Re: Review Request 74280: RANGER-4041 : Upgrade netty-all version to 4.1.86.Final

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74280/#review225165
---


Ship it!




Ship It!

- Vishal Suvagia


On Feb. 8, 2023, 6:56 a.m., Himanshu Maurya wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74280/
> ---
> 
> (Updated Feb. 8, 2023, 6:56 a.m.)
> 
> 
> Review request for ranger, bhavik patel, Dhaval Shah, Dineshkumar Yadav, 
> Harshal Chavan, Kishor Gollapalliwar, Madhan Neethiraj, Mehul Parikh, Nitin 
> Galave, Pradeep Agrawal, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4041
> https://issues.apache.org/jira/browse/RANGER-4041
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Upgraded netty-all version from 4.1.85.Final to 4.1.86.Final
> 
> 
> Diffs
> -
> 
>   pom.xml e402bcc5d 
> 
> 
> Diff: https://reviews.apache.org/r/74280/diff/1/
> 
> 
> Testing
> ---
> 
> Tested all CRUD operations like:-
> 1) Policies
> 2) Services
> 3) Zones
> 4) Users/Groups/Roles
> 5) Keys from KMS 
> 6) Checked all Audit event generate properly
> Also checked password and permission updation for users
> Run queries from backend for Hive, HBase, HDFS and YARN as different users 
> and checked the policies and plugins are working good
> 
> 
> Thanks,
> 
> Himanshu Maurya
> 
>

Re: Review Request 74215: RANGER-3976:Upgrade tomcat version to 8.5.83

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74215/#review224907
---


Ship it!




Ship It!

- Vishal Suvagia


On Nov. 24, 2022, 3:07 a.m., bhavik patel wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74215/
> ---
> 
> (Updated Nov. 24, 2022, 3:07 a.m.)
> 
> 
> Review request for ranger.
> 
> 
> Bugs: RANGER-3976
> https://issues.apache.org/jira/browse/RANGER-3976
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Upgrade tomcat version to 8.5.83
> 
> 
> Diffs
> -
> 
>   pom.xml bcb93ed74 
> 
> 
> Diff: https://reviews.apache.org/r/74215/diff/1/
> 
> 
> Testing
> ---
> 
> 1. Junit passed.
> 2. verified policy and user crud operations.
> 
> 
> Thanks,
> 
> bhavik patel
> 
>

Re: Review Request 74211: RANGER-3975:Upgrade netty-all version to 4.1.85.Final

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74211/#review224900
---


Ship it!




Ship It!

- Vishal Suvagia


On Nov. 22, 2022, 11:47 a.m., bhavik patel wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74211/
> ---
> 
> (Updated Nov. 22, 2022, 11:47 a.m.)
> 
> 
> Review request for ranger.
> 
> 
> Bugs: RANGER-3975
> https://issues.apache.org/jira/browse/RANGER-3975
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Upgrade netty-all version to 4.1.85.Final
> 
> 
> Diffs
> -
> 
>   pom.xml 44eef2a0c 
> 
> 
> Diff: https://reviews.apache.org/r/74211/diff/1/
> 
> 
> Testing
> ---
> 
> successfully able to build the package and Junit passed
> 
> 
> Thanks,
> 
> bhavik patel
> 
>

Re: Review Request 74209: RANGER-3972:Upgrade jettison version to 1.5.2

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74209/#review224898
---


Ship it!




Ship It!

- Vishal Suvagia


On Nov. 22, 2022, 8:29 a.m., bhavik patel wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74209/
> ---
> 
> (Updated Nov. 22, 2022, 8:29 a.m.)
> 
> 
> Review request for ranger.
> 
> 
> Bugs: RANGER-3972
> https://issues.apache.org/jira/browse/RANGER-3972
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Upgrade jettison version to 1.5.2
> 
> 
> Diffs
> -
> 
>   pom.xml 44eef2a0c 
> 
> 
> Diff: https://reviews.apache.org/r/74209/diff/1/
> 
> 
> Testing
> ---
> 
> successfully able to build the package and Junit passed
> 
> 
> Thanks,
> 
> bhavik patel
> 
>

Re: Review Request 74210: RANGER-3974:Upgrade jackson version to 2.14.0

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74210/#review224899
---


Ship it!




Ship It!

- Vishal Suvagia


On Nov. 22, 2022, 11:13 a.m., bhavik patel wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74210/
> ---
> 
> (Updated Nov. 22, 2022, 11:13 a.m.)
> 
> 
> Review request for ranger.
> 
> 
> Bugs: RANGER-3974
> https://issues.apache.org/jira/browse/RANGER-3974
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Upgrade jackson version to 2.14.0
> 
> 
> Diffs
> -
> 
>   pom.xml 44eef2a0ceba17d20bee69e441e7c05a90a53ae8 
> 
> 
> Diff: https://reviews.apache.org/r/74210/diff/1/
> 
> 
> Testing
> ---
> 
> successfully able to build the package and Junit passed.
> 
> 
> Thanks,
> 
> bhavik patel
> 
>

Re: Review Request 74208: RANGER-3971: Upgrade HBASE version to 2.4.6

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74208/#review224897
---


Ship it!




Ship It!

- Vishal Suvagia


On Nov. 23, 2022, 4:20 a.m., bhavik patel wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74208/
> ---
> 
> (Updated Nov. 23, 2022, 4:20 a.m.)
> 
> 
> Review request for ranger.
> 
> 
> Bugs: RANGER-3971
> https://issues.apache.org/jira/browse/RANGER-3971
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Upgrade HBASE version to 2.4.6
> 
> 
> Diffs
> -
> 
>   distro/src/main/assembly/admin-web.xml 9b7475492 
>   hbase-agent/pom.xml 7d2638c05 
>   
> hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
>  417c9c892 
>   pom.xml 44eef2a0c 
> 
> 
> Diff: https://reviews.apache.org/r/74208/diff/2/
> 
> 
> Testing
> ---
> 
> 1. Plugin communication is working.
> 2. Hbase service test-connections is working.
> 3. executed Junit using mvn
> 
> 
> Thanks,
> 
> bhavik patel
> 
>

Re: Review Request 74127: Ranger-3880 : Ranger setup fails for newer MySQL versions

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74127/#review224771
---




kms/scripts/dba_script.py
Lines 167 (patched)


Justus, Thank-you for the fix, the issue is reported for 2.3 version, but 
the fix is already in place for 2.3 version.

kms : 
https://github.com/apache/ranger/blob/ranger-2.3/kms/scripts/db_setup.py#L132-L134

can you kindly share which branch is the fix being applied to, do update 
the review request to reflect the same ?



security-admin/scripts/dba_script.py
Lines 194 (patched)


Same for this fix, it is already available in the 2.3 version:
security-admin : 
https://github.com/apache/ranger/blob/ranger-2.3/security-admin/scripts/db_setup.py#L850-L852


- Vishal Suvagia


On Oct. 6, 2022, 8:24 a.m., Justus wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74127/
> ---
> 
> (Updated Oct. 6, 2022, 8:24 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj and Selvamohan Neethiraj.
> 
> 
> Bugs: RANGER-3880
> https://issues.apache.org/jira/browse/RANGER-3880
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ranger Setup fails when using newer MySQL which requires to set useSSL to 
> false explicitly
> 
> 
> Diffs
> -
> 
>   kms/scripts/dba_script.py 544c1201b 
>   security-admin/scripts/dba_script.py 0ba396944 
> 
> 
> Diff: https://reviews.apache.org/r/74127/diff/1/
> 
> 
> Testing
> ---
> 
> The setup works fine.
> 
> 
> Thanks,
> 
> Justus
> 
>

Re: Review Request 74014: RANGER-3739: Add JWT filter in Ranger Admin -- follow-up patch

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74014/#review224488
---


Ship it!




Ship It!

