-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73253/#review222748
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java
Lines 68 (patched)
<https://reviews.apache.org/r/73253/#comment311922>

    - RANGER_PLUGIN_AUDIT_FILTERS => RANGER_DEFALT_AUDIT_FILTERS_FILENAME_PREFIX
    - ranger-plugin-audit-filters => ranger-default-audit-filters



agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java
Lines 469 (patched)
<https://reviews.apache.org/r/73253/#comment311921>

    Instead of serviceType as a parameter, consider using this.serviceType.



agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java
Lines 475 (patched)
<https://reviews.apache.org/r/73253/#comment311913>

    To ensure inStream is closed, consider try-with-resources:
     try (InputStream inStream = getClass().getResourceAsStream(resource)) {
       ...
     }



agents-common/src/main/resources/audit-filters/ranger-plugin-audit-filters-hbase.json
Lines 1 (patched)
<https://reviews.apache.org/r/73253/#comment311914>

    - policy #1: audit should be filtered only for hbase service user
    - policy #2: audit should be filtered only for atlas service user
    - add following policy as the first entry:
      {'accessResult': 'DENIED', 'isAudited': true},



agents-common/src/main/resources/audit-filters/ranger-plugin-audit-filters-hdfs.json
Lines 1 (patched)
<https://reviews.apache.org/r/73253/#comment311915>

    - policy #2: I suggest removing this policy, as these paths are deployment
      specific, hence the default may not be useful/desirable
    - policy #3: please confirm if wildcards are supported for 'actions'. If
      not, replace 'rename*' with appropriate action strings
    - policy #4: I suggest removing this policy, as service usernames are
      deployment specific, hence the default may not be useful/desirable
    - policy #6: perhaps isAudited should be false here?



agents-common/src/main/resources/audit-filters/ranger-plugin-audit-filters-hive.json
Lines 1 (patched)
<https://reviews.apache.org/r/73253/#comment311916>

    I think policy #2 should be removed. Why should audits be skipped for updates?



agents-common/src/main/resources/audit-filters/ranger-plugin-audit-filters-kafka.json
Lines 1 (patched)
<https://reviews.apache.org/r/73253/#comment311917>

    - first policy should be to audit all deny
    - replace policy #1 and #2 with:
      - user=atlas, topic=ATLAS_ENTITIES, action=publish, audited=false
      - user=atlas, topic=ATLAS_HOOK, action=consume, audited=false
      - user=[hive,hbase,impala,nifi], topic=ATLAS_HOOK, action=publish, audited=false
      - user=rangertagsync, topic=ATLAS_ENTITIES, action=consume, audited=false
      - user=[atlas, rangertagsync], consumergroup=*, action=consume, audited=false
    - policy #3: remove users rangertagsync and atlas



security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
Lines 1387 (patched)
<https://reviews.apache.org/r/73253/#comment311919>

    Is it necessary to update 'service-def' with default audit filter policies?



security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
Lines 5777 (patched)
<https://reviews.apache.org/r/73253/#comment311920>

    Instead of instantiating RangerDefaultService, consider the following -
    similar to usage in populateDefaultPolicies():
        RangerBaseService svc = serviceMgr.getRangerServiceByService(service, this);



security-admin/src/main/java/org/apache/ranger/patch/PatchForDefaultAuidtFilters_J10047.java
Lines 103 (patched)
<https://reviews.apache.org/r/73253/#comment311926>

    logger.info("Found " + xxServiceList.size() + " services");



security-admin/src/main/java/org/apache/ranger/patch/PatchForDefaultAuidtFilters_J10047.java
Lines 108 (patched)
<https://reviews.apache.org/r/73253/#comment311924>

    if (rangerService != null && !rangerService.getConfigs().containsKey(RANGER_PLUGIN_AUDIT_FILTERS)) {
      ...
    }



security-admin/src/main/java/org/apache/ranger/patch/PatchForDefaultAuidtFilters_J10047.java
Lines 118 (patched)
<https://reviews.apache.org/r/73253/#comment311927>

    logger.info("adding default audit-filter to service " + rangerService.getName());



security-admin/src/main/java/org/apache/ranger/patch/PatchForDefaultAuidtFilters_J10047.java
Lines 120 (patched)
<https://reviews.apache.org/r/73253/#comment311928>

    else {
      logger.info("No default audit-filter available for service " + rangerService.getName() + ". Skipped");
    }



security-admin/src/main/java/org/apache/ranger/patch/PatchForDefaultAuidtFilters_J10047.java
Lines 128 (patched)
<https://reviews.apache.org/r/73253/#comment311925>

    addDefaultServiceConfig => addDefaultAuditFilterConfig


- Madhan Neethiraj


On March 31, 2021, 1:03 p.m., Dineshkumar Yadav wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73253/
> -----------------------------------------------------------
> 
> (Updated March 31, 2021, 1:03 p.m.)
> 
> 
> Review request for ranger, Gautam Borad, Kishor Gollapalliwar, Abhay 
> Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, and 
> Velmurugan Periasamy.
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Default audit filters should be automatically configured when ranger repos 
> are created.
> 
> We will have default audit filters for each repo in JSON format at the
> location below:
> agents-common/src/main/resources/audit-filters/
> Service creation API: at the time of service creation, it will fetch the
> default audit filters if not already present and add them as service config.
> Service creation from UI: it will fetch the default audit filters and show
> them in the audit filter section of the service creation page.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBaseService.java 65c34e857
>   agents-common/src/main/resources/audit-filters/ranger-plugin-audit-filters-hbase.json PRE-CREATION
>   agents-common/src/main/resources/audit-filters/ranger-plugin-audit-filters-hdfs.json PRE-CREATION
>   agents-common/src/main/resources/audit-filters/ranger-plugin-audit-filters-hive.json PRE-CREATION
>   agents-common/src/main/resources/audit-filters/ranger-plugin-audit-filters-kafka.json PRE-CREATION
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 7179dc998
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 40917cdf4
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql ba9eb0157
>   security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 371846f1e
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 90004ec77
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java a7871eda8
>   security-admin/src/main/java/org/apache/ranger/patch/PatchForDefaultAuidtFilters_J10047.java PRE-CREATION
>   security-admin/src/main/webapp/scripts/views/service/ServiceForm.js 668fa794b
>
> 
> 
> Diff: https://reviews.apache.org/r/73253/diff/1/
> 
> 
> Testing
> -------
> 
> Testing Done
> Default audit filter is getting added when service is created.
> 
> 
> Thanks,
> 
> Dineshkumar Yadav
> 
>
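
The ordering point in the Kafka comment above (audit every deny first, then exclude routine Atlas and tagsync traffic), as an added example that is not part of the review or of Ranger's code. It assumes filters are evaluated in order with the first match deciding; the flat `users`/`topic`/`action` keys follow the reviewer's shorthand rather than Ranger's JSON schema, and `matches`, `is_audited` and `default` are hypothetical names.

```python
from fnmatch import fnmatchcase

# Constructed filter list following the Kafka review comment. The flat keys
# are a simplification for illustration, not Ranger's actual filter schema.
KAFKA_FILTERS = [
    {"accessResult": "DENIED", "isAudited": True},
    {"users": ["atlas"], "topic": "ATLAS_ENTITIES", "action": "publish",
     "isAudited": False},
    {"users": ["atlas"], "topic": "ATLAS_HOOK", "action": "consume",
     "isAudited": False},
    {"users": ["hive", "hbase", "impala", "nifi"], "topic": "ATLAS_HOOK",
     "action": "publish", "isAudited": False},
    {"users": ["rangertagsync"], "topic": "ATLAS_ENTITIES",
     "action": "consume", "isAudited": False},
    {"users": ["atlas", "rangertagsync"], "consumergroup": "*",
     "action": "consume", "isAudited": False},
]

# Wildcards are honoured only for resource names; actions and access results
# are compared exactly, since wildcard support for actions is unconfirmed.
RESOURCE_KEYS = {"topic", "consumergroup"}


def matches(flt, event):
    """A filter matches when every criterion it specifies matches the event."""
    for key, want in flt.items():
        if key == "isAudited":
            continue
        if key == "users":
            if event.get("user") not in want:
                return False
        elif key in RESOURCE_KEYS:
            if key not in event or not fnmatchcase(event[key], want):
                return False
        elif event.get(key) != want:
            return False
    return True


def is_audited(filters, event, default=True):
    """First matching filter decides; `default` stands in for the audit
    setting that applies when no filter matches (assumption)."""
    for flt in filters:
        if matches(flt, event):
            return flt["isAudited"]
    return default
```

With the deny rule moved to the end of the list, a denied `atlas` consume on `ATLAS_HOOK` matches the exclusion first and is dropped from the audit trail.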
