Posted to dev@ranger.apache.org by Abhay Kulkarni <ak...@hortonworks.com> on 2019/12/10 19:46:53 UTC
Re: Review Request 71894: RANGER-2669: Blacklist for Ranger Audits
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71894/#review218987
-----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
Lines 169 (patched)
<https://reviews.apache.org/r/71894/#comment306987>
Please consider moving lines 169-171 to line 187. Excluded user/groups/roles need to override all other settings.
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
Lines 190 (patched)
<https://reviews.apache.org/r/71894/#comment306988>
Please consider excluded roles (just like users and groups) here and everywhere excluded users/groups are considered.
agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java
Lines 219 (patched)
<https://reviews.apache.org/r/71894/#comment306990>
Do we need auditExcludedUsers/groups/roles for TagPolicies class? At evaluation time, tag policies are executed as part of evaluating resource policies. Please review and consider removing these three attributes.
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
Lines 1658 (patched)
<https://reviews.apache.org/r/71894/#comment306991>
Please consider having a space surrounding the operator.
- Abhay Kulkarni
On Dec. 9, 2019, 10:33 a.m., Pradeep Agrawal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71894/
> -----------------------------------------------------------
>
> (Updated Dec. 9, 2019, 10:33 a.m.)
>
>
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2669
> https://issues.apache.org/jira/browse/RANGER-2669
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Statement:** Ranger logs too much audit information, specifically around service accounts (like hbase, atlas, solr). Too much data to solr is making it turn off.
>
> It would be good if an optional "audit exclude user/groups" configuration can be provided, where the user can specify user/groups (like "solr") which wouldn't get logged during the audits.
>
> **Proposed Solution:**
>
> 1) Ranger service will support configuration parameters whose values will be downloaded to the Ranger plugin during policy/tag download. Their names will start with 'ranger.plugin.audit'. ServicePolicies will have an additional member of type list which will contain these parameters and their values.
>
> 2) One of the parameters will be 'ranger.plugin.audit.exclude.users' and the value will be a comma-separated list of users that do not need to be audited.
>
> 3) Plugin will accept and maintain a list of not-to-audit users/groups in an instance of BasePlugin class.
>
> 4) PolicyEngine.createAccessResult() will be modified to call setIsAudited(false) if the user is in the list in case of AUDIT_ALL option.
>
> **Note:** Changes to blacklist the audit for roles are not implemented yet in this patch.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java a75a6c692
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java 197c30f0d
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java 360404af3
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 0fd5093a9
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java f2bbd3c1a
>
>
> Diff: https://reviews.apache.org/r/71894/diff/2/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Pradeep Agrawal
>
>
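The override ordering requested in the review, applied to the comma-separated exclusion list from the proposal, as an added Java sketch that is not part of the patch or of Ranger's code. The class and method names are hypothetical, and the groups and roles keys are assumed by analogy with the users key quoted above.

```java
import java.util.*;

/** Standalone sketch; class and method names are hypothetical, not Ranger's API. */
public class AuditExclusionSketch {
    // The users key is quoted in the proposal; the groups/roles keys are assumed by analogy.
    static final String EXCLUDE_USERS  = "ranger.plugin.audit.exclude.users";
    static final String EXCLUDE_GROUPS = "ranger.plugin.audit.exclude.groups";
    static final String EXCLUDE_ROLES  = "ranger.plugin.audit.exclude.roles";

    private final Set<String> users, groups, roles;

    AuditExclusionSketch(Map<String, String> serviceConfig) {
        users  = parse(serviceConfig.get(EXCLUDE_USERS));
        groups = parse(serviceConfig.get(EXCLUDE_GROUPS));
        roles  = parse(serviceConfig.get(EXCLUDE_ROLES));
    }

    /** Split a comma-separated value, trimming blanks so "solr, ,hbase" yields two names. */
    static Set<String> parse(String csv) {
        Set<String> out = new HashSet<>();
        if (csv != null) {
            for (String s : csv.split(",")) {
                if (!s.trim().isEmpty()) out.add(s.trim());
            }
        }
        return out;
    }

    /**
     * Exclusion is evaluated last so that it overrides whatever the audit-all
     * setting or the matched policies decided, as the review asks.
     */
    boolean isAudited(boolean auditAll, boolean policySaysAudit,
                      String user, Set<String> userGroups, Set<String> userRoles) {
        boolean audited = auditAll || policySaysAudit;
        boolean excluded = users.contains(user)
                || !Collections.disjoint(groups, userGroups)
                || !Collections.disjoint(roles, userRoles);
        return audited && !excluded;
    }

    public static void main(String[] args) {
        Map<String, String> cfg = new HashMap<>();   // constructed sample configuration
        cfg.put(EXCLUDE_USERS, "solr, hbase");
        cfg.put(EXCLUDE_ROLES, "svc-role");
        AuditExclusionSketch s = new AuditExclusionSketch(cfg);
        Set<String> none = Collections.emptySet();
        System.out.println(s.isAudited(true, true, "solr", none, none));    // excluded user
        System.out.println(s.isAudited(true, false, "alice", none, none));  // ordinary user
        System.out.println(s.isAudited(false, true, "bob", none, Collections.singleton("svc-role"))); // excluded role
    }
}
```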
Re: Review Request 71894: RANGER-2669: Blacklist for Ranger Audits
Posted by Pradeep Agrawal <pr...@gmail.com>.
> On Dec. 10, 2019, 7:46 p.m., Abhay Kulkarni wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java
> > Lines 190 (patched)
> > <https://reviews.apache.org/r/71894/diff/2/?file=2183584#file2183584line190>
> >
> > Please consider excluded roles (just like users and groups) here and everywhere excluded users/groups are considered.
Fixed, but can you review the approach again?
- Pradeep
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71894/#review218987
-----------------------------------------------------------
On Dec. 9, 2019, 10:33 a.m., Pradeep Agrawal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71894/
> -----------------------------------------------------------
>
> (Updated Dec. 9, 2019, 10:33 a.m.)
>
>
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2669
> https://issues.apache.org/jira/browse/RANGER-2669
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Statement:** Ranger logs too much audit information, specifically around service accounts (like hbase, atlas, solr). Too much data to solr is making it turn off.
>
> It would be good if an optional "audit exclude user/groups" configuration can be provided, where the user can specify user/groups (like "solr") which wouldn't get logged during the audits.
>
> **Proposed Solution:**
>
> 1) Ranger service will support configuration parameters whose values will be downloaded to the Ranger plugin during policy/tag download. Their names will start with 'ranger.plugin.audit'. ServicePolicies will have an additional member of type list which will contain these parameters and their values.
>
> 2) One of the parameters will be 'ranger.plugin.audit.exclude.users' and the value will be a comma-separated list of users that do not need to be audited.
>
> 3) Plugin will accept and maintain a list of not-to-audit users/groups in an instance of BasePlugin class.
>
> 4) PolicyEngine.createAccessResult() will be modified to call setIsAudited(false) if the user is in the list in case of AUDIT_ALL option.
>
> **Note:** Changes to blacklist the audit for roles are not implemented yet in this patch.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/PolicyEngine.java a75a6c692
> agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java 197c30f0d
> agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java 360404af3
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 0fd5093a9
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java f2bbd3c1a
>
>
> Diff: https://reviews.apache.org/r/71894/diff/3/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Pradeep Agrawal
>
>