Posted to commits@ranger.apache.org by pr...@apache.org on 2019/05/10 12:02:05 UTC
[ranger] branch master updated: RANGER-2347 : Restrict capabilities
of security zone administrator and auditor
This is an automated email from the ASF dual-hosted git repository.
pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new ecab208 RANGER-2347 : Restrict capabilities of security zone administrator and auditor
ecab208 is described below
commit ecab208744d2fa653259c1db7645dca28ff748ed
Author: Bhavik Patel <bh...@gmail.com>
AuthorDate: Fri May 10 14:55:31 2019 +0530
RANGER-2347 : Restrict capabilities of security zone administrator and auditor
Signed-off-by: Pradeep <pr...@apache.org>
---
.../main/java/org/apache/ranger/biz/AssetMgr.java | 56 +++++++++++++-
.../java/org/apache/ranger/biz/ServiceMgr.java | 89 +++++++++++++++++++++-
.../java/org/apache/ranger/rest/AssetREST.java | 4 +-
.../org/apache/ranger/rest/SecurityZoneREST.java | 14 ++--
.../java/org/apache/ranger/rest/ServiceREST.java | 80 +------------------
.../ranger/solr/SolrAccessAuditsService.java | 2 +-
.../java/org/apache/ranger/rest/TestAssetREST.java | 4 +-
7 files changed, 160 insertions(+), 89 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java
index 41b42ca..1a78790 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java
@@ -52,6 +52,9 @@ import org.apache.ranger.entity.XXPermMap;
import org.apache.ranger.entity.XXPluginInfo;
import org.apache.ranger.entity.XXPolicyExportAudit;
import org.apache.ranger.entity.XXPortalUser;
+import org.apache.ranger.entity.XXSecurityZone;
+import org.apache.ranger.entity.XXSecurityZoneRefGroup;
+import org.apache.ranger.entity.XXSecurityZoneRefUser;
import org.apache.ranger.entity.XXTrxLog;
import org.apache.ranger.entity.XXUser;
import org.apache.ranger.plugin.model.RangerPluginInfo;
@@ -119,6 +122,9 @@ public class AssetMgr extends AssetMgrBase {
@Autowired
XUgsyncAuditInfoService xUgsyncAuditInfoService;
+ @Autowired
+ ServiceMgr serviceMgr;
+
private static final Logger logger = Logger.getLogger(AssetMgr.class);
public File getXResourceFile(Long id, String fileType) {
@@ -966,6 +972,55 @@ public class AssetMgr extends AssetMgrBase {
} else if (!"asc".equalsIgnoreCase(searchCriteria.getSortType()) && !"desc".equalsIgnoreCase(searchCriteria.getSortType())) {
searchCriteria.setSortType("desc");
}
+
+ Set<String> zoneNameSet = new HashSet<String>();
+ Long userId = xaBizUtil.getXUserId();
+ VXGroupList groupList = xUserMgr.getXUserGroups(userId);
+ List<XXSecurityZoneRefUser> zoneRefUserList = rangerDaoManager
+ .getXXSecurityZoneRefUser().findByUserId(userId);
+ for (XXSecurityZoneRefUser zoneRefUser : zoneRefUserList) {
+ XXSecurityZone securityZone = rangerDaoManager
+ .getXXSecurityZoneDao().findByZoneId(
+ zoneRefUser.getZoneId());
+ if (securityZone != null) {
+ zoneNameSet.add(securityZone.getName());
+ }
+ }
+
+ for (VXGroup group : groupList.getList()) {
+ List<XXSecurityZoneRefGroup> zoneRefGroupList = rangerDaoManager
+ .getXXSecurityZoneRefGroup().findByGroupId(group.getId());
+ for (XXSecurityZoneRefGroup zoneRefGroup : zoneRefGroupList) {
+ XXSecurityZone securityZone = rangerDaoManager
+ .getXXSecurityZoneDao().findByZoneId(
+ zoneRefGroup.getZoneId());
+ if (securityZone != null) {
+ zoneNameSet.add(securityZone.getName());
+ }
+ }
+ }
+ List<String> zoneNameList = (List<String>) searchCriteria.getParamValue("zoneName");
+
+ if (!xaBizUtil.isAdmin()
+ && (zoneNameList == null || zoneNameList.isEmpty())) {
+ if (!zoneNameSet.isEmpty()) {
+ searchCriteria.getParamList().put("zoneName",
+ new ArrayList<String>(zoneNameSet));
+ } else {
+ searchCriteria.getParamList().put("zoneName", null);
+ }
+ } else if (!xaBizUtil.isAdmin() && !zoneNameList.isEmpty()
+ && !zoneNameSet.isEmpty()) {
+ for (String znName : zoneNameList) {
+ if (!serviceMgr.isZoneAdmin(znName)
+ && !serviceMgr.isZoneAuditor(znName)) {
+ throw restErrorUtil.createRESTException(
+ HttpServletResponse.SC_FORBIDDEN,
+ "User is not the zone admin or zone auditor of zone "
+ + znName, true);
+ }
+ }
+ }
if (RangerBizUtil.AUDIT_STORE_SOLR.equalsIgnoreCase(xaBizUtil.getAuditDBType())) {
return solrAccessAuditsService.searchXAccessAudits(searchCriteria);
} else {
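Review bot: The `else if (!xaBizUtil.isAdmin() && !zoneNameList.isEmpty() && !zoneNameSet.isEmpty())` branch runs the per-zone authorization loop only when the caller is referenced by at least one zone, so a non-admin caller with no zone membership who supplies `zoneName=...` skips the check entirely and the request continues with the caller-chosen filter, while a caller who belongs to some other zone gets a 403 for the same request. Unless a role check earlier in the REST layer gates this path, the condition should not depend on the caller's own zone set: `} else if (!xaBizUtil.isAdmin() && !zoneNameList.isEmpty()) {`. The two lookup loops over `XXSecurityZoneRefUser` and `XXSecurityZoneRefGroup` also run for admins although their result is only consumed on the non-admin branches; hoisting `boolean isAdmin = xaBizUtil.isAdmin();` and skipping them when it is true avoids the extra queries. The enclosing method starts and ends outside the hunk.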
@@ -973,7 +1028,6 @@ public class AssetMgr extends AssetMgrBase {
}
}
-
public VXTrxLogList getTransactionReport(String transactionId) {
List<XXTrxLog> xTrxLogList = rangerDaoManager.getXXTrxLog()
.findByTransactionId(transactionId);
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
index 429c450..7fdda9a 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
@@ -36,8 +36,11 @@ import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.security.SecureClientLogin;
import org.apache.ranger.common.PropertiesUtil;
import org.apache.ranger.common.TimedExecutor;
+import org.apache.ranger.db.XXGroupUserDao;
+import org.apache.ranger.entity.XXGroupUser;
import org.apache.ranger.plugin.client.HadoopConfigHolder;
import org.apache.ranger.plugin.client.HadoopException;
+import org.apache.ranger.plugin.model.RangerSecurityZone;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.service.RangerBaseService;
@@ -78,8 +81,14 @@ public class ServiceMgr {
@Autowired
TimedExecutor timedExecutor;
- @Autowired
- RangerBizUtil rangerBizUtil;
+ @Autowired
+ RangerBizUtil rangerBizUtil;
+
+ @Autowired
+ SecurityZoneDBStore zoneStore;
+
+ @Autowired
+ XXGroupUserDao groupUserDao;
public List<String> lookupResource(String serviceName, ResourceLookupContext context, ServiceStore svcStore) throws Exception {
List<String> ret = null;
@@ -196,6 +205,82 @@ public class ServiceMgr {
return ret;
}
+
+ public boolean isZoneAdmin(String zoneName) {
+ boolean isZoneAdmin = false;
+ RangerSecurityZone securityZone = null;
+ try {
+ securityZone = zoneStore.getSecurityZoneByName(zoneName);
+ } catch (Exception e) {
+ LOG.error(
+ "Unexpected error when fetching security zone with name:["
+ + zoneName + "] from database", e);
+ }
+
+ if (securityZone != null) {
+ String userId = rangerBizUtil.getCurrentUserLoginId();
+
+ List<XXGroupUser> groupUsers = groupUserDao
+ .findByUserId(rangerBizUtil.getXUserId());
+ List<String> loggedInUsersGroups = new ArrayList<>();
+ for (XXGroupUser groupUser : groupUsers) {
+ loggedInUsersGroups.add(groupUser.getName());
+ }
+ for (String loggedInUsersGroup : loggedInUsersGroups) {
+ if (securityZone != null
+ && securityZone.getAdminUserGroups() != null
+ && securityZone.getAdminUserGroups().contains(
+ loggedInUsersGroup)) {
+ isZoneAdmin = true;
+ break;
+ }
+ }
+ if ((securityZone != null && securityZone.getAdminUsers() != null && securityZone
+ .getAdminUsers().contains(userId))) {
+ isZoneAdmin = true;
+ }
+ }
+
+ return isZoneAdmin;
+ }
+
+ public boolean isZoneAuditor(String zoneName) {
+ boolean isZoneAuditor = false;
+ RangerSecurityZone securityZone = null;
+ try {
+ securityZone = zoneStore.getSecurityZoneByName(zoneName);
+ } catch (Exception e) {
+ LOG.error(
+ "Unexpected error when fetching security zone with name:["
+ + zoneName + "] from database", e);
+ }
+
+ if (securityZone != null) {
+ String userId = rangerBizUtil.getCurrentUserLoginId();
+
+ List<XXGroupUser> groupUsers = groupUserDao
+ .findByUserId(rangerBizUtil.getXUserId());
+ List<String> loggedInUsersGroups = new ArrayList<>();
+ for (XXGroupUser groupUser : groupUsers) {
+ loggedInUsersGroups.add(groupUser.getName());
+ }
+ for (String loggedInUsersGroup : loggedInUsersGroups) {
+ if (securityZone != null
+ && securityZone.getAuditUserGroups() != null
+ && securityZone.getAuditUserGroups().contains(
+ loggedInUsersGroup)) {
+ isZoneAuditor = true;
+ break;
+ }
+ }
+ if ((securityZone != null && securityZone.getAuditUsers() != null && securityZone
+ .getAuditUsers().contains(userId))) {
+ isZoneAuditor = true;
+ }
+ }
+
+ return isZoneAuditor;
+ }
public RangerBaseService getRangerServiceByName(String serviceName, ServiceStore svcStore) throws Exception {
if(LOG.isDebugEnabled()) {
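Review bot: `isZoneAdmin` and `isZoneAuditor` are identical except for the pair of zone accessors they consult, and both repeat `securityZone != null` inside a block already guarded by `if (securityZone != null)` (the loop condition and the user-list condition in each method). Folding the body into one private helper that takes the user-list and group-list accessors removes the duplication and the dead checks while keeping the fail-closed result when the zone lookup fails or returns null; the helper also tests the login id before querying the caller's groups, so the group query is skipped when the user is listed directly. This assumes the `RangerSecurityZone` accessors return `java.util` collections and needs `java.util.Collection` and `java.util.function.Function` imported.
```java
public boolean isZoneAdmin(String zoneName) {
    return isZoneMember(zoneName, RangerSecurityZone::getAdminUsers, RangerSecurityZone::getAdminUserGroups);
}

public boolean isZoneAuditor(String zoneName) {
    return isZoneMember(zoneName, RangerSecurityZone::getAuditUsers, RangerSecurityZone::getAuditUserGroups);
}

// True when the current user, or one of the groups it belongs to, is listed in the selected zone role.
private boolean isZoneMember(String zoneName,
        Function<RangerSecurityZone, Collection<String>> roleUsers,
        Function<RangerSecurityZone, Collection<String>> roleGroups) {
    RangerSecurityZone securityZone = null;
    try {
        securityZone = zoneStore.getSecurityZoneByName(zoneName);
    } catch (Exception e) {
        LOG.error("Unexpected error when fetching security zone with name:[" + zoneName + "] from database", e);
    }
    if (securityZone == null) {
        return false; // unknown zone or lookup failure: fail closed
    }
    Collection<String> users = roleUsers.apply(securityZone);
    if (users != null && users.contains(rangerBizUtil.getCurrentUserLoginId())) {
        return true;
    }
    Collection<String> groups = roleGroups.apply(securityZone);
    if (groups == null) {
        return false;
    }
    for (XXGroupUser groupUser : groupUserDao.findByUserId(rangerBizUtil.getXUserId())) {
        if (groups.contains(groupUser.getName())) {
            return true;
        }
    }
    return false;
}
```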
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
index 703d30b..037888e 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
@@ -651,7 +651,9 @@ public class AssetREST {
searchUtil.extractString(request, searchCriteria, "tags", "tags", null);
searchUtil.extractString(request, searchCriteria, "cluster", "Cluster Name", StringUtil.VALIDATION_TEXT);
- searchUtil.extractString(request, searchCriteria, "zoneName", "Zone Name", StringUtil.VALIDATION_TEXT);
+ searchUtil.extractStringList(request, searchCriteria, "zoneName", "Zone Name List", "zoneName", null,
+ null);
+
searchUtil.extractString(request, searchCriteria, "agentHost", "Agent Host Name", StringUtil.VALIDATION_TEXT);
boolean isKeyAdmin = msBizUtil.isKeyAdmin();
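Review bot: The replaced `extractString` call validated the zone name with `StringUtil.VALIDATION_TEXT`, while the new `extractStringList` call passes `null` for both trailing arguments, so caller-supplied zone names now reach the audit search without the input check the single-value parameter had. If one of those trailing parameters is the validation pattern, as in `extractString`, pass `StringUtil.VALIDATION_TEXT` there; if `extractStringList` offers no validation hook, the values should be checked before `searchCriteria` is handed to `assetMgr.getAccessLogs`. The enclosing method starts and ends outside the hunk.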
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java b/security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java
index f0909ab..ce3ffc8 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java
@@ -43,6 +43,7 @@ import org.apache.commons.logging.LogFactory;
import org.apache.ranger.biz.RangerBizUtil;
import org.apache.ranger.biz.SecurityZoneDBStore;
import org.apache.ranger.biz.ServiceDBStore;
+import org.apache.ranger.biz.ServiceMgr;
import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.RangerSearchUtil;
@@ -94,11 +95,14 @@ public class SecurityZoneREST {
@Autowired
RangerBizUtil bizUtil;
- @Autowired
- ServiceREST serviceRest;
+ @Autowired
+ ServiceREST serviceRest;
- @Autowired
- RangerDaoManager daoManager;
+ @Autowired
+ RangerDaoManager daoManager;
+
+ @Autowired
+ ServiceMgr serviceMgr;
@POST
@@ -324,7 +328,7 @@ public class SecurityZoneREST {
throwRestError("User : " + userName
+ " is not allowed to edit zone description of zone : " + existingSecurityZone.getName());
}
- if (!serviceRest.isZoneAdmin(existingSecurityZone.getName())) {
+ if (!serviceMgr.isZoneAdmin(existingSecurityZone.getName())) {
if (!securityZone.getAdminUserGroups().equals(
existingSecurityZone.getAdminUserGroups())) {
throwRestError("User : "
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index c4ccee9..3ff763c 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -80,7 +80,6 @@ import org.apache.ranger.common.ServiceUtil;
import org.apache.ranger.common.UserSessionBase;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.db.XXGroupUserDao;
-import org.apache.ranger.entity.XXGroupUser;
import org.apache.ranger.entity.XXPolicyExportAudit;
import org.apache.ranger.entity.XXSecurityZone;
import org.apache.ranger.entity.XXSecurityZoneRefService;
@@ -3390,7 +3389,7 @@ public class ServiceREST {
for (RangerPolicy policy : listToFilter) {
if (policyEngine.isAccessAllowed(policy, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS)
- || (!StringUtils.isEmpty(policy.getZoneName()) && (isZoneAdmin(policy.getZoneName()) || isZoneAuditor(policy.getZoneName())))
+ || (!StringUtils.isEmpty(policy.getZoneName()) && (serviceMgr.isZoneAdmin(policy.getZoneName()) || serviceMgr.isZoneAuditor(policy.getZoneName())))
|| isServiceAdminUser) {
ret.add(policy);
}
@@ -3405,79 +3404,6 @@ public class ServiceREST {
return ret;
}
-
- public boolean isZoneAdmin(String zoneName) {
- boolean isZoneAdmin = false;
- RangerSecurityZone securityZone = null;
- try {
- securityZone = zoneStore.getSecurityZoneByName(zoneName);
- } catch (Exception e) {
- LOG.error("Unexpected error when fetching security zone with name:[" + zoneName + "] from database", e);
- }
-
- if (securityZone != null) {
- String userId = bizUtil.getCurrentUserLoginId();
-
- List<XXGroupUser> groupUsers = groupUserDao.findByUserId(bizUtil
- .getXUserId());
- List<String> loggedInUsersGroups = new ArrayList<>();
- for (XXGroupUser groupUser : groupUsers) {
- loggedInUsersGroups.add(groupUser.getName());
- }
- for (String loggedInUsersGroup : loggedInUsersGroups) {
- if (securityZone != null
- && securityZone.getAdminUserGroups() != null
- && securityZone.getAdminUserGroups().contