> On Jan. 10, 2024, 7:46 p.m., Abhay Kulkarni wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java > > Lines 394 (patched) > > <https://reviews.apache.org/r/74825/diff/1/?file=2284689#file2284689line394> > > > > If there are many resource-evaluators, this will return false. Is that > > expected? Please review.
yes this is expected, same is done for exact match also. > On Jan. 10, 2024, 7:46 p.m., Abhay Kulkarni wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java > > Lines 403 (patched) > > <https://reviews.apache.org/r/74825/diff/1/?file=2284691#file2284691line403> > > > > Is the null check for the resourceValue needed here? In both cases, it > > is executing the same logic (lines 404 and 406. Please review. > > > > Please consider if line 406 needs to be > > > > ret = matcher == null && matcher.isSomeMatch( resourceValue, > > evalContext); This condition work as required, so no change needed. Suggetion will result in NPE. > On Jan. 10, 2024, 7:46 p.m., Abhay Kulkarni wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java > > Lines 276 (patched) > > <https://reviews.apache.org/r/74825/diff/1/?file=2284693#file2284693line279> > > > > Please review if this condition is correct. The first part of the > > condition may not be needed. > > > > Can this condition be replaced with > > > > ret = policyValues.containsAny(resValues); > > > > ? policyValues is a List, so will use isPolicyResourceContains(policyValues, resValues) method - Ramesh ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/74825/#review226124 ----------------------------------------------------------- On Jan. 17, 2024, 8:32 a.m., Ramesh Mani wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/74825/ > ----------------------------------------------------------- > > (Updated Jan. 17, 2024, 8:32 a.m.) > > > Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, > Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan > Periasamy. > > > Bugs: RANGER-4638 > https://issues.apache.org/jira/browse/RANGER-4638 > > > Repository: ranger > > > Description > ------- > > RANGER-4638:Multiple Columns Revoke not generating policies with correct > number of columns > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java > 7fe2a2eb3 > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java > 0a14b387a > > agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java > f16157ce6 > > agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java > e1cd89b70 > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java > 5eee8d11a > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java > ec22e01bf > > agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceisCompleteOrSomeMatchMatcher.java > PRE-CREATION > > agents-common/src/test/resources/resourcematcher/test_defaultpolicyresource_isCompleteOrSomeMatch_matcher.json > PRE-CREATION > security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java > 15a1e7118 > > security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java > 84ee31ba2 > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java > cc9df27d6 > security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java > 60e34c0c7 > security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java > a630e575b > > > Diff: https://reviews.apache.org/r/74825/diff/2/ > > > Testing > ------- > > Impala / Hive beeline. > > 1) "grant select(col1, col2, col3) on table demo.test to role Role1" => > Create a Grant Policy for the given resource in Hadoop Sql > > > 2) "grant select(col1, col2, col3, col4) on table demo.test to role Role1" > => updates the policy created in #1 with new col4 resource > > if "revoke select(col1, col2, col3, col4) on table demo.test from role > Role1" is done => Since all the columns are revoked for Select, we update the > policy created in #1 with no policy Item for it. > if "revoke select(col1, col2, col3) on table demo.test from role Role1" > is done => policy created in #1 will be updated to remove col1,col2,col3 from > the policy to revoke the access. > > 3) If "revoke select(col1, col2, col3, col4) on table demo.test from role > Role1" found 2 Matching polcies, say 1st policy matched col1,col2,col3 and > 2nd Policy matched col4, then both the policies will be updated for revoking > the corresponding column access. > > 4) When Multiple Premission are there on the policy and revoke is to remove > one permission, then the policy will be updated by removing the revoked > permission. > Grant select on table demo.test to role Role1 > Grant Alter on table demo.test to role Role1 > Revoke alter table demo.test to role Role1 > > > > HBASE shell > > grant 'nifi', 'RWXCA', 'test' => create policy with 'RWXCA' access for user > nifi on table 'test'. > > > revoke 'nifi', 'test' => revoke access for user "nifi" on hbase table 'test'. > Here policy will be removed. > > > Thanks, > > Ramesh Mani > >
