Posted to dev@ranger.apache.org by Pradeep Agrawal <pr...@gmail.com> on 2022/06/17 11:41:24 UTC

Review Request 74029: RANGER-3795: Fix java patch J10033 and J10046 failure

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74029/
-----------------------------------------------------------

Review request for ranger, bhavik patel, Dhaval Shah, Abhay Kulkarni, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-3795
    https://issues.apache.org/jira/browse/RANGER-3795


Repository: ranger


Description
-------

**Problem Statement:** During kafka policy porting to the new db schema via java patch PatchForMigratingOldRegimePolicyJson_J10046, it finds a kafka default policy which has the users kafka and rangerlookup in it. If these users do not exist in ranger-admin, then ranger policy porting to the new schema may fail.

Note: The issue is observed only when the older version of the ranger installation does not have PatchForMigratingOldRegimePolicyJson_J10046 applied in it.

**Proposed solution:** Earlier, Ranger had a restriction that the policy user should be created before policy creation, but in the current version the ranger policy creation API can create the policy user if it does not exist in the ranger db.
During the porting/migrating of the ranger policy to the new ranger db schema we can add the same implementation to avoid any upgrade failure and make the ranger upgrade step consistent with run time behavior.

I have also made similar changes in the older patches J10019 and J10033.


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 4f2527223 
  security-admin/src/main/java/org/apache/ranger/patch/PatchForKafkaServiceDefUpdate_J10033.java 9302c130f 
  security-admin/src/main/java/org/apache/ranger/patch/PatchForMigratingOldRegimePolicyJson_J10046.java 74ea7b2c6 
  security-admin/src/main/java/org/apache/ranger/patch/PatchForUpdatingPolicyJson_J10019.java 6dcf3f264 


Diff: https://reviews.apache.org/r/74029/diff/1/


Testing
-------

1) Installed ranger from a 1.x branch build and created a kafka service and policy in it without the "kafka" or "rangerlookup" in the kafka service or policy.
2) Applied the patch on the Apache ranger master branch, built and generated the tar file.
3) Untar the ranger admin and provide the same config which was used in the ranger 1.x version (refer to step 1 above).
4) Run the setup.sh script and it will apply all the java patches without any failure.
5) Restart ranger-admin and check the kafka service policies.


Thanks,

Pradeep Agrawal


Re: Review Request 74029: RANGER-3795: Fix java patch J10033 and J10046 failure

Posted by Mehul Parikh <xs...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74029/#review224524
-----------------------------------------------------------


Ship it!




Ship It!

- Mehul Parikh




Re: Review Request 74029: RANGER-3795: Fix java patch J10033 and J10046 failure

Posted by Pradeep Agrawal <pr...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74029/#review224517
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
Line 2495 (original), 2495 (patched)
<https://reviews.apache.org/r/74029/#comment313266>

    Please review this line.
    Without this change the user is not getting created during patch execution, but the user is created only after the patch execution fails or completes. Hence review this and please find if there will be any impact of this change.


- Pradeep Agrawal

