Re: Request to be a contributor in Apache Ranger

[Vanita Ubale]

Thanks a lot Madhan.

On Tue, 5 Sep, 2023, 8:59 pm madhan,  wrote:

> Vanita,
>
>
>
> Thank you for your interest in contributing to Apache Ranger. You now have
> contributor access.
>
>
>
> Welcome to Apache Ranger.
>
>
>
> Thanks,
>
> Madhan
>
> Apache Ranger PMC
>
>
>
>
>
> On 9/5/23, 8:01 AM, "Vanita Ubale"  wrote:
>
> Hello Team,
>
>
>
> I would like to contribute to the Apache Ranger project. Can you
>
> please add me as a contributor to the project?
>
> Email ID: vanitaubal...@gmail.com
>
> JIRA ID: vanitaubale
>
>
>
>
>
> Thanks,
>
>
>
> Vanita Ubale
>
>
>

Request to be a contributor in Apache Ranger

[Vanita Ubale]

Hello Team,

I would like to contribute to the Apache Ranger project. Can you
please add me as a contributor to the project?
Email ID: vanitaubal...@gmail.com
JIRA ID: vanitaubale


Thanks,

Vanita Ubale

Re: Review Request 74577: RANGER-4304: Update swagger version in Ranger

[Madhan Neethiraj]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74577/#review225720
---


Ship it!




Ship It!

- Madhan Neethiraj


On Sept. 5, 2023, 12:34 p.m., Mugdha Varadkar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74577/
> ---
> 
> (Updated Sept. 5, 2023, 12:34 p.m.)
> 
> 
> Review request for ranger, Brijesh Bhalala, Dhaval Rajpara, Madhan Neethiraj, 
> Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4304
> https://issues.apache.org/jira/browse/RANGER-4304
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Upgrading the swagger version to the latest available - 5.4.2
> 
> 
> Diffs
> -
> 
>   docs/src/site/resources/swagger-ui-bundle.js 
> 89bf4a9b3b0fda8de929f1052ddca98abc644ffa 
>   docs/src/site/resources/swagger-ui-es-bundle-core.js 
> cf16c6a8891d1ff509c5f53beace292e5c7e88c9 
>   docs/src/site/resources/swagger-ui-es-bundle.js 
> 328d693f6b21481511305dc6e11bbc0202417e55 
>   docs/src/site/resources/swagger-ui-standalone-preset.js 
> 39df72f598045eeae2eeb79ca5f9110857c5a16f 
>   docs/src/site/resources/swagger-ui.css 
> 267c5e141d0ae033dcfb6ce95c348d61b9b0fa47 
>   docs/src/site/resources/swagger-ui.js 
> 3a4f99719ed281d854af25b98b87c1b797b58c49 
>   docs/src/site/resources/swagger.html 
> 726b8d8f58bf013d65aef1c779c0f5e16a8a3322 
> 
> 
> Diff: https://reviews.apache.org/r/74577/diff/2/
> 
> 
> Testing
> ---
> 
> Tested changes on a cluster setup with Ranger Admin build with React JS code 
> base.
> 
> Successful completion of build command :
> mvn clean compile package -Psecurity-admin-react
> 
> 
> Thanks,
> 
> Mugdha Varadkar
> 
>

Re: Review Request 74581: RANGER-4392: Tag based policy with boolean expression is not working

[Madhan Neethiraj]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74581/#review225719
---


Ship it!




Ship It!

