ranger-dev mailing list archives

From Gautam Borad <gbo...@gmail.com>
Subject Re: [jira] [Updated] (RANGER-967) Allow additional characters in username
Date Thu, 05 May 2016 05:10:31 GMT
Bryan is right in his analysis; even if we support adding such users, the
split on "," during policy creation will be an issue.

I think the right solution would be to use the transformation feature
implemented by *@Sailaja* in
https://issues.apache.org/jira/browse/RANGER-684. Thanks.

On Thu, May 5, 2016 at 2:59 AM, Sailaja Polavarapu <
spolavarapu@hortonworks.com> wrote:

> We currently have a username/groupname transformation feature implemented
> for LDAP sync (https://issues.apache.org/jira/browse/RANGER-684). Maybe
> we can do similar changes for File source sync or move the name
> transformation logic to a common location for all sync sources.
> A few things to consider when we implement name transformation logic to File
> source -
> 1. For non Json files, provide a delimiter that is not part of the
> transformation logic in order to distinguish between usernames & groupnames
> while reading from the input file.
> 2. Apply same transformation logic while sending any authorization
> requests to ranger with username and/or groupname
> 3. Apply same transformation logic if using other services like solr,
> kafka, etc…
>
> Thanks,
> Sailaja.
>
>
>
>
> On 5/4/16, 2:03 PM, "Bryan Bende" <bbende@gmail.com> wrote:
>
> >I don't think this one has a server side fix...
> >
> >We can fix the user sync to remove email validation (RANGER-968), and we
> >can change the UI to allow DNs on user creation(RANGER-967)...
> >
> >But in either case, we can't create a policy through the UI when the
> >username is a DN. The REST API may work, but there has to be something user
> >facing.
> >
> >Do you view this as another JIRA? or maybe I'm trying to force something
> >that wasn't intended to work?
> >
> >
> >On Wed, May 4, 2016 at 4:03 PM, Don Bosco Durai <bosco@apache.org> wrote:
> >
> >> Gautam might be the right person to answer UI related questions.
> >>
> >> If server side fix will unblock you, then I will suggest that you should
> >> fix it for the time being. We can ask Gautam to look into the UI side.
> >>
> >>
> >>
> >> Thanks
> >>
> >> Bosco
> >>
> >>
> >> On 5/4/16, 12:02 PM, "Bryan Bende" <bbende@gmail.com> wrote:
> >>
> >> >All,
> >> >
> >> >I started looking at this ticket because I initially thought it would be
> >> >straightforward...
> >> >
> >> >In UserForm.js I changed the regex validator from [a-z0-9][a-z0-9,._\-'+/@]
> >> >to [a-z0-9][a-z0-9,._\-'+/@= ] which allowed "=" and spaces. That allowed
> >> >me to enter a DN as a user name.
> >> >
> >> >The next issue is that when creating a policy for that user, the value of
> >> >the users field is split on commas, so a single DN with commas ends up being
> >> >submitted as several users that don't exist, and prevents the policy from
> >> >being created.
> >> >
> >> >This happens in RangerPolicyForm.js with this code:
> >> >
> >> >if(!_.isUndefined(m.get('userName')) && !_.isNull(m.get('userName'))){
> >> > policyItem.set("users",m.get("userName").split(','));
> >> >}
> >> >
> >> >I have a feeling this can't easily be changed because it is how multiple
> >> >selected users are being stored behind the scenes.
> >> >
> >> >Does anyone have any thoughts on what else would need to be changed to
> >> >allow a username with commas in it?
> >> >
> >> >Thanks,
> >> >
> >> >Bryan
> >> >
> >> >
> >> >On Wed, May 4, 2016 at 1:07 PM, Bryan Bende (JIRA) <jira@apache.org> wrote:
> >> >
> >> >>
> >> >>      [ https://issues.apache.org/jira/browse/RANGER-967?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
> >> >>
> >> >> Bryan Bende updated RANGER-967:
> >> >> -------------------------------
> >> >>     Fix Version/s: 0.6.0
> >> >>
> >> >> > Allow additional characters in username
> >> >> > ---------------------------------------
> >> >> >
> >> >> >                 Key: RANGER-967
> >> >> >                 URL: https://issues.apache.org/jira/browse/RANGER-967
> >> >> >             Project: Ranger
> >> >> >          Issue Type: Improvement
> >> >> >            Reporter: Bryan Bende
> >> >> >            Assignee: Bryan Bende
> >> >> >            Priority: Minor
> >> >> >             Fix For: 0.6.0
> >> >> >
> >> >> >
> >> >> > Currently the Username field on the Create User form in the UI performs
> >> >> > validation that restricts the value to:
> >> >> > [a-z0-9][a-z0-9,._\-'+/@]+
> >> >> > I'd like to be able to add a DN as a username such as:
> >> >> > CN=localhost, OU=My Org, O=Apache, L=Santa Monica, ST=CA, C=US
> >> >> > I believe this would require adding "=" and spaces as valid characters.
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> This message was sent by Atlassian JIRA
> >> >> (v6.3.4#6332)
> >> >>
> >>
> >>
>



-- 
Regards,
Gautam.
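
The comma split described in this thread and the name-transformation approach proposed for it, as an added example that is not part of the original messages and is not Ranger's code. The rule set, the function names and the collision check are assumptions made for illustration; the DN is the one from RANGER-967.

```javascript
// Added illustration; rule set and function names are assumptions, not Ranger code.
const DN = "CN=localhost, OU=My Org, O=Apache, L=Santa Monica, ST=CA, C=US"; // DN from RANGER-967

// Mirrors the split(',') quoted from RangerPolicyForm.js.
function splitUsers(userNameField) {
  return userNameField.split(",");
}

// The form keeps the selected users as one comma-joined string, then splits it.
function roundTrip(names) {
  return splitUsers(names.join(","));
}

// Hypothetical transformation: ordered regex substitutions, then lower-casing.
const RULES = [
  [/^CN=([^,]+),.*$/i, "$1"], // a DN collapses to its CN value
  [/[,= ]+/g, "_"],           // any remaining delimiter characters become "_"
];

function transformName(name) {
  return RULES.reduce((n, [re, rep]) => n.replace(re, rep), name.trim()).toLowerCase();
}

// Sync side: transform every source name and report collisions, because a lossy
// rule can merge two distinct identities into one policy subject.
function syncNames(sourceNames) {
  const bySynced = new Map();
  for (const src of sourceNames) {
    const key = transformName(src);
    bySynced.set(key, [...(bySynced.get(key) || []), src]);
  }
  const collisions = [...bySynced].filter(([, srcs]) => srcs.length > 1);
  return { users: [...bySynced.keys()], collisions };
}

// Authorization side: the requester's name goes through the same transformation
// before it is compared with the users stored in the policy.
function isAllowed(policyUsers, requestUser) {
  return policyUsers.includes(transformName(requestUser));
}
```

A rule that keeps only the CN is lossy, so the collision list from the sync step should be empty before the transformed names are used in policies.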
