-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56094/
-----------------------------------------------------------

Review request for ranger.


Repository: ranger


Description
-------

When a user is denied, or excluded from "allowed", the use of "admin-queue", but is allowed the "submit-app", he is actually unable to submit Yarn jobs at all. The reason is found to be that the "implied grants" are indiscriminately incorporated into allow/deny/allow-exception/deny-exception lists.

Actually we need to differentiate two types of implications. The first implication is "equivalent implication". The second is "unequivalent implication". For the "ALL" permission, it is equivalent, meaning that "ALL" implies all the implied permissions together, and vice versa. So DENY "ALL" will rid a user of any and all other permissions. For YARN's implication from "queue-admin" to "submit-app", it's not equivalent. While "queue-admin" implies "submit-app", it is not the other way around; namely, denying "admin-queue" to a user should not deny his "submit-app" permission.

Thus the "implied grants" should not be incorporated from the allow-exception/deny lists if they do not carry the "all" semantics.


Diffs
-----

  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ffb9523
  agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b0d103e
  agents-common/src/test/resources/policyengine/test_policyengine_yarn.json PRE-CREATION

Diff: https://reviews.apache.org/r/56094/diff/


Testing
-------

Regression, manual, and newly added automated tests.


Thanks,

Yan Zhou
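
The distinction drawn in the description, as an added example: a simplified Python model, not Ranger's code and not the patch under review. The service definition, the "all" access type, the policy layout, the rule used to recognise an "equivalent" implication and every function name are assumptions made for illustration.

```python
# Constructed YARN-like service definition (assumed for this example).
ACCESS_TYPES = {"submit-app", "admin-queue", "all"}
IMPLIED_GRANTS = {
    "admin-queue": {"submit-app"},
    "all": {"submit-app", "admin-queue"},
}

def is_equivalent(access):
    """Assumption: an implication is 'equivalent' (carries "all" semantics)
    when the access type implies every other access type of the service."""
    return IMPLIED_GRANTS.get(access, set()) == ACCESS_TYPES - {access}

def expand(accesses, restrictive, discriminate):
    """Return the item's accesses plus their implied grants.
    restrictive: the item sits in the deny or allow-exception list.
    discriminate: False reproduces the indiscriminate expansion reported."""
    out = set(accesses)
    for access in accesses:
        if restrictive and discriminate and not is_equivalent(access):
            continue  # non-equivalent implication must not widen a deny
        out |= IMPLIED_GRANTS.get(access, set())
    return out

def is_allowed(policy, user, access, discriminate=True):
    """Simplified evaluation: deny (minus deny-exceptions) overrides
    allow (minus allow-exceptions)."""
    def hit(list_name, restrictive):
        return any(
            user in item["users"]
            and access in expand(item["accesses"], restrictive, discriminate)
            for item in policy.get(list_name, [])
        )
    denied = hit("deny", True) and not hit("deny_exceptions", False)
    allowed = hit("allow", False) and not hit("allow_exceptions", True)
    return allowed and not denied

# Constructed policies: alice may submit apps but is denied queue administration.
POLICY = {
    "allow": [{"users": {"alice"}, "accesses": {"submit-app"}}],
    "deny": [{"users": {"alice"}, "accesses": {"admin-queue"}}],
}
# Same allow item, but the deny item carries "all" semantics.
DENY_ALL = {
    "allow": [{"users": {"alice"}, "accesses": {"submit-app"}}],
    "deny": [{"users": {"alice"}, "accesses": {"all"}}],
}
```

With `discriminate=False` the deny on "admin-queue" is widened to "submit-app" and alice cannot submit jobs; with the default she can, while a deny on "all" still removes every permission.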