> On Jan. 19, 2024, 11:12 p.m., Madhan Neethiraj wrote: > > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java > > Lines 1281 (patched) > > <https://reviews.apache.org/r/74825/diff/4/?file=2284895#file2284895line1281> > > > > For grant, shouldn't the update be done only on 'exact-match' policy? > > Else, the update might end up granting the user access to more resources. > > Please review and update. > > > > I think current grant implementation wouldn't need any update.
Madhan, Thanks for the review. With the multiple column grant in SELECT, there is a possiblity that user run the grant with addition columns, in that case the patch does update the existing policy for that user/group/role and accesstype if matches. e.g 1) "grant select(col1, col2, col3) on table demo.test to role Role1" => Create a Grant Policy for the given resource in Hadoop Sql 2) "grant select(col1, col2, col3, col4) on table demo.test to role Role1" => updates the policy created in #1 with new col4 resource Addition test cases which are covered are here. Please review this. https://docs.google.com/document/d/19WLt10QmxFQjBbIFRqYCpd9lY46FoEaDSPRAXUn7vow/edit#heading=h.jhpqwr2prvv8 - Ramesh ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/74825/#review226159 ----------------------------------------------------------- On Jan. 24, 2024, 4:07 a.m., Ramesh Mani wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/74825/ > ----------------------------------------------------------- > > (Updated Jan. 24, 2024, 4:07 a.m.) > > > Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, > Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan > Periasamy. > > > Bugs: RANGER-4638 > https://issues.apache.org/jira/browse/RANGER-4638 > > > Repository: ranger > > > Description > ------- > > RANGER-4638:Multiple Columns Revoke not generating policies with correct > number of columns > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java > 7fe2a2eb3 > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java > 0a14b387a > > agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java > f16157ce6 > > agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java > e1cd89b70 > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java > 5eee8d11a > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java > ec22e01bf > > agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceisSubSetMatcher.java > PRE-CREATION > > agents-common/src/test/resources/resourcematcher/test_defaultpolicyresource_isSubset_matcher.json > PRE-CREATION > security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java > 15a1e7118 > > security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java > 84ee31ba2 > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java > cc9df27d6 > security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java > 60e34c0c7 > security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java > a630e575b > > > Diff: https://reviews.apache.org/r/74825/diff/5/ > > > Testing > ------- > > Impala / Hive beeline. > > 1) "grant select(col1, col2, col3) on table demo.test to role Role1" => > Create a Grant Policy for the given resource in Hadoop Sql > > > 2) "grant select(col1, col2, col3, col4) on table demo.test to role Role1" > => updates the policy created in #1 with new col4 resource > > if "revoke select(col1, col2, col3, col4) on table demo.test from role > Role1" is done => Since all the columns are revoked for Select, we update the > policy created in #1 with no policy Item for it. > if "revoke select(col1, col2, col3) on table demo.test from role Role1" > is done => policy created in #1 will be updated to remove col1,col2,col3 from > the policy to revoke the access. > > 3) If "revoke select(col1, col2, col3, col4) on table demo.test from role > Role1" found 2 Matching polcies, say 1st policy matched col1,col2,col3 and > 2nd Policy matched col4, then both the policies will be updated for revoking > the corresponding column access. > > 4) When Multiple Premission are there on the policy and revoke is to remove > one permission, then the policy will be updated by removing the revoked > permission. > Grant select on table demo.test to role Role1 > Grant Alter on table demo.test to role Role1 > Revoke alter table demo.test to role Role1 > > > > HBASE shell > > grant 'nifi', 'RWXCA', 'test' => create policy with 'RWXCA' access for user > nifi on table 'test'. > > > revoke 'nifi', 'test' => revoke access for user "nifi" on hbase table 'test'. > Here policy will be removed. > > > Thanks, > > Ramesh Mani > >