[ranger] branch ranger-2.4 updated: RANGER-3983: Support getColumnMasks and getRowFilters in Trino SPI 376+
This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch ranger-2.4 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.4 by this push: new 69895d30a RANGER-3983: Support getColumnMasks and getRowFilters in Trino SPI 376+ 69895d30a is described below commit 69895d30a5047c940ca5117427e2ca36475b2ba2 Author: Ziyue Yang AuthorDate: Thu Dec 1 22:49:32 2022 -0800 RANGER-3983: Support getColumnMasks and getRowFilters in Trino SPI 376+ Signed-off-by: Madhan Neethiraj (cherry picked from commit 97137609e14342a3db2112be27c0e809b261e782) --- .../authorizer/RangerSystemAccessControl.java | 12 +++ .../authorizer/RangerSystemAccessControlTest.java | 8 +++ .../authorizer/RangerSystemAccessControl.java | 25 ++ 3 files changed, 45 insertions(+) diff --git a/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java b/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java index cc06187f4..c440bf394 100644 --- a/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java +++ b/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java @@ -42,6 +42,8 @@ import org.apache.ranger.plugin.service.RangerBasePlugin; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import com.google.common.collect.ImmutableList; + import java.io.IOException; import java.net.URL; import java.security.Principal; 
@@ -174,6 +176,11 @@ public class RangerSystemAccessControl return Optional.ofNullable(viewExpression); } + @Override + public List getRowFilters(SystemSecurityContext context, CatalogSchemaTableName tableName) { +return getRowFilter(context, tableName).map(ImmutableList::of).orElseGet(ImmutableList::of); + } + @Override public Optional getColumnMask(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) { RangerTrinoAccessRequest request = createAccessRequest( @@ -223,6 +230,11 @@ public class RangerSystemAccessControl return Optional.ofNullable(viewExpression); } + @Override + public List getColumnMasks(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) { +return getColumnMask(context, tableName, columnName, type).map(ImmutableList::of).orElseGet(ImmutableList::of); + } + @Override public Set filterCatalogs(SystemSecurityContext context, Set catalogs) { LOG.debug("==> RangerSystemAccessControl.filterCatalogs("+ catalogs + ")"); diff --git a/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java b/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java index d6c637e5a..eda87db4e 100644 --- a/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java +++ b/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java @@ -38,6 +38,7 @@ import org.junit.Test; import javax.security.auth.kerberos.KerberosPrincipal; import java.util.HashMap; +import java.util.List; import java.util.Map; import java.util.Optional; import java.util.Set; 
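Review bot: Neither `getRowFilters` nor `getColumnMasks` documents that an empty list means Trino applies no row filter or mask, so both overrides inherit whatever `getRowFilter` and `getColumnMask` do when no policy matches or evaluation fails. The context line `return Optional.ofNullable(viewExpression);` shows that a null expression becomes `Optional.empty()`, which these wrappers turn into an empty list. Whether a failed policy evaluation can leave `viewExpression` null is not visible in these hunks and is worth confirming, because that path would return data unfiltered or unmasked instead of denying. I would add a comment above each method along the lines of `// Trino SPI 376+ calls the list form; at most one entry, taken from getRowFilter(); empty list = no filter applied`. The same point applies to the identical hunks in the master-branch copy of this commit further down the page.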
@@ -175,14 +176,21 @@ public class RangerSystemAccessControlTest { final VarcharType varcharType = VarcharType.createVarcharType(20); Optional ret = accessControlManager.getColumnMask(context(alice), aliceTable, "cast_me", varcharType); +List retArray = accessControlManager.getColumnMasks(context(alice), aliceTable, "cast_me", varcharType); assertNotNull(ret.get()); assertEquals(ret.get().getExpression(), "cast cast_me as varchar(20)"); +assertEquals(1, retArray.size()); +assertEquals("cast cast_me as varchar(20)", retArray.get(0).getExpression()); ret = accessControlManager.getColumnMask(context(alice), aliceTable,"do-not-cast-me", varcharType); +retArray = accessControlManager.getColumnMasks(context(alice), aliceTable,"do-not-cast-me", varcharType); assertFalse(ret.isPresent()); +assertTrue(retArray.isEmpty()); ret = accessControlManager.getRowFilter(context(alice), aliceTable); +retArray = accessControlManager.getRowFilters(context(alice), aliceTable); assertFalse(ret.isPresent()); +assertTrue(retArray.isEmpty()); accessControlManager.checkCanExecuteFunction(context(alice), functionName); accessControlManager.checkCanGrantExecuteFunctionPrivilege(context(alice), functionName, new TrinoPrincipal(USER, "grantee"), true); diff --git a/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java b/ranger-t
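Review bot: `getRowFilters` is only asserted on the empty path (`assertTrue(retArray.isEmpty())` after the `aliceTable` lookup), so nothing checks that a table with a row-filter policy produces a one-element list carrying the filter expression. The mask variant covers both outcomes through `cast_me` and `do-not-cast-me`. A matching positive row-filter case, asserting `assertEquals(1, retArray.size())` and the expected expression, would catch a regression that silently drops the filter. Reusing the single `retArray` variable for both masks and filters also makes the assertions harder to follow; separate `masks` and `filters` locals would read more clearly. The test method begins and ends outside this hunk, and the same hunk is repeated in the master-branch mail below.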
[ranger] branch master updated: RANGER-3983: Support getColumnMasks and getRowFilters in Trino SPI 376+
This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 97137609e RANGER-3983: Support getColumnMasks and getRowFilters in Trino SPI 376+ 97137609e is described below commit 97137609e14342a3db2112be27c0e809b261e782 Author: Ziyue Yang AuthorDate: Thu Dec 1 22:49:32 2022 -0800 RANGER-3983: Support getColumnMasks and getRowFilters in Trino SPI 376+ Signed-off-by: Madhan Neethiraj --- .../authorizer/RangerSystemAccessControl.java | 12 +++ .../authorizer/RangerSystemAccessControlTest.java | 8 +++ .../authorizer/RangerSystemAccessControl.java | 25 ++ 3 files changed, 45 insertions(+) diff --git a/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java b/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java index cc06187f4..c440bf394 100644 --- a/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java +++ b/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java @@ -42,6 +42,8 @@ import org.apache.ranger.plugin.service.RangerBasePlugin; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import com.google.common.collect.ImmutableList; + import java.io.IOException; import java.net.URL; import java.security.Principal; 
@@ -174,6 +176,11 @@ public class RangerSystemAccessControl return Optional.ofNullable(viewExpression); } + @Override + public List getRowFilters(SystemSecurityContext context, CatalogSchemaTableName tableName) { +return getRowFilter(context, tableName).map(ImmutableList::of).orElseGet(ImmutableList::of); + } + @Override public Optional getColumnMask(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) { RangerTrinoAccessRequest request = createAccessRequest( @@ -223,6 +230,11 @@ public class RangerSystemAccessControl return Optional.ofNullable(viewExpression); } + @Override + public List getColumnMasks(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) { +return getColumnMask(context, tableName, columnName, type).map(ImmutableList::of).orElseGet(ImmutableList::of); + } + @Override public Set filterCatalogs(SystemSecurityContext context, Set catalogs) { LOG.debug("==> RangerSystemAccessControl.filterCatalogs("+ catalogs + ")"); diff --git a/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java b/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java index d6c637e5a..eda87db4e 100644 --- a/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java +++ b/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java @@ -38,6 +38,7 @@ import org.junit.Test; import javax.security.auth.kerberos.KerberosPrincipal; import java.util.HashMap; +import java.util.List; import java.util.Map; import java.util.Optional; import java.util.Set; 
@@ -175,14 +176,21 @@ public class RangerSystemAccessControlTest { final VarcharType varcharType = VarcharType.createVarcharType(20); Optional ret = accessControlManager.getColumnMask(context(alice), aliceTable, "cast_me", varcharType); +List retArray = accessControlManager.getColumnMasks(context(alice), aliceTable, "cast_me", varcharType); assertNotNull(ret.get()); assertEquals(ret.get().getExpression(), "cast cast_me as varchar(20)"); +assertEquals(1, retArray.size()); +assertEquals("cast cast_me as varchar(20)", retArray.get(0).getExpression()); ret = accessControlManager.getColumnMask(context(alice), aliceTable,"do-not-cast-me", varcharType); +retArray = accessControlManager.getColumnMasks(context(alice), aliceTable,"do-not-cast-me", varcharType); assertFalse(ret.isPresent()); +assertTrue(retArray.isEmpty()); ret = accessControlManager.getRowFilter(context(alice), aliceTable); +retArray = accessControlManager.getRowFilters(context(alice), aliceTable); assertFalse(ret.isPresent()); +assertTrue(retArray.isEmpty()); accessControlManager.checkCanExecuteFunction(context(alice), functionName); accessControlManager.checkCanGrantExecuteFunctionPrivilege(context(alice), functionName, new TrinoPrincipal(USER, "grantee"), true); diff --git a/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/R
[ranger] branch ranger-2.4 updated: RANGER-3986: Upgrade trino guice dependency to 5.1.0
This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch ranger-2.4 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.4 by this push: new ee1508fd7 RANGER-3986: Upgrade trino guice dependency to 5.1.0 ee1508fd7 is described below commit ee1508fd75e6ca2027f9c57e1b0b09f2a822eddd Author: Ziyue Yang AuthorDate: Thu Dec 1 21:48:25 2022 -0800 RANGER-3986: Upgrade trino guice dependency to 5.1.0 Signed-off-by: Madhan Neethiraj (cherry picked from commit fcf46f5abc8ded745e802815710e36e88af374d6) --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 703e326dc..3f3c91bba 100644 --- a/pom.xml +++ b/pom.xml @@ -223,7 +223,7 @@ 0.192 2.0.0 -4.2.2 +5.1.0 26.0-jre 2.0.1.Final 1.1
[ranger] branch master updated: RANGER-3986: Upgrade trino guice dependency to 5.1.0
This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new fcf46f5ab RANGER-3986: Upgrade trino guice dependency to 5.1.0 fcf46f5ab is described below commit fcf46f5abc8ded745e802815710e36e88af374d6 Author: Ziyue Yang AuthorDate: Thu Dec 1 21:48:25 2022 -0800 RANGER-3986: Upgrade trino guice dependency to 5.1.0 Signed-off-by: Madhan Neethiraj --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 9835ffbf8..dc09328dc 100644 --- a/pom.xml +++ b/pom.xml @@ -225,7 +225,7 @@ 0.192 2.0.0 -4.2.2 +5.1.0 26.0-jre 2.0.1.Final 1.1
[ranger] branch ranger-2.4 updated: RANGER-3863: fix to enable build in Apple M1/M2 environment
This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch ranger-2.4 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.4 by this push: new 7153686e0 RANGER-3863: fix to enable build in Apple M1/M2 environment 7153686e0 is described below commit 7153686e01d56ccfffc47c58a30dea745506582e Author: ziyue yang AuthorDate: Thu Dec 1 17:03:06 2022 -0800 RANGER-3863: fix to enable build in Apple M1/M2 environment Signed-off-by: Madhan Neethiraj (cherry picked from commit d9d5c2dab7f1fca7b390f5a95cc89b45fa55d377) --- pom.xml| 6 +++--- security-admin/pom.xml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pom.xml b/pom.xml index 61d8429fd..703e326dc 100644 --- a/pom.xml +++ b/pom.xml @@ -209,9 +209,9 @@ 5.0.3 2.11.3 2.11.3 -0.0.2 -5.2.0 -5.2.0 +1.0.0 +5.7.0 +5.7.0 0.192 2.0.0 diff --git a/security-admin/pom.xml b/security-admin/pom.xml index 8aa68afe6..b81f2c1d8 100644 --- a/security-admin/pom.xml +++ b/security-admin/pom.xml @@ -850,7 +850,7 @@ com.github.eirslett frontend-maven-plugin -1.6 +1.12.1 ${project.build.directory} ${project.build.directory}
[ranger] branch dependabot/npm_and_yarn/security-admin/src/test/javascript/decode-uri-component-0.2.2 created (now e4fa0b017)
This is an automated email from the ASF dual-hosted git repository. github-bot pushed a change to branch dependabot/npm_and_yarn/security-admin/src/test/javascript/decode-uri-component-0.2.2 in repository https://gitbox.apache.org/repos/asf/ranger.git at e4fa0b017 Bump decode-uri-component in /security-admin/src/test/javascript No new revisions were added by this update.
[ranger] branch master updated: RANGER-3863: fix to enable build in Apple M1/M2 environment
This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new d9d5c2dab RANGER-3863: fix to enable build in Apple M1/M2 environment d9d5c2dab is described below commit d9d5c2dab7f1fca7b390f5a95cc89b45fa55d377 Author: ziyue yang AuthorDate: Thu Dec 1 17:03:06 2022 -0800 RANGER-3863: fix to enable build in Apple M1/M2 environment Signed-off-by: Madhan Neethiraj --- pom.xml| 6 +++--- security-admin/pom.xml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pom.xml b/pom.xml index 7b0dd14c5..9835ffbf8 100644 --- a/pom.xml +++ b/pom.xml @@ -211,9 +211,9 @@ 5.0.3 2.14.0 2.14.0 -0.0.2 -5.2.0 -5.2.0 +1.0.0 +5.7.0 +5.7.0 0.192 2.0.0 diff --git a/security-admin/pom.xml b/security-admin/pom.xml index 5e24dd846..54bd231d8 100644 --- a/security-admin/pom.xml +++ b/security-admin/pom.xml @@ -928,7 +928,7 @@ com.github.eirslett frontend-maven-plugin -1.6 +1.12.1 ${project.build.directory} ${project.build.directory}
[ranger] branch ranger-2.4 updated: RANGER-3855: added RangerMultiSourceUserStoreRetriever implementation
This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch ranger-2.4 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.4 by this push: new 2218bfa97 RANGER-3855: added RangerMultiSourceUserStoreRetriever implementation 2218bfa97 is described below commit 2218bfa97bbd5b767230eec6291f5793a2ad0daa Author: Eckman, Barbara AuthorDate: Thu Nov 17 16:11:45 2022 -0500 RANGER-3855: added RangerMultiSourceUserStoreRetriever implementation Signed-off-by: Madhan Neethiraj (cherry picked from commit f510319fb23bc23c71e08780e0b59d502b9590d3) --- .../externalretrievers/GetFromDataFile.java| 75 + .../externalretrievers/GetFromURL.java | 224 + .../contextenricher/externalretrievers/LICENSE | 202 .../contextenricher/externalretrievers/NOTICE | 18 + .../contextenricher/externalretrievers/README.md | 137 .../RangerMultiSourceUserStoreRetriever.java | 365 + .../ranger/plugin/util/RangerRolesProvider.java| 2 +- .../apache/ranger/plugin/util/RangerRolesUtil.java | 2 +- dev-support/spotbugsIncludeFile.xml| 1 + 9 files changed, 1024 insertions(+), 2 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java new file mode 100644 index 0..93cf38aac --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java 
@@ -0,0 +1,75 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.contextenricher.externalretrievers; + +import org.apache.ranger.plugin.contextenricher.RangerAbstractContextEnricher; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.util.HashMap; +import java.util.Map; +import java.util.Properties; + +public class GetFromDataFile { +private static final Logger LOG = LoggerFactory.getLogger(GetFromDataFile.class); + +public Map> getFromDataFile(String dataFile, String attrName) { +if (LOG.isDebugEnabled()) { +LOG.debug("==> getFromDataFile(dataFile={}, attrName={})", dataFile, attrName); +} + +Map> ret = new HashMap<>(); + +// create an instance so that readProperties() can be used! 
+RangerAbstractContextEnricher ce = new RangerAbstractContextEnricher() { +@Override +public void enrich(RangerAccessRequest rangerAccessRequest) { +} +}; + +Properties prop = ce.readProperties(dataFile); + +if (prop == null) { +LOG.warn("getFromDataFile({}, {}): failed to read file", dataFile, attrName); +} else { +if (LOG.isDebugEnabled()) { +LOG.debug("read from datafile {}: {}", dataFile, prop); +} + +// reformat UserAttrsProp into UserStore format: +// format of UserAttrsProp: Map +// format of UserStore: Map> +for (String user : prop.stringPropertyNames()) { +Map userAttrs = new HashMap<>(); + +userAttrs.put(attrName, prop.getProperty(user)); + +ret.put(user, userAttrs); +} +} + +if (LOG.isDebugEnabled()) { +LOG.debug("<== getFromDataFile(dataFile={}, attrName={}): ret={}", dataFile, attrName, ret); +} + +return ret; +} +} diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java new file mode 100644 index 0..f9eae3574 --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java @@ -0,0 +1,224 @@ +/* + * Licensed to the Apache Software Foundation (ASF) unde
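Review bot: When `ce.readProperties(dataFile)` returns null, `getFromDataFile` only logs a warning and returns an empty map, so the caller cannot tell an unreadable or missing file from one that lists no users. These values appear to feed the user-attribute store used during policy evaluation (inferred from the package name and the `UserStore` comment). If so, a read failure presumably leaves every user without the attribute instead of stopping the retriever. I would either surface the failure to the caller or state the behaviour in a Javadoc on the method. Separately, the two debug statements log `prop` and `ret` in full, which is every user name and attribute value; logging counts is safer, e.g. `LOG.debug("read from datafile {}: {} entries", dataFile, prop.size());`. The same new-file hunk is repeated in the master-branch mail below.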
[ranger] branch master updated: RANGER-3855: added RangerMultiSourceUserStoreRetriever implementation
This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new f510319fb RANGER-3855: added RangerMultiSourceUserStoreRetriever implementation f510319fb is described below commit f510319fb23bc23c71e08780e0b59d502b9590d3 Author: Eckman, Barbara AuthorDate: Thu Nov 17 16:11:45 2022 -0500 RANGER-3855: added RangerMultiSourceUserStoreRetriever implementation Signed-off-by: Madhan Neethiraj --- .../externalretrievers/GetFromDataFile.java| 75 + .../externalretrievers/GetFromURL.java | 224 + .../contextenricher/externalretrievers/LICENSE | 202 .../contextenricher/externalretrievers/NOTICE | 18 + .../contextenricher/externalretrievers/README.md | 137 .../RangerMultiSourceUserStoreRetriever.java | 365 + .../ranger/plugin/util/RangerRolesProvider.java| 2 +- .../apache/ranger/plugin/util/RangerRolesUtil.java | 2 +- dev-support/spotbugsIncludeFile.xml| 1 + 9 files changed, 1024 insertions(+), 2 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java new file mode 100644 index 0..93cf38aac --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java 
@@ -0,0 +1,75 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.plugin.contextenricher.externalretrievers; + +import org.apache.ranger.plugin.contextenricher.RangerAbstractContextEnricher; +import org.apache.ranger.plugin.policyengine.RangerAccessRequest; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.util.HashMap; +import java.util.Map; +import java.util.Properties; + +public class GetFromDataFile { +private static final Logger LOG = LoggerFactory.getLogger(GetFromDataFile.class); + +public Map> getFromDataFile(String dataFile, String attrName) { +if (LOG.isDebugEnabled()) { +LOG.debug("==> getFromDataFile(dataFile={}, attrName={})", dataFile, attrName); +} + +Map> ret = new HashMap<>(); + +// create an instance so that readProperties() can be used! 
+RangerAbstractContextEnricher ce = new RangerAbstractContextEnricher() { +@Override +public void enrich(RangerAccessRequest rangerAccessRequest) { +} +}; + +Properties prop = ce.readProperties(dataFile); + +if (prop == null) { +LOG.warn("getFromDataFile({}, {}): failed to read file", dataFile, attrName); +} else { +if (LOG.isDebugEnabled()) { +LOG.debug("read from datafile {}: {}", dataFile, prop); +} + +// reformat UserAttrsProp into UserStore format: +// format of UserAttrsProp: Map +// format of UserStore: Map> +for (String user : prop.stringPropertyNames()) { +Map userAttrs = new HashMap<>(); + +userAttrs.put(attrName, prop.getProperty(user)); + +ret.put(user, userAttrs); +} +} + +if (LOG.isDebugEnabled()) { +LOG.debug("<== getFromDataFile(dataFile={}, attrName={}): ret={}", dataFile, attrName, ret); +} + +return ret; +} +} diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java new file mode 100644 index 0..f9eae3574 --- /dev/null +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java @@ -0,0 +1,224 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distri
[ranger] branch dependabot/npm_and_yarn/security-admin/src/test/javascript/minimatch-and-mocha-3.1.2 created (now 7066e9b31)
This is an automated email from the ASF dual-hosted git repository. github-bot pushed a change to branch dependabot/npm_and_yarn/security-admin/src/test/javascript/minimatch-and-mocha-3.1.2 in repository https://gitbox.apache.org/repos/asf/ranger.git at 7066e9b31 Bump minimatch and mocha in /security-admin/src/test/javascript No new revisions were added by this update.
[ranger] branch ranger-2.4 updated: RANGER-3978: Docker setup for Ranger KMS - fix to enable restart of container - #2
This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch ranger-2.4 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.4 by this push: new ddb46668d RANGER-3978: Docker setup for Ranger KMS - fix to enable restart of container - #2 ddb46668d is described below commit ddb46668d88a906724bbba548bd464b5672b8596 Author: Madhan Neethiraj AuthorDate: Wed Nov 30 08:43:18 2022 -0800 RANGER-3978: Docker setup for Ranger KMS - fix to enable restart of container - #2 (cherry picked from commit 7bfc0ad68a7342d4f30140102b50f4ef985ec6af) --- dev-support/ranger-docker/scripts/ranger-kms.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dev-support/ranger-docker/scripts/ranger-kms.sh b/dev-support/ranger-docker/scripts/ranger-kms.sh index 0424f832b..be5519e40 100755 --- a/dev-support/ranger-docker/scripts/ranger-kms.sh +++ b/dev-support/ranger-docker/scripts/ranger-kms.sh @@ -35,6 +35,9 @@ then fi fi +# delete PID file if exists +rm -f /var/run/ranger_kms/rangerkms.pid + cd ${RANGER_HOME}/kms && ./ranger-kms-services.sh start RANGER_KMS_PID=`ps -ef | grep -v grep | grep "Dproc_rangerkms" | awk '{print $2}'`
[ranger] branch master updated: RANGER-3978: Docker setup for Ranger KMS - fix to enable restart of container - #2
This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 7bfc0ad68 RANGER-3978: Docker setup for Ranger KMS - fix to enable restart of container - #2 7bfc0ad68 is described below commit 7bfc0ad68a7342d4f30140102b50f4ef985ec6af Author: Madhan Neethiraj AuthorDate: Wed Nov 30 08:43:18 2022 -0800 RANGER-3978: Docker setup for Ranger KMS - fix to enable restart of container - #2 --- dev-support/ranger-docker/scripts/ranger-kms.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dev-support/ranger-docker/scripts/ranger-kms.sh b/dev-support/ranger-docker/scripts/ranger-kms.sh index 0424f832b..be5519e40 100755 --- a/dev-support/ranger-docker/scripts/ranger-kms.sh +++ b/dev-support/ranger-docker/scripts/ranger-kms.sh @@ -35,6 +35,9 @@ then fi fi +# delete PID file if exists +rm -f /var/run/ranger_kms/rangerkms.pid + cd ${RANGER_HOME}/kms && ./ranger-kms-services.sh start RANGER_KMS_PID=`ps -ef | grep -v grep | grep "Dproc_rangerkms" | awk '{print $2}'`
[ranger] branch ranger-2.4 updated: RANGER-3982: updated Python client to support Ranger KMS REST APIs
This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch ranger-2.4 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.4 by this push: new 28f3c09d1 RANGER-3982: updated Python client to support Ranger KMS REST APIs 28f3c09d1 is described below commit 28f3c09d1fb32bd72414b927f63b66100e7ea0dd Author: Madhan Neethiraj AuthorDate: Wed Nov 23 17:17:50 2022 -0800 RANGER-3982: updated Python client to support Ranger KMS REST APIs (cherry picked from commit d0c6bdb6eb193d849bbf0cea8d7c425c0901981d) --- intg/src/main/python/README.md | 110 ++- .../python/apache_ranger/client/ranger_client.py | 29 +++- .../apache_ranger/client/ranger_kms_client.py | 157 + intg/src/main/python/apache_ranger/exceptions.py | 11 +- .../main/python/apache_ranger/model/ranger_base.py | 17 ++- .../main/python/apache_ranger/model/ranger_kms.py | 77 ++ intg/src/main/python/apache_ranger/utils.py| 26 +++- intg/src/main/python/setup.py | 2 +- 8 files changed, 411 insertions(+), 18 deletions(-) diff --git a/intg/src/main/python/README.md b/intg/src/main/python/README.md index f21628fb0..46de769fc 100644 --- a/intg/src/main/python/README.md +++ b/intg/src/main/python/README.md @@ -35,7 +35,7 @@ Verify if apache-ranger client is installed: Package Version - -apache-ranger 0.0.7 +apache-ranger 0.0.8 ``` ## Usage 
@@ -120,4 +120,112 @@ ranger.delete_service_by_id(created_service.id) print('deleted service: id=' + str(created_service.id)) ``` + +```python test_ranger_kms.py``` +```python +# test_ranger_kms.py +from apache_ranger.client.ranger_kms_client import RangerKMSClient +from apache_ranger.client.ranger_client import HadoopSimpleAuth +from apache_ranger.model.ranger_kms import RangerKey +import time + + +## +## Step 1: create a client to connect to Apache Ranger KMS +## +kms_url = 'http://localhost:9292' +kms_auth = HadoopSimpleAuth('keyadmin') + +# For Kerberos authentication +# +# from requests_kerberos import HTTPKerberosAuth +# +# kms_auth = HTTPKerberosAuth() +# +# For HTTP Basic authentication +# +# kms_auth = ('keyadmin', 'rangerR0cks!') + +kms_client = RangerKMSClient(kms_url, kms_auth) + + + +## +## Step 2: Let's call KMS APIs +## + +kms_status = kms_client.kms_status() +print('kms_status():', kms_status) +print() + +key_name = 'test_' + str(int(time.time() * 1000)) + +key = kms_client.create_key(RangerKey({'name':key_name})) +print('create_key(' + key_name + '):', key) +print() + +rollover_key = kms_client.rollover_key(key_name, key.material) +print('rollover_key(' + key_name + '):', rollover_key) +print() + +kms_client.invalidate_cache_for_key(key_name) +print('invalidate_cache_for_key(' + key_name + ')') +print() + +key_metadata = kms_client.get_key_metadata(key_name) +print('get_key_metadata(' + key_name + '):', key_metadata) +print() + +current_key = kms_client.get_current_key(key_name) +print('get_current_key(' + key_name + '):', current_key) +print() + +encrypted_keys = kms_client.generate_encrypted_key(key_name, 6) +print('generate_encrypted_key(' + key_name + ', ' + str(6) + '):') +for i in range(len(encrypted_keys)): + encrypted_key = encrypted_keys[i] + decrypted_key = kms_client.decrypt_encrypted_key(key_name, encrypted_key.versionName, encrypted_key.iv, encrypted_key.encryptedKeyVersion.material) + reencrypted_key = 
kms_client.reencrypt_encrypted_key(key_name, encrypted_key.versionName, encrypted_key.iv, encrypted_key.encryptedKeyVersion.material) + print(' encrypted_keys[' + str(i) + ']: ', encrypted_key) + print(' decrypted_key[' + str(i) + ']: ', decrypted_key) + print(' reencrypted_key[' + str(i) + ']:', reencrypted_key) +print() + +reencrypted_keys = kms_client.batch_reencrypt_encrypted_keys(key_name, encrypted_keys) +print('batch_reencrypt_encrypted_keys(' + key_name + ', ' + str(len(encrypted_keys)) + '):') +for i in range(len(reencrypted_keys)): + print(' batch_reencrypt_encrypted_key[' + str(i) + ']:', reencrypted_keys[i]) +print() + +key_versions = kms_client.get_key_versions(key_name) +print('get_key_versions(' + key_name + '):', len(key_versions)) +for i in range(len(key_versions)): + print(' key_versions[' + str(i) + ']:', key_versions[i]) +print() + +for i in range(len(key_versions)): + key_version = kms_client.get_key_version(key_versions[i].versionName) + print('get_key_version(' + str(i) + '):', key_version) +print() + +key_names = kms_client.get_key_names() +print('get_key_names():', len(key_names)) +for i in range(len(key_names)): + print(' key_name[' + str(i) + ']:', key_names[i]) +print() + +keys_metadata = kms_client.get_keys_metadata(key_names) +print('get_keys_metadata(' + str(key_names) + '):', len(keys_metadata)) +for i in range(len(keys_metadata)): + print(' key_
[ranger] branch master updated: RANGER-3982: updated Python client to support Ranger KMS REST APIs
This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new d0c6bdb6e RANGER-3982: updated Python client to support Ranger KMS REST APIs d0c6bdb6e is described below commit d0c6bdb6eb193d849bbf0cea8d7c425c0901981d Author: Madhan Neethiraj AuthorDate: Wed Nov 23 17:17:50 2022 -0800 RANGER-3982: updated Python client to support Ranger KMS REST APIs --- intg/src/main/python/README.md | 110 ++- .../python/apache_ranger/client/ranger_client.py | 29 +++- .../apache_ranger/client/ranger_kms_client.py | 157 + intg/src/main/python/apache_ranger/exceptions.py | 11 +- .../main/python/apache_ranger/model/ranger_base.py | 17 ++- .../main/python/apache_ranger/model/ranger_kms.py | 77 ++ intg/src/main/python/apache_ranger/utils.py| 26 +++- intg/src/main/python/setup.py | 2 +- 8 files changed, 411 insertions(+), 18 deletions(-) diff --git a/intg/src/main/python/README.md b/intg/src/main/python/README.md index f21628fb0..46de769fc 100644 --- a/intg/src/main/python/README.md +++ b/intg/src/main/python/README.md @@ -35,7 +35,7 @@ Verify if apache-ranger client is installed: Package Version - -apache-ranger 0.0.7 +apache-ranger 0.0.8 ``` ## Usage 
@@ -120,4 +120,112 @@ ranger.delete_service_by_id(created_service.id) print('deleted service: id=' + str(created_service.id)) ``` + +```python test_ranger_kms.py``` +```python +# test_ranger_kms.py +from apache_ranger.client.ranger_kms_client import RangerKMSClient +from apache_ranger.client.ranger_client import HadoopSimpleAuth +from apache_ranger.model.ranger_kms import RangerKey +import time + + +## +## Step 1: create a client to connect to Apache Ranger KMS +## +kms_url = 'http://localhost:9292' +kms_auth = HadoopSimpleAuth('keyadmin') + +# For Kerberos authentication +# +# from requests_kerberos import HTTPKerberosAuth +# +# kms_auth = HTTPKerberosAuth() +# +# For HTTP Basic authentication +# +# kms_auth = ('keyadmin', 'rangerR0cks!') + +kms_client = RangerKMSClient(kms_url, kms_auth) + + + +## +## Step 2: Let's call KMS APIs +## + +kms_status = kms_client.kms_status() +print('kms_status():', kms_status) +print() + +key_name = 'test_' + str(int(time.time() * 1000)) + +key = kms_client.create_key(RangerKey({'name':key_name})) +print('create_key(' + key_name + '):', key) +print() + +rollover_key = kms_client.rollover_key(key_name, key.material) +print('rollover_key(' + key_name + '):', rollover_key) +print() + +kms_client.invalidate_cache_for_key(key_name) +print('invalidate_cache_for_key(' + key_name + ')') +print() + +key_metadata = kms_client.get_key_metadata(key_name) +print('get_key_metadata(' + key_name + '):', key_metadata) +print() + +current_key = kms_client.get_current_key(key_name) +print('get_current_key(' + key_name + '):', current_key) +print() + +encrypted_keys = kms_client.generate_encrypted_key(key_name, 6) +print('generate_encrypted_key(' + key_name + ', ' + str(6) + '):') +for i in range(len(encrypted_keys)): + encrypted_key = encrypted_keys[i] + decrypted_key = kms_client.decrypt_encrypted_key(key_name, encrypted_key.versionName, encrypted_key.iv, encrypted_key.encryptedKeyVersion.material) + reencrypted_key = 
kms_client.reencrypt_encrypted_key(key_name, encrypted_key.versionName, encrypted_key.iv, encrypted_key.encryptedKeyVersion.material) + print(' encrypted_keys[' + str(i) + ']: ', encrypted_key) + print(' decrypted_key[' + str(i) + ']: ', decrypted_key) + print(' reencrypted_key[' + str(i) + ']:', reencrypted_key) +print() + +reencrypted_keys = kms_client.batch_reencrypt_encrypted_keys(key_name, encrypted_keys) +print('batch_reencrypt_encrypted_keys(' + key_name + ', ' + str(len(encrypted_keys)) + '):') +for i in range(len(reencrypted_keys)): + print(' batch_reencrypt_encrypted_key[' + str(i) + ']:', reencrypted_keys[i]) +print() + +key_versions = kms_client.get_key_versions(key_name) +print('get_key_versions(' + key_name + '):', len(key_versions)) +for i in range(len(key_versions)): + print(' key_versions[' + str(i) + ']:', key_versions[i]) +print() + +for i in range(len(key_versions)): + key_version = kms_client.get_key_version(key_versions[i].versionName) + print('get_key_version(' + str(i) + '):', key_version) +print() + +key_names = kms_client.get_key_names() +print('get_key_names():', len(key_names)) +for i in range(len(key_names)): + print(' key_name[' + str(i) + ']:', key_names[i]) +print() + +keys_metadata = kms_client.get_keys_metadata(key_names) +print('get_keys_metadata(' + str(key_names) + '):', len(keys_metadata)) +for i in range(len(keys_metadata)): + print(' key_metadata[' + str(i) + ']:', keys_metadata[i]) +print() + +key = kms_client.get_key(key
[ranger] branch ranger-2.4 updated: RANGER-3825: Ranger admin user is unable to change another user email after the upgrade
This is an automated email from the ASF dual-hosted git repository. pradeep pushed a commit to branch ranger-2.4 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.4 by this push: new 1f7e5a025 RANGER-3825: Ranger admin user is unable to change another user email after the upgrade 1f7e5a025 is described below commit 1f7e5a025f537fa54e9a0929340aaa8a7d8f1465 Author: pradeep AuthorDate: Wed Sep 28 19:27:36 2022 +0530 RANGER-3825: Ranger admin user is unable to change another user email after the upgrade --- .../src/main/java/org/apache/ranger/biz/UserMgr.java | 16 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java index f921654cc..eaaa15a11 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 
@@ -530,17 +530,17 @@ public class UserMgr { MessageEnums.OPER_NO_PERMISSION, null, null, "" + changeEmail); } - } else { - String encryptedOldPwd = encrypt(gjUser.getLoginId(), changeEmail.getOldPassword()); + } else { + String encryptedOldPwd = encrypt(gjUser.getLoginId(), changeEmail.getOldPassword()); + if (!stringUtil.equals(encryptedOldPwd, gjUser.getPassword())) { + encryptedOldPwd = encryptWithOlderAlgo(gjUser.getLoginId(), changeEmail.getOldPassword()); if (!stringUtil.equals(encryptedOldPwd, gjUser.getPassword())) { - logger.info("changeEmailAddress(). Invalid password. changeEmail=" - + changeEmail); - throw restErrorUtil.createRESTException( - "serverMsg.userMgrWrongPassword", - MessageEnums.OPER_NO_PERMISSION, null, null, "" - + changeEmail); + logger.info("changeEmailAddress(). Invalid password. changeEmail=" + changeEmail); + throw restErrorUtil.createRESTException("serverMsg.userMgrWrongPassword", + MessageEnums.OPER_NO_PERMISSION, null, null, "" + changeEmail); } } + } // Normalize email. Make it lower case gjUser.setEmailAddress(stringUtil.normalizeEmail(changeEmail
[ranger] branch master updated: RANGER-3825: Ranger admin user is unable to change another user email after the upgrade
This is an automated email from the ASF dual-hosted git repository. pradeep pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 32687a172 RANGER-3825: Ranger admin user is unable to change another user email after the upgrade 32687a172 is described below commit 32687a172b0da31cf01b285a0123a81dcd7e6da9 Author: pradeep AuthorDate: Wed Sep 28 19:27:36 2022 +0530 RANGER-3825: Ranger admin user is unable to change another user email after the upgrade --- security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index 086c6e5d7..d5393603e 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -472,9 +472,12 @@ public class UserMgr {
 } else {
 String encryptedOldPwd = encrypt(gjUser.getLoginId(), changeEmail.getOldPassword());
 if (!stringUtil.equals(encryptedOldPwd, gjUser.getPassword())) {
- logger.info("changeEmailAddress(). Invalid password. changeEmail=" + changeEmail);
- throw restErrorUtil.createRESTException("serverMsg.userMgrWrongPassword",
- MessageEnums.OPER_NO_PERMISSION, null, null, "" + changeEmail);
+ encryptedOldPwd = encryptWithOlderAlgo(gjUser.getLoginId(), changeEmail.getOldPassword());
+ if (!stringUtil.equals(encryptedOldPwd, gjUser.getPassword())) {
+ logger.info("changeEmailAddress(). Invalid password. changeEmail=" + changeEmail);
+ throw restErrorUtil.createRESTException("serverMsg.userMgrWrongPassword",
+ MessageEnums.OPER_NO_PERMISSION, null, null, "" + changeEmail);
+ }
 }
 }
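Review bot: When the `encryptWithOlderAlgo(...)` comparison succeeds, nothing in this hunk re-encodes the stored password with `encrypt(...)` or records that a legacy-format hash was accepted, so unless another path migrates it the account keeps the older encoding indefinitely. At minimum the fallback deserves a comment such as `// stored password may predate the current encrypt() algorithm (RANGER-3825); accept the legacy form` and a debug log on the legacy match so the remaining legacy accounts can be counted. The failure branch also still concatenates `changeEmail` into both the log line and the REST error; that object carries `getOldPassword()`, so if its `toString()` prints that field the submitted password reaches logs and responses, and `logger.info("changeEmailAddress(). Invalid password. loginId=" + gjUser.getLoginId());` would avoid that. The body of changeEmailAddress() starts and ends outside the hunk, and the same code is in the ranger-2.4 cherry-pick above (the `@@ -530,17 +530,17 @@` hunk).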