin (unlike user->group mapping, which is 'owned' by LDAP 
or some external entity).


> On May 11, 2019, 5:08 p.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
> > Lines 1289 (patched)
> > 
> >
> > Can handling of 'public' group be done at Ranger admin i.e. in 
> > ServicePolicies downloaded given to the plugins?

No. Role-names that the requesting user maps to need to be built per request, 
as the requesting user is known only at the access time.


> On May 11, 2019, 5:08 p.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
> > Lines 529 (patched)
> > 
> >
> > Why would presence of roles make it not-usable for evaluation? 
> > Shouldn't this be treated similar to groups?

Theoretically, no. However, as a first-cut, this approximation is useful.


- Abhay


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215200
---



Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies

2019-05-13 Thread Abhay Kulkarni


> On May 11, 2019, 7:10 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
> > Lines 944 (patched)
> > 
> >
> > Do we have a small window where the roles could be empty and it could 
> > affect during multi-thread environment?

I don't think so. Are you suggesting concurrent updates to policy may lead to 
inconsistent policy state? If so, one of the transactions will be aborted when 
attempting to persist changes to database.


- Abhay


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215198
---



Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies

2019-05-11 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215200
---




agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
Lines 127 (patched)


Would this include all roles of the user, at the time of access, in each 
audit log? This might add excessive data into audit logs. This should be seen 
as user->groups mapping, which is not included in audit logs. Please review.



agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 1276 (patched)


It seems 'macroUserRoles' should be effective only for the current 
evaluation context. Adding to 'userRoles', which is a reference in 
'userRoleMapping' would make the change visible to all evaluations. Please 
review and update.



agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 1289 (patched)


Can handling of 'public' group be done at Ranger admin i.e. in 
ServicePolicies downloaded given to the plugins?



agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 1299 (patched)


#1276 applies here as well. Please review.



agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 1318 (patched)


#1276 might be applicable here as well. Please review.



agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
Lines 529 (patched)


Why would presence of roles make it not-usable for evaluation? Shouldn't 
this be treated similar to groups?



agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
Lines 214 (patched)


Consider avoiding this typecasting, by adding following methods:

class RangerAccessRequestUtil {
  public static void setCurrentUserRoles(Set roles) {
    // ...
  }

  public static Set getCurrentUserRoles() {
    // ...
  }
}



agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
Lines 165 (patched)


Shouldn't dataMaskPolicyItems and rowFilterPolicyItems be checked as well?



agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
Lines 63 (patched)


It will be useful to add a comment here, on what the key and values are.

Also, if Ranger admin is going to compute the roles for users and groups, 
following might be simpler in ServicePolicies:
 private Map> userRoles;
 private Map> groupRoles;


- Madhan Neethiraj
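
The aliasing concern raised in the comment on RangerPolicyEngineImpl.java line 1276, as an added example that is not part of the thread or of Ranger's code: roles meant for one evaluation are added to a set owned by a shared map, so later requests inherit them. Only the names userRoleMapping, userRoles and macroUserRoles come from the thread; the class, the method names, the role names and the sample data are assumptions.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class RoleScopeDemo {
    // Shared by every evaluation, like the 'userRoleMapping' named in the review comment.
    static final Map<String, Set<String>> userRoleMapping = new HashMap<>();

    // Leaky variant: 'userRoles' is the very set stored in the shared map,
    // so adding request-scoped roles to it changes what every later request sees.
    static Set<String> rolesForRequestLeaky(String user, Set<String> macroUserRoles) {
        Set<String> userRoles = userRoleMapping.computeIfAbsent(user, u -> new HashSet<>());
        userRoles.addAll(macroUserRoles);
        return userRoles;
    }

    // Scoped variant: copy the mapped roles first, add the request-scoped roles
    // to the copy, and hand back a read-only view that dies with the request.
    static Set<String> rolesForRequestScoped(String user, Set<String> macroUserRoles) {
        Set<String> userRoles =
            new HashSet<>(userRoleMapping.getOrDefault(user, Collections.emptySet()));
        userRoles.addAll(macroUserRoles);
        return Collections.unmodifiableSet(userRoles);
    }

    public static void main(String[] args) {
        // Constructed sample data: alice is mapped to a single role.
        userRoleMapping.put("alice", new HashSet<>(Collections.singleton("analyst")));
        Set<String> requestOnly = Collections.singleton("resource-owner");

        // Request 1 carries a role that is valid only in its own context.
        Set<String> scoped = rolesForRequestScoped("alice", requestOnly);
        System.out.println("scoped result:         " + scoped);
        System.out.println("mapping after scoped:  " + userRoleMapping.get("alice"));

        rolesForRequestLeaky("alice", requestOnly);
        // Request 2 passes no extra roles; the set it gets back is the one
        // that request 1 mutated inside the shared map.
        Set<String> next = rolesForRequestLeaky("alice", Collections.emptySet());
        System.out.println("next request (leaky):  " + next);
    }
}
```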



Re: Review Request 70629: RANGER-2414: Enhancements to support roles in Ranger policies

2019-05-11 Thread Don Bosco Durai

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215198
---




agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
Lines 944 (patched)


Do we have a small window where the roles could be empty and it could affect 
during multi-thread environment?


- Don Bosco Durai


On May 11, 2019, 1:45 a.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> ---
> 
> (Updated May 11, 2019, 1:45 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
> Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-2414
> https://issues.apache.org/jira/browse/RANGER-2414
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Current Ranger policy model supports 
> authorization/column-masking/row-filtering for users/user-groups based on 
> various criteria like accessed-resource, resource-classifications, IP-address 
> and custom conditions. Given the wide-spread use of role-based authorization 
> in traditional enterprise applications (like RDBMS, J2EE), it will be very 
> useful for Ranger policy model to support 'roles' i.e. to be able to specify 
> authorization/column-masking/row-filtering for roles as well - in addition to 
> existing support for users and user-groups.
> 
> This patch provides an initial implementation of support for roles in Ranger.
> 
> 
> Diffs
> -
> 
>   
> agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 
> 28db58cd9 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
>  5e2c49211 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
>  3111037ff 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 
> 3cf509d7c 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java 
> PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
>  990aab0c9 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
>  9ed500c50 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  365edcf35 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
>  eafbde246 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  a57b39827 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
>  45231e739 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
>  47b4921ad 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
>  5400f71c4 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
>  a6e24c609 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
>  5a18226fe 
>   agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java 
> PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
>  c20ccded6 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 
> e22249ac6 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
>  cbd2cb012 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java
>  2c1de4eb8 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
>  e92a2e658 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
>  5a47ba401 
>   agents-common/src/test/resources/policyengine/test_aclprovider_default.json 
> b4c4def85 
>   
> agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json
>  PRE-CREATION 
>   
> hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
>  f204c15c0 
>   
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java
>  bf4d6c1ea 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 
> 769afb56a 
>   security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION 
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 
> 9a9e36b09 
>   security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION