You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by rm...@apache.org on 2015/03/09 18:48:00 UTC
[1/2] incubator-ranger git commit: RANGER-277 : Ranger Public API
changes to use Service Model
Repository: incubator-ranger
Updated Branches:
refs/heads/master 2a309b5c1 -> ca75aadc6
RANGER-277 : Ranger Public API changes to use Service Model
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/e97c99d8
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/e97c99d8
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/e97c99d8
Branch: refs/heads/master
Commit: e97c99d8b17c8cd8b7b578e44acd020e6605911d
Parents: 895ac2b
Author: rmani <rm...@hortonworks.com>
Authored: Mon Mar 9 10:47:21 2015 -0700
Committer: rmani <rm...@hortonworks.com>
Committed: Mon Mar 9 10:47:21 2015 -0700
----------------------------------------------------------------------
.../org/apache/ranger/common/ServiceUtil.java | 881 +++++++++++++++++--
.../java/org/apache/ranger/rest/AssetREST.java | 89 +-
.../java/org/apache/ranger/rest/PublicAPIs.java | 338 ++++---
.../org/apache/ranger/rest/ServiceREST.java | 390 ++++----
4 files changed, 1272 insertions(+), 426 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e97c99d8/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java b/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java
index d26f4c5..b340625 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java
@@ -19,6 +19,7 @@
package org.apache.ranger.common;
+import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
@@ -26,9 +27,17 @@ import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
+import org.apache.ranger.authorization.utils.StringUtil;
+import org.apache.ranger.biz.ServiceDBStore;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.entity.XXGroup;
import org.apache.ranger.entity.XXUser;
@@ -37,11 +46,17 @@ import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
+import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.view.VXAsset;
import org.apache.ranger.view.VXAuditMap;
import org.apache.ranger.view.VXDataObject;
import org.apache.ranger.view.VXPermMap;
+import org.apache.ranger.view.VXPermObj;
+import org.apache.ranger.view.VXPolicy;
+import org.apache.ranger.view.VXPolicyList;
+import org.apache.ranger.view.VXRepositoryList;
import org.apache.ranger.view.VXResource;
+import org.apache.ranger.view.VXRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
@@ -51,6 +66,8 @@ public class ServiceUtil {
static Map<String, Integer> mapServiceTypeToAssetType = new HashMap<String, Integer>();
static Map<String, Integer> mapAccessTypeToPermType = new HashMap<String, Integer>();
+ static String version;
+ static String uniqueKeySeparator;
@Autowired
JSONUtil jsonUtil;
@@ -58,6 +75,12 @@ public class ServiceUtil {
@Autowired
RangerDaoManager xaDaoMgr;
+ @Autowired
+ RESTErrorUtil restErrorUtil;
+
+ @Autowired
+ ServiceDBStore svcStore;
+
static {
mapServiceTypeToAssetType.put(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HDFS_NAME, new Integer(RangerCommonEnums.ASSET_HDFS));
mapServiceTypeToAssetType.put(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HBASE_NAME, new Integer(RangerCommonEnums.ASSET_HBASE));
@@ -97,6 +120,10 @@ public class ServiceUtil {
mapAccessTypeToPermType.put("getUserTopology", 29);
mapAccessTypeToPermType.put("getTopologyInfo", 30);
mapAccessTypeToPermType.put("uploadNewCredentials", 31);
+
+ version = "0";
+ uniqueKeySeparator = "_";
+
}
public RangerService toRangerService(VXAsset asset) {
@@ -140,7 +167,7 @@ public class ServiceUtil {
return ret;
}
-
+
public RangerPolicy toRangerPolicy(VXResource resource, RangerService service) {
if(resource == null) {
return null;
@@ -175,7 +202,7 @@ public class ServiceUtil {
toRangerResourceList(resource.getServices(), "service", Boolean.FALSE, isRecursive, ret.getResources());
HashMap<String, List<VXPermMap>> sortedPermMap = new HashMap<String, List<VXPermMap>>();
-
+
// re-group the list with permGroup as the key
if (resource.getPermMapList() != null) {
for(VXPermMap permMap : resource.getPermMapList()) {
@@ -296,92 +323,8 @@ public class ServiceUtil {
}
}
- List<VXPermMap> permMapList = new ArrayList<VXPermMap>();
-
- int permGroup = 0;
- for(RangerPolicy.RangerPolicyItem policyItem : policy.getPolicyItems()) {
- String ipAddress = null;
-
- for(RangerPolicy.RangerPolicyItemCondition condition : policyItem.getConditions()) {
- if(condition.getType() == "ipaddress") {
- List<String> values = condition.getValues();
- if (CollectionUtils.isNotEmpty(values)) {
- // TODO changes this to properly deal with collection for now just returning 1st item
- ipAddress = values.get(0);
- }
- }
-
- if(ipAddress != null && !ipAddress.isEmpty()) {
- break; // only 1 IP-address per permMap
- }
- }
-
- for(String userName : policyItem.getUsers()) {
- for(RangerPolicyItemAccess access : policyItem.getAccesses()) {
- if(! access.getIsAllowed()) {
- continue;
- }
-
- VXPermMap permMap = new VXPermMap();
-
- permMap.setPermFor(AppConstants.XA_PERM_FOR_USER);
- permMap.setPermGroup(new Integer(permGroup).toString());
- permMap.setUserName(userName);
- permMap.setUserId(getUserId(userName));
- permMap.setPermType(toPermType(access.getType()));
- permMap.setIpAddress(ipAddress);
-
- permMapList.add(permMap);
- }
-
- if(policyItem.getDelegateAdmin()) {
- VXPermMap permMap = new VXPermMap();
-
- permMap.setPermFor(AppConstants.XA_PERM_FOR_USER);
- permMap.setPermGroup(new Integer(permGroup).toString());
- permMap.setUserName(userName);
- permMap.setUserId(getUserId(userName));
- permMap.setPermType(toPermType("Admin"));
- permMap.setIpAddress(ipAddress);
-
- permMapList.add(permMap);
- }
- }
- permGroup++;
-
- for(String groupName : policyItem.getGroups()) {
- for(RangerPolicyItemAccess access : policyItem.getAccesses()) {
- if(! access.getIsAllowed()) {
- continue;
- }
-
- VXPermMap permMap = new VXPermMap();
-
- permMap.setPermFor(AppConstants.XA_PERM_FOR_GROUP);
- permMap.setPermGroup(new Integer(permGroup).toString());
- permMap.setGroupName(groupName);
- permMap.setGroupId(getGroupId(groupName));
- permMap.setPermType(toPermType(access.getType()));
- permMap.setIpAddress(ipAddress);
-
- permMapList.add(permMap);
- }
-
- if(policyItem.getDelegateAdmin()) {
- VXPermMap permMap = new VXPermMap();
-
- permMap.setPermFor(AppConstants.XA_PERM_FOR_GROUP);
- permMap.setPermGroup(new Integer(permGroup).toString());
- permMap.setGroupName(groupName);
- permMap.setGroupId(getGroupId(groupName));
- permMap.setPermType(toPermType("Admin"));
- permMap.setIpAddress(ipAddress);
-
- permMapList.add(permMap);
- }
- }
- permGroup++;
- }
+ List<VXPermMap> permMapList = getVXPermMapList(policy);
+
ret.setPermMapList(permMapList);
return ret;
@@ -456,8 +399,52 @@ public class ServiceUtil {
return ret;
}
+
+ public VXRepository toVXRepository(RangerService service){
+
+ VXRepository ret = new VXRepository();
+ rangerObjectToDataObject(service,ret);
+
+ ret.setRepositoryType(service.getType());
+ ret.setName(service.getName());
+ ret.setDescription(service.getDescription());
+ ret.setIsActive(service.getIsEnabled());
+ ret.setConfig(jsonUtil.readMapToString(service.getConfigs()));
+ ret.setVersion(Long.toString(service.getVersion()));
+
+ return ret;
+ }
+
+
+ public VXAsset publicObjecttoVXAsset(VXRepository vXRepository) {
+ VXAsset ret = new VXAsset();
+ publicDataObjectTovXDataObject(vXRepository,ret);
+
+ ret.setAssetType(toAssetType(vXRepository.getRepositoryType()));
+ ret.setName(vXRepository.getName());
+ ret.setDescription(vXRepository.getDescription());
+ ret.setActiveStatus(vXRepository.getIsActive() ? RangerCommonEnums.STATUS_ENABLED : RangerCommonEnums.STATUS_DISABLED);
+ ret.setConfig(vXRepository.getConfig());
+ return ret;
+
+ }
+
+ public VXRepository vXAssetToPublicObject(VXAsset asset) {
+ VXRepository ret = new VXRepository();
+ vXDataObjectToPublicDataObject(ret,asset);
+
+ ret.setRepositoryType(toServiceType(asset.getAssetType()));
+ ret.setName(asset.getName());
+ ret.setDescription(asset.getDescription());
+ ret.setIsActive(asset.getActiveStatus() == RangerCommonEnums.STATUS_ENABLED ? true : false);
+ ret.setConfig(asset.getConfig());
+ ret.setVersion(version);
+
+ return ret;
+ }
- private RangerBaseModelObject dataObjectToRangerObject(VXDataObject dataObject, RangerBaseModelObject rangerObject) {
