Review Request 69975: SENTRY-2495: Support Conjunctive Matching in Solr QueryDocAuthorizationComponent
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69975/
---

Review request for sentry.

Repository: sentry

Description
---

Adds a conjunctive match capability to the existing QueryDocAuthorizationComponent (which applies document level security against Sentry roles)

Diffs
---

sentry-solr/solr-sentry-handlers/pom.xml 621d8325
sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/QueryDocAuthorizationComponent.java 9da3d6e1
sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestCase.java 3d4d555f
sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/DocLevelGenerator.java 40cc153e
sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/SolrSentryServiceTestBase.java e1f789cb
sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestDocLevelOperations.java 7834f339
sentry-tests/sentry-tests-solr/src/test/resources/log4j.properties d9418167

Diff: https://reviews.apache.org/r/69975/diff/1/

Testing
---

Unit tests added for SubsetQueryPlugin
End-to-end tests added under sentry-tests/sentry-tests-solr for full SolrCloud+Sentry Service using the new QueryDocAuthorizationComponent in conjunctive match mode

Thanks,

Tristan Stevens
Re: Review Request 69924: SENTRY-2440: Add a new thrift API for checking if a user is in admin group
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69924/#review212802
---

Ship it!

Ship It!

- Na Li

On Feb. 7, 2019, 11:47 p.m., Hao Hao wrote:
>
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69924/
> ---
>
> (Updated Feb. 7, 2019, 11:47 p.m.)
>
> Review request for sentry, kalyan kumar kalvagadda and Na Li.
>
> Repository: sentry
>
> Description
> ---
>
> SENTRY-2440: Add a new thrift API for checking if a user is in admin group to
> check if a given user is in the Sentry admin group or not.
>
> This is useful for Sentry client to recognize failure earlier than actually
> making a call to privileged API such as 'create_role', 'drop_role'.
>
> This API shouldn't leak any sensitive information because connection to the
> Sentry server is guarded by 'sentry.service.allow.connect' config, that only
> the trusted service users can connect to the Sentry service.
>
> Diffs
> ---
>
> sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/SentryPolicyService.java 0cbd8ab0a624d4c09aead4097f72762e12d1d21b
> sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/TIsSentryAdminRequest.java PRE-CREATION
> sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/TIsSentryAdminResponse.java PRE-CREATION
> sentry-service/sentry-service-api/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyServiceClient.java 5fc299b2485e0af6df333e4a288299f39e18b3b7
> sentry-service/sentry-service-api/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyServiceClientDefaultImpl.java 68d864cfbdf18057d87a65a04af8991292aadccf
> sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift 2e79e5646ae9102d8c0c28da4260a539254fcd15
> sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryMetrics.java 236a07bdf5191cdc0f167f20a406b721b3dc506d
> sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java 30875299ebf81e74a78b396d4aeaf27890083370
> sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceIntegration.java bfafa7d99735bec07bd81ebe665f4e84e65bd3b7
>
> Diff: https://reviews.apache.org/r/69924/diff/1/
>
> Testing
> ---
>
> Unit test.
>
> Thanks,
>
> Hao Hao
>
Re: Review Request 69619: SENTRY-2482: Sentry Solr to support multi-attribute document level security
> On Feb. 12, 2019, 8:38 p.m., kalyan kumar kalvagadda wrote:
> > Tristan Stevens,
> >
> > This patch has two enhancements
> > 1. Subset Match Filtering/
> > 2. User Attribute Filter
> >
> > Having multiple enhancements in single commit is not easy to understand. Can
> > you separate them to two different patches?
>
> Tristan Stevens wrote:
>     Hi Kalyan,
>     I understand the concern. The problem we have is that both enhancements depend on the SubsetQueryPlugin, which in itself doesn't merit a JIRA on its own. Also, I'm not sure how to submit a review board for one patch built on another.
>
>     To break it down, please consider:
>
>     1. SubsetQueryPlugin.java which is used by both QueryDocAuthorizationComponent.java and SolrAttrBasedFilter.java.
>     2. QueryDocAuthorizationComponent.java provides the first enhancement, extending DocAuthorizationComponent.java
>     3. All other classes under src/main are related to SolrAttrBasedFilter.java.

