ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Don Bosco Durai <bo...@apache.org>
Subject Re: [jira] [Updated] (RANGER-967) Allow additional characters in username
Date Thu, 05 May 2016 05:28:54 GMT
Since user are from dropdown (not manually entered), can’t we escape them while creating
the UI elements?

I feel, transformation is not an ideal workaround. We have to see if we can support ",”
in UI (at least when there is read only). Can we do some experiments?


Thanks

Bosco
 

On 5/4/16, 10:10 PM, "Gautam Borad" <gborad@gmail.com> wrote:

>Bryan is right in his analysis, even if we support adding such users, the
>split on "," during policy creation will be an issue.
>
>I think the right solution would be to use the transformation feature
>implemented by *@Sailaja* in
>https://issues.apache.org/jira/browse/RANGER-684. Thanks.
>
>On Thu, May 5, 2016 at 2:59 AM, Sailaja Polavarapu <
>spolavarapu@hortonworks.com> wrote:
>
>> We currently have a username/groupname transformation feature implemented
>> for LDAP sync (https://issues.apache.org/jira/browse/RANGER-684). May be
>> we can do similar changes for File source sync or move the name
>> transformation logic to common location for all sync sources.
>> Few things to consider when we implement name transformation logic to File
>> source -
>> 1. For non Json files, provide a delimiter that is not part of the
>> transformation logic in order to distinguish between usernames & groupnames
>> while reading from the input file.
>> 2. Apply same transformation logic while sending any authorization
>> requests to ranger with username and/or groupname
>> 3. Apply same transformation logic if using other services like solr,
>> kafka, etc…
>>
>> Thanks,
>> Sailaja.
>>
>>
>>
>>
>> On 5/4/16, 2:03 PM, "Bryan Bende" <bbende@gmail.com> wrote:
>>
>> >I don't think this one has a server side fix...
>> >
>> >We can fix the user sync to remove email validation (RANGER-968), and we
>> >can change the UI to allow DNs on user creation(RANGER-967)...
>> >
>> >But in either case, we can't create a policy through the UI when the
>> >username is a DN. The REST API may work, but there has to be something
>> user
>> >facing.
>> >
>> >Do you view this as another JIRA? or maybe I'm trying to force something
>> >that wasn't intended to work?
>> >
>> >
>> >On Wed, May 4, 2016 at 4:03 PM, Don Bosco Durai <bosco@apache.org> wrote:
>> >
>> >> Gautam might be the right person to answer UI related questions.
>> >>
>> >> If server side fix will unblock you, then I will suggest that you should
>> >> fix it for the time being. We can ask Gautam to look into the UI side.
>> >>
>> >>
>> >>
>> >> Thanks
>> >>
>> >> Bosco
>> >>
>> >>
>> >> On 5/4/16, 12:02 PM, "Bryan Bende" <bbende@gmail.com> wrote:
>> >>
>> >> >All,
>> >> >
>> >> >I started looking at this ticket because I initially thought it would
>> be
>> >> >straight forward...
>> >> >
>> >> >In UserForm.js I changed the regex validator from
>> >> [a-z0-9][a-z0-9,._\-'+/@]
>> >> > to [a-z0-9][a-z0-9,._\-'+/@= ] which allowed "=" and spaces. That
>> allowed
>> >> >me to enter a DN as a user name.
>> >> >
>> >> >The next issue is that when creating a policy for that user, the value
>> of
>> >> >the users field is split on commas, so a single DN with commas ends
>> being
>> >> >submitted as several users that don't exist, and prevent the policy
>> from
>> >> >being created.
>> >> >
>> >> >This happens in RangerPolicyForm.js with this code:
>> >> >
>> >> >if(!_.isUndefined(m.get('userName')) && !_.isNull(m.get('userName'))){
>> >> > policyItem.set("users",m.get("userName").split(','));
>> >> >}
>> >> >
>> >> >I have a feeling this can't easily be changed because it is how
>> multiple
>> >> >selected users are being stored behind the scenes.
>> >> >
>> >> >Does anyone have any thoughts on what else would need to be changed
to
>> >> >allow a username with commas in it?
>> >> >
>> >> >Thanks,
>> >> >
>> >> >Bryan
>> >> >
>> >> >
>> >> >On Wed, May 4, 2016 at 1:07 PM, Bryan Bende (JIRA) <jira@apache.org>
>> >> wrote:
>> >> >
>> >> >>
>> >> >>      [
>> >> >>
>> >>
>> https://issues.apache.org/jira/browse/RANGER-967?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
>> >> >> ]
>> >> >>
>> >> >> Bryan Bende updated RANGER-967:
>> >> >> -------------------------------
>> >> >>     Fix Version/s: 0.6.0
>> >> >>
>> >> >> > Allow additional characters in username
>> >> >> > ---------------------------------------
>> >> >> >
>> >> >> >                 Key: RANGER-967
>> >> >> >                 URL:
>> https://issues.apache.org/jira/browse/RANGER-967
>> >> >> >             Project: Ranger
>> >> >> >          Issue Type: Improvement
>> >> >> >            Reporter: Bryan Bende
>> >> >> >            Assignee: Bryan Bende
>> >> >> >            Priority: Minor
>> >> >> >             Fix For: 0.6.0
>> >> >> >
>> >> >> >
>> >> >> > Currently the Username field on the Create User form in the
UI
>> >> performs
>> >> >> validation that restricts the value to:
>> >> >> > [a-z0-9][a-z0-9,._\-'+/@]+
>> >> >> > I'd like to be able to add a DN as a username such as:
>> >> >> > CN=localhost, OU=My Org, O=Apache, L=Santa Monica, ST=CA,
C=US
>> >> >> > I believe this would require adding "=" and spaces as valid
>> >> characters.
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> This message was sent by Atlassian JIRA
>> >> >> (v6.3.4#6332)
>> >> >>
>> >>
>> >>
>>
>
>
>
>-- 
>Regards,
>Gautam.


Mime
View raw message