Move ranger code to new repo

[planetf1]

Review CLM reports for ranger-gaian plugin -- multiple issues reported

see https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/reports/odpi-egeria/5c16abc7c09d40c8a28358f959c68ef7

[planetf1]

The ranger gaian plugin has the following issues - which do not affect any other modules in egeria

apache-beanutils:common-beanutils:1.7.0 
- CVE-2014-0114 (7)

common-beanutils:common-beanutils-core:1.8.0
- CVE-2014-0114 (7)

io.netty:netty:3.7.0.Final - CVE-2015-2156 (7)
 - CVE-2014-0193 (5)

org.apache.hadoop:hadoop-common:2.9.2
 - CVE-2018-8009 (8)

org.apache.kafka:kafka_2.11:1.0.0
 - CVE-2018-17196 (8) 
 - CVE-2018-1288 (5)

org.apache.zookeeper:zookeeper:3.4.6 
 - CVE-2017-5637 (7) 
 - CVE-2018-8012 (7) 
 - CVE-2019-0201 (5)

org.codehaus.jackson:jackson-mapper-asl:1.9.13 
 - CVE-2017-7525 (9)

org.apache.httpcomponents:httpclient:4.5.2
 - SONATYPE-2017-0359 (7)

This last one only also affects janus - but this will be addressed in https://github.com/odpi/egeria/issues/1828

These issues are transitive dependencies from pulling in Apache Ranger client code.

Possible mitigation strategies to consider:

• Clear documentation over the state of the plugin including these issues
• Use of later ranger client libraries
• overriding transitive dependencies (via dependencyManagement) for our client - and testing.

[planetf1]

The ranger (and to a lesser extent gaian) code is raising many security scan issues and liable to quite a number of CVEs

This is brought in through the current ranger code we use, and in particular the client libraries.

We either need to be able to get the client very thin, or more likely move the ranger code to it's own repo

[cmgrote]

We had also discussed the potential to move this into a Hadoop-oriented connector repository (and do the same with the Apache Atlas connector) -- that could be a reasonable compromise between proliferating too many repositories while still keeping logical units together?

(Apache Atlas relies on many of these same underlying libraries, so there should hopefully also be some synergies in addressing the CVEs in a common way across them.)

[planetf1]

See also https://github.com/odpi/egeria/issues/2739 for a broader discussion (my notes) in terms of how we might manage repos.

Broadly in agreement though that for the hadoop case moving both items mentioned there would make sense

[planetf1]

Also to add to the hadoop list -- the docker build for atlas/ranger

[planetf1]

Starting work on this today ... in conjunction with #odpi/egeria-connector-hadoop-ecosystem#147

[planetf1]

We should move

• Atlas docker builds
• Ranger docker builds
• other ranger/atlas / very specifically hadoop related code

to our hadoop ecosystem repo

and setup appropriate build pipelines

Anything related to the helm charts can go to the samples repo

cc: @cmgrote

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions.

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions.

[planetf1]

I believe you are looking at this first. Please assign back/raise issue with any remaining tasks you need me to look at as part of the migration

[mandy-chessell]

Yes - I can do this ... :)

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions.

[planetf1]

I propose to now remove our ranger/gaian related code from the egeria repo. This includes the ranger security connector, gaian, and docker containers.

They will be recreated in an alternative repo when we are ready to continue working for them, as we can retrieve from history.

Currently they are not functional or used, and are contributing to the cost of build performance, security issues etc