-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74464/#review225528
-----------------------------------------------------------


Ship it!




Ship It!

- Madhan Neethiraj


On June 6, 2023, 6:57 p.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74464/
> -----------------------------------------------------------
> 
> (Updated June 6, 2023, 6:57 p.m.)
> 
> 
> Review request for ranger, Abhishek  Kumar, Dineshkumar Yadav, Kishor 
> Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Nikhil P, Pradeep Agrawal, 
> Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4255
>     https://issues.apache.org/jira/browse/RANGER-4255
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement:** Currently ranger authentication entries are being 
> stored in the x_auth_sess table, which may have a lot of entries in a few 
> days. Users need to manually remove the entries from the x_auth_sess table 
> from time to time in order to maintain disk space or handle disk space 
> issues in a production env.
> 
> **Proposed Solution:** 
> 
> **Option-1:** Delete the entries during every start of ranger-admin service:
> 
> This patch exposes two ranger configs:
> 1) "ranger.admin.init.purge.login_records" => should be set to 'true'. 
> Default is false.
> 2) "ranger.admin.init.purge.login_records.retention.days" => which accepts 
> positive numerical values in days. 
> 
> According to the above configs, during the start of ranger-admin, 
> x_auth_sess table entries older than the mentioned days shall be removed. 
> 
> When "ranger.admin.init.purge.login_records" is set to 'true' and the 
> "ranger.admin.init.purge.login_records.retention.days" value is set to a 
> positive number, this feature shall be effective.
> 
> 
> **Option-2:** Users can call the below-mentioned REST API to delete the 
> records. Users must use a credential which has the admin role in ranger to 
> call this REST API.
> 
> curl -u admin:admin -H "Accept: application/json" \
>   -H "Content-Type: application/json" -X DELETE \
>   'http://localhost:6080/service/public/v2/api/server/purge/records?type=login_records&retentionDays=5'
> 
> If the retentionDays parameter is not provided, then the default value 180 
> shall be considered.
> 
> 
> **Note:** The proposed implementation shall not delete entries every day, as 
> no daemon process shall be running in the background; hence deletion 
> of entries shall be attempted only during the start of ranger.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
> 04aee289e 
>   security-admin/src/main/java/org/apache/ranger/db/XXAuthSessionDao.java 
> c3bd13c63 
>   security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 
> 69d2260de 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
> 3447eb20e 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml 2baf53673 
>   security-admin/src/main/resources/conf.dist/ranger-admin-site.xml 839cf180a 
> 
> 
> Diff: https://reviews.apache.org/r/74464/diff/3/
> 
> 
> Testing
> -------
> 
> **Approach-1:** ranger-admin start approach
> 
> Added "ranger.admin.init.purge.login_records" and 
> "ranger.admin.init.purge.login_records.retention.days" in 
> ranger-admin-site.xml with value 6 and restarted the ranger-admin.
> Verified the entries of x_auth_sess table after restart and it does not have 
> entries older than 6 days.
> 
> **Approach-2:** REST API approach
> 
> curl -u admin:admin -H "Accept: application/json" \
>   -H "Content-Type: application/json" -X DELETE \
>   'http://localhost:6080/service/public/v2/api/server/purge/records?type=login_records&retentionDays=5'
> 
> 
> The request completed successfully with response code 204. Checked the 
> entries in the x_auth_sess table manually and the x_auth_sess entries were 
> deleted. The log below was printed in the ranger log file: 
> 
> 2023-06-06 14:18:52,585 INFO  org.apache.ranger.biz.ServiceDBStore: 
> [http-nio-6080-exec-22]: Deleted 2388 records from x_auth_sess that are older 
> than 5 days
> 
> Note: Below is the SQL statement to check the x_auth_sess table records:
> select date(create_time),count(*) from x_auth_sess group by date(create_time);
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>
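
Added example, not part of the original mail or of the Ranger patch: since the quoted note says the start-up purge runs only when ranger-admin starts, a cron-style wrapper around the REST call from the mail can cover the time in between. The RANGER_URL and RANGER_NETRC variables, the netrc path, the function names and the --run switch are assumptions made for this sketch; the endpoint, query parameters, default of 180 days and the 204 response come from the mail.

```sh
#!/bin/sh
# Added example: scheduled purge of Ranger login records through the REST API.
# Variable names, function names and the netrc path below are hypothetical.

RANGER_URL="${RANGER_URL:-http://localhost:6080}"
RANGER_NETRC="${RANGER_NETRC:-/etc/ranger/purge.netrc}"  # assumed path, mode 0600
DEFAULT_RETENTION_DAYS=180   # default stated in the mail

# Accept only a positive integer so nothing else reaches the query string.
valid_days() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# Build the DELETE URL in the form shown in the mail.
purge_url() {
    days="${1:-$DEFAULT_RETENTION_DAYS}"
    valid_days "$days" || { echo "invalid retentionDays: $days" >&2; return 1; }
    printf '%s/service/public/v2/api/server/purge/records?type=login_records&retentionDays=%s\n' \
        "${RANGER_URL%/}" "$days"
}

# The mail reports HTTP 204 on success; anything else counts as a failure.
purge_succeeded() {
    [ "$1" = "204" ]
}

purge_login_records() {
    url=$(purge_url "$1") || return 1
    # --netrc-file keeps the admin password out of the process list and history,
    # unlike "-u admin:admin" on the command line.
    status=$(curl -sS -o /dev/null -w '%{http_code}' --netrc-file "$RANGER_NETRC" \
        -H 'Accept: application/json' -X DELETE "$url") || return 1
    if purge_succeeded "$status"; then
        echo "purge ok (retentionDays=${1:-$DEFAULT_RETENTION_DAYS})"
    else
        echo "purge failed: HTTP $status" >&2
        return 1
    fi
}

# Contacts the server only when called as: <script> --run [days]  (e.g. from cron)
if [ "${1:-}" = "--run" ]; then
    purge_login_records "${2:-}"
fi
```

The netrc file needs a `machine` entry for the Ranger host with an account that holds the admin role, as the mail requires for this API.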
