----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/75047/#review226544 -----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java Line 953 (original), 1010 (patched) <https://reviews.apache.org/r/75047/#comment314805> oldResult could be by a policy having higher priority. In such case deny from current policy shouldn't override oldResult, right? Please review. hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java Line 885 (original), 887 (patched) <https://reviews.apache.org/r/75047/#comment314802> To collect into a TreeSet: Set<Set<String>> accessTypeGroups = accessTypes.stream().map(e -> Collections.singleton(e)).collect(TreeSet::new); hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java Line 962 (original), 969 (patched) <https://reviews.apache.org/r/75047/#comment314803> To collect into a TreeSet: Set<Set<String>> accessTypeGroups = accessTypes.stream().map(e -> Collections.singleton(e)).collect(TreeSet::new); - Madhan Neethiraj On June 12, 2024, 10:56 p.m., Abhay Kulkarni wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/75047/ > ----------------------------------------------------------- > > (Updated June 12, 2024, 10:56 p.m.) > > > Review request for ranger, Dineshkumar Yadav, madhan, Madhan Neethiraj, > Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy. > > > Bugs: RANGER-4820 > https://issues.apache.org/jira/browse/RANGER-4820 > > > Repository: ranger > > > Description > ------- > > Currently, Ranger policy engine supports authorization of multiple accesses > for a given resource in a single call to the Ranger plugin's > isAccessAllowed() API. However, it has some limitations which are addressed > by this JIRA. > > Limitation: If multiple accesses are to be authorized, then the current > authorization logic in Ranger policy engine is designed to allow the request > to succeed (that is, grant access) only if all requested accesses are granted. > > This Jira supports organizing accesses in groups where each group is granted > access if any access in the group is allowed, and the request is successful > (that is, user is allowed access) only if all groups are granted access. > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java > b0dc7a461 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsPolicyEngine.java > 6a6709254 > > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java > c43ec4c2f > > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java > df0352ca9 > > agents-common/src/test/resources/policyengine/test_policyengine_hdfs_multiple_accesses.json > 8962c5a3f > > hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java > c892bced3 > > > Diff: https://reviews.apache.org/r/75047/diff/1/ > > > Testing > ------- > > Updated the unit tests for muliple access > (agents-common/src/test/resources/policyengine/test_policyengine_hdfs_multiple_accesses.json). > > Ran all unit tests successfully. > > > Thanks, > > Abhay Kulkarni > >
