[jira] [Created] (RANGER-2010) Ranger Tagsync should use cookie based authentication for subsequent requests to Ranger admin

2018-03-05 Thread Nikhil Purbhe (JIRA)
Nikhil Purbhe created RANGER-2010:
-

 Summary: Ranger Tagsync should use cookie based authentication for 
subsequent requests to Ranger admin
 Key: RANGER-2010
 URL: https://issues.apache.org/jira/browse/RANGER-2010
 Project: Ranger
  Issue Type: Improvement
  Components: Ranger, tagsync
Reporter: Nikhil Purbhe
Assignee: Nikhil Purbhe
 Fix For: master


Ranger Tagsync should use cookie based authentication for subsequent requests 
to Ranger admin.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


Review Request 65914: Ranger 1948 : Support for Read-only Ranger Admin users

2018-03-05 Thread Fatima Khan

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65914/
---

Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, 
Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, and 
Sailaja Polavarapu.


Bugs: Ranger-1948
https://issues.apache.org/jira/browse/Ranger-1948


Repository: ranger


Description
---

This Jira is to cater to need of Auditor roles in Ranger Admin.  

We can introduce Auditor Roles for both the Administrator Roles in Ranger 
Admin. 
* Auditor (Readonly privileges from current Admin role user )
* KMS Auditor (Readonly privileges from current Keydmin role user )


Diffs
-

  security-admin/scripts/rolebasedusersearchutil.py d651461 
  security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java 15937c7 
  security-admin/src/main/java/org/apache/ranger/biz/AssetMgrBase.java 840bb38 
  security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java 03bcb60 
  security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 224f1a0 
  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
ecde444 
  security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java a989c84 
  security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java 9eb8f1f 
  security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java 8341a73 
  security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java a110035 
  security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java c2fac0b 
  security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b713d12 
  security-admin/src/main/java/org/apache/ranger/common/RangerConstants.java 
e31e9d7 
  security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java 
0e99be1 
  security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java 
bcf9080 
  
security-admin/src/main/java/org/apache/ranger/patch/cliutil/RoleBasedUserSearchUtil.java
 d3a28f7 
  security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java 9f7cd26 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java cb7ca52 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java 
9c19bb0 
  security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 9a9604f 
  
security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
 6951cbd 
  security-admin/src/main/java/org/apache/ranger/service/XTrxLogService.java 
4227d85 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
87da9a0 
  unixauthservice/scripts/install.properties 88bce69 


Diff: https://reviews.apache.org/r/65914/diff/1/


Testing
---

Tested scenario's:
1.Tested admin user is able to create User role user.
2.Tested admin user is able to create Auditor role user.
3.Tested admin user is not able to create kms auditor role user.
4.Tested keyadmin user is able to create kms auditor.
5.Tested auditor is able to only view policies, users, services and audits.
6.Tested kms auditor is able to only view policies, users, services, audits and 
keys.
7.Tested auditor is able to see permission tab but kms auditor should not see 
permission tab.
8.Auditor role users are  not allowed to import/export policies
9.Verified syncing of users from auditor role :: if we add them in properties 
install.properties of usersync during initial start of usersync.Property value 
in install.properties will be GROUP_BASED_ROLE_ASSIGNMENT_RULES= 
&ROLE_ADMIN_AUDITOR:u:userName&ROLE_KEY_ADMIN_AUDITOR:u:userName&ROLE_KEY_ADMIN_AUDITOR:g:groupName&ROLE_ADMIN_AUDITOR:g:groupName


Thanks,

Fatima Khan



[jira] [Assigned] (RANGER-2009) HDFS resource delegation improvement

2018-03-05 Thread Nikhil Purbhe (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-2009?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nikhil Purbhe reassigned RANGER-2009:
-

Assignee: Nikhil Purbhe

> HDFS resource delegation improvement
> 
>
> Key: RANGER-2009
> URL: https://issues.apache.org/jira/browse/RANGER-2009
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Nikhil Purbhe
>Assignee: Nikhil Purbhe
>Priority: Major
> Fix For: master
>
>
> HDFS resource delegation improvement.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Updated] (RANGER-1948) Support for Read-only Ranger Admin users

2018-03-05 Thread Fatima Amjad Khan (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1948?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Fatima Amjad Khan updated RANGER-1948:
--
Attachment: 0001-RANGER-1948-Support-for-Read-only-Ranger-Admin-users.patch

> Support for Read-only Ranger Admin users
> 
>
> Key: RANGER-1948
> URL: https://issues.apache.org/jira/browse/RANGER-1948
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: master
>Reporter: Fatima Amjad Khan
>Assignee: Fatima Amjad Khan
>Priority: Major
> Fix For: master
>
> Attachments: 
> 0001-RANGER-1948-Support-for-Read-only-Ranger-Admin-users.patch, 
> RANGER-1948_v1.patch, [UI]RANGER-1948.patch
>
>
> This JIRA is to cater to need of Auditor roles in Ranger Admin.  
> We can introduce Auditor Roles for both the Administrator Roles in Ranger 
> Admin. 
> * Auditor (Readonly privileges from current Admin role user )
> * KMS Auditor (Readonly privileges from current Keydmin role user ) 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Updated] (RANGER-1948) Support for Read-only Ranger Admin users

2018-03-05 Thread Fatima Amjad Khan (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1948?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Fatima Amjad Khan updated RANGER-1948:
--
Attachment: (was: 
0001-RANGER-1998-Add-ability-to-specify-passwords-for-adm.patch)

> Support for Read-only Ranger Admin users
> 
>
> Key: RANGER-1948
> URL: https://issues.apache.org/jira/browse/RANGER-1948
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: master
>Reporter: Fatima Amjad Khan
>Assignee: Fatima Amjad Khan
>Priority: Major
> Fix For: master
>
> Attachments: 
> 0001-RANGER-1948-Support-for-Read-only-Ranger-Admin-users.patch, 
> RANGER-1948_v1.patch, [UI]RANGER-1948.patch
>
>
> This JIRA is to cater to need of Auditor roles in Ranger Admin.  
> We can introduce Auditor Roles for both the Administrator Roles in Ranger 
> Admin. 
> * Auditor (Readonly privileges from current Admin role user )
> * KMS Auditor (Readonly privileges from current Keydmin role user ) 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Updated] (RANGER-1948) Support for Read-only Ranger Admin users

2018-03-05 Thread Fatima Amjad Khan (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1948?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Fatima Amjad Khan updated RANGER-1948:
--
Attachment: 0001-RANGER-1998-Add-ability-to-specify-passwords-for-adm.patch

> Support for Read-only Ranger Admin users
> 
>
> Key: RANGER-1948
> URL: https://issues.apache.org/jira/browse/RANGER-1948
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: master
>Reporter: Fatima Amjad Khan
>Assignee: Fatima Amjad Khan
>Priority: Major
> Fix For: master
>
> Attachments: 
> 0001-RANGER-1998-Add-ability-to-specify-passwords-for-adm.patch, 
> RANGER-1948_v1.patch, [UI]RANGER-1948.patch
>
>
> This JIRA is to cater to need of Auditor roles in Ranger Admin.  
> We can introduce Auditor Roles for both the Administrator Roles in Ranger 
> Admin. 
> * Auditor (Readonly privileges from current Admin role user )
> * KMS Auditor (Readonly privileges from current Keydmin role user ) 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Created] (RANGER-2009) HDFS resource delegation improvement

2018-03-05 Thread Nikhil Purbhe (JIRA)
Nikhil Purbhe created RANGER-2009:
-

 Summary: HDFS resource delegation improvement
 Key: RANGER-2009
 URL: https://issues.apache.org/jira/browse/RANGER-2009
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Reporter: Nikhil Purbhe
 Fix For: master


HDFS resource delegation improvement.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


Re: Review Request 65901: RANGER-1948: Support for Read-only Ranger Admin users (Ranger UI changes)

2018-03-05 Thread Nitin Galave

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65901/
---

(Updated March 6, 2018, 6:34 a.m.)


Review request for ranger, Fatima Khan, Gautam Borad, Mehul Parikh, and 
Velmurugan Periasamy.


Bugs: RANGER-1948
https://issues.apache.org/jira/browse/RANGER-1948


Repository: ranger


Description
---

This JIRA is to cater to need of Auditor roles in Ranger Admin.

We can introduce Auditor Roles for both the Administrator Roles in Ranger Admin.

Auditor (Readonly privileges from current Admin role user )
KMS Auditor (Readonly privileges from current Keydmin role user )


Diffs
-

  security-admin/src/main/webapp/scripts/controllers/Controller.js 2be915f 
  security-admin/src/main/webapp/scripts/mgrs/SessionMgr.js e7a3856 
  security-admin/src/main/webapp/scripts/modules/globalize/message/en.js 
ef75e36 
  security-admin/src/main/webapp/scripts/utils/XAEnums.js 0e0958d 
  security-admin/src/main/webapp/scripts/utils/XAUtils.js 4fe7263 
  security-admin/src/main/webapp/scripts/views/common/TopNav.js aba71ef 
  security-admin/src/main/webapp/scripts/views/kms/KMSTableLayout.js 2749cea 
  
security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionForm.js
 d9c522c 
  
security-admin/src/main/webapp/scripts/views/permissions/ModulePermsTableLayout.js
 b46d526 
  
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js
 618207d 
  security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 
7aab1e2 
  security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js 
c8fc050 
  security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js 
e0470cf 
  
security-admin/src/main/webapp/scripts/views/service/RangerServiceViewDetail.js 
PRE-CREATION 
  security-admin/src/main/webapp/scripts/views/user/UserProfileForm.js d545a05 
  security-admin/src/main/webapp/scripts/views/users/GroupCreate.js b73f755 
  security-admin/src/main/webapp/scripts/views/users/UserCreate.js b8c5894 
  security-admin/src/main/webapp/scripts/views/users/UserForm.js bd3730b 
  security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 9febd99 
  security-admin/src/main/webapp/styles/xa.css 919e825 
  security-admin/src/main/webapp/templates/common/TopNav_tmpl.html d2ff968 
  security-admin/src/main/webapp/templates/helpers/XAHelpers.js f8479e4 
  security-admin/src/main/webapp/templates/kms/KmsTableLayout_tmpl.html 8107148 
  
security-admin/src/main/webapp/templates/permissions/ModulePermsTableLayout_tmpl.html
 52b36a1 
  
security-admin/src/main/webapp/templates/policies/RangerPolicyTableLayout_tmpl.html
 c49dc32 
  security-admin/src/main/webapp/templates/reports/UserAccessLayout_tmpl.html 
e185742 
  
security-admin/src/main/webapp/templates/service/RangerServiceViewDetail_tmpl.html
 PRE-CREATION 
  security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html 
b7d4967 


Diff: https://reviews.apache.org/r/65901/diff/1/


Testing (updated)
---

Tested scenario's:
1.Admin user is able to create User role user.
2.Admin user is able to create Auditor role user.
3.Admin user is not able to create kms auditor role user.
4.Keyadmin user is able to create kms auditor.
5.Auditor is able to only view policies, users, services and audits.
6.Kms auditor is able to only view policies, users, services, audits and keys.
7.Auditor is able to see permission tab but kms auditor should not see 
permission tab.


Thanks,

Nitin Galave



[jira] [Created] (RANGER-2008) Policy evaluation is failing for multiline policy conditions.

2018-03-05 Thread Nitin Galave (JIRA)
Nitin Galave created RANGER-2008:


 Summary: Policy evaluation is failing for multiline policy 
conditions.
 Key: RANGER-2008
 URL: https://issues.apache.org/jira/browse/RANGER-2008
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Reporter: Nitin Galave
Assignee: Nitin Galave
 Fix For: 1.0.0


Policy evaluation is failing for multi-line policy conditions.

To Reproduce :
Create tag-based policy with multi-line policy condition and also policy 
condition should contain *comma* in it.
eg ctx.getAttributeValue("DATA_ATR", "name").equals("data_val");

Expression entered in policy-condition is broken into 2 values as follow:
{code:java}
  "conditions": [
{
  "type": "expression",
  "values": [
"ctx.getAttributeValue(\u0027DATA_ATR\u0027",
" \u0027name\u0027).equals(\u0027data_val\u0027)"
  ]
}
  ],{code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


Review Request 65901: RANGER-1948: Support for Read-only Ranger Admin users (Ranger UI changes)

2018-03-05 Thread Nitin Galave

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65901/
---

Review request for ranger, Fatima Khan, Gautam Borad, Mehul Parikh, and 
Velmurugan Periasamy.


Bugs: RANGER-1948
https://issues.apache.org/jira/browse/RANGER-1948


Repository: ranger


Description
---

This JIRA is to cater to need of Auditor roles in Ranger Admin.

We can introduce Auditor Roles for both the Administrator Roles in Ranger Admin.

Auditor (Readonly privileges from current Admin role user )
KMS Auditor (Readonly privileges from current Keydmin role user )


Diffs
-

  security-admin/src/main/webapp/scripts/controllers/Controller.js 2be915f 
  security-admin/src/main/webapp/scripts/mgrs/SessionMgr.js e7a3856 
  security-admin/src/main/webapp/scripts/modules/globalize/message/en.js 
ef75e36 
  security-admin/src/main/webapp/scripts/utils/XAEnums.js 0e0958d 
  security-admin/src/main/webapp/scripts/utils/XAUtils.js 4fe7263 
  security-admin/src/main/webapp/scripts/views/common/TopNav.js aba71ef 
  security-admin/src/main/webapp/scripts/views/kms/KMSTableLayout.js 2749cea 
  
security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionForm.js
 d9c522c 
  
security-admin/src/main/webapp/scripts/views/permissions/ModulePermsTableLayout.js
 b46d526 
  
security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js
 618207d 
  security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 
7aab1e2 
  security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js 
c8fc050 
  security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js 
e0470cf 
  
security-admin/src/main/webapp/scripts/views/service/RangerServiceViewDetail.js 
PRE-CREATION 
  security-admin/src/main/webapp/scripts/views/user/UserProfileForm.js d545a05 
  security-admin/src/main/webapp/scripts/views/users/GroupCreate.js b73f755 
  security-admin/src/main/webapp/scripts/views/users/UserCreate.js b8c5894 
  security-admin/src/main/webapp/scripts/views/users/UserForm.js bd3730b 
  security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js 9febd99 
  security-admin/src/main/webapp/styles/xa.css 919e825 
  security-admin/src/main/webapp/templates/common/TopNav_tmpl.html d2ff968 
  security-admin/src/main/webapp/templates/helpers/XAHelpers.js f8479e4 
  security-admin/src/main/webapp/templates/kms/KmsTableLayout_tmpl.html 8107148 
  
security-admin/src/main/webapp/templates/permissions/ModulePermsTableLayout_tmpl.html
 52b36a1 
  
security-admin/src/main/webapp/templates/policies/RangerPolicyTableLayout_tmpl.html
 c49dc32 
  security-admin/src/main/webapp/templates/reports/UserAccessLayout_tmpl.html 
e185742 
  
security-admin/src/main/webapp/templates/service/RangerServiceViewDetail_tmpl.html
 PRE-CREATION 
  security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html 
b7d4967 


Diff: https://reviews.apache.org/r/65901/diff/1/


Testing
---

Tested scenario's:
1.Admin user is able to create User role user.
2.Admin user is able to create Auditor role user.
3.Admin user is not able to create kms auditor role user.
4.Keyadmin user is able to create kms auditor.
5.Auditor is able to only view policies, users, services and audits.
6.Kms auditor is able to only view policies, users, services, audits and keys.
7.Auditor and kms auditor is not able to see permission tab.


Thanks,

Nitin Galave



Re: Review Request 61021: RANGER-1672:Ranger supports plugin to enable, monitor and manage apache kylin

2018-03-05 Thread Qiang Zhang


> On 三月 5, 2018, 11:35 a.m., Colm O hEigeartaigh wrote:
> > Could you put together some instructions as to how to test this with a 
> > sample deployment?

Please refer the following docs and steps:

1. Kylin Installation Guide:
http://kylin.apache.org/docs23/install/index.html

2.Kylin Enable LDAP authentication:
http://kylin.apache.org/docs23/howto/howto_ldap_and_sso.html

3.Kylin Project Level ACL:
http://kylin.apache.org/docs23/tutorial/project_level_acl.html

4.Ranger Kylin Plugin Installation Guide:
https://cwiki.apache.org/confluence/display/RANGER/Kylin+Plugin

5.Create Kylin Service in RangerAdmin Web UI:
Service Name : kylindev
Username : user1
Password : yourPassword
Kylin URL: http://IP:7070

Configure the administrator user "user1" in LDAP for Kylin and 
click Test Connection success.

6.Create Kylin Policy in kylindev for Kylin user "user2":
Policy Name   : access2LearnKylin
Kylin Project : learn_kylin
Select User   : user2   
Permissions   : QUERY OPERATION MANAGEMENT ADMIN

Configure the non-administrator user "user2" in LDAP for Kylin,
User "user2" login Kylin WebUI could access to Kylin project "learn_kylin", 
and do some actions on cubes of project "learn_kylin" with different 
permissions.

7.Delete Kylin Policy "access2LearnKylin",
then user "user2" could not access to project "learn_kylin" in Kylin WebUI.


- Qiang


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61021/#review198621
---


On 三月 5, 2018, 8:23 a.m., Qiang Zhang wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/61021/
> ---
> 
> (Updated 三月 5, 2018, 8:23 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, pengjianhua, Ramesh Mani, 
> Selvamohan Neethiraj, sam  rome, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1672
> https://issues.apache.org/jira/browse/RANGER-1672
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ranger supports plugin to enable, monitor and manage apache kylin
> 
> 
> Diffs
> -
> 
>   agents-common/scripts/enable-agent.sh 7033f79 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
>  899bcac 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java 
> 6ba42d4 
>   agents-common/src/main/resources/service-defs/ranger-servicedef-kylin.json 
> PRE-CREATION 
>   plugin-kylin/.gitignore PRE-CREATION 
>   plugin-kylin/conf/ranger-kylin-audit-changes.cfg PRE-CREATION 
>   plugin-kylin/conf/ranger-kylin-audit.xml PRE-CREATION 
>   plugin-kylin/conf/ranger-kylin-security-changes.cfg PRE-CREATION 
>   plugin-kylin/conf/ranger-kylin-security.xml PRE-CREATION 
>   plugin-kylin/conf/ranger-policymgr-ssl-changes.cfg PRE-CREATION 
>   plugin-kylin/conf/ranger-policymgr-ssl.xml PRE-CREATION 
>   plugin-kylin/pom.xml PRE-CREATION 
>   plugin-kylin/scripts/install.properties PRE-CREATION 
>   
> plugin-kylin/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java
>  PRE-CREATION 
>   
> plugin-kylin/src/main/java/org/apache/ranger/services/kylin/RangerServiceKylin.java
>  PRE-CREATION 
>   
> plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinClient.java
>  PRE-CREATION 
>   
> plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinResourceMgr.java
>  PRE-CREATION 
>   
> plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/json/model/KylinProjectResponse.java
>  PRE-CREATION 
>   pom.xml 08593aa 
>   ranger-kylin-plugin-shim/.gitignore PRE-CREATION 
>   ranger-kylin-plugin-shim/pom.xml PRE-CREATION 
>   
> ranger-kylin-plugin-shim/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java
>  PRE-CREATION 
>   src/main/assembly/admin-web.xml 29d728a 
>   src/main/assembly/plugin-kylin.xml PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/61021/diff/4/
> 
> 
> Testing
> ---
> 
> Tested
> 
> 
> Thanks,
> 
> Qiang Zhang
> 
>



[jira] [Updated] (RANGER-2007) ranger-tagsync's Kerberos ticket fails to renew

2018-03-05 Thread Abhay Kulkarni (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-2007?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhay Kulkarni updated RANGER-2007:
---
Fix Version/s: master

> ranger-tagsync's Kerberos ticket fails to renew
> ---
>
> Key: RANGER-2007
> URL: https://issues.apache.org/jira/browse/RANGER-2007
> Project: Ranger
>  Issue Type: Bug
>  Components: tagsync
>Affects Versions: master
>Reporter: Abhay Kulkarni
>Assignee: Abhay Kulkarni
>Priority: Major
> Fix For: 1.0.0, master
>
>
> Tagsync fails to upload tags to Ranger admin if ranger-tagsync process is 
> running for long time, due to failure to renew expired Kerberos ticket.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Comment Edited] (RANGER-2007) ranger-tagsync's Kerberos ticket fails to renew

2018-03-05 Thread Abhay Kulkarni (JIRA)

[ 
https://issues.apache.org/jira/browse/RANGER-2007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16387109#comment-16387109
 ] 

Abhay Kulkarni edited comment on RANGER-2007 at 3/6/18 2:07 AM:


Commit details:

master -

[https://git-wip-us.apache.org/repos/asf?p=ranger.git;a=commit;h=f96a9276f1b3ed920735e550a5c1cfe5cf560fe7]

 

ranger-1.0

https://git-wip-us.apache.org/repos/asf?p=ranger.git;a=commit;h=5439720fd909ec6c78bbc72e7ae743bdcebbd097


was (Author: abhayk):
Commit details:

master -

https://git-wip-us.apache.org/repos/asf?p=ranger.git;a=commit;h=f96a9276f1b3ed920735e550a5c1cfe5cf560fe7

> ranger-tagsync's Kerberos ticket fails to renew
> ---
>
> Key: RANGER-2007
> URL: https://issues.apache.org/jira/browse/RANGER-2007
> Project: Ranger
>  Issue Type: Bug
>  Components: tagsync
>Affects Versions: master
>Reporter: Abhay Kulkarni
>Assignee: Abhay Kulkarni
>Priority: Major
> Fix For: 1.0.0, master
>
>
> Tagsync fails to upload tags to Ranger admin if ranger-tagsync process is 
> running for long time, due to failure to renew expired Kerberos ticket.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


Review Request 65910: RANGER-2006: Fix problems detected by static code analysis in ranger usersync for ldap sync source

2018-03-05 Thread Sailaja Polavarapu

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65910/
---

Review request for ranger, Ankita Sinha, Gautam Borad, Abhay Kulkarni, Madhan 
Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja 
Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-2006
https://issues.apache.org/jira/browse/RANGER-2006


Repository: ranger


Description
---

In order to prevent LDAP injection, added code to escape special characters in 
the ldap search filter that is dynamically generated for retriving nested 
groups.


Diffs
-

  
ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapDeltaUserGroupBuilder.java
 2852b320 
  
ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
 6b2648d9 
  
ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
 45eeb1bc 


Diff: https://reviews.apache.org/r/65910/diff/1/


Testing
---

1. Successfully ran all the existing unit tests
2. Ran some functional tests with Incremental sync and nested groups with 
Active directory.


Thanks,

Sailaja Polavarapu



Re: Review Request 65909: ranger-tagsync's Kerberos ticket fails to renew

2018-03-05 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65909/#review198665
---


Ship it!




Ship It!

- Ramesh Mani


On March 5, 2018, 11:54 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/65909/
> ---
> 
> (Updated March 5, 2018, 11:54 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Ramesh Mani, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-2007
> https://issues.apache.org/jira/browse/RANGER-2007
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Tagsync fails to upload tags to Ranger admin if ranger-tagsync process is 
> running for long time, due to failure to renew expired Kerberos ticket.
> 
> 
> Diffs
> -
> 
>   
> tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java 
> 45997e408 
> 
> 
> Diff: https://reviews.apache.org/r/65909/diff/1/
> 
> 
> Testing
> ---
> 
> Tested with a long running, kerberized cluster
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



Review Request 65909: ranger-tagsync's Kerberos ticket fails to renew

2018-03-05 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65909/
---

Review request for ranger, Madhan Neethiraj, Ramesh Mani, and Velmurugan 
Periasamy.


Bugs: RANGER-2007
https://issues.apache.org/jira/browse/RANGER-2007


Repository: ranger


Description
---

Tagsync fails to upload tags to Ranger admin if ranger-tagsync process is 
running for long time, due to failure to renew expired Kerberos ticket.


Diffs
-

  tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java 
45997e408 


Diff: https://reviews.apache.org/r/65909/diff/1/


Testing
---

Tested with a long running, kerberized cluster


Thanks,

Abhay Kulkarni



[jira] [Updated] (RANGER-2007) ranger-tagsync's Kerberos ticket fails to renew

2018-03-05 Thread Abhay Kulkarni (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-2007?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhay Kulkarni updated RANGER-2007:
---
Description: Tagsync fails to upload tags to Ranger admin if ranger-tagsync 
process is running for long time, due to failure to renew expired Kerberos 
ticket.  (was: Tagsync failes to upload tags to Ranger admin if ranger-tagsync 
process is running for long time, due to failure to renew expired Kerberos 
ticket.)

> ranger-tagsync's Kerberos ticket fails to renew
> ---
>
> Key: RANGER-2007
> URL: https://issues.apache.org/jira/browse/RANGER-2007
> Project: Ranger
>  Issue Type: Bug
>  Components: tagsync
>Affects Versions: master
>Reporter: Abhay Kulkarni
>Assignee: Abhay Kulkarni
>Priority: Major
> Fix For: 1.0.0
>
>
> Tagsync fails to upload tags to Ranger admin if ranger-tagsync process is 
> running for long time, due to failure to renew expired Kerberos ticket.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Created] (RANGER-2007) ranger-tagsync's Kerberos ticket fails to renew

2018-03-05 Thread Abhay Kulkarni (JIRA)
Abhay Kulkarni created RANGER-2007:
--

 Summary: ranger-tagsync's Kerberos ticket fails to renew
 Key: RANGER-2007
 URL: https://issues.apache.org/jira/browse/RANGER-2007
 Project: Ranger
  Issue Type: Bug
  Components: tagsync
Affects Versions: master
Reporter: Abhay Kulkarni
 Fix For: 1.0.0


Tagsync failes to upload tags to Ranger admin if ranger-tagsync process is 
running for long time, due to failure to renew expired Kerberos ticket.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Assigned] (RANGER-2007) ranger-tagsync's Kerberos ticket fails to renew

2018-03-05 Thread Abhay Kulkarni (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-2007?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhay Kulkarni reassigned RANGER-2007:
--

Assignee: Abhay Kulkarni

> ranger-tagsync's Kerberos ticket fails to renew
> ---
>
> Key: RANGER-2007
> URL: https://issues.apache.org/jira/browse/RANGER-2007
> Project: Ranger
>  Issue Type: Bug
>  Components: tagsync
>Affects Versions: master
>Reporter: Abhay Kulkarni
>Assignee: Abhay Kulkarni
>Priority: Major
> Fix For: 1.0.0
>
>
> Tagsync failes to upload tags to Ranger admin if ranger-tagsync process is 
> running for long time, due to failure to renew expired Kerberos ticket.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


Re: Review Request 65739: RANGER-1985: Auditing for Ranger usersync operations

2018-03-05 Thread Velmurugan Periasamy

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65739/#review198659
---


Ship it!




Ship It!

- Velmurugan Periasamy


On March 5, 2018, 7:14 p.m., Sailaja Polavarapu wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/65739/
> ---
> 
> (Updated March 5, 2018, 7:14 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Gautam Borad, Abhay Kulkarni, Madhan 
> Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja 
> Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1985
> https://issues.apache.org/jira/browse/RANGER-1985
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Added code to support auditing for Ranger Usersync operations. This includes 
> auditing for all the sync sources (unix, file, and LDAP/AD) for every sync 
> interval. Also includes Rest API for showing these audits in Ranger UI.
> 
> 
> Diffs
> -
> 
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 9e8fcadf 
>   
> security-admin/db/mysql/patches/031-create-schema-for-usersync-audit-info.sql 
> PRE-CREATION 
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 
> 55d44a11 
>   
> security-admin/db/oracle/patches/031-create-schema-for-usersync-audit-info.sql
>  PRE-CREATION 
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 
> ef9ece7c 
>   
> security-admin/db/postgres/patches/031-create-schema-for-usersync-audit-info.sql
>  PRE-CREATION 
>   
> security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
>  c98d3627 
>   
> security-admin/db/sqlanywhere/patches/031-create-schema-for-usersync-audit-info.sql
>  PRE-CREATION 
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 
> 61e81a0a 
>   
> security-admin/db/sqlserver/patches/031-create-schema-for-usersync-audit-info.sql
>  PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java 034053d2 
>   security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 71298a41 
>   security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 
> 4a02e26b 
>   security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 
> d61cbc7b 
>   security-admin/src/main/java/org/apache/ranger/db/XXUgsyncAuditInfoDao.java 
> PRE-CREATION 
>   
> security-admin/src/main/java/org/apache/ranger/entity/XXUgsyncAuditInfo.java 
> PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java 3c274e3f 
>   security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java a07c243a 
>   
> security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
>  460c7fda 
>   
> security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java
>  PRE-CREATION 
>   
> security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoServiceBase.java
>  PRE-CREATION 
>   
> security-admin/src/main/java/org/apache/ranger/view/VXFileSyncSourceInfo.java 
> PRE-CREATION 
>   
> security-admin/src/main/java/org/apache/ranger/view/VXLdapSyncSourceInfo.java 
> PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/view/VXUgsyncAuditInfo.java 
> PRE-CREATION 
>   
> security-admin/src/main/java/org/apache/ranger/view/VXUgsyncAuditInfoList.java
>  PRE-CREATION 
>   
> security-admin/src/main/java/org/apache/ranger/view/VXUnixSyncSourceInfo.java 
> PRE-CREATION 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml 35ba30d9 
>   security-admin/src/main/resources/META-INF/persistence.xml 20f5bbac 
>   
> ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapDeltaUserGroupBuilder.java
>  2852b320 
>   
> ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java
>  18366ef1 
>   
> ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
>  6b2648d9 
>   
> ugsync/src/main/java/org/apache/ranger/unixusersync/model/FileSyncSourceInfo.java
>  PRE-CREATION 
>   
> ugsync/src/main/java/org/apache/ranger/unixusersync/model/LdapSyncSourceInfo.java
>  PRE-CREATION 
>   
> ugsync/src/main/java/org/apache/ranger/unixusersync/model/UgsyncAuditInfo.java
>  PRE-CREATION 
>   
> ugsync/src/main/java/org/apache/ranger/unixusersync/model/UnixSyncSourceInfo.java
>  PRE-CREATION 
>   
> ugsync/src/main/java/org/apache/ranger/unixusersync/process/FileSourceUserGroupBuilder.java
>  713c8688 
>   
> ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
>  864d884d 
>   
> ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java
>  60ce08d1 
>   ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGr

Re: Review Request 65739: RANGER-1985: Auditing for Ranger usersync operations

2018-03-05 Thread Sailaja Polavarapu

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65739/
---

(Updated March 5, 2018, 7:14 p.m.)