+
+ private RangerBaseModelObject dataObjectToRangerObject(VXDataObject dataObject,RangerBaseModelObject rangerObject) {
RangerBaseModelObject ret = rangerObject;
ret.setId(dataObject.getId());
@@ -481,6 +468,21 @@ public class ServiceUtil {
return ret;
}
+ private String toVxPolicyIncExc(int policyIncExc) {
+ String ret = "";
+
+ switch(policyIncExc) {
+ case 0:
+ ret = "Inclusion";
+ break;
+ case 1:
+ ret = "Exclusion";
+ break;
+ }
+ return ret;
+ }
+
+
private String getResourceString(List<String> values) {
String ret = null;
@@ -561,4 +563,705 @@ public class ServiceUtil {
return groupId;
}
+
+ public SearchCriteria getMappedSearchParams(HttpServletRequest request,
+ SearchCriteria searchCriteria) {
+
+ Object typeObj = searchCriteria.getParamValue("type");
+ Object statusObj = searchCriteria.getParamValue("status");
+
+ ArrayList<Integer> statusList = new ArrayList<Integer>();
+ if (statusObj == null) {
+ statusList.add(RangerCommonEnums.STATUS_DISABLED);
+ statusList.add(RangerCommonEnums.STATUS_ENABLED);
+ } else {
+ boolean status = restErrorUtil.parseBoolean(
+ request.getParameter("status"), "Invalid value for "
+ + "status", MessageEnums.INVALID_INPUT_DATA, null,
+ "status");
+ int statusEnum = (status == false) ? AppConstants.STATUS_DISABLED
+ : AppConstants.STATUS_ENABLED;
+ statusList.add(statusEnum);
+ }
+ searchCriteria.addParam("status", statusList);
+
+ if (typeObj != null) {
+ String type = typeObj.toString();
+ int typeEnum = AppConstants.getEnumFor_AssetType(type);
+ searchCriteria.addParam("type", typeEnum);
+ }
+ return searchCriteria;
+ }
+
+
+ public VXRepositoryList rangerServiceListToPublicObjectList(List<RangerService> serviceList) {
+
+ List<VXRepository> repoList = new ArrayList<VXRepository>();
+ for (RangerService service : serviceList) {
+ VXRepository vXRepo = toVXRepository(service);
+ repoList.add(vXRepo);
+ }
+ VXRepositoryList vXRepositoryList = new VXRepositoryList(repoList);
+ return vXRepositoryList;
+ }
+
+
+ private VXDataObject vXDataObjectToPublicDataObject(VXDataObject publicDataObject, VXDataObject vXdataObject) {
+
+ VXDataObject ret = publicDataObject;
+
+ ret.setId(vXdataObject.getId());
+ ret.setCreateDate(vXdataObject.getCreateDate());
+ ret.setUpdateDate(vXdataObject.getUpdateDate());
+ ret.setOwner(vXdataObject.getOwner());
+ ret.setUpdatedBy(vXdataObject.getUpdatedBy());
+
+ return ret;
+ }
+
+ protected VXDataObject publicDataObjectTovXDataObject(VXDataObject publicDataObject,VXDataObject vXDataObject) {
+
+ VXDataObject ret = vXDataObject;
+
+ ret.setId(publicDataObject.getId());
+ ret.setCreateDate(publicDataObject.getCreateDate());
+ ret.setUpdateDate(publicDataObject.getUpdateDate());
+ ret.setOwner(publicDataObject.getOwner());
+ ret.setUpdatedBy(publicDataObject.getUpdatedBy());
+
+ return ret;
+ }
+
+
+ public VXPolicy toVXPolicy(RangerPolicy policy, RangerService service) {
+ if(policy == null || service == null) {
+ return null;
+ }
+
+ VXPolicy ret = new VXPolicy();
+
+ rangerObjectToDataObject(policy, ret);
+
+ ret.setPolicyName(policy.getName());
+ ret.setDescription(policy.getDescription());
+ ret.setRepositoryName(policy.getService());
+ ret.setIsEnabled(policy.getIsEnabled() ? true : false);
+ ret.setRepositoryType(service.getType());
+ ret.setIsAuditEnabled(policy.getIsAuditEnabled());
+ if (policy.getVersion() != null ) {
+ ret.setVersion(policy.getVersion().toString());
+ } else {
+ ret.setVersion(version);
+ }
+
+ for(Map.Entry<String, RangerPolicy.RangerPolicyResource> e : policy.getResources().entrySet()) {
+ RangerPolicy.RangerPolicyResource res = e.getValue();
+ String resType = e.getKey();
+ String resString = getResourceString(res.getValues());
+
+ if(resType.equalsIgnoreCase("path")) {
+ ret.setResourceName(resString);
+ ret.setIsRecursive(Boolean.TRUE.equals(res.getIsRecursive()) ? true : false);
+ } else if(resType.equalsIgnoreCase("table")) {
+ ret.setTables(resString);
+ ret.setTableType(Boolean.TRUE.equals(res.getIsExcludes()) ? toVxPolicyIncExc(RangerCommonEnums.POLICY_EXCLUSION):toVxPolicyIncExc(RangerCommonEnums.POLICY_INCLUSION));
+ } else if(resType.equalsIgnoreCase("column-family")) {
+ ret.setColumnFamilies(resString);
+ } else if(resType.equalsIgnoreCase("column")) {
+ ret.setColumns(resString);
+ ret.setColumnType(Boolean.TRUE.equals(res.getIsExcludes()) ? toVxPolicyIncExc(RangerCommonEnums.POLICY_EXCLUSION):toVxPolicyIncExc(RangerCommonEnums.POLICY_INCLUSION));
+ } else if(resType.equalsIgnoreCase("database")) {
+ ret.setDatabases(resString);
+ } else if(resType.equalsIgnoreCase("udf")) {
+ ret.setUdfs(resString);
+ } else if(resType.equalsIgnoreCase("topology")) {
+ ret.setTopologies(resString);
+ } else if(resType.equalsIgnoreCase("service")) {
+ ret.setServices(resString);
+ }
+ }
+
+ List<VXPermMap> vXPermMapList = getVXPermMapList(policy);
+
+ List<VXPermObj> vXPermObjList = mapPermMapToPermObj(vXPermMapList);
+
+ ret.setPermMapList(vXPermObjList);
+
+ return ret;
+ }
+
+
+ public List<VXPermMap> getVXPermMapList(RangerPolicy policy) {
+
+ List<VXPermMap> permMapList = new ArrayList<VXPermMap>();
+
+ int permGroup = 0;
+ for(RangerPolicy.RangerPolicyItem policyItem : policy.getPolicyItems()) {
+ String ipAddress = null;
+
+ for(RangerPolicy.RangerPolicyItemCondition condition : policyItem.getConditions()) {
+ if(condition.getType() == "ipaddress") {
+ List<String> values = condition.getValues();
+ if (CollectionUtils.isNotEmpty(values)) {
+ // TODO changes this to properly deal with collection for now just returning 1st item
+ ipAddress = values.get(0);
+ }
+ }
+
+ if(ipAddress != null && !ipAddress.isEmpty()) {
+ break; // only 1 IP-address per permMap
+ }
+ }
+
+ for(String userName : policyItem.getUsers()) {
+ for(RangerPolicyItemAccess access : policyItem.getAccesses()) {
+ if(! access.getIsAllowed()) {
+ continue;
+ }
+
+ VXPermMap permMap = new VXPermMap();
+
+ permMap.setPermFor(AppConstants.XA_PERM_FOR_USER);
+ permMap.setPermGroup(new Integer(permGroup).toString());
+ permMap.setUserName(userName);
+ permMap.setUserId(getUserId(userName));
+ permMap.setPermType(toPermType(access.getType()));
+ permMap.setIpAddress(ipAddress);
+
+ permMapList.add(permMap);
+ }
+
+ if(policyItem.getDelegateAdmin()) {
+ VXPermMap permMap = new VXPermMap();
+
+ permMap.setPermFor(AppConstants.XA_PERM_FOR_USER);
+ permMap.setPermGroup(new Integer(permGroup).toString());
+ permMap.setUserName(userName);
+ permMap.setUserId(getUserId(userName));
+ permMap.setPermType(toPermType("Admin"));
+ permMap.setIpAddress(ipAddress);
+
+ permMapList.add(permMap);
+ }
+ }
+ permGroup++;
+
+ for(String groupName : policyItem.getGroups()) {
+ for(RangerPolicyItemAccess access : policyItem.getAccesses()) {
+ if(! access.getIsAllowed()) {
+ continue;
+ }
+
+ VXPermMap permMap = new VXPermMap();
+
+ permMap.setPermFor(AppConstants.XA_PERM_FOR_GROUP);
+ permMap.setPermGroup(new Integer(permGroup).toString());
+ permMap.setGroupName(groupName);
+ permMap.setGroupId(getGroupId(groupName));
+ permMap.setPermType(toPermType(access.getType()));
+ permMap.setIpAddress(ipAddress);
+
+ permMapList.add(permMap);
+ }
+
+ if(policyItem.getDelegateAdmin()) {
+ VXPermMap permMap = new VXPermMap();
+
+ permMap.setPermFor(AppConstants.XA_PERM_FOR_GROUP);
+ permMap.setPermGroup(new Integer(permGroup).toString());
+ permMap.setGroupName(groupName);
+ permMap.setGroupId(getGroupId(groupName));
+ permMap.setPermType(toPermType("Admin"));
+ permMap.setIpAddress(ipAddress);
+
+ permMapList.add(permMap);
+ }
+ }
+ permGroup++;
+ }
+ return permMapList;
+ }
+
+
+ public List<VXPermObj> mapPermMapToPermObj(List<VXPermMap> permMapList) {
+
+ List<VXPermObj> permObjList = new ArrayList<VXPermObj>();
+ HashMap<String, List<VXPermMap>> sortedPemMap = new HashMap<String, List<VXPermMap>>();
+
+ if (permMapList != null) {
+ for (VXPermMap vXPermMap : permMapList) {
+
+ String permGrp = vXPermMap.getPermGroup();
+ List<VXPermMap> sortedList = sortedPemMap.get(permGrp);
+ if (sortedList == null) {
+ sortedList = new ArrayList<VXPermMap>();
+ sortedPemMap.put(permGrp, sortedList);
+ }
+ sortedList.add(vXPermMap);
+ }
+ }
+
+ for (Entry<String, List<VXPermMap>> entry : sortedPemMap.entrySet()) {
+ VXPermObj vXPermObj = new VXPermObj();
+ List<String> userList = new ArrayList<String>();
