[jira] [Created] (RANGER-2573) Ranger hbase policy not taking effect if column-family name is given in policy

2019-09-17 Thread Anuja Leekha (Jira)
Anuja Leekha created RANGER-2573:


 Summary: Ranger hbase policy not taking effect if column-family 
name is given in policy
 Key: RANGER-2573
 URL: https://issues.apache.org/jira/browse/RANGER-2573
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Affects Versions: 2.1.0
Reporter: Anuja Leekha
 Fix For: 2.1.0


SCENARIO:

Create Hbase policy as:

Hbase table: table1

HBase Column-family: family1

HBase Column: *

User: 

Permissions: All

 

As user with , Open hbase shell and give the following command: 

create 'table1','family1'
org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient 
permissions for user '' (action=create)
 



--
This message was sent by Atlassian Jira
(v8.3.2#803003)


[jira] [Created] (RANGER-2224) 'drop temporary function ' command should be handled by 'global' resource and 'Temporary UDF Admin' permission.

2018-09-13 Thread Anuja Leekha (JIRA)
Anuja Leekha created RANGER-2224:


 Summary: 'drop temporary function ' command should be handled 
by 'global' resource and 'Temporary UDF Admin' permission.
 Key: RANGER-2224
 URL: https://issues.apache.org/jira/browse/RANGER-2224
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Affects Versions: 2.0.0
Reporter: Anuja Leekha
 Fix For: 2.0.0


'drop temporary function ' command should be handled by 'global' resource 
and 'Temporary UDF Admin' permission.
As of today, in order to drop a temporary UDF, you need a policy with 
Database=* , UDF=* , permission=Drop.





[jira] [Created] (RANGER-2090) Empty start and end time Strings should be interpreted same as NULL in Ranger

2018-04-30 Thread Anuja Leekha (JIRA)
Anuja Leekha created RANGER-2090:


 Summary: Empty start and end time Strings should be interpreted 
same as NULL in Ranger
 Key: RANGER-2090
 URL: https://issues.apache.org/jira/browse/RANGER-2090
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Reporter: Anuja Leekha
 Fix For: master, 0.7.2, 1.1.0, 1.0.1


Empty start and end time Strings should be interpreted same as NULL in Ranger





[jira] [Created] (RANGER-2066) Error in logging audit for Hbase Tag flow

2018-04-11 Thread Anuja Leekha (JIRA)
Anuja Leekha created RANGER-2066:


 Summary: Error in logging audit for Hbase Tag flow
 Key: RANGER-2066
 URL: https://issues.apache.org/jira/browse/RANGER-2066
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Affects Versions: 1.0.0, master
Reporter: Anuja Leekha
 Fix For: master, 1.1.0


ERROR SCENARIO:

Table emp has 2 col-families: personal_data(name,SSN,age) ; prof_data(role, 
manager)
Column emp/prof_data/role is tagged with OFFICIAL tag.

Create following policies:
Rsrc policy allows R on *,*,* 
Tag policy allows R on OFFICIAL tag (emp/prof_data/role).

'scan emp' audit shows 2 rows:
1. Resource: emp/personal_data
Name / Type: column-family
Allowed
Policy allowing: Access based policy [Tag column shows PII]

2. Resource: emp/prof_data
Name / Type: column-family
Allowed
Policy allowing: TAG based policy -> How can column level tag 
based policy authorize whole of column family?
TAG: OFFICIAL

This gives the impression that whole of personal_data column-family is tagged 
with the OFFICIAL tag.

Solution: Audit should be generated column wise so that each column can show 
the correct policy id authorizing it.

 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
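The audit scenario in RANGER-2066 above, as an added example that is not part of the original report and is not Ranger's evaluator or audit code. It is a simplified model: the data mirrors the report, while the function names, the tag-first lookup, and the family-level rollup rule are assumptions chosen to reproduce the two audit rows the report shows.

```python
from collections import namedtuple

Audit = namedtuple("Audit", "resource rtype policy tag")

# Constructed sample data mirroring the report.
TABLE = {"emp": {"personal_data": ["name", "SSN", "age"],
                 "prof_data": ["role", "manager"]}}
TAGS = {"emp/prof_data/role": "OFFICIAL"}   # only this column is tagged
TAG_POLICY_READ = {"OFFICIAL"}              # tag policy allows R on OFFICIAL
RESOURCE_POLICY_READ = True                 # resource policy allows R on *,*,*


def authorize(path):
    """Return (policy kind, tag) for a read on one column (model only)."""
    tag = TAGS.get(path)
    if tag in TAG_POLICY_READ:              # assumption: tag policies are checked first
        return ("TAG based policy", tag)
    if RESOURCE_POLICY_READ:
        return ("Access based policy", None)
    return ("Denied", None)


def audit_per_column(table):
    """Proposed behaviour: one audit row per column, each with its own policy."""
    return [Audit(f"{table}/{fam}/{col}", "column",
                  *authorize(f"{table}/{fam}/{col}"))
            for fam, cols in TABLE[table].items() for col in cols]


def audit_per_family(table):
    """Reported behaviour: one row per family; a tag decision on any column
    labels the whole family (assumed rollup rule)."""
    rows = []
    for fam, cols in TABLE[table].items():
        decisions = [authorize(f"{table}/{fam}/{c}") for c in cols]
        tagged = [d for d in decisions if d[1]]
        rows.append(Audit(f"{table}/{fam}", "column-family",
                          *(tagged[0] if tagged else decisions[0])))
    return rows


def misattributed(table):
    """Columns whose family-level audit row names a policy that did not authorize them."""
    family_policy = {r.resource: r.policy for r in audit_per_family(table)}
    return [r.resource for r in audit_per_column(table)
            if family_policy[r.resource.rsplit("/", 1)[0]] != r.policy]


if __name__ == "__main__":
    for row in audit_per_family("emp") + audit_per_column("emp"):
        print(row)
    print("misattributed:", misattributed("emp"))
```

The per-column rows keep the OFFICIAL tag attached to emp/prof_data/role only, which is what an auditor reviewing tag-policy coverage needs to see.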


[jira] [Created] (RANGER-2053) Import Ranger Policy(ies) failing with NullPointerException

2018-03-29 Thread Anuja Leekha (JIRA)
Anuja Leekha created RANGER-2053:


 Summary: Import Ranger Policy(ies) failing with 
NullPointerException
 Key: RANGER-2053
 URL: https://issues.apache.org/jira/browse/RANGER-2053
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Affects Versions: 1.1.0, 1.0.1
Reporter: Anuja Leekha
 Fix For: 1.1.0, 1.0.1


Trying to import policies through Ranger Admin UI fails with NPE.

Error in logs:
2018-03-27 21:05:45,862 [http-bio-6080-exec-27] ERROR org.apache.ranger.rest.ServiceREST (ServiceREST.java:2185) - Error while importing policy from file!!
java.lang.NullPointerException
    at org.apache.ranger.common.RangerSearchUtil.getSearchFilter(RangerSearchUtil.java:48)
    at org.apache.ranger.rest.ServiceREST.getServicePoliciesByName(ServiceREST.java:2541)
    at org.apache.ranger.rest.ServiceREST.deletePoliciesProvidedInServiceMap(ServiceREST.java:2315)
    at org.apache.ranger.rest.ServiceREST.importPoliciesFromFile(ServiceREST.java:2092)
    at org.apache.ranger.rest.ServiceREST$$FastClassBySpringCGLIB$$92dab672.invoke()
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:738)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
    at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:69)





[jira] [Created] (RANGER-2045) Hive column filter flag functionality has regression bug for 'xasecure.hive.describetable.showcolumns.authorization.option' set to 'none'

2018-03-27 Thread Anuja Leekha (JIRA)
Anuja Leekha created RANGER-2045:


 Summary: Hive column filter flag functionality has regression bug 
for 'xasecure.hive.describetable.showcolumns.authorization.option' set to 'none'
 Key: RANGER-2045
 URL: https://issues.apache.org/jira/browse/RANGER-2045
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Reporter: Anuja Leekha


*Test scenario*
'xasecure.hive.describetable.showcolumns.authorization.option' set to 'none'
Database 'testdb' has a table 'testtable1' with 3 columns 'name', 'age', 'city'.
Hive Policy exists giving user 'hrt_1' 'select' privilege on DB='testdb', 
table='testtable1' and columns='name', 'age' [user does not have permissions on 
'city' column].

"DESCRIBE testdb.testtable1" and "show columns in testdb.testtable1" commands 
show results with 'city' column included.

When 'xasecure.hive.describetable.showcolumns.authorization.option' is set to 
'none', Hive would follow default behavior and should deny DESCRIBE table and 
show column commands as the policy does not grant the test user access to all 
columns of the table. But the commands go through fine.

 





[jira] [Created] (RANGER-1612) When servicedef is accessed, one of the properties "enableDenyPolicies" is returned as "false" if there is no value set for it.

2017-05-24 Thread Anuja Leekha (JIRA)
Anuja Leekha created RANGER-1612:


 Summary: When servicedef is accessed, one of the properties 
"enableDenyPolicies" is returned as "false" if there is no value set for it.
 Key: RANGER-1612
 URL: https://issues.apache.org/jira/browse/RANGER-1612
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Reporter: Anuja Leekha
 Fix For: 1.0.0, 0.7.1


During the migration of the hive service def, when servicedef is accessed, one of 
the properties "enableDenyPolicies" is returned as "false" if there is no value 
set for it. 
Now, hive service def has changed (because URL as a resource is added to it). 
So when servicedef is updated, enableDenyPolicies property is updated in the 
database to be "false" which should not happen.
The migration script for service-def needs to check what the real value of this 
property is in the database and preserve it across migration.





[jira] [Updated] (RANGER-1476) External users not editable through Ranger UI

2017-03-24 Thread Anuja Leekha (JIRA)

 [ 
https://issues.apache.org/jira/browse/RANGER-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Anuja Leekha updated RANGER-1476:
-
Request participants:   (was: )
   Fix Version/s: 0.7.1

> External users not editable through Ranger UI
> -
>
> Key: RANGER-1476
> URL: https://issues.apache.org/jira/browse/RANGER-1476
> Project: Ranger
>  Issue Type: Bug
>  Components: Ranger
>Reporter: Anuja Leekha
>Priority: Critical
>  Labels: ranger
> Fix For: 0.7.1
>
>
> External users not editable through Ranger UI. Need to be able to change role.





[jira] [Created] (RANGER-1476) External users not editable through Ranger UI

2017-03-24 Thread Anuja Leekha (JIRA)
Anuja Leekha created RANGER-1476:


 Summary: External users not editable through Ranger UI
 Key: RANGER-1476
 URL: https://issues.apache.org/jira/browse/RANGER-1476
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Reporter: Anuja Leekha
Priority: Critical


External users not editable through Ranger UI. Need to be able to change role.





[jira] [Created] (RANGER-1392) Hive test connection is failing even if jdbc.url configured is correct in Ranger 0.7.0

2017-02-17 Thread Anuja Leekha (JIRA)
Anuja Leekha created RANGER-1392:


 Summary: Hive test connection is failing even if jdbc.url 
configured is correct in Ranger 0.7.0
 Key: RANGER-1392
 URL: https://issues.apache.org/jira/browse/RANGER-1392
 Project: Ranger
  Issue Type: Bug
  Components: Ranger
Reporter: Anuja Leekha
 Fix For: 0.7.0


Even if jdbc.url is correct, the Ranger Hive test connection is failing.
jdbc.url is configured to 
jdbc:hive2://ctr-e127-1486658464320-1453-01-04.hwx.site:2181,ctr-e127-1486658464320-1453-01-03.hwx.site:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2;principal=hive/_h...@example.com;transportMode=http;httpPath=cliservice;ssl=true;sslTrustStore=/etc/security/serverKeys/hivetruststore.jks;trustStorePassword=changeit
but during test connection it gives error:

org.apache.ranger.plugin.client.HadoopException: Unable to connect to Hive 
Thrift Server instance.. 
Unable to connect to Hive Thrift Server instance.. 
Could not establish connection to 
jdbc:hive2://ctr-e127-1486658464320-1453-01-04.hwx.site:10001/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2;principal=hive/_h...@example.com;transportMode=http;httpPath=cliservice;ssl=true;sslTrustStore=/etc/security/serverKeys/hivetruststore.jks;trustStorePassword=changeit:
 org.apache.hive.org.apache.http.client.ClientProtocolException. 
org.apache.hive.org.apache.http.client.ClientProtocolException. 
java.lang.RuntimeException: class 
org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback not 
org.apache.hive.org.apache.hadoop.security.GroupMappingServiceProvider. 
class org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback not 
org.apache.hive.org.apache.hadoop.security.GroupMappingServiceProvider. 

The problem is that during test connection the hiveserver2 URL 
jdbc:hive2://ctr-e127-1486658464320-1453-01-04.hwx.site:10001/; is used and 
service discovery mode is zookeeper.
I tried to connect manually to this URL and it failed due to the same error, but when 
I removed the zookeeper service discovery parameter I was able to connect using 
beeline.
So it seems this URL is being modified somewhere.

This happens in non WE clusters as well. Though the error is somewhat different:
2017-02-16 00:24:23,432 [timed-executor-pool-0] INFO  org.apache.ranger.plugin.client.BaseClient (BaseClient.java:125) - Init Lookup Login: security enabled, using lookupPrincipal/lookupKeytab
2017-02-16 00:24:23,436 [timed-executor-pool-0] INFO  apache.ranger.services.hive.client.HiveClient (HiveClient.java:67) - Secured Mode: JDBC Connection done with preAuthenticated Subject

2017-02-16 00:24:23,481 [timed-executor-pool-0] ERROR apache.ranger.services.hive.client.HiveClient (HiveClient.java:433) - Unable to Connect to Hive
org.apache.ranger.plugin.client.HadoopException: Unable to connect to Hive Thrift Server instance
    at org.apache.ranger.services.hive.client.HiveClient.initConnection(HiveClient.java:549)

As per [~rmani]: 
The issue is that the class 
org.apache.hive.org.apache.hadoop.security.GroupMappingServiceProvider from 
hive-jdbc-1.2.1000.2.6.0.0-*-standalone.jar is getting loaded by the Ranger 
class-loader, whereas 
org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback is loaded by 
the Tomcat class-loader. 
One way to fix this is to pack hive-jdbc-1.2.1000.2.6.0.0-*-standalone.jar in 
/usr/hdp/2.6.0.0-*/ranger-admin/ews/webapp/WEB-INF/lib so the type issue will 
be resolved.



