Review Request 74500: RANGER-4263 : LookupResource give blank response in new react UI
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74500/
---
Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Harshal Chavan,
Kishor Gollapalliwar, Madhan Neethiraj, Mehul Parikh, Mugdha Varadkar, Nitin
Galave, Pradeep Agrawal, and Velmurugan Periasamy.
Bugs: RANGER-4263
https://issues.apache.org/jira/browse/RANGER-4263
Repository: ranger
Description
---
Ranger] : plugins/services/lookupResource give bank response in react API
New react ui hit below api
https://***2/service/plugins/services/lookupResource/cm_solr
request data : without userInput
{"resourceName":"collection","resources":{"collection":[]}}
response :
204 = no content
Ideally default resouce should be loaded and below request should be passed by
click action
{"userInput": "","resourceName":"collection","resources":{"collection":[]}}
Expected : Default resouces should be lookup , If user clicks on dropdown or on
text field
2) Add a loader to select 2 options while changing the resource field.
3) If the service definition of resources has singleValue : true then the user
is not able to select more than one value.
4) if we enter * in resource value then it will load all the options.
Diffs
-
security-admin/src/main/webapp/react-webapp/src/views/AuditEvent/AdminLogs/PolicyViewDetails.jsx
e5c8bc399
security-admin/src/main/webapp/react-webapp/src/views/PolicyListing/AddUpdatePolicyForm.jsx
a27cbaa28
security-admin/src/main/webapp/react-webapp/src/views/Resources/ResourceComp.jsx
ae46317c1
security-admin/src/main/webapp/react-webapp/src/views/Resources/ResourceSelectComp.jsx
PRE-CREATION
Diff: https://reviews.apache.org/r/74500/diff/1/
Testing
---
1)Build and Verified Ranger Admin setup with this changes.
2) Validated below scenarios on old and new UI:
1. Tested Resource Based/Tag Based/ KMS Policy CRUD.
2. Tested Zone & Unzone policy CRUD.
3. Tested Security zone CRUD with multiple resources set.
3) Attached document regarding testing scenario on JIRA
Thanks,
Dhaval Rajpara
[jira] [Updated] (RANGER-4263) LookupResource give blank response in new react UI
[
https://issues.apache.org/jira/browse/RANGER-4263?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dhaval Rajpara updated RANGER-4263:
---
Attachment: Ranger_Policies_20230621_093238.xls
> LookupResource give blank response in new react UI
> --
>
> Key: RANGER-4263
> URL: https://issues.apache.org/jira/browse/RANGER-4263
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
>Reporter: Anupam Rai
>Assignee: Dhaval Rajpara
>Priority: Major
> Labels: ranger-react
> Attachments: 0001-RANGER-4263.patch,
> Ranger_Policies_20230621_093238.xls
>
>
> Ranger] : plugins/services/lookupResource give bank response in react API
> New react ui hit below api
> [https://***2/service/plugins/services/lookupResource/cm_solr|https://quasar-wqeuts-1.quasar-wqeuts.root.hwx.site:6182/service/plugins/services/lookupResource/cm_solr]
> request data : without userInput
> {code:java}
> {"resourceName":"collection","resources":{"collection":[]}}{code}
> response :
> {code:java}
> 204 = no content {code}
> Ideally default resouce should be loaded and below request should be passed
> by click action
> {"userInput": "","resourceName":"collection","resources":\{"collection":[]}}
> Expected : Default resouces should be lookup , If user clicks on dropdown or
> on text field
> 2) Add a loader to select 2 options while changing the resource field.
> 3) If the service definition of resources has singleValue : true then the
> user is not able to select more than one value.
> 4) if we enter * in resource value then it will load all the options.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (RANGER-3884) POST request to /service/xusers/permission/user API results in ERROR_DUPLICATE_OBJECT error
[
https://issues.apache.org/jira/browse/RANGER-3884?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17737601#comment-17737601
]
Mohit Ambalkar commented on RANGER-3884:
[~abhishek.patil] Assigning you to check this issue and let me know if you are
still able to reproduce this issue
> POST request to /service/xusers/permission/user API results in
> ERROR_DUPLICATE_OBJECT error
> ---
>
> Key: RANGER-3884
> URL: https://issues.apache.org/jira/browse/RANGER-3884
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
>Reporter: Abhishek
>Assignee: Abhishek
>Priority: Major
>
> When a POST request is made to the url
> \{RANGER_ADMIN_URL}//service/xusers/permission/user to assign permission on a
> module to a user for the first time, the API works as expected and the
> permission is
> assigned to the user on the module.