Tristan,
You don't have to submit both the patches at the same time. You can submit one first, I will review it and commit it so that you can submit another one after that. I will not out delay in the review process.

- kalyan kumar

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69619/#review212760
---

On Jan. 15, 2019, 9:49 p.m., Tristan Stevens wrote:
>
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69619/
> ---
>
> (Updated Jan. 15, 2019, 9:49 p.m.)
>
> Review request for sentry.
>
> Repository: sentry
>
> Description
> ---
>
> This is an improvement request to cover enhanced document level security for
> the Solr document level controls, specifically to cover:
>
> - Security controls against multiple fields
> - Filters based on user attributes as well as just Sentry roles
> - Different security predicates (AND, LessThan, GreaterThan - in addition to the currently supported OR)
> - Pluggable user attribute source ahead of Sentry enhancements.
> - Sample LDAP user attribute source
>
> The ambition is this will be a precursor to full complex predicate support
> being served by Sentry ABAC roadmap.
>
> Diffs
> ---
>
> sentry-solr/solr-sentry-handlers/pom.xml 621d8325
> sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/CachingUserAttributeSource.java PRE-CREATION
> sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/DocAuthorizationComponent.java PRE-CREATION
> sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/FieldToAttributeMapping.java PRE-CREATION
> sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/LdapUserAttributeSource.java PRE-CREATION
> sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/LdapUserAttributeSourceParams.java PRE-CREATION
> sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/QueryDocAuthorizationComponent.java 9da3d6e1
> sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/SolrAttrBasedFilter.java PRE-CREATION
> sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/SubsetQueryPlugin.java PRE-CREATION
> sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/UserAttributeSource.java PRE-CREATION
> sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/UserAttributeSourceParams.java PRE-CREATION
> sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/handler/component/CachingUserAttributeSourceTest.java PRE-CREATION
> sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/handler/component/LdapRegexTest.java PRE-CREATION
> sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/handler/component/MockUserAttributeSource.java PRE-CREATION
> sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/handler/component/SubsetQueryTest.java PRE-CREATION
> sentry-solr/solr-sentry-handlers/src/test/resources/solr/collection1/schema-docValuesSubsetMatch.xml PRE-CREATION
> sentry-solr/solr-sentry-handlers/src/test/resources/solr/collection1/solrconfig-subsetmatchcomponent.xml PRE-CREATION
> sentry-solr/solr-sentry-handlers/src/test/resources/solr/collection1/solrconfig-subsetquery.xml PRE-CREATION
> sentry-solr/solr-sentry-handlers/src/test/resources/solr/collection1/solrconfig.snippet.randomindexconfig.xml PRE-CREATION
> sentry-tests/sentry-tests-solr/pom.xml 7c28bda5
>
Re: Review Request 69536: SENTRY-2471: Table rename should sync Sentry privilege even without location information
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69536/#review212797
---

Ship it!

Ship It!

- Na Li

On Feb. 7, 2019, 1:04 a.m., Hao Hao wrote:
>
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69536/
> ---
>
> (Updated Feb. 7, 2019, 1:04 a.m.)
>
> Review request for sentry, Na Li and Sergio Pena.
>
> Repository: sentry
>
> Description
> ---
>
> SENTRY-2471: Table rename should sync Sentry privilege even without location
> information
>
> Diffs
> ---
>
> sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/NotificationProcessor.java 7b7d0e1eb7ea1f17dea622e51ccc557e0b76fbff
> sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestNotificationProcessor.java f227bb45835b98e6fef14399a239d7f9975d56d1
>
> Diff: https://reviews.apache.org/r/69536/diff/3/
>
> Testing
> ---
>
> added new unit tests
>
> Thanks,
>
> Hao Hao
>