ranger-dev mailing list archives

From Abhay Kulkarni <akulka...@hortonworks.com>
Subject Re: Review Request 68942: RANGER-2207: Allow resources to appear in column mask policies without being visible in access policies
Date Sat, 06 Oct 2018 13:19:32 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68942/
-----------------------------------------------------------

(Updated Oct. 6, 2018, 1:19 p.m.)


Review request for ranger, Madhan Neethiraj, Nitin Galave, Ramesh Mani, and Velmurugan Periasamy.


Bugs: RANGER-2207
    https://issues.apache.org/jira/browse/RANGER-2207


Repository: ranger


Description (updated)
-------

In the service definition file, a resource cannot be added to the list of dataMaskDef resources
without also declaring it as a resource for access policies. Plugins should have the flexibility
to define a resource for column masking policies only.

For example, a plugin may only allow the creation of access policies at the table level. Currently,
for this plugin to add column masking policies with a 'column' resource, 'column' would also
have to be added to access policies.

This Jira requests the removal of this requirement, or at least the ability to hide the resource
in access policies.

For a resource, if the value of the "mandatory" attribute is set to false and uiHint is set to
"{ \"hideIfNull\": true }", then the GUI will not display the resource (provided its value is null).

The following is a sample service-definition to illustrate the usage. The "column" resource is
specified in the resources section as:
        {
            "description": "Hive Column", "isValidLeaf": true, "itemId": 4, "level": 30, "lookupSupported": true,
            "mandatory": false, "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
            "name": "column", "parent": "table", "type": "string", "uiHint": "{ \"hideIfNull\": true }"
        }

It is specified in the dataMaskDef::resources section as:
        {
            "description": "Hive Column", "isValidLeaf": true, "itemId": 4, "level": 30, "lookupSupported": true,
            "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
            "name": "column", "parent": "table", "type": "string", "uiHint": "{ \"singleValue\":true }"
        }

As a result, the GUI for access policy creation will not display the "column" resource, but the GUI for
masking policy creation will display it, and the user can provide a value for it.

Also note that in the resources section, the "table" resource (parent of "column") is specified as
being a valid leaf resource.
        {
            "description": "Hive Table", "isValidLeaf": true, "itemId": 2, "level": 20, "lookupSupported": true,
            "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
            "name": "table", "parent": "database", "type": "string"
        },

This is required so that the correct set of default policies is created.

Service-definition for a test component follows. This is closely modeled after hive component's
service-definition.

{
    "name": "test",
    "description": "Test ServiceDef for RANGER-2207",
    "isEnabled": true,
    "options": { "enableDenyAndExceptionsInPolicies": "true" },
    "accessTypes": [
        { "itemId": 1, "name": "select", "label": "select" },
        { "itemId": 2, "name": "update", "label": "update" },
        { "itemId": 3, "name": "create", "label": "create" },
        { "itemId": 4, "name": "drop", "label": "drop" },
        { "itemId": 5, "name": "alter", "label": "alter" },
        { "itemId": 6, "name": "index", "label": "index" },
        { "itemId": 7, "name": "lock", "label": "lock" },
        { "impliedGrants": [ "select", "update", "create", "drop", "alter", "index",
                "lock", "read", "write", "repladmin", "serviceadmin" ],
            "itemId": 8, "name": "all", "label": "all" },
        { "itemId": 9, "name": "read", "label": "read" },
        { "itemId": 10, "name": "write", "label": "write" },
        { "itemId": 11, "name": "repladmin", "label": "repladmin" },
        { "itemId": 12, "name": "serviceadmin", "label": "serviceadmin" },
        { "itemId": 13, "name": "tempudfadmin", "label": "tempudfadmin" }
    ],
    "resources": [
        {
            "description": "URL", "isValidLeaf": true, "itemId": 5, "level": 10, "lookupSupported": false,
            "mandatory": true, "matcher": "org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
            "matcherOptions": { "ignoreCase": "false", "wildCard": "true" },
            "name": "url", "recursiveSupported": true, "type": "string"
        },
        {
            "description": "Hive Service", "isValidLeaf": true, "itemId": 6, "level": 10, "lookupSupported": false,
            "mandatory": true, "matcherOptions": { "ignoreCase": "false", "wildCard": "true" },
            "name": "hiveservice", "type": "string"
        },
        {
            "description": "Global", "isValidLeaf": true, "itemId": 7, "level": 10, "lookupSupported": false,
            "mandatory": true, "matcherOptions": { "ignoreCase": "false", "wildCard": "true" },
            "name": "global", "type": "string"
        },
        {
            "description": "Hive Database", "isValidLeaf": false, "itemId": 1, "level": 10, "lookupSupported": true,
            "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
            "name": "database", "type": "string"
        },
        {
            "description": "Hive UDF", "isValidLeaf": true, "itemId": 3, "level": 20, "lookupSupported": true,
            "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
            "name": "udf", "parent": "database", "type": "string"
        },
        {
            "description": "Hive Table", "isValidLeaf": true, "itemId": 2, "level": 20, "lookupSupported": true,
            "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
            "name": "table", "parent": "database", "type": "string"
        },
        {
            "description": "Hive Column", "isValidLeaf": true, "itemId": 4, "level": 30, "lookupSupported": true,
            "mandatory": false, "matcherOptions": { "ignoreCase": "true", "wildCard": "true" },
            "name": "column", "parent": "table", "type": "string", "uiHint": "{ \"hideIfNull\": true }"
        }
    ],
    "dataMaskDef": {
        "resources": [
            {
                "description": "Hive Database", "isValidLeaf": false, "itemId": 1, "level": 10, "lookupSupported": true,
                "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
                "name": "database", "type": "string", "uiHint": "{ \"singleValue\":true }"
            },
            {
                "description": "Hive Table", "isValidLeaf": false, "itemId": 2, "level": 20, "lookupSupported": true,
                "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
                "name": "table", "parent": "database", "type": "string", "uiHint": "{ \"singleValue\":true }"
            },
            {
                "description": "Hive Column", "isValidLeaf": true, "itemId": 4, "level": 30, "lookupSupported": true,
                "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
                "name": "column", "parent": "table", "type": "string", "uiHint": "{ \"singleValue\":true }"
            }
        ],
        "accessTypes": [ { "itemId": 1, "name": "select", "label": "select" } ],
        "maskTypes": [
            { "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'",
              "itemId": 1, "label": "Redact", "name": "MASK", "transformer": "mask({col})" },
            { "description": "Custom", "itemId": 13, "label": "Custom", "name": "CUSTOM" }
        ]
    },
    "rowFilterDef": {
        "resources": [
            {
                "description": "Hive Database", "isValidLeaf": false, "itemId": 1, "level": 10, "lookupSupported": true,
                "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
                "name": "database", "type": "string", "uiHint": "{ \"singleValue\":true }"
            },
            {
                "description": "Hive Table", "isValidLeaf": true, "itemId": 2, "level": 20, "lookupSupported": true,
                "mandatory": true, "matcherOptions": { "ignoreCase": "true", "wildCard": "false" },
                "name": "table", "parent": "database", "type": "string", "uiHint": "{ \"singleValue\":true }"
            }
        ],
        "accessTypes": [ { "itemId": 1, "name": "select", "label": "select" } ]
    },
    "configs": [
        { "itemId": 1, "label": "Username", "mandatory": true, "name": "username", "type": "string", "uiHint": "" },
        { "itemId": 2, "label": "Password", "mandatory": true, "name": "password", "type": "password", "uiHint": "" },
        { "itemId": 3, "mandatory": false, "name": "jdbc.driverClassName", "type": "string", "uiHint": "" },
        { "itemId": 4, "mandatory": false, "name": "jdbc.url", "type": "string", "uiHint": "" },
        { "itemId": 5, "label": "Common Name for Certificate", "mandatory": false, "name": "commonNameForCertificate", "type": "string", "uiHint": "" }
    ]
}


Diffs
-----

  agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java 3cd7876dd
  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java 6cb55c204
  agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefValidator.java 45821e839
  agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java 342b381c7
  agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java f8994a73f
  agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefValidator.java f4e29c7de
  hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/RangerServiceHdfs.java 22ecabf6a
  security-admin/src/main/webapp/scripts/models/BackboneFormDataType.js 1329eb223
  security-admin/src/main/webapp/scripts/utils/XAUtils.js d9366a1a9


Diff: https://reviews.apache.org/r/68942/diff/1/


Testing
-------

Tested with a local VM. Verified that the "column" resource is not displayed when creating an access
policy, and is displayed when creating a data-mask policy. Verified that a default policy is not
created for the database->table->column hierarchy, but is created for the database->table
hierarchy.


Thanks,

Abhay Kulkarni


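An added check, written for this archive page and not part of the review or of Ranger's own code, that lints a service-def for the pattern the description above relies on: a resource that dataMaskDef uses but that is optional and carries a hideIfNull uiHint in the access resources, with a parent marked isValidLeaf so default policies are still created at the parent level. The sample service-def is a constructed cut-down of the one in the request, and the checks are this editor's reading of the description rather than RangerServiceDefValidator's logic.

```python
import json
# Constructed sample, cut down from the review's service-def: "column" is optional and
# hidden in access policies, but mandatory in dataMaskDef.
SERVICE_DEF = {
    "resources": [
        {"name": "database", "isValidLeaf": False, "mandatory": True},
        {"name": "table", "parent": "database", "isValidLeaf": True, "mandatory": True},
        {"name": "column", "parent": "table", "isValidLeaf": True, "mandatory": False,
         "uiHint": "{ \"hideIfNull\": true }"},
    ],
    "dataMaskDef": {"resources": [
        {"name": "database", "isValidLeaf": False, "mandatory": True},
        {"name": "table", "parent": "database", "isValidLeaf": False, "mandatory": True},
        {"name": "column", "parent": "table", "isValidLeaf": True, "mandatory": True},
    ]},
}

def ui_hint(res):
    """uiHint is JSON embedded as a string; treat an empty or malformed hint as {}."""
    try:
        return json.loads(res.get("uiHint") or "{}")
    except ValueError:
        return {}

def hidden_in_access_policies(res):
    """The combination the review describes: optional resource plus a hideIfNull uiHint."""
    return res.get("mandatory", True) is False and ui_hint(res).get("hideIfNull") is True

def mask_only_resources(sdef):
    """Names that masking policies can use but the access-policy UI hides."""
    mask_names = {r["name"] for r in sdef.get("dataMaskDef", {}).get("resources", [])}
    return sorted(r["name"] for r in sdef.get("resources", [])
                  if r["name"] in mask_names and hidden_in_access_policies(r))

def lint_service_def(sdef):
    """Return problems found; an empty list means the service-def passes these checks."""
    access = {r["name"]: r for r in sdef.get("resources", [])}
    mask = {r["name"]: r for r in sdef.get("dataMaskDef", {}).get("resources", [])}
    problems = []
    for name in mask:
        if name not in access:  # still has to be declared, even if hidden
            problems.append(f"dataMaskDef resource '{name}' is not declared in resources")
    for name, res in access.items():
        if not hidden_in_access_policies(res):
            continue
        parent = res.get("parent")
        # Parent must be a valid leaf so default policies are created for database->table
        if parent and not access.get(parent, {}).get("isValidLeaf", False):
            problems.append(f"parent '{parent}' of hidden resource '{name}' must be isValidLeaf")
    return problems
```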