Review Request 74850: RANGER-4669: checking users nested in roles and groups to get datasets shared with users

2024-01-22 Thread Subhrat Chaudhary via Review Board 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74850/
---

Review request for ranger, Anand Nadar, Ankita Sinha, Madhan Neethiraj, Monika 
Kachhadiya, Prashant Satam, and Siddhesh Phatak.


Bugs: RANGER-4669
https://issues.apache.org/jira/browse/RANGER-4669


Repository: ranger


Description
---

When dataset is shared with a user nested in a role i.e. user < group < role, 
and the user calls get dataset API with sharedWithMe=true, the dataset is not 
returned in response. To fix this, we are getting the roles associated with the 
groups associated with the calling user and updating the list of roles 
associated with a user, before the list of role is checked with roles in the 
policy item.


Diffs
-

  security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java 69b43f2dc 
  security-admin/src/main/java/org/apache/ranger/biz/GdsPolicyAdminCache.java 
97d4b2579 
  
security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDBProvider.java
 30d231797 
  
security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidationDataProvider.java
 2c8721e1e 


Diff: https://reviews.apache.org/r/74850/diff/1/


Testing
---

Validated following cases for get dataset API - /gds/dataset?sharedWithMe=true:
1. Dataset shared with group (associated with calling user) is returned in 
response.
2. Dataset shared with role (associated with calling group in case 1) is 
returned in response.
3. Dataset shared with public group (not directly shared with user/group/role 
of the calling user) is returned in response.

Validated all junits are passing.


Thanks,

Subhrat Chaudhary

[jira] [Updated] (RANGER-4671) Noticed a change in Behaviour of DatasetInDataShare Object for 2 cases

2024-01-22 Thread Prashant Satam (Jira) 


 [ 
https://issues.apache.org/jira/browse/RANGER-4671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Prashant Satam updated RANGER-4671:
---
Attachment: (was: image-2024-01-23-12-20-46-315.png)

> Noticed a change in Behaviour of DatasetInDataShare Object for 2 cases
> --
>
> Key: RANGER-4671
> URL: https://issues.apache.org/jira/browse/RANGER-4671
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Prashant Satam
>Assignee: Prashant Satam
>Priority: Major
> Attachments: Regression.png
>
>
> There was change in behaviour of DatasetInDataShare Object for below 
> mentioned 2 cases
> case 1 :    
> 1) create a user with Ranger ROLE as ROLE_USER
> 2)create a dataShare with the same user's account so the user will be 
> dataShare Admin
> 3)create a dataset the above user should be absent in dataset ACL 
> 4)create DatasetInDataShare object for these dataset,dataShare with status as 
> ACTIVE
> 5)update this DatasetInDataShare object  by the above created user's account 
> change the status from ACTIVE to GRANTED the response is 200 expected 
> response is 400 with validation message stating (Not a ADMIN for dataset)
> case 2:    
> 1) create a user with Ranger ROLE as ROLE_USER
> 2)create a dataShare with the same user's account so the user will be 
> dataShare Admin
> 3)create a dataset the above user should be absent in dataset ACL 
> 4)create DatasetInDataShare object for these dataset,dataShare with status as 
> ACTIVE
> 5)update this DatasetInDataShare object  by the above created user's account 
> change the status from ACTIVE to DENIED the response is 200 expected response 
> is 400 with validation message stating (Not a ADMIN for dataset)
> The Below image describes the 2 cases and its behaviour Before the change 
> (currently we get Response as 200 )
> !Regression.png!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (RANGER-4671) Noticed a change in Behaviour of DatasetInDataShare Object for 2 cases

2024-01-22 Thread Prashant Satam (Jira) 


 [ 
https://issues.apache.org/jira/browse/RANGER-4671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Prashant Satam updated RANGER-4671:
---
Attachment: (was: Regression-Behaviour.png)

> Noticed a change in Behaviour of DatasetInDataShare Object for 2 cases
> --
>
> Key: RANGER-4671
> URL: https://issues.apache.org/jira/browse/RANGER-4671
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Prashant Satam
>Assignee: Prashant Satam
>Priority: Major
> Attachments: Regression.png
>
>
> There was change in behaviour of DatasetInDataShare Object for below 
> mentioned 2 cases
> case 1 :    
> 1) create a user with Ranger ROLE as ROLE_USER
> 2)create a dataShare with the same user's account so the user will be 
> dataShare Admin
> 3)create a dataset the above user should be absent in dataset ACL 
> 4)create DatasetInDataShare object for these dataset,dataShare with status as 
> ACTIVE
> 5)update this DatasetInDataShare object  by the above created user's account 
> change the status from ACTIVE to GRANTED the response is 200 expected 
> response is 400 with validation message stating (Not a ADMIN for dataset)
> case 2:    
> 1) create a user with Ranger ROLE as ROLE_USER
> 2)create a dataShare with the same user's account so the user will be 
> dataShare Admin
> 3)create a dataset the above user should be absent in dataset ACL 
> 4)create DatasetInDataShare object for these dataset,dataShare with status as 
> ACTIVE
> 5)update this DatasetInDataShare object  by the above created user's account 
> change the status from ACTIVE to DENIED the response is 200 expected response 
> is 400 with validation message stating (Not a ADMIN for dataset)
> The Below image describes the 2 cases and its behaviour Before the change 
> (currently we get Response as 200 )
> !Regression.png!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Review Request 74852: RANGER-4671 : Noticed a change in Behaviour of DatasetInDataShare Object for 2 cases

