[jira] [Commented] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-08-20 Thread Ankit Singhal (JIRA)


[ https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16586453#comment-16586453 ]

Ankit Singhal commented on RANGER-1958:
---

bq. Although the long-term solution for Ranger could be to implement the 
coprocessor hooks for Phoenix as how it has been done for HBase so that we can 
also authorize new entities like VIEW, SEQUENCES, FUNCTIONs (which can not be 
supported with native HBase ACLs) along with Table and Schema.
bq. Ankit Singhal - could you file a Jira for the above? Thanks. 
Yes [~vperiasamy], just created RANGER-2194 for the same.

> [HBase] Implement getUserPermissions API of AccessControlService.Interface to 
> allow clients to access HBase permissions stored in Ranger
> 
>
> Key: RANGER-1958
> URL: https://issues.apache.org/jira/browse/RANGER-1958
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Ankit Singhal
> Assignee: Ankit Singhal
> Priority: Major
> Attachments: RANGER-1958.patch
>
>
> We have added the support of ACLs in Phoenix as part of PHOENIX-4198. 
> Currently, the implementation relies on some of the APIs provided by 
> AccessControlService.Interface to get the user permission of the table but we 
> see that the API "AccessControlService.Interface#getUserPermissions"  is not 
> yet implemented in Ranger authorization module for HBase and thus, we are 
> unable to access permissions stored for HBase Table in Phoenix.
> In class RangerAuthorizationCoprocessor
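> {code}
> // Stub as it currently stands: logs the call and never invokes the callback
> @Override
> public void getUserPermissions(RpcController controller,
>     AccessControlProtos.GetUserPermissionsRequest request,
>     RpcCallback<AccessControlProtos.GetUserPermissionsResponse> done) {
>   LOG.debug("getUserPermissions(): ");
> }
> {code}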
> If we just implement this API, we can leverage the current HBase Ranger 
> plugin for Phoenix too.
> Although the long-term solution for Ranger could be to implement the 
> coprocessor hooks for Phoenix as how it has been done for HBase so that we 
> can also authorize new entities like VIEW, SEQUENCES, FUNCTIONs  (which can 
> not be supported with native HBase ACLs) along with Table and Schema. 
> Let me know your thoughts, I can try to put up a patch soon.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Created] (RANGER-2194) Implement ranger support for Phoenix

2018-08-20 Thread Ankit Singhal (JIRA)
Ankit Singhal created RANGER-2194:
-

 Summary: Implement ranger support for Phoenix
 Key: RANGER-2194
 URL: https://issues.apache.org/jira/browse/RANGER-2194
 Project: Ranger
  Issue Type: New Feature
  Components: plugins
Reporter: Ankit Singhal


Currently, Phoenix relies on HBase coprocessor for authorization but there are 
some logical entities like View, Function, Sequence which cannot be mapped 
directly to entities in HBase and require a separate authorization.

From an implementation perspective, Phoenix also does pre-checks for access 
with the help of coprocessor only.





[jira] [Commented] (RANGER-1958) [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger

2018-08-20 Thread Ankit Singhal (JIRA)


[ https://issues.apache.org/jira/browse/RANGER-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16586360#comment-16586360 ]

Ankit Singhal commented on RANGER-1958:
---

Sorry guys [~abhayk], [~rmani], [~vperiasamy], for not working on this for a long 
time. But now I have made the changes by leveraging getResourceACLs() API exposed by 
RANGER-2061 to implement getUserPermission() API of HBase and updated the 
request for review.
https://reviews.apache.org/r/65950/



Re: Review Request 65950: Add support to allow clients to access resource permissions stored in Ranger

2018-08-20 Thread Ankit Singhal


> On March 7, 2018, 11:31 p.m., Abhay Kulkarni wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
> > Line 384 (original), 384 (patched)
> > 
> >
> > Please consider adding another method with a different signature to get 
> > list of RangerPolicyItemEvaluators, instead of changing signature and 
> > implementation of this critical method.
> > 
> > Signature of new method may look like:
> > 
> > List getDeterminingPolicyItems(String user, 
> > Set userGroups, List accessType);
> > 
> > Then have the caller provide list of all available hbase accessTypes 
> > (they can be figured out from hbase Service-definition).
> > 
> > Method implementation may call getDeterminingPolicyItem for each 
> > accessType to build a list.
> > 
> > This will isolate current implementation from hbase specific changes.
> > 
> > Thanks!

Now using getResourceAcls API from RANGER-2061.


- Ankit


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65950/#review198831
---


On Aug. 20, 2018, 6:14 p.m., Ankit Singhal wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/65950/
> ---
> 
> (Updated Aug. 20, 2018, 6:14 p.m.)
> 
> 
> Review request for ranger and Ramesh Mani.
> 
> 
> Bugs: RANGER-1958
> https://issues.apache.org/jira/browse/RANGER-1958
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> RANGER-1958 [HBase] Implement getUserPermissions API of 
> AccessControlService.Interface to allow clients to access HBase permissions 
> stored in Ranger
> 
> 
> Diffs
> -
> 
>   
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java cdaad00a4
>   hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java d85339a09
>   hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java 38408855d
>   hbase-agent/src/test/resources/hbase-policies.json b7b44c9ea
> 
> 
> Diff: https://reviews.apache.org/r/65950/diff/2/
> 
> 
> Testing
> ---
> 
> Unit testing is done
> 
> 
> Thanks,
> 
> Ankit Singhal
> 
>



Re: Review Request 65950: Add support to allow clients to access resource permissions stored in Ranger

2018-08-20 Thread Ankit Singhal

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65950/
---

(Updated Aug. 20, 2018, 6:14 p.m.)


Review request for ranger and Ramesh Mani.


Changes
---

Now leveraged RANGER-2061 to implement getUserPermissions() API of HBase plugin


Bugs: RANGER-1958
https://issues.apache.org/jira/browse/RANGER-1958


Repository: ranger


Description
---

RANGER-1958 [HBase] Implement getUserPermissions API of 
AccessControlService.Interface to allow clients to access HBase permissions 
stored in Ranger


Diffs (updated)
-

  
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java cdaad00a4
  hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java d85339a09
  hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java 38408855d
  hbase-agent/src/test/resources/hbase-policies.json b7b44c9ea


Diff: https://reviews.apache.org/r/65950/diff/2/

Changes: https://reviews.apache.org/r/65950/diff/1-2/


Testing
---

Unit testing is done


Thanks,

Ankit Singhal



Review Request 68428: RANGER-1935/RANGER-1738 - Upgrade Ranger to support Apache Hadoop 3.0.0

2018-08-20 Thread Colm O hEigeartaigh

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68428/
---

Review request for ranger.


Bugs: RANGER-1935
https://issues.apache.org/jira/browse/RANGER-1935


Repository: ranger


Description
---

Upgrade Ranger to use Apache Hadoop 3.0.0. Some comments:

- KMS reencryptEncryptedKey not implemented.
- HDFS unit test - HDFSContentSummaryTest test failing. @Ignore'd for now, I'll 
create a separate JIRA for this.
- Hive tests commented out - waiting for Hive upgrade task.
- Admin service users not appearing so in the patch it's using the old Hadoop 
jars. I'll create a separate JIRA for this to upgrade it as well.


Diffs
-

  
  agents-audit/src/main/java/org/apache/ranger/audit/utils/InMemoryJAASConfiguration.java 0f291389f
  credentialbuilder/pom.xml 461dcd0b6
  hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/HDFSRangerTest.java a7215ce92
  hive-agent/src/test/java/org/apache/ranger/services/hive/HIVERangerAuthorizerTest.java 7dc5c54b0
  kms/pom.xml 6fc190f35
  kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/EagerKeyGeneratorKeyProviderCryptoExtension.java f853a844b
  kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java be3700ffa
  kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java ada9a56f4
  kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSWebApp.java b2540cb42
  knox-agent/pom.xml 1d8fdae62
  plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java a4de016ea
  pom.xml ae3f4be4c
  ranger-examples/plugin-sampleapp/pom.xml bef0f5c1f
  ranger-storm-plugin-shim/pom.xml 89efe34de
  ranger-yarn-plugin-shim/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java 7b7f1f303
  security-admin/pom.xml 84bbd6650
  src/main/assembly/hbase-agent.xml 3ebc334d1
  src/main/assembly/hdfs-agent.xml 561d13737
  src/main/assembly/hive-agent.xml 03bd31a55
  src/main/assembly/kms.xml 7fbc1410c
  src/main/assembly/knox-agent.xml 8357d4989
  src/main/assembly/plugin-atlas.xml 8f4a64cb6
  src/main/assembly/plugin-kafka.xml 97ff8ad1b
  src/main/assembly/plugin-kms.xml 6d15f2a10
  src/main/assembly/plugin-kylin.xml f4e082007
  src/main/assembly/plugin-solr.xml de30bfb13
  src/main/assembly/plugin-sqoop.xml d2bd69ab3
  src/main/assembly/plugin-yarn.xml c6a48e888
  src/main/assembly/ranger-tools.xml 249de9a2d
  src/main/assembly/storm-agent.xml fdaf67863
  src/main/assembly/tagsync.xml d1b83df42
  src/main/assembly/usersync.xml d170d8c1c
  storm-agent/pom.xml a084e6891
  tagsync/pom.xml e98cf63dc
  ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml d49001a65
  ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfig.java 9a77cedf7
  ugsync/pom.xml f4c24e739
  unixauthclient/pom.xml cd3d15604
  unixauthservice/pom.xml 2c0ed2eef


Diff: https://reviews.apache.org/r/68428/diff/1/


Testing
---

Tested plugins: HDFS, Yarn, Storm (uses Hadoop 2.7.1), Knox, HBase, KMS, Sqoop, 
Kafka, Solr, usersync. Test admin service works OK.


Thanks,

Colm O hEigeartaigh



[jira] [Updated] (RANGER-1935) Upgrade Ranger to support Apache Hadoop 3.0.0

2018-08-20 Thread Colm O hEigeartaigh (JIRA)


[ https://issues.apache.org/jira/browse/RANGER-1935?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated RANGER-1935:

Attachment: 0001-RANGER-1935-Upgrade-Ranger-to-support-Apache-Hadoop-.patch

> Upgrade Ranger to support Apache Hadoop 3.0.0
> -
>
> Key: RANGER-1935
> URL: https://issues.apache.org/jira/browse/RANGER-1935
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Reporter: Colm O hEigeartaigh
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 2.0.0
>
> Attachments: 0001-RANGER-1935-Upgrade-Ranger-to-support-Apache-Hadoop-.patch, 
> 0001-RANGER-1935-Upgrade-Ranger-to-support-Apache-Hadoop-.patch
>
>
> This task is to upgrade Ranger to support Apache Hadoop 3.0.0. Here are some 
> notes about the upgrade:
> a) The Hive plugin needs the Hadoop 3.0.0 jars to run the tests properly, as 
> Hive only supports the older Hadoop version, so an exclusion and some 
> additional 3.0.0 dependencies need to be added.
> b) The Storm plugin bundles the hadoop-auth jars in storm-core (although they 
> really should be renamed here). Therefore, we have no option but to package 
> Storm with the Hadoop 2.7.x jars, until such time that Storm upgrades the 
> Hadoop dependency.
> This is an initial patch to get some feedback. If there is broad agreement on 
> the upgrade I will test the distributions properly.


