Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RANGER-4670: RANGER-4977: hbase plugin: SELF_AND_ALL_DESCENDANTS Reso… #410

Open
wants to merge 10 commits into
base: master
Choose a base branch
from

Conversation

fateh288
Copy link
Contributor

@fateh288 fateh288 commented Nov 4, 2024

…urceMatchingScope, support shortcircuit column auth

What changes were proposed in this pull request?

RANGER-4977: Introduced a new SELF_AND_ALL_DESCENDANTS ResourceMatchingScope which is now used for column family authorization which fixes bug in scan operation wherein a denied column was also being returned in the scan operation.

RANGER-4670: A property/flag can be set via hbase service configs wherein during column level authorization, it can be used to determine if an authorization at column family can be used to determine if column authorization can be shortcircuited as an optimization (there will be audit behavior changes in this case). This is useful for improving performance especially for multiget and multiput workloads wherein thousands of columns can come in the authorization request and just checking column family level access can improve performance drastically

How was this patch tested?

New unit test cases have been added for the policy engine for the new ResourceMatchingScope of SELF_AND_ALL_DESCENDANTS.
New test cases have also been added for hbase. The test cases cover the scan operation bug and also covers new unit test cases for testing correctness of column authorization shortcircuiting. These test cases do not work on master branch (because they are ignored using junit ignore annotation) currently https://issues.apache.org/jira/browse/RANGER-4686 but I have verified that they work on my private fork.

…urceMatchingScope, support shortcircuit column auth
break;
}
}
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

when scope is null, shouldn't the return be true if matchType is SELF or SELF_AND_ALL_DESCENDANTS?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

scope!=null always as per current implementation of RangerAccessRequestImpl .
private ResourceMatchingScope resourceMatchingScope = ResourceMatchingScope.SELF;
The default value is always SELF. But I see it can be somehow null if interface is implemented differently (I think we should prevent this)
Can there (or is there currently ) be a use case of null ResourceMatchingScope ?
However, I think a check for not null would be required for current refactoring logic as we cannot have null in switch case and we should return isMatched=False in this case unless there is an explicit use case for the same
(if ResourceMatchingScope is null then I think isMatched should be false as matchType seems irrelevant).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@fateh288 - the regression in handling scope==null should be addressed in this PR.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I identified the issue is in test cases defined in test_policyengine_resource_with_req_expressions.json
The ResourceMatchingScope defined in these test cases is SELF_OR_CHILD which is not a valid value in the ResourceMatchingScope enum and results in null scope.

I tried changing ResourceMatchingScope to SELF here and all the test cases pass here. Do you suggest doing this ? Or should we add SELF_OR_CHILD as a valid ResourceMatchingScope ?

Yes, I can handle null as a scope or prevent regressions, but ideally it should be an invalid scenario if implemented correctly.

break;
}
case SELF_AND_ALL_DESCENDANTS: {
ret = matchType != RangerPolicyResourceMatcher.MatchType.NONE;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't matchType be SELF_AND_ALL_DESCENDENTS here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

matchType=DESCENDANT is the scenario we are also interested in.
if policy resource is (t1,cf1,c1) and accessed resource is (t1,cf1) then matchType is DESCENDANT which is what we want to match as it is a valid policy to evaluate for this case.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@fateh288 - case blocks for SELF_OR_DESCENDANTS and SELF_AND_ALL_DESCENDANTS are the same, which doesn't look correct. Can you review?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, 'case' blocks for both SELF_OR_DESCENDANTS and SELF_AND_ALL_DESCENDANTS would be the same.

ResourceMatchingScope=SELF_OR_DESCENDANTS will result in isMatched = true for all cases of matchType in {SELF, DESCENDANT, ANCESTOR, SELF_AND_ALL_DESCENDANTS} --- I am not sure here if matchType is Ancestor then why isMatched=true makes sense.
For ResourceMatchingScope=SELF_OR_DESCENDANTS, I tried changing
ret = matchType == RangerPolicyResourceMatcher.MatchType.SELF || matchType == RangerPolicyResourceMatcher.MatchType.SELF_AND_ALL_DESCENDANTS || matchType == RangerPolicyResourceMatcher.MatchType.DESCENDANT;

After this change, agents-common test cases pass successfully even after I change it to above (do you suggest changing it to this ?).

The same works for SELF_AND_ALL_DESCENDANTS too.

In the current implementation, the difference between SELF_OR_DESCENDANTS and SELF_AND_ALL_DESCENDANTS comes in implementation of updateAccessResult()

if (matchType != RangerPolicyResourceMatcher.MatchType.DESCENDANT ||

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mneethiraj @kulkabhay
Any ideas on how to proceed?
I have resolved the merge conflicts.
Essentially with SELF_AND_ALL_DESCENDANTS we want same behavior as SELF_OR_DESCENDANTS but the special case for matchType!=DESCENDANTS needs to be bypassed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants