[jira] [Commented] (RANGER-4038) Upgrade spring framework and spring security versions
[ https://issues.apache.org/jira/browse/RANGER-4038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17699958#comment-17699958 ]

Himanshu Maurya commented on RANGER-4038:
-----------------------------------------

Hi [~pradeep], I have reported this based on the CVE listed in https://mvnrepository.com/artifact/org.springframework/spring-web/5.3.23

> Upgrade spring framework and spring security versions
> -----------------------------------------------------
>
>                 Key: RANGER-4038
>                 URL: https://issues.apache.org/jira/browse/RANGER-4038
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Himanshu Maurya
>            Assignee: Himanshu Maurya
>            Priority: Major
>
> Pivotal Spring Framework up to (excluding) 6.0.0 suffers from a potential
> remote code execution (RCE) issue if used for Java deserialization of
> untrusted data. Depending on how the library is implemented within a product,
> this issue may or may not occur, and authentication may be required.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Updated] (RANGER-4038) Upgrade spring framework and spring security versions
[ https://issues.apache.org/jira/browse/RANGER-4038?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Himanshu Maurya updated RANGER-4038:
------------------------------------

    Description:
Pivotal Spring Framework up to (excluding) 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required.

  was:
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required.

> Upgrade spring framework and spring security versions
> -----------------------------------------------------
>
>                 Key: RANGER-4038
>                 URL: https://issues.apache.org/jira/browse/RANGER-4038
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Himanshu Maurya
>            Assignee: Himanshu Maurya
>            Priority: Major
>
> Pivotal Spring Framework up to (excluding) 6.0.0 suffers from a potential
> remote code execution (RCE) issue if used for Java deserialization of
> untrusted data. Depending on how the library is implemented within a product,
> this issue may or may not occur, and authentication may be required.
[jira] [Commented] (RANGER-4127) Unable to delete the user if policy is created by same user and added in the policy item
[ https://issues.apache.org/jira/browse/RANGER-4127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17699953#comment-17699953 ]

Pradeep Agrawal commented on RANGER-4127:
-----------------------------------------

Commit link for 2.4 branch: https://github.com/apache/ranger/commit/262d53cc2ce6bd21bf0493451e605a9990a405e9
Commit link for master branch: https://github.com/apache/ranger/commit/85cf0c2da119af379bc1f818ab6a47c2315a14a9

> Unable to delete the user if policy is created by same user and added in the
> policy item
> ---------------------------------------------------------------------------
>
>                 Key: RANGER-4127
>                 URL: https://issues.apache.org/jira/browse/RANGER-4127
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Pradeep Agrawal
>            Assignee: Pradeep Agrawal
>            Priority: Major
>             Fix For: 3.0.0, 2.4.0
>
>
> *Steps to reproduce:*
> Log in as a user having "admin" role access and create a user (for example
> testuser1). The new user should have the "admin" role.
> Log in as that user (testuser1) and go to the create policy page of any ranger
> service. Add the same user in a policy item. Save the policy. Log out from the
> current user (testuser1).
> Log in as some other user who has the "admin" role and try to delete the user
> "testuser1".
>
> Expected result: "testuser1" should be deleted and removed from the policy.
> Actual output: "*Error!* Error occurred during deleting Users: testuser1"
[jira] [Commented] (RANGER-4123) No policy found for given version
[ https://issues.apache.org/jira/browse/RANGER-4123?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17699952#comment-17699952 ]

Pradeep Agrawal commented on RANGER-4123:
-----------------------------------------

Commit link for 2.4 branch: [https://github.com/apache/ranger/commit/02e976602f9b827d888213f3077c980acc17765c|https://github.com/apache/ranger/commit/5fe35623a444f5a5af816aecf1d787591933db78]
Commit link for master branch: https://github.com/apache/ranger/commit/00f4934797e3481c739276cc0b7c4b70b7ec8584

> No policy found for given version
> ---------------------------------
>
>                 Key: RANGER-4123
>                 URL: https://issues.apache.org/jira/browse/RANGER-4123
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 0.7.0, 1.0.0, 0.7.1, 1.1.0, 2.0.0, 1.2.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0
>            Reporter: Pradeep Agrawal
>            Assignee: Pradeep Agrawal
>            Priority: Major
>             Fix For: 3.0.0, 2.4.0
>
>
> When we click on a policy ID in the ranger audit page, we may get this error:
> "No policy found for given version"
> This is happening after the upgrade from ranger-0.6 to ranger-2.4.
[jira] [Commented] (RANGER-4109) Add unique constraint on resource_signature column of x_rms_service_resource table
[ https://issues.apache.org/jira/browse/RANGER-4109?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17699951#comment-17699951 ]

Pradeep Agrawal commented on RANGER-4109:
-----------------------------------------

Commit link for 2.4 branch: https://github.com/apache/ranger/commit/02e976602f9b827d888213f3077c980acc17765c
Commit link for master branch: https://github.com/apache/ranger/commit/d5ae8af36d589c78dd4fd2d5336c0cc0fee36eab

> Add unique constraint on resource_signature column of x_rms_service_resource
> table
> ---------------------------------------------------------------------------
>
>                 Key: RANGER-4109
>                 URL: https://issues.apache.org/jira/browse/RANGER-4109
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Pradeep Agrawal
>            Assignee: Pradeep Agrawal
>            Priority: Major
>             Fix For: 3.0.0
>
>         Attachments: 0001-RANGER-4109-Add-unique-constraint-on-resource_signat.patch
>
>
> Add unique constraint on resource_signature column of x_rms_service_resource
> table
[jira] [Commented] (RANGER-4038) Upgrade spring framework and spring security versions
[ https://issues.apache.org/jira/browse/RANGER-4038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17699941#comment-17699941 ]

Pradeep Agrawal commented on RANGER-4038:
-----------------------------------------

What is the affected version? The latest code base is using 5.3.23.

> Upgrade spring framework and spring security versions
> -----------------------------------------------------
>
>                 Key: RANGER-4038
>                 URL: https://issues.apache.org/jira/browse/RANGER-4038
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Himanshu Maurya
>            Assignee: Himanshu Maurya
>            Priority: Major
>
> Pivotal Spring Framework through 5.3.16 suffers from a potential remote code
> execution (RCE) issue if used for Java deserialization of untrusted data.
> Depending on how the library is implemented within a product, this issue may
> or may not occur, and authentication may be required.
Re: Review Request 74343: RANGER-4127: Unable to delete the user if policy is created by same user and added in the policy item
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74343/#review225265
-----------------------------------------------------------

Ship it!

Ship It!

- Abhay Kulkarni


On March 9, 2023, 9:27 a.m., Pradeep Agrawal wrote:

> -----------------------------------------------------------
> To reply, visit: https://reviews.apache.org/r/74343/
> -----------------------------------------------------------
>
> (Updated March 9, 2023, 9:27 a.m.)
>
>
> Review request for ranger, Abhishek Kumar, Dineshkumar Yadav, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Nikhil P, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-4127
>     https://issues.apache.org/jira/browse/RANGER-4127
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Statement:**
> Currently the RangerPolicy object is fetched from the DB a bit early and kept in memory. After that, the references to the user are deleted from other tables. Later, the same RangerPolicy object, which still holds a few references to the same user, is used to update the policy. Since the user's references have been removed, it fails with a ForeignKeyConstraintViolation error.
>
> Steps to reproduce:
> Log in as a user having "admin" role access and create a user (for example testuser1). The new user should have the "admin" role.
> Log in as that user (testuser1) and go to the create policy page of any ranger service. Add the same user in a policy item. Save the policy. Log out from the current user (testuser1).
> Log in as some other user who has the "admin" role and try to delete the user "testuser1".
>
> Output: "Error! Error occurred during deleting Users: testuser1"
>
> **Proposed solution:**
>
> Load the Ranger policies of the user after removing the references to the x_portal_user table from the child table.
>
>
> Diffs
> -----
>
>   security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 49a74cd1e
>
>
> Diff: https://reviews.apache.org/r/74343/diff/1/
>
>
> Testing
> -------
>
> Logged in as a user having "admin" role access and created a user "testuser2" with the "admin" role. Logged out from the "admin" user.
> Logged in as "testuser2" and created an HDFS policy with "testuser2" in the policy item. Logged out from the "testuser2" user.
> Logged in as the "admin" user and deleted the user "testuser2".
>
> Actual result: "testuser2" was deleted and removed from the HDFS policy.
>
>
> Thanks,
>
> Pradeep Agrawal
>
Re: Review Request 74338: RANGER-4123: No policy found for given version
-----------------------------------------------------------
To reply, visit: https://reviews.apache.org/r/74338/#review225264
-----------------------------------------------------------

Ship it!

Ship It!

- Abhay Kulkarni


On March 6, 2023, 10:14 a.m., Pradeep Agrawal wrote:

> -----------------------------------------------------------
> To reply, visit: https://reviews.apache.org/r/74338/
> -----------------------------------------------------------
>
> (Updated March 6, 2023, 10:14 a.m.)
>
>
> Review request for ranger, Abhishek Kumar, Dineshkumar Yadav, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Nikhil P, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-4123
>     https://issues.apache.org/jira/browse/RANGER-4123
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Statement:**
> During the ranger upgrade process, Java patch J10019 updates the policy, and the policy JSON is also updated in the policy_text column of each row. However, the policy update entry is not being captured in x_data_hist. Whenever we click on the policy id link of the access audit page, the /plugins/policies/eventTime API is called along with the corresponding policy id and version. If the x_data_hist table does contain such an entry, then the API request fails with the error message "No policy found for given version".
>
> **Proposed solution:** The proposed changes shall create an entry in the x_data_hist table for each policy which is being updated.
>
>
> Diffs
> -----
>
>   security-admin/src/main/java/org/apache/ranger/patch/PatchForUpdatingPolicyJson_J10019.java 6eb3315e7
>
>
> Diff: https://reviews.apache.org/r/74338/diff/1/
>
>
> Testing
> -------
>
> Without this patch, x_data_hist did not have any entry after the execution of patch J10019.
> After this change, the x_data_hist table is populated and the API call is working.
>
>
> Thanks,
>
> Pradeep Agrawal
>
Re: Review Request 74327: RANGER-4109: Add unique constraint on resource_signature column of x_rms_service_resource table
-----------------------------------------------------------
To reply, visit: https://reviews.apache.org/r/74327/#review225263
-----------------------------------------------------------

Ship it!

Ship It!

- Abhay Kulkarni


On Feb. 28, 2023, 7:12 a.m., Pradeep Agrawal wrote:

> -----------------------------------------------------------
> To reply, visit: https://reviews.apache.org/r/74327/
> -----------------------------------------------------------
>
> (Updated Feb. 28, 2023, 7:12 a.m.)
>
>
> Review request for ranger, Abhishek Kumar, Dineshkumar Yadav, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Nikhil P, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-4109
>     https://issues.apache.org/jira/browse/RANGER-4109
>
>
> Repository: ranger
>
>
> Description
> -------
>
> RANGER-3067 added an index on the resource_signature column of the x_rms_service_resource table, but it's not a unique index and may allow duplication of entries. To avoid this situation, the key index should be changed to a unique index.
>
>
> Diffs
> -----
>
>   security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql 9a79fe8ad
>   security-admin/db/mysql/patches/065-add-uk-on-x_rms_service_resource-resource_signature.sql PRE-CREATION
>   security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql fd6cec9a7
>   security-admin/db/oracle/patches/065-add-uk-on-x_rms_service_resource-resource_signature.sql PRE-CREATION
>   security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql 4d5a8cedf
>   security-admin/db/postgres/patches/065-add-uk-on-x_rms_service_resource-resource_signature.sql PRE-CREATION
>   security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql 3ed2a5b9c
>   security-admin/db/sqlanywhere/patches/065-add-uk-on-x_rms_service_resource-resource_signature.sql PRE-CREATION
>   security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql ca8f7da1f
>   security-admin/db/sqlserver/patches/065-add-uk-on-x_rms_service_resource-resource_signature.sql PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/74327/diff/2/
>
>
> Testing
> -------
>
> Tested fresh and upgrade installation. This patch removes the existing index and adds the unique index on the resource_signature column of the x_rms_service_resource table.
> Tested the patch for mysql, postgres and oracle DB flavors.
>
>
> Thanks,
>
> Pradeep Agrawal
>
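As an added illustration of the migration described in the RANGER-4109 review (this is not Ranger's own 065 patch), a MySQL-flavoured script that first checks for duplicate resource_signature values, since a unique index cannot be created while duplicates exist, and only then swaps the non-unique index for a unique constraint. The table and column names come from the review request; the existing index name and the new constraint name are assumptions.

```sql
-- Added example, not the project's patch. Table and column names are from
-- RANGER-4109; the index name x_rms_service_resource_IDX_resource_signature
-- and the constraint name below are ASSUMPTIONS: confirm the real index name
-- with SHOW INDEX before running anything.

-- 1. Precondition: a unique index can only be built when no two rows share a
--    resource_signature. List any duplicates so they can be reconciled first.
--    If this query returns rows, the ALTER in step 2 will fail (which is the
--    safe outcome: the constraint never silently drops data).
SELECT resource_signature, COUNT(*) AS occurrences
FROM   x_rms_service_resource
WHERE  resource_signature IS NOT NULL
GROUP  BY resource_signature
HAVING COUNT(*) > 1;

-- 2. Only after step 1 returns no rows: drop the non-unique key index that
--    RANGER-3067 introduced and replace it with a unique constraint.
ALTER TABLE x_rms_service_resource
  DROP INDEX x_rms_service_resource_IDX_resource_signature;   -- assumed name

ALTER TABLE x_rms_service_resource
  ADD CONSTRAINT x_rms_service_resource_UK_resource_signature  -- assumed name
  UNIQUE (resource_signature);

-- 3. Verify the swap: the remaining index on the column must report
--    Non_unique = 0.
SHOW INDEX FROM x_rms_service_resource WHERE Column_name = 'resource_signature';
```

On an upgrade install the step-1 check is the part worth keeping: it tells you whether the duplication the ticket warns about has already occurred before the constraint is enforced.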
[GitHub] [ranger] fateh288 opened a new pull request, #234: RANGER 4131: Use SessionState to log clientIP in RangerHiveAuthorizer
fateh288 opened a new pull request, #234:
URL: https://github.com/apache/ranger/pull/234

## What changes were proposed in this pull request?

ipc.Server, when used to fetch the client IP, does not work. SessionState works and logs the client IP.

## How was this patch tested?

From beeline, enter commands to CREATE ROLE. The client IP is now visible after the new patch:
https://user-images.githubusercontent.com/12212643/224787198-b63e1191-28a8-42f5-a487-a4ee7377cca9.png

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@ranger.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Re: Review Request 74346: RANGER-4122: Reorganize checkAdminAccess() and several authority check methods.
-----------------------------------------------------------
To reply, visit: https://reviews.apache.org/r/74346/
-----------------------------------------------------------

(Updated March 13, 2023, 5:49 p.m.)


Review request for ranger, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, Subhrat Chaudhary, and Velmurugan Periasamy.


Bugs: RANGER-4122
    https://issues.apache.org/jira/browse/RANGER-4122


Repository: ranger


Description
-------

I have checked the implementation of checkAdminAccess() in @XAuditMgr, @UserMgr and @XUserMgr; it turns out that these methods are the same, so I unify them into @RangerAuthorizationHelper. @RangerAuthorizationHelper is in Request scope, which means the Spring container binds an instance to each HttpRequest. In this way, Ranger Admin can return an error as soon as possible when the UserSession or LoginId of the current request is invalid. Additionally, @checkAdminAccess in RangerBizUtil seems to be inconsistent with those above, and I use isAdmin() instead.


Diffs (updated)
-----

  security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 4581112fe
  security-admin/src/main/java/org/apache/ranger/biz/RangerAuthorizationHelper.java PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java f9294c1e1
  security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java 421b2312d
  security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java d5393603e
  security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java 75371f4b2
  security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 49a74cd1e
  security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java faad41c6c
  security-admin/src/test/java/org/apache/ranger/biz/TestRangerAuthorizationHelper.java PRE-CREATION
  security-admin/src/test/java/org/apache/ranger/biz/TestRangerBizUtil.java 22e290a66
  security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java b6c43133b
  security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java 528f4e511
  security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java 74744e6cf


Diff: https://reviews.apache.org/r/74346/diff/2/

Changes: https://reviews.apache.org/r/74346/diff/1-2/


Testing
-------

Tested the Ranger build using the command below:

    mvn clean compile package -DskipTests -Psecurity-admin-react

Successfully set up Ranger Admin UI with the updated react 18.2.0 version.


File Attachments
----------------

0001-RANGER-4122-Reorganize-checkAdminAccess-and-serveral.patch
  https://reviews.apache.org/media/uploaded/files/2023/03/12/97095ba9-00e3-4e95-be7c-9c0ee9133249__0001-RANGER-4122-Reorganize-checkAdminAccess-and-serveral.patch


Thanks,

YiJi Gao
[jira] [Created] (RANGER-4131) clientIP is not logged for create/grant/revoke role operations via hive beeline
Fateh Singh created RANGER-4131:
-----------------------------------

             Summary: clientIP is not logged for create/grant/revoke role operations via hive beeline
                 Key: RANGER-4131
                 URL: https://issues.apache.org/jira/browse/RANGER-4131
             Project: Ranger
          Issue Type: Bug
          Components: Ranger
            Reporter: Fateh Singh
            Assignee: Fateh Singh


For user operations via hive beeline to create a role, grant a role to a user, or revoke a role from a user, ranger access audits are not displaying the clientIP.
Re: Review Request 74342: RANGER-4126: Fetching getDBVersion in BaseDao class in the security-admin-web throws Exception for Oracle Database
-----------------------------------------------------------
To reply, visit: https://reviews.apache.org/r/74342/
-----------------------------------------------------------

(Updated March 13, 2023, 2:50 p.m.)


Review request for ranger, Don Bosco Durai, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, Subhrat Chaudhary, and Velmurugan Periasamy.


Bugs: RANGER-4126
    https://issues.apache.org/jira/browse/RANGER-4126


Repository: ranger


Description
-------

The `getDBVersion` function in `BaseDao` in the security-admin-web module throws an exception even for successful query execution on Oracle DB, since it tries to cast an array of Objects to a String.


Diffs (updated)
-----

  security-admin/src/main/java/org/apache/ranger/common/db/BaseDao.java 418557bcb
  security-admin/src/main/java/org/apache/ranger/patch/cliutil/MetricUtil.java 8a13a1712


Diff: https://reviews.apache.org/r/74342/diff/3/

Changes: https://reviews.apache.org/r/74342/diff/2-3/


Testing
-------

Tested with Oracle DB and it works fine.


Thanks,

Ramachandran Krishnan
Re: Review Request 74342: RANGER-4126: Fetching getDBVersion in BaseDao class in the security-admin-web throws Exception for Oracle Database
-----------------------------------------------------------
To reply, visit: https://reviews.apache.org/r/74342/
-----------------------------------------------------------

(Updated March 13, 2023, 2:33 p.m.)


Review request for ranger, Don Bosco Durai, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, Subhrat Chaudhary, and Velmurugan Periasamy.


Bugs: RANGER-4126
    https://issues.apache.org/jira/browse/RANGER-4126


Repository: ranger


Description
-------

The `getDBVersion` function in `BaseDao` in the security-admin-web module throws an exception even for successful query execution on Oracle DB, since it tries to cast an array of Objects to a String.


Diffs (updated)
-----

  0001-RANGER-4126-Fetching-getDBVersion-in-BaseDao-class-i.patch PRE-CREATION
  security-admin/src/main/java/org/apache/ranger/common/db/BaseDao.java 418557bcb
  security-admin/src/main/java/org/apache/ranger/patch/cliutil/MetricUtil.java 8a13a1712


Diff: https://reviews.apache.org/r/74342/diff/2/

Changes: https://reviews.apache.org/r/74342/diff/1-2/


Testing
-------

Tested with Oracle DB and it works fine.


Thanks,

Ramachandran Krishnan
[jira] [Updated] (RANGER-4038) Upgrade spring framework and spring security versions
[ https://issues.apache.org/jira/browse/RANGER-4038?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Himanshu Maurya updated RANGER-4038:
------------------------------------

    Summary: Upgrade spring framework and spring security versions  (was: Upgrade springframework.version from 5.3.23 to 6.0.0)

> Upgrade spring framework and spring security versions
> -----------------------------------------------------
>
>                 Key: RANGER-4038
>                 URL: https://issues.apache.org/jira/browse/RANGER-4038
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Himanshu Maurya
>            Assignee: Himanshu Maurya
>            Priority: Major
>
> Pivotal Spring Framework through 5.3.16 suffers from a potential remote code
> execution (RCE) issue if used for Java deserialization of untrusted data.
> Depending on how the library is implemented within a product, this issue may
> or may not occur, and authentication may be required.