2024-01-22 Thread Prashant Satam 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74852/
---

Review request for ranger, Akshay Tupe, Anand Nadar, Ankita Sinha, Madhan 
Neethiraj, Monika Kachhadiya, Siddhesh Phatak, Subhrat Chaudhary, and Vanita 
Ubale.


Bugs: RANGER-4671
https://issues.apache.org/jira/browse/RANGER-4671


Repository: ranger


Description
---

There was change in behaviour of DatasetInDataShare Object for below mentioned 
2 cases

case 1 :

1) create a user with Ranger ROLE as ROLE_USER

2)create a dataShare with the same user's account so the user will be dataShare 
Admin

3)create a dataset the above user should be absent in dataset ACL 

4)create DatasetInDataShare object for these dataset,dataShare with status as 
ACTIVE

5)update this DatasetInDataShare object  by the above created user's account 
change the status from ACTIVE to GRANTED the response is 200 expected response 
is 400 with validation message stating (Not a ADMIN for dataset)

case 2:

1) create a user with Ranger ROLE as ROLE_USER

2)create a dataShare with the same user's account so the user will be dataShare 
Admin

3)create a dataset the above user should be absent in dataset ACL 

4)create DatasetInDataShare object for these dataset,dataShare with status as 
ACTIVE

5)update this DatasetInDataShare object  by the above created user's account 
change the status from ACTIVE to DENIED the response is 200 expected response 
is 400 with validation message stating (Not a ADMIN for dataset)


Diffs
-

  
security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
 a42a11ffb 


Diff: https://reviews.apache.org/r/74852/diff/1/


Testing
---

Steps to check :
For the above mentioned 2 cases we get response as 400 with validation message 
stating 
(Not a Dataset Admin)

Response Message

 "msgDesc": "[ Validation failure: error code[4106], reason[User [Test-User-6] 
is not an admin for dataset [Test_Dataset1]], field[null], subfield[null], 
type[]]"


Thanks,

Prashant Satam

[jira] [Updated] (RANGER-4671) Noticed a change in Behaviour of DatasetInDataShare Object for 2 cases

2024-01-22 Thread Prashant Satam (Jira) 


 [ 
https://issues.apache.org/jira/browse/RANGER-4671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Prashant Satam updated RANGER-4671:
---
Description: 
There was change in behaviour of DatasetInDataShare Object for below mentioned 
2 cases

case 1 :    

1) create a user with Ranger ROLE as ROLE_USER

2)create a dataShare with the same user's account so the user will be dataShare 
Admin

3)create a dataset the above user should be absent in dataset ACL 

4)create DatasetInDataShare object for these dataset,dataShare with status as 
ACTIVE

5)update this DatasetInDataShare object  by the above created user's account 
change the status from ACTIVE to GRANTED the response is 200 expected response 
is 400 with validation message stating (Not a ADMIN for dataset)

case 2:    

1) create a user with Ranger ROLE as ROLE_USER

2)create a dataShare with the same user's account so the user will be dataShare 
Admin

3)create a dataset the above user should be absent in dataset ACL 

4)create DatasetInDataShare object for these dataset,dataShare with status as 
ACTIVE

5)update this DatasetInDataShare object  by the above created user's account 
change the status from ACTIVE to DENIED the response is 200 expected response 
is 400 with validation message stating (Not a ADMIN for dataset)

The Below image describes the 2 cases and its behaviour Before the change 
(currently we get Response as 200 )

!Regression.png!

  was:
There was change in behaviour of DatasetInDataShare Object for below mentioned 
2 cases

case 1 :    

1) create a user with Ranger ROLE as ROLE_USER

2)create a dataShare with the same user's account so the user will be dataShare 
Admin

3)create a dataset the above user should be absent in dataset ACL 

4)create DatasetInDataShare object for these dataset,dataShare with status as 
ACTIVE

5)update this DatasetInDataShare object  by the above created user's account 
change the status from ACTIVE to GRANTED the response is 200 expected response 
is 400 with validation message stating (Not a ADMIN for dataset)

case 2:    

1) create a user with Ranger ROLE as ROLE_USER

2)create a dataShare with the same user's account so the user will be dataShare 
Admin

3)create a dataset the above user should be absent in dataset ACL 

4)create DatasetInDataShare object for these dataset,dataShare with status as 
ACTIVE

5)update this DatasetInDataShare object  by the above created user's account 
change the status from ACTIVE to DENIED the response is 200 expected response 
is 400 with validation message stating (Not a ADMIN for dataset)

 

!image-2024-01-23-12-20-46-315.png!


