> On August 10, 2018, 12:50 p.m., Zsombor Gegesy wrote:
> > plugin-elasticsearch/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuthorizer.java
> > Lines 99 (patched)
> > <https://reviews.apache.org/r/68128/diff/1/?file=2065518#file2065518line99>
> >
> >     I don't get why this clientIPAddress is used. This is not a client 
> > IP address, but the current Elasticsearch server's address. This could confuse the 
> > users. Why not just leave it empty, if ES won't provide it automatically?

OK, I will get the client IP address from the REST request.


> On August 10, 2018, 12:50 p.m., Zsombor Gegesy wrote:
> > plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/client/ElasticsearchClient.java
> > Lines 139 (patched)
> > <https://reviews.apache.org/r/68128/diff/1/?file=2065520#file2065520line139>
> >
> >     I guess joptsimple.internal.Strings.EMPTY is just "". I don't think 
> > it is a good idea to depend on a library just for this, and this library is 
> > not directly included in the pom.

OK, thanks.


> On August 10, 2018, 12:50 p.m., Zsombor Gegesy wrote:
> > ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/RangerElasticserachPlugin.java
> > Lines 50 (patched)
> > <https://reviews.apache.org/r/68128/diff/1/?file=2065531#file2065531line50>
> >
> >     RangerElasticserachPlugin -> RangerElasticsearchPlugin

OK, thanks.


> On August 10, 2018, 12:50 p.m., Zsombor Gegesy wrote:
> > ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/action/filter/RangerSecurityActionFilter.java
> > Lines 76 (patched)
> > <https://reviews.apache.org/r/68128/diff/1/?file=2065532#file2065532line76>
> >
> >     Isn't it possible to get the user's IP address from 
> > action.remoteAddress()? I'm not too familiar with ES inner workings.

Thanks, I find the user's IP address can be obtained from the RestRequest in the 
following method:
org.apache.ranger.authorization.elasticsearch.plugin.rest.filter.RangerSecurityRestFilter.handleRequest(RestRequest,
 RestChannel, NodeClient)


> On August 10, 2018, 12:50 p.m., Zsombor Gegesy wrote:
> > ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/action/filter/RangerSecurityActionFilter.java
> > Lines 88 (patched)
> > <https://reviews.apache.org/r/68128/diff/1/?file=2065532#file2065532line88>
> >
> >     Isn't it a security problem, if no user name is there, the plugin 
> > allows everything?

1. It is designed for Elasticsearch internal calls, such as Elasticsearch starting 
up with no user name; 
otherwise the Elasticsearch cluster could not work.

2. A RESTful API call with no user name would throw an exception.
Please refer to the following test:
curl -X GET "localhost:9200/twitter/_stats?pretty"
{
  "error" : {
    "root_cause" : [
      {
        "type" : "status_exception",
        "reason" : "Error: User is null, the request requires user 
authentication."
      }
    ],
    "type" : "status_exception",
    "reason" : "Error: User is null, the request requires user authentication."
  },
  "status" : 401
}

3. Maybe there is a better design in the future,
to do more rigorous verification for the Elasticsearch cluster.


- Qiang


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68128/#review207073
-----------------------------------------------------------


On August 14, 2018, 8:46 a.m., Qiang Zhang wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68128/
> -----------------------------------------------------------
> 
> (Updated August 14, 2018, 8:46 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, pengjianhua, Ramesh Mani, 
> Selvamohan Neethiraj, sam  rome, Venkat Ranganathan, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2170
>     https://issues.apache.org/jira/browse/RANGER-2170
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Elasticsearch is a distributed, RESTful search and analytics engine capable 
> of solving a growing number of use cases. 
> Like Apache Solr, it is also an index server based on Lucene.
> Ranger supports a plugin to enable, monitor and manage Elasticsearch,
> to control index security in Elasticsearch.
> 
> There is an X-Pack plugin for Elasticsearch, but it is not free.
> X-Pack is an Elastic Stack extension that bundles security, alerting, 
> monitoring, reporting, 
> and graph capabilities into one easy-to-install package.
> We refer to the Indices Privileges design of X-Pack,
> keeping the permissions consistent,
> to let users use the Ranger Elasticsearch plugin easily.
> Reference X-Pack Indices Privileges:
> https://www.elastic.co/guide/en/x-pack/current/security-privileges.html
> 
> Here we develop Ranger Elasticsearch plugin, based on Elasticsearch version 
> 6.2.2.
> Elasticsearch 6.2.2 was released on February 20, 2018; reference 
> release notes:
> https://www.elastic.co/guide/en/elasticsearch/reference/6.2/release-notes-6.2.2.html
> Unlike other systems, Elasticsearch has no basic authentication; 
> it uses the X-Pack plugin to support basic authentication, 
> role-based access control, SSL/TLS encryption, LDAP and so on.
> Unlike X-Pack, our Ranger Elasticsearch plugin is designed to do 
> authorization only:
> it controls index access in Elasticsearch without doing authentication,
> so this plugin should work with another Elasticsearch plugin to authenticate users.
> 
> 
> Diffs
> -----
> 
>   agents-common/scripts/enable-agent.sh ce0dc8c 
>   agents-common/src/main/java/org/apache/ranger/plugin/client/BaseClient.java 
> e654f2b 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
>  5e74da8 
>   
> agents-common/src/main/resources/service-defs/ranger-servicedef-elasticsearch.json
>  PRE-CREATION 
>   plugin-elasticsearch/.gitignore PRE-CREATION 
>   plugin-elasticsearch/conf/ranger-elasticsearch-audit-changes.cfg 
> PRE-CREATION 
>   plugin-elasticsearch/conf/ranger-elasticsearch-audit.xml PRE-CREATION 
>   plugin-elasticsearch/conf/ranger-elasticsearch-security-changes.cfg 
> PRE-CREATION 
>   plugin-elasticsearch/conf/ranger-elasticsearch-security.xml PRE-CREATION 
>   plugin-elasticsearch/conf/ranger-policymgr-ssl-changes.cfg PRE-CREATION 
>   plugin-elasticsearch/conf/ranger-policymgr-ssl.xml PRE-CREATION 
>   plugin-elasticsearch/pom.xml PRE-CREATION 
>   plugin-elasticsearch/scripts/install.properties PRE-CREATION 
>   
> plugin-elasticsearch/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuthorizer.java
>  PRE-CREATION 
>   
> plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/RangerServiceElasticsearch.java
>  PRE-CREATION 
>   
> plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/client/ElasticsearchClient.java
>  PRE-CREATION 
>   
> plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/client/ElasticsearchResourceMgr.java
>  PRE-CREATION 
>   
> plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/privilege/IndexPrivilege.java
>  PRE-CREATION 
>   
> plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/privilege/IndexPrivilegeUtils.java
>  PRE-CREATION 
>   pom.xml 8d7ea13 
>   ranger-elasticsearch-plugin-shim/.gitignore PRE-CREATION 
>   ranger-elasticsearch-plugin-shim/conf/plugin-descriptor.properties 
> PRE-CREATION 
>   ranger-elasticsearch-plugin-shim/conf/plugin-security.policy PRE-CREATION 
>   ranger-elasticsearch-plugin-shim/pom.xml PRE-CREATION 
>   
> ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAccessControl.java
>  PRE-CREATION 
>   
> ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuthorizer.java
>  PRE-CREATION 
>   
> ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/RangerElasticsearchPlugin.java
>  PRE-CREATION 
>   
> ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/action/filter/RangerSecurityActionFilter.java
>  PRE-CREATION 
>   
> ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/authc/user/UsernamePasswordToken.java
>  PRE-CREATION 
>   
> ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/rest/filter/RangerSecurityRestFilter.java
>  PRE-CREATION 
>   
> ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/utils/RequestUtils.java
>  PRE-CREATION 
>   src/main/assembly/admin-web.xml d0f3545 
>   src/main/assembly/plugin-elasticsearch.xml PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/68128/diff/2/
> 
> 
> Testing
> -------
> 
> #Test Steps:
> 
> 1. Install
> Ranger Elasticsearch Plugin Installation Guide        
> https://cwiki.apache.org/confluence/display/RANGER/Elasticsearch+Plugin
> This includes installing Elasticsearch and the Ranger Elasticsearch Plugin,
> and verifying the install result.
> 
> 2.Create policy in Ranger Admin
> User "elasticsearch" has all permissions on all indices.
> User "yuwen" has permission "read" on index "twitter".
> 
> 3.Test permission
> 
> 3.1 successful:
> curl -u elasticsearch:xxx -X GET "localhost:9200/twitter/_stats?pretty"
> curl -u elasticsearch:xxx -X GET "localhost:9200/twitter2/_stats?pretty"
> curl -u yuwen:xxx -X GET "localhost:9200/twitter/_stats?pretty"
> 
> 3.2 failed:
> curl -X GET "localhost:9200/twitter/_stats?pretty"
> {
>   "error" : {
>     "root_cause" : [
>       {
>         "type" : "status_exception",
>         "reason" : "Error: User is null, the request requires user 
> authentication."
>       }
>     ],
>     "type" : "status_exception",
>     "reason" : "Error: User is null, the request requires user 
> authentication."
>   },
>   "status" : 401
> }
> 
> curl -u yuwen:xxx -X GET "localhost:9200/twitter2/_stats?pretty"
> {
>   "error" : {
>     "root_cause" : [
>       {
>         "type" : "status_exception",
>         "reason" : "Error: User[yuwen] could not do 
> action[indices:monitor/stats] on index[twitter2]"
>       }
>     ],
>     "type" : "status_exception",
>     "reason" : "Error: User[yuwen] could not do action[indices:monitor/stats] 
> on index[twitter2]"
>   },
>   "status" : 403
> }
> 
> 
> Thanks,
> 
> Qiang Zhang
> 
>
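Three of the review points above come together in one place: the audit record should carry the address of the HTTP peer rather than the node's own address (review point 1), a REST call with no user must be rejected with a 401 "status_exception" at the edge (the curl test in reply point 2), and the action filter's "no user, allow everything" rule should be narrowed so that it only covers calls that never passed through the REST layer (reply point 3). The following is an added example written for this page against the Elasticsearch 6.2 plugin API; it is not the Ranger plugin's code and does not reproduce its classes. The transient-context key names, the narrow Authorizer interface, the class name, and the choice to check index-less requests against the wildcard resource "*" are assumptions of the example.

```java
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.function.UnaryOperator;
import org.elasticsearch.ElasticsearchStatusException;
import org.elasticsearch.action.*;
import org.elasticsearch.action.support.ActionFilter;
import org.elasticsearch.action.support.ActionFilterChain;
import org.elasticsearch.client.node.NodeClient;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.*;
import org.elasticsearch.tasks.Task;

/** Added example, not the Ranger plugin's code: the REST layer authenticates and records the
 *  client IP, the action layer authorizes and fails closed if a REST request has no user. */
public final class FailClosedSecurityFilters {
    // Transient context keys (assumed names); node-local and scoped to the current request.
    static final String USER_KEY = "ranger.user", CLIENT_IP_KEY = "ranger.client_ip", FROM_REST_KEY = "ranger.from_rest";
    static final String USER_NULL_MSG = "Error: User is null, the request requires user authentication.";

    /** Hypothetical narrow view of the Ranger authorizer (the plugin has its own API). */
    public interface Authorizer { boolean isAllowed(String user, String clientIp, String action, String index); }

    /** Wraps every REST handler; return this from ActionPlugin.getRestHandlerWrapper(ThreadContext). */
    public static UnaryOperator<RestHandler> restWrapper(ThreadContext ctx) {
        return next -> (request, channel, client) -> handleRequest(ctx, next, request, channel, client);
    }

    static void handleRequest(ThreadContext ctx, RestHandler next, RestRequest request,
                              RestChannel channel, NodeClient client) throws Exception {
        String user = basicAuthUser(request.header("Authorization"));
        if (user == null) { // reject at the edge with the 401 status_exception seen in the curl test
            channel.sendResponse(new BytesRestResponse(channel,
                    new ElasticsearchStatusException(USER_NULL_MSG, RestStatus.UNAUTHORIZED)));
            return;
        }
        // The REST layer stashes a fresh context per request, so these keys are not already set.
        ctx.putTransient(FROM_REST_KEY, Boolean.TRUE);
        ctx.putTransient(USER_KEY, user);
        ctx.putTransient(CLIENT_IP_KEY, clientIp(request.getRemoteAddress()));
        next.handleRequest(request, channel, client);
    }

    /** User name from "Basic base64(user:password)"; null when absent or malformed. */
    static String basicAuthUser(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try { decoded = new String(Base64.getDecoder().decode(authorization.substring(6).trim()), StandardCharsets.UTF_8); }
        catch (IllegalArgumentException e) { return null; }
        int colon = decoded.indexOf(':');
        return colon > 0 ? decoded.substring(0, colon) : null;
    }

    /** Peer address of the HTTP connection (the real client IP), not the node's own address. */
    static String clientIp(SocketAddress remote) {
        return remote instanceof InetSocketAddress ? ((InetSocketAddress) remote).getAddress().getHostAddress() : "";
    }

    public static final class SecurityActionFilter implements ActionFilter {
        private final ThreadContext ctx;
        private final Authorizer authorizer;

        public SecurityActionFilter(ThreadContext ctx, Authorizer authorizer) { this.ctx = ctx; this.authorizer = authorizer; }

        @Override
        public int order() { return Integer.MIN_VALUE; } // run before any other action filter

        @Override
        public <Request extends ActionRequest, Response extends ActionResponse> void apply(
                Task task, String action, Request request, ActionListener<Response> listener,
                ActionFilterChain<Request, Response> chain) {
            String user = ctx.getTransient(USER_KEY);
            if (user == null) {
                if (Boolean.TRUE.equals(ctx.getTransient(FROM_REST_KEY))) {
                    // A REST request that lost its user is a bug or tampering: fail closed.
                    listener.onFailure(new ElasticsearchStatusException(USER_NULL_MSG, RestStatus.UNAUTHORIZED));
                    return;
                }
                chain.proceed(task, action, request, listener); // node-internal call: no REST request behind it
                return;
            }
            String clientIp = ctx.getTransient(CLIENT_IP_KEY);
            String[] indices = request instanceof IndicesRequest ? ((IndicesRequest) request).indices() : null;
            if (indices == null || indices.length == 0) indices = new String[] {"*"}; // assumption: index-less requests are checked against "*"
            for (String index : indices) {
                if (!authorizer.isAllowed(user, clientIp, action, index)) {
                    listener.onFailure(new ElasticsearchStatusException(
                            "Error: User[{}] could not do action[{}] on index[{}]", RestStatus.FORBIDDEN, user, action, index));
                    return;
                }
            }
            chain.proceed(task, action, request, listener);
        }
    }
}
```

Transient values in the ThreadContext stay on the node that received the HTTP request, which is also where the action filter for that request runs, so the action layer can tell "REST request that somehow has no user" from "call that never came through REST" and only the latter keeps the permissive path the plugin relies on at startup. A `curl` without `-u`, as in the failing test above, is answered by the REST layer and never reaches the action filter; an authenticated but unauthorized call produces the 403 with the same message shape as the review's `yuwen` example.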
