-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68942/#review209488
-----------------------------------------------------------


Ship it!





- Mehul Parikh


On Oct. 10, 2018, 6:48 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68942/
> -----------------------------------------------------------
> 
> (Updated Oct. 10, 2018, 6:48 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Nitin Galave, Ramesh Mani, and 
> Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2207
>     https://issues.apache.org/jira/browse/RANGER-2207
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> In the service definition file, a resource cannot be added to the list of 
> dataMaskDef resources without also declaring it as a resource for access 
> policies. Plugins should have the flexibility to define a resource for column 
> masking policies only.
> 
> For example, a plugin may only allow the creation of access policies at the 
> table level. Currently, for this plugin to add column masking policies with a 
> 'column' resource, 'column' would also have to be added to access policies.
> 
> This Jira requests the removal of this requirement, or at least the ability 
> to hide the resource in access policies.
> 
> For a resource, if the value of the "mandatory" attribute is set to false, and 
> uiHint is set to "{"hideIfNull": true }", then the GUI will not display the 
> resource (provided its value is set to null).
> 
> Following is a sample service-definition to illustrate the usage. "column" 
> resource is specified in resources section as:
>         {
>             "description": "Hive Column", "isValidLeaf": true, "itemId": 4, "level": 30, "lookupSupported": true,
>             "mandatory": false, "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
>             "name": "column", "parent": "table", "type": "string", "uiHint": "{ \"hideIfNull\": true }"
>         }
> 
> It is specified in dataMaskDefs::resources section as:
>             { "description": "Hive Column", "isValidLeaf": true, "itemId": 4, "level": 30, "lookupSupported": true,
>                 "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
>                 "name": "column", "parent": "table", "type": "string", "uiHint": "{ \"singleValue\":true }"
>             }
> 
> As a result, GUI for access policy creation will not display "column" 
> resource, but GUI for masking policy creation will display it, and user can 
> provide value for it.
> 
> Also note that in resources section, "table" resource (parent of "column") 
> is specified as being a valid leaf resource.
>             { "description": "Hive Table", "isValidLeaf": true, "itemId": 2, "level": 20, "lookupSupported": true,
>                 "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
>                 "name": "table", "parent": "database", "type": "string"
>             },
> 
> This is required so that the correct set of default policies is created.
> 
> Service-definition for a test component follows. This is closely modeled 
> after hive component's service-definition.
> 
> {
>     "name": "test",
>     "description": "Test ServiceDef for RANGER-2207",
>     "isEnabled": true,
>     "options": { "enableDenyAndExceptionsInPolicies": "true" },
>     "accessTypes": [
>         { "itemId": 1, "name": "select","label": "select" },
>         { "itemId": 2, "name": "update","label": "update" },
>         { "itemId": 3, "name": "create","label": "create" },
>         { "itemId": 4, "name": "drop","label": "drop" },
>         { "itemId": 5, "name": "alter","label": "alter" },
>         { "itemId": 6, "name": "index","label": "index" },
>         { "itemId": 7, "name": "lock","label": "lock" },
>         { "impliedGrants": [ "select", "update", "create", "drop", "alter", "index",
>                 "lock", "read", "write", "repladmin", "serviceadmin" ],
>             "itemId": 8, "name": "all","label": "all" },
>         { "itemId": 9, "name": "read","label": "read" },
>         { "itemId": 10, "name": "write","label": "write" },
>         { "itemId": 11, "name": "repladmin","label": "repladmin" },
>         { "itemId": 12, "name": "serviceadmin","label": "serviceadmin" },
>         { "itemId": 13, "name": "tempudfadmin","label": "tempudfadmin" }
>     ],
>     "resources": [
>         {
>             "description": "URL", "isValidLeaf": true, "itemId": 5, "level": 10, "lookupSupported": false,
>             "mandatory": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
>             "matcherOptions": { "ignoreCase": "false", "wildCard": "true" },
>             "name": "url", "recursiveSupported": true, "type": "string"
>         },
>         {
>             "description": "Hive Service", "isValidLeaf": true, "itemId": 6, "level": 10, "lookupSupported": false,
>             "mandatory": true, "matcherOptions": { "ignoreCase": "false", "wildCard": "true" },
>             "name": "hiveservice", "type": "string"
>         },
>         {
>             "description": "Global", "isValidLeaf": true, "itemId": 7, "level": 10, "lookupSupported": false,
>             "mandatory": true, "matcherOptions": { "ignoreCase": "false", "wildCard": "true" },
>             "name": "global", "type": "string"
>         },
>         {
>             "description": "Hive Database", "isValidLeaf": false, "itemId": 1, "level": 10, "lookupSupported": true,
>             "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
>             "name": "database", "type": "string"
>         },
>         {
>             "description": "Hive UDF", "isValidLeaf": true, "itemId": 3, "level": 20, "lookupSupported": true,
>             "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
>             "name": "udf", "parent": "database", "type": "string" },
>         {
>             "description": "Hive Table", "isValidLeaf": true, "itemId": 2, "level": 20, "lookupSupported": true,
>             "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
>             "name": "table", "parent": "database", "type": "string"
>         },
>         {
>             "description": "Hive Column", "isValidLeaf": true, "itemId": 4, "level": 30, "lookupSupported": true,
>             "mandatory": false, "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
>             "name": "column", "parent": "table", "type": "string", "uiHint": "{ \"hideIfNull\": true }"
>         }
>     ],
>     "dataMaskDef": {
>         "resources": [
>             { "description": "Hive Database", "isValidLeaf": false, "itemId": 1, "level": 10, "lookupSupported": true,
>               "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
>                 "name": "database", "type": "string", "uiHint": "{ \"singleValue\":true }"
>             },
>             { "description": "Hive Table", "isValidLeaf": false, "itemId": 2, "level": 20, "lookupSupported": true,
>               "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
>                 "name": "table", "parent": "database", "type": "string", "uiHint": "{ \"singleValue\":true }"
>             },
>             { "description": "Hive Column", "isValidLeaf": true, "itemId": 4, "level": 30, "lookupSupported": true,
>               "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
>                 "name": "column", "parent": "table", "type": "string", "uiHint": "{ \"singleValue\":true }"
>             }
>         ],
>         "accessTypes": [ { "itemId": 1, "name": "select","label": "select" } ],
>         "maskTypes": [
>             { "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'", "itemId": 1, "label":"Redact", "name": "MASK", "transformer": "mask({col})" },
>             { "description": "Custom", "itemId": 13, "label": "Custom", "name": "CUSTOM" }
>         ]
>     },
>     "rowFilterDef": {
>         "resources": [
>             { "description": "Hive Database", "isValidLeaf": false, "itemId": 1, "level": 10, "lookupSupported": true,
>                 "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
>                 "name": "database", "type": "string", "uiHint": "{ \"singleValue\":true }"
>             },
>             { "description": "Hive Table", "isValidLeaf": true, "itemId": 2, "level": 20, "lookupSupported": true,
>                 "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
>                 "name": "table", "parent": "database", "type": "string", "uiHint": "{ \"singleValue\":true }"
>             }
>         ],
>         "accessTypes": [ { "itemId": 1, "name": "select","label": "select" } ]
>     },
>     "configs": [
>         { "itemId": 1, "label": "Username", "mandatory": true, "name": "username", "type": "string", "uiHint": "" },
>         { "itemId": 2, "label": "Password", "mandatory": true, "name": "password", "type": "password", "uiHint": "" },
>         { "itemId": 3, "mandatory": false, "name": "jdbc.driverClassName", "type": "string", "uiHint": "" },
>         { "itemId": 4, "mandatory": false, "name": "jdbc.url", "type": "string", "uiHint": "" },
>         { "itemId": 5, "label": "Common Name for Certificate", "mandatory": false, "name": "commonNameForCertificate", "type": "string", "uiHint": "" }
>     ]
> }
> 
> 
> Diffs
> -----
> 
>   
>   agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3cd7876dd 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java 6cb55c204 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefValidator.java 45821e839 
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java 342b381c7 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java f8994a73f 
>   agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefValidator.java f4e29c7de 
>   hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java 22ecabf6a 
>   security-admin/src/main/webapp/scripts/models/BackboneFormDataType.js 1329eb223 
>   security-admin/src/main/webapp/scripts/utils/XAUtils.js d9366a1a9 
> 
> 
> Diff: https://reviews.apache.org/r/68942/diff/2/
> 
> 
> Testing
> -------
> 
> Tested with a local VM. Verified that "column" resource is not displayed when 
> creating access policy, and displayed when creating data-mask policy. 
> Verified that default policy is not created for database->table->column 
> hierarchy, but is created for database->table hierarchy.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>
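
An added example, not part of the review request or of Ranger's code: a Python check over a service definition that applies the hide rule described in the quoted request (mandatory false plus a uiHint with hideIfNull) and flags a hidden resource whose parent is not a valid leaf. The function names, the trimmed sample, and the rule that every dataMaskDef resource must still be declared under resources are assumptions of this example.

```python
import json

# Constructed sample: a trimmed copy of the "test" service definition quoted above.
SAMPLE = json.loads(r"""
{
  "name": "test",
  "resources": [
    {"name": "database", "isValidLeaf": false, "mandatory": true},
    {"name": "table", "parent": "database", "isValidLeaf": true, "mandatory": true},
    {"name": "column", "parent": "table", "isValidLeaf": true, "mandatory": false,
     "uiHint": "{ \"hideIfNull\": true }"}
  ],
  "dataMaskDef": {"resources": [
    {"name": "database", "mandatory": true, "uiHint": "{ \"singleValue\":true }"},
    {"name": "table", "parent": "database", "mandatory": true},
    {"name": "column", "parent": "table", "mandatory": true}
  ]}
}
""")

def ui_hint(res):
    """uiHint holds JSON encoded as a string; missing or empty means no hints."""
    raw = (res.get("uiHint") or "").strip()
    return json.loads(raw) if raw else {}

def hidden_in_access_form(res):
    """Rule from the description: optional resource whose uiHint sets hideIfNull."""
    return res.get("mandatory") is False and ui_hint(res).get("hideIfNull") is True

def access_form_resources(sdef):
    """Names of resources a new access policy would still display."""
    return [r["name"] for r in sdef["resources"] if not hidden_in_access_form(r)]

def lint(sdef):
    """Return findings for hidden resources and for undeclared mask resources."""
    by_name = {r["name"]: r for r in sdef["resources"]}
    findings = []
    for res in sdef["resources"]:
        if hidden_in_access_form(res):
            parent = by_name.get(res.get("parent"))
            # The parent must be a valid leaf so policies can stop at that level.
            if parent is None or not parent.get("isValidLeaf"):
                findings.append(f"{res['name']}: hidden, but parent is not a valid leaf")
    for res in sdef.get("dataMaskDef", {}).get("resources", []):
        if res["name"] not in by_name:  # assumption: still declared under resources
            findings.append(f"{res['name']}: in dataMaskDef but not in resources")
    return findings

if __name__ == "__main__":
    print(access_form_resources(SAMPLE))
    print(lint(SAMPLE))
```
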
