Re: Review Request 74443: RANGER-4103 : Fix for improving logout mechanism in Ranger react code base.
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/74443/#review225464 --- Ship it! Ship It! - Mugdha Varadkar On May 17, 2023, 1:30 p.m., Dhaval Rajpara wrote: > > --- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/74443/ > --- > > (Updated May 17, 2023, 1:30 p.m.) > > > Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Harshal Chavan, > Kishor Gollapalliwar, Madhan Neethiraj, Mehul Parikh, Mugdha Varadkar, Nitin > Galave, Pradeep Agrawal, and Velmurugan Periasamy. > > > Bugs: RANGER-4103 > https://issues.apache.org/jira/browse/RANGER-4103 > > > Repository: ranger > > > Description > --- > > While logout to react UI "Something went wrong" Page appear and than login > page come > > > Diffs > - > > security-admin/src/main/webapp/react-webapp/src/App.jsx 19c04056a > > security-admin/src/main/webapp/react-webapp/src/components/XATableLayout.jsx > ff0a6f959 > security-admin/src/main/webapp/react-webapp/src/hooks/usePrompt.js > 7840c4826 > security-admin/src/main/webapp/react-webapp/src/utils/XAEnums.js 75a59ebff > security-admin/src/main/webapp/react-webapp/src/utils/XAUtils.js bd57c53c4 > > security-admin/src/main/webapp/react-webapp/src/views/AuditEvent/AdminLogs/PolicyLogs.jsx > c49f0bda2 > > security-admin/src/main/webapp/react-webapp/src/views/AuditEvent/AdminLogs/SecurityZonelogs.jsx > 739e32aac > security-admin/src/main/webapp/react-webapp/src/views/ErrorPage.jsx > 0a71c5fb6 > security-admin/src/main/webapp/react-webapp/src/views/Header.jsx 9582ab6a3 > security-admin/src/main/webapp/react-webapp/src/views/Layout.jsx 135ed35c9 > > security-admin/src/main/webapp/react-webapp/src/views/ServiceManager/ServiceDefinition.jsx > ba7e7417b > > security-admin/src/main/webapp/react-webapp/src/views/ServiceManager/ServiceForm.jsx > c161572c1 > > security-admin/src/main/webapp/react-webapp/src/views/UserGroupRoleListing/users_details/UserListing.jsx > 71eee23c4 > > > Diff: https://reviews.apache.org/r/74443/diff/1/ > > > Testing > --- > > Tested that While logout ranger UI logout properly without displaing > "Something went wrong" page. > > > Thanks, > > Dhaval Rajpara > >
Re: Review Request 74170: RANGER-3947 fix thread leak in SolrCollectionBootstrapper
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/74170/ --- (Updated May 18, 2023, 6:38 a.m.) Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Nikhil P, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy. Changes --- Updated log level to warning from severe Bugs: RANGER-3947 https://issues.apache.org/jira/browse/RANGER-3947 Repository: ranger Description --- Closing the solr cloud client in SolrCollectionBootstrapper's retry loop of creating solr config and collection. Without this new solr cloud client is created in every loop and new connection pools which will not be cleaned up and create large number of threads Diffs (updated) - embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/SolrCollectionBootstrapper.java fe4006f76 Diff: https://reviews.apache.org/r/74170/diff/2/ Changes: https://reviews.apache.org/r/74170/diff/1-2/ Testing --- Ran ranger-admin without ranger_audit config in zk and no contrib/solr_for_audit_setup/conf file which leads to retry loop and verified that threads aren't increasinng Thanks, Sai Sandeep Rangisetti
[jira] [Updated] (RANGER-4225) Possible Jackson serialization issue due to not comply with Java bean standards
[
https://issues.apache.org/jira/browse/RANGER-4225?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sercan Tekin updated RANGER-4225:
-
Fix Version/s: 3.0.0
> Possible Jackson serialization issue due to not comply with Java bean
> standards
> ---
>
> Key: RANGER-4225
> URL: https://issues.apache.org/jira/browse/RANGER-4225
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
>Affects Versions: 2.4.0
>Reporter: Sercan Tekin
>Assignee: Sercan Tekin
>Priority: Major
> Fix For: 3.0.0
>
> Attachments: RANGER-4225.patch
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> *PROBLEM:*
> Transitive Jackson-2 dependencies are included into Ranger's classpath in my
> env and conflicted with Jackson-1 dependencies.
> Jackson-2 uses Javabean naming conventions to figure out the Json properties
> in a Java class and some of the Ranger's model classes don't comply with the
> convention.
> For example, when the leading camelcase word is only one letter in length,
> then deserialized response is broken. The following is what I observed in
> Ranger;
> On Ranger UI side, this
> [code-block|https://github.com/apache/ranger/blob/ranger-1.2/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js#L224-L229]
> attempts to read vXStrings key in map, but the corresponding response has
> vxstrings:
> {code:java}
> {
> "startIndex": 0,
> "pageSize": 200,
> "totalCount": 11,
> "resultSize": 11,
> "sortType": "asc",
> "sortBy": "id",
> "listSize": 11,
> "vxstrings": [< here! This has to be vXStrings
> {
> "value": "public",
> ... {code}
> And this difference causes below issue while reading the property, therefore
> the corresponding dropdown has no values as excepted;
> {code:java}
> PermissionList.js?ver=build.version:226 Uncaught TypeError: Cannot read
> properties of undefined (reading 'map')
> at Object.results (PermissionList.js?ver=build.version:226:34)
> at Object.success (select2.js?ver=build.version:450:47)
> at u (jquery-3.3.1.min.js?ver=build.version:2:27457)
> at Object.fireWith [as resolveWith]
> (jquery-3.3.1.min.js?ver=build.version:2:28202)
> at k (jquery-3.3.1.min.js?ver=build.version:2:77651)
> at XMLHttpRequest.
> (jquery-3.3.1.min.js?ver=build.version:2:79907){code}
> *REFERENCES:*
> Please see this reference related to capital letters
> [http://futuretask.blogspot.com/2005/01/java-tip-6-dont-capitalize-first-two.html]
> "Don't capitalize first two letters of a bean property name. This is in our
> java standards. You should not create a java bean property name that begins
> with a capital letter in the 1st two places."
> Also you can see the same issue is reported here
> [https://stackoverflow.com/questions/30205006/why-does-jackson-2-not-recognize-the-first-capital-letter-if-the-leading-camel-c]
>
> *SOLUTION:*
> {{@JsonProperty}} annotation needs to be added for mapping the properties
> with their corresponding getter/setter methods. This will not effect Ranger's
> functionality directly, but it will provide consistency even if Jackson-2 is
> included into classpath.
> I have tested it locally after adding {{@JsonProperty}} and everything worked
> well.
> I will be providing a PR.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
Re: Review Request 74423: RANGER-4219: Grant permission in Impala engine not working with {user} in ranger policy
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74423/#review225463
---
Ship it!
Ship It!
- Madhan Neethiraj
On May 17, 2023, 5:20 p.m., Abhay Kulkarni wrote:
>
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74423/
> ---
>
> (Updated May 17, 2023, 5:20 p.m.)
>
>
> Review request for ranger, madhan, Madhan Neethiraj, Pradeep Agrawal, and
> Ramesh Mani.
>
>
> Bugs: RANGER-4219
> https://issues.apache.org/jira/browse/RANGER-4219
>
>
> Repository: ranger
>
>
> Description
> ---
>
> 1. users "test" and user has its own database "utest"
> 2. Ranger policy to grant permissions:
> —
> Database: u
>
> {USER}
> table: *
> columns: *
>
> Allow Conditions: user: {USER}
>
> permission: ALL +Delegate Admin
> —
>
> The grant does not work for Impala GRANTs. The following error is seen.
>
> > GRANT SELECT ON TABLE utest.testtable TO ROLE rolename;
>
> The response is:
> InternalException: Error granting a privilege in Ranger. Ranger error
> message: HTTP 403 Error: User doesn't have necessary permission to grant
> access
>
>
> Diffs
> -
>
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
> 96e232b43
>
>
> Diff: https://reviews.apache.org/r/74423/diff/2/
>
>
> Testing
> ---
>
> Compiled and ran unit tests successfully.
> Verified the fix using cURL command to invoke secureGrant REST endpoint.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 74423: RANGER-4219: Grant permission in Impala engine not working with {user} in ranger policy
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74423/
---
(Updated May 17, 2023, 5:20 p.m.)
Review request for ranger, madhan, Madhan Neethiraj, Pradeep Agrawal, and
Ramesh Mani.
Changes
---
Addressed review comment
Bugs: RANGER-4219
https://issues.apache.org/jira/browse/RANGER-4219
Repository: ranger
Description
---
1. users "test" and user has its own database "utest"
2. Ranger policy to grant permissions:
—
Database: u
{USER}
table: *
columns: *
Allow Conditions: user: {USER}
permission: ALL +Delegate Admin
—
The grant does not work for Impala GRANTs. The following error is seen.
> GRANT SELECT ON TABLE utest.testtable TO ROLE rolename;
The response is:
InternalException: Error granting a privilege in Ranger. Ranger error message:
HTTP 403 Error: User doesn't have necessary permission to grant access
Diffs (updated)
-
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
96e232b43
Diff: https://reviews.apache.org/r/74423/diff/2/
Changes: https://reviews.apache.org/r/74423/diff/1-2/
Testing
---
Compiled and ran unit tests successfully.
Verified the fix using cURL command to invoke secureGrant REST endpoint.
Thanks,
Abhay Kulkarni
Review Request 74443: RANGER-4103 : Fix for improving logout mechanism in Ranger react code base.
