Posted to dev@ranger.apache.org by "Rotondi, Antonio " <an...@credit-suisse.com.INVALID> on 2023/05/16 10:18:31 UTC
Issue with abac on trino plugin
Hello to everyone.
We have built 2.4.0 from source code and deployed Ranger to OpenShift and its Trino plugin into our Trino cluster.
We are enriching users with attributes taken from LDAP by the synchuser.
When setting a row-level policy in Ranger, using a user attribute in the condition, it will fail with
ERROR - failed to initialize condition '_expression': script engine 'JavaScript' was not created
I will need to debug this but if you have some advice it will be greatly welcome.
One thing important to report here is: even if the policy fails, permissions to the data are still granted!
I assume this not to be the intended behaviour.
All the best,
Antonio Rotondi
=================================================================================================
Please access the attached hyperlink for an important electronic communications disclaimer:
http://www.credit-suisse.com/legal/en/disclaimer_email_ib.html
California residents, click here https://www.credit-suisse.com/us/en/legal/privacy-statement.html
for information on your privacy rights. For other regions, unless otherwise specified, locate the
privacy policy at the bottom of your country page https://www.credit-suisse.com/global/en.html,
where applicable.
=================================================================================================
RE: Issue with abac on trino plugin
Posted by "Rotondi, Antonio " <an...@credit-suisse.com.INVALID>.
Hi all,
Please let me know if I need to raise a Jira for the access policy violation bug and, if so, give me an indication of how to get access to the Jira space.
Regarding the script engine instantiation, I will try to hardcode an association in the plugin.
Best regards,
Antonio Rotondi
IA Architecture
From: Rotondi, Antonio (RAGD 9)
Sent: 17 May 2023 13:02
To: Madhan Neethiraj <ma...@apache.org>; dev@ranger.apache.org
Subject: RE: Issue with abac on trino plugin
Another thing I noticed is that the condition script in the row filter is checked four times!
2023-05-17T11:55:33.172Z INFO Query-20230517_115441_00003_dik7b-310 stdout ERROR - failed to evaluate condition '_expression': script engine not found
2023-05-17T11:55:34.278Z INFO Query-20230517_115441_00003_dik7b-310 stdout ERROR - failed to evaluate condition '_expression': script engine not found
2023-05-17T11:55:35.111Z INFO Query-20230517_115441_00003_dik7b-310 stdout ERROR - failed to evaluate condition '_expression': script engine not found
2023-05-17T11:55:35.331Z INFO Query-20230517_115441_00003_dik7b-310 stdout ERROR - failed to evaluate condition '_expression': script engine not found
2023-05-17T11:55:35.540Z INFO Query-20230517_115441_00003_dik7b-310 stdout ERROR - failed to evaluate condition '_expression': script engine not found
This slows down the query considerably.
Thanks,
Antonio Rotondi
IA Architecture
From: Rotondi, Antonio (RAGD 9)
Sent: 17 May 2023 12:49
To: Madhan Neethiraj <ma...@apache.org>; dev@ranger.apache.org
Subject: RE: Issue with abac on trino plugin
Hi Madhan,
Thanks for your reply.
I applied the required change. I had to add the library to the Trino plugin distro assembly as well and remove the Nashorn one from the code base as there is no version of that library for JDK >= 11.
I can see the js library in the Trino plugin runtime dir:
[inline screenshot omitted]
However the problem still persists. I think that is due to the lack of entries in the “nameAssociations” map in ScriptEngineManager.
How do I set that?
Also I noticed that the return Boolean of isMatched in RangerScriptConditionEvaluator is set optimistically to true at the start of the method and not set to false in case of script failure:
    } else {
        String conditionType = condition != null ? condition.getType() : null;
        LOG.error("failed to evaluate condition '" + conditionType + "': script engine not found");
    }
This causes the check to succeed independently of the positive satisfaction of the condition, therefore granting access to the user.
Regards,
Antonio Rotondi
IA Architecture
+44 20 7883 6099 (*443 6099)
-----Original Message-----
From: Madhan Neethiraj <ma...@apache.org>
Sent: 16 May 2023 22:34
To: dev@ranger.apache.org; Rotondi, Antonio (RAGD 9) <an...@credit-suisse.com>
Subject: Re: Issue with abac on trino plugin
Hello Antonio,
If the JDK version running Trino is JDK 15 or later, libraries org.graalvm.js and org.graalvm.js-scriptengine (along with their dependencies) must be included in the plugin.
Currently there is no Maven profile to build Ranger for a specific JDK version, like JDK15. Until this is in place, you can uncomment the following blocks in agents-common/pom.xml and build the Trino plugin.
https://github.com/apache/ranger/blob/release-ranger-2.4.0/agents-common/pom.xml#L155:
<!-- To be added for JDK15 and above
<dependency>
    <groupId>org.graalvm.js</groupId>
    <artifactId>js</artifactId>
    <version>${graalvm.version}</version>
</dependency>
<dependency>
    <groupId>org.graalvm.js</groupId>
    <artifactId>js-scriptengine</artifactId>
    <version>${graalvm.version}</version>
</dependency>
-->
Hope this helps.
Madhan
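As an added illustration for this thread (not Ranger's own RangerScriptConditionEvaluator), the following shows the two things discussed above: listing which engines ScriptEngineManager actually registered, which is what the "script engine not found" errors come down to, and an isMatched that fails closed, denying access whenever the engine is missing or the script errors instead of leaving an optimistic default of true in place. The engine name is the one in the quoted error; the "department" binding and its value are constructed sample data, and binding attributes as plain top-level script variables is an assumption of this example.

```java
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
import java.util.Map;

/** Illustrative fail-closed evaluation of a row-filter condition script (not Ranger's code). */
public class FailClosedConditionEvaluator {
    // Same engine name the quoted Ranger error refers to.
    private static final String ENGINE_NAME = "JavaScript";

    private final ScriptEngineManager manager = new ScriptEngineManager();

    /** Reports what the manager discovered via ServiceLoader; an empty list explains the thread's error. */
    public String describeAvailableEngines() {
        StringBuilder sb = new StringBuilder();
        for (ScriptEngineFactory f : manager.getEngineFactories()) {
            sb.append(f.getEngineName()).append(' ').append(f.getEngineVersion())
              .append(" names=").append(f.getNames()).append('\n');
        }
        return sb.length() == 0 ? "no script engines registered with ScriptEngineManager\n" : sb.toString();
    }

    /**
     * True only when the engine exists AND the script evaluates to Boolean.TRUE.
     * Missing engine, script error and non-boolean result all deny. The bug described
     * in the thread is the opposite default: result pre-set to true and never cleared
     * when the engine lookup fails.
     */
    public boolean isMatched(String script, Map<String, String> userAttributes) {
        ScriptEngine engine = manager.getEngineByName(ENGINE_NAME);
        if (engine == null) {
            System.err.println("script engine '" + ENGINE_NAME + "' not found: denying access");
            return false; // fail closed
        }
        Bindings bindings = engine.createBindings();
        // Assumption of this example: each user attribute is exposed as a top-level script variable.
        userAttributes.forEach(bindings::put);
        try {
            Object result = engine.eval(script, bindings);
            return Boolean.TRUE.equals(result);
        } catch (ScriptException | RuntimeException e) {
            System.err.println("condition script failed (" + e.getMessage() + "): denying access");
            return false; // fail closed
        }
    }

    public static void main(String[] args) {
        FailClosedConditionEvaluator evaluator = new FailClosedConditionEvaluator();
        System.out.print(evaluator.describeAvailableEngines());
        // Constructed sample attribute, standing in for what usersync would pull from LDAP.
        Map<String, String> attrs = Map.of("department", "finance");
        // With a JavaScript engine on the classpath this is true; with none it is false, never true.
        System.out.println(evaluator.isMatched("department == 'finance'", attrs));
    }
}
```

Running it against the Trino plugin's classpath (with and without the GraalJS jars from Madhan's pom.xml snippet) shows directly whether the engine is registered, and the denial path is what the quoted Ranger branch lacks.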