Re: Review Request 65854: RANGER-1999: Ranger policy engine updates to support list-of-values in access reource
> On March 5, 2018, 9:57 a.m., Zsombor Gegesy wrote: > > Instead of using Objects, and casting to Collection or String, why didn't > > you use either just Collection - and use > > Collection.singleton(resourceName), or introduce a new 'ResourceMatch' > > type, with a 'SingleResourceMatch' and a 'AnyOfResourceMatch' subtypes ? So > > later a 'AllOfResourceMatch' could be introduced, if needed. Sure, a better > > name could be easily picked. > > Relaying on runtime class casts from 'Object' makes the code more fragile > > - it will be easy to forget later to update the code, because the compiler > > won't complain. @Zsombor - having generic 'Object' as the type for access-resouce value can enable extensions that can use types other than string/collection. Policy engine framework doesn't need to be restricted on specific types. Only 2 places need to deal with this: resource-matcher and trie-lookup. With this commit, I updated both to deal with string/collection type values. Current framework allows for registration of new type of resouce-matcher along with service-def. Not sure if such approach is feasible for trie-lookup - which arranges the policies based on string type resource values; for other resource types, trie can simply return complete policy-list. - Madhan --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/65854/#review198619 --- On March 1, 2018, 8:41 p.m., Madhan Neethiraj wrote: > > --- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/65854/ > --- > > (Updated March 1, 2018, 8:41 p.m.) > > > Review request for ranger, Don Bosco Durai, Abhay Kulkarni, Nixon Rodrigues, > and Ramesh Mani. > > > Bugs: RANGER-1999 > https://issues.apache.org/jira/browse/RANGER-1999 > > > Repository: ranger > > > Description > --- > > Updated policy engine module to handle resources with multiple values > > > Diffs > - > > > agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java > 2835cddd > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java > 2ee616a1 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java > 58004862 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java > 18bb1f44 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java > 9fcefbe0 > > agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java > 415263ee > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java > acd599a7 > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java > a7399eed > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java > 8183dedb > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java > eab9dbc7 > > agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java > aad78340 > > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java > f6c1e4d5 > > agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java > bcd15779 > > agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java > e2c7c270 > agents-common/src/test/resources/policyengine/test_policyengine_atlas.json > PRE-CREATION > > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java > e4eafc69 > > ranger-tools/src/main/java/org/apache/ranger/policyengine/perftest/v2/RangerPolicyFactory.java > 0008808e > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java > 5b7d0859 > > > Diff: https://reviews.apache.org/r/65854/diff/2/ > > > Testing > --- > > - added unit tests to validate the enhancements > > > Thanks, > > Madhan Neethiraj > >
Re: Review Request 65854: RANGER-1999: Ranger policy engine updates to support list-of-values in access reource
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/65854/#review198619 --- Instead of using Objects, and casting to Collection or String, why didn't you use either just Collection - and use Collection.singleton(resourceName), or introduce a new 'ResourceMatch' type, with a 'SingleResourceMatch' and a 'AnyOfResourceMatch' subtypes ? So later a 'AllOfResourceMatch' could be introduced, if needed. Sure, a better name could be easily picked. Relaying on runtime class casts from 'Object' makes the code more fragile - it will be easy to forget later to update the code, because the compiler won't complain. - Zsombor Gegesy On March 1, 2018, 9:41 p.m., Madhan Neethiraj wrote: > > --- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/65854/ > --- > > (Updated March 1, 2018, 9:41 p.m.) > > > Review request for ranger, Don Bosco Durai, Abhay Kulkarni, Nixon Rodrigues, > and Ramesh Mani. > > > Bugs: RANGER-1999 > https://issues.apache.org/jira/browse/RANGER-1999 > > > Repository: ranger > > > Description > --- > > Updated policy engine module to handle resources with multiple values > > > Diffs > - > > > agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java > 2835cddd > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java > 2ee616a1 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java > 58004862 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java > 18bb1f44 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java > 9fcefbe0 > > agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java > 415263ee > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java > acd599a7 > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java > a7399eed > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java > 8183dedb > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java > eab9dbc7 > > agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java > aad78340 > > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java > f6c1e4d5 > > agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java > bcd15779 > > agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java > e2c7c270 > agents-common/src/test/resources/policyengine/test_policyengine_atlas.json > PRE-CREATION > > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java > e4eafc69 > > ranger-tools/src/main/java/org/apache/ranger/policyengine/perftest/v2/RangerPolicyFactory.java > 0008808e > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java > 5b7d0859 > > > Diff: https://reviews.apache.org/r/65854/diff/2/ > > > Testing > --- > > - added unit tests to validate the enhancements > > > Thanks, > > Madhan Neethiraj > >
