You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Ramachandran (Jira)" <ji...@apache.org> on 2023/02/06 13:21:00 UTC

[jira] [Assigned] (RANGER-3063) 404 http status response on requesting an existing policy

     [ https://issues.apache.org/jira/browse/RANGER-3063?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ramachandran reassigned RANGER-3063:
------------------------------------

    Assignee: Ramachandran

> 404 http status response on requesting an existing policy
> ---------------------------------------------------------
>
>                 Key: RANGER-3063
>                 URL: https://issues.apache.org/jira/browse/RANGER-3063
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin
>    Affects Versions: 2.0.0
>         Environment: Cloudera, CDP (CDH) 7.1.3
> Hadoop - 3.1.1.7.1.3.0-100
> Ranger - 2.0.0.7.1.3.0-100
>            Reporter: Vyacheslav Tutrinov
>            Assignee: Ramachandran
>            Priority: Major
>
> I caught a strange behavior of the ranger admin REST API.
> The challenge was started as I saw that the 'cm_kms' service doesn't appear on the UI side however it exists in the REST API response.
> Then the trying to get policies list for this service respond by the list that contains the single policy:
> {code:bash}
> [root@vm path]# curl -XGET -u user:********** -v http://my-ranger-server-host:6080/service/public/v2/api/service/cm_kms/policy
> * About to connect() tomy-ranger-server-host port 6080 (#0)
> *   Trying 10.6.120.140...
> * Connected to my-ranger-server-host (10.6.120.140) port 6080 (#0)
> * Server auth using Basic with user 'user'
> > GET /service/public/v2/api/service/cm_kms/policy HTTP/1.1
> > Authorization: Basic *********************
> > User-Agent: curl/7.29.0
> > Host: my-ranger-server-host:6080
> > Accept: */*
> > 
> < HTTP/1.1 200 OK
> < Set-Cookie: RANGERADMINSESSIONID=42E2616A84477202A0CB4442C9C4EA88; Path=/; HttpOnly
> < X-Frame-Options: DENY
> < X-XSS-Protection: 1; mode=block
> < Strict-Transport-Security: max-age=31536000; includeSubDomains
> < Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
> < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> < Pragma: no-cache
> < Expires: 0
> < X-Content-Type-Options: nosniff
> < Content-Type: application/json
> < Transfer-Encoding: chunked
> < Date: Thu, 29 Oct 2020 07:11:15 GMT
> < Server: Apache Ranger
> < 
> [{"id":41,"guid":"52b42504-5798-4340-9da3-8e9188a3592f","isEnabled":true,"version":1,"service":"cm_kms","name":"all - keyname","policyType":0,"policyPriority":0,"description":"Policy for all - keyname","isAuditEnabled":true,"resources":{"keyname":{"values":["*"],"isExcludes":false,"isRecursive":false}},"policyItems":[{"accesses":[{"type":"create","isAllowed":true},{"type":"delete","isAllowed":true},{"type":"rollover","isAllowed":true},{"type":"setkeymaterial","isAllowed":true},{"type":"get","isAllowed":true},{"type":"getkeys","isAllowed":true},{"type":"getmetadata","isAllowed":true},{"type":"generateeek","isAllowed":true},{"type":"decrypteek","isAllowed":true}],"users":["keyadmin"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":true},{"accesses":[{"type":"getmetadata","isAllowed":true},{"type":"generateeek","isAllowed":true}],"users":["hdfs"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":true},{"accesses":[{"type":"getmetadata","isAllowed":true},{"type":"decrypteek","isAllowed":true}],"users":["hive"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":true}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"serviceType":"kms","options":{},"validitySchedules":[],"policyLabels":[],"zoneName":"","isDenyAllElse":false}]
> {code}
> However the request for the specific policy by name 'all - keyname' responded by 404 status:
> {code:bash}
> [root@vm path]# curl -XGET -u user:********** -v http://my-ranger-server-host:6080/service/public/v2/api/service/cm_kms/policy/all%20-%20keyname
> * About to connect() to my-ranger-server-host port 6080 (#0)
> *   Trying 10.6.120.140...
> * Connected to my-ranger-server-host (10.6.120.140) port 6080 (#0)
> * Server auth using Basic with user 'user'
> > GET /service/public/v2/api/service/cm_kms/policy/all%20-%20keyname HTTP/1.1
> > Authorization: Basic ***************************
> > User-Agent: curl/7.29.0
> > Host: my-ranger-server-host:6080
> > Accept: */*
> > 
> < HTTP/1.1 404 Not Found
> < Set-Cookie: RANGERADMINSESSIONID=2885FFB77C5B83345F5F6C0F4E7CB4D8; Path=/; HttpOnly
> < X-Frame-Options: DENY
> < X-XSS-Protection: 1; mode=block
> < Strict-Transport-Security: max-age=31536000; includeSubDomains
> < Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
> < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> < Pragma: no-cache
> < Expires: 0
> < X-Content-Type-Options: nosniff
> < Content-Type: application/json
> < Transfer-Encoding: chunked
> < Date: Thu, 29 Oct 2020 07:43:14 GMT
> < Server: Apache Ranger
> < 
> * Connection #0 to host my-ranger-server-host left intact
> Not found
