You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by Himanshu Maurya <hi...@gmail.com> on 2024/02/20 11:52:21 UTC

Review Request 74897: RANGER-4719: Policy condition expressions are split by the Ranger UI on commas

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74897/
-----------------------------------------------------------

Review request for ranger, bhavik patel, Dhaval Shah, Dineshkumar Yadav, Harshal Chavan, Kishor Gollapalliwar, Madhan Neethiraj, Mehul Parikh, Nitin Galave, Pradeep Agrawal, and Velmurugan Periasamy.


Repository: ranger


Description
-------

While using attributes with default values introduced in RANGER-3997 like GET_USER_ATTR('state', 'null') in policy condition.
It is observed that ranger is splitting condition string in to parts separated by comma of the parameters passed to GET_USER_ATTR(), due to this it is not taking default value and conditions are converted to invalid strings.


Diffs
-----

  security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js 5f6d9ac01 


Diff: https://reviews.apache.org/r/74897/diff/1/


Testing
-------

Done the required code changes and installed ranger.
Validated the policy conditions with default comma separated parameters passed with attributes.


Thanks,

Himanshu Maurya

Re: Review Request 74897: RANGER-4719: Policy condition expressions are split by the Ranger UI on commas

Posted by Madhan Neethiraj <ma...@apache.org>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74897/#review226227
-----------------------------------------------------------




security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js
Lines 522 (patched)
<https://reviews.apache.org/r/74897/#comment314473>

    Instead of looking for PolicyCondition.type == "_expression", consider checking for one of the following in RangerPolicyConditionDef:
     - evaluator == "org.apache.ranger.plugin.conditionevaluator.RangerScriptConditionEvaluator"
     - evaluatorOptions["ui.isMultiline"] == "true"


- Madhan Neethiraj


On Feb. 20, 2024, 11:52 a.m., Himanshu Maurya wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74897/
> -----------------------------------------------------------
> 
> (Updated Feb. 20, 2024, 11:52 a.m.)
> 
> 
> Review request for ranger, bhavik patel, Dhaval Shah, Dineshkumar Yadav, Harshal Chavan, Kishor Gollapalliwar, Madhan Neethiraj, Mehul Parikh, Nitin Galave, Pradeep Agrawal, and Velmurugan Periasamy.
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> While using attributes with default values introduced in RANGER-3997 like GET_USER_ATTR('state', 'null') in policy condition.
> It is observed that ranger is splitting condition string in to parts separated by comma of the parameters passed to GET_USER_ATTR(), due to this it is not taking default value and conditions are converted to invalid strings.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js 5f6d9ac01 
> 
> 
> Diff: https://reviews.apache.org/r/74897/diff/1/
> 
> 
> Testing
> -------
> 
> Done the required code changes and installed ranger.
> Validated the policy conditions with default comma separated parameters passed with attributes.
> 
> 
> Thanks,
> 
> Himanshu Maurya
> 
>

Re: Review Request 74897: RANGER-4719: Policy condition expressions are split by the Ranger UI on commas

Posted by Madhan Neethiraj <ma...@apache.org>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74897/#review226305
-----------------------------------------------------------


Ship it!




Ship It!

- Madhan Neethiraj


On March 6, 2024, 11:57 a.m., Himanshu Maurya wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74897/
> -----------------------------------------------------------
> 
> (Updated March 6, 2024, 11:57 a.m.)
> 
> 
> Review request for ranger, bhavik patel, Dhaval Shah, Dineshkumar Yadav, Harshal Chavan, Kishor Gollapalliwar, Madhan Neethiraj, Mehul Parikh, Nitin Galave, Pradeep Agrawal, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4719
>     https://issues.apache.org/jira/browse/RANGER-4719
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> While using attributes with default values introduced in RANGER-3997 like GET_USER_ATTR('state', 'null') in policy condition.
> It is observed that ranger is splitting condition string in to parts separated by comma of the parameters passed to GET_USER_ATTR(), due to this it is not taking default value and conditions are converted to invalid strings.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java ea76e6c33 
> 
> 
> Diff: https://reviews.apache.org/r/74897/diff/2/
> 
> 
> Testing
> -------
> 
> Done the required code changes and installed ranger.
> Validated the policy conditions with default comma separated parameters passed with attributes.
> 
> 
> Thanks,
> 
> Himanshu Maurya
> 
>

Re: Review Request 74897: RANGER-4719: Policy condition expressions are split by the Ranger UI on commas

Posted by Madhan Neethiraj <ma...@apache.org>.