Review request for ranger, Ankita Sinha, Gautam Borad, Abhay Kulkarni, Madhan 
Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja 
Polavarapu, and Velmurugan Periasamy.


Changes
---

Fixed minor PMD violations


Bugs: RANGER-1985
https://issues.apache.org/jira/browse/RANGER-1985


Repository: ranger


Description
---

Added code to support auditing for Ranger Usersync operations. This includes 
auditing for all the sync sources (unix, file, and LDAP/AD) for every sync 
interval. Also includes Rest API for showing these audits in Ranger UI.


Diffs (updated)
-

  security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 9e8fcadf 
  security-admin/db/mysql/patches/031-create-schema-for-usersync-audit-info.sql 
PRE-CREATION 
  security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql 55d44a11 
  
security-admin/db/oracle/patches/031-create-schema-for-usersync-audit-info.sql 
PRE-CREATION 
  security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 
ef9ece7c 
  
security-admin/db/postgres/patches/031-create-schema-for-usersync-audit-info.sql
 PRE-CREATION 
  
security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 
c98d3627 
  
security-admin/db/sqlanywhere/patches/031-create-schema-for-usersync-audit-info.sql
 PRE-CREATION 
  security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql 
61e81a0a 
  
security-admin/db/sqlserver/patches/031-create-schema-for-usersync-audit-info.sql
 PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java 034053d2 
  security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 71298a41 
  security-admin/src/main/java/org/apache/ranger/common/AppConstants.java 
4a02e26b 
  security-admin/src/main/java/org/apache/ranger/db/RangerDaoManagerBase.java 
d61cbc7b 
  security-admin/src/main/java/org/apache/ranger/db/XXUgsyncAuditInfoDao.java 
PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/entity/XXUgsyncAuditInfo.java 
PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java 3c274e3f 
  security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java a07c243a 
  
security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
 460c7fda 
  
security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java
 PRE-CREATION 
  
security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoServiceBase.java
 PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/view/VXFileSyncSourceInfo.java 
PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/view/VXLdapSyncSourceInfo.java 
PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/view/VXUgsyncAuditInfo.java 
PRE-CREATION 
  
security-admin/src/main/java/org/apache/ranger/view/VXUgsyncAuditInfoList.java 
PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/view/VXUnixSyncSourceInfo.java 
PRE-CREATION 
  security-admin/src/main/resources/META-INF/jpa_named_queries.xml 35ba30d9 
  security-admin/src/main/resources/META-INF/persistence.xml 20f5bbac 
  
ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapDeltaUserGroupBuilder.java
 2852b320 
  
ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java
 18366ef1 
  
ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
 6b2648d9 
  
ugsync/src/main/java/org/apache/ranger/unixusersync/model/FileSyncSourceInfo.java
 PRE-CREATION 
  
ugsync/src/main/java/org/apache/ranger/unixusersync/model/LdapSyncSourceInfo.java
 PRE-CREATION 
  
ugsync/src/main/java/org/apache/ranger/unixusersync/model/UgsyncAuditInfo.java 
PRE-CREATION 
  
ugsync/src/main/java/org/apache/ranger/unixusersync/model/UnixSyncSourceInfo.java
 PRE-CREATION 
  
ugsync/src/main/java/org/apache/ranger/unixusersync/process/FileSourceUserGroupBuilder.java
 713c8688 
  
ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
 864d884d 
  
ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java
 60ce08d1 
  ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSink.java 
494efc21 


Diff: https://reviews.apache.org/r/65739/diff/7/

Changes: https://reviews.apache.org/r/65739/diff/6-7/


Testing
---

1. Tested with different types of sync sources (Unix, File, and LDAP/AD)
2. Also tested with incremental sync enabled for AD sync source.
3. Tested the Rest API for showing audits in Ranger UI.


Thanks,

Sailaja Polavarapu



[jira] [Assigned] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-03-05 Thread Ramesh Mani (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani reassigned RANGER-1958:
---

Assignee: Ramesh Mani

> [HBase] Implement getUserPermissions API of AccessControlService.Interface to 
> allow clients to access HBase permissions stored in Ranger
> 
>
> Key: RANGER-1958
> URL: https://issues.apache.org/jira/browse/RANGER-1958
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
>Reporter: Ankit Singhal
>Assignee: Ramesh Mani
>Priority: Major
> Attachments: RANGER-1958.patch
>
>
> We have added the support of ACLs in Phoenix as part of PHOENIX-4198. 
> Currently, the implementation relies on some of the APIs provided by 
> AccessControlService.Interface to get the user permission of the table but we 
> see that the API "AccessControlService.Interface#getUserPermissions"  is not 
> yet implemented in Ranger authorization module for HBase and thus, we are 
> unable to access permissions stored for HBase Table in Phoenix.
> In class RangerAuthorizationCoprocessor
> {code}
> @Override
>   public void getUserPermissions(RpcController controller, 
> AccessControlProtos.GetUserPermissionsRequest request, 
> RpcCallback done) {
>   LOG.debug("getUserPermissions(): ");
>   }
> {code}
> If we just implement this API, we can leverage the current HBase Ranger 
> plugin for Phoenix too.
> Although the long-term solution for Ranger could be to implement the 
> coprocessor hooks for Phoenix as how it has been done for HBase so that we 
> can also authorize new entities like VIEW, SEQUENCES, FUNCTIONs  (which can 
> not be supported with native HBase ACLs) along with Table and Schema. 
> Let me know your thoughts, I can try to put up a patch soon.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-03-05 Thread Ramesh Mani (JIRA)

[ 
https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16386533#comment-16386533
 ] 

Ramesh Mani commented on RANGER-1958:
-

[~an...@apache.org] Thanks for the Patch! That was quick. Please create a 
review request here in [https://reviews.apache.org/dashboard/] 

 

> [HBase] Implement getUserPermissions API of AccessControlService.Interface to 
> allow clients to access HBase permissions stored in Ranger
> 
>
> Key: RANGER-1958
> URL: https://issues.apache.org/jira/browse/RANGER-1958
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
>Reporter: Ankit Singhal
>Assignee: Ankita Sinha
>Priority: Major
> Attachments: RANGER-1958.patch
>
>
> We have added the support of ACLs in Phoenix as part of PHOENIX-4198. 
> Currently, the implementation relies on some of the APIs provided by 
> AccessControlService.Interface to get the user permission of the table but we 
> see that the API "AccessControlService.Interface#getUserPermissions"  is not 
> yet implemented in Ranger authorization module for HBase and thus, we are 
> unable to access permissions stored for HBase Table in Phoenix.
> In class RangerAuthorizationCoprocessor
> {code}
> @Override
>   public void getUserPermissions(RpcController controller, 
> AccessControlProtos.GetUserPermissionsRequest request, 
> RpcCallback done) {
>   LOG.debug("getUserPermissions(): ");
>   }
> {code}
> If we just implement this API, we can leverage the current HBase Ranger 
> plugin for Phoenix too.
> Although the long-term solution for Ranger could be to implement the 
> coprocessor hooks for Phoenix as how it has been done for HBase so that we 
> can also authorize new entities like VIEW, SEQUENCES, FUNCTIONs  (which can 
> not be supported with native HBase ACLs) along with Table and Schema. 
> Let me know your thoughts, I can try to put up a patch soon.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Assigned] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-03-05 Thread Ramesh Mani (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramesh Mani reassigned RANGER-1958:
---

Assignee: Ankita Sinha  (was: Ramesh Mani)

> [HBase] Implement getUserPermissions API of AccessControlService.Interface to 
> allow clients to access HBase permissions stored in Ranger
> 
>
> Key: RANGER-1958
> URL: https://issues.apache.org/jira/browse/RANGER-1958
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
>Reporter: Ankit Singhal
>Assignee: Ankita Sinha
>Priority: Major
> Attachments: RANGER-1958.patch
>
>
> We have added the support of ACLs in Phoenix as part of PHOENIX-4198. 
> Currently, the implementation relies on some of the APIs provided by 
> AccessControlService.Interface to get the user permission of the table but we 
> see that the API "AccessControlService.Interface#getUserPermissions"  is not 
> yet implemented in Ranger authorization module for HBase and thus, we are 
> unable to access permissions stored for HBase Table in Phoenix.
> In class RangerAuthorizationCoprocessor
> {code}
> @Override
>   public void getUserPermissions(RpcController controller, 
> AccessControlProtos.GetUserPermissionsRequest request, 
> RpcCallback done) {
>   LOG.debug("getUserPermissions(): ");
>   }
> {code}
> If we just implement this API, we can leverage the current HBase Ranger 
> plugin for Phoenix too.
> Although the long-term solution for Ranger could be to implement the 
> coprocessor hooks for Phoenix as how it has been done for HBase so that we 
> can also authorize new entities like VIEW, SEQUENCES, FUNCTIONs  (which can 
> not be supported with native HBase ACLs) along with Table and Schema. 
> Let me know your thoughts, I can try to put up a patch soon.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


Re: Review Request 65854: RANGER-1999: Ranger policy engine updates to support list-of-values in access reource

2018-03-05 Thread Madhan Neethiraj


> On March 5, 2018, 9:57 a.m., Zsombor Gegesy wrote:
> > Instead of using Objects, and casting to Collection or String, why didn't 
> > you use either just Collection - and use 
> > Collection.singleton(resourceName), or introduce a new 'ResourceMatch' 
> > type, with a 'SingleResourceMatch' and a 'AnyOfResourceMatch' subtypes ? So 
> > later a 'AllOfResourceMatch' could be introduced, if needed. Sure, a better 
> > name could be easily picked.
> >  Relaying on runtime class casts from 'Object' makes the code more fragile 
> > - it will be easy to forget later to update the code, because the compiler 
> > won't complain.

@Zsombor - having generic 'Object' as the type for access-resouce value can 
enable extensions that can use types other than string/collection. 
Policy engine framework doesn't need to be restricted on specific types. Only 2 
places need to deal with this: resource-matcher and trie-lookup. With this 
commit, I updated both to deal with string/collection type values. 
Current framework allows for registration of new type of resouce-matcher along 
with service-def. Not sure if such approach is feasible for trie-lookup - which 
arranges the policies based on string type resource values; for other resource 
types, trie can simply return complete policy-list.


