[jira] [Updated] (RANGER-2728) Upgrade guava library version to 28.1
[ https://issues.apache.org/jira/browse/RANGER-2728?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Pradeep Agrawal updated RANGER-2728: Summary: Upgrade guava library version to 28.1 (was: Upgrade guava library version) > Upgrade guava library version to 28.1 > - > > Key: RANGER-2728 > URL: https://issues.apache.org/jira/browse/RANGER-2728 > Project: Ranger > Issue Type: Bug > Components: Ranger >Affects Versions: 2.1.0 >Reporter: Pradeep Agrawal >Assignee: Pradeep Agrawal >Priority: Major > Fix For: 2.1.0 > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (RANGER-2728) Upgrade guava library version
Pradeep Agrawal created RANGER-2728: --- Summary: Upgrade guava library version Key: RANGER-2728 URL: https://issues.apache.org/jira/browse/RANGER-2728 Project: Ranger Issue Type: Bug Components: Ranger Affects Versions: 2.1.0 Reporter: Pradeep Agrawal Assignee: Pradeep Agrawal Fix For: 2.1.0 -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (RANGER-2722) policies/hive/for-resource api call is returning deleted policies
[ https://issues.apache.org/jira/browse/RANGER-2722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034845#comment-17034845 ] Abhay Kulkarni commented on RANGER-2722: Additional commit details: master: [https://github.com/apache/ranger/commit/e9959c0c0b41684eace583cb3a68afa5ee97d7c5] > policies/hive/for-resource api call is returning deleted policies > - > > Key: RANGER-2722 > URL: https://issues.apache.org/jira/browse/RANGER-2722 > Project: Ranger > Issue Type: Bug > Components: Ranger >Affects Versions: master >Reporter: suja s >Assignee: Abhay Kulkarni >Priority: Major > Fix For: master, 2.1.0 > > > Scenario: > 1. Create a policy in a hive service for database='testdb1'. > 2. Ensure that no tag service is associated with this hive service. > 3. Delete all policies from the hive service. > Although, a get call to fetch all policies in ranger does not return any > policy for hive service, an api call > /service/public/v2/api/policies/hive/for-resource?resource:database='testdb1' > returns deleted policies. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (RANGER-2722) policies/hive/for-resource api call is returning deleted policies
[ https://issues.apache.org/jira/browse/RANGER-2722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034843#comment-17034843 ] Abhay Kulkarni commented on RANGER-2722: Additional commit to fix similar issue in the plugin side. Patch is available at the review board: [https://reviews.apache.org/r/72115/] > policies/hive/for-resource api call is returning deleted policies > - > > Key: RANGER-2722 > URL: https://issues.apache.org/jira/browse/RANGER-2722 > Project: Ranger > Issue Type: Bug > Components: Ranger >Affects Versions: master >Reporter: suja s >Assignee: Abhay Kulkarni >Priority: Major > Fix For: master, 2.1.0 > > > Scenario: > 1. Create a policy in a hive service for database='testdb1'. > 2. Ensure that no tag service is associated with this hive service. > 3. Delete all policies from the hive service. > Although, a get call to fetch all policies in ranger does not return any > policy for hive service, an api call > /service/public/v2/api/policies/hive/for-resource?resource:database='testdb1' > returns deleted policies. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (RANGER-2727) Ghost policy occurs in plugin when creating and getting policies concurrently
[
https://issues.apache.org/jira/browse/RANGER-2727?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034818#comment-17034818
]
Velmurugan Periasamy commented on RANGER-2727:
--
[~stigahuang] - it might be related to deltas. Did you set
ranger.admin.supports.policy.deltas to false and try? CC [~abhayk]
> Ghost policy occurs in plugin when creating and getting policies concurrently
> -
>
> Key: RANGER-2727
> URL: https://issues.apache.org/jira/browse/RANGER-2727
> Project: Ranger
> Issue Type: Bug
> Components: admin
>Reporter: Quanlong Huang
>Assignee: Quanlong Huang
>Priority: Major
> Attachments: create_delete_policy.py
>
>
> Attached a python script to reproduce this issue. It creates and deletes 10
> column masking policies repeatedly. Run it and refresh column masking
> policies in Hive service in Ranger Admin UI. Some policies won't be deleted
> after several rounds.
