[PR] RANGER-4818: Fix updated users with role assignments from undergoing role reset to ROLE_USER [ranger]

2024-06-11 Thread via GitHub


kumaab opened a new pull request, #315:
URL: https://github.com/apache/ranger/pull/315

   ## What changes were proposed in this pull request?
   
   Allow role resets for users not part of the group based role assignment 
rules in the last page of the paged requests from usersync to ranger admin. 
   
   ## How was this patch tested?
   
   In Progress





[jira] [Updated] (RANGER-4818) [usersync] Users undergoing role reset to ROLE_USER from ROLE_SYS_ADMIN

2024-06-11 Thread Abhishek Kumar (Jira)


[ https://issues.apache.org/jira/browse/RANGER-4818?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Abhishek Kumar updated RANGER-4818:
---
Description: updateUserRoleAssignments function in XUserMgr (ranger-admin) 
resets the role of the user from admin to user role for users which are part of 
the request but are not part of the same page when paged requests are sent to 
ranger-admin from ranger-usersync.  (was: updateRoleAssignments on ranger-admin 
resets the role of the user from admin to user role for users which are part of 
the request but are not part of the same page when paged requests are sent to 
ranger-admin from ranger-usersync.)

> [usersync] Users undergoing role reset to ROLE_USER from ROLE_SYS_ADMIN
> ---
>
> Key: RANGER-4818
> URL: https://issues.apache.org/jira/browse/RANGER-4818
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 2.4.0
> Reporter: Abhishek Kumar
> Assignee: Abhishek Kumar
> Priority: Major
>
> updateUserRoleAssignments function in XUserMgr (ranger-admin) resets the role 
> of the user from admin to user role for users which are part of the request 
> but are not part of the same page when paged requests are sent to 
> ranger-admin from ranger-usersync.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Created] (RANGER-4818) [usersync] Users undergoing role reset to ROLE_USER from ROLE_SYS_ADMIN

2024-06-11 Thread Abhishek Kumar (Jira)
Abhishek Kumar created RANGER-4818:
--

Summary: [usersync] Users undergoing role reset to ROLE_USER from ROLE_SYS_ADMIN
Key: RANGER-4818
URL: https://issues.apache.org/jira/browse/RANGER-4818
Project: Ranger
Issue Type: Bug
Components: Ranger
Affects Versions: 2.4.0
Reporter: Abhishek Kumar
Assignee: Abhishek Kumar


updateRoleAssignments on ranger-admin resets the role of the user from admin to 
user role for users which are part of the request but are not part of the same 
page when paged requests are sent to ranger-admin from ranger-usersync.





Re: Review Request 75045: RANGER-4817: Optimize Ranger HDFS Authorization by combining multiple authorization calls

2024-06-11 Thread Madhan Neethiraj

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/75045/#review226537
---




hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
Lines 114 (patched)


Consider retaining the datatype of value as Set (instead of 
List).



hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
Lines 121 (patched)


Most of these new members seem to be used to measure the performance 
improvements during dev testing. Consider removing them if they are not needed 
for production:
 - AUTHZ_METRICS_TEST_USER
 - DUMP_AUTHZ_CALL_INFO
 - SAVED_EVALUATIONS
 - SAVED_EVALUATIONS_LOG
 - SAVED_EVALUATIONS_LOG_INTERVAL_MS
 - SAVED_EVALUATIONS_NEXT_LOG_TIME
 - OPER_COUNTS
 - OPER_TIME_TAKEN
 - OP_COUNT_NEXT_LOG_TIME
 - ACCESS_TYPE_COUNTS
 - LOG_INTERVAL_MS
 - LAST_PATH_IN_THREAD
 - SAME_PATH_CALL_COUNT
 - ACE_INSTANCE_COUNT

Also, consider removing class OperTimeTracker as this is likely not needed 
in production.



hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
Lines 242 (patched)


Consider removing INSTANCE_INDEX and CALL_COUNT if these are not needed in 
production.


- Madhan Neethiraj


On June 11, 2024, 7:09 p.m., Abhay Kulkarni wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/75045/
> ---
> 
> (Updated June 11, 2024, 7:09 p.m.)
> 
> 
> Review request for ranger, madhan, Madhan Neethiraj, Ramesh Mani, and 
> Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4817
> https://issues.apache.org/jira/browse/RANGER-4817
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> The focus of optimizations described below is to minimize the number of times 
> the Ranger policy-engine is called to authorize a NameNode RPC without 
> modifying the Namenode authorization interface or authorization call sequence.
> 
> This optimization is possible as the Namenode calls the authorizer more than 
> once to authorize some RPCs, as observed during the testing.
> 
> The following boolean-valued config parameter, 
> "ranger.hdfs.authz.enable.optimization", controls the optimization behaviour; 
> the default value is false, which disables the optimization.
> 
> 
> Diffs
> -
> 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
>  6a614bf2d 
>   
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
>  a56ecb268 
>   
> hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
>  b11ee62a3 
>   
> ranger-hdfs-plugin-shim/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
>  22d0b450d 
> 
> 
> Diff: https://reviews.apache.org/r/75045/diff/1/
> 
> 
> Testing
> ---
> 
> Passes all unit tests.
> Verified the optimization by setting the config parameter 
> "ranger.hdfs.authz.enable.optimization" to true.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>



Review Request 75045: RANGER-4817: Optimize Ranger HDFS Authorization by combining multiple authorization calls

2024-06-11 Thread Abhay Kulkarni

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/75045/
---

Review request for ranger, madhan, Madhan Neethiraj, Ramesh Mani, and 
Velmurugan Periasamy.


