ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Gautam Borad <gbo...@gmail.com>
Subject Re: [jira] [Updated] (RANGER-967) Allow additional characters in username
Date Thu, 05 May 2016 05:33:21 GMT
Ok, let me see if something can be done on the UI side.

On Thu, May 5, 2016 at 10:58 AM, Don Bosco Durai <bosco@apache.org> wrote:

> Since user are from dropdown (not manually entered), can’t we escape them
> while creating the UI elements?
>
> I feel, transformation is not an ideal workaround. We have to see if we
> can support ",” in UI (at least when there is read only). Can we do some
> experiments?
>
>
> Thanks
>
> Bosco
>
>
> On 5/4/16, 10:10 PM, "Gautam Borad" <gborad@gmail.com> wrote:
>
> >Bryan is right in his analysis, even if we support adding such users, the
> >split on "," during policy creation will be an issue.
> >
> >I think the right solution would be to use the transformation feature
> >implemented by *@Sailaja* in
> >https://issues.apache.org/jira/browse/RANGER-684. Thanks.
> >
> >On Thu, May 5, 2016 at 2:59 AM, Sailaja Polavarapu <
> >spolavarapu@hortonworks.com> wrote:
> >
> >> We currently have a username/groupname transformation feature
> implemented
> >> for LDAP sync (https://issues.apache.org/jira/browse/RANGER-684). May
> be
> >> we can do similar changes for File source sync or move the name
> >> transformation logic to common location for all sync sources.
> >> Few things to consider when we implement name transformation logic to
> File
> >> source -
> >> 1. For non Json files, provide a delimiter that is not part of the
> >> transformation logic in order to distinguish between usernames &
> groupnames
> >> while reading from the input file.
> >> 2. Apply same transformation logic while sending any authorization
> >> requests to ranger with username and/or groupname
> >> 3. Apply same transformation logic if using other services like solr,
> >> kafka, etc…
> >>
> >> Thanks,
> >> Sailaja.
> >>
> >>
> >>
> >>
> >> On 5/4/16, 2:03 PM, "Bryan Bende" <bbende@gmail.com> wrote:
> >>
> >> >I don't think this one has a server side fix...
> >> >
> >> >We can fix the user sync to remove email validation (RANGER-968), and
> we
> >> >can change the UI to allow DNs on user creation(RANGER-967)...
> >> >
> >> >But in either case, we can't create a policy through the UI when the
> >> >username is a DN. The REST API may work, but there has to be something
> >> user
> >> >facing.
> >> >
> >> >Do you view this as another JIRA? or maybe I'm trying to force
> something
> >> >that wasn't intended to work?
> >> >
> >> >
> >> >On Wed, May 4, 2016 at 4:03 PM, Don Bosco Durai <bosco@apache.org>
> wrote:
> >> >
> >> >> Gautam might be the right person to answer UI related questions.
> >> >>
> >> >> If server side fix will unblock you, then I will suggest that you
> should
> >> >> fix it for the time being. We can ask Gautam to look into the UI
> side.
> >> >>
> >> >>
> >> >>
> >> >> Thanks
> >> >>
> >> >> Bosco
> >> >>
> >> >>
> >> >> On 5/4/16, 12:02 PM, "Bryan Bende" <bbende@gmail.com> wrote:
> >> >>
> >> >> >All,
> >> >> >
> >> >> >I started looking at this ticket because I initially thought it
> would
> >> be
> >> >> >straight forward...
> >> >> >
> >> >> >In UserForm.js I changed the regex validator from
> >> >> [a-z0-9][a-z0-9,._\-'+/@]
> >> >> > to [a-z0-9][a-z0-9,._\-'+/@= ] which allowed "=" and spaces. That
> >> allowed
> >> >> >me to enter a DN as a user name.
> >> >> >
> >> >> >The next issue is that when creating a policy for that user, the
> value
> >> of
> >> >> >the users field is split on commas, so a single DN with commas
ends
> >> being
> >> >> >submitted as several users that don't exist, and prevent the policy
> >> from
> >> >> >being created.
> >> >> >
> >> >> >This happens in RangerPolicyForm.js with this code:
> >> >> >
> >> >> >if(!_.isUndefined(m.get('userName')) &&
> !_.isNull(m.get('userName'))){
> >> >> > policyItem.set("users",m.get("userName").split(','));
> >> >> >}
> >> >> >
> >> >> >I have a feeling this can't easily be changed because it is how
> >> multiple
> >> >> >selected users are being stored behind the scenes.
> >> >> >
> >> >> >Does anyone have any thoughts on what else would need to be changed
> to
> >> >> >allow a username with commas in it?
> >> >> >
> >> >> >Thanks,
> >> >> >
> >> >> >Bryan
> >> >> >
> >> >> >
> >> >> >On Wed, May 4, 2016 at 1:07 PM, Bryan Bende (JIRA) <jira@apache.org
> >
> >> >> wrote:
> >> >> >
> >> >> >>
> >> >> >>      [
> >> >> >>
> >> >>
> >>
> https://issues.apache.org/jira/browse/RANGER-967?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
> >> >> >> ]
> >> >> >>
> >> >> >> Bryan Bende updated RANGER-967:
> >> >> >> -------------------------------
> >> >> >>     Fix Version/s: 0.6.0
> >> >> >>
> >> >> >> > Allow additional characters in username
> >> >> >> > ---------------------------------------
> >> >> >> >
> >> >> >> >                 Key: RANGER-967
> >> >> >> >                 URL:
> >> https://issues.apache.org/jira/browse/RANGER-967
> >> >> >> >             Project: Ranger
> >> >> >> >          Issue Type: Improvement
> >> >> >> >            Reporter: Bryan Bende
> >> >> >> >            Assignee: Bryan Bende
> >> >> >> >            Priority: Minor
> >> >> >> >             Fix For: 0.6.0
> >> >> >> >
> >> >> >> >
> >> >> >> > Currently the Username field on the Create User form
in the UI
> >> >> performs
> >> >> >> validation that restricts the value to:
> >> >> >> > [a-z0-9][a-z0-9,._\-'+/@]+
> >> >> >> > I'd like to be able to add a DN as a username such as:
> >> >> >> > CN=localhost, OU=My Org, O=Apache, L=Santa Monica, ST=CA,
C=US
> >> >> >> > I believe this would require adding "=" and spaces as
valid
> >> >> characters.
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> --
> >> >> >> This message was sent by Atlassian JIRA
> >> >> >> (v6.3.4#6332)
> >> >> >>
> >> >>
> >> >>
> >>
> >
> >
> >
> >--
> >Regards,
> >Gautam.
>
>


-- 
Regards,
Gautam.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message