> On Jan. 9, 2023, 4:31 a.m., Ramesh Mani wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
> > Lines 67 (patched)
> > <https://reviews.apache.org/r/74270/diff/5/?file=2273658#file2273658line67>
> >
> > Does the _ALL in the MARKER ACCESSTYPE include hive:tempudfadmin?
> > In the Hive plugin we avoid having the ALL permission give an impliedGrant to
> > hive:tempudfadmin for security reasons. Hive users need exclusive
> > permission to create temp UDFs.
> > Should the _ALL in MARKER ACCESS TYPE be handled in the same way?
@Ramesh - _ALL includes every access-type defined in the service-def; it's a shortcut that replaces the need to add individual permissions in a policy. This will be of immense help especially in tag-based policies, where a service could be added after a tag-based policy is created. Excluding specific permissions like hive:tempudfadmin can be done with exceptions in policies. Does this address the concern?

- Madhan


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74270/#review225074
-----------------------------------------------------------


On Jan. 9, 2023, 12:13 a.m., Madhan Neethiraj wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74270/
> -----------------------------------------------------------
>
> (Updated Jan. 9, 2023, 12:13 a.m.)
>
>
> Review request for ranger, Ankita Sinha, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, Subhrat Chaudhary, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-4035
>     https://issues.apache.org/jira/browse/RANGER-4035
>
>
> Repository: ranger
>
>
> Description
> -------
>
> - added field AccessTypeDef.category, which can be set to one of the following: CREATE/READ/UPDATE/DELETE/MANAGE
> - added field RangerServiceDef.markerAccessTypes, which will be populated by Ranger admin with the following entries, containing impliedGrants as per the category specified in RangerServiceDef.accessTypes:
>   -- _CREATE
>   -- _READ
>   -- _UPDATE
>   -- _DELETE
>   -- _MANAGE
> - RangerServiceDef.markerAccessTypes will include _ALL, with all RangerServiceDef.accessTypes as impliedGrants
>
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java 05dde4edf
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java e1b5fe8f1
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java 4e287f9a4
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java d47be1404
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAuditPolicyEvaluator.java 1c46f184c
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 55752e79c
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java fe1cf9244
>   agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerValidator.java 6114225ca
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java eb3d0ff46
>   agents-common/src/test/java/org/apache/ranger/plugin/util/ServiceDefUtilTest.java 3cd42f44f
>   agents-common/src/test/resources/policyengine/test_policyengine_marker_access_types.json PRE-CREATION
>   agents-common/src/test/resources/test_servicedef-normalize.json PRE-CREATION
>   intg/src/main/python/apache_ranger/model/ranger_service_def.py 3fd90f706
>   security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 6cc3509d8
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 6b9604817
>   security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java 656bc0184
>
>
> Diff: https://reviews.apache.org/r/74270/diff/5/
>
>
> Testing
> -------
>
> - added unit tests to validate authorization with policies having marker access-types
> - verified policy can be created with marker accessTypes via REST API call
> - verified that plugins enforce built-in marker access-types referenced in policies
> - verified that older-version plugins continue to enforce policies for regular access-types, i.e. non-marker access-types
> - TODO: policy UI to include permissions listed in RangerServiceDef.markerAccessTypes
>
>
> Thanks,
>
> Madhan Neethiraj
>
>
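The marker-access-type derivation described in the review request, together with the exception-based exclusion Madhan suggests for hive:tempudfadmin, as an added Python example that is not Ranger's own code: the Hive access-type categories and the policy are constructed for illustration, and `is_allowed` is a deliberately simplified evaluator (allow items and allow-exceptions only), not Ranger's policy engine.

```python
CATEGORIES = ("CREATE", "READ", "UPDATE", "DELETE", "MANAGE")

# Constructed service-def fragment. The category assigned to each Hive
# access-type here is an assumption for the example, not Ranger's definition.
HIVE_ACCESS_TYPES = [
    {"name": "select", "category": "READ"},
    {"name": "create", "category": "CREATE"},
    {"name": "update", "category": "UPDATE"},
    {"name": "drop", "category": "DELETE"},
    {"name": "tempudfadmin", "category": "MANAGE"},
]

def build_marker_access_types(access_types):
    """Return _CREATE/_READ/_UPDATE/_DELETE/_MANAGE entries whose impliedGrants
    are the access-types of that category, plus _ALL implying every access-type."""
    implied = {"_" + c: [] for c in CATEGORIES}
    for at in access_types:
        if at.get("category") in CATEGORIES:
            implied["_" + at["category"]].append(at["name"])
    implied["_ALL"] = [at["name"] for at in access_types]
    return [{"name": n, "impliedGrants": g} for n, g in implied.items()]

def expand(accesses, markers):
    """Replace marker access-types in a policy item by their impliedGrants."""
    implied = {m["name"]: set(m["impliedGrants"]) for m in markers}
    expanded = set()
    for access in accesses:
        expanded |= implied.get(access, {access})
    return expanded

def is_allowed(user, access, policy, markers):
    """Grant only if an allow item covers the access after marker expansion and
    no allow-exception for that user carves it back out (deny by default)."""
    def matches(items):
        return any(user in i["users"] and access in expand(i["accesses"], markers)
                   for i in items)
    return matches(policy["allowPolicyItems"]) and not matches(policy["allowExceptions"])

# Constructed policy: grant _ALL to "analyst" but exclude tempudfadmin via an
# allow-exception, the pattern suggested in the reply above.
POLICY = {
    "allowPolicyItems": [{"users": ["analyst"], "accesses": ["_ALL"]}],
    "allowExceptions": [{"users": ["analyst"], "accesses": ["tempudfadmin"]}],
}

if __name__ == "__main__":
    MARKERS = build_marker_access_types(HIVE_ACCESS_TYPES)
    print({a: is_allowed("analyst", a, POLICY, MARKERS) for a in ("select", "tempudfadmin")})
```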