[jira] [Resolved] (HAWQ-1469) Don't expose RPS warning messages to command line

2017-05-17 Thread Lin Wen (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HAWQ-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lin Wen resolved HAWQ-1469.
---
Resolution: Fixed
  Assignee: Lin Wen  (was: Ed Espino)

> Don't expose RPS warning messages to command line
> -
>
> Key: HAWQ-1469
> URL: https://issues.apache.org/jira/browse/HAWQ-1469
> Project: Apache HAWQ
>  Issue Type: Sub-task
>  Components: Security
>Reporter: Lin Wen
>Assignee: Lin Wen
> Fix For: backlog
>
>
> RPS service address exposing to end-user is not secure, and we should not 
> expose it out.
> **Case 1: When master RPS is down, changing to standby RPS**
> Current behavior
> ```
> postgres=# select * from a;
> WARNING:  ranger plugin service from http://test1:8432/rps is unavailable : 
> Couldn't connect to server, try another http://test5:8432/rps
> ERROR:  permission denied for relation(s): public.a
> ``` 
> Warning should be removed.
> Expected
> ```
> postgres=# select * from a;
> ERROR:  permission denied for relation(s): public.a
> ```
> **Case 2: When both RPS are down, should only print that RPS is unavailable.**
> Current Behavior:
> ```
> postgres=# select * from a;
> WARNING:  ranger plugin service from http://test5:8432/rps is unavailable : 
> Couldn't connect to server, try another http://test1:8432/rps
> ERROR:  ranger plugin service from http://test1:8432/rps is unavailable : 
> Couldn't connect to server. (rangerrest.c:463)
> ```
> Expected
> ```
> postgres=# select * from a;
> ERROR:  ranger plugin service is unavailable : Couldn't connect to server. 
> (rangerrest.c:463)
> ```
> The warning message should be printed in cvs log file.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[GitHub] incubator-hawq pull request #1242: HAWQ-1469. Don't expose warning messages ...

2017-05-17 Thread linwen 
Github user linwen closed the pull request at:

https://github.com/apache/incubator-hawq/pull/1242


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[jira] [Comment Edited] (HAWQ-1469) Don't expose RPS warning messages to command line

2017-05-17 Thread Lin Wen (JIRA) 

[ 
https://issues.apache.org/jira/browse/HAWQ-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16015047#comment-16015047
 ] 

Lin Wen edited comment on HAWQ-1469 at 5/18/17 2:50 AM:


Yes. If both master RPS and standby RPS are unavailable, this message is 
printed to console.
ERROR: ranger plugin service is unavailable : Couldn't connect to server. 
(rangerrest.c:463)

OK. We can make the message more descriptive. how about this?
ERROR: permission is unknown due to authorization failure, ranger plugin 
service is unavailable : Couldn't connect to server. (rangerrest.c:463)


was (Author: wlin):
Yes. If both master RPS and standby RPS are unavailable, this message is 
printed to console.
ERROR: ranger plugin service is unavailable : Couldn't connect to server. 
(rangerrest.c:463)

OK. We can make the message more descriptive. how about this?
ERROR: authorization failed, ranger plugin service is unavailable : Couldn't 
connect to server. (rangerrest.c:463)

> Don't expose RPS warning messages to command line
> -
>
> Key: HAWQ-1469
> URL: https://issues.apache.org/jira/browse/HAWQ-1469
> Project: Apache HAWQ
>  Issue Type: Sub-task
>  Components: Security
>Reporter: Lin Wen
>Assignee: Ed Espino
> Fix For: backlog
>
>
> RPS service address exposing to end-user is not secure, and we should not 
> expose it out.
> **Case 1: When master RPS is down, changing to standby RPS**
> Current behavior
> ```
> postgres=# select * from a;
> WARNING:  ranger plugin service from http://test1:8432/rps is unavailable : 
> Couldn't connect to server, try another http://test5:8432/rps
> ERROR:  permission denied for relation(s): public.a
> ``` 
> Warning should be removed.
> Expected
> ```
> postgres=# select * from a;
> ERROR:  permission denied for relation(s): public.a
> ```
> **Case 2: When both RPS are down, should only print that RPS is unavailable.**
> Current Behavior:
> ```
> postgres=# select * from a;
> WARNING:  ranger plugin service from http://test5:8432/rps is unavailable : 
> Couldn't connect to server, try another http://test1:8432/rps
> ERROR:  ranger plugin service from http://test1:8432/rps is unavailable : 
> Couldn't connect to server. (rangerrest.c:463)
> ```
> Expected
> ```
> postgres=# select * from a;
> ERROR:  ranger plugin service is unavailable : Couldn't connect to server. 
> (rangerrest.c:463)
> ```
> The warning message should be printed in cvs log file.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[jira] [Comment Edited] (HAWQ-1469) Don't expose RPS warning messages to command line

