[jira] [Commented] (RANGER-3332) Script evaluator to support JSON style access to context details
[ https://issues.apache.org/jira/browse/RANGER-3332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17384483#comment-17384483 ]

Madhan Neethiraj commented on RANGER-3332:
--

Commit in master branch:
{noformat}
commit 280d0a694886931fe5587921083a767a70ce7183 (HEAD -> master, origin/master, origin/HEAD)
Author: Madhan Neethiraj
Date: Thu Jul 8 06:12:48 2021 -0700

    RANGER-3332: script evaluator updated to provide JavaScript style access to details of request/user/groups/tags
{noformat}

Commit in ranger-2.2 branch:
{noformat}
commit 0c0271651b553409a604cf773dd3b29f0c07bd5d (HEAD -> ranger-2.2, origin/ranger-2.2)
Author: Madhan Neethiraj
Date: Thu Jul 8 06:12:48 2021 -0700

    RANGER-3332: script evaluator updated to provide JavaScript style access to details of request/user/groups/tags

    (cherry picked from commit 280d0a694886931fe5587921083a767a70ce7183)
{noformat}

> Script evaluator to support JSON style access to context details
>
>
> Key: RANGER-3332
> URL: https://issues.apache.org/jira/browse/RANGER-3332
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Priority: Major
> Fix For: 3.0.0, 2.2.0
>
> Attachments: RANGER-3332.patch
>
>
> Script evaluator currently requires use of methods to access context details,
> like:
> * ctx.getUser()
> * ctx.getUserGroups()
> * tag.getType()
> * tag.getAttributes().get("emailAddress")
>
> This makes the script in conditions cumbersome to write and read. It will be
> simpler to be able to access context details with Json style syntax, like:
> * _ctx.user
> * _ctx.userGroups
> * _ctx.tag.type
> * _ctx.tag.attributes.emailAddress

--
This message was sent by Atlassian Jira (v8.3.4#803005)
Re: Review Request 73463: RANGER-3342 : Need to make the Ranger embedded server work directory configurable
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73463/#review223253
---

Ship it!

Ship It!

- Madhan Neethiraj

On July 20, 2021, 9:37 a.m., Vishal Suvagia wrote:
>
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73463/
> ---
>
> (Updated July 20, 2021, 9:37 a.m.)
>
>
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav,
> Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan
> Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu,
> and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3342
> https://issues.apache.org/jira/browse/RANGER-3342
>
>
> Repository: ranger
>
>
> Description
> ---
>
> Currently the work directory for Ranger embedded server is not configurable.
> Need to make the work directory configurable to a custom location so that
> user can customize if required.
>
>
> Diffs
> -
>
> embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
> 137168259d9aa55548a3953aff7def6d7228a9e5
> security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
> 8842071982f7a5831db4dcbcffd00d6a22a6fb2c
>
>
> Diff: https://reviews.apache.org/r/73463/diff/2/
>
>
> Testing
> ---
>
> Validated the changes locally.
>
>
> Thanks,
>
> Vishal Suvagia
>
Re: Review Request 73444: RANGER-3332: script evaluator updated to provide JavaScript style access to details of request/user/groups/tags
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73444/#review223252
---

Ship it!

Ship It!

- Abhay Kulkarni

On July 14, 2021, 4:14 p.m., Madhan Neethiraj wrote:
>
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73444/
> ---
>
> (Updated July 14, 2021, 4:14 p.m.)
>
>
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Abhay Kulkarni,
> Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and
> Velmurugan Periasamy.
>
>
> Bugs: RANGER-3332
> https://issues.apache.org/jira/browse/RANGER-3332
>
>
> Repository: ranger
>
>
> Description
> ---
>
> Updated script condition evaluator to support JavaScript style access to
> request/user/groups/tags detail. For example:
> - _ctx.request.clusterType == 'azure'
> - _ctx.tag.type == 'PII' && _ctx.userAttributes.dept == 'hr'
> - _ctx.tag.attributes.pii_type = 'email'
>
>
> Diffs
> -
>
> agents-common/src/main/java/org/apache/ranger/authorization/utils/JsonUtils.java
> ee4cef6d6
> agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptConditionEvaluator.java
> b306f5150
> agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerScriptExecutionContext.java
> c0a8f9f35
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java
> ed2dffd91
> agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerCustomConditionMatcherTest.java
> 0a4dd4a02
>
>
> Diff: https://reviews.apache.org/r/73444/diff/2/
>
>
> Testing
> ---
>
> - added unit tests
>
>
> Thanks,
>
> Madhan Neethiraj
>
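An added example, not part of the review request and not Ranger's own code: JavaScript-style conditions of the kind listed in the description, evaluated against a `_ctx` built from JSON, with the context frozen and the decision failing closed on errors and non-boolean results. In JavaScript an expression written with `=` is an assignment whose value is the assigned string, so the example runs a lenient and a hardened mode side by side. The `_ctx` layout, the sample values and the names `evaluateCondition`, `deepFreeze` and `CONDITIONS` are assumptions made for illustration.

```javascript
// Added illustration, not Ranger code: the _ctx layout and all names here are assumptions.
// Constructed sample context, shaped after the fields named in the description.
const SAMPLE_CTX_JSON = JSON.stringify({
  request: { clusterType: 'azure' },
  user: 'alice',
  userGroups: ['hr-staff'],
  userAttributes: { dept: 'hr' },
  tag: { type: 'PII', attributes: { pii_type: 'ssn' } },
});

// Recursively freeze the context so a condition can read it but never change it.
function deepFreeze(obj) {
  for (const value of Object.values(obj)) {
    if (value !== null && typeof value === 'object') deepFreeze(value);
  }
  return Object.freeze(obj);
}

// Evaluate one condition expression with `_ctx` as its only argument.
// hardened=true : frozen context, strict mode, and only boolean `true` grants.
// hardened=false: mutable context and any truthy result grants (lenient baseline).
// Note: new Function is not a sandbox; it is used here only to show expression semantics.
function evaluateCondition(expr, ctxJson, hardened = true) {
  const parsed = JSON.parse(ctxJson);
  const ctx = hardened ? deepFreeze(parsed) : parsed;
  const prologue = hardened ? '"use strict"; ' : '';
  try {
    const value = new Function('_ctx', prologue + 'return (' + expr + ');')(ctx);
    return { allowed: hardened ? value === true : Boolean(value), value };
  } catch (err) {
    // Fail closed: a missing field or a write attempt denies instead of granting.
    return { allowed: false, error: err.name };
  }
}

const CONDITIONS = [
  "_ctx.request.clusterType == 'azure'",
  "_ctx.tag.type == 'PII' && _ctx.userAttributes.dept == 'hr'",
  "_ctx.tag.attributes.pii_type == 'email'", // comparison: sample tag is 'ssn'
  "_ctx.tag.attributes.pii_type = 'email'",  // assignment: yields 'email', which is truthy
  "_ctx.resource.owner == 'alice'",          // field absent from the sample context
];

for (const expr of CONDITIONS) {
  console.log(expr, '| lenient:', evaluateCondition(expr, SAMPLE_CTX_JSON, false).allowed,
    '| hardened:', evaluateCondition(expr, SAMPLE_CTX_JSON, true).allowed);
}
```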
Re: Review Request 73466: RANGER-3343: Ranger policy cache is incorrect in some scenario
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73466/#review223251
---

Ship it!

Ship It!

- Velmurugan Periasamy

On July 20, 2021, 1:58 p.m., Abhay Kulkarni wrote:
>
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73466/
> ---
>
> (Updated July 20, 2021, 1:58 p.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani,
> Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3343
> https://issues.apache.org/jira/browse/RANGER-3343
>
>
> Repository: ranger
>
>
> Description
> ---
>
> There are two external users: ranger_user (user role) and ranger_admin (admin
> role).
>
> ranger_user is granted a delegated-admin privilege on some resource.
> Log in to Ranger admin GUI as ranger_admin and change the policy (first
> policy item) for the resource.
> Wait for policy sync. policy cache json is correct and it has both policy
> item entries.
> Log in to Ranger admin GUI as ranger_user user and change the policy to add
> another policy item (second policy-item) with the delegated-admin box
> unchecked.
> Wait for policy sync. policy cache json is incorrect and it has only first
> policy item entry.
>
> The fix ensures that the policy cache is not modified during creation of
> delegated-admin processing policy engine.
>
>
> Diffs
> -
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
> 99ae598a0
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
> 03e37fe3d
>
>
> Diff: https://reviews.apache.org/r/73466/diff/1/
>
>
> Testing
> ---
>
> Tested the scenario and ensured that the Policy-cache is not modified, and
> the downloaded policies are same as the database copy.
>
>
> Thanks,
>
> Abhay Kulkarni
>
Re: Review Request 73466: RANGER-3343: Ranger policy cache is incorrect in some scenario
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73466/#review223250
---

Ship it!

Ship It!

- Pradeep Agrawal

On July 20, 2021, 1:58 p.m., Abhay Kulkarni wrote:
>
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73466/
> ---
>
> (Updated July 20, 2021, 1:58 p.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani,
> Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3343
> https://issues.apache.org/jira/browse/RANGER-3343
>
>
> Repository: ranger
>
>
> Description
> ---
>
> There are two external users: ranger_user (user role) and ranger_admin (admin
> role).
>
> ranger_user is granted a delegated-admin privilege on some resource.
> Log in to Ranger admin GUI as ranger_admin and change the policy (first
> policy item) for the resource.
> Wait for policy sync. policy cache json is correct and it has both policy
> item entries.
> Log in to Ranger admin GUI as ranger_user user and change the policy to add
> another policy item (second policy-item) with the delegated-admin box
> unchecked.
> Wait for policy sync. policy cache json is incorrect and it has only first
> policy item entry.
>
> The fix ensures that the policy cache is not modified during creation of
> delegated-admin processing policy engine.
>
>
> Diffs
> -
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
> 99ae598a0
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
> 03e37fe3d
>
>
> Diff: https://reviews.apache.org/r/73466/diff/1/
>
>
> Testing
> ---
>
> Tested the scenario and ensured that the Policy-cache is not modified, and
> the downloaded policies are same as the database copy.
>
>
> Thanks,
>
> Abhay Kulkarni
>
Re: Review Request 73466: RANGER-3343: Ranger policy cache is incorrect in some scenario
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73466/
---

(Updated July 20, 2021, 1:58 p.m.)

Review request for ranger, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani,
Sailaja Polavarapu, and Velmurugan Periasamy.

Bugs: RANGER-3343
https://issues.apache.org/jira/browse/RANGER-3343

Repository: ranger

Description (updated)
---

There are two external users: ranger_user (user role) and ranger_admin (admin
role).

ranger_user is granted a delegated-admin privilege on some resource.
Log in to Ranger admin GUI as ranger_admin and change the policy (first
policy item) for the resource.
Wait for policy sync. policy cache json is correct and it has both policy
item entries.
Log in to Ranger admin GUI as ranger_user user and change the policy to add
another policy item (second policy-item) with the delegated-admin box
unchecked.
Wait for policy sync. policy cache json is incorrect and it has only first
policy item entry.

The fix ensures that the policy cache is not modified during creation of
delegated-admin processing policy engine.

Diffs
-

agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
99ae598a0
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
03e37fe3d

Diff: https://reviews.apache.org/r/73466/diff/1/

Testing
---

Tested the scenario and ensured that the Policy-cache is not modified, and
the downloaded policies are same as the database copy.

Thanks,

Abhay Kulkarni
Re: Review Request 73452: RANGER-3023: Permission tab takes longer time to load with large number of users and group_users data
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73452/
---

(Updated July 20, 2021, 1:52 p.m.)

Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav,
Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul
Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan
Periasamy.

Bugs: RANGER-3023
https://issues.apache.org/jira/browse/RANGER-3023

Repository: ranger

Description
---

GET API /service/xusers/permission takes longer time to load with following
number of users and group mappings in db.

select count(*) from x_user;
109040
select count(*) from x_portal_user;
109038
select count(*) from x_group_users;
689952

Current problem:
For every ModuleDef, db call to fetch all XXUser, XXPortalUser and creating a
Map object using xUserService.getXXPortalUserIdXXUserMap() is a costly
operation. Similarly for xGroupService.getXXGroupIdXXGroupMap().

Solution:
In the following patch, I have overridden searchModuleDef function in
XModuleDefService which will fetch users and groups only once, i.e.

Map xXPortalUserIdXXUserMap = xUserService.getXXPortalUserIdXXUserMap();
Map xXGroupMap = xGroupService.getXXGroupIdXXGroupMap();

These two objects will be passed to an overloaded method populateViewBean()

Diffs
-

security-admin/src/main/java/org/apache/ranger/service/XModuleDefService.java
d5ca38548

Diff: https://reviews.apache.org/r/73452/diff/2/

Testing
---

xUserService.getXXPortalUserIdXXUserMap() takes approximately 2000 milliseconds.
xGroupService.getXXGroupIdXXGroupMap() takes approximately 500 milliseconds.

Before patch, XModuleDefServiceBase.searchModuleDef() took 30252 milliseconds.
After patch, XModuleDefService.searchModuleDef() took 13766 milliseconds.

GET API /service/xusers/permission response improved by ~16 seconds for the
above mentioned dataset.

Thanks,

Mahesh Bandal
Re: Review Request 73463: RANGER-3342 : Need to make the Ranger embedded server work directory configurable
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73463/
---

(Updated July 20, 2021, 9:37 a.m.)

Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav,
Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan
Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu,
and Velmurugan Periasamy.

Changes
---

Updated patch to address review comments.

Bugs: RANGER-3342
https://issues.apache.org/jira/browse/RANGER-3342

Repository: ranger

Description
---

Currently the work directory for Ranger embedded server is not configurable.
Need to make the work directory configurable to a custom location so that
user can customize if required.

Diffs (updated)
-

embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
137168259d9aa55548a3953aff7def6d7228a9e5
security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
8842071982f7a5831db4dcbcffd00d6a22a6fb2c

Diff: https://reviews.apache.org/r/73463/diff/2/

Changes: https://reviews.apache.org/r/73463/diff/1-2/

Testing
---

Validated the changes locally.

Thanks,

Vishal Suvagia
[jira] [Updated] (RANGER-3342) Need to make the Ranger embedded server work directory configurable
[ https://issues.apache.org/jira/browse/RANGER-3342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vishal Suvagia updated RANGER-3342:
---
Attachment: RANGER-3342.01.patch

> Need to make the Ranger embedded server work directory configurable
> ---
>
> Key: RANGER-3342
> URL: https://issues.apache.org/jira/browse/RANGER-3342
> Project: Ranger
> Issue Type: Improvement
> Components: admin
> Affects Versions: 2.1.0, 3.0.0
> Reporter: Vishal Suvagia
> Assignee: Vishal Suvagia
> Priority: Major
> Attachments: RANGER-3342.01.patch, RANGER-3342.patch
>
>
> Currently the work directory for Ranger embedded server is not configurable.
> Need to make the work directory configurable to a custom location so that
> user can customize if required.

--
This message was sent by Atlassian Jira (v8.3.4#803005)