> On March 8, 2024, 12:13 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
> > Lines 719 (patched)
> > <https://reviews.apache.org/r/74897/diff/2/?file=2285749#file2285749line719>
> >
> >     @Himanshu - how does adding "engineName" to evaluator options help resolve this issue? Can you please add details? Thanks!
> 
> Himanshu Maurya wrote:
>     Hi @Madhan Neethiraj
>     
>     If engineName is not present in evaluatorOptions then we are adding this in RangerScriptConditionEvaluator.java while evaluation but before that in PermissionList.js at line 760 we are checking if engineName is not present in evaluatorOptions along with ui.isMultiline then split the value in policy conditon on commas.
>     In ranger-servicedef-gds.json I can see we are adding engineName to evaluatorOptions in policyConditions but for other services ranger-servicedef-{service}.json policyConditions is empty, for them we are adding this through ServiceDefUtil.java and RangerScriptConditionEvaluator.java to avoid updation of existing ranger-servicedef-{service}.json and skip the json patches during upgrades. So I added this engineName to evaluatorOptions in ServiceDefUtil.java.
>     
>     Thanks and Regards
> 
> Himanshu Maurya wrote:
>     Hi @Madhan Neethiraj
>     
>     Kindly ignore my previous reply.
>     If engineName is not present in evaluatorOptions then we are adding this in RangerScriptConditionEvaluator.java during evaluation, but before that in PermissionList.js at line 760, we are checking if engineName is not present in evaluatorOptions along with ui.isMultiline then split the value in policy condition on commas.
>     In ranger-servicedef-gds.json, I can see we are adding engineName to evaluatorOptions in policyConditions but for other services in ranger-servicedef-{service}.json policyConditions is empty, for them we are adding this through ServiceDefUtil.java and RangerServiceDefServiceBase.java to avoid updation of existing ranger-servicedef-{service}.json and skip the json patches during upgrades. So I added this engineName to evaluatorOptions in ServiceDefUtil.java.
>     
>     
>     Thanks and Regards

Himanshu - thank you for adding the details. The fix looks good.


- Madhan


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74897/#review226299
-----------------------------------------------------------


On March 6, 2024, 11:57 a.m., Himanshu Maurya wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74897/
> -----------------------------------------------------------
> 
> (Updated March 6, 2024, 11:57 a.m.)
> 
> 
> Review request for ranger, bhavik patel, Dhaval Shah, Dineshkumar Yadav, Harshal Chavan, Kishor Gollapalliwar, Madhan Neethiraj, Mehul Parikh, Nitin Galave, Pradeep Agrawal, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4719
>     https://issues.apache.org/jira/browse/RANGER-4719
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> While using attributes with default values introduced in RANGER-3997 like GET_USER_ATTR('state', 'null') in policy condition.
> It is observed that ranger is splitting condition string in to parts separated by comma of the parameters passed to GET_USER_ATTR(), due to this it is not taking default value and conditions are converted to invalid strings.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java ea76e6c33 
> 
> 
> Diff: https://reviews.apache.org/r/74897/diff/2/
> 
> 
> Testing
> -------
> 
> Done the required code changes and installed ranger.
> Validated the policy conditions with default comma separated parameters passed with attributes.
> 
> 
> Thanks,
> 
> Himanshu Maurya
> 
>

Re: Review Request 74897: RANGER-4719: Policy condition expressions are split by the Ranger UI on commas

Posted by Himanshu Maurya <hi...@gmail.com>.


> On March 8, 2024, 12:13 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
> > Lines 719 (patched)
> > <https://reviews.apache.org/r/74897/diff/2/?file=2285749#file2285749line719>
> >
> >     @Himanshu - how does adding "engineName" to evaluator options help resolve this issue? Can you please add details? Thanks!
> 
> Himanshu Maurya wrote:
>     Hi @Madhan Neethiraj
>     
>     If engineName is not present in evaluatorOptions then we are adding this in RangerScriptConditionEvaluator.java while evaluation but before that in PermissionList.js at line 760 we are checking if engineName is not present in evaluatorOptions along with ui.isMultiline then split the value in policy conditon on commas.
>     In ranger-servicedef-gds.json I can see we are adding engineName to evaluatorOptions in policyConditions but for other services ranger-servicedef-{service}.json policyConditions is empty, for them we are adding this through ServiceDefUtil.java and RangerScriptConditionEvaluator.java to avoid updation of existing ranger-servicedef-{service}.json and skip the json patches during upgrades. So I added this engineName to evaluatorOptions in ServiceDefUtil.java.
>     
>     Thanks and Regards