- Vishal Suvagia


On June 8, 2022, 3:19 p.m., Kishor Gollapalliwar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74014/
> ---
> 
> (Updated June 8, 2022, 3:19 p.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, 
> Jayendra Parab, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, 
> Sailaja Polavarapu, Vishal Suvagia, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3739
> https://issues.apache.org/jira/browse/RANGER-3739
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Add JWT auth filter in Ranger Admin, which authenticates browser & 
> non-browser JWT requests without altering existing authentication filters.
> 
> The existing authorization process must be alter to incorporate following 
> cases
> 
> Token   SSO Enabled First Authorizer / Filter
> Present Yes RangerSSOAuthenticationFilter
> Absent  Yes RangerSSOAuthenticationFilter
> Present No  RangerJwtAuthFilter (NEW)
> Absent  No  RangerJwtAuthFilter (NEW)
> 
> Enabled JWT filter by default.
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/resources/conf.dist/security-applicationContext.xml 
> 7db9c3850 
> 
> 
> Diff: https://reviews.apache.org/r/74014/diff/1/
> 
> 
> Testing
> ---
> 
> 1. mvn clean compile package install -U
> 2. Login ModHeader (chrome plugin): invalid JWT
> 3. Login ModHeader (chrome plugin): expired JWT
> 4. Login ModHeader (chrome plugin): tampered JWT
> 5. Login ModHeader (chrome plugin): valid JWT
> 6. Curl Access API: invalid JWT
> 7. Curl Access API: expired JWT
> 8. Curl Access API: tampered JWT
> 9. Curl Access API: valid JWT
> 
> 
> Thanks,
> 
> Kishor Gollapalliwar
> 
>

Re: Review Request 73965: RANGER-3739: Add JWT filter in Ranger Admin

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73965/#review224411
---


Ship it!




Ship It!

- Vishal Suvagia


On May 2, 2022, 11:53 a.m., Kishor Gollapalliwar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73965/
> ---
> 
> (Updated May 2, 2022, 11:53 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Abhay Kulkarni, 
> Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, Vishal 
> Suvagia, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3739
> https://issues.apache.org/jira/browse/RANGER-3739
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Add JWT auth filter in Ranger Admin, which authenticates browser & 
> non-browser JWT requests without altering existing authentication filters.
> 
> The existing authorization process must be alter to incorporate following 
> cases
> 
> Token SSO Enabled First Authorizer / Filter
> Present   Yes RangerSSOAuthenticationFilter
> AbsentYes RangerSSOAuthenticationFilter
> Present   No  RangerJwtAuthFilter (NEW)
> AbsentNo  RangerJwtAuthFilter (NEW)
> 
> 
> Diffs
> -
> 
>   security-admin/pom.xml eaa8db1c1 
>   
> security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerJwtAuthFilter.java
>  PRE-CREATION 
>   
> security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerJwtAuthWrapper.java
>  PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/73965/diff/1/
> 
> 
> Testing
> ---
> 
> 1. mvn clean compile package install -U
> 2. Login ModHeader (chrome plugin): invalid JWT
> 3. Login ModHeader (chrome plugin): expired JWT
> 4. Login ModHeader (chrome plugin): tampered JWT
> 5. Login ModHeader (chrome plugin): valid JWT
> 6. Curl Access API: invalid JWT
> 7. Curl Access API: expired JWT
> 8. Curl Access API: tampered JWT
> 9. Curl Access API: valid JWT
> 
> 
> Thanks,
> 
> Kishor Gollapalliwar
> 
>

Re: Review Request 73973: RANGER-3740: Create Ranger Admin API to refresh tag cache

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73973/#review224409
---


Ship it!




Ship It!

- Vishal Suvagia


On May 5, 2022, 8:43 a.m., Kishor Gollapalliwar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73973/
> ---
> 
> (Updated May 5, 2022, 8:43 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Abhay Kulkarni, 
> Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Vishal Suvagia, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3740
> https://issues.apache.org/jira/browse/RANGER-3740
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Create Ranger Admin API to refresh tag cache, which will help refreshing 
> cache externally.
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java 
> e99b38b4a 
>   
> security-admin/src/main/java/org/apache/ranger/common/RangerServiceTagsCache.java
>  93c283fbc 
>   security-admin/src/main/java/org/apache/ranger/rest/TagREST.java 8b0baf904 
> 
> 
> Diff: https://reviews.apache.org/r/73973/diff/2/
> 
> 
> Testing
> ---
> 
> 1. mvn clean compile package install -U
> 2. Hit API with empty service name 
> (http://localhost:6182/service/tags/tags/cache/reset)
> 3. Hit API with valid service name 
> (http://localhost:6182/service/tags/tags/cache/reset?serviceName=test_hdfs)
> 4. Hit API with invalid service name 
> (http://localhost:6182/service/tags/tags/cache/reset?serviceName=invalid_service)
> 
> 
> Thanks,
> 
> Kishor Gollapalliwar
> 
>

Re: Review Request 73958: RANGER-3727: Create common module for handling authentication

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73958/#review224394
---


Ship it!




Ship It!

- Vishal Suvagia


On April 28, 2022, 11:20 a.m., Kishor Gollapalliwar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73958/
> ---
> 
> (Updated April 28, 2022, 11:20 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Abhay Kulkarni, 
> Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja 
> Polavarapu, Vishal Suvagia, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3727
> https://issues.apache.org/jira/browse/RANGER-3727
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Create common sub-module which will be responsible to handle authentication 
> in project.
> Currently added only JWT auth support, with time will create follow-up 
> patches to add other auths (Kerberos, Delegation Token, etc).
> 
> 
> Diffs
> -
> 
>   pom.xml 52f493e8f 
>   ranger-authn/.gitignore PRE-CREATION 
>   ranger-authn/pom.xml PRE-CREATION 
>   ranger-authn/src/main/java/org/apache/ranger/authz/handler/RangerAuth.java 
> PRE-CREATION 
>   
> ranger-authn/src/main/java/org/apache/ranger/authz/handler/RangerAuthHandler.java
>  PRE-CREATION 
>   
> ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerDefaultJwtAuthHandler.java
>  PRE-CREATION 
>   
> ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java
>  PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/73958/diff/2/
> 
> 
> Testing
> ---
> 
> mvn clean compile package install -U
> 
> 
> Thanks,
> 
> Kishor Gollapalliwar
> 
>

Re: Review Request 73936: RANGER-3695 : Ranger Keystore alias should be configurable

[Vishal Suvagia via Review Board]

> On April 8, 2022, 4 a.m., bhavik patel wrote:
> > embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
> > Line 167 (original), 167 (patched)
> > 
> >
> > default should be "rangeradmin".
> 
> Vishal Suvagia wrote:
> Default is not required, it should be on the user to define the alias 
> value as it is configurable.
> 
> bhavik patel wrote:
> yeah, but if user doesn’t define then from the code it should set the 
> default value

Without the alias value also Ranger comes up fine. Hardcoding a value 
necessicates the keystore to be configured with that hard coded value.
This should not be the case and need to remove the hard coded value, only 
configure it if user defines it ?
Do you see any use case where this value is required mandatorily ?


- Vishal


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73936/#review224269
---


On April 7, 2022, 4:41 p.m., Vishal Suvagia wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73936/
> ---
> 
> (Updated April 7, 2022, 4:41 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, 
> Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan 
> Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3695
> https://issues.apache.org/jira/browse/RANGER-3695
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ranger requires keystore alias for TLS, However keystore alias should be  an 
> optional parameter, hence should be only configured
> if provided by the user.
> Fix contains changes to make the keystore alias optional.
> 
> 
> Diffs
> -
> 
>   
> embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
>  cae9075a7b7726ad5abf2b52f53f612d4223f712 
> 
> 
> Diff: https://reviews.apache.org/r/73936/diff/1/
> 
> 
> Testing
> ---
> 
> Validated changes on a local VM with TLS enabled.
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>

Re: Review Request 73935: RANGER-3669 : Connection to DB fails for MySQL version above 8.0

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73935/
---

(Updated April 8, 2022, 10:57 a.m.)


Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam 
Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, 
Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Apologies had uploaded a previous version of patch by mistake, updated with 
proper fix.


Bugs: RANGER-3669
https://issues.apache.org/jira/browse/RANGER-3669


Repository: ranger


Description
---

Ranger KMS db setup script needs to be updated to support MySql versions 
greater than 8.0
Made changes to allow non-ssl connection with DB for Mysql version greater than 
8.0
made a fix to allow user to define the custom jdbc url which can be used in 
db-setup.
Added missing change for Ranger Admin db-setup in RANGER-3647


Diffs
-

  kms/scripts/db_setup.py 165e30d89443b7e8244ed965c34a5d7219e7d1f3 
  kms/scripts/install.properties 780509dcdd06c13e84f1a860213eb28f3556fa26 
  security-admin/scripts/db_setup.py eaae5c8990724d7ead703d747140a0c3c49289d7 


Diff: https://reviews.apache.org/r/73935/diff/1/


Testing
---

Validated changes locally with available Mysql-8.0 release.


File Attachments (updated)


RANGER-3669.01.patch
  
https://reviews.apache.org/media/uploaded/files/2022/04/08/48106a24-5c65-47d3-b971-7b69f5d7bb79__RANGER-3669.01.patch


Thanks,

Vishal Suvagia

Re: Review Request 73936: RANGER-3695 : Ranger Keystore alias should be configurable

[Vishal Suvagia via Review Board]

> On April 8, 2022, 4 a.m., bhavik patel wrote:
> > embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
> > Line 167 (original), 167 (patched)
> > 
> >
> > default should be "rangeradmin".