> Noticed a change in Behaviour of DatasetInDataShare Object for 2 cases
> --
>
> Key: RANGER-4671
> URL: https://issues.apache.org/jira/browse/RANGER-4671
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Prashant Satam
>Assignee: Prashant Satam
>Priority: Major
> Attachments: Regression-Behaviour.png, Regression.png, 
> image-2024-01-23-12-20-46-315.png
>
>
> There was change in behaviour of DatasetInDataShare Object for below 
> mentioned 2 cases
> case 1 :    
> 1) create a user with Ranger ROLE as ROLE_USER
> 2)create a dataShare with the same user's account so the user will be 
> dataShare Admin
> 3)create a dataset the above user should be absent in dataset ACL 
> 4)create DatasetInDataShare object for these dataset,dataShare with status as 
> ACTIVE
> 5)update this DatasetInDataShare object  by the above created user's account 
> change the status from ACTIVE to GRANTED the response is 200 expected 
> response is 400 with validation message stating (Not a ADMIN for dataset)
> case 2:    
> 1) create a user with Ranger ROLE as ROLE_USER
> 2)create a dataShare with the same user's account so the user will be 
> dataShare Admin
> 3)create a dataset the above user should be absent in dataset ACL 
> 4)create DatasetInDataShare object for these dataset,dataShare with status as 
> ACTIVE
> 5)update this DatasetInDataShare object  by the above created user's account 
> change the status from ACTIVE to DENIED the response is 200 expected response 
> is 400 with validation message stating (Not a ADMIN for dataset)
> The Below image describes the 2 cases and its behaviour Before the change 
> (currently we get Response as 200 )
> !Regression.png!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (RANGER-4671) Noticed a change in Behaviour of DatasetInDataShare Object for 2 cases

2024-01-22 Thread Prashant Satam (Jira) 


 [ 
https://issues.apache.org/jira/browse/RANGER-4671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Prashant Satam updated RANGER-4671:
---
Attachment: Regression.png

> Noticed a change in Behaviour of DatasetInDataShare Object for 2 cases
> --
>
> Key: RANGER-4671
> URL: https://issues.apache.org/jira/browse/RANGER-4671
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Prashant Satam
>Assignee: Prashant Satam
>Priority: Major
> Attachments: Regression-Behaviour.png, Regression.png, 
> image-2024-01-23-12-20-46-315.png
>
>
> There was change in behaviour of DatasetInDataShare Object for below 
> mentioned 2 cases
> case 1 :    
> 1) create a user with Ranger ROLE as ROLE_USER
> 2)create a dataShare with the same user's account so the user will be 
> dataShare Admin
> 3)create a dataset the above user should be absent in dataset ACL 
> 4)create DatasetInDataShare object for these dataset,dataShare with status as 
> ACTIVE
> 5)update this DatasetInDataShare object  by the above created user's account 
> change the status from ACTIVE to GRANTED the response is 200 expected 
> response is 400 with validation message stating (Not a ADMIN for dataset)
> case 2:    
> 1) create a user with Ranger ROLE as ROLE_USER
> 2)create a dataShare with the same user's account so the user will be 
> dataShare Admin
> 3)create a dataset the above user should be absent in dataset ACL 
> 4)create DatasetInDataShare object for these dataset,dataShare with status as 
> ACTIVE
> 5)update this DatasetInDataShare object  by the above created user's account 
> change the status from ACTIVE to DENIED the response is 200 expected response 
> is 400 with validation message stating (Not a ADMIN for dataset)
>  
> !image-2024-01-23-12-20-46-315.png!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (RANGER-4671) Noticed a change in Behaviour of DatasetInDataShare Object for 2 cases

2024-01-22 Thread Prashant Satam (Jira) 


 [ 
https://issues.apache.org/jira/browse/RANGER-4671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Prashant Satam updated RANGER-4671:
---
Attachment: Regression-Behaviour.png

> Noticed a change in Behaviour of DatasetInDataShare Object for 2 cases
> --
>
> Key: RANGER-4671
> URL: https://issues.apache.org/jira/browse/RANGER-4671
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Prashant Satam
>Assignee: Prashant Satam
>Priority: Major
> Attachments: Regression-Behaviour.png, 
> image-2024-01-23-12-20-46-315.png
>
>
> There was change in behaviour of 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (RANGER-4671) Noticed a change in Behaviour of DatasetInDataShare Object for 2 cases

