Re: Review Request 73443: RANGER-3329: Request for _any access-type is denied only when on all access-types are denied

2021-07-16 Thread Madhan Neethiraj 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73443/#review223240
---


Fix it, then Ship it!





agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
Lines 700 (patched)


Is the 'if' in #700 necessary? When allowResult is null, 
deniedAccessTypeCount will always be allAccessDefs.size(), right?


- Madhan Neethiraj


On July 17, 2021, 2:25 a.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73443/
> ---
> 
> (Updated July 17, 2021, 2:25 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3329
> https://issues.apache.org/jira/browse/RANGER-3329
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Currently a request for _any access-type is denied only if all access-types 
> in the service-def are denied by policies. Instead of this, the policy-engine 
> should deny _any access if there are no allowed accesses, and at least one of 
> the access-type is denied. This will help address following usecase:
> 
> when accessTypeRestrictions is defined on a resource i.e. only a subset of 
> access-types are shown in policy-UI, it will not be possible to create 
> policies that deny all accesses. In such cases, the proposed change will 
> enable denying _any access-type with only subset of access-types denied.
> 
> The fix is to deny the access with type _any only if all of access-types 
> "specified in the denying policy" are explicitly denied by policies.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
>  74a7a2615 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  3c0e32c2e 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  03e37fe3d 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
>  696a3f6eb 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
>  f8eba5f96 
>   
> agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json
>  934655ba9 
>   agents-common/src/test/resources/policyengine/test_policyengine_hive.json 
> bd2f67b68 
>   
> agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json 
> a8ec02733 
>   
> agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_for_show_databases.json
>  f42df3eab 
> 
> 
> Diff: https://reviews.apache.org/r/73443/diff/3/
> 
> 
> Testing
> ---
> 
> Passed all existing test cases.
> Created a unit test for the use-case outlined in the JIRA, and ensured that 
> it passes.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

[GitHub] [ranger] alvaroqueiroz commented on pull request #110: Python ranger_client call_api - add case for 404 response

2021-07-16 Thread GitBox 


alvaroqueiroz commented on pull request #110:
URL: https://github.com/apache/ranger/pull/110#issuecomment-881809253


   @chia7712 thank you for your fast response, i will try to get the attention 
of the comitters


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@ranger.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

[GitHub] [ranger] alvaroqueiroz commented on pull request #110: Python ranger_client call_api - add case for 404 response

2021-07-16 Thread GitBox 


alvaroqueiroz commented on pull request #110:
URL: https://github.com/apache/ranger/pull/110#issuecomment-881809121


   @mneethiraj can you take a look at this PR?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@ranger.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

[GitHub] [ranger] chia7712 commented on pull request #110: Python ranger_client call_api - add case for 404 response

2021-07-16 Thread GitBox 


chia7712 commented on pull request #110:
URL: https://github.com/apache/ranger/pull/110#issuecomment-881808715


   > Can you help me with this CI error? :)
   
   I filed a PR (#105) to fix CI. However, I'm not Ranger committer so it needs 
love from other guys :)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@ranger.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

[GitHub] [ranger] alvaroqueiroz edited a comment on pull request #110: Python ranger_client call_api - add case for 404 response

2021-07-16 Thread GitBox 


alvaroqueiroz edited a comment on pull request #110:
URL: https://github.com/apache/ranger/pull/110#issuecomment-881808391


   @chia7712 Can you help me with this CI error? :)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@ranger.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

[GitHub] [ranger] alvaroqueiroz commented on pull request #110: Python ranger_client call_api - add case for 404 response

2021-07-16 Thread GitBox 


alvaroqueiroz commented on pull request #110:
URL: https://github.com/apache/ranger/pull/110#issuecomment-881808391


   @chia7712 Can you help me with de CI error? :)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@ranger.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

[GitHub] [ranger] alvaroqueiroz opened a new pull request #110: Python ranger_client call_api - add case for 404 response

2021-07-16 Thread GitBox 


alvaroqueiroz opened a new pull request #110:
URL: https://github.com/apache/ranger/pull/110


   One exemple of problem:
   When using the method ranger.get_policy(), if the policy do not exists, i 
get the following error:
   
   
![image](https://user-images.githubusercontent.com/23335136/126023407-e0efa40c-28a9-4937-b570-fe72242a01d5.png)
   
   This will happen with other resources too.
   
   This happens because the API call do not have a case for dealing with the 
response 404 (resource do not exist).
   So i'm adding it


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@ranger.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: Review Request 73443: RANGER-3329: Request for _any access-type is denied only when on all access-types are denied

2021-07-16 Thread Abhay Kulkarni 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73443/
---

(Updated July 17, 2021, 2:25 a.m.)


Review request for ranger, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, 
and Velmurugan Periasamy.


Changes
---

Addressed review comments. Fixed unit tests.


Bugs: RANGER-3329
https://issues.apache.org/jira/browse/RANGER-3329


Repository: ranger


Description
---

Currently a request for _any access-type is denied only if all access-types in 
the service-def are denied by policies. Instead of this, the policy-engine 
should deny _any access if there are no allowed accesses, and at least one of 
the access-type is denied. This will help address following usecase:

when accessTypeRestrictions is defined on a resource i.e. only a subset of 
access-types are shown in policy-UI, it will not be possible to create policies 
that deny all accesses. In such cases, the proposed change will enable denying 
_any access-type with only subset of access-types denied.

