> On Jan. 18, 2024, 6:12 p.m., Abhay Kulkarni wrote: > > security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java > > Line 435 (original), 435 (patched) > > <https://reviews.apache.org/r/74825/diff/1-2/?file=2284698#file2284698line435> > > > > If rangerAccessRequest contains exactly the same resource(s) specified > > in the GrantRevokeRequest, the call to getLikeMatchPolicyEvaluators() will > > not get all potentially matching policies. Please see if the resource to be > > searched needs to be one-level higher in the hierarchy. (if the resource in > > GrantRevokeRequest is a column, then the argument to > > getLikelyMatchPolicyEvaluators need to be the table(s) in which the columns > > may appear). Please review.
Verified that it worked as expected by return multiple policies. - Ramesh ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/74825/#review226146 ----------------------------------------------------------- On Jan. 19, 2024, 9:14 a.m., Ramesh Mani wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/74825/ > ----------------------------------------------------------- > > (Updated Jan. 19, 2024, 9:14 a.m.) > > > Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, > Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan > Periasamy. > > > Bugs: RANGER-4638 > https://issues.apache.org/jira/browse/RANGER-4638 > > > Repository: ranger > > > Description > ------- > > RANGER-4638:Multiple Columns Revoke not generating policies with correct > number of columns > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java > 7fe2a2eb3 > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java > 0a14b387a > > agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java > f16157ce6 > > agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java > e1cd89b70 > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java > 5eee8d11a > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java > ec22e01bf > > agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceisCompleteOrSomeMatchMatcher.java > PRE-CREATION > > agents-common/src/test/resources/resourcematcher/test_defaultpolicyresource_isCompleteOrSomeMatch_matcher.json > PRE-CREATION > security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java > 15a1e7118 > > security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java > 84ee31ba2 > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java > cc9df27d6 > security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java > 60e34c0c7 > security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java > a630e575b > > > Diff: https://reviews.apache.org/r/74825/diff/4/ > > > Testing > ------- > > Impala / Hive beeline. > > 1) "grant select(col1, col2, col3) on table demo.test to role Role1" => > Create a Grant Policy for the given resource in Hadoop Sql > > > 2) "grant select(col1, col2, col3, col4) on table demo.test to role Role1" > => updates the policy created in #1 with new col4 resource > > if "revoke select(col1, col2, col3, col4) on table demo.test from role > Role1" is done => Since all the columns are revoked for Select, we update the > policy created in #1 with no policy Item for it. > if "revoke select(col1, col2, col3) on table demo.test from role Role1" > is done => policy created in #1 will be updated to remove col1,col2,col3 from > the policy to revoke the access. > > 3) If "revoke select(col1, col2, col3, col4) on table demo.test from role > Role1" found 2 Matching polcies, say 1st policy matched col1,col2,col3 and > 2nd Policy matched col4, then both the policies will be updated for revoking > the corresponding column access. > > 4) When Multiple Premission are there on the policy and revoke is to remove > one permission, then the policy will be updated by removing the revoked > permission. > Grant select on table demo.test to role Role1 > Grant Alter on table demo.test to role Role1 > Revoke alter table demo.test to role Role1 > > > > HBASE shell > > grant 'nifi', 'RWXCA', 'test' => create policy with 'RWXCA' access for user > nifi on table 'test'. > > > revoke 'nifi', 'test' => revoke access for user "nifi" on hbase table 'test'. > Here policy will be removed. > > > Thanks, > > Ramesh Mani > >