2024-01-22 Thread Prashant Satam (Jira) 


 [ 
https://issues.apache.org/jira/browse/RANGER-4671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Prashant Satam updated RANGER-4671:
---
Attachment: image-2024-01-23-12-20-46-315.png

> Noticed a change in Behaviour of DatasetInDataShare Object for 2 cases
> --
>
> Key: RANGER-4671
> URL: https://issues.apache.org/jira/browse/RANGER-4671
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Prashant Satam
>Assignee: Prashant Satam
>Priority: Major
> Attachments: Regression-Behaviour.png, 
> image-2024-01-23-12-20-46-315.png
>
>
> There was change in behaviour of 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (RANGER-4671) Noticed a change in Behaviour of DatasetInDataShare Object for 2 cases

2024-01-22 Thread Prashant Satam (Jira) 


 [ 
https://issues.apache.org/jira/browse/RANGER-4671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Prashant Satam updated RANGER-4671:
---
Description: 
There was change in behaviour of DatasetInDataShare Object for below mentioned 
2 cases

case 1 :    

1) create a user with Ranger ROLE as ROLE_USER

2)create a dataShare with the same user's account so the user will be dataShare 
Admin

3)create a dataset the above user should be absent in dataset ACL 

4)create DatasetInDataShare object for these dataset,dataShare with status as 
ACTIVE

5)update this DatasetInDataShare object  by the above created user's account 
change the status from ACTIVE to GRANTED the response is 200 expected response 
is 400 with validation message stating (Not a ADMIN for dataset)

case 2:    

1) create a user with Ranger ROLE as ROLE_USER

2)create a dataShare with the same user's account so the user will be dataShare 
Admin

3)create a dataset the above user should be absent in dataset ACL 

4)create DatasetInDataShare object for these dataset,dataShare with status as 
ACTIVE

5)update this DatasetInDataShare object  by the above created user's account 
change the status from ACTIVE to DENIED the response is 200 expected response 
is 400 with validation message stating (Not a ADMIN for dataset)

 

!image-2024-01-23-12-20-46-315.png!

  was:There was change in behaviour of 


> Noticed a change in Behaviour of DatasetInDataShare Object for 2 cases
> --
>
> Key: RANGER-4671
> URL: https://issues.apache.org/jira/browse/RANGER-4671
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Prashant Satam
>Assignee: Prashant Satam
>Priority: Major
> Attachments: Regression-Behaviour.png, 
> image-2024-01-23-12-20-46-315.png
>
>
> There was change in behaviour of DatasetInDataShare Object for below 
> mentioned 2 cases
> case 1 :    
> 1) create a user with Ranger ROLE as ROLE_USER
> 2)create a dataShare with the same user's account so the user will be 
> dataShare Admin
> 3)create a dataset the above user should be absent in dataset ACL 
> 4)create DatasetInDataShare object for these dataset,dataShare with status as 
> ACTIVE
> 5)update this DatasetInDataShare object  by the above created user's account 
> change the status from ACTIVE to GRANTED the response is 200 expected 
> response is 400 with validation message stating (Not a ADMIN for dataset)
> case 2:    
> 1) create a user with Ranger ROLE as ROLE_USER
> 2)create a dataShare with the same user's account so the user will be 
> dataShare Admin
> 3)create a dataset the above user should be absent in dataset ACL 
> 4)create DatasetInDataShare object for these dataset,dataShare with status as 
> ACTIVE
> 5)update this DatasetInDataShare object  by the above created user's account 
> change the status from ACTIVE to DENIED the response is 200 expected response 
> is 400 with validation message stating (Not a ADMIN for dataset)
>  
> !image-2024-01-23-12-20-46-315.png!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (RANGER-4671) Noticed a change in Behaviour of DatasetInDataShare Object for 2 cases

2024-01-22 Thread Prashant Satam (Jira) 


 [ 
https://issues.apache.org/jira/browse/RANGER-4671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Prashant Satam updated RANGER-4671:
---
Description: There was change in behaviour of 

> Noticed a change in Behaviour of DatasetInDataShare Object for 2 cases
> --
>
> Key: RANGER-4671
> URL: https://issues.apache.org/jira/browse/RANGER-4671
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Prashant Satam
>Assignee: Prashant Satam
>Priority: Major
>
> There was change in behaviour of 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Assigned] (RANGER-4671) Noticed a change in Behaviour of DatasetInDataShare Object for 2 cases

2024-01-22 Thread Prashant Satam (Jira) 


 [ 
https://issues.apache.org/jira/browse/RANGER-4671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Prashant Satam reassigned RANGER-4671:
--

Assignee: Prashant Satam

> Noticed a change in Behaviour of DatasetInDataShare Object for 2 cases
> --
>
> Key: RANGER-4671
> URL: https://issues.apache.org/jira/browse/RANGER-4671
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Prashant Satam
>Assignee: Prashant Satam
>Priority: Major
>