- Madhan Neethiraj


On Sept. 5, 2023, 8:50 a.m., Mugdha Varadkar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74581/
> ---
> 
> (Updated Sept. 5, 2023, 8:50 a.m.)
> 
> 
> Review request for ranger, Brijesh Bhalala, Dhaval Rajpara, Mehul Parikh, and 
> Nikunj Pansuriya.
> 
> 
> Bugs: RANGER-4392
> https://issues.apache.org/jira/browse/RANGER-4392
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Steps to reproduce : 
> 
> Precondition
> 
> 1. Hive table with name "testtable1_polcond" exists with tag with attributes 
> expire_date, and name. Expiry date is in the future, and name has value: 
> "hivetag".
> 2. A ranger tag-based policy exists with "Accessed after expiry_date": no, 
> and the following boolean expression:
> 
> ctx.getAttributeValue("VALID_HIVETABLE_TAG_24", "name").equals("hivetag");
> 
> providing access to user test_user
> 
> Test steps
> 
> 1. As user test_user in beeline, execute:
> 
> select * from testdb1_polcond.testtable1_polcond;
> 
> Expected behavior: Query should be executed successfully as tag based policy 
> provides access.
> 
> Actual behavior : Permisson denied. In hive logs, the following is seen:
> 
> 2023-08-28 11:43:34,716 INFO  org.apache.hadoop.hive.ql.Driver: 
> [a95535bb-6daf-466b-9464-fe505f224a0b etp597410879-285]: Compiling command(q
> ueryId=hive_20230828114334_adddcc28-722b-48ae-b0c9-0662a1661435): select * 
> from testdb1_polcond.testtable1_polcond
> 
> 
> 2023-08-28 11:43:34,944 ERROR 
> org.apache.ranger.plugin.policyengine.RangerRequestScriptEvaluator: 
> [a95535bb-6daf-466b-9464-fe505f224a0b etp5
> 97410879-285]: RangerRequestScriptEvaluator.evaluateScript(): failed to 
> evaluate script, exception=javax.script.ScriptException: org.graalvm
> .polyglot.PolyglotException: SyntaxError: :1:66 Expected , but found eof
> exit=null;quit=null;ctx.getAttributeValue("VALID_HIVETABLE_TAG_82"
> 
> 
> Policy condition response :
> curl -u 'admin:Admin123' 
> 'https://test-leyqrl-1.test-leyqrl.root.hwx.site:6182/service/plugins/policies/102'
>  \
> -H 'Accept: application/json, text/plain, {*}/{*}' \
> --insecure
> 
> In the resulting json, the value for the policy condition is the following:
> "conditions": [
> {
> "type": "accessed-after-expiry",
> "values": [
> "no"
> ]
> },
> {
> "type": "expression",
> "values": [
> "ctx.getAttributeValue(\"VALID_HIVETABLE_TAG_82\"",
> "\"name\").equals(\"hivetag\");"
> ]
> }
> ],
> 
> It looks as if Ranger Admin would split the content of the "expression" field 
> along the comma, and that's what leads to syntax error in hive logs.
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/webapp/react-webapp/src/components/Editable.jsx 
> 75f7fcff1199345df593ed97c5b7cf0beebd3aca 
>   
> security-admin/src/main/webapp/react-webapp/src/views/PolicyListing/AddUpdatePolicyForm.jsx
>  51df2e378a7415936317c6463b4413293e0a9c4c 
>   
> security-admin/src/main/webapp/react-webapp/src/views/PolicyListing/PolicyConditionsComp.jsx
>  32d80280984e550027c34c41bda46fda7d5bf07f 
> 
> 
> Diff: https://reviews.apache.org/r/74581/diff/1/
> 
> 
> Testing
> ---
> 
> Tested changes on a cluster setup with Ranger Admin build with React JS code 
> base.
> 
> Verified below policy condition getting saved correctly from Ranger Admin UI.
> ```
> ctx.getAttributeValue("VALID_HIVETABLE_TAG_24", "name").equals("hivetag");
> ```
> 
> 
> Successful completion of build command :
> mvn clean compile package -Psecurity-admin-react
> 
> 
> Thanks,
> 
> Mugdha Varadkar
> 
>

Re: Review Request 74577: RANGER-4304: Update swagger version in Ranger

[Mugdha Varadkar]

> On Aug. 31, 2023, 3:01 p.m., Madhan Neethiraj wrote:
> > docs/src/site/resources/index.js
> > Lines 39 (patched)
> > 
> >
> > Only change in this file is whitespace related. Please consider 
> > exclusing this file from the patch.

Excluded the whitespace related changes in updated patch-set.


