-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73212/#review222812
-----------------------------------------------------------


agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json
Line 100 (original), 100 (patched)
<https://reviews.apache.org/r/73212/#comment311992>

    Following accessTypes are not applicable to 'entity' resource anymore; they are only applicable to the new resource 'classification'. Please remove them from here.
     - entity-add-classification
     - entity-update-classification
     - entity-remove-classification


security-admin/src/main/java/org/apache/ranger/patch/PatchAtlasForClassificationResource_J10047.java
Lines 217 (patched)
<https://reviews.apache.org/r/73212/#comment311993>

    Only policies having following resource hierarchy need to be looked into:
     - entity-type/entity-classification/entity

    Other policies can be skipped. Consider adding a check here.


security-admin/src/main/java/org/apache/ranger/patch/PatchAtlasForClassificationResource_J10047.java
Lines 225 (patched)
<https://reviews.apache.org/r/73212/#comment311994>

    This is a smart approach to clone the policy - good work! Please consider following updates:
     - policy.getName() + CLASSIFICATION: introduce a hyphen as separator for easier readability
         policy.getName() + " - " + CLASSIFICATION
     - set following policy fields to null:
       - id, guid, version, createTime, updateTime, resourceSignature
     - is resourceSignature computation (#234, #235) needed here? Doesn't svcStore.createPolicy() handle this?


- Madhan Neethiraj


On April 4, 2021, 5:39 p.m., Nixon Rodrigues wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73212/
> -----------------------------------------------------------
>
> (Updated April 4, 2021, 5:39 p.m.)
>
>
> Review request for ranger, Jayendra Parab, Madhan Neethiraj, Ramesh Mani,
> Sarath Subramanian, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3195
>     https://issues.apache.org/jira/browse/RANGER-3195
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Requirement :- The new requirement is to provide a way to authorize who can
> Add/Remove/Update Classification for an entity even if the entities on which
> classification have to be applied do not have classifications already tagged
> to it.
>
> Solution:-
>
>
> This will require changes on Ranger Atlas service definition to introduce a
> new resource "*classifications*" in entity authz model called classifications
> at level 40 [4th level], with the new classifications resource ranger
> authorizer will check the classification exist in policy for that
> add/update/remove classification request to authorize.
>
>
> Diffs
> -----
>
>   agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json 4ce7ec991
>   plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java 79ef60465
>   plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java c13633ad2
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 7179dc998
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 40917cdf4
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql ba9eb0157
>   security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 371846f1e
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 90004ec77
>   security-admin/src/main/java/org/apache/ranger/patch/PatchAtlasForClassificationResource_J10047.java PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/73212/diff/5/
>
>
> Testing
> -------
>
> Tested Atlas with Ranger authorization with entities for add, update,
> add-classification, remove-classification, update-classification events.
>
>
> Thanks,
>
> Nixon Rodrigues
>
>