[jira] [Commented] (RANGER-2771) Unix usersync is not working

[Pradeep Agrawal (Jira)]

[ 
https://issues.apache.org/jira/browse/RANGER-2771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17073386#comment-17073386
 ] 

Pradeep Agrawal commented on RANGER-2771:
-

Is this working for LDAP sync. Also see if new groups are syncing or not ?

> Unix usersync is not working
> 
>
> Key: RANGER-2771
> URL: https://issues.apache.org/jira/browse/RANGER-2771
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Preetam Tripathi
>Priority: Major
>
>  Steps to Reproduce: 
> 1. Create a external user from terminal - useradd unixuser
> 2. Go to Ranger UI - Settings>>Users Tab
> Expected Result: User ‘unixuser’ should be displayed on Ranger UI - 
> Settings>>Users tab
> Actual Result: User ‘unixuser’ is not getting displayed on Ranger UI



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (RANGER-2772) Adding the functionality of merging the policy

[Dineshkumar Yadav (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-2772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dineshkumar Yadav updated RANGER-2772:
--
Description: 
Adding the functionality of merging policy while creation of the policy.

The following conditions should match in order to merge the policy.
 # There should be already existing policy.
 # One should pass param mergeIfExists=true in create Policy API
 # One should also pass param "serviceName" and "policyName". 
 # You can pass "zoneName" if available.

  was:
Adding the functionality of merging policy while creation of the policy.

The following conditions should match in order to merge the policy.
 # There should be already existing policy.
 # one should pass param mergeIfExists=true in create Policy API
  


> Adding the functionality of merging the policy
> --
>
> Key: RANGER-2772
> URL: https://issues.apache.org/jira/browse/RANGER-2772
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Dineshkumar Yadav
>Assignee: Dineshkumar Yadav
>Priority: Major
>
> Adding the functionality of merging policy while creation of the policy.
> The following conditions should match in order to merge the policy.
>  # There should be already existing policy.
>  # One should pass param mergeIfExists=true in create Policy API
>  # One should also pass param "serviceName" and "policyName". 
>  # You can pass "zoneName" if available.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (RANGER-2774) Enhance RangerBasePlugin to be able to retrieve all policies for a user, and list of groups.

[Mert Hocanin (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-2774?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mert Hocanin updated RANGER-2774:
-
Attachment: RANGER-2774.patch

> Enhance RangerBasePlugin to be able to retrieve all policies for a user, and 
> list of groups.
> 
>
> Key: RANGER-2774
> URL: https://issues.apache.org/jira/browse/RANGER-2774
> Project: Ranger
>  Issue Type: New Feature
>  Components: Ranger
>Reporter: Mert Hocanin
>Priority: Minor
> Attachments: RANGER-2774.patch
>
>
> Currently, the RangerBasePlugin has API's that given a RangerAccessRequest, 
> it will return a RangerAccessResult which returns basically whether the 
> access is grantable or not. However, there are certain use cases where a 
> developer may want to pull all policies that a user and list of groups may 
> have access to. One use case that we had in mind was to translate a policy 
> from a calling user to another policy management system. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Created] (RANGER-2774) Enhance RangerBasePlugin to be able to retrieve all policies for a user, and list of groups.

[Mert Hocanin (Jira)]

Mert Hocanin created RANGER-2774:


 Summary: Enhance RangerBasePlugin to be able to retrieve all 
policies for a user, and list of groups.
 Key: RANGER-2774
 URL: https://issues.apache.org/jira/browse/RANGER-2774
 Project: Ranger
  Issue Type: New Feature
  Components: Ranger
Reporter: Mert Hocanin


Currently, the RangerBasePlugin has API's that given a RangerAccessRequest, it 
will return a RangerAccessResult which returns basically whether the access is 
grantable or not. However, there are certain use cases where a developer may 
want to pull all policies that a user and list of groups may have access to. 
One use case that we had in mind was to translate a policy from a calling user 
to another policy management system. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Re: Review Request 72302: RANGER-2773: Enhanced logging messages for RangerScriptConditionEvaluator class

[Madhan Neethiraj]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72302/#review220176
---


Ship it!




Ship It!

