Posted to commits@ranger.apache.org by pr...@apache.org on 2020/12/04 15:51:21 UTC

[ranger] branch master updated (7b82a84 -> 4195eab)

This is an automated email from the ASF dual-hosted git repository.

pradeep pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git.


    from 7b82a84  RANGER-2927: updated description for apache-ranger PyPi project
     new cbd4cdb  RANGER-3092: KMS fails to start with NullPointerException in catalina.out logs
     new 9146836  RANGER-3095: not able to list the keys with a user whose id contains non latin character
     new 4195eab  RANGER-3033: hive authorior should impl getRoleGrantInfoForPrincipal() interface

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../ranger/server/tomcat/EmbeddedServer.java       | 12 ++++--
 .../hive/authorizer/RangerHiveAuthorizer.java      | 48 ++++++++++++++++++++++
 kms/scripts/ranger-kms                             |  3 +-
 .../main/java/org/apache/ranger/biz/KmsKeyMgr.java | 19 +++++----
 .../java/org/apache/ranger/common/StringUtil.java  |  7 ++++
 .../main/java/org/apache/ranger/rest/XKeyREST.java |  8 ++--
 .../ranger/tagsync/process/TagSynchronizer.java    | 12 ++++--
 .../authentication/UnixAuthenticationService.java  | 12 ++++--
 8 files changed, 98 insertions(+), 23 deletions(-)


[ranger] 02/03: RANGER-3095: not able to list the keys with a user whose id contains non latin character

Posted by pr...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit 9146836b281fc7342250f57b40f612060afadb52
Author: mateenmansoori <ma...@gmail.com>
AuthorDate: Wed Dec 2 13:25:25 2020 +0530

    RANGER-3095: not able to list the keys with a user whose id contains non latin character
    
    Signed-off-by: pradeep <pr...@apache.org>
---
 .../main/java/org/apache/ranger/biz/KmsKeyMgr.java    | 19 ++++++++++---------
 .../java/org/apache/ranger/common/StringUtil.java     |  7 +++++++
 .../main/java/org/apache/ranger/rest/XKeyREST.java    |  8 ++++----
 3 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
index 8582eeb..2890cc5 100755
--- a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
@@ -106,12 +106,12 @@ public class KmsKeyMgr {
 	
 	@Autowired
 	RangerDaoManagerBase rangerDaoManagerBase;
-	
+
         @Autowired
         RangerBizUtil rangerBizUtil;
 
 	@SuppressWarnings("unchecked")
-	public VXKmsKeyList searchKeys(HttpServletRequest request, String repoName) throws Exception{
+	public VXKmsKeyList searchKeys(HttpServletRequest request, String repoName) throws Exception {
 		String providers[] = null;
 		try {
 			providers = getKMSURL(repoName);
@@ -131,7 +131,7 @@ public class KmsKeyMgr {
 		if(providers!=null){
 			for (int i = 0; i < providers.length; i++) {
 				Client c = getClient();
-				String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
+				String currentUserLoginId = StringUtil.getUTFEncodedString(ContextUtil.getCurrentUserLoginId());
 				String keyLists = KMS_KEY_LIST_URI.replaceAll(
 						Pattern.quote("${userName}"), currentUserLoginId);
 				connProvider = providers[i];
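Review bot: The reason for encoding the login id is not documented at the call site, and the identical call `StringUtil.getUTFEncodedString(ContextUtil.getCurrentUserLoginId())` is repeated in the hunks at -237, -292, -344, -398 and -433. The encoding is what keeps a login id from being read as URI syntax once it is concatenated into `?user.name=` / `?doAs=`, so a comment such as `// URL-encode: the login id is concatenated into the query string below` would stop a later cleanup from dropping it, and one private helper returning the encoded current login id would keep the six call sites in step. Note that `KMS_KEY_LIST_URI.replaceAll(..., currentUserLoginId)` now receives the encoded value, which is safe as a regex replacement only because URLEncoder output contains no `$` or `\`. The enclosing methods start and end outside these hunks.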
@@ -142,6 +142,7 @@ public class KmsKeyMgr {
 				}else{
 					uri = uri.concat("?doAs="+currentUserLoginId);
 				}
+
 				final WebResource r = c.resource(uri);
 				try {
 					String response = null;
@@ -237,7 +238,7 @@ public class KmsKeyMgr {
 			for (int i = 0; i < providers.length; i++) {
 				Client c = getClient();
 				String rollRest = KMS_ROLL_KEY_URI.replaceAll(Pattern.quote("${alias}"), vXKey.getName());
-				String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
+				String currentUserLoginId = StringUtil.getUTFEncodedString(ContextUtil.getCurrentUserLoginId());
 				String uri = providers[i] + (providers[i].endsWith("/") ? rollRest : ("/" + rollRest));
 				if(!isKerberos){
 					uri = uri.concat("?user.name="+currentUserLoginId);
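Review bot: The key alias on the context line above the change is still substituted raw: `KMS_ROLL_KEY_URI.replaceAll(Pattern.quote("${alias}"), vXKey.getName())` passes the name as a regex replacement, where `$` and `\` are interpreted, and places it in the request path without encoding. Unless aliases are validated before they reach this class (not visible here), wrap the value with `Matcher.quoteReplacement(...)` and percent-encode it as a path segment; URLEncoder's form encoding turns a space into `+`, so the new StringUtil helper is not the right tool for the path. The same pattern appears with `name` in the hunks at -292, -398 and -433.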
@@ -292,7 +293,7 @@ public class KmsKeyMgr {
 			for (int i = 0; i < providers.length; i++) {
 				Client c = getClient();
 				String deleteRest = KMS_DELETE_KEY_URI.replaceAll(Pattern.quote("${alias}"), name);
-				String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
+				String currentUserLoginId = StringUtil.getUTFEncodedString(ContextUtil.getCurrentUserLoginId());
 				String uri = providers[i] + (providers[i].endsWith("/") ? deleteRest : ("/" + deleteRest));
 				if(!isKerberos){
 						uri = uri.concat("?user.name="+currentUserLoginId);
@@ -344,7 +345,7 @@ public class KmsKeyMgr {
 		if(providers!=null){
 			for (int i = 0; i < providers.length; i++) {
 				Client c = getClient();
-				String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
+				String currentUserLoginId = StringUtil.getUTFEncodedString(ContextUtil.getCurrentUserLoginId());
 				String uri = providers[i] + (providers[i].endsWith("/") ? KMS_ADD_KEY_URI : ("/" + KMS_ADD_KEY_URI));
 				if(!isKerberos){
 					uri = uri.concat("?user.name="+currentUserLoginId);
@@ -398,7 +399,7 @@ public class KmsKeyMgr {
 			for (int i = 0; i < providers.length; i++) {
 				Client c = getClient();
 				String keyRest = KMS_KEY_METADATA_URI.replaceAll(Pattern.quote("${alias}"), name);
-				String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
+				String currentUserLoginId = StringUtil.getUTFEncodedString(ContextUtil.getCurrentUserLoginId());
 				String uri = providers[i] + (providers[i].endsWith("/") ? keyRest : ("/" + keyRest));
 				if(!isKerberos){
 						uri = uri.concat("?user.name="+currentUserLoginId);
@@ -433,11 +434,11 @@ public class KmsKeyMgr {
 		}
 		return null;
 	}
-	
+
 	public VXKmsKey getKeyFromUri(String provider, String name, boolean isKerberos, String repoName) throws Exception {
 		Client c = getClient();
 		String keyRest = KMS_KEY_METADATA_URI.replaceAll(Pattern.quote("${alias}"), name);
-		String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
+		String currentUserLoginId = StringUtil.getUTFEncodedString(ContextUtil.getCurrentUserLoginId());
 		String uri = provider + (provider.endsWith("/") ? keyRest : ("/" + keyRest));
 		if(!isKerberos){
 			uri = uri.concat("?user.name="+currentUserLoginId);
diff --git a/security-admin/src/main/java/org/apache/ranger/common/StringUtil.java b/security-admin/src/main/java/org/apache/ranger/common/StringUtil.java
index 82afa27..97f0d2a 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/StringUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/StringUtil.java
@@ -20,6 +20,9 @@
  package org.apache.ranger.common;
 
 import java.io.Serializable;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
 import java.util.List;
 import java.util.regex.Matcher;
@@ -258,4 +261,8 @@ public class StringUtil implements Serializable {
 						: str;
 	}
 
+	public static String getUTFEncodedString(String username) throws UnsupportedEncodingException {
+		return URLEncoder.encode(username, StandardCharsets.UTF_8.toString());
+	}
+
 }
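Review bot: `getUTFEncodedString` has no null guard and no Javadoc: `URLEncoder.encode` throws NullPointerException for a null argument, so every KmsKeyMgr call site now fails that way if `ContextUtil.getCurrentUserLoginId()` returns null (whether it can is not visible here); an explicit check with a clear message would make that failure intentional. The name hides that this is URL form-encoding (a space becomes `+`), which suits query parameter values but not path segments, and a Javadoc line should say so. The checked `UnsupportedEncodingException` cannot occur for UTF-8 yet forces a `throws` clause onto callers; catching it inside the helper and rethrowing as `IllegalStateException` would keep it out of their signatures.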
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
index 77381f5..da427d5 100755
--- a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
@@ -200,11 +200,11 @@ public class XKeyREST {
 				JSONObject obj = new JSONObject(message);
 				message = obj.getString("message");
 			} catch (JSONException e1) {
-				message = e1.getMessage();
-			}			
-		}			
+				logger.error("Unable to parse the error message, So sending error message as it is - Error : " + e1.getMessage());
+			}
+		}
 		if (!(message==null) && !(message.isEmpty()) && message.contains("Connection refused")){
-			message = "Connection refused : Please check the KMS provider URL and whether the Ranger KMS is running";			
+			message = "Connection refused : Please check the KMS provider URL and whether the Ranger KMS is running";
 		} else if (!(message==null) && !(message.isEmpty()) && (message.contains("response status of 403") || message.contains("HTTP Status 403"))){
 			message = UNAUTHENTICATED_MSG;
 		} else if (!(message==null) && !(message.isEmpty()) && (message.contains("response status of 401") || message.contains("HTTP Status 401 - Authentication required"))){
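Review bot: The new `logger.error(...)` concatenates `e1.getMessage()` into the text and drops the exception itself; `logger.error("Unable to parse the error message; returning it unchanged", e1);` keeps the stack trace. With `message = e1.getMessage()` removed, an upstream message that is not JSON now passes through unchanged. If none of the `contains(...)` branches below match and the text is returned to the REST caller (the rest of the method is outside the hunk), raw upstream error text may reach the client, so a generic fallback message is worth considering. If a non-JSON body is an expected case, `warn` or `debug` fits better than `error`.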


[ranger] 03/03: RANGER-3033: hive authorior should impl getRoleGrantInfoForPrincipal() interface

Posted by pr...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit 4195eab099682024827fd88f4d2d3a93ce1f250d
Author: rujia1019 <82...@163.com>
AuthorDate: Tue Oct 13 16:01:32 2020 +0800

    RANGER-3033: hive authorior should impl getRoleGrantInfoForPrincipal() interface
    
    Signed-off-by: pradeep <pr...@apache.org>
---
 .../hive/authorizer/RangerHiveAuthorizer.java      | 48 ++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index b909e30..5e64e34 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -2351,6 +2351,54 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		return ret;
 	}
 
+	@Override
+	public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
+			throws HiveAuthzPluginException, HiveAccessControlException {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerHiveAuthorizer.getRoleGrantInfoForPrincipal ==>  principal: " +  principal);
+		}
+		boolean result = false;
+		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
+		UserGroupInformation ugi = getCurrentUserGroupInfo();
+
+		if(ugi == null) {
+			throw new HiveAccessControlException("Permission denied: user information not available");
+		}
+
+		List<HiveRoleGrant> ret = new ArrayList<>();
+		String currentUserName = ugi.getShortUserName();
+		List<String> userNames = Arrays.asList(currentUserName);
+
+		try {
+			List<String> roleStringList = hivePlugin.getUserRoles(principal.getName(), auditHandler);
+
+			for (String roleName : roleStringList) {
+				RangerRole role = hivePlugin.getRole(ugi.getShortUserName(), roleName, auditHandler);
+				HiveRoleGrant hiveRoleGrant = new HiveRoleGrant();
+				hiveRoleGrant.setGrantOption(true);
+				hiveRoleGrant.setGrantor(role.getCreatedBy());
+				hiveRoleGrant.setGrantorType(HivePrincipal.HivePrincipalType.USER.name());
+				hiveRoleGrant.setGrantTime((int) (role.getUpdateTime().getTime()/1000));
+				hiveRoleGrant.setRoleName(roleName);
+				ret.add(hiveRoleGrant);
+			}
+			result = true;
+		} catch (Exception e) {
+			LOG.error("RangerHiveAuthorizer.getRoleGrantInfoForPrincipal() error", e);
+			throw new HiveAuthzPluginException("RangerHiveAuthorizer.getRoleGrantInfoForPrincipal() error: " + e.getMessage(), e);
+		} finally {
+			RangerAccessResult accessResult = createAuditEvent(hivePlugin, currentUserName, userNames, HiveOperationType.SHOW_ROLE_GRANT, HiveAccessType.SELECT, null, result);
+			auditHandler.processResult(accessResult);
+			auditHandler.flushAudit();
+		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerHiveAuthorizer.getRoleGrantInfoForPrincipal() Result: " + ret);
+		}
+
+		return ret;
+	}
+
 	private HivePrivilegeObjectType getPluginPrivilegeObjType(
 			org.apache.hadoop.hive.metastore.api.HiveObjectType objectType) {
 		switch (objectType) {
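Review bot: Nothing in `getRoleGrantInfoForPrincipal` checks that the calling user may view the roles of the requested principal: `hivePlugin.getUserRoles(principal.getName(), auditHandler)` runs for any name, and no argument passed to `createAuditEvent` in the `finally` block carries `principal.getName()`, so the audit record names the caller but not whose roles were queried. If hivePlugin does not enforce this itself (not visible in the hunk), restrict the lookup to the caller's own name or an admin check, and put the principal into the audit event. `principal.getType()` is ignored, so a ROLE or GROUP principal is looked up as if it were a user name. `hiveRoleGrant.setGrantOption(true)` is hard-coded for every role, which may overstate what the principal can do, and `role` and `role.getUpdateTime()` are dereferenced without a null check, so a missing role surfaces only as a wrapped NullPointerException.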


[ranger] 01/03: RANGER-3092: KMS fails to start with NullPointerException in catalina.out logs

Posted by pr...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit cbd4cdbb2567e86da7ecd89c0d55b088b107e559
Author: Mahesh Bandal <ma...@gmail.com>
AuthorDate: Wed Dec 2 23:47:44 2020 +0530

    RANGER-3092: KMS fails to start with NullPointerException in catalina.out logs
    
    Signed-off-by: pradeep <pr...@apache.org>
---
 .../java/org/apache/ranger/server/tomcat/EmbeddedServer.java | 12 +++++++++---
 kms/scripts/ranger-kms                                       |  3 ++-
 .../org/apache/ranger/tagsync/process/TagSynchronizer.java   | 12 +++++++++---
 .../ranger/authentication/UnixAuthenticationService.java     | 12 +++++++++---
 4 files changed, 29 insertions(+), 10 deletions(-)

diff --git a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
index f6d735c..30d8305 100644
--- a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
+++ b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
@@ -90,9 +90,15 @@ public class EmbeddedServer {
 			configFile = args[0];
 		}
 
-		// load log configuration file dynamically if log4j.properties changed
-		String logPropFile = StringUtils.splitByWholeSeparator(System.getProperty("log4j.configuration"), ":")[1];
-		PropertyConfigurator.configureAndWatch(logPropFile, 10000L);
+		try {
+			// load log configuration file dynamically if log4j.properties changed
+			if (StringUtils.isNotBlank(System.getProperty("log4j.configuration"))) {
+				String logPropFile = StringUtils.splitByWholeSeparator(System.getProperty("log4j.configuration"), ":")[1];
+				PropertyConfigurator.configureAndWatch(logPropFile, 10000L);
+			}
+		} catch (Exception ignored) {
+			LOG.warning("Failed to get log4j.configuration  Reason: " + ignored.toString());
+		}
 
 		EmbeddedServerUtil.loadRangerConfigProperties(configFile);
 	}
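Review bot: The `[1]` index is still unguarded: a `log4j.configuration` value without a `:` makes `splitByWholeSeparator(...)[1]` throw ArrayIndexOutOfBoundsException, and a value with more than one `:` (a Windows drive path, for instance) yields the wrong element; both are now only hidden by the broad `catch (Exception ignored)`. Checking the array length, or taking the substring after the first `:`, avoids relying on the catch. The variable is named `ignored` although it is used, only its `toString()` is logged so the stack trace is lost, and `Failed to get log4j.configuration` is misleading because the property was read successfully. When this branch is taken the process keeps running without the watched log configuration, so the warning should state that plainly. The same block is added in TagSynchronizer.main and UnixAuthenticationService.main.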
diff --git a/kms/scripts/ranger-kms b/kms/scripts/ranger-kms
index bfe7bd5..5eebc77 100755
--- a/kms/scripts/ranger-kms
+++ b/kms/scripts/ranger-kms
@@ -98,6 +98,7 @@ TOMCAT_LOG_DIR=${RANGER_KMS_LOG_DIR}
 
 TOMCAT_LOG_FILE=${TOMCAT_LOG_DIR}/catalina.out
 TOMCAT_STOP_LOG_FILE=${TOMCAT_LOG_DIR}/stop_catalina.out
+KMS_LOG_PROPERTIES_FILE=${RANGER_KMS_EWS_CONF_DIR}/kms-log4j.properties
 
 if [ ! -d ${TOMCAT_LOG_DIR} ]
 then
@@ -106,7 +107,7 @@ fi
 
 KMS_CONF_DIR=${RANGER_KMS_EWS_DIR}/webapp/WEB-INF/classes/conf
 SERVER_NAME=rangerkms
-JAVA_OPTS="${JAVA_OPTS} ${DB_SSL_PARAM} -Duser=${USER} -Dhostname=${HOSTNAME} -Dservername=${SERVER_NAME} -Dcatalina.base=${RANGER_KMS_EWS_DIR} -Dkms.config.dir=${KMS_CONF_DIR} -Dkms.log.dir=${TOMCAT_LOG_DIR} -cp ${RANGER_KMS_EWS_CONF_DIR}:${RANGER_KMS_EWS_LIB_DIR}/*:${RANGER_KMS_EWS_DIR}/webapp/lib/*:${JAVA_HOME}/lib/*:${RANGER_HADOOP_CONF_DIR}/*:$CLASSPATH "
+JAVA_OPTS="${JAVA_OPTS} ${DB_SSL_PARAM} -Duser=${USER} -Dhostname=${HOSTNAME} -Dservername=${SERVER_NAME} -Dcatalina.base=${RANGER_KMS_EWS_DIR} -Dkms.config.dir=${KMS_CONF_DIR} -Dlog4j.configuration=file:${KMS_LOG_PROPERTIES_FILE} -Dkms.log.dir=${TOMCAT_LOG_DIR} -cp ${RANGER_KMS_EWS_CONF_DIR}:${RANGER_KMS_EWS_LIB_DIR}/*:${RANGER_KMS_EWS_DIR}/webapp/lib/*:${JAVA_HOME}/lib/*:${RANGER_HADOOP_CONF_DIR}/*:$CLASSPATH "
 createRangerKMSPid () {
 	SLEEP_TIME_AFTER_START=5
 	nohup java -D${PROC_NAME} ${JAVA_OPTS} ${START_CLASS_NAME} ${KMS_CONFIG_FILENAME} > ${TOMCAT_LOG_FILE} 2>&1 &
diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java
index 1b0649f..c723b0f 100644
--- a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java
+++ b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java
@@ -55,9 +55,15 @@ public class TagSynchronizer {
 
 	public static void main(String[] args) {
 
-		// load log configuration file dynamically if log4j.properties changed
-		String logPropFile = StringUtils.splitByWholeSeparator(System.getProperty("log4j.configuration"), ":")[1];
-		PropertyConfigurator.configureAndWatch(logPropFile, 10000L);
+		try {
+			// load log configuration file dynamically if log4j.properties changed
+			if (StringUtils.isNotBlank(System.getProperty("log4j.configuration"))) {
+				String logPropFile = StringUtils.splitByWholeSeparator(System.getProperty("log4j.configuration"), ":")[1];
+				PropertyConfigurator.configureAndWatch(logPropFile, 10000L);
+			}
+		} catch (Exception ignored) {
+			LOG.warn("Failed to get log4j.configuration  Reason: " + ignored.toString());
+		}
 
 		TagSynchronizer tagSynchronizer = new TagSynchronizer();
 
diff --git a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
index 4d84a96..3f7886b 100644
--- a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
+++ b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
@@ -92,9 +92,15 @@ public class UnixAuthenticationService {
 
 	public static void main(String[] args) {
 
-		// load log configuration file dynamically if log4j.properties changed
-		String logPropFile = StringUtils.splitByWholeSeparator(System.getProperty("log4j.configuration"), ":")[1];
-		PropertyConfigurator.configureAndWatch(logPropFile, 10000L);
+		try {
+			// load log configuration file dynamically if log4j.properties changed
+			if (StringUtils.isNotBlank(System.getProperty("log4j.configuration"))) {
+				String logPropFile = StringUtils.splitByWholeSeparator(System.getProperty("log4j.configuration"), ":")[1];
+				PropertyConfigurator.configureAndWatch(logPropFile, 10000L);
+			}
+		} catch (Exception ignored) {
+			LOG.warn("Failed to get log4j.configuration  Reason: " + ignored.toString());
+		}
 
 		if (args.length > 0) {
 			for (String s : args) {