[
https://issues.apache.org/jira/browse/RANGER-4122?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
KyrieG updated RANGER-4122:
---------------------------
Description:
# Reorganize authorization logic
Recently when I was sorting out the authorization logic of ranger admin, I saw
confusion.
For example: At ServiceREST I saw the following, similar logic been implemented
in a distributed fasion.
!image-2023-03-05-22-16-17-927.png!
!image-2023-03-05-22-17-00-698.png!!image-2023-03-05-22-17-35-210.png!
# I think these method should be in the same class for easy maintainance. A
Better way is to create a new class for authorization logic instead of putting
everythiong into bizUtil because it's responsible for many thing.
# To sum up, I want to put these method into A new class named
"RangerAuthorizationHelper".
{quote}RangerBizUtil.isUserAllowed
RangerBizUtil.checkAdminAccess
RangerBizUtil.isUserRangerAdmin
RangerBizUtil.isUserServiceAdmin
RoleREST.userIsSrvAdmOrSrvUser
svcStore.isServiceAdminUser
XUserMgr.hasAccessToModule
RangerBizUtil.hasModuleAccess
RoleDBStore.ensureRoleAccess
RangerBizUtil.blockAuditorRoleUser
... and many.
{quote}
was:
# Reorganize authorization logic
Recently when I was sorting out the authorization logic of ranger admin, I saw
confusion.
For example: At ServiceREST I saw the following, similar logic been implemented
in a distributed fasion.
![[Pasted image 20230305134707.png]]
![[Pasted image 20230305134449.png]]
![[Pasted image 20230305140346.png]]
![[Pasted image 20230305141025.png]]
I think these method should be in the same class for easy maintainance. A
Better way is to create a new class for authorization logic instead of putting
everythiong into bizUtil because it's responsible for many thing.
To sum up, I want to put these method into A new class named
"RangerAuthorizationHelper".
RangerBizUtil.isUserAllowed
RangerBizUtil.checkAdminAccess
RangerBizUtil.isUserRangerAdmin
RangerBizUtil.isUserServiceAdmin
RoleREST.userIsSrvAdmOrSrvUser
svcStore.isServiceAdminUser
XUserMgr.hasAccessToModule
RangerBizUtil.hasModuleAccess
RoleDBStore.ensureRoleAccess
RangerBizUtil.blockAuditorRoleUser
... and many.
> [RangerAdmin] Reorganize authorization check logic
> --------------------------------------------------
>
> Key: RANGER-4122
> URL: https://issues.apache.org/jira/browse/RANGER-4122
> Project: Ranger
> Issue Type: Improvement
> Components: admin
> Affects Versions: 2.3.0
> Reporter: KyrieG
> Priority: Major
> Fix For: 2.4.0
>
> Attachments: Pasted image 20230305134707 1.png,
> image-2023-03-05-22-16-17-927.png, image-2023-03-05-22-17-00-698.png,
> image-2023-03-05-22-17-35-210.png
>
>
> # Reorganize authorization logic
> Recently when I was sorting out the authorization logic of ranger admin, I
> saw confusion.
> For example: At ServiceREST I saw the following, similar logic been
> implemented in a distributed fasion.
> !image-2023-03-05-22-16-17-927.png!
> !image-2023-03-05-22-17-00-698.png!!image-2023-03-05-22-17-35-210.png!
> # I think these method should be in the same class for easy maintainance. A
> Better way is to create a new class for authorization logic instead of
> putting everythiong into bizUtil because it's responsible for many thing.
> # To sum up, I want to put these method into A new class named
> "RangerAuthorizationHelper".
> {quote}RangerBizUtil.isUserAllowed
> RangerBizUtil.checkAdminAccess
> RangerBizUtil.isUserRangerAdmin
> RangerBizUtil.isUserServiceAdmin
> RoleREST.userIsSrvAdmOrSrvUser
> svcStore.isServiceAdminUser
> XUserMgr.hasAccessToModule
> RangerBizUtil.hasModuleAccess
> RoleDBStore.ensureRoleAccess
> RangerBizUtil.blockAuditorRoleUser
> ... and many.
> {quote}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
