date:20231018

Re: Review Request 74683: RANGER-4484: made security-zones for the resource available in the request context

2023-10-18 Thread Madhan Neethiraj


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74683/
---

(Updated Oct. 19, 2023, 6:31 a.m.)


Review request for ranger, Ankita Sinha, Abhay Kulkarni, Ramesh Mani, and 
Subhrat Chaudhary.


Changes
---

addressed the review comment


Bugs: RANGER-4484
https://issues.apache.org/jira/browse/RANGER-4484


Repository: ranger


Description
---

- updated RangerDefaultRequestProcessor.preProcess() to compute security-zones 
for the accessed resource and store in context
- updated policy evaluation paths to obtain security-zone from the context, 
instead of computing


Diffs (updated)
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
 3373dbae9 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 fd78fd8e0 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
 0df8686e3 
  
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
 6fa75d602 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 b505f495b 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
6799be200 


Diff: https://reviews.apache.org/r/74683/diff/2/

Changes: https://reviews.apache.org/r/74683/diff/1-2/


Testing
---

- verified that all tests pass successfully


Thanks,

Madhan Neethiraj

Re: Review Request 74683: RANGER-4484: made security-zones for the resource available in the request context

2023-10-18 Thread Ramesh Mani


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74683/#review225876
---


Ship it!




Ship It!

- Ramesh Mani


On Oct. 19, 2023, 3:49 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74683/
> ---
> 
> (Updated Oct. 19, 2023, 3:49 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Abhay Kulkarni, Ramesh Mani, and 
> Subhrat Chaudhary.
> 
> 
> Bugs: RANGER-4484
> https://issues.apache.org/jira/browse/RANGER-4484
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - updated RangerDefaultRequestProcessor.preProcess() to compute 
> security-zones for the accessed resource and store in context
> - updated policy evaluation paths to obtain security-zone from the context, 
> instead of computing
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
>  3373dbae9 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  fd78fd8e0 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
>  0df8686e3 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
>  6fa75d602 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
>  b505f495b 
>   
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
> 6799be200 
> 
> 
> Diff: https://reviews.apache.org/r/74683/diff/1/
> 
> 
> Testing
> ---
> 
> - verified that all tests pass successfully
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>

Re: Review Request 74683: RANGER-4484: made security-zones for the resource available in the request context

2023-10-18 Thread Ramesh Mani


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74683/#review225875
---




agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
Lines 278 (patched)


Nit pick: No need of null check, instanceof should be enough.


- Ramesh Mani


On Oct. 19, 2023, 3:49 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74683/
> ---
> 
> (Updated Oct. 19, 2023, 3:49 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Abhay Kulkarni, Ramesh Mani, and 
> Subhrat Chaudhary.
> 
> 
> Bugs: RANGER-4484
> https://issues.apache.org/jira/browse/RANGER-4484
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - updated RangerDefaultRequestProcessor.preProcess() to compute 
> security-zones for the accessed resource and store in context
> - updated policy evaluation paths to obtain security-zone from the context, 
> instead of computing
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
>  3373dbae9 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
>  fd78fd8e0 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
>  0df8686e3 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
>  6fa75d602 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
>  b505f495b 
>   
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
> 6799be200 
> 
> 
> Diff: https://reviews.apache.org/r/74683/diff/1/
> 
> 
> Testing
> ---
> 
> - verified that all tests pass successfully
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>

Re: Review Request 74682: RANGER-4483: added support for NOT_EQUALS in DB queries

2023-10-18 Thread Ramesh Mani


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74682/#review225873
---


Ship it!




Ship It!

- Ramesh Mani


On Oct. 19, 2023, 1:18 a.m., Madhan Neethiraj wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74682/
> ---
> 
> (Updated Oct. 19, 2023, 1:18 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Kishor Gollapalliwar, Abhay 
> Kulkarni, Mehul Parikh, Monika Kachhadiya, Pradeep Agrawal, Prashant Satam, 
> Ramesh Mani, Subhrat Chaudhary, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4483
> https://issues.apache.org/jira/browse/RANGER-4483
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> - updated enum SearchField.SEARCH_TYPE with addition of NOT_EQUALS
> - updated where-clause builder to handle the new enum value
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 
> e8aab9af5 
>   security-admin/src/main/java/org/apache/ranger/common/SearchField.java 
> a53a75cc4 
>   security-admin/src/main/java/org/apache/ranger/common/SearchUtil.java 
> 08002413c 
>   
> security-admin/src/test/java/org/apache/ranger/common/TestRangerSearchUtil.java
>  PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/74682/diff/1/
> 
> 
> Testing
> ---
> 
> - added test cases
> - verified that all existing tests pass successfully
> 
> 
> Thanks,
> 
> Madhan Neethiraj
> 
>

[jira] [Commented] (RANGER-4401) Configurable Graalvm features

2023-10-18 Thread Bhavik Patel (Jira)



[ 
https://issues.apache.org/jira/browse/RANGER-4401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=1018#comment-1018
 ] 

Bhavik Patel commented on RANGER-4401:
--

[~kishor.gollapalliwar] do we have any wiki guidelines to configure the 
required properties ? or you can list down in the Jira.
Also, we have to uncomment this part of code, right? 
https://github.com/apache/ranger/blob/master/agents-common/pom.xml#L167

> Configurable Graalvm features
> -
>
> Key: RANGER-4401
> URL: https://issues.apache.org/jira/browse/RANGER-4401
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Kishor Gollapalliwar
>Assignee: Kishor Gollapalliwar
>Priority: Major
> Fix For: 3.0.0
>
>
> Currently the only way of enabling GraalVm features/ options is by passing 
> JVM options. Which might not be feasible always. Hence we need a plugin 
> config, which will make GraalVm feature enabling configurable.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (RANGER-4484) security-zones for the resource should be available in the request context

2023-10-18 Thread Madhan Neethiraj (Jira)



 [ 
https://issues.apache.org/jira/browse/RANGER-4484?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Madhan Neethiraj updated RANGER-4484:
-
Attachment: RANGER-4484.patch

> security-zones for the resource should be available in the request context
> --
>
> Key: RANGER-4484
> URL: https://issues.apache.org/jira/browse/RANGER-4484
> Project: Ranger
>  Issue Type: Improvement
>  Components: plugins
>Reporter: Madhan Neethiraj
>Assignee: Madhan Neethiraj
>Priority: Major
> Fix For: 3.0.0
>
> Attachments: RANGER-4484.patch
>
>
> While authorizing access to a resource, Ranger policy engine first determines 
> the security-zone in which the resource belongs. This is used by the policy 
> engine to select the policies to use to authorize the access. Having the 
> security-zone stored in the context will be useful for other modules like 
> context enrichers.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Review Request 74683: made security-zones for the resource available in the request context

2023-10-18 Thread Madhan Neethiraj


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74683/
---

Review request for ranger, Ankita Sinha, Abhay Kulkarni, Ramesh Mani, and 
Subhrat Chaudhary.


Bugs: RANGER-4484
https://issues.apache.org/jira/browse/RANGER-4484


Repository: ranger


Description
---

- updated RangerDefaultRequestProcessor.preProcess() to compute security-zones 
for the accessed resource and store in context
- updated policy evaluation paths to obtain security-zone from the context, 
instead of computing


Diffs
-

  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
 3373dbae9 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
 fd78fd8e0 
  
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerRequestScriptEvaluator.java
 0df8686e3 
  
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java
 6fa75d602 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 b505f495b 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
6799be200 


Diff: https://reviews.apache.org/r/74683/diff/1/


Testing
---

- verified that all tests pass successfully


Thanks,

Madhan Neethiraj

[jira] [Commented] (RANGER-4481) Add a configuration item to support Ranger client not using authentication

2023-10-18 Thread Xuze Yang (Jira)



[ 
https://issues.apache.org/jira/browse/RANGER-4481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17776988#comment-17776988
 ] 

Xuze Yang commented on RANGER-4481:
---

Add a configuration item to enable RangerAdminRESTClient's 
getRolesIfUpdated()/getServicePoliciesIfUpdated()/getServiceTagsIfUpdated() use 
unauthenticated http request may involve a large amount of work. Because we 
should add this configuration item in all plugin component's configuration file.

