[jira] [Updated] (RANGER-3842) Ranger Kafka test connection timeout in Kerberos environment
[
https://issues.apache.org/jira/browse/RANGER-3842?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
kejie updated RANGER-3842:
--
Description:
Excuse me, how can I configure my Kafka to work normally?
The following is my related configuration and log information!
ranger-admin.log
{code:java}
2022-07-26 02:52:13,658 [http-nio-6080-exec-9] ERROR [ServiceMgr.java:198] ==>
ServiceMgr.validateConfig Error:java.util.concurrent.TimeoutException
...
...
...
2022-07-26 00:00:28,532 [http-nio-6080-exec-5] INFO [RESTErrorUtil.java:346]
Request failed. loginId=null, logMessage=Unauthenticated access not allowed
javax.ws.rs.WebApplicationException: null{code}
This is my Kafka server.log
{code:java}
[2022-07-26 11:27:05,359] WARN Error getting Roles. secureMode=false, user=root
(auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0},
serviceName=kmr_kafka
(org.apache.ranger.admin.client.RangerAdminRESTClient){code}
ranger-admin ui
!image-2022-07-26-11-38-37-426.png!
!image-2022-07-26-11-42-13-846.png!
!image-2022-07-26-11-38-55-377.png!
ranger-admin install.properties kerberos config
{code:java}
# Kerberos Config -
spnego_principal=HTTP/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
spnego_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
token_valid=30
cookie_domain=
cookie_path=/
admin_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
admin_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
lookup_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
lookup_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
hadoop_conf=/mnt/kmr/hadoop/1/hadoop-3.1.1/etc/hadoop {code}
was:
Excuse me, how can I configure my Kafka to work normally?
The following is my related configuration and log information!
ranger-admin.log
{code:java}
2022-07-26 02:52:13,658 [http-nio-6080-exec-9] ERROR [ServiceMgr.java:198] ==>
ServiceMgr.validateConfig Error:java.util.concurrent.TimeoutException
...
...
...
2022-07-26 00:00:28,532 [http-nio-6080-exec-5] INFO [RESTErrorUtil.java:346]
Request failed. loginId=null, logMessage=Unauthenticated access not allowed
javax.ws.rs.WebApplicationException: null{code}
This is my Kafka server.log
{code:java}
[2022-07-26 11:27:05,359] WARN Error getting Roles. secureMode=false, user=root
(auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0},
serviceName=kmr_kafka
(org.apache.ranger.admin.client.RangerAdminRESTClient){code}
ranger-admin ui
!image-2022-07-26-11-38-37-426.png!
!image-2022-07-26-11-38-55-377.png!
ranger-admin install.properties kerberos config
{code:java}
# Kerberos Config -
spnego_principal=HTTP/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
spnego_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
token_valid=30
cookie_domain=
cookie_path=/
admin_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
admin_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
lookup_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
lookup_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
hadoop_conf=/mnt/kmr/hadoop/1/hadoop-3.1.1/etc/hadoop {code}
> Ranger Kafka test connection timeout in Kerberos environment
>
>
> Key: RANGER-3842
> URL: https://issues.apache.org/jira/browse/RANGER-3842
> Project: Ranger
> Issue Type: Bug
> Components: plugins, Ranger
>Affects Versions: 2.3.0
> Environment: linux
>Reporter: kejie
>Priority: Major
> Attachments: image-2022-07-26-11-38-37-426.png,
> image-2022-07-26-11-38-55-377.png, image-2022-07-26-11-42-13-846.png
>
>
> Excuse me, how can I configure my Kafka to work normally?
> The following is my related configuration and log information!
>
> ranger-admin.log
>
> {code:java}
> 2022-07-26 02:52:13,658 [http-nio-6080-exec-9] ERROR [ServiceMgr.java:198]
> ==> ServiceMgr.validateConfig Error:java.util.concurrent.TimeoutException
> ...
> ...
> ...
> 2022-07-26 00:00:28,532 [http-nio-6080-exec-5] INFO [RESTErrorUtil.java:346]
> Request failed. loginId=null, logMessage=Unauthenticated access not allowed
> javax.ws.rs.WebApplicationException: null{code}
>
>
>
>
> This is my Kafka server.log
>
> {code:java}
> [2022-07-26 11:27:05,359] WARN Error getting Roles. secureMode=false,
> user=root (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0},
> serviceName=kmr_kafka
> (org.apache.ranger.admin.client.RangerAdminRESTClient){code}
>
>
>
> ranger-admin ui
> !image-2022-07-26-11-38-37-426.png!
> !image-2022-07-26-11-42-13-846.png!
> !image-2022-07-26-11-38-55-377.png!
> ranger-admin install.properties kerberos config
> {code:java}
> # Kerberos Config -
>
[jira] [Updated] (RANGER-3842) Ranger Kafka test connection timeout in Kerberos environment
[
https://issues.apache.org/jira/browse/RANGER-3842?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
kejie updated RANGER-3842:
--
Attachment: image-2022-07-26-11-42-13-846.png
> Ranger Kafka test connection timeout in Kerberos environment
>
>
> Key: RANGER-3842
> URL: https://issues.apache.org/jira/browse/RANGER-3842
> Project: Ranger
> Issue Type: Bug
> Components: plugins, Ranger
>Affects Versions: 2.3.0
> Environment: linux
>Reporter: kejie
>Priority: Major
> Attachments: image-2022-07-26-11-38-37-426.png,
> image-2022-07-26-11-38-55-377.png, image-2022-07-26-11-42-13-846.png
>
>
> Excuse me, how can I configure my Kafka to work normally?
> The following is my related configuration and log information!
>
> ranger-admin.log
>
> {code:java}
> 2022-07-26 02:52:13,658 [http-nio-6080-exec-9] ERROR [ServiceMgr.java:198]
> ==> ServiceMgr.validateConfig Error:java.util.concurrent.TimeoutException
> ...
> ...
> ...
> 2022-07-26 00:00:28,532 [http-nio-6080-exec-5] INFO [RESTErrorUtil.java:346]
> Request failed. loginId=null, logMessage=Unauthenticated access not allowed
> javax.ws.rs.WebApplicationException: null{code}
>
>
>
>
> This is my Kafka server.log
>
> {code:java}
> [2022-07-26 11:27:05,359] WARN Error getting Roles. secureMode=false,
> user=root (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0},
> serviceName=kmr_kafka
> (org.apache.ranger.admin.client.RangerAdminRESTClient){code}
>
>
>
> ranger-admin ui
> !image-2022-07-26-11-38-37-426.png!
>
> !image-2022-07-26-11-38-55-377.png!
> ranger-admin install.properties kerberos config
> {code:java}
> # Kerberos Config -
> spnego_principal=HTTP/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
> spnego_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
> token_valid=30
> cookie_domain=
> cookie_path=/
> admin_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
> admin_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
> lookup_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
> lookup_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
> hadoop_conf=/mnt/kmr/hadoop/1/hadoop-3.1.1/etc/hadoop {code}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Updated] (RANGER-3842) Ranger Kafka test connection timeout in Kerberos environment
[
https://issues.apache.org/jira/browse/RANGER-3842?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
kejie updated RANGER-3842:
--
Description:
Excuse me, how can I configure my Kafka to work normally?
The following is my related configuration and log information!
ranger-admin.log
{code:java}
2022-07-26 02:52:13,658 [http-nio-6080-exec-9] ERROR [ServiceMgr.java:198] ==>
ServiceMgr.validateConfig Error:java.util.concurrent.TimeoutException
...
