[ranger] branch master updated: RANGER-3484:Ranger usersync directory is being created as root owner
This is an automated email from the ASF dual-hosted git repository. bpatel pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 0258fcf RANGER-3484:Ranger usersync directory is being created as root owner 0258fcf is described below commit 0258fcf7ab25473b056fffc103840806c18fdcad Author: Bhavik Patel AuthorDate: Tue Oct 19 12:11:10 2021 +0530 RANGER-3484:Ranger usersync directory is being created as root owner
---
 unixauthservice/scripts/setup.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/unixauthservice/scripts/setup.py b/unixauthservice/scripts/setup.py
index 5e19ea1..3ac686f 100755
--- a/unixauthservice/scripts/setup.py
+++ b/unixauthservice/scripts/setup.py
@@ -504,7 +504,8 @@ def main():
 os.chown(ugsyncLogFolderName, ownerId, groupId)
 os.chown(rangerBaseDirName, ownerId, groupId)
 os.chown(usersyncBaseDirFullName, ownerId, groupId)
-
+os.chown(pid_dir_path, ownerId, groupId)
+os.chmod(pid_dir_path, 0o755)
 initializeInitD(ownerName)
 #
[ranger] branch master updated: RANGER-3298. Add coarse option for Hive URI permission check
This is an automated email from the ASF dual-hosted git repository. rmani pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new fcea574 RANGER-3298. Add coarse option for Hive URI permission check fcea574 is described below commit fcea57497766576c97591801fcd81e63b9a532b0 Author: Symious AuthorDate: Fri May 28 00:20:50 2021 +0800 RANGER-3298. Add coarse option for Hive URI permission check Signed-off-by: Ramesh Mani
---
 .../hadoop/constants/RangerHadoopConstants.java| 2 +
 hive-agent/conf/ranger-hive-security.xml | 8 +++
 .../hive/authorizer/RangerHiveAuthorizer.java | 64 --
 3 files changed, 46 insertions(+), 28 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
index 31e4c0f..6675125 100644
--- a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
+++ b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
@@ -42,6 +42,8 @@ public class RangerHadoopConstants {
 public static final boolean HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_DEFAULT_VALUE = true;
 public static final String HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP = "xasecure.hive.describetable.showcolumns.authorization.option";
 public static final String HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP_DEFAULT_VALUE = "NONE";
+ public static final String HIVE_URI_PERMISSION_COARSE_CHECK = "xasecure.hive.uri.permission.coarse.check";
+ public static final boolean HIVE_URI_PERMISSION_COARSE_CHECK_DEFAULT_VALUE = false;
 public static final String HBASE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_PROP= "xasecure.hbase.update.xapolicies.on.grant.revoke";
 public static final boolean HBASE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE = true;
diff --git a/hive-agent/conf/ranger-hive-security.xml b/hive-agent/conf/ranger-hive-security.xml
index 3a5fc54..3f38dea 100644
--- a/hive-agent/conf/ranger-hive-security.xml
+++ b/hive-agent/conf/ranger-hive-security.xml
@@ -86,4 +86,12 @@
 RangerRestClient read Timeout in Milli Seconds
+
+
+ xasecure.hive.uri.permission.coarse.check
+ false
+
+ Skip recursive permission check for URIs.
+
+
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index dc6e2eb..ad857e4 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
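Review bot: `HIVE_URI_PERMISSION_COARSE_CHECK` does not follow the naming of the neighbouring property constants in this hunk, which carry a `_PROP` suffix on the key constant (`HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP`, `HBASE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_PROP`) and `_DEFAULT_VALUE` on the default. Renaming the new pair to `HIVE_URI_PERMISSION_COARSE_CHECK_PROP` and `HIVE_URI_PERMISSION_COARSE_CHECK_PROP_DEFAULT_VALUE` keeps the file consistent; the only consumer appears to be RangerHiveAuthorizer, whose reading code is outside the visible hunks, so the rename is cheap now. Because this key relaxes an authorization check, a one-line comment on it would help the next reader: `// when true, URI authorization skips the recursive permission check described in ranger-hive-security.xml`.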
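Review bot: The description `Skip recursive permission check for URIs.` says what is skipped but not the consequence, and since this switch weakens an authorization check the wording should state the trade-off for operators, e.g. `When true, only the URI path itself is checked for the required filesystem permission; entries beneath it are not checked. Default: false.` The default of `false` in the hunk is the right one to keep. The exact effect of `true` is inferred here from the option name and this description, because the new body of isURIAccessAllowed is in a truncated hunk; confirm the wording against that implementation before adopting it.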
@@ -66,6 +66,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveResourceACLs;
 import org.apache.hadoop.hive.ql.session.SessionState;
 import org.apache.hadoop.ipc.Server;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
 import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
 import org.apache.ranger.authorization.utils.StringUtil;
 import org.apache.ranger.plugin.model.RangerPolicy;
@@ -861,7 +862,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 }
 if (shouldCheckAccess) {
- if (!isURIAccessAllowed(user, permission, path, fs)) {
+ if (!isURIAccessAllowed(user, permission, path, fs, RangerHivePlugin.URIPermissionCoarseCheck)) {
 throw new HiveAccessControlException( String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user, permission.name(), path));
@@ -959,7 +960,7 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 }
 if (shouldCheckAccess) {
- if (!isURIAccessAllowed(user, permission, path, fs)) {
+ if (!isURIAccessAllowed(user, permission, path, fs, RangerHivePlugin.URIPermissionCoarseCheck)) {
 throw new HiveAccessControlException( String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user, permission.name(), path));
@@ -2098,41 +2099,46 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 }
 private boolean isURIAccessAllowed(String userName, FsAction action, Path filePath,
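Review bot: Both call sites (`@@ -861` and `@@ -959`) read `RangerHivePlugin.URIPermissionCoarseCheck` as a bare static field whose declaration is not in the visible hunks; the UpperCamelCase name reads like a type, and if it is a plain non-final `static boolean` assigned during plugin initialisation, Hive's query threads may not reliably observe the assigned value without `volatile` or a synchronized accessor. Rename it to `uriPermissionCoarseCheck` (or `URI_PERMISSION_COARSE_CHECK` if it is effectively a constant) and read it through one accessor, `RangerHivePlugin.isUriPermissionCoarseCheck()`, so the two sites cannot drift apart. The enclosing methods begin and end outside both hunks, and the `isURIAccessAllowed` signature change in `@@ -2098` is cut off, so the handling of the new parameter could not be reviewed here.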
[ranger] branch master updated: RANGER-2967: Add support for Amazon CloudWatch Logs as an Audit Store
This is an automated email from the ASF dual-hosted git repository. pradeep pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 25def39 RANGER-2967: Add support for Amazon CloudWatch Logs as an Audit Store 25def39 is described below commit 25def39b1c833b4e18ff657929656be3c37bcd8f Author: Yao Zhou AuthorDate: Tue Aug 25 10:53:50 2020 +0530 RANGER-2967: Add support for Amazon CloudWatch Logs as an Audit Store 
Signed-off-by: pradeep --- agents-audit/pom.xml | 15 ++ .../AmazonCloudWatchAuditDestination.java | 182 + .../audit/provider/AuditProviderFactory.java | 2 + hbase-agent/conf/ranger-hbase-audit-changes.cfg| 5 + hbase-agent/scripts/install.properties | 12 ++ hdfs-agent/conf/ranger-hdfs-audit-changes.cfg | 5 + hdfs-agent/scripts/install.properties | 12 ++ hive-agent/conf/ranger-hive-audit-changes.cfg | 5 + hive-agent/scripts/install.properties | 12 ++ kms/scripts/install.properties | 12 ++ knox-agent/conf/ranger-knox-audit-changes.cfg | 5 + knox-agent/scripts/install.properties | 12 ++ plugin-atlas/conf/ranger-atlas-audit-changes.cfg | 6 + plugin-atlas/scripts/install.properties| 12 ++ .../conf/ranger-elasticsearch-audit-changes.cfg| 5 + plugin-elasticsearch/scripts/install.properties| 12 ++ plugin-kafka/conf/ranger-kafka-audit-changes.cfg | 5 + plugin-kafka/scripts/install.properties| 12 ++ plugin-kms/conf/ranger-kms-audit-changes.cfg | 5 + plugin-kylin/conf/ranger-kylin-audit-changes.cfg | 5 + plugin-kylin/scripts/install.properties| 12 ++ plugin-ozone/conf/ranger-ozone-audit-changes.cfg | 5 + plugin-ozone/scripts/install.properties| 12 ++ plugin-presto/conf/ranger-presto-audit-changes.cfg | 5 + plugin-presto/scripts/install.properties | 12 ++ plugin-solr/conf/ranger-solr-audit-changes.cfg | 5 + plugin-solr/scripts/install.properties | 12 ++ plugin-sqoop/conf/ranger-sqoop-audit-changes.cfg | 5 + plugin-sqoop/scripts/install.properties| 12 ++ plugin-yarn/conf/ranger-yarn-audit-changes.cfg | 5 + plugin-yarn/scripts/install.properties | 12 ++ .../AmazonCloudWatchAuditDestinationTest.java | 79 + storm-agent/conf/ranger-storm-audit-changes.cfg| 5 + storm-agent/scripts/install.properties | 12 ++ 34 files changed, 534 insertions(+) diff --git a/agents-audit/pom.xml b/agents-audit/pom.xml index 5607242..33fa256 100644 --- a/agents-audit/pom.xml +++ b/agents-audit/pom.xml 
@@ -31,6 +31,17 @@
 3.0.0-SNAPSHOT
 ..
+
+
+
+com.amazonaws
+aws-java-sdk-bom
+1.11.327
+pom
+import
+
+
+
 org.apache.ranger
@@ -334,5 +345,9 @@
+
+com.amazonaws
+aws-java-sdk-logs
+
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/destination/AmazonCloudWatchAuditDestination.java b/agents-audit/src/main/java/org/apache/ranger/audit/destination/AmazonCloudWatchAuditDestination.java
new file mode 100644
index 000..b236a26
--- /dev/null
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/destination/AmazonCloudWatchAuditDestination.java
@@ -0,0 +1,182 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.audit.destination;
+
+import java.util.Collection;
+import java.util.Comparator;
+import java.util.Properties;
+import java.util.stream.Collectors;
+
+import com.amazonaws.services.logs.AWSLogs;
+import com.amazonaws.services.logs.AWSLogsClientBuilder;
+import com.amazonaws.services.logs.model.CreateLogStreamRequest;
+import com.amazonaws.services.logs.model.InputLogEvent;
+import
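Review bot: The BOM version `1.11.327` is written inline in the `aws-java-sdk-bom` import rather than as a Maven property, so bumping the SDK later means editing this pom by hand. If the root pom manages third-party versions through properties (not visible here), declare it there and reference it as `<version>${aws.sdk.version}</version>`. The SDK will carry the AWS credential chain for the new audit destination, so it is also worth confirming that the pinned 1.11.x release is current at merge time rather than inherited from an older project.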
[ranger] branch master updated: RANGER-3538: Reduce the granularity of locking when building/retrieving a policy-engine within Ranger admin service
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new d3af747 RANGER-3538: Reduce the granularity of locking when building/retrieving a policy-engine within Ranger admin service d3af747 is described below commit d3af7476dcab3719b8a75b506b10400640f3bf3e Author: Abhay Kulkarni AuthorDate: Tue Dec 7 16:58:25 2021 -0800 RANGER-3538: Reduce the granularity of locking when building/retrieving a policy-engine within Ranger admin service
---
 .../apache/ranger/biz/RangerPolicyAdminCache.java | 124 +
 .../RangerPolicyAdminCacheForEngineOptions.java| 15 ++-
 2 files changed, 89 insertions(+), 50 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
index 5a69231..47fa99c 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
@@ -22,6 +22,8 @@ package org.apache.ranger.biz;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.concurrent.locks.Lock;
+import java.util.concurrent.locks.ReentrantLock;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -37,9 +39,25 @@ import org.apache.ranger.plugin.util.RangerRoles;
 import org.apache.ranger.plugin.util.ServicePolicies;
 public class RangerPolicyAdminCache {
+
+ static class RangerPolicyAdminWrapper {
+ final RangerPolicyAdmin policyAdmin;
+ final Lock lock = new ReentrantLock();
+
+ RangerPolicyAdminWrapper(RangerPolicyAdmin policyAdmin) {
+ this.policyAdmin = policyAdmin;
+ }
+ RangerPolicyAdmin getPolicyAdmin() {
+ return policyAdmin;
+ }
+ Lock getLock() {
+ return lock;
+ }
+ }
+
 private static final Log LOG = LogFactory.getLog(RangerPolicyAdminCache.class);
- private final Map policyAdminCache = Collections.synchronizedMap(new HashMap<>());
+ private final Map policyAdminCache = Collections.synchronizedMap(new HashMap<>());
 final RangerPolicyAdmin getServicePoliciesAdmin(String serviceName, ServiceStore svcStore, RoleStore roleStore, SecurityZoneStore zoneStore, RangerPolicyEngineOptions options) {
@@ -49,13 +67,13 @@ public class RangerPolicyAdminCache {
 return null;
 }
- RangerPolicyAdmin ret = policyAdminCache.get(serviceName);
-
 longpolicyVersion;
 longroleVersion;
 RangerRoles roles;
 boolean isRolesUpdated = true;
+ RangerPolicyAdminWrapper ret = policyAdminCache.get(serviceName);
+
 try {
 if (ret == null) {
 policyVersion = -1L;
@@ -68,8 +86,8 @@ public class RangerPolicyAdminCache {
 }
 }
 } else {
- policyVersion = ret.getPolicyVersion();
- roleVersion = ret.getRoleVersion();
+ policyVersion = ret.getPolicyAdmin().getPolicyVersion();
+ roleVersion = ret.getPolicyAdmin().getRoleVersion();
 roles = roleStore.getRoles(serviceName, roleVersion);
 if (roles == null) {
 // No changes to roles
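Review bot: `RangerPolicyAdminWrapper` leaves `policyAdmin` and `lock` package-private while also providing getters, so any class in `org.apache.ranger.biz` can bypass the lock; make both `private final` and give the wrapper a Javadoc naming what the lock serializes, e.g. `/** One service's policy engine plus the lock that serializes rebuilding or updating it. */`. In the visible hunks (`@@ -49` and `@@ -68`) the wrapper is fetched from `policyAdminCache` and `getPolicyVersion()`/`getRoleVersion()` are read without ever taking `ret.getLock()`; presumably the lock is acquired in the truncated `@@ -82` hunk around `addOrUpdatePolicyAdmin`, in which case these unlocked reads may observe versions from before or after a concurrent rebuild of the same service. A comment at the top of `getServicePoliciesAdmin` stating which steps intentionally run outside the lock, and why a stale version read is harmless, would let a reader verify that. `getServicePoliciesAdmin` begins in this hunk but ends outside the visible hunks.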
@@ -82,70 +100,88 @@ public class RangerPolicyAdminCache { if (policies != null) { ret = addOrUpdatePolicyAdmin(ret, policies, roles, options); - } else { + if (ret == null) { - LOG.error("getPolicyAdmin(" + serviceName + "): failed to get any policies from service-store"); + LOG.error("getPolicyAdmin(" + serviceName + "): failed to build engine from policies from service-store"); } else { if (isRolesUpdated) { - ret.setRoles(roles); + ret.getPolicyAdmin().setRoles(roles); } } } } catch (Exception exception) { LOG.error("getPolicyAdmin(" + serviceName + "): failed to get latest
[ranger] branch master updated: RANGER-3502: Make GET zone APIs accessible to authorized users only
This is an automated email from the ASF dual-hosted git repository. pradeep pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new b61ed9f RANGER-3502: Make GET zone APIs accessible to authorized users only b61ed9f is described below commit b61ed9f7ac3c7a0c07056cba21d8c9440b05d28a Author: Kishor Gollapalliwar AuthorDate: Mon Dec 6 17:49:53 2021 +0530 RANGER-3502: Make GET zone APIs accessible to authorized users only Signed-off-by: pradeep
---
 .../plugin/model/RangerSecurityZoneHeaderInfo.java | 55 +
 .../plugin/model/RangerServiceHeaderInfo.java | 67
 .../org/apache/ranger/biz/SecurityZoneDBStore.java | 14
 .../org/apache/ranger/db/XXSecurityZoneDao.java| 15
 .../ranger/db/XXSecurityZoneRefServiceDao.java | 21 +
 .../ranger/db/XXSecurityZoneRefTagServiceDao.java | 21 +
 .../java/org/apache/ranger/rest/PublicAPIsv2.java | 75 +-
 .../org/apache/ranger/rest/SecurityZoneREST.java | 56 -
 .../main/resources/META-INF/jpa_named_queries.xml | 20 -
 .../main/webapp/scripts/controllers/Controller.js | 5 +-
 .../webapp/scripts/views/UploadServicePolicy.js| 83 ++-
 .../scripts/views/policymanager/ServiceLayout.js | 67 +---
 .../views/policymanager/ServiceLayoutSidebar.js| 92 +++---
 .../webapp/scripts/views/reports/AuditLayout.js| 15 ++--
 .../scripts/views/reports/UserAccessLayout.js | 9 ++-
 .../org/apache/ranger/rest/TestPublicAPIsv2.java | 68 +++-
 .../apache/ranger/rest/TestSecurityZoneREST.java | 28 ++-
 17 files changed, 557 insertions(+), 154 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZoneHeaderInfo.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZoneHeaderInfo.java
new file mode 100644
index 000..e9d6b1b
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZoneHeaderInfo.java
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.plugin.model;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+
+import org.codehaus.jackson.annotate.JsonAutoDetect;
+import org.codehaus.jackson.annotate.JsonAutoDetect.Visibility;
+import org.codehaus.jackson.map.annotate.JsonSerialize;
+
+@JsonAutoDetect(getterVisibility = Visibility.NONE, setterVisibility = Visibility.NONE, fieldVisibility = Visibility.ANY)
+@JsonSerialize(include = JsonSerialize.Inclusion.NON_NULL)
+@XmlRootElement
+@XmlAccessorType(XmlAccessType.FIELD)
+public class RangerSecurityZoneHeaderInfo extends RangerBaseModelObject implements java.io.Serializable {
+private static final long serialVersionUID = 1L;
+private Stringname;
+
+public RangerSecurityZoneHeaderInfo() {
+super();
+setId(-1L);
+setName("");
+}
+
+public RangerSecurityZoneHeaderInfo(Long id, String name) {
+super();
+setId(id);
+setName(name);
+}
+
+public String getName() {
+return name;
+}
+
+public void setName(String name) {
+this.name = name;
+}
+}
\ No newline at end of file
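Review bot: Both constructors of `RangerSecurityZoneHeaderInfo` call the overridable `setName` (and the inherited `setId`) from inside the constructor of a non-final class, so a subclass override would run before the subclass's own fields are initialised; assign the local field directly (`this.name = name;` and `this.name = "";`) and, if no subclasses are intended, declare the class `final` so the inherited `setId` call is safe too. The class also has no Javadoc; given the commit's purpose, a header such as `/** Minimal (id, name) representation of a security zone, returned where the full zone definition must not be exposed. */` would tell API consumers why this type exists alongside RangerSecurityZone — confirm the "where" against the PublicAPIsv2 and SecurityZoneREST changes, which are outside the visible hunks. `Stringname` on the field line is a rendering artefact of the mail (a collapsed tab), not a defect in the source.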
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java new file mode 100644 index 000..4343f6f --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java @@ -0,0 +1,67 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may