ranger-dev mailing list archives

From Abhay Kulkarni <akulka...@hortonworks.com>
Subject Review Request 66599: RANGER-2066: Hbase column family access is authorized by a tagged column in the column family
Date Fri, 13 Apr 2018 05:36:02 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66599/
-----------------------------------------------------------

Review request for ranger, Madhan Neethiraj and Velmurugan Periasamy.


Bugs: RANGER-2066
    https://issues.apache.org/jira/browse/RANGER-2066


Repository: ranger


Description
-------

SCENARIO:

Table emp has 2 column families: personal_data(name, SSN, age); prof_data(role, manager)
Column emp/prof_data/role is tagged with the OFFICIAL tag.

Create the following policies:
A resource policy allows Read on all tables, all column-families and all columns, and a tag policy
allows Read on the OFFICIAL tag to test_user.

When test_user executes the "scan 'emp'" command, two audit log records are created:
1. Resource: emp/personal_data
Name / Type: column-family
Allowed
Policy allowing: Resource based policy

2. Resource: emp/prof_data
Name / Type: column-family
Allowed
Policy allowing: TAG based policy for OFFICIAL tag

prof_data column-family should be authorized by resource policy.


Diffs
-----

  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java 415d4a499
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultDataMaskPolicyItemEvaluator.java 349ab360b
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java ab4a9d27e
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 956456551
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultRowFilterPolicyItemEvaluator.java cacae5a5b
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java 7a890b8b2
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java e4864031b
  agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json 11f31e317



Diff: https://reviews.apache.org/r/66599/diff/1/


Testing
-------

Developed and passed unit tests.


Thanks,

Abhay Kulkarni
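
The scenario in the message above, as an added example that is not part of the original message and is not Ranger's code: a simplified Python model in which tag policies are evaluated before resource policies. All function and field names are hypothetical, the policy data is constructed from the scenario, and the `include_descendants` switch is an assumed way to contrast the reported audit result with the expected one.

```python
# Simplified model of the RANGER-2066 scenario; names are illustrative, not Ranger's API.
# Constructed sample data: tags keyed by resource path (table/column-family/column).
TAGS = {"emp/prof_data/role": {"OFFICIAL"}}
TAG_POLICIES = [{"tag": "OFFICIAL", "user": "test_user", "access": "read"}]
RESOURCE_POLICIES = [{"resource": "*", "user": "test_user", "access": "read"}]


def tags_for(resource, include_descendants):
    """Return tags attached to the resource itself or to one of its ancestors,
    plus (optionally) tags attached to resources beneath it."""
    found = set()
    for tagged, tags in TAGS.items():
        is_self_or_ancestor = resource == tagged or resource.startswith(tagged + "/")
        is_descendant = tagged.startswith(resource + "/")
        if is_self_or_ancestor or (include_descendants and is_descendant):
            found |= tags
    return found


def authorize(user, access, resource, include_descendants):
    """Evaluate tag policies first, then resource policies; return an audit record."""
    tags = tags_for(resource, include_descendants)
    for p in TAG_POLICIES:
        if p["tag"] in tags and p["user"] == user and p["access"] == access:
            return {"resource": resource, "result": "Allowed", "policy": "tag:" + p["tag"]}
    for p in RESOURCE_POLICIES:
        if p["resource"] in ("*", resource) and p["user"] == user and p["access"] == access:
            return {"resource": resource, "result": "Allowed", "policy": "resource"}
    return {"resource": resource, "result": "Denied", "policy": None}


def scan_audit(include_descendants):
    """Audit records for test_user scanning table emp: one check per column family."""
    return [authorize("test_user", "read", cf, include_descendants)
            for cf in ("emp/personal_data", "emp/prof_data")]


if __name__ == "__main__":
    # Reported: prof_data is attributed to the tag policy via the tagged column role.
    print("reported:", scan_audit(include_descendants=True))
    # Expected: prof_data is attributed to the resource policy.
    print("expected:", scan_audit(include_descendants=False))
```

In this model the tagged column emp/prof_data/role itself is still authorized by the tag policy in both modes; only the attribution for the enclosing column family changes.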