Default is not required, it should be on the user to define the alias value as 
it is configurable.


- Vishal


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73936/#review224269
---


On April 7, 2022, 4:41 p.m., Vishal Suvagia wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73936/
> ---
> 
> (Updated April 7, 2022, 4:41 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, 
> Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan 
> Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3695
> https://issues.apache.org/jira/browse/RANGER-3695
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ranger requires keystore alias for TLS, However keystore alias should be  an 
> optional parameter, hence should be only configured
> if provided by the user.
> Fix contains changes to make the keystore alias optional.
> 
> 
> Diffs
> -
> 
>   
> embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
>  cae9075a7b7726ad5abf2b52f53f612d4223f712 
> 
> 
> Diff: https://reviews.apache.org/r/73936/diff/1/
> 
> 
> Testing
> ---
> 
> Validated changes on a local VM with TLS enabled.
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>

Review Request 73936: RANGER-3695 : Ranger Keystore alias should be configurable

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73936/
---

Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam 
Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, 
Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Bugs: RANGER-3695
https://issues.apache.org/jira/browse/RANGER-3695


Repository: ranger


Description
---

Ranger requires keystore alias for TLS, However keystore alias should be  an 
optional parameter, hence should be only configured
if provided by the user.
Fix contains changes to make the keystore alias optional.


Diffs
-

  
embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
 cae9075a7b7726ad5abf2b52f53f612d4223f712 


Diff: https://reviews.apache.org/r/73936/diff/1/


Testing
---

Validated changes on a local VM with TLS enabled.


Thanks,

Vishal Suvagia

Review Request 73935: RANGER-3669 : Connection to DB fails for MySQL version above 8.0

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73935/
---

Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam 
Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, 
Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Bugs: RANGER-3669
https://issues.apache.org/jira/browse/RANGER-3669


Repository: ranger


Description
---

Ranger KMS db setup script needs to be updated to support MySql versions 
greater than 8.0
Made changes to allow non-ssl connection with DB for Mysql version greater than 
8.0
made a fix to allow user to define the custom jdbc url which can be used in 
db-setup.
Added missing change for Ranger Admin db-setup in RANGER-3647


Diffs
-

  kms/scripts/db_setup.py 165e30d89443b7e8244ed965c34a5d7219e7d1f3 
  kms/scripts/install.properties 780509dcdd06c13e84f1a860213eb28f3556fa26 
  security-admin/scripts/db_setup.py eaae5c8990724d7ead703d747140a0c3c49289d7 


Diff: https://reviews.apache.org/r/73935/diff/1/


Testing
---

Validated changes locally with available Mysql-8.0 release.


Thanks,

Vishal Suvagia

Re: Review Request 72024: RANGER-2704 : Support browser login using kerberized authentication.

[Vishal Suvagia via Review Board]

> On April 4, 2022, 1:31 p.m., bhavik patel wrote:
> > security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
> > Lines 607 (patched)
> > 
> >
> > same method is there in RangerKrbFilter class

This is required to check for a kerberos authenticated user to redirect the 
user to login page once the user performs logout.


- Vishal


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72024/#review224245
---


On April 5, 2022, 12:24 p.m., Vishal Suvagia wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72024/
> ---
> 
> (Updated April 5, 2022, 12:24 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, 
> Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan 
> Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2704
> https://issues.apache.org/jira/browse/RANGER-2704
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Need to support browser login using kerberos authentication. Added a logout 
> for an unauthenticated user to redirect to the login page.
> 
> 
> Diffs
> -
> 
>   
> security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
>  223a991c76bae7d25f5ce89604d0a8a90d426fe5 
>   
> security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
>  abbf2d983beb30b59e5d3f6429d6fc226f735793 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
> 0a1128613dca50fe67ea3f891261f1ee449c46db 
> 
> 
> Diff: https://reviews.apache.org/r/72024/diff/2/
> 
> 
> Testing
> ---
> 
> Veriried kerberos ticket authentication is working on a kerberized browser.
> 
> 
> Steps to test for a kerberized browser:
> #1) For Kerberized browsers:
> #1> To open Chrome in kerberos enabled mode need to run below command:
>google-chrome --auth-server-whitelist="*ranger.testserver.com"
> #2> For Firefox, need to go to about:configs and then search for 
> negotiate and then add the host domain
> ranger.testserver.com to the property 
> "network.negotiate-auth.trusted-uris"
> #2) Perform kinit with the required user.
> #3) Open the Ranger Admin portal using FQDN of the server host.
> 
> 
> Known Issue: If there is no valid kerberos ticket, user lands on a blank page 
> and a short hack is to either append locallogin to the URL or refresh the 
> browser tab to redirect to the login page.
> P.S: this issue is not observed on Google Chrome browser
> 
> 
> File Attachments
> 
> 
> RANGER-2704.patch
>   
> https://reviews.apache.org/media/uploaded/files/2020/01/17/8c9682ca-1ade-4281-89e7-d43a8af09300__RANGER-2704.patch
> RANGER-2704.02.patch
>   
> https://reviews.apache.org/media/uploaded/files/2022/04/04/6e737bec-e640-4459-922c-353793172b12__RANGER-2704.02.patch
> RANGER-2704.03.patch
>   
> https://reviews.apache.org/media/uploaded/files/2022/04/05/31e52557-051e-40ba-bc34-5dc6418e06f8__RANGER-2704.03.patch
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>

Re: Review Request 72024: RANGER-2704 : Support browser login using kerberized authentication.

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72024/
---

(Updated April 5, 2022, 12:24 p.m.)


Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam 
Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, 
Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

updated changes to address review comments.


Bugs: RANGER-2704
https://issues.apache.org/jira/browse/RANGER-2704


Repository: ranger


Description
---

Need to support browser login using kerberos authentication. Added a logout for 
an unauthenticated user to redirect to the login page.


Diffs
-

  
security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
 223a991c76bae7d25f5ce89604d0a8a90d426fe5 
  
security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
 abbf2d983beb30b59e5d3f6429d6fc226f735793 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
0a1128613dca50fe67ea3f891261f1ee449c46db 


Diff: https://reviews.apache.org/r/72024/diff/2/


Testing
---

Veriried kerberos ticket authentication is working on a kerberized browser.


Steps to test for a kerberized browser:
#1) For Kerberized browsers:
#1> To open Chrome in kerberos enabled mode need to run below command:
   google-chrome --auth-server-whitelist="*ranger.testserver.com"
#2> For Firefox, need to go to about:configs and then search for negotiate 
and then add the host domain
ranger.testserver.com to the property 
"network.negotiate-auth.trusted-uris"
#2) Perform kinit with the required user.
#3) Open the Ranger Admin portal using FQDN of the server host.


Known Issue: If there is no valid kerberos ticket, user lands on a blank page 
and a short hack is to either append locallogin to the URL or refresh the 
browser tab to redirect to the login page.
P.S: this issue is not observed on Google Chrome browser


File Attachments (updated)


RANGER-2704.patch
  
https://reviews.apache.org/media/uploaded/files/2020/01/17/8c9682ca-1ade-4281-89e7-d43a8af09300__RANGER-2704.patch
RANGER-2704.02.patch
  
https://reviews.apache.org/media/uploaded/files/2022/04/04/6e737bec-e640-4459-922c-353793172b12__RANGER-2704.02.patch
RANGER-2704.03.patch
  
https://reviews.apache.org/media/uploaded/files/2022/04/05/31e52557-051e-40ba-bc34-5dc6418e06f8__RANGER-2704.03.patch


Thanks,

Vishal Suvagia

Re: Review Request 72024: RANGER-2704 : Support browser login using kerberized authentication.

[Vishal Suvagia via Review Board]

> On March 1, 2022, 3:25 a.m., Kirby Zhou wrote:
> > What will happens at following situation?
> > 
> > 1. A kerberosized browser with unauthorized principal want to login to 
> > ranger by HTML form using another user/password.
> > 
> > 2. A kerberosized browser with different KDC want to login to ranger by by 
> > HTML form using another user/password.
> 
> Vishal Suvagia wrote:
> Hi Kirby Zhou,
> There is a flag to enable/disable kerberos based authentication for 
> Ranger UI, it is disabled by default. If the kerberos auth is enabled by 
> setting the flag and any user wants to use user/password credentials to login 
> to Ranger UI it can be done by appending the "/locallogin" to the Ranger URL.
> For e.g : If url for Ranger UI is http://abc.cluster.com:6080 then the 
> local-login url will be http://abc.cluster.com:6080/locallogin
>   using this url, user can get the login page and enter the 
> required user/password credentials.
> 
> Kirby Zhou wrote:
> I known that: If a browser without kerberos try to access 
> kerberos-enabled Ranger UI, it will be forwarded to 
> http://abc.cluster.com:6080/login.jsp
> 
> What I donot know is that: a kerbero-authenticated browser, but its 
> kerberos ticket is rejected by Ranger UI by many ways, what will happen.
> 
> Should I have to let my browser logout kerberos? Or I have to add 
> /locallogin by hand in address bar?

