Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

2022-04-08 Thread bhavik patel


> On April 8, 2022, 5:41 p.m., Kirby Zhou wrote:
> > security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
> > Lines 121 (patched)
> > 
> >
> > Can we store it in other_attributes to avoid changing the database schema?

I think other_attributes was added for some other purpose, as this attribute was added 
for 2 more tables. It's better to have a new column.


- bhavik


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224283
---


On April 9, 2022, 5:29 a.m., bhavik patel wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73922/
> ---
> 
> (Updated April 9, 2022, 5:29 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay 
> Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, 
> Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3687
> https://issues.apache.org/jira/browse/RANGER-3687
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Password history should be configured to restrict users from reusing their 
> last 4 or 5 passwords.
> 
> 
> Diffs
> -
> 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 
> 26282f770 
>   security-admin/db/mysql/patches/059-update-x-portal-user-table.sql 
> PRE-CREATION 
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 
> e2475cfbd 
>   security-admin/db/oracle/patches/059-update-x-portal-user-table..sql 
> PRE-CREATION 
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 
> f5c6ed8f5 
>   security-admin/db/postgres/patches/059-update-x-portal-user-table.sql 
> PRE-CREATION 
>   
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
>  1887d6da9 
>   security-admin/db/sqlanywhere/patches/059-update-x-portal-user-table.sql 
> PRE-CREATION 
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 
> 642e54cd5 
>   security-admin/db/sqlserver/patches/059-update-x-portal-user-table.sql 
> PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
>   security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java 
> d0451b4d2 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
> e2bfc8fff 
>   security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java 
> f43b30196 
> 
> 
> Diff: https://reviews.apache.org/r/73922/diff/5/
> 
> 
> Testing
> ---
> 
> 1. Verified the basic functionality of "/passwordchange" API
> 2. Verified "/secure/users" & "/secure/users/{id}" APIs
> 
> 3. Once the basic review/discussion is done will fix the Test-cases
> 
> 
> Thanks,
> 
> bhavik patel
> 
>



Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

2022-04-08 Thread bhavik patel

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/
---

(Updated April 9, 2022, 5:29 a.m.)


Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay 
Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, 
Ramesh Mani, and Velmurugan Periasamy.


Bugs: RANGER-3687
https://issues.apache.org/jira/browse/RANGER-3687


Repository: ranger


Description
---

Password history should be configured to restrict users from reusing their last 
4 or 5 passwords.


Diffs (updated)
-

  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
  security-admin/db/mysql/patches/059-update-x-portal-user-table.sql 
PRE-CREATION 
  security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 
e2475cfbd 
  security-admin/db/oracle/patches/059-update-x-portal-user-table..sql 
PRE-CREATION 
  security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 
f5c6ed8f5 
  security-admin/db/postgres/patches/059-update-x-portal-user-table.sql 
PRE-CREATION 
  
security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 
1887d6da9 
  security-admin/db/sqlanywhere/patches/059-update-x-portal-user-table.sql 
PRE-CREATION 
  security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 
642e54cd5 
  security-admin/db/sqlserver/patches/059-update-x-portal-user-table.sql 
PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
  security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java 
d0451b4d2 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
e2bfc8fff 
  security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java f43b30196 


Diff: https://reviews.apache.org/r/73922/diff/5/

Changes: https://reviews.apache.org/r/73922/diff/4-5/


Testing
---

1. Verified the basic functionality of "/passwordchange" API
2. Verified "/secure/users" & "/secure/users/{id}" APIs

3. Once the basic review/discussion is done will fix the Test-cases


Thanks,

bhavik patel



[jira] [Updated] (RANGER-3697) Migrate all python scripts in Ranger to Python3

2022-04-08 Thread Abhishek Kumar (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3697?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Kumar updated RANGER-3697:
---
Description: 
Python 2 has sunset as of Jan 1, 2020. All scripts using python2 should 
eventually move to python3.

Python2 will no longer be supported, ranger 3.0 and onwards. 

Article: 
[https://www.python.org/doc/sunset-python-2/#:~:text=We%20have%20decided%20that%20January,as%20soon%20as%20you%20can.]
 

  was:
Python 2 has sunset as of Jan 1, 2020. All scripts using python2 should 
eventually move to python3.

Python2 will no longer be supported, ranger 3.0 and onwards. 

Article: 


> Migrate all python scripts in Ranger to Python3
> ---
>
> Key: RANGER-3697
> URL: https://issues.apache.org/jira/browse/RANGER-3697
> Project: Ranger
>  Issue Type: Improvement
>  Components: admin, Ranger
>Reporter: Abhishek Kumar
>Assignee: Abhishek Kumar
>Priority: Major
> Fix For: 3.0.0
>
>
> Python 2 has sunset as of Jan 1, 2020. All scripts using python2 should 
> eventually move to python3.
> Python2 will no longer be supported, ranger 3.0 and onwards. 
> Article: 
> [https://www.python.org/doc/sunset-python-2/#:~:text=We%20have%20decided%20that%20January,as%20soon%20as%20you%20can.]
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Updated] (RANGER-3697) Migrate all python scripts in Ranger to Python3

2022-04-08 Thread Abhishek Kumar (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3697?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Kumar updated RANGER-3697:
---
Description: 
Python 2 has sunset as of Jan 1, 2020. All scripts using python2 should 
eventually move to python3.

Python2 will no longer be supported, ranger 3.0 and onwards. 

Article: 

  was:Python 2 has sunset as of Jan 1, 2020. All scripts using python2 should 
eventually move to python3.


> Migrate all python scripts in Ranger to Python3
> ---
>
> Key: RANGER-3697
> URL: https://issues.apache.org/jira/browse/RANGER-3697
> Project: Ranger
>  Issue Type: Improvement
>  Components: admin, Ranger
>Reporter: Abhishek Kumar
>Assignee: Abhishek Kumar
>Priority: Major
> Fix For: 3.0.0
>
>
> Python 2 has sunset as of Jan 1, 2020. All scripts using python2 should 
> eventually move to python3.
> Python2 will no longer be supported, ranger 3.0 and onwards. 
> Article: 





[jira] [Updated] (RANGER-3697) Migrate all python scripts in Ranger to Python3

2022-04-08 Thread Abhishek Kumar (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3697?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Kumar updated RANGER-3697:
---
Fix Version/s: 3.0.0

> Migrate all python scripts in Ranger to Python3
> ---
>
> Key: RANGER-3697
> URL: https://issues.apache.org/jira/browse/RANGER-3697
> Project: Ranger
>  Issue Type: Improvement
>  Components: admin, Ranger
>Reporter: Abhishek Kumar
>Assignee: Abhishek Kumar
>Priority: Major
> Fix For: 3.0.0
>
>
> Python 2 has sunset as of Jan 1, 2020. All scripts using python2 should 
> eventually move to python3.





[jira] [Commented] (RANGER-3697) Migrate all python scripts in Ranger to Python3

2022-04-08 Thread Abhishek Kumar (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17519811#comment-17519811
 ] 

Abhishek Kumar commented on RANGER-3697:


Article explaining the need to remove python2: 
[https://www.python.org/doc/sunset-python-2/#:~:text=We%20have%20decided%20that%20January,as%20soon%20as%20you%20can.]
 

Following PEP 8 guidelines, it is best we have the snake case for file names, 
method names and variable names. 

The proposed changes will be effective only from ranger 3.0

> Migrate all python scripts in Ranger to Python3
> ---
>
> Key: RANGER-3697
> URL: https://issues.apache.org/jira/browse/RANGER-3697
> Project: Ranger
>  Issue Type: Improvement
>  Components: admin, Ranger
>Reporter: Abhishek Kumar
>Assignee: Abhishek Kumar
>Priority: Major
>
> Python 2 has sunset as of Jan 1, 2020. All scripts using python2 should 
> eventually move to python3.





Re: Review Request 73937: RANGER-3697: Python3 migration of all ranger python scripts

2022-04-08 Thread Abhishek Kumar


> On April 7, 2022, 10:14 p.m., Ramesh Mani wrote:
> > security-admin/scripts/change_password_util.py
> > Lines 1 (patched)
> > 
> >
> > Deleting file changepasswordutil.py and creating it with a new file name 
> > change_password_util.py may result in the file failing to be 
> > included in the package, or it may be referenced in other scripts which have to be 
> > changed. Please refer to all those references and correct them, or best to use the 
> > same name.
> 
> Kirby Zhou wrote:
> I suggest that this commit DO NOT change any filename, open a new review 
> to change filename.
> 
> Kirby Zhou wrote:
> This patch is too heavy, may split it into 3 steps?
> 
> 
> 1. migrate to python3
> 2. rename of identifier such as "propertyName -> property_name"
> 3. rename of file and related files.

I understand, the changes will require thorough testing. Following PEP 8 
guidelines, it is best we have the snake case for file names, method names and 
variable names. 
As suggested earlier I'll split the patch into multiple parts.


- Abhishek


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73937/#review224265
---


On April 7, 2022, 7:11 p.m., Abhishek  Kumar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73937/
> ---
> 
> (Updated April 7, 2022, 7:11 p.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Ramesh Mani, 
> Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3697
> https://issues.apache.org/jira/browse/RANGER-3697
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Python 2 has sunset as of Jan 1, 2020. All scripts using python2 should 
> eventually move to python3.
> 
> Initial Review - will be updated to include all scripts.
> 
> Changes include:
> 1. Support only for Python3 and above.
> 2. Conformity with PEP 8 guidelines.
> 3. Code optimizations and performance improvements.
> 
> 
> Diffs
> -
> 
>   agents-common/scripts/upgrade-plugin.py d865ee366 
>   agents-common/scripts/upgrade_plugin.py PRE-CREATION 
>   ranger-util/src/scripts/saveVersion.py 51227542d 
>   ranger-util/src/scripts/save_version.py PRE-CREATION 
>   security-admin/scripts/change_password_util.py PRE-CREATION 
>   security-admin/scripts/change_username_util.py PRE-CREATION 
>   security-admin/scripts/changepasswordutil.py e45dab643 
>   security-admin/scripts/changeusernameutil.py 699f945f0 
>   security-admin/scripts/deleteUserGroupUtil.py 1c9f58385 
>   security-admin/scripts/delete_user_group_util.py PRE-CREATION 
>   security-admin/scripts/ranger_credential_helper.py 85f29ac43 
>   security-admin/scripts/restrict_permissions.py b19bafe9b 
>   security-admin/scripts/role_based_user_search_util.py PRE-CREATION 
>   security-admin/scripts/rolebasedusersearchutil.py 612db33df 
>   security-admin/scripts/updateUserAndGroupNamesInJson.py c40ec4406 
>   security-admin/scripts/upgrade_admin.py 85f57b8ce 
>   security-admin/src/bin/ranger_install.py 39b9d1f81 
>   security-admin/src/bin/ranger_usersync.py 4374896c7 
>   security-admin/src/bin/service_start.py ea13b85af 
> 
> 
> Diff: https://reviews.apache.org/r/73937/diff/1/
> 
> 
> Testing
> ---
> 
> Pending.
> 
> 
> Thanks,
> 
> Abhishek  Kumar
> 
>



Re: Review Request 73937: RANGER-3697: Python3 migration of all ranger python scripts

2022-04-08 Thread Abhishek Kumar


> On April 8, 2022, 2:12 p.m., Pradeep Agrawal wrote:
> > Currently python2 and python3 are both supported, why do we want to remove 
> > python2 support? Also, what issues are you getting when you execute all 
> > these scripts in python3?

Article explaining the need to remove python2: 
https://www.python.org/doc/sunset-python-2/#:~:text=We%20have%20decided%20that%20January,as%20soon%20as%20you%20can.
Testing is pending.


- Abhishek


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73937/#review224282
---


On April 7, 2022, 7:11 p.m., Abhishek  Kumar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73937/
> ---
> 
> (Updated April 7, 2022, 7:11 p.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Ramesh Mani, 
> Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3697
> https://issues.apache.org/jira/browse/RANGER-3697
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Python 2 has sunset as of Jan 1, 2020. All scripts using python2 should 
> eventually move to python3.
> 
> Initial Review - will be updated to include all scripts.
> 
> Changes include:
> 1. Support only for Python3 and above.
> 2. Conformity with PEP 8 guidelines.
> 3. Code optimizations and performance improvements.
> 
> 
> Diffs
> -
> 
>   agents-common/scripts/upgrade-plugin.py d865ee366 
>   agents-common/scripts/upgrade_plugin.py PRE-CREATION 
>   ranger-util/src/scripts/saveVersion.py 51227542d 
>   ranger-util/src/scripts/save_version.py PRE-CREATION 
>   security-admin/scripts/change_password_util.py PRE-CREATION 
>   security-admin/scripts/change_username_util.py PRE-CREATION 
>   security-admin/scripts/changepasswordutil.py e45dab643 
>   security-admin/scripts/changeusernameutil.py 699f945f0 
>   security-admin/scripts/deleteUserGroupUtil.py 1c9f58385 
>   security-admin/scripts/delete_user_group_util.py PRE-CREATION 
>   security-admin/scripts/ranger_credential_helper.py 85f29ac43 
>   security-admin/scripts/restrict_permissions.py b19bafe9b 
>   security-admin/scripts/role_based_user_search_util.py PRE-CREATION 
>   security-admin/scripts/rolebasedusersearchutil.py 612db33df 
>   security-admin/scripts/updateUserAndGroupNamesInJson.py c40ec4406 
>   security-admin/scripts/upgrade_admin.py 85f57b8ce 
>   security-admin/src/bin/ranger_install.py 39b9d1f81 
>   security-admin/src/bin/ranger_usersync.py 4374896c7 
>   security-admin/src/bin/service_start.py ea13b85af 
> 
> 
> Diff: https://reviews.apache.org/r/73937/diff/1/
> 
> 
> Testing
> ---
> 
> Pending.
> 
> 
> Thanks,
> 
> Abhishek  Kumar
> 
>



[jira] [Comment Edited] (RANGER-3691) Upgrade spring to 5.3.18 CVE-2022-22965

2022-04-08 Thread Ramesh Mani (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3691?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17519673#comment-17519673
 ] 

Ramesh Mani edited comment on RANGER-3691 at 4/8/22 6:35 PM:
-

[~kirbyzhou]  since this CVE 
[https://tanzu.vmware.com/security/cve-2022-22965|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965]
 doesn't affect Ranger as ranger doesn't use Spring MVC or Spring WebFlux and 
for the betterment of this we can do Apache Ranger 2.3 release where many bug 
fixes are done on top of 2.2 release. We don't do twice the effort to release 
this minor version just to upgrade the spring version. Let me know your opinion.


was (Author: rmani):
[~kirbyzhou]  since this CVE 
[https://tanzu.vmware.com/security/cve-2022-22965|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965]
 doesn't affect Ranger as ranger doesn't user Spring MVC or Spring WebFlux and 
for the betterment of this we can do Apache Ranger 2.3 release where many bug 
fixes are done on top of 2.2 release. We don't do twice the effort to release 
this minor version just to upgrade the spring version. Let me know your opinion.

> Upgrade spring to 5.3.18 CVE-2022-22965
> ---
>
> Key: RANGER-3691
> URL: https://issues.apache.org/jira/browse/RANGER-3691
> Project: Ranger
>  Issue Type: Bug
>  Components: admin, kms
>Reporter: kirby zhou
>Assignee: kirby zhou
>Priority: Blocker
> Fix For: 3.0.0
>
>
> [https://tanzu.vmware.com/security/cve-2022-22965|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965]
> [https://github.com/spring-projects/spring-framework/releases]
>  
> Spring has a new 0day Remote-Code-Execution problem, related to spring-beans 
> and JDK9+
> Fixed at spring 5.3.18 / 5.2.20
>  





[jira] [Commented] (RANGER-3669) Connection to DB fails for MySQL version above 8.0

2022-04-08 Thread gomathinayagam (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17519742#comment-17519742
 ] 

gomathinayagam commented on RANGER-3669:


Can you provide an example for this value, [~vishalsuvagia]?

is_override_db_connection_string=false

db_override_connection_string=

> Connection to DB fails for MySQL version above 8.0
> --
>
> Key: RANGER-3669
> URL: https://issues.apache.org/jira/browse/RANGER-3669
> Project: Ranger
>  Issue Type: Improvement
>  Components: kms
>Affects Versions: 3.0.0
>Reporter: Vishal Suvagia
>Assignee: Vishal Suvagia
>Priority: Major
> Attachments: RANGER-3669.01.patch, RANGER-3669.patch
>
>
> Observed that Ranger KMS DB setup fails when using with MySQL version above 
> 8.0.





[jira] [Comment Edited] (RANGER-3691) Upgrade spring to 5.3.18 CVE-2022-22965

2022-04-08 Thread Ramesh Mani (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3691?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17519673#comment-17519673
 ] 

Ramesh Mani edited comment on RANGER-3691 at 4/8/22 6:05 PM:
-

[~kirbyzhou]  since this CVE 
[https://tanzu.vmware.com/security/cve-2022-22965|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965]
 doesn't affect Ranger as ranger doesn't user Spring MVC or Spring WebFlux and 
for the betterment of this we can do Apache Ranger 2.3 release where many bug 
fixes are done on top of 2.2 release. We don't do twice the effort to release 
this minor version just to upgrade the spring version. Let me know your opinion.


was (Author: rmani):
[~kirbyzhou]  since this CVE 
[https://tanzu.vmware.com/security/cve-2022-22965|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965]
 doesn't affect Ranger as ranger doesn't user Spring MVC or Spring WebFlux and 
for the betterment of this we can do Apache Range 2.3 release where many bug 
fixes are done on top of 2.2 release. We don't do twice the effort to release 
this minor version just to upgrade the spring version. Let me know your opinion.

> Upgrade spring to 5.3.18 CVE-2022-22965
> ---
>
> Key: RANGER-3691
> URL: https://issues.apache.org/jira/browse/RANGER-3691
> Project: Ranger
>  Issue Type: Bug
>  Components: admin, kms
>Reporter: kirby zhou
>Assignee: kirby zhou
>Priority: Blocker
> Fix For: 3.0.0
>
>
> [https://tanzu.vmware.com/security/cve-2022-22965|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965]
> [https://github.com/spring-projects/spring-framework/releases]
>  
> Spring has a new 0day Remote-Code-Execution problem, related to spring-beans 
> and JDK9+
> Fixed at spring 5.3.18 / 5.2.20
>  





[jira] [Comment Edited] (RANGER-3619) REST API should return 403 when authenticated client is not allowed to access API.

2022-04-08 Thread kirby zhou (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3619?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17519248#comment-17519248
 ] 

kirby zhou edited comment on RANGER-3619 at 4/8/22 5:47 PM:


tested with dual-instance HA done, nothing special happens.

 


was (Author: kirbyzhou):
Simple test with dual-instance HA done, nothing special happens.

 

> REST API should return 403 when authenticated client is not allowed to access 
> API.
> --
>
> Key: RANGER-3619
> URL: https://issues.apache.org/jira/browse/RANGER-3619
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 3.0.0, 2.2.0
>Reporter: kirby zhou
>Priority: Major
>
> REST API should return 403-Forbidden when an authenticated client is not allowed 
> to access the API, to avoid crashing Ranger clients.
>  
> Now, some APIs return 401-Unauthorized instead of 403-Forbidden when the client 
> has already passed authentication but is not allowed to do something.
> In general, this will not cause any serious problems. However, there is a 
> flaw in the SPNEGO protocol implementation of Java HttpURLConnection. It 
> causes the client to throw an unexpected exception. This will trouble the 
> operators and developers.
>  
> Let me show you how it happens:
>  
> For example:
>  
> The RangerAdminClient inside KMS wants to access the API 
> "/service/secure/policies/download", but the principal is not in the 
> allowlist.
>  
>  # RangerAdminClient is based on Jersey-Client.
>  # JerseyClient sends an HTTP request to Ranger Service without authentication 
> information.
>  # Tomcat/Spring inside Ranger returns 401 with HTTP header 
> “WWW-Authenticate: Negotiate”.
>  # JerseyClient sends the request again with Kerberos/SPNEGO authentication 
> tokens.
>  # Tomcat/Spring inside Ranger accepts the authentication, then calls 
> ServiceRest::getSecureServicePoliciesIfUpdated to answer the API call.
>  # ServiceRest::getSecureServicePoliciesIfUpdated checks the allowlist of “kms 
> service”, and refuses the client with 401.
>  # Tomcat/Spring inside Ranger returns 401 with HTTP header 
> “WWW-Authenticate: Negotiate….” to notify RangerAdminClient that the 
> authentication is passed.
>  
> Now, there is a malformed state. The HTTP status code tells the client that 
> authentication failed, but the HTTP header tells the client that authentication passed.
>  
> On the RangerAdminClient side: 
>  
>  # sun.net.www.protocol.http.HttpURLConnection.getInputStream0() sees the 
> second 401.
>  # 'inNegotiate' = true, so it is in the process of Negotiate.
>  # It checks: if "WWW-Authenticate: Negotiate" exists, then disable 
> negotiate for the following code, to avoid trying Negotiate once again.
>  # But "WWW-Authenticate: Negotiate xczsd324…" does not match the rule above.
>  # So HttpURLConnection calls AuthenticationInfo.sendHeaders to generate a 
> new request header.
>  # Wow, a null exception happens.
>  # Logs "ERROR RangerAdminRESTClient - Error getting policies; Received NULL 
> response!!. secureMode=true, user=… (auth:KERBEROS), serviceName=kmsdev"
>  # Log of KMS: "ERROR RangerAdminRESTClient - Failed to get response, Error 
> is : java.lang.RuntimeException: java.lang.NullPointerException"
>  
> This log makes the admin confused.
>  
>  
> {code:java}
> //ServiceRest::getServicePoliciesIfUpdated
> if (isAllowed) {
>     //...
> } else {
>     httpCode = HttpServletResponse.SC_UNAUTHORIZED;
> }
> {code}
> {code:java}
> // sun.net.www.protocol.http.HttpURLConnection.getInputStream0()
> // Read comments labeled "Failed Negotiate" for details.
> boolean dontUseNegotiate = false;
> Iterator<String> iter = responses.multiValueIterator("WWW-Authenticate");
> while (iter.hasNext()) {
>     String value = iter.next().trim();
>     if (value.equalsIgnoreCase("Negotiate") ||
>             value.equalsIgnoreCase("Kerberos")) {
>         if (!inNegotiate) {
>             inNegotiate = true;
>         } else {
>             dontUseNegotiate = true;
>             doingNTLM2ndStage = false;
>             serverAuthentication = null;
>         }
>         break;
>     }
> }
> /**
>  * Failed Negotiate
>  *
>  * In some cases, the Negotiate auth is supported for the
>  * remote host but the negotiate process still fails (For
>  * example, if the web page is located on a backend server
>  * and delegation is needed but fails). The authentication
>  * process will start again, and we need to detect this
>  * kind of failure and do proper fallback (say, to NTLM).
>  *
>  * In order to achieve this, the inNegotiate flag is set
>  * when the first negotiate challenge is met (and reset
>  * if authentication is finished). If a fresh new negotiate
>  * challenge (no parameter) is found while inNegotiate is
>  * set, we know there's a failed auth attempt recently.
>  * Here we'll 
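
The status-code mismatch described in RANGER-3619 above, as an added example that is not part of the original message and is not Ranger or JDK source. It mirrors the header test from the quoted getInputStream0() snippet and compares a 401 denial with the proposed 403. The class and method names (NegotiateStatusDemo, statusFor, givesUpOnNegotiate, clientOutcome) are hypothetical and the header token is a constructed placeholder.

```java
import java.util.Arrays;
import java.util.List;

/** Added illustration for RANGER-3619; hypothetical names, not Ranger or JDK code. */
public class NegotiateStatusDemo {

    /** Status a REST endpoint should pick, following the issue's proposal. */
    static int statusFor(boolean authenticated, boolean allowed) {
        if (!authenticated) {
            return 401; // identity unknown: challenge the client (SPNEGO)
        }
        return allowed ? 200 : 403; // identity known: deny without a new challenge
    }

    /**
     * Mirrors the header test in the quoted getInputStream0() snippet: only a
     * bare "Negotiate" or "Kerberos" value is treated as a fresh challenge.
     * Returns the value dontUseNegotiate would have after the loop.
     */
    static boolean givesUpOnNegotiate(List<String> wwwAuthenticate, boolean inNegotiate) {
        for (String raw : wwwAuthenticate) {
            String value = raw.trim();
            if (value.equalsIgnoreCase("Negotiate") || value.equalsIgnoreCase("Kerberos")) {
                // First bare challenge starts negotiation; a second one while
                // already negotiating signals a failed attempt.
                return inNegotiate;
            }
        }
        // "Negotiate <token>" never equals "Negotiate", so nothing is disabled.
        return false;
    }

    /** What a client applying that test does with a response received mid-Negotiate. */
    static String clientOutcome(int status, List<String> wwwAuthenticate) {
        if (status == 403) {
            return "report access denied";
        }
        if (status != 401) {
            return "use response";
        }
        return givesUpOnNegotiate(wwwAuthenticate, true)
                ? "stop negotiating and fail cleanly"
                : "build another auth header (the path the issue reports ending in a NullPointerException)";
    }

    public static void main(String[] args) {
        // Constructed header values; the token is a placeholder, not a real GSS token.
        List<String> bareChallenge = Arrays.asList("Negotiate");
        List<String> withToken = Arrays.asList("Negotiate Y29uc3RydWN0ZWQ=");

        // Anonymous first request: the server challenges with 401.
        System.out.println("anonymous request  -> " + statusFor(false, false));

        // Behaviour described in the issue: authenticated, not in the allowlist, 401 plus token.
        System.out.println("deny with 401      -> " + clientOutcome(401, withToken));

        // Proposed behaviour: the same denial answered with 403.
        int proposed = statusFor(true, false);
        System.out.println("deny with " + proposed + "      -> " + clientOutcome(proposed, withToken));

        // A genuinely failed negotiation repeats the bare challenge and is caught by the test.
        System.out.println("repeated challenge -> " + clientOutcome(401, bareChallenge));
    }
}
```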

Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

2022-04-08 Thread Kirby Zhou

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224283
---




security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
Lines 121 (patched)


Can we store it in other_attributes to avoid changing the database schema?



security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
Lines 431 (patched)


Can you move this line to init or constructor?



security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
Lines 515 (patched)


typo here


- Kirby Zhou


On April 8, 2022, 2:01 p.m., bhavik patel wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73922/
> ---
> 
> (Updated April 8, 2022, 2:01 p.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay 
> Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, 
> Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3687
> https://issues.apache.org/jira/browse/RANGER-3687
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Password history should be configured to restrict users from reusing their 
> last 4 or 5 passwords.
> 
> 
> Diffs
> -
> 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 
> 26282f770 
>   security-admin/db/mysql/patches/059-update-x-portal-user-table.sql 
> PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
>   security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java 
> d0451b4d2 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
> e2bfc8fff 
> 
> 
> Diff: https://reviews.apache.org/r/73922/diff/4/
> 
> 
> Testing
> ---
> 
> 1. Verified the basic functionality of "/passwordchange" API
> 2. Verified "/secure/users" & "/secure/users/{id}" APIs
> 
> 3. Once the basic review/discussion is done will fix the Test-cases
> 
> 
> Thanks,
> 
> bhavik patel
> 
>



[jira] [Commented] (RANGER-3691) Upgrade spring to 5.3.18 CVE-2022-22965

2022-04-08 Thread Ramesh Mani (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3691?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17519673#comment-17519673
 ] 

Ramesh Mani commented on RANGER-3691:
-

[~kirbyzhou]  since this CVE 
[https://tanzu.vmware.com/security/cve-2022-22965|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965]
 doesn't affect Ranger as ranger doesn't user Spring MVC or Spring WebFlux and 
for the betterment of this we can do Apache Range 2.3 release where many bug 
fixes are done on top of 2.2 release. We don't do twice the effort to release 
this minor version just to upgrade the spring version. Let me know your opinion.

> Upgrade spring to 5.3.18 CVE-2022-22965
> ---
>
> Key: RANGER-3691
> URL: https://issues.apache.org/jira/browse/RANGER-3691
> Project: Ranger
>  Issue Type: Bug
>  Components: admin, kms
>Reporter: kirby zhou
>Assignee: kirby zhou
>Priority: Blocker
> Fix For: 3.0.0
>
>
> [https://tanzu.vmware.com/security/cve-2022-22965|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965]
> [https://github.com/spring-projects/spring-framework/releases]
>  
> Spring has a new 0day Remote-Code-Execution problem, related to spring-beans 
> and JDK9+
> Fixed at spring 5.3.18 / 5.2.20
>  





Re: Review Request 73937: RANGER-3697: Python3 migration of all ranger python scripts

2022-04-08 Thread Pradeep Agrawal

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73937/#review224282
---



Currently python2 and python3 are both supported, why do we want to remove python2 
support? Also, what issues are you getting when you execute all these scripts in 
python3?

- Pradeep Agrawal


On April 7, 2022, 7:11 p.m., Abhishek  Kumar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73937/
> ---
> 
> (Updated April 7, 2022, 7:11 p.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Ramesh Mani, 
> Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3697
> https://issues.apache.org/jira/browse/RANGER-3697
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Python 2 has sunset as of Jan 1, 2020. All scripts using python2 should 
> eventually move to python3.
> 
> Initial Review - will be updated to include all scripts.
> 
> Changes include:
> 1. Support only for Python3 and above.
> 2. Conformity with PEP 8 guidelines.
> 3. Code optimizations and performance improvements.
> 
> 
> Diffs
> -
> 
>   agents-common/scripts/upgrade-plugin.py d865ee366 
>   agents-common/scripts/upgrade_plugin.py PRE-CREATION 
>   ranger-util/src/scripts/saveVersion.py 51227542d 
>   ranger-util/src/scripts/save_version.py PRE-CREATION 
>   security-admin/scripts/change_password_util.py PRE-CREATION 
>   security-admin/scripts/change_username_util.py PRE-CREATION 
>   security-admin/scripts/changepasswordutil.py e45dab643 
>   security-admin/scripts/changeusernameutil.py 699f945f0 
>   security-admin/scripts/deleteUserGroupUtil.py 1c9f58385 
>   security-admin/scripts/delete_user_group_util.py PRE-CREATION 
>   security-admin/scripts/ranger_credential_helper.py 85f29ac43 
>   security-admin/scripts/restrict_permissions.py b19bafe9b 
>   security-admin/scripts/role_based_user_search_util.py PRE-CREATION 
>   security-admin/scripts/rolebasedusersearchutil.py 612db33df 
>   security-admin/scripts/updateUserAndGroupNamesInJson.py c40ec4406 
>   security-admin/scripts/upgrade_admin.py 85f57b8ce 
>   security-admin/src/bin/ranger_install.py 39b9d1f81 
>   security-admin/src/bin/ranger_usersync.py 4374896c7 
>   security-admin/src/bin/service_start.py ea13b85af 
> 
> 
> Diff: https://reviews.apache.org/r/73937/diff/1/
> 
> 
> Testing
> ---
> 
> Pending.
> 
> 
> Thanks,
> 
> Abhishek  Kumar
> 
>



Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

2022-04-08 Thread bhavik patel


> On April 1, 2022, 9:22 a.m., Kirby Zhou wrote:
> > A question.
> > If an admin wants to change another user's password, should the rule be forced or 
> > not?
> > If not, how would the code implement it?
> 
> bhavik patel wrote:
> yes, that rule is forced.
> 
> Kirby Zhou wrote:
> I consider admin do not love it. Especially when admin needs to reset 
> someone's password to a specific value.
> 
> bhavik patel wrote:
> That’s also true, I thought of having the same functionality throughout 
> the application.
> 
> @PMC any suggestions?

As of now, reverted these changes.


- bhavik


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224237
---


On April 8, 2022, 2:01 p.m., bhavik patel wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73922/
> ---
> 
> (Updated April 8, 2022, 2:01 p.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay 
> Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, 
> Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3687
> https://issues.apache.org/jira/browse/RANGER-3687
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Password history should be configured to restrict users from reusing their 
> last 4 or 5 passwords.
> 
> 
> Diffs
> -
> 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 
> 26282f770 
>   security-admin/db/mysql/patches/059-update-x-portal-user-table.sql 
> PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
>   security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java 
> d0451b4d2 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
> e2bfc8fff 
> 
> 
> Diff: https://reviews.apache.org/r/73922/diff/4/
> 
> 
> Testing
> ---
> 
> 1. Verified the basic functionality of "/passwordchange" api
> 2. Verified "/secure/users" & "/secure/users/{id}" API’s
> 
> 3. Once the basic review/discussion is done will fix the Test-cases
> 
> 
> Thanks,
> 
> bhavik patel
> 
>



Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

2022-04-08 Thread bhavik patel

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/
---

(Updated April 8, 2022, 2:01 p.m.)


Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay 
Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, 
Ramesh Mani, and Velmurugan Periasamy.


Bugs: RANGER-3687
https://issues.apache.org/jira/browse/RANGER-3687


Repository: ranger


Description
---

Password history should be configured to restrict users from reusing their last 
4 or 5 passwords.


Diffs (updated)
-

  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
  security-admin/db/mysql/patches/059-update-x-portal-user-table.sql 
PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
  security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java 
d0451b4d2 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
e2bfc8fff 


Diff: https://reviews.apache.org/r/73922/diff/4/

Changes: https://reviews.apache.org/r/73922/diff/3-4/


Testing
---

1. Verified the basic functionality of "/passwordchange" api
2. Verified "/secure/users" & "/secure/users/{id}" API’s

3. Once the basic review/discussion is done will fix the Test-cases


Thanks,

bhavik patel



Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

2022-04-08 Thread bhavik patel

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/
---

(Updated April 8, 2022, 1:55 p.m.)


Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay 
Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, 
Ramesh Mani, and Velmurugan Periasamy.


Bugs: RANGER-3687
https://issues.apache.org/jira/browse/RANGER-3687


Repository: ranger


Description
---

Password history should be configured to restrict users from reusing their last 
4 or 5 passwords.


Diffs (updated)
-

  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 26282f770 
  security-admin/db/mysql/patches/059-update-x-portal-user-table.sql 
PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
  security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java 
d0451b4d2 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
e2bfc8fff 


Diff: https://reviews.apache.org/r/73922/diff/3/

Changes: https://reviews.apache.org/r/73922/diff/2-3/


Testing
---

1. Verified the basic functionality of "/passwordchange" api
2. Verified "/secure/users" & "/secure/users/{id}" API’s

3. Once the basic review/discussion is done will fix the Test-cases


Thanks,

bhavik patel



Re: Review Request 73922: RANGER-3687: Password Policy Best Practices for Strong Security

2022-04-08 Thread Kirby Zhou


> On April 1, 2022, 6:04 a.m., Kirby Zhou wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
> > Line 1412 (original), 1424 (patched)
> > 
> >
> > It does not work for FIPS.
> > FIPS requires a random salt, so we cannot compare oldPassword and 
> > newPassword, encoded-oldPassword and encoded-newPassword directly,
> 
> bhavik patel wrote:
> That's true, and that’s the main reason I pinged in the Jira to discuss 
> the approach.
> 
> Kirby Zhou wrote:
> You can simply call the old version function in a loop.
> 
> bhavik patel wrote:
> if we execute in the loop then also the result will be the same unless we 
> have the old salt value.
> 
> bhavik patel wrote:
> @Kirby Zhou, If you have FIPS enabled environment then can you please 
> update this patch for the same and raise new Review Request(with all the 
> changes)

Read the old code, you actually have the old salt value. It is in the 
encoded-password.


- Kirby


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73922/#review224233
---


On April 1, 2022, 7:50 a.m., bhavik patel wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73922/
> ---
> 
> (Updated April 1, 2022, 7:50 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kirby Zhou, Abhay 
> Kulkarni, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, 
> Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3687
> https://issues.apache.org/jira/browse/RANGER-3687
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Password history should be configured to restrict users from reusing their 
> last 4 or 5 passwords.
> 
> 
> Diffs
> -
> 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 
> 26282f770 
>   security-admin/db/mysql/patches/059-update-x-portal-user-table.sql 
> PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 0e61038d5 
>   security-admin/src/main/java/org/apache/ranger/entity/XXPortalUser.java 
> d0451b4d2 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
> e2bfc8fff 
> 
> 
> Diff: https://reviews.apache.org/r/73922/diff/2/
> 
> 
> Testing
> ---
> 
> 1. Verified the basic functionality of "/passwordchange" api
> 2. Verified "/secure/users" & "/secure/users/{id}" API’s
> 
> 3. Once the basic review/discussion is done will fix the Test-cases
> 
> 
> Thanks,
> 
> bhavik patel
> 
>
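
The salt point raised in the exchange above, as an added example that is not part of the thread or of Ranger's code: with a random salt per hash, comparing encoded strings never detects reuse, but re-hashing the candidate with the salt stored inside each history entry does. The `salt$iterations$hash` storage format, PBKDF2-SHA256, the constants and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed parameters for this example; not Ranger's configuration.
ITERATIONS = 10_000
MAX_ITERATIONS = 1_000_000  # refuse absurd stored values (CPU exhaustion)
SALT_LEN = 16
HISTORY_DEPTH = 4  # the review description speaks of the last 4 or 5 passwords


def encode_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with a fresh random salt; return 'salt_hex$iterations$hash_hex'."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${ITERATIONS}${digest.hex()}"


def matches(password: str, encoded: str) -> bool:
    """Re-hash the candidate with the salt carried inside `encoded`."""
    salt_hex, iterations, hash_hex = encoded.split("$")  # ValueError if malformed
    rounds = int(iterations)
    if not 1 <= rounds <= MAX_ITERATIONS:
        raise ValueError("iteration count out of range")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), rounds
    )
    # Constant-time comparison of the raw digests.
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def naive_is_reused(new_password: str, history: List[str]) -> bool:
    """Broken check: encodes with a NEW salt, so the strings never match."""
    return encode_password(new_password) in history


def is_reused(new_password: str, history: List[str], depth: int = HISTORY_DEPTH) -> bool:
    """True if new_password equals any of the last `depth` stored passwords."""
    reused = False
    for encoded in history[-depth:]:
        try:
            # No early exit: every entry in the window is always evaluated.
            if matches(new_password, encoded):
                reused = True
        except ValueError:
            continue  # skip a malformed history entry instead of failing open
    return reused


def change_password(new_password: str, history: List[str],
                    depth: int = HISTORY_DEPTH) -> List[str]:
    """Reject a reused password, otherwise return the updated, trimmed history."""
    if is_reused(new_password, history, depth):
        raise ValueError("password was used recently")
    return (history + [encode_password(new_password)])[-depth:]


if __name__ == "__main__":
    # Constructed sample passwords, oldest first.
    stored = [encode_password(p) for p in ("Spring2021!", "Summer2021!", "Winter2021!")]
    print("naive check :", naive_is_reused("Winter2021!", stored))
    print("salted check:", is_reused("Winter2021!", stored))
```
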



Re: Review Request 73933: RANGER-3702 : Export policy in excel is failing

2022-04-08 Thread Kirby Zhou

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73933/#review224278
---


Ship it!




Ship It!

- Kirby Zhou


On April 8, 2022, 11:15 a.m., Mateen Mansoori wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73933/
> ---
> 
> (Updated April 8, 2022, 11:15 a.m.)
> 
> 
> Review request for ranger, bhavik patel, Madhan Neethiraj, Mehul Parikh, and 
> Pradeep Agrawal.
> 
> 
> Bugs: RANGER-3702
> https://issues.apache.org/jira/browse/RANGER-3702
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Due to missing dependency on classpath - Export policy in excel is failing 
> with the below error : 
> 
> java.lang.NoClassDefFoundError: org/apache/logging/log4j/LogManager
> at org.apache.poi.POIDocument.(POIDocument.java:65)
> 
> 
> Diffs
> -
> 
>   security-admin/pom.xml a2060e1c2 
> 
> 
> Diff: https://reviews.apache.org/r/73933/diff/2/
> 
> 
> Testing
> ---
> 
> - Build succeeded 
> - Test on local VM - policy export in excel,csv and json all are working fine.
> 
> 
> Thanks,
> 
> Mateen Mansoori
> 
>



Re: Review Request 73936: RANGER-3695 : Ranger Keystore alias should be configurable

2022-04-08 Thread Vishal Suvagia via Review Board


> On April 8, 2022, 4 a.m., bhavik patel wrote:
> > embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
> > Line 167 (original), 167 (patched)
> > 
> >
> > default should be "rangeradmin".
> 
> Vishal Suvagia wrote:
> Default is not required, it should be on the user to define the alias 
> value as it is configurable.
> 
> bhavik patel wrote:
> yeah, but if user doesn’t define then from the code it should set the 
> default value

Without the alias value also Ranger comes up fine. Hardcoding a value 
necessitates the keystore to be configured with that hard coded value.
This should not be the case and need to remove the hard coded value, only 
configure it if user defines it ?
Do you see any use case where this value is required mandatorily ?


- Vishal


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73936/#review224269
---


On April 7, 2022, 4:41 p.m., Vishal Suvagia wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73936/
> ---
> 
> (Updated April 7, 2022, 4:41 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, 
> Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan 
> Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3695
> https://issues.apache.org/jira/browse/RANGER-3695
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ranger requires keystore alias for TLS, However keystore alias should be  an 
> optional parameter, hence should be only configured
> if provided by the user.
> Fix contains changes to make the keystore alias optional.
> 
> 
> Diffs
> -
> 
>   
> embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
>  cae9075a7b7726ad5abf2b52f53f612d4223f712 
> 
> 
> Diff: https://reviews.apache.org/r/73936/diff/1/
> 
> 
> Testing
> ---
> 
> Validated changes on a local VM with TLS enabled.
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>



Re: Review Request 73933: RANGER-3702 : Export policy in excel is failing

2022-04-08 Thread Mateen Mansoori

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73933/
---

(Updated April 8, 2022, 11:15 a.m.)


Review request for ranger, bhavik patel, Madhan Neethiraj, Mehul Parikh, and 
Pradeep Agrawal.


Changes
---

Handled review comment.


Bugs: RANGER-3702
https://issues.apache.org/jira/browse/RANGER-3702


Repository: ranger


Description
---

Due to missing dependency on classpath - Export policy in excel is failing with 
the below error : 

java.lang.NoClassDefFoundError: org/apache/logging/log4j/LogManager
at org.apache.poi.POIDocument.(POIDocument.java:65)


Diffs (updated)
-

  security-admin/pom.xml a2060e1c2 


Diff: https://reviews.apache.org/r/73933/diff/2/

Changes: https://reviews.apache.org/r/73933/diff/1-2/


Testing
---

- Build succeeded 
- Test on local VM - policy export in excel,csv and json all are working fine.


Thanks,

Mateen Mansoori



Re: Review Request 73936: RANGER-3695 : Ranger Keystore alias should be configurable

2022-04-08 Thread bhavik patel


> On April 8, 2022, 4 a.m., bhavik patel wrote:
> > embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
> > Line 167 (original), 167 (patched)
> > 
> >
> > default should be "rangeradmin".
> 
> Vishal Suvagia wrote:
> Default is not required, it should be on the user to define the alias 
> value as it is configurable.

yeah, but if user doesn’t define then from the code it should set the default 
value


- bhavik


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73936/#review224269
---


On April 7, 2022, 4:41 p.m., Vishal Suvagia wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73936/
> ---
> 
> (Updated April 7, 2022, 4:41 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, 
> Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan 
> Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3695
> https://issues.apache.org/jira/browse/RANGER-3695
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ranger requires keystore alias for TLS, However keystore alias should be  an 
> optional parameter, hence should be only configured
> if provided by the user.
> Fix contains changes to make the keystore alias optional.
> 
> 
> Diffs
> -
> 
>   
> embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
>  cae9075a7b7726ad5abf2b52f53f612d4223f712 
> 
> 
> Diff: https://reviews.apache.org/r/73936/diff/1/
> 
> 
> Testing
> ---
> 
> Validated changes on a local VM with TLS enabled.
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>



Re: Review Request 73935: RANGER-3669 : Connection to DB fails for MySQL version above 8.0

2022-04-08 Thread Vishal Suvagia via Review Board

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73935/
---

(Updated April 8, 2022, 10:57 a.m.)


Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam 
Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, 
Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Apologies had uploaded a previous version of patch by mistake, updated with 
proper fix.


Bugs: RANGER-3669
https://issues.apache.org/jira/browse/RANGER-3669


Repository: ranger


Description
---

Ranger KMS db setup script needs to be updated to support MySql versions 
greater than 8.0
Made changes to allow non-ssl connection with DB for Mysql version greater than 
8.0
made a fix to allow user to define the custom jdbc url which can be used in 
db-setup.
Added missing change for Ranger Admin db-setup in RANGER-3647


Diffs
-

  kms/scripts/db_setup.py 165e30d89443b7e8244ed965c34a5d7219e7d1f3 
  kms/scripts/install.properties 780509dcdd06c13e84f1a860213eb28f3556fa26 
  security-admin/scripts/db_setup.py eaae5c8990724d7ead703d747140a0c3c49289d7 


Diff: https://reviews.apache.org/r/73935/diff/1/


Testing
---

Validated changes locally with available Mysql-8.0 release.


File Attachments (updated)


RANGER-3669.01.patch
  
https://reviews.apache.org/media/uploaded/files/2022/04/08/48106a24-5c65-47d3-b971-7b69f5d7bb79__RANGER-3669.01.patch


Thanks,

Vishal Suvagia



Re: Review Request 73936: RANGER-3695 : Ranger Keystore alias should be configurable

2022-04-08 Thread Vishal Suvagia via Review Board


> On April 8, 2022, 4 a.m., bhavik patel wrote:
> > embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
> > Line 167 (original), 167 (patched)
> > 
> >
> > default should be "rangeradmin".

Default is not required, it should be on the user to define the alias value as 
it is configurable.


- Vishal


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73936/#review224269
---


On April 7, 2022, 4:41 p.m., Vishal Suvagia wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73936/
> ---
> 
> (Updated April 7, 2022, 4:41 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, 
> Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan 
> Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3695
> https://issues.apache.org/jira/browse/RANGER-3695
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ranger requires keystore alias for TLS, However keystore alias should be  an 
> optional parameter, hence should be only configured
> if provided by the user.
> Fix contains changes to make the keystore alias optional.
> 
> 
> Diffs
> -
> 
>   
> embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
>  cae9075a7b7726ad5abf2b52f53f612d4223f712 
> 
> 
> Diff: https://reviews.apache.org/r/73936/diff/1/
> 
> 
> Testing
> ---
> 
> Validated changes on a local VM with TLS enabled.
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>



[jira] [Updated] (RANGER-3669) Connection to DB fails for MySQL version above 8.0

2022-04-08 Thread Vishal Suvagia (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3669?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vishal Suvagia updated RANGER-3669:
---
Attachment: RANGER-3669.01.patch

> Connection to DB fails for MySQL version above 8.0
> --
>
> Key: RANGER-3669
> URL: https://issues.apache.org/jira/browse/RANGER-3669
> Project: Ranger
>  Issue Type: Improvement
>  Components: kms
>Affects Versions: 3.0.0
>Reporter: Vishal Suvagia
>Assignee: Vishal Suvagia
>Priority: Major
> Attachments: RANGER-3669.01.patch, RANGER-3669.patch
>
>
> Observed that Ranger KMS DB setup fails when using with MySQL version above 
> 8.0.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Assigned] (RANGER-3019) Typo in UserGroupSyncConfig

2022-04-08 Thread Bhavik Patel (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3019?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bhavik Patel reassigned RANGER-3019:


Assignee: Sailaja Polavarapu  (was: Bhavik Patel)

> Typo in UserGroupSyncConfig
> ---
>
> Key: RANGER-3019
> URL: https://issues.apache.org/jira/browse/RANGER-3019
> Project: Ranger
>  Issue Type: Bug
>  Components: usersync
>Reporter: Dave Beech
>Assignee: Sailaja Polavarapu
>Priority: Trivial
>
> [https://github.com/apache/ranger/blob/master/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java#L156]
> {{private static final String DEFAULT_OTHER_USER_ATTRIBUTES = 
> "userurincipaluame,";}}
> seems like it should be userprincipalname



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Resolved] (RANGER-2159) AdminWebUI start - wrong ranger.service.https.attrib.keystore.keyalias does not throw excpetion

2022-04-08 Thread Bhavik Patel (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2159?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bhavik Patel resolved RANGER-2159.
--
Resolution: Duplicate

> AdminWebUI start - wrong ranger.service.https.attrib.keystore.keyalias does 
> not throw excpetion
> ---
>
> Key: RANGER-2159
> URL: https://issues.apache.org/jira/browse/RANGER-2159
> Project: Ranger
>  Issue Type: Bug
>  Components: admin
>Affects Versions: 1.1.0
>Reporter: t oo
>Priority: Major
>
> With all ssl values configured but 
> ranger.service.https.attrib.keystore.keyalias having a value of an alias name 
> that does not exist in the jks of the file referred to by 
> ranger.https.attrib.keystore.file. Then run ranger-admin start, the process 
> launches, no errors/exceptions BUT netstat -anp reveals no process listening 
> on port 6182, curl/browser does not resolve for port 6182.
>  
> Purpose of this Jira is to make the ranger-admin process exit and print an 
> exception whenever the tomcat webserver does not listen on 6182, rather than 
> current behavior now where admin process stays running.
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Commented] (RANGER-3696) java.lang.NoClassDefFoundError: org/slf4j/LoggerFactory

2022-04-08 Thread kirby zhou (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3696?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17519475#comment-17519475
 ] 

kirby zhou commented on RANGER-3696:


[https://reviews.apache.org/r/73938/]

Need more people to test.

 

 

> java.lang.NoClassDefFoundError: org/slf4j/LoggerFactory
> ---
>
> Key: RANGER-3696
> URL: https://issues.apache.org/jira/browse/RANGER-3696
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
>Affects Versions: 2.2.0
> Environment: Apache Ranger ElasticSearch Plugin: 
> ranger-2.2.0-elasticsearch-plugin.tar.gz
> elasticsearch version: 7.6.0 
> OS: Ubuntu 20.04.4
>Reporter: MohdSiddique Bagwan
>Priority: Blocker
>
> Please find the versions I am using 
> *Apache Ranger ElasticSearch Plugin:* ranger-2.2.0-elasticsearch-plugin.tar.gz
> *elasticsearch version:* 7.6.0 
> *OS:* Ubuntu 20.04.4
> I installed the apache ranger elasticsearch plugin on elastic search host, 
> while starting elasticsearch service I am getting below error:
> Note: Without ranger plugin the elasticsearch plugin is working perfect. It 
> would be very helpful if you redirect me to documentation on how to install 
> ranger-2.2.0-elasticsearch-plugin.tar.gz on 7.6.0 & above. 
> {code:java}
> service elasticsearch start
>  * Starting Elasticsearch Server                                              
>                                                                               
>                                                sysctl: setting key 
> "vm.max_map_count", ignoring: Read-only file system
> OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in 
> version 9.0 and will likely be removed in a future release.
>                                                                               
>                                                                               
>                                         [ OK ]
> root@3b8fcbe634f3:~# fatal error in thread [main], exiting
> java.lang.NoClassDefFoundError: org/slf4j/LoggerFactory
>         at 
> org.apache.ranger.authorization.elasticsearch.plugin.RangerElasticsearchPlugin.(RangerElasticsearchPlugin.java:52)
>         at 
> java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native
>  Method)
>         at 
> java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>         at 
> java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>         at 
> java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500)
>         at 
> java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:481)
>         at 
> org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:607)
>         at 
> org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556)
>         at 
> org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471)
>         at 
> org.elasticsearch.plugins.PluginsService.(PluginsService.java:163)
>         at org.elasticsearch.node.Node.(Node.java:313)
>         at org.elasticsearch.node.Node.(Node.java:257)
>         at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:221)
>         at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:221)
>         at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:349)
>         at 
> org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:170)
>         at 
> org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:161)
>         at 
> org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
>         at 
> org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:125)
>         at org.elasticsearch.cli.Command.main(Command.java:90)
>         at 
> org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126)
>         at 
> org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92)
> Caused by: java.lang.ClassNotFoundException: org.slf4j.LoggerFactory
>         at 
> java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:436)
>         at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:588)
>         at 
> java.base/java.net.FactoryURLClassLoader.loadClass(URLClassLoader.java:864)
>         at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
>         ... 22 more {code}



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


Review Request 73938: RANGER-3696 add log4j2 binding to elasticsearch plugin

2022-04-08 Thread Kirby Zhou

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73938/
---

Review request for ranger.


Bugs: RANGER-3696
https://issues.apache.org/jira/browse/RANGER-3696


Repository: ranger


Description
---

elasticsearch plugin use slf4j, but elasticsearch takes log4j2.
And there is no log4j and slf4j adapter existing.

So need to add slf4j-api and its log4j2 binding to dist package


Diffs
-

  distro/src/main/assembly/plugin-elasticsearch.xml 0b8aaee27 
  pom.xml 5afaa39ff 
  ranger-elasticsearch-plugin-shim/pom.xml 5a02be9b5 
  ranger-plugin-classloader/pom.xml bcc02812a 


Diff: https://reviews.apache.org/r/73938/diff/1/


Testing
---

Need somebody to verify, I can just do very simple test.


Thanks,

Kirby Zhou



[jira] [Resolved] (RANGER-2889) hbase access failed where hbase.security.authorization is true

2022-04-08 Thread Bhavik Patel (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2889?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bhavik Patel resolved RANGER-2889.
--
Resolution: Not A Problem

> hbase access failed where hbase.security.authorization is true
> --
>
> Key: RANGER-2889
> URL: https://issues.apache.org/jira/browse/RANGER-2889
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
>Affects Versions: 2.0.0
>Reporter: Chao Wang
>Priority: Major
>
> hbase.security.authorization is true in hbase-site-changes.cfg.after 
> HBASE-22375, HBase authorization both AccessChecker and AccessController. if 
> hbase.security.authorization is true, hbase acl will open, so AccessChecker 
> will check authorization. but only we want to ranger, hbase acl table is 
> null. finally I hope alter hbase.security.authorization to false , because 
> RangerAuthorizationCoprocessor do not use this configuration.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Assigned] (RANGER-3019) Typo in UserGroupSyncConfig

2022-04-08 Thread Bhavik Patel (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3019?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bhavik Patel reassigned RANGER-3019:


Assignee: Bhavik Patel

> Typo in UserGroupSyncConfig
> ---
>
> Key: RANGER-3019
> URL: https://issues.apache.org/jira/browse/RANGER-3019
> Project: Ranger
>  Issue Type: Bug
>  Components: usersync
>Reporter: Dave Beech
>Assignee: Bhavik Patel
>Priority: Trivial
>
> [https://github.com/apache/ranger/blob/master/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java#L156]
> {{private static final String DEFAULT_OTHER_USER_ATTRIBUTES = 
> "userurincipaluame,";}}
> seems like it should be userprincipalname



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Commented] (RANGER-3113) AccessType 'configure' should be replaced by 'alter' in plugin-kafka

2022-04-08 Thread Bhavik Patel (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3113?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17519468#comment-17519468
 ] 

Bhavik Patel commented on RANGER-3113:
--

can you please update the patch at review board ?

> AccessType 'configure' should be replaced by 'alter' in plugin-kafka
> 
>
> Key: RANGER-3113
> URL: https://issues.apache.org/jira/browse/RANGER-3113
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Affects Versions: 2.0.0, 2.1.0
>Reporter: rujia
>Priority: Minor
>
> kafka-plugin map 'alter' ACL to 'configure' AccessType now, and it is better 
> to use 'alter' instead of configure in ranger



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Resolved] (RANGER-3164) Fix build ranger-base docker image error

2022-04-08 Thread Bhavik Patel (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3164?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bhavik Patel resolved RANGER-3164.
--
Resolution: Not A Problem

Try with the latest master branch commit.

Feel free to reopen.

> Fix build ranger-base docker image error
> 
>
> Key: RANGER-3164
> URL: https://issues.apache.org/jira/browse/RANGER-3164
> Project: Ranger
>  Issue Type: Improvement
>  Components: build-infra
>Reporter: Xie Lei
>Priority: Major
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> !image-2021-01-28-09-26-38-962.png!



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Resolved] (RANGER-3181) Avoid using plaintext/hard-coded key while generating secret key

2022-04-08 Thread Bhavik Patel (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3181?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bhavik Patel resolved RANGER-3181.
--
Resolution: Not A Problem

> Avoid using plaintext/hard-coded key while generating secret key
> 
>
> Key: RANGER-3181
> URL: https://issues.apache.org/jira/browse/RANGER-3181
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Md Mahir Asef Kabir
>Priority: Major
>
> We are a security research team at Virginia Tech. We are doing an empirical 
> study about the usefulness of the existing security vulnerability detection 
> tools. The following is a reported vulnerability by certain tools. We'll so 
> appreciate it if you can give any feedback on it.
> *Security Location:* 
> in file 
> [https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java]
>  in line 76, new PBEKeySpec(encryptKey) is invoked with hard-code key, which 
> is defined in line 125.
> *Security Impact:* 
> Cryptographic keys should not be kept in the source code. The source code can 
> be widely shared in an enterprise environment and is certainly shared in open 
> source. The use of a hard-coded cryptographic key significantly increases the 
> possibility that encrypted data may be recovered.
> *suggestions:*
> To be managed safely, passwords and secret keys should be stored in separate 
> configuration files. 
> Useful link:
> [https://cwe.mitre.org/data/definitions/321.html]
> [https://www.appmarq.com/public/tqi,1039028,CWE-327-Avoid-weak-encryption-providing-not-sufficient-key-size-JEE]
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Resolved] (RANGER-3183) Avoid insufficient iteration length in creating PBE #882

2022-04-08 Thread Bhavik Patel (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3183?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bhavik Patel resolved RANGER-3183.
--
Resolution: Not A Problem

iteration parameter is configurable, you can update the properties for your 
cluster.

> Avoid insufficient iteration length in creating PBE #882
> 
>
> Key: RANGER-3183
> URL: https://issues.apache.org/jira/browse/RANGER-3183
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Md Mahir Asef Kabir
>Priority: Major
>
> We found a security vulnerability in file: 
> [https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java]
>  line 311, PBEParameterSpec used a iteration = 20
> Security Impact:
> To achieve strong encryption, the iteration should be larger than 1000.
> Useful links:
> [https://vulncat.fortify.com/en/detail?id=desc.semantic.cpp.weak_cryptographic_hash_hardcoded_pbe_salt]
> [https://cwe.mitre.org/data/definitions/760.html]
> [http://www.crypto-it.net/eng/theory/pbe.html#part_salt]
> [https://www.appmarq.com/public/tqi,1039022,CWE-916Cryptographic-HashAvoid-using-Insecure-PBE-Iteration-Count]
> Solution we suggest
> We suggest setting the iteration larger than 1000
> Please share with us your opinions/comments if there is any
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Commented] (RANGER-2737) Ranger REST API returns different infomation when GET user by id and by name

2022-04-08 Thread Bhavik Patel (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-2737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17519458#comment-17519458
 ] 

Bhavik Patel commented on RANGER-2737:
--

can you please put your patch at review board : https://reviews.apache.org

> Ranger REST API returns different infomation when GET user by id and by name
> 
>
> Key: RANGER-2737
> URL: https://issues.apache.org/jira/browse/RANGER-2737
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Yijun Wang
>Priority: Major
> Attachments: RANGER-2737.patch
>
>
> [https://github.com/apache/ranger/blob/master/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java]
> @Path("/users/userName/{userName}") - return XUserInfo without a group list
> @Path("/users/{id}") - return XUserInfo with a group list
> If no specific reasons, they should return the same information.





[jira] [Resolved] (RANGER-2926) Issue in setting up Audit Log with ElasticSearch

2022-04-08 Thread Bhavik Patel (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2926?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bhavik Patel resolved RANGER-2926.
--
Resolution: Not A Problem

Feel free to reopen.

> Issue in setting up Audit Log with ElasticSearch 
> -
>
> Key: RANGER-2926
> URL: https://issues.apache.org/jira/browse/RANGER-2926
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 2.0.0
>Reporter: Bhanu
>Priority: Major
>
> Hi,
> We are using Ranger 2.1.0.
> Trying to setup AuditLog with ElasticSearch Server having version 7.0.1
> We have configured the Ranger with all details but there is an error that is 
> keep on coming as below. Please let me know where we are going wrong here. We 
> have tried recreating the index multiple times with all below parameters
> 2020-07-27T13:08:35.233Z ERROR org.apache.ranger.audit.queue.AuditBatchQueue0 
> org.apache.ranger.audit.provider.BaseAuditHandler Error sending message to 
> ElasticSearch
> org.elasticsearch.action.ActionRequestValidationException: Validation Failed: 
> 1: type is missing;2: type is missing;
>  at org.elasticsearch.action.bulk.BulkRequest.validate(BulkRequest.java:393)
>  at 
> org.elasticsearch.client.RestHighLevelClient.performRequest(RestHighLevelClient.java:1480)
>  at 
> org.elasticsearch.client.RestHighLevelClient.performRequestAndParseEntity(RestHighLevelClient.java:1454)
>  at 
> org.elasticsearch.client.RestHighLevelClient.bulk(RestHighLevelClient.java:497)
>  at 
> org.apache.ranger.audit.destination.ElasticSearchAuditDestination.log(ElasticSearchAuditDestination.java:125)
>  at 
> org.apache.ranger.audit.queue.AuditBatchQueue.runLogAudit(AuditBatchQueue.java:309)
>  at 
> org.apache.ranger.audit.queue.AuditBatchQueue.run(AuditBatchQueue.java:215)
>  at java.base/java.lang.Thread.run(Thread.java:834)
> 2020-07-27T13:08:35.233Z WARN org.apache.ranger.audit.queue.AuditBatchQueue0 
> org.apache.ranger.audit.provider.BaseAuditHandler failed to log audit event: 
> \{"repoType":17,"repo":"prestostg-tkg","reqUser":"bdasari","evtTime":"2020-07-27
>  
> 13:08:35.102","resource":"hive_stg/ref_maritz","resType":"schema","action":"select","result":1,"agent":"presto","policy":21,"enforcer":"ranger-acl","agentHost":"coordinator2-694c5dbbb6-msh58","logType":"RangerAudit","id":"f733c835-c9ee-4507-b917-9eb822303d2b-792211","seq_num":1584423,"event_count":1,"event_dur_ms":0,"tags":[],"cluster_name":"","policy_version":148},
>  errorMessage=
> 2020-07-27T13:08:35.233Z WARN org.apache.ranger.audit.queue.AuditBatchQueue0 
> org.apache.ranger.audit.provider.BaseAuditHandler Log failure count: 4 in 
> past 01:30.003 minutes; 792212 during process lifetime





[jira] [Resolved] (RANGER-3380) After building, while trying to deploy ranger-admin getting some generic errors.

2022-04-08 Thread Bhavik Patel (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3380?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bhavik Patel resolved RANGER-3380.
--
Resolution: Not A Problem

> After building, while trying to deploy ranger-admin getting some generic 
> errors.
> 
>
> Key: RANGER-3380
> URL: https://issues.apache.org/jira/browse/RANGER-3380
> Project: Ranger
>  Issue Type: Bug
>  Components: admin
>Affects Versions: 2.1.0
> Environment: centos 6 base aws ec2
>Reporter: ajay
>Priority: Blocker
>
> Getting these two errors when trying to deploy ranger after building from 
> source(which had multiple warnings)
> Error: Could not find or load main class org.apache.util.sql.Jisql
> _/usr/local/ranger-2.1.1-SNAPSHOT-admin/ews/webapp/WEB-INF/lib: Not a 
> directory_
> _Error: Could not find or load main class 
> org.apache.ranger.common.RangerVersionInfo_





[jira] [Commented] (RANGER-3409) Update Jackson and remove Codehaus version

2022-04-08 Thread Bhavik Patel (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17519453#comment-17519453
 ] 

Bhavik Patel commented on RANGER-3409:
--

Can you please update the patch with the latest commit.

> Update Jackson and remove Codehaus version
> --
>
> Key: RANGER-3409
> URL: https://issues.apache.org/jira/browse/RANGER-3409
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 3.0.0
>Reporter: Andrew Charneski
>Priority: Major
>
> An old version of Jackson (Codehaus Jackson 1.9.13) is still being used. 
> Jackson has since moved namespaces with a reorganized library structure. 
> Update all references to the older version to use the newer version (which is 
> currently used in some modules).





[jira] [Commented] (RANGER-3632) Improve ranger logs, RENAME_ON_ROTATE and others

2022-04-08 Thread kirby zhou (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17519424#comment-17519424
 ] 

kirby zhou commented on RANGER-3632:


 

[~pradeep]  [~bpatel]  Please check it again.

[https://reviews.apache.org/r/73884/]

 

Note: there are some bugs in the review system.

My new patch only adds logback-test.xml for new, do not touch the following 
files, but review system tells me they changed

dev-support/ranger-docker/scripts/ranger-admin-install-postgres.properties    
dev-support/ranger-docker/scripts/ranger-admin-install.properties    
security-admin/scripts/db_setup.py    
security-admin/scripts/install.properties    
security-admin/scripts/setup.sh    
security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml    
tagsync/scripts/setup.py    
unixauthservice/scripts/setup.py

 

> Improve ranger logs,  RENAME_ON_ROTATE and others
> -
>
> Key: RANGER-3632
> URL: https://issues.apache.org/jira/browse/RANGER-3632
> Project: Ranger
>  Issue Type: Improvement
>  Components: admin, kms
>Affects Versions: 3.0.0, 2.3.0
>Reporter: kirby zhou
>Assignee: kirby zhou
>Priority: Major
> Fix For: 3.0.0, 2.3.0
>
>
> Currently, the filename of the access-log in use has a timestamp as the 
> suffix. This brings trouble to some log monitoring and analysis programs, 
> such as "tail -f access-log"
> Need to add an option to enable tomcat's RenameOnRotate capability to fix the 
> file name of access-log.
>  
> {code:java}
> // in EmbeddedServer::start()
> valve.setRenameOnRotate(
>     EmbeddedServerUtil.getConfig(ACCESS_LOG_RENAME_ON_ROTATE, false)
> );{code}
>  





[jira] [Commented] (RANGER-3691) Upgrade spring to 5.3.18 CVE-2022-22965

2022-04-08 Thread kirby zhou (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3691?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17519414#comment-17519414
 ] 

kirby zhou commented on RANGER-3691:


Way 1:  migrate from log4j to slf4j/logback log system

I think it is too heavy for 2.2.1, there are series of patches. 

 
{code:java}
db99f639017bc9bbd71a7c5772adc1545ca83ec0 
RANGER-3632: accesslog RENAME_ON_ROTATE, del log4j remains
 
7f81994d9bcfd29f07a18ab3554204dff5cbe4b6
RANGER-3631: logback.xml updated to fix incorrect format, set maxHistory=15 and 
cleanHistoryOnStart=true
 
54d491cdee6f2704b7862e45c03317fc8536bf68
RANGER-3498 : RANGER : Remove log4j1 dependencies.
 
cec500b00e6c979196b6a1ed59df5817dc25e204
RANGER-3498: replaced use of org.apache.log4j and org.apache.commons.logging 
with org.slf4j {code}
Way 2: upgrade log4j2 to latest 2.17.2, 

You can refer to this commit and rewrite a commit.
{code:java}
ac27d800e1494ee045cc374252799d50fdfbc060
RANGER-3547:Upgrade to use log4j 2.16.0+ version to ensure that we are using 
supported version of log4j {code}

> Upgrade spring to 5.3.18 CVE-2022-22965
> ---
>
> Key: RANGER-3691
> URL: https://issues.apache.org/jira/browse/RANGER-3691
> Project: Ranger
>  Issue Type: Bug
>  Components: admin, kms
>Reporter: kirby zhou
>Assignee: kirby zhou
>Priority: Blocker
> Fix For: 3.0.0
>
>
> [https://tanzu.vmware.com/security/cve-2022-22965|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965]
> [https://github.com/spring-projects/spring-framework/releases]
>  
> Spring has a new 0day Remote-Code-Execution problem, related to spring-beans 
> and JDK9+
> Fixed at spring 5.3.18 / 5.2.20
>  





[jira] [Commented] (RANGER-3632) Improve ranger logs, RENAME_ON_ROTATE and others

2022-04-08 Thread kirby zhou (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3632?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17519399#comment-17519399
 ] 

kirby zhou commented on RANGER-3632:


Some testcase can cause NullPointerException when log level == DEBUG.
 # TestSecurityZoneREST.java at 
org.apache.ranger.plugin.model.RangerSecurityZone$RangerSecurityZoneService.toString
 # TestPolicyDb.java at 
org.apache.ranger.plugin.policyengine.RangerPolicyRepository.init
 # TestUserMgr.java at org.apache.ranger.biz.UserMgr.updateRoleForExternalUsers

Before RANGER-3632 commit, these problems are hidden by 
"src/main/webapp/WEB-INF/logback.xml".

Now I can add a file to hide it again,  

"security-admin/src/test/resources/logback-test.xml"
{code:java}



  
  

 {code}
 

> Improve ranger logs,  RENAME_ON_ROTATE and others
> -
>
> Key: RANGER-3632
> URL: https://issues.apache.org/jira/browse/RANGER-3632
> Project: Ranger
>  Issue Type: Improvement
>  Components: admin, kms
>Affects Versions: 3.0.0, 2.3.0
>Reporter: kirby zhou
>Assignee: kirby zhou
>Priority: Major
> Fix For: 3.0.0, 2.3.0
>
>
> Currently, the filename of the access-log in use has a timestamp as the 
> suffix. This brings trouble to some log monitoring and analysis programs, 
> such as "tail -f access-log"
> Need to add an option to enable tomcat's RenameOnRotate capability to fix the 
> file name of access-log.
>  
> {code:java}
> // in EmbeddedServer::start()
> valve.setRenameOnRotate(
>     EmbeddedServerUtil.getConfig(ACCESS_LOG_RENAME_ON_ROTATE, false)
> );{code}
>  





[jira] [Updated] (RANGER-3693) Ranger - Upgrade tomcat to 8.5.78

2022-04-08 Thread Bhavik Patel (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bhavik Patel updated RANGER-3693:
-
Fix Version/s: 3.0.0

> Ranger - Upgrade tomcat to 8.5.78
> -
>
> Key: RANGER-3693
> URL: https://issues.apache.org/jira/browse/RANGER-3693
> Project: Ranger
>  Issue Type: Task
>  Components: Ranger
>Affects Versions: 3.0.0
>Reporter: Mateen N Mansoori
>Assignee: Mateen Mansoori
>Priority: Major
> Fix For: 3.0.0
>
>
> Currently ranger is pulling tomcat - 8.5.76, This task is to upgrade tomcat 
> version to 8.5.78.





[jira] [Commented] (RANGER-3693) Ranger - Upgrade tomcat to 8.5.78

2022-04-08 Thread Bhavik Patel (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17519352#comment-17519352
 ] 

Bhavik Patel commented on RANGER-3693:
--

master branch commit link: 
https://github.com/apache/ranger/commit/fe158d5ba36ebbb0ded649121adfa765f6b1a1d7

> Ranger - Upgrade tomcat to 8.5.78
> -
>
> Key: RANGER-3693
> URL: https://issues.apache.org/jira/browse/RANGER-3693
> Project: Ranger
>  Issue Type: Task
>  Components: Ranger
>Reporter: Mateen N Mansoori
>Assignee: Mateen Mansoori
>Priority: Major
>
> Currently ranger is pulling tomcat - 8.5.76, This task is to upgrade tomcat 
> version to 8.5.78.





Re: Review Request 73933: RANGER-3702 : Export policy in excel is failing

2022-04-08 Thread Kirby Zhou

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73933/#review224274
---




security-admin/pom.xml
Lines 749 (patched)


org.apache.logging.log4j:log4j-to-slf4j is required too. Otherwise your 
log4j4 api log is standalone from slf4j-logback system


- Kirby Zhou


On April 7, 2022, 8:43 a.m., Mateen Mansoori wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73933/
> ---
> 
> (Updated April 7, 2022, 8:43 a.m.)
> 
> 
> Review request for ranger, bhavik patel, Madhan Neethiraj, Mehul Parikh, and 
> Pradeep Agrawal.
> 
> 
> Bugs: RANGER-3702
> https://issues.apache.org/jira/browse/RANGER-3702
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Due to missing dependency on classpath - Export policy in excel is failing 
> with the below error : 
> 
> java.lang.NoClassDefFoundError: org/apache/logging/log4j/LogManager
> at org.apache.poi.POIDocument.(POIDocument.java:65)
> 
> 
> Diffs
> -
> 
>   security-admin/pom.xml a2060e1c2 
> 
> 
> Diff: https://reviews.apache.org/r/73933/diff/1/
> 
> 
> Testing
> ---
> 
> - Build succeeded 
> - Test on local VM - policy export in excel,csv and json all are working fine.
> 
> 
> Thanks,
> 
> Mateen Mansoori
> 
>



[jira] [Updated] (RANGER-2892) NoClassDefFoundError occur when HDFS write audit to ES

2022-04-08 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2892?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-2892:

Summary: NoClassDefFoundError occur when HDFS write audit to ES  (was: 
NoClassDeFoundError occur when HDFS write audit to ES)

> NoClassDefFoundError occur when HDFS write audit to ES
> --
>
> Key: RANGER-2892
> URL: https://issues.apache.org/jira/browse/RANGER-2892
> Project: Ranger
>  Issue Type: Bug
>  Components: audit
>Reporter: rujia
>Priority: Major
>
> When enable audit for es, HDFS will throw NoClassDefFoundError: 
> org.apache.logging.log4j.LogManager, it misses log4j-api in its classpath.





[jira] [Resolved] (RANGER-2892) NoClassDeFoundError occur when HDFS write audit to ES

2022-04-08 Thread Bhavik Patel (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2892?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bhavik Patel resolved RANGER-2892.
--
Resolution: Duplicate

> NoClassDeFoundError occur when HDFS write audit to ES
> -
>
> Key: RANGER-2892
> URL: https://issues.apache.org/jira/browse/RANGER-2892
> Project: Ranger
>  Issue Type: Bug
>  Components: audit
>Reporter: rujia
>Priority: Major
>
> When enable audit for es, HDFS will throw NoClassDefFoundError: 
> org.apache.logging.log4j.LogManager, it misses log4j-api in its classpath.





Re: Review Request 73841: RANGER-3612: Ranger plugin should cause kms to fail at startup when auth to krb5 failed.

2022-04-08 Thread Kirby Zhou


> On April 8, 2022, 6:12 a.m., bhavik patel wrote:
> > your patch is Supporting auto recovery when KDC is down for sometime?

If KDC is up at startup, and then down for sometime, This situation is already 
supported by the old code.

My patch is to let KMS quit directly if it can't connect to KDC or fails to 
authenticate during the startup phase.


- Kirby


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73841/#review224272
---


On March 2, 2022, 3:51 a.m., Kirby Zhou wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73841/
> ---
> 
> (Updated March 2, 2022, 3:51 a.m.)
> 
> 
> Review request for ranger, Bhavik Bavishi, Dhaval Shah, Dineshkumar Yadav, 
> Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen 
> Mansoori, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, VaradreawiZTV 
> VaradreawiZTV, Vishal Suvagia, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3612
> https://issues.apache.org/jira/browse/RANGER-3612
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> If we install ranger agent to KMS, the agent would auth itself to KDC at 
> startup. But if it failed due to network or keytab problem, it just print a 
> log in ranger-kms-.log, and the KMS can never recover to refresh 
> its policies.
> 
> ]$ tail -f log/ranger-kms-ranger_kms-.log  | fgrep ERROR 
> 2022-02-09 19:00:18,227 ERROR MiscUtil - Failed to login with given keytab 
> and principal
> 
> There seems only one chance for plugin to auth to KDC, so it can not auto 
> recover.
> And MiscUtil.authWithKerberos never fail when auth failed, so KMS would not 
> die when the plugin failed.
> 
> This situation is too unfriendly to administrators. 
> KMS should either Die or Auto-Recover when its ranger-agent auth to KDC 
> failed.
> 
> My patch here is let it die on startup. Auto recovery is only useful when KDC 
> temporarily unavailable.
> 
> 
> Diffs
> -
> 
>   agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java 
> b69e27693 
>   
> plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
>  799eb322c 
>   
> ranger-kms-plugin-shim/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
>  7fa36ce79 
> 
> 
> Diff: https://reviews.apache.org/r/73841/diff/1/
> 
> 
> Testing
> ---
> 
> mvn clean compile package test
> 
> 
> Thanks,
> 
> Kirby Zhou
> 
>



[jira] [Commented] (RANGER-3492) Support update when loading serviceDef json file during initialization

2022-04-08 Thread Bhavik Patel (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3492?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17519328#comment-17519328
 ] 

Bhavik Patel commented on RANGER-3492:
--

please update the patch at review board 

> Support update when loading serviceDef  json file during initialization
> ---
>
> Key: RANGER-3492
> URL: https://issues.apache.org/jira/browse/RANGER-3492
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Affects Versions: 2.1.0
>Reporter: Hervor
>Priority: Major
>  Labels: patch
> Attachments: 
> 0001-RANGER_3492-Support-update-when-loading-serviceDef-j.patch
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> Support update when loading serviceDef  json file during initialization
> improve getOrCreateServiceDef()  to support update serviceDef json file





[jira] [Commented] (RANGER-3648) Alt-text hover-over for long policy names

2022-04-08 Thread Nitin Galave (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17519326#comment-17519326
 ] 

Nitin Galave commented on RANGER-3648:
--

This looks good

> Alt-text hover-over for long policy names
> -
>
> Key: RANGER-3648
> URL: https://issues.apache.org/jira/browse/RANGER-3648
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Ryan Jendoubi
>Priority: Minor
> Attachments: image-2022-02-28-16-00-58-330.png, 
> image-2022-02-28-16-02-46-830.png
>
>
> *As a* user of the Ranger UI
> *I want* to see the full names of policies without clicking in to them, even 
> if the names are quite long
> *So that* I don't have to navigate or open modal dialogs to differentiate 
> policies with long names which may begin the same way.
> This is often achieved in other software by using the browser's built-in 
> behaviour for alt tags to make a simple "pop up" when the element is hovered 
> over.





[jira] [Assigned] (RANGER-3623) Add ability to enable anonymous download of policy/role/tag

2022-04-08 Thread Bhavik Patel (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3623?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bhavik Patel reassigned RANGER-3623:


Assignee: kirby zhou

> Add ability to enable anonymous download of policy/role/tag
> ---
>
> Key: RANGER-3623
> URL: https://issues.apache.org/jira/browse/RANGER-3623
> Project: Ranger
>  Issue Type: Improvement
>  Components: admin
>Affects Versions: 3.0.0, 2.3.0
>Reporter: kirby zhou
>Assignee: kirby zhou
>Priority: Major
> Attachments: add-downloadonly-option.patch
>
>
> Currently, we have an option ranger.admin.allow.unauthenticated.access to 
> allow unauthenticated clients to perform a series of API operations. This 
> option allows the client to perform both dangerous grant/revoke permission 
> operation and relatively safe download operation.
> In many cases, allowing anonymous downloading of policy is not a serious risk 
> problem. On the contrary, the complicated kerberos and SSL settings make it 
> difficult for ranger plugin embedded in third-party services to complete the 
> task of refreshing policy, which may be a bigger problem. In particular, 
> refresh failure often has no obvious features for administrators to discover.
> Therefore, I suggest that ranger increase the ability to allow client to 
> download policy/tag/roles anonymously.
> There are two ways to achieve it.
>  
> 1. Just limit the ability of  "ranger.admin.allow.unauthenticated.access=true"
> which needs to modify 
> "security-admin/src/main/resources/conf.dist/security-applicationContext.xml" 
> to remove dangerous operations from '
> security="none"'.
>  
> 2. Add a candidate value "downloadonly" to 
> "ranger.admin.allow.unauthenticated.access"
> Which needs modify ServiceRest.Java and BizUtil.java to implement the 
> enhanced checking logic. 
>  
> I have a patch for method2





Re: Review Request 73841: RANGER-3612: Ranger plugin should cause kms to fail at startup when auth to krb5 failed.

2022-04-08 Thread bhavik patel

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73841/#review224272
---



your patch is Supporting auto recovery when KDC is down for sometime?

- bhavik patel


On March 2, 2022, 3:51 a.m., Kirby Zhou wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73841/
> ---
> 
> (Updated March 2, 2022, 3:51 a.m.)
> 
> 
> Review request for ranger, Bhavik Bavishi, Dhaval Shah, Dineshkumar Yadav, 
> Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen 
> Mansoori, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, VaradreawiZTV 
> VaradreawiZTV, Vishal Suvagia, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3612
> https://issues.apache.org/jira/browse/RANGER-3612
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> If we install ranger agent to KMS, the agent would auth itself to KDC at 
> startup. But if it failed due to network or keytab problem, it just print a 
> log in ranger-kms-.log, and the KMS can never recover to refresh 
> its policies.
> 
> ]$ tail -f log/ranger-kms-ranger_kms-.log  | fgrep ERROR 
> 2022-02-09 19:00:18,227 ERROR MiscUtil - Failed to login with given keytab 
> and principal
> 
> There seems only one chance for plugin to auth to KDC, so it can not auto 
> recover.
> And MiscUtil.authWithKerberos never fail when auth failed, so KMS would not 
> die when the plugin failed.
> 
> This situation is too unfriendly to administrators. 
> KMS should either Die or Auto-Recover when its ranger-agent auth to KDC 
> failed.
> 
> My patch here is let it die on startup. Auto recovery is only useful when KDC 
> temporarily unavailable.
> 
> 
> Diffs
> -
> 
>   agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java 
> b69e27693 
>   
> plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
>  799eb322c 
>   
> ranger-kms-plugin-shim/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
>  7fa36ce79 
> 
> 
> Diff: https://reviews.apache.org/r/73841/diff/1/
> 
> 
> Testing
> ---
> 
> mvn clean compile package test
> 
> 
> Thanks,
> 
> Kirby Zhou
> 
>



[jira] [Assigned] (RANGER-3612) KMS should either Die or Auto-Recover when its ranger-agent auth to KDC failed

2022-04-08 Thread Bhavik Patel (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3612?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bhavik Patel reassigned RANGER-3612:


Assignee: kirby zhou

> KMS should either Die or Auto-Recover when its ranger-agent auth to KDC failed
> --
>
> Key: RANGER-3612
> URL: https://issues.apache.org/jira/browse/RANGER-3612
> Project: Ranger
>  Issue Type: Bug
>  Components: kms, plugins
>Affects Versions: 3.0.0, 2.2.0
>Reporter: kirby zhou
>Assignee: kirby zhou
>Priority: Major
>
> If we install ranger agent to KMS, the agent would auth itself to KDC at 
> startup. But if it failed, it just print a log in ranger-kms-.log, 
> and the KMS can never recover to refresh its policies.
> {code:java}
> ]$ tail -f log/ranger-kms-ranger_kms-.log  | fgrep ERROR 
> 2022-02-09 19:00:18,227 ERROR MiscUtil - Failed to login with given keytab 
> and principal{code}
> {code:java}
> package org.apache.ranger.authorization.kms.authorizer;
> public class RangerKmsAuthorizer implements Runnable, KeyACLs {
>     RangerKmsAuthorizer(Configuration conf) {
>         authWithKerberos(conf);
>     }
>     private void authWithKerberos(Configuration conf) {
>         MiscUtil.authWithKerberos(keytab, principal, nameRules);
>     }
> }
> package org.apache.ranger.audit.provider;
> public class MiscUtil {
>     public static void authWithKerberos(...) {
>         try {
>             {
>                 UserGroupInformation ugi = UserGroupInformation
>                     .loginUserFromKeytabAndReturnUGI(spnegoPrincipals[0], keytab);
>                 MiscUtil.setUGILoginUser(ugi, null);
>             }
>         } catch (Throwable t) {
>             logger.error("Failed to login with given keytab and principal", t);
>         }
>     }
> }{code}
>  
> There seems only one chance for plugin to auth to KDC, so it can not auto 
> recover.
> And MiscUtil.authWithKerberos never fail when auth failed, so KMS would not 
> die when the plugin failed.
> This situation is too unfriendly to administrators. It should be fixed.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
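
An added example (not Ranger's code and not the patch under review) contrasting the pattern the report describes, where the login failure is only logged, with a startup path that retries a bounded number of times and then refuses to start. The `KerberosLogin` interface, the stub KDC, the method names and the retry parameters are hypothetical stand-ins so the example runs without Hadoop on the classpath.

```java
import java.io.IOException;
import java.time.Duration;

public class StartupAuthExample {
    /** Hypothetical stand-in for the keytab login call. */
    interface KerberosLogin {
        void login() throws IOException;
    }

    /** The reported pattern: the failure is logged and the caller never learns of it. */
    static void authSwallowing(KerberosLogin kdc) {
        try {
            kdc.login();
        } catch (Throwable t) {
            System.err.println("ERROR Failed to login with given keytab and principal: "
                    + t.getMessage());
        }
    }

    /**
     * Bounded retry with doubling backoff, then fail fast. Returns the attempt
     * number that succeeded; throws when every attempt failed so that the
     * service's startup code aborts instead of running unauthenticated.
     */
    static int authOrDie(KerberosLogin kdc, int maxAttempts, Duration initialBackoff)
            throws InterruptedException {
        IOException last = null;
        long sleepMs = initialBackoff.toMillis();
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                kdc.login();
                return attempt;
            } catch (IOException e) {
                last = e;
                System.err.println("WARN login attempt " + attempt + "/" + maxAttempts
                        + " failed: " + e.getMessage());
                if (attempt < maxAttempts) {
                    Thread.sleep(sleepMs);
                    sleepMs *= 2;
                }
            }
        }
        throw new IllegalStateException(
                "Kerberos login failed after " + maxAttempts + " attempts; refusing to start", last);
    }

    /** Constructed KDC stub that rejects the first {@code failures} calls. */
    static KerberosLogin flakyKdc(int failures) {
        int[] calls = {0};
        return () -> {
            if (calls[0]++ < failures) {
                throw new IOException("KDC unreachable (constructed)");
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // 1. Swallowed failure: startup continues although no login ever succeeded.
        authSwallowing(flakyKdc(Integer.MAX_VALUE));
        System.out.println("swallowing variant: service keeps starting, unauthenticated");

        // 2. Brief outage: the third attempt succeeds and startup proceeds.
        int used = authOrDie(flakyKdc(2), 5, Duration.ofMillis(10));
        System.out.println("recovered on attempt " + used);

        // 3. Persistent failure (bad keytab, KDC down): startup is aborted.
        try {
            authOrDie(flakyKdc(Integer.MAX_VALUE), 3, Duration.ofMillis(10));
        } catch (IllegalStateException e) {
            System.out.println("startup aborted: " + e.getMessage());
        }
    }
}
```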


[jira] [Commented] (RANGER-3648) Alt-text hover-over for long policy names

2022-04-08 Thread Bhavik Patel (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17519323#comment-17519323
 ] 

Bhavik Patel commented on RANGER-3648:
--

[~Dhaval.Rajpara]  [~ni3galave]  any feedback on this ?

> Alt-text hover-over for long policy names
> -
>
> Key: RANGER-3648
> URL: https://issues.apache.org/jira/browse/RANGER-3648
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Ryan Jendoubi
>Priority: Minor
> Attachments: image-2022-02-28-16-00-58-330.png, 
> image-2022-02-28-16-02-46-830.png
>
>
> *As a* user of the Ranger UI
> *I want* to see the full names of policies without clicking in to them, even 
> if the names are quite long
> *So that* I don't have to navigate or open modal dialogs to differentiate 
> policies with long names which may begin the same way.
> This is often achieved in other software by using the browser's built-in 
> behaviour for alt tags to make a simple "pop up" when the element is hovered 
> over.





[jira] [Commented] (RANGER-3010) Rest API 'addUsersAndGroups' issue

2022-04-08 Thread Bhavik Patel (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17519321#comment-17519321
 ] 

Bhavik Patel commented on RANGER-3010:
--

can you please provide patch at review board : 
https://reviews.apache.org/dashboard/

> Rest API 'addUsersAndGroups' issue
> --
>
> Key: RANGER-3010
> URL: https://issues.apache.org/jira/browse/RANGER-3010
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: leo sun
>Priority: Major
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> I want to use Ranger API functions - addUsersAndGroups & removeUsersAndGroups 
> to manage users and groups of role. But official reference don't have 
> suitable example for these two APIs. And my all attempts failed.
> Another point: For example, I found the input type of addUsersAndGroups is 
> Boolean on official web, but the input of the implement function is two 
> string list and one boolean.
> I don't know how to use it. Could you help me with this? [~abhayk]





[jira] [Commented] (RANGER-3255) Lost nessary pre-check for Empty input argument

2022-04-08 Thread Bhavik Patel (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17519319#comment-17519319
 ] 

Bhavik Patel commented on RANGER-3255:
--

can you raise the Request at review board : 
https://reviews.apache.org/dashboard/

> Lost nessary pre-check for Empty input argument
> ---
>
> Key: RANGER-3255
> URL: https://issues.apache.org/jira/browse/RANGER-3255
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
>Affects Versions: 2.1.0, 3.0.0, 2.2.0
>Reporter: Shiyou xin
>Priority: Major
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> If configure file not found, or lost necessary configure urls, then an exception 
> happens as following :
> {{2021-04-27 10:46:30,658 ERROR 
> org.apache.hadoop.hdfs.server.namenode.NameNode: Failed to start namenode.
>  java.lang.IllegalArgumentException: bound must be positive
>  at java.util.Random.nextInt(Random.java:388)
>  at 
> org.apache.ranger.plugin.util.RangerRESTClient.(RangerRESTClient.java:120)
>  at 
> org.apache.ranger.admin.client.RangerAdminRESTClient.init(RangerAdminRESTClient.java:778)
>  at 
> org.apache.ranger.admin.client.RangerAdminRESTClient.init(RangerAdminRESTClient.java:116)}}
>  
> Maybe, we should add a pre-check.


