[ranger] branch master updated: RANGER-3484:Ranger usersync directory is being created as root owner

2021-12-07 Thread bpatel
This is an automated email from the ASF dual-hosted git repository.

bpatel pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 0258fcf  RANGER-3484:Ranger usersync directory is being created as 
root owner
0258fcf is described below

commit 0258fcf7ab25473b056fffc103840806c18fdcad
Author: Bhavik Patel 
AuthorDate: Tue Oct 19 12:11:10 2021 +0530

RANGER-3484:Ranger usersync directory is being created as root owner
---
 unixauthservice/scripts/setup.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/unixauthservice/scripts/setup.py b/unixauthservice/scripts/setup.py
index 5e19ea1..3ac686f 100755
--- a/unixauthservice/scripts/setup.py
+++ b/unixauthservice/scripts/setup.py
@@ -504,7 +504,8 @@ def main():
 os.chown(ugsyncLogFolderName, ownerId, groupId)
 os.chown(rangerBaseDirName, ownerId, groupId)
 os.chown(usersyncBaseDirFullName, ownerId, groupId)
-
+os.chown(pid_dir_path, ownerId, groupId)
+os.chmod(pid_dir_path, 0o755)
 initializeInitD(ownerName)
 
 #
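Review bot: The new `os.chown`/`os.chmod` pair on pid_dir_path is the only place in this run that sets an explicit mode, and nothing says why 0o755 is needed here while the sibling directories above keep their existing modes; a one-line comment such as `# explicit mode: <reason the pid dir must be 0o755 for the service user>` (reason filled in by the author) would stop the next maintainer from "tidying" it away. Since the commit title indicates setup runs as root, both calls follow symlinks, so guarding with `if os.path.isdir(pid_dir_path) and not os.path.islink(pid_dir_path):` before re-owning keeps setup from changing ownership of anything linked into that location. main() begins and ends outside the hunk, so whether pid_dir_path is created earlier cannot be confirmed here; if it is not, the chown will raise FileNotFoundError.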


[ranger] branch master updated: RANGER-3298. Add coarse option for Hive URI permission check

2021-12-07 Thread rmani
This is an automated email from the ASF dual-hosted git repository.

rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new fcea574  RANGER-3298. Add coarse option for Hive URI permission check
fcea574 is described below

commit fcea57497766576c97591801fcd81e63b9a532b0
Author: Symious 
AuthorDate: Fri May 28 00:20:50 2021 +0800

RANGER-3298. Add coarse option for Hive URI permission check

Signed-off-by: Ramesh Mani 
---
 .../hadoop/constants/RangerHadoopConstants.java|  2 +
 hive-agent/conf/ranger-hive-security.xml   |  8 +++
 .../hive/authorizer/RangerHiveAuthorizer.java  | 64 --
 3 files changed, 46 insertions(+), 28 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
 
b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
index 31e4c0f..6675125 100644
--- 
a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
+++ 
b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
@@ -42,6 +42,8 @@ public class RangerHadoopConstants {
public static final boolean 
HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_DEFAULT_VALUE = true;
public static final String  
HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP   = 
"xasecure.hive.describetable.showcolumns.authorization.option";
public static final String  
HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP_DEFAULT_VALUE = "NONE";
+   public static final String  HIVE_URI_PERMISSION_COARSE_CHECK = 
"xasecure.hive.uri.permission.coarse.check";
+   public static final boolean 
HIVE_URI_PERMISSION_COARSE_CHECK_DEFAULT_VALUE = false;
 
public static final String  
HBASE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_PROP= 
"xasecure.hbase.update.xapolicies.on.grant.revoke";
public static final boolean 
HBASE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE = true;
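Review bot: The new constant `HIVE_URI_PERMISSION_COARSE_CHECK` drops the `_PROP` suffix that its neighbours use for property-name constants (`HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP`), so `HIVE_URI_PERMISSION_COARSE_CHECK_PROP` and `HIVE_URI_PERMISSION_COARSE_CHECK_PROP_DEFAULT_VALUE` would keep the naming scheme consistent. Because this switch relaxes an authorization check, a Javadoc on the constant should state that: `/** When true, the recursive permission check for URIs is skipped (see xasecure.hive.uri.permission.coarse.check); the default false keeps the stricter recursive check. */`. The description added in hive-agent/conf/ranger-hive-security.xml could carry the same sentence so operators see that the default is the stricter setting.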
diff --git a/hive-agent/conf/ranger-hive-security.xml 
b/hive-agent/conf/ranger-hive-security.xml
index 3a5fc54..3f38dea 100644
--- a/hive-agent/conf/ranger-hive-security.xml
+++ b/hive-agent/conf/ranger-hive-security.xml
@@ -86,4 +86,12 @@
RangerRestClient read Timeout in Milli Seconds


+
+   
+   xasecure.hive.uri.permission.coarse.check
+   false
+   
+   Skip recursive permission check for URIs.
+   
+   
 
diff --git 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index dc6e2eb..ad857e4 100644
--- 
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ 
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -66,6 +66,7 @@ import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveResourceACLs;
 import org.apache.hadoop.hive.ql.session.SessionState;
 import org.apache.hadoop.ipc.Server;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
 import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
 import org.apache.ranger.authorization.utils.StringUtil;
 import org.apache.ranger.plugin.model.RangerPolicy;
@@ -861,7 +862,7 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
 }
 
 if (shouldCheckAccess) {
-  if (!isURIAccessAllowed(user, permission, path, fs)) {
+  if (!isURIAccessAllowed(user, permission, path, fs, 
RangerHivePlugin.URIPermissionCoarseCheck)) {
 throw new HiveAccessControlException(
 String.format("Permission denied: user [%s] does not have 
[%s] privilege on [%s]", user,
 permission.name(), path));
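Review bot: `RangerHivePlugin.URIPermissionCoarseCheck` is read as a static field but is named in UpperCamelCase, which reads like a type name; Java convention is `uriPermissionCoarseCheck` for a field or `URI_PERMISSION_COARSE_CHECK` for a constant, so the new call would be `if (!isURIAccessAllowed(user, permission, path, fs, RangerHivePlugin.uriPermissionCoarseCheck)) {`. The same line is added again in the hunk at @@ -959 and the declaration is not in this patch, so the rename has to be done in all three places. If the field is a mutable static populated from configuration, it should be `volatile` (or `final`) so reads from authorizer threads see the configured value; that cannot be confirmed from this hunk. The enclosing method starts and ends outside the hunk.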
@@ -959,7 +960,7 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
 }
 
 if (shouldCheckAccess) {
-  if (!isURIAccessAllowed(user, permission, path, fs)) {
+  if (!isURIAccessAllowed(user, permission, path, fs, 
RangerHivePlugin.URIPermissionCoarseCheck)) {
 throw new HiveAccessControlException(
 String.format("Permission denied: user [%s] does not have 
[%s] privilege on [%s]", user,
 permission.name(), path));
@@ -2098,41 +2099,46 @@ public class RangerHiveAuthorizer extends 
RangerHiveAuthorizerBase {
}
 
   private boolean isURIAccessAllowed(String userName, FsAction action, Path 
filePath, 

[ranger] branch master updated: RANGER-2967: Add support for Amazon CloudWatch Logs as an Audit Store

2021-12-07 Thread pradeep
This is an automated email from the ASF dual-hosted git repository.

pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new 25def39  RANGER-2967: Add support for Amazon CloudWatch Logs as an 
Audit Store
25def39 is described below

commit 25def39b1c833b4e18ff657929656be3c37bcd8f
Author: Yao Zhou 
AuthorDate: Tue Aug 25 10:53:50 2020 +0530

RANGER-2967: Add support for Amazon CloudWatch Logs as an Audit Store

Signed-off-by: pradeep 
---
 agents-audit/pom.xml   |  15 ++
 .../AmazonCloudWatchAuditDestination.java  | 182 +
 .../audit/provider/AuditProviderFactory.java   |   2 +
 hbase-agent/conf/ranger-hbase-audit-changes.cfg|   5 +
 hbase-agent/scripts/install.properties |  12 ++
 hdfs-agent/conf/ranger-hdfs-audit-changes.cfg  |   5 +
 hdfs-agent/scripts/install.properties  |  12 ++
 hive-agent/conf/ranger-hive-audit-changes.cfg  |   5 +
 hive-agent/scripts/install.properties  |  12 ++
 kms/scripts/install.properties |  12 ++
 knox-agent/conf/ranger-knox-audit-changes.cfg  |   5 +
 knox-agent/scripts/install.properties  |  12 ++
 plugin-atlas/conf/ranger-atlas-audit-changes.cfg   |   6 +
 plugin-atlas/scripts/install.properties|  12 ++
 .../conf/ranger-elasticsearch-audit-changes.cfg|   5 +
 plugin-elasticsearch/scripts/install.properties|  12 ++
 plugin-kafka/conf/ranger-kafka-audit-changes.cfg   |   5 +
 plugin-kafka/scripts/install.properties|  12 ++
 plugin-kms/conf/ranger-kms-audit-changes.cfg   |   5 +
 plugin-kylin/conf/ranger-kylin-audit-changes.cfg   |   5 +
 plugin-kylin/scripts/install.properties|  12 ++
 plugin-ozone/conf/ranger-ozone-audit-changes.cfg   |   5 +
 plugin-ozone/scripts/install.properties|  12 ++
 plugin-presto/conf/ranger-presto-audit-changes.cfg |   5 +
 plugin-presto/scripts/install.properties   |  12 ++
 plugin-solr/conf/ranger-solr-audit-changes.cfg |   5 +
 plugin-solr/scripts/install.properties |  12 ++
 plugin-sqoop/conf/ranger-sqoop-audit-changes.cfg   |   5 +
 plugin-sqoop/scripts/install.properties|  12 ++
 plugin-yarn/conf/ranger-yarn-audit-changes.cfg |   5 +
 plugin-yarn/scripts/install.properties |  12 ++
 .../AmazonCloudWatchAuditDestinationTest.java  |  79 +
 storm-agent/conf/ranger-storm-audit-changes.cfg|   5 +
 storm-agent/scripts/install.properties |  12 ++
 34 files changed, 534 insertions(+)

diff --git a/agents-audit/pom.xml b/agents-audit/pom.xml
index 5607242..33fa256 100644
--- a/agents-audit/pom.xml
+++ b/agents-audit/pom.xml
@@ -31,6 +31,17 @@
 3.0.0-SNAPSHOT
 ..
 
+
+
+
+com.amazonaws
+aws-java-sdk-bom
+1.11.327
+pom
+import
+
+
+
 
 
 org.apache.ranger
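Review bot: The BOM pin `aws-java-sdk-bom` 1.11.327 is hard-coded inside the dependencyManagement block rather than lifted into a version property, and, to my knowledge, it is a 2018-era release of the v1 SDK while the commit lands in late 2021. Lifting it into a property such as `<aws.sdk.version>` (placeholder name) makes it visible to whatever dependency-update and vulnerability-scan process the project runs, which matters because the `aws-java-sdk-logs` artifact added in the second hunk pulls in the SDK core and HTTP client transitively. A short comment next to the BOM entry stating why this particular version was chosen would also help the next upgrade.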
@@ -334,5 +345,9 @@
 
 
 
+
+com.amazonaws
+aws-java-sdk-logs
+
 
 
diff --git 
a/agents-audit/src/main/java/org/apache/ranger/audit/destination/AmazonCloudWatchAuditDestination.java
 
b/agents-audit/src/main/java/org/apache/ranger/audit/destination/AmazonCloudWatchAuditDestination.java
new file mode 100644
index 000..b236a26
--- /dev/null
+++ 
b/agents-audit/src/main/java/org/apache/ranger/audit/destination/AmazonCloudWatchAuditDestination.java
@@ -0,0 +1,182 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.audit.destination;
+
+import java.util.Collection;
+import java.util.Comparator;
+import java.util.Properties;
+import java.util.stream.Collectors;
+
+import com.amazonaws.services.logs.AWSLogs;
+import com.amazonaws.services.logs.AWSLogsClientBuilder;
+import com.amazonaws.services.logs.model.CreateLogStreamRequest;
+import com.amazonaws.services.logs.model.InputLogEvent;
+import 

[ranger] branch master updated: RANGER-3538: Reduce the granularity of locking when building/retrieving a policy-engine within Ranger admin service

2021-12-07 Thread abhay
This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new d3af747  RANGER-3538: Reduce the granularity of locking when 
building/retrieving a policy-engine within Ranger admin service
d3af747 is described below

commit d3af7476dcab3719b8a75b506b10400640f3bf3e
Author: Abhay Kulkarni 
AuthorDate: Tue Dec 7 16:58:25 2021 -0800

RANGER-3538: Reduce the granularity of locking when building/retrieving a 
policy-engine within Ranger admin service
---
 .../apache/ranger/biz/RangerPolicyAdminCache.java  | 124 +
 .../RangerPolicyAdminCacheForEngineOptions.java|  15 ++-
 2 files changed, 89 insertions(+), 50 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
index 5a69231..47fa99c 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
@@ -22,6 +22,8 @@ package org.apache.ranger.biz;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.concurrent.locks.Lock;
+import java.util.concurrent.locks.ReentrantLock;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -37,9 +39,25 @@ import org.apache.ranger.plugin.util.RangerRoles;
 import org.apache.ranger.plugin.util.ServicePolicies;
 
 public class RangerPolicyAdminCache {
+
+   static class RangerPolicyAdminWrapper {
+   final RangerPolicyAdmin policyAdmin;
+   final Lock  lock = new ReentrantLock();
+
+   RangerPolicyAdminWrapper(RangerPolicyAdmin policyAdmin) {
+   this.policyAdmin = policyAdmin;
+   }
+   RangerPolicyAdmin getPolicyAdmin() {
+   return policyAdmin;
+   }
+   Lock getLock() {
+   return lock;
+   }
+   }
+
private static final Log LOG = 
LogFactory.getLog(RangerPolicyAdminCache.class);
 
-   private final Map policyAdminCache = 
Collections.synchronizedMap(new HashMap<>());
+   private final Map policyAdminCache = 
Collections.synchronizedMap(new HashMap<>());
 
final RangerPolicyAdmin getServicePoliciesAdmin(String serviceName, 
ServiceStore svcStore, RoleStore roleStore, SecurityZoneStore zoneStore, 
RangerPolicyEngineOptions options) {
 
@@ -49,13 +67,13 @@ public class RangerPolicyAdminCache {
return null;
}
 
-   RangerPolicyAdmin ret = policyAdminCache.get(serviceName);
-
longpolicyVersion;
longroleVersion;
RangerRoles roles;
boolean isRolesUpdated = true;
 
+   RangerPolicyAdminWrapper ret = 
policyAdminCache.get(serviceName);
+
try {
if (ret == null) {
policyVersion = -1L;
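Review bot: The lookup `RangerPolicyAdminWrapper ret = policyAdminCache.get(serviceName);` hands back a wrapper that carries its own `ReentrantLock`, but neither this hunk nor the class-level hunk above documents what that lock guards or how it nests with the `Collections.synchronizedMap` that holds the wrappers. A Javadoc on `RangerPolicyAdminWrapper` (defined in the hunk at @@ -37) saying which operations must hold `getLock()` and whether the map lock may be held at the same time is the minimum needed for reviewers to reason about deadlock and stale reads. The surrounding method continues outside this hunk, so the actual lock usage cannot be checked here.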
@@ -68,8 +86,8 @@ public class RangerPolicyAdminCache {
}
}
} else {
-   policyVersion = ret.getPolicyVersion();
-   roleVersion   = ret.getRoleVersion();
+   policyVersion = 
ret.getPolicyAdmin().getPolicyVersion();
+   roleVersion   = 
ret.getPolicyAdmin().getRoleVersion();
roles = roleStore.getRoles(serviceName, 
roleVersion);
 
if (roles == null) { // No changes to roles
@@ -82,70 +100,88 @@ public class RangerPolicyAdminCache {
 
if (policies != null) {
ret = addOrUpdatePolicyAdmin(ret, policies, 
roles, options);
-   } else {
+
if (ret == null) {
-   LOG.error("getPolicyAdmin(" + 
serviceName + "): failed to get any policies from service-store");
+   LOG.error("getPolicyAdmin(" + 
serviceName + "): failed to build engine from policies from service-store");
} else {
if (isRolesUpdated) {
-   ret.setRoles(roles);
+   
ret.getPolicyAdmin().setRoles(roles);
}
}
}
} catch (Exception exception) {
LOG.error("getPolicyAdmin(" + serviceName + "): failed 
to get latest 

[ranger] branch master updated: RANGER-3502: Make GET zone APIs accessible to authorized users only

2021-12-07 Thread pradeep
This is an automated email from the ASF dual-hosted git repository.

pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
 new b61ed9f  RANGER-3502: Make GET zone APIs accessible to authorized 
users only
b61ed9f is described below

commit b61ed9f7ac3c7a0c07056cba21d8c9440b05d28a
Author: Kishor Gollapalliwar 
AuthorDate: Mon Dec 6 17:49:53 2021 +0530

RANGER-3502: Make GET zone APIs accessible to authorized users only

Signed-off-by: pradeep 
---
 .../plugin/model/RangerSecurityZoneHeaderInfo.java | 55 +
 .../plugin/model/RangerServiceHeaderInfo.java  | 67 
 .../org/apache/ranger/biz/SecurityZoneDBStore.java | 14 
 .../org/apache/ranger/db/XXSecurityZoneDao.java| 15 
 .../ranger/db/XXSecurityZoneRefServiceDao.java | 21 +
 .../ranger/db/XXSecurityZoneRefTagServiceDao.java  | 21 +
 .../java/org/apache/ranger/rest/PublicAPIsv2.java  | 75 +-
 .../org/apache/ranger/rest/SecurityZoneREST.java   | 56 -
 .../main/resources/META-INF/jpa_named_queries.xml  | 20 -
 .../main/webapp/scripts/controllers/Controller.js  |  5 +-
 .../webapp/scripts/views/UploadServicePolicy.js| 83 ++-
 .../scripts/views/policymanager/ServiceLayout.js   | 67 +---
 .../views/policymanager/ServiceLayoutSidebar.js| 92 +++---
 .../webapp/scripts/views/reports/AuditLayout.js| 15 ++--
 .../scripts/views/reports/UserAccessLayout.js  |  9 ++-
 .../org/apache/ranger/rest/TestPublicAPIsv2.java   | 68 +++-
 .../apache/ranger/rest/TestSecurityZoneREST.java   | 28 ++-
 17 files changed, 557 insertions(+), 154 deletions(-)

diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZoneHeaderInfo.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZoneHeaderInfo.java
new file mode 100644
index 000..e9d6b1b
--- /dev/null
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZoneHeaderInfo.java
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.plugin.model;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+
+import org.codehaus.jackson.annotate.JsonAutoDetect;
+import org.codehaus.jackson.annotate.JsonAutoDetect.Visibility;
+import org.codehaus.jackson.map.annotate.JsonSerialize;
+
+@JsonAutoDetect(getterVisibility = Visibility.NONE, setterVisibility = 
Visibility.NONE, fieldVisibility = Visibility.ANY)
+@JsonSerialize(include = JsonSerialize.Inclusion.NON_NULL)
+@XmlRootElement
+@XmlAccessorType(XmlAccessType.FIELD)
+public class RangerSecurityZoneHeaderInfo extends RangerBaseModelObject 
implements java.io.Serializable {
+private static final long serialVersionUID = 1L;
+private Stringname;
+
+public RangerSecurityZoneHeaderInfo() {
+super();
+setId(-1L);
+setName("");
+}
+
+public RangerSecurityZoneHeaderInfo(Long id, String name) {
+super();
+setId(id);
+setName(name);
+}
+
+public String getName() {
+return name;
+}
+
+public void setName(String name) {
+this.name = name;
+}
+}
\ No newline at end of file
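Review bot: The new public model class `RangerSecurityZoneHeaderInfo` has no class-level Javadoc, and a reader cannot tell from the class itself why an id/name-only projection exists alongside the full zone model; presumably it is the reduced view returned to callers who are not entitled to the full zone, which is worth stating so it does not later grow sensitive fields. Suggested header: `/** Minimal id/name view of a security zone, intended for listings where the caller must not see the full zone definition. */`. The file also ends without a trailing newline (the `\ No newline at end of file` marker), which most formatters and diff tools flag.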
diff --git 
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java
 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java
new file mode 100644
index 000..4343f6f
--- /dev/null
+++ 
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may