Re: Review Request 71583: RANGER-2512:RangerRolesRESTClient for serving user group roles to the plugins for evaluation -part2

[Madhan Neethiraj]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71583/#review218145
---




agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
Lines 62 (patched)


getRangerRoles() can return null if roleVersion is same as the currnet role 
version in DB - which will leave rangerRoles as null. Please review and update 
to handle this case.



agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
Line 65 (original), 72 (patched)


updatedServicePolicies() needs to be called even when no change in 
policyVersion ('if' at #64 is false) but roleVersion has changed. This will be 
missed since this line is inside 'if' block at #64. Please review and update.


- Madhan Neethiraj


On Oct. 9, 2019, 1:01 a.m., Ramesh Mani wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71583/
> ---
> 
> (Updated Oct. 9, 2019, 1:01 a.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, 
> Madhan Neethiraj, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2512
> https://issues.apache.org/jira/browse/RANGER-2512
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> RANGER-2512:RangerRolesRESTClient for serving user group roles to the plugins 
> for evaluation -part2
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
>  251a0ec 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCacheForEngineOptions.java
>  5cd82d8 
>   agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java 
> 2fec9a0 
>   security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java 9151a72 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
> edc886c 
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 0d46ca8 
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java c1ec629 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
> 190c6f5 
>   
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java 
> e168278 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml 1a6b0bd 
> 
> 
> Diff: https://reviews.apache.org/r/71583/diff/7/
> 
> 
> Testing
> ---
> 
> - Addressed review comments in preview patch.
> - "ranger.support.for.service.specific.role.download" introduced to enable 
> role download by service. By default it is "false" and it will download all 
> the roles when add or update of roles happens. If set to "true" only these 
> services which uses the roles will get the updated roles.
> 
> 
> Thanks,
> 
> Ramesh Mani
> 
>

Re: Review Request 71583: RANGER-2512:RangerRolesRESTClient for serving user group roles to the plugins for evaluation -part2

[Abhay Kulkarni]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71583/#review218144
---


Ship it!




Ship It!

- Abhay Kulkarni


On Oct. 9, 2019, 1:01 a.m., Ramesh Mani wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71583/
> ---
> 
> (Updated Oct. 9, 2019, 1:01 a.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, 
> Madhan Neethiraj, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2512
> https://issues.apache.org/jira/browse/RANGER-2512
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> RANGER-2512:RangerRolesRESTClient for serving user group roles to the plugins 
> for evaluation -part2
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
>  251a0ec 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCacheForEngineOptions.java
>  5cd82d8 
>   agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java 
> 2fec9a0 
>   security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java 9151a72 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
> edc886c 
>   security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 0d46ca8 
>   security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java c1ec629 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
> 190c6f5 
>   
> security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java 
> e168278 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml 1a6b0bd 
> 
> 
> Diff: https://reviews.apache.org/r/71583/diff/7/
> 
> 
> Testing
> ---
> 
> - Addressed review comments in preview patch.
> - "ranger.support.for.service.specific.role.download" introduced to enable 
> role download by service. By default it is "false" and it will download all 
> the roles when add or update of roles happens. If set to "true" only these 
> services which uses the roles will get the updated roles.
> 
> 
> Thanks,
> 
> Ramesh Mani
> 
>

Re: Review Request 71583: RANGER-2512:RangerRolesRESTClient for serving user group roles to the plugins for evaluation -part2

[Ramesh Mani]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71583/
---

(Updated Oct. 9, 2019, 1:01 a.m.)


Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, 
Madhan Neethiraj, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, 
and Velmurugan Periasamy.


