[
https://issues.apache.org/jira/browse/HIVE-23433?focusedWorklogId=435008&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-435008
]
ASF GitHub Bot logged work on HIVE-23433:
-----------------------------------------
Author: ASF GitHub Bot
Created on: 19/May/20 15:21
Start Date: 19/May/20 15:21
Worklog Time Spent: 10m
Work Description: pkumarsinha commented on a change in pull request #1016:
URL: https://github.com/apache/hive/pull/1016#discussion_r427387561
##########
File path:
ql/src/java/org/apache/hadoop/hive/ql/exec/repl/ranger/RangerRestClientImpl.java
##########
@@ -349,6 +349,70 @@ public boolean checkConnection(String url) {
return (clientResp.getStatus() < HttpServletResponse.SC_UNAUTHORIZED);
}
+ @Override
+ public List<RangerPolicy> addDenyPolicies(List<RangerPolicy> rangerPolicies,
String rangerServiceName,
+ String sourceDb, String targetDb)
throws SemanticException {
+ if (StringUtils.isEmpty(rangerServiceName)) {
+ throw new SemanticException("Ranger Service Name cannot be empty");
+ }
+ RangerPolicy denyRangerPolicy = new RangerPolicy();
+ denyRangerPolicy.setService(rangerServiceName);
+ denyRangerPolicy.setName(sourceDb + "_replication deny policy for " +
targetDb);
+ Map<String, RangerPolicy.RangerPolicyResource> rangerPolicyResourceMap =
new HashMap<String,
+ RangerPolicy.RangerPolicyResource>();
+ RangerPolicy.RangerPolicyResource rangerPolicyResource = new
RangerPolicy.RangerPolicyResource();
+ List<String> resourceNameList = new ArrayList<String>();
+
+ List<RangerPolicy.RangerPolicyItem> denyPolicyItemsForPublicGroup =
denyRangerPolicy.getDenyPolicyItems();
+ RangerPolicy.RangerPolicyItem denyPolicyItem = new
RangerPolicy.RangerPolicyItem();
+ List<RangerPolicy.RangerPolicyItemAccess> denyPolicyItemAccesses = new
ArrayList<RangerPolicy.
+ RangerPolicyItemAccess>();
+
+ List<RangerPolicy.RangerPolicyItem> denyExceptionsItemsForBeaconUser =
denyRangerPolicy.getDenyExceptions();
+ RangerPolicy.RangerPolicyItem denyExceptionsPolicyItem = new
RangerPolicy.RangerPolicyItem();
+ List<RangerPolicy.RangerPolicyItemAccess> denyExceptionsPolicyItemAccesses
= new ArrayList<RangerPolicy.
+ RangerPolicyItemAccess>();
+
+ resourceNameList.add(sourceDb);
+ rangerPolicyResource.setValues(resourceNameList);
+ RangerPolicy.RangerPolicyResource rangerPolicyResourceColumn =new
RangerPolicy.RangerPolicyResource();
+ rangerPolicyResourceColumn.setValues(new ArrayList<String>(){{add("*");
}});
+ RangerPolicy.RangerPolicyResource rangerPolicyResourceTable =new
RangerPolicy.RangerPolicyResource();
+ rangerPolicyResourceTable.setValues(new ArrayList<String>(){{add("*"); }});
+ rangerPolicyResourceMap.put("database", rangerPolicyResource);
+ rangerPolicyResourceMap.put("table", rangerPolicyResourceTable);
+ rangerPolicyResourceMap.put("column", rangerPolicyResourceColumn);
+ denyRangerPolicy.setResources(rangerPolicyResourceMap);
+
+ List<String> accessTypes = new ArrayList<>();
+ accessTypes.addAll(Arrays.asList("create", "update", "drop", "alter",
"index", "lock", "write", "ReplAdmin"));
+ for (String access : accessTypes) {
+ denyPolicyItemAccesses.add(new
RangerPolicy.RangerPolicyItemAccess(access, true));
+ }
+ denyPolicyItem.setAccesses(denyPolicyItemAccesses);
+ denyPolicyItemsForPublicGroup.add(denyPolicyItem);
+ List<String> denyPolicyItemsGroups = new ArrayList<String>();
+ denyPolicyItemsGroups.add("public");
+ denyPolicyItem.setGroups(denyPolicyItemsGroups);
+ denyRangerPolicy.setDenyPolicyItems(denyPolicyItemsForPublicGroup);
+
+ List<String> denyExcludeAccessTypes = new ArrayList<>();
+ denyExcludeAccessTypes.addAll(Arrays.asList("create", "update", "drop",
"alter", "index", "lock", "write",
+ "ReplAdmin", "select", "read"));
+ for (String access : denyExcludeAccessTypes) {
+ denyExceptionsPolicyItemAccesses.add(new
RangerPolicy.RangerPolicyItemAccess(access, true));
+ }
+ denyExceptionsPolicyItem.setAccesses(denyExceptionsPolicyItemAccesses);
+ denyExceptionsItemsForBeaconUser.add(denyExceptionsPolicyItem);
+ List<String> denyExceptionsPolicyItemsUsers = new ArrayList<String>();
+ denyExceptionsPolicyItemsUsers.add("hive");
Review comment:
Shouldn't it be hive service user and obtained from conf?
