-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68942/
-----------------------------------------------------------

Review request for ranger, Madhan Neethiraj, Nitin Galave, Ramesh Mani, and Velmurugan Periasamy.


Bugs: RANGER-2207
    https://issues.apache.org/jira/browse/RANGER-2207


Repository: ranger


Description
-------

In the service definition file, a resource cannot be added to the list of dataMaskDef resources without also declaring it as a resource for access policies. Plugins should have the flexibility to define a resource for column masking policies only. For example, a plugin may only allow the creation of access policies at the table level. Currently, for this plugin to add column masking policies with a 'column' resource, 'column' would also have to be added to access policies. This Jira requests the removal of this requirement, or at least the ability to hide the resource in access policies.

For a resource, if the value of the "mandatory" attribute is set to false, and uiHint is set to "{"hideIfNull": true }", then the GUI will not display the resource (provided its value is set to null).

The following is a sample service-definition to illustrate the usage.

The "column" resource is specified in the resources section as:

    {
      "description": "Hive Column",
      "isValidLeaf": true,
      "itemId": 4,
      "level": 30,
      "lookupSupported": true,
      "mandatory": false,
      "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
      "name": "column",
      "parent": "table",
      "type": "string",
      "uiHint": "{ \"hideIfNull\": true }"
    }

It is specified in the dataMaskDefs::resources section as:

    {
      "description": "Hive Column",
      "isValidLeaf": true,
      "itemId": 4,
      "level": 30,
      "lookupSupported": true,
      "mandatory": true,
      "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
      "name": "column",
      "parent": "table",
      "type": "string",
      "uiHint": "{ \"singleValue\":true }"
    }

As a result, the GUI for access policy creation will not display the "column" resource, but the GUI for masking policy creation will display it, and the user can provide a value for it.

Also note that in the resources section, the "table" resource (parent of "column") is specified as being a valid leaf resource.

    {
      "description": "Hive Table",
      "isValidLeaf": false,
      "itemId": 2,
      "level": 20,
      "lookupSupported": true,
      "mandatory": true,
      "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
      "name": "table",
      "parent": "database",
      "type": "string",
      "uiHint": "{ \"singleValue\":true }"
    },

This is required so that the correct set of default policies is created.

The service-definition for a test component follows. This is closely modeled after the hive component's service-definition.

    {
      "name": "test",
      "description": "Test ServiceDef for RANGER-2207",
      "isEnabled": true,
      "options": { "enableDenyAndExceptionsInPolicies": "true" },
      "accessTypes": [
        { "itemId": 1, "name": "select", "label": "select" },
        { "itemId": 2, "name": "update", "label": "update" },
        { "itemId": 3, "name": "create", "label": "create" },
        { "itemId": 4, "name": "drop", "label": "drop" },
        { "itemId": 5, "name": "alter", "label": "alter" },
        { "itemId": 6, "name": "index", "label": "index" },
        { "itemId": 7, "name": "lock", "label": "lock" },
        {
          "impliedGrants": [
            "select", "update", "create", "drop", "alter", "index",
            "lock", "read", "write", "repladmin", "serviceadmin"
          ],
          "itemId": 8, "name": "all", "label": "all"
        },
        { "itemId": 9, "name": "read", "label": "read" },
        { "itemId": 10, "name": "write", "label": "write" },
        { "itemId": 11, "name": "repladmin", "label": "repladmin" },
        { "itemId": 12, "name": "serviceadmin", "label": "serviceadmin" },
        { "itemId": 13, "name": "tempudfadmin", "label": "tempudfadmin" }
      ],
      "resources": [
        {
          "description": "URL",
          "isValidLeaf": true,
          "itemId": 5,
          "level": 10,
          "lookupSupported": false,
          "mandatory": true,
          "matcher": "org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
          "matcherOptions": { "ignoreCase": "false", "wildCard": "true" },
          "name": "url",
          "recursiveSupported": true,
          "type": "string"
        },
        {
          "description": "Hive Service",
          "isValidLeaf": true,
          "itemId": 6,
          "level": 10,
          "lookupSupported": false,
          "mandatory": true,
          "matcherOptions": { "ignoreCase": "false", "wildCard": "true" },
          "name": "hiveservice",
          "type": "string"
        },
        {
          "description": "Global",
          "isValidLeaf": true,
          "itemId": 7,
          "level": 10,
          "lookupSupported": false,
          "mandatory": true,
          "matcherOptions": { "ignoreCase": "false", "wildCard": "true" },
          "name": "global",
          "type": "string"
        },
        {
          "description": "Hive Database",
          "isValidLeaf": false,
          "itemId": 1,
          "level": 10,
          "lookupSupported": true,
          "mandatory": true,
          "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
          "name": "database",
          "type": "string"
        },
        {
          "description": "Hive UDF",
          "isValidLeaf": true,
          "itemId": 3,
          "level": 20,
          "lookupSupported": true,
          "mandatory": true,
          "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
          "name": "udf",
          "parent": "database",
          "type": "string"
        },
        {
          "description": "Hive Table",
          "isValidLeaf": true,
          "itemId": 2,
          "level": 20,
          "lookupSupported": true,
          "mandatory": true,
          "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
          "name": "table",
          "parent": "database",
          "type": "string"
        },
        {
          "description": "Hive Column",
          "isValidLeaf": true,
          "itemId": 4,
          "level": 30,
          "lookupSupported": true,
          "mandatory": false,
          "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
          "name": "column",
          "parent": "table",
          "type": "string",
          "uiHint": "{ \"hideIfNull\": true }"
        }
      ],
      "dataMaskDef": {
        "resources": [
          {
            "description": "Hive Database",
            "isValidLeaf": false,
            "itemId": 1,
            "level": 10,
            "lookupSupported": true,
            "mandatory": true,
            "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
            "name": "database",
            "type": "string",
            "uiHint": "{ \"singleValue\":true }"
          },
          {
            "description": "Hive Table",
            "isValidLeaf": false,
            "itemId": 2,
            "level": 20,
            "lookupSupported": true,
            "mandatory": true,
            "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
            "name": "table",
            "parent": "database",
            "type": "string",
            "uiHint": "{ \"singleValue\":true }"
          },
          {
            "description": "Hive Column",
            "isValidLeaf": true,
            "itemId": 4,
            "level": 30,
            "lookupSupported": true,
            "mandatory": true,
            "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
            "name": "column",
            "parent": "table",
            "type": "string",
            "uiHint": "{ \"singleValue\":true }"
          }
        ],
        "accessTypes": [
          { "itemId": 1, "name": "select", "label": "select" }
        ],
        "maskTypes": [
          {
            "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'",
            "itemId": 1,
            "label": "Redact",
            "name": "MASK",
            "transformer": "mask({col})"
          },
          {
            "description": "Custom",
            "itemId": 13,
            "label": "Custom",
            "name": "CUSTOM"
          }
        ]
      },
      "rowFilterDef": {
        "resources": [
          {
            "description": "Hive Database",
            "isValidLeaf": false,
            "itemId": 1,
            "level": 10,
            "lookupSupported": true,
            "mandatory": true,
            "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
            "name": "database",
            "type": "string",
            "uiHint": "{ \"singleValue\":true }"
          },
          {
            "description": "Hive Table",
            "isValidLeaf": true,
            "itemId": 2,
            "level": 20,
            "lookupSupported": true,
            "mandatory": true,
            "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
            "name": "table",
            "parent": "database",
            "type": "string",
            "uiHint": "{ \"singleValue\":true }"
          }
        ],
        "accessTypes": [
          { "itemId": 1, "name": "select", "label": "select" }
        ]
      },
      "configs": [
        { "itemId": 1, "label": "Username", "mandatory": true, "name": "username", "type": "string", "uiHint": "" },
        { "itemId": 2, "label": "Password", "mandatory": true, "name": "password", "type": "password", "uiHint": "" },
        { "itemId": 3, "mandatory": false, "name": "jdbc.driverClassName", "type": "string", "uiHint": "" },
        { "itemId": 4, "mandatory": false, "name": "jdbc.url", "type": "string", "uiHint": "" },
        { "itemId": 5, "label": "Common Name for Certificate", "mandatory": false, "name": "commonNameForCertificate", "type": "string", "uiHint": "" }
      ]
    }


Diffs
-----

  agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3cd7876dd
  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java 6cb55c204
  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefValidator.java 45821e839
  agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java 342b381c7
  agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java f8994a73f
  agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefValidator.java f4e29c7de
  hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java 22ecabf6a
  security-admin/src/main/webapp/scripts/models/BackboneFormDataType.js 1329eb223
  security-admin/src/main/webapp/scripts/utils/XAUtils.js d9366a1a9


Diff: https://reviews.apache.org/r/68942/diff/1/


Testing
-------

Tested with a local VM. Verified that the "column" resource is not displayed when creating an access policy, and is displayed when creating a data-mask policy.
Verified that a default policy is not created for the database->table->column hierarchy, but is created for the database->table hierarchy.


Thanks,

Abhay Kulkarni
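
The following is an added example, not part of the review request and not Ranger code: a small reviewer's check that applies the hiding rule stated in the description to a service definition and flags a masking-only resource whose parent is not a valid leaf. The function names and the trimmed sample definition are hypothetical and constructed for illustration; it models only the rule as worded in the request, not Ranger's implementation.

```python
import json

# Constructed, trimmed copy of the "test" service definition from the request.
SERVICE_DEF = {
    "resources": [
        {"name": "database", "isValidLeaf": False, "mandatory": True},
        {"name": "table", "parent": "database", "isValidLeaf": True, "mandatory": True},
        {"name": "column", "parent": "table", "isValidLeaf": True, "mandatory": False,
         "uiHint": "{ \"hideIfNull\": true }"},
    ],
    "dataMaskDef": {"resources": [
        {"name": "database", "isValidLeaf": False, "mandatory": True,
         "uiHint": "{ \"singleValue\":true }"},
        {"name": "table", "parent": "database", "isValidLeaf": False, "mandatory": True,
         "uiHint": "{ \"singleValue\":true }"},
        {"name": "column", "parent": "table", "isValidLeaf": True, "mandatory": True,
         "uiHint": "{ \"singleValue\":true }"},
    ]},
}

def hidden_if_null(res):
    """Rule from the request: mandatory=false plus uiHint {"hideIfNull": true}."""
    hint = json.loads(res.get("uiHint") or "{}")  # uiHint is a JSON string, may be ""
    return not res.get("mandatory", False) and hint.get("hideIfNull") is True

def displayed(resources):
    """Names a policy form would show while the hidden resources are left null."""
    return [r["name"] for r in resources if not hidden_if_null(r)]

def audit(service_def):
    """Hypothetical review checks for resources hidden from access policies."""
    by_name = {r["name"]: r for r in service_def["resources"]}
    mask = {r["name"]: r for r in service_def.get("dataMaskDef", {}).get("resources", [])}
    problems = []
    for res in service_def["resources"]:
        if not hidden_if_null(res):
            continue
        parent = by_name.get(res.get("parent"))
        # The request requires the parent to be a valid leaf in "resources".
        if parent is None or not parent.get("isValidLeaf"):
            problems.append(res["name"] + ": parent is not a valid leaf")
        # A masking-only resource must stay visible in the masking form.
        if res["name"] in mask and hidden_if_null(mask[res["name"]]):
            problems.append(res["name"] + ": also hidden in dataMaskDef")
    return problems

if __name__ == "__main__":
    print("access policy form:", displayed(SERVICE_DEF["resources"]))
    print("masking policy form:", displayed(SERVICE_DEF["dataMaskDef"]["resources"]))
    print("problems:", audit(SERVICE_DEF))
```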