Re: Review Request 73907: RANGER-3676: support {OWNER} macro in tag-based policies

[Ramesh Mani]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73907/#review224192
---


Ship it!




Ship It!

- Ramesh Mani


On March 21, 2022, 9:13 p.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73907/
> ---
> 
> (Updated March 21, 2022, 9:13 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Kishor Gollapalliwar, Abhay 
> Kulkarni, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and 
> Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3676
> https://issues.apache.org/jira/browse/RANGER-3676
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - updated to carry resource owner to tag-based policy evaluation as well
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
>  ebe85e9a2 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java
>  39e190ca4 
>   
> agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
>  fad08e7f9 
> 
> 
> Diff: https://reviews.apache.org/r/73907/diff/1/
> 
> 
> Testing
> ---
> 
> - added unit tests to cover use of {OWNER} in tag-based policies
> - verified that all existing unit tests pass successfully
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>

[jira] [Updated] (RANGER-3676) tag-based policies don't recognize {OWNER} in users as resource owners

[Madhan Neethiraj (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-3676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Madhan Neethiraj updated RANGER-3676:
-
Attachment: RANGER-3676.patch

> tag-based policies don't recognize {OWNER} in users as resource owners  
> 
>
> Key: RANGER-3676
> URL: https://issues.apache.org/jira/browse/RANGER-3676
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
>Reporter: Madhan Neethiraj
>Assignee: Madhan Neethiraj
>Priority: Major
> Attachments: RANGER-3676.patch
>
>
> Ranger policies allow setting up permissions for resource-owners by using 
> \{OWNER} as the username in policies. Currently this works only for 
> resource-based policies, and not for tag-based policies. Recognizing \{OWNER} 
> in tag-based policies can help address wider authorization needs, like:
> {noformat}
> tag:   SENSITIVE
> users: {OWNER}, groups: [ data-admins ]
> permissions:   [ select ]
> isDenyAllElse: true{noformat}
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Review Request 73907: RANGER-3676: support {OWNER} macro in tag-based policies

[Madhan Neethiraj]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73907/
---

Review request for ranger, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, 
Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-3676
https://issues.apache.org/jira/browse/RANGER-3676


Repository: ranger


Description
---

- updated to carry resource owner to tag-based policy evaluation as well


Diffs
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagAccessRequest.java
 ebe85e9a2 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerTagResource.java
 39e190ca4 
  
agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json
 fad08e7f9 


Diff: https://reviews.apache.org/r/73907/diff/1/


Testing
---

- added unit tests to cover use of {OWNER} in tag-based policies
- verified that all existing unit tests pass successfully


Thanks,

Madhan Neethiraj

[jira] [Created] (RANGER-3676) tag-based policies don't recognize {OWNER} in users as resource owners

[Madhan Neethiraj (Jira)]

Madhan Neethiraj created RANGER-3676:


 Summary: tag-based policies don't recognize {OWNER} in users as 
resource owners  
 Key: RANGER-3676
 URL: https://issues.apache.org/jira/browse/RANGER-3676
 Project: Ranger
  Issue Type: Bug
  Components: plugins
Reporter: Madhan Neethiraj
Assignee: Madhan Neethiraj


Ranger policies allow setting up permissions for resource-owners by using 
\{OWNER} as the username in policies. Currently this works only for 
resource-based policies, and not for tag-based policies. Recognizing \{OWNER} 
in tag-based policies can help address wider authorization needs, like:
{noformat}
tag:   SENSITIVE
users: {OWNER}, groups: [ data-admins ]
permissions:   [ select ]
isDenyAllElse: true{noformat}
 



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

[jira] [Updated] (RANGER-3673) Need to enable cipher configuration for Usersync

[Vishal Suvagia (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vishal Suvagia updated RANGER-3673:
---
Attachment: RANGER-3673.patch

> Need to enable cipher configuration  for Usersync
> -
>
> Key: RANGER-3673
> URL: https://issues.apache.org/jira/browse/RANGER-3673
> Project: Ranger
>  Issue Type: Improvement
>  Components: usersync
>Affects Versions: 3.0.0, 2.2.0
>Reporter: Vishal Suvagia
>Assignee: Vishal Suvagia
>Priority: Major
> Attachments: RANGER-3673.patch
>
>
> Ranger Usersync supports enabling for TLS, need to enable cipher suite 
> configuration for same.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