> But when the permission on the module is removed for the user from the UI,
> and a POST request is made again to assign permission on the same module for
> the same user, it results in the following error
> {code:java|bgColor=#f4f5f7}
> {"statusCode": 1,"msgDesc": "User with ID [76] is already assigned to
> the module with ID [4]","messageList": [{"name":
> "ERROR_DUPLICATE_OBJECT","rbKey": "xa.error.duplicate_object",
> "message": "Error creating duplicate object"}]} {code}
> *Steps to reproduce:-*
> 1. Create a new user in Ranger Admin
> 2. Make the following POST request using the newly created user's user id and
> username with the following payload
> {code:java|bgColor=#f4f5f7}
> { "userId" : new_user_user_id, "moduleId" : 4, "isAllowed" : 1,
> "userName" : new_user_username, "moduleName" : "Audits", "loginId" :
> new_user_username} {code}
> 3. The user will be granted permissions on the Audits module
> 4. Go to the UI, remove the permissions for the user on the Audits module
> 5. Then make a POST request to the same REST endpoint with the same payload.
> Since the user did not have permissions on the Audits module, the user should
> have
> been granted access on the Audits module, but it results in the following
> error
> {code:java|bgColor=#f4f5f7}
> {"statusCode": 1,"msgDesc": "User with ID [127] is already assigned
> to the module with ID [4]","messageList": [{"name":
> "ERROR_DUPLICATE_OBJECT","rbKey": "xa.error.duplicate_object",
> "message": "Error creating duplicate object"}]} {code}
> Also, the user id in the error message is always user_id_in_payload - 2.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (RANGER-3921) User with DROP ACL on "db=dummy; table=*; column=*" can do drop table and database.
[
https://issues.apache.org/jira/browse/RANGER-3921?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17737598#comment-17737598
]
Mohit Ambalkar commented on RANGER-3921:
[~kirbyzhou] assigning you to check this issue and let me know if you are still
able to reproduce the issue
> User with DROP ACL on "db=dummy; table=*; column=*" can do drop table and
> database.
> ---
>
> Key: RANGER-3921
> URL: https://issues.apache.org/jira/browse/RANGER-3921
> Project: Ranger
> Issue Type: Bug
> Components: plugins
>Affects Versions: 3.0.0, 2.3.0, 2.4.0
>Reporter: kirby zhou
>Assignee: kirby zhou
>Priority: Major
>
> In agents-common/src/test/resources/policyengine/test_policyengine_hive.json,
> we have hive policy:
> {code:java}
> {"id":8,"name":"db=dummy; table=*;
> column=*","isEnabled":true,"isAuditEnabled":true,
> "resources":{"database":{"values":["dummy"]},"table":{"values":["*"]},"column":{"values":["*"]}},
> "policyItems":[
> {"accesses":[{"type":"create","isAllowed":true},{"type":"update","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["user1","user2"],"groups":[],"delegateAdmin":false}
> ],
> "allowExceptions":[
> {"accesses":[{"type":"create","isAllowed":true},
> {"type":"update","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false},
> {"accesses":[{"type":"create","isAllowed":true},
> {"type":"update","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false}
> ]
> } {code}
> According to the general understanding, this is given the permission of
> column level, rather than the permission of table level or database level.
>
> But these 2 new test case can pass:
> {code:java}
> {"name":"ALLOW 'drop dummy/*;' for user1",
> "request":{
> "resource":{"elements":{"database":"dummy", "table": "dummy"}},
>
> "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop
> dummy/dummy for user1"
> },
> "result":{"isAudited":true,"isAllowed":true,"policyId":8}
> }
> ,
> {"name":"ALLOW 'drop dummy;' for user1",
> "request":{
> "resource":{"elements":{"database":"dummy"}},
>
> "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop
> dummy for user1"
> },
> "result":{"isAudited":true,"isAllowed":true,"policyId":8}
> } ,
> {"name":"ALLOW 'drop dummy/udf=dummy;' for user1",
> "request":{
> "resource":{"elements":{"database":"dummy", "udf":"dummy"}},
>
> "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop
> dummy for user1"
> },
> "result":{"isAudited":false,"isAllowed":true,"policyId":8}
> } {code}
>
> This doesn't seem reasonable. A user who can not drop UDF, but can drop whole
> database.
