----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/74142/#review224760 -----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java Lines 34 (patched) <https://reviews.apache.org/r/74142/#comment313543> Could we document what this configFile should contain? If it is user entered, then can we validate that it has all the fields we are expecting? agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java Lines 44 (patched) <https://reviews.apache.org/r/74142/#comment313537> Does this have sensitive information? If so, we should print in debug logs agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java Lines 50 (patched) <https://reviews.apache.org/r/74142/#comment313540> Should strToken = null? So that the caller would know if the request failed? agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java Lines 58 (patched) <https://reviews.apache.org/r/74142/#comment313542> Should we check if the post was successfull? E.g. check for HTTP return code? agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java Lines 63 (patched) <https://reviews.apache.org/r/74142/#comment313538> Instead of doing e.toString(), can we just pass "e" to the logger? So the stack trace will be printed? agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java Lines 64 (patched) <https://reviews.apache.org/r/74142/#comment313539> Since we are printing using logger, do we need to print to stderr also? agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java Lines 67 (patched) <https://reviews.apache.org/r/74142/#comment313541> Would the response be null if the Unirest.post() throws an Exception? We could probably move this code within the try block above agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromDataFile.java Lines 35 (patched) <https://reviews.apache.org/r/74142/#comment313547> Any reason this is class member attribute rather than defining it within the method getFromDataFile(). If i t is okay to have it class member attribute, then should we worry about multi-thread safety scenarios? agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromDataFile.java Lines 48 (patched) <https://reviews.apache.org/r/74142/#comment313545> We should probably ident this properly. It seems as if though it is closing the try block. agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromDataFile.java Lines 60 (patched) <https://reviews.apache.org/r/74142/#comment313546> Can we pass the exception as ",e", so that we can print the stack trace? agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromURL.java Lines 39 (patched) <https://reviews.apache.org/r/74142/#comment313548> What should we do if the GetBearerToken.getBearerToken() fails for any reason? agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromURL.java Lines 49 (patched) <https://reviews.apache.org/r/74142/#comment313550> Should return from here or rethrow the exception if the Unirest.get() request fails? agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromURL.java Lines 50 (patched) <https://reviews.apache.org/r/74142/#comment313549> Do we need to print in stderr agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java Lines 34 (patched) <https://reviews.apache.org/r/74142/#comment313551> Any reason we are having this has class static? It seems, line number 39 redefines it with the class method? Same the member attribute decodedSecrets also agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java Lines 41 (patched) <https://reviews.apache.org/r/74142/#comment313552> Is it secure to print sensitive information? agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java Lines 50 (patched) <https://reviews.apache.org/r/74142/#comment313553> Is it secure to print sensitive information? agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java Lines 55 (patched) <https://reviews.apache.org/r/74142/#comment313555> What is the purpose for this method? Is it just to read the entire file into a string object? If so, should we use class method like File.readString()? agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java Lines 56 (patched) <https://reviews.apache.org/r/74142/#comment313558> To optimize on memory, should we StringBuffer here? agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java Lines 59 (patched) <https://reviews.apache.org/r/74142/#comment313557> Can we use closable (try()) here? So that even there is an exception, the stream will be closed agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java Lines 66 (patched) <https://reviews.apache.org/r/74142/#comment313559> Should pass the exception as parameter? So we can get the stack trace? agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java Lines 67 (patched) <https://reviews.apache.org/r/74142/#comment313560> Do we need to print this in stderr? agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java Lines 73 (patched) <https://reviews.apache.org/r/74142/#comment313561> Can we use closable here? So that even on exception the stream is closed. agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java Lines 77 (patched) <https://reviews.apache.org/r/74142/#comment313562> Any reason we are supressing this error? Should we propagate for the caller so it can be handled appropriately? agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerExternalUserStoreRetriever.java Lines 54 (patched) <https://reviews.apache.org/r/74142/#comment313563> Do we need to handle failure to getFromURL() method ? agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerExternalUserStoreRetriever.java Lines 56 (patched) <https://reviews.apache.org/r/74142/#comment313564> Is it okay to ignore this exception? Can we also remove the next line? agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerExternalUserStoreRetriever.java Lines 69 (patched) <https://reviews.apache.org/r/74142/#comment313565> This seems to be internal comcast class. What happens if this is not available in the opensource? agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerRoleUserStoreRetriever.java Lines 76 (patched) <https://reviews.apache.org/r/74142/#comment313566> Does need to be in the seperate line? - Don Bosco Durai On Sept. 26, 2022, 7:17 p.m., Barbara Eckman wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/74142/ > ----------------------------------------------------------- > > (Updated Sept. 26, 2022, 7:17 p.m.) > > > Review request for ranger and madhan. > > > Bugs: Ranger-3855 > https://issues.apache.org/jira/browse/Ranger-3855 > > > Repository: ranger > > > Description > ------- > > RangerExternalUserStoreRetriever class Ranger-3855 > > Ranger version 3.0.0 provides a means, via a context enricher, to add or > retrieve attributes to the database of users for whom Ranger controls access. > This permits syntax like "Dumbo" in $USER.aliases any Ranger policy > condition, including row and tag filters. This greatly enhances the ability > to provide custom Attribute-based Access Control based on the specific > business needs of one's organization. > > I believe that the original assumption was that such attributes would be > added to AD/LDAP and enter Ranger via regular user sync's. However, this > process does not currently work with Azure AD, which many organizations use. > Neither does it provide timely support for organizations for whom adding each > new attribute to AD would be subject to prolonged scrutiny by overworked > security teams. > > In the spirit of the RangerAdminUserStoreRetriever context enricher, we have > written a RangerExternalUserStoreRetriever class which adds arbitrary > attributes to Ranger users via external API calls, thus freeing additions to > the UserStore from dependency on AD/LDAP. We have also written a > RangerRoleUserStoreRetriever class, which transforms role membership into > user attributes, for ease of use in complex policy conditions. > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromDataFile.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromURL.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/LICENSE > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/NOTICE > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/README.md > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerExternalUserStoreRetriever.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerRoleUserStoreRetriever.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/TokenInputs.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/pom.xml > PRE-CREATION > plugin-nestedstructure/README.md ea878f6a2 > > > Diff: https://reviews.apache.org/r/74142/diff/1/ > > > Testing > ------- > > > Thanks, > > Barbara Eckman > >