Re: Review Request 69703: RANGER-2232: Security Zones feature in Apache Ranger

2019-01-18 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69703/
---

(Updated Jan. 18, 2019, 10:17 p.m.)


Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Manage zone specific default policies; User Interface updates


Bugs: RANGER-2232
https://issues.apache.org/jira/browse/RANGER-2232


Repository: ranger


Description
---

This is to introduce a new abstraction in Apache Ranger that would allow 
carving/bucketing of resources in a service into multiple zones, for better 
administration of security policies. This would enable multiple administrators 
to set up security policies for a service – based on the zones to which they 
have been granted administration rights.

For example, let us consider 2 security zones ‘finance’ and ‘sales’:

- Security zone ‘finance’ includes all contents in Hive database named ‘finance’
- Security zone ‘sales’ includes all contents in ‘sales’ database
- Set of users and groups are designated as administrators of each zone
- Users are allowed to set up policies only in zones in which they are 
  administrators
- Policies defined in a zone are applicable only for resources of the zone
- A zone can be extended to include resources from multiple services like HDFS, 
  Hive, HBase, Kafka, .., allowing administrators of a zone to set up policies 
  for resources owned by their organization across multiple services.
- Audit logs will include name of the zone in which the accessed resource 
  resides. Only users having appropriate permissions on the security zone can 
  view its audit logs.


Diffs (updated)
-

  
  agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java 329e2f0b7
  agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 8d71851e8
  agents-audit/src/main/java/org/apache/ranger/audit/provider/solr/SolrAuditProvider.java 26633fd6e
  agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java b8da19215
  agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 9b9ccd112
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java c2185a7f1
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java b56b8dd4b
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZone.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java ddedf3e17
  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerValidator.java 51324b093
  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerZoneResourceMatcher.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java 891749d03
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java 8e7844f5d
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java e6c0e5a94
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ab26d41d6
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java f64e773ac
  agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java c1b29d3fa
  agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java b898d292c
  agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 7221f6b15
  agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java 7446df604
  agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZonePredicateUtil.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/store/SecurityZoneStore.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java 9924cb4c4
  agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java f4fe58993
  agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java efb27aafa
  agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 33f82dd34
  agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java 1ae3fc387
  agents-common/src/test/java/org/apache/ranger/plugin/model/TestRangerPolicyResourceSignature.java 38c425dc6
  agents-common/src/test/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidatorTest.java PRE-CREATION
  hbase-agent/src/main/jav
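
The zone rules listed in the description above (which zone a resource belongs to, zone-scoped administration, zone-scoped policy evaluation, and the zone name carried with each decision for auditing), as a simplified Java model. This is an added example, not code from the review request or from Apache Ranger; all class and method names are hypothetical, the zones, users and resources are constructed, and it assumes Java 16 or later for records.

```java
import java.util.*;

// Simplified model of the zone rules in the description. All class and method
// names here are hypothetical; this is not Ranger's RangerSecurityZone API.
public class ZoneModelDemo {

    // True when 'resource' is 'prefix' itself or sits below it, so "finance"
    // covers "finance.ledger" but not "finance_archive".
    static boolean covers(String prefix, String resource) {
        return resource.equals(prefix)
                || resource.startsWith(prefix + ".")   // Hive-style db.table.column
                || resource.startsWith(prefix + "/");  // HDFS-style path
    }

    // A zone owns resources in one or more services and has its own admins.
    record Zone(String name, Map<String, List<String>> resourcesByService,
                Set<String> adminUsers, Set<String> adminGroups) {

        boolean contains(String service, String resource) {
            return resourcesByService.getOrDefault(service, List.of()).stream()
                    .anyMatch(prefix -> covers(prefix, resource));
        }

        boolean isAdmin(String user, Set<String> groups) {
            return adminUsers.contains(user) || !Collections.disjoint(adminGroups, groups);
        }
    }

    record Policy(String zone, String service, String resource, String user, String access) {}

    // 'zone' is the value an audit record would carry for this access.
    record Decision(boolean allowed, String zone) {}

    private final List<Zone> zones = new ArrayList<>();
    private final List<Policy> policies = new ArrayList<>();

    void addZone(Zone zone) { zones.add(zone); }

    // Name of the zone that owns the resource, or "" when no zone claims it.
    String zoneOf(String service, String resource) {
        for (Zone z : zones) {
            if (z.contains(service, resource)) return z.name();
        }
        return "";
    }

    // Accept a policy only from an administrator of its zone, and only for a
    // resource that the zone actually contains.
    boolean addPolicy(String author, Set<String> authorGroups, Policy p) {
        Zone zone = zones.stream().filter(z -> z.name().equals(p.zone()))
                .findFirst().orElse(null);
        if (zone == null || !zone.isAdmin(author, authorGroups)) return false;
        if (!zone.contains(p.service(), p.resource())) return false;
        policies.add(p);
        return true;
    }

    // Evaluate only the policies of the zone in which the resource resides.
    Decision check(String user, String service, String resource, String access) {
        String zone = zoneOf(service, resource);
        boolean allowed = policies.stream().anyMatch(p -> p.zone().equals(zone)
                && p.service().equals(service) && p.user().equals(user)
                && p.access().equals(access) && covers(p.resource(), resource));
        return new Decision(allowed, zone);
    }

    public static void main(String[] args) {
        ZoneModelDemo model = new ZoneModelDemo();
        // Constructed sample zones, users and resources.
        model.addZone(new Zone("finance",
                Map.of("hive", List.of("finance"), "hdfs", List.of("/data/finance")),
                Set.of("fin_admin"), Set.of("finance-admins")));
        model.addZone(new Zone("sales", Map.of("hive", List.of("sales")),
                Set.of("sales_admin"), Set.of()));

        Set<String> noGroups = Set.of();
        System.out.println("own zone:       " + model.addPolicy("fin_admin", noGroups,
                new Policy("finance", "hive", "finance.ledger", "alice", "select")));
        System.out.println("other zone:     " + model.addPolicy("fin_admin", noGroups,
                new Policy("sales", "hive", "sales.orders", "alice", "select")));
        System.out.println("wrong resource: " + model.addPolicy("fin_admin", noGroups,
                new Policy("finance", "hive", "sales.orders", "alice", "select")));

        System.out.println(model.check("alice", "hive", "finance.ledger.amount", "select"));
        System.out.println(model.check("alice", "hive", "sales.orders", "select"));
    }
}
```

The two rejected `addPolicy` calls are the cases that matter for isolation: a finance administrator writing into the sales zone, and a policy filed under the finance zone that names a sales resource.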

Re: Review Request 69703: RANGER-2232: Security Zones feature in Apache Ranger

2019-01-23 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69703/
---

(Updated Jan. 23, 2019, 7:39 p.m.)


Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Fixed Security Zone validation code and merged with master branch


Bugs: RANGER-2232
https://issues.apache.org/jira/browse/RANGER-2232


Repository: ranger



Re: Review Request 69703: RANGER-2232: Security Zones feature in Apache Ranger

2019-01-25 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69703/
---

(Updated Jan. 25, 2019, 5:51 p.m.)


Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Rebased with master.


Bugs: RANGER-2232
https://issues.apache.org/jira/browse/RANGER-2232


Repository: ranger



Re: Review Request 69703: RANGER-2232: Security Zones feature in Apache Ranger

2019-01-26 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69703/#review212359
---


Fix it, then Ship it!





agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
Line 127 (original), 130 (patched)


Consider retaining existing constructor - to avoid breaking existing usage:

    public AuthzAuditEvent(int repositoryType, String repositoryName,
            String user, Date eventTime, String accessType,
            String resourcePath, String resourceType, String action,
            short accessResult, String agentId, long policyId,
            String resultReason, String aclEnforcer, String sessionId,
            String clientType, String clientIP, String requestData,
            String clusterName) {
        this(repositoryType, repositoryName, user, eventTime, accessType,
                resourcePath, resourceType, action, accessResult, agentId, policyId,
                resultReason, aclEnforcer, sessionId, clientType, clientIP, requestData,
                clusterName, null);
    }

Please review and update other such constructor changes - like RangerPolicy.



hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
Line 620 (original), 620 (patched)


This file has only whitespace changes. Please consider reverting this.



knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
Line 57 (original), 57 (patched)


This file has only whitespace changes. Please consider reverting this.



plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
Line 217 (original), 217 (patched)


This file seems to have only whitespace changes. Please consider reverting 
this.



security-admin/src/main/webapp/templates/service/ServiceCreate_tmpl.html
Line 31 (original), 31 (patched)


Only change is addition of a comment? Please review and consider reverting 
this.



storm-agent/src/main/java/org/apache/ranger/authorization/storm/StormRangerPlugin.java
Line 38 (original), 38 (patched)


This file has only whitespace changes. Please consider reverting the 
changes.


- Madhan Neethiraj


On Jan. 25, 2019, 5:51 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69703/
> ---
> 
> (Updated Jan. 25, 2019, 5:51 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
> Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-2232
> https://issues.apache.org/jira/browse/RANGER-2232
> 
> 
> Repository: ranger
> 
> 

Re: Review Request 69703: RANGER-2232: Security Zones feature in Apache Ranger

2019-01-26 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69703/
---

(Updated Jan. 27, 2019, 12:10 a.m.)


Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Addressed review comments


Bugs: RANGER-2232
https://issues.apache.org/jira/browse/RANGER-2232


Repository: ranger



Re: Review Request 69703: RANGER-2232: Security Zones feature in Apache Ranger

2019-01-26 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69703/#review212364
---


Ship it!




Ship It!

- Madhan Neethiraj


On Jan. 27, 2019, 12:10 a.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69703/
> ---
> 
> (Updated Jan. 27, 2019, 12:10 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin 
> Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-2232
> https://issues.apache.org/jira/browse/RANGER-2232
> 
> 
> Repository: ranger
> 
> 