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/74443/ --- Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Harshal Chavan, Kishor Gollapalliwar, Madhan Neethiraj, Mehul Parikh, Mugdha Varadkar, Nitin Galave, Pradeep Agrawal, and Velmurugan Periasamy. Bugs: RANGER-4103 https://issues.apache.org/jira/browse/RANGER-4103 Repository: ranger Description --- While logout to react UI "Something went wrong" Page appear and than login page come Diffs - security-admin/src/main/webapp/react-webapp/src/App.jsx 19c04056a security-admin/src/main/webapp/react-webapp/src/components/XATableLayout.jsx ff0a6f959 security-admin/src/main/webapp/react-webapp/src/hooks/usePrompt.js 7840c4826 security-admin/src/main/webapp/react-webapp/src/utils/XAEnums.js 75a59ebff security-admin/src/main/webapp/react-webapp/src/utils/XAUtils.js bd57c53c4 security-admin/src/main/webapp/react-webapp/src/views/AuditEvent/AdminLogs/PolicyLogs.jsx c49f0bda2 security-admin/src/main/webapp/react-webapp/src/views/AuditEvent/AdminLogs/SecurityZonelogs.jsx 739e32aac security-admin/src/main/webapp/react-webapp/src/views/ErrorPage.jsx 0a71c5fb6 security-admin/src/main/webapp/react-webapp/src/views/Header.jsx 9582ab6a3 security-admin/src/main/webapp/react-webapp/src/views/Layout.jsx 135ed35c9 security-admin/src/main/webapp/react-webapp/src/views/ServiceManager/ServiceDefinition.jsx ba7e7417b security-admin/src/main/webapp/react-webapp/src/views/ServiceManager/ServiceForm.jsx c161572c1 security-admin/src/main/webapp/react-webapp/src/views/UserGroupRoleListing/users_details/UserListing.jsx 71eee23c4 Diff: https://reviews.apache.org/r/74443/diff/1/ Testing --- Tested that While logout ranger UI logout properly without displaing "Something went wrong" page. Thanks, Dhaval Rajpara
[jira] [Updated] (RANGER-4103) [Ranger-react] Fix for improving logout mechanism in Ranger react code base.
[ https://issues.apache.org/jira/browse/RANGER-4103?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Dhaval Rajpara updated RANGER-4103: --- Attachment: 0001-RANGER-4103.patch > [Ranger-react] Fix for improving logout mechanism in Ranger react code base. > > > Key: RANGER-4103 > URL: https://issues.apache.org/jira/browse/RANGER-4103 > Project: Ranger > Issue Type: Bug > Components: Ranger >Reporter: Dhaval Rajpara >Assignee: Dhaval Rajpara >Priority: Major > Labels: ranger-react > Attachments: 0001-RANGER-4103.patch > > > While logout to react UI "Something went wrong" Page appear and than login > page come -- This message was sent by Atlassian Jira (v8.20.10#820010)
RE: Issue with abac on trino plugin
Another thing noticed is that the condition script in the row filter is
checked four times!
2023-05-17T11:55:33.172Z INFO Query-20230517_115441_3_dik7b-310 stdout
ERROR - failed to evaluate condition '_expression': script engine not found
67082023-05-17T11:55:34.278Z INFO Query-20230517_115441_3_dik7b-310 stdout
ERROR - failed to evaluate condition '_expression': script engine not found
67092023-05-17T11:55:35.111Z INFO Query-20230517_115441_3_dik7b-310 stdout
ERROR - failed to evaluate condition '_expression': script engine not found
67102023-05-17T11:55:35.331Z INFO Query-20230517_115441_3_dik7b-310 stdout
ERROR - failed to evaluate condition '_expression': script engine not found
67112023-05-17T11:55:35.540Z INFO Query-20230517_115441_3_dik7b-310 stdout
ERROR - failed to evaluate condition '_expression': script engine not found
This slows down the query considerably.
Thanks,
Antonio Rotondi
IA Architecture
From: Rotondi, Antonio (RAGD 9)
Sent: 17 May 2023 12:49
To: Madhan Neethiraj ; dev@ranger.apache.org
Subject: RE: Issue with abac on trino plugin
Hi Madhan,
Thanks for your reply.
I applied the required change. I had to add the library to the trino plugin
distro assembly as well and remove the nashorn one from the code base as there
is not a version of that library for jdk>= 11.
I can see the js library in the trino plugin runtime dir:
[cid:image001.png@01D988BF.B1239310]
However the problem still persists. I think that is due to the lack of entries
in the “nameAssociations” map in ScriptEngineManager.
How I do set that?
Also I noticed that the return Boolean of isMatched in
RangerScriptConditionEvaluator is set optimistically to true at the start of
the method and not set to false in case of script failure:
} else {
String conditionType = condition != null ? condition.getType() : null;
LOG.error("failed to evaluate condition '" + conditionType + "': script
engine not found");
}
This cases the check to succeed independently by the positive satisfaction of
the condition, therefore granting access to the user.
A
Regards,
Antonio Rotondi
IA Architecture
+44 20 7883 6099 (*443 6099)
-Original Message-
From: Madhan Neethiraj mailto:mad...@apache.org>>
Sent: 16 May 2023 22:34
To: dev@ranger.apache.org; Rotondi, Antonio (RAGD
9) mailto:antonio.roto...@credit-suisse.com>>
Subject: Re: Issue with abac on trino plugin
Hello Antonio,
If the JDK version running Trino is JDK 15 or later, libraries org.graalvm.js
and org.graalvm.js-scriptengine (along with their dependencies) must be
included in the plugin.