Changes
---

Review requested addressed


Bugs: RANGER-2512
https://issues.apache.org/jira/browse/RANGER-2512


Repository: ranger


Description
---

RANGER-2512:RangerRolesRESTClient for serving user group roles to the plugins 
for evaluation -part2


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
 251a0ec 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCacheForEngineOptions.java
 5cd82d8 
  agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java 
2fec9a0 
  security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java 9151a72 
  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
edc886c 
  security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 0d46ca8 
  security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java c1ec629 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 190c6f5 
  security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java 
e168278 
  security-admin/src/main/resources/META-INF/jpa_named_queries.xml 1a6b0bd 


Diff: https://reviews.apache.org/r/71583/diff/7/

Changes: https://reviews.apache.org/r/71583/diff/6-7/


Testing
---

- Addressed review comments in preview patch.
- "ranger.support.for.service.specific.role.download" introduced to enable role 
download by service. By default it is "false" and it will download all the 
roles when add or update of roles happens. If set to "true" only these services 
which uses the roles will get the updated roles.


Thanks,

Ramesh Mani

[jira] [Created] (RANGER-2611) Ranger should fall back to default TrustManagers if no trust store is specified

[Todd Lipcon (Jira)]

Todd Lipcon created RANGER-2611:
---

 Summary: Ranger should fall back to default TrustManagers if no 
trust store is specified
 Key: RANGER-2611
 URL: https://issues.apache.org/jira/browse/RANGER-2611
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Reporter: Todd Lipcon


Currently if no truststore is specified, the Ranger SSL code path will refuse 
to connect, giving an error message "TrustManager is not specified".

Specifying a trust store should not be necessary if the ranger server has its 
cert signed by a CA that is already trusted by the JVM, for example because the 
cert is signed by a public CA, or a private CA cert has been put into the 
default JVM trust store, or because it has been configured via Java system 
properties on the command line.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Re: Review Request 71583: RANGER-2512:RangerRolesRESTClient for serving user group roles to the plugins for evaluation -part2

[Ramesh Mani]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71583/
---

(Updated Oct. 8, 2019, 11:04 p.m.)


Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, 
Madhan Neethiraj, Pradeep Agrawal, Selvamohan Neethiraj, Sailaja Polavarapu, 
and Velmurugan Periasamy.


Changes
---

Addressed review comments, Addressed issue with Delegate admin privilege with 
Role policy.


Bugs: RANGER-2512
https://issues.apache.org/jira/browse/RANGER-2512


Repository: ranger


Description
---

RANGER-2512:RangerRolesRESTClient for serving user group roles to the plugins 
for evaluation -part2


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCache.java
 251a0ec 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineCacheForEngineOptions.java
 5cd82d8 
  agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java 
2fec9a0 
  security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java 9151a72 
  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
edc886c 
  security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java 0d46ca8 
  security-admin/src/main/java/org/apache/ranger/db/XXRoleDao.java c1ec629 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 190c6f5 
  security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java 
e168278 
  security-admin/src/main/resources/META-INF/jpa_named_queries.xml 1a6b0bd 


Diff: https://reviews.apache.org/r/71583/diff/6/

Changes: https://reviews.apache.org/r/71583/diff/5-6/


Testing
---

- Addressed review comments in preview patch.
- "ranger.support.for.service.specific.role.download" introduced to enable role 
download by service. By default it is "false" and it will download all the 
roles when add or update of roles happens. If set to "true" only these services 
which uses the roles will get the updated roles.


Thanks,

Ramesh Mani

Re: [REPORT] Apache Ranger - Sep-2019

[Madhan Neethiraj]

+1 for the report.

Selva - thanks for compiling the report. Please update for a typo: siwtch => 
switch.

Madhan



On 10/8/19, 9:38 AM, "Selvamohan Neethiraj"  wrote:

Apache Ranger PMC: 
 
Could you please review draft board report below and provide your feedback.
 

