-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69703/
-----------------------------------------------------------

(Updated Jan. 25, 2019, 5:51 p.m.)


Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.


Changes
-------

Rebased with master.


Bugs: RANGER-2232
    https://issues.apache.org/jira/browse/RANGER-2232


Repository: ranger


Description
-------

This is to introduce a new abstraction in Apache Ranger that would allow carving/bucketing of resources in a service into multiple zones, for better administration of security policies. This would enable multiple administrators to set up security policies for a service, based on the zones to which they have been granted administration rights.

For example, let us consider 2 security zones ‘finance’ and ‘sales’:

- Security zone ‘finance’ includes all contents in Hive database named ‘finance’
- Security zone ‘sales’ includes all contents in ‘sales’ database
- Set of users and groups are designated as administrators of each zone
- Users are allowed to set up policies only in zones in which they are administrators
- Policies defined in a zone are applicable only for resources of the zone

A zone can be extended to include resources from multiple services like HDFS, Hive, HBase, Kafka, .., allowing administrators of a zone to set up policies for resources owned by their organization across multiple services.

Audit logs will include name of the zone in which the accessed resource resides. Only users having appropriate permissions on the security zone can view its audit logs.


Diffs (updated)
-----

  agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java 329e2f0b7
  agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 8d71851e8
  agents-audit/src/main/java/org/apache/ranger/audit/provider/solr/SolrAuditProvider.java 26633fd6e
  agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java b8da19215
  agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 9b9ccd112
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java c2185a7f1
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java b56b8dd4b
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZone.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java ddedf3e17
  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java 51324b093
  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerZoneResourceMatcher.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java 891749d03
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 8e7844f5d
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java e6c0e5a94
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ab26d41d6
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java f64e773ac
  agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java c1b29d3fa
  agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java b898d292c
  agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 7221f6b15
  agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java 7446df604
  agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZonePredicateUtil.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZoneStore.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java 9924cb4c4
  agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java f4fe58993
  agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java efb27aafa
  agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 33f82dd34
  agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java 1ae3fc387
  agents-common/src/test/java/org/apache/ranger/plugin/model/TestRangerPolicyResourceSignature.java 38c425dc6
  agents-common/src/test/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidatorTest.java PRE-CREATION
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java 74293fb4a
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java ddb6d9b82
  knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java 814aedd20
  plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java 07921a99a
  plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java d89b46787
  security-admin/contrib/solr_for_audit_setup/conf/managed-schema 6c87af7cf
  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 9af2c8f57
  security-admin/db/mysql/patches/037-create-security-zone-schema.sql PRE-CREATION
  security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql eaa0b4f43
  security-admin/db/oracle/patches/037-create-security-zone-schema.sql PRE-CREATION
  security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 2ed8cb02c
  security-admin/db/postgres/patches/037-create-security-zone-schema.sql PRE-CREATION
  security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql c8a3ba14a
  security-admin/db/sqlanywhere/patches/037-create-security-zone-schema.sql PRE-CREATION
  security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 230c50b02
  security-admin/db/sqlserver/patches/037-create-security-zone-schema.sql PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java 36a7b4bfa
  security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneRefUpdater.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java f2d61d348
  security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 88b8f8db3
  security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 032e5f0da
  security-admin/src/main/java/org/apache/ranger/common/RangerConstants.java 88509a618
  security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 7b0fd8766
  security-admin/src/main/java/org/apache/ranger/common/RangerValidatorFactory.java 4b149e4ec
  security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 5cecef14c
  security-admin/src/main/java/org/apache/ranger/db/XXGlobalStateDao.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java b4f868709
  security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefGroupDao.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefResourceDao.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefUserDao.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/entity/XXGlobalState.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/entity/XXGlobalStateBase.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/entity/XXPolicyBase.java e441ec0e5
  security-admin/src/main/java/org/apache/ranger/entity/XXPolicyExportAudit.java 1545e047d
  security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZone.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneBase.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefGroup.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefResource.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefService.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefUser.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/patch/PatchAssignSecurityZonePersmissionToAdmin_J10026.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java 50dc17826
  security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 0b854d0d7
  security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java b2213ed76
  security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java 08baf8907
  security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 6ab12adcb
  security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneService.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneServiceBase.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/service/RangerTagDefService.java 10c73f0d2
  security-admin/src/main/java/org/apache/ranger/service/RangerTagService.java 2fa883096
  security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java 4c8ed83b6
  security-admin/src/main/java/org/apache/ranger/service/XAssetService.java 132879a63
  security-admin/src/main/java/org/apache/ranger/service/XAuditMapService.java 09fd963d4
  security-admin/src/main/java/org/apache/ranger/service/XGroupService.java 3009d36c2
  security-admin/src/main/java/org/apache/ranger/service/XPermMapService.java 866448465
  security-admin/src/main/java/org/apache/ranger/service/XPolicyExportAuditServiceBase.java a25cfc17f
  security-admin/src/main/java/org/apache/ranger/service/XResourceService.java b3e7bd7d7
  security-admin/src/main/java/org/apache/ranger/service/XTrxLogService.java e940df250
  security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java 7f3d0c70d
  security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoServiceBase.java 78e4c57ac
  security-admin/src/main/java/org/apache/ranger/service/XUserService.java fbc37d642
  security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java 593634ba6
  security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java f6689c168
  security-admin/src/main/java/org/apache/ranger/view/VXPolicyExportAudit.java ce5a21e06
  security-admin/src/main/resources/META-INF/jpa_named_queries.xml be51592ec
  security-admin/src/main/webapp/images/defult_zone.png PRE-CREATION
  security-admin/src/main/webapp/scripts/collection_bases/RangerZoneListBase.js PRE-CREATION
  security-admin/src/main/webapp/scripts/collections/RangerZoneList.js PRE-CREATION
  security-admin/src/main/webapp/scripts/controllers/Controller.js 92dac6abc
  security-admin/src/main/webapp/scripts/model_bases/RangerZoneBase.js PRE-CREATION
  security-admin/src/main/webapp/scripts/models/RangerPolicy.js e406e1810
  security-admin/src/main/webapp/scripts/models/RangerPolicyResource.js 853e62b38
  security-admin/src/main/webapp/scripts/models/RangerServiceDef.js d008f40b3
  security-admin/src/main/webapp/scripts/models/RangerZone.js PRE-CREATION
  security-admin/src/main/webapp/scripts/modules/XALinks.js 060ab364c
  security-admin/src/main/webapp/scripts/modules/globalize/message/en.js 34e3387c8
  security-admin/src/main/webapp/scripts/routers/Router.js c8391e6ec
  security-admin/src/main/webapp/scripts/utils/XAEnums.js ea8054571
  security-admin/src/main/webapp/scripts/utils/XAGlobals.js 7b1b1b560
  security-admin/src/main/webapp/scripts/utils/XAUtils.js d85dc7aee
  security-admin/src/main/webapp/scripts/views/DownloadServicePolicy.js 8f9dfe50a
  security-admin/src/main/webapp/scripts/views/UploadServicePolicy.js 62a1fcff2
  security-admin/src/main/webapp/scripts/views/common/TopNav.js 0f4a70896
  security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 9588fb75d
  security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js 6c0cf3641
  security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 3a6a59efe
  security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js 90ad83ebe
  security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 8a8e94a0f
  security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 886815d84
  security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js e9ce7d483
  security-admin/src/main/webapp/scripts/views/security_zone/SecurityZone.js PRE-CREATION
  security-admin/src/main/webapp/scripts/views/security_zone/ZoneAdministration.js PRE-CREATION
  security-admin/src/main/webapp/scripts/views/security_zone/ZoneCreate.js PRE-CREATION
  security-admin/src/main/webapp/scripts/views/security_zone/ZoneCreateForm.js PRE-CREATION
  security-admin/src/main/webapp/scripts/views/security_zone/ZoneResourceForm.js PRE-CREATION
  security-admin/src/main/webapp/scripts/views/security_zone/zoneResource.js PRE-CREATION
  security-admin/src/main/webapp/styles/xa.css c601d54af
  security-admin/src/main/webapp/templates/common/ServiceManagerLayout_tmpl.html d4d19a606
  security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 31a9c2656
  security-admin/src/main/webapp/templates/helpers/XAHelpers.js 9e2c02b04
  security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html b7666f926
  security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html 6566d53e8
  security-admin/src/main/webapp/templates/reports/ZoneOperationDiff_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/reports/ZoneUpdateOperationDiff_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/security_zone/SecurityZone_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/security_zone/ZoneAdministration_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/security_zone/ZoneCreateForm_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/security_zone/ZoneCreate_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/security_zone/ZoneResourceForm_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/security_zone/ZoneResourceItem_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/security_zone/ZoneResourceList_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/security_zone/ZoneResourcesForm_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/security_zone/ZoneResources_tmpl.html PRE-CREATION
  security-admin/src/main/webapp/templates/service/ServiceCreate_tmpl.html dff0b666c
  security-admin/src/test/java/org/apache/ranger/biz/TestSecurityZoneDBStore.java PRE-CREATION
  security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java 8054d1e2e
  security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java PRE-CREATION
  security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 0196e24a0
  storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java 88ea05e9d


Diff: https://reviews.apache.org/r/69703/diff/4/

Changes: https://reviews.apache.org/r/69703/diff/3-4/


Testing
-------

Tested with a local VM, for CRUD of security zones, creation of policies for a security zone and access evaluation for a resource within a specific security zone in the Hive plugin.


Thanks,

Abhay Kulkarni
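
A simplified model of the zone rules listed in the description, added here as an illustration; it is not Ranger code from this review request. The class and function names, the dotted Hive resource naming, and the separate `auditors` set are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Zone:
    name: str
    admins: set      # users allowed to set up policies in this zone
    auditors: set    # users allowed to view this zone's audit logs (assumed field)
    resources: dict  # service name -> resource roots, e.g. {"hive": ["finance"]}

@dataclass
class Policy:
    zone: str
    service: str
    resource: str
    users: set
    access: str

def covers(root, resource):
    # "finance" covers "finance" and "finance.ledger", but not "finance_tmp"
    return resource == root or resource.startswith(root + ".")

def zone_of(zones, service, resource):
    for z in zones:
        if any(covers(r, resource) for r in z.resources.get(service, [])):
            return z.name
    return None  # resource does not belong to any zone

def create_policy(zones, policies, actor, policy):
    zone = next((z for z in zones if z.name == policy.zone), None)
    if zone is None or actor not in zone.admins:
        raise PermissionError(f"{actor} is not an administrator of zone {policy.zone!r}")
    if zone_of(zones, policy.service, policy.resource) != zone.name:
        raise ValueError(f"{policy.resource!r} is outside zone {zone.name!r}")
    policies.append(policy)

def evaluate(zones, policies, audits, user, service, resource, access):
    zone = zone_of(zones, service, resource)  # only this zone's policies apply
    allowed = any(p.zone == zone and p.service == service and p.access == access
                  and user in p.users and covers(p.resource, resource) for p in policies)
    audits.append({"user": user, "resource": resource, "zone": zone, "allowed": allowed})
    return allowed

def visible_audits(zones, audits, viewer):
    readable = {z.name for z in zones if viewer in z.auditors}
    return [a for a in audits if a["zone"] in readable]

# Constructed sample data mirroring the 'finance' and 'sales' zones in the description.
ZONES = [Zone("finance", {"alice"}, {"alice"}, {"hive": ["finance"]}),
         Zone("sales", {"bob"}, {"bob"}, {"hive": ["sales"]})]
```
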