##########
File path:
ql/src/java/org/apache/hadoop/hive/ql/exec/repl/ranger/RangerRestClientImpl.java
##########
@@ -349,6 +349,70 @@ public boolean checkConnection(String url) {
return (clientResp.getStatus() < HttpServletResponse.SC_UNAUTHORIZED);
}
+ @Override
+ public List<RangerPolicy> addDenyPolicies(List<RangerPolicy> rangerPolicies,
String rangerServiceName,
+ String sourceDb, String targetDb)
throws SemanticException {
+ if (StringUtils.isEmpty(rangerServiceName)) {
+ throw new SemanticException("Ranger Service Name cannot be empty");
+ }
+ RangerPolicy denyRangerPolicy = new RangerPolicy();
+ denyRangerPolicy.setService(rangerServiceName);
+ denyRangerPolicy.setName(sourceDb + "_replication deny policy for " +
targetDb);
+ Map<String, RangerPolicy.RangerPolicyResource> rangerPolicyResourceMap =
new HashMap<String,
+ RangerPolicy.RangerPolicyResource>();
+ RangerPolicy.RangerPolicyResource rangerPolicyResource = new
RangerPolicy.RangerPolicyResource();
+ List<String> resourceNameList = new ArrayList<String>();
+
+ List<RangerPolicy.RangerPolicyItem> denyPolicyItemsForPublicGroup =
denyRangerPolicy.getDenyPolicyItems();
+ RangerPolicy.RangerPolicyItem denyPolicyItem = new
RangerPolicy.RangerPolicyItem();
+ List<RangerPolicy.RangerPolicyItemAccess> denyPolicyItemAccesses = new
ArrayList<RangerPolicy.
+ RangerPolicyItemAccess>();
+
+ List<RangerPolicy.RangerPolicyItem> denyExceptionsItemsForBeaconUser =
denyRangerPolicy.getDenyExceptions();
+ RangerPolicy.RangerPolicyItem denyExceptionsPolicyItem = new
RangerPolicy.RangerPolicyItem();
+ List<RangerPolicy.RangerPolicyItemAccess> denyExceptionsPolicyItemAccesses
= new ArrayList<RangerPolicy.
+ RangerPolicyItemAccess>();
+
+ resourceNameList.add(sourceDb);
+ rangerPolicyResource.setValues(resourceNameList);
+ RangerPolicy.RangerPolicyResource rangerPolicyResourceColumn =new
RangerPolicy.RangerPolicyResource();
+ rangerPolicyResourceColumn.setValues(new ArrayList<String>(){{add("*");
}});
+ RangerPolicy.RangerPolicyResource rangerPolicyResourceTable =new
RangerPolicy.RangerPolicyResource();
+ rangerPolicyResourceTable.setValues(new ArrayList<String>(){{add("*"); }});
+ rangerPolicyResourceMap.put("database", rangerPolicyResource);
+ rangerPolicyResourceMap.put("table", rangerPolicyResourceTable);
+ rangerPolicyResourceMap.put("column", rangerPolicyResourceColumn);
+ denyRangerPolicy.setResources(rangerPolicyResourceMap);
+
+ List<String> accessTypes = new ArrayList<>();
+ accessTypes.addAll(Arrays.asList("create", "update", "drop", "alter",
"index", "lock", "write", "ReplAdmin"));
Review comment:
Don't need to do addAll. You can directly use List<String> accessTypes =
Arrays.asList
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Issue Time Tracking
-------------------
Worklog Id: (was: 435008)
Time Spent: 40m (was: 0.5h)
> Add Deny Policy on Target Database After Ranger Replication to avoid writes
> ---------------------------------------------------------------------------
>
> Key: HIVE-23433
> URL: https://issues.apache.org/jira/browse/HIVE-23433
> Project: Hive
> Issue Type: Task
> Reporter: Aasha Medhi
> Assignee: Aasha Medhi
> Priority: Major
> Labels: pull-request-available
> Attachments: HIVE-23433.01.patch, HIVE-23433.02.patch,
> HIVE-23433.03.patch, HIVE-23433.04.patch, HIVE-23433.05.patch,
> HIVE-23433.06.patch, HIVE-23433.07.patch
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