Q) A kerbero-authenticated browser, but its kerberos ticket is rejected by 
Ranger UI by many ways, what will happen.
A) If the ticket is invalid, user will be redirected to the Ranger Login page. 
If it does land on a blank page, user can perform a refresh to get the login 
page.


- Vishal


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72024/#review224105
---


On April 4, 2022, 1:04 p.m., Vishal Suvagia wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72024/
> ---
> 
> (Updated April 4, 2022, 1:04 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, 
> Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan 
> Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2704
> https://issues.apache.org/jira/browse/RANGER-2704
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Need to support browser login using kerberos authentication. Added a logout 
> for an unauthenticated user to redirect to the login page.
> 
> 
> Diffs
> -
> 
>   
> security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
>  223a991c76bae7d25f5ce89604d0a8a90d426fe5 
>   
> security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
>  abbf2d983beb30b59e5d3f6429d6fc226f735793 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
> 0a1128613dca50fe67ea3f891261f1ee449c46db 
> 
> 
> Diff: https://reviews.apache.org/r/72024/diff/2/
> 
> 
> Testing
> ---
> 
> Veriried kerberos ticket authentication is working on a kerberized browser.
> 
> 
> Steps to test for a kerberized browser:
> #1) For Kerberized browsers:
> #1> To open Chrome in kerberos enabled mode need to run below command:
>google-chrome --auth-server-whitelist="*ranger.testserver.com"
> #2> For Firefox, need to go to about:configs and then search for 
> negotiate and then add the host domain
> ranger.testserver.com to the property 
> "network.negotiate-auth.trusted-uris"
> #2) Perform kinit with the required user.
> #3) Open the Ranger Admin portal using FQDN of the server host.
> 
> 
> Known Issue: If there is no valid kerberos ticket, user lands on a blank page 
> and a short hack is to either append locallogin to the URL or refresh the 
> browser tab to redirect to the login page.
> P.S: this issue is not observed on Google Chrome browser
> 
> 
> File Attachments
> 
> 
> RANGER-2704.patch
>   
> https://reviews.apache.org/media/uploaded/files/2020/01/17/8c9682ca-1ade-4281-89e7-d43a8af09300__RANGER-2704.patch
> RANGER-2704.02.patch
>   
> https://reviews.apache.org/media/uploaded/files/2022/04/04/6e737bec-e640-4459-922c-353793172b12__RANGER-2704.02.patch
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>

Re: Review Request 72024: RANGER-2704 : Support browser login using kerberized authentication.

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72024/
---

(Updated April 4, 2022, 1:04 p.m.)


Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam 
Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, 
Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Updated patch to remove unnecessary changes.


Bugs: RANGER-2704
https://issues.apache.org/jira/browse/RANGER-2704


Repository: ranger


Description
---

Need to support browser login using kerberos authentication. Added a logout for 
an unauthenticated user to redirect to the login page.


Diffs
-

  
security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
 223a991c76bae7d25f5ce89604d0a8a90d426fe5 
  
security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
 abbf2d983beb30b59e5d3f6429d6fc226f735793 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
0a1128613dca50fe67ea3f891261f1ee449c46db 


Diff: https://reviews.apache.org/r/72024/diff/2/


Testing (updated)
---

Veriried kerberos ticket authentication is working on a kerberized browser.


Steps to test for a kerberized browser:
#1) For Kerberized browsers:
#1> To open Chrome in kerberos enabled mode need to run below command:
   google-chrome --auth-server-whitelist="*ranger.testserver.com"
#2> For Firefox, need to go to about:configs and then search for negotiate 
and then add the host domain
ranger.testserver.com to the property 
"network.negotiate-auth.trusted-uris"
#2) Perform kinit with the required user.
#3) Open the Ranger Admin portal using FQDN of the server host.


Known Issue: If there is no valid kerberos ticket, user lands on a blank page 
and a short hack is to either append locallogin to the URL or refresh the 
browser tab to redirect to the login page.
P.S: this issue is not observed on Google Chrome browser


File Attachments (updated)


RANGER-2704.patch
  
https://reviews.apache.org/media/uploaded/files/2020/01/17/8c9682ca-1ade-4281-89e7-d43a8af09300__RANGER-2704.patch
RANGER-2704.02.patch
  
https://reviews.apache.org/media/uploaded/files/2022/04/04/6e737bec-e640-4459-922c-353793172b12__RANGER-2704.02.patch


Thanks,

Vishal Suvagia

Re: Review Request 73878: RANGER-3647 : Connection to DB fails for MySQL version above 8.0

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73878/
---

(Updated March 21, 2022, 2:17 p.m.)


Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam 
Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, 
Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Request to kindly review the patch.


Bugs: RANGER-3647
https://issues.apache.org/jira/browse/RANGER-3647


Repository: ranger


Description
---

Observed that Ranger DB setup fails when using with MySQL version above 8.0.


Diffs
-

  security-admin/scripts/db_setup.py ad823b31012c6bee36c29e1f85adc747d4de02ac 
  security-admin/scripts/install.properties 
22868fa316a8b9a7da32218b0d0b5cf9c855ef9e 
  security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java 
b3c41a9d15b8bfe88bcc59e04917284a3fef6dc5 


Diff: https://reviews.apache.org/r/73878/diff/2/


Testing
---

Validated locally by setting up Ranger with available Mysql-8.0 release.


File Attachments


RANGER-3647-01.patch
  
https://reviews.apache.org/media/uploaded/files/2022/03/16/696cd10b-37c0-4caf-8d00-32d80770574c__RANGER-3647-01.patch


Thanks,

Vishal Suvagia

Re: Review Request 72024: RANGER-2704 : Support browser login using kerberized authentication.

[Vishal Suvagia via Review Board]

> On March 1, 2022, 3:25 a.m., Kirby Zhou wrote:
> > What will happens at following situation?
> > 
> > 1. A kerberosized browser with unauthorized principal want to login to 
> > ranger by HTML form using another user/password.
> > 
> > 2. A kerberosized browser with different KDC want to login to ranger by by 
> > HTML form using another user/password.

Hi Kirby Zhou,
There is a flag to enable/disable kerberos based authentication for Ranger UI, 
it is disabled by default. If the kerberos auth is enabled by setting the flag 
and any user wants to use user/password credentials to login to Ranger UI it 
can be done by appending the "/locallogin" to the Ranger URL.
For e.g : If url for Ranger UI is http://abc.cluster.com:6080 then the 
local-login url will be http://abc.cluster.com:6080/locallogin
  using this url, user can get the login page and enter the required 
user/password credentials.


- Vishal


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72024/#review224105
---


On Feb. 28, 2022, 7:35 p.m., Vishal Suvagia wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72024/
> ---
> 
> (Updated Feb. 28, 2022, 7:35 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, 
> Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan 
> Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2704
> https://issues.apache.org/jira/browse/RANGER-2704
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Need to support browser login using kerberos authentication. Added a logout 
> for an unauthenticated user to redirect to the login page.
> 
> 
> Diffs
> -
> 
>   
> security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
>  223a991c76bae7d25f5ce89604d0a8a90d426fe5 
>   
> security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
>  abbf2d983beb30b59e5d3f6429d6fc226f735793 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
> 0a1128613dca50fe67ea3f891261f1ee449c46db 
> 
> 
> Diff: https://reviews.apache.org/r/72024/diff/2/
> 
> 
> Testing
> ---
> 
> Veriried kerberos ticket authentication is working on a kerberized browser.
> 
> 
> Steps to test for a kerberized browser:
> #1) For Kerberized browsers:
> #1> To open Chrome in kerberos enabled mode need to run below command:
>google-chrome --auth-server-whitelist="*ranger.testserver.com"
> #2> For Firefox, need to go to about:configs and then search for 
> negotiate and then add the host domain
> ranger.testserver.com to the property 
> "network.negotiate-auth.trusted-uris"
> #2) Perform kinit with the required user.
> #3) Open the Ranger Admin portal using FQDN of the server host.
> 
> 
> File Attachments
> 
> 
> RANGER-2704.patch
>   
> https://reviews.apache.org/media/uploaded/files/2020/01/17/8c9682ca-1ade-4281-89e7-d43a8af09300__RANGER-2704.patch
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>

Re: Review Request 72024: RANGER-2704 : Support browser login using kerberized authentication.

