Re: Review Request 73852: RANGER-3595, refactor the file layout of ranger-xxx-kms.tar.gz

2022-03-02 Thread Kirby Zhou

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73852/
---

(Updated March 3, 2022, 7:27 a.m.)


Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, 
Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen Mansoori, Mehul 
Parikh, pengjianhua, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal 
Suvagia, Velmurugan Periasamy, and Qiang Zhang.


Changes
---

Sorry, fix PMD error


Bugs: RANGER-3595
https://issues.apache.org/jira/browse/RANGER-3595


Repository: ranger


Description
---

There are lots of .class files under ews/webapp/ that are never used.


1. Place web.xml at the correct location
2. setup.sh wants to patch hadoop-common.jar at runtime; it requires some file
inside ranger-kms.jar. But the patching of hadoop-common.jar is unnecessary.

A regular webapp should have its own class files under
ews/webapp/WEB-INF/classes and its dependencies under ews/webapp/WEB-INF/lib,
and the container should put its libraries under ews/lib. But at present we use
directories such as ews/webapp/lib and ews/webapp/WEB-INF/classes/lib. It looks
dirty and ugly.


My patch here makes KMS no longer bring ranger-kms.jar, and places classes and
web.xml at the correct location, as an alternative to
https://reviews.apache.org/r/73816/


Now:
ews/lib contains ews bootstrap jars,
ews/webapp/WEB-INF/classes contains KMS app itself,
ews/webapp/WEB-INF/lib contains KMS dependencies,
ews/webapp/WEB-INF/lib/ranger-kms-plugin-impl contains ranger-kms-plugin.

Additionally, kms/pom.xml even depends on the original hadoop-kms, which can
confuse developers, so I removed it.

BTW: the bootstrap embedded server looks too heavy and has too many
dependencies.


Diffs (updated)
-

  distro/src/main/assembly/kms.xml f7605076e6294d9e76ca2f9205e0716932f4daf9 
  kms/pom.xml ade563f9479cf1519f222c6eddc6d9991f8422e5 
  kms/scripts/DBMK2HSM.sh 001199d97b21158795dbf7ae31e12d1500333541 
  kms/scripts/DBMKTOAZUREKEYVAULT.sh cfe5a6b5e65438ba7d50349a36c2dd3219c7092a 
  kms/scripts/DBMKTOKEYSECURE.sh c0aa6e58c27c7a827bcb557d7a7714eb55ecee63 
  kms/scripts/HSMMK2DB.sh 6c77f7340d9c761f980560f3cbf06f65f7c505ed 
  kms/scripts/KEYSECUREMKTOKMSDB.sh 340e05e2c215e5c046be5cd4c6832b7f0733822a 
  kms/scripts/VerifyIsDBMasterkeyCorrect.sh 
1c9a2e148959d8fe72e8d7e7b0fa4a810e942337 
  kms/scripts/exportKeysToJCEKS.sh f3205789b1da6df95c5e8cf174f4e96ef02b2164 
  kms/scripts/importJCEKSKeys.sh 5d4fe978fd00f3d86ef48299755689cee34b8331 
  kms/scripts/ranger-kms 429a31e5aac38e3bbcfc6bdd258818d9ecbf0161 
  kms/scripts/setup.sh 448042e9d1e9e0caaabf713282a4d509fb09c2e3 
  kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java 
c899bdf98327de5a86cf51470e96c6ad8e7e4079 
  kms/src/main/resources/META-INF/context.xml  
  kms/src/main/resources/WEB-INF/web.xml 
5e2d489fe632a16a5ed440bbbff41f558d2a2338 
  kms/src/main/resources/log4j-kmsaudit.properties 
0747f1e33ee2d6ada6c6a16938cadd2d55d6450d 


Diff: https://reviews.apache.org/r/73852/diff/5/

Changes: https://reviews.apache.org/r/73852/diff/4-5/


Testing
---

mvn clean package
fresh install and upgrade from 2.2.0


Thanks,

Kirby Zhou
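
The layout described in this review request can be checked mechanically against a built tarball. The script below is an added example, not part of the patch or of the Ranger code base; the function names, the sample archives, the single top-level directory inside the tarball and the versioned jar-name pattern are assumptions made for illustration.

```python
import io
import re
import tarfile
from pathlib import PurePosixPath

# Locations the review request says must be populated after the refactor.
EXPECTED_DIRS = (
    "ews/lib",                                        # ews bootstrap jars
    "ews/webapp/WEB-INF/classes",                     # KMS app itself
    "ews/webapp/WEB-INF/lib",                         # KMS dependencies
    "ews/webapp/WEB-INF/lib/ranger-kms-plugin-impl",  # ranger-kms-plugin
)
# Locations the request names as the old layout.
LEGACY_DIRS = ("ews/webapp/lib", "ews/webapp/WEB-INF/classes/lib")
WEBAPP = "ews/webapp"
CLASSES = "ews/webapp/WEB-INF/classes"
WEB_XML = "ews/webapp/WEB-INF/web.xml"
# Assumption: the jar the patch stops shipping is named ranger-kms.jar,
# optionally with a version suffix (ranger-kms-<version>.jar).
BUNDLED_JAR = re.compile(r"^ranger-kms(-\d[\w.-]*)?\.jar$")


def _strip_top(name):
    """Drop the archive's top-level directory (assumed: exactly one root dir)."""
    return "/".join(PurePosixPath(name).parts[1:])


def _under(path, directory):
    return path.startswith(directory + "/")


def audit_kms_layout(tar_bytes):
    """Return a list of findings; an empty list means the layout matches."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        files = sorted(_strip_top(m.name) for m in tar.getmembers() if m.isfile())

    findings = []
    for d in EXPECTED_DIRS:
        if not any(_under(f, d) for f in files):
            findings.append(f"missing or empty: {d}")
    if WEB_XML not in files:
        findings.append(f"missing: {WEB_XML}")
    for f in files:
        if any(_under(f, d) for d in LEGACY_DIRS):
            findings.append(f"legacy location: {f}")
        elif f.endswith(".class") and _under(f, WEBAPP) and not _under(f, CLASSES):
            # Classes outside WEB-INF/classes are the unused files the request mentions.
            findings.append(f"class file outside WEB-INF/classes: {f}")
        if BUNDLED_JAR.match(PurePosixPath(f).name):
            findings.append(f"bundled ranger-kms jar: {f}")
    return findings


def build_sample_tar(paths):
    """Build an in-memory .tar.gz of empty files (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for p in paths:
            tar.addfile(tarfile.TarInfo(p))
    return buf.getvalue()


# Constructed samples: file names are illustrative, not taken from a real build.
SAMPLE_NEW_LAYOUT = [
    "ranger-kms/ews/lib/bootstrap.jar",
    "ranger-kms/ews/webapp/WEB-INF/web.xml",
    "ranger-kms/ews/webapp/WEB-INF/classes/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.class",
    "ranger-kms/ews/webapp/WEB-INF/lib/dep.jar",
    "ranger-kms/ews/webapp/WEB-INF/lib/ranger-kms-plugin-impl/ranger-kms-plugin.jar",
]
SAMPLE_OLD_LAYOUT = [
    "ranger-kms/ews/lib/bootstrap.jar",
    "ranger-kms/ews/webapp/lib/ranger-kms.jar",
    "ranger-kms/ews/webapp/org/apache/Foo.class",
    "ranger-kms/ews/webapp/WEB-INF/classes/lib/dep.jar",
]

if __name__ == "__main__":
    for label, sample in (("new", SAMPLE_NEW_LAYOUT), ("old", SAMPLE_OLD_LAYOUT)):
        print(label, audit_kms_layout(build_sample_tar(sample)))
```
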



Re: Review Request 73852: RANGER-3595, refactor the file layout of ranger-xxx-kms.tar.gz

2022-03-02 Thread bhavik patel

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73852/#review224123
---



PMD failure:

https://pmd.github.io/pmd-6.29.0/pmd_rules_java_bestpractices.html#unusedimports
(priority 4)
Avoid unused imports such as 'java.net.URL'







- bhavik patel


On March 3, 2022, 2:43 a.m., Kirby Zhou wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73852/
> ---
> 
> (Updated March 3, 2022, 2:43 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, 
> Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen Mansoori, Mehul 
> Parikh, pengjianhua, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal 
> Suvagia, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-3595
> https://issues.apache.org/jira/browse/RANGER-3595
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> There are lots of .class files under ews/webapp/ that are never used.
> 
> 
> 1. Place web.xml at the correct location
> 2. setup.sh wants to patch hadoop-common.jar at runtime; it requires some file
> inside ranger-kms.jar. But the patching of hadoop-common.jar is unnecessary.
> 
> A regular webapp should have its own class files under
> ews/webapp/WEB-INF/classes and its dependencies under ews/webapp/WEB-INF/lib,
> and the container should put its libraries under ews/lib. But at present we
> use directories such as ews/webapp/lib and ews/webapp/WEB-INF/classes/lib. It
> looks dirty and ugly.
> 
> 
> My patch here makes KMS no longer bring ranger-kms.jar, and places classes and
> web.xml at the correct location, as an alternative to
> https://reviews.apache.org/r/73816/
> 
> 
> Now:
> ews/lib contains ews bootstrap jars,
> ews/webapp/WEB-INF/classes contains KMS app itself,
> ews/webapp/WEB-INF/lib contains KMS dependencies,
> ews/webapp/WEB-INF/lib/ranger-kms-plugin-impl contains ranger-kms-plugin.
> 
> Additionally, kms/pom.xml even depends on the original hadoop-kms, which can
> confuse developers, so I removed it.
> 
> BTW: the bootstrap embedded server looks too heavy and has too many
> dependencies.
> 
> 
> Diffs
> -
> 
>   distro/src/main/assembly/kms.xml f7605076e6294d9e76ca2f9205e0716932f4daf9 
>   kms/pom.xml ade563f9479cf1519f222c6eddc6d9991f8422e5 
>   kms/scripts/DBMK2HSM.sh 001199d97b21158795dbf7ae31e12d1500333541 
>   kms/scripts/DBMKTOAZUREKEYVAULT.sh cfe5a6b5e65438ba7d50349a36c2dd3219c7092a 
>   kms/scripts/DBMKTOKEYSECURE.sh c0aa6e58c27c7a827bcb557d7a7714eb55ecee63 
>   kms/scripts/HSMMK2DB.sh 6c77f7340d9c761f980560f3cbf06f65f7c505ed 
>   kms/scripts/KEYSECUREMKTOKMSDB.sh 340e05e2c215e5c046be5cd4c6832b7f0733822a 
>   kms/scripts/VerifyIsDBMasterkeyCorrect.sh 
> 1c9a2e148959d8fe72e8d7e7b0fa4a810e942337 
>   kms/scripts/exportKeysToJCEKS.sh f3205789b1da6df95c5e8cf174f4e96ef02b2164 
>   kms/scripts/importJCEKSKeys.sh 5d4fe978fd00f3d86ef48299755689cee34b8331 
>   kms/scripts/ranger-kms 429a31e5aac38e3bbcfc6bdd258818d9ecbf0161 
>   kms/scripts/setup.sh 448042e9d1e9e0caaabf713282a4d509fb09c2e3 
>   kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java 
> c899bdf98327de5a86cf51470e96c6ad8e7e4079 
>   kms/src/main/resources/META-INF/context.xml  
>   kms/src/main/resources/WEB-INF/web.xml 
> 5e2d489fe632a16a5ed440bbbff41f558d2a2338 
>   kms/src/main/resources/log4j-kmsaudit.properties 
> 0747f1e33ee2d6ada6c6a16938cadd2d55d6450d 
> 
> 
> Diff: https://reviews.apache.org/r/73852/diff/4/
> 
> 
> Testing
> ---
> 
> mvn clean package
> fresh install and upgrade from 2.2.0
> 
> 
> Thanks,
> 
> Kirby Zhou
> 
>



Re: Review Request 73852: RANGER-3595, refactor the file layout of ranger-xxx-kms.tar.gz

2022-03-02 Thread Kirby Zhou


> On March 3, 2022, 5:25 a.m., bhavik patel wrote:
> > Patch has a conflict and please update the commit message.
> 
> Kirby Zhou wrote:
> what is your point about "commit message"?
> and what is the conflict?
> 
> I have tried to apply it on 53b103c5826f115f05e011d883041471d7546a63.
> 
> kirbyzhou@Kirby-WorkBook ranger-master % git am 
> /Users/kirbyzhou/Downloads/0001-RANGER-3595-refactor-the-file-layout-of-kms.tar.patch
> Applying: RANGER-3595: refactor the file layout of kms.tar
> 
> kirbyzhou@Kirby-WorkBook ranger-master % git log
> commit 7a59dbd429accf46e1d9fff33638a9b12e0aca90 (HEAD)
> Author: ZhouTianling 
> Date:   Sat Jan 22 01:49:11 2022 +0800
> 
> RANGER-3595: refactor the file layout of kms.tar
> 
> commit 53b103c5826f115f05e011d883041471d7546a63 (sensors/master, 
> github/master, github/HEAD)
> Author: Viktor Somogyi-Vass 
> Date:   Mon Sep 20 17:23:29 2021 +0200
> 
> bhavik patel wrote:
> The uploaded patch name is
> "0001-put-classes-under-WEB-INF-like-regular-webapp.patch", which is not the
> same as "0001-RANGER-3595-refactor-the-file-layout-of-kms.tar.patch"

Maybe you need to clear your browser cache?
I have just downloaded the latest one, it is "0001-RANGER-3595...".


- Kirby


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73852/#review224119
---


On March 3, 2022, 2:43 a.m., Kirby Zhou wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73852/
> ---
> 
> (Updated March 3, 2022, 2:43 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, 
> Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen Mansoori, Mehul 
> Parikh, pengjianhua, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal 
> Suvagia, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-3595
> https://issues.apache.org/jira/browse/RANGER-3595
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> There are lots of .class files under ews/webapp/ that are never used.
> 
> 
> 1. Place web.xml at the correct location
> 2. setup.sh wants to patch hadoop-common.jar at runtime; it requires some file
> inside ranger-kms.jar. But the patching of hadoop-common.jar is unnecessary.
> 
> A regular webapp should have its own class files under
> ews/webapp/WEB-INF/classes and its dependencies under ews/webapp/WEB-INF/lib,
> and the container should put its libraries under ews/lib. But at present we
> use directories such as ews/webapp/lib and ews/webapp/WEB-INF/classes/lib. It
> looks dirty and ugly.
> 
> 
> My patch here makes KMS no longer bring ranger-kms.jar, and places classes and
> web.xml at the correct location, as an alternative to
> https://reviews.apache.org/r/73816/
> 
> 
> Now:
> ews/lib contains ews bootstrap jars,
> ews/webapp/WEB-INF/classes contains KMS app itself,
> ews/webapp/WEB-INF/lib contains KMS dependencies,
> ews/webapp/WEB-INF/lib/ranger-kms-plugin-impl contains ranger-kms-plugin.
> 
> Additionally, kms/pom.xml even depends on the original hadoop-kms, which can
> confuse developers, so I removed it.
> 
> BTW: the bootstrap embedded server looks too heavy and has too many
> dependencies.
> 
> 
> Diffs
> -
> 
>   distro/src/main/assembly/kms.xml f7605076e6294d9e76ca2f9205e0716932f4daf9 
>   kms/pom.xml ade563f9479cf1519f222c6eddc6d9991f8422e5 
>   kms/scripts/DBMK2HSM.sh 001199d97b21158795dbf7ae31e12d1500333541 
>   kms/scripts/DBMKTOAZUREKEYVAULT.sh cfe5a6b5e65438ba7d50349a36c2dd3219c7092a 
>   kms/scripts/DBMKTOKEYSECURE.sh c0aa6e58c27c7a827bcb557d7a7714eb55ecee63 
>   kms/scripts/HSMMK2DB.sh 6c77f7340d9c761f980560f3cbf06f65f7c505ed 
>   kms/scripts/KEYSECUREMKTOKMSDB.sh 340e05e2c215e5c046be5cd4c6832b7f0733822a 
>   kms/scripts/VerifyIsDBMasterkeyCorrect.sh 
> 1c9a2e148959d8fe72e8d7e7b0fa4a810e942337 
>   kms/scripts/exportKeysToJCEKS.sh f3205789b1da6df95c5e8cf174f4e96ef02b2164 
>   kms/scripts/importJCEKSKeys.sh 5d4fe978fd00f3d86ef48299755689cee34b8331 
>   kms/scripts/ranger-kms 429a31e5aac38e3bbcfc6bdd258818d9ecbf0161 
>   kms/scripts/setup.sh 448042e9d1e9e0caaabf713282a4d509fb09c2e3 
>   kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java 
> c899bdf98327de5a86cf51470e96c6ad8e7e4079 
>   kms/src/main/resources/META-INF/context.xml  
>   kms/src/main/resources/WEB-INF/web.xml 
> 5e2d489fe632a16a5ed440bbbff41f558d2a2338 
>   kms/src/main/resources/log4j-kmsaudit.properties 
> 0747f1e33ee2d6ada6c6a16938cadd2d55d6450d 
> 
> 
> Diff: https://reviews.apache.org/r/73852/diff/4/
> 
> 
> Testing
> ---
> 
> mvn clean package
> fresh install and upgrade from 2.2.0
> 
> 
> Thanks,
> 
> Kirby Zhou
> 
>



Re: Review Request 73852: RANGER-3595, refactor the file layout of ranger-xxx-kms.tar.gz

2022-03-02 Thread bhavik patel


> On March 3, 2022, 5:25 a.m., bhavik patel wrote:
> > Patch has a conflict and please update the commit message.
> 
> Kirby Zhou wrote:
> what is your point about "commit message"?
> and what is the conflict?
> 
> I have tried to apply it on 53b103c5826f115f05e011d883041471d7546a63.
> 
> kirbyzhou@Kirby-WorkBook ranger-master % git am 
> /Users/kirbyzhou/Downloads/0001-RANGER-3595-refactor-the-file-layout-of-kms.tar.patch
> Applying: RANGER-3595: refactor the file layout of kms.tar
> 
> kirbyzhou@Kirby-WorkBook ranger-master % git log
> commit 7a59dbd429accf46e1d9fff33638a9b12e0aca90 (HEAD)
> Author: ZhouTianling 
> Date:   Sat Jan 22 01:49:11 2022 +0800
> 
> RANGER-3595: refactor the file layout of kms.tar
> 
> commit 53b103c5826f115f05e011d883041471d7546a63 (sensors/master, 
> github/master, github/HEAD)
> Author: Viktor Somogyi-Vass 
> Date:   Mon Sep 20 17:23:29 2021 +0200

The uploaded patch name is
"0001-put-classes-under-WEB-INF-like-regular-webapp.patch", which is not the
same as "0001-RANGER-3595-refactor-the-file-layout-of-kms.tar.patch"


- bhavik


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73852/#review224119
---


On March 3, 2022, 2:43 a.m., Kirby Zhou wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73852/
> ---
> 
> (Updated March 3, 2022, 2:43 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, 
> Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen Mansoori, Mehul 
> Parikh, pengjianhua, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal 
> Suvagia, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-3595
> https://issues.apache.org/jira/browse/RANGER-3595
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> There are lots of .class files under ews/webapp/ that are never used.
> 
> 
> 1. Place web.xml at the correct location
> 2. setup.sh wants to patch hadoop-common.jar at runtime; it requires some file
> inside ranger-kms.jar. But the patching of hadoop-common.jar is unnecessary.
> 
> A regular webapp should have its own class files under
> ews/webapp/WEB-INF/classes and its dependencies under ews/webapp/WEB-INF/lib,
> and the container should put its libraries under ews/lib. But at present we
> use directories such as ews/webapp/lib and ews/webapp/WEB-INF/classes/lib. It
> looks dirty and ugly.
> 
> 
> My patch here makes KMS no longer bring ranger-kms.jar, and places classes and
> web.xml at the correct location, as an alternative to
> https://reviews.apache.org/r/73816/
> 
> 
> Now:
> ews/lib contains ews bootstrap jars,
> ews/webapp/WEB-INF/classes contains KMS app itself,
> ews/webapp/WEB-INF/lib contains KMS dependencies,
> ews/webapp/WEB-INF/lib/ranger-kms-plugin-impl contains ranger-kms-plugin.
> 
> Additionally, kms/pom.xml even depends on the original hadoop-kms, which can
> confuse developers, so I removed it.
> 
> BTW: the bootstrap embedded server looks too heavy and has too many
> dependencies.
> 
> 
> Diffs
> -
> 
>   distro/src/main/assembly/kms.xml f7605076e6294d9e76ca2f9205e0716932f4daf9 
>   kms/pom.xml ade563f9479cf1519f222c6eddc6d9991f8422e5 
>   kms/scripts/DBMK2HSM.sh 001199d97b21158795dbf7ae31e12d1500333541 
>   kms/scripts/DBMKTOAZUREKEYVAULT.sh cfe5a6b5e65438ba7d50349a36c2dd3219c7092a 
>   kms/scripts/DBMKTOKEYSECURE.sh c0aa6e58c27c7a827bcb557d7a7714eb55ecee63 
>   kms/scripts/HSMMK2DB.sh 6c77f7340d9c761f980560f3cbf06f65f7c505ed 
>   kms/scripts/KEYSECUREMKTOKMSDB.sh 340e05e2c215e5c046be5cd4c6832b7f0733822a 
>   kms/scripts/VerifyIsDBMasterkeyCorrect.sh 
> 1c9a2e148959d8fe72e8d7e7b0fa4a810e942337 
>   kms/scripts/exportKeysToJCEKS.sh f3205789b1da6df95c5e8cf174f4e96ef02b2164 
>   kms/scripts/importJCEKSKeys.sh 5d4fe978fd00f3d86ef48299755689cee34b8331 
>   kms/scripts/ranger-kms 429a31e5aac38e3bbcfc6bdd258818d9ecbf0161 
>   kms/scripts/setup.sh 448042e9d1e9e0caaabf713282a4d509fb09c2e3 
>   kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java 
> c899bdf98327de5a86cf51470e96c6ad8e7e4079 
>   kms/src/main/resources/META-INF/context.xml  
>   kms/src/main/resources/WEB-INF/web.xml 
> 5e2d489fe632a16a5ed440bbbff41f558d2a2338 
>   kms/src/main/resources/log4j-kmsaudit.properties 
> 0747f1e33ee2d6ada6c6a16938cadd2d55d6450d 
> 
> 
> Diff: https://reviews.apache.org/r/73852/diff/4/
> 
> 
> Testing
> ---
> 
> mvn clean package
> fresh install and upgrade from 2.2.0
> 
> 
> Thanks,
> 
> Kirby Zhou
> 
>



Re: Review Request 73852: RANGER-3595, refactor the file layout of ranger-xxx-kms.tar.gz

2022-03-02 Thread bhavik patel

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73852/#review224119
---



Patch has a conflict and please update the commit message.

- bhavik patel


On March 3, 2022, 2:43 a.m., Kirby Zhou wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73852/
> ---
> 
> (Updated March 3, 2022, 2:43 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, 
> Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen Mansoori, Mehul 
> Parikh, pengjianhua, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal 
> Suvagia, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-3595
> https://issues.apache.org/jira/browse/RANGER-3595
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> There are lots of .class files under ews/webapp/ that are never used.
> 
> 
> 1. Place web.xml at the correct location
> 2. setup.sh wants to patch hadoop-common.jar at runtime; it requires some file
> inside ranger-kms.jar. But the patching of hadoop-common.jar is unnecessary.
> 
> A regular webapp should have its own class files under
> ews/webapp/WEB-INF/classes and its dependencies under ews/webapp/WEB-INF/lib,
> and the container should put its libraries under ews/lib. But at present we
> use directories such as ews/webapp/lib and ews/webapp/WEB-INF/classes/lib. It
> looks dirty and ugly.
> 
> 
> My patch here makes KMS no longer bring ranger-kms.jar, and places classes and
> web.xml at the correct location, as an alternative to
> https://reviews.apache.org/r/73816/
> 
> 
> Now:
> ews/lib contains ews bootstrap jars,
> ews/webapp/WEB-INF/classes contains KMS app itself,
> ews/webapp/WEB-INF/lib contains KMS dependencies,
> ews/webapp/WEB-INF/lib/ranger-kms-plugin-impl contains ranger-kms-plugin.
> 
> Additionally, kms/pom.xml even depends on the original hadoop-kms, which can
> confuse developers, so I removed it.
> 
> BTW: the bootstrap embedded server looks too heavy and has too many
> dependencies.
> 
> 
> Diffs
> -
> 
>   distro/src/main/assembly/kms.xml f7605076e6294d9e76ca2f9205e0716932f4daf9 
>   kms/pom.xml ade563f9479cf1519f222c6eddc6d9991f8422e5 
>   kms/scripts/DBMK2HSM.sh 001199d97b21158795dbf7ae31e12d1500333541 
>   kms/scripts/DBMKTOAZUREKEYVAULT.sh cfe5a6b5e65438ba7d50349a36c2dd3219c7092a 
>   kms/scripts/DBMKTOKEYSECURE.sh c0aa6e58c27c7a827bcb557d7a7714eb55ecee63 
>   kms/scripts/HSMMK2DB.sh 6c77f7340d9c761f980560f3cbf06f65f7c505ed 
>   kms/scripts/KEYSECUREMKTOKMSDB.sh 340e05e2c215e5c046be5cd4c6832b7f0733822a 
>   kms/scripts/VerifyIsDBMasterkeyCorrect.sh 
> 1c9a2e148959d8fe72e8d7e7b0fa4a810e942337 
>   kms/scripts/exportKeysToJCEKS.sh f3205789b1da6df95c5e8cf174f4e96ef02b2164 
>   kms/scripts/importJCEKSKeys.sh 5d4fe978fd00f3d86ef48299755689cee34b8331 
>   kms/scripts/ranger-kms 429a31e5aac38e3bbcfc6bdd258818d9ecbf0161 
>   kms/scripts/setup.sh 448042e9d1e9e0caaabf713282a4d509fb09c2e3 
>   kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java 
> c899bdf98327de5a86cf51470e96c6ad8e7e4079 
>   kms/src/main/resources/META-INF/context.xml  
>   kms/src/main/resources/WEB-INF/web.xml 
> 5e2d489fe632a16a5ed440bbbff41f558d2a2338 
>   kms/src/main/resources/log4j-kmsaudit.properties 
> 0747f1e33ee2d6ada6c6a16938cadd2d55d6450d 
> 
> 
> Diff: https://reviews.apache.org/r/73852/diff/4/
> 
> 
> Testing
> ---
> 
> mvn clean package
> fresh install and upgrade from 2.2.0
> 
> 
> Thanks,
> 
> Kirby Zhou
> 
>



Re: Review Request 73867: RANGER-3630: Support wildcards, group short names, and list of memberof attribute DNs for computing user search filter

2022-03-02 Thread Pradeep Agrawal

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73867/#review224118
---




ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
Lines 1282 (patched)


Do we need to handle the closing exception, or will it be handled on its own?


- Pradeep Agrawal


On Feb. 25, 2022, 4:12 a.m., Sailaja Polavarapu wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73867/
> ---
> 
> (Updated Feb. 25, 2022, 4:12 a.m.)
> 
> 
> Review request for ranger, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, 
> and Ramesh Mani.
> 
> 
> Bugs: RANGER-3630
> https://issues.apache.org/jira/browse/RANGER-3630
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Introduced new usersync configuration "ranger.usersync.ldap.groupnames" that 
> accepts ";" separated list of group names with wildcards, shortname, or DN 
> format. During startup of usersync added logic to read this configuration to 
> compute the user search filter. Also added new unit tests to cover some 
> functional and error cases.
> 
> 
> Diffs
> -
> 
>   
> ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
>  dae78e9f2 
>   
> ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
>  5f301651b 
>   ugsync/src/test/java/org/apache/ranger/usergroupsync/TestLdapUserGroup.java 
> 78bc56cd9 
> 
> 
> Diff: https://reviews.apache.org/r/73867/diff/1/
> 
> 
> Testing
> ---
> 
> 1. Patched cluster and ran some functional tests to verify the new logic
> 2. Ran a few regression tests with AD/LDAP sync source
> 
> 
> Thanks,
> 
> Sailaja Polavarapu
> 
>



Re: Review Request 73885: RANGER-3651:Remove jersey1.x version dependency for knox plugin

2022-03-02 Thread bhavik patel

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73885/#review224117
---


Ship it!




Ship It!

- bhavik patel


On March 2, 2022, 8:02 p.m., Ramesh Mani wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73885/
> ---
> 
> (Updated March 2, 2022, 8:02 p.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, 
> Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan 
> Periasamy.
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> RANGER-3651:Remove jersey1.x version dependency for knox plugin
> 
> 
> Diffs
> -
> 
>   knox-agent/pom.xml e5d5af64a 
>   
> knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
>  c60d647ac 
> 
> 
> Diff: https://reviews.apache.org/r/73885/diff/1/
> 
> 
> Testing
> ---
> 
> - Testing done in local VM for knox plugin.
> 
> 
> Thanks,
> 
> Ramesh Mani
> 
>



Re: Review Request 73835: RANGER-3611 Uncatched NullPointerException when missing lastKnownVersion in ServiceREST::getServicePoliciesIfUpdated

2022-03-02 Thread bhavik patel

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73835/#review224116
---


Ship it!




Ship It!

- bhavik patel


On March 3, 2022, 3:48 a.m., Kirby Zhou wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73835/
> ---
> 
> (Updated March 3, 2022, 3:48 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, 
> Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen 
> Mansoori, Mehul Parikh, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal 
> Suvagia, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3611
> https://issues.apache.org/jira/browse/RANGER-3611
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> A simple REST API call with curl will cause an uncaught NullPointerException
> in the logs.
> It happens in some Spring-generated code. Setting a value for
> lastKnownVersion will fix it.
>  
> Actual:
> 
> ```
> ]% curl -v  http://localhost:6080/service/plugins/policies/download/hdfsdev
> ... 
> < HTTP/1.1 404 Not Found
> ...
>  No Message here 
> * Closing connection 0 
> ```
> 
> And logs in catalina.out
> 
> ```
> EVERE: Servlet.service() for servlet [REST Service] in context with path [] 
> threw exception
> java.lang.NullPointerException
>   at 
> org.apache.ranger.rest.ServiceREST.getServicePoliciesIfUpdated(ServiceREST.java:3054)
>   at 
> org.apache.ranger.rest.ServiceREST$$FastClassBySpringCGLIB$$92dab672.invoke()
>   at 
> org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
>   at 
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:779)
>   at 
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
>   at 
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:750)
>   at 
> org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:123)
>   at 
> org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:388)
>   at 
> org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:119)
>   at 
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
>   at 
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:750)
>   at 
> org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:692)
>   at 
> org.apache.ranger.rest.ServiceREST$$EnhancerBySpringCGLIB$$43bccb60.getServicePoliciesIfUpdated()
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>   at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:498)
>   at 
> com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
>   at 
> com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
>   at 
> com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
>   at 
> com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
>   at 
> com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>   at 
> com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
>   at 
> com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>   at 
> com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
>   at 
> com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1542)
>   at 
> com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1473)
>   at 
> com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419)
>   at 
> com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409)
>   at 
> com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:409)
>   at 
> 

[jira] [Updated] (RANGER-3611) Uncatched NullPointerException when missing lastKnownVersion in ServiceREST::getServicePoliciesIfUpdated

2022-03-02 Thread kirby zhou (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3611?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

kirby zhou updated RANGER-3611:
---
Attachment: (was: 
0001-fix-NullPtrException-in-API-policies-download.patch)

> Uncatched NullPointerException when missing lastKnownVersion in 
> ServiceREST::getServicePoliciesIfUpdated
> 
>
> Key: RANGER-3611
> URL: https://issues.apache.org/jira/browse/RANGER-3611
> Project: Ranger
> Issue Type: Bug
> Components: admin
> Affects Versions: 2.2.0, 2.3.0
> Reporter: kirby zhou
> Priority: Minor
>
> A simple REST API call with curl will cause an uncaught NullPointerException
> in the logs.
> Actual:
>  
> {code:java}
> ]% curl -v http://localhost:6080/service/plugins/policies/download/hdfsdev
> ... 
> < HTTP/1.1 404 Not Found
> ...
>  No Message here 
> * Closing connection 0 {code}
>  
> And logs in catalina.out
> {code:java}
> EVERE: Servlet.service() for servlet [REST Service] in context with path [] 
> threw exception
> java.lang.NullPointerException
>   at 
> org.apache.ranger.rest.ServiceREST.getServicePoliciesIfUpdated(ServiceREST.java:3054)
>   at 
> org.apache.ranger.rest.ServiceREST$$FastClassBySpringCGLIB$$92dab672.invoke()
>   at 
> org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
>   at 
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:779)
>   at 
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
>   at 
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:750)
>   at 
> org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:123)
>   at 
> org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:388)
>   at 
> org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:119)
>   at 
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
>   at 
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:750)
>   at 
> org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:692)
>   at 
> org.apache.ranger.rest.ServiceREST$$EnhancerBySpringCGLIB$$43bccb60.getServicePoliciesIfUpdated()
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>   at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:498)
>   at 
> com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
>   at 
> com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
>   at 
> com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
>   at 
> com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
>   at 
> com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>   at 
> com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
>   at 
> com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>   at 
> com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
>   at 
> com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1542)
>   at 
> com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1473)
>   at 
> com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419)
>   at 
> com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409)
>   at 
> com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:409)
>   at 
> com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:558)
>   at 
> com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:733)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
>   at 
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:232)
>  

Re: Review Request 73835: RANGER-3611 Uncatched NullPointerException when missing lastKnownVersion in ServiceREST::getServicePoliciesIfUpdated

2022-03-02 Thread Kirby Zhou

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73835/
---

(Updated March 3, 2022, 3:48 a.m.)


Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam 
Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen Mansoori, 
Mehul Parikh, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal Suvagia, and 
Velmurugan Periasamy.


Changes
---

fix bug on more apis


Bugs: RANGER-3611
https://issues.apache.org/jira/browse/RANGER-3611


Repository: ranger


Description
---

A simple REST API call by curl will cause an uncaught NullPointerException in 
the logs.
It happens in some Spring-generated code. Setting a value for lastKnownVersion 
will fix it.
 
Actual:

```
]% curl -v  http://localhost:6080/service/plugins/policies/download/hdfsdev
... 
< HTTP/1.1 404 Not Found
...
 No Message here 
* Closing connection 0 
```

And logs in catalina.out

```
SEVERE: Servlet.service() for servlet [REST Service] in context with path [] threw exception
java.lang.NullPointerException
at 
org.apache.ranger.rest.ServiceREST.getServicePoliciesIfUpdated(ServiceREST.java:3054)
at 
org.apache.ranger.rest.ServiceREST$$FastClassBySpringCGLIB$$92dab672.invoke()
at 
org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
at 
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:779)
at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
at 
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:750)
at 
org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:123)
at 
org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:388)
at 
org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:119)
at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at 
org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:750)
at 
org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:692)
at 
org.apache.ranger.rest.ServiceREST$$EnhancerBySpringCGLIB$$43bccb60.getServicePoliciesIfUpdated()
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at 
com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
at 
com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
at 
com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
at 
com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
at 
com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
at 
com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
at 
com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
at 
com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
at 
com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1542)
at 
com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1473)
at 
com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419)
at 
com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1409)
at 
com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:409)
at 
com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:558)
at 
com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:733)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:232)
at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:167)
at 
```

Re: Review Request 73852: RANGER-3595, refactor the file layout of ranger-xxx-kms.tar.gz

2022-03-02 Thread Kirby Zhou

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73852/
---

(Updated March 3, 2022, 2:43 a.m.)


Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, 
Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen Mansoori, Mehul 
Parikh, pengjianhua, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal 
Suvagia, Velmurugan Periasamy, and Qiang Zhang.


Changes
---

sync with log4j removing


Bugs: RANGER-3595
https://issues.apache.org/jira/browse/RANGER-3595


Repository: ranger


Description
---

There are lots of .class files under ews/webapp/ that are never used. 


1. Place web.xml at the correct location.
2. setup.sh wants to patch hadoop-common.jar at runtime, which requires some file 
inside ranger-kms.jar. But the patching of hadoop-common.jar is unnecessary. 

A regular webapp should have its own class files under 
ews/webapp/WEB-INF/classes and its dependencies under ews/webapp/WEB-INF/lib, and 
the container should put its libraries under ews/lib. But at present we use 
directories such as ews/webapp/lib and ews/webapp/WEB-INF/classes/lib. It looks 
dirty and ugly.


My patch here makes KMS no longer bring ranger-kms.jar, and places classes and 
web.xml at the correct location, as an alternative to 
https://reviews.apache.org/r/73816/


Now: 
ews/lib contains ews bootstrap jars, 
ews/webapp/WEB-INF/classes contains KMS app itself, 
ews/webapp/WEB-INF/lib contains KMS dependencies,
ews/webapp/WEB-INF/lib/ranger-kms-plugin-impl contains ranger-kms-plugin.

Additionally, kms/pom.xml even depends on the original hadoop-kms, which can confuse 
developers, so I removed it.

BTW: the bootstrap embedded server looks too heavy and has too many 
dependencies.


Diffs (updated)
-

  distro/src/main/assembly/kms.xml f7605076e6294d9e76ca2f9205e0716932f4daf9 
  kms/pom.xml ade563f9479cf1519f222c6eddc6d9991f8422e5 
  kms/scripts/DBMK2HSM.sh 001199d97b21158795dbf7ae31e12d1500333541 
  kms/scripts/DBMKTOAZUREKEYVAULT.sh cfe5a6b5e65438ba7d50349a36c2dd3219c7092a 
  kms/scripts/DBMKTOKEYSECURE.sh c0aa6e58c27c7a827bcb557d7a7714eb55ecee63 
  kms/scripts/HSMMK2DB.sh 6c77f7340d9c761f980560f3cbf06f65f7c505ed 
  kms/scripts/KEYSECUREMKTOKMSDB.sh 340e05e2c215e5c046be5cd4c6832b7f0733822a 
  kms/scripts/VerifyIsDBMasterkeyCorrect.sh 
1c9a2e148959d8fe72e8d7e7b0fa4a810e942337 
  kms/scripts/exportKeysToJCEKS.sh f3205789b1da6df95c5e8cf174f4e96ef02b2164 
  kms/scripts/importJCEKSKeys.sh 5d4fe978fd00f3d86ef48299755689cee34b8331 
  kms/scripts/ranger-kms 429a31e5aac38e3bbcfc6bdd258818d9ecbf0161 
  kms/scripts/setup.sh 448042e9d1e9e0caaabf713282a4d509fb09c2e3 
  kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java 
c899bdf98327de5a86cf51470e96c6ad8e7e4079 
  kms/src/main/resources/META-INF/context.xml  
  kms/src/main/resources/WEB-INF/web.xml 
5e2d489fe632a16a5ed440bbbff41f558d2a2338 


Diff: https://reviews.apache.org/r/73852/diff/3/

Changes: https://reviews.apache.org/r/73852/diff/2-3/


Testing
---

mvn clean package
fresh install and upgrade from 2.2.0


Thanks,

Kirby Zhou



Re: Review Request 73852: RANGER-3595, refactor the file layout of ranger-xxx-kms.tar.gz

2022-03-02 Thread Kirby Zhou

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73852/
---

(Updated March 3, 2022, 2:28 a.m.)


Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, 
Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen Mansoori, Mehul 
Parikh, pengjianhua, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal 
Suvagia, Velmurugan Periasamy, and Qiang Zhang.


Changes
---

rebase to HEAD of master


Bugs: RANGER-3595
https://issues.apache.org/jira/browse/RANGER-3595


Repository: ranger


Description
---

There are lots of .class files under ews/webapp/ that are never used. 


1. Place web.xml at the correct location.
2. setup.sh wants to patch hadoop-common.jar at runtime, which requires some file 
inside ranger-kms.jar. But the patching of hadoop-common.jar is unnecessary. 

A regular webapp should have its own class files under 
ews/webapp/WEB-INF/classes and its dependencies under ews/webapp/WEB-INF/lib, and 
the container should put its libraries under ews/lib. But at present we use 
directories such as ews/webapp/lib and ews/webapp/WEB-INF/classes/lib. It looks 
dirty and ugly.


My patch here makes KMS no longer bring ranger-kms.jar, and places classes and 
web.xml at the correct location, as an alternative to 
https://reviews.apache.org/r/73816/


Now: 
ews/lib contains ews bootstrap jars, 
ews/webapp/WEB-INF/classes contains KMS app itself, 
ews/webapp/WEB-INF/lib contains KMS dependencies,
ews/webapp/WEB-INF/lib/ranger-kms-plugin-impl contains ranger-kms-plugin.

Additionally, kms/pom.xml even depends on the original hadoop-kms, which can confuse 
developers, so I removed it.

BTW: the bootstrap embedded server looks too heavy and has too many 
dependencies.


Diffs (updated)
-

  distro/src/main/assembly/kms.xml f7605076e6294d9e76ca2f9205e0716932f4daf9 
  kms/pom.xml ade563f9479cf1519f222c6eddc6d9991f8422e5 
  kms/scripts/DBMK2HSM.sh 001199d97b21158795dbf7ae31e12d1500333541 
  kms/scripts/DBMKTOAZUREKEYVAULT.sh cfe5a6b5e65438ba7d50349a36c2dd3219c7092a 
  kms/scripts/DBMKTOKEYSECURE.sh c0aa6e58c27c7a827bcb557d7a7714eb55ecee63 
  kms/scripts/HSMMK2DB.sh 6c77f7340d9c761f980560f3cbf06f65f7c505ed 
  kms/scripts/KEYSECUREMKTOKMSDB.sh 340e05e2c215e5c046be5cd4c6832b7f0733822a 
  kms/scripts/VerifyIsDBMasterkeyCorrect.sh 
1c9a2e148959d8fe72e8d7e7b0fa4a810e942337 
  kms/scripts/exportKeysToJCEKS.sh f3205789b1da6df95c5e8cf174f4e96ef02b2164 
  kms/scripts/importJCEKSKeys.sh 5d4fe978fd00f3d86ef48299755689cee34b8331 
  kms/scripts/ranger-kms 429a31e5aac38e3bbcfc6bdd258818d9ecbf0161 
  kms/scripts/setup.sh 448042e9d1e9e0caaabf713282a4d509fb09c2e3 
  kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java 
c899bdf98327de5a86cf51470e96c6ad8e7e4079 
  kms/src/main/resources/META-INF/context.xml  
  kms/src/main/resources/WEB-INF/web.xml 
5e2d489fe632a16a5ed440bbbff41f558d2a2338 


Diff: https://reviews.apache.org/r/73852/diff/2/

Changes: https://reviews.apache.org/r/73852/diff/1-2/


Testing
---

mvn clean package
fresh install and upgrade from 2.2.0


Thanks,

Kirby Zhou



[jira] [Updated] (RANGER-3459) Upgrade Ranger's Kafka dependency to 2.8

2022-03-02 Thread Andras Katona (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3459?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andras Katona updated RANGER-3459:
--
Fix Version/s: 3.0.0

> Upgrade Ranger's Kafka dependency to 2.8
> 
>
> Key: RANGER-3459
> URL: https://issues.apache.org/jira/browse/RANGER-3459
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins, Ranger
>Reporter: Andras Katona
>Assignee: Andras Katona
>Priority: Major
> Fix For: 3.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>




--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Commented] (RANGER-3459) Upgrade Ranger's Kafka dependency to 2.8

2022-03-02 Thread Ramesh Mani (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3459?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17500375#comment-17500375
 ] 

Ramesh Mani commented on RANGER-3459:
-

[~akatona]  commit to master. Thanks.

> Upgrade Ranger's Kafka dependency to 2.8
> 
>
> Key: RANGER-3459
> URL: https://issues.apache.org/jira/browse/RANGER-3459
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins, Ranger
>Reporter: Andras Katona
>Assignee: Andras Katona
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>




--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Commented] (RANGER-3010) Rest API 'addUsersAndGroups' issue

2022-03-02 Thread Madhan Neethiraj (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17500369#comment-17500369
 ] 

Madhan Neethiraj commented on RANGER-3010:
--

[~ankita] - can you please help with this? Thanks!

> Rest API 'addUsersAndGroups' issue
> --
>
> Key: RANGER-3010
> URL: https://issues.apache.org/jira/browse/RANGER-3010
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: leo sun
>Priority: Major
>
> I want to use Ranger API functions - addUsersAndGroups & removeUsersAndGroups 
> to manage users and groups of a role. But the official reference doesn't have 
> a suitable example for these two APIs, and all my attempts failed.
> Another point: For example, I found the input type of addUsersAndGroups is 
> Boolean on the official website, but the input of the implementing function is two 
> string lists and one boolean.
> I don't know how to use it. Could you help me with this? [~abhayk]



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


Review Request 73885: RANGER-3651:Remove jersey1.x version dependency for knox plugin

2022-03-02 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73885/
---

Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, 
Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Repository: ranger


Description
---

RANGER-3651:Remove jersey1.x version dependency for knox plugin


Diffs
-

  knox-agent/pom.xml e5d5af64a 
  
knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
 c60d647ac 


Diff: https://reviews.apache.org/r/73885/diff/1/


Testing
---

- Testing done in local VM for knox plugin.


Thanks,

Ramesh Mani



[jira] [Updated] (RANGER-3651) Remove jersey1.x version dependency for knox plugin

2022-03-02 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3651?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-3651:

Affects Version/s: 2.3.0
   (was: 2.2.0)

> Remove jersey1.x version dependency for knox plugin
> ---
>
> Key: RANGER-3651
> URL: https://issues.apache.org/jira/browse/RANGER-3651
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 3.0.0, 2.3.0
>Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Minor
>
> Remove jersey1.x version dependency for Knox plugin.  Knox plugin depends on 
> Jersey 2.x libraries  and having a jersey 1.x library results in class 
> compatibility issue.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Created] (RANGER-3651) Remove jersey1.x version dependency for knox plugin

2022-03-02 Thread Ramesh Mani (Jira)
Ramesh Mani created RANGER-3651:
---

 Summary: Remove jersey1.x version dependency for knox plugin
 Key: RANGER-3651
 URL: https://issues.apache.org/jira/browse/RANGER-3651
 Project: Ranger
  Issue Type: Improvement
  Components: Ranger
Affects Versions: 2.2.0, 3.0.0
Reporter: Ramesh Mani
Assignee: Ramesh Mani


Remove jersey1.x version dependency for Knox plugin.  Knox plugin depends on 
Jersey 2.x libraries  and having a jersey 1.x library results in class 
compatibility issue.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Commented] (RANGER-3632) Improve ranger logs, RENAME_ON_ROTATE and others

2022-03-02 Thread kirby zhou (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17500245#comment-17500245
 ] 

kirby zhou commented on RANGER-3632:


[https://reviews.apache.org/r/73884/] for 2.3 branch

> Improve ranger logs,  RENAME_ON_ROTATE and others
> -
>
> Key: RANGER-3632
> URL: https://issues.apache.org/jira/browse/RANGER-3632
> Project: Ranger
>  Issue Type: Improvement
>  Components: admin, kms
>Affects Versions: 3.0.0, 2.3.0
>Reporter: kirby zhou
>Assignee: kirby zhou
>Priority: Major
> Fix For: 3.0.0
>
>
> Currently, the filename of the access-log in use has a timestamp as the 
> suffix. This brings trouble to some log monitoring and analysis programs, 
> such as "tail -f access-log"
> Need to add an option to enable tomcat's RenameOnRotate capability to fix the 
> file name of access-log.
>  
> {code:java}
> // in EmbeddedServer::start()
> // Enable Tomcat's RenameOnRotate from configuration (default: false)
> valve.setRenameOnRotate(
>     EmbeddedServerUtil.getConfig(ACCESS_LOG_RENAME_ON_ROTATE, false)
> );{code}
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


Re: Review Request 73884: RANGER-3632 log improve, cherry-pick from master

2022-03-02 Thread Kirby Zhou

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73884/
---

(Updated March 2, 2022, 3:33 p.m.)


Review request for ranger.


Summary (updated)
-

RANGER-3632 log improve, cherry-pick from master


Bugs: RANGER-3632
https://issues.apache.org/jira/browse/RANGER-3632


Repository: ranger


Description
---

See https://reviews.apache.org/r/73857/


Diffs
-

  dev-support/ranger-docker/scripts/ranger-admin-install.properties 
f4e623c5aa2865e29e756359eb9a2c4f33f58e36 
  embeddedwebserver/scripts/ranger-admin-services.sh 
54ac410561a34f069c2f62e8a5d2467de4e43bed 
  
embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
 f5636e180ee98876c4afe08ae7b01c98f1f6cee0 
  
embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServerUtil.java
 b05db77e6acbf7c11631c3feae1b660d522e1ea5 
  ranger-tools/scripts/README.txt 81b5b6678174dd9da79aa083fbe4b73ce8e4bc94 
  security-admin/scripts/changepasswordutil.py 
c9c4edcb68514ff6862c89783186cdcaf74bfb17 
  security-admin/scripts/changeusernameutil.py 
45c0ef74866d6fb6b72f566574b2c804d3f7d36b 
  security-admin/scripts/db_setup.py 40a5fb232df3f581195cdbf1c1d6fff9482f2940 
  security-admin/scripts/install.properties 
5a8b00c1375951d3c35a84f1fa40654877e788b1 
  security-admin/scripts/rolebasedusersearchutil.py 
f9feddce2ff1357fc0ba2c7c1a8890221893a9b4 
  security-admin/scripts/setup.sh d6cb5611d2a2bb21072295fa7cb2b5eb2f13b6aa 
  security-admin/scripts/updateUserAndGroupNamesInJson.py 
b115d22415a7db4d2ba2b44aae9d2bd166d0f7e2 
  security-admin/src/bin/ranger_install.py 
90ac92a0ea2abf60aadbdcad5054e843a5d90530 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
0a1128613dca50fe67ea3f891261f1ee449c46db 
  security-admin/src/main/webapp/WEB-INF/db_patch.logback.xml PRE-CREATION 
  security-admin/src/main/webapp/WEB-INF/logback.xml  
  tagsync/scripts/setup.py 29ad7fa885697534748b76187070a4ffa177633f 
  unixauthservice/scripts/setup.py 4fcfdd8b9c0f8b38699bec24d22483893316e54a 


Diff: https://reviews.apache.org/r/73884/diff/1/


Testing
---


Thanks,

Kirby Zhou



Review Request 73884: RANGER-3623 log improve, cherry-pick from master

2022-03-02 Thread Kirby Zhou

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73884/
---

Review request for ranger.


Bugs: RANGER-3623
https://issues.apache.org/jira/browse/RANGER-3623


Repository: ranger


Description
---

See https://reviews.apache.org/r/73857/


Diffs
-

  dev-support/ranger-docker/scripts/ranger-admin-install.properties 
f4e623c5aa2865e29e756359eb9a2c4f33f58e36 
  embeddedwebserver/scripts/ranger-admin-services.sh 
54ac410561a34f069c2f62e8a5d2467de4e43bed 
  
embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
 f5636e180ee98876c4afe08ae7b01c98f1f6cee0 
  
embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServerUtil.java
 b05db77e6acbf7c11631c3feae1b660d522e1ea5 
  ranger-tools/scripts/README.txt 81b5b6678174dd9da79aa083fbe4b73ce8e4bc94 
  security-admin/scripts/changepasswordutil.py 
c9c4edcb68514ff6862c89783186cdcaf74bfb17 
  security-admin/scripts/changeusernameutil.py 
45c0ef74866d6fb6b72f566574b2c804d3f7d36b 
  security-admin/scripts/db_setup.py 40a5fb232df3f581195cdbf1c1d6fff9482f2940 
  security-admin/scripts/install.properties 
5a8b00c1375951d3c35a84f1fa40654877e788b1 
  security-admin/scripts/rolebasedusersearchutil.py 
f9feddce2ff1357fc0ba2c7c1a8890221893a9b4 
  security-admin/scripts/setup.sh d6cb5611d2a2bb21072295fa7cb2b5eb2f13b6aa 
  security-admin/scripts/updateUserAndGroupNamesInJson.py 
b115d22415a7db4d2ba2b44aae9d2bd166d0f7e2 
  security-admin/src/bin/ranger_install.py 
90ac92a0ea2abf60aadbdcad5054e843a5d90530 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
0a1128613dca50fe67ea3f891261f1ee449c46db 
  security-admin/src/main/webapp/WEB-INF/db_patch.logback.xml PRE-CREATION 
  security-admin/src/main/webapp/WEB-INF/logback.xml  
  tagsync/scripts/setup.py 29ad7fa885697534748b76187070a4ffa177633f 
  unixauthservice/scripts/setup.py 4fcfdd8b9c0f8b38699bec24d22483893316e54a 


Diff: https://reviews.apache.org/r/73884/diff/1/


Testing
---


Thanks,

Kirby Zhou



Re: Review Request 73877: RANGER-3459: Upgrade Kafka dependency to 2.8

2022-03-02 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73877/#review224115
---


Ship it!




Ship It!

- Ramesh Mani


On Feb. 28, 2022, 1:18 p.m., Andras Katona wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73877/
> ---
> 
> (Updated Feb. 28, 2022, 1:18 p.m.)
> 
> 
> Review request for ranger and Ramesh Mani.
> 
> 
> Bugs: RANGER-3459
> https://issues.apache.org/jira/browse/RANGER-3459
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Using Kafka 2.8.1 in Ranger requires some code changes
> 
> 
> Diffs
> -
> 
>   
> plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerGSSTest.java
>  fe600b1ea 
>   
> plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerSASLSSLTest.java
>  6f4538549 
>   
> plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java
>  113ac3686 
>   
> plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerTopicCreationTest.java
>  a12817eba 
>   pom.xml ce0d13452 
> 
> 
> Diff: https://reviews.apache.org/r/73877/diff/1/
> 
> 
> Testing
> ---
> 
> maven executed tests, see PR too: https://github.com/apache/ranger/pull/134
> 
> 
> Thanks,
> 
> Andras Katona
> 
>



Re: Review Request 73882: RANGER-3600: Ranger service tags import request failure

2022-03-02 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73882/#review224114
---




security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java
Line 156 (original), 156 (patched)


This changes the semantics of the REST API. Why is this change required? 
Please review.


- Abhay Kulkarni


On March 2, 2022, 1:09 p.m., Pradeep Agrawal wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73882/
> ---
> 
> (Updated March 2, 2022, 1:09 p.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Ramesh Mani, 
> Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3600
> https://issues.apache.org/jira/browse/RANGER-3600
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> **Problem Statement:** Ranger service tag import request may fail if 
> RangerServiceResource objects of ServiceTags objects do not have ranger 
> service name attribute values. 
> 
> **Proposed Solution** 
> 1) Use the service name available in the parent object (Servicetag object).
> 2) Do not prune the service name field while populating the RangerServiceResource 
> objects of the ServiceTag object.
> 3) If the guid is missing or the service resource is not found based on guid, then try 
> to find it based on the resource signature value. If it does not exist, then do the create 
> operation.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerServiceTagsDeltaUtil.java
>  76d5fd989 
>   
> security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java 
> 3897f48e2 
> 
> 
> Diff: https://reviews.apache.org/r/73882/diff/1/
> 
> 
> Testing
> ---
> 
> Tested the patch and was able to import ServiceTags even if the ServiceTags JSON does 
> not have service names in RangerServiceResource objects.
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>



[jira] [Updated] (RANGER-3600) Ranger service tags import request failure

2022-03-02 Thread Pradeep Agrawal (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3600?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pradeep Agrawal updated RANGER-3600:

Attachment: 0001-RANGER-3600-Ranger-service-tags-import-request-failu.patch

> Ranger service tags import request failure
> --
>
> Key: RANGER-3600
> URL: https://issues.apache.org/jira/browse/RANGER-3600
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Pradeep Agrawal
>Assignee: Pradeep Agrawal
>Priority: Major
> Fix For: 3.0.0
>
> Attachments: 
> 0001-RANGER-3600-Ranger-service-tags-import-request-failu.patch
>
>
> Ranger service tag import request may fail if RangerServiceResource objects 
> of ServiceTags objects do not have ranger service name attribute values. 



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


Review Request 73882: RANGER-3600: Ranger service tags import request failure

2022-03-02 Thread Pradeep Agrawal

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73882/
---

Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Ramesh Mani, 
Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-3600
https://issues.apache.org/jira/browse/RANGER-3600


Repository: ranger


Description
---

**Problem Statement:** Ranger service tag import request may fail if 
RangerServiceResource objects of ServiceTags objects do not have ranger 
service name attribute values. 

**Proposed Solution** 
1) Use the service name available in the parent object (Servicetag object).
2) Do not prune the service name field while populating the RangerServiceResource 
objects of the ServiceTag object.
3) If the guid is missing or the service resource is not found based on guid, then try 
to find it based on the resource signature value. If it does not exist, then do the create 
operation.


Diffs
-

  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerServiceTagsDeltaUtil.java
 76d5fd989 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java 
3897f48e2 


Diff: https://reviews.apache.org/r/73882/diff/1/


Testing
---

Tested the patch and was able to import ServiceTags even if the ServiceTags JSON does 
not have service names in RangerServiceResource objects.


Thanks,

Pradeep Agrawal



[jira] [Commented] (RANGER-3010) Rest API 'addUsersAndGroups' issue

2022-03-02 Thread Nixon Rodrigues (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17500134#comment-17500134
 ] 

Nixon Rodrigues commented on RANGER-3010:
-

[~Leo Pard] Where is the patch? Can you contribute it back and upload it here if it is 
possible?

> Rest API 'addUsersAndGroups' issue
> --
>
> Key: RANGER-3010
> URL: https://issues.apache.org/jira/browse/RANGER-3010
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: leo sun
>Priority: Major
>
> I want to use Ranger API functions - addUsersAndGroups & removeUsersAndGroups 
> to manage users and groups of a role. But the official reference doesn't have 
> a suitable example for these two APIs, and all my attempts failed.
> Another point: For example, I found the input type of addUsersAndGroups is 
> Boolean on the official website, but the input of the implementing function is two 
> string lists and one boolean.
> I don't know how to use it. Could you help me with this? [~abhayk]



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Commented] (RANGER-3010) Rest API 'addUsersAndGroups' issue

2022-03-02 Thread leo sun (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17500122#comment-17500122
 ] 

leo sun commented on RANGER-3010:
-

This API indeed has some logical mistakes, I think. I have added a patch on this 
part which can make it work.

> Rest API 'addUsersAndGroups' issue
> --
>
> Key: RANGER-3010
> URL: https://issues.apache.org/jira/browse/RANGER-3010
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: leo sun
>Priority: Major
>
> I want to use Ranger API functions - addUsersAndGroups & removeUsersAndGroups 
> to manage users and groups of a role. But the official reference doesn't have 
> a suitable example for these two APIs, and all my attempts failed.
> Another point: For example, I found the input type of addUsersAndGroups is 
> Boolean on the official website, but the input of the implementing function is two 
> string lists and one boolean.
> I don't know how to use it. Could you help me with this? [~abhayk]



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Commented] (RANGER-3619) REST API should return 403 when authenticated client is not allowed to access API.

2022-03-02 Thread kirby zhou (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3619?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17500115#comment-17500115
 ] 

kirby zhou commented on RANGER-3619:


[https://reviews.apache.org/r/73881/]

 

> REST API should return 403 when authenticated client is not allowed to access 
> API.
> --
>
> Key: RANGER-3619
> URL: https://issues.apache.org/jira/browse/RANGER-3619
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 3.0.0, 2.2.0
>Reporter: kirby zhou
>Priority: Major
>
> REST API should return 403-Forbidden when an authenticated client is not allowed 
> to access the API, to avoid crashing Ranger clients.
>  
> Now, some APIs return 401-Unauthorized instead of 403-Forbidden when the client 
> has already passed authentication but is not allowed to do something.
> In general, this will not cause any serious problems. However, there is a 
> flaw in the SPNEGO protocol implementation of Java HTTPUrlConnection. It 
> causes the client to throw an unexpected exception. This will trouble the 
> operators and developers.
>  
> Let me show you how it happens:
>  
> For example:
>  
> The RangerAdminClient inside KMS wants to access the API 
> "/service/secure/policies/download", but the principal is not in the 
> allowlist.
>  
>  # RangerAdminClient is based on Jersey-Client.
>  # JerseyClient sends an HTTP request to Ranger Service without authentication 
> information.
>  # Tomcat/Spring inside Ranger returns 401 with HTTP header 
> “WWW-Authentication: Negotiate”.
>  # JerseyClient sends the request again with Kerberos/SPNEGO authentication 
> tokens.
>  # Tomcat/Spring inside Ranger accepts the authentication, then calls 
> ServiceRest::getSecureServicePoliciesIfUpdated to answer the API call.
>  # ServiceRest::getSecureServicePoliciesIfUpdated checks the allowlist of “kms 
> service”, and refuses the client with 401.
>  # Tomcat/Spring inside Ranger returns 401 with HTTP header 
> “WWW-Authentication: Negotiate….” to notify RangerAdminClient that the 
> authentication has passed.
>  
> Now, there is a malformed state. The HTTP status code tells the client that authentication 
> failed, but the HTTP header tells the client that authentication passed.
>  
> On the RangerAdminClient side, 
>  
>  # sun.net.www.protocol.http.HttpURLConnection.getInputStream0() sees the 
> second 401.
>  # 'inNegotiate' = true, so it is in the process of _Negotiate._
>  # It checks that: if "WWW-Authenticate: Negotiate" exists, then disable 
> negotiate for the following code to avoid trying {_}Negotiate once again{_}.
>  # But "WWW-Authenticate: Negotiate xczsd324…" does not match the rule above.
>  # So HttpURLConnection calls AuthenticationInfo.sendHeaders to generate a 
> new request header.
>  # Wow, a null exception happens.
>  # Logs "ERROR RangerAdminRESTClient - Error getting policies; Received NULL 
> response!!. secureMode=true, user=… (auth:KERBEROS), serviceName=kmsdev"
>  # Log of KMS: "ERROR RangerAdminRESTClient - Failed to get response, Error 
> is : java.lang.RuntimeException: java.lang.NullPointerException"
>  
> This log makes the admin confused.
>  
>  
> {code:java}
> // ServiceRest::getServicePoliciesIfUpdated
> if (isAllowed) {
>     //...
> } else {
>     httpCode = HttpServletResponse.SC_UNAUTHORIZED;
> }
> {code}
> {code:java}
> // sun.net.www.protocol.http.HttpURLConnection.getInputStream0()
> // Read comments labeled "Failed Negotiate" for details.
> boolean dontUseNegotiate = false;
> Iterator<String> iter = responses.multiValueIterator("WWW-Authenticate");
> while (iter.hasNext()) {
>     String value = iter.next().trim();
>     if (value.equalsIgnoreCase("Negotiate") ||
>             value.equalsIgnoreCase("Kerberos")) {
>         if (!inNegotiate) {
>             inNegotiate = true;
>         } else {
>             dontUseNegotiate = true;
>             doingNTLM2ndStage = false;
>             serverAuthentication = null;
>         }
>         break;
>     }
> }
> /**
>  * Failed Negotiate
>  *
>  * In some cases, the Negotiate auth is supported for the
>  * remote host but the negotiate process still fails (For
>  * example, if the web page is located on a backend server
>  * and delegation is needed but fails). The authentication
>  * process will start again, and we need to detect this
>  * kind of failure and do proper fallback (say, to NTLM).
>  *
>  * In order to achieve this, the inNegotiate flag is set
>  * when the first negotiate challenge is met (and reset
>  * if authentication is finished). If a fresh new negotiate
>  * challenge (no parameter) is found while inNegotiate is
>  * set, we know there's a failed auth attempt recently.
>  * Here we'll ignore the header line so that fallback
>  * can be practiced.
>  *
>  * inNegotiateProxy is for proxy authentication.
>  */
> {code}
>  
>  
>  
>  




Review Request 73881: RANGER-3619: REST API returns 403 when authed user has no permission.

2022-03-02 Thread Kirby Zhou

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73881/
---

Review request for ranger.


Bugs: RANGER-3619
https://issues.apache.org/jira/browse/RANGER-3619


Repository: ranger


Description
---

REST API should return 403-Forbidden when authenticated client is not allowed 
to access API, to avoid crashing Ranger clients.

Now, some APIs return 401-Unauthorized instead of 403-Forbidden when the client 
has already passed authentication but is not allowed to do something.
In general, this will not cause any serious problems. However, there is a flaw 
in the SPNEGO protocol implementation of Java HttpURLConnection. It causes the 
client to throw an unexpected exception. This will trouble the operators and 
developers.
 
Let me show you how it happens:
 
For example:
 
The RangerAdminClient inside KMS wants to access API 
"/service/secure/policies/download", but the principal is not in the allowlist.

1. RangerAdminClient is based on Jersey-Client.
2. JerseyClient sends an HTTP request to Ranger Service without authentication 
information.
3. Tomcat/Spring inside Ranger returns 401 with HTTP header “WWW-Authenticate: 
Negotiate”.
4. JerseyClient sends the request again with Kerberos/SPNEGO authentication 
tokens.
5. Tomcat/Spring inside Ranger accepts the authentication, then calls 
ServiceRest::getSecureServicePoliciesIfUpdated to answer the API call.
6. ServiceRest::getSecureServicePoliciesIfUpdated checks the allowlist of “kms 
service”, and refuses the client with 401.
7. Tomcat/Spring inside Ranger returns 401 with HTTP header “WWW-Authenticate: 
Negotiate….” to notify RangerAdminClient that the authentication has passed.

Now there is a malformed state: the HTTP status code tells the client that 
authentication failed, but the HTTP header tells the client that 
authentication passed.

On the RangerAdminClient side, 

1. sun.net.www.protocol.http.HttpURLConnection.getInputStream0() sees the 
second 401.
2. 'inNegotiate' = true, so it is in the progress of Negotiate.
3. It checks: if "WWW-Authenticate: Negotiate" exists, then disable negotiate 
for the following code to avoid trying Negotiate once again.
4. But "WWW-Authenticate: Negotiate xczsd324…" does not match the rule above.
5. So HttpURLConnection calls AuthenticationInfo.sendHeaders to generate a new 
request header.
6. Wow, Null exception happens.
7. Logs "ERROR RangerAdminRESTClient - Error getting policies; Received NULL 
response!!. secureMode=true, user=… (auth:KERBEROS), serviceName=kmsdev"
8. Log of KMS: "ERROR RangerAdminRESTClient - Failed to get response, Error is : 
java.lang.RuntimeException: java.lang.NullPointerException"

This log confuses the admin.


Diffs
-

  security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 
1ec1df0a3d09577c52e503532d5aea87ad6cd72d 
  security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java 
935435044624a38ce7b0b9c7401e3f3dbacc0f65 
  security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 
8109968e4d55de9e7875fb56590e50522fba32cb 
  security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java 
e3cdef1c2ba6411cf4d4a26cd49e56e9017f3e93 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
098188e3b9f1f837727c7d279a4fab1f0aa84e34 
  security-admin/src/main/java/org/apache/ranger/rest/TagREST.java 
10f91e037180a50287b8d0b0fa0ea3eec0d7f415 
  security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 
451805321d050dda06a0f2b66a9b945411632e2f 
  
security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
 5d7cbdc679c010a7b88c85324e6f9912cba29fe6 
  
security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
 223a991c76bae7d25f5ce89604d0a8a90d426fe5 


Diff: https://reviews.apache.org/r/73881/diff/1/


Testing
---


Thanks,

Kirby Zhou
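

The exchange described in this review request, as an added example that is not part of the original message or of the Ranger or JDK sources: a simplified Java model in which the client applies the same bare-"Negotiate" test as the getInputStream0() loop quoted in RANGER-3619, run against a server that answers an authenticated-but-denied request with 401 and one that answers with 403. The Server class, the Outcome names, the principal names and the token value are constructed for illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;

/** Simplified model of the 401-vs-403 exchange; not Ranger or JDK code. */
public class NegotiateStatusDemo {

    /** Minimal response: status code plus its WWW-Authenticate header values. */
    static final class Response {
        final int status;
        final List<String> wwwAuthenticate;

        Response(int status, String... wwwAuthenticate) {
            this.status = status;
            this.wwwAuthenticate = Arrays.asList(wwwAuthenticate);
        }
    }

    /** Hypothetical server: SPNEGO accepts any token, then an allowlist check runs. */
    static final class Server {
        final Set<String> allowlist;
        final int denyStatus; // 401 = behaviour described in the issue, 403 = proposed

        Server(Set<String> allowlist, int denyStatus) {
            this.allowlist = allowlist;
            this.denyStatus = denyStatus;
        }

        Response handle(String principal, boolean hasToken) {
            if (!hasToken) {
                return new Response(401, "Negotiate");   // fresh, parameterless challenge
            }
            String done = "Negotiate c2FtcGxl";          // constructed final server token
            if (allowlist.contains(principal)) {
                return new Response(200, done);
            }
            return new Response(denyStatus, done);       // authenticated but not allowed
        }
    }

    enum Outcome { OK, FORBIDDEN, NEGOTIATE_FAILED, INCONSISTENT_401 }

    /** Same test as the quoted loop: only a challenge without a parameter counts. */
    static boolean isFreshChallenge(String value) {
        String v = value.trim();
        return v.equalsIgnoreCase("Negotiate") || v.equalsIgnoreCase("Kerberos");
    }

    /** Client side: one unauthenticated attempt, then one attempt with a token. */
    static Outcome call(Server server, String principal) {
        boolean inNegotiate = false;
        boolean hasToken = false;
        for (int attempt = 0; attempt < 2; attempt++) {
            Response r = server.handle(principal, hasToken);
            if (r.status == 200) {
                return Outcome.OK;
            }
            if (r.status == 403) {
                return Outcome.FORBIDDEN;                // clear, actionable answer
            }
            // Status 401: apply the flag handling of the quoted loop.
            boolean dontUseNegotiate = false;
            for (String value : r.wwwAuthenticate) {
                if (isFreshChallenge(value)) {
                    if (!inNegotiate) {
                        inNegotiate = true;
                    } else {
                        dontUseNegotiate = true;
                    }
                    break;
                }
            }
            if (dontUseNegotiate) {
                return Outcome.NEGOTIATE_FAILED;         // the case the JDK comment covers
            }
            if (hasToken) {
                // 401 plus "Negotiate <token>": the status says failure, the header says
                // success, and the fresh-challenge test did not match. This is the state
                // in which the issue reports the NullPointerException.
                return Outcome.INCONSISTENT_401;
            }
            hasToken = true;                             // retry with a SPNEGO token
        }
        return Outcome.INCONSISTENT_401;
    }

    public static void main(String[] args) {
        Set<String> allowlist = Collections.singleton("rangerlookup"); // constructed
        Server denyWith401 = new Server(allowlist, 401);
        Server denyWith403 = new Server(allowlist, 403);

        System.out.println("deny=401, principal kms:          " + call(denyWith401, "kms"));
        System.out.println("deny=403, principal kms:          " + call(denyWith403, "kms"));
        System.out.println("deny=403, principal rangerlookup: " + call(denyWith403, "rangerlookup"));
    }
}
```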



Re: Review Request 73854: RANGER-3629 : Handle solr permissions during upgrade

2022-03-02 Thread bhavik patel

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73854/#review224113
---


Ship it!




Ship It!

- bhavik patel


On Feb. 22, 2022, 4:22 p.m., Mateen Mansoori wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73854/
> ---
> 
> (Updated Feb. 22, 2022, 4:22 p.m.)
> 
> 
> Review request for ranger, Jayendra Parab, Mehul Parikh, Sailaja Polavarapu, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3629
> https://issues.apache.org/jira/browse/RANGER-3629
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Handling permissions during upgrades
> Since we are moving to a finer grained privilege model, a 100% mapping will 
> likely not be possible.
> 
> When a user has solr_admin access type privileges on all collections (*), we 
> are mapping it to:
> - admin=*->(QUERY and UPDATE)
> - collection=*->(QUERY and UPDATE)
> - schemas=*->(QUERY and UPDATE)
> - configs=*->(QUERY and UPDATE)
> 
> When a user has solr_admin access type on a particular collection 
> collection_name, we are mapping it to
> - collection=collection_name->(QUERY and UPDATE)
> - schemas=collection_name->(QUERY and UPDATE)
> 
> One should verify their permissions after the upgrade.
> 
> 
> Diffs
> -
> 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 
> b603f96cd 
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 
> c111a28f6 
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 
> 854a2c676 
>   
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
>  b45eace3b 
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 
> adec99857 
>   
> security-admin/src/main/java/org/apache/ranger/patch/PatchForSolrSvcDefAndPoliciesUpdate_J10055.java
>  PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/73854/diff/1/
> 
> 
> Testing
> ---
> 
> Verified upgrade on local/cluster - policies are getting migrated as per 
> description.
> 
> 
> Thanks,
> 
> Mateen Mansoori
> 
>



Re: Review Request 73853: RANGER-3628 : Support fine grain authorization for different solr objects

2022-03-02 Thread bhavik patel

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73853/#review224112
---




plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java
Lines 651 (patched)


Is this intentional?



plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/SolrAuthzUtil.java
Lines 66 (patched)


Remove the condition and use the placeholder in debug logger.


- bhavik patel


On Feb. 25, 2022, 7:09 a.m., Mateen Mansoori wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73853/
> ---
> 
> (Updated Feb. 25, 2022, 7:09 a.m.)
> 
> 
> Review request for ranger, Mehul Parikh, Sailaja Polavarapu, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-3628
> https://issues.apache.org/jira/browse/RANGER-3628
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Modifying ranger solr plugin to allow granting the following privileges:
> 
> - QUERY - read only privilege on an object
> - UPDATE - write only privilege on an object
> - All - read and write access
> 
> Privileges can be defined on the following objects:
> 
> - admin
> - collections
> - cores
> - metrics
> - autoscaling
> - security
> - collection
> - config
> - schema
> 
> 
> Diffs
> -
> 
>   agents-common/src/main/resources/service-defs/ranger-servicedef-solr.json 
> dfaa2f701 
>   
> plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuditHandler.java
>  359211cb2 
>   
> plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java
>  d4dd7b0ec 
>   
> plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/SolrAuthzUtil.java
>  PRE-CREATION 
>   
> plugin-solr/src/main/java/org/apache/ranger/services/solr/RangerServiceSolr.java
>  97909ae54 
>   
> plugin-solr/src/main/java/org/apache/ranger/services/solr/RangerSolrConstants.java
>  PRE-CREATION 
>   
> plugin-solr/src/main/java/org/apache/ranger/services/solr/client/ServiceSolrClient.java
>  5f7b9b924 
>   
> ranger-solr-plugin-shim/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java
>  3a10bc2af 
> 
> 
> Diff: https://reviews.apache.org/r/73853/diff/2/
> 
> 
> Testing
> ---
> 
> Tested on cluster by covering test cases as per new implementation.
> 
> 
> Thanks,
> 
> Mateen Mansoori
> 
>



Re: Review Request 73879: RANGER-3650: fix unit test of blockAuditorRoleUser

2022-03-02 Thread bhavik patel

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73879/#review224111
---


Ship it!




Ship It!

- bhavik patel


On March 2, 2022, 10:32 a.m., Kirby Zhou wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73879/
> ---
> 
> (Updated March 2, 2022, 10:32 a.m.)
> 
> 
> Review request for ranger.
> 
> 
> Bugs: RANGER-3650
> https://issues.apache.org/jira/browse/RANGER-3650
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> The old commit is buggy and meaningless.
>  
> * testBlockAuditorRoleUserThrowsErrorForAuditKeyAdmin
> * testBlockAuditorRoleUserThrowsErrorForAuditUserAdmin
> * testBlockAuditorRoleUserSuccess
> 
> The 3 tests should test the behavior of RangerBizUtil::blockAuditorRoleUser.
> But it constructs a mocked RangerBizUtil, and stubs blockAuditorRoleUser. The 
> real RangerBizUtil::blockAuditorRoleUser is never being tested.
> 
> These @Mock annotated class members are invalid.
> 
> * currentUserSession
> * vXResponse 
> * context
> * contextUtil
> 
> These members are not members of RangerBizUtil, so they cannot be injected 
> into rangerBizUtil; we should not use them as class members.
> 
> 
> Diffs
> -
> 
>   security-admin/src/test/java/org/apache/ranger/biz/TestRangerBizUtil.java 
> 22e290a666deaac42fc0106302abd151e135bd47 
> 
> 
> Diff: https://reviews.apache.org/r/73879/diff/2/
> 
> 
> Testing
> ---
> 
> mvn test
> 
> 
> Thanks,
> 
> Kirby Zhou
> 
>



[jira] [Commented] (RANGER-3231) Ranger should use kafka Authorizer from KIP-504

2022-03-02 Thread Andras Katona (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17500088#comment-17500088
 ] 

Andras Katona commented on RANGER-3231:
---

I've prepared a reviewboard request: https://reviews.apache.org/r/73880/, which 
is practically the same as the above mentioned PR 
(https://github.com/apache/ranger/pull/133).

It differs from the previous patch:
* start method is implemented too, as AclAuthorizer does in Kafka 
(https://github.com/apache/kafka/blob/f089bea7ed9fee2bad7084e6b40561ff6935ce5f/core/src/main/scala/kafka/security/authorizer/AclAuthorizer.scala#L194-L195)
* unsupported methods in Ranger-Kafka plugin are throwing/wrapping 
UnsupportedOperationException instead of returning empty
* calling the base-ranger plugin isAccessAllowed method with a list of requests 
instead of one-by-one - to support bulk-like authorization better


> Ranger should use kafka Authorizer from KIP-504
> ---
>
> Key: RANGER-3231
> URL: https://issues.apache.org/jira/browse/RANGER-3231
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Reporter: Ismael Juma
>Assignee: Chia-Ping Tsai
>Priority: Major
>  Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> As described in the KIP, `org.apache.kafka.server.authorizer.Authorizer` is 
> an improvement over `kafka.security.auth.Authorizer` and it's a pure Java 
> interface (instead of Scala).
> `kafka.security.auth.Authorizer` has been deprecated since December 2019 and 
> it will be removed in Apache Kafka 3.0 (roughly planned for July/August).
> See the KIP for more details:
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-504+-+Add+new+Java+Authorizer+Interface





[jira] [Assigned] (RANGER-3231) Ranger should use kafka Authorizer from KIP-504

2022-03-02 Thread Andras Katona (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3231?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andras Katona reassigned RANGER-3231:
-

Assignee: Andras Katona  (was: Chia-Ping Tsai)

> Ranger should use kafka Authorizer from KIP-504
> ---
>
> Key: RANGER-3231
> URL: https://issues.apache.org/jira/browse/RANGER-3231
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Reporter: Ismael Juma
>Assignee: Andras Katona
>Priority: Major
>  Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> As described in the KIP, `org.apache.kafka.server.authorizer.Authorizer` is 
> an improvement over `kafka.security.auth.Authorizer` and it's a pure Java 
> interface (instead of Scala).
> `kafka.security.auth.Authorizer` has been deprecated since December 2019 and 
> it will be removed in Apache Kafka 3.0 (roughly planned for July/August).
> See the KIP for more details:
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-504+-+Add+new+Java+Authorizer+Interface





Review Request 73880: RANGER-3231: Ranger-Kafka-Plugin implementing Kafka Authorizer from KIP-504

2022-03-02 Thread Andras Katona via Review Board

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73880/
---

Review request for ranger and Ramesh Mani.


Bugs: RANGER-3231
https://issues.apache.org/jira/browse/RANGER-3231


Repository: ranger


Description
---

kafka.security.auth.Authorizer has been deprecated since December 2019, and
it's removed in Apache Kafka 3.0


Diffs
-

  plugin-kafka/pom.xml d95f591fe 
  
plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
 97a2f2ec7 
  ranger-kafka-plugin-shim/pom.xml 3264138a8 
  
ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
 b84b765c2 


Diff: https://reviews.apache.org/r/73880/diff/1/


Testing
---

unit tests executed via maven

related PR: https://github.com/apache/ranger/pull/133 - currently executing 
checks, last time failed with unrelated compile error: missing dependency


Thanks,

Andras Katona



[GitHub] [ranger] akatona84 commented on pull request #133: RANGER-3231: Ranger-Kafka-Plugin implementing Kafka Authorizer from KIP-504

2022-03-02 Thread GitBox


akatona84 commented on pull request #133:
URL: https://github.com/apache/ranger/pull/133#issuecomment-1056837821


   Thank you, @urbandan . Now I'm going to just rebase to see if the checks 
would work (some snapshot dependency was not available)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@ranger.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org




[jira] [Commented] (RANGER-3010) Rest API 'addUsersAndGroups' issue

2022-03-02 Thread Nixon Rodrigues (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17500072#comment-17500072
 ] 

Nixon Rodrigues commented on RANGER-3010:
-

[~kulkabhay] 

Facing similar issue.
Can you please guide how to send payload to API 
/roles/{id}/addUsersAndGroups ?

cc : [~bhavikpatel], [~madhan]

> Rest API 'addUsersAndGroups' issue
> --
>
> Key: RANGER-3010
> URL: https://issues.apache.org/jira/browse/RANGER-3010
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: leo sun
>Priority: Major
>
> I want to use Ranger API functions - addUsersAndGroups & removeUsersAndGroups 
> to manage users and groups of role. But official reference don't have 
> suitable example for these two APIs. And my all attempts failed.
> Another point: For example, I found the input type of addUsersAndGroups is 
> Boolean on official web, but the input of the implement function is two 
> string list and one boolean.
> I don't know how to use it. Could you help me with this? [~abhayk]





[GitHub] [ranger] urbandan commented on a change in pull request #133: RANGER-3231: Ranger-Kafka-Plugin implementing Kafka Authorizer from KIP-504

2022-03-02 Thread GitBox


urbandan commented on a change in pull request #133:
URL: https://github.com/apache/ranger/pull/133#discussion_r817599735



##
File path: 
ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
##
@@ -19,272 +19,200 @@
 
 package org.apache.ranger.authorization.kafka.authorizer;
 
+import java.io.IOException;
+import java.util.List;
 import java.util.Map;
-
+import java.util.concurrent.CompletionStage;
+
+import org.apache.kafka.common.Endpoint;
+import org.apache.kafka.common.acl.AclBinding;
+import org.apache.kafka.common.acl.AclBindingFilter;
+import org.apache.kafka.server.authorizer.AclCreateResult;
+import org.apache.kafka.server.authorizer.AclDeleteResult;
+import org.apache.kafka.server.authorizer.Action;
+import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
+import org.apache.kafka.server.authorizer.AuthorizationResult;
+import org.apache.kafka.server.authorizer.Authorizer;
+import org.apache.kafka.server.authorizer.AuthorizerServerInfo;
 import org.apache.ranger.plugin.classloader.RangerPluginClassLoader;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import scala.collection.immutable.Set;
-import kafka.network.RequestChannel.Session;
-import kafka.security.auth.Acl;
-import kafka.security.auth.Authorizer;
-import org.apache.kafka.common.security.auth.KafkaPrincipal;
-import kafka.security.auth.Operation;
-import kafka.security.auth.Resource;
+public class RangerKafkaAuthorizer implements Authorizer {
+  private static final Logger logger = 
LoggerFactory.getLogger(RangerKafkaAuthorizer.class);
+
+  private static final String RANGER_PLUGIN_TYPE = "kafka";
+  private static final String RANGER_KAFKA_AUTHORIZER_IMPL_CLASSNAME = 
"org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer";
 
+  private Authorizer rangerKafkaAuthorizerImpl = null;
+  private RangerPluginClassLoader rangerPluginClassLoader = null;
 
-//public class RangerKafkaAuthorizer extends Authorizer {
-public class RangerKafkaAuthorizer implements Authorizer {
-   private static final Logger LOG  = 
LoggerFactory.getLogger(RangerKafkaAuthorizer.class);
-
-   private static final String   RANGER_PLUGIN_TYPE  = 
"kafka";
-   private static final String   RANGER_KAFKA_AUTHORIZER_IMPL_CLASSNAME  = 
"org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer";
-
-   private Authorizer  rangerKakfaAuthorizerImpl = null;
-   private RangerPluginClassLoader rangerPluginClassLoader   = null;
-   
-   public RangerKafkaAuthorizer() {
-   if(LOG.isDebugEnabled()) {
-   LOG.debug("==> 
RangerKafkaAuthorizer.RangerKafkaAuthorizer()");
-   }
-
-   this.init();
-
-   if(LOG.isDebugEnabled()) {
-   LOG.debug("<== 
RangerKafkaAuthorizer.RangerKafkaAuthorizer()");
-   }
-   }
-   
-   private void init(){
-   if(LOG.isDebugEnabled()) {
-   LOG.debug("==> RangerKafkaAuthorizer.init()");
-   }
-
-   try {
-   
-   rangerPluginClassLoader = 
RangerPluginClassLoader.getInstance(RANGER_PLUGIN_TYPE, this.getClass());
-   
-   @SuppressWarnings("unchecked")
-   Class cls = (Class) 
Class.forName(RANGER_KAFKA_AUTHORIZER_IMPL_CLASSNAME, true, 
rangerPluginClassLoader);
-
-   activatePluginClassLoader();
-
-   rangerKakfaAuthorizerImpl = cls.newInstance();
-   } catch (Exception e) {
-   // check what need to be done
-   LOG.error("Error Enabling RangerKafkaPlugin", e);
-   } finally {
-   deactivatePluginClassLoader();
-   }
-
-   if(LOG.isDebugEnabled()) {
-   LOG.debug("<== RangerKafkaAuthorizer.init()");
-   }
-   }
-
-   @Override
-   public void configure(Map configs) {
-   if(LOG.isDebugEnabled()) {
-   LOG.debug("==> 
RangerKafkaAuthorizer.configure(Map)");
-   }
-
-   try {
-   activatePluginClassLoader();
-
-   rangerKakfaAuthorizerImpl.configure(configs);
-   } finally {
-   deactivatePluginClassLoader();
-   }
-
-   if(LOG.isDebugEnabled()) {
-   LOG.debug("<== 
RangerKafkaAuthorizer.configure(Map)");
-   }
-   }
-
-   @Override
-   public void close() {
-   if(LOG.isDebugEnabled()) {
-   LOG.debug("==> RangerKafkaAuthorizer.close()");
-   }
-
-   try {
-   activatePluginClassLoader();
-   
-  
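
Review bot: in the new field declarations at the top of the class, the static final logger is renamed from `LOG` to `logger` and the file moves from the old aligned declarations to two-space indentation, so the hunk becomes a whole-file rewrite (`-19,272 +19,200`) in which the real change, the move from `kafka.security.auth.Authorizer` to `org.apache.kafka.server.authorizer.Authorizer`, is hard to isolate. Keeping `LOG` and the existing formatting, or splitting the reformat into its own commit, would make the interface change reviewable line by line. The removed `init()` caught every exception, logged "Error Enabling RangerKafkaPlugin" and left the delegate null, so the following `configure()` call would dereference it; the replacement is not visible in this excerpt, so it is worth confirming that a failed load of `RANGER_KAFKA_AUTHORIZER_IMPL_CLASSNAME` stops the authorizer from starting instead of surfacing later as a NullPointerException.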

[jira] [Updated] (RANGER-3600) Ranger service tags import request failure

2022-03-02 Thread Pradeep Agrawal (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3600?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pradeep Agrawal updated RANGER-3600:

Description: Ranger service tag import request may fail if 
RangerServiceResource objects of ServiceTags objects do not have ranger 
service name attribute values. 

> Ranger service tags import request failure
> --
>
> Key: RANGER-3600
> URL: https://issues.apache.org/jira/browse/RANGER-3600
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Pradeep Agrawal
>Assignee: Pradeep Agrawal
>Priority: Major
> Fix For: 3.0.0
>
>
> Ranger service tag import request may fail if RangerServiceResource objects 
> of ServiceTags objects do not have ranger service name attribute values. 





[jira] [Updated] (RANGER-3600) Ranger service tags import request failure

2022-03-02 Thread Pradeep Agrawal (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3600?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pradeep Agrawal updated RANGER-3600:

Summary: Ranger service tags import request failure  (was: Add fallback 
support in RangerPolicy)

> Ranger service tags import request failure
> --
>
> Key: RANGER-3600
> URL: https://issues.apache.org/jira/browse/RANGER-3600
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Pradeep Agrawal
>Assignee: Pradeep Agrawal
>Priority: Major
> Fix For: 3.0.0
>
>






Re: Review Request 73852: RANGER-3595, refactor the file layout of ranger-xxx-kms.tar.gz

2022-03-02 Thread bhavik patel

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73852/#review224110
---



Please rebase the patch and update the commit message format

- bhavik patel


On Feb. 16, 2022, 10:29 a.m., Kirby Zhou wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73852/
> ---
> 
> (Updated Feb. 16, 2022, 10:29 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, 
> Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen Mansoori, Mehul 
> Parikh, pengjianhua, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal 
> Suvagia, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-3595
> https://issues.apache.org/jira/browse/RANGER-3595
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> There are lots of .class files under ews/webapp/, and never used. 
> 
> 
> 1. place web.xml at correct location
> 2. setup.sh wants to patch hadoop-common.jar at runtime, it requires some file 
> inside ranger-kms.jar. But the patching of hadoop-common.jar is unnecessary. 
> 
> Regular webapp should have its own class files under 
> ews/webapp/WEB-INF/classes, and dependencies under ews/webapp/WEB-INF/lib, 
> and the Container should put its libraries under ews/lib. But currently, we 
> use directories such as ews/webapp/lib, ews/webapp/WEB-INF/classes/lib. It 
> looks dirty and ugly.
> 
> 
> My patch here makes KMS no longer bring ranger-kms.jar, and places classes and 
> web.xml at the correct location, as an alternative to 
> https://reviews.apache.org/r/73816/
> 
> 
> Now: 
> ews/lib contains ews bootstrap jars, 
> ews/webapp/WEB-INF/classes contains KMS app itself, 
> ews/webapp/WEB-INF/lib contains KMS dependencies,
> ews/webapp/WEB-INF/lib/ranger-kms-plugin-impl contains ranger-kms-plugin.
> 
> Additionally, kms/pom.xml even depends on original hadoop-kms, which can 
> confuse developers, so I removed it.
> 
> BTW: the bootstrap embedded server looks too heavy and has too many 
> dependencies.
> 
> 
> Diffs
> -
> 
>   distro/src/main/assembly/kms.xml 983a43e59 
>   kms/pom.xml 7a4f98df7 
>   kms/scripts/DBMK2HSM.sh 001199d97 
>   kms/scripts/DBMKTOAZUREKEYVAULT.sh cfe5a6b5e 
>   kms/scripts/DBMKTOKEYSECURE.sh c0aa6e58c 
>   kms/scripts/HSMMK2DB.sh 6c77f7340 
>   kms/scripts/KEYSECUREMKTOKMSDB.sh 340e05e2c 
>   kms/scripts/VerifyIsDBMasterkeyCorrect.sh 1c9a2e148 
>   kms/scripts/exportKeysToJCEKS.sh f3205789b 
>   kms/scripts/importJCEKSKeys.sh 5d4fe978f 
>   kms/scripts/ranger-kms 429a31e5a 
>   kms/scripts/setup.sh 2051df59a 
>   kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java 
> c899bdf98 
>   kms/src/main/resources/META-INF/context.xml  
>   kms/src/main/resources/WEB-INF/web.xml 5e2d489fe 
> 
> 
> Diff: https://reviews.apache.org/r/73852/diff/1/
> 
> 
> Testing
> ---
> 
> mvn clean package
> fresh install and upgrade from 2.2.0
> 
> 
> Thanks,
> 
> Kirby Zhou
> 
>



[jira] [Created] (RANGER-3650) unit test of blockAuditorRoleUser in RANGER-2095 commit is meaningless.

2022-03-02 Thread kirby zhou (Jira)
kirby zhou created RANGER-3650:
--

 Summary: unit test of blockAuditorRoleUser in RANGER-2095 commit 
is meaningless.
 Key: RANGER-3650
 URL: https://issues.apache.org/jira/browse/RANGER-3650
 Project: Ranger
  Issue Type: Bug
  Components: admin
Affects Versions: 3.0.0, 2.3.0
Reporter: kirby zhou


The old commit is buggy and meaningless.
 * testBlockAuditorRoleUserThrowsErrorForAuditKeyAdmin
 * testBlockAuditorRoleUserThrowsErrorForAuditUserAdmin
 * testBlockAuditorRoleUserSuccess

The 3 tests should test the behavior of RangerBizUtil::blockAuditorRoleUser.
But it constructs a mocked RangerBizUtil, and stubs blockAuditorRoleUser. The 
real RangerBizUtil::blockAuditorRoleUser is never being tested.

These @Mock annotated class members are invalid.
 * currentUserSession
 * vXResponse
 * context
 * contextUtil

These members are not members of RangerBizUtil, so they cannot be injected 
into rangerBizUtil; we should not use them as class members.

 

New Patch is here https://reviews.apache.org/r/73879/





[jira] [Commented] (RANGER-3632) Improve ranger logs, RENAME_ON_ROTATE and others

2022-03-02 Thread Bhavik Patel (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17500047#comment-17500047
 ] 

Bhavik Patel commented on RANGER-3632:
--

Please raise separate Review  Request for 2.3 branch.

> Improve ranger logs,  RENAME_ON_ROTATE and others
> -
>
> Key: RANGER-3632
> URL: https://issues.apache.org/jira/browse/RANGER-3632
> Project: Ranger
>  Issue Type: Improvement
>  Components: admin, kms
>Affects Versions: 3.0.0, 2.3.0
>Reporter: kirby zhou
>Assignee: kirby zhou
>Priority: Major
> Fix For: 3.0.0
>
>
> Currently, the filename of the access-log in use has a timestamp as the 
> suffix. This brings trouble to some log monitoring and analysis programs, 
> such as "tail -f access-log"
> Need to add an option to enable tomcat's RenameOnRotate capability to fix the 
> file name of access-log.
>  
> {code:java}
> // in EmbeddedServer::start()
> valve.setRenameOnRotate(
>     EmbeddedServerUtil.getConfig(ACCESS_LOG_RENAME_ON_ROTATE, false)
> );{code}
>  





[jira] [Commented] (RANGER-3632) Improve ranger logs, RENAME_ON_ROTATE and others

2022-03-02 Thread Bhavik Patel (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17500046#comment-17500046
 ] 

Bhavik Patel commented on RANGER-3632:
--

master branch commit link: 
https://github.com/apache/ranger/commit/438578d2d7eab0d7136149e24cb811bcb8cd0cf2

> Improve ranger logs,  RENAME_ON_ROTATE and others
> -
>
> Key: RANGER-3632
> URL: https://issues.apache.org/jira/browse/RANGER-3632
> Project: Ranger
>  Issue Type: Improvement
>  Components: admin, kms
>Affects Versions: 3.0.0, 2.3.0
>Reporter: kirby zhou
>Priority: Major
> Fix For: 3.0.0
>
>
> Currently, the filename of the access-log in use has a timestamp as the 
> suffix. This brings trouble to some log monitoring and analysis programs, 
> such as "tail -f access-log"
> Need to add an option to enable tomcat's RenameOnRotate capability to fix the 
> file name of access-log.
>  
> {code:java}
> // in EmbeddedServer::start()
> valve.setRenameOnRotate(
>     EmbeddedServerUtil.getConfig(ACCESS_LOG_RENAME_ON_ROTATE, false)
> );{code}
>  





[jira] [Assigned] (RANGER-3632) Improve ranger logs, RENAME_ON_ROTATE and others

2022-03-02 Thread Bhavik Patel (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bhavik Patel reassigned RANGER-3632:


Assignee: kirby zhou

> Improve ranger logs,  RENAME_ON_ROTATE and others
> -
>
> Key: RANGER-3632
> URL: https://issues.apache.org/jira/browse/RANGER-3632
> Project: Ranger
>  Issue Type: Improvement
>  Components: admin, kms
>Affects Versions: 3.0.0, 2.3.0
>Reporter: kirby zhou
>Assignee: kirby zhou
>Priority: Major
> Fix For: 3.0.0
>
>
> Currently, the filename of the access-log in use has a timestamp as the 
> suffix. This brings trouble to some log monitoring and analysis programs, 
> such as "tail -f access-log"
> Need to add an option to enable tomcat's RenameOnRotate capability to fix the 
> file name of access-log.
>  
> {code:java}
> // in EmbeddedServer::start()
> valve.setRenameOnRotate(
>     EmbeddedServerUtil.getConfig(ACCESS_LOG_RENAME_ON_ROTATE, false)
> );{code}
>  





[jira] [Updated] (RANGER-3632) Improve ranger logs, RENAME_ON_ROTATE and others

2022-03-02 Thread Bhavik Patel (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bhavik Patel updated RANGER-3632:
-
Fix Version/s: 3.0.0

> Improve ranger logs,  RENAME_ON_ROTATE and others
> -
>
> Key: RANGER-3632
> URL: https://issues.apache.org/jira/browse/RANGER-3632
> Project: Ranger
>  Issue Type: Improvement
>  Components: admin, kms
>Affects Versions: 3.0.0, 2.3.0
>Reporter: kirby zhou
>Priority: Major
> Fix For: 3.0.0
>
>
> Currently, the filename of the access-log in use has a timestamp as the 
> suffix. This brings trouble to some log monitoring and analysis programs, 
> such as "tail -f access-log"
> Need to add an option to enable tomcat's RenameOnRotate capability to fix the 
> file name of access-log.
>  
> {code:java}
> // in EmbeddedServer::start()
> valve.setRenameOnRotate(
>     EmbeddedServerUtil.getConfig(ACCESS_LOG_RENAME_ON_ROTATE, false)
> );{code}
>  





[jira] [Commented] (RANGER-3647) Connection to DB fails for MySQL version above 8.0

2022-03-02 Thread Bhavik Patel (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3647?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17500044#comment-17500044
 ] 

Bhavik Patel commented on RANGER-3647:
--

[~vishalsuvagia] Please add the error/exception in the Description 

> Connection to DB fails for MySQL version above 8.0
> --
>
> Key: RANGER-3647
> URL: https://issues.apache.org/jira/browse/RANGER-3647
> Project: Ranger
>  Issue Type: Improvement
>  Components: admin
>Affects Versions: 3.0.0
>Reporter: Vishal Suvagia
>Assignee: Vishal Suvagia
>Priority: Major
> Attachments: RANGER-3647.patch
>
>
> Observed that Ranger DB setup fails when using with MySQL version above 8.0.





[jira] [Resolved] (RANGER-2095) Add unit tests for new read only admin-auditor/kms-auditor roles functionality

2022-03-02 Thread Bhavik Patel (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2095?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bhavik Patel resolved RANGER-2095.
--
Resolution: Done

> Add unit tests for new read only admin-auditor/kms-auditor roles functionality
> --
>
> Key: RANGER-2095
> URL: https://issues.apache.org/jira/browse/RANGER-2095
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Bhavik Patel
>Assignee: Bhavik Patel
>Priority: Critical
> Fix For: 1.1.0
>
> Attachments: RANGER-2095-master.patch
>
>
> Add unit tests for new read only admin-auditor/kms-auditor roles functionality





[jira] [Commented] (RANGER-2095) Add unit tests for new read only admin-auditor/kms-auditor roles functionality

2022-03-02 Thread Bhavik Patel (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-2095?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17500042#comment-17500042
 ] 

Bhavik Patel commented on RANGER-2095:
--

Maybe the test code is not synced with the latest master branch.

Please create a separate Jira to fix the bug.

> Add unit tests for new read only admin-auditor/kms-auditor roles functionality
> --
>
> Key: RANGER-2095
> URL: https://issues.apache.org/jira/browse/RANGER-2095
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Bhavik Patel
>Assignee: Bhavik Patel
>Priority: Critical
> Fix For: 1.1.0
>
> Attachments: RANGER-2095-master.patch
>
>
> Add unit tests for new read only admin-auditor/kms-auditor roles functionality





[jira] [Commented] (RANGER-2095) Add unit tests for new read only admin-auditor/kms-auditor roles functionality

2022-03-02 Thread kirby zhou (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-2095?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17500034#comment-17500034
 ] 

kirby zhou commented on RANGER-2095:


[https://reviews.apache.org/r/73879/]

Please review it.

> Add unit tests for new read only admin-auditor/kms-auditor roles functionality
> --
>
> Key: RANGER-2095
> URL: https://issues.apache.org/jira/browse/RANGER-2095
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Bhavik Patel
>Assignee: Bhavik Patel
>Priority: Critical
> Fix For: 1.1.0
>
> Attachments: RANGER-2095-master.patch
>
>
> Add unit tests for new read only admin-auditor/kms-auditor roles functionality





Review Request 73879: RANGER-2095: unit test in old commit is meaningless, fixed here.

2022-03-02 Thread Kirby Zhou

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73879/
---

Review request for ranger.


Bugs: RANGER-2095
https://issues.apache.org/jira/browse/RANGER-2095


Repository: ranger


Description
---

The old commit is buggy and meaningless.
 
* testBlockAuditorRoleUserThrowsErrorForAuditKeyAdmin
* testBlockAuditorRoleUserThrowsErrorForAuditUserAdmin
* testBlockAuditorRoleUserSuccess

These 3 tests should test the behavior of RangerBizUtil::blockAuditorRoleUser.
But they construct a mocked RangerBizUtil and stub blockAuditorRoleUser. The 
real RangerBizUtil::blockAuditorRoleUser is never tested.

These @Mock annotated class members are invalid.

* currentUserSession
* vXResponse 
* context
* contextUtil

These are not members of RangerBizUtil, so they cannot be injected into 
rangerBizUtil; we should not use them as class members.


Diffs
-

  security-admin/src/test/java/org/apache/ranger/biz/TestRangerBizUtil.java 
22e290a666deaac42fc0106302abd151e135bd47 


Diff: https://reviews.apache.org/r/73879/diff/1/


Testing
---

mvn test


Thanks,

Kirby Zhou
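
The pitfall described in this review request, shown as an added example that is not part of the original message and is not Ranger's code. `BizUtil`, `Session` and `SessionSource` are hypothetical stand-ins for the classes named above; JUnit 4 and Mockito 2 or later are assumed.

```java
import static org.mockito.Mockito.*;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;

// Hypothetical stand-ins, not Ranger's classes.
interface Session { boolean isAuditKeyAdmin(); boolean isAuditUserAdmin(); }
interface SessionSource { Session current(); }

class BizUtil {
    SessionSource sessionSource;   // a real field, so @InjectMocks can fill it

    public void blockAuditorRoleUser() {
        Session s = sessionSource.current();
        if (s != null && (s.isAuditKeyAdmin() || s.isAuditUserAdmin())) {
            throw new SecurityException("read-only auditor role may not modify");
        }
    }
}

@RunWith(MockitoJUnitRunner.class)
public class BizUtilTest {
    @Mock SessionSource sessionSource;   // matches a field of BizUtil, so it is injected
    @InjectMocks BizUtil bizUtil;        // real instance under test

    // Anti-pattern: the class under test is itself a mock and the method is stubbed.
    // This test still passes if the role check in BizUtil is deleted.
    @Test(expected = SecurityException.class)
    public void hollowTestOnlyExercisesTheStub() {
        BizUtil mocked = mock(BizUtil.class);
        doThrow(new SecurityException()).when(mocked).blockAuditorRoleUser();
        mocked.blockAuditorRoleUser();
    }

    // The real method runs; only its collaborator is mocked.
    @Test(expected = SecurityException.class)
    public void auditKeyAdminIsBlocked() {
        Session s = mock(Session.class);
        when(s.isAuditKeyAdmin()).thenReturn(true);
        when(sessionSource.current()).thenReturn(s);
        bizUtil.blockAuditorRoleUser();
    }

    @Test
    public void ordinaryUserPasses() {
        Session s = mock(Session.class);   // both role checks default to false
        when(sessionSource.current()).thenReturn(s);
        bizUtil.blockAuditorRoleUser();    // must not throw
        verify(s).isAuditUserAdmin();      // proves the real check was evaluated
    }
}
```

A quick way to tell the two kinds of test apart is to delete the role check from `blockAuditorRoleUser`: the hollow test keeps passing, while `auditKeyAdminIsBlocked` fails.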



Re: Review Request 72024: RANGER-2704 : Support browser login using kerberized authentication.

2022-03-02 Thread Kirby Zhou


> On March 1, 2022, 3:25 a.m., Kirby Zhou wrote:
> > What will happen in the following situations?
> > 
> > 1. A kerberized browser with an unauthorized principal wants to log in to 
> > ranger by HTML form using another user/password.
> > 
> > 2. A kerberized browser with a different KDC wants to log in to ranger by 
> > HTML form using another user/password.
> 
> Vishal Suvagia wrote:
> Hi Kirby Zhou,
> There is a flag to enable/disable kerberos based authentication for 
> Ranger UI, it is disabled by default. If the kerberos auth is enabled by 
> setting the flag and any user wants to use user/password credentials to login 
> to Ranger UI it can be done by appending the "/locallogin" to the Ranger URL.
> For e.g : If url for Ranger UI is http://abc.cluster.com:6080 then the 
> local-login url will be http://abc.cluster.com:6080/locallogin
>   using this url, user can get the login page and enter the 
> required user/password credentials.

I know that if a browser without Kerberos tries to access a Kerberos-enabled 
Ranger UI, it will be forwarded to http://abc.cluster.com:6080/login.jsp

What I do not know is what will happen when a Kerberos-authenticated browser 
has its Kerberos ticket rejected by the Ranger UI in one of many ways.

Do I have to make my browser log out of Kerberos? Or do I have to add 
/locallogin by hand in the address bar?


- Kirby


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72024/#review224105
---


On Feb. 28, 2022, 7:35 p.m., Vishal Suvagia wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72024/
> ---
> 
> (Updated Feb. 28, 2022, 7:35 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, 
> Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan 
> Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2704
> https://issues.apache.org/jira/browse/RANGER-2704
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Need to support browser login using kerberos authentication. Added a logout 
> for an unauthenticated user to redirect to the login page.
> 
> 
> Diffs
> -
> 
>   
> security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
>  223a991c76bae7d25f5ce89604d0a8a90d426fe5 
>   
> security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
>  abbf2d983beb30b59e5d3f6429d6fc226f735793 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
> 0a1128613dca50fe67ea3f891261f1ee449c46db 
> 
> 
> Diff: https://reviews.apache.org/r/72024/diff/2/
> 
> 
> Testing
> ---
> 
> Verified kerberos ticket authentication is working on a kerberized browser.
> 
> 
> Steps to test for a kerberized browser:
> #1) For Kerberized browsers:
> #1> To open Chrome in kerberos enabled mode need to run below command:
>     google-chrome --auth-server-whitelist="*ranger.testserver.com"
> #2> For Firefox, need to go to about:configs and then search for 
> negotiate and then add the host domain
> ranger.testserver.com to the property 
> "network.negotiate-auth.trusted-uris"
> #2) Perform kinit with the required user.
> #3) Open the Ranger Admin portal using FQDN of the server host.
> 
> 
> File Attachments
> 
> 
> RANGER-2704.patch
>   
> https://reviews.apache.org/media/uploaded/files/2020/01/17/8c9682ca-1ade-4281-89e7-d43a8af09300__RANGER-2704.patch
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>



Re: Review Request 72024: RANGER-2704 : Support browser login using kerberized authentication.

2022-03-02 Thread Vishal Suvagia via Review Board


> On March 1, 2022, 3:25 a.m., Kirby Zhou wrote:
> > What will happen in the following situations?
> > 
> > 1. A kerberized browser with an unauthorized principal wants to log in to 
> > ranger by HTML form using another user/password.
> > 
> > 2. A kerberized browser with a different KDC wants to log in to ranger by 
> > HTML form using another user/password.

Hi Kirby Zhou,
There is a flag to enable/disable kerberos based authentication for Ranger UI, 
it is disabled by default. If the kerberos auth is enabled by setting the flag 
and any user wants to use user/password credentials to login to Ranger UI it 
can be done by appending the "/locallogin" to the Ranger URL.
For e.g : If url for Ranger UI is http://abc.cluster.com:6080 then the 
local-login url will be http://abc.cluster.com:6080/locallogin
  using this url, user can get the login page and enter the required 
user/password credentials.


- Vishal


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72024/#review224105
---


On Feb. 28, 2022, 7:35 p.m., Vishal Suvagia wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72024/
> ---
> 
> (Updated Feb. 28, 2022, 7:35 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, 
> Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan 
> Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2704
> https://issues.apache.org/jira/browse/RANGER-2704
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Need to support browser login using kerberos authentication. Added a logout 
> for an unauthenticated user to redirect to the login page.
> 
> 
> Diffs
> -
> 
>   
> security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
>  223a991c76bae7d25f5ce89604d0a8a90d426fe5 
>   
> security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
>  abbf2d983beb30b59e5d3f6429d6fc226f735793 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
> 0a1128613dca50fe67ea3f891261f1ee449c46db 
> 
> 
> Diff: https://reviews.apache.org/r/72024/diff/2/
> 
> 
> Testing
> ---
> 
> Verified kerberos ticket authentication is working on a kerberized browser.
> 
> 
> Steps to test for a kerberized browser:
> #1) For Kerberized browsers:
> #1> To open Chrome in kerberos enabled mode need to run below command:
>     google-chrome --auth-server-whitelist="*ranger.testserver.com"
> #2> For Firefox, need to go to about:configs and then search for 
> negotiate and then add the host domain
> ranger.testserver.com to the property 
> "network.negotiate-auth.trusted-uris"
> #2) Perform kinit with the required user.
> #3) Open the Ranger Admin portal using FQDN of the server host.
> 
> 
> File Attachments
> 
> 
> RANGER-2704.patch
>   
> https://reviews.apache.org/media/uploaded/files/2020/01/17/8c9682ca-1ade-4281-89e7-d43a8af09300__RANGER-2704.patch
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>



[jira] [Commented] (RANGER-2095) Add unit tests for new read only admin-auditor/kms-auditor roles functionality

2022-03-02 Thread kirby zhou (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-2095?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=1741#comment-1741
 ] 

kirby zhou commented on RANGER-2095:


Even the 2 class members are an invalid usage of @Mock.

currentUserSession and vXResponse are not members of RangerBizUtil, and cannot 
be injected.

 
{code:java}
@Mock
UserSessionBase currentUserSession;
@Mock
VXResponse vXResponse; {code}

> Add unit tests for new read only admin-auditor/kms-auditor roles functionality
> --
>
> Key: RANGER-2095
> URL: https://issues.apache.org/jira/browse/RANGER-2095
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Bhavik Patel
>Assignee: Bhavik Patel
>Priority: Critical
> Fix For: 1.1.0
>
> Attachments: RANGER-2095-master.patch
>
>
> Add unit tests for new read only admin-auditor/kms-auditor roles functionality





[jira] [Reopened] (RANGER-2095) Add unit tests for new read only admin-auditor/kms-auditor roles functionality

2022-03-02 Thread kirby zhou (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2095?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

kirby zhou reopened RANGER-2095:


The patch is buggy:

 
 * testBlockAuditorRoleUserThrowsErrorForAuditKeyAdmin
 * testBlockAuditorRoleUserThrowsErrorForAuditUserAdmin
 * testBlockAuditorRoleUserSuccess

These 3 tests should test the behavior of RangerBizUtil::blockAuditorRoleUser.

But they construct a mocked RangerBizUtil and stub blockAuditorRoleUser. The 
real RangerBizUtil::blockAuditorRoleUser is never executed.

> Add unit tests for new read only admin-auditor/kms-auditor roles functionality
> --
>
> Key: RANGER-2095
> URL: https://issues.apache.org/jira/browse/RANGER-2095
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Bhavik Patel
>Assignee: Bhavik Patel
>Priority: Critical
> Fix For: 1.1.0
>
> Attachments: RANGER-2095-master.patch
>
>
> Add unit tests for new read only admin-auditor/kms-auditor roles functionality


