Subject: Re: Review Request 56094: Ranger-1339: DENY and ALLOW EXCLUSION do not work with YARN
From: Colm O hEigeartaigh
To: Yan Zhou, Colm O hEigeartaigh, ranger
Date: Wed, 08 Nov 2017 12:48:43 -0000
Message-ID: <20171108124843.35837.78952@reviews-vm2.apache.org>
In-Reply-To: <20170130194724.5716.11883@reviews.apache.org>
X-ReviewRequest-URL: https://reviews.apache.org/r/56094/
X-ReviewBoard-Diff-For: agents-common/src/test/resources/policyengine/test_policyengine_yarn.json

-----------------------------------------------------------
This is an automatically generated e-mail.
To reply, visit: https://reviews.apache.org/r/56094/#review190442
-----------------------------------------------------------

+ preprocessPolicyItems(policy.getDataMaskPolicyItems(), impliedAccessGrants,
+ RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);
+ preprocessPolicyItems(policy.getRowFilterPolicyItems(), impliedAccessGrants,
+ RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);

These do not have the correct RangerPolicyItemEvaluator int.

- Colm O hEigeartaigh


On Jan. 30, 2017, 7:47 p.m., Yan Zhou wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56094/
> -----------------------------------------------------------
>
> (Updated Jan. 30, 2017, 7:47 p.m.)
>
>
> Review request for ranger.
>
>
> Repository: ranger
>
>
> Description
> -------
>
> When a user is denied, or excluded from "allowed", the use of "admin-queue", but is allowed "submit-app", he is actually unable to submit YARN jobs at all.
>
> The reason is found to be that the "implied grants" are indiscriminately incorporated into the allow/deny/allow-exception/deny-exception lists. Actually we need to differentiate two types of implication. The first is "equivalent implication". The second is "unequivalent implication". For the "ALL" permission, it is equivalent, meaning that "ALL" implies all the implied permissions together, and vice versa. So DENY "ALL" will rid a user of any and all other permissions. For YARN's implication from "queue-admin" to "submit-app", it is not equivalent. While "queue-admin" implies "submit-app", it is not the other way around; namely, denying "admin-queue" to a user should not deny his "submit-app" permission. Thus the "implied grants" should not be incorporated from the allow-exception/deny lists if they do not carry the "all" semantics.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ffb9523
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b0d103e
> agents-common/src/test/resources/policyengine/test_policyengine_yarn.json PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/56094/diff/1/
>
>
> Testing
> -------
>
> Regression, manual, and newly added automated tests.
>
>
> Thanks,
>
> Yan Zhou
>
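Review bot: both added calls pass RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW even though the first preprocesses policy.getDataMaskPolicyItems() and the second policy.getRowFilterPolicyItems(), so data-mask and row-filter items would be preprocessed as plain allow items and, with the list-dependent handling of implied grants this change introduces, would be expanded exactly as allow grants are. Each call should pass the RangerPolicyItemEvaluator item-type constant that corresponds to its own list rather than POLICY_ITEM_TYPE_ALLOW, and the TestPolicyEngine additions should include a policy with data-mask or row-filter items so this kind of mix-up fails a test.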
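The two kinds of implication in the description above, as an added stand-alone model written for this review and not Ranger's code: `expand` applies equivalent implications ("all") in every list and non-equivalent ones (admin-queue implies submit-app) only in lists that add access, and `is_access_allowed` evaluates a constructed YARN-style policy in deny-before-allow order; the access names, implication tables, policy and user are all constructed.

```python
"""Model of implied-grant preprocessing for Ranger-style policy items.
Added example; not Ranger's code. Access names and tables are constructed."""

# Constructed implication tables.
# "all" is an EQUIVALENT implication: it stands for every access type, so it
# expands in every list (DENY all must take every permission away).
EQUIVALENT = {"all": {"admin-queue", "submit-app"}}
# "admin-queue" implies "submit-app" but not the reverse: a NON-EQUIVALENT
# implication that must not expand in lists that remove access.
NON_EQUIVALENT = {"admin-queue": {"submit-app"}}

GRANTING_LISTS = {"allow", "deny-exception"}  # lists that add access


def expand(accesses, item_type, differentiate=True):
    """Return the access types a policy item covers after implied grants.
    differentiate=False reproduces the pre-fix behaviour, where every list
    expands every implication indiscriminately."""
    out = set(accesses)
    for access in accesses:
        out |= EQUIVALENT.get(access, set())
        if not differentiate or item_type in GRANTING_LISTS:
            out |= NON_EQUIVALENT.get(access, set())
    return out


def is_access_allowed(policy, user, access, differentiate=True):
    """Deny items win unless a deny-exception matches; then allow items
    grant unless an allow-exception matches; otherwise default deny."""
    def matches(list_name):
        return any(user in item["users"]
                   and access in expand(item["accesses"], list_name, differentiate)
                   for item in policy.get(list_name, []))
    if matches("deny") and not matches("deny-exception"):
        return False
    if matches("allow") and not matches("allow-exception"):
        return True
    return False


# Constructed policy from the description: bob may submit apps but is
# denied queue administration.
YARN_POLICY = {
    "allow": [{"users": ["bob"], "accesses": ["submit-app"]}],
    "deny": [{"users": ["bob"], "accesses": ["admin-queue"]}],
}

if __name__ == "__main__":
    for mode in (False, True):
        print("differentiate=%s: bob submit-app allowed = %s"
              % (mode, is_access_allowed(YARN_POLICY, "bob", "submit-app", mode)))
```

With `differentiate=False` the deny of admin-queue swallows submit-app and bob cannot submit at all, which is the reported bug; with the differentiated expansion the deny stays confined to admin-queue.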