[jira] [Created] (RANGER-2010) Ranger Tagsync should use cookie based authentication for subsequent requests to Ranger admin
Nikhil Purbhe created RANGER-2010: - Summary: Ranger Tagsync should use cookie based authentication for subsequent requests to Ranger admin Key: RANGER-2010 URL: https://issues.apache.org/jira/browse/RANGER-2010 Project: Ranger Issue Type: Improvement Components: Ranger, tagsync Reporter: Nikhil Purbhe Assignee: Nikhil Purbhe Fix For: master Ranger Tagsync should use cookie based authentication for subsequent requests to Ranger admin. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
Review Request 65914: Ranger 1948 : Support for Read-only Ranger Admin users
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/65914/ --- Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, and Sailaja Polavarapu. Bugs: Ranger-1948 https://issues.apache.org/jira/browse/Ranger-1948 Repository: ranger Description --- This Jira is to cater to need of Auditor roles in Ranger Admin. We can introduce Auditor Roles for both the Administrator Roles in Ranger Admin. * Auditor (Readonly privileges from current Admin role user ) * KMS Auditor (Readonly privileges from current Keydmin role user ) Diffs - security-admin/scripts/rolebasedusersearchutil.py d651461 security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java 15937c7 security-admin/src/main/java/org/apache/ranger/biz/AssetMgrBase.java 840bb38 security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java 03bcb60 security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 224f1a0 security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java ecde444 security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java a989c84 security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java 9eb8f1f security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java 8341a73 security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java a110035 security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java c2fac0b security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b713d12 security-admin/src/main/java/org/apache/ranger/common/RangerConstants.java e31e9d7 security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java 0e99be1 security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java bcf9080 security-admin/src/main/java/org/apache/ranger/patch/cliutil/RoleBasedUserSearchUtil.java d3a28f7 security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java 9f7cd26 security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java cb7ca52 security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java 9c19bb0 security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 9a9604f security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java 6951cbd security-admin/src/main/java/org/apache/ranger/service/XTrxLogService.java 4227d85 security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 87da9a0 unixauthservice/scripts/install.properties 88bce69 Diff: https://reviews.apache.org/r/65914/diff/1/ Testing --- Tested scenario's: 1.Tested admin user is able to create User role user. 2.Tested admin user is able to create Auditor role user. 3.Tested admin user is not able to create kms auditor role user. 4.Tested keyadmin user is able to create kms auditor. 5.Tested auditor is able to only view policies, users, services and audits. 6.Tested kms auditor is able to only view policies, users, services, audits and keys. 7.Tested auditor is able to see permission tab but kms auditor should not see permission tab. 8.Auditor role users are not allowed to import/export policies 9.Verified syncing of users from auditor role :: if we add them in properties install.properties of usersync during initial start of usersync.Property value in install.properties will be GROUP_BASED_ROLE_ASSIGNMENT_RULES= &ROLE_ADMIN_AUDITOR:u:userName&ROLE_KEY_ADMIN_AUDITOR:u:userName&ROLE_KEY_ADMIN_AUDITOR:g:groupName&ROLE_ADMIN_AUDITOR:g:groupName Thanks, Fatima Khan
[jira] [Assigned] (RANGER-2009) HDFS resource delegation improvement
[ https://issues.apache.org/jira/browse/RANGER-2009?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Nikhil Purbhe reassigned RANGER-2009: - Assignee: Nikhil Purbhe > HDFS resource delegation improvement > > > Key: RANGER-2009 > URL: https://issues.apache.org/jira/browse/RANGER-2009 > Project: Ranger > Issue Type: Bug > Components: Ranger >Reporter: Nikhil Purbhe >Assignee: Nikhil Purbhe >Priority: Major > Fix For: master > > > HDFS resource delegation improvement. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (RANGER-1948) Support for Read-only Ranger Admin users
[ https://issues.apache.org/jira/browse/RANGER-1948?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Fatima Amjad Khan updated RANGER-1948: -- Attachment: 0001-RANGER-1948-Support-for-Read-only-Ranger-Admin-users.patch > Support for Read-only Ranger Admin users > > > Key: RANGER-1948 > URL: https://issues.apache.org/jira/browse/RANGER-1948 > Project: Ranger > Issue Type: Bug > Components: Ranger >Affects Versions: master >Reporter: Fatima Amjad Khan >Assignee: Fatima Amjad Khan >Priority: Major > Fix For: master > > Attachments: > 0001-RANGER-1948-Support-for-Read-only-Ranger-Admin-users.patch, > RANGER-1948_v1.patch, [UI]RANGER-1948.patch > > > This JIRA is to cater to need of Auditor roles in Ranger Admin. > We can introduce Auditor Roles for both the Administrator Roles in Ranger > Admin. > * Auditor (Readonly privileges from current Admin role user ) > * KMS Auditor (Readonly privileges from current Keydmin role user ) -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (RANGER-1948) Support for Read-only Ranger Admin users
[ https://issues.apache.org/jira/browse/RANGER-1948?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Fatima Amjad Khan updated RANGER-1948: -- Attachment: (was: 0001-RANGER-1998-Add-ability-to-specify-passwords-for-adm.patch) > Support for Read-only Ranger Admin users > > > Key: RANGER-1948 > URL: https://issues.apache.org/jira/browse/RANGER-1948 > Project: Ranger > Issue Type: Bug > Components: Ranger >Affects Versions: master >Reporter: Fatima Amjad Khan >Assignee: Fatima Amjad Khan >Priority: Major > Fix For: master > > Attachments: > 0001-RANGER-1948-Support-for-Read-only-Ranger-Admin-users.patch, > RANGER-1948_v1.patch, [UI]RANGER-1948.patch > > > This JIRA is to cater to need of Auditor roles in Ranger Admin. > We can introduce Auditor Roles for both the Administrator Roles in Ranger > Admin. > * Auditor (Readonly privileges from current Admin role user ) > * KMS Auditor (Readonly privileges from current Keydmin role user ) -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (RANGER-1948) Support for Read-only Ranger Admin users
[ https://issues.apache.org/jira/browse/RANGER-1948?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Fatima Amjad Khan updated RANGER-1948: -- Attachment: 0001-RANGER-1998-Add-ability-to-specify-passwords-for-adm.patch > Support for Read-only Ranger Admin users > > > Key: RANGER-1948 > URL: https://issues.apache.org/jira/browse/RANGER-1948 > Project: Ranger > Issue Type: Bug > Components: Ranger >Affects Versions: master >Reporter: Fatima Amjad Khan >Assignee: Fatima Amjad Khan >Priority: Major > Fix For: master > > Attachments: > 0001-RANGER-1998-Add-ability-to-specify-passwords-for-adm.patch, > RANGER-1948_v1.patch, [UI]RANGER-1948.patch > > > This JIRA is to cater to need of Auditor roles in Ranger Admin. > We can introduce Auditor Roles for both the Administrator Roles in Ranger > Admin. > * Auditor (Readonly privileges from current Admin role user ) > * KMS Auditor (Readonly privileges from current Keydmin role user ) -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Created] (RANGER-2009) HDFS resource delegation improvement
Nikhil Purbhe created RANGER-2009: - Summary: HDFS resource delegation improvement Key: RANGER-2009 URL: https://issues.apache.org/jira/browse/RANGER-2009 Project: Ranger Issue Type: Bug Components: Ranger Reporter: Nikhil Purbhe Fix For: master HDFS resource delegation improvement. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
Re: Review Request 65901: RANGER-1948: Support for Read-only Ranger Admin users (Ranger UI changes)
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/65901/ --- (Updated March 6, 2018, 6:34 a.m.) Review request for ranger, Fatima Khan, Gautam Borad, Mehul Parikh, and Velmurugan Periasamy. Bugs: RANGER-1948 https://issues.apache.org/jira/browse/RANGER-1948 Repository: ranger Description --- This JIRA is to cater to need of Auditor roles in Ranger Admin. We can introduce Auditor Roles for both the Administrator Roles in Ranger Admin. Auditor (Readonly privileges from current Admin role user ) KMS Auditor (Readonly privileges from current Keydmin role user ) Diffs - security-admin/src/main/webapp/scripts/controllers/Controller.js 2be915f security-admin/src/main/webapp/scripts/mgrs/SessionMgr.js e7a3856 security-admin/src/main/webapp/scripts/modules/globalize/message/en.js ef75e36 security-admin/src/main/webapp/scripts/utils/XAEnums.js 0e0958d security-admin/src/main/webapp/scripts/utils/XAUtils.js 4fe7263 security-admin/src/main/webapp/scripts/views/common/TopNav.js aba71ef security-admin/src/main/webapp/scripts/views/kms/KMSTableLayout.js 2749cea security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionForm.js d9c522c security-admin/src/main/webapp/scripts/views/permissions/ModulePermsTableLayout.js b46d526 security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js 618207d security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 7aab1e2 security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js c8fc050 security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js e0470cf security-admin/src/main/webapp/scripts/views/service/RangerServiceViewDetail.js PRE-CREATION security-admin/src/main/webapp/scripts/views/user/UserProfileForm.js d545a05 security-admin/src/main/webapp/scripts/views/users/GroupCreate.js b73f755 security-admin/src/main/webapp/scripts/views/users/UserCreate.js b8c5894 security-admin/src/main/webapp/scripts/views/users/UserForm.js bd3730b security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 9febd99 security-admin/src/main/webapp/styles/xa.css 919e825 security-admin/src/main/webapp/templates/common/TopNav_tmpl.html d2ff968 security-admin/src/main/webapp/templates/helpers/XAHelpers.js f8479e4 security-admin/src/main/webapp/templates/kms/KmsTableLayout_tmpl.html 8107148 security-admin/src/main/webapp/templates/permissions/ModulePermsTableLayout_tmpl.html 52b36a1 security-admin/src/main/webapp/templates/policies/RangerPolicyTableLayout_tmpl.html c49dc32 security-admin/src/main/webapp/templates/reports/UserAccessLayout_tmpl.html e185742 security-admin/src/main/webapp/templates/service/RangerServiceViewDetail_tmpl.html PRE-CREATION security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html b7d4967 Diff: https://reviews.apache.org/r/65901/diff/1/ Testing (updated) --- Tested scenario's: 1.Admin user is able to create User role user. 2.Admin user is able to create Auditor role user. 3.Admin user is not able to create kms auditor role user. 4.Keyadmin user is able to create kms auditor. 5.Auditor is able to only view policies, users, services and audits. 6.Kms auditor is able to only view policies, users, services, audits and keys. 7.Auditor is able to see permission tab but kms auditor should not see permission tab. Thanks, Nitin Galave
[jira] [Created] (RANGER-2008) Policy evaluation is failing for multiline policy conditions.