Hi @Madhan Neethiraj

Kindly ignore my previous reply.
If engineName is not present in evaluatorOptions then we are adding this in RangerScriptConditionEvaluator.java during evaluation, but before that in PermissionList.js at line 760, we are checking if engineName is not present in evaluatorOptions along with ui.isMultiline then split the value in policy condition on commas.
In ranger-servicedef-gds.json, I can see we are adding engineName to evaluatorOptions in policyConditions but for other services in ranger-servicedef-{service}.json policyConditions is empty, for them we are adding this through ServiceDefUtil.java and RangerServiceDefServiceBase.java to avoid updation of existing ranger-servicedef-{service}.json and skip the json patches during upgrades. So I added this engineName to evaluatorOptions in ServiceDefUtil.java.


Thanks and Regards


- Himanshu


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74897/#review226299
-----------------------------------------------------------


On March 6, 2024, 11:57 a.m., Himanshu Maurya wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74897/
> -----------------------------------------------------------
> 
> (Updated March 6, 2024, 11:57 a.m.)
> 
> 
> Review request for ranger, bhavik patel, Dhaval Shah, Dineshkumar Yadav, Harshal Chavan, Kishor Gollapalliwar, Madhan Neethiraj, Mehul Parikh, Nitin Galave, Pradeep Agrawal, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4719
>     https://issues.apache.org/jira/browse/RANGER-4719
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> While using attributes with default values introduced in RANGER-3997 like GET_USER_ATTR('state', 'null') in policy condition.
> It is observed that ranger is splitting condition string in to parts separated by comma of the parameters passed to GET_USER_ATTR(), due to this it is not taking default value and conditions are converted to invalid strings.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java ea76e6c33 
> 
> 
> Diff: https://reviews.apache.org/r/74897/diff/2/
> 
> 
> Testing
> -------
> 
> Done the required code changes and installed ranger.
> Validated the policy conditions with default comma separated parameters passed with attributes.
> 
> 
> Thanks,
> 
> Himanshu Maurya
> 
>

Re: Review Request 74897: RANGER-4719: Policy condition expressions are split by the Ranger UI on commas

Posted by Himanshu Maurya <hi...@gmail.com>.


> On March 8, 2024, 12:13 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
> > Lines 719 (patched)
> > <https://reviews.apache.org/r/74897/diff/2/?file=2285749#file2285749line719>
> >
> >     @Himanshu - how does adding "engineName" to evaluator options help resolve this issue? Can you please add details? Thanks!

Hi @Madhan Neethiraj

If engineName is not present in evaluatorOptions then we are adding this in RangerScriptConditionEvaluator.java while evaluation but before that in PermissionList.js at line 760 we are checking if engineName is not present in evaluatorOptions along with ui.isMultiline then split the value in policy conditon on commas.
In ranger-servicedef-gds.json I can see we are adding engineName to evaluatorOptions in policyConditions but for other services ranger-servicedef-{service}.json policyConditions is empty, for them we are adding this through ServiceDefUtil.java and RangerScriptConditionEvaluator.java to avoid updation of existing ranger-servicedef-{service}.json and skip the json patches during upgrades. So I added this engineName to evaluatorOptions in ServiceDefUtil.java.

Thanks and Regards


- Himanshu


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74897/#review226299
-----------------------------------------------------------


On March 6, 2024, 11:57 a.m., Himanshu Maurya wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74897/
> -----------------------------------------------------------
> 
> (Updated March 6, 2024, 11:57 a.m.)
> 
> 
> Review request for ranger, bhavik patel, Dhaval Shah, Dineshkumar Yadav, Harshal Chavan, Kishor Gollapalliwar, Madhan Neethiraj, Mehul Parikh, Nitin Galave, Pradeep Agrawal, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4719
>     https://issues.apache.org/jira/browse/RANGER-4719
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> While using attributes with default values introduced in RANGER-3997 like GET_USER_ATTR('state', 'null') in policy condition.
> It is observed that ranger is splitting condition string in to parts separated by comma of the parameters passed to GET_USER_ATTR(), due to this it is not taking default value and conditions are converted to invalid strings.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java ea76e6c33 
> 
> 
> Diff: https://reviews.apache.org/r/74897/diff/2/
> 
> 
> Testing
> -------
> 
> Done the required code changes and installed ranger.
> Validated the policy conditions with default comma separated parameters passed with attributes.
> 
> 
> Thanks,
> 
> Himanshu Maurya
> 
>