- Madhan Neethiraj


On April 1, 2020, 9:48 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72302/
> ---
> 
> (Updated April 1, 2020, 9:48 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2773
> https://issues.apache.org/jira/browse/RANGER-2773
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Failure during initialization of RangerScriptConditionEvaluator is not 
> reported. Such failure should be clearly reported as an error. Any methods 
> called on incorrectly initialized RangerScriptConditionEvaluator also need to 
> report error.
> 
> Note that this fix only logs an error.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
>  5b6653901 
> 
> 
> Diff: https://reviews.apache.org/r/72302/diff/2/
> 
> 
> Testing
> ---
> 
> Tested in a live cluster.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Re: Review Request 72302: RANGER-2773: Enhanced logging messages for RangerScriptConditionEvaluator class

[Abhay Kulkarni]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72302/
---

(Updated April 1, 2020, 9:48 p.m.)


Review request for ranger, Madhan Neethiraj and Velmurugan Periasamy.


Changes
---

Fixed review comments


Bugs: RANGER-2773
https://issues.apache.org/jira/browse/RANGER-2773


Repository: ranger


Description
---

Failure during initialization of RangerScriptConditionEvaluator is not 
reported. Such failure should be clearly reported as an error. Any methods 
called on incorrectly initialized RangerScriptConditionEvaluator also need to 
report error.

Note that this fix only logs an error.


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
 5b6653901 


Diff: https://reviews.apache.org/r/72302/diff/2/

Changes: https://reviews.apache.org/r/72302/diff/1-2/


Testing
---

Tested in a live cluster.


Thanks,

Abhay Kulkarni

Re: Review Request 72302: RANGER-2773: Enhanced logging messages for RangerScriptConditionEvaluator class

[Madhan Neethiraj]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72302/#review220175
---


Fix it, then Ship it!





agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
Lines 76 (patched)


String conditionType = condition != null ? condition.getType() : null;

"failed to initialize condition " + conditionType + ": script engine '" + 
engineName + "' was not created"



agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
Lines 131 (patched)


String conditionType = condition != null ? condition.getType() : null;

"failed to evaluate condition " + conditionType + ": script is empty"



agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
Lines 135 (patched)


String conditionType = condition != null ? condition.getType() : null;

"failed to evaluate condition " + conditionType + ": script engine not 
found"


- Madhan Neethiraj


On April 1, 2020, 5:50 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72302/
> ---
> 
> (Updated April 1, 2020, 5:50 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2773
> https://issues.apache.org/jira/browse/RANGER-2773
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Failure during initialization of RangerScriptConditionEvaluator is not 
> reported. Such failure should be clearly reported as an error. Any methods 
> called on incorrectly initialized RangerScriptConditionEvaluator also need to 
> report error.
> 
> Note that this fix only logs an error.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
>  5b6653901 
> 
> 
> Diff: https://reviews.apache.org/r/72302/diff/1/
> 
> 
> Testing
> ---
> 
> Tested in a live cluster.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

[GitHub] [ranger] mosabua opened a new pull request #60: Remove redundant Maven lifecycle calls

[GitBox]

mosabua opened a new pull request #60: Remove redundant Maven lifecycle calls
URL: https://github.com/apache/ranger/pull/60
 
 
   


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

Review Request 72302: RANGER-2773: Enhanced logging messages for RangerScriptConditionEvaluator class

[Abhay Kulkarni]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72302/
---

Review request for ranger, Madhan Neethiraj and Velmurugan Periasamy.


Bugs: RANGER-2773
https://issues.apache.org/jira/browse/RANGER-2773


Repository: ranger


Description
---

Failure during initialization of RangerScriptConditionEvaluator is not 
reported. Such failure should be clearly reported as an error. Any methods 
called on incorrectly initialized RangerScriptConditionEvaluator also need to 
report error.

Note that this fix only logs an error.


Diffs
-

  
agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
 5b6653901 


Diff: https://reviews.apache.org/r/72302/diff/1/


Testing
---

Tested in a live cluster.


Thanks,

Abhay Kulkarni

[jira] [Created] (RANGER-2773) Enhanced logging messages for RangerScriptConditionEvaluator class

[Abhay Kulkarni (Jira)]

Abhay Kulkarni created RANGER-2773:
--

 Summary: Enhanced logging messages for 
RangerScriptConditionEvaluator class
 Key: RANGER-2773
 URL: https://issues.apache.org/jira/browse/RANGER-2773
 Project: Ranger
  Issue Type: Bug
  Components: plugins, Ranger
Reporter: Abhay Kulkarni
Assignee: Abhay Kulkarni


Failure during initialization of RangerScriptConditionEvaluator is not 
reported. Such failure should be clearly reported as an error. Any methods 
called on incorrectly initialized RangerScriptConditionEvaluator also need to 
report error.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Re: Review Request 72298: RANGER-785: updated Ranger plugin to support the notion of super-users and super-groups

[Abhay Kulkarni]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72298/#review220174
---


Ship it!




