Re: Review Request 67635: RANGER-2136 - Upgrade to the released version of Atlas 1.0.0

2018-06-18 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67635/#review204937
---


Ship it!




Ship It!

- Abhay Kulkarni


On June 18, 2018, 3:56 p.m., Colm O hEigeartaigh wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/67635/
> ---
> 
> (Updated June 18, 2018, 3:56 p.m.)
> 
> 
> Review request for ranger.
> 
> 
> Bugs: RANGER-2136
> https://issues.apache.org/jira/browse/RANGER-2136
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> We should update to the released version of Atlas 1.0.0.
> 
> 
> Diffs
> -
> 
>   pom.xml 95ba4604b 
> 
> 
> Diff: https://reviews.apache.org/r/67635/diff/1/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> Colm O hEigeartaigh
> 
>



Review Request 67635: RANGER-2136 - Upgrade to the released version of Atlas 1.0.0

2018-06-18 Thread Colm O hEigeartaigh

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67635/
---

Review request for ranger.


Bugs: RANGER-2136
https://issues.apache.org/jira/browse/RANGER-2136


Repository: ranger


Description
---

We should update to the released version of Atlas 1.0.0.


Diffs
-

  pom.xml 95ba4604b 


Diff: https://reviews.apache.org/r/67635/diff/1/


Testing
---


Thanks,

Colm O hEigeartaigh



[jira] [Updated] (RANGER-2136) Upgrade to the released version of Atlas 1.0.0

2018-06-18 Thread Colm O hEigeartaigh (JIRA)


[ https://issues.apache.org/jira/browse/RANGER-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated RANGER-2136:

Attachment: 0001-RANGER-2136-Upgrade-to-the-released-version-of-Atlas.patch

> Upgrade to the released version of Atlas 1.0.0
> --
>
> Key: RANGER-2136
> URL: https://issues.apache.org/jira/browse/RANGER-2136
> Project: Ranger
>  Issue Type: Task
>  Components: plugins
>Reporter: Colm O hEigeartaigh
>Assignee: Colm O hEigeartaigh
>Priority: Minor
> Fix For: 1.1.0
>
> Attachments: 
> 0001-RANGER-2136-Upgrade-to-the-released-version-of-Atlas.patch
>
>
> We should update to the released version of Atlas 1.0.0.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Created] (RANGER-2136) Upgrade to the released version of Atlas 1.0.0

2018-06-18 Thread Colm O hEigeartaigh (JIRA)
Colm O hEigeartaigh created RANGER-2136:
---

 Summary: Upgrade to the released version of Atlas 1.0.0
 Key: RANGER-2136
 URL: https://issues.apache.org/jira/browse/RANGER-2136
 Project: Ranger
  Issue Type: Task
  Components: plugins
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
 Fix For: 1.1.0


We should update to the released version of Atlas 1.0.0.





[jira] [Commented] (RANGER-2131) Ranger UserSync port (ie 5151) supports TLSv1.0

2018-06-18 Thread Nikhil Purbhe (JIRA)


[ https://issues.apache.org/jira/browse/RANGER-2131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16515542#comment-16515542 ]

Nikhil Purbhe commented on RANGER-2131:
---

patch committed on 
[master|https://github.com/apache/ranger/commit/6cf1471c240930d33a4d3334a2d011a9dfd22ea8]

> Ranger UserSync port (ie 5151) supports TLSv1.0
> ---
>
> Key: RANGER-2131
> URL: https://issues.apache.org/jira/browse/RANGER-2131
> Project: Ranger
>  Issue Type: Bug
>  Components: usersync
>Affects Versions: 1.0.0
>Reporter: t oo
>Assignee: Nikhil Purbhe
>Priority: Major
>  Labels: security
> Fix For: 1.1.0
>
> Attachments: RANGER-2131.patch
>
>
> THREAT:
> TLS is capable of using a multitude of ciphers (algorithms) to create the 
> public and private key pairs.
> For example, TLSv1.0 uses either the RC4 stream cipher or a block cipher 
> in CBC mode.
> RC4 is known to have biases, and the block cipher in CBC mode is vulnerable to 
> the POODLE attack.
> TLSv1.0, if configured to use the same cipher suites as SSLv3, includes a 
> means by which a TLS implementation can downgrade the connection to
> SSL v3.0, thus weakening security.
> A POODLE-type ([https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls]) 
> attack could also be launched directly at TLS without negotiating a
> downgrade.
> This QID will be marked as a Fail for PCI as of May 1st, 2017 in accordance 
> with the new standards. For existing implementations, Merchants will
> be able to submit a PCI False Positive / Exception Request and provide proof 
> of their Risk Mitigation and Migration Plan, which will result in a pass
> for PCI up until June 30th, 2018.
> Further details can be found at: NEW PCI DSS v3.2 and Migrating from SSL and 
> Early TLS v1.1 ([https://community.qualys.com/message/34120])
> IMPACT:
> An attacker can exploit cryptographic flaws to conduct man-in-the-middle type 
> attacks or to decrypt communications.
> For example: An attacker could force a downgrade from the TLS protocol to the 
> older SSLv3.0 protocol and exploit the POODLE vulnerability, read
> secure communications or maliciously modify messages.
> A POODLE-type ([https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls]) 
> attack could also be launched directly at TLS without negotiating a
> downgrade.
> SOLUTION:
> Disable the use of the TLSv1.0 protocol in favor of a cryptographically stronger 
> protocol such as TLSv1.2.
> The following openssl command can be used
> to do a manual test:
> openssl s_client -connect ip:port -tls1
> If the test is successful, then the target supports TLSv1.



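As an added example, not Ranger's code or the patch attached to this issue, the manual openssl check from the SOLUTION above written as a small Python audit: it pins a client handshake to one protocol version at a time, reports which versions the port accepts, and shows the server-side context that refuses anything below TLSv1.2. The host and port are whatever you pass in (for usersync, the 5151 port named in the title); the probe disables certificate verification because it tests protocol support, not identity.

```python
import socket
import ssl

# Versions to probe, oldest first; the names double as report keys.
VERSIONS = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}
LEGACY = {"TLSv1", "TLSv1.1"}  # the "early TLS" a PCI scan flags, as in this issue


def probe(host, port, version, timeout=5.0):
    """Handshake pinned to one version: True if the server accepts it, False if
    it refuses, None if the local OpenSSL will not even offer it (a false
    negative to watch for on modern hosts, where TLSv1.0 is off client-side)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # protocol probe only, not an identity check
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = version
    except ValueError:  # this OpenSSL build does not know the version at all
        return None
    raw = socket.create_connection((host, port), timeout=timeout)  # closed port raises
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return True
    except ssl.SSLError as exc:
        return None if exc.reason == "NO_PROTOCOLS_AVAILABLE" else False
    except OSError:  # server dropped the connection instead of sending an alert
        return False
    finally:
        raw.close()


def audit(host, port):
    """Report {version name: True | False | None} for every version in VERSIONS."""
    return {name: probe(host, port, ver) for name, ver in VERSIONS.items()}


def is_compliant(report):
    """False if a legacy version was accepted, None if a legacy probe was
    inconclusive, True otherwise."""
    legacy = [report.get(name) for name in LEGACY]
    if any(v is True for v in legacy):
        return False
    return None if any(v is None for v in legacy) else True


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side fix: refuse TLSv1.0/1.1 outright, whatever the cipher list says."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # server certificate and key in PEM form
    return ctx
```

`audit("usersync-host", 5151)` returns the per-version report and `is_compliant()` turns it into the scanner's verdict; a `None` for TLSv1 means the local OpenSSL refused to offer it, so that probe has to be repeated from a host that still can.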


[jira] [Commented] (RANGER-2130) Ranger Admin - client-side control bypass

2018-06-18 Thread Don Bosco Durai (JIRA)


[ https://issues.apache.org/jira/browse/RANGER-2130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16515419#comment-16515419 ]

Don Bosco Durai commented on RANGER-2130:
-

[~toopt4], I am not sure whether this is a valid issue. What you are seeing 
are the roles supported by Ranger. There is no harm in knowing all the roles 
supported by Ranger, especially since Ranger is an open source project and the 
source code is available to everyone.

I would have been more concerned if, by changing the UI field values, a regular 
user were able to impersonate an Admin user and make server-side 
changes. But based on your comment, the server gives an appropriate error when 
you do it.

Let me know if you still feel this is an issue.

Thanks

> Ranger Admin - client-side control bypass
> -
>
> Key: RANGER-2130
> URL: https://issues.apache.org/jira/browse/RANGER-2130
> Project: Ranger
>  Issue Type: Bug
>  Components: admin
>Affects Versions: 1.0.0
>Reporter: t oo
>Assignee: Nitin Galave
>Priority: Major
> Attachments: 0001-RANGER-2130.patch, Screen Shot 2018-06-11 at 
> 10.36.39 am.png, client_side_controls1.PNG, client_side_controls2.PNG
>
>
> *Risk/Issue summary finding*
> {code:java}
> Client-side Control Bypass (Ranger){code}
> *Risk/Issue summary description/detail*
> {code:java}
> The Apache Ranger application relies on client-side controls to restrict user 
> access to certain information and functionality. A user can bypass these 
> controls (by modifying client-side parameters or directly browsing to 
> specific API requests or resources) to view information without the required 
> authorisation.
> The attached screenshots show the "admin" user bypassing client-side controls 
> to modify their Role from "User" to "Admin". Whilst submitting this request 
> is unsuccessful and will not permanently change the user role, the GUI allows 
> access to sections that were previously hidden.{code}
> *Business impact / attack scenario*
> {code:java}
> Low privilege users with restricted access are able to view information that 
> is not intended for their viewing. As an example, the admin user can bypass 
> client side controls to view configuration details for the HIVE_RANGER_E2E 
> hive object. {code}
> *Recommendation*
> {code:java}
> Do not rely on client-side controls to restrict user access. Ensure that 
> server-side controls are in place to restrict unauthorised access to 
> sensitive information and APIs. {code}
>  
>  In the rangeradmin UI, on the users page, after clicking on a user, if you 
> edit the HTML on the site (i.e. in Chrome) you can remove the 'disabled' tag so 
> that the User role field is no longer greyed out and you can change the role from 
> User to Admin!





Review Request 67624: RANGER-2130: Ranger Admin - client-side control bypass

2018-06-18 Thread Nitin Galave

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67624/
---

Review request for ranger, Gautam Borad, Mehul Parikh, Pradeep Agrawal, and 
Velmurugan Periasamy.


Bugs: RANGER-2130
https://issues.apache.org/jira/browse/RANGER-2130


Repository: ranger


Description
---

In the rangeradmin UI, on the users page, after clicking on a user, if you edit 
the HTML on the site (i.e. in Chrome) you can remove the 'disabled' tag so that 
the User role field is no longer greyed out and you can change the role from User to 
Admin!
Also, a user is able to see other roles in the system.


Diffs
-

  security-admin/src/main/webapp/scripts/models/VXPortalUser.js 0292ceb 
  security-admin/src/main/webapp/scripts/views/users/UserForm.js ee0d256 


Diff: https://reviews.apache.org/r/67624/diff/1/


Testing
---

1. No user can change their own role through the profile page option, even after 
enabling the role field through the Chrome inspect-element feature (also, a user can't 
see other roles in the role drop-down).
2. An Admin is able to change another Admin user's role.
3. An Admin is able to view and update other users' roles through the UI.
4. Another Admin-role user is able to change the role of the user named "admin".


Thanks,

Nitin Galave
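As an added example that is not Ranger's code or the patch under review here, the server-side rule the Testing section above exercises, written as a plain Python function and checked against its four cases: the greyed-out form field is a convenience, and the decision is taken again on the server from the caller's authenticated role. The role names and the actor/target dicts are assumptions.

```python
ROLES = ("User", "Admin")  # assumed role names, as in the report's User -> Admin change


class Forbidden(Exception):
    """Raised when the server rejects a role change; the state of the UI is irrelevant."""


def authorize_role_change(actor, target, new_role):
    """Server-side decision for 'set target's role to new_role', requested by actor.

    actor and target are dicts {"name": str, "role": str}. Nothing about the
    browser form (the greyed-out field, the visible options) is trusted here:
    the request is re-checked from the caller's authenticated role, so removing
    a 'disabled' attribute changes what is sent, not what is accepted.
    """
    if new_role not in ROLES:
        raise Forbidden(f"unknown role {new_role!r}")
    if actor["role"] != "Admin":
        raise Forbidden("only Admin may change roles")           # test case 1
    if actor["name"] == target["name"]:
        raise Forbidden("a user may not change their own role")  # test case 1, admins too
    return {**target, "role": new_role}                           # test cases 2, 3, 4


def visible_roles(actor):
    """Options the role drop-down may offer: a non-admin only sees their own role."""
    return list(ROLES) if actor["role"] == "Admin" else [actor["role"]]


def try_change(actor, target, new_role):
    """Returns (accepted, role afterwards); the role is unchanged whenever the server refuses."""
    try:
        return True, authorize_role_change(actor, target, new_role)["role"]
    except Forbidden:
        return False, target["role"]
```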