Skip to content

RANGER-5215 : Policy authorisation fails for Ranger Plugins in case of users/groups converted by Ranger userysnc as per given Regex#584

Merged
mneethiraj merged 16 commits intomasterfrom
ds_RANGER-5215_us
Jul 30, 2025
Merged

RANGER-5215 : Policy authorisation fails for Ranger Plugins in case of users/groups converted by Ranger userysnc as per given Regex#584
mneethiraj merged 16 commits intomasterfrom
ds_RANGER-5215_us

Conversation

@dhavalshah9131
Copy link
Copy Markdown
Contributor

@dhavalshah9131 dhavalshah9131 commented Jun 5, 2025

What changes were proposed in this pull request?

Problem Statement:

Currently, when Ranger Usersync is configured with case conversion and special character replacement using regex, it transforms the original user/group names from the source (e.g., AD/LDAP) before storing them in the Ranger Admin database.

Example:

Original name in LDAP/AD: John-jacobs
Usersync configuration:

  • ranger.usersync.ldap.username.caseconversion = lower
  • ranger.usersync.mapping.username.regex = s/[-]/_/g
  • Transformed and stored name in Ranger: john_jacobs

Issue:

If a Ranger plugin (e.g., Hive) uses the original name John-jacobs during authorization checks, it fails because Ranger Admin only recognizes the transformed name john_jacobs.

Error Example:

Permission denied: user [John-jacobs] does not have [SELECT] privilege on [vehicle/cars/*]
Solution:

To ensure consistency, the same transformation logic used by Usersync must also be applied on the plugin side before authorization. This transformation should be made available as a utility library packaged with the plugins.

Configurability:

This feature must be configurable at the plugin level via a property (e.g., ranger.plugin..supports.name.transformation), allowing users to enable or disable it based on their environment needs.

In ranger-admin-site.xml

ranger.plugins.ldap.username.caseconversion
ranger.plugins.ldap.groupname.caseconversion
ranger.plugins.mapping.username.handler
ranger.plugins.mapping.groupname.handler
ranger.plugins.mapping.regex.separator
ranger.plugins.mapping.username.regex
ranger.plugins.mapping.groupname.regex

How was this patch tested?

(Please explain how this patch was tested. Ex: unit tests, manual tests)
1.) Build successful with unit test.
2.) Manul testing

This comment was marked as outdated.

Sign in to view

@dhavalshah9131
RANGER-5215 : Policy authroisation fails for Ranger Plugins in case o…
f969e3e 
…f users/groups converted by Ranger userysnc as per given Regex
@dhavalshah9131
RANGER-5215 : Policy authroisation fails for Ranger Plugins in case o…
be624fb 
…f users/groups converted by Ranger userysnc as per given Regex
Copilot AI reviewed Jun 13, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR addresses the issue where Ranger plugins fail authorization due to differences in user/group name formatting between the source (e.g., LDAP/AD) and the Ranger Admin database. The changes introduce a shared utility (ugsync-util) and corresponding configuration constants to apply consistent name transformations on the plugin side. Key changes include:

  • Updating various plugin assembly XML files to include the ugsync-util dependency.
  • Enhancing the RangerDefaultRequestProcessor and RangerBasePlugin to apply case conversion and regex-based name transformations using a new Mapper instance.
  • Adding new constants and a model (UgsyncNameTransformRules) to support the name transformation configuration.

Reviewed Changes

Copilot reviewed 41 out of 41 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
distro/src/main/assembly/*.xml Added for ugsync-util in several plugin and agent assembly definitions.
agents-common/src/main/java/org/apache/ranger/plugin/util/ServicePolicies.java Updated to copy service configuration including new name transformation settings.
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java Added new constants for name transformation configuration.
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java Added logic to perform user and group name transformation based on config settings.
agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java Introduced configuration loading for name transformation and Mapper instantiation.
agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java Added getters and setters for transformation Mapper and case conversion strings.
agents-common/src/main/java/org/apache/ranger/plugin/model/UgsyncNameTransformRules.java New model to encapsulate name transformation rules.
agents-common/pom.xml Added dependency on ugsync-util with necessary exclusions.
Comments suppressed due to low confidence (2)

agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java:1288

  • Consider using getDeclaredConstructor().newInstance() instead of newInstance() for instantiating the Mapper, to follow modern Java instantiation practices.
Mapper userNameRegExInst = regExClass.newInstance();

agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java:1308

  • Consider using getDeclaredConstructor().newInstance() instead of newInstance() for instantiating the Mapper, to follow modern Java instantiation practices.
Mapper groupNameRegExInst = regExClass.newInstance();

