Re: Review Request 74274: RANGER-3991 : Upgrade underscore-min.js, underscore.js and moment-with-locales.min.js

[Himanshu Maurya]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74274/
---

(Updated Jan. 14, 2023, 2:24 p.m.)


Review request for ranger, bhavik patel, Dhaval Shah, Dineshkumar Yadav, 
Harshal Chavan, Kishor Gollapalliwar, Madhan Neethiraj, Mehul Parikh, Nitin 
Galave, Pradeep Agrawal, and Velmurugan Periasamy.


Repository: ranger


Description
---

Upgraded the version of underscore.js from 1.13.1 to 1.13.6 and the version of 
moment-with-locales.min.js from 2.27.0 to 2.29.4


Diffs
-

  
security-admin/src/main/webapp/libs/bower/moment/js/moment-with-locales.min.js 
877f00fe2 
  security-admin/src/main/webapp/libs/bower/underscore/js/underscore.js 
ef8706b0d 


Diff: https://reviews.apache.org/r/74274/diff/2/


Testing (updated)
---

Tested all CRUD operations like:-
1) Policies
2) Services
3) Zones
4) Users/Groups/Roles
5) Keys from KMS 
6) Checked all Audit event generate properly
Also checked password updation for users


Thanks,

Himanshu Maurya

[jira] [Commented] (RANGER-4041) Upgrade netty-all version to 4.1.86.Final

[Himanshu Maurya (Jira)]

[ 
https://issues.apache.org/jira/browse/RANGER-4041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17676904#comment-17676904
 ] 

Himanshu Maurya commented on RANGER-4041:
-

Review Link :- https://reviews.apache.org/r/74280/

> Upgrade netty-all version to 4.1.86.Final
> -
>
> Key: RANGER-4041
> URL: https://issues.apache.org/jira/browse/RANGER-4041
> Project: Ranger
>  Issue Type: Bug
>  Components: kms, Ranger
>Reporter: Himanshu Maurya
>Assignee: Himanshu Maurya
>Priority: Major
> Attachments: 
> 0001-RANGER-4041-Upgrade-netty-all-version-to-4.1.86.Fina.patch
>
>
> A StackOverflowError can be raised when parsing a malformed crafted message 
> due to an infinite recursion and When calling `DefaultHttpHeadesr.set` with 
> an _iterator_ of values, header value validation was not performed, allowing 
> malicious header values in the iterator to perform HTTP Response Splitting. 
> These issues have been patched in version 4.1.86.Final.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (RANGER-4041) Upgrade netty-all version to 4.1.86.Final

[Himanshu Maurya (Jira)]

 [ 
https://issues.apache.org/jira/browse/RANGER-4041?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Himanshu Maurya updated RANGER-4041:

Attachment: 0001-RANGER-4041-Upgrade-netty-all-version-to-4.1.86.Fina.patch

> Upgrade netty-all version to 4.1.86.Final
> -
>
> Key: RANGER-4041
> URL: https://issues.apache.org/jira/browse/RANGER-4041
> Project: Ranger
>  Issue Type: Bug
>  Components: kms, Ranger
>Reporter: Himanshu Maurya
>Assignee: Himanshu Maurya
>Priority: Major
> Attachments: 
> 0001-RANGER-4041-Upgrade-netty-all-version-to-4.1.86.Fina.patch
>
>
> A StackOverflowError can be raised when parsing a malformed crafted message 
> due to an infinite recursion and When calling `DefaultHttpHeadesr.set` with 
> an _iterator_ of values, header value validation was not performed, allowing 
> malicious header values in the iterator to perform HTTP Response Splitting. 
> These issues have been patched in version 4.1.86.Final.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Review Request 74280: RANGER-4041 : Upgrade netty-all version to 4.1.86.Final

[Himanshu Maurya]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74280/
---

Review request for ranger, bhavik patel, Dhaval Shah, Dineshkumar Yadav, 
Harshal Chavan, Kishor Gollapalliwar, Madhan Neethiraj, Mehul Parikh, Nitin 
Galave, Pradeep Agrawal, and Velmurugan Periasamy.


