ranger-dev mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Review Request 56094: Ranger-1339: DENY and ALLOW EXCLUSION do not work with YARN
Date Wed, 08 Nov 2017 12:48:43 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56094/#review190442
-----------------------------------------------------------



+		preprocessPolicyItems(policy.getDataMaskPolicyItems(), impliedAccessGrants,
+						RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);
+		preprocessPolicyItems(policy.getRowFilterPolicyItems(), impliedAccessGrants,
+						RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);
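
Review bot: both added calls pass RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW, although the lists come from getDataMaskPolicyItems() and getRowFilterPolicyItems(), so data-mask and row-filter items are preprocessed as ordinary allow items. If preprocessPolicyItems uses the type argument to decide whether implied grants are expanded, pass the item type that matches each list, or add a comment explaining why ALLOW is intended here.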

These do not have the correct RangerPolicyItemEvaluator int.

- Colm O hEigeartaigh


On Jan. 30, 2017, 7:47 p.m., Yan Zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56094/
> -----------------------------------------------------------
> 
> (Updated Jan. 30, 2017, 7:47 p.m.)
> 
> 
> Review request for ranger.
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> When a user is denied, or excluded from "allowed", the use of "admin-queue", but is allowed the "submit-app", he is actually unable to submit Yarn jobs at all.
> 
> The reason is found to be that the "implied grants" are indiscriminately incorporated into allow/deny/allow-exception/deny-exception lists. Actually we need to differentiate two types of implications. The first implication is "equivalent implication". The second is "unequivalent implication". For the "ALL" permission, it is equivalent, meaning that "ALL" implies all the implied permissions together, and vice versa. So DENY "ALL" will rid a user of any and all other permissions. For YARN's implication from "queue-admin" to "submit-app", it's not equivalent. While "queue-admin" implies "submit-app", it is not the other way around; namely, denying "admin-queue" to a user should not deny his "submit-app" permission. Thus the "implied grants" should not be incorporated from the allow-exception/deny lists if they do not carry the "all" semantics.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ffb9523 
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b0d103e 
>   agents-common/src/test/resources/policyengine/test_policyengine_yarn.json PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/56094/diff/1/
> 
> 
> Testing
> -------
> 
> Regression, manual, and newly added automated tests.
> 
> 
> Thanks,
> 
> Yan Zhou
> 
>
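
The implication rule from the quoted description, as an added example that is not part of the original message or of Ranger's code: a simplified Python model of allow/deny evaluation with and without the proposed distinction. The policy layout, the `expand` and `is_allowed` helpers, the name `all` for the catch-all permission and the sample policies are constructed for illustration.

```python
# Simplified model of implied-grant expansion; not Ranger's evaluator code.
# Constructed YARN-like definition: "admin-queue" implies "submit-app" (one way).
IMPLIED_GRANTS = {"admin-queue": {"submit-app"}}
ALL_ACCESS_TYPES = {"admin-queue", "submit-app"}
ALL = "all"  # assumed name for the catch-all permission
ALLOW, DENY = "allow", "deny"
ALLOW_EXCEPTION, DENY_EXCEPTION = "allow-exception", "deny-exception"

def expand(accesses, item_type, discriminate):
    """Accesses a policy item covers once implications are applied."""
    covered = set(accesses)
    if ALL in covered:
        # Equivalent implication: "all" stands for every access type in any list.
        covered |= ALL_ACCESS_TYPES
    # One-way implication: with discriminate=True it widens only the lists
    # that grant access (allow, deny-exception), never deny/allow-exception.
    if not discriminate or item_type in (ALLOW, DENY_EXCEPTION):
        for access in accesses:
            covered |= IMPLIED_GRANTS.get(access, set())
    return covered

def is_allowed(policy, user, access, discriminate):
    """Evaluate deny, deny-exception, allow, allow-exception in that order."""
    def matches(item_type):
        return any(
            user in item["users"]
            and access in expand(item["accesses"], item_type, discriminate)
            for item in policy.get(item_type, [])
        )
    if matches(DENY) and not matches(DENY_EXCEPTION):
        return False
    return matches(ALLOW) and not matches(ALLOW_EXCEPTION)

# Constructed policies mirroring the cases in the description.
DENY_ADMIN = {
    ALLOW: [{"users": {"alice"}, "accesses": {"submit-app"}}],
    DENY: [{"users": {"alice"}, "accesses": {"admin-queue"}}],
}
EXCLUDE_ADMIN = {
    ALLOW: [{"users": {"alice"}, "accesses": {"admin-queue", "submit-app"}}],
    ALLOW_EXCEPTION: [{"users": {"alice"}, "accesses": {"admin-queue"}}],
}
DENY_ALL = {
    ALLOW: [{"users": {"alice"}, "accesses": {"submit-app"}}],
    DENY: [{"users": {"alice"}, "accesses": {ALL}}],
}
if __name__ == "__main__":
    for pol in (DENY_ADMIN, EXCLUDE_ADMIN, DENY_ALL):
        print([is_allowed(pol, "alice", "submit-app", d) for d in (False, True)])
```

With `discriminate=False` the model reproduces the reported symptom: denying or excluding `admin-queue` also removes `submit-app`. With `discriminate=True` only a deny of `all` does.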

