[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[
https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17152575#comment-17152575
]
RickyMa commented on RANGER-2856:
-
[~pradeep] : Got it. Thanks a lot.
> A policy should be deleted if it has no policyItems
> ---
>
> Key: RANGER-2856
> URL: https://issues.apache.org/jira/browse/RANGER-2856
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
>Affects Versions: master
>Reporter: RickyMa
>Priority: Minor
> Fix For: 2.1.0
>
> Attachments: RANGER-2856.patch, image-2020-07-02-21-58-59-495.png,
> image-2020-07-02-22-03-36-267.png
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Condition: A policy contains only one policyItem and the policyItem only sets
> one user and no groups.
> Action: Delete the user in the policyItem using API:
> '[http://ip:6080/service/xusers/users/\{id}?forceDelete=true'|http://ip:6080/service/xusers/users/id?forceDelete=true%27,]
> Result: The policy still exists, but it has no policyItems. A policy with no
> policyItems is completely meaningless and it should be deleted.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[
https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17152565#comment-17152565
]
Pradeep Agrawal commented on RANGER-2856:
-
[~RickyMa] : Please close the RR.
Next time please create the patch using "git format-patch" command.
> A policy should be deleted if it has no policyItems
> ---
>
> Key: RANGER-2856
> URL: https://issues.apache.org/jira/browse/RANGER-2856
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
>Affects Versions: master
>Reporter: RickyMa
>Priority: Minor
> Fix For: 2.1.0
>
> Attachments: RANGER-2856.patch, image-2020-07-02-21-58-59-495.png,
> image-2020-07-02-22-03-36-267.png
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Condition: A policy contains only one policyItem and the policyItem only sets
> one user and no groups.
> Action: Delete the user in the policyItem using API:
> '[http://ip:6080/service/xusers/users/\{id}?forceDelete=true'|http://ip:6080/service/xusers/users/id?forceDelete=true%27,]
> Result: The policy still exists, but it has no policyItems. A policy with no
> policyItems is completely meaningless and it should be deleted.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[
https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17152564#comment-17152564
]
Pradeep Agrawal commented on RANGER-2856:
-
Patch committed :
[https://github.com/apache/ranger/commit/400beaa7604e4c83d051dc6e83b8bc109e5d8c53]
> A policy should be deleted if it has no policyItems
> ---
>
> Key: RANGER-2856
> URL: https://issues.apache.org/jira/browse/RANGER-2856
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
>Affects Versions: master
>Reporter: RickyMa
>Priority: Minor
> Fix For: master
>
> Attachments: RANGER-2856.patch, image-2020-07-02-21-58-59-495.png,
> image-2020-07-02-22-03-36-267.png
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Condition: A policy contains only one policyItem and the policyItem only sets
> one user and no groups.
> Action: Delete the user in the policyItem using API:
> '[http://ip:6080/service/xusers/users/\{id}?forceDelete=true'|http://ip:6080/service/xusers/users/id?forceDelete=true%27,]
> Result: The policy still exists, but it has no policyItems. A policy with no
> policyItems is completely meaningless and it should be deleted.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[
https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17150469#comment-17150469
]
RickyMa commented on RANGER-2856:
-
[~pradeep] : Got it. It's done. Please review it again. Thank you so much.
> A policy should be deleted if it has no policyItems
> ---
>
> Key: RANGER-2856
> URL: https://issues.apache.org/jira/browse/RANGER-2856
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
>Affects Versions: master
>Reporter: RickyMa
>Priority: Minor
> Fix For: master
>
> Attachments: RANGER-2856.patch, image-2020-07-02-21-58-59-495.png,
> image-2020-07-02-22-03-36-267.png
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Condition: A policy contains only one policyItem and the policyItem only sets
> one user and no groups.
> Action: Delete the user in the policyItem using API:
> '[http://ip:6080/service/xusers/users/\{id}?forceDelete=true'|http://ip:6080/service/xusers/users/id?forceDelete=true%27,]
> Result: The policy still exists, but it has no policyItems. A policy with no
> policyItems is completely meaningless and it should be deleted.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[
https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17150436#comment-17150436
]
Pradeep Agrawal commented on RANGER-2856:
-
[~RickyMa] : if [^RANGER-2856.patch] is your proposed patch then download that
file and go to your RR and select: update -> update Diff -> select the file and
upload it. After upload publish the RR again.
!image-2020-07-02-22-03-36-267.png!