- Mugdha


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74577/#review225713
---


On Sept. 5, 2023, 12:34 p.m., Mugdha Varadkar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74577/
> ---
> 
> (Updated Sept. 5, 2023, 12:34 p.m.)
> 
> 
> Review request for ranger, Brijesh Bhalala, Dhaval Rajpara, Madhan Neethiraj, 
> Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4304
> https://issues.apache.org/jira/browse/RANGER-4304
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Upgrading the swagger version to the latest available - 5.4.2
> 
> 
> Diffs
> -
> 
>   docs/src/site/resources/swagger-ui-bundle.js 
> 89bf4a9b3b0fda8de929f1052ddca98abc644ffa 
>   docs/src/site/resources/swagger-ui-es-bundle-core.js 
> cf16c6a8891d1ff509c5f53beace292e5c7e88c9 
>   docs/src/site/resources/swagger-ui-es-bundle.js 
> 328d693f6b21481511305dc6e11bbc0202417e55 
>   docs/src/site/resources/swagger-ui-standalone-preset.js 
> 39df72f598045eeae2eeb79ca5f9110857c5a16f 
>   docs/src/site/resources/swagger-ui.css 
> 267c5e141d0ae033dcfb6ce95c348d61b9b0fa47 
>   docs/src/site/resources/swagger-ui.js 
> 3a4f99719ed281d854af25b98b87c1b797b58c49 
>   docs/src/site/resources/swagger.html 
> 726b8d8f58bf013d65aef1c779c0f5e16a8a3322 
> 
> 
> Diff: https://reviews.apache.org/r/74577/diff/2/
> 
> 
> Testing
> ---
> 
> Tested changes on a cluster setup with Ranger Admin build with React JS code 
> base.
> 
> Successful completion of build command :
> mvn clean compile package -Psecurity-admin-react
> 
> 
> Thanks,
> 
> Mugdha Varadkar
> 
>

Re: Review Request 74577: RANGER-4304: Update swagger version in Ranger

[Mugdha Varadkar]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74577/
---

(Updated Sept. 5, 2023, 12:34 p.m.)


Review request for ranger, Brijesh Bhalala, Dhaval Rajpara, Madhan Neethiraj, 
Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-4304
https://issues.apache.org/jira/browse/RANGER-4304


Repository: ranger


Description
---

Upgrading the swagger version to the latest available - 5.4.2


Diffs (updated)
-

  docs/src/site/resources/swagger-ui-bundle.js 
89bf4a9b3b0fda8de929f1052ddca98abc644ffa 
  docs/src/site/resources/swagger-ui-es-bundle-core.js 
cf16c6a8891d1ff509c5f53beace292e5c7e88c9 
  docs/src/site/resources/swagger-ui-es-bundle.js 
328d693f6b21481511305dc6e11bbc0202417e55 
  docs/src/site/resources/swagger-ui-standalone-preset.js 
39df72f598045eeae2eeb79ca5f9110857c5a16f 
  docs/src/site/resources/swagger-ui.css 
267c5e141d0ae033dcfb6ce95c348d61b9b0fa47 
  docs/src/site/resources/swagger-ui.js 
3a4f99719ed281d854af25b98b87c1b797b58c49 
  docs/src/site/resources/swagger.html 726b8d8f58bf013d65aef1c779c0f5e16a8a3322 


Diff: https://reviews.apache.org/r/74577/diff/2/

Changes: https://reviews.apache.org/r/74577/diff/1-2/


Testing
---

Tested changes on a cluster setup with Ranger Admin build with React JS code 
base.

Successful completion of build command :
mvn clean compile package -Psecurity-admin-react


Thanks,

Mugdha Varadkar

[jira] [Updated] (RANGER-4304) Update swagger version in Ranger

[Mugdha Varadkar (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-4304?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mugdha Varadkar updated RANGER-4304:

Attachment: 0002-RANGER-4304.patch

> Update swagger version in Ranger
> 
>
> Key: RANGER-4304
> URL: https://issues.apache.org/jira/browse/RANGER-4304
> Project: Ranger
>  Issue Type: Improvement
>  Components: documentation
>Reporter: Arnout Engelen
>Assignee: Mugdha Varadkar
>Priority: Major
> Attachments: 0001-RANGER-4304.patch, 0002-RANGER-4304.patch
>
>
> The Ranger website embeds a Swagger UI, AFAICS currently version 2.2.10. 
> Older versions of swagger, such as this one, suffer from a number of security 
> weaknesses.
>  
> While fortunately [https://ranger.apache.org|https://ranger.apache.org/] does 
> not have any sensitive cookies or login mechanism or similar, so there isn't 
> really anything to compromise, it would be good to update to a recent version 
> of Swagger. Could you look into that?
>  
> It is somewhat unclear to me whether the ranger site is maintained in SVN 
> ([https://svn.apache.org/viewvc/ranger/site/)] or git 
> ([https://github.com/apache/ranger-site])



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (RANGER-4396) Dataset lookup is failing in GDS policy

[Subhrat Chaudhary (Jira)]

Subhrat Chaudhary created RANGER-4396:
-

 Summary: Dataset lookup is failing in GDS policy
 Key: RANGER-4396
 URL: https://issues.apache.org/jira/browse/RANGER-4396
 Project: Ranger
  Issue Type: Sub-task
  Components: admin
Reporter: Subhrat Chaudhary