> Delete them manually in Ranger Admin UI will get an error as
> org.apache.ranger.plugin.model.RangerPolicy :Data Not Found for given Id
> Can't neither view them nor edit them. The web UI will hang. Ranger logs
> reveal the same error:
> {code}
> 2020-02-10 03:08:05,597 [http-bio-6080-exec-2] INFO
> org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:63) - Request
> failed. loginId=admin, logMessage=org.apache.ranger.plugin.model.RangerPolicy
> :Data Not Found for given Id
> javax.ws.rs.WebApplicationException
> at
> org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:56)
> at
> org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:301)
> at
> org.apache.ranger.service.RangerBaseModelService.read(RangerBaseModelService.java:240)
> at
> org.apache.ranger.biz.ServiceDBStore.getPolicy(ServiceDBStore.java:2171)
> at org.apache.ranger.rest.ServiceREST.getPolicy(ServiceREST.java:1829)
> at
> org.apache.ranger.rest.ServiceREST$$FastClassBySpringCGLIB$$92dab672.invoke()
> at
> org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
> at
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:736)
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
> at
> org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
> at
> org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282)
> at
> org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
> at
> org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:671)
> at
> org.apache.ranger.rest.ServiceREST$$EnhancerBySpringCGLIB$$315c4133.getPolicy()
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
> com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
> at
> com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
> at
> com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
> at
> com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
> at
> com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
> at
> com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
> at
> com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
> at
> com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
> at
> com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1542)
> at
> com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1473)
> at
> com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1419)
> at
>
Re: Review Request 72106: RANGER-2718: Utility to update user and group names in stored policy json
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/72106/#review219550 --- Ship it! Ship It! - Velmurugan Periasamy On Feb. 10, 2020, 5:28 p.m., Pradeep Agrawal wrote: > > --- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/72106/ > --- > > (Updated Feb. 10, 2020, 5:28 p.m.) > > > Review request for ranger. > > > Bugs: RANGER-2718 > https://issues.apache.org/jira/browse/RANGER-2718 > > > Repository: ranger > > > Description > --- > > **Problem Statement:** When The case conversion property to syncs > users/groups is changed then in the ranger admin user/group names get updated > but the user/group is not updated in policy json. > > **Proposed solution:** A standalone utility can be added to update the users > and groups name in the policy json as they(existing user/groups) appear in > ranger db. > > > **Note:** > There could be few other issues while syncing users with diffrent case but > the below ones are not covered in this patch. > 1) user name case was changed in x_user table but not in the x_portal_user > table. > 2) user name case may not change if user is added in the security zone. > 5) Behaviour might be different in different DB flavours. > 6) user/group name in service config may not change > > > Diffs > - > > security-admin/scripts/updateUserAndGroupNamesInJson.py PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/patch/cliutil/UpdateUserAndGroupNamesInJson.java > PRE-CREATION > > > Diff: https://reviews.apache.org/r/72106/diff/1/ > > > Testing > --- > > applied the patch in the master branch and built it. > > untar the generated ranger--admin.tar.gz file. > > updated install.properties and run the setup.sh with old ranger db name, > username and related credentials > > run the command 'python updateUserAndGroupNamesInJson.py' > > Utility should update the user and groups name in the policy json as > they(existing user/groups) appears in UI > > > Thanks, > > Pradeep Agrawal > >
Re: Review Request 72115: RANGER-2722: policies/hive/for-resource api call is returning deleted policies