[jira] [Commented] (RANGER-3675) Upgrade tomcat due to intermittent READ TIMEOUT

[Kishor Gollapalliwar (Jira)]

[ 
https://issues.apache.org/jira/browse/RANGER-3675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17509917#comment-17509917
 ] 

Kishor Gollapalliwar commented on RANGER-3675:
--

RR: https://reviews.apache.org/r/73905/

> Upgrade tomcat due to intermittent READ TIMEOUT
> ---
>
> Key: RANGER-3675
> URL: https://issues.apache.org/jira/browse/RANGER-3675
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Kishor Gollapalliwar
>Assignee: Kishor Gollapalliwar
>Priority: Major
>
> There are intermittent READ-TIMEOUTs observed in tomcat 8.5.75 upgrade it to 
> 8.5.76



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

[jira] [Created] (RANGER-3675) Upgrade tomcat due to intermittent READ TIMEOUT

[Kishor Gollapalliwar (Jira)]

Kishor Gollapalliwar created RANGER-3675:


 Summary: Upgrade tomcat due to intermittent READ TIMEOUT
 Key: RANGER-3675
 URL: https://issues.apache.org/jira/browse/RANGER-3675
 Project: Ranger
  Issue Type: Improvement
  Components: Ranger
Reporter: Kishor Gollapalliwar
Assignee: Kishor Gollapalliwar


There are intermittent READ-TIMEOUTs observed in tomcat 8.5.75 upgrade it to 
8.5.76



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Re: Review Request 73903: RANGER-3667 : Improve feedback in policy creation UI when resource does not exist.

[Mehul Parikh]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73903/#review224189
---


Ship it!




Ship It!

- Mehul Parikh


On March 21, 2022, 11:58 a.m., Dhaval Rajpara wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73903/
> ---
> 
> (Updated March 21, 2022, 11:58 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Harshal Chavan, 
> Kishor Gollapalliwar, Mateen Mansoori, Mehul Parikh, Nitin Galave, Pradeep 
> Agrawal, Vishal Suvagia, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3667
> https://issues.apache.org/jira/browse/RANGER-3667
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> 1. In Ranger's policy creation UI, when a resource (e.g. Hive database or 
> table name) is entered in the Policy Details, the autocomplete feature will 
> proactively present a dropdown of possible matches to known resource names 
> pulled from the service, which the user can then select to populate the 
> fields in the policy. 
> 
> 
> 2. If there is only one match to an existing resource name, then only that 
> single name will be presented in the dropdown. 
> 
> 
> 3. If there are no matches, then the text already entered into the field will 
> be presented in the autocomplete dropdown. This behavior is exactly the same 
> as (2) whether the resource exists or not. 
> 
> 
> 4. While there are some use cases where a policy may need to be created prior 
> to creating the actual resource itself, there is no validation or feedback in 
> the UI to indicate if a resource name already exists. In the case of a simple 
> typo error, this lack of feedback can result in the creation of invalid 
> policies that are then difficult to isolate and fix. 
> 
> 
> This request is to include some additional feedback ("not found" message or 
> similar) in the UI, to indicate when a resource does not exist. This would 
> also assist in identifying communication issues between Ranger and the 
> backend services.
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/webapp/scripts/utils/XAUtils.js fa4916547 
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js 
> 5b3940a10 
>   
> security-admin/src/main/webapp/scripts/views/security_zone/ZoneResourceForm.js
>  68092fd62 
>   
> security-admin/src/main/webapp/scripts/views/service/ServiceAuditFilterResources.js
>  2cfdfd937 
>   security-admin/src/main/webapp/styles/xa.css ef3347be3 
> 
> 
> Diff: https://reviews.apache.org/r/73903/diff/2/
> 
> 
> Testing
> ---
> 
> checked resources in policy creation, zone creation, service creation page 
> and 
> All case "create" tag display while creating new option in select2 except 
> 1) Resource path field not display Create tag.
> 2) Policy resource with "validationRegEx" not display Create tag
> 
> 
> Thanks,
> 
> Dhaval Rajpara
> 
>

Re: Review Request 73878: RANGER-3647 : Connection to DB fails for MySQL version above 8.0

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73878/
---

(Updated March 21, 2022, 2:17 p.m.)


Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam 
Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, 
Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Request to kindly review the patch.


