[jira] [Assigned] (RANGER-4820) Support authorization of multiple accesses grouped by access groups in one policy engine call
[ https://issues.apache.org/jira/browse/RANGER-4820?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Abhay Kulkarni reassigned RANGER-4820: -- Assignee: Abhay Kulkarni > Support authorization of multiple accesses grouped by access groups in one > policy engine call > - > > Key: RANGER-4820 > URL: https://issues.apache.org/jira/browse/RANGER-4820 > Project: Ranger > Issue Type: Improvement > Components: Ranger >Reporter: Abhay Kulkarni >Assignee: Abhay Kulkarni >Priority: Major > > Currently, Ranger policy engine supports authorization of multiple accesses > for a given resource in a single call to the Ranger plugin's > isAccessAllowed() API. However, it has some limitations which are addressed > by this JIRA. > Limitation: If multiple accesses are to be authorized, then the current > authorization logic in Ranger policy engine is designed to allow the request > to succeed (that is, grant access) only if all requested accesses are granted. > This Jira supports organizing accesses in groups where each group is granted > access if any access in the group is allowed, and the request is successful > (that is, user is allowed access) only if all groups are granted access. -- This message was sent by Atlassian Jira (v8.20.10#820010)
Review Request 75047: RANGER-4820: Support authorization of multiple accesses grouped by access groups in one policy engine call
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/75047/ --- Review request for ranger, Dineshkumar Yadav, madhan, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, and Velmurugan Periasamy. Bugs: RANGER-4820 https://issues.apache.org/jira/browse/RANGER-4820 Repository: ranger Description --- Currently, Ranger policy engine supports authorization of multiple accesses for a given resource in a single call to the Ranger plugin's isAccessAllowed() API. However, it has some limitations which are addressed by this JIRA. Limitation: If multiple accesses are to be authorized, then the current authorization logic in Ranger policy engine is designed to allow the request to succeed (that is, grant access) only if all requested accesses are granted. This Jira supports organizing accesses in groups where each group is granted access if any access in the group is allowed, and the request is successful (that is, user is allowed access) only if all groups are granted access. Diffs - agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b0dc7a461 agents-common/src/main/java/org/apache/ranger/plugin/policyengine/gds/GdsPolicyEngine.java 6a6709254 agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java c43ec4c2f agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java df0352ca9 agents-common/src/test/resources/policyengine/test_policyengine_hdfs_multiple_accesses.json 8962c5a3f hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java c892bced3 Diff: https://reviews.apache.org/r/75047/diff/1/ Testing --- Updated the unit tests for muliple access (agents-common/src/test/resources/policyengine/test_policyengine_hdfs_multiple_accesses.json). Ran all unit tests successfully. Thanks, Abhay Kulkarni
[jira] [Created] (RANGER-4820) Support authorization of multiple accesses grouped by access groups in one policy engine call
Abhay Kulkarni created RANGER-4820: -- Summary: Support authorization of multiple accesses grouped by access groups in one policy engine call Key: RANGER-4820 URL: https://issues.apache.org/jira/browse/RANGER-4820 Project: Ranger Issue Type: Improvement Components: Ranger Reporter: Abhay Kulkarni Currently, Ranger policy engine supports authorization of multiple accesses for a given resource in a single call to the Ranger plugin's isAccessAllowed() API. However, it has some limitations which are addressed by this JIRA. Limitation: If multiple accesses are to be authorized, then the current authorization logic in Ranger policy engine is designed to allow the request to succeed (that is, grant access) only if all requested accesses are granted. This Jira supports organizing accesses in groups where each group is granted access if any access in the group is allowed, and the request is successful (that is, user is allowed access) only if all groups are granted access. -- This message was sent by Atlassian Jira (v8.20.10#820010)
Re: Review Request 75045: RANGER-4817: Optimize Ranger HDFS Authorization by combining multiple authorization calls
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/75045/#review226539 --- Ship it! Ship It! - Madhan Neethiraj On June 12, 2024, 4:42 p.m., Abhay Kulkarni wrote: > > --- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/75045/ > --- > > (Updated June 12, 2024, 4:42 p.m.) > > > Review request for ranger, madhan, Madhan Neethiraj, Ramesh Mani, and > Velmurugan Periasamy. > > > Bugs: RANGER-4817 > https://issues.apache.org/jira/browse/RANGER-4817 > > > Repository: ranger > > > Description > --- > > The focus of optimizations described below is to minimize the number of times > the Ranger policy-engine is called to authorize a NameNode RPC without > modifying the Namenode authorization interface or authorization call sequence. > > This optimization is possible as the Namenode calls the authorizer more than > once to authorize some RPCs, as observed during the testing. > > The following boolean valued config parameter - > "ranger.hdfs.authz.enable.optimization" control the optimization behaviour; > default value is false which disables the optimization. > > > Diffs > - > > > agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java > 6a614bf2d > > agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java > a56ecb268 > > hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java > b11ee62a3 > > ranger-hdfs-plugin-shim/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java > 22d0b450d > > > Diff: https://reviews.apache.org/r/75045/diff/2/ > > > Testing > --- > > Passes all unit tests. > Verified the optimization by setting the config parameter > "ranger.hdfs.authz.enable.optimization" to true. > > > Thanks, > > Abhay Kulkarni > >