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72024/
---

(Updated Feb. 28, 2022, 7:35 p.m.)


Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam 
Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, 
Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Bugs: RANGER-2704
https://issues.apache.org/jira/browse/RANGER-2704


Repository: ranger


Description
---

Need to support browser login using kerberos authentication. Added a logout for 
an unauthenticated user to redirect to the login page.


Diffs
-

  
security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
 223a991c76bae7d25f5ce89604d0a8a90d426fe5 
  
security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
 abbf2d983beb30b59e5d3f6429d6fc226f735793 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
0a1128613dca50fe67ea3f891261f1ee449c46db 


Diff: https://reviews.apache.org/r/72024/diff/2/


Testing
---

Veriried kerberos ticket authentication is working on a kerberized browser.


Steps to test for a kerberized browser:
#1) For Kerberized browsers:
#1> To open Chrome in kerberos enabled mode need to run below command:
   google-chrome --auth-server-whitelist="*ranger.testserver.com"
#2> For Firefox, need to go to about:configs and then search for negotiate 
and then add the host domain
ranger.testserver.com to the property 
"network.negotiate-auth.trusted-uris"
#2) Perform kinit with the required user.
#3) Open the Ranger Admin portal using FQDN of the server host.


File Attachments


RANGER-2704.patch
  
https://reviews.apache.org/media/uploaded/files/2020/01/17/8c9682ca-1ade-4281-89e7-d43a8af09300__RANGER-2704.patch


Thanks,

Vishal Suvagia

Review Request 73636: RANGER-3418 : Rotated Ranger admin access logs aren't getting removed

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73636/
---

Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam 
Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, 
Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Bugs: RANGER-3418
https://issues.apache.org/jira/browse/RANGER-3418


Repository: ranger


Description
---

Ranger admin access logs in the configured log directory aren't removed and 
keeps up utilizing unused space. Need to have access logs configurable to have 
older logs purged.


Diffs
-

  
embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
 62a188b95233eb5d07e253030819819cc50d4565 


Diff: https://reviews.apache.org/r/73636/diff/1/


Testing
---

Validated the changes locally.


Thanks,

Vishal Suvagia

Re: Review Request 73568: RANGER-3398: Duplicate JAVA patch suffix should not be allowed

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73568/#review223450
---


Ship it!




Ship It!

- Vishal Suvagia


On Sept. 6, 2021, 7:44 a.m., Kishor Gollapalliwar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73568/
> ---
> 
> (Updated Sept. 6, 2021, 7:44 a.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, 
> Pradeep Agrawal, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3398
> https://issues.apache.org/jira/browse/RANGER-3398
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Duplicate JAVA suffix is allowed. Currently we need a manual human 
> intervention to find and correct. Use case in details as follows.
> 
> ## Use-Case:
> 
> 1. Say user1 & user2 working on a fix in Ranger and they both need JAVA patch 
> changes.
> 2. Assume user1 needs to update table1 and user2 needs to update table2 using 
> java.
> 3. Both Checked latest JAVA patch suffix (say it is _J10050). And used suffix 
> _J10051 for their JAVA files
> 4. If both commits ends up merging. The setup script will apply ONLY one of 
> the both JAVA files (suffixed _J10051) randomly.
> 
> ## Reproduce Steps:
> 
> 1. cd /security-admin/src/main/java/org/apache/ranger/patch/
> 2. Update suffix of last 2 patches such that both contains same suffix
> 3. mvn clean compile package install -U #build ranger
> 4. setup ranger
> 
> To avoid this, we need to fail maven build itself if there are duplicate 
> suffix.
> 
> 
> Diffs
> -
> 
>   security-admin/pom.xml 7ee2b22b2 
> 
> 
> Diff: https://reviews.apache.org/r/73568/diff/1/
> 
> 
> Testing
> ---
> 
> ## In-Valid cases
> 
> 1. Same prefixed files inside patches directory
> 2. Same prefixed files inside audit directory
> 3. Same prefixed files first inside patches second inside audit directory
> 
> ## Valid cases
> 
> 1. NO duplicate prefix
> 
> ## Build
> 
> mvn clean compile package install -U
> 
> 
> Thanks,
> 
> Kishor Gollapalliwar
> 
>

Re: Review Request 73505: RANGER-3355 : Update the current logging mechanism to use custom log4j conf.

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73505/#review223320
---


Ship it!




Ship It!

- Vishal Suvagia


On Aug. 6, 2021, 2:38 p.m., Mateen Mansoori wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73505/
> ---
> 
> (Updated Aug. 6, 2021, 2:38 p.m.)
> 
> 
> Review request for ranger, Dineshkumar Yadav, Jayendra Parab, Abhay Kulkarni, 
> Mehul Parikh, Mugdha Varadkar, Pradeep Agrawal, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3355
> https://issues.apache.org/jira/browse/RANGER-3355
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Update the current logging mechanism to use custom log4j.properties file.
> 
> 
> Diffs
> -
> 
>   embeddedwebserver/scripts/ranger-admin-services.sh 0bc06e1d1 
>   security-admin/scripts/db_setup.py 4dcf6c98f 
>   security-admin/scripts/install.properties 6cde15dff 
>   security-admin/scripts/setup.sh df8d64f0c 
>   security-admin/src/main/webapp/WEB-INF/log4j.properties b47554cdc 
> 
> 
> Diff: https://reviews.apache.org/r/73505/diff/1/
> 
> 
> Testing
> ---
> 
> Tested on local VM.
> Tested : By providing custom location for log4j conf file, Also with defualt 
> log4j conf and default log directory.
> 
> 
> Thanks,
> 
> Mateen Mansoori
> 
>

Review Request 73479: RANGER-3342 : Addendum fix Need to make the Ranger embedded server work directory configurable

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73479/
---

Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam 
Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, 
Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Bugs: RANGER-3342
https://issues.apache.org/jira/browse/RANGER-3342


Repository: ranger


Description
---

Earlier fix included a Logger check for Log Level Fine, but the LOG get level 
is found to be null leading to a
NullPointerException.


Diffs
-

  
embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
 d3b10845556a20915f37e84b26ad050791e5495e 


Diff: https://reviews.apache.org/r/73479/diff/1/


Testing
---

Validated on a cluster.


Thanks,

Vishal Suvagia

Re: Review Request 73463: RANGER-3342 : Need to make the Ranger embedded server work directory configurable

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73463/
---

(Updated July 20, 2021, 9:37 a.m.)


Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam 
Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, 
Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Updated patch to address review comments.


Bugs: RANGER-3342
https://issues.apache.org/jira/browse/RANGER-3342


Repository: ranger


Description
---

Currently the work directory for Ranger embedded server is not configurable.
Need to make the work directory configurable to a custom location so that user 
can customize if required.


Diffs (updated)
-

  
embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
 137168259d9aa55548a3953aff7def6d7228a9e5 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
8842071982f7a5831db4dcbcffd00d6a22a6fb2c 


Diff: https://reviews.apache.org/r/73463/diff/2/

Changes: https://reviews.apache.org/r/73463/diff/1-2/


Testing
---

Validated the changes locally.


Thanks,

Vishal Suvagia

Review Request 73463: RANGER-3342 : Need to make the Ranger embedded server work directory configurable

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73463/
---

Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam 
Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, 
Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Bugs: RANGER-3342
https://issues.apache.org/jira/browse/RANGER-3342


Repository: ranger


Description
---

Currently the work directory for Ranger embedded server is not configurable.
Need to make the work directory configurable to a custom location so that user 
can customize if required.


Diffs
-

  
embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
 137168259d9aa55548a3953aff7def6d7228a9e5 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
8842071982f7a5831db4dcbcffd00d6a22a6fb2c 


Diff: https://reviews.apache.org/r/73463/diff/1/


Testing
---

Validated the changes locally.


Thanks,

Vishal Suvagia

Re: Review Request 73393: RANGER-3303: Improve error handling in Ranger Solr bootstrap

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73393/#review223087
---


Ship it!




Ship It!

- Vishal Suvagia


On June 2, 2021, 7:31 a.m., Mahesh Bandal wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73393/
> ---
> 
> (Updated June 2, 2021, 7:31 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, 
> Gautam Borad, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul 
> Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-3303
> https://issues.apache.org/jira/browse/RANGER-3303
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Handle retries for failure during upload configs and validate ranger_audits 
> collection after create collection action.
> 
> 
> Diffs
> -
> 
>   
> embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/SolrCollectionBootstrapper.java
>  a14b84efa 
> 
> 
> Diff: https://reviews.apache.org/r/73393/diff/2/
> 
> 
> Testing
> ---
> 
> Ranger installation and setup successful.
> Done sanity testing on ranger.
> 
> 
> Thanks,
> 
> Mahesh Bandal
> 
>

Re: Review Request 73360: RANGER-3287 : Implement best practices for logging.

