-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68942/
-----------------------------------------------------------

Review request for ranger, Madhan Neethiraj, Nitin Galave, Ramesh Mani, and 
Velmurugan Periasamy.


Bugs: RANGER-2207
    https://issues.apache.org/jira/browse/RANGER-2207


Repository: ranger


Description
-------

In the service definition file, a resource cannot be added to the list of 
dataMaskDef resources without also declaring it as a resource for access 
policies. Plugins should have the flexibility to define a resource for column 
masking policies only.

For example, a plugin may only allow the creation of access policies at the 
table level. Currently, for this plugin to add column masking policies with a 
'column' resource, 'column' would also have to be added to access policies.

This Jira requests the removal of this requirement, or at least the ability to 
hide the resource in access policies.

For a resource, if the value of the "mandatory" attribute is set to false, and 
uiHint is set to "{"hideIfNull": true }", then the GUI will not display the 
resource (provided its value is set to null).

The following is a sample service-definition to illustrate the usage. The 
"column" resource is specified in the resources section as:
        {
            "description": "Hive Column", "isValidLeaf": true, "itemId": 4, "level": 30, "lookupSupported": true,
            "mandatory": false, "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
            "name": "column", "parent": "table", "type": "string", "uiHint": "{ \"hideIfNull\": true }"
        }

It is specified in dataMaskDefs::resources section as:
            { "description": "Hive Column", "isValidLeaf": true, "itemId": 4, "level": 30, "lookupSupported": true,
                "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
                "name": "column", "parent": "table", "type": "string", "uiHint": "{ \"singleValue\":true }"
            }

As a result, the GUI for access policy creation will not display the "column" 
resource, but the GUI for masking policy creation will display it, and the user 
can provide a value for it.

Also note that in the resources section, the "table" resource (parent of 
"column") is specified as being a valid leaf resource.
        {
            "description": "Hive Table", "isValidLeaf": true, "itemId": 2, "level": 20, "lookupSupported": true,
            "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
            "name": "table", "parent": "database", "type": "string"
        },

This is required so that the correct set of default policies is created.

The service-definition for a test component follows. This is closely modeled 
after the Hive component's service-definition.

{
    "name": "test",
    "description": "Test ServiceDef for RANGER-2207",
    "isEnabled": true,
    "options": { "enableDenyAndExceptionsInPolicies": "true" },
    "accessTypes": [
        { "itemId": 1, "name": "select","label": "select" },
        { "itemId": 2, "name": "update","label": "update" },
        { "itemId": 3, "name": "create","label": "create" },
        { "itemId": 4, "name": "drop","label": "drop" },
        { "itemId": 5, "name": "alter","label": "alter" },
        { "itemId": 6, "name": "index","label": "index" },
        { "itemId": 7, "name": "lock","label": "lock" },
        { "impliedGrants": [ "select", "update", "create", "drop", "alter", "index",
                "lock", "read", "write", "repladmin", "serviceadmin" ],
            "itemId": 8, "name": "all","label": "all" },
        { "itemId": 9, "name": "read","label": "read" },
        { "itemId": 10, "name": "write","label": "write" },
        { "itemId": 11, "name": "repladmin","label": "repladmin" },
        { "itemId": 12, "name": "serviceadmin","label": "serviceadmin" },
        { "itemId": 13, "name": "tempudfadmin","label": "tempudfadmin" }
    ],
    "resources": [
        {
            "description": "URL", "isValidLeaf": true, "itemId": 5, "level": 10, "lookupSupported": false,
            "mandatory": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
            "matcherOptions": { "ignoreCase": "false", "wildCard": "true" },
            "name": "url", "recursiveSupported": true, "type": "string"
        },
        {
            "description": "Hive Service", "isValidLeaf": true, "itemId": 6, "level": 10, "lookupSupported": false,
            "mandatory": true, "matcherOptions": { "ignoreCase": "false", "wildCard": "true" },
            "name": "hiveservice", "type": "string"
        },
        {
            "description": "Global", "isValidLeaf": true, "itemId": 7, "level": 10, "lookupSupported": false,
            "mandatory": true, "matcherOptions": { "ignoreCase": "false", "wildCard": "true" },
            "name": "global", "type": "string"
        },
        {
            "description": "Hive Database", "isValidLeaf": false, "itemId": 1, "level": 10, "lookupSupported": true,
            "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
            "name": "database", "type": "string"
        },
        {
            "description": "Hive UDF", "isValidLeaf": true, "itemId": 3, "level": 20, "lookupSupported": true,
            "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
            "name": "udf", "parent": "database", "type": "string" },
        {
            "description": "Hive Table", "isValidLeaf": true, "itemId": 2, "level": 20, "lookupSupported": true,
            "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
            "name": "table", "parent": "database", "type": "string"
        },
        {
            "description": "Hive Column", "isValidLeaf": true, "itemId": 4, "level": 30, "lookupSupported": true,
            "mandatory": false, "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
            "name": "column", "parent": "table", "type": "string", "uiHint": "{ \"hideIfNull\": true }"
        }
    ],
    "dataMaskDef": {
        "resources": [
            { "description": "Hive Database", "isValidLeaf": false, "itemId": 1, "level": 10, "lookupSupported": true,
                "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
                "name": "database", "type": "string", "uiHint": "{ \"singleValue\":true }"
            },
            { "description": "Hive Table", "isValidLeaf": false, "itemId": 2, "level": 20, "lookupSupported": true,
                "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
                "name": "table", "parent": "database", "type": "string", "uiHint": "{ \"singleValue\":true }"
            },
            { "description": "Hive Column", "isValidLeaf": true, "itemId": 4, "level": 30, "lookupSupported": true,
                "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
                "name": "column", "parent": "table", "type": "string", "uiHint": "{ \"singleValue\":true }"
            }
        ],
        "accessTypes": [ { "itemId": 1, "name": "select","label": "select" } ],
        "maskTypes": [
            { "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'", "itemId": 1, "label":"Redact", "name": "MASK", "transformer": "mask({col})" },
            { "description": "Custom", "itemId": 13, "label": "Custom", "name": "CUSTOM" }
        ]
    },
    "rowFilterDef": {
        "resources": [
            { "description": "Hive Database", "isValidLeaf": false, "itemId": 1, "level": 10, "lookupSupported": true,
                "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
                "name": "database", "type": "string", "uiHint": "{ \"singleValue\":true }"
            },
            { "description": "Hive Table", "isValidLeaf": true, "itemId": 2, "level": 20, "lookupSupported": true,
                "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
                "name": "table", "parent": "database", "type": "string", "uiHint": "{ \"singleValue\":true }"
            }
        ],
        "accessTypes": [ { "itemId": 1, "name": "select","label": "select" } ]
    },
    "configs": [
        { "itemId": 1, "label": "Username", "mandatory": true, "name": "username", "type": "string", "uiHint": "" },
        { "itemId": 2, "label": "Password", "mandatory": true, "name": "password", "type": "password", "uiHint": "" },
        { "itemId": 3, "mandatory": false, "name": "jdbc.driverClassName", "type": "string", "uiHint": "" },
        { "itemId": 4, "mandatory": false, "name": "jdbc.url", "type": "string", "uiHint": "" },
        { "itemId": 5, "label": "Common Name for Certificate", "mandatory": false, "name": "commonNameForCertificate", "type": "string", "uiHint": "" }
    ]
}


Diffs
-----

  
  agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3cd7876dd
  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java 6cb55c204
  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefValidator.java 45821e839
  agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java 342b381c7
  agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java f8994a73f
  agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefValidator.java f4e29c7de
  hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java 22ecabf6a
  security-admin/src/main/webapp/scripts/models/BackboneFormDataType.js 1329eb223
  security-admin/src/main/webapp/scripts/utils/XAUtils.js d9366a1a9


Diff: https://reviews.apache.org/r/68942/diff/1/


Testing
-------

Tested with a local VM. Verified that the "column" resource is not displayed 
when creating an access policy, and is displayed when creating a data-mask 
policy. Verified that a default policy is not created for the 
database->table->column hierarchy, but is created for the database->table 
hierarchy.


Thanks,

Abhay Kulkarni
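
Added example, not part of the review request or of Ranger's code base: a small Python check for the configuration described in the Description section. It finds resources hidden from access policies (mandatory false, uiHint hideIfNull true) and flags any whose parent is not a valid leaf in the resources section. The trimmed SERVICE_DEF and the function names are constructed for this illustration.

```python
import json

# Constructed, trimmed-down service definition using the field names from the
# description above; only the fields this check reads are kept.
SERVICE_DEF = {
    "name": "test",
    "resources": [
        {"name": "database", "isValidLeaf": False, "mandatory": True},
        {"name": "table", "parent": "database", "isValidLeaf": True, "mandatory": True},
        {"name": "column", "parent": "table", "isValidLeaf": True, "mandatory": False,
         "uiHint": "{ \"hideIfNull\": true }"},
    ],
    "dataMaskDef": {"resources": [
        {"name": "database", "mandatory": True},
        {"name": "table", "parent": "database", "mandatory": True},
        {"name": "column", "parent": "table", "mandatory": True},
    ]},
}


def is_hidden_in_access_policy(resource):
    """Condition from the description: mandatory=false and uiHint hideIfNull=true.

    uiHint is a JSON document stored inside a JSON string, so it is parsed a
    second time; an empty or absent hint means nothing is hidden.
    """
    raw = (resource.get("uiHint") or "").strip()
    hint = json.loads(raw) if raw else {}
    return not resource.get("mandatory", False) and hint.get("hideIfNull") is True


def audit_hidden_resources(service_def):
    """Return (mask_only, problems) for resources hidden from access policies."""
    by_name = {r["name"]: r for r in service_def.get("resources", [])}
    masked = {r["name"] for r in service_def.get("dataMaskDef", {}).get("resources", [])}
    mask_only, problems = [], []
    for res in by_name.values():
        if not is_hidden_in_access_policy(res):
            continue
        if res["name"] in masked:
            mask_only.append(res["name"])
        # With the child hidden, the hierarchy must be able to end at the parent.
        parent = by_name.get(res.get("parent"))
        if parent is None or not parent.get("isValidLeaf", False):
            problems.append(f"{res['name']}: parent '{res.get('parent')}' is not a valid leaf")
    return mask_only, problems


if __name__ == "__main__":
    print(audit_hidden_resources(SERVICE_DEF))
```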