+ List<String> groupList = new ArrayList<String>();
+ List<String> permList = new ArrayList<String>();
+ String ipAddress = "";
+
+ List<VXPermMap> permListForGrp = entry.getValue();
+
+ for (VXPermMap permMap : permListForGrp) {
+ if (permMap.getPermFor() == AppConstants.XA_PERM_FOR_USER) {
+ if (!userList.contains(permMap.getUserName())) {
+ userList.add(permMap.getUserName());
+ }
+ } else if (permMap.getPermFor() == AppConstants.XA_PERM_FOR_GROUP) {
+ if (!groupList.contains(permMap.getGroupName())) {
+ groupList.add(permMap.getGroupName());
+ }
+ }
+ String perm = AppConstants.getLabelFor_XAPermType(permMap
+ .getPermType());
+ if (!permList.contains(perm)) {
+ permList.add(perm);
+ }
+ ipAddress = permMap.getIpAddress();
+ }
+ if (!userList.isEmpty()) {
+ vXPermObj.setUserList(userList);
+ }
+ if (!groupList.isEmpty()) {
+ vXPermObj.setGroupList(groupList);
+ }
+ vXPermObj.setPermList(permList);
+ vXPermObj.setIpAddress(ipAddress);
+
+ permObjList.add(vXPermObj);
+ }
+ return permObjList;
+ }
+
+
+ public RangerPolicy toRangerPolicy(VXPolicy vXPolicy, RangerService service ) {
+
+ if(vXPolicy == null) {
+ return null;
+ }
+
+ RangerPolicy ret = new RangerPolicy();
+
+ ret = (RangerPolicy) dataObjectToRangerObject(vXPolicy, ret);
+
+ if(service != null) {
+ ret.setService(service.getName());
+ } else {
+ ret.setService(vXPolicy.getRepositoryName());
+ }
+
+ ret.setName(vXPolicy.getPolicyName());
+ ret.setDescription(vXPolicy.getDescription());
+ ret.setIsEnabled(vXPolicy.getIsEnabled() == true);
+ ret.setIsAuditEnabled(vXPolicy.getIsAuditEnabled());
+
+ Boolean isRecursive = Boolean.FALSE;
+ if ( vXPolicy.getIsRecursive() != null) {
+ isRecursive = vXPolicy.getIsRecursive();
+ }
+
+ Boolean isTableExcludes = Boolean.FALSE;
+ if ( vXPolicy.getTableType() != null) {
+ isTableExcludes = vXPolicy.getTableType().equals(RangerCommonEnums.getLabelFor_PolicyType(RangerCommonEnums.POLICY_EXCLUSION));
+ }
+
+ Boolean isColumnExcludes = Boolean.FALSE;
+ if ( vXPolicy.getColumnType() != null) {
+ isColumnExcludes = vXPolicy.getColumnType().equals(RangerCommonEnums.getLabelFor_PolicyType(RangerCommonEnums.POLICY_EXCLUSION));
+ }
+
+ if (vXPolicy.getResourceName() != null ) {
+ toRangerResourceList(vXPolicy.getResourceName(), "path", Boolean.FALSE, isRecursive, ret.getResources());
+ }
+
+ if (vXPolicy.getTables() != null) {
+ toRangerResourceList(vXPolicy.getTables(), "table", isTableExcludes, isRecursive, ret.getResources());
+ }
+
+ if (vXPolicy.getColumnFamilies() != null) {
+ toRangerResourceList(vXPolicy.getColumnFamilies(), "column-family", Boolean.FALSE, isRecursive, ret.getResources());
+ }
+
+ if (vXPolicy.getColumns() != null) {
+ toRangerResourceList(vXPolicy.getColumns(), "column", isColumnExcludes, isRecursive, ret.getResources());
+ }
+
+ if (vXPolicy.getDatabases() != null) {
+ toRangerResourceList(vXPolicy.getDatabases(), "database", Boolean.FALSE, isRecursive, ret.getResources());
+ }
+
+ if (vXPolicy.getUdfs() != null) {
+ toRangerResourceList(vXPolicy.getUdfs(), "udf", Boolean.FALSE, isRecursive, ret.getResources());
+ }
+
+ if (vXPolicy.getTopologies() != null) {
+ toRangerResourceList(vXPolicy.getTopologies(), "topology", Boolean.FALSE, isRecursive, ret.getResources());
+ }
+
+ if (vXPolicy.getServices() != null) {
+ toRangerResourceList(vXPolicy.getServices(), "service", Boolean.FALSE, isRecursive, ret.getResources());
+ }
+
+
+ if ( vXPolicy.getPermMapList() != null) {
+ List<VXPermObj> vXPermObjList = vXPolicy.getPermMapList();
+
+ for(VXPermObj vXPermObj : vXPermObjList ) {
+ List<String> userList = new ArrayList<String>();
+ List<String> groupList = new ArrayList<String>();
+ List<RangerPolicyItemAccess> accessList = new ArrayList<RangerPolicyItemAccess>();
+ String ipAddress = null;
+ boolean delegatedAdmin = false;
+
+ if (vXPermObj.getUserList() != null) {
+ for (String user : vXPermObj.getUserList() ) {
+ if ( user.contains(getUserName(user))) {
+ userList.add(user);
+ }
+ }
+ }
+
+ if (vXPermObj.getGroupList() != null) {
+ for (String group : vXPermObj.getGroupList()) {
+ if ( group.contains(getGroupName(group))) {
+ groupList.add(group);
+ }
+ }
+ }
+
+ if (vXPermObj.getPermList() != null) {
+ for (String perm : vXPermObj.getPermList()) {
+ if ( AppConstants.getEnumFor_XAPermType(perm) != 0 ) {
+ if (perm.equalsIgnoreCase("Admin")) {
+ delegatedAdmin=true;
+ continue;
+ }
+ accessList.add(new RangerPolicyItemAccess(perm));
+ }
+
+
+ }
+ }
+
+ if (vXPermObj.getIpAddress() != null ) {
+ ipAddress = vXPermObj.getIpAddress();
+ }
+
+ RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem();
+
+ policyItem.setUsers(userList);
+ policyItem.setGroups(groupList);
+ policyItem.setAccesses(accessList);
+
+ if (delegatedAdmin) {
+ policyItem.setDelegateAdmin(Boolean.TRUE);
+ } else {
+ policyItem.setDelegateAdmin(Boolean.FALSE);
+ }
+
+ if(ipAddress != null && !ipAddress.isEmpty()) {
+ RangerPolicy.RangerPolicyItemCondition ipCondition = new RangerPolicy.RangerPolicyItemCondition("ipaddress", Collections.singletonList(ipAddress));
+
+ policyItem.getConditions().add(ipCondition);
+ }
+
+ ret.getPolicyItems().add(policyItem);
+ }
+ }
+
+ return ret;
+ }
+
+ private String getUserName(String userName) {
+ if(userName == null || userName.isEmpty()) {
+
+ XXUser xxUser = xaDaoMgr.getXXUser().findByUserName(userName);
+
+ if(xxUser != null) {
+ userName = xxUser.getName();
+ }
+ }
+ return userName;
+ }
+
+
+ private String getGroupName(String groupName) {
+
+ if(groupName == null || groupName.isEmpty()) {
+ XXGroup xxGroup = xaDaoMgr.getXXGroup().findByGroupName(groupName);
+
+ if(xxGroup != null) {
+ groupName = xxGroup.getName();
+ }
+ }
+ return groupName;
+ }
+
+
+ public VXPolicyList rangerPolicyListToPublic(List<RangerPolicy> rangerPolicyList) {
+
+ RangerService service = null;
+ List<VXPolicy> vXPolicyList = new ArrayList<VXPolicy>();
+
+ VXPolicyList vXPolicyListObj = new VXPolicyList();
+
+ for ( RangerPolicy policy : rangerPolicyList) {
+ try {
+ service = svcStore.getServiceByName(policy.getService());
+ } catch(Exception excp) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true);
+ }
+
+ if(service == null) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true);
+ }
+
+ VXPolicy vXPolicy = toVXPolicy(policy,service);
+
+ vXPolicyList.add(vXPolicy);
+ }
+
+ vXPolicyListObj.setVXPolicies(vXPolicyList);
+
+ return vXPolicyListObj;
+
+ }
+
+
+ public GrantRevokeRequest toGrantRevokeRequest(VXPolicy vXPolicy) {
+ String serviceType = null;
+ RangerService service = null;
+ GrantRevokeRequest ret = new GrantRevokeRequest();
+
+ if ( vXPolicy != null) {
+ String serviceName = vXPolicy.getRepositoryName();
+ try {
+ service = svcStore.getServiceByName(serviceName);
+ } catch (Exception e) {
+ LOG.error( HttpServletResponse.SC_BAD_REQUEST + "No Service Found for ServiceName:" + serviceName );
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, e.getMessage() + serviceName, true);
+ }
+
+ if ( service != null) {
+ serviceType = service.getType();
+ } else {
+ LOG.error( HttpServletResponse.SC_BAD_REQUEST + "No Service Found for ServiceName" + serviceName );
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "No Service Found for ServiceName" + serviceName, true);
+ }
+
+ if (vXPolicy.getGrantor() != null) {
+ ret.setGrantor(vXPolicy.getGrantor());
+ }
+ ret.setEnableAudit(Boolean.TRUE);
+
+ ret.setIsRecursive(Boolean.FALSE);
+
+ ret.setReplaceExistingPermissions(toBooleanReplacePerm(vXPolicy.isReplacePerm()));
+
+ int assertType = toAssetType(serviceType);
+
+ if (assertType == RangerCommonEnums.ASSET_HIVE) {
+
+ String database = StringUtils.isEmpty(vXPolicy.getDatabases()) ? "*" : vXPolicy.getDatabases();
+ String table = getTableOrUdf(vXPolicy);
+ String column = StringUtils.isEmpty(vXPolicy.getColumns()) ? "*" : vXPolicy.getColumns();
+
+ Map<String, String> mapResource = new HashMap<String, String>();
+ mapResource.put("database", database);
+ mapResource.put("table", table);
+ mapResource.put("column", column);
+ ret.setResource(mapResource);
+ }
+ else if ( assertType == RangerCommonEnums.ASSET_HBASE) {
+
+ String tableName = vXPolicy.getTables();
+ tableName = StringUtil.isEmpty(tableName) ? "*" : tableName;
+
+ String colFamily = vXPolicy.getColumnFamilies();
+ colFamily = StringUtil.isEmpty(colFamily) ? "*": colFamily;