- Madhan


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65854/#review198619
---


On March 1, 2018, 8:41 p.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/65854/
> ---
> 
> (Updated March 1, 2018, 8:41 p.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Abhay Kulkarni, Nixon Rodrigues, 
> and Ramesh Mani.
> 
> 
> Bugs: RANGER-1999
> https://issues.apache.org/jira/browse/RANGER-1999
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Updated policy engine module to handle resources with multiple values
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java
>  2835cddd 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java
>  2ee616a1 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java
>  58004862 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java
>  18bb1f44 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java
>  9fcefbe0 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
>  415263ee 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
>  acd599a7 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
>  a7399eed 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
>  8183dedb 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java
>  eab9dbc7 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
>  aad78340 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java
>  f6c1e4d5 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
>  bcd15779 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java
>  e2c7c270 
>   agents-common/src/test/resources/policyengine/test_policyengine_atlas.json 
> PRE-CREATION 
>   
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java
>  e4eafc69 
>   
> ranger-tools/src/main/java/org/apache/ranger/policyengine/perftest/v2/RangerPolicyFactory.java
>  0008808e 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
> 5b7d0859 
> 
> 
> Diff: https://reviews.apache.org/r/65854/diff/2/
> 
> 
> Testing
> ---
> 
> - added unit tests to validate the enhancements
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



Re: Review Request 65894: Remove invalid packages and import commands package to installer to fixed RANGER-1469 defect.

2018-03-05 Thread Zsombor Gegesy

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65894/#review198623
---


Ship it!




Ship It!

- Zsombor Gegesy


On March 4, 2018, 3:56 p.m., Qiang Zhang wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/65894/
> ---
> 
> (Updated March 4, 2018, 3:56 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, pengjianhua, Ramesh Mani, 
> Selvamohan Neethiraj, sam  rome, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2005
> https://issues.apache.org/jira/browse/RANGER-2005
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Remove invalid packages and import commands package to installer to fixed 
> RANGER-1469 defect.
> 
> Some imported pakcages are not used.
> Some packages are imported repeatedly.
> The commands package is missing in usersync installer when merged the 
> RANGER-1469.
> 
> I built, installed and carefully tested this issue after installed.
> 
> 
> Diffs
> -
> 
>   unixauthservice/scripts/setup.py 3fd0dd9 
> 
> 
> Diff: https://reviews.apache.org/r/65894/diff/1/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> Qiang Zhang
> 
>



Re: Review Request 61021: RANGER-1672:Ranger supports plugin to enable, monitor and manage apache kylin

2018-03-05 Thread Colm O hEigeartaigh

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61021/#review198621
---



Could you put together some instructions as to how to test this with a sample 
deployment?

- Colm O hEigeartaigh


On March 5, 2018, 8:23 a.m., Qiang Zhang wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/61021/
> ---
> 
> (Updated March 5, 2018, 8:23 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, pengjianhua, Ramesh Mani, 
> Selvamohan Neethiraj, sam  rome, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1672
> https://issues.apache.org/jira/browse/RANGER-1672
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Ranger supports plugin to enable, monitor and manage apache kylin
> 
> 
> Diffs
> -
> 
>   agents-common/scripts/enable-agent.sh 7033f79 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
>  899bcac 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java 
> 6ba42d4 
>   agents-common/src/main/resources/service-defs/ranger-servicedef-kylin.json 
> PRE-CREATION 
>   plugin-kylin/.gitignore PRE-CREATION 
>   plugin-kylin/conf/ranger-kylin-audit-changes.cfg PRE-CREATION 
>   plugin-kylin/conf/ranger-kylin-audit.xml PRE-CREATION 
>   plugin-kylin/conf/ranger-kylin-security-changes.cfg PRE-CREATION 
>   plugin-kylin/conf/ranger-kylin-security.xml PRE-CREATION 
>   plugin-kylin/conf/ranger-policymgr-ssl-changes.cfg PRE-CREATION 
>   plugin-kylin/conf/ranger-policymgr-ssl.xml PRE-CREATION 
>   plugin-kylin/pom.xml PRE-CREATION 
>   plugin-kylin/scripts/install.properties PRE-CREATION 
>   
> plugin-kylin/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java
>  PRE-CREATION 
>   
> plugin-kylin/src/main/java/org/apache/ranger/services/kylin/RangerServiceKylin.java
>  PRE-CREATION 
>   
> plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinClient.java
>  PRE-CREATION 
>   
> plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinResourceMgr.java
>  PRE-CREATION 
>   
> plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/json/model/KylinProjectResponse.java
>  PRE-CREATION 
>   pom.xml 08593aa 
>   ranger-kylin-plugin-shim/.gitignore PRE-CREATION 
>   ranger-kylin-plugin-shim/pom.xml PRE-CREATION 
>   
> ranger-kylin-plugin-shim/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java
>  PRE-CREATION 
>   src/main/assembly/admin-web.xml 29d728a 
>   src/main/assembly/plugin-kylin.xml PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/61021/diff/4/
> 
> 
> Testing
> ---
> 
> Tested
> 
> 
> Thanks,
> 
> Qiang Zhang
> 
>



[jira] [Updated] (RANGER-1889) List Users belonging to Group in Group tab

2018-03-05 Thread Nitin Galave (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1889?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nitin Galave updated RANGER-1889:
-
Attachment: RANGER-1889.1.patch

> List Users belonging to Group in Group tab
> --
>
> Key: RANGER-1889
> URL: https://issues.apache.org/jira/browse/RANGER-1889
> Project: Ranger
>  Issue Type: Improvement
>  Components: admin
>Affects Versions: 0.7.0
> Environment: HDP 2.6.1 + Kerberos
>Reporter: Hari Sekhon
>Assignee: Nitin Galave
>Priority: Major
> Fix For: 1.0.0
>
> Attachments: RANGER-1889.1.patch, RANGER-1889.matser.patch
>
>
> Request to add the list of users inside each group page on the Settings -> 
> Groups -> "" Group Detail page.
> Currently one can see the list of groups a specific user belongs to in the 
> groups column on the User List page, but cannot see all users belonging to a 
> specific group as there is no users column on the Group List page (probably 
> just as well as it could be large), but once clicking on a specific group the 
> Group Detail page lists only Group Name and Description fields, it should 
> have a long listing of users that are members of that specific group.
> This is important for auditing purposes as most policies are set on a group 
> basis yet there is no current way in the Ranger UI to see all the users in 
> that group.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


Re: Reviews

2018-03-05 Thread Colm O hEigeartaigh
Yes I ran into this issue before - you can explicitly ask for permission to
resolve RRs from INFRA. I resolved a bunch of outstanding issue there - the
easiest way to check is just to click on the JIRA link and see if it's
resolved or not.

Colm.

On Mon, Mar 5, 2018 at 10:02 AM, Zsombor  wrote:

> Hi Rangers,
>
>  Could you please mark your review requests as 'submitted' when it's
> merged into master ?
> It's not clear, if there are a separate admin privileges to mark
> someone else's RR - or at least I don't have that privileges.
> Currently, there are 53 open requests:
> https://reviews.apache.org/dashboard/?group=ranger&view=to-group and
> it's very hard to find which one is still open.
> I bet, at least 5, but it's hard to find the needle in the haystack.
>
>
> Thanks,
>  Zsombor
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


[jira] [Updated] (RANGER-1948) Support for Read-only Ranger Admin users

2018-03-05 Thread Nitin Galave (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1948?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nitin Galave updated RANGER-1948:
-
Attachment: [UI]RANGER-1948.patch

> Support for Read-only Ranger Admin users
> 
>
> Key: RANGER-1948
> URL: https://issues.apache.org/jira/browse/RANGER-1948
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Affects Versions: master
>Reporter: Fatima Amjad Khan
>Assignee: Fatima Amjad Khan
>Priority: Major
> Fix For: master
>
> Attachments: RANGER-1948_v1.patch, [UI]RANGER-1948.patch
>
>
> This JIRA is to cater to need of Auditor roles in Ranger Admin.  
> We can introduce Auditor Roles for both the Administrator Roles in Ranger 
> Admin. 
> * Auditor (Readonly privileges from current Admin role user )
> * KMS Auditor (Readonly privileges from current Keydmin role user ) 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


Reviews

2018-03-05 Thread Zsombor
Hi Rangers,

 Could you please mark your review requests as 'submitted' when it's
merged into master ?
It's not clear, if there are a separate admin privileges to mark
someone else's RR - or at least I don't have that privileges.
Currently, there are 53 open requests:
https://reviews.apache.org/dashboard/?group=ranger&view=to-group and
it's very hard to find which one is still open.
I bet, at least 5, but it's hard to find the needle in the haystack.


Thanks,
 Zsombor


[jira] [Commented] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-03-05 Thread Ankit Singhal (JIRA)

[ 
https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16385874#comment-16385874
 ] 

Ankit Singhal commented on RANGER-1958:
---

[~rmani], can you please review the attached patch. 

> [HBase] Implement getUserPermissions API of AccessControlService.Interface to 
> allow clients to access HBase permissions stored in Ranger
> 
>
> Key: RANGER-1958
> URL: https://issues.apache.org/jira/browse/RANGER-1958
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
>Reporter: Ankit Singhal
>Priority: Major
> Attachments: RANGER-1958.patch
>
>
> We have added the support of ACLs in Phoenix as part of PHOENIX-4198. 
> Currently, the implementation relies on some of the APIs provided by 
> AccessControlService.Interface to get the user permission of the table but we 
> see that the API "AccessControlService.Interface#getUserPermissions"  is not 
> yet implemented in Ranger authorization module for HBase and thus, we are 
> unable to access permissions stored for HBase Table in Phoenix.
> In class RangerAuthorizationCoprocessor
> {code}
> @Override
>   public void getUserPermissions(RpcController controller, 
> AccessControlProtos.GetUserPermissionsRequest request, 
> RpcCallback done) {
>   LOG.debug("getUserPermissions(): ");
>   }
> {code}
> If we just implement this API, we can leverage the current HBase Ranger 
> plugin for Phoenix too.
> Although the long-term solution for Ranger could be to implement the 
> coprocessor hooks for Phoenix as how it has been done for HBase so that we 
> can also authorize new entities like VIEW, SEQUENCES, FUNCTIONs  (which can 
> not be supported with native HBase ACLs) along with Table and Schema. 
> Let me know your thoughts, I can try to put up a patch soon.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Updated] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-03-05 Thread Ankit Singhal (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ankit Singhal updated RANGER-1958:
--
Attachment: RANGER-1958.patch