Currently there is no maven profile to build Ranger for a specific JDK version,
like JDK15. Until this is in place, you can uncomment following blocks in
agents-common/pom.xml and build Trino plugin.
https://urldefense.com/v3/__https://github.com/apache/ranger/blob/release-ranger-2.4.0/agents-common/pom.xml*L155__;Iw!!KXPsTJeyZY4CYP7Aps0!5TefpaJ2ZbDN9yI4Z9SN9vCqwPfjLX1zBOgxKCD3CwmoI_jRaD7Fr6QuR7Fz_lIO0XTO7OwU_eSdTaNGMY760nKy$
:
Hope this helps.
Madhan
On 5/16/23, 3:18 AM, "Rotondi, Antonio"
mailto:antonio.roto...@credit-suisse.com.inva>LID>
wrote:
Hello to everyone.
We have built 2.4.0 from source code and deployed to open shift ranger and its
trino plugin into our trino cluster.
We are enriching users with attributes taken from ldap by the synchuser.
When setting a row level policy in ranger, using a user attribute in the
condition, it will fail with
ERROR - failed to initialize condition '_expression': script engine
'JavaScript' was not created
I will need to debug this but if you have some advise it will be greately
welcome.
On thing important to report here is: even if the policy fails, permissions to
the data are still granted!
I assume this not to be the intended behaviour.
Al lthe best,
Antonio Rotondi
=
Please access the attached hyperlink for an important electronic communications
disclaimer:
http://www.credit-suisse.com/legal/en/disclaimer_email_ib.html
California residents, click here
https://www.credit-suisse.com/us/en/legal/privacy-statement.html
for information on your privacy rights. For other regions, unless otherwise
specified, locate the
privacy policy at the bottom of your country page
https://www.credit-suisse.com/global/en.html
RE: Issue with abac on trino plugin
Hi Madhan,
Thanks for your reply.
I applied the required change. I had to add the library to the trino plugin
distro assembly as well and remove the nashorn one from the code base as there
is not a version of that library for jdk>= 11.
I can see the js library in the trino plugin runtime dir:
[cid:image001.png@01D988BB.4FA278D0]
However the problem still persists. I think that is due to the lack of entries
in the “nameAssociations” map in ScriptEngineManager.
How I do set that?
Also I noticed that the return Boolean of isMatched in
RangerScriptConditionEvaluator is set optimistically to true at the start of
the method and not set to false in case of script failure:
} else {
String conditionType = condition != null ? condition.getType() : null;
LOG.error("failed to evaluate condition '" + conditionType + "': script
engine not found");
}
This cases the check to succeed independently by the positive satisfaction of
the condition, therefore granting access to the user.
A
Regards,
Antonio Rotondi
IA Architecture
+44 20 7883 6099 (*443 6099)
-Original Message-
From: Madhan Neethiraj mailto:mad...@apache.org>>
Sent: 16 May 2023 22:34
To: dev@ranger.apache.org; Rotondi, Antonio (RAGD
9) mailto:antonio.roto...@credit-suisse.com>>
Subject: Re: Issue with abac on trino plugin
Hello Antonio,
If the JDK version running Trino is JDK 15 or later, libraries org.graalvm.js
and org.graalvm.js-scriptengine (along with their dependencies) must be
included in the plugin.
Currently there is no maven profile to build Ranger for a specific JDK version,
like JDK15. Until this is in place, you can uncomment following blocks in
agents-common/pom.xml and build Trino plugin.
https://urldefense.com/v3/__https://github.com/apache/ranger/blob/release-ranger-2.4.0/agents-common/pom.xml*L155__;Iw!!KXPsTJeyZY4CYP7Aps0!5TefpaJ2ZbDN9yI4Z9SN9vCqwPfjLX1zBOgxKCD3CwmoI_jRaD7Fr6QuR7Fz_lIO0XTO7OwU_eSdTaNGMY760nKy$
:
Hope this helps.
Madhan
On 5/16/23, 3:18 AM, "Rotondi, Antonio"
mailto:antonio.roto...@credit-suisse.com.inva>LID>
wrote:
Hello to everyone.
We have built 2.4.0 from source code and deployed to open shift ranger and its
trino plugin into our trino cluster.
We are enriching users with attributes taken from ldap by the synchuser.
When setting a row level policy in ranger, using a user attribute in the
condition, it will fail with
ERROR - failed to initialize condition '_expression': script engine
'JavaScript' was not created
I will need to debug this but if you have some advise it will be greately
welcome.
On thing important to report here is: even if the policy fails, permissions to
the data are still granted!
I assume this not to be the intended behaviour.