Another way, when the response code was 401, I tried to clear the supported 
cache through java reflection. This has been proven to be feasible.

!4.png!

Now I don't know which modification method is more reasonable, or there are 
other better modification methods.  [~madhan] [~kirbyzhou] 

> Add a configuration item to support Ranger client not using authentication
> --
>
> Key: RANGER-4481
> URL: https://issues.apache.org/jira/browse/RANGER-4481
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 2.1.0
>Reporter: Xuze Yang
>Priority: Major
> Attachments: 1.png, 2.png, 3.png, 4.png
>
>
> As described in RANGER-3602, ranger supports downloading policies and roles 
> through unauthenticated http requests even if kerberos is enabled on the 
> server. 
> But in terms of the current implementation of RangerAdminRESTClient, whether 
> to enable authenticated HTTP requests depends on the service in which it is 
> located. For example, if the Hadoop service has kerberos enabled, then the 
> RangerAdminRESTClient in the HDFS and Yarn plugins will also use 
> authenticated HTTP requests.
> I think this is not reasonable enough. In this case (both the Ranger server 
> and Hadoop are enabled for kerberos), the RangerAdminRESTClient of the HDFS 
> and Yarn plugins should also be allowed to download policies and roles 
> through unauthenticated HTTP requests.
> The reason why I proposed this improvement is due to a bug I encountered in 
> our production environment. I will introduce the bug I encountered later.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (RANGER-4481) Add a configuration item to support Ranger client not using authentication

2023-10-18 Thread Xuze Yang (Jira)



 [ 
https://issues.apache.org/jira/browse/RANGER-4481?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xuze Yang updated RANGER-4481:
--
Attachment: 4.png

> Add a configuration item to support Ranger client not using authentication
> --
>
> Key: RANGER-4481
> URL: https://issues.apache.org/jira/browse/RANGER-4481
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 2.1.0
>Reporter: Xuze Yang
>Priority: Major
> Attachments: 1.png, 2.png, 3.png, 4.png
>
>
> As described in RANGER-3602, ranger supports downloading policies and roles 
> through unauthenticated http requests even if kerberos is enabled on the 
> server. 
> But in terms of the current implementation of RangerAdminRESTClient, whether 
> to enable authenticated HTTP requests depends on the service in which it is 
> located. For example, if the Hadoop service has kerberos enabled, then the 
> RangerAdminRESTClient in the HDFS and Yarn plugins will also use 
> authenticated HTTP requests.
> I think this is not reasonable enough. In this case (both the Ranger server 
> and Hadoop are enabled for kerberos), the RangerAdminRESTClient of the HDFS 
> and Yarn plugins should also be allowed to download policies and roles 
> through unauthenticated HTTP requests.
> The reason why I proposed this improvement is due to a bug I encountered in 
> our production environment. I will introduce the bug I encountered later.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (RANGER-4484) security-zones for the resource should be available in the request context

2023-10-18 Thread Madhan Neethiraj (Jira)

Madhan Neethiraj created RANGER-4484:


 Summary: security-zones for the resource should be available in 
the request context
 Key: RANGER-4484
 URL: https://issues.apache.org/jira/browse/RANGER-4484
 Project: Ranger
  Issue Type: Improvement
  Components: plugins
Reporter: Madhan Neethiraj
Assignee: Madhan Neethiraj


While authorizing access to a resource, Ranger policy engine first determines 
the security-zone in which the resource belongs. This is used by the policy 
engine to select the policies to use to authorize the access. Having the 
security-zone stored in the context will be useful for other modules like 
context enrichers.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (RANGER-4483) SearchField to support NOT_EQUALS search-type

2023-10-18 Thread Madhan Neethiraj (Jira)



 [ 
https://issues.apache.org/jira/browse/RANGER-4483?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Madhan Neethiraj updated RANGER-4483:
-
Attachment: RANGER-4483.patch

> SearchField to support NOT_EQUALS search-type
> -
>
> Key: RANGER-4483
> URL: https://issues.apache.org/jira/browse/RANGER-4483
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Reporter: Madhan Neethiraj
>Assignee: Madhan Neethiraj
>Priority: Major
> Fix For: 3.0.0
>
> Attachments: RANGER-4483.patch
>
>
> Within Ranger admin server, searching the RDBMS store for entities (policies, 
> tags, security-zone, etc) can be performed with filters on fields using 
> various criterion like equals, partial-match, less-than, greater-than, etc. 
> It will be useful to support not-equals criteria as well.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (RANGER-4481) Add a configuration item to support Ranger client not using authentication

2023-10-18 Thread Xuze Yang (Jira)



[ 
https://issues.apache.org/jira/browse/RANGER-4481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17776964#comment-17776964
 ] 

Xuze Yang commented on RANGER-4481:
---

This is a bug in the openjdk code. Someone in the openjdk community has already 
raised an issue（[https://bugs.openjdk.org/browse/JDK-8208299]）, but the issue 
is still in an open state, and this issue still exists in the latest version of 
openjdk.

Therefore, it is necessary for us to provide a method to avoid the problem on 
the ranger side.

CC [~madhan] [~kirbyzhou] 

> Add a configuration item to support Ranger client not using authentication
> --
>
> Key: RANGER-4481
> URL: https://issues.apache.org/jira/browse/RANGER-4481
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 2.1.0
>Reporter: Xuze Yang
>Priority: Major
> Attachments: 1.png, 2.png, 3.png
>
>
> As described in RANGER-3602, ranger supports downloading policies and roles 
> through unauthenticated http requests even if kerberos is enabled on the 
> server. 
> But in terms of the current implementation of RangerAdminRESTClient, whether 
> to enable authenticated HTTP requests depends on the service in which it is 
> located. For example, if the Hadoop service has kerberos enabled, then the 
> RangerAdminRESTClient in the HDFS and Yarn plugins will also use 
> authenticated HTTP requests.
> I think this is not reasonable enough. In this case (both the Ranger server 
> and Hadoop are enabled for kerberos), the RangerAdminRESTClient of the HDFS 
> and Yarn plugins should also be allowed to download policies and roles 
> through unauthenticated HTTP requests.
> The reason why I proposed this improvement is due to a bug I encountered in 
> our production environment. I will introduce the bug I encountered later.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Comment Edited] (RANGER-4481) Add a configuration item to support Ranger client not using authentication

2023-10-18 Thread Xuze Yang (Jira)



[ 
https://issues.apache.org/jira/browse/RANGER-4481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17776958#comment-17776958
 ] 

Xuze Yang edited comment on RANGER-4481 at 10/19/23 1:25 AM:
-

{*}1. Problem phenomenon{*}:

>From a certain moment on, the ranger plugin of resourcemanager0 has been 
>unable to pull policies, and the error log is 401. The kerberos service is 
>normal, and as a comparison, the ranger plugin of resourcemanager1 can pull 
>policies normally. Resourcemanager0's error log:
{code:java}
2023-10-19 08:55:02,551 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting Roles. 
secureMode=true, 
user=hadoop/hdp-hadoop-hdp-resourcemanager-1.hdp-hadoop-hdp-resourcemanager.yangxuze.svc.cluster.lo...@dahua.com
 (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, 
serviceName=default-Yarn
2023-10-19 08:55:02,552 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. 
secureMode=true, 
user=hadoop/hdp-hadoop-hdp-resourcemanager-1.hdp-hadoop-hdp-resourcemanager.yangxuze.svc.cluster.lo...@dahua.com
 (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, 
serviceName=default-Yarn
2023-10-19 08:55:12,572 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting Roles. 
secureMode=true, 
user=hadoop/hdp-hadoop-hdp-resourcemanager-1.hdp-hadoop-hdp-resourcemanager.yangxuze.svc.cluster.lo...@dahua.com
 (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, 
serviceName=default-Yarn
2023-10-19 08:55:12,574 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. 
secureMode=true, 
user=hadoop/hdp-hadoop-hdp-resourcemanager-1.hdp-hadoop-hdp-resourcemanager.yangxuze.svc.cluster.lo...@dahua.com
 (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, 
serviceName=default-Yarn{code}
*2. Problem Cause Analysis：*

The normal process for the Ranger plugin to pull policies from the Ranger 
server：

1) For the first request, the server will reply with a 401 and carry "WWW 
Authenticate: Negotiate" in the HTTP header

!1.png!