Re: Review Request 75045: RANGER-4817: Optimize Ranger HDFS Authorization by combining multiple authorization calls
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/75045/ --- (Updated June 12, 2024, 4:42 p.m.) Review request for ranger, madhan, Madhan Neethiraj, Ramesh Mani, and Velmurugan Periasamy. Changes --- Addressed review comments Bugs: RANGER-4817 https://issues.apache.org/jira/browse/RANGER-4817 Repository: ranger Description --- The focus of optimizations described below is to minimize the number of times the Ranger policy-engine is called to authorize a NameNode RPC without modifying the Namenode authorization interface or authorization call sequence. This optimization is possible as the Namenode calls the authorizer more than once to authorize some RPCs, as observed during the testing. The following boolean valued config parameter - "ranger.hdfs.authz.enable.optimization" control the optimization behaviour; default value is false which disables the optimization. Diffs (updated) - agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 6a614bf2d agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java a56ecb268 hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java b11ee62a3 ranger-hdfs-plugin-shim/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java 22d0b450d Diff: https://reviews.apache.org/r/75045/diff/2/ Changes: https://reviews.apache.org/r/75045/diff/1-2/ Testing --- Passes all unit tests. Verified the optimization by setting the config parameter "ranger.hdfs.authz.enable.optimization" to true. Thanks, Abhay Kulkarni
[jira] [Updated] (RANGER-4816) build Trino Ranger plugin in Trino project
[ https://issues.apache.org/jira/browse/RANGER-4816?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-4816: - Attachment: (was: RANGER-4810.patch) > build Trino Ranger plugin in Trino project > -- > > Key: RANGER-4816 > URL: https://issues.apache.org/jira/browse/RANGER-4816 > Project: Ranger > Issue Type: Sub-task > Components: plugins >Reporter: Madhan Neethiraj >Assignee: Madhan Neethiraj >Priority: Major > Attachments: RANGER-4810-trino-repo.patch > > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (RANGER-4816) build Trino Ranger plugin in Trino project
[ https://issues.apache.org/jira/browse/RANGER-4816?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Madhan Neethiraj updated RANGER-4816: - Attachment: RANGER-4810-trino-repo.patch > build Trino Ranger plugin in Trino project > -- > > Key: RANGER-4816 > URL: https://issues.apache.org/jira/browse/RANGER-4816 > Project: Ranger > Issue Type: Sub-task > Components: plugins >Reporter: Madhan Neethiraj >Assignee: Madhan Neethiraj >Priority: Major > Attachments: RANGER-4810-trino-repo.patch, RANGER-4810.patch > > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Assigned] (RANGER-4777) Improve API /public/v2/api/service-headers to filter services depending on user role
[ https://issues.apache.org/jira/browse/RANGER-4777?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Dineshkumar Yadav reassigned RANGER-4777: - Assignee: Rakesh Gupta (was: Madhan Neethiraj) > Improve API /public/v2/api/service-headers to filter services depending on > user role > > > Key: RANGER-4777 > URL: https://issues.apache.org/jira/browse/RANGER-4777 > Project: Ranger > Issue Type: Bug > Components: admin, Ranger >Reporter: Mugdha Varadkar >Assignee: Rakesh Gupta >Priority: Major > > Need to update the API - "/public/v2/api/service-headers" introduce in > RANGER-4533 with below : > # The API should be accessible for non-admin users as well. @PreAuthrize > annotation can be removed. > # Filtering of services depending on user role like done for existing API - > "/plugins/services" > cc [~dineshkumar-yadav] / [~Dhaval.Rajpara] -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Assigned] (RANGER-4711) Show grant on table command is not audited by ranger
[ https://issues.apache.org/jira/browse/RANGER-4711?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Guru Thejus reassigned RANGER-4711: --- Assignee: Guru Thejus > Show grant on table command is not audited by ranger > > > Key: RANGER-4711 > URL: https://issues.apache.org/jira/browse/RANGER-4711 > Project: Ranger > Issue Type: Bug > Components: audit >Reporter: suja s >Assignee: Guru Thejus >Priority: Major > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Created] (RANGER-4819) Proposal to Upgrade All React.js Dependent Libraries
Dhaval Rajpara created RANGER-4819: -- Summary: Proposal to Upgrade All React.js Dependent Libraries Key: RANGER-4819 URL: https://issues.apache.org/jira/browse/RANGER-4819 Project: Ranger Issue Type: Bug Components: Ranger Reporter: Dhaval Rajpara Assignee: Dhaval Rajpara Upgrading all dependent libraries for React.js in our project. This will ensure we are using the latest versions, improving security, performance, and compatibility with new features. # babel/traverse # axios # braces # follow-redirects # json5 # loader-utils # minimist # moment # terser # webpack # webpack-dev-middleware -- This message was sent by Atlassian Jira (v8.20.10#820010)
