ranger-dev mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Review Request 56094: Ranger-1339: DENY and ALLOW EXCLUSION do not work with YARN
Date Mon, 13 Nov 2017 10:23:19 GMT


> On Nov. 10, 2017, 7:43 a.m., Madhan Neethiraj wrote:
> > I think the special handling of implied grants of "ALL", in deny and allow-exceptions, would be confusing. Currently Ranger policy model treats all access-types the same - there is no special treatment for "ALL". Also, the special handling introduced in this patch would break existing policies that use "ALL" in deny and allow-exceptions.
> > 
> > I would suggest a couple of options to address the use case:
> >  - update the service-def to remove implied-grant for 'admin-queue'. This would require explicit grant of 'submit-app' where needed i.e. 'admin-queue' access would not implicitly allow 'submit-app' access as well
> >  - other option is to have 'impliedGrants' interpreted only by UI and have policy engine ignore it. In this case, when 'admin-queue' is selected in the UI, 'submit-app' will automatically be selected - but the user will be able to de-select 'submit-app' when necessary.

Thanks for the review Madhan. I think the simplest way of handling it is your first suggestion
- to remove the implied grant. I will create a separate JIRA and submit a patch for it.


- Colm


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56094/#review190683
-----------------------------------------------------------


On Jan. 30, 2017, 7:47 p.m., Yan Zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56094/
> -----------------------------------------------------------
> 
> (Updated Jan. 30, 2017, 7:47 p.m.)
> 
> 
> Review request for ranger.
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> When a user is denied, or excluded from "allowed", the use of "admin-queue", but is allowed the "submit-app", he is actually unable to submit Yarn jobs at all.
> 
> The reason is found to be that the "implied grants" are indiscriminately incorporated into allow/deny/allow-exception/deny-exception lists. Actually we need to differentiate two types of implications. The first implication is "equivalent implication". The second is "unequivalent implication". For the "ALL" permission, it is equivalent, meaning that "ALL" implies all the implied permissions together, and vice versa. So DENY "ALL" will rid a user of any and all other permissions. For YARN's implication from "queue-admin" to "submit-app", it's not equivalent. While "queue-admin" implies "submit-app", it is not the other way around; namely that deny "admin-queue" to a user should not deny his "submit-app" permission. Thus the "implied grants" should not be incorporated from the allow-exception/deny lists if they do not carry the "all" semantics.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ffb9523 
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b0d103e 
>   agents-common/src/test/resources/policyengine/test_policyengine_yarn.json PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/56094/diff/1/
> 
> 
> Testing
> -------
> 
> Regression, manual, and newly added automated tests.
> 
> 
> Thanks,
> 
> Yan Zhou
> 
>
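
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Ranger's code: a simplified model in which implied grants are expanded into every policy item list, compared with a service-def that has the implied grant on 'admin-queue' removed. The user "alice", the dictionary-based service-defs, the one-level expansion and the deny-before-allow evaluation order are assumptions made for illustration.

```python
# Simplified model of implied-grant expansion; constructed for illustration, not Ranger's code.
from dataclasses import dataclass, field

# Constructed service-defs: access type -> access types it implies.
YARN_WITH_IMPLIED = {"submit-app": [], "admin-queue": ["submit-app"]}
YARN_WITHOUT_IMPLIED = {"submit-app": [], "admin-queue": []}


@dataclass
class Policy:
    # Each map is user -> set of access types named in that policy item list.
    allow: dict = field(default_factory=dict)
    allow_exceptions: dict = field(default_factory=dict)
    deny: dict = field(default_factory=dict)
    deny_exceptions: dict = field(default_factory=dict)


def expand(accesses, service_def):
    """Add implied grants to a set of access types (one level, as modelled here)."""
    out = set(accesses)
    for a in accesses:
        out.update(service_def.get(a, []))
    return out


def is_allowed(policy, service_def, user, access):
    """Evaluate one request; every item list is expanded the same way."""
    def listed(items):
        return access in expand(items.get(user, set()), service_def)

    # Deny items win unless a deny-exception covers the access.
    if listed(policy.deny) and not listed(policy.deny_exceptions):
        return False
    return listed(policy.allow) and not listed(policy.allow_exceptions)


def demo():
    """Return whether alice may 'submit-app' for each service-def and policy shape."""
    deny_case = Policy(allow={"alice": {"submit-app"}}, deny={"alice": {"admin-queue"}})
    excl_case = Policy(allow={"alice": {"submit-app"}},
                       allow_exceptions={"alice": {"admin-queue"}})
    results = {}
    for name, sdef in (("implied", YARN_WITH_IMPLIED), ("no-implied", YARN_WITHOUT_IMPLIED)):
        for label, pol in (("deny", deny_case), ("allow-exception", excl_case)):
            results[(name, label)] = is_allowed(pol, sdef, "alice", "submit-app")
    return results


if __name__ == "__main__":
    for key, allowed in demo().items():
        print(key, "submit-app allowed:", allowed)
```

With the implied grant in place, both policy shapes block 'submit-app'; with it removed, 'submit-app' is allowed while 'admin-queue' stays denied.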