Al lthe best,
Antonio Rotondi
=
Please access the attached hyperlink for an important electronic communications
disclaimer:
http://www.credit-suisse.com/legal/en/disclaimer_email_ib.html
California residents, click here
https://www.credit-suisse.com/us/en/legal/privacy-statement.html
for information on your privacy rights. For other regions, unless otherwise
specified, locate the
privacy policy at the bottom of your country page
https://www.credit-suisse.com/global/en.html
,
where applicable.
=
=
Please access the attached hyperlink for an important electronic communications
disclaimer:
http://www.credit-suisse.com/legal/en/disclaimer_email_ib.html
California residents, click here
https://www.credit-suisse.com/us/en/legal/privacy-statement.html
for information on your privacy rights. For other regions, unless otherwise
specified, locate the
privacy policy at the bottom of your country page
https://www.credit-suisse.com/global/en.html,
where applicable.
=
[jira] [Updated] (RANGER-4103) [Ranger-react] Fix for improving logout mechanism in Ranger react code base.
[ https://issues.apache.org/jira/browse/RANGER-4103?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Dhaval Rajpara updated RANGER-4103: --- Summary: [Ranger-react] Fix for improving logout mechanism in Ranger react code base. (was: [Ranger-react] Fix for improving logout mechanism in Ranger react code base) > [Ranger-react] Fix for improving logout mechanism in Ranger react code base. > > > Key: RANGER-4103 > URL: https://issues.apache.org/jira/browse/RANGER-4103 > Project: Ranger > Issue Type: Bug > Components: Ranger >Reporter: Dhaval Rajpara >Assignee: Dhaval Rajpara >Priority: Major > Labels: ranger-react > > While logout to react UI "Something went wrong" Page appear and than login > page come -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-4103) [Ranger-react]Something went wrong page display while log out.
[ https://issues.apache.org/jira/browse/RANGER-4103?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Dhaval Rajpara updated RANGER-4103: --- Attachment: (was: 0001-RANGER-4103.patch) > [Ranger-react]Something went wrong page display while log out. > -- > > Key: RANGER-4103 > URL: https://issues.apache.org/jira/browse/RANGER-4103 > Project: Ranger > Issue Type: Bug > Components: Ranger >Reporter: Dhaval Rajpara >Assignee: Dhaval Rajpara >Priority: Major > Labels: ranger-react > > While logout to react UI "Something went wrong" Page appear and than login > page come -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-4103) [Ranger-react] Fix for improving logout mechanism in Ranger react code base
[ https://issues.apache.org/jira/browse/RANGER-4103?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Dhaval Rajpara updated RANGER-4103: --- Summary: [Ranger-react] Fix for improving logout mechanism in Ranger react code base (was: [Ranger-react]Something went wrong page display while log out.) > [Ranger-react] Fix for improving logout mechanism in Ranger react code base > --- > > Key: RANGER-4103 > URL: https://issues.apache.org/jira/browse/RANGER-4103 > Project: Ranger > Issue Type: Bug > Components: Ranger >Reporter: Dhaval Rajpara >Assignee: Dhaval Rajpara >Priority: Major > Labels: ranger-react > > While logout to react UI "Something went wrong" Page appear and than login > page come -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (RANGER-4241) Fix sql patch 65 syntax issue for oracle db
[ https://issues.apache.org/jira/browse/RANGER-4241?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17723408#comment-17723408 ] Pradeep Agrawal commented on RANGER-4241: - Commit link : https://github.com/apache/ranger/commit/d1a5ee36ac458fe9f87e7e6a5ae320a74c09f703 > Fix sql patch 65 syntax issue for oracle db > --- > > Key: RANGER-4241 > URL: https://issues.apache.org/jira/browse/RANGER-4241 > Project: Ranger > Issue Type: Bug > Components: Ranger >Affects Versions: 3.0.0, 2.4.0 >Reporter: Pradeep Agrawal >Assignee: Pradeep Agrawal >Priority: Major > Fix For: 3.0.0, 2.4.1 > > Attachments: > 0001-RANGER-4241-Fix-sql-patch-65-syntax-issue-for-oracle.patch > > -- This message was sent by Atlassian Jira (v8.20.10#820010)
Re: Review Request 74434: DOC SITE : Recent revamp of doc site has some issues when accessed via mobile or ipad
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/74434/#review225462 --- Ship it! Ship It! - Dhaval Rajpara On May 17, 2023, 4:56 a.m., stalin nadar wrote: > > --- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/74434/ > --- > > (Updated May 17, 2023, 4:56 a.m.) > > > Review request for ranger, Brijesh Bhalala, Dhaval Rajpara, Dharmesh Makwana, > Nitin Galave, and Selvamohan Neethiraj. > > > Bugs: RANGER-4233 > https://issues.apache.org/jira/browse/RANGER-4233 > > > Repository: ranger > > > Description > --- > > The documentation website has recently undergone a revamp, but it seems to > have some issues when accessed via mobile devices or iPads. The issues could > be related to the website's layout making it difficult for users to access > the site's content or navigate through it on smaller screens. > > > Diffs > - > > docs/src/site/resources/css/custom.css a0592ced5 > > > Diff: https://reviews.apache.org/r/74434/diff/1/ > > > Testing > --- > > I have used the Chrome Developer Tools to simulate accessing the website on > different screen sizes, including those of mobile phones and tablets. > > > Thanks, > > stalin nadar > >
Re: Review Request 74431: Add flag based support for mounting db volume in dev-support scripts
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/74431/ --- (Updated May 17, 2023, 9:44 a.m.) Review request for ranger and Jai Patel. Repository: ranger Description --- Currently, the DB which gets used via dev-support scripts is not mounted to any local storage. As a result, we lose all data if docker containers are shutdown and brought up again. Raising this ticket to have a flag based support for mounting the db volumes. Diffs (updated) - dev-support/ranger-docker/.env 3f795abde dev-support/ranger-docker/docker-compose.ranger-postgres-mounted.yml PRE-CREATION ranger_in_docker 2057bde3e Diff: https://reviews.apache.org/r/74431/diff/5/ Changes: https://reviews.apache.org/r/74431/diff/4-5/ Testing --- tested and verified in UI. mounted db changes are visible Thanks, Mohit Ambalkar
[jira] [Commented] (RANGER-3921) User with DROP ACL on "db=dummy; table=*; column=*" can do drop table and database.