> [HBase] Implement getUserPermissions API of AccessControlService.Interface to 
> allow clients to access HBase permissions stored in Ranger
> 
>
> Key: RANGER-1958
> URL: https://issues.apache.org/jira/browse/RANGER-1958
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
>Reporter: Ankit Singhal
>Priority: Major
> Attachments: RANGER-1958.patch
>
>
> We have added the support of ACLs in Phoenix as part of PHOENIX-4198. 
> Currently, the implementation relies on some of the APIs provided by 
> AccessControlService.Interface to get the user permission of the table but we 
> see that the API "AccessControlService.Interface#getUserPermissions"  is not 
> yet implemented in Ranger authorization module for HBase and thus, we are 
> unable to access permissions stored for HBase Table in Phoenix.
> In class RangerAuthorizationCoprocessor
> {code}
> @Override
>   public void getUserPermissions(RpcController controller, 
> AccessControlProtos.GetUserPermissionsRequest request, 
> RpcCallback done) {
>   LOG.debug("getUserPermissions(): ");
>   }
> {code}
> If we just implement this API, we can leverage the current HBase Ranger 
> plugin for Phoenix too.
> Although the long-term solution for Ranger could be to implement the 
> coprocessor hooks for Phoenix as how it has been done for HBase so that we 
> can also authorize new entities like VIEW, SEQUENCES, FUNCTIONs  (which can 
> not be supported with native HBase ACLs) along with Table and Schema. 
> Let me know your thoughts, I can try to put up a patch soon.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


Re: Review Request 65854: RANGER-1999: Ranger policy engine updates to support list-of-values in access reource

2018-03-05 Thread Zsombor Gegesy

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65854/#review198619
---



Instead of using Objects, and casting to Collection or String, why didn't you 
use either just Collection - and use 
Collection.singleton(resourceName), or introduce a new 'ResourceMatch' type, 
with a 'SingleResourceMatch' and a 'AnyOfResourceMatch' subtypes ? So later a 
'AllOfResourceMatch' could be introduced, if needed. Sure, a better name could 
be easily picked.
 Relaying on runtime class casts from 'Object' makes the code more fragile - it 
will be easy to forget later to update the code, because the compiler won't 
complain.

- Zsombor Gegesy


On March 1, 2018, 9:41 p.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/65854/
> ---
> 
> (Updated March 1, 2018, 9:41 p.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Abhay Kulkarni, Nixon Rodrigues, 
> and Ramesh Mani.
> 
> 
> Bugs: RANGER-1999
> https://issues.apache.org/jira/browse/RANGER-1999
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Updated policy engine module to handle resources with multiple values
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java
>  2835cddd 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResource.java
>  2ee616a1 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceImpl.java
>  58004862 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResourceReadOnly.java
>  18bb1f44 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerMutableResource.java
>  9fcefbe0 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyresourcematcher/RangerDefaultPolicyResourceMatcher.java
>  415263ee 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
>  acd599a7 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerDefaultResourceMatcher.java
>  a7399eed 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerResourceMatcher.java
>  8183dedb 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/ResourceMatcher.java
>  eab9dbc7 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
>  aad78340 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerResourceTrie.java
>  f6c1e4d5 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
>  bcd15779 
>   
> agents-common/src/test/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcherTest.java
>  e2c7c270 
>   agents-common/src/test/resources/policyengine/test_policyengine_atlas.json 
> PRE-CREATION 
>   
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveResource.java
>  e4eafc69 
>   
> ranger-tools/src/main/java/org/apache/ranger/policyengine/perftest/v2/RangerPolicyFactory.java
>  0008808e 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
> 5b7d0859 
> 
> 
> Diff: https://reviews.apache.org/r/65854/diff/2/
> 
> 
> Testing
> ---
> 
> - added unit tests to validate the enhancements
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>



[jira] [Commented] (RANGER-1672) Ranger supports plugin to enable, monitor and manage apache kylin

2018-03-05 Thread Qiang Zhang (JIRA)

[ 
https://issues.apache.org/jira/browse/RANGER-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16385768#comment-16385768
 ] 

Qiang Zhang commented on RANGER-1672:
-

Kylin version 2.3.0 has been released in 2018-03-04.
http://kylin.apache.org/docs23/release_notes.html

Update ranger kylin plugin to meet with kylin 2.3.0.
Review Requet:
https://reviews.apache.org/r/61021/

Solution patch, please see attachment:
[patch|https://issues.apache.org/jira/secure/attachment/12912988/0001-RANGER-1672-Ranger-supports-plugin-to-enable-monitor.patch]

Implementation details:
[1_KylinServiceManager|https://issues.apache.org/jira/secure/attachment/12912989/1_KylinServiceManager.jpg]
[2_EditKylinService|https://issues.apache.org/jira/secure/attachment/12912990/2_EditKylinService.jpg]
[3_ListKylinPolicies|https://issues.apache.org/jira/secure/attachment/12912991/3_ListKylinPolicies.jpg]
[4_EditKylinPolicy|https://issues.apache.org/jira/secure/attachment/12912992/4_EditKylinPolicy.jpg]
[5_KylinAuditLog|https://issues.apache.org/jira/secure/attachment/12912993/5_KylinAuditLog.jpg]
[6_KylinPlugins|https://issues.apache.org/jira/secure/attachment/12912994/6_KylinPlugins.jpg]
[7_KylinPluginStatus|https://issues.apache.org/jira/secure/attachment/12912995/7_KylinPluginStatus.jpg]

> Ranger supports plugin to enable, monitor and manage apache kylin
> -
>
> Key: RANGER-1672
> URL: https://issues.apache.org/jira/browse/RANGER-1672
> Project: Ranger
>  Issue Type: New Feature
>  Components: plugins
>Reporter: Qiang Zhang
>Assignee: Qiang Zhang
>Priority: Major
>  Labels: newbie, patch
> Attachments: 
> 0001-RANGER-1672-Ranger-supports-plugin-to-enable-monitor.patch, 
> 1_KylinServiceManager.jpg, 2_EditKylinService.jpg, 3_ListKylinPolicies.jpg, 
> 4_EditKylinPolicy.jpg, 5_KylinAuditLog.jpg, 6_KylinPlugins.jpg, 
> 7_KylinPluginStatus.jpg
>
>
> Apache Kylin is an open source Distributed Analytics Engine designed to 
> provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop 
> supporting extremely large datasets, original contributed from eBay Inc. 
> Apache Kylin lets user query massive data set at sub-second latency in 3 
> steps.
> 1. Identify a Star Schema on Hadoop.
> 2. Build Cube from the identified tables.
> 3. Query with ANSI-SQL and get results in sub-second, via ODBC, JDBC or 
> RESTful API.
> We should support that using Ranger to control kylin's access rights for 
> project and cube.
> Specific implementation plan is as following:
> On the ranger website, administrators can configure policies to control user 
> access to projects and cube permissions.
> Kylin provides an abstract class and authorization interfaces for use by the 
> ranger plugin. kylin instantiates ranger plugin’s implementation class when 
> starting(this class extends the abstract class provided by kylin).
> Ranger plugin periodically polls ranger admin, updates the policy to the 
> local, and updates project and cube access rights based on policy information.
> In the Kylin side:
> 1. Kylin provides an abstract class that enables the ranger plugin's 
> implementation class to extend.
> 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin 
> implementation class's name.
> 3. Instantiate the ranger plugin implementation class when starting kylin.
> 4. kylin provides authorization interfaces for ranger plugin calls.
> 5. According to the ranger authorization configuration item, hide kylin's 
> authorization management page.
> 6. Using ranger manager access rights of the kylin does not affect kylin's 
> existing permissions functions and logic.
> In the Ranger side:
> 1. Ranger plugin will periodically polls ranger admin, updates the policy to 
> the local.
> 2. The ranger plugin invoking the authorization interfaces provided by kylin 
> to updates the project and cube access rights based on the policy information.
> reference link:https://issues.apache.org/jira/browse/KYLIN-2703



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


Re: Review Request 61021: RANGER-1672:Ranger supports plugin to enable, monitor and manage apache kylin

2018-03-05 Thread Qiang Zhang

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61021/
---

(Updated 三月 5, 2018, 8:23 a.m.)


Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, 
Gautam Borad, Madhan Neethiraj, pengjianhua, Ramesh Mani, Selvamohan Neethiraj, 
sam  rome, and Velmurugan Periasamy.


Changes
---

Kylin version 2.3.0 has been released in 2018-03-04.
http://kylin.apache.org/docs23/release_notes.html

Update ranger kylin plugin to meet with kylin 2.3.0.


Bugs: RANGER-1672
https://issues.apache.org/jira/browse/RANGER-1672


Repository: ranger


Description
---

Ranger supports plugin to enable, monitor and manage apache kylin


Diffs (updated)
-

  agents-common/scripts/enable-agent.sh 7033f79 
  
agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
 899bcac 
  agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java 
6ba42d4 
  agents-common/src/main/resources/service-defs/ranger-servicedef-kylin.json 
PRE-CREATION 
  plugin-kylin/.gitignore PRE-CREATION 
  plugin-kylin/conf/ranger-kylin-audit-changes.cfg PRE-CREATION 
  plugin-kylin/conf/ranger-kylin-audit.xml PRE-CREATION 
  plugin-kylin/conf/ranger-kylin-security-changes.cfg PRE-CREATION 
  plugin-kylin/conf/ranger-kylin-security.xml PRE-CREATION 
  plugin-kylin/conf/ranger-policymgr-ssl-changes.cfg PRE-CREATION 
  plugin-kylin/conf/ranger-policymgr-ssl.xml PRE-CREATION 
  plugin-kylin/pom.xml PRE-CREATION 
  plugin-kylin/scripts/install.properties PRE-CREATION 
  
plugin-kylin/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java
 PRE-CREATION 
  
plugin-kylin/src/main/java/org/apache/ranger/services/kylin/RangerServiceKylin.java
 PRE-CREATION 
  
plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinClient.java
 PRE-CREATION 
  
plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinResourceMgr.java
 PRE-CREATION 
  
plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/json/model/KylinProjectResponse.java
 PRE-CREATION 
  pom.xml 08593aa 
  ranger-kylin-plugin-shim/.gitignore PRE-CREATION 
  ranger-kylin-plugin-shim/pom.xml PRE-CREATION 
  
ranger-kylin-plugin-shim/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java
 PRE-CREATION 
  src/main/assembly/admin-web.xml 29d728a 
  src/main/assembly/plugin-kylin.xml PRE-CREATION 