2) The internal httpUrlConnection class of Openjdk handles this by performing a 
kerberos authentication, and then placing the authentication result in the HTTP 
header field Authorization to request again

!2.png!

3) Afterwards, the server can provide the correct response, such as a 200 
response or a 304 response

abnormal:

When performing kerberos authentication, if the kdc service is abnormal, it 
will be determined that the service does not support kerberos authentication, 
and then this information will be stored in a global static map called 
'supported'. Subsequent requests will be obtained from the 'supported' based on 
the server hostname to determine whether authentication methods are supported

!3.png!

*Therefore, once the first failure occurs, it will be determined that the 
service does not support authentication, and the second HTTP request will never 
be triggered, resulting in the inability to obtain policies from the service 
forever.*


was (Author: xuze yang):
{*}1. Problem phenomenon{*}:

>From a certain moment on, the ranger plugin of resourcemanager0 has been 
>unable to pull policies, and the error log is 401. The kerberos service is 
>normal, and as a comparison, the ranger plugin of resourcemanager1 can pull 
>policies normally. Resourcemanager0's error log:
{code:java}
2023-10-19 08:55:02,551 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting Roles. 
secureMode=true, 
user=hadoop/hdp-hadoop-hdp-resourcemanager-1.hdp-hadoop-hdp-resourcemanager.yangxuze.svc.cluster.lo...@dahua.com
 (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, 
serviceName=default-Yarn
2023-10-19 08:55:02,552 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. 
secureMode=true, 
user=hadoop/hdp-hadoop-hdp-resourcemanager-1.hdp-hadoop-hdp-resourcemanager.yangxuze.svc.cluster.lo...@dahua.com
 (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, 
serviceName=default-Yarn
2023-10-19 08:55:12,572 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting Roles. 
secureMode=true, 
user=hadoop/hdp-hadoop-hdp-resourcemanager-1.hdp-hadoop-hdp-resourcemanager.yangxuze.svc.cluster.lo...@dahua.com
 (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, 
serviceName=default-Yarn
2023-10-19 08:55:12,574 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. 
secureMode=true, 
user=hadoop/hdp-hadoop-hdp-resourcemanager-1.hdp-hadoop-hdp-resourcemanager.yangxuze.svc.cluster.lo...@dahua.com
 (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, 
serviceName=default-Yarn{code}
*2. Problem Cause Analysis：*

The normal process for the Ranger plugin to pull policies from the Ranger 
server：

1) For the first request, the server will r

[jira] [Comment Edited] (RANGER-4481) Add a configuration item to support Ranger client not using authentication

2023-10-18 Thread Xuze Yang (Jira)



[ 
https://issues.apache.org/jira/browse/RANGER-4481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17776958#comment-17776958
 ] 

Xuze Yang edited comment on RANGER-4481 at 10/19/23 1:21 AM:
-

{*}1. Problem phenomenon{*}:

>From a certain moment on, the ranger plugin of resourcemanager0 has been 
>unable to pull policies, and the error log is 401. The kerberos service is 
>normal, and as a comparison, the ranger plugin of resourcemanager1 can pull 
>policies normally. Resourcemanager0's error log:
{code:java}
2023-10-19 08:55:02,551 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting Roles. 
secureMode=true, 
user=hadoop/hdp-hadoop-hdp-resourcemanager-1.hdp-hadoop-hdp-resourcemanager.yangxuze.svc.cluster.lo...@dahua.com
 (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, 
serviceName=default-Yarn
2023-10-19 08:55:02,552 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. 
secureMode=true, 
user=hadoop/hdp-hadoop-hdp-resourcemanager-1.hdp-hadoop-hdp-resourcemanager.yangxuze.svc.cluster.lo...@dahua.com
 (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, 
serviceName=default-Yarn
2023-10-19 08:55:12,572 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting Roles. 
secureMode=true, 
user=hadoop/hdp-hadoop-hdp-resourcemanager-1.hdp-hadoop-hdp-resourcemanager.yangxuze.svc.cluster.lo...@dahua.com
 (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, 
serviceName=default-Yarn
2023-10-19 08:55:12,574 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. 
secureMode=true, 
user=hadoop/hdp-hadoop-hdp-resourcemanager-1.hdp-hadoop-hdp-resourcemanager.yangxuze.svc.cluster.lo...@dahua.com
 (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, 
serviceName=default-Yarn{code}
*2. Problem Cause Analysis：*

The normal process for the Ranger plugin to pull policies from the Ranger 
server：

1) For the first request, the server will reply with a 401 and carry "WWW 
Authenticate: Negotiate" in the HTTP header

!1.png!

2) The internal httpUrlConnection class of Openjdk handles this by performing a 
kerberos authentication, and then placing the authentication result in the HTTP 
header field Authorization to request again

!2.png!

3) Afterwards, the server can provide the correct response, such as a 200 
response or a 304 response

When performing kerberos authentication, if the kdc service is abnormal, it 
will be determined that the service does not support kerberos authentication, 
and then this information will be stored in a global static map called 
'supported'. Subsequent requests will be obtained from the 'supported' based on 
the server hostname to determine whether authentication methods are supported

!3.png!

*Therefore, once the first failure occurs, it will be determined that the 
service does not support authentication, and the second HTTP request will never 
be triggered, resulting in the inability to obtain policies from the service 
forever.*


was (Author: xuze yang):
{*}Problem phenomenon{*}:

>From a certain moment on, the ranger plugin of resourcemanager0 has been 
>unable to pull policies, and the error log is 401. The kerberos service is 
>normal, and as a comparison, the ranger plugin of resourcemanager1 can pull 
>policies normally. Resourcemanager0's error log:
{code:java}
2023-10-19 08:55:02,551 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting Roles. 
secureMode=true, 
user=hadoop/hdp-hadoop-hdp-resourcemanager-1.hdp-hadoop-hdp-resourcemanager.yangxuze.svc.cluster.lo...@dahua.com
 (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, 
serviceName=default-Yarn
2023-10-19 08:55:02,552 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. 
secureMode=true, 
user=hadoop/hdp-hadoop-hdp-resourcemanager-1.hdp-hadoop-hdp-resourcemanager.yangxuze.svc.cluster.lo...@dahua.com
 (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, 
serviceName=default-Yarn
2023-10-19 08:55:12,572 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting Roles. 
secureMode=true, 
user=hadoop/hdp-hadoop-hdp-resourcemanager-1.hdp-hadoop-hdp-resourcemanager.yangxuze.svc.cluster.lo...@dahua.com
 (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, 
serviceName=default-Yarn
2023-10-19 08:55:12,574 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. 
secureMode=true, 
user=hadoop/hdp-hadoop-hdp-resourcemanager-1.hdp-hadoop-hdp-resourcemanager.yangxuze.svc.cluster.lo...@dahua.com
 (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, 
serviceName=default-Yarn{code}
*Problem Cause Analysis：*

The normal process for the Ranger plugin to pull policies from the Ranger 
server：

1) For the first request, the server will reply with a 401 a

[jira] [Commented] (RANGER-4481) Add a configuration item to support Ranger client not using authentication

2023-10-18 Thread Xuze Yang (Jira)



[ 
https://issues.apache.org/jira/browse/RANGER-4481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17776958#comment-17776958
 ] 

Xuze Yang commented on RANGER-4481:
---

{*}Problem phenomenon{*}:

>From a certain moment on, the ranger plugin of resourcemanager0 has been 
>unable to pull policies, and the error log is 401. The kerberos service is 
>normal, and as a comparison, the ranger plugin of resourcemanager1 can pull 
>policies normally. Resourcemanager0's error log:
{code:java}
2023-10-19 08:55:02,551 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting Roles. 
secureMode=true, 
user=hadoop/hdp-hadoop-hdp-resourcemanager-1.hdp-hadoop-hdp-resourcemanager.yangxuze.svc.cluster.lo...@dahua.com
 (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, 
serviceName=default-Yarn
2023-10-19 08:55:02,552 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. 
secureMode=true, 
user=hadoop/hdp-hadoop-hdp-resourcemanager-1.hdp-hadoop-hdp-resourcemanager.yangxuze.svc.cluster.lo...@dahua.com
 (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, 
serviceName=default-Yarn
2023-10-19 08:55:12,572 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting Roles. 
secureMode=true, 
user=hadoop/hdp-hadoop-hdp-resourcemanager-1.hdp-hadoop-hdp-resourcemanager.yangxuze.svc.cluster.lo...@dahua.com
 (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, 
serviceName=default-Yarn
2023-10-19 08:55:12,574 WARN 
org.apache.ranger.admin.client.RangerAdminRESTClient: Error getting policies. 
secureMode=true, 
user=hadoop/hdp-hadoop-hdp-resourcemanager-1.hdp-hadoop-hdp-resourcemanager.yangxuze.svc.cluster.lo...@dahua.com
 (auth:KERBEROS), response={"httpStatusCode":401,"statusCode":0}, 
serviceName=default-Yarn{code}
*Problem Cause Analysis：*

The normal process for the Ranger plugin to pull policies from the Ranger 
server：

1) For the first request, the server will reply with a 401 and carry "WWW 
Authenticate: Negotiate" in the HTTP header

!1.png!

2) The internal httpUrlConnection class of Openjdk handles this by performing a 
kerberos authentication, and then placing the authentication result in the HTTP 
header field Authorization to request again

!2.png!

3) Afterwards, the server can provide the correct response, such as a 200 
response or a 304 response

When performing kerberos authentication, if the kdc service is abnormal, it 
will be determined that the service does not support kerberos authentication, 
and then this information will be stored in a global static map called 
'supported'. Subsequent requests will be obtained from the 'supported' based on 
the server hostname to determine whether authentication methods are supported

!3.png!

*Therefore, once the first failure occurs, it will be determined that the 
service does not support authentication, and the second HTTP request will never 
be triggered, resulting in the inability to obtain policies from the service 
forever.*

> Add a configuration item to support Ranger client not using authentication
> --
>
> Key: RANGER-4481
> URL: https://issues.apache.org/jira/browse/RANGER-4481
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 2.1.0
>Reporter: Xuze Yang
>Priority: Major
> Attachments: 1.png, 2.png, 3.png
>
>
> As described in RANGER-3602, ranger supports downloading policies and roles 
> through unauthenticated http requests even if kerberos is enabled on the 
> server. 
> But in terms of the current implementation of RangerAdminRESTClient, whether 
> to enable authenticated HTTP requests depends on the service in which it is 
> located. For example, if the Hadoop service has kerberos enabled, then the 
> RangerAdminRESTClient in the HDFS and Yarn plugins will also use 
> authenticated HTTP requests.
> I think this is not reasonable enough. In this case (both the Ranger server 
> and Hadoop are enabled for kerberos), the RangerAdminRESTClient of the HDFS 
> and Yarn plugins should also be allowed to download policies and roles 
> through unauthenticated HTTP requests.
> The reason why I proposed this improvement is due to a bug I encountered in 
> our production environment. I will introduce the bug I encountered later.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Review Request 74682: RANGER-4483: added support for NOT_EQUALS in DB queries

2023-10-18 Thread Madhan Neethiraj


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74682/
---

Review request for ranger, Ankita Sinha, Kishor Gollapalliwar, Abhay Kulkarni, 
Mehul Parikh, Monika Kachhadiya, Pradeep Agrawal, Prashant Satam, Ramesh Mani, 
Subhrat Chaudhary, and Velmurugan Periasamy.


Bugs: RANGER-4483
https://issues.apache.org/jira/browse/RANGER-4483


Repository: ranger


Description
---

- updated enum SearchField.SEARCH_TYPE with addition of NOT_EQUALS
- updated where-clause builder to handle the new enum value


Diffs
-

  security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 
e8aab9af5 
  security-admin/src/main/java/org/apache/ranger/common/SearchField.java 
a53a75cc4 
  security-admin/src/main/java/org/apache/ranger/common/SearchUtil.java 
08002413c 
  
security-admin/src/test/java/org/apache/ranger/common/TestRangerSearchUtil.java 
PRE-CREATION 


Diff: https://reviews.apache.org/r/74682/diff/1/


Testing
---

- added test cases
- verified that all existing tests pass successfully


Thanks,

Madhan Neethiraj

[jira] [Updated] (RANGER-4481) Add a configuration item to support Ranger client not using authentication

2023-10-18 Thread Xuze Yang (Jira)



 [ 
https://issues.apache.org/jira/browse/RANGER-4481?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xuze Yang updated RANGER-4481:
--
Attachment: 3.png

> Add a configuration item to support Ranger client not using authentication
> --
>
> Key: RANGER-4481
> URL: https://issues.apache.org/jira/browse/RANGER-4481
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 2.1.0
>Reporter: Xuze Yang
>Priority: Major
> Attachments: 1.png, 2.png, 3.png
>
>
> As described in RANGER-3602, ranger supports downloading policies and roles 
> through unauthenticated http requests even if kerberos is enabled on the 
> server. 
> But in terms of the current implementation of RangerAdminRESTClient, whether 
> to enable authenticated HTTP requests depends on the service in which it is 
> located. For example, if the Hadoop service has kerberos enabled, then the 
> RangerAdminRESTClient in the HDFS and Yarn plugins will also use 
> authenticated HTTP requests.
> I think this is not reasonable enough. In this case (both the Ranger server 
> and Hadoop are enabled for kerberos), the RangerAdminRESTClient of the HDFS 
> and Yarn plugins should also be allowed to download policies and roles 
> through unauthenticated HTTP requests.
> The reason why I proposed this improvement is due to a bug I encountered in 
> our production environment. I will introduce the bug I encountered later.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (RANGER-4481) Add a configuration item to support Ranger client not using authentication

2023-10-18 Thread Xuze Yang (Jira)



 [ 
https://issues.apache.org/jira/browse/RANGER-4481?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xuze Yang updated RANGER-4481:
--
Attachment: 1.png

> Add a configuration item to support Ranger client not using authentication
> --
>
> Key: RANGER-4481
> URL: https://issues.apache.org/jira/browse/RANGER-4481
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 2.1.0
>Reporter: Xuze Yang
>Priority: Major
> Attachments: 1.png, 2.png
>
>
> As described in RANGER-3602, ranger supports downloading policies and roles 
> through unauthenticated http requests even if kerberos is enabled on the 
> server. 
> But in terms of the current implementation of RangerAdminRESTClient, whether 
> to enable authenticated HTTP requests depends on the service in which it is 
> located. For example, if the Hadoop service has kerberos enabled, then the 
> RangerAdminRESTClient in the HDFS and Yarn plugins will also use 
> authenticated HTTP requests.
> I think this is not reasonable enough. In this case (both the Ranger server 
> and Hadoop are enabled for kerberos), the RangerAdminRESTClient of the HDFS 
> and Yarn plugins should also be allowed to download policies and roles 
> through unauthenticated HTTP requests.
> The reason why I proposed this improvement is due to a bug I encountered in 
> our production environment. I will introduce the bug I encountered later.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (RANGER-4481) Add a configuration item to support Ranger client not using authentication

2023-10-18 Thread Xuze Yang (Jira)



 [ 
https://issues.apache.org/jira/browse/RANGER-4481?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xuze Yang updated RANGER-4481:
--
Attachment: 2.png

