[jira] [Resolved] (RANGER-3252) Inconsistent behavior in Ranger Role authorization within same hive beeline session.

2021-04-27 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3252?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani resolved RANGER-3252.
-
Resolution: Fixed

> Inconsistent behavior in Ranger Role authorization within same hive beeline 
> session.
> -
>
> Key: RANGER-3252
> URL: https://issues.apache.org/jira/browse/RANGER-3252
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 3.0.0, 2.2.0
> Reporter: Ramesh Mani
> Assignee: Ramesh Mani
> Priority: Major
> Fix For: 3.0.0, 2.2.0
>
>
> Inconsistent behavior in Ranger Role authorization within same hive beeline 
> session.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


Re: Review Request 73301: RANGER-3253: Make incremental policy change computation more resilient

2021-04-27 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73301/
---

(Updated April 27, 2021, 11:12 p.m.)


Review request for ranger, Madhan Neethiraj, Ramesh Mani, and Velmurugan 
Periasamy.


Changes
---

Addressed review comments


Bugs: RANGER-3253
https://issues.apache.org/jira/browse/RANGER-3253


Repository: ranger


Description
---

Ranger admin, when incremental policies are enabled, retrieves changes to 
policies from database since last provided policy-version and applies these 
changes on the cached policies to compute new set of policies. This computation 
needs to be more resilient - for example - if a change suggests that a policy 
is created, but it already exists in the policy-cache, then it should not be 
added again.


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
 f92cd3f7b 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
 4661f79b9 
  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
4fb71f0b7 
  
security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java
 1176e0b9e 
  security-admin/src/main/java/org/apache/ranger/db/XXPolicyChangeLogDao.java 
0a1d1c142 


Diff: https://reviews.apache.org/r/73301/diff/3/

Changes: https://reviews.apache.org/r/73301/diff/2-3/


Testing
---

Passes all unit tests.


Thanks,

Abhay Kulkarni



[jira] [Updated] (RANGER-3254) sync source changes when same group is present in different sync source

2021-04-27 Thread Sailaja Polavarapu (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3254?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sailaja Polavarapu updated RANGER-3254:
---
Attachment: (was: 
0001-RANGER-3254-Fixed-issue-where-user-or-group-name-is-.patch)

> sync source changes when same group is present in different sync source
> ---
>
> Key: RANGER-3254
> URL: https://issues.apache.org/jira/browse/RANGER-3254
> Project: Ranger
> Issue Type: Bug
> Components: Ranger, usersync
> Reporter: Deepesh Joshi
> Assignee: Sailaja Polavarapu
> Priority: Major
> Attachments: 
> 0001-RANGER-3254-RANGER-3232-Fixed-issue-where-user-or-gr.patch
>
>
> Test steps :-
> 1. Configure unix sync source.
> 2. Add group "grp1"
> 3. Check sync source of group 'grp1'. It will be Unix.
> 4. Change sync source to LDAP, having "grp1" already present.
> 5. Restart user sync service.
> 6. Check sync source of group 'grp1'. It will be updated to "LDAP", which is 
> not the accepted behaviour.
> Ideally grp1 should not be synced as it is already present.





[jira] [Updated] (RANGER-3254) sync source changes when same group is present in different sync source

2021-04-27 Thread Sailaja Polavarapu (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3254?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sailaja Polavarapu updated RANGER-3254:
---
Attachment: 0001-RANGER-3254-RANGER-3232-Fixed-issue-where-user-or-gr.patch

> sync source changes when same group is present in different sync source
> ---
>
> Key: RANGER-3254
> URL: https://issues.apache.org/jira/browse/RANGER-3254
> Project: Ranger
> Issue Type: Bug
> Components: Ranger, usersync
> Reporter: Deepesh Joshi
> Assignee: Sailaja Polavarapu
> Priority: Major
> Attachments: 
> 0001-RANGER-3254-RANGER-3232-Fixed-issue-where-user-or-gr.patch
>
>
> Test steps :-
> 1. Configure unix sync source.
> 2. Add group "grp1"
> 3. Check sync source of group 'grp1'. It will be Unix.
> 4. Change sync source to LDAP, having "grp1" already present.
> 5. Restart user sync service.
> 6. Check sync source of group 'grp1'. It will be updated to "LDAP", which is 
> not the accepted behaviour.
> Ideally grp1 should not be synced as it is already present.





Re: Review Request 73303: RANGER-3254: sync source changes when same group is present in different sync source

2021-04-27 Thread Sailaja Polavarapu

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73303/
---

(Updated April 27, 2021, 10:42 p.m.)


Review request for ranger, Abhay Kulkarni, Mehul Parikh, Ramesh Mani, and 
Velmurugan Periasamy.


Changes
---

Included possible NPE fixes reported in RANGER-3232


Bugs: RANGER-3254
https://issues.apache.org/jira/browse/RANGER-3254


Repository: ranger


Description
---

Added additional checks before updating user or group attributes to ranger. 
Also fixed issue for not updating group memberships if same user with a 
different sync source or DN already exists in Ranger.


Diffs (updated)
-

  ugsync-util/src/main/java/org/apache/ranger/ugsyncutil/model/XGroupInfo.java 
5f5c9aa38 
  ugsync-util/src/main/java/org/apache/ranger/ugsyncutil/model/XUserInfo.java 
058b98467 
  
ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
 4d8a32a8a 


Diff: https://reviews.apache.org/r/73303/diff/2/

Changes: https://reviews.apache.org/r/73303/diff/1-2/


Testing
---

1. Verified all the existing unit tests pass.
2. Patched cluster and verified functionality with syncing users from unix as 
well as from AD.


Thanks,

Sailaja Polavarapu



[jira] [Updated] (RANGER-3192) Use read-write locks for managing access to policy-engine and tag-repository

2021-04-27 Thread Velmurugan Periasamy (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3192?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-3192:
-
Fix Version/s: 2.2.0
   3.0.0

> Use read-write locks for managing access to policy-engine and tag-repository
> 
>
> Key: RANGER-3192
> URL: https://issues.apache.org/jira/browse/RANGER-3192
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Reporter: Abhay Kulkarni
> Assignee: Abhay Kulkarni
> Priority: Major
> Fix For: 3.0.0, 2.2.0
>
>
> Use concurrent read-write lock to ensure that access evaluation and 
> policy/tag updates are mutually exclusive in multi-threaded environment
> Ranger uses copy and switch method to handle reads and writes to policy and 
> tag repositories in a multi-threaded environment. Using read/write lock to 
> handle concurrent accesses will save on copy which is more memory and CPU 
> efficient.





[jira] [Updated] (RANGER-3199) illegal reflective access operation warning in KMS catalina.out logs

2021-04-27 Thread Velmurugan Periasamy (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-3199:
-
Fix Version/s: 2.2.0
   3.0.0

> illegal reflective access operation warning in KMS catalina.out logs
> 
>
> Key: RANGER-3199
> URL: https://issues.apache.org/jira/browse/RANGER-3199
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 3.0.0
> Reporter: Mahesh Hanumant Bandal
> Assignee: Mahesh Hanumant Bandal
> Priority: Minor
> Fix For: 3.0.0, 2.2.0
>
>
> following logs are observed in catalina.out file of ranger-kms while using 
> JDK-11:
> {code:java}
> INFO: Initiating Jersey application, version 'Jersey: 1.19.3 10/24/2016 03:43 PM'
> WARNING: An illegal reflective access operation has occurred
> WARNING: Illegal reflective access by com.sun.xml.bind.v2.runtime.reflect.opt.Injector$1 jaxb-impl-2.2.3-1.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int)
> WARNING: Please consider reporting this to the maintainers of com.sun.xml.bind.v2.runtime.reflect.opt.Injector$1
> WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
> WARNING: All illegal access operations will be denied in a future release
> {code}
> Need to fix these warning logs.
> *This fix should be provided from the maintainers of "com.sun.xml.bind" i.e. 
> Oracle Corporation. Affected jar is "jaxb-impl-2.2.3-1.jar". This jar is 
> inherited from "jersey-json-1.19.3.jar".*
>  
> Workaround for this issue:
>  * +To avoid these warning logs we can add a dependency for jaxb-impl-2.3.3.jar+





[jira] [Updated] (RANGER-3208) NPE in Ranger policy engine when processing SELF_OR_CHILD scoped search

2021-04-27 Thread Velmurugan Periasamy (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3208?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-3208:
-
Fix Version/s: 2.2.0
   3.0.0

> NPE in Ranger policy engine when processing SELF_OR_CHILD scoped search
> ---
>
> Key: RANGER-3208
> URL: https://issues.apache.org/jira/browse/RANGER-3208
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Abhay Kulkarni
> Assignee: Abhay Kulkarni
> Priority: Major
> Fix For: 3.0.0, 2.2.0
>
>
> The following is the stack trace seen when Ranger policy engine searches Trie 
> object with SELF_OR_CHILD scope.
>  
> java.lang.NullPointerException
>     at java.util.AbstractCollection.addAll(AbstractCollection.java:343)
>     at org.apache.ranger.plugin.policyengine.RangerResourceTrie$TrieNode.collectChildEvaluators(RangerResourceTrie.java:1161)
>     at org.apache.ranger.plugin.policyengine.RangerResourceTrie.lambda$getEvaluatorsForResource$0(RangerResourceTrie.java:604)
>     at java.util.HashMap$ValueSpliterator.forEachRemaining(HashMap.java:1628)
>     at java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:647)
>     at org.apache.ranger.plugin.policyengine.RangerResourceTrie.getEvaluatorsForResource(RangerResourceTrie.java:604)
>     at org.apache.ranger.plugin.policyengine.RangerResourceTrie.getEvaluatorsForResource(RangerResourceTrie.java:180)
>     at org.apache.ranger.plugin.policyengine.RangerPolicyRepository.getLikelyMatchPolicyEvaluators(RangerPolicyRepository.java:811)
>     at org.apache.ranger.plugin.policyengine.RangerPolicyRepository.getLikelyMatchAccessPolicyEvaluators(RangerPolicyRepository.java:764)
>     at org.apache.ranger.plugin.policyengine.RangerPolicyRepository.getLikelyMatchPolicyEvaluators(RangerPolicyRepository.java:741)
>     at org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl.evaluatePoliciesNoAudit(RangerPolicyEngineImpl.java:585)
>     at org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl.zoneAwareAccessEvaluationWithNoAudit(RangerPolicyEngineImpl.java:486)
>     at org.apache.ranger.plugin.policyengine.RangerPolicyEngineImpl.evaluatePolicies(RangerPolicyEngineImpl.java:110)
>     at org.apache.ranger.plugin.service.RangerBasePlugin.isAccessAllowed(RangerBasePlugin.java:356)





[jira] [Updated] (RANGER-3147) enhance resource-trie to enable finding evaluators for a given resource and its children

2021-04-27 Thread Velmurugan Periasamy (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-3147:
-
Fix Version/s: 2.2.0
   3.0.0

> enhance resource-trie to enable finding evaluators for a given resource and 
> its children
> 
>
> Key: RANGER-3147
> URL: https://issues.apache.org/jira/browse/RANGER-3147
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Reporter: Abhay Kulkarni
> Assignee: Abhay Kulkarni
> Priority: Major
> Fix For: 3.0.0, 2.2.0
>
>
> For the resource modeled as a path (with a path separator configured in its 
> definition) it may be desired to search its Trie data to find an exact match 
> for the resource being searched and its children. Ranger access requests need 
> to support an additional scope specification (such as SELF_OR_CHILD) to 
> implement this feature.





[jira] [Updated] (RANGER-3224) Not able to delete security-zone

2021-04-27 Thread Velmurugan Periasamy (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3224?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-3224:
-
Fix Version/s: 2.2.0
   3.0.0

> Not able to delete security-zone
> 
>
> Key: RANGER-3224
> URL: https://issues.apache.org/jira/browse/RANGER-3224
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Abhay Kulkarni
> Assignee: Abhay Kulkarni
> Priority: Major
> Fix For: 3.0.0, 2.2.0
>
>
> Steps
> 1. Create a security zone and have a tag service associated with it.
> 2. Create a tag policy in the tag service for the security zone.
> 3. Edit security zone to remove tag service association.
> 4. Now, try to delete the security zone.
> Zone deletion fails.





[jira] [Updated] (RANGER-3202) Ranger KMS - Upgrade api-i18n jar from 1.0.0-M20 to 1.0.2+

2021-04-27 Thread Velmurugan Periasamy (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3202?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-3202:
-
Fix Version/s: 2.2.0
   3.0.0

> Ranger KMS - Upgrade api-i18n jar from 1.0.0-M20 to 1.0.2+
> --
>
> Key: RANGER-3202
> URL: https://issues.apache.org/jira/browse/RANGER-3202
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Reporter: Dhaval Shah
> Assignee: Dhaval Shah
> Priority: Major
> Fix For: 3.0.0, 2.2.0
>
>
> Currently in Ranger KMS we have api-i18n jar v 1.0.0-M20. This should be 
> upgraded to 1.0.2 or later. 
> Github : https://github.com/apache/ranger/blob/master/kms/pom.xml#L384





[jira] [Updated] (RANGER-980) User sync does not delete users if they do not exist anymore

2021-04-27 Thread Velmurugan Periasamy (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-980?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-980:

Fix Version/s: 2.2.0
   3.0.0

> User sync does not delete users if they do not exist anymore
> 
>
> Key: RANGER-980
> URL: https://issues.apache.org/jira/browse/RANGER-980
> Project: Ranger
> Issue Type: Bug
> Components: usersync
> Affects Versions: 0.6.0, 0.5.3
> Reporter: Bolke de Bruin
> Assignee: Sailaja Polavarapu
> Priority: Critical
> Labels: security
> Fix For: 3.0.0, 2.2.0
>
> Attachments: 
> 0001-RANGER-980-Support-for-deleted-users-groups-in-Range.patch, 
> 0001-RANGER-980-User-sync-does-not-delete-users-if-they-d.patch, Deleted 
> users and groups support in Ranger (RANGER-980).pdf, RANGER-980.patch
>
>
> usersync for all sources creates users and groups, but does not delete them 
> from Ranger's database if these users and groups do not exist anymore in the 
> original source.
> So if you have for example a user called "bob" and bob leaves the company, his 
> access rights will continue to exist in Ranger. If a new employee comes in 
> that is also "bob" he is immediately granted the same access as the previous 
> employee. This creates security incidents.
> In a reasonably complex company it cannot be expected that another user 
> administration is being taken care of, while deletion could and should happen 
> automatically.





[jira] [Updated] (RANGER-3250) Add relevant indexes to database table to speed up ingress processing of tagged entities

2021-04-27 Thread Velmurugan Periasamy (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-3250:
-
Fix Version/s: 2.2.0
   3.0.0

> Add relevant indexes to database table to speed up ingress processing of 
> tagged entities
> 
>
> Key: RANGER-3250
> URL: https://issues.apache.org/jira/browse/RANGER-3250
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Abhay Kulkarni
> Assignee: Abhay Kulkarni
> Priority: Major
> Fix For: 3.0.0, 2.2.0
>
>
> Tagged entities are persisted in a Relational database table. During ingress 
> of tagged entities, Ranger admin needs to look up this table. Indexing the 
> table on the columns that are used for look-up will speed up ingress rate.





Re: Review Request 73300: RANGER-3252:Inconsistent behavior in Ranger Role authorization within same hive beeline session

2021-04-27 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73300/#review222886
---


Ship it!




Ship It!

- Abhay Kulkarni


On April 27, 2021, 5:39 a.m., Ramesh Mani wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73300/
> ---
> 
> (Updated April 27, 2021, 5:39 a.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Abhay Kulkarni, Madhan Neethiraj, 
> Mehul Parikh, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-3252
> https://issues.apache.org/jira/browse/RANGER-3252
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> RANGER-3252:Inconsistent behavior in Ranger Role authorization within same 
> hive beeline session
> 
> 
> Diffs
> -
> 
>   
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
>  5bd5c2da4 
> 
> 
> Diff: https://reviews.apache.org/r/73300/diff/3/
> 
> 
> Testing
> ---
> 
> - Within the Same Hive Session when Roles are updated for inclusion and 
> exclusion of user/group/roles, authorization failed for those users/ groups 
> and roles and this patch takes care of it
> - verified by setting current role with "set role " within the same 
> Hive session.
> - verified show roles and show current roles based on inclusion and exclusion 
> of user / groups and roles.
> 
> 
> Thanks,
> 
> Ramesh Mani
> 
>



Re: Review Request 73301: RANGER-3253: Make incremental policy change computation more resilient

2021-04-27 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73301/
---

(Updated April 27, 2021, 8:21 p.m.)


Review request for ranger, Madhan Neethiraj, Ramesh Mani, and Velmurugan 
Periasamy.


Changes
---

Addressed review comments


Bugs: RANGER-3253
https://issues.apache.org/jira/browse/RANGER-3253


Repository: ranger


Description
---

Ranger admin, when incremental policies are enabled, retrieves changes to 
policies from database since last provided policy-version and applies these 
changes on the cached policies to compute new set of policies. This computation 
needs to be more resilient - for example - if a change suggests that a policy 
is created, but it already exists in the policy-cache, then it should not be 
added again.


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
 f92cd3f7b 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
 4661f79b9 
  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
4fb71f0b7 
  
security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java
 1176e0b9e 
  security-admin/src/main/java/org/apache/ranger/db/XXPolicyChangeLogDao.java 
0a1d1c142 


Diff: https://reviews.apache.org/r/73301/diff/2/

Changes: https://reviews.apache.org/r/73301/diff/1-2/


Testing
---

Passes all unit tests.


Thanks,

Abhay Kulkarni



Re: Review Request 73301: RANGER-3253: Make incremental policy change computation more resilient

2021-04-27 Thread Abhay Kulkarni


> On April 27, 2021, 6:59 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
> > Lines 3144 (patched)
> > 
> >
> > retrievedPolicyVersion is the version of the last policy in the list of 
> > deltas. Using this to populate ServicePolicies.policyVersion, #3184, doesn't 
> > seem appropriate.
> > 
> > Same for retrievedTagPolicyVersion and #3192.

It is likely that the second read of the policyVersion for the given service 
may give a different value than what is read from the policy/tag change log 
table (READ_COMMITTED serialization level, in a busy ranger-admin server can 
cause this). Therefore, it is better to set the value of 
service-policy/tag-policy/tag version from the actual records read from the 
change log table.


- Abhay


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73301/#review222884
---


On April 26, 2021, 5:52 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73301/
> ---
> 
> (Updated April 26, 2021, 5:52 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Ramesh Mani, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-3253
> https://issues.apache.org/jira/browse/RANGER-3253
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ranger admin, when incremental policies are enabled, retrieves changes to 
> policies from database since last provided policy-version and applies these 
> changes on the cached policies to compute new set of policies. This 
> computation needs to be more resilient - for example - if a change suggests 
> that a policy is created, but it already exists in the policy-cache, then it 
> should not be added again.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
>  f92cd3f7b 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
>  4661f79b9 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
> 4fb71f0b7 
>   
> security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java
>  1176e0b9e 
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyChangeLogDao.java 
> 0a1d1c142 
> 
> 
> Diff: https://reviews.apache.org/r/73301/diff/1/
> 
> 
> Testing
> ---
> 
> Passes all unit tests.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



Re: Review Request 73301: RANGER-3253: Make incremental policy change computation more resilient

2021-04-27 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73301/#review222884
---




agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
Lines 93 (patched)


iter.next() is already called in previous line. Please review and update.



agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
Lines 101 (patched)


LOG.warn("Unexpected: found existing policy for CHANGE_TYPE_POLICY_CREATE: " + Arrays.toString(deletedPolicies.toArray()));



agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
Lines 106 (patched)


LOG.warn("Unexpected: found no policy or multiple policies for CHANGE_TYPE_POLICY_UPDATE: " + Arrays.toString(deletedPolicies.toArray()));



agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
Lines 113 (patched)


LOG.warn("Unexpected: found no policy or multiple policies for CHANGE_TYPE_POLICY_DELETE: " + Arrays.toString(deletedPolicies.toArray()));



security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
Lines 3144 (patched)


retrievedPolicyVersion is the version of the last policy in the list of 
deltas. Using this to populate ServicePolicies.policyVersion, #3184, doesn't 
seem appropriate.

Same for retrievedTagPolicyVersion and #3192.



security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java
Line 369 (original), 363 (patched)


Consider replacing #363 - #369 with:
  result = Objects.equals(dbPolicyVersion, cachedPolicyVersion);



security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java
Line 401 (original), 371 (patched)


LOG.warn("checkCacheSanity(serviceName=" + serviceName + "): policy cache has incorrect version. policyVersionInDB=" + dbPolicyVersion
    + ", policyVersionInCache=" + cachedPolicyVersion);



security-admin/src/main/java/org/apache/ranger/db/XXPolicyChangeLogDao.java
Line 167 (original), 169 (patched)


Would policyId be null for changes that require delta-reset (i.e. 
full-download) - like changes in service-def (eg. context enrichers), service 
(eg. tag-service association), service-config (eg. plugin config for 
superusers/serviceadmins)?

If this is an expected case, warn log doesn't seem appropriate. Consider an 
info level log, like:
  LOG.info("delta-reset-event: log-record-id=" + logRecordId + "; service-type=" + serviceType
      + "; policy-change-type=" + policyChangeType + ". Discarding " + ret.size() + " deltas");


- Madhan Neethiraj


On April 26, 2021, 5:52 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73301/
> ---
> 
> (Updated April 26, 2021, 5:52 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Ramesh Mani, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-3253
> https://issues.apache.org/jira/browse/RANGER-3253
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ranger admin, when incremental policies are enabled, retrieves changes to 
> policies from database since last provided policy-version and applies these 
> changes on the cached policies to compute new set of policies. This 
> computation needs to be more resilient - for example - if a change suggests 
> that a policy is created, but it already exists in the policy-cache, then it 
> should not be added again.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
>  f92cd3f7b 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPolicyDeltaUtil.java
>  4661f79b9 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
> 4fb71f0b7 
>   
> security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java
>  1176e0b9e 
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyChangeLogDao.java 
> 0a1d1c142 
> 
> 
> Diff: https://reviews.apache.org/r/73301/diff/1/
> 
> 
> Testing
> ---
> 
> Passes all unit tests.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>
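
The delta handling this review thread asks for, sketched as an added example: it is not code from the Ranger patch, and `Policy`, `Delta`, `ChangeType` and `applyDeltas` are hypothetical stand-ins for the project's classes. It assumes an UPDATE for a policy missing from the cache is still applied, which the thread does not state.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

// Added illustration (Java 16+ for records). Policy, Delta and ChangeType are
// hypothetical stand-ins, not Ranger's RangerPolicy / RangerPolicyDelta classes.
public class ResilientDeltaExample {
    enum ChangeType { CREATE, UPDATE, DELETE }

    record Policy(long id, long version, String name) {}

    record Delta(ChangeType type, Policy policy) {}

    // Applies deltas to a copy of the cached policies. Anything that contradicts
    // the cache is recorded as a warning instead of producing duplicate entries.
    static List<Policy> applyDeltas(List<Policy> cached, List<Delta> deltas, List<String> warnings) {
        List<Policy> result = new ArrayList<>(cached); // leave the cached list untouched

        for (Delta delta : deltas) {
            long id = delta.policy().id();
            List<Policy> removed = new ArrayList<>();

            // Drop every cached copy of this policy id first, so that no change
            // type can leave two policies with the same id in the result.
            for (Iterator<Policy> iter = result.iterator(); iter.hasNext(); ) {
                Policy existing = iter.next(); // next() is called exactly once per pass
                if (existing.id() == id) {
                    removed.add(existing);
                    iter.remove();
                }
            }

            switch (delta.type()) {
                case CREATE:
                    if (!removed.isEmpty()) {
                        warnings.add("CREATE for policy " + id + ": found existing " + removed);
                    }
                    result.add(delta.policy());
                    break;
                case UPDATE:
                    if (removed.size() != 1) {
                        warnings.add("UPDATE for policy " + id + ": found " + removed.size() + " cached copies");
                    }
                    result.add(delta.policy()); // assumption: apply the update even if nothing was cached
                    break;
                case DELETE:
                    if (removed.size() != 1) {
                        warnings.add("DELETE for policy " + id + ": found " + removed.size() + " cached copies");
                    }
                    break;
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample data: two cached policies and four deltas, two of
        // which disagree with the cache (CREATE of id 2, DELETE of id 3).
        List<Policy> cache = List.of(
                new Policy(1, 1, "hr-db"),
                new Policy(2, 1, "finance-db"));
        List<Delta> deltas = List.of(
                new Delta(ChangeType.CREATE, new Policy(2, 2, "finance-db")),
                new Delta(ChangeType.UPDATE, new Policy(1, 2, "hr-db")),
                new Delta(ChangeType.DELETE, new Policy(3, 1, "stale")),
                new Delta(ChangeType.CREATE, new Policy(4, 1, "sales-db")));

        List<String> warnings = new ArrayList<>();
        List<Policy> updated = applyDeltas(cache, deltas, warnings);

        updated.forEach(p -> System.out.println("policy  " + p));
        warnings.forEach(w -> System.out.println("warning " + w));
    }
}
```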



Re: Review Request 73298: RANGER-3250: Add relevant indexes to database table to speed up ingress processing of tagged entities

2021-04-27 Thread Velmurugan Periasamy

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73298/#review222883
---


Ship it!




Ship It!

- Velmurugan Periasamy


On April 27, 2021, 4:47 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73298/
> ---
> 
> (Updated April 27, 2021, 4:47 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-3250
> https://issues.apache.org/jira/browse/RANGER-3250
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Tagged entities are persisted in a Relational database table. During ingress 
> of tagged entities, Ranger admin needs to look up this table. Indexing the 
> table on the columns that are used for look-up will speed up ingress rate.
> 
> The columns 'resource_signature' and 'guid' in table 'x_service_resource' 
> need to have unique indexes built on them
> 
> 
> Diffs
> -
> 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 
> 9d0cd9db2 
>   security-admin/db/mysql/patches/051-create-index-for-service-resource.sql 
> PRE-CREATION 
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 
> 1904c6847 
>   security-admin/db/oracle/patches/051-create-index-for-service-resource.sql 
> PRE-CREATION 
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 
> 51ef67b8f 
>   
> security-admin/db/postgres/patches/051-create-index-for-service-resource.sql 
> PRE-CREATION 
>   
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
>  97ddb5df3 
>   
> security-admin/db/sqlanywhere/patches/051-create-index-for-service-resource.sql
>  PRE-CREATION 
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 
> d15015009 
>   
> security-admin/db/sqlserver/patches/052-create-index-for-service-resource.sql 
> PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/73298/diff/3/
> 
> 
> Testing
> ---
> 
> Passed unit tests
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



Re: Review Request 73298: RANGER-3250: Add relevant indexes to database table to speed up ingress processing of tagged entities

2021-04-27 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73298/
---

(Updated April 27, 2021, 4:47 p.m.)


Review request for ranger, Madhan Neethiraj, Mehul Parikh, and Velmurugan 
Periasamy.


Changes
---

Addressed review comments


Bugs: RANGER-3250
https://issues.apache.org/jira/browse/RANGER-3250


Repository: ranger


Description
---

Tagged entities are persisted in a Relational database table. During ingress of 
tagged entities, Ranger admin needs to look up this table. Indexing the table 
on the columns that are used for look-up will speed up ingress rate.

The columns 'resource_signature' and 'guid' in table 'x_service_resource' need 
to have unique indexes built on them


Diffs (updated)
-

  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 9d0cd9db2 
  security-admin/db/mysql/patches/051-create-index-for-service-resource.sql 
PRE-CREATION 
  security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 
1904c6847 
  security-admin/db/oracle/patches/051-create-index-for-service-resource.sql 
PRE-CREATION 
  security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 
51ef67b8f 
  security-admin/db/postgres/patches/051-create-index-for-service-resource.sql 
PRE-CREATION 
  
security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 
97ddb5df3 
  
security-admin/db/sqlanywhere/patches/051-create-index-for-service-resource.sql 
PRE-CREATION 
  security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 
d15015009 
  security-admin/db/sqlserver/patches/052-create-index-for-service-resource.sql 
PRE-CREATION 


Diff: https://reviews.apache.org/r/73298/diff/3/

Changes: https://reviews.apache.org/r/73298/diff/2-3/


Testing
---

Passed unit tests


Thanks,

Abhay Kulkarni



[jira] [Commented] (RANGER-3229) Correct Kafka default policy item for all-delegation token and rangerlookup user

2021-04-27 Thread Nitin Galave (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=1770#comment-1770
 ] 

Nitin Galave commented on RANGER-3229:
--

Committed to [master|https://github.com/apache/ranger/commit/f5b8481ecc7c45fd181670cc29752a053ed8a30e] branch.
Committed to [ranger-2.2|https://github.com/apache/ranger/commit/ab5aab216e3cf7477a2151c24a1f29e9991aa548] branch.

> Correct Kafka default policy item for all-delegation token and rangerlookup 
> user
> 
>
> Key: RANGER-3229
> URL: https://issues.apache.org/jira/browse/RANGER-3229
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Bhagyashri Kokate
>Assignee: Bhagyashri Kokate
>Priority: Major
> Fix For: 3.0.0, 2.2.0
>
> Attachments: RANGER-3229_V2.patch
>
>
> When creating a policy for delegation token, only 'describe' permission is 
> allowed by UI.
> But the default policy created for "all - delegationtoken" contains a policy 
> item for rangerlookup user with "consume".





[jira] [Updated] (RANGER-3157) Improvements for audit details page part-2

2021-04-27 Thread Velmurugan Periasamy (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3157?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-3157:
-
Fix Version/s: 2.2.0
   3.0.0

> Improvements for audit details page part-2
> --
>
> Key: RANGER-3157
> URL: https://issues.apache.org/jira/browse/RANGER-3157
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Nitin Galave
>Assignee: Nitin Galave
>Priority: Major
> Fix For: 3.0.0, 2.2.0
>
> Attachments: 0001-RANGER-3157.patch
>
>
> Audit --> Access tab
> 1) Include policy details, after the table showing audit log details. 
> Contents of policy details should be similar to the one shown on clicking 
> policy-id in audit logs listing page.
> 2) given audit log details are likely to be used in compliance, it will help 
> to include following at the bottom of this page:
> * Generated by: 
> * Generated on:  like: Jan 11, 2021, 11:52 AM EST
> * User IP address: 
> * Ranger Admin URL





[jira] [Updated] (RANGER-3228) Improvement in audit filter feature

2021-04-27 Thread Velmurugan Periasamy (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3228?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-3228:
-
Fix Version/s: 2.2.0
   3.0.0

> Improvement in audit filter feature
> ---
>
> Key: RANGER-3228
> URL: https://issues.apache.org/jira/browse/RANGER-3228
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Nitin Galave
>Assignee: Nitin Galave
>Priority: Major
> Fix For: 3.0.0, 2.2.0
>
> Attachments: 0001-RANGER-3228.patch, 0002-RANGER-3228.patch
>
>
> 1) In tag service permission for audit filter not populate properly.
> 2) Show audit filter data in readable format instead of just json value in 
> service detail view popup.
> 3) When Save the Resources and then click on Cancel icon then there should be 
> Add icon besides it instead of Edit icon.
> 4) When I do delete audit filter then there should be message under audit 
> filter required saying: No Audit filter Data Found.!!
> 5) Observed that there is no select dropdown for the operations column while 
> configuring audit filters. While the placeholder hint is displayed as Select 
> Action. We should add an apt placeholder/tooltip with a message like, "Type 
> Action Name".





[jira] [Updated] (RANGER-3186) [Ranger Access Audit Improvement]Changes done from one user, persists for other users as well.

2021-04-27 Thread Velmurugan Periasamy (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3186?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-3186:
-
Fix Version/s: 2.2.0
   3.0.0

> [Ranger Access Audit Improvement]Changes done from one user, persists for 
> other users as well.
> --
>
> Key: RANGER-3186
> URL: https://issues.apache.org/jira/browse/RANGER-3186
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Nitin Galave
>Assignee: Nitin Galave
>Priority: Major
> Fix For: 3.0.0, 2.2.0
>
> Attachments: 0001-RANGER-3186.patch
>
>
> Steps to reproduce :-
> 1. Login with admin user.
> 2. Add one user with admin role.
> 3. On ranger access audit deselect some column.
> 4. Logout from admin user and login with new user created.
> 5. Go to access audit page, you will see the changes are still present.





[jira] [Updated] (RANGER-3239) Ranger : Add checkbox for default audit filters on Service Creation page

2021-04-27 Thread Velmurugan Periasamy (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3239?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-3239:
-
Fix Version/s: 2.2.0
   3.0.0

> Ranger : Add checkbox for default audit filters on Service Creation page
> 
>
> Key: RANGER-3239
> URL: https://issues.apache.org/jira/browse/RANGER-3239
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Nitin Galave
>Assignee: Nitin Galave
>Priority: Major
> Fix For: 3.0.0, 2.2.0
>
> Attachments: 0001-RANGER-3239.patch
>
>
> Introduce check box in service creation page on UI. Based on the checkbox, 
> will decide addition/removal of audit filters at the time of service creation.
> * By default checkbox will be checked and will show default audit filters in 
> the audit filter section of the service creation page.
> * When the user unchecked the checkbox, audit filters won't be shown on the 
> screen and it will not be persisted.





[jira] [Updated] (RANGER-3240) Show Latest Response from Server on all pages of Ranger UI.

2021-04-27 Thread Velmurugan Periasamy (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-3240:
-
Fix Version/s: 2.2.0
   3.0.0

> Show Latest Response from Server on all pages of Ranger UI.
> ---
>
> Key: RANGER-3240
> URL: https://issues.apache.org/jira/browse/RANGER-3240
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Nitin Galave
>Assignee: Nitin Galave
>Priority: Major
> Fix For: 3.0.0, 2.2.0
>
> Attachments: 0001-RANGER-3240.patch
>
>
> Suggestion for Improvement on Ranger UI : 
> The text should show the timestamp of the most recent response from the 
> server. Needs to be done for all pages in UI as part of Header. 
>  * Generated on:  like: Jan 11, 2021, 11:52 AM EST





[jira] [Updated] (RANGER-2924) [Ranger Latest Admin UI] Security Zones are not clickable to select different security zones

2021-04-27 Thread Velmurugan Periasamy (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2924?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-2924:
-
Fix Version/s: (was: 2.2.0)
   (was: 3.0.0)
   2.1.0

> [Ranger Latest Admin UI] Security Zones are not clickable to select different 
> security zones
> 
>
> Key: RANGER-2924
> URL: https://issues.apache.org/jira/browse/RANGER-2924
> Project: Ranger
>  Issue Type: Bug
>  Components: admin
>Affects Versions: 2.1.0
>Reporter: Abhishek Shukla
>Priority: Major
>  Labels: ranger
> Fix For: 2.1.0
>
> Attachments: Screenshot 2020-07-24 at 1.25.54 PM.png
>
>
> Observed that in the New Ranger Admin UI, Security Zones Page, we are not 
> able to click on different security zones in the sidebar.
> !Screenshot 2020-07-24 at 1.25.54 PM.png|width=301,height=175!  
>  





[jira] [Updated] (RANGER-2924) [Ranger Latest Admin UI] Security Zones are not clickable to select different security zones

2021-04-27 Thread Velmurugan Periasamy (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2924?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-2924:
-
Fix Version/s: 2.2.0
   3.0.0

> [Ranger Latest Admin UI] Security Zones are not clickable to select different 
> security zones
> 
>
> Key: RANGER-2924
> URL: https://issues.apache.org/jira/browse/RANGER-2924
> Project: Ranger
>  Issue Type: Bug
>  Components: admin
>Affects Versions: 2.1.0
>Reporter: Abhishek Shukla
>Priority: Major
>  Labels: ranger
> Fix For: 3.0.0, 2.2.0
>
> Attachments: Screenshot 2020-07-24 at 1.25.54 PM.png
>
>
> Observed that in the New Ranger Admin UI, Security Zones Page, we are not 
> able to click on different security zones in the sidebar.
> !Screenshot 2020-07-24 at 1.25.54 PM.png|width=301,height=175!  
>  





[jira] [Updated] (RANGER-3120) [Ranger Latest UI] Long tag based service names are not shown correctly

2021-04-27 Thread Velmurugan Periasamy (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-3120:
-
Fix Version/s: 2.2.0
   3.0.0

> [Ranger Latest UI] Long tag based service names are not shown correctly
> ---
>
> Key: RANGER-3120
> URL: https://issues.apache.org/jira/browse/RANGER-3120
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 2.2.0
>Reporter: Abhishek Shukla
>Assignee: Dhaval Rajpara
>Priority: Major
> Fix For: 3.0.0, 2.2.0
>
> Attachments: 0001-RANGER-3120.patch, 0002-RANGER-3120.patch, 
> tag_based_policy_latest_ranger_ui.png
>
>
> Observed that with Ranger Latest UI, the Tag Policies page is not able to 
> display service names with long names correctly, it overlaps with other 
> service names.
> Attached screenshot.





[jira] [Updated] (RANGER-3242) Need feature to make the access log file name configurable for user

2021-04-27 Thread Velmurugan Periasamy (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3242?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-3242:
-
Fix Version/s: 2.2.0
   3.0.0

> Need feature to make the access log file name configurable for user
> ---
>
> Key: RANGER-3242
> URL: https://issues.apache.org/jira/browse/RANGER-3242
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 2.2.0, 2.1.1, 2.10
>Reporter: Vishal Suvagia
>Assignee: Vishal Suvagia
>Priority: Minor
> Fix For: 3.0.0, 2.2.0
>
> Attachments: RANGER-3242.patch
>
>
> Currently the access log file name is set as default, need feature to have it 
> customizable for the user.





[jira] [Updated] (RANGER-3130) [Ranger Admin UI] Improvement in Ranger Latest UI's Edit Policy Page

2021-04-27 Thread Velmurugan Periasamy (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3130?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-3130:
-
Fix Version/s: 2.2.0
   3.0.0

> [Ranger Admin UI] Improvement in Ranger Latest UI's Edit Policy Page
> 
>
> Key: RANGER-3130
> URL: https://issues.apache.org/jira/browse/RANGER-3130
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 2.2.0
>Reporter: Abhishek Shukla
>Assignee: Dhaval Rajpara
>Priority: Minor
> Fix For: 3.0.0, 2.2.0
>
> Attachments: 0001-RANGER-3130.patch, With Sidebar.png, Without 
> Sidebar.png
>
>
> Observed that there are some issues related to button alignment in the Ranger 
> Admin UI's Edit Policy Page.
>  * On closing the sidebar, the Enabled button's left side padding is not 
> correct compared to the Policy Name Input box.
>  * On enabling the sidebar, the Recursive button is not aligned correctly 
> with the Enabled button.
>  
> Creating this Improvement Jira for tracking these UI enhancements.





[jira] [Updated] (RANGER-3249) Enhance RangerScriptExecutionContext class to provide APIs for comprehensive tag information

2021-04-27 Thread Velmurugan Periasamy (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3249?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-3249:
-
Fix Version/s: 2.2.0
   3.0.0

> Enhance RangerScriptExecutionContext class to provide APIs for comprehensive 
> tag information
> 
>
> Key: RANGER-3249
> URL: https://issues.apache.org/jira/browse/RANGER-3249
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Abhay Kulkarni
>Assignee: Abhay Kulkarni
>Priority: Major
> Fix For: 3.0.0, 2.2.0
>
>
> Use case: When an accessed resource is associated with multiple tags of the 
> same type but with different attribute values, current API to retrieve value 
> of an attribute incorrectly returns a scalar attribute value of any of the 
> associated tags. This may lead to incorrect access evaluation. The API needs 
> to return an array of values to caller. The caller then may decide how to use 
> the values. 





[jira] [Resolved] (RANGER-3233) Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config instead of Subject from Kafka LoginManager

2021-04-27 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani resolved RANGER-3233.
-
Resolution: Fixed

> Ranger Kafka Plugin changes to get the UGI from  Kafka client JAAS config 
> instead of Subject from Kafka LoginManager
> 
>
> Key: RANGER-3233
> URL: https://issues.apache.org/jira/browse/RANGER-3233
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 3.0.0, 2.2.0
>Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Major
> Fix For: 3.0.0, 2.2.0
>
>
> Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config 
> instead of Subject from Kafka LoginManager.
> When UGI is created with Subject from Kafka LoginManager, Ranger Kafka Plugin 
> fails with kerberos error because of changed kerberos identity when ticket 
> expires and subject load all the principals based on the GSS mechanism used.
> [https://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html#useSub]
> This was reported in https://issues.apache.org/jira/browse/RANGER-2810 which 
> has a work around. Solution would be to have the UGI created with the kafka 
> client JAAS and use it in plugin. This will help is Kerberos ticket renewed 
> properly and avoid using the Subject() which may cause issue.





[jira] [Updated] (RANGER-3233) Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config instead of Subject from Kafka LoginManager

2021-04-27 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-3233:

Fix Version/s: 3.0.0

> Ranger Kafka Plugin changes to get the UGI from  Kafka client JAAS config 
> instead of Subject from Kafka LoginManager
> 
>
> Key: RANGER-3233
> URL: https://issues.apache.org/jira/browse/RANGER-3233
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 3.0.0, 2.2.0
>Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Major
> Fix For: 3.0.0, 2.2.0
>
>
> Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config 
> instead of Subject from Kafka LoginManager.
> When UGI is created with Subject from Kafka LoginManager, Ranger Kafka Plugin 
> fails with kerberos error because of changed kerberos identity when ticket 
> expires and subject load all the principals based on the GSS mechanism used.
> [https://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html#useSub]
> This was reported in https://issues.apache.org/jira/browse/RANGER-2810 which 
> has a work around. Solution would be to have the UGI created with the kafka 
> client JAAS and use it in plugin. This will help is Kerberos ticket renewed 
> properly and avoid using the Subject() which may cause issue.





[jira] [Updated] (RANGER-3233) Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config instead of Subject from Kafka LoginManager

2021-04-27 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-3233:

Affects Version/s: 2.2.0
   3.0.0

> Ranger Kafka Plugin changes to get the UGI from  Kafka client JAAS config 
> instead of Subject from Kafka LoginManager
> 
>
> Key: RANGER-3233
> URL: https://issues.apache.org/jira/browse/RANGER-3233
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 3.0.0, 2.2.0
>Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Major
> Fix For: 2.2.0
>
>
> Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config 
> instead of Subject from Kafka LoginManager.
> When UGI is created with Subject from Kafka LoginManager, Ranger Kafka Plugin 
> fails with kerberos error because of changed kerberos identity when ticket 
> expires and subject load all the principals based on the GSS mechanism used.
> [https://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html#useSub]
> This was reported in https://issues.apache.org/jira/browse/RANGER-2810 which 
> has a work around. Solution would be to have the UGI created with the kafka 
> client JAAS and use it in plugin. This will help is Kerberos ticket renewed 
> properly and avoid using the Subject() which may cause issue.





[jira] [Updated] (RANGER-3233) Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config instead of Subject from Kafka LoginManager

2021-04-27 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-3233:

Fix Version/s: 2.2.0

> Ranger Kafka Plugin changes to get the UGI from  Kafka client JAAS config 
> instead of Subject from Kafka LoginManager
> 
>
> Key: RANGER-3233
> URL: https://issues.apache.org/jira/browse/RANGER-3233
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Major
> Fix For: 2.2.0
>
>
> Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config 
> instead of Subject from Kafka LoginManager.
> When UGI is created with Subject from Kafka LoginManager, Ranger Kafka Plugin 
> fails with kerberos error because of changed kerberos identity when ticket 
> expires and subject load all the principals based on the GSS mechanism used.
> [https://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html#useSub]
> This was reported in https://issues.apache.org/jira/browse/RANGER-2810 which 
> has a work around. Solution would be to have the UGI created with the kafka 
> client JAAS and use it in plugin. This will help is Kerberos ticket renewed 
> properly and avoid using the Subject() which may cause issue.





[jira] [Updated] (RANGER-3233) Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config instead of Subject from Kafka LoginManager

2021-04-27 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-3233:

Component/s: (was: Ranger)
 2.2.0

> Ranger Kafka Plugin changes to get the UGI from  Kafka client JAAS config 
> instead of Subject from Kafka LoginManager
> 
>
> Key: RANGER-3233
> URL: https://issues.apache.org/jira/browse/RANGER-3233
> Project: Ranger
>  Issue Type: Bug
>  Components: 2.2.0
>Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Major
> Fix For: 2.2.0
>
>
> Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config 
> instead of Subject from Kafka LoginManager.
> When UGI is created with Subject from Kafka LoginManager, Ranger Kafka Plugin 
> fails with kerberos error because of changed kerberos identity when ticket 
> expires and subject load all the principals based on the GSS mechanism used.
> [https://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html#useSub]
> This was reported in https://issues.apache.org/jira/browse/RANGER-2810 which 
> has a work around. Solution would be to have the UGI created with the kafka 
> client JAAS and use it in plugin. This will help is Kerberos ticket renewed 
> properly and avoid using the Subject() which may cause issue.





[jira] [Updated] (RANGER-3233) Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config instead of Subject from Kafka LoginManager

2021-04-27 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-3233:

Component/s: (was: 2.2.0)
 Ranger

> Ranger Kafka Plugin changes to get the UGI from  Kafka client JAAS config 
> instead of Subject from Kafka LoginManager
> 
>
> Key: RANGER-3233
> URL: https://issues.apache.org/jira/browse/RANGER-3233
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Major
> Fix For: 2.2.0
>
>
> Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config 
> instead of Subject from Kafka LoginManager.
> When UGI is created with Subject from Kafka LoginManager, Ranger Kafka Plugin 
> fails with kerberos error because of changed kerberos identity when ticket 
> expires and subject load all the principals based on the GSS mechanism used.
> [https://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html#useSub]
> This was reported in https://issues.apache.org/jira/browse/RANGER-2810 which 
> has a work around. Solution would be to have the UGI created with the kafka 
> client JAAS and use it in plugin. This will help is Kerberos ticket renewed 
> properly and avoid using the Subject() which may cause issue.





Re: Review Request 73270: RANGER-3233:Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config instead of Subject from Kafka LoginManager

2021-04-27 Thread Velmurugan Periasamy

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73270/#review222878
---


Ship it!




Ship It!

- Velmurugan Periasamy


On April 7, 2021, 6:17 p.m., Ramesh Mani wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73270/
> ---
> 
> (Updated April 7, 2021, 6:17 p.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Gergo Wilder, Abhay Kulkarni, 
> Madhan Neethiraj, Mehul Parikh, Selvamohan Neethiraj, Sailaja Polavarapu, and 
> Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3233
> https://issues.apache.org/jira/browse/RANGER-3233
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> RANGER-3233:Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS 
> config instead of Subject from Kafka LoginManager
> 
> 
> Diffs
> -
> 
>   plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java 8674521c1
> 
> 
> Diff: https://reviews.apache.org/r/73270/diff/2/
> 
> 
> Testing
> ---
> 
> - Verified Kafka Plugin and auditing for it in Local VM and verified kerberos 
> ticket renewal for Kafka UGI used for policy download and auditing.
> 
> 
> Thanks,
> 
> Ramesh Mani
> 
>



[jira] [Created] (RANGER-3262) Ranger group memberships are not working for LDAP sync

2021-04-27 Thread Sailaja Polavarapu (Jira)
Sailaja Polavarapu created RANGER-3262:
--

 Summary: Ranger group memberships are not working for LDAP sync
 Key: RANGER-3262
 URL: https://issues.apache.org/jira/browse/RANGER-3262
 Project: Ranger
  Issue Type: Bug
  Components: Ranger, usersync
Reporter: Sailaja Polavarapu


In order to sync group memberships from LDAP, usersync uses the value 
configured for "ranger.usersync.group.memberattributename" (generally it is 
memberUid in case of LDAP). In majority of LDAP servers, memberUid typically 
returns the shortname of the user. This was causing an issue while computing 
group membership in usersync.





[jira] [Assigned] (RANGER-3262) Ranger group memberships are not working for LDAP sync

2021-04-27 Thread Sailaja Polavarapu (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sailaja Polavarapu reassigned RANGER-3262:
--

Assignee: Sailaja Polavarapu

> Ranger group memberships are not working for LDAP sync
> --
>
> Key: RANGER-3262
> URL: https://issues.apache.org/jira/browse/RANGER-3262
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger, usersync
>Reporter: Sailaja Polavarapu
>Assignee: Sailaja Polavarapu
>Priority: Major
>
> In order to sync group memberships from LDAP, usersync uses the value 
> configured for "ranger.usersync.group.memberattributename" (generally it is 
> memberUid in case of LDAP). In majority of LDAP servers, memberUid typically 
> returns the shortname of the user. This was causing an issue while computing 
> group membership in usersync.





Re: Contributor Request

2021-04-27 Thread Velmurugan Periasamy
Hi Abhishek:

I have added you as contributor. Welcome to Ranger community.

Thanks.

On Tue, Apr 27, 2021 at 4:57 AM Abhishek Shukla wrote:
> Hi,
>
> Can someone add me as a contributor to Apache Ranger Project?
> Username: Shukla
>
> Thanks
> Abhishek

Re: Review Request 73306: RANGER-3062 : Even after removing ‘Security Zone’ permission for an user, UI still shows ‘Security Zone’ tab.

2021-04-27 Thread Nitin Galave

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73306/
---

(Updated April 27, 2021, 1:11 p.m.)


Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Harshal Chavan, 
Jayendra Parab, Kishor Gollapalliwar, Madhan Neethiraj, Mahesh Bandal, Mehul 
Parikh, Pradeep Agrawal, and Velmurugan Periasamy.


Bugs: RANGER-3062
https://issues.apache.org/jira/browse/RANGER-3062


Repository: ranger


Description
---

*_Steps to Reproduce_*
 1) A newly created user : *_user1_*, by default gets access to security zone 
page.
 2) From an admin role user, remove access to Security Zone permission for 
*_user1_*. 
 3) Login with that *_user1_*

Current behaviour : Security Zone details Page is visible for *_user1_*.
 Actual behaviour : *_user1_* should not be allowed to view Security Zone 
details page.


Diffs
-

  security-admin/src/main/webapp/scripts/utils/XAGlobals.js 5132e8f33 
  security-admin/src/main/webapp/scripts/views/common/ErrorView.js f0a60adfd 
  security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 4b22f6c6c 


Diff: https://reviews.apache.org/r/73306/diff/1/


Testing (updated)
---

1. Created a user with "User" role and verify whether security zone permission 
by default assign to user.
2. Created a user with "User" role and verify "security Zone" tab is visible by 
login from that specific user.
3. Removed a User from Security zone permissions and verify "Security Zone" tab 
is visible or not for that specific user.
4. Created a user using CURL Commands and removed a Security zone permissions 
and verify "Security Zone" tab is visible or not for that specific user.
5. Created a User using CURL Command and verify "User source" is display as a 
"External User".
6. Created a zones from admin user and verified the zones should be visible by 
login from that specific user.
7. Removed a user from security zone from the admin user, refreshed the other 
logged in user session and verified "401" message getting displayed.
8. Verified direct access URL scenarios when user removed from security zone 
permission.
9. Verify zone is visible for that user which are created from admin user.
10. Removed the security zones from admin user and verified whether the zone is 
not visible for that user as well.
11. Verify When there is no zone is present then Security Zone drop down on 
listing page would be disabled.
12. Verify admin user is able to create a User with admin role and auditor role 
and checked respective pages getting displayed accordingly.


Thanks,

Nitin Galave



[jira] [Updated] (RANGER-3229) Correct Kafka default policy item for all-delegation token and rangerlookup user

2021-04-27 Thread Bhagyashri Kokate (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bhagyashri Kokate updated RANGER-3229:
--
Attachment: (was: RANGER-3229.patch)

> Correct Kafka default policy item for all-delegation token and rangerlookup 
> user
> 
>
> Key: RANGER-3229
> URL: https://issues.apache.org/jira/browse/RANGER-3229
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Bhagyashri Kokate
>Assignee: Bhagyashri Kokate
>Priority: Major
> Fix For: 3.0.0, 2.2.0
>
> Attachments: RANGER-3229_V2.patch
>
>
> When creating a policy for delegation token, only 'describe' permission is 
> allowed by UI.
> But the default policy created for "all - delegationtoken" contains a policy 
> item for rangerlookup user with "consume".





[jira] [Updated] (RANGER-3229) Correct Kafka default policy item for all-delegation token and rangerlookup user

2021-04-27 Thread Bhagyashri Kokate (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bhagyashri Kokate updated RANGER-3229:
--
Attachment: RANGER-3229_V2.patch

> Correct Kafka default policy item for all-delegation token and rangerlookup 
> user
> 
>
> Key: RANGER-3229
> URL: https://issues.apache.org/jira/browse/RANGER-3229
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Bhagyashri Kokate
>Assignee: Bhagyashri Kokate
>Priority: Major
> Fix For: 3.0.0, 2.2.0
>
> Attachments: RANGER-3229_V2.patch
>
>
> When creating a policy for delegation token, only 'describe' permission is 
> allowed by UI.
> But the default policy created for "all - delegationtoken" contains a policy 
> item for rangerlookup user with "consume".





Review Request 73306: RANGER-3062 : Even after removing ‘Security Zone’ permission for an user, UI still shows ‘Security Zone’ tab.

2021-04-27 Thread Nitin Galave

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73306/
---

Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Harshal Chavan, 
Jayendra Parab, Kishor Gollapalliwar, Madhan Neethiraj, Mahesh Bandal, Mehul 
Parikh, Pradeep Agrawal, and Velmurugan Periasamy.


Bugs: RANGER-3062
https://issues.apache.org/jira/browse/RANGER-3062


Repository: ranger


Description
---

*_Steps to Reproduce_*
 1) A newly created user : *_user1_*, by default gets access to security zone 
page.
 2) From an admin role user, remove access to Security Zone permission for 
*_user1_*. 
 3) Login with that *_user1_*

Current behaviour : Security Zone details Page is visible for *_user1_*.
 Actual behaviour : *_user1_* should not be allowed to view Security Zone 
details page.


Diffs
-

  security-admin/src/main/webapp/scripts/utils/XAGlobals.js 5132e8f33 
  security-admin/src/main/webapp/scripts/views/common/ErrorView.js f0a60adfd 
  security-admin/src/main/webapp/templates/common/TopNav_tmpl.html 4b22f6c6c 


Diff: https://reviews.apache.org/r/73306/diff/1/


Testing
---

Testing is in progress.


Thanks,

Nitin Galave



[jira] [Updated] (RANGER-3062) Even after removing ‘Security Zone’ permission for an user, UI still shows ‘Security Zone’ tab.

2021-04-27 Thread Nitin Galave (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3062?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nitin Galave updated RANGER-3062:
-
Attachment: 0001-RANGER-3062.patch

> Even after removing ‘Security Zone’ permission for an user, UI still shows 
> ‘Security Zone’ tab.
> ---
>
> Key: RANGER-3062
> URL: https://issues.apache.org/jira/browse/RANGER-3062
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Nitin Galave
>Assignee: Nitin Galave
>Priority: Major
> Attachments: 0001-RANGER-3062.patch
>
>
> *_Steps to Reproduce_*
>  1) A newly created user : *_user1_*, by default gets access to security zone 
> page.
>  2) From an admin role user, remove access to Security Zone permission for 
> *_user1_*. 
>  3) Login with that *_user1_*
> Current behaviour : Security Zone details Page is visible for *_user1_*.
>  Actual behaviour : *_user1_* should not be allowed to view Security Zone 
> details page.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


Review Request 73305: RANGER-3261 : Remove unused .htaccess file from component

2021-04-27 Thread Mateen Mansoori

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73305/
---

Review request for ranger, Dhaval Shah, Jayendra Parab, Abhay Kulkarni, Madhan 
Neethiraj, Mehul Parikh, Vishal Suvagia, and Velmurugan Periasamy.


Bugs: RANGER-3261
https://issues.apache.org/jira/browse/RANGER-3261


Repository: ranger


Description
---

The .htaccess file is not processed by Tomcat, as .htaccess files are Apache Web 
Server files, not Tomcat; we should remove it.


Diffs
-

  security-admin/src/main/webapp/.htaccess 9168b159a 


Diff: https://reviews.apache.org/r/73305/diff/1/


Testing
---

Done with the functional testing on HA with LB and without LB in krb env.


Thanks,

Mateen Mansoori



[jira] [Created] (RANGER-3261) Remove unused .htaccess file from component

2021-04-27 Thread Mateen N Mansoori (Jira)
Mateen N Mansoori created RANGER-3261:
-

 Summary: Remove unused .htaccess file from component
 Key: RANGER-3261
 URL: https://issues.apache.org/jira/browse/RANGER-3261
 Project: Ranger
  Issue Type: Task
  Components: Ranger
Reporter: Mateen N Mansoori


The *.htaccess* file is not processed by Tomcat anymore, as .htaccess files are 
Apache Web Server files, not Tomcat; we should remove it.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


Re: Review Request 73298: RANGER-3250: Add relevant indexes to database table to speed up ingress processing of tagged entities

2021-04-27 Thread Kishor Gollapalliwar

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73298/#review222877
---




security-admin/db/sqlanywhere/patches/051-create-index-for-service-resource.sql
Lines 16 (patched)


The UNIQUE index named "x_service_res_UK_guid" was added in db-patch-016. 
Please reconsider.



security-admin/db/sqlserver/patches/052-create-index-for-service-resource.sql
Lines 27 (patched)


The UNIQUE nonclustered index named "x_service_res_UK_guid" was added in 
db-patch-016. Please reconsider.


- Kishor Gollapalliwar


On April 26, 2021, 1:24 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73298/
> ---
> 
> (Updated April 26, 2021, 1:24 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-3250
> https://issues.apache.org/jira/browse/RANGER-3250
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Tagged entities are persisted in a Relational database table. During ingress 
> of tagged entities, Ranger admin needs to look up this table. Indexing the 
> table on the columns that are used for look-up will speed up ingress rate.
> 
> The columns 'resource_signature' and 'guid' in table 'x_service_resource' 
> need to have unique indexes built on them
> 
> 
> Diffs
> -
> 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 9d0cd9db2
>   security-admin/db/mysql/patches/051-create-index-for-service-resource.sql PRE-CREATION
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 1904c6847
>   security-admin/db/oracle/patches/051-create-index-for-service-resource.sql PRE-CREATION
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 51ef67b8f
>   security-admin/db/postgres/patches/051-create-index-for-service-resource.sql PRE-CREATION
>   security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 97ddb5df3
>   security-admin/db/sqlanywhere/patches/051-create-index-for-service-resource.sql PRE-CREATION
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql d15015009
>   security-admin/db/sqlserver/patches/052-create-index-for-service-resource.sql PRE-CREATION
> 
> 
> Diff: https://reviews.apache.org/r/73298/diff/2/
> 
> 
> Testing
> ---
> 
> Passed unit tests
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



[jira] [Updated] (RANGER-3260) Update default hdfs audit filters to filter out unwanted audits

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3260?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla updated RANGER-3260:

Description: 
Can we update the default hdfs audit filters as follows: 

This will filter out hdfs audits related to hdfs, hue, oozie, spark, mapred, 
hbase service users access audits.
{code:java}
[
  {
    "accessResult":"DENIED",
    "isAudited":true
  },
  {
    "actions":[
      "delete",
      "rename"
    ],
    "isAudited":true
  },
  {
    "users":[
      "hdfs"
    ],
    "actions":[
      "listStatus",
      "getfileinfo",
      "listCachePools",
      "listCacheDirectives",
      "listCorruptFileBlocks",
      "monitorHealth",
      "rollEditLog",
      "open"
    ],
    "isAudited":false
  },
  {
    "users":[
      "oozie"
    ],
    "resources":{
      "path":{
        "values":[
          "/user/oozie/share/lib"
        ],
        "isRecursive":true
      }
    },
    "isAudited":false
  },
  {
    "users":[
      "spark"
    ],
    "resources":{
      "path":{
        "values":[
          "/user/spark/applicationHistory"
        ],
        "isRecursive":true
      }
    },
    "isAudited":false
  },
  {
    "users":[
      "hue"
    ],
    "resources":{
      "path":{
        "values":[
          "/user/hue"
        ],
        "isRecursive":true
      }
    },
    "isAudited":false
  },
  {
    "users":[
      "hbase"
    ],
    "resources":{
      "path":{
        "values":[
          "/hbase"
        ],
        "isRecursive":true
      }
    },
    "isAudited":false
  },
  {
    "users":[
      "mapred"
    ],
    "resources":{
      "path":{
        "values":[
          "/user/history"
        ],
        "isRecursive":true
      }
    },
    "isAudited":false
  },
  {
    "actions":[
      "getfileinfo"
    ],
    "isAudited":false
  }
]
{code}

cc [~dineshkumar-yadav]


> Update default hdfs audit filters to filter out unwanted audits
> ---
>
> Key: RANGER-3260
> URL: https://issues.apache.org/jira/browse/RANGER-3260
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 2.2.0
>Reporter: Abhishek Shukla
>Priority: Major
>
> Can we update the default hdfs audit filters as follows: 
> This will filter out hdfs audits related to hdfs, hue, oozie, spark, mapred, 
> hbase service users access audits.

[jira] [Created] (RANGER-3260) Update default hdfs audit filters to filter out unwanted audits

2021-04-27 Thread Abhishek Shukla (Jira)
Abhishek Shukla created RANGER-3260:
---

 Summary: Update default hdfs audit filters to filter out unwanted 
audits
 Key: RANGER-3260
 URL: https://issues.apache.org/jira/browse/RANGER-3260
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Affects Versions: 2.2.0
Reporter: Abhishek Shukla


Can we update the default hdfs audit filters as follows: 

This will filter out hdfs audits related to hdfs, hue, oozie, spark, mapred, 
hbase service users access audits.
{code:java}
[
  {
    "accessResult":"DENIED",
    "isAudited":true
  },
  {
    "actions":[
      "delete",
      "rename"
    ],
    "isAudited":true
  },
  {
    "users":[
      "hdfs"
    ],
    "actions":[
      "listStatus",
      "getfileinfo",
      "listCachePools",
      "listCacheDirectives",
      "listCorruptFileBlocks",
      "monitorHealth",
      "rollEditLog",
      "open"
    ],
    "isAudited":false
  },
  {
    "users":[
      "oozie"
    ],
    "resources":{
      "path":{
        "values":[
          "/user/oozie/share/lib"
        ],
        "isRecursive":true
      }
    },
    "isAudited":false
  },
  {
    "users":[
      "spark"
    ],
    "resources":{
      "path":{
        "values":[
          "/user/spark/applicationHistory"
        ],
        "isRecursive":true
      }
    },
    "isAudited":false
  },
  {
    "users":[
      "hue"
    ],
    "resources":{
      "path":{
        "values":[
          "/user/hue"
        ],
        "isRecursive":true
      }
    },
    "isAudited":false
  },
  {
    "users":[
      "hbase"
    ],
    "resources":{
      "path":{
        "values":[
          "/hbase"
        ],
        "isRecursive":true
      }
    },
    "isAudited":false
  },
  {
    "users":[
      "mapred"
    ],
    "resources":{
      "path":{
        "values":[
          "/user/history"
        ],
        "isRecursive":true
      }
    },
    "isAudited":false
  },
  {
    "actions":[
      "getfileinfo"
    ],
    "isAudited":false
  }
]
{code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
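
The following is an added example, not part of the Jira description or of Ranger's code: a small Python model that runs the filter list proposed in RANGER-3260 over constructed access events to show which ones would still be audited. It assumes filters are evaluated in list order with the first match deciding, that `isRecursive` matches on path-component boundaries, and that an event matching no filter falls back to a default (`True` here); the event fields `user`, `action`, `path` and `result` are hypothetical names.

```python
import json

# Filter list as proposed in RANGER-3260, compacted onto fewer lines.
FILTERS = json.loads("""
[
  {"accessResult": "DENIED", "isAudited": true},
  {"actions": ["delete", "rename"], "isAudited": true},
  {"users": ["hdfs"],
   "actions": ["listStatus", "getfileinfo", "listCachePools", "listCacheDirectives",
               "listCorruptFileBlocks", "monitorHealth", "rollEditLog", "open"],
   "isAudited": false},
  {"users": ["oozie"],
   "resources": {"path": {"values": ["/user/oozie/share/lib"], "isRecursive": true}},
   "isAudited": false},
  {"users": ["spark"],
   "resources": {"path": {"values": ["/user/spark/applicationHistory"], "isRecursive": true}},
   "isAudited": false},
  {"users": ["hue"],
   "resources": {"path": {"values": ["/user/hue"], "isRecursive": true}},
   "isAudited": false},
  {"users": ["hbase"],
   "resources": {"path": {"values": ["/hbase"], "isRecursive": true}},
   "isAudited": false},
  {"users": ["mapred"],
   "resources": {"path": {"values": ["/user/history"], "isRecursive": true}},
   "isAudited": false},
  {"actions": ["getfileinfo"], "isAudited": false}
]
""")


def path_matches(spec, path):
    """True if path equals a listed value, or lies beneath it when isRecursive is set."""
    for value in spec.get("values", []):
        base = value.rstrip("/")
        if path == value or path.rstrip("/") == base:
            return True
        # Compare on a component boundary so /user/hue does not cover /user/huexyz.
        if spec.get("isRecursive") and path.startswith(base + "/"):
            return True
    return False


def filter_matches(flt, event):
    """A filter matches when every criterion it lists matches; absent criteria match anything."""
    if "accessResult" in flt and flt["accessResult"] != event["result"]:
        return False
    if "users" in flt and event["user"] not in flt["users"]:
        return False
    if "actions" in flt and event["action"] not in flt["actions"]:
        return False
    for name, spec in flt.get("resources", {}).items():
        if not path_matches(spec, event.get(name, "")):
            return False
    return True


def decide(filters, event, default=True):
    """Return (is_audited, index_of_deciding_filter); first match wins (assumption)."""
    for index, flt in enumerate(filters):
        if filter_matches(flt, event):
            return flt["isAudited"], index
    return default, None  # no filter matched: modelled fallback, assumed audited


def make_event(user, action, path, result):
    return {"user": user, "action": action, "path": path, "result": result}


# Constructed sample events, not taken from any real audit log.
EVENTS = [
    make_event("hdfs", "getfileinfo", "/tmp/x", "ALLOWED"),
    make_event("hdfs", "getfileinfo", "/secure", "DENIED"),
    make_event("hdfs", "open", "/data/finance/q1.csv", "ALLOWED"),
    make_event("spark", "open", "/user/spark/applicationHistory/app-1", "ALLOWED"),
    make_event("spark", "delete", "/user/spark/applicationHistory/app-1", "ALLOWED"),
    make_event("hue", "open", "/user/huexyz/file", "ALLOWED"),
    make_event("alice", "getfileinfo", "/data/finance", "ALLOWED"),
    make_event("alice", "open", "/data/finance/q1.csv", "ALLOWED"),
]


def report(filters=FILTERS, events=EVENTS):
    """Pair each event with its audit decision and the index of the filter that decided it."""
    return [(ev, *decide(filters, ev)) for ev in events]


if __name__ == "__main__":
    for ev, audited, idx in report():
        verdict = "AUDIT" if audited else "drop "
        print(f"{verdict} filter={idx!s:<4} {ev['user']:<6} {ev['action']:<12} "
              f"{ev['result']:<8} {ev['path']}")
```

In this model a successful `open` by `hdfs` on any path and a successful `getfileinfo` by any user are dropped, while denials and `delete`/`rename` are always kept because those two filters come first in the list.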


[jira] [Updated] (RANGER-3260) Update default hdfs audit filters to filter out unwanted audits

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3260?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla updated RANGER-3260:

Description: 
Can we update the default hdfs audit filters as follows: 

This will filter out hdfs audits related to hdfs, hue, oozie, spark, mapred, 
hbase service users access audits.
{code:java}
[
  {
    "accessResult":"DENIED",
    "isAudited":true
  },
  {
    "actions":[
      "delete",
      "rename"
    ],
    "isAudited":true
  },
  {
    "users":[
      "hdfs"
    ],
    "actions":[
      "listStatus",
      "getfileinfo",
      "listCachePools",
      "listCacheDirectives",
      "listCorruptFileBlocks",
      "monitorHealth",
      "rollEditLog",
      "open"
    ],
    "isAudited":false
  },
  {
    "users":[
      "oozie"
    ],
    "resources":{
      "path":{
        "values":[
          "/user/oozie/share/lib"
        ],
        "isRecursive":true
      }
    },
    "isAudited":false
  },
  {
    "users":[
      "spark"
    ],
    "resources":{
      "path":{
        "values":[
          "/user/spark/applicationHistory"
        ],
        "isRecursive":true
      }
    },
    "isAudited":false
  },
  {
    "users":[
      "hue"
    ],
    "resources":{
      "path":{
        "values":[
          "/user/hue"
        ],
        "isRecursive":true
      }
    },
    "isAudited":false
  },
  {
    "users":[
      "hbase"
    ],
    "resources":{
      "path":{
        "values":[
          "/hbase"
        ],
        "isRecursive":true
      }
    },
    "isAudited":false
  },
  {
    "users":[
      "mapred"
    ],
    "resources":{
      "path":{
        "values":[
          "/user/history"
        ],
        "isRecursive":true
      }
    },
    "isAudited":false
  },
  {
    "actions":[
      "getfileinfo"
    ],
    "isAudited":false
  }
]
{code}

[~dineshkumar-yadav]


> Update default hdfs audit filters to filter out unwanted audits
> ---
>
> Key: RANGER-3260
> URL: https://issues.apache.org/jira/browse/RANGER-3260
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 2.2.0
>Reporter: Abhishek Shukla
>Priority: Major
>
> Can we update the default hdfs audit filters as follows: 
> This will filter out hdfs audits related to hdfs, hue, oozie, spark, mapred, 
> hbase service users access audits.

[jira] [Created] (RANGER-3259) [Ranger Audit Filter] Ranger role is allowed to delete, even if its used in audit filters

2021-04-27 Thread Abhishek Shukla (Jira)
Abhishek Shukla created RANGER-3259:
---

 Summary: [Ranger Audit Filter] Ranger role is allowed to delete, 
even if its used in audit filters
 Key: RANGER-3259
 URL: https://issues.apache.org/jira/browse/RANGER-3259
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Affects Versions: 2.2.0
Reporter: Abhishek Shukla


Observed that we are able to delete ranger role, even if the role is used in 
ranger audit filters in some service plugin.

 

While if the same ranger role is present in some ranger policy we are not 
allowed to delete the role unless we remove the role usage from policy OR 
delete the policy itself.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Updated] (RANGER-3259) [Ranger Audit Filter] Ranger role is allowed to delete, even if its used in audit filters

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla updated RANGER-3259:

Description: 
Observed that we are able to delete ranger role, even if the role is used in 
ranger audit filters in some service plugin.

 

While if the same ranger role is present in some ranger policy we are not 
allowed to delete the role unless we remove the role usage from policy OR 
delete the policy itself.

cc [~rmani]

  was:
Observed that we are able to delete ranger role, even if the role is used in 
ranger audit filters in some service plugin.

 

While if the same ranger role is present in some ranger policy we are not 
allowed to delete the role unless we remove the role usage from policy OR 
delete the policy itself.


> [Ranger Audit Filter] Ranger role is allowed to delete, even if its used in 
> audit filters
> -
>
> Key: RANGER-3259
> URL: https://issues.apache.org/jira/browse/RANGER-3259
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 2.2.0
>Reporter: Abhishek Shukla
>Priority: Major
>
> Observed that we are able to delete ranger role, even if the role is used in 
> ranger audit filters in some service plugin.
>  
> While if the same ranger role is present in some ranger policy we are not 
> allowed to delete the role unless we remove the role usage from policy OR 
> delete the policy itself.
> cc [~rmani]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


Contributor Request

2021-04-27 Thread Abhishek Shukla
Hi,

Can someone add me as a contributor to Apache Ranger Project?
Username: Shukla

Thanks
Abhishek


[jira] [Closed] (RANGER-3130) [Ranger Admin UI] Improvement in Ranger Latest UI's Edit Policy Page

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3130?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla closed RANGER-3130.
---

> [Ranger Admin UI] Improvement in Ranger Latest UI's Edit Policy Page
> 
>
> Key: RANGER-3130
> URL: https://issues.apache.org/jira/browse/RANGER-3130
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 2.2.0
>Reporter: Abhishek Shukla
>Assignee: Dhaval Rajpara
>Priority: Minor
> Attachments: 0001-RANGER-3130.patch, With Sidebar.png, Without 
> Sidebar.png
>
>
> Observed that there are some issues related to button alignment in the Ranger 
> Admin UI's Edit Policy Page.
>  * On closing the sidebar, the Enabled button's left side padding is not 
> correct compared to the Policy Name Input box.
>  * On enabling the sidebar, the Recursive button is not aligned correctly 
> with the Enabled button.
>  
> Creating this Improvement Jira for tracking these UI enhancements.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Updated] (RANGER-3251) [Ranger Audit Filters UI] Tag, KMS service not showing the audit filters in UI section

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3251?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla updated RANGER-3251:

Description: 
Observed that for Tag and KMS service, while clicking on view service button, 
we are not displaying the audit filters in UI section, instead, we are 
displaying it as configs. [While the same works for other services like hdfs, 
hive, etc]

 

Attached screenshots.

cc [~nitin.galave]

  was:
Observed that for Tag and KMS service, while clicking on view service button, 
we are not displaying the audit filters in UI section, instead, we are 
displaying it as configs. [While the same works for other services like hdfs, 
hive, etc]

 

Attached screenshots.

cc [~ngalave]


> [Ranger Audit Filters UI] Tag, KMS service not showing the audit filters in 
> UI section
> --
>
> Key: RANGER-3251
> URL: https://issues.apache.org/jira/browse/RANGER-3251
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 2.2.0, 2.1.1
>Reporter: Abhishek Shukla
>Priority: Major
> Attachments: kms service audit filters.png, tag service audit 
> filters.png
>
>
> Observed that for Tag and KMS service, while clicking on view service button, 
> we are not displaying the audit filters in UI section, instead, we are 
> displaying it as configs. [While the same works for other services like hdfs, 
> hive, etc]
>  
> Attached screenshots.
> cc [~nitin.galave]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Closed] (RANGER-3120) [Ranger Latest UI] Long tag based service names are not shown correctly

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla closed RANGER-3120.
---

> [Ranger Latest UI] Long tag based service names are not shown correctly
> ---
>
> Key: RANGER-3120
> URL: https://issues.apache.org/jira/browse/RANGER-3120
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 2.2.0
>Reporter: Abhishek Shukla
>Assignee: Dhaval Rajpara
>Priority: Major
> Attachments: 0001-RANGER-3120.patch, 0002-RANGER-3120.patch, 
> tag_based_policy_latest_ranger_ui.png
>
>
> Observed that with Ranger Latest UI, the Tag Policies page is not able to 
> display service names with long names correctly, it overlaps with other 
> service names.
> Attached screenshot.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Closed] (RANGER-3018) [Ozone Ranger Plugin] Include and Recursive buttons are overlapped in Ranger Admin UI

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3018?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla closed RANGER-3018.
---

> [Ozone Ranger Plugin] Include and Recursive buttons are overlapped in Ranger 
> Admin UI
> -
>
> Key: RANGER-3018
> URL: https://issues.apache.org/jira/browse/RANGER-3018
> Project: Ranger
>  Issue Type: Improvement
>  Components: admin
>Affects Versions: 2.2.0
>Reporter: Abhishek Shukla
>Assignee: Nitin Galave
>Priority: Minor
> Fix For: 3.0.0, 2.2.0
>
> Attachments: 0001-RANGER-3018.patch, ozone_key_flags.png
>
>
> Observed that Include and Recursive flag buttons are overlapped in the Ranger 
> UI.
> Attached screenshot.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Closed] (RANGER-3101) Ranger usersync not recovering from initial errors in subsequent syncs

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3101?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla closed RANGER-3101.
---

> Ranger usersync not recovering from initial errors in subsequent syncs
> --
>
> Key: RANGER-3101
> URL: https://issues.apache.org/jira/browse/RANGER-3101
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger, usersync
>Affects Versions: 3.0.0, 2.2.0
>Reporter: Abhishek Shukla
>Assignee: Sailaja Polavarapu
>Priority: Major
> Fix For: 3.0.0, 2.2.0
>
> Attachments: 
> 0001-RANGER-3101-Added-code-to-handle-updating-users-in-c.patch
>
>
> One issue noticed was that during initial sync a deadlock was detected while 
> updating x_portal_user table which caused the initial sync failure. The 
> subsequent syncs should have been successful, but because of a missing error 
> case check during update of this user, subsequent syncs are also failing. 
> From the logs, I noticed that the initial DB deadlock happened for a service 
> user. This user is being created by usersync during which I also see service 
> creation request which also creates the service user if doesn't exist. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Closed] (RANGER-3026) Ranger TAG dropdown shows old deleted tags during tag based policy creation.

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3026?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla closed RANGER-3026.
---

> Ranger TAG dropdown shows old deleted tags during tag based policy creation.
> 
>
> Key: RANGER-3026
> URL: https://issues.apache.org/jira/browse/RANGER-3026
> Project: Ranger
>  Issue Type: Bug
>  Components: tagsync
>Affects Versions: 2.1.0
>Reporter: Abhishek Shukla
>Priority: Major
> Attachments: Atlas_Tags.png, Ranger_Admin_UI.png
>
>
> Observed that while creating a tag-based policy in Ranger, TAG resource 
> dropdown displays old deleted tags in the atlas as well. Ideally, it should 
> only display the currently present tags in Atlas.
>  
> Attached screenshots.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Closed] (RANGER-2938) [Ranger Audits] Zone Name field is not populated in case of Deny Operations via Security Zones

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2938?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla closed RANGER-2938.
---

> [Ranger Audits] Zone Name field is not populated in case of Deny Operations 
> via Security Zones
> --
>
> Key: RANGER-2938
> URL: https://issues.apache.org/jira/browse/RANGER-2938
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 2.1.0
>Reporter: Abhishek Shukla
>Priority: Minor
>  Labels: ranger
> Fix For: 2.1.0
>
> Attachments: access_audits.png, zone_policy_details_1.png, 
> zone_policy_details_2.png
>
>
> Observed that the Zone Name field is not populated in ranger audits in case 
> of operations [where there is a deny policy in security zone or if there is 
> no policy granting access to the matching resource path in security zone] 
>  
> Zone Name is only shown when access is allowed, I think it should also be 
> shown in case of deny operations enforced via Security zones.
>  
> Attached screenshots of Ranger Audits UI.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Closed] (RANGER-2985) User with all permission in ranger is not able to update volume

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2985?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla closed RANGER-2985.
---

> User with all permission in ranger is not able to update volume
> ---
>
> Key: RANGER-2985
> URL: https://issues.apache.org/jira/browse/RANGER-2985
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 2.1.0
>Reporter: Abhishek Shukla
>Assignee: Sailaja Polavarapu
>Priority: Major
> Fix For: 3.0.0, 2.2.0
>
> Attachments: 
> 0001-RANGER-2985-RANGER-2845-and-RAGNER-2848-Update-ozone.patch, 
> 0001-RANGER-2985-RANGER-2845-and-RAGNER-2848-Update-ozone.patch
>
>
> Ranger plugin for Ozone is not currently supporting read-acl & write-acl 
> access types because of which updating a volume operation is failing. 
> Include read-acl and write-acl access types, in ozone service def as well as 
> in default policies. Also, add an upgrade patch to handle upgrades.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Closed] (RANGER-2933) [Ranger Ozone Plugin] $USER Placeholder is not honoured in KEY resource path, Policy User Items

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2933?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla closed RANGER-2933.
---

>  [Ranger Ozone Plugin] $USER Placeholder is not honoured in KEY resource 
> path, Policy User Items
> 
>
> Key: RANGER-2933
> URL: https://issues.apache.org/jira/browse/RANGER-2933
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
>Affects Versions: 2.1.0
>Reporter: Abhishek Shukla
>Priority: Major
>  Labels: ranger
> Attachments: $USER_Policy.png, User_Policy_Audit.png
>
>
> Observed that $USER placeholder is not enforced while using it either in 
> KEY value or User's value in Policy Item.
>  
> Test Policy:
> {noformat}
> 1. Resources: 
>volume - test-volume
>bucket - test-bucket
>key - user/$USER, user/$USER/*
> 2. Policy Item:
>User: $USER
>Permissions: All{noformat}
>  
> *Expected Result:* 
> Any user should be able to create user home directory
> *Actual Result:*
> The user is denied permission to create key.
> {noformat}
> [root@quasar-tyedwn-1 keytabs]# ozone fs -mkdir -p 
> o3fs://test-bucket.test-volume.ozone1/user/hrt_1 
> mkdir: User hr...@ad.halxg.cloudera.com doesn't have CREATE permission to 
> access key
> {noformat}
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Closed] (RANGER-2866) Ozone service should not allow creation of duplicate policies with same resources

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2866?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla closed RANGER-2866.
---

> Ozone service should not allow creation of duplicate policies with same 
> resources
> -
>
> Key: RANGER-2866
> URL: https://issues.apache.org/jira/browse/RANGER-2866
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
>Affects Versions: 2.1.0
>Reporter: Abhishek Shukla
>Priority: Major
>
> Observed that ozone service in ranger allows the creation of duplicate 
> policies with the same resources, while with other older services [hdfs etc] 
> we are not allowed to do that and we get the error message that there is an 
> existing policy with the same resources.
>  
> Creating this Jira for fixing this issue in ozone ranger service.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Closed] (RANGER-2932) [Ozone Ranger Plugin] Security Zones are not getting enforced during Authorization

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2932?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla closed RANGER-2932.
---

> [Ozone Ranger Plugin] Security Zones are not getting enforced during 
> Authorization
> --
>
> Key: RANGER-2932
> URL: https://issues.apache.org/jira/browse/RANGER-2932
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
>Affects Versions: 2.1.0
>Reporter: Abhishek Shukla
>Priority: Major
>  Labels: ranger
> Attachments: Finance Security Zone.png
>
>
> Observed that Security Zones for Ozone Plugin are not getting enforced, and 
> Ranger is relying on Non-Zone Policies for deciding the Access.
> Steps:
>  # Created a security zone *finance-zone-20200728123343* 
>  # There is no policy granting access to *volume-finance* in service 
> *finance-20200728123343* which is attached to the security zone created in 
> the 1st step.
>  # Create ozone volume *volume-finance* as a *hrt_21*  test user. [hrt_21 is 
> part of both users and finance groups]
> *Expected Result:* Volume creation should be denied as there is no policy 
> granting access in Zone attached service.
> *Actual Result:* Volume creation is successful using a Non-Zone policy 
> present [which provides access to hrt_21 test user]
>  
> Similar results are observed with multi-level resources [volume-bucket-key] 
> in the zone, where the zone policy is not honored instead it relies on the 
> Non-zone policy for deciding the access.
> Any inputs on how to debug this further?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Closed] (RANGER-2857) Create volume fails for a policy with specific volume/bucket/key names

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2857?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla closed RANGER-2857.
---

> Create volume fails for a policy with specific volume/bucket/key names
> --
>
> Key: RANGER-2857
> URL: https://issues.apache.org/jira/browse/RANGER-2857
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
> Affects Versions: 2.1.0
> Reporter: Abhishek Shukla
> Priority: Major
>
> *Test Policy Contents:*
> {noformat}
> {
>   "resources": {
>     "volume": {
>       "values": [
>         "volume-ojzj-1",
>         "volume-ojzj-2"
>       ],
>       "isExcludes": false,
>       "isRecursive": false
>     },
>     "bucket": {
>       "values": [
>         "bucket-jezv-1",
>         "bucket-jezv-2"
>       ],
>       "isExcludes": false,
>       "isRecursive": false
>     },
>     "key": {
>       "values": [
>         "key-wssb_1",
>         "key-wssb_2"
>       ],
>       "isExcludes": false,
>       "isRecursive": false
>     }
>   },
>   "policyItems": [
>     {
>       "accesses": [
>         {
>           "type": "read",
>           "isAllowed": true
>         },
>         {
>           "type": "write",
>           "isAllowed": true
>         },
>         {
>           "type": "create",
>           "isAllowed": true
>         },
>         {
>           "type": "delete",
>           "isAllowed": true
>         }
>       ],
>       "users": [
>         "hrt_qa"
>       ],
>       "groups": [],
>       "roles": [],
>       "conditions": [],
>       "delegateAdmin": false
>     }
>   ],
>   "denyPolicyItems": [],
>   "allowExceptions": [],
>   "denyExceptions": [],
>   "dataMaskPolicyItems": [],
>   "rowFilterPolicyItems": [],
>   "serviceType": "ozone",
>   "options": {},
>   "validitySchedules": [],
>   "policyLabels": [],
>   "zoneName": "",
>   "isDenyAllElse": false
> }
> {noformat}
>  
> *Ozone Client Commands:*
> {noformat}
> $ ozone sh volume create o3://ozone1/volume-ojzj-1
> INFO rpc.RpcClient: Creating Volume: volume-ojzj-1, with hrt_qa as owner.
> PERMISSION_DENIED User hrt_qa doesn't have CREATE permission to access volume
> $ ozone sh volume delete o3://ozone1/volume-ojzj-1
> PERMISSION_DENIED User hrt_qa doesn't have DELETE permission to access volume
> {noformat}
>  
> Now in the same test policy, if I select bucket as *none* or give wildcard 
> [*] for the bucket and key resources, the access is provided to create/delete 
> the volume.





[jira] [Closed] (RANGER-2848) Update Ozone service definition resource type volume

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2848?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla closed RANGER-2848.
---

> Update Ozone service definition resource type volume
> 
>
> Key: RANGER-2848
> URL: https://issues.apache.org/jira/browse/RANGER-2848
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
> Affects Versions: 2.1.0
> Reporter: Abhishek Shukla
> Assignee: Sailaja Polavarapu
> Priority: Major
>  Labels: ozone
> Fix For: 3.0.0, 2.2.0
>
> Attachments: 
> 0001-RANGER-2985-RANGER-2845-and-RAGNER-2848-Update-ozone.patch, 
> 0001-RANGER-2985-RANGER-2845-and-RAGNER-2848-Update-ozone.patch
>
>
> * Set {{isRecursive}} flag to false in ozone service def for resource type 
> Volume
>  * We need to add the {{isRecursive}} flag to key resource [as a key can be a 
> directory in ozone] 
>  * Can we also add the {{isExcludes}} flag to the volume resource as part of 
> this change?
>  * _Improvement_: If {{isExcludes}} is set to True for high-level resources 
> [volume, bucket], the lower-level resources [bucket, key] should not be shown 
> in the UI?





[jira] [Closed] (RANGER-2845) Cleanup ozone service configurations

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2845?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla closed RANGER-2845.
---

> Cleanup ozone service configurations
> 
>
> Key: RANGER-2845
> URL: https://issues.apache.org/jira/browse/RANGER-2845
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
> Affects Versions: 2.1.0
> Reporter: Abhishek Shukla
> Assignee: Sailaja Polavarapu
> Priority: Minor
>  Labels: ozone
> Fix For: 3.0.0, 2.2.0
>
> Attachments: 
> 0001-RANGER-2985-RANGER-2845-and-RAGNER-2848-Update-ozone.patch, 
> 0001-RANGER-2985-RANGER-2845-and-RAGNER-2848-Update-ozone.patch
>
>
> Creating this Jira for cleaning up/removing unused configs in ozone service.
> {noformat}
> dfs.datanode.kerberos.principal
> dfs.namenode.kerberos.principal
> dfs.secondary.namenode.kerberos.principal
> {noformat}
>  
> Other configs like these [Are we consuming these or should these be removed?]:
> {noformat}
> Authorization Enabled
> Common Name for Certificate
> {noformat}
>  
> Improvements:
> {noformat}
> Password config should only be shown in the UI or mandatory if Authentication 
> Type is Simple?
> {noformat}





[jira] [Closed] (RANGER-2924) [Ranger Latest Admin UI] Security Zones are not clickable to select different security zones

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2924?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla closed RANGER-2924.
---

> [Ranger Latest Admin UI] Security Zones are not clickable to select different 
> security zones
> 
>
> Key: RANGER-2924
> URL: https://issues.apache.org/jira/browse/RANGER-2924
> Project: Ranger
>  Issue Type: Bug
>  Components: admin
> Affects Versions: 2.1.0
> Reporter: Abhishek Shukla
> Priority: Major
>  Labels: ranger
> Attachments: Screenshot 2020-07-24 at 1.25.54 PM.png
>
>
> Observed that in the New Ranger Admin UI, Security Zones Page, we are not 
> able to click on different security zones in the sidebar.
> !Screenshot 2020-07-24 at 1.25.54 PM.png|width=301,height=175!  
>  





[jira] [Created] (RANGER-3258) Update default hbase audit filters to filter out unwanted audits

2021-04-27 Thread Abhishek Shukla (Jira)
Abhishek Shukla created RANGER-3258:
---

 Summary: Update default hbase audit filters to filter out unwanted 
audits
 Key: RANGER-3258
 URL: https://issues.apache.org/jira/browse/RANGER-3258
 Project: Ranger
  Issue Type: Improvement
  Components: audit
Affects Versions: 2.2.0
Reporter: Abhishek Shukla


Can we update the default HBase audit filters as follows: 

This will filter out HBase audits related to default, hbase, atlas_janus, 
ATLAS_ENTITY_AUDIT_EVENTS table access by hbase service user.
{code:java}
[
  {
    "accessResult":"DENIED",
    "isAudited":true
  },
  {
    "resources":{
      "table":{
        "values":[
          "*-ROOT-*",
          "*.META.*",
          "*_acl_*",
          "hbase:meta",
          "hbase:acl",
          "default",
          "hbase"
        ]
      }
    },
    "users":[
      "hbase"
    ],
    "isAudited":false
  },
  {
    "resources":{
      "table":{
        "values":[
          "atlas_janus",
          "ATLAS_ENTITY_AUDIT_EVENTS"
        ]
      },
      "column-family":{
        "values":[
          "*"
        ]
      },
      "column":{
        "values":[
          "*"
        ]
      }
    },
    "users":[
      "atlas",
      "hbase"
    ],
    "isAudited":false
  },
  {
    "users":[
      "hbase"
    ],
    "actions":[
      "balance"
    ],
    "isAudited":false
  }
]
{code}

cc [~dineshkumar-yadav]





[jira] [Updated] (RANGER-3256) [Ranger Audit Filters] SHOW_ROLES is not filtered out in ranger audits

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3256?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla updated RANGER-3256:

Description: 
Ranger Hive Service Audit Filters:
{noformat}
[
{'actions':['METADATA OPERATION', 'SHOW_ROLES'], 'isAudited': false}, 
{'accessTypes':['_any'], 'isAudited': false} 
]
{noformat}
Beeline Query: 
{noformat}
> show roles;{noformat}
Observed that METADATA OPERATION actions are filtered out but the same is not 
happening for SHOW_ROLES

 

We are hitting this issue with default hive audit filters as well.

Attached screenshots.

cc [~rmani]

  was:
Ranger Hive Service Audit Filters:
{noformat}
[
{'actions':['METADATA OPERATION', 'SHOW_ROLES'], 'isAudited': false}, 
{'accessTypes':['_any'], 'isAudited': false} 
]
{noformat}
Beeline Query: 
{noformat}
> show roles;{noformat}
Observed that METADATA OPERATION actions are filtered out but the same is not 
happening for SHOW_ROLES

 

We are hitting this issue with default hive audit filters as well.

Attached screenshots.


> [Ranger Audit Filters] SHOW_ROLES is not filtered out in ranger audits
> --
>
> Key: RANGER-3256
> URL: https://issues.apache.org/jira/browse/RANGER-3256
> Project: Ranger
>  Issue Type: Bug
>  Components: audit
> Affects Versions: 2.2.0, 2.1.1
> Reporter: Abhishek Shukla
> Priority: Major
> Attachments: default_hive_audit_filters.png, 
> hive_audits_show_roles.png
>
>
> Ranger Hive Service Audit Filters:
> {noformat}
> [
> {'actions':['METADATA OPERATION', 'SHOW_ROLES'], 'isAudited': false}, 
> {'accessTypes':['_any'], 'isAudited': false} 
> ]
> {noformat}
> Beeline Query: 
> {noformat}
> > show roles;{noformat}
> Observed that METADATA OPERATION actions are filtered out but the same is not 
> happening for SHOW_ROLES
>  
> We are hitting this issue with default hive audit filters as well.
> Attached screenshots.
> cc [~rmani]





[jira] [Updated] (RANGER-3257) Update default kafka audit filters to filter out unwanted audits

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla updated RANGER-3257:

Description: 
Can we update the default Kafka audit filters as follows: 

This will filter out Kafka audits related to ATLAS_SPARK_HOOK, topic describe 
action, etc
{code:java}
[
  {
    "accessResult":"DENIED",
    "isAudited":true
  },
  {
    "resources":{
      "topic":{
        "values":[
          "ATLAS_ENTITIES",
          "ATLAS_HOOK",
          "ATLAS_SPARK_HOOK"
        ]
      }
    },
    "users":[
      "atlas"
    ],
    "actions":[
      "describe",
      "publish",
      "consume"
    ],
    "isAudited":false
  },
  {
    "resources":{
      "topic":{
        "values":[
          "ATLAS_HOOK"
        ]
      }
    },
    "users":[
      "hive",
      "hbase",
      "impala",
      "nifi"
    ],
    "actions":[
      "publish",
      "describe"
    ],
    "isAudited":false
  },
  {
    "resources":{
      "topic":{
        "values":[
          "ATLAS_ENTITIES"
        ]
      }
    },
    "users":[
      "rangertagsync"
    ],
    "actions":[
      "consume",
      "describe"
    ],
    "isAudited":false
  },
  {
    "resources":{
      "consumergroup":{
        "values":[
          "*"
        ]
      }
    },
    "users":[
      "atlas",
      "rangertagsync"
    ],
    "actions":[
      "consume"
    ],
    "isAudited":false
  },
  {
    "users":[
      "kafka_service_user_name"
    ],
    "isAudited":false
  }
]
{code}

cc [~dineshkumar-yadav]

  was:
Can we update the default Kafka audit filters as follows: 

This will filter out Kafka audits related to ATLAS_SPARK_HOOK, topic describe 
action, etc
{code:java}
[
  {
    "accessResult":"DENIED",
    "isAudited":true
  },
  {
    "resources":{
      "topic":{
        "values":[
          "ATLAS_ENTITIES",
          "ATLAS_HOOK",
          "ATLAS_SPARK_HOOK"
        ]
      }
    },
    "users":[
      "atlas"
    ],
    "actions":[
      "describe",
      "publish",
      "consume"
    ],
    "isAudited":false
  },
  {
    "resources":{
      "topic":{
        "values":[
          "ATLAS_HOOK"
        ]
      }
    },
    "users":[
      "hive",
      "hbase",
      "impala",
      "nifi"
    ],
    "actions":[
      "publish",
      "describe"
    ],
    "isAudited":false
  },
  {
    "resources":{
      "topic":{
        "values":[
          "ATLAS_ENTITIES"
        ]
      }
    },
    "users":[
      "rangertagsync"
    ],
    "actions":[
      "consume",
      "describe"
    ],
    "isAudited":false
  },
  {
    "resources":{
      "consumergroup":{
        "values":[
          "*"
        ]
      }
    },
    "users":[
      "atlas",
      "rangertagsync"
    ],
    "actions":[
      "consume"
    ],
    "isAudited":false
  },
  {
    "users":[
      "kafka_service_user_name"
    ],
    "isAudited":false
  }
]
{code}


> Update default kafka audit filters to filter out unwanted audits
> 
>
> Key: RANGER-3257
> URL: https://issues.apache.org/jira/browse/RANGER-3257
> Project: Ranger
>  Issue Type: Improvement
>  Components: audit
> Affects Versions: 2.2.0
> Reporter: Abhishek Shukla
> Priority: Major
>
> Can we update the default Kafka audit filters as follows: 
> This will filter out Kafka audits related to ATLAS_SPARK_HOOK, topic describe 
> action, etc
> {code:java}
> [
>   {
>     "accessResult":"DENIED",
>     "isAudited":true
>   },
>   {
>     "resources":{
>       "topic":{
>         "values":[
>           "ATLAS_ENTITIES",
>           "ATLAS_HOOK",
>           "ATLAS_SPARK_HOOK"
>         ]
>       }
>     },
>     "users":[
>       "atlas"
>     ],
>     "actions":[
>       "describe",
>       "publish",
>       "consume"
>     ],
>     "isAudited":false
>   },
>   {
>     "resources":{
>       "topic":{
>         "values":[
>           "ATLAS_HOOK"
>         ]
>       }
>     },
>     "users":[
>       "hive",
>       "hbase",
>       "impala",
>       "nifi"
>     ],
>     "actions":[
>       "publish",
>       "describe"
>     ],
>     "isAudited":false
>   },
>   {
>     "resources":{
>       "topic":{
>         "values":[
>           "ATLAS_ENTITIES"
>         ]
>       }
>     },
>     "users":[
>       "rangertagsync"
>     ],
>     "actions":[
>       "consume",
>       "describe"
>     ],
>     "isAudited":false
>   },
>   {
>     "resources":{
>       "consumergroup":{
>         "values":[
>           "*"
>         ]
>       }
>     },
>     "users":[
>       "atlas",
>       "rangertagsync"
>     ],
>     "actions":[
>       "consume"
>     ],
>     "isAudited":false
>   },
>   {
>     "users":[
>       "kafka_service_user_name"
>     ],
>     "isAudited":false
>   }
> ]
> {code}
> cc [~dineshkumar-yadav]




[jira] [Created] (RANGER-3257) Update default kafka audit filters to filter out unwanted audits

2021-04-27 Thread Abhishek Shukla (Jira)
Abhishek Shukla created RANGER-3257:
---

 Summary: Update default kafka audit filters to filter out unwanted 
audits
 Key: RANGER-3257
 URL: https://issues.apache.org/jira/browse/RANGER-3257
 Project: Ranger
  Issue Type: Improvement
  Components: audit
Affects Versions: 2.2.0
Reporter: Abhishek Shukla


Can we update the default Kafka audit filters as follows: 

This will filter out Kafka audits related to ATLAS_SPARK_HOOK, topic describe 
action, etc
{code:java}
[
  {
    "accessResult":"DENIED",
    "isAudited":true
  },
  {
    "resources":{
      "topic":{
        "values":[
          "ATLAS_ENTITIES",
          "ATLAS_HOOK",
          "ATLAS_SPARK_HOOK"
        ]
      }
    },
    "users":[
      "atlas"
    ],
    "actions":[
      "describe",
      "publish",
      "consume"
    ],
    "isAudited":false
  },
  {
    "resources":{
      "topic":{
        "values":[
          "ATLAS_HOOK"
        ]
      }
    },
    "users":[
      "hive",
      "hbase",
      "impala",
      "nifi"
    ],
    "actions":[
      "publish",
      "describe"
    ],
    "isAudited":false
  },
  {
    "resources":{
      "topic":{
        "values":[
          "ATLAS_ENTITIES"
        ]
      }
    },
    "users":[
      "rangertagsync"
    ],
    "actions":[
      "consume",
      "describe"
    ],
    "isAudited":false
  },
  {
    "resources":{
      "consumergroup":{
        "values":[
          "*"
        ]
      }
    },
    "users":[
      "atlas",
      "rangertagsync"
    ],
    "actions":[
      "consume"
    ],
    "isAudited":false
  },
  {
    "users":[
      "kafka_service_user_name"
    ],
    "isAudited":false
  }
]
{code}





[jira] [Created] (RANGER-3256) [Ranger Audit Filters] SHOW_ROLES is not filtered out in ranger audits

2021-04-27 Thread Abhishek Shukla (Jira)
Abhishek Shukla created RANGER-3256:
---

 Summary: [Ranger Audit Filters] SHOW_ROLES is not filtered out in 
ranger audits
 Key: RANGER-3256
 URL: https://issues.apache.org/jira/browse/RANGER-3256
 Project: Ranger
  Issue Type: Bug
  Components: audit
Affects Versions: 2.2.0, 2.1.1
Reporter: Abhishek Shukla
 Attachments: default_hive_audit_filters.png, hive_audits_show_roles.png

Ranger Hive Service Audit Filters:
{noformat}
[
{'actions':['METADATA OPERATION', 'SHOW_ROLES'], 'isAudited': false}, 
{'accessTypes':['_any'], 'isAudited': false} 
]
{noformat}
Beeline Query: 
{noformat}
> show roles;{noformat}
Observed that METADATA OPERATION actions are filtered out but the same is not 
happening for SHOW_ROLES

 

We are hitting this issue with default hive audit filters as well.

Attached screenshots.





[jira] [Updated] (RANGER-3256) [Ranger Audit Filters] SHOW_ROLES is not filtered out in ranger audits

2021-04-27 Thread Abhishek Shukla (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3256?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Shukla updated RANGER-3256:

Attachment: hive_audits_show_roles.png
default_hive_audit_filters.png

> [Ranger Audit Filters] SHOW_ROLES is not filtered out in ranger audits
> --
>
> Key: RANGER-3256
> URL: https://issues.apache.org/jira/browse/RANGER-3256
> Project: Ranger
>  Issue Type: Bug
>  Components: audit
> Affects Versions: 2.2.0, 2.1.1
> Reporter: Abhishek Shukla
> Priority: Major
> Attachments: default_hive_audit_filters.png, 
> hive_audits_show_roles.png
>
>
> Ranger Hive Service Audit Filters:
> {noformat}
> [
> {'actions':['METADATA OPERATION', 'SHOW_ROLES'], 'isAudited': false}, 
> {'accessTypes':['_any'], 'isAudited': false} 
> ]
> {noformat}
> Beeline Query: 
> {noformat}
> > show roles;{noformat}
> Observed that METADATA OPERATION actions are filtered out but the same is not 
> happening for SHOW_ROLES
>  
> We are hitting this issue with default hive audit filters as well.
> Attached screenshots.





[GitHub] [ranger] Xinshiyou opened a new pull request #99: RANGER-3255 : Lost nessary pre-check for Empty input argument

2021-04-27 Thread GitBox


Xinshiyou opened a new pull request #99:
URL: https://github.com/apache/ranger/pull/99


   exception fixed : https://issues.apache.org/jira/browse/RANGER-3255


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org




[jira] [Updated] (RANGER-3255) Lost nessary pre-check for Empty input argument

2021-04-27 Thread Shiyou xin (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3255?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Shiyou xin updated RANGER-3255:
---
Description: 
If the configuration file is not found, or the necessary configuration URLs are 
missing, then an exception happens as follows:

{{2021-04-27 10:46:30,658 ERROR org.apache.hadoop.hdfs.server.namenode.NameNode: Failed to start namenode.
 java.lang.IllegalArgumentException: bound must be positive
 at java.util.Random.nextInt(Random.java:388)
 at org.apache.ranger.plugin.util.RangerRESTClient.<init>(RangerRESTClient.java:120)
 at org.apache.ranger.admin.client.RangerAdminRESTClient.init(RangerAdminRESTClient.java:778)
 at org.apache.ranger.admin.client.RangerAdminRESTClient.init(RangerAdminRESTClient.java:116)}}

 

Maybe, we should add a pre-check.

  was:
If the configuration file is not found, or the necessary configuration URLs are 
missing, then an exception happens as follows:

{{2021-04-27 10:46:30,658 ERROR org.apache.hadoop.hdfs.server.namenode.NameNode: Failed to start namenode.
java.lang.IllegalArgumentException: bound must be positive
at java.util.Random.nextInt(Random.java:388)
at org.apache.ranger.plugin.util.RangerRESTClient.<init>(RangerRESTClient.java:120)
at org.apache.ranger.admin.client.RangerAdminRESTClient.init(RangerAdminRESTClient.java:778)
at org.apache.ranger.admin.client.RangerAdminRESTClient.init(RangerAdminRESTClient.java:116)}}


> Lost nessary pre-check for Empty input argument
> ---
>
> Key: RANGER-3255
> URL: https://issues.apache.org/jira/browse/RANGER-3255
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
> Affects Versions: 2.1.0, 3.0.0, 2.2.0
> Reporter: Shiyou xin
> Priority: Major
>
> If the configuration file is not found, or the necessary configuration URLs are 
> missing, then an exception happens as follows:
> {{2021-04-27 10:46:30,658 ERROR org.apache.hadoop.hdfs.server.namenode.NameNode: Failed to start namenode.
>  java.lang.IllegalArgumentException: bound must be positive
>  at java.util.Random.nextInt(Random.java:388)
>  at org.apache.ranger.plugin.util.RangerRESTClient.<init>(RangerRESTClient.java:120)
>  at org.apache.ranger.admin.client.RangerAdminRESTClient.init(RangerAdminRESTClient.java:778)
>  at org.apache.ranger.admin.client.RangerAdminRESTClient.init(RangerAdminRESTClient.java:116)}}
>  
> Maybe, we should add a pre-check.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
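
The failure reported in RANGER-3255 above, as an added Java illustration that is not Ranger's code and not the change in pull request #99. It assumes the non-positive bound passed to Random.nextInt in the trace is the size of an empty list of configured admin URLs; the class, method and property names are hypothetical and the sample values are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Random;

/** Added illustration; names here are hypothetical and not taken from Ranger. */
public class AdminUrlPreCheck {

    /** Splits a comma-separated URL setting, dropping blank entries and trailing slashes. */
    static List<String> parseUrls(String configured) {
        List<String> urls = new ArrayList<>();
        if (configured == null) {            // property absent, e.g. config file not loaded
            return urls;
        }
        for (String part : configured.split(",")) {
            String url = part.trim();
            while (url.endsWith("/")) {
                url = url.substring(0, url.length() - 1);
            }
            if (!url.isEmpty()) {
                urls.add(url);
            }
        }
        return urls;
    }

    /** Unchecked form: Random.nextInt(0) throws "bound must be positive" on an empty list. */
    static int pickStartIndexUnchecked(List<String> urls) {
        return new Random().nextInt(urls.size());
    }

    /** Pre-checked form: fails early with a message that names the missing setting. */
    static int pickStartIndex(List<String> urls, String propertyName) {
        if (urls.isEmpty()) {
            throw new IllegalStateException("No admin URL configured: property '" + propertyName
                    + "' is missing or empty; check that the plugin configuration file was loaded");
        }
        return new Random().nextInt(urls.size());
    }

    public static void main(String[] args) {
        String property = "example.policy.rest.url";   // hypothetical property name
        // Constructed sample settings: valid list, blank-only list, missing property.
        String[] samples = { "http://admin1:6080/, http://admin2:6080", " , ", null };

        for (String sample : samples) {
            List<String> urls = parseUrls(sample);
            try {
                pickStartIndexUnchecked(urls);
                System.out.println("unchecked ok: " + urls);
            } catch (IllegalArgumentException e) {
                System.out.println("unchecked: " + e.getMessage());
            }
            try {
                int i = pickStartIndex(urls, property);
                System.out.println("checked ok, start at " + urls.get(i));
            } catch (IllegalStateException e) {
                System.out.println("checked: " + e.getMessage());
            }
        }
    }
}
```

With the pre-check, the startup failure names the configuration problem instead of surfacing as an argument error from java.util.Random.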


[jira] [Created] (RANGER-3255) Lost nessary pre-check for Empty input argument

2021-04-27 Thread Shiyou xin (Jira)
Shiyou xin created RANGER-3255:
--

 Summary: Lost nessary pre-check for Empty input argument
 Key: RANGER-3255
 URL: https://issues.apache.org/jira/browse/RANGER-3255
 Project: Ranger
  Issue Type: Bug
  Components: plugins
Affects Versions: 2.1.0, 3.0.0, 2.2.0
Reporter: Shiyou xin


If the configuration file is not found, or the necessary configuration URLs are 
missing, then an exception happens as follows:

{{2021-04-27 10:46:30,658 ERROR org.apache.hadoop.hdfs.server.namenode.NameNode: Failed to start namenode.
java.lang.IllegalArgumentException: bound must be positive
at java.util.Random.nextInt(Random.java:388)
at org.apache.ranger.plugin.util.RangerRESTClient.<init>(RangerRESTClient.java:120)
at org.apache.ranger.admin.client.RangerAdminRESTClient.init(RangerAdminRESTClient.java:778)
at org.apache.ranger.admin.client.RangerAdminRESTClient.init(RangerAdminRESTClient.java:116)}}





[jira] [Updated] (RANGER-2704) Support browser login using kerberized authentication

2021-04-27 Thread Vishal Suvagia (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2704?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vishal Suvagia updated RANGER-2704:
---
Attachment: RANGER-2704.patch

> Support browser login using kerberized authentication
> -
>
> Key: RANGER-2704
> URL: https://issues.apache.org/jira/browse/RANGER-2704
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
> Reporter: Vishal Suvagia
> Assignee: Vishal Suvagia
> Priority: Minor
> Attachments: RANGER-2704.patch
>
>
> Need to support browser login using kerberos authentication.