--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (RANGER-4671) Noticed a change in Behaviour of DatasetInDataShare Object for 2 cases

2024-01-22 Thread Prashant Satam (Jira) 
Prashant Satam created RANGER-4671:
--

 Summary: Noticed a change in Behaviour of DatasetInDataShare 
Object for 2 cases
 Key: RANGER-4671
 URL: https://issues.apache.org/jira/browse/RANGER-4671
 Project: Ranger
  Issue Type: Improvement
  Components: Ranger
Reporter: Prashant Satam






--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Re: Review Request 74849: RANGER-4654 : Handle Dataset and Datashare creation errors gracefully

2024-01-22 Thread Madhan Neethiraj 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74849/#review226168
---


Ship it!




Ship It!

- Madhan Neethiraj


On Jan. 22, 2024, 1:29 p.m., Abhishek Patil wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74849/
> ---
> 
> (Updated Jan. 22, 2024, 1:29 p.m.)
> 
> 
> Review request for ranger, Brijesh Bhalala, Dhaval Rajpara, Madhan Neethiraj, 
> Mehul Parikh, Mugdha Varadkar, and Ramesh Mani.
> 
> 
> Bugs: RANGER-4654
> https://issues.apache.org/jira/browse/RANGER-4654
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Whenever a datashare or a dataset is being created/updated with a name which 
> is already present,
> then the UI shows "Data not found" message and shows options to return to 
> home page.
> The error has to be handled gracefully.
> Ideally, in such scenarios, the user should be able to modify the dataset / 
> datashare creation form by changing the name and submit the same form with 
> other existing details (This is the behavior with policy / service 
> creation/update form).
> 
> 
> Diffs
> -
> 
>   
> security-admin/src/main/webapp/react-webapp/src/views/GovernedData/Dataset/AddDatasetView.jsx
>  7851e7c26 
>   
> security-admin/src/main/webapp/react-webapp/src/views/GovernedData/Dataset/DatasetDetailLayout.jsx
>  a8857e0eb 
>   
> security-admin/src/main/webapp/react-webapp/src/views/GovernedData/Datashare/AddSharedResourceComp.jsx
>  23c34d2e7 
>   
> security-admin/src/main/webapp/react-webapp/src/views/GovernedData/Datashare/DatashareDetailLayout.jsx
>  b6c83c9cd 
> 
> 
> Diff: https://reviews.apache.org/r/74849/diff/1/
> 
> 
> Testing
> ---
> 
> 1. Dataset creation with an existing name
> Tried to create a dataset with an existing name, an error was shown that a 
> dataset with the same name exists and the page was not redirected to "Data 
> not found".
> The user can go back in the same form and edit the dataset name, and submit 
> the form again, rest of the details are saved.
> 
> 2. Edit the dataset and try to set the name to an existing name
> The form is submitted, but an error is shown that a dataset with an existing 
> name is present, and the user can edit the dataset name.
> The page is not redirected to "Data not found".
> 
> 3. Datashare edit form with an existing datashare name
> The form is submitted, but an error is shown that a dataset with an existing 
> name is present, and the user can edit the datashare name.
> The page is not redirected to "Data not found".
> 
> 4. Datashare create form with an existing datatshare name
> No changes to this form as the issue was already handled.
> The page does not redirect to "Data not found".
> 
> 5. Shared resource creation with an existing resource name
> Earlier, if a user tried creating a shared resource with an existing name,
> the error message displayed was "Validation failure", and it was not 
> descriptive.
> The issue has been fixed to display the proper error message.
> 
> 
> Thanks,
> 
> Abhishek Patil
> 
>

Re: Review Request 74841: RANGER-4662 : GdsVersion should update after deleting user, group

2024-01-22 Thread Madhan Neethiraj 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74841/#review226167
---


Ship it!




Ship It!