[
https://issues.apache.org/jira/browse/RANGER-3921?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17723393#comment-17723393
]
Mohit Ambalkar commented on RANGER-3921:
*Ideally column level does not support drop condition*
The policy above applied is inappropriate so try without drop condition which
could satisfy ur use case [~kirbyzhou]
> User with DROP ACL on "db=dummy; table=*; column=*" can do drop table and
> database.
> ---
>
> Key: RANGER-3921
> URL: https://issues.apache.org/jira/browse/RANGER-3921
> Project: Ranger
> Issue Type: Bug
> Components: plugins
>Affects Versions: 3.0.0, 2.3.0, 2.4.0
>Reporter: kirby zhou
>Assignee: Mohit Ambalkar
>Priority: Major
>
> In agents-common/src/test/resources/policyengine/test_policyengine_hive.json,
> we have hive policy:
> {code:java}
> {"id":8,"name":"db=dummy; table=*;
> column=*","isEnabled":true,"isAuditEnabled":true,
> "resources":{"database":{"values":["dummy"]},"table":{"values":["*"]},"column":{"values":["*"]}},
> "policyItems":[
> {"accesses":[{"type":"create","isAllowed":true},{"type":"update","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["user1","user2"],"groups":[],"delegateAdmin":false}
> ],
> "allowExceptions":[
> {"accesses":[{"type":"create","isAllowed":true},
> {"type":"update","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false},
> {"accesses":[{"type":"create","isAllowed":true},
> {"type":"update","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false}
> ]
> } {code}
> According to the general understanding, this is given the permission of
> column level, rather than the permission of table level or database level.
>
> But these 2 new test case can pass:
> {code:java}
> {"name":"ALLOW 'drop dummy/*;' for user1",
> "request":{
> "resource":{"elements":{"database":"dummy", "table": "dummy"}},
>
> "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop
> dummy/dummy for user1"
> },
> "result":{"isAudited":true,"isAllowed":true,"policyId":8}
> }
> ,
> {"name":"ALLOW 'drop dummy;' for user1",
> "request":{
> "resource":{"elements":{"database":"dummy"}},
>
> "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop
> dummy for user1"
> },
> "result":{"isAudited":true,"isAllowed":true,"policyId":8}
> } ,
> {"name":"ALLOW 'drop dummy/udf=dummy;' for user1",
> "request":{
> "resource":{"elements":{"database":"dummy", "udf":"dummy"}},
>
> "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop
> dummy for user1"
> },
> "result":{"isAudited":false,"isAllowed":true,"policyId":8}
> } {code}
>
> This doesn't seem reasonable. A user who can not drop UDF, but can drop whole
> database.
>
> Or can someone tell me how to only give users column-level permissions
> without involving table or database?
>
>
>
>
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Comment Edited] (RANGER-3884) POST request to /service/xusers/permission/user API results in ERROR_DUPLICATE_OBJECT error
[
https://issues.apache.org/jira/browse/RANGER-3884?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17722714#comment-17722714
]
Mohit Ambalkar edited comment on RANGER-3884 at 5/17/23 9:09 AM:
-
*[~abhishek.patil] Can you try with put request instead of post*
** API :[http://localhost:6080/service/xusers/permission/4]
Json body:
{
"id": 4,
"createDate": "2023-04-26T04:58:41Z",
"updateDate": "2023-05-04T08:48:17Z",
"userId": 21,
"userName" :"temp4",
"owner": "Admin",
"groupPermList": [],
"isAllowed": 1,
"loginId" : "admin",
"module": "Audit",
"updatedBy": "Admin",
"url": "",
"userPermList": [
{ "userId": 21, "moduleId": 4, "isAllowed": 1 }
]
}
When we grant audit permission to a new user, an object is created in the
x_module_perm table. When we later make changes to the same user, only the
attribute values are allowed to change. If permission is denied, the value is
set to 0. If permission is granted, the value changes to 1.