@apache apache deleted a comment from Copilot AI Jun 16, 2025
@dhavalshah9131
RANGER-5215 : Policy authroisation fails for Ranger Plugins in case o…
8bc7969 
…f users/groups converted by Ranger userysnc as per given Regex
@dhavalshah9131 dhavalshah9131 requested a review from fateh288 July 14, 2025 15:29
fateh288
fateh288 requested changes Jul 14, 2025
View reviewed changes
rameeshm
rameeshm reviewed Jul 15, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@rameeshm rameeshm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dhavalshah9131 Please correct the JIRA description as it has Typo.
RANGER-5215 : Policy authorization fails for Ranger Plugins in case of users/groups converted by Ranger userysnc as per given Regex

@dhavalshah9131 dhavalshah9131 changed the title RANGER-5215 : Policy authroisation fails for Ranger Plugins in case of users/groups converted by Ranger userysnc as per given Regex RANGER-5215 : Policy authorisation fails for Ranger Plugins in case of users/groups converted by Ranger userysnc as per given Regex Jul 15, 2025
fateh288
fateh288 approved these changes Jul 16, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@fateh288 fateh288 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have one more refactoring suggestion, but other than that it looks good

@dhavalshah9131
RANGER-5215 : Policy authorisation fails for Ranger Plugins in case o…
ee8dca0 
…f users/groups converted by Ranger userysnc as per given Regex
@dhavalshah9131 dhavalshah9131 requested a review from fateh288 July 17, 2025 09:57
@dhavalshah9131
RANGER-5215 : Policy authorisation fails for Ranger Plugins in case o…
b908e67 
…f users/groups converted by Ranger userysnc as per given Regex
@dhavalshah9131 dhavalshah9131 requested a review from kumaab July 17, 2025 19:15
fateh288
fateh288 approved these changes Jul 18, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@fateh288 fateh288 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM !!

@dhavalshah9131
RANGER-5215 : Policy authorisation fails for Ranger Plugins in case o…
1194e1b 
…f users/groups converted by Ranger userysnc as per given Regex
@dhavalshah9131 dhavalshah9131 requested a review from kumaab July 22, 2025 19:05
kumaab
kumaab approved these changes Jul 23, 2025
View reviewed changes
@dhavalshah9131
RANGER-5215 : Policy authorisation fails for Ranger Plugins in case o…
94831a6 
…f users/groups converted by Ranger userysnc as per given Regex
mneethiraj
mneethiraj reviewed Jul 23, 2025
View reviewed changes
@dhavalshah9131
RANGER-5215 : Policy authorisation fails for Ranger Plugins in case o…
e940ab4 
…f users/groups converted by Ranger userysnc as per given Regex
mneethiraj
mneethiraj reviewed Jul 25, 2025
View reviewed changes
dhavalshah9131
dhavalshah9131 commented Jul 30, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor Author

@dhavalshah9131 dhavalshah9131 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with @mneethiraj changes.

@mneethiraj mneethiraj merged commit a642800 into master Jul 30, 2025
11 of 15 checks passed
@dhavalshah9131 dhavalshah9131 mentioned this pull request Nov 28, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@mneethiraj mneethiraj mneethiraj approved these changes

@fateh288 fateh288 fateh288 approved these changes

@kumaab kumaab kumaab approved these changes

@pradeepagrawal8184 pradeepagrawal8184 Awaiting requested review from pradeepagrawal8184

@bhavikpatel9977 bhavikpatel9977 Awaiting requested review from bhavikpatel9977

@spolavarpau1 spolavarpau1 Awaiting requested review from spolavarpau1

@mehulbparikh mehulbparikh Awaiting requested review from mehulbparikh

@dineshkumar-yadav dineshkumar-yadav Awaiting requested review from dineshkumar-yadav

@rameeshm rameeshm Awaiting requested review from rameeshm

Assignees

@dhavalshah9131 dhavalshah9131

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@dhavalshah9131 @rameeshm @mneethiraj @fateh288 @kumaab