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73360/
---

(Updated May 20, 2021, 12:15 p.m.)


Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam 
Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, 
Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Updated changes as recommended


Bugs: RANGER-3287
https://issues.apache.org/jira/browse/RANGER-3287


Repository: ranger


Description
---

Implement best practices for logging


Diffs (updated)
-

  security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java 
fb892d5c1c3ea6a2b8b74db4d09a886cf1363187 


Diff: https://reviews.apache.org/r/73360/diff/2/

Changes: https://reviews.apache.org/r/73360/diff/1-2/


Testing
---

Validated changes locally.


Thanks,

Vishal Suvagia

Review Request 73360: RANGER-3287 : Implement best practices for logging.

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73360/
---

Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam 
Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, 
Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Bugs: RANGER-3287
https://issues.apache.org/jira/browse/RANGER-3287


Repository: ranger


Description
---

Implement best practices for logging


Diffs
-

  security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java 
fb892d5c1c3ea6a2b8b74db4d09a886cf1363187 


Diff: https://reviews.apache.org/r/73360/diff/1/


Testing
---

Validated changes locally.


Thanks,

Vishal Suvagia

Re: Review Request 73348: RANGER-3251: [Ranger Audit Filters UI] Tag, KMS service not showing the audit filters in UI section

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73348/#review222982
---


Ship it!




Ship It!

- Vishal Suvagia


On May 12, 2021, 5:25 a.m., Kishor Gollapalliwar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73348/
> ---
> 
> (Updated May 12, 2021, 5:25 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Abhay Kulkarni, 
> Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Vishal Suvagia, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-3251
> https://issues.apache.org/jira/browse/RANGER-3251
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Observed that for Tag and KMS service, while clicking on view service button, 
> we are not displaying the audit filters in UI section, instead, we are 
> displaying it as configs. [While the same works for other services like hdfs, 
> hive, etc]
> 
> 
> Diffs
> -
> 
>   agents-common/src/main/resources/service-defs/ranger-servicedef-kms.json 
> 5a2915cea 
>   agents-common/src/main/resources/service-defs/ranger-servicedef-tag.json 
> 7b72f45c1 
> 
> 
> Diff: https://reviews.apache.org/r/73348/diff/1/
> 
> 
> Testing
> ---
> 
> 1. Updated serviceDef with REST endpoint
> 2. List all servcieDefs with REST endpoint
> 3. Login to Ranger Admin and navigated to dashboard
> 4. Updated existing services (previous filter)
> 5. Created new services
> 6. Updated services (new filter)
> 7. Deleted services (new & old)
> 8. Verified upgrade with few services for each service type
> 9. Verified build: mvn clean compile package install
> 
> 
> Thanks,
> 
> Kishor Gollapalliwar
> 
>

Re: Review Request 73338: RANGER-3275 : Need to update solr-config.xml in the ranger-audits collection config-set

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73338/
---

(Updated May 6, 2021, 4:43 p.m.)


Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam 
Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, 
Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Bugs: RANGER-3275
https://issues.apache.org/jira/browse/RANGER-3275


Repository: ranger


Description
---

The solrconfig.xml in the config-set for Ranger needs to be updated in correct 
order to use the ttl configuration properly, without which the documents do not 
contain the ttl and will not expire or purge out even after the ttl is set.


Diffs
-

  security-admin/contrib/solr_for_audit_setup/conf/solrconfig.xml 
2216f665fd197e066585fe527645b218ab25a221 


Diff: https://reviews.apache.org/r/73338/diff/1/


Testing
---

Tested the changes locally, ttl is getting applied to the created documents.


Thanks,

Vishal Suvagia

Re: Review Request 73037: RANGER-3087 :: Making db_setup.py fool-proof and robust

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73037/
---

(Updated Dec. 1, 2020, 4:38 a.m.)


Review request for ranger, Ankita Sinha, Gautam Borad, Jayendra Parab, Mehul 
Parikh, Pradeep Agrawal, and Velmurugan Periasamy.


Bugs: RANGER-3087
https://issues.apache.org/jira/browse/RANGER-3087


Repository: ranger


Description
---

When a user configures a small heap size in install.properties, vm creation in 
db_setup.py fails to apply the java patches with below error.

Error occurred during initialization of VM
Initial heap size set to a larger value than the maximum heap size

As a fix, adding checks for low heap size and setting default heap-size 
accordingly.


Diffs
-

  security-admin/scripts/db_setup.py b448738d11af4dc3508f1c982d323593d2b676f1 


Diff: https://reviews.apache.org/r/73037/diff/1/


Testing
---

Validated changes for fresh install and upgrade from ranger-1.0 to master and 
ranger-2.2 to master with heap-size less than 1024M and 2G.


Thanks,

Vishal Suvagia

Review Request 69509: RANGER-2304 : Need to add property dfs.permissions.ContentSummary.subAccess when enabling Ranger HDFS plugin manually.

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69509/
---

Review request for ranger, Ankita Sinha, bhavik patel, Colm O hEigeartaigh, 
Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, pengjianhua, 
Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, Velmurugan Periasamy, and 
Qiang Zhang.


Bugs: RANGER-2304
https://issues.apache.org/jira/browse/RANGER-2304


Repository: ranger


Description
---

As part of fixes in HDFS-14112 and RANGER-2297, need to update the script that 
handles setting up HDFS authorizer when Ranger HDFS plugin is enabled/disabled, 
as below:
   * Set the property dfs.permissions.ContentSummary.subAccess in hdfs-site.xml 
to ‘true’ when Ranger plugin is   
 enabled.
   * Remove the property dfs.permissions.ContentSummary.subAccess in 
hdfs-site.xml or set to ‘false’ when Ranger plugin
 is disabled.


Diffs
-

  hdfs-agent/conf/hdfs-site-changes.cfg 8088b43f8 
  hdfs-agent/disable-conf/hdfs-site-changes.cfg 652bf2ee8 


Diff: https://reviews.apache.org/r/69509/diff/1/


Testing
---

Tested with a fresh install on Cent-OS, the property 
dfs.permissions.ContentSummary.subAccess is set to true when Ranger HDFS plugin 
is enabled manually.


Thanks,

Vishal Suvagia

Review Request 69112: RANGER-2259 : Need to provide appropriate permisssions for unix-auth files.

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69112/
---

Review request for ranger, Ankita Sinha, Colm O hEigeartaigh, Gautam Borad, 
Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, pengjianhua, Pradeep Agrawal, 
Ramesh Mani, Sailaja Polavarapu, Velmurugan Periasamy, and Qiang Zhang.


Bugs: RANGER-2259
https://issues.apache.org/jira/browse/RANGER-2259


Repository: ranger


Description
---

Need to provide appropriate file level permissions for unix-auth files.


Diffs
-

  unixauthservice/scripts/setup.py e0c8c830ff13aa8abae3c0b20e89e2a27a07d099 


Diff: https://reviews.apache.org/r/69112/diff/1/


Testing
---

Verified with a fresh installation, appropriate permissions are getting applied.


Thanks,

Vishal Suvagia

Re: Review Request 69083: RANGER-2251 : Need to provide options for making java heap size memory configurable in Ranger services.

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69083/
---

(Updated Oct. 22, 2018, 9:01 a.m.)


Review request for ranger, Ankita Sinha, Colm O hEigeartaigh, Gautam Borad, 
Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, 
Sailaja Polavarapu, and Velmurugan Periasamy.


Changes
---

Updating review request.


Bugs: RANGER-2251
https://issues.apache.org/jira/browse/RANGER-2251


Repository: ranger


Description
---

Need to make java heap size memory configurable for Ranger services.


Diffs (updated)
-

  embeddedwebserver/scripts/ranger-admin-services.sh 
990d3c7922351f298277792baa2551efa5e7a1cc 
  kms/scripts/ranger-kms 604d7014c5584d5feef26975c7bfffd8c2194f1e 
  security-admin/scripts/db_setup.py 5ac312fba9c3ddfb8c345d2c2551bab9c49fd67b 
  security-admin/scripts/install.properties 
34c52ebe58b59892ebf5f8fd66d81a73264aa049 
  tagsync/scripts/ranger-tagsync-services.sh 
6fcdf1562569f6203da309936e4762395c9036f0 
  unixauthservice/scripts/ranger-usersync-services.sh 
0c03c5a18eb9a15740df8398e96fc14104277dd2 


Diff: https://reviews.apache.org/r/69083/diff/2/

Changes: https://reviews.apache.org/r/69083/diff/1-2/


Testing
---

Tested with fresh installation for heapsize to be effective for Ranger: Admin, 
Usersycnc, Tagsync and KMS services.


