Posted to dev@ranger.apache.org by Gautam Borad <gb...@gmail.com> on 2015/11/26 04:08:56 UTC

Review Request 40703: RANGER-743 : External users with Admin Role should be allowed to create/update users

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40703/
-----------------------------------------------------------

Review request for ranger, Alok Lal, Don Bosco Durai, Abhay Kulkarni, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.


Bugs: RANGER-743
    https://issues.apache.org/jira/browse/RANGER-743


Repository: ranger


Description
-------

Patch contains changes that allow external users having the ADMIN role to create new users in Ranger Admin. It was working before, and it failed after RANGER-630.


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java ee9d14b 
  security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 3f2c041 
  security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java 40b08c4 

Diff: https://reviews.apache.org/r/40703/diff/


Testing
-------

**Env:**
OS : Linux
DataBase : MySQL/Any

**Issue:** External users are not allowed to create/update Ranger users.
**Steps Performed:**
a) Installed Ranger usersync with the 'unix' sync method.
b) Logged in as the admin user and assigned the 'ADMIN' role to a newly synced user from the Ranger UI, then logged out from the admin user.
c) Logged in as the synced user having the 'ADMIN' role.
d) Tried to create a user from the Ranger Admin UI.
**Expected Result:** User should have been created.
**Actual Result:** The create user request failed and the message 'Error Creating user' was displayed.
**Proposed Solution:** After receiving a successful auth token for external users from the Unix/LDAP/AD server, fetch the authenticated user's roles from the DB and wrap them in the authenticated object so that the Spring Security module can read the assigned role. The PreAuthorize annotation mapped on the REST API/method shall allow only users authenticated with particular roles.
**Testing done with patch:** 1) UNIX/LDAP/AD users can create and update users.


Thanks,

Gautam Borad
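
An added example of the approach in the Proposed Solution above; it is not code from the RANGER-743 patch or from Ranger. The names LocalRoleStore and DbRoleEnrichingProvider and the role string ROLE_ADMIN are assumptions made for illustration; the Spring Security classes are the library's own.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/** Hypothetical lookup of the roles stored for a user in the application's own DB. */
interface LocalRoleStore {
    Collection<String> rolesFor(String loginId);   // e.g. ["ROLE_ADMIN"] (assumed naming)
}

/** Hypothetical wrapper: the external provider checks the password, the DB supplies roles. */
public class DbRoleEnrichingProvider implements AuthenticationProvider {
    private final AuthenticationProvider external;  // Unix/LDAP/AD provider
    private final LocalRoleStore roleStore;

    public DbRoleEnrichingProvider(AuthenticationProvider external, LocalRoleStore roleStore) {
        this.external = external;
        this.roleStore = roleStore;
    }

    @Override
    public Authentication authenticate(Authentication request) throws AuthenticationException {
        Authentication verified = external.authenticate(request);
        if (verified == null || !verified.isAuthenticated()) {
            return verified;                         // not verified here: attach no roles
        }
        // Authorities come only from the local DB, never from the request itself,
        // so a role removed in the admin UI is no longer granted at the next login.
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String role : roleStore.rolesFor(verified.getName())) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        // The three-argument constructor produces an already-authenticated token.
        UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
                verified.getPrincipal(), verified.getCredentials(), authorities);
        result.setDetails(verified.getDetails());
        return result;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return external.supports(authentication);
    }
}
```

With a token built this way, a method annotated @PreAuthorize("hasRole('ROLE_ADMIN')") is evaluated against the DB-assigned authorities; a user with no roles in the DB gets an empty authority list and is denied.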


Re: Review Request 40703: RANGER-743 : External users with Admin Role should be allowed to create/update users

Posted by Velmurugan Periasamy <vp...@hortonworks.com>.

> On Nov. 27, 2015, 3:24 p.m., Velmurugan Periasamy wrote:
> > Ship It!

Fix for master branch and then ship it!


- Velmurugan


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40703/#review108229
-----------------------------------------------------------




Re: Review Request 40703: RANGER-743 : External users with Admin Role should be allowed to create/update users

Posted by Velmurugan Periasamy <vp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40703/#review108229
-----------------------------------------------------------

Ship it!


Ship It!

- Velmurugan Periasamy




Re: Review Request 40703: RANGER-743 : External users with Admin Role should be allowed to create/update users

Posted by Velmurugan Periasamy <vp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40703/#review108228
-----------------------------------------------------------



security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java (line 523)
<https://reviews.apache.org/r/40703/#comment167569>

    Patch does not apply on master branch. Please fix it before committing. Able to apply in ranger-0.5


- Velmurugan Periasamy




Re: Review Request 40703: RANGER-743 : External users with Admin Role should be allowed to create/update users

Posted by Velmurugan Periasamy <vp...@hortonworks.com>.

> On Nov. 26, 2015, 3:25 p.m., Velmurugan Periasamy wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java, line 257
> > <https://reviews.apache.org/r/40703/diff/1/?file=1146967#file1146967line257>
> >
> >     What's the reason behind this check against literal string "null"? Similar check is done in many places here in this patch. Same comment is applicable for all.
> 
> Gautam Borad wrote:
>     During create and update user testing, it was observed in the log that when objects are null and are converted, the result has the word 'null'. So it might happen that the word 'null' gets stored in the DB and shown to the user. Now, after receiving the user profile, the code will check whether the word 'null' is there and, if so, it will be replaced with '' (empty string).

Ok. I would expect 'null' literal string should not be stored in DB. Once that problem is addressed, this check needs to be revisited.


- Velmurugan


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40703/#review108146
-----------------------------------------------------------




Re: Review Request 40703: RANGER-743 : External users with Admin Role should be allowed to create/update users

Posted by Velmurugan Periasamy <vp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40703/#review108146
-----------------------------------------------------------



security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java (line 257)
<https://reviews.apache.org/r/40703/#comment167497>

    What's the reason behind this check against literal string "null"? Similar check is done in many places here in this patch. Same comment is applicable for all.


- Velmurugan Periasamy