In GDS policy, while selecting Dataset, Dataset lookup is failing with 
NullPointerException



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (RANGER-4395) Need to stop addition of Duplicate Resources to SharedResource Table

[Prashant Satam (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-4395?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Prashant Satam updated RANGER-4395:
---
Summary: Need to stop addition of Duplicate Resources to SharedResource 
Table  (was: Need to stop adding Duplicate Resources to SharedResource Table)

> Need to stop addition of Duplicate Resources to SharedResource Table
> 
>
> Key: RANGER-4395
> URL: https://issues.apache.org/jira/browse/RANGER-4395
> Project: Ranger
>  Issue Type: Task
>  Components: Ranger
>Reporter: Prashant Satam
>Priority: Major
>
> Currently we are not validating SharedResource Objects resources field if 
> they are already present in the database ,we need to add that validation



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (RANGER-4395) Need to stop adding Duplicate Resources to SharedResource Table

[Prashant Satam (Jira)]

Prashant Satam created RANGER-4395:
--

 Summary: Need to stop adding Duplicate Resources to SharedResource 
Table
 Key: RANGER-4395
 URL: https://issues.apache.org/jira/browse/RANGER-4395
 Project: Ranger
  Issue Type: Task
  Components: Ranger
Reporter: Prashant Satam


Currently we are not validating SharedResource Objects resources field if they 
are already present in the database ,we need to add that validation



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (RANGER-4390) ORC audit fails with null pointer exception when filequeue buffer size and orc buffer size are not equal

[Bhavik Patel (Jira)]

[ 
https://issues.apache.org/jira/browse/RANGER-4390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17762027#comment-17762027
 ] 

Bhavik Patel commented on RANGER-4390:
--

I can see the same error when xasecure.audit.destination.hdfs.orc.buffersize > 
xasecure.audit.destination.hdfs.batch.filequeue.filespool.buffer.size

> ORC audit fails with null pointer exception when filequeue buffer size and 
> orc buffer size are not equal
> 
>
> Key: RANGER-4390
> URL: https://issues.apache.org/jira/browse/RANGER-4390
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Fateh Singh
>Priority: Major
>
> Steps to reproduce:
> Change config values in unit test case testAuditFileQueueSpoolORC() in 
> TestAuditQueue.java
> xasecure.audit.destination.hdfs.orc.buffersize=5
> xasecure.audit.destination.hdfs.batch.filequeue.filespool.buffer.size=10
> If both are same then error not observed
> Sample config from test case to reproduce issue:
> Configs:
> {code:java}
> {xasecure.audit.destination.hdfs.orc.buffersize=5, 
> xasecure.audit.destination.hdfs.batch.filequeue.filespool.dir=target/spool, 
> xasecure.audit.destination.hdfs.batch.queuetype=filequeue, 
> xasecure.audit.destination.hdfs.batch.filequeue.filespool.buffer.size=10, 
> xasecure.audit.destination.hdfs.batch.filequeue.filetype=orc, 
> xasecure.audit.is.enabled=true, 
> xasecure.audit.destination.hdfs.filename.format=%app-type%_ranger_audit.orc, 
> xasecure.audit.destination.hdfs=enable, 
> xasecure.audit.destination.hdfs.orc.stripesize=10, 
> xasecure.audit.destination.hdfs.dir=target/testAuditFileQueueSpoolORC, 
> xasecure.audit.destination.hdfs.orc.compression=none, 
> xasecure.audit.destination.hdfs.batch.filequeue.filespool.file.rollover.sec=5}{code}
> Error logs:
> {code:java}
> 13:52:49.800 [AuditFileQueueSpool_hdfs_destWriter] ERROR 
> org.apache.ranger.audit.provider.BaseAuditHandler - Error writing to log file.
> java.lang.NullPointerException: null
>     at java.lang.System.arraycopy(Native Method)
>     at org.apache.hadoop.io.Text.set(Text.java:225)
>     at org.apache.orc.impl.StringRedBlackTree.add(StringRedBlackTree.java:59)
>     at 
> org.apache.orc.impl.writer.StringTreeWriter.writeBatch(StringTreeWriter.java:70)
>     at 
> org.apache.orc.impl.writer.StructTreeWriter.writeRootBatch(StructTreeWriter.java:56)
>     at org.apache.orc.impl.WriterImpl.addRowBatch(WriterImpl.java:574)
>     at org.apache.ranger.audit.utils.ORCFileUtil.log(ORCFileUtil.java:147)
>     at 
> org.apache.ranger.audit.utils.RangerORCAuditWriter$1.run(RangerORCAuditWriter.java:77)
>     at 
> org.apache.ranger.audit.utils.RangerORCAuditWriter$1.run(RangerORCAuditWriter.java:73)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:422)
>     at 
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1845)
>     at 
> org.apache.ranger.audit.provider.MiscUtil.executePrivilegedAction(MiscUtil.java:544)
>     at 
> org.apache.ranger.audit.utils.RangerORCAuditWriter.logAuditAsORC(RangerORCAuditWriter.java:73)
>     at 
> org.apache.ranger.audit.utils.RangerORCAuditWriter.logAsORC(RangerORCAuditWriter.java:159)
>     at 
> org.apache.ranger.audit.utils.RangerORCAuditWriter.log(RangerORCAuditWriter.java:112)
>     at 
> org.apache.ranger.audit.destination.HDFSAuditDestination.logJSON(HDFSAuditDestination.java:79)
>     at 
> org.apache.ranger.audit.destination.HDFSAuditDestination.log(HDFSAuditDestination.java:171)
>     at 
> org.apache.ranger.audit.queue.AuditFileQueueSpool.sendEvent(AuditFileQueueSpool.java:926)
>     at 
> org.apache.ranger.audit.queue.AuditFileQueueSpool.logEvent(AuditFileQueueSpool.java:904)
>     at 
> org.apache.ranger.audit.queue.AuditFileQueueSpool.runLogAudit(AuditFileQueueSpool.java:847)
>     at 
> org.apache.ranger.audit.queue.AuditFileQueueSpool.run(AuditFileQueueSpool.java:790)
>     at java.lang.Thread.run(Thread.java:750) {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (RANGER-4394) Java patches to support GDS changes

