[jira] [Created] (RANGER-3959) condition expression validation

2022-11-03 Thread Madhan Neethiraj (Jira)
Madhan Neethiraj created RANGER-3959:


             Summary: condition expression validation
                 Key: RANGER-3959
                 URL: https://issues.apache.org/jira/browse/RANGER-3959
             Project: Ranger
          Issue Type: Bug
          Components: plugins
    Affects Versions: 2.3.0
            Reporter: Madhan Neethiraj
            Assignee: Madhan Neethiraj


Improve validation of condition expressions used in Ranger policies.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

2022-11-03 Thread Barbara Eckman via Review Board

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/
---

(Updated Nov. 3, 2022, 5:36 p.m.)


Review request for ranger and madhan.


Bugs: Ranger-3855
https://issues.apache.org/jira/browse/Ranger-3855


Repository: ranger


Description
---

RangerExternalUserStoreRetriever class Ranger-3855

Ranger version 3.0.0 provides a means, via a context enricher, to add or 
retrieve attributes to the database of users for whom Ranger controls access. 
This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy 
condition, including row and tag filters. This greatly enhances the ability to 
provide custom Attribute-based Access Control based on the specific business 
needs of one's organization.

I believe that the original assumption was that such attributes would be added 
to AD/LDAP and enter Ranger via regular user syncs. However, this process does 
not currently work with Azure AD, which many organizations use. Neither does it 
provide timely support for organizations for whom adding each new attribute to 
AD would be subject to prolonged scrutiny by overworked security teams.

In the spirit of the RangerAdminUserStoreRetriever context enricher, we have 
written a RangerExternalUserStoreRetriever class which adds arbitrary 
attributes to Ranger users via external API calls, thus freeing additions to 
the UserStore from dependency on AD/LDAP. We have also written a 
RangerRoleUserStoreRetriever class, which transforms role membership into user 
attributes, for ease of use in complex policy conditions.


Diffs (updated)
-

  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/LICENSE PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/NOTICE PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md PRE-CREATION
  dev-support/spotbugsIncludeFile.xml 3621e8c08
  plugin-nestedstructure/README.md ea878f6a2


Diff: https://reviews.apache.org/r/74142/diff/4/

Changes: https://reviews.apache.org/r/74142/diff/3-4/


Testing
---


Thanks,

Barbara Eckman



[jira] [Commented] (RANGER-2128) Implement SparkSQL plugin

2022-11-03 Thread Zhou Yifan (Jira)


[ https://issues.apache.org/jira/browse/RANGER-2128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17628439#comment-17628439 ]

Zhou Yifan commented on RANGER-2128:


[~bpatel] Very glad to help. Could you provide more details about the problems 
in testing?

> Implement SparkSQL plugin
> -------------------------
>
>                 Key: RANGER-2128
>                 URL: https://issues.apache.org/jira/browse/RANGER-2128
>             Project: Ranger
>          Issue Type: New Feature
>          Components: plugins, Ranger
>    Affects Versions: 1.1.0
>            Reporter: t oo
>            Assignee: Kent Yao
>            Priority: Major
>         Attachments: image-2022-10-10-14-25-30-218.png, support_ranger11.tgz
>
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> Implement SparkSQL plugin





[jira] [Assigned] (RANGER-3883) emailchange and passwordchange User REST API's work even when invalid user id is used in the url

2022-11-03 Thread Ramachandran (Jira)


[ https://issues.apache.org/jira/browse/RANGER-3883?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ramachandran reassigned RANGER-3883:


Assignee: Ramachandran

> emailchange and passwordchange User REST API's work even when invalid user id 
> is used in the url
> 
>
>         Key: RANGER-3883
>         URL: https://issues.apache.org/jira/browse/RANGER-3883
>     Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>    Reporter: Abhishek
>    Assignee: Ramachandran
>    Priority: Major
> Attachments: 0001-RANGER-3883-When-a-POST-request-is-made-to-the-follo.patch
>
>
> When a POST request is made to the following APIs, they return a 200 status 
> code even when the userId is invalid.
>  1. {RANGER_ADMIN_URL}/service/users/{USER_ID}/passwordchange
>  2. {RANGER_ADMIN_URL}/service/users/{USER_ID}/emailchange
> Ideally, the APIs must return 404 not found when using an invalid userid in 
> the url,
> but in the case of the aforementioned APIs, the POST request results in status 
> code 200.





[jira] [Commented] (RANGER-3883) emailchange and passwordchange User REST API's work even when invalid user id is used in the url

2022-11-03 Thread Ramachandran (Jira)


[ https://issues.apache.org/jira/browse/RANGER-3883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17628404#comment-17628404 ]

Ramachandran commented on RANGER-3883:
--

Review is available here: https://reviews.apache.org/r/74189/ cc >> [~mad...@apache.org]



[jira] [Updated] (RANGER-3883) emailchange and passwordchange User REST API's work even when invalid user id is used in the url

2022-11-03 Thread Ramachandran (Jira)


[ https://issues.apache.org/jira/browse/RANGER-3883?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ramachandran updated RANGER-3883:
-
Attachment: 0001-RANGER-3883-When-a-POST-request-is-made-to-the-follo.patch



Review Request 74189: POST/PUT REST API's work even when invalid user id or Id is used in the url

2022-11-03 Thread Ramachandran Krishnan

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74189/
---

Review request for ranger, Madhan Neethiraj, Nikhil P, Pradeep Agrawal, Ramesh 
Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-3883
https://issues.apache.org/jira/browse/RANGER-3883


Repository: ranger


Description
---

When a POST request is made to the following APIs, they return a 200 status 
code even when the userId is invalid.

When a POST/PUT request is made to the following APIs, they return a 200 status 
code even when the userId or id is invalid.

Ranger is not honouring Id:
/service/users/{USER_ID}/passwordchange
/service/users/{USER_ID}/emailchange
/assets/{id}
/permission/{id}
/services/{id}
/definitions/{id}
/secure/groups/{id}
/policies/{id}

Ideally, the APIs must return 404 Not Found or Bad Request (400) when using an 
invalid userid or id in the URL.

But in this case, the POST/PUT request results in status code 200 instead of 400.


Diffs
-

  security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java a0ba3b750
  security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java 2e7e90bb4
  security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 293107f24
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 9bccf1089
  security-admin/src/main/java/org/apache/ranger/rest/UserREST.java 5fc18034b
  security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java dd12048ac
  security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java abd4b1c1c
  security-admin/src/test/java/org/apache/ranger/rest/TestPublicAPIs.java 2bf5ee6c9
  security-admin/src/test/java/org/apache/ranger/rest/TestPublicAPIsv2.java 1069f013d
  security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 375135a5a
  security-admin/src/test/java/org/apache/ranger/rest/TestUserREST.java 48cd7face
  security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java 2b25ba813


Diff: https://reviews.apache.org/r/74189/diff/1/


Testing
---


Thanks,

Ramachandran Krishnan
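
The check this review request asks for, as an added, framework-free sketch that is not code from the Ranger patch: an update handler that treats the id in the URL path as authoritative and answers 400 for a malformed id and 404 when no such resource exists. It goes one step beyond the description by also rejecting a body whose id disagrees with the URL; the in-memory `USERS` store, `update_resource` and the field names are assumptions made for illustration.

```python
from http import HTTPStatus

# Constructed sample data standing in for the persistence layer (assumption).
USERS = {
    1: {"id": 1, "loginId": "alice", "emailAddress": "alice@example.com"},
    2: {"id": 2, "loginId": "bob", "emailAddress": "bob@example.com"},
}


def parse_path_id(raw):
    """Return the URL path segment as a positive int, or None if malformed."""
    if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit():
        return None
    value = int(raw)
    return value if value > 0 else None


def update_resource(store, raw_path_id, body):
    """Hypothetical update handler; returns (status, payload).

    The id in the URL decides which record is touched, so the request body
    can never redirect the update to a different record.
    """
    path_id = parse_path_id(raw_path_id)
    if path_id is None:
        return HTTPStatus.BAD_REQUEST, {"error": "malformed id in URL"}

    body_id = body.get("id")
    if body_id is not None and body_id != path_id:
        return HTTPStatus.BAD_REQUEST, {"error": "id in body does not match URL"}

    record = store.get(path_id)
    if record is None:
        return HTTPStatus.NOT_FOUND, {"error": "no resource with id %d" % path_id}

    # Apply only the supplied fields; the id stays pinned to the URL value.
    changes = {k: v for k, v in body.items() if k != "id"}
    record.update(changes)
    return HTTPStatus.OK, dict(record)
```
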



[jira] [Commented] (RANGER-2128) Implement SparkSQL plugin

2022-11-03 Thread Bhavik Patel (Jira)


[ https://issues.apache.org/jira/browse/RANGER-2128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17628338#comment-17628338 ]

Bhavik Patel commented on RANGER-2128:
--

[~zhouyifan279] I have rebased the Ranger-Sparksql(RANGER-2128) plugin patch 
but while testing I have observed policy download and commands are not working 
as expected.

Will you please help on this?