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/72115/#review219549 --- Ship it! Ship It! - Velmurugan Periasamy On Feb. 11, 2020, 6:55 p.m., Abhay Kulkarni wrote: > > --- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/72115/ > --- > > (Updated Feb. 11, 2020, 6:55 p.m.) > > > Review request for ranger, Madhan Neethiraj, Ramesh Mani, and Velmurugan > Periasamy. > > > Bugs: RANGER-2722 > https://issues.apache.org/jira/browse/RANGER-2722 > > > Repository: ranger > > > Description > --- > > This patch addresses another manifestation of the same underlying issue but > on the plugin side. > > > Diffs > - > > > agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java > 75fbd64fd > > > Diff: https://reviews.apache.org/r/72115/diff/1/ > > > Testing > --- > > Tested with a Hive service in a cluster. After deleting the last policy, > ensured that the policy engine is rebuilt within the plugin with no policies. > Ensured that any access requests are denied with this policy engine. > > > Thanks, > > Abhay Kulkarni > >
Re: Review Request 72115: RANGER-2722: policies/hive/for-resource api call is returning deleted policies
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/72115/#review219548 --- Ship it! Ship It! - Madhan Neethiraj On Feb. 11, 2020, 6:55 p.m., Abhay Kulkarni wrote: > > --- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/72115/ > --- > > (Updated Feb. 11, 2020, 6:55 p.m.) > > > Review request for ranger, Madhan Neethiraj, Ramesh Mani, and Velmurugan > Periasamy. > > > Bugs: RANGER-2722 > https://issues.apache.org/jira/browse/RANGER-2722 > > > Repository: ranger > > > Description > --- > > This patch addresses another manifestation of the same underlying issue but > on the plugin side. > > > Diffs > - > > > agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java > 75fbd64fd > > > Diff: https://reviews.apache.org/r/72115/diff/1/ > > > Testing > --- > > Tested with a Hive service in a cluster. After deleting the last policy, > ensured that the policy engine is rebuilt within the plugin with no policies. > Ensured that any access requests are denied with this policy engine. > > > Thanks, > > Abhay Kulkarni > >
Review Request 72115: RANGER-2722: policies/hive/for-resource api call is returning deleted policies
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/72115/ --- Review request for ranger, Madhan Neethiraj, Ramesh Mani, and Velmurugan Periasamy. Bugs: RANGER-2722 https://issues.apache.org/jira/browse/RANGER-2722 Repository: ranger Description --- This patch addresses another manifestation of the same underlying issue but on the plugin side. Diffs - agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 75fbd64fd Diff: https://reviews.apache.org/r/72115/diff/1/ Testing --- Tested with a Hive service in a cluster. After deleting the last policy, ensured that the policy engine is rebuilt within the plugin with no policies. Ensured that any access requests are denied with this policy engine. Thanks, Abhay Kulkarni
[jira] [Commented] (RANGER-2727) Ghost policy occurs in plugin when creating and getting policies concurrently
[
https://issues.apache.org/jira/browse/RANGER-2727?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034437#comment-17034437
]
Quanlong Huang commented on RANGER-2727:
I can't reproduce it in the master branch. I think the configuration maters but
I don't know how to dump the whole set of configs of Ranger Admin. Is it
doable? Is there a page like the /conf page of NameNode or HiveServer2?
I'm confused that In my local branch, "ranger.admin.supports.policy.deltas" is
true (shown in the debug logs). But it's not explicitly set in either
ranger-admin-default-site.xml or ranger-admin-site.xml. Are there other places
that we can set this?
I think there may be other config options need to be set to reproduce this
issue.
> Ghost policy occurs in plugin when creating and getting policies concurrently
> -
>
> Key: RANGER-2727
> URL: https://issues.apache.org/jira/browse/RANGER-2727
> Project: Ranger
> Issue Type: Bug
> Components: admin
>Reporter: Quanlong Huang
>Assignee: Quanlong Huang
>Priority: Major
> Attachments: create_delete_policy.py
>
>
> Attached a python script to reproduce this issue. It creates and deletes 10
> column masking policies repeatedly. Run it and refresh column masking
> policies in Hive service in Ranger Admin UI. Some policies won't be deleted
> after several rounds.
