[jira] [Commented] (RANGER-3778) Kerberos Login cause NullPointerException
[ https://issues.apache.org/jira/browse/RANGER-3778?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17551884#comment-17551884 ]

kirby zhou commented on RANGER-3778:
------------------------------------

I have not got your point. I have deleted "import javax.servlet.http.cookie;" in patch rev 2.

> Kerberos Login cause NullPointerException
> -----------------------------------------
>
> Key: RANGER-3778
> URL: https://issues.apache.org/jira/browse/RANGER-3778
> Project: Ranger
> Issue Type: Bug
> Components: admin
> Affects Versions: 3.0.0, 2.3.0
> Reporter: kirby zhou
> Priority: Blocker
> Attachments: Screen Shot 2022-05-30 at 10.56.26 AM.png, image-2022-06-01-21-10-04-463.png, image-2022-06-01-21-11-21-408.png, image-2022-06-01-21-12-30-661.png, kirbyconf.tar.gz
>
>
> Related to RANGER-3737
> I found NullPointerException happens again with Kerberos login; this time it is due to sessionMgr.
> The reason is that sometimes RangerAuthenticationProvider is not managed by Spring but created by new in RangerKRBAuthenticationFilter
> {code:java}
> RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider();
> Authentication authentication = authenticationProvider.authenticate(finalAuthentication);
> {code}
> Only beans managed by Spring are ensured to auto-wire their members. So in that situation, userMgr and sessionMgr are both null.
> But I do not know why we call authenticationProvider.authenticate here.
> I have traced the code. After a series of condition judgments, the authentication object passed in was returned finally without any modification. And nothing happens such as registering a new session or accessing the database... Because at that point, the user is already authenticated by Kerberos.
> Something like this should work
> {code:java}
> --- > a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java > +++ > b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java 
> @@ -297,9 +297,7 @@ protected void doFilter(FilterChain filterChain, > final Authentication > finalAuthentication = new UsernamePasswordAuthenticationToken(principal, "", > grantedAuths); > WebAuthenticationDetails webDetails = > new WebAuthenticationDetails(request); > ((AbstractAuthenticationToken) > finalAuthentication).setDetails(webDetails); > - RangerAuthenticationProvider > authenticationProvider = new RangerAuthenticationProvider(); > - Authentication authentication = > authenticationProvider.authenticate(finalAuthentication); > - authentication = > getGrantedAuthority(authentication); > + Authentication authentication = > getGrantedAuthority(finalAuthentication); > if (authentication != null && > authentication.isAuthenticated()) { > if > (request.getParameterMap().containsKey("doAs")) { > if > (!response.isCommitted()) { > {code} > Just for discuss > -- This message was sent by Atlassian Jira (v8.20.7#820007)
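Review bot: In the @@ -297,9 +297,7 @@ hunk of doFilter, the new line passes finalAuthentication straight to getGrantedAuthority, and nothing in the code now records why the provider call was safe to drop. Add a short comment above `Authentication authentication = getGrantedAuthority(finalAuthentication);` stating that the principal has already been authenticated by Kerberos at this point, and check whether the RangerAuthenticationProvider import in RangerKRBAuthenticationFilter.java is still used once the `new RangerAuthenticationProvider()` line is gone. The retained `authentication != null && authentication.isAuthenticated()` check now depends only on what getGrantedAuthority returns, so the Kerberos login path deserves a test that exercises it.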
[jira] [Resolved] (RANGER-3752) Restrict duplicate access types entries in policy creation
[ https://issues.apache.org/jira/browse/RANGER-3752?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pradeep Agrawal resolved RANGER-3752.
------------------------------------
Resolution: Fixed

[~kirbyzhou] : create another Jira and attach your proposed patch if you have any issue with this. Resolving this now.

> Restrict duplicate access types entries in policy creation
> ----------------------------------------------------------
>
> Key: RANGER-3752
> URL: https://issues.apache.org/jira/browse/RANGER-3752
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Pradeep Agrawal
> Assignee: Pradeep Agrawal
> Priority: Major
> Fix For: 3.0.0
>
> Attachments: 0001-RANGER-3752-Restrict-duplicate-access-types-entries-.patch
[jira] [Commented] (RANGER-3739) Add JWT filter in Ranger Admin
[ https://issues.apache.org/jira/browse/RANGER-3739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17551667#comment-17551667 ]

Kishor Gollapalliwar commented on RANGER-3739:
----------------------------------------------

RR follow-up patch: https://reviews.apache.org/r/74014/

> Add JWT filter in Ranger Admin
> ------------------------------
>
> Key: RANGER-3739
> URL: https://issues.apache.org/jira/browse/RANGER-3739
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Reporter: Kishor Gollapalliwar
> Assignee: Kishor Gollapalliwar
> Priority: Major
> Fix For: 3.0.0
>
>
> Add JWT auth filter in Ranger Admin, which authenticates browser & non-browser JWT requests without altering existing authentication filters.
> The existing authorization process must be altered to incorporate the following cases
> |*Token*|*SSO Enabled*|*First Authorizer / Filter*|
> |Present|Yes|RangerSSOAuthenticationFilter|
> |Absent|Yes|RangerSSOAuthenticationFilter|
> |Present|No|RangerJwtAuthFilter ({*}NEW{*})|
> |Absent|No|RangerJwtAuthFilter ({*}NEW{*})|
Review Request 74014: RANGER-3739: Add JWT filter in Ranger Admin
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74014/
-----------------------------------------------------------

Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, Vishal Suvagia, and Velmurugan Periasamy.


Repository: ranger


Description
-------

Add JWT auth filter in Ranger Admin, which authenticates browser & non-browser JWT requests without altering existing authentication filters.

The existing authorization process must be altered to incorporate the following cases

|Token|SSO Enabled|First Authorizer / Filter|
|Present|Yes|RangerSSOAuthenticationFilter|
|Absent|Yes|RangerSSOAuthenticationFilter|
|Present|No|RangerJwtAuthFilter (NEW)|
|Absent|No|RangerJwtAuthFilter (NEW)|

Enabled JWT filter by default.


Diffs
-----

  security-admin/src/main/resources/conf.dist/security-applicationContext.xml 7db9c3850


Diff: https://reviews.apache.org/r/74014/diff/1/


Testing
-------

1. mvn clean compile package install -U
2. Login ModHeader (chrome plugin): invalid JWT
3. Login ModHeader (chrome plugin): expired JWT
4. Login ModHeader (chrome plugin): tampered JWT
5. Login ModHeader (chrome plugin): valid JWT
6. Curl Access API: invalid JWT
7. Curl Access API: expired JWT
8. Curl Access API: tampered JWT
9. Curl Access API: valid JWT


Thanks,

Kishor Gollapalliwar
[jira] [Commented] (RANGER-3740) Create Ranger Admin API to refresh tag cache
[ https://issues.apache.org/jira/browse/RANGER-3740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17551593#comment-17551593 ]

Kishor Gollapalliwar commented on RANGER-3740:
----------------------------------------------

master follow-up commit: https://github.com/apache/ranger/commit/2a057768fc6a345fce013a89c72d5d67d0df666d

> Create Ranger Admin API to refresh tag cache
> --------------------------------------------
>
> Key: RANGER-3740
> URL: https://issues.apache.org/jira/browse/RANGER-3740
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Reporter: Kishor Gollapalliwar
> Assignee: Kishor Gollapalliwar
> Priority: Major
> Fix For: 3.0.0
>
>
> Create Ranger Admin API to refresh tag cache, which will help refreshing cache externally.
Re: Review Request 74006: RANGER-3740: Create Ranger Admin API to refresh tag cache -- follow-up patch
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74006/#review224486
-----------------------------------------------------------


Ship it!


Ship It!

- Mehul Parikh


On June 1, 2022, 3:15 p.m., Kishor Gollapalliwar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74006/
> -----------------------------------------------------------
>
> (Updated June 1, 2022, 3:15 p.m.)
>
>
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Vishal Suvagia, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3740
>     https://issues.apache.org/jira/browse/RANGER-3740
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Create Ranger Admin API to refresh tag cache, which will help refreshing cache externally.
>
> Problem: In the current API, if a user accidentally does not pass service_name, it resets everything.
>
> Changes:
> 1. Updated existing API: enforcing service_name as mandatory parameter
> 2. Created new API: reset/ remove everything (all service policy cache)
>
>
> Diffs
> -----
>
>   security-admin/src/main/java/org/apache/ranger/rest/TagREST.java 79dbdc76d
>
>
> Diff: https://reviews.apache.org/r/74006/diff/1/
>
>
> Testing
> -------
>
> 1. mvn clean compile package install -U
> 2. Hit API without service name (http://localhost:6080/service/tags/tags/cache/reset)
> 3. Hit API with empty service name (http://localhost:6080/service/tags/tags/cache/reset?serviceName=)
> 4. Hit API with invalid service name (http://localhost:6080/service/tags/tags/cache/reset?serviceName=invalid_service)
> 5. Hit API with valid service name (http://localhost:6080/service/tags/tags/cache/reset?serviceName=test_hdfs)
> 6. Hit API with valid service name when cache is empty (http://localhost:6080/service/tags/tags/cache/reset?serviceName=test_hdfs)
> 7. Hit API when cache is not empty (http://localhost:6080/service/tags/tags/cache/reset-all)
> 8. Hit API when cache is empty (http://localhost:6080/service/tags/tags/cache/reset-all)
>
>
> Thanks,
>
> Kishor Gollapalliwar
>
>
Re: Review Request 74008: RANGER-3780: Upgrade tomcat to 8.5.79
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74008/#review224485
-----------------------------------------------------------


Ship it!


Ship It!

- Mehul Parikh


On June 2, 2022, 3:43 p.m., Pradeep Agrawal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74008/
> -----------------------------------------------------------
>
> (Updated June 2, 2022, 3:43 p.m.)
>
>
> Review request for ranger, bhavik patel, Dhaval Shah, Abhay Kulkarni, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3780
>     https://issues.apache.org/jira/browse/RANGER-3780
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Here I am proposing to change tomcat version
>
> from 8.5.78 ==> 8.5.79
>
> Changelog link : https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.79_(schultz)
>
>
> Diffs
> -----
>
>   pom.xml b0bdcc56f
>
>
> Diff: https://reviews.apache.org/r/74008/diff/1/
>
>
> Testing
> -------
>
> Tested Ranger admin installation, user login, usersync and other crud operations on service, policy, user and group module.
>
>
> Thanks,
>
> Pradeep Agrawal
>
>