Re: Review Request 73852: RANGER-3595, refactor the file layout of ranger-xxx-kms.tar.gz

2022-02-16 Thread bhavik patel

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73852/#review224066
---



Thanks for the detailed info and cleaning up the packing.

Can you please verify zone operations, import/export keys to jceks file and 
masterkey import/export operation.

I just want to make sure we are not breaking the existing functionality.

- bhavik patel


On Feb. 16, 2022, 10:29 a.m., Kirby Zhou wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73852/
> ---
> 
> (Updated Feb. 16, 2022, 10:29 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, 
> Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen Mansoori, Mehul 
> Parikh, pengjianhua, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal 
> Suvagia, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-3595
> https://issues.apache.org/jira/browse/RANGER-3595
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> There are lots of .class files under ews/webapp/, and never used. 
> 
> 
> 1. place web.xml at correct location
> 2. setup.sh wants to patch hadoop-common.jar at runtime, it requires some file 
> inside ranger-kms.jar. But the patching of hadoop-common.jar is unnecessary. 
> 
> Regular webapp should have its own class files under 
> ews/webapp/WEB-INF/classes, and dependencies under ews/webapp/WEB-INF/lib, 
> and the Container should put its libraries under ews/lib. But currently, we 
> use directories such as ews/webapp/lib, ews/webapp/WEB-INF/classes/lib. It 
> looks dirty and ugly.
> 
> 
> My patch here makes KMS no longer bring ranger-kms.jar, and place classes and 
> web.xml at correct location, as an alternative to 
> https://reviews.apache.org/r/73816/
> 
> 
> Now: 
> ews/lib contains ews bootstrap jars, 
> ews/webapp/WEB-INF/classes contains KMS app itself, 
> ews/webapp/WEB-INF/lib contains KMS dependencies,
> ews/webapp/WEB-INF/lib/ranger-kms-plugin-impl contains ranger-kms-plugin.
> 
> Additionally, kms/pom.xml even depends on original hadoop-kms, which can 
> confuse developers, so I removed it.
> 
> BTW: the bootstrap embedded server looks too heavy and has too many 
> dependencies.
> 
> 
> Diffs
> -
> 
>   distro/src/main/assembly/kms.xml 983a43e59 
>   kms/pom.xml 7a4f98df7 
>   kms/scripts/DBMK2HSM.sh 001199d97 
>   kms/scripts/DBMKTOAZUREKEYVAULT.sh cfe5a6b5e 
>   kms/scripts/DBMKTOKEYSECURE.sh c0aa6e58c 
>   kms/scripts/HSMMK2DB.sh 6c77f7340 
>   kms/scripts/KEYSECUREMKTOKMSDB.sh 340e05e2c 
>   kms/scripts/VerifyIsDBMasterkeyCorrect.sh 1c9a2e148 
>   kms/scripts/exportKeysToJCEKS.sh f3205789b 
>   kms/scripts/importJCEKSKeys.sh 5d4fe978f 
>   kms/scripts/ranger-kms 429a31e5a 
>   kms/scripts/setup.sh 2051df59a 
>   kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java 
> c899bdf98 
>   kms/src/main/resources/META-INF/context.xml  
>   kms/src/main/resources/WEB-INF/web.xml 5e2d489fe 
> 
> 
> Diff: https://reviews.apache.org/r/73852/diff/1/
> 
> 
> Testing
> ---
> 
> mvn clean package
> fresh install and upgrade from 2.2.0
> 
> 
> Thanks,
> 
> Kirby Zhou
> 
>



[jira] [Created] (RANGER-3629) RANGER - Handle solr permissions during upgrade

2022-02-16 Thread Mateen N Mansoori (Jira)
Mateen N Mansoori created RANGER-3629:
-

 Summary: RANGER -  Handle solr permissions during upgrade
 Key: RANGER-3629
 URL: https://issues.apache.org/jira/browse/RANGER-3629
 Project: Ranger
  Issue Type: Improvement
  Components: Ranger
Affects Versions: 3.0.0, 2.3.0
Reporter: Mateen N Mansoori
 Fix For: 3.0.0, 2.3.0


Write an upgrade java patch to handle solr permissions during upgrade.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Updated] (RANGER-3628) Support fine grain authorization for different solr objects

2022-02-16 Thread Mateen N Mansoori (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3628?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mateen N Mansoori updated RANGER-3628:
--
Description: 
Modify ranger solr plugin to allow granting the following privileges: * QUERY - 
read only privilege on an object
 * UPDATE - write only privilege on an object
 * * - read and write access

Privileges can be defined on the following objects:

admin
 * collections
 * cores
 * metrics
 * autoscaling
 * security

-  collection

-  config

 - schema

  was:
Modify ranger solr plugin to allow granting the following privileges: * QUERY - 
read only privilege on an object
 * UPDATE - write only privilege on an object
 * * - read and write access

Privileges can be defined on the following objects:

- admin
 * collections
 * cores
 * metrics
 * autoscaling
 * security

-  collection

-  config

 - schema


> Support fine grain authorization for different solr objects
> ---
>
> Key: RANGER-3628
> URL: https://issues.apache.org/jira/browse/RANGER-3628
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 3.0.0, 2.3.0
>Reporter: Mateen N Mansoori
>Priority: Major
> Fix For: 3.0.0, 2.3.0
>
>
> Modify ranger solr plugin to allow granting the following privileges: * QUERY 
> - read only privilege on an object
>  * UPDATE - write only privilege on an object
>  * * - read and write access
> Privileges can be defined on the following objects:
> admin
>  * collections
>  * cores
>  * metrics
>  * autoscaling
>  * security
> -  collection
> -  config
>  - schema





[jira] [Updated] (RANGER-3628) Support fine grain authorization for different solr objects

2022-02-16 Thread Mateen N Mansoori (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3628?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mateen N Mansoori updated RANGER-3628:
--
Description: 
Modify ranger solr plugin to allow granting the following privileges: * QUERY - 
read only privilege on an object
 * UPDATE - write only privilege on an object
 * * - read and write access

Privileges can be defined on the following objects:

- admin
 * collections
 * cores
 * metrics
 * autoscaling
 * security

-  collection

-  config

 - schema

  was:
Modify ranger solr plugin to allow granting the following privileges: * QUERY - 
read only privilege on an object
 * UPDATE - write only privilege on an object
 * * - read and write access

Privileges can be defined on the following objects: * admin

 * collections
 * cores
 * metrics
 * autoscaling
 * security

 * collection
 * config
 * schema


> Support fine grain authorization for different solr objects
> ---
>
> Key: RANGER-3628
> URL: https://issues.apache.org/jira/browse/RANGER-3628
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 3.0.0, 2.3.0
>Reporter: Mateen N Mansoori
>Priority: Major
> Fix For: 3.0.0, 2.3.0
>
>
> Modify ranger solr plugin to allow granting the following privileges: * QUERY 
> - read only privilege on an object
>  * UPDATE - write only privilege on an object
>  * * - read and write access
> Privileges can be defined on the following objects:
> - admin
>  * collections
>  * cores
>  * metrics
>  * autoscaling
>  * security
> -  collection
> -  config
>  - schema





[jira] [Created] (RANGER-3628) Support fine grain authorization for different solr objects

2022-02-16 Thread Mateen N Mansoori (Jira)
Mateen N Mansoori created RANGER-3628:
-

 Summary: Support fine grain authorization for different solr 
objects
 Key: RANGER-3628
 URL: https://issues.apache.org/jira/browse/RANGER-3628
 Project: Ranger
  Issue Type: Improvement
  Components: Ranger
Affects Versions: 3.0.0, 2.3.0
Reporter: Mateen N Mansoori
 Fix For: 3.0.0, 2.3.0


Modify ranger solr plugin to allow granting the following privileges: * QUERY - 
read only privilege on an object
 * UPDATE - write only privilege on an object
 * * - read and write access

Privileges can be defined on the following objects: * admin

 * collections
 * cores
 * metrics
 * autoscaling
 * security

 * collection
 * config
 * schema





%u is always "-" in access log of ranger and kms?

2022-02-16 Thread KirbY ZhoU
%u is always "-" in access log of ranger and kms?

defaultAccessLogPattern = servername.equalsIgnoreCase(KMS_SERVER_NAME) ? "%h %l 
%u %t \"%m %U\" %s %b" : "%h %l %u %t \"%r\" %s %b";

%l - Remote logical username from identd (always returns '-')
%u - Remote user that was authenticated (if any), else '-'

I have configured ranger and kms with Kerberos authentication, but both %l and 
%u field in access log are always "-".
Is that the expected behavior?

==> ranger_kms/log/access-localhost-2022-02-16.18.log <==
10.10.137.131 - - [16/Feb/2022:18:06:28 +0800] "GET /kms/v1/keys/names" 200 40
10.10.137.131 - - [16/Feb/2022:18:07:44 +0800] "GET /kms/v1/keys/names" 200 40
10.10.137.131 - - [16/Feb/2022:18:07:59 +0800] "GET /kms/v1/keys/names" 200 40

==> ranger_kms/log/access-localhost-2022-02-17.log <==
10.10.137.131 - - [17/Feb/2022:03:55:57 +] "GET 
/service/plugins/secure/policies/download/kmsdev?supportsPolicyDeltas=false=kms@ranger_kms-kmsdev==0=1=-1
 HTTP/1.1" 401 - "-" "Java/1.8.0_292"
10.10.137.131 - - [17/Feb/2022:03:55:57 +] "GET 
/service/plugins/secure/policies/download/kmsdev?supportsPolicyDeltas=false=kms@ranger_kms-kmsdev==0=1=-1
 HTTP/1.1" 200 4756 "-" "Java/1.8.0_292"
0:0:0:0:0:0:0:1 - - [17/Feb/2022:03:55:59 +] "GET /service/metrics/status 
HTTP/1.1" 200 795 "-" "curl/7.29.0"
10.10.137.131 - - [17/Feb/2022:03:56:28 +] "GET 
/service/roles/secure/download/kmsdev?pluginId=kms@ranger_kms-kmsdev==1645070157863=1=3
 HTTP/1.1" 304 - "-" "Java/1.8.0_292"
10.10.137.131 - - [17/Feb/2022:03:56:28 +] "GET 
/service/plugins/secure/policies/download/kmsdev?supportsPolicyDeltas=false=kms@ranger_kms-kmsdev==1645070158090=1=27
 HTTP/1.1" 304 - "-" "Java/1.8.0_292"

172.20.9.129 - - [17/Feb/2022:03:58:31 +] "GET 
/libs/bower/requirejs/js/require.js HTTP/1.1" 200 86483 
"http://10.10.137.131:6080/index.html; "Mozilla/5.0 (Macintosh; Intel Mac OS X 
10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15"
172.20.9.129 - - [17/Feb/2022:03:58:32 +] "GET 
/scripts/Main.min.js?ver=2.2.0 HTTP/1.1" 200 2592368 
"http://10.10.137.131:6080/index.html; "Mozilla/5.0 (Macintosh; Intel Mac OS X 
10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15"
172.20.9.129 - - [17/Feb/2022:03:58:33 +] "GET /service/plugins/csrfconf 
HTTP/1.1" 200 258 "http://10.10.137.131:6080/index.html; "Mozilla/5.0 
(Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) 
Version/15.3 Safari/605.1.15"
172.20.9.129 - - [17/Feb/2022:03:58:33 +] "GET 
/service/users/profile?_=1645070371919 HTTP/1.1" 200 1500 
"http://10.10.137.131:6080/index.html; "Mozilla/5.0 (Macintosh; Intel Mac OS X 
10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15"
172.20.9.129 - - [17/Feb/2022:03:58:33 +] "GET /images/avatar.png HTTP/1.1" 
200 761 "http://10.10.137.131:6080/index.html; "Mozilla/5.0 (Macintosh; Intel 
Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 
Safari/605.1.15"
172.20.9.129 - - [17/Feb/2022:03:58:33 +] "GET /service/plugins/checksso 
HTTP/1.1" 200 15 "http://10.10.137.131:6080/index.html; "Mozilla/5.0 
(Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) 
Version/15.3 Safari/605.1.15"
172.20.9.129 - - [17/Feb/2022:03:58:33 +] "GET 
/service/plugins/definitions?page=0=25=0=serviceTypeId&_=1645070371920
 HTTP/1.1" 200 19939 "http://10.10.137.131:6080/index.html; "Mozilla/5.0 
(Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) 
Version/15.3 Safari/605.1.15"
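
To measure how many requests end up logged without a user under the two patterns quoted above, the following added example (not part of the original message or of the Ranger code base) parses both line shapes and counts non-challenge responses whose `%u` field is `-`. The sample lines, addresses, the user `alice` and the `public_prefixes` parameter are constructed for illustration.

```python
import re
from collections import Counter

# The two AccessLogValve patterns quoted in the message:
#   KMS:    %h %l %u %t "%m %U" %s %b
#   other:  %h %l %u %t "%r" %s %b
# Both start with host, identd user, authenticated user and timestamp; the
# quoted field is either "METHOD PATH" or a full request line with protocol.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>[^\s"]+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Group by path only; query strings carry per-request values.
    rec["path"] = rec["target"].split("?", 1)[0]
    # "-" is the valve's marker for "no authenticated user recorded".
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    return rec


def unattributed(lines, public_prefixes=()):
    """Count requests that were answered but carry no user in the log.

    401 responses are skipped: with SPNEGO the first leg is an anonymous
    challenge, so no user is expected there. Paths under public_prefixes
    (static assets and similar) are skipped as well.
    Returns (Counter keyed by (host, method, path), number of unparsed lines).
    """
    findings = Counter()
    unparsed = 0
    prefixes = tuple(public_prefixes)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["user"] is not None or rec["status"] == 401:
            continue
        if prefixes and rec["path"].startswith(prefixes):
            continue
        findings[(rec["host"], rec["method"], rec["path"])] += 1
    return findings, unparsed


# Constructed sample lines modelled on the format shown in the message.
SAMPLE = [
    '192.0.2.10 - - [16/Feb/2022:18:06:28 +0800] "GET /kms/v1/keys/names" 200 40',
    '192.0.2.10 - - [16/Feb/2022:18:07:44 +0800] "GET /kms/v1/keys/names" 200 40',
    '192.0.2.10 - - [17/Feb/2022:03:55:57 +0000] "GET /service/plugins/secure/'
    'policies/download/kmsdev?pluginId=x HTTP/1.1" 401 - "-" "Java/1.8.0_292"',
    '192.0.2.10 - - [17/Feb/2022:03:55:57 +0000] "GET /service/plugins/secure/'
    'policies/download/kmsdev?pluginId=x HTTP/1.1" 200 4756 "-" "Java/1.8.0_292"',
    '192.0.2.20 - alice [17/Feb/2022:03:58:33 +0000] "GET /service/users/profile'
    ' HTTP/1.1" 200 1500',
    '192.0.2.20 - - [17/Feb/2022:03:58:33 +0000] "GET /images/avatar.png'
    ' HTTP/1.1" 200 761',
    'not an access log line',
]

if __name__ == "__main__":
    found, bad = unattributed(SAMPLE, public_prefixes=("/images/",))
    for (host, method, path), count in found.most_common():
        print(f"{count:4d}  {host}  {method} {path}")
    print(f"unparsed lines: {bad}")
```

A high count on authenticated endpoints means the access log alone cannot attribute those requests, so the application's own audit records are needed for that.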









RANGER eclipse .project would always be auto-modified by vscode

2022-02-16 Thread KirbY ZhoU
Is it acceptable to commit it to mainline, or we should remove ".project" from 
git?

diff --git a/.project b/.project
index 38afddad9..d5e63850c 100644
--- a/.project
+++ b/.project
@@ -14,4 +14,15 @@

org.eclipse.m2e.core.maven2Nature

+   
+   
+   1645060707224
+   
+   30
+   
+   
org.eclipse.core.resources.regexFilterMatcher
+   
node_modules|.git|__CREATED_BY_JAVA_LANGUAGE_SERVER__
+   
+   
+   
 
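Review bot: The block added after the org.eclipse.m2e.core.maven2Nature entry should not go to mainline: the value 1645060707224 and the org.eclipse.core.resources.regexFilterMatcher argument node_modules|.git|__CREATED_BY_JAVA_LANGUAGE_SERVER__ are written by the editor's Java language server, not chosen by the project, so every contributor using that tooling will see this file change again. Suggest leaving this hunk out and instead removing .project from version control and listing it in .gitignore, so the IDE metadata is regenerated locally from the Maven build.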








[jira] [Commented] (RANGER-3623) Add ability to enable anonymous download of policy/role/tag

2022-02-16 Thread kirby zhou (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17493614#comment-17493614
 ] 

kirby zhou commented on RANGER-3623:


review request

https://reviews.apache.org/r/73846/

> Add ability to enable anonymous download of policy/role/tag
> ---
>
> Key: RANGER-3623
> URL: https://issues.apache.org/jira/browse/RANGER-3623
> Project: Ranger
>  Issue Type: Improvement
>  Components: admin
>Affects Versions: 3.0.0, 2.3.0
>Reporter: kirby zhou
>Priority: Major
> Attachments: add-downloadonly-option.patch
>
>
> Currently, we have an option ranger.admin.allow.unauthenticated.access to 
> allow unauthenticated clients to perform a series of API operations. This 
> option allows the client to perform both dangerous grant/revoke permission 
> operation and relatively safe download operation.
> In many cases, allowing anonymous downloading of policy is not a serious risk 
> problem. On the contrary, the complicated kerberos and SSL settings make it 
> difficult for ranger plugin embedded in third-party services to complete the 
> task of refreshing policy, which may be a bigger problem. In particular, 
> refresh failure often has no obvious features for administrators to discover.
> Therefore, I suggest that ranger increase the ability to allow client to 
> download policy/tag/roles anonymously.
> There are two ways to achieve it.
>  
> 1. Just limit the ability of  "ranger.admin.allow.unauthenticated.access=true"
> which needs to modify 
> "security-admin/src/main/resources/conf.dist/security-applicationContext.xml" 
> to remove dangerous operations from '
> security="none"'.
>  
> 2. Add a candidate value "downloadonly" to 
> "ranger.admin.allow.unauthenticated.access"
> Which needs modify ServiceRest.Java and BizUtil.java to implement the 
> enhanced checking logic. 
>  
> I have a patch for method2





Re: Review Request 73807: Support Ranger KMS integration with TencentKMS

2022-02-16 Thread Kirby Zhou


> On Feb. 16, 2022, 12:36 p.m., Dhaval Shah wrote:
> > Still the same issue with pom.xml

Have you downloaded the latest version of patch?

Or we have different HEADs of master?


```
% git fetch --all
Fetching github

% git checkout github/master
HEAD is now at 5f8d001bc RANGER-3625: fixed incorrect LOG.isDebugEnabled() 
condition in RangerHiveAuthorizer

% curl 'https://reviews.apache.org/r/73807/diff/raw/' > xx.patch  
  % Total% Received % Xferd  Average Speed   TimeTime Time  Current
 Dload  Upload   Total   SpentLeft  Speed
100 42594  100 425940 0  18855  0  0:00:02  0:00:02 --:--:-- 18930

% sha1sum xx.patch 
529adbfd7f2097d49906c48d44ea1ee0daa11e18  xx.patch

% git apply --check  xx.patch

% echo $?
0

```


- Kirby


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73807/#review224060
---


On Feb. 16, 2022, 10:37 a.m., Kirby Zhou wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73807/
> ---
> 
> (Updated Feb. 16, 2022, 10:37 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, 
> Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen Mansoori, Mehul 
> Parikh, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal Suvagia, and 
> Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3580
> https://issues.apache.org/jira/browse/RANGER-3580
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ranger KMS integration with TencentKMS
> - This task is to integrate the RANGER KMS Service with TencentKMS.
> - To Configure RANGER KMS Service with TencentKMS below configurations need 
> to be added in install.properties file before running the setup.sh
> 
> ```
> # Do you use Tencent Cloud KMS? 
> TENCENT_KMS_ENABLED=true 
> # MasterKeyID on Tencent Cloud
> TENCENT_MASTERKEY_ID=YourKeyID
> # Login ID
> TENCENT_CLIENT_ID=YourClientLoginId
> # Login password
> TENCENT_CLIENT_SECRET=YourClientLoginSecret
> # Tencent Cloud area, see Tencent Cloud SDK for details. 
> TENCENT_CLIENT_REGION=ap-beijing
> ```
> 
> Run the setup.sh, It will add the below configs in dbks-site.xml
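> ```
> <property>
>   <name>ranger.kms.tencentkms.enabled</name>
>   <value>false</value>
>   <description>Flag for Tencent KMS</description>
> </property>
> <property>
>   <name>ranger.kms.tencent.client.id</name>
>   <value></value>
>   <description>Tencent Client Id</description>
> </property>
> <property>
>   <name>ranger.kms.tencent.client.secret</name>
>   <value></value>
>   <description>Tencent Client Secret</description>
> </property>
> <property>
>   <name>ranger.kms.tencent.client.secret.alias</name>
>   <value>ranger.ks.tencent.client.secret</value>
>   <description>Tencent Client Secret Alias</description>
> </property>
> <property>
>   <name>ranger.kms.tencent.client.region</name>
>   <value>ap-beijing</value>
>   <description>Tencent Client Id</description>
> </property>
> <property>
>   <name>ranger.kms.tencent.masterkey.id</name>
>   <value></value>
>   <description>Tencent master key name</description>
> </property>
> ```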
> 
> Generally, we don't want the account bound by KMS to have the right to create 
> a Key in TencentKMS. So we have to create Master Key on TencentKMS web 
> console at first.
> Start the kms service, On start Master Key from TencentKMS should be used.
> 
> 
> Diffs
> -
> 
>   distro/src/main/assembly/kms.xml 983a43e5938ecc6a02e918f587d7a8913678087e 
>   kms/config/kms-webapp/dbks-site.xml 
> 07de4d494b5d72609b47752109fc40a9e016f6ab 
>   kms/pom.xml 7a4f98df7a2244a2ae4158b32b047d77db01b0f2 
>   kms/scripts/install.properties 31143d3426565a338c308dc1a7ea8304f3f4e102 
>   kms/scripts/setup.sh 2051df59a8bb0be11ba7a54e547f78cf5a0dca36 
>   
> kms/src/main/java/org/apache/hadoop/crypto/key/AzureKeyVaultClientAuthenticator.java
>  f96cbb7561b2c1a29b7f42c9fb3ed810b05b5054 
>   kms/src/main/java/org/apache/hadoop/crypto/key/DBToAzureKeyVault.java 
> bacc928570283708daef7a2573707fddd7ca096e 
>   kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java 
> 4324439ba66f9f0fb68d570f1964ed6caa8c07bd 
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java 
> 5234dc7422793b3b88dcc4574fafcf34556fa33f 
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java 
> 74c54a7a6f50878ce0f226d72a5e2c5554a0d4e5 
>   
> kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyVaultKeyGenerator.java
>  c661268c3c25362e428884a3bb34d88d827e7f31 
>   
> kms/src/main/java/org/apache/hadoop/crypto/key/RangerTencentKMSProvider.java 
> PRE-CREATION 
>   pom.xml 8a19c2de42f4ae7acff3ee9b2e399b870ef406f3 
> 
> 
> Diff: https://reviews.apache.org/r/73807/diff/8/
> 
> 
> Testing
> ---
> 
> + mvn clean compile test verify 
> + Fresh setup
> 
> 
> File Attachments
> 
> 
> 0001-add-TencentKMS-as-MasterKeyProvider.patch
>   
> 

Re: Review Request 73566: RANGER-3389 Swagger UI support for Ranger REST API

2022-02-16 Thread Nitin Galave

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73566/#review224062
---




docs/src/site/resources/index.html
Lines 49 (patched)


Can you please add closing  tag



security-admin/src/main/webapp/templates/common/ProfileBar_tmpl.html
Lines 25 (patched)


Typo error : API documentation


- Nitin Galave


On Sept. 3, 2021, 10:48 p.m., Steven Ramirez wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73566/
> ---
> 
> (Updated Sept. 3, 2021, 10:48 p.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Ramesh Mani, Sailaja Polavarapu, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3389
> https://issues.apache.org/jira/browse/RANGER-3389
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Under the Docs folder, I have added the distribution files for swagger UI. 
> Along with this I have also modified the profile bar template under security 
> admin to include a link to the swagger UI. This will now provide interactive 
> documentation for users using the ranger admin UI, where they can view all 
> the REST APIs as well as test them out by making requests from the swagger UI.
> 
> 
> Diffs
> -
> 
>   distro/src/main/assembly/admin-web.xml 3fc054d7c 
>   docs/src/site/resources/index.html PRE-CREATION 
>   docs/src/site/resources/index.js PRE-CREATION 
>   docs/src/site/resources/swagger-ui-bundle.js PRE-CREATION 
>   docs/src/site/resources/swagger-ui-es-bundle-core.js PRE-CREATION 
>   docs/src/site/resources/swagger-ui-es-bundle.js PRE-CREATION 
>   docs/src/site/resources/swagger-ui-standalone-preset.js PRE-CREATION 
>   docs/src/site/resources/swagger-ui.css PRE-CREATION 
>   docs/src/site/resources/swagger-ui.js PRE-CREATION 
>   enunciate.xml 13b465b55 
>   pom.xml 8d81988d4 
>   security-admin/src/main/webapp/templates/common/ProfileBar_tmpl.html 
> 285d10617 
> 
> 
> Diff: https://reviews.apache.org/r/73566/diff/2/
> 
> 
> Testing
> ---
> 
> - Have ensured that the desired files are built under ranger-admin module
> - Have checked that requests and responses are being received and correctly 
> displayed
> - Made sure that get requests do not have a X-XSRF-HEADER but all other 
> requests will have "" as their X-XSRF-HEADER attribute.
> 
> 
> Thanks,
> 
> Steven Ramirez
> 
>



Re: Review Request 73807: Support Ranger KMS integration with TencentKMS

2022-02-16 Thread Dhaval Shah

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73807/#review224060
---



Still the same issue with pom.xml

- Dhaval Shah


On Feb. 16, 2022, 10:37 a.m., Kirby Zhou wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73807/
> ---
> 
> (Updated Feb. 16, 2022, 10:37 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, 
> Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen Mansoori, Mehul 
> Parikh, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal Suvagia, and 
> Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3580
> https://issues.apache.org/jira/browse/RANGER-3580
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ranger KMS integration with TencentKMS
> - This task is to integrate the RANGER KMS Service with TencentKMS.
> - To Configure RANGER KMS Service with TencentKMS below configurations need 
> to be added in install.properties file before running the setup.sh
> 
> ```
> # Do you use Tencent Cloud KMS? 
> TENCENT_KMS_ENABLED=true 
> # MasterKeyID on Tencent Cloud
> TENCENT_MASTERKEY_ID=YourKeyID
> # Login ID
> TENCENT_CLIENT_ID=YourClientLoginId
> # Login password
> TENCENT_CLIENT_SECRET=YourClientLoginSecret
> # Tencent Cloud area, see Tencent Cloud SDK for details. 
> TENCENT_CLIENT_REGION=ap-beijing
> ```
> 
> Run the setup.sh, It will add the below configs in dbks-site.xml
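> ```
> <property>
>   <name>ranger.kms.tencentkms.enabled</name>
>   <value>false</value>
>   <description>Flag for Tencent KMS</description>
> </property>
> <property>
>   <name>ranger.kms.tencent.client.id</name>
>   <value></value>
>   <description>Tencent Client Id</description>
> </property>
> <property>
>   <name>ranger.kms.tencent.client.secret</name>
>   <value></value>
>   <description>Tencent Client Secret</description>
> </property>
> <property>
>   <name>ranger.kms.tencent.client.secret.alias</name>
>   <value>ranger.ks.tencent.client.secret</value>
>   <description>Tencent Client Secret Alias</description>
> </property>
> <property>
>   <name>ranger.kms.tencent.client.region</name>
>   <value>ap-beijing</value>
>   <description>Tencent Client Id</description>
> </property>
> <property>
>   <name>ranger.kms.tencent.masterkey.id</name>
>   <value></value>
>   <description>Tencent master key name</description>
> </property>
> ```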
> 
> Generally, we don't want the account bound by KMS to have the right to create 
> a Key in TencentKMS. So we have to create Master Key on TencentKMS web 
> console at first.
> Start the kms service, On start Master Key from TencentKMS should be used.
> 
> 
> Diffs
> -
> 
>   distro/src/main/assembly/kms.xml 983a43e5938ecc6a02e918f587d7a8913678087e 
>   kms/config/kms-webapp/dbks-site.xml 
> 07de4d494b5d72609b47752109fc40a9e016f6ab 
>   kms/pom.xml 7a4f98df7a2244a2ae4158b32b047d77db01b0f2 
>   kms/scripts/install.properties 31143d3426565a338c308dc1a7ea8304f3f4e102 
>   kms/scripts/setup.sh 2051df59a8bb0be11ba7a54e547f78cf5a0dca36 
>   
> kms/src/main/java/org/apache/hadoop/crypto/key/AzureKeyVaultClientAuthenticator.java
>  f96cbb7561b2c1a29b7f42c9fb3ed810b05b5054 
>   kms/src/main/java/org/apache/hadoop/crypto/key/DBToAzureKeyVault.java 
> bacc928570283708daef7a2573707fddd7ca096e 
>   kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java 
> 4324439ba66f9f0fb68d570f1964ed6caa8c07bd 
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java 
> 5234dc7422793b3b88dcc4574fafcf34556fa33f 
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java 
> 74c54a7a6f50878ce0f226d72a5e2c5554a0d4e5 
>   
> kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyVaultKeyGenerator.java
>  c661268c3c25362e428884a3bb34d88d827e7f31 
>   
> kms/src/main/java/org/apache/hadoop/crypto/key/RangerTencentKMSProvider.java 
> PRE-CREATION 
>   pom.xml 8a19c2de42f4ae7acff3ee9b2e399b870ef406f3 
> 
> 
> Diff: https://reviews.apache.org/r/73807/diff/8/
> 
> 
> Testing
> ---
> 
> + mvn clean compile test verify 
> + Fresh setup
> 
> 
> File Attachments
> 
> 
> 0001-add-TencentKMS-as-MasterKeyProvider.patch
>   
> https://reviews.apache.org/media/uploaded/files/2022/01/19/c0ec963d-95f0-4e77-823d-b7de9d5d54e6__0001-add-TencentKMS-as-MasterKeyProvider.patch
> 
> 
> Thanks,
> 
> Kirby Zhou
> 
>



Re: Review Request 73344: RANGER-3231 Ranger should use kafka Authorizer from KIP-504

2022-02-16 Thread Andras Katona via Review Board


> On Feb. 11, 2022, 8:38 a.m., Andras Katona wrote:
> > plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
> > Lines 151 (patched)
> > 
> >
> > this whole authorization for only one action could be extracted to a 
> > private method which would return a single result.
> > imho just would be nicer
> > ```
> >   private AuthorizationResult authorize(AuthorizableRequestContext requestContext, Action action) {
> > ```
> 
> Andras Katona wrote:
> Sorry, placed the comment at the wrong place, basically the authorize 
> method would just look like this:
> ```
>   @Override
>   public List<AuthorizationResult> authorize(AuthorizableRequestContext requestContext, List<Action> actions) {
>     return actions.stream()
>         .map(action -> authorize(requestContext, action))
>         .collect(Collectors.toList());
>   }
> ```
> So not just the final block could be extracted but the whole current 
> authorize method content could be made to handle one action only and the 
> mentioned above would make the collection of the results.

I just realized that the (common) rangerPlugin has an isAccessAllowed method 
which accepts lists of requests, it would be nice to call that and refactor the 
code


- Andras


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73344/#review224038
---


On June 7, 2021, 8:08 a.m., Chia-Ping Tsai wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73344/
> ---
> 
> (Updated June 7, 2021, 8:08 a.m.)
> 
> 
> Review request for ranger.
> 
> 
> Bugs: RANGER-3231
> https://issues.apache.org/jira/browse/RANGER-3231
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> As described in the KIP, `org.apache.kafka.server.authorizer.Authorizer` is 
> an improvement over `kafka.security.auth.Authorizer` and it's a pure Java 
> interface (instead of Scala).
> `kafka.security.auth.Authorizer` has been deprecated since December 2019 and 
> it will be removed in Apache Kafka 3.0 (roughly planned for July/August).
> See the KIP for more details:
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-504+-+Add+new+Java+Authorizer+Interface
> 
> 
> Diffs
> -
> 
>   plugin-kafka/pom.xml 010707d99 
>   
> plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
>  2a1b812e0 
>   ranger-kafka-plugin-shim/pom.xml fd1dc3cde 
>   
> ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
>  9d72ae0c8 
> 
> 
> Diff: https://reviews.apache.org/r/73344/diff/3/
> 
> 
> Testing
> ---
> 
> run `mvn clean test` and all pass on my local.
> 
> 
> File Attachments
> 
> 
> RANGER-3231.v1.patch
>   
> https://reviews.apache.org/media/uploaded/files/2021/05/18/4e2f190f-c871-4115-b554-0e6041a5a5a6__RANGER-3231.v1.patch
> 
> 
> Thanks,
> 
> Chia-Ping Tsai
> 
>



Re: Review Request 73807: Support Ranger KMS integration with TencentKMS

2022-02-16 Thread Kirby Zhou

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73807/
---

(Updated Feb. 16, 2022, 10:37 a.m.)


Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, 
Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen Mansoori, Mehul 
Parikh, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal Suvagia, and 
Velmurugan Periasamy.


Changes
---

I am sorry, I confused the patch version.


Bugs: RANGER-3580
https://issues.apache.org/jira/browse/RANGER-3580


Repository: ranger


Description
---

Ranger KMS integration with TencentKMS
- This task is to integrate the RANGER KMS Service with TencentKMS.
- To Configure RANGER KMS Service with TencentKMS below configurations need to 
be added in install.properties file before running the setup.sh

```
# Do you use Tencent Cloud KMS? 
TENCENT_KMS_ENABLED=true 
# MasterKeyID on Tencent Cloud
TENCENT_MASTERKEY_ID=YourKeyID
# Login ID
TENCENT_CLIENT_ID=YourClientLoginId
# Login password
TENCENT_CLIENT_SECRET=YourClientLoginSecret
# Tencent Cloud area, see Tencent Cloud SDK for details. 
TENCENT_CLIENT_REGION=ap-beijing
```

Run the setup.sh, It will add the below configs in dbks-site.xml
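```
<property>
  <name>ranger.kms.tencentkms.enabled</name>
  <value>false</value>
  <description>Flag for Tencent KMS</description>
</property>
<property>
  <name>ranger.kms.tencent.client.id</name>
  <value></value>
  <description>Tencent Client Id</description>
</property>
<property>
  <name>ranger.kms.tencent.client.secret</name>
  <value></value>
  <description>Tencent Client Secret</description>
</property>
<property>
  <name>ranger.kms.tencent.client.secret.alias</name>
  <value>ranger.ks.tencent.client.secret</value>
  <description>Tencent Client Secret Alias</description>
</property>
<property>
  <name>ranger.kms.tencent.client.region</name>
  <value>ap-beijing</value>
  <description>Tencent Client Id</description>
</property>
<property>
  <name>ranger.kms.tencent.masterkey.id</name>
  <value></value>
  <description>Tencent master key name</description>
</property>
```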

Generally, we don't want the account bound by KMS to have the right to create a 
Key in TencentKMS. So we have to create Master Key on TencentKMS web console at 
first.
Start the kms service, On start Master Key from TencentKMS should be used.


Diffs (updated)
-

  distro/src/main/assembly/kms.xml 983a43e5938ecc6a02e918f587d7a8913678087e 
  kms/config/kms-webapp/dbks-site.xml 07de4d494b5d72609b47752109fc40a9e016f6ab 
  kms/pom.xml 7a4f98df7a2244a2ae4158b32b047d77db01b0f2 
  kms/scripts/install.properties 31143d3426565a338c308dc1a7ea8304f3f4e102 
  kms/scripts/setup.sh 2051df59a8bb0be11ba7a54e547f78cf5a0dca36 
  
kms/src/main/java/org/apache/hadoop/crypto/key/AzureKeyVaultClientAuthenticator.java
 f96cbb7561b2c1a29b7f42c9fb3ed810b05b5054 
  kms/src/main/java/org/apache/hadoop/crypto/key/DBToAzureKeyVault.java 
bacc928570283708daef7a2573707fddd7ca096e 
  kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java 
4324439ba66f9f0fb68d570f1964ed6caa8c07bd 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java 
5234dc7422793b3b88dcc4574fafcf34556fa33f 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java 
74c54a7a6f50878ce0f226d72a5e2c5554a0d4e5 
  
kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyVaultKeyGenerator.java 
c661268c3c25362e428884a3bb34d88d827e7f31 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerTencentKMSProvider.java 
PRE-CREATION 
  pom.xml 8a19c2de42f4ae7acff3ee9b2e399b870ef406f3 


Diff: https://reviews.apache.org/r/73807/diff/8/

Changes: https://reviews.apache.org/r/73807/diff/7-8/


Testing
---

+ mvn clean compile test verify 
+ Fresh setup


File Attachments


0001-add-TencentKMS-as-MasterKeyProvider.patch
  
https://reviews.apache.org/media/uploaded/files/2022/01/19/c0ec963d-95f0-4e77-823d-b7de9d5d54e6__0001-add-TencentKMS-as-MasterKeyProvider.patch


Thanks,

Kirby Zhou



[jira] [Commented] (RANGER-3595) Tar of KMS contains rubbish files

2022-02-16 Thread kirby zhou (Jira)


[ https://issues.apache.org/jira/browse/RANGER-3595?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17493152#comment-17493152 ]

kirby zhou commented on RANGER-3595:


An alternative, [https://reviews.apache.org/r/73852/]

Put classes under ews/webapp/WEB-INF/classes, it works.

> Tar of KMS contains rubbish files
> -
>
> Key: RANGER-3595
> URL: https://issues.apache.org/jira/browse/RANGER-3595
> Project: Ranger
>  Issue Type: Improvement
>  Components: kms
>Reporter: kirby zhou
>Priority: Major
>
> There are lots of .class files under ews/webapp/. They won't be loaded by any 
> classpath. And they are duplicated against files inside 
> ews/webapp/lib/ranger-kms-3.0.0-SNAPSHOT.jar.
> It seems dirty and may cause some security problem.
> {code:bash}
> #] tar tf target/ranger-3.0.0-SNAPSHOT-kms.tar.gz ranger-3.0.0-SNAPSHOT-kms/ | egrep 'ews/webapp/org'  | head 
> ranger-3.0.0-SNAPSHOT-kms/ews/webapp/org/
> ranger-3.0.0-SNAPSHOT-kms/ews/webapp/org/apache/
> ranger-3.0.0-SNAPSHOT-kms/ews/webapp/org/apache/ranger/
> ranger-3.0.0-SNAPSHOT-kms/ews/webapp/org/apache/ranger/kms/
> ranger-3.0.0-SNAPSHOT-kms/ews/webapp/org/apache/ranger/kms/biz/
> ranger-3.0.0-SNAPSHOT-kms/ews/webapp/org/apache/ranger/kms/dao/
> ranger-3.0.0-SNAPSHOT-kms/ews/webapp/org/apache/ranger/entity/
> ranger-3.0.0-SNAPSHOT-kms/ews/webapp/org/apache/hadoop/
> ranger-3.0.0-SNAPSHOT-kms/ews/webapp/org/apache/hadoop/crypto/
> ranger-3.0.0-SNAPSHOT-kms/ews/webapp/org/apache/hadoop/crypto/key/
> {code}
>  * The reason is that:
> distro/src/main/assembly/kms.xml
>  
> {code:java}
> 
> true
> 
> org.apache.ranger:ranger-kms
> 
> 
> ews/webapp
> false
> true
> 
>  {code}
> Why ?
>  
> The secret is in kms/scripts/setup.sh:
>  
> {code:java}
> setup_kms(){
>         #copying ranger kms provider 
>         oldP=${PWD}
>         cd $PWD/ews/webapp
>         log "[I] Adding ranger kms provider as services in hadoop-common jar"
>         for f in lib/hadoop-common*.jar
>         do
>                  ${JAVA_HOME}/bin/jar -uf ${f} META-INF/services/org.apache.hadoop.crypto.key.KeyProviderFactory
>                 chown ${unix_user}:${unix_group} ${f}
>         done
>         cd ${oldP}
> }
> {code}
>  
>  
> The code above is VERY VERY DIRTY!
> It hacks into hadoop-common.jar, overwriting the resource 
> "META-INF/services/org.apache.hadoop.crypto.key.KeyProviderFactory", to ensure 
> that the following code can load 
> 'org.apache.hadoop.crypto.key.RangerKeyStoreProvider$Factory' by 
> 'META-INF/.../KeyProviderFactory'.
>  
>  
> {code:java}
> // org.apache.hadoop.crypto.key: KeyProviderFactory.java 
> private static final ServiceLoader serviceLoader = 
> ServiceLoader.load(KeyProviderFactory.class, 
> KeyProviderFactory.class.getClassLoader());
> {code}
>  
>  
> But this is unnecessary.
> ServiceLoader will read all resources with the same name using the 
> ClassLoader of KeyProviderFactory. We just need to put a jar that contains that 
> property side by side with hadoop-common.jar (ews/webapp/lib/). And 
> ranger-kms-3.0.0-SNAPSHOT.jar is already here.
> {code:java}
> % tar tf ../target/ranger-*-kms.tar.gz | egrep 'kms[^/]*\.jar|hadoop-common'
> ranger-3.0.0-SNAPSHOT-kms/ews/webapp/lib/ranger-kms-3.0.0-SNAPSHOT.jar
> ranger-3.0.0-SNAPSHOT-kms/ews/webapp/lib/hadoop-common-3.3.0.jar
> ...
> % tar tf target/ranger-kms-3.0.0-SNAPSHOT.jar | fgrep ProviderFactory
> META-INF/services/org.apache.hadoop.crypto.key.KeyProviderFactory
> {code}
>  
>  





Review Request 73852: RANGER-3595, refactor the file layout of ranger-xxx-kms.tar.gz

2022-02-16 Thread Kirby Zhou

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73852/
---

Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, 
Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen Mansoori, Mehul 
Parikh, pengjianhua, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal 
Suvagia, Velmurugan Periasamy, and Qiang Zhang.


Bugs: RANGER-3595
https://issues.apache.org/jira/browse/RANGER-3595


Repository: ranger


Description
---

There are lots of .class files under ews/webapp/ that are never used. 


1. Place web.xml at the correct location.
2. setup.sh wants to patch hadoop-common.jar at runtime; it requires some file 
inside ranger-kms.jar. But the patching of hadoop-common.jar is unnecessary. 

A regular webapp should have its own class files under 
ews/webapp/WEB-INF/classes, and dependencies under ews/webapp/WEB-INF/lib, and 
the Container should put its libraries under ews/lib. But at present, we use 
directories such as ews/webapp/lib, ews/webapp/WEB-INF/classes/lib. It looks 
dirty and ugly.


My patch here makes KMS no longer bring ranger-kms.jar, and places classes and 
web.xml at the correct location, as an alternative to 
https://reviews.apache.org/r/73816/


Now: 
ews/lib contains ews bootstrap jars, 
ews/webapp/WEB-INF/classes contains KMS app itself, 
ews/webapp/WEB-INF/lib contains KMS dependencies,
ews/webapp/WEB-INF/lib/ranger-kms-plugin-impl contains ranger-kms-plugin.

Additionally, kms/pom.xml even depends on the original hadoop-kms, which can 
confuse developers, so I removed it.

BTW: the bootstrap embedded server looks too heavy and has too many 
dependencies.


Diffs
-

  distro/src/main/assembly/kms.xml 983a43e59 
  kms/pom.xml 7a4f98df7 
  kms/scripts/DBMK2HSM.sh 001199d97 
  kms/scripts/DBMKTOAZUREKEYVAULT.sh cfe5a6b5e 
  kms/scripts/DBMKTOKEYSECURE.sh c0aa6e58c 
  kms/scripts/HSMMK2DB.sh 6c77f7340 
  kms/scripts/KEYSECUREMKTOKMSDB.sh 340e05e2c 
  kms/scripts/VerifyIsDBMasterkeyCorrect.sh 1c9a2e148 
  kms/scripts/exportKeysToJCEKS.sh f3205789b 
  kms/scripts/importJCEKSKeys.sh 5d4fe978f 
  kms/scripts/ranger-kms 429a31e5a 
  kms/scripts/setup.sh 2051df59a 
  kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java c899bdf98 
  kms/src/main/resources/META-INF/context.xml  
  kms/src/main/resources/WEB-INF/web.xml 5e2d489fe 


Diff: https://reviews.apache.org/r/73852/diff/1/


Testing
---

mvn clean package
fresh install and upgrade from 2.2.0


Thanks,

Kirby Zhou
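
A check for the two packaging points raised in RANGER-3595 and in this review request, as an added example that is not part of the original messages or of the Ranger code base: it lists .class files under ews/webapp/ that sit outside WEB-INF/classes, and it reports every jar or loose resource file that declares KeyProviderFactory providers, which are the files ServiceLoader aggregates. The tarball is constructed in memory; `Example.class` and the provider line placed in the sample hadoop-common jar are assumed sample values.

```python
import io
import tarfile
import zipfile

SERVICE = "META-INF/services/org.apache.hadoop.crypto.key.KeyProviderFactory"

def providers_in(raw):
    """Class names in a ServiceLoader provider file; '#' starts a comment."""
    return [p for p in (s.split("#")[0].strip() for s in raw.decode().splitlines()) if p]

def audit(tar_bytes):
    """Return (stray .class paths, {declaring file: provider classes})."""
    stray, declared = [], {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in (m for m in tar if m.isfile()):
            if m.name.endswith(".class"):  # only WEB-INF/classes is on the classpath
                if "/ews/webapp/" in m.name and "/WEB-INF/classes/" not in m.name:
                    stray.append(m.name)
            elif m.name.endswith("/" + SERVICE):  # loose resource file
                declared[m.name] = providers_in(tar.extractfile(m).read())
            elif m.name.endswith(".jar"):
                with zipfile.ZipFile(io.BytesIO(tar.extractfile(m).read())) as jar:
                    if SERVICE in jar.namelist():
                        declared[m.name] = providers_in(jar.read(SERVICE))
    return sorted(stray), declared

def _jar(service_text):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(SERVICE, service_text)
    return buf.getvalue()

def build_sample():  # constructed tarball in the old layout; Example.class is made up
    root, pkg = "ranger-3.0.0-SNAPSHOT-kms/ews/webapp/", "org.apache.hadoop.crypto.key."
    files = {
        root + "org/apache/ranger/kms/biz/Example.class": b"\xca\xfe\xba\xbe",
        root + "WEB-INF/classes/Example.class": b"\xca\xfe\xba\xbe",
        root + "lib/ranger-kms-3.0.0-SNAPSHOT.jar": _jar(pkg + "RangerKeyStoreProvider$Factory\n"),
        root + "lib/hadoop-common-3.3.0.jar": _jar("# constructed\n" + pkg + "JavaKeyStoreProvider$Factory\n"),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

if __name__ == "__main__":
    print(audit(build_sample()))
```

A Ranger provider class showing up in the declarations of a hadoop-common jar would indicate that the third-party jar was modified after packaging.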



Re: Review Request 73807: Support Ranger KMS integration with TencentKMS

2022-02-16 Thread Dhaval Shah

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73807/#review224057
---



Facing conflict in pom.xml

git apply ~/Downloads/0001-add-TencentKMS-as-MasterKeyProvider.patch --check
error: patch failed: pom.xml:181
error: pom.xml: patch does not apply

- Dhaval Shah


On Feb. 15, 2022, 8:48 a.m., Kirby Zhou wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73807/
> ---
> 
> (Updated Feb. 15, 2022, 8:48 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, 
> Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen Mansoori, Mehul 
> Parikh, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal Suvagia, and 
> Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3580
> https://issues.apache.org/jira/browse/RANGER-3580
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ranger KMS integration with TencentKMS
> - This task is to integrate the RANGER KMS Service with TencentKMS.
> - To configure the RANGER KMS Service with TencentKMS, the configurations below 
> need to be added to the install.properties file before running setup.sh
> 
> ```
> # Do you use Tencent Cloud KMS? 
> TENCENT_KMS_ENABLED=true 
> # MasterKeyID on Tencent Cloud
> TENCENT_MASTERKEY_ID=YourKeyID
> # Login ID
> TENCENT_CLIENT_ID=YourClientLoginId
> # Login password
> TENCENT_CLIENT_SECRET=YourClientLoginSecret
> # Tencent Cloud area, see Tencent Cloud SDK for details. 
> TENCENT_CLIENT_REGION=ap-beijing
> ```
> 
> Run setup.sh; it will add the configs below to dbks-site.xml
> ```
> 
> 
> ranger.kms.tencentkms.enabled
> false
> Flag for Tencent KMS
> 
> 
> ranger.kms.tencent.client.id
> 
> Tencent Client Id
> 
> 
> ranger.kms.tencent.client.secret
> 
> Tencent Client Secret
> 
> 
> ranger.kms.tencent.client.secret.alias
> ranger.ks.tencent.client.secret
> Tencent Client Secret Alias
> 
> 
> ranger.kms.tencent.client.region
> ap-beijing
> Tencent Client Id
> 
> 
> ranger.kms.tencent.masterkey.id
> 
> Tencent master key name
> 
> 
> ```
> 
> Generally, we don't want the account bound by KMS to have the right to create 
> a Key in TencentKMS. So we have to create the Master Key on the TencentKMS web 
> console first.
> Start the KMS service. On start, the Master Key from TencentKMS should be used.
> 
> 
> Diffs
> -
> 
>   distro/src/main/assembly/kms.xml 983a43e5938ecc6a02e918f587d7a8913678087e 
>   kms/config/kms-webapp/dbks-site.xml 07de4d494b5d72609b47752109fc40a9e016f6ab 
>   kms/pom.xml 7a4f98df7a2244a2ae4158b32b047d77db01b0f2 
>   kms/scripts/install.properties 31143d3426565a338c308dc1a7ea8304f3f4e102 
>   kms/scripts/setup.sh 2051df59a8bb0be11ba7a54e547f78cf5a0dca36 
>   kms/src/main/java/org/apache/hadoop/crypto/key/AzureKeyVaultClientAuthenticator.java f96cbb7561b2c1a29b7f42c9fb3ed810b05b5054 
>   kms/src/main/java/org/apache/hadoop/crypto/key/DBToAzureKeyVault.java bacc928570283708daef7a2573707fddd7ca096e 
>   kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java 4324439ba66f9f0fb68d570f1964ed6caa8c07bd 
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java 5234dc7422793b3b88dcc4574fafcf34556fa33f 
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java 74c54a7a6f50878ce0f226d72a5e2c5554a0d4e5 
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyVaultKeyGenerator.java c661268c3c25362e428884a3bb34d88d827e7f31 
>   kms/src/main/java/org/apache/hadoop/crypto/key/RangerTencentKMSProvider.java PRE-CREATION 
>   pom.xml 8a19c2de42f4ae7acff3ee9b2e399b870ef406f3 
> 
> 
> Diff: https://reviews.apache.org/r/73807/diff/7/
> 
> 
> Testing
> ---
> 
> + mvn clean compile test verify 
> + Fresh setup
> 
> 
> File Attachments
> 
> 
> 0001-add-TencentKMS-as-MasterKeyProvider.patch
>   
> https://reviews.apache.org/media/uploaded/files/2022/01/19/c0ec963d-95f0-4e77-823d-b7de9d5d54e6__0001-add-TencentKMS-as-MasterKeyProvider.patch
> 
> 
> Thanks,
> 
> Kirby Zhou
> 
>