You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by Ankita Sinha <an...@freestoneinfotech.com> on 2016/05/31 09:03:03 UTC
Review Request 48064: Handle upgrade scenario in Kerberized Cluster
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/48064/
-----------------------------------------------------------
Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
Bugs: RANGER-1003
https://issues.apache.org/jira/browse/RANGER-1003
Repository: ranger
Description
-------
**Problem Statement**
In secure environment after upgrade the service and policies is not updated with custom properties for Policy/Tag download and with lookup user to have permission for Test Connection and Resource Lookup.
**Need to implement following**
1. After upgrade add lookup user to have permissions in all policies.
2. After upgrade add custom property "policy.download.auth.users" and "tag.download.auth.users" in Service config of each repo and "policy.grantrevoke.auth.users" for HBase/Hive.
Diffs
-----
security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 63c630e
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java d2178f4
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 1028c8d
security-admin/src/main/java/org/apache/ranger/rest/TagREST.java be70cfe
Diff: https://reviews.apache.org/r/48064/diff/
Testing
-------
1. Tested Ranger Admin with admin and keyadmin role user.
2. Checked when Ranger Admin starts the service/policy created in previous version is updated in secure cluster.
Thanks,
Ankita Sinha
Re: Review Request 48064: Handle upgrade scenario in Kerberized
Cluster
Posted by Velmurugan Periasamy <vp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/48064/#review137006
-----------------------------------------------------------
Ship it!
Ship It!
- Velmurugan Periasamy
On June 10, 2016, 5:22 a.m., Ankita Sinha wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/48064/
> -----------------------------------------------------------
>
> (Updated June 10, 2016, 5:22 a.m.)
>
>
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-1003
> https://issues.apache.org/jira/browse/RANGER-1003
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Statement**
> In secure environment after upgrade the service and policies is not updated with custom properties for Policy/Tag download and with lookup user to have permission for Test Connection and Resource Lookup.
>
> **Need to implement following**
> 1. After upgrade add lookup user to have permissions in all policies.
> 2. After upgrade add custom property "policy.download.auth.users" and "tag.download.auth.users" in Service config of each repo and "policy.grantrevoke.auth.users" for HBase/Hive.
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 63c630e
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java bf03e30
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java a8c7b52
> security-admin/src/main/java/org/apache/ranger/rest/TagREST.java be70cfe
>
> Diff: https://reviews.apache.org/r/48064/diff/
>
>
> Testing
> -------
>
> 1. Tested Ranger Admin with admin and keyadmin role user.
> 2. Checked when Ranger Admin starts the service/policy created in previous version is updated in secure cluster.
>
>
> Thanks,
>
> Ankita Sinha
>
>
Re: Review Request 48064: Handle upgrade scenario in Kerberized
Cluster
Posted by Ankita Sinha <an...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/48064/
-----------------------------------------------------------
(Updated June 10, 2016, 5:22 a.m.)
Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
Changes
-------
Updated patch with the latest Master Branch
Bugs: RANGER-1003
https://issues.apache.org/jira/browse/RANGER-1003
Repository: ranger
Description
-------
**Problem Statement**
In secure environment after upgrade the service and policies is not updated with custom properties for Policy/Tag download and with lookup user to have permission for Test Connection and Resource Lookup.
**Need to implement following**
1. After upgrade add lookup user to have permissions in all policies.
2. After upgrade add custom property "policy.download.auth.users" and "tag.download.auth.users" in Service config of each repo and "policy.grantrevoke.auth.users" for HBase/Hive.
Diffs (updated)
-----
security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 63c630e
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java bf03e30
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java a8c7b52
security-admin/src/main/java/org/apache/ranger/rest/TagREST.java be70cfe
Diff: https://reviews.apache.org/r/48064/diff/
Testing
-------
1. Tested Ranger Admin with admin and keyadmin role user.
2. Checked when Ranger Admin starts the service/policy created in previous version is updated in secure cluster.
Thanks,
Ankita Sinha
Re: Review Request 48064: Handle upgrade scenario in Kerberized
Cluster
Posted by Ankita Sinha <an...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/48064/
-----------------------------------------------------------
(Updated June 1, 2016, 5:42 a.m.)
Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
Changes
-------
Addressed Review Comments
Bugs: RANGER-1003
https://issues.apache.org/jira/browse/RANGER-1003
Repository: ranger
Description
-------
**Problem Statement**
In secure environment after upgrade the service and policies is not updated with custom properties for Policy/Tag download and with lookup user to have permission for Test Connection and Resource Lookup.
**Need to implement following**
1. After upgrade add lookup user to have permissions in all policies.
2. After upgrade add custom property "policy.download.auth.users" and "tag.download.auth.users" in Service config of each repo and "policy.grantrevoke.auth.users" for HBase/Hive.
Diffs (updated)
-----
security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 63c630e
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java d2178f4
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 1028c8d
security-admin/src/main/java/org/apache/ranger/rest/TagREST.java be70cfe
Diff: https://reviews.apache.org/r/48064/diff/
Testing
-------
1. Tested Ranger Admin with admin and keyadmin role user.
2. Checked when Ranger Admin starts the service/policy created in previous version is updated in secure cluster.
Thanks,
Ankita Sinha
Re: Review Request 48064: Handle upgrade scenario in Kerberized
Cluster
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/48064/#review135764
-----------------------------------------------------------
Fix it, then Ship it!
