-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/75024/#review226500
-----------------------------------------------------------

Rakesh - consider using RangerServiceDef.options to allow a service-def to opt-out of tag-based policies - similar to use of enableDenyAndExceptionsInPolicies option in service-defs for elasticsearch, kylin, nifi, nifi-registry, sqoop.

- Madhan Neethiraj


On May 31, 2024, 11:31 a.m., Rakesh Gupta wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/75024/
> -----------------------------------------------------------
>
> (Updated May 31, 2024, 11:31 a.m.)
>
>
> Review request for ranger, Dineshkumar Yadav, Kishor Gollapalliwar, Mehul Parikh, Pradeep Agrawal, and sanket shelar.
>
>
> Bugs: RANGER-4805
>     https://issues.apache.org/jira/browse/RANGER-4805
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Steps to reproduce:
>
> Created a tag policy for a `test` classification
> Added deny permission for user `tuser`
> Access entity tagged with `test` classification through `tuser` through Atlas UI
>
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java 18ee3adc3
>   agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java 462246a3e
>   agents-common/src/main/java/org/apache/ranger/services/tag/RangerServiceTag.java 036de11e2
>   security-admin/src/main/java/org/apache/ranger/patch/PatchForDisableAccessTypeForTagPolicies_J10062.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java a0ba463e4
>   security-admin/src/main/resources/conf.dist/ranger-admin-site.xml f3dbb777b
>   security-admin/src/main/webapp/react-webapp/src/views/PolicyListing/PolicyPermissionItem.jsx 896c34cb0
>
>
> Diff: https://reviews.apache.org/r/75024/diff/1/
>
>
> Testing
> -------
>
> 1) Verified that while creating or updating a Tag-based policy, the accessType for the Atlas service is not allowed.
> 2) Confirmed that the accessType for the Atlas service is removed from the default Tag-based policy.
> 3) Tested upgrade scenarios for all existing Tag-based policies to ensure that the accessType for the Atlas service is removed.
>
> Configurations:
> disable.accesstype.for.tag.policy : Config to enable and disable policy permission for Tag-based policies.
>
> servicedef.accesstype.disable.for.tag.policy: Config to disable accessType for the service definition in Tag-based policies.
>
>
> Thanks,
>
> Rakesh Gupta