Bugs: RANGER-4817
https://issues.apache.org/jira/browse/RANGER-4817


Repository: ranger


Description
---

The focus of optimizations described below is to minimize the number of times 
the Ranger policy-engine is called to authorize a NameNode RPC without 
modifying the Namenode authorization interface or authorization call sequence.

This optimization is possible as the Namenode calls the authorizer more than 
once to authorize some RPCs, as observed during the testing.

The following boolean-valued config parameter, 
"ranger.hdfs.authz.enable.optimization", controls the optimization behaviour; 
the default value is false, which disables the optimization.


Diffs
-

  
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
 6a614bf2d 
  
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java
 a56ecb268 
  
hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
 b11ee62a3 
  
ranger-hdfs-plugin-shim/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java
 22d0b450d 


Diff: https://reviews.apache.org/r/75045/diff/1/


Testing
---

Passes all unit tests.
Verified the optimization by setting the config parameter 
"ranger.hdfs.authz.enable.optimization" to true.


Thanks,

Abhay Kulkarni



[jira] [Assigned] (RANGER-4817) Optimize Ranger HDFS Authorization by combining multiple authorization calls

2024-06-11 Thread Abhay Kulkarni (Jira)


[ https://issues.apache.org/jira/browse/RANGER-4817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Abhay Kulkarni reassigned RANGER-4817:
--

Assignee: Abhay Kulkarni

> Optimize Ranger HDFS Authorization by combining multiple authorization calls
> 
>
> Key: RANGER-4817
> URL: https://issues.apache.org/jira/browse/RANGER-4817
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Reporter: Abhay Kulkarni
> Assignee: Abhay Kulkarni
> Priority: Major
>
> The focus of optimizations described below is to minimize the number of times 
> the Ranger policy-engine is called to authorize a NameNode RPC without 
> modifying the Namenode authorization interface or authorization call sequence.
> This optimization is possible as the Namenode calls the authorizer more than 
> once to authorize some RPCs, as observed during the testing. To ensure that 
> the authorizer is provided a consistent context to represent an RPC, some 
> improvements are needed in the Namenode. Related Namenode JIRAs are
> HDFS-17478: Avoid creation of AccessControlEnforcer object for every 
> call to the authorizer, and
> HDFS-17500: Provide operation name consistently in the caller-context 
> provided to checkPermissionWithContext() API.
> Ranger authorizer is updated to leverage this context to optimize 
> authorization calls for the RPC. In particular, the following RPC operations' 
> authorization logic is updated.
>  
> List of operations with optimized authorization checks.
>  1. Create file: operation name “create”
>  2. Rename file: operation name “rename”
>  3. Delete file: operation name “delete”
>  4. Create directory: operation name “mkdirs”
>  5. List directory contents: operation name “listStatus”
>  6. Rename directory: operation name “rename”
>  7. Delete directory: operation name “delete”
>  8. Get Encryption Zone for a directory: operation name “getEZForPath”





[jira] [Created] (RANGER-4817) Optimize Ranger HDFS Authorization by combining multiple authorization calls

2024-06-11 Thread Abhay Kulkarni (Jira)
Abhay Kulkarni created RANGER-4817:
--

Summary: Optimize Ranger HDFS Authorization by combining multiple authorization calls
Key: RANGER-4817
URL: https://issues.apache.org/jira/browse/RANGER-4817
Project: Ranger
Issue Type: Improvement
Components: Ranger
Reporter: Abhay Kulkarni


The focus of optimizations described below is to minimize the number of times 
the Ranger policy-engine is called to authorize a NameNode RPC without 
modifying the Namenode authorization interface or authorization call sequence.

This optimization is possible as the Namenode calls the authorizer more than 
once to authorize some RPCs, as observed during the testing. To ensure that the 
authorizer is provided a consistent context to represent an RPC, some 
improvements are needed in the Namenode. Related Namenode JIRAs are

HDFS-17478: Avoid creation of AccessControlEnforcer object for every call 
to the authorizer, and

HDFS-17500: Provide operation name consistently in the caller-context 
provided to checkPermissionWithContext() API.

Ranger authorizer is updated to leverage this context to optimize authorization 
calls for the RPC. In particular, the following RPC operations' authorization 
logic is updated.

List of operations with optimized authorization checks.
 1. Create file: operation name “create”
 2. Rename file: operation name “rename”
 3. Delete file: operation name “delete”
 4. Create directory: operation name “mkdirs”
 5. List directory contents: operation name “listStatus”
 6. Rename directory: operation name “rename”
 7. Delete directory: operation name “delete”
 8. Get Encryption Zone for a directory: operation name “getEZForPath”