[Subhrat Chaudhary (Jira)]

Subhrat Chaudhary created RANGER-4394:
-

 Summary: Java patches to support GDS changes
 Key: RANGER-4394
 URL: https://issues.apache.org/jira/browse/RANGER-4394
 Project: Ranger
  Issue Type: Sub-task
  Components: admin
Reporter: Subhrat Chaudhary


We need java patches to support the changes in existing tables / addition of 
new tables/columns in ranger DB.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (RANGER-4393) with direct API call, ranger is allowing to add more than 1 dataset in a dataset policy

[Prashant Satam (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-4393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Prashant Satam updated RANGER-4393:
---
Description: With direct API call, ranger is allowing to add more than 1 
dataset i.e(datasetName) in a dataset policy. It is blocked from UI. We need to 
block it+ from backend also.  (was: With direct API call, ranger is allowing to 
add more than 1 dataset i.e(datasetName) in a dataset policy. It is blocked 
from UI. We need to blocked from backend also.)

> with direct API call, ranger is allowing to add more than 1 dataset in a 
> dataset policy
> ---
>
> Key: RANGER-4393
> URL: https://issues.apache.org/jira/browse/RANGER-4393
> Project: Ranger
>  Issue Type: Task
>  Components: Ranger
>Reporter: Prashant Satam
>Priority: Major
>
> With direct API call, ranger is allowing to add more than 1 dataset 
> i.e(datasetName) in a dataset policy. It is blocked from UI. We need to block 
> it+ from backend also.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (RANGER-4393) with direct API call, ranger is allowing to add more than 1 dataset in a dataset policy

[Prashant Satam (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-4393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Prashant Satam updated RANGER-4393:
---
Description: With direct API call, ranger is allowing to add more than 1 
dataset i.e(datasetName) in a dataset policy. It is blocked from UI. We need to 
block it from backend also.  (was: With direct API call, ranger is allowing to 
add more than 1 dataset i.e(datasetName) in a dataset policy. It is blocked 
from UI. We need to block it+ from backend also.)

> with direct API call, ranger is allowing to add more than 1 dataset in a 
> dataset policy
> ---
>
> Key: RANGER-4393
> URL: https://issues.apache.org/jira/browse/RANGER-4393
> Project: Ranger
>  Issue Type: Task
>  Components: Ranger
>Reporter: Prashant Satam
>Priority: Major
>
> With direct API call, ranger is allowing to add more than 1 dataset 
> i.e(datasetName) in a dataset policy. It is blocked from UI. We need to block 
> it from backend also.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (RANGER-4393) with direct API call, ranger is allowing to add more than 1 dataset in a dataset policy

[Prashant Satam (Jira)]