>
> Or can someone tell me how to only give users column-level permissions
> without involving table or database?
>
>
>
>
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Assigned] (RANGER-3921) User with DROP ACL on "db=dummy; table=*; column=*" can do drop table and database.
[
https://issues.apache.org/jira/browse/RANGER-3921?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mohit Ambalkar reassigned RANGER-3921:
--
Assignee: kirby zhou (was: Mohit Ambalkar)
> User with DROP ACL on "db=dummy; table=*; column=*" can do drop table and
> database.
> ---
>
> Key: RANGER-3921
> URL: https://issues.apache.org/jira/browse/RANGER-3921
> Project: Ranger
> Issue Type: Bug
> Components: plugins
>Affects Versions: 3.0.0, 2.3.0, 2.4.0
>Reporter: kirby zhou
>Assignee: kirby zhou
>Priority: Major
>
> In agents-common/src/test/resources/policyengine/test_policyengine_hive.json,
> we have hive policy:
> {code:java}
> {"id":8,"name":"db=dummy; table=*;
> column=*","isEnabled":true,"isAuditEnabled":true,
> "resources":{"database":{"values":["dummy"]},"table":{"values":["*"]},"column":{"values":["*"]}},
> "policyItems":[
> {"accesses":[{"type":"create","isAllowed":true},{"type":"update","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["user1","user2"],"groups":[],"delegateAdmin":false}
> ],
> "allowExceptions":[
> {"accesses":[{"type":"create","isAllowed":true},
> {"type":"update","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false},
> {"accesses":[{"type":"create","isAllowed":true},
> {"type":"update","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false}
> ]
> } {code}
> According to the general understanding, this is given the permission of
> column level, rather than the permission of table level or database level.
>
> But these 2 new test case can pass:
> {code:java}
> {"name":"ALLOW 'drop dummy/*;' for user1",
> "request":{
> "resource":{"elements":{"database":"dummy", "table": "dummy"}},
>
> "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop
> dummy/dummy for user1"
> },
> "result":{"isAudited":true,"isAllowed":true,"policyId":8}
> }
> ,
> {"name":"ALLOW 'drop dummy;' for user1",
> "request":{
> "resource":{"elements":{"database":"dummy"}},
>
> "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop
> dummy for user1"
> },
> "result":{"isAudited":true,"isAllowed":true,"policyId":8}
> } ,
> {"name":"ALLOW 'drop dummy/udf=dummy;' for user1",
> "request":{
> "resource":{"elements":{"database":"dummy", "udf":"dummy"}},
>
> "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop
> dummy for user1"
> },
> "result":{"isAudited":false,"isAllowed":true,"policyId":8}
> } {code}
>
> This doesn't seem reasonable. A user who can not drop UDF, but can drop whole
> database.
>
> Or can someone tell me how to only give users column-level permissions
> without involving table or database?
>
>
>
>
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Resolved] (RANGER-4037) Audits are not getting generated for policy enforcement works based on policy condition
[
https://issues.apache.org/jira/browse/RANGER-4037?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Siddhant Sontakke resolved RANGER-4037.
---
Resolution: Fixed
> Audits are not getting generated for policy enforcement works based on policy
> condition
>
>
> Key: RANGER-4037
> URL: https://issues.apache.org/jira/browse/RANGER-4037
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
>Reporter: Anupam Rai
>Assignee: Siddhant Sontakke
>Priority: Major
> Attachments: Ranger - 4037 ticket testing.pdf
>
>
> Audits are not getting generated for policy enforcement works based on policy
> condition :
> RangerNoneOfExpectedTagsPresentConditionEvaluator
> Steps to reproduce :
> - Apply policy conditions in service defs
> {code:java}
> "policyConditions": [
> {
> "itemId": 1,
> "name": "all-tag-present",
> "evaluator":
> "org.apache.ranger.plugin.conditionevaluator.RangerTagsAllPresentConditionEvaluator",
> "evaluatorOptions": {},
> "label": "Tags All Present?",
> "description": "Tags All Present?"
> },
> {
> "itemId": 2,
> "name": "none-of-tag-present",
> "evaluator":
> "org.apache.ranger.plugin.conditionevaluator.RangerNoneOfExpectedTagsPresentConditionEvaluator",
> "evaluatorOptions": {},
> "label": "None of Tags Present?",
> "description": "None of Tags Present?"
