Re: Review Request 74686: RANGER-4486: ZoneV2 partial update allows duplicate principals and tagServices

2023-10-19 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74686/#review225882
---


Ship it!




Ship It!

- Madhan Neethiraj


On Oct. 20, 2023, 6:30 a.m., Subhrat Chaudhary wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74686/
> ---
> 
> (Updated Oct. 20, 2023, 6:30 a.m.)
> 
> 
> Review request for ranger, Anand Nadar, Ankita Sinha, Madhan Neethiraj, 
> Monika Kachhadiya, and Prashant Satam.
> 
> 
> Bugs: RANGER-4486
> https://issues.apache.org/jira/browse/RANGER-4486
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> The PUT API - /service/public/v2/api/zones-v2/{zoneId}/partial allows 
> addition of duplicate principals (admin and auditor UGR) and tagServices.
> 
> 
> Diffs
> -
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerSecurityZoneHelper.java facc305fe
> 
> 
> Diff: https://reviews.apache.org/r/74686/diff/2/
> 
> 
> Testing
> ---
> 
> Validated the PUT API - /service/public/v2/api/zones-v2/{zoneId}/partial, by 
> passing duplicate tagService and adminUser in request repeatedly:
> 
> {
> "id": 5,
> "isEnabled": true,
> "createdBy": "Admin",
> "updatedBy": "Admin",
> "createTime": 1697718906795,
> "updateTime": 1697718906796,
> "name": "zone10",
> "services": {
> "hive1": {
> "resources": [
> {
> "id": 1,
> "resource": {
> "database": [
> "db10"
> ]
> }
> }
> ]
> }
> },
> "tagServicesToAdd": [
> "tag1", "tag1"
> ],
> "adminsToAdd": [
> {
> "type": "USER",
> "name": "mark"
> },
> {
> "type": "USER",
> "name": "mark"
> }
> ]
> }
> 
> The zone is updated with single adminUser and tagService:
> 
> {
> "id": 5,
> "isEnabled": true,
> "createdBy": "Admin",
> "updatedBy": "Admin",
> "createTime": 1697718906795,
> "updateTime": 1697775464068,
> "name": "zone10",
> "services": {
> "hive1": {
> "resources": [
> {
> "id": 1,
> "resource": {
> "database": [
> "db10"
> ]
> }
> }
> ]
> }
> },
> "tagServices": [
> "tag1"
> ],
> "admins": [
> {
> "type": "USER",
> "name": "mark"
> }
> ],
> "auditors": [
> {
> "type": "USER",
> "name": "mark"
> }
> ]
> }
> 
> 
> Thanks,
> 
> Subhrat Chaudhary
> 
>



Re: Review Request 74686: RANGER-4486: ZoneV2 partial update allows duplicate principals and tagServices

2023-10-19 Thread Subhrat Chaudhary via Review Board

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74686/
---

(Updated Oct. 20, 2023, noon)


Review request for ranger, Anand Nadar, Ankita Sinha, Madhan Neethiraj, Monika 
Kachhadiya, and Prashant Satam.


Changes
---

Addressed review comments


Bugs: RANGER-4486
https://issues.apache.org/jira/browse/RANGER-4486


Repository: ranger


Description
---

The PUT API - /service/public/v2/api/zones-v2/{zoneId}/partial allows addition 
of duplicate principals (admin and auditor UGR) and tagServices.


Diffs (updated)
-

  
  agents-common/src/main/java/org/apache/ranger/plugin/util/RangerSecurityZoneHelper.java facc305fe


Diff: https://reviews.apache.org/r/74686/diff/2/

Changes: https://reviews.apache.org/r/74686/diff/1-2/


Testing
---

Validated the PUT API - /service/public/v2/api/zones-v2/{zoneId}/partial, by 
passing duplicate tagService and adminUser in request repeatedly:

{
"id": 5,
"isEnabled": true,
"createdBy": "Admin",
"updatedBy": "Admin",
"createTime": 1697718906795,
"updateTime": 1697718906796,
"name": "zone10",
"services": {
"hive1": {
"resources": [
{
"id": 1,
"resource": {
"database": [
"db10"
]
}
}
]
}
},
"tagServicesToAdd": [
"tag1", "tag1"
],
"adminsToAdd": [
{
"type": "USER",
"name": "mark"
},
{
"type": "USER",
"name": "mark"
}
]
}

The zone is updated with single adminUser and tagService:

{
"id": 5,
"isEnabled": true,
"createdBy": "Admin",
"updatedBy": "Admin",
"createTime": 1697718906795,
"updateTime": 1697775464068,
"name": "zone10",
"services": {
"hive1": {
"resources": [
{
"id": 1,
"resource": {
"database": [
"db10"
]
}
}
]
}
},
"tagServices": [
"tag1"
],
"admins": [
{
"type": "USER",
"name": "mark"
}
],
"auditors": [
{
"type": "USER",
"name": "mark"
}
]
}


Thanks,

Subhrat Chaudhary



Re: Review Request 74673: RANGER-4461 : Implement best coding practices for validating user input.

2023-10-19 Thread Mugdha Varadkar

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74673/#review225881
---


Ship it!




Ship It!

- Mugdha Varadkar


On Oct. 16, 2023, 7:31 a.m., Dhaval Rajpara wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74673/
> ---
> 
> (Updated Oct. 16, 2023, 7:31 a.m.)
> 
> 
> Review request for ranger, Brijesh Bhalala, Dhaval Shah, Dineshkumar Yadav, 
> Kishor Gollapalliwar, Madhan Neethiraj, Mehul Parikh, Mugdha Varadkar, 
> Pradeep Agrawal, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4461
> https://issues.apache.org/jira/browse/RANGER-4461
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Implement best coding practices for validating user input
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/webapp/scripts/modules/XAOverrides.js 369b0f65a
>   security-admin/src/main/webapp/scripts/utils/XAUtils.js 3c5907099
>   security-admin/src/main/webapp/scripts/views/kms/KMSTableLayout.js 011649200
>   security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionForm.js 7b8c4c809
>   security-admin/src/main/webapp/scripts/views/policies/PermissionList.js ca3db854d
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyConditions.js d6c5295c1
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js 118dfe215
>   security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js 40cfd6d62
>   security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js ebdd2a0b2
>   security-admin/src/main/webapp/scripts/views/service/AuditFilterConfig.js 27e2aaecb
>   security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js d443327c8
> 
> 
> Diff: https://reviews.apache.org/r/74673/diff/1/
> 
> 
> Testing
> ---
> 
> Validated below scenarios on old UI
> 1. Tested Resource Based/Tag Based/ KMS Service CRUD.
> 2. Tested Zone & Unzone policy CRUD.
> 3. Tested User/Group/ Role CRUD.
> 4. Tested Zone CRUD.
> 5. Tested Resource Based/Tag Based/ KMS Policy CRUD.
> 6. Tested reports/permissions/audits tab.
> 7. Tested Export and import feature.
> 
> 
> Thanks,
> 
> Dhaval Rajpara
> 
>



Re: Review Request 74686: RANGER-4486: ZoneV2 partial update allows duplicate principals and tagServices

2023-10-19 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74686/#review225880
---




agents-common/src/main/java/org/apache/ranger/plugin/util/RangerSecurityZoneHelper.java
Lines 185 (patched)


typo in the naming => addIfAbsent()


- Ramesh Mani


On Oct. 20, 2023, 4:28 a.m., Subhrat Chaudhary wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74686/
> ---
> 
> (Updated Oct. 20, 2023, 4:28 a.m.)
> 
> 
> Review request for ranger, Anand Nadar, Ankita Sinha, Madhan Neethiraj, 
> Monika Kachhadiya, and Prashant Satam.
> 
> 
> Bugs: RANGER-4486
> https://issues.apache.org/jira/browse/RANGER-4486
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> The PUT API - /service/public/v2/api/zones-v2/{zoneId}/partial allows 
> addition of duplicate principals (admin and auditor UGR) and tagServices.
> 
> 
> Diffs
> -
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerSecurityZoneHelper.java facc305fe
> 
> 
> Diff: https://reviews.apache.org/r/74686/diff/1/
> 
> 
> Testing
> ---
> 
> Validated the PUT API - /service/public/v2/api/zones-v2/{zoneId}/partial, by 
> passing duplicate tagService and adminUser in request repeatedly:
> 
> {
> "id": 5,
> "isEnabled": true,
> "createdBy": "Admin",
> "updatedBy": "Admin",
> "createTime": 1697718906795,
> "updateTime": 1697718906796,
> "name": "zone10",
> "services": {
> "hive1": {
> "resources": [
> {
> "id": 1,
> "resource": {
> "database": [
> "db10"
> ]
> }
> }
> ]
> }
> },
> "tagServicesToAdd": [
> "tag1", "tag1"
> ],
> "adminsToAdd": [
> {
> "type": "USER",
> "name": "mark"
> },
> {
> "type": "USER",
> "name": "mark"
> }
> ]
> }
> 
> The zone is updated with single adminUser and tagService:
> 
> {
> "id": 5,
> "isEnabled": true,
> "createdBy": "Admin",
> "updatedBy": "Admin",
> "createTime": 1697718906795,
> "updateTime": 1697775464068,
> "name": "zone10",
> "services": {
> "hive1": {
> "resources": [
> {
> "id": 1,
> "resource": {
> "database": [
> "db10"
> ]
> }
> }
> ]
> }
> },
> "tagServices": [
> "tag1"
> ],
> "admins": [
> {
> "type": "USER",
> "name": "mark"
> }
> ],
> "auditors": [
> {
> "type": "USER",
> "name": "mark"
> }
> ]
> }
> 
> 
> Thanks,
> 
> Subhrat Chaudhary
> 
>



Re: Review Request 74686: RANGER-4486: ZoneV2 partial update allows duplicate principals and tagServices

2023-10-19 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74686/#review225879
---




agents-common/src/main/java/org/apache/ranger/plugin/util/RangerSecurityZoneHelper.java
Line 163 (original), 163 (patched)


when users already has principal.getName(), else conditions in #165 and 
#167 will be evaluated unnecessarily. Consider adding the following method and 
calling it from here:

private void addIfAbsent(String item, List<String> lst) {
  // Append only when the item is not already in the list
  if (!lst.contains(item)) {
    lst.add(item);
  }
}

if (principal.getType() == RangerPrincipal.PrincipalType.USER) {
  addIfAbsent(principal.getName(), users);
} else if (principal.getType() == RangerPrincipal.PrincipalType.GROUP) {
  addIfAbsent(principal.getName(), groups);
} else if (principal.getType() == RangerPrincipal.PrincipalType.ROLE) {
  addIfAbsent(principal.getName(), roles);
}



agents-common/src/main/java/org/apache/ranger/plugin/util/RangerSecurityZoneHelper.java
Lines 185 (patched)


addIfAbesnt => addTagServiceIfAbesnt


- Madhan Neethiraj


On Oct. 20, 2023, 4:28 a.m., Subhrat Chaudhary wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74686/
> ---
> 
> (Updated Oct. 20, 2023, 4:28 a.m.)
> 
> 
> Review request for ranger, Anand Nadar, Ankita Sinha, Madhan Neethiraj, 
> Monika Kachhadiya, and Prashant Satam.
> 
> 
> Bugs: RANGER-4486
> https://issues.apache.org/jira/browse/RANGER-4486
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> The PUT API - /service/public/v2/api/zones-v2/{zoneId}/partial allows 
> addition of duplicate principals (admin and auditor UGR) and tagServices.
> 
> 
> Diffs
> -
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerSecurityZoneHelper.java facc305fe
> 
> 
> Diff: https://reviews.apache.org/r/74686/diff/1/
> 
> 
> Testing
> ---
> 
> Validated the PUT API - /service/public/v2/api/zones-v2/{zoneId}/partial, by 
> passing duplicate tagService and adminUser in request repeatedly:
> 
> {
> "id": 5,
> "isEnabled": true,
> "createdBy": "Admin",
> "updatedBy": "Admin",
> "createTime": 1697718906795,
> "updateTime": 1697718906796,
> "name": "zone10",
> "services": {
> "hive1": {
> "resources": [
> {
> "id": 1,
> "resource": {
> "database": [
> "db10"
> ]
> }
> }
> ]
> }
> },
> "tagServicesToAdd": [
> "tag1", "tag1"
> ],
> "adminsToAdd": [
> {
> "type": "USER",
> "name": "mark"
> },
> {
> "type": "USER",
> "name": "mark"
> }
> ]
> }
> 
> The zone is updated with single adminUser and tagService:
> 
> {
> "id": 5,
> "isEnabled": true,
> "createdBy": "Admin",
> "updatedBy": "Admin",
> "createTime": 1697718906795,
> "updateTime": 1697775464068,
> "name": "zone10",
> "services": {
> "hive1": {
> "resources": [
> {
> "id": 1,
> "resource": {
> "database": [
> "db10"
> ]
> }
> }
> ]
> }
> },
> "tagServices": [
> "tag1"
> ],
> "admins": [
> {
> "type": "USER",
> "name": "mark"
> }
> ],
> "auditors": [
> {
> "type": "USER",
> "name": "mark"
> }
> ]
> }
> 
> 
> Thanks,
> 
> Subhrat Chaudhary
> 
>
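
Added example, not part of the review thread or the Ranger code base: a self-contained model of the duplicate problem reported in RANGER-4486 and of the `addIfAbsent()` approach suggested in the review above. The `Zone`, `Principal` and `PrincipalType` types, the `applyNaive`/`applyIdempotent` methods and the sample input are stand-ins constructed for illustration; that the original code appended unconditionally is an assumption based on the reported behaviour.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Stand-in types for illustration; these are not Ranger's own classes.
public class ZonePartialUpdateDemo {
    enum PrincipalType { USER, GROUP, ROLE }

    static final class Principal {
        final PrincipalType type;
        final String        name;

        Principal(PrincipalType type, String name) {
            this.type = type;
            this.name = name;
        }
    }

    // Simplified zone state: one name list per principal type, plus tag services.
    static final class Zone {
        final List<String> adminUsers  = new ArrayList<>();
        final List<String> adminGroups = new ArrayList<>();
        final List<String> adminRoles  = new ArrayList<>();
        final List<String> tagServices = new ArrayList<>();
    }

    // Helper in the shape suggested in the review: add only when not present.
    static void addIfAbsent(String item, List<String> lst) {
        if (!lst.contains(item)) {
            lst.add(item);
        }
    }

    // Selects the per-type list, so a USER and a ROLE with the same name stay distinct.
    static List<String> listFor(Zone zone, PrincipalType type) {
        switch (type) {
            case USER:  return zone.adminUsers;
            case GROUP: return zone.adminGroups;
            default:    return zone.adminRoles;
        }
    }

    // Models the reported behaviour (assumption): every entry is appended,
    // so repeats inside one request and replayed requests both leave duplicates.
    static void applyNaive(Zone zone, List<Principal> adminsToAdd, List<String> tagServicesToAdd) {
        for (Principal p : adminsToAdd) {
            listFor(zone, p.type).add(p.name);
        }
        zone.tagServices.addAll(tagServicesToAdd);
    }

    // Idempotent variant: applying the same request any number of times
    // leaves the zone in the same state as applying it once.
    static void applyIdempotent(Zone zone, List<Principal> adminsToAdd, List<String> tagServicesToAdd) {
        for (Principal p : adminsToAdd) {
            addIfAbsent(p.name, listFor(zone, p.type));
        }
        for (String tagService : tagServicesToAdd) {
            addIfAbsent(tagService, zone.tagServices);
        }
    }

    public static void main(String[] args) {
        // Constructed input modelled on the request in the Testing section,
        // plus one ROLE named "mark" to show that types are tracked separately.
        List<Principal> adminsToAdd = Arrays.asList(
                new Principal(PrincipalType.USER, "mark"),
                new Principal(PrincipalType.USER, "mark"),
                new Principal(PrincipalType.ROLE, "mark"));
        List<String> tagServicesToAdd = Arrays.asList("tag1", "tag1");

        Zone naive = new Zone();
        Zone fixed = new Zone();

        // Send the same partial update twice, as in the steps to reproduce.
        for (int call = 0; call < 2; call++) {
            applyNaive(naive, adminsToAdd, tagServicesToAdd);
            applyIdempotent(fixed, adminsToAdd, tagServicesToAdd);
        }

        System.out.println("naive: users=" + naive.adminUsers
                + " roles=" + naive.adminRoles + " tagServices=" + naive.tagServices);
        System.out.println("fixed: users=" + fixed.adminUsers
                + " roles=" + fixed.adminRoles + " tagServices=" + fixed.tagServices);
    }
}
```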



[jira] [Commented] (RANGER-4479) Logs for admin and auditor roles for security zone is not capture in Audit Admin Tab.

2023-10-19 Thread Dhaval Rajpara (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-4479?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=1573#comment-1573
 ] 

Dhaval Rajpara commented on RANGER-4479:


Hi [~madhan]

Yes, sure, I will add these changes to the 
[RANGER-4280|https://issues.apache.org/jira/browse/RANGER-4280] patch.

Thanks

> Logs for admin and auditor roles for security zone is not capture in Audit 
> Admin Tab.
> -
>
> Key: RANGER-4479
> URL: https://issues.apache.org/jira/browse/RANGER-4479
> Project: Ranger
>  Issue Type: New Feature
>  Components: Ranger
>Reporter: Dhaval Rajpara
>Assignee: Dhaval Rajpara
>Priority: Major
>
> Added admin and auditor roles in a security zone in Jira 
> [RANGER-4274|https://issues.apache.org/jira/browse/RANGER-4274]. But the 
> related Audit admin log Update / delete / Create zone with roles log not 
> captured in the Admin tab.
> CC : [~madhan] / [~pradeep] / [~mehul] 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


Review Request 74686: RANGER-4486: ZoneV2 partial update allows duplicate principals and tagServices

2023-10-19 Thread Subhrat Chaudhary via Review Board

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74686/
---

Review request for ranger, Anand Nadar, Ankita Sinha, Madhan Neethiraj, Monika 
Kachhadiya, and Prashant Satam.


Bugs: RANGER-4486
https://issues.apache.org/jira/browse/RANGER-4486


Repository: ranger


Description
---

The PUT API - /service/public/v2/api/zones-v2/{zoneId}/partial allows addition 
of duplicate principals (admin and auditor UGR) and tagServices.


Diffs
-

  
  agents-common/src/main/java/org/apache/ranger/plugin/util/RangerSecurityZoneHelper.java facc305fe


Diff: https://reviews.apache.org/r/74686/diff/1/


Testing
---

Validated the PUT API - /service/public/v2/api/zones-v2/{zoneId}/partial, by 
passing duplicate tagService and adminUser in request repeatedly:

{
"id": 5,
"isEnabled": true,
"createdBy": "Admin",
"updatedBy": "Admin",
"createTime": 1697718906795,
"updateTime": 1697718906796,
"name": "zone10",
"services": {
"hive1": {
"resources": [
{
"id": 1,
"resource": {
"database": [
"db10"
]
}
}
]
}
},
"tagServicesToAdd": [
"tag1", "tag1"
],
"adminsToAdd": [
{
"type": "USER",
"name": "mark"
},
{
"type": "USER",
"name": "mark"
}
]
}

The zone is updated with single adminUser and tagService:

{
"id": 5,
"isEnabled": true,
"createdBy": "Admin",
"updatedBy": "Admin",
"createTime": 1697718906795,
"updateTime": 1697775464068,
"name": "zone10",
"services": {
"hive1": {
"resources": [
{
"id": 1,
"resource": {
"database": [
"db10"
]
}
}
]
}
},
"tagServices": [
"tag1"
],
"admins": [
{
"type": "USER",
"name": "mark"
}
],
"auditors": [
{
"type": "USER",
"name": "mark"
}
]
}


Thanks,

Subhrat Chaudhary



[jira] [Updated] (RANGER-4486) ZoneV2 partial update allows duplicate principals and tagServices

2023-10-19 Thread Subhrat Chaudhary (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4486?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Subhrat Chaudhary updated RANGER-4486:
--
Description: 
In RANGER-4398 , we added support for incremental updates with the PUT API - 
/service/public/v2/api/zones-v2/\{zoneId}/partial. This allows addition of 
duplicate principals (admin and auditor UGR) and tagServices.

Steps to reproduce. Create a security-zone and update with above PUT API:
{code:java}
{
    "id": 5,
    "isEnabled": true,
    "createdBy": "Admin",
    "updatedBy": "Admin",
    "createTime": 1697718906795,
    "updateTime": 1697718906796,
    "name": "zone10",
    "services": {
        "hive1": {
            "resources": [
                {
                    "id": 1,
                    "resource": {
                        "database": [
                            "db10"
                        ]
                    }
                }
            ]
        }
    },
    "tagServicesToAdd": [
        "tag1"
    ],
    "adminsToAdd": [
        {
            "type": "USER",
            "name": "mark"
        }
    ]
}{code}
If we call the same API with same request again, it creates duplicate adminUser 
and tagService as below:
{code:java}
{
    "id": 5,
    "isEnabled": true,
    "createdBy": "Admin",
    "updatedBy": "Admin",
    "createTime": 1697718906795,
    "updateTime": 1697719001243,
    "name": "zone10",
    "services": {
        "hive1": {
            "resources": [
                {
                    "id": 1,
                    "resource": {
                        "database": [
                            "db10"
                        ]
                    }
                }
            ]
        }
    },
    "tagServices": [
        "tag1",
        "tag1"
    ],
    "admins": [
        {
            "type": "USER",
            "name": "mark"
        },
        {
            "type": "USER",
            "name": "mark"
        }
    ],
    "auditors": [
        {
            "type": "USER",
            "name": "mark"
        }
    ]
}{code}

  was:
In RANGER-4398 , we added support for incremental updates with the PUT API - 
/service/public/v2/api/zones-v2/\{zoneId}/partial. This allows addition of 
duplicate adminUsers, auditorUser and tagServices.

Steps to reproduce. Create a security-zone and update with above PUT API:
{code:java}
{
    "id": 5,
    "isEnabled": true,
    "createdBy": "Admin",
    "updatedBy": "Admin",
    "createTime": 1697718906795,
    "updateTime": 1697718906796,
    "name": "zone10",
    "services": {
        "hive1": {
            "resources": [
                {
                    "id": 1,
                    "resource": {
                        "database": [
                            "db10"
                        ]
                    }
                }
            ]
        }
    },
    "tagServicesToAdd": [
        "tag1"
    ],
    "adminsToAdd": [
        {
            "type": "USER",
            "name": "mark"
        }
    ]
}{code}
If we call the same API with same request again, it creates duplicate adminUser 
and tagService as below:
{code:java}
{
    "id": 5,
    "isEnabled": true,
    "createdBy": "Admin",
    "updatedBy": "Admin",
    "createTime": 1697718906795,
    "updateTime": 1697719001243,
    "name": "zone10",
    "services": {
        "hive1": {
            "resources": [
                {
                    "id": 1,
                    "resource": {
                        "database": [
                            "db10"
                        ]
                    }
                }
            ]
        }
    },
    "tagServices": [
        "tag1",
        "tag1"
    ],
    "admins": [
        {
            "type": "USER",
            "name": "mark"
        },
        {
            "type": "USER",
            "name": "mark"
        }
    ],
    "auditors": [
        {
            "type": "USER",
            "name": "mark"
        }
    ]
}{code}


> ZoneV2 partial update allows duplicate principals and tagServices
> -
>
> Key: RANGER-4486
> URL: https://issues.apache.org/jira/browse/RANGER-4486
> Project: Ranger
>  Issue Type: Bug
>  Components: admin
>Reporter: Subhrat Chaudhary
>Assignee: Subhrat Chaudhary
>Priority: Major
>
> In RANGER-4398 , we added support for incremental updates with the PUT API - 
> /service/public/v2/api/zones-v2/\{zoneId}/partial. This allows addition of 
> duplicate principals (admin and auditor UGR) and tagServices.
> Steps to reproduce. Create a security-zone and update with above PUT API:
> {code:java}
> {
>     "id": 5,
>     "isEnabled": true,
>     "createdBy": "Admin",
>     "updatedBy": "Admin",
>     "createTime": 1697718906795,
>     "updateTime": 1697718906796,
>     "name": "zone10",
>     "servic

[jira] [Updated] (RANGER-4486) ZoneV2 partial update allows duplicate principals and tagServices

2023-10-19 Thread Subhrat Chaudhary (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4486?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Subhrat Chaudhary updated RANGER-4486:
--
Summary: ZoneV2 partial update allows duplicate principals and tagServices  
(was: ZoneV2 partial update allows duplicate users and tagServices)

> ZoneV2 partial update allows duplicate principals and tagServices
> -
>
> Key: RANGER-4486
> URL: https://issues.apache.org/jira/browse/RANGER-4486
> Project: Ranger
>  Issue Type: Bug
>  Components: admin
>Reporter: Subhrat Chaudhary
>Assignee: Subhrat Chaudhary
>Priority: Major
>
> In RANGER-4398 , we added support for incremental updates with the PUT API - 
> /service/public/v2/api/zones-v2/\{zoneId}/partial. This allows addition of 
> duplicate adminUsers, auditorUser and tagServices.
> Steps to reproduce. Create a security-zone and update with above PUT API:
> {code:java}
> {
>     "id": 5,
>     "isEnabled": true,
>     "createdBy": "Admin",
>     "updatedBy": "Admin",
>     "createTime": 1697718906795,
>     "updateTime": 1697718906796,
>     "name": "zone10",
>     "services": {
>         "hive1": {
>             "resources": [
>                 {
>                     "id": 1,
>                     "resource": {
>                         "database": [
>                             "db10"
>                         ]
>                     }
>                 }
>             ]
>         }
>     },
>     "tagServicesToAdd": [
>         "tag1"
>     ],
>     "adminsToAdd": [
>         {
>             "type": "USER",
>             "name": "mark"
>         }
>     ]
> }{code}
> If we call the same API with same request again, it creates duplicate 
> adminUser and tagService as below:
> {code:java}
> {
>     "id": 5,
>     "isEnabled": true,
>     "createdBy": "Admin",
>     "updatedBy": "Admin",
>     "createTime": 1697718906795,
>     "updateTime": 1697719001243,
>     "name": "zone10",
>     "services": {
>         "hive1": {
>             "resources": [
>                 {
>                     "id": 1,
>                     "resource": {
>                         "database": [
>                             "db10"
>                         ]
>                     }
>                 }
>             ]
>         }
>     },
>     "tagServices": [
>         "tag1",
>         "tag1"
>     ],
>     "admins": [
>         {
>             "type": "USER",
>             "name": "mark"
>         },
>         {
>             "type": "USER",
>             "name": "mark"
>         }
>     ],
>     "auditors": [
>         {
>             "type": "USER",
>             "name": "mark"
>         }
>     ]
> }{code}





[jira] [Created] (RANGER-4486) ZoneV2 partial update allows duplicate users and tagServices

2023-10-19 Thread Subhrat Chaudhary (Jira)
Subhrat Chaudhary created RANGER-4486:
-

 Summary: ZoneV2 partial update allows duplicate users and 
tagServices
 Key: RANGER-4486
 URL: https://issues.apache.org/jira/browse/RANGER-4486
 Project: Ranger
  Issue Type: Bug
  Components: admin
Reporter: Subhrat Chaudhary
Assignee: Subhrat Chaudhary


In RANGER-4398 , we added support for incremental updates with the PUT API - 
/service/public/v2/api/zones-v2/\{zoneId}/partial. This allows addition of 
duplicate adminUsers, auditorUser and tagServices.

Steps to reproduce. Create a security-zone and update with above PUT API:
{code:java}
{
    "id": 5,
    "isEnabled": true,
    "createdBy": "Admin",
    "updatedBy": "Admin",
    "createTime": 1697718906795,
    "updateTime": 1697718906796,
    "name": "zone10",
    "services": {
        "hive1": {
            "resources": [
                {
                    "id": 1,
                    "resource": {
                        "database": [
                            "db10"
                        ]
                    }
                }
            ]
        }
    },
    "tagServicesToAdd": [
        "tag1"
    ],
    "adminsToAdd": [
        {
            "type": "USER",
            "name": "mark"
        }
    ]
}{code}
If we call the same API with same request again, it creates duplicate adminUser 
and tagService as below:
{code:java}
{
    "id": 5,
    "isEnabled": true,
    "createdBy": "Admin",
    "updatedBy": "Admin",
    "createTime": 1697718906795,
    "updateTime": 1697719001243,
    "name": "zone10",
    "services": {
        "hive1": {
            "resources": [
                {
                    "id": 1,
                    "resource": {
                        "database": [
                            "db10"
                        ]
                    }
                }
            ]
        }
    },
    "tagServices": [
        "tag1",
        "tag1"
    ],
    "admins": [
        {
            "type": "USER",
            "name": "mark"
        },
        {
            "type": "USER",
            "name": "mark"
        }
    ],
    "auditors": [
        {
            "type": "USER",
            "name": "mark"
        }
    ]
}{code}





[jira] [Updated] (RANGER-4485) refactor condition evaluator instantiation to avoid duplicate code

2023-10-19 Thread Madhan Neethiraj (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4485?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Madhan Neethiraj updated RANGER-4485:
-
Attachment: RANGER-4485.patch

> refactor condition evaluator instantiation to avoid duplicate code
> --
>
> Key: RANGER-4485
> URL: https://issues.apache.org/jira/browse/RANGER-4485
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Reporter: Madhan Neethiraj
>Assignee: Madhan Neethiraj
>Priority: Major
> Fix For: 3.0.0
>
> Attachments: RANGER-4485.patch
>
>
> Policy engine uses methods in RangerCustomerConditionEvaluator to instantiate 
> condition evaluators. These methods can be refactored to avoid code 
> duplication and to make these methods useable outside of conditions in 
> policies - for example in GDS (RANGER-3923).





Review Request 74685: RANGER-4485: refactored condition evaluator instantiation to avoid duplicate code

2023-10-19 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74685/
---

Review request for ranger, Ankita Sinha, Kishor Gollapalliwar, Abhay Kulkarni, 
Monika Kachhadiya, Pradeep Agrawal, Prashant Satam, Ramesh Mani, and Subhrat 
Chaudhary.


Bugs: RANGER-4485
https://issues.apache.org/jira/browse/RANGER-4485


Repository: ranger


Description
---

refactored instantiation of conditions evaluators in 
RangerCustomerConditionEvaluator to avoid code duplication


Diffs
-

  
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCustomConditionEvaluator.java 6f15eed8e
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 8e908f6a9
  agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 2528aeafa
  agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java 53eb0f81e
  security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 83f662518
  security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java dcbfbfdc2
  security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefService.java 31f698292


Diff: https://reviews.apache.org/r/74685/diff/1/


Testing
---

- verified that all existing tests pass successfully


Thanks,

Madhan Neethiraj



[jira] [Assigned] (RANGER-4485) refactor condition evaluator instantiation to avoid duplicate code

2023-10-19 Thread Madhan Neethiraj (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4485?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Madhan Neethiraj reassigned RANGER-4485:


Assignee: Madhan Neethiraj

> refactor condition evaluator instantiation to avoid duplicate code
> --
>
> Key: RANGER-4485
> URL: https://issues.apache.org/jira/browse/RANGER-4485
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Reporter: Madhan Neethiraj
>Assignee: Madhan Neethiraj
>Priority: Major
>
> Policy engine uses methods in RangerCustomerConditionEvaluator to instantiate 
> condition evaluators. These methods can be refactored to avoid code 
> duplication and to make these methods useable outside of conditions in 
> policies - for example in GDS (RANGER-3923).





[jira] [Created] (RANGER-4485) refactor condition evaluator instantiation to avoid duplicate code

2023-10-19 Thread Madhan Neethiraj (Jira)
Madhan Neethiraj created RANGER-4485:


 Summary: refactor condition evaluator instantiation to avoid 
duplicate code
 Key: RANGER-4485
 URL: https://issues.apache.org/jira/browse/RANGER-4485
 Project: Ranger
  Issue Type: Improvement
  Components: plugins
Reporter: Madhan Neethiraj


Policy engine uses methods in RangerCustomerConditionEvaluator to instantiate 
condition evaluators. These methods can be refactored to avoid code duplication 
and to make these methods useable outside of conditions in policies - for 
example in GDS (RANGER-3923).





[jira] [Updated] (RANGER-4482) Upgrade Tomcat to 8.5.94 (for CVE fixes) in all Ranger services

2023-10-19 Thread Sanket Shelar (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4482?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sanket Shelar updated RANGER-4482:
--
Attachment: 0001-RANGER-4482.patch

> Upgrade Tomcat to 8.5.94 (for CVE fixes) in all Ranger services
> ---
>
> Key: RANGER-4482
> URL: https://issues.apache.org/jira/browse/RANGER-4482
> Project: Ranger
>  Issue Type: Task
>  Components: Ranger
>Reporter: Sanket Shelar
>Assignee: Sanket Shelar
>Priority: Major
> Attachments: 0001-RANGER-4482.patch
>
>
> Tomcat needs to be upgraded to 8.5.94 to address the below CVEs.
> CVE-2023-45648
> [https://nvd.nist.gov/vuln/detail/CVE-2023-45648]
> CVE-2023-42795
> [https://nvd.nist.gov/vuln/detail/CVE-2023-42795]
> CVE-2023-42794
> [https://nvd.nist.gov/vuln/detail/CVE-2023-42794]





Review Request 74684: RANGER-4482: Upgrade Tomcat to 8.5.94 (for CVE fixes) in all Ranger services

2023-10-19 Thread sanket shelar

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74684/
---

Review request for ranger, Dineshkumar Yadav, Kishor Gollapalliwar, Abhay 
Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Sailaja Polavarapu, 
and Velmurugan Periasamy.


Bugs: RANGER-4482
https://issues.apache.org/jira/browse/RANGER-4482


Repository: ranger


Description
---

Tomcat needs to be upgraded to 8.5.94 to address the below CVEs.

CVE-2023-45648
https://nvd.nist.gov/vuln/detail/CVE-2023-45648
CVE-2023-42795
https://nvd.nist.gov/vuln/detail/CVE-2023-42795
CVE-2023-42794
https://nvd.nist.gov/vuln/detail/CVE-2023-42794


Diffs
-

  pom.xml 115580ada 


Diff: https://reviews.apache.org/r/74684/diff/1/


Testing
---


Thanks,

sanket shelar



[jira] [Commented] (RANGER-4418) Upgrade hadoop version and use shaded hadoop client artifacts

2023-10-19 Thread Bhavik Patel (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-4418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=1190#comment-1190
 ] 

Bhavik Patel commented on RANGER-4418:
--

How did you validate your changes?

> Upgrade hadoop version and use shaded hadoop client artifacts
> -
>
> Key: RANGER-4418
> URL: https://issues.apache.org/jira/browse/RANGER-4418
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Affects Versions: 2.3.0, 2.4.0
> Reporter: YUBI LEE
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> - Upgrade the hadoop version Ranger uses.
> - Try to use shaded hadoop client artifacts if possible.
> Related issue: https://issues.apache.org/jira/browse/HADOOP-11804
> If shaded hadoop client artifacts ({{hadoop-client-api}}, 
> {{hadoop-client-runtime}}) are used, Ranger will be free to use any version 
> of thirdparty libraries without collision.
> I will make a pull request soon.





Re: Review Request 74678: RANGER:4397:API to get DataShare id, name, description List

2023-10-19 Thread Prashant Satam


> On Oct. 18, 2023, 9:01 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
> > Line 1385 (original), 1386 (patched)
> > 
> >
> > Instead of treating excludeDatasetId as a boolean flag, consider using 
> > this query-parameter to specify that datasetId that needs to be excluded. 
> > This should be used in the database query to exclude this dataset (with use 
> > of "!=" operator).

After getting dataShares != datasetId from the dataShareInDataset service, the 
result will require more queries to complete, as what we need is:
 *) get dataShares which are not mapped to any dataset AND existing mapped 
datashares {to the datasetId} having status (DENIED, NONE)


- Prashant


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74678/#review225872
---


On Oct. 18, 2023, 8:53 a.m., Prashant Satam wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74678/
> ---
> 
> (Updated Oct. 18, 2023, 8:53 a.m.)
> 
> 
> Review request for ranger, Anand Nadar, Ankita Sinha, Madhan Neethiraj, 
> Monika Kachhadiya, and Subhrat Chaudhary.
> 
> 
> Bugs: RANGER-4397
> https://issues.apache.org/jira/browse/RANGER-4397
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Dataset Details >> Add a Datashare >> List Datashares pop up,
> Need a GET API to get all datashares, based on LIST ACL for current user
> Exclude existing one for which request is available in GRANTED, ACTIVE, 
> REQUESTED states 
> Response: id, Name, Description
> Request: datasetId, excludeExistingDataShare
> Filter: partial search on datashare name, Pagination
> 
> 
> Diffs
> -
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 
> 93bd7f73d 
>   security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java 
> 10986823d 
>   security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 
> 719d8a900 
>   
> security-admin/src/main/java/org/apache/ranger/db/XXGdsDataShareInDatasetDao.java
>  7637b275d 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml 547913488 
> 
> 
> Diff: https://reviews.apache.org/r/74678/diff/3/
> 
> 
> Testing
> ---
> 
> 1)Create 1 dataset
> 2)create multiple dataShares
> 3)Link datasets to dataShares with status as ACTIVE as well as DENIED
> 4)Get dataShares by GET-API(/service/gds/datashare/) using query param 
> excludeDatasetId=true
> 5)You will only get dataShares which are not mapped to any dataset and 
> existing mapped datashares having status(DENIED,NONE)
> 
> Request-> 
> (/service/gds/datashare/?excludeDatasetId=true&datasetId=1&dataShareNamePartial=RangerDataShare11)
> Response>
> {
> "startIndex": 0,
> "pageSize": 200,
> "totalCount": 1,
> "resultSize": 1,
> "sortType": "dataShareId",
> "sortBy": "asc",
> "queryTimeMS": 1697525773619,
> "list": [
> {
> "id": 3,
> "guid": "cb7a8d8e-b082-4c4c-98c7-25b204e8b83c",
> "isEnabled": true,
> "createdBy": "Admin",
> "updatedBy": "Admin",
> "createTime": 1697525717000,
> "updateTime": 1697525717000,
> "version": 1,
> "name": "RangerDataShare11",
> "acl": {
> "users": {
> "admin": "ADMIN"
> }
> },
> "service": "Ranger_hive",
> "zone": " "
> }
> ],
> "listSize": 1
> }
> 
> 
> Thanks,
> 
> Prashant Satam
> 
>



[jira] [Updated] (RANGER-4023) UserStoreEnricher is not enabled if only mask condition has attribute based expression

2023-10-19 Thread Subhrat Chaudhary (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4023?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Subhrat Chaudhary updated RANGER-4023:
--
Description: 
We added the support for user/attribute based expressions in masking condition 
in RANGER-3865. When only the mask condition has a user/group attribute based 
expression, RangerUserStoreEnricher is not enabled in plugin end.

Steps to reproduce (for Hive):
 * Create a resource based access policy:
 ** Resources: database=testdb, table=employee, column=*
 ** Allow condition policy item: group=public, permissions=select
 * Create a masking policy:
 ** Resources: database=testdb, table=employee, column=salary
 ** Allow condition policy item: group=public, permissions=select
 ** *Masking Option= Custom (CASE WHEN id IN (${{{}USER.employee_id{}}}) THEN 
salary ELSE '0' END)*
 * Add following attributes to the user jack:
 ** *employee_id : 1,2*
 * We have following data in Hive:
 ** 
||id||name||salary||
|1|john|5600|
|2|jane|5300|
|3|jack|6700|
|4|harry|9500|

 * When *select * from testdb.employee;* query is executed (as the user jack), 
the expectation is {*}salary of the employee john and jane should be displayed 
as it is, while for others it should be 0{*}. In actual result, salary of all 
the employees is '0'.
 * In plugin end, the RangerUserstore cache file userstore.json is not created.

  was:
We added the support for user/attribute based expressions in masking condition 
in RANGER-3865. When only the mask condition has a user/group attribute based 
expression, RangerUserStoreEnricher is not enabled in plugin end.

Steps to reproduce (for Hive):
 * Create a resource based access policy:
 ** Resources: database=testdb, table=employee, column=*
 ** Allow condition policy item: group=public, permissions=select
 * Create a masking policy:
 ** Resources: database=testdb, table=employee, column=salary
 ** Allow condition policy item: group=public, permissions=select
 ** *Masking Option= Custom (CASE WHEN id IN (${{{}USER.employee_id{}}}) THEN 
salary ELSE '0' END)*
 * Add following attributes to the user jack:
 ** *employee_id : 1,2*
 * We have following data in Hive:
 ** 
||id||name||salary||
|1|john|5600|
|2|jane|5300|
|3|jack|6700|
|4|harry|9500|

 * When *select * from testdb.employee;* query is executed, the expectation is 
{*}salary of the employee john and jane should be displayed as it is, while for 
others it should be 0{*}. In actual result, salary of all the employees is '0'.
 * In plugin end, the RangerUserstore cache file userstore.json is not created.


> UserStoreEnricher is not enabled if only mask condition has attribute based 
> expression
> -
>
> Key: RANGER-4023
> URL: https://issues.apache.org/jira/browse/RANGER-4023
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Subhrat Chaudhary
> Assignee: Subhrat Chaudhary
> Priority: Major
> Fix For: 3.0.0, 2.4.1
>
>
> We added the support for user/attribute based expressions in masking 
> condition in RANGER-3865. When only the mask condition has a user/group 
> attribute based expression, RangerUserStoreEnricher is not enabled in plugin 
> end.
> Steps to reproduce (for Hive):
>  * Create a resource based access policy:
>  ** Resources: database=testdb, table=employee, column=*
>  ** Allow condition policy item: group=public, permissions=select
>  * Create a masking policy:
>  ** Resources: database=testdb, table=employee, column=salary
>  ** Allow condition policy item: group=public, permissions=select
>  ** *Masking Option= Custom (CASE WHEN id IN (${{{}USER.employee_id{}}}) THEN 
> salary ELSE '0' END)*
>  * Add following attributes to the user jack:
>  ** *employee_id : 1,2*
>  * We have following data in Hive:
>  ** 
> ||id||name||salary||
> |1|john|5600|
> |2|jane|5300|
> |3|jack|6700|
> |4|harry|9500|
>  * When *select * from testdb.employee;* query is executed (as the user 
> jack), the expectation is {*}salary of the employee john and jane should be 
> displayed as it is, while for others it should be 0{*}. In actual result, 
> salary of all the employees is '0'.
>  * In plugin end, the RangerUserstore cache file userstore.json is not 
> created.



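An audit sketch for the situation RANGER-4023 describes, added here as an example and not Ranger's own code: it scans an exported policy list for masking policies whose custom value expression references a user attribute while no policy condition in the set does. The JSON field names (`policyItems`, `dataMaskPolicyItems`, `conditions`, `dataMaskInfo.valueExpr`), the policy names and the macro written without Jira's escape braces are assumptions.

```python
import re

# User-attribute macro as in the masking option above, e.g. ${{USER.employee_id}}.
# Other macro prefixes can be added to the pattern if your policies use them.
USER_ATTR = re.compile(r"\$\{\{\s*USER\.\w+\s*\}\}")


def _refs(text):
    """True if the string contains a user-attribute macro."""
    return bool(text) and USER_ATTR.search(text) is not None


def condition_refs(policy):
    """True if any policy-item condition value references a user attribute."""
    items = policy.get("policyItems", []) + policy.get("dataMaskPolicyItems", [])
    return any(_refs(value)
               for item in items
               for cond in item.get("conditions", [])
               for value in cond.get("values", []))


def mask_refs(policy):
    """True if a masking item's value expression references a user attribute."""
    return any(_refs(item.get("dataMaskInfo", {}).get("valueExpr"))
               for item in policy.get("dataMaskPolicyItems", []))


def mask_only_attribute_use(policies):
    """Masking policies that reference user attributes while no policy
    condition in the set does, i.e. the situation this issue describes."""
    if any(condition_refs(p) for p in policies):
        return []
    return [p["name"] for p in policies if mask_refs(p)]


# Constructed sample mirroring the two policies in the steps to reproduce.
POLICIES = [
    {"name": "employee-access",
     "policyItems": [{"groups": ["public"], "conditions": []}]},
    {"name": "employee-salary-mask",
     "dataMaskPolicyItems": [{
         "groups": ["public"], "conditions": [],
         "dataMaskInfo": {
             "dataMaskType": "CUSTOM",
             "valueExpr": "CASE WHEN id IN (${{USER.employee_id}}) "
                          "THEN salary ELSE '0' END"}}]},
]

if __name__ == "__main__":
    print(mask_only_attribute_use(POLICIES))
```

A non-empty result on a plugin version without the fix points at policies whose masked columns would come back as the fallback value for every row, as in the reported result.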