[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[ https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17152575#comment-17152575 ]

RickyMa commented on RANGER-2856:
---------------------------------

[~pradeep] : Got it. Thanks a lot.

> A policy should be deleted if it has no policyItems
> ---------------------------------------------------
>
> Key: RANGER-2856
> URL: https://issues.apache.org/jira/browse/RANGER-2856
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
> Affects Versions: master
> Reporter: RickyMa
> Priority: Minor
> Fix For: 2.1.0
>
> Attachments: RANGER-2856.patch, image-2020-07-02-21-58-59-495.png, image-2020-07-02-22-03-36-267.png
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Condition: A policy contains only one policyItem and the policyItem only sets one user and no groups.
> Action: Delete the user in the policyItem using API: 'http://ip:6080/service/xusers/users/{id}?forceDelete=true'
> Result: The policy still exists, but it has no policyItems. A policy with no policyItems is completely meaningless and it should be deleted.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[ https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17152565#comment-17152565 ]

Pradeep Agrawal commented on RANGER-2856:
-----------------------------------------

[~RickyMa] : Please close the RR. Next time please create the patch using "git format-patch" command.
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[ https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17152564#comment-17152564 ]

Pradeep Agrawal commented on RANGER-2856:
-----------------------------------------

Patch committed : [https://github.com/apache/ranger/commit/400beaa7604e4c83d051dc6e83b8bc109e5d8c53]
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[ https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17150469#comment-17150469 ]

RickyMa commented on RANGER-2856:
---------------------------------

[~pradeep] : Got it. It's done. Please review it again. Thank you so much.
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[ https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17150436#comment-17150436 ]

Pradeep Agrawal commented on RANGER-2856:
-----------------------------------------

[~RickyMa] : if [^RANGER-2856.patch] is your proposed patch then download that file and go to your RR and select: update -> update Diff -> select the file and upload it. After upload publish the RR again.

!image-2020-07-02-22-03-36-267.png!
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[ https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17150431#comment-17150431 ]

Pradeep Agrawal commented on RANGER-2856:
-----------------------------------------

[~RickyMa] : I see your patch diff like this : [https://reviews.apache.org/r/72588/diff/1#index_header]

!image-2020-07-02-21-58-59-495.png!
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[ https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17150282#comment-17150282 ]

RickyMa commented on RANGER-2856:
---------------------------------

[~pradeep] : Sorry, I don't quite get it. Because I can see RANGER-2856.patch file had already been uploaded at RR [https://reviews.apache.org/r/72588/] two weeks before.
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[ https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17149442#comment-17149442 ]

Pradeep Agrawal commented on RANGER-2856:
-----------------------------------------

[~RickyMa] : Upload this patch [https://github.com/apache/ranger/pull/66/files] at RR [https://reviews.apache.org/r/72588/]
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[ https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17147998#comment-17147998 ]

RickyMa commented on RANGER-2856:
---------------------------------

[~madhan] : It's been a couple of days. Do you have time to review and merge this? Thank you so much.
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[ https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17135188#comment-17135188 ]

RickyMa commented on RANGER-2856:
---------------------------------

[~madhan] : I got your point now. I didn't know that. That explains it. I added an API. The patch is ready. Please have a look. Thanks a lot.

pull request: [https://github.com/apache/ranger/pull/66/files]
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[ https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17134924#comment-17134924 ]

Madhan Neethiraj commented on RANGER-2856:
------------------------------------------

Current callers of {{ServiceDBStore.updatePolicy()}} API, including the following REST endpoints, expect to receive the updated policy as the return value. If the policy is implicitly deleted, null is returned and the callers need to be updated to handle this new behavior. Given there are applications using REST APIs to integrate with Ranger, this change in behavior could cause such integrations to break. Hence I suggest for a separate API to cleanup policies that have no impact in authorization/audit.

- PublicAPIsv2.updatePolicy()
- PublicAPIsv2.updatePolicyByName()
- ServiceREST.updatePolicy()
- ServiceREST.createPolicy()
- ServiceREST.applyPolicy()
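Added example, not part of the thread or of the committed Ranger patch: a sketch of the selection rule the discussion converges on, where a policy is a purge candidate only if it has no items and audit logging is disabled, so that audit-only policies are never removed. It goes beyond `policyItems` to the other item lists in Ranger's policy JSON (`denyPolicyItems`, `allowExceptions`, `denyExceptions`, `dataMaskPolicyItems`, `rowFilterPolicyItems`); the function names, the fail-safe default for a missing `isAuditEnabled`, and the sample policies are assumptions constructed for illustration.

```python
"""Classify exported Ranger policies before purging empty ones.

Added illustration only; this is not the RANGER-2856 patch.
"""

# Every list on a policy that can grant, deny, mask or filter access.
# A policy is treated as empty only when all of them are empty.
ITEM_FIELDS = (
    "policyItems",
    "denyPolicyItems",
    "allowExceptions",
    "denyExceptions",
    "dataMaskPolicyItems",
    "rowFilterPolicyItems",
)


def has_no_items(policy):
    """True when none of the item lists carries an entry."""
    return not any(policy.get(field) for field in ITEM_FIELDS)


def classify(policy):
    """Return 'keep', 'keep-audit-only' or 'purge-candidate'."""
    if not has_no_items(policy):
        return "keep"
    # An empty policy with audit enabled still makes plugins emit audit
    # logs for the resources it matches, so it must survive a purge.
    # Assumption: a missing flag is treated as enabled (fail towards keeping).
    if policy.get("isAuditEnabled", True):
        return "keep-audit-only"
    return "purge-candidate"


def purge_candidates(policies, service_name):
    """Ids of policies in one service that are safe to hand to a purge call."""
    return sorted(
        p["id"]
        for p in policies
        if p.get("service") == service_name and classify(p) == "purge-candidate"
    )


# Constructed sample export; ids, names and services are made up.
SAMPLE_POLICIES = [
    {"id": 1, "service": "hive_dev", "name": "ex-employee db",
     "policyItems": [], "isAuditEnabled": False},
    {"id": 2, "service": "hive_dev", "name": "audit-only finance",
     "policyItems": [], "isAuditEnabled": True},
    {"id": 3, "service": "hive_dev", "name": "deny contractors",
     "policyItems": [], "isAuditEnabled": False,
     "denyPolicyItems": [{"users": ["alice"], "groups": [],
                          "accesses": [{"type": "select", "isAllowed": True}]}]},
    {"id": 4, "service": "hdfs_dev", "name": "old tmp dir",
     "policyItems": [], "isAuditEnabled": False},
    {"id": 5, "service": "hive_dev", "name": "flag missing",
     "policyItems": []},
]

if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p["id"], p["name"], "->", classify(p))
    print("purge candidates in hive_dev:", purge_candidates(SAMPLE_POLICIES, "hive_dev"))
```
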
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[ https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17134919#comment-17134919 ]

RickyMa commented on RANGER-2856:
---------------------------------

[~madhan] - Alright, I can add this REST API. But I am still a little confused about this.

After discussing this issue with my colleagues, we all think that deleting a policy which has no policyItems and audit log is disabled is completely safe. There will be only benefits and no harm.

A policy like this is useless and it will only increase overhead expense. Especially when you have tens of thousands of policies like this in your system, which is a serious performance issue.

Could you please explain it to me why we should keep such policies? Thanks a lot.
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[ https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17133923#comment-17133923 ]

Madhan Neethiraj commented on RANGER-2856:
------------------------------------------

[~RickyMa] - instead of handling such optimization in lower level {{updatePolicy()}} method, which is called from many different contexts, I suggest to consider adding a new REST API to purge empty policies, like:

{code:java}
public class PublicAPIsv2 {
  ...
  @DELETE
  @Path("/api/server/purgepolicies/{serviceName}")
  @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
  public List purgeEmptyPolicies(@PathParam("serviceName") String serviceName, @Context HttpServletRequest request) {
    ...
  }
  ...
}
{code}
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[ https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17133901#comment-17133901 ]

RickyMa commented on RANGER-2856:
---------------------------------

[~madhan] : I added an if condition to dispel your worries about audit logs.

In our situation, we have a very high employee turnover rate and large numbers of employees. So we need to delete users in Ranger more frequently than others. That's why we are more likely to face this issue.

We have tens of thousands of policies in Ranger and as time goes by, most of them will be meaningless policies which have no policyItems. And this can be a great performance issue in our condition. Because a large number of useless policies are synchronized to plugins every time the policies are updated (created, updated, deleted). And every time Ranger is managing an access control, it has to filter a lot of redundant policies. This is a great performance issue as I think.
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[ https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17133587#comment-17133587 ]

Madhan Neethiraj commented on RANGER-2856:
------------------------------------------

The side effect of deleting such policies is potential skipping of audit logs for the resources covered by the policy, i.e. if there is no audit-enabled policy that matches the accessed resource, Ranger plugins would not generate audit logs. I suggest to not delete policies having no items automatically.
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[ https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17133534#comment-17133534 ]

RickyMa commented on RANGER-2856:
---------------------------------

A simple patch to fix this bug. Pull Request and Review link is ready. Can anyone please merge this?