This is an automated email from the ASF dual-hosted git repository.
abhi pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 7fa081002 RANGER-5355: Add content under Project tab (#804)
7fa081002 is described below
commit 7fa08100261d83f9c50c26fb8289a5253b1eb987
Author: Abhishek Kumar <[email protected]>
AuthorDate: Wed Jan 14 18:18:15 2026 -0800
RANGER-5355: Add content under Project tab (#804)
---
mkdocs/docs/project/contributing.md | 44 +++-
mkdocs/docs/project/cve-list.md | 178 ++++++++++++++
mkdocs/docs/project/java-code-style.md | 119 +++++++++
mkdocs/docs/project/release-process.md | 433 +++++++++++++++++++++++++++++++--
4 files changed, 755 insertions(+), 19 deletions(-)
diff --git a/mkdocs/docs/project/contributing.md
b/mkdocs/docs/project/contributing.md
index bb6c480df..41bb5e930 100644
--- a/mkdocs/docs/project/contributing.md
+++ b/mkdocs/docs/project/contributing.md
@@ -17,5 +17,47 @@ title: "Contribute"
- See the License for the specific language governing permissions and
- limitations under the License.
-->
-
+[ranger-prs]: https://github.com/apache/ranger/pulls
+[github-pr-docs]: https://help.github.com/articles/about-pull-requests/
+[Jira Issue]: https://issues.apache.org/jira/browse/RANGER
+[Review Board]: https://reviews.apache.org/
+[Slack]: https://the-asf.slack.com/archives/C4SC5NXAA
+[Dev List]: mailto:[email protected]
# Contributing
+
+In this page, you will find some guidelines on contributing to Apache Ranger.
+
+If you are thinking of contributing but first would like to discuss the change
you wish to make, we welcome you to
+raise a [Jira Issue]. You can also subscribe to the [Dev List] and join us on
[Slack]
+to connect with the community.
+
+The Ranger Project is hosted on GitHub at <https://github.com/apache/ranger>.
+
+## Pull Request <small>recommended</small>
+
+The Ranger community prefers to receive contributions as [Github pull
requests][github-pr-docs].
+
+[View open pull requests][ranger-prs]
+
+When you are ready to submit your pull request, please keep the following in
mind:
+
+* PRs should be associated with a [Jira Issue]
+* PRs should include a clear and descriptive title and summary of the change
+* Please ensure that your code adheres to the existing coding style
+* Please ensure that your code is well tested
+* Please ensure that your code is well documented
+
+
+## Review Board <small>legacy</small>
+
+The [Review Board] may be used for Ranger code reviews as well.
+
+To submit a patch for review, please follow these steps:
+
+- Create a [Jira Issue] for the change you wish to make.
+- Create a patch file using `git format-patch` or `git diff > my_patch.patch`.
+- Upload the patch to [Review Board] and associate it with the Jira issue you
created earlier.
+- Request a review from the Ranger committers.
+- Address any feedback you receive and update the patch as necessary.
+- Once your patch has been approved, a committer will merge it into the main
codebase.
+- Close the associated Jira issue.
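Review bot: The opening paragraph routes every proposed change to a public [Jira Issue], the [Dev List] or [Slack], and nothing in the added page says where a suspected security vulnerability should be reported. Since this same commit adds cve-list.md, add one line near the top pointing reporters to the project's private security reporting channel instead of a public Jira. Smaller points: "Github pull requests" should read "GitHub" to match the "hosted on GitHub" sentence above it; the link reference definitions now sit directly between `-->` and `# Contributing` because the blank line was removed, so keep a blank line on either side of them; the Review Board section says "please follow these steps" but uses an unordered `-` list, where a numbered list would make the order explicit; and there is a doubled blank line before `## Review Board`.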
diff --git a/mkdocs/docs/project/cve-list.md b/mkdocs/docs/project/cve-list.md
index df87d728a..0833f3078 100644
--- a/mkdocs/docs/project/cve-list.md
+++ b/mkdocs/docs/project/cve-list.md
@@ -20,3 +20,181 @@ title: "Vulnerabilities Found in Apache Ranger"
## Introduction
This page contains a list of security vulnerabilities that have been found in
Apache Ranger. For each vulnerability, the following information is provided:
+
+### Fixed in Ranger [2.6.0](../release-notes/2.6.0.md)
+
+| CVE-2024-55532 | Improper Neutralization of Formula Elements in a CSV
File in Export to CSV feature of Apache Ranger |
+|-------------------|----------------------------------------------------------------------------------------------------|
+| Severity | Low
|
+| Vendor | The Apache Software Foundation
|
+| Versions Affected | Apache Ranger versions prior to `2.6.0`
|
+| Users affected | All users of ranger policy admin tool
|
+| Description | Improper Neutralization issue in Export to CSV
functionality |
+| Fix detail | Added logic to properly sanitize the exported content
|
+| Mitigation | Users should upgrade to `2.6.0` or later version of
Apache Ranger with the fix |
+| Credit | 김도균 ([email protected])
|
+
+### Fixed in Ranger [2.5.0](../release-notes/2.5.0.md)
+| CVE-2024-45478 | Stored XSS vulnerability in Edit Service Page of Apache
Ranger UI |
+|-------------------|----------------------------------------------------------------------------------------------|
+| Severity | Moderate
|
+| Vendor | The Apache Software Foundation
|
+| Versions Affected | Apache Ranger versions prior to `2.5.0`
|
+| Users affected | All users of ranger policy admin tool UI
|
+| Description | Apache Ranger was found to be vulnerable to a Stored XSS
issue in Edit Service functionality |
+| Fix detail | Added logic to validate the user input
|
+| Mitigation | Users should upgrade to `2.5.0` or later version of
Apache Ranger with the fix |
+| Credit | Gyujin
|
+
+| CVE-2024-45479 | SSRF vulnerability in Edit Service Page of Apache Ranger
UI |
+|-------------------|----------------------------------------------------------------------------------------------|
+| Severity | Moderate
|
+| Vendor | The Apache Software Foundation
|
+| Versions Affected | Apache Ranger versions prior to `2.5.0`
|
+| Users affected | All users of ranger policy admin tool UI
|
+| Description | Apache Ranger was found to be vulnerable to a SSRF issue
in Edit Service functionality |
+| Fix detail | Added logic to validate the user input
|
+| Mitigation | Users should upgrade to `2.5.0` or later version of
Apache Ranger with the fix |
+| Credit | Gyujin
|
+
+### Fixed in Ranger 2.0.0
+| CVE-2019-12397 | Apache Ranger cross site scripting issue
|
+|-------------------|---------------------------------------------------------------------------------------------------|
+| Vendor | The Apache Software Foundation
|
+| Versions Affected | `0.7.0` to `1.2.0` versions of Apache Ranger, prior to
`2.0.0` |
+| Users affected | All users of ranger policy admin tool
|
+| Description | Apache Ranger was found to be vulnerable to a Cross-Site
Scripting in policy import functionality |
+| Fix detail | Added logic to sanitize the user input
|
+| Mitigation | Users should upgrade to `2.0.0` or later version of
Apache Ranger with the fix |
+| Credit | Jan Kaszycki from STM Solutions
|
+
+### Fixed in Ranger 1.2.0
+| CVE-2018-11778 | Apache Ranger Stack based buffer overflow
|
+|-------------------|----------------------------------------------------------------------------------------------------------------|
+| Severity | Critical
|
+| Vendor | The Apache Software Foundation
|
+| Versions Affected | Apache Ranger versions prior to `1.2.0`
|
+| Users affected | Unix Authentication Service users
|
+| Description | Apache Ranger UnixAuthenticationService should properly
handle user input to avoid Stack-based buffer overflow |
+| Fix detail | UnixAuthenticationService was updated to correctly
handle user input |
+| Mitigation | Users should upgrade to `1.2.0` or later version of
Apache Ranger with the fix |
+| Credit | Alexander Klink
|
+
+### Fixed in Ranger 0.7.1
+| CVE-2017-7676 | Apache Ranger policy evaluation ignores characters after
‘*’ wildcard character
|
+|-------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Severity | Critical
|
+| Vendor | The Apache Software Foundation
|
+| Versions Affected | `0.6.x`/`0.7.0` versions of Apache Ranger
|
+| Users affected | Environments that use Ranger policies with characters
after \‘\*\’ wildcard character – like my\*test, test\*.txt
|
+| Description | Policy resource matcher effectively ignores characters
after \‘\*\’ wildcard character. This can result in affected policies to apply
to resources where they should not be applied |
+| Fix detail | Ranger policy resource matcher was updated to correctly
handle wildcard matches.
|
+| Mitigation | Users should upgrade to `0.7.1` or later version of
Apache Ranger with the fix
|
+
+| CVE-2017-7677 | Apache Ranger Hive Authorizer should check for RWX
permission when external location is specified
|
+|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Severity | Critical
|
+| Vendor | The Apache Software Foundation
|
+| Versions Affected | `0.5.x`/`0.6.x`/`0.7.0` versions of Apache Ranger
|
+| Users affected | Environments that use external location for hive tables
|
+| Description | Without Ranger Hive Authorizer checking RWX permission
when external location is specified, there is a possibility that right
permissions are not required to create the table |
+| Fix detail | Ranger Hive Authorizer was updated to correctly handle
permission check with external location
|
+| Mitigation | Users should upgrade to `0.7.1` or later version of
Apache Ranger with the fix
|
+
+### Fixed in Ranger 0.6.3
+| CVE-2016-8746 | Apache Ranger path matching issue in policy evaluation
|
+|-------------------|------------------------------------------------------------------------------------------------------------------------------------------------|
+| Severity | Normal
|
+| Vendor | The Apache Software Foundation
|
+| Versions Affected | `0.6.0`/`0.6.1`/`0.6.2` versions of Apache Ranger
|
+| Users affected | All users of ranger policy admin tool
|
+| Description | Ranger policy engine incorrectly matches paths in
certain conditions when policy does not contain wildcards and has recursion
flag set to true |
+| Fix detail | Fixed policy evaluation logic
|
+| Mitigation | Users should upgrade to `0.6.3` or later version of
Apache Ranger with the fix
|
+
+| CVE-2016-8751 | Apache Ranger stored cross site scripting issue
|
+|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Severity | Normal
|
+| Vendor | The Apache Software Foundation
|
+| Versions Affected | `0.5.x` and `0.6.0`/`0.6.1`/`0.6.2` versions of Apache
Ranger
|
+| Users affected | All users of ranger policy admin tool
|
+| Description | Apache Ranger was found to be vulnerable to a Stored
Cross-Site Scripting in when entering custom policy conditions. Admin users can
store some arbitrary javascript code to be executed when normal users login and
access policies |
+| Fix detail | Added logic to sanitize the user input
|
+| Mitigation | Users should upgrade to `0.6.3` or later version of
Apache Ranger with the fix
|
+
+### Fixed in Ranger 0.6.2
+| CVE-2016-6815 | Apache Ranger user privilege vulnerability
|
+|-------------------|-------------------------------------------------------------------------------------------------|
+| Severity | Normal
|
+| Vendor | The Apache Software Foundation
|
+| Versions Affected | All `0.5.x` versions or `0.6.0`/`0.6.1` versions of
Apache Ranger |
+| Users affected | All users of ranger policy admin tool
|
+| Description | Users with "keyadmin" role should not be allowed to
change password for users with `admin` role |
+| Fix detail | Added logic to validate the user privilege in the
backend |
+| Mitigation | Users should upgrade to `0.6.2` or later version of
Apache Ranger with the fix |
+
+### Fixed in Ranger 0.6.1
+| CVE-2016-5395 | Apache Ranger Stored Cross Site Scripting vulnerability
|
+|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Severity | Normal
|
+| Vendor | The Apache Software Foundation
|
+| Versions Affected | All `0.5.x` versions of Apache Ranger and version
`0.6.0`
|
+| Users affected | All users of ranger policy admin tool
|
+| Description | Apache Ranger was found to be vulnerable to a Stored
Cross-Site Scripting in the create user functionality. Admin users can store
some arbitrary javascript code to be executed when normal users login and
access policies |
+| Fix detail | Added logic to sanitize the user input
|
+| Mitigation | Users should upgrade to `0.6.1` or later version of
Apache Ranger with the fix
|
+| Credit | Thanks to Victor Hora from Securus Global for reporting
this issue
|
+
+### Fixed in Ranger 0.5.3
+| CVE-2016-2174 | Apache Ranger sql injection vulnerability
|
+|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Severity | Normal
|
+| Vendor | The Apache Software Foundation
|
+| Versions Affected | All versions of Apache Ranger from `0.5.0` (up to
`0.5.3`)
|
+| Users affected | All admin users of ranger policy admin tool
|
+| Description | SQL Injection vulnerability in Audit > Access tab. When
the user clicks an element from `policyId` row of the list, there is a call
made underneath with eventTime parameter which contains the vulnerability.
Admin users can send some arbitrary sql code to be executed along with
eventTime parameter using `/service/plugins/policies/eventTime url` |
+| Fix detail | Replaced native queries with JPA named queries
|
+| Mitigation | Users should upgrade to `0.5.3` version of Apache Ranger
with the fix
|
+| Credit | Thanks to Mateusz Olejarka from SecuRing for reporting
this issue
|
+
+### Fixed in Ranger 0.5.1
+| CVE-2015-5167 | Restrict REST API data access for non-admin users
|
+|-------------------|-------------------------------------------------------------------------------------------------------------------------------------|
+| Severity | Important
|
+| Vendor | The Apache Software Foundation
|
+| Versions Affected | `0.4.0` and `0.5.0` version of Apache Ranger
|
+| Users affected | All users of ranger policy admin tool
|
+| Description | Data access restrictions via REST API are not consistent
with restrictions in policy admin UI |
+| Mitigation | Users should upgrade to Ranger `0.5.1` version
|
+
+| CVE-2016-0733 | Ranger Admin authentication issue
|
+|-------------------|------------------------------------------------------------------------------------------------------------|
+| Severity | Important
|
+| Vendor | The Apache Software Foundation
|
+| Versions Affected | `0.4.0` and `0.5.0` version of Apache Ranger
|
+| Users affected | All users of ranger policy admin tool
|
+| Description | Malicious Users can gain access to ranger admin UI
without proper authentication |
+| Mitigation | Users should upgrade to Ranger `0.5.1` version
|
+
+### Fixed in Ranger 0.5.0
+| CVE-2015-0265 | Apache Ranger code injection vulnerability
|
+|-------------------|------------------------------------------------------------------------------------------------------------|
+| Severity | Important
|
+| Vendor | The Apache Software Foundation
|
+| Versions Affected | `0.4.0` version of Apache Ranger
|
+| Users affected | All admin users of ranger policy admin tool
|
+| Description | Unauthorized users can send some javascript code to be
executed in ranger policy admin tool admin sessions |
+| Fix detail | Added logic to sanitize the user input
|
+| Mitigation | Users should upgrade to `0.5.0+` version of Apache
Ranger with the fix |
+| Credit | Thanks to Jakub Kałużny from SecuRing for reporting this
issue |
+
+| CVE-2015-0266 | Apache Ranger direct url access vulnerability
|
+|-------------------|------------------------------------------------------------------------------------------------------------|
+| Severity | Important
|
+| Vendor | The Apache Software Foundation
|
+| Versions Affected | `0.4.0` version of Apache Ranger
|
+| Users affected | All users of ranger policy admin tool
|
+| Description | Regular users can type in the URL of modules that are
accessible only to admin users |
+| Fix detail | Added logic in the backend to verify user access
|
+| Mitigation | Users should upgrade to `0.5.0+` version of Apache
Ranger with the fix |
+| Credit | Thanks to Jakub Kałużny from SecuRing for reporting this
issue |
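Review bot: The context line ends with "the following information is provided:" but the added text goes straight to "### Fixed in Ranger 2.6.0", so the list that the colon promises is missing. Either add the field list (Severity, Vendor, Versions Affected, Users affected, Description, Fix detail, Mitigation, Credit) or reword the sentence. The tables also do not carry that field set consistently: CVE-2019-12397 has no Severity row, CVE-2015-5167 and CVE-2016-0733 have no Fix detail row, and several entries have no Credit row. Severity uses five different labels (Low, Moderate, Normal, Important, Critical) with no scale defined, so a reader cannot tell how "Normal" ranks against "Moderate"; pick one vocabulary or state the mapping. For CVE-2016-2174, "from `0.5.0` (up to `0.5.3`)" beside "upgrade to `0.5.3`" leaves it unclear whether 0.5.3 itself is affected; the other entries say "prior to". Text nits: "a SSRF" should be "an SSRF", "Cross-Site Scripting in when entering" has a stray "in", the code span `/service/plugins/policies/eventTime url` has swallowed the word "url", the wildcard quotes are backslash-escaped in the CVE-2017-7676 body rows but not in its title row, and only the 2.6.0 heading has a blank line before its table.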
diff --git a/mkdocs/docs/project/java-code-style.md
b/mkdocs/docs/project/java-code-style.md
index 417783def..915286f4c 100644
--- a/mkdocs/docs/project/java-code-style.md
+++ b/mkdocs/docs/project/java-code-style.md
@@ -19,3 +19,122 @@ title: "Java Style Guide"
-->
# Java Code Style Guide
+Every major open-source project has its own style guide: a set of conventions
(sometimes arbitrary) about how to write code for that project. It is much
easier to understand a large codebase when all the code in it is in a
consistent style.
+
+"Style" covers a lot of ground, from "use camelCase for variable names" to
"never use global variables" to "never use exceptions".
+
+Ranger also contains checkstyle rules in
[dev-support/checkstyle.xml](https://github.com/apache/ranger/blob/master/dev-support/checkstyle.xml),
and a maven plugin associated with it - `maven-checkstyle-plugin` to assist
with style guide compliance. There are other code style guidelines which the
rules do not capture but are recommended to follow. Below is a list of rules
which were followed as part of implementing
[RANGER-5017](https://issues.apache.org/jira/browse/RANGER-5017).
+
+## Source File Structure
+A source file consists of, **in order**:
+
+- Apache License
+- Package statement
+- Import statements
+- Exactly one top-level class
+
+**Exactly one blank line** separates each section that is present.
+
+## Import Statements
+
+### No wildcard imports
+**Wildcard imports**, static or otherwise, **are not used**.
+
+### No line-wrapping
+Import statements are **not line-wrapped**.
+
+### Ordering and Spacing
+Imports are ordered as follows:
+
+- All non-static imports in a single block.
+- All static imports in a single block.
+
+If there are both static and non-static imports, a single blank line separates
the two blocks. There are no other blank lines between import statements.
+
+Within each block the imported names appear in ASCII sort order.
+
+## Class Declaration
+
+### Exactly one top-level class declaration
+Each top-level class resides in a source file of its own.
+
+### Ordering of class contents
+
+- Loggers if present are always at the top.
+- Static members are in a single block followed by non-static members.
+- Final members come before non-final members.
+- The order of access modifiers is: `public protected private default`
+
+## Formatting
+
+### Use of Braces
+Braces are used with `if, else, for, do` and `while` statements, even when the
body is empty or contains only a single statement.
+
+### Nonempty blocks: K & R style
+Braces follow the `Kernighan and Ritchie` style ([Egyptian
brackets](https://blog.codinghorror.com/new-programming-jargon/#3)) for
nonempty blocks and block-like constructs:
+
+- No line break before the opening brace, except as detailed below.
+- Line break after the opening brace.
+- No empty line after the opening brace.
+- Line break before the closing brace.
+- Line break after the closing brace, *only* if that brace terminates a
statement or terminates the body of a method, constructor, or named class. For
example, there is *no* line break after the brace if it is followed by `else`
or a comma.
+
+### Column Limit: Set to 512
+### Whitespace
+#### Vertical Whitespace
+A single blank line may also appear anywhere it improves readability, for
example between statements to organize the code into logical subsections.
+
+*Multiple* consecutive blank lines are **NOT** permitted.
+
+#### Horizontal Alignment: Recommended (not enforced)
+```java title="Horizontal Alignment"
+private int x = 5; // this is fine
+private String color = blue; // this too
+
+private int x = 5; // permitted, but future edits
+private String color = "blue"; // may leave it unaligned
+```
+
+## Naming
+
+### Package Names
+Package names use only lowercase letters and digits (no underscores).
Consecutive words are simply concatenated together. For example:
org.apache.ranger.rangerdb, **not** org.apache.ranger.rangerDb **or**
org.apache.ranger.ranger_db
+
+### Class Names
+Class names are written in
[UpperCamelCase](https://google.github.io/styleguide/javaguide.html#s5.3-camel-case).
+
+### Method Names
+Method names are written in
[lowerCamelCase](https://google.github.io/styleguide/javaguide.html#s5.3-camel-case).
+
+### Constant Names
+Constant names use UPPER_SNAKE_CASE : all uppercase letters, with each word
separated from the next by a single underscore.
+
+## Programming Practices
+### String Concatenation
+
+**NOT** allowed in log statements.
+
+*Exceptions*: allowed in `Exception/System.out.println` statements. for ex:
+
+```java
+// allowed
+LOG.debug("revokeAccess as user {}", user);
+LOG.error("Failed to get response, Error is : {}", e.getMessage());
+// not allowed
+LOG.debug("revokeAccess as user " + user);
+LOG.error("Failed to get response, Error is : " + e.getMessage());
+// allowed
+throw new Exception("HTTP " + response.getStatus() + " Error: " +
resp.getMessage());
+// allowed
+System.out.println("Unknown callback [" + cb.getClass().getName() + "]");
+```
+### logger.isDebugEnabled()
+logger.debug statements may be preceded by isDebugEnabled() only if debug
statements involve heavy operations, for ex:
+
+```java
+if (LOG.isDebugEnabled()) {
+ LOG.debug("User found from principal [{}] => user:[{}], groups:[{}]",
user.getName(), userName, StringUtil.toString(groups));
+}
+```
+
+### Use IntelliJ suggestions - highly recommended
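Review bot: In the Horizontal Alignment sample, the line marked "this is fine" assigns `private String color = blue;` with no quotes, which does not compile, while the second pair uses `"blue"`. Quote it in both. The two pairs are also otherwise identical in this hunk, so the aligned and unaligned variants cannot be told apart; check that the column padding is actually present in the file. In the String Concatenation sample the exception line mixes `response.getStatus()` with `resp.getMessage()`, so use one variable name. Under "Ordering of class contents", `public protected private default` lists `default` as an access modifier, but Java has no such keyword for access; call it package-private (no modifier). "### Column Limit: Set to 512" and "### Use IntelliJ suggestions - highly recommended" are headings with no body text, and the first runs straight into "### Whitespace"; put the rule in a sentence under each heading. For the isDebugEnabled() rule, it would help to say that the guard is warranted in the example because `StringUtil.toString(groups)` is evaluated before `LOG.debug` is called, which the `{}` placeholders alone do not avoid.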
diff --git a/mkdocs/docs/project/release-process.md
b/mkdocs/docs/project/release-process.md
index f1a796741..a539c0a6a 100644
--- a/mkdocs/docs/project/release-process.md
+++ b/mkdocs/docs/project/release-process.md
@@ -1,18 +1,415 @@
-<!---
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-
-# Release Process
+---
+title: "Ranger Release Guidelines"
+---
+<!--
+ - Licensed to the Apache Software Foundation (ASF) under one or more
+ - contributor license agreements. See the NOTICE file distributed with
+ - this work for additional information regarding copyright ownership.
+ - The ASF licenses this file to You under the Apache License, Version 2.0
+ - (the "License"); you may not use this file except in compliance with
+ - the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing, software
+ - distributed under the License is distributed on an "AS IS" BASIS,
+ - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ - See the License for the specific language governing permissions and
+ - limitations under the License.
+ -->
+
+[keys]: https://dist.apache.org/repos/dist/release/ranger/KEYS
+[DockerHub]: https://hub.docker.com/r/apache/ranger
+## Introduction
+
+This page walks you through the release process of the Ranger project.
[Here](https://www.apache.org/legal/release-policy.html) you can read about the
release process in general for an Apache project.
+
+Decisions about releases are made by three groups:
+
+* Release Manager: Does the work of creating the release, signing it, counting
votes, announcing the release and so on.
+* The Community: Performs the discussion of whether it is the right time to
create a release and what that release should contain. The community can also
cast non-binding votes on the release.
+* PMC: Gives binding votes on the release.
+
+This page describes the procedures that the release manager and voting PMC
members take during the release process.
+
+### Prerequisite
+The release manager should have a gpg key setup to sign the artifacts. For
more details, please
[see](https://www.apache.org/dev/new-committers-guide.html#set-up-security-and-pgp-keys)
+
+#### Setup for first time release managers
+
+```bash title="Generate OpenPPG Key"
+# create a key
+gpg --gen-key
+
+# If you have multiple keys present, select the key id you want to use, let's
say it is - your_gpg_key_id then do:
+export CODESIGNINGKEY=your_gpg_key_id
+
+gpg --list-keys ${CODESIGNINGKEY}
+
+# to upload the key to a key server
+gpg --keyserver hkp://keyserver.ubuntu.com --send-key ${CODESIGNINGKEY}
+```
+
+#### Publish your key
+The key is supposed to be published together with the release. If it doesn't
exist already, append it to the end of [keys] file.
+
+```bash title="Publish Key (PMC)"
+svn co https://dist.apache.org/repos/dist/release/ranger
+cd ranger
+gpg --list-sigs $CODESIGNINGKEY >> KEYS
+gpg --armor --export $CODESIGNINGKEY >> KEYS
+
+svn commit -m "Adding key of XXXX to the KEYS"
+```
+
+!!! note
+
+ In case you are a Committer and not a PMC member, you can add your key to
the dev `KEYS` file and a PMC member can move it to the final destination.
+
+```bash title="Publish Key (Committer)"
+svn co https://dist.apache.org/repos/dist/dev/ranger
+cd ranger
+gpg --list-sigs $CODESIGNINGKEY >> KEYS
+gpg --armor --export $CODESIGNINGKEY >> KEYS
+svn commit -m "Adding key of XXXX to the KEYS"
+```
+
+## Pre-Vote
+
+#### Create a parent Jira for the release
+This provides visibility into the progress of the release for the community.
Tasks mentioned in this guide like changing snapshot versions, updating the
Ranger website, publishing the artifacts, publishing the docker image, etc can
be added as subtasks. Here is an example:
[RANGER-5098](https://issues.apache.org/jira/browse/RANGER-5098)
+
+#### Notify the community in advance of the release
+The below details should be included when sending out an email to:
`[email protected]`
+
+* The release branch to be used for the release.
+* The release branch lockdown date, the branch will be closed for commits
after this date. Commits after this date will require approval from PMC Members.
+* Tentative date for the availability of release-candidate #0, after which
voting begins. A minimum of 72 hours needs to pass before the voting can close.
+* Tentative release date.
+#### Branching
+A release branch should already be available as a post-release activity from
the previous release. All release related changes will go to this branch until
the release is complete.
+
+* Ensure that there is no `OPEN` Jira associated with the release.
+
+#### Update the versions
+```bash title="Update Versions"
+# Use below command or use IDE to replace "${RANGER_VERSION}-SNAPSHOT" with
"${RANGER_VERSION}".
+export RANGER_VERSION="2.7.0"
+
+mvn versions:set -DnewVersion=${RANGER_VERSION} -DgenerateBackupPoms=false
+
+# Also, manually update versions in:
+# - dev-support/ranger-docker/.env
+# - docs/pom.xml
+# - unixauthnative/pom.xml
+# - ranger-trino-plugin-shim/pom.xml
+```
+
+#### Commit the changes
+```bash title="Commit version changes to release branch"
+export RANGER_VERSION="2.7.0" # Set to the version of Ranger being released.
+
+git commit -am "RANGER-XXXX: Updated version from ${RANGER_VERSION}-SNAPSHOT
to ${RANGER_VERSION}"
+
+git push origin
+
+# for ex: https://github.com/apache/ranger/commit/81f3d2f
+```
+```bash title="Tag the RC and Push"
+git tag -a release-${RANGER_VERSION}-rc${RANGER_RC} -m "Ranger
${RANGER_VERSION}-rc${RANGER_RC} release"
+
+# example: git tag -a release-2.6.0-rc0 -m "Ranger 2.6.0-rc0 release"
+
+# and then push to the release branch like this
+git push origin release-${RANGER_VERSION}-rc${RANGER_RC}
+```
+
+### Build and Publish Source Artifacts
+
+#### Set up local environment
+
+It is probably best to clone a fresh Ranger repository locally to work on the
release, and leave your existing repository intact for dev tasks you may be
working on simultaneously.
+After cloning, make sure the `apache/ranger` upstream repo is named origin.
+This is required for release build metadata to be correctly populated.
+Assume all following commands are executed from within this repo with your
release branch checked out.
+
+```bash
+export RANGER_RC=0 # Set to the number of the current release candidate,
starting at 0.
+export CODESIGNINGKEY=your_gpg_key_id
+```
+
+#### Reset the git repository
+```bash title="Reset the git repo"
+git reset --hard
+git clean -dfx
+```
+
+#### Create the release artifacts
+```bash title="Build Ranger"
+# run with unit tests
+mvn clean install -Dmaven.javadoc.skip=true
+```
+
+* Verify `LICENSE` and `NOTICE` files for the release are updated based on
changes in the release.
+* Go through all commits in this particular release and create Release Notes.
for example: [Apache Ranger 2.6.0 - Release
Notes](https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+2.6.0+-+Release+Notes)
+* Also, ensure the fix versions are appropriately added for all the jiras
related to the commits.
+
+#### Calculate the checksum and sign the artifacts
+```bash title="Sign and checksum the artifacts"
+export GPG_TTY=$(tty)
+ant -f release-build.xml -Dranger-release-version=${RANGER_VERSION}
-Dsigning-key=${CODESIGNINGKEY}
+
+# on successful run, the above command generates 4 files in target:
+# - apache-ranger-${RANGER_VERSION}.tar.gz
+# - apache-ranger-${RANGER_VERSION}.tar.gz.asc
+# - apache-ranger-${RANGER_VERSION}.tar.gz.sha512
+# - apache-ranger-${RANGER_VERSION}.tar.gz.sha256
+
+# verify the signed tarball and checksum file using below command
+cd target
+gpg --verify apache-ranger-${RANGER_VERSION}.tar.gz.asc
apache-ranger-${RANGER_VERSION}.tar.gz
+sha512sum -c apache-ranger-${RANGER_VERSION}.tar.gz.sha512
+sha256sum -c apache-ranger-${RANGER_VERSION}.tar.gz.sha256
+```
+
+#### Publish source artifacts to dev
+```bash title="publish dev artifacts"
+svn co https://dist.apache.org/repos/dist/dev/ranger ranger-dev
+
+mkdir ranger-dev/${RANGER_VERSION}-rc${RANGER_RC}
+
+cp target/apache-ranger-${RANGER_VERSION}.tar.gz
ranger-dev/${RANGER_VERSION}-rc${RANGER_RC}/
+cp target/apache-ranger-${RANGER_VERSION}.tar.gz.asc
ranger-dev/${RANGER_VERSION}-rc${RANGER_RC}/
+cp target/apache-ranger-${RANGER_VERSION}.tar.gz.sha256
ranger-dev/${RANGER_VERSION}-rc${RANGER_RC}/
+cp target/apache-ranger-${RANGER_VERSION}.tar.gz.sha512
ranger-dev/${RANGER_VERSION}-rc${RANGER_RC}/
+
+svn add ${RANGER_VERSION}-rc${RANGER_RC}
+svn commit -m "RANGER-XXXX: Upload ${RANGER_VERSION}-rc${RANGER_RC}" #
requires ASF authentication
+```
+
+## Vote
+#### Send the voting email as described below
+- Send release voting request to `[email protected]` and
`[email protected]` with the subject
+```
+[VOTE] Release Apache Ranger ${RANGER_VERSION} ${RANGER_RC}
+```
+
+- Include the following in the email:
+ - Link to a Jira query showing all resolved issues for this release.
Something like this.
+ - Link to the release candidate tag on GitHub.
+ - Location of the source and binary tarballs. This link will look
something like https://dist.apache.org/repos/dist/dev/ranger/2.6.0-rc0/
+ - Link to the public key used to sign the artifacts. This should always be
in the [keys] file.
+- The vote will be open for at least 72 hours or until necessary votes are
reached.
+```
+ [] +1 approve
+ [] +0 no opinion
+ [] -1 disapprove (and reason why)
+```
+- Review
[release-policy](https://www.apache.org/legal/release-policy.html#release-approval)
for the ASF wide release voting policy.
+
+!!! note
+
+ Note what is required of binding voters, and that binding votes can only
come from PMC members. Check
[https://people.apache.org/committer-index.html](https://people.apache.org/committer-index.html),
users whose group membership includes `ranger-pmc` can cast binding votes.
+
+- If VOTE did not go through:
+ - Apply fixes to the release branch and repeat the steps starting from
tagging the commit for the release candidate with the `$RANGER_RC` variable
incremented by 1 for all steps.
+- Once voting is finished, email `[email protected]` and
`[email protected]`summarizing the results with subject:
+```
+[RESULT] [VOTE] Apache Ranger ${RANGER_VERSION} ${RANGER_RC}
+```
+Include names of all PMC members, followed by committers/contributors who cast
their votes. Here is a reference
[link](https://lists.apache.org/thread/sonr9mmjv8ot9kzwh66royv0pblnn41c).
+
+## Post-Vote
+
+### Publish the source artifacts to dist.apache.org
+
+You should commit the artifacts to the SVN repository. If you are not a PMC
member you can commit it to the dev ranger first and ask a PMC member for the
final move. PMC members can move it to the final location:
+
+```bash title="Move"
+svn co https://dist.apache.org/repos/dist/dev/ranger ranger-dev && cd
ranger-dev
+
+svn co https://dist.apache.org/repos/dist/release/ranger ranger-release && cd
ranger-release
+
+mkdir ranger-release/${RANGER_VERSION}
+
+cp ranger-dev/${RANGER_VERSION}-rc${RANGER_RC}/*
ranger-release/${RANGER_VERSION} # copy release artifacts from dev to release
+
+cd ranger-release
+
+svn add ${RANGER_VERSION}
+
+svn commit -m "Uploading Apache Ranger ${RANGER_VERSION} release src
artifacts" ${RANGER_VERSION}
+```
+Now the `.tar.gz` artifact should have an associated `.asc` file, `.sha512`
and `.sha256` file at the destination, so a total of 4 files.
+
+### Publish the source artifacts to Maven Central
+1. Setup `~/.m2/settings-security.xml` as per the
[guidelines](https://maven.apache.org/guides/mini/guide-encryption.html).
+2. Encrypt your Apache account password using above guidelines, and enter it
in `~/.m2/settings.xml` in the following entry
+ ```xml title="Update settings.xml"
+ <server>
+ <id>apache.staging.https</id>
+ <username>username</username>
+ <password>encrypted_password</password>
+ </server>
+ ```
+3. Run the following:
+ ```bash title="checkout and deploy"
+ # checkout the relevant git tag
+
+ git checkout release-ranger-${RANGER_VERSION}
+ # eg: git checkout release-ranger-2.6.0
+
+ # deploy the release
+ mvn clean deploy -Papache-release -DskipTests -DskipDocs
+ ```
+4. Go to [https://repository.apache.org/](https://repository.apache.org/) and
log in using your Apache account.
+5. Click on `Staging Repositories` on the left-hand side.
+6. Select the entry that starts with orgapacheranger and click on `close`.
+7. Verify via the URL that should appear after refresh that the artifacts look
as expected.
+8. After approval, click on `release`.
+
+### Publish build artifacts
+```bash title="build ranger release and push artifacts to svn"
+# build ranger from the release branch
+
+# create parent directory before build
+RELEASE_DIR=/tmp/release-${RANGER_VERSION}
+mkdir -p ${RELEASE_DIR} && cd ${RELEASE_DIR}
+
+git clone https://github.com/apache/ranger.git && cd ranger
+
+git checkout release-ranger-${RANGER_VERSION}
+
+# after successful build, artifacts should be present in target
+mvn clean package -DskipTests
+
+# checkout svn repo
+cd ~
+svn co https://dist.apache.org/repos/dist/dev/ranger ranger-dev && cd
ranger-dev
+cd ${RANGER_VERSION}-rc${RANGER_RC}
+cp ${RELEASE_DIR}/ranger/target/ranger-* .
+
+# generate signature and checksums for all
+for file in `find . -name "ranger-*"`
+do
+ gpg --armor --output ${file}.asc --detach-sig ${file} && sha512sum ${file} >
${file}.sha512
+done
+
+svn add ranger-*
+svn commit -m "upload build artifacts for ${RANGER_RELEASE} release"
+
+# PMC Members may selectively move these artifacts to
https://dist.apache.org/repos/dist/release/ranger/${RANGER_RELEASE} under
respective directories
+```
+
+### Add the final git tag and push it
+```bash title="Add final release tag"
+git checkout "release-${RANGER_VERSION}-rc${RANGER_RC}"
+
+git tag -a "release-ranger-${RANGER_VERSION}" -m "Apache Ranger
$RANGER_VERSION"
+
+git push origin "release-ranger-${RANGER_VERSION}"
+```
+
+### Create a sub-page in Confluence
+Add a sub-page under Release Folders for this release and add links for the
following:
+
+* Link to the release notes
+* Link to the release artifacts
+* Link to the release tag
+
+Something like
[this](https://cwiki.apache.org/confluence/display/RANGER/2.6.0+release+-+Apache+Ranger).
+
+### Update the Ranger website
+
+* Create a [PR](https://github.com/apache/ranger/pull/532) targeted for master
branch to update the docs with the new release.
+* Update the ranger website with the release artifacts (use master branch to
do this!) and push the changes in the master branch.
+
+### Publish docker images for the release
+Build the following docker images:
+
+* ranger
+* ranger-db
+* ranger-solr
+* ranger-zk
+
+with the release checked out and upload them to [DockerHub].
+Instructions to build the images can be found
[here](https://github.com/apache/ranger/blob/master/dev-support/ranger-docker/README.md).
+```bash title="tag and push docker images"
+# tag the images
+docker tag ranger:latest apache/ranger:${RANGER_VERSION}
+docker tag ranger-db:latest apache/ranger-db:${RANGER_VERSION}
+docker tag ranger-solr:latest apache/ranger-solr:${RANGER_VERSION}
+docker tag ranger-zk:latest apache/ranger-zk:${RANGER_VERSION}
+
+# do docker login
+docker login
+
+# push the images
+docker push apache/ranger:${RANGER_VERSION}
+docker push apache/ranger-db:${RANGER_VERSION}
+docker push apache/ranger-solr:${RANGER_VERSION}
+docker push apache/ranger-zk:${RANGER_VERSION}
+```
+### Send an announcement mail
+
+to `[email protected]`, `[email protected]`, `[email protected]`.
Something like
[this](https://lists.apache.org/thread/4ssdwwpdcd8381k09otjfsydb47z1ygm).
+
+```
+Subject: [ANNOUNCE] Apache Ranger ${RANGER_VERSION}
+```
+!!! note
+
+ Only PMC members can send the email to `[email protected]`
+- Include the following in the email:
+ - Download [link](https://ranger.apache.org/download.html)
+ - Release notes: example - [Apache Ranger 2.6.0 - Release
Notes](https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+2.6.0+-+Release+Notes)
+ - When downloading binaries from the site, please remember to verify the
downloads using signatures at: [KEYS](https://www.apache.org/dist/ranger/KEYS)
+
+### Branching
+
+Create a new release branch, for ex: ranger-2.7 from ranger-2.6. In this
release branch, do the following and commit it.
+```bash title="Update to SNAPSHOT version and Push"
+NEXT_RANGER_VERSION=2.7.0-SNAPSHOT
+mvn versions:set -DnewVersion=${NEXT_RANGER_VERSION}
+
+git commit -am "RANGER-XXXX: Updated version from ${RANGER_VERSION} to
${NEXT_RANGER_VERSION}"
+
+# Also, manually update versions in:
+# - dev-support/ranger-docker/.env
+# - docs/pom.xml
+
+git push origin
+```
+Now, update the previous release branch with newer SNAPSHOT version and commit
it, something like this:
+
+```bash title="Update to SNAPSHOT version and Push"
+NEXT_RANGER_VERSION="2.6.1-SNAPSHOT"
+mvn versions:set -DnewVersion=${NEXT_RANGER_VERSION}
+
+git commit -am "RANGER-XXXX: Updated version from ${RANGER_VERSION} to
${NEXT_RANGER_VERSION}"
+
+# Also, manually update versions in:
+# - dev-support/ranger-docker/.env
+# - docs/pom.xml
+
+git push origin
+```
+
+### Other Tasks
+- In Apache JIRA admin, mark the release as complete and create a next version
for tracking the changes to the next (major|minor) version
+- Update release data in
[https://reporter.apache.org/?ranger](https://reporter.apache.org/?ranger)
+
+!!! note
+
+ Only PMC members can do this step.
+
+- If the release resolved any CVE
+ - update [Vulnerabilities Found](./cve-list.md)
+ - send notification to
+ - `[email protected]`
+ - `[email protected]`
+ - `[email protected]`
+ - `[email protected]`
+ - `[email protected]`
+ - Follow
[https://www.apache.org/security/committers.html](https://www.apache.org/security/committers.html)
for publishing the CVE
+
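Review bot: In the "Move" block under "Publish the source artifacts to dist.apache.org", the directory changes do not match the paths used afterwards. After `svn co ... ranger-dev && cd ranger-dev` and `svn co ... ranger-release && cd ranger-release`, the shell is inside `ranger-dev/ranger-release`, so `mkdir ranger-release/${RANGER_VERSION}`, the `cp ranger-dev/...` line and the later `cd ranger-release` all refer to paths that do not exist. Drop the two `&& cd ...` so both working copies sit side by side. Because this step promotes the bytes that were voted on, either re-run `gpg --verify` and `sha512sum -c` in the release directory before `svn commit`, or do the promotion as a server-side `svn mv` between the dev and release URLs, so the released files are the ones that passed the vote.

The same working-directory problem is in "publish dev artifacts": `svn add ${RANGER_VERSION}-rc${RANGER_RC}` runs from the parent of `ranger-dev`, which is not a working copy, so a `cd ranger-dev` is needed before it.

In "Publish build artifacts", `${RANGER_RELEASE}` appears in the commit message and the closing comment while every other step uses `${RANGER_VERSION}`. The loop writes only `.sha512`, although the source tarball gets both `.sha512` and `.sha256`. The `find . -name "ranger-*"` pattern will also match `.asc` and `.sha512` files left by a previous run, so it should be restricted to the archives.

Both "checkout and deploy" and "Publish build artifacts" run `git checkout release-ranger-${RANGER_VERSION}` before the section that creates that tag. Either move "Add the final git tag and push it" ahead of them or check out the rc tag in those steps.

The `[VOTE]` and `[RESULT]` subject lines expand `${RANGER_RC}` bare, whereas the directory and tag names write it as `rc${RANGER_RC}`.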