> A policy should be deleted if it has no policyItems
> ---
>
> Key: RANGER-2856
> URL: https://issues.apache.org/jira/browse/RANGER-2856
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
>Affects Versions: master
>Reporter: RickyMa
>Priority: Minor
> Fix For: master
>
> Attachments: RANGER-2856.patch, image-2020-07-02-21-58-59-495.png,
> image-2020-07-02-22-03-36-267.png
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Condition: A policy contains only one policyItem and the policyItem only sets
> one user and no groups.
> Action: Delete the user in the policyItem using API:
> '[http://ip:6080/service/xusers/users/\{id}?forceDelete=true'|http://ip:6080/service/xusers/users/id?forceDelete=true%27,]
> Result: The policy still exists, but it has no policyItems. A policy with no
> policyItems is completely meaningless and it should be deleted.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[
https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17150431#comment-17150431
]
Pradeep Agrawal commented on RANGER-2856:
-
[~RickyMa] : I see your patch diff like this :
[https://reviews.apache.org/r/72588/diff/1#index_header]
!image-2020-07-02-21-58-59-495.png!
> A policy should be deleted if it has no policyItems
> ---
>
> Key: RANGER-2856
> URL: https://issues.apache.org/jira/browse/RANGER-2856
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
>Affects Versions: master
>Reporter: RickyMa
>Priority: Minor
> Fix For: master
>
> Attachments: RANGER-2856.patch, image-2020-07-02-21-58-59-495.png
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Condition: A policy contains only one policyItem and the policyItem only sets
> one user and no groups.
> Action: Delete the user in the policyItem using API:
> '[http://ip:6080/service/xusers/users/\{id}?forceDelete=true'|http://ip:6080/service/xusers/users/id?forceDelete=true%27,]
> Result: The policy still exists, but it has no policyItems. A policy with no
> policyItems is completely meaningless and it should be deleted.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[
https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17150282#comment-17150282
]
RickyMa commented on RANGER-2856:
-
[~pradeep] : Sorry, I don't quite get it. Because I can see RANGER-2856.patch
file had already been uploaded at RR [https://reviews.apache.org/r/72588/] two
weeks before.
> A policy should be deleted if it has no policyItems
> ---
>
> Key: RANGER-2856
> URL: https://issues.apache.org/jira/browse/RANGER-2856
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
>Affects Versions: master
>Reporter: RickyMa
>Priority: Minor
> Fix For: master
>
> Attachments: RANGER-2856.patch
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Condition: A policy contains only one policyItem and the policyItem only sets
> one user and no groups.
> Action: Delete the user in the policyItem using API:
> '[http://ip:6080/service/xusers/users/\{id}?forceDelete=true'|http://ip:6080/service/xusers/users/id?forceDelete=true%27,]
> Result: The policy still exists, but it has no policyItems. A policy with no
> policyItems is completely meaningless and it should be deleted.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[
https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17149442#comment-17149442
]
Pradeep Agrawal commented on RANGER-2856:
-
[~RickyMa] : Upload this patch [https://github.com/apache/ranger/pull/66/files]
at RR [https://reviews.apache.org/r/72588/]
> A policy should be deleted if it has no policyItems
> ---
>
> Key: RANGER-2856
> URL: https://issues.apache.org/jira/browse/RANGER-2856
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
>Affects Versions: master
>Reporter: RickyMa
>Priority: Minor
> Fix For: master
>
> Attachments: RANGER-2856.patch
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Condition: A policy contains only one policyItem and the policyItem only sets
> one user and no groups.
> Action: Delete the user in the policyItem using API:
> '[http://ip:6080/service/xusers/users/\{id}?forceDelete=true'|http://ip:6080/service/xusers/users/id?forceDelete=true%27,]
> Result: The policy still exists, but it has no policyItems. A policy with no
> policyItems is completely meaningless and it should be deleted.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[
https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17147998#comment-17147998
]
RickyMa commented on RANGER-2856:
-
[~madhan] : It's been a couple of days. Do you have time to review and merge
this? Thank you so much.
> A policy should be deleted if it has no policyItems
> ---
>
> Key: RANGER-2856
> URL: https://issues.apache.org/jira/browse/RANGER-2856
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
>Affects Versions: master
>Reporter: RickyMa
>Priority: Minor
> Fix For: master
>
> Attachments: RANGER-2856.patch
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Condition: A policy contains only one policyItem and the policyItem only sets
> one user and no groups.