> Add a configuration item to support Ranger client not using authentication
> --
>
> Key: RANGER-4481
> URL: https://issues.apache.org/jira/browse/RANGER-4481
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 2.1.0
>Reporter: Xuze Yang
>Priority: Major
> Attachments: 1.png, 2.png
>
>
> As described in RANGER-3602, ranger supports downloading policies and roles 
> through unauthenticated http requests even if kerberos is enabled on the 
> server. 
> But in terms of the current implementation of RangerAdminRESTClient, whether 
> to enable authenticated HTTP requests depends on the service in which it is 
> located. For example, if the Hadoop service has kerberos enabled, then the 
> RangerAdminRESTClient in the HDFS and Yarn plugins will also use 
> authenticated HTTP requests.
> I think this is not reasonable enough. In this case (both the Ranger server 
> and Hadoop are enabled for kerberos), the RangerAdminRESTClient of the HDFS 
> and Yarn plugins should also be allowed to download policies and roles 
> through unauthenticated HTTP requests.
> The reason why I proposed this improvement is due to a bug I encountered in 
> our production environment. I will introduce the bug I encountered later.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (RANGER-4483) SearchField to support NOT_EQUALS search-type

2023-10-18 Thread Madhan Neethiraj (Jira)

Madhan Neethiraj created RANGER-4483:


 Summary: SearchField to support NOT_EQUALS search-type
 Key: RANGER-4483
 URL: https://issues.apache.org/jira/browse/RANGER-4483
 Project: Ranger
  Issue Type: Improvement
  Components: Ranger
Reporter: Madhan Neethiraj
Assignee: Madhan Neethiraj


Within Ranger admin server, searching the RDBMS store for entities (policies, 
tags, security-zone, etc) can be performed with filters on fields using various 
criterion like equals, partial-match, less-than, greater-than, etc. It will be 
useful to support not-equals criteria as well.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Re: Review Request 74678: RANGER:4397:API to get DataShare id, name, description List

2023-10-18 Thread Madhan Neethiraj


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74678/#review225872
---




security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
Line 1385 (original), 1386 (patched)


Instead of treating excludeDatasetId as a boolean flag, consider using this 
query-parameter to specify that datasetId that needs to be excluded. This 
should be used in the database query to exclude this dataset (with use of "!=" 
operator).


- Madhan Neethiraj


On Oct. 18, 2023, 8:53 a.m., Prashant Satam wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74678/
> ---
> 
> (Updated Oct. 18, 2023, 8:53 a.m.)
> 
> 
> Review request for ranger, Anand Nadar, Ankita Sinha, Madhan Neethiraj, 
> Monika Kachhadiya, and Subhrat Chaudhary.
> 
> 
> Bugs: RANGER-4397
> https://issues.apache.org/jira/browse/RANGER-4397
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Dataset Details >> Add a Datashare >> List Datashares pop up,
> Need a GET API to get all datashares, based on LIST ACL for current user
> Exclude existing one for which request is is available GRANTED, ACTIVE, 
> REQUESTED states 
> Response: id, Name, Descrption
> Request: datasetId, excludeExistingDataShare
> Filter: partial search on datashare name, Pagination
> 
> 
> Diffs
> -
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 
> 93bd7f73d 
>   security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java 
> 10986823d 
>   security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 
> 719d8a900 
>   
> security-admin/src/main/java/org/apache/ranger/db/XXGdsDataShareInDatasetDao.java
>  7637b275d 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml 547913488 
> 
> 
> Diff: https://reviews.apache.org/r/74678/diff/3/
> 
> 
> Testing
> ---
> 
> 1)Create 1 dataset
> 2)create multiple dataShares
> 3)Link datasets to dataShares with status as ACITVE as well as DENIED
> 4)Get dataShares by GET-API(/service/gds/datashare/) using query param 
> excludeDatasetId=true
> 5)You will only get dataShares which are not mapped to any dataset and 
> existing mapped datashares having status(DENIED,NONE)
> 
> Request-> 
> (/service/gds/datashare/?excludeDatasetId=true&datasetId=1&dataShareNamePartial=RangerDataShare11)
> Response>
> {
> "startIndex": 0,
> "pageSize": 200,
> "totalCount": 1,
> "resultSize": 1,
> "sortType": "dataShareId",
> "sortBy": "asc",
> "queryTimeMS": 1697525773619,
> "list": [
> {
> "id": 3,
> "guid": "cb7a8d8e-b082-4c4c-98c7-25b204e8b83c",
> "isEnabled": true,
> "createdBy": "Admin",
> "updatedBy": "Admin",
> "createTime": 1697525717000,
> "updateTime": 1697525717000,
> "version": 1,
> "name": "RangerDataShare11",
> "acl": {
> "users": {
> "admin": "ADMIN"
> }
> },
> "service": "Ranger_hive",
> "zone": " "
> }
> ],
> "listSize": 1
> }
> 
> 
> Thanks,
> 
> Prashant Satam
> 
>

[jira] [Commented] (RANGER-4476) trino filter

2023-10-18 Thread Bhavik Patel (Jira)



[ 
https://issues.apache.org/jira/browse/RANGER-4476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17776673#comment-17776673
 ] 

Bhavik Patel commented on RANGER-4476:
--

With java-8 and 11 we are able to build without any code changes but with 
jdk-17 I am observing the above issue.

> trino filter
> 
>
> Key: RANGER-4476
> URL: https://issues.apache.org/jira/browse/RANGER-4476
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins, Ranger
>Affects Versions: 3.0.0
>Reporter: Andrey Pilipyuk
>Priority: Major
>  Labels: Trino
>
> hello there
> i trying to enable trino plugin, i have successful connect check
> but when i try to make policy i have an error in logs 
> 2023-10-16 13:39:09,055 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/trino-jdbc-423.jar
> 2023-10-16 13:39:09,055 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/ranger-trino-plugin-3.0.0-SNAPSHOT.jar
> 2023-10-16 13:39:09,056 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/trino-spi-423.jar
> 2023-10-16 13:39:09,078 [timed-executor-pool-0] WARN 
> [SecureClientLogin.java:123] Can't find keyTab Path : null
> 2023-10-16 13:39:09,079 [timed-executor-pool-0] WARN 
> [SecureClientLogin.java:127] Can't find principal : null
> 2023-10-16 13:39:09,084 [timed-executor-pool-0] INFO [BaseClient.java:126] 
> Init Login: security not enabled, using username
> 2023-10-16 13:39:09,501 [timed-executor-pool-0] ERROR 
> [TrinoResourceManager.java:168] Could not initiate a TrinoClient timedTask
> can you please tell me how i can debug it, or some prefirences to trino from 
> ranger



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (RANGER-4482) Upgrade Tomcat to 8.5.94 (for CVE fixes) in all Ranger services

2023-10-18 Thread Sanket Shelar (Jira)

Sanket Shelar created RANGER-4482:
-

 Summary: Upgrade Tomcat to 8.5.94 (for CVE fixes) in all Ranger 
services
 Key: RANGER-4482
 URL: https://issues.apache.org/jira/browse/RANGER-4482
 Project: Ranger
  Issue Type: Task
  Components: Ranger
Reporter: Sanket Shelar
Assignee: Sanket Shelar


Tomcat needs be upgraded to 8.5.94 to address the below CVE.

CVE-2023-45648
[https://nvd.nist.gov/vuln/detail/CVE-2023-45648]
CVE-2023-42795
[https://nvd.nist.gov/vuln/detail/CVE-2023-42795]
CVE-2023-42794
[https://nvd.nist.gov/vuln/detail/CVE-2023-42794]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Re: [PR] RANGER-2128: Implementation of Ranger Spark SQL plugin [ranger]

2023-10-18 Thread via GitHub



ManoharVanam commented on PR #26:
URL: https://github.com/apache/ranger/pull/26#issuecomment-1768339387

   will this work with spark-submit cluster mode without passing keytab?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@ranger.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

[jira] [Commented] (RANGER-4239) Upgrade trino version

2023-10-18 Thread Andrey Pilipyuk (Jira)



[ 
https://issues.apache.org/jira/browse/RANGER-4239?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17776629#comment-17776629
 ] 

Andrey Pilipyuk commented on RANGER-4239:
-

сan you please tell which version is supported by ranger in master branch in 
github?