Prashant Satam created RANGER-4393:
--

 Summary: with direct API call, ranger is allowing to add more than 
1 dataset in a dataset policy
 Key: RANGER-4393
 URL: https://issues.apache.org/jira/browse/RANGER-4393
 Project: Ranger
  Issue Type: Task
  Components: Ranger
Reporter: Prashant Satam


With direct API call, ranger is allowing to add more than 1 dataset 
i.e(datasetName) in a dataset policy. It is blocked from UI. We need to blocked 
from backend also.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Review Request 74581: RANGER-4392: Tag based policy with boolean expression is not working

[Mugdha Varadkar]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74581/
---

Review request for ranger, Brijesh Bhalala, Dhaval Rajpara, Mehul Parikh, and 
Nikunj Pansuriya.


Bugs: RANGER-4392
https://issues.apache.org/jira/browse/RANGER-4392


Repository: ranger


Description
---

Steps to reproduce : 

Precondition

1. Hive table with name "testtable1_polcond" exists with tag with attributes 
expire_date, and name. Expiry date is in the future, and name has value: 
"hivetag".
2. A ranger tag-based policy exists with "Accessed after expiry_date": no, and 
the following boolean expression:

ctx.getAttributeValue("VALID_HIVETABLE_TAG_24", "name").equals("hivetag");

providing access to user test_user

Test steps

1. As user test_user in beeline, execute:

select * from testdb1_polcond.testtable1_polcond;

Expected behavior: Query should be executed successfully as tag based policy 
provides access.

Actual behavior : Permisson denied. In hive logs, the following is seen:

2023-08-28 11:43:34,716 INFO  org.apache.hadoop.hive.ql.Driver: 
[a95535bb-6daf-466b-9464-fe505f224a0b etp597410879-285]: Compiling command(q
ueryId=hive_20230828114334_adddcc28-722b-48ae-b0c9-0662a1661435): select * from 
testdb1_polcond.testtable1_polcond


2023-08-28 11:43:34,944 ERROR 
org.apache.ranger.plugin.policyengine.RangerRequestScriptEvaluator: 
[a95535bb-6daf-466b-9464-fe505f224a0b etp5
97410879-285]: RangerRequestScriptEvaluator.evaluateScript(): failed to 
evaluate script, exception=javax.script.ScriptException: org.graalvm
.polyglot.PolyglotException: SyntaxError: :1:66 Expected , but found eof
exit=null;quit=null;ctx.getAttributeValue("VALID_HIVETABLE_TAG_82"


Policy condition response :
curl -u 'admin:Admin123' 
'https://test-leyqrl-1.test-leyqrl.root.hwx.site:6182/service/plugins/policies/102'
 \
-H 'Accept: application/json, text/plain, {*}/{*}' \
--insecure

In the resulting json, the value for the policy condition is the following:
"conditions": [
{
"type": "accessed-after-expiry",
"values": [
"no"
]
},
{
"type": "expression",
"values": [
"ctx.getAttributeValue(\"VALID_HIVETABLE_TAG_82\"",
"\"name\").equals(\"hivetag\");"
]
}
],

It looks as if Ranger Admin would split the content of the "expression" field 
along the comma, and that's what leads to syntax error in hive logs.


Diffs
-

  security-admin/src/main/webapp/react-webapp/src/components/Editable.jsx 
75f7fcff1199345df593ed97c5b7cf0beebd3aca 
  
security-admin/src/main/webapp/react-webapp/src/views/PolicyListing/AddUpdatePolicyForm.jsx
 51df2e378a7415936317c6463b4413293e0a9c4c 
  
security-admin/src/main/webapp/react-webapp/src/views/PolicyListing/PolicyConditionsComp.jsx
 32d80280984e550027c34c41bda46fda7d5bf07f 


Diff: https://reviews.apache.org/r/74581/diff/1/


Testing
---

Tested changes on a cluster setup with Ranger Admin build with React JS code 
base.

