Review Request 74864: RANGER-4691 : Only a Dataset admin user should be able to create a DatashareInDataset request with REQUESTED status
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/74864/ --- Review request for ranger, Anand Nadar, Ankita Sinha, Madhan Neethiraj, Monika Kachhadiya, Prashant Sharma, Siddhesh Phatak, and Subhrat Chaudhary. Bugs: RANGER-4691 https://issues.apache.org/jira/browse/RANGER-4691 Repository: ranger Description --- CUrrently only a datashare admin is able to create a DatashareInDataset request in REQUESTED status. This should be the other way around, i.e only a Dataset admin user should be able to create a DatashareInDataset request with REQUESTED status. Diffs - security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java a42a11ffb Diff: https://reviews.apache.org/r/74864/diff/1/ Testing --- 1. Validated that when a dataset admin is able to create a DatashareInDataset request with REQUESTED status. 2. Validated that when a datashare admin tries to create a DatashareInDataset request, the api gives 400 response and a message that the user is not an admin for the dataset. Thanks, Anand Nadar
[jira] [Commented] (RANGER-4644) [Ranger UI] Clicking on the policy Id in the access audits (audits related to gds) leads to an error
[ https://issues.apache.org/jira/browse/RANGER-4644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17815138#comment-17815138 ] Abhishek commented on RANGER-4644: -- Got it. Thanks [~madhan] Currently, the GDS policies are not listed on the reports page. Can you please let me know if they should be listed on the reports page? Thank you > [Ranger UI] Clicking on the policy Id in the access audits (audits related to > gds) leads to an error > > > Key: RANGER-4644 > URL: https://issues.apache.org/jira/browse/RANGER-4644 > Project: Ranger > Issue Type: Sub-task > Components: admin, Ranger >Reporter: Abhishek >Assignee: Abhishek >Priority: Major > Labels: ranger-react > Attachments: Screenshot 2024-01-11 at 1.43.43 AM.png, > screenshot_with_fix.png > > > In the GDS access audits, if the user clicks on the policy id of a particular > audit, then it leads to an error. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (RANGER-4644) [Ranger UI] Clicking on the policy Id in the access audits (audits related to gds) leads to an error
[ https://issues.apache.org/jira/browse/RANGER-4644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17815067#comment-17815067 ] Madhan Neethiraj commented on RANGER-4644: -- {quote}Can you please let me know if there is any particular reason why the GDS servicedef is restricted from being fetched in the "/plugins/definitions" endpoint? {quote} [~abhishek.patil] - this is done to prevent UI from rendering GDS service in resource-based policies page. The fix you arrived at, to fetch the service-def by name, is the correct way to address the UI issue reported here. > [Ranger UI] Clicking on the policy Id in the access audits (audits related to > gds) leads to an error > > > Key: RANGER-4644 > URL: https://issues.apache.org/jira/browse/RANGER-4644 > Project: Ranger > Issue Type: Sub-task > Components: admin, Ranger >Reporter: Abhishek >Assignee: Abhishek >Priority: Major > Labels: ranger-react > Attachments: Screenshot 2024-01-11 at 1.43.43 AM.png, > screenshot_with_fix.png > > > In the GDS access audits, if the user clicks on the policy id of a particular > audit, then it leads to an error. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-4644) [Ranger UI] Clicking on the policy Id in the access audits (audits related to gds) leads to an error
[ https://issues.apache.org/jira/browse/RANGER-4644?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Abhishek updated RANGER-4644: - Attachment: screenshot_with_fix.png > [Ranger UI] Clicking on the policy Id in the access audits (audits related to > gds) leads to an error > > > Key: RANGER-4644 > URL: https://issues.apache.org/jira/browse/RANGER-4644 > Project: Ranger > Issue Type: Sub-task > Components: admin, Ranger >Reporter: Abhishek >Assignee: Abhishek >Priority: Major > Labels: ranger-react > Attachments: Screenshot 2024-01-11 at 1.43.43 AM.png, > screenshot_with_fix.png > > > In the GDS access audits, if the user clicks on the policy id of a particular > audit, then it leads to an error. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (RANGER-4644) [Ranger UI] Clicking on the policy Id in the access audits (audits related to gds) leads to an error