> },
> {
> "itemId": 3,
> "name": "any-of-tag-present",
> "evaluator":
> "org.apache.ranger.plugin.conditionevaluator.RangerAnyOfExpectedTagsPresentConditionEvaluator",
> "evaluatorOptions": {},
> "label": "Any of Tags Present?",
> "description": "Any of Tags Present?"
> } ], {code}
> Add tag based policy for with
> RangerNoneOfExpectedTagsPresentConditionEvaluator tag including tag which is
> used to created policy and give hive access to user
> Try access tag related attribute in beeline
> User will be denied and policy is enforced but in audit logs denied policy
> wont be available .
> Thanks
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Updated] (RANGER-4263) LookupResource give blank response in new react UI
[
https://issues.apache.org/jira/browse/RANGER-4263?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dhaval Rajpara updated RANGER-4263:
---
Attachment: 0001-RANGER-4263.patch
> LookupResource give blank response in new react UI
> --
>
> Key: RANGER-4263
> URL: https://issues.apache.org/jira/browse/RANGER-4263
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
>Reporter: Anupam Rai
>Assignee: Dhaval Rajpara
>Priority: Major
> Labels: ranger-react
> Attachments: 0001-RANGER-4263.patch
>
>
> Ranger] : plugins/services/lookupResource give bank response in react API
> New react ui hit below api
> [https://***2/service/plugins/services/lookupResource/cm_solr|https://quasar-wqeuts-1.quasar-wqeuts.root.hwx.site:6182/service/plugins/services/lookupResource/cm_solr]
> request data : without userInput
> {code:java}
> {"resourceName":"collection","resources":{"collection":[]}}{code}
> response :
> {code:java}
> 204 = no content {code}
> Ideally default resouce should be loaded and below request should be passed
> by click action
> {"userInput": "","resourceName":"collection","resources":\{"collection":[]}}
> Expected : Default resouces should be lookup , If user clicks on dropdown or
> on text field
> 2) Add a loader to select 2 options while changing the resource field.
> 3) If the service definition of resources has singleValue : true then the
> user is not able to select more than one value.
> 4) if we enter * in resource value then it will load all the options.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Assigned] (RANGER-3884) POST request to /service/xusers/permission/user API results in ERROR_DUPLICATE_OBJECT error
[
https://issues.apache.org/jira/browse/RANGER-3884?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mohit Ambalkar reassigned RANGER-3884:
--
Assignee: Abhishek (was: Mohit Ambalkar)
> POST request to /service/xusers/permission/user API results in
> ERROR_DUPLICATE_OBJECT error
> ---
>
> Key: RANGER-3884
> URL: https://issues.apache.org/jira/browse/RANGER-3884
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
>Reporter: Abhishek
>Assignee: Abhishek
>Priority: Major
>
> When a POST request is made to the url
> \{RANGER_ADMIN_URL}//service/xusers/permission/user to assign permission on a
> module to a user for the first time, the API works as expected and the
> permission is
> assigned to the user on the module.
> But when the permission on the module is removed for the user from the UI,
> and a POST request is made again to assign permission on the same module for
> the same user, it results in the following error
> {code:java|bgColor=#f4f5f7}
> {"statusCode": 1,"msgDesc": "User with ID [76] is already assigned to
> the module with ID [4]","messageList": [{"name":
> "ERROR_DUPLICATE_OBJECT","rbKey": "xa.error.duplicate_object",
> "message": "Error creating duplicate object"}]} {code}
> *Steps to reproduce:-*
> 1. Create a new user in Ranger Admin
> 2. Make the following POST request using the newly created user's user id and
> username with the following payload
> {code:java|bgColor=#f4f5f7}
> { "userId" : new_user_user_id, "moduleId" : 4, "isAllowed" : 1,
> "userName" : new_user_username, "moduleName" : "Audits", "loginId" :
> new_user_username} {code}
> 3. The user will be granted permissions on the Audits module
> 4. Go to the UI, remove the permissions for the user on the Audits module
> 5. Then make a POST request to the same REST endpoint with the same payload.
> Since the user did not have permissions on the Audits module, the user should
> have
> been granted access on the Audits module, but it results in the following
> error
> {code:java|bgColor=#f4f5f7}
> {"statusCode": 1,"msgDesc": "User with ID [127] is already assigned
> to the module with ID [4]","messageList": [{"name":
> "ERROR_DUPLICATE_OBJECT","rbKey": "xa.error.duplicate_object",
> "message": "Error creating duplicate object"}]} {code}
> Also, the user id in the error message is always user_id_in_payload - 2.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Assigned] (RANGER-4287) Security zone UI: remove validation that mandates at least one service/resource
[ https://issues.apache.org/jira/browse/RANGER-4287?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mohit Ambalkar reassigned RANGER-4287: -- Assignee: Mohit Ambalkar > Security zone UI: remove validation that mandates at least one > service/resource > --- > > Key: RANGER-4287 > URL: https://issues.apache.org/jira/browse/RANGER-4287 > Project: Ranger > Issue Type: Improvement > Components: admin >Reporter: Madhan Neethiraj >Assignee: Mohit Ambalkar >Priority: Major > > RANGER-4286 removed the restriction that a security zone must have at least > one service and one resource. UI should be updated to remove this validation, > to allow create/update of security zones with no service/resource. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Comment Edited] (RANGER-4275) Trino audit not showing access type and client IP
[ https://issues.apache.org/jira/browse/RANGER-4275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17737542#comment-17737542 ] sneha_surjuse edited comment on RANGER-4275 at 6/27/23 10:10 AM: - I have written a method to retrieve the client IP address, but it only returns the container's IP address. I am unable to fetch the local client IP address. was (Author: JIRAUSER300317): I have written method for getClientIP but it gives container IpAddress, I do not able to fetch local clientIpAddress. > Trino audit not showing access type and client IP > -- > > Key: RANGER-4275 > URL: https://issues.apache.org/jira/browse/RANGER-4275 > Project: Ranger > Issue Type: Bug > Components: audit >Reporter: sneha_surjuse >Assignee: sneha_surjuse >Priority: Major > Attachments: Screenshot 2023-06-08 at 3.28.08 PM.png, Screenshot > 2023-06-08 at 3.33.40 PM.png > > > When working with Trino and reviewing the audit logs, I've noticed that the > access type and client IP address information is not displayed, while its > displayed when working with hive. > I have attached a file below to see the difference > 1st for Trino > 2nd for Hive -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (RANGER-4275) Trino audit not showing access type and client IP
[ https://issues.apache.org/jira/browse/RANGER-4275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17737542#comment-17737542 ] sneha_surjuse commented on RANGER-4275: --- I have written method for getClientIP but it gives container IpAddress, I do not able to fetch local clientIpAddress. > Trino audit not showing access type and client IP > -- > > Key: RANGER-4275 > URL: https://issues.apache.org/jira/browse/RANGER-4275 > Project: Ranger > Issue Type: Bug > Components: audit >Reporter: sneha_surjuse >Assignee: sneha_surjuse >Priority: Major > Attachments: Screenshot 2023-06-08 at 3.28.08 PM.png, Screenshot > 2023-06-08 at 3.33.40 PM.png > > > When working with Trino and reviewing the audit logs, I've noticed that the > access type and client IP address information is not displayed, while its > displayed when working with hive. > I have attached a file below to see the difference > 1st for Trino > 2nd for Hive -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (RANGER-4196) Tomcat metrics collection
[ https://issues.apache.org/jira/browse/RANGER-4196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17737457#comment-17737457 ] Bhavik Patel commented on RANGER-4196: -- [~vikkumar] are you working on this? > Tomcat metrics collection > -- > > Key: RANGER-4196 > URL: https://issues.apache.org/jira/browse/RANGER-4196 > Project: Ranger > Issue Type: Improvement > Components: Ranger >Reporter: Vikas Kumar >Assignee: Vikas Kumar >Priority: Major > > Like "JVM mterics" and other application metrics, Tomcat related metrics > would be very useful for following use cases: > In case client gets "SoketTimeout" or Connection refused errors, having such > metrics at server end will really help triaging the issue. > It should contain following metrics: > # maxAllowedConnection > # currentActiveConnectionCount > # ConnectionTimeout > # acceptCount > # maxContainerThreadsCount > # activeContainerThreadsCount > # minSpareThreadsCount // corePoolSize > And other useful metrics. -- This message was sent by Atlassian Jira (v8.20.10#820010)