- Madhan Neethiraj


On Jan. 18, 2024, 6:51 a.m., Prashant Satam wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74841/
> ---
> 
> (Updated Jan. 18, 2024, 6:51 a.m.)
> 
> 
> Review request for ranger, Akshay Tupe, Anand Nadar, Ankita Sinha, Madhan 
> Neethiraj, Monika Kachhadiya, Siddhesh Phatak, Subhrat Chaudhary, and Vanita 
> Ubale.
> 
> 
> Bugs: RANGER-4662
> https://issues.apache.org/jira/browse/RANGER-4662
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Currently when we delete user,group which is referenced in gds policy then 
> GdsVersion (can check by GET API /service/gds/download/{serviceName})is not 
> updated after the action it needs to be updated.
> 
> Steps :
> 
> 1)create a user and resource service 
> 
> 2)create a dataset , and dataShare (with the resource service),and a 
> sharedResource (with dataShare),also create mapping of dataset with dataShare 
> as ACTIVE
> 
> 3)create a GDS policy for the dataset
> 
> 4)Update dataset policy and add created user to it for this actions the 
> GdsVersion is updated we can check by (GET API 
> /service/gds/download/{serviceName})
> 
> 5)but when we delete the created user which is in Gds dataset policy then the 
> GdsVersion is not updated we need to update it
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 287400259 
>   security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java 
> ce48c8279 
> 
> 
> Diff: https://reviews.apache.org/r/74841/diff/1/
> 
> 
> Testing
> ---
> 
> Steps to check :
> 1)create a user and resource service 
> 
> 2)create a dataset , and dataShare (with the resource service),and a 
> sharedResource (with dataShare),also create mapping of dataset with dataShare 
> as ACTIVE
> 
> 3)create a GDS policy for the dataset
> 
> 4)Update dataset policy and add created user to it 
> 
> 5)when we delete the created user then the GdsVersion is updated
> 
> 
> Thanks,
> 
> Prashant Satam
> 
>

[jira] [Created] (RANGER-4670) Hbase plugin configurable authorization level (table, column family, column)

2024-01-22 Thread Fateh Singh (Jira) 
Fateh Singh created RANGER-4670:
---

 Summary: Hbase plugin configurable authorization level (table, 
column family, column)
 Key: RANGER-4670
 URL: https://issues.apache.org/jira/browse/RANGER-4670
 Project: Ranger
  Issue Type: Improvement
  Components: Ranger
Reporter: Fateh Singh
Assignee: Fateh Singh


Currently hbase plugin authoirization at table, column family and column level 
which causes slowness when large number of columns exist. Having a 
configuration to short circuit this authorization at different levels based on 
customer need can provide performance gains.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Review Request 74849: RANGER-4654 : Handle Dataset and Datashare creation errors gracefully

2024-01-22 Thread Abhishek Patil 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74849/
---

Review request for ranger, Brijesh Bhalala, Dhaval Rajpara, Madhan Neethiraj, 
Mehul Parikh, Mugdha Varadkar, and Ramesh Mani.


Bugs: RANGER-4654
https://issues.apache.org/jira/browse/RANGER-4654


Repository: ranger


Description
---

Whenever a datashare or a dataset is being created/updated with a name which is 
already present,
then the UI shows "Data not found" message and shows options to return to home 
page.
The error has to be handled gracefully.
Ideally, in such scenarios, the user should be able to modify the dataset / 
datashare creation form by changing the name and submit the same form with 
other existing details (This is the behavior with policy / service 
creation/update form).


Diffs
-

  
security-admin/src/main/webapp/react-webapp/src/views/GovernedData/Dataset/AddDatasetView.jsx
 7851e7c26 
  
security-admin/src/main/webapp/react-webapp/src/views/GovernedData/Dataset/DatasetDetailLayout.jsx
 a8857e0eb 
  
security-admin/src/main/webapp/react-webapp/src/views/GovernedData/Datashare/AddSharedResourceComp.jsx
 23c34d2e7 
  
security-admin/src/main/webapp/react-webapp/src/views/GovernedData/Datashare/DatashareDetailLayout.jsx
 b6c83c9cd 


Diff: https://reviews.apache.org/r/74849/diff/1/


Testing
---

1. Dataset creation with an existing name
Tried to create a dataset with an existing name, an error was shown that a 
dataset with the same name exists and the page was not redirected to "Data not 
found".
The user can go back in the same form and edit the dataset name, and submit the 
form again, rest of the details are saved.

2. Edit the dataset and try to set the name to an existing name
The form is submitted, but an error is shown that a dataset with an existing 
name is present, and the user can edit the dataset name.
The page is not redirected to "Data not found".

3. Datashare edit form with an existing datashare name
The form is submitted, but an error is shown that a dataset with an existing 
name is present, and the user can edit the datashare name.
The page is not redirected to "Data not found".

4. Datashare create form with an existing datatshare name
No changes to this form as the issue was already handled.
The page does not redirect to "Data not found".

5. Shared resource creation with an existing resource name
Earlier, if a user tried creating a shared resource with an existing name,
the error message displayed was "Validation failure", and it was not 
descriptive.
The issue has been fixed to display the proper error message.