Re: Review Request 74897: RANGER-4719: Policy condition expressions are split by the Ranger UI on commas

Posted by Madhan Neethiraj <ma...@apache.org>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74897/#review226299
-----------------------------------------------------------




agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java
Lines 719 (patched)
<https://reviews.apache.org/r/74897/#comment314528>

    @Himanshu - how does adding "engineName" to evaluator options help resolve this issue? Can you please add details? Thanks!


- Madhan Neethiraj


On March 6, 2024, 11:57 a.m., Himanshu Maurya wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74897/
> -----------------------------------------------------------
> 
> (Updated March 6, 2024, 11:57 a.m.)
> 
> 
> Review request for ranger, bhavik patel, Dhaval Shah, Dineshkumar Yadav, Harshal Chavan, Kishor Gollapalliwar, Madhan Neethiraj, Mehul Parikh, Nitin Galave, Pradeep Agrawal, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-4719
>     https://issues.apache.org/jira/browse/RANGER-4719
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> While using attributes with default values introduced in RANGER-3997 like GET_USER_ATTR('state', 'null') in policy condition.
> It is observed that ranger is splitting condition string in to parts separated by comma of the parameters passed to GET_USER_ATTR(), due to this it is not taking default value and conditions are converted to invalid strings.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java ea76e6c33 
> 
> 
> Diff: https://reviews.apache.org/r/74897/diff/2/
> 
> 
> Testing
> -------
> 
> Done the required code changes and installed ranger.
> Validated the policy conditions with default comma separated parameters passed with attributes.
> 
> 
> Thanks,
> 
> Himanshu Maurya
> 
>

Re: Review Request 74897: RANGER-4719: Policy condition expressions are split by the Ranger UI on commas

Posted by Himanshu Maurya <hi...@gmail.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74897/
-----------------------------------------------------------

(Updated March 6, 2024, 11:57 a.m.)


Review request for ranger, bhavik patel, Dhaval Shah, Dineshkumar Yadav, Harshal Chavan, Kishor Gollapalliwar, Madhan Neethiraj, Mehul Parikh, Nitin Galave, Pradeep Agrawal, and Velmurugan Periasamy.


Bugs: RANGER-4719
    https://issues.apache.org/jira/browse/RANGER-4719


Repository: ranger


Description
-------

While using attributes with default values introduced in RANGER-3997 like GET_USER_ATTR('state', 'null') in policy condition.
It is observed that ranger is splitting condition string in to parts separated by comma of the parameters passed to GET_USER_ATTR(), due to this it is not taking default value and conditions are converted to invalid strings.


Diffs
-----

  agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java ea76e6c33 


Diff: https://reviews.apache.org/r/74897/diff/2/


Testing
-------

Done the required code changes and installed ranger.
Validated the policy conditions with default comma separated parameters passed with attributes.


Thanks,

Himanshu Maurya

Re: Review Request 74897: RANGER-4719: Policy condition expressions are split by the Ranger UI on commas

Posted by Himanshu Maurya <hi...@gmail.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74897/
-----------------------------------------------------------

(Updated March 6, 2024, 11:50 a.m.)


Review request for ranger, bhavik patel, Dhaval Shah, Dineshkumar Yadav, Harshal Chavan, Kishor Gollapalliwar, Madhan Neethiraj, Mehul Parikh, Nitin Galave, Pradeep Agrawal, and Velmurugan Periasamy.


Repository: ranger


Description
-------

While using attributes with default values introduced in RANGER-3997 like GET_USER_ATTR('state', 'null') in policy condition.
It is observed that ranger is splitting condition string in to parts separated by comma of the parameters passed to GET_USER_ATTR(), due to this it is not taking default value and conditions are converted to invalid strings.


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/util/ServiceDefUtil.java ea76e6c33 


Diff: https://reviews.apache.org/r/74897/diff/2/

Changes: https://reviews.apache.org/r/74897/diff/1-2/


Testing
-------

Done the required code changes and installed ranger.
Validated the policy conditions with default comma separated parameters passed with attributes.


Thanks,

Himanshu Maurya