Re: Review Request 74834: RANGER-4650: Hive plugin should make column-type available in masking expression

2024-04-25 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74834/#review226402
---


Ship it!




Ship It!

- Ramesh Mani


On Feb. 10, 2024, 5:17 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74834/
> ---
> 
> (Updated Feb. 10, 2024, 5:17 a.m.)
> 
> 
> Review request for ranger, Anand Nadar, Asit Vadhavkar, Abhay Kulkarni, Mehul 
> Parikh, Monika Kachhadiya, Mugdha Varadkar, Pradeep Agrawal, Ramesh Mani, 
> Siddhesh Phatak, Subhrat Chaudhary, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4650
> https://issues.apache.org/jira/browse/RANGER-4650
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - in addition to {col} macro, Ranger Hive plugin now supports {colType} macro 
> as well, which will evaluate to the datatype of the column being masked
> 
> 
> Diffs
> -
> 
>   
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
>  44c66dfd9 
> 
> 
> Diff: https://reviews.apache.org/r/74834/diff/1/
> 
> 
> Testing
> ---
> 
> - verified that all existing tests pass successfully
> - verified with the following custom masking expression:
>   CASE WHEN '{colType}' == 'string' THEN mask_hash({col}) WHEN '{colType}' == 
> 'int' THEN mask({col}) ELSE NULL END
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 74929: RANGER-4741: Hive plugin optimization to avoid excessive metastore API calls

2024-03-09 Thread Ramesh Mani


> On March 9, 2024, 11:23 p.m., Ramesh Mani wrote:
> > Ship It!

Fix and Ship it.


- Ramesh


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74929/#review226308
---


On March 8, 2024, 11:10 p.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74929/
> ---
> 
> (Updated March 8, 2024, 11:10 p.m.)
> 
> 
> Review request for ranger, Asit Vadhavkar, Kishor Gollapalliwar, Abhay 
> Kulkarni, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and 
> Subhrat Chaudhary.
> 
> 
> Bugs: RANGER-4741
> https://issues.apache.org/jira/browse/RANGER-4741
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> updated Ranger Hive authorizer to get owner of a table only once per query
> 
> 
> Diffs
> -
> 
>   
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
>  9b25e2b8a 
> 
> 
> Diff: https://reviews.apache.org/r/74929/diff/2/
> 
> 
> Testing
> ---
> 
> - verified that the optimization results in significantly reduced time to 
> authorize access to tables with large number of columns. For a table with 
> 4000 columns, the time taken reduced from 100 seconds to 1.5 seconds
> - verified that all existing tests pass successfully
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 74929: RANGER-4741: Hive plugin optimization to avoid excessive metastore API calls

2024-03-09 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74929/#review226308
---


Ship it!




Ship It!

- Ramesh Mani


On March 8, 2024, 11:10 p.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74929/
> ---
> 
> (Updated March 8, 2024, 11:10 p.m.)
> 
> 
> Review request for ranger, Asit Vadhavkar, Kishor Gollapalliwar, Abhay 
> Kulkarni, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and 
> Subhrat Chaudhary.
> 
> 
> Bugs: RANGER-4741
> https://issues.apache.org/jira/browse/RANGER-4741
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> updated Ranger Hive authorizer to get owner of a table only once per query
> 
> 
> Diffs
> -
> 
>   
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
>  9b25e2b8a 
> 
> 
> Diff: https://reviews.apache.org/r/74929/diff/2/
> 
> 
> Testing
> ---
> 
> - verified that the optimization results in significantly reduced time to 
> authorize access to tables with large number of columns. For a table with 
> 4000 columns, the time taken reduced from 100 seconds to 1.5 seconds
> - verified that all existing tests pass successfully
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 74929: RANGER-4741: Hive plugin optimization to avoid excessive metastore API calls

2024-03-09 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74929/#review226307
---




hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
Lines 3159 (patched)
<https://reviews.apache.org/r/74929/#comment314536>

LOG.info() => Log.debug()


- Ramesh Mani


On March 8, 2024, 11:10 p.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74929/
> ---
> 
> (Updated March 8, 2024, 11:10 p.m.)
> 
> 
> Review request for ranger, Asit Vadhavkar, Kishor Gollapalliwar, Abhay 
> Kulkarni, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and 
> Subhrat Chaudhary.
> 
> 
> Bugs: RANGER-4741
> https://issues.apache.org/jira/browse/RANGER-4741
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> updated Ranger Hive authorizer to get owner of a table only once per query
> 
> 
> Diffs
> -
> 
>   
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
>  9b25e2b8a 
> 
> 
> Diff: https://reviews.apache.org/r/74929/diff/2/
> 
> 
> Testing
> ---
> 
> - verified that the optimization results in significantly reduced time to 
> authorize access to tables with large number of columns. For a table with 
> 4000 columns, the time taken reduced from 100 seconds to 1.5 seconds
> - verified that all existing tests pass successfully
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



[jira] [Assigned] (RANGER-4638) Multiple Columns Revoke not generating policies with correct number of columns

2024-01-29 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4638?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani reassigned RANGER-4638:
---

Assignee: Ramesh Mani

> Multiple Columns Revoke not generating policies with correct number of columns
> --
>
> Key: RANGER-4638
> URL: https://issues.apache.org/jira/browse/RANGER-4638
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 3.0.0
> Reporter: Ramesh Mani
> Assignee: Ramesh Mani
> Priority: Major
>
> Multiple Columns Revoke not generating policies with correct number of 
> columns. E.g.
> When  " revoke select(col1, col2,col3) on table demo.test from role Role3;" 
> is done, the generated policies are not revoking the columns. Currently the revoke 
> statement is only revoking if there is only one column.
> Testing to be done:
> Impala / Hive beeline.
> 1) "grant select(col1, col2, col3)  on table demo.test  to role Role1" 
>      "revoke select(col1, col2, col3) on table demo.test from role Role1"
> 2) "grant select(col1, col2, col3, col4)  on table demo.test  to role Role1" 
>       "revoke select(col1, col2, col3) on table demo.test from role Role1"
> HBASE shell
> grant 'nifi', 'RWXCA', 'test'
> revoke 'nifi', 'test'
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


Re: Review Request 74825: RANGER-4638:Multiple Columns Revoke not generating policies with correct number of columns

2024-01-29 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74825/
---

(Updated Jan. 29, 2024, 8:04 a.m.)


Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, 
Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Updated the patch to have the current flow of grant and revoke and added 
multiple columns grant and revoke flow as separate path. This will avoid 
regression on existing functionality and will help in addressing the unsupported 
features in current patch.


Bugs: RANGER-4638
https://issues.apache.org/jira/browse/RANGER-4638


Repository: ranger


Description
---

RANGER-4638:Multiple Columns Revoke not generating policies with correct number 
of columns


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 7fe2a2eb3 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
 0a14b387a 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
 f16157ce6 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
 e1cd89b70 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
 5eee8d11a 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
 ec22e01bf 
  
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceisSubSetMatcher.java
 PRE-CREATION 
  
agents-common/src/test/resources/resourcematcher/test_defaultpolicyresource_isSubset_matcher.json
 PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 
15a1e7118 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
84ee31ba2 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
cc9df27d6 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java 
60e34c0c7 
  security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 
a630e575b 


Diff: https://reviews.apache.org/r/74825/diff/6/

Changes: https://reviews.apache.org/r/74825/diff/5-6/


Testing
---

Impala / Hive beeline.

1) "grant select(col1, col2, col3)  on table demo.test  to role Role1"  => 
Create a Grant Policy for the given resource in Hadoop Sql
   

2) "grant select(col1, col2, col3, col4)  on table demo.test  to role Role1"  
=> updates the policy created in #1 with new col4 resource

 if  "revoke select(col1, col2, col3, col4) on table demo.test from role 
Role1" is done => Since all the columns are revoked for Select, we update the 
policy created in #1 with no policy Item for it.
 if  "revoke select(col1, col2, col3) on table demo.test from role Role1" 
is done => policy created in #1 will be updated to remove col1,col2,col3 from 
the policy to revoke the access.
 
3) If "revoke select(col1, col2, col3, col4) on table demo.test from role 
Role1" found 2 matching policies, say 1st policy matched col1,col2,col3 and 
2nd policy matched col4, then both the policies will be updated for revoking 
the corresponding column access.

4) When multiple permissions are there on the policy and revoke is to remove one 
permission, then the policy will be updated by removing the revoked permission.
 Grant select on table demo.test  to role Role1
 Grant Alter on table demo.test  to role Role1
 Revoke alter table demo.test  to role Role1

 

HBASE shell

grant 'nifi', 'RWXCA', 'test'  => create policy with 'RWXCA' access for user 
nifi on table 'test'.


revoke 'nifi', 'test' => revoke access for user "nifi" on hbase table 'test'. 
Here policy will be removed.


Thanks,

Ramesh Mani



Re: Review Request 74825: RANGER-4638:Multiple Columns Revoke not generating policies with correct number of columns

2024-01-23 Thread Ramesh Mani


> On Jan. 19, 2024, 11:12 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
> > Lines 1281 (patched)
> > <https://reviews.apache.org/r/74825/diff/4/?file=2284895#file2284895line1281>
> >
> > For grant, shouldn't the update be done only on 'exact-match' policy? 
> > Else, the update might end up granting the user access to more resources. 
> > Please review and update.
> > 
> > I think current grant implementation wouldn't need any update.

Madhan, Thanks for the review. With the multiple column grant in SELECT, there 
is a possibility that the user runs the grant with additional columns, in that case the 
patch does update the existing policy for that user/group/role and accesstype 
if matches. 
e.g.
1) "grant select(col1, col2, col3)  on table demo.test  to role Role1"  => 
Create a Grant Policy for the given resource in Hadoop Sql

2) "grant select(col1, col2, col3, col4)  on table demo.test  to role Role1"  
=> updates the policy created in #1 with new col4 resource

Additional test cases which are covered are here. Please review this. 
https://docs.google.com/document/d/19WLt10QmxFQjBbIFRqYCpd9lY46FoEaDSPRAXUn7vow/edit#heading=h.jhpqwr2prvv8


- Ramesh


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74825/#review226159
-------


On Jan. 24, 2024, 4:07 a.m., Ramesh Mani wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74825/
> ---
> 
> (Updated Jan. 24, 2024, 4:07 a.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, 
> Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-4638
> https://issues.apache.org/jira/browse/RANGER-4638
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> RANGER-4638:Multiple Columns Revoke not generating policies with correct 
> number of columns
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  7fe2a2eb3 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
>  0a14b387a 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
>  f16157ce6 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
>  e1cd89b70 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
>  5eee8d11a 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
>  ec22e01bf 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceisSubSetMatcher.java
>  PRE-CREATION 
>   
> agents-common/src/test/resources/resourcematcher/test_defaultpolicyresource_isSubset_matcher.json
>  PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 
> 15a1e7118 
>   
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
> 84ee31ba2 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
> cc9df27d6 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java 
> 60e34c0c7 
>   security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 
> a630e575b 
> 
> 
> Diff: https://reviews.apache.org/r/74825/diff/5/
> 
> 
> Testing
> ---
> 
> Impala / Hive beeline.
> 
> 1) "grant select(col1, col2, col3)  on table demo.test  to role Role1"  => 
> Create a Grant Policy for the given resource in Hadoop Sql
>
> 
> 2) "grant select(col1, col2, col3, col4)  on table demo.test  to role Role1"  
> => updates the policy created in #1 with new col4 resource
> 
>  if  "revoke select(col1, col2, col3, col4) on table demo.test from role 
> Role1" is done => Since all the columns are revoked for Select, we update the 
> policy created in #1 with no policy Item for it.
>  if  "revoke select(col1, col2, col3) on table demo.test from role Role1" 
> is done => policy created in #1 will be updated to remove col1,col2,col3 from 
> the policy to revoke the access.
>  
> 3) If "revoke select(col1, col2, col3, col4) on table demo.t

Re: Review Request 74825: RANGER-4638:Multiple Columns Revoke not generating policies with correct number of columns

2024-01-23 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74825/
---

(Updated Jan. 24, 2024, 4:07 a.m.)


Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, 
Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Fixed review comments


Bugs: RANGER-4638
https://issues.apache.org/jira/browse/RANGER-4638


Repository: ranger


Description
---

RANGER-4638:Multiple Columns Revoke not generating policies with correct number 
of columns


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 7fe2a2eb3 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
 0a14b387a 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
 f16157ce6 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
 e1cd89b70 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
 5eee8d11a 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
 ec22e01bf 
  
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceisSubSetMatcher.java
 PRE-CREATION 
  
agents-common/src/test/resources/resourcematcher/test_defaultpolicyresource_isSubset_matcher.json
 PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 
15a1e7118 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
84ee31ba2 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
cc9df27d6 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java 
60e34c0c7 
  security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 
a630e575b 


Diff: https://reviews.apache.org/r/74825/diff/5/

Changes: https://reviews.apache.org/r/74825/diff/4-5/


Testing
---

Impala / Hive beeline.

1) "grant select(col1, col2, col3)  on table demo.test  to role Role1"  => 
Create a Grant Policy for the given resource in Hadoop Sql
   

2) "grant select(col1, col2, col3, col4)  on table demo.test  to role Role1"  
=> updates the policy created in #1 with new col4 resource

 if  "revoke select(col1, col2, col3, col4) on table demo.test from role 
Role1" is done => Since all the columns are revoked for Select, we update the 
policy created in #1 with no policy Item for it.
 if  "revoke select(col1, col2, col3) on table demo.test from role Role1" 
is done => policy created in #1 will be updated to remove col1,col2,col3 from 
the policy to revoke the access.
 
3) If "revoke select(col1, col2, col3, col4) on table demo.test from role 
Role1" found 2 matching policies, say 1st policy matched col1,col2,col3 and 
2nd policy matched col4, then both the policies will be updated for revoking 
the corresponding column access.

4) When multiple permissions are there on the policy and revoke is to remove one 
permission, then the policy will be updated by removing the revoked permission.
 Grant select on table demo.test  to role Role1
 Grant Alter on table demo.test  to role Role1
 Revoke alter table demo.test  to role Role1

 

HBASE shell

grant 'nifi', 'RWXCA', 'test'  => create policy with 'RWXCA' access for user 
nifi on table 'test'.


revoke 'nifi', 'test' => revoke access for user "nifi" on hbase table 'test'. 
Here policy will be removed.


Thanks,

Ramesh Mani
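
The grant and revoke cases from the Testing section above, together with the exact-match question raised in review of ServiceREST.java, as a simplified Python model. This is an added example, not Ranger's code and not part of the original messages; the `Policy` class, the `exact_only` switch, the helper names and `Role2` are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    """Simplified model (assumption): one table, a column set, principal -> access types."""
    table: str
    columns: set
    items: dict = field(default_factory=dict)

def effective(policies, table, principal, access):
    """Columns of `table` on which `principal` holds `access`, across all policies."""
    cols = set()
    for p in policies:
        if p.table == table and access in p.items.get(principal, set()):
            cols |= p.columns
    return cols

def snapshot(policies, table, access):
    """Effective columns of every principal, for before/after comparison."""
    principals = {who for p in policies for who in p.items}
    return {who: frozenset(effective(policies, table, who, access)) for who in principals}

def unintended_changes(before, after, principal):
    """Principals other than the request's target whose effective columns changed."""
    changed = {}
    for who in set(before) | set(after):
        diff = before.get(who, frozenset()) ^ after.get(who, frozenset())
        if who != principal and diff:
            changed[who] = sorted(diff)
    return changed

def grant(policies, table, cols, principal, access, exact_only):
    """exact_only=True updates only a policy whose columns equal `cols`; otherwise an
    overlapping policy that already holds the principal's item is widened."""
    cols = set(cols)
    for p in policies:
        if p.table != table:
            continue
        exact = p.columns == cols
        like = bool(p.columns & cols) and access in p.items.get(principal, set())
        if exact or (like and not exact_only):
            p.columns |= cols
            p.items.setdefault(principal, set()).add(access)
            return p
    p = Policy(table, cols, {principal: {access}})
    policies.append(p)
    return p

def revoke(policies, table, cols, principal, access):
    """Revoke `access` on `cols` in every matching policy; returns how many were updated."""
    cols, touched = set(cols), 0
    for p in list(policies):
        if p.table != table or access not in p.items.get(principal, set()):
            continue
        if not (p.columns & cols):
            continue
        touched += 1
        keep = p.columns - cols
        remaining_access = p.items[principal] - {access}
        sole_item = len(p.items) == 1 and not remaining_access
        if keep and sole_item:
            p.columns = keep              # nobody else is affected: shrink the resource
            continue
        # Shared policy or full revoke: drop only this principal's permission ...
        if remaining_access:
            p.items[principal] = remaining_access
        else:
            del p.items[principal]
        if keep:                          # ... and keep the non-revoked columns separately
            policies.append(Policy(table, keep, {principal: {access}}))
    return touched

T, R1 = "demo.test", "Role1"              # names taken from the thread
ABC, ABCD = ["col1", "col2", "col3"], ["col1", "col2", "col3", "col4"]

def cases_1_to_3():
    policies = []
    grant(policies, T, ABC, R1, "select", exact_only=False)     # case 1: creates a policy
    grant(policies, T, ABCD, R1, "select", exact_only=False)    # case 2: widens it with col4
    count = len(policies)
    revoke(policies, T, ABC, R1, "select")                      # partial revoke
    left = sorted(effective(policies, T, R1, "select"))
    two = [Policy(T, set(ABC), {R1: {"select"}}), Policy(T, {"col4"}, {R1: {"select"}})]
    touched = revoke(two, T, ABCD, R1, "select")                # case 3: both policies updated
    return count, left, touched, sorted(effective(two, T, R1, "select"))

def shared_policy_grant(exact_only):
    """Role2 (constructed) shares the policy; report side effects of granting to Role1."""
    shared = [Policy(T, set(ABC), {R1: {"select"}, "Role2": {"select"}})]
    before = snapshot(shared, T, "select")
    grant(shared, T, ABCD, R1, "select", exact_only=exact_only)
    return unintended_changes(before, snapshot(shared, T, "select"), R1)

if __name__ == "__main__":
    print(cases_1_to_3())
    print(shared_policy_grant(False))
    print(shared_policy_grant(True))
```

Comparing effective access before and after each grant or revoke, for every principal and not only the one named in the statement, is the check that catches a policy update reaching further than the request.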



Re: Review Request 74825: RANGER-4638:Multiple Columns Revoke not generating policies with correct number of columns

2024-01-19 Thread Ramesh Mani


> On Jan. 18, 2024, 6:12 p.m., Abhay Kulkarni wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
> > Line 435 (original), 435 (patched)
> > <https://reviews.apache.org/r/74825/diff/1-2/?file=2284698#file2284698line435>
> >
> > If rangerAccessRequest contains exactly the same resource(s) specified 
> > in the GrantRevokeRequest, the call to getLikeMatchPolicyEvaluators() will 
> > not get all potentially matching policies. Please see if the resource to be 
> > searched needs to be one-level higher in the hierarchy. (if the resource in 
> > GrantRevokeRequest is a column, then the argument to 
> > getLikelyMatchPolicyEvaluators need to be the table(s) in which the columns 
> > may appear). Please review.

Verified that it worked as expected by returning multiple policies.


- Ramesh


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74825/#review226146
---


On Jan. 19, 2024, 9:14 a.m., Ramesh Mani wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74825/
> ---
> 
> (Updated Jan. 19, 2024, 9:14 a.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, 
> Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-4638
> https://issues.apache.org/jira/browse/RANGER-4638
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> RANGER-4638:Multiple Columns Revoke not generating policies with correct 
> number of columns
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  7fe2a2eb3 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
>  0a14b387a 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
>  f16157ce6 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
>  e1cd89b70 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
>  5eee8d11a 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
>  ec22e01bf 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceisCompleteOrSomeMatchMatcher.java
>  PRE-CREATION 
>   
> agents-common/src/test/resources/resourcematcher/test_defaultpolicyresource_isCompleteOrSomeMatch_matcher.json
>  PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 
> 15a1e7118 
>   
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
> 84ee31ba2 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
> cc9df27d6 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java 
> 60e34c0c7 
>   security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 
> a630e575b 
> 
> 
> Diff: https://reviews.apache.org/r/74825/diff/4/
> 
> 
> Testing
> ---
> 
> Impala / Hive beeline.
> 
> 1) "grant select(col1, col2, col3)  on table demo.test  to role Role1"  => 
> Create a Grant Policy for the given resource in Hadoop Sql
>
> 
> 2) "grant select(col1, col2, col3, col4)  on table demo.test  to role Role1"  
> => updates the policy created in #1 with new col4 resource
> 
>  if  "revoke select(col1, col2, col3, col4) on table demo.test from role 
> Role1" is done => Since all the columns are revoked for Select, we update the 
> policy created in #1 with no policy Item for it.
>  if  "revoke select(col1, col2, col3) on table demo.test from role Role1" 
> is done => policy created in #1 will be updated to remove col1,col2,col3 from 
> the policy to revoke the access.
>  
> 3) If "revoke select(col1, col2, col3, col4) on table demo.test from role 
> Role1" found 2 matching policies, say 1st policy matched col1,col2,col3 and 
> 2nd policy matched col4, then both the policies will be updated for revoking 
> the corresponding column access.
> 
> 4) When multiple permissions are there on the policy and revoke is to remove 
> one permission, then the policy will be updated by removing the revo

Re: Review Request 74825: RANGER-4638:Multiple Columns Revoke not generating policies with correct number of columns

2024-01-19 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74825/
---

(Updated Jan. 19, 2024, 9:14 a.m.)


Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, 
Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Review comments addressed


Bugs: RANGER-4638
https://issues.apache.org/jira/browse/RANGER-4638


Repository: ranger


Description
---

RANGER-4638:Multiple Columns Revoke not generating policies with correct number 
of columns


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 7fe2a2eb3 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
 0a14b387a 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
 f16157ce6 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
 e1cd89b70 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
 5eee8d11a 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
 ec22e01bf 
  
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceisCompleteOrSomeMatchMatcher.java
 PRE-CREATION 
  
agents-common/src/test/resources/resourcematcher/test_defaultpolicyresource_isCompleteOrSomeMatch_matcher.json
 PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 
15a1e7118 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
84ee31ba2 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
cc9df27d6 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java 
60e34c0c7 
  security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 
a630e575b 


Diff: https://reviews.apache.org/r/74825/diff/4/

Changes: https://reviews.apache.org/r/74825/diff/3-4/


Testing
---

Impala / Hive beeline.

1) "grant select(col1, col2, col3)  on table demo.test  to role Role1"  => 
Create a Grant Policy for the given resource in Hadoop Sql
   

2) "grant select(col1, col2, col3, col4)  on table demo.test  to role Role1"  
=> updates the policy created in #1 with new col4 resource

 if  "revoke select(col1, col2, col3, col4) on table demo.test from role 
Role1" is done => Since all the columns are revoked for Select, we update the 
policy created in #1 with no policy Item for it.
 if  "revoke select(col1, col2, col3) on table demo.test from role Role1" 
is done => policy created in #1 will be updated to remove col1,col2,col3 from 
the policy to revoke the access.
 
3) If "revoke select(col1, col2, col3, col4) on table demo.test from role 
Role1" found 2 matching policies, say 1st policy matched col1,col2,col3 and 
2nd policy matched col4, then both the policies will be updated for revoking 
the corresponding column access.

4) When multiple permissions are there on the policy and revoke is to remove one 
permission, then the policy will be updated by removing the revoked permission.
 Grant select on table demo.test  to role Role1
 Grant Alter on table demo.test  to role Role1
 Revoke alter table demo.test  to role Role1

 

HBASE shell

grant 'nifi', 'RWXCA', 'test'  => create policy with 'RWXCA' access for user 
nifi on table 'test'.


revoke 'nifi', 'test' => revoke access for user "nifi" on hbase table 'test'. 
Here policy will be removed.


Thanks,

Ramesh Mani



Re: Review Request 74825: RANGER-4638:Multiple Columns Revoke not generating policies with correct number of columns

2024-01-19 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74825/
---

(Updated Jan. 19, 2024, 8:52 a.m.)


Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, 
Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

review comments addressed


Bugs: RANGER-4638
https://issues.apache.org/jira/browse/RANGER-4638


Repository: ranger


Description
---

RANGER-4638:Multiple Columns Revoke not generating policies with correct number 
of columns


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 7fe2a2eb3 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
 0a14b387a 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
 f16157ce6 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
 e1cd89b70 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
 5eee8d11a 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
 ec22e01bf 
  
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceisCompleteOrSomeMatchMatcher.java
 PRE-CREATION 
  
agents-common/src/test/resources/resourcematcher/test_defaultpolicyresource_isCompleteOrSomeMatch_matcher.json
 PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 
15a1e7118 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
84ee31ba2 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
cc9df27d6 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java 
60e34c0c7 
  security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 
a630e575b 


Diff: https://reviews.apache.org/r/74825/diff/3/

Changes: https://reviews.apache.org/r/74825/diff/2-3/


Testing
---

Impala / Hive beeline.

1) "grant select(col1, col2, col3)  on table demo.test  to role Role1"  => 
Create a Grant Policy for the given resource in Hadoop Sql
   

2) "grant select(col1, col2, col3, col4)  on table demo.test  to role Role1"  
=> updates the policy created in #1 with new col4 resource

 if  "revoke select(col1, col2, col3, col4) on table demo.test from role 
Role1" is done => Since all the columns are revoked for Select, we update the 
policy created in #1 with no policy Item for it.
 if  "revoke select(col1, col2, col3) on table demo.test from role Role1" 
is done => policy created in #1 will be updated to remove col1,col2,col3 from 
the policy to revoke the access.
 
3) If "revoke select(col1, col2, col3, col4) on table demo.test from role 
Role1" found 2 matching policies, say 1st policy matched col1,col2,col3 and 
2nd policy matched col4, then both the policies will be updated for revoking 
the corresponding column access.

4) When multiple permissions are there on the policy and revoke is to remove one 
permission, then the policy will be updated by removing the revoked permission.
 Grant select on table demo.test  to role Role1
 Grant Alter on table demo.test  to role Role1
 Revoke alter table demo.test  to role Role1

 

HBASE shell

grant 'nifi', 'RWXCA', 'test'  => create policy with 'RWXCA' access for user 
nifi on table 'test'.


revoke 'nifi', 'test' => revoke access for user "nifi" on hbase table 'test'. 
Here policy will be removed.


Thanks,

Ramesh Mani



Re: Review Request 74825: RANGER-4638:Multiple Columns Revoke not generating policies with correct number of columns

2024-01-18 Thread Ramesh Mani


> On Jan. 10, 2024, 7:46 p.m., Abhay Kulkarni wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
> > Lines 394 (patched)
> > <https://reviews.apache.org/r/74825/diff/1/?file=2284689#file2284689line394>
> >
> > If there are many resource-evaluators, this will return false. Is that 
> > expected? Please review.

yes this is expected, same is done for exact match also.


> On Jan. 10, 2024, 7:46 p.m., Abhay Kulkarni wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
> > Lines 403 (patched)
> > <https://reviews.apache.org/r/74825/diff/1/?file=2284691#file2284691line403>
> >
> > Is the null check for the resourceValue needed here? In both cases, it 
> > is executing the same logic (lines 404 and 406). Please review.
> > 
> > Please consider if line 406 needs to be 
> > 
> > ret = matcher == null && matcher.isSomeMatch( resourceValue, 
> > evalContext);

This condition works as required, so no change needed. Suggestion will result in 
NPE.


> On Jan. 10, 2024, 7:46 p.m., Abhay Kulkarni wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
> > Lines 276 (patched)
> > <https://reviews.apache.org/r/74825/diff/1/?file=2284693#file2284693line279>
> >
> > Please review if this condition is correct. The first part of the 
> > condition may not be needed.
> > 
> > Can this condition be replaced with
> > 
> > ret = policyValues.containsAny(resValues);
> > 
> > ?

policyValues is a List, so will use isPolicyResourceContains(policyValues, 
resValues) method


- Ramesh


-------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74825/#review226124
---


On Jan. 17, 2024, 8:32 a.m., Ramesh Mani wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74825/
> ---
> 
> (Updated Jan. 17, 2024, 8:32 a.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, 
> Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-4638
> https://issues.apache.org/jira/browse/RANGER-4638
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> RANGER-4638:Multiple Columns Revoke not generating policies with correct 
> number of columns
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  7fe2a2eb3 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
>  0a14b387a 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
>  f16157ce6 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
>  e1cd89b70 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
>  5eee8d11a 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
>  ec22e01bf 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceisCompleteOrSomeMatchMatcher.java
>  PRE-CREATION 
>   
> agents-common/src/test/resources/resourcematcher/test_defaultpolicyresource_isCompleteOrSomeMatch_matcher.json
>  PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 
> 15a1e7118 
>   
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
> 84ee31ba2 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
> cc9df27d6 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java 
> 60e34c0c7 
>   security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 
> a630e575b 
> 
> 
> Diff: https://reviews.apache.org/r/74825/diff/2/
> 
> 
> Testing
> ---
> 
> Impala / Hive beeline.
> 
> 1) "grant select(col1, col2, col3)  on table demo.test  to role Role1"  => 
> Create a Grant Policy for the given resource in Hadoop Sql
>
> 
> 2) "grant select(col1, col2, col3, col4)  on 

Re: Review Request 74825: RANGER-4638:Multiple Columns Revoke not generating policies with correct number of columns

2024-01-17 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74825/
---

(Updated Jan. 17, 2024, 8:32 a.m.)


Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, 
Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Fixed review comments


Bugs: RANGER-4638
https://issues.apache.org/jira/browse/RANGER-4638


Repository: ranger


Description
---

RANGER-4638:Multiple Columns Revoke not generating policies with correct number 
of columns


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 7fe2a2eb3 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
 0a14b387a 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
 f16157ce6 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
 e1cd89b70 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
 5eee8d11a 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
 ec22e01bf 
  
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceisCompleteOrSomeMatchMatcher.java
 PRE-CREATION 
  
agents-common/src/test/resources/resourcematcher/test_defaultpolicyresource_isCompleteOrSomeMatch_matcher.json
 PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 
15a1e7118 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
84ee31ba2 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
cc9df27d6 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java 
60e34c0c7 
  security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 
a630e575b 


Diff: https://reviews.apache.org/r/74825/diff/2/

Changes: https://reviews.apache.org/r/74825/diff/1-2/


Testing (updated)
---

Impala / Hive beeline.

1) "grant select(col1, col2, col3)  on table demo.test  to role Role1"  => 
Create a Grant Policy for the given resource in Hadoop Sql
   

2) "grant select(col1, col2, col3, col4)  on table demo.test  to role Role1"  
=> updates the policy created in #1 with new col4 resource

 if  "revoke select(col1, col2, col3, col4) on table demo.test from role 
Role1" is done => Since all the columns are revoked for Select, we update the 
policy created in #1 with no policy Item for it.
 if  "revoke select(col1, col2, col3) on table demo.test from role Role1" 
is done => policy created in #1 will be updated to remove col1,col2,col3 from 
the policy to revoke the access.
 
3) If "revoke select(col1, col2, col3, col4) on table demo.test from role 
Role1" found 2 Matching policies,  say 1st policy matched col1,col2,col3 and  
2nd Policy matched col4, then both the policies will be updated for revoking 
the corresponding column access.

4) When Multiple Permissions are there on the policy and revoke is to remove one 
permission, then the policy will be updated by removing the revoked permission.
 Grant select on table demo.test  to role Role1
 Grant Alter on table demo.test  to role Role1
 Revoke alter table demo.test  to role Role1

 

HBASE shell

grant 'nifi', 'RWXCA', 'test'  => create policy with 'RWXCA' access for user 
nifi on table 'test'.


revoke 'nifi', 'test' => revoke access for user "nifi" on hbase table 'test'. 
Here policy will be removed.


Thanks,

Ramesh Mani



Review Request 74825: RANGER-4638:Multiple Columns Revoke not generating policies with correct number of columns

2024-01-08 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74825/
---

Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, 
Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Bugs: RANGER-4638
https://issues.apache.org/jira/browse/RANGER-4638


Repository: ranger


Description
---

RANGER-4638:Multiple Columns Revoke not generating policies with correct number 
of columns


Diffs
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 7fe2a2eb3 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
 0a14b387a 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
 f16157ce6 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerPolicyResourceMatcher.java
 e1cd89b70 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
 5eee8d11a 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
 ec22e01bf 
  
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestDefaultPolicyResourceisCompleteOrSomeMatchMatcher.java
 PRE-CREATION 
  
agents-common/src/test/resources/resourcematcher/test_defaultpolicyresource_isCompleteOrSomeMatch_matcher.json
 PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 
15a1e7118 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
84ee31ba2 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
cc9df27d6 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java 
60e34c0c7 
  security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 
a630e575b 


Diff: https://reviews.apache.org/r/74825/diff/1/


Testing
---

Impala / Hive beeline.

1) "grant select(col1, col2, col3)  on table demo.test  to role Role1"  => 
Create a Grant Policy for the given resource in Hadoop Sql
   

2) "grant select(col1, col2, col3, col4)  on table demo.test  to role Role1"  
=> updates the policy created in #1 with new col4 resource

 if  "revoke select(col1, col2, col3, col4) on table demo.test from role 
Role1" is done => Since all the columns are revoked for Select, we delete the 
policy created in #1
 if  "revoke select(col1, col2, col3) on table demo.test from role Role1" 
is done => policy created in #1 will be updated to remove col1,col2,col3 from 
the policy to revoke the access.

HBASE shell

grant 'nifi', 'RWXCA', 'test'  => create policy with 'RWXCA' access for user 
nifi on table 'test'.


revoke 'nifi', 'test' => revoke access for user "nifi" on hbase table 'test'. 
Here policy will be removed.


Thanks,

Ramesh Mani



[jira] [Created] (RANGER-4638) Multiple Columns Revoke not generating policies with correct number of columns

2024-01-08 Thread Ramesh Mani (Jira)
Ramesh Mani created RANGER-4638:
---

 Summary: Multiple Columns Revoke not generating policies with 
correct number of columns
 Key: RANGER-4638
 URL: https://issues.apache.org/jira/browse/RANGER-4638
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Affects Versions: 3.0.0
Reporter: Ramesh Mani


Multiple Columns Revoke not generating policies with correct number of columns. 
E.g.

When  " revoke select(col1, col2,col3) on table demo.test from role Role3;" is 
done, the generated policies are not revoking the columns. Currently the revoke  
statement is only revoking if there is only one column.

Testing to be done:

Impala / Hive beeline.

1) "grant select(col1, col2, col3)  on table demo.test  to role Role1" 

     "revoke select(col1, col2, col3) on table demo.test from role Role1"

2) "grant select(col1, col2, col3, col4)  on table demo.test  to role Role1" 

      "revoke select(col1, col2, col3) on table demo.test from role Role1"

HBASE shell

grant 'nifi', 'RWXCA', 'test'

revoke 'nifi', 'test'

 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


Re: [DISCUSS] merge RANGER-3923 branch into master branch

2024-01-03 Thread Ramesh Mani
+1 for merging the RANGER-3923 branch into master. Thanks Madhan for
the effort. This is a significant enhancement enabling datasets'
authorization and auditing.

Regards,
Ramesh


On Tue, Jan 2, 2024 at 3:01 PM Madhan Neethiraj  wrote:

> (apologies for the resend; earlier mail had HTML formatting which got
> lost, now sending in plain text format)
>
> Rangers,
>
> For more than a year now, Apache Ranger community has been adding
> significant enhancements in RANGER-3923 branch. These enhancements enable
> business managers to manage access to datasets, instead of having data
> owners to manage access to individual resources like tables, columns,
> files, directories.
>
> In addition, this approach offers several benefits including:
>   - reduced time for users in getting access to data across multiple
> services, with a single policy update.
>   - business managers like project managers to manage access to datasets
> instead of multiple data owners, which reduces the time taken to get access
> to data.
>   - separation of responsibilities: data owners focus on building
> datasets, while business managers focus on managing access to datasets.
>   - eliminate the need to update access policies for any changes in
> datasets like add/remove/change resources.
>
> Apache Ranger community has built APIs and UI to manage datasets and
> access to datasets. Apache Ranger policy engine has been updated as well to
> support datasets. I propose merging these enhancements into master branch
> this week, and work towards releasing Apache Ranger 3.0 version, by next
> month. Please share your feedback.
>
> Looking forward to Apache Ranger 3.0 release!
>
> Thanks,
> Madhan
>
>
>


[jira] [Updated] (RANGER-4619) Fix NPE in the SHOW GRANT API of RangerHiveAuthorizer

2023-12-19 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4619?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-4619:

Summary: Fix NPE in the SHOW GRANT API of RangerHiveAuthorizer  (was: Fix 
NPE in the SHOW GRANT API of RangerHiveAuthorizer.)

> Fix NPE in the SHOW GRANT API of RangerHiveAuthorizer
> -
>
> Key: RANGER-4619
> URL: https://issues.apache.org/jira/browse/RANGER-4619
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 3.0.0
>    Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Minor
>
>  When hive plugin  is not initialized, SHOW GRANT [principal_specification] 
> ON (ALL | [TABLE] table_or_view_name) command will result in NPE.





[jira] [Assigned] (RANGER-4619) Fix NPE in the SHOW GRANT API of RangerHiveAuthorizer.

2023-12-19 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4619?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani reassigned RANGER-4619:
---

Assignee: Ramesh Mani

> Fix NPE in the SHOW GRANT API of RangerHiveAuthorizer.
> --
>
> Key: RANGER-4619
> URL: https://issues.apache.org/jira/browse/RANGER-4619
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 3.0.0
>    Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Minor
>
>  When hive plugin  is not initialized, SHOW GRANT [principal_specification] 
> ON (ALL | [TABLE] table_or_view_name) command will result in NPE.





[jira] [Created] (RANGER-4619) Fix NPE in the SHOW GRANT API of RangerHiveAuthorizer.

2023-12-19 Thread Ramesh Mani (Jira)
Ramesh Mani created RANGER-4619:
---

 Summary: Fix NPE in the SHOW GRANT API of RangerHiveAuthorizer.
 Key: RANGER-4619
 URL: https://issues.apache.org/jira/browse/RANGER-4619
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Affects Versions: 3.0.0
Reporter: Ramesh Mani


 When hive plugin  is not initialized, SHOW GRANT [principal_specification] ON 
(ALL | [TABLE] table_or_view_name) command will result in NPE.





Re: Review Request 74778: RANGER-4587: blog: dynamic expressions

2023-12-10 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74778/#review226033
---


Ship it!




Ship It!

- Ramesh Mani


On Dec. 11, 2023, 2:16 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74778/
> ---
> 
> (Updated Dec. 11, 2023, 2:16 a.m.)
> 
> 
> Review request for ranger, Anand Nadar, Ankita Sinha, Abhay Kulkarni, Monika 
> Kachhadiya, Ramesh Mani, Sailaja Polavarapu, Subhrat Chaudhary, and 
> Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4587
> https://issues.apache.org/jira/browse/RANGER-4587
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> added blog with details of using dynamic expressions in Apache Ranger policies
> 
> 
> Diffs
> -
> 
>   docs/src/site/resources/blogs/dynamic_expressions.html PRE-CREATION 
>   docs/src/site/xdoc/blogs.xml 2f81ef7c4 
> 
> 
> Diff: https://reviews.apache.org/r/74778/diff/1/
> 
> 
> Testing
> ---
> 
> - built and ran updated docs with mvn site:run
> - verified that the new blog is seen in the blog list
> - verified that the new blog renders correctly in browser
> 
> 
> File Attachments
> 
> 
> Apache Ranger - dynamic expressions.pdf
>   
> https://reviews.apache.org/media/uploaded/files/2023/12/11/a8d4e7f9-5ec7-4527-9d3c-245c15f49573__Apache_Ranger_-_dynamic_expressions.pdf
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



[jira] [Comment Edited] (RANGER-4585) Support multiple columns policy creation in ranger for Grant / Revoke request

2023-12-07 Thread Ramesh Mani (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-4585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17794448#comment-17794448
 ] 

Ramesh Mani edited comment on RANGER-4585 at 12/7/23 10:03 PM:
---

Review link : [https://reviews.apache.org/r/74777/]


was (Author: rmani):
Review link

> Support multiple columns policy creation in ranger for Grant / Revoke request
> -
>
> Key: RANGER-4585
> URL: https://issues.apache.org/jira/browse/RANGER-4585
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 3.0.0
>    Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Major
> Attachments: 
> 0001-RANGER-4585-Support-multiple-columns-policy-creation.patch
>
>
> Support multiple columns policy creation in ranger for Grant / Revoke request
> When request like "grant select ( col1, col2, col3, col4, col5, col6, col7, 
> col8, col9, col10) on table demo.data5 to role testrole_09289898" is done in 
> Impala or Hive, ranger doesn't create those columns in a single policy. In 
> Impala case it creates one grant for each of the columns. In Hive it creates a 
> "*" column policy. This has to be modified to support creation of single 
> policy for grant with all the columns added. Same case for Revoke, need to 
> support update of the policies correctly.





[jira] [Updated] (RANGER-4585) Support multiple columns policy creation in ranger for Grant / Revoke request

2023-12-07 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4585?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-4585:

Attachment: 0001-RANGER-4585-Support-multiple-columns-policy-creation.patch

> Support multiple columns policy creation in ranger for Grant / Revoke request
> -
>
> Key: RANGER-4585
> URL: https://issues.apache.org/jira/browse/RANGER-4585
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 3.0.0
>    Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Major
> Attachments: 
> 0001-RANGER-4585-Support-multiple-columns-policy-creation.patch
>
>
> Support multiple columns policy creation in ranger for Grant / Revoke request
> When request like "grant select ( col1, col2, col3, col4, col5, col6, col7, 
> col8, col9, col10) on table demo.data5 to role testrole_09289898" is done in 
> Impala or Hive, ranger doesn't create those columns in a single policy. In 
> Impala case it creates one grant for each of the columns. In Hive it creates a 
> "*" column policy. This has to be modified to support creation of single 
> policy for grant with all the columns added. Same case for Revoke, need to 
> support update of the policies correctly.





Review Request 74777: RANGER-4585:Support multiple columns policy creation in ranger for Grant / Revoke request

2023-12-07 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74777/
---

Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, 
Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Bugs: RANGER-4585
https://issues.apache.org/jira/browse/RANGER-4585


Repository: ranger


Description
---

RANGER-4585:Support multiple columns policy creation in ranger for Grant / 
Revoke request


Diffs
-

  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
cffd177be 
  security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 
d049f9949 


Diff: https://reviews.apache.org/r/74777/diff/1/


Testing
---

- Testing done on select with multiple and single columns in a VM via impala 
and hive shell.
-   grant select (col1, col2, col3, col4, col5, col6, col7, col8)  on table 
demo.data9 to role testrole1
-   revoke select(col1,col2) on table demo.data10 from role testrole1;
-   grant select (col1)  on table demo.data10 to role testrole2;
-   revoke select(col1)  on table demo.data10 from role testrole2;


Thanks,

Ramesh Mani



[jira] [Assigned] (RANGER-4585) Support multiple columns policy creation in ranger for Grant / Revoke request

2023-12-07 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4585?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani reassigned RANGER-4585:
---

Assignee: Ramesh Mani

> Support multiple columns policy creation in ranger for Grant / Revoke request
> -
>
> Key: RANGER-4585
> URL: https://issues.apache.org/jira/browse/RANGER-4585
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 3.0.0
>    Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Major
>
> Support multiple columns policy creation in ranger for Grant / Revoke request
> When request like "grant select ( col1, col2, col3, col4, col5, col6, col7, 
> col8, col9, col10) on table demo.data5 to role testrole_09289898" is done in 
> Impala or Hive, ranger doesn't create those columns in a single policy. In 
> Impala case it creates one grant for each of the columns. In Hive it creates a 
> "*" column policy. This has to be modified to support creation of single 
> policy for grant with all the columns added. Same case for Revoke, need to 
> support update of the policies correctly.





[jira] [Created] (RANGER-4585) Support multiple columns policy creation in ranger for Grant / Revoke request

2023-12-07 Thread Ramesh Mani (Jira)
Ramesh Mani created RANGER-4585:
---

 Summary: Support multiple columns policy creation in ranger for 
Grant / Revoke request
 Key: RANGER-4585
 URL: https://issues.apache.org/jira/browse/RANGER-4585
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Affects Versions: 3.0.0
Reporter: Ramesh Mani


Support multiple columns policy creation in ranger for Grant / Revoke request
When request like "grant select ( col1, col2, col3, col4, col5, col6, col7, 
col8, col9, col10) on table demo.data5 to role testrole_09289898" is done in 
Impala or Hive, ranger doesn't create those columns in a single policy. In 
Impala case it creates one grant for each of the columns. In Hive it creates a 
"*" column policy. This has to be modified to support creation of single policy 
for grant with all the columns added. Same case for Revoke, need to support 
update of the policies correctly.





Re: Review Request 74762: RANGER-4302: caching of ServiceGdsInfo in Ranger admin

2023-11-29 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74762/#review226024
---


Ship it!




Ship It!

- Ramesh Mani


On Nov. 28, 2023, 9:37 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74762/
> ---
> 
> (Updated Nov. 28, 2023, 9:37 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Abhay Kulkarni, Mehul Parikh, Monika 
> Kachhadiya, Pradeep Agrawal, Prashant Satam, Ramesh Mani, and Subhrat 
> Chaudhary.
> 
> 
> Bugs: RANGER-4302
> https://issues.apache.org/jira/browse/RANGER-4302
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - ServiceGdsInfoCache implemented using RangerCache as a refresh-on-access 
> cache
> - updated GdsDBStore.getGdsInfoIfUpdated() to get the latest gdsInfo from 
> ServiceGdsInfoCache
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/AutoClosableLock.java
>  270096a32 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCache.java 
> PRE-CREATION 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/util/RangerCacheTest.java
>  PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java 
> 589fcdd68 
>   
> security-admin/src/main/java/org/apache/ranger/common/ServiceGdsInfoCache.java
>  PRE-CREATION 
>   
> security-admin/src/main/java/org/apache/ranger/util/RangerCacheDBValueLoader.java
>  PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/74762/diff/3/
> 
> 
> Testing
> ---
> 
> - verified that cache loads from the database only if the database has later 
> version than cached
> 2023-11-28 08:25:07,363 [http-nio-6080-exec-1] INFO 
> [ServiceGdsInfoCache.java:121] Refreshed gdsVersionInfo: 
> serviceName=dev_yarn, lastKnownVersion=null, latestVersion=1
> 2023-11-28 08:25:08,532 [http-nio-6080-exec-7] INFO 
> [ServiceGdsInfoCache.java:121] Refreshed gdsVersionInfo: 
> serviceName=dev_hdfs, lastKnownVersion=null, latestVersion=119
> 2023-11-28 08:25:13,561 [http-nio-6080-exec-3] INFO 
> [ServiceGdsInfoCache.java:121] Refreshed gdsVersionInfo: 
> serviceName=dev_hive, lastKnownVersion=null, latestVersion=118
> 2023-11-28 08:26:07,606 [ranger-cache-1-ServiceGdsInfoCache1] INFO 
> [ServiceGdsInfoCache.java:125] No change in gdsVersionInfo: 
> serviceName=dev_yarn, lastKnownVersion=1, latestVersion=1
> 2023-11-28 08:26:08,614 [ranger-cache-1-ServiceGdsInfoCache2] INFO 
> [ServiceGdsInfoCache.java:125] No change in gdsVersionInfo: 
> serviceName=dev_hdfs, lastKnownVersion=119, latestVersion=119
> 2023-11-28 08:26:13,817 [ranger-cache-1-ServiceGdsInfoCache1] INFO 
> [ServiceGdsInfoCache.java:125] No change in gdsVersionInfo: 
> serviceName=dev_hive, lastKnownVersion=118, latestVersion=118
> ...
> 2023-11-28 09:24:24,514 [ranger-cache-1-ServiceGdsInfoCache1] INFO 
> [ServiceGdsInfoCache.java:125] No change in gdsVersionInfo: 
> serviceName=dev_yarn, lastKnownVersion=1, latestVersion=1
> 2023-11-28 09:24:25,761 [ranger-cache-1-ServiceGdsInfoCache2] INFO 
> [ServiceGdsInfoCache.java:121] Refreshed gdsVersionInfo: 
> serviceName=dev_hdfs, lastKnownVersion=119, latestVersion=120
> 2023-11-28 09:24:30,960 [ranger-cache-1-ServiceGdsInfoCache1] INFO 
> [ServiceGdsInfoCache.java:121] Refreshed gdsVersionInfo: 
> serviceName=dev_hive, lastKnownVersion=118, latestVersion=120
> - verified that plugin calls to download GDS info receive the latest version
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 74745: RANGER-4282: updated audit logs to capture datasets and projects

2023-11-20 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74745/#review225985
---


Ship it!




Ship It!

- Ramesh Mani


On Nov. 21, 2023, 7:01 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74745/
> ---
> 
> (Updated Nov. 21, 2023, 7:01 a.m.)
> 
> 
> Review request for ranger, Anand Nadar, Ankita Sinha, Brijesh Bhalala, Dhaval 
> Rajpara, Abhay Kulkarni, Mehul Parikh, Monika Kachhadiya, Mugdha Varadkar, 
> Ramesh Mani, Subhrat Chaudhary, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4282
> https://issues.apache.org/jira/browse/RANGER-4282
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - updated AuthzAuditEvent with 2 new fields: datasets, projects
> - updated plugin to populate these 2 new fields in generated audit logs
> - updated Solr and Elasticsearch schema to add new fields
> - RANGER-4536 tracks audit UI updates to support the new fields
> 
> 
> Diffs
> -
> 
>   
> agents-audit/src/main/java/org/apache/ranger/audit/destination/ElasticSearchAuditDestination.java
>  1b17a934b 
>   
> agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java
>  f2e96bf9b 
>   
> agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 
> e20d1a786 
>   
> agents-audit/src/main/java/org/apache/ranger/audit/provider/solr/SolrAuditProvider.java
>  9cda3f8f3 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
>  c99465d7a 
>   dev-support/ranger-docker/config/solr-ranger_audits/managed-schema 
> c33f6de06 
>   
> security-admin/contrib/elasticsearch_for_audit_setup/conf/ranger_es_schema.json
>  801667bce 
>   security-admin/contrib/solr_for_audit_setup/conf/managed-schema c33f6de06 
>   
> security-admin/src/main/java/org/apache/ranger/amazon/cloudwatch/CloudWatchAccessAuditsService.java
>  0b36f6e90 
>   
> security-admin/src/main/java/org/apache/ranger/elasticsearch/ElasticSearchAccessAuditsService.java
>  4c9b049a0 
>   
> security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java
>  bb279349a 
>   security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java 
> cce18fafb 
> 
> 
> Diff: https://reviews.apache.org/r/74745/diff/2/
> 
> 
> Testing
> ---
> 
> - verified audit logs written to Solr include datasets and projects 
> associated with the resource
> - verified audit logs retrieved via REST API calls include datasets and 
> projects
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 74746: RANGER-4538: updated plugin-status to record GDS info download details

2023-11-20 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74746/#review225984
---


Ship it!




Ship It!

- Ramesh Mani


On Nov. 21, 2023, 6:04 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74746/
> ---
> 
> (Updated Nov. 21, 2023, 6:04 a.m.)
> 
> 
> Review request for ranger, Anand Nadar, Ankita Sinha, Brijesh Bhalala, Dhaval 
> Rajpara, Abhay Kulkarni, Monika Kachhadiya, Ramesh Mani, Subhrat Chaudhary, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4538
> https://issues.apache.org/jira/browse/RANGER-4538
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> updated GDS info download API to record download details in plugin status
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPluginInfo.java
>  238a98242 
>   security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java 8bbeba783 
>   security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java 1c312e5e9 
>   
> security-admin/src/main/java/org/apache/ranger/service/RangerPluginInfoService.java
>  3a4746def 
> 
> 
> Diff: https://reviews.apache.org/r/74746/diff/1/
> 
> 
> Testing
> ---
> 
> - verified that GDS download details are stored in column x_plugin_info.info:
> {
>   "pluginCapabilities": "f",
>   "adminCapabilities": "f",
>   "roleDownloadedVersion": "1",
>   "roleDownloadTime": "1700517922727",
>   "roleActiveVersion": "-1",
>   "roleActivationTime": "0",
>   "policyDownloadedVersion": "33",
>   "policyDownloadTime": "1700520586168",
>   "policyActiveVersion": "32",
>   "policyActivationTime": "1700519906012",
>   "tagDownloadedVersion": "16",
>   "tagDownloadTime": "1700533103456",
>   "tagActiveVersion": "15",
>   "tagActivationTime": "1700532263341",
>   "gdsDownloadedVersion": "127",
>   "gdsDownloadTime": "1700533223180",
>   "gdsActiveVersion": "126",
>   "gdsActivationTime": "1700532383325"
> }
> - verified that all existing tests pass successfully
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 74745: RANGER-4282: updated audit logs to capture datasets and projects

2023-11-20 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74745/#review225975
---




agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java
Line 112 (original), 112 (patched)
<https://reviews.apache.org/r/74745/#comment314348>

Do these fields need to be in Ranger UI? Then we need to have another JIRA 
to update it.



security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java
Lines 133 (patched)
<https://reviews.apache.org/r/74745/#comment314347>

Commented-out statement, if not needed please remove.


- Ramesh Mani


On Nov. 20, 2023, 11:32 p.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74745/
> ---
> 
> (Updated Nov. 20, 2023, 11:32 p.m.)
> 
> 
> Review request for ranger, Anand Nadar, Ankita Sinha, Brijesh Bhalala, Dhaval 
> Rajpara, Abhay Kulkarni, Mehul Parikh, Monika Kachhadiya, Mugdha Varadkar, 
> Ramesh Mani, Subhrat Chaudhary, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4282
> https://issues.apache.org/jira/browse/RANGER-4282
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - updated AuthzAuditEvent with 2 new fields: datasets, projects
> - updated plugin to populate these 2 new fields in generated audit logs
> - updated Solr and Elasticsearch schema to add new fields
> - RANGER-4536 tracks audit UI updates to support the new fields
> 
> 
> Diffs
> -
> 
>   
> agents-audit/src/main/java/org/apache/ranger/audit/destination/ElasticSearchAuditDestination.java
>  1b17a934b 
>   
> agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java
>  f2e96bf9b 
>   
> agents-audit/src/main/java/org/apache/ranger/audit/model/AuthzAuditEvent.java 
> e20d1a786 
>   
> agents-audit/src/main/java/org/apache/ranger/audit/provider/solr/SolrAuditProvider.java
>  9cda3f8f3 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
>  c99465d7a 
>   dev-support/ranger-docker/config/solr-ranger_audits/managed-schema 
> c33f6de06 
>   
> security-admin/contrib/elasticsearch_for_audit_setup/conf/ranger_es_schema.json
>  801667bce 
>   security-admin/contrib/solr_for_audit_setup/conf/managed-schema c33f6de06 
>   
> security-admin/src/main/java/org/apache/ranger/amazon/cloudwatch/CloudWatchAccessAuditsService.java
>  0b36f6e90 
>   
> security-admin/src/main/java/org/apache/ranger/elasticsearch/ElasticSearchAccessAuditsService.java
>  4c9b049a0 
>   
> security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java
>  4d96df6ea 
>   
> security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java
>  bb279349a 
>   security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java 
> cce18fafb 
> 
> 
> Diff: https://reviews.apache.org/r/74745/diff/1/
> 
> 
> Testing
> ---
> 
> - verified audit logs written to Solr include datasets and projects 
> associated with the resource
> - verified audit logs retrieved via REST API calls include datasets and 
> projects
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 74741: RANGER-4530: fixed GDS update APIs to not require guid in payload

2023-11-16 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74741/#review225962
---


Ship it!




Ship It!

- Ramesh Mani


On Nov. 16, 2023, 8:10 p.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74741/
> ---
> 
> (Updated Nov. 16, 2023, 8:10 p.m.)
> 
> 
> Review request for ranger, Anand Nadar, Ankita Sinha, Dhaval Rajpara, Abhay 
> Kulkarni, Mehul Parikh, Monika Kachhadiya, Mugdha Varadkar, Prashant Satam, 
> Ramesh Mani, and Subhrat Chaudhary.
> 
> 
> Bugs: RANGER-4530
> https://issues.apache.org/jira/browse/RANGER-4530
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - updated APIs to copy GUID value from existing object
> - removed unnecessary annotation from GET API calls: @Consumes({ 
> "application/json" })
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java 
> 6390f0547 
>   security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java b1dc9d37d 
> 
> 
> Diff: https://reviews.apache.org/r/74741/diff/1/
> 
> 
> Testing
> ---
> 
> - verified that update calls succeed even when GUID is not provided in the 
> payload
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 74603: RANGER-4373: Deleting a role which is already present in policy is giving incorrect message.

2023-11-09 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74603/#review225958
---


Ship it!




Ship It!

- Ramesh Mani


On Sept. 14, 2023, 11:46 a.m., sanket shelar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74603/
> ---
> 
> (Updated Sept. 14, 2023, 11:46 a.m.)
> 
> 
> Review request for ranger, dinesh  akhand, Kishor Gollapalliwar, Abhay 
> Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4373
> https://issues.apache.org/jira/browse/RANGER-4373
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> If a role is already present in a policy and we try to delete the role, 
> we get the message "data not found" instead of "Role  can not be 
> deleted as it is referenced in one or more policies".
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java 4bfaa862c 
>   security-admin/src/test/java/org/apache/ranger/rest/TestRoleREST.java 
> 2da72a1ea 
> 
> 
> Diff: https://reviews.apache.org/r/74603/diff/1/
> 
> 
> Testing
> ---
> 
> Tested for role delete scenarios.
> 
> 
> Thanks,
> 
> sanket shelar
> 
>



Re: Review Request 74721: RANGER-4515: Enhance perf-tracer to get CPU time when possible

2023-11-08 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74721/#review225951
---


Ship it!




Ship It!

- Ramesh Mani


On Nov. 7, 2023, 9:23 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74721/
> ---
> 
> (Updated Nov. 7, 2023, 9:23 p.m.)
> 
> 
> Review request for ranger, madhan, Madhan Neethiraj, Mahesh Bandal, Ramesh 
> Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4515
> https://issues.apache.org/jira/browse/RANGER-4515
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Some JVM versions provide the precision of nanoseconds for CPU time as well 
> as user time. Use nanosecond precision whenever available.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/PerfDataRecorder.java
>  7e2c46fde 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfCollectorTracer.java
>  6e95a56ff 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracer.java
>  3c985c62c 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPerfTracerFactory.java
>  1a4e86dce 
> 
> 
> Diff: https://reviews.apache.org/r/74721/diff/2/
> 
> 
> Testing
> ---
> 
> Built ranger and ran all unit tests successfully.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



Re: Review Request 74722: RANGER-4516: moved getResourceACLs() implementation from RangerPolicyEngine to RangerPolicyEvaluator

2023-11-08 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74722/#review225950
---


Ship it!




Ship It!

- Ramesh Mani


On Nov. 8, 2023, 1:06 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74722/
> ---
> 
> (Updated Nov. 8, 2023, 1:06 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Kishor 
> Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Monika Kachhadiya, Pradeep 
> Agrawal, Ramesh Mani, Selvamohan Neethiraj, and Subhrat Chaudhary.
> 
> 
> Bugs: RANGER-4516
> https://issues.apache.org/jira/browse/RANGER-4516
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> updated getResourceACLs() implementation to move evaluator specific code from 
> RangerPolicyEngine to RangerPolicyEvaluator
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  12f8a1705 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
>  5650b9ea8 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyEvaluator.java
>  0d4886c57 
> 
> 
> Diff: https://reviews.apache.org/r/74722/diff/1/
> 
> 
> Testing
> ---
> 
> - verified that all existing unit tests pass successfully
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 74698: RANGER-4035: DB schema update to persist XXAccessTypeDef.category

2023-11-01 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74698/#review225922
---




security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
Lines 797 (patched)
<https://reviews.apache.org/r/74698/#comment314329>

1) Should there be db patch for the upgrade scenario for those databases?
https://github.com/apache/ranger/tree/master/security-admin/db/mysql/patches

2) Any specific reason why other databases are excluded from this change?


- Ramesh Mani


On Oct. 26, 2023, 6:09 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74698/
> ---
> 
> (Updated Oct. 26, 2023, 6:09 a.m.)
> 
> 
> Review request for ranger, Anand Nadar, Ankita Sinha, Abhay Kulkarni, Monika 
> Kachhadiya, Prashant Satam, Ramesh Mani, and Subhrat Chaudhary.
> 
> 
> Bugs: RANGER-4035
> https://issues.apache.org/jira/browse/RANGER-4035
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - added column x_access_type_def.category 
> - updated DB save/load modules to persist XXAccessTypeDef.category in the new 
> column
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractServiceStore.java
>  dc786a457 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 
> 17092d486 
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 
> 7371cd6d0 
>   security-admin/src/main/java/org/apache/ranger/entity/XXAccessTypeDef.java 
> 200a51d33 
>   
> security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java
>  86928193a 
> 
> 
> Diff: https://reviews.apache.org/r/74698/diff/2/
> 
> 
> Testing
> ---
> 
> - verified that category specified in XXAccessTypeDef.category is persisted 
> in the database
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 74703: RANGER-3815: added support for validity-period/access-time condition in policy-items

2023-10-31 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74703/#review225914
---


Ship it!




Ship It!

- Ramesh Mani


On Oct. 28, 2023, 10:40 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74703/
> ---
> 
> (Updated Oct. 28, 2023, 10:40 a.m.)
> 
> 
> Review request for ranger, Anand Nadar, Ankita Sinha, Abhay Kulkarni, Mehul 
> Parikh, Monika Kachhadiya, Mugdha Varadkar, Pradeep Agrawal, Prashant Satam, 
> Ramesh Mani, Subhrat Chaudhary, Vanita Ubale, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3815
> https://issues.apache.org/jira/browse/RANGER-3815
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - added support for the following macros in condition expression
>  -- IS_ACCESS_TIME_AFTER
>  -- IS_ACCESS_TIME_BEFORE
>  -- IS_ACCESS_TIME_BETWEEN
> - this enables policy authors to specify the time period in which 
> users/groups/roles should be granted/denied access
> - example: to grant access to user1 after '2024/01/01 09:00', add condition 
> IS_ACCESS_TIME_AFTER('2024/01/01 09:00')
> - example: to grant access to user1 until '2024/01/01 09:00', add condition 
> IS_ACCESS_TIME_BEFORE('2024/01/01 09:00')
> - example: to grant access to user1 from '2023/10/01 to 2024/01/01', add 
> condition IS_ACCESS_TIME_BETWEEN('2023/10/01', '2024/01/01')
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
>  884f69137 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java
>  fa59e8d58 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerTimeRangeChecker.java
>  PRE-CREATION 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/conditionevaluator/RangerRequestScriptEvaluatorTest.java
>  6705327d8 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/util/RangerTimeRangeCheckerTest.java
>  PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/74703/diff/2/
> 
> 
> Testing
> ---
> 
> - added unit tests
> - verified that all existing tests pass successfully
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>
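
A sketch of the time-window check behind the three macros in the RANGER-3815 description above, added here as an illustration and not taken from RangerTimeRangeChecker or the patch. The class and method names, the explicit time zone, strict date parsing, start-of-day handling of date-only bounds, and the inclusive-start/exclusive-end semantics are all assumptions.

```java
import java.time.Instant;
import java.time.LocalDate;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.time.format.ResolverStyle;
import java.time.temporal.TemporalAccessor;

// Added illustration of a validity-period check; NOT Ranger's RangerTimeRangeChecker.
public class AccessTimeWindow {
    // Accepts both forms used in the description: '2024/01/01 09:00' and '2023/10/01'.
    // STRICT rejects impossible dates such as 2024/02/30 instead of silently
    // adjusting them, so a mistyped bound cannot shift the access window.
    private static final DateTimeFormatter FORMAT = DateTimeFormatter
            .ofPattern("uuuu/MM/dd[ HH:mm]")
            .withResolverStyle(ResolverStyle.STRICT);

    // Assumption: every bound in a policy is interpreted in one explicit zone,
    // never in the JVM default of whichever host evaluates the policy.
    private final ZoneId zone;

    public AccessTimeWindow(ZoneId zone) {
        this.zone = zone;
    }

    // Converts a policy bound to an instant; a date-only bound means 00:00 that day.
    Instant parseBound(String text) {
        if (text == null) {
            throw new IllegalArgumentException("time bound is missing");
        }
        try {
            TemporalAccessor parsed =
                    FORMAT.parseBest(text.trim(), LocalDateTime::from, LocalDate::from);
            LocalDateTime local = (parsed instanceof LocalDateTime)
                    ? (LocalDateTime) parsed
                    : ((LocalDate) parsed).atStartOfDay();
            return local.atZone(zone).toInstant();
        } catch (DateTimeParseException e) {
            // Surface the misconfiguration rather than guessing a window.
            throw new IllegalArgumentException("invalid time bound: " + text, e);
        }
    }

    // Analogue of IS_ACCESS_TIME_AFTER: true from the bound onwards (inclusive).
    public boolean isAfter(String from, Instant accessTime) {
        return !accessTime.isBefore(parseBound(from));
    }

    // Analogue of IS_ACCESS_TIME_BEFORE: true until the bound (exclusive).
    public boolean isBefore(String to, Instant accessTime) {
        return accessTime.isBefore(parseBound(to));
    }

    // Analogue of IS_ACCESS_TIME_BETWEEN: from <= accessTime < to.
    public boolean isBetween(String from, String to, Instant accessTime) {
        Instant start = parseBound(from);
        Instant end = parseBound(to);
        if (!start.isBefore(end)) {
            throw new IllegalArgumentException("empty window: " + from + " .. " + to);
        }
        return !accessTime.isBefore(start) && accessTime.isBefore(end);
    }

    public static void main(String[] args) {
        AccessTimeWindow window = new AccessTimeWindow(ZoneId.of("UTC"));

        // Constructed access times, one just inside and one on the end of the
        // BETWEEN window quoted in the description.
        Instant lastMinute = Instant.parse("2023-12-31T23:59:00Z");
        Instant newYear = Instant.parse("2024-01-01T00:00:00Z");

        System.out.println("AFTER  '2024/01/01 09:00' at " + lastMinute + ": "
                + window.isAfter("2024/01/01 09:00", lastMinute));
        System.out.println("BEFORE '2024/01/01 09:00' at " + lastMinute + ": "
                + window.isBefore("2024/01/01 09:00", lastMinute));
        System.out.println("BETWEEN '2023/10/01', '2024/01/01' at " + lastMinute + ": "
                + window.isBetween("2023/10/01", "2024/01/01", lastMinute));
        System.out.println("BETWEEN '2023/10/01', '2024/01/01' at " + newYear + ": "
                + window.isBetween("2023/10/01", "2024/01/01", newYear));

        try {
            window.isAfter("2024/02/30", newYear);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the access time is passed in rather than read from the wall clock, the boundaries can be exercised with fixed instants in a unit test.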



Re: Review Request 74685: RANGER-4485: refactored condition evaluator instantiation to avoid duplicate code

2023-10-24 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74685/#review225891
---


Ship it!




Ship It!

- Ramesh Mani


On Oct. 19, 2023, 7:37 p.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74685/
> ---
> 
> (Updated Oct. 19, 2023, 7:37 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Kishor Gollapalliwar, Abhay 
> Kulkarni, Monika Kachhadiya, Pradeep Agrawal, Prashant Satam, Ramesh Mani, 
> and Subhrat Chaudhary.
> 
> 
> Bugs: RANGER-4485
> https://issues.apache.org/jira/browse/RANGER-4485
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> refactored instantiation of conditions evaluators in 
> RangerCustomerConditionEvaluator to avoid code duplication
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCustomConditionEvaluator.java
>  6f15eed8e 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  8e908f6a9 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
>  2528aeafa 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java 
> 53eb0f81e 
>   security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 
> 83f662518 
>   
> security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java
>  dcbfbfdc2 
>   
> security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefService.java
>  31f698292 
> 
> 
> Diff: https://reviews.apache.org/r/74685/diff/1/
> 
> 
> Testing
> ---
> 
> - verified that all existing tests pass successfully
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 74686: RANGER-4486: ZoneV2 partial update allows duplicate principals and tagServices

2023-10-20 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74686/#review225880
---




agents-common/src/main/java/org/apache/ranger/plugin/util/RangerSecurityZoneHelper.java
Lines 185 (patched)
<https://reviews.apache.org/r/74686/#comment314291>

typo in the naming => addIfAbsent()


- Ramesh Mani


On Oct. 20, 2023, 4:28 a.m., Subhrat Chaudhary wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74686/
> ---
> 
> (Updated Oct. 20, 2023, 4:28 a.m.)
> 
> 
> Review request for ranger, Anand Nadar, Ankita Sinha, Madhan Neethiraj, 
> Monika Kachhadiya, and Prashant Satam.
> 
> 
> Bugs: RANGER-4486
> https://issues.apache.org/jira/browse/RANGER-4486
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> The PUT API - /service/public/v2/api/zones-v2/{zoneId}/partial allows 
> addition of duplicate principals (admin and auditor UGR) and tagServices.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerSecurityZoneHelper.java
>  facc305fe 
> 
> 
> Diff: https://reviews.apache.org/r/74686/diff/1/
> 
> 
> Testing
> ---
> 
> Validated the PUT API - /service/public/v2/api/zones-v2/{zoneId}/partial, by 
> passing duplicate tagService and adminUser in request repeatedly:
> 
> {
>   "id": 5,
>   "isEnabled": true,
>   "createdBy": "Admin",
>   "updatedBy": "Admin",
>   "createTime": 1697718906795,
>   "updateTime": 1697718906796,
>   "name": "zone10",
>   "services": {
>     "hive1": {
>       "resources": [
>         {
>           "id": 1,
>           "resource": {
>             "database": [
>               "db10"
>             ]
>           }
>         }
>       ]
>     }
>   },
>   "tagServicesToAdd": [
>     "tag1", "tag1"
>   ],
>   "adminsToAdd": [
>     {
>       "type": "USER",
>       "name": "mark"
>     },
>     {
>       "type": "USER",
>       "name": "mark"
>     }
>   ]
> }
> 
> The zone is updated with single adminUser and tagService:
> 
> {
>   "id": 5,
>   "isEnabled": true,
>   "createdBy": "Admin",
>   "updatedBy": "Admin",
>   "createTime": 1697718906795,
>   "updateTime": 1697775464068,
>   "name": "zone10",
>   "services": {
>     "hive1": {
>       "resources": [
>         {
>           "id": 1,
>           "resource": {
>             "database": [
>               "db10"
>             ]
>           }
>         }
>       ]
>     }
>   },
>   "tagServices": [
>     "tag1"
>   ],
>   "admins": [
>     {
>       "type": "USER",
>       "name": "mark"
>     }
>   ],
>   "auditors": [
>     {
>       "type": "USER",
>       "name": "mark"
>     }
>   ]
> }
> 
> 
> Thanks,
> 
> Subhrat Chaudhary
> 
>



Re: Review Request 74683: RANGER-4484: made security-zones for the resource available in the request context

2023-10-18 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74683/#review225876
---


Ship it!




Ship It!

- Ramesh Mani


On Oct. 19, 2023, 3:49 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74683/
> ---
> 
> (Updated Oct. 19, 2023, 3:49 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Abhay Kulkarni, Ramesh Mani, and 
> Subhrat Chaudhary.
> 
> 
> Bugs: RANGER-4484
> https://issues.apache.org/jira/browse/RANGER-4484
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - updated RangerDefaultRequestProcessor.preProcess() to compute 
> security-zones for the accessed resource and store in context
> - updated policy evaluation paths to obtain security-zone from the context, 
> instead of computing
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
>  3373dbae9 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  fd78fd8e0 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
>  0df8686e3 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
>  6fa75d602 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
>  b505f495b 
>   
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
> 6799be200 
> 
> 
> Diff: https://reviews.apache.org/r/74683/diff/1/
> 
> 
> Testing
> ---
> 
> - verified that all tests pass successfully
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 74683: RANGER-4484: made security-zones for the resource available in the request context

2023-10-18 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74683/#review225875
---




agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
Lines 278 (patched)
<https://reviews.apache.org/r/74683/#comment314286>

Nit pick: No need of null check, instanceof should be enough.


- Ramesh Mani


On Oct. 19, 2023, 3:49 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74683/
> ---
> 
> (Updated Oct. 19, 2023, 3:49 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Abhay Kulkarni, Ramesh Mani, and 
> Subhrat Chaudhary.
> 
> 
> Bugs: RANGER-4484
> https://issues.apache.org/jira/browse/RANGER-4484
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - updated RangerDefaultRequestProcessor.preProcess() to compute 
> security-zones for the accessed resource and store in context
> - updated policy evaluation paths to obtain security-zone from the context, 
> instead of computing
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
>  3373dbae9 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  fd78fd8e0 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
>  0df8686e3 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
>  6fa75d602 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
>  b505f495b 
>   
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
> 6799be200 
> 
> 
> Diff: https://reviews.apache.org/r/74683/diff/1/
> 
> 
> Testing
> ---
> 
> - verified that all tests pass successfully
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 74682: RANGER-4483: added support for NOT_EQUALS in DB queries

2023-10-18 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74682/#review225873
---


Ship it!




Ship It!

- Ramesh Mani


On Oct. 19, 2023, 1:18 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74682/
> ---
> 
> (Updated Oct. 19, 2023, 1:18 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Kishor Gollapalliwar, Abhay 
> Kulkarni, Mehul Parikh, Monika Kachhadiya, Pradeep Agrawal, Prashant Satam, 
> Ramesh Mani, Subhrat Chaudhary, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4483
> https://issues.apache.org/jira/browse/RANGER-4483
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - updated enum SearchField.SEARCH_TYPE with addition of NOT_EQUALS
> - updated where-clause builder to handle the new enum value
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 
> e8aab9af5 
>   security-admin/src/main/java/org/apache/ranger/common/SearchField.java 
> a53a75cc4 
>   security-admin/src/main/java/org/apache/ranger/common/SearchUtil.java 
> 08002413c 
>   
> security-admin/src/test/java/org/apache/ranger/common/TestRangerSearchUtil.java
>  PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/74682/diff/1/
> 
> 
> Testing
> ---
> 
> - added test cases
> - verified that all existing tests pass successfully
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 74628: RANGER-4440: option to store compressed Json text in x_security_zone.jsonData

2023-09-29 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74628/#review225796
---


Ship it!




Ship It!

- Ramesh Mani


On Sept. 28, 2023, 7:11 p.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74628/
> ---
> 
> (Updated Sept. 28, 2023, 7:11 p.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Mehul Parikh, MonicaCH MonicaCH, 
> Prashant Satam, Ramesh Mani, Subhrat Chaudhary, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4440
> https://issues.apache.org/jira/browse/RANGER-4440
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - updated security-zone write/read to support Gzip compressed text in 
> x_security_zone.jsonData.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java
>  8202b00b2 
>   
> agents-common/src/test/java/org/apache/ranger/authorization/utils/TestStringUtil.java
>  5317dd2d6 
>   security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java 
> 44bca7489 
>   
> security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneServiceService.java
>  476d1511b 
> 
> 
> Diff: https://reviews.apache.org/r/74628/diff/1/
> 
> 
> Testing
> ---
> 
> - added unit tests
> - verified that Security zone CRUD works with GZip compressed text in 
> x_security_zone.jsonData. This requires compression to be enabled with 
> configuration ranger.admin.store.security.zone.compress.json_data=true
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



[jira] [Comment Edited] (RANGER-4404) Audit to hdfs for orc format feature stabilisation

2023-09-14 Thread Ramesh Mani (Jira)


[ https://issues.apache.org/jira/browse/RANGER-4404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17764835#comment-17764835 ]

Ramesh Mani edited comment on RANGER-4404 at 9/14/23 3:57 PM:
--

[~bpatel] Yes directly writing into ORC format and copying is what I was 
thinking of, but in this process we should not lose audit in case of failure. 

Json to ORC conversion tool looks promising  an if we processes parallelly. 
Will check it out. Thanks.


was (Author: rmani):
[~bpatel] Yes directly writing into ORC format and copying is what I was 
thinking of, but in this process we should not loose audit it case of failure. 

Json to ORC conversion tool looks promising  an if we processes parallelly. 
Will check it out. Thanks.

> Audit to hdfs for orc format feature stabilisation
> --
>
> Key: RANGER-4404
> URL: https://issues.apache.org/jira/browse/RANGER-4404
> Project: Ranger
>  Issue Type: Improvement
>  Components: audit
>Affects Versions: 3.0.0, 2.4.0
>Reporter: Bhavik Patel
>Assignee: Bhavik Patel
>Priority: Major
>
> Currently if we have 50GB audit log file in spool directory then it is taking 
> 4-5hr for the conversion and writing to HDFS.
> Also, we are observing below error logs
> {code:java}
>  ERROR [AuditFileQueueSpool_hdfs_destWriter] provider.BaseAuditHandler: Error writing to log file.
> java.lang.RuntimeException: Overflow of newLength. smallBuffer.length=1073741824, nextElemLength=38
>     at org.apache.hadoop.hive.ql.exec.vector.BytesColumnVector.increaseBufferSpace(BytesColumnVector.java:311)
>     at org.apache.hadoop.hive.ql.exec.vector.BytesColumnVector.setVal(BytesColumnVector.java:182)
>     at org.apache.hadoop.hive.ql.exec.vector.BytesColumnVector.setVal(BytesColumnVector.java:207)
>     at org.apache.ranger.audit.utils.ORCFileUtil.log(ORCFileUtil.java:143)
>     at org.apache.ranger.audit.utils.RangerORCAuditWriter$1.run(RangerORCAuditWriter.java:77)
>     at org.apache.ranger.audit.utils.RangerORCAuditWriter$1.run(RangerORCAuditWriter.java:73)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:422)
>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1762)
>     at org.apache.ranger.audit.provider.MiscUtil.executePrivilegedAction(MiscUtil.java:541)
>     at org.apache.ranger.audit.utils.RangerORCAuditWriter.logAuditAsORC(RangerORCAuditWriter.java:73)
>     at org.apache.ranger.audit.utils.RangerORCAuditWriter.logAsORC(RangerORCAuditWriter.java:159)
>     at org.apache.ranger.audit.utils.RangerORCAuditWriter.log(RangerORCAuditWriter.java:112)
>     at org.apache.ranger.audit.destination.HDFSAuditDestination.logJSON(HDFSAuditDestination.java:78)
>     at org.apache.ranger.audit.destination.HDFSAuditDestination.log(HDFSAuditDestination.java:163)
>     at org.apache.ranger.audit.queue.AuditFileQueueSpool.sendEvent(AuditFileQueueSpool.java:926)
>     at org.apache.ranger.audit.queue.AuditFileQueueSpool.logEvent(AuditFileQueueSpool.java:913)
>     at org.apache.ranger.audit.queue.AuditFileQueueSpool.runLogAudit(AuditFileQueueSpool.java:847)
>     at org.apache.ranger.audit.queue.AuditFileQueueSpool.run(AuditFileQueueSpool.java:790)
>  {code}
> hive-storage-api version upgrade(>=2.7.3) required to resolve the above error.
> Current version is 2.7.2
> cc: [~rmani]  [~fateh288] 





Re: Review Request 74599: RANGER-4407 : Add server side validation for service audit filter

2023-09-13 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74599/#review225756
---


Ship it!




Ship It!

- Ramesh Mani


On Sept. 13, 2023, 3:51 p.m., Dineshkumar Yadav wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74599/
> ---
> 
> (Updated Sept. 13, 2023, 3:51 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Rajpara, Kishor 
> Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Mugdha 
> Varadkar, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4407
> https://issues.apache.org/jira/browse/RANGER-4407
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Added server side validation for Ranger Audits & added UI side fix to catch 
> any error while parsing the service audit filters
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
> 84b096e9b 
>   
> security-admin/src/main/webapp/react-webapp/src/views/ServiceManager/ServiceDefinition.jsx
>  696c25c8c 
>   
> security-admin/src/main/webapp/react-webapp/src/views/ServiceManager/ServiceViewDetails.jsx
>  52279345f 
> 
> 
> Diff: https://reviews.apache.org/r/74599/diff/2/
> 
> 
> Testing
> ---
> 
> Manual testing done using curl requests as well as from UI.
> 
> 
> Thanks,
> 
> Dineshkumar Yadav
> 
>



[jira] [Commented] (RANGER-4404) Audit to hdfs for orc format feature stabilisation

2023-09-13 Thread Ramesh Mani (Jira)


[ https://issues.apache.org/jira/browse/RANGER-4404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17764835#comment-17764835 ]

Ramesh Mani commented on RANGER-4404:
-

[~bpatel] Yes directly writing into ORC format and copying is what I was 
thinking of, but in this process we should not lose audit in case of failure. 

Json to ORC conversion tool looks promising  an if we processes parallelly. 
Will check it out. Thanks.

> Audit to hdfs for orc format feature stabilisation
> --
>
> Key: RANGER-4404
> URL: https://issues.apache.org/jira/browse/RANGER-4404
> Project: Ranger
>  Issue Type: Improvement
>  Components: audit
>Affects Versions: 3.0.0, 2.4.0
>Reporter: Bhavik Patel
>Assignee: Bhavik Patel
>Priority: Major
>
> Currently if we have 50GB audit log file in spool directory then it is taking 
> 4-5hr for the conversion and writing to HDFS.
> Also, we are observing below error logs
> {code:java}
>  ERROR [AuditFileQueueSpool_hdfs_destWriter] provider.BaseAuditHandler: Error writing to log file.
> java.lang.RuntimeException: Overflow of newLength. smallBuffer.length=1073741824, nextElemLength=38
>     at org.apache.hadoop.hive.ql.exec.vector.BytesColumnVector.increaseBufferSpace(BytesColumnVector.java:311)
>     at org.apache.hadoop.hive.ql.exec.vector.BytesColumnVector.setVal(BytesColumnVector.java:182)
>     at org.apache.hadoop.hive.ql.exec.vector.BytesColumnVector.setVal(BytesColumnVector.java:207)
>     at org.apache.ranger.audit.utils.ORCFileUtil.log(ORCFileUtil.java:143)
>     at org.apache.ranger.audit.utils.RangerORCAuditWriter$1.run(RangerORCAuditWriter.java:77)
>     at org.apache.ranger.audit.utils.RangerORCAuditWriter$1.run(RangerORCAuditWriter.java:73)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:422)
>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1762)
>     at org.apache.ranger.audit.provider.MiscUtil.executePrivilegedAction(MiscUtil.java:541)
>     at org.apache.ranger.audit.utils.RangerORCAuditWriter.logAuditAsORC(RangerORCAuditWriter.java:73)
>     at org.apache.ranger.audit.utils.RangerORCAuditWriter.logAsORC(RangerORCAuditWriter.java:159)
>     at org.apache.ranger.audit.utils.RangerORCAuditWriter.log(RangerORCAuditWriter.java:112)
>     at org.apache.ranger.audit.destination.HDFSAuditDestination.logJSON(HDFSAuditDestination.java:78)
>     at org.apache.ranger.audit.destination.HDFSAuditDestination.log(HDFSAuditDestination.java:163)
>     at org.apache.ranger.audit.queue.AuditFileQueueSpool.sendEvent(AuditFileQueueSpool.java:926)
>     at org.apache.ranger.audit.queue.AuditFileQueueSpool.logEvent(AuditFileQueueSpool.java:913)
>     at org.apache.ranger.audit.queue.AuditFileQueueSpool.runLogAudit(AuditFileQueueSpool.java:847)
>     at org.apache.ranger.audit.queue.AuditFileQueueSpool.run(AuditFileQueueSpool.java:790)
>  {code}
> hive-storage-api version upgrade(>=2.7.3) required to resolve the above error.
> Current version is 2.7.2
> cc: [~rmani]  [~fateh288] 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
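Why the logged `smallBuffer.length=1073741824` ends in "Overflow of newLength", as an added example (not code from Ranger or hive-storage-api): 1073741824 is 2^30, and doubling it in Java's 32-bit `int` wraps to a negative value. `naiveGrow` is a simplified model of a doubling buffer with such a guard and `safeGrow` is one overflow-safe alternative; both names, the `MAX_ARRAY_LENGTH` bound and the "buffer completely full" input are assumptions made for illustration.

```java
public class BufferGrowthOverflow {

    // Assumption: a conservative upper bound for a byte[] length on common JVMs.
    static final int MAX_ARRAY_LENGTH = Integer.MAX_VALUE - 8;

    /**
     * Simplified model of a doubling growth policy computed in int arithmetic.
     * Once currentLength reaches 2^30, currentLength * 2 wraps to -2^31 and
     * the guard raises the same message that appears in the audit log above.
     */
    static int naiveGrow(int currentLength, int nextFree, int nextElemLength) {
        int newLength = currentLength * 2;
        while (newLength < nextFree + nextElemLength) {
            if (newLength <= 0) {
                throw new RuntimeException("Overflow of newLength. smallBuffer.length="
                        + currentLength + ", nextElemLength=" + nextElemLength);
            }
            newLength *= 2;
        }
        return newLength;
    }

    /**
     * Overflow-safe variant: do the arithmetic in long, clamp to the largest
     * allocatable array, and fail explicitly only when the data cannot fit.
     */
    static int safeGrow(int currentLength, int nextFree, int nextElemLength) {
        long required = (long) nextFree + nextElemLength;
        if (required > MAX_ARRAY_LENGTH) {
            throw new IllegalStateException("buffer cannot hold " + required
                    + " bytes; flush the batch before appending");
        }
        long doubled = Math.max((long) currentLength * 2, required);
        return (int) Math.min(doubled, MAX_ARRAY_LENGTH);
    }

    public static void main(String[] args) {
        int length = 1073741824; // smallBuffer.length from the logged error (2^30)
        int nextFree = length;   // constructed input: buffer assumed completely full
        int elem = 38;           // nextElemLength from the logged error

        System.out.println("length * 2 as int  = " + (length * 2));
        System.out.println("length * 2 as long = " + ((long) length * 2));

        try {
            naiveGrow(length, nextFree, elem);
        } catch (RuntimeException e) {
            System.out.println("naiveGrow threw: " + e.getMessage());
        }

        System.out.println("safeGrow returned  = " + safeGrow(length, nextFree, elem));
    }
}
```

For an audit pipeline the practical point is that the failing write is an audit event: a writer that lets one buffer accumulate to 1 GiB before flushing loses events when the next growth step fails.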


[jira] [Commented] (RANGER-4404) Audit to hdfs for orc format feature stabilisation

2023-09-13 Thread Ramesh Mani (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-4404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17764800#comment-17764800
 ] 

Ramesh Mani commented on RANGER-4404:
-

[~bpatel]  Thanks for raising this. 

On the time taken to convert 50 GB of log, where do you think more of the 
time is spent? Could parallelizing the batch process of files help in this case? 
I mean, would multiple threads (partitioning) based on the number of files and 
processing them in parallel help in this case?

> Audit to hdfs for orc format feature stabilisation
> --
>
> Key: RANGER-4404
> URL: https://issues.apache.org/jira/browse/RANGER-4404
> Project: Ranger
> Issue Type: Improvement
> Components: audit
> Affects Versions: 3.0.0, 2.4.0
> Reporter: Bhavik Patel
> Assignee: Bhavik Patel
> Priority: Major
>
> Currently if we have 50GB audit log file in spool directory then it is taking 
> 4-5hr for the conversion and writing to HDFS.
> Also, we are observing below error logs
> {code:java}
>  ERROR [AuditFileQueueSpool_hdfs_destWriter] provider.BaseAuditHandler: Error writing to log file.
> java.lang.RuntimeException: Overflow of newLength. smallBuffer.length=1073741824, nextElemLength=38
>     at org.apache.hadoop.hive.ql.exec.vector.BytesColumnVector.increaseBufferSpace(BytesColumnVector.java:311)
>     at org.apache.hadoop.hive.ql.exec.vector.BytesColumnVector.setVal(BytesColumnVector.java:182)
>     at org.apache.hadoop.hive.ql.exec.vector.BytesColumnVector.setVal(BytesColumnVector.java:207)
>     at org.apache.ranger.audit.utils.ORCFileUtil.log(ORCFileUtil.java:143)
>     at org.apache.ranger.audit.utils.RangerORCAuditWriter$1.run(RangerORCAuditWriter.java:77)
>     at org.apache.ranger.audit.utils.RangerORCAuditWriter$1.run(RangerORCAuditWriter.java:73)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:422)
>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1762)
>     at org.apache.ranger.audit.provider.MiscUtil.executePrivilegedAction(MiscUtil.java:541)
>     at org.apache.ranger.audit.utils.RangerORCAuditWriter.logAuditAsORC(RangerORCAuditWriter.java:73)
>     at org.apache.ranger.audit.utils.RangerORCAuditWriter.logAsORC(RangerORCAuditWriter.java:159)
>     at org.apache.ranger.audit.utils.RangerORCAuditWriter.log(RangerORCAuditWriter.java:112)
>     at org.apache.ranger.audit.destination.HDFSAuditDestination.logJSON(HDFSAuditDestination.java:78)
>     at org.apache.ranger.audit.destination.HDFSAuditDestination.log(HDFSAuditDestination.java:163)
>     at org.apache.ranger.audit.queue.AuditFileQueueSpool.sendEvent(AuditFileQueueSpool.java:926)
>     at org.apache.ranger.audit.queue.AuditFileQueueSpool.logEvent(AuditFileQueueSpool.java:913)
>     at org.apache.ranger.audit.queue.AuditFileQueueSpool.runLogAudit(AuditFileQueueSpool.java:847)
>     at org.apache.ranger.audit.queue.AuditFileQueueSpool.run(AuditFileQueueSpool.java:790)
>  {code}
> hive-storage-api version upgrade(>=2.7.3) required to resolve the above error.
> Current version is 2.7.2
> cc: [~rmani]  [~fateh288] 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


Re: Review Request 74580: RANGER-4391: updated plugin to support using user-groups from Ranger admin

2023-09-01 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74580/#review225716
---


Ship it!




Ship It!

- Ramesh Mani


On Sept. 1, 2023, 8:36 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74580/
> ---
> 
> (Updated Sept. 1, 2023, 8:36 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Abhay Kulkarni, Mehul Parikh, Monika 
> Kachhadiya, Pradeep Agrawal, Ramesh Mani, Subhrat Chaudhary, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-4391
> https://issues.apache.org/jira/browse/RANGER-4391
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - when the plugin is configured with use.rangerGroups=true, groups found in 
> Ranger for the user will be used for authorization
> -- when configured with use.only.rangerGroups=true, request.userGroups will 
> be replaced with groups found in Ranger
> -- when configured with use.only.rangerGroups=false, request.userGroups will 
> be added with groups found in Ranger
> - when configured with convert.emailToUser=true, if user name is an email 
> address, it will be replaced with corresponding username
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java
>  ad1ce0986 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerAuthContext.java
>  78bd4232e 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
>  9249b3295 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
>  fa06ef634 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerUserStoreUtil.java
>  f66eb1fb0 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java 
> 01c4a8283 
> 
> 
> Diff: https://reviews.apache.org/r/74580/diff/2/
> 
> 
> Testing
> ---
> 
> - verified that the plugin uses Ranger groups for authorization when 
> configurations were set as above
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 74573: RANGER-4290: Adding uiHint attribute in policy condition

2023-08-29 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74573/#review225704
---


Ship it!




Ship It!

- Ramesh Mani


On Aug. 29, 2023, 10:57 a.m., sanket shelar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74573/
> ---
> 
> (Updated Aug. 29, 2023, 10:57 a.m.)
> 
> 
> Review request for ranger, Dineshkumar Yadav, Kishor Gollapalliwar, Abhay 
> Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Sailaja 
> Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4290
> https://issues.apache.org/jira/browse/RANGER-4290
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> RANGER-4157  introduced addition of Policy conditions to all service-defs. 
> However, this update does not include uiHint attribute in policy condition. 
> This needs to be fixed so that uiHint attribute will be available in all 
> service-defs.
> 
> 
> Diffs
> -
> 
>   
> security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java
>  91d5f26bc 
> 
> 
> Diff: https://reviews.apache.org/r/74573/diff/1/
> 
> 
> Testing
> ---
> 
> Tested for service-defs and UiHint attribute is present in policy condition.
> 
> 
> Thanks,
> 
> sanket shelar
> 
>



Re: Review Request 74567: RANGER-4380: updated purge API to support purging of x_policy_export_audit records

2023-08-26 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74567/#review225692
---


Ship it!




Ship It!

- Ramesh Mani


On Aug. 26, 2023, 9:16 p.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74567/
> ---
> 
> (Updated Aug. 26, 2023, 9:16 p.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Monika Kachhadiya, Pradeep 
> Agrawal, Ramesh Mani, Subhrat Chaudhary, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4380
> https://issues.apache.org/jira/browse/RANGER-4380
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - updated /server/purge/records REST API to support record type 
> policy_export_logs
> - updated Python client to support API purge_records(record_type, 
> retention_days)
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerPurgeResult.java
>  PRE-CREATION 
>   intg/src/main/python/apache_ranger/client/ranger_client.py 9731c266c 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
> 9b02229e1 
>   
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyExportAuditDao.java 
> deed28e47 
>   security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 
> 1bdac859c 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
> 852c163df 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml cf6ebad95 
> 
> 
> Diff: https://reviews.apache.org/r/74567/diff/1/
> 
> 
> Testing
> ---
> 
> - verified that purging works with following Python calls
> ```
> >>> from apache_ranger.client.ranger_client import RangerClient
> >>> 
> >>> ranger = RangerClient('http://localhost:6080', ('admin', 'rangerR0cks!'))
> >>> 
> >>> ranger.purge_records('login_records', 10)
> [{'recordType': 'login_records', 'totalRecordCount': 8, 'purgedRecordCount': 8}]
> >>> 
> >>> ranger.purge_records('trx_records', 10)
> [{'recordType': 'trx_records', 'totalRecordCount': 293, 'purgedRecordCount': 293}]
> >>> 
> >>> ranger.purge_records('policy_export_logs', 10)
> [{'recordType': 'policy_export_logs', 'totalRecordCount': 130594, 'purgedRecordCount': 100043}]
> >>> 
> ```
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 74560: RANGER-4379: Assorted debugging help : save policy-cache at Ranger-admin and policy-cache as well as downloaded policy-deltas on plugin side.

2023-08-25 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74560/#review225690
---


Ship it!




Ship It!

- Ramesh Mani


On Aug. 26, 2023, 1:32 a.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74560/
> ---
> 
> (Updated Aug. 26, 2023, 1:32 a.m.)
> 
> 
> Review request for ranger, madhan, Madhan Neethiraj, Mehul Parikh, Pradeep 
> Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4379
> https://issues.apache.org/jira/browse/RANGER-4379
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Assorted debugging help : 
> 1. Save policy-cache at Ranger-admin and policy-cache as well as downloaded 
> policy-deltas on plugin side.
> 
> Relevant configuration variables:
> 
> Plugin:
> ranger.plugin..preserve.deltas [default:false]
> ranger.plugin..max.versions.to.preserve [default: 50]
> 
> Ranger Admin:
> ranger.admin.policy.save.to.disk [default:false]
> ranger.admin.policy.max.versions.to.save.to.disk [default:1]
> 
> 2. Better formatting of Trie dump
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
>  647059203 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
>  9249b3295 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
>  c130309ea 
>   
> security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java
>  9fda659ac 
> 
> 
> Diff: https://reviews.apache.org/r/74560/diff/3/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



Re: Review Request 74560: RANGER-4379: Assorted debugging help : save policy-cache at Ranger-admin and policy-cache as well as downloaded policy-deltas on plugin side.

2023-08-25 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74560/#review225688
---




agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
Lines 461 (patched)
<https://reviews.apache.org/r/74560/#comment314143>

Nitpick: for better readability, it's better to move the policy-cache file 
saving operation to a method.


- Ramesh Mani


On Aug. 25, 2023, 6:10 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74560/
> ---
> 
> (Updated Aug. 25, 2023, 6:10 p.m.)
> 
> 
> Review request for ranger, madhan, Madhan Neethiraj, Mehul Parikh, Pradeep 
> Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4379
> https://issues.apache.org/jira/browse/RANGER-4379
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Assorted debugging help : 
> 1. Save policy-cache at Ranger-admin and policy-cache as well as downloaded 
> policy-deltas on plugin side.
> 
> Relevant configuration variables:
> 
> Plugin:
> ranger.plugin..preserve.deltas [default:false]
> ranger.plugin..max.versions.to.preserve [default: 50]
> 
> Ranger Admin:
> ranger.admin.policy.save.to.disk [default:false]
> ranger.admin.policy.max.versions.to.save.to.disk [default:1]
> 
> 2. Better formatting of Trie dump
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
>  647059203 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
>  9249b3295 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
>  c130309ea 
>   
> security-admin/src/main/java/org/apache/ranger/common/RangerServicePoliciesCache.java
>  9fda659ac 
> 
> 
> Diff: https://reviews.apache.org/r/74560/diff/2/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



[jira] [Commented] (RANGER-4178) NoClassDefFoundError: org/apache/hadoop/hive/ql/exec/vector/ColumnVector

2023-08-24 Thread Ramesh Mani (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-4178?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17758772#comment-17758772
 ] 

Ramesh Mani commented on RANGER-4178:
-

[~bpatel]  This patch has been merged. Please close the Jira and review 
request. Thanks.

> NoClassDefFoundError: org/apache/hadoop/hive/ql/exec/vector/ColumnVector
> 
>
> Key: RANGER-4178
> URL: https://issues.apache.org/jira/browse/RANGER-4178
> Project: Ranger
> Issue Type: Bug
> Components: audit
> Affects Versions: 3.0.0, 2.2.0, 2.3.0
> Reporter: Bhavik Patel
> Assignee: Bhavik Patel
> Priority: Critical
> Attachments: 
> 0001-RANGER-4178-NoClassDefFoundError-org-apache-hadoop-h.patch, 
> 0001-RANGER-4178-Only-xasecure.audit.destination.hdfs.bat.patch
>
>
> Observed below error when enabled audit type as ORC format.
> NoClassDefFoundError: org/apache/hadoop/hive/ql/exec/vector/ColumnVector
> https://issues.apache.org/jira/browse/RANGER-1837
> https://issues.apache.org/jira/browse/RANGER-3235
> cc: [~rmani] 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


Re: Review Request 74387: RANGER-4178 : NoClassDefFoundError: org/apache/hadoop/hive/ql/exec/vector/ColumnVector

2023-08-18 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74387/#review225662
---


Ship it!




Ship It!

- Ramesh Mani


On April 18, 2023, 1:43 p.m., bhavik patel wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74387/
> ---
> 
> (Updated April 18, 2023, 1:43 p.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Kirby Zhou, Abhay Kulkarni, Madhan 
> Neethiraj, Pradeep Agrawal, Ramesh Mani, ru jia, Vishal Suvagia, and 
> zhouyifan279.
> 
> 
> Bugs: RANGER-4178
> https://issues.apache.org/jira/browse/RANGER-4178
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Observed below error when enabled audit type as ORC format.
> 
> NoClassDefFoundError: org/apache/hadoop/hive/ql/exec/vector/ColumnVector
> 
> 
> Diffs
> -
> 
>   agents-audit/pom.xml aba33e227 
>   
> agents-audit/src/main/java/org/apache/ranger/audit/utils/RangerORCAuditWriter.java
>  26d2b433c 
>   distro/src/main/assembly/hbase-agent.xml ff53ca2c2 
>   distro/src/main/assembly/hdfs-agent.xml 15254c9da 
>   distro/src/main/assembly/kms.xml 4b4a2ac8e 
>   distro/src/main/assembly/knox-agent.xml fa92ea0dc 
>   distro/src/main/assembly/plugin-atlas.xml d35061274 
>   distro/src/main/assembly/plugin-elasticsearch.xml 0b8aaee27 
>   distro/src/main/assembly/plugin-kafka.xml ed8ef6159 
>   distro/src/main/assembly/plugin-kms.xml 7cf8dd702 
>   distro/src/main/assembly/plugin-kylin.xml 74b9f4362 
>   distro/src/main/assembly/plugin-ozone.xml 1b5d1cdc7 
>   distro/src/main/assembly/plugin-presto.xml 82d1610aa 
>   distro/src/main/assembly/plugin-solr.xml 382b57092 
>   distro/src/main/assembly/plugin-sqoop.xml 13f74dc79 
>   distro/src/main/assembly/plugin-trino.xml 60b083ed6 
>   distro/src/main/assembly/plugin-yarn.xml c0a8ca3af 
>   distro/src/main/assembly/storm-agent.xml 908415ffa 
>   pom.xml de0617e2a 
> 
> 
> Diff: https://reviews.apache.org/r/74387/diff/2/
> 
> 
> Testing
> ---
> 
> Verified on Dev environment for HDFS, YARN, HIVE and HBASE plugins.
> 
> 
> Thanks,
> 
> bhavik patel
> 
>



[jira] [Commented] (RANGER-4178) NoClassDefFoundError: org/apache/hadoop/hive/ql/exec/vector/ColumnVector

2023-08-17 Thread Ramesh Mani (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-4178?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17755602#comment-17755602
 ] 

Ramesh Mani commented on RANGER-4178:
-

[~fateh288] Could we have a separate Jira for addressing the issue of 2 
configurations? In that way we can merge the patch for this Jira followed by 
yours.

> NoClassDefFoundError: org/apache/hadoop/hive/ql/exec/vector/ColumnVector
> 
>
> Key: RANGER-4178
> URL: https://issues.apache.org/jira/browse/RANGER-4178
> Project: Ranger
> Issue Type: Bug
> Components: audit
> Affects Versions: 3.0.0, 2.2.0, 2.3.0
> Reporter: Bhavik Patel
> Assignee: Bhavik Patel
> Priority: Critical
> Attachments: 
> 0001-RANGER-4178-NoClassDefFoundError-org-apache-hadoop-h.patch, 
> 0001-RANGER-4178-Only-xasecure.audit.destination.hdfs.bat.patch
>
>
> Observed below error when enabled audit type as ORC format.
> NoClassDefFoundError: org/apache/hadoop/hive/ql/exec/vector/ColumnVector
> https://issues.apache.org/jira/browse/RANGER-1837
> https://issues.apache.org/jira/browse/RANGER-3235
> cc: [~rmani] 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


Re: Review Request 74543: RANGER-4350: removed @Xml annotations

2023-08-11 Thread Ramesh Mani


> On Aug. 11, 2023, 7:20 a.m., Ramesh Mani wrote:
> > Ship It!

Verified, all tests passed and build went fine.


- Ramesh


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74543/#review225649
---


On Aug. 10, 2023, 4:46 p.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74543/
> ---
> 
> (Updated Aug. 10, 2023, 4:46 p.m.)
> 
> 
> Review request for ranger, Abhishek  Kumar, Ankita Sinha, Abhay Kulkarni, 
> Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Siddhesh Phatak, Sailaja 
> Polavarapu, Subhrat Chaudhary, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4350
> https://issues.apache.org/jira/browse/RANGER-4350
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> removed @Xml annotations from classes serialized in REST APIs, as XML format 
> is not supported since RANGER-2928
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java
>  bb329fac4 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/AuditFilter.java 
> 57116d46b 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/GroupInfo.java 
> 279972227 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerBaseModelObject.java
>  9196d86bb 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerMetrics.java 
> ab52a1f0e 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPluginInfo.java
>  8a5734ba3 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 
> e52b0d614 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyDelta.java
>  e4d9b3a40 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java 
> c7b3699df 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZone.java
>  bd10ff1df 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZoneHeaderInfo.java
>  30214d325 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java 
> 326c91cfb 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
>  e70a16592 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java
>  9891c06c2 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceResource.java
>  b7cf7cebb 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceTags.java
>  c27869227 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTag.java 
> fae8c86c2 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTagDef.java 
> 8ace55673 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTagResourceMap.java
>  e72df418c 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerValidityRecurrence.java
>  41f19554e 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerValiditySchedule.java
>  d09200684 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/ServiceDeleteResponse.java
>  9069402f1 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/UserInfo.java 
> 382e006b9 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
>  51afef47c 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/ResourceLookupContext.java
>  0191be0db 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/store/StoredServiceResource.java
>  0d1378d36 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
>  67498182c 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRoleRequest.java
>  f10041c21 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRequestedResources.java
>  3d62c7230 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRoles.java 
> 507b908bb 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerUserStore.java
>  543622796 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
>  e022a1b17 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceTags.java 
> 96fd02873 
>   kms/src/main/java/org/apache/ranger/entity/XXDBBase

Re: Review Request 74543: RANGER-4350: removed @Xml annotations

2023-08-11 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74543/#review225649
---


Ship it!




Ship It!

- Ramesh Mani


On Aug. 10, 2023, 4:46 p.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74543/
> ---
> 
> (Updated Aug. 10, 2023, 4:46 p.m.)
> 
> 
> Review request for ranger, Abhishek  Kumar, Ankita Sinha, Abhay Kulkarni, 
> Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Siddhesh Phatak, Sailaja 
> Polavarapu, Subhrat Chaudhary, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4350
> https://issues.apache.org/jira/browse/RANGER-4350
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> removed @Xml annotations from classes serialized in REST APIs, as XML format 
> is not supported since RANGER-2928
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagForEval.java
>  bb329fac4 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/AuditFilter.java 
> 57116d46b 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/GroupInfo.java 
> 279972227 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerBaseModelObject.java
>  9196d86bb 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerMetrics.java 
> ab52a1f0e 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPluginInfo.java
>  8a5734ba3 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicy.java 
> e52b0d614 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyDelta.java
>  e4d9b3a40 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerRole.java 
> c7b3699df 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZone.java
>  bd10ff1df 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZoneHeaderInfo.java
>  30214d325 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerService.java 
> 326c91cfb 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
>  e70a16592 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java
>  9891c06c2 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceResource.java
>  b7cf7cebb 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceTags.java
>  c27869227 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTag.java 
> fae8c86c2 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTagDef.java 
> 8ace55673 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTagResourceMap.java
>  e72df418c 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerValidityRecurrence.java
>  41f19554e 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerValiditySchedule.java
>  d09200684 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/ServiceDeleteResponse.java
>  9069402f1 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/UserInfo.java 
> 382e006b9 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceACLs.java
>  51afef47c 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/ResourceLookupContext.java
>  0191be0db 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/store/StoredServiceResource.java
>  0d1378d36 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java
>  67498182c 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRoleRequest.java
>  f10041c21 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRequestedResources.java
>  3d62c7230 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRoles.java 
> 507b908bb 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerUserStore.java
>  543622796 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
>  e022a1b17 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceTags.java 
> 96fd02873 
>   kms/src/main/java/org/apache/ranger/entity/XXDBBase.java 4c78a95b9 
>   kms/src/main/java/org/apache/ranger/entity/XXRangerKeyStore.java 8defd

Re: Review Request 74538: RANGER-4345 plugin side metrics on polling from the policy server

2023-08-09 Thread Ramesh Mani


> On Aug. 8, 2023, 10:45 p.m., Ramesh Mani wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
> > Lines 121 (patched)
> > <https://reviews.apache.org/r/74538/diff/2/?file=2278101#file2278101line121>
> >
> > Thanks for the contribution.
> > Could you please have the MetricRegistry() as a generic 
> > RangerMetricRegistry() in the org.apache.ranger.plugin.util package of the 
> > agents-common module and have the other services, like PolicyRefresh which 
> > you have implemented, utilize it?
> 
> Sai Sandeep Rangisetti wrote:
> Should I make it a static/singleton class, or should all the 
> classes like PolicyRefresher or RangerRESTClient make their own instance of 
> RangerMetricRegistry? Is there a better way I can depend on 
> RangerMetricRegistry?

Please make it a regular class so other services can instantiate it. Since 
plugins are the ones which are going to use it, let's have it in agents-common only.


- Ramesh


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74538/#review225639
---


On Aug. 8, 2023, 3:32 p.m., Sai Sandeep Rangisetti wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74538/
> ---
> 
> (Updated Aug. 8, 2023, 3:32 p.m.)
> 
> 
> Review request for ranger, Kishor Gollapalliwar, Abhay Kulkarni, Madhan 
> Neethiraj, Mehul Parikh, Pradeep Agrawal, and Ramachandran Krishnan.
> 
> 
> Bugs: RANGER-4345
> https://issues.apache.org/jira/browse/RANGER-4345
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Add metrics in the plugins for increased visibility on what is happening in 
> the systems
> 
> 
> Diffs
> -
> 
>   agents-common/pom.xml b753c1368 
>   
> agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfigConstants.java
>  374c78c5e 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
>  c130309ea 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
>  e54313403 
> 
> 
> Diff: https://reviews.apache.org/r/74538/diff/2/
> 
> 
> Testing
> ---
> 
> Compiled and installed the hbase plugin and verified that metrics are being 
> published to jmx. Simulated failures by blocking port and verified timeout 
> and retry metrics are also being published
> 
> 
> Thanks,
> 
> Sai Sandeep Rangisetti
> 
>



[jira] [Commented] (RANGER-4349) AtlasTagSource is hardcoded to commit offset to ATLAS_ENTITIES

2023-08-09 Thread Ramesh Mani (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-4349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17752548#comment-17752548
 ] 

Ramesh Mani commented on RANGER-4349:
-

[~szyorz]  Thank you for the contribution. Committed to apache ranger master 
https://github.com/apache/ranger/commit/a5461808742ef0f40410f326fdf236619e81ca4f

> AtlasTagSource is hardcoded to commit offset to ATLAS_ENTITIES
> --
>
> Key: RANGER-4349
> URL: https://issues.apache.org/jira/browse/RANGER-4349
> Project: Ranger
> Issue Type: Bug
> Components: tagsync
> Affects Versions: 3.0.0, 2.4.0
> Reporter: Szymon Orzechowski
> Assignee: Szymon Orzechowski
> Priority: Major
> Fix For: 3.0.0
>
> Attachments: RANGER-4349.patch
>
>
> AtlasTagSource.commitToKafka() is hard coded to commit offset to topic 
> ATLAS_ENTITIES.  The topic to which entity events are sent from Atlas and 
> received by Ranger Tagsync is determined by 
> atlas.notification.entities.topic.name property in 
> atlas-application.properties file. By default, it is ATLAS_ENTITIES but some 
> might configure it to a different name in which case Tagsync would be 
> committing offset to the wrong topic.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (RANGER-4349) AtlasTagSource is hardcoded to commit offset to ATLAS_ENTITIES

2023-08-09 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-4349:

Fix Version/s: 3.0.0

> AtlasTagSource is hardcoded to commit offset to ATLAS_ENTITIES
> --
>
> Key: RANGER-4349
> URL: https://issues.apache.org/jira/browse/RANGER-4349
> Project: Ranger
> Issue Type: Bug
> Components: tagsync
> Affects Versions: 3.0.0, 2.4.0
> Reporter: Szymon Orzechowski
> Assignee: Szymon Orzechowski
> Priority: Major
> Fix For: 3.0.0
>
> Attachments: RANGER-4349.patch
>
>
> AtlasTagSource.commitToKafka() is hard coded to commit offset to topic 
> ATLAS_ENTITIES.  The topic to which entity events are sent from Atlas and 
> received by Ranger Tagsync is determined by 
> atlas.notification.entities.topic.name property in 
> atlas-application.properties file. By default, it is ATLAS_ENTITIES but some 
> might configure it to a different name in which case Tagsync would be 
> committing offset to the wrong topic.
>  





Re: Review Request 74541: RANGER-4349: AtlasTagSource.commitToKafka() should commit the offset to the topic from which the message came from.

2023-08-09 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74541/#review225645
---


Ship it!




Ship It!

- Ramesh Mani


On Aug. 9, 2023, 8:03 p.m., Szymon Orzechowski wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74541/
> ---
> 
> (Updated Aug. 9, 2023, 8:03 p.m.)
> 
> 
> Review request for ranger, Abhishek  Kumar and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-4349
> https://issues.apache.org/jira/browse/RANGER-4349
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> AtlasTagSource.commitToKafka() is hard coded to commit offset to topic 
> ATLAS_ENTITIES.  The topic to which entity events are sent from Atlas and 
> received by Ranger Tagsync is determined by 
> atlas.notification.entities.topic.name property in 
> atlas-application.properties file. By default, it is ATLAS_ENTITIES but some 
> might configure it to a different name in which case Tagsync would be 
> committing offset to the wrong topic.
> 
> 
> Diffs
> -
> 
>   
> tagsync/src/main/java/org/apache/ranger/tagsync/source/atlas/AtlasTagSource.java
>  071f52c4a 
> 
> 
> Diff: https://reviews.apache.org/r/74541/diff/1/
> 
> 
> Testing
> ---
> 
> Checked on my cluster and verified that `mvn clean test` passes
> 
> 
> Thanks,
> 
> Szymon Orzechowski
> 
>



Re: Review Request 74538: RANGER-4345 plugin side metrics on polling from the policy server

2023-08-08 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74538/#review225639
---




agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
Lines 121 (patched)
<https://reviews.apache.org/r/74538/#comment314106>

Thanks for the contribution.
Could you please have the MetricRegistry() as a generic 
RangerMetricRegistry() in the org.apache.ranger.plugin.util package of the 
agents-common module, so that the other services, like PolicyRefresh which you 
have implemented it on, can utilize it?



agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
Lines 311 (patched)
<https://reviews.apache.org/r/74538/#comment314107>

serviceDefSetInPlugin is already set in line 307


- Ramesh Mani


On Aug. 8, 2023, 3:32 p.m., Sai Sandeep Rangisetti wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74538/
> ---
> 
> (Updated Aug. 8, 2023, 3:32 p.m.)
> 
> 
> Review request for ranger, Kishor Gollapalliwar, Abhay Kulkarni, Madhan 
> Neethiraj, Mehul Parikh, Pradeep Agrawal, and Ramachandran Krishnan.
> 
> 
> Bugs: RANGER-4345
> https://issues.apache.org/jira/browse/RANGER-4345
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Add metrics in the plugins for increased visibility on what is happening in 
> the systems
> 
> 
> Diffs
> -
> 
>   agents-common/pom.xml b753c1368 
>   
> agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfigConstants.java
>  374c78c5e 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
>  c130309ea 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
>  e54313403 
> 
> 
> Diff: https://reviews.apache.org/r/74538/diff/2/
> 
> 
> Testing
> ---
> 
> Compiled and installed the hbase plugin and verified that metrics are being 
> published to jmx. Simulated failures by blocking port and verified timeout 
> and retry metrics are also being published
> 
> 
> Thanks,
> 
> Sai Sandeep Rangisetti
> 
>



Re: Review Request 74536: RANGER-4341: Logout api call through idle timeout gets aborted

2023-08-08 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74536/#review225631
---


Ship it!




Ship It!

- Ramesh Mani


On Aug. 7, 2023, 2:46 p.m., Mugdha Varadkar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74536/
> ---
> 
> (Updated Aug. 7, 2023, 2:46 p.m.)
> 
> 
> Review request for ranger, Brijesh Bhalala, Dhaval Rajpara, Madhan Neethiraj, 
> Mehul Parikh, and Nikunj Pansuriya.
> 
> 
> Bugs: RANGER-4341
> https://issues.apache.org/jira/browse/RANGER-4341
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Fixing the logout api call which gets aborted during idle timeout on Firefox 
> browser.
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/webapp/react-webapp/src/utils/XAUtils.js 
> 74b213a9d9169a13919a8de392054fd2201d4a6b 
>   
> security-admin/src/main/webapp/react-webapp/src/views/SideBar/SideBarBody.jsx 
> 3aa56de263ceec8aa1738783c47abbef21845600 
> 
> 
> Diff: https://reviews.apache.org/r/74536/diff/1/
> 
> 
> Testing
> ---
> 
> Tested changes on a cluster setup with Ranger Admin built with React JS code 
> base by setting the below property to verify logout through idle timeout.
> 
> <property>
>   <name>ranger.service.inactivity.timeout</name>
>   <value>40</value>
> </property>
> 
> 
> Successful completion of build command :
> mvn clean compile package -Psecurity-admin-react
> 
> 
> Thanks,
> 
> Mugdha Varadkar
> 
>



Re: Review Request 74530: RANGER-4336: added configurations to enable status logging in audit framework

2023-08-03 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74530/#review225626
---


Ship it!




Ship It!

- Ramesh Mani


On July 28, 2023, 12:07 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74530/
> ---
> 
> (Updated July 28, 2023, 12:07 a.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Abhay Kulkarni, Monika 
> Kachhadiya, Pradeep Agrawal, Ramesh Mani, Siddhesh Phatak, and Subhrat 
> Chaudhary.
> 
> 
> Bugs: RANGER-4336
> https://issues.apache.org/jira/browse/RANGER-4336
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - added configurations to enable status logging in audit framework
> - audit status are logged at INFO level
> - updated unit test to avoid retaining of unnecessary objects in memory
> 
> 
> Diffs
> -
> 
>   
> agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java
>  8511ce9cb 
>   
> agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditAsyncQueue.java 
> 68527d37d 
>   security-admin/src/test/java/org/apache/ranger/audit/TestConsumer.java 
> 579485663 
> 
> 
> Diff: https://reviews.apache.org/r/74530/diff/1/
> 
> 
> Testing
> ---
> 
> - verified that audit status is logged when 
> xasecure.audit.log.status.log.enabled is set to true
> - verified that all unit tests pass successfully
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 74529: RANGER-4332: updated AuditBatchQueue.log() to block instead of throwing 'Queue full' exception

2023-07-26 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74529/#review225614
---


Ship it!




Ship It!

- Ramesh Mani


On July 26, 2023, 10:37 p.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74529/
> ---
> 
> (Updated July 26, 2023, 10:37 p.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Abhay Kulkarni, Monika 
> Kachhadiya, Ramesh Mani, Siddhesh Phatak, and Subhrat Chaudhary.
> 
> 
> Bugs: RANGER-4332
> https://issues.apache.org/jira/browse/RANGER-4332
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> updated AuditBatchQueue.log() to block instead of throwing 'Queue full' 
> exception
> 
> 
> Diffs
> -
> 
>   
> agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditBatchQueue.java 
> d9cd52b59 
>   security-admin/src/test/java/org/apache/ranger/audit/TestAuditQueue.java 
> d30854bef 
> 
> 
> Diff: https://reviews.apache.org/r/74529/diff/1/
> 
> 
> Testing
> ---
> 
> - updated unit test to cover this scenario
> - verified that all tests pass successfully
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>
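
The two behaviours named in the review request above, shown on a plain `java.util.concurrent` bounded queue. This is an added example, not Ranger's `AuditBatchQueue` code; the class name, capacity and event strings are constructed for illustration. `add()` on a full queue fails with `IllegalStateException("Queue full")`, while `put()` makes the producer wait for the consumer.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.TimeUnit;

// Illustrative model only: class, method and event names are hypothetical, not Ranger code.
public class AuditQueueBackpressureDemo {
    static final int CAPACITY = 2;   // constructed, deliberately tiny
    static final int EVENTS   = 6;   // constructed burst of audit events

    // Non-blocking enqueue: add() on a full bounded queue throws
    // IllegalStateException("Queue full"); that event never reaches the consumer.
    static List<String> enqueueWithAdd(BlockingQueue<String> queue) {
        List<String> lost = new ArrayList<>();
        for (int i = 0; i < EVENTS; i++) {
            String event = "audit-event-" + i;
            try {
                queue.add(event);
            } catch (IllegalStateException e) {
                lost.add(event + " -> " + e.getMessage());
            }
        }
        return lost;
    }

    // Blocking enqueue: put() waits for free space. No event is lost, but the
    // calling thread is held back to the consumer's pace (the trade-off of blocking).
    static long enqueueWithPut(BlockingQueue<String> queue) throws InterruptedException {
        long start = System.nanoTime();
        for (int i = 0; i < EVENTS; i++) {
            queue.put("audit-event-" + i);
        }
        return TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - start);
    }

    // Slow consumer standing in for an audit destination; stops after 'expected' events.
    static Thread startConsumer(BlockingQueue<String> queue, List<String> delivered, int expected) {
        Thread t = new Thread(() -> {
            try {
                while (delivered.size() < expected) {
                    String event = queue.take();
                    Thread.sleep(50);          // simulated write latency
                    delivered.add(event);
                }
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        });
        t.start();
        return t;
    }

    public static void main(String[] args) throws InterruptedException {
        // Case 1: nothing drains the queue (stalled destination), producer uses add().
        BlockingQueue<String> q1 = new ArrayBlockingQueue<>(CAPACITY);
        List<String> lost = enqueueWithAdd(q1);
        System.out.println("add(): queued=" + q1.size() + " lost=" + lost.size());
        lost.forEach(l -> System.out.println("  " + l));

        // Case 2: slow consumer, producer uses put().
        BlockingQueue<String> q2 = new ArrayBlockingQueue<>(CAPACITY);
        List<String> delivered = new ArrayList<>();
        Thread consumer = startConsumer(q2, delivered, EVENTS);
        long waitedMs = enqueueWithPut(q2);
        consumer.join();
        System.out.println("put(): delivered=" + delivered.size()
                + " lost=0 producerWaitedMs~" + waitedMs);
    }
}
```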



Re: Review Request 74515: RANGER-4316: path recursive matcher fix to correctly handle path ending with separator

2023-07-13 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74515/#review225606
---


Ship it!




Ship It!

- Ramesh Mani


On July 13, 2023, 8:53 p.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74515/
> ---
> 
> (Updated July 13, 2023, 8:53 p.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Monika Kachhadiya, Ramesh Mani, 
> and Subhrat Chaudhary.
> 
> 
> Bugs: RANGER-4316
> https://issues.apache.org/jira/browse/RANGER-4316
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> updated path matcher to correctly handle path ending with separator
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
>  1af967fbd 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcherTest.java
>  5e8efb720 
>   
> agents-common/src/test/resources/resourcematcher/test_resourcematcher_path.json
>  97765f94d 
> 
> 
> Diff: https://reviews.apache.org/r/74515/diff/1/
> 
> 
> Testing
> ---
> 
> - added test cases to validate handling of paths ending with separator
> - updated 2 existing test cases
> - verified that all other test cases pass successfully
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 74471: RANGER-4274: updated security-zones to support admin-roles and audit-roles

2023-06-09 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74471/#review225533
---


Ship it!




Ship It!

- Ramesh Mani


On June 9, 2023, 6:15 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74471/
> ---
> 
> (Updated June 9, 2023, 6:15 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Rajpara, Abhay Kulkarni, 
> Mehul Parikh, Mugdha Varadkar, Nitin Galave, Pradeep Agrawal, Ramesh Mani, 
> Sailaja Polavarapu, Subhrat Chaudhary, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4274
> https://issues.apache.org/jira/browse/RANGER-4274
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - added attributes: RangerSecurityZone.adminRoles, 
> RangerSecurityZone.auditRoles
> -
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
>  f44b9d9a1 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZone.java
>  7327f3fe2 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java
>  ca899979a 
>   intg/src/main/python/apache_ranger/model/ranger_security_zone.py 9b3eec623 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 
> 66ae5060a 
>   security-admin/db/mysql/patches/075-create-sz-role-ref-table.sql 
> PRE-CREATION 
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 
> bfa6dd572 
>   security-admin/db/oracle/patches/075-create-sz-ref-role-table.sql 
> PRE-CREATION 
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 
> 8dd90c1b8 
>   security-admin/db/postgres/patches/075-create-sz-ref-role-table.sql 
> PRE-CREATION 
>   
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
>  3a614e44e 
>   security-admin/db/sqlanywhere/patches/075-create-sz-ref-role-table.sql 
> PRE-CREATION 
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 
> bbef08859 
>   security-admin/db/sqlserver/patches/075-create-sz-ref-role-table.sql 
> PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java 
> c19e3e1a1 
>   
> security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneRefUpdater.java
>  ebc26528c 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java 
> 77f86a0ad 
>   security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 
> 10d73a76c 
>   
> security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefRoleDao.java
>  PRE-CREATION 
>   
> security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefRole.java
>  PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java 
> 53aafae94 
>   
> security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneServiceService.java
>  dfa9fbb69 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml d3cdecdca 
> 
> 
> Diff: https://reviews.apache.org/r/74471/diff/2/
> 
> 
> Testing
> ---
> 
> - verified that adminRoles and auditRoles specified in security zone are 
> persisted in Ranger
> - verified that users in adminRoles are allowed to update admin and audit 
> users/groups/roles
> - verified that roles referenced in security-zone could not be removed
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 74471: RANGER-4274: updated security-zones to support admin-roles and audit-roles

2023-06-08 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74471/#review225531
---




security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
Line 1816 (original), 1833 (patched)
<https://reviews.apache.org/r/74471/#comment314083>

Should we add the new db patch "066" entry to x_db_version_h table?


- Ramesh Mani


On June 8, 2023, 1:44 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74471/
> ---
> 
> (Updated June 8, 2023, 1:44 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Rajpara, Abhay Kulkarni, 
> Mehul Parikh, Mugdha Varadkar, Nitin Galave, Pradeep Agrawal, Ramesh Mani, 
> Sailaja Polavarapu, Subhrat Chaudhary, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4274
> https://issues.apache.org/jira/browse/RANGER-4274
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - added attributes: RangerSecurityZone.adminRoles, 
> RangerSecurityZone.auditRoles
> -
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/errors/ValidationErrorCode.java
>  f44b9d9a1 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZone.java
>  7327f3fe2 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java
>  ca899979a 
>   intg/src/main/python/apache_ranger/model/ranger_security_zone.py 9b3eec623 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 
> 66ae5060a 
>   security-admin/db/mysql/patches/066-create-sz-role-ref-table.sql 
> PRE-CREATION 
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 
> bfa6dd572 
>   security-admin/db/oracle/patches/066-create-sz-ref-role-table.sql 
> PRE-CREATION 
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 
> 8dd90c1b8 
>   security-admin/db/postgres/patches/066-create-sz-ref-role-table.sql 
> PRE-CREATION 
>   
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
>  3a614e44e 
>   security-admin/db/sqlanywhere/patches/066-create-sz-ref-role-table.sql 
> PRE-CREATION 
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 
> bbef08859 
>   security-admin/db/sqlserver/patches/066-create-sz-ref-role-table.sql 
> PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java 
> c19e3e1a1 
>   
> security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneRefUpdater.java
>  ebc26528c 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java 
> 77f86a0ad 
>   security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 
> 10d73a76c 
>   
> security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefRoleDao.java
>  PRE-CREATION 
>   
> security-admin/src/main/java/org/apache/ranger/entity/XXSecurityZoneRefRole.java
>  PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java 
> 53aafae94 
>   
> security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneServiceService.java
>  dfa9fbb69 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml d3cdecdca 
> 
> 
> Diff: https://reviews.apache.org/r/74471/diff/1/
> 
> 
> Testing
> ---
> 
> - verified that adminRoles and auditRoles specified in security zone are 
> persisted in Ranger
> - verified that users in adminRoles are allowed to update admin and audit 
> users/groups/roles
> - verified that roles referenced in security-zone could not be removed
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Review Request 74470: RANGER-3939: Implement acls, createAcls and deleteAcls in Kafka Authorizer

2023-06-06 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74470/
---

Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.


Bugs: RANGER-3939
https://issues.apache.org/jira/browse/RANGER-3939


Repository: ranger


Description
---

RANGER-3939: Implement acls, createAcls and deleteAcls in Kafka Authorizer


Diffs
-

  
plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuditHandler.java
 57a888e9a 
  
plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
 96a36abe9 
  
plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/utils/RangerKafkaCheckAccess.java
 PRE-CREATION 
  
plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/utils/RangerKafkaGrantAccess.java
 PRE-CREATION 
  
plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/utils/RangerKafkaListAccess.java
 PRE-CREATION 
  
plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/utils/RangerKafkaRevokeAccess.java
 PRE-CREATION 
  
plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/utils/RangerKafkaUtils.java
 PRE-CREATION 


Diff: https://reviews.apache.org/r/74470/diff/1/


Testing
---

TESTING


CREATE /kafkatest/kafka-client.conf

security.protocol=SASL_SSL
ssl.truststore.location=truststore.jks
sasl.kerberos.service.name=kafka
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required 
useKeyTab=true storeKey=true useTicketCache=false keyTab="kafka.keytab" 
principal="";


List acl:

kafka-acls --bootstrap-server ssl-cluster:9093 --command-config  
/kafkatest/kafka-client.conf --list --topic connect-configs

kafka-acls --bootstrap-server ssl-cluster:9093 --command-config  
/kafkatest/kafka-client.conf --list --cluster test_cluster1

kafka-acls --bootstrap-server ssl-cluster:9093 --command-config  
/kafkatest/kafka-client.conf --list --cluster


Create acl:


kafka-acls --bootstrap-server ssl-cluster:9093 --command-config  
/kafkatest/kafka-client.conf --add --allow-principal User:testuser1 --operation 
read --topic finance-topic


kafka-acls --bootstrap-server ssl-cluster:9093 --command-config  
/kafkatest/kafka-client.conf --add --allow-principal Group:mysql --operation 
read --topic finance-topic

kafka-acls --bootstrap-server ssl-cluster:9093 --command-config  
/kafkatest/kafka-client.conf --add --allow-principal Group:mysql 
--allow-principal User:testuser1 --operation read --topic finance-topic

kafka-acls --bootstrap-server ssl-cluster:9093 --command-config  
/kafkatest/kafka-client.conf --add --allow-principal User:testuser1  -operation 
read --topic finance-topic --resource-pattern-type  prefixed

Revoke acl:

 kafka-acls --bootstrap-server ssl-cluster:9093 --command-config  
/kafkatest/kafka-client.conf --remove --allow-principal Group:mysql -operation 
read --topic finance-topic

  kafka-acls --bootstrap-server ssl-cluster:9093 --command-config  
/kafkatest/kafka-client.conf --remove --allow-principal User:testuser1  
-operation read --topic finance-topic


Not supported in this first cut:
--allow-host and --deny-host
Host name in the api call
This is not supported as this requires grant/revoke ranger api to support the 
creation of policy condition for the policy that is getting created
--deny-principal
Grant except and Revoke except
This needs Grant and Revoke Api to support “exception” policy creation.


Thanks,

Ramesh Mani



[jira] [Updated] (RANGER-3939) Implement acls, createAcls and deleteAcls in Kafka Authorizer

2023-06-06 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3939?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-3939:

Fix Version/s: 3.0.0

> Implement acls, createAcls and deleteAcls in Kafka Authorizer
> -
>
> Key: RANGER-3939
> URL: https://issues.apache.org/jira/browse/RANGER-3939
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Reporter: Daniel Urban
> Assignee: Ramesh Mani
> Priority: Major
> Fix For: 3.0.0
>
>
> Currently, the Kafka Authorizer only implements the .authorize method. This 
> is (mostly) enough to support authorization checks in the Kafka API endpoints.
> But the Kafka protocol also has support for describing and managing ACLs. 
> These endpoints do not work with the Ranger plugin, as it requires the acls, 
> createAcls and deleteAcls endpoints to be correctly implemented. This can 
> cause issues with tools and clients relying on the Kafka ACL API.





[jira] [Updated] (RANGER-3939) Implement acls, createAcls and deleteAcls in Kafka Authorizer

2023-06-06 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3939?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-3939:

Affects Version/s: 3.0.0

> Implement acls, createAcls and deleteAcls in Kafka Authorizer
> -
>
> Key: RANGER-3939
> URL: https://issues.apache.org/jira/browse/RANGER-3939
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Affects Versions: 3.0.0
> Reporter: Daniel Urban
> Assignee: Ramesh Mani
> Priority: Major
> Fix For: 3.0.0
>
>
> Currently, the Kafka Authorizer only implements the .authorize method. This 
> is (mostly) enough to support authorization checks in the Kafka API endpoints.
> But the Kafka protocol also has support for describing and managing ACLs. 
> These endpoints do not work with the Ranger plugin, as it requires the acls, 
> createAcls and deleteAcls endpoints to be correctly implemented. This can 
> cause issues with tools and clients relying on the Kafka ACL API.





[jira] [Updated] (RANGER-3809) Implement authorizeByResourceType method of Kafka Authorizer

2023-06-06 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3809?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-3809:

Fix Version/s: 3.0.0

> Implement authorizeByResourceType method of Kafka Authorizer
> 
>
> Key: RANGER-3809
> URL: https://issues.apache.org/jira/browse/RANGER-3809
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Affects Versions: 3.0.0
> Reporter: Andras Katona
> Assignee: Ramesh Mani
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> In Kafka 2.8 this new authorization method was introduced mainly to ease 
> authorization (setup) of idempotent producers.
> The default implementation of {{authorizeByResourceType}} uses 
> [acls()|https://github.com/apache/kafka/blob/a3c7017ff7e543b50f84110195690a253f19d9cf/clients/src/main/java/org/apache/kafka/server/authorizer/Authorizer.java#L154]
>   which is [not 
> implemented|https://github.com/apache/ranger/blob/fc7ad98fbb2ee7bb7d4cd3329abc438a73e0444a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java#L332-L335]
>  in Kafka Ranger Plugin, but it is not really efficient and it is recommended 
> to implement/override it in custom authorizer implementation (meaning Ranger 
> in our case).
> {code}
> /**
>  * Check if the caller is authorized to perform the given ACL operation on at least one
>  * resource of the given type.
>  *
>  * Custom authorizer implementations should consider overriding this default implementation because:
>  * 1. The default implementation iterates all AclBindings multiple times, without any caching
>  *    by principal, host, operation, permission types, and resource types. More efficient
>  *    implementations may be added in custom authorizers that directly access cached entries.
>  * 2. The default implementation cannot integrate with any audit logging included in the
>  *    authorizer implementation.
>  * 3. The default implementation does not support any custom authorizer configs or other access
>  *    rules apart from ACLs.
>  *
>  * @param requestContext Request context including request resourceType, security protocol and listener name
>  * @param op             The ACL operation to check
>  * @param resourceType   The resource type to check
>  * @return               Return {@link AuthorizationResult#ALLOWED} if the caller is authorized
>  *                       to perform the given ACL operation on at least one resource of the
>  *                       given type. Return {@link AuthorizationResult#DENIED} otherwise.
>  */
> default AuthorizationResult authorizeByResourceType(AuthorizableRequestContext requestContext, AclOperation op, ResourceType resourceType) {
> {code}
> In Kafka 3.0.1, 3.1.1 and 3.2.0, producers are idempotent by default 
> (KAFKA-13598) and the authorization of producer initialization fails, in case 
> the user doesn't have the deprecated idempotent_write access, as it will call 
> the {{authorizeByResourceType}} and that calls {{acls}}.
> {code}
>   public Iterable<AclBinding> acls(AclBindingFilter filter) {
>     logger.error("(getting) acls is not supported by Ranger for Kafka");
>     throw new UnsupportedOperationException("(getting) acls is not supported by Ranger for Kafka");
>   }
> {code}
> With [this 
> commit|https://github.com/apache/ranger/commit/0ec279474e0439f6c5e7d4497db191fb7cc99bc1]
>  {{authorizeByResourceType}} got an implementation with a basic validation 
> check and a (constant) denial response. It's just making 
> UnsupportedOperationException disappear and having an expected response for 
> initProducer authorization.
> Until the proper implementation is done, the idempotent_write access should 
> be granted for the producer.





[jira] [Updated] (RANGER-4061) Grant and Revoke Request should support Allow Exception

2023-06-06 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4061?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-4061:

Fix Version/s: 3.0.0

> Grant and Revoke Request should support  Allow Exception
> 
>
> Key: RANGER-4061
> URL: https://issues.apache.org/jira/browse/RANGER-4061
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Affects Versions: 3.0.0
> Reporter: Ramesh Mani
> Assignee: Ramesh Mani
> Priority: Major
> Fix For: 3.0.0
>
>
> Current Grant and Revoke functionality in Apache Ranger Supports only request 
> to create Allowed Permission. But there are services like Kafka where the ACL 
> grant can have clauses like allow certain users / Groups / hosts except users 
> / Groups / hosts.
> For this enhance the current Ranger Grant Revoke Api to include a new member 
> to hold the “AllowException” policyItem which can be added by the services 
> which supports this.
> By this enhancement Grant Revoke Api will add the “Allow Exception” 
> policyItem for the policy that will be created.





[jira] [Assigned] (RANGER-3939) Implement acls, createAcls and deleteAcls in Kafka Authorizer

2023-06-06 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3939?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani reassigned RANGER-3939:
---

Assignee: Ramesh Mani

> Implement acls, createAcls and deleteAcls in Kafka Authorizer
> -
>
> Key: RANGER-3939
> URL: https://issues.apache.org/jira/browse/RANGER-3939
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Reporter: Daniel Urban
> Assignee: Ramesh Mani
> Priority: Major
>
> Currently, the Kafka Authorizer only implements the .authorize method. This 
> is (mostly) enough to support authorization checks in the Kafka API endpoints.
> But the Kafka protocol also has support for describing and managing ACLs. 
> These endpoints do not work with the Ranger plugin, as it requires the acls, 
> createAcls and deleteAcls endpoints to be correctly implemented. This can 
> cause issues with tools and clients relying on the Kafka ACL API.





[jira] [Comment Edited] (RANGER-4165) Support SELF_OR_PREFIX resource matching scope in Ranger Authorization

2023-05-25 Thread Ramesh Mani (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17723252#comment-17723252
 ] 

Ramesh Mani edited comment on RANGER-4165 at 5/25/23 3:31 PM:
--

Attached reworked Patch from [~madhan] 

[https://reviews.apache.org/r/74454/diff/3#0]

 

[~abhayk]  Please review this patch. Thanks.

 


was (Author: rmani):
Attached reworked Patch from [~madhan] 

[https://reviews.apache.org/r/74441/]

[~abhayk]  Please review this patch. Thanks.

 

>  Support SELF_OR_PREFIX resource matching scope in Ranger Authorization
> ---
>
> Key: RANGER-4165
> URL: https://issues.apache.org/jira/browse/RANGER-4165
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 3.0.0
>    Reporter: Ramesh Mani
>Assignee: Madhan Neethiraj
>Priority: Major
>
>  Support SELF_OR_PREFIX resource matching scope in Ranger Authorization
>  * introduced resource-element matching scope SELF_OR_PREFIX, which can be
> used to ask Ranger policy engine the following
>    -- check if a user/group/role has read access in any path/file under
> directory /dept/hr/
>    -- check if a user/group/role has select access to any table having name
> that starts with emp_ under database name hr
>  * moved SELF_OR_CHILD from enum resource-matching-scope to enum
> resource-element-matching-scope
> This is needed to create an API which can find whether a user/group is
> authorized to the given operation on any resource of the given type.
> This is needed to implement a Ranger Kafka authorizer API which checks if the 
> caller is authorized to perform the given ACL operation on at least one 
> resource of the given type.
> [https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType])





[jira] [Updated] (RANGER-4165) Support SELF_OR_PREFIX resource matching scope in Ranger Authorization

2023-05-24 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-4165:

Description: 
 Support SELF_OR_PREFIX resource matching scope in Ranger Authorization
 * introduced resource-element matching scope SELF_OR_PREFIX, which can be used
to ask Ranger policy engine the following
   -- check if a user/group/role has read access in any path/file under
directory /dept/hr/
   -- check if a user/group/role has select access to any table having name
that starts with emp_ under database name hr
 * moved SELF_OR_CHILD from enum resource-matching-scope to enum
resource-element-matching-scope

This is needed to create an API which can find whether a user/group is authorized
to the given operation on any resource of the given type.

This is needed to implement a Ranger Kafka authorizer API which checks if the 
caller is authorized to perform the given ACL operation on at least one 
resource of the given type.

[https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType])

  was:
 Support SELF_OR_PREFIX resource matching scope in Ranger Authorization

This is needed to create an API which can find whether a user/group is authorized
to the given operation on any resource of the given type.

This is needed to implement a Ranger Kafka authorizer API which checks if the 
caller is authorized to perform the given ACL operation on at least one 
resource of the given type.

[https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType])


>  Support SELF_OR_PREFIX resource matching scope in Ranger Authorization
> ---
>
> Key: RANGER-4165
> URL: https://issues.apache.org/jira/browse/RANGER-4165
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 3.0.0
>    Reporter: Ramesh Mani
>Assignee: Madhan Neethiraj
>Priority: Major
>
>  Support SELF_OR_PREFIX resource matching scope in Ranger Authorization
>  * introduced resource-element matching scope SELF_OR_PREFIX, which can be
> used to ask Ranger policy engine the following
>    -- check if a user/group/role has read access in any path/file under
> directory /dept/hr/
>    -- check if a user/group/role has select access to any table having name
> that starts with emp_ under database name hr
>  * moved SELF_OR_CHILD from enum resource-matching-scope to enum
> resource-element-matching-scope
> This is needed to create an API which can find whether a user/group is
> authorized to the given operation on any resource of the given type.
> This is needed to implement a Ranger Kafka authorizer API which checks if the 
> caller is authorized to perform the given ACL operation on at least one 
> resource of the given type.
> [https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType])





[jira] [Comment Edited] (RANGER-4165) Support SELF_OR_PREFIX resource matching scope in Ranger Authorization

2023-05-24 Thread Ramesh Mani (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17723252#comment-17723252
 ] 

Ramesh Mani edited comment on RANGER-4165 at 5/24/23 3:10 PM:
--

Attached reworked Patch from [~madhan] 

[https://reviews.apache.org/r/74441/]

[~abhayk]  Please review this patch. Thanks.

 


was (Author: rmani):
Attached reworked Patch from [~madhan] 

[https://reviews.apache.org/r/74441/diff/2#index_header]

[~abhayk]  Please review this patch. Thanks.

 

>  Support SELF_OR_PREFIX resource matching scope in Ranger Authorization
> ---
>
> Key: RANGER-4165
> URL: https://issues.apache.org/jira/browse/RANGER-4165
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 3.0.0
>    Reporter: Ramesh Mani
>Assignee: Madhan Neethiraj
>Priority: Major
>
>  Support SELF_OR_PREFIX resource matching scope in Ranger Authorization
> This is needed to create an API which can find whether a user/group is
> authorized to the given operation on any resource of the given type.
> This is needed to implement a Ranger Kafka authorizer API which checks if the 
> caller is authorized to perform the given ACL operation on at least one 
> resource of the given type.
> [https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType])





[jira] [Assigned] (RANGER-4165) Support SELF_OR_PREFIX resource matching scope in Ranger Authorization

2023-05-24 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani reassigned RANGER-4165:
---

Assignee: Madhan Neethiraj  (was: Ramesh Mani)

>  Support SELF_OR_PREFIX resource matching scope in Ranger Authorization
> ---
>
> Key: RANGER-4165
> URL: https://issues.apache.org/jira/browse/RANGER-4165
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 3.0.0
>    Reporter: Ramesh Mani
>Assignee: Madhan Neethiraj
>Priority: Major
>
>  Support SELF_OR_PREFIX resource matching scope in Ranger Authorization
> This is needed to create an API which can find whether a user/group is
> authorized to the given operation on any resource of the given type.
> This is needed to implement a Ranger Kafka authorizer API which checks if the 
> caller is authorized to perform the given ACL operation on at least one 
> resource of the given type.
> [https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType])





Re: Review Request 74441: RANGER-4165: Support SELF_OR_PREFIX resource matching scope in Ranger Authorization

2023-05-23 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74441/
---

(Updated May 23, 2023, 11:18 p.m.)


Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.


Changes
---

Updated the test case in the description


Bugs: RANGER-4165
https://issues.apache.org/jira/browse/RANGER-4165


Repository: ranger


Description
---

RANGER-4165:API to find whether a user/group is authorized to the given 
operation on any resource of give type


Diffs
-

  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
 e0a86c398 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
 6a38747f4 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
 e561c4c7c 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
 4887c0112 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java
 6aec330d7 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
 b5b26702c 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
 f89d51e35 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 eee1e1f1b 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
 e887730c9 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
 032d4487c 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
 c421388e7 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
 5fa5b68d4 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
 0cb3e0fed 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerURLResourceMatcher.java
 ee2fff3ed 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java
 5df4f1e3a 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 b505f495b 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceEvaluatorsRetriever.java
 e60fe055b 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPathResourceTrie.java
 30a7215a6 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 b2a5151e5 
  
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java
 e31437fc1 
  
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcherTest.java
 ad21b3239 
  
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcherTest.java
 8fe3be9cc 
  
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerURLResourceMatcherTest.java
 2b7f27200 
  
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestResourceMatcher.java
 ea7bc01f2 
  agents-common/src/test/resources/policyengine/test_policyengine_aws.json 
118bef534 
  agents-common/src/test/resources/policyengine/test_policyengine_kafka.json 
PRE-CREATION 


Diff: https://reviews.apache.org/r/74441/diff/2/


Testing (updated)
---

Testing done with TestCase.
-- Request has to set the resource = " " and  resourceMatchingScope =  
"SELF_OR_PREFIX",
example:  
{"name":"Any topic Consume access for user3",
  "request":{
    "resource":{"elements":{"topic":""}},
    "resourceMatchingScope":"SELF_OR_PREFIX",
    "accessType":"consume","user":"user3","userGroups":[]
  },
  "result":{"isAudited":true,"isAllowed":true,"policyId":102}
}
-- Policy maintained => user1 will have access to consume on several topics, 
this call should result in "ALLOWED".

-- Testing done with new tests in 
agents-common/src/test/resources/policyengine/test_policyengine_kafka.json


-- Ran all the PolicyEngine and plugin tests.


Thanks,

Ramesh Mani
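
A simplified model of the SELF_OR_PREFIX request described in this thread, added here as an illustration; it is not Ranger's code and is not taken from the patch. Assumptions: topic patterns are a literal with an optional trailing '*', only allow policies exist (no deny items, tags or zones), and the policies, the evaluate() helper and every policy id except the 102 quoted in the test case are constructed.

```python
import json
from dataclasses import dataclass

SELF = "SELF"
SELF_OR_PREFIX = "SELF_OR_PREFIX"


@dataclass(frozen=True)
class Policy:
    policy_id: int
    topic: str    # literal topic name, optionally ending in '*' (assumed grammar)
    access: dict  # access type -> set of users allowed


def _split(pattern):
    """Return (literal part, has trailing wildcard)."""
    if pattern.endswith("*"):
        return pattern[:-1], True
    return pattern, False


def matches_self(pattern, value):
    """Exact-resource match: the requested name itself must fit the pattern."""
    literal, wild = _split(pattern)
    return value.startswith(literal) if wild else value == literal


def matches_prefix(pattern, prefix):
    """True if at least one name starting with `prefix` fits the pattern."""
    literal, wild = _split(pattern)
    if literal.startswith(prefix):
        return True  # the pattern's own literal is such a name
    # A wildcard pattern also covers longer names that extend its literal.
    return wild and prefix.startswith(literal)


def evaluate(policies, request):
    """Return the result part of a test case for one request."""
    value = request["resource"]["elements"]["topic"]
    scope = request.get("resourceMatchingScope", SELF)
    match = matches_prefix if scope == SELF_OR_PREFIX else matches_self
    for policy in policies:
        users = policy.access.get(request["accessType"], set())
        if match(policy.topic, value) and request["user"] in users:
            return {"isAllowed": True, "policyId": policy.policy_id}
    return {"isAllowed": False, "policyId": -1}


# Constructed policies; only the id 102 comes from the test case above.
POLICIES = [
    Policy(101, "payments", {"publish": {"user1"}}),
    Policy(102, "orders-*", {"consume": {"user3"}}),
    Policy(103, "audit", {"consume": {"user2"}}),
]

# The request from the test case above: empty topic plus SELF_OR_PREFIX
# asks "may user3 consume from any topic at all?".
PAGE_REQUEST = json.loads("""
{"resource": {"elements": {"topic": ""}},
 "resourceMatchingScope": "SELF_OR_PREFIX",
 "accessType": "consume", "user": "user3", "userGroups": []}
""")


def with_topic(request, topic, scope=SELF_OR_PREFIX):
    """Copy of `request` with a different topic value and matching scope."""
    changed = dict(request)
    changed["resource"] = {"elements": {"topic": topic}}
    changed["resourceMatchingScope"] = scope
    return changed


if __name__ == "__main__":
    print(evaluate(POLICIES, PAGE_REQUEST))
    print(evaluate(POLICIES, with_topic(PAGE_REQUEST, "", SELF)))
```

An allow under SELF_OR_PREFIX only means that some resource with that prefix is accessible; access to a specific topic still has to be checked with the default scope.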



[jira] [Comment Edited] (RANGER-4165) Support SELF_OR_PREFIX resource matching scope in Ranger Authorization

2023-05-23 Thread Ramesh Mani (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17723252#comment-17723252
 ] 

Ramesh Mani edited comment on RANGER-4165 at 5/23/23 7:24 PM:
--

Attached reworked Patch from [~madhan] 

[https://reviews.apache.org/r/74441/diff/2#index_header]

[~abhayk]  Please review this patch. Thanks.

 


was (Author: rmani):
Attached reworked Patch from [~madhan] 

[https://reviews.apache.org/r/74441/diff/1#index_header]

[~abhayk]  Please review this patch. Thanks.

 

>  Support SELF_OR_PREFIX resource matching scope in Ranger Authorization
> ---
>
> Key: RANGER-4165
> URL: https://issues.apache.org/jira/browse/RANGER-4165
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 3.0.0
>    Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Major
>
>  Support SELF_OR_PREFIX resource matching scope in Ranger Authorization
> This is needed to create an API which can find whether a user/group is
> authorized to the given operation on any resource of the given type.
> This is needed to implement a Ranger Kafka authorizer API which checks if the 
> caller is authorized to perform the given ACL operation on at least one 
> resource of the given type.
> [https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType])





Re: Review Request 74441: RANGER-4165: Support SELF_OR_PREFIX resource matching scope in Ranger Authorization

2023-05-23 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74441/
---

(Updated May 23, 2023, 7:22 p.m.)


Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.


Changes
---

RANGER-4165: Support SELF_OR_PREFIX resource matching scope in Ranger 
Authorization


Summary (updated)
-

RANGER-4165: Support SELF_OR_PREFIX resource matching scope in Ranger 
Authorization


Bugs: RANGER-4165
https://issues.apache.org/jira/browse/RANGER-4165


Repository: ranger


Description
---

RANGER-4165:API to find whether a user/group is authorized to the given 
operation on any resource of give type


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
 e0a86c398 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
 6a38747f4 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestImpl.java
 e561c4c7c 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestReadOnly.java
 4887c0112 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequestWrapper.java
 6aec330d7 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
 b5b26702c 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
 f89d51e35 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 eee1e1f1b 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
 e887730c9 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
 032d4487c 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
 c421388e7 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
 5fa5b68d4 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
 0cb3e0fed 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerURLResourceMatcher.java
 ee2fff3ed 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java
 5df4f1e3a 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 b505f495b 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceEvaluatorsRetriever.java
 e60fe055b 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPathResourceTrie.java
 30a7215a6 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 b2a5151e5 
  
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java
 e31437fc1 
  
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcherTest.java
 ad21b3239 
  
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcherTest.java
 8fe3be9cc 
  
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerURLResourceMatcherTest.java
 2b7f27200 
  
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/TestResourceMatcher.java
 ea7bc01f2 
  agents-common/src/test/resources/policyengine/test_policyengine_aws.json 
118bef534 
  agents-common/src/test/resources/policyengine/test_policyengine_kafka.json 
PRE-CREATION 


Diff: https://reviews.apache.org/r/74441/diff/2/

Changes: https://reviews.apache.org/r/74441/diff/1-2/


Testing
---

Testing done with TestCase.
-- Request has to set the resource = " " and  resourceMatchingScope =  
"SELF_OR_PREFIX",
example:  
{"name":"Any topic Consume access for user3",
  "request":{
    "resource":{"elements":{"topic":""}},
    "resourceMatchingScope":"SELF_OR_PREFIX",
    "accessType":"consume","user":"user3","userGroups":[],
    "context": {"RESOURCE_TYPE": "topic"}
  },
  "result":{"isAudited":true,"isAllowed":true,"policyId":102}
}
-- Policy maintained => user1 will have access to consume on several topics, 
this call should result in "ALLOWED".

-- Testing done with new tests in 
agents-common/src/test/resources/policyengine/test_policyengine_kafka.json


-- Ran all the PolicyEngine and plugin tests.


Thanks,

Ramesh Mani



[jira] [Updated] (RANGER-4165) Support SELF_OR_PREFIX resource matching scope in Ranger Authorization

2023-05-23 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-4165:

Description: 
 Support SELF_OR_PREFIX resource matching scope in Ranger Authorization

This is needed to create an API which can find whether a user/group is authorized
to the given operation on any resource of the given type.

This is needed to implement a Ranger Kafka authorizer API which checks if the 
caller is authorized to perform the given ACL operation on at least one 
resource of the given type.

[https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType])

  was:
API to find whether a user/group is authorized to the given operation on any 
resource of give type.

This is needed to implement a Ranger Kafka authorizer API which checks if the 
caller is authorized to perform the given ACL operation on at least one 
resource of the given type.

[https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType])


>  Support SELF_OR_PREFIX resource matching scope in Ranger Authorization
> ---
>
> Key: RANGER-4165
> URL: https://issues.apache.org/jira/browse/RANGER-4165
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 3.0.0
>    Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Major
>
>  Support SELF_OR_PREFIX resource matching scope in Ranger Authorization
> This is needed to create an API which can find whether a user/group is
> authorized to the given operation on any resource of the given type.
> This is needed to implement a Ranger Kafka authorizer API which checks if the 
> caller is authorized to perform the given ACL operation on at least one 
> resource of the given type.
> [https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType])





[jira] [Updated] (RANGER-4165) Support SELF_OR_PREFIX resource matching scope in Ranger Authorization

2023-05-23 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-4165:

Summary:  Support SELF_OR_PREFIX resource matching scope in Ranger 
Authorization  (was: API to find whether a user/group is authorized to the 
given operation on any resource of give type)

>  Support SELF_OR_PREFIX resource matching scope in Ranger Authorization
> ---
>
> Key: RANGER-4165
> URL: https://issues.apache.org/jira/browse/RANGER-4165
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 3.0.0
>    Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Major
>
> API to find whether a user/group is authorized to the given operation on any 
> resource of give type.
> This is needed to implement a Ranger Kafka authorizer API which checks if the 
> caller is authorized to perform the given ACL operation on at least one 
> resource of the given type.
> [https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType])





[jira] [Commented] (RANGER-4165) API to find whether a user/group is authorized to the given operation on any resource of give type

2023-05-16 Thread Ramesh Mani (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17723252#comment-17723252
 ] 

Ramesh Mani commented on RANGER-4165:
-

Attached reworked Patch from [~madhan] 

[https://reviews.apache.org/r/74441/diff/1#index_header]

[~abhayk]  Please review this patch. Thanks.

 

> API to find whether a user/group is authorized to the given operation on any 
> resource of give type
> --
>
> Key: RANGER-4165
> URL: https://issues.apache.org/jira/browse/RANGER-4165
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 3.0.0
>Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Major
>
> API to find whether a user/group is authorized to the given operation on any 
> resource of give type.
> This is needed to implement a Ranger Kafka authorizer API which checks if the 
> caller is authorized to perform the given ACL operation on at least one 
> resource of the given type.
> [https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType])





Re: Review Request 74441: RANGER-4165:API to find whether a user/group is authorized to the given operation on any resource of give type

2023-05-16 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74441/
---

(Updated May 16, 2023, 6:33 p.m.)


Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.


Bugs: RANGER-4165
https://issues.apache.org/jira/browse/RANGER-4165


Repository: ranger


Description
---

RANGER-4165:API to find whether a user/group is authorized to the given 
operation on any resource of give type


Diffs
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
 6a38747f4 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
 f89d51e35 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 96e232b43 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
 c421388e7 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
 5fa5b68d4 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java
 5df4f1e3a 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 b505f495b 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPathResourceTrie.java
 30a7215a6 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 b2a5151e5 
  
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcherTest.java
 8fe3be9cc 
  agents-common/src/test/resources/policyengine/test_policyengine_kafka.json 
PRE-CREATION 


Diff: https://reviews.apache.org/r/74441/diff/1/


Testing (updated)
---

Testing done with TestCase.
-- Request has to set the resource = " " and  resourceMatchingScope =  
"SELF_OR_PREFIX",
example:  
{"name":"Any topic Consume access for user3",
  "request":{
    "resource":{"elements":{"topic":""}},
    "resourceMatchingScope":"SELF_OR_PREFIX",
    "accessType":"consume","user":"user3","userGroups":[],
    "context": {"RESOURCE_TYPE": "topic"}
  },
  "result":{"isAudited":true,"isAllowed":true,"policyId":102}
}
-- Policy maintained => user1 will have access to consume on several topics, 
this call should result in "ALLOWED".

-- Testing done with new tests in 
agents-common/src/test/resources/policyengine/test_policyengine_kafka.json


-- Ran all the PolicyEngine and plugin tests.


Thanks,

Ramesh Mani



Review Request 74441: RANGER-4165:API to find whether a user/group is authorized to the given operation on any resource of give type

2023-05-16 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74441/
---

Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.


Bugs: RANGER-4165
https://issues.apache.org/jira/browse/RANGER-4165


Repository: ranger


Description
---

RANGER-4165:API to find whether a user/group is authorized to the given 
operation on any resource of give type


Diffs
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessRequest.java
 6a38747f4 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
 f89d51e35 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 96e232b43 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
 c421388e7 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcher.java
 5fa5b68d4 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java
 5df4f1e3a 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 b505f495b 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPathResourceTrie.java
 30a7215a6 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 b2a5151e5 
  
agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerPathResourceMatcherTest.java
 8fe3be9cc 
  agents-common/src/test/resources/policyengine/test_policyengine_kafka.json 
PRE-CREATION 


Diff: https://reviews.apache.org/r/74441/diff/1/


Testing
---


Thanks,

Ramesh Mani



Re: Review Request 74404: RANGER-4165:API to find whether a user/group is authorized to the given operation on any resource of give type

2023-05-11 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74404/
---

(Updated May 11, 2023, 1:58 p.m.)


Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.


Bugs: RANGER-4165
https://issues.apache.org/jira/browse/RANGER-4165


Repository: ranger


Description
---

RANGER-4165:API to find whether a user/group is authorized to the given 
operation on any resource of give type


Diffs
-

  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
 e0a86c398 
  
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java
 ca899979a 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
 3864f30d2 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 e75bb722c 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
 b5b26702c 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
 f89d51e35 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
 032d4487c 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
 c421388e7 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java
 5df4f1e3a 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 b505f495b 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceEvaluatorsRetriever.java
 e60fe055b 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 b2a5151e5 
  agents-common/src/test/resources/policyengine/test_policyengine_kafka.json 
PRE-CREATION 
  
agents-common/src/test/resources/resourcematcher/test_resourcematcher_default.json
 779f57a0b 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
97a384f30 


Diff: https://reviews.apache.org/r/74404/diff/1/


Testing (updated)
---

- Testing done with TestCase.
-- Request has to set the resource as "*_any*_" and add a 
request context "RESOURCE_TYPE" = "".
  example: resource => "_any_topic",  context => "topic" , operation => 
consume, user => "user1"
-- Policy maintained => user1 will have access to consume on several 
topics, this call should result in "ALLOWED".

-- Testing done with new tests in 
agents-common/src/test/resources/policyengine/test_policyengine_kafka.json

-- Ran all the PolicyEngine and plugin tests.


Thanks,

Ramesh Mani



Re: Review Request 74404: RANGER-4165:API to find whether a user/group is authorized to the given operation on any resource of give type

2023-05-05 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74404/
---

(Updated May 5, 2023, 3:51 p.m.)


Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.


Changes
---

Testing descriptions changed


Bugs: RANGER-4165
https://issues.apache.org/jira/browse/RANGER-4165


Repository: ranger


Description
---

RANGER-4165:API to find whether a user/group is authorized to the given 
operation on any resource of give type


Diffs
-

  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
 e0a86c398 
  
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java
 ca899979a 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
 3864f30d2 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 e75bb722c 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
 b5b26702c 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
 f89d51e35 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
 032d4487c 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
 c421388e7 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java
 5df4f1e3a 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 b505f495b 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceEvaluatorsRetriever.java
 e60fe055b 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 b2a5151e5 
  agents-common/src/test/resources/policyengine/test_policyengine_kafka.json 
PRE-CREATION 
  
agents-common/src/test/resources/resourcematcher/test_resourcematcher_default.json
 779f57a0b 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
97a384f30 


Diff: https://reviews.apache.org/r/74404/diff/1/


Testing (updated)
---

- Testing done with TestCase.
-- Request has to set the resource as "_any_" and add a 
request context "RESOURCE_TYPE" = "".
  example: resource => "_any_topic",  context => "topic" , operation => 
consume, user => "user1"
-- Policy maintained => user1 will have access to consume on several 
topics, this call should result in "ALLOWED".

-- Testing done with new tests in 
agents-common/src/test/resources/policyengine/test_policyengine_kafka.json

-- Ran all the PolicyEngine and plugin tests.


Thanks,

Ramesh Mani



Re: Review Request 74422: RANGER-4218: enable users to be designated as service admins via their groups

2023-05-04 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74422/#review225446
---


Ship it!




Ship It!

- Ramesh Mani


On April 29, 2023, 8:30 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74422/
> ---
> 
> (Updated April 29, 2023, 8:30 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Rajpara, Abhay Kulkarni, 
> Mehul Parikh, Monika Kachhadiya, Mugdha Varadkar, Nitin Galave, Ramesh Mani, 
> Sailaja Polavarapu, Subhrat Chaudhary, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4218
> https://issues.apache.org/jira/browse/RANGER-4218
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> updated to consider users in groups listed in service-config 
> service.admin.groups as service admins
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 
> 155fa357d 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
> 60903cc97 
>   security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java 
> 691ab52b3 
> 
> 
> Diff: https://reviews.apache.org/r/74422/diff/1/
> 
> 
> Testing
> ---
> 
> - updated unit tests to cover service admins via configuration 
> service.admin.groups
> - verified in Ranger UI that users in groups included in service-config 
> service.admin.groups are allowed manage policies in the service
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Review Request 74404: RANGER-4165:API to find whether a user/group is authorized to the given operation on any resource of give type

2023-04-19 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74404/
---

Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.


Bugs: RANGER-4165
https://issues.apache.org/jira/browse/RANGER-4165


Repository: ranger


Description
---

RANGER-4165:API to find whether a user/group is authorized to the given 
operation on any resource of give type


Diffs
-

  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
 e0a86c398 
  
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerSecurityZoneValidator.java
 ca899979a 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
 3864f30d2 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 e75bb722c 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
 b5b26702c 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java
 f89d51e35 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
 032d4487c 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
 c421388e7 
  
agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java
 5df4f1e3a 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 b505f495b 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceEvaluatorsRetriever.java
 e60fe055b 
  
agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
 b2a5151e5 
  agents-common/src/test/resources/policyengine/test_policyengine_kafka.json 
PRE-CREATION 
  
agents-common/src/test/resources/resourcematcher/test_resourcematcher_default.json
 779f57a0b 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
97a384f30 


Diff: https://reviews.apache.org/r/74404/diff/1/


Testing
---

- Testing done with TestCase.
-- Request has to set the resource as "_any_" and add a 
request context "RESOURCE_TYPE" = "".
  example: resource => "_any_topic",  context => "topic" , operation => 
consume, user => "user1"
-- Policy maintained => user1 will have access to consume on any topic, but 
this call results in "ALLOWED".

-- Testing done with new in 
agents-common/src/test/resources/policyengine/test_policyengine_kafka.json

-- Ran all the PolicyEngine and plugin tests.


Thanks,

Ramesh Mani



[jira] [Updated] (RANGER-4165) API to find whether a user/group is authorized to the given operation on any resource of give type

2023-04-19 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-4165:

Summary: API to find whether a user/group is authorized to the given 
operation on any resource of give type  (was: API to find whether a user/group 
is authorized to the give operation on any resource of give type)

> API to find whether a user/group is authorized to the given operation on any 
> resource of give type
> --
>
> Key: RANGER-4165
> URL: https://issues.apache.org/jira/browse/RANGER-4165
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 3.0.0
>Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Major
>
> API to find whether a user/group is authorized to the given operation on any 
> resource of give type.
> This is needed to implement a Ranger Kafka authorizer API which checks if the 
> caller is authorized to perform the given ACL operation on at least one 
> resource of the given type.
> [https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType])



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (RANGER-4165) API to find whether a user/group is authorized to the give operation on any resource of give type

2023-04-04 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-4165:

Description: 
API to find whether a user/group is authorized to the given operation on any 
resource of give type.

This is needed to implement a Ranger Kafka authorizer API which checks if the 
caller is authorized to perform the given ACL operation on at least one 
resource of the given type.

[https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType])

  was:
API to find whether a user/group is authorized to the give operation on any 
resource of give type.

This is needed to implement a Ranger Kafka authorizer API which checks if the 
caller is authorized to perform the given ACL operation on at least one 
resource of the given type.

https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType)


> API to find whether a user/group is authorized to the give operation on any 
> resource of give type
> -
>
> Key: RANGER-4165
> URL: https://issues.apache.org/jira/browse/RANGER-4165
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 3.0.0
>Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Major
>
> API to find whether a user/group is authorized to the given operation on any 
> resource of give type.
> This is needed to implement a Ranger Kafka authorizer API which checks if the 
> caller is authorized to perform the given ACL operation on at least one 
> resource of the given type.
> [https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType])



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


Re: Review Request 74379: RANGER-4164:Adding contributor name into ranger

2023-04-04 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74379/#review225349
---


Ship it!




Ship It!

- Ramesh Mani


On April 4, 2023, 3:41 p.m., Ramachandran Krishnan wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74379/
> ---
> 
> (Updated April 4, 2023, 3:41 p.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Abhay Kulkarni, Madhan Neethiraj, 
> Mehul Parikh, Nikhil P, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4164
> https://issues.apache.org/jira/browse/RANGER-4164
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> RANGER-4164:Adding contributor name into ranger
> 
> 
> Diffs
> -
> 
>   docs/pom.xml 94f90abe6 
> 
> 
> Diff: https://reviews.apache.org/r/74379/diff/2/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> Ramachandran Krishnan
> 
>



[jira] [Commented] (RANGER-4165) API to find whether a user/group is authorized to the give operation on any resource of give type

2023-03-31 Thread Ramesh Mani (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17707430#comment-17707430
 ] 

Ramesh Mani commented on RANGER-4165:
-

[~mad...@apache.org]  Thanks for the clarification and suggestion. I shall 
check on this.

> API to find whether a user/group is authorized to the give operation on any 
> resource of give type
> -
>
> Key: RANGER-4165
> URL: https://issues.apache.org/jira/browse/RANGER-4165
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 3.0.0
>Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Major
>
> API to find whether a user/group is authorized to the give operation on any 
> resource of give type.
> This is needed to implement a Ranger Kafka authorizer API which checks if the 
> caller is authorized to perform the given ACL operation on at least one 
> resource of the given type.
> https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (RANGER-4165) API to find whether a user/group is authorized to the give operation on any resource of give type

2023-03-31 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani updated RANGER-4165:

Affects Version/s: 3.0.0

> API to find whether a user/group is authorized to the give operation on any 
> resource of give type
> -
>
> Key: RANGER-4165
> URL: https://issues.apache.org/jira/browse/RANGER-4165
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 3.0.0
>Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Major
>
> API to find whether a user/group is authorized to the give operation on any 
> resource of give type.
> This is needed to implement a Ranger Kafka authorizer API which checks if the 
> caller is authorized to perform the given ACL operation on at least one 
> resource of the given type.
> https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Comment Edited] (RANGER-4165) API to find whether a user/group is authorized to the give operation on any resource of give type

2023-03-31 Thread Ramesh Mani (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17707395#comment-17707395
 ] 

Ramesh Mani edited comment on RANGER-4165 at 3/31/23 7:02 PM:
--

[~mad...@apache.org] [~abhayk] 

Currently policyEngine APIs don't have a way to figure out this request. All 
we can do is run through all the policies and find all the resources of the given 
type and run the authorizer for each of those resources found for the caller.
This may not be the efficient way to get the result.

Is there a better way to find this like having cache for resources in the 
policies and  run through the policy engine?


was (Author: rmani):
[~mad...@apache.org] [~abhayk] 

Currently policyEngine APIs don't have a way to figure out this request. All 
we can do is run through all the policies and find all the resources of the given 
type and run the authorizer for each of those resources found for the call.
This may not be the efficient way to get the result.

Is there a better way to find this like having cache for resources in the 
policies and  run through the policy engine?

> API to find whether a user/group is authorized to the give operation on any 
> resource of give type
> -
>
> Key: RANGER-4165
> URL: https://issues.apache.org/jira/browse/RANGER-4165
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>    Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Major
>
> API to find whether a user/group is authorized to the give operation on any 
> resource of give type.
> This is needed to implement a Ranger Kafka authorizer API which checks if the 
> caller is authorized to perform the given ACL operation on at least one 
> resource of the given type.
> https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
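
The approach described in the comment above (collect every resource of the requested type named in the policies, then run the authorizer for each one on behalf of the caller), as an added Python example that is not Ranger code. The policy model, function names and sample policies are constructed for illustration, resources are matched by exact name only, and deny items taking precedence over allow items is an assumption of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyItem:
    """Hypothetical policy item: who gets which accesses."""
    users: frozenset = frozenset()
    groups: frozenset = frozenset()
    accesses: frozenset = frozenset()

    def applies(self, user, groups, access):
        return access in self.accesses and (
            user in self.users or bool(self.groups & groups))


@dataclass(frozen=True)
class Policy:
    """Hypothetical policy: exact resource names of one resource type."""
    resource_type: str
    resources: frozenset
    allow: tuple = ()
    deny: tuple = ()


def is_access_allowed(policies, user, groups, access, resource_type, resource):
    """Authorize one concrete resource. Assumption: a matching deny item wins."""
    groups = frozenset(groups)
    matching = [p for p in policies
                if p.resource_type == resource_type and resource in p.resources]
    if any(i.applies(user, groups, access) for p in matching for i in p.deny):
        return False
    return any(i.applies(user, groups, access) for p in matching for i in p.allow)


def is_allowed_on_any(policies, user, groups, access, resource_type):
    """Return (True, resource) for the first resource of the type the caller
    may access, or (False, None) if there is none."""
    candidates = sorted({r for p in policies
                         if p.resource_type == resource_type
                         for r in p.resources})
    for resource in candidates:
        if is_access_allowed(policies, user, groups, access,
                             resource_type, resource):
            return True, resource
    return False, None


def has_any_allow_item(policies, user, groups, access, resource_type):
    """Shortcut that only scans allow items; it ignores deny items and is
    shown for contrast with the per-resource evaluation above."""
    groups = frozenset(groups)
    return any(i.applies(user, groups, access)
               for p in policies if p.resource_type == resource_type
               for i in p.allow)


# Constructed sample policies (not taken from test_policyengine_kafka.json).
CONSUME = frozenset({"consume"})
POLICIES = [
    Policy("topic", frozenset({"orders", "clicks"}),
           allow=(PolicyItem(users=frozenset({"user1"}), accesses=CONSUME),)),
    Policy("topic", frozenset({"payments"}),
           allow=(PolicyItem(groups=frozenset({"analysts"}), accesses=CONSUME),)),
    Policy("topic", frozenset({"payments"}),
           deny=(PolicyItem(users=frozenset({"user2"}), accesses=CONSUME),)),
    Policy("consumergroup", frozenset({"cg-reports"}),
           allow=(PolicyItem(users=frozenset({"user3"}), accesses=CONSUME),)),
]

if __name__ == "__main__":
    for user, groups in [("user1", []), ("user2", ["analysts"]), ("user3", [])]:
        print(user, is_allowed_on_any(POLICIES, user, groups, "consume", "topic"))
```

In this model user2 is a member of a group that is allowed on one topic but is explicitly denied on that same topic, so the per-resource evaluation returns a denial where a scan of allow items alone would report access.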


[jira] [Commented] (RANGER-4165) API to find whether a user/group is authorized to the give operation on any resource of give type

2023-03-31 Thread Ramesh Mani (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17707395#comment-17707395
 ] 

Ramesh Mani commented on RANGER-4165:
-

[~mad...@apache.org] [~abhayk] 

Currently policyEngine APIs don't have a way to figure out this request. All 
we can do is run through all the policies and find all the resources of the given 
type and run the authorizer for each of those resources found for the call.
This may not be the efficient way to get the result.

Is there a better way to find this like having cache for resources in the 
policies and  run through the policy engine?

> API to find whether a user/group is authorized to the give operation on any 
> resource of give type
> -
>
> Key: RANGER-4165
> URL: https://issues.apache.org/jira/browse/RANGER-4165
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>    Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Major
>
> API to find whether a user/group is authorized to the give operation on any 
> resource of give type.
> This is needed to implement a Ranger Kafka authorizer API which checks if the 
> caller is authorized to perform the given ACL operation on at least one 
> resource of the given type.
> https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Assigned] (RANGER-4165) API to find whether a user/group is authorized to the give operation on any resource of give type

2023-03-31 Thread Ramesh Mani (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani reassigned RANGER-4165:
---

Assignee: Ramesh Mani

> API to find whether a user/group is authorized to the give operation on any 
> resource of give type
> -
>
> Key: RANGER-4165
> URL: https://issues.apache.org/jira/browse/RANGER-4165
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>    Reporter: Ramesh Mani
>Assignee: Ramesh Mani
>Priority: Major
>
> API to find whether a user/group is authorized to the give operation on any 
> resource of give type.
> This is needed to implement a Ranger Kafka authorizer API which checks if the 
> caller is authorized to perform the given ACL operation on at least one 
> resource of the given type.
> https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Created] (RANGER-4165) API to find whether a user/group is authorized to the give operation on any resource of give type

2023-03-31 Thread Ramesh Mani (Jira)
Ramesh Mani created RANGER-4165:
---

 Summary: API to find whether a user/group is authorized to the 
give operation on any resource of give type
 Key: RANGER-4165
 URL: https://issues.apache.org/jira/browse/RANGER-4165
 Project: Ranger
  Issue Type: Improvement
  Components: Ranger
Reporter: Ramesh Mani


API to find whether a user/group is authorized to the give operation on any 
resource of give type.

This is needed to implement a Ranger Kafka authorizer API which checks if the 
caller is authorized to perform the given ACL operation on at least one 
resource of the given type.

https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


Re: [VOTE] Apache Ranger 2.4.0 Release - rc2

2023-03-28 Thread Ramesh Mani
+1 for Apache Ranger 2.4.0 rc2

- Build from the source
https://dist.apache.org/repos/dist/dev/ranger/2.4.0-rc2/apache-ranger-2.4.0.tar.gz
file was
successful.
- Verified some of the source code in tar files built.
- Verified PGP signature.
- Verified SHA256 / 512 hash.

Thank you Selva for Apache Ranger 2.4.0 release candidate #2

Thanks,
Ramesh

On Mon, Mar 27, 2023 at 8:41 PM Selvamohan Neethiraj 
wrote:

> Rangers:
>
> Apache Ranger 2.4.0 release candidate #2 is now available for a vote
> within the dev community.
> Links to the release artifacts are given below. Please review and vote.
>
> The vote will be open for at least 72 hours or until necessary votes are
> reached.
> [   ] +1 approve
> [   ] +0 no opinion
> [   ] -1 disapprove (and reason why)
>
> Thanks,
> Selva-
> Ranger PMC
>
> List of issues / improvements addressed in this release:  click-here <
> https://issues.apache.org/jira/browse/RANGER-4154?jql=project=RANGER%20and%20fixVersion%20%20=%202.4.0%20and%20status%20=%20Resolved%20ORDER%20BY%20key%20desc
> >
>
> Git tag for the release:
> https://github.com/apache/ranger/tree/release-2.4.0-rc2
> Sources for the release:
> https://dist.apache.org/repos/dist/dev/ranger/2.4.0-rc2/apache-ranger-2.4.0.tar.gz
>
> Source release verification:
> PGP Signature:
> https://dist.apache.org/repos/dist/dev/ranger/2.4.0-rc2/apache-ranger-2.4.0.tar.gz.asc
> SHA256 Hash:
> https://dist.apache.org/repos/dist/dev/ranger/2.4.0-rc2/apache-ranger-2.4.0.tar.gz.sha256
> SHA512 Hash:
> https://dist.apache.org/repos/dist/dev/ranger/2.4.0-rc2/apache-ranger-2.4.0.tar.gz.sha512
>
> Keys to verify the signature:
> https://dist.apache.org/repos/dist/release/ranger/KEYS
>
> Click Here <
> https://issues.apache.org/jira/issues/?jql=project=RANGER%20and%20fixVersion%20%20=%202.4.0%20and%20status%20=%20Resolved%20and%20type%20in%20(%22New%20Feature%22,%20Improvement)%20ORDER%20BY%20key%20desc>
> to view New Features/Enhancements in this release.
>
>
>
>
>
>


Re: Review Request 74336: RANGER-4121: fix for NPE in security-zone update validation

2023-03-05 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74336/#review225251
---


Ship it!




Ship It!

- Ramesh Mani


On March 4, 2023, 9:53 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74336/
> ---
> 
> (Updated March 4, 2023, 9:53 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Kishor Gollapalliwar, Abhay 
> Kulkarni, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and 
> Subhrat Chaudhary.
> 
> 
> Bugs: RANGER-4121
> https://issues.apache.org/jira/browse/RANGER-4121
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - updated security-zone validation API to use Objects.equals() to avoid NPE
> - updated validation to handle public group in zone.adminUserGroups and 
> zone.auditUserGroups
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java 
> 9ea222401 
>   security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java 
> 5dcde8678 
> 
> 
> Diff: https://reviews.apache.org/r/74336/diff/1/
> 
> 
> Testing
> ---
> 
> - verified that updating security-zone with null for description doesn't 
> result in NPE
> - verified that all unit tests pass successfully
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 74335: RANGER-4117: service-def option to include expression condition implicitly

2023-03-03 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74335/#review225248
---


Ship it!




Ship It!

- Ramesh Mani


On March 3, 2023, 6:06 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74335/
> ---
> 
> (Updated March 3, 2023, 6:06 a.m.)
> 
> 
> Review request for ranger, Abhishek  Kumar, Ankita Sinha, Kishor 
> Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, 
> Sailaja Polavarapu, Subhrat Chaudhary, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4117
> https://issues.apache.org/jira/browse/RANGER-4117
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - when a service-def has option enableImplicitConditionExpression set to 
> true, Ranger will automatically include condition-def named _expression of 
> type RangerScriptConditionEvaluator
> - default value for this option is derived from Ranger admin configuration 
> ranger.servicedef.enableImplicitConditionExpression
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceDef.java
>  05dde4edf 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java 
> fe1cf9244 
>   security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 
> 6cc3509d8 
>   
> security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefService.java
>  954c10e74 
>   
> security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefService.java
>  032f2f870 
> 
> 
> Diff: https://reviews.apache.org/r/74335/diff/1/
> 
> 
> Testing
> ---
> 
> - verified that policy UI shows expression condition for all services
> - verified CRUD of policies that use expression condition
> - added unit tests to verify implicit addition of expression condition-def
> - verified that all unit tests pass successfully
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>