Re: Review Request 65854: RANGER-1999: Ranger policy engine updates to support list-of-values in access reource
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/65854/#review198540 --- Ship it! Ship It! - Abhay Kulkarni On March 1, 2018, 8:41 p.m., Madhan Neethiraj wrote: > > --- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/65854/ > --- > > (Updated March 1, 2018, 8:41 p.m.) > > > Review request for ranger, Don Bosco Durai, Abhay Kulkarni, Nixon Rodrigues, > and Ramesh Mani. > > > Bugs: RANGER-1999 > https://issues.apache.org/jira/browse/RANGER-1999 > > > Repository: ranger > > > Description > --- > > Updated policy engine module to handle resources with multiple values > > > Diffs > - > > > agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java > 2835cddd > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java > 2ee616a1 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java > 58004862 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java > 18bb1f44 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java > 9fcefbe0 > > agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java > 415263ee > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java > acd599a7 > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java > a7399eed > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java > 8183dedb > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java > eab9dbc7 > > agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java > aad78340 > > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java > f6c1e4d5 > > agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java > bcd15779 > > agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java > e2c7c270 > agents-common/src/test/resources/policyengine/test_policyengine_atlas.json > PRE-CREATION > > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java > e4eafc69 > > ranger-tools/src/main/java/org/apache/ranger/policyengine/perftest/v2/RangerPolicyFactory.java > 0008808e > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java > 5b7d0859 > > > Diff: https://reviews.apache.org/r/65854/diff/2/ > > > Testing > --- > > - added unit tests to validate the enhancements > > > Thanks, > > Madhan Neethiraj > >
Re: Review Request 65854: RANGER-1999: Ranger policy engine updates to support list-of-values in access reource
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/65854/ --- (Updated March 1, 2018, 8:41 p.m.) Review request for ranger, Don Bosco Durai, Abhay Kulkarni, Nixon Rodrigues, and Ramesh Mani. Changes --- fix for PMD violations (unused import), optimizations Bugs: RANGER-1999 https://issues.apache.org/jira/browse/RANGER-1999 Repository: ranger Description --- Updated policy engine module to handle resources with multiple values Diffs (updated) - agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java 2835cddd agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java 2ee616a1 agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java 58004862 agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java 18bb1f44 agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java 9fcefbe0 agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java 415263ee agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java acd599a7 agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java a7399eed agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java 8183dedb agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java eab9dbc7 agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java aad78340 agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java f6c1e4d5 agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java bcd15779 agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java e2c7c270 agents-common/src/test/resources/policyengine/test_policyengine_atlas.json PRE-CREATION hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java e4eafc69 ranger-tools/src/main/java/org/apache/ranger/policyengine/perftest/v2/RangerPolicyFactory.java 0008808e security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 5b7d0859 Diff: https://reviews.apache.org/r/65854/diff/2/ Changes: https://reviews.apache.org/r/65854/diff/1-2/ Testing --- - added unit tests to validate the enhancements Thanks, Madhan Neethiraj
Review Request 65854: RANGER-1999: Ranger policy engine updates to support list-of-values in access reource
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/65854/ --- Review request for ranger, Don Bosco Durai, Abhay Kulkarni, Nixon Rodrigues, and Ramesh Mani. Bugs: RANGER-1999 https://issues.apache.org/jira/browse/RANGER-1999 Repository: ranger Description --- Updated policy engine module to handle resources with multiple values Diffs - agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java 2835cddd agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java 2ee616a1 agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java 58004862 agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java 18bb1f44 agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java 9fcefbe0 agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java 415263ee agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java acd599a7 agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java a7399eed agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java 8183dedb agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java eab9dbc7 agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java aad78340 agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java f6c1e4d5 agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java bcd15779 agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java e2c7c270 agents-common/src/test/resources/policyengine/test_policyengine_atlas.json PRE-CREATION hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java e4eafc69 ranger-tools/src/main/java/org/apache/ranger/policyengine/perftest/v2/RangerPolicyFactory.java 0008808e security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 5b7d0859 Diff: https://reviews.apache.org/r/65854/diff/1/ Testing --- - added unit tests to validate the enhancements Thanks, Madhan Neethiraj