-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68128/#review207073
-----------------------------------------------------------



plugin-elasticsearch/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuthorizer.java
Lines 99 (patched)
<https://reviews.apache.org/r/68128/#comment290256>

    I don't get why this clientIPAddress is used. This is not a client IP address, but the current Elasticsearch server's address. This could confuse the users. Why not just leave it empty, if ES won't provide it automatically?



plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/client/ElasticsearchClient.java
Lines 139 (patched)
<https://reviews.apache.org/r/68128/#comment290258>

    I guess joptsimple.internal.Strings.EMPTY is just "". I don't think it is a good idea to depend on a library just for this - and this library is not directly included in the pom.



ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/RangerElasticserachPlugin.java
Lines 50 (patched)
<https://reviews.apache.org/r/68128/#comment290259>

    RangerElasticserachPlugin -> RangerElasticsearchPlugin



ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/action/filter/RangerSecurityActionFilter.java
Lines 76 (patched)
<https://reviews.apache.org/r/68128/#comment290262>

    Isn't it possible to get the user's IP address from action.remoteAddress()? I'm not too familiar with ES inner workings.



ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/action/filter/RangerSecurityActionFilter.java
Lines 88 (patched)
<https://reviews.apache.org/r/68128/#comment290261>

    Isn't it a security problem that, if no user name is there, the plugin allows everything?


- Zsombor Gegesy


On Aug. 1, 2018, 9:27 a.m., Qiang Zhang wrote:

> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68128/
> -----------------------------------------------------------
> 
> (Updated Aug. 1, 2018, 9:27 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, pengjianhua, Ramesh Mani, Selvamohan Neethiraj, sam rome, Venkat Ranganathan, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2170
>     https://issues.apache.org/jira/browse/RANGER-2170
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Elasticsearch is a distributed, RESTful search and analytics engine capable of solving a growing number of use cases.
> Like Apache Solr, it is also an index server based on Lucene.
> Ranger supports a plugin to enable, monitor and manage Elasticsearch, to control index security of Elasticsearch.
> 
> There is the X-Pack plugin for Elasticsearch, but it is not free.
> X-Pack is an Elastic Stack extension that bundles security, alerting, monitoring, reporting, and graph capabilities into one easy-to-install package.
> We refer to the Indices Privileges design of X-Pack, keeping the permissions consistent, to make it easy for users to use the Ranger Elasticsearch plugin.
> Reference X-Pack Indices Privileges:
> https://www.elastic.co/guide/en/x-pack/current/security-privileges.html
> 
> Here we develop the Ranger Elasticsearch plugin, based on Elasticsearch version 6.2.2.
> Elasticsearch 6.2.2 was released on February 20, 2018; reference release notes:
> https://www.elastic.co/guide/en/elasticsearch/reference/6.2/release-notes-6.2.2.html
> Unlike other systems, Elasticsearch has no basic authentication; it uses the X-Pack plugin to support basic authentication, role-based access control, SSL/TLS encryption, LDAP and so on.
> Unlike X-Pack, our Ranger Elasticsearch plugin is designed to do authorization; it controls Elasticsearch indices without authentication, so this plugin should work with another Elasticsearch plugin to authenticate users.
> 
> 
> Diffs
> -----
> 
>   agents-common/scripts/enable-agent.sh ce0dc8c 
>   agents-common/src/main/java/org/apache/ranger/plugin/client/BaseClient.java e654f2b 
>   agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java 5e74da8 
>   agents-common/src/main/resources/service-defs/ranger-servicedef-elasticsearch.json PRE-CREATION 
>   plugin-elasticsearch/.gitignore PRE-CREATION 
>   plugin-elasticsearch/conf/ranger-elasticsearch-audit-changes.cfg PRE-CREATION 
>   plugin-elasticsearch/conf/ranger-elasticsearch-audit.xml PRE-CREATION 
>   plugin-elasticsearch/conf/ranger-elasticsearch-security-changes.cfg PRE-CREATION 
>   plugin-elasticsearch/conf/ranger-elasticsearch-security.xml PRE-CREATION 
>   plugin-elasticsearch/conf/ranger-policymgr-ssl-changes.cfg PRE-CREATION 
>   plugin-elasticsearch/conf/ranger-policymgr-ssl.xml PRE-CREATION 
>   plugin-elasticsearch/pom.xml PRE-CREATION 
>   plugin-elasticsearch/scripts/install.properties PRE-CREATION 
>   plugin-elasticsearch/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuthorizer.java PRE-CREATION 
>   plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/RangerServiceElasticsearch.java PRE-CREATION 
>   plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/client/ElasticsearchClient.java PRE-CREATION 
>   plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/client/ElasticsearchResourceMgr.java PRE-CREATION 
>   plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/privilege/IndexPrivilege.java PRE-CREATION 
>   plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/privilege/IndexPrivilegeUtils.java PRE-CREATION 
>   pom.xml 8d7ea13 
>   ranger-elasticsearch-plugin-shim/.gitignore PRE-CREATION 
>   ranger-elasticsearch-plugin-shim/conf/plugin-descriptor.properties PRE-CREATION 
>   ranger-elasticsearch-plugin-shim/conf/plugin-security.policy PRE-CREATION 
>   ranger-elasticsearch-plugin-shim/pom.xml PRE-CREATION 
>   ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAccessControl.java PRE-CREATION 
>   ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuthorizer.java PRE-CREATION 
>   ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/RangerElasticserachPlugin.java PRE-CREATION 
>   ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/action/filter/RangerSecurityActionFilter.java PRE-CREATION 
>   ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/authc/user/UsernamePasswordToken.java PRE-CREATION 
>   ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/rest/filter/RangerSecurityRestFilter.java PRE-CREATION 
>   src/main/assembly/admin-web.xml d0f3545 
>   src/main/assembly/plugin-elasticsearch.xml PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/68128/diff/1/
> 
> 
> Testing
> -------
> 
> #Test Steps:
> 
> 1. Install
> Ranger Elasticsearch Plugin Installation Guide
> https://cwiki.apache.org/confluence/display/RANGER/Elasticsearch+Plugin
> Includes installing Elasticsearch and the Ranger Elasticsearch Plugin, and verifying the install result.
> 
> 2. Create policy in Ranger Admin
> User "elasticsearch" has all permissions on all indices.
> User "yuwen" has permission "read" on index "twitter".
> 
> 3. Test permission
> 
> 3.1 successful:
> curl -u elasticsearch:xxx -X GET "localhost:9200/twitter/_stats?pretty"
> curl -u elasticsearch:xxx -X GET "localhost:9200/twitter2/_stats?pretty"
> curl -u yuwen:xxx -X GET "localhost:9200/twitter/_stats?pretty"
> 
> 3.2 failed:
> curl -X GET "localhost:9200/twitter/_stats?pretty"
> {
>   "error" : {
>     "root_cause" : [
>       {
>         "type" : "status_exception",
>         "reason" : "Error: User is null, the request requires user authentication."
>       }
>     ],
>     "type" : "status_exception",
>     "reason" : "Error: User is null, the request requires user authentication."
>   },
>   "status" : 401
> }
> 
> curl -u yuwen:xxx -X GET "localhost:9200/twitter2/_stats?pretty"
> {
>   "error" : {
>     "root_cause" : [
>       {
>         "type" : "status_exception",
>         "reason" : "Error: User[yuwen] could not do action[indices:monitor/stats] on index[twitter2]"
>       }
>     ],
>     "type" : "status_exception",
>     "reason" : "Error: User[yuwen] could not do action[indices:monitor/stats] on index[twitter2]"
>   },
>   "status" : 403
> }
> 
> 
> Thanks,
> 
> Qiang Zhang
> 
>
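As an added example (not part of this review thread or the Ranger plugin's code), a minimal Java model of the index authorization decision exercised in the test steps above, written fail-closed so that a request without an authenticated user gets 401 rather than being allowed through, which is the concern raised on RangerSecurityActionFilter line 88. The class name, the in-memory policy map and treating the stats action as the "read" privilege are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Constructed model of a fail-closed index authorizer; not the Ranger plugin. */
public class FailClosedIndexAuthorizer {

    /** Policy store (assumption): user -> index name or "*" -> privileges or "*". */
    private final Map<String, Map<String, Set<String>>> policies = new HashMap<>();

    public void grant(String user, String index, String... privileges) {
        policies.computeIfAbsent(user, u -> new HashMap<>())
                .computeIfAbsent(index, i -> new HashSet<>())
                .addAll(Arrays.asList(privileges));
    }

    /** Returns an HTTP-style status: 401 for no user, 403 for no matching grant, 200 otherwise. */
    public int authorize(String user, String index, String privilege) {
        // Fail closed: a missing user is rejected, never treated as "anything goes".
        if (user == null || user.trim().isEmpty()) {
            return 401;
        }
        Map<String, Set<String>> byIndex = policies.getOrDefault(user, Collections.emptyMap());
        // A wildcard index grant or a grant on this exact index may satisfy the request.
        for (String pattern : Arrays.asList("*", index)) {
            Set<String> privs = byIndex.getOrDefault(pattern, Collections.emptySet());
            if (privs.contains("*") || privs.contains(privilege)) {
                return 200;
            }
        }
        return 403;
    }

    public static void main(String[] args) {
        FailClosedIndexAuthorizer authz = new FailClosedIndexAuthorizer();
        // Policies from step 2 of the test steps.
        authz.grant("elasticsearch", "*", "*");
        authz.grant("yuwen", "twitter", "read");

        // Assumption: indices:monitor/stats is mapped to the "read" privilege here.
        System.out.println("elasticsearch on twitter2: " + authz.authorize("elasticsearch", "twitter2", "read"));
        System.out.println("yuwen on twitter: " + authz.authorize("yuwen", "twitter", "read"));
        System.out.println("no user on twitter: " + authz.authorize(null, "twitter", "read"));
        System.out.println("yuwen on twitter2: " + authz.authorize("yuwen", "twitter2", "read"));
    }
}
```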