Re: Review Request 62024: RANGER-1756: Handle role related restrictions for users having User role.

2017-09-27 Thread Nikhil P


> On Sept. 28, 2017, 12:10 a.m., Ramesh Mani wrote:
> > security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
> > Line 361 (original), 370 (patched)
> > 
> >
> > Will CollectionUtils.size be more than 1? If so, change this check 
> > CollectionUtils.size(userRolesList) == 1 to 
> > CollectionUtils.size(userRolesList) > 0

We don't want the code flow to go into the if loop if the userRolesList size is 
more than 1. The if loop should be executed only when userRolesList contains 
one entry, i.e. ROLE_USER.


- Nikhil


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62024/#review186457
---


On Sept. 27, 2017, 4:57 p.m., Nitin Galave wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62024/
> ---
> 
> (Updated Sept. 27, 2017, 4:57 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Fatima Khan, Gautam Borad, Mehul 
> Parikh, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1756
> https://issues.apache.org/jira/browse/RANGER-1756
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Handle role related restrictions for users having User role.
> 
> 
> Diffs
> -
> 
>   agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java 320a9a4 
>   security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 739ea05 
>   security-admin/src/main/webapp/scripts/utils/XAUtils.js ecf43ad 
> 
> 
> Diff: https://reviews.apache.org/r/62024/diff/4/
> 
> 
> Testing
> ---
> 
> Verified scenarios:
> 1. A user with ROLE_ADMIN is able to see users who have USER_ROLE/ADMIN_ROLE.
> 2. A user with ROLE_KEYADMIN is able to see users who have 
> USER_ROLE/KEYADMIN_ROLE.
> 3. A user with role ROLE_USER is able to see only himself.
> 
> 
> Thanks,
> 
> Nitin Galave
> 
>



[jira] [Updated] (RANGER-1812) Object HTableDescriptor can be used directly at getTableList() method for HBaseClient class

2017-09-27 Thread WangYuan (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1812?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

WangYuan updated RANGER-1812:
-
Attachment: 0001-RANGER-1812-Object-HTableDescriptor-can-be-used-dire.patch

> Object HTableDescriptor can be used directly at getTableList() method for 
> HBaseClient class
> ---
>
> Key: RANGER-1812
> URL: https://issues.apache.org/jira/browse/RANGER-1812
> Project: Ranger
> Issue Type: Bug
> Components: plugins, Ranger
> Affects Versions: master
> Reporter: WangYuan
> Assignee: WangYuan
> Priority: Minor
> Attachments: 0001-RANGER-1812-Object-HTableDescriptor-can-be-used-dire.patch
>
>
> Object HTableDescriptor can be used directly at getTableList() method for 
> HBaseClient class
> {code:title=HBaseClient.java}
> public List getTableList(final String tableNameMatching, final List existingTableList) throws HadoopException {
>     ... ...
>     HTableDescriptor[] htds = admin.listTables(tableNameMatching);
>     if (htds != null) {
>         for (HTableDescriptor htd : admin.listTables(tableNameMatching)) {
>             // The object htds can be used directly instead of listTables once again
>             // for (HTableDescriptor htd : htds)
>             String tableName = htd.getNameAsString();
>             if (existingTableList != null && existingTableList.contains(tableName)) {
>                 continue;
>             } else {
>                 tableList.add(htd.getNameAsString());
>             }
>         }
>     }
>     ... ...
> }
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


Review Request 62650: Object HTableDescriptor can be used directly at getTableList() method for HBaseClient class

2017-09-27 Thread wang yuan

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62650/
---

Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
Neethiraj, Velmurugan Periasamy, and Qiang Zhang.


Bugs: RANGER-1812
https://issues.apache.org/jira/browse/RANGER-1812


Repository: ranger


Description
---

Object HTableDescriptor can be used directly at getTableList() method for 
HBaseClient class

{code:title=HBaseClient.java}
public List getTableList(final String tableNameMatching, final List existingTableList) throws HadoopException {
    ... ...
    HTableDescriptor[] htds = admin.listTables(tableNameMatching);
    if (htds != null) {
        for (HTableDescriptor htd : admin.listTables(tableNameMatching)) {
            // The object htds can be used directly instead of listTables once again
            // for (HTableDescriptor htd : htds)
            String tableName = htd.getNameAsString();
            if (existingTableList != null && existingTableList.contains(tableName)) {
                continue;
            } else {
                tableList.add(htd.getNameAsString());
            }
        }
    }
    ... ...
}
{code}


Diffs
-

  
  hbase-agent/src/main/java/org/apache/ranger/services/hbase/client/HBaseClient.java d9870e39 


Diff: https://reviews.apache.org/r/62650/diff/1/


Testing
---


Thanks,

wang yuan



[jira] [Created] (RANGER-1812) Object HTableDescriptor can be used directly at getTableList() method for HBaseClient class

2017-09-27 Thread WangYuan (JIRA)
WangYuan created RANGER-1812:


Summary: Object HTableDescriptor can be used directly at getTableList() method for HBaseClient class
Key: RANGER-1812
URL: https://issues.apache.org/jira/browse/RANGER-1812
Project: Ranger
Issue Type: Bug
Components: plugins, Ranger
Affects Versions: master
Reporter: WangYuan
Assignee: WangYuan
Priority: Minor


Object HTableDescriptor can be used directly at getTableList() method for 
HBaseClient class

{code:title=HBaseClient.java}
public List getTableList(final String tableNameMatching, final List existingTableList) throws HadoopException {
    ... ...
    HTableDescriptor[] htds = admin.listTables(tableNameMatching);
    if (htds != null) {
        for (HTableDescriptor htd : admin.listTables(tableNameMatching)) {
            // The object htds can be used directly instead of listTables once again
            // for (HTableDescriptor htd : htds)
            String tableName = htd.getNameAsString();
            if (existingTableList != null && existingTableList.contains(tableName)) {
                continue;
            } else {
                tableList.add(htd.getNameAsString());
            }
        }
    }
    ... ...
}
{code}





Re: Review Request 62436: RANGER-1779 : last resource gets duplicated during update policy if policy is created through public api rest call

2017-09-27 Thread Alejandro Fernandez

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62436/#review186486
---


Ship It!

- Alejandro Fernandez


On Sept. 27, 2017, 10:10 a.m., Nikhil P wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62436/
> ---
> 
> (Updated Sept. 27, 2017, 10:10 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay 
> Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan 
> Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1779
> https://issues.apache.org/jira/browse/RANGER-1779
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> 1) Create a policy with multiple resources *,default using the public API.
> 2) Go to the Ranger admin UI and update the policy without any change.
> 3) View the policy again.
> Issue:
> default gets duplicated as a resource in the policy,
> and a new entry is even added in the resource map table for the last resource.
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java da65074 
>   security-admin/src/main/java/org/apache/ranger/patch/PatchForNifiResourceUpdateExclude_J10008.java 634082c 
>   security-admin/src/main/java/org/apache/ranger/patch/PatchForNifiResourceUpdateExclude_J10011.java PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/62436/diff/4/
> 
> 
> Testing
> ---
> 
> 1) Verified that the same resource does not get duplicated during create and 
> update policy.
> 2) Verified that resource duplication does not happen through the public API and 
> Public APIv2 as well.
> 3) Verified that policies are getting created with multiple distinct resources.
> 
> 
> Thanks,
> 
> Nikhil P
> 
>



Re: Review Request 62437: RANGER-1779 : last resource gets duplicated during update policy if policy is created through public api rest call

2017-09-27 Thread Velmurugan Periasamy

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62437/#review186463
---


Ship It!

- Velmurugan Periasamy


On Sept. 27, 2017, 10:11 a.m., Nikhil P wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62437/
> ---
> 
> (Updated Sept. 27, 2017, 10:11 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay 
> Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan 
> Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1779
> https://issues.apache.org/jira/browse/RANGER-1779
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> 1) Create a policy with multiple resources *,default using the public API.
> 2) Go to the Ranger admin UI and update the policy without any change.
> 3) View the policy again.
> Issue:
> default gets duplicated as a resource in the policy,
> and a new entry is even added in the resource map table for the last resource.
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 63fdf4f 
>   security-admin/src/main/java/org/apache/ranger/patch/PatchForNifiResourceUpdateExclude_J10008.java 634082c 
>   security-admin/src/main/java/org/apache/ranger/patch/PatchForNifiResourceUpdateExclude_J10011.java PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/62437/diff/4/
> 
> 
> Testing
> ---
> 
> 1) Verified that the same resource does not get duplicated during create and 
> update policy.
> 2) Verified that resource duplication does not happen through the public API and 
> Public APIv2 as well.
> 3) Verified that policies are getting created with multiple distinct resources.
> 
> 
> Thanks,
> 
> Nikhil P
> 
>



Re: Review Request 62436: RANGER-1779 : last resource gets duplicated during update policy if policy is created through public api rest call

2017-09-27 Thread Velmurugan Periasamy

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62436/#review186462
---


Ship It!

- Velmurugan Periasamy





[jira] [Updated] (RANGER-1727) Ranger allows user to change an external user's password with 'null' old password

2017-09-27 Thread Velmurugan Periasamy (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1727?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-1727:
-
Fix Version/s: 0.7.2

> Ranger allows user to change an external user's password with 'null' old 
> password
> -
>
> Key: RANGER-1727
> URL: https://issues.apache.org/jira/browse/RANGER-1727
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Pradeep Agrawal
> Assignee: Fatima Amjad Khan
> Fix For: 1.0.0, 0.7.2
>
> Attachments: 0001-RANGER-1727.patch, 0001-RANGER-1727-V1.patch
>
>






Re: Review Request 62024: RANGER-1756: Handle role related restrictions for users having User role.

2017-09-27 Thread Alejandro Fernandez

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62024/#review186458
---


Ship It!

- Alejandro Fernandez


On Sept. 27, 2017, 11:27 a.m., Nitin Galave wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62024/
> ---
> 
> (Updated Sept. 27, 2017, 11:27 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Fatima Khan, Gautam Borad, Mehul 
> Parikh, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1756
> https://issues.apache.org/jira/browse/RANGER-1756
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Handle role related restrictions for users having User role.
> 
> 
> Diffs
> -
> 
>   agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java 320a9a4 
>   security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 739ea05 
>   security-admin/src/main/webapp/scripts/utils/XAUtils.js ecf43ad 
> 
> 
> Diff: https://reviews.apache.org/r/62024/diff/4/
> 
> 
> Testing
> ---
> 
> Verified scenarios:
> 1. A user with ROLE_ADMIN is able to see users who have USER_ROLE/ADMIN_ROLE.
> 2. A user with ROLE_KEYADMIN is able to see users who have 
> USER_ROLE/KEYADMIN_ROLE.
> 3. A user with role ROLE_USER is able to see only himself.
> 
> 
> Thanks,
> 
> Nitin Galave
> 
>



Re: Review Request 62024: RANGER-1756: Handle role related restrictions for users having User role.

2017-09-27 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62024/#review186457
---




security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
Lines 353 (patched)


Why do you need to create a VXUserList() instance? Just return the value from 
xUserMgr.searchXUsers(searchCriteria) as it was earlier.



security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
Line 361 (original), 370 (patched)


Will CollectionUtils.size be more than 1? If so, change this check 
CollectionUtils.size(userRolesList) == 1 to 
CollectionUtils.size(userRolesList) > 0


- Ramesh Mani





Re: Review Request 62437: RANGER-1779 : last resource gets duplicated during update policy if policy is created through public api rest call

2017-09-27 Thread Alejandro Fernandez

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62437/#review186452
---




security-admin/src/main/java/org/apache/ranger/patch/PatchForNifiResourceUpdateExclude_J10011.java
Lines 108 (patched)


Might want to add some javadoc


- Alejandro Fernandez





Re: Review Request 62520: Here is a error in getStatusResponse() when post data exception for AtlasClient class

2017-09-27 Thread Alejandro Fernandez

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62520/#review186451
---


Ship It!

- Alejandro Fernandez


On Sept. 27, 2017, 1:59 a.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62520/
> ---
> 
> (Updated Sept. 27, 2017, 1:59 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1802
> https://issues.apache.org/jira/browse/RANGER-1802
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Here is a error in getStatusResponse() when post data exception for 
> AtlasClient class
> {code}
> try {
>     statusResponse = webResource.type("application/x-www-form-urlencoded").post(ClientResponse.class, formData);
> } catch (Exception e) {
>     String msgDesc = "Unable to get a valid statusResponse for " + "expected mime type : ["
>             + EXPECTED_MIME_TYPE + "] URL : " + statusUrl + " - got null response.";
>     LOG.error(msgDesc);
> }
> {code}
> 
> should be
> 
> {code}
> try {
>     statusResponse = webResource.type("application/x-www-form-urlencoded").post(ClientResponse.class, formData);
> } catch (Exception e) {
>     String msgDesc = "Unable to get a valid statusResponse for " + "expected mime type : [application/x-www-form-urlencoded] URL : " + statusUrl + " - got null response.";
>     LOG.error(msgDesc);
> }
> {code}
> 
> 
> Diffs
> -
> 
>   plugin-atlas/src/main/java/org/apache/ranger/services/atlas/client/AtlasClient.java c10da79c 
> 
> 
> Diff: https://reviews.apache.org/r/62520/diff/5/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> pengjianhua
> 
>



Re: Review Request 62567: RANGER-1727 : Ranger allows user to change an external user's password with 'null' old password

2017-09-27 Thread Alejandro Fernandez

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62567/#review186450
---


Ship It!

- Alejandro Fernandez


On Sept. 26, 2017, 11:56 a.m., Fatima Khan wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62567/
> ---
> 
> (Updated Sept. 26, 2017, 11:56 a.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, 
> Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja 
> Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1727
> https://issues.apache.org/jira/browse/RANGER-1727
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ranger allows user to change an external user's password with 'null' old 
> password
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java cc81029 
>   security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 447aebb 
>   security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java d0fb3dc 
> 
> 
> Diff: https://reviews.apache.org/r/62567/diff/1/
> 
> 
> Testing
> ---
> 
> 1. An external user is not able to change the password using Ranger APIs (same 
> as UI).
> 2. Verified all the existing unit tests are passing.
> 3. Verified the password change feature for internal users.
> 
> 
> Thanks,
> 
> Fatima Khan
> 
>



Re: Review Request 62534: RANGER-1748 : User is unable to update existing policy while importing policy from file

2017-09-27 Thread Alejandro Fernandez

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62534/#review186448
---


Fix it, then Ship it!





security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
Lines 2274 (patched)


Add some javadoc to this method.



security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
Lines 2275 (patched)


Nitpick, small typo in "Policies"


- Alejandro Fernandez


On Sept. 27, 2017, 3:52 a.m., bhavik patel wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62534/
> ---
> 
> (Updated Sept. 27, 2017, 3:52 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay 
> Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan 
> Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1748
> https://issues.apache.org/jira/browse/RANGER-1748
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Currently, if a user is importing policies from a file and wants to update any 
> policy for a specific resource, that is not allowed.
> 
> For the given resource following rules shall apply:
> 
> 1. If a policy contains one or more resources along with given resource then 
> the policy will not be exported.
> 2. If a policy contains one or more resources along with given resource then 
> the policy will not be deleted from target ranger during import call.
> 
> **Note:**
> Export policy example URL: 
> http://localhost:6080/service/plugins/policies/exportJson?serviceName=source_hive&polResource=employee&resource:database=employee&serviceType=hive&resourceMatchScope=self_or_ancestor
> Import policy example URL: 
> http://localhost:6080/service/plugins/policies/importPoliciesFromFile?updateIfExists=true&polResource=employee
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java f1ce3af 
> 
> 
> Diff: https://reviews.apache.org/r/62534/diff/1/
> 
> 
> Testing
> ---
> 
> 1. Verified policies are getting updated while importing from file for 
> specific resource.
> 
> 
> Thanks,
> 
> bhavik patel
> 
>



Re: Review Request 62024: RANGER-1756: Handle role related restrictions for users having User role.

2017-09-27 Thread Velmurugan Periasamy

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62024/#review186416
---


Fix it, then Ship it!





agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java
Line 74 (original), 74 (patched)


Fix PMD violation - Avoid unused local variable


- Velmurugan Periasamy





Re: Review Request 62567: RANGER-1727 : Ranger allows user to change an external user's password with 'null' old password

2017-09-27 Thread Velmurugan Periasamy

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62567/#review186417
---


Ship It!

- Velmurugan Periasamy





[jira] [Commented] (RANGER-1796) Updated masking policy for hive to support for deny/allowException/denyExceptions

2017-09-27 Thread Madhan Neethiraj (JIRA)

[ 
https://issues.apache.org/jira/browse/RANGER-1796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16182703#comment-16182703
 ] 

Madhan Neethiraj commented on RANGER-1796:
--

bq. you still use the previous way to deal with the case. 
[~peng.jianhua] - then why is this change (to allow deny & exceptions for 
masking policies) necessary?

> Updated masking policy for hive  to support for 
> deny/allowException/denyExceptions
> --
>
> Key: RANGER-1796
> URL: https://issues.apache.org/jira/browse/RANGER-1796
> Project: Ranger
> Issue Type: New Feature
> Components: plugins
> Affects Versions: 1.0.0, master
> Reporter: peng.jianhua
> Assignee: peng.jianhua
> Labels: newbie, patch
> Attachments: 0001-RANGER-1796-Updated-masking-policy-for-hive-to-suppo.patch, 
> masking-03.png, masking2.png, usecase-01.png
>
>
> Masking policy for hive should support 
> deny/allowException/denyExceptions to meet further business needs. For example, 
> masking policy for hive should support the following scenario, among others:
> USER1, USER2 and USER3 belong to the user group GROUPA. GROUPA is selected 
> when the masking policy is created. USER1 does not use masking, and USER2 and 
> USER3 need masking.
> We rigorously tested this issue. The test result shows that the feature is ok.





[jira] [Updated] (RANGER-1811) Ranger Admin UI Policy Folder Hierarchies for organizing lots of policies

2017-09-27 Thread Hari Sekhon (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1811?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Hari Sekhon updated RANGER-1811:

Description: 
Feature Request to add policy folder hierarchy organization with the ability to 
expand / collapse sections of hierarchies.

A customer has requested this because they are using the Ranger API to generate 
policies and have nearly 12,000 policies for each of the HDFS and Hive 
services, scrolling through 400 pages of policies in Ranger Admin UI doesn't 
make sense.

This is somewhat offset by the policy search feature but in terms of 
organization once you have a lot of policies it makes sense to be able to put 
them in folder hierarchies that you can expand / collapse rather than having a 
flat list of 12,000 policies.

  was:
Feature Request to add policy folder hierarchy organization with the ability to 
expand/collapse sections of hierarchies.

A customer has requested this because they are using the Ranger API to generate 
policies and have nearly 12,000 policies for each of the HDFS and Hive 
services, scrolling through 400 pages of policies in Ranger Admin UI doesn't 
make sense.

This is somewhat offset by the policy search feature but in terms of 
organization once you have a lot of policies it makes sense to be able to put 
them in folder hierarchies that you can expand/collapse rather than having a 
flat list of 12,000 policies.


> Ranger Admin UI Policy Folder Hierarchies for organizing lots of policies
> -
>
> Key: RANGER-1811
> URL: https://issues.apache.org/jira/browse/RANGER-1811
> Project: Ranger
> Issue Type: New Feature
> Components: admin, Ranger
> Affects Versions: 0.7.0
> Environment: HDP 2.6.1
> Reporter: Hari Sekhon
>
> Feature Request to add policy folder hierarchy organization with the ability 
> to expand / collapse sections of hierarchies.
> A customer has requested this because they are using the Ranger API to 
> generate policies and have nearly 12,000 policies for each of the HDFS and 
> Hive services, scrolling through 400 pages of policies in Ranger Admin UI 
> doesn't make sense.
> This is somewhat offset by the policy search feature but in terms of 
> organization once you have a lot of policies it makes sense to be able to put 
> them in folder hierarchies that you can expand / collapse rather than having 
> a flat list of 12,000 policies.





[jira] [Updated] (RANGER-1811) Ranger Admin UI Policy Folder Hierarchies for organizing lots of policies

2017-09-27 Thread Hari Sekhon (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1811?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Hari Sekhon updated RANGER-1811:

Description: 
Feature Request to add policy folder hierarchy organization with ability to 
expand/collapse sections of hierarchies.

A customer has requested this because they are using the Ranger API to generate 
policies and have nearly 12,000 policies for each of the HDFS and Hive 
services, scrolling through 400 pages of policies in Ranger Admin UI doesn't 
make sense.

This is somewhat offset by the policy search feature but in terms of 
organization once you have a lot of policies it makes sense to be able to put 
them in folder hierarchies that you can expand/collapse rather than having a 
flat list of 12,000 policies.

  was:
Feature Request to add policy folder hierarchy organization with ability to 
expand/collapse sections of hierarchies.

A customer has requested this because they are using the Ranger API to generate 
policies and have nearly 12,000 policies for each of the HDFS and Hive services 
in Ranger, scrolling through 400 pages of policies doesn't make sense.

This is somewhat offset by the policy search feature but in terms of 
organization once you have a lot of policies it makes sense to be able to put 
them in folder hierarchies that you can expand/collapse rather than having a 
flat list of 12,000 policies.


> Ranger Admin UI Policy Folder Hierarchies for organizing lots of policies
> -
>
> Key: RANGER-1811
> URL: https://issues.apache.org/jira/browse/RANGER-1811
> Project: Ranger
> Issue Type: New Feature
> Components: admin, Ranger
> Affects Versions: 0.7.0
> Environment: HDP 2.6.1
> Reporter: Hari Sekhon
>
> Feature Request to add policy folder hierarchy organization with ability to 
> expand/collapse sections of hierarchies.
> A customer has requested this because they are using the Ranger API to 
> generate policies and have nearly 12,000 policies for each of the HDFS and 
> Hive services, scrolling through 400 pages of policies in Ranger Admin UI 
> doesn't make sense.
> This is somewhat offset by the policy search feature but in terms of 
> organization once you have a lot of policies it makes sense to be able to put 
> them in folder hierarchies that you can expand/collapse rather than having a 
> flat list of 12,000 policies.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Updated] (RANGER-1811) Ranger Admin UI Policy Folder Hierarchies for organizing lots of policies

2017-09-27 Thread Hari Sekhon (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1811?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Hari Sekhon updated RANGER-1811:

Description: 
Feature Request to add policy folder hierarchy organization with the ability to 
expand/collapse sections of hierarchies.

A customer has requested this because they are using the Ranger API to generate 
policies and have nearly 12,000 policies for each of the HDFS and Hive 
services, scrolling through 400 pages of policies in Ranger Admin UI doesn't 
make sense.

This is somewhat offset by the policy search feature but in terms of 
organization once you have a lot of policies it makes sense to be able to put 
them in folder hierarchies that you can expand/collapse rather than having a 
flat list of 12,000 policies.

  was:
Feature Request to add policy folder hierarchy organization with ability to 
expand/collapse sections of hierarchies.

A customer has requested this because they are using the Ranger API to generate 
policies and have nearly 12,000 policies for each of the HDFS and Hive 
services, scrolling through 400 pages of policies in Ranger Admin UI doesn't 
make sense.

This is somewhat offset by the policy search feature but in terms of 
organization once you have a lot of policies it makes sense to be able to put 
them in folder hierarchies that you can expand/collapse rather than having a 
flat list of 12,000 policies.


> Ranger Admin UI Policy Folder Hierarchies for organizing lots of policies
> -
>
> Key: RANGER-1811
> URL: https://issues.apache.org/jira/browse/RANGER-1811
> Project: Ranger
> Issue Type: New Feature
> Components: admin, Ranger
> Affects Versions: 0.7.0
> Environment: HDP 2.6.1
> Reporter: Hari Sekhon
>
> Feature Request to add policy folder hierarchy organization with the ability 
> to expand/collapse sections of hierarchies.
> A customer has requested this because they are using the Ranger API to 
> generate policies and have nearly 12,000 policies for each of the HDFS and 
> Hive services, scrolling through 400 pages of policies in Ranger Admin UI 
> doesn't make sense.
> This is somewhat offset by the policy search feature but in terms of 
> organization once you have a lot of policies it makes sense to be able to put 
> them in folder hierarchies that you can expand/collapse rather than having a 
> flat list of 12,000 policies.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Created] (RANGER-1811) Ranger Admin UI Policy Folder Hierarchies for organizing lots of policies

2017-09-27 Thread Hari Sekhon (JIRA)
Hari Sekhon created RANGER-1811:
---

 Summary: Ranger Admin UI Policy Folder Hierarchies for organizing 
lots of policies
 Key: RANGER-1811
 URL: https://issues.apache.org/jira/browse/RANGER-1811
 Project: Ranger
  Issue Type: New Feature
  Components: admin, Ranger
Affects Versions: 0.7.0
 Environment: HDP 2.6.1
Reporter: Hari Sekhon


Feature Request to add policy folder hierarchy organization with ability to 
expand/collapse sections of hierarchies.

A customer has requested this because they are using the Ranger API to generate 
policies and have nearly 12,000 policies for each of the HDFS and Hive services 
in Ranger, scrolling through 400 pages of policies doesn't make sense.

This is somewhat offset by the policy search feature but in terms of 
organization once you have a lot of policies it makes sense to be able to put 
them in folder hierarchies that you can expand/collapse rather than having a 
flat list of 12,000 policies.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (RANGER-1806) Good coding practice in Ranger recommended by static code analysis

2017-09-27 Thread Fatima Amjad Khan (JIRA)

[ 
https://issues.apache.org/jira/browse/RANGER-1806?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16182522#comment-16182522
 ] 

Fatima Amjad Khan commented on RANGER-1806:
---

Committed on Master : 
https://github.com/apache/ranger/commit/243b72965a26e5b2efbb77f00fb88d5ef2ca6b9c
Committed on ranger-0.7 : 
https://github.com/apache/ranger/commit/78ffe3f534398e0a4127827ad73671c136581b71

> Good coding practice in Ranger recommended by static code analysis
> --
>
> Key: RANGER-1806
> URL: https://issues.apache.org/jira/browse/RANGER-1806
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: master, 0.7.1
> Reporter: Fatima Amjad Khan
> Assignee: Fatima Amjad Khan
> Fix For: master, 0.7.1
>
> Attachments: 0001-RANGER-1806.patch, 0001-RANGER-1806-v1.patch
>
>
> Good coding practice in Ranger recommended by static code analysis on the 
> last commit made.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Updated] (RANGER-1779) last resource gets duplicated during update policy if policy is created through public api rest call

2017-09-27 Thread Nikhil Purbhe (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nikhil Purbhe updated RANGER-1779:
--
Attachment: RANGER-1779_3 _0.7.patch
RANGER-1779_3.patch

> last resource gets duplicated during update policy if policy is created 
> through public api rest call
> 
>
> Key: RANGER-1779
> URL: https://issues.apache.org/jira/browse/RANGER-1779
> Project: Ranger
> Issue Type: Bug
> Components: admin
> Affects Versions: master
> Reporter: Deepak Sharma
> Assignee: Nikhil Purbhe
> Fix For: 1.0.0, 0.7.2
>
> Attachments: RANGER-1779-0.7.patch, RANGER-1779_3 _0.7.patch, 
> RANGER-1779_3.patch, RANGER-1779.patch
>
>
> scenario:
> 1) create a policy with multiple resource *,default using public api
> 2) go to ranger admin ui and update the policy without any change
> 3) again view the policy.
> Issue:
> default gets duplicated as resource in the policy.
> and even new entry is added in resource map table for the last resource.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


Re: Review Request 61021: RANGER-1672:Ranger supports plugin to enable, monitor and manage apache kylin

2017-09-27 Thread pengjianhua


> On Sept. 27, 2017, 9:33 a.m., pengjianhua wrote:
> > The https://issues.apache.org/jira/browse/KYLIN-2703 I submitted had been 
> > resolved. Our test experts have rigorously tested this issue. At the same 
> > time the Kyligence company which is Apache kylin's main contributor will 
> > soon use this feature.
> 
> Colm O hEigeartaigh wrote:
> When will Kylin 2.2.0 be released? If we merge a dependency on a SNAPSHOT 
> version in Ranger, we can't release Ranger until Kylin is released. Do you 
> have any documentation on how to set up a simple test-scenario?

Ok. The Kylin 2.2.0 will be released in late October.


- pengjianhua


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61021/#review186391
---


On Sept. 27, 2017, 9:19 a.m., Qiang Zhang wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/61021/
> ---
> 
> (Updated Sept. 27, 2017, 9:19 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, pengjianhua, Ramesh Mani, 
> Selvamohan Neethiraj, sam  rome, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1672
> https://issues.apache.org/jira/browse/RANGER-1672
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ranger supports plugin to enable, monitor and manage apache kylin
> 
> 
> Diffs
> -
> 
>   agents-common/scripts/enable-agent.sh d31a264
>   agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java 9463ab8
>   agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java 58cdd35
>   agents-common/src/main/resources/service-defs/ranger-servicedef-kylin.json PRE-CREATION
>   plugin-kylin/.gitignore PRE-CREATION
>   plugin-kylin/conf/ranger-kylin-audit-changes.cfg PRE-CREATION
>   plugin-kylin/conf/ranger-kylin-audit.xml PRE-CREATION
>   plugin-kylin/conf/ranger-kylin-security-changes.cfg PRE-CREATION
>   plugin-kylin/conf/ranger-kylin-security.xml PRE-CREATION
>   plugin-kylin/conf/ranger-policymgr-ssl-changes.cfg PRE-CREATION
>   plugin-kylin/conf/ranger-policymgr-ssl.xml PRE-CREATION
>   plugin-kylin/pom.xml PRE-CREATION
>   plugin-kylin/scripts/install.properties PRE-CREATION
>   plugin-kylin/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java PRE-CREATION
>   plugin-kylin/src/main/java/org/apache/ranger/services/kylin/RangerServiceKylin.java PRE-CREATION
>   plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinClient.java PRE-CREATION
>   plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinResourceMgr.java PRE-CREATION
>   plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/json/model/KylinCubeResponse.java PRE-CREATION
>   plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/json/model/KylinProjectResponse.java PRE-CREATION
>   pom.xml 3958014
>   ranger-kylin-plugin-shim/.gitignore PRE-CREATION
>   ranger-kylin-plugin-shim/pom.xml PRE-CREATION
>   ranger-kylin-plugin-shim/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java PRE-CREATION
>   src/main/assembly/admin-web.xml 0e97818
>   src/main/assembly/plugin-kylin.xml PRE-CREATION
> 
> 
> Diff: https://reviews.apache.org/r/61021/diff/3/
> 
> 
> Testing
> ---
> 
> Tested
> 
> 
> Thanks,
> 
> Qiang Zhang
> 
>



Re: Review Request 62024: RANGER-1756: Handle role related restrictions for users having User role.

2017-09-27 Thread Nitin Galave

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62024/
---

(Updated Sept. 27, 2017, 11:27 a.m.)


Review request for ranger, Ankita Sinha, Fatima Khan, Gautam Borad, Mehul 
Parikh, and Velmurugan Periasamy.


Changes
---

Updated patch with best coding practices.


Bugs: RANGER-1756
https://issues.apache.org/jira/browse/RANGER-1756


Repository: ranger


Description
---

Handle role related restrictions for users having User role.


Diffs (updated)
-

  agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java 320a9a4
  security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 739ea05
  security-admin/src/main/webapp/scripts/utils/XAUtils.js ecf43ad


Diff: https://reviews.apache.org/r/62024/diff/4/

Changes: https://reviews.apache.org/r/62024/diff/3-4/


Testing
---

Verified scenarios:
1. A user with ROLE_ADMIN able to see users which has USER_ROLE/ADMIN_ROLE.
2. A user with ROLE_KEYADMIN able to see users which has 
USER_ROLE/KEYADMIN_ROLE.
3. A user with role ROLE_USER able to see only himself.


Thanks,

Nitin Galave



Re: Review Request 62538: Good coding practice in Ranger recommended by static code analysis

2017-09-27 Thread Mehul Parikh

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62538/#review186396
---


Ship it!




Ship It!

- Mehul Parikh


On Sept. 26, 2017, 1:39 p.m., Fatima Khan wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62538/
> ---
> 
> (Updated Sept. 26, 2017, 1:39 p.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, 
> Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja 
> Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1806
> https://issues.apache.org/jira/browse/RANGER-1806
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Good coding practice in Ranger recommended by static code analysis on
> 1.RoleBasedUserSearchUtil.java
> 2.TestRoleBasedUserSearchUtil.java
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/patch/cliutil/RoleBasedUserSearchUtil.java 0459be6
>   security-admin/src/test/java/org/apache/ranger/patch/cliutil/TestRoleBasedUserSearchUtil.java 83eab7a
> 
> 
> Diff: https://reviews.apache.org/r/62538/diff/2/
> 
> 
> Testing
> ---
> 
> 1.Tested SSO Authentication
> 2.Junit test was successful
> 
> 
> Thanks,
> 
> Fatima Khan
> 
>



Re: Review Request 62520: Here is a error in getStatusResponse() when post data exception for AtlasClient class

2017-09-27 Thread Colm O hEigeartaigh

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62520/#review186395
---


Ship it!




Ship It!

- Colm O hEigeartaigh


On Sept. 27, 2017, 1:59 a.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62520/
> ---
> 
> (Updated Sept. 27, 2017, 1:59 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1802
> https://issues.apache.org/jira/browse/RANGER-1802
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Here is a error in getStatusResponse() when post data exception for 
> AtlasClient class
> {code}
> try {
>     statusResponse = webResource.type("application/x-www-form-urlencoded")
>             .post(ClientResponse.class, formData);
> } catch (Exception e) {
>     String msgDesc = "Unable to get a valid statusResponse for " + "expected mime type : ["
>             + EXPECTED_MIME_TYPE + "] URL : " + statusUrl + " - got null response.";
>     LOG.error(msgDesc);
> }
> {code}
> 
> should be
> 
> {code}
> try {
>     statusResponse = webResource.type("application/x-www-form-urlencoded")
>             .post(ClientResponse.class, formData);
> } catch (Exception e) {
>     String msgDesc = "Unable to get a valid statusResponse for "
>             + "expected mime type : [application/x-www-form-urlencoded] URL : "
>             + statusUrl + " - got null response.";
>     LOG.error(msgDesc);
> }
> {code}
> 
> 
> Diffs
> -
> 
>   plugin-atlas/src/main/java/org/apache/ranger/services/atlas/client/AtlasClient.java c10da79c
> 
> 
> Diff: https://reviews.apache.org/r/62520/diff/5/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> pengjianhua
> 
>



Re: Review Request 61021: RANGER-1672:Ranger supports plugin to enable, monitor and manage apache kylin

2017-09-27 Thread Colm O hEigeartaigh


> On Sept. 27, 2017, 9:33 a.m., pengjianhua wrote:
> > The https://issues.apache.org/jira/browse/KYLIN-2703 I submitted had been 
> > resolved. Our test experts have rigorously tested this issue. At the same 
> > time the Kyligence company which is Apache kylin's main contributor will 
> > soon use this feature.

When will Kylin 2.2.0 be released? If we merge a dependency on a SNAPSHOT 
version in Ranger, we can't release Ranger until Kylin is released. Do you have 
any documentation on how to set up a simple test-scenario?


- Colm


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61021/#review186391
---


On Sept. 27, 2017, 9:19 a.m., Qiang Zhang wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/61021/
> ---
> 
> (Updated Sept. 27, 2017, 9:19 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, pengjianhua, Ramesh Mani, 
> Selvamohan Neethiraj, sam  rome, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1672
> https://issues.apache.org/jira/browse/RANGER-1672
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ranger supports plugin to enable, monitor and manage apache kylin
> 
> 
> Diffs
> -
> 
>   agents-common/scripts/enable-agent.sh d31a264
>   agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java 9463ab8
>   agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java 58cdd35
>   agents-common/src/main/resources/service-defs/ranger-servicedef-kylin.json PRE-CREATION
>   plugin-kylin/.gitignore PRE-CREATION
>   plugin-kylin/conf/ranger-kylin-audit-changes.cfg PRE-CREATION
>   plugin-kylin/conf/ranger-kylin-audit.xml PRE-CREATION
>   plugin-kylin/conf/ranger-kylin-security-changes.cfg PRE-CREATION
>   plugin-kylin/conf/ranger-kylin-security.xml PRE-CREATION
>   plugin-kylin/conf/ranger-policymgr-ssl-changes.cfg PRE-CREATION
>   plugin-kylin/conf/ranger-policymgr-ssl.xml PRE-CREATION
>   plugin-kylin/pom.xml PRE-CREATION
>   plugin-kylin/scripts/install.properties PRE-CREATION
>   plugin-kylin/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java PRE-CREATION
>   plugin-kylin/src/main/java/org/apache/ranger/services/kylin/RangerServiceKylin.java PRE-CREATION
>   plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinClient.java PRE-CREATION
>   plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinResourceMgr.java PRE-CREATION
>   plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/json/model/KylinCubeResponse.java PRE-CREATION
>   plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/json/model/KylinProjectResponse.java PRE-CREATION
>   pom.xml 3958014
>   ranger-kylin-plugin-shim/.gitignore PRE-CREATION
>   ranger-kylin-plugin-shim/pom.xml PRE-CREATION
>   ranger-kylin-plugin-shim/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java PRE-CREATION
>   src/main/assembly/admin-web.xml 0e97818
>   src/main/assembly/plugin-kylin.xml PRE-CREATION
> 
> 
> Diff: https://reviews.apache.org/r/61021/diff/3/
> 
> 
> Testing
> ---
> 
> Tested
> 
> 
> Thanks,
> 
> Qiang Zhang
> 
>



Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.81.

2017-09-27 Thread bhavik patel


> On Sept. 22, 2017, 9:11 a.m., bhavik patel wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > 
> >
> > @pengjianhua : This change needs thorough testing of Ranger Admin as 
> > well as Ranger KMS in Simple,  Kerberos, SSL, KnoxSSO, KnoxProxy enabled 
> > environments.  
> > 
> > Also need to check all features on jdk 1.7 as well as 1.8. Also, 
> > at least one plugin communication needs to be verified. 
> > 
> > Can you please confirm: all these cases are tested before committing 
> > this patch. 
> > 
> > This is based on earlier experience of updating tomcat version.
> 
> pengjianhua wrote:
> Ok. We have a complete automated integration test environment for Ranger. 
> I had tested the functions of Ranger using our automated integration test 
> environment. The test results show that there is no problem. I will further 
> test the effect of this issue for ranger using our automated integration test 
> environment in tonight and tomorrow.
> 
> Qiang Zhang wrote:
> @bhavik patel: Do you have further suggestions? If not, I'll fix the 
> issue.

@Qiang Zhang: If Peng Jianhua can confirm that their integration test covered 
all the above scenario which I mentioned above (especially on SSL environment).


- bhavik


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review185959
---


On Sept. 22, 2017, 8:35 a.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> ---
> 
> (Updated Sept. 22, 2017, 8:35 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
> https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code 
> execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with 
> HTTP PUTs enabled, it was possible to upload a JSP file to the server via a 
> specially crafted request. This JSP could then be requested and any code it 
> contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 
> 7.0.80, it was possible to use a specially crafted request, bypass security 
> constraints, or get the source code of JSPs for resources served by the 
> VirtualDirContext, thereby caused code disclosure.
> 
> Scope
> CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two 
> vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> 
> 
> Diffs
> -
> 
>   pom.xml 3958014c 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/1/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> pengjianhua
> 
>



Re: Review Request 62437: RANGER-1779 : last resource gets duplicated during update policy if policy is created through public api rest call

2017-09-27 Thread Nikhil P

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62437/
---

(Updated Sept. 27, 2017, 3:41 p.m.)


Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay 
Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, 
Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-1779
https://issues.apache.org/jira/browse/RANGER-1779


Repository: ranger


Description
---

1) create a policy with multiple resource *,default using public api
2) go to ranger admin ui and update the policy without any change
3) again view the policy.
Issue:
default gets duplicated as resource in the policy.
and even new entry is added in resource map table for the last resource.


Diffs (updated)
-

  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 63fdf4f
  security-admin/src/main/java/org/apache/ranger/patch/PatchForNifiResourceUpdateExclude_J10008.java 634082c
  security-admin/src/main/java/org/apache/ranger/patch/PatchForNifiResourceUpdateExclude_J10011.java PRE-CREATION


Diff: https://reviews.apache.org/r/62437/diff/4/

Changes: https://reviews.apache.org/r/62437/diff/3-4/


Testing
---

1)Verified if same resource does not get duplicated during create and update 
policy.
2)Verified if resource duplication does not happen through public API and 
Public APIv2 as well.
3)Verified if policies are getting created with multiple distinct resource.


Thanks,

Nikhil P



Re: Review Request 62436: RANGER-1779 : last resource gets duplicated during update policy if policy is created through public api rest call

2017-09-27 Thread Nikhil P

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62436/
---

(Updated Sept. 27, 2017, 3:40 p.m.)


Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay 
Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, 
Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-1779
https://issues.apache.org/jira/browse/RANGER-1779


Repository: ranger


Description
---

1) create a policy with multiple resource *,default using public api
2) go to ranger admin ui and update the policy without any change
3) again view the policy.
Issue:
default gets duplicated as resource in the policy.
and even new entry is added in resource map table for the last resource.


Diffs (updated)
-

  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java da65074
  security-admin/src/main/java/org/apache/ranger/patch/PatchForNifiResourceUpdateExclude_J10008.java 634082c
  security-admin/src/main/java/org/apache/ranger/patch/PatchForNifiResourceUpdateExclude_J10011.java PRE-CREATION


Diff: https://reviews.apache.org/r/62436/diff/4/

Changes: https://reviews.apache.org/r/62436/diff/3-4/


Testing
---

1)Verified if same resource does not get duplicated during create and update 
policy.
2)Verified if resource duplication does not happen through public API and 
Public APIv2 as well.
3)Verified if policies are getting created with multiple distinct resource.


Thanks,

Nikhil P



Re: Review Request 61021: RANGER-1672:Ranger supports plugin to enable, monitor and manage apache kylin

2017-09-27 Thread pengjianhua

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61021/#review186391
---


Ship it!




The https://issues.apache.org/jira/browse/KYLIN-2703 I submitted had been 
resolved. Our test experts have rigorously tested this issue. At the same time 
the Kyligence company which is Apache kylin's main contributor will soon use 
this feature.

- pengjianhua


On Sept. 27, 2017, 9:19 a.m., Qiang Zhang wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/61021/
> ---
> 
> (Updated Sept. 27, 2017, 9:19 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, pengjianhua, Ramesh Mani, 
> Selvamohan Neethiraj, sam  rome, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1672
> https://issues.apache.org/jira/browse/RANGER-1672
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ranger supports plugin to enable, monitor and manage apache kylin
> 
> 
> Diffs
> -
> 
>   agents-common/scripts/enable-agent.sh d31a264
>   agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java 9463ab8
>   agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java 58cdd35
>   agents-common/src/main/resources/service-defs/ranger-servicedef-kylin.json PRE-CREATION
>   plugin-kylin/.gitignore PRE-CREATION
>   plugin-kylin/conf/ranger-kylin-audit-changes.cfg PRE-CREATION
>   plugin-kylin/conf/ranger-kylin-audit.xml PRE-CREATION
>   plugin-kylin/conf/ranger-kylin-security-changes.cfg PRE-CREATION
>   plugin-kylin/conf/ranger-kylin-security.xml PRE-CREATION
>   plugin-kylin/conf/ranger-policymgr-ssl-changes.cfg PRE-CREATION
>   plugin-kylin/conf/ranger-policymgr-ssl.xml PRE-CREATION
>   plugin-kylin/pom.xml PRE-CREATION
>   plugin-kylin/scripts/install.properties PRE-CREATION
>   plugin-kylin/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java PRE-CREATION
>   plugin-kylin/src/main/java/org/apache/ranger/services/kylin/RangerServiceKylin.java PRE-CREATION
>   plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinClient.java PRE-CREATION
>   plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinResourceMgr.java PRE-CREATION
>   plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/json/model/KylinCubeResponse.java PRE-CREATION
>   plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/json/model/KylinProjectResponse.java PRE-CREATION
>   pom.xml 3958014
>   ranger-kylin-plugin-shim/.gitignore PRE-CREATION
>   ranger-kylin-plugin-shim/pom.xml PRE-CREATION
>   ranger-kylin-plugin-shim/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java PRE-CREATION
>   src/main/assembly/admin-web.xml 0e97818
>   src/main/assembly/plugin-kylin.xml PRE-CREATION
> 
> 
> Diff: https://reviews.apache.org/r/61021/diff/3/
> 
> 
> Testing
> ---
> 
> Tested
> 
> 
> Thanks,
> 
> Qiang Zhang
> 
>



Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.81.

2017-09-27 Thread Qiang Zhang


> On Sept. 22, 2017, 9:11 a.m., bhavik patel wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > 
> >
> > @pengjianhua : This change needs thorough testing of Ranger Admin as 
> > well as Ranger KMS in Simple,  Kerberos, SSL, KnoxSSO, KnoxProxy enabled 
> > environments.  
> > 
> > Also need to check all features on jdk 1.7 as well as 1.8. Also, 
> > at least one plugin communication needs to be verified. 
> > 
> > Can you please confirm: all these cases are tested before committing 
> > this patch. 
> > 
> > This is based on earlier experience of updating tomcat version.
> 
> pengjianhua wrote:
> Ok. We have a complete automated integration test environment for Ranger. 
> I had tested the functions of Ranger using our automated integration test 
> environment. The test results show that there is no problem. I will further 
> test the effect of this issue for ranger using our automated integration test 
> environment in tonight and tomorrow.

@bhavik patel: Do you have further suggestions? If not, I'll fix the issue.


- Qiang


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review185959
---


On Sept. 22, 2017, 8:35 a.m., pengjianhua wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> ---
> 
> (Updated Sept. 22, 2017, 8:35 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan 
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
> https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code 
> execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with 
> HTTP PUTs enabled, it was possible to upload a JSP file to the server via a 
> specially crafted request. This JSP could then be requested and any code it 
> contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 
> 7.0.80, it was possible to use a specially crafted request, bypass security 
> constraints, or get the source code of JSPs for resources served by the 
> VirtualDirContext, thereby caused code disclosure.
> 
> Scope
> CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two 
> vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> 
> 
> Diffs
> -
> 
>   pom.xml 3958014c 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/1/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> pengjianhua
> 
>



Re: Re: Fw: Regarding upgrading of Tomcat [SECURITY] Apache Tomcat Possible additional RCE via JSP upload

2017-09-27 Thread peng.jianhua
My test result shows that there is no problem.  We will fix the issue.

Thanks

Jianhua Peng


From: Jianhua Peng
To:
Cc:
Date: 2017-09-27 14:42
Subject: Re: Fw: Regarding upgrading of Tomcat [SECURITY] Apache Tomcat Possible additional RCE via JSP upload

I am further testing and evaluating the effect of RANGER-1797 for ranger using
our automated integration test environment. If you have a better opinion, please
also feed it back to me.

Thanks

Jianhua Peng


From:
To:
Date: 2017-09-27 13:57
Subject: Fw: Regarding upgrading of Tomcat [SECURITY] Apache Tomcat Possible additional RCE via JSP upload

Hi All, FYI, please find below mail from Mark, a member of the Apache Tomcat
security team.
Looks like Tomcat team is working on fixing the CVE issues.
For the same issue RANGER-1797 is created (to upgrade to Tomcat 7.0.81,
which also seems to be vulnerable); can we please evaluate the risks of
updating Tomcat version.

Thanks
Vishal Suvagia.
---


On Wednesday, 20 September 2017 2:41 PM, Mark Thomas wrote:


All,

Following the announcement of CVE-2017-12615 [1], the Apache Tomcat
Security Team has received multiple reports that a similar vulnerability
exists in all current Tomcat versions and affects all operating systems.

Unfortunately, one of these reports was made via the public bug tracker
[2] rather than responsibly via the Tomcat Security Team's private
mailing list [3].

We have not yet completed our investigation of these reports but, based
on the volume, and our initial investigation they appear to be valid.

From an initial analysis of the reports received, the vulnerability only
affects the following configurations:

Default Servlet
- Default Servlet configured with readonly="false"
  AND
- Untrusted users are permitted to perform HTTP PUT requests

WebDAV Servlet
- WebDAV Servlet configured with readonly="false"
  AND
- Untrusted users are permitted to perform HTTP PUT requests
  AND
- The documented advice not to map the WebDAV servlet as the Default
  servlet has been ignored

Please note that:
 - The WebDAV servlet is disabled by default
 - The default value for the readonly parameter is true for both the
  Default servlet and the WebDAV servlet

Therefore, a default Tomcat installation is not affected by this
potential vulnerability.

Based on our understanding to date, the potential vulnerability may be
mitigated by any of the following:
- setting readonly to true for the Default servlet and WebDAV servlet
- blocking HTTP methods that permit resource modification for untrusted
  users

We will provide updates to the community as our investigation of these
reports continues.

Mark
on behalf of the Apache Tomcat Security Team


[1] http://markmail.org/message/xqfchebiy6fjmvjz
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
[3] http://tomcat.apache.org/security.html
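
As an added example (not part of the thread, and not Tomcat or Ranger code), the affected configurations listed in the advisory above can be checked for in a deployment descriptor. The function names and the sample `web.xml` are constructed for illustration; the check covers only the `readonly` setting and a WebDAV servlet mapped as the default servlet, not whether untrusted users can send PUT requests.

```python
import xml.etree.ElementTree as ET
# Tomcat servlet classes that honour the "readonly" init-param.
SERVLETS = {
    "org.apache.catalina.servlets.DefaultServlet": "Default",
    "org.apache.catalina.servlets.WebdavServlet": "WebDAV",
}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def _text(elem, name):
    for child in elem:  # text of the first direct child called `name`
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_web_xml(xml_text):
    """Flag the preconditions from the advisory; hypothetical helper."""
    root = ET.fromstring(xml_text)
    findings, kinds = [], {}
    for servlet in (e for e in root if _local(e.tag) == "servlet"):
        kind = SERVLETS.get(_text(servlet, "servlet-class"))
        if kind is None:
            continue
        name = _text(servlet, "servlet-name")
        kinds[name] = kind
        readonly = "true"  # Tomcat's default when the init-param is absent
        for param in (e for e in servlet if _local(e.tag) == "init-param"):
            if _text(param, "param-name") == "readonly":
                readonly = (_text(param, "param-value") or "").lower()
        if readonly != "true":
            findings.append(f"{kind} servlet '{name}' has readonly={readonly}")
    for mapping in (e for e in root if _local(e.tag) == "servlet-mapping"):
        name = _text(mapping, "servlet-name")
        patterns = [(c.text or "").strip() for c in mapping if _local(c.tag) == "url-pattern"]
        if kinds.get(name) == "WebDAV" and "/" in patterns:
            findings.append(f"WebDAV servlet '{name}' is mapped as the default servlet")
    return findings

# Constructed sample descriptor, not taken from Ranger or any real deployment.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
 <servlet><servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
 </servlet>
 <servlet><servlet-name>dav</servlet-name>
  <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class></servlet>
 <servlet-mapping><servlet-name>dav</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>"""
```

Calling `audit_web_xml(SAMPLE)` returns two findings; a descriptor that omits `readonly` or sets it to `true`, and keeps WebDAV off the `/` mapping, returns an empty list.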