Nitin Galave created RANGER-2008: Summary: Policy evaluation is failing for multiline policy conditions. Key: RANGER-2008 URL: https://issues.apache.org/jira/browse/RANGER-2008 Project: Ranger Issue Type: Bug Components: Ranger Reporter: Nitin Galave Assignee: Nitin Galave Fix For: 1.0.0 Policy evaluation is failing for multi-line policy conditions. To Reproduce : Create tag-based policy with multi-line policy condition and also policy condition should contain *comma* in it. eg ctx.getAttributeValue("DATA_ATR", "name").equals("data_val"); Expression entered in policy-condition is broken into 2 values as follow: {code:java} "conditions": [ { "type": "expression", "values": [ "ctx.getAttributeValue(\u0027DATA_ATR\u0027", " \u0027name\u0027).equals(\u0027data_val\u0027)" ] } ],{code} -- This message was sent by Atlassian JIRA (v7.6.3#76005)
Review Request 65901: RANGER-1948: Support for Read-only Ranger Admin users (Ranger UI changes)
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/65901/ --- Review request for ranger, Fatima Khan, Gautam Borad, Mehul Parikh, and Velmurugan Periasamy. Bugs: RANGER-1948 https://issues.apache.org/jira/browse/RANGER-1948 Repository: ranger Description --- This JIRA is to cater to need of Auditor roles in Ranger Admin. We can introduce Auditor Roles for both the Administrator Roles in Ranger Admin. Auditor (Readonly privileges from current Admin role user ) KMS Auditor (Readonly privileges from current Keydmin role user ) Diffs - security-admin/src/main/webapp/scripts/controllers/Controller.js 2be915f security-admin/src/main/webapp/scripts/mgrs/SessionMgr.js e7a3856 security-admin/src/main/webapp/scripts/modules/globalize/message/en.js ef75e36 security-admin/src/main/webapp/scripts/utils/XAEnums.js 0e0958d security-admin/src/main/webapp/scripts/utils/XAUtils.js 4fe7263 security-admin/src/main/webapp/scripts/views/common/TopNav.js aba71ef security-admin/src/main/webapp/scripts/views/kms/KMSTableLayout.js 2749cea security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionForm.js d9c522c security-admin/src/main/webapp/scripts/views/permissions/ModulePermsTableLayout.js b46d526 security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js 618207d security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 7aab1e2 security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js c8fc050 security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js e0470cf security-admin/src/main/webapp/scripts/views/service/RangerServiceViewDetail.js PRE-CREATION security-admin/src/main/webapp/scripts/views/user/UserProfileForm.js d545a05 security-admin/src/main/webapp/scripts/views/users/GroupCreate.js b73f755 security-admin/src/main/webapp/scripts/views/users/UserCreate.js b8c5894 security-admin/src/main/webapp/scripts/views/users/UserForm.js bd3730b security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 9febd99 security-admin/src/main/webapp/styles/xa.css 919e825 security-admin/src/main/webapp/templates/common/TopNav_tmpl.html d2ff968 security-admin/src/main/webapp/templates/helpers/XAHelpers.js f8479e4 security-admin/src/main/webapp/templates/kms/KmsTableLayout_tmpl.html 8107148 security-admin/src/main/webapp/templates/permissions/ModulePermsTableLayout_tmpl.html 52b36a1 security-admin/src/main/webapp/templates/policies/RangerPolicyTableLayout_tmpl.html c49dc32 security-admin/src/main/webapp/templates/reports/UserAccessLayout_tmpl.html e185742 security-admin/src/main/webapp/templates/service/RangerServiceViewDetail_tmpl.html PRE-CREATION security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html b7d4967 Diff: https://reviews.apache.org/r/65901/diff/1/ Testing --- Tested scenario's: 1.Admin user is able to create User role user. 2.Admin user is able to create Auditor role user. 3.Admin user is not able to create kms auditor role user. 4.Keyadmin user is able to create kms auditor. 5.Auditor is able to only view policies, users, services and audits. 6.Kms auditor is able to only view policies, users, services, audits and keys. 7.Auditor and kms auditor is not able to see permission tab. Thanks, Nitin Galave
Re: Review Request 61021: RANGER-1672:Ranger supports plugin to enable, monitor and manage apache kylin
> On 三月 5, 2018, 11:35 a.m., Colm O hEigeartaigh wrote: > > Could you put together some instructions as to how to test this with a > > sample deployment? Please refer the following docs and steps: 1. Kylin Installation Guide: http://kylin.apache.org/docs23/install/index.html 2.Kylin Enable LDAP authentication: http://kylin.apache.org/docs23/howto/howto_ldap_and_sso.html 3.Kylin Project Level ACL: http://kylin.apache.org/docs23/tutorial/project_level_acl.html 4.Ranger Kylin Plugin Installation Guide: https://cwiki.apache.org/confluence/display/RANGER/Kylin+Plugin 5.Create Kylin Service in RangerAdmin Web UI: Service Name : kylindev Username : user1 Password : yourPassword Kylin URL: http://IP:7070 Configure the administrator user "user1" in LDAP for Kylin and click Test Connection success. 6.Create Kylin Policy in kylindev for Kylin user "user2": Policy Name : access2LearnKylin Kylin Project : learn_kylin Select User : user2 Permissions : QUERY OPERATION MANAGEMENT ADMIN Configure the non-administrator user "user2" in LDAP for Kylin, User "user2" login Kylin WebUI could access to Kylin project "learn_kylin", and do some actions on cubes of project "learn_kylin" with different permissions. 7.Delete Kylin Policy "access2LearnKylin", then user "user2" could not access to project "learn_kylin" in Kylin WebUI. - Qiang --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/61021/#review198621 --- On 三月 5, 2018, 8:23 a.m., Qiang Zhang wrote: > > --- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/61021/ > --- > > (Updated 三月 5, 2018, 8:23 a.m.) > > > Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O > hEigeartaigh, Gautam Borad, Madhan Neethiraj, pengjianhua, Ramesh Mani, > Selvamohan Neethiraj, sam rome, and Velmurugan Periasamy. > > > Bugs: RANGER-1672 > https://issues.apache.org/jira/browse/RANGER-1672 > > > Repository: ranger > > > Description > --- > > Ranger supports plugin to enable, monitor and manage apache kylin > > > Diffs > - > > agents-common/scripts/enable-agent.sh 7033f79 > > agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java > 899bcac > > agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java > 6ba42d4 > agents-common/src/main/resources/service-defs/ranger-servicedef-kylin.json > PRE-CREATION > plugin-kylin/.gitignore PRE-CREATION > plugin-kylin/conf/ranger-kylin-audit-changes.cfg PRE-CREATION > plugin-kylin/conf/ranger-kylin-audit.xml PRE-CREATION > plugin-kylin/conf/ranger-kylin-security-changes.cfg PRE-CREATION > plugin-kylin/conf/ranger-kylin-security.xml PRE-CREATION > plugin-kylin/conf/ranger-policymgr-ssl-changes.cfg PRE-CREATION > plugin-kylin/conf/ranger-policymgr-ssl.xml PRE-CREATION > plugin-kylin/pom.xml PRE-CREATION > plugin-kylin/scripts/install.properties PRE-CREATION > > plugin-kylin/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java > PRE-CREATION > > plugin-kylin/src/main/java/org/apache/ranger/services/kylin/RangerServiceKylin.java > PRE-CREATION > > plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinClient.java > PRE-CREATION > > plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinResourceMgr.java > PRE-CREATION > > plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/json/model/KylinProjectResponse.java > PRE-CREATION > pom.xml 08593aa > ranger-kylin-plugin-shim/.gitignore PRE-CREATION > ranger-kylin-plugin-shim/pom.xml PRE-CREATION > > ranger-kylin-plugin-shim/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java > PRE-CREATION > src/main/assembly/admin-web.xml 29d728a > src/main/assembly/plugin-kylin.xml PRE-CREATION > > > Diff: https://reviews.apache.org/r/61021/diff/4/ > > > Testing > --- > > Tested > > > Thanks, > > Qiang Zhang > >
[jira] [Updated] (RANGER-2007) ranger-tagsync's Kerberos ticket fails to renew
[ https://issues.apache.org/jira/browse/RANGER-2007?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Abhay Kulkarni updated RANGER-2007: --- Fix Version/s: master > ranger-tagsync's Kerberos ticket fails to renew > --- > > Key: RANGER-2007 > URL: https://issues.apache.org/jira/browse/RANGER-2007 > Project: Ranger > Issue Type: Bug > Components: tagsync >Affects Versions: master >Reporter: Abhay Kulkarni >Assignee: Abhay Kulkarni >Priority: Major > Fix For: 1.0.0, master > > > Tagsync fails to upload tags to Ranger admin if ranger-tagsync process is > running for long time, due to failure to renew expired Kerberos ticket. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Comment Edited] (RANGER-2007) ranger-tagsync's Kerberos ticket fails to renew
[ https://issues.apache.org/jira/browse/RANGER-2007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16387109#comment-16387109 ] Abhay Kulkarni edited comment on RANGER-2007 at 3/6/18 2:07 AM: Commit details: master - [https://git-wip-us.apache.org/repos/asf?p=ranger.git;a=commit;h=f96a9276f1b3ed920735e550a5c1cfe5cf560fe7] ranger-1.0 https://git-wip-us.apache.org/repos/asf?p=ranger.git;a=commit;h=5439720fd909ec6c78bbc72e7ae743bdcebbd097 was (Author: abhayk): Commit details: master - https://git-wip-us.apache.org/repos/asf?p=ranger.git;a=commit;h=f96a9276f1b3ed920735e550a5c1cfe5cf560fe7 > ranger-tagsync's Kerberos ticket fails to renew > --- > > Key: RANGER-2007 > URL: https://issues.apache.org/jira/browse/RANGER-2007 > Project: Ranger > Issue Type: Bug > Components: tagsync >Affects Versions: master >Reporter: Abhay Kulkarni >Assignee: Abhay Kulkarni >Priority: Major > Fix For: 1.0.0, master > > > Tagsync fails to upload tags to Ranger admin if ranger-tagsync process is > running for long time, due to failure to renew expired Kerberos ticket. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
Review Request 65910: RANGER-2006: Fix problems detected by static code analysis in ranger usersync for ldap sync source
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/65910/ --- Review request for ranger, Ankita Sinha, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy. Bugs: RANGER-2006 https://issues.apache.org/jira/browse/RANGER-2006 Repository: ranger Description --- In order to prevent LDAP injection, added code to escape special characters in the ldap search filter that is dynamically generated for retriving nested groups. Diffs - ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapDeltaUserGroupBuilder.java 2852b320 ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java 6b2648d9 ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java 45eeb1bc Diff: https://reviews.apache.org/r/65910/diff/1/ Testing --- 1. Successfully ran all the existing unit tests 2. Ran some functional tests with Incremental sync and nested groups with Active directory. Thanks, Sailaja Polavarapu
Re: Review Request 65909: ranger-tagsync's Kerberos ticket fails to renew
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/65909/#review198665 --- Ship it! Ship It! - Ramesh Mani On March 5, 2018, 11:54 p.m., Abhay Kulkarni wrote: > > --- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/65909/ > --- > > (Updated March 5, 2018, 11:54 p.m.) > > > Review request for ranger, Madhan Neethiraj, Ramesh Mani, and Velmurugan > Periasamy. > > > Bugs: RANGER-2007 > https://issues.apache.org/jira/browse/RANGER-2007 > > > Repository: ranger > > > Description > --- > > Tagsync fails to upload tags to Ranger admin if ranger-tagsync process is > running for long time, due to failure to renew expired Kerberos ticket. > > > Diffs > - > > > tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java > 45997e408 > > > Diff: https://reviews.apache.org/r/65909/diff/1/ > > > Testing > --- > > Tested with a long running, kerberized cluster > > > Thanks, > > Abhay Kulkarni > >
Review Request 65909: ranger-tagsync's Kerberos ticket fails to renew
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/65909/ --- Review request for ranger, Madhan Neethiraj, Ramesh Mani, and Velmurugan Periasamy. Bugs: RANGER-2007 https://issues.apache.org/jira/browse/RANGER-2007 Repository: ranger Description --- Tagsync fails to upload tags to Ranger admin if ranger-tagsync process is running for long time, due to failure to renew expired Kerberos ticket. Diffs - tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java 45997e408 Diff: https://reviews.apache.org/r/65909/diff/1/ Testing --- Tested with a long running, kerberized cluster Thanks, Abhay Kulkarni
[jira] [Updated] (RANGER-2007) ranger-tagsync's Kerberos ticket fails to renew
[ https://issues.apache.org/jira/browse/RANGER-2007?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Abhay Kulkarni updated RANGER-2007: --- Description: Tagsync fails to upload tags to Ranger admin if ranger-tagsync process is running for long time, due to failure to renew expired Kerberos ticket. (was: Tagsync failes to upload tags to Ranger admin if ranger-tagsync process is running for long time, due to failure to renew expired Kerberos ticket.) > ranger-tagsync's Kerberos ticket fails to renew > --- > > Key: RANGER-2007 > URL: https://issues.apache.org/jira/browse/RANGER-2007 > Project: Ranger > Issue Type: Bug > Components: tagsync >Affects Versions: master >Reporter: Abhay Kulkarni >Assignee: Abhay Kulkarni >Priority: Major > Fix For: 1.0.0 > > > Tagsync fails to upload tags to Ranger admin if ranger-tagsync process is > running for long time, due to failure to renew expired Kerberos ticket. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Created] (RANGER-2007) ranger-tagsync's Kerberos ticket fails to renew
Abhay Kulkarni created RANGER-2007: -- Summary: ranger-tagsync's Kerberos ticket fails to renew Key: RANGER-2007 URL: https://issues.apache.org/jira/browse/RANGER-2007 Project: Ranger Issue Type: Bug Components: tagsync Affects Versions: master Reporter: Abhay Kulkarni Fix For: 1.0.0 Tagsync failes to upload tags to Ranger admin if ranger-tagsync process is running for long time, due to failure to renew expired Kerberos ticket. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Assigned] (RANGER-2007) ranger-tagsync's Kerberos ticket fails to renew
[ https://issues.apache.org/jira/browse/RANGER-2007?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Abhay Kulkarni reassigned RANGER-2007: -- Assignee: Abhay Kulkarni > ranger-tagsync's Kerberos ticket fails to renew > --- > > Key: RANGER-2007 > URL: https://issues.apache.org/jira/browse/RANGER-2007 > Project: Ranger > Issue Type: Bug > Components: tagsync >Affects Versions: master >Reporter: Abhay Kulkarni >Assignee: Abhay Kulkarni >Priority: Major > Fix For: 1.0.0 > > > Tagsync failes to upload tags to Ranger admin if ranger-tagsync process is > running for long time, due to failure to renew expired Kerberos ticket. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
Re: Review Request 65739: RANGER-1985: Auditing for Ranger usersync operations
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/65739/#review198659 --- Ship it! Ship It! - Velmurugan Periasamy On March 5, 2018, 7:14 p.m., Sailaja Polavarapu wrote: > > --- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/65739/ > --- > > (Updated March 5, 2018, 7:14 p.m.) > > > Review request for ranger, Ankita Sinha, Gautam Borad, Abhay Kulkarni, Madhan > Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja > Polavarapu, and Velmurugan Periasamy. > > > Bugs: RANGER-1985 > https://issues.apache.org/jira/browse/RANGER-1985 > > > Repository: ranger > > > Description > --- > > Added code to support auditing for Ranger Usersync operations. This includes > auditing for all the sync sources (unix, file, and LDAP/AD) for every sync > interval. Also includes Rest API for showing these audits in Ranger UI. > > > Diffs > - > > security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 9e8fcadf > > security-admin/db/mysql/patches/031-create-schema-for-usersync-audit-info.sql > PRE-CREATION > security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql > 55d44a11 > > security-admin/db/oracle/patches/031-create-schema-for-usersync-audit-info.sql > PRE-CREATION > security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql > ef9ece7c > > security-admin/db/postgres/patches/031-create-schema-for-usersync-audit-info.sql > PRE-CREATION > > security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql > c98d3627 > > security-admin/db/sqlanywhere/patches/031-create-schema-for-usersync-audit-info.sql > PRE-CREATION > security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql > 61e81a0a > > security-admin/db/sqlserver/patches/031-create-schema-for-usersync-audit-info.sql > PRE-CREATION > security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java 034053d2 > security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 71298a41 > security-admin/src/main/java/org/apache/ranger/common/AppConstants.java > 4a02e26b > security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java > d61cbc7b > security-admin/src/main/java/org/apache/ranger/db/XXUgsyncAuditInfoDao.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/entity/XXUgsyncAuditInfo.java > PRE-CREATION > security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java 3c274e3f > security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java a07c243a > > security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java > 460c7fda > > security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoServiceBase.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/view/VXFileSyncSourceInfo.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/view/VXLdapSyncSourceInfo.java > PRE-CREATION > security-admin/src/main/java/org/apache/ranger/view/VXUgsyncAuditInfo.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/view/VXUgsyncAuditInfoList.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/view/VXUnixSyncSourceInfo.java > PRE-CREATION > security-admin/src/main/resources/META-INF/jpa_named_queries.xml 35ba30d9 > security-admin/src/main/resources/META-INF/persistence.xml 20f5bbac > > ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapDeltaUserGroupBuilder.java > 2852b320 > > ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java > 18366ef1 > > ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java > 6b2648d9 > > ugsync/src/main/java/org/apache/ranger/unixusersync/model/FileSyncSourceInfo.java > PRE-CREATION > > ugsync/src/main/java/org/apache/ranger/unixusersync/model/LdapSyncSourceInfo.java > PRE-CREATION > > ugsync/src/main/java/org/apache/ranger/unixusersync/model/UgsyncAuditInfo.java > PRE-CREATION > > ugsync/src/main/java/org/apache/ranger/unixusersync/model/UnixSyncSourceInfo.java > PRE-CREATION > > ugsync/src/main/java/org/apache/ranger/unixusersync/process/FileSourceUserGroupBuilder.java > 713c8688 > > ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java > 864d884d > > ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java > 60ce08d1 > ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGr
Re: Review Request 65739: RANGER-1985: Auditing for Ranger usersync operations
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/65739/ --- (Updated March 5, 2018, 7:14 p.m.) Review request for ranger, Ankita Sinha, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy. Changes --- Fixed minor PMD violations Bugs: RANGER-1985 https://issues.apache.org/jira/browse/RANGER-1985 Repository: ranger Description --- Added code to support auditing for Ranger Usersync operations. This includes auditing for all the sync sources (unix, file, and LDAP/AD) for every sync interval. Also includes Rest API for showing these audits in Ranger UI. Diffs (updated) - security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 9e8fcadf security-admin/db/mysql/patches/031-create-schema-for-usersync-audit-info.sql PRE-CREATION security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 55d44a11 security-admin/db/oracle/patches/031-create-schema-for-usersync-audit-info.sql PRE-CREATION security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql ef9ece7c security-admin/db/postgres/patches/031-create-schema-for-usersync-audit-info.sql PRE-CREATION security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql c98d3627 security-admin/db/sqlanywhere/patches/031-create-schema-for-usersync-audit-info.sql PRE-CREATION security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 61e81a0a security-admin/db/sqlserver/patches/031-create-schema-for-usersync-audit-info.sql PRE-CREATION security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java 034053d2 security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 71298a41 security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 4a02e26b security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java d61cbc7b security-admin/src/main/java/org/apache/ranger/db/XXUgsyncAuditInfoDao.java PRE-CREATION security-admin/src/main/java/org/apache/ranger/entity/XXUgsyncAuditInfo.java PRE-CREATION security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java 3c274e3f security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java a07c243a security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java 460c7fda security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java PRE-CREATION security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoServiceBase.java PRE-CREATION security-admin/src/main/java/org/apache/ranger/view/VXFileSyncSourceInfo.java PRE-CREATION security-admin/src/main/java/org/apache/ranger/view/VXLdapSyncSourceInfo.java PRE-CREATION security-admin/src/main/java/org/apache/ranger/view/VXUgsyncAuditInfo.java PRE-CREATION security-admin/src/main/java/org/apache/ranger/view/VXUgsyncAuditInfoList.java PRE-CREATION security-admin/src/main/java/org/apache/ranger/view/VXUnixSyncSourceInfo.java PRE-CREATION security-admin/src/main/resources/META-INF/jpa_named_queries.xml 35ba30d9 security-admin/src/main/resources/META-INF/persistence.xml 20f5bbac ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapDeltaUserGroupBuilder.java 2852b320 ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java 18366ef1 ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java 6b2648d9 ugsync/src/main/java/org/apache/ranger/unixusersync/model/FileSyncSourceInfo.java PRE-CREATION ugsync/src/main/java/org/apache/ranger/unixusersync/model/LdapSyncSourceInfo.java PRE-CREATION ugsync/src/main/java/org/apache/ranger/unixusersync/model/UgsyncAuditInfo.java PRE-CREATION ugsync/src/main/java/org/apache/ranger/unixusersync/model/UnixSyncSourceInfo.java PRE-CREATION ugsync/src/main/java/org/apache/ranger/unixusersync/process/FileSourceUserGroupBuilder.java 713c8688 ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java 864d884d ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java 60ce08d1 ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSink.java 494efc21 Diff: https://reviews.apache.org/r/65739/diff/7/ Changes: https://reviews.apache.org/r/65739/diff/6-7/ Testing --- 1. Tested with different types of sync sources (Unix, File, and LDAP/AD) 2. Also tested with incremental sync enabled for AD sync source. 3. Tested the Rest API for showing audits in Ranger UI. Thanks, Sailaja Polavarapu
[jira] [Assigned] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger
[ https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Ramesh Mani reassigned RANGER-1958: --- Assignee: Ramesh Mani > [HBase] Implement getUserPermissions API of AccessControlService.Interface to > allow clients to access HBase permissions stored in Ranger > > > Key: RANGER-1958 > URL: https://issues.apache.org/jira/browse/RANGER-1958 > Project: Ranger > Issue Type: Bug > Components: plugins >Reporter: Ankit Singhal >Assignee: Ramesh Mani >Priority: Major > Attachments: RANGER-1958.patch > > > We have added the support of ACLs in Phoenix as part of PHOENIX-4198. > Currently, the implementation relies on some of the APIs provided by > AccessControlService.Interface to get the user permission of the table but we > see that the API "AccessControlService.Interface#getUserPermissions" is not > yet implemented in Ranger authorization module for HBase and thus, we are > unable to access permissions stored for HBase Table in Phoenix. > In class RangerAuthorizationCoprocessor > {code} > @Override > public void getUserPermissions(RpcController controller, > AccessControlProtos.GetUserPermissionsRequest request, > RpcCallback done) { > LOG.debug("getUserPermissions(): "); > } > {code} > If we just implement this API, we can leverage the current HBase Ranger > plugin for Phoenix too. > Although the long-term solution for Ranger could be to implement the > coprocessor hooks for Phoenix as how it has been done for HBase so that we > can also authorize new entities like VIEW, SEQUENCES, FUNCTIONs (which can > not be supported with native HBase ACLs) along with Table and Schema. > Let me know your thoughts, I can try to put up a patch soon. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger
[ https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16386533#comment-16386533 ] Ramesh Mani commented on RANGER-1958: - [~an...@apache.org] Thanks for the Patch! That was quick. Please create a review request here in [https://reviews.apache.org/dashboard/] > [HBase] Implement getUserPermissions API of AccessControlService.Interface to > allow clients to access HBase permissions stored in Ranger > > > Key: RANGER-1958 > URL: https://issues.apache.org/jira/browse/RANGER-1958 > Project: Ranger > Issue Type: Bug > Components: plugins >Reporter: Ankit Singhal >Assignee: Ankita Sinha >Priority: Major > Attachments: RANGER-1958.patch > > > We have added the support of ACLs in Phoenix as part of PHOENIX-4198. > Currently, the implementation relies on some of the APIs provided by > AccessControlService.Interface to get the user permission of the table but we > see that the API "AccessControlService.Interface#getUserPermissions" is not > yet implemented in Ranger authorization module for HBase and thus, we are > unable to access permissions stored for HBase Table in Phoenix. > In class RangerAuthorizationCoprocessor > {code} > @Override > public void getUserPermissions(RpcController controller, > AccessControlProtos.GetUserPermissionsRequest request, > RpcCallback done) { > LOG.debug("getUserPermissions(): "); > } > {code} > If we just implement this API, we can leverage the current HBase Ranger > plugin for Phoenix too. > Although the long-term solution for Ranger could be to implement the > coprocessor hooks for Phoenix as how it has been done for HBase so that we > can also authorize new entities like VIEW, SEQUENCES, FUNCTIONs (which can > not be supported with native HBase ACLs) along with Table and Schema. > Let me know your thoughts, I can try to put up a patch soon. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Assigned] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger
[ https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Ramesh Mani reassigned RANGER-1958: --- Assignee: Ankita Sinha (was: Ramesh Mani) > [HBase] Implement getUserPermissions API of AccessControlService.Interface to > allow clients to access HBase permissions stored in Ranger > > > Key: RANGER-1958 > URL: https://issues.apache.org/jira/browse/RANGER-1958 > Project: Ranger > Issue Type: Bug > Components: plugins >Reporter: Ankit Singhal >Assignee: Ankita Sinha >Priority: Major > Attachments: RANGER-1958.patch > > > We have added the support of ACLs in Phoenix as part of PHOENIX-4198. > Currently, the implementation relies on some of the APIs provided by > AccessControlService.Interface to get the user permission of the table but we > see that the API "AccessControlService.Interface#getUserPermissions" is not > yet implemented in Ranger authorization module for HBase and thus, we are > unable to access permissions stored for HBase Table in Phoenix. > In class RangerAuthorizationCoprocessor > {code} > @Override > public void getUserPermissions(RpcController controller, > AccessControlProtos.GetUserPermissionsRequest request, > RpcCallback done) { > LOG.debug("getUserPermissions(): "); > } > {code} > If we just implement this API, we can leverage the current HBase Ranger > plugin for Phoenix too. > Although the long-term solution for Ranger could be to implement the > coprocessor hooks for Phoenix as how it has been done for HBase so that we > can also authorize new entities like VIEW, SEQUENCES, FUNCTIONs (which can > not be supported with native HBase ACLs) along with Table and Schema. > Let me know your thoughts, I can try to put up a patch soon. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
Re: Review Request 65854: RANGER-1999: Ranger policy engine updates to support list-of-values in access reource
> On March 5, 2018, 9:57 a.m., Zsombor Gegesy wrote: > > Instead of using Objects, and casting to Collection or String, why didn't > > you use either just Collection - and use > > Collection.singleton(resourceName), or introduce a new 'ResourceMatch' > > type, with a 'SingleResourceMatch' and a 'AnyOfResourceMatch' subtypes ? So > > later a 'AllOfResourceMatch' could be introduced, if needed. Sure, a better > > name could be easily picked. > > Relaying on runtime class casts from 'Object' makes the code more fragile > > - it will be easy to forget later to update the code, because the compiler > > won't complain. @Zsombor - having generic 'Object' as the type for access-resouce value can enable extensions that can use types other than string/collection. Policy engine framework doesn't need to be restricted on specific types. Only 2 places need to deal with this: resource-matcher and trie-lookup. With this commit, I updated both to deal with string/collection type values. Current framework allows for registration of new type of resouce-matcher along with service-def. Not sure if such approach is feasible for trie-lookup - which arranges the policies based on string type resource values; for other resource types, trie can simply return complete policy-list. - Madhan --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/65854/#review198619 --- On March 1, 2018, 8:41 p.m., Madhan Neethiraj wrote: > > --- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/65854/ > --- > > (Updated March 1, 2018, 8:41 p.m.) > > > Review request for ranger, Don Bosco Durai, Abhay Kulkarni, Nixon Rodrigues, > and Ramesh Mani. > > > Bugs: RANGER-1999 > https://issues.apache.org/jira/browse/RANGER-1999 > > > Repository: ranger > > > Description > --- > > Updated policy engine module to handle resources with multiple values > > > Diffs > - > > > agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java > 2835cddd > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java > 2ee616a1 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java > 58004862 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java > 18bb1f44 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java > 9fcefbe0 > > agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java > 415263ee > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java > acd599a7 > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java > a7399eed > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java > 8183dedb > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java > eab9dbc7 > > agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java > aad78340 > > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java > f6c1e4d5 > > agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java > bcd15779 > > agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java > e2c7c270 > agents-common/src/test/resources/policyengine/test_policyengine_atlas.json > PRE-CREATION > > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java > e4eafc69 > > ranger-tools/src/main/java/org/apache/ranger/policyengine/perftest/v2/RangerPolicyFactory.java > 0008808e > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java > 5b7d0859 > > > Diff: https://reviews.apache.org/r/65854/diff/2/ > > > Testing > --- > > - added unit tests to validate the enhancements > > > Thanks, > > Madhan Neethiraj > >
Re: Review Request 65894: Remove invalid packages and import commands package to installer to fixed RANGER-1469 defect.
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/65894/#review198623 --- Ship it! Ship It! - Zsombor Gegesy On March 4, 2018, 3:56 p.m., Qiang Zhang wrote: > > --- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/65894/ > --- > > (Updated March 4, 2018, 3:56 p.m.) > > > Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O > hEigeartaigh, Gautam Borad, Madhan Neethiraj, pengjianhua, Ramesh Mani, > Selvamohan Neethiraj, sam rome, and Velmurugan Periasamy. > > > Bugs: RANGER-2005 > https://issues.apache.org/jira/browse/RANGER-2005 > > > Repository: ranger > > > Description > --- > > Remove invalid packages and import commands package to installer to fixed > RANGER-1469 defect. > > Some imported pakcages are not used. > Some packages are imported repeatedly. > The commands package is missing in usersync installer when merged the > RANGER-1469. > > I built, installed and carefully tested this issue after installed. > > > Diffs > - > > unixauthservice/scripts/setup.py 3fd0dd9 > > > Diff: https://reviews.apache.org/r/65894/diff/1/ > > > Testing > --- > > > Thanks, > > Qiang Zhang > >
Re: Review Request 61021: RANGER-1672:Ranger supports plugin to enable, monitor and manage apache kylin
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/61021/#review198621 --- Could you put together some instructions as to how to test this with a sample deployment? - Colm O hEigeartaigh On March 5, 2018, 8:23 a.m., Qiang Zhang wrote: > > --- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/61021/ > --- > > (Updated March 5, 2018, 8:23 a.m.) > > > Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O > hEigeartaigh, Gautam Borad, Madhan Neethiraj, pengjianhua, Ramesh Mani, > Selvamohan Neethiraj, sam rome, and Velmurugan Periasamy. > > > Bugs: RANGER-1672 > https://issues.apache.org/jira/browse/RANGER-1672 > > > Repository: ranger > > > Description > --- > > Ranger supports plugin to enable, monitor and manage apache kylin > > > Diffs > - > > agents-common/scripts/enable-agent.sh 7033f79 > > agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java > 899bcac > > agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java > 6ba42d4 > agents-common/src/main/resources/service-defs/ranger-servicedef-kylin.json > PRE-CREATION > plugin-kylin/.gitignore PRE-CREATION > plugin-kylin/conf/ranger-kylin-audit-changes.cfg PRE-CREATION > plugin-kylin/conf/ranger-kylin-audit.xml PRE-CREATION > plugin-kylin/conf/ranger-kylin-security-changes.cfg PRE-CREATION > plugin-kylin/conf/ranger-kylin-security.xml PRE-CREATION > plugin-kylin/conf/ranger-policymgr-ssl-changes.cfg PRE-CREATION > plugin-kylin/conf/ranger-policymgr-ssl.xml PRE-CREATION > plugin-kylin/pom.xml PRE-CREATION > plugin-kylin/scripts/install.properties PRE-CREATION > > plugin-kylin/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java > PRE-CREATION > > plugin-kylin/src/main/java/org/apache/ranger/services/kylin/RangerServiceKylin.java > PRE-CREATION > > plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinClient.java > PRE-CREATION > > plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinResourceMgr.java > PRE-CREATION > > plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/json/model/KylinProjectResponse.java > PRE-CREATION > pom.xml 08593aa > ranger-kylin-plugin-shim/.gitignore PRE-CREATION > ranger-kylin-plugin-shim/pom.xml PRE-CREATION > > ranger-kylin-plugin-shim/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java > PRE-CREATION > src/main/assembly/admin-web.xml 29d728a > src/main/assembly/plugin-kylin.xml PRE-CREATION > > > Diff: https://reviews.apache.org/r/61021/diff/4/ > > > Testing > --- > > Tested > > > Thanks, > > Qiang Zhang > >
[jira] [Updated] (RANGER-1889) List Users belonging to Group in Group tab
[ https://issues.apache.org/jira/browse/RANGER-1889?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Nitin Galave updated RANGER-1889: - Attachment: RANGER-1889.1.patch > List Users belonging to Group in Group tab > -- > > Key: RANGER-1889 > URL: https://issues.apache.org/jira/browse/RANGER-1889 > Project: Ranger > Issue Type: Improvement > Components: admin >Affects Versions: 0.7.0 > Environment: HDP 2.6.1 + Kerberos >Reporter: Hari Sekhon >Assignee: Nitin Galave >Priority: Major > Fix For: 1.0.0 > > Attachments: RANGER-1889.1.patch, RANGER-1889.matser.patch > > > Request to add the list of users inside each group page on the Settings -> > Groups -> "" Group Detail page. > Currently one can see the list of groups a specific user belongs to in the > groups column on the User List page, but cannot see all users belonging to a > specific group as there is no users column on the Group List page (probably > just as well as it could be large), but once clicking on a specific group the > Group Detail page lists only Group Name and Description fields, it should > have a long listing of users that are members of that specific group. > This is important for auditing purposes as most policies are set on a group > basis yet there is no current way in the Ranger UI to see all the users in > that group. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
Re: Reviews
Yes I ran into this issue before - you can explicitly ask for permission to resolve RRs from INFRA. I resolved a bunch of outstanding issue there - the easiest way to check is just to click on the JIRA link and see if it's resolved or not. Colm. On Mon, Mar 5, 2018 at 10:02 AM, Zsombor wrote: > Hi Rangers, > > Could you please mark your review requests as 'submitted' when it's > merged into master ? > It's not clear, if there are a separate admin privileges to mark > someone else's RR - or at least I don't have that privileges. > Currently, there are 53 open requests: > https://reviews.apache.org/dashboard/?group=ranger&view=to-group and > it's very hard to find which one is still open. > I bet, at least 5, but it's hard to find the needle in the haystack. > > > Thanks, > Zsombor > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
[jira] [Updated] (RANGER-1948) Support for Read-only Ranger Admin users
[ https://issues.apache.org/jira/browse/RANGER-1948?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Nitin Galave updated RANGER-1948: - Attachment: [UI]RANGER-1948.patch > Support for Read-only Ranger Admin users > > > Key: RANGER-1948 > URL: https://issues.apache.org/jira/browse/RANGER-1948 > Project: Ranger > Issue Type: Bug > Components: Ranger >Affects Versions: master >Reporter: Fatima Amjad Khan >Assignee: Fatima Amjad Khan >Priority: Major > Fix For: master > > Attachments: RANGER-1948_v1.patch, [UI]RANGER-1948.patch > > > This JIRA is to cater to need of Auditor roles in Ranger Admin. > We can introduce Auditor Roles for both the Administrator Roles in Ranger > Admin. > * Auditor (Readonly privileges from current Admin role user ) > * KMS Auditor (Readonly privileges from current Keydmin role user ) -- This message was sent by Atlassian JIRA (v7.6.3#76005)
Reviews
Hi Rangers, Could you please mark your review requests as 'submitted' when it's merged into master ? It's not clear, if there are a separate admin privileges to mark someone else's RR - or at least I don't have that privileges. Currently, there are 53 open requests: https://reviews.apache.org/dashboard/?group=ranger&view=to-group and it's very hard to find which one is still open. I bet, at least 5, but it's hard to find the needle in the haystack. Thanks, Zsombor
[jira] [Commented] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger
[ https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16385874#comment-16385874 ] Ankit Singhal commented on RANGER-1958: --- [~rmani], can you please review the attached patch. > [HBase] Implement getUserPermissions API of AccessControlService.Interface to > allow clients to access HBase permissions stored in Ranger > > > Key: RANGER-1958 > URL: https://issues.apache.org/jira/browse/RANGER-1958 > Project: Ranger > Issue Type: Bug > Components: plugins >Reporter: Ankit Singhal >Priority: Major > Attachments: RANGER-1958.patch > > > We have added the support of ACLs in Phoenix as part of PHOENIX-4198. > Currently, the implementation relies on some of the APIs provided by > AccessControlService.Interface to get the user permission of the table but we > see that the API "AccessControlService.Interface#getUserPermissions" is not > yet implemented in Ranger authorization module for HBase and thus, we are > unable to access permissions stored for HBase Table in Phoenix. > In class RangerAuthorizationCoprocessor > {code} > @Override > public void getUserPermissions(RpcController controller, > AccessControlProtos.GetUserPermissionsRequest request, > RpcCallback done) { > LOG.debug("getUserPermissions(): "); > } > {code} > If we just implement this API, we can leverage the current HBase Ranger > plugin for Phoenix too. > Although the long-term solution for Ranger could be to implement the > coprocessor hooks for Phoenix as how it has been done for HBase so that we > can also authorize new entities like VIEW, SEQUENCES, FUNCTIONs (which can > not be supported with native HBase ACLs) along with Table and Schema. > Let me know your thoughts, I can try to put up a patch soon. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger
[ https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Ankit Singhal updated RANGER-1958: -- Attachment: RANGER-1958.patch > [HBase] Implement getUserPermissions API of AccessControlService.Interface to > allow clients to access HBase permissions stored in Ranger > > > Key: RANGER-1958 > URL: https://issues.apache.org/jira/browse/RANGER-1958 > Project: Ranger > Issue Type: Bug > Components: plugins >Reporter: Ankit Singhal >Priority: Major > Attachments: RANGER-1958.patch > > > We have added the support of ACLs in Phoenix as part of PHOENIX-4198. > Currently, the implementation relies on some of the APIs provided by > AccessControlService.Interface to get the user permission of the table but we > see that the API "AccessControlService.Interface#getUserPermissions" is not > yet implemented in Ranger authorization module for HBase and thus, we are > unable to access permissions stored for HBase Table in Phoenix. > In class RangerAuthorizationCoprocessor > {code} > @Override > public void getUserPermissions(RpcController controller, > AccessControlProtos.GetUserPermissionsRequest request, > RpcCallback done) { > LOG.debug("getUserPermissions(): "); > } > {code} > If we just implement this API, we can leverage the current HBase Ranger > plugin for Phoenix too. > Although the long-term solution for Ranger could be to implement the > coprocessor hooks for Phoenix as how it has been done for HBase so that we > can also authorize new entities like VIEW, SEQUENCES, FUNCTIONs (which can > not be supported with native HBase ACLs) along with Table and Schema. > Let me know your thoughts, I can try to put up a patch soon. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
Re: Review Request 65854: RANGER-1999: Ranger policy engine updates to support list-of-values in access reource
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/65854/#review198619 --- Instead of using Objects, and casting to Collection or String, why didn't you use either just Collection - and use Collection.singleton(resourceName), or introduce a new 'ResourceMatch' type, with a 'SingleResourceMatch' and a 'AnyOfResourceMatch' subtypes ? So later a 'AllOfResourceMatch' could be introduced, if needed. Sure, a better name could be easily picked. Relaying on runtime class casts from 'Object' makes the code more fragile - it will be easy to forget later to update the code, because the compiler won't complain. - Zsombor Gegesy On March 1, 2018, 9:41 p.m., Madhan Neethiraj wrote: > > --- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/65854/ > --- > > (Updated March 1, 2018, 9:41 p.m.) > > > Review request for ranger, Don Bosco Durai, Abhay Kulkarni, Nixon Rodrigues, > and Ramesh Mani. > > > Bugs: RANGER-1999 > https://issues.apache.org/jira/browse/RANGER-1999 > > > Repository: ranger > > > Description > --- > > Updated policy engine module to handle resources with multiple values > > > Diffs > - > > > agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java > 2835cddd > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java > 2ee616a1 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java > 58004862 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java > 18bb1f44 > > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java > 9fcefbe0 > > agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java > 415263ee > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java > acd599a7 > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java > a7399eed > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java > 8183dedb > > agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java > eab9dbc7 > > agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java > aad78340 > > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java > f6c1e4d5 > > agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java > bcd15779 > > agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java > e2c7c270 > agents-common/src/test/resources/policyengine/test_policyengine_atlas.json > PRE-CREATION > > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java > e4eafc69 > > ranger-tools/src/main/java/org/apache/ranger/policyengine/perftest/v2/RangerPolicyFactory.java > 0008808e > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java > 5b7d0859 > > > Diff: https://reviews.apache.org/r/65854/diff/2/ > > > Testing > --- > > - added unit tests to validate the enhancements > > > Thanks, > > Madhan Neethiraj > >
[jira] [Commented] (RANGER-1672) Ranger supports plugin to enable, monitor and manage apache kylin
[ https://issues.apache.org/jira/browse/RANGER-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16385768#comment-16385768 ] Qiang Zhang commented on RANGER-1672: - Kylin version 2.3.0 has been released in 2018-03-04. http://kylin.apache.org/docs23/release_notes.html Update ranger kylin plugin to meet with kylin 2.3.0. Review Requet: https://reviews.apache.org/r/61021/ Solution patch, please see attachment: [patch|https://issues.apache.org/jira/secure/attachment/12912988/0001-RANGER-1672-Ranger-supports-plugin-to-enable-monitor.patch] Implementation details: [1_KylinServiceManager|https://issues.apache.org/jira/secure/attachment/12912989/1_KylinServiceManager.jpg] [2_EditKylinService|https://issues.apache.org/jira/secure/attachment/12912990/2_EditKylinService.jpg] [3_ListKylinPolicies|https://issues.apache.org/jira/secure/attachment/12912991/3_ListKylinPolicies.jpg] [4_EditKylinPolicy|https://issues.apache.org/jira/secure/attachment/12912992/4_EditKylinPolicy.jpg] [5_KylinAuditLog|https://issues.apache.org/jira/secure/attachment/12912993/5_KylinAuditLog.jpg] [6_KylinPlugins|https://issues.apache.org/jira/secure/attachment/12912994/6_KylinPlugins.jpg] [7_KylinPluginStatus|https://issues.apache.org/jira/secure/attachment/12912995/7_KylinPluginStatus.jpg] > Ranger supports plugin to enable, monitor and manage apache kylin > - > > Key: RANGER-1672 > URL: https://issues.apache.org/jira/browse/RANGER-1672 > Project: Ranger > Issue Type: New Feature > Components: plugins >Reporter: Qiang Zhang >Assignee: Qiang Zhang >Priority: Major > Labels: newbie, patch > Attachments: > 0001-RANGER-1672-Ranger-supports-plugin-to-enable-monitor.patch, > 1_KylinServiceManager.jpg, 2_EditKylinService.jpg, 3_ListKylinPolicies.jpg, > 4_EditKylinPolicy.jpg, 5_KylinAuditLog.jpg, 6_KylinPlugins.jpg, > 7_KylinPluginStatus.jpg > > > Apache Kylin is an open source Distributed Analytics Engine designed to > provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop > supporting extremely large datasets, original contributed from eBay Inc. > Apache Kylin lets user query massive data set at sub-second latency in 3 > steps. > 1. Identify a Star Schema on Hadoop. > 2. Build Cube from the identified tables. > 3. Query with ANSI-SQL and get results in sub-second, via ODBC, JDBC or > RESTful API. > We should support that using Ranger to control kylin's access rights for > project and cube. > Specific implementation plan is as following: > On the ranger website, administrators can configure policies to control user > access to projects and cube permissions. > Kylin provides an abstract class and authorization interfaces for use by the > ranger plugin. kylin instantiates ranger plugin’s implementation class when > starting(this class extends the abstract class provided by kylin). > Ranger plugin periodically polls ranger admin, updates the policy to the > local, and updates project and cube access rights based on policy information. > In the Kylin side: > 1. Kylin provides an abstract class that enables the ranger plugin's > implementation class to extend. > 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin > implementation class's name. > 3. Instantiate the ranger plugin implementation class when starting kylin. > 4. kylin provides authorization interfaces for ranger plugin calls. > 5. According to the ranger authorization configuration item, hide kylin's > authorization management page. > 6. Using ranger manager access rights of the kylin does not affect kylin's > existing permissions functions and logic. > In the Ranger side: > 1. Ranger plugin will periodically polls ranger admin, updates the policy to > the local. > 2. The ranger plugin invoking the authorization interfaces provided by kylin > to updates the project and cube access rights based on the policy information. > reference link:https://issues.apache.org/jira/browse/KYLIN-2703 -- This message was sent by Atlassian JIRA (v7.6.3#76005)
Re: Review Request 61021: RANGER-1672:Ranger supports plugin to enable, monitor and manage apache kylin
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/61021/ --- (Updated 三月 5, 2018, 8:23 a.m.) Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, pengjianhua, Ramesh Mani, Selvamohan Neethiraj, sam rome, and Velmurugan Periasamy. Changes --- Kylin version 2.3.0 has been released in 2018-03-04. http://kylin.apache.org/docs23/release_notes.html Update ranger kylin plugin to meet with kylin 2.3.0. Bugs: RANGER-1672 https://issues.apache.org/jira/browse/RANGER-1672 Repository: ranger Description --- Ranger supports plugin to enable, monitor and manage apache kylin Diffs (updated) - agents-common/scripts/enable-agent.sh 7033f79 agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java 899bcac agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java 6ba42d4 agents-common/src/main/resources/service-defs/ranger-servicedef-kylin.json PRE-CREATION plugin-kylin/.gitignore PRE-CREATION plugin-kylin/conf/ranger-kylin-audit-changes.cfg PRE-CREATION plugin-kylin/conf/ranger-kylin-audit.xml PRE-CREATION plugin-kylin/conf/ranger-kylin-security-changes.cfg PRE-CREATION plugin-kylin/conf/ranger-kylin-security.xml PRE-CREATION plugin-kylin/conf/ranger-policymgr-ssl-changes.cfg PRE-CREATION plugin-kylin/conf/ranger-policymgr-ssl.xml PRE-CREATION plugin-kylin/pom.xml PRE-CREATION plugin-kylin/scripts/install.properties PRE-CREATION plugin-kylin/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java PRE-CREATION plugin-kylin/src/main/java/org/apache/ranger/services/kylin/RangerServiceKylin.java PRE-CREATION plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinClient.java PRE-CREATION plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinResourceMgr.java PRE-CREATION plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/json/model/KylinProjectResponse.java PRE-CREATION pom.xml 08593aa ranger-kylin-plugin-shim/.gitignore PRE-CREATION ranger-kylin-plugin-shim/pom.xml PRE-CREATION ranger-kylin-plugin-shim/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java PRE-CREATION src/main/assembly/admin-web.xml 29d728a src/main/assembly/plugin-kylin.xml PRE-CREATION Diff: https://reviews.apache.org/r/61021/diff/4/ Changes: https://reviews.apache.org/r/61021/diff/3-4/ Testing --- Tested Thanks, Qiang Zhang
[jira] [Updated] (RANGER-1672) Ranger supports plugin to enable, monitor and manage apache kylin
[ https://issues.apache.org/jira/browse/RANGER-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Qiang Zhang updated RANGER-1672: Attachment: 7_KylinPluginStatus.jpg 6_KylinPlugins.jpg 5_KylinAuditLog.jpg 4_EditKylinPolicy.jpg 3_ListKylinPolicies.jpg 2_EditKylinService.jpg 1_KylinServiceManager.jpg 0001-RANGER-1672-Ranger-supports-plugin-to-enable-monitor.patch > Ranger supports plugin to enable, monitor and manage apache kylin > - > > Key: RANGER-1672 > URL: https://issues.apache.org/jira/browse/RANGER-1672 > Project: Ranger > Issue Type: New Feature > Components: plugins >Reporter: Qiang Zhang >Assignee: Qiang Zhang >Priority: Major > Labels: newbie, patch > Attachments: > 0001-RANGER-1672-Ranger-supports-plugin-to-enable-monitor.patch, > 1_KylinServiceManager.jpg, 2_EditKylinService.jpg, 3_ListKylinPolicies.jpg, > 4_EditKylinPolicy.jpg, 5_KylinAuditLog.jpg, 6_KylinPlugins.jpg, > 7_KylinPluginStatus.jpg > > > Apache Kylin is an open source Distributed Analytics Engine designed to > provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop > supporting extremely large datasets, original contributed from eBay Inc. > Apache Kylin lets user query massive data set at sub-second latency in 3 > steps. > 1. Identify a Star Schema on Hadoop. > 2. Build Cube from the identified tables. > 3. Query with ANSI-SQL and get results in sub-second, via ODBC, JDBC or > RESTful API. > We should support that using Ranger to control kylin's access rights for > project and cube. > Specific implementation plan is as following: > On the ranger website, administrators can configure policies to control user > access to projects and cube permissions. > Kylin provides an abstract class and authorization interfaces for use by the > ranger plugin. kylin instantiates ranger plugin’s implementation class when > starting(this class extends the abstract class provided by kylin). > Ranger plugin periodically polls ranger admin, updates the policy to the > local, and updates project and cube access rights based on policy information. > In the Kylin side: > 1. Kylin provides an abstract class that enables the ranger plugin's > implementation class to extend. > 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin > implementation class's name. > 3. Instantiate the ranger plugin implementation class when starting kylin. > 4. kylin provides authorization interfaces for ranger plugin calls. > 5. According to the ranger authorization configuration item, hide kylin's > authorization management page. > 6. Using ranger manager access rights of the kylin does not affect kylin's > existing permissions functions and logic. > In the Ranger side: > 1. Ranger plugin will periodically polls ranger admin, updates the policy to > the local. > 2. The ranger plugin invoking the authorization interfaces provided by kylin > to updates the project and cube access rights based on the policy information. > reference link:https://issues.apache.org/jira/browse/KYLIN-2703 -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (RANGER-1672) Ranger supports plugin to enable, monitor and manage apache kylin
[ https://issues.apache.org/jira/browse/RANGER-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Qiang Zhang updated RANGER-1672: Attachment: (was: NewKylinService.jpg) > Ranger supports plugin to enable, monitor and manage apache kylin > - > > Key: RANGER-1672 > URL: https://issues.apache.org/jira/browse/RANGER-1672 > Project: Ranger > Issue Type: New Feature > Components: plugins >Reporter: Qiang Zhang >Assignee: Qiang Zhang >Priority: Major > Labels: newbie, patch > Attachments: > 0001-RANGER-1672-Ranger-supports-plugin-to-enable-monitor.patch, > 1_KylinServiceManager.jpg, 2_EditKylinService.jpg, 3_ListKylinPolicies.jpg, > 4_EditKylinPolicy.jpg, 5_KylinAuditLog.jpg, 6_KylinPlugins.jpg, > 7_KylinPluginStatus.jpg > > > Apache Kylin is an open source Distributed Analytics Engine designed to > provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop > supporting extremely large datasets, original contributed from eBay Inc. > Apache Kylin lets user query massive data set at sub-second latency in 3 > steps. > 1. Identify a Star Schema on Hadoop. > 2. Build Cube from the identified tables. > 3. Query with ANSI-SQL and get results in sub-second, via ODBC, JDBC or > RESTful API. > We should support that using Ranger to control kylin's access rights for > project and cube. > Specific implementation plan is as following: > On the ranger website, administrators can configure policies to control user > access to projects and cube permissions. > Kylin provides an abstract class and authorization interfaces for use by the > ranger plugin. kylin instantiates ranger plugin’s implementation class when > starting(this class extends the abstract class provided by kylin). > Ranger plugin periodically polls ranger admin, updates the policy to the > local, and updates project and cube access rights based on policy information. > In the Kylin side: > 1. Kylin provides an abstract class that enables the ranger plugin's > implementation class to extend. > 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin > implementation class's name. > 3. Instantiate the ranger plugin implementation class when starting kylin. > 4. kylin provides authorization interfaces for ranger plugin calls. > 5. According to the ranger authorization configuration item, hide kylin's > authorization management page. > 6. Using ranger manager access rights of the kylin does not affect kylin's > existing permissions functions and logic. > In the Ranger side: > 1. Ranger plugin will periodically polls ranger admin, updates the policy to > the local. > 2. The ranger plugin invoking the authorization interfaces provided by kylin > to updates the project and cube access rights based on the policy information. > reference link:https://issues.apache.org/jira/browse/KYLIN-2703 -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (RANGER-1672) Ranger supports plugin to enable, monitor and manage apache kylin
[ https://issues.apache.org/jira/browse/RANGER-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Qiang Zhang updated RANGER-1672: Attachment: (was: NewKylinPolicy.jpg) > Ranger supports plugin to enable, monitor and manage apache kylin > - > > Key: RANGER-1672 > URL: https://issues.apache.org/jira/browse/RANGER-1672 > Project: Ranger > Issue Type: New Feature > Components: plugins >Reporter: Qiang Zhang >Assignee: Qiang Zhang >Priority: Major > Labels: newbie, patch > Attachments: NewKylinService.jpg > > > Apache Kylin is an open source Distributed Analytics Engine designed to > provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop > supporting extremely large datasets, original contributed from eBay Inc. > Apache Kylin lets user query massive data set at sub-second latency in 3 > steps. > 1. Identify a Star Schema on Hadoop. > 2. Build Cube from the identified tables. > 3. Query with ANSI-SQL and get results in sub-second, via ODBC, JDBC or > RESTful API. > We should support that using Ranger to control kylin's access rights for > project and cube. > Specific implementation plan is as following: > On the ranger website, administrators can configure policies to control user > access to projects and cube permissions. > Kylin provides an abstract class and authorization interfaces for use by the > ranger plugin. kylin instantiates ranger plugin’s implementation class when > starting(this class extends the abstract class provided by kylin). > Ranger plugin periodically polls ranger admin, updates the policy to the > local, and updates project and cube access rights based on policy information. > In the Kylin side: > 1. Kylin provides an abstract class that enables the ranger plugin's > implementation class to extend. > 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin > implementation class's name. > 3. Instantiate the ranger plugin implementation class when starting kylin. > 4. kylin provides authorization interfaces for ranger plugin calls. > 5. According to the ranger authorization configuration item, hide kylin's > authorization management page. > 6. Using ranger manager access rights of the kylin does not affect kylin's > existing permissions functions and logic. > In the Ranger side: > 1. Ranger plugin will periodically polls ranger admin, updates the policy to > the local. > 2. The ranger plugin invoking the authorization interfaces provided by kylin > to updates the project and cube access rights based on the policy information. > reference link:https://issues.apache.org/jira/browse/KYLIN-2703 -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (RANGER-1672) Ranger supports plugin to enable, monitor and manage apache kylin
[ https://issues.apache.org/jira/browse/RANGER-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Qiang Zhang updated RANGER-1672: Attachment: (was: KylinPolicies.jpg) > Ranger supports plugin to enable, monitor and manage apache kylin > - > > Key: RANGER-1672 > URL: https://issues.apache.org/jira/browse/RANGER-1672 > Project: Ranger > Issue Type: New Feature > Components: plugins >Reporter: Qiang Zhang >Assignee: Qiang Zhang >Priority: Major > Labels: newbie, patch > Attachments: NewKylinService.jpg > > > Apache Kylin is an open source Distributed Analytics Engine designed to > provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop > supporting extremely large datasets, original contributed from eBay Inc. > Apache Kylin lets user query massive data set at sub-second latency in 3 > steps. > 1. Identify a Star Schema on Hadoop. > 2. Build Cube from the identified tables. > 3. Query with ANSI-SQL and get results in sub-second, via ODBC, JDBC or > RESTful API. > We should support that using Ranger to control kylin's access rights for > project and cube. > Specific implementation plan is as following: > On the ranger website, administrators can configure policies to control user > access to projects and cube permissions. > Kylin provides an abstract class and authorization interfaces for use by the > ranger plugin. kylin instantiates ranger plugin’s implementation class when > starting(this class extends the abstract class provided by kylin). > Ranger plugin periodically polls ranger admin, updates the policy to the > local, and updates project and cube access rights based on policy information. > In the Kylin side: > 1. Kylin provides an abstract class that enables the ranger plugin's > implementation class to extend. > 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin > implementation class's name. > 3. Instantiate the ranger plugin implementation class when starting kylin. > 4. kylin provides authorization interfaces for ranger plugin calls. > 5. According to the ranger authorization configuration item, hide kylin's > authorization management page. > 6. Using ranger manager access rights of the kylin does not affect kylin's > existing permissions functions and logic. > In the Ranger side: > 1. Ranger plugin will periodically polls ranger admin, updates the policy to > the local. > 2. The ranger plugin invoking the authorization interfaces provided by kylin > to updates the project and cube access rights based on the policy information. > reference link:https://issues.apache.org/jira/browse/KYLIN-2703 -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (RANGER-1672) Ranger supports plugin to enable, monitor and manage apache kylin
