[jira] [Updated] (RANGER-3842) Ranger Kafka test connection timeout in Kerberos environment
[ https://issues.apache.org/jira/browse/RANGER-3842?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

kejie updated RANGER-3842:
--
Description:
Excuse me, how can I configure my Kafka to work normally?
The following is my related configuration and log information!

ranger-admin.log

{code:java}
2022-07-26 02:52:13,658 [http-nio-6080-exec-9] ERROR [ServiceMgr.java:198] ==> ServiceMgr.validateConfig Error:java.util.concurrent.TimeoutException
...
...
...
2022-07-26 00:00:28,532 [http-nio-6080-exec-5] INFO [RESTErrorUtil.java:346] Request failed. loginId=null, logMessage=Unauthenticated access not allowed
javax.ws.rs.WebApplicationException: null{code}

This is my Kafka server.log

{code:java}
[2022-07-26 11:27:05,359] WARN Error getting Roles. secureMode=false, user=root (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0}, serviceName=kmr_kafka (org.apache.ranger.admin.client.RangerAdminRESTClient){code}

ranger-admin ui
!image-2022-07-26-11-38-37-426.png!
!image-2022-07-26-11-42-13-846.png!
!image-2022-07-26-11-38-55-377.png!

ranger-admin install.properties kerberos config
{code:java}
# Kerberos Config -
spnego_principal=HTTP/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
spnego_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
token_valid=30
cookie_domain=
cookie_path=/
admin_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
admin_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
lookup_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
lookup_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
hadoop_conf=/mnt/kmr/hadoop/1/hadoop-3.1.1/etc/hadoop {code}

was:
Excuse me, how can I configure my Kafka to work normally?
The following is my related configuration and log information!

ranger-admin.log

{code:java}
2022-07-26 02:52:13,658 [http-nio-6080-exec-9] ERROR [ServiceMgr.java:198] ==> ServiceMgr.validateConfig Error:java.util.concurrent.TimeoutException
...
...
...
2022-07-26 00:00:28,532 [http-nio-6080-exec-5] INFO [RESTErrorUtil.java:346] Request failed. loginId=null, logMessage=Unauthenticated access not allowed
javax.ws.rs.WebApplicationException: null{code}

This is my Kafka server.log

{code:java}
[2022-07-26 11:27:05,359] WARN Error getting Roles. secureMode=false, user=root (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0}, serviceName=kmr_kafka (org.apache.ranger.admin.client.RangerAdminRESTClient){code}

ranger-admin ui
!image-2022-07-26-11-38-37-426.png!
!image-2022-07-26-11-38-55-377.png!

ranger-admin install.properties kerberos config
{code:java}
# Kerberos Config -
spnego_principal=HTTP/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
spnego_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
token_valid=30
cookie_domain=
cookie_path=/
admin_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
admin_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
lookup_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
lookup_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
hadoop_conf=/mnt/kmr/hadoop/1/hadoop-3.1.1/etc/hadoop {code}

> Ranger Kafka test connection timeout in Kerberos environment
>
>
> Key: RANGER-3842
> URL: https://issues.apache.org/jira/browse/RANGER-3842
> Project: Ranger
> Issue Type: Bug
> Components: plugins, Ranger
> Affects Versions: 2.3.0
> Environment: linux
> Reporter: kejie
> Priority: Major
> Attachments: image-2022-07-26-11-38-37-426.png, image-2022-07-26-11-38-55-377.png, image-2022-07-26-11-42-13-846.png
>
>
> Excuse me, how can I configure my Kafka to work normally?
> The following is my related configuration and log information!
>
> ranger-admin.log
>
> {code:java}
> 2022-07-26 02:52:13,658 [http-nio-6080-exec-9] ERROR [ServiceMgr.java:198] ==> ServiceMgr.validateConfig Error:java.util.concurrent.TimeoutException
> ...
> ...
> ...
> 2022-07-26 00:00:28,532 [http-nio-6080-exec-5] INFO [RESTErrorUtil.java:346] Request failed. loginId=null, logMessage=Unauthenticated access not allowed
> javax.ws.rs.WebApplicationException: null{code}
>
> This is my Kafka server.log
>
> {code:java}
> [2022-07-26 11:27:05,359] WARN Error getting Roles. secureMode=false, user=root (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0}, serviceName=kmr_kafka (org.apache.ranger.admin.client.RangerAdminRESTClient){code}
>
> ranger-admin ui
> !image-2022-07-26-11-38-37-426.png!
> !image-2022-07-26-11-42-13-846.png!
> !image-2022-07-26-11-38-55-377.png!
> ranger-admin install.properties kerberos config
> {code:java}
> # Kerberos Config -
>
[jira] [Created] (RANGER-3842) Ranger Kafka test connection timeout in Kerberos environment
kejie created RANGER-3842:
--
Summary: Ranger Kafka test connection timeout in Kerberos environment
Key: RANGER-3842
URL: https://issues.apache.org/jira/browse/RANGER-3842
Project: Ranger
Issue Type: Bug
Components: plugins, Ranger
Affects Versions: 2.3.0
Environment: linux
Reporter: kejie

Excuse me, how can I configure my Kafka to work normally?
The following is my related configuration and log information!

ranger-admin.log

{code:java}
2022-07-26 02:52:13,658 [http-nio-6080-exec-9] ERROR [ServiceMgr.java:198] ==> ServiceMgr.validateConfig Error:java.util.concurrent.TimeoutException
...
...
...
2022-07-26 00:00:28,532 [http-nio-6080-exec-5] INFO [RESTErrorUtil.java:346] Request failed. loginId=null, logMessage=Unauthenticated access not allowed
javax.ws.rs.WebApplicationException: null{code}

This is my Kafka server.log

{code:java}
[2022-07-26 11:27:05,359] WARN Error getting Roles. secureMode=false, user=root (auth:SIMPLE), response={"httpStatusCode":400,"statusCode":0}, serviceName=kmr_kafka (org.apache.ranger.admin.client.RangerAdminRESTClient){code}

ranger-admin ui
!image-2022-07-26-11-29-26-959.png!
!image-2022-07-26-11-34-17-217.png!

ranger-admin install.properties kerberos config
{code:java}
# Kerberos Config -
spnego_principal=HTTP/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
spnego_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
token_valid=30
cookie_domain=
cookie_path=/
admin_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
admin_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
lookup_principal=hadoop/kmr-58106bd2-gn-127160a8-master-1-1.ksc@kingsoft.com
lookup_keytab=/etc/kmr/krb5/data/keytabs/kmr.keytab
hadoop_conf=/mnt/kmr/hadoop/1/hadoop-3.1.1/etc/hadoop {code}

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Comment Edited] (RANGER-3839) Ranger Tag based policy with ability to show metadata for covered resource
[ https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17571099#comment-17571099 ]

Madhan Neethiraj edited comment on RANGER-3839 at 7/25/22 9:30 PM:
---
[~in.rames...@gmail.com] - commands {{SHOW DATABASES}}, {{USE __}} and {{SHOW TABLES}} don't require any additional policies to be set up. These commands look if user has _any_ permission on the accessed database/table or a sub-resource in its hierarchy (i.e., tables or columns).

I verified the following with Hive plugin from master branch:
# Login as user=hive in beeline and execute following statements to create table hr.employee:
** {{create database hr;}}
** {{create table hr.employee(id int, name string, ssn string, address string);}}
# Login as user=user1 in beeline and execute statement {{use hr;}} This results in following error, as the user doesn't have access to any resource within database=hr.
** {{Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [user1] does not have [USE] privilege on [hr] (state=42000,code=4)}}
# Now add tag PII on column hr.employee.ssn, with the following:
{code:java}
{
  "op": "add_or_update",
  "serviceName": "dev_hive",
  "tagDefinitions": { "0": { "name": "PII" } },
  "tags": { "0": { "type": "PII" } },
  "serviceResources": [
    {
      "id": 0,
      "serviceName": "dev_hive",
      "resourceElements": {
        "database": { "values": [ "hr" ] },
        "table": { "values": [ "employee" ] },
        "column": { "values": [ "ssn" ] }
      }
    }
  ],
  "resourceToTagIds": { "0": [ "0" ] }
}{code}
# Create a tag-based policy for tag=PII to allow {{hive:select}} access to user1
# Now execute following commands as user1:
** {{show databases;}} hr database is included in returned list
** {{use hr;}} - the command succeeds.
** {{show tables;}} employee table is included in returned list

Please verify your use case with above details. I see a couple of missing details/issues in the example detailed in this Jira description.
# missing: association of tag=RESTRICTED on column=employee.personal.city. Please make sure that the tag is associated with the column.
# Policy for tag=RESTRICTED is shown to have id=1, but audit log has policyId=101. Is the access allowed by a different policy?

was (Author: madhan.neethiraj):
[~in.rames...@gmail.com] - commands {{SHOW DATABASES}}, {{USE __}} and {{SHOW TABLES}} don't require any additional policies to be set up. These commands look if user has _any_ permission on the accessed database/table or a sub-resource in its hierarchy (i.e., tables or columns).

I verified the following with Hive plugin from master branch:
# Login as user=hive in beeline and execute following statements to create table hr.employee:
** {{create database hr;}}
** {{create table hr.employee(id int, name string, ssn string, address string);}}
# Login as user=user1 in beeline and execute statement {{use hr;}} This results in following error, as the user doesn't have access to any resource within database=hr.
** {{Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [user1] does not have [USE] privilege on [hr] (state=42000,code=4)}}
# Now add tag PII on column hr.employee.ssn, with the following:
{ "op": "add_or_update", "serviceName": "dev_hive", "tagDefinitions": \{ "0": { "name": "PII" } }, "tags": \{ "0":{ "type": "PII" } }, "serviceResources": [ { "id": 0, "serviceName": "dev_hive", "resourceElements": { "database": \{ "values": [ "hr" ] } "table": \{ "values": [ "employee" ] } "column": \{ "values": [ "ssn" ] } } ], "resourceToTagIds": \{ "0": [ "0" ] } }
# Create a tag-based policy for tag=PII to allow {{hive:select}} access to user1
# Now execute following commands as user1:
** {{show databases;}} hr database is included in returned list
** {{use hr;}} - the command succeeds.
** {{show tables;}} employee table is included in returned list

Please verify your use case with above details. I see a couple of missing details/issues in the example detailed in this Jira description.
# missing: association of tag=RESTRICTED on column=employee.personal.city. Please make sure that the tag is associated with the column.
# Policy for tag=RESTRICTED is shown to have id=1, but audit log has policyId=101. Is the access allowed by a different policy?

> Ranger Tag based policy with ability to show metadata for covered resource
> --
>
> Key: RANGER-3839
> URL:
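The behaviour described in the comment above (metadata commands succeed when the user has any permission on the database/table or on a sub-resource under it), as an added example that is not Ranger's policy-engine code and not part of the original message. The function names and the `TAG_POLICIES` structure are hypothetical; only a tag on the resource itself or on a descendant is modelled, and the resource names, tag and user are the ones used in the comment.

```python
import json
from itertools import product

# Tag import payload from the comment (Jira markup removed).
TAG_IMPORT = json.loads("""
{
  "op": "add_or_update",
  "serviceName": "dev_hive",
  "tagDefinitions": { "0": { "name": "PII" } },
  "tags": { "0": { "type": "PII" } },
  "serviceResources": [
    { "id": 0, "serviceName": "dev_hive",
      "resourceElements": {
        "database": { "values": [ "hr" ] },
        "table":    { "values": [ "employee" ] },
        "column":   { "values": [ "ssn" ] } } }
  ],
  "resourceToTagIds": { "0": [ "0" ] }
}
""")

# Same resource, but with the tag association missing (the first issue
# raised at the end of the comment). Constructed for this example.
UNTAGGED = {**TAG_IMPORT, "resourceToTagIds": {}}

# Constructed stand-in for the tag-based policy in the steps:
# tag=PII allows hive:select to user1. Hypothetical structure.
TAG_POLICIES = [{"tag": "PII", "access": "hive:select", "users": {"user1"}}]

LEVELS = ("database", "table", "column")


def tagged_resources(payload):
    """Expand the payload into (path, tag names) pairs; path = (db, table, column)."""
    out = []
    for res in payload["serviceResources"]:
        tag_ids = payload["resourceToTagIds"].get(str(res["id"]), [])
        tags = {payload["tags"][t]["type"] for t in tag_ids}
        elems = res["resourceElements"]
        values = [elems[level]["values"] for level in LEVELS if level in elems]
        for path in product(*values):  # one path per combination of values
            out.append((path, tags))
    return out


def user_accesses(user, tags, policies):
    """Access types the tag policies grant to `user` through any of `tags`."""
    return {p["access"] for p in policies
            if p["tag"] in tags and user in p["users"]}


def is_allowed(user, access, path, payload, policies):
    """Data access on one exact resource, e.g. hive:select on hr.employee.ssn."""
    path = tuple(path)
    return any(res_path == path and access in user_accesses(user, tags, policies)
               for res_path, tags in tagged_resources(payload))


def has_any_access(user, path, payload, policies):
    """Metadata check for USE / SHOW TABLES: any permission at `path` or below it."""
    path = tuple(path)
    return any(res_path[:len(path)] == path and user_accesses(user, tags, policies)
               for res_path, tags in tagged_resources(payload))


def visible_databases(user, payload, policies):
    """SHOW DATABASES: databases in which the user has any access at all."""
    return sorted({res_path[0] for res_path, tags in tagged_resources(payload)
                   if user_accesses(user, tags, policies)})


if __name__ == "__main__":
    for label, payload in (("tag not associated", UNTAGGED),
                           ("PII tag on hr.employee.ssn", TAG_IMPORT)):
        print(label)
        print("  use hr        ->", has_any_access("user1", ["hr"], payload, TAG_POLICIES))
        print("  show tables   ->", has_any_access("user1", ["hr", "employee"], payload, TAG_POLICIES))
        print("  show databases->", visible_databases("user1", payload, TAG_POLICIES))
```

With the association missing, every check returns false, which matches the request at the end of the comment to confirm that the tag is actually attached to the column.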
[jira] [Commented] (RANGER-3839) Ranger Tag based policy with ability to show metadata for covered resource
[ https://issues.apache.org/jira/browse/RANGER-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17571099#comment-17571099 ]

Madhan Neethiraj commented on RANGER-3839:
--
[~in.rames...@gmail.com] - commands {{SHOW DATABASES}}, {{USE __}} and {{SHOW TABLES}} don't require any additional policies to be set up. These commands look if user has _any_ permission on the accessed database/table or a sub-resource in its hierarchy (i.e., tables or columns).

I verified the following with Hive plugin from master branch:
# Login as user=hive in beeline and execute following statements to create table hr.employee:
** {{create database hr;}}
** {{create table hr.employee(id int, name string, ssn string, address string);}}
# Login as user=user1 in beeline and execute statement {{use hr;}} This results in following error, as the user doesn't have access to any resource within database=hr.
** {{Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [user1] does not have [USE] privilege on [hr] (state=42000,code=4)}}
# Now add tag PII on column hr.employee.ssn, with the following:
{{{}}
{{ "op": "add_or_update",}}
{{ "serviceName": "dev_hive",}}
{{ "tagDefinitions": \{ "0": { "name": "PII" } },}}
{{ "tags": \{ "0": { "type": "PII" } },}}
{{ "serviceResources": [}}
{{ { "id": 0, "serviceName": "dev_hive", "resourceElements": { "database": \{ "values": [ "hr" ] }, "table": \{ "values": [ "employee" ] }, "column": \{ "values": [ "ssn" ] } } }}}
{{ ],}}
{{ "resourceToTagIds": \{ "0": [ "0" ] }}}
{{ }}}
# Create a tag-based policy for tag=PII to allow {{hive:select}} access to user1
# Now execute following commands as user1:
** {{show databases;}} hr database is included in returned list
** {{use hr;}} - the command succeeds.
** {{show tables;}} employee table is included in returned list

Please verify your use case with above details. I see a couple of missing details/issues in the example detailed in this Jira description.
# missing: association of tag=RESTRICTED on column=employee.personal.city. Please make sure that the tag is associated with the column.
# Policy for tag=RESTRICTED is shown to have id=1, but audit log has policyId=101. Is the access allowed by a different policy?

> Ranger Tag based policy with ability to show metadata for covered resource
> --
>
> Key: RANGER-3839
> URL: https://issues.apache.org/jira/browse/RANGER-3839
> Project: Ranger
> Issue Type: New Feature
> Components: plugins
> Reporter: Ramesh Bhanan Byndoor
> Priority: Major
>
> Have a use case around this for trino and hive where user should be able to see allowed parents along with child table
>
> For below case from here
> [https://github.com/apache/ranger/blob/release-ranger-2.3.0/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive_filebased.json#L266]
>
> Resource
>
> {code:java}
> {
>   "serviceName": "cl1_hive",
>   "resourceElements": {
>     "database": {
>       "values": ["employee"]
>     },
>     "table": {
>       "values": ["personal"]
>     },
>     "column": {
>       "values": ["city"]
>     }
>   },
>   "id": 3,
>   "guid": "employee.personal.city-guid"
> }
> {code}
> Policy
> {code:java}
> {
>   "id": 1,
>   "name": "RESTRICTED_TAG_POLICY",
>   "isEnabled": true,
>   "isAuditEnabled": true,
>   "resources": {
>     "tag": {
>       "values": ["RESTRICTED"],
>       "isRecursive": false
>     }
>   },
>   "policyItems": [{
>     "accesses": [{
>       "type": "hive:select",
>       "isAllowed": true
>     }],
>     "users": ["hive", "user1"],
>     "groups": [],
>     "delegateAdmin": false,
>     "conditions": [{
>       "type": "expression",
>       "values": ["if ( tagAttr.get('score') < 2 ) ctx.result = true;"]
>     }]
>   }]
> }{code}
> The test below is working as expected
> {code:java}
> {
>   "name": "ALLOW 'select city from employee.personal;' for user1 using RESTRICTED tag",
>   "request": {
>     "resource": {
>       "elements": {
>         "database": "employee",
>         "table": "personal",
>         "column": "city"
>       }
>     },
>     "accessType": "select",
>     "user": "user1",
>     "userGroups": [],
>     "requestData": "select city from employee.personal;' for user1"
>   },
>   "result": {
>     "isAudited": true,
>     "isAllowed": true,
>     "policyId": 101
>   }
> }{code}
> The expectation is how
[jira] [Updated] (RANGER-3829) Incremental Sync value is always true under Ranger Audit (Usersync)
[ https://issues.apache.org/jira/browse/RANGER-3829?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3829:
--
Fix Version/s: 2.4.0

> Incremental Sync value is always true under Ranger Audit (Usersync)
> --
>
> Key: RANGER-3829
> URL: https://issues.apache.org/jira/browse/RANGER-3829
> Project: Ranger
> Issue Type: Bug
> Components: usersync
> Reporter: Abhishek Kumar
> Assignee: Abhishek Kumar
> Priority: Major
> Fix For: 3.0.0, 2.4.0
>
>
> Disabled the Incremental Sync in the Usersync configs but the *_Ranger UI -> Audit -> Usersync -> Sync Details_* shows the Incremental Sync value as always true.
>
> I could see the configs as -
> {code:java}
> [root@c3245-node2 conf]# cat ranger-ugsync-site.xml | grep -a2 delta
>
>
> ranger.usersync.ldap.deltasync
> false
> {code}

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-3387) Ranger Admin Header Validation.
[ https://issues.apache.org/jira/browse/RANGER-3387?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3387:
-------------------------------------
    Fix Version/s: 2.4.0

> Ranger Admin Header Validation.
> ---
>
> Key: RANGER-3387
> URL: https://issues.apache.org/jira/browse/RANGER-3387
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 2.2.0
> Reporter: Mateen N Mansoori
> Assignee: Sailaja Polavarapu
> Priority: Major
> Fix For: 3.0.0, 2.4.0
> Attachments: 0001-RANGER-3387-Added-extra-validation-for-handling-PUT-.patch, 0001-RANGER-3387-Ranger-Admin-Header-Validation.patch
>
> Ranger Admin Header Validation.
[jira] [Updated] (RANGER-3789) Upgrade Handlebars version to 4.7.7
[ https://issues.apache.org/jira/browse/RANGER-3789?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3789:
-------------------------------------
    Fix Version/s: 2.4.0

> Upgrade Handlebars version to 4.7.7
> ---
>
> Key: RANGER-3789
> URL: https://issues.apache.org/jira/browse/RANGER-3789
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 3.0.0
> Reporter: Bhavik Patel
> Assignee: Dhaval Rajpara
> Priority: Major
> Fix For: 3.0.0, 2.4.0
> Attachments: 0001-RANGER-3789.patch
>
> Upgrade Handlebars version to 4.7.7 as current version is affected with CVEs
[jira] [Updated] (RANGER-3165) Upgrade Elasticsearch version in Ranger to Elasticsearch 7.10.2
[ https://issues.apache.org/jira/browse/RANGER-3165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3165:
-------------------------------------
    Fix Version/s: 2.4.0

> Upgrade Elasticsearch version in Ranger to Elasticsearch 7.10.2
> ---
>
> Key: RANGER-3165
> URL: https://issues.apache.org/jira/browse/RANGER-3165
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Affects Versions: 3.0.0
> Reporter: YangCheng
> Assignee: Bhavik Patel
> Priority: Major
> Fix For: 3.0.0, 2.4.0
> Attachments: 0001-RANGER-3165-Upgrade-Elasticsearch-version-in-Ranger-.patch
>
> Current ES version 7.6.0 affected with many CVE's issue, 7.10.2 is the last version of elasticsearch based on Apache license, so it's better to update the version to 7.10.2
[jira] [Updated] (RANGER-3822) RangerService outputs password information in plaintext
[ https://issues.apache.org/jira/browse/RANGER-3822?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3822:
-------------------------------------
    Fix Version/s: 2.4.0

> RangerService outputs password information in plaintext
> ---
>
> Key: RANGER-3822
> URL: https://issues.apache.org/jira/browse/RANGER-3822
> Project: Ranger
> Issue Type: Improvement
> Components: admin
> Affects Versions: 1.2.0, 2.2.0
> Reporter: Binhua Hu
> Assignee: Binhua Hu
> Priority: Major
> Fix For: 3.0.0, 2.4.0
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> RangerService outputs information in plaintext, causing the component password to be leaked. For example, when the Ranger service with the same name is created repeatedly, the password information of relevant components will be printed in the log.
> {code:java}
> 2022-07-11 10:08:59,505 [http-bio-6080-exec-4] ERROR org.apache.ranger.rest.ServiceRest(SericeREST.java:672) - createService(RangerService={id={null} guid={null} isEnabled={true} createdBy={null} updateBy={null} createTime={Thu Jan 01 08:00:00 GMT+8:00 1970} updateTime={Thu Jan 01 08:00:00 GMT+8:00 1970} version={1} name={service-kafka} type={kafka} description={null} tagService={null} configs={password={123456} username={admin}} policyVersion={0} policyUpdateTime={Thu Jan 01 08:00:00 GMT+8:00 1970} tagVersion={1} tagUpdateTime={Thu Jan 01 08:00:00 GMT+8:00 1970}}) failed{code}
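An added example (not code from the Ranger project or from the issue) of scrubbing the `key={value}` log format shown in RANGER-3822 after the fact: it walks the nested pairs, masks the value of any key that looks like a secret, and reports which keys leaked. The key-name list, the mask string and the function names are assumptions; the sample line is abridged from the log line quoted in the issue.

```python
import re

# Key names treated as secrets: an assumed list, extend it for your services.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|credential)", re.IGNORECASE)
# A key followed by "={", as printed in the log line quoted in the issue.
KEY_OPEN = re.compile(r"([A-Za-z0-9_.\-]+)=\{")
MASK = "*****"

# Abridged from the log line quoted in RANGER-3822.
SAMPLE = (
    "2022-07-11 10:08:59,505 [http-bio-6080-exec-4] ERROR "
    "org.apache.ranger.rest.ServiceRest(SericeREST.java:672) - "
    "createService(RangerService={id={null} name={service-kafka} type={kafka} "
    "configs={password={123456} username={admin}} policyVersion={0}}) failed"
)


def _closing_brace(text, open_idx):
    """Index of the brace that closes the one at open_idx, or -1 if unbalanced."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    return -1


def redact(line):
    """Return (redacted_line, leaked_keys) for one log line.

    Every key={value} pair is visited, descending into nested values such as
    configs={...}; the value of a secret-looking key is replaced by MASK.
    """
    out, leaked, pos = [], [], 0
    while True:
        m = KEY_OPEN.search(line, pos)
        if not m:
            out.append(line[pos:])
            break
        key = m.group(1)
        out.append(line[pos:m.end()])            # text up to and including "key={"
        close_idx = _closing_brace(line, m.end() - 1)
        if close_idx == -1:
            # Truncated line: mask the rest if the key is a secret, otherwise
            # keep scanning the remainder so a nested secret is still caught.
            if SENSITIVE_KEY.search(key):
                leaked.append(key)
                out.append(MASK)
            else:
                inner, inner_leaked = redact(line[m.end():])
                out.append(inner)
                leaked.extend(inner_leaked)
            break
        if SENSITIVE_KEY.search(key):
            leaked.append(key)
            out.append(MASK)
        else:
            inner, inner_leaked = redact(line[m.end():close_idx])
            out.append(inner)
            leaked.extend(inner_leaked)
        out.append("}")
        pos = close_idx + 1
    return "".join(out), leaked


if __name__ == "__main__":
    clean, keys = redact(SAMPLE)
    print(keys)
    print(clean)
```

A password that itself contains `}` makes this format ambiguous, so part of it can survive scrubbing; keeping secret values out of the object's string form before it reaches the logger is the durable fix.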
[jira] [Updated] (RANGER-3763) The max limit of the requested entities is not configurable in tagsync
[ https://issues.apache.org/jira/browse/RANGER-3763?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3763:
-------------------------------------
    Fix Version/s: 2.4.0

> The max limit of the requested entities is not configurable in tagsync
> --
>
> Key: RANGER-3763
> URL: https://issues.apache.org/jira/browse/RANGER-3763
> Project: Ranger
> Issue Type: Improvement
> Components: tagsync
> Affects Versions: 1.2.0, 2.2.0
> Reporter: Binhua Hu
> Assignee: Binhua Hu
> Priority: Major
> Fix For: 3.0.0, 2.4.0
> Time Spent: 50m
> Remaining Estimate: 0h
>
> The requested entity size is set to a fixed value (1) in the Tagsync source code (AtlasRESTTagSource), which has the following problems:
> 1. If the atlas server limits the request body size, tagsync needs to be repackaged to fit the server settings
> 2. Debugging in the source code will print the full request body. If the requested entities size cannot be adjusted, the log view will be affected
[jira] [Updated] (RANGER-3670) Policy update creates unnecessary entries in transaction log table
[ https://issues.apache.org/jira/browse/RANGER-3670?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3670:
-------------------------------------
    Fix Version/s: 2.4.0

> Policy update creates unnecessary entries in transaction log table
> --
>
> Key: RANGER-3670
> URL: https://issues.apache.org/jira/browse/RANGER-3670
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 2.2.0
> Reporter: Madhan Neethiraj
> Assignee: Abhishek Kumar
> Priority: Major
> Fix For: 2.4.0
>
> When a policy is updated, Ranger creates entries in x_trx_log table for each updated field in the policy. For example, when a policy is disabled, following record is added in this table:
>
> ||object_id||object_name||attr_name||prev_val||new_val||
> |6|all - database|Policy Status|true|false|
>
> Following 2 additional records are added in this table even though these fields are not updated in the policy:
> ||object_id||object_name||attr_name||prev_val||new_val||
> |6|all - database|Validity Schedules|[]|[]|
> |6|all - database|Policy Conditions| | |
>
> Above entries should be avoided.
[jira] [Updated] (RANGER-3825) Ranger internal user is unable to change his password after the upgrade.
[ https://issues.apache.org/jira/browse/RANGER-3825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3825:
-------------------------------------
    Fix Version/s: 2.4.0

> Ranger internal user is unable to change his password after the upgrade.
> ---
>
> Key: RANGER-3825
> URL: https://issues.apache.org/jira/browse/RANGER-3825
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 2.2.0, 2.3.0
> Reporter: Pradeep Agrawal
> Assignee: Pradeep Agrawal
> Priority: Critical
> Fix For: 3.0.0, 2.4.0
> Attachments: 0001-RANGER-3825-Ranger-internal-user-is-unable-to-change.patch
>
> Ranger internal user is unable to change his password after the upgrade.
> Workaround : Ranger admin user can change the password of other users.
[jira] [Updated] (RANGER-3798) Ranger API Resource Metrics REST "Up time of JVM" does not update.
[ https://issues.apache.org/jira/browse/RANGER-3798?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3798:
-------------------------------------
    Fix Version/s: 2.4.0

> Ranger API Resource Metrics REST "Up time of JVM" does not update.
> --
>
> Key: RANGER-3798
> URL: https://issues.apache.org/jira/browse/RANGER-3798
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Dineshkumar Yadav
> Assignee: Dineshkumar Yadav
> Priority: Minor
> Fix For: 3.0.0, 2.4.0
>
> Ranger API Resource Metrics REST, one of the attributes "Up time of JVM" does not get updated value over the period of time.
[jira] [Updated] (RANGER-3807) getUserRoles API gives 200 for non existing user passed to this API
[ https://issues.apache.org/jira/browse/RANGER-3807?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3807:
-------------------------------------
    Fix Version/s: 2.4.0

> getUserRoles API gives 200 for non existing user passed to this API
> ---
>
> Key: RANGER-3807
> URL: https://issues.apache.org/jira/browse/RANGER-3807
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Anupam Rai
> Assignee: Pradeep Agrawal
> Priority: Major
> Fix For: 3.0.0, 2.4.0
> Attachments: 0001-RANGER-3807-getUserRoles-API-gives-200-for-non-exist.patch
>
> Steps to reproduce :
> 1. Hit this API /roles/roles/user/\{user} with any random string
> 2. We should get any error message if user is not available
> Actual : We are getting 200 response for any random string
> Https status : 200 OK
> {code:java}
> [] {code}
[jira] [Updated] (RANGER-3813) Fix ConcurrentModificationException in UnixUserGroupBuilder
[ https://issues.apache.org/jira/browse/RANGER-3813?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3813:
-------------------------------------
    Fix Version/s: 2.4.0

> Fix ConcurrentModificationException in UnixUserGroupBuilder
> ---
>
> Key: RANGER-3813
> URL: https://issues.apache.org/jira/browse/RANGER-3813
> Project: Ranger
> Issue Type: Bug
> Components: usersync
> Affects Versions: 2.2.0
> Reporter: Abhishek Kumar
> Assignee: Abhishek Kumar
> Priority: Major
> Fix For: 3.0.0, 2.4.0
>
> Line number 426 in ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java updates the map during iteration, which raises the exception ConcurrentModificationException; the jira tracks the fix for the same.
[jira] [Updated] (RANGER-3623) Add ability to enable anonymous download of policy/role/tag
[ https://issues.apache.org/jira/browse/RANGER-3623?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3623:
-------------------------------------
    Fix Version/s: 2.4.0

> Add ability to enable anonymous download of policy/role/tag
> ---
>
> Key: RANGER-3623
> URL: https://issues.apache.org/jira/browse/RANGER-3623
> Project: Ranger
> Issue Type: Improvement
> Components: admin
> Affects Versions: 3.0.0, 2.3.0
> Reporter: kirby zhou
> Assignee: kirby zhou
> Priority: Major
> Fix For: 3.0.0, 2.4.0
> Attachments: add-downloadonly-option.patch
>
> Currently, we have an option ranger.admin.allow.unauthenticated.access to allow unauthenticated clients to perform a series of API operations. This option allows the client to perform both dangerous grant/revoke permission operation and relatively safe download operation.
> In many cases, allowing anonymous downloading of policy is not a serious risk problem. On the contrary, the complicated kerberos and SSL settings make it difficult for ranger plugin embedded in third-party services to complete the task of refreshing policy, which may be a bigger problem. In particular, refresh failure often has no obvious features for administrators to discover.
> Therefore, I suggest that ranger increase the ability to allow client to download policy/tag/roles anonymously.
> There are two ways to achieve it.
>
> 1. Just limit the ability of "ranger.admin.allow.unauthenticated.access=true" which needs to modify "security-admin/src/main/resources/conf.dist/security-applicationContext.xml" to remove dangerous operations from ' security="none"'.
>
> 2. Add a candidate value "downloadonly" to "ranger.admin.allow.unauthenticated.access", which needs to modify ServiceRest.Java and BizUtil.java to implement the enhanced checking logic.
>
> I have a patch for method2
[jira] [Updated] (RANGER-3814) IS_IN_ROLE(roleName) condition always returns false
[ https://issues.apache.org/jira/browse/RANGER-3814?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3814:
-------------------------------------
    Fix Version/s: 2.4.0

> IS_IN_ROLE(roleName) condition always returns false
> ---
>
> Key: RANGER-3814
> URL: https://issues.apache.org/jira/browse/RANGER-3814
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 2.3.0
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Priority: Major
> Fix For: 3.0.0, 2.4.0
> Attachments: RANGER-3814.patch
>
> Implementation of IS_IN_ROLE() condition uses request.userRoles to determine if the user is in the given role. However, request.userRoles is not populated with the roles for the current user; hence IS_IN_ROLE() condition fails.
[jira] [Updated] (RANGER-3794) Improve performance of delete users/groups utility
[ https://issues.apache.org/jira/browse/RANGER-3794?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3794:
-------------------------------------
    Fix Version/s: 2.4.0

> Improve performance of delete users/groups utility
> --
>
> Key: RANGER-3794
> URL: https://issues.apache.org/jira/browse/RANGER-3794
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Reporter: Fateh Singh
> Assignee: Fateh Singh
> Priority: Major
> Fix For: 3.0.0, 2.4.0
> Attachments: 0001-RANGER-3794-Improve-performance-of-delete-users-grou.patch
[jira] [Updated] (RANGER-3840) SHOW DATABASES command should list databases owned by the user
[ https://issues.apache.org/jira/browse/RANGER-3840?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3840:
-------------------------------------
    Fix Version/s: 2.4.0

> SHOW DATABASES command should list databases owned by the user
> --
>
> Key: RANGER-3840
> URL: https://issues.apache.org/jira/browse/RANGER-3840
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Priority: Major
> Fix For: 3.0.0, 2.4.0
> Attachments: RANGER-3840.patch
>
> SHOW DATABASES command returns only databases in which the user has some access i.e., it will exclude databases in which the user has no permission. However, Ranger Hive authorizer does not take into account permissions given to database owner user while processing list of databases for SHOW DATABASES command.
> Consider the following use case:
> # User user1 is the owner for database db_user1
> # User user2 is the owner for database db_user2
> # For user1, databases list returned by SHOW DATABASES should include db_user1 - since default policies allow \{OWNER} user all permissions in the database
> # Similarly, for user2, databases list returned by SHOW DATABASES command should include db_user2
> However, the databases list returned by SHOW DATABASES command does not include the database owned by the user - unless additional policies explicitly grant the user permissions in the database.
[jira] [Updated] (RANGER-3782) RANGER - Upgrade spring-security version to 5.6.5
[ https://issues.apache.org/jira/browse/RANGER-3782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3782:
-------------------------------------
    Fix Version/s: 2.4.0

> RANGER - Upgrade spring-security version to 5.6.5
> -
>
> Key: RANGER-3782
> URL: https://issues.apache.org/jira/browse/RANGER-3782
> Project: Ranger
> Issue Type: Task
> Components: Ranger
> Affects Versions: 3.0.0
> Reporter: Mateen N Mansoori
> Assignee: Mateen Mansoori
> Priority: Major
> Fix For: 3.0.0, 2.4.0
>
> Currently ranger is pulling spring-security version-5.6.3, upgrade it to 5.6.5
[jira] [Updated] (RANGER-3780) Ranger - Upgrade tomcat to 8.5.79
[ https://issues.apache.org/jira/browse/RANGER-3780?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3780:
-------------------------------------
    Fix Version/s: 2.4.0

> Ranger - Upgrade tomcat to 8.5.79
> -
>
> Key: RANGER-3780
> URL: https://issues.apache.org/jira/browse/RANGER-3780
> Project: Ranger
> Issue Type: Task
> Components: Ranger
> Affects Versions: 3.0.0, 2.3.0
> Reporter: Pradeep Agrawal
> Assignee: Pradeep Agrawal
> Priority: Major
> Fix For: 3.0.0, 2.4.0
>
> This task is to upgrade tomcat version to 8.5.79
[jira] [Updated] (RANGER-3812) update Python client to support multiple resource sets in a policy
[ https://issues.apache.org/jira/browse/RANGER-3812?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3812:
-------------------------------------
    Fix Version/s: 2.4.0

> update Python client to support multiple resource sets in a policy
> --
>
> Key: RANGER-3812
> URL: https://issues.apache.org/jira/browse/RANGER-3812
> Project: Ranger
> Issue Type: Sub-task
> Components: intg
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Priority: Major
> Fix For: 3.0.0, 2.4.0
> Attachments: RANGER-3812.patch
>
> Python client should be updated to support new attribute RangerPolicy.additionalResources.
[jira] [Updated] (RANGER-3712) Update Apache Ranger website for 2.3.0 release
[ https://issues.apache.org/jira/browse/RANGER-3712?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3712:
-------------------------------------
    Fix Version/s: 2.4.0

> Update Apache Ranger website for 2.3.0 release
> ---
>
> Key: RANGER-3712
> URL: https://issues.apache.org/jira/browse/RANGER-3712
> Project: Ranger
> Issue Type: Sub-task
> Components: Ranger
> Affects Versions: 3.0.0
> Reporter: Ramesh Mani
> Assignee: Ramesh Mani
> Priority: Major
> Fix For: 3.0.0, 2.4.0
> Attachments: 0001-RANGER-3712-Update-Apache-Ranger-website-for-2.3.0-r.patch
>
> Update Apache Ranger website for 2.3.0 release
[jira] [Updated] (RANGER-3818) Upgrade Solr to 8.11.2
[ https://issues.apache.org/jira/browse/RANGER-3818?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3818:
-------------------------------------
    Fix Version/s: 2.4.0

> Upgrade Solr to 8.11.2
> --
>
> Key: RANGER-3818
> URL: https://issues.apache.org/jira/browse/RANGER-3818
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Reporter: Kengo Seki
> Assignee: Kengo Seki
> Priority: Major
> Fix For: 3.0.0, 2.4.0
> Attachments: 0001-RANGER-3818-Upgrade-Solr-to-8.11.2.patch
>
> [According to the Solr site|https://solr.apache.org/downloads.html#about-versions-and-support], older versions than 8.11 are already EOL'd. It should be upgraded to 8.11.x at least.
[jira] [Updated] (RANGER-3796) Enhancement to support multiple resource sets in a policy
[ https://issues.apache.org/jira/browse/RANGER-3796?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3796:
-------------------------------------
    Fix Version/s: 2.4.0

> Enhancement to support multiple resource sets in a policy
> -
>
> Key: RANGER-3796
> URL: https://issues.apache.org/jira/browse/RANGER-3796
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Priority: Major
> Fix For: 3.0.0, 2.4.0
> Attachments: RANGER-3796-2.patch, RANGER-3796.patch
>
> Ranger policy model allows multiple resources to be covered in a single policy. For example, by use of wildcards/macros/resource-list – as shown below:
> {noformat}
> - database: test_db, table: *, column: *
> - path: /home/{USER}
> - storageaccount: finance, relativepath: [ /taxes, /reports ] {noformat}
>
> It will be useful to extend this to support multiple resource sets in a policy, like:
> {noformat}
> - { database: db1, table: tb1, columns: * }, { database: db2, table: *, column: * }
> {noformat}
[jira] [Updated] (RANGER-3820) Upgrade Netty version to 4.1.78.Final
[ https://issues.apache.org/jira/browse/RANGER-3820?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3820:
-------------------------------------
    Fix Version/s: 2.4.0

> Upgrade Netty version to 4.1.78.Final
> -
>
> Key: RANGER-3820
> URL: https://issues.apache.org/jira/browse/RANGER-3820
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 3.0.0
> Reporter: Bhavik Patel
> Assignee: Bhavik Patel
> Priority: Major
> Fix For: 2.4.0
> Attachments: 0001-RANGER-3820-Upgrade-Netty-version-to-4.1.78.Final.patch
>
> Upgrade Netty version to 4.1.78.Final
[jira] [Updated] (RANGER-3806) Group's users mapping entry failing whenever primary key auto-increment is not set to 1 in db
[ https://issues.apache.org/jira/browse/RANGER-3806?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3806:
-------------------------------------
    Fix Version/s: 2.4.0

> Group's users mapping entry failing whenever primary key auto-increment is not set to 1 in db
> -
>
> Key: RANGER-3806
> URL: https://issues.apache.org/jira/browse/RANGER-3806
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Pradeep Agrawal
> Assignee: Pradeep Agrawal
> Priority: Major
> Fix For: 3.0.0, 2.4.0
> Attachments: 0001-RANGER-3806-Group-s-users-mapping-entry-failing-when.patch
[jira] [Updated] (RANGER-3767) Add text message in HDFS and YARN policy pages to highlight the fallback ACL option
[ https://issues.apache.org/jira/browse/RANGER-3767?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3767:
-------------------------------------
    Fix Version/s: 2.4.0

> Add text message in HDFS and YARN policy pages to highlight the fallback ACL option
> ---
>
> Key: RANGER-3767
> URL: https://issues.apache.org/jira/browse/RANGER-3767
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Affects Versions: 3.0.0
> Reporter: Dhaval Rajpara
> Assignee: Dhaval Rajpara
> Priority: Major
> Fix For: 3.0.0, 2.4.0
> Attachments: 0001-RANGER-3767.patch
>
> HDFS and YARN policy pages need to show a text message highlighting the fallback ACL option. By default, fallback is enabled for these components. Showing this message in policy page will allow customers to understand the behavior better and decide.
> Message could be something like below.
> "By default, fallback to [HDFS|Yarn] ACLs are enabled. If access cannot be determined by Ranger policies, authorization will fall back to [HDFS|Yarn] ACLs. If this behavior needs to be changed, modify [HDFS plugin config|Yarn plugin config]"
[jira] [Updated] (RANGER-3819) Upgrade springframework version
[ https://issues.apache.org/jira/browse/RANGER-3819?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3819:
-------------------------------------
    Fix Version/s: 2.4.0

> Upgrade springframework version
> ---
>
> Key: RANGER-3819
> URL: https://issues.apache.org/jira/browse/RANGER-3819
> Project: Ranger
> Issue Type: Bug
> Components: admin
> Affects Versions: 3.0.0
> Reporter: Bhavik Patel
> Assignee: Bhavik Patel
> Priority: Major
> Fix For: 2.4.0
> Attachments: 0001-RANGER-3819-Upgrade-springframework-version.patch
>
> Upgrade springframework version 5.3.21
[jira] [Resolved] (RANGER-3829) Incremental Sync value is always true under Ranger Audit (Usersync)
[ https://issues.apache.org/jira/browse/RANGER-3829?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pradeep Agrawal resolved RANGER-3829.
-------------------------------------
    Fix Version/s: 3.0.0
       Resolution: Fixed

https://github.com/apache/ranger/commit/3bd591fbd1f0434b47263c2d99cf634f5ace8dd0

> Incremental Sync value is always true under Ranger Audit (Usersync)
> ---
>
> Key: RANGER-3829
> URL: https://issues.apache.org/jira/browse/RANGER-3829
> Project: Ranger
> Issue Type: Bug
> Components: usersync
> Reporter: Abhishek Kumar
> Assignee: Abhishek Kumar
> Priority: Major
> Fix For: 3.0.0
>
> Disabled the Incremental Sync in the Usersync configs but the *_Ranger UI -> Audit -> Usersync -> Sync Details_* shows the Incremental Sync value as always true.
>
> I could see the configs as -
> {code:java}
> [root@c3245-node2 conf]# cat ranger-ugsync-site.xml | grep -a2 delta
>
>
> ranger.usersync.ldap.deltasync
> false
> {code}
Re: Review Request 74058: RANGER-3829: Incremental Sync Value to be read from usersync config
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74058/#review224580
---

Ship it!

Ship It!

- Pradeep Agrawal

On July 19, 2022, 1:51 a.m., Abhishek Kumar wrote:
>
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74058/
> ---
>
> (Updated July 19, 2022, 1:51 a.m.)
>
> Review request for ranger, Sailaja Polavarapu and Velmurugan Periasamy.
>
> Bugs: RANGER-3829
>     https://issues.apache.org/jira/browse/RANGER-3829
>
> Repository: ranger
>
> Description
> ---
>
> Config parameter ranger.usersync.ldap.deltasync is hardcoded to true, the review allows the param to be read from config file.
>
> Diffs
> -
>
>   ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java 550775f65
>
> Diff: https://reviews.apache.org/r/74058/diff/2/
>
> Testing
> ---
>
> Tested on remote cluster.
>
> Thanks,
>
> Abhishek Kumar
[jira] [Updated] (RANGER-3841) update version ranger-2.4 to 2.4.0-SNAPSHOT
[ https://issues.apache.org/jira/browse/RANGER-3841?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3841:
-------------------------------------
    Attachment: RANGER-3841.patch

> update version ranger-2.4 to 2.4.0-SNAPSHOT
> ---
>
> Key: RANGER-3841
> URL: https://issues.apache.org/jira/browse/RANGER-3841
> Project: Ranger
> Issue Type: Task
> Components: Ranger
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Priority: Major
> Attachments: RANGER-3841.patch
[jira] [Updated] (RANGER-3664) Ranger KMS : Add refresh functionality on kms key listing page.
[ https://issues.apache.org/jira/browse/RANGER-3664?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj updated RANGER-3664:
-------------------------------------
    Fix Version/s: 2.4.0
                       (was: 2.3.0)

> Ranger KMS : Add refresh functionality on kms key listing page.
> ---
>
> Key: RANGER-3664
> URL: https://issues.apache.org/jira/browse/RANGER-3664
> Project: Ranger
> Issue Type: Improvement
> Components: kms, Ranger
> Reporter: Mateen N Mansoori
> Assignee: Dhaval Rajpara
> Priority: Major
> Fix For: 3.0.0, 2.4.0
>
> Add refresh functionality on kms key listing page.
[jira] [Resolved] (RANGER-3710) Release Apache Ranger 2.3.0
[ https://issues.apache.org/jira/browse/RANGER-3710?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj resolved RANGER-3710.
--------------------------------------
    Resolution: Fixed

> Release Apache Ranger 2.3.0
> ---
>
> Key: RANGER-3710
> URL: https://issues.apache.org/jira/browse/RANGER-3710
> Project: Ranger
> Issue Type: Task
> Components: Ranger
> Affects Versions: 2.3.0
> Reporter: Ramesh Mani
> Assignee: Ramesh Mani
> Priority: Major
> Fix For: 2.3.0
>
> Release Apache Ranger 2.3.0
[jira] [Resolved] (RANGER-3714) Update version in branch-2.0 to 2.4.0-SNAPSHOT
[ https://issues.apache.org/jira/browse/RANGER-3714?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Madhan Neethiraj resolved RANGER-3714.
--------------------------------------
    Fix Version/s: 2.4.0
       Resolution: Duplicate

Addressed in RANGER-3841.

> Update version in branch-2.0 to 2.4.0-SNAPSHOT
> --
>
> Key: RANGER-3714
> URL: https://issues.apache.org/jira/browse/RANGER-3714
> Project: Ranger
> Issue Type: Sub-task
> Components: Ranger
> Affects Versions: 2.3.0
> Reporter: Ramesh Mani
> Priority: Major
> Fix For: 2.4.0
>
> Update version in branch-2.0 to 2.4.0-SNAPSHOT
[jira] [Created] (RANGER-3841) update version ranger-2.4 to 2.4.0-SNAPSHOT
Madhan Neethiraj created RANGER-3841:
-------------------------------------

    Summary: update version ranger-2.4 to 2.4.0-SNAPSHOT
    Key: RANGER-3841
    URL: https://issues.apache.org/jira/browse/RANGER-3841
    Project: Ranger
    Issue Type: Task
    Components: Ranger
    Reporter: Madhan Neethiraj
    Assignee: Madhan Neethiraj