Thanks,
Selva-


## Description:
 - Apache Ranger is a framework to enable, monitor and manage comprehensive
   data security across the Hadoop platform

## Issues:
 - There are no issues requiring board attention at this time

## Activity:
 - Community has just released a major release - 2.0.0 and working on 2.1.0 
release.
 - Jira: has usual amount of activities in the community. +100(added)
   -72(resolved) over last 3 months

## Health report:
- Completed release of Apache Ranger 2.0.0 with major upgrade to support 
latest release of Hive, HBase and Hadoop.  
- Community is working on 2.1.0 release with
   - minor Fixes to 2.0.0 releases
   - Java 11 support
   - able to specify multiple ranger host (w/o load balancer)
   - siwtch logging framework to slf4j
 - Also, discussing new features for next major releases
   - authorization plugin for sparkSQL, ElasticSearch and Druid

## PMC changes:
 - Currently 20 PMC members
 - Sailaja Polavarapu was added to the PMC on 2019-09-18.

## Committer base changes:
 - Currently 29 committers
 - Nikhil Purbhe was added as a committer on Wed May 22 2019

## Releases:
 - Apache Ranger 2.0.0 was released on 2019-08-07.
 - Apache Ranger 1.2.0 was released on 2018-10-04.
 - Apache Ranger 1.1.0 was released on 2018-07-09.

## Mailing list activity:
 - Regular activity continues.
 - dev@ranger.apache.org:
- 1216 emails sent to list (905 in previous quarter)
 - u...@ranger.apache.org:
- 15 emails sent to list (43 in previous quarter)

## JIRA activity:
 - 100 JIRA tickets created in the last 3 months
 - 72 JIRA tickets closed/resolved in the last 3 months

[jira] [Commented] (RANGER-1912) Ranger setup fails with mariadb/mysql when binary logging is enabled

[Sean Roberts (Jira)]

[ 
https://issues.apache.org/jira/browse/RANGER-1912?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16947169#comment-16947169
 ] 

Sean Roberts commented on RANGER-1912:
--

This is occurring again in HDP 3.1.4, so the issue wasn't resolved or has been 
re-introduced.

> Ranger setup fails with mariadb/mysql when binary logging is enabled
> 
>
> Key: RANGER-1912
> URL: https://issues.apache.org/jira/browse/RANGER-1912
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 0.4.0, 0.5.0, 0.6.0, 0.7.0
>Reporter: Pradeep Agrawal
>Assignee: Pradeep Agrawal
>Priority: Major
> Fix For: 1.0.0
>
> Attachments: 
> 0001-RANGER-1912-Ranger-setup-fails-with-MySQL-when-binar.patch
>
>
> Ranger Admin installation fails when using MariaDB/MySQL with binary logging 
> enabled.
> The install should work even if binary logging is enabled.
> *Problem Statement:* Currently MySQL DB patch 007 and 008 is having MySQL UDF 
> functions which are not DETERMINISTIC
> When you create a stored function, you must declare either that it is 
> deterministic or that it does not modify data. Otherwise, it may be unsafe 
> for data recovery or replication.
> By default, for a CREATE FUNCTION statement to be accepted, at least one of 
> DETERMINISTIC, NO SQL, or READS SQL DATA must be specified explicitly. 
> Otherwise, an error occurs: 
> {code:java}
> ERROR 1418 (HY000): This function has none of DETERMINISTIC, NO SQL, or READS 
> SQL DATA in its declaration and binary logging is enabled (you *might* want 
> to use the less safe log_bin_trust_function_creators variable)
> {code}
> Although it is possible to create a deterministic stored function without 
> specifying DETERMINISTIC, you cannot execute this function using 
> statement-based binary logging. To execute such a function, you must use 
> row-based or mixed binary logging. Alternatively, if you explicitly specify 
> DETERMINISTIC in the function definition, you can use any kind of logging, 
> including statement-based logging.
> To relax the preceding conditions on function creation (that you must have 
> the SUPER privilege and that a function must be declared deterministic or to 
> not modify data), set the global log_bin_trust_function_creators system 
> variable to 1. By default, this variable has a value of 0, but you can change 
> it like this: 
> {code:java}
> SET GLOBAL log_bin_trust_function_creators = 1;
> {code}
> If binary logging is not enabled, log_bin_trust_function_creators does not 
> apply. SUPER is not required for function creation unless, as described 
> previously, the DEFINER value in the function definition requires it.
> *Proposed Solution:* We can remove usage of stored function and it can be 
> replaced with the stored procedure.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Re: Review Request 71593: RANGER-2610: NPE in PolicyRefresher if service-policies in policy-cache contain only service definition

[Madhan Neethiraj]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71593/#review218137
---


Ship it!




