Posted to commits@ranger.apache.org by ni...@apache.org on 2019/05/27 10:20:29 UTC
[ranger] branch master updated: RANGER-2446 : Suggestion - Include
security zone details as part of admin audit for policy update
This is an automated email from the ASF dual-hosted git repository.
ni3galave pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new db10a1d RANGER-2446 : Suggestion - Include security zone details as part of admin audit for policy update
db10a1d is described below
commit db10a1d88ea9b7982d332a92044bcada1ea12ff5
Author: Nitin Galave <ni...@apache.org>
AuthorDate: Fri May 24 19:36:08 2019 +0530
RANGER-2446 : Suggestion - Include security zone details as part of admin audit for policy update
---
.../apache/ranger/service/RangerPolicyService.java | 18 +++++++---
.../scripts/views/policymanager/ServiceLayout.js | 7 +++-
.../views/reports/PlugableServiceDiffDetail.js | 41 ++++++++++++++++++++--
.../scripts/views/security_zone/ZoneCreate.js | 4 +++
.../PlugableServicePolicyDeleteDiff_tmpl.html | 21 +++++++++++
.../reports/PlugableServicePolicyDiff_tmpl.html | 23 ++++++++++--
.../PlugableServicePolicyUpdateDiff_tmpl.html | 33 +++++++++++++++++
7 files changed, 137 insertions(+), 10 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java
index 0276367..4117442 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/RangerPolicyService.java
@@ -72,7 +72,7 @@ public class RangerPolicyService extends RangerPolicyServiceBase<XXPolicy, Range
public static final String POLICY_LABELS_CLASS_FIELD_NAME="policyLabels";
public static final String POLICY_VALIDITYSCHEDULES_CLASS_FIELD_NAME="validitySchedules";
public static final String POLICY_PRIORITY_CLASS_FIELD_NAME="policyPriority";
- public static final String POLICY_CONDITION_CLASS_FIELD_NAME="policyConditions";
+ public static final String POLICY_CONDITION_CLASS_FIELD_NAME="conditions";
static HashMap<String, VTrxLogAttr> trxLogAttrs = new HashMap<String, VTrxLogAttr>();
String actionCreate;
@@ -86,7 +86,7 @@ public class RangerPolicyService extends RangerPolicyServiceBase<XXPolicy, Range
trxLogAttrs.put("description", new VTrxLogAttr("description", "Policy Description", false));
trxLogAttrs.put("isEnabled", new VTrxLogAttr("isEnabled", "Policy Status", false));
trxLogAttrs.put("resources", new VTrxLogAttr("resources", "Policy Resources", false));
- trxLogAttrs.put("policyConditions", new VTrxLogAttr("policyConditions", "Policy Conditions", false));
+ trxLogAttrs.put("conditions", new VTrxLogAttr("conditions", "Policy Conditions", false));
trxLogAttrs.put("policyItems", new VTrxLogAttr("policyItems", "Policy Items", false));
trxLogAttrs.put("denyPolicyItems", new VTrxLogAttr("denyPolicyItems", "DenyPolicy Items", false));
trxLogAttrs.put("allowExceptions", new VTrxLogAttr("allowExceptions", "Allow Exceptions", false));
@@ -198,7 +198,7 @@ public class RangerPolicyService extends RangerPolicyServiceBase<XXPolicy, Range
field.setAccessible(true);
String fieldName = field.getName();
XXTrxLog xTrxLog = new XXTrxLog();
-
+ XXService parentObj = daoMgr.getXXService().findByName(vObj.getService());
try {
VTrxLogAttr vTrxLogAttr = trxLogAttrs.get(fieldName);
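Review bot: The relocated `XXService parentObj = daoMgr.getXXService().findByName(vObj.getService());` now executes before the `trxLogAttrs.get(fieldName)` lookup and the early `return null` paths, so the service is queried once per policy field even for fields that produce no audit row. Unless a use of `parentObj` was added between this line and the `setParentObjectId` call in a part of the method not shown here, keeping the lookup next to that call (its original place) or hoisting it out of the per-field method would avoid the repeated query. The result is still dereferenced without a null check at `xTrxLog.setParentObjectId(parentObj.getId())`; that predates this commit, but a short guard or a comment stating why `findByName` cannot return null here would help the next reader. The enclosing method starts and ends outside this hunk.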
@@ -354,8 +354,17 @@ public class RangerPolicyService extends RangerPolicyServiceBase<XXPolicy, Range
} else if (POLICY_PRIORITY_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
oldValue = processPriorityClassFieldNameForTrxLog(oldPolicy.getPolicyPriority());
}
+ else if (POLICY_CONDITION_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
+ if (oldPolicy != null) {
+ oldValue = processPolicyItemsForTrxLog(oldPolicy.getConditions());
+ }
+ }
if (oldValue == null || oldValue.equalsIgnoreCase(value)) {
+ if (field.getName().equalsIgnoreCase("zoneName") && !(stringUtil.isEmpty(value))) {
+ oldValue=value;
+ } else {
return null;
+ }
} else if (POLICY_RESOURCE_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
// Compare old and new resources
if(compareTwoPolicyResources(value, oldValue)) {
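Review bot: The zoneName special case at `oldValue=value;` stores the new zone name as the audit row's previous value, so when `oldValue` was null because the policy had no zone before, the row records a prior state that never existed; if a policy's zone can change on update (not visible here), preserving the real value, e.g. `if (oldValue == null) { oldValue = ""; }` in place of `oldValue=value;`, keeps the row truthful, and the UI side that reads `previousValue` for update would need to agree with that. The field is matched by the literal `"zoneName"` while the neighbouring branches use the `*_CLASS_FIELD_NAME` constants, and `fieldName` already holds `field.getName()`; a constant in the same style compared with `equalsIgnoreCase(fieldName)` would keep the two patterns consistent. The surrounding method starts and ends outside this hunk.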
@@ -444,8 +453,7 @@ public class RangerPolicyService extends RangerPolicyServiceBase<XXPolicy, Range
xTrxLog.setObjectClassType(AppConstants.CLASS_TYPE_RANGER_POLICY);
xTrxLog.setObjectId(vObj.getId());
xTrxLog.setObjectName(objectName);
-
- XXService parentObj = daoMgr.getXXService().findByName(vObj.getService());
+
xTrxLog.setParentObjectClassType(AppConstants.CLASS_TYPE_XA_SERVICE);
xTrxLog.setParentObjectId(parentObj.getId());
xTrxLog.setParentObjectName(parentObj.getName());
diff --git a/security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js b/security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js
index 767f278..b6851ed 100644
--- a/security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js
+++ b/security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js
@@ -294,7 +294,7 @@ define(function(require){
selectZoneName : function(){
var that = this;
var zoneName = _.map(this.rangerZoneList.models, function(m){
- return { 'id':m.get('name'), 'text':m.get('name')}
+ return { 'id':m.get('name'), 'text':m.get('name'), 'zoneId' : m.get('id')}
});
if(!_.isEmpty(App.vZone.vZoneName) && !_.isUndefined(App.vZone.vZoneName)){
this.ui.selectZoneName.val(App.vZone.vZoneName);
@@ -309,6 +309,11 @@ define(function(require){
placeholder: 'Select Zone Name',
}).on('change', function(e){
App.vZone.vZoneName = e.val;
+ if(e.added){
+ App.vZone.vZoneId = e.added.zoneId;
+ } else {
+ App.vZone.vZoneId = null;
+ }
var rBreadcrumbsText = !_.isEmpty(App.vZone.vZoneName) ? 'Service Manager : ' + App.vZone.vZoneName + ' zone' : 'Service Manager';
App.rBreadcrumbs.currentView.breadcrumb[0].text = rBreadcrumbsText;
App.rBreadcrumbs.currentView.render()
diff --git a/security-admin/src/main/webapp/scripts/views/reports/PlugableServiceDiffDetail.js b/security-admin/src/main/webapp/scripts/views/reports/PlugableServiceDiffDetail.js
index cc9ee8d..ce3af44 100644
--- a/security-admin/src/main/webapp/scripts/views/reports/PlugableServiceDiffDetail.js
+++ b/security-admin/src/main/webapp/scripts/views/reports/PlugableServiceDiffDetail.js
@@ -40,6 +40,7 @@ define(function(require){
template: PolicyOperationDiff_tmpl,
templateHelpers :function(){
+ var zoneName = !_.isEmpty(this.zoneName) && !_.isUndefined(this.zoneName) ? this.zoneName : false;
return {
collection : this.collection.models,
action : this.action,
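Review bot: In `var zoneName = !_.isEmpty(this.zoneName) && !_.isUndefined(this.zoneName) ? this.zoneName : false;` the second test is redundant, since `_.isEmpty(undefined)` already returns true; `var zoneName = _.isEmpty(this.zoneName) ? false : this.zoneName;` expresses the same and is easier to scan. `templateHelpers` continues past the end of this hunk.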
@@ -64,7 +65,10 @@ define(function(require){
oldRowFilterPolicyItems: this.oldRowFilterPolicyItems,
userName : this.userName,
newPolicyValidityPeriod: this.newValidityPeriod,
- oldPolicyValidityPeriod: this.oldValidityPeriod
+ oldPolicyValidityPeriod: this.oldValidityPeriod,
+ zoneName: zoneName,
+ newPolicyConditions: this.newConditions,
+ oldPolicyCondition: this.oldConditions,
};
},
@@ -99,7 +103,15 @@ define(function(require){
},
initializeServiceDef : function(){
- var url, policyName = this.collection.findWhere({'attributeName':'Policy Name'});
+ var url, policyName = this.collection.findWhere({'attributeName':'Policy Name'}),
+ zoneName = this.collection.findWhere({'attributeName':'Zone Name'});
+ if((this.action == 'create' || this.action == 'Import Create') && zoneName && !_.isEmpty(zoneName)){
+ this.zoneName = zoneName.get('newValue');
+ this.collection.remove(zoneName);
+ } else if((this.action == 'delete' || this.action == 'update' || this.action == 'Import Delete') && zoneName && !_.isEmpty(zoneName)){
+ this.zoneName = zoneName.get('previousValue');
+ this.collection.remove(zoneName);
+ }
if(this.action == 'create' || this.action == 'Import Create'){
this.policyName = policyName.get('newValue');
} else if(this.action == 'delete'){
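Review bot: The two new branches starting at `if((this.action == 'create' || this.action == 'Import Create') && zoneName && !_.isEmpty(zoneName))` differ only in whether `newValue` or `previousValue` is read, and the `!_.isEmpty(zoneName)` test appears redundant because `findWhere` yields either a model (which `_.isEmpty`, counting own keys, never reports empty) or `undefined`, which `zoneName &&` already rejects. If no action values other than the five listed reach this method, the pair collapses to `if(zoneName){ this.zoneName = zoneName.get(isCreate ? 'newValue' : 'previousValue'); this.collection.remove(zoneName); }` with `isCreate` covering 'create' and 'Import Create'. `initializeServiceDef` continues outside this hunk.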
@@ -273,6 +285,14 @@ define(function(require){
this.oldRowFilterPolicyItems = perms.oldPerms;
}
}
+ var policyConditions = this.collection.findWhere({'attributeName':'Policy Conditions'});
+ if(!_.isUndefined(policyConditions)){
+ var conditions = this.getPolicyCondition(policyConditions);
+ if(!_.isEmpty(conditions)){
+ this.newConditions = conditions.newPerms;
+ this.oldConditions = conditions.oldPerms;
+ }
+ }
},
getPolicyResources : function() {
var policyResources = this.collection.findWhere({'attributeName':'Policy Resources'});
@@ -344,6 +364,23 @@ define(function(require){
return {'oldPerms' : validityTimePreviousValue, 'newPerms' : validityTimeNewValues};
}
},
+
+ getPolicyCondition : function(policyConditions) {
+ var conditionNewValues = [], conditionOldValues = [] ;
+ this.collection.remove(policyConditions);
+ if(!_.isUndefined(policyConditions.get('newValue')) && !_.isEmpty(policyConditions.get('newValue'))){
+ conditionNewValues = JSON.parse(policyConditions.get('newValue'));
+ }
+ if(!_.isUndefined(policyConditions.get('previousValue')) && !_.isEmpty(policyConditions.get('previousValue'))){
+ var conditionOldValues = JSON.parse(policyConditions.get('previousValue'));
+ }
+ if(this.action == "update"){
+ return this.setOldNewPermDiff(conditionNewValues, conditionOldValues);
+ } else {
+ return {'oldPerms' : conditionOldValues, 'newPerms' : conditionNewValues};
+ }
+ },
+
getPolicyItems : function(itemType) {
var items = {},that = this;
var newPolicyItems=[], oldPolicyItems =[];
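Review bot: `var conditionOldValues = JSON.parse(policyConditions.get('previousValue'));` redeclares the variable initialised at the top of `getPolicyCondition`; it works because of hoisting, but dropping the `var` so it assigns the existing binding, as the `conditionNewValues` line above it does, removes a lint warning and a reader's doubt. Both `JSON.parse` calls run on stored audit strings with no guard, so a malformed or differently formatted value would throw out of the caller and blank the whole diff view rather than just the Policy Conditions section; a `try { … } catch(e) { conditionNewValues = []; }` around each parse, or a small helper returning `[]` on failure, would contain it. Whether any such rows exist is not visible from this change.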
diff --git a/security-admin/src/main/webapp/scripts/views/security_zone/ZoneCreate.js b/security-admin/src/main/webapp/scripts/views/security_zone/ZoneCreate.js
index e0fab23..117e388 100644
--- a/security-admin/src/main/webapp/scripts/views/security_zone/ZoneCreate.js
+++ b/security-admin/src/main/webapp/scripts/views/security_zone/ZoneCreate.js
@@ -173,6 +173,10 @@ define(function(require) {
success: function(model) {
XAUtil.blockUI('unblock');
XAUtil.allowNavigation();
+ if(that.editZone && App.vZone && !_.isNull(App.vZone.vZoneId) && App.vZone.vZoneId == model.id &&
+ App.vZone.vZoneName !== model.get('name')){
+ App.vZone.vZoneName = model.get('name');
+ }
var msg = that.editZone ? 'Service zone updated successfully' : 'Service zone created successfully';
XAUtil.notifySuccess('Success', msg);
App.appRouter.navigate("#!/zones/zone/"+model.id, {
diff --git a/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDeleteDiff_tmpl.html b/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDeleteDiff_tmpl.html
index 04aa6dc..fc5c302 100644
--- a/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDeleteDiff_tmpl.html
+++ b/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDeleteDiff_tmpl.html
@@ -17,6 +17,9 @@
<div class="diff-content">
<b>Policy ID : </b><label class="label label-ranger"> {{objectId}}</label>
<label class="no-margin label-size13-weightbold">Policy Name : {{policyName}}</label>
+ {{#if zoneName}}
+ <label class="no-margin label-size13-weightbold" > Zone Name : {{zoneName}}</label>
+ {{/if}}
<label class="no-margin label-size13-weightbold"> Deleted Date : {{objectCreatedDate}}</label>
<label class="no-margin label-size13-weightbold" > Deleted By : {{userName}}</label>
@@ -76,6 +79,24 @@
</div>
{{/if}}
+{{#if oldPolicyCondition}}
+ <h5>Policy Conditions :</h5>
+ <div class="diff diff-perms" >
+ <div class="diff-right diff-list" data-id="diff">
+ <h3>Old Value</h3>
+ {{#each oldPolicyCondition}}
+ <li class="change-row">
+ {{#if this.type}}
+ {{this.type}} : [{{this.values}}]
+ {{else}}
+ --
+ {{/if}}
+ </li>
+ {{/each}}
+ </div>
+ </div>
+{{/if}}
+
{{#if oldPolicyItems}}
<h5>Allow PolicyItems :</h5>
<div class="diff diff-perms">
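Review bot: The new `{{#each oldPolicyCondition}}` block emits `<li class="change-row">` elements directly under `<div class="diff-right diff-list">` with no `<ul>`/`<ol>` parent, whereas the existing Policy Details rows in PlugableServicePolicyDiff_tmpl.html are wrapped in `<ol class="unstyled data">`. Browsers tolerate the stray `<li>`, but the markup is invalid and any styling targeting `ol li` will not apply; wrapping the `{{#each}}` in `<ol class="unstyled data">…</ol>` keeps the templates consistent. The same applies to the Policy Conditions blocks added to PlugableServicePolicyDiff_tmpl.html and PlugableServicePolicyUpdateDiff_tmpl.html in this commit; if the pre-existing validity-period blocks these were modelled on share the pattern, the fix belongs to all of them.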
diff --git a/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDiff_tmpl.html b/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDiff_tmpl.html
index dbc519a..0dcae38 100644
--- a/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDiff_tmpl.html
+++ b/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyDiff_tmpl.html
@@ -17,12 +17,14 @@
<div class="diff-content">
<b>Policy ID : </b><label class="label label-ranger"> {{objectId}}</label>
<label class="no-margin label-size13-weightbold">Policy Name : {{policyName}}</label>
+ {{#if zoneName}}
+ <label class="no-margin label-size13-weightbold" > Zone Name : {{zoneName}}</label>
+ {{/if}}
{{#if repositoryType}}
<label class="no-margin label-size13-weightbold">Repository Type : {{repositoryType}}</label>
{{/if}}
<label class="no-margin label-size13-weightbold"> Created Date : {{objectCreatedDate}}</label>
<label class="no-margin label-size13-weightbold" > Created By : {{userName}}</label>
-
{{#if collection.length}}
<h5>Policy Details :</h5>
<div class="diff">
@@ -38,7 +40,7 @@
<h3>New Value</h3>
<ol class="unstyled data">
{{#each collection}}
- <li class="change-row">{{./this.attributes.newValue}}</li>
+ <li class="change-row">{{./this.attributes.newValue}}</li>
{{/each}}
</ol>
</div>
@@ -77,6 +79,23 @@
</div>
</div>
{{/if}}
+{{#if newPolicyConditions}}
+ <h5>Policy Conditions :</h5>
+ <div class="diff diff-perms" >
+ <div class="diff-right diff-list" data-id="diff">
+ <h3>New Value</h3>
+ {{#each newPolicyConditions}}
+ <li class="change-row">
+ {{#if this.type}}
+ {{this.type}} : [{{this.values}}]
+ {{else}}
+ --
+ {{/if}}
+ </li>
+ {{/each}}
+ </div>
+ </div>
+{{/if}}
{{#if newPolicyItems}}
<h5>Allow PolicyItems :</h5>
<div class="diff diff-perms" >
diff --git a/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyUpdateDiff_tmpl.html b/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyUpdateDiff_tmpl.html
index e150c32..c06c237 100644
--- a/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyUpdateDiff_tmpl.html
+++ b/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyUpdateDiff_tmpl.html
@@ -19,6 +19,9 @@
<div class="span6">
<b>Policy ID : </b><label class="label label-ranger"> {{objectId}}</label>
<label class="no-margin label-size13-weightbold">Policy Name : {{policyName}}</label>
+ {{#if zoneName}}
+ <label class="no-margin label-size13-weightbold" > Zone Name : {{zoneName}}</label>
+ {{/if}}
{{#if repositoryType}}
<label class="no-margin label-size13-weightbold">Repository Type : {{repositoryType}}</label>
{{/if}}
@@ -69,6 +72,36 @@
</div>
{{/if}}
+{{#if oldPolicyCondition}}
+ <h5>Policy Conditions :</h5>
+ <div class="diff validityPeriod" >
+ <div class="diff-left diff-list" data-id="diff">
+ <h3>Old Value</h3>
+ {{#each oldPolicyCondition}}
+ {{#if this.type}}
+ <li class="change-row">
+ {{this.type}} : [{{this.values}}]
+ </li>
+ {{else}}
+ <li style="text-align: center; font-weight: bold; font-style: italic;"><empty></li>
+ {{/if}}
+ {{/each}}
+ </div>
+ <div class="diff-right diff-list" data-id="diff">
+ <h3>New Value</h3>
+ {{#each newPolicyConditions}}
+ {{#if this.type}}
+ <li class="change-row">
+ {{this.type}} : [{{this.values}}]
+ </li>
+ {{else}}
+ <li style="text-align: center; font-weight: bold; font-style: italic;"><empty></li>
+ {{/if}}
+ {{/each}}
+ </div>
+ </div>
+{{/if}}
+
{{#if oldPolicyValidityPeriod}}
<h5>Validity Period :</h5>
<div class="diff validityPeriod" >
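Review bot: The placeholder `<li style="text-align: center; font-weight: bold; font-style: italic;"><empty></li>` in both `{{else}}` branches writes a literal `<empty>` tag into the page, which the browser treats as an unknown empty element and shows no text, so the row renders blank instead of the intended word; escape it as `&lt;empty&gt;`. The delete and create templates in this commit use `--` for the same missing-type case, so either escaping this one or picking one placeholder for all three templates would also make the views consistent.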