Re: Review Request 73497: RANGER-3360: Best Practice: Use updated policy object after pruning the policy object

2021-08-02 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73497/#review223301
---




agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
Line 124 (original), 124 (patched)


A safe/easier fix will be to reassign 'policy':
  policy = getPolicy(); // so that changes done in super.init() are used 
going forward


- Madhan Neethiraj


On Aug. 2, 2021, 8:13 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73497/
> ---
> 
> (Updated Aug. 2, 2021, 8:13 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3360
> https://issues.apache.org/jira/browse/RANGER-3360
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ensure that pruned policy (with the policy-items that have delegated-admin 
> flag set to false removed from copy of the original policy) is used when 
> building policy-engine for delegated-admin processing,
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
>  5c6083e6b 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  831b6d4ad 
> 
> 
> Diff: https://reviews.apache.org/r/73497/diff/1/
> 
> 
> Testing
> ---
> 
> Passed all unit tests.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



Re: Review Request 73497: RANGER-3360: Best Practice: Use updated policy object after pruning the policy object

2021-08-02 Thread Pradeep Agrawal

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73497/#review223300
---


Ship it!




Ship It!

- Pradeep Agrawal


On Aug. 2, 2021, 8:13 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73497/
> ---
> 
> (Updated Aug. 2, 2021, 8:13 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3360
> https://issues.apache.org/jira/browse/RANGER-3360
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ensure that pruned policy (with the policy-items that have delegated-admin 
> flag set to false removed from copy of the original policy) is used when 
> building policy-engine for delegated-admin processing,
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
>  5c6083e6b 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  831b6d4ad 
> 
> 
> Diff: https://reviews.apache.org/r/73497/diff/1/
> 
> 
> Testing
> ---
> 
> Passed all unit tests.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



Re: Review Request 73497: RANGER-3360: Best Practice: Use updated policy object after pruning the policy object

2021-08-02 Thread Velmurugan Periasamy

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73497/#review223299
---


Ship it!




Ship It!

- Velmurugan Periasamy


On Aug. 2, 2021, 8:13 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73497/
> ---
> 
> (Updated Aug. 2, 2021, 8:13 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3360
> https://issues.apache.org/jira/browse/RANGER-3360
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ensure that pruned policy (with the policy-items that have delegated-admin 
> flag set to false removed from copy of the original policy) is used when 
> building policy-engine for delegated-admin processing,
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
>  5c6083e6b 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
>  831b6d4ad 
> 
> 
> Diff: https://reviews.apache.org/r/73497/diff/1/
> 
> 
> Testing
> ---
> 
> Passed all unit tests.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



Review Request 73497: RANGER-3360: Best Practice: Use updated policy object after pruning the policy object

2021-08-02 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73497/
---

Review request for ranger, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, and 
Velmurugan Periasamy.


Bugs: RANGER-3360
https://issues.apache.org/jira/browse/RANGER-3360


Repository: ranger


Description
---

Ensure that pruned policy (with the policy-items that have delegated-admin flag 
set to false removed from copy of the original policy) is used when building 
policy-engine for delegated-admin processing,


Diffs
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
 5c6083e6b 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
 831b6d4ad 


Diff: https://reviews.apache.org/r/73497/diff/1/


Testing
---

Passed all unit tests.


Thanks,

Abhay Kulkarni



[jira] [Assigned] (RANGER-3360) Best Practice: Use updated policy object after pruning the policy object

2021-08-02 Thread Abhay Kulkarni (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3360?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhay Kulkarni reassigned RANGER-3360:
--

Assignee: Abhay Kulkarni

> Best Practice: Use updated policy object after pruning the policy object
> 
>
> Key: RANGER-3360
> URL: https://issues.apache.org/jira/browse/RANGER-3360
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 3.0.0, 2.2.0
>Reporter: Pradeep Agrawal
>Assignee: Abhay Kulkarni
>Priority: Major
> Fix For: 3.0.0, 2.2.0
>
>




--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Updated] (RANGER-3360) Best Practice: Use updated policy object after pruning the policy object

2021-08-02 Thread Pradeep Agrawal (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3360?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pradeep Agrawal updated RANGER-3360:

Summary: Best Practice: Use updated policy object after pruning the policy 
object  (was: non delegate admin user are able to grant access even without 
having delegate admin priv)

> Best Practice: Use updated policy object after pruning the policy object
> 
>
> Key: RANGER-3360
> URL: https://issues.apache.org/jira/browse/RANGER-3360
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 3.0.0, 2.2.0
>Reporter: Pradeep Agrawal
>Priority: Major
> Fix For: 3.0.0, 2.2.0
>
>




--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Updated] (RANGER-3360) non delegate admin user are able to grant access even without having delegate admin priv

2021-08-02 Thread Pradeep Agrawal (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3360?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pradeep Agrawal updated RANGER-3360:

Description: (was: # create ranger admin policy for hrt_21 to allow all 
the privilege
 # use hrt_21 user to grant the privilege with grant option to user hrt_11
 # use hrt_21 user to grant the privilege without grant option to user hrt_12
 # use hrt_12 user to grant the privilege to any other user eg: hrt_13

Expected Result: hrt_12 should not be able to grant privilege to any other user 
as delegate admin/grant option is false for
Actual Result: hrt_12 successfully able to grant privilege to other users

audit shows that operation was allowed by the same policy when actor does not 
have delegate admin privilege)

> non delegate admin user are able to grant access even without having delegate 
> admin priv
> 
>
> Key: RANGER-3360
> URL: https://issues.apache.org/jira/browse/RANGER-3360
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 3.0.0, 2.2.0
>Reporter: Pradeep Agrawal
>Priority: Major
> Fix For: 3.0.0, 2.2.0
>
>




--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Updated] (RANGER-3360) non delegate admin user are able to grant access even without having delegate admin priv

2021-08-02 Thread Pradeep Agrawal (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3360?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pradeep Agrawal updated RANGER-3360:

Fix Version/s: (was: 2.0.1)
   2.2.0

> non delegate admin user are able to grant access even without having delegate 
> admin priv
> 
>
> Key: RANGER-3360
> URL: https://issues.apache.org/jira/browse/RANGER-3360
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 3.0.0, 2.2.0
>Reporter: Pradeep Agrawal
>Priority: Major
> Fix For: 3.0.0, 2.2.0
>
>
> # create ranger admin policy for hrt_21 to allow all the privilege
>  # use hrt_21 user to grant the privilege with grant option to user hrt_11
>  # use hrt_21 user to grant the privilege without grant option to user hrt_12
>  # use hrt_12 user to grant the privilege to any other user eg: hrt_13
> Expected Result: hrt_12 should not be able to grant privilege to any other 
> user as delegate admin/grant option is false for
> Actual Result: hrt_12 successfully able to grant privilege to other users
> audit shows that operation was allowed by the same policy when actor does not 
> have delegate admin privilege



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Created] (RANGER-3360) non delegate admin user are able to grant access even without having delegate admin priv

2021-08-02 Thread Pradeep Agrawal (Jira)
Pradeep Agrawal created RANGER-3360:
---

 Summary: non delegate admin user are able to grant access even 
without having delegate admin priv
 Key: RANGER-3360
 URL: https://issues.apache.org/jira/browse/RANGER-3360
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Affects Versions: 3.0.0, 2.2.0
Reporter: Pradeep Agrawal
 Fix For: 2.0.1, 3.0.0


# create ranger admin policy for hrt_21 to allow all the privilege
 # use hrt_21 user to grant the privilege with grant option to user hrt_11
 # use hrt_21 user to grant the privilege without grant option to user hrt_12
 # use hrt_12 user to grant the privilege to any other user eg: hrt_13

Expected Result: hrt_12 should not be able to grant privilege to any other user 
as delegate admin/grant option is false for
Actual Result: hrt_12 successfully able to grant privilege to other users

audit shows that operation was allowed by the same policy when actor does not 
have delegate admin privilege



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[GitHub] [ranger] alvaroqueiroz commented on pull request #110: Python ranger_client call_api - add case for 404 response

2021-08-02 Thread GitBox


alvaroqueiroz commented on pull request #110:
URL: https://github.com/apache/ranger/pull/110#issuecomment-891028836


   @mneethiraj ?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@ranger.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org




Review Request 73496: RANGER-3359: Upgrade json-smart and nimbus-jose-jwt libraries

2021-08-02 Thread Pradeep Agrawal

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73496/
---

Review request for ranger, Abhishek  Kumar, Dhaval Shah, Abhay Kulkarni, Madhan 
Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, Vishal Suvagia, and 
Velmurugan Periasamy.