> Upgrade trino version
> -
>
> Key: RANGER-4239
> URL: https://issues.apache.org/jira/browse/RANGER-4239
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 3.0.0
>Reporter: qingbo jiao
>Assignee: Siddhant Sontakke
>Priority: Minor
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> The current version of trino integrated in the ranger is 377, and the latest 
> version of trino has reached 417. Should the version of trino be upgraded to 
> 4XX?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (RANGER-4476) trino filter

2023-10-18 Thread Andrey Pilipyuk (Jira)



[ 
https://issues.apache.org/jira/browse/RANGER-4476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17776625#comment-17776625
 ] 

Andrey Pilipyuk commented on RANGER-4476:
-

i think that i already have this dependences.

i was build plugin with java 8 before

> trino filter
> 
>
> Key: RANGER-4476
> URL: https://issues.apache.org/jira/browse/RANGER-4476
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins, Ranger
>Affects Versions: 3.0.0
>Reporter: Andrey Pilipyuk
>Priority: Major
>  Labels: Trino
>
> hello there
> i trying to enable trino plugin, i have successful connect check
> but when i try to make policy i have an error in logs 
> 2023-10-16 13:39:09,055 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/trino-jdbc-423.jar
> 2023-10-16 13:39:09,055 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/ranger-trino-plugin-3.0.0-SNAPSHOT.jar
> 2023-10-16 13:39:09,056 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/trino-spi-423.jar
> 2023-10-16 13:39:09,078 [timed-executor-pool-0] WARN 
> [SecureClientLogin.java:123] Can't find keyTab Path : null
> 2023-10-16 13:39:09,079 [timed-executor-pool-0] WARN 
> [SecureClientLogin.java:127] Can't find principal : null
> 2023-10-16 13:39:09,084 [timed-executor-pool-0] INFO [BaseClient.java:126] 
> Init Login: security not enabled, using username
> 2023-10-16 13:39:09,501 [timed-executor-pool-0] ERROR 
> [TrinoResourceManager.java:168] Could not initiate a TrinoClient timedTask
> can you please tell me how i can debug it, or some prefirences to trino from 
> ranger



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (RANGER-4481) Add a configuration item to support Ranger client not using authentication

2023-10-18 Thread Xuze Yang (Jira)



 [ 
https://issues.apache.org/jira/browse/RANGER-4481?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xuze Yang updated RANGER-4481:
--
Description: 
As described in RANGER-3602, ranger supports downloading policies and roles 
through unauthenticated http requests even if kerberos is enabled on the 
server. 

But in terms of the current implementation of RangerAdminRESTClient, whether to 
enable authenticated HTTP requests depends on the service in which it is 
located. For example, if the Hadoop service has kerberos enabled, then the 
RangerAdminRESTClient in the HDFS and Yarn plugins will also use authenticated 
HTTP requests.

I think this is not reasonable enough. In this case (both the Ranger server and 
Hadoop are enabled for kerberos), the RangerAdminRESTClient of the HDFS and 
Yarn plugins should also be allowed to download policies and roles through 
unauthenticated HTTP requests.
The reason why I proposed this improvement is due to a bug I encountered in our 
production environment. I will introduce the bug I encountered later.

  was:
As described in 
[RANGER-3602|https://issues.apache.org/jira/browse/RANGER-3602], ranger 
supports downloading policies and roles through unauthenticated http requests 
even if kerberos is enabled on the server. 

But in terms of the current implementation of RangerAdminRESTClient, whether to 
enable authenticated HTTP requests depends on the service in which it is 
located. For example, if the Hadoop service has kerberos enabled, then the 
RangerAdminRESTClient in the HDFS and Yarn plugins will also use authenticated 
HTTP requests.

I think this is not reasonable enough. In this case (both the Ranger server and 
Hadoop are enabled for kerberos), the RangerAdminRESTClient of the HDFS and 
Yarn plugins should also be allowed to download policies and roles through 
unauthenticated HTTP requests.


> Add a configuration item to support Ranger client not using authentication
> --
>
> Key: RANGER-4481
> URL: https://issues.apache.org/jira/browse/RANGER-4481
> Project: Ranger
>  Issue Type: Improvement
>  Components: Ranger
>Affects Versions: 2.1.0
>Reporter: Xuze Yang
>Priority: Major
>
> As described in RANGER-3602, ranger supports downloading policies and roles 
> through unauthenticated http requests even if kerberos is enabled on the 
> server. 
> But in terms of the current implementation of RangerAdminRESTClient, whether 
> to enable authenticated HTTP requests depends on the service in which it is 
> located. For example, if the Hadoop service has kerberos enabled, then the 
> RangerAdminRESTClient in the HDFS and Yarn plugins will also use 
> authenticated HTTP requests.
> I think this is not reasonable enough. In this case (both the Ranger server 
> and Hadoop are enabled for kerberos), the RangerAdminRESTClient of the HDFS 
> and Yarn plugins should also be allowed to download policies and roles 
> through unauthenticated HTTP requests.
> The reason why I proposed this improvement is due to a bug I encountered in 
> our production environment. I will introduce the bug I encountered later.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (RANGER-4481) Add a configuration item to support Ranger client not using authentication

2023-10-18 Thread Xuze Yang (Jira)

Xuze Yang created RANGER-4481:
-

 Summary: Add a configuration item to support Ranger client not 
using authentication
 Key: RANGER-4481
 URL: https://issues.apache.org/jira/browse/RANGER-4481
 Project: Ranger
  Issue Type: Improvement
  Components: Ranger
Affects Versions: 2.1.0
Reporter: Xuze Yang


As described in 
[RANGER-3602|https://issues.apache.org/jira/browse/RANGER-3602], ranger 
supports downloading policies and roles through unauthenticated http requests 
even if kerberos is enabled on the server. 

But in terms of the current implementation of RangerAdminRESTClient, whether to 
enable authenticated HTTP requests depends on the service in which it is 
located. For example, if the Hadoop service has kerberos enabled, then the 
RangerAdminRESTClient in the HDFS and Yarn plugins will also use authenticated 
HTTP requests.

I think this is not reasonable enough. In this case (both the Ranger server and 
Hadoop are enabled for kerberos), the RangerAdminRESTClient of the HDFS and 
Yarn plugins should also be allowed to download policies and roles through 
unauthenticated HTTP requests.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Review Request 74681: RANGER:4480:Disable pagination for GDS APIs

2023-10-18 Thread Prashant Satam


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74681/
---

Review request for ranger, Anand Nadar, Ankita Sinha, Madhan Neethiraj, Monika 
Kachhadiya, and Subhrat Chaudhary.


Bugs: RANGER-4480
https://issues.apache.org/jira/browse/RANGER-4480


Repository: ranger


Description
---

In case of GDS we cannot apply pagination from DB side Directly as some filters 
are after the DB results with pagination enabled we get result in batch size of 
200 then this result is incomplete to apply filters which are after the DB 
result (i.e filters which are in code only)


Diffs
-

  agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 
93bd7f73d 
  security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java 10986823d 
  security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 
719d8a900 
  
security-admin/src/main/java/org/apache/ranger/service/RangerGdsDataShareService.java
 6a93e44dc 
  
security-admin/src/main/java/org/apache/ranger/service/RangerGdsDatasetService.java
 072889f1d 
  
security-admin/src/main/java/org/apache/ranger/service/RangerGdsProjectService.java
 4ccb063fe 
  
security-admin/src/main/java/org/apache/ranger/service/RangerGdsSharedResourceService.java
 4bdb09f4d 