2017-05-17 Thread Lin Wen (JIRA) 

[ 
https://issues.apache.org/jira/browse/HAWQ-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16015047#comment-16015047
 ] 

Lin Wen edited comment on HAWQ-1469 at 5/18/17 2:49 AM:


Yes. If both master RPS and standby RPS are unavailable, this message is 
printed to console.
ERROR: ranger plugin service is unavailable : Couldn't connect to server. 
(rangerrest.c:463)

OK. We can make the message more descriptive. how about this?
ERROR: authorization failed, ranger plugin service is unavailable : Couldn't 
connect to server. (rangerrest.c:463)


was (Author: wlin):
Yes. If both master RPS and standby RPS are unavailable, this message is 
printed to console.
ERROR: ranger plugin service is unavailable : Couldn't connect to server. 
(rangerrest.c:463)

OK. We can make the message more descriptive. how about this?
ERROR: authentication failed, ranger plugin service is unavailable : Couldn't 
connect to server. (rangerrest.c:463)

> Don't expose RPS warning messages to command line
> -
>
> Key: HAWQ-1469
> URL: https://issues.apache.org/jira/browse/HAWQ-1469
> Project: Apache HAWQ
>  Issue Type: Sub-task
>  Components: Security
>Reporter: Lin Wen
>Assignee: Ed Espino
> Fix For: backlog
>
>
> RPS service address exposing to end-user is not secure, and we should not 
> expose it out.
> **Case 1: When master RPS is down, changing to standby RPS**
> Current behavior
> ```
> postgres=# select * from a;
> WARNING:  ranger plugin service from http://test1:8432/rps is unavailable : 
> Couldn't connect to server, try another http://test5:8432/rps
> ERROR:  permission denied for relation(s): public.a
> ``` 
> Warning should be removed.
> Expected
> ```
> postgres=# select * from a;
> ERROR:  permission denied for relation(s): public.a
> ```
> **Case 2: When both RPS are down, should only print that RPS is unavailable.**
> Current Behavior:
> ```
> postgres=# select * from a;
> WARNING:  ranger plugin service from http://test5:8432/rps is unavailable : 
> Couldn't connect to server, try another http://test1:8432/rps
> ERROR:  ranger plugin service from http://test1:8432/rps is unavailable : 
> Couldn't connect to server. (rangerrest.c:463)
> ```
> Expected
> ```
> postgres=# select * from a;
> ERROR:  ranger plugin service is unavailable : Couldn't connect to server. 
> (rangerrest.c:463)
> ```
> The warning message should be printed in cvs log file.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[jira] [Commented] (HAWQ-1469) Don't expose RPS warning messages to command line

2017-05-17 Thread Lin Wen (JIRA) 

[ 
https://issues.apache.org/jira/browse/HAWQ-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16015047#comment-16015047
 ] 

Lin Wen commented on HAWQ-1469:
---

Yes. If both master RPS and standby RPS are unavailable, this message is 
printed to console.
ERROR: ranger plugin service is unavailable : Couldn't connect to server. 
(rangerrest.c:463)

OK. We can make the message more descriptive. how about this?
ERROR: authentication failed, ranger plugin service is unavailable : Couldn't 
connect to server. (rangerrest.c:463)

> Don't expose RPS warning messages to command line
> -
>
> Key: HAWQ-1469
> URL: https://issues.apache.org/jira/browse/HAWQ-1469
> Project: Apache HAWQ
>  Issue Type: Sub-task
>  Components: Security
>Reporter: Lin Wen
>Assignee: Ed Espino
> Fix For: backlog
>
>
> RPS service address exposing to end-user is not secure, and we should not 
> expose it out.
> **Case 1: When master RPS is down, changing to standby RPS**
> Current behavior
> ```
> postgres=# select * from a;
> WARNING:  ranger plugin service from http://test1:8432/rps is unavailable : 
> Couldn't connect to server, try another http://test5:8432/rps
> ERROR:  permission denied for relation(s): public.a
> ``` 
> Warning should be removed.
> Expected
> ```
> postgres=# select * from a;
> ERROR:  permission denied for relation(s): public.a
> ```
> **Case 2: When both RPS are down, should only print that RPS is unavailable.**
> Current Behavior:
> ```
> postgres=# select * from a;
> WARNING:  ranger plugin service from http://test5:8432/rps is unavailable : 
> Couldn't connect to server, try another http://test1:8432/rps
> ERROR:  ranger plugin service from http://test1:8432/rps is unavailable : 
> Couldn't connect to server. (rangerrest.c:463)
> ```
> Expected
> ```
> postgres=# select * from a;
> ERROR:  ranger plugin service is unavailable : Couldn't connect to server. 
> (rangerrest.c:463)
> ```
> The warning message should be printed in cvs log file.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[GitHub] incubator-hawq issue #1181: HAWQ-1398. Fixing invalid references in log stat...

