[jira] [Created] (RANGER-4399) Need to fix zone drop-down option in policy listing for user not having 'Security Zone' module permission
Mugdha Varadkar created RANGER-4399:
---

Summary: Need to fix zone drop-down option in policy listing for user not having 'Security Zone' module permission
Key: RANGER-4399
URL: https://issues.apache.org/jira/browse/RANGER-4399
Project: Ranger
Issue Type: Bug
Components: Ranger
Affects Versions: 3.0.0
Reporter: Mugdha Varadkar
Assignee: Mugdha Varadkar

While testing permission module use cases, the developer found one case for the user role. The policy listing page is stuck on loading when the 'Security Zone' module permission of a user with user-role is revoked.

By default, a user with user role has permission to the 'Security Zone' module.

The impact here is that a user with user-role will not be able to access policies from the policy listing page in Ranger Admin UI with React JS. However, there is a workaround, which is to give permission to the user with user-role in the 'Security Zone' module.

Need to provide a fix to handle this use case, where we should not use the module-level API and should try to implement and use an API which is open to access data even if the user doesn't have permission on certain modules.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Assigned] (RANGER-4395) Need to stop addition of Duplicate Resources to SharedResource Table
[ https://issues.apache.org/jira/browse/RANGER-4395?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Prashant Satam reassigned RANGER-4395:
---

Assignee: Prashant Satam

> Need to stop addition of Duplicate Resources to SharedResource Table
>
> Key: RANGER-4395
> URL: https://issues.apache.org/jira/browse/RANGER-4395
> Project: Ranger
> Issue Type: Task
> Components: Ranger
> Reporter: Prashant Satam
> Assignee: Prashant Satam
> Priority: Major
>
> Currently we are not validating SharedResource Objects resources field if they are already present in the database, we need to add that validation
[jira] [Assigned] (RANGER-4359) GDS: Need new api to get details of dataShare listing page.
[ https://issues.apache.org/jira/browse/RANGER-4359?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Prashant Satam reassigned RANGER-4359:
---

Assignee: Prashant Satam

> GDS: Need new api to get details of dataShare listing page.
> ---
>
> Key: RANGER-4359
> URL: https://issues.apache.org/jira/browse/RANGER-4359
> Project: Ranger
> Issue Type: Task
> Components: Ranger
> Reporter: Prashant Satam
> Assignee: Prashant Satam
> Priority: Major
>
> Need API which gives the below details:
> 1) RangerDataShare
> 2) ResourceCounts
> 3) ShareStatus
>
> This api should filter out the list of datashare according to the permission available for the logged in user.
[jira] [Updated] (RANGER-4398) Security-zone API enhancements to support incremental updates and resource pagination
[ https://issues.apache.org/jira/browse/RANGER-4398?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-4398:
---

Attachment: RANGER-4398.patch

> Security-zone API enhancements to support incremental updates and resource pagination
> ---
>
> Key: RANGER-4398
> URL: https://issues.apache.org/jira/browse/RANGER-4398
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Priority: Major
> Fix For: 3.0.0
>
> Attachments: RANGER-4398.patch
>
>
> Security-zone API should support incremental changes to resources (add/update/remove), to make it easier to work with zones with a large number of resources. Also, an API to retrieve resources one page at a time will be helpful.
[DRAFT][REPORT] Apache Ranger - Quarterly period ending August 2023
Rangers:

Here is the board report of Apache Ranger for the period, Quarter ending August-31-2023:

Please review and let me know if you want me to add/change anything.

Thanks,
Selva-

## Description:
Apache Ranger is a framework to enable, monitor and manage comprehensive data security - consistently across various data processing services.

## Issues:
There are no issues requiring board attention at this time

## Membership Data:
- Apache Ranger was founded 2017-01-17 (6 years ago).
- There are 32 committers and 18 PMC members in this project.
- The Committer-to-PMC ratio is roughly 8:5.

## Community changes, past quarter:
- No new PMC members. Last addition was Sailaja Polavarapu on 2019-09-18.
- Last addition to Committer was Dineshkumar Yadav on 2023-02-06.
- One PMC member has resigned (Allan Gates) on 2023-04-05.

## Project Activity:
- Working on ranger 3.0.0 version features and bugfixes.
- Updated ranger website with new look and feel.
- Working to move ranger docs (ranger website content) from ranger source repo to ranger-site repo.
- Generally, fewer activities in the community after our 2.4.0 release; after we publish the release plan for 3.0.0, community activities will increase.

## Community Health:
- 1105 emails in dev@ranger.apache.org in this quarter (-26% change from past quarter)
- 7 emails in u...@ranger.apache.org in this quarter (-59% change from past quarter)
- 112 issues opened in JIRA in this quarter (-16% change from past quarter)
- 78 issues closed in JIRA in this quarter (-30% change from past quarter)
- 92 commits in this quarter (-46% change from past quarter)
- 22 code contributors in this quarter (-26% change from past quarter)
- 16 PRs opened on GitHub in this quarter (-50% change from past quarter)
- 10 PRs closed on GitHub in this quarter (-58% change from past quarter)

## Most Recent releases:
- Apache Ranger 2.4.0 was released on 2023-03-30
- Apache Ranger 2.3.0 was released on 2022-07-06
- Apache Ranger 2.2.0 was released on 2021-11-01
[jira] [Updated] (RANGER-4377) Fix to use "public/v2/api/zone-headers" api to get list of zones in Access Logs and Report pages
[ https://issues.apache.org/jira/browse/RANGER-4377?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mugdha Varadkar updated RANGER-4377:
---

Fix Version/s: 3.0.0

> Fix to use "public/v2/api/zone-headers" api to get list of zones in Access Logs and Report pages
>
> Key: RANGER-4377
> URL: https://issues.apache.org/jira/browse/RANGER-4377
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Mugdha Varadkar
> Assignee: Mugdha Varadkar
> Priority: Major
> Labels: ranger-react
> Fix For: 3.0.0
>
> Attachments: 0001-RANGER-4377.patch
>
>
> Ranger Admin with React JS should use "public/v2/api/zone-headers" api to get list of zones.
[jira] [Commented] (RANGER-4392) Tag based policy with boolean expression is not working
[ https://issues.apache.org/jira/browse/RANGER-4392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17762722#comment-17762722 ]

Dineshkumar Yadav commented on RANGER-4392:
---

apache commit : https://github.com/apache/ranger/commit/2f1b005a1f304906ccd5a10aa15d04babe1524d8

> Tag based policy with boolean expression is not working
> ---
>
> Key: RANGER-4392
> URL: https://issues.apache.org/jira/browse/RANGER-4392
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Mugdha Varadkar
> Assignee: Mugdha Varadkar
> Priority: Major
> Labels: ranger-react
> Attachments: 0001-RANGER-4392.patch
>
>
> h3. Reproduction
> h4. Precondition
> 1. Hive table with name "testtable1_polcond" exists with tag with attributes expire_date, and name. Expiry date is in the future, and name has value: "hivetag".
> 2. A ranger tag-based policy exists with "Accessed after expiry_date": no, and the following boolean expression:
> {code:java}
> ctx.getAttributeValue("VALID_HIVETABLE_TAG_24", "name").equals("hivetag");
> {code}
> providing access to user test_user
> h4. Test steps
> 1. As user test_user in beeline, execute:
> {code:java}
> select * from testdb1_polcond.testtable1_polcond;
> {code}
> h4. Expected behavior
> Query should be executed successfully as tag based policy provides access.
> h4. Actual behavior
> Permission denied. In hive logs, the following is seen:
> {code:java}
> 2023-08-28 11:43:34,716 INFO org.apache.hadoop.hive.ql.Driver: [a95535bb-6daf-466b-9464-fe505f224a0b etp597410879-285]: Compiling command(queryId=hive_20230828114334_adddcc28-722b-48ae-b0c9-0662a1661435): select * from testdb1_polcond.testtable1_polcond
> ...
> 2023-08-28 11:43:34,944 ERROR org.apache.ranger.plugin.policyengine.RangerRequestScriptEvaluator: [a95535bb-6daf-466b-9464-fe505f224a0b etp597410879-285]: RangerRequestScriptEvaluator.evaluateScript(): failed to evaluate script, exception=javax.script.ScriptException: org.graalvm.polyglot.PolyglotException: SyntaxError: :1:66 Expected , but found eof
> exit=null;quit=null;ctx.getAttributeValue("VALID_HIVETABLE_TAG_82"
> {code}
> Policy condition response :
> {code:java}
> curl -u 'admin:Admin123' 'https://quasar-leyqrl-1.quasar-leyqrl.root.hwx.site:6182/service/plugins/policies/102' \
>   -H 'Accept: application/json, text/plain, \{*}/\{*}' \
>   --insecure
> {code}
> In the resulting json, the value for the policy condition is the following:
> {code:java}
> "conditions": [
>   {
>     "type": "accessed-after-expiry",
>     "values": [
>       "no"
>     ]
>   },
>   {
>     "type": "expression",
>     "values": [
>       "ctx.getAttributeValue(\"VALID_HIVETABLE_TAG_82\"",
>       "\"name\").equals(\"hivetag\");"
>     ]
>   }
> ],
> {code}
> It looks as if Ranger Admin would split the content of the "expression" field along the comma, and that's what leads to syntax error in hive logs.
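An added example (not Ranger code and not part of the report above) of an audit check for the symptom described: it flags "expression" conditions whose stored values are unbalanced fragments of one script, and shows form-side handling that keeps the script as a single value. The function names and the sample object are hypothetical; the sample is constructed from the JSON quoted in the report.

```javascript
// Constructed sample: the "conditions" array as shown in the report's JSON.
const samplePolicy = {
  id: 102,
  conditions: [
    { type: "accessed-after-expiry", values: ["no"] },
    { type: "expression", values: [
      'ctx.getAttributeValue("VALID_HIVETABLE_TAG_82"',
      '"name").equals("hivetag");',
    ] },
  ],
};

// True when brackets are balanced and every string literal is closed.
function isBalanced(src) {
  const closers = { ")": "(", "]": "[", "}": "{" };
  const stack = [];
  let quote = null; // quote character of the string we are inside, if any
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === "\\") i++; // skip the escaped character
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if ("([{".includes(ch)) {
      stack.push(ch);
    } else if (ch in closers && stack.pop() !== closers[ch]) {
      return false;
    }
  }
  return quote === null && stack.length === 0;
}

// Audit: report expression conditions whose values are fragments of one script.
function findSplitExpressions(policy) {
  const findings = [];
  for (const cond of policy.conditions || []) {
    if (cond.type !== "expression") continue;
    const values = cond.values || [];
    const fragments = values.filter((v) => !isBalanced(v));
    if (fragments.length === 0) continue;
    const rejoined = values.join(",");
    findings.push({ policyId: policy.id, fragments, rejoined,
                    rejoinedIsBalanced: isBalanced(rejoined) });
  }
  return findings;
}

// Form side: store the script as a single value; never tokenise it on ",".
function toExpressionValues(text) {
  const script = text.trim();
  return script === "" ? [] : [script];
}

console.log(JSON.stringify(findSplitExpressions(samplePolicy), null, 2));
```

A finding whose `rejoinedIsBalanced` is true is a strong hint that the values were one script before being split on the comma; whitespace around the comma is not recovered by the rejoin.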
[jira] [Updated] (RANGER-4381) [Ranger React UI] Difference in user lookup API request in permissions module page between React UI and BackBone UI
[ https://issues.apache.org/jira/browse/RANGER-4381?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brijesh Bhalala updated RANGER-4381:
---

Attachment: 0002-RANGER-4381.patch

> [Ranger React UI] Difference in user lookup API request in permissions module page between React UI and BackBone UI
> ---
>
> Key: RANGER-4381
> URL: https://issues.apache.org/jira/browse/RANGER-4381
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Abhishek
> Assignee: Brijesh Bhalala
> Priority: Major
> Labels: ranger-react
> Fix For: 3.0.0
>
> Attachments: 0001-RANGER-4381.patch, 0002-RANGER-4381.patch
>
>
> In Ranger backbone UI, when trying to add users to a particular permissions module, when typing the user name, the user lookup is done only for users who are visible.
> In React UI, the lookup is not being restricted to visible users.
> Ideally, if a user is hidden, it would mean that the user is deleted from the source, and in such scenarios, the users must not be listed for user lookups.
> This is a regression from the previous UI behaviour.
Re: Review Request 74584: RANGER-4381: Difference in user lookup API request in permissions module page between React UI and BackBone UI
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74584/
---

(Updated Sept. 7, 2023, 12:55 p.m.)

Review request for ranger, Dhaval Rajpara, Dineshkumar Yadav, Madhan Neethiraj, Mehul Parikh, Mugdha Varadkar, Nikunj Pansuriya, and Nitin Galave.

Bugs: RANGER-4381
https://issues.apache.org/jira/browse/RANGER-4381

Repository: ranger

Description
---
In Ranger backbone UI, when trying to add users to a particular permissions module, when typing the user name, the user lookup is done only for users who are visible.
In React UI, the lookup is not being restricted to visible users.
Ideally, if a user is hidden, it would mean that the user is deleted from the source, and in such scenarios, the users must not be listed for user lookups.
This is a regression from the previous UI behaviour.

Diffs (updated)
---
security-admin/src/main/webapp/react-webapp/src/styles/style.css aaa54a380
security-admin/src/main/webapp/react-webapp/src/views/PermissionsModule/EditPermission.jsx a3e55dfbd
security-admin/src/main/webapp/react-webapp/src/views/SecurityZone/SecurityZoneForm.jsx c506ee0f8
security-admin/src/main/webapp/react-webapp/src/views/UserGroupRoleListing/groups_details/GroupListing.jsx 2ba0ca068
security-admin/src/main/webapp/react-webapp/src/views/UserGroupRoleListing/users_details/UserListing.jsx 1890168e5

Diff: https://reviews.apache.org/r/74584/diff/2/

Changes: https://reviews.apache.org/r/74584/diff/1-2/

Testing
---
Tested changes on a cluster setup with Ranger Admin built with React JS code base.
Verified the visibility functionality of users/groups listing tables, security zone form & permission module.
Successful completion of build command: mvn clean compile package -Psecurity-admin-react

Thanks,
Brijesh Bhalala
Review Request 74582: RANGER-4398: security-zone API enhancements to support incremental updates and resource pagination
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74582/
---

Review request for ranger, Anand Nadar, Abhay Kulkarni, Mehul Parikh, Monika Kachhadiya, Pradeep Agrawal, Ramesh Mani, Subhrat Chaudhary, and Velmurugan Periasamy.

Bugs: RANGER-4398
https://issues.apache.org/jira/browse/RANGER-4398

Repository: ranger

Description
---
- updated RangerSecurityZone with addition of the following fields for each resource: id, createdBy/Time, updatedBy/Time
- introduced RangerSecurityZoneV2, a wrapper over RangerSecurityZone, to make it easier for incremental changes
- added following REST APIs and corresponding Python APIs:
-- POST /service/public/v2/api/zones-v2
-- PUT /service/public/v2/api/zones-v2
-- GET /service/public/v2/api/zones-v2
-- GET /service/public/v2/api/zones-v2/name/{name}
-- GET /service/public/v2/api/zones-v2/{id}
-- PUT /service/public/v2/api/zones-v2/resources/name/{name}/{serviceName}
-- DELETE /service/public/v2/api/zones-v2/resources/name/{name}/{serviceName}
-- GET /service/public/v2/api/zones-v2/resources/name/{name}/{serviceName}
-- PUT /service/public/v2/api/zones-v2/resources/{id}/{serviceName}
-- DELETE /service/public/v2/api/zones-v2/resources/{id}/{serviceName}
-- GET /service/public/v2/api/zones-v2/resources/{id}/{serviceName}

Diffs
---
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPrincipal.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZone.java 71d64ca83
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZoneV2.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerSecurityZoneHelper.java PRE-CREATION
intg/src/main/python/apache_ranger/client/ranger_client.py 484a42128
intg/src/main/python/apache_ranger/model/ranger_base.py 2111534d0
intg/src/main/python/apache_ranger/model/ranger_principal.py PRE-CREATION
intg/src/main/python/apache_ranger/model/ranger_security_zone.py 6faa15744
intg/src/main/python/setup.py 0a4b1c66e
security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java cd906ed22
security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java 55d6aaac5

Diff: https://reviews.apache.org/r/74582/diff/1/

Testing
---
- verified that new REST APIs work correctly using Python scripts
- verified that all existing tests pass successfully

Thanks,
Madhan Neethiraj
[jira] [Created] (RANGER-4398) Security-zone API enhancements to support incremental updates and resource pagination
Madhan Neethiraj created RANGER-4398:
---

Summary: Security-zone API enhancements to support incremental updates and resource pagination
Key: RANGER-4398
URL: https://issues.apache.org/jira/browse/RANGER-4398
Project: Ranger
Issue Type: Improvement
Components: Ranger
Reporter: Madhan Neethiraj
Assignee: Madhan Neethiraj

Security-zone API should support incremental changes to resources (add/update/remove), to make it easier to work with zones with a large number of resources. Also, an API to retrieve resources one page at a time will be helpful.
[jira] [Resolved] (RANGER-3688) Resource based masking policy with override priority
[ https://issues.apache.org/jira/browse/RANGER-3688?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj resolved RANGER-3688.
---

Fix Version/s: 3.0.0
               2.3.0
Resolution: Fixed

master branch:
{noformat}
commit bd4461e245c0f6f1b154c57e1ba6ef1472e5e6e3
Author: Madhan Neethiraj
Date: Tue Mar 29 14:06:21 2022 -0700

    RANGER-3688: resource-based masking policy doesn't override tag-based policy
{noformat}

ranger-2.4 branch:
{noformat}
commit 79f4efc4396abb09befff5639281a6f757723a18
Author: Madhan Neethiraj
Date: Tue Mar 29 14:06:21 2022 -0700

    RANGER-3688: resource-based masking policy doesn't override tag-based policy

    (cherry picked from commit bd4461e245c0f6f1b154c57e1ba6ef1472e5e6e3)
{noformat}

> Resource based masking policy with override priority
>
> Key: RANGER-3688
> URL: https://issues.apache.org/jira/browse/RANGER-3688
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Priority: Major
> Fix For: 3.0.0, 2.3.0
>
>
> Apache Ranger policy model provides policy priority to override decisions made by normal priority policies. This can be used to provide (temporary) access to resources when another policy might deny access - for example:
> * access to finance database is to be allowed only for users in finance-users group; everyone else should be denied access
> * access to a subset of tables/columns in finance database should be allowed for users in auditors group
>
> Above requirement can be met by creating following 2 policies:
> * policy #1: resource: \{ database=finance }, groups: [ finance ], permissions: [ all ], isDenyAllElse: true
> * policy #2: resource: \{ database=finance, table=audit* }, groups: [ auditors ], permissions: [ select ], priority: override
>
> Such policy override works well for access requests, even across tag-based and resource-based policies. However, for data-masking policies, the decision made by a tag-based masking policy is not overridden by resource-based policies with override priority. For example:
> * tag-masking-policy #1: tag=SENSITIVE, group=analyst, maskType=redact, priority=normal
> * resource-masking-policy #2: resource: \{ database=customer, table=order, column=amount }, groups: [ analyst ], maskType=none, priority=override
>
> Above policies should allow users in analyst group to see unmasked value of customer.order.amount column, even when the column is tagged as SENSITIVE. Currently users in analyst group will only see values with redact masking applied.
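An added illustration (not Ranger's evaluator and not code from the issue) of the two masking outcomes described above, using the two example policies. It is a simplified model: exact-match resources only, and the tag-before-resource evaluation order and all function names are assumptions made for the example.

```javascript
const NORMAL = 0, OVERRIDE = 1;

// Constructed policies mirroring the two masking policies in the description.
const samplePolicies = [
  { name: "tag-masking-policy #1", kind: "tag", tag: "SENSITIVE",
    groups: ["analyst"], maskType: "redact", priority: NORMAL },
  { name: "resource-masking-policy #2", kind: "resource",
    resource: { database: "customer", table: "order", column: "amount" },
    groups: ["analyst"], maskType: "none", priority: OVERRIDE },
];

// Exact-match only (assumption of this model); no wildcards.
function matches(policy, req) {
  if (!policy.groups.some((g) => req.groups.includes(g))) return false;
  if (policy.kind === "tag") return req.tags.includes(policy.tag);
  return Object.entries(policy.resource).every(([k, v]) => req.resource[k] === v);
}

// Matching policies, tag-based ahead of resource-based (modelled order).
function matchingTagFirst(policies, req) {
  const hits = policies.filter((p) => matches(p, req));
  return [...hits.filter((p) => p.kind === "tag"),
          ...hits.filter((p) => p.kind === "resource")];
}

// Reported behaviour (modelled): a tag-based masking decision is final.
function maskTagDecisionFinal(policies, req) {
  const hit = matchingTagFirst(policies, req)[0];
  return hit ? hit.maskType : null;
}

// Expected behaviour: priority ranks first, across both policy kinds.
function maskPriorityFirst(policies, req) {
  const ranked = matchingTagFirst(policies, req)
    .sort((a, b) => b.priority - a.priority); // stable sort: ties stay tag-first
  return ranked.length ? ranked[0].maskType : null;
}

// Constructed request: an analyst reading customer.order.amount, tagged SENSITIVE.
const sampleRequest = {
  groups: ["analyst"], tags: ["SENSITIVE"],
  resource: { database: "customer", table: "order", column: "amount" },
};

console.log("tag decision final:", maskTagDecisionFinal(samplePolicies, sampleRequest));
console.log("priority first:", maskPriorityFirst(samplePolicies, sampleRequest));
```

When reviewing masking policies, the case worth testing is exactly this one: a column that carries a tag with a normal-priority mask and also falls under a resource policy with override priority.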
[jira] [Created] (RANGER-4397) API to get DataShare id,name List
Prashant Satam created RANGER-4397:
---

Summary: API to get DataShare id,name List
Key: RANGER-4397
URL: https://issues.apache.org/jira/browse/RANGER-4397
Project: Ranger
Issue Type: Sub-task
Components: Ranger
Reporter: Prashant Satam