...
...
2022-07-26 00:00:28,532 [http-nio-6080-exec-5] INFO [RESTErrorUtil.java:346]
Request failed. loginId=null, logMessage=Unauthenticated access not allowed
javax.ws.rs.WebApplicationException: null{code}
This is my Kafka server.log
{code:java}
[2022-07-26 11:27:05,359] WARN Error getting Roles. secureMode=false, user=root
(auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0},
serviceName=kmr_kafka
(org.apache.ranger.admin.client.RangerAdminRESTClient){code}
ranger-admin ui
!image-2022-07-26-11-38-37-426.png!
!image-2022-07-26-11-38-55-377.png!
ranger-admin install.properties kerberos config
{code:java}
# Kerberos Config -
spnego_principal=HTTP/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
spnego_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
token_valid=30
cookie_domain=
cookie_path=/
admin_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
admin_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
lookup_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
lookup_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
hadoop_conf=/mnt/kmr/hadoop/1/hadoop-3.1.1/etc/hadoop {code}
was:
Excuse me, how can I configure my Kafka to work normally?
The following is my related configuration and log information!
ranger-admin.log
{code:java}
2022-07-26 02:52:13,658 [http-nio-6080-exec-9] ERROR [ServiceMgr.java:198] ==>
ServiceMgr.validateConfig Error:java.util.concurrent.TimeoutException
...
...
...
2022-07-26 00:00:28,532 [http-nio-6080-exec-5] INFO [RESTErrorUtil.java:346]
Request failed. loginId=null, logMessage=Unauthenticated access not allowed
javax.ws.rs.WebApplicationException: null{code}
This is my Kafka server.log
{code:java}
[2022-07-26 11:27:05,359] WARN Error getting Roles. secureMode=false, user=root
(auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0},
serviceName=kmr_kafka
(org.apache.ranger.admin.client.RangerAdminRESTClient){code}
ranger-admin ui
!image-2022-07-26-11-29-26-959.png!
!image-2022-07-26-11-34-17-217.png!
ranger-admin install.properties kerberos config
{code:java}
# Kerberos Config -
spnego_principal=HTTP/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
spnego_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
token_valid=30
cookie_domain=
cookie_path=/
admin_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
admin_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
lookup_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
lookup_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
hadoop_conf=/mnt/kmr/hadoop/1/hadoop-3.1.1/etc/hadoop {code}
> Ranger Kafka test connection timeout in Kerberos environment
>
>
> Key: RANGER-3842
> URL: https://issues.apache.org/jira/browse/RANGER-3842
> Project: Ranger
> Issue Type: Bug
> Components: plugins, Ranger
>Affects Versions: 2.3.0
> Environment: linux
>Reporter: kejie
>Priority: Major
> Attachments: image-2022-07-26-11-38-37-426.png,
> image-2022-07-26-11-38-55-377.png
>
>
> Excuse me, how can I configure my Kafka to work normally?
> The following is my related configuration and log information!
>
> ranger-admin.log
>
> {code:java}
> 2022-07-26 02:52:13,658 [http-nio-6080-exec-9] ERROR [ServiceMgr.java:198]
> ==> ServiceMgr.validateConfig Error:java.util.concurrent.TimeoutException
> ...
> ...
> ...
> 2022-07-26 00:00:28,532 [http-nio-6080-exec-5] INFO [RESTErrorUtil.java:346]
> Request failed. loginId=null, logMessage=Unauthenticated access not allowed
> javax.ws.rs.WebApplicationException: null{code}
>
>
>
>
> This is my Kafka server.log
>
> {code:java}
> [2022-07-26 11:27:05,359] WARN Error getting Roles. secureMode=false,
> user=root (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0},
> serviceName=kmr_kafka
> (org.apache.ranger.admin.client.RangerAdminRESTClient){code}
>
>
>
> ranger-admin ui
> !image-2022-07-26-11-38-37-426.png!
>
> !image-2022-07-26-11-38-55-377.png!
> ranger-admin install.properties kerberos config
> {code:java}
> # Kerberos Config -
> spnego_principal=HTTP/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
>
[jira] [Updated] (RANGER-3842) Ranger Kafka test connection timeout in Kerberos environment
[
https://issues.apache.org/jira/browse/RANGER-3842?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
kejie updated RANGER-3842:
--
Attachment: image-2022-07-26-11-38-55-377.png
> Ranger Kafka test connection timeout in Kerberos environment
>
>
> Key: RANGER-3842
> URL: https://issues.apache.org/jira/browse/RANGER-3842
> Project: Ranger
> Issue Type: Bug
> Components: plugins, Ranger
>Affects Versions: 2.3.0
> Environment: linux
>Reporter: kejie
>Priority: Major
> Attachments: image-2022-07-26-11-38-37-426.png,
> image-2022-07-26-11-38-55-377.png
>
>
> Excuse me, how can I configure my Kafka to work normally?
> The following is my related configuration and log information!
>
> ranger-admin.log
>
> {code:java}
> 2022-07-26 02:52:13,658 [http-nio-6080-exec-9] ERROR [ServiceMgr.java:198]
> ==> ServiceMgr.validateConfig Error:java.util.concurrent.TimeoutException
> ...
> ...
> ...
> 2022-07-26 00:00:28,532 [http-nio-6080-exec-5] INFO [RESTErrorUtil.java:346]
> Request failed. loginId=null, logMessage=Unauthenticated access not allowed
> javax.ws.rs.WebApplicationException: null{code}
>
>
>
>
> This is my Kafka server.log
>
> {code:java}
> [2022-07-26 11:27:05,359] WARN Error getting Roles. secureMode=false,
> user=root (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0},
> serviceName=kmr_kafka
> (org.apache.ranger.admin.client.RangerAdminRESTClient){code}
>
>
>
> ranger-admin ui
> !image-2022-07-26-11-29-26-959.png!
> !image-2022-07-26-11-34-17-217.png!
>
> ranger-admin install.properties kerberos config
> {code:java}
> # Kerberos Config -
> spnego_principal=HTTP/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
> spnego_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
> token_valid=30
> cookie_domain=
> cookie_path=/
> admin_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
> admin_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
> lookup_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
> lookup_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
> hadoop_conf=/mnt/kmr/hadoop/1/hadoop-3.1.1/etc/hadoop {code}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Updated] (RANGER-3842) Ranger Kafka test connection timeout in Kerberos environment
[
https://issues.apache.org/jira/browse/RANGER-3842?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
kejie updated RANGER-3842:
--
Attachment: image-2022-07-26-11-38-37-426.png
> Ranger Kafka test connection timeout in Kerberos environment
>
>
> Key: RANGER-3842
> URL: https://issues.apache.org/jira/browse/RANGER-3842
> Project: Ranger
> Issue Type: Bug
> Components: plugins, Ranger
>Affects Versions: 2.3.0
> Environment: linux
>Reporter: kejie
>Priority: Major
> Attachments: image-2022-07-26-11-38-37-426.png,
> image-2022-07-26-11-38-55-377.png
>
>
> Excuse me, how can I configure my Kafka to work normally?
> The following is my related configuration and log information!
>
> ranger-admin.log
>
> {code:java}
> 2022-07-26 02:52:13,658 [http-nio-6080-exec-9] ERROR [ServiceMgr.java:198]
> ==> ServiceMgr.validateConfig Error:java.util.concurrent.TimeoutException
> ...