Thanks,

Vishal Suvagia

Review Request 69083: RANGER-2251 : Need to provide options for making java heap size memory configurable in Ranger services.

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69083/
---

Review request for ranger, Ankita Sinha, Colm O hEigeartaigh, Gautam Borad, 
Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, 
Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-2251
https://issues.apache.org/jira/browse/RANGER-2251


Repository: ranger


Description
---

Need to make java heap size memory configurable for Ranger services.


Diffs
-

  embeddedwebserver/scripts/ranger-admin-services.sh 
990d3c7922351f298277792baa2551efa5e7a1cc 
  kms/scripts/ranger-kms 604d7014c5584d5feef26975c7bfffd8c2194f1e 
  security-admin/scripts/db_setup.py 5ac312fba9c3ddfb8c345d2c2551bab9c49fd67b 
  security-admin/scripts/install.properties 
34c52ebe58b59892ebf5f8fd66d81a73264aa049 
  tagsync/scripts/ranger-tagsync-services.sh 
6fcdf1562569f6203da309936e4762395c9036f0 
  unixauthservice/scripts/ranger-usersync-services.sh 
0c03c5a18eb9a15740df8398e96fc14104277dd2 
  unixauthservice/scripts/setup.py e0c8c830ff13aa8abae3c0b20e89e2a27a07d099 


Diff: https://reviews.apache.org/r/69083/diff/1/


Testing
---

Tested with fresh installation for heapsize to be effective for Ranger: Admin, 
Usersycnc, Tagsync and KMS services.


Thanks,

Vishal Suvagia

Re: Review Request 68681: RANGER-2213 Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.90.

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68681/#review208553
---



@Qiang Zhang, Kindly add the testing done with this patch ?

- Vishal Suvagia


On Sept. 11, 2018, 3:07 a.m., Qiang Zhang wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68681/
> ---
> 
> (Updated Sept. 11, 2018, 3:07 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Nitin Galave, pengjianhua, 
> Ramesh Mani, Selvamohan Neethiraj, sam  rome, Venkat Ranganathan, and 
> Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2213
> https://issues.apache.org/jira/browse/RANGER-2213
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> [SECURITY] CVE-2018-1336
> Severity: High 
> Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 
> 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.
> Description: An improper handing of overflow in the UTF-8 decoder with 
> supplementary characters can lead to an infinite loop in the decoder causing 
> a Denial of Service.
> 
> CVE-2018-8014
> Description: The defaults settings for the CORS filter provided in Apache 
> Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 
> 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is 
> expected that users of the CORS filter will have configured it appropriately 
> for their environment rather than using it in the default configuration. 
> Therefore, it is expected that most users will not be impacted by this issue.
> 
> CVE-2018-8034
> Description: The host name verification when using TLS with the WebSocket 
> client was missing. It is now enabled by default. 
> Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 
> 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
> 
> 
> Diffs
> -
> 
>   pom.xml ae3f4be4c 
> 
> 
> Diff: https://reviews.apache.org/r/68681/diff/1/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> Qiang Zhang
> 
>

Review Request 66509: RANGER-2060 : Knox proxy with knox-sso is not working for ranger

[Vishal Suvagia via Review Board]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66509/
---

Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay 
Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Sailaja Polavarapu, 
and Velmurugan Periasamy.


Bugs: RANGER-2060
https://issues.apache.org/jira/browse/RANGER-2060


Repository: ranger


Description
---

Knox proxy with Knox-SSO is not working in a case when HA is enabled for both 
Ranger and Knox.

If Ranger-HA url is rangerha.abc.com:6080 with individual Ranger hosts as 
ranger1.abc.com:6080 and ranger2.abc.com:6080 with Knox hosted on  
knoxha.abc.com:8443 and individual knox hosts as knox1.abc.com and 
knox2.abc.com.

If Ranger load-balancer URL is used in the knox topology for knox-proxy ui.xml, 
redirected url gets corrupted as:
knoxha.abc.com:8443/gateway/?originalUrl=https://knoxha.abc.com:8443,%20knox1.abc.com:8443/gateway//ranger

Additionally: Individually enabling Knox-SSO gives 401-Unauthorized error for 
Ranger to login.


Diffs
-

  
security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
 ec6d78d 
  
security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
 22ba524 


Diff: https://reviews.apache.org/r/66509/diff/1/


Testing
---

Verified Knox-SSO and Knox-Proxy authentication to be working for Ranger-Admin 
in simple and kerberos enabled environments.


Thanks,

Vishal Suvagia

Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

[Vishal Suvagia via Review Board]

> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > 
> >
> > @PengJianhua,
> > I used attached patch and did a build on  my local machine 
> > using mvn clean compile package.
> > After that, I ran the setup for Ranger-Admin. Then I did a 
> > ranger-admin-services start. I am getting error in catalina.out file as the 
> > Tomcat server start itself is failing(PS: attached log file on apache jira).
> > 
> > To resolve the issue I had to add a dependency for javax.annotation-api.
> > 
> > Did the attached patch work for you without adding this dependency ? If 
> > yes Kindly share how did this work for you !
> 
> pengjianhua wrote:
> Ok. I didn't add this dependency. My compiling is ok. Please delete your 
> local maven repository. Then compile the ranger project using the following 
> command:
> sudo mvn clean compile package assembly:assembly install -DskipTests
> 
> Vishal Suvagia wrote:
> Pengjianhua, the compile goes through fine. But did Ranger-Admin service 
> start using the compiled packaged bits. Are you able to access Ranger UI ?
> 
> pengjianhua wrote:
> I can access ranger UI. Your question should have nothing to do with this 
> issue. If I guess good, you should be more in-depth understanding of how to 
> use ranger, please refer to the manual to configure your ranger.
> If you encounter problems during use, you can email me or the community.
> 
> bhavik patel wrote:
> @Pengjianhua : When I try to start Ranger-Admin and Ranger-KMS services, 
> the service start itself is failing and also got the same error in 
> catalina.out which Vishal has attached on jira. 
> 
> Not sure how it's working for you!!!
> 
> Colm O hEigeartaigh wrote:
> It also fails for me with errors in catalina.out like:
> 
> INFO: validateJarFile(../lib/javax.servlet-api-3.1.0.jar) - jar not 
> loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: 
> javax/servlet/Servlet.class
> 
> pengjianhua wrote:
> I compiled the source that I built the patch.Based on the compiling's 
> version I've been testing and verify whether the issue effected the ranger's 
> function. Maybe our lastest modifications introduced new issues. I will also 
> compile the lastest source to further verify the problem you mentioned.
> 
> pengjianhua wrote:
> I'm sorry. In this patch I lacked the tomcat-annotations-api dependency 
> package. I had fixed this patch. Thanks!
> 
> pengjianhua wrote:
> Hi Colm and bhavik patel, Is there any problem now, if there is no 
> problem, I will merge this issue.
> 
> Vishal Suvagia wrote:
> Hi Pengjianhua,
>The versions for  org.apache.tomcat -> annotations-api 
> present here -> 
> https://mvnrepository.com/artifact/org.apache.tomcat/annotations-api do not 
> have a specific build for 7.0.82 (last stable build version is 6.0.53). 
> Additionally recent fixes from tomcat devs suggest that the 
> tomcat.annotations-api has been removed from tomcat-embed-core shipments in 
> favour of javax.annotations-api refer -> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=61439.
> 
> pengjianhua wrote:
> Ok. Thanks. How do you think we should deal with this issue? Should we 
> upgrade directly to tomcat7.0.83 or is there a better way to handle this 
> issue?
> 
> Vishal Suvagia wrote:
> Pengjianhua, Sadly looks like there is no tomcat-7.0.83 build out yet. 
> From what I have tried we will need to add a new dependency for 
> javax.annotation-api -> 
> https://mvnrepository.com/artifact/javax.annotation/javax.annotation-api.
> 
> pengjianhua wrote:
> Hi Vishal Suvagia, please reference to 
> http://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core/7.0.82
>  and 
> http://mvnrepository.com/artifact/org.apache.tomcat/tomcat-annotations-api/7.0.82.

Pengjianhua, my bad, looks like I missed on the tomcat-annotations-api, will 
drop the issue.


