Review Request 70711: RANGER-2446 : Suggestion - Include security zone details as part of admin audit for policy update
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70711/
---

Review request for ranger, Gautam Borad, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.

Bugs: RANGER-2446
    https://issues.apache.org/jira/browse/RANGER-2446

Repository: ranger

Description
---
If a policy which is part of security zone is edited, it will be good to include the zonename also along with policyid and policyname in the popup where admin audit details are displayed

Diffs
---
  security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java 0276367
  security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 767f278
  security-admin/src/main/webapp/scripts/views/reports/PlugableServiceDiffDetail.js cc9ee8d
  security-admin/src/main/webapp/scripts/views/security_zone/ZoneCreate.js e0fab23
  security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDeleteDiff_tmpl.html 04aa6dc
  security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDiff_tmpl.html dbc519a
  security-admin/src/main/webapp/templates/reports/PlugableServicePolicyUpdateDiff_tmpl.html e150c32

Diff: https://reviews.apache.org/r/70711/diff/1/

Testing
---
Verified that "Zone name" gets displayed on audit>>admin tab:
1. When performed CRUD operation on Zoned-resource based policies.
2. When performed CRUD operation on Zoned-Tag based policies.

Thanks,
Nitin Galave

[jira] [Updated] (RANGER-2443) Ranger UI support for access via Knox Trusted Proxy
[ https://issues.apache.org/jira/browse/RANGER-2443?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sailaja Polavarapu updated RANGER-2443:
---
    Attachment: 0001-RANGER-2443-Ranger-UI-support-for-access-via-Knox-Tr.patch

> Ranger UI support for access via Knox Trusted Proxy
> ---
>
> Key: RANGER-2443
> URL: https://issues.apache.org/jira/browse/RANGER-2443
> Project: Ranger
> Issue Type: New Feature
> Components: Ranger
> Affects Versions: 2.0.0
> Reporter: Sailaja Polavarapu
> Assignee: Sailaja Polavarapu
> Priority: Major
> Fix For: 2.0.0
>
> Attachments: 0001-RANGER-2443-Ranger-UI-support-for-access-via-Knox-Tr.patch
>
>
> In cloud deployments, Ranger will be deployed on a host that does not have a
> Public IP (or may have one, but the ports will not be opened). The Ranger UI
> will be accessible via Knox proxy.
> When a service is already proxied via Knox, the easiest way to propagate the
> user identity is via the "trusted proxy" pattern.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)

Review Request 70709: RANGER-2443: Ranger UI support for access via Knox Trusted Proxy
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70709/
---

Review request for ranger.

Bugs: RANGER-2443
    https://issues.apache.org/jira/browse/RANGER-2443

Repository: ranger

Description
---
Added code to check if trusted proxy is enabled in ranger when the request is for ranger UI, then verify knox as the proxy user & host and impersonate doAs user.

Diffs
---
  security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java 0be0e68b2

Diff: https://reviews.apache.org/r/70709/diff/1/

Testing
---
1. Tested ranger UI access through knox with Ldap shiro provider and rangerUI service configured in knox topology. (Without enable ranger SSO) and enable "Allow trusted proxy" config in ranger.
2. Verified all the existing unit tests run successfully.
4. Verified few negative tests with proxy user names configured in ranger for knox service.
3. Also tested regression case with "Allow trusted proxy" disabled in ranger.

Thanks,
Sailaja Polavarapu

[jira] [Updated] (RANGER-2448) Policy update is adding user/group to 'Exclude from Deny Conditions' - Grant from Beeline / Impala-shell
[ https://issues.apache.org/jira/browse/RANGER-2448?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mahendra Korepu updated RANGER-2448:
    Summary: Policy update is adding user/group to 'Exclude from Deny Conditions' - Grant from Beeline / Impala-shell (was: Policy update is adding user/group to 'Exclude from Deny Conditions' - Grant from Beelo)

> Policy update is adding user/group to 'Exclude from Deny Conditions' - Grant
> from Beeline / Impala-shell
>
> Key: RANGER-2448
> URL: https://issues.apache.org/jira/browse/RANGER-2448
> Project: Ranger
> Issue Type: Bug
> Components: plugins, Ranger
> Reporter: Mahendra Korepu
> Priority: Major
>
> Steps to Reproduce the issue:
> * Use Beeline (hive) or Impala-shell (Impala):
> # Grant a privilege to a user on db / table.
> # Now revoke the same privilege from step1.
> # Now grant privilege again from step1.
> After step 3, if you login to Ranger UI, user is added to both allow
> conditions and Deny Conditions, which is not the case the first time after
> step1.
> This behavior is same in Hive and Impala with Ranger, seems like a Ranger
> plugin issue.
>

[jira] [Created] (RANGER-2448) Policy update is adding user/group to 'Exclude from Deny Conditions' - Grant from Beelo
Mahendra Korepu created RANGER-2448:
---
    Summary: Policy update is adding user/group to 'Exclude from Deny Conditions' - Grant from Beelo
    Key: RANGER-2448
    URL: https://issues.apache.org/jira/browse/RANGER-2448
    Project: Ranger
    Issue Type: Bug
    Components: plugins, Ranger
    Reporter: Mahendra Korepu

Steps to Reproduce the issue:
* Use Beeline (hive) or Impala-shell (Impala):
# Grant a privilege to a user on db / table.
# Now revoke the same privilege from step1.
# Now grant privilege again from step1.

