[jira] [Updated] (RANGER-2810) Kafka with Ranger plugin will fail

2020-05-17 Thread Pradeep Agrawal (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2810?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pradeep Agrawal updated RANGER-2810:

Priority: Blocker  (was: Critical)

> Kafka with Ranger plugin will fail
> --
>
> Key: RANGER-2810
> URL: https://issues.apache.org/jira/browse/RANGER-2810
> Project: Ranger
>  Issue Type: Bug
>  Components: audit
> Affects Versions: 2.0.0
> Environment: CentOS Linux release 7.6.1810 (Core)
> Ranger 2.0.0
> Reporter: bright.zhou
> Assignee: Pradeep Agrawal
> Priority: Blocker
>
> We use the Ranger plugin to administer ACLs of the Kafka cluster. At first, 
> everything is OK, but 10h+ after Kafka starts, something goes wrong. We can 
> see an error in kafka-root.log; the error log is `Authentication failed 
> during authentication due to xxx with SASL mechanism GSSAPI: GSS context targ 
> name protocol error: x`. To solve this we had to restart Kafka. It's so 
> strange that if I change `authorizer.class.name` to 
> `kafka.security.auth.SimpleAclAuthorizer` it will be OK. In theory, Ranger 
> is related to ACLs and not related to SASL authentication, so I want to 
> ask for help.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


Re: Review Request 72500: RANGER-2823: RangerResouceTrie.copySubTree() does not set up TrieNode's child nodes correctly

2020-05-17 Thread Pradeep Agrawal

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72500/#review220800
---


Ship it!




Ship It!

- Pradeep Agrawal


On May 12, 2020, 4:51 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72500/
> ---
> 
> (Updated May 12, 2020, 4:51 p.m.)
> 
> 
> Review request for ranger and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-2823
> https://issues.apache.org/jira/browse/RANGER-2823
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ranger uses Trie object (instance of RangerResourceTrie class) to index 
> policies, tags and zones for efficient searching. The API to deep-copy Trie 
> object does not work correctly, as the information about the child nodes in a 
> TrieNode is not replicated correctly.
> 
> 
> Diffs
> -
> 
>   
>   agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceTrie.java e7d913c54
> 
> 
> Diff: https://reviews.apache.org/r/72500/diff/1/
> 
> 
> Testing
> ---
> 
> Tested by exercising copying existing Trie object and asserting that copy 
> contains the same TrieNode hierarchy as original Trie.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



Re: Review Request 72517: RANGER-2828:RangerExportPolicy with resource filter fails to fetch policies

2020-05-17 Thread Pradeep Agrawal

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72517/#review220799
---


Ship it!




Ship It!

- Pradeep Agrawal


On May 16, 2020, 6:28 a.m., Ramesh Mani wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72517/
> ---
> 
> (Updated May 16, 2020, 6:28 a.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, 
> Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Selvamohan Neethiraj, 
> Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2828
> https://issues.apache.org/jira/browse/RANGER-2828
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> RANGER-2828:RangerExportPolicy with resource filter fails to fetch policies
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 857a597
> 
> 
> Diff: https://reviews.apache.org/r/72517/diff/2/
> 
> 
> Testing
> ---
> 
> Verified in local vm with curl
> curl -k -u admin:admin --verbose -X GET 
> 'http://172.25.34.170:6080/service/plugins/policies/exportJson?serviceName=c349_hive=SZ_SL:database=SZ_SL=hive=self_or_ancestor=full'
>  curl -k -u admin:admin --verbose -X GET 
> 'http://172.25.34.170:6080/service/plugins/policies/exportJson?serviceName=c349_hive=SZ_SL:database=SZ_SL=hive=self_or_ancestor'
> 
> 
> Thanks,
> 
> Ramesh Mani
> 
>



Review Request 72524: RANGER-2830: Update Java patch entry for RANGER-2826 changes

2020-05-17 Thread Pradeep Agrawal

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72524/
---

Review request for ranger, Ankita Sinha, Bolke de Bruin, Don Bosco Durai, 
bhavik patel, Colm O hEigeartaigh, Gautam Borad, Jayendra Parab, Abhay 
Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, pengjianhua, 
Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, Velmurugan Periasamy, 
Qiang Zhang, and Zsombor Gegesy.


Bugs: RANGER-2830
https://issues.apache.org/jira/browse/RANGER-2830


Repository: ranger


Description
---

**Problem Statement:**
1) RANGER-2826 adds a Java patch with sequence J10037, while it already exists: 
https://github.com/apache/ranger/blob/master/security-admin/src/main/java/org/apache/ranger/patch/PatchForMigratingRangerServiceResource_J10037.java
2) The Java patch entry is not in the Ranger core DB schema file.

**Proposed solution:**
1) Rename PatchForPrestoToSupportPresto333_J10037.java to 
PatchForPrestoToSupportPresto333_J10038.java
2) Add Java patch J10038 entry in all flavors of the Ranger core DB schema files.


Diffs
-

  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 4bd242a89
  security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 719a83c5b
  security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 71930f205
  security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 388a7007e
  security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 3f9e47b26
  security-admin/src/main/java/org/apache/ranger/patch/PatchForPrestoToSupportPresto333_J10037.java 17405c726


Diff: https://reviews.apache.org/r/72524/diff/1/


Testing
---

Build successful with the patch.


Thanks,

Pradeep Agrawal



[jira] [Created] (RANGER-2830) Update Java patch entry for RANGER-2826 changes

2020-05-17 Thread Pradeep Agrawal (Jira)
Pradeep Agrawal created RANGER-2830:
---

 Summary: Update Java patch entry for RANGER-2826 changes
 Key: RANGER-2830
 URL: https://issues.apache.org/jira/browse/RANGER-2830
 Project: Ranger
  Issue Type: Sub-task
  Components: Ranger
Affects Versions: 2.1.0
Reporter: Pradeep Agrawal
Assignee: Pradeep Agrawal
 Fix For: 2.1.0


RANGER-2826 has a Java patch, entries for which will be needed in the 
consolidated DB schema patch.





Re: Review Request 72520: RANGER-2829: plugins to support super-users/groups, and audit-exclude-users/groups/roles via configurations

2020-05-17 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72520/#review220797
---


Ship it!




Ship It!

- Abhay Kulkarni


On May 17, 2020, 8:16 p.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72520/
> ---
> 
> (Updated May 17, 2020, 8:16 p.m.)
> 
> 
> Review request for ranger, Kishor Gollapalliwar, Abhay Kulkarni, Mehul 
> Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2829
> https://issues.apache.org/jira/browse/RANGER-2829
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Updated RangerBasePlugins to read super-users/groups and 
> audit-exclude-users/groups/roles from plugin config
> 
> 
> Diffs
> -
> 
>   
>   agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java 89a31ccf6
>   agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 41b24920d
>   agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 2567edb29
> 
> 
> Diff: https://reviews.apache.org/r/72520/diff/1/
> 
> 
> Testing
> ---
> 
> - verified manually by using updated agents-common library
> - updated unit tests to read super-users/groups, 
> audit-exclude-users/groups/roles from plugin-config
> - verified that unit tests pass
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Regarding contributor grant

2020-05-17 Thread Madhan Neethiraj
Sid,

Thanks for your interest in contributing to Apache Ranger. You have been added 
as a contributor. Welcome to the Apache Ranger community!

Regards,
Madhan

On 5/11/20, 1:54 PM, "sidharth mishra"  wrote:

Hi All,

I would like to be a contributor for Ranger. I would really appreciate if
you can grant me the permission.

Regards,
Sid




Review Request 72520: RANGER-2829: plugins to support super-users/groups, and audit-exclude-users/groups/roles via configurations

2020-05-17 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72520/
---

Review request for ranger, Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, 
Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-2829
https://issues.apache.org/jira/browse/RANGER-2829


Repository: ranger


Description
---

Updated RangerBasePlugins to read super-users/groups and 
audit-exclude-users/groups/roles from plugin config


Diffs
-

  
  agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java 89a31ccf6
  agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 41b24920d
  agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java 2567edb29


Diff: https://reviews.apache.org/r/72520/diff/1/


Testing
---

- verified manually by using updated agents-common library
- updated unit tests to read super-users/groups, 
audit-exclude-users/groups/roles from plugin-config
- verified that unit tests pass


Thanks,

Madhan Neethiraj



[jira] [Created] (RANGER-2829) support to specify super-users/groups and audit-exclude-users/groups via plugin config

2020-05-17 Thread Madhan Neethiraj (Jira)
Madhan Neethiraj created RANGER-2829:


 Summary: support to specify super-users/groups and 
audit-exclude-users/groups via plugin config
 Key: RANGER-2829
 URL: https://issues.apache.org/jira/browse/RANGER-2829
 Project: Ranger
  Issue Type: Improvement
  Components: plugins
Reporter: Madhan Neethiraj
Assignee: Madhan Neethiraj


Updates in RANGER-785 added APIs for Ranger plugin implementations to specify 
list of users/groups for whom all access should be allowed without requiring 
explicit policies. This is useful for services like HBase, Kafka which have the 
notion of super users/groups. In addition, updates in RANGER-2780 added APIs to 
specify list of users/groups/roles for whom audit logs are to be skipped.

The plugin implementation needs to explicitly call these APIs to specify the 
list of super users/groups and audit-exclude users/groups/roles. Enhancing 
RangerBasePlugin to read such users/groups/roles lists from plugin configuration 
will spare each implementation from having to call these APIs.

For example, with the following configurations in 
{{ranger-kafka-security.xml}}, Kafka plugin should allow all accesses to user 
{{kafka}}, and not generate audit logs for accesses from user {{kafka}}:
{noformat}
ranger.plugin.kafka.super.users=kafka
ranger.plugin.kafka.audit.exclude.users=kafka
{noformat}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
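
A configuration check for the two properties in the RANGER-2829 description above, added here as an example (it is not Ranger code and not part of the original message): it reads a plugin security file and lists principals that are both super users and audit-excluded, so each can be confirmed as an intended service account. Assumptions: the file uses the Hadoop-style `<configuration>/<property>` XML layout, values are comma-separated, and the `.groups` keys are named by analogy with the `.users` keys shown in the message; the sample file and the function names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Hadoop-style <configuration> layout (not from the original message).
SAMPLE_XML = """<configuration>
  <property><name>ranger.plugin.kafka.super.users</name><value>kafka, admin</value></property>
  <property><name>ranger.plugin.kafka.audit.exclude.users</name><value>kafka,metrics</value></property>
  <property><name>ranger.plugin.kafka.policy.cache.dir</name><value>/constructed/path</value></property>
</configuration>"""


def load_properties(xml_text):
    """Return {name: value} for every <property> element in the config."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def split_list(value):
    """Split a comma-separated value (assumed list syntax) into a set of names."""
    return {item.strip() for item in value.split(",") if item.strip()}


def unaudited_superusers(props, service_type):
    """Per principal kind, list super principals, audit-excluded principals and the overlap."""
    prefix = f"ranger.plugin.{service_type}."
    report = {}
    # ".users" keys are from the message; ".groups" keys are assumed by analogy.
    for kind in ("users", "groups"):
        supers = split_list(props.get(prefix + "super." + kind, ""))
        excluded = split_list(props.get(prefix + "audit.exclude." + kind, ""))
        report[kind] = {
            "super": sorted(supers),
            "audit_excluded": sorted(excluded),
            "super_and_unaudited": sorted(supers & excluded),
        }
    return report


def unapproved(report, approved):
    """Overlap entries that are not on the reviewer-approved service-account list."""
    return [f"{kind}:{name}"
            for kind in sorted(report)
            for name in report[kind]["super_and_unaudited"]
            if name not in approved]


if __name__ == "__main__":
    rep = unaudited_superusers(load_properties(SAMPLE_XML), "kafka")
    print(rep["users"])
    print("needs review:", unapproved(rep, approved={"kafka"}))
```
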


[jira] [Resolved] (RANGER-2826) Update Presto Plugin to support PrestoSql 333

2020-05-17 Thread Madhan Neethiraj (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-2826?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Madhan Neethiraj resolved RANGER-2826.
--
Fix Version/s: 2.1.0
 Assignee: Bolke de Bruin
   Resolution: Fixed

Thank you [~bolke] for the patch!
{noformat}
The following commit(s) were added to refs/heads/master by this push:
 new 454537a  RANGER-2826: updated Presto plugin to support PrestoSQL 
version 333
454537a is described below

commit 454537a95494477312b592256cd38878d004a167
Author: Bolke de Bruin 
AuthorDate: Thu May 14 22:21:55 2020 +0200

RANGER-2826: updated Presto plugin to support PrestoSQL version 333

Signed-off-by: Madhan Neethiraj 
{noformat}

> Update Presto Plugin to support PrestoSql 333
> -
>
> Key: RANGER-2826
> URL: https://issues.apache.org/jira/browse/RANGER-2826
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
> Reporter: Bolke de Bruin
> Assignee: Bolke de Bruin
> Priority: Major
> Fix For: 2.1.0
>
> Attachments: 0001-RANGER-2826-Add-support-for-PrestoSQL-333.patch
>
>
> PrestoSql has updated its security API again and made it backwards 
> incompatible. 





Re: Review Request 72513: Add support for Presto 333

2020-05-17 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72513/#review220796
---


Ship it!




Ship It!

- Madhan Neethiraj


On May 17, 2020, 7:38 a.m., Bolke de Bruin wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72513/
> ---
> 
> (Updated May 17, 2020, 7:38 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, 
> and Ramesh Mani.
> 
> 
> Bugs: https://jira.apache.org/jira/browse/RANGER-2826
> 
> https://issues.apache.org/jira/browse/https://jira.apache.org/jira/browse/RANGER-2826
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Presto 332/333 are backwards incompatible.
> 
> 
> Diffs
> -
> 
>   agents-common/src/main/resources/service-defs/ranger-servicedef-presto.json 4d5b79582
>   plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java d4521a392
>   plugin-presto/src/test/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControlTest.java c00d51986
>   plugin-presto/src/test/resources/presto-policies.json 28eabf2d6
>   pom.xml ebce7c9f0
>   ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java bfb3a5961
>   security-admin/src/main/java/org/apache/ranger/patch/PatchForPrestoToSupportPresto333_J10037.java PRE-CREATION
> 
> 
> Diff: https://reviews.apache.org/r/72513/diff/2/
> 
> 
> Testing
> ---
> 
> Unit tests updated. Production.
> 
> 
> Thanks,
> 
> Bolke de Bruin
> 
>



Re: Review Request 72513: Add support for Presto 333

2020-05-17 Thread Bolke de Bruin


> On May 15, 2020, 2:43 p.m., Madhan Neethiraj wrote:
> > agents-common/src/main/resources/service-defs/ranger-servicedef-presto.json
> > Lines 164 (patched)
> > 
> >
> > Changes in service-def (like addition of resources/access-types, 
> > changes in access-types/data-mask/row-filter) will not be applied to 
> > existing service-def in Ranger. Updating existing service-def would require 
> > a Java patch. Please file a JIRA to track Java patch to handle this.

RANGER-2795 is tracking this


> On May 15, 2020, 2:43 p.m., Madhan Neethiraj wrote:
> > agents-common/src/main/resources/service-defs/ranger-servicedef-presto.json
> > Lines 266 (patched)
> > 
> >
> > I suggest to not change itemId of existing entries; and assign 
> > itemId=13 for the new entry 'execute'.

Sure. Is itemid used anywhere?


> On May 15, 2020, 2:43 p.m., Madhan Neethiraj wrote:
> > plugin-presto/src/test/resources/presto-policies.json
> > Line 1013 (original), 1187 (patched)
> > 
> >
> > Row-filter expressions are likely to refer to columns in the table for 
> > which the filter is applied. When wildcard is allowed in row-filter 
> > policies, it might be challenging to make sure that the row-filter 
> > expression is valid for all the tables covered by the wildcard. When the 
> > row-filter is invalid for a table, the query will fail. Hence wildCard was 
> > disabled for row-filters. Please review to make sure that this is clearly 
> > understood.

I understand your point; however, this is already in master. You are 
commenting on an update to the test policies, which are a reflection of what is 
currently in master.


- Bolke


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72513/#review220783
---


On May 17, 2020, 7:38 a.m., Bolke de Bruin wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72513/
> ---
> 
> (Updated May 17, 2020, 7:38 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, 
> and Ramesh Mani.
> 
> 
> Bugs: https://jira.apache.org/jira/browse/RANGER-2826
> 
> https://issues.apache.org/jira/browse/https://jira.apache.org/jira/browse/RANGER-2826
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Presto 332/333 are backwards incompatible.
> 
> 
> Diffs
> -
> 
>   agents-common/src/main/resources/service-defs/ranger-servicedef-presto.json 4d5b79582
>   plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java d4521a392
>   plugin-presto/src/test/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControlTest.java c00d51986
>   plugin-presto/src/test/resources/presto-policies.json 28eabf2d6
>   pom.xml ebce7c9f0
>   ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java bfb3a5961
>   security-admin/src/main/java/org/apache/ranger/patch/PatchForPrestoToSupportPresto333_J10037.java PRE-CREATION
> 
> 
> Diff: https://reviews.apache.org/r/72513/diff/2/
> 
> 
> Testing
> ---
> 
> Unit tests updated. Production.
> 
> 
> Thanks,
> 
> Bolke de Bruin
> 
>



Re: Review Request 72513: Add support for Presto 333

2020-05-17 Thread Bolke de Bruin

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72513/
---

(Updated May 17, 2020, 7:38 a.m.)


Review request for ranger, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, and 
Ramesh Mani.


Changes
---

- Added upgrade patch
- Addressed comments


Bugs: https://jira.apache.org/jira/browse/RANGER-2826

https://issues.apache.org/jira/browse/https://jira.apache.org/jira/browse/RANGER-2826


Repository: ranger


Description
---

Presto 332/333 are backwards incompatible.


Diffs (updated)
-

  agents-common/src/main/resources/service-defs/ranger-servicedef-presto.json 4d5b79582
  plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java d4521a392
  plugin-presto/src/test/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControlTest.java c00d51986
  plugin-presto/src/test/resources/presto-policies.json 28eabf2d6
  pom.xml ebce7c9f0
  ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java bfb3a5961
  security-admin/src/main/java/org/apache/ranger/patch/PatchForPrestoToSupportPresto333_J10037.java PRE-CREATION


Diff: https://reviews.apache.org/r/72513/diff/2/

Changes: https://reviews.apache.org/r/72513/diff/1-2/


Testing
---

Unit tests updated. Production.


Thanks,

Bolke de Bruin