The fix is to deny the access with type _any only if all of access-types 
"specified in the denying policy" are explicitly denied by policies.


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
 74a7a2615 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 3c0e32c2e 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 03e37fe3d 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 696a3f6eb 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyACLs.java
 f8eba5f96 
  
agents-common/src/test/resources/policyengine/test_policyengine_descendant_tags.json
 934655ba9 
  agents-common/src/test/resources/policyengine/test_policyengine_hive.json 
bd2f67b68 
  agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json 
a8ec02733 
  
agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_for_show_databases.json
 f42df3eab 


Diff: https://reviews.apache.org/r/73443/diff/3/

Changes: https://reviews.apache.org/r/73443/diff/2-3/


Testing
---

Passed all existing test cases.
Created a unit test for the use-case outlined in the JIRA, and ensured that it 
passes.


Thanks,

Abhay Kulkarni

Re: Review Request 73460: RANGER-3341: External user's role creation may fail in certain version of MariaDB

2021-07-16 Thread Mehul Parikh 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73460/#review223238
---


Ship it!




Ship It!

- Mehul Parikh


On July 15, 2021, 5:51 p.m., Pradeep Agrawal wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73460/
> ---
> 
> (Updated July 15, 2021, 5:51 p.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Abhay Kulkarni, Madhan Neethiraj, 
> Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, Vishal Suvagia, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-3341
> https://issues.apache.org/jira/browse/RANGER-3341
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> **Problem Statement:** During policy import on maria DB flavor it was 
> observed that when policy user is created, return object of XXPortalUser does 
> not have the generated unique id of the user, hence null value was assigned. 
> null user id can't be used for entries in x_portal_user_role table for the 
> same user. 
> 
> 
> **Proposed Solution:** once a XXPortalUser entry is created, a fresh call 
> need to made to fetch the same user details and if it has the generated 
> unique id then that id can be used for creating the roles of the same user.
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java 
> 6483bbe1d 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 318c4ee0f 
>   security-admin/src/main/java/org/apache/ranger/service/XGroupService.java 
> 24cb43e54 
>   security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java 
> 202a113d8 
> 
> 
> Diff: https://reviews.apache.org/r/73460/diff/3/
> 
> 
> Testing
> ---
> 
> Tested the patch in MariaDB(10.3) and postgres DB(10.15) and issue is not 
> reproducible.
> 
> 
> Note: Kafka test cases failing with and without patch in my env. need to 
> recheck in other env.
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>

[jira] [Created] (RANGER-3342) Need to make the Ranger embedded server work directory configurable

2021-07-16 Thread Vishal Suvagia (Jira) 
Vishal Suvagia created RANGER-3342:
--

 Summary: Need to make the Ranger embedded server work directory 
configurable
 Key: RANGER-3342
 URL: https://issues.apache.org/jira/browse/RANGER-3342
 Project: Ranger
  Issue Type: Improvement
  Components: admin
Affects Versions: 2.1.0, 3.0.0
Reporter: Vishal Suvagia
Assignee: Vishal Suvagia


Currently the work directory for Ranger embedded server is not configurable. 
Need to make the work directory configurable to a custom location so that user 
can customize if required.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (RANGER-3338) Masking and Row filter policy are getting exported from report page when Policy type=Access

2021-07-16 Thread Nitin Galave (Jira) 


 [ 
https://issues.apache.org/jira/browse/RANGER-3338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nitin Galave updated RANGER-3338:
-
Fix Version/s: 2.2.0

> Masking and Row filter policy are getting exported from report page when 
> Policy type=Access
> ---
>
> Key: RANGER-3338
> URL: https://issues.apache.org/jira/browse/RANGER-3338
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Harshal Chavan
>Assignee: Nitin Galave
>Priority: Major
> Fix For: 2.2.0
>
> Attachments: 0001-RANGER-3338.patch
>
>
> Steps
> 1.Create a policy in hive masking and hive row.
> 2.Go to report page
> 3.Export excel, csv and json
> 4.Check the exported file it has masking and row filter policy also.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (RANGER-3338) Masking and Row filter policy are getting exported from report page when Policy type=Access

2021-07-16 Thread Nitin Galave (Jira) 


[ 
https://issues.apache.org/jira/browse/RANGER-3338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17382019#comment-17382019
 ] 

Nitin Galave commented on RANGER-3338:
--

Committed to 
[Apache-master|https://github.com/apache/ranger/commit/a2d4360f581ae90d190e73b8947f4db9db132eea]
 branch.
Committed to 
[ranger-2.2|https://github.com/apache/ranger/commit/6bf1ff25e6964d34d7bfdf0224e96624d7dbfc14]
 branch.

> Masking and Row filter policy are getting exported from report page when 
> Policy type=Access
> ---
>
> Key: RANGER-3338
> URL: https://issues.apache.org/jira/browse/RANGER-3338
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Harshal Chavan
>Assignee: Nitin Galave
>Priority: Major
> Attachments: 0001-RANGER-3338.patch
>
>
> Steps
> 1.Create a policy in hive masking and hive row.
> 2.Go to report page
> 3.Export excel, csv and json
> 4.Check the exported file it has masking and row filter policy also.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)