2017-05-17 Thread paul-guo- 
Github user paul-guo- commented on the issue:

https://github.com/apache/incubator-hawq/pull/1181
  
You should check into the apache repo. github repo is just a mirror which
will keep sync-ed with the apache repo.

See
https://cwiki.apache.org/confluence/display/HAWQ/Contributing+to+HAWQ

2017-05-16 23:13 GMT+08:00 Kyle Dunn :

> Looks like my Apache user kdunn926 does not have write permissions to
> this repo. @edespino 
>
> $ git push https://kdunn...@github.com/apache/incubator-hawq
> Password for 'https://kdunn...@github.com':
> remote: Permission to apache/incubator-hawq.git denied to kdunn926.
> fatal: unable to access 
'https://kdunn...@github.com/apache/incubator-hawq/': The requested URL 
returned error: 403
>
> —
> You are receiving this because you commented.
> Reply to this email directly, view it on GitHub
> 
,
> or mute the thread
> 

> .
>



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[jira] [Commented] (HAWQ-1469) Don't expose RPS warning messages to command line

2017-05-17 Thread Lisa Owen (JIRA) 

[ 
https://issues.apache.org/jira/browse/HAWQ-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16014269#comment-16014269
 ] 

Lisa Owen commented on HAWQ-1469:
-

when rps is unavailable, looks like the following error message will be 
displayed:
ERROR: ranger plugin service is unavailable : Couldn't connect to server. 
(rangerrest.c:463)

question - under what conditions will this error message be displayed - on 
every database object access by every user until hawq connects with a working 
rps?

this message is very relevant to the administrator - he/she would presumably 
know that ranger authentication for hawq was in use in the cluster.  the 
message may be less meaningful to end users.  they may have no knowledge of the 
underlying authentication configured for hawq.  i am wondering if it might make 
sense to include "authentication" or other info in the text to make the message 
more descriptive.

> Don't expose RPS warning messages to command line
> -
>
> Key: HAWQ-1469
> URL: https://issues.apache.org/jira/browse/HAWQ-1469
> Project: Apache HAWQ
>  Issue Type: Sub-task
>  Components: Security
>Reporter: Lin Wen
>Assignee: Ed Espino
> Fix For: backlog
>
>
> RPS service address exposing to end-user is not secure, and we should not 
> expose it out.
> **Case 1: When master RPS is down, changing to standby RPS**
> Current behavior
> ```
> postgres=# select * from a;
> WARNING:  ranger plugin service from http://test1:8432/rps is unavailable : 
> Couldn't connect to server, try another http://test5:8432/rps
> ERROR:  permission denied for relation(s): public.a
> ``` 
> Warning should be removed.
> Expected
> ```
> postgres=# select * from a;
> ERROR:  permission denied for relation(s): public.a
> ```
> **Case 2: When both RPS are down, should only print that RPS is unavailable.**
> Current Behavior:
> ```
> postgres=# select * from a;
> WARNING:  ranger plugin service from http://test5:8432/rps is unavailable : 
> Couldn't connect to server, try another http://test1:8432/rps
> ERROR:  ranger plugin service from http://test1:8432/rps is unavailable : 
> Couldn't connect to server. (rangerrest.c:463)
> ```
> Expected
> ```
> postgres=# select * from a;
> ERROR:  ranger plugin service is unavailable : Couldn't connect to server. 
> (rangerrest.c:463)
> ```
> The warning message should be printed in cvs log file.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[GitHub] incubator-hawq issue #1242: HAWQ-1469. Don't expose warning messages to comm...

2017-05-17 Thread paul-guo- 
Github user paul-guo- commented on the issue:

https://github.com/apache/incubator-hawq/pull/1242
  
+1


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-hawq pull request #1242: HAWQ-1469. Don't expose warning messages ...