> Delete them manually in Ranger Admin UI will get an error as
> org.apache.ranger.plugin.model.RangerPolicy :Data Not Found for given Id
> Can't neither view them nor edit them. The web UI will hang. Ranger logs
> reveal the same error:
> {code}
> 2020-02-10 03:08:05,597 [http-bio-6080-exec-2] INFO
> org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:63) - Request
> failed. loginId=admin, logMessage=org.apache.ranger.plugin.model.RangerPolicy
> :Data Not Found for given Id
> javax.ws.rs.WebApplicationException
> at
> org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:56)
> at
> org.apache.ranger.common.RESTErrorUtil.createRESTException(RESTErrorUtil.java:301)
> at
> org.apache.ranger.service.RangerBaseModelService.read(RangerBaseModelService.java:240)
> at
> org.apache.ranger.biz.ServiceDBStore.getPolicy(ServiceDBStore.java:2171)
> at org.apache.ranger.rest.ServiceREST.getPolicy(ServiceREST.java:1829)
> at
> org.apache.ranger.rest.ServiceREST$$FastClassBySpringCGLIB$$92dab672.invoke()
> at
> org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
> at
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:736)
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
> at
> org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
> at
> org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282)
> at
> org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
> at
> org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:671)
> at
> org.apache.ranger.rest.ServiceREST$$EnhancerBySpringCGLIB$$315c4133.getPolicy()
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
> com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
> at
> com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
> at
> com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
> at
> com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
> at
> com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
> at
> com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
> at
> com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
> at
>
[jira] [Commented] (RANGER-2705) Group sync does does not parse DNs properly
[
https://issues.apache.org/jira/browse/RANGER-2705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034265#comment-17034265
]
Lars Francke commented on RANGER-2705:
--
Thanks for looking at this [~spolavarapu].
Yes, we're using groupSearchFirstEnabled because we only want to retrieve a
particular set of groups (I have to admit that I already forgot some of the
details but I can check again next week). If we do not use groupSearchFirst
Usersync retrieves all groups for the users and those go into the thousands
with this customer. So we'd like to do it the other way around: Only sync a
subset of groups.
"Francke\, Lars" is the DN but what we'd really like/need is the
"sAMAccountName". So this issue is only step one and I haven't checked whether
Ranger supports the next step. It now needs to map those DNs to the full user
names it retrieved from the user search and then look up their proper user name.
I hope that helps? If not I'm back with the customer next week and can check on
it then and provide a more detailed response.
> Group sync does does not parse DNs properly
> ---
>
> Key: RANGER-2705
> URL: https://issues.apache.org/jira/browse/RANGER-2705
> Project: Ranger
> Issue Type: Bug
> Components: usersync
>Reporter: Lars Francke
>Priority: Major
>
> When we have enabled user & group search
> ({{ranger.usersync.group.search.first.enabled}} = false) we expect Ranger to
> get the groups and its members and compare them to what already exists.
> Our DN/CN looks like this:
> {code:java}
> CN=Francke\, Lars,OU=bla bla.
> {code}
> Our CN contains a comma but the {{getShortUserName}} method in
> {{LdapDeltaUserGroupBuilder}} has this piece of code:
> {code:java}
> StringTokenizer stc = new StringTokenizer(longUserName, ",");
> String firstToken = stc.nextToken();{code}
> The intention is that it gets the "{{CN=Francke\, Lars}}" part (the first
> part of the comma-separated DN) but that doesn't work if that contains a
> comma itself. It is escaped but Ranger just splits at the comma. That's
> definitely a bug. It should use the {{LdapName}} class instead and/or parse
> according to the RFC 2253 but maybe even that is wrong what it really should
> probably do is the same as user sync?
> This way we currently cannot use (incremental) group sync at all because if
> we do we don't get any groups at all as the user search doesn't take its own
> groups when group sync is also enabled (this was another surprise).
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