+
+ String qualifier = vXPolicy.getColumns();
+ qualifier = StringUtil.isEmpty(qualifier) ? "*" : qualifier;
+
+ Map<String, String> mapResource = new HashMap<String, String>();
+ mapResource.put("table", tableName);
+ mapResource.put("column-family", colFamily);
+ mapResource.put("column", qualifier);
+
+ }
+
+ List<VXPermObj> vXPermObjList = vXPolicy.getPermMapList();
+
+ if (vXPermObjList != null) {
+ for(VXPermObj vXPermObj : vXPermObjList ) {
+ boolean delegatedAdmin = false;
+ String ipAddress = null;
+
+ if (vXPermObj.getUserList() != null ) {
+ for (String user : vXPermObj.getUserList() ) {
+ if ( user.contains(getUserName(user))) {
+ ret.getUsers().add(user);
+ }
+ }
+ }
+
+ if (vXPermObj.getGroupList() != null) {
+ for (String group : vXPermObj.getGroupList()) {
+ if ( group.contains(getGroupName(group))) {
+ ret.getGroups().add(group);
+ }
+ }
+ }
+
+ if(vXPermObj.getPermList() != null) {
+ for (String perm : vXPermObj.getPermList()) {
+ if ( AppConstants.getEnumFor_XAPermType(perm) != 0 ) {
+ if (perm.equalsIgnoreCase("Admin")) {
+ delegatedAdmin=true;
+ continue;
+ }
+ ret.getAccessTypes().add(perm);
+ }
+ }
+ }
+
+ if (vXPermObj.getIpAddress() != null) {
+ ipAddress = vXPermObj.getIpAddress();
+ }
+
+ if (delegatedAdmin) {
+ ret.setDelegateAdmin(Boolean.TRUE);
+ } else {
+ ret.setDelegateAdmin(Boolean.FALSE);
+ }
+ }
+
+ }
+ }
+ return ret;
+
+ }
+
+ private String getTableOrUdf(VXPolicy vXPolicy) {
+ String ret = null;
+ String table = vXPolicy.getTables();
+ String udf = vXPolicy.getUdfs();
+
+ if (!StringUtils.isEmpty(table)) {
+ ret = table;
+ } else if (!StringUtils.isEmpty(udf)) {
+ ret = udf;
+ }
+ return ret;
+ }
+
+
+ public boolean isValidateHttpsAuthentication( String serviceName, HttpServletRequest request) {
+
+ boolean isValidAuthentication=false;
+ boolean httpEnabled = PropertiesUtil.getBooleanProperty("http.enabled",true);
+ X509Certificate[] certchain = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
+ String ipAddress = request.getHeader("X-FORWARDED-FOR");
+ if (ipAddress == null) {
+ ipAddress = request.getRemoteAddr();
+ }
+ boolean isSecure = request.isSecure();
+
+ if (serviceName == null || serviceName.isEmpty()) {
+ LOG.error("ServiceName not provided");
+ throw restErrorUtil.createRESTException("Unauthorized access.",
+ MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
+ }
+
+ RangerService service = null;
+ try {
+ service = svcStore.getServiceByName(serviceName);
+ } catch (Exception e) {
+ LOG.error("Requested Service not found");
+ throw restErrorUtil.createRESTException("Serivce:" + serviceName + " not found",
+ MessageEnums.DATA_NOT_FOUND);
+ }
+ if(service==null){
+ LOG.error("Requested Service not found");
+ throw restErrorUtil.createRESTException("No Data Found.",
+ MessageEnums.DATA_NOT_FOUND);
+ }
+ if(!service.getIsEnabled()){
+ LOG.error("Requested Service is disabled");
+ throw restErrorUtil.createRESTException("Unauthorized access.",
+ MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
+ }
+ if (!httpEnabled) {
+ if (!isSecure) {
+ throw restErrorUtil.createRESTException("Unauthorized access -"
+ + " only https allowed",
+ MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
+ }
+ if (certchain == null || certchain.length == 0) {
+ throw restErrorUtil.createRESTException("Unauthorized access -"
+ + " unable to get client certificate",
+ MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
+ }
+ }
+ String commonName = null;
+ if (certchain != null) {
+ X509Certificate clientCert = certchain[0];
+ String dn = clientCert.getSubjectX500Principal().getName();
+ try {
+ LdapName ln = new LdapName(dn);
+ for (Rdn rdn : ln.getRdns()) {
+ if (rdn.getType().equalsIgnoreCase("CN")) {
+ commonName = rdn.getValue() + "";
+ break;
+ }
+ }
+ if (commonName == null) {
+ throw restErrorUtil.createRESTException(
+ "Unauthorized access - Unable to find Common Name from ["
+ + dn + "]",
+ MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
+ }
+ } catch (InvalidNameException e) {
+ LOG.error("Invalid Common Name.", e);
+ throw restErrorUtil.createRESTException(
+ "Unauthorized access - Invalid Common Name",
+ MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
+ }
+ }
+ if (commonName != null) {
+
+ Map<String, String> configMap = service.getConfigs();
+ String cnFromConfig = configMap.get("commonNameForCertificate");
+ if (cnFromConfig == null
+ || !commonName.equalsIgnoreCase(cnFromConfig)) {
+ throw restErrorUtil.createRESTException(
+ "Unauthorized access. expected [" + cnFromConfig
+ + "], found [" + commonName + "]",
+ MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
+ }
+ }
+ isValidAuthentication=true;
+ return isValidAuthentication;
+ }
+
+ private Boolean toBooleanReplacePerm(boolean isReplacePermission) {
+
+ Boolean ret;
+
+ if (isReplacePermission) {
+ ret = Boolean.TRUE;
+ } else {
+ ret = Boolean.FALSE;
+ }
+ return ret;
+ }
}
+
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e97c99d8/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
index 753a3bf..462671a 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
@@ -25,6 +25,7 @@ import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.DELETE;
import javax.ws.rs.Encoded;
import javax.ws.rs.GET;
@@ -38,6 +39,7 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.apache.log4j.Logger;
+import org.apache.ranger.admin.client.datatype.RESTResponse;
import org.apache.ranger.biz.AssetMgr;
import org.apache.ranger.biz.RangerBizUtil;
import org.apache.ranger.common.PropertiesUtil;
@@ -48,6 +50,7 @@ import org.apache.ranger.common.ServiceUtil;
import org.apache.ranger.common.StringUtil;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerService;
+import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.common.annotation.RangerAnnotationClassName;
import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName;
import org.apache.ranger.service.AbstractBaseResourceService;
@@ -625,28 +628,32 @@ public class AssetREST {
@Path("/resources/grant")
@Produces({ "application/xml", "application/json" })
public VXPolicy grantPermission(@Context HttpServletRequest request,VXPolicy vXPolicy) {
- boolean httpEnabled = PropertiesUtil.getBooleanProperty("http.enabled",true);
- X509Certificate[] certchain = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
- String ipAddress = request.getHeader("X-FORWARDED-FOR");
- if (ipAddress == null) {
- ipAddress = request.getRemoteAddr();
+
+ RESTResponse ret = null;
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("==> AssetREST.grantPermission(" + vXPolicy + ")");
}
- boolean isSecure = request.isSecure();
- String repository=null;
- if(vXPolicy!=null){
- repository=vXPolicy.getRepositoryName();
- vXPolicy.setOwner(vXPolicy.getGrantor());
- vXPolicy.setUpdatedBy(vXPolicy.getGrantor());
- }
- boolean isValidAuthentication=assetMgr.isValidHttpsAuthentication(repository,certchain,httpEnabled,ipAddress,isSecure);
- if(isValidAuthentication){
- VXResource vXResource = xPolicyService.mapPublicToXAObject(vXPolicy,AbstractBaseResourceService.OPERATION_CREATE_CONTEXT);
- vXResource=assetMgr.grantXResource(vXResource,vXPolicy);
- vXResource.setPermMapList(xPolicyService.updatePermGroup(vXResource));
- xResourceService.updateResource(vXResource);
- vXPolicy=xPolicyService.mapXAToPublicObject(vXResource);
- vXPolicy.syncResponseWithJsonRequest();
+
+ if ( vXPolicy != null) {
+ String serviceName = vXPolicy.getRepositoryName();
+ GrantRevokeRequest grantRevokeRequest = serviceUtil.toGrantRevokeRequest(vXPolicy);
+ try {
+ ret = serviceREST.grantAccess(serviceName, grantRevokeRequest, request);
+ } catch (Exception e) {
+ logger.error( HttpServletResponse.SC_BAD_REQUEST + "Grant Access Failed for the request " + vXPolicy );
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Grant Access Failed for the request " + e.getMessage(), true);
+ }
+ } else {
+ logger.error( HttpServletResponse.SC_BAD_REQUEST + "Bad Request parameter " + vXPolicy );
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Bad Request parameter " , true);
+ }
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("<== AssetREST.grantPermission(" + ret + ")");
}
+
+ // TO DO Current Grant REST doesn't return a policy so returning a null value. Has to be replace with VXpolicy.
