Review Request 74500: RANGER-4263 : LookupResource give blank response in new react UI
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74500/
---

Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Harshal Chavan, Kishor Gollapalliwar, Madhan Neethiraj, Mehul Parikh, Mugdha Varadkar, Nitin Galave, Pradeep Agrawal, and Velmurugan Periasamy.

Bugs: RANGER-4263
    https://issues.apache.org/jira/browse/RANGER-4263

Repository: ranger

Description
---

Ranger] : plugins/services/lookupResource give blank response in react API

New react ui hit below api
https://***2/service/plugins/services/lookupResource/cm_solr

request data : without userInput
{"resourceName":"collection","resources":{"collection":[]}}

response :
204 = no content

Ideally default resource should be loaded and below request should be passed by click action
{"userInput": "","resourceName":"collection","resources":{"collection":[]}}

Expected : Default resources should be lookup, if user clicks on dropdown or on text field

2) Add a loader to select 2 options while changing the resource field.
3) If the service definition of resources has singleValue : true then the user is not able to select more than one value.
4) if we enter * in resource value then it will load all the options.

Diffs
---

  security-admin/src/main/webapp/react-webapp/src/views/AuditEvent/AdminLogs/PolicyViewDetails.jsx e5c8bc399
  security-admin/src/main/webapp/react-webapp/src/views/PolicyListing/AddUpdatePolicyForm.jsx a27cbaa28
  security-admin/src/main/webapp/react-webapp/src/views/Resources/ResourceComp.jsx ae46317c1
  security-admin/src/main/webapp/react-webapp/src/views/Resources/ResourceSelectComp.jsx PRE-CREATION

Diff: https://reviews.apache.org/r/74500/diff/1/

Testing
---

1) Build and Verified Ranger Admin setup with these changes.
2) Validated below scenarios on old and new UI:
   1. Tested Resource Based/Tag Based/ KMS Policy CRUD.
   2. Tested Zone & Unzone policy CRUD.
   3. Tested Security zone CRUD with multiple resources set.
3) Attached document regarding testing scenario on JIRA

Thanks,

Dhaval Rajpara
[jira] [Updated] (RANGER-4263) LookupResource give blank response in new react UI
[ https://issues.apache.org/jira/browse/RANGER-4263?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dhaval Rajpara updated RANGER-4263:
---
    Attachment: Ranger_Policies_20230621_093238.xls

> LookupResource give blank response in new react UI
> --
>
> Key: RANGER-4263
> URL: https://issues.apache.org/jira/browse/RANGER-4263
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Anupam Rai
> Assignee: Dhaval Rajpara
> Priority: Major
> Labels: ranger-react
> Attachments: 0001-RANGER-4263.patch, Ranger_Policies_20230621_093238.xls
>
>
> Ranger] : plugins/services/lookupResource give blank response in react API
> New react ui hit below api
> [https://***2/service/plugins/services/lookupResource/cm_solr|https://quasar-wqeuts-1.quasar-wqeuts.root.hwx.site:6182/service/plugins/services/lookupResource/cm_solr]
> request data : without userInput
> {code:java}
> {"resourceName":"collection","resources":{"collection":[]}}{code}
> response :
> {code:java}
> 204 = no content {code}
> Ideally default resource should be loaded and below request should be passed by click action
> {"userInput": "","resourceName":"collection","resources":\{"collection":[]}}
> Expected : Default resources should be lookup, if user clicks on dropdown or on text field
> 2) Add a loader to select 2 options while changing the resource field.
> 3) If the service definition of resources has singleValue : true then the user is not able to select more than one value.
> 4) if we enter * in resource value then it will load all the options.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (RANGER-3884) POST request to /service/xusers/permission/user API results in ERROR_DUPLICATE_OBJECT error
[ https://issues.apache.org/jira/browse/RANGER-3884?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17737601#comment-17737601 ]

Mohit Ambalkar commented on RANGER-3884:

[~abhishek.patil] Assigning you to check this issue and let me know if you are still able to reproduce this issue

> POST request to /service/xusers/permission/user API results in ERROR_DUPLICATE_OBJECT error
> ---
>
> Key: RANGER-3884
> URL: https://issues.apache.org/jira/browse/RANGER-3884
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Abhishek
> Assignee: Abhishek
> Priority: Major
>
> When a POST request is made to the url \{RANGER_ADMIN_URL}//service/xusers/permission/user to assign permission on a module to a user for the first time, the API works as expected and the permission is assigned to the user on the module.
> But when the permission on the module is removed for the user from the UI, and a POST request is made again to assign permission on the same module for the same user, it results in the following error
> {code:java|bgColor=#f4f5f7}
> {"statusCode": 1,"msgDesc": "User with ID [76] is already assigned to the module with ID [4]","messageList": [{"name": "ERROR_DUPLICATE_OBJECT","rbKey": "xa.error.duplicate_object", "message": "Error creating duplicate object"}]}
> {code}
> *Steps to reproduce:-*
> 1. Create a new user in Ranger Admin
> 2. Make the following POST request using the newly created user's user id and username with the following payload
> {code:java|bgColor=#f4f5f7}
> { "userId" : new_user_user_id, "moduleId" : 4, "isAllowed" : 1, "userName" : new_user_username, "moduleName" : "Audits", "loginId" : new_user_username}
> {code}
> 3. The user will be granted permissions on the Audits module
> 4. Go to the UI, remove the permissions for the user on the Audits module
> 5. Then make a POST request to the same REST endpoint with the same payload.
> Since the user did not have permissions on the Audits module, the user should have been granted access on the Audits module, but it results in the following error
> {code:java|bgColor=#f4f5f7}
> {"statusCode": 1,"msgDesc": "User with ID [127] is already assigned to the module with ID [4]","messageList": [{"name": "ERROR_DUPLICATE_OBJECT","rbKey": "xa.error.duplicate_object", "message": "Error creating duplicate object"}]}
> {code}
> Also, the user id in the error message is always user_id_in_payload - 2.
[jira] [Commented] (RANGER-3921) User with DROP ACL on "db=dummy; table=*; column=*" can do drop table and database.
[ https://issues.apache.org/jira/browse/RANGER-3921?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17737598#comment-17737598 ]

Mohit Ambalkar commented on RANGER-3921:

[~kirbyzhou] assigning you to check this issue and let me know if you are still able to reproduce the issue

> User with DROP ACL on "db=dummy; table=*; column=*" can do drop table and database.
> ---
>
> Key: RANGER-3921
> URL: https://issues.apache.org/jira/browse/RANGER-3921
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 3.0.0, 2.3.0, 2.4.0
> Reporter: kirby zhou
> Assignee: kirby zhou
> Priority: Major
>
> In agents-common/src/test/resources/policyengine/test_policyengine_hive.json, we have hive policy:
> {code:java}
> {"id":8,"name":"db=dummy; table=*; column=*","isEnabled":true,"isAuditEnabled":true,
>  "resources":{"database":{"values":["dummy"]},"table":{"values":["*"]},"column":{"values":["*"]}},
>  "policyItems":[
>    {"accesses":[{"type":"create","isAllowed":true},{"type":"update","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["user1","user2"],"groups":[],"delegateAdmin":false}
>  ],
>  "allowExceptions":[
>    {"accesses":[{"type":"create","isAllowed":true}, {"type":"update","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false},
>    {"accesses":[{"type":"create","isAllowed":true}, {"type":"update","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false}
>  ]
> } {code}
> According to the general understanding, this is given the permission of column level, rather than the permission of table level or database level.
>
> But these 2 new test case can pass:
> {code:java}
> {"name":"ALLOW 'drop dummy/*;' for user1",
>  "request":{
>    "resource":{"elements":{"database":"dummy", "table": "dummy"}},
>    "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop dummy/dummy for user1"
>  },
>  "result":{"isAudited":true,"isAllowed":true,"policyId":8}
> }
> ,
> {"name":"ALLOW 'drop dummy;' for user1",
>  "request":{
>    "resource":{"elements":{"database":"dummy"}},
>    "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop dummy for user1"
>  },
>  "result":{"isAudited":true,"isAllowed":true,"policyId":8}
> } ,
> {"name":"ALLOW 'drop dummy/udf=dummy;' for user1",
>  "request":{
>    "resource":{"elements":{"database":"dummy", "udf":"dummy"}},
>    "accessType":"drop","user":"user1","userGroups":["users"],"requestData":"drop dummy for user1"
>  },
>  "result":{"isAudited":false,"isAllowed":true,"policyId":8}
> } {code}
>
> This doesn't seem reasonable. A user who can not drop UDF, but can drop whole database.
>
> Or can someone tell me how to only give users column-level permissions without involving table or database?
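The outcome reported in RANGER-3921 above, reproduced with a small model of policy matching (an added example, not Ranger's policy engine code and not part of the original message). It assumes that a resource level omitted from the request matches when the policy value for that level is `*`, and that an allow exception cancels a matching allow item; `resource_matches`, `granted`, `is_allowed` and `implicit_ancestor_grants` are names made up for this example.

```python
import json
from fnmatch import fnmatchcase

# Levels modelled here; other Hive resource types (e.g. udf) are out of scope.
HIERARCHY = ["database", "table", "column"]

# Policy 8 as quoted in RANGER-3921 (whitespace compacted).
POLICY = json.loads("""
{"id":8,"name":"db=dummy; table=*; column=*","isEnabled":true,"isAuditEnabled":true,
 "resources":{"database":{"values":["dummy"]},"table":{"values":["*"]},"column":{"values":["*"]}},
 "policyItems":[{"accesses":[{"type":"create","isAllowed":true},{"type":"update","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["user1","user2"],"groups":[],"delegateAdmin":false}],
 "allowExceptions":[{"accesses":[{"type":"create","isAllowed":true},{"type":"update","isAllowed":true}],"users":["user1"],"groups":[],"delegateAdmin":false},
  {"accesses":[{"type":"create","isAllowed":true},{"type":"update","isAllowed":true},{"type":"drop","isAllowed":true}],"users":["user2"],"groups":[],"delegateAdmin":false}]}
""")


def resource_matches(policy, elements):
    """Assumed model: a level named in the request must match a policy value;
    a level the request omits matches only when the policy value is '*'."""
    for level in HIERARCHY:
        values = policy["resources"][level]["values"]
        if level in elements:
            if not any(fnmatchcase(elements[level], v) for v in values):
                return False
        elif "*" not in values:
            return False
    return True


def granted(items, user, access):
    """True if any item lists `user` with `access` allowed."""
    return any(
        user in item["users"]
        and any(a["type"] == access and a["isAllowed"] for a in item["accesses"])
        for item in items
    )


def is_allowed(policy, user, access, elements):
    if not policy["isEnabled"] or not resource_matches(policy, elements):
        return False
    # Assumed semantics: an allow exception cancels a matching allow item.
    return (granted(policy["policyItems"], user, access)
            and not granted(policy.get("allowExceptions", []), user, access))


def implicit_ancestor_grants(policy, access):
    """List (user, level) pairs where a policy written down to column level
    also allows `access` on a request that stops at a higher level."""
    users = sorted({u for item in policy["policyItems"] for u in item["users"]})
    findings = []
    for depth in range(1, len(HIERARCHY)):
        # Build a request that names only the first `depth` levels.
        elements = {}
        for level in HIERARCHY[:depth]:
            value = policy["resources"][level]["values"][0]
            elements[level] = "any" if value == "*" else value
        for user in users:
            if is_allowed(policy, user, access, elements):
                findings.append((user, HIERARCHY[depth - 1]))
    return findings


if __name__ == "__main__":
    for user, level in implicit_ancestor_grants(POLICY, "drop"):
        print(f"{user}: drop allowed on a {level}-level request by policy {POLICY['id']}")
```

Run over exported policies, the same check flags column-level policies whose trailing `*` levels also cover database- or table-level requests for a given access type.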
[jira] [Assigned] (RANGER-3921) User with DROP ACL on "db=dummy; table=*; column=*" can do drop table and database.
[ https://issues.apache.org/jira/browse/RANGER-3921?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mohit Ambalkar reassigned RANGER-3921:
--
    Assignee: kirby zhou (was: Mohit Ambalkar)
[jira] [Resolved] (RANGER-4037) Audits are not getting generated for policy enforcement works based on policy condition
[ https://issues.apache.org/jira/browse/RANGER-4037?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Siddhant Sontakke resolved RANGER-4037.
---
    Resolution: Fixed

> Audits are not getting generated for policy enforcement works based on policy condition
> ---
>
> Key: RANGER-4037
> URL: https://issues.apache.org/jira/browse/RANGER-4037
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Anupam Rai
> Assignee: Siddhant Sontakke
> Priority: Major
> Attachments: Ranger - 4037 ticket testing.pdf
>
>
> Audits are not getting generated for policy enforcement works based on policy condition :
> RangerNoneOfExpectedTagsPresentConditionEvaluator
> Steps to reproduce :
> - Apply policy conditions in service defs
> {code:java}
> "policyConditions": [
>   {
>     "itemId": 1,
>     "name": "all-tag-present",
>     "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerTagsAllPresentConditionEvaluator",
>     "evaluatorOptions": {},
>     "label": "Tags All Present?",
>     "description": "Tags All Present?"
>   },
>   {
>     "itemId": 2,
>     "name": "none-of-tag-present",
>     "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerNoneOfExpectedTagsPresentConditionEvaluator",
>     "evaluatorOptions": {},
>     "label": "None of Tags Present?",
>     "description": "None of Tags Present?"
>   },
>   {
>     "itemId": 3,
>     "name": "any-of-tag-present",
>     "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerAnyOfExpectedTagsPresentConditionEvaluator",
>     "evaluatorOptions": {},
>     "label": "Any of Tags Present?",
>     "description": "Any of Tags Present?"
>   } ], {code}
> Add tag based policy for with RangerNoneOfExpectedTagsPresentConditionEvaluator tag including tag which is used to created policy and give hive access to user
> Try access tag related attribute in beeline
> User will be denied and policy is enforced but in audit logs denied policy won't be available.
> Thanks
[jira] [Updated] (RANGER-4263) LookupResource give blank response in new react UI
[ https://issues.apache.org/jira/browse/RANGER-4263?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dhaval Rajpara updated RANGER-4263:
---
    Attachment: 0001-RANGER-4263.patch
[jira] [Assigned] (RANGER-3884) POST request to /service/xusers/permission/user API results in ERROR_DUPLICATE_OBJECT error
[ https://issues.apache.org/jira/browse/RANGER-3884?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mohit Ambalkar reassigned RANGER-3884:
--
    Assignee: Abhishek (was: Mohit Ambalkar)
[jira] [Assigned] (RANGER-4287) Security zone UI: remove validation that mandates at least one service/resource
[ https://issues.apache.org/jira/browse/RANGER-4287?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mohit Ambalkar reassigned RANGER-4287:
--
    Assignee: Mohit Ambalkar

> Security zone UI: remove validation that mandates at least one service/resource
> ---
>
> Key: RANGER-4287
> URL: https://issues.apache.org/jira/browse/RANGER-4287
> Project: Ranger
> Issue Type: Improvement
> Components: admin
> Reporter: Madhan Neethiraj
> Assignee: Mohit Ambalkar
> Priority: Major
>
> RANGER-4286 removed the restriction that a security zone must have at least one service and one resource. UI should be updated to remove this validation, to allow create/update of security zones with no service/resource.
[jira] [Comment Edited] (RANGER-4275) Trino audit not showing access type and client IP
[ https://issues.apache.org/jira/browse/RANGER-4275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17737542#comment-17737542 ]

sneha_surjuse edited comment on RANGER-4275 at 6/27/23 10:10 AM:
-

I have written a method to retrieve the client IP address, but it only returns the container's IP address. I am unable to fetch the local client IP address.

was (Author: JIRAUSER300317):
I have written method for getClientIP but it gives container IpAddress, I do not able to fetch local clientIpAddress.

> Trino audit not showing access type and client IP
> --
>
> Key: RANGER-4275
> URL: https://issues.apache.org/jira/browse/RANGER-4275
> Project: Ranger
> Issue Type: Bug
> Components: audit
> Reporter: sneha_surjuse
> Assignee: sneha_surjuse
> Priority: Major
> Attachments: Screenshot 2023-06-08 at 3.28.08 PM.png, Screenshot 2023-06-08 at 3.33.40 PM.png
>
>
> When working with Trino and reviewing the audit logs, I've noticed that the access type and client IP address information is not displayed, while it's displayed when working with hive.
> I have attached a file below to see the difference
> 1st for Trino
> 2nd for Hive
[jira] [Commented] (RANGER-4275) Trino audit not showing access type and client IP
[ https://issues.apache.org/jira/browse/RANGER-4275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17737542#comment-17737542 ]

sneha_surjuse commented on RANGER-4275:
---

I have written method for getClientIP but it gives container IpAddress, I do not able to fetch local clientIpAddress.
[jira] [Commented] (RANGER-4196) Tomcat metrics collection
[ https://issues.apache.org/jira/browse/RANGER-4196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17737457#comment-17737457 ]

Bhavik Patel commented on RANGER-4196:
--

[~vikkumar] are you working on this?

> Tomcat metrics collection
> --
>
> Key: RANGER-4196
> URL: https://issues.apache.org/jira/browse/RANGER-4196
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Reporter: Vikas Kumar
> Assignee: Vikas Kumar
> Priority: Major
>
> Like "JVM metrics" and other application metrics, Tomcat related metrics would be very useful for following use cases:
> In case client gets "SoketTimeout" or Connection refused errors, having such metrics at server end will really help triaging the issue.
> It should contain following metrics:
> # maxAllowedConnection
> # currentActiveConnectionCount
> # ConnectionTimeout
> # acceptCount
> # maxContainerThreadsCount
> # activeContainerThreadsCount
> # minSpareThreadsCount // corePoolSize
> And other useful metrics.