2017-05-17 Thread linwen 
Github user linwen commented on a diff in the pull request:

https://github.com/apache/incubator-hawq/pull/1242#discussion_r116961874
  
--- Diff: src/backend/libpq/rangerrest.c ---
@@ -453,23 +453,30 @@ static int call_ranger_rest(CURL_HANDLE curl_handle, 
const char* request)
{
if (retry > 1)
{
-   elog(WARNING, "ranger plugin service from 
http://%s:%d/rps is unavailable : %s, try another http://%s:%d/rps\n";,
+   /* Don't expose this warning message to client, 
just record in log.
+* The value of whereToSendOutput is 
DestRemote, so set it to DestNone
+* and set back after write a warning message 
in log file.
+*/
+   CommandDest commandDest = whereToSendOutput;
+   whereToSendOutput = DestNone;
+   elog(WARNING, "ranger plugin service from 
http://%s:%d/rps is unavailable : %s, "
+   "trying ranger plugin service 
at http://%s:%d/rps\n";,
--- End diff --

When master RPS doesn't work due to some reason, and hawq begins to talk 
with standby RPS, a warning message should be recorded in log file, so that 
administrators can solve the master RPS problem. elog(LOG, ...) won't expose to 
console(by default, client_min_sessages is NOTICE), but in this switch case, a 
warning should be recorded. 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-hawq pull request #1242: HAWQ-1469. Don't expose warning messages ...

2017-05-17 Thread paul-guo- 
Github user paul-guo- commented on a diff in the pull request:

https://github.com/apache/incubator-hawq/pull/1242#discussion_r116960903
  
--- Diff: src/backend/libpq/rangerrest.c ---
@@ -453,23 +453,30 @@ static int call_ranger_rest(CURL_HANDLE curl_handle, 
const char* request)
{
if (retry > 1)
{
-   elog(WARNING, "ranger plugin service from 
http://%s:%d/rps is unavailable : %s, try another http://%s:%d/rps\n";,
+   /* Don't expose this warning message to client, 
just record in log.
+* The value of whereToSendOutput is 
DestRemote, so set it to DestNone
+* and set back after write a warning message 
in log file.
+*/
+   CommandDest commandDest = whereToSendOutput;
+   whereToSendOutput = DestNone;
+   elog(WARNING, "ranger plugin service from 
http://%s:%d/rps is unavailable : %s, "
+   "trying ranger plugin service 
at http://%s:%d/rps\n";,
--- End diff --

If so, why not just remove the code and add comments here? Does elog(LOG, 
...) possibly expose this to users?


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-hawq pull request #1242: HAWQ-1469. Don't expose warning messages ...

2017-05-17 Thread linwen 
GitHub user linwen opened a pull request:

https://github.com/apache/incubator-hawq/pull/1242

HAWQ-1469. Don't expose warning messages to command line when switch 
between master and standby RPS.

Please review. Thanks! 

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/linwen/incubator-hawq hawq-1469

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/incubator-hawq/pull/1242.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1242


commit d719f9ddc8f948d00bd6d8ca687ce1f0d5ee4345
Author: Wen Lin 
Date:   2017-05-17T09:57:45Z

HAWQ-1469. Don't expose warning messages to command line when switch 
between master and standby RPS.




---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[jira] [Created] (HAWQ-1469) Don't expose RPS warning messages to command line

2017-05-17 Thread Lin Wen (JIRA) 
Lin Wen created HAWQ-1469:
-

 Summary: Don't expose RPS warning messages to command line
 Key: HAWQ-1469
 URL: https://issues.apache.org/jira/browse/HAWQ-1469
 Project: Apache HAWQ
  Issue Type: Sub-task
  Components: Security
Reporter: Lin Wen
Assignee: Ed Espino


RPS service address exposing to end-user is not secure, and we should not 
expose it out.

**Case 1: When master RPS is down, changing to standby RPS**
Current behavior
```
postgres=# select * from a;
WARNING:  ranger plugin service from http://test1:8432/rps is unavailable : 
Couldn't connect to server, try another http://test5:8432/rps
ERROR:  permission denied for relation(s): public.a
``` 
Warning should be removed.
Expected
```
postgres=# select * from a;
ERROR:  permission denied for relation(s): public.a
```

**Case 2: When both RPS are down, should only print that RPS is unavailable.**
Current Behavior:
```
postgres=# select * from a;
WARNING:  ranger plugin service from http://test5:8432/rps is unavailable : 
Couldn't connect to server, try another http://test1:8432/rps
ERROR:  ranger plugin service from http://test1:8432/rps is unavailable : 
Couldn't connect to server. (rangerrest.c:463)
```
Expected
```
postgres=# select * from a;
ERROR:  ranger plugin service is unavailable : Couldn't connect to server. 
(rangerrest.c:463)
```

The warning message should be printed in cvs log file.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)