- Vishal


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
---


On Dec. 5, 2017, 2:59 a.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> ---
> 
> (Updated Dec. 5, 2017, 2:59 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
> https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> 

Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

[Vishal Suvagia via Review Board]

> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > 
> >
> > @PengJianhua,
> > I used attached patch and did a build on  my local machine 
> > using mvn clean compile package.
> > After that, I ran the setup for Ranger-Admin. Then I did a 
> > ranger-admin-services start. I am getting error in catalina.out file as the 
> > Tomcat server start itself is failing(PS: attached log file on apache jira).
> > 
> > To resolve the issue I had to add a dependency for javax.annotation-api.
> > 
> > Did the attached patch work for you without adding this dependency ? If 
> > yes Kindly share how did this work for you !
> 
> pengjianhua wrote:
> Ok. I didn't add this dependency. My compiling is ok. Please delete your 
> local maven repository. Then compile the ranger project using the following 
> command:
> sudo mvn clean compile package assembly:assembly install -DskipTests
> 
> Vishal Suvagia wrote:
> Pengjianhua, the compile goes through fine. But did Ranger-Admin service 
> start using the compiled packaged bits. Are you able to access Ranger UI ?
> 
> pengjianhua wrote:
> I can access ranger UI. Your question should have nothing to do with this 
> issue. If I guess good, you should be more in-depth understanding of how to 
> use ranger, please refer to the manual to configure your ranger.
> If you encounter problems during use, you can email me or the community.
> 
> bhavik patel wrote:
> @Pengjianhua : When I try to start Ranger-Admin and Ranger-KMS services, 
> the service start itself is failing and also got the same error in 
> catalina.out which Vishal has attached on jira. 
> 
> Not sure how it's working for you!!!
> 
> Colm O hEigeartaigh wrote:
> It also fails for me with errors in catalina.out like:
> 
> INFO: validateJarFile(../lib/javax.servlet-api-3.1.0.jar) - jar not 
> loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: 
> javax/servlet/Servlet.class
> 
> pengjianhua wrote:
> I compiled the source that I built the patch.Based on the compiling's 
> version I've been testing and verify whether the issue effected the ranger's 
> function. Maybe our lastest modifications introduced new issues. I will also 
> compile the lastest source to further verify the problem you mentioned.
> 
> pengjianhua wrote:
> I'm sorry. In this patch I lacked the tomcat-annotations-api dependency 
> package. I had fixed this patch. Thanks!
> 
> pengjianhua wrote:
> Hi Colm and bhavik patel, Is there any problem now, if there is no 
> problem, I will merge this issue.
> 
> Vishal Suvagia wrote:
> Hi Pengjianhua,
>The versions for  org.apache.tomcat -> annotations-api 
> present here -> 
> https://mvnrepository.com/artifact/org.apache.tomcat/annotations-api do not 
> have a specific build for 7.0.82 (last stable build version is 6.0.53). 
> Additionally recent fixes from tomcat devs suggest that the 
> tomcat.annotations-api has been removed from tomcat-embed-core shipments in 
> favour of javax.annotations-api refer -> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=61439.
> 
> pengjianhua wrote:
> Ok. Thanks. How do you think we should deal with this issue? Should we 
> upgrade directly to tomcat7.0.83 or is there a better way to handle this 
> issue?

Pengjianhua, Sadly looks like there is no tomcat-7.0.83 build out yet. From 
what I have tried we will need to add a new dependency for javax.annotation-api 
-> https://mvnrepository.com/artifact/javax.annotation/javax.annotation-api.


- Vishal


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
---


On Dec. 5, 2017, 2:59 a.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> ---
> 
> (Updated Dec. 5, 2017, 2:59 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
> https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code 
> execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615:When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with 
> HTTP PUTs enabled, it was possible to upload a JSP file to the server via a 
> specially crafted request. This JSP could then be 

Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

[Vishal Suvagia via Review Board]

> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > 
> >
> > @PengJianhua,
> > I used attached patch and did a build on  my local machine 
> > using mvn clean compile package.
> > After that, I ran the setup for Ranger-Admin. Then I did a 
> > ranger-admin-services start. I am getting error in catalina.out file as the 
> > Tomcat server start itself is failing(PS: attached log file on apache jira).
> > 
> > To resolve the issue I had to add a dependency for javax.annotation-api.
> > 
> > Did the attached patch work for you without adding this dependency ? If 
> > yes Kindly share how did this work for you !
> 
> pengjianhua wrote:
> Ok. I didn't add this dependency. My compiling is ok. Please delete your 
> local maven repository. Then compile the ranger project using the following 
> command:
> sudo mvn clean compile package assembly:assembly install -DskipTests
> 
> Vishal Suvagia wrote:
> Pengjianhua, the compile goes through fine. But did Ranger-Admin service 
> start using the compiled packaged bits. Are you able to access Ranger UI ?
> 
> pengjianhua wrote:
> I can access ranger UI. Your question should have nothing to do with this 
> issue. If I guess good, you should be more in-depth understanding of how to 
> use ranger, please refer to the manual to configure your ranger.
> If you encounter problems during use, you can email me or the community.
> 
> bhavik patel wrote:
> @Pengjianhua : When I try to start Ranger-Admin and Ranger-KMS services, 
> the service start itself is failing and also got the same error in 
> catalina.out which Vishal has attached on jira. 
> 
> Not sure how it's working for you!!!
> 
> Colm O hEigeartaigh wrote:
> It also fails for me with errors in catalina.out like:
> 
> INFO: validateJarFile(../lib/javax.servlet-api-3.1.0.jar) - jar not 
> loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: 
> javax/servlet/Servlet.class
> 
> pengjianhua wrote:
> I compiled the source that I built the patch.Based on the compiling's 
> version I've been testing and verify whether the issue effected the ranger's 
> function. Maybe our lastest modifications introduced new issues. I will also 
> compile the lastest source to further verify the problem you mentioned.
> 
> pengjianhua wrote:
> I'm sorry. In this patch I lacked the tomcat-annotations-api dependency 
> package. I had fixed this patch. Thanks!
> 
> pengjianhua wrote:
> Hi Colm and bhavik patel, Is there any problem now, if there is no 
> problem, I will merge this issue.

Hi Pengjianhua,
   The versions for  org.apache.tomcat -> annotations-api present 
here -> https://mvnrepository.com/artifact/org.apache.tomcat/annotations-api do 
not have a specific build for 7.0.82 (last stable build version is 6.0.53). 
Additionally recent fixes from tomcat devs suggest that the 
tomcat.annotations-api has been removed from tomcat-embed-core shipments in 
favour of javax.annotations-api refer -> 
https://bz.apache.org/bugzilla/show_bug.cgi?id=61439.


- Vishal


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
---


On Dec. 5, 2017, 2:59 a.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> ---
> 
> (Updated Dec. 5, 2017, 2:59 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
> https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code 
> execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615:When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with 
> HTTP PUTs enabled, it was possible to upload a JSP file to the server via a 
> specially crafted request. This JSP could then be requested and any code it 
> contained would be executed by the server.
> CVE-2017-12616:When using a VirtualDirContext with Apache Tomcat 7.0.0 to 
> 7.0.80, it was possible to use a specially crafted request, bypass security 
> constraints, or get the source code of JSPs for resources served by the 
> VirtualDirContext, thereby cased code disclosure.
> 
> Scope
> CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official 

Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

[Vishal Suvagia via Review Board]

> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > 
> >
> > @PengJianhua,
> > I used attached patch and did a build on  my local machine 
> > using mvn clean compile package.
> > After that, I ran the setup for Ranger-Admin. Then I did a 
> > ranger-admin-services start. I am getting error in catalina.out file as the 
> > Tomcat server start itself is failing(PS: attached log file on apache jira).
> > 
> > To resolve the issue I had to add a dependency for javax.annotation-api.
> > 
> > Did the attached patch work for you without adding this dependency ? If 
> > yes Kindly share how did this work for you !
> 
> pengjianhua wrote:
> Ok. I didn't add this dependency. My compiling is ok. Please delete your 
> local maven repository. Then compile the ranger project using the following 
> command:
> sudo mvn clean compile package assembly:assembly install -DskipTests

Pengjianhua, the compile goes through fine. But did Ranger-Admin service start 
using the compiled packaged bits. Are you able to access Ranger UI ?


- Vishal


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
---


On Nov. 30, 2017, 1:55 p.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> ---
> 
> (Updated Nov. 30, 2017, 1:55 p.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
> https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code 
> execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615:When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with 
> HTTP PUTs enabled, it was possible to upload a JSP file to the server via a 
> specially crafted request. This JSP could then be requested and any code it 
> contained would be executed by the server.
> CVE-2017-12616:When using a VirtualDirContext with Apache Tomcat 7.0.0 to 
> 7.0.80, it was possible to use a specially crafted request, bypass security 
> constraints, or get the source code of JSPs for resources served by the 
> VirtualDirContext, thereby cased code disclosure.
> 
> Scope
> CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two 
> vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -
> 
>   pom.xml 589cd6ac 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/3/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> pengjianhua
> 
>