[ https://issues.apache.org/jira/browse/RANGER-4644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17814932#comment-17814932 ] Abhishek commented on RANGER-4644: -- Currently, the issue can be solved by fetching the gds servicedef by name only for cases when the service type in the access audits is equal to gds. Attaching the screenshot with the fix for reference Thank you > [Ranger UI] Clicking on the policy Id in the access audits (audits related to > gds) leads to an error > > > Key: RANGER-4644 > URL: https://issues.apache.org/jira/browse/RANGER-4644 > Project: Ranger > Issue Type: Sub-task > Components: admin, Ranger >Reporter: Abhishek >Assignee: Abhishek >Priority: Major > Labels: ranger-react > Attachments: Screenshot 2024-01-11 at 1.43.43 AM.png > > > In the GDS access audits, if the user clicks on the policy id of a particular > audit, then it leads to an error. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (RANGER-4644) [Ranger UI] Clicking on the policy Id in the access audits (audits related to gds) leads to an error
[ https://issues.apache.org/jira/browse/RANGER-4644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17814846#comment-17814846 ] Abhishek commented on RANGER-4644: -- Hi [~madhan] , Can you please let me know if there is any particular reason why the GDS servicedef is restricted from being fetched in the "/plugins/definitions" endpoint? Reference :- [https://github.com/apache/ranger/blob/834c211c6d95b6c20399d21535dda5010740383e/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefServiceBase.java#L627] The issue mentioned in the Jira is taking place because, during the rendering of the policy details popup in the UI (from the access audits), a request is being made to "plugins/defintions" endpoint to find the servicedef for the GDS policy, and the response does not contain the GDS servicedef, which leads to an error on the UI. Thank you > [Ranger UI] Clicking on the policy Id in the access audits (audits related to > gds) leads to an error > > > Key: RANGER-4644 > URL: https://issues.apache.org/jira/browse/RANGER-4644 > Project: Ranger > Issue Type: Sub-task > Components: admin, Ranger >Reporter: Abhishek >Assignee: Abhishek >Priority: Major > Labels: ranger-react > Attachments: Screenshot 2024-01-11 at 1.43.43 AM.png > > > In the GDS access audits, if the user clicks on the policy id of a particular > audit, then it leads to an error. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-4692) Sorting on the Ranger Admin - Plugin Status page by event(Download,Activation)
[ https://issues.apache.org/jira/browse/RANGER-4692?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Rakesh Gupta updated RANGER-4692: - Description: Currently there are different type like (Policy, Role, Tag, and GDS) on plugin status. when we have plugins(large enough to accommodate in single page), It will be helpful to identify any out-of-sync plugins based on download times, sorting them by policyDownloadTime, tagDownloadTime, roleDownloadTime and gdsDownloadTime. was: Currently there are different type like (Policy, Role, Tag, and GDS) on plugin status. when we have plugins(large enough to accommodate in single page), It will be helpful to identify any out-of-sync plugins based on download times, sorting them by policyDownloadTime, tagDownloadTime, and roleDownloadTime. > Sorting on the Ranger Admin - Plugin Status page by event(Download,Activation) > -- > > Key: RANGER-4692 > URL: https://issues.apache.org/jira/browse/RANGER-4692 > Project: Ranger > Issue Type: New Feature > Components: Ranger >Reporter: Rakesh Gupta >Assignee: Rakesh Gupta >Priority: Major > > Currently there are different type like (Policy, Role, Tag, and GDS) on > plugin status. > when we have plugins(large enough to accommodate in single page), It will be > helpful to identify any out-of-sync plugins based on download times, sorting > them by policyDownloadTime, tagDownloadTime, roleDownloadTime and > gdsDownloadTime. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-4692) Sorting on the Ranger Admin - Plugin Status page by event(Download,Activation)