Thanks,

Abhishek Patil

[jira] [Resolved] (RANGER-3081) Handle object locking process during policy creation in HA cluster

2024-01-22 Thread Dineshkumar Yadav (Jira) 


 [ 
https://issues.apache.org/jira/browse/RANGER-3081?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dineshkumar Yadav resolved RANGER-3081.
---
Resolution: Cannot Reproduce

> Handle object locking process during policy creation in HA cluster
> --
>
> Key: RANGER-3081
> URL: https://issues.apache.org/jira/browse/RANGER-3081
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Dineshkumar Yadav
>Assignee: Dineshkumar Yadav
>Priority: Major
>
> Observed intermittent issue during policy creation in HA environment.
> DB object get locked while creating resources associated with policy. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (RANGER-4669) Nested user in role is not conisdered when getting datasets shared with user

2024-01-22 Thread Subhrat Chaudhary (Jira) 
Subhrat Chaudhary created RANGER-4669:
-

 Summary: Nested user in role is not conisdered when getting 
datasets shared with user
 Key: RANGER-4669
 URL: https://issues.apache.org/jira/browse/RANGER-4669
 Project: Ranger
  Issue Type: Bug
  Components: admin
Reporter: Subhrat Chaudhary
Assignee: Subhrat Chaudhary


When dataset is shared with a user nested in a role i.e. user < group < role, 
and the user calls get dataset API with sharedWithMe=true, the dataset is not 
returned in response. Please find the steps to reproduce:
 * Add a user user1 with ranger role - USER.
 * Add a group grp1, map grp1 with user user1.
 * Create a role - role1, add the group grp1 to the role role1.
 * Create a dataset - ds1 with any other user as admin i.e. user2.
 * Create a dataset policy for the dataset - ds1, with all access to the role - 
role1.
 * Call the get dataset API with query-param sharedWithMe=true - 
/gds/dataset?sharedWithMe=true.

Expected: the dataset ds1 will be returned in the response.

Actual: the dataset ds1 is not returned in the response



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Re: Review Request 74841: RANGER-4662 : GdsVersion should update after deleting user, group

2024-01-22 Thread Prashant Satam 


> On Jan. 19, 2024, 6:10 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
> > Lines 2173 (patched)
> > 
> >
> > updateDatasetPolicy()/updateProjectPolicy() can fail if the caller is 
> > not have admin or dataset/project admin privilege.
> > 
> > Consider handling this inside ServiceDBStore.updatePolicy(), to call 
> > updateGdsVersionForDataset()/ updateGdsVersionForProject() for GDS service 
> > policies.

For deletion of user/group it is only allowed if incomming user is ranger ADMIN 
if not the flow is blocked , and for update of Gds Policy we would need to call 
prepareDatasetPolicy() in GdsDBStore so we cannot directly go by 
ServiceDBStore.updatePolicy() method also the GdsDBStore.updateDatasetPolicy() 
internally calls  ServiceDBStore.updatePolicy() method


- Prashant


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74841/#review226156
---


On Jan. 18, 2024, 6:51 a.m., Prashant Satam wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74841/
> ---
> 
> (Updated Jan. 18, 2024, 6:51 a.m.)
> 
> 
> Review request for ranger, Akshay Tupe, Anand Nadar, Ankita Sinha, Madhan 
> Neethiraj, Monika Kachhadiya, Siddhesh Phatak, Subhrat Chaudhary, and Vanita 
> Ubale.
> 
> 
> Bugs: RANGER-4662
> https://issues.apache.org/jira/browse/RANGER-4662
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Currently when we delete user,group which is referenced in gds policy then 
> GdsVersion (can check by GET API /service/gds/download/{serviceName})is not 
> updated after the action it needs to be updated.
> 
> Steps :
> 
> 1)create a user and resource service 
> 
> 2)create a dataset , and dataShare (with the resource service),and a 
> sharedResource (with dataShare),also create mapping of dataset with dataShare 
> as ACTIVE
> 
> 3)create a GDS policy for the dataset
> 
> 4)Update dataset policy and add created user to it for this actions the 
> GdsVersion is updated we can check by (GET API 
> /service/gds/download/{serviceName})
> 
> 5)but when we delete the created user which is in Gds dataset policy then the 
> GdsVersion is not updated we need to update it
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 287400259 
>   security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java 
> ce48c8279 
> 
> 
> Diff: https://reviews.apache.org/r/74841/diff/1/
> 
> 
> Testing
> ---
> 
> Steps to check :
> 1)create a user and resource service 
> 
> 2)create a dataset , and dataShare (with the resource service),and a 
> sharedResource (with dataShare),also create mapping of dataset with dataShare 
> as ACTIVE
> 
> 3)create a GDS policy for the dataset
> 
> 4)Update dataset policy and add created user to it 
> 
> 5)when we delete the created user then the GdsVersion is updated
> 
> 
> Thanks,
> 
> Prashant Satam
> 
>

Re: Review Request 74763: RANGER-4607: Ranger REST API improvements

2024-01-22 Thread Pradeep Agrawal 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74763/
---

(Updated Jan. 22, 2024, 9:59 a.m.)


Review request for ranger, Abhishek  Kumar, bhavik patel, Dhaval Shah, 
Dineshkumar Yadav, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, 
Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.