Ship It!

- Madhan Neethiraj


On Oct. 8, 2019, 6:34 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71593/
> ---
> 
> (Updated Oct. 8, 2019, 6:34 p.m.)
> 
> 
> Review request for ranger and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-2610
> https://issues.apache.org/jira/browse/RANGER-2610
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> If plugin cannot connect to ranger-admin server to download policies, it 
> attempts to load policies from local policy cache file. If that file contains 
> only service-definition, then policy-refresher code throws NPE. It does not 
> affect access evaluation, however, it is better to check for such condition 
> and avoid a NPE in plugin code.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  b81f50c8f 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
>  d4d790274 
> 
> 
> Diff: https://reviews.apache.org/r/71593/diff/1/
> 
> 
> Testing
> ---
> 
> Ran all unit tests.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Review Request 71593: RANGER-2610: NPE in PolicyRefresher if service-policies in policy-cache contain only service definition

[Abhay Kulkarni]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71593/
---

Review request for ranger and Madhan Neethiraj.


Bugs: RANGER-2610
https://issues.apache.org/jira/browse/RANGER-2610


Repository: ranger


Description
---

If plugin cannot connect to ranger-admin server to download policies, it 
attempts to load policies from local policy cache file. If that file contains 
only service-definition, then policy-refresher code throws NPE. It does not 
affect access evaluation, however, it is better to check for such condition and 
avoid a NPE in plugin code.


Diffs
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 b81f50c8f 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java 
d4d790274 


Diff: https://reviews.apache.org/r/71593/diff/1/


Testing
---

Ran all unit tests.


Thanks,

Abhay Kulkarni

[jira] [Created] (RANGER-2610) NPE in PolicyRefresher if service-policies in policy-cache contain only service definition

[Abhay Kulkarni (Jira)]

Abhay Kulkarni created RANGER-2610:
--

 Summary: NPE in PolicyRefresher if service-policies in 
policy-cache contain only service definition
 Key: RANGER-2610
 URL: https://issues.apache.org/jira/browse/RANGER-2610
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Affects Versions: master
Reporter: Abhay Kulkarni
Assignee: Abhay Kulkarni
 Fix For: master


If plugin cannot connect to ranger-admin server to download policies, it 
attempts to load policies from local policy cache file. If that file contains 
only service-definition, then policy-refresher code throws NPE. It does not 
affect access evaluation, however, it is better to check for such condition and 
avoid a NPE in plugin code.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (RANGER-2584) Disable deny and exceptions in policies for NiFi

[Madhan Neethiraj (Jira)]

[ 
https://issues.apache.org/jira/browse/RANGER-2584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16947092#comment-16947092
 ] 

Madhan Neethiraj commented on RANGER-2584:
--

+1 for the patch. Thanks [~bbende]!

> Disable deny and exceptions in policies for NiFi
> 
>
> Key: RANGER-2584
> URL: https://issues.apache.org/jira/browse/RANGER-2584
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Reporter: Matt Gilman
>Assignee: Bryan Bende
>Priority: Minor
> Fix For: 2.1.0
>
> Attachments: 
> 0001-RANGER-2584-Disable-deny-and-exception-in-policies-f.patch
>
>
> NiFi's policies are effectively whitelisting allowed users and groups. NiFi 
> puts forth a best effort to map Ranger policy model into NiFi policy model. 
> We should attempt to align these by disabling deny and exceptions in policies.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (RANGER-2607) Disable deny and exceptions in policies for NiFi Registry

[Madhan Neethiraj (Jira)]

[ 
https://issues.apache.org/jira/browse/RANGER-2607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16947090#comment-16947090
 ] 

Madhan Neethiraj commented on RANGER-2607:
--

+1 for the patch. Thanks [~bbende]!

