-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74464/
-----------------------------------------------------------
(Updated June 6, 2023, 3:29 p.m.)
Review request for ranger, Abhishek Kumar, Dineshkumar Yadav, Kishor
Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Nikhil P, Pradeep Agrawal,
Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
Updated patch along with REST approach
Bugs: RANGER-4255
https://issues.apache.org/jira/browse/RANGER-4255
Repository: ranger
Description (updated)
-------
**Problem Statement:** Currently, Ranger authentication entries are stored
in the x_auth_sess table, which may have a lot of entries in a few days. Users
need to manually remove the entries from the x_auth_sess table from time to time
in order to maintain disk space or handle disk space issues in a production env.
**Proposed Solution:**
**Option-1:** Delete the entries during every start of the ranger-admin service:
This patch exposes two ranger configs:
1) "ranger.admin.init.purge.login_records" => should be set to 'true'. Default
is false.
2) "ranger.admin.init.purge.login_records.retention.days" => accepts
positive numerical values in days.
According to the above configs, during the start of ranger-admin, x_auth_sess
table entries older than the mentioned days shall be removed.
When "ranger.admin.init.purge.login_records" is set to 'true' and
"ranger.admin.init.purge.login_records.retention.days" is set to a positive
number, this feature shall be effective.
**Option-2:** Users can call the REST API mentioned below to delete the records.
Users must use a credential which has the admin role in ranger to call this REST
API.
curl -u admin:admin -H "Accept: application/json" \
  -H "Content-Type: application/json" -X DELETE \
  'http://localhost:6080/service/public/v2/api/server/purge/records?type=login_records&days=5'
If the days parameter is not provided, then the default value 180 shall be considered.
**Note:** The proposed implementation shall not delete entries every day, as
no daemon process shall be running in the background; hence deletion
of entries shall be attempted only during the start of ranger.
Diffs (updated)
-----
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 04aee289e
security-admin/src/main/java/org/apache/ranger/db/XXAuthSessionDao.java c3bd13c63
security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 69d2260de
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3447eb20e
security-admin/src/main/resources/META-INF/jpa_named_queries.xml 2baf53673
security-admin/src/main/resources/conf.dist/ranger-admin-site.xml 839cf180a
Diff: https://reviews.apache.org/r/74464/diff/2/
Changes: https://reviews.apache.org/r/74464/diff/1-2/
Testing (updated)
-------
**Approach-1:** ranger-admin start approach
Added "ranger.admin.init.purge.login_records" and
"ranger.admin.init.purge.login_records.retention.days" in ranger-admin-site.xml
with value 6 and restarted the ranger-admin.
Verified the entries of x_auth_sess table after restart and it does not have
entries older than 6 days.
**Approach-2:** REST API approach
curl -u admin:admin -H "Accept: application/json" \
  -H "Content-Type: application/json" -X DELETE \
  'http://localhost:6080/service/public/v2/api/server/purge/records?type=login_records&days=5'
The request completed successfully with response code 204. Checked the entries in
the x_auth_sess table manually and the x_auth_sess entries were deleted.
The log below was printed in the ranger log file:
2023-06-06 14:18:52,585 INFO org.apache.ranger.biz.ServiceDBStore: [http-nio-6080-exec-22]: Deleted 2388 records from x_auth_sess that are older than 5 days
Note: Below is the SQL statement to check the x_auth_sess table records:
select date(create_time),count(*) from x_auth_sess group by date(create_time);
Thanks,
Pradeep Agrawal
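
Added example, not part of the review request and not Ranger's code: a Python sketch over an in-memory SQLite stand-in for x_auth_sess that applies the retention rule described above (start-up purge only when the flag is 'true' and the days value is positive; 180 days when the REST days parameter is omitted) and counts the affected rows in a dry run before deleting. The minimal table layout, the function names and the sample rows are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

DEFAULT_REST_DAYS = 180  # default the description gives when "days" is omitted
FMT = "%Y-%m-%d %H:%M:%S"


def startup_retention(props):
    """Days to keep if the start-up purge is in effect, else None (hypothetical helper)."""
    enabled = props.get("ranger.admin.init.purge.login_records", "false").strip().lower() == "true"
    raw = props.get("ranger.admin.init.purge.login_records.retention.days", "").strip()
    days = int(raw) if raw.isdecimal() else 0  # rejects negatives and non-numeric values
    return days if enabled and days > 0 else None


def purge_login_records(conn, now, days=None, dry_run=False):
    """Count (dry_run) or delete x_auth_sess rows older than `days` days."""
    days = DEFAULT_REST_DAYS if days is None else days
    if days <= 0:
        raise ValueError("retention days must be a positive number")
    cutoff = (now - timedelta(days=days)).strftime(FMT)
    if dry_run:
        sql = "SELECT count(*) FROM x_auth_sess WHERE create_time < ?"
        return conn.execute(sql, (cutoff,)).fetchone()[0]
    with conn:  # commits on success, rolls back if the DELETE fails
        return conn.execute("DELETE FROM x_auth_sess WHERE create_time < ?", (cutoff,)).rowcount


def per_day_counts(conn):
    """The verification query quoted in the description."""
    return conn.execute(
        "select date(create_time),count(*) from x_auth_sess group by date(create_time)").fetchall()


def build_sample_db(now):
    """Constructed data: one row per day for the last 10 days (assumed minimal schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE x_auth_sess (id INTEGER PRIMARY KEY, create_time TEXT)")
    rows = [((now - timedelta(days=i, hours=1)).strftime(FMT),) for i in range(10)]
    conn.executemany("INSERT INTO x_auth_sess (create_time) VALUES (?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    now = datetime(2023, 6, 6, 15, 0, 0)
    conn = build_sample_db(now)
    days = startup_retention({"ranger.admin.init.purge.login_records": "true",
                              "ranger.admin.init.purge.login_records.retention.days": "6"})
    print("would delete:", purge_login_records(conn, now, days, dry_run=True))
    print("deleted:", purge_login_records(conn, now, days))
    print(per_day_counts(conn))
```

Running the dry-run count first gives a figure to compare with the "Deleted N records" line that the purge writes to the ranger log.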