[jira] [Commented] (RANGER-2359) Show zone association with tag based service.

2019-03-13 Thread Nitin Galave (JIRA)


[ 
https://issues.apache.org/jira/browse/RANGER-2359?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16792364#comment-16792364
 ] 

Nitin Galave commented on RANGER-2359:
--

Committed to 
[master|https://github.com/apache/ranger/commit/cd9c2fd6bc013a2e5c2d66cf6ad7843c97a513cb]
 branch.

> Show zone association with tag based service.
> -
>
> Key: RANGER-2359
> URL: https://issues.apache.org/jira/browse/RANGER-2359
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Nitin Galave
>Assignee: Nitin Galave
>Priority: Major
> Fix For: master
>
> Attachments: 
> 0001-RANGER-2359-Show-zone-association-with-tag-based-ser.patch
>
>
> Show zone association with tag-based service.
> Under Tag Based Policies Menu - there is no zone related information that are 
> associated with tag-based service.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


Re: Review Request 70205: RANGER-2359: Show zone association with tag based service.

2019-03-13 Thread Mehul Parikh

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70205/#review213718
---


Ship it!




Ship It!

- Mehul Parikh


On March 13, 2019, 2:10 p.m., Nitin Galave wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70205/
> ---
> 
> (Updated March 13, 2019, 2:10 p.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and 
> Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2359
> https://issues.apache.org/jira/browse/RANGER-2359
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Show zone association with tag-based service.
> Under Tag Based Policies Menu - there is no zone related information that are 
> associated with tag-based service.
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/webapp/scripts/modules/XALinks.js 7885b72 
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 
> e369aa8 
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js 
> 22cc7d1 
>   
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js
>  7369a3b 
>   security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 
> d2d1627 
> 
> 
> Diff: https://reviews.apache.org/r/70205/diff/1/
> 
> 
> Testing
> ---
> 
> Verified
> 1. Able to filter tag services based on the zone selection dropdown.
> 2. Verified that the system displays only those Tag based services which are mapped
> to the zone and its resource based services.
> 3. All unzoned Tag based services get displayed if no zone is selected from the
> "Security zone" drop down.
> 
> 
> Thanks,
> 
> Nitin Galave
> 
>



Re: Review Request 70205: RANGER-2359: Show zone association with tag based service.

2019-03-13 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70205/#review213703
---


Ship it!




Ship It!

- Abhay Kulkarni


On March 13, 2019, 2:10 p.m., Nitin Galave wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70205/
> ---
> 
> (Updated March 13, 2019, 2:10 p.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and 
> Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2359
> https://issues.apache.org/jira/browse/RANGER-2359
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Show zone association with tag-based service.
> Under Tag Based Policies Menu - there is no zone related information that are 
> associated with tag-based service.
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/webapp/scripts/modules/XALinks.js 7885b72 
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 
> e369aa8 
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js 
> 22cc7d1 
>   
> security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js
>  7369a3b 
>   security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 
> d2d1627 
> 
> 
> Diff: https://reviews.apache.org/r/70205/diff/1/
> 
> 
> Testing
> ---
> 
> Verified
> 1. Able to filter tag services based on the zone selection dropdown.
> 2. Verified that the system displays only those Tag based services which are mapped
> to the zone and its resource based services.
> 3. All unzoned Tag based services get displayed if no zone is selected from the
> "Security zone" drop down.
> 
> 
> Thanks,
> 
> Nitin Galave
> 
>



[jira] [Created] (RANGER-2367) Hive "show grants" when Ranger is authorizer should show permission details from Ranger

2019-03-13 Thread Ramesh Mani (JIRA)
Ramesh Mani created RANGER-2367:
---

 Summary: Hive "show grants" when Ranger is authorizer should show 
permission details from Ranger
 Key: RANGER-2367
 URL: https://issues.apache.org/jira/browse/RANGER-2367
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Affects Versions: 2.0.0
Reporter: Ramesh Mani
 Fix For: 2.0.0


Hive "show grants" when Ranger is authorizer should show permission details 
from Ranger.
Currently what is shown is wrong as it is getting from the Hive MetaStore. 
Actual grant details should come from Ranger permission.
This enhancement privileges for a Hive Resource or Hive Resource for
user/group from Ranger Policies when the Ranger plugin is enabled for Hive.
Show privilege on user/Group alone wouldn't be feasible in this case because a
Ranger policy for a user can be maintained for any databases/tables and this
association would be difficult to map and get the corresponding permission from
Ranger policies to show grants.
Attached is the visual representation of the output. 





[jira] [Updated] (RANGER-2367) Hive "show grants" when Ranger is authorizer should show permission details from Ranger

2019-03-13 Thread Ramesh Mani (JIRA)


 [ 
https://issues.apache.org/jira/browse/RANGER-2367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-2367:

Attachment: Screen Shot 2019-03-13 at 11.00.29 AM.png

> Hive "show grants" when Ranger is authorizer should show permission details 
> from Ranger
> ---
>
> Key: RANGER-2367
> URL: https://issues.apache.org/jira/browse/RANGER-2367
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 2.0.0
>Reporter: Ramesh Mani
>Priority: Critical
> Fix For: 2.0.0
>
> Attachments: Screen Shot 2019-03-13 at 11.00.29 AM.png
>
>
> Hive "show grants" when Ranger is authorizer should show permission details 
> from Ranger.
> Currently what is shown is wrong as it is getting from the Hive MetaStore. 
> Actual grant details should come from Ranger permission.
> This enhancement privileges for a Hive Resource or Hive Resource for
> user/group from Ranger Policies when the Ranger plugin is enabled for Hive.
> Show privilege on user/Group alone wouldn't be feasible in this case because
> a Ranger policy for a user can be maintained for any databases/tables and this
> association would be difficult to map and get the corresponding permission
> from Ranger policies to show grants.
> Attached is the visual representation of the output. 





[jira] [Deleted] (RANGER-2366) [security] Admin webui - simultaneous logins

2019-03-13 Thread Velmurugan Periasamy (JIRA)


 [ 
https://issues.apache.org/jira/browse/RANGER-2366?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy deleted RANGER-2366:
-


> [security] Admin webui -  simultaneous logins
> -
>
> Key: RANGER-2366
> URL: https://issues.apache.org/jira/browse/RANGER-2366
> Project: Ranger
>  Issue Type: Bug
>Reporter: t oo
>Priority: Major
>
> The application supports concurrent sessions, enabling an attacker who has
> compromised another user’s credentials to make use of them without risk of
> detection. Allowing simultaneous logins without any notifications/updates can
> allow an attacker to access a user’s account undetected by the latter. Having
> no notifications that a user is logged in to another location and that the
> system accepts multiple logins prevents a user from taking necessary steps to
> address the issue.
>
> The application was found to allow multiple simultaneous logins using a
> single user account. When a user account is applied to log in from multiple
> locations, neither the currently logged in user nor the new user is informed
> of this event. This has been verified by accessing the application via two
> machines using the same credentials.
>
> Business Impact/Attack Scenario:
> In the scenario that a genuine user’s credentials are stolen, an attacker
> can use the user’s account and access information within the application.
> Probability of detection of this unauthorised access is reduced as the user
> is not informed during login when the account was last accessed or if there
> were any invalid login attempts made in the recent past.
>
> Recommendation:
> Enforce validation in the application to allow only one login per user ID at
> a time, or display ‘Last Logged In’ and ‘Failed Login Attempt’ information
> during the login process so that users can be alerted in case of any
> unauthorized access of their accounts. Consider invalidating current user
> sessions server-side upon subsequent user login. Notification can also be
> made to the terminated session along with pertinent information such as the
> IP address of the new session holder as well as contact information for the
> site’s security administration.





[jira] [Deleted] (RANGER-2365) [security] Admin webui - OPTIONS Method Enabled

2019-03-13 Thread Velmurugan Periasamy (JIRA)


 [ 
https://issues.apache.org/jira/browse/RANGER-2365?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy deleted RANGER-2365:
-


> [security] Admin webui -  OPTIONS Method Enabled
> 
>
> Key: RANGER-2365
> URL: https://issues.apache.org/jira/browse/RANGER-2365
> Project: Ranger
>  Issue Type: Bug
>Reporter: t oo
>Priority: Major
>
> The OPTIONS method is used to determine what other methods the server
> supports for a given URL/resource.
>
> It was found that the application’s server supports the OPTIONS HTTP Method.
> Details of HTTP Request and HTTP Response, respectively.
>
> Business Impact/Attack Scenario:
> If the attacker is able to check what options the server accepts he may be
> able to utilize it such that he can put a malicious file into the server
> which may eventually grant him unauthorized access to different information.
>
> Recommendation:
> If not required it is best to disable such a feature or verify that the usage
> is properly limited to authorised users.





[jira] [Created] (RANGER-2366) [security] Admin webui - simultaneous logins

2019-03-13 Thread t oo (JIRA)
t oo created RANGER-2366:


 Summary: [security] Admin webui -  simultaneous logins
 Key: RANGER-2366
 URL: https://issues.apache.org/jira/browse/RANGER-2366
 Project: Ranger
  Issue Type: Bug
  Components: admin, Ranger
Affects Versions: 1.0.0
Reporter: t oo


The application supports concurrent sessions, enabling an attacker who has
compromised another user’s credentials to make use of them without risk of
detection. Allowing simultaneous logins without any notifications/updates can
allow an attacker to access a user’s account undetected by the latter. Having
no notifications that a user is logged in to another location and that the
system accepts multiple logins prevents a user from taking necessary steps to
address the issue.

The application was found to allow multiple simultaneous logins using a single
user account. When a user account is applied to log in from multiple locations,
neither the currently logged in user nor the new user is informed of this
event. This has been verified by accessing the application via two machines
using the same credentials.

Business Impact/Attack Scenario:
In the scenario that a genuine user’s credentials are stolen, an attacker can
use the user’s account and access information within the application.
Probability of detection of this unauthorised access is reduced as the user is
not informed during login when the account was last accessed or if there were
any invalid login attempts made in the recent past.

Recommendation:
Enforce validation in the application to allow only one login per user ID at a
time, or display ‘Last Logged In’ and ‘Failed Login Attempt’ information during
the login process so that users can be alerted in case of any unauthorized
access of their accounts. Consider invalidating current user sessions
server-side upon subsequent user login. Notification can also be made to the
terminated session along with pertinent information such as the IP address of
the new session holder as well as contact information for the site’s security
administration.





Please follow Apache process for handling vulnerabilities

2019-03-13 Thread Velmurugan Periasamy
Please see https://www.apache.org/security/committers.html 
 and follow the process 
detailed there. 



[jira] [Deleted] (RANGER-2363) [security] Admin webui - Broken Access Control - Vertical Privilege Escalation

2019-03-13 Thread Velmurugan Periasamy (JIRA)


 [ 
https://issues.apache.org/jira/browse/RANGER-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy deleted RANGER-2363:
-


> [security] Admin webui - Broken Access Control - Vertical Privilege Escalation
> --
>
> Key: RANGER-2363
> URL: https://issues.apache.org/jira/browse/RANGER-2363
> Project: Ranger
>  Issue Type: Bug
>Reporter: t oo
>Priority: Major
>
> "Tag Based Policies" page can be directly accessed whereas the tab is not visible
> when logged in with normal user privilege. i.e. enter this in the browser URL when
> logged in as a non-admin user:
> https://domain:6182/index.html#!/policymanager/tag
>
> Access control, sometimes called authorization, is how a web application
> grants access to content and functions to some users and not others. These
> checks are performed after authentication, and govern what ‘authorized’ users
> are allowed to do.
>
> The application users have different roles assigned to them, such as Admin
> and User role. One of the tabs, Access Manager, shows Tag Based Policies under the
> drop down list when logged in with admin privileges but this tab is not visible
> under normal user privilege.
> During testing, it was observed that even though the "Tag Based policies"
> tab was not visible when logged into the application with normal user
> privilege, the same was accessible when the link was accessed directly under
> user privilege, as shown in the screenshots below. Even though the user was not
> able to make any changes to the TAGs and service connection parameters,
> this was accessible by directly accessing the link, which should not be the
> case.
>
> Any authenticated non-Site-Admin user can view the Presentation page,
> create/delete Shortcuts, do a Search and view the documents returned by the
> search. Essentially, all users can perform tasks that should be limited to
> Site Admin only, and the roles assigned to them only limit what is visible
> under the main menu. Once an attacker succeeds in logging in, he would be
> able to do the mentioned tasks above, regardless of his current role.
>
> Check access. Limit what types of users can access the system, and what
> functions and content each of these types of users should be allowed to
> access.
>
> Source: https://www.owasp.org/index.php/Broken_Access_Control





[jira] [Created] (RANGER-2365) [security] Admin webui - OPTIONS Method Enabled

2019-03-13 Thread t oo (JIRA)
t oo created RANGER-2365:


 Summary: [security] Admin webui -  OPTIONS Method Enabled
 Key: RANGER-2365
 URL: https://issues.apache.org/jira/browse/RANGER-2365
 Project: Ranger
  Issue Type: Bug
  Components: admin, Ranger
Affects Versions: 1.0.0
Reporter: t oo


The OPTIONS method is used to determine what other methods the server supports
for a given URL/resource.

It was found that the application’s server supports the OPTIONS HTTP Method.
Details of HTTP Request and HTTP Response, respectively.

Business Impact/Attack Scenario:
If the attacker is able to check what options the server accepts he may be
able to utilize it such that he can put a malicious file into the server which
may eventually grant him unauthorized access to different information.

Recommendation:
If not required it is best to disable such a feature or verify that the usage is
properly limited to authorised users.





[jira] [Deleted] (RANGER-2364) [security] Admin webui - Logout does not invalidate the session correctly

2019-03-13 Thread Velmurugan Periasamy (JIRA)


 [ 
https://issues.apache.org/jira/browse/RANGER-2364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy deleted RANGER-2364:
-


> [security] Admin webui - Logout does not invalidate the session correctly
> -
>
> Key: RANGER-2364
> URL: https://issues.apache.org/jira/browse/RANGER-2364
> Project: Ranger
>  Issue Type: Bug
>Reporter: t oo
>Priority: Major
>
> After changing the password in one browser, the tester was still able to browse the
> application in another browser.
>
> Logging out should clear all session state and remove or invalidate any
> residual cookies.
>
> It is possible to replay a request from a previous session after the “Log
> Out” button has been pressed and view the data.
>
> Business Impact/Attack Scenario:
> An attacker can replay the original session information to gain access to
> the application after a logout has been completed.
>
> Recommendation:
> Log out needs to be configured to completely invalidate the session (client
> and server-side) to prevent replay attacks.
> All protected pages need to check the authentication state and authorization
> role before performing any significant work, including rendering content.





[jira] [Created] (RANGER-2362) [security] Admin webui - Lack of account lockout

2019-03-13 Thread t oo (JIRA)
t oo created RANGER-2362:


 Summary: [security] Admin webui - Lack of account lockout
 Key: RANGER-2362
 URL: https://issues.apache.org/jira/browse/RANGER-2362
 Project: Ranger
  Issue Type: Bug
  Components: admin, Ranger
Affects Versions: 1.0.0
Reporter: t oo


Account lockout is a mechanism used to stop non-valid users from guessing for
the right password. It is also a protection against brute force attacks wherein
an automated system can use common/dictionary passwords or even build passwords
based on a set of characters just to try to guess the valid one.

The application does not implement an account lockout mechanism, leaving it
susceptible to brute force attacks. These login pages were susceptible to this
condition.

It is possible for an attacker to use dictionary or brute force attacks and
set it to attempt sending the requests over a particular amount of time to bypass
the validation. Once a username has been correctly guessed, the attacker may
then be able to gain access to the application. Since it is vulnerable to the Form
Auto Complete Active vulnerability (LINK) which makes the email addresses
easier to guess, it will make a brute force attack more likely possible.

Enforce account lockout conditions to prevent intrusions and improve password
requirements and complexities to avoid the chances of brute force and
dictionary attacks from working.





[jira] [Created] (RANGER-2364) [security] Admin webui - Logout does not invalidate the session correctly

2019-03-13 Thread t oo (JIRA)
t oo created RANGER-2364:


 Summary: [security] Admin webui - Logout does not invalidate the 
session correctly
 Key: RANGER-2364
 URL: https://issues.apache.org/jira/browse/RANGER-2364
 Project: Ranger
  Issue Type: Bug
  Components: admin, Ranger
Affects Versions: 1.0.0
Reporter: t oo


After changing the password in one browser, the tester was still able to browse the
application in another browser.

Logging out should clear all session state and remove or invalidate any
residual cookies.

It is possible to replay a request from a previous session after the “Log Out”
button has been pressed and view the data.

Business Impact/Attack Scenario:
An attacker can replay the original session information to gain access to the
application after a logout has been completed.

Recommendation:
Log out needs to be configured to completely invalidate the session (client
and server-side) to prevent replay attacks.
All protected pages need to check the authentication state and authorization
role before performing any significant work, including rendering content.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
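The three reports above (RANGER-2362, RANGER-2364 and RANGER-2366) each recommend a server-side control: lockout after repeated failures, a single active session per user with the superseded session told who replaced it, and invalidation on logout. The Python sketch below is an added example of those controls working together, not Ranger code; the policy values, the in-memory stores and the plain-text password stand-in are assumptions made for the example.

```python
"""Server-side login and session policy: added example, not Ranger code.

Implements the controls the reports ask for: lockout after repeated failures
(RANGER-2362), one active session per user where a new login terminates the
old one and leaves it a notice naming the new session's IP (RANGER-2366), and
server-side invalidation on logout so a replayed session id is rejected
(RANGER-2364). Stores are in-memory and the password field is a plain-text
stand-in for a hash; both are assumptions for the sketch.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_FAILURES = 5        # assumed policy: failures before the account locks
LOCKOUT_SECONDS = 900   # assumed policy: failure window and lock duration


@dataclass
class Account:
    password: str                                          # stand-in for a hash
    failures: List[float] = field(default_factory=list)    # recent failure times
    last_login: Optional[Tuple[float, str]] = None         # (time, ip)


@dataclass
class Session:
    user: str
    ip: str
    created: float
    active: bool = True
    notice: Optional[str] = None        # message left for a terminated session


class AuthService:
    def __init__(self, accounts: Dict[str, Account], clock=time.time):
        self.accounts = accounts
        self.sessions: Dict[str, Session] = {}
        self.clock = clock              # injectable for deterministic tests

    def _locked(self, acct: Account, now: float) -> bool:
        # Keep only failures inside the window, then test the threshold.
        acct.failures = [t for t in acct.failures if now - t < LOCKOUT_SECONDS]
        return len(acct.failures) >= MAX_FAILURES

    def login(self, user: str, password: str, ip: str):
        """Return (session_id, info) on success or (None, reason) on failure."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            return None, "invalid credentials"   # same wording as a bad password
        if self._locked(acct, now):
            return None, "account locked"
        if not hmac.compare_digest(acct.password.encode(), password.encode()):
            acct.failures.append(now)
            return None, "invalid credentials"
        # One active session per user: terminate any other live session and
        # tell it where the new login came from.
        for s in self.sessions.values():
            if s.user == user and s.active:
                s.active = False
                s.notice = f"session terminated by a new login from {ip}"
        # 'Last Logged In' / 'Failed Login Attempt' data to show after login.
        info = {"last_login": acct.last_login,
                "recent_failed_attempts": len(acct.failures)}
        acct.failures = []
        acct.last_login = (now, ip)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, ip, now)
        return sid, info

    def resolve(self, sid: str) -> Optional[str]:
        """User for a presented session id, or None if unknown or terminated."""
        s = self.sessions.get(sid)
        return s.user if s and s.active else None

    def notice_for(self, sid: str) -> Optional[str]:
        s = self.sessions.get(sid)
        return s.notice if s else None

    def logout(self, sid: str) -> None:
        """Invalidate server-side: the id stays known but is never honoured again."""
        s = self.sessions.get(sid)
        if s:
            s.active = False
            s.notice = "logged out"


if __name__ == "__main__":
    svc = AuthService({"admin": Account("correct horse")})
    sid, info = svc.login("admin", "correct horse", "10.0.0.1")
    print(sid is not None, info)
```

The unknown-user and wrong-password paths return the same message so the login endpoint does not confirm which usernames exist, which is the precondition the lockout report relies on.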


[jira] [Created] (RANGER-2363) [security] Admin webui - Broken Access Control - Vertical Privilege Escalation

2019-03-13 Thread t oo (JIRA)
t oo created RANGER-2363:


 Summary: [security] Admin webui - Broken Access Control - Vertical 
Privilege Escalation
 Key: RANGER-2363
 URL: https://issues.apache.org/jira/browse/RANGER-2363
 Project: Ranger
  Issue Type: Bug
  Components: admin, Ranger
Affects Versions: 1.0.0
Reporter: t oo


"Tag Based Policies" page can be directly accessed whereas the tab is not visible
when logged in with normal user privilege. i.e. enter this in the browser URL when
logged in as a non-admin user: https://domain:6182/index.html#!/policymanager/tag

Access control, sometimes called authorization, is how a web application
grants access to content and functions to some users and not others. These
checks are performed after authentication, and govern what ‘authorized’ users
are allowed to do.

The application users have different roles assigned to them, such as Admin and
User role. One of the tabs, Access Manager, shows Tag Based Policies under the drop down
list when logged in with admin privileges but this tab is not visible under
normal user privilege.
During testing, it was observed that even though the "Tag Based policies" tab
was not visible when logged into the application with normal user privilege,
the same was accessible when the link was accessed directly under user privilege, as
shown in the screenshots below. Even though the user was not able to make any
changes to the TAGs and service connection parameters, this was accessible by
directly accessing the link, which should not be the case.

Any authenticated non-Site-Admin user can view the Presentation page,
create/delete Shortcuts, do a Search and view the documents returned by the
search. Essentially, all users can perform tasks that should be limited to Site
Admin only, and the roles assigned to them only limit what is visible under the
main menu. Once an attacker succeeds in logging in, he would be able to do the
mentioned tasks above, regardless of his current role.

Check access. Limit what types of users can access the system, and what
functions and content each of these types of users should be allowed to access.

Source: https://www.owasp.org/index.php/Broken_Access_Control





Re: Review Request 70204: RANGER-2358: Upgrade Jackson Databind to 2.9.8

2019-03-13 Thread Zsombor Gegesy

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70204/#review213667
---


Ship it!




Ship It!

- Zsombor Gegesy


On March 13, 2019, 12:41 p.m., Pradeep Agrawal wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70204/
> ---
> 
> (Updated March 13, 2019, 12:41 p.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Gautam 
> Borad, Abhay Kulkarni, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, 
> Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2358
> https://issues.apache.org/jira/browse/RANGER-2358
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> It seems there are different versions of same jar is being pulled by 
> different parent libraries during the ranger build. This issue shall address 
> following libraries versions.
> 1) jackson-core
> 2) jackson-annotations
> 3) jackson-databind
> 4) commons.codec
> 5) commons.io.version
> 6) commons.net.version
> 7) netty-all.version
> 8) zookeeper.version
> 
> 
> Diffs
> -
> 
>   kms/pom.xml 59dd2761f 
>   pom.xml d5c4e924a 
>   ranger-examples/src/main/assembly/plugin-sampleapp.xml 42d2e2d62 
>   security-admin/pom.xml 2c587605b 
>   src/main/assembly/kms.xml 8a7c6a7c4 
>   src/main/assembly/tagsync.xml dd7580b01 
> 
> 
> Diff: https://reviews.apache.org/r/70204/diff/1/
> 
> 
> Testing
> ---
> 
> Tested Ranger installation and user/policy CRUD operations.
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>



Review Request 70205: RANGER-2359: Show zone association with tag based service.

2019-03-13 Thread Nitin Galave

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70205/
---

Review request for ranger, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and 
Velmurugan Periasamy.


Bugs: RANGER-2359
https://issues.apache.org/jira/browse/RANGER-2359


Repository: ranger


Description
---

Show zone association with tag-based service.
Under Tag Based Policies Menu - there is no zone related information that are 
associated with tag-based service.


Diffs
-

  security-admin/src/main/webapp/scripts/modules/XALinks.js 7885b72 
  security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js 
e369aa8 
  security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js 
22cc7d1 
  
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js
 7369a3b 
  security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 
d2d1627 


Diff: https://reviews.apache.org/r/70205/diff/1/


Testing
---

Verified
1. Able to filter tag services based on the zone selection dropdown.
2. Verified that the system displays only those Tag based services which are mapped
to the zone and its resource based services.
3. All unzoned Tag based services get displayed if no zone is selected from the
"Security zone" drop down.


Thanks,

Nitin Galave



[jira] [Updated] (RANGER-2359) Show zone association with tag based service.

2019-03-13 Thread Nitin Galave (JIRA)


 [ 
https://issues.apache.org/jira/browse/RANGER-2359?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nitin Galave updated RANGER-2359:
-
Attachment: 0001-RANGER-2359-Show-zone-association-with-tag-based-ser.patch

> Show zone association with tag based service.
> -
>
> Key: RANGER-2359
> URL: https://issues.apache.org/jira/browse/RANGER-2359
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Nitin Galave
>Assignee: Nitin Galave
>Priority: Major
> Fix For: master
>
> Attachments: 
> 0001-RANGER-2359-Show-zone-association-with-tag-based-ser.patch
>
>
> Show zone association with tag-based service.
> Under Tag Based Policies Menu - there is no zone related information that are 
> associated with tag-based service.





[jira] [Created] (RANGER-2361) [security] Login Cross Site Request Forgery (CSRF)

2019-03-13 Thread t oo (JIRA)
t oo created RANGER-2361:


 Summary: [security] Login Cross Site Request Forgery (CSRF)

 Key: RANGER-2361
 URL: https://issues.apache.org/jira/browse/RANGER-2361
 Project: Ranger
  Issue Type: Bug
  Components: admin, Ranger
Affects Versions: 1.0.0
Reporter: t oo


CSRF is an attack which forces an end user to execute unwanted actions on a web
application in which he/she is currently authenticated. With a little help of
social engineering (like sending a link via email/chat), an attacker may force
the users of a web application to execute actions of the attacker's choosing. A
successful CSRF exploit can compromise end user data and operation in the case of a
normal user. If the targeted end user is the administrator account, this can
compromise the entire web application.

The application's login page was vulnerable to CSRF attack. This means that
the application's Login page can be triggered externally by an attacker. Other
users or potential attackers having valid credentials to the application may be
able to hijack requests to the domain that the victim thought were anonymous or
were under their own account, sending them to the attacker's account instead.

To demonstrate the issue, an HTML file having the following code below was
created as a proof-of-concept.


 
 
 history.pushState('', '', '/')
 https://domain:6182/j_spring_security_check"; method=""POST"">
 
 
 
 
 


How the CSRF HTML PoC Works:
1. Load the above HTML PoC code in the browser. This will show the response
that Login has been successful as shown in the screenshot below.
2. Once you get authentication, then you can access any link within the
application and you can see the page directly opens up without logging into the
application.

Depending on the nature of the application, a successful exploitation of this
vulnerability may lead to stealing of private user information which can be
used by an attacker to perform other exploits or attacks.

It is recommended that the application validate where the login request comes
from and not allow the login process to be called from an external source.
Recommendations also include utilizing anti-Cross Site Request Forgery tokens
to prevent Cross-Site Request Forgery attacks.

References:
www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf
http://www.ethicalhack3r.co.uk/login-cross-site-request-forgery-csrf/



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
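The report above (RANGER-2361) recommends validating where a login request comes from and using anti-CSRF tokens. The Python functions below are an added example of both checks on a login endpoint, not Ranger code; the site origin, the endpoint name and the dict-shaped request and session objects are assumptions constructed for the example.

```python
"""Login-request origin check plus a pre-login synchronizer token: added
example, not Ranger code. A login CSRF works because the browser submits the
attacker's cross-site form to the login URL; requiring that the request's
Origin (or Referer) is this site and that it carries a token issued into the
visitor's pre-authentication session rejects such a submission, since the
attacker's page can neither read that token nor forge the header.
The site origin and the dict-shaped request/session objects are constructed.
"""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://ranger-admin.example.internal:6182"   # assumed deployment


def issue_login_token(session: dict) -> str:
    """Put a fresh token in the pre-login session and return it for the form."""
    session["login_csrf"] = secrets.token_urlsafe(32)
    return session["login_csrf"]


def _origin_of(url: str):
    """Reduce a URL (an Origin or Referer value) to scheme://host[:port]."""
    p = urlsplit(url)
    if not p.scheme or not p.netloc:
        return None                 # also covers the literal "null" Origin
    return f"{p.scheme}://{p.netloc}".lower()


def login_request_allowed(headers: dict, form: dict, session: dict):
    """Decide whether a POST to the login endpoint may be processed.

    headers: request headers (any case); form: parsed POST fields;
    session: the requester's server-side session. Returns (ok, reason).
    """
    h = {k.lower(): v for k, v in headers.items()}
    source = h.get("origin") or h.get("referer")
    if source is None:
        # Fail closed: a request that cannot be attributed to a page is not
        # accepted for authentication.
        return False, "no Origin or Referer header"
    if _origin_of(source) != SITE_ORIGIN.lower():
        return False, f"cross-site request from {_origin_of(source)}"
    expected = session.get("login_csrf", "")
    supplied = form.get("login_csrf", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or mismatched login token"
    return True, "ok"


if __name__ == "__main__":
    sess = {}
    token = issue_login_token(sess)
    print(login_request_allowed({"Origin": SITE_ORIGIN},
                                {"login_csrf": token, "j_username": "u"}, sess))
    print(login_request_allowed({"Origin": "https://attacker.example"},
                                {"login_csrf": token}, sess))
```

The token must live in a session that exists before authentication (a cookie set when the login page is served), otherwise there is nothing for the form to carry and for the server to compare against.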


[jira] [Created] (RANGER-2360) [security] Admin WebUI - Server information disclosure

2019-03-13 Thread t oo (JIRA)
t oo created RANGER-2360:


 Summary: [security] Admin WebUI - Server information disclosure
 Key: RANGER-2360
 URL: https://issues.apache.org/jira/browse/RANGER-2360
 Project: Ranger
  Issue Type: Bug
  Components: admin, Ranger
Affects Versions: 1.0.0
Reporter: t oo


|Revealing server information or system data helps an attacker learn about the 
technologies used by the application, which can aid him in forming a plan of 
attack. The information revealed could then be abused to craft more effective 
exploits against the application and underlying platforms.|
|All HTTP Responses and error messages disclosed server information names and 
version. 
 Apache-Coyote/1.1
 Apache Tomcat/7.0.82|

Threat actors can include external and internal users with malicious intent. A
potential attacker would first conduct a review of the system and try to
identify the technologies that the system is running on, by inducing errors on
the site, looking at the HTTP headers sent in response to requests and by
looking at the HTML source code generated by the application. Though these bits
of information are not vulnerabilities themselves, an attacker, equipped with
this information, can proceed to use targeted vulnerability tests and exploits
against the platform/technology in use.
 Given the following server information, a would-be attacker can infer the
following information: Server product, version, operating system, and
vulnerability publications. These are helpful in planning an attack and
minimises the possibility of detection.

Remove the information from application’s HTTP headers in response. Modify or 
remove the banner to limit the amount of information disclosed over the 
Internet. 

 

GET /login.jsp reveals Apache-Coyote/1.1

PROPFIND /index.html reveals Apache Tomcat/7.0.82

 



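A check for the two findings in RANGER-2360, as an added example rather than code from Ranger or the scanner that produced the ticket. The responses embedded below are constructed to resemble what the ticket describes: a Server: Apache-Coyote/1.1 header on GET /login.jsp, and Tomcat's stock error page for an unsupported PROPFIND carrying "Apache Tomcat/7.0.82"; the third response shows what a hardened server would return.

```python
"""Flag server product/version disclosure in HTTP responses.

Added example; this is not Ranger code. The responses below are constructed
to mirror the two findings in the ticket: a Server: Apache-Coyote/1.1 header
on GET /login.jsp and a Tomcat default error page, returned for an
unsupported PROPFIND, that embeds "Apache Tomcat/7.0.82" in its title and
h3. HARDENED_RESPONSE shows what a clean result looks like.
"""
import re
from typing import Dict, List, Tuple

# Response headers that commonly carry platform details
LEAKY_HEADERS = ("server", "x-powered-by")

# Product/version banners as they appear in headers and default error pages
BANNER_RE = re.compile(
    r"(Apache-Coyote|Apache Tomcat|Jetty|nginx|Microsoft-IIS)/(\d[\w.\-]*)"
)

LOGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html><head><title>Ranger - Sign In</title></head><body></body></html>"
)

# Tomcat's stock ErrorReportValve page, as produced for an unimplemented method
PROPFIND_RESPONSE = (
    "HTTP/1.1 501 Not Implemented\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html><head><title>Apache Tomcat/7.0.82 - Error report</title></head>"
    "<body><h1>HTTP Status 501 - Method PROPFIND is not implemented by this URL</h1>"
    "<hr class=\"line\"><h3>Apache Tomcat/7.0.82</h3></body></html>"
)

# Same error with the Server header overridden and server info suppressed
HARDENED_RESPONSE = (
    "HTTP/1.1 501 Not Implemented\r\n"
    "Server: Ranger\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html><head><title>HTTP Status 501 - Not Implemented</title></head>"
    "<body><h1>HTTP Status 501 - Not Implemented</h1><hr class=\"line\"></body></html>"
)


def parse_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_disclosures(raw: str) -> List[str]:
    """Return 'where: product/version' findings for one response, in order, deduplicated."""
    _, headers, body = parse_response(raw)
    findings: List[str] = []
    for name in LEAKY_HEADERS:
        value = headers.get(name)
        if value and BANNER_RE.search(value):
            findings.append(f"header {name}: {value}")
    for match in BANNER_RE.finditer(body):
        findings.append(f"body: {match.group(0)}")
    return list(dict.fromkeys(findings))


def scan(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each request label to its findings; requests with no findings are dropped."""
    report = {label: find_disclosures(raw) for label, raw in responses.items()}
    return {label: hits for label, hits in report.items() if hits}


if __name__ == "__main__":
    for label, hits in scan({
        "GET /login.jsp": LOGIN_RESPONSE,
        "PROPFIND /index.html": PROPFIND_RESPONSE,
        "PROPFIND /index.html (hardened)": HARDENED_RESPONSE,
    }).items():
        print(label, "->", "; ".join(hits))
```

On the remediation side, Tomcat itself provides the two knobs the ticket asks for: the `server` attribute on a `<Connector>` replaces the Apache-Coyote/1.1 value in the Server header, and `showServerInfo="false"` on `org.apache.catalina.valves.ErrorReportValve` (available from Tomcat 7.0.55) removes the "Apache Tomcat/x.y.z" banner from the default error page. Ranger Admin runs Tomcat embedded, so those settings have to be applied to the embedded Connector and Host rather than through a server.xml.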


[jira] [Commented] (RANGER-2357) Improvement on getServices API

2019-03-13 Thread Nikhil Purbhe (JIRA)


[ 
https://issues.apache.org/jira/browse/RANGER-2357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16791683#comment-16791683
 ] 

Nikhil Purbhe commented on RANGER-2357:
---

patch committed on 
[master|https://github.com/apache/ranger/commit/b3cb2248aba52af7c6bf977dfe921ca329265f12]

> Improvement on getServices API
> --
>
> Key: RANGER-2357
> URL: https://issues.apache.org/jira/browse/RANGER-2357
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: master
>Reporter: Nikhil Purbhe
>Assignee: Nikhil Purbhe
>Priority: Major
> Fix For: master
>
> Attachments: RANGER-2357.patch
>
>
> A Ranger user should be able to get plugin services based on their associated tag 
> service.





[jira] [Commented] (RANGER-2358) Upgrade Jackson Databind to 2.9.8

2019-03-13 Thread Pradeep Agrawal (JIRA)


[ 
https://issues.apache.org/jira/browse/RANGER-2358?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16791659#comment-16791659
 ] 

Pradeep Agrawal commented on RANGER-2358:
-

[~rmani] : Can you review the patch and confirm that the RANGER-2344 issue is not 
coming again.

> Upgrade Jackson Databind to 2.9.8
> -
>
> Key: RANGER-2358
> URL: https://issues.apache.org/jira/browse/RANGER-2358
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 2.0.0
>Reporter: Pradeep Agrawal
>Assignee: Pradeep Agrawal
>Priority: Major
> Fix For: Ranger
>
> Attachments: 0001-RANGER-2358-Upgrade-Jackson-Databind-to-2.9.8.patch
>
>
> Upgrade Jackson Databind from 2.7.8 to 2.9.8





[jira] [Updated] (RANGER-2358) Upgrade Jackson Databind to 2.9.8

2019-03-13 Thread Pradeep Agrawal (JIRA)


 [ 
https://issues.apache.org/jira/browse/RANGER-2358?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pradeep Agrawal updated RANGER-2358:

Attachment: 0001-RANGER-2358-Upgrade-Jackson-Databind-to-2.9.8.patch

> Upgrade Jackson Databind to 2.9.8
> -
>
> Key: RANGER-2358
> URL: https://issues.apache.org/jira/browse/RANGER-2358
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 2.0.0
>Reporter: Pradeep Agrawal
>Assignee: Pradeep Agrawal
>Priority: Major
> Fix For: Ranger
>
> Attachments: 0001-RANGER-2358-Upgrade-Jackson-Databind-to-2.9.8.patch
>
>
> Upgrade Jackson Databind from 2.7.8 to 2.9.8





Review Request 70204: RANGER-2358: Upgrade Jackson Databind to 2.9.8

2019-03-13 Thread Pradeep Agrawal

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70204/
---

Review request for ranger, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, 
Abhay Kulkarni, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Sailaja 
Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-2358
https://issues.apache.org/jira/browse/RANGER-2358


Repository: ranger


Description
---

It seems different versions of the same jar are being pulled in by different 
parent libraries during the ranger build. This issue shall address the following 
libraries' versions.
1) jackson-core
2) jackson-annotations
3) jackson-databind
4) commons.codec
5) commons.io.version
6) commons.net.version
7) netty-all.version
8) zookeeper.version


Diffs
-

  kms/pom.xml 59dd2761f 
  pom.xml d5c4e924a 
  ranger-examples/src/main/assembly/plugin-sampleapp.xml 42d2e2d62 
  security-admin/pom.xml 2c587605b 
  src/main/assembly/kms.xml 8a7c6a7c4 
  src/main/assembly/tagsync.xml dd7580b01 


Diff: https://reviews.apache.org/r/70204/diff/1/


Testing
---

Tested Ranger installation and user/policy CRUD operations.


Thanks,

Pradeep Agrawal
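The situation the review request describes, one artifact arriving at two versions through different parents, is easy to miss by eye in a large build. The following is an added example, not part of the Ranger build: it parses the text printed by `mvn dependency:tree -Dverbose` and reports artifacts seen at more than one version, and resolved versions below a required minimum. SAMPLE_TREE is constructed to look like that output; the parent library and the version numbers in it are made up for the example.

```python
"""Report artifacts resolved to more than one version in a Maven dependency tree.

Added example, not part of the Ranger build. It parses the text that
`mvn dependency:tree -Dverbose` prints (SAMPLE_TREE is constructed to look
like that output, with jackson-databind pulled in at two versions by two
parents) and reports every group:artifact seen with multiple versions, plus
any resolved version below a required minimum such as jackson-databind 2.9.8.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SAMPLE_TREE = r"""
[INFO] Scanning for projects...
[INFO] org.apache.ranger:security-admin:war:2.0.0-SNAPSHOT
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.9.8:compile
[INFO] +- org.example:some-parent-lib:jar:1.4.0:compile
[INFO] |  \- (com.fasterxml.jackson.core:jackson-databind:jar:2.7.8:compile - omitted for conflict with 2.9.8)
[INFO] \- commons-codec:commons-codec:jar:1.10:compile
"""

# "[INFO]", tree drawing characters, then an optional "(" that marks a node
# omitted by nearest-wins resolution, then the coordinates up to the next space
LINE_RE = re.compile(r"^\[INFO\]\s*[|+\\\- ]*(\(?)(\S+)")


def parse_tree(text: str) -> List[Tuple[str, str, bool]]:
    """Return (group:artifact, version, omitted) for every coordinate line."""
    entries: List[Tuple[str, str, bool]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m.group(2).split(":")
        # group:artifact:type:version (root) or group:artifact:type[:classifier]:version:scope
        if len(parts) < 4:
            continue  # log chatter such as "Scanning for projects..."
        version = parts[3] if len(parts) == 4 else parts[-2]
        entries.append((f"{parts[0]}:{parts[1]}", version, m.group(1) == "("))
    return entries


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a version for ordering; '2.0.0-SNAPSHOT' -> (2, 0, 0)."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def find_conflicts(text: str) -> Dict[str, Set[str]]:
    """group:artifact -> versions, for artifacts that appear at more than one version."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for ga, version, _ in parse_tree(text):
        seen[ga].add(version)
    return {ga: versions for ga, versions in seen.items() if len(versions) > 1}


def below_minimum(text: str, minimums: Dict[str, str]) -> List[Tuple[str, str]]:
    """(group:artifact, resolved version) pairs whose resolved version is older than required."""
    too_old: List[Tuple[str, str]] = []
    for ga, version, omitted in parse_tree(text):
        if omitted or ga not in minimums:
            continue
        if version_key(version) < version_key(minimums[ga]):
            too_old.append((ga, version))
    return too_old


if __name__ == "__main__":
    for ga, versions in find_conflicts(SAMPLE_TREE).items():
        print("multiple versions:", ga, sorted(versions, key=version_key))
    print("too old:", below_minimum(SAMPLE_TREE, {"commons-codec:commons-codec": "1.11"}))
```

Without -Dverbose the plugin prints only the winner of each conflict, so the 2.7.8 line would never appear and the check would be blind to it; the usual remedy once a conflict is found is to pin the version in the parent pom's dependencyManagement so that every module resolves the same artifact.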



[jira] [Resolved] (RANGER-2317) Enable compilation on JDK11

2019-03-13 Thread Zsombor Gegesy (JIRA)


 [ 
https://issues.apache.org/jira/browse/RANGER-2317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Zsombor Gegesy resolved RANGER-2317.

Resolution: Fixed

Merged to 
[master|https://github.com/apache/ranger/commit/08f32cd35824399eaac573f47338fbe8433ed97e]

> Enable compilation on JDK11
> ---
>
> Key: RANGER-2317
> URL: https://issues.apache.org/jira/browse/RANGER-2317
> Project: Ranger
>  Issue Type: Improvement
>  Components: admin, plugins
>Reporter: Zsombor Gegesy
>Assignee: Zsombor Gegesy
>Priority: Major
> Fix For: master
>
> Attachments: RANGER-2317-2.patch, RANGER-2317-3.patch
>
>
> Currently, Ranger can be compiled only with JDK 8; however, JDK 11 is the 
> current LTS release for Java, so it is essential to support it. As a first step, 
> we need to ensure that Ranger can be compiled on JDK 11.





[jira] [Commented] (RANGER-2355) Reports page: policy listing to have column of Zone name

2019-03-13 Thread Nitin Galave (JIRA)


[ 
https://issues.apache.org/jira/browse/RANGER-2355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16791507#comment-16791507
 ] 

Nitin Galave commented on RANGER-2355:
--

[Committed|https://github.com/apache/ranger/commit/daec465b36d8489c9237b0db9b8dde947d62db04]
 to master branch.

> Reports page: policy listing to have column of Zone name
> 
>
> Key: RANGER-2355
> URL: https://issues.apache.org/jira/browse/RANGER-2355
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Nitin Galave
>Assignee: Nitin Galave
>Priority: Major
> Fix For: master
>
> Attachments: RANGER-2355.patch
>
>
> As the Security Zone feature has been added, add a Zone name column to the policy 
> listing on the Reports page.
> Also add a filter to search policies for a Zone.





[jira] [Resolved] (RANGER-2356) External user's email address can be edited

2019-03-13 Thread Zsombor Gegesy (JIRA)


 [ 
https://issues.apache.org/jira/browse/RANGER-2356?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Zsombor Gegesy resolved RANGER-2356.

Resolution: Fixed

Merged to 
[master|https://github.com/apache/ranger/commit/3e04f089c9ad5b8e749c3faa08447cbe04be6dba]
 - Thanks for the fix!

> External user's email address can be edited
> ---
>
> Key: RANGER-2356
> URL: https://issues.apache.org/jira/browse/RANGER-2356
> Project: Ranger
>  Issue Type: Bug
>  Components: admin
>Affects Versions: master
>Reporter: László Dénes Terjéki
>Priority: Major
>  Labels: email
> Attachments: 
> 0001-RANGER-2356-Ranger-UI-disable-email-editing-for-Exte.patch, Screenshot 
> 2019-03-12 at 13.30.46.png
>
>
> In Settings -> Users/Groups, when clicking on an external user, the email field is 
> editable while the "User Name", "First Name" and "Last Name" fields are 
> disabled.





Re: Review Request 69655: RANGER-2317 : make Ranger buildable on newer JDKs

2019-03-13 Thread Qiang Zhang

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69655/#review213656
---


Ship it!




Ship It!

- Qiang Zhang


On March 11, 2019, 7:10 p.m., Zsombor Gegesy wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69655/
> ---
> 
> (Updated March 11, 2019, 7:10 p.m.)
> 
> 
> Review request for ranger.
> 
> 
> Bugs: RANGER-2317
> https://issues.apache.org/jira/browse/RANGER-2317
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Upgrade libraries to become compatible with JDK11, add JAXB and other 
> libraries to the modules, and exclude jdk.tools. 
> (These modules were previously part of the JDK; now they are independent.) 
> Add JDK10/11 to the travis build - excluding the Hive tests, as we can't 
> even start the Hive tests on JDK 9 - because internal Hive code casts the 
> system classloader to URLClassLoader.
> Removed one empty test class file, which triggered test failures with the newer 
> mockito version.
> 
> 
> Diffs
> -
> 
>   .travis.yml b38b892bd 
>   embeddedwebserver/scripts/ranger-admin-services.sh c04e1fc72 
>   enunciate.xml f64af1a56 
>   hbase-agent/pom.xml 6b3763f22 
>   kms/pom.xml 59dd2761f 
>   knox-agent/pom.xml bd68221cc 
>   plugin-solr/pom.xml 619cc9ebd 
>   pom.xml d5c4e924a 
>   ranger-hbase-plugin-shim/pom.xml 9ed0aebe8 
>   ranger-solr-plugin-shim/pom.xml 46b78218a 
>   security-admin/pom.xml 2c587605b 
>   
> security-admin/src/test/java/org/apache/ranger/plugin/store/RangerDBStore.java
>  cd5bb384e 
>   
> ugsync/src/test/java/org/apache/ranger/unixusersync/process/TestUnixUserGroupBuilder.java
>  2118c8430 
> 
> 
> Diff: https://reviews.apache.org/r/69655/diff/4/
> 
> 
> Testing
> ---
> 
> Tested the resulting binaries locally on JDK 8, to stay the same as previously. 
> All the dependency changes were either in test code, or in Maven plugin config, 
> or have 'provided' scope.
> 
> Tested on Travis that the build is successful in 4 JVMs - 
> oraclejdk8/oraclejdk11/openjdk10/openjdk11:
> https://travis-ci.org/gzsombor/ranger/builds/474559352
> 
> 
> Thanks,
> 
> Zsombor Gegesy
> 
>



[jira] [Created] (RANGER-2358) Upgrade Jackson Databind to 2.9.8

2019-03-13 Thread Pradeep Agrawal (JIRA)
Pradeep Agrawal created RANGER-2358:
---

 Summary: Upgrade Jackson Databind to 2.9.8
 Key: RANGER-2358
 URL: https://issues.apache.org/jira/browse/RANGER-2358
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Affects Versions: 2.0.0
Reporter: Pradeep Agrawal
Assignee: Pradeep Agrawal
 Fix For: Ranger


Upgrade Jackson Databind from 2.7.8 to 2.9.8





Re: Review Request 70189: RANGER-2355: Reports page: policy listing to have column of Zone name

2019-03-13 Thread Mehul Parikh

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70189/#review213655
---


Ship it!




Ship It!

- Mehul Parikh


On March 12, 2019, 11 a.m., Nitin Galave wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70189/
> ---
> 
> (Updated March 12, 2019, 11 a.m.)
> 
> 
> Review request for ranger, Gautam Borad, Abhay Kulkarni, Mehul Parikh, 
> Pradeep Agrawal, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2355
> https://issues.apache.org/jira/browse/RANGER-2355
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> As the Security Zone feature has been added, add a Zone name column to the policy 
> listing on the Reports page.
> 
> Also add a filter to search policies for a Zone.
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js 
> f0e5c1d 
>   security-admin/src/main/webapp/templates/reports/UserAccessLayout_tmpl.html 
> b3a9427 
> 
> 
> Diff: https://reviews.apache.org/r/70189/diff/1/
> 
> 
> Testing
> ---
> 
> 1. Verified that when a user performs a search with a zone name, the system displays 
> only zoned policies in the search results
> 2. Without selecting the Zone name filter, all policies (zoned & unzoned) are 
> displayed
> 3. Verified that when multiple services are mapped to a particular zone, the user is able 
> to view all associated policies of the services mapped to the zone
> 4. Verified search functionality with other combinations also, e.g. Zone name 
> and Access type, Zone name and component etc.
> 
> 
> Thanks,
> 
> Nitin Galave
> 
>