> ...
> ...
> 2022-07-26 00:00:28,532 [http-nio-6080-exec-5] INFO [RESTErrorUtil.java:346]
> Request failed. loginId=null, logMessage=Unauthenticated access not allowed
> javax.ws.rs.WebApplicationException: null{code}
>
>
>
>
> This is my Kafka server.log
>
> {code:java}
> [2022-07-26 11:27:05,359] WARN Error getting Roles. secureMode=false,
> user=root (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0},
> serviceName=kmr_kafka
> (org.apache.ranger.admin.client.RangerAdminRESTClient){code}
>
>
>
> ranger-admin ui
> !image-2022-07-26-11-29-26-959.png!
> !image-2022-07-26-11-34-17-217.png!
>
> ranger-admin install.properties kerberos config
> {code:java}
> # Kerberos Config -
> spnego_principal=HTTP/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
> spnego_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
> token_valid=30
> cookie_domain=
> cookie_path=/
> admin_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
> admin_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
> lookup_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
> lookup_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
> hadoop_conf=/mnt/kmr/hadoop/1/hadoop-3.1.1/etc/hadoop {code}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Created] (RANGER-3842) Ranger Kafka test connection timeout in Kerberos environment
kejie created RANGER-3842:
-
Summary: Ranger Kafka test connection timeout in Kerberos
environment
Key: RANGER-3842
URL: https://issues.apache.org/jira/browse/RANGER-3842
Project: Ranger
Issue Type: Bug
Components: plugins, Ranger
Affects Versions: 2.3.0
Environment: linux
Reporter: kejie
Excuse me, how can I configure my Kafka to work normally?
The following is my related configuration and log information!
ranger-admin.log
{code:java}
2022-07-26 02:52:13,658 [http-nio-6080-exec-9] ERROR [ServiceMgr.java:198] ==>
ServiceMgr.validateConfig Error:java.util.concurrent.TimeoutException
...
...
...
2022-07-26 00:00:28,532 [http-nio-6080-exec-5] INFO [RESTErrorUtil.java:346]
Request failed. loginId=null, logMessage=Unauthenticated access not allowed
javax.ws.rs.WebApplicationException: null{code}
This is my Kafka server.log
{code:java}
[2022-07-26 11:27:05,359] WARN Error getting Roles. secureMode=false, user=root
(auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0},
serviceName=kmr_kafka
(org.apache.ranger.admin.client.RangerAdminRESTClient){code}
ranger-admin ui
!image-2022-07-26-11-29-26-959.png!
!image-2022-07-26-11-34-17-217.png!
ranger-admin install.properties kerberos config
{code:java}
# Kerberos Config -
spnego_principal=HTTP/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
spnego_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
token_valid=30
cookie_domain=
cookie_path=/
admin_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
admin_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
lookup_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
lookup_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
hadoop_conf=/mnt/kmr/hadoop/1/hadoop-3.1.1/etc/hadoop {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Comment Edited] (RANGER-3839) Ranger Tag based policy with ability to show metadata for covered resource
[
https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17571099#comment-17571099
]
Madhan Neethiraj edited comment on RANGER-3839 at 7/25/22 9:30 PM:
---
[~in.rames...@gmail.com] - commands {{{}SHOW DATABASES{}}}, {{USE
__}} and {{SHOW TABLES}} don't require any additional policies to
be setup. These commands look if user has _any_ permission on the accessed
database/table or a sub-resource in its hierarchy (i.e., tables or columns).
I verified the following with Hive plugin from master branch:
# Login as user=hive in beeline and execute following statements to create
table hr.employee:
** {{create database hr;}}
** {{create table hr.employee(id int, name striNumbered listng, ssn string,
address string);}}
# Login as user=user1 in beeline and execute statement {{use hr;}} This
results in following error, as the user doesn't have access to any resource
within database=hr.
*
** {{Error: Error while compiling statement: FAILED:
HiveAccessControlException Permission denied: user [user1] does not have [USE]
privilege on [hr] (state=42000,code=4)}}
# Now add tag PII on column hr.employee.ssn, with the following:
{code:java}
{
"op": "add_or_update",
"serviceName": "dev_hive",
"tagDefinitions": {
"0": { "name": "PII" }
},
"tags": {
"0": { "type": "PII" }
},
"serviceResources": [
{
"id": 0,
"serviceName": "dev_hive",
"resourceElements": {
"database": { "values": [ "hr" ] },
"table": { "values": [ "employee" ] },
"column": { "values": [ "ssn" ] }
}
}
],
"resourceToTagIds": {
"0": [ "0" ]
}
}{code}
# Create a tag-based policy for tag=PII to allow {{hive:select}} access to
user1
# Now execute following commands as user1:
** {{show databases;}} hr database is included in returned list
** {{use hr;}} - the command succeeds.
** {{show tables;}} employee table is included in returned list
Please verify your usecase with above details. I see couple of missing
details/issues in the example detailed in this Jira description.
# missing: association of tag=RESTRICTED on column=employee.personal.city.
Please make sure that the tag is associated with the column.
# Policy for tag=RESTRICTED is show to have id=1, but audit log has
policyId=101. Is the access allowed by a different policy?
was (Author: madhan.neethiraj):
[~in.rames...@gmail.com] - commands {{{}SHOW DATABASES{}}}, {{USE
__}} and {{SHOW TABLES}} don't require any additional policies to
be setup. These commands look if user has _any_ permission on the accessed
database/table or a sub-resource in its hierarchy (i.e., tables or columns).
I verified the following with Hive plugin from master branch:
# Login as user=hive in beeline and execute following statements to create
table hr.employee:
** {{create database hr;}}
** {{create table hr.employee(id int, name string, ssn string, address
string);}}
# Login as user=user1 in beeline and execute statement {{use hr;}} This
results in following error, as the user doesn't have access to any resource
within database=hr.
*
** {{Error: Error while compiling statement: FAILED:
HiveAccessControlException Permission denied: user [user1] does not have [USE]
privilege on [hr] (state=42000,code=4)}}
# Now add tag PII on column hr.employee.ssn, with the following:
{
"op": "add_or_update",
"serviceName": "dev_hive",
"tagDefinitions": \{ "0": { "name": "PII" } },
"tags": \{ "0":{ "type": "PII" } },
"serviceResources": [
{
"id": 0,
"serviceName": "dev_hive",
"resourceElements": {
"database": \{ "values": [ "hr" ] }
"table": \{ "values": [ "employee" ] }
"column": \{ "values": [ "ssn" ] }
}
],
"resourceToTagIds": \{ "0": [ "0" ] }
}
# Create a tag-based policy for tag=PII to allow {{hive:select}} access to
user1
# Now execute following commands as user1:
** {{show databases;}} hr database is included in returned list
** {{use hr;}} - the command succeeds.
** {{show tables;}} employee table is included in returned list
Please verify your usecase with above details. I see couple of missing
details/issues in the example detailed in this Jira description.
# missing: association of tag=RESTRICTED on column=employee.personal.city.
Please make sure that the tag is associated with the column.
# Policy for tag=RESTRICTED is show to have id=1, but audit log has
policyId=101. Is the access allowed by a different policy?