Diff: https://reviews.apache.org/r/61021/diff/4/

Changes: https://reviews.apache.org/r/61021/diff/3-4/


Testing
---

Tested


Thanks,

Qiang Zhang



[jira] [Updated] (RANGER-1672) Ranger supports plugin to enable, monitor and manage apache kylin

2018-03-05 Thread Qiang Zhang (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Qiang Zhang updated RANGER-1672:

Attachment: 7_KylinPluginStatus.jpg
6_KylinPlugins.jpg
5_KylinAuditLog.jpg
4_EditKylinPolicy.jpg
3_ListKylinPolicies.jpg
2_EditKylinService.jpg
1_KylinServiceManager.jpg
0001-RANGER-1672-Ranger-supports-plugin-to-enable-monitor.patch

> Ranger supports plugin to enable, monitor and manage apache kylin
> -
>
> Key: RANGER-1672
> URL: https://issues.apache.org/jira/browse/RANGER-1672
> Project: Ranger
>  Issue Type: New Feature
>  Components: plugins
>Reporter: Qiang Zhang
>Assignee: Qiang Zhang
>Priority: Major
>  Labels: newbie, patch
> Attachments: 
> 0001-RANGER-1672-Ranger-supports-plugin-to-enable-monitor.patch, 
> 1_KylinServiceManager.jpg, 2_EditKylinService.jpg, 3_ListKylinPolicies.jpg, 
> 4_EditKylinPolicy.jpg, 5_KylinAuditLog.jpg, 6_KylinPlugins.jpg, 
> 7_KylinPluginStatus.jpg
>
>
> Apache Kylin is an open source Distributed Analytics Engine designed to 
> provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop 
> supporting extremely large datasets, original contributed from eBay Inc. 
> Apache Kylin lets user query massive data set at sub-second latency in 3 
> steps.
> 1. Identify a Star Schema on Hadoop.
> 2. Build Cube from the identified tables.
> 3. Query with ANSI-SQL and get results in sub-second, via ODBC, JDBC or 
> RESTful API.
> We should support that using Ranger to control kylin's access rights for 
> project and cube.
> Specific implementation plan is as following:
> On the ranger website, administrators can configure policies to control user 
> access to projects and cube permissions.
> Kylin provides an abstract class and authorization interfaces for use by the 
> ranger plugin. kylin instantiates ranger plugin’s implementation class when 
> starting(this class extends the abstract class provided by kylin).
> Ranger plugin periodically polls ranger admin, updates the policy to the 
> local, and updates project and cube access rights based on policy information.
> In the Kylin side:
> 1. Kylin provides an abstract class that enables the ranger plugin's 
> implementation class to extend.
> 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin 
> implementation class's name.
> 3. Instantiate the ranger plugin implementation class when starting kylin.
> 4. kylin provides authorization interfaces for ranger plugin calls.
> 5. According to the ranger authorization configuration item, hide kylin's 
> authorization management page.
> 6. Using ranger manager access rights of the kylin does not affect kylin's 
> existing permissions functions and logic.
> In the Ranger side:
> 1. Ranger plugin will periodically polls ranger admin, updates the policy to 
> the local.
> 2. The ranger plugin invoking the authorization interfaces provided by kylin 
> to updates the project and cube access rights based on the policy information.
> reference link:https://issues.apache.org/jira/browse/KYLIN-2703



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Updated] (RANGER-1672) Ranger supports plugin to enable, monitor and manage apache kylin

2018-03-05 Thread Qiang Zhang (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Qiang Zhang updated RANGER-1672:

Attachment: (was: NewKylinService.jpg)

> Ranger supports plugin to enable, monitor and manage apache kylin
> -
>
> Key: RANGER-1672
> URL: https://issues.apache.org/jira/browse/RANGER-1672
> Project: Ranger
>  Issue Type: New Feature
>  Components: plugins
>Reporter: Qiang Zhang
>Assignee: Qiang Zhang
>Priority: Major
>  Labels: newbie, patch
> Attachments: 
> 0001-RANGER-1672-Ranger-supports-plugin-to-enable-monitor.patch, 
> 1_KylinServiceManager.jpg, 2_EditKylinService.jpg, 3_ListKylinPolicies.jpg, 
> 4_EditKylinPolicy.jpg, 5_KylinAuditLog.jpg, 6_KylinPlugins.jpg, 
> 7_KylinPluginStatus.jpg
>
>
> Apache Kylin is an open source Distributed Analytics Engine designed to 
> provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop 
> supporting extremely large datasets, original contributed from eBay Inc. 
> Apache Kylin lets user query massive data set at sub-second latency in 3 
> steps.
> 1. Identify a Star Schema on Hadoop.
> 2. Build Cube from the identified tables.
> 3. Query with ANSI-SQL and get results in sub-second, via ODBC, JDBC or 
> RESTful API.
> We should support that using Ranger to control kylin's access rights for 
> project and cube.
> Specific implementation plan is as following:
> On the ranger website, administrators can configure policies to control user 
> access to projects and cube permissions.
> Kylin provides an abstract class and authorization interfaces for use by the 
> ranger plugin. kylin instantiates ranger plugin’s implementation class when 
> starting(this class extends the abstract class provided by kylin).
> Ranger plugin periodically polls ranger admin, updates the policy to the 
> local, and updates project and cube access rights based on policy information.
> In the Kylin side:
> 1. Kylin provides an abstract class that enables the ranger plugin's 
> implementation class to extend.
> 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin 
> implementation class's name.
> 3. Instantiate the ranger plugin implementation class when starting kylin.
> 4. kylin provides authorization interfaces for ranger plugin calls.
> 5. According to the ranger authorization configuration item, hide kylin's 
> authorization management page.
> 6. Using ranger manager access rights of the kylin does not affect kylin's 
> existing permissions functions and logic.
> In the Ranger side:
> 1. Ranger plugin will periodically polls ranger admin, updates the policy to 
> the local.
> 2. The ranger plugin invoking the authorization interfaces provided by kylin 
> to updates the project and cube access rights based on the policy information.
> reference link:https://issues.apache.org/jira/browse/KYLIN-2703



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Updated] (RANGER-1672) Ranger supports plugin to enable, monitor and manage apache kylin

2018-03-05 Thread Qiang Zhang (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Qiang Zhang updated RANGER-1672:

Attachment: (was: NewKylinPolicy.jpg)

> Ranger supports plugin to enable, monitor and manage apache kylin
> -
>
> Key: RANGER-1672
> URL: https://issues.apache.org/jira/browse/RANGER-1672
> Project: Ranger
>  Issue Type: New Feature
>  Components: plugins
>Reporter: Qiang Zhang
>Assignee: Qiang Zhang
>Priority: Major
>  Labels: newbie, patch
> Attachments: NewKylinService.jpg
>
>
> Apache Kylin is an open source Distributed Analytics Engine designed to 
> provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop 
> supporting extremely large datasets, original contributed from eBay Inc. 
> Apache Kylin lets user query massive data set at sub-second latency in 3 
> steps.
> 1. Identify a Star Schema on Hadoop.
> 2. Build Cube from the identified tables.
> 3. Query with ANSI-SQL and get results in sub-second, via ODBC, JDBC or 
> RESTful API.
> We should support that using Ranger to control kylin's access rights for 
> project and cube.
> Specific implementation plan is as following:
> On the ranger website, administrators can configure policies to control user 
> access to projects and cube permissions.
> Kylin provides an abstract class and authorization interfaces for use by the 
> ranger plugin. kylin instantiates ranger plugin’s implementation class when 
> starting(this class extends the abstract class provided by kylin).
> Ranger plugin periodically polls ranger admin, updates the policy to the 
> local, and updates project and cube access rights based on policy information.
> In the Kylin side:
> 1. Kylin provides an abstract class that enables the ranger plugin's 
> implementation class to extend.
> 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin 
> implementation class's name.
> 3. Instantiate the ranger plugin implementation class when starting kylin.
> 4. kylin provides authorization interfaces for ranger plugin calls.
> 5. According to the ranger authorization configuration item, hide kylin's 
> authorization management page.
> 6. Using ranger manager access rights of the kylin does not affect kylin's 
> existing permissions functions and logic.
> In the Ranger side:
> 1. Ranger plugin will periodically polls ranger admin, updates the policy to 
> the local.
> 2. The ranger plugin invoking the authorization interfaces provided by kylin 
> to updates the project and cube access rights based on the policy information.
> reference link:https://issues.apache.org/jira/browse/KYLIN-2703



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Updated] (RANGER-1672) Ranger supports plugin to enable, monitor and manage apache kylin

2018-03-05 Thread Qiang Zhang (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Qiang Zhang updated RANGER-1672:

Attachment: (was: KylinPolicies.jpg)

> Ranger supports plugin to enable, monitor and manage apache kylin
> -
>
> Key: RANGER-1672
> URL: https://issues.apache.org/jira/browse/RANGER-1672
> Project: Ranger
>  Issue Type: New Feature
>  Components: plugins
>Reporter: Qiang Zhang
>Assignee: Qiang Zhang
>Priority: Major
>  Labels: newbie, patch
> Attachments: NewKylinService.jpg
>
>
> Apache Kylin is an open source Distributed Analytics Engine designed to 
> provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop 
> supporting extremely large datasets, original contributed from eBay Inc. 
> Apache Kylin lets user query massive data set at sub-second latency in 3 
> steps.
> 1. Identify a Star Schema on Hadoop.
> 2. Build Cube from the identified tables.
> 3. Query with ANSI-SQL and get results in sub-second, via ODBC, JDBC or 
> RESTful API.
> We should support that using Ranger to control kylin's access rights for 
> project and cube.
> Specific implementation plan is as following:
> On the ranger website, administrators can configure policies to control user 
> access to projects and cube permissions.
> Kylin provides an abstract class and authorization interfaces for use by the 
> ranger plugin. kylin instantiates ranger plugin’s implementation class when 
> starting(this class extends the abstract class provided by kylin).
> Ranger plugin periodically polls ranger admin, updates the policy to the 
> local, and updates project and cube access rights based on policy information.
> In the Kylin side:
> 1. Kylin provides an abstract class that enables the ranger plugin's 
> implementation class to extend.
> 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin 
> implementation class's name.
> 3. Instantiate the ranger plugin implementation class when starting kylin.
> 4. kylin provides authorization interfaces for ranger plugin calls.
> 5. According to the ranger authorization configuration item, hide kylin's 
> authorization management page.
> 6. Using ranger manager access rights of the kylin does not affect kylin's 
> existing permissions functions and logic.
> In the Ranger side:
> 1. Ranger plugin will periodically polls ranger admin, updates the policy to 
> the local.
> 2. The ranger plugin invoking the authorization interfaces provided by kylin 
> to updates the project and cube access rights based on the policy information.
> reference link:https://issues.apache.org/jira/browse/KYLIN-2703



