Subject: Re: Review Request 65854: RANGER-1999: Ranger policy engine updates to support list-of-values in access resource
From: Madhan Neethiraj
To: Ramesh Mani, Abhay Kulkarni, Don Bosco Durai, Nixon Rodrigues
Cc: ranger, Madhan Neethiraj, Zsombor Gegesy
Date: Mon, 05 Mar 2018 16:18:46 -0000

> On March 5, 2018, 9:57 a.m., Zsombor Gegesy wrote:
> > Instead of using Objects, and casting to Collection or String, why didn't you use either just Collection - and use Collection.singleton(resourceName), or introduce a new 'ResourceMatch' type, with a 'SingleResourceMatch' and an 'AnyOfResourceMatch' subtypes? So later an 'AllOfResourceMatch' could be introduced, if needed. Sure, a better name could be easily picked.
> >
> > Relying on runtime class casts from 'Object' makes the code more fragile - it will be easy to forget later to update the code, because the compiler won't complain.

@Zsombor - having generic 'Object' as the type for access-resource value can enable extensions that can use types other than string/collection. Policy engine framework doesn't need to be restricted on specific types. Only 2 places need to deal with this: resource-matcher and trie-lookup. With this commit, I updated both to deal with string/collection type values. Current framework allows for registration of new type of resource-matcher along with service-def. Not sure if such approach is feasible for trie-lookup - which arranges the policies based on string type resource values; for other resource types, trie can simply return complete policy-list.

- Madhan

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65854/#review198619
-----------------------------------------------------------

On March 1, 2018, 8:41 p.m., Madhan Neethiraj wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/65854/
> -----------------------------------------------------------
>
> (Updated March 1, 2018, 8:41 p.m.)
>
> Review request for ranger, Don Bosco Durai, Abhay Kulkarni, Nixon Rodrigues, and Ramesh Mani.
>
> Bugs: RANGER-1999
>     https://issues.apache.org/jira/browse/RANGER-1999
>
> Repository: ranger
>
> Description
> -------
>
> Updated policy engine module to handle resources with multiple values
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java 2835cddd
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java 2ee616a1
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java 58004862
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java 18bb1f44
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java 9fcefbe0
>   agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java 415263ee
>   agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java acd599a7
>   agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java a7399eed
>   agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java 8183dedb
>   agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java eab9dbc7
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java aad78340
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java f6c1e4d5
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java bcd15779
>   agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java e2c7c270
>   agents-common/src/test/resources/policyengine/test_policyengine_atlas.json PRE-CREATION
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java e4eafc69
>   ranger-tools/src/main/java/org/apache/ranger/policyengine/perftest/v2/RangerPolicyFactory.java 0008808e
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 5b7d0859
>
> Diff: https://reviews.apache.org/r/65854/diff/2/
>
> Testing
> -------
>
> - added unit tests to validate the enhancements
>
> Thanks,
>
> Madhan Neethiraj
>
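
The two designs weighed in this thread, side by side, as an added Java example that is not code from the Ranger patch or from either participant. The type names follow the quoted suggestion; the method names, the any-of semantics for collections, the "no match" result for unsupported types, and the sample values are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.function.Predicate;

public class ResourceValueMatchDemo {
    // Object-typed value, as argued for in the reply: the type is checked at run time.
    // Assumption: null or a type the matcher does not know yields "no match",
    // so an unhandled value type can never satisfy a policy by accident.
    static boolean matchesObject(Object value, Predicate<String> policyValue) {
        if (value instanceof String) {
            return policyValue.test((String) value);
        }
        if (value instanceof Collection) {
            for (Object v : (Collection<?>) value) {
                if (v instanceof String && policyValue.test((String) v)) {
                    return true; // assumed any-of semantics
                }
            }
        }
        return false;
    }

    // Dedicated type, as in the quoted comment: every kind of value must
    // implement matches(), so the compiler flags a kind that forgot to.
    interface ResourceMatch {
        boolean matches(Predicate<String> policyValue);
    }

    static final class SingleResourceMatch implements ResourceMatch {
        private final String value;
        SingleResourceMatch(String value) { this.value = value; }
        public boolean matches(Predicate<String> p) { return value != null && p.test(value); }
    }

    static final class AnyOfResourceMatch implements ResourceMatch {
        private final Collection<String> values;
        AnyOfResourceMatch(Collection<String> values) { this.values = values; }
        public boolean matches(Predicate<String> p) { return values != null && values.stream().anyMatch(p); }
    }

    public static void main(String[] args) {
        Predicate<String> policy = "PII"::equals; // constructed policy value
        Object[] samples = { "PII", Arrays.asList("PUBLIC", "PII"), Arrays.asList("PUBLIC"), 42, null };
        for (Object s : samples) {
            System.out.println(s + " -> " + matchesObject(s, policy));
        }
        System.out.println(new SingleResourceMatch("PII").matches(policy));
        System.out.println(new AnyOfResourceMatch(Arrays.asList("PUBLIC", "PII")).matches(policy));
    }
}
```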