Repository: ranger


Description
---

Upgraded netty-all version from 4.1.85.Final to 4.1.86.Final


Diffs
-

  pom.xml e402bcc5d 


Diff: https://reviews.apache.org/r/74280/diff/1/


Testing
---

Tested all CRUD operations like:-
1) Policies
2) Services
3) Zones
4) Users/Groups/Roles
5) Keys from KMS 
6) Checked all Audit event generate properly
Also checked password and permission updation for users
Run queries from backend for Hive, HBase, HDFS and YARN as different users and 
checked the policies and plugins are working good


Thanks,

Himanshu Maurya

Re: Review Request 74268: RANGER-4031:Not able to fetch Policy details using guid /api/policy/guid/{guid} without service name

[Kirby Zhou]

> On 一月 6, 2023, 3:58 a.m., Kirby Zhou wrote:
> > Ship It!
> 
> Ramachandran Krishnan wrote:
> Hi Madhan,
> Based on Kirby Zhou review comments ,we addressed the security constraint 
> when serviceName and zoneName is not passed 
> I believe this fix will cover all the edge cases as well .
> 
> Madhan Neethiraj wrote:
> When both serviceName and zoneName are not provided, the lookup should 
> only be based on guid. Why restrict to only UNZONED_SECURITY_ZONE_ID?
> 
> @Kirby - can you please share more details of security issue in looking 
> for policy with guid only?
> 
> Ramachandran Krishnan wrote:
> Hi Madhan/Kirby,
> Security Zone is a feature that provides an ability in Ranger to separate 
> resource policies into different zones.
> It also enables multiple administrators to setup different policies, 
> based on the zones that they are assigned to.
> In this case ,we might fetch the policies which are tagged with some 
> security zone .I feel this could be security thread
> when Sales Admin see the policy which tagged with  Finance Admin.Due to 
> that ,we added defaulut zone Id which is not tied to any security Zone
> Please correct me If I am wrong
> 
> Madhan Neethiraj wrote:
> Ramachandran - before a policy is returned to the caller, Ranger ensures 
> that the caller has appropriate privileges. If caller doesn't have privilege 
> to view a policy, error code 403 (SC_FORBIDDEN) will be returned - refer to 
> ServiceREST.ensureAdminAndAuditAccess(policy). There is no security concern 
> here.
> 
> Ramachandran Krishnan wrote:
> Thanks Madhan for pointing out .If the caller doesn't have privilege to 
> view a policy, error code 403 (SC_FORBIDDEN) will be returned.
> So it will not leak any security contraint.It makes sense 
> Kirby,
> It would be great if you elobrate a bit where this will create security 
> concenrn when we are not passing default Zone Id
> 
> Kirby Zhou wrote:
> Madhan is right, ServiceREST.ensureAdminAndAuditAccess seems is enough to 
> prenvet unauthorized access when there is no zone id passed.
> It is not a security risk now.
> 
> But my concern is that the semantics of API have been changed and 
> inconsistent.
> 
> In the old code:
> if guid, serviceName and zoneName is given, it returns policy match guid, 
> serviceName and zoneName together,
> if only guid and serviceName is given, it returns policy match guid, 
> serviceName and RANGER_UNZONED_SECURITY_ZONE_ID together.
> 
> I think guid+zoneName / guid only based queries should follow the same 
> principle as above.
> 
> It may confuse some automatic processes which believe that the returned 
> policies are always in the given zone ( or unzoned ).
> 
> Ramachandran Krishnan wrote:
> Madhan/Kirby,
> It would be great if we finalize the things whether we can keep the 
> default zoneId along with guid when zoneName is not passed like old code way 
> or Do we need to strict to guid only when zoneName is not passed
> 
> Madhan Neethiraj wrote:
> This change in REST API to retrieve a policy by GUI was necessary to deal 
> with the case where the caller doesn't know the service name. How does this 
> patch deal with cases where the caller doesn't know the zone name? The search 
> is restricted only to UNZONED i.e. will exclude policies in security zones. 
> This doesn't look correct. Hence I suggested to not add zoneId filter in this 
> case.
> 
> > It may confuse some automatic processes which believe that the returned 
> policies are always in the given zone ( or unzoned ). 
> 
> Kirby - in this case, would the automatic process know of the 
> security-zone in which to find the policies? If not, it will fail to retrieve 
> the policy simply by searching for guid - as the search will only look for 
> policies in UNZONED. Is is alright?

Madhan - in this case, the automatic process should know its zone , or it just 
want to find in unzoned guids.

A compromise method is that we add a parameter to indicate whether to search in 
all zones or in the unzoned range.
Such as "ZoneName=_ALL_" or "ZoneName=_UNZONED_" ?


- Kirby


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74268/#review225068
---


On 一月 5, 2023, 10:15 a.m., Ramachandran Krishnan wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74268/
> ---
> 
> (Updated 一月 5, 2023, 10:15 a.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Abhay Kulkarni, Madhan Neethiraj, 
> Mehul Parikh, Nikhil P, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, 
> Sailaja Polavarapu, Subhrat Chaudhary, and Velmurugan