> On Oct. 15, 2022, 4:17 p.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
> > Lines 44 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270179#file2270179line44>
> >
> >     Yes, it was a question. I was not sure whether we are printing would 
> > have sensitive information. If it doesn't the suggestion is not to print 
> > them. The reason being, it is common for applications to be configured to 
> > DEBUG level during troubleshooting sessions and also in some cases, these 
> > logs are sent to external systems like DataDog (in the cloud) or other log 
> > aggregation tools and it would be difficult to enforce any policies in 
> > those tools.

I removed debug logging for sensitive info everywhere. It will make debugging 
harder but I agree it is necessary.


- Barbara


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224797
-----------------------------------------------------------


On Nov. 3, 2022, 5:36 p.m., Barbara Eckman wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74142/
> -----------------------------------------------------------
> 
> (Updated Nov. 3, 2022, 5:36 p.m.)
> 
> 
> Review request for ranger and madhan.
> 
> 
> Bugs: Ranger-3855
>     https://issues.apache.org/jira/browse/Ranger-3855
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RangerExternalUserStoreRetriever class Ranger-3855
> 
> Ranger version 3.0.0 provides a means, via a context enricher, to add or 
> retrieve attributes to the database of users for whom Ranger controls access. 
> This permits syntax like "Dumbo" in $USER.aliases any Ranger policy 
> condition, including row and tag filters.   This greatly enhances the ability 
> to provide custom Attribute-based Access Control based on the specific 
> business needs of one's organization.
> 
> I believe that the original assumption was that such attributes would be 
> added to AD/LDAP and enter Ranger via regular user sync's. However, this 
> process does not currently work with Azure AD, which many organizations use. 
> Neither does it provide timely support for organizations for whom adding each 
> new attribute to AD would be subject to prolonged scrutiny by overworked 
> security teams.  
> 
> In the spirit of the RangerAdminUserStoreRetriever context enricher, we have 
> written a RangerExternalUserStoreRetriever class which adds arbitrary 
> attributes to Ranger users via external API calls, thus freeing additions to 
> the UserStore from dependency on AD/LDAP.   We have also written a 
> RangerRoleUserStoreRetriever class, which transforms role membership into 
> user attributes, for ease of use in complex policy conditions.
> 
> 
> Diffs
> -----
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
>  PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java
>  PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java
>  PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/LICENSE
>  PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/NOTICE
>  PRE-CREATION 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md
>  PRE-CREATION 
>   dev-support/spotbugsIncludeFile.xml 3621e8c08 
>   plugin-nestedstructure/README.md ea878f6a2 
> 
> 
> Diff: https://reviews.apache.org/r/74142/diff/4/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Barbara Eckman
> 
>

Reply via email to