However, when we remove the permission, the object with the user ID and module
ID is not deleted from the x_module_perm table. Only the ‘is allowed’ attribute
value is changed. Consequently, when we use a POST method, it checks every time
whether the object with the given user ID and module ID is present or not. This
leads to the following error:
{ "statusCode": 1, "msgDesc": "User with ID [76] is already assigned to the
module with ID [4]", "messageList": [
{ "name": "ERROR_DUPLICATE_OBJECT", "rbKey": "xa.error.duplicate_object",
"message": "Error creating duplicate object" }
]}
Therefore, can you try using PUT request and see if satisfies your use-case
was (Author: JIRAUSER299721):
*Can you try with put request instead of post*
** API :[http://localhost:6080/service/xusers/permission/4]
Json body:
{
"id": 4,
"createDate": "2023-04-26T04:58:41Z",
"updateDate": "2023-05-04T08:48:17Z",
"userId": 21,
"userName" :"temp4",
"owner": "Admin",
"groupPermList": [],
"isAllowed": 1,
"loginId" : "admin",
"module": "Audit",
"updatedBy": "Admin",
"url": "",
"userPermList": [
{
"userId": 21,
"moduleId": 4,
"isAllowed": 1
}
]
}
When we grant audit permission to a new user, an object is created in the
x_module_perm table. When we later make changes to the same user, only the
attribute values are allowed to change. If permission is denied, the value is
set to 0. If permission is granted, the value changes to 1.
However, when we remove the permission, the object with the user ID and module
ID is not deleted from the x_module_perm table. Only the ‘is allowed’ attribute
value is changed. Consequently, when we use a POST method, it checks every time
whether the object with the given user ID and module ID is present or not. This
leads to the following error:
{"statusCode": 1,"msgDesc": "User with ID [76] is already assigned to
the module with ID [4]","messageList": [{"name":
"ERROR_DUPLICATE_OBJECT","rbKey": "xa.error.duplicate_object",
"message": "Error creating duplicate object"}]}
Therefore, can you try using PUT request and see if satisfies your use-case
> POST request to /service/xusers/permission/user API results in
> ERROR_DUPLICATE_OBJECT error
> ---
>
> Key: RANGER-3884
> URL: https://issues.apache.org/jira/browse/RANGER-3884
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
>Reporter: Abhishek
>Assignee: Mohit Ambalkar
>Priority: Major
>
> When a POST request is made to the url
> \{RANGER_ADMIN_URL}//service/xusers/permission/user to assign permission on a
> module to a user for the first time, the API works as expected and the
> permission is
> assigned to the user on the module.
> But when the permission on the module is removed for the user from the UI,
> and a POST request is made again to assign permission on the same module for
> the same user, it results in the following error
> {code:java|bgColor=#f4f5f7}
> {"statusCode": 1,"msgDesc": "User with ID [76] is already assigned to
> the module with ID [4]","messageList": [{"name":
> "ERROR_DUPLICATE_OBJECT","rbKey": "xa.error.duplicate_object",
> "message": "Error creating duplicate object"}]} {code}
> *Steps to reproduce:-*
> 1. Create a new user in Ranger Admin
> 2. Make the following POST request using the newly created user's user id and
> username with the following payload
> {code:java|bgColor=#f4f5f7}
> { "userId" : new_user_user_id, "moduleId" : 4, "isAllowed" : 1,
> "userName" : new_user_username, "moduleName" : "Audits", "loginId
RE: [jira] [Commented] (RANGER-3751) ElasticSearch Audit shows wrong date on Ranger-admin UI
I can confirm this.
Regards,
Antonio Rotondi
IA Architecture
-Original Message-
From: Anatoly (Jira)
Sent: 17 May 2023 08:12
To: dev@ranger.apache.org
Subject: [jira] [Commented] (RANGER-3751) ElasticSearch Audit shows wrong date
on Ranger-admin UI
[
https://urldefense.com/v3/__https://issues.apache.org/jira/browse/RANGER-3751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17723369*comment-17723369__;Iw!!KXPsTJeyZY4CYP7Aps0!62GL8LNTAoIIett4LgkS8q1w4RFZwVuy3vVRz4qfaDDBn6mX_fOv08_n2ahTdgvpVnlLwS-jsoOp0TP_zkUBXg$
]
Anatoly commented on RANGER-3751:
-
version 2.4.0 also has this bug
> ElasticSearch Audit shows wrong date on Ranger-admin UI
> ---
>
> Key: RANGER-3751
> URL:
> https://urldefense.com/v3/__https://issues.apache.org/jira/browse/RANGER-3751__;!!KXPsTJeyZY4CYP7Aps0!62GL8LNTAoIIett4LgkS8q1w4RFZwVuy3vVRz4qfaDDBn6mX_fOv08_n2ahTdgvpVnlLwS-jsoOp0TOFJxSGUw$
>
> Project: Ranger
> Issue Type: Bug
> Components: admin, audit
>Affects Versions: 3.0.0, 2.3.0
>Reporter: Aakash Nand
>Priority: Major
> Attachments: admin-ui-audit-screen.png
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Recently AmazonCloudWatch support was added to the audit module in this
> commit.