Ship It!

- Abhay Kulkarni


On April 1, 2020, 7:43 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72298/
> ---
> 
> (Updated April 1, 2020, 7:43 a.m.)
> 
> 
> Review request for ranger, deepak sharma, Kishor Gollapalliwar, Abhay 
> Kulkarni, Mehul Parikh, Nitin Galave, Ramesh Mani, Sailaja Polavarapu, and 
> Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-785
> https://issues.apache.org/jira/browse/RANGER-785
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - added method RangerBasePlugin.setSuperUsersAndGroups(users, groups), which 
> a plugin implementation can call to register users and groups for whom all 
> permissions should be allowed
> - additional super-users and groups can be specified via 
> service-configurations ranger.plugin.super.users, ranger.plugin.super.groups
> - Ranger plugin will allow all accesses from super users and groups
> - Ranger plugin generates audit logs for such accesses - just as for regular 
> users
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
>  460290345 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  fefa4659f 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
>  32fbb0687 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
>  4265b06e3 
>   
> agents-common/src/test/resources/policyengine/test_policyengine_super_user_groups.json
>  PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/72298/diff/1/
> 
> 
> Testing
> ---
> 
> - added unit tests to cover the new feature
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>

Review request

[Lars Francke]

Hi,

I was wondering if anyone has the time to do a quick review of <
https://issues.apache.org/jira/browse/RANGER-2736>.

It enables a whole bunch of checkstyle rules but doesn't fail the build so
it's a totally optional thing which could still help to gain some
consistency.

Thank you!

Cheers,
Lars

[jira] [Updated] (RANGER-2772) Adding the functionality of merging the policy

[Dineshkumar Yadav (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-2772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dineshkumar Yadav updated RANGER-2772:
--
Summary: Adding the functionality of merging the policy  (was: Adding the 
functionality of merging policy)

> Adding the functionality of merging the policy
> --
>
> Key: RANGER-2772
> URL: https://issues.apache.org/jira/browse/RANGER-2772
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Dineshkumar Yadav
>Assignee: Dineshkumar Yadav
>Priority: Major
>
> Adding the functionality of merging policy while creation of the policy.
> The following conditions should match in order to merge the policy.
>  # There should be already existing policy.
>  # one should pass param mergeIfExists=true in create Policy API
>   



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (RANGER-2772) Adding the functionality of merging policy

[Dineshkumar Yadav (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-2772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dineshkumar Yadav updated RANGER-2772:
--
Description: 
Adding the functionality of merging policy while creation of the policy.

The following conditions should match in order to merge the policy.
 # There should be already existing policy.
 # one should pass param mergeIfExists=true in create Policy API
  

  was:
Adding the functionality of merging policy while creation of the policy.

The following conditions should match in order to merge the policy.
 # There should be already existing policy.
 # we should pass param mergeIfExists=true
  


> Adding the functionality of merging policy
> --
>
> Key: RANGER-2772
> URL: https://issues.apache.org/jira/browse/RANGER-2772
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Dineshkumar Yadav
>Assignee: Dineshkumar Yadav
>Priority: Major
>
> Adding the functionality of merging policy while creation of the policy.
> The following conditions should match in order to merge the policy.
>  # There should be already existing policy.
>  # one should pass param mergeIfExists=true in create Policy API
>   



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (RANGER-2772) Adding the functionality of merging policy

[Dineshkumar Yadav (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-2772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dineshkumar Yadav updated RANGER-2772:
--
Description: 
Adding the functionality of merging policy while creation of the policy.