> Ranger Tag based policy with ability to show metadata for covered resource
> --
>
> Key: RANGER-3839
> URL:
[jira] [Comment Edited] (RANGER-3839) Ranger Tag based policy with ability to show metadata for covered resource
[
https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17571099#comment-17571099
]
Madhan Neethiraj edited comment on RANGER-3839 at 7/25/22 9:25 PM:
---
[~in.rames...@gmail.com] - commands {{{}SHOW DATABASES{}}}, {{USE
__}} and {{SHOW TABLES}} don't require any additional policies to
be setup. These commands look if user has _any_ permission on the accessed
database/table or a sub-resource in its hierarchy (i.e., tables or columns).
I verified the following with Hive plugin from master branch:
# Login as user=hive in beeline and execute following statements to create
table hr.employee:
** {{create database hr;}}
** {{create table hr.employee(id int, name string, ssn string, address
string);}}
# Login as user=user1 in beeline and execute statement {{use hr;}} This
results in following error, as the user doesn't have access to any resource
within database=hr.
*
** {{Error: Error while compiling statement: FAILED:
HiveAccessControlException Permission denied: user [user1] does not have [USE]
privilege on [hr] (state=42000,code=4)}}
# Now add tag PII on column hr.employee.ssn, with the following:
{
"op": "add_or_update",
"serviceName": "dev_hive",
"tagDefinitions": \{ "0": { "name": "PII" } },
"tags": \{ "0":{ "type": "PII" } },
"serviceResources": [
{
"id": 0,
"serviceName": "dev_hive",
"resourceElements": {
"database": \{ "values": [ "hr" ] }
"table": \{ "values": [ "employee" ] }
"column": \{ "values": [ "ssn" ] }
}
],
"resourceToTagIds": \{ "0": [ "0" ] }
}
# Create a tag-based policy for tag=PII to allow {{hive:select}} access to
user1
# Now execute following commands as user1:
** {{show databases;}} hr database is included in returned list
** {{use hr;}} - the command succeeds.
** {{show tables;}} employee table is included in returned list
Please verify your usecase with above details. I see couple of missing
details/issues in the example detailed in this Jira description.
# missing: association of tag=RESTRICTED on column=employee.personal.city.
Please make sure that the tag is associated with the column.
# Policy for tag=RESTRICTED is show to have id=1, but audit log has
policyId=101. Is the access allowed by a different policy?
was (Author: madhan.neethiraj):
[~in.rames...@gmail.com] - commands {{{}SHOW DATABASES{}}}, {{USE
__}} and {{SHOW TABLES}} don't require any additional policies to
be setup. These commands look if user has _any_ permission on the accessed
database/table or a sub-resource in its hierarchy (i.e., tables or columns).
I verified the following with Hive plugin from master branch:
# Login as user=hive in beeline and execute following statements to create
table hr.employee:
** {{create database hr;}}
** {{create table hr.employee(id int, name string, ssn string, address
string);}}
# Login as user=user1 in beeline and execute statement {{use hr;}} This
results in following error, as the user doesn't have access to any resource
within database=hr.
** {{Error: Error while compiling statement: FAILED:
HiveAccessControlException Permission denied: user [user1] does not have [USE]
privilege on [hr] (state=42000,code=4)}}
# Now add tag PII on column hr.employee.ssn, with the following:
{{{}}
{{ "op": "add_or_update",}}
{{ "serviceName": "dev_hive",}}
{{ "tagDefinitions": \{ "0": { "name": "PII" } },}}
{{ "tags": \{ "0": { "type": "PII" } },}}
{{ "serviceResources": [}}
{{ {
"id": 0,
"serviceName": "dev_hive",
"resourceElements": {
"database": \{ "values": [ "hr" ] },
"table": \{ "values": [ "employee" ] },
"column": \{ "values": [ "ssn" ] }
}
}}}
{{ ],}}
{{ "resourceToTagIds": \{ "0": [ "0" ] }}}
{{ }}}
# Create a tag-based policy for tag=PII to allow {{hive:select}} access to
user1
# Now execute following commands as user1:
** {{show databases;}} hr database is included in returned list
** {{use hr;}} - the command succeeds.
** {{show tables;}} employee table is included in returned list
Please verify your usecase with above details. I see couple of missing
details/issues in the example detailed in this Jira description.
# missing: association of tag=RESTRICTED on column=employee.personal.city.
Please make sure that the tag is associated with the column.
# Policy for tag=RESTRICTED is show to have id=1, but audit log has
policyId=101. Is the access allowed by a different policy?
> Ranger Tag based policy with ability to show metadata for covered resource
> --
>
> Key: RANGER-3839
> URL:
[jira] [Commented] (RANGER-3839) Ranger Tag based policy with ability to show metadata for covered resource
[
https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17571099#comment-17571099
]
Madhan Neethiraj commented on RANGER-3839:
--
[~in.rames...@gmail.com] - commands {{{}SHOW DATABASES{}}}, {{USE
__}} and {{SHOW TABLES}} don't require any additional policies to
be setup. These commands look if user has _any_ permission on the accessed
database/table or a sub-resource in its hierarchy (i.e., tables or columns).
I verified the following with Hive plugin from master branch:
# Login as user=hive in beeline and execute following statements to create
table hr.employee:
** {{create database hr;}}
** {{create table hr.employee(id int, name string, ssn string, address
string);}}
# Login as user=user1 in beeline and execute statement {{use hr;}} This
results in following error, as the user doesn't have access to any resource
within database=hr.
** {{Error: Error while compiling statement: FAILED:
HiveAccessControlException Permission denied: user [user1] does not have [USE]
privilege on [hr] (state=42000,code=4)}}
# Now add tag PII on column hr.employee.ssn, with the following:
{{{}}
{{ "op": "add_or_update",}}
{{ "serviceName": "dev_hive",}}
{{ "tagDefinitions": \{ "0": { "name": "PII" } },}}
{{ "tags": \{ "0": { "type": "PII" } },}}
{{ "serviceResources": [}}
{{ {
"id": 0,
"serviceName": "dev_hive",
"resourceElements": {
"database": \{ "values": [ "hr" ] },
"table": \{ "values": [ "employee" ] },
"column": \{ "values": [ "ssn" ] }
}
}}}
{{ ],}}
{{ "resourceToTagIds": \{ "0": [ "0" ] }}}
{{ }}}
# Create a tag-based policy for tag=PII to allow {{hive:select}} access to
user1
# Now execute following commands as user1:
** {{show databases;}} hr database is included in returned list
** {{use hr;}} - the command succeeds.
** {{show tables;}} employee table is included in returned list
Please verify your usecase with above details. I see couple of missing
details/issues in the example detailed in this Jira description.
# missing: association of tag=RESTRICTED on column=employee.personal.city.
Please make sure that the tag is associated with the column.
# Policy for tag=RESTRICTED is show to have id=1, but audit log has
policyId=101. Is the access allowed by a different policy?