> However, this commit also changed the _toDate_ method of
> _ElasticSearchAccessAuditsService.java_ because of which the event time on
> the Audit screen is showing the wrong date from 1970. The error stack is as
> follows:
> {noformat}
> 2022-05-08 07:04:22,887 [http-nio-6080-exec-6] ERROR [MiscUtil.java:938]
> Error converting value to date. Value = 2022-05-08T06:42:01.621Z
> java.lang.IllegalArgumentException: null
> at java.base/java.util.Date.parse(Date.java:616)
> at java.base/java.util.Date.(Date.java:274)
> at org.apache.ranger.audit.provider.MiscUtil.toDate(MiscUtil.java:936)
> at
> org.apache.ranger.elasticsearch.ElasticSearchAccessAuditsService.populateViewBean(ElasticSearchAccessAuditsService.java:260)
> at
> org.apache.ranger.elasticsearch.ElasticSearchAccessAuditsService.searchXAccessAudits(ElasticSearchAccessAuditsService.java:95)
> at org.apache.ranger.biz.AssetMgr.getAccessLogs(AssetMgr.java:1139)
> at org.apache.ranger.rest.AssetREST.getAccessLogs(AssetREST.java:672)
> at
> org.apache.ranger.rest.AssetREST$$FastClassBySpringCGLIB$$8cffcb6d.invoke()
> at
> org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
> at
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:793)
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
> at
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:763)
> at
> org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:61)
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
> at
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:763)
> at
> org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:123){noformat}
>
>
> The screenshot shows the erroneous date on ranger-admin
>
> Please refer:
> https://urldefense.com/v3/__https://github.com/apache/ranger/commit/71744d3ff8e0db7f0a49881a891e77edf0ea518d*r73132360__;Iw!!KXPsTJeyZY4CYP7Aps0!62GL8LNTAoIIett4LgkS8q1w4RFZwVuy3vVRz4qfaDDBn6mX_fOv08_n2ahTdgvpVnlLwS-jsoOp0TOuUPaOuw$
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
=
Please access the attached hyperlink for an important electronic communications
disclaimer:
http://www.credit-suisse.com/legal/en/disclaimer_email_ib.html
California residents, click here
https://www.credit-suisse.com/us/en/legal/privacy-statement.html
for information on your privacy rights. For other regions, unless otherwise
specified, locate the
privacy policy at the bottom of your country page
https://www.credit-suisse.com/global/en.html,
where applicable.
=
[jira] [Commented] (RANGER-3751) ElasticSearch Audit shows wrong date on Ranger-admin UI
[
https://issues.apache.org/jira/browse/RANGER-3751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17723369#comment-17723369
]
Anatoly commented on RANGER-3751:
-
version 2.4.0 also has this bug
> ElasticSearch Audit shows wrong date on Ranger-admin UI
> ---
>
> Key: RANGER-3751
> URL: https://issues.apache.org/jira/browse/RANGER-3751
> Project: Ranger
> Issue Type: Bug
> Components: admin, audit
>Affects Versions: 3.0.0, 2.3.0
>Reporter: Aakash Nand
>Priority: Major
> Attachments: admin-ui-audit-screen.png
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Recently AmazonCloudWatch support was added to the audit module in this
> commit.
> However, this commit also changed the _toDate_ method of
> _ElasticSearchAccessAuditsService.java_ because of which the event time on
> the Audit screen is showing the wrong date from 1970. The error stack is as
> follows:
> {noformat}
> 2022-05-08 07:04:22,887 [http-nio-6080-exec-6] ERROR [MiscUtil.java:938]
> Error converting value to date. Value = 2022-05-08T06:42:01.621Z
> java.lang.IllegalArgumentException: null
> at java.base/java.util.Date.parse(Date.java:616)
> at java.base/java.util.Date.(Date.java:274)
> at org.apache.ranger.audit.provider.MiscUtil.toDate(MiscUtil.java:936)
> at
> org.apache.ranger.elasticsearch.ElasticSearchAccessAuditsService.populateViewBean(ElasticSearchAccessAuditsService.java:260)
> at
> org.apache.ranger.elasticsearch.ElasticSearchAccessAuditsService.searchXAccessAudits(ElasticSearchAccessAuditsService.java:95)
> at org.apache.ranger.biz.AssetMgr.getAccessLogs(AssetMgr.java:1139)
> at org.apache.ranger.rest.AssetREST.getAccessLogs(AssetREST.java:672)
> at
> org.apache.ranger.rest.AssetREST$$FastClassBySpringCGLIB$$8cffcb6d.invoke()
> at
> org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
> at
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:793)
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
> at
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:763)
> at
> org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:61)
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
> at
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:763)
> at
> org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:123){noformat}
>
>
> The screenshot shows the erroneous date on ranger-admin
>
> Please refer:
> https://github.com/apache/ranger/commit/71744d3ff8e0db7f0a49881a891e77edf0ea518d#r73132360
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
