This is an automated email from the ASF dual-hosted git repository. abhi pushed a commit to branch ranger_5353 in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 4400c809adc18620f4f127e7ce880494b4bc061e Author: Abhishek Kumar <[email protected]> AuthorDate: Wed Jan 14 17:17:15 2026 -0800 RANGER-5355: Add content under Project tab --- mkdocs/docs/project/contributing.md | 44 +++- mkdocs/docs/project/cve-list.md | 178 ++++++++++++++ mkdocs/docs/project/java-code-style.md | 119 +++++++++ mkdocs/docs/project/release-process.md | 433 +++++++++++++++++++++++++++++++-- 4 files changed, 755 insertions(+), 19 deletions(-) diff --git a/mkdocs/docs/project/contributing.md b/mkdocs/docs/project/contributing.md index bb6c480df..41bb5e930 100644 --- a/mkdocs/docs/project/contributing.md +++ b/mkdocs/docs/project/contributing.md 
@@ -17,5 +17,47 @@ title: "Contribute" - See the License for the specific language governing permissions and - limitations under the License. --> - +[ranger-prs]: https://github.com/apache/ranger/pulls +[github-pr-docs]: https://help.github.com/articles/about-pull-requests/ +[Jira Issue]: https://issues.apache.org/jira/browse/RANGER +[Review Board]: https://reviews.apache.org/ +[Slack]: https://the-asf.slack.com/archives/C4SC5NXAA +[Dev List]: mailto:[email protected] # Contributing + +In this page, you will find some guidelines on contributing to Apache Ranger. + +If you are thinking of contributing but first would like to discuss the change you wish to make, we welcome you to +raise a [Jira Issue]. You can also subscribe to the [Dev List] and join us on [Slack] +to connect with the community. + +The Ranger Project is hosted on GitHub at <https://github.com/apache/ranger>. + +## Pull Request <small>recommended</small> + +The Ranger community prefers to receive contributions as [Github pull requests][github-pr-docs]. + +[View open pull requests][ranger-prs] + +When you are ready to submit your pull request, please keep the following in mind: + +* PRs should be associated with a [Jira Issue] +* PRs should include a clear and descriptive title and summary of the change +* Please ensure that your code adheres to the existing coding style +* Please ensure that your code is well tested +* Please ensure that your code is well documented + + +## Review Board <small>legacy</small> + +The [Review Board] may be used for Ranger code reviews as well. + +To submit a patch for review, please follow these steps: + +- Create a [Jira Issue] for the change you wish to make. +- Create a patch file using `git format-patch` or `git diff > my_patch.patch`. +- Upload the patch to [Review Board] and associate it with the Jira issue you created earlier. +- Request a review from the Ranger committers. +- Address any feedback you receive and update the patch as necessary. 
+- Once your patch has been approved, a committer will merge it into the main codebase. +- Close the associated Jira issue. diff --git a/mkdocs/docs/project/cve-list.md b/mkdocs/docs/project/cve-list.md index df87d728a..0833f3078 100644 --- a/mkdocs/docs/project/cve-list.md +++ b/mkdocs/docs/project/cve-list.md 
@@ -20,3 +20,181 @@ title: "Vulnerabilities Found in Apache Ranger" ## Introduction This page contains a list of security vulnerabilities that have been found in Apache Ranger. For each vulnerability, the following information is provided: + +### Fixed in Ranger [2.6.0](../release-notes/2.6.0.md) + +| CVE-2024-55532 | Improper Neutralization of Formula Elements in a CSV File in Export to CSV feature of Apache Ranger | +|-------------------|----------------------------------------------------------------------------------------------------| +| Severity | Low | +| Vendor | The Apache Software Foundation | +| Versions Affected | Apache Ranger versions prior to `2.6.0` | +| Users affected | All users of ranger policy admin tool | +| Description | Improper Neutralization issue in Export to CSV functionality | +| Fix detail | Added logic to properly sanitize the exported content | +| Mitigation | Users should upgrade to `2.6.0` or later version of Apache Ranger with the fix | +| Credit | 김도균 ([email protected]) | + +### Fixed in Ranger [2.5.0](../release-notes/2.5.0.md) +| CVE-2024-45478 | Stored XSS vulnerability in Edit Service Page of Apache Ranger UI | +|-------------------|----------------------------------------------------------------------------------------------| +| Severity | Moderate | +| Vendor | The Apache Software Foundation | +| Versions Affected | Apache Ranger versions prior to `2.5.0` | +| Users affected | All users of ranger policy admin tool UI | +| Description | Apache Ranger was found to be vulnerable to a Stored XSS issue in Edit Service functionality | +| Fix detail | Added logic to validate the user input | +| Mitigation | Users should upgrade to `2.5.0` or later version of Apache Ranger with the fix | +| Credit | Gyujin | + +| CVE-2024-45479 | SSRF vulnerability in Edit Service Page of Apache Ranger UI | +|-------------------|----------------------------------------------------------------------------------------------| +| Severity | Moderate | 
+| Vendor | The Apache Software Foundation | +| Versions Affected | Apache Ranger versions prior to `2.5.0` | +| Users affected | All users of ranger policy admin tool UI | +| Description | Apache Ranger was found to be vulnerable to a SSRF issue in Edit Service functionality | +| Fix detail | Added logic to validate the user input | +| Mitigation | Users should upgrade to `2.5.0` or later version of Apache Ranger with the fix | +| Credit | Gyujin | + +### Fixed in Ranger 2.0.0 +| CVE-2019-12397 | Apache Ranger cross site scripting issue | +|-------------------|---------------------------------------------------------------------------------------------------| +| Vendor | The Apache Software Foundation | +| Versions Affected | `0.7.0` to `1.2.0` versions of Apache Ranger, prior to `2.0.0` | +| Users affected | All users of ranger policy admin tool | +| Description | Apache Ranger was found to be vulnerable to a Cross-Site Scripting in policy import functionality | +| Fix detail | Added logic to sanitize the user input | +| Mitigation | Users should upgrade to `2.0.0` or later version of Apache Ranger with the fix | +| Credit | Jan Kaszycki from STM Solutions | + +### Fixed in Ranger 1.2.0 +| CVE-2018-11778 | Apache Ranger Stack based buffer overflow | +|-------------------|----------------------------------------------------------------------------------------------------------------| +| Severity | Critical | +| Vendor | The Apache Software Foundation | +| Versions Affected | Apache Ranger versions prior to `1.2.0` | +| Users affected | Unix Authentication Service users | +| Description | Apache Ranger UnixAuthenticationService should properly handle user input to avoid Stack-based buffer overflow | +| Fix detail | UnixAuthenticationService was updated to correctly handle user input | +| Mitigation | Users should upgrade to `1.2.0` or later version of Apache Ranger with the fix | +| Credit | Alexander Klink | + +### Fixed in Ranger 0.7.1 +| CVE-2017-7676 | Apache 
Ranger policy evaluation ignores characters after ‘*’ wildcard character | +|-------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Severity | Critical | +| Vendor | The Apache Software Foundation | +| Versions Affected | `0.6.x`/`0.7.0` versions of Apache Ranger | +| Users affected | Environments that use Ranger policies with characters after \‘\*\’ wildcard character – like my\*test, test\*.txt | +| Description | Policy resource matcher effectively ignores characters after \‘\*\’ wildcard character. This can result in affected policies to apply to resources where they should not be applied | +| Fix detail | Ranger policy resource matcher was updated to correctly handle wildcard matches. | +| Mitigation | Users should upgrade to `0.7.1` or later version of Apache Ranger with the fix | + +| CVE-2017-7677 | Apache Ranger Hive Authorizer should check for RWX permission when external location is specified | +|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Severity | Critical | +| Vendor | The Apache Software Foundation | +| Versions Affected | `0.5.x`/`0.6.x`/`0.7.0` versions of Apache Ranger | +| Users affected | Environments that use external location for hive tables | +| Description | Without Ranger Hive Authorizer checking RWX permission when external location is specified, there is a possibility that right permissions are not required to create the table | +| Fix detail | Ranger Hive Authorizer was updated to correctly handle permission check with external location | +| Mitigation | Users should upgrade to `0.7.1` or later version of Apache Ranger with the fix | + +### Fixed in Ranger 0.6.3 +| CVE-2016-8746 | Apache Ranger path matching issue in policy evaluation 
| +|-------------------|------------------------------------------------------------------------------------------------------------------------------------------------| +| Severity | Normal | +| Vendor | The Apache Software Foundation | +| Versions Affected | `0.6.0`/`0.6.1`/`0.6.2` versions of Apache Ranger | +| Users affected | All users of ranger policy admin tool | +| Description | Ranger policy engine incorrectly matches paths in certain conditions when policy does not contain wildcards and has recursion flag set to true | +| Fix detail | Fixed policy evaluation logic | +| Mitigation | Users should upgrade to `0.6.3` or later version of Apache Ranger with the fix | + +| CVE-2016-8751 | Apache Ranger stored cross site scripting issue | +|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Severity | Normal | +| Vendor | The Apache Software Foundation | +| Versions Affected | `0.5.x` and `0.6.0`/`0.6.1`/`0.6.2` versions of Apache Ranger | +| Users affected | All users of ranger policy admin tool | +| Description | Apache Ranger was found to be vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. 
Admin users can store some arbitrary javascript code to be executed when normal users login and access policies | +| Fix detail | Added logic to sanitize the user input | +| Mitigation | Users should upgrade to `0.6.3` or later version of Apache Ranger with the fix | + +### Fixed in Ranger 0.6.2 +| CVE-2016-6815 | Apache Ranger user privilege vulnerability | +|-------------------|-------------------------------------------------------------------------------------------------| +| Severity | Normal | +| Vendor | The Apache Software Foundation | +| Versions Affected | All `0.5.x` versions or `0.6.0`/`0.6.1` versions of Apache Ranger | +| Users affected | All users of ranger policy admin tool | +| Description | Users with "keyadmin" role should not be allowed to change password for users with `admin` role | +| Fix detail | Added logic to validate the user privilege in the backend | +| Mitigation | Users should upgrade to `0.6.2` or later version of Apache Ranger with the fix | + +### Fixed in Ranger 0.6.1 +| CVE-2016-5395 | Apache Ranger Stored Cross Site Scripting vulnerability | +|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Severity | Normal | +| Vendor | The Apache Software Foundation | +| Versions Affected | All `0.5.x` versions of Apache Ranger and version `0.6.0` | +| Users affected | All users of ranger policy admin tool | +| Description | Apache Ranger was found to be vulnerable to a Stored Cross-Site Scripting in the create user functionality. 
Admin users can store some arbitrary javascript code to be executed when normal users login and access policies | +| Fix detail | Added logic to sanitize the user input | +| Mitigation | Users should upgrade to `0.6.1` or later version of Apache Ranger with the fix | +| Credit | Thanks to Victor Hora from Securus Global for reporting this issue | + +### Fixed in Ranger 0.5.3 +| CVE-2016-2174 | Apache Ranger sql injection vulnerability | +|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Severity | Normal | +| Vendor | The Apache Software Foundation | +| Versions Affected | All versions of Apache Ranger from `0.5.0` (up to `0.5.3`) | +| Users affected | All admin users of ranger policy admin tool | +| Description | SQL Injection vulnerability in Audit > Access tab. When the user clicks an element from `policyId` row of the list, there is a call made underneath with eventTime parameter which contains the vulnerability. 
Admin users can send some arbitrary sql code to be executed along with eventTime parameter using `/service/plugins/policies/eventTime url` | +| Fix detail | Replaced native queries with JPA named queries | +| Mitigation | Users should upgrade to `0.5.3` version of Apache Ranger with the fix | +| Credit | Thanks to Mateusz Olejarka from SecuRing for reporting this issue | + +### Fixed in Ranger 0.5.1 +| CVE-2015-5167 | Restrict REST API data access for non-admin users | +|-------------------|-------------------------------------------------------------------------------------------------------------------------------------| +| Severity | Important | +| Vendor | The Apache Software Foundation | +| Versions Affected | `0.4.0` and `0.5.0` version of Apache Ranger | +| Users affected | All users of ranger policy admin tool | +| Description | Data access restrictions via REST API are not consistent with restrictions in policy admin UI | +| Mitigation | Users should upgrade to Ranger `0.5.1` version | + +| CVE-2016-0733 | Ranger Admin authentication issue | +|-------------------|------------------------------------------------------------------------------------------------------------| +| Severity | Important | +| Vendor | The Apache Software Foundation | +| Versions Affected | `0.4.0` and `0.5.0` version of Apache Ranger | +| Users affected | All users of ranger policy admin tool | +| Description | Malicious Users can gain access to ranger admin UI without proper authentication | +| Mitigation | Users should upgrade to Ranger `0.5.1` version | + +### Fixed in Ranger 0.5.0 +| CVE-2015-0265 | Apache Ranger code injection vulnerability | +|-------------------|------------------------------------------------------------------------------------------------------------| +| Severity | Important | +| Vendor | The Apache Software Foundation | +| Versions Affected | `0.4.0` version of Apache Ranger | +| Users affected | All admin users of ranger policy admin tool | +| Description 
| Unauthorized users can send some javascript code to be executed in ranger policy admin tool admin sessions | +| Fix detail | Added logic to sanitize the user input | +| Mitigation | Users should upgrade to `0.5.0+` version of Apache Ranger with the fix | +| Credit | Thanks to Jakub Kałużny from SecuRing for reporting this issue | + +| CVE-2015-0266 | Apache Ranger direct url access vulnerability | +|-------------------|------------------------------------------------------------------------------------------------------------| +| Severity | Important | +| Vendor | The Apache Software Foundation | +| Versions Affected | `0.4.0` version of Apache Ranger | +| Users affected | All users of ranger policy admin tool | +| Description | Regular users can type in the URL of modules that are accessible only to admin users | +| Fix detail | Added logic in the backend to verify user access | +| Mitigation | Users should upgrade to `0.5.0+` version of Apache Ranger with the fix | +| Credit | Thanks to Jakub Kałużny from SecuRing for reporting this issue | diff --git a/mkdocs/docs/project/java-code-style.md b/mkdocs/docs/project/java-code-style.md index 417783def..915286f4c 100644 --- a/mkdocs/docs/project/java-code-style.md +++ b/mkdocs/docs/project/java-code-style.md 
@@ -19,3 +19,122 @@ title: "Java Style Guide" --> # Java Code Style Guide +Every major open-source project has its own style guide: a set of conventions (sometimes arbitrary) about how to write code for that project. It is much easier to understand a large codebase when all the code in it is in a consistent style. + +"Style" covers a lot of ground, from "use camelCase for variable names" to "never use global variables" to "never use exceptions". + +Ranger also contains checkstyle rules in [dev-support/checkstyle.xml](https://github.com/apache/ranger/blob/master/dev-support/checkstyle.xml), and a maven plugin associated with it - `maven-checkstyle-plugin` to assist with style guide compliance. There are other code style guidelines which the rules do not capture but are recommended to follow. Below is a list of rules which were followed as part of implementing [RANGER-5017](https://issues.apache.org/jira/browse/RANGER-5017). + +## Source File Structure +A source file consists of, **in order**: + +- Apache License +- Package statement +- Import statements +- Exactly one top-level class + +**Exactly one blank line** separates each section that is present. + +## Import Statements + +### No wildcard imports +**Wildcard imports**, static or otherwise, **are not used**. + +### No line-wrapping +Import statements are **not line-wrapped**. + +### Ordering and Spacing +Imports are ordered as follows: + +- All non-static imports in a single block. +- All static imports in a single block. + +If there are both static and non-static imports, a single blank line separates the two blocks. There are no other blank lines between import statements. + +Within each block the imported names appear in ASCII sort order. + +## Class Declaration + +### Exactly one top-level class declaration +Each top-level class resides in a source file of its own. + +### Ordering of class contents + +- Loggers if present are always at the top. 
+- Static members are in a single block followed by non-static members. +- Final members come before non-final members. +- The order of access modifiers is: `public protected private default` + +## Formatting + +### Use of Braces +Braces are used with `if, else, for, do` and `while` statements, even when the body is empty or contains only a single statement. + +### Nonempty blocks: K & R style +Braces follow the `Kernighan and Ritchie` style ([Egyptian brackets](https://blog.codinghorror.com/new-programming-jargon/#3)) for nonempty blocks and block-like constructs: + +- No line break before the opening brace, except as detailed below. +- Line break after the opening brace. +- No empty line after the opening brace. +- Line break before the closing brace. +- Line break after the closing brace, *only* if that brace terminates a statement or terminates the body of a method, constructor, or named class. For example, there is *no* line break after the brace if it is followed by `else` or a comma. + +### Column Limit: Set to 512 +### Whitespace +#### Vertical Whitespace +A single blank line may also appear anywhere it improves readability, for example between statements to organize the code into logical subsections. + +*Multiple* consecutive blank lines are **NOT** permitted. + +#### Horizontal Alignment: Recommended (not enforced) +```java title="Horizontal Alignment" +private int x = 5; // this is fine +private String color = blue; // this too + +private int x = 5; // permitted, but future edits +private String color = "blue"; // may leave it unaligned +``` + +## Naming + +### Package Names +Package names use only lowercase letters and digits (no underscores). Consecutive words are simply concatenated together. For example: org.apache.ranger.rangerdb, **not** org.apache.ranger.rangerDb **or** org.apache.ranger.ranger_db + +### Class Names +Class names are written in [UpperCamelCase](https://google.github.io/styleguide/javaguide.html#s5.3-camel-case). 
+ +### Method Names +Method names are written in [lowerCamelCase](https://google.github.io/styleguide/javaguide.html#s5.3-camel-case). + +### Constant Names +Constant names use UPPER_SNAKE_CASE : all uppercase letters, with each word separated from the next by a single underscore. + +## Programming Practices +### String Concatenation + +**NOT** allowed in log statements. + +*Exceptions*: allowed in `Exception/System.out.println` statements. for ex: + +```java +// allowed +LOG.debug("revokeAccess as user {}", user); +LOG.error("Failed to get response, Error is : {}", e.getMessage()); +// not allowed +LOG.debug("revokeAccess as user " + user); +LOG.error("Failed to get response, Error is : " + e.getMessage()); +// allowed +throw new Exception("HTTP " + response.getStatus() + " Error: " + resp.getMessage()); +// allowed +System.out.println("Unknown callback [" + cb.getClass().getName() + "]"); +``` +### logger.isDebugEnabled() +logger.debug statements may be preceded by isDebugEnabled() only if debug statements involve heavy operations, for ex: + +```java +if (LOG.isDebugEnabled()) { + LOG.debug("User found from principal [{}] => user:[{}], groups:[{}]", user.getName(), userName, StringUtil.toString(groups)); +} +``` + +### Use IntelliJ suggestions - highly recommended diff --git a/mkdocs/docs/project/release-process.md b/mkdocs/docs/project/release-process.md index f1a796741..a539c0a6a 100644 --- a/mkdocs/docs/project/release-process.md +++ b/mkdocs/docs/project/release-process.md 
@@ -1,18 +1,415 @@ -<!--- - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---> - -# Release Process +--- +title: "Ranger Release Guidelines" +--- +<!-- + - Licensed to the Apache Software Foundation (ASF) under one or more + - contributor license agreements. See the NOTICE file distributed with + - this work for additional information regarding copyright ownership. + - The ASF licenses this file to You under the Apache License, Version 2.0 + - (the "License"); you may not use this file except in compliance with + - the License. You may obtain a copy of the License at + - + - http://www.apache.org/licenses/LICENSE-2.0 + - + - Unless required by applicable law or agreed to in writing, software + - distributed under the License is distributed on an "AS IS" BASIS, + - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + - See the License for the specific language governing permissions and + - limitations under the License. + --> + +[keys]: https://dist.apache.org/repos/dist/release/ranger/KEYS +[DockerHub]: https://hub.docker.com/r/apache/ranger +## Introduction + +This page walks you through the release process of the Ranger project. 
[Here](https://www.apache.org/legal/release-policy.html) you can read about the release process in general for an Apache project. + +Decisions about releases are made by three groups: + +* Release Manager: Does the work of creating the release, signing it, counting votes, announcing the release and so on. +* The Community: Performs the discussion of whether it is the right time to create a release and what that release should contain. The community can also cast non-binding votes on the release. +* PMC: Gives binding votes on the release. + +This page describes the procedures that the release manager and voting PMC members take during the release process. + +### Prerequisite +The release manager should have a gpg key setup to sign the artifacts. For more details, please [see](https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys) + +#### Setup for first time release managers + +```bash title="Generate OpenPPG Key" +# create a key +gpg --gen-key + +# If you have multiple keys present, select the key id you want to use, let's say it is - your_gpg_key_id then do: +export CODESIGNINGKEY=your_gpg_key_id + +gpg --list-keys ${CODESIGNINGKEY} + +# to upload the key to a key server +gpg --keyserver hkp://keyserver.ubuntu.com --send-key ${CODESIGNINGKEY} +``` + +#### Publish your key +The key is supposed to be published together with the release. If it doesn't exist already, append it to the end of [keys] file. + +```bash title="Publish Key (PMC)" +svn co https://dist.apache.org/repos/dist/release/ranger +cd ranger +gpg --list-sigs $CODESIGNINGKEY >> KEYS +gpg --armor --export $CODESIGNINGKEY >> KEYS + +svn commit -m "Adding key of XXXX to the KEYS" +``` + +!!! note + + In case you are a Committer and not a PMC member, you can add your key to the dev `KEYS` file and a PMC member can move it to the final destination. 
+ +```bash title="Publish Key (Committer)" +svn co https://dist.apache.org/repos/dist/dev/ranger +cd ranger +gpg --list-sigs $CODESIGNINGKEY >> KEYS +gpg --armor --export $CODESIGNINGKEY >> KEYS +svn commit -m "Adding key of XXXX to the KEYS" +``` + +## Pre-Vote + +#### Create a parent Jira for the release +This provides visibility into the progress of the release for the community. Tasks mentioned in this guide like changing snapshot versions, updating the Ranger website, publishing the artifacts, publishing the docker image, etc can be added as subtasks. Here is an example: [RANGER-5098](https://issues.apache.org/jira/browse/RANGER-5098) + +#### Notify the community in advance of the release +The below details should be included when sending out an email to: `[email protected]` + +* The release branch to be used for the release. +* The release branch lockdown date, the branch will be closed for commits after this date. Commits after this date will require approval from PMC Members. +* Tentative date for the availability of release-candidate #0, after which voting begins. A minimum of 72 hours needs to pass before the voting can close. +* Tentative release date. +#### Branching +A release branch should already be available as a post-release activity from the previous release. All release related changes will go to this branch until the release is complete. + +* Ensure that there is no `OPEN` Jira associated with the release. + +#### Update the versions +```bash title="Update Versions" +# Use below command or use IDE to replace "${RANGER_VERSION}-SNAPSHOT" with "${RANGER_VERSION}". 
+export RANGER_VERSION="2.7.0" + +mvn versions:set -DnewVersion=${RANGER_VERSION} -DgenerateBackupPoms=false + +# Also, manually update versions in: +# - dev-support/ranger-docker/.env +# - docs/pom.xml +# - unixauthnative/pom.xml +# - ranger-trino-plugin-shim/pom.xml +``` + +#### Commit the changes +```bash title="Commit version changes to release branch" +export RANGER_VERSION="2.7.0" # Set to the version of Ranger being released. + +git commit -am "RANGER-XXXX: Updated version from ${RANGER_VERSION}-SNAPSHOT to ${RANGER_VERSION}" + +git push origin + +# for ex: https://github.com/apache/ranger/commit/81f3d2f +``` +```bash title="Tag the RC and Push" +git tag -a release-${RANGER_VERSION}-rc${RANGER_RC} -m "Ranger ${RANGER_VERSION}-rc${RANGER_RC} release" + +# example: git tag -a release-2.6.0-rc0 -m "Ranger 2.6.0-rc0 release" + +# and then push to the release branch like this +git push origin release-${RANGER_VERSION}-rc${RANGER_RC} +``` + +### Build and Publish Source Artifacts + +#### Set up local environment + +It is probably best to clone a fresh Ranger repository locally to work on the release, and leave your existing repository intact for dev tasks you may be working on simultaneously. +After cloning, make sure the `apache/ranger` upstream repo is named origin. +This is required for release build metadata to be correctly populated. +Assume all following commands are executed from within this repo with your release branch checked out. + +```bash +export RANGER_RC=0 # Set to the number of the current release candidate, starting at 0. +export CODESIGNINGKEY=your_gpg_key_id +``` + +#### Reset the git repository +```bash title="Reset the git repo" +git reset --hard +git clean -dfx +``` + +#### Create the release artifacts +```bash title="Build Ranger" +# run with unit tests +mvn clean install -Dmaven.javadoc.skip=true +``` + +* Verify `LICENSE` and `NOTICE` files for the release are updated based on changes in the release. 
+* Go through all commits in this particular release and create Release Notes. for example: [Apache Ranger 2.6.0 - Release Notes](https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+2.6.0+-+Release+Notes) +* Also, ensure the fix versions are appropriately added for all the jiras related to the commits. + +#### Calculate the checksum and sign the artifacts +```bash title="Sign and checksum the artifacts" +export GPG_TTY=$(tty) +ant -f release-build.xml -Dranger-release-version=${RANGER_VERSION} -Dsigning-key=${CODESIGNINGKEY} + +# on successful run, the above command generates 4 files in target: +# - apache-ranger-${RANGER_VERSION}.tar.gz +# - apache-ranger-${RANGER_VERSION}.tar.gz.asc +# - apache-ranger-${RANGER_VERSION}.tar.gz.sha512 +# - apache-ranger-${RANGER_VERSION}.tar.gz.sha256 + +# verify the signed tarball and checksum file using below command +cd target +gpg --verify apache-ranger-${RANGER_VERSION}.tar.gz.asc apache-ranger-${RANGER_VERSION}.tar.gz +sha512sum -c apache-ranger-${RANGER_VERSION}.tar.gz.sha512 +sha256sum -c apache-ranger-${RANGER_VERSION}.tar.gz.sha256 +``` + +#### Publish source artifacts to dev +```bash title="publish dev artifacts" +svn co https://dist.apache.org/repos/dist/dev/ranger ranger-dev + +mkdir ranger-dev/${RANGER_VERSION}-rc${RANGER_RC} + +cp target/apache-ranger-${RANGER_VERSION}.tar.gz ranger-dev/${RANGER_VERSION}-rc${RANGER_RC}/ +cp target/apache-ranger-${RANGER_VERSION}.tar.gz.asc ranger-dev/${RANGER_VERSION}-rc${RANGER_RC}/ +cp target/apache-ranger-${RANGER_VERSION}.tar.gz.sha256 ranger-dev/${RANGER_VERSION}-rc${RANGER_RC}/ +cp target/apache-ranger-${RANGER_VERSION}.tar.gz.sha512 ranger-dev/${RANGER_VERSION}-rc${RANGER_RC}/ + +svn add ${RANGER_VERSION}-rc${RANGER_RC} +svn commit -m "RANGER-XXXX: Upload ${RANGER_VERSION}-rc${RANGER_RC}" # requires ASF authentication +``` + +## Vote +#### Send the voting email as described below +- Send release voting request to `[email protected]` and `[email protected]` with 
the subject +``` +[VOTE] Release Apache Ranger ${RANGER_VERSION} ${RANGER_RC} +``` + +- Include the following in the email: + - Link to a Jira query showing all resolved issues for this release. Something like this. + - Link to the release candidate tag on GitHub. + - Location of the source and binary tarballs. This link will look something like https://dist.apache.org/repos/dist/dev/ranger/2.6.0-rc0/ + - Link to the public key used to sign the artifacts. This should always be in the [keys] file. +- The vote will be open for at least 72 hours or until necessary votes are reached. +``` + [] +1 approve + [] +0 no opinion + [] -1 disapprove (and reason why) +``` +- Review [release-policy](https://www.apache.org/legal/release-policy.html#release-approval) for the ASF wide release voting policy. + +!!! note + + Note what is required of binding voters, and that binding votes can only come from PMC members. Check [https://people.apache.org/committer-index.html](https://people.apache.org/committer-index.html), users whose group membership includes `ranger-pmc` can cast binding votes. + +- If VOTE did not go through: + - Apply fixes to the release branch and repeat the steps starting from tagging the commit for the release candidate with the `$RANGER_RC` variable incremented by 1 for all steps. +- Once voting is finished, email `[email protected]` and `[email protected]`summarizing the results with subject: +``` +[RESULT] [VOTE] Apache Ranger ${RANGER_VERSION} ${RANGER_RC} +``` +Include names of all PMC members, followed by committers/contributors who cast their votes. Here is a reference [link](https://lists.apache.org/thread/sonr9mmjv8ot9kzwh66royv0pblnn41c). + +## Post-Vote + +### Publish the source artifacts to dist.apache.org + +You should commit the artifacts to the SVN repository. If you are not a PMC member you can commit it to the dev ranger first and ask a PMC member for the final move. 
PMC members can move it to the final location: + +```bash title="Move" +svn co https://dist.apache.org/repos/dist/dev/ranger ranger-dev && cd ranger-dev + +svn co https://dist.apache.org/repos/dist/release/ranger ranger-release && cd ranger-release + +mkdir ranger-release/${RANGER_VERSION} + +cp ranger-dev/${RANGER_VERSION}-rc${RANGER_RC}/* ranger-release/${RANGER_VERSION} # copy release artifacts from dev to release + +cd ranger-release + +svn add ${RANGER_VERSION} + +svn commit -m "Uploading Apache Ranger ${RANGER_VERSION} release src artifacts" ${RANGER_VERSION} +``` +Now the `.tar.gz` artifact should have an associated `.asc` file, `.sha512` and `.sha256` file at the destination, so a total of 4 files. + +### Publish the source artifacts to Maven Central +1. Setup `~/.m2/settings-security.xml` as per the [guidelines](https://maven.apache.org/guides/mini/guide-encryption.html). +2. Encrypt your Apache account password using above guidelines, and enter it in `~/.m2/settings.xml` in the following entry + ```xml title="Update settings.xml" + <server> + <id>apache.staging.https</id> + <username>username</username> + <password>encrypted_password</password> + </server> + ``` +3. Run the following: + ```bash title="checkout and deploy" + # checkout the relevant git tag + + git checkout release-ranger-${RANGER_VERSION} + # eg: git checkout release-ranger-2.6.0 + + # deploy the release + mvn clean deploy -Papache-release -DskipTests -DskipDocs + ``` +4. Go to [https://repository.apache.org/](https://repository.apache.org/) and log in using your Apache account. +5. Click on `Staging Repositories` on the left-hand side. +6. Select the entry that starts with orgapacheranger and click on `close`. +7. Verify via the URL that should appear after refresh that the artifacts look as expected. +8. After approval, click on `release`. 
+ +### Publish build artifacts +```bash title="build ranger release and push artifacts to svn" +# build ranger from the release branch + +# create parent directory before build +RELEASE_DIR=/tmp/release-${RANGER_VERSION} +mkdir -p ${RELEASE_DIR} && cd ${RELEASE_DIR} + +git clone https://github.com/apache/ranger.git && cd ranger + +git checkout release-ranger-${RANGER_VERSION} + +# after successful build, artifacts should be present in target +mvn clean package -DskipTests + +# checkout svn repo +cd ~ +svn co https://dist.apache.org/repos/dist/dev/ranger ranger-dev && cd ranger-dev +cd ${RANGER_VERSION}-rc${RANGER_RC} +cp ${RELEASE_DIR}/ranger/target/ranger-* . + +# generate signature and checksums for all +for file in `find . -name "ranger-*"` +do + gpg --armor --output ${file}.asc --detach-sig ${file} && sha512sum ${file} > ${file}.sha512 +done + +svn add ranger-* +svn commit -m "upload build artifacts for ${RANGER_RELEASE} release" + +# PMC Members may selectively move these artifacts to https://dist.apache.org/repos/dist/release/ranger/${RANGER_RELEASE} under respective directories +``` + +### Add the final git tag and push it +```bash title="Add final release tag" +git checkout "release-${RANGER_VERSION}-rc${RANGER_RC}" + +git tag -a "release-ranger-${RANGER_VERSION}" -m "Apache Ranger $RANGER_VERSION" + +git push origin "release-ranger-${RANGER_VERSION}" +``` + +### Create a sub-page in Confluence +Add a sub-page under Release Folders for this release and add links for the following: + +* Link to the release notes +* Link to the release artifacts +* Link to the release tag + +Something like [this](https://cwiki.apache.org/confluence/display/RANGER/2.6.0+release+-+Apache+Ranger). + +### Update the Ranger website + +* Create a [PR](https://github.com/apache/ranger/pull/532) targeted for master branch to update the docs with the new release. +* Update the ranger website with the release artifacts (use master branch to do this!) 
and push the changes in the master branch. + +### Publish docker images for the release +Build the following docker images: + +* ranger +* ranger-db +* ranger-solr +* ranger-zk + +with the release checked out and upload them to [DockerHub]. +Instructions to build the images can be found [here](https://github.com/apache/ranger/blob/master/dev-support/ranger-docker/README.md). +```bash title="tag and push docker images" +# tag the images +docker tag ranger:latest apache/ranger:${RANGER_VERSION} +docker tag ranger-db:latest apache/ranger-db:${RANGER_VERSION} +docker tag ranger-solr:latest apache/ranger-solr:${RANGER_VERSION} +docker tag ranger-zk:latest apache/ranger-zk:${RANGER_VERSION} + +# do docker login +docker login + +# push the images +docker push apache/ranger:${RANGER_VERSION} +docker push apache/ranger-db:${RANGER_VERSION} +docker push apache/ranger-solr:${RANGER_VERSION} +docker push apache/ranger-zk:${RANGER_VERSION} +``` +### Send an announcement mail + +to `[email protected]`, `[email protected]`, `[email protected]`. Something like [this](https://lists.apache.org/thread/4ssdwwpdcd8381k09otjfsydb47z1ygm). + +``` +Subject: [ANNOUNCE] Apache Ranger ${RANGER_VERSION} +``` +!!! note + + Only PMC members can send the email to `[email protected]` +- Include the following in the email: + - Download [link](https://ranger.apache.org/download.html) + - Release notes: example - [Apache Ranger 2.6.0 - Release Notes](https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+2.6.0+-+Release+Notes) + - When downloading binaries from the site, please remember to verify the downloads using signatures at: [KEYS](https://www.apache.org/dist/ranger/KEYS) + +### Branching + +Create a new release branch, for ex: ranger-2.7 from ranger-2.6. In this release branch, do the following and commit it. 
+```bash title="Update to SNAPSHOT version and Push" +NEXT_RANGER_VERSION=2.7.0-SNAPSHOT +mvn versions:set -DnewVersion=${NEXT_RANGER_VERSION} + +git commit -am "RANGER-XXXX: Updated version from ${RANGER_VERSION} to ${NEXT_RANGER_VERSION}" + +# Also, manually update versions in: +# - dev-support/ranger-docker/.env +# - docs/pom.xml + +git push origin +``` +Now, update the previous release branch with newer SNAPSHOT version and commit it, something like this: + +```bash title="Update to SNAPSHOT version and Push" +NEXT_RANGER_VERSION="2.6.1-SNAPSHOT" +mvn versions:set -DnewVersion=${NEXT_RANGER_VERSION} + +git commit -am "RANGER-XXXX: Updated version from ${RANGER_VERSION} to ${NEXT_RANGER_VERSION}" + +# Also, manually update versions in: +# - dev-support/ranger-docker/.env +# - docs/pom.xml + +git push origin +``` + +### Other Tasks +- In Apache JIRA admin, mark the release as complete and create a next version for tracking the changes to the next (major|minor) version +- Update release data in [https://reporter.apache.org/?ranger](https://reporter.apache.org/?ranger) + +!!! note + + Only PMC members can do this step. + +- If the release resolved any CVE + - update [Vulnerabilities Found](./cve-list.md) + - send notification to + - `[email protected]` + - `[email protected]` + - `[email protected]` + - `[email protected]` + - `[email protected]` + - Follow [https://www.apache.org/security/committers.html](https://www.apache.org/security/committers.html) for publishing the CVE +
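Review bot: In the "publish dev artifacts" block, `svn add ${RANGER_VERSION}-rc${RANGER_RC}` and the `svn commit` that follows run from the directory that contains the `ranger-dev` working copy, not inside it, so `svn add` fails with "is not a working copy" (the new directory was created as `ranger-dev/${RANGER_VERSION}-rc${RANGER_RC}`). Either add `cd ranger-dev` before the `svn add`, or use `svn add ranger-dev/${RANGER_VERSION}-rc${RANGER_RC}` and pass the same path to `svn commit`.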
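Review bot: In the VOTE email checklist, "Link to a Jira query showing all resolved issues for this release. Something like this." ends without the link it promises, and the `[keys]` reference-style link has no matching `[keys]: ...` definition anywhere in this hunk, so MkDocs will render it as literal brackets; the KEYS URL already used in the announcement section (`https://www.apache.org/dist/ranger/KEYS`) is the natural target. The same check applies to `[DockerHub]` in the docker section. Two smaller points in the Vote region: the heading jumps from `## Vote` straight to `####`, and the `[RESULT]` sentence is missing a space after the second mailing-list address before "summarizing".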
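Review bot: The "Move" script cannot run as written: `svn co ... ranger-dev && cd ranger-dev` changes into the dev working copy, so the second checkout creates `ranger-dev/ranger-release` and then `cd`s into it, after which `mkdir ranger-release/${RANGER_VERSION}`, `cp ranger-dev/${RANGER_VERSION}-rc${RANGER_RC}/* ...` and the later `cd ranger-release` all refer to paths that do not exist. Drop the two `&& cd ...` suffixes so both working copies are siblings in the current directory and the relative paths in the rest of the block line up. Since this is the last step before the artifacts become public, it is also worth repeating `gpg --verify` and `sha512sum -c` on the copied files before the release commit, as the signing section already does for the dev copy.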
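Review bot: Ordering problem between sections: "Publish the source artifacts to Maven Central" (step 3) and "Publish build artifacts" both run `git checkout release-ranger-${RANGER_VERSION}`, but that tag is only created in the later "Add the final git tag and push it" section, so a release manager following the page top to bottom gets a "pathspec did not match" error. Either move the tagging section ahead of those two, or check out `release-${RANGER_VERSION}-rc${RANGER_RC}` (the RC tag the final tag is created from) in those blocks.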
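Review bot: In "build ranger release and push artifacts to svn", `${RANGER_RELEASE}` (used in the `svn commit` message and the closing comment) is never defined on the page; every other block uses `${RANGER_VERSION}`, so the commit message will expand to "upload build artifacts for  release". In the same loop, `find . -name "ranger-*"` also matches `.asc` and `.sha512` files left over from a previous run (producing `ranger-*.asc.asc`), so narrow it with `! -name "*.asc" ! -name "*.sha512"`; and only a `.sha512` is produced here while the source artifacts get both `.sha256` and `.sha512` and are then checked with `gpg --verify` and `sha512sum -c`, so mirror that here for consistency.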
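Review bot: Both "Update to SNAPSHOT version and Push" blocks run `mvn versions:set` without `-DgenerateBackupPoms=false`, which leaves a `pom.xml.versionsBackup` beside every module pom; `git commit -am` does not stage those untracked files, but they litter the working tree and get swept up by a later `git add .`. Add the flag (or a `mvn versions:commit` step). The two blocks also share an identical title, and `NEXT_RANGER_VERSION` is hard-coded (`2.7.0-SNAPSHOT`, `2.6.1-SNAPSHOT`) while the commit message uses the `${RANGER_VERSION}` variable; either derive the next versions from the release version or mark the values as examples. In "Other Tasks", the `!!! note` admonition sits between two list items and breaks the list in MkDocs; move it after the list or indent it under the item it qualifies.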