[ https://issues.apache.org/jira/browse/RANGER-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Qiang Zhang updated RANGER-1672: Attachment: (was: 0001-RANGER-1672-Ranger-supports-plugin-to-enable-monitor.patch) > Ranger supports plugin to enable, monitor and manage apache kylin > - > > Key: RANGER-1672 > URL: https://issues.apache.org/jira/browse/RANGER-1672 > Project: Ranger > Issue Type: New Feature > Components: plugins >Reporter: Qiang Zhang >Assignee: Qiang Zhang >Priority: Major > Labels: newbie, patch > Attachments: NewKylinPolicy.jpg, NewKylinService.jpg > > > Apache Kylin is an open source Distributed Analytics Engine designed to > provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop > supporting extremely large datasets, original contributed from eBay Inc. > Apache Kylin lets user query massive data set at sub-second latency in 3 > steps. > 1. Identify a Star Schema on Hadoop. > 2. Build Cube from the identified tables. > 3. Query with ANSI-SQL and get results in sub-second, via ODBC, JDBC or > RESTful API. > We should support that using Ranger to control kylin's access rights for > project and cube. > Specific implementation plan is as following: > On the ranger website, administrators can configure policies to control user > access to projects and cube permissions. > Kylin provides an abstract class and authorization interfaces for use by the > ranger plugin. kylin instantiates ranger plugin’s implementation class when > starting(this class extends the abstract class provided by kylin). > Ranger plugin periodically polls ranger admin, updates the policy to the > local, and updates project and cube access rights based on policy information. > In the Kylin side: > 1. Kylin provides an abstract class that enables the ranger plugin's > implementation class to extend. > 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin > implementation class's name. > 3. Instantiate the ranger plugin implementation class when starting kylin. > 4. kylin provides authorization interfaces for ranger plugin calls. > 5. According to the ranger authorization configuration item, hide kylin's > authorization management page. > 6. Using ranger manager access rights of the kylin does not affect kylin's > existing permissions functions and logic. > In the Ranger side: > 1. Ranger plugin will periodically polls ranger admin, updates the policy to > the local. > 2. The ranger plugin invoking the authorization interfaces provided by kylin > to updates the project and cube access rights based on the policy information. > reference link:https://issues.apache.org/jira/browse/KYLIN-2703 -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (RANGER-1672) Ranger supports plugin to enable, monitor and manage apache kylin
[ https://issues.apache.org/jira/browse/RANGER-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Qiang Zhang updated RANGER-1672: Attachment: (was: KylinPlugins.jpg) > Ranger supports plugin to enable, monitor and manage apache kylin > - > > Key: RANGER-1672 > URL: https://issues.apache.org/jira/browse/RANGER-1672 > Project: Ranger > Issue Type: New Feature > Components: plugins >Reporter: Qiang Zhang >Assignee: Qiang Zhang >Priority: Major > Labels: newbie, patch > Attachments: NewKylinService.jpg > > > Apache Kylin is an open source Distributed Analytics Engine designed to > provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop > supporting extremely large datasets, original contributed from eBay Inc. > Apache Kylin lets user query massive data set at sub-second latency in 3 > steps. > 1. Identify a Star Schema on Hadoop. > 2. Build Cube from the identified tables. > 3. Query with ANSI-SQL and get results in sub-second, via ODBC, JDBC or > RESTful API. > We should support that using Ranger to control kylin's access rights for > project and cube. > Specific implementation plan is as following: > On the ranger website, administrators can configure policies to control user > access to projects and cube permissions. > Kylin provides an abstract class and authorization interfaces for use by the > ranger plugin. kylin instantiates ranger plugin’s implementation class when > starting(this class extends the abstract class provided by kylin). > Ranger plugin periodically polls ranger admin, updates the policy to the > local, and updates project and cube access rights based on policy information. > In the Kylin side: > 1. Kylin provides an abstract class that enables the ranger plugin's > implementation class to extend. > 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin > implementation class's name. > 3. Instantiate the ranger plugin implementation class when starting kylin. > 4. kylin provides authorization interfaces for ranger plugin calls. > 5. According to the ranger authorization configuration item, hide kylin's > authorization management page. > 6. Using ranger manager access rights of the kylin does not affect kylin's > existing permissions functions and logic. > In the Ranger side: > 1. Ranger plugin will periodically polls ranger admin, updates the policy to > the local. > 2. The ranger plugin invoking the authorization interfaces provided by kylin > to updates the project and cube access rights based on the policy information. > reference link:https://issues.apache.org/jira/browse/KYLIN-2703 -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (RANGER-1672) Ranger supports plugin to enable, monitor and manage apache kylin
[ https://issues.apache.org/jira/browse/RANGER-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Qiang Zhang updated RANGER-1672: Attachment: (was: KylinServiceEntry.jpg) > Ranger supports plugin to enable, monitor and manage apache kylin > - > > Key: RANGER-1672 > URL: https://issues.apache.org/jira/browse/RANGER-1672 > Project: Ranger > Issue Type: New Feature > Components: plugins >Reporter: Qiang Zhang >Assignee: Qiang Zhang >Priority: Major > Labels: newbie, patch > Attachments: NewKylinService.jpg > > > Apache Kylin is an open source Distributed Analytics Engine designed to > provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop > supporting extremely large datasets, original contributed from eBay Inc. > Apache Kylin lets user query massive data set at sub-second latency in 3 > steps. > 1. Identify a Star Schema on Hadoop. > 2. Build Cube from the identified tables. > 3. Query with ANSI-SQL and get results in sub-second, via ODBC, JDBC or > RESTful API. > We should support that using Ranger to control kylin's access rights for > project and cube. > Specific implementation plan is as following: > On the ranger website, administrators can configure policies to control user > access to projects and cube permissions. > Kylin provides an abstract class and authorization interfaces for use by the > ranger plugin. kylin instantiates ranger plugin’s implementation class when > starting(this class extends the abstract class provided by kylin). > Ranger plugin periodically polls ranger admin, updates the policy to the > local, and updates project and cube access rights based on policy information. > In the Kylin side: > 1. Kylin provides an abstract class that enables the ranger plugin's > implementation class to extend. > 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin > implementation class's name. > 3. Instantiate the ranger plugin implementation class when starting kylin. > 4. kylin provides authorization interfaces for ranger plugin calls. > 5. According to the ranger authorization configuration item, hide kylin's > authorization management page. > 6. Using ranger manager access rights of the kylin does not affect kylin's > existing permissions functions and logic. > In the Ranger side: > 1. Ranger plugin will periodically polls ranger admin, updates the policy to > the local. > 2. The ranger plugin invoking the authorization interfaces provided by kylin > to updates the project and cube access rights based on the policy information. > reference link:https://issues.apache.org/jira/browse/KYLIN-2703 -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (RANGER-1672) Ranger supports plugin to enable, monitor and manage apache kylin
[ https://issues.apache.org/jira/browse/RANGER-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Qiang Zhang updated RANGER-1672: Attachment: (was: KylinAuditLog.jpg) > Ranger supports plugin to enable, monitor and manage apache kylin > - > > Key: RANGER-1672 > URL: https://issues.apache.org/jira/browse/RANGER-1672 > Project: Ranger > Issue Type: New Feature > Components: plugins >Reporter: Qiang Zhang >Assignee: Qiang Zhang >Priority: Major > Labels: newbie, patch > Attachments: NewKylinPolicy.jpg, NewKylinService.jpg > > > Apache Kylin is an open source Distributed Analytics Engine designed to > provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop > supporting extremely large datasets, original contributed from eBay Inc. > Apache Kylin lets user query massive data set at sub-second latency in 3 > steps. > 1. Identify a Star Schema on Hadoop. > 2. Build Cube from the identified tables. > 3. Query with ANSI-SQL and get results in sub-second, via ODBC, JDBC or > RESTful API. > We should support that using Ranger to control kylin's access rights for > project and cube. > Specific implementation plan is as following: > On the ranger website, administrators can configure policies to control user > access to projects and cube permissions. > Kylin provides an abstract class and authorization interfaces for use by the > ranger plugin. kylin instantiates ranger plugin’s implementation class when > starting(this class extends the abstract class provided by kylin). > Ranger plugin periodically polls ranger admin, updates the policy to the > local, and updates project and cube access rights based on policy information. > In the Kylin side: > 1. Kylin provides an abstract class that enables the ranger plugin's > implementation class to extend. > 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin > implementation class's name. > 3. Instantiate the ranger plugin implementation class when starting kylin. > 4. kylin provides authorization interfaces for ranger plugin calls. > 5. According to the ranger authorization configuration item, hide kylin's > authorization management page. > 6. Using ranger manager access rights of the kylin does not affect kylin's > existing permissions functions and logic. > In the Ranger side: > 1. Ranger plugin will periodically polls ranger admin, updates the policy to > the local. > 2. The ranger plugin invoking the authorization interfaces provided by kylin > to updates the project and cube access rights based on the policy information. > reference link:https://issues.apache.org/jira/browse/KYLIN-2703 -- This message was sent by Atlassian JIRA (v7.6.3#76005)