Posted to dev@ranger.apache.org by Ramesh Mani <rm...@hortonworks.com> on 2020/06/21 21:14:42 UTC

Review Request 72608: RANGER-2869: Ranger audit module to provide an option to generate a UUID for each audit log

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72608/
-----------------------------------------------------------

Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.


Bugs: RANGER-2869
    https://issues.apache.org/jira/browse/RANGER-2869


Repository: ranger


Description
-------

RANGER-2869: Ranger audit module to provide an option to generate a UUID for each audit log


Diffs
-----

  agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java b7315a9 
  agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 137fd1f 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b82ff29 


Diff: https://reviews.apache.org/r/72608/diff/1/


Testing
-------

Verified in Local vm - Audit logs have the Strict UUID when "xasecure.audit.auditid.strict.uuid=true", else existing logic of appending the UUID with sequence is happening.


Thanks,

Ramesh Mani


Re: Review Request 72608: RANGER-2869: Ranger audit module to provide an option to generate a UUID for each audit log

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72608/#review221040
-----------------------------------------------------------




agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java
Line 76 (original), 77 (patched)
<https://reviews.apache.org/r/72608/#comment309822>

    @Abhay - you are right. There is no need to instantiate RANDOM_HOLDER. Instead, #303 should directly reference RandomHolder.random, which will defer instantiation of RandomHolder.random until its first use.



agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java
Lines 299 (patched)
<https://reviews.apache.org/r/72608/#comment309823>

    SecureRandom implementation depends on various sources of entropy such as (keyboard/mouse/other i/o, ..), which makes it unpredictable. Depending upon the activities in the operating system, it might take multiple seconds to create a random number - which is not suitable for high volume audit-log-id generation here.


- Madhan Neethiraj
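
Added example (not part of the original thread and not Ranger's code): the deferred-initialization holder and the Random-versus-SecureRandom trade-off discussed in the two comments above, written in Java. RandomHolder.random is the name used in the review comment; AuditIdDemo, fastUuid, secureUuid and nanosFor are hypothetical names chosen for illustration.

```java
import java.util.Random;
import java.util.UUID;

public class AuditIdDemo {
    // Initialization-on-demand holder: the JVM initializes RandomHolder (and so
    // creates the Random) only when RandomHolder.random is first referenced.
    private static final class RandomHolder {
        static final Random random = new Random();
        static { System.out.println("RandomHolder initialized"); }
    }

    // Version-4-shaped UUID built from java.util.Random: it never waits on the
    // OS entropy source, but its output is predictable, so treat it as an
    // identifier only, never as a secret.
    static UUID fastUuid() {
        long msb = RandomHolder.random.nextLong();
        long lsb = RandomHolder.random.nextLong();
        msb = (msb & 0xFFFFFFFFFFFF0FFFL) | 0x0000000000004000L; // version = 4
        lsb = (lsb & 0x3FFFFFFFFFFFFFFFL) | 0x8000000000000000L; // variant = RFC 4122
        return new UUID(msb, lsb);
    }

    // UUID.randomUUID() uses a cryptographically strong generator (SecureRandom).
    static UUID secureUuid() {
        return UUID.randomUUID();
    }

    // Wall-clock cost of generating n ids with either generator.
    static long nanosFor(int n, boolean secure) {
        long start = System.nanoTime();
        for (int i = 0; i < n; i++) {
            if (secure) secureUuid(); else fastUuid();
        }
        return System.nanoTime() - start;
    }

    public static void main(String[] args) {
        System.out.println("main started; holder not touched yet");
        UUID id = fastUuid(); // first reference prints "RandomHolder initialized"
        System.out.println(id + " version=" + id.version() + " variant=" + id.variant());
        int n = 100_000;
        System.out.printf("Random:       %d ms%n", nanosFor(n, false) / 1_000_000);
        System.out.printf("SecureRandom: %d ms%n", nanosFor(n, true) / 1_000_000);
    }
}
```

Values from java.util.Random can be reconstructed from earlier outputs, so ids generated this way are suitable as record identifiers but not as tokens or anything that must be unguessable.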




Re: Review Request 72608: RANGER-2869: Ranger audit module to provide an option to generate a UUID for each audit log

Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72608/#review221049
-----------------------------------------------------------


Ship it!





- Abhay Kulkarni




Re: Review Request 72608: RANGER-2869: Ranger audit module to provide an option to generate a UUID for each audit log

Posted by Ramesh Mani <rm...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72608/
-----------------------------------------------------------

(Updated June 22, 2020, 8:38 p.m.)


Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.


Changes
-------

Fixed review comments


Bugs: RANGER-2869
    https://issues.apache.org/jira/browse/RANGER-2869


Repository: ranger


Description
-------

RANGER-2869: Ranger audit module to provide an option to generate a UUID for each audit log


Diffs (updated)
-----

  agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java b7315a9 
  agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java 137fd1f 
  agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerAccessResult.java b82ff29 


Diff: https://reviews.apache.org/r/72608/diff/2/

Changes: https://reviews.apache.org/r/72608/diff/1-2/


Testing
-------

Verified in Local vm - Audit logs have the Strict UUID when "xasecure.audit.auditid.strict.uuid=true", else existing logic of appending the UUID with sequence is happening.


Thanks,

Ramesh Mani


Re: Review Request 72608: RANGER-2869: Ranger audit module to provide an option to generate a UUID for each audit log

Posted by Ramesh Mani <rm...@hortonworks.com>.

> On June 21, 2020, 10:37 p.m., Abhay Kulkarni wrote:
> > agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java
> > Lines 299 (patched)
> > <https://reviews.apache.org/r/72608/diff/1/?file=2234815#file2234815line299>
> >
> >     Although secureRandom object can be slow at times, the black-duck scan may flag this as a security issue.

When every audit log needs a new UUID, we shall stick to random() as secureRandom() will be very slow and will block the operation done.


- Ramesh


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72608/#review221039
-----------------------------------------------------------




Re: Review Request 72608: RANGER-2869: Ranger audit module to provide an option to generate a UUID for each audit log

Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72608/#review221039
-----------------------------------------------------------




agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java
Line 76 (original), 77 (patched)
<https://reviews.apache.org/r/72608/#comment309820>

    Given that the static final RANDOM_HOLDER is created here, how is the initialization deferred to the time of first use as indicated in the comment at line 871?



agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java
Lines 299 (patched)
<https://reviews.apache.org/r/72608/#comment309821>

    Although secureRandom object can be slow at times, the black-duck scan may flag this as a security issue.



agents-common/src/main/java/org/apache/ranger/plugin/audit/RangerDefaultAuditHandler.java
Lines 293 (patched)
<https://reviews.apache.org/r/72608/#comment309819>

    This may cause a lot of warning messages. Please review.


- Abhay Kulkarni

