Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

2022-11-17 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224885
---




agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
Lines 66 (patched)


retrieveUserStoreInfo() returns userStore initialized in init() method. How 
are changes to user-attributes handled? For example:
1. changes to user-roles assignment
2. changes to attributes in remote server (retrieved via GetFromURL())
3. changes to attributes loaded from data file (retrieved via 
GetFromDataFile())



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
Lines 198 (patched)


Please review and update the package name: 
com.comcast.dx.ranger.contextenricher.externalretrievers



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
Lines 222 (patched)


rangerRoles is an instance member, hence it is not necessary to send as 
method parameter. Please review and update.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
Lines 226 (patched)


gson is unused. Please review and remove.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md
Lines 99 (patched)


roleName here actually refers to the prefix of the roleName in Ranger. 
Also, roleName here is the name of the user-attribute. Hence, consider renaming 
this to attrName.

  "retriever2_role": "attrName=salesRegion",
  "retriever3_role": "attrName=sensitivityLevel"



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md
Lines 132 (patched)


Given each retriever handles a single attribute, the 'name' option may not be 
useful/necessary. Consider the following simplified option string:
 "retriever0_api":  "attrName=partner,userStoreURL=http://localhost:8000/security/getPartnersByUser",
 "retriever1_api":  "attrName=ownedResources,dataFile=/var/ranger/data/userOwnerResource.txt",
 "retriever2_role": "attrName=salesRegion",
 "retriever3_role": "attrName=sensitivityLevel"



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md
Lines 134 (patched)


serviceType and serviceName are unused. Please review and remove from #134 
and #135.


- Madhan Neethiraj


On Nov. 17, 2022, 9:15 p.m., Barbara Eckman wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74142/
> ---
> 
> (Updated Nov. 17, 2022, 9:15 p.m.)
> 
> 
> Review request for ranger and madhan.
> 
> 
> Bugs: Ranger-3855
> https://issues.apache.org/jira/browse/Ranger-3855
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> RangerExternalUserStoreRetriever class Ranger-3855
> 
> Ranger version 3.0.0 provides a means, via a context enricher, to add or 
> retrieve attributes to the database of users for whom Ranger controls access. 
> This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy 
> condition, including row and tag filters. This greatly enhances the ability 
> to provide custom Attribute-based Access Control based on the specific 
> business needs of one's organization.
> 
> I believe that the original assumption was that such attributes would be 
> added to AD/LDAP and enter Ranger via regular user syncs. However, this 
> process does not currently work with Azure AD, which many organizations use. 
> Neither does it provide timely support for organizations for whom adding each 
> new attribute to AD would be subject to prolonged scrutiny by overworked 
> security teams.
> 
> In the spirit of the RangerAdminUserStoreRetriever context enricher, we have 
> written a RangerExternalUserStoreRetriever class which adds arbitrary 
> attributes to Ranger users via external API calls, thus freeing additions to 
> the UserStore from dependency on AD/LDAP. We have also written a 
> RangerRoleUserStoreRetriever class, which transforms role membership into 
> user attributes, for ease of use in complex policy conditions.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java

Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

2022-11-17 Thread Barbara Eckman via Review Board

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/
---

(Updated Nov. 17, 2022, 9:15 p.m.)


Review request for ranger and madhan.


Bugs: Ranger-3855
https://issues.apache.org/jira/browse/Ranger-3855


Repository: ranger


Description
---

RangerExternalUserStoreRetriever class Ranger-3855

Ranger version 3.0.0 provides a means, via a context enricher, to add or 
retrieve attributes to the database of users for whom Ranger controls access. 
This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy condition, 
including row and tag filters. This greatly enhances the ability to provide 
custom Attribute-based Access Control based on the specific business needs of 
one's organization.

I believe that the original assumption was that such attributes would be added 
to AD/LDAP and enter Ranger via regular user syncs. However, this process does 
not currently work with Azure AD, which many organizations use. Neither does it 
provide timely support for organizations for whom adding each new attribute to 
AD would be subject to prolonged scrutiny by overworked security teams.

In the spirit of the RangerAdminUserStoreRetriever context enricher, we have 
written a RangerExternalUserStoreRetriever class which adds arbitrary 
attributes to Ranger users via external API calls, thus freeing additions to 
the UserStore from dependency on AD/LDAP. We have also written a 
RangerRoleUserStoreRetriever class, which transforms role membership into user 
attributes, for ease of use in complex policy conditions.


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
 PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java
 PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java
 PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/LICENSE
 PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/NOTICE
 PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md
 PRE-CREATION 


Diff: https://reviews.apache.org/r/74142/diff/5/

Changes: https://reviews.apache.org/r/74142/diff/4-5/


Testing
---


Thanks,

Barbara Eckman
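The description above explains the mechanism in prose: attributes are attached to users (from role membership, from a data file, or from an external API) and then referenced in policy conditions such as "Dumbo" in $USER.aliases. Madhan's review comment on the README also proposes a simplified per-retriever option string ("attrName=...,dataFile=..." / "attrName=..."). The following Python model, written for this page and not code from the Ranger project, shows how those pieces fit together: it parses the simplified option strings, derives attributes from roles and from a data file, and evaluates a condition against the resulting store. It assumes a "user<TAB>value" data-file layout and a "<attrName>_<value>" role-naming convention (both assumptions for illustration; the README's actual formats are not on this page). URL retrieval is left out because it would need a network call.

```python
from collections import defaultdict

# Constructed sample data for this example (not from the Ranger project).
SAMPLE_ROLES = {  # Ranger role name -> member users
    "salesRegion_EMEA": ["alice", "bob"],
    "sensitivityLevel_high": ["alice"],
    "admins": ["carol"],
}
SAMPLE_DATA_FILES = {  # assumed layout: one "user<TAB>value" pair per line
    "/var/ranger/data/userOwnerResource.txt": [
        "alice\tproject-x",
        "alice\tproject-y",
        "bob\tproject-z",
    ],
}
SAMPLE_OPTIONS = {  # simplified option strings as suggested in the review
    "retriever1_api": "attrName=ownedResources,dataFile=/var/ranger/data/userOwnerResource.txt",
    "retriever2_role": "attrName=salesRegion",
    "retriever3_role": "attrName=sensitivityLevel",
}


def parse_retriever_options(options):
    """Turn '<name>_<kind>': 'k=v,k=v' entries into a list of retriever specs."""
    retrievers = []
    for key, opt_string in options.items():
        name, _, kind = key.rpartition("_")
        params = dict(p.split("=", 1) for p in opt_string.split(",") if "=" in p)
        retrievers.append({"name": name, "kind": kind, **params})
    return retrievers


def attrs_from_roles(attr_name, roles):
    """Assumed convention: role 'salesRegion_EMEA' yields salesRegion=EMEA for its members."""
    prefix = attr_name + "_"
    out = defaultdict(set)
    for role, members in roles.items():
        if role.startswith(prefix):
            for user in members:
                out[user].add(role[len(prefix):])
    return out


def attrs_from_data_file(lines):
    """Assumed data-file layout: 'user<TAB>value'; blank or malformed lines are skipped."""
    out = defaultdict(set)
    for line in lines:
        user, _, value = line.strip().partition("\t")
        if user and value:
            out[user].add(value)
    return out


def build_user_store(retrievers, roles, data_files):
    """user -> {attrName: set of values}; rebuild this on a schedule so that
    role or data-file changes are picked up rather than frozen at init time."""
    store = defaultdict(dict)
    for r in retrievers:
        if r["kind"] == "role":
            values = attrs_from_roles(r["attrName"], roles)
        elif r["kind"] == "api" and "dataFile" in r:
            values = attrs_from_data_file(data_files[r["dataFile"]])
        else:
            continue  # userStoreURL retrieval needs a network call; not modelled here
        for user, vals in values.items():
            store[user][r["attrName"]] = vals
    return store


def user_has(store, user, attr, value):
    """Equivalent of the policy condition  "<value>" in $USER.<attr>  (false for unknown users)."""
    return value in store.get(user, {}).get(attr, set())


def demo_store():
    return build_user_store(parse_retriever_options(SAMPLE_OPTIONS),
                            SAMPLE_ROLES, SAMPLE_DATA_FILES)
```

The store is built once from the parsed retrievers; the staleness question raised in the first review comment (what happens when role assignments or the data file change after init) is addressed by simply calling build_user_store again on a refresh interval, since every retriever here is a pure function of its inputs.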



Re: Review Request 74194: RANGER-3962: Add preload directive to HSTS header

2022-11-17 Thread Mehul Parikh

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74194/#review224884
---


Ship it!




Ship It!

- Mehul Parikh


On Nov. 8, 2022, 11:37 a.m., Mahesh Bandal wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74194/
> ---
> 
> (Updated Nov. 8, 2022, 11:37 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kishor 
> Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep 
> Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3962
> https://issues.apache.org/jira/browse/RANGER-3962
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> The "preload" directive is absent from the HSTS header. For security, it is 
> recommended to include it in the HSTS header.
> 
> 
> Diffs
> -
> 
>   kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSMDCFilter.java 
> 1174f0bd6 
>   
> security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
>  9f83daf9a 
>   security-admin/src/main/webapp/login.jsp df234efd9 
> 
> 
> Diff: https://reviews.apache.org/r/74194/diff/1/
> 
> 
> Testing
> ---
> 
> 1. Ranger maven build successful -> mvn clean compile verify test install
> 2. Ranger Setup & install successful
> 3. Performed sanity testing.
> 
> 
> Thanks,
> 
> Mahesh Bandal
> 
>
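The change above adds the preload directive to the Strict-Transport-Security header. As an added example (not code from the Ranger patch), the Python below builds a header value with and without preload and checks a header value against the three conditions the HSTS preload list requires: a max-age of at least one year (31536000 seconds), includeSubDomains, and preload. Function and constant names are this example's own.

```python
# Minimum max-age the HSTS preload list requires: one year in seconds.
PRELOAD_MIN_MAX_AGE = 31536000


def build_hsts_header(max_age=PRELOAD_MIN_MAX_AGE, include_subdomains=True, preload=True):
    """Build a Strict-Transport-Security value; preload is opt-in and should only be
    sent once the whole domain (all subdomains included) is served over HTTPS."""
    parts = ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts(value):
    """Parse directives case-insensitively into {name: value-or-None}."""
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, val = raw.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def hsts_preload_problems(value):
    """Return the reasons a header value is not preload-ready (empty list if it is)."""
    d = parse_hsts(value)
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("missing or non-numeric max-age")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age %s below %d" % (max_age, PRELOAD_MIN_MAX_AGE))
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


if __name__ == "__main__":
    weak = build_hsts_header(preload=False)      # header as it was before the patch
    fixed = build_hsts_header()                   # header with the preload directive
    print(weak, "->", hsts_preload_problems(weak))
    print(fixed, "->", hsts_preload_problems(fixed))
```

The checker is useful as a response-header test in CI: once a domain is on the preload list it is hard to remove, so the value should be verified before it is shipped rather than after.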



Re: Review Request 74192: RANGER-3961: AuditFileSpool logs out all events that were not audited successfully

2022-11-17 Thread Mehul Parikh

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74192/#review224883
---


Ship it!




Ship It!

- Mehul Parikh


On Nov. 8, 2022, 11:37 a.m., Mahesh Bandal wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74192/
> ---
> 
> (Updated Nov. 8, 2022, 11:37 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Kishor 
> Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep 
> Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3961
> https://issues.apache.org/jira/browse/RANGER-3961
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> At AuditFileSpool.java#L904, the variable lines holds all the events that are 
> in the current batch, that is 1000 by default (~0.5MB of strings). The batch can 
> be configured even higher, which makes things worse.
> 
> If there is an issue in audit, a lot of huge strings will be logged out.
> 
> Suggesting to remove the lines variable and/or add lines.size() to know how many 
> events were not sent.
> 
> 
> Diffs
> -
> 
>   
> agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditFileSpool.java 
> edce2461a 
> 
> 
> Diff: https://reviews.apache.org/r/74192/diff/1/
> 
> 
> Testing
> ---
> 
> 1. Ranger maven build successful -> mvn clean compile verify test install
> 2. Ranger Setup & install successful
> 3. Performed sanity testing.
> 
> 
> Thanks,
> 
> Mahesh Bandal
> 
>