> {code}
> PUT request to update the policy responds the same way (404), but POST request to create policy with the same name responds by 400 status - a policy with 'all - keyname' already exists
> But the similar call chain works (GET list of polcies, GET policy by name) perfectly for the 'cm_hdfs' service policies:
> {code:bash}
> [root@vm path]# curl -XGET -u user:*********** -v http://my-ranger-server-host:6080/service/public/v2/api/service/cm_hdfs/policy
> * About to connect() to my-ranger-server-host port 6080 (#0)
> *   Trying 10.6.120.140...
> * Connected to my-ranger-server-host (10.6.120.140) port 6080 (#0)
> * Server auth using Basic with user 'user'
> > GET /service/public/v2/api/service/cm_hdfs/policy HTTP/1.1
> > Authorization: Basic *************************
> > User-Agent: curl/7.29.0
> > Host: my-ranger-server-host:6080
> > Accept: */*
> > 
> < HTTP/1.1 200 OK
> < Set-Cookie: RANGERADMINSESSIONID=9D112823529E0F1695CB94A4C5081C0E; Path=/; HttpOnly
> < X-Frame-Options: DENY
> < X-XSS-Protection: 1; mode=block
> < Strict-Transport-Security: max-age=31536000; includeSubDomains
> < Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
> < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> < Pragma: no-cache
> < Expires: 0
> < X-Content-Type-Options: nosniff
> < Content-Type: application/json
> < Transfer-Encoding: chunked
> < Date: Thu, 29 Oct 2020 07:44:32 GMT
> < Server: Apache Ranger
> < 
> [{"id":1,"guid":"3c1fafbb-bf6c-4916-9ae5-e36ec28a1071","isEnabled":true,"version":13,"service":"cm_hdfs","name":"all - path","policyType":0,"policyPriority":0,"description":"Policy for all - path","isAuditEnabled":true,"resources":{"path":{"values":["/*"],"isExcludes":false,"isRecursive":true}},"policyItems":[{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true},{"type":"execute","isAllowed":true}],"users":["rangertagsync","hdfs"],"groups":["cloudera-scm","hadoop"],"roles":[],"conditions":[],"delegateAdmin":true}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"serviceType":"hdfs","options":{},"validitySchedules":[],"policyLabels":[],"zoneName":"","isDenyAllElse":false},{"id":2,"guid":"422c3e21-4162-43e8-a884-74791e6e4b39","isEnabled":true,"version":1,"service":"cm_hdfs","name":"kms-audit-path","policyType":0,"policyPriority":0,"description":"Policy for kms-audit-path","isAuditEnabled":true,"resources":{"path":{"values* Connection #0 to host vtutr01-vm0.bdauto.wandisco.com left intact
> ":["/ranger/audit/kms"],"isExcludes":false,"isRecursive":true}},"policyItems":[{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true},{"type":"execute","isAllowed":true}],"users":["keyadmin"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":false}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"serviceType":"hdfs","options":{},"validitySchedules":[],"policyLabels":[],"zoneName":"","isDenyAllElse":false}]
>  
>  
>  
> [root@vm path]# curl -XGET -u user:**************** -v http://my-ranger-server-host:6080/service/public/v2/api/service/cm_hdfs/policy/all%20-%20path
> * About to connect() to my-ranger-server-host port 6080 (#0)
> *   Trying 10.6.120.140...
> * Connected to my-ranger-server-host (10.6.120.140) port 6080 (#0)
> * Server auth using Basic with user 'user'
> > GET /service/public/v2/api/service/cm_hdfs/policy/all%20-%20path HTTP/1.1
> > Authorization: Basic *********************
> > User-Agent: curl/7.29.0
> > Host: my-ranger-server-host:6080
> > Accept: */*
> > 
> < HTTP/1.1 200 OK
> < Set-Cookie: RANGERADMINSESSIONID=4179CB624F0F54402CAE4F6158A0082F; Path=/; HttpOnly
> < X-Frame-Options: DENY
> < X-XSS-Protection: 1; mode=block
> < Strict-Transport-Security: max-age=31536000; includeSubDomains
> < Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
> < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> < Pragma: no-cache
> < Expires: 0
> < X-Content-Type-Options: nosniff
> < Content-Type: application/json
> < Transfer-Encoding: chunked
> < Date: Thu, 29 Oct 2020 07:45:19 GMT
> < Server: Apache Ranger
> < 
> * Connection #0 to host my-ranger-server-host left intact
> {"id":1,"guid":"3c1fafbb-bf6c-4916-9ae5-e36ec28a1071","isEnabled":true,"version":13,"service":"cm_hdfs","name":"all - path","policyType":0,"policyPriority":0,"description":"Policy for all - path","isAuditEnabled":true,"resources":{"path":{"values":["/*"],"isExcludes":false,"isRecursive":true}},"policyItems":[{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true},{"type":"execute","isAllowed":true}],"users":["rangertagsync","hdfs"],"groups":["cloudera-scm","hadoop"],"roles":[],"conditions":[],"delegateAdmin":true}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"serviceType":"hdfs","options":{},"validitySchedules":[],"policyLabels":[],"zoneName":"","isDenyAllElse":false}
> {code}
> And IDE debugger says me that the filtered policies list size is equals to 0 (org.apache.ranger.rest.PublicAPIsv2#getPolicyByName)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)