return vXPolicy;
}
@@ -654,27 +661,29 @@ public class AssetREST {
@Path("/resources/revoke")
@Produces({ "application/xml", "application/json" })
public VXPolicy revokePermission(@Context HttpServletRequest request,VXPolicy vXPolicy) {
- boolean httpEnabled = PropertiesUtil.getBooleanProperty("http.enabled",true);
- X509Certificate[] certchain = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
- String ipAddress = request.getHeader("X-FORWARDED-FOR");
- if (ipAddress == null) {
- ipAddress = request.getRemoteAddr();
+
+ RESTResponse ret = null;
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("==> AssetREST.revokePermission(" + vXPolicy + ")");
}
- boolean isSecure = request.isSecure();
- String repository=null;
- if(vXPolicy!=null){
- repository=vXPolicy.getRepositoryName();
- vXPolicy.setOwner(vXPolicy.getGrantor());
- vXPolicy.setUpdatedBy(vXPolicy.getGrantor());
- }
- boolean isValidAuthentication=assetMgr.isValidHttpsAuthentication(repository,certchain,httpEnabled,ipAddress,isSecure);
- if(isValidAuthentication){
- VXResource vXResource = xPolicyService.mapPublicToXAObject(vXPolicy,AbstractBaseResourceService.OPERATION_CREATE_CONTEXT);
- vXResource=assetMgr.revokeXResource(vXResource);
- vXResource.setPermMapList(xPolicyService.updatePermGroup(vXResource));
- xResourceService.updateResource(vXResource);
- vXPolicy=xPolicyService.mapXAToPublicObject(vXResource);
- vXPolicy.syncResponseWithJsonRequest();
+
+ if ( vXPolicy != null) {
+ String serviceName = vXPolicy.getRepositoryName();
+ GrantRevokeRequest grantRevokeRequest = serviceUtil.toGrantRevokeRequest(vXPolicy);
+ try {
+ ret = serviceREST.revokeAccess(serviceName, grantRevokeRequest, request);
+ } catch (Exception e) {
+ logger.error( HttpServletResponse.SC_BAD_REQUEST + "Revoke Access Failed for the request " + vXPolicy );
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Grant Access Failed for the request " + e.getMessage(), true);
+ }
+ } else {
+ logger.error( HttpServletResponse.SC_BAD_REQUEST + "Bad Request parameter " + vXPolicy );
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Bad Request parameter " , true);
+ }
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("<== AssetREST.revokePermission(" + ret + ")");
}
return vXPolicy;
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e97c99d8/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java
index 0a62f8e..082b2f8 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java
@@ -34,31 +34,29 @@ import javax.ws.rs.core.Context;
import org.apache.log4j.Logger;
import org.apache.ranger.biz.AssetMgr;
-import org.apache.ranger.common.AppConstants;
-import org.apache.ranger.common.MessageEnums;
+import org.apache.ranger.biz.ServiceDBStore;
import org.apache.ranger.common.RESTErrorUtil;
-import org.apache.ranger.common.RangerCommonEnums;
import org.apache.ranger.common.RangerConstants;
import org.apache.ranger.common.RangerSearchUtil;
import org.apache.ranger.common.SearchCriteria;
+import org.apache.ranger.common.ServiceUtil;
import org.apache.ranger.common.StringUtil;
import org.apache.ranger.common.annotation.RangerAnnotationClassName;
import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName;
import org.apache.ranger.db.RangerDaoManager;
-import org.apache.ranger.service.AbstractBaseResourceService;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.service.XAssetService;
import org.apache.ranger.service.XPolicyService;
import org.apache.ranger.service.XRepositoryService;
import org.apache.ranger.service.XResourceService;
import org.apache.ranger.view.VXAsset;
-import org.apache.ranger.view.VXAssetList;
import org.apache.ranger.view.VXLong;
import org.apache.ranger.view.VXPolicy;
import org.apache.ranger.view.VXPolicyList;
import org.apache.ranger.view.VXRepository;
import org.apache.ranger.view.VXRepositoryList;
import org.apache.ranger.view.VXResource;
-import org.apache.ranger.view.VXResourceList;
import org.apache.ranger.view.VXResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Scope;
@@ -101,35 +99,97 @@ public class PublicAPIs {
@Autowired
RangerDaoManager xaDaoMgr;
+
+ @Autowired
+ ServiceUtil serviceUtil;
+
+ @Autowired
+ ServiceREST serviceREST;
+
+ @Autowired
+ AssetREST assetREST;
+ @Autowired
+ ServiceDBStore svcStore;
+
+
@GET
@Path("/api/repository/{id}")
@Produces({ "application/json", "application/xml" })
public VXRepository getRepository(@PathParam("id") Long id) {
- VXAsset vXAsset = assetMgr.getXAsset(id);
- return xRepositoryService.mapXAToPublicObject(vXAsset);
- }
+ if(logger.isDebugEnabled()) {
+ logger.debug("==> PublicAPIs.getRepository(" + id + ")");
+ }
+
+ RangerService service = serviceREST.getService(id);
+
+ VXRepository ret = serviceUtil.toVXRepository(service);
+ if(logger.isDebugEnabled()) {
+ logger.debug("<= PublicAPIs.getRepository(" + id + ")");
+ }
+ return ret;
+ }
+
+
@POST
@Path("/api/repository/")
@Produces({ "application/json", "application/xml" })
public VXRepository createRepository(VXRepository vXRepository) {
- VXAsset vXAsset = xRepositoryService.mapPublicToXAObject(vXRepository);
- vXAsset = assetMgr.createXAsset(vXAsset);
- return xRepositoryService.mapXAToPublicObject(vXAsset);
+ if(logger.isDebugEnabled()) {
+ logger.debug("==> PublicAPIs.createRepository(" + vXRepository + ")");
+ }
+
+ VXAsset vXAsset = serviceUtil.publicObjecttoVXAsset(vXRepository);
+
+ RangerService service = serviceUtil.toRangerService(vXAsset);
+
+ RangerService createdService = serviceREST.createService(service);
+
+ VXAsset retvXAsset = serviceUtil.toVXAsset(createdService);
+
+ VXRepository ret = serviceUtil.vXAssetToPublicObject(retvXAsset);
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("<== PublicAPIs.createRepository(" + ret + ")");
+ }
+
+ return ret;
}
+
@PUT
@Path("/api/repository/{id}")
@Produces({ "application/json", "application/xml" })
public VXRepository updateRepository(VXRepository vXRepository,
@PathParam("id") Long id) {
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("==> PublicAPIs.updateRepository(" + id + ")");
+ }
+
vXRepository.setId(id);
- VXAsset vXAsset = xRepositoryService.mapPublicToXAObject(vXRepository);
- vXAsset = assetMgr.updateXAsset(vXAsset);
- return xRepositoryService.mapXAToPublicObject(vXAsset);
+
+ VXAsset vXAsset = serviceUtil.publicObjecttoVXAsset(vXRepository);
+
+ RangerService service = serviceUtil.toRangerService(vXAsset);
+
+ RangerService updatedService = serviceREST.updateService(service);
+
+ VXAsset retvXAsset = serviceUtil.toVXAsset(updatedService);
+
+ VXRepository ret = serviceUtil.vXAssetToPublicObject(retvXAsset);
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("<== PublicAPIs.updateRepository(" + ret + ")");
+ }
+
+ return ret;
}
+
+
+
@DELETE
@Path("/api/repository/{id}")
@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
@@ -137,27 +197,53 @@ public class PublicAPIs {
public void deleteRepository(@PathParam("id") Long id,
@Context HttpServletRequest request) {
+ if(logger.isDebugEnabled()) {
+ logger.debug("==> PublicAPIs.deleteRepository(" + id + ")");
+ }
+
String forceStr = request.getParameter("force");
boolean force = true;
if (!stringUtil.isEmpty(forceStr)) {
force = Boolean.parseBoolean(forceStr.trim());
}
- assetMgr.deleteXAsset(id, force);
+
+ serviceREST.deleteService(id);
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("<== PublicAPIs.deleteRepository(" + id + ")");
+ }
}
+
- // @POST
+ /*// @POST
// @Path("/api/repository/testConfig")
// @Produces({ "application/xml", "application/json" })
public VXResponse testConfig(VXRepository vXRepository) {
VXAsset vXAsset = xRepositoryService.mapPublicToXAObject(vXRepository);
return assetMgr.testConfig(vXAsset);
+ }*/
+
+
+ // @POST
+ // @Path("/api/repository/testConfig")
+ // @Produces({ "application/xml", "application/json" })
+ public VXResponse testConfig(VXRepository vXRepository) {
+ VXAsset vXAsset = serviceUtil.publicObjecttoVXAsset(vXRepository);
+ return serviceREST.validateConfig(serviceUtil.toRangerService(vXAsset));
}
-
+
+
+
@GET
@Path("/api/repository/")
@Produces({ "application/json", "application/xml" })
public VXRepositoryList searchRepositories(
@Context HttpServletRequest request) {
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("==> PublicAPIs.searchRepositories()");
+ }
+
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xAssetService.sortFields);
searchUtil.extractString(request, searchCriteria, "name",
@@ -167,58 +253,129 @@ public class PublicAPIs {
searchUtil.extractString(request, searchCriteria, "type",
"Repository Type", null);
- searchCriteria = xRepositoryService.getMappedSearchParams(request,
+ searchCriteria = serviceUtil.getMappedSearchParams(request,
searchCriteria);
- VXAssetList vXAssetList = assetMgr.searchXAssets(searchCriteria);
-
- return xRepositoryService.mapToVXRepositoryList(vXAssetList);
+ List<RangerService> serviceList = serviceREST.getServices(request);
+
+ VXRepositoryList ret = serviceUtil.rangerServiceListToPublicObjectList(serviceList);
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("<== PublicAPIs.searchRepositories(): count=" + (ret == null ? 0 : ret.getListSize()));