> Disable deny and exceptions in policies for NiFi Registry
> -
>
> Key: RANGER-2607
> URL: https://issues.apache.org/jira/browse/RANGER-2607
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Reporter: Bryan Bende
>Assignee: Bryan Bende
>Priority: Minor
> Fix For: 2.1.0
>
> Attachments: 
> 0001-RANGER-2607-Disable-deny-and-exception-in-policies-f.patch
>
>
> This Jira is the same change as described in RANGER-2584, but this is for 
> nifi-registry instead of nifi.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[REPORT] Apache Ranger - Sep-2019

[Selvamohan Neethiraj]

Apache Ranger PMC: 
 
Could you please review draft board report below and provide your feedback.
 

Thanks,
Selva-


## Description:
 - Apache Ranger is a framework to enable, monitor and manage comprehensive
   data security across the Hadoop platform

## Issues:
 - There are no issues requiring board attention at this time

## Activity:
 - Community has just released a major release - 2.0.0 and working on 2.1.0 
release.
 - Jira: has usual amount of activities in the community. +100(added)
   -72(resolved) over last 3 months

## Health report:
- Completed release of Apache Ranger 2.0.0 with major upgrade to support latest 
release of Hive, HBase and Hadoop.  
- Community is working on 2.1.0 release with
   - minor Fixes to 2.0.0 releases
   - Java 11 support
   - able to specify multiple ranger host (w/o load balancer)
   - siwtch logging framework to slf4j
 - Also, discussing new features for next major releases
   - authorization plugin for sparkSQL, ElasticSearch and Druid

## PMC changes:
 - Currently 20 PMC members
 - Sailaja Polavarapu was added to the PMC on 2019-09-18.

## Committer base changes:
 - Currently 29 committers
 - Nikhil Purbhe was added as a committer on Wed May 22 2019

## Releases:
 - Apache Ranger 2.0.0 was released on 2019-08-07.
 - Apache Ranger 1.2.0 was released on 2018-10-04.
 - Apache Ranger 1.1.0 was released on 2018-07-09.

## Mailing list activity:
 - Regular activity continues.
 - dev@ranger.apache.org:
- 1216 emails sent to list (905 in previous quarter)
 - u...@ranger.apache.org:
- 15 emails sent to list (43 in previous quarter)

## JIRA activity:
 - 100 JIRA tickets created in the last 3 months
 - 72 JIRA tickets closed/resolved in the last 3 months

[jira] [Commented] (RANGER-2607) Disable deny and exceptions in policies for NiFi Registry

[Bryan Bende (Jira)]

[ 
https://issues.apache.org/jira/browse/RANGER-2607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16947040#comment-16947040
 ] 

Bryan Bende commented on RANGER-2607:
-

[~madhan] thanks for taking a look... yes we are ok with that, we would just 
like it changed for new installs going forward.

> Disable deny and exceptions in policies for NiFi Registry
> -
>
> Key: RANGER-2607
> URL: https://issues.apache.org/jira/browse/RANGER-2607
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Reporter: Bryan Bende
>Assignee: Bryan Bende
>Priority: Minor
> Fix For: 2.1.0
>
> Attachments: 
> 0001-RANGER-2607-Disable-deny-and-exception-in-policies-f.patch
>
>
> This Jira is the same change as described in RANGER-2584, but this is for 
> nifi-registry instead of nifi.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (RANGER-2584) Disable deny and exceptions in policies for NiFi

[Bryan Bende (Jira)]

[ 
https://issues.apache.org/jira/browse/RANGER-2584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16947039#comment-16947039
 ] 

Bryan Bende commented on RANGER-2584:
-

[~madhan] thanks for taking a look... yes we are ok with that, we would just 
like it changed for new installs going forward.

