Re: Review Request 73367: RANGER-3294:AccessResult attribute with isAudited as false not filtered in Ranger Audit Filter

2021-05-27 Thread Ramesh Mani

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73367/
---

(Updated May 27, 2021, 11:15 p.m.)


Review request for ranger, Don Bosco Durai, Abhay Kulkarni, Madhan Neethiraj, 
Mehul Parikh, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan 
Periasamy.


Changes
---

Fixed review comments


Bugs: RANGER-3294
https://issues.apache.org/jira/browse/RANGER-3294


Repository: ranger


Description
---

RANGER-3294:AccessResult attribute with isAudited as false not filtered in 
Ranger Audit Filter


Diffs (updated)
-

  agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerPluginConfig.java 7b34f77da
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java ecfc9ad14
  agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 4d7fb6c87
  hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java 539d4c148
  plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java 1f965823c


Diff: https://reviews.apache.org/r/73367/diff/2/

Changes: https://reviews.apache.org/r/73367/diff/1-2/


Testing (updated)
---

- Verified in local VM for audit filter to filter out Allow and deny request in 
Hive.
- Verified YARN and HDFS fallback and audit related to it.


Thanks,

Ramesh Mani



Review Request 73389: RANGER-3299 : Upgrading the bouncycastle version for bcprov-jdk15on

2021-05-27 Thread Dhaval Shah

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73389/
---

Review request for ranger, bhavik patel, Dineshkumar Yadav, Jayendra Parab, 
Kishor Gollapalliwar, Abhay Kulkarni, Mehul Parikh, Ramesh Mani, and Velmurugan 
Periasamy.


Bugs: RANGER-3299
https://issues.apache.org/jira/browse/RANGER-3299


Repository: ranger


Description
---

Ranger is pulling in bcprov-jdk15on 1.59
./usr/lib/ranger-kms/ews/webapp/lib/bcprov-jdk15on-1.59.jar

It will be good to upgrade it to 1.68 to avoid any security issue.


Diffs
-

  pom.xml e508dd1f8 


Diff: https://reviews.apache.org/r/73389/diff/1/


Testing
---

1.) Build Succeeded.
2.) Ranger KMS is fetching the bcprov-jdk15on-1.68.jar


Thanks,

Dhaval Shah



[jira] [Updated] (RANGER-3299) Upgrading the bouncycastle version for bcprov-jdk15on

2021-05-27 Thread Dhaval Shah (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dhaval Shah updated RANGER-3299:

Description: 
Ranger is pulling in bcprov-jdk15on 1.59
./usr/lib/ranger-kms/ews/webapp/lib/bcprov-jdk15on-1.59.jar

It will be good to upgrade it to 1.68 to avoid any security issue.

  was:
Ranger is pulling in bcprov-jdk15on 1.61 
./usr/lib/ranger-kms/ews/webapp/lib/bcprov-jdk15on-1.61.jar

It will be good to upgrade it to 1.68 to avoid any security issue.


> Upgrading the bouncycastle version for bcprov-jdk15on
> -
>
> Key: RANGER-3299
> URL: https://issues.apache.org/jira/browse/RANGER-3299
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Reporter: Dhaval Shah
> Assignee: Dhaval Shah
> Priority: Major
> Fix For: 3.0.0, 2.2.0
>
>
> Ranger is pulling in bcprov-jdk15on 1.59
> ./usr/lib/ranger-kms/ews/webapp/lib/bcprov-jdk15on-1.59.jar
> It will be good to upgrade it to 1.68 to avoid any security issue.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Updated] (RANGER-3299) Upgrading the bouncycastle version for bcprov-jdk15on

2021-05-27 Thread Dhaval Shah (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dhaval Shah updated RANGER-3299:

Fix Version/s: 2.2.0

> Upgrading the bouncycastle version for bcprov-jdk15on
> -
>
> Key: RANGER-3299
> URL: https://issues.apache.org/jira/browse/RANGER-3299
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Reporter: Dhaval Shah
> Assignee: Dhaval Shah
> Priority: Major
> Fix For: 2.2.0
>
>
> Ranger is pulling in bcprov-jdk15on 1.61 
> ./usr/lib/ranger-kms/ews/webapp/lib/bcprov-jdk15on-1.61.jar
> It will be good to upgrade it to 1.68 to avoid any security issue.





[jira] [Updated] (RANGER-3299) Upgrading the bouncycastle version for bcprov-jdk15on

2021-05-27 Thread Dhaval Shah (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dhaval Shah updated RANGER-3299:

Fix Version/s: 3.0.0

> Upgrading the bouncycastle version for bcprov-jdk15on
> -
>
> Key: RANGER-3299
> URL: https://issues.apache.org/jira/browse/RANGER-3299
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Reporter: Dhaval Shah
> Assignee: Dhaval Shah
> Priority: Major
> Fix For: 3.0.0, 2.2.0
>
>
> Ranger is pulling in bcprov-jdk15on 1.61 
> ./usr/lib/ranger-kms/ews/webapp/lib/bcprov-jdk15on-1.61.jar
> It will be good to upgrade it to 1.68 to avoid any security issue.





[jira] [Created] (RANGER-3299) Upgrading the bouncycastle version for bcprov-jdk15on

2021-05-27 Thread Dhaval Shah (Jira)
Dhaval Shah created RANGER-3299:
---

Summary: Upgrading the bouncycastle version for bcprov-jdk15on
Key: RANGER-3299
URL: https://issues.apache.org/jira/browse/RANGER-3299
Project: Ranger
Issue Type: Improvement
Components: Ranger
Reporter: Dhaval Shah
Assignee: Dhaval Shah


Ranger is pulling in bcprov-jdk15on 1.61 
./usr/lib/ranger-kms/ews/webapp/lib/bcprov-jdk15on-1.61.jar

It will be good to upgrade it to 1.68 to avoid any security issue.





Re: Review Request 73344: RANGER-3231 Ranger should use kafka Authorizer from KIP-504

2021-05-27 Thread Chia-Ping Tsai


> On May 18, 2021, 6:25 a.m., Ramesh Mani wrote:
> > plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
> > Line 176 (original), 231 (patched)
> > 
> >
> > Can resourcePattern() be null? Please check.
> 
> Chia-Ping Tsai wrote:
> 
> https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/server/authorizer/Authorizer.java#L181
> 
> https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/AuthHelper.scala#L48
> 
> https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/AuthHelper.scala#L63
> 
> https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/AuthHelper.scala#L122
> 
> I have checked all usages and there is no null. Also, the fields in 
> ResourcePattern are not null (see 
> https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/resource/ResourcePattern.java#L48)

BTW, I have filed a patch to kafka to make sure the field is NOT null (see 
https://github.com/apache/kafka/pull/10764)


- Chia-Ping


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73344/#review223006
---


On May 18, 2021, 4:16 a.m., Chia-Ping Tsai wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73344/
> ---
> 
> (Updated May 18, 2021, 4:16 a.m.)
> 
> 
> Review request for ranger.
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> As described in the KIP, `org.apache.kafka.server.authorizer.Authorizer` is 
> an improvement over `kafka.security.auth.Authorizer` and it's a pure Java 
> interface (instead of Scala).
> `kafka.security.auth.Authorizer` has been deprecated since December 2019 and 
> it will be removed in Apache Kafka 3.0 (roughly planned for July/August).
> See the KIP for more details:
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-504+-+Add+new+Java+Authorizer+Interface
> 
> 
> Diffs
> -
> 
>   plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java 2a1b812e0
>   ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java 9d72ae0c8
> 
> 
> Diff: https://reviews.apache.org/r/73344/diff/2/
> 
> 
> Testing
> ---
> 
> Ran `mvn clean test` and all tests pass on my local machine.
> 
> 
> File Attachments
> 
> 
> RANGER-3231.v1.patch
>   
> https://reviews.apache.org/media/uploaded/files/2021/05/18/4e2f190f-c871-4115-b554-0e6041a5a5a6__RANGER-3231.v1.patch
> 
> 
> Thanks,
> 
> Chia-Ping Tsai
> 
>



[GitHub] [ranger] symious opened a new pull request #101: RANGER-3298. Add coarse option for Hive URI permission check

2021-05-27 Thread GitBox


symious opened a new pull request #101:
URL: https://github.com/apache/ranger/pull/101


   In `RangerHiveAuthorizer`, the function of `checkPrivileges` will check the 
permission for the `HivePrivilegeObject` with 
`FileUtils.isActionPermittedForFileHierarchy`, and this method will check the 
permission for all the files under the related directory by default.
   
   For a large table with thousands of files, this operation will take a long 
time, leading to breaking the SLA. Besides, in the default implementation of 
`StorageBasedAuthorizationProvider` in Hive, only the directories will be 
checked too. 
   
   This ticket is to add a config for users to do a coarse check for URI 
permission check. 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org




[jira] [Created] (RANGER-3298) Add coarse URI check for Hive Agent

2021-05-27 Thread Janus Chow (Jira)
Janus Chow created RANGER-3298:
--

Summary: Add coarse URI check for Hive Agent
Key: RANGER-3298
URL: https://issues.apache.org/jira/browse/RANGER-3298
Project: Ranger
Issue Type: Improvement
Components: plugins
Reporter: Janus Chow


In `RangerHiveAuthorizer`, the function of `checkPrivileges` will check the 
permission for the `HivePrivilegeObject` with 
`FileUtils.isActionPermittedForFileHierarchy`, and this method will check the 
permission for all the files under the related directory by default.

For a large table with thousands of files, this operation will take a long 
time, leading to breaking the SLA. Besides, in the default implementation of 
`StorageBasedAuthorizationProvider` in Hive, only the directories will be 
checked too. 

This ticket is to add a config for users to do a coarse check for URI 
permission check. 





[jira] [Updated] (RANGER-3253) Make incremental policy change computation more resilient

2021-05-27 Thread Velmurugan Periasamy (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-3253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-3253:
-
Fix Version/s: 2.2.0
   3.0.0

> Make incremental policy change computation more resilient
> -
>
> Key: RANGER-3253
> URL: https://issues.apache.org/jira/browse/RANGER-3253
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Abhay Kulkarni
> Assignee: Abhay Kulkarni
> Priority: Major
> Fix For: 3.0.0, 2.2.0
>
>
> Ranger admin, when incremental policies are enabled, retrieves changes to 
> policies from database since last provided policy-version and applies these 
> changes on the cached policies to compute new set of policies. This 
> computation needs to be more resilient - for example - if a change suggests 
> that a policy is created, but it already exists in the policy-cache, then it 
> should not be added again.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
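
The resilience rule described in RANGER-3253 above (a replayed create must not add a policy that is already cached), sketched as an added Java 17 example that is not Ranger's code. The `Policy` and `Delta` types, the version comparison and the upsert for an unknown id are assumptions made for illustration.

```java
import java.util.*;

// Hypothetical types for illustration only; these are not Ranger's classes.
public class PolicyDeltaDemo {
    enum ChangeType { CREATE, UPDATE, DELETE }

    record Policy(long id, long version, String name) {}
    record Delta(ChangeType type, Policy policy) {}

    /** Applies deltas to a copy of the cache and tolerates replayed or stale changes. */
    static Map<Long, Policy> apply(Map<Long, Policy> cache, List<Delta> deltas) {
        Map<Long, Policy> out = new LinkedHashMap<>(cache);
        for (Delta d : deltas) {
            Policy p = d.policy();
            Policy existing = out.get(p.id());
            switch (d.type()) {
                case CREATE, UPDATE -> {
                    // Keyed by policy id, so a CREATE for a cached id cannot add a
                    // second copy; an older or equal version is ignored (assumption).
                    if (existing == null || existing.version() < p.version()) {
                        out.put(p.id(), p);
                    }
                }
                // Deleting an id that is already absent is a no-op.
                case DELETE -> out.remove(p.id());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Map<Long, Policy> cache = new LinkedHashMap<>();
        cache.put(1L, new Policy(1, 3, "hive-db-read"));
        List<Delta> deltas = List.of(
            new Delta(ChangeType.CREATE, new Policy(1, 3, "hive-db-read")), // replayed create
            new Delta(ChangeType.UPDATE, new Policy(2, 1, "hdfs-tmp")),     // update for unknown id
            new Delta(ChangeType.DELETE, new Policy(9, 1, "gone")),         // delete of absent id
            new Delta(ChangeType.UPDATE, new Policy(1, 2, "stale")));       // stale version
        Map<Long, Policy> result = apply(cache, deltas);
        // Policy 1 stays at version 3 exactly once; policy 2 is added; id 9 is ignored.
        System.out.println(result.values());
    }
}
```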


[GitHub] [ranger] martin-g commented on pull request #96: RANGER-3243 Fix build due to hive exec and JDK 8 specific class

2021-05-27 Thread GitBox


martin-g commented on pull request #96:
URL: https://github.com/apache/ranger/pull/96#issuecomment-849586396


   @rameeshm I've created a few JIRA tickets and ReviewBoards with improvements 
but so far I have not had any feedback. Did I do everything properly?
   https://issues.apache.org/jira/browse/RANGER-3243
   https://issues.apache.org/jira/browse/RANGER-3244
   https://issues.apache.org/jira/browse/RANGER-3245






[jira] [Commented] (RANGER-2693) Authorize new Hive Operations in RangerHiveAuthorizer

2021-05-27 Thread zhangbutao (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-2693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17352347#comment-17352347
 ] 

zhangbutao commented on RANGER-2693:


Any update?

> Authorize new Hive Operations in RangerHiveAuthorizer
> -
>
> Key: RANGER-2693
> URL: https://issues.apache.org/jira/browse/RANGER-2693
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 2.1.0
> Reporter: Ramesh Mani
> Assignee: Ramesh Mani
> Priority: Minor
>
> Authorize new Hive Operations in RangerHiveAuthorizer. 
> Following operations are newly added and ranger should authorize those.
> CREATE_SCHEDULED_QUERY
> ALTER_SCHEDULED_QUERY
> DROP_SCHEDULED_QUERY