Diff: https://reviews.apache.org/r/74681/diff/1/


Testing
---

1)Create shared resources more than default pageSize i.e 200
2)use GET-API > (/service/gds/resource) to fetch resource which has 
resourceContains = resource_1 this shared resource should be beyond the 
pageSize 200 
3)In response you will receive the shared resource having resource as 
resource_1 which was beyond 200th position in DB
Request -> (/service/gds/resource?resourceContains=resource_1)
Response->
{
"startIndex": 0,
"pageSize": 200,
"totalCount": 1,
"resultSize": 1,
"sortType": "sharedResourceId",
"sortBy": "asc",
"queryTimeMS": 1697626402403,
"list": [
{
"id": 388,
"guid": "1d9e2fcf-8cc8-45b0-ab87-3f596c04350a",
"isEnabled": true,
"createdBy": "Admin",
"updatedBy": "Admin",
"createTime": 1697192628000,
"updateTime": 1697192628000,
"version": 1,
"description": "This is RangerResource",
"options": {
"property1": "This is Options 1",
"property2": "This is Options 2"
},
"additionalInfo": {
"property1": "This is AdditionalInfo 1",
"property2": "This is AdditionalInfo 2"
},
"name": "RangerResource_399",
"dataShareId": 1,
"resource": {
"RAngerResourceName": {
"values": [
"res_399",
"res_399"
],
"isExcludes": true,
"isRecursive": true
}
},
"conditionExpr": "conditionExpr_1",
"accessTypes": [
"Resource_Access_type_1",
"Resource_Access_type_2"
],
"profiles": [
"resource_profile_1",
"resource_profile_2"
]
}
],
"listSize": 1
}


Thanks,

Prashant Satam

[jira] [Updated] (RANGER-4480) Disable pagination for GDS APIs

2023-10-18 Thread Prashant Satam (Jira)



 [ 
https://issues.apache.org/jira/browse/RANGER-4480?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Prashant Satam updated RANGER-4480:
---
Description: In case of GDS we cannot apply pagination from DB side 
Directly as some filters are after the DB results with pagination enabled we 
get result in batch size of 200 then this result is incomplete to apply filters 
which are after the DB result (i.e filters which are in code only) 

> Disable pagination for GDS APIs
> ---
>
> Key: RANGER-4480
> URL: https://issues.apache.org/jira/browse/RANGER-4480
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Prashant Satam
>Assignee: Prashant Satam
>Priority: Major
>
> In case of GDS we cannot apply pagination from DB side Directly as some 
> filters are after the DB results with pagination enabled we get result in 
> batch size of 200 then this result is incomplete to apply filters which are 
> after the DB result (i.e filters which are in code only) 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Assigned] (RANGER-4480) Disable pagination for GDS APIs

2023-10-18 Thread Prashant Satam (Jira)



 [ 
https://issues.apache.org/jira/browse/RANGER-4480?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Prashant Satam reassigned RANGER-4480:
--

Assignee: Prashant Satam

> Disable pagination for GDS APIs
> ---
>
> Key: RANGER-4480
> URL: https://issues.apache.org/jira/browse/RANGER-4480
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Prashant Satam
>Assignee: Prashant Satam
>Priority: Major
>




--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (RANGER-4480) Disable pagination for GDS APIs

2023-10-18 Thread Prashant Satam (Jira)

Prashant Satam created RANGER-4480:
--

 Summary: Disable pagination for GDS APIs
 Key: RANGER-4480
 URL: https://issues.apache.org/jira/browse/RANGER-4480
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Reporter: Prashant Satam






--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (RANGER-4476) trino filter

2023-10-18 Thread Bhavik Patel (Jira)



[ 
https://issues.apache.org/jira/browse/RANGER-4476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17776602#comment-17776602
 ] 

Bhavik Patel commented on RANGER-4476:
--

* Trino latest version only support jdk-17 only.
 * With jdk-17 I am observing the below error while build the trino plugin

{code:java}
agents-common/src/main/java/org/apache/ranger/plugin/util/NashornScriptEngineCreator.java:[26,32]
 error: package jdk.nashorn.api.scripting does not exist{code}


how did resolved this?

> trino filter
> 
>
> Key: RANGER-4476
> URL: https://issues.apache.org/jira/browse/RANGER-4476
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins, Ranger
>Affects Versions: 3.0.0
>Reporter: Andrey Pilipyuk
>Priority: Major
>  Labels: Trino
>
> hello there
> i trying to enable trino plugin, i have successful connect check
> but when i try to make policy i have an error in logs 
> 2023-10-16 13:39:09,055 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/trino-jdbc-423.jar
> 2023-10-16 13:39:09,055 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/ranger-trino-plugin-3.0.0-SNAPSHOT.jar
> 2023-10-16 13:39:09,056 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/trino-spi-423.jar
> 2023-10-16 13:39:09,078 [timed-executor-pool-0] WARN 
> [SecureClientLogin.java:123] Can't find keyTab Path : null
> 2023-10-16 13:39:09,079 [timed-executor-pool-0] WARN 
> [SecureClientLogin.java:127] Can't find principal : null
> 2023-10-16 13:39:09,084 [timed-executor-pool-0] INFO [BaseClient.java:126] 
> Init Login: security not enabled, using username
> 2023-10-16 13:39:09,501 [timed-executor-pool-0] ERROR 
> [TrinoResourceManager.java:168] Could not initiate a TrinoClient timedTask
> can you please tell me how i can debug it, or some prefirences to trino from 
> ranger



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Comment Edited] (RANGER-4476) trino filter

2023-10-18 Thread Andrey Pilipyuk (Jira)



[ 
https://issues.apache.org/jira/browse/RANGER-4476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17776589#comment-17776589
 ] 

Andrey Pilipyuk edited comment on RANGER-4476 at 10/18/23 10:06 AM:


i am using trino version 423.

i tried to build plugin with maven on openjdk 8,11,17 and have same result


was (Author: JIRAUSER302210):
i am using trino version 423.

i tried build plugin with maven on openjdk 8,11,17 and have same result

> trino filter
> 
>
> Key: RANGER-4476
> URL: https://issues.apache.org/jira/browse/RANGER-4476
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins, Ranger
>Affects Versions: 3.0.0
>Reporter: Andrey Pilipyuk
>Priority: Major
>  Labels: Trino
>
> hello there
> i trying to enable trino plugin, i have successful connect check
> but when i try to make policy i have an error in logs 
> 2023-10-16 13:39:09,055 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/trino-jdbc-423.jar
> 2023-10-16 13:39:09,055 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/ranger-trino-plugin-3.0.0-SNAPSHOT.jar
> 2023-10-16 13:39:09,056 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/trino-spi-423.jar
> 2023-10-16 13:39:09,078 [timed-executor-pool-0] WARN 
> [SecureClientLogin.java:123] Can't find keyTab Path : null
> 2023-10-16 13:39:09,079 [timed-executor-pool-0] WARN 
> [SecureClientLogin.java:127] Can't find principal : null
> 2023-10-16 13:39:09,084 [timed-executor-pool-0] INFO [BaseClient.java:126] 
> Init Login: security not enabled, using username
> 2023-10-16 13:39:09,501 [timed-executor-pool-0] ERROR 
> [TrinoResourceManager.java:168] Could not initiate a TrinoClient timedTask
> can you please tell me how i can debug it, or some prefirences to trino from 
> ranger



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (RANGER-4476) trino filter

2023-10-18 Thread Andrey Pilipyuk (Jira)



[ 
https://issues.apache.org/jira/browse/RANGER-4476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17776589#comment-17776589
 ] 

Andrey Pilipyuk commented on RANGER-4476:
-

i am using trino version 423.

i tried build plugin with maven on openjdk 8,11,17 and have same result

> trino filter
> 
>
> Key: RANGER-4476
> URL: https://issues.apache.org/jira/browse/RANGER-4476
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins, Ranger
>Affects Versions: 3.0.0
>Reporter: Andrey Pilipyuk
>Priority: Major
>  Labels: Trino
>
> hello there
> i trying to enable trino plugin, i have successful connect check
> but when i try to make policy i have an error in logs 
> 2023-10-16 13:39:09,055 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/trino-jdbc-423.jar
> 2023-10-16 13:39:09,055 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/ranger-trino-plugin-3.0.0-SNAPSHOT.jar
> 2023-10-16 13:39:09,056 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/trino-spi-423.jar
> 2023-10-16 13:39:09,078 [timed-executor-pool-0] WARN 
> [SecureClientLogin.java:123] Can't find keyTab Path : null
> 2023-10-16 13:39:09,079 [timed-executor-pool-0] WARN 
> [SecureClientLogin.java:127] Can't find principal : null
> 2023-10-16 13:39:09,084 [timed-executor-pool-0] INFO [BaseClient.java:126] 
> Init Login: security not enabled, using username
> 2023-10-16 13:39:09,501 [timed-executor-pool-0] ERROR 
> [TrinoResourceManager.java:168] Could not initiate a TrinoClient timedTask
> can you please tell me how i can debug it, or some prefirences to trino from 
> ranger



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Re: Review Request 74678: RANGER:4397:API to get DataShare id, name, description List

2023-10-18 Thread Prashant Satam


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74678/
---

(Updated Oct. 18, 2023, 8:53 a.m.)


