Posted to commits@ranger.apache.org by ga...@apache.org on 2016/05/30 12:28:49 UTC
[1/4] incubator-ranger git commit: RANGER-985 : Support download csv
in Reports page as enhancement
Repository: incubator-ranger
Updated Branches:
refs/heads/master c498b0fc1 -> ced7c3b7a
RANGER-985 : Support download csv in Reports page as enhancement
Signed-off-by: Gautam Borad <ga...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/7d452069
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/7d452069
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/7d452069
Branch: refs/heads/master
Commit: 7d452069c636419dcb5084292377f977487cf123
Parents: c498b0f
Author: Mehul Parikh <me...@freestoneinfotech.com>
Authored: Wed May 25 12:02:42 2016 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Mon May 30 17:58:04 2016 +0530
----------------------------------------------------------------------
.../org/apache/ranger/biz/ServiceDBStore.java | 457 +++++++++++++++++--
.../org/apache/ranger/rest/ServiceREST.java | 36 ++
.../scripts/views/reports/UserAccessLayout.js | 158 ++++---
.../scripts/views/users/UserTableLayout.js | 57 +--
security-admin/src/main/webapp/styles/xa.css | 49 +-
.../reports/UserAccessLayout_tmpl.html | 14 +-
.../templates/users/UserTableLayout_tmpl.html | 14 +-
7 files changed, 612 insertions(+), 173 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7d452069/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 2f88a9b..c488d4a 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -27,13 +27,19 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
+import java.util.StringTokenizer;
+import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
+import java.io.FileOutputStream;
import java.io.IOException;
+import java.io.InputStream;
import java.io.OutputStream;
+import java.io.OutputStreamWriter;
import java.text.SimpleDateFormat;
import java.util.TreeMap;
import javax.annotation.PostConstruct;
+import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.collections.CollectionUtils;
@@ -1974,6 +1980,36 @@ public class ServiceDBStore extends AbstractServiceStore {
writeExcel(policies, excelFileName, response);
}
+ public void getPoliciesInCSV(List<RangerPolicy> policies, HttpServletResponse response) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> ServiceDBStore.getPoliciesInCSV()");
+ }
+ InputStream in=null;
+ ServletOutputStream out=null;
+ String CSVFileName=null;
+ try {
+ String timeStamp = new SimpleDateFormat("yyyyMMdd_HHmmss").format(new Date());
+ CSVFileName = "Ranger_Policies_" + timeStamp + ".csv";
+ out = response.getOutputStream();
+ StringBuffer sb = writeCSV(policies, CSVFileName, response);
+ in = new ByteArrayInputStream(sb.toString().getBytes());
+ byte[] outputByte = new byte[sb.length()];
+ while (in.read(outputByte, 0, sb.length()) != -1) {
+ out.write(outputByte, 0, sb.length());
+ }
+ }
+ catch (Exception e) {
+ LOG.error("Error while generating report file " + CSVFileName, e);
+ e.printStackTrace();
+
+ }
+ finally {
+ in.close();
+ out.flush();
+ out.close();
+ }
+ }
+
public PList<RangerPolicy> getPaginatedPolicies(SearchFilter filter) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.getPaginatedPolicies(+ " + filter + ")");
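Review bot: The copy loop `while (in.read(outputByte, 0, sb.length()) != -1)` in `getPoliciesInCSV` writes `sb.length()` bytes on every pass regardless of how many were actually read, and `sb.length()` is a char count while `getBytes()` (platform charset) can yield more bytes than chars for non-ASCII names, so a report containing such names is emitted with a stale tail; encoding once and writing the whole array removes the loop and the mismatch. The `finally` block dereferences `in` and `out` unconditionally, so any failure before they are assigned (for example `response.getOutputStream()` throwing) becomes a NullPointerException that hides the original error. The catch logs, calls `e.printStackTrace()` and swallows the exception although the method is declared `throws Exception`, so the REST caller reports success for a failed export. The rewritten body below needs `java.nio.charset.StandardCharsets` in the import block.
```java
public void getPoliciesInCSV(List<RangerPolicy> policies, HttpServletResponse response) throws Exception {
    // … unchanged: debug log …
    ServletOutputStream out = null;
    String CSVFileName = null;
    try {
        String timeStamp = new SimpleDateFormat("yyyyMMdd_HHmmss").format(new Date());
        CSVFileName = "Ranger_Policies_" + timeStamp + ".csv";
        StringBuffer sb = writeCSV(policies, CSVFileName, response);
        // encode once and write the whole array: a char-sized buffer under-reads multi-byte text
        byte[] csvBytes = sb.toString().getBytes(StandardCharsets.UTF_8);
        response.setContentLength(csvBytes.length);
        out = response.getOutputStream();
        out.write(csvBytes);
        out.flush();
    } catch (Exception e) {
        LOG.error("Error while generating report file " + CSVFileName, e);
        throw e; // let the REST layer turn this into an error response instead of a silent empty download
    } finally {
        if (out != null) {
            out.close();
        }
    }
}
```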
@@ -3090,19 +3126,42 @@ public class ServiceDBStore extends AbstractServiceStore {
return false;
}
+
private void writeExcel(List<RangerPolicy> policies, String excelFileName, HttpServletResponse response)
throws IOException {
- Workbook workbook=null;
- OutputStream outStream =null;
- try{
+ Workbook workbook = null;
+ OutputStream outStream = null;
+ try {
workbook = new HSSFWorkbook();
Sheet sheet = workbook.createSheet();
createHeaderRow(sheet);
int rowCount = 0;
- if (!CollectionUtils.isEmpty(policies)){
+ if (!CollectionUtils.isEmpty(policies)) {
for (RangerPolicy policy : policies) {
- Row row = sheet.createRow(++rowCount);
- writeBook(policy, row);
+ long serviceType = daoMgr.getXXService().findByName(policy.getService()).getType();
+ List<RangerPolicyItem> policyItems = policy.getPolicyItems();
+ List<RangerRowFilterPolicyItem> rowFilterPolicyItems = policy.getRowFilterPolicyItems();
+ List<RangerDataMaskPolicyItem> dataMaskPolicyItems = policy.getDataMaskPolicyItems();
+
+ if (CollectionUtils.isNotEmpty(policyItems)) {
+ for (RangerPolicyItem policyItem : policyItems) {
+ Row row = sheet.createRow(++rowCount);
+ writeBookForPolicyItems(policy, policyItem, null, null, row);
+ }
+ } else if (CollectionUtils.isNotEmpty(dataMaskPolicyItems)) {
+ for (RangerDataMaskPolicyItem dataMaskPolicyItem : dataMaskPolicyItems) {
+ Row row = sheet.createRow(++rowCount);
+ writeBookForPolicyItems(policy, null, dataMaskPolicyItem, null, row);
+ }
+ } else if (CollectionUtils.isNotEmpty(rowFilterPolicyItems)) {
+ for (RangerRowFilterPolicyItem rowFilterPolicyItem : rowFilterPolicyItems) {
+ Row row = sheet.createRow(++rowCount);
+ writeBookForPolicyItems(policy, null, null, rowFilterPolicyItem, row);
+ }
+ } else if (serviceType == 100) {
+ Row row = sheet.createRow(++rowCount);
+ writeBookForTag(policy, row);
+ }
}
}
ByteArrayOutputStream outByteStream = new ByteArrayOutputStream();
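Review bot: `daoMgr.getXXService().findByName(policy.getService()).getType()` at the top of the per-policy loop in `writeExcel` dereferences the lookup result without a null check, while `writeCSV` and `writeBookForPolicyItems` in the same commit guard the identical lookup with `if (xxservice != null)`; a policy whose service row cannot be found aborts the whole Excel export with a NullPointerException. Suggested: `XXService xxService = daoMgr.getXXService().findByName(policy.getService());` followed by `long serviceType = xxService != null ? xxService.getType() : -1;`. The literal `100` for the tag service type is repeated in `writeCSV` as `serviceTypeId == 100`; a named constant with a one-line comment would document what it denotes. The body of writeExcel continues in the next hunk.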
@@ -3112,36 +3171,351 @@ public class ServiceDBStore extends AbstractServiceStore {
response.setContentLength(outArray.length);
response.setHeader("Expires:", "0");
response.setHeader("Content-Disposition", "attachment; filename=" + excelFileName);
- outStream=response.getOutputStream();
+ outStream = response.getOutputStream();
outStream.write(outArray);
outStream.flush();
- }catch(IOException ex){
+ } catch (IOException ex) {
LOG.error("Failed to create report file " + excelFileName, ex);
- }catch(Exception ex){
+ } catch (Exception ex) {
LOG.error("Error while generating report file " + excelFileName, ex);
- }finally{
- if(outStream!=null){
+ } finally {
+ if (outStream != null) {
outStream.close();
}
- if(workbook!=null){
+ if (workbook != null) {
workbook.close();
}
}
}
- private void writeBook(RangerPolicy policy, Row row) {
+ private StringBuffer writeCSV(List<RangerPolicy> policies, String cSVFileName, HttpServletResponse response) {
+ response.setContentType("text/csv");
+ final String COMMA_DELIMITER = "|";
+ final String LINE_SEPARATOR = "\n";
+ final String FILE_HEADER = "ID|Name|Resources|Groups|Users|Accesses|Service Type|Status";
+ StringBuffer csvBuffer = new StringBuffer();
+ csvBuffer.append(FILE_HEADER);
+ csvBuffer.append(LINE_SEPARATOR);
+ for (RangerPolicy policy : policies) {
+ String policyStatus = "";
+ String policyName = "";
+ String ServiceType = "";
+ Long serviceTypeId = null;
+ List<String> groups = new ArrayList<String>();
+ List<String> users = new ArrayList<String>();
+ List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
+ String groupNames = "";
+ String userNames = "";
+ String accessType = "";
+ String resValue = "";
+ String resourceKeyVal = "";
+ String resKey = "";
+ policyName = policy.getName();
+ policyName=policyName.replace("|", "");
+ Long policyId = policy.getId();
+
+ if (policy.getIsEnabled()) {
+ policyStatus = "Enabled";
+ } else {
+ policyStatus = "Disabled";
+ }
+ XXService xxservice = daoMgr.getXXService().findByName(policy.getService());
+
+ if (xxservice != null) {
+ serviceTypeId = xxservice.getType();
+ XXServiceDef xxservDef = daoMgr.getXXServiceDef().getById(serviceTypeId);
+ if (xxservDef != null) {
+ ServiceType = xxservDef.getName();
+ }
+ }
+ int policyType = policy.getPolicyType();
+ List<RangerPolicyItem> policyItems = new ArrayList<RangerPolicyItem>();
+ List<RangerPolicyItem> policyItems0 = new ArrayList<RangerPolicyItem>();
+ List<RangerDataMaskPolicyItem> policyItems1 = new ArrayList<RangerDataMaskPolicyItem>();
+ List<RangerRowFilterPolicyItem> policyItems2 = new ArrayList<RangerRowFilterPolicyItem>();
+ switch (policyType) {
+ case 0:
+ policyItems0 = policy.getPolicyItems();
+ policyItems.addAll(policyItems0);
+ break;
+ case 1:
+ policyItems1 = policy.getDataMaskPolicyItems();
+ policyItems.addAll(policyItems1);
+ break;
+ case 2:
+ policyItems2 = policy.getRowFilterPolicyItems();
+ policyItems.addAll(policyItems2);
+ break;
+ }
+
+ if (serviceTypeId == 100) {
+ Map<String, RangerPolicyResource> resources = policy.getResources();
+
+ if (resources != null) {
+ for (Entry<String, RangerPolicyResource> resource : resources.entrySet()) {
+ resKey = resource.getKey();
+ RangerPolicyResource policyResource = resource.getValue();
+ List<String> resvalueList = policyResource.getValues();
+ resValue = resvalueList.toString();
+ resourceKeyVal = resourceKeyVal + " " + resKey + "=" + resValue;
+ resourceKeyVal = resourceKeyVal.replace("|", "");
+ }
+ }
+
+ if (!CollectionUtils.isEmpty(policyItems)) {
+ for (RangerPolicyItem policyItem : policyItems) {
+ groupNames = "";
+ userNames = "";
+ accessType = "";
+ groups = null;
+ users = null;
+ accesses = null;
+ groups = policyItem.getGroups();
+ accesses = policyItem.getAccesses();
+ users = policyItem.getUsers();
+
+ for (RangerPolicyItemAccess access : accesses) {
+ accessType = accessType + access.getType().replace("#", "").replace("|","") + "#";
+ }
+ accessType = accessType.substring(0, accessType.lastIndexOf("#"));
+ if (CollectionUtils.isNotEmpty(groups)) {
+ for (String group : groups){
+ group=group.replace("|", "");
+ group=group.replace("#", "");
+ groupNames=groupNames+group+ "#";
+ }
+ groupNames = groupNames.substring(0, groupNames.lastIndexOf("#"));
+ }
+
+ if (CollectionUtils.isNotEmpty(users)) {
+ for (String user : users){
+ user=user.replace("|", "");
+ user=user.replace("#", "");
+ userNames=userNames +user + "#";
+ }
+ userNames=userNames.substring(0,userNames.lastIndexOf("#"));
+ }
+
+ csvBuffer.append(policyId);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(policyName);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(resourceKeyVal);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(groupNames);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(userNames);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(accessType);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(ServiceType);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(policyStatus);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(LINE_SEPARATOR);
+
+ }
+ } else {
+ csvBuffer.append(policyId);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(policyName);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(resourceKeyVal);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(groupNames);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(userNames);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(accessType);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(ServiceType);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(policyStatus);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(LINE_SEPARATOR);
+ }
+ }
+
+ else {
+ Map<String, RangerPolicyResource> resources = policy.getResources();
+ if (resources != null) {
+ for (Entry<String, RangerPolicyResource> resource : resources.entrySet()) {
+ resKey = resource.getKey();
+ RangerPolicyResource policyResource = resource.getValue();
+ List<String> resvalueList = policyResource.getValues();
+ resValue = resvalueList.toString();
+ resourceKeyVal = resourceKeyVal + " " + resKey + "=" + resValue;
+ resourceKeyVal = resourceKeyVal.replace("|", "");
+ }
+ }
+
+ for (RangerPolicyItem policyItem : policyItems) {
+ groups = null;
+ users = null;
+ accesses = null;
+ groupNames = "";
+ userNames = "";
+ accessType = "";
+ groups = policyItem.getGroups();
+ users = policyItem.getUsers();
+ accesses = policyItem.getAccesses();
+
+ if (CollectionUtils.isNotEmpty(accesses)) {
+ for (RangerPolicyItemAccess access : accesses) {
+ accessType = accessType + access.getType().replace("#", "").replace("|","") + "#";
+ }
+ accessType = accessType.substring(0, accessType.lastIndexOf("#"));
+ }
+ if (CollectionUtils.isNotEmpty(groups)) {
+ for (String group : groups){
+ group=group.replace("|", "");
+ group=group.replace("#", "");
+ groupNames=groupNames+group+ "#";
+ }
+ groupNames = groupNames.substring(0, groupNames.lastIndexOf("#"));
+ }
+ if (CollectionUtils.isNotEmpty(users)) {
+ for (String user : users){
+ user=user.replace("|", "");
+ user=user.replace("#", "");
+ userNames=userNames +user + "#";
+ }
+ userNames=userNames.substring(0,userNames.lastIndexOf("#"));
+ }
+ csvBuffer.append(policyId);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(policyName);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(resourceKeyVal);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(groupNames);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(userNames);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(accessType);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(ServiceType);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(policyStatus);
+ csvBuffer.append(COMMA_DELIMITER);
+ csvBuffer.append(LINE_SEPARATOR);
+ }
+ }
+ }
+ response.setHeader("Content-Disposition", "attachment; filename=" + cSVFileName);
+ return csvBuffer;
+ }
+
+ private void writeBookForPolicyItems(RangerPolicy policy, RangerPolicyItem policyItem,
+ RangerDataMaskPolicyItem dataMaskPolicyItem, RangerRowFilterPolicyItem rowFilterPolicyItem, Row row) {
+ List<String> groups = new ArrayList<String>();
+ List<String> users = new ArrayList<String>();
+ String groupNames = "";
+ String userNames = "";
+ String accessType = "";
String policyStatus = "";
Cell cell = row.createCell(0);
cell.setCellValue(policy.getId());
+ List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
cell = row.createCell(1);
cell.setCellValue(policy.getName());
cell = row.createCell(2);
+ String resValue = "";
+ String resourceKeyVal = "";
+ String resKey = "";
+ Map<String, RangerPolicyResource> resources = policy.getResources();
+ if (resources != null) {
+ for (Entry<String, RangerPolicyResource> resource : resources.entrySet()) {
+ resKey = resource.getKey();
+ RangerPolicyResource policyResource = resource.getValue();
+ List<String> resvalueList = policyResource.getValues();
+ resValue = resvalueList.toString();
+ resourceKeyVal = resourceKeyVal + " " + resKey + "=" + resValue;
+ }
+
+ cell.setCellValue(resourceKeyVal);
+ if (policyItem != null && dataMaskPolicyItem == null && rowFilterPolicyItem == null) {
+ groups = policyItem.getGroups();
+ users = policyItem.getUsers();
+ accesses = policyItem.getAccesses();
+ } else if (dataMaskPolicyItem != null && policyItem == null && rowFilterPolicyItem == null) {
+ groups = dataMaskPolicyItem.getGroups();
+ users = dataMaskPolicyItem.getUsers();
+ accesses = dataMaskPolicyItem.getAccesses();
+ } else if (rowFilterPolicyItem != null && policyItem == null && dataMaskPolicyItem == null) {
+ groups = rowFilterPolicyItem.getGroups();
+ users = rowFilterPolicyItem.getUsers();
+ accesses = rowFilterPolicyItem.getAccesses();
+ }
+ if (CollectionUtils.isNotEmpty(accesses)) {
+ for (RangerPolicyItemAccess access : accesses) {
+ accessType = accessType + access.getType();
+ accessType = accessType + " ,";
+ }
+ accessType = accessType.substring(0, accessType.lastIndexOf(","));
+ }
+ if (CollectionUtils.isNotEmpty(groups)) {
+ groupNames = groupNames + groups.toString();
+ StringTokenizer groupToken = new StringTokenizer(groupNames, "[]");
+ groupNames = groupToken.nextToken().toString();
+ }
+ if (CollectionUtils.isNotEmpty(users)) {
+ userNames = userNames + users.toString();
+ StringTokenizer userToken = new StringTokenizer(userNames, "[]");
+ userNames = userToken.nextToken().toString();
+ }
+ cell = row.createCell(3);
+ cell.setCellValue(groupNames);
+ cell = row.createCell(4);
+ cell.setCellValue(userNames);
+ cell = row.createCell(5);
+ cell.setCellValue(accessType.trim());
+ cell = row.createCell(6);
+ XXService xxservice = daoMgr.getXXService().findByName(policy.getService());
+ String ServiceType = "";
+ if (xxservice != null) {
+ Long ServiceId = xxservice.getType();
+ XXServiceDef xxservDef = daoMgr.getXXServiceDef().getById(ServiceId);
+ if (xxservDef != null) {
+ ServiceType = xxservDef.getName();
+ }
+ }
+ cell.setCellValue(ServiceType);
+ cell = row.createCell(7);
+
+ }
if (policy.getIsEnabled()) {
policyStatus = "Enabled";
} else {
policyStatus = "Disabled";
}
cell.setCellValue(policyStatus);
+ }
+
+ private void writeBookForTag(RangerPolicy policy, Row row) {
+ String policyStatus = "";
+ Cell cell = row.createCell(0);
+ cell.setCellValue(policy.getId());
+ cell = row.createCell(1);
+ cell.setCellValue(policy.getName());
+ cell = row.createCell(2);
+ String resValue = "";
+ String resourceKeyVal = "";
+ String resKey = "";
+ String groupNames = "";
+ String userNames = "";
+ String accessType = "";
+ Map<String, RangerPolicyResource> resources = policy.getResources();
+ if (resources!=null) {
+ for (Entry<String, RangerPolicyResource> resource : resources.entrySet()) {
+ resKey = resource.getKey();
+ RangerPolicyResource policyResource = resource.getValue();
+ List<String> resvalueList = policyResource.getValues();
+ resValue = resvalueList.toString();
+ resourceKeyVal = resourceKeyVal + " " + resKey + "=" + resValue;
+ }
+ }
+ cell.setCellValue(resourceKeyVal);
cell = row.createCell(3);
int policyType=policy.getPolicyType();
List<RangerPolicyItem> policyItems=new ArrayList<RangerPolicyItem>();
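Review bot: In the tag branch of `writeCSV` the line `accessType = accessType.substring(0, accessType.lastIndexOf("#"));` runs even when `accesses` is empty, so `lastIndexOf` returns -1 and the export dies with StringIndexOutOfBoundsException; the non-tag branch further down guards the same statement with `if (CollectionUtils.isNotEmpty(accesses))`, and the tag branch should too. Just above it, `if (serviceTypeId == 100)` unboxes a `Long` that is still null whenever `findByName` returned nothing, which undoes the `xxservice != null` guard a few lines earlier; use `if (serviceTypeId != null && serviceTypeId == 100)`. In `writeBookForPolicyItems` the `if (resources != null) {` block is closed only by the `}` immediately before `if (policy.getIsEnabled())`, so for a policy with null resources cells 3–7 are never created and the status is written into cell 2; the closing brace belongs right after the resource `for` loop. User and group names appended to the CSV can originate from external sync sources and are placed in cells unescaped, so a value beginning with `=`, `+`, `-` or `@` is interpreted as a formula by spreadsheet clients; prefixing such cells with a single quote before `append` is cheap hardening, and `response.setContentType("text/csv")` should carry `; charset=UTF-8` to match the bytes that are written.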
@@ -3165,18 +3539,18 @@ public class ServiceDBStore extends AbstractServiceStore {
List<String> groups = new ArrayList<String>();
List<String> users = new ArrayList<String>();
- String groupNames = "";
- String userNames = "";
- String accessType = "";
+
if (!CollectionUtils.isEmpty(policyItems)) {
for (RangerPolicyItem policyItem : policyItems) {
+ groupNames = "";
+ userNames = "";
+ accessType = "";
groups = policyItem.getGroups();
List<RangerPolicyItemAccess> accesses = policyItem.getAccesses();
- accessType = accessType + "[";
for (RangerPolicyItemAccess access : accesses) {
- accessType = accessType + access.getType() + " ";
+ accessType = accessType + access.getType() + " ,";
}
- accessType = accessType + "] ";
+ accessType = accessType.substring(0,accessType.lastIndexOf(","));
if (!groups.isEmpty()) {
groupNames = groupNames + groups.toString();
}
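Review bot: `accessType = accessType.substring(0,accessType.lastIndexOf(","));` replaces the old bracket wrapping but is unguarded, so a policy item with no accesses makes `lastIndexOf` return -1 and the Excel export throws StringIndexOutOfBoundsException; wrap it as `if (CollectionUtils.isNotEmpty(accesses)) { accessType = accessType.substring(0, accessType.lastIndexOf(",")); }`, as `writeBookForPolicyItems` already does. `if (!groups.isEmpty())` on the following line likewise throws on a null group list where `CollectionUtils.isNotEmpty(groups)` would not. writeBookForTag begins and ends outside this hunk.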
@@ -3190,6 +3564,8 @@ public class ServiceDBStore extends AbstractServiceStore {
cell = row.createCell(4);
cell.setCellValue(userNames);
cell = row.createCell(5);
+ cell.setCellValue(accessType.trim());
+ cell = row.createCell(6);
XXService xxservice = daoMgr.getXXService().findByName(policy.getService());
String ServiceType = "";
if (xxservice != null) {
@@ -3200,25 +3576,16 @@ public class ServiceDBStore extends AbstractServiceStore {
}
}
cell.setCellValue(ServiceType);
- cell = row.createCell(6);
- cell.setCellValue(accessType.trim());
cell = row.createCell(7);
- String resValue = "";
- String resourceKeyVal = "";
- String resKey = "";
- Map<String, RangerPolicyResource> resources = policy.getResources();
- if (resources!=null) {
- for (Entry<String, RangerPolicyResource> resource : resources.entrySet()) {
- resKey = resource.getKey();
- RangerPolicyResource policyResource = resource.getValue();
- List<String> resvalueList = policyResource.getValues();
- resValue = resvalueList.toString();
- resourceKeyVal = resourceKeyVal + " " + resKey + "=" + resValue;
- }
+ if (policy.getIsEnabled()) {
+ policyStatus = "Enabled";
+ } else {
+ policyStatus = "Disabled";
}
- cell.setCellValue(resourceKeyVal);
+ cell.setCellValue(policyStatus);
}
+
private void createHeaderRow(Sheet sheet) {
CellStyle cellStyle = sheet.getWorkbook().createCellStyle();
Font font = sheet.getWorkbook().createFont();
@@ -3236,9 +3603,9 @@ public class ServiceDBStore extends AbstractServiceStore {
cellNAME.setCellStyle(cellStyle);
cellNAME.setCellValue("Name");
- Cell cellStatus = row.createCell(2);
- cellStatus.setCellStyle(cellStyle);
- cellStatus.setCellValue("Status");
+ Cell cellResources = row.createCell(2);
+ cellResources.setCellStyle(cellStyle);
+ cellResources.setCellValue("Resources");
Cell cellGroups = row.createCell(3);
cellGroups.setCellStyle(cellStyle);
@@ -3248,16 +3615,16 @@ public class ServiceDBStore extends AbstractServiceStore {
cellUsers.setCellStyle(cellStyle);
cellUsers.setCellValue("Users");
- Cell cellServiceType = row.createCell(5);
- cellServiceType.setCellStyle(cellStyle);
- cellServiceType.setCellValue("Service Type");
-
- Cell cellAccesses = row.createCell(6);
+ Cell cellAccesses = row.createCell(5);
cellAccesses.setCellStyle(cellStyle);
cellAccesses.setCellValue("Accesses");
- Cell cellResources = row.createCell(7);
- cellResources.setCellStyle(cellStyle);
- cellResources.setCellValue("Resources");
+ Cell cellServiceType = row.createCell(6);
+ cellServiceType.setCellStyle(cellStyle);
+ cellServiceType.setCellValue("Service Type");
+
+ Cell cellStatus = row.createCell(7);
+ cellStatus.setCellStyle(cellStyle);
+ cellStatus.setCellValue("Status");
}
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7d452069/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 19a1509..052254d 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -19,6 +19,7 @@
package org.apache.ranger.rest;
+import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
@@ -1526,6 +1527,41 @@ public class ServiceREST {
}
+ @GET
+ @Path("/policies/csv")
+ @Produces("text/csv")
+ public void getPoliciesInCsv(@Context HttpServletRequest request, @Context HttpServletResponse response) throws IOException {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> ServiceREST.getPoliciesInCsv()");
+ }
+ RangerPerfTracer perf = null;
+
+ SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields);
+
+ try {
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPoliciesInCsv()");
+ }
+ List<RangerPolicy> policies = new ArrayList<RangerPolicy>();
+ if (filter != null) {
+ filter.setStartIndex(0);
+ filter.setMaxRows(Integer.MAX_VALUE);
+ policies = svcStore.getPoliciesForReports(filter);
+ }
+ svcStore.getPoliciesInCSV(policies, response);
+
+ } catch (WebApplicationException excp) {
+ throw excp;
+ } catch (Throwable excp) {
+ LOG.error("Error while downloading policy report", excp);
+
+ throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
+ }
+ }
+
public List<RangerPolicy> getPolicies(SearchFilter filter) {
if(LOG.isDebugEnabled()) {
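Review bot: Nothing in `getPoliciesInCsv` shows the caller's role being checked before `filter.setMaxRows(Integer.MAX_VALUE)` hands every matching policy, including its user, group and resource lists, to `getPoliciesInCSV`; if the existing `downloadExcel` endpoint (not in this hunk) restricts who may export, the same guard is needed here, and a Javadoc line stating which role may call this method would make that contract visible. `throw restErrorUtil.createRESTException(excp.getMessage())` forwards the raw text of any `Throwable` (a JDBC or NullPointerException message) to the HTTP client; the `LOG.error` on the line above already keeps the detail, so a fixed message such as `"Error while downloading policy report"` is enough for the response. `catch (Throwable excp)` also turns JVM errors into that response; `catch (Exception excp)` is the narrower and usual choice.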
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7d452069/security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js b/security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js
index c3acf6b..4c02504 100644
--- a/security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js
+++ b/security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js
@@ -76,7 +76,6 @@ define(function(require) {'use strict';
btnShowLessUsers : '[data-id="showLessUsers"]',
componentType : '[data-id="component"]',
downloadReport : '[data-id="downloadReport"]',
- downloadBtn : '[data-js="downloadBtn"]',
policyType : '[data-id="policyType"]'
},
@@ -90,7 +89,7 @@ define(function(require) {'use strict';
events['click ' + this.ui.btnShowLess] = 'onShowLess';
events['click ' + this.ui.btnShowMoreUsers] = 'onShowMoreUsers';
events['click ' + this.ui.btnShowLessUsers] = 'onShowLessUsers';
- events['click ' + this.ui.downloadBtn] = 'onDownload';
+ events['click .downloadFormat'] = 'setDownloadFormatFilter';
return events;
},
@@ -103,7 +102,7 @@ define(function(require) {'use strict';
_.extend(this, _.pick(options, 'groupList','userList'));
this.bindEvents();
this.previousSearchUrl = '';
- this.searchedFlag = true;
+ this.searchedFlag = false;
this.allowDownload = false;
},
initializeRequiredData : function() {
@@ -206,18 +205,51 @@ define(function(require) {'use strict';
editable: false,
sortable : false
},
- isEnabled:{
- label:localization.tt('lbl.status'),
- cell :"html",
- editable:false,
+ resources:
+ {
+ label: 'Resources',
+ cell: 'Html',
formatter: _.extend({}, Backgrid.CellFormatter.prototype, {
- fromRaw: function (rawValue) {
- return rawValue ? '<label class="label label-success">Enabled</label>' : '<label class="label label-important">Disabled</label>';
+ fromRaw: function (rawValue,model) {
+ var strVal = '', names = '';
+ var resource = model.get('resources');
+ _.each(resource,function(resourceObj,key){
+ strVal += "<b>"+key+":</b>";
+ strVal += "<span title='";
+ names = '';
+ _.map(resourceObj.values,function(resourceVal){
+ names += resourceVal+",";
+ });
+ names = names.slice(0,-1);
+ strVal += names + "'>"+names +"</span>";
+ strVal = strVal+ "<br />";
+ });
+ return strVal;
+ }
+ }),
+ editable: false,
+ sortable: false,
+ click: false
+ },
+ policyType: {
+ label: 'Policy Type',
+ cell: Backgrid.HtmlCell.extend({className: 'cellWidth-1', className: 'html-cell'}),
+ formatter: _.extend({}, Backgrid.CellFormatter.prototype,{
+ fromRaw: function(rawValue,model){
+ var policyType = model.get("policyType");
+ var startLbl = '<label class="label label-ranger" style="float:inherit;">';
+ if (XAUtil.isMaskingPolicy(policyType)) {
+ return startLbl + XAEnums.RangerPolicyType.RANGER_MASKING_POLICY_TYPE.label + '</label>';
+ } else if (XAUtil.isRowFilterPolicy(policyType)) {
+ return startLbl + XAEnums.RangerPolicyType.RANGER_ROW_FILTER_POLICY_TYPE.label + '</label>';
+ }else{// by default it is access
+ return startLbl + XAEnums.RangerPolicyType.RANGER_ACCESS_POLICY_TYPE.label + '</label>';
+ }
}
}),
- click : false,
- drag : false,
- sortable : false
+ editable: false,
+ sortable: false,
+ click: false
},
permissions: {
label: 'Permissions',
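Review bot: `Backgrid.HtmlCell.extend({className: 'cellWidth-1', className: 'html-cell'})` in the new `policyType` column passes the same key twice, so only `'html-cell'` takes effect and `cellWidth-1` is silently dropped; use `className: 'cellWidth-1 html-cell'` if both classes are intended. The `resources` formatter moved up in this hunk still builds HTML by concatenating `key` and each resource value into `<b>`, a `title='…'` attribute and a `<span>` without `_.escape`, so a resource value containing markup or a single quote is rendered as markup in the report table; that code is pre-existing, but wrapping the interpolated values in `_.escape(...)` while it is being moved is cheap.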
@@ -254,9 +286,9 @@ define(function(require) {'use strict';
});
}
- htmlStr += '<tr style="height:60px"><td style ="width:80px">'+grpStr+'</td>\
- <td style="width:80px">'+(userStr)+'</td>\
- <td style="width:150px">'+accessStr+'</td></tr>';
+ htmlStr += '<tr style="height:60px"><td class="report-user-group">'+grpStr+'</td>\
+ <td class="report-user-group">'+(userStr)+'</td>\
+ <td class="report-access">'+accessStr+'</td></tr>';
accessStr = '', grpStr = '', userStr = '';
});
return htmlStr;
@@ -269,32 +301,20 @@ define(function(require) {'use strict';
sortable: false,
click: false
},
- resources:
- {
- label: 'Resources',
- cell: 'Html',
+ isEnabled:{
+ label:localization.tt('lbl.status'),
+ cell :"html",
+ editable:false,
formatter: _.extend({}, Backgrid.CellFormatter.prototype, {
- fromRaw: function (rawValue,model) {
- var strVal = '', names = '';
- var resource = model.get('resources');
- _.each(resource,function(resourceObj,key){
- strVal += "<b>"+key+":</b>";
- strVal += "<span title='";
- names = '';
- _.map(resourceObj.values,function(resourceVal){
- names += resourceVal+",";
- });
- names = names.slice(0,-1);
- strVal += names + "'>"+names +"</span>";
- strVal = strVal+ "<br />";
- });
- return strVal;
- }
+ fromRaw: function (rawValue) {
+ return rawValue ? '<label class="label label-success" style="float:inherit;">Enabled</label>' : '<label class="label label-important" style="float:inherit;">Disabled</label>';
+ }
}),
- editable: false,
- sortable: false,
- click: false
+ click : false,
+ drag : false,
+ sortable : false
}
+
};
return coll.constructor.getTableCols(cols, coll);
@@ -327,7 +347,7 @@ define(function(require) {'use strict';
},
modifyTableForSubcolumns : function(){
this.$el.find(".permissions").html('<tr><th colspan="3">Permissions</th></tr>\
- <tr><th style="width:80px">Groups</th><th style="width:80px">Users</th>\
+ <tr><th style="width:80px;max-width:80px;">Groups</th><th style="width:80px;max-width:80px;">Users</th>\
<th style="width:150px">Accesses</th></tr>');
},
onDownload: function(e){
@@ -338,14 +358,28 @@ define(function(require) {'use strict';
});
return;
}
- if(this.searchedFlag) {
+ if(!this.searchedFlag) {
url = this.previousSearchUrl;
+ } else if (this.searchedFlag && this.updatedUrl) {
+ var urlString = XAUtil.getBaseUrl();
+ if(urlString.slice(-1) === "/") {
+ urlString = urlString.slice(0,-1);
+ }
+ url = url + urlString;
+ if (e === "xlsFormat") {
+ url = url + '/service/plugins/policies/downloadExcel?';
+ } else {
+ url = url + '/service/plugins/policies/csv?';
+ }
+ url = url + this.searchedParamsString + this.searchedComponentString;
+ this.previousSearchUrl = url;
+ this.searchedFlag = true;
}
this.ui.downloadReport.attr("href",url)[0].click();
-
},
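Review bot: In the new `else if (this.searchedFlag && this.updatedUrl)` branch of `onDownload`, `url = url + urlString` appends to whatever `url` held before the hunk (the function opens in the previous hunk and the declaration is not visible here), and when `searchedFlag` is true but `updatedUrl` is unset neither branch assigns `url`, so the click on `downloadReport` fires with that stale value; an explicit `url = urlString;` at the top of the branch and a final `else { return; }` would close both gaps. `this.searchedFlag = true;` on the last line of the branch is a no-op, since the branch is only entered when it is already true. The parameter `e` is compared with `"xlsFormat"` rather than used as an event, which the name hides; a comment such as `// e: download format id from setDownloadFormatFilter ('xlsFormat' selects Excel, anything else CSV)` would make the contract visible.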
- getDownloadExcelUrl: function(that,component,params){
- var compString = '', url = '/service/plugins/policies/downloadExcel?';
+ setDownloadReportUrl: function(that,component,params){
+
+ var compString = '', url = '';
if(!_.isUndefined(component)) {
_.each(component,function(comp){
compString = compString + comp + '_';
@@ -360,11 +394,10 @@ define(function(require) {'use strict';
}
});
var str = jQuery.param( params );
- url = url + str;
- if(!_.isEmpty(compString)) {
- url = url + "&serviceType=" + compString;
- }
- return url;
+ this.searchedComponentString = "&serviceType=" + compString;
+ this.searchedParamsString = str;
+ this.updatedUrl = true;
+
},
/** on render callback */
setupGroupAutoComplete : function(){
@@ -567,11 +600,8 @@ define(function(require) {'use strict';
policyNamePartial : policyName,
policyType: policyType
};
- if(urlString.slice(-1) == "/") {
- urlString = urlString.slice(0,-1);
- }
- url = urlString + this.getDownloadExcelUrl(this, component, params);
- this.previousSearchUrl = url;
+
+ this.setDownloadReportUrl(this,component,params);
this.searchedFlag = true;
},
autocompleteFilter : function(e){
@@ -591,6 +621,28 @@ define(function(require) {'use strict';
$button.text('Username');
}
},
+ setDownloadFormatFilter : function(e){
+ var that = this;
+ var el = $(e.currentTarget);
+ if(el.data('id') === "xlsFormat") {
+ if(!that.searchedFlag) {
+ var urlString = XAUtil.getBaseUrl();
+ if(urlString.slice(-1) === "/") {
+ urlString = urlString.slice(0,-1);
+ }
+ }
+ this.previousSearchUrl = urlString + "/service/plugins/policies/downloadExcel?";
+ } else {
+ if(!that.searchedFlag) {
+ var urlString = XAUtil.getBaseUrl();
+ if(urlString.slice(-1) === "/") {
+ urlString = urlString.slice(0,-1);
+ }
+ this.previousSearchUrl = urlString + "/service/plugins/policies/csv?";
+ }
+ }
+ this.onDownload(el.data('id'));
+ },
gotoTable : function(e){
var that = this, elem = $(e.currentTarget),pos;
var scroll = false;
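Review bot: In `setDownloadFormatFilter` the xls branch assigns `this.previousSearchUrl = urlString + "/service/plugins/policies/downloadExcel?";` outside the `if(!that.searchedFlag)` block that declares `urlString`, so once a search has run `urlString` is the hoisted `undefined` and `previousSearchUrl` becomes `"undefined/service/..."`; the csv branch keeps the assignment inside the block, and the xls branch should match it. Both branches repeat the base-URL trimming that `onDownload` performs as well; a small helper returning the trimmed base URL would leave one place to maintain. `that` is assigned but only used where `this` would do.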
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7d452069/security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js b/security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js
index ecd97e8..a766705 100644
--- a/security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js
+++ b/security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js
@@ -63,8 +63,6 @@ define(function(require){
btnSave : '[data-id="save"]',
btnShowHide : '[data-action="showHide"]',
visibilityDropdown : '[data-id="visibilityDropdown"]',
- activeStatusDropdown : '[data-id="activeStatusDropdown"]',
- activeStatusDiv :'[data-id="activeStatusDiv"]',
addNewBtnDiv : '[data-id="addNewBtnDiv"]',
deleteUser: '[data-id="deleteUserGroup"]'
},
@@ -77,7 +75,6 @@ define(function(require){
events['click ' + this.ui.btnShowLess] = 'onShowLess';
events['click ' + this.ui.btnSave] = 'onSave';
events['click ' + this.ui.visibilityDropdown +' li a'] = 'onVisibilityChange';
- events['click ' + this.ui.activeStatusDropdown +' li a'] = 'onStatusChange';
events['click ' + this.ui.deleteUser] = 'onDeleteUser';
return events;
},
@@ -168,38 +165,6 @@ define(function(require){
});
}
},
- onStatusChange : function(e){
- var that = this;
- var status = $(e.currentTarget).attr('data-id') == 'Enable' ? true : false;
- var updateMap = {};
- var collection = this.showUsers ? this.collection : this.groupList;
-
- _.each(collection.selected, function(s){
- if( s.get('status') != status ){
- s.set('status', status);
- s.toServerStatus();
- updateMap[s.get('id')] = s.get('status');
- }
- });
-
- var clearCache = function(coll){
- _.each(Backbone.fetchCache._cache, function(url, val){
- var urlStr = coll.url;
- if((val.indexOf(urlStr) != -1)){
- Backbone.fetchCache.clearItem(val);
- }
- });
- coll.fetch({reset: true, cache : false});
- }
- if(this.showUsers){
- collection.setStatus(updateMap, {
- success : function(){
- that.chgFlags = [];
- clearCache(collection);
- }
- });
- }
- },
renderUserTab : function(){
var that = this;
if(_.isUndefined(this.collection)){
@@ -217,7 +182,6 @@ define(function(require){
if(!_.isString(that.ui.addNewGroup)){
that.ui.addNewGroup.hide();
that.ui.addNewUser.show();
- that.ui.activeStatusDiv.show();
}
that.$('.wrap-header').text('User List');
that.checkRoleKeyAdmin();
@@ -237,7 +201,6 @@ define(function(require){
}).done(function(){
that.ui.addNewUser.hide();
that.ui.addNewGroup.show();
- that.ui.activeStatusDiv.hide();
that.$('.wrap-header').text('Group List');
that.$('ul').find('[data-js="groups"]').addClass('active');
that.$('ul').find('[data-js="users"]').removeClass();
@@ -364,25 +327,7 @@ define(function(require){
}),
editable:false,
sortable:false
- },
- status : {
- label : localization.tt("lbl.status"),
- cell : Backgrid.HtmlCell.extend({className: 'cellWidth-1'}),
- formatter: _.extend({}, Backgrid.CellFormatter.prototype, {
- fromRaw: function (rawValue, model) {
- if(!_.isUndefined(rawValue)){
- if(rawValue)
- return '<span class="label label-success">'+XAEnums.ActiveStatus.STATUS_ENABLED.label+'</span>';
- else
- return '<span class="label label-green">'+XAEnums.ActiveStatus.STATUS_DISABLED.label+'</span>';
- }else
- return '--';
- }
- }),
- editable:false,
- sortable:false
- },
-
+ }
};
return this.collection.constructor.getTableCols(cols, this.collection);
},
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7d452069/security-admin/src/main/webapp/styles/xa.css
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/styles/xa.css b/security-admin/src/main/webapp/styles/xa.css
index b586e11..a451761 100644
--- a/security-admin/src/main/webapp/styles/xa.css
+++ b/security-admin/src/main/webapp/styles/xa.css
@@ -1915,10 +1915,6 @@ input[type="radio"], input[type="checkbox"] {margin-top: 0;}
margin-top: -2px;
font-size: 11px;
}
-.backgrid > tbody > tr > td:nth-child(5) {
- text-align: left !important;
- width: 200px
-}
.control-label-align {
width: 80px !important;
}
@@ -1944,3 +1940,48 @@ input[type="radio"], input[type="checkbox"] {margin-top: 0;}
.permissionItemSortable > tr:hover > td:first-child:after {
border-color: rgba(0,0,0,0.5);
}
+.download-list {
+ min-width: 100px;
+ max-width: 120px;
+}
+.hdfs-table table.backgrid thead th:nth-child(1){
+ width: 60px;
+ max-width: 60px
+}
+.hdfs-table table.backgrid thead th:nth-child(2) {
+ /*width: 300px;*/
+ width: 25%;
+}
+.hdfs-table table.backgrid thead th:nth-child(3){
+ width:200px;
+}
+.hdfs-table table.backgrid thead th:nth-child(4){
+ width:100px;
+}
+.hdfs-table table.backgrid tbody td:nth-child(4){
+ width:100px;
+ text-align: center;
+}
+.hdfs-table table.backgrid tbody tr td:nth-child(3){
+ text-align: left !important;
+ max-width: 200px;
+}
+.hdfs-table table.backgrid tbody tr td:nth-child(6){
+ text-align: center;
+ width: 100px
+}
+.hdfs-table table.backgrid thead th:nth-child(6){
+ text-align: center;
+ width: 100px;
+}
+.hdfs-table table.backgrid thead th:nth-child(5) tr{
+ border-left-style: hidden;
+}
+.report-access{
+ width:100%;
+ border-right:1px solid #DDD;
+}
+.report-user-group{
+ width:80px;
+ min-width:80px;
+}
\ No newline at end of file
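Review bot: The selector `.hdfs-table table.backgrid thead th:nth-child(5) tr` can never match, because a `tr` is not a descendant of a `th`; either the fifth header cell itself (`th:nth-child(5)`) was meant or the rule should be dropped. Two declarations lack a trailing semicolon (`max-width: 60px` in the first `th:nth-child(1)` block and `width: 100px` under `tbody tr td:nth-child(6)`); they parse today only because they are last in their block, and a later edit that appends a property will silently break them.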
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7d452069/security-admin/src/main/webapp/templates/reports/UserAccessLayout_tmpl.html
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/templates/reports/UserAccessLayout_tmpl.html b/security-admin/src/main/webapp/templates/reports/UserAccessLayout_tmpl.html
index 48741ce..df7acfb 100644
--- a/security-admin/src/main/webapp/templates/reports/UserAccessLayout_tmpl.html
+++ b/security-admin/src/main/webapp/templates/reports/UserAccessLayout_tmpl.html
@@ -96,10 +96,18 @@
</div>
<div class="row-fluid">
<span>
- <button type="button" class="btn btn-primary btn-small btn-right" data-js="downloadBtn" title="Download all below policies" name="downloadPolicy">
- <i class="icon-download-alt"></i>
- Download
+ <div class="btn-group btn-right">
+ <button type="button" data-name="downloadFormatBtn" class="btn btn-primary dropdown-toggle" title="Download all below policies" data-toggle="dropdown">
+ <i class="icon-download-alt"></i>
+ <span>Download</span>
+ <span class="caret"> </span>
</button>
+ <ul class="dropdown-menu download-list">
+ <li><a data-id="xlsFormat" class="downloadFormat" href="javascript:void(0)">Excel file</a></li>
+ <li role="separator" class="divider"></li>
+ <li><a data-id="csvFormat" class="downloadFormat" href="javascript:void(0)">CSV file</a></li>
+ </ul>
+ </div>
</span>
<a href="javascript:void(0)" data-id="downloadReport"></a>
</div>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7d452069/security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html b/security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html
index f7c90f3..b7d4967 100644
--- a/security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html
+++ b/security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html
@@ -33,8 +33,6 @@
{{#isSystemAdmin .}}
<a href="javascript:void(0);" data-id="deleteUserGroup" title="Permanently delete selected users/groups" class="btn btn-primary btn-right btn-danger"><i class="icon-trash icon-large" /></a>
{{/isSystemAdmin}}
- <a href="#!/user/create" class="btn btn-primary btn-right" type="button" data-id="addNewUser"> {{tt 'lbl.addNewUser'}} </a>
- <a href="#!/group/create" class="btn btn-primary btn-right" type="button" data-id="addNewGroup" style="display:none;"> {{tt 'lbl.addNewGroup'}} </a>
<div class="btn-group btn-right">
<a class="btn btn-primary dropdown-toggle" data-toggle="dropdown" href="#">
{{tt 'btn.setVisibility'}}
@@ -45,16 +43,8 @@
<li><a href="javascript:void(0);" data-id="hidden">{{tt 'lbl.VisibilityStatus_IS_HIDDEN'}}</a></li>
</ul>
</div>
- <div class="btn-group btn-right" data-id="activeStatusDiv">
- <a class="btn btn-primary dropdown-toggle" data-toggle="dropdown" href="#">
- {{tt 'btn.setStatus'}}
- <span class="caret"></span>
- </a>
- <ul class="dropdown-menu" data-id="activeStatusDropdown">
- <li><a href="javascript:void(0);" data-id="Enable">{{tt 'lbl.ActiveStatus_STATUS_ENABLED'}}</a></li>
- <li><a href="javascript:void(0);" data-id="Disable">{{tt 'lbl.ActiveStatus_STATUS_DISABLED'}}</a></li>
- </ul>
- </div>
+ <a href="#!/user/create" class="btn btn-primary btn-right" type="button" data-id="addNewUser"> {{tt 'lbl.addNewUser'}} </a>
+ <a href="#!/group/create" class="btn btn-primary btn-right" type="button" data-id="addNewGroup" style="display:none;"> {{tt 'lbl.addNewGroup'}} </a>
</div>
<div data-id="r_tableList" class="clickable">
<b class="_prevNav"></b>
[3/4] incubator-ranger git commit: RANGER-995 : Implement session
fixation protection
Posted by ga...@apache.org.
RANGER-995 : Implement session fixation protection
Signed-off-by: Gautam Borad <ga...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/14f8c118
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/14f8c118
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/14f8c118
Branch: refs/heads/master
Commit: 14f8c118368cb9e5ee01a7a59b9ade03de48a288
Parents: e115000
Author: pradeep <pr...@freestoneinfotech.com>
Authored: Thu May 26 14:43:22 2016 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Mon May 30 17:58:14 2016 +0530
----------------------------------------------------------------------
.../RangerAuthSuccessHandler.java | 2 ++
...RangerSessionFixationProtectionStrategy.java | 33 ++++++++++++++++++++
2 files changed, 35 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/14f8c118/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthSuccessHandler.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthSuccessHandler.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthSuccessHandler.java
index bf16a57..877620b 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthSuccessHandler.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthSuccessHandler.java
@@ -76,6 +76,8 @@ SavedRequestAwareAuthenticationSuccessHandler {
HttpServletResponse response, Authentication authentication)
throws ServletException, IOException {
+ RangerSessionFixationProtectionStrategy rangerSessionFixationProtectionStrategy=new RangerSessionFixationProtectionStrategy();
+ rangerSessionFixationProtectionStrategy.onAuthentication(authentication, request, response);
WebAuthenticationDetails details = (WebAuthenticationDetails) authentication
.getDetails();
String remoteAddress = details != null ? details.getRemoteAddress()
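Review bot: A new RangerSessionFixationProtectionStrategy is allocated on every successful login inside onAuthenticationSuccess, whose body starts and ends outside this hunk; nothing in the commit gives the strategy per-request state, so it should be a `private final` field (or an injected bean) rather than a per-call `new`. Invoking it from the success handler instead of wiring it as the login filter's SessionAuthenticationStrategy (AbstractAuthenticationProcessingFilter.setSessionAuthenticationStrategy) presumably works, but it runs after the filter's own strategy and outside the `<session-management>` configuration, which deserves a comment such as `// rotate the session id here because customUsernamePasswordAuthenticationFilter is not configured with a SessionAuthenticationStrategy`.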
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/14f8c118/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerSessionFixationProtectionStrategy.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerSessionFixationProtectionStrategy.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerSessionFixationProtectionStrategy.java
new file mode 100644
index 0000000..4c73b52
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerSessionFixationProtectionStrategy.java
@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.security.web.authentication;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
+
+public class RangerSessionFixationProtectionStrategy extends SessionFixationProtectionStrategy {
+
+ @Override
+ public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response){
+ super.onAuthentication(authentication, request, response);
+ }
+}
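Review bot: The onAuthentication override only delegates to `super.onAuthentication(...)`, so the subclass adds no behaviour over SessionFixationProtectionStrategy; either remove the override, leaving an intentionally empty subclass, or document why the class exists. A class-level Javadoc is missing; something like `/** Session-fixation protection applied on successful login; relies on the Spring default (migrate the session and copy its attributes). */` tells the next reader what the type is for, with the default-behaviour claim to be confirmed against the Spring Security version in use.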
[2/4] incubator-ranger git commit: RANGER-995 : CSRF implementation
in Ranger
Posted by ga...@apache.org.
RANGER-995 : CSRF implementation in Ranger
Signed-off-by: Gautam Borad <ga...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/e1150005
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/e1150005
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/e1150005
Branch: refs/heads/master
Commit: e11500050d32845441c96adee45d4289624dbf85
Parents: 7d45206
Author: Ankita Sinha <an...@freestoneinfotech.com>
Authored: Wed May 25 12:19:42 2016 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Mon May 30 17:58:10 2016 +0530
----------------------------------------------------------------------
.../org/apache/ranger/rest/ServiceREST.java | 22 ++
.../web/filter/RangerCSRFPreventionFilter.java | 229 +++++++++++++++++++
.../resources/conf.dist/ranger-admin-site.xml | 18 ++
.../conf.dist/security-applicationContext.xml | 4 +
security-admin/src/main/webapp/scripts/Main.js | 3 +-
.../src/main/webapp/scripts/modules/RestCsrf.js | 98 ++++++++
.../filter/TestRangerCSRFPreventionFilter.java | 152 ++++++++++++
7 files changed, 525 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e1150005/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 052254d..886e78f 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -56,6 +56,7 @@ import org.apache.ranger.biz.XUserMgr;
import org.apache.ranger.common.ContextUtil;
import org.apache.ranger.common.GUIDUtil;
import org.apache.ranger.common.MessageEnums;
+import org.apache.ranger.common.PropertiesUtil;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.RangerSearchUtil;
import org.apache.ranger.common.RangerValidatorFactory;
@@ -114,6 +115,11 @@ public class ServiceREST {
private static final String Allowed_User_List_For_Download = "policy.download.auth.users";
private static final String Allowed_User_List_For_Grant_Revoke = "policy.grantrevoke.auth.users";
+ public static final String isCSRF_ENABLED = "ranger.rest-csrf.enabled";
+ public static final String BROWSER_USER_AGENT_PARAM = "ranger.rest-csrf.browser-useragents-regex";
+ public static final String CUSTOM_METHODS_TO_IGNORE_PARAM = "ranger.rest-csrf.methods-to-ignore";
+ public static final String CUSTOM_HEADER_PARAM = "ranger.rest-csrf.custom-header";
+
@Autowired
RESTErrorUtil restErrorUtil;
@@ -2248,7 +2254,23 @@ public class ServiceREST {
public String checkSSO() {
return String.valueOf(bizUtil.isSSOEnabled());
}
+
+ @GET
+ @Path("/csrfconf")
+ @Produces({ "application/json"})
+ public HashMap<String, Object> getCSRFProperties() {
+ return getCSRFPropertiesMap();
+ }
+ private HashMap<String, Object> getCSRFPropertiesMap() {
+ HashMap<String, Object> map = new HashMap<String, Object>();
+ map.put(isCSRF_ENABLED, PropertiesUtil.getBooleanProperty(isCSRF_ENABLED, false));
+ map.put(CUSTOM_HEADER_PARAM, PropertiesUtil.getProperty(CUSTOM_HEADER_PARAM));
+ map.put(BROWSER_USER_AGENT_PARAM, PropertiesUtil.getProperty(BROWSER_USER_AGENT_PARAM));
+ map.put(CUSTOM_METHODS_TO_IGNORE_PARAM, PropertiesUtil.getProperty(CUSTOM_METHODS_TO_IGNORE_PARAM));
+ return map;
+ }
+
boolean isAdminUserWithNoFilterParams(SearchFilter filter) {
return (filter == null || MapUtils.isEmpty(filter.getParams())) &&
(bizUtil.isAdmin() || bizUtil.isKeyAdmin());
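Review bot: getCSRFPropertiesMap reports `ranger.rest-csrf.enabled` with a default of `false` when the property is unset, while RangerCSRFPreventionFilter in this same commit reads the same key with a default of `true`; with the property absent the server enforces the header but tells the browser client that CSRF is off, so the client never sends the header and every non-ignored browser request gets a 400. The two defaults should agree, ideally by having ServiceREST reference RangerCSRFPreventionFilter's constants rather than duplicating the four property keys. Minor: return `Map<String, Object>` rather than `HashMap`, and `isCSRF_ENABLED` is a constant and should be named like one (e.g. `CSRF_ENABLED_PARAM`).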
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e1150005/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java
new file mode 100644
index 0000000..42b4ad4
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java
@@ -0,0 +1,229 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.security.web.filter;
+
+import java.io.IOException;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.log4j.Logger;
+import org.apache.ranger.common.PropertiesUtil;
+
+public class RangerCSRFPreventionFilter implements Filter {
+
+ private static final Logger LOG = Logger.getLogger(RangerCSRFPreventionFilter.class);
+
+ public static final boolean isCSRF_ENABLED = PropertiesUtil.getBooleanProperty("ranger.rest-csrf.enabled",true);
+ public static final String BROWSER_USER_AGENT_PARAM = "ranger.rest-csrf.browser-useragents-regex";
+ static final String BROWSER_USER_AGENTS_DEFAULT = "^Mozilla.*,^Opera.*";
+ public static final String CUSTOM_METHODS_TO_IGNORE_PARAM = "ranger.rest-csrf.methods-to-ignore";
+ static final String METHODS_TO_IGNORE_DEFAULT = "GET,OPTIONS,HEAD,TRACE";
+ public static final String CUSTOM_HEADER_PARAM = "ranger.rest-csrf.custom-header";
+ public static final String HEADER_DEFAULT = "X-XSRF-HEADER";
+ public static final String HEADER_USER_AGENT = "User-Agent";
+
+ private String headerName = HEADER_DEFAULT;
+ private Set<String> methodsToIgnore = null;
+ private Set<Pattern> browserUserAgents;
+
+ public RangerCSRFPreventionFilter() {
+ try {
+ if (isCSRF_ENABLED){
+ init(null);
+ }
+ } catch (Exception e) {
+ LOG.error("Error while initializing Filter : "+e.getMessage());
+ }
+ }
+
+ public void init(FilterConfig filterConfig) throws ServletException {
+ String customHeader = PropertiesUtil.getProperty(CUSTOM_HEADER_PARAM);
+ if (customHeader != null) {
+ headerName = customHeader;
+ }
+
+ String customMethodsToIgnore = PropertiesUtil.getProperty(CUSTOM_METHODS_TO_IGNORE_PARAM);
+ if (customMethodsToIgnore != null) {
+ parseMethodsToIgnore(customMethodsToIgnore);
+ } else {
+ parseMethodsToIgnore(METHODS_TO_IGNORE_DEFAULT);
+ }
+ String agents = PropertiesUtil.getProperty(BROWSER_USER_AGENT_PARAM);
+ if (agents == null) {
+ agents = BROWSER_USER_AGENTS_DEFAULT;
+ }
+ parseBrowserUserAgents(agents);
+ LOG.info("Adding cross-site request forgery (CSRF) protection");
+ }
+
+ void parseMethodsToIgnore(String mti) {
+ String[] methods = mti.split(",");
+ methodsToIgnore = new HashSet<String>();
+ for (int i = 0; i < methods.length; i++) {
+ methodsToIgnore.add(methods[i]);
+ }
+ }
+
+ void parseBrowserUserAgents(String userAgents) {
+ String[] agentsArray = userAgents.split(",");
+ browserUserAgents = new HashSet<Pattern>();
+ for (String patternString : agentsArray) {
+ browserUserAgents.add(Pattern.compile(patternString));
+ }
+ }
+
+ protected boolean isBrowser(String userAgent) {
+ if (userAgent == null) {
+ return false;
+ }
+ if (browserUserAgents != null){
+ for (Pattern pattern : browserUserAgents) {
+ Matcher matcher = pattern.matcher(userAgent);
+ if (matcher.matches()) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
+
+ public interface HttpInteraction {
+ /**
+ * Returns the value of a header.
+ *
+ * @param header
+ * name of header
+ * @return value of header
+ */
+ String getHeader(String header);
+
+ /**
+ * Returns the method.
+ *
+ * @return method
+ */
+ String getMethod();
+
+ /**
+ * Called by the filter after it decides that the request may proceed.
+ *
+ * @throws IOException
+ * if there is an I/O error
+ * @throws ServletException
+ * if the implementation relies on the servlet API and a
+ * servlet API call has failed
+ */
+ void proceed() throws IOException, ServletException;
+
+ /**
+ * Called by the filter after it decides that the request is a potential
+ * CSRF attack and therefore must be rejected.
+ *
+ * @param code
+ * status code to send
+ * @param message
+ * response message
+ * @throws IOException
+ * if there is an I/O error
+ */
+ void sendError(int code, String message) throws IOException;
+ }
+
+ public void handleHttpInteraction(HttpInteraction httpInteraction)
+ throws IOException, ServletException {
+ if (!isBrowser(httpInteraction.getHeader(HEADER_USER_AGENT))
+ || methodsToIgnore.contains(httpInteraction.getMethod())
+ || httpInteraction.getHeader(headerName) != null) {
+ httpInteraction.proceed();
+ }else {
+ httpInteraction.sendError(HttpServletResponse.SC_BAD_REQUEST,"Missing Required Header for CSRF Vulnerability Protection");
+ }
+ }
+
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+ if (isCSRF_ENABLED){
+ final HttpServletRequest httpRequest = (HttpServletRequest)request;
+ final HttpServletResponse httpResponse = (HttpServletResponse)response;
+ handleHttpInteraction(new ServletFilterHttpInteraction(httpRequest, httpResponse, chain));
+ }else{
+ chain.doFilter(request, response);
+ }
+ }
+
+ public void destroy() {
+ }
+
+ private static final class ServletFilterHttpInteraction implements
+ HttpInteraction {
+
+ private final FilterChain chain;
+ private final HttpServletRequest httpRequest;
+ private final HttpServletResponse httpResponse;
+
+ /**
+ * Creates a new ServletFilterHttpInteraction.
+ *
+ * @param httpRequest
+ * request to process
+ * @param httpResponse
+ * response to process
+ * @param chain
+ * filter chain to forward to if HTTP interaction is allowed
+ */
+ public ServletFilterHttpInteraction(HttpServletRequest httpRequest,
+ HttpServletResponse httpResponse, FilterChain chain) {
+ this.httpRequest = httpRequest;
+ this.httpResponse = httpResponse;
+ this.chain = chain;
+ }
+
+ @Override
+ public String getHeader(String header) {
+ return httpRequest.getHeader(header);
+ }
+
+ @Override
+ public String getMethod() {
+ return httpRequest.getMethod();
+ }
+
+ @Override
+ public void proceed() throws IOException, ServletException {
+ chain.doFilter(httpRequest, httpResponse);
+ }
+
+ @Override
+ public void sendError(int code, String message) throws IOException {
+ httpResponse.sendError(code, message);
+ }
+ }
+}
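Review bot: parseMethodsToIgnore and parseBrowserUserAgents split on `,` without trimming, so a configured value such as `GET, OPTIONS` yields the entry ` OPTIONS` that never equals the request method, and a user-agent regex with a leading space never matches; the JavaScript client in RestCsrf.js trims the same list, so the two sides disagree on the same configuration. Adding `.trim()` in both loops, `methodsToIgnore.add(methods[i].trim());` and `browserUserAgents.add(Pattern.compile(patternString.trim()));`, aligns them. The constructor's catch logs only `e.getMessage()` and drops the stack trace; use `LOG.error("Error while initializing Filter", e);`. If init fails before parseMethodsToIgnore runs, `methodsToIgnore` stays null and handleHttpInteraction throws a NullPointerException on every browser request, so initialising the fields to the defaults at declaration (or failing fast) would be safer than the silent catch.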
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e1150005/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
index c1a91ae..60a2c96 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
@@ -288,4 +288,22 @@
<name>ranger.kms.service.user.hive</name>
<value>hive</value>
</property>
+ <!-- CSRF Properties Starts-->
+ <property>
+ <name>ranger.rest-csrf.enabled</name>
+ <value>true</value>
+ </property>
+ <property>
+ <name>ranger.rest-csrf.custom-header</name>
+ <value>X-XSRF-HEADER</value>
+ </property>
+ <property>
+ <name>ranger.rest-csrf.methods-to-ignore</name>
+ <value>GET,OPTIONS,HEAD,TRACE</value>
+ </property>
+ <property>
+ <name>ranger.rest-csrf.browser-useragents-regex</name>
+ <value>^Mozilla.*,^Opera.*</value>
+ </property>
+ <!-- CSRF Properties ENDs-->
</configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e1150005/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
index 66ef8af..13ddb26 100644
--- a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
+++ b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
@@ -50,6 +50,7 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
<intercept-url pattern="/**" access="isAuthenticated()"/>
<custom-filter ref="ssoAuthenticationFilter" after="BASIC_AUTH_FILTER" />
<security:custom-filter ref="krbAuthenticationFilter" after="SERVLET_API_SUPPORT_FILTER" />
+ <security:custom-filter ref="CSRFPreventionFilter" after="REMEMBER_ME_FILTER" />
<security:custom-filter position="FORM_LOGIN_FILTER" ref="customUsernamePasswordAuthenticationFilter"/>
<security:custom-filter position="LAST" ref="userContextFormationFilter"/>
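Review bot: The CSRF filter is registered `after="REMEMBER_ME_FILTER"`, which in Spring Security's standard filter ordering comes later than FORM_LOGIN_FILTER, where `customUsernamePasswordAuthenticationFilter` processes the login POST; if that ordering holds here, the login request itself is never checked for the custom header. Whether that is acceptable depends on whether login CSRF is in scope, and the decision deserves a comment on the `custom-filter` line, such as `<!-- after REMEMBER_ME_FILTER: REST calls are covered; the form-login POST is handled earlier in the chain -->`.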
@@ -93,6 +94,9 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
<beans:bean id="krbAuthenticationFilter" class="org.apache.ranger.security.web.filter.RangerKRBAuthenticationFilter">
</beans:bean>
+ <beans:bean id="CSRFPreventionFilter" class="org.apache.ranger.security.web.filter.RangerCSRFPreventionFilter">
+ </beans:bean>
+
<beans:bean id="ssoAuthenticationFilter" class="org.apache.ranger.security.web.filter.RangerSSOAuthenticationFilter">
</beans:bean>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e1150005/security-admin/src/main/webapp/scripts/Main.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/Main.js b/security-admin/src/main/webapp/scripts/Main.js
index 460c91a..d518afb 100644
--- a/security-admin/src/main/webapp/scripts/Main.js
+++ b/security-admin/src/main/webapp/scripts/Main.js
@@ -24,10 +24,11 @@
'routers/Router',
'controllers/Controller',
'modules/XAOverrides',
+ 'modules/RestCsrf',
'utils/XAUtils',
'hbs!tmpl/common/loading_tmpl'
],
-function ( Backbone, App, RegionManager, AppRouter, AppController, XAOverrides, XAUtils, loadingHTML ) {
+function ( Backbone, App, RegionManager, AppRouter, AppController, XAOverrides,RestCSRF, XAUtils, loadingHTML ) {
'use strict';
var controller = new AppController();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e1150005/security-admin/src/main/webapp/scripts/modules/RestCsrf.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/modules/RestCsrf.js b/security-admin/src/main/webapp/scripts/modules/RestCsrf.js
new file mode 100644
index 0000000..2eff355
--- /dev/null
+++ b/security-admin/src/main/webapp/scripts/modules/RestCsrf.js
@@ -0,0 +1,98 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+//"use strict";
+
+// Initializes client-side handling of cross-site request forgery (CSRF)
+// protection by figuring out the custom HTTP headers that need to be sent in
+// requests and which HTTP methods are ignored because they do not require CSRF
+// protection.
+(function() {
+ "use strict";
+ require('jquery');
+ var restCsrfCustomHeader = null;
+ var restCsrfMethodsToIgnore = null;
+
+ if(!window.location.origin){
+ window.location.origin = window.location.protocol + "//" + window.location.hostname + (window.location.port ? ':' + window.location.port: '');
+ }
+ var baseUrl = window.location.origin +
+ window.location.pathname.substring(window.location.pathname.indexOf('/', 2) + 1, 0);
+ if(baseUrl.slice(-1) == "/") {
+ baseUrl = baseUrl.slice(0,-1);
+ }
+ var url = baseUrl + "/service/plugins/csrfconf";
+
+ $.ajax({'url': url, 'dataType': 'json', 'async': false}).done(
+ function(data) {
+ function getTrimmedStringArrayValue(element) {
+ var str = element, array = [];
+ if (str) {
+ var splitStr = str.split(',');
+ for (var i = 0; i < splitStr.length; i++) {
+ array.push(splitStr[i].trim());
+ }
+ }
+ return array;
+ }
+
+ // Get all relevant configuration properties.
+ var $xml = $(data);
+ var csrfEnabled = false;
+ var header = null;
+ var methods = [];
+ $xml.each(function(indx,element){
+ if(element['ranger.rest-csrf.enabled']) {
+ var str = "" + element['ranger.rest-csrf.enabled'];
+ csrfEnabled = (str.toLowerCase() == 'true');
+ }
+ if (element['ranger.rest-csrf.custom-header']) {
+ header = element['ranger.rest-csrf.custom-header'].trim();
+ }
+ if (element['ranger.rest-csrf.methods-to-ignore']) {
+ methods = getTrimmedStringArrayValue(element['ranger.rest-csrf.methods-to-ignore']);
+ }
+ });
+
+ // If enabled, set up all subsequent AJAX calls with a pre-send callback
+ // that adds the custom headers if necessary.
+ if (csrfEnabled) {
+ restCsrfCustomHeader = header;
+ restCsrfMethodsToIgnore = {};
+ methods.map(function(method) { restCsrfMethodsToIgnore[method] = true; });
+ $.ajaxSetup({
+ beforeSend: addRestCsrfCustomHeader
+ });
+ }
+ });
+
+ // Adds custom headers to request if necessary. This is done only for WebHDFS
+ // URLs, and only if it's not an ignored method.
+ function addRestCsrfCustomHeader(xhr, settings) {
+// if (settings.url == null || !settings.url.startsWith('/webhdfs/')) {
+ if (settings.url == null ) {
+ return;
+ }
+ var method = settings.type;
+ if (restCsrfCustomHeader != null && !restCsrfMethodsToIgnore[method]) {
+ // The value of the header is unimportant. Only its presence matters.
+ xhr.setRequestHeader(restCsrfCustomHeader, '""');
+ }
+ }
+})();
\ No newline at end of file
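Review bot: The comment above addRestCsrfCustomHeader says the header is added "only for WebHDFS URLs", which is no longer true once the `/webhdfs/` check is commented out; the stale sentence and the commented-out line should go, replaced by `// Adds the CSRF header to every request whose method is not in the ignore list.` The configuration fetch uses `'async': false`, which blocks the UI thread during startup and is deprecated by browsers on the main thread; deferring `$.ajaxSetup` to the `.done` callback of an asynchronous request avoids that. There is also no `.fail` handler, so if `/service/plugins/csrfconf` is unreachable the header is silently never configured and later browser POSTs fail with the filter's 400, which is hard to diagnose without at least a `console.error`. Minor: `methods.map(...)` is used purely for its side effect; `forEach` states the intent.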
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e1150005/security-admin/src/test/java/org/apache/ranger/security/web/filter/TestRangerCSRFPreventionFilter.java
----------------------------------------------------------------------
diff --git a/security-admin/src/test/java/org/apache/ranger/security/web/filter/TestRangerCSRFPreventionFilter.java b/security-admin/src/test/java/org/apache/ranger/security/web/filter/TestRangerCSRFPreventionFilter.java
new file mode 100644
index 0000000..f15def4
--- /dev/null
+++ b/security-admin/src/test/java/org/apache/ranger/security/web/filter/TestRangerCSRFPreventionFilter.java
@@ -0,0 +1,152 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.security.web.filter;
+
+import java.io.IOException;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.junit.Test;
+import org.mockito.Mockito;
+
+import static org.mockito.Mockito.atLeastOnce;
+import static org.mockito.Mockito.verify;
+
+public class TestRangerCSRFPreventionFilter {
+
+ private static final String EXPECTED_MESSAGE = "Missing Required Header for CSRF Vulnerability Protection";
+ private static final String X_CUSTOM_HEADER = "X-CUSTOM_HEADER";
+ private String userAgent = "Mozilla";
+
+ @Test
+ public void testNoHeaderDefaultConfig_badRequest() throws ServletException, IOException {
+ // CSRF has not been sent
+ HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(mockReq.getHeader(RangerCSRFPreventionFilter.HEADER_DEFAULT)).thenReturn(null);
+ Mockito.when(mockReq.getHeader(RangerCSRFPreventionFilter.HEADER_USER_AGENT)).thenReturn(userAgent);
+
+ // Objects to verify interactions based on request
+ HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
+ FilterChain mockChain = Mockito.mock(FilterChain.class);
+
+ // Object under test
+ RangerCSRFPreventionFilter filter = new RangerCSRFPreventionFilter();
+ filter.doFilter(mockReq, mockRes, mockChain);
+
+ verify(mockRes, atLeastOnce()).sendError(HttpServletResponse.SC_BAD_REQUEST, EXPECTED_MESSAGE);
+ Mockito.verifyZeroInteractions(mockChain);
+ }
+
+ @Test
+ public void testHeaderPresentDefaultConfig_goodRequest() throws ServletException, IOException {
+ // CSRF HAS been sent
+ HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(mockReq.getHeader(RangerCSRFPreventionFilter.HEADER_DEFAULT)).thenReturn("valueUnimportant");
+ Mockito.when(mockReq.getHeader(RangerCSRFPreventionFilter.HEADER_USER_AGENT)).thenReturn(userAgent);
+
+ // Objects to verify interactions based on request
+ HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
+ FilterChain mockChain = Mockito.mock(FilterChain.class);
+
+ // Object under test
+ RangerCSRFPreventionFilter filter = new RangerCSRFPreventionFilter();
+ filter.doFilter(mockReq, mockRes, mockChain);
+
+ Mockito.verify(mockChain).doFilter(mockReq, mockRes);
+ }
+
+ @Test
+ public void testHeaderPresentCustomHeaderConfig_goodRequest() throws ServletException, IOException {
+ // CSRF HAS been sent
+ HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(mockReq.getHeader(X_CUSTOM_HEADER)).thenReturn("valueUnimportant");
+
+ // Objects to verify interactions based on request
+ HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
+ FilterChain mockChain = Mockito.mock(FilterChain.class);
+
+ // Object under test
+ RangerCSRFPreventionFilter filter = new RangerCSRFPreventionFilter();
+ filter.doFilter(mockReq, mockRes, mockChain);
+
+ Mockito.verify(mockChain).doFilter(mockReq, mockRes);
+ }
+
+ @Test
+ public void testMissingHeaderWithCustomHeaderConfig_badRequest() throws ServletException, IOException {
+ // CSRF has not been sent
+ HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(mockReq.getHeader(X_CUSTOM_HEADER)).thenReturn(null);
+ Mockito.when(mockReq.getHeader(RangerCSRFPreventionFilter.HEADER_USER_AGENT)).thenReturn(userAgent);
+
+ // Objects to verify interactions based on request
+ HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
+ FilterChain mockChain = Mockito.mock(FilterChain.class);
+
+ // Object under test
+ RangerCSRFPreventionFilter filter = new RangerCSRFPreventionFilter();
+ filter.doFilter(mockReq, mockRes, mockChain);
+
+ Mockito.verifyZeroInteractions(mockChain);
+ }
+
+ @Test
+ public void testMissingHeaderIgnoreGETMethodConfig_goodRequest()
+ throws ServletException, IOException {
+ // CSRF has not been sent
+ HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(mockReq.getHeader(RangerCSRFPreventionFilter.HEADER_DEFAULT)).thenReturn(null);
+ Mockito.when(mockReq.getMethod()).thenReturn("GET");
+ Mockito.when(mockReq.getHeader(RangerCSRFPreventionFilter.HEADER_USER_AGENT)).thenReturn(userAgent);
+
+ // Objects to verify interactions based on request
+ HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
+ FilterChain mockChain = Mockito.mock(FilterChain.class);
+
+ // Object under test
+ RangerCSRFPreventionFilter filter = new RangerCSRFPreventionFilter();
+ filter.doFilter(mockReq, mockRes, mockChain);
+
+ Mockito.verify(mockChain).doFilter(mockReq, mockRes);
+ }
+
+ @Test
+ public void testMissingHeaderMultipleIgnoreMethodsConfig_badRequest()
+ throws ServletException, IOException {
+ // CSRF has not been sent
+ HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(mockReq.getHeader(RangerCSRFPreventionFilter.HEADER_DEFAULT))
+ .thenReturn(null);
+ Mockito.when(mockReq.getMethod()).thenReturn("PUT");
+ Mockito.when(mockReq.getHeader(RangerCSRFPreventionFilter.HEADER_USER_AGENT)).thenReturn(userAgent);
+
+ // Objects to verify interactions based on request
+ HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
+ FilterChain mockChain = Mockito.mock(FilterChain.class);
+
+ // Object under test
+ RangerCSRFPreventionFilter filter = new RangerCSRFPreventionFilter();
+ filter.doFilter(mockReq, mockRes, mockChain);
+
+ Mockito.verifyZeroInteractions(mockChain);
+ }
+}
\ No newline at end of file
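Review bot: `testHeaderPresentCustomHeaderConfig_goodRequest` and `testMissingHeaderWithCustomHeaderConfig_badRequest` never configure the filter to use `X_CUSTOM_HEADER` — each builds a bare `new RangerCSRFPreventionFilter()` with no `init(FilterConfig)` or property override — so the stubbed `X-CUSTOM_HEADER` lookup is never consulted and the test names promise a scenario the tests do not exercise. In the good-request case the `User-Agent` header is also left unstubbed (null), unlike every other test in the class, which is presumably what lets the request reach `mockChain.doFilter` via the browser check rather than via the custom header; a regression in custom-header handling would therefore go unnoticed. Either wire the custom header name into the filter before `doFilter` through whatever configuration path it reads, or rename the tests to what they actually verify. The two `_badRequest` tests at the end also only assert `Mockito.verifyZeroInteractions(mockChain)`; adding `verify(mockRes, atLeastOnce()).sendError(HttpServletResponse.SC_BAD_REQUEST, EXPECTED_MESSAGE);` as the first test does would pin the response as well.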
[4/4] incubator-ranger git commit: RANGER-899: Problem
Changing/Updating emailAddress of logged in user using API
Posted by ga...@apache.org.
RANGER-899: Problem Changing/Updating emailAddress of logged in user using API
Signed-off-by: Gautam Borad <ga...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/ced7c3b7
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/ced7c3b7
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/ced7c3b7
Branch: refs/heads/master
Commit: ced7c3b7af823614c2fbc5a0858e8954aed42f51
Parents: 14f8c11
Author: pradeep <pr...@freestoneinfotech.com>
Authored: Wed May 25 10:24:56 2016 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Mon May 30 17:58:24 2016 +0530
----------------------------------------------------------------------
.../audit/provider/AuditProviderFactory.java | 6 +-
.../java/org/apache/ranger/biz/UserMgr.java | 12 +-
.../org/apache/ranger/audit/TestAuditQueue.java | 2 +-
.../java/org/apache/ranger/biz/TestUserMgr.java | 119 +++++++++++--------
.../org/apache/ranger/common/TestDateUtil.java | 9 +-
.../apache/ranger/common/TestStringUtil.java | 2 +-
6 files changed, 76 insertions(+), 74 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ced7c3b7/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
index b95e2a9..e3e818c 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
@@ -107,11 +107,7 @@ public class AuditProviderFactory {
LOG.info("AuditProviderFactory: initializing..");
if (mInitDone) {
- LOG.warn(
- "AuditProviderFactory.init(): already initialized! Will try to re-initialize",
- new Exception());
-
- // return;
+ LOG.warn("AuditProviderFactory.init(): already initialized! Will try to re-initialize");
}
mInitDone = true;
componentAppType = appType;
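Review bot: Dropping the `new Exception()` argument from `LOG.warn("AuditProviderFactory.init(): already initialized! Will try to re-initialize")` removes the only record of which caller triggered a re-initialization, and the deleted `// return;` suggests double-init was already a known concern rather than a cosmetic one. Since `init` then overwrites `mInitDone` and `componentAppType` regardless, a second caller appears able to silently replace the audit configuration for the process, which is worth being able to trace in an audit pipeline; keeping the call site at debug level preserves diagnosability without the noisy stack in normal logs: `if (LOG.isDebugEnabled()) { LOG.debug("AuditProviderFactory.init(): re-init call site", new Exception()); }`. The rest of `init` lies outside the hunk.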
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ced7c3b7/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index 0e042fe..d3befbe 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -26,6 +26,7 @@ import java.util.List;
import javax.persistence.Query;
+import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.apache.ranger.common.AppConstants;
import org.apache.ranger.common.ContextUtil;
@@ -468,11 +469,11 @@ public class UserMgr {
public VXPortalUser changeEmailAddress(XXPortalUser gjUser,
VXPasswordChange changeEmail) {
checkAccess(gjUser);
- if (gjUser.getEmailAddress() != null) {
+ if (StringUtils.isEmpty(changeEmail.getEmailAddress())) {
throw restErrorUtil.createRESTException(
- "serverMsg.userMgrEmailChange",
- MessageEnums.OPER_NO_PERMISSION, null, null, ""
- + changeEmail);
+ "serverMsg.userMgrInvalidEmail",
+ MessageEnums.INVALID_INPUT_DATA, changeEmail.getId(),
+ "emailAddress", changeEmail.toString());
}
String encryptedOldPwd = encrypt(gjUser.getLoginId(),
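Review bot: The new guard only rejects an empty `changeEmail.getEmailAddress()`; the branch it replaces was the one that refused to overwrite an already-set address, so after this change the only controls between an authenticated caller and a new address are `checkAccess(gjUser)` and the old-password check that begins at `String encryptedOldPwd = encrypt(gjUser.getLoginId(), ...`. Format validation appears to happen in the lines between the two hunks (the updated test stubs `stringUtil.validateEmail`), but nothing visible checks that the new address is not already held by another portal user, which matters if email is used as an identity attribute elsewhere in the admin; if that lookup is not in the unseen part of the method, add it before `gjUser.setEmailAddress(...)` and fail with `MessageEnums.INVALID_INPUT_DATA` on a collision. `changeEmailAddress` continues outside the hunk.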
@@ -501,9 +502,6 @@ public class UserMgr {
gjUser.setEmailAddress(stringUtil.normalizeEmail(changeEmail
.getEmailAddress()));
- // loginId
- gjUser.setLoginId(gjUser.getEmailAddress());
-
String saltEncodedpasswd = encrypt(gjUser.getLoginId(),
changeEmail.getOldPassword());
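Review bot: With `gjUser.setLoginId(gjUser.getEmailAddress())` removed, the `saltEncodedpasswd = encrypt(gjUser.getLoginId(), changeEmail.getOldPassword())` computed here takes the same two inputs as the `encryptedOldPwd` computed before the update — re-hashing was only needed because the login id (which the hash is keyed on) used to change along with the email. Unless the unseen lines between the two hunks still modify the login id, this second `encrypt` call and whatever stores its result are now redundant and can be dropped, which also avoids rewriting the stored password hash on an email change. Decoupling the login id from the email is the right fix: the removed line meant an email change silently rewrote the account's login identifier, the very value the password hash depends on. The method continues past the hunk.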
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ced7c3b7/security-admin/src/test/java/org/apache/ranger/audit/TestAuditQueue.java
----------------------------------------------------------------------
diff --git a/security-admin/src/test/java/org/apache/ranger/audit/TestAuditQueue.java b/security-admin/src/test/java/org/apache/ranger/audit/TestAuditQueue.java
index 3fe6246..637e43f 100644
--- a/security-admin/src/test/java/org/apache/ranger/audit/TestAuditQueue.java
+++ b/security-admin/src/test/java/org/apache/ranger/audit/TestAuditQueue.java
@@ -174,7 +174,7 @@ public class TestAuditQueue {
assertEquals(messageToSend, testConsumer.getSumTotal());
assertEquals(countToCheck, testConsumer.getCountTotal());
}
- @Ignore("Junit breakage: RANGER-630") // TODO
+
@Test
public void testAuditSummaryByInfra() {
logger.debug("testAuditSummaryByInfra()...");
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ced7c3b7/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java
index 2506c03..701ec4f 100644
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java
@@ -282,8 +282,14 @@ public class TestUserMgr {
}
@Test
- public void test16GetEmailAddress() {
+ public void test16ChangeEmailAddress() {
setup();
+ XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class);
+ XXPortalUserRoleDao roleDao = Mockito.mock(XXPortalUserRoleDao.class);
+ XXUserPermissionDao xUserPermissionDao = Mockito.mock(XXUserPermissionDao.class);
+ XXGroupPermissionDao xGroupPermissionDao = Mockito.mock(XXGroupPermissionDao.class);
+ XXModuleDefDao xModuleDefDao = Mockito.mock(XXModuleDefDao.class);
+ XXModuleDef xModuleDef = Mockito.mock(XXModuleDef.class);
VXPortalUser userProfile = userProfile();
XXPortalUser user = new XXPortalUser();
@@ -291,65 +297,79 @@ public class TestUserMgr {
user.setFirstName(userProfile.getFirstName());
user.setLastName(userProfile.getLastName());
user.setLoginId(userProfile.getLoginId());
- user.setPassword(userProfile.getPassword());
+ String encryptedPwd = userMgr.encrypt(userProfile.getLoginId(),userProfile.getPassword());
+ user.setPassword(encryptedPwd);
user.setUserSource(userProfile.getUserSource());
user.setPublicScreenName(userProfile.getPublicScreenName());
user.setId(userProfile.getId());
VXPasswordChange changeEmail = new VXPasswordChange();
- changeEmail.setEmailAddress(user.getEmailAddress());
+ changeEmail.setEmailAddress("testuser@test.com");
changeEmail.setId(user.getId());
changeEmail.setLoginId(user.getLoginId());
+ changeEmail.setOldPassword(userProfile.getPassword());
- Mockito.when(
- restErrorUtil.createRESTException(
- "serverMsg.userMgrEmailChange",
- MessageEnums.OPER_NO_PERMISSION, null, null, ""
- + changeEmail)).thenThrow(
- new WebApplicationException());
- thrown.expect(WebApplicationException.class);
-
- VXPortalUser dbVXPortalUser = userMgr.changeEmailAddress(user,
- changeEmail);
- Assert.assertNotNull(dbVXPortalUser);
- Assert.assertEquals(userId, dbVXPortalUser.getId());
- Assert.assertEquals(userProfile.getLastName(),
- dbVXPortalUser.getLastName());
- Assert.assertEquals(changeEmail.getLoginId(),
- dbVXPortalUser.getLoginId());
- Assert.assertEquals(changeEmail.getEmailAddress(),
- dbVXPortalUser.getEmailAddress());
+ XXPortalUserRole XXPortalUserRole = new XXPortalUserRole();
+ XXPortalUserRole.setId(userId);
+ XXPortalUserRole.setUserRole("ROLE_USER");
+ List<XXPortalUserRole> list = new ArrayList<XXPortalUserRole>();
+ list.add(XXPortalUserRole);
- Mockito.verify(restErrorUtil).createRESTException(
- "serverMsg.userMgrEmailChange",
- MessageEnums.OPER_NO_PERMISSION, null, null, "" + changeEmail);
- }
+ List<XXUserPermission> xUserPermissionsList = new ArrayList<XXUserPermission>();
+ XXUserPermission xUserPermissionObj = new XXUserPermission();
+ xUserPermissionObj.setAddedByUserId(userId);
+ xUserPermissionObj.setCreateTime(new Date());
+ xUserPermissionObj.setId(userId);
+ xUserPermissionObj.setIsAllowed(1);
+ xUserPermissionObj.setModuleId(1L);
+ xUserPermissionObj.setUpdatedByUserId(userId);
+ xUserPermissionObj.setUpdateTime(new Date());
+ xUserPermissionObj.setUserId(userId);
+ xUserPermissionsList.add(xUserPermissionObj);
- @Test
- public void test17ValidateEmailAddress() {
- setup();
- VXPortalUser userProfile = userProfile();
+ List<XXGroupPermission> xGroupPermissionList = new ArrayList<XXGroupPermission>();
+ XXGroupPermission xGroupPermissionObj = new XXGroupPermission();
+ xGroupPermissionObj.setAddedByUserId(userId);
+ xGroupPermissionObj.setCreateTime(new Date());
+ xGroupPermissionObj.setId(userId);
+ xGroupPermissionObj.setIsAllowed(1);
+ xGroupPermissionObj.setModuleId(1L);
+ xGroupPermissionObj.setUpdatedByUserId(userId);
+ xGroupPermissionObj.setUpdateTime(new Date());
+ xGroupPermissionObj.setGroupId(userId);
+ xGroupPermissionList.add(xGroupPermissionObj);
- XXPortalUser user = new XXPortalUser();
- user.setFirstName(userProfile.getFirstName());
- user.setLastName(userProfile.getLastName());
- user.setLoginId(userProfile.getLoginId());
- user.setPassword(userProfile.getPassword());
- user.setUserSource(userProfile.getUserSource());
- user.setPublicScreenName(userProfile.getPublicScreenName());
- user.setId(userProfile.getId());
+ VXUserPermission userPermission = new VXUserPermission();
+ userPermission.setId(1L);
+ userPermission.setIsAllowed(1);
+ userPermission.setModuleId(1L);
+ userPermission.setUserId(userId);
+ userPermission.setUserName("xyz");
+ userPermission.setOwner("admin");
- VXPasswordChange changeEmail = new VXPasswordChange();
- changeEmail.setId(user.getId());
- changeEmail.setLoginId(user.getLoginId());
+ VXGroupPermission groupPermission = new VXGroupPermission();
+ groupPermission.setId(1L);
+ groupPermission.setIsAllowed(1);
+ groupPermission.setModuleId(1L);
+ groupPermission.setGroupId(userId);
+ groupPermission.setGroupName("xyz");
+ groupPermission.setOwner("admin");
- Mockito.when(
- restErrorUtil.createRESTException(
- "serverMsg.userMgrInvalidEmail",
- MessageEnums.INVALID_INPUT_DATA, changeEmail.getId(),
- "emailAddress", changeEmail.toString())).thenThrow(
- new WebApplicationException());
- thrown.expect(WebApplicationException.class);
+ Mockito.when(stringUtil.validateEmail(Mockito.anyString())).thenReturn(true);
+ Mockito.when(stringUtil.equals(Mockito.anyString(), Mockito.anyString())).thenReturn(true);
+ Mockito.when(stringUtil.normalizeEmail(Mockito.anyString())).thenReturn(changeEmail.getEmailAddress());
+ Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao);
+ Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(roleDao);
+ Mockito.when(userDao.update(user)).thenReturn(user);
+ Mockito.when(roleDao.findByParentId(Mockito.anyLong())).thenReturn(list);
+ Mockito.when(daoManager.getXXUserPermission()).thenReturn(xUserPermissionDao);
+ Mockito.when(daoManager.getXXGroupPermission()).thenReturn(xGroupPermissionDao);
+ Mockito.when(xUserPermissionDao.findByUserPermissionIdAndIsAllowed(userProfile.getId())).thenReturn(xUserPermissionsList);
+ Mockito.when(xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId())).thenReturn(xGroupPermissionList);
+ Mockito.when(xGroupPermissionService.populateViewBean(xGroupPermissionObj)).thenReturn(groupPermission);
+ Mockito.when(xUserPermissionService.populateViewBean(xUserPermissionObj)).thenReturn(userPermission);
+ Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao);
+ Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong())).thenReturn(xModuleDef);
VXPortalUser dbVXPortalUser = userMgr.changeEmailAddress(user,
changeEmail);
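Review bot: `Mockito.when(stringUtil.equals(Mockito.anyString(), Mockito.anyString())).thenReturn(true)` makes the old-password comparison in `changeEmailAddress` succeed for any input, and `stringUtil.validateEmail(Mockito.anyString())` is likewise forced to true, so this test would still pass if the password check or the email format check were removed from production code — it covers the happy path only. Since the test already computes the real hash as `encryptedPwd` and sets the matching `setOldPassword`, the `equals` stub can be narrowed to the expected arguments instead of `anyString()`, and a companion test that sets `changeEmail.setOldPassword("wrong")` and expects the REST exception (as the removed `test16`/`test17` did with `thrown.expect(WebApplicationException.class)`) would pin the negative path. Deleting `test17ValidateEmailAddress` also leaves the empty-email rejection that the production change now implements (`serverMsg.userMgrInvalidEmail`) without a test.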
@@ -361,11 +381,6 @@ public class TestUserMgr {
dbVXPortalUser.getLoginId());
Assert.assertEquals(changeEmail.getEmailAddress(),
dbVXPortalUser.getEmailAddress());
-
- Mockito.verify(restErrorUtil).createRESTException(
- "serverMsg.userMgrInvalidEmail",
- MessageEnums.INVALID_INPUT_DATA, changeEmail.getId(),
- "emailAddress", changeEmail.toString());
}
@Test
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ced7c3b7/security-admin/src/test/java/org/apache/ranger/common/TestDateUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/test/java/org/apache/ranger/common/TestDateUtil.java b/security-admin/src/test/java/org/apache/ranger/common/TestDateUtil.java
index a55bbdf..1673f6f 100644
--- a/security-admin/src/test/java/org/apache/ranger/common/TestDateUtil.java
+++ b/security-admin/src/test/java/org/apache/ranger/common/TestDateUtil.java
@@ -71,12 +71,5 @@ public class TestDateUtil {
Assert.assertEquals(currentDate.getDate(),date.getDate());
Assert.assertEquals(currentDate.getMinutes(),mins);
}
-
- @Ignore("test to be reviewed")
- @Test
- public void testGetUTCDate1(){
- Date date=new Date();
- Date userdate=DateUtil.getUTCDate();
- Assert.assertEquals(userdate.getDate(),date.getDate());
- }
+
}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ced7c3b7/security-admin/src/test/java/org/apache/ranger/common/TestStringUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/test/java/org/apache/ranger/common/TestStringUtil.java b/security-admin/src/test/java/org/apache/ranger/common/TestStringUtil.java
index 044aebb..1dfedb4 100644
--- a/security-admin/src/test/java/org/apache/ranger/common/TestStringUtil.java
+++ b/security-admin/src/test/java/org/apache/ranger/common/TestStringUtil.java
@@ -128,7 +128,7 @@ public class TestStringUtil {
@Test
public void testValidateEmailId(){
- String email="jitendra.sonkar@freestoneinfotech.com";
+ String email="rangerqa@apache.org";
boolean value=stringUtil.validateEmail(email);
Assert.assertTrue(email.length() < 128);
Assert.assertTrue(value);