> Ranger Tag based policy with ability to show metadata for covered resource
> --
>
> Key: RANGER-3839
> URL: https://issues.apache.org/jira/browse/RANGER-3839
> Project: Ranger
> Issue Type: New Feature
> Components: plugins
>Reporter: Ramesh Bhanan Byndoor
>Priority: Major
>
> Have a use case around this for trino and hive where user should be able to
> see allowed parents along with child table
>
> For below case from here
> [https://github.com/apache/ranger/blob/release-ranger-2.3.0/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json#L266]
>
> Resource
>
> {code:java}
> {
> "serviceName": "cl1_hive",
> "resourceElements": {
> "database": {
> "values": ["employee"]
> },
> "table": {
> "values": ["personal"]
> },
> "column": {
> "values": ["city"]
> }
> },
> "id": 3,
> "guid": "employee.personal.city-guid"
> }
> {code}
> Policy
> {code:java}
> {
> "id": 1,
> "name": "RESTRICTED_TAG_POLICY",
> "isEnabled": true,
> "isAuditEnabled": true,
> "resources": {
> "tag": {
> "values": ["RESTRICTED"],
> "isRecursive": false
> }
> },
> "policyItems": [{
> "accesses": [{
> "type": "hive:select",
> "isAllowed": true
> }],
> "users": ["hive", "user1"],
> "groups": [],
> "delegateAdmin": false,
> "conditions": [{
> "type": "expression",
> "values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
> }]
> }]
> }{code}
> The test below is working as expected
> {code:java}
> {
> "name": "ALLOW 'select city from employee.personal;' for user1 using
> RESTRICTED tag",
> "request": {
> "resource": {
> "elements": {
> "database": "employee",
> "table": "personal",
> "column": "city"
> }
> },
> "accessType": "select",
> "user": "user1",
> "userGroups": [],
> "requestData": "select city from employee.personal;' for user1"
> },
> "result": {
> "isAudited": true,
> "isAllowed": true,
> "policyId": 101
> }
> }{code}
> The expectation is how
[jira] [Updated] (RANGER-3829) Incremental Sync value is always true under Ranger Audit (Usersync)
[
https://issues.apache.org/jira/browse/RANGER-3829?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Madhan Neethiraj updated RANGER-3829:
-
Fix Version/s: 2.4.0
> Incremental Sync value is always true under Ranger Audit (Usersync)
> ---
>
> Key: RANGER-3829
> URL: https://issues.apache.org/jira/browse/RANGER-3829
> Project: Ranger
> Issue Type: Bug
> Components: usersync
>Reporter: Abhishek Kumar
>Assignee: Abhishek Kumar
>Priority: Major
> Fix For: 3.0.0, 2.4.0
>
>
> Disabled the Incremental Sync in the Usersync configs but the *_Ranger UI ->
> Audit -> Usersync -> Sync Details_* shows the Incremental Sync value as
> always true.
>
> I could see the configs as -
> {code:java}
> [root@c3245-node2 conf]# cat ranger-ugsync-site.xml | grep -a2 delta
>
>
> ranger.usersync.ldap.deltasync
> false
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Updated] (RANGER-3387) Ranger Admin Header Validation.
[ https://issues.apache.org/jira/browse/RANGER-3387?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3387: - Fix Version/s: 2.4.0 > Ranger Admin Header Validation. > --- > > Key: RANGER-3387 > URL: https://issues.apache.org/jira/browse/RANGER-3387 > Project: Ranger > Issue Type: Bug > Components: Ranger >Affects Versions: 2.2.0 >Reporter: Mateen N Mansoori >Assignee: Sailaja Polavarapu >Priority: Major > Fix For: 3.0.0, 2.4.0 > > Attachments: > 0001-RANGER-3387-Added-extra-validation-for-handling-PUT-.patch, > 0001-RANGER-3387-Ranger-Admin-Header-Validation.patch > > > Ranger Admin Header Validation. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3789) Upgrade Handlebars version to 4.7.7
[ https://issues.apache.org/jira/browse/RANGER-3789?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3789: - Fix Version/s: 2.4.0 > Upgrade Handlebars version to 4.7.7 > --- > > Key: RANGER-3789 > URL: https://issues.apache.org/jira/browse/RANGER-3789 > Project: Ranger > Issue Type: Bug > Components: Ranger >Affects Versions: 3.0.0 >Reporter: Bhavik Patel >Assignee: Dhaval Rajpara >Priority: Major > Fix For: 3.0.0, 2.4.0 > > Attachments: 0001-RANGER-3789.patch > > > Upgrade Handlebars version to 4.7.7 as current version is affected with CVEs -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3165) Upgrade Elasticsearch version in Ranger to Elasticsearch 7.10.2
[ https://issues.apache.org/jira/browse/RANGER-3165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3165: - Fix Version/s: 2.4.0 > Upgrade Elasticsearch version in Ranger to Elasticsearch 7.10.2 > --- > > Key: RANGER-3165 > URL: https://issues.apache.org/jira/browse/RANGER-3165 > Project: Ranger > Issue Type: Improvement > Components: Ranger >Affects Versions: 3.0.0 >Reporter: YangCheng >Assignee: Bhavik Patel >Priority: Major > Fix For: 3.0.0, 2.4.0 > > Attachments: > 0001-RANGER-3165-Upgrade-Elasticsearch-version-in-Ranger-.patch > > > Current ES version 7.6.0 affected with many CVE's issue, 7.10.2 is the last > version of elasticsearch based on Apache license, so it's better to update > the version to 7.10.2 > > > > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3822) RangerService outputs password information in plaintext
[
https://issues.apache.org/jira/browse/RANGER-3822?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Madhan Neethiraj updated RANGER-3822:
-
Fix Version/s: 2.4.0
> RangerService outputs password information in plaintext
> ---
>
> Key: RANGER-3822
> URL: https://issues.apache.org/jira/browse/RANGER-3822
> Project: Ranger
> Issue Type: Improvement
> Components: admin
>Affects Versions: 1.2.0, 2.2.0
>Reporter: Binhua Hu
>Assignee: Binhua Hu
>Priority: Major
> Fix For: 3.0.0, 2.4.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> RangerService outputs information in plaintext, causing the component
> password to be leaked.For example, when the Ranger service with the same name
> is created repeatedly, the password information of relevant components will
> be printed in the log.
> {code:java}
> 2022-07-11 10:08:59,505 [http-bio-6080-exec-4] ERROR
> org.apache.ranger.rest.ServiceRest(SericeREST.java:672) -
> createService(RangerService={id={null} guid={null} isEnabled={true}
> createdBy={null} updateBy={null} createTime={Thu Jan 01 08:00:00 GMT+8:00
> 1970} updateTime={Thu Jan 01 08:00:00 GMT+8:00 1970} version={1}
> name={service-kafka} type={kafka} description={null} tagService={null}
> configs={password={123456} username={admin}} policyVersion={0}
> policyUpdateTime={Thu Jan 01 08:00:00 GMT+8:00 1970} tagVersion={1}
> tagUpdateTime={Thu Jan 01 08:00:00 GMT+8:00 1970}}) failed{code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Updated] (RANGER-3763) The max limit of the requested entities is not configurable in tagsync
[ https://issues.apache.org/jira/browse/RANGER-3763?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3763: - Fix Version/s: 2.4.0 > The max limit of the requested entities is not configurable in tagsync > -- > > Key: RANGER-3763 > URL: https://issues.apache.org/jira/browse/RANGER-3763 > Project: Ranger > Issue Type: Improvement > Components: tagsync >Affects Versions: 1.2.0, 2.2.0 >Reporter: Binhua Hu >Assignee: Binhua Hu >Priority: Major > Fix For: 3.0.0, 2.4.0 > > Time Spent: 50m > Remaining Estimate: 0h > > The requested entity size Is set to a fixed value(1) in the Tagsync > source code(AtlasRESTTagSource), which has the following problems > 1. If the atlas server limits the request body size, tagsync needs to be > repackaged to fit the server Settings > 2. Debugging in the source code will print the full request body. If the > requested entities size cannot be adjusted, the log view will be affected -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3670) Policy update creates unnecessary entries in transaction log table
[ https://issues.apache.org/jira/browse/RANGER-3670?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3670: - Fix Version/s: 2.4.0 > Policy update creates unnecessary entries in transaction log table > -- > > Key: RANGER-3670 > URL: https://issues.apache.org/jira/browse/RANGER-3670 > Project: Ranger > Issue Type: Bug > Components: Ranger >Affects Versions: 2.2.0 >Reporter: Madhan Neethiraj >Assignee: Abhishek Kumar >Priority: Major > Fix For: 2.4.0 > > > When a policy is updated, Ranger creates entries in x_trx_log table for each > updated field in the policy. For example, when a policy is disabled, > following record is added in this table: > > ||object_id||object_name||attr_name||prev_val||new_val|| > |6|all - database|Policy Status|true|false| > > Following 2 additional records are added in this table even though these > fields are not updated in the policy: > ||object_id||object_name||attr_name||prev_val||new_val|| > |6|all - database|Validity Schedules|[]|[]| > |6|all - database|Policy Conditions| | | > > Above entries should be avoided. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3825) Ranger internal user is unable to change his password after the upgrade.