Review request for ranger, Anand Nadar, Ankita Sinha, Madhan Neethiraj, Monika 
Kachhadiya, and Subhrat Chaudhary.


Bugs: RANGER-4397
https://issues.apache.org/jira/browse/RANGER-4397


Repository: ranger


Description (updated)
---

Dataset Details >> Add a Datashare >> List Datashares pop up,
Need a GET API to get all datashares, based on LIST ACL for current user
Exclude existing one for which request is is available GRANTED, ACTIVE, 
REQUESTED states 
Response: id, Name, Descrption
Request: datasetId, excludeExistingDataShare
Filter: partial search on datashare name, Pagination


Diffs (updated)
-

  agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 
93bd7f73d 
  security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java 10986823d 
  security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 
719d8a900 
  
security-admin/src/main/java/org/apache/ranger/db/XXGdsDataShareInDatasetDao.java
 7637b275d 
  security-admin/src/main/resources/META-INF/jpa_named_queries.xml 547913488 


Diff: https://reviews.apache.org/r/74678/diff/2/

Changes: https://reviews.apache.org/r/74678/diff/1-2/


Testing (updated)
---

1)Create 1 dataset
2)create multiple dataShares
3)Link datasets to dataShares with status as ACITVE as well as DENIED
4)Get dataShares by GET-API(/service/gds/datashare/) using query param 
excludeDatasetId=true
5)You will only get dataShares which are not mapped to any dataset and existing 
mapped datashares having status(DENIED,NONE)

Request-> 
(/service/gds/datashare/?excludeDatasetId=true&datasetId=1&dataShareNamePartial=RangerDataShare11)
Response>
{
"startIndex": 0,
"pageSize": 200,
"totalCount": 1,
"resultSize": 1,
"sortType": "dataShareId",
"sortBy": "asc",
"queryTimeMS": 1697525773619,
"list": [
{
"id": 3,
"guid": "cb7a8d8e-b082-4c4c-98c7-25b204e8b83c",
"isEnabled": true,
"createdBy": "Admin",
"updatedBy": "Admin",
"createTime": 1697525717000,
"updateTime": 1697525717000,
"version": 1,
"name": "RangerDataShare11",
"acl": {
"users": {
"admin": "ADMIN"
}
},
"service": "Ranger_hive",
"zone": " "
}
],
"listSize": 1
}


Thanks,

Prashant Satam

[jira] [Commented] (RANGER-4476) trino filter

2023-10-18 Thread Bhavik Patel (Jira)



[ 
https://issues.apache.org/jira/browse/RANGER-4476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17776561#comment-17776561
 ] 

Bhavik Patel commented on RANGER-4476:
--

which version of trino you are using? and how you compiled the trino plugin?

> trino filter
> 
>
> Key: RANGER-4476
> URL: https://issues.apache.org/jira/browse/RANGER-4476
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins, Ranger
>Affects Versions: 3.0.0
>Reporter: Andrey Pilipyuk
>Priority: Major
>  Labels: Trino
>
> hello there
> i trying to enable trino plugin, i have successful connect check
> but when i try to make policy i have an error in logs 
> 2023-10-16 13:39:09,055 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/trino-jdbc-423.jar
> 2023-10-16 13:39:09,055 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/ranger-trino-plugin-3.0.0-SNAPSHOT.jar
> 2023-10-16 13:39:09,056 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/trino-spi-423.jar
> 2023-10-16 13:39:09,078 [timed-executor-pool-0] WARN 
> [SecureClientLogin.java:123] Can't find keyTab Path : null
> 2023-10-16 13:39:09,079 [timed-executor-pool-0] WARN 
> [SecureClientLogin.java:127] Can't find principal : null
> 2023-10-16 13:39:09,084 [timed-executor-pool-0] INFO [BaseClient.java:126] 
> Init Login: security not enabled, using username
> 2023-10-16 13:39:09,501 [timed-executor-pool-0] ERROR 
> [TrinoResourceManager.java:168] Could not initiate a TrinoClient timedTask
> can you please tell me how i can debug it, or some prefirences to trino from 
> ranger



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (RANGER-4476) trino filter

2023-10-18 Thread Andrey Pilipyuk (Jira)



 [ 
https://issues.apache.org/jira/browse/RANGER-4476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andrey Pilipyuk updated RANGER-4476:

Labels: Trino  (was: )

> trino filter
> 
>
> Key: RANGER-4476
> URL: https://issues.apache.org/jira/browse/RANGER-4476
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins, Ranger
>Affects Versions: 3.0.0
>Reporter: Andrey Pilipyuk
>Priority: Major
>  Labels: Trino
>
> hello there
> i trying to enable trino plugin, i have successful connect check
> but when i try to make policy i have an error in logs 
> 2023-10-16 13:39:09,055 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/trino-jdbc-423.jar
> 2023-10-16 13:39:09,055 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/ranger-trino-plugin-3.0.0-SNAPSHOT.jar
> 2023-10-16 13:39:09,056 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/trino-spi-423.jar
> 2023-10-16 13:39:09,078 [timed-executor-pool-0] WARN 
> [SecureClientLogin.java:123] Can't find keyTab Path : null
> 2023-10-16 13:39:09,079 [timed-executor-pool-0] WARN 
> [SecureClientLogin.java:127] Can't find principal : null
> 2023-10-16 13:39:09,084 [timed-executor-pool-0] INFO [BaseClient.java:126] 
> Init Login: security not enabled, using username
> 2023-10-16 13:39:09,501 [timed-executor-pool-0] ERROR 
> [TrinoResourceManager.java:168] Could not initiate a TrinoClient timedTask
> can you please tell me how i can debug it, or some prefirences to trino from 
> ranger



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (RANGER-4476) trino filter

2023-10-18 Thread Andrey Pilipyuk (Jira)



 [ 
https://issues.apache.org/jira/browse/RANGER-4476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andrey Pilipyuk updated RANGER-4476:

Component/s: plugins

> trino filter
> 
>
> Key: RANGER-4476
> URL: https://issues.apache.org/jira/browse/RANGER-4476
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins, Ranger
>Affects Versions: 3.0.0
>Reporter: Andrey Pilipyuk
>Priority: Major
>
> hello there
> i trying to enable trino plugin, i have successful connect check
> but when i try to make policy i have an error in logs 
> 2023-10-16 13:39:09,055 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/trino-jdbc-423.jar
> 2023-10-16 13:39:09,055 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/ranger-trino-plugin-3.0.0-SNAPSHOT.jar
> 2023-10-16 13:39:09,056 [https-jsse-nio-6182-exec-6] WARN 
> [ServiceMgr.java:476] getFilesInDirectory('ranger-plugins/trino'): adding 
> /opt/ranger-admin-3.0.0/ews/webapp/WEB-INF/classes/ranger-plugins/trino/trino-spi-423.jar
> 2023-10-16 13:39:09,078 [timed-executor-pool-0] WARN 
> [SecureClientLogin.java:123] Can't find keyTab Path : null
> 2023-10-16 13:39:09,079 [timed-executor-pool-0] WARN 
> [SecureClientLogin.java:127] Can't find principal : null
> 2023-10-16 13:39:09,084 [timed-executor-pool-0] INFO [BaseClient.java:126] 
> Init Login: security not enabled, using username
> 2023-10-16 13:39:09,501 [timed-executor-pool-0] ERROR 
> [TrinoResourceManager.java:168] Could not initiate a TrinoClient timedTask
> can you please tell me how i can debug it, or some prefirences to trino from 
> ranger



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

39 matches

Mail list logo