Posted to dev@ranger.apache.org by Barbara Eckman via Review Board <no...@reviews.apache.org> on 2022/09/26 19:17:48 UTC

Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/
-----------------------------------------------------------

Review request for ranger and madhan.


Bugs: Ranger-3855
    https://issues.apache.org/jira/browse/Ranger-3855


Repository: ranger


Description
-------

RangerExternalUserStoreRetriever class Ranger-3855

Ranger version 3.0.0 provides a means, via a context enricher, to add or retrieve attributes to the database of users for whom Ranger controls access. This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy condition, including row and tag filters. This greatly enhances the ability to provide custom Attribute-based Access Control based on the specific business needs of one's organization.

I believe that the original assumption was that such attributes would be added to AD/LDAP and enter Ranger via regular user syncs. However, this process does not currently work with Azure AD, which many organizations use. Neither does it provide timely support for organizations for whom adding each new attribute to AD would be subject to prolonged scrutiny by overworked security teams.

In the spirit of the RangerAdminUserStoreRetriever context enricher, we have written a RangerExternalUserStoreRetriever class which adds arbitrary attributes to Ranger users via external API calls, thus freeing additions to the UserStore from dependency on AD/LDAP. We have also written a RangerRoleUserStoreRetriever class, which transforms role membership into user attributes, for ease of use in complex policy conditions.


Diffs
-----

  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromDataFile.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromURL.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/LICENSE PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/NOTICE PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/README.md PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerExternalUserStoreRetriever.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerRoleUserStoreRetriever.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/TokenInputs.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/pom.xml PRE-CREATION 
  plugin-nestedstructure/README.md ea878f6a2 


Diff: https://reviews.apache.org/r/74142/diff/1/


Testing
-------


Thanks,

Barbara Eckman


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Barbara Eckman via Review Board <no...@reviews.apache.org>.

- Barbara


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224760
-----------------------------------------------------------




Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Barbara Eckman via Review Board <no...@reviews.apache.org>.

> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
> > Lines 44 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270179#file2270179line44>
> >
> >     Does this have sensitive information? If so, we should print in debug logs

Is that a question? "Should we print in debug logs?" I considered this along with a Comcast security colleague and decided that putting this warning in the README file was sufficient: "NOTE that if this code is run with debug logging enabled, there will be a very high likelihood that sensitive content will be emitted in the log." If you don't think it's sufficient, I can remove printing it in the debug logs, but it seems as though it would be nice to see what's in there, if an error should occur that involves the file contents.


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
> > Lines 50 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270179#file2270179line50>
> >
> >     Should strToken = null? So that the caller would know if the request failed?

I'm not against this, but I already raise an error if the request for token fails, and execution should halt after that, shouldn't it? Or am I missing your point?


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
> > Lines 63 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270179#file2270179line63>
> >
> >     Instead of doing e.toString(), can we just pass "e" to the logger? So the stack trace will be printed?

done


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
> > Lines 64 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270179#file2270179line64>
> >
> >     Since we are printing using logger, do we need to print to stderr also?

done, removed print to stderr


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromDataFile.java
> > Lines 60 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270180#file2270180line60>
> >
> >     Can we pass the exception as ",e", so that we can print the stack trace?

done


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromURL.java
> > Lines 50 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270181#file2270181line50>
> >
> >     Do we need to print in stderr

done


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
> > Lines 41 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270182#file2270182line41>
> >
> >     Is it secure to print sensitive information?

see response to getBearerToken, line 44


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
> > Lines 50 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270182#file2270182line50>
> >
> >     Is it secure to print sensitive information?

see response to getBearerToken, line 44


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
> > Lines 66 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270182#file2270182line66>
> >
> >     Should pass the exception as parameter? So we can get the stack trace?

done


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
> > Lines 67 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270182#file2270182line67>
> >
> >     Do we need to print this in stderr?

done


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerExternalUserStoreRetriever.java
> > Lines 69 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270186#file2270186line69>
> >
> >     This seems to be internal comcast class. What happens if this is not available in the opensource?

Sorry, this was an oversight. It's fixed now.


- Barbara


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224760
-----------------------------------------------------------




Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Barbara Eckman via Review Board <no...@reviews.apache.org>.

> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> >

Thanks a lot, Bosco, for your meticulous comments!  I did a lot of refactoring, to replace unirest with apache httpclient, and to bubble exceptions upward.  I welcome your feedback as always!


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
> > Lines 34 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270179#file2270179line34>
> >
> >     Could we document what this configFile should contain? If it is user entered, then can we validate that it has all the fields we are expecting?

Done: added description of required elements to the README file, and added validation of the required elements to the HandleSecrets class.


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
> > Lines 44 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270179#file2270179line44>
> >
> >     Does this have sensitive information? If so, we should print in debug logs
> 
> Barbara Eckman wrote:
>     Is that a question? "Should we print in debug logs?" I considered this along with a Comcast security colleague and decided that putting this warning in the README file was sufficient: "NOTE that if this code is run with debug logging enabled, there will be a very high likelihood that sensitive content will be emitted in the log." If you don't think it's sufficient, I can remove printing it in the debug logs, but it seems as though it would be nice to see what's in there, if an error should occur that involves the file contents.

I have removed the printing to debug log


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
> > Lines 50 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270179#file2270179line50>
> >
> >     Should strToken = null? So that the caller would know if the request failed?
> 
> Barbara Eckman wrote:
>     I'm not against this, but I already raise an error if the request for token fails, and execution should halt after that, shouldn't it? Or am I missing your point?

Sorry, my last comment made no sense.  I changed strToken's initialization to null.


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
> > Lines 58 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270179#file2270179line58>
> >
> >     Should we check if the post was successful? E.g. check for HTTP return code?

Done.


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
> > Lines 63 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270179#file2270179line63>
> >
> >     Instead of doing e.toString(), can we just pass "e" to the logger? So the stack trace will be printed?
> 
> Barbara Eckman wrote:
>     done

I refactored to throw exceptions upward.  Should I print to logger.error before throwing the exception?


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
> > Lines 67 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270179#file2270179line67>
> >
> >     Would the response be null if the Unirest.post() throws an Exception? We could probably move this code within the try block above

Done


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromDataFile.java
> > Lines 35 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270180#file2270180line35>
> >
> >     Any reason this is a class member attribute rather than defining it within the method getFromDataFile()? If it is okay to have it as a class member attribute, then should we worry about multi-thread safety scenarios?

Done


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromDataFile.java
> > Lines 48 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270180#file2270180line48>
> >
> >     We should probably indent this properly. It seems as though it is closing the try block.

Done


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromURL.java
> > Lines 39 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270181#file2270181line39>
> >
> >     What should we do if the GetBearerToken.getBearerToken() fails for any reason?

I removed most of the try/catches from all classes, and added some thrown exceptions beyond what was already there.  All exceptions now bubble up to RangerExternalUserStoreRetriever.


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromURL.java
> > Lines 49 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270181#file2270181line49>
> >
> >     Should return from here or rethrow the exception if the Unirest.get() request fails?

Addressed when refactoring to use the Apache HttpClient library instead of Unirest.


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
> > Lines 34 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270182#file2270182line34>
> >
> >     Any reason we are having this as class static? It seems line number 39 redefines it with the class method? Same for the member attribute decodedSecrets.

Done.


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
> > Lines 41 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270182#file2270182line41>
> >
> >     Is it secure to print sensitive information?
> 
> Barbara Eckman wrote:
>     see response to getBearerToken, line 44

I removed debug logging of sensitive info.


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
> > Lines 50 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270182#file2270182line50>
> >
> >     Is it secure to print sensitive information?
> 
> Barbara Eckman wrote:
>     see response to getBearerToken, line 44

I removed debug logging of sensitive info.


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
> > Lines 55 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270182#file2270182line55>
> >
> >     What is the purpose for this method? Is it just to read the entire file into a string object? If so, should we use class method like File.readString()?

I think File.readString() was not introduced until Java 11, but I found this and used it instead:
new String(Files.readAllBytes(Paths.get(configFile)));


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
> > Lines 56 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270182#file2270182line56>
> >
> >     To optimize on memory, should we use StringBuffer here?

I replaced the Scanner-based read with *new String(Files.readAllBytes(Paths.get(configFile)))*.  The config files are very small (under 20 lines of json), so I'm inclined to not worry about memory for them.  Do you agree?


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
> > Lines 59 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270182#file2270182line59>
> >
> >     Can we use closable (try()) here? So that even if there is an exception, the stream will be closed

The readFromFile method's use of Scanner was replaced, as suggested, by the simple *new String(Files.readAllBytes(Paths.get(configFile)))*. Does this obviate the need for closable try()?


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
> > Lines 73 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270182#file2270182line73>
> >
> >     Can we use closable here? So that even on exception the stream is closed.

I used try-with-resources:
       try (FileWriter myWriter = new FileWriter(fileName)) {

I think that does the same thing, right?


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
> > Lines 77 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270182#file2270182line77>
> >
> >     Any reason we are suppressing this error? Should we propagate it to the caller so it can be handled appropriately?

Done.


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerExternalUserStoreRetriever.java
> > Lines 54 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270186#file2270186line54>
> >
> >     Do we need to handle failure to getFromURL() method ?

Added thrown exceptions. All exceptions now bubble up to RangerExternalUserStoreRetriever.


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerExternalUserStoreRetriever.java
> > Lines 56 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270186#file2270186line56>
> >
> >     Is it okay to ignore this exception?
> >     Can we also remove the next line?

changes to throw exceptions upward made this comment irrelevant, I think....


> On Oct. 7, 2022, 1:30 a.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerRoleUserStoreRetriever.java
> > Lines 76 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270187#file2270187line76>
> >
> >     Does this need to be on a separate line?

done


- Barbara


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224760
-----------------------------------------------------------
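
One way to meet the three points this reply addresses (validating the required elements of the secrets config file, the Java 8 file read, and keeping secret values out of DEBUG output), as an added example that is not code from this review request or from Ranger. It assumes Gson on the classpath; the element names tokenUrl, clientId and clientSecret are placeholders, not the review's actual config format.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import com.google.gson.Gson;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonSyntaxException;

/** Added example, not Ranger code: loads and validates a small JSON secrets file. */
public final class SecretsConfig {
    // Placeholder element names every config file must carry; files lacking any are refused.
    private static final List<String> REQUIRED = Arrays.asList("tokenUrl", "clientId", "clientSecret");
    // Elements whose values must never reach a log line, even with DEBUG enabled.
    private static final List<String> SENSITIVE = Arrays.asList("clientSecret");

    private final Map<String, String> values;

    private SecretsConfig(Map<String, String> values) {
        this.values = values;
    }

    /** Java 8 substitute for Files.readString(): the whole (small) file as one String. */
    public static SecretsConfig load(String configFile) throws IOException {
        return parse(new String(Files.readAllBytes(Paths.get(configFile)), StandardCharsets.UTF_8));
    }

    /** Parses and validates the JSON text; throws (with no file contents in the message) on any defect. */
    public static SecretsConfig parse(String json) throws IOException {
        JsonObject obj;
        try {
            obj = new Gson().fromJson(json, JsonObject.class);
        } catch (JsonSyntaxException | ClassCastException e) {
            throw new IOException("secrets config is not a JSON object", e);
        }
        if (obj == null) {
            throw new IOException("secrets config is empty");
        }
        Map<String, String> values = new TreeMap<>();
        for (Map.Entry<String, JsonElement> entry : obj.entrySet()) {
            if (entry.getValue().isJsonPrimitive()) {
                values.put(entry.getKey(), entry.getValue().getAsString());
            }
        }
        List<String> missing = new ArrayList<>();
        for (String key : REQUIRED) {
            String v = values.get(key);
            if (v == null || v.trim().isEmpty()) {
                missing.add(key);
            }
        }
        if (!missing.isEmpty()) {
            // Names only: reporting which element is missing reveals no value.
            throw new IOException("secrets config is missing required element(s): " + missing);
        }
        return new SecretsConfig(values);
    }

    public String get(String key) {
        return values.get(key);
    }

    /** The only view intended for LOG.debug(): sensitive values are replaced before formatting. */
    public String redacted() {
        StringBuilder sb = new StringBuilder("{");
        for (Map.Entry<String, String> e : values.entrySet()) {
            if (sb.length() > 1) {
                sb.append(", ");
            }
            sb.append(e.getKey()).append('=')
              .append(SENSITIVE.contains(e.getKey()) ? "<redacted>" : e.getValue());
        }
        return sb.append('}').toString();
    }

    @Override
    public String toString() {
        return redacted(); // so a stray "" + config in a log message cannot leak the secret
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: placeholder endpoint and credential, not real ones.
        String sample = "{\"tokenUrl\": \"https://example.invalid/oauth2/token\","
                + " \"clientId\": \"ranger-enricher\", \"clientSecret\": \"not-a-real-secret\"}";
        SecretsConfig cfg = SecretsConfig.parse(sample);
        System.out.println("debug view: " + cfg);
        try {
            SecretsConfig.parse("{\"tokenUrl\": \"https://example.invalid/oauth2/token\"}");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the class never exposes a formatter that includes the secret, the README warning about DEBUG logging becomes unnecessary for this file rather than something each caller has to remember.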




Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Don Bosco Durai <bo...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224760
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
Lines 34 (patched)
<https://reviews.apache.org/r/74142/#comment313543>

    Could we document what this configFile should contain? If it is user entered, then can we validate that it has all the fields we are expecting?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
Lines 44 (patched)
<https://reviews.apache.org/r/74142/#comment313537>

    Does this have sensitive information? If so, we should print in debug logs



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
Lines 50 (patched)
<https://reviews.apache.org/r/74142/#comment313540>

    Should strToken = null? So that the caller would know if the request failed?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
Lines 58 (patched)
<https://reviews.apache.org/r/74142/#comment313542>

    Should we check if the post was successful? E.g. check for HTTP return code?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
Lines 63 (patched)
<https://reviews.apache.org/r/74142/#comment313538>

    Instead of doing e.toString(), can we just pass "e" to the logger? So the stack trace will be printed?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
Lines 64 (patched)
<https://reviews.apache.org/r/74142/#comment313539>

    Since we are printing using logger, do we need to print to stderr also?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
Lines 67 (patched)
<https://reviews.apache.org/r/74142/#comment313541>

    Would the response be null if the Unirest.post() throws an Exception? We could probably move this code within the try block above



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromDataFile.java
Lines 35 (patched)
<https://reviews.apache.org/r/74142/#comment313547>

    Any reason this is a class member attribute rather than defining it within the method getFromDataFile()? If it is okay to have it as a class member attribute, then should we worry about multi-thread safety scenarios?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromDataFile.java
Lines 48 (patched)
<https://reviews.apache.org/r/74142/#comment313545>

    We should probably indent this properly. It seems as though it is closing the try block.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromDataFile.java
Lines 60 (patched)
<https://reviews.apache.org/r/74142/#comment313546>

    Can we pass the exception as ",e", so that we can print the stack trace?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromURL.java
Lines 39 (patched)
<https://reviews.apache.org/r/74142/#comment313548>

    What should we do if the GetBearerToken.getBearerToken() fails for any reason?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromURL.java
Lines 49 (patched)
<https://reviews.apache.org/r/74142/#comment313550>

    Should return from here or rethrow the exception if the Unirest.get() request fails?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromURL.java
Lines 50 (patched)
<https://reviews.apache.org/r/74142/#comment313549>

    Do we need to print in stderr?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
Lines 34 (patched)
<https://reviews.apache.org/r/74142/#comment313551>

    Any reason we are having this as a class static? It seems line number 39 redefines it with the class method? Same for the member attribute decodedSecrets also



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
Lines 41 (patched)
<https://reviews.apache.org/r/74142/#comment313552>

    Is it secure to print sensitive information?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
Lines 50 (patched)
<https://reviews.apache.org/r/74142/#comment313553>

    Is it secure to print sensitive information?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
Lines 55 (patched)
<https://reviews.apache.org/r/74142/#comment313555>

    What is the purpose for this method? Is it just to read the entire file into a string object? If so, should we use class method like File.readString()?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
Lines 56 (patched)
<https://reviews.apache.org/r/74142/#comment313558>

    To optimize on memory, should we use StringBuffer here?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
Lines 59 (patched)
<https://reviews.apache.org/r/74142/#comment313557>

    Can we use closable (try()) here? So that even if there is an exception, the stream will be closed



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
Lines 66 (patched)
<https://reviews.apache.org/r/74142/#comment313559>

    Should pass the exception as parameter? So we can get the stack trace?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
Lines 67 (patched)
<https://reviews.apache.org/r/74142/#comment313560>

    Do we need to print this in stderr?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
Lines 73 (patched)
<https://reviews.apache.org/r/74142/#comment313561>

    Can we use closable here? So that even on exception the stream is closed.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
Lines 77 (patched)
<https://reviews.apache.org/r/74142/#comment313562>

    Any reason we are suppressing this error? Should we propagate it to the caller so it can be handled appropriately?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerExternalUserStoreRetriever.java
Lines 54 (patched)
<https://reviews.apache.org/r/74142/#comment313563>

    Do we need to handle failure of the getFromURL() method?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerExternalUserStoreRetriever.java
Lines 56 (patched)
<https://reviews.apache.org/r/74142/#comment313564>

    Is it okay to ignore this exception?
    Can we also remove the next line?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerExternalUserStoreRetriever.java
Lines 69 (patched)
<https://reviews.apache.org/r/74142/#comment313565>

    This seems to be internal comcast class. What happens if this is not available in the opensource?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerRoleUserStoreRetriever.java
Lines 76 (patched)
<https://reviews.apache.org/r/74142/#comment313566>

    Does this need to be on a separate line?


- Don Bosco Durai
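A sketch of the handling several of the comments above ask for: validate the config file's fields up front, check the HTTP status code, return null so the caller can see the request failed, pass the exception object to the logger instead of e.toString(), keep the secret and the token out of the logs, and close streams and the HTTP client with try-with-resources. This is an added illustration written for this page, not the patch's GetBearerToken class; the config keys (tokenUrl, clientId, clientSecret), the TokenResponse shape and the use of HttpClient 4.5, Gson and SLF4J are assumptions.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import com.google.gson.Gson;
import com.google.gson.JsonSyntaxException;
import com.google.gson.reflect.TypeToken;
import org.apache.http.HttpStatus;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Illustrative token fetcher (hypothetical); shows the error handling the review asks for. */
public class ExampleBearerTokenFetcher {
    private static final Logger LOG = LoggerFactory.getLogger(ExampleBearerTokenFetcher.class);
    // Assumed config keys; the real config file format is not shown on the page.
    private static final List<String> REQUIRED_FIELDS = Arrays.asList("tokenUrl", "clientId", "clientSecret");
    private final Gson gson = new Gson(); // one instance, reused across calls

    /** Shape of the token endpoint's reply; assumed OAuth-style field name. */
    static class TokenResponse {
        String access_token;
    }

    /** Reads the JSON config file and rejects it up front if any expected field is missing or blank. */
    Map<String, String> loadConfig(Path configFile) throws IOException {
        Map<String, String> cfg;
        // try-with-resources: the reader is closed even if parsing throws
        try (Reader reader = Files.newBufferedReader(configFile, StandardCharsets.UTF_8)) {
            cfg = gson.fromJson(reader, new TypeToken<Map<String, String>>() {}.getType());
        } catch (JsonSyntaxException e) {
            throw new IOException("config file " + configFile + " is not valid JSON", e);
        }
        if (cfg == null) {
            throw new IOException("config file " + configFile + " is empty");
        }
        for (String field : REQUIRED_FIELDS) {
            String value = cfg.get(field);
            if (value == null || value.trim().isEmpty()) {
                // name the field, never its value: clientSecret must not reach the log
                throw new IOException("config file " + configFile + " is missing required field '" + field + "'");
            }
        }
        return cfg;
    }

    /** Returns the bearer token, or null on any failure so the caller can decide how to proceed. */
    public String getBearerToken(Path configFile) {
        Map<String, String> cfg;
        try {
            cfg = loadConfig(configFile);
        } catch (IOException e) {
            LOG.error("Unable to load token config from {}", configFile, e); // pass e itself: stack trace is logged
            return null;
        }
        Map<String, String> credentials = new HashMap<>();
        credentials.put("client_id", cfg.get("clientId"));
        credentials.put("client_secret", cfg.get("clientSecret"));
        HttpPost post = new HttpPost(cfg.get("tokenUrl"));
        post.setEntity(new StringEntity(gson.toJson(credentials), ContentType.APPLICATION_JSON));
        // both client and response are closed on every exit path, including exceptions
        try (CloseableHttpClient client = HttpClients.createDefault();
             CloseableHttpResponse response = client.execute(post)) {
            int status = response.getStatusLine().getStatusCode();
            if (status != HttpStatus.SC_OK) {
                // report the status only; an error body may echo the request, including the secret
                LOG.error("Token request to {} failed with HTTP {}", post.getURI(), status);
                return null;
            }
            String body = EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8);
            TokenResponse parsed = gson.fromJson(body, TokenResponse.class);
            if (parsed == null || parsed.access_token == null || parsed.access_token.isEmpty()) {
                LOG.error("Token response from {} contained no access_token", post.getURI());
                return null;
            }
            // never log the token; its length is enough to confirm something was received
            LOG.debug("Obtained bearer token from {} ({} chars)", post.getURI(), parsed.access_token.length());
            return parsed.access_token;
        } catch (IOException | JsonSyntaxException e) {
            LOG.error("Token request to {} failed", post.getURI(), e);
            return null;
        }
    }
}
```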


On Sept. 26, 2022, 7:17 p.m., Barbara Eckman wrote:
> 
> (Updated Sept. 26, 2022, 7:17 p.m.)
> 


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Barbara Eckman via Review Board <no...@reviews.apache.org>.

- Barbara


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224759
-----------------------------------------------------------


On Sept. 26, 2022, 7:17 p.m., Barbara Eckman wrote:
> 
> (Updated Sept. 26, 2022, 7:17 p.m.)
> 


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Barbara Eckman via Review Board <no...@reviews.apache.org>.

> On Oct. 7, 2022, 1:21 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
> > Lines 19 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270179#file2270179line19>
> >
> >     By convention, package names are in all lowercase letters. Consider renaming this package to "externalretrievers".

done


> On Oct. 7, 2022, 1:21 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
> > Lines 41 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270179#file2270179line41>
> >
> >     How about using gson object instantiated at #32, instead of instantiating it for every call to getBearerToken()?

done


> On Oct. 7, 2022, 1:21 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
> > Lines 34 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270182#file2270182line34>
> >
> >     static members encodedSecrets and decodedSecrets are unused. Please review and remove.

done


- Barbara


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224759
-----------------------------------------------------------


On Sept. 26, 2022, 7:17 p.m., Barbara Eckman wrote:
> 
> (Updated Sept. 26, 2022, 7:17 p.m.)
> 


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Barbara Eckman via Review Board <no...@reviews.apache.org>.

> On Oct. 7, 2022, 1:21 a.m., Madhan Neethiraj wrote:
> >

Thanks a lot, Madhan, for your comments!


> On Oct. 7, 2022, 1:21 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
> > Lines 48 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270179#file2270179line48>
> >
> >     Ranger libraries use HttpClient library for HTTP calls - https://hc.apache.org/httpcomponents-client-4.5.x/index.html#. To avoid additional dependency on unirest libraries, I suggest using HttpClient library.

done.


> On Oct. 7, 2022, 1:21 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/pom.xml
> > Lines 18 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270189#file2270189line18>
> >
> >     Is this pom.xml file necessary? Please review and remove if unused.

It was really only needed for unirest, which I have removed in favor of apache httpclient. So the pom.xml file has been removed.


- Barbara


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224759
-----------------------------------------------------------


On Sept. 26, 2022, 7:17 p.m., Barbara Eckman wrote:
> 
> (Updated Sept. 26, 2022, 7:17 p.m.)
> 


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224759
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
Lines 19 (patched)
<https://reviews.apache.org/r/74142/#comment313554>

    By convention, package names are in all lowercase letters. Consider renaming this package to "externalretrievers".



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
Lines 41 (patched)
<https://reviews.apache.org/r/74142/#comment313556>

    How about using gson object instantiated at #32, instead of instantiating it for every call to getBearerToken()?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
Lines 48 (patched)
<https://reviews.apache.org/r/74142/#comment313536>

    Ranger libraries use HttpClient library for HTTP calls - https://hc.apache.org/httpcomponents-client-4.5.x/index.html#. To avoid additional dependency on unirest libraries, I suggest using HttpClient library.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
Lines 34 (patched)
<https://reviews.apache.org/r/74142/#comment313544>

    static members encodedSecrets and decodedSecrets are unused. Please review and remove.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/pom.xml
Lines 18 (patched)
<https://reviews.apache.org/r/74142/#comment313535>

    Is this pom.xml file necessary? Please review and remove if unused.


- Madhan Neethiraj


On Sept. 26, 2022, 7:17 p.m., Barbara Eckman wrote:
> 
> (Updated Sept. 26, 2022, 7:17 p.m.)
> 


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Barbara Eckman via Review Board <no...@reviews.apache.org>.

> On Oct. 25, 2022, 7:43 a.m., Madhan Neethiraj wrote:
> >

Did you really mean to remove writeToFile() and encodeSecrets() from the project? I understand moving most of the HandleSecrets methods to getFromURL, but don't we want to give folks the tools to easily write to file secrets that are encoded the way we later decode them?


> On Oct. 25, 2022, 7:43 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerRoleUserStoreRetriever.java
> > Lines 61 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270187#file2270187line61>
> >
> >     A comment here with details of how RangerRoles contents are used to create RangerUserStore object - with an example.

Done.


> On Oct. 25, 2022, 7:43 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerRoleUserStoreRetriever.java
> > Lines 64 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270187#file2270187line64>
> >
> >     Given roleName is initialized in init() method, consider moving compiling pattern to this method - this will help avoid compiling on every call to retrieveUserStoreInfo().

done


> On Oct. 25, 2022, 7:43 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetBearerToken.java
> > Lines 62 (patched)
> > <https://reviews.apache.org/r/74142/diff/2/?file=2271457#file2271457line62>
> >
> >     Did you mean to check if response is null? Shouldn't this be "response == null"?

Done


> On Oct. 25, 2022, 7:43 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java
> > Lines 85 (patched)
> > <https://reviews.apache.org/r/74142/diff/2/?file=2271459#file2271459line85>
> >
> >     Perhaps flattenedAttrMap.put() should be after the for loop at #81?

I think you realized that it was in the right place as is; that's where it is in your patch, I think.


> On Oct. 25, 2022, 7:43 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/RangerExternalUserStoreRetriever.java
> > Lines 56 (patched)
> > <https://reviews.apache.org/r/74142/diff/2/?file=2271462#file2271462line56>
> >
> >     Since the user-store returned by a given instance of RangerExternalUserStoreRetriever always contains the same userAttrMap, it might be useful to instantiate RangerUserStore in init() method itself.

userStore is used in retrieveUserStoreInfo method as well as init, so it needs to be initiated outside.


- Barbara


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224827
-----------------------------------------------------------


On Oct. 21, 2022, 9:09 p.m., Barbara Eckman wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74142/
> -----------------------------------------------------------
> 
> (Updated Oct. 21, 2022, 9:09 p.m.)
> 
> 
> Review request for ranger and madhan.
> 
> 
> Bugs: Ranger-3855
>     https://issues.apache.org/jira/browse/Ranger-3855
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RangerExternalUserStoreRetriever class Ranger-3855
> 
> Ranger version 3.0.0 provides a means, via a context enricher, to add or retrieve attributes to the database of users for whom Ranger controls access. This permits syntax like "Dumbo" in $USER.aliases any Ranger policy condition, including row and tag filters.   This greatly enhances the ability to provide custom Attribute-based Access Control based on the specific business needs of one's organization.
> 
> I believe that the original assumption was that such attributes would be added to AD/LDAP and enter Ranger via regular user sync's. However, this process does not currently work with Azure AD, which many organizations use. Neither does it provide timely support for organizations for whom adding each new attribute to AD would be subject to prolonged scrutiny by overworked security teams.  
> 
> In the spirit of the RangerAdminUserStoreRetriever context enricher, we have written a RangerExternalUserStoreRetriever class which adds arbitrary attributes to Ranger users via external API calls, thus freeing additions to the UserStore from dependency on AD/LDAP.   We have also written a RangerRoleUserStoreRetriever class, which transforms role membership into user attributes, for ease of use in complex policy conditions.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java 4e1d19556 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromDataFile.java 60c7f22f7 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromURL.java 1b9335339 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java c5e13dbba 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/LICENSE  
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/NOTICE  
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/README.md eaf9ae823 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerExternalUserStoreRetriever.java c7ab74bc7 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerRoleUserStoreRetriever.java 9eb50faa3 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/TokenInputs.java b9e1f0185 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/pom.xml d2914dbc0 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetBearerToken.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/HandleSecrets.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/RangerExternalUserStoreRetriever.java PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/74142/diff/2/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Barbara Eckman
> 
>


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Barbara Eckman via Review Board <no...@reviews.apache.org>.

> On Oct. 25, 2022, 7:43 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/RangerExternalUserStoreRetriever.java
> > Lines 56 (patched)
> > <https://reviews.apache.org/r/74142/diff/2/?file=2271462#file2271462line56>
> >
> >     Since the user-store returned by a given instance of RangerExternalUserStoreRetriever always contains the same userAttrMap, it might be useful to instantiate RangerUserStore in init() method itself.
> 
> Barbara Eckman wrote:
>     userStore is used in retrieveUserStoreInfo method as well as init, so it needs to be initiated outside.

Now that the AllRangerUserStoreRetrievers class covers all retrievers, any given instance of it could contain one of 4 userAttrMaps, depending on the retriever used.


- Barbara


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224827
-----------------------------------------------------------


On Nov. 17, 2022, 9:15 p.m., Barbara Eckman wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74142/
> -----------------------------------------------------------
> 
> (Updated Nov. 17, 2022, 9:15 p.m.)
> 
> 
> Review request for ranger and madhan.
> 
> 
> Bugs: Ranger-3855
>     https://issues.apache.org/jira/browse/Ranger-3855
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RangerExternalUserStoreRetriever class Ranger-3855
> 
> Ranger version 3.0.0 provides a means, via a context enricher, to add or retrieve attributes to the database of users for whom Ranger controls access. This permits syntax like "Dumbo" in $USER.aliases any Ranger policy condition, including row and tag filters.   This greatly enhances the ability to provide custom Attribute-based Access Control based on the specific business needs of one's organization.
> 
> I believe that the original assumption was that such attributes would be added to AD/LDAP and enter Ranger via regular user sync's. However, this process does not currently work with Azure AD, which many organizations use. Neither does it provide timely support for organizations for whom adding each new attribute to AD would be subject to prolonged scrutiny by overworked security teams.  
> 
> In the spirit of the RangerAdminUserStoreRetriever context enricher, we have written a RangerExternalUserStoreRetriever class which adds arbitrary attributes to Ranger users via external API calls, thus freeing additions to the UserStore from dependency on AD/LDAP.   We have also written a RangerRoleUserStoreRetriever class, which transforms role membership into user attributes, for ease of use in complex policy conditions.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/LICENSE PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/NOTICE PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/74142/diff/5/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Barbara Eckman
> 
>


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224827
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerRoleUserStoreRetriever.java
Lines 37 (patched)
<https://reviews.apache.org/r/74142/#comment313690>

    userStoreMap => userAttrMapping?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerRoleUserStoreRetriever.java
Lines 61 (patched)
<https://reviews.apache.org/r/74142/#comment313688>

    A comment here with details of how RangerRoles contents are used to create RangerUserStore object - with an example.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerRoleUserStoreRetriever.java
Lines 64 (patched)
<https://reviews.apache.org/r/74142/#comment313689>

    Given roleName is initialized in init() method, consider moving compiling pattern to this method - this will help avoid compiling on every call to retrieveUserStoreInfo().



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetBearerToken.java
Lines 1 (patched)
<https://reviews.apache.org/r/74142/#comment313674>

    License header is missing. Please add.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetBearerToken.java
Lines 62 (patched)
<https://reviews.apache.org/r/74142/#comment313680>

    Did you mean to check if response is null? Shouldn't this be "response == null"?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java
Lines 1 (patched)
<https://reviews.apache.org/r/74142/#comment313675>

    License header is missing. Please add.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java
Lines 15 (patched)
<https://reviews.apache.org/r/74142/#comment313681>

    userAttrMap is used only within getFromDataFile() method. Consider moving this instance member inside getFromDataFile() method.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java
Lines 1 (patched)
<https://reviews.apache.org/r/74142/#comment313676>

    License header is missing. Please add.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java
Lines 24 (patched)
<https://reviews.apache.org/r/74142/#comment313682>

    flattenedAttrMap is used only within getFromURL() method. Consider moving this instance member inside getFromURL() method.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java
Lines 85 (patched)
<https://reviews.apache.org/r/74142/#comment313683>

    Perhaps flattenedAttrMap.put() should be after the for loop at #81?



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/HandleSecrets.java
Lines 1 (patched)
<https://reviews.apache.org/r/74142/#comment313677>

    License header is missing. Please add.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/HandleSecrets.java
Lines 46 (patched)
<https://reviews.apache.org/r/74142/#comment313684>

    verifyToken() is called only within this class. Consider marking this method as private.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/HandleSecrets.java
Lines 60 (patched)
<https://reviews.apache.org/r/74142/#comment313685>

    Consider replacing for loop at #60 with the following:
      if (h.containsKey("Content-Type") &&
          !StringUtils.equalsIgnoreCase(h.get("Content-Type"), "application/x-www-form-urlencoded")) {
        errorMessage += "Content-Type, if specified, must be \"application/x-www-form-urlencoded\"; ";
      }



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md
Lines 1 (patched)
<https://reviews.apache.org/r/74142/#comment313678>

    License header is missing. Please add.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/RangerExternalUserStoreRetriever.java
Lines 1 (patched)
<https://reviews.apache.org/r/74142/#comment313679>

    License header is missing. Please add.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/RangerExternalUserStoreRetriever.java
Lines 14 (patched)
<https://reviews.apache.org/r/74142/#comment313686>

    Following instance members are only used within init() method. Consider moving these as method local.
     - configFile
     - dataFile
     - attrName



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/RangerExternalUserStoreRetriever.java
Lines 56 (patched)
<https://reviews.apache.org/r/74142/#comment313687>

    Since the user-store returned by a given instance of RangerExternalUserStoreRetriever always contains the same userAttrMap, it might be useful to instantiate RangerUserStore in init() method itself.


- Madhan Neethiraj




Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Barbara Eckman via Review Board <no...@reviews.apache.org>.

> On Nov. 18, 2022, 12:29 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
> > Lines 66 (patched)
> > <https://reviews.apache.org/r/74142/diff/5/?file=2271947#file2271947line66>
> >
> >     retrieveUserStoreInfo() returns userStore initialized in init() method. How are changes to user-attributes handled? For example:
> >     1. changes to user-roles assignment
> >     2. changes to attributes in remote server (retrieved via GetFromURL()).
> >     3. changes to attributes loaded from data file (retrieved via GetFromDataFile())

You are right. I moved the assignment of userAttrsMap to userStore to the retrieveUserStoreInfo method. Hopefully that will solve this problem.


> On Nov. 18, 2022, 12:29 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
> > Lines 198 (patched)
> > <https://reviews.apache.org/r/74142/diff/5/?file=2271947#file2271947line198>
> >
> >     Please review and update the package name: com.comcast.dx.ranger.contextenricher.externalretrievers

Sorry, yes, done.


> On Nov. 18, 2022, 12:29 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
> > Lines 222 (patched)
> > <https://reviews.apache.org/r/74142/diff/5/?file=2271947#file2271947line222>
> >
> >     rangerRoles is an instance member, hence it is not necessary to send as method parameter. Please review and update.

Done


> On Nov. 18, 2022, 12:29 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
> > Lines 226 (patched)
> > <https://reviews.apache.org/r/74142/diff/5/?file=2271947#file2271947line226>
> >
> >     gson is unused. Please review and remove.

done.


> On Nov. 18, 2022, 12:29 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md
> > Lines 99 (patched)
> > <https://reviews.apache.org/r/74142/diff/5/?file=2271952#file2271952line99>
> >
> >     roleName here actually refers to the prefix of the roleName in Ranger. Also, roleName here is the name of the user-attribute. Hence, consider renaming this to attrName.
> >     
> >       "retriever2_role": "attrName=salesRegion",
> >       "retriever3_role": "attrName=sensitivityLevel"

Good idea. I need the "." for pattern matching against role names, in case one attrName is a prefix for another one, e.g. these roles: region.northeast and regionSales.northeast.  But (duh) I can add that to the attrName before matching against roles, in the code rather than requiring it in the servicedef.  So I will change this.  Thanks!


> On Nov. 18, 2022, 12:29 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md
> > Lines 132 (patched)
> > <https://reviews.apache.org/r/74142/diff/5/?file=2271952#file2271952line132>
> >
> >     Given each retriever handles a single attribute, 'name' option may not be useful/necessary. Consider the following simplified option string:
> >      "retriever0_api":  "attrName=partner,userStoreURL=http://localhost:8000/security/getPartnersByUser",
> >      "retriever1_api":  "attrName=ownedResources,dataFile=/var/ranger/data/userOwnerResource.txt",
> >      "retriever2_role": "attrName=salesRegion",
> >      "retriever3_role": "attrName=sensitivityLevel"

What you say makes sense.  Originally I had thought the name was useful for documentation, at least. But now each retriever does the same thing: maps a user to an attribute.  So if attrName is given, no additional documentation is needed.
So I made the change.


> On Nov. 18, 2022, 12:29 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md
> > Lines 134 (patched)
> > <https://reviews.apache.org/r/74142/diff/5/?file=2271952#file2271952line134>
> >
> >     serviceType and serviceName are unused. Please review and remove from #134 and #135.

Yes, sorry, I thought I'd fixed that.


- Barbara


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224885
-----------------------------------------------------------




Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224885
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
Lines 66 (patched)
<https://reviews.apache.org/r/74142/#comment313739>

    retrieveUserStoreInfo() returns userStore initialized in init() method. How are changes to user-attributes handled? For example:
    1. changes to user-roles assignment
    2. changes to attributes in remote server (retrieved via GetFromURL()).
    3. changes to attributes loaded from data file (retrieved via GetFromDataFile())



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
Lines 198 (patched)
<https://reviews.apache.org/r/74142/#comment313733>

    Please review and update the package name: com.comcast.dx.ranger.contextenricher.externalretrievers



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
Lines 222 (patched)
<https://reviews.apache.org/r/74142/#comment313734>

    rangerRoles is an instance member, hence it is not necessary to send as method parameter. Please review and update.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
Lines 226 (patched)
<https://reviews.apache.org/r/74142/#comment313735>

    gson is unused. Please review and remove.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md
Lines 99 (patched)
<https://reviews.apache.org/r/74142/#comment313736>

    roleName here actually refers to the prefix of the roleName in Ranger. Also, roleName here is the name of the user-attribute. Hence, consider renaming this to attrName.
    
      "retriever2_role": "attrName=salesRegion",
      "retriever3_role": "attrName=sensitivityLevel"



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md
Lines 132 (patched)
<https://reviews.apache.org/r/74142/#comment313738>

    Given each retriever handles a single attribute, 'name' option may not be useful/necessary. Consider the following simplified option string:
     "retriever0_api":  "attrName=partner,userStoreURL=http://localhost:8000/security/getPartnersByUser",
     "retriever1_api":  "attrName=ownedResources,dataFile=/var/ranger/data/userOwnerResource.txt",
     "retriever2_role": "attrName=salesRegion",
     "retriever3_role": "attrName=sensitivityLevel"



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md
Lines 134 (patched)
<https://reviews.apache.org/r/74142/#comment313737>

    serviceType and serviceName are unused. Please review and remove from #134 and #135.


- Madhan Neethiraj



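The two review points above (compile the role-name pattern once in init() rather than on every retrieveUserStoreInfo() call, and append the "." to attrName in code so that an attrName such as "region" does not also match roles of "regionSales") can be shown in a small stand-alone class. The following is an added illustration, not Ranger's own RangerRoleUserStoreRetriever or AllRangerUserStoreRetrievers code: it models role membership as a plain Map<String, List<String>> (role name to member user names) instead of Ranger's RangerRoles objects, and returns the user-to-attributes map as a plain Map rather than a RangerUserStore; the class and method names, and the sample role names and users, are constructed for the example.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Illustrative role-to-attribute mapper (hypothetical; not Ranger project code).
 * A role named "<attrName>.<value>" grants each of its members the user
 * attribute attrName=value. The pattern is compiled once, when the mapper is
 * created (the init()-time compilation suggested in the review), and the "."
 * separator is added here in code, so the servicedef only needs attrName=salesRegion.
 */
public final class RoleAttrMapper {
    private final String attrName;
    private final Pattern rolePattern;

    public RoleAttrMapper(String attrName) {
        this.attrName = attrName;
        // Anchored pattern: attrName, a literal ".", then the value.
        // Pattern.quote keeps any regex metacharacters in attrName literal.
        // The anchor plus the "." is what stops attrName "region" from
        // matching the unrelated role "regionSales.northeast".
        this.rolePattern = Pattern.compile("^" + Pattern.quote(attrName) + "\\.(.+)$");
    }

    /** Collects members of matching roles: user -> set of attribute values. */
    public Map<String, Set<String>> mapRoles(Map<String, List<String>> roleMembers) {
        Map<String, Set<String>> result = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> role : roleMembers.entrySet()) {
            Matcher m = rolePattern.matcher(role.getKey());
            if (!m.matches()) {
                continue; // role does not belong to this attribute
            }
            String value = m.group(1);
            for (String user : role.getValue()) {
                result.computeIfAbsent(user, k -> new TreeSet<>()).add(value);
            }
        }
        return result;
    }

    /**
     * Renders the result in the user -> {attrName -> "v1,v2"} shape that a
     * user-store attribute mapping takes; multiple values are comma-joined.
     */
    public Map<String, Map<String, String>> toUserAttrMapping(Map<String, List<String>> roleMembers) {
        Map<String, Map<String, String>> out = new LinkedHashMap<>();
        for (Map.Entry<String, Set<String>> e : mapRoles(roleMembers).entrySet()) {
            Map<String, String> attrs = new HashMap<>();
            attrs.put(attrName, String.join(",", e.getValue()));
            out.put(e.getKey(), attrs);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample role membership (not real data).
        Map<String, List<String>> roles = new LinkedHashMap<>();
        roles.put("region.northeast", List.of("alice", "bob"));
        roles.put("region.west", List.of("alice"));
        roles.put("regionSales.northeast", List.of("carol")); // must NOT match attrName "region"
        roles.put("sensitivityLevel.high", List.of("bob"));

        RoleAttrMapper regionMapper = new RoleAttrMapper("region");
        System.out.println("region:      " + regionMapper.toUserAttrMapping(roles));

        RoleAttrMapper salesMapper = new RoleAttrMapper("regionSales");
        System.out.println("regionSales: " + salesMapper.toUserAttrMapping(roles));
    }
}
```

Running main() shows carol under regionSales only and never under region, which is the prefix collision the "." guards against. Following the later point in this thread about retrieveUserStoreInfo() returning a store built once in init(), a real retriever would keep the compiled mapper as an instance member but call toUserAttrMapping() against the current role membership on each retrieveUserStoreInfo() call, so that role changes are reflected in the attributes the policy engine sees.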

Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Barbara Eckman via Review Board <no...@reviews.apache.org>.

> On Nov. 18, 2022, 6:02 p.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
> > Lines 59 (patched)
> > <https://reviews.apache.org/r/74142/diff/6/?file=2271953#file2271953line59>
> >
> >     allUserAttrMap is initialized only in init(), which is called only once. Shouldn't this be updated in retrieveUserStoreInfo() as well?

I made it an instance member, and moved its initialization outside of init() to line 42.  Does that not work?


- Barbara


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224887
-----------------------------------------------------------


On Nov. 18, 2022, 5:45 p.m., Barbara Eckman wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74142/
> -----------------------------------------------------------
> 
> (Updated Nov. 18, 2022, 5:45 p.m.)
> 
> 
> Review request for ranger and madhan.
> 
> 
> Bugs: Ranger-3855
>     https://issues.apache.org/jira/browse/Ranger-3855
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RangerExternalUserStoreRetriever class Ranger-3855
> 
> Ranger version 3.0.0 provides a means, via a context enricher, to add or retrieve attributes to the database of users for whom Ranger controls access. This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy condition, including row and tag filters. This greatly enhances the ability to provide custom Attribute-based Access Control based on the specific business needs of one's organization.
> 
> I believe that the original assumption was that such attributes would be added to AD/LDAP and enter Ranger via regular user syncs. However, this process does not currently work with Azure AD, which many organizations use. Neither does it provide timely support for organizations for whom adding each new attribute to AD would be subject to prolonged scrutiny by overworked security teams.
> 
> In the spirit of the RangerAdminUserStoreRetriever context enricher, we have written a RangerExternalUserStoreRetriever class which adds arbitrary attributes to Ranger users via external API calls, thus freeing additions to the UserStore from dependency on AD/LDAP. We have also written a RangerRoleUserStoreRetriever class, which transforms role membership into user attributes, for ease of use in complex policy conditions.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/LICENSE PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/NOTICE PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/74142/diff/6/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Barbara Eckman
> 
>


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Barbara Eckman via Review Board <no...@reviews.apache.org>.

> On Nov. 18, 2022, 6:02 p.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
> > Lines 59 (patched)
> > <https://reviews.apache.org/r/74142/diff/6/?file=2271953#file2271953line59>
> >
> >     allUserAttrMap is initialized only in init(), which is called only once. Shouldn't this be updated in retrieveUserStoreInfo() as well?
> 
> Barbara Eckman wrote:
>     I made it an instance member, and moved its initialization outside of init() to line 42. Does that not work?

Done.


- Barbara


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224887
-----------------------------------------------------------


On Nov. 28, 2022, 9:45 p.m., Barbara Eckman wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74142/
> -----------------------------------------------------------
> 
> (Updated Nov. 28, 2022, 9:45 p.m.)
> 
> 
> Review request for ranger and madhan.
> 
> 
> Bugs: Ranger-3855
>     https://issues.apache.org/jira/browse/Ranger-3855
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RangerExternalUserStoreRetriever class Ranger-3855
> 
> Ranger version 3.0.0 provides a means, via a context enricher, to add or retrieve attributes to the database of users for whom Ranger controls access. This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy condition, including row and tag filters. This greatly enhances the ability to provide custom Attribute-based Access Control based on the specific business needs of one's organization.
> 
> I believe that the original assumption was that such attributes would be added to AD/LDAP and enter Ranger via regular user syncs. However, this process does not currently work with Azure AD, which many organizations use. Neither does it provide timely support for organizations for whom adding each new attribute to AD would be subject to prolonged scrutiny by overworked security teams.
> 
> In the spirit of the RangerAdminUserStoreRetriever context enricher, we have written a RangerExternalUserStoreRetriever class which adds arbitrary attributes to Ranger users via external API calls, thus freeing additions to the UserStore from dependency on AD/LDAP. We have also written a RangerRoleUserStoreRetriever class, which transforms role membership into user attributes, for ease of use in complex policy conditions.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/LICENSE PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/NOTICE PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/74142/diff/7/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Barbara Eckman
> 
>


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224887
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
Lines 59 (patched)
<https://reviews.apache.org/r/74142/#comment313747>

    allUserAttrMap is initialized only in init(), which is called only once. Shouldn't this be updated in retrieveUserStoreInfo() as well?


- Madhan Neethiraj


On Nov. 18, 2022, 5:45 p.m., Barbara Eckman wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74142/
> -----------------------------------------------------------
> 
> (Updated Nov. 18, 2022, 5:45 p.m.)
> 
> 
> Review request for ranger and madhan.
> 
> 
> Bugs: Ranger-3855
>     https://issues.apache.org/jira/browse/Ranger-3855
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RangerExternalUserStoreRetriever class Ranger-3855
> 
> Ranger version 3.0.0 provides a means, via a context enricher, to add or retrieve attributes to the database of users for whom Ranger controls access. This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy condition, including row and tag filters. This greatly enhances the ability to provide custom Attribute-based Access Control based on the specific business needs of one's organization.
> 
> I believe that the original assumption was that such attributes would be added to AD/LDAP and enter Ranger via regular user syncs. However, this process does not currently work with Azure AD, which many organizations use. Neither does it provide timely support for organizations for whom adding each new attribute to AD would be subject to prolonged scrutiny by overworked security teams.
> 
> In the spirit of the RangerAdminUserStoreRetriever context enricher, we have written a RangerExternalUserStoreRetriever class which adds arbitrary attributes to Ranger users via external API calls, thus freeing additions to the UserStore from dependency on AD/LDAP. We have also written a RangerRoleUserStoreRetriever class, which transforms role membership into user attributes, for ease of use in complex policy conditions.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/LICENSE PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/NOTICE PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/74142/diff/6/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Barbara Eckman
> 
>


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224929
-----------------------------------------------------------


Ship it!

- Madhan Neethiraj


On Nov. 29, 2022, 10:52 p.m., Barbara Eckman wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74142/
> -----------------------------------------------------------
> 
> (Updated Nov. 29, 2022, 10:52 p.m.)
> 
> 
> Review request for ranger and madhan.
> 
> 
> Bugs: Ranger-3855
>     https://issues.apache.org/jira/browse/Ranger-3855
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RangerExternalUserStoreRetriever class Ranger-3855
> 
> Ranger version 3.0.0 provides a means, via a context enricher, to add or retrieve attributes to the database of users for whom Ranger controls access. This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy condition, including row and tag filters. This greatly enhances the ability to provide custom Attribute-based Access Control based on the specific business needs of one's organization.
> 
> I believe that the original assumption was that such attributes would be added to AD/LDAP and enter Ranger via regular user syncs. However, this process does not currently work with Azure AD, which many organizations use. Neither does it provide timely support for organizations for whom adding each new attribute to AD would be subject to prolonged scrutiny by overworked security teams.
> 
> In the spirit of the RangerAdminUserStoreRetriever context enricher, we have written a RangerExternalUserStoreRetriever class which adds arbitrary attributes to Ranger users via external API calls, thus freeing additions to the UserStore from dependency on AD/LDAP. We have also written a RangerRoleUserStoreRetriever class, which transforms role membership into user attributes, for ease of use in complex policy conditions.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/LICENSE PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/NOTICE PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/RangerMultiSourceUserStoreRetriever.java PRE-CREATION 
>   dev-support/spotbugsIncludeFile.xml 3621e8c08 
> 
> 
> Diff: https://reviews.apache.org/r/74142/diff/8/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Barbara Eckman
> 
>


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Barbara Eckman via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/
-----------------------------------------------------------

(Updated Nov. 29, 2022, 10:52 p.m.)


Review request for ranger and madhan.


Bugs: Ranger-3855
    https://issues.apache.org/jira/browse/Ranger-3855


Repository: ranger


Description
-------

RangerExternalUserStoreRetriever class Ranger-3855

Ranger version 3.0.0 provides a means, via a context enricher, to add or retrieve attributes to the database of users for whom Ranger controls access. This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy condition, including row and tag filters. This greatly enhances the ability to provide custom Attribute-based Access Control based on the specific business needs of one's organization.

I believe that the original assumption was that such attributes would be added to AD/LDAP and enter Ranger via regular user syncs. However, this process does not currently work with Azure AD, which many organizations use. Neither does it provide timely support for organizations for whom adding each new attribute to AD would be subject to prolonged scrutiny by overworked security teams.

In the spirit of the RangerAdminUserStoreRetriever context enricher, we have written a RangerExternalUserStoreRetriever class which adds arbitrary attributes to Ranger users via external API calls, thus freeing additions to the UserStore from dependency on AD/LDAP. We have also written a RangerRoleUserStoreRetriever class, which transforms role membership into user attributes, for ease of use in complex policy conditions.


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/LICENSE PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/NOTICE PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/RangerMultiSourceUserStoreRetriever.java PRE-CREATION 
  dev-support/spotbugsIncludeFile.xml 3621e8c08 


Diff: https://reviews.apache.org/r/74142/diff/8/

Changes: https://reviews.apache.org/r/74142/diff/7-8/


Testing
-------


Thanks,

Barbara Eckman


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Barbara Eckman via Review Board <no...@reviews.apache.org>.

> On Nov. 29, 2022, 5 a.m., Madhan Neethiraj wrote:
> >

Thank you for your comments, as always!


> On Nov. 29, 2022, 5 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
> > Lines 39 (patched)
> > <https://reviews.apache.org/r/74142/diff/7/?file=2272183#file2272183line39>
> >
> >     Consider renaming AllRangerUserStoreRetrievers to RangerMultiSourceUserStoreRetriever.

Cool.


> On Nov. 29, 2022, 5 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
> > Lines 42 (patched)
> > <https://reviews.apache.org/r/74142/diff/7/?file=2272183#file2272183line42>
> >
> >     To avoid creation of RangerRoleUtils for every call to retrieveUserStoreInfo(), in #246, consider replacing "RangerRoles rangerRoles" here with "RangerRoleUtil roleUtil". This should be refreshed only when role updates are downloaded in #62.

Yep.


> On Nov. 29, 2022, 5 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
> > Lines 43 (patched)
> > <https://reviews.apache.org/r/74142/diff/7/?file=2272183#file2272183line43>
> >
> >     allUserAttrsMap is used only within retrieveUserStoreInfo(). Consider moving #43 to within this method i.e. avoid instance member.

Yep, I thought of that last night after I uploaded the Diff.


> On Nov. 29, 2022, 5 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
> > Lines 44 (patched)
> > <https://reviews.apache.org/r/74142/diff/7/?file=2272183#file2272183line44>
> >
> >     enricherOptionsMap => retrieverOptions

Yep. That name was from a much earlier version and never updated.


> On Nov. 29, 2022, 5 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
> > Lines 62 (patched)
> > <https://reviews.apache.org/r/74142/diff/7/?file=2272183#file2272183line62>
> >
> >     Consider sending existing roles version to getRolesIfUpdated() so that roles will be downloaded from Ranger only when there are updates.

Good.


> On Nov. 29, 2022, 5 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java
> > Lines 55 (patched)
> > <https://reviews.apache.org/r/74142/diff/7/?file=2272185#file2272185line55>
> >
> >     To ensure httpClient is closed, consider moving #55 to within try() at #62.

Good.


- Barbara


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224914
-----------------------------------------------------------


On Nov. 28, 2022, 9:45 p.m., Barbara Eckman wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74142/
> -----------------------------------------------------------
> 
> (Updated Nov. 28, 2022, 9:45 p.m.)
> 
> 
> Review request for ranger and madhan.
> 
> 
> Bugs: Ranger-3855
>     https://issues.apache.org/jira/browse/Ranger-3855
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RangerExternalUserStoreRetriever class Ranger-3855
> 
> Ranger version 3.0.0 provides a means, via a context enricher, to add or retrieve attributes to the database of users for whom Ranger controls access. This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy condition, including row and tag filters. This greatly enhances the ability to provide custom Attribute-based Access Control based on the specific business needs of one's organization.
> 
> I believe that the original assumption was that such attributes would be added to AD/LDAP and enter Ranger via regular user syncs. However, this process does not currently work with Azure AD, which many organizations use. Neither does it provide timely support for organizations for whom adding each new attribute to AD would be subject to prolonged scrutiny by overworked security teams.
> 
> In the spirit of the RangerAdminUserStoreRetriever context enricher, we have written a RangerExternalUserStoreRetriever class which adds arbitrary attributes to Ranger users via external API calls, thus freeing additions to the UserStore from dependency on AD/LDAP. We have also written a RangerRoleUserStoreRetriever class, which transforms role membership into user attributes, for ease of use in complex policy conditions.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/LICENSE PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/NOTICE PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/74142/diff/7/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Barbara Eckman
> 
>


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224914
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
Lines 39 (patched)
<https://reviews.apache.org/r/74142/#comment313759>

    Consider renaming AllRangerUserStoreRetrievers to RangerMultiSourceUserStoreRetriever.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
Lines 42 (patched)
<https://reviews.apache.org/r/74142/#comment313763>

    To avoid creation of RangerRoleUtils for every call to retrieveUserStoreInfo(), in #246, consider replacing "RangerRoles rangerRoles" here with "RangerRoleUtil roleUtil". This should be refreshed only when role updates are downloaded in #62.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
Lines 43 (patched)
<https://reviews.apache.org/r/74142/#comment313761>

    allUserAttrsMap is used only within retrieveUserStoreInfo(). Consider moving #43 to within this method i.e. avoid instance member.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
Lines 44 (patched)
<https://reviews.apache.org/r/74142/#comment313762>

    enricherOptionsMap => retrieverOptions



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
Lines 62 (patched)
<https://reviews.apache.org/r/74142/#comment313764>

    Consider sending existing roles version to getRolesIfUpdated() so that roles will be downloaded from Ranger only when there are updates.



agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java
Lines 55 (patched)
<https://reviews.apache.org/r/74142/#comment313760>

    To ensure httpClient is closed, consider moving #55 to within try() at #62.


- Madhan Neethiraj


On Nov. 28, 2022, 9:45 p.m., Barbara Eckman wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74142/
> -----------------------------------------------------------
> 
> (Updated Nov. 28, 2022, 9:45 p.m.)
> 
> 
> Review request for ranger and madhan.
> 
> 
> Bugs: Ranger-3855
>     https://issues.apache.org/jira/browse/Ranger-3855
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RangerExternalUserStoreRetriever class Ranger-3855
> 
> Ranger version 3.0.0 provides a means, via a context enricher, to add or retrieve attributes to the database of users for whom Ranger controls access. This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy condition, including row and tag filters. This greatly enhances the ability to provide custom Attribute-based Access Control based on the specific business needs of one's organization.
> 
> I believe that the original assumption was that such attributes would be added to AD/LDAP and enter Ranger via regular user syncs. However, this process does not currently work with Azure AD, which many organizations use. Neither does it provide timely support for organizations for whom adding each new attribute to AD would be subject to prolonged scrutiny by overworked security teams.
> 
> In the spirit of the RangerAdminUserStoreRetriever context enricher, we have written a RangerExternalUserStoreRetriever class which adds arbitrary attributes to Ranger users via external API calls, thus freeing additions to the UserStore from dependency on AD/LDAP. We have also written a RangerRoleUserStoreRetriever class, which transforms role membership into user attributes, for ease of use in complex policy conditions.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/LICENSE PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/NOTICE PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/74142/diff/7/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Barbara Eckman
> 
>
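
The review points raised in this thread (build the per-cycle attribute map inside retrieveUserStoreInfo() rather than once in init(), hold a role index that is refreshed only when Ranger reports a newer roles version, and create the HTTP client inside try() so it is always closed) put together in one class. This is an added illustration written for this page, not code from the Ranger patch or from the Ranger project: every class and interface name in it (RolesSnapshot, RoleIndex, RoleSource, AttributeSource, fetchBody) is a hypothetical stand-in for the corresponding Ranger type, and the HTTP part assumes Apache HttpClient 4.x on the classpath. It compiles with Java 8 or later, and main() runs offline on constructed data.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.*;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

/** Illustration only, not Ranger's code; every type below is a hypothetical stand-in. */
public class MultiSourceUserStoreRetrieverExample {

    /** Roles as downloaded from Ranger Admin: a version plus role name -> member users. */
    static final class RolesSnapshot {
        final long version;
        final Map<String, Set<String>> roleMembers;
        RolesSnapshot(long version, Map<String, Set<String>> roleMembers) {
            this.version = version;
            this.roleMembers = roleMembers;
        }
    }
    /** Inverted index user -> roles (stand-in for RangerRoleUtil), built once per roles version. */
    static final class RoleIndex {
        final long version;
        final Map<String, Set<String>> userRoles = new HashMap<>();
        RoleIndex(RolesSnapshot snapshot) {
            version = snapshot.version;
            snapshot.roleMembers.forEach((role, users) -> users.forEach(
                u -> userRoles.computeIfAbsent(u, k -> new HashSet<>()).add(role)));
        }
    }
    /** Returns a newer snapshot, or null when knownVersion is current (like getRolesIfUpdated). */
    interface RoleSource { RolesSnapshot getRolesIfUpdated(long knownVersion); }
    /** An external attribute source: user -> (attribute name -> value). */
    interface AttributeSource { Map<String, Map<String, String>> fetch() throws IOException; }

    private final RoleSource roleSource;
    private final List<AttributeSource> attributeSources;
    private RoleIndex roleIndex;   // kept between calls; replaced only when the roles version changes

    MultiSourceUserStoreRetrieverExample(RoleSource roleSource, List<AttributeSource> sources) {
        this.roleSource = roleSource;
        this.attributeSources = sources;
    }

    /** Runs on every refresh cycle and returns a freshly built user -> attributes map. */
    public Map<String, Map<String, String>> retrieveUserStoreInfo() throws IOException {
        // Local to this call: a user removed upstream vanishes from the next UserStore instead of
        // surviving in a field that init() populated once.
        Map<String, Map<String, String>> allUserAttrs = new HashMap<>();
        // Send the version already held, so roles cross the wire only when they actually changed.
        long knownVersion = (roleIndex == null) ? -1L : roleIndex.version;
        RolesSnapshot updated = roleSource.getRolesIfUpdated(knownVersion);
        if (updated != null) {
            roleIndex = new RoleIndex(updated);
        }
        if (roleIndex != null) {
            roleIndex.userRoles.forEach((user, roles) -> allUserAttrs
                .computeIfAbsent(user, k -> new HashMap<>())
                .put("roles", String.join(",", new TreeSet<>(roles))));
        }
        for (AttributeSource source : attributeSources) {
            source.fetch().forEach((user, attrs) ->
                allUserAttrs.computeIfAbsent(user, k -> new HashMap<>()).putAll(attrs));
        }
        return allUserAttrs;
    }

    /** GET with a bearer token (Apache HttpClient 4.x); client and response both live inside try(). */
    static String fetchBody(String url, String bearerToken) throws IOException {
        HttpGet get = new HttpGet(url);
        get.setHeader("Authorization", "Bearer " + bearerToken);
        // Both resources close on every exit path, including an exception thrown by execute().
        try (CloseableHttpClient httpClient = HttpClients.createDefault();
             CloseableHttpResponse response = httpClient.execute(get)) {
            int status = response.getStatusLine().getStatusCode();
            if (status != 200) {
                throw new IOException("attribute endpoint returned HTTP " + status);
            }
            return EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8);
        }
    }

    /** Offline demo on constructed data: two refresh cycles, one roles download. */
    public static void main(String[] args) throws IOException {
        RolesSnapshot snapshot = new RolesSnapshot(7L, Collections.singletonMap(
            "finance_readers", new HashSet<>(Arrays.asList("alice", "bob"))));
        int[] downloads = {0};
        RoleSource roles = known -> {
            if (known >= snapshot.version) return null;
            downloads[0]++;
            return snapshot;
        };
        AttributeSource aliases = () ->
            Collections.singletonMap("alice", Collections.singletonMap("aliases", "Dumbo"));
        MultiSourceUserStoreRetrieverExample retriever =
            new MultiSourceUserStoreRetrieverExample(roles, Arrays.asList(aliases));
        System.out.println(retriever.retrieveUserStoreInfo());
        System.out.println(retriever.retrieveUserStoreInfo());
        System.out.println("roles downloaded " + downloads[0] + " time(s)");
    }
}
```

Running main() builds the merged map twice but downloads roles once: the second refresh passes version 7 back to the role source, which answers null, so the cached RoleIndex is reused while the attribute map itself is rebuilt from scratch. fetchBody() is not exercised offline; its point is that the client is declared in the try-with-resources header, so a failed execute() cannot leak it.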


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Barbara Eckman via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/
-----------------------------------------------------------

(Updated Nov. 28, 2022, 9:45 p.m.)


Review request for ranger and madhan.


Changes
-------

refactor AllRetrievers to move population of userStore from init() to retrieveUserStoreInfo


Bugs: Ranger-3855
    https://issues.apache.org/jira/browse/Ranger-3855


Repository: ranger


Description
-------

RangerExternalUserStoreRetriever class Ranger-3855

Ranger version 3.0.0 provides a means, via a context enricher, to add or retrieve attributes to the database of users for whom Ranger controls access. This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy condition, including row and tag filters. This greatly enhances the ability to provide custom Attribute-based Access Control based on the specific business needs of one's organization.

I believe that the original assumption was that such attributes would be added to AD/LDAP and enter Ranger via regular user syncs. However, this process does not currently work with Azure AD, which many organizations use. Neither does it provide timely support for organizations for whom adding each new attribute to AD would be subject to prolonged scrutiny by overworked security teams.

In the spirit of the RangerAdminUserStoreRetriever context enricher, we have written a RangerExternalUserStoreRetriever class which adds arbitrary attributes to Ranger users via external API calls, thus freeing additions to the UserStore from dependency on AD/LDAP. We have also written a RangerRoleUserStoreRetriever class, which transforms role membership into user attributes, for ease of use in complex policy conditions.


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/LICENSE PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/NOTICE PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md PRE-CREATION 


Diff: https://reviews.apache.org/r/74142/diff/7/

Changes: https://reviews.apache.org/r/74142/diff/6-7/


Testing
-------


Thanks,

Barbara Eckman


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Barbara Eckman via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/
-----------------------------------------------------------

(Updated Nov. 18, 2022, 5:45 p.m.)


Review request for ranger and madhan.


Bugs: Ranger-3855
    https://issues.apache.org/jira/browse/Ranger-3855


Repository: ranger


Description
-------

RangerExternalUserStoreRetriever class Ranger-3855

Ranger version 3.0.0 provides a means, via a context enricher, to add or retrieve attributes to the database of users for whom Ranger controls access. This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy condition, including row and tag filters. This greatly enhances the ability to provide custom Attribute-based Access Control based on the specific business needs of one's organization.

I believe that the original assumption was that such attributes would be added to AD/LDAP and enter Ranger via regular user syncs. However, this process does not currently work with Azure AD, which many organizations use. Neither does it provide timely support for organizations for whom adding each new attribute to AD would be subject to prolonged scrutiny by overworked security teams.

In the spirit of the RangerAdminUserStoreRetriever context enricher, we have written a RangerExternalUserStoreRetriever class which adds arbitrary attributes to Ranger users via external API calls, thus freeing additions to the UserStore from dependency on AD/LDAP. We have also written a RangerRoleUserStoreRetriever class, which transforms role membership into user attributes, for ease of use in complex policy conditions.


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/LICENSE PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/NOTICE PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md PRE-CREATION 


Diff: https://reviews.apache.org/r/74142/diff/6/

Changes: https://reviews.apache.org/r/74142/diff/5-6/


Testing
-------


Thanks,

Barbara Eckman


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Barbara Eckman via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/
-----------------------------------------------------------

(Updated Nov. 17, 2022, 9:15 p.m.)


Review request for ranger and madhan.


Bugs: Ranger-3855
    https://issues.apache.org/jira/browse/Ranger-3855


Repository: ranger


Description
-------

RangerExternalUserStoreRetriever class Ranger-3855

Ranger version 3.0.0 provides a means, via a context enricher, to add or retrieve attributes to the database of users for whom Ranger controls access. This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy condition, including row and tag filters. This greatly enhances the ability to provide custom Attribute-based Access Control based on the specific business needs of one's organization.

I believe that the original assumption was that such attributes would be added to AD/LDAP and enter Ranger via regular user syncs. However, this process does not currently work with Azure AD, which many organizations use. Neither does it provide timely support for organizations for whom adding each new attribute to AD would be subject to prolonged scrutiny by overworked security teams.

In the spirit of the RangerAdminUserStoreRetriever context enricher, we have written a RangerExternalUserStoreRetriever class which adds arbitrary attributes to Ranger users via external API calls, thus freeing additions to the UserStore from dependency on AD/LDAP. We have also written a RangerRoleUserStoreRetriever class, which transforms role membership into user attributes, for ease of use in complex policy conditions.


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/LICENSE PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/NOTICE PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md PRE-CREATION 


Diff: https://reviews.apache.org/r/74142/diff/5/

Changes: https://reviews.apache.org/r/74142/diff/4-5/


Testing
-------


Thanks,

Barbara Eckman


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Barbara Eckman via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/
-----------------------------------------------------------

(Updated Nov. 3, 2022, 5:36 p.m.)


Review request for ranger and madhan.


Bugs: Ranger-3855
    https://issues.apache.org/jira/browse/Ranger-3855


Repository: ranger


Description
-------

RangerExternalUserStoreRetriever class Ranger-3855

Ranger version 3.0.0 provides a means, via a context enricher, to add or retrieve attributes to the database of users for whom Ranger controls access. This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy condition, including row and tag filters. This greatly enhances the ability to provide custom Attribute-based Access Control based on the specific business needs of one's organization.

I believe that the original assumption was that such attributes would be added to AD/LDAP and enter Ranger via regular user syncs. However, this process does not currently work with Azure AD, which many organizations use. Neither does it provide timely support for organizations for whom adding each new attribute to AD would be subject to prolonged scrutiny by overworked security teams.

In the spirit of the RangerAdminUserStoreRetriever context enricher, we have written a RangerExternalUserStoreRetriever class which adds arbitrary attributes to Ranger users via external API calls, thus freeing additions to the UserStore from dependency on AD/LDAP. We have also written a RangerRoleUserStoreRetriever class, which transforms role membership into user attributes, for ease of use in complex policy conditions.


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/LICENSE PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/NOTICE PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md PRE-CREATION 
  dev-support/spotbugsIncludeFile.xml 3621e8c08 
  plugin-nestedstructure/README.md ea878f6a2 


Diff: https://reviews.apache.org/r/74142/diff/4/

Changes: https://reviews.apache.org/r/74142/diff/3-4/


Testing
-------


Thanks,

Barbara Eckman


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Barbara Eckman via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/
-----------------------------------------------------------

(Updated Nov. 2, 2022, 8:18 p.m.)


Review request for ranger and madhan.


Changes
-------

Here's what I hope will be close to the final revision: I refactored into a single userStoreRetriever class that calls methods to accommodate multiple userStoreRetriever enrichers of the two currently supported source types: "api" (formerly "external") and "role" (roles-based).


Bugs: Ranger-3855
    https://issues.apache.org/jira/browse/Ranger-3855


Repository: ranger


Description
-------

RangerExternalUserStoreRetriever class Ranger-3855

Ranger version 3.0.0 provides a means, via a context enricher, to add or retrieve attributes to the database of users for whom Ranger controls access. This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy condition, including row and tag filters. This greatly enhances the ability to provide custom Attribute-based Access Control based on the specific business needs of one's organization.

I believe that the original assumption was that such attributes would be added to AD/LDAP and enter Ranger via regular user syncs. However, this process does not currently work with Azure AD, which many organizations use. Neither does it provide timely support for organizations for whom adding each new attribute to AD would be subject to prolonged scrutiny by overworked security teams.

In the spirit of the RangerAdminUserStoreRetriever context enricher, we have written a RangerExternalUserStoreRetriever class which adds arbitrary attributes to Ranger users via external API calls, thus freeing additions to the UserStore from dependency on AD/LDAP. We have also written a RangerRoleUserStoreRetriever class, which transforms role membership into user attributes, for ease of use in complex policy conditions.


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/LICENSE PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/NOTICE PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md PRE-CREATION 
  dev-support/spotbugsIncludeFile.xml 3621e8c08 
  plugin-nestedstructure/README.md ea878f6a2 


Diff: https://reviews.apache.org/r/74142/diff/3/

Changes: https://reviews.apache.org/r/74142/diff/2-3/


Testing
-------


Thanks,

Barbara Eckman


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Barbara Eckman via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/
-----------------------------------------------------------

(Updated Oct. 21, 2022, 9:09 p.m.)


Review request for ranger and madhan.


Changes
-------

Added a new diff. I guess since the package name changed, or because of how I updated this repo from my working repo, the diff just shows deleted files and new files. There is also a lot of refactoring between diff 1 and diff 2. If this diff is not acceptable, let me know. (I might also need help on how to do better at updating this repo from my working repo.) I'm sorry if I'm causing undue inconvenience.


Bugs: Ranger-3855
    https://issues.apache.org/jira/browse/Ranger-3855


Repository: ranger


Description
-------

RangerExternalUserStoreRetriever class Ranger-3855

Ranger version 3.0.0 provides a means, via a context enricher, to add or retrieve attributes to the database of users for whom Ranger controls access. This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy condition, including row and tag filters. This greatly enhances the ability to provide custom Attribute-based Access Control based on the specific business needs of one's organization.

I believe that the original assumption was that such attributes would be added to AD/LDAP and enter Ranger via regular user syncs. However, this process does not currently work with Azure AD, which many organizations use. Neither does it provide timely support for organizations for whom adding each new attribute to AD would be subject to prolonged scrutiny by overworked security teams.

In the spirit of the RangerAdminUserStoreRetriever context enricher, we have written a RangerExternalUserStoreRetriever class which adds arbitrary attributes to Ranger users via external API calls, thus freeing additions to the UserStore from dependency on AD/LDAP. We have also written a RangerRoleUserStoreRetriever class, which transforms role membership into user attributes, for ease of use in complex policy conditions.


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java 4e1d19556 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromDataFile.java 60c7f22f7 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromURL.java 1b9335339 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java c5e13dbba 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/LICENSE  
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/NOTICE  
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/README.md eaf9ae823 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerExternalUserStoreRetriever.java c7ab74bc7 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerRoleUserStoreRetriever.java 9eb50faa3 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/TokenInputs.java b9e1f0185 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/pom.xml d2914dbc0 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetBearerToken.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/HandleSecrets.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/RangerExternalUserStoreRetriever.java PRE-CREATION 


Diff: https://reviews.apache.org/r/74142/diff/2/

Changes: https://reviews.apache.org/r/74142/diff/1-2/


Testing
-------


Thanks,

Barbara Eckman


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Barbara Eckman via Review Board <no...@reviews.apache.org>.

> On Oct. 15, 2022, 4:17 p.m., Don Bosco Durai wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
> > Lines 44 (patched)
> > <https://reviews.apache.org/r/74142/diff/1/?file=2270179#file2270179line44>
> >
> >     Yes, it was a question. I was not sure whether what we are printing would have sensitive information. If it doesn't, the suggestion is not to print them. The reason being, it is common for applications to be configured to DEBUG level during troubleshooting sessions, and also in some cases these logs are sent to external systems like DataDog (in the cloud) or other log aggregation tools, and it would be difficult to enforce any policies in those tools.

I removed debug logging for sensitive info everywhere. It will make debugging harder but I agree it is necessary.


- Barbara


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224797
-----------------------------------------------------------


On Nov. 3, 2022, 5:36 p.m., Barbara Eckman wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74142/
> -----------------------------------------------------------
> 
> (Updated Nov. 3, 2022, 5:36 p.m.)
> 
> 
> Review request for ranger and madhan.
> 
> 
> Bugs: Ranger-3855
>     https://issues.apache.org/jira/browse/Ranger-3855
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RangerExternalUserStoreRetriever class Ranger-3855
> 
> Ranger version 3.0.0 provides a means, via a context enricher, to add or retrieve attributes to the database of users for whom Ranger controls access. This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy condition, including row and tag filters. This greatly enhances the ability to provide custom Attribute-based Access Control based on the specific business needs of one's organization.
> 
> I believe that the original assumption was that such attributes would be added to AD/LDAP and enter Ranger via regular user syncs. However, this process does not currently work with Azure AD, which many organizations use. Neither does it provide timely support for organizations for whom adding each new attribute to AD would be subject to prolonged scrutiny by overworked security teams.
> 
> In the spirit of the RangerAdminUserStoreRetriever context enricher, we have written a RangerExternalUserStoreRetriever class which adds arbitrary attributes to Ranger users via external API calls, thus freeing additions to the UserStore from dependency on AD/LDAP. We have also written a RangerRoleUserStoreRetriever class, which transforms role membership into user attributes, for ease of use in complex policy conditions.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/LICENSE PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/NOTICE PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md PRE-CREATION 
>   dev-support/spotbugsIncludeFile.xml 3621e8c08 
>   plugin-nestedstructure/README.md ea878f6a2 
> 
> 
> Diff: https://reviews.apache.org/r/74142/diff/4/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Barbara Eckman
> 
>


Re: Review Request 74142: RangerExternalUserStoreRetriever class Ranger-3855

Posted by Don Bosco Durai <bo...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224797
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
Lines 44 (patched)
<https://reviews.apache.org/r/74142/#comment313628>

    Yes, it was a question. I was not sure whether what we are printing would have sensitive information. If it doesn't, the suggestion is not to print them. The reason being, it is common for applications to be configured to DEBUG level during troubleshooting sessions, and also in some cases these logs are sent to external systems like DataDog (in the cloud) or other log aggregation tools, and it would be difficult to enforce any policies in those tools.


- Don Bosco Durai


On Sept. 26, 2022, 7:17 p.m., Barbara Eckman wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74142/
> -----------------------------------------------------------
> 
> (Updated Sept. 26, 2022, 7:17 p.m.)
> 
> 
> Review request for ranger and madhan.
> 
> 
> Bugs: Ranger-3855
>     https://issues.apache.org/jira/browse/Ranger-3855
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> RangerExternalUserStoreRetriever class Ranger-3855
> 
> Ranger version 3.0.0 provides a means, via a context enricher, to add or retrieve attributes to the database of users for whom Ranger controls access. This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy condition, including row and tag filters. This greatly enhances the ability to provide custom Attribute-based Access Control based on the specific business needs of one's organization.
> 
> I believe that the original assumption was that such attributes would be added to AD/LDAP and enter Ranger via regular user syncs. However, this process does not currently work with Azure AD, which many organizations use. Neither does it provide timely support for organizations for whom adding each new attribute to AD would be subject to prolonged scrutiny by overworked security teams.
> 
> In the spirit of the RangerAdminUserStoreRetriever context enricher, we have written a RangerExternalUserStoreRetriever class which adds arbitrary attributes to Ranger users via external API calls, thus freeing additions to the UserStore from dependency on AD/LDAP. We have also written a RangerRoleUserStoreRetriever class, which transforms role membership into user attributes, for ease of use in complex policy conditions.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromDataFile.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromURL.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/LICENSE PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/NOTICE PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/README.md PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerExternalUserStoreRetriever.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerRoleUserStoreRetriever.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/TokenInputs.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/pom.xml PRE-CREATION 
>   plugin-nestedstructure/README.md ea878f6a2 
> 
> 
> Diff: https://reviews.apache.org/r/74142/diff/1/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Barbara Eckman
> 
>
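The review comment above on GetBearerToken.java, and the reply that DEBUG logging of sensitive values was removed, describe a pattern worth showing concretely: a retriever that fetches credentials from an external endpoint should be able to log that it did so, at any level, without the credential value ever reaching a log aggregator. The following Java class is an added example written for this thread; it is not code from the Ranger patch under review, and the configuration keys, the sample values and the class name SafeTokenLogging are all constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example, not part of the Ranger patch: helpers that produce log-safe
// descriptions of secrets so that DEBUG output shipped to external log tools
// never contains a usable credential.
public final class SafeTokenLogging {

    // Key-name fragments that mark a configuration value as sensitive.
    // These are illustrative; the real retriever's property names are not on this page.
    private static final Set<String> SENSITIVE_KEY_FRAGMENTS =
            new HashSet<>(Arrays.asList("password", "secret", "token", "apikey"));

    private SafeTokenLogging() {
    }

    // Describe a secret for a log line: only whether it is present and how long it is.
    // Length is enough to diagnose "empty token" or "truncated token" problems
    // without revealing any part of the value.
    public static String describeSecret(String secret) {
        if (secret == null || secret.isEmpty()) {
            return "<absent>";
        }
        return "<redacted len=" + secret.length() + ">";
    }

    // Match key names case-insensitively, ignoring '_' and '-' so that
    // client_secret, CLIENT-SECRET and clientSecret are all treated alike.
    public static boolean isSensitiveKey(String key) {
        String normalized = key.toLowerCase().replace("_", "").replace("-", "");
        for (String fragment : SENSITIVE_KEY_FRAGMENTS) {
            if (normalized.contains(fragment)) {
                return true;
            }
        }
        return false;
    }

    // Return a copy of a configuration map that is safe to dump at DEBUG level:
    // sensitive values are replaced by their redacted description.
    public static Map<String, String> redactConfig(Map<String, String> config) {
        Map<String, String> safe = new HashMap<>();
        for (Map.Entry<String, String> e : config.entrySet()) {
            String key = e.getKey();
            safe.put(key, isSensitiveKey(key) ? describeSecret(e.getValue()) : e.getValue());
        }
        return safe;
    }

    // Summarize a token-endpoint response for a log line: HTTP status and whether
    // the body carried an access_token field, never the body itself.
    public static String summarizeTokenResponse(int status, String body) {
        boolean hasToken = body != null && body.contains("\"access_token\"");
        return "token endpoint responded status=" + status + " access_token_present=" + hasToken;
    }

    public static void main(String[] args) {
        // Constructed sample configuration and response; not values from the patch.
        Map<String, String> config = new HashMap<>();
        config.put("authEndpoint", "https://idp.example.invalid/oauth2/token");
        config.put("client_id", "ranger-userstore");
        config.put("client_secret", "s3cr3t-value-do-not-log");
        String responseBody = "{\"access_token\":\"constructed.token.value\",\"expires_in\":3600}";

        // These strings are what a retriever may emit even at DEBUG level.
        System.out.println("config=" + redactConfig(config));
        System.out.println(summarizeTokenResponse(200, responseBody));
        System.out.println("bearer token: " + describeSecret("constructed.token.value"));
    }
}
```

The key matching deliberately errs toward redaction: any key containing "token" is masked even when the value is not secret, which is the cheaper mistake. The harder case the review comment points at is the raw HTTP response from the token endpoint; summarizing it by status and field presence, as summarizeTokenResponse does, keeps the diagnostic value while ensuring that a log line forwarded to a third-party aggregator cannot be replayed as a credential.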