[ https://issues.apache.org/jira/browse/RANGER-3825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3825: - Fix Version/s: 2.4.0 > Ranger internal user is unable to change his password after the upgrade. > > > Key: RANGER-3825 > URL: https://issues.apache.org/jira/browse/RANGER-3825 > Project: Ranger > Issue Type: Bug > Components: Ranger >Affects Versions: 2.2.0, 2.3.0 >Reporter: Pradeep Agrawal >Assignee: Pradeep Agrawal >Priority: Critical > Fix For: 3.0.0, 2.4.0 > > Attachments: > 0001-RANGER-3825-Ranger-internal-user-is-unable-to-change.patch > > > Ranger internal user is unable to change his password after the upgrade. > Workaround : Ranger admin user can change the password of other users. > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3798) Ranger API Resource Metrics REST "Up time of JVM" does not update.
[ https://issues.apache.org/jira/browse/RANGER-3798?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3798: - Fix Version/s: 2.4.0 > Ranger API Resource Metrics REST "Up time of JVM" does not update. > -- > > Key: RANGER-3798 > URL: https://issues.apache.org/jira/browse/RANGER-3798 > Project: Ranger > Issue Type: Bug > Components: Ranger >Reporter: Dineshkumar Yadav >Assignee: Dineshkumar Yadav >Priority: Minor > Fix For: 3.0.0, 2.4.0 > > > Ranger API Resource Metrics REST, one of the attribute "Up time of JVM" does > not get updated value over the period of time . -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3807) getUserRoles API gives 200 for non existing user passed to this API
[
https://issues.apache.org/jira/browse/RANGER-3807?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Madhan Neethiraj updated RANGER-3807:
-
Fix Version/s: 2.4.0
> getUserRoles API gives 200 for non existing user passed to this API
> ---
>
> Key: RANGER-3807
> URL: https://issues.apache.org/jira/browse/RANGER-3807
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
>Reporter: Anupam Rai
>Assignee: Pradeep Agrawal
>Priority: Major
> Fix For: 3.0.0, 2.4.0
>
> Attachments:
> 0001-RANGER-3807-getUserRoles-API-gives-200-for-non-exist.patch
>
>
> Steps to reproduce :
> 1. Hit this API /roles/roles/user/\{user} with any random string
> 2. We should get any error message if user is not available
> Actual : We are getting 200 response for any random string
> Https status : 200 OK
> {code:java}
> [] {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Updated] (RANGER-3813) Fix ConcurrentModificationException in UnixUserGroupBuilder
[ https://issues.apache.org/jira/browse/RANGER-3813?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3813: - Fix Version/s: 2.4.0 > Fix ConcurrentModificationException in UnixUserGroupBuilder > --- > > Key: RANGER-3813 > URL: https://issues.apache.org/jira/browse/RANGER-3813 > Project: Ranger > Issue Type: Bug > Components: usersync >Affects Versions: 2.2.0 >Reporter: Abhishek Kumar >Assignee: Abhishek Kumar >Priority: Major > Fix For: 3.0.0, 2.4.0 > > > Line number 426 in > ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java > updates the map while iteration which raises the exception > ConcurrentModificationException, the jira tracks the fix for the same. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3623) Add ability to enable anonymous download of policy/role/tag
[ https://issues.apache.org/jira/browse/RANGER-3623?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3623: - Fix Version/s: 2.4.0 > Add ability to enable anonymous download of policy/role/tag > --- > > Key: RANGER-3623 > URL: https://issues.apache.org/jira/browse/RANGER-3623 > Project: Ranger > Issue Type: Improvement > Components: admin >Affects Versions: 3.0.0, 2.3.0 >Reporter: kirby zhou >Assignee: kirby zhou >Priority: Major > Fix For: 3.0.0, 2.4.0 > > Attachments: add-downloadonly-option.patch > > > Currently, we have an option ranger.admin.allow.unauthenticated.access to > allow unauthenticated clients to perform a series of API operations. This > option allows the client to perform both dangerous grant/revoke permission > operation and relatively safe download operation. > In many cases, allowing anonymous downloading of policy is not a serious risk > problem. On the contrary, the complicated kerberos and SSL settings make it > difficult for ranger plugin embedded in third-party services to complete the > task of refreshing policy, which may be a bigger problem. In particular, > refresh failure often has no obvious features for administrators to discover. > Therefore, I suggest that ranger increase the ability to allow client to > download policy/tag/roles anonymously. > There are two ways to achieve it. > > 1. Just limit the ability of "ranger.admin.allow.unauthenticated.access=true" > which needs to modify > "security-admin/src/main/resources/conf.dist/security-applicationContext.xml" > to remove dangerous operations from ' > security="none"'. > > 2. Add a candidate value "downloadonly" to > "ranger.admin.allow.unauthenticated.access" > Which needs modify ServiceRest.Java and BizUtil.java to implement the > enhanced checking logic. > > I have a patch for method2 -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3814) IS_IN_ROLE(roleName) condition always returns false
[ https://issues.apache.org/jira/browse/RANGER-3814?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3814: - Fix Version/s: 2.4.0 > IS_IN_ROLE(roleName) condition always returns false > --- > > Key: RANGER-3814 > URL: https://issues.apache.org/jira/browse/RANGER-3814 > Project: Ranger > Issue Type: Bug > Components: plugins >Affects Versions: 2.3.0 >Reporter: Madhan Neethiraj >Assignee: Madhan Neethiraj >Priority: Major > Fix For: 3.0.0, 2.4.0 > > Attachments: RANGER-3814.patch > > > Implementation of IS_IN_ROLE() condition uses request.userRoles to determine > if the user is in the given role. However, request.userRoles is not populated > with the roles for the current user; hence IS_IN_ROLE() condition fails. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3794) Improve performance of delete users/groups utility
[ https://issues.apache.org/jira/browse/RANGER-3794?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3794: - Fix Version/s: 2.4.0 > Improve performance of delete users/groups utility > -- > > Key: RANGER-3794 > URL: https://issues.apache.org/jira/browse/RANGER-3794 > Project: Ranger > Issue Type: Improvement > Components: Ranger >Reporter: Fateh Singh >Assignee: Fateh Singh >Priority: Major > Fix For: 3.0.0, 2.4.0 > > Attachments: > 0001-RANGER-3794-Improve-performance-of-delete-users-grou.patch > > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3840) SHOW DATABASES command should list databases owned by the user
[
https://issues.apache.org/jira/browse/RANGER-3840?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Madhan Neethiraj updated RANGER-3840:
-
Fix Version/s: 2.4.0
> SHOW DATABASES command should list databases owned by the user
> --
>
> Key: RANGER-3840
> URL: https://issues.apache.org/jira/browse/RANGER-3840
> Project: Ranger
> Issue Type: Bug
> Components: plugins
>Reporter: Madhan Neethiraj
>Assignee: Madhan Neethiraj
>Priority: Major
> Fix For: 3.0.0, 2.4.0
>
> Attachments: RANGER-3840.patch
>
>
> SHOW DATABASES command returns only databases in which the user has some
> access i.e., it will exclude databases in which the user has no permission.
