Posted to dev@ranger.apache.org by Sailaja Polavarapu <sp...@hortonworks.com> on 2020/02/15 02:03:35 UTC

Review Request 72136: RANGER-2723: Support ldap attribute based document level control for solr plugin

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72136/
-----------------------------------------------------------

Review request for ranger, Abhay Kulkarni, Ramesh Mani, and Velmurugan Periasamy.


Bugs: RANGER-2723
    https://issues.apache.org/jira/browse/RANGER-2723


Repository: ranger


Description
-------

Added new context enricher to download userstore to solr plugin. Also integrated Sentry changes to RangerSolrAuthorizer to use the ldap attributes and add them to the filter query while querying documents in solr.


Diffs
-----

  agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java 87d0190e6 
  agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminClient.java 58eb00a4e 
  agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java e5f97477b 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminUserStoreRetriever.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreEnricher.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreRetriever.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java bd980ce09 
  agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java 0b492ab99 
  plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/FieldToAttributeMapping.java PRE-CREATION 
  plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java 4538a5bf2 
  plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/SubsetQueryPlugin.java PRE-CREATION 


Diff: https://reviews.apache.org/r/72136/diff/1/


Testing
-------

1. Patched test cluster and verified userstore is downloaded to solr plugin
2. Also verified basic functionality based on some ldap attributes while querying solr documents.


Thanks,

Sailaja Polavarapu


Re: Review Request 72136: RANGER-2723: Support ldap attribute based document level control for solr plugin

Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72136/#review219853
-----------------------------------------------------------


Ship it!




Ship It!

- Abhay Kulkarni


On March 3, 2020, 9:06 p.m., Sailaja Polavarapu wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72136/
> -----------------------------------------------------------
> 
> (Updated March 3, 2020, 9:06 p.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2723
>     https://issues.apache.org/jira/browse/RANGER-2723
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Added new context enricher to download userstore to solr plugin. Also integrated Sentry changes to RangerSolrAuthorizer to use the ldap attributes and add them to the filter query while querying documents in solr.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java 87d0190e6 
>   agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminClient.java 58eb00a4e 
>   agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java e5f97477b 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminUserStoreRetriever.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreEnricher.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreRetriever.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java bd980ce09 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java 0b492ab99 
>   plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/FieldToAttributeMapping.java PRE-CREATION 
>   plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java 4538a5bf2 
>   plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/SubsetQueryPlugin.java PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/72136/diff/2/
> 
> 
> Testing
> -------
> 
> 1. Patched test cluster and verified userstore is downloaded to solr plugin
> 2. Also verified basic functionality based on some ldap attributes while querying solr documents.
> 
> 
> Thanks,
> 
> Sailaja Polavarapu
> 
>


Re: Review Request 72136: RANGER-2723: Support ldap attribute based document level control for solr plugin

Posted by Sailaja Polavarapu <sp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72136/
-----------------------------------------------------------

(Updated March 3, 2020, 9:06 p.m.)


Review request for ranger, Abhay Kulkarni, Ramesh Mani, and Velmurugan Periasamy.


Changes
-------

Incorporated review comments


Bugs: RANGER-2723
    https://issues.apache.org/jira/browse/RANGER-2723


Repository: ranger


Description
-------

Added new context enricher to download userstore to solr plugin. Also integrated Sentry changes to RangerSolrAuthorizer to use the ldap attributes and add them to the filter query while querying documents in solr.


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java 87d0190e6 
  agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminClient.java 58eb00a4e 
  agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java e5f97477b 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminUserStoreRetriever.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreEnricher.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreRetriever.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java bd980ce09 
  agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java 0b492ab99 
  plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/FieldToAttributeMapping.java PRE-CREATION 
  plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java 4538a5bf2 
  plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/SubsetQueryPlugin.java PRE-CREATION 


Diff: https://reviews.apache.org/r/72136/diff/2/

Changes: https://reviews.apache.org/r/72136/diff/1-2/


Testing
-------

1. Patched test cluster and verified userstore is downloaded to solr plugin
2. Also verified basic functionality based on some ldap attributes while querying solr documents.


Thanks,

Sailaja Polavarapu


Re: Review Request 72136: RANGER-2723: Support ldap attribute based document level control for solr plugin

Posted by Sailaja Polavarapu <sp...@hortonworks.com>.

> On Feb. 15, 2020, 8 p.m., Abhay Kulkarni wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreEnricher.java
> > Lines 45 (patched)
> > <https://reviews.apache.org/r/72136/diff/1/?file=2211349#file2211349line45>
> >
> >     Is it required that Solr service definition is updated to include this context-enricher? If so, it needs to be included in this patch. Also, if it is included, a Java patch for upgrading Solr service definition also needs to be included.

Ldap attribute based authorization is optional. Since there is a public api to update service def, I didn't include the context-enricher config in Solr Service definition by default.


> On Feb. 15, 2020, 8 p.m., Abhay Kulkarni wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreEnricher.java
> > Lines 74 (patched)
> > <https://reviews.apache.org/r/72136/diff/1/?file=2211349#file2211349line74>
> >
> >     If the class-name for UserStoreRetriever is not provided, should it default to some known class (which populates UserStore using adminRESTClient)?

In case the class name is not provided, we are logging an error. I don't think we need to process any further.


> On Feb. 15, 2020, 8 p.m., Abhay Kulkarni wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreEnricher.java
> > Lines 504 (patched)
> > <https://reviews.apache.org/r/72136/diff/1/?file=2211349#file2211349line504>
> >
> >     Is this intended to be the implementation of RangerUserStoreRetriever.retrieveUserStoreInfo()? Please review.

Removed this as this is implemented in RangerAdminUserStoreRetriever which extends RangerUserStoreRetriever.


> On Feb. 15, 2020, 8 p.m., Abhay Kulkarni wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreRetriever.java
> > Lines 28 (patched)
> > <https://reviews.apache.org/r/72136/diff/1/?file=2211350#file2211350line28>
> >
> >     A class implementing RangerUserStoreRetriever needs to be included in the patch. Please review.

RangerAdminUserStoreRetriever class extends RangerUserStoreRetriever and has the implementations.


- Sailaja


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72136/#review219596
-----------------------------------------------------------


On March 3, 2020, 9:06 p.m., Sailaja Polavarapu wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72136/
> -----------------------------------------------------------
> 
> (Updated March 3, 2020, 9:06 p.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2723
>     https://issues.apache.org/jira/browse/RANGER-2723
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Added new context enricher to download userstore to solr plugin. Also integrated Sentry changes to RangerSolrAuthorizer to use the ldap attributes and add them to the filter query while querying documents in solr.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java 87d0190e6 
>   agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminClient.java 58eb00a4e 
>   agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java e5f97477b 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminUserStoreRetriever.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreEnricher.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreRetriever.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java bd980ce09 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java 0b492ab99 
>   plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/FieldToAttributeMapping.java PRE-CREATION 
>   plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java 4538a5bf2 
>   plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/SubsetQueryPlugin.java PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/72136/diff/2/
> 
> 
> Testing
> -------
> 
> 1. Patched test cluster and verified userstore is downloaded to solr plugin
> 2. Also verified basic functionality based on some ldap attributes while querying solr documents.
> 
> 
> Thanks,
> 
> Sailaja Polavarapu
> 
>


Re: Review Request 72136: RANGER-2723: Support ldap attribute based document level control for solr plugin

Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72136/#review219596
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreEnricher.java
Lines 45 (patched)
<https://reviews.apache.org/r/72136/#comment307777>

    Is it required that Solr service definition is updated to include this context-enricher? If so, it needs to be included in this patch. Also, if it is included, a Java patch for upgrading Solr service definition also needs to be included.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreEnricher.java
Lines 74 (patched)
<https://reviews.apache.org/r/72136/#comment307774>

    If the class-name for UserStoreRetriever is not provided, should it default to some known class (which populates UserStore using adminRESTClient)?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreEnricher.java
Lines 504 (patched)
<https://reviews.apache.org/r/72136/#comment307772>

    Is this intended to be the implementation of RangerUserStoreRetriever.retrieveUserStoreInfo()? Please review.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreRetriever.java
Lines 28 (patched)
<https://reviews.apache.org/r/72136/#comment307773>

    A class implementing RangerUserStoreRetriever needs to be included in the patch. Please review.



plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java
Lines 370 (patched)
<https://reviews.apache.org/r/72136/#comment307775>

    Would this cause a lot of logging output? Please review and consider logging it at level DEBUG.



plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java
Lines 384 (patched)
<https://reviews.apache.org/r/72136/#comment307776>

    Is it possible for getUserStoreEnricher() to return null even though attrEnabled is set to true? If so, please check for null to avoid potential NPE.


- Abhay Kulkarni


On Feb. 15, 2020, 2:03 a.m., Sailaja Polavarapu wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72136/
> -----------------------------------------------------------
> 
> (Updated Feb. 15, 2020, 2:03 a.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2723
>     https://issues.apache.org/jira/browse/RANGER-2723
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Added new context enricher to download userstore to solr plugin. Also integrated Sentry changes to RangerSolrAuthorizer to use the ldap attributes and add them to the filter query while querying documents in solr.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java 87d0190e6 
>   agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminClient.java 58eb00a4e 
>   agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java e5f97477b 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminUserStoreRetriever.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreEnricher.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreRetriever.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java bd980ce09 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java 0b492ab99 
>   plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/FieldToAttributeMapping.java PRE-CREATION 
>   plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java 4538a5bf2 
>   plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/SubsetQueryPlugin.java PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/72136/diff/1/
> 
> 
> Testing
> -------
> 
> 1. Patched test cluster and verified userstore is downloaded to solr plugin
> 2. Also verified basic functionality based on some ldap attributes while querying solr documents.
> 
> 
> Thanks,
> 
> Sailaja Polavarapu
> 
>
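
Added example (not part of the thread and not code from the Ranger patch): a sketch of turning a user's LDAP attributes into a Solr filter query, handling the reviewer's case where the user store is unavailable by denying instead of dereferencing null. The class name, method names, the field-to-attribute mapping, the sample data, and the AND/OR semantics are all assumptions made for illustration.

```java
import java.util.*;

public class AttrFilterQueryExample {
    // A pure-negative filter query selects no documents (fail closed).
    static final String MATCH_NONE = "-*:*";

    // Backslash-escape characters that are special to the Solr query parser,
    // so attribute values are always treated as literal terms.
    static String escape(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            if ("\\+-!():^[]\"{}~*?|&;/".indexOf(c) >= 0 || Character.isWhitespace(c)) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    // fieldToAttr: Solr document field -> LDAP attribute name (hypothetical mapping).
    // userAttrs:   the user's attributes from the user store; null if unavailable.
    // Assumed semantics: OR across a user's values, AND across mapped fields.
    static String buildFilterQuery(Map<String, String> fieldToAttr,
                                   Map<String, List<String>> userAttrs) {
        if (userAttrs == null) {
            return MATCH_NONE; // no enricher / user store: deny instead of an NPE
        }
        List<String> clauses = new ArrayList<>();
        for (Map.Entry<String, String> e : fieldToAttr.entrySet()) {
            List<String> values = userAttrs.get(e.getValue());
            if (values == null || values.isEmpty()) {
                return MATCH_NONE; // user lacks an attribute the mapping requires
            }
            StringJoiner or = new StringJoiner(" OR ", e.getKey() + ":(", ")");
            for (String v : values) {
                or.add(escape(v));
            }
            clauses.add(or.toString());
        }
        return clauses.isEmpty() ? MATCH_NONE : String.join(" AND ", clauses);
    }

    public static void main(String[] args) {
        Map<String, String> mapping = new LinkedHashMap<>();
        mapping.put("doc_dept", "department"); // constructed sample mapping
        Map<String, List<String>> attrs = new HashMap<>();
        attrs.put("department", Arrays.asList("eng", "R&D (EMEA)")); // constructed
        System.out.println(buildFilterQuery(mapping, attrs));
        System.out.println(buildFilterQuery(mapping, null));
    }
}
```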