> Disable deny and exceptions in policies for NiFi
> 
>
> Key: RANGER-2584
> URL: https://issues.apache.org/jira/browse/RANGER-2584
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Reporter: Matt Gilman
>Assignee: Bryan Bende
>Priority: Minor
> Fix For: 2.1.0
>
> Attachments: 
> 0001-RANGER-2584-Disable-deny-and-exception-in-policies-f.patch
>
>
> NiFi's policies are effectively whitelisting allowed users and groups. NiFi 
> puts forth a best effort to map Ranger policy model into NiFi policy model. 
> We should attempt to align these by disabling deny and exceptions in policies.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Created] (RANGER-2609) delete permission not present on presto service def json

[Jira]

Pedro Gonçalves Rossi Rodrigues created RANGER-2609:
---

 Summary: delete permission not present on presto service def json
 Key: RANGER-2609
 URL: https://issues.apache.org/jira/browse/RANGER-2609
 Project: Ranger
  Issue Type: Bug
  Components: plugins
Affects Versions: 2.0.0, 2.1.0
Reporter: Pedro Gonçalves Rossi Rodrigues


in here 
([https://github.com/apache/ranger/blob/master/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java#L274)]
 the code check if the user can delete from table and that is ok, but here 
([https://github.com/apache/ranger/blob/master/agents-common/src/main/resources/service-defs/ranger-servicedef-presto.json#L97)]
 the code doesn't expose the delete access to the ranger ui which leads all 
delete from table queries to be denied



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (RANGER-2584) Disable deny and exceptions in policies for NiFi

[Madhan Neethiraj (Jira)]

[ 
https://issues.apache.org/jira/browse/RANGER-2584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16946996#comment-16946996
 ] 

Madhan Neethiraj commented on RANGER-2584:
--

[~bbende] - the update looks good. However, note that the fix will not impact 
Ranger instances that already have nifi service-def; this will work for new 
Ranger instances and Ranger instances that didn't have nifi service-def.

> Disable deny and exceptions in policies for NiFi
> 
>
> Key: RANGER-2584
> URL: https://issues.apache.org/jira/browse/RANGER-2584
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Reporter: Matt Gilman
>Assignee: Bryan Bende
>Priority: Minor
> Fix For: 2.1.0
>
> Attachments: 
> 0001-RANGER-2584-Disable-deny-and-exception-in-policies-f.patch
>
>
> NiFi's policies are effectively whitelisting allowed users and groups. NiFi 
> puts forth a best effort to map Ranger policy model into NiFi policy model. 
> We should attempt to align these by disabling deny and exceptions in policies.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (RANGER-2607) Disable deny and exceptions in policies for NiFi Registry

[Madhan Neethiraj (Jira)]

[ 
https://issues.apache.org/jira/browse/RANGER-2607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16946994#comment-16946994
 ] 

Madhan Neethiraj commented on RANGER-2607:
--

[~bbende] - the update looks good. However, note that the fix will not impact 
Ranger instances that already have nifi-registry service-def; this will work 
for new Ranger instances and Ranger instances that didn't have nifi-registry 
service-def.

> Disable deny and exceptions in policies for NiFi Registry
> -
>
> Key: RANGER-2607
> URL: https://issues.apache.org/jira/browse/RANGER-2607
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Reporter: Bryan Bende
>Assignee: Bryan Bende
>Priority: Minor
> Fix For: 2.1.0
>
> Attachments: 
> 0001-RANGER-2607-Disable-deny-and-exception-in-policies-f.patch
>
>
> This Jira is the same change as described in RANGER-2584, but this is for 
> nifi-registry instead of nifi.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (RANGER-2607) Disable deny and exceptions in policies for NiFi Registry

[Bryan Bende (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-2607?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bryan Bende updated RANGER-2607:

Attachment: 0001-RANGER-2607-Disable-deny-and-exception-in-policies-f.patch

> Disable deny and exceptions in policies for NiFi Registry
> -
>
> Key: RANGER-2607
> URL: https://issues.apache.org/jira/browse/RANGER-2607
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Reporter: Bryan Bende
>Assignee: Bryan Bende
>Priority: Minor
> Attachments: 
> 0001-RANGER-2607-Disable-deny-and-exception-in-policies-f.patch
>
>
> This Jira is the same change as described in RANGER-2584, but this is for 
> nifi-registry instead of nifi.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (RANGER-2584) Disable deny and exceptions in policies for NiFi