+ }
+
+ return ret;
}
+
@GET
@Path("/api/repository/count")
@Produces({ "application/json", "application/xml" })
public VXLong countRepositories(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xAssetService.sortFields);
-
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("==> PublicAPIs.countRepositories()");
+ }
+
ArrayList<Integer> valueList = new ArrayList<Integer>();
valueList.add(RangerConstants.STATUS_DISABLED);
valueList.add(RangerConstants.STATUS_ENABLED);
searchCriteria.addParam("status", valueList);
+
+ VXLong ret = new VXLong();
+
+ ret.setValue(serviceREST.countServices(request));
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("<== PublicAPIs.countRepositories(): count=" + ret);
+ }
+
+ return ret;
+ }
+
- return assetMgr.getXAssetSearchCount(searchCriteria);
- }
-
+
@GET
@Path("/api/policy/{id}")
@Produces({ "application/json", "application/xml" })
public VXPolicy getPolicy(@PathParam("id") Long id) {
- VXResource vXResource = assetMgr.getXResource(id);
- return xPolicyService.mapXAToPublicObject(vXResource);
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("==> PublicAPIs.getPolicy() " + id);
+ }
+
+ RangerPolicy policy = null;
+ RangerService service = null;
+
+ policy = serviceREST.getPolicy(id);
+
+ if(policy != null) {
+ service = serviceREST.getServiceByName(policy.getService());
+ }
+
+ VXPolicy ret = serviceUtil.toVXPolicy(policy, service);
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("<== PublicAPIs.getPolicy()" + ret);
+ }
+
+ return ret;
}
+
@POST
@Path("/api/policy")
@Produces({ "application/json", "application/xml" })
public VXPolicy createPolicy(VXPolicy vXPolicy) {
- VXResource vXResource = xPolicyService.mapPublicToXAObject(vXPolicy,
- AbstractBaseResourceService.OPERATION_CREATE_CONTEXT);
- vXResource = assetMgr.createXResource(vXResource);
- vXResource.setPermMapList(xPolicyService.updatePermGroup(vXResource));
- return xPolicyService.mapXAToPublicObject(vXResource);
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("==> PublicAPIs.createPolicy()");
+ }
+
+ RangerService service = serviceREST.getServiceByName(vXPolicy.getRepositoryName());
+
+ RangerPolicy policy = serviceUtil.toRangerPolicy(vXPolicy,service);
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("RANGERPOLICY: " + policy.toString());
+ }
+
+ RangerPolicy createdPolicy = serviceREST.createPolicy(policy);
+ VXPolicy ret = serviceUtil.toVXPolicy(createdPolicy, service);
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("<== PublicAPIs.createPolicy(" + policy + "): " + ret);
+ }
+
+ return ret;
}
@PUT
@Path("/api/policy/{id}")
@Produces({ "application/json", "application/xml" })
public VXPolicy updatePolicy(VXPolicy vXPolicy, @PathParam("id") Long id) {
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("==> PublicAPIs.updatePolicy(): " + vXPolicy );
+ }
+
vXPolicy.setId(id);
- VXResource vXResource = xPolicyService.mapPublicToXAObject(vXPolicy,
- AbstractBaseResourceService.OPERATION_UPDATE_CONTEXT);
- vXResource = assetMgr.updateXResource(vXResource);
- vXResource.setPermMapList(xPolicyService.updatePermGroup(vXResource));
- return xPolicyService.mapXAToPublicObject(vXResource);
+
+ RangerService service = serviceREST.getServiceByName(vXPolicy.getRepositoryName());
+
+ RangerPolicy policy = serviceUtil.toRangerPolicy(vXPolicy,service);
+
+ RangerPolicy updatedPolicy = serviceREST.createPolicy(policy);
+
+ VXPolicy ret = serviceUtil.toVXPolicy(updatedPolicy, service);
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("<== AssetREST.updatePolicy(" + policy + "): " + ret);
+ }
+
+ return ret;
}
@DELETE
@@ -227,92 +384,57 @@ public class PublicAPIs {
@RangerAnnotationClassName(class_name = VXResource.class)
public void deletePolicy(@PathParam("id") Long id,
@Context HttpServletRequest request) {
- String forceStr = request.getParameter("force");
- boolean force = true;
- if (!stringUtil.isEmpty(forceStr)) {
- force = Boolean.parseBoolean(forceStr.trim());
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("==> PublicAPIs.deletePolicy(): " + id );
+ }
+
+ serviceREST.deletePolicy(id);
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("<== PublicAPIs.deletePolicy(): " + id );
}
- assetMgr.deleteXResource(id, force);
}
@GET
@Path("/api/policy")
@Produces({ "application/json", "application/xml" })
public VXPolicyList searchPolicies(@Context HttpServletRequest request) {
- SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
- request, xResourceService.sortFields);
-
- String resourceName = request.getParameter("resourceName");
- if (!stringUtil.isEmpty(resourceName)) {
- searchCriteria.getParamList().put("name", resourceName);
- }
- searchUtil.extractString(request, searchCriteria, "policyName",
- "Policy name", StringUtil.VALIDATION_TEXT);
- searchUtil.extractString(request, searchCriteria, "columns",
- "Column name", StringUtil.VALIDATION_TEXT);
- searchUtil.extractString(request, searchCriteria, "columnFamilies",
- "Column Family", StringUtil.VALIDATION_TEXT);
- searchUtil.extractString(request, searchCriteria, "tables", "Tables",
- StringUtil.VALIDATION_TEXT);
- searchUtil.extractString(request, searchCriteria, "udfs", "UDFs",
- StringUtil.VALIDATION_TEXT);
- searchUtil.extractString(request, searchCriteria, "databases",
- "Databases", StringUtil.VALIDATION_TEXT);
- searchUtil.extractString(request, searchCriteria, "groupName",
- "Group Name", StringUtil.VALIDATION_TEXT);
-
- String repositoryType = request.getParameter("repositoryType");
- if (!stringUtil.isEmpty(repositoryType)) {
- searchCriteria.getParamList().put("assetType",
- AppConstants.getEnumFor_AssetType(repositoryType));
- }
-
- String isRec = request.getParameter("isRecursive");
- if (isRec != null) {
- boolean isRecursiveBool = restErrorUtil.parseBoolean(isRec,
- "Invalid value for " + "isRecursive",
- MessageEnums.INVALID_INPUT_DATA, null, "isRecursive");
- int isRecursive = (isRecursiveBool == true) ? RangerConstants.BOOL_TRUE
- : RangerConstants.BOOL_FALSE;
- searchCriteria.getParamList().put("isRecursive", isRecursive);
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("==> PublicAPIs.searchPolicies(): ");
}
-
- searchUtil.extractString(request, searchCriteria, "userName",
- "User Name", StringUtil.VALIDATION_TEXT);
- searchUtil.extractString(request, searchCriteria, "repositoryName",
- "Repository Name", StringUtil.VALIDATION_TEXT);
-
- String resStatus = request.getParameter("isEnabled");
- List<Integer> resList = new ArrayList<Integer>();
- if (stringUtil.isEmpty(resStatus)) {
- resList.add(RangerCommonEnums.STATUS_ENABLED);
- resList.add(RangerCommonEnums.STATUS_DISABLED);
- } else {
- boolean policyStatus = restErrorUtil.parseBoolean(resStatus,
- "Invalid value for " + "isEnabled",
- MessageEnums.INVALID_INPUT_DATA, null, "isEnabled");
- int policyStat = (policyStatus) ? RangerCommonEnums.STATUS_ENABLED
- : RangerCommonEnums.STATUS_DISABLED;
- resList.add(policyStat);
+
+ List<RangerPolicy> rangerPolicyList = serviceREST.getPolicies(request);
+
+ VXPolicyList vXPolicyList = serviceUtil.rangerPolicyListToPublic(rangerPolicyList);
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("<== PublicAPIs.searchPolicies(): " + vXPolicyList );
}
- searchCriteria.getParamList().put("resourceStatus", resList);
- searchCriteria.setDistinct(true);
-
- VXResourceList vXResourceList = assetMgr
- .searchXResources(searchCriteria);
- return xPolicyService.mapToVXPolicyList(vXResourceList);
+ return vXPolicyList;
}
@GET
@Path("/api/policy/count")
@Produces({ "application/xml", "application/json" })
public VXLong countPolicies(@Context HttpServletRequest request) {
- SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
- request, xResourceService.sortFields);
-
-
- return assetMgr.getXResourceSearchCount(searchCriteria);
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("==> PublicAPIs.countPolicies(): ");
+ }
+
+ Long policyCount = serviceREST.countPolicies(request);
+
+ VXLong vXlong = new VXLong();
+ vXlong.setValue(policyCount);
+
+ if(logger.isDebugEnabled()) {
+ logger.debug("<== PublicAPIs.countPolicies(): " + request );
+ }
+
+ return vXlong;
}
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e97c99d8/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index fc2178f..821562f 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -72,7 +72,10 @@ import org.apache.ranger.admin.client.datatype.RESTResponse;
import org.apache.ranger.biz.AssetMgr;
import org.apache.ranger.biz.ServiceMgr;
import org.apache.ranger.biz.ServiceDBStore;
+import org.apache.ranger.common.MessageEnums;
+import org.apache.ranger.common.PropertiesUtil;
import org.apache.ranger.common.RESTErrorUtil;
+import org.apache.ranger.common.ServiceUtil;
import org.apache.ranger.entity.XXPolicyExportAudit;
@@ -95,6 +98,9 @@ public class ServiceREST {
@Autowired
ServiceDBStore svcStore;
+ @Autowired
+ ServiceUtil serviceUtil;
+
// this indirection for validation via a factory exists only for testability
// TODO move the instantiation to DI framework?