Verified below policy condition getting saved correctly from Ranger Admin UI.
```
ctx.getAttributeValue("VALID_HIVETABLE_TAG_24", "name").equals("hivetag");
```


Successful completion of build command :
mvn clean compile package -Psecurity-admin-react


Thanks,

Mugdha Varadkar

[jira] [Updated] (RANGER-4392) Tag based policy with boolean expression is not working

[Mugdha Varadkar (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-4392?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mugdha Varadkar updated RANGER-4392:

Attachment: 0001-RANGER-4392.patch

> Tag based policy with boolean expression is not working
> ---
>
> Key: RANGER-4392
> URL: https://issues.apache.org/jira/browse/RANGER-4392
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Mugdha Varadkar
>Assignee: Mugdha Varadkar
>Priority: Major
>  Labels: ranger-react
> Attachments: 0001-RANGER-4392.patch
>
>
> h3. Reproduction
> h4. Precondition
> 1. Hive table with name "testtable1_polcond" exists with tag with attributes 
> expire_date, and name. Expiry date is in the future, and name has value: 
> "hivetag".
> 2. A ranger tag-based policy exists with "Accessed after expiry_date": no, 
> and the following boolean expression:
> {code:java}
> ctx.getAttributeValue("VALID_HIVETABLE_TAG_24", "name").equals("hivetag");
> {code}
> providing access to user test_user
> h4. Test steps
> 1. As user test_user in beeline, execute:
> {code:java}
> select * from testdb1_polcond.testtable1_polcond;
> {code}
> h4. Expected behavior
> Query should be executed successfully as tag based policy provides access.
> h4. Actual behavior
> Permisson denied. In hive logs, the following is seen:
> {code:java}
> 2023-08-28 11:43:34,716 INFO  org.apache.hadoop.hive.ql.Driver: 
> [a95535bb-6daf-466b-9464-fe505f224a0b etp597410879-285]: Compiling command(q
> ueryId=hive_20230828114334_adddcc28-722b-48ae-b0c9-0662a1661435): select * 
> from testdb1_polcond.testtable1_polcond
> ...
> 2023-08-28 11:43:34,944 ERROR 
> org.apache.ranger.plugin.policyengine.RangerRequestScriptEvaluator: 
> [a95535bb-6daf-466b-9464-fe505f224a0b etp5
> 97410879-285]: RangerRequestScriptEvaluator.evaluateScript(): failed to 
> evaluate script, exception=javax.script.ScriptException: org.graalvm
> .polyglot.PolyglotException: SyntaxError: :1:66 Expected , but found eof
> exit=null;quit=null;ctx.getAttributeValue("VALID_HIVETABLE_TAG_82"
> {code}
> Policy condition response :
> {code:java}
> curl -u 'admin:Admin123' 
> 'https://quasar-leyqrl-1.quasar-leyqrl.root.hwx.site:6182/service/plugins/policies/102'
>  \
> -H 'Accept: application/json, text/plain, \{*}/\{*}' \
> --insecure
> {code}
> In the resulting json, the value for the policy condition is the following:
> {code:java}
> "conditions": [
>                 {
>                     "type": "accessed-after-expiry",
>                     "values": [
>                         "no"
>                     ]
>                 },
>                 {
>                     "type": "expression",
>                     "values": [
>                         "ctx.getAttributeValue(\"VALID_HIVETABLE_TAG_82\"",
>                         "\"name\").equals(\"hivetag\");"
>                     ]
>                 }
>             ],
> {code}
> It looks as if Ranger Admin would split the content of the "expression" field 
> along the comma, and that's what leads to syntax error in hive logs.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (RANGER-4392) Tag based policy with boolean expression is not working

[Mugdha Varadkar (Jira)]

Mugdha Varadkar created RANGER-4392:
---

 Summary: Tag based policy with boolean expression is not working
 Key: RANGER-4392
 URL: https://issues.apache.org/jira/browse/RANGER-4392
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Reporter: Mugdha Varadkar
Assignee: Mugdha Varadkar


h3. Reproduction
h4. Precondition

1. Hive table with name "testtable1_polcond" exists with tag with attributes 
expire_date, and name. Expiry date is in the future, and name has value: 
"hivetag".
2. A ranger tag-based policy exists with "Accessed after expiry_date": no, and 
the following boolean expression:
{code:java}
ctx.getAttributeValue("VALID_HIVETABLE_TAG_24", "name").equals("hivetag");
{code}
providing access to user test_user
h4. Test steps

1. As user test_user in beeline, execute:
{code:java}
select * from testdb1_polcond.testtable1_polcond;
{code}
h4. Expected behavior

Query should be executed successfully as tag based policy provides access.
h4. Actual behavior

Permisson denied. In hive logs, the following is seen:
{code:java}
2023-08-28 11:43:34,716 INFO  org.apache.hadoop.hive.ql.Driver: 
[a95535bb-6daf-466b-9464-fe505f224a0b etp597410879-285]: Compiling command(q
ueryId=hive_20230828114334_adddcc28-722b-48ae-b0c9-0662a1661435): select * from 
testdb1_polcond.testtable1_polcond

...