[Bryan Bende (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-2584?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bryan Bende updated RANGER-2584:

Attachment: 0001-RANGER-2584-Disable-deny-and-exception-in-policies-f.patch

> Disable deny and exceptions in policies for NiFi
> 
>
> Key: RANGER-2584
> URL: https://issues.apache.org/jira/browse/RANGER-2584
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Reporter: Matt Gilman
>Assignee: Bryan Bende
>Priority: Minor
> Attachments: 
> 0001-RANGER-2584-Disable-deny-and-exception-in-policies-f.patch
>
>
> NiFi's policies are effectively whitelisting allowed users and groups. NiFi 
> puts forth a best effort to map Ranger policy model into NiFi policy model. 
> We should attempt to align these by disabling deny and exceptions in policies.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (RANGER-2608) Create profile for building only security-admin assemby

[Bryan Bende (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-2608?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bryan Bende updated RANGER-2608:

Attachment: 0001-RANGER-2608-Adding-profile-to-build-security-admin-a.patch

> Create profile for building only security-admin assemby
> ---
>
> Key: RANGER-2608
> URL: https://issues.apache.org/jira/browse/RANGER-2608
> Project: Ranger
>  Issue Type: Improvement
>  Components: admin
>Reporter: Bryan Bende
>Assignee: Bryan Bende
>Priority: Trivial
> Attachments: 
> 0001-RANGER-2608-Adding-profile-to-build-security-admin-a.patch
>
>
> The root pom has several profiles for building only a single assembly, but 
> there isn't one for building only the security-admin assembly.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Created] (RANGER-2608) Create profile for building only security-admin assemby

[Bryan Bende (Jira)]

Bryan Bende created RANGER-2608:
---

 Summary: Create profile for building only security-admin assemby
 Key: RANGER-2608
 URL: https://issues.apache.org/jira/browse/RANGER-2608
 Project: Ranger
  Issue Type: Improvement
  Components: admin
Reporter: Bryan Bende
Assignee: Bryan Bende


The root pom has several profiles for building only a single assembly, but 
there isn't one for building only the security-admin assembly.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Created] (RANGER-2607) Disable deny and exceptions in policies for NiFi Registry

[Bryan Bende (Jira)]

Bryan Bende created RANGER-2607:
---

 Summary: Disable deny and exceptions in policies for NiFi Registry
 Key: RANGER-2607
 URL: https://issues.apache.org/jira/browse/RANGER-2607
 Project: Ranger
  Issue Type: Improvement
  Components: plugins
Reporter: Bryan Bende
Assignee: Bryan Bende


This Jira is the same change as described in RANGER-2584, but this is for 
nifi-registry instead of nifi.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Comment Edited] (RANGER-2606) Maven central deployment publishing only the top level ranger artifact

[Velmurugan Periasamy (Jira)]

[ 
https://issues.apache.org/jira/browse/RANGER-2606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16946811#comment-16946811
 ] 

Velmurugan Periasamy edited comment on RANGER-2606 at 10/8/19 12:53 PM:


Thanks [~sneethiraj]. I was able to publish all 2.0.0 artifacts. 
https://search.maven.org/search?q=g:org.apache.ranger



was (Author: vperiasamy):
Thanks [~sneethiraj]. I was able to publish the artifacts. 
https://search.maven.org/search?q=g:org.apache.ranger


> Maven central deployment publishing only the top level ranger artifact
> --
>
> Key: RANGER-2606
> URL: https://issues.apache.org/jira/browse/RANGER-2606
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 2.0.0, 2.1.0
>Reporter: Velmurugan Periasamy
>Assignee: Selvamohan Neethiraj
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: 
> 0001-RANGER-2606-Added-all-modules-to-the-sign-artifacts-master-branch.patch, 
> 0001-RANGER-2606-added-module-to-sign-artifacts-profile-t.patch
>
>
> Following these instructions to publish Apache Ranger artifacts to maven 
> central. 
> https://cwiki.apache.org/confluence/display/RANGER/Publishing+Apache+Ranger+artifacts+to+Maven+Central
> This used to work before, but now it is deploying only the top level 
> artifact. Most likely was caused by 
> https://issues.apache.org/jira/browse/RANGER-2243 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (RANGER-2606) Maven central deployment publishing only the top level ranger artifact

