-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73032/#review222239
-----------------------------------------------------------

agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
Lines 159 (patched)
<https://reviews.apache.org/r/73032/#comment311288>

    Consider alternate approach, by creating following context in RangerPolicyAdminImpl, and send to this method:

    public class WildcardContext extends HashMap<String, Object> {
        private static final String WILDCARD_ASTERISK = "*";

        public WildcardContext() {
            put(WILDCARD_ASTERISK, WILDCARD_ASTERISK);
        }

        // always return WILDCARD_ASTERISK
        @Override
        public Object get(Object key) {
            return WILDCARD_ASTERISK;
        }
    }


security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
Lines 3589 (patched)
<https://reviews.apache.org/r/73032/#comment311287>

    Consider moving evalContext creation to #3537 i.e. before entering this for-loop.


- Madhan Neethiraj


On Nov. 25, 2020, 7:49 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73032/
> -----------------------------------------------------------
>
> (Updated Nov. 25, 2020, 7:49 p.m.)
>
>
> Review request for ranger and Madhan Neethiraj.
>
>
> Bugs: RANGER-3082
>     https://issues.apache.org/jira/browse/RANGER-3082
>
>
> Repository: ranger
>
>
> Description
> -------
>
> When macros like {USER} are used in resource names, users with
> delegated-admin are unable to set up policies.
>
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java 3250719de
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java f3e0dab2f
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 14b626df6
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java a22027a46
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e011c0bf5
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 6fc0abf4b
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 39869d385
>
>
> Diff: https://reviews.apache.org/r/73032/diff/2/
>
>
> Testing
> -------
>
> Passed all unit tests. Tested by creating delegated-admin policies with
> {USER} embedded in resource name and ensured the designated user can set up
> policy with macro in the resource name expanded with designated user's name.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
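
Added example (not part of the review thread and not Ranger code): a minimal Java sketch of how a macro such as {USER} in a resource name resolves against an ordinary per-user context versus the WildcardContext proposed in the comment above. The expandMacros helper, its regex and the sample values are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class WildcardContextDemo {
    // Context as suggested in the review comment: every get() yields "*".
    static class WildcardContext extends HashMap<String, Object> {
        private static final String WILDCARD_ASTERISK = "*";
        WildcardContext() { put(WILDCARD_ASTERISK, WILDCARD_ASTERISK); }
        @Override public Object get(Object key) { return WILDCARD_ASTERISK; }
    }

    private static final Pattern MACRO = Pattern.compile("\\{([A-Za-z_]+)\\}");

    // Hypothetical stand-in for macro expansion (not Ranger's implementation):
    // replaces each {NAME} with context.get(NAME); unknown macros stay as written.
    static String expandMacros(String resource, Map<String, Object> context) {
        Matcher m = MACRO.matcher(resource);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            Object value = context.get(m.group(1));
            String text = value != null ? value.toString() : m.group(0);
            m.appendReplacement(out, Matcher.quoteReplacement(text));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        String resource = "/user/{USER}/data";   // constructed sample resource name

        // Ordinary evaluation context: the macro resolves to one concrete user.
        Map<String, Object> perUser = new HashMap<>();
        perUser.put("USER", "alice");            // constructed sample user
        System.out.println(expandMacros(resource, perUser));

        // Wildcard context: any macro resolves to "*", whichever name it uses.
        Map<String, Object> wildcard = new WildcardContext();
        System.out.println(expandMacros(resource, wildcard));

        // Only get() is overridden; HashMap's other lookups do not go through it.
        System.out.println(wildcard.containsKey("USER"));
        System.out.println(wildcard.getOrDefault("USER", "unset"));
    }
}
```

Because only get() is overridden, containsKey() and getOrDefault() still consult the entries actually stored in the map, so code that consumes such a context has to read values through get() to see the wildcard.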