RangerValidatorFactory validatorFactory = new RangerValidatorFactory();
@@ -515,168 +521,171 @@ public class ServiceREST {
}
RESTResponse ret = new RESTResponse();
+
+ if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) {
- try {
- String userName = grantRequest.getGrantor();
- Set<String> userGroups = Collections.<String>emptySet(); // TODO: get groups for the grantor from Ranger database
- RangerResource resource = new RangerResourceImpl(grantRequest.getResource());
-
- boolean isAdmin = isAdminForResource(userName, userGroups, serviceName, resource);
-
- if(!isAdmin) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "", true);
- }
-
- RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource);
+ try {
+ String userName = grantRequest.getGrantor();
+ Set<String> userGroups = Collections.<String>emptySet(); // TODO: get groups for the grantor from Ranger database
+ RangerResource resource = new RangerResourceImpl(grantRequest.getResource());
- if(policy != null) {
- boolean policyUpdated = false;
-
- // replace all existing privileges for users and groups
- if(grantRequest.getReplaceExistingPermissions()) {
- List<RangerPolicyItem> policyItems = policy.getPolicyItems();
-
- int numOfItems = policyItems.size();
+ boolean isAdmin = isAdminForResource(userName, userGroups, serviceName, resource);
- for(int i = 0; i < numOfItems; i++) {
- RangerPolicyItem policyItem = policyItems.get(i);
+ if(!isAdmin) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "", true);
+ }
- if(CollectionUtils.containsAny(policyItem.getUsers(), grantRequest.getUsers())) {
- policyItem.getUsers().removeAll(grantRequest.getUsers());
-
- policyUpdated = true;
- }
-
- if(CollectionUtils.containsAny(policyItem.getGroups(), grantRequest.getGroups())) {
- policyItem.getGroups().removeAll(grantRequest.getGroups());
-
- policyUpdated = true;
+ RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource);
+
+ if(policy != null) {
+ boolean policyUpdated = false;
+
+ // replace all existing privileges for users and groups
+ if(grantRequest.getReplaceExistingPermissions()) {
+ List<RangerPolicyItem> policyItems = policy.getPolicyItems();
+
+ int numOfItems = policyItems.size();
+
+ for(int i = 0; i < numOfItems; i++) {
+ RangerPolicyItem policyItem = policyItems.get(i);
+
+ if(CollectionUtils.containsAny(policyItem.getUsers(), grantRequest.getUsers())) {
+ policyItem.getUsers().removeAll(grantRequest.getUsers());
+
+ policyUpdated = true;
+ }
+
+ if(CollectionUtils.containsAny(policyItem.getGroups(), grantRequest.getGroups())) {
+ policyItem.getGroups().removeAll(grantRequest.getGroups());
+
+ policyUpdated = true;
+ }
+
+ if(CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) {
+ policyItems.remove(i);
+ numOfItems--;
+ i--;
+
+ policyUpdated = true;
+ }
}
-
- if(CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) {
- policyItems.remove(i);
- numOfItems--;
- i--;
-
+
+ if(compactPolicy(policy)) {
policyUpdated = true;
}
}
-
- if(compactPolicy(policy)) {
- policyUpdated = true;
- }
- }
-
- for(String user : grantRequest.getUsers()) {
- RangerPolicyItem policyItem = getPolicyItemForUser(policy, user);
-
- if(policyItem != null) {
- if(addAccesses(policyItem, grantRequest.getAccessTypes())) {
- policyUpdated = true;
- }
- } else {
- policyItem = new RangerPolicyItem();
+
+ for(String user : grantRequest.getUsers()) {
+ RangerPolicyItem policyItem = getPolicyItemForUser(policy, user);
- policyItem.getUsers().add(user);
- addAccesses(policyItem, grantRequest.getAccessTypes());
- policy.getPolicyItems().add(policyItem);
-
- policyUpdated = true;
- }
-
- if(grantRequest.getDelegateAdmin()) {
- if(!policyItem.getDelegateAdmin()) {
- policyItem.setDelegateAdmin(Boolean.TRUE);
+ if(policyItem != null) {
+ if(addAccesses(policyItem, grantRequest.getAccessTypes())) {
+ policyUpdated = true;
+ }
+ } else {
+ policyItem = new RangerPolicyItem();
+
+ policyItem.getUsers().add(user);
+ addAccesses(policyItem, grantRequest.getAccessTypes());
+ policy.getPolicyItems().add(policyItem);
policyUpdated = true;
}
- }
- }
-
- for(String group : grantRequest.getGroups()) {
- RangerPolicyItem policyItem = getPolicyItemForGroup(policy, group);
-
- if(policyItem != null) {
- if(addAccesses(policyItem, grantRequest.getAccessTypes())) {
- policyUpdated = true;
+
+ if(grantRequest.getDelegateAdmin()) {
+ if(!policyItem.getDelegateAdmin()) {
+ policyItem.setDelegateAdmin(Boolean.TRUE);
+
+ policyUpdated = true;
+ }
}
- } else {
- policyItem = new RangerPolicyItem();
-
- policyItem.getGroups().add(group);
- addAccesses(policyItem, grantRequest.getAccessTypes());
- policy.getPolicyItems().add(policyItem);
-
- policyUpdated = true;
}
-
- if(grantRequest.getDelegateAdmin()) {
- if(!policyItem.getDelegateAdmin()) {
- policyItem.setDelegateAdmin(Boolean.TRUE);
+
+ for(String group : grantRequest.getGroups()) {
+ RangerPolicyItem policyItem = getPolicyItemForGroup(policy, group);
+
+ if(policyItem != null) {
+ if(addAccesses(policyItem, grantRequest.getAccessTypes())) {
+ policyUpdated = true;
+ }
+ } else {
+ policyItem = new RangerPolicyItem();
+
+ policyItem.getGroups().add(group);
+ addAccesses(policyItem, grantRequest.getAccessTypes());
+ policy.getPolicyItems().add(policyItem);
policyUpdated = true;
}
- }
- }
-
- if(policyUpdated) {
- updatePolicy(policy);
- }
- } else {
- policy = new RangerPolicy();
- policy.setService(serviceName);
- policy.setName("grant-" + System.currentTimeMillis()); // TODO: better policy name
- policy.setDescription("created by grant");
- policy.setIsAuditEnabled(grantRequest.getEnableAudit());
- policy.setCreatedBy(userName);
- Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>();
- Set<String> resourceNames = resource.getKeys();
-
- if(! CollectionUtils.isEmpty(resourceNames)) {
- for(String resourceName : resourceNames) {
- RangerPolicyResource policyResource = new RangerPolicyResource(resource.getValue(resourceName));
- policyResource.setIsRecursive(grantRequest.getIsRecursive());
-
- policyResources.put(resourceName, policyResource);
+ if(grantRequest.getDelegateAdmin()) {
+ if(!policyItem.getDelegateAdmin()) {
+ policyItem.setDelegateAdmin(Boolean.TRUE);
+
+ policyUpdated = true;
+ }
+ }
}
- }
- policy.setResources(policyResources);
- for(String user : grantRequest.getUsers()) {
- RangerPolicyItem policyItem = new RangerPolicyItem();
+ if(policyUpdated) {
+ updatePolicy(policy);
+ }
+ } else {
+ policy = new RangerPolicy();
+ policy.setService(serviceName);
+ policy.setName("grant-" + System.currentTimeMillis()); // TODO: better policy name
+ policy.setDescription("created by grant");
+ policy.setIsAuditEnabled(grantRequest.getEnableAudit());
+ policy.setCreatedBy(userName);
+
+ Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>();
+ Set<String> resourceNames = resource.getKeys();
- policyItem.getUsers().add(user);
- for(String accessType : grantRequest.getAccessTypes()) {
- policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE));
+ if(! CollectionUtils.isEmpty(resourceNames)) {
+ for(String resourceName : resourceNames) {
+ RangerPolicyResource policyResource = new RangerPolicyResource(resource.getValue(resourceName));
+ policyResource.setIsRecursive(grantRequest.getIsRecursive());
+
+ policyResources.put(resourceName, policyResource);
+ }
}
- policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin());
- policy.getPolicyItems().add(policyItem);
- }
-
- for(String group : grantRequest.getGroups()) {
- RangerPolicyItem policyItem = new RangerPolicyItem();
+ policy.setResources(policyResources);
- policyItem.getGroups().add(group);
- for(String accessType : grantRequest.getAccessTypes()) {
- policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE));
+ for(String user : grantRequest.getUsers()) {
+ RangerPolicyItem policyItem = new RangerPolicyItem();
+
+ policyItem.getUsers().add(user);
+ for(String accessType : grantRequest.getAccessTypes()) {
+ policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE));
+ }
+ policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin());
+ policy.getPolicyItems().add(policyItem);
+ }
+
+ for(String group : grantRequest.getGroups()) {
+ RangerPolicyItem policyItem = new RangerPolicyItem();
+
+ policyItem.getGroups().add(group);
+ for(String accessType : grantRequest.getAccessTypes()) {
+ policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE));
+ }
+ policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin());
+ policy.getPolicyItems().add(policyItem);
}
- policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin());
- policy.getPolicyItems().add(policyItem);
+
+ createPolicy(policy);
}
+ } catch(WebApplicationException excp) {
+ throw excp;
+ } catch(Exception excp) {
+ LOG.error("grantAccess(" + serviceName + ", " + grantRequest + ") failed", excp);
- createPolicy(policy);
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true);
}
- } catch(WebApplicationException excp) {
- throw excp;
- } catch(Exception excp) {
- LOG.error("grantAccess(" + serviceName + ", " + grantRequest + ") failed", excp);
-
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true);
+
+ ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
}
- ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
-
if(LOG.isDebugEnabled()) {
LOG.debug("<== ServiceREST.grantAccess(" + serviceName + ", " + grantRequest + "): " + ret);
}
@@ -694,47 +703,33 @@ public class ServiceREST {
RESTResponse ret = new RESTResponse();
- try {
- String userName = revokeRequest.getGrantor();
- Set<String> userGroups = Collections.<String>emptySet(); // TODO: get groups for the grantor from Ranger databas
- RangerResource resource = new RangerResourceImpl(revokeRequest.getResource());
-
- boolean isAdmin = isAdminForResource(userName, userGroups, serviceName, resource);
-
- if(!isAdmin) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "", true);
- }
-
- RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource);
-
- if(policy != null) {
- boolean policyUpdated = false;
-
- for(String user : revokeRequest.getUsers()) {
- RangerPolicyItem policyItem = getPolicyItemForUser(policy, user);
-
- if(policyItem != null) {
- if(removeAccesses(policyItem, revokeRequest.getAccessTypes())) {
- policyUpdated = true;
- }
- }
+ if (serviceUtil.isValidateHttpsAuthentication(serviceName,request)) {
- if(revokeRequest.getDelegateAdmin()) { // remove delegate?