After step 3, if you login to Ranger UI, user is added to both allow conditions and Deny Conditions, which is not the case the first time after step1.

This behavior is same in Hive and Impala with Ranger, seems like a Ranger plugin issue.

[jira] [Commented] (RANGER-2433) Ranger base plugin `grant-` (the auto-generated grant name) may not be unique enough - Failing concurrent transactions
[ https://issues.apache.org/jira/browse/RANGER-2433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16846951#comment-16846951 ]

Velmurugan Periasamy commented on RANGER-2433:
--
Looks similar to https://issues.apache.org/jira/browse/RANGER-2369

> Ranger base plugin `grant-` (the auto-generated grant name) may
> not be unique enough - Failing concurrent transactions
> --
>
> Key: RANGER-2433
> URL: https://issues.apache.org/jira/browse/RANGER-2433
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Mahendra Korepu
> Priority: Major
>
> When running concurrent grant transactions - Ranger base plugin returns
> following error:
>
> {code:java}
> // ERROR: InternalException: HTTP 400 Error: Exception [EclipseLink-4002]
> (Eclipse Persistence Services - 2.5.2.v20140319-9ad6abd):
> org.eclipse.persistence.exceptions.DatabaseException
> Internal Exception: org.postgresql.util.PSQLException: ERROR: duplicate key
> value violates unique constraint "x_policy_uk_name_service_zone"
> Detail: Key (name, service, zone_id)=(grant-1557766372626, 4, 1) already
> exists.
> Error Code: 0
> Call: INSERT INTO x_policy (id, ADDED_BY_ID, CREATE_TIME, description, guid,
> is_audit_enabled, is_enabled, name, policy_options, policy_priority,
> policy_text, policy_type, resource_signature, service, UPDATE_TIME,
> UPD_BY_ID, version, zone_id) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
> ?, ?, ?, ?, ?)
> bind => [18 parameters bound]
> Query: InsertObjectQuery(XXPolicy [id=6438])
> Could not execute command: GRANT SELECT ON table db1.tbl1 TO GROUP usr_grp1
> Start, End, Duration: 20190513-095246/20190513-095252/6322.754
> {code}
> Recommendation : some sort of unique number or string need to be appended to
> policy to avoid race conditions.
>

[jira] [Commented] (RANGER-2447) Provide an API to get all policies associated with a user/group in "show grant" statements
[ https://issues.apache.org/jira/browse/RANGER-2447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16846934#comment-16846934 ]

Abhay Kulkarni commented on RANGER-2447:

[~fredyw] [RANGER-2061|https://issues.apache.org/jira/browse/RANGER-2061] provides necessary APIs. Please review.

> Provide an API to get all policies associated with a user/group in "show
> grant" statements
> --
>
> Key: RANGER-2447
> URL: https://issues.apache.org/jira/browse/RANGER-2447
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Affects Versions: 1.2.0
> Reporter: Fredy Wijaya
> Priority: Major
>
> In Impala we have statements that mean show all policies associated with a
> particular user/group.
> {noformat}
> show grant user ;
> show grant group ;
> {noformat}
> I believe there's something similar in Hive, i.e.
> {noformat}
> show grant user on all;
> show grant group on all;
> {noformat}
> It will be useful for Ranger to provide this API that can be used in both
> Impala and Hive.

[jira] [Created] (RANGER-2447) Provide an API to get all policies associated with a user/group in "show grant" statements
Fredy Wijaya created RANGER-2447:
    Summary: Provide an API to get all policies associated with a user/group in "show grant" statements
    Key: RANGER-2447
    URL: https://issues.apache.org/jira/browse/RANGER-2447
    Project: Ranger
    Issue Type: Improvement
    Components: Ranger
    Affects Versions: 1.2.0
    Reporter: Fredy Wijaya

In Impala we have statements that mean show all policies associated with a particular user/group.
{noformat}
show grant user ;
show grant group ;
{noformat}
I believe there's something similar in Hive, i.e.
{noformat}
show grant user on all;
show grant group on all;
{noformat}
It will be useful for Ranger to provide this API that can be used in both Impala and Hive.