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Updated] (RANGER-1672) Ranger supports plugin to enable, monitor and manage apache kylin

2018-03-05 Thread Qiang Zhang (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Qiang Zhang updated RANGER-1672:

Attachment: (was: 
0001-RANGER-1672-Ranger-supports-plugin-to-enable-monitor.patch)

> Ranger supports plugin to enable, monitor and manage apache kylin
> -
>
> Key: RANGER-1672
> URL: https://issues.apache.org/jira/browse/RANGER-1672
> Project: Ranger
>  Issue Type: New Feature
>  Components: plugins
>Reporter: Qiang Zhang
>Assignee: Qiang Zhang
>Priority: Major
>  Labels: newbie, patch
> Attachments: NewKylinPolicy.jpg, NewKylinService.jpg
>
>
> Apache Kylin is an open source Distributed Analytics Engine designed to 
> provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop 
> supporting extremely large datasets, original contributed from eBay Inc. 
> Apache Kylin lets user query massive data set at sub-second latency in 3 
> steps.
> 1. Identify a Star Schema on Hadoop.
> 2. Build Cube from the identified tables.
> 3. Query with ANSI-SQL and get results in sub-second, via ODBC, JDBC or 
> RESTful API.
> We should support that using Ranger to control kylin's access rights for 
> project and cube.
> Specific implementation plan is as following:
> On the ranger website, administrators can configure policies to control user 
> access to projects and cube permissions.
> Kylin provides an abstract class and authorization interfaces for use by the 
> ranger plugin. kylin instantiates ranger plugin’s implementation class when 
> starting(this class extends the abstract class provided by kylin).
> Ranger plugin periodically polls ranger admin, updates the policy to the 
> local, and updates project and cube access rights based on policy information.
> In the Kylin side:
> 1. Kylin provides an abstract class that enables the ranger plugin's 
> implementation class to extend.
> 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin 
> implementation class's name.
> 3. Instantiate the ranger plugin implementation class when starting kylin.
> 4. kylin provides authorization interfaces for ranger plugin calls.
> 5. According to the ranger authorization configuration item, hide kylin's 
> authorization management page.
> 6. Using ranger manager access rights of the kylin does not affect kylin's 
> existing permissions functions and logic.
> In the Ranger side:
> 1. Ranger plugin will periodically polls ranger admin, updates the policy to 
> the local.
> 2. The ranger plugin invoking the authorization interfaces provided by kylin 
> to updates the project and cube access rights based on the policy information.
> reference link:https://issues.apache.org/jira/browse/KYLIN-2703



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Updated] (RANGER-1672) Ranger supports plugin to enable, monitor and manage apache kylin

2018-03-05 Thread Qiang Zhang (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Qiang Zhang updated RANGER-1672:

Attachment: (was: KylinPlugins.jpg)

> Ranger supports plugin to enable, monitor and manage apache kylin
> -
>
> Key: RANGER-1672
> URL: https://issues.apache.org/jira/browse/RANGER-1672
> Project: Ranger
>  Issue Type: New Feature
>  Components: plugins
>Reporter: Qiang Zhang
>Assignee: Qiang Zhang
>Priority: Major
>  Labels: newbie, patch
> Attachments: NewKylinService.jpg
>
>
> Apache Kylin is an open source Distributed Analytics Engine designed to 
> provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop 
> supporting extremely large datasets, original contributed from eBay Inc. 
> Apache Kylin lets user query massive data set at sub-second latency in 3 
> steps.
> 1. Identify a Star Schema on Hadoop.
> 2. Build Cube from the identified tables.
> 3. Query with ANSI-SQL and get results in sub-second, via ODBC, JDBC or 
> RESTful API.
> We should support that using Ranger to control kylin's access rights for 
> project and cube.
> Specific implementation plan is as following:
> On the ranger website, administrators can configure policies to control user 
> access to projects and cube permissions.
> Kylin provides an abstract class and authorization interfaces for use by the 
> ranger plugin. kylin instantiates ranger plugin’s implementation class when 
> starting(this class extends the abstract class provided by kylin).
> Ranger plugin periodically polls ranger admin, updates the policy to the 
> local, and updates project and cube access rights based on policy information.
> In the Kylin side:
> 1. Kylin provides an abstract class that enables the ranger plugin's 
> implementation class to extend.
> 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin 
> implementation class's name.
> 3. Instantiate the ranger plugin implementation class when starting kylin.
> 4. kylin provides authorization interfaces for ranger plugin calls.
> 5. According to the ranger authorization configuration item, hide kylin's 
> authorization management page.
> 6. Using ranger manager access rights of the kylin does not affect kylin's 
> existing permissions functions and logic.
> In the Ranger side:
> 1. Ranger plugin will periodically polls ranger admin, updates the policy to 
> the local.
> 2. The ranger plugin invoking the authorization interfaces provided by kylin 
> to updates the project and cube access rights based on the policy information.
> reference link:https://issues.apache.org/jira/browse/KYLIN-2703



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Updated] (RANGER-1672) Ranger supports plugin to enable, monitor and manage apache kylin

2018-03-05 Thread Qiang Zhang (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Qiang Zhang updated RANGER-1672:

Attachment: (was: KylinServiceEntry.jpg)

> Ranger supports plugin to enable, monitor and manage apache kylin
> -
>
> Key: RANGER-1672
> URL: https://issues.apache.org/jira/browse/RANGER-1672
> Project: Ranger
>  Issue Type: New Feature
>  Components: plugins
>Reporter: Qiang Zhang
>Assignee: Qiang Zhang
>Priority: Major
>  Labels: newbie, patch
> Attachments: NewKylinService.jpg
>
>
> Apache Kylin is an open source Distributed Analytics Engine designed to 
> provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop 
> supporting extremely large datasets, original contributed from eBay Inc. 
> Apache Kylin lets user query massive data set at sub-second latency in 3 
> steps.
> 1. Identify a Star Schema on Hadoop.
> 2. Build Cube from the identified tables.
> 3. Query with ANSI-SQL and get results in sub-second, via ODBC, JDBC or 
> RESTful API.
> We should support that using Ranger to control kylin's access rights for 
> project and cube.
> Specific implementation plan is as following:
> On the ranger website, administrators can configure policies to control user 
> access to projects and cube permissions.
> Kylin provides an abstract class and authorization interfaces for use by the 
> ranger plugin. kylin instantiates ranger plugin’s implementation class when 
> starting(this class extends the abstract class provided by kylin).
> Ranger plugin periodically polls ranger admin, updates the policy to the 
> local, and updates project and cube access rights based on policy information.
> In the Kylin side:
> 1. Kylin provides an abstract class that enables the ranger plugin's 
> implementation class to extend.
> 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin 
> implementation class's name.
> 3. Instantiate the ranger plugin implementation class when starting kylin.
> 4. kylin provides authorization interfaces for ranger plugin calls.
> 5. According to the ranger authorization configuration item, hide kylin's 
> authorization management page.
> 6. Using ranger manager access rights of the kylin does not affect kylin's 
> existing permissions functions and logic.
> In the Ranger side:
> 1. Ranger plugin will periodically polls ranger admin, updates the policy to 
> the local.
> 2. The ranger plugin invoking the authorization interfaces provided by kylin 
> to updates the project and cube access rights based on the policy information.
> reference link:https://issues.apache.org/jira/browse/KYLIN-2703



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Updated] (RANGER-1672) Ranger supports plugin to enable, monitor and manage apache kylin

2018-03-05 Thread Qiang Zhang (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Qiang Zhang updated RANGER-1672:

Attachment: (was: KylinAuditLog.jpg)

> Ranger supports plugin to enable, monitor and manage apache kylin
> -
>
> Key: RANGER-1672
> URL: https://issues.apache.org/jira/browse/RANGER-1672
> Project: Ranger
>  Issue Type: New Feature
>  Components: plugins
>Reporter: Qiang Zhang
>Assignee: Qiang Zhang
>Priority: Major
>  Labels: newbie, patch
> Attachments: NewKylinPolicy.jpg, NewKylinService.jpg
>
>
> Apache Kylin is an open source Distributed Analytics Engine designed to 
> provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop 
> supporting extremely large datasets, original contributed from eBay Inc. 
> Apache Kylin lets user query massive data set at sub-second latency in 3 
> steps.
> 1. Identify a Star Schema on Hadoop.
> 2. Build Cube from the identified tables.
> 3. Query with ANSI-SQL and get results in sub-second, via ODBC, JDBC or 
> RESTful API.
> We should support that using Ranger to control kylin's access rights for 
> project and cube.
> Specific implementation plan is as following:
> On the ranger website, administrators can configure policies to control user 
> access to projects and cube permissions.
> Kylin provides an abstract class and authorization interfaces for use by the 
> ranger plugin. kylin instantiates ranger plugin’s implementation class when 
> starting(this class extends the abstract class provided by kylin).
> Ranger plugin periodically polls ranger admin, updates the policy to the 
> local, and updates project and cube access rights based on policy information.
> In the Kylin side:
> 1. Kylin provides an abstract class that enables the ranger plugin's 
> implementation class to extend.
> 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin 
> implementation class's name.
> 3. Instantiate the ranger plugin implementation class when starting kylin.
> 4. kylin provides authorization interfaces for ranger plugin calls.
> 5. According to the ranger authorization configuration item, hide kylin's 
> authorization management page.
> 6. Using ranger manager access rights of the kylin does not affect kylin's 
> existing permissions functions and logic.
> In the Ranger side:
> 1. Ranger plugin will periodically polls ranger admin, updates the policy to 
> the local.
> 2. The ranger plugin invoking the authorization interfaces provided by kylin 
> to updates the project and cube access rights based on the policy information.
> reference link:https://issues.apache.org/jira/browse/KYLIN-2703



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)