> Action: Delete the user in the policyItem using API:
> '[http://ip:6080/service/xusers/users/\{id}?forceDelete=true'|http://ip:6080/service/xusers/users/id?forceDelete=true%27,]
> Result: The policy still exists, but it has no policyItems. A policy with no
> policyItems is completely meaningless and it should be deleted.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[
https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17135188#comment-17135188
]
RickyMa commented on RANGER-2856:
-
[~madhan] : I got your point now. I didn't know that. That explains it.
I added an API. The patch is ready. Please have a look. Thanks a lot.
pull request: [https://github.com/apache/ranger/pull/66/files]
> A policy should be deleted if it has no policyItems
> ---
>
> Key: RANGER-2856
> URL: https://issues.apache.org/jira/browse/RANGER-2856
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
>Affects Versions: master
>Reporter: RickyMa
>Priority: Minor
> Fix For: master
>
> Attachments: RANGER-2856.patch
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Condition: A policy contains only one policyItem and the policyItem only sets
> one user and no groups.
> Action: Delete the user in the policyItem using API:
> '[http://ip:6080/service/xusers/users/\{id}?forceDelete=true'|http://ip:6080/service/xusers/users/id?forceDelete=true%27,]
> Result: The policy still exists, but it has no policyItems. A policy with no
> policyItems is completely meaningless and it should be deleted.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[
https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17134924#comment-17134924
]
Madhan Neethiraj commented on RANGER-2856:
--
Current callers of {{ServiceDBStore.updatePolicy()}} API, including the
following REST endpoints, expect to receive the updated policy as the return
value. If the policy is implicitly deleted, null is returned and the callers
need to be updated to handle this new behavior. Given there are applications
using REST APIs to integrate with Ranger, this change in behavior could cause
such integrations to break. Hence I suggest for a separate API to cleanup
policies that have no impact in authorization/audit.
- PublicAPIsv2.updatePolicy()
- PublicAPIsv2.updatePolicyByName()
- ServiceREST.updatePolicy()
- ServiceREST.createPolicy()
- ServiceREST.applyPolicy()
> A policy should be deleted if it has no policyItems
> ---
>
> Key: RANGER-2856
> URL: https://issues.apache.org/jira/browse/RANGER-2856
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
>Affects Versions: master
>Reporter: RickyMa
>Priority: Minor
> Fix For: master
>
> Attachments: RANGER-2856.patch
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Condition: A policy contains only one policyItem and the policyItem only sets
> one user and no groups.
> Action: Delete the user in the policyItem using API:
> '[http://ip:6080/service/xusers/users/\{id}?forceDelete=true'|http://ip:6080/service/xusers/users/id?forceDelete=true%27,]
> Result: The policy still exists, but it has no policyItems. A policy with no
> policyItems is completely meaningless and it should be deleted.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[
https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17134919#comment-17134919
]
RickyMa commented on RANGER-2856:
-
[~madhan] - Alright, I can add this REST API. But I am still a little confused
about this. After discussing this issue with my collegues, we all think that
deleting a policy which has no policyItems and audit log is disabled is
completely safe. There will be only benefits and no harm. A policy like this is
useless and it will only increase overhead expense. Especially when you have
tens of thousands of policies like this in your system, which is a serious
performance issue.
Could you please explain it to me why we should keep such policies? Thanks a
lot.
> A policy should be deleted if it has no policyItems
> ---
>
> Key: RANGER-2856
> URL: https://issues.apache.org/jira/browse/RANGER-2856
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
>Affects Versions: master
>Reporter: RickyMa
>Priority: Minor
> Fix For: master
>
> Attachments: RANGER-2856.patch
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Condition: A policy contains only one policyItem and the policyItem only sets
> one user and no groups.
> Action: Delete the user in the policyItem using API:
> '[http://ip:6080/service/xusers/users/\{id}?forceDelete=true'|http://ip:6080/service/xusers/users/id?forceDelete=true%27,]
> Result: The policy still exists, but it has no policyItems. A policy with no
> policyItems is completely meaningless and it should be deleted.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[
https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17133923#comment-17133923
]
Madhan Neethiraj commented on RANGER-2856:
--
[~RickyMa] - instead of handling such optimization in lower level
{{updatePolicy()}} method, which is called from many different contexts, I
suggest to consider adding a new REST API to purge empty policies, like:
{code:java}
public class PublicAPIsv2 {
...