The following condition should match in order to merge the policy.
 # There should be already existing policy.
 # we should pass param mergeIfExists=true
  

  was:
Adding the functionality of merging policy while creation of the policy.

for this should happen following condition should be match.
 # There should be already existing policy.
 # we should pass param mergeIfExists=true
 


> Adding the functionality of merging policy
> --
>
> Key: RANGER-2772
> URL: https://issues.apache.org/jira/browse/RANGER-2772
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Dineshkumar Yadav
>Assignee: Dineshkumar Yadav
>Priority: Major
>
> Adding the functionality of merging policy while creation of the policy.
> The following condition should match in order to merge the policy.
>  # There should be already existing policy.
>  # we should pass param mergeIfExists=true
>   



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (RANGER-2772) Adding the functionality of merging policy

[Dineshkumar Yadav (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-2772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dineshkumar Yadav updated RANGER-2772:
--
Description: 
Adding the functionality of merging policy while creation of the policy.

The following conditions should match in order to merge the policy.
 # There should be already existing policy.
 # we should pass param mergeIfExists=true
  

  was:
Adding the functionality of merging policy while creation of the policy.

The following condition should match in order to merge the policy.
 # There should be already existing policy.
 # we should pass param mergeIfExists=true
  


> Adding the functionality of merging policy
> --
>
> Key: RANGER-2772
> URL: https://issues.apache.org/jira/browse/RANGER-2772
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Dineshkumar Yadav
>Assignee: Dineshkumar Yadav
>Priority: Major
>
> Adding the functionality of merging policy while creation of the policy.
> The following conditions should match in order to merge the policy.
>  # There should be already existing policy.
>  # we should pass param mergeIfExists=true
>   



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (RANGER-2772) Adding the functionality of merging policy

[Dineshkumar Yadav (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-2772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dineshkumar Yadav updated RANGER-2772:
--
Summary: Adding the functionality of merging policy  (was: Default policy 
should be merged during sentry-ranger upgrade)

> Adding the functionality of merging policy
> --
>
> Key: RANGER-2772
> URL: https://issues.apache.org/jira/browse/RANGER-2772
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Dineshkumar Yadav
>Assignee: Dineshkumar Yadav
>Priority: Major
>
> Adding the functionality of merging policy while the policy is already exists.
> As per 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (RANGER-2772) Default policy should be merged during sentry-ranger upgrade

[Dineshkumar Yadav (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-2772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dineshkumar Yadav updated RANGER-2772:
--
Description: 
Adding the functionality of merging policy while the policy is already exists.

As per 

  was:Adding the functionality of merging policy while the policy is already 
exists.


> Default policy should be merged during sentry-ranger upgrade
> 
>
> Key: RANGER-2772
> URL: https://issues.apache.org/jira/browse/RANGER-2772
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Dineshkumar Yadav
>Assignee: Dineshkumar Yadav
>Priority: Major
>
> Adding the functionality of merging policy while the policy is already exists.
> As per 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Created] (RANGER-2772) Default policy should be merged during sentry-ranger upgrade

[Dineshkumar Yadav (Jira)]

Dineshkumar Yadav created RANGER-2772:
-

 Summary: Default policy should be merged during sentry-ranger 
upgrade
 Key: RANGER-2772
 URL: https://issues.apache.org/jira/browse/RANGER-2772
 Project: Ranger
  Issue Type: Improvement
  Components: Ranger
Reporter: Dineshkumar Yadav
Assignee: Dineshkumar Yadav


Adding the functionality of merging policy while the policy is already exists.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (RANGER-785) Ranger plugins should support a formal notion of super user

[Madhan Neethiraj (Jira)]

[ 
https://issues.apache.org/jira/browse/RANGER-785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17072481#comment-17072481
 ] 

Madhan Neethiraj commented on RANGER-785:
-

* added method {{RangerBasePlugin.setSuperUsersAndGroups(users, groups)}}, 
which a plugin implementation can call to register users and groups for whom 
all permissions should be allowed
* additional super-users and groups can be specified via service-configurations 
{{ranger.plugin.super.users}}, {{ranger.plugin.super.groups}}
* Ranger plugin will allow all accesses from super users and groups
* Ranger plugin generates audit logs for such accesses - just as for regular 
users

> Ranger plugins should support a formal notion of super user
> ---
>
> Key: RANGER-785
> URL: https://issues.apache.org/jira/browse/RANGER-785
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Reporter: Alok Lal
>Assignee: Madhan Neethiraj
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: RANGER-785.patch
>
>
> Most services that we authorize have some notion of superuser.
> # hbase has a property which lists the superuse id.  Ranger plugin skips most 
> authorizations for that superuser.
> # In case of kafka unless proper policies exist for the service user cluster 
> won't come up.
> # At other times people have asked that auditing be done differently for the 
> service user.
> One way to remedy these is to add a formal notion of a superuser for a 
> service and deal with it appropriately during service creation, during 
> authorization in the plugin, etc.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (RANGER-785) Ranger plugins should support a formal notion of super user

