-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/44444/#review123859
-----------------------------------------------------------

Ship it!


Ship It!

- Gautam Borad


On March 8, 2016, 2:13 p.m., Pradeep Agrawal wrote:
> 
> (Updated March 8, 2016, 2:13 p.m.)
> 
> 
> Review request for ranger, Alok Lal, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Ramesh Mani, and Selvamohan Neethiraj.
> 
> 
> Bugs: RANGER-875
>     https://issues.apache.org/jira/browse/RANGER-875
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement:**
> Currently installation script gives grantor roles to Ranger db user on several privileges. Restrict Grantor role of Ranger Db user on only those privileges on which Ranger db user needs to give grants to the audit db user.
> 
> **Proposed Solution:**
> In attached patch have removed 'WITH ADMIN OPTION' clause from GRANT statement as it's not required any more.
> Ranger db user does not need Grantor role on tables for SELECT operation explicitly as he is schema owner and has all privileges of all objects of that schema.
> Since Oracle Root user gives 'CREATE SESSION' privilege to audit db user, Ranger db user does not need to give same privileges again to audit db user thus Ranger db user does not need Grantor role in 'CREATE SESSION' privilege also.
> 
> 
> Diffs
> -----
> 
>   kms/scripts/dba_script.py 1e039e5 
>   security-admin/scripts/db_setup.py 1a74b4a 
>   security-admin/scripts/dba_script.py 66b2848 
> 
> Diff: https://reviews.apache.org/r/44444/diff/
> 
> 
> Testing
> -------
> 
> **Steps performed:**
> 1. After configuring install.properties of Ranger admin for Oracle DB Flavor, called setup.sh to install Ranger.
> 2. Started Ranger Admin and Created HDFS service and policy.
> 3. Installed HDFS plugin and enabled HDFS plugin with audit to DB logs.
> 4. Executed a few HDFS commands to audit logs.
> 
> **Result/Behavior:**
> Installation logs do not have any Grant statement containing 'WITH ADMIN OPTION'.
> Setup was done successfully and Ranger UI was working.
> Was able to see Audit logs of HDFS command executed in Testing process for policy enforcement.
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>
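
The check reported under Result/Behavior above (no GRANT statement in the installation log carrying 'WITH ADMIN OPTION'), written as an added example that is not part of this review thread or of Ranger's scripts. It goes beyond the thread by also flagging Oracle's object-level `WITH GRANT OPTION`; the log layout and the names `app_owner`, `audit_user` and `audit_table` are constructed assumptions.

```python
import re

# One Oracle GRANT statement: system grants have no ON clause, object grants do.
# [^;] and \s both span newlines, so statements wrapped across log lines match.
GRANT_RE = re.compile(
    r"\bGRANT\s+(?P<privs>[^;]+?)"
    r"(?:\s+ON\s+(?P<obj>\S+))?"
    r"\s+TO\s+(?P<grantee>[\w$#]+)"
    r"(?:\s+WITH\s+(?P<opt>ADMIN|GRANT)\s+OPTION)?",
    re.IGNORECASE,
)

# Constructed sample input; the real installation log format is not shown in the thread.
SAMPLE_LOG = """\
2016-03-08 14:01:02 [I] executing: GRANT CREATE SESSION, CREATE TABLE TO app_owner WITH ADMIN OPTION;
2016-03-08 14:01:03 [I] executing: grant select on app_owner.audit_table
    to audit_user;
2016-03-08 14:01:04 [I] executing: GRANT CREATE SESSION TO audit_user;
"""


def find_grants(log_text):
    """Return every GRANT statement found in log_text as a dict."""
    grants = []
    for m in GRANT_RE.finditer(log_text):
        grants.append({
            "privileges": [p.strip().upper() for p in m.group("privs").split(",")],
            "object": m.group("obj"),          # None for system privileges
            "grantee": m.group("grantee"),
            "option": (m.group("opt") or "").upper() or None,
        })
    return grants


def delegable_grants(log_text):
    """Grants the grantee can pass on: WITH ADMIN OPTION or WITH GRANT OPTION."""
    return [g for g in find_grants(log_text) if g["option"] is not None]


if __name__ == "__main__":
    for g in delegable_grants(SAMPLE_LOG):
        target = f" ON {g['object']}" if g["object"] else ""
        print(f"{g['grantee']}: {', '.join(g['privileges'])}{target} "
              f"WITH {g['option']} OPTION")
```

Any grant this reports after the patch should be one the Ranger db user actually needs in order to grant to the audit db user.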