Bugs: RANGER-3647
https://issues.apache.org/jira/browse/RANGER-3647


Repository: ranger


Description
---

Observed that Ranger DB setup fails when using with MySQL version above 8.0.


Diffs
-

  security-admin/scripts/db_setup.py ad823b31012c6bee36c29e1f85adc747d4de02ac 
  security-admin/scripts/install.properties 
22868fa316a8b9a7da32218b0d0b5cf9c855ef9e 
  security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java 
b3c41a9d15b8bfe88bcc59e04917284a3fef6dc5 


Diff: https://reviews.apache.org/r/73878/diff/2/


Testing
---

Validated locally by setting up Ranger with available Mysql-8.0 release.


File Attachments


RANGER-3647-01.patch
  
https://reviews.apache.org/media/uploaded/files/2022/03/16/696cd10b-37c0-4caf-8d00-32d80770574c__RANGER-3647-01.patch


Thanks,

Vishal Suvagia

Re: Review Request 73903: RANGER-3667 : Improve feedback in policy creation UI when resource does not exist.

[Dhaval Rajpara]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73903/
---

(Updated March 21, 2022, 11:58 a.m.)


Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Harshal Chavan, 
Kishor Gollapalliwar, Mateen Mansoori, Mehul Parikh, Nitin Galave, Pradeep 
Agrawal, Vishal Suvagia, and Velmurugan Periasamy.


Bugs: RANGER-3667
https://issues.apache.org/jira/browse/RANGER-3667


Repository: ranger


Description
---

1. In Ranger's policy creation UI, when a resource (e.g. Hive database or table 
name) is entered in the Policy Details, the autocomplete feature will 
proactively present a dropdown of possible matches to known resource names 
pulled from the service, which the user can then select to populate the fields 
in the policy. 


2. If there is only one match to an existing resource name, then only that 
single name will be presented in the dropdown. 


3. If there are no matches, then the text already entered into the field will 
be presented in the autocomplete dropdown. This behavior is exactly the same as 
(2) whether the resource exists or not. 


4. While there are some use cases where a policy may need to be created prior 
to creating the actual resource itself, there is no validation or feedback in 
the UI to indicate if a resource name already exists. In the case of a simple 
typo error, this lack of feedback can result in the creation of invalid 
policies that are then difficult to isolate and fix. 


This request is to include some additional feedback ("not found" message or 
similar) in the UI, to indicate when a resource does not exist. This would also 
assist in identifying communication issues between Ranger and the backend 
services.


Diffs (updated)
-

  security-admin/src/main/webapp/scripts/utils/XAUtils.js fa4916547 
  security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js 
5b3940a10 
  
security-admin/src/main/webapp/scripts/views/security_zone/ZoneResourceForm.js 
68092fd62 
  
security-admin/src/main/webapp/scripts/views/service/ServiceAuditFilterResources.js
 2cfdfd937 
  security-admin/src/main/webapp/styles/xa.css ef3347be3 


Diff: https://reviews.apache.org/r/73903/diff/2/

Changes: https://reviews.apache.org/r/73903/diff/1-2/


Testing (updated)
---

checked resources in policy creation, zone creation, service creation page and 
All case "create" tag display while creating new option in select2 except 
1) Resource path field not display Create tag.
2) Policy resource with "validationRegEx" not display Create tag


Thanks,

Dhaval Rajpara

[jira] [Updated] (RANGER-3667) Improve feedback in policy creation UI when resource does not exist

[Dhaval Rajpara (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-3667?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dhaval Rajpara updated RANGER-3667:
---
Attachment: 0002-RANGER-3667.patch

> Improve feedback in policy creation UI when resource does not exist
> ---
>
> Key: RANGER-3667
> URL: https://issues.apache.org/jira/browse/RANGER-3667
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Dhaval Rajpara
>Assignee: Dhaval Rajpara
>Priority: Major
> Attachments: 0001-RANGER-3667.patch, 0002-RANGER-3667.patch
>
>
> 1. In Ranger's policy creation UI, when a resource (e.g. Hive database or 
> table name) is entered in the Policy Details, the autocomplete feature will 
> proactively present a dropdown of possible matches to known resource names 
> pulled from the service, which the user can then select to populate the 
> fields in the policy. 
> 2. If there is only one match to an existing resource name, then only that 
> single name will be presented in the dropdown. 
> 3. If there are no matches, then the text already entered into the field will 
> be presented in the autocomplete dropdown. This behavior is exactly the same 
> as (2) whether the resource exists or not. 
> 4. While there are some use cases where a policy may need to be created prior 
> to creating the actual resource itself, there is no validation or feedback in 
> the UI to indicate if a resource name already exists. In the case of a simple 
> typo error, this lack of feedback can result in the creation of invalid 
> policies that are then difficult to isolate and fix. 
> This request is to include some additional feedback ("not found" message or 
> similar) in the UI, to indicate when a resource does not exist. This would 
> also assist in identifying communication issues between Ranger and the 
> backend services.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