Changes
---

updated review request


Bugs: RANGER-4607
https://issues.apache.org/jira/browse/RANGER-4607


Repository: ranger


Description
---

**Problem Statement:** Ranger REST API responses are not proper. Most of the 
legacy REST API's response format are not correct and gives false information.

**Proposed Solution:** This review request shall address multiple issues 
related to old APIs.
The list of issues which shall be addressed with review request are :

RANGER-4545: DELETE /assets/resources/{resource_id} API should return proper 
status code for non admin users
RANGER-4546: /assets/ugsyncAudits/{sync_source} API is accessible by user 
without permission on audit module
RANGER-4548: Return proper error message in the response for /tags/tags, 
/tags/resources and /tags/types API for non admin users
RANGER-4547: The reponse metrics (pagination values) for the 
/assets/ugsyncAudits/{sync_source} API is not proper
RANGER-4549: Non admin users cannot access /public/v2/api/roles/names and 
/public/v2/api/roles/name/{name} API, but can access /public/v2/api/roles API
RANGER-4551: No response returned for /assets/policyList/{service_name} API
RANGER-4550: API request to /assets/resource/{id} returns no response
RANGER-4552: Response metrics for /assets/report is not proper, and pagination 
does not work
RANGER-4553: Response metrics for /xaudit/trx_log not proper
RANGER-4554: Response metrics for /assets/resources not proper
RANGER-4555: Response metrics for /assets/assets API not proper
RANGER-4573: /xaudit/trx_log API not accessible by keyadmin user
RANGER-4578: /xuser/groupgroups and /xuser/groupusers APIs allow creation of 
entities even without groupId / userId fields in the request
RANGER-4574: /public/v2/api/service/{service_name}/policy/{policy_name} API 
returns policies for users without access to the policy
RANGER-4575: /plugins/policy/{policy_id}/version/{version_number} API returns 
policies for users without access to the policy
RANGER-4576: User without access to policy is able to fetch policy details 
using /plugins/policies/{service_type}/for-resource API endpoint
RANGER-4577: UI and API behaviour for fetching users not consistent for 
keyadmin users
RANGER-4589: keyadmin user can update the user password via UI but cannot 
update the user password using /users/{user_id}/passwordchange API
RANGER-4588: /xaudit/trx_log/{trx_log_id} is not accessible by keyadmin user
RANGER-4591: keyadmin user can access non kms related admin audits using 
/assets/report/{transaction_id} API
RANGER-4594: keyadmin user can mark ROLE_USER users as disabled by setting 
status to 0 using /users API
RANGER-4595: keyadmin user able to view the user permission objects via /users 
API
RANGER-4596: keyadmin can fetch the details of admin and auditor users through 
/users API endpoint
RANGER-4598: ROLE_USER cannot acccess /xusers/groups API but can access 
/xusers/groups/groupName/{group_name} API
RANGER-4586: XUserREST and UserREST API improvement for keyadmin users

Note: For individual issue fix please refer patch file attached in the 
respective jira tickets.


Diffs (updated)
-

  security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java 6f1bcc40e 
  security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java d5393603e 
  security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java 75371f4b2 
  security-admin/src/main/java/org/apache/ranger/biz/XAuditMgrBase.java 
c90296cf6 
  security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 287400259 
  security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java be077e789 
  security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java 4bfaa862c 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
1147d9b1a 
  security-admin/src/main/java/org/apache/ranger/rest/TagREST.java 6d0019f70 
  security-admin/src/main/java/org/apache/ranger/rest/UserREST.java c6557b11c 
  security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 0a3c524b5 
  security-admin/src/main/java/org/apache/ranger/service/XGroupService.java 
1f033b33d 
  security-admin/src/main/java/org/apache/ranger/service/XTrxLogService.java 
676552e6e 
  
security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java
 7fa96fbd0 
  security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java b6c43133b 
  security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java 
ce48c8279

[jira] [Commented] (RANGER-4667) Replace Nashron script engine with GraalVM

2024-01-22 Thread Bhavik Patel (Jira) 


[ 
https://issues.apache.org/jira/browse/RANGER-4667?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17809333#comment-17809333
 ] 

Bhavik Patel commented on RANGER-4667:
--

Yes, [~madhan] I reviewed 
[RANGER-3970|https://issues.apache.org/jira/browse/RANGER-3970] and 
[RANGER-4401|https://issues.apache.org/jira/browse/RANGER-4401]. 

> Replace Nashron script engine with GraalVM
> --
>
> Key: RANGER-4667
> URL: https://issues.apache.org/jira/browse/RANGER-4667
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins, Ranger
>Reporter: Bhavik Patel
>Priority: Major
>
> Replace Nashron scrip engine with default GraalVM engine this will help in 
> support for JDK-17
> cc: [~madhan] / [~rdonbosco] / [~sneethir] / [~kishor.gollapalliwar] / 
> [~bosco] 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)