[jira] [Assigned] (RANGER-4052) Zone filter not getting cleared in landing page after deleting the zone from zone listing page in Ranger React

2023-01-17 Thread Brijesh Bhalala (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4052?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Brijesh Bhalala reassigned RANGER-4052:
---

Assignee: Brijesh Bhalala

> Zone filter not getting cleared in landing page after deleting the zone
> from zone listing page in Ranger React
> 
>
> Key: RANGER-4052
> URL: https://issues.apache.org/jira/browse/RANGER-4052
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Brijesh Bhalala
> Assignee: Brijesh Bhalala
> Priority: Major
> Labels: ranger-react
>
> * Selecting the zone in zone filter at landing page, after selecting it
>   delete the same zone from zone listing page.
> * The zone does not get cleared from zone filter in landing page.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Created] (RANGER-4052) Zone filter not getting cleared in landing page after deleting the zone from zone listing page in Ranger React

2023-01-17 Thread Brijesh Bhalala (Jira)
Brijesh Bhalala created RANGER-4052:
---

Summary: Zone filter not getting cleared in landing page after deleting the zone from zone listing page in Ranger React
Key: RANGER-4052
URL: https://issues.apache.org/jira/browse/RANGER-4052
Project: Ranger
Issue Type: Bug
Components: Ranger
Reporter: Brijesh Bhalala


* Selecting the zone in zone filter at landing page, after selecting it delete
  the same zone from zone listing page.
* The zone does not get cleared from zone filter in landing page.





[jira] [Comment Edited] (RANGER-4027) Ranger asset ugsyncAudits rest api is giving access to the unauthorized user

2023-01-17 Thread Abhishek Kumar (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-4027?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17678041#comment-17678041
 ] 

Abhishek Kumar edited comment on RANGER-4027 at 1/18/23 1:16 AM:
-

/ugsyncAudits/{syncSource}

API endpoint is deprecated and can be removed. The sync source can be used as a 
search criterion in the API endpoint /ugsyncAudits to achieve the same.


was (Author: abhi_2110):
/ugsyncAudits/{syncSource} API endpoint is deprecated and can be removed. The 
sync source can be used as a search criterion in the API endpoint /ugsyncAudits 
to achieve the same.

> Ranger asset ugsyncAudits rest api is giving access to the unauthorized user
> 
>
> Key: RANGER-4027
> URL: https://issues.apache.org/jira/browse/RANGER-4027
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Abhilash Perla
> Priority: Major
>
> Test case steps followed:
> When we are calling the
> api([link|https://ranger.apache.org/apidocs/resource_AssetREST.html#resource_AssetREST_getUgsyncAudits_GET])
> with hrt_1 user (doesn't have admin privileges) we are getting response 403.
> Command or api request:
> {noformat}
> curl -iku hrt_1:Password@123 'https://ranger_base_url:6182/service/assets/ugsyncAudits'
> {noformat}
> The output:
> {noformat}
> HTTP/1.1 403 Forbidden
> Set-Cookie: RANGERADMINSESSIONID=2A265BF9974B392294B8B49ED8A2DEBC; Path=/; Secure; HttpOnly
> Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> X-Frame-Options: DENY
> X-XSS-Protection: 1; mode=block
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
> X-Permitted-Cross-Domain-Policies: none
> X-Content-Type-Options: nosniff
> Content-Type: application/json
> Transfer-Encoding: chunked
> Date: Thu, 22 Dec 2022 11:40:04 GMT
> Server: Apache Ranger
> User is not having permissions on the Audit module.
> {noformat}
> Then when this
> Api([link|https://ranger.apache.org/apidocs/resource_AssetREST.html#resource_AssetREST_getUgsyncAuditsBySyncSource_GET])
> is being called it is giving access.
> The api request:
> {noformat}
> curl -iku hrt_1:Password@123 'https://ranger_base_url:6182/service/assets/ugsyncAudits/random'
> {noformat}
> The output:
> {noformat}
> HTTP/1.1 200 OK
> Set-Cookie: RANGERADMINSESSIONID=66C3858FAD2599A431476ECFBDBFF0EF; Path=/; Secure; HttpOnly
> Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> X-Frame-Options: DENY
> X-XSS-Protection: 1; mode=block
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
> X-Permitted-Cross-Domain-Policies: none
> X-Content-Type-Options: nosniff
> Content-Type: application/json
> Transfer-Encoding: chunked
> Date: Thu, 22 Dec 2022 11:43:08 GMT
> Server: Apache Ranger
> {"startIndex":0,"pageSize":0,"totalCount":0,"resultSize":0,"queryTimeMS":1671709388359,"vxUgsyncAuditInfoList":[]}
> {noformat}
>
> Expected Output:
> When the API assets/ugsyncAudits/{syncSource} is being called by hrt_1 user,
> his request should be access denied and should return a 403.
> Actual Output:
> The hrt_1 user is able to access this assets/ugsyncAudits/{syncSource} api
> and his request is returning 200.





[jira] [Commented] (RANGER-4027) Ranger asset ugsyncAudits rest api is giving access to the unauthorized user

2023-01-17 Thread Abhishek Kumar (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-4027?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17678041#comment-17678041
 ] 

Abhishek Kumar commented on RANGER-4027:


/ugsyncAudits/{syncSource} API endpoint is deprecated and can be removed. The 
sync source can be used as a search criterion in the API endpoint /ugsyncAudits 
to achieve the same.

> Ranger asset ugsyncAudits rest api is giving access to the unauthorized user
> 
>
> Key: RANGER-4027
> URL: https://issues.apache.org/jira/browse/RANGER-4027
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Abhilash Perla
> Priority: Major
>
> Test case steps followed:
> When we are calling the
> api([link|https://ranger.apache.org/apidocs/resource_AssetREST.html#resource_AssetREST_getUgsyncAudits_GET])
> with hrt_1 user (doesn't have admin privileges) we are getting response 403.
> Command or api request:
> {noformat}
> curl -iku hrt_1:Password@123 'https://ranger_base_url:6182/service/assets/ugsyncAudits'
> {noformat}
> The output:
> {noformat}
> HTTP/1.1 403 Forbidden
> Set-Cookie: RANGERADMINSESSIONID=2A265BF9974B392294B8B49ED8A2DEBC; Path=/; Secure; HttpOnly
> Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> X-Frame-Options: DENY
> X-XSS-Protection: 1; mode=block
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
> X-Permitted-Cross-Domain-Policies: none
> X-Content-Type-Options: nosniff
> Content-Type: application/json
> Transfer-Encoding: chunked
> Date: Thu, 22 Dec 2022 11:40:04 GMT
> Server: Apache Ranger
> User is not having permissions on the Audit module.
> {noformat}
> Then when this
> Api([link|https://ranger.apache.org/apidocs/resource_AssetREST.html#resource_AssetREST_getUgsyncAuditsBySyncSource_GET])
> is being called it is giving access.
> The api request:
> {noformat}
> curl -iku hrt_1:Password@123 'https://ranger_base_url:6182/service/assets/ugsyncAudits/random'
> {noformat}
> The output:
> {noformat}
> HTTP/1.1 200 OK
> Set-Cookie: RANGERADMINSESSIONID=66C3858FAD2599A431476ECFBDBFF0EF; Path=/; Secure; HttpOnly
> Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> X-Frame-Options: DENY
> X-XSS-Protection: 1; mode=block
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
> X-Permitted-Cross-Domain-Policies: none
> X-Content-Type-Options: nosniff
> Content-Type: application/json
> Transfer-Encoding: chunked
> Date: Thu, 22 Dec 2022 11:43:08 GMT
> Server: Apache Ranger
> {"startIndex":0,"pageSize":0,"totalCount":0,"resultSize":0,"queryTimeMS":1671709388359,"vxUgsyncAuditInfoList":[]}
> {noformat}
>
> Expected Output:
> When the API assets/ugsyncAudits/{syncSource} is being called by hrt_1 user,
> his request should be access denied and should return a 403.
> Actual Output:
> The hrt_1 user is able to access this assets/ugsyncAudits/{syncSource} api
> and his request is returning 200.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
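
The RANGER-4027 report above has the same non-admin user denied on /service/assets/ugsyncAudits but allowed on /service/assets/ugsyncAudits/{syncSource}. The following is an added example, not part of the original messages or the Ranger code base: a regression check that reads captured `curl -i` responses and flags any path that returns 2xx for a user who was denied on a parent path. The captures are constructed from the report's two requests with headers shortened; the parent/child rule is a review heuristic and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

BASE = "https://ranger_base_url:6182/service/assets/ugsyncAudits"

# Constructed captures modelled on the two requests in the report:
# (user, requested URL, raw `curl -i` output with headers shortened).
CAPTURES = [
    ("hrt_1", BASE,
     "HTTP/1.1 403 Forbidden\nContent-Type: application/json\n"
     "Server: Apache Ranger\n"
     "User is not having permissions on the Audit module."),
    ("hrt_1", BASE + "/random",
     "HTTP/1.1 200 OK\nContent-Type: application/json\n"
     "Server: Apache Ranger\n"
     '{"startIndex":0,"totalCount":0,"vxUgsyncAuditInfoList":[]}'),
]

STATUS_LINE = re.compile(r"HTTP/\d(?:\.\d)?\s+(\d{3})\b")


def status_code(raw):
    """Return the final status code in a capture (curl -i can emit several
    status lines, for example after a 100 Continue or a redirect)."""
    codes = []
    for line in raw.splitlines():
        match = STATUS_LINE.match(line)
        if match:
            codes.append(int(match.group(1)))
    if not codes:
        raise ValueError("capture contains no HTTP status line")
    return codes[-1]


def segments(url):
    """Split the URL path into its non-empty segments."""
    return [part for part in urlsplit(url).path.split("/") if part]


def inconsistent_children(captures):
    """Return (user, allowed_url, denied_parent_path) for every 2xx response
    on a path below one where the same user received 401 or 403."""
    denied, allowed = {}, []
    for user, url, raw in captures:
        code = status_code(raw)
        if code in (401, 403):
            denied.setdefault(user, []).append(segments(url))
        elif 200 <= code < 300:
            allowed.append((user, url, segments(url)))
    findings = []
    for user, url, segs in allowed:
        for parent in denied.get(user, []):
            if len(segs) > len(parent) and segs[:len(parent)] == parent:
                findings.append((user, url, "/" + "/".join(parent)))
    return findings


if __name__ == "__main__":
    for user, url, parent in inconsistent_children(CAPTURES):
        print(f"{user}: 2xx on {url} but denied on {parent}")
```

A finding is a prompt to review the child endpoint's permission check, since some APIs intentionally expose narrower sub-resources to more users.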


[jira] [Commented] (RANGER-4048) Ranger asset ugsyncAudits/{syncSource} rest api is not handling the special characters input case

2023-01-17 Thread Abhishek Kumar (Jira)


[ 
https://issues.apache.org/jira/browse/RANGER-4048?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17678040#comment-17678040
 ] 

Abhishek Kumar commented on RANGER-4048:


/ugsyncAudits/{syncSource} API endpoint is deprecated and can be removed. The 
sync source can be used as a search criterion in the API endpoint /ugsyncAudits 
to achieve the same.
 

> Ranger asset ugsyncAudits/{syncSource} rest api is not handling the special 
> characters input case
> -
>
> Key: RANGER-4048
> URL: https://issues.apache.org/jira/browse/RANGER-4048
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Abhilash Perla
> Priority: Minor
>
> Test case steps followed:
> Called the API with test user
> {noformat}
> https://{ranger_base_url}/service/assets/ugsyncAudits/^&*U#$nix
> {noformat}
> Expected Result: 400 with error handled.
> Actual Result: The error is not handled and returned bad request.
> Output:
> {noformat}
> HTTP Status 400 – Bad Request
>     body {
>         font-family: Tahoma, Arial, sans-serif;
>     }
>     h1,
>     h2,
>     h3,
>     b {
>         color: white;
>         background-color: #525D76;
>     }
>     h1 {
>         font-size: 22px;
>     }
>     h2 {
>         font-size: 16px;
>     }
>     h3 {
>         font-size: 14px;
>     }
>     p {
>         font-size: 12px;
>     }
>     a {
>         color: black;
>     }
>     .line {
>         height: 1px;
>         background-color: #525D76;
>         border: none;
>     }
>
> HTTP Status 400 – Bad Request
> {noformat}





Re: Review Request 74279: RANGER-4042: Remove redundant ugsync poc package

2023-01-17 Thread Sailaja Polavarapu

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74279/#review225101
---


Ship it!




Ship It!

- Sailaja Polavarapu


On Jan. 15, 2023, 11:01 p.m., Abhishek  Kumar wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74279/
> ---
> 
> (Updated Jan. 15, 2023, 11:01 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj and Sailaja Polavarapu.
> 
> 
> Bugs: RANGER-4042
> https://issues.apache.org/jira/browse/RANGER-4042
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> org.apache.ranger.unixusersync.poc package and its classes are redundant and 
> unreferenced. This may be removed.
> 
> 
> Diffs
> -
> 
>   ugsync/src/main/java/org/apache/ranger/unixusersync/poc/InvalidGroupException.java 86197bfd6 
>   ugsync/src/main/java/org/apache/ranger/unixusersync/poc/InvalidUserException.java 0dca55e00 
>   ugsync/src/main/java/org/apache/ranger/unixusersync/poc/ListRangerUser.java 4fa1ad05d 
>   ugsync/src/main/java/org/apache/ranger/unixusersync/poc/ListRangerUserGroup.java 8d5bf2a17 
>   ugsync/src/main/java/org/apache/ranger/unixusersync/poc/ListUserGroupTest.java 6fc4c2db7 
>   ugsync/src/main/java/org/apache/ranger/unixusersync/poc/ListUserTest.java 04f70d05d 
>   ugsync/src/main/java/org/apache/ranger/unixusersync/poc/RangerClientUserGroupMapping.java 88a6c5d72 
>   ugsync/src/main/java/org/apache/ranger/unixusersync/poc/RangerJSONParser.java 0a3d6d7b8 
>   ugsync/src/main/java/org/apache/ranger/unixusersync/poc/RangerUserGroupMapping.java d1851277f 
>   ugsync/src/main/java/org/apache/ranger/unixusersync/poc/RestClientPost.java b4b69ecc2 
> 
> 
> Diff: https://reviews.apache.org/r/74279/diff/1/
> 
> 
> Testing
> ---
> 
> mvn clean package runs fine.
> No references found in the codebase.
> 
> 
> Thanks,
> 
> Abhishek  Kumar
> 
>



[jira] [Updated] (RANGER-4051) [Usersync] LDAP caseconversion causes Ranger to change login

2023-01-17 Thread Abhishek Pal (Jira)


 [ 
https://issues.apache.org/jira/browse/RANGER-4051?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Pal updated RANGER-4051:
-
Flags: Important

> [Usersync] LDAP caseconversion causes Ranger to change login
> 
>
> Key: RANGER-4051
> URL: https://issues.apache.org/jira/browse/RANGER-4051
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Abhishek Pal
> Priority: Critical
>
> Currently, when in Ranger, if we log in to the admin account, it logs into
> 'admin'.
> After enabling the caseconversion property to say upper-case, this changes
> into ADMIN, which causes it to treat this as a new account.





[jira] [Created] (RANGER-4051) [Usersync] LDAP caseconversion causes Ranger to change login

2023-01-17 Thread Abhishek Pal (Jira)
Abhishek Pal created RANGER-4051:


Summary: [Usersync] LDAP caseconversion causes Ranger to change login
Key: RANGER-4051
URL: https://issues.apache.org/jira/browse/RANGER-4051
Project: Ranger
Issue Type: Bug
Components: Ranger
Reporter: Abhishek Pal


Currently, when in Ranger, if we log in to the admin account, it logs into 
'admin'.
After enabling the caseconversion property to say upper-case, this changes into 
ADMIN, which causes it to treat this as a new account.





[jira] [Created] (RANGER-4050) Session Inactivity Timeout: Ranger react UI part.

2023-01-17 Thread Dhaval Rajpara (Jira)
Dhaval Rajpara created RANGER-4050:
--

 Summary: Session Inactivity Timeout: Ranger react UI part.
 Key: RANGER-4050
 URL: https://issues.apache.org/jira/browse/RANGER-4050
 Project: Ranger
  Issue Type: New Feature
  Components: Ranger
Reporter: Dhaval Rajpara
Assignee: Dhaval Rajpara


*Background*

Ranger users who log in via one of the supported authentication flavors stay 
logged in until they choose to log out.

This is a security hole in the scenario where the user has logged in and has 
left their desk. The inactivity does not result in early log out.

This implementation addresses that problem.

*Scenarios*
 * Login to single session.
 * Login to multiple tabs.
 * Login to multiple services each having its own inactivity detection and 
logout implementation.





Re: Review Request 74259: RANGER-3998: Support Ranger KMS integration with AWS KMS

2023-01-17 Thread Kirby Zhou

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74259/
---

(Updated Jan. 17, 2023, 9:49 a.m.)


Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, 
Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen Mansoori, Mehul 
Parikh, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal Suvagia, and 
Velmurugan Periasamy.


Changes
---

Rebase to HEAD


Bugs: ranger-3998
https://issues.apache.org/jira/browse/ranger-3998


Repository: ranger


Description
---

AWS KMS is widely used by many customers.
Therefore, RangerKMS should support hosting MasterKey to AWS KMS.


Diffs (updated)
-

  distro/src/main/assembly/kms.xml 4b4a2ac8e 
  kms/config/kms-webapp/dbks-site.xml 258d331d8 
  kms/pom.xml e97b993d7 
  kms/scripts/install.properties 0e5da3c75 
  kms/scripts/setup.sh f723e09bb 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerAWSKMSProvider.java PRE-CREATION 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java 429d1ce45 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerTencentKMSProvider.java 1f0125967 


Diff: https://reviews.apache.org/r/74259/diff/5/

Changes: https://reviews.apache.org/r/74259/diff/4-5/


Testing
---

Tested under macos-13 and centos-8


Thanks,

Kirby Zhou



Re: Review Request 73912: RANGER-3682 Unify the ways that rangerkeystore to encapsulate zonekey

2023-01-17 Thread Kirby Zhou

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73912/
---

(Updated Jan. 17, 2023, 9:34 a.m.)


Review request for ranger, Bhavik Bavishi, Dhaval Shah, Dineshkumar Yadav, 
Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen 
Mansoori, Madhan Neethiraj, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, 
Ramesh Mani, VaradreawiZTV VaradreawiZTV, Vishal Suvagia, and Velmurugan 
Periasamy.


Changes
---

Rebase to HEAD


Bugs: RANGER-3682
https://issues.apache.org/jira/browse/RANGER-3682


Repository: ranger


Description
---

Unify the ways that rangerkeystore to encapsulate zonekey

Now we have 2 styles of MasterKeyProvider:
1. RangerMasterKey, RangerHSM, RangerSafenetKeySecure
2. RangerAzureKeyVaultKeyGenerator, RangerGoogleCloudHSMProvider, RangerTencentKMSProvider

Style 1 can get the master key string out of the provider; style 2 cannot.
Previously, I added a flag, KeyVaultEnabled, to distinguish them. 
KeyVaultEnabled=false means style 1, true means style 2.
RangerKeyStore with style 1 uses SecretKeyEntry with SealedObject to store a key 
and does encryption / decryption by itself.
RangerKeyStore with style 2 uses SecretKeyByteEntry to store a key and lets the MK 
provider do encryption / decryption.
These are ugly and hard to maintain. I refactored it by removing SecretKeyEntry 
and letting providers of style 1 do encryption / decryption.
Added a common base class for RangerMasterKey, RangerHSM and 
RangerSafenetKeySecure, named AbstractRangerMasterKey. It provides the common 
logic of encryptZoneKey and decryptZoneKey.
Also, there is no unified method to initialize a master key provider. Duplicate 
code is distributed in RangerKeyStoreProvider and a bunch of CLI classes.
I made a new RangerKMSMKIFactory class to unify it.


Diffs (updated)
-

  kms/src/main/java/org/apache/hadoop/crypto/key/AbstractRangerMasterKey.java PRE-CREATION 
  kms/src/main/java/org/apache/hadoop/crypto/key/DBToAzureKeyVault.java 39de0a503 
  kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java a1a6f348b 
  kms/src/main/java/org/apache/hadoop/crypto/key/MigrateDBMKeyToGCP.java d3b717a8a 
  kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java 1935a0185 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerGoogleCloudHSMProvider.java a61cabb1b 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java 90ef729b2 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSMKI.java b09cd5bad 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKMSMKIFactory.java PRE-CREATION 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java 7188b19b2 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java 429d1ce45 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java b6fc32950 
  kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java eb8a90a71 
  kms/src/main/java/org/apache/hadoop/crypto/key/VerifyIsDBMasterkeyCorrect.java 632e728f4 
  kms/src/main/java/org/apache/hadoop/crypto/key/VerifyIsHSMMasterkeyCorrect.java e5ebeb783 
  kms/src/main/java/org/apache/ranger/kms/biz/RangerKMSStartUp.java 8b0f74eac 
  kms/src/test/java/org/apache/hadoop/crypto/key/kms/TestRangerKeyStore.java bcdf2e337 
  kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/RangerMasterKeyTest.java f420322ca 


Diff: https://reviews.apache.org/r/73912/diff/4/

Changes: https://reviews.apache.org/r/73912/diff/3-4/


Testing
---

Tested by fresh install and update.


Thanks,

Kirby Zhou