Bugs: RANGER-3359
https://issues.apache.org/jira/browse/RANGER-3359


Repository: ranger


Description
---

Here I am proposing to Upgrade json-smart version to 2.3.1 and nimbus-jose-jwt 
to 8.22.1

This patch will also fix the version inconsistency in different modules as 
different version of jars being pulled due to dependency.


Diffs
-

  agents-audit/pom.xml 0b16e53bd 
  agents-common/pom.xml 39efb0c19 
  agents-cred/pom.xml 254d0c1f1 
  credentialbuilder/pom.xml 59d239bb5 
  embeddedwebserver/pom.xml 2d14f3abd 
  kms/pom.xml b65b0b2b2 
  pom.xml 8d81988d4 
  security-admin/pom.xml f64e74781 


Diff: https://reviews.apache.org/r/73496/diff/1/


Testing
---


Thanks,

Pradeep Agrawal



[jira] [Updated] (RANGER-3359) Upgrade json-smart and nimbus-jose-jwt libraries

2021-08-02 Thread Pradeep Agrawal (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3359?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pradeep Agrawal updated RANGER-3359:

Attachment: 0001-RANGER-3359-Upgrade-json-smart-and-nimbus-jose-jwt-l.patch

> Upgrade json-smart and nimbus-jose-jwt libraries
> 
>
> Key: RANGER-3359
> URL: https://issues.apache.org/jira/browse/RANGER-3359
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Pradeep Agrawal
>Assignee: Pradeep Agrawal
>Priority: Major
> Fix For: 3.0.0, 2.2.0
>
> Attachments: 
> 0001-RANGER-3359-Upgrade-json-smart-and-nimbus-jose-jwt-l.patch
>
>
> Proposal to upgrade json-smart version to 2.3.1 and nimbus-jose-jwt version 
> to 8.22.1 and make it same in all the ranger modules.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Created] (RANGER-3359) Upgrade json-smart and nimbus-jose-jwt libraries

2021-08-02 Thread Pradeep Agrawal (Jira)
Pradeep Agrawal created RANGER-3359:
---

 Summary: Upgrade json-smart and nimbus-jose-jwt libraries
 Key: RANGER-3359
 URL: https://issues.apache.org/jira/browse/RANGER-3359
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Reporter: Pradeep Agrawal
Assignee: Pradeep Agrawal
 Fix For: 3.0.0, 2.2.0


Proposal to upgrade json-smart version to 2.3.1 and nimbus-jose-jwt version to 
8.22.1 and make it same in all the ranger modules.

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (RANGER-3259) [Ranger Audit Filter] Ranger role is allowed to delete, even if its used in audit filters

2021-08-02 Thread Dineshkumar Yadav (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-3259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17391445#comment-17391445
 ] 

Dineshkumar Yadav commented on RANGER-3259:
---

Ranger-master commit  
[https://github.com/apache/ranger/commit/cfc033007bcafb1d115825a5c9ed23d4a1a30ee0]

Ranger-2.2 commit 
[https://github.com/apache/ranger/commit/5b186d543a3c671bfdc792135266184ab5c585d9]

> [Ranger Audit Filter] Ranger role is allowed to delete, even if its used in 
> audit filters
> -
>
> Key: RANGER-3259
> URL: https://issues.apache.org/jira/browse/RANGER-3259
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: 2.2.0
>Reporter: Abhishek Shukla
>Assignee: Dineshkumar Yadav
>Priority: Major
>
> Observed that we are able to delete ranger role, even if the role is used in 
> ranger audit filters in some service plugin.
>  
> While if the same ranger role is present in some ranger policy we are not 
> allowed to delete the role unless we remove the role usage from policy OR 
> delete the policy itself.
> cc [~rmani]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)