[Velmurugan Periasamy (Jira)]

[ 
https://issues.apache.org/jira/browse/RANGER-2606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16946811#comment-16946811
 ] 

Velmurugan Periasamy commented on RANGER-2606:
--

Thanks [~sneethiraj]. I was able to publish the artifacts. 
https://search.maven.org/search?q=g:org.apache.ranger


> Maven central deployment publishing only the top level ranger artifact
> --
>
> Key: RANGER-2606
> URL: https://issues.apache.org/jira/browse/RANGER-2606
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 2.0.0, 2.1.0
>Reporter: Velmurugan Periasamy
>Assignee: Selvamohan Neethiraj
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: 
> 0001-RANGER-2606-Added-all-modules-to-the-sign-artifacts-master-branch.patch, 
> 0001-RANGER-2606-added-module-to-sign-artifacts-profile-t.patch
>
>
> Following these instructions to publish Apache Ranger artifacts to maven 
> central. 
> https://cwiki.apache.org/confluence/display/RANGER/Publishing+Apache+Ranger+artifacts+to+Maven+Central
> This used to work before, but now it is deploying only the top level 
> artifact. Most likely was caused by 
> https://issues.apache.org/jira/browse/RANGER-2243 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Re: Review Request 71572: RANGER-2600: Ranger Login Sessions audits always show "Login Type" as "Username/Password" even for kerberos login

[Velmurugan Periasamy]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71572/#review218130
---


Ship it!




Ship It!

- Velmurugan Periasamy


On Oct. 7, 2019, 9:28 a.m., Sailaja Polavarapu wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71572/
> ---
> 
> (Updated Oct. 7, 2019, 9:28 a.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, 
> Nitin Galave, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2600
> https://issues.apache.org/jira/browse/RANGER-2600
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Added kerberos Auth Type to support different login methods so that the audit 
> logs show properly.
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/entity/XXAuthSession.java 
> c277158cd 
>   
> security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
>  5c825d839 
>   
> security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
>  eb40cfdf2 
>   security-admin/src/main/java/org/apache/ranger/util/RangerEnumUtil.java 
> 059b75a42 
>   security-admin/src/main/webapp/scripts/utils/XAEnums.js a4a4e0b85 
> 
> 
> Diff: https://reviews.apache.org/r/71572/diff/3/
> 
> 
> Testing
> ---
> 
> 1. Patched cluster and verified both username/password login and kerberos 
> login are working fine.
> 
> 
> Thanks,
> 
> Sailaja Polavarapu
> 
>

Re: Review Request 71587: RANGER-2606: added module to sign-artifacts profile to enable publish of all modules

[Velmurugan Periasamy]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71587/#review218129
---


Ship it!




Ship It!

- Velmurugan Periasamy


On Oct. 8, 2019, 2 a.m., Selvamohan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71587/
> ---
> 
> (Updated Oct. 8, 2019, 2 a.m.)
> 
> 
> Review request for ranger, Colm O hEigeartaigh, Abhay Kulkarni, Ramesh Mani, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2606
> https://issues.apache.org/jira/browse/RANGER-2606
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Added all modules to the sign-artifacts profile to fix this issue ...
> 
> 
> Diffs
> -
> 
>   pom.xml bb2e84728 
> 
> 
> Diff: https://reviews.apache.org/r/71587/diff/2/
> 
> 
> Testing
> ---
> 
> Ran it from v2.0 release codebase to check if it is able to upload as part of 
> the deployment. It works!
> * Also, fixed some of the TAB characters (replaced with SPACE to look nice)
> 
> 
> Thanks,
> 
> Selvamohan Neethiraj
> 
>