Ship it! Ship It! - Madhan Neethiraj On Jan. 27, 2019, 12:10 a.m., Abhay Kulkarni wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/69703/ > ----------------------------------------------------------- > > (Updated Jan. 27, 2019, 12:10 a.m.) > > > Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin > Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan > Periasamy. > > > Bugs: RANGER-2232 > https://issues.apache.org/jira/browse/RANGER-2232 > > > Repository: ranger > > > Description > ------- > > This is to introduce a new abstraction in Apache Ranger that would allow > carving/bucketing of resources in a service into multiple zones, for better > administration of security policies. This would enable multiple > administrators to set up security policies for a service – based on the zones > to which they have been granted administration rights. > > For example, let us consider 2 security zones ‘finance’ and ‘sales’: > > Security zone ‘finance’ includes all contents in the Hive database named > ‘finance’ > Security zone ‘sales’ includes all contents in the ‘sales’ database > A set of users and groups is designated as administrators of each zone > Users are allowed to set up policies only in zones in which they are > administrators > Policies defined in a zone are applicable only for resources of the zone > A zone can be extended to include resources from multiple services like HDFS, > Hive, HBase, Kafka, .., allowing administrators of a zone to set up policies > for resources owned by their organization across multiple services. > Audit logs will include the name of the zone in which the accessed resource > resides. Only users having appropriate permissions on the security zone can > view its audit logs. 
> > > Diffs > ----- > > > agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java > 329e2f0b7 > > agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java > 8d71851e8 > > agents-audit/src/main/java/org/apache/ranger/audit/provider/solr/SolrAuditProvider.java > 26633fd6e > > agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java > b8da19215 > > agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java > 9b9ccd112 > > agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java > c2185a7f1 > > agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java > b56b8dd4b > > agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZone.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java > ddedf3e17 > > agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java > 51324b093 > > agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerZoneResourceMatcher.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java > 891749d03 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java > 8e7844f5d > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java > e6c0e5a94 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java > ab26d41d6 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java > f64e773ac > > agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java > c1b29d3fa > > 
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java > b898d292c > > agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java > 7221f6b15 > > agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java > 7446df604 > > agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZonePredicateUtil.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZoneStore.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java > 9924cb4c4 > > agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java > f4fe58993 > > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java > efb27aafa > agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java > 33f82dd34 > > agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java > 1ae3fc387 > > agents-common/src/test/java/org/apache/ranger/plugin/model/TestRangerPolicyResourceSignature.java > 38c425dc6 > > agents-common/src/test/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidatorTest.java > PRE-CREATION > > hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java > 74293fb4a > > plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java > d89b46787 > security-admin/contrib/solr_for_audit_setup/conf/managed-schema 6c87af7cf > security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql > 9af2c8f57 > security-admin/db/mysql/patches/037-create-security-zone-schema.sql > PRE-CREATION > security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql > eaa0b4f43 > security-admin/db/oracle/patches/037-create-security-zone-schema.sql > PRE-CREATION > security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql > 2ed8cb02c > 
security-admin/db/postgres/patches/037-create-security-zone-schema.sql > PRE-CREATION > > security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql > c8a3ba14a > security-admin/db/sqlanywhere/patches/037-create-security-zone-schema.sql > PRE-CREATION > security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql > 230c50b02 > security-admin/db/sqlserver/patches/037-create-security-zone-schema.sql > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java > 36a7b4bfa > security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneRefUpdater.java > PRE-CREATION > security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java > f2d61d348 > security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 88b8f8db3 > security-admin/src/main/java/org/apache/ranger/common/AppConstants.java > 032e5f0da > security-admin/src/main/java/org/apache/ranger/common/RangerConstants.java > 88509a618 > security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java > 7b0fd8766 > > security-admin/src/main/java/org/apache/ranger/common/RangerValidatorFactory.java > 4b149e4ec > security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java > 5cecef14c > security-admin/src/main/java/org/apache/ranger/db/XXGlobalStateDao.java > PRE-CREATION > security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java > b4f868709 > security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefGroupDao.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefResourceDao.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefUserDao.java 