[jira] [Commented] (RANGER-3674) Fix PMD issue

[Bhavik Patel (Jira)]

[ 
https://issues.apache.org/jira/browse/RANGER-3674?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17509662#comment-17509662
 ] 

Bhavik Patel commented on RANGER-3674:
--

master branch commit link: 
[https://github.com/apache/ranger/commit/8fc17b27d34462ba38904dd899d4b920e362f058]
ranger-2.3 branch commit link: 
https://github.com/apache/ranger/commit/39ea1534a98c51ba8b88e7313b7b3d851298b3e6

> Fix PMD issue 
> --
>
> Key: RANGER-3674
> URL: https://issues.apache.org/jira/browse/RANGER-3674
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 3.0.0, 2.3.0
>Reporter: Bhavik Patel
>Assignee: Bhavik Patel
>Priority: Major
> Fix For: 3.0.0, 2.3.0
>
> Attachments: 0001-RANGER-3674-Fix-PMD-issue.patch
>
>
> https://issues.apache.org/jira/browse/RANGER-2362 introduce PMD issue



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

[jira] [Updated] (RANGER-3674) Fix PMD issue

[Bhavik Patel (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-3674?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bhavik Patel updated RANGER-3674:
-
Attachment: 0001-RANGER-3674-Fix-PMD-issue.patch

> Fix PMD issue 
> --
>
> Key: RANGER-3674
> URL: https://issues.apache.org/jira/browse/RANGER-3674
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 3.0.0, 2.3.0
>Reporter: Bhavik Patel
>Assignee: Bhavik Patel
>Priority: Major
> Fix For: 3.0.0, 2.3.0
>
> Attachments: 0001-RANGER-3674-Fix-PMD-issue.patch
>
>
> https://issues.apache.org/jira/browse/RANGER-2362 introduce PMD issue



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

[jira] [Created] (RANGER-3674) Fix PMD issue

[Bhavik Patel (Jira)]

Bhavik Patel created RANGER-3674:


 Summary: Fix PMD issue 
 Key: RANGER-3674
 URL: https://issues.apache.org/jira/browse/RANGER-3674
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Affects Versions: 3.0.0, 2.3.0
Reporter: Bhavik Patel
Assignee: Bhavik Patel
 Fix For: 3.0.0, 2.3.0


https://issues.apache.org/jira/browse/RANGER-2362 introduce PMD issue



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Re: Review Request 73835: RANGER-3611 Uncatched NullPointerException when missing lastKnownVersion in ServiceREST::getServicePoliciesIfUpdated

[Ramesh Mani]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73835/#review224186
---




security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java
Line 677 (original), 677 (patched)


If there is no change in this file, please remove it from the patch


- Ramesh Mani


On March 3, 2022, 3:48 a.m., Kirby Zhou wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73835/
> ---
> 
> (Updated March 3, 2022, 3:48 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, 
> Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen 
> Mansoori, Mehul Parikh, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal 
> Suvagia, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3611
> https://issues.apache.org/jira/browse/RANGER-3611
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> A simple Rest API call by CURL will cause uncatched NullPointerException in 
> logs.
> It happens at some spring generated code. Set a value to lastKnownVersion 
> will fix it
>  
> Actual:
> 
> ```
> ]% curl -v  http://localhost:6080/service/plugins/policies/download/hdfsdev
> ... 
> < HTTP/1.1 404 Not Found
> ...
>  No Message here 
> * Closing connection 0 
> ```
> 
> And logs in catalina.out
> 
> ```
> EVERE: Servlet.service() for servlet [REST Service] in context with path [] 
> threw exception
> java.lang.NullPointerException
>   at 
> org.apache.ranger.rest.ServiceREST.getServicePoliciesIfUpdated(ServiceREST.java:3054)
>   at 
> org.apache.ranger.rest.ServiceREST$$FastClassBySpringCGLIB$$92dab672.invoke()
>   at 
> org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
>   at 
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:779)
>   at 
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
>   at 
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:750)
>   at 
> org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:123)
>   at 
> org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:388)
>   at 
> org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:119)
>   at 
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
>   at 
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:750)
>   at 
> org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:692)
>   at 
> org.apache.ranger.rest.ServiceREST$$EnhancerBySpringCGLIB$$43bccb60.getServicePoliciesIfUpdated()
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>   at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:498)
>   at 
> com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
>   at 
> com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
>   at 
> com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
>   at 
> com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
>   at 
> com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>   at 
> com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
>   at 
> com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>   at 
> com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
>   at 
> com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1542)
>   at 
> com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1473)
>   at 
> com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419)
>   at 
> 