[ https://issues.apache.org/jira/browse/RANGER-4692?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Rakesh Gupta updated RANGER-4692: - Description: Currently there are different type like (Policy, Role, Tag, and GDS) on plugin status. when we have plugins(large enough to accommodate in single page), It will be helpful to identify any out-of-sync plugins based on download times, sorting them by policyDownloadTime, tagDownloadTime, and roleDownloadTime. was: Currently there are different type like (Policy, Role, Tag, and GDS) on plugin status. when we have plugins(large enough to accommodate in single page), It will be helpful to identify any out-of-sync issues based on download times, sorting them by policyDownloadTime, tagDownloadTime, and roleDownloadTime. > Sorting on the Ranger Admin - Plugin Status page by event(Download,Activation) > -- > > Key: RANGER-4692 > URL: https://issues.apache.org/jira/browse/RANGER-4692 > Project: Ranger > Issue Type: New Feature > Components: Ranger >Reporter: Rakesh Gupta >Assignee: Rakesh Gupta >Priority: Major > > Currently there are different type like (Policy, Role, Tag, and GDS) on > plugin status. > when we have plugins(large enough to accommodate in single page), It will be > helpful to identify any out-of-sync plugins based on download times, sorting > them by policyDownloadTime, tagDownloadTime, and roleDownloadTime. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Created] (RANGER-4692) Sorting on the Ranger Admin - Plugin Status page by event(Download,Activation)
Rakesh Gupta created RANGER-4692: Summary: Sorting on the Ranger Admin - Plugin Status page by event(Download,Activation) Key: RANGER-4692 URL: https://issues.apache.org/jira/browse/RANGER-4692 Project: Ranger Issue Type: New Feature Components: Ranger Reporter: Rakesh Gupta Assignee: Rakesh Gupta Currently there are different type like (Policy, Role, Tag, and GDS) on plugin status. when we have plugins(large enough to accommodate in single page), It will be helpful to identify any out-of-sync issues based on download times, sorting them by policyDownloadTime, tagDownloadTime, and roleDownloadTime. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Assigned] (RANGER-4691) GDS: Only a Dataset admin user should be able to create a DatashareInDataset request with REQUESTED status
[ https://issues.apache.org/jira/browse/RANGER-4691?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Anand Nadar reassigned RANGER-4691: --- Assignee: Anand Nadar > GDS: Only a Dataset admin user should be able to create a DatashareInDataset > request with REQUESTED status > -- > > Key: RANGER-4691 > URL: https://issues.apache.org/jira/browse/RANGER-4691 > Project: Ranger > Issue Type: Task > Components: admin >Reporter: Anand Nadar >Assignee: Anand Nadar >Priority: Critical > > When a datashareInDataset request is created for REQUESTED status, it should > only be allowed by the dataset admin users. > If any other user attempts to create the request with REQUESTED status, then > validation error should be thrown saying that the user is not the dataset > owner. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Created] (RANGER-4691) GDS: Only a Dataset admin user should be able to create a DatashareInDataset request with REQUESTED status
Anand Nadar created RANGER-4691: --- Summary: GDS: Only a Dataset admin user should be able to create a DatashareInDataset request with REQUESTED status Key: RANGER-4691 URL: https://issues.apache.org/jira/browse/RANGER-4691 Project: Ranger Issue Type: Task Components: admin Reporter: Anand Nadar When a datashareInDataset request is created for REQUESTED status, it should only be allowed by the dataset admin users. If any other user attempts to create the request with REQUESTED status, then validation error should be thrown saying that the user is not the dataset owner. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Assigned] (RANGER-4690) Access Audits - Resource policy version used for mask policy leading to Error page
[ https://issues.apache.org/jira/browse/RANGER-4690?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sanket Shelar reassigned RANGER-4690: - Assignee: Sanket Shelar > Access Audits - Resource policy version used for mask policy leading to Error > page > -- > > Key: RANGER-4690 > URL: https://issues.apache.org/jira/browse/RANGER-4690 > Project: Ranger > Issue Type: Bug > Components: Ranger >Reporter: suja s >Assignee: Sanket Shelar >Priority: Major > > Create a ranger hive policy for user u1 to access table t1. > Create table t1 and add data > Edit the policy to have multiple versions. Polocy version is now 'y' > Create a ranger hive masking policy for one of the columns of t1. > Edit the policy to have multiple versions. Policy version is less than 'y' > example, if resource policy version is 5, have masking policy version as 4. > Try insert command on t1. It fails now as there is a masking policy. > Inspect access audits on ranger admin UI. Click on policyid for the denied > audit for insert > CURRENT BEHAVIOUR: > Access audits show version of resource policy for mask policy id, so querying > for policy details leads to data not found error page > Policy cache json file on plugin side has the right version, x_policy table > has the right entries for corresponding masking policy -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Created] (RANGER-4690) Access Audits - Resource policy version used for mask policy leading to Error page
