-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72577/#review221006
-----------------------------------------------------------


agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Line 178 (original), 179 (patched)
<https://reviews.apache.org/r/72577/#comment309768>

It doesn't seem necessary to look at children zones. Please review.


security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
Line 158 (original), 159 (patched)
<https://reviews.apache.org/r/72577/#comment309767>

For consistency, consider having 'zoneName' argument next to 'resource' argument - see #83 above.


security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
Line 1288 (original), 1288 (patched)
<https://reviews.apache.org/r/72577/#comment309764>

Grant/revoke clients may not know of the zone to which the resource belongs. In such cases (zoneName == null), the grant/revoke API implementation should find the zone in which the resource resides, and create/update the policy in that zone. If multiple zones match for a given resource (for example, children of the resources are different zones), then grant/revoke should be applied on the unzoned policy - which will cover the parent resource as a whole.

Please review other places that use zoneName from grant/revoke request for above.


- Madhan Neethiraj


On June 15, 2020, 5:50 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72577/
> -----------------------------------------------------------
>
> (Updated June 15, 2020, 5:50 p.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2858
>     https://issues.apache.org/jira/browse/RANGER-2858
>
>
> Repository: ranger
>
>
> Description
> -------
>
> When a user has permissions on a few of the databases in security zone policies, the "show databases" command is expected to list databases on which the user has some permission in any security zone(s). However, the command fails authorization. Furthermore, the command "use <database>", where <database> is the name of a database where the user has some access in any security zone, succeeds.
>
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java e6de06fa7
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java fdec9caab
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java 0930e2cf7
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java a6ea48d14
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 29c3604d1
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 1b5aa9e2d
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 1bdee86d3
>
>
> Diff: https://reviews.apache.org/r/72577/diff/2/
>
>
> Testing
> -------
>
> Created two security zones containing different databases with one zone having Ranger policy to provide access to a table contained in that zone.
>
> Verified that 'show databases' command listed correct database which allowed some access to the contained table.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
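
The zone-selection rule from the ServiceREST.java review comment above, sketched as an added example; it is not code from the patch or from Apache Ranger. The class, method names, sample zones and the path-prefix matching are all hypothetical, and sending a resource that only has children in a single zone to the unzoned policy is an assumption of this sketch.

```java
import java.util.*;

// Added illustration, not Apache Ranger code; every name here is hypothetical.
public class GrantZoneResolver {
    static final String UNZONED = ""; // assumption: empty name means the unzoned policy set

    // Constructed sample data: zone name -> resources ("db" or "db/table") in that zone.
    static final Map<String, List<String>> ZONES = Map.of(
        "finance", List.of("sales_db", "shared_db/ledger"),
        "hr",      List.of("people_db", "shared_db/payroll"));

    // True when 'ancestor' equals 'resource' or sits above it in the hierarchy.
    static boolean covers(String ancestor, String resource) {
        return resource.equals(ancestor) || resource.startsWith(ancestor + "/");
    }

    // Zone whose policy a grant/revoke request should create or update.
    static String resolveZone(String requestedZone, String resource) {
        if (requestedZone != null) {
            return requestedZone; // the client named the zone explicitly
        }
        Set<String> containing = new TreeSet<>(); // zones the resource resides in
        Set<String> related = new TreeSet<>();    // those, plus zones owning a child of it
        for (Map.Entry<String, List<String>> zone : ZONES.entrySet()) {
            for (String zoneResource : zone.getValue()) {
                if (covers(zoneResource, resource)) {
                    containing.add(zone.getKey());
                    related.add(zone.getKey());
                } else if (covers(resource, zoneResource)) {
                    related.add(zone.getKey());
                }
            }
        }
        // Exactly one zone is involved and the resource resides in it: use that zone.
        // No zone, several zones, or children-only matches: use the unzoned policy.
        boolean unambiguous = related.size() == 1 && containing.size() == 1;
        return unambiguous ? containing.iterator().next() : UNZONED;
    }

    public static void main(String[] args) {
        for (String r : List.of("sales_db/orders", "shared_db", "scratch_db")) {
            String zone = resolveZone(null, r);
            System.out.println(r + " -> " + (zone.isEmpty() ? "(unzoned)" : zone));
        }
    }
}
```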