- if(policyItem.getDelegateAdmin()) {
- policyItem.setDelegateAdmin(Boolean.FALSE);
- policyUpdated = true;
- }
- }
+ try {
+ String userName = revokeRequest.getGrantor();
+ Set<String> userGroups = Collections.<String>emptySet(); // TODO: get groups for the grantor from Ranger databas
+ RangerResource resource = new RangerResourceImpl(revokeRequest.getResource());
+
+ boolean isAdmin = isAdminForResource(userName, userGroups, serviceName, resource);
+
+ if(!isAdmin) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "", true);
}
-
- for(String group : revokeRequest.getGroups()) {
- RangerPolicyItem policyItem = getPolicyItemForGroup(policy, group);
-
- if(policyItem != null) {
- if(removeAccesses(policyItem, revokeRequest.getAccessTypes())) {
- policyUpdated = true;
+
+ RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource);
+
+ if(policy != null) {
+ boolean policyUpdated = false;
+
+ for(String user : revokeRequest.getUsers()) {
+ RangerPolicyItem policyItem = getPolicyItemForUser(policy, user);
+
+ if(policyItem != null) {
+ if(removeAccesses(policyItem, revokeRequest.getAccessTypes())) {
+ policyUpdated = true;
+ }
}
-
+
if(revokeRequest.getDelegateAdmin()) { // remove delegate?
if(policyItem.getDelegateAdmin()) {
policyItem.setDelegateAdmin(Boolean.FALSE);
@@ -742,28 +737,45 @@ public class ServiceREST {
}
}
}
+
+ for(String group : revokeRequest.getGroups()) {
+ RangerPolicyItem policyItem = getPolicyItemForGroup(policy, group);
+
+ if(policyItem != null) {
+ if(removeAccesses(policyItem, revokeRequest.getAccessTypes())) {
+ policyUpdated = true;
+ }
+
+ if(revokeRequest.getDelegateAdmin()) { // remove delegate?
+ if(policyItem.getDelegateAdmin()) {
+ policyItem.setDelegateAdmin(Boolean.FALSE);
+ policyUpdated = true;
+ }
+ }
+ }
+ }
+
+ if(compactPolicy(policy)) {
+ policyUpdated = true;
+ }
+
+ if(policyUpdated) {
+ updatePolicy(policy);
+ }
+ } else {
+ // nothing to revoke!
}
-
- if(compactPolicy(policy)) {
- policyUpdated = true;
- }
-
- if(policyUpdated) {
- updatePolicy(policy);
- }
- } else {
- // nothing to revoke!
+ } catch(WebApplicationException excp) {
+ throw excp;
+ } catch(Exception excp) {
+ LOG.error("revokeAccess(" + serviceName + ", " + revokeRequest + ") failed", excp);
+
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true);
}
- } catch(WebApplicationException excp) {
- throw excp;
- } catch(Exception excp) {
- LOG.error("revokeAccess(" + serviceName + ", " + revokeRequest + ") failed", excp);
-
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true);
+
+ ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
}
- ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
-
if(LOG.isDebugEnabled()) {
LOG.debug("<== ServiceREST.revokeAccess(" + serviceName + ", " + revokeRequest + "): " + ret);
}
[2/2] incubator-ranger git commit: Merge branch 'master' of
https://git-wip-us.apache.org/repos/asf/incubator-ranger
Posted by rm...@apache.org.
Merge branch 'master' of https://git-wip-us.apache.org/repos/asf/incubator-ranger
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/ca75aadc
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/ca75aadc
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/ca75aadc
Branch: refs/heads/master
Commit: ca75aadc6be398fc0eac317c9c58ca928b6f152c
Parents: e97c99d 2a309b5
Author: rmani <rm...@hortonworks.com>
Authored: Mon Mar 9 10:47:49 2015 -0700
Committer: rmani <rm...@hortonworks.com>
Committed: Mon Mar 9 10:47:49 2015 -0700
----------------------------------------------------------------------
.../apache/ranger/credentialapi/buildks.java | 43 ++-
.../credentialapi/TestCredentialReader.java | 39 +--
.../ranger/credentialapi/Testbuildks.java | 43 +--
.../namenode/RangerFSPermissionChecker.java | 34 +-
.../agent/HadoopAuthClassTransformer.java | 313 ++++++++++---------
.../agent/TestRangerFSPermissionChecker.java | 16 +
pom.xml | 4 +-
.../patches/010-users-and-groups-visibility.sql | 50 +++
.../patches/010-users-and-groups-visibility.sql | 44 +++
.../java/org/apache/ranger/biz/XUserMgr.java | 31 ++
.../apache/ranger/common/RangerCommonEnums.java | 22 +-
.../java/org/apache/ranger/entity/XXGroup.java | 26 ++
.../java/org/apache/ranger/entity/XXUser.java | 29 ++
.../java/org/apache/ranger/rest/XUserREST.java | 18 ++
.../apache/ranger/service/XGroupService.java | 17 +-
.../ranger/service/XGroupServiceBase.java | 2 +
.../org/apache/ranger/service/XUserService.java | 4 +
.../apache/ranger/service/XUserServiceBase.java | 2 +
.../java/org/apache/ranger/view/VXGroup.java | 21 ++
.../java/org/apache/ranger/view/VXUser.java | 12 +-
.../scripts/collection_bases/VXGroupListBase.js | 26 +-
.../scripts/collection_bases/VXUserListBase.js | 23 +-
.../src/main/webapp/scripts/models/VXGroup.js | 15 +-
.../src/main/webapp/scripts/models/VXUser.js | 14 +
.../main/webapp/scripts/modules/XAOverrides.js | 263 ++++++++++++++++
.../scripts/modules/globalize/message/en.js | 10 +-
.../src/main/webapp/scripts/utils/XAEnums.js | 5 +
.../src/main/webapp/scripts/utils/XAUtils.js | 1 +
.../scripts/views/common/FormInputItemList.js | 2 +-
.../scripts/views/common/UserPermissionList.js | 2 +-
.../scripts/views/common/XATableLayout.js | 7 +
.../scripts/views/policies/PermissionList.js | 4 +-
.../scripts/views/policies/RangerPolicyForm.js | 2 +-
.../scripts/views/users/UserTableLayout.js | 157 +++++++++-
security-admin/src/main/webapp/styles/xa.css | 15 +
.../templates/users/UserTableLayout_tmpl.html | 2 +
.../org/apache/ranger/biz/TestXUserMgr.java | 175 ++++++++++-
src/main/assembly/hbase-agent.xml | 1 +
src/main/assembly/hdfs-agent.xml | 1 +
src/main/assembly/hive-agent.xml | 1 +
src/main/assembly/knox-agent.xml | 1 +
src/main/assembly/plugin-yarn.xml | 1 +
src/main/assembly/storm-agent.xml | 1 +
43 files changed, 1227 insertions(+), 272 deletions(-)
----------------------------------------------------------------------