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java (line 3656)
<https://reviews.apache.org/r/48064/#comment200813>
updateService() should be called only if service-config was updated in this method - in line #3648 or #3651 or #3654. Please review and update.
- Madhan Neethiraj
On June 1, 2016, 4:57 a.m., Ankita Sinha wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/48064/
> -----------------------------------------------------------
>
> (Updated June 1, 2016, 4:57 a.m.)
>
>
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-1003
> https://issues.apache.org/jira/browse/RANGER-1003
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Statement**
> In secure environment after upgrade the service and policies is not updated with custom properties for Policy/Tag download and with lookup user to have permission for Test Connection and Resource Lookup.
>
> **Need to implement following**
> 1. After upgrade add lookup user to have permissions in all policies.
> 2. After upgrade add custom property "policy.download.auth.users" and "tag.download.auth.users" in Service config of each repo and "policy.grantrevoke.auth.users" for HBase/Hive.
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 63c630e
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java d2178f4
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 1028c8d
> security-admin/src/main/java/org/apache/ranger/rest/TagREST.java be70cfe
>
> Diff: https://reviews.apache.org/r/48064/diff/
>
>
> Testing
> -------
>
> 1. Tested Ranger Admin with admin and keyadmin role user.
> 2. Checked when Ranger Admin starts the service/policy created in previous version is updated in secure cluster.
>
>
> Thanks,
>
> Ankita Sinha
>
>
Re: Review Request 48064: Handle upgrade scenario in Kerberized
Cluster
Posted by Ankita Sinha <an...@freestoneinfotech.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/48064/
-----------------------------------------------------------
(Updated June 1, 2016, 4:57 a.m.)
Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
Changes
-------
Addressed review comments
Bugs: RANGER-1003
https://issues.apache.org/jira/browse/RANGER-1003
Repository: ranger
Description
-------
**Problem Statement**
In secure environment after upgrade the service and policies is not updated with custom properties for Policy/Tag download and with lookup user to have permission for Test Connection and Resource Lookup.
**Need to implement following**
1. After upgrade add lookup user to have permissions in all policies.
2. After upgrade add custom property "policy.download.auth.users" and "tag.download.auth.users" in Service config of each repo and "policy.grantrevoke.auth.users" for HBase/Hive.
Diffs (updated)
-----
security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 63c630e
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java d2178f4
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 1028c8d
security-admin/src/main/java/org/apache/ranger/rest/TagREST.java be70cfe
Diff: https://reviews.apache.org/r/48064/diff/
Testing
-------
1. Tested Ranger Admin with admin and keyadmin role user.
2. Checked when Ranger Admin starts the service/policy created in previous version is updated in secure cluster.
Thanks,
Ankita Sinha
Re: Review Request 48064: Handle upgrade scenario in Kerberized
Cluster
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/48064/#review135692
-----------------------------------------------------------
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java (line 3651)
<https://reviews.apache.org/r/48064/#comment200718>
update serviceConfig only if the key is already not present
if(!rangerService.getConfigs().containsKey(ServiceREST.Allowed_User_List_For_Grant_Revoke) {
rangerService.getConfigs().put(ServiceREST.Allowed_User_List_For_Grant_Revoke, serviceUser);
}
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java (line 3653)
<https://reviews.apache.org/r/48064/#comment200719>
update serviceConfig only if the key is already not present
if(!rangerService.getConfigs().containsKey(TagREST.Allowed_User_List_For_Tag_Download) {
rangerService.getConfigs().put(TagREST.Allowed_User_List_For_Tag_Download, serviceUser);
}
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java (line 3667)
<https://reviews.apache.org/r/48064/#comment200723>
adding a policy item to each policy during each startup does not look right. Instead, I think we should document the necessary permission for lookup user and have a policy in each service manually updated/created.
- Madhan Neethiraj
On May 31, 2016, 9:03 a.m., Ankita Sinha wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/48064/
> -----------------------------------------------------------
>
> (Updated May 31, 2016, 9:03 a.m.)
>
>
> Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-1003
> https://issues.apache.org/jira/browse/RANGER-1003
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Statement**
> In secure environment after upgrade the service and policies is not updated with custom properties for Policy/Tag download and with lookup user to have permission for Test Connection and Resource Lookup.
>
> **Need to implement following**
> 1. After upgrade add lookup user to have permissions in all policies.
> 2. After upgrade add custom property "policy.download.auth.users" and "tag.download.auth.users" in Service config of each repo and "policy.grantrevoke.auth.users" for HBase/Hive.
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 63c630e
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java d2178f4
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 1028c8d
> security-admin/src/main/java/org/apache/ranger/rest/TagREST.java be70cfe
>
> Diff: https://reviews.apache.org/r/48064/diff/
>
>
> Testing
> -------
>
> 1. Tested Ranger Admin with admin and keyadmin role user.
> 2. Checked when Ranger Admin starts the service/policy created in previous version is updated in secure cluster.
>
>
> Thanks,
>
> Ankita Sinha
>
>