> On May 11, 2019, 7:10 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java
> > Lines 944 (patched)
> > <https://reviews.apache.org/r/70629/diff/1/?file=2144531#file2144531line944>
> >
> >     Do we have small window where the roles could be empty and it could affect during multi-thread environment?
>
> Abhay Kulkarni wrote:
>     I don't think so. Are you suggesting concurrent updates to policy may lead to inconsistent policy state? If so, one of the transactions will be aborted when attempting to persist changes to database.

I meant, while the policies are getting updated, a request for authorization, is it possible the list will be empty?

- Don Bosco

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70629/#review215198
-----------------------------------------------------------

On May 14, 2019, 1:55 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70629/
> -----------------------------------------------------------
>
> (Updated May 14, 2019, 1:55 a.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2414
>     https://issues.apache.org/jira/browse/RANGER-2414
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Current Ranger policy model supports authorization/column-masking/row-filtering for users/user-groups based on various criteria like accessed-resource, resource-classifications, IP-address and custom conditions. Given the wide-spread use of role-based authorization in traditional enterprise applications (like RDBMS, J2EE), it will be very useful for Ranger policy model to support 'roles' i.e. to be able to specify authorization/column-masking/row-filtering for roles as well - in addition to existing support for users and user-groups.
>
> This patch provides an initial implementation of support for roles in Ranger.
>
>
> Diffs
> -----
>
>   agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 28db58cd9
>   agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 5e2c49211
>   agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3111037ff
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 3cf509d7c
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 990aab0c9
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java 9ed500c50
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 365edcf35
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java eafbde246
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java a57b39827
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 45231e739
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java 47b4921ad
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 5400f71c4
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java a6e24c609
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java 5a18226fe
>   agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java c20ccded6
>   agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java e22249ac6
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java cbd2cb012
>   agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerPolicyValidator.java 2c1de4eb8
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java e92a2e658
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 5a47ba401
>   agents-common/src/test/resources/policyengine/test_aclprovider_default.json b4c4def85
>   agents-common/src/test/resources/policyengine/test_policyengine_with_roles.json PRE-CREATION
>   hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java f204c15c0
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuditHandler.java bf4d6c1ea
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 769afb56a
>   security-admin/db/mysql/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 9a9e36b09
>   security-admin/db/oracle/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql df4201d89
>   security-admin/db/postgres/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql a2d413743
>   security-admin/db/sqlanywhere/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 1f3ccbf5d
>   security-admin/db/sqlserver/patches/041-create-role-schema.sql PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 921dc3736
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java f48a80387
>   security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 35dc9405b
>   security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 039e4e8d5
>   security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 979fd6543
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 5d513bd8b
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleRefGroupDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleRefUserDao.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXPolicyRefRole.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRole.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleBase.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefGroup.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefRole.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/entity/XXRoleRefUser.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 734faef3a
>   security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3ff763c71
>   security-admin/src/main/java/org/apache/ranger/service/RangerPolicyServiceBase.java 3e1a8e1bf
>   security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/service/RangerRoleServiceBase.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/view/RangerRoleList.java PRE-CREATION
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1c9
>   security-admin/src/main/webapp/scripts/collection_bases/VXRoleListBase.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/collections/VXRoleList.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/controllers/Controller.js c4a0b58df
>   security-admin/src/main/webapp/scripts/model_bases/VXRoleBase.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/models/VXRole.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/modules/XALinks.js ab0fe7a23
>   security-admin/src/main/webapp/scripts/modules/globalize/message/en.js a9287450c
>   security-admin/src/main/webapp/scripts/routers/Router.js f60e03c21
>   security-admin/src/main/webapp/scripts/utils/XAEnums.js c6956eafb
>   security-admin/src/main/webapp/scripts/utils/XAUtils.js 18e86c9cc
>   security-admin/src/main/webapp/scripts/views/policies/PermissionList.js 0c3824bad
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 8f23e84d3
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js a1a1311aa
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyRO.js 1af54e18a
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js c18cfaa08
>   security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 18dba7ace
>   security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js 4a73c3215
>   security-admin/src/main/webapp/scripts/views/users/RoleCreate.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/views/users/RoleForm.js PRE-CREATION
>   security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 45b672caf
>   security-admin/src/main/webapp/styles/xa.css 6ae646dfc
>   security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 22df5cb8b
>   security-admin/src/main/webapp/templates/policies/PermissionItem.html d2b401d05
>   security-admin/src/main/webapp/templates/policies/PermissionList.html 9972d4885
>   security-admin/src/main/webapp/templates/policies/RangerPolicyRO_tmpl.html e76ad21e4
>   security-admin/src/main/webapp/templates/reports/RoleOperationDiff_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/reports/RoleUpdateOperationDiff_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/users/RoleCreate_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/users/RoleForm_tmpl.html PRE-CREATION
>   security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html d99b3b453
>   security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ac9af5eb4
>
>
> Diff: https://reviews.apache.org/r/70629/diff/2/
>
>
> Testing
> -------
>
> - Role CRUD
> - Policy Updates to add/remove roles
> - Logic to authorize access with roles
> - Tracking Service versions with role updates
>
>
> Thanks,
>
> Abhay Kulkarni
>
>