> PRE-CREATION > security-admin/src/main/java/org/apache/ranger/entity/XXGlobalState.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/entity/XXGlobalStateBase.java > PRE-CREATION > security-admin/src/main/java/org/apache/ranger/entity/XXPolicyBase.java > e441ec0e5 > > security-admin/src/main/java/org/apache/ranger/entity/XXPolicyExportAudit.java > 1545e047d > security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZone.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneBase.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefGroup.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefResource.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefService.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefUser.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/patch/PatchAssignSecurityZonePersmissionToAdmin_J10026.java > PRE-CREATION > security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java > 50dc17826 > security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java > PRE-CREATION > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java > 0b854d0d7 > > security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java > b2213ed76 > > security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java > 08baf8907 > > security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java > 6ab12adcb > > security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneService.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneServiceBase.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/service/RangerTagDefService.java > 10c73f0d2 > > 
security-admin/src/main/java/org/apache/ranger/service/RangerTagService.java > 2fa883096 > > security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java > 4c8ed83b6 > security-admin/src/main/java/org/apache/ranger/service/XAssetService.java > 132879a63 > > security-admin/src/main/java/org/apache/ranger/service/XAuditMapService.java > 09fd963d4 > security-admin/src/main/java/org/apache/ranger/service/XGroupService.java > 3009d36c2 > security-admin/src/main/java/org/apache/ranger/service/XPermMapService.java > 866448465 > > security-admin/src/main/java/org/apache/ranger/service/XPolicyExportAuditServiceBase.java > a25cfc17f > > security-admin/src/main/java/org/apache/ranger/service/XResourceService.java > b3e7bd7d7 > security-admin/src/main/java/org/apache/ranger/service/XTrxLogService.java > e940df250 > > security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java > 7f3d0c70d > > security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoServiceBase.java > 78e4c57ac > security-admin/src/main/java/org/apache/ranger/service/XUserService.java > fbc37d642 > > security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java > 593634ba6 > security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java > f6689c168 > > security-admin/src/main/java/org/apache/ranger/view/VXPolicyExportAudit.java > ce5a21e06 > security-admin/src/main/resources/META-INF/jpa_named_queries.xml be51592ec > security-admin/src/main/webapp/images/defult_zone.png PRE-CREATION > > security-admin/src/main/webapp/scripts/collection_bases/RangerZoneListBase.js > PRE-CREATION > security-admin/src/main/webapp/scripts/collections/RangerZoneList.js > PRE-CREATION > security-admin/src/main/webapp/scripts/controllers/Controller.js 92dac6abc > security-admin/src/main/webapp/scripts/model_bases/RangerZoneBase.js > PRE-CREATION > security-admin/src/main/webapp/scripts/models/RangerPolicy.js e406e1810 > 
security-admin/src/main/webapp/scripts/models/RangerPolicyResource.js > 853e62b38 > security-admin/src/main/webapp/scripts/models/RangerServiceDef.js d008f40b3 > security-admin/src/main/webapp/scripts/models/RangerZone.js PRE-CREATION > security-admin/src/main/webapp/scripts/modules/XALinks.js 060ab364c > security-admin/src/main/webapp/scripts/modules/globalize/message/en.js > 34e3387c8 > security-admin/src/main/webapp/scripts/routers/Router.js c8391e6ec > security-admin/src/main/webapp/scripts/utils/XAEnums.js ea8054571 > security-admin/src/main/webapp/scripts/utils/XAGlobals.js 7b1b1b560 > security-admin/src/main/webapp/scripts/utils/XAUtils.js d85dc7aee > security-admin/src/main/webapp/scripts/views/DownloadServicePolicy.js > 8f9dfe50a > security-admin/src/main/webapp/scripts/views/UploadServicePolicy.js > 62a1fcff2 > security-admin/src/main/webapp/scripts/views/common/TopNav.js 0f4a70896 > security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js > 9588fb75d > security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js > 6c0cf3641 > security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js > 3a6a59efe > > security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js > 90ad83ebe > security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js > 8a8e94a0f > security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js > 886815d84 > security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js > e9ce7d483 > security-admin/src/main/webapp/scripts/views/security_zone/SecurityZone.js > PRE-CREATION > > security-admin/src/main/webapp/scripts/views/security_zone/ZoneAdministration.js > PRE-CREATION > security-admin/src/main/webapp/scripts/views/security_zone/ZoneCreate.js > PRE-CREATION > > security-admin/src/main/webapp/scripts/views/security_zone/ZoneCreateForm.js > PRE-CREATION > > security-admin/src/main/webapp/scripts/views/security_zone/ZoneResourceForm.js > 
PRE-CREATION > security-admin/src/main/webapp/scripts/views/security_zone/zoneResource.js > PRE-CREATION > security-admin/src/main/webapp/styles/xa.css c601d54af > > security-admin/src/main/webapp/templates/common/ServiceManagerLayout_tmpl.html > d4d19a606 > security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 31a9c2656 > security-admin/src/main/webapp/templates/helpers/XAHelpers.js 9e2c02b04 > > security-admin/src/main/webapp/templates/policies/RangerPolicyForm_tmpl.html > b7666f926 > security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html > 6566d53e8 > > security-admin/src/main/webapp/templates/reports/ZoneOperationDiff_tmpl.html > PRE-CREATION > > security-admin/src/main/webapp/templates/reports/ZoneUpdateOperationDiff_tmpl.html > PRE-CREATION > > security-admin/src/main/webapp/templates/security_zone/SecurityZone_tmpl.html > PRE-CREATION > > security-admin/src/main/webapp/templates/security_zone/ZoneAdministration_tmpl.html > PRE-CREATION > > security-admin/src/main/webapp/templates/security_zone/ZoneCreateForm_tmpl.html > PRE-CREATION > security-admin/src/main/webapp/templates/security_zone/ZoneCreate_tmpl.html > PRE-CREATION > > security-admin/src/main/webapp/templates/security_zone/ZoneResourceForm_tmpl.html > PRE-CREATION > > security-admin/src/main/webapp/templates/security_zone/ZoneResourceItem_tmpl.html > PRE-CREATION > > security-admin/src/main/webapp/templates/security_zone/ZoneResourceList_tmpl.html > PRE-CREATION > > security-admin/src/main/webapp/templates/security_zone/ZoneResourcesForm_tmpl.html > PRE-CREATION > > security-admin/src/main/webapp/templates/security_zone/ZoneResources_tmpl.html > PRE-CREATION > > security-admin/src/test/java/org/apache/ranger/biz/TestSecurityZoneDBStore.java > PRE-CREATION > security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java > 8054d1e2e > > security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java > PRE-CREATION > 
security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java > 0196e24a0 > > > Diff: https://reviews.apache.org/r/69703/diff/5/ > > > Testing > ------- > > Tested with a local VM, for CRUD of security zones, creation of policies for > a security zone and access evaluation for a resource within specific security > zone in hive plugin. > > > Thanks, > > Abhay Kulkarni > >