Re: Review Request 73898: RANGER-2362: Limit Login Attempt Failure

[bhavik patel]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73898/#review224185
---


Ship it!




Ship It!

- bhavik patel


On March 21, 2022, 3:10 a.m., Kirby Zhou wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73898/
> ---
> 
> (Updated March 21, 2022, 3:10 a.m.)
> 
> 
> Review request for ranger, Bhavik Bavishi, Abhay Kulkarni, Madhan Neethiraj, 
> and Pradeep Agrawal.
> 
> 
> Bugs: RANGER-2362
> https://issues.apache.org/jira/browse/RANGER-2362
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> RANGER-2362
> 
> 
> Here is a simple demo code for discussion.
> 
> Hard-codeed:
> we limit 3 failures per 30 minutes. A successful login will reset the counter.
> 
> 
> BTW: I think the code of RangerAuthenticationProvider is a bit anti-pattern.
> 
> 1. We new RangerAuthenticationProvider at each time user login. It is 
> unreasonable, it should be a bean.
> 
> see RangerKRBAuthenticationFilter.java and RangerSSOAuthenticationFilter.java
> 
> 2. We new Jdbc/AD/Ldap/Pam authentication provider in 
> RangerAuthenticationProvider at each time user login.
> 
> 3. The member 'private LdapAuthenticator authenticator' seems useless
> 
> 4. The RangerAuthenticationProvider seem should be replaced with 
> ProviderManager or something like spring configuration.
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java 
> 6b002cff994dd431a83ef46f10ee839fb83dafbb 
>   security-admin/src/main/java/org/apache/ranger/db/XXAuthSessionDao.java 
> b0270e9d45aa5b5543735318eea4e22683cbfece 
>   
> security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
>  8f7abbe7df3d0344c7b5b1af89f7322d82a0d238 
>   
> security-admin/src/main/java/org/apache/ranger/security/listener/SpringEventListener.java
>  af5622a5f756db931a7173ad01d8c4162d5ee05a 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml 
> b56cd26751b35aef245483ef903768d9a9ece61d 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
> 2471f6ac0b5cce97e98a28dd7f1f8faee171f02e 
> 
> 
> Diff: https://reviews.apache.org/r/73898/diff/3/
> 
> 
> Testing
> ---
> 
> Self tested
> 
> 
> Thanks,
> 
> Kirby Zhou
> 
>

Re: Review Request 73898: RANGER-2362: Limit Login Attempt Failure

[bhavik patel]

> On March 21, 2022, 5:09 a.m., bhavik patel wrote:
> > we have to check the successive login failure with in 30min, so default 
> > login lockout window time should be updated to "1800" sec
> 
> Kirby Zhou wrote:
> I do not get your point.
> 
> Current code is to limit user can only have 5 failure in 300 seconds.
> 
> You point is to limit user can only have 5 failure in 1800 seconds? Maybe 
> it is too long.

Yeah, you are right.
Sorry, I got confused but now it clear.


