Re: Review Request 75047: RANGER-4820: Support authorization of multiple accesses grouped by access groups in one policy engine call

Sat, 15 Jun 2024 14:10:01 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/75047/
-----------------------------------------------------------

(Updated June 15, 2024, 9:09 p.m.)


Review request for ranger, Dineshkumar Yadav, madhan, Madhan Neethiraj, Pradeep 
Agrawal, Ramesh Mani, and Velmurugan Periasamy.


Changes
-------

Addressed review comments


Bugs: RANGER-4820
    https://issues.apache.org/jira/browse/RANGER-4820


Repository: ranger


Description
-------

Currently, Ranger policy engine supports authorization of multiple accesses for 
a given resource in a single call to the Ranger plugin's isAccessAllowed() API. 
However, it has some limitations which are addressed by this JIRA.

Limitation: If multiple accesses are to be authorized, then the current 
authorization logic in Ranger policy engine is designed to allow the request to 
succeed (that is, grant access) only if all requested accesses are granted.

This Jira supports organizing  accesses in groups where each group is granted 
access if any access in the group is allowed, and the request is successful 
(that is, user is allowed access) only if all groups are granted access.


Diffs (updated)
-----

  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 b0dc7a461 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsPolicyEngine.java
 6a6709254 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 c43ec4c2f 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 df0352ca9 
  
agents-common/src/test/resources/policyengine/test_policyengine_hdfs_multiple_accesses.json
 8962c5a3f 
  
hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
 c892bced3 


Diff: https://reviews.apache.org/r/75047/diff/2/

Changes: https://reviews.apache.org/r/75047/diff/1-2/


Testing
-------

Updated the unit tests for muliple access 
(agents-common/src/test/resources/policyengine/test_policyengine_hdfs_multiple_accesses.json).

Ran all unit tests successfully.


Thanks,

Abhay Kulkarni

Reply via email to