Re: Review Request 66599: RANGER-2066: Hbase column family access is authorized by a tagged column in the column family

2018-04-13 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66599/#review201122
---


Ship it!


- Madhan Neethiraj


On April 13, 2018, 5:36 a.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/66599/
> ---
> 
> (Updated April 13, 2018, 5:36 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2066
> https://issues.apache.org/jira/browse/RANGER-2066
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> SCENARIO:
> 
> Table emp has 2 column families: personal_data(name,SSN,age) ; prof_data(role, manager)
> Column emp/prof_data/role is tagged with OFFICIAL tag.
> 
> Create following policies:
> Resource policy allows Read on all tables, all column-families and all 
> columns and a tag policy allows Read on OFFICIAL tag to test_user.
> 
> When test_user executes "scan 'emp' " command, two audit log records are 
> created:
> 1. Resource: emp/personal_data
> Name / Type: column-family
> Allowed
> Policy allowing: Resource based policy
> 
> 2. Resource: emp/prof_data
> Name / Type: column-family
> Allowed
> Policy allowing: TAG based policy for OFFICIAL tag
> 
> prof_data column-family should be authorized by resource policy.
> 
> 
> Diffs
> ---
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java 415d4a499
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java 349ab360b
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ab4a9d27e
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 956456551
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java cacae5a5b
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 7a890b8b2
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java e4864031b
>   agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json 11f31e317
> 
> 
> Diff: https://reviews.apache.org/r/66599/diff/1/
> 
> 
> Testing
> ---
> 
> Developed and passed unit tests.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



Review Request 66599: RANGER-2066: Hbase column family access is authorized by a tagged column in the column family

2018-04-12 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66599/
---

Review request for ranger, Madhan Neethiraj and Velmurugan Periasamy.


Bugs: RANGER-2066
https://issues.apache.org/jira/browse/RANGER-2066


Repository: ranger


Description
---

SCENARIO:

Table emp has 2 column families: personal_data(name,SSN,age) ; prof_data(role, manager)
Column emp/prof_data/role is tagged with OFFICIAL tag.

Create following policies:
Resource policy allows Read on all tables, all column-families and all columns 
and a tag policy allows Read on OFFICIAL tag to test_user.

When test_user executes "scan 'emp' " command, two audit log records are 
created:
1. Resource: emp/personal_data
Name / Type: column-family
Allowed
Policy allowing: Resource based policy

2. Resource: emp/prof_data
Name / Type: column-family
Allowed
Policy allowing: TAG based policy for OFFICIAL tag

prof_data column-family should be authorized by resource policy.


Diffs
---

  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java 415d4a499
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java 349ab360b
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ab4a9d27e
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 956456551
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java cacae5a5b
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 7a890b8b2
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java e4864031b
  agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json 11f31e317


Diff: https://reviews.apache.org/r/66599/diff/1/


Testing
---

Developed and passed unit tests.


Thanks,

Abhay Kulkarni
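

A simplified model of the scenario in the review request above, added here as an example; it is not Apache Ranger code and not part of the thread. The data structures, function names, the evaluation order, and the rule that a tag on a descendant column does not authorize its parent column family are assumptions chosen to reproduce the reported and the expected audit records.

```python
# Simplified model of the RANGER-2066 scenario; not Apache Ranger code.
from dataclasses import dataclass

# Constructed sample data taken from the scenario in the review request.
TAGS = {"emp/prof_data/role": {"OFFICIAL"}}          # tagged resource -> tags
TAG_POLICY = {"OFFICIAL": {("test_user", "read")}}   # tag -> allowed (user, access)
RESOURCE_POLICY = {("test_user", "read")}            # all tables, families, columns

@dataclass(frozen=True)
class Decision:
    resource: str
    allowed: bool
    policy: str   # policy the audit record would name

def matched_tags(resource):
    """Yield (tag, match): SELF_OR_ANCESTOR if the tag sits on the resource or
    above it, DESCENDANT if it sits on something below the resource."""
    for tagged, tags in TAGS.items():
        if resource == tagged or resource.startswith(tagged + "/"):
            match = "SELF_OR_ANCESTOR"
        elif tagged.startswith(resource + "/"):
            match = "DESCENDANT"
        else:
            continue
        for tag in sorted(tags):
            yield tag, match

def authorize(user, access, resource, descendant_tags_allow):
    """Tag policies first, then the resource policy (model assumption).
    descendant_tags_allow=True reproduces the reported behaviour."""
    for tag, match in matched_tags(resource):
        if match == "DESCENDANT" and not descendant_tags_allow:
            continue  # a tag on a child column does not authorize its parent
        if (user, access) in TAG_POLICY.get(tag, set()):
            return Decision(resource, True, "tag:" + tag)
    if (user, access) in RESOURCE_POLICY:
        return Decision(resource, True, "resource")
    return Decision(resource, False, "none")

def scan_emp(descendant_tags_allow):
    """Column-family checks for: scan 'emp' run as test_user."""
    return [authorize("test_user", "read", cf, descendant_tags_allow)
            for cf in ("emp/personal_data", "emp/prof_data")]

if __name__ == "__main__":
    for mode in (True, False):
        for d in scan_emp(mode):
            print(mode, d.resource, "Allowed" if d.allowed else "Denied", d.policy)
```

With `descendant_tags_allow=True` the second record names the OFFICIAL tag policy, as in the report; with `False` both column families are attributed to the resource policy, while direct access to `emp/prof_data/role` is still attributed to the tag policy.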