- bhavik


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73898/#review224182
---


On March 21, 2022, 3:10 a.m., Kirby Zhou wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73898/
> ---
> 
> (Updated March 21, 2022, 3:10 a.m.)
> 
> 
> Review request for ranger, Bhavik Bavishi, Abhay Kulkarni, Madhan Neethiraj, 
> and Pradeep Agrawal.
> 
> 
> Bugs: RANGER-2362
> https://issues.apache.org/jira/browse/RANGER-2362
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> RANGER-2362
> 
> 
> Here is a simple demo code for discussion.
> 
> Hard-codeed:
> we limit 3 failures per 30 minutes. A successful login will reset the counter.
> 
> 
> BTW: I think the code of RangerAuthenticationProvider is a bit anti-pattern.
> 
> 1. We new RangerAuthenticationProvider at each time user login. It is 
> unreasonable, it should be a bean.
> 
> see RangerKRBAuthenticationFilter.java and RangerSSOAuthenticationFilter.java
> 
> 2. We new Jdbc/AD/Ldap/Pam authentication provider in 
> RangerAuthenticationProvider at each time user login.
> 
> 3. The member 'private LdapAuthenticator authenticator' seems useless
> 
> 4. The RangerAuthenticationProvider seem should be replaced with 
> ProviderManager or something like spring configuration.
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java 
> 6b002cff994dd431a83ef46f10ee839fb83dafbb 
>   security-admin/src/main/java/org/apache/ranger/db/XXAuthSessionDao.java 
> b0270e9d45aa5b5543735318eea4e22683cbfece 
>   
> security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
>  8f7abbe7df3d0344c7b5b1af89f7322d82a0d238 
>   
> security-admin/src/main/java/org/apache/ranger/security/listener/SpringEventListener.java
>  af5622a5f756db931a7173ad01d8c4162d5ee05a 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml 
> b56cd26751b35aef245483ef903768d9a9ece61d 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
> 2471f6ac0b5cce97e98a28dd7f1f8faee171f02e 
> 
> 
> Diff: https://reviews.apache.org/r/73898/diff/3/
> 
> 
> Testing
> ---
> 
> Self tested
> 
> 
> Thanks,
> 
> Kirby Zhou
> 
>

Re: Review Request 73898: RANGER-2362: Limit Login Attempt Failure

[Kirby Zhou]

> On 三月 21, 2022, 5:09 a.m., bhavik patel wrote:
> > we have to check the successive login failure with in 30min, so default 
> > login lockout window time should be updated to "1800" sec

I do not get your point.

Current code is to limit user can only have 5 failure in 300 seconds.

You point is to limit user can only have 5 failure in 1800 seconds? Maybe it is 
too long.


- Kirby


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73898/#review224182
---


On 三月 21, 2022, 3:10 a.m., Kirby Zhou wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73898/
> ---
> 
> (Updated 三月 21, 2022, 3:10 a.m.)
> 
> 
> Review request for ranger, Bhavik Bavishi, Abhay Kulkarni, Madhan Neethiraj, 
> and Pradeep Agrawal.
> 
> 
> Bugs: RANGER-2362
> https://issues.apache.org/jira/browse/RANGER-2362
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> RANGER-2362
> 
> 
> Here is a simple demo code for discussion.
> 
> Hard-codeed:
> we limit 3 failures per 30 minutes. A successful login will reset the counter.
> 
> 
> BTW: I think the code of RangerAuthenticationProvider is a bit anti-pattern.
> 
> 1. We new RangerAuthenticationProvider at each time user login. It is 
> unreasonable, it should be a bean.
> 
> see RangerKRBAuthenticationFilter.java and RangerSSOAuthenticationFilter.java
> 
> 2. We new Jdbc/AD/Ldap/Pam authentication provider in 
> RangerAuthenticationProvider at each time user login.
> 
> 3. The member 'private LdapAuthenticator authenticator' seems useless
> 
> 4. The RangerAuthenticationProvider seem should be replaced with 
> ProviderManager or something like spring configuration.
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java 
> 6b002cff994dd431a83ef46f10ee839fb83dafbb 
>   security-admin/src/main/java/org/apache/ranger/db/XXAuthSessionDao.java 
> b0270e9d45aa5b5543735318eea4e22683cbfece 
>   
> security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
>  8f7abbe7df3d0344c7b5b1af89f7322d82a0d238 
>   
> security-admin/src/main/java/org/apache/ranger/security/listener/SpringEventListener.java
>  af5622a5f756db931a7173ad01d8c4162d5ee05a 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml 
> b56cd26751b35aef245483ef903768d9a9ece61d 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
> 2471f6ac0b5cce97e98a28dd7f1f8faee171f02e 
> 
> 
> Diff: https://reviews.apache.org/r/73898/diff/3/
> 
> 
> Testing
> ---
> 
> Self tested
> 
> 
> Thanks,
> 
> Kirby Zhou
> 
>