2023-08-28 11:43:34,944 ERROR 
org.apache.ranger.plugin.policyengine.RangerRequestScriptEvaluator: 
[a95535bb-6daf-466b-9464-fe505f224a0b etp5
97410879-285]: RangerRequestScriptEvaluator.evaluateScript(): failed to 
evaluate script, exception=javax.script.ScriptException: org.graalvm
.polyglot.PolyglotException: SyntaxError: :1:66 Expected , but found eof
exit=null;quit=null;ctx.getAttributeValue("VALID_HIVETABLE_TAG_82"
{code}

Policy condition response :
{code:java}
curl -u 'admin:Admin123' 
'https://quasar-leyqrl-1.quasar-leyqrl.root.hwx.site:6182/service/plugins/policies/102'
 \
-H 'Accept: application/json, text/plain, \{*}/\{*}' \
--insecure
{code}
In the resulting json, the value for the policy condition is the following:
{code:java}
"conditions": [
                {
                    "type": "accessed-after-expiry",
                    "values": [
                        "no"
                    ]
                },
                {
                    "type": "expression",
                    "values": [
                        "ctx.getAttributeValue(\"VALID_HIVETABLE_TAG_82\"",
                        "\"name\").equals(\"hivetag\");"
                    ]
                }
            ],
{code}
It looks as if Ranger Admin would split the content of the "expression" field 
along the comma, and that's what leads to syntax error in hive logs.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

RE: Update permission on trino service resource policy

[Rotondi, Antonio (UBS Group)]

HI team,
is there a special channel where to address this kind of questions?
I ported Ranger to jkd17 and to Trino 422 and can contribute to the dev if I 
get permissions.

At this stage I hacked the trino plugin to use insert checks for updates in the 
SystemAccessControl. To work more extensively on the Ranger admin side I would 
need some background about why updates are forbidden by default in trino plugin.

Many thanks,


Antonio Rotondi
IA Data Engineering

From: Rotondi, Antonio (RAGD 9)
Sent: 24 August 2023 12:03
To: dev@ranger.apache.org
Subject: RE: Update permission on trino service resource policy

I checked the Trino RangerYstemAccessControl class and it shows:

enum TrinoAccessType {

CREATE, DROP, SELECT, INSERT, DELETE, USE, ALTER, ALL, GRANT, REVOKE, SHOW, 
IMPERSONATE, EXECUTE;

}

Why UPDATE is missing and why it is missing in the permission checkbox drop 
list?
[cid:image001.png@01D9DFDB.076A5020]
This is Ranger 2.,4.0


Many thanks,

Antonio Rotondi
IA Data Engineering

From: Rotondi, Antonio (RAGD 9)
Sent: 24 August 2023 11:26
To: dev@ranger.apache.org
Subject: Update permission on trino service resource policy

Hi team,
We use a ranger plugin in our trino cluster. We enabled all permissions on a 
trino resource and we can select and select records but update requests are 
denied. The update permission option is not even showing in the list of 
permission at all when creating a resource policy for Trino.
I cannot find any Jira specific to this issue.
Thanks for any pointer.

Antonio Rotondi
IA Data Engineering


This email is sent to you from Credit Suisse, a UBS Group company.

=
 
Please access the attached hyperlink for an important electronic communications 
disclaimer: 
http://www.credit-suisse.com/legal/en/disclaimer_email_ib.html 

California residents, click here 
https://www.credit-suisse.com/us/en/legal/privacy-statement.html 
for information on your privacy rights. For other regions, unless otherwise 
specified, locate the 
privacy policy at the bottom of your country page 
https://www.credit-suisse.com/global/en.html, 
where applicable. 
=
 

[jira] [Updated] (RANGER-4383) In Audit, Plugin Status tab if the record of respective service is in second page then Service Type filter for that service would show no result

[Brijesh Bhalala (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-4383?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Brijesh Bhalala updated RANGER-4383:

Priority: Major  (was: Minor)

> In Audit, Plugin Status tab if the record of respective service is in second 
> page then Service Type filter for that service would show no result
> 
>
> Key: RANGER-4383
> URL: https://issues.apache.org/jira/browse/RANGER-4383
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Vishal Bhavsar
>Assignee: Brijesh Bhalala
>Priority: Major
>  Labels: ranger-react
>
> In Audit, Plugin Status tab if the records of respective service for eg KMS 
> is in second page then Service Type filter for that service would show no 
> result.
> Workaround is using Service Name filter.
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)