Posted to commits@ranger.apache.org by ve...@apache.org on 2020/03/19 16:17:08 UTC
[ranger] branch master updated: RANGER-2758 : Option to create
missing users/groups while creating/updating roles
This is an automated email from the ASF dual-hosted git repository.
vel pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 10f4cff RANGER-2758 : Option to create missing users/groups while creating/updating roles
10f4cff is described below
commit 10f4cff27b703ffbb18e77ac9bd08d4b61e63813
Author: Dineshkumar Yadav <di...@outlook.com>
AuthorDate: Mon Mar 16 13:11:49 2020 +0530
RANGER-2758 : Option to create missing users/groups while creating/updating roles
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
---
.../model/validation/RangerRoleValidator.java | 5 +-
.../org/apache/ranger/plugin/store/RoleStore.java | 4 +-
.../org/apache/ranger/biz/PolicyRefUpdater.java | 2 +-
.../java/org/apache/ranger/biz/RoleDBStore.java | 8 ++--
.../java/org/apache/ranger/biz/RoleRefUpdater.java | 56 ++++++++++++++++++----
.../java/org/apache/ranger/rest/PublicAPIsv2.java | 12 +++--
.../main/java/org/apache/ranger/rest/RoleREST.java | 26 +++++-----
7 files changed, 81 insertions(+), 32 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerRoleValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerRoleValidator.java
index bc34598..54ca93f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerRoleValidator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerRoleValidator.java
@@ -172,7 +172,10 @@ public class RangerRoleValidator extends RangerValidator {
}
Long id = rangerRole.getId();
- RangerRole existingRangerRole = getRangerRole(id);
+ RangerRole existingRangerRole = null;
+ if (null != id) {
+ existingRangerRole = getRangerRole(id);
+ }
if (action == Action.CREATE) {
if (existingRangerRole != null) {
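Review bot: With the new guard, an UPDATE request whose role carries no id now reaches the action check with `existingRangerRole == null` instead of calling `getRangerRole(null)`, and the hunk does not show what the UPDATE branch does with that; if it only tests `existingRangerRole == null` it would presumably report that the role does not exist, which is a misleading failure for an id that was never supplied. A comment at the guard would make the intent explicit, e.g. `// id is absent on CREATE; an UPDATE without an id must be rejected by the UPDATE branch below`, provided that branch does reject it. The enclosing validation method starts and ends outside the hunk.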
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java
index 7da43d5..22e1e6e 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java
@@ -29,9 +29,9 @@ public interface RoleStore {
void init() throws Exception;
- RangerRole createRole(RangerRole role) throws Exception;
+ RangerRole createRole(RangerRole role, Boolean createNonExistUserGroup) throws Exception;
- RangerRole updateRole(RangerRole role) throws Exception;
+ RangerRole updateRole(RangerRole role, Boolean createNonExistUserGroup) throws Exception;
void deleteRole(String roleName) throws Exception;
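Review bot: The new parameter is a boxed `Boolean`, and the only consumer visible in this commit, RoleRefUpdater.createNewRoleMappingForRefTable, branches on it with `if (createNonExistUserGroup)`, so any caller of this interface that passes null triggers a NullPointerException on unboxing. Unless a tri-state is intended, a primitive is safer: `RangerRole createRole(RangerRole role, boolean createNonExistUserGroup) throws Exception;` and likewise for updateRole; the same applies to the RoleDBStore overrides and to the RoleRefUpdater signature in this commit. The interface also gained a behavioural switch with no Javadoc; a `@param createNonExistUserGroup when true, users and groups named in the role that do not yet exist in Ranger are created as external principals before the role is stored` on both methods would state the contract.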
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
index baacfa4..f978d5d 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
@@ -311,7 +311,7 @@ public class PolicyRefUpdater {
xUserMgr.checkAdminAccess();
- RangerRole createdRole= roleStore.createRole(rRole);
+ RangerRole createdRole= roleStore.createRole(rRole, false);
return createdRole.getId();
}
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
index 5be8d9d..c4a32e4 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
@@ -94,7 +94,7 @@ public class RoleDBStore implements RoleStore {
}
@Override
- public RangerRole createRole(RangerRole role) throws Exception {
+ public RangerRole createRole(RangerRole role, Boolean createNonExistUserGroup) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> RoleDBStore.createRole()");
}
@@ -112,7 +112,7 @@ public class RoleDBStore implements RoleStore {
throw new Exception("Cannot create role:[" + role + "]");
}
- roleRefUpdater.createNewRoleMappingForRefTable(createdRole);
+ roleRefUpdater.createNewRoleMappingForRefTable(createdRole, createNonExistUserGroup);
List<XXTrxLog> trxLogList = roleService.getTransactionLog(createdRole, null, "create");
bizUtil.createTrxLog(trxLogList);
@@ -120,7 +120,7 @@ public class RoleDBStore implements RoleStore {
}
@Override
- public RangerRole updateRole(RangerRole role) throws Exception {
+ public RangerRole updateRole(RangerRole role, Boolean createNonExistUserGroup) throws Exception {
XXRole xxRole = daoMgr.getXXRole().findByRoleId(role.getId());
if (xxRole == null) {
throw restErrorUtil.createRESTException("role with id: " + role.getId() + " does not exist");
@@ -140,7 +140,7 @@ public class RoleDBStore implements RoleStore {
throw new Exception("Cannot update role:[" + role + "]");
}
- roleRefUpdater.createNewRoleMappingForRefTable(updatedRole);
+ roleRefUpdater.createNewRoleMappingForRefTable(updatedRole, createNonExistUserGroup);
roleService.updatePolicyVersions(updatedRole.getId());
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java b/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java
index 3742bd6..bb68e32 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java
@@ -24,8 +24,11 @@ import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.RESTErrorUtil;
+import org.apache.ranger.common.RangerCommonEnums;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.db.XXRoleRefGroupDao;
import org.apache.ranger.db.XXRoleRefRoleDao;
@@ -38,11 +41,18 @@ import org.apache.ranger.entity.XXRoleRefUser;
import org.apache.ranger.entity.XXUser;
import org.apache.ranger.plugin.model.RangerRole;
import org.apache.ranger.service.RangerAuditFields;
+import org.apache.ranger.service.XGroupService;
+import org.apache.ranger.service.XUserService;
+import org.apache.ranger.view.VXGroup;
+import org.apache.ranger.view.VXUser;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
+
@Component
public class RoleRefUpdater {
+ private static final Log LOG = LogFactory.getLog(RoleRefUpdater.class);
+
@Autowired
RangerDaoManager daoMgr;
@@ -52,7 +62,16 @@ public class RoleRefUpdater {
@Autowired
RESTErrorUtil restErrorUtil;
- public void createNewRoleMappingForRefTable(RangerRole rangerRole) throws Exception {
+ @Autowired
+ XUserMgr xUserMgr;
+
+ @Autowired
+ XUserService xUserService;
+
+ @Autowired
+ XGroupService xGroupService;
+
+ public void createNewRoleMappingForRefTable(RangerRole rangerRole, Boolean createNonExistUserGroup) throws Exception {
if (rangerRole == null) {
return;
}
@@ -80,18 +99,26 @@ public class RoleRefUpdater {
if (StringUtils.isBlank(roleUser)) {
continue;
}
-
+ VXUser vXUser = null;
XXUser xUser = daoMgr.getXXUser().findByUserName(roleUser);
if (xUser == null) {
- throw restErrorUtil.createRESTException("user with name: " + roleUser + " does not exist ",
- MessageEnums.INVALID_INPUT_DATA);
+ if (createNonExistUserGroup) {
+ LOG.warn("User specified in role does not exist in ranger admin, creating new user, User = "
+ + roleUser);
+ vXUser = xUserMgr.createExternalUser(roleUser);
+ } else {
+ throw restErrorUtil.createRESTException("user with name: " + roleUser + " does not exist ",
+ MessageEnums.INVALID_INPUT_DATA);
+ }
+ }else {
+ vXUser = xUserService.populateViewBean(xUser);
}
XXRoleRefUser xRoleRefUser = rangerAuditFields.populateAuditFieldsForCreate(new XXRoleRefUser());
xRoleRefUser.setRoleId(roleId);
- xRoleRefUser.setUserId(xUser.getId());
+ xRoleRefUser.setUserId(vXUser.getId());
xRoleRefUser.setUserName(roleUser);
xRoleRefUser.setUserType(0);
daoMgr.getXXRoleRefUser().create(xRoleRefUser);
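Review bot: `vXUser.getId()` on the setUserId line is dereferenced unconditionally, but `vXUser` comes either from `xUserMgr.createExternalUser(roleUser)` or `xUserService.populateViewBean(xUser)`, and nothing in the hunk guards against either returning null; if createExternalUser can fail without throwing (its contract is not visible here), the caller gets a NullPointerException from the ref-table step rather than a clear error. A guard after the branch, `if (vXUser == null) { throw restErrorUtil.createRESTException("user with name: " + roleUser + " could not be resolved", MessageEnums.INVALID_INPUT_DATA); }`, keeps the failure explicit. The group loop in the next hunk has the same shape with `vXGroup.getId()`. Since the creation path is opt-in, WARN is a noisy level for an expected outcome and INFO would be the usual choice, and `}else {` should be `} else {` in both loops.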
@@ -104,18 +131,29 @@ public class RoleRefUpdater {
if (StringUtils.isBlank(roleGroup)) {
continue;
}
-
+ VXGroup vXGroup = null;
XXGroup xGroup = daoMgr.getXXGroup().findByGroupName(roleGroup);
if (xGroup == null) {
- throw restErrorUtil.createRESTException("group with name: " + roleGroup + " does not exist ",
- MessageEnums.INVALID_INPUT_DATA);
+ if (createNonExistUserGroup) {
+ LOG.warn("Group specified in role does not exist in ranger admin, creating new group, Group = "
+ + roleGroup);
+ VXGroup vxGroupNew = new VXGroup();
+ vxGroupNew.setName(roleGroup);
+ vxGroupNew.setGroupSource(RangerCommonEnums.GROUP_EXTERNAL);
+ vXGroup = xUserMgr.createXGroup(vxGroupNew);
+ } else {
+ throw restErrorUtil.createRESTException("group with name: " + roleGroup + " does not exist ",
+ MessageEnums.INVALID_INPUT_DATA);
+ }
+ }else {
+ vXGroup = xGroupService.populateViewBean(xGroup);
}
XXRoleRefGroup xRoleRefGroup = rangerAuditFields.populateAuditFieldsForCreate(new XXRoleRefGroup());
xRoleRefGroup.setRoleId(roleId);
- xRoleRefGroup.setGroupId(xGroup.getId());
+ xRoleRefGroup.setGroupId(vXGroup.getId());
xRoleRefGroup.setGroupName(roleGroup);
xRoleRefGroup.setGroupType(0);
daoMgr.getXXRoleRefGroup().create(xRoleRefGroup);
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
index 1a83949..4862442 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
@@ -561,10 +561,12 @@ public class PublicAPIsv2 {
@POST
@Path("/api/roles")
@Produces({ "application/json", "application/xml" })
- public RangerRole createRole(@QueryParam("serviceName") String serviceName, RangerRole role, @Context HttpServletRequest request) {
+ public RangerRole createRole(@QueryParam("serviceName") String serviceName, RangerRole role
+ , @DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup
+ , @Context HttpServletRequest request) {
logger.info("==> PublicAPIsv2.createRole");
RangerRole ret;
- ret = roleREST.createRole(serviceName, role);
+ ret = roleREST.createRole(serviceName, role, createNonExistUserGroup);
logger.info("<== PublicAPIsv2.createRole" + ret.getName());
return ret;
}
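Review bot: `createNonExistUserGroup` is now part of the public v2 API surface but the hunk adds no Javadoc for it, and its effect — creating Ranger users and groups as a side effect of a role POST — is exactly what an API consumer and an auditor need stated. A one-line `@param createNonExistUserGroup if true, users and groups referenced by the role that are missing from Ranger are created before the role is saved; defaults to false` on createRole (and on updateRole in the next hunk) would cover it. The leading-comma parameter layout also differs from the other signatures in this file, which end the line with the comma.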
@@ -575,8 +577,10 @@ public class PublicAPIsv2 {
@PUT
@Path("/api/roles/{id}")
@Produces({ "application/json", "application/xml" })
- public RangerRole updateRole(@PathParam("id") Long roleId, RangerRole role, @Context HttpServletRequest request) {
- return roleREST.updateRole(roleId, role);
+ public RangerRole updateRole(@PathParam("id") Long roleId, RangerRole role
+ , @DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup
+ , @Context HttpServletRequest request) {
+ return roleREST.updateRole(roleId, role, createNonExistUserGroup);
}
@DELETE
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
index d690297..aa031ae 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
@@ -132,7 +132,9 @@ public class RoleREST {
@POST
@Path("/roles")
- public RangerRole createRole(@QueryParam("serviceName") String serviceName, RangerRole role) {
+ public RangerRole createRole(@QueryParam("serviceName") String serviceName, RangerRole role
+ , @DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup
+ ) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> createRole("+ role + ")");
}
@@ -147,7 +149,7 @@ public class RoleREST {
if (containsInvalidMember(role.getUsers())) {
throw new Exception("Invalid role user(s)");
}
- ret = roleStore.createRole(role);
+ ret = roleStore.createRole(role, createNonExistUserGroup);
} catch(WebApplicationException excp) {
throw excp;
} catch(Throwable excp) {
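Review bot: The guard just above the changed call validates only `role.getUsers()` with containsInvalidMember, yet with createNonExistUserGroup true the store will now also create groups from the `role.getGroups()` names; unless a group check already exists outside the hunk, and if containsInvalidMember is applicable to group names, a matching `if (containsInvalidMember(role.getGroups())) { throw new Exception("Invalid role group(s)"); }` before `roleStore.createRole` would stop unchecked names from becoming persisted principals. I cannot see containsInvalidMember's definition from the hunk, so whether it applies to groups needs confirming. The updateRole hunk further down has the same shape. The enclosing try block starts and ends outside the hunk.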
@@ -167,8 +169,10 @@ public class RoleREST {
@PUT
@Path("/roles/{id}")
- public RangerRole updateRole(@PathParam("id") Long roleId,
- RangerRole role) {
+ public RangerRole updateRole(@PathParam("id") Long roleId
+ , RangerRole role
+ , @DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup
+ ) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> updateRole(id=" + roleId +", " + role + ")");
}
@@ -187,7 +191,7 @@ public class RoleREST {
if (containsInvalidMember(role.getUsers())) {
throw new Exception("Invalid role user(s)");
}
- ret = roleStore.updateRole(role);
+ ret = roleStore.updateRole(role, createNonExistUserGroup);
} catch(WebApplicationException excp) {
throw excp;
} catch(Throwable excp) {
@@ -429,7 +433,7 @@ public class RoleREST {
role.setUsers(new ArrayList<>(roleUsers));
role.setGroups(new ArrayList<>(roleGroups));
- role = roleStore.updateRole(role);
+ role = roleStore.updateRole(role,false);
} catch(WebApplicationException excp) {
throw excp;
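Review bot: `roleStore.updateRole(role,false)` is missing the space after the comma that every other updated call site in this file uses; aligning it to `role = roleStore.updateRole(role, false);` keeps the call sites consistent. The enclosing method starts and ends outside the hunk.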
@@ -483,7 +487,7 @@ public class RoleREST {
}
}
- role = roleStore.updateRole(role);
+ role = roleStore.updateRole(role, false);
} catch(WebApplicationException excp) {
throw excp;
@@ -529,7 +533,7 @@ public class RoleREST {
}
}
- role = roleStore.updateRole(role);
+ role = roleStore.updateRole(role, false);
} catch(WebApplicationException excp) {
throw excp;
@@ -1105,7 +1109,7 @@ public class RoleREST {
role.setGroups(new ArrayList<>(roleGroups));
role.setRoles(new ArrayList<>(roleRoles));
- role = roleStore.updateRole(role);
+ role = roleStore.updateRole(role, false);
} catch(WebApplicationException excp) {
throw excp;
@@ -1162,7 +1166,7 @@ public class RoleREST {
}
}
- role = roleStore.updateRole(role);
+ role = roleStore.updateRole(role, false);
} catch(WebApplicationException excp) {
throw excp;
@@ -1207,7 +1211,7 @@ public class RoleREST {
}
}
- role = roleStore.updateRole(role);
+ role = roleStore.updateRole(role, false);
} catch(WebApplicationException excp) {
throw excp;