[jira] [Updated] (RANGER-2446) Suggestion - Include security zone details as part of admin audit for policy update
[ https://issues.apache.org/jira/browse/RANGER-2446?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nitin Galave updated RANGER-2446:
-
    Attachment: RANGER-2446.patch

> Suggestion - Include security zone details as part of admin audit for policy
> update
> ---
>
> Key: RANGER-2446
> URL: https://issues.apache.org/jira/browse/RANGER-2446
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Nitin Galave
> Assignee: Nitin Galave
> Priority: Major
> Attachments: RANGER-2446.patch
>
>
> If a policy which is part of security zone is edited, it will be good to
> include the zonename also along with policyid and policyname in the popup
> where admin audit details are displayed.

[jira] [Created] (RANGER-2446) Suggestion - Include security zone details as part of admin audit for policy update
Nitin Galave created RANGER-2446:
    Summary: Suggestion - Include security zone details as part of admin audit for policy update
    Key: RANGER-2446
    URL: https://issues.apache.org/jira/browse/RANGER-2446
    Project: Ranger
    Issue Type: Bug
    Components: Ranger
    Reporter: Nitin Galave
    Assignee: Nitin Galave

If a policy which is part of security zone is edited, it will be good to include the zonename also along with policyid and policyname in the popup where admin audit details are displayed.

Review Request 70703: RANGER-2445 : Import of Tagservice for zone
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70703/
---

Review request for ranger, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.

Bugs: RANGER-2445
    https://issues.apache.org/jira/browse/RANGER-2445

Repository: ranger

Description
---
Import of tagservice is not working for zone

Diffs
---
  security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefTagServiceDao.java 8006272
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 0e7cd8f
  security-admin/src/main/resources/META-INF/jpa_named_queries.xml e4647b1
  security-admin/src/main/webapp/scripts/views/UploadServicePolicy.js 94362bf
  security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 19f162b

Diff: https://reviews.apache.org/r/70703/diff/1/

Testing
---
Tested If tag based policies are getting exported and imported properly in the provided zone.
Tested unzoned and zoned policies are getting imported correctly based to mapping provided.

Thanks,
Nikhil P

[jira] [Assigned] (RANGER-2444) Admin logs are not getting generated when "policy level" policy condition is updated
[ https://issues.apache.org/jira/browse/RANGER-2444?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mehul Parikh reassigned RANGER-2444:
    Assignee: Nitin Galave

> Admin logs are not getting generated when "policy level" policy condition is
> updated
>
> Key: RANGER-2444
> URL: https://issues.apache.org/jira/browse/RANGER-2444
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Harshal Chavan
> Assignee: Nitin Galave
> Priority: Major
>
> Steps-
> 1.Create a Knox service.
> 2.Edit the "policy level" policy condition of default policy.

[jira] [Assigned] (RANGER-2445) Import of Tagservice for zone
[ https://issues.apache.org/jira/browse/RANGER-2445?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nikhil Purbhe reassigned RANGER-2445:
-
    Assignee: Nikhil Purbhe

> Import of Tagservice for zone
> -
>
> Key: RANGER-2445
> URL: https://issues.apache.org/jira/browse/RANGER-2445
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Harshal Chavan
> Assignee: Nikhil Purbhe
> Priority: Major
>
> Import of tagservice is not working for zone

[jira] [Created] (RANGER-2445) Import of Tagservice for zone
Harshal Chavan created RANGER-2445:
--
    Summary: Import of Tagservice for zone
    Key: RANGER-2445
    URL: https://issues.apache.org/jira/browse/RANGER-2445
    Project: Ranger
    Issue Type: Bug
    Components: Ranger
    Reporter: Harshal Chavan

Import of tagservice is not working for zone

[jira] [Commented] (RANGER-2185) Hive Plugin show databases permission denied when user has access to some of the databases
[ https://issues.apache.org/jira/browse/RANGER-2185?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16846523#comment-16846523 ]

Haihui Xu commented on RANGER-2185:
---
I find that ranger 1.1.0 has the same issue. But the solution of [~dhomme] may not be good enough. The method "isShowDatabasesAccessAllowed(request)" should not be in RangerHiveAuthorizer.java (ranger-hive-plugin). What about the official solution? [~rmani]

> Hive Plugin show databases permission denied when user has access to some of
> the databases
> --
>
> Key: RANGER-2185
> URL: https://issues.apache.org/jira/browse/RANGER-2185
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 1.0.0
> Reporter: dhomme
> Priority: Major
> Labels: security
> Attachments: 0001-RANGER-2185-fix-hive-show-databases-bug.patch
>
>
> Add a resource based policy to allow a user, hive, has access to the default
> database. Then execute 'show databases;' via beeline, the user should see
> 'default'. Instead following error is shown:
> Error: Error while compiling statement: FAILED: HiveAccessControlException
> Permission denied: user [hive] does not have [USE] privilege on [*]
> (state=42000,code=4)