[Madhan Neethiraj (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Madhan Neethiraj updated RANGER-785:

Attachment: RANGER-785.patch

> Ranger plugins should support a formal notion of super user
> ---
>
> Key: RANGER-785
> URL: https://issues.apache.org/jira/browse/RANGER-785
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Reporter: Alok Lal
>Assignee: Madhan Neethiraj
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: RANGER-785.patch
>
>
> Most services that we authorize have some notion of superuser.
> # hbase has a property which lists the superuse id.  Ranger plugin skips most 
> authorizations for that superuser.
> # In case of kafka unless proper policies exist for the service user cluster 
> won't come up.
> # At other times people have asked that auditing be done differently for the 
> service user.
> One way to remedy these is to add a formal notion of a superuser for a 
> service and deal with it appropriately during service creation, during 
> authorization in the plugin, etc.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Review Request 72298: RANGER-785: updated Ranger plugin to support the notion of super-users and super-groups

[Madhan Neethiraj]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72298/
---

Review request for ranger, deepak sharma, Kishor Gollapalliwar, Abhay Kulkarni, 
Mehul Parikh, Nitin Galave, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Bugs: RANGER-785
https://issues.apache.org/jira/browse/RANGER-785


Repository: ranger


Description
---

- added method RangerBasePlugin.setSuperUsersAndGroups(users, groups), which a 
plugin implementation can call to register users and groups for whom all 
permissions should be allowed
- additional super-users and groups can be specified via service-configurations 
ranger.plugin.super.users, ranger.plugin.service.groups
- Ranger plugin will allow all accesses from super users and groups
- Ranger plugin generates audit logs for such accesses - just as for regular 
users


Diffs
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngine.java
 460290345 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 fefa4659f 
  
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 32fbb0687 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 4265b06e3 
  
agents-common/src/test/resources/policyengine/test_policyengine_super_user_groups.json
 PRE-CREATION 


Diff: https://reviews.apache.org/r/72298/diff/1/


Testing
---

- added unit tests to cover the new feature


Thanks,

Madhan Neethiraj

[jira] [Updated] (RANGER-785) Ranger plugins should support a formal notion of super user

[Madhan Neethiraj (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Madhan Neethiraj updated RANGER-785:

Component/s: plugins
Summary: Ranger plugins should support a formal notion of super user  
(was: Service definitions should support a formal notion of super user)

> Ranger plugins should support a formal notion of super user
> ---
>
> Key: RANGER-785
> URL: https://issues.apache.org/jira/browse/RANGER-785
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Reporter: Alok Lal
>Assignee: Madhan Neethiraj
>Priority: Major
>
> Most services that we authorize have some notion of superuser.
> # hbase has a property which lists the superuse id.  Ranger plugin skips most 
> authorizations for that superuser.
> # In case of kafka unless proper policies exist for the service user cluster 
> won't come up.
> # At other times people have asked that auditing be done differently for the 
> service user.
> One way to remedy these is to add a formal notion of a superuser for a 
> service and deal with it appropriately during service creation, during 
> authorization in the plugin, etc.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Assigned] (RANGER-785) Service definitions should support a formal notion of super user

[Madhan Neethiraj (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Madhan Neethiraj reassigned RANGER-785:
---

Assignee: Madhan Neethiraj

> Service definitions should support a formal notion of super user
> 
>
> Key: RANGER-785
> URL: https://issues.apache.org/jira/browse/RANGER-785
> Project: Ranger
>  Issue Type: Improvement
>Reporter: Alok Lal
>Assignee: Madhan Neethiraj
>Priority: Major
>
> Most services that we authorize have some notion of superuser.
> # hbase has a property which lists the superuse id.  Ranger plugin skips most 
> authorizations for that superuser.
> # In case of kafka unless proper policies exist for the service user cluster 
> won't come up.
> # At other times people have asked that auditing be done differently for the 
> service user.
> One way to remedy these is to add a formal notion of a superuser for a 
> service and deal with it appropriately during service creation, during 
> authorization in the plugin, etc.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)