> However, Ranger Hive authorizer does not take into permissions given to
> database owner user while processing list of databases for SHOW DATABASES
> command.
> Consider the following usecase:
> # User user1 is the owner for database db_user1
> # User user2 is the owner for database db_user2
> # For user1, databases list returned by SHOW DATABASES should include
> db_user1 - since default policies allow \{OWNER} user all permissions in the
> database
> # Similarly, for user2, databases list returned by SHOW DATABASES command
> should include db_user2
> However, the databases list returned by SHOW DATABASES command does not
> include the database owned by the user - unless additional policies
> explicitly grant the user permissions in the database.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Updated] (RANGER-3782) RANGER - Upgrade spring-security version to 5.6.5
[ https://issues.apache.org/jira/browse/RANGER-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3782: - Fix Version/s: 2.4.0 > RANGER - Upgrade spring-security version to 5.6.5 > - > > Key: RANGER-3782 > URL: https://issues.apache.org/jira/browse/RANGER-3782 > Project: Ranger > Issue Type: Task > Components: Ranger >Affects Versions: 3.0.0 >Reporter: Mateen N Mansoori >Assignee: Mateen Mansoori >Priority: Major > Fix For: 3.0.0, 2.4.0 > > > Currently ranger is pulling spring-security version-5.6.3, upgrade it to 5.6.5 -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3780) Ranger - Upgrade tomcat to 8.5.79
[ https://issues.apache.org/jira/browse/RANGER-3780?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3780: - Fix Version/s: 2.4.0 > Ranger - Upgrade tomcat to 8.5.79 > - > > Key: RANGER-3780 > URL: https://issues.apache.org/jira/browse/RANGER-3780 > Project: Ranger > Issue Type: Task > Components: Ranger >Affects Versions: 3.0.0, 2.3.0 >Reporter: Pradeep Agrawal >Assignee: Pradeep Agrawal >Priority: Major > Fix For: 3.0.0, 2.4.0 > > > This task is to upgrade tomcat version to 8.5.79 -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3812) update Python client to support multiple resource sets in a policy
[ https://issues.apache.org/jira/browse/RANGER-3812?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3812: - Fix Version/s: 2.4.0 > update Python client to support multiple resource sets in a policy > -- > > Key: RANGER-3812 > URL: https://issues.apache.org/jira/browse/RANGER-3812 > Project: Ranger > Issue Type: Sub-task > Components: intg >Reporter: Madhan Neethiraj >Assignee: Madhan Neethiraj >Priority: Major > Fix For: 3.0.0, 2.4.0 > > Attachments: RANGER-3812.patch > > > Python client should be updated to support new attribute > RangerPolicy.additionalResources. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3712) Update Apache Ranger website for 2.3.0 release
[ https://issues.apache.org/jira/browse/RANGER-3712?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3712: - Fix Version/s: 2.4.0 > Update Apache Ranger website for 2.3.0 release > --- > > Key: RANGER-3712 > URL: https://issues.apache.org/jira/browse/RANGER-3712 > Project: Ranger > Issue Type: Sub-task > Components: Ranger >Affects Versions: 3.0.0 >Reporter: Ramesh Mani >Assignee: Ramesh Mani >Priority: Major > Fix For: 3.0.0, 2.4.0 > > Attachments: > 0001-RANGER-3712-Update-Apache-Ranger-website-for-2.3.0-r.patch > > > Update Apache Ranger website for 2.3.0 release -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3818) Upgrade Solr to 8.11.2
[ https://issues.apache.org/jira/browse/RANGER-3818?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3818: - Fix Version/s: 2.4.0 > Upgrade Solr to 8.11.2 > -- > > Key: RANGER-3818 > URL: https://issues.apache.org/jira/browse/RANGER-3818 > Project: Ranger > Issue Type: Improvement > Components: plugins >Reporter: Kengo Seki >Assignee: Kengo Seki >Priority: Major > Fix For: 3.0.0, 2.4.0 > > Attachments: 0001-RANGER-3818-Upgrade-Solr-to-8.11.2.patch > > > [According to the Solr > site|https://solr.apache.org/downloads.html#about-versions-and-support], > older versions than 8.11 are already EOL'd. It should be upgraded to 8.11.x > at least. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3796) Enhancement to support multiple resource sets in a policy
[
https://issues.apache.org/jira/browse/RANGER-3796?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Madhan Neethiraj updated RANGER-3796:
-
Fix Version/s: 2.4.0
> Enhancement to support multiple resource sets in a policy
> -
>
> Key: RANGER-3796
> URL: https://issues.apache.org/jira/browse/RANGER-3796
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
>Reporter: Madhan Neethiraj
>Assignee: Madhan Neethiraj
>Priority: Major
> Fix For: 3.0.0, 2.4.0
>
> Attachments: RANGER-3796-2.patch, RANGER-3796.patch
>
>
> Ranger policy model allows multiple resources to be covered in a single
> policy. For example, by use of wildcards/macros/resource-list – as shown
> below:
> {noformat}
> - database: test_db, table: *, column: *
> - path: /home/{USER}
> - storageaccount: finance, relativepath: [ /taxes, /reports ] {noformat}
>
> It will be useful to extend this to support multiple resource sets in a
> policy, like:
> {noformat}
> - { database: db1, table: tb1, columns: * }, { database: db2, table: *,
> column: * }
> {noformat}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Updated] (RANGER-3820) Upgrade Netty version to 4.1.78.Final
[ https://issues.apache.org/jira/browse/RANGER-3820?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3820: - Fix Version/s: 2.4.0 > Upgrade Netty version to 4.1.78.Final > - > > Key: RANGER-3820 > URL: https://issues.apache.org/jira/browse/RANGER-3820 > Project: Ranger > Issue Type: Bug > Components: Ranger >Affects Versions: 3.0.0 >Reporter: Bhavik Patel >Assignee: Bhavik Patel >Priority: Major > Fix For: 2.4.0 > > Attachments: > 0001-RANGER-3820-Upgrade-Netty-version-to-4.1.78.Final.patch > > > Upgrade Netty version to 4.1.78.Final -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3806) Group's users mapping entry failing whenever primary key auto-increment is not set to 1 in db
[ https://issues.apache.org/jira/browse/RANGER-3806?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3806: - Fix Version/s: 2.4.0 > Group's users mapping entry failing whenever primary key auto-increment is > not set to 1 in db > - > > Key: RANGER-3806 > URL: https://issues.apache.org/jira/browse/RANGER-3806 > Project: Ranger > Issue Type: Bug > Components: Ranger >Reporter: Pradeep Agrawal >Assignee: Pradeep Agrawal >Priority: Major > Fix For: 3.0.0, 2.4.0 > > Attachments: > 0001-RANGER-3806-Group-s-users-mapping-entry-failing-when.patch > > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3767) Add text message in HDFS and YARN policy pages to highlight the fallback ACL option