@DELETE
@Path("/api/server/purgepolicies/{serviceName}")
@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
public List purgeEmptyPolicies(@PathParam("serviceName",
@Context HttpServletRequest request) String serviceName) {
...
}
...
}
{code}
> A policy should be deleted if it has no policyItems
> ---
>
> Key: RANGER-2856
> URL: https://issues.apache.org/jira/browse/RANGER-2856
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
>Affects Versions: master
>Reporter: RickyMa
>Priority: Minor
> Fix For: master
>
> Attachments: RANGER-2856.patch
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Condition: A policy contains only one policyItem and the policyItem only sets
> one user and no groups.
> Action: Delete the user in the policyItem using API:
> '[http://ip:6080/service/xusers/users/\{id}?forceDelete=true'|http://ip:6080/service/xusers/users/id?forceDelete=true%27,]
> Result: The policy still exists, but it has no policyItems. A policy with no
> policyItems is completely meaningless and it should be deleted.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[
https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17133901#comment-17133901
]
RickyMa commented on RANGER-2856:
-
[~madhan] : I added an if condition to dispel your worries about audit logs.
In our situation, we have a very high employee turnover rate and large numbers
of employees. So we need to delete users in Ranger more frequently than others.
That's why we are more likely to face this issue.
We have tens of thousands of policies in Ranger and as time goes by, most of
them will be meaningless policies which have no policyItems.
And this can be a great performance issue in our condition. Because a large
number of useless policies are synchronized to plugins every time the policies
are updated(created,updated,deleted). And every time Ranger is managing an
access control, it has to filter a lot of redundant policies. This is a great
performance issue as I think.
> A policy should be deleted if it has no policyItems
> ---
>
> Key: RANGER-2856
> URL: https://issues.apache.org/jira/browse/RANGER-2856
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
>Affects Versions: master
>Reporter: RickyMa
>Priority: Minor
> Fix For: master
>
> Attachments: RANGER-2856.patch
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Condition: A policy contains only one policyItem and the policyItem only sets
> one user and no groups.
> Action: Delete the user in the policyItem using API:
> '[http://ip:6080/service/xusers/users/\{id}?forceDelete=true'|http://ip:6080/service/xusers/users/id?forceDelete=true%27,]
> Result: The policy still exists, but it has no policyItems. A policy with no
> policyItems is completely meaningless and it should be deleted.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[
https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17133587#comment-17133587
]
Madhan Neethiraj commented on RANGER-2856:
--
The side effect is deleting such policies is potential skipping of audit logs
for the resources covered by the policy i.e. if there is no audit-enabled
policy that matches the accessed resource, Ranger plugins would not generate
audit logs. I suggest to not delete policies having no items automatically.
> A policy should be deleted if it has no policyItems
> ---
>
> Key: RANGER-2856
> URL: https://issues.apache.org/jira/browse/RANGER-2856
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
>Affects Versions: master
>Reporter: RickyMa
>Priority: Minor
> Fix For: master
>
> Attachments: RANGER-2856.patch
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Condition: A policy contains only one policyItem and the policyItem only sets
> one user and no groups.
> Action: Delete the user in the policyItem using API:
> '[http://ip:6080/service/xusers/users/\{id}?forceDelete=true'|http://ip:6080/service/xusers/users/id?forceDelete=true%27,]
> Result: The policy still exists, but it has no policyItems. A policy with no
> policyItems is completely meaningless and it should be deleted.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (RANGER-2856) A policy should be deleted if it has no policyItems
[
https://issues.apache.org/jira/browse/RANGER-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17133534#comment-17133534
]
RickyMa commented on RANGER-2856:
-
A simple patch to fix this bug. Pull Request and Review link is ready. Can
anyone please merge this?
> A policy should be deleted if it has no policyItems
> ---
>
> Key: RANGER-2856
> URL: https://issues.apache.org/jira/browse/RANGER-2856
> Project: Ranger
> Issue Type: Bug
> Components: admin, Ranger
>Affects Versions: master
>Reporter: RickyMa
>Priority: Minor
> Fix For: master
>
> Attachments: RANGER-2856.patch
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Condition: A policy contains only one policyItem and the policyItem only sets
> one user and no groups.
> Action: Delete the user in the policyItem using API:
> '[http://ip:6080/service/xusers/users/\{id}?forceDelete=true'|http://ip:6080/service/xusers/users/id?forceDelete=true%27,]
> Result: The policy still exists, but it has no policyItems. A policy with no
> policyItems is completely meaningless and it should be deleted.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
