[jira] [Updated] (RANGER-1916) Remove duplicate code and optimize code in AtlasClient.class

2017-12-05 Thread peng.jianhua (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1916?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

peng.jianhua updated RANGER-1916:
-
Attachment: 0001-RANGER-1916-Remove-duplicate-code-and-optimize-code-.patch

> Remove duplicate code and optimize code in AtlasClient.class
> 
>
> Key: RANGER-1916
> URL: https://issues.apache.org/jira/browse/RANGER-1916
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Affects Versions: master
>Reporter: peng.jianhua
>Assignee: peng.jianhua
>Priority: Minor
> Fix For: master
>
> Attachments: 
> 0001-RANGER-1916-Remove-duplicate-code-and-optimize-code-.patch
>
>
> Remove duplicate code and optimize code in AtlasClient.class
> The following code
> “if (client != null) {
>   client.destroy();
> }”
> in connectionTestResource and connectionTestResource method has been
> declared and executed in the getResourceList method that called them, so
> remove duplicate code, and change the code "AtlasClient AtlasClient = null;"
> to "AtlasClient atlasClient = null;"



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


Review Request 64365: RANGER-1916:Remove duplicate code and optimize code in AtlasClient.class

2017-12-05 Thread pengjianhua

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64365/
---

Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
Neethiraj, Velmurugan Periasamy, and Qiang Zhang.


Bugs: RANGER-1916
https://issues.apache.org/jira/browse/RANGER-1916


Repository: ranger


Description
---

Remove duplicate code and optimize code in AtlasClient.class
The following code
“if (client != null) {
  client.destroy();
}”
in connectionTestResource and connectionTestResource method has been declared
and executed in the getResourceList method that called them, so remove duplicate
code, and change the code "AtlasClient AtlasClient = null;" to "AtlasClient
atlasClient = null;"


Diffs
-

  
plugin-atlas/src/main/java/org/apache/ranger/services/atlas/client/AtlasClient.java
 857df87 


Diff: https://reviews.apache.org/r/64365/diff/1/


Testing
---

Tested it.


Thanks,

pengjianhua



[jira] [Updated] (RANGER-1916) Remove duplicate code and optimize code in AtlasClient.class

2017-12-05 Thread peng.jianhua (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1916?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

peng.jianhua updated RANGER-1916:
-
Description:
Remove duplicate code and optimize code in AtlasClient.class
The following code
“if (client != null) {
  client.destroy();
}”
in connectionTestResource and connectionTestResource method has been
declared and executed in the getResourceList method that called them, so remove
duplicate code, and change the code "AtlasClient AtlasClient = null;" to
"AtlasClient atlasClient = null;"

  was:
Remove duplicate code and optimize code in AtlasClient.class
The following code
“if (client != null) {
  client.destroy();
}”
in connectionTestResource and connectionTestResource method has been
declared in the run() method that called them, so remove duplicate code, and
change the code "AtlasClient AtlasClient = null;" to "AtlasClient atlasClient =
null;"


> Remove duplicate code and optimize code in AtlasClient.class
> 
>
> Key: RANGER-1916
> URL: https://issues.apache.org/jira/browse/RANGER-1916
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Affects Versions: master
>Reporter: peng.jianhua
>Assignee: peng.jianhua
>Priority: Minor
> Fix For: master
>
>
> Remove duplicate code and optimize code in AtlasClient.class
> The following code
> “if (client != null) {
>   client.destroy();
> }”
> in connectionTestResource and connectionTestResource method has been
> declared and executed in the getResourceList method that called them, so
> remove duplicate code, and change the code "AtlasClient AtlasClient = null;"
> to "AtlasClient atlasClient = null;"





[jira] [Updated] (RANGER-1916) Remove duplicate code and optimize code in AtlasClient.class

2017-12-05 Thread peng.jianhua (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1916?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

peng.jianhua updated RANGER-1916:
-
Description:
Remove duplicate code and optimize code in AtlasClient.class
The following code
“if (client != null) {
  client.destroy();
}”
in connectionTestResource and connectionTestResource method has been
declared in the run() method that called them, so remove duplicate code, and
change the code "AtlasClient AtlasClient = null;" to "AtlasClient atlasClient =
null;"

  was:
Remove duplicate code and optimize code in AtlasClient.class
The following code in connectionTestResource and connectionTestResource method
has been declared in the run() method that called them, so remove duplicate
code, and change the code "AtlasClient AtlasClient = null;" to "AtlasClient
atlasClient = null;"


> Remove duplicate code and optimize code in AtlasClient.class
> 
>
> Key: RANGER-1916
> URL: https://issues.apache.org/jira/browse/RANGER-1916
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Affects Versions: master
>Reporter: peng.jianhua
>Assignee: peng.jianhua
>Priority: Minor
> Fix For: master
>
>
> Remove duplicate code and optimize code in AtlasClient.class
> The following code
> “if (client != null) {
>   client.destroy();
> }”
> in connectionTestResource and connectionTestResource method has been
> declared in the run() method that called them, so remove duplicate code, and
> change the code "AtlasClient AtlasClient = null;" to "AtlasClient atlasClient
> = null;"





[jira] [Created] (RANGER-1916) Remove duplicate code and optimize code in AtlasClient.class

2017-12-05 Thread peng.jianhua (JIRA)
peng.jianhua created RANGER-1916:


         Summary: Remove duplicate code and optimize code in AtlasClient.class
             Key: RANGER-1916
             URL: https://issues.apache.org/jira/browse/RANGER-1916
         Project: Ranger
      Issue Type: Improvement
      Components: plugins
Affects Versions: master
        Reporter: peng.jianhua
        Assignee: peng.jianhua
        Priority: Minor
         Fix For: master


Remove duplicate code and optimize code in AtlasClient.class
The following code in connectionTestResource and connectionTestResource method
has been declared in the run() method that called them, so remove duplicate
code, and change the code "AtlasClient AtlasClient = null;" to "AtlasClient
atlasClient = null;"





Re: Review Request 64323: RANGER-1915:Optimize the code and keep the code style consistent in the RangerAdminRESTClient class

2017-12-05 Thread Qiang Zhang

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64323/#review192964
---


Ship it!




Ship It!

- Qiang Zhang


On Dec. 5, 2017, 2:39 a.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/64323/
> ---
> 
> (Updated Dec. 5, 2017, 2:39 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1915
> https://issues.apache.org/jira/browse/RANGER-1915
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Default constructors didn't need to display declarations and Most of the 
> places using HttpServletResponse status code in RangerAdminRESTClient class.
> HttpServletResponse.SC_UNAUTHORIZED Replaces 401 to keep the code style 
> consistent.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
>  0aa400f 
> 
> 
> Diff: https://reviews.apache.org/r/64323/diff/1/
> 
> 
> Testing
> ---
> 
> Tested it.
> 
> 
> Thanks,
> 
> pengjianhua
> 
>



[jira] [Resolved] (RANGER-1797) Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

2017-12-05 Thread peng.jianhua (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1797?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

peng.jianhua resolved RANGER-1797.
--
   Resolution: Fixed
Fix Version/s: master
   1.0.0

> Tomcat Security Vulnerability Alert. The version of the tomcat for ranger 
> should upgrade to 7.0.82.
> ---
>
> Key: RANGER-1797
> URL: https://issues.apache.org/jira/browse/RANGER-1797
> Project: Ranger
>  Issue Type: Bug
>  Components: admin
>Affects Versions: 1.0.0, master
>Reporter: peng.jianhua
>Assignee: peng.jianhua
>  Labels: patch
> Fix For: 1.0.0, master
>
> Attachments: 
> 0001-RANGER-1797-Tomcat-Security-Vulnerability-Alert.-The.patch, catalina.out
>
>
> 【Security Vulnerability Alert】Tomcat Information leakage and remote code 
> execution vulnerabilities.
> CVE ID:
> {code}
> CVE-2017-12615\CVE-2017-12616
> {code}
> Description
> {code}
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with
> HTTP PUTs enabled, it was possible to upload a JSP file to the server via a
> specially crafted request. This JSP could then be requested and any code it
> contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to
> 7.0.80, it was possible to use a specially crafted request, bypass security
> constraints, or get the source code of JSPs for resources served by the
> VirtualDirContext, thereby causing code disclosure.
> {code}
> Scope
> {code}
> CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
> {code}
> Solution
> {code}
> The official release of the Apache Tomcat 7.0.81 version has fixed the two 
> vulnerabilities and recommends upgrading to the latest version.
> {code}
> Reference
> {code}
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> {code}





[jira] [Updated] (RANGER-1707) Update RangerHdfsAuthorizer for changes in traverse checks since Hadoop 2.8

2017-12-05 Thread Abhay Kulkarni (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1707?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhay Kulkarni updated RANGER-1707:
---
Summary:  Update RangerHdfsAuthorizer for changes in traverse checks since 
Hadoop 2.8  (was: Traverse check in RangerHdfsAuthorizer works incorrectly)

>  Update RangerHdfsAuthorizer for changes in traverse checks since Hadoop 2.8
> 
>
> Key: RANGER-1707
> URL: https://issues.apache.org/jira/browse/RANGER-1707
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
>Affects Versions: 1.0.0
>Reporter: Zsombor Gegesy
>Assignee: Abhay Kulkarni
>  Labels: hdfs-2.8
> Fix For: 1.0.0
>
> Attachments: 
> 0001-RANGER-1707-Fix-hdfs-traverse-check-which-problem-wa.patch, 
> RANGER-1707-2.patch, RANGER-1707-3.patch
>
>
> Traversal check in RangerHdfsAuthorizer works incorrectly: when it is asked
> for access to /a/b/c.txt, it only checks whether there is a policy which
> grants EXEC to /a/b, but if there isn't any, then it doesn't check whether
> there is a policy which grants READ, WRITE or EXEC to /a/b/c.txt explicitly,
> which would mean that the path is accessible to the user.
> This hasn't been noticed by the current unit tests, because HDFS before 2.8.0
> didn't call the traversal check before reading or writing a file; however,
> it will cause problems with 2.8.0, where FSDirectory.resolvePath will perform
> a mandatory traversal check.





Re: Review Request 64228: Traverse check in RangerHdfsAuthorizer works incorrectly

2017-12-05 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64228/#review192956
---


Ship it!




Ship It!

- Madhan Neethiraj


On Dec. 5, 2017, 11:45 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/64228/
> ---
> 
> (Updated Dec. 5, 2017, 11:45 p.m.)
> 
> 
> Review request for ranger, Colm O hEigeartaigh, Zsombor Gegesy, Madhan 
> Neethiraj, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1707
> https://issues.apache.org/jira/browse/RANGER-1707
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Traversal check in RangerHdfsAuthorizer works incorrectly: when it is asked
> for access to /a/b/c.txt, it only checks whether there is a policy which
> grants EXEC to /a/b, but if there isn't any, then it doesn't check whether
> there is a policy which grants READ, WRITE or EXEC to /a/b/c.txt explicitly,
> which would mean that the path is accessible to the user.
> This hasn't been noticed by the current unit tests, because HDFS before 2.8.0
> didn't call the traversal check before reading or writing a file; however,
> it will cause problems with 2.8.0, where FSDirectory.resolvePath will perform
> a mandatory traversal check.
> 
> This patch is based on the patch submitted for review 
> (https://reviews.apache.org/r/61062/) with following modifications.
> 1. If traversal check (check for EXECUTE on the parent/ancestor if resource 
> is a file) does not fail with explicit DENY by Ranger Authorizer, then it is 
> presumed to have succeeded without any further checks and no audit record 
> created. If it fails with DENY, then the authorization fails and an audit 
> record is created.
> 2. Test policies in hdfs-policies.json and test cases 
> (RangerHdfsAuthorizerTest) are modified to test for explicit DENY case.
> 
> 
> Diffs
> -
> 
>   hdfs-agent/pom.xml 87ba777 
>   
> hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
>  af4d9b5 
>   
> hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerAdminClientImpl.java
>  75d73aa 
>   
> hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java
>  PRE-CREATION 
>   hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies-tag.json 
> PRE-CREATION 
>   hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies.json 
> PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/64228/diff/3/
> 
> 
> Testing
> ---
> 
> Unit tested with HDFS versions 2.7.1 and 3.0.0.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



Re: Review Request 64228: Traverse check in RangerHdfsAuthorizer works incorrectly

2017-12-05 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64228/
---

(Updated Dec. 5, 2017, 11:45 p.m.)


Review request for ranger, Colm O hEigeartaigh, Zsombor Gegesy, Madhan 
Neethiraj, Ramesh Mani, and Velmurugan Periasamy.


Changes
---

Addressed review comments


Bugs: RANGER-1707
https://issues.apache.org/jira/browse/RANGER-1707


Repository: ranger


Description
---

Traversal check in RangerHdfsAuthorizer works incorrectly: when it is asked for
access to /a/b/c.txt, it only checks whether there is a policy which grants
EXEC to /a/b, but if there isn't any, then it doesn't check whether there is a
policy which grants READ, WRITE or EXEC to /a/b/c.txt explicitly, which would
mean that the path is accessible to the user.
This hasn't been noticed by the current unit tests, because HDFS before 2.8.0
didn't call the traversal check before reading or writing a file; however, it
will cause problems with 2.8.0, where FSDirectory.resolvePath will perform a
mandatory traversal check.

This patch is based on the patch submitted for review 
(https://reviews.apache.org/r/61062/) with following modifications.
1. If traversal check (check for EXECUTE on the parent/ancestor if resource is 
a file) does not fail with explicit DENY by Ranger Authorizer, then it is 
presumed to have succeeded without any further checks and no audit record 
created. If it fails with DENY, then the authorization fails and an audit 
record is created.
2. Test policies in hdfs-policies.json and test cases 
(RangerHdfsAuthorizerTest) are modified to test for explicit DENY case.


Diffs (updated)
-

  hdfs-agent/pom.xml 87ba777 
  
hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
 af4d9b5 
  
hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerAdminClientImpl.java
 75d73aa 
  
hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java
 PRE-CREATION 
  hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies-tag.json 
PRE-CREATION 
  hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies.json 
PRE-CREATION 


Diff: https://reviews.apache.org/r/64228/diff/3/

Changes: https://reviews.apache.org/r/64228/diff/2-3/


Testing
---

Unit tested with HDFS versions 2.7.1 and 3.0.0.


Thanks,

Abhay Kulkarni
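
Added example (not part of the thread and not Ranger's code): a simplified Java model of the traverse-check rule in the description above, next to the behaviour reported in RANGER-1707. The Policy class, exact-path matching, the method names and the sample users are assumptions made for this example; AuthzStatus and its three values are the names used in the review comments.

```java
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

// Added example: a simplified model, not code from RangerHdfsAuthorizer.
public class TraverseCheckDemo {
    enum Access { READ, WRITE, EXECUTE }
    enum AuthzStatus { ALLOW, DENY, NOT_DETERMINED }

    // Hypothetical policy record: exact path match, one user, allow or explicit deny.
    static final class Policy {
        final String path;
        final String user;
        final Set<Access> accesses;
        final boolean deny;

        Policy(String path, String user, Set<Access> accesses, boolean deny) {
            this.path = path;
            this.user = user;
            this.accesses = accesses;
            this.deny = deny;
        }
    }

    private final List<Policy> policies = new ArrayList<>();
    final List<String> auditLog = new ArrayList<>();

    void add(String path, String user, boolean deny, Access first, Access... rest) {
        policies.add(new Policy(path, user, EnumSet.of(first, rest), deny));
    }

    // Tri-state evaluation: an explicit deny wins, no matching policy is NOT_DETERMINED.
    AuthzStatus evaluate(String path, String user, Access access) {
        AuthzStatus ret = AuthzStatus.NOT_DETERMINED;
        for (Policy p : policies) {
            if (p.path.equals(path) && p.user.equals(user) && p.accesses.contains(access)) {
                if (p.deny) {
                    return AuthzStatus.DENY;
                }
                ret = AuthzStatus.ALLOW;
            }
        }
        return ret;
    }

    static String parentOf(String path) {
        int slash = path.lastIndexOf('/');
        return slash <= 0 ? "/" : path.substring(0, slash);
    }

    // Behaviour reported in RANGER-1707: without a grant of EXECUTE on the parent,
    // the policy on the file itself is never consulted.
    AuthzStatus checkRequiringParentGrant(String file, String user, Access access) {
        AuthzStatus traverse = evaluate(parentOf(file), user, Access.EXECUTE);
        return traverse == AuthzStatus.ALLOW ? evaluate(file, user, access) : traverse;
    }

    // Rule from the review description: only an explicit DENY fails the traverse
    // check (and is audited); otherwise it is presumed to have succeeded, with no
    // audit record, and the requested access on the file decides the outcome.
    AuthzStatus checkDenyOnlyTraverse(String file, String user, Access access) {
        String parent = parentOf(file);
        if (evaluate(parent, user, Access.EXECUTE) == AuthzStatus.DENY) {
            auditLog.add("DENIED user=" + user + " access=EXECUTE path=" + parent);
            return AuthzStatus.DENY;
        }
        return evaluate(file, user, access); // auditing of this result is omitted here
    }

    public static void main(String[] args) {
        TraverseCheckDemo authz = new TraverseCheckDemo();
        // Constructed policies: alice may READ the file, nothing is defined for /a/b;
        // bob may READ the file but is explicitly denied EXECUTE on /a/b.
        authz.add("/a/b/c.txt", "alice", false, Access.READ);
        authz.add("/a/b/c.txt", "bob", false, Access.READ);
        authz.add("/a/b", "bob", true, Access.EXECUTE);

        String file = "/a/b/c.txt";
        System.out.println("alice, parent grant required: "
                + authz.checkRequiringParentGrant(file, "alice", Access.READ));
        System.out.println("alice, deny-only traverse:    "
                + authz.checkDenyOnlyTraverse(file, "alice", Access.READ));
        System.out.println("bob, deny-only traverse:      "
                + authz.checkDenyOnlyTraverse(file, "bob", Access.READ));
        System.out.println("audit records: " + authz.auditLog);
    }
}
```

With the constructed policies, alice's read is left undetermined by the first method and allowed by the second, while bob's explicit deny on /a/b fails the request and produces the only audit record.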



Re: Review Request 64228: Traverse check in RangerHdfsAuthorizer works incorrectly

2017-12-05 Thread Madhan Neethiraj


> On Dec. 5, 2017, 9:44 p.m., Madhan Neethiraj wrote:
> > hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
> > Lines 452 (patched)
> > 
> >
> > This treats NOT_DETERMINED as ALLOW, which is different from the 
> > current behavior. Why not return NOT_DETERMINED from here?
> > 
> > if (result == null || !result.getIsAccessDetermined()) {
> >   ret = AuthzStatus.NOT_DETERMINED;
> > } else {
> >   ret = result.getIsAllowed() ? AuthzStatus.ALLOW : AuthzStatus.DENY;
> > }

I take back this comment. The implementation in this patch looks good!


- Madhan


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64228/#review192932
---


On Dec. 2, 2017, 1:25 a.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/64228/
> ---
> 
> (Updated Dec. 2, 2017, 1:25 a.m.)
> 
> 
> Review request for ranger, Colm O hEigeartaigh, Zsombor Gegesy, Madhan 
> Neethiraj, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1707
> https://issues.apache.org/jira/browse/RANGER-1707
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Traversal check in RangerHdfsAuthorizer works incorrectly: when it is asked
> for access to /a/b/c.txt, it only checks whether there is a policy which
> grants EXEC to /a/b, but if there isn't any, then it doesn't check whether
> there is a policy which grants READ, WRITE or EXEC to /a/b/c.txt explicitly,
> which would mean that the path is accessible to the user.
> This hasn't been noticed by the current unit tests, because HDFS before 2.8.0
> didn't call the traversal check before reading or writing a file; however,
> it will cause problems with 2.8.0, where FSDirectory.resolvePath will perform
> a mandatory traversal check.
> 
> This patch is based on the patch submitted for review 
> (https://reviews.apache.org/r/61062/) with following modifications.
> 1. If traversal check (check for EXECUTE on the parent/ancestor if resource 
> is a file) does not fail with explicit DENY by Ranger Authorizer, then it is 
> presumed to have succeeded without any further checks and no audit record 
> created. If it fails with DENY, then the authorization fails and an audit 
> record is created.
> 2. Test policies in hdfs-policies.json and test cases 
> (RangerHdfsAuthorizerTest) are modified to test for explicit DENY case.
> 
> 
> Diffs
> -
> 
>   hdfs-agent/pom.xml 87ba777 
>   
> hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
>  af4d9b5 
>   
> hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerAdminClientImpl.java
>  75d73aa 
>   
> hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java
>  PRE-CREATION 
>   hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies-tag.json 
> PRE-CREATION 
>   hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies.json 
> PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/64228/diff/2/
> 
> 
> Testing
> ---
> 
> Unit tested with HDFS versions 2.7.1 and 3.0.0.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



Re: Review Request 64228: Traverse check in RangerHdfsAuthorizer works incorrectly

2017-12-05 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64228/#review192932
---




hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
Lines 403 (patched)


Consider renaming 'alwaysAudit' as 'skipAuditOnAllow' (and reverse the 
value assigned in line #403, #406).



hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
Lines 430 (patched)


inode can't be null here - due to 'if' in line #416 above.



hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
Lines 452 (patched)


This treats NOT_DETERMINED as ALLOW, which is different from the current 
behavior. Why not return NOT_DETERMINED from here?

if (result == null || !result.getIsAccessDetermined()) {
  ret = AuthzStatus.NOT_DETERMINED;
} else {
  ret = result.getIsAllowed() ? AuthzStatus.ALLOW : AuthzStatus.DENY;
}


- Madhan Neethiraj


On Dec. 2, 2017, 1:25 a.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/64228/
> ---
> 
> (Updated Dec. 2, 2017, 1:25 a.m.)
> 
> 
> Review request for ranger, Colm O hEigeartaigh, Zsombor Gegesy, Madhan 
> Neethiraj, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1707
> https://issues.apache.org/jira/browse/RANGER-1707
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Traversal check in RangerHdfsAuthorizer works incorrectly: when it is asked
> for access to /a/b/c.txt, it only checks whether there is a policy which
> grants EXEC to /a/b, but if there isn't any, then it doesn't check whether
> there is a policy which grants READ, WRITE or EXEC to /a/b/c.txt explicitly,
> which would mean that the path is accessible to the user.
> This hasn't been noticed by the current unit tests, because HDFS before 2.8.0
> didn't call the traversal check before reading or writing a file; however,
> it will cause problems with 2.8.0, where FSDirectory.resolvePath will perform
> a mandatory traversal check.
> 
> This patch is based on the patch submitted for review 
> (https://reviews.apache.org/r/61062/) with following modifications.
> 1. If traversal check (check for EXECUTE on the parent/ancestor if resource 
> is a file) does not fail with explicit DENY by Ranger Authorizer, then it is 
> presumed to have succeeded without any further checks and no audit record 
> created. If it fails with DENY, then the authorization fails and an audit 
> record is created.
> 2. Test policies in hdfs-policies.json and test cases 
> (RangerHdfsAuthorizerTest) are modified to test for explicit DENY case.
> 
> 
> Diffs
> -
> 
>   hdfs-agent/pom.xml 87ba777 
>   
> hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
>  af4d9b5 
>   
> hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerAdminClientImpl.java
>  75d73aa 
>   
> hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java
>  PRE-CREATION 
>   hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies-tag.json 
> PRE-CREATION 
>   hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies.json 
> PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/64228/diff/2/
> 
> 
> Testing
> ---
> 
> Unit tested with HDFS versions 2.7.1 and 3.0.0.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



Re: Review Request 63995: Ranger-1488 Adding GaianDB plugin serviceDef

2017-12-05 Thread Shi Wang

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63995/
---

(Updated Dec. 5, 2017, 6:49 p.m.)


Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.


Changes
---

Adding full attributes to dataMaskDef resources


Repository: ranger


Description
---

Ranger-1488 Adding GaianDB plugin serviceDef


Diffs (updated)
-

  agents-common/src/main/resources/service-defs/ranger-servicedef-gaiandb.json 
PRE-CREATION 


Diff: https://reviews.apache.org/r/63995/diff/2/

Changes: https://reviews.apache.org/r/63995/diff/1-2/


Testing
---

Used curl -u admin:admin -X POST -H "Accept: application/json" -H 
"Content-Type: application/json" \
-d @ranger-servicedef-gaiandb.json 
http://hostname:6080/service/plugins/definitions 

to register and it shows the proper definition on UI, the only problem is the
masking tab is not showing.


Thanks,

Shi Wang



Re: Review Request 64051: RANGER-1906 - Simplify Atlas plugin dependency management

2017-12-05 Thread Colm O hEigeartaigh


> On Nov. 30, 2017, 6:52 a.m., Mehul Parikh wrote:
> > @Colm : Can you please confirm if Audit to HDFS and Audit to Solr are 
> > working after removal of these dependencies?
> 
> Colm O hEigeartaigh wrote:
> Hi Mehul,
> 
> I haven't actually removed any dependencies with this patch as such - the 
> distribution jars are exactly the same. The Solr jar is bundled via the 
> agents-common dependency, and the Atlas plugin takes the Hadoop jars from 
> Atlas itself instead of via the lib directory in the distribution.

@Mehul, As a sanity test I've verified that Atlas auditing to Solr works as 
expected.


- Colm


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64051/#review192242
---


On Nov. 28, 2017, 11:44 a.m., Colm O hEigeartaigh wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/64051/
> ---
> 
> (Updated Nov. 28, 2017, 11:44 a.m.)
> 
> 
> Review request for ranger.
> 
> 
> Bugs: RANGER-1906
> https://issues.apache.org/jira/browse/RANGER-1906
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> This task is to simplify the dependency management for the Atlas plugin. In 
> particular, the hadoop/solr dependencies should just be imported via the 
> ranger-plugin-commons dependency.
> 
> No changes are made to the resulting jars for the Atlas distribution.
> 
> 
> Diffs
> -
> 
>   plugin-atlas/pom.xml 957b4ce3 
>   ranger-atlas-plugin-shim/pom.xml a207d16b 
>   src/main/assembly/plugin-atlas.xml fd988116 
> 
> 
> Diff: https://reviews.apache.org/r/64051/diff/2/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> Colm O hEigeartaigh
> 
>



Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

2017-12-05 Thread bhavik patel

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192836
---


Ship it!




Ship It!

- bhavik patel


On Dec. 5, 2017, 2:59 a.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> ---
> 
> (Updated Dec. 5, 2017, 2:59 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
> https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code 
> execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with
> HTTP PUTs enabled, it was possible to upload a JSP file to the server via a
> specially crafted request. This JSP could then be requested and any code it
> contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to
> 7.0.80, it was possible to use a specially crafted request, bypass security
> constraints, or get the source code of JSPs for resources served by the
> VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two 
> vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -
> 
>   embeddedwebserver/pom.xml 81699573 
>   pom.xml 589cd6ac 
>   src/main/assembly/admin-web.xml aa37426f 
>   src/main/assembly/kms.xml 7c40ce4e 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/5/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> pengjianhua
> 
>



Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

2017-12-05 Thread Vishal Suvagia via Review Board


> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > 
> >
> > @PengJianhua,
> > I used attached patch and did a build on  my local machine 
> > using mvn clean compile package.
> > After that, I ran the setup for Ranger-Admin. Then I did a 
> > ranger-admin-services start. I am getting error in catalina.out file as the 
> > Tomcat server start itself is failing(PS: attached log file on apache jira).
> > 
> > To resolve the issue I had to add a dependency for javax.annotation-api.
> > 
> > Did the attached patch work for you without adding this dependency ? If 
> > yes Kindly share how did this work for you !
> 
> pengjianhua wrote:
> Ok. I didn't add this dependency. My compiling is ok. Please delete your 
> local maven repository. Then compile the ranger project using the following 
> command:
> sudo mvn clean compile package assembly:assembly install -DskipTests
> 
> Vishal Suvagia wrote:
> Pengjianhua, the compile goes through fine. But did Ranger-Admin service 
> start using the compiled packaged bits. Are you able to access Ranger UI ?
> 
> pengjianhua wrote:
> I can access ranger UI. Your question should have nothing to do with this 
> issue. If I guess good, you should be more in-depth understanding of how to 
> use ranger, please refer to the manual to configure your ranger.
> If you encounter problems during use, you can email me or the community.
> 
> bhavik patel wrote:
> @Pengjianhua : When I try to start Ranger-Admin and Ranger-KMS services, 
> the service start itself is failing and also got the same error in 
> catalina.out which Vishal has attached on jira. 
> 
> Not sure how it's working for you!!!
> 
> Colm O hEigeartaigh wrote:
> It also fails for me with errors in catalina.out like:
> 
> INFO: validateJarFile(../lib/javax.servlet-api-3.1.0.jar) - jar not 
> loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: 
> javax/servlet/Servlet.class
> 
> pengjianhua wrote:
> I compiled the source that I built the patch from. Based on the compiled
> version, I've been testing and verifying whether the issue affected Ranger's
> function. Maybe our latest modifications introduced new issues. I will also
> compile the latest source to further verify the problem you mentioned.
> 
> pengjianhua wrote:
> I'm sorry. In this patch I lacked the tomcat-annotations-api dependency 
> package. I had fixed this patch. Thanks!
> 
> pengjianhua wrote:
> Hi Colm and bhavik patel, Is there any problem now, if there is no 
> problem, I will merge this issue.
> 
> Vishal Suvagia wrote:
> Hi Pengjianhua,
>The versions for  org.apache.tomcat -> annotations-api 
> present here -> 
> https://mvnrepository.com/artifact/org.apache.tomcat/annotations-api do not 
> have a specific build for 7.0.82 (last stable build version is 6.0.53). 
> Additionally recent fixes from tomcat devs suggest that the 
> tomcat.annotations-api has been removed from tomcat-embed-core shipments in 
> favour of javax.annotations-api refer -> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=61439.
> 
> pengjianhua wrote:
> Ok. Thanks. How do you think we should deal with this issue? Should we 
> upgrade directly to tomcat7.0.83 or is there a better way to handle this 
> issue?
> 
> Vishal Suvagia wrote:
> Pengjianhua, Sadly looks like there is no tomcat-7.0.83 build out yet. 
> From what I have tried we will need to add a new dependency for 
> javax.annotation-api -> 
> https://mvnrepository.com/artifact/javax.annotation/javax.annotation-api.
> 
> pengjianhua wrote:
> Hi Vishal Suvagia, please reference to 
> http://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core/7.0.82
>  and 
> http://mvnrepository.com/artifact/org.apache.tomcat/tomcat-annotations-api/7.0.82.

Pengjianhua, my bad, looks like I missed on the tomcat-annotations-api, will 
drop the issue.


- Vishal


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
---


On Dec. 5, 2017, 2:59 a.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> ---
> 
> (Updated Dec. 5, 2017, 2:59 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
> https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> 

Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

2017-12-05 Thread pengjianhua


> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > 
> >
> > @PengJianhua,
> > I used attached patch and did a build on  my local machine 
> > using mvn clean compile package.
> > After that, I ran the setup for Ranger-Admin. Then I did a 
> > ranger-admin-services start. I am getting error in catalina.out file as the 
> > Tomcat server start itself is failing(PS: attached log file on apache jira).
> > 
> > To resolve the issue I had to add a dependency for javax.annotation-api.
> > 
> > Did the attached patch work for you without adding this dependency ? If 
> > yes Kindly share how did this work for you !
> 
> pengjianhua wrote:
> Ok. I didn't add this dependency. My compiling is ok. Please delete your 
> local maven repository. Then compile the ranger project using the following 
> command:
> sudo mvn clean compile package assembly:assembly install -DskipTests
> 
> Vishal Suvagia wrote:
> Pengjianhua, the compile goes through fine. But did Ranger-Admin service 
> start using the compiled packaged bits. Are you able to access Ranger UI ?
> 
> pengjianhua wrote:
> I can access ranger UI. Your question should have nothing to do with this 
> issue. If I guess good, you should be more in-depth understanding of how to 
> use ranger, please refer to the manual to configure your ranger.
> If you encounter problems during use, you can email me or the community.
> 
> bhavik patel wrote:
> @Pengjianhua : When I try to start Ranger-Admin and Ranger-KMS services, 
> the service start itself is failing and also got the same error in 
> catalina.out which Vishal has attached on jira. 
> 
> Not sure how it's working for you!!!
> 
> Colm O hEigeartaigh wrote:
> It also fails for me with errors in catalina.out like:
> 
> INFO: validateJarFile(../lib/javax.servlet-api-3.1.0.jar) - jar not 
> loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: 
> javax/servlet/Servlet.class
> 
> pengjianhua wrote:
> I compiled the source that I built the patch. Based on the compiling's 
> version I've been testing and verify whether the issue affected the ranger's 
> function. Maybe our latest modifications introduced new issues. I will also 
> compile the latest source to further verify the problem you mentioned.
> 
> pengjianhua wrote:
> I'm sorry. In this patch I lacked the tomcat-annotations-api dependency 
> package. I had fixed this patch. Thanks!
> 
> pengjianhua wrote:
> Hi Colm and bhavik patel, Is there any problem now, if there is no 
> problem, I will merge this issue.
> 
> Vishal Suvagia wrote:
> Hi Pengjianhua,
> The versions for org.apache.tomcat -> annotations-api 
> present here -> 
> https://mvnrepository.com/artifact/org.apache.tomcat/annotations-api do not 
> have a specific build for 7.0.82 (last stable build version is 6.0.53). 
> Additionally recent fixes from tomcat devs suggest that the 
> tomcat.annotations-api has been removed from tomcat-embed-core shipments in 
> favour of javax.annotations-api refer -> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=61439.
> 
> pengjianhua wrote:
> Ok. Thanks. How do you think we should deal with this issue? Should we 
> upgrade directly to tomcat7.0.83 or is there a better way to handle this 
> issue?
> 
> Vishal Suvagia wrote:
> Pengjianhua, Sadly looks like there is no tomcat-7.0.83 build out yet. 
> From what I have tried we will need to add a new dependency for 
> javax.annotation-api -> 
> https://mvnrepository.com/artifact/javax.annotation/javax.annotation-api.

Hi Vishal Suvagia, please reference to 
http://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core/7.0.82
 and 
http://mvnrepository.com/artifact/org.apache.tomcat/tomcat-annotations-api/7.0.82.


- pengjianhua


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
---


On Dec. 5, 2017, 2:59 a.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> ---
> 
> (Updated Dec. 5, 2017, 2:59 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
> https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code 
> execution vulnerabilities.
> 
> CVE ID:
> 

Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

2017-12-05 Thread Vishal Suvagia via Review Board


> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > 
> >
> > @PengJianhua,
> > I used attached patch and did a build on  my local machine 
> > using mvn clean compile package.
> > After that, I ran the setup for Ranger-Admin. Then I did a 
> > ranger-admin-services start. I am getting error in catalina.out file as the 
> > Tomcat server start itself is failing(PS: attached log file on apache jira).
> > 
> > To resolve the issue I had to add a dependency for javax.annotation-api.
> > 
> > Did the attached patch work for you without adding this dependency ? If 
> > yes Kindly share how did this work for you !
> 
> pengjianhua wrote:
> Ok. I didn't add this dependency. My compiling is ok. Please delete your 
> local maven repository. Then compile the ranger project using the following 
> command:
> sudo mvn clean compile package assembly:assembly install -DskipTests
> 
> Vishal Suvagia wrote:
> Pengjianhua, the compile goes through fine. But did Ranger-Admin service 
> start using the compiled packaged bits. Are you able to access Ranger UI ?
> 
> pengjianhua wrote:
> I can access ranger UI. Your question should have nothing to do with this 
> issue. If I guess good, you should be more in-depth understanding of how to 
> use ranger, please refer to the manual to configure your ranger.
> If you encounter problems during use, you can email me or the community.
> 
> bhavik patel wrote:
> @Pengjianhua : When I try to start Ranger-Admin and Ranger-KMS services, 
> the service start itself is failing and also got the same error in 
> catalina.out which Vishal has attached on jira. 
> 
> Not sure how it's working for you!!!
> 
> Colm O hEigeartaigh wrote:
> It also fails for me with errors in catalina.out like:
> 
> INFO: validateJarFile(../lib/javax.servlet-api-3.1.0.jar) - jar not 
> loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: 
> javax/servlet/Servlet.class
> 
> pengjianhua wrote:
> I compiled the source that I built the patch. Based on the compiling's 
> version I've been testing and verify whether the issue affected the ranger's 
> function. Maybe our latest modifications introduced new issues. I will also 
> compile the latest source to further verify the problem you mentioned.
> 
> pengjianhua wrote:
> I'm sorry. In this patch I lacked the tomcat-annotations-api dependency 
> package. I had fixed this patch. Thanks!
> 
> pengjianhua wrote:
> Hi Colm and bhavik patel, Is there any problem now, if there is no 
> problem, I will merge this issue.
> 
> Vishal Suvagia wrote:
> Hi Pengjianhua,
> The versions for org.apache.tomcat -> annotations-api 
> present here -> 
> https://mvnrepository.com/artifact/org.apache.tomcat/annotations-api do not 
> have a specific build for 7.0.82 (last stable build version is 6.0.53). 
> Additionally recent fixes from tomcat devs suggest that the 
> tomcat.annotations-api has been removed from tomcat-embed-core shipments in 
> favour of javax.annotations-api refer -> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=61439.
> 
> pengjianhua wrote:
> Ok. Thanks. How do you think we should deal with this issue? Should we 
> upgrade directly to tomcat7.0.83 or is there a better way to handle this 
> issue?

Pengjianhua, Sadly looks like there is no tomcat-7.0.83 build out yet. From 
what I have tried we will need to add a new dependency for javax.annotation-api 
-> https://mvnrepository.com/artifact/javax.annotation/javax.annotation-api.


- Vishal


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
---


On Dec. 5, 2017, 2:59 a.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> ---
> 
> (Updated Dec. 5, 2017, 2:59 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
> https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code 
> execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615:When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with 
> HTTP PUTs enabled, it was possible to upload a JSP file to the server via a 
> specially crafted request. This JSP could then be 

Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

2017-12-05 Thread pengjianhua


> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > 
> >
> > @PengJianhua,
> > I used attached patch and did a build on  my local machine 
> > using mvn clean compile package.
> > After that, I ran the setup for Ranger-Admin. Then I did a 
> > ranger-admin-services start. I am getting error in catalina.out file as the 
> > Tomcat server start itself is failing(PS: attached log file on apache jira).
> > 
> > To resolve the issue I had to add a dependency for javax.annotation-api.
> > 
> > Did the attached patch work for you without adding this dependency ? If 
> > yes Kindly share how did this work for you !
> 
> pengjianhua wrote:
> Ok. I didn't add this dependency. My compiling is ok. Please delete your 
> local maven repository. Then compile the ranger project using the following 
> command:
> sudo mvn clean compile package assembly:assembly install -DskipTests
> 
> Vishal Suvagia wrote:
> Pengjianhua, the compile goes through fine. But did Ranger-Admin service 
> start using the compiled packaged bits. Are you able to access Ranger UI ?
> 
> pengjianhua wrote:
> I can access ranger UI. Your question should have nothing to do with this 
> issue. If I guess good, you should be more in-depth understanding of how to 
> use ranger, please refer to the manual to configure your ranger.
> If you encounter problems during use, you can email me or the community.
> 
> bhavik patel wrote:
> @Pengjianhua : When I try to start Ranger-Admin and Ranger-KMS services, 
> the service start itself is failing and also got the same error in 
> catalina.out which Vishal has attached on jira. 
> 
> Not sure how it's working for you!!!
> 
> Colm O hEigeartaigh wrote:
> It also fails for me with errors in catalina.out like:
> 
> INFO: validateJarFile(../lib/javax.servlet-api-3.1.0.jar) - jar not 
> loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: 
> javax/servlet/Servlet.class
> 
> pengjianhua wrote:
> I compiled the source that I built the patch. Based on the compiling's 
> version I've been testing and verify whether the issue affected the ranger's 
> function. Maybe our latest modifications introduced new issues. I will also 
> compile the latest source to further verify the problem you mentioned.
> 
> pengjianhua wrote:
> I'm sorry. In this patch I lacked the tomcat-annotations-api dependency 
> package. I had fixed this patch. Thanks!
> 
> pengjianhua wrote:
> Hi Colm and bhavik patel, Is there any problem now, if there is no 
> problem, I will merge this issue.
> 
> Vishal Suvagia wrote:
> Hi Pengjianhua,
> The versions for org.apache.tomcat -> annotations-api 
> present here -> 
> https://mvnrepository.com/artifact/org.apache.tomcat/annotations-api do not 
> have a specific build for 7.0.82 (last stable build version is 6.0.53). 
> Additionally recent fixes from tomcat devs suggest that the 
> tomcat.annotations-api has been removed from tomcat-embed-core shipments in 
> favour of javax.annotations-api refer -> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=61439.

Ok. Thanks. How do you think we should deal with this issue? Should we upgrade 
directly to tomcat7.0.83 or is there a better way to handle this issue?


- pengjianhua


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
---


On Dec. 5, 2017, 2:59 a.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> ---
> 
> (Updated Dec. 5, 2017, 2:59 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
> https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code 
> execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615:When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with 
> HTTP PUTs enabled, it was possible to upload a JSP file to the server via a 
> specially crafted request. This JSP could then be requested and any code it 
> contained would be executed by the server.
> CVE-2017-12616:When using a VirtualDirContext with Apache Tomcat 7.0.0 to 
> 7.0.80, it was possible to use a specially crafted request, bypass security 
> constraints, or get the source code of JSPs 

Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

2017-12-05 Thread Vishal Suvagia via Review Board


> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > 
> >
> > @PengJianhua,
> > I used attached patch and did a build on  my local machine 
> > using mvn clean compile package.
> > After that, I ran the setup for Ranger-Admin. Then I did a 
> > ranger-admin-services start. I am getting error in catalina.out file as the 
> > Tomcat server start itself is failing(PS: attached log file on apache jira).
> > 
> > To resolve the issue I had to add a dependency for javax.annotation-api.
> > 
> > Did the attached patch work for you without adding this dependency ? If 
> > yes Kindly share how did this work for you !
> 
> pengjianhua wrote:
> Ok. I didn't add this dependency. My compiling is ok. Please delete your 
> local maven repository. Then compile the ranger project using the following 
> command:
> sudo mvn clean compile package assembly:assembly install -DskipTests
> 
> Vishal Suvagia wrote:
> Pengjianhua, the compile goes through fine. But did Ranger-Admin service 
> start using the compiled packaged bits. Are you able to access Ranger UI ?
> 
> pengjianhua wrote:
> I can access ranger UI. Your question should have nothing to do with this 
> issue. If I guess good, you should be more in-depth understanding of how to 
> use ranger, please refer to the manual to configure your ranger.
> If you encounter problems during use, you can email me or the community.
> 
> bhavik patel wrote:
> @Pengjianhua : When I try to start Ranger-Admin and Ranger-KMS services, 
> the service start itself is failing and also got the same error in 
> catalina.out which Vishal has attached on jira. 
> 
> Not sure how it's working for you!!!
> 
> Colm O hEigeartaigh wrote:
> It also fails for me with errors in catalina.out like:
> 
> INFO: validateJarFile(../lib/javax.servlet-api-3.1.0.jar) - jar not 
> loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: 
> javax/servlet/Servlet.class
> 
> pengjianhua wrote:
> I compiled the source that I built the patch. Based on the compiling's 
> version I've been testing and verify whether the issue affected the ranger's 
> function. Maybe our latest modifications introduced new issues. I will also 
> compile the latest source to further verify the problem you mentioned.
> 
> pengjianhua wrote:
> I'm sorry. In this patch I lacked the tomcat-annotations-api dependency 
> package. I had fixed this patch. Thanks!
> 
> pengjianhua wrote:
> Hi Colm and bhavik patel, Is there any problem now, if there is no 
> problem, I will merge this issue.

Hi Pengjianhua,
   The versions for  org.apache.tomcat -> annotations-api present 
here -> https://mvnrepository.com/artifact/org.apache.tomcat/annotations-api do 
not have a specific build for 7.0.82 (last stable build version is 6.0.53). 
Additionally recent fixes from tomcat devs suggest that the 
tomcat.annotations-api has been removed from tomcat-embed-core shipments in 
favour of javax.annotations-api refer -> 
https://bz.apache.org/bugzilla/show_bug.cgi?id=61439.


- Vishal


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
---


On Dec. 5, 2017, 2:59 a.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> ---
> 
> (Updated Dec. 5, 2017, 2:59 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
> https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code 
> execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615:When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with 
> HTTP PUTs enabled, it was possible to upload a JSP file to the server via a 
> specially crafted request. This JSP could then be requested and any code it 
> contained would be executed by the server.
> CVE-2017-12616:When using a VirtualDirContext with Apache Tomcat 7.0.0 to 
> 7.0.80, it was possible to use a specially crafted request, bypass security 
> constraints, or get the source code of JSPs for resources served by the 
> VirtualDirContext, thereby caused code disclosure.
> 
> Scope
> CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official 
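
A check a packager could run over the assembled lib directory listing before shipping the Tomcat upgrade discussed in this thread; it is an added example, not code from the Ranger project or from the review request. The name `audit_lib`, the finding labels and the sample jar listings are constructed for illustration; the affected ranges are the ones quoted in the review request's Scope section, and expecting `tomcat-annotations-api` at the same version as `tomcat-embed-core` is an assumption drawn from the thread.

```python
import posixpath
import re

# Affected ranges exactly as quoted in the review request's "Scope" section.
AFFECTED = {
    "CVE-2017-12615": ((7, 0, 0), (7, 0, 79)),
    "CVE-2017-12616": ((7, 0, 0), (7, 0, 80)),
}
TOMCAT_JAR = re.compile(
    r"^(tomcat-embed-core|tomcat-annotations-api)-(\d+)\.(\d+)\.(\d+)\.jar$")
# Kind of jar named in the catalina.out validateJarFile message quoted in the thread.
SERVLET_API_JAR = re.compile(r"^(javax\.)?servlet-api-\d[\d.]*\.jar$")


def audit_lib(jar_paths):
    """Return (label, detail) findings for a list of jar paths (hypothetical helper)."""
    findings = []
    versions = {}
    for path in jar_paths:
        name = posixpath.basename(path)
        match = TOMCAT_JAR.match(name)
        if match:
            versions[match.group(1)] = tuple(int(p) for p in match.group(2, 3, 4))
        elif SERVLET_API_JAR.match(name):
            # Tomcat skips webapp jars that bundle javax/servlet/Servlet.class.
            findings.append(("servlet-api-in-lib", name))

    core = versions.get("tomcat-embed-core")
    if core is None:
        findings.append(("missing", "tomcat-embed-core"))
        return findings

    # Tuple comparison gives correct numeric ordering (7.0.9 < 7.0.79).
    for cve in sorted(AFFECTED):
        low, high = AFFECTED[cve]
        if low <= core <= high:
            findings.append((cve, "tomcat-embed-core-%d.%d.%d" % core))

    # Assumption from the thread: the annotations jar must be present and
    # must track the embed-core version.
    annotations = versions.get("tomcat-annotations-api")
    if annotations is None:
        findings.append(("missing", "tomcat-annotations-api"))
    elif annotations != core:
        findings.append(("version-mismatch",
                         "tomcat-annotations-api-%d.%d.%d" % annotations))
    return findings


# Constructed listings; they are not taken from a real Ranger build.
SAMPLES = {
    "old": ["lib/tomcat-embed-core-7.0.79.jar",
            "lib/tomcat-annotations-api-7.0.79.jar"],
    "partial": ["lib/tomcat-embed-core-7.0.82.jar",
                "../lib/javax.servlet-api-3.1.0.jar"],
    "fixed": ["lib/tomcat-embed-core-7.0.82.jar",
              "lib/tomcat-annotations-api-7.0.82.jar"],
}

if __name__ == "__main__":
    for label in sorted(SAMPLES):
        print(label, audit_lib(SAMPLES[label]))
```
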

Re: Review Request 64323: RANGER-1915:Optimize the code and keep the code style consistent in the RangerAdminRESTClient class

2017-12-05 Thread Zsombor Gegesy

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/64323/#review192825
---


Ship it!




Ship It!

- Zsombor Gegesy


On Dec. 5, 2017, 2:39 a.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/64323/
> ---
> 
> (Updated Dec. 5, 2017, 2:39 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1915
> https://issues.apache.org/jira/browse/RANGER-1915
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Default constructors didn't need to display declarations and Most of the 
> places using HttpServletResponse status code in RangerAdminRESTClient class.
> HttpServletResponse.SC_UNAUTHORIZED Replaces 401 to keep the code style 
> consistent.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
>  0aa400f 
> 
> 
> Diff: https://reviews.apache.org/r/64323/diff/1/
> 
> 
> Testing
> ---
> 
> Tested it.
> 
> 
> Thanks,
> 
> pengjianhua
> 
>