[ https://issues.apache.org/jira/browse/RANGER-3767?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3767: - Fix Version/s: 2.4.0 > Add text message in HDFS and YARN policy pages to highlight the fallback ACL > option > --- > > Key: RANGER-3767 > URL: https://issues.apache.org/jira/browse/RANGER-3767 > Project: Ranger > Issue Type: Improvement > Components: Ranger >Affects Versions: 3.0.0 >Reporter: Dhaval Rajpara >Assignee: Dhaval Rajpara >Priority: Major > Fix For: 3.0.0, 2.4.0 > > Attachments: 0001-RANGER-3767.patch > > > HDFS and YARN policy pages need to show a text message highlighting the > fallback ACL option. By default, fallback is enabled for these components. > Showing this message in policy page will allow customers to understand the > behavior better and decide. > Message could be something like below. > "By default, fallback to [HDFS|Yarn] ACLs are enabled. If access cannot be > determined by Ranger policies, authorization will fall back to [HDFS|Yarn] > ACLs. If this behavior needs to be changed, modify [HDFS plugin config|Yarn > plugin config]" -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3819) Upgrade springframework version
[ https://issues.apache.org/jira/browse/RANGER-3819?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3819: - Fix Version/s: 2.4.0 > Upgrade springframework version > --- > > Key: RANGER-3819 > URL: https://issues.apache.org/jira/browse/RANGER-3819 > Project: Ranger > Issue Type: Bug > Components: admin >Affects Versions: 3.0.0 >Reporter: Bhavik Patel >Assignee: Bhavik Patel >Priority: Major > Fix For: 2.4.0 > > Attachments: 0001-RANGER-3819-Upgrade-springframework-version.patch > > > Upgrade springframework version 5.3.21 -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Resolved] (RANGER-3829) Incremental Sync value is always true under Ranger Audit (Usersync)
[
https://issues.apache.org/jira/browse/RANGER-3829?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Pradeep Agrawal resolved RANGER-3829.
-
Fix Version/s: 3.0.0
Resolution: Fixed
https://github.com/apache/ranger/commit/3bd591fbd1f0434b47263c2d99cf634f5ace8dd0
> Incremental Sync value is always true under Ranger Audit (Usersync)
> ---
>
> Key: RANGER-3829
> URL: https://issues.apache.org/jira/browse/RANGER-3829
> Project: Ranger
> Issue Type: Bug
> Components: usersync
>Reporter: Abhishek Kumar
>Assignee: Abhishek Kumar
>Priority: Major
> Fix For: 3.0.0
>
>
> Disabled the Incremental Sync in the Usersync configs but the *_Ranger UI ->
> Audit -> Usersync -> Sync Details_* shows the Incremental Sync value as
> always true.
>
> I could see the configs as -
> {code:java}
> [root@c3245-node2 conf]# cat ranger-ugsync-site.xml | grep -a2 delta
>
>
> ranger.usersync.ldap.deltasync
> false
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
Re: Review Request 74058: RANGER-3829: Incremental Sync Value to be read from usersync config
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/74058/#review224580 --- Ship it! Ship It! - Pradeep Agrawal On July 19, 2022, 1:51 a.m., Abhishek Kumar wrote: > > --- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/74058/ > --- > > (Updated July 19, 2022, 1:51 a.m.) > > > Review request for ranger, Sailaja Polavarapu and Velmurugan Periasamy. > > > Bugs: RANGER-3829 > https://issues.apache.org/jira/browse/RANGER-3829 > > > Repository: ranger > > > Description > --- > > Config parameter ranger.usersync.ldap.deltasync is hardcoded to true, the > review allows the param to be read from config file. > > > Diffs > - > > > ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java > 550775f65 > > > Diff: https://reviews.apache.org/r/74058/diff/2/ > > > Testing > --- > > Tested on remote cluster. > > > Thanks, > > Abhishek Kumar > >
[jira] [Updated] (RANGER-3841) update version ranger-2.4 to 2.4.0-SNAPSHOT
[ https://issues.apache.org/jira/browse/RANGER-3841?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3841: - Attachment: RANGER-3841.patch > update version ranger-2.4 to 2.4.0-SNAPSHOT > --- > > Key: RANGER-3841 > URL: https://issues.apache.org/jira/browse/RANGER-3841 > Project: Ranger > Issue Type: Task > Components: Ranger >Reporter: Madhan Neethiraj >Assignee: Madhan Neethiraj >Priority: Major > Attachments: RANGER-3841.patch > > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3664) Ranger KMS : Add refresh functionality on kms key listing page.
[ https://issues.apache.org/jira/browse/RANGER-3664?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-3664: - Fix Version/s: 2.4.0 (was: 2.3.0) > Ranger KMS : Add refresh functionality on kms key listing page. > --- > > Key: RANGER-3664 > URL: https://issues.apache.org/jira/browse/RANGER-3664 > Project: Ranger > Issue Type: Improvement > Components: kms, Ranger >Reporter: Mateen N Mansoori >Assignee: Dhaval Rajpara >Priority: Major > Fix For: 3.0.0, 2.4.0 > > > Add refresh functionality on kms key listing page. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Resolved] (RANGER-3710) Release Apache Ranger 2.3.0
[ https://issues.apache.org/jira/browse/RANGER-3710?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj resolved RANGER-3710. -- Resolution: Fixed > Release Apache Ranger 2.3.0 > --- > > Key: RANGER-3710 > URL: https://issues.apache.org/jira/browse/RANGER-3710 > Project: Ranger > Issue Type: Task > Components: Ranger >Affects Versions: 2.3.0 >Reporter: Ramesh Mani >Assignee: Ramesh Mani >Priority: Major > Fix For: 2.3.0 > > > Release Apache Ranger 2.3.0 -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Resolved] (RANGER-3714) Update version in branch-2.0 to 2.4.0-SNAPSHOT
[ https://issues.apache.org/jira/browse/RANGER-3714?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj resolved RANGER-3714. -- Fix Version/s: 2.4.0 Resolution: Duplicate Addressed in RANGER-3841. > Update version in branch-2.0 to 2.4.0-SNAPSHOT > -- > > Key: RANGER-3714 > URL: https://issues.apache.org/jira/browse/RANGER-3714 > Project: Ranger > Issue Type: Sub-task > Components: Ranger >Affects Versions: 2.3.0 >Reporter: Ramesh Mani >Priority: Major > Fix For: 2.4.0 > > > Update version in branch-2.0 to 2.4.0-SNAPSHOT -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Created] (RANGER-3841) update version ranger-2.4 to 2.4.0-SNAPSHOT
Madhan Neethiraj created RANGER-3841: Summary: update version ranger-2.4 to 2.4.0-SNAPSHOT Key: RANGER-3841 URL: https://issues.apache.org/jira/browse/RANGER-3841 Project: Ranger Issue Type: Task Components: Ranger Reporter: Madhan Neethiraj Assignee: Madhan Neethiraj -- This message was sent by Atlassian Jira (v8.20.10#820010)
