-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74825/#review226146
-----------------------------------------------------------

security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
Line 435 (original), 435 (patched)
<https://reviews.apache.org/r/74825/#comment314428>

    If rangerAccessRequest contains exactly the same resource(s) specified in the GrantRevokeRequest, the call to getLikelyMatchPolicyEvaluators() will not get all potentially matching policies. Please see if the resource to be searched needs to be one level higher in the hierarchy. (If the resource in GrantRevokeRequest is a column, then the argument to getLikelyMatchPolicyEvaluators needs to be the table(s) in which the columns may appear.) Please review.

security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
Lines 1282 (patched)
<https://reviews.apache.org/r/74825/#comment314427>

    This code (and at line 1399) seems to process only the first policy in the list of complete or partially matched policies. Elsewhere (line 1602) all policies are processed. Please review.

security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
Line 968 (original), 946 (patched)
<https://reviews.apache.org/r/74825/#comment314429>

    grantResources ==> revokeResources? or getRevokedResources() => getGrantedResources()?

security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java
Lines 1032 (patched)
<https://reviews.apache.org/r/74825/#comment314430>

    Is the test for the sizes of the policyResources and revokedResources necessary? Only exclusion seems to be when the sizes of these collections are equal. Please review.

- Abhay Kulkarni

On Jan. 17, 2024, 8:32 a.m., Ramesh Mani wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74825/
> -----------------------------------------------------------
>
> (Updated Jan. 17, 2024, 8:32 a.m.)
>
>
> Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-4638
>     https://issues.apache.org/jira/browse/RANGER-4638
>
>
> Repository: ranger
>
>
> Description
> -------
>
> RANGER-4638: Multiple Columns Revoke not generating policies with correct number of columns
>
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 7fe2a2eb3
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 0a14b387a
>   agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java f16157ce6
>   agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java e1cd89b70
>   agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java 5eee8d11a
>   agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java ec22e01bf
>   agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceisCompleteOrSomeMatchMatcher.java PRE-CREATION
>   agents-common/src/test/resources/resourcematcher/test_defaultpolicyresource_isCompleteOrSomeMatch_matcher.json PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 15a1e7118
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 84ee31ba2
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java cc9df27d6
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java 60e34c0c7
>   security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java a630e575b
>
>
> Diff: https://reviews.apache.org/r/74825/diff/2/
>
>
> Testing
> -------
>
> Impala / Hive beeline.
>
> 1) "grant select(col1, col2, col3) on table demo.test to role Role1" => Create a Grant Policy for the given resource in Hadoop Sql
>
> 2) "grant select(col1, col2, col3, col4) on table demo.test to role Role1" => updates the policy created in #1 with new col4 resource
>
>    if "revoke select(col1, col2, col3, col4) on table demo.test from role Role1" is done => Since all the columns are revoked for Select, we update the policy created in #1 with no policy Item for it.
>    if "revoke select(col1, col2, col3) on table demo.test from role Role1" is done => policy created in #1 will be updated to remove col1,col2,col3 from the policy to revoke the access.
>
> 3) If "revoke select(col1, col2, col3, col4) on table demo.test from role Role1" found 2 Matching policies, say 1st policy matched col1,col2,col3 and 2nd Policy matched col4, then both the policies will be updated for revoking the corresponding column access.
>
> 4) When Multiple Permissions are there on the policy and revoke is to remove one permission, then the policy will be updated by removing the revoked permission.
>      Grant select on table demo.test to role Role1
>      Grant Alter on table demo.test to role Role1
>      Revoke alter table demo.test to role Role1
>
>
> HBASE shell
>
> grant 'nifi', 'RWXCA', 'test' => create policy with 'RWXCA' access for user nifi on table 'test'.
>
> revoke 'nifi', 'test' => revoke access for user "nifi" on hbase table 'test'. Here policy will be removed.
>
>
> Thanks,
>
> Ramesh Mani
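
The revoke cases from the Testing section above, together with the review comment about handling only the first matching policy, as an added example that is not part of the original e-mail and is not Apache Ranger code. It is a simplified Python model: `Policy`, `revoke_columns`, `residual_access` and `scenario` are hypothetical names, and the sample policies are constructed.

```python
# Simplified model of column-level grant/revoke; not Apache Ranger code.
# Policy, revoke_columns, residual_access and scenario are hypothetical names.
from dataclasses import dataclass, field

@dataclass
class Policy:
    table: str
    columns: set  # columns covered by the policy resource
    items: dict = field(default_factory=dict)  # grantee -> set of access types

def revoke_columns(policies, table, columns, grantee, access, first_only=False):
    """Revoke access; first_only=True stops after the first matching policy."""
    updated = []
    for p in policies:
        overlap = p.columns & set(columns)
        granted = access in p.items.get(grantee, set())
        if p.table != table or not overlap or not granted:
            continue
        if overlap == p.columns:
            # All columns of this policy revoked: drop the access type, and
            # the policy item once it has no access types left.
            p.items[grantee].discard(access)
            if not p.items[grantee]:
                del p.items[grantee]
        else:
            # Partial match: narrow the resource (assumes one grantee and
            # one access type per policy, as in the Testing scenarios).
            p.columns -= overlap
        updated.append(p)
        if first_only:
            break
    return updated

def residual_access(policies, table, columns, grantee, access):
    """Columns from `columns` that some policy still grants to `grantee`."""
    left = set()
    for p in policies:
        if p.table == table and access in p.items.get(grantee, set()):
            left |= p.columns & set(columns)
    return left

def scenario(first_only):
    # Constructed data mirroring case 3 of the Testing section.
    policies = [Policy("demo.test", {"col1", "col2", "col3"}, {"Role1": {"select"}}),
                Policy("demo.test", {"col4"}, {"Role1": {"select"}})]
    cols = ["col1", "col2", "col3", "col4"]
    revoke_columns(policies, "demo.test", cols, "Role1", "select", first_only)
    return residual_access(policies, "demo.test", cols, "Role1", "select")
```

With `first_only=True` the model leaves `col4` granted after the revoke, which is the residual access a post-revoke check over all matching policies would flag.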