mneethiraj commented on code in PR #1017:
URL: https://github.com/apache/ranger/pull/1017#discussion_r3410099763
##########
dev-support/ranger-docker/scripts/admin/create-ranger-services.py:
##########
@@ -129,9 +129,9 @@ def service_not_exists(service):
'configs': {'username': 'hdfs', 'password': 'hdfs',
'ozone.om.http-address': 'http://om:9874',
'hadoop.security.authentication': 'simple',
- 'policy.download.auth.users': 'ozone',
- 'tag.download.auth.users': 'ozone',
- 'userstore.download.auth.users': 'ozone',
+ 'policy.download.auth.users':
'ozone,om,scm,dn',
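Review bot: the new `policy.download.auth.users` value on the `+` line widens the set of accounts allowed to download this service's policies from one (`ozone`) to four (`ozone,om,scm,dn`). Every name in this list can pull the full policy set, so keep it to the accounts that need to download policies. Apply the same rule to the `tag.download.auth.users` and `userstore.download.auth.users` entries removed just above, if they come back with a new value.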
Review Comment:
The Ranger plugin runs only in Ozone Manager (om). Please update this
configuration to list only the username associated with the Kerberos principal
used by om.
##########
dev-support/ranger-docker/scripts/admin/create-ranger-services.py:
##########
@@ -148,7 +148,35 @@ def service_not_exists(service):
'ranger.plugin.super.users': 'solr',
'ranger.plugin.solr.policy.refresh.synchronous':'true'}})
-services = [hdfs, yarn, hive, hbase, kafka, knox, kms, trino, ozone, solr]
+tag = RangerService({'name': 'dev_tag', 'type': 'tag',
Review Comment:
The `tag` service is automatically created (refer: RANGER-2481). No need to
create it explicitly.
##########
dev-support/ranger-docker/scripts/admin/create-ranger-services.py:
##########
@@ -148,7 +148,35 @@ def service_not_exists(service):
'ranger.plugin.super.users': 'solr',
'ranger.plugin.solr.policy.refresh.synchronous':'true'}})
-services = [hdfs, yarn, hive, hbase, kafka, knox, kms, trino, ozone, solr]
+tag = RangerService({'name': 'dev_tag', 'type': 'tag',
+ 'configs': {'ranger.plugin.audit.filters': "[
{'accessResult': 'DENIED', 'isAudited': true} ]"}})
+
+atlas = RangerService({'name': 'dev_atlas', 'type': 'atlas',
Review Comment:
The Ranger docker setup doesn't include Atlas, Kudu, NiFi; hence it is not
necessary to create service instances for these.
##########
audit-server/audit-ingestor/src/main/resources/conf/ranger-audit-ingestor-site.xml:
##########
@@ -207,23 +273,55 @@
RULE:[2:$1/$2@$0]([ndj]n/.*@.*|hdfs/.*@.*)s/.*/hdfs/
RULE:[2:$1/$2@$0]([rn]m/.*@.*|yarn/.*@.*)s/.*/yarn/
RULE:[2:$1/$2@$0](jhs/.*@.*)s/.*/mapred/
+ RULE:[2:$1/$2@$0](hive/.*@.*)s/.*/hive/
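Review bot: the added rule's pattern `(hive/.*@.*)` ends in `@.*`, so it matches a `hive/<host>` principal from any realm and maps it to the local user `hive`. If an explicit mapping is needed here at all, pin the realm in the pattern so that a principal from another trusted realm cannot resolve to `hive`.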
Review Comment:
Lines 276 to 290: the mappings introduced in this PR are already covered by
the DEFAULT rule; hence there is no need to explicitly specify these mappings.
--
This is an automated message from the Apache Git Service.