suja s created RANGER-4690: -- Summary: Access Audits - Resource policy version used for mask policy leading to Error page Key: RANGER-4690 URL: https://issues.apache.org/jira/browse/RANGER-4690 Project: Ranger Issue Type: Bug Components: Ranger Reporter: suja s Create a ranger hive policy for user u1 to access table t1. Create table t1 and add data Edit the policy to have multiple versions. Polocy version is now 'y' Create a ranger hive masking policy for one of the columns of t1. Edit the policy to have multiple versions. Policy version is less than 'y' example, if resource policy version is 5, have masking policy version as 4. Try insert command on t1. It fails now as there is a masking policy. Inspect access audits on ranger admin UI. Click on policyid for the denied audit for insert CURRENT BEHAVIOUR: Access audits show version of resource policy for mask policy id, so querying for policy details leads to data not found error page Policy cache json file on plugin side has the right version, x_policy table has the right entries for corresponding masking policy -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-4689) Fix Ranger Javapatch failure even if service-defs do not exist in ranger DB
[ https://issues.apache.org/jira/browse/RANGER-4689?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Pradeep Agrawal updated RANGER-4689: Attachment: 0001-RANGER-4689-Fix-Ranger-Javapatch-failure-even-if-ser.patch > Fix Ranger Javapatch failure even if service-defs do not exist in ranger DB > --- > > Key: RANGER-4689 > URL: https://issues.apache.org/jira/browse/RANGER-4689 > Project: Ranger > Issue Type: Bug > Components: Ranger >Affects Versions: 3.0.0 >Reporter: Pradeep Agrawal >Assignee: Pradeep Agrawal >Priority: Major > Attachments: > 0001-RANGER-4689-Fix-Ranger-Javapatch-failure-even-if-ser.patch > > -- This message was sent by Atlassian Jira (v8.20.10#820010)
Review Request 74862: RANGER-4689: Fix Ranger Javapatch failure even if service-defs do not exist in ranger DB
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/74862/ --- Review request for ranger, Abhishek Kumar, bhavik patel, Dhaval Shah, Dineshkumar Yadav, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy. Bugs: RANGER-4689 https://issues.apache.org/jira/browse/RANGER-4689 Repository: ranger Description --- **Problem Statement:** In a certain environment its possible that user may not have all service-defs, in that case while upgrading to higher version of ranger some java patches may fail. **Proposed solution: ** We need to add a check and skip the execution of java patches if related service-def does not exist in ranger db. Diffs - security-admin/src/main/java/org/apache/ranger/patch/PatchForHBaseServiceDefUpdate_J10035.java 75fa78ad9 security-admin/src/main/java/org/apache/ranger/patch/PatchForHiveServiceDefUpdate_J10027.java fa319bdb8 security-admin/src/main/java/org/apache/ranger/patch/PatchForMigratingOldRegimePolicyJson_J10046.java dbffc5663 security-admin/src/main/java/org/apache/ranger/patch/PatchForOzoneServiceDefConfigUpdate_J10051.java 8d3cfd3de security-admin/src/main/java/org/apache/ranger/patch/PatchForOzoneServiceDefUpdate_J10041.java 538093a98 security-admin/src/main/java/org/apache/ranger/patch/PatchForTagServiceDefUpdate_J10028.java 785e871f2 security-admin/src/main/java/org/apache/ranger/patch/PatchForUpdatingPolicyJson_J10019.java 9b99b942c Diff: https://reviews.apache.org/r/74862/diff/1/ Testing --- 1) Installed ranger from 1.x branch build along with following property ranger.supportedcomponents => kafka,knox,tag 2) Applied the patch on Apache ranger master branch, build and generate the tar file. 3) Untar the ranger admin and provided the same config which was used in ranger 1.x version (refer step 1 above) 4) Run the setup.sh script and all the java patches applied without any failure. 5) restarted ranger-admin and able to see the ranger ui. Thanks, Pradeep Agrawal