Re: Review Request 68128: RANGER-2170:Ranger supports plugin to enable, monitor and manage Elasticsearch

Zsombor Gegesy Fri, 10 Aug 2018 05:50:21 -0700

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68128/#review207073
-----------------------------------------------------------





plugin-elasticsearch/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuthorizer.java
Lines 99 (patched)
<https://reviews.apache.org/r/68128/#comment290256>

    I don't get it, why this clientIPAddress is used. This is not a client IP 
address, but the current ElasticServer's address. This could confuse the users. 
Why not leaving just empty, if ES won't provide it automatically?



plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/client/ElasticsearchClient.java
Lines 139 (patched)
<https://reviews.apache.org/r/68128/#comment290258>

    I guess, joptsimple.internal.Strings.EMPTY is just "". I don't think, it is 
good idea to depend on a library just for this - and this library is not 
directly included in the pom.



ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/RangerElasticserachPlugin.java
Lines 50 (patched)
<https://reviews.apache.org/r/68128/#comment290259>

    RangerElasticserachPlugin -> RangerElasticsearchPlugin



ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/action/filter/RangerSecurityActionFilter.java
Lines 76 (patched)
<https://reviews.apache.org/r/68128/#comment290262>

    Isn't it possible to get the user's IP address from action.remoteAddress()? 
I'm not too familiar with ES inner workings.



ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/action/filter/RangerSecurityActionFilter.java
Lines 88 (patched)
<https://reviews.apache.org/r/68128/#comment290261>

    Isn't it a security problem, if no user name is there, the plugin allows 
everything?


- Zsombor Gegesy


On Aug. 1, 2018, 9:27 a.m., Qiang Zhang wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68128/
> -----------------------------------------------------------
> 
> (Updated Aug. 1, 2018, 9:27 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, pengjianhua, Ramesh Mani, 
> Selvamohan Neethiraj, sam  rome, Venkat Ranganathan, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2170
>     https://issues.apache.org/jira/browse/RANGER-2170
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Elasticsearch is a distributed, RESTful search and analytics engine capable 
> of solving a growing number of use cases. 
> Like Apache Solr, it is also an index server based on Lucence.
> Ranger supports plugin to enable, monitor and manage Elasticsearch,
> to control index security of Elasticsearch.
> 
> As there is X-Pack plugin for the Elasticsearch, but it is not free.
> X-Pack is an Elastic Stack extension that bundles security, alerting, 
> monitoring, reporting, 
> and graph capabilities into one easy-to-install package.
> We refer to the Indices Privileges design of X-Pack,
> by keeping the permissions consistent,
> to make user use ranger Elasticsearch plugin easily.
> Reference X-Pack Indices Privileges:
> https://www.elastic.co/guide/en/x-pack/current/security-privileges.html
> 
> Here we develop Ranger Elasticsearch plugin, based on Elasticsearch version 
> 6.2.2.
> Elasticsearch 6.2.2 was released in February 20, 2018, reference 
> release-notes:
> https://www.elastic.co/guide/en/elasticsearch/reference/6.2/release-notes-6.2.2.html
> Not like other system, Elasticsearch has no basic authentication, 
> it uses X-pack plugin to support basic authentication, 
> role-based access control, SSL/TLS encryption, LDAP and so on.
> Not like X-pack, our Ranger Elasticsearch plugin is designed to do 
> authorization,
> it is to control index of Elasticsearch without authentication,
> this plugin should work with other Elasticsearch plugin to authenticate users.
> 
> 
> Diffs
> -----
> 
>   agents-common/scripts/enable-agent.sh ce0dc8c 
>   agents-common/src/main/java/org/apache/ranger/plugin/client/BaseClient.java 
> e654f2b 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
>  5e74da8 
>   
> agents-common/src/main/resources/service-defs/ranger-servicedef-elasticsearch.json
>  PRE-CREATION 
>   plugin-elasticsearch/.gitignore PRE-CREATION 
>   plugin-elasticsearch/conf/ranger-elasticsearch-audit-changes.cfg 
> PRE-CREATION 
>   plugin-elasticsearch/conf/ranger-elasticsearch-audit.xml PRE-CREATION 
>   plugin-elasticsearch/conf/ranger-elasticsearch-security-changes.cfg 
> PRE-CREATION 
>   plugin-elasticsearch/conf/ranger-elasticsearch-security.xml PRE-CREATION 
>   plugin-elasticsearch/conf/ranger-policymgr-ssl-changes.cfg PRE-CREATION 
>   plugin-elasticsearch/conf/ranger-policymgr-ssl.xml PRE-CREATION 
>   plugin-elasticsearch/pom.xml PRE-CREATION 
>   plugin-elasticsearch/scripts/install.properties PRE-CREATION 
>   
> plugin-elasticsearch/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuthorizer.java
>  PRE-CREATION 
>   
> plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/RangerServiceElasticsearch.java
>  PRE-CREATION 
>   
> plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/client/ElasticsearchClient.java
>  PRE-CREATION 
>   
> plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/client/ElasticsearchResourceMgr.java
>  PRE-CREATION 
>   
> plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/privilege/IndexPrivilege.java
>  PRE-CREATION 
>   
> plugin-elasticsearch/src/main/java/org/apache/ranger/services/elasticsearch/privilege/IndexPrivilegeUtils.java
>  PRE-CREATION 
>   pom.xml 8d7ea13 
>   ranger-elasticsearch-plugin-shim/.gitignore PRE-CREATION 
>   ranger-elasticsearch-plugin-shim/conf/plugin-descriptor.properties 
> PRE-CREATION 
>   ranger-elasticsearch-plugin-shim/conf/plugin-security.policy PRE-CREATION 
>   ranger-elasticsearch-plugin-shim/pom.xml PRE-CREATION 
>   
> ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAccessControl.java
>  PRE-CREATION 
>   
> ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/authorizer/RangerElasticsearchAuthorizer.java
>  PRE-CREATION 
>   
> ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/RangerElasticserachPlugin.java
>  PRE-CREATION 
>   
> ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/action/filter/RangerSecurityActionFilter.java
>  PRE-CREATION 
>   
> ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/authc/user/UsernamePasswordToken.java
>  PRE-CREATION 
>   
> ranger-elasticsearch-plugin-shim/src/main/java/org/apache/ranger/authorization/elasticsearch/plugin/rest/filter/RangerSecurityRestFilter.java
>  PRE-CREATION 
>   src/main/assembly/admin-web.xml d0f3545 
>   src/main/assembly/plugin-elasticsearch.xml PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/68128/diff/1/
> 
> 
> Testing
> -------
> 
> #Test Steps:
> 
> 1.Intall
> Ranger Elasticsearch Plugin Installation Guide        
> https://cwiki.apache.org/confluence/display/RANGER/Elasticsearch+Plugin
> Include install Elasticsearch and Ranger Elasticsearch Plugin,
> and verify install result.
> 
> 2.Create policy in Ranger Admin
> User "elasticsearch" has all permissions on all indices.
> User "yuwen" has permission "read" on index "twitter".
> 
> 3.Test permission
> 
> 3.1 successful:
> curl -u elasticsearch:xxx -X GET "localhost:9200/twitter/_stats?pretty"
> curl -u elasticsearch:xxx -X GET "localhost:9200/twitter2/_stats?pretty"
> curl -u yuwen:xxx -X GET "localhost:9200/twitter/_stats?pretty"
> 
> 3.2 failed:
> curl -X GET "localhost:9200/twitter/_stats?pretty"
> {
>   "error" : {
>     "root_cause" : [
>       {
>         "type" : "status_exception",
>         "reason" : "Error: User is null, the request requires user 
> authentication."
>       }
>     ],
>     "type" : "status_exception",
>     "reason" : "Error: User is null, the request requires user 
> authentication."
>   },
>   "status" : 401
> }
> 
> curl -u yuwen:xxx -X GET "localhost:9200/twitter2/_stats?pretty"
> {
>   "error" : {
>     "root_cause" : [
>       {
>         "type" : "status_exception",
>         "reason" : "Error: User[yuwen] could not do 
> action[indices:monitor/stats] on index[twitter2]"
>       }
>     ],
>     "type" : "status_exception",
>     "reason" : "Error: User[yuwen] could not do action[indices:monitor/stats] 
> on index[twitter2]"
>   },
>   "status" : 403
> }
> 
> 
> Thanks,
> 
> Qiang Zhang
> 
>

Re: Review Request 68128: RANGER-2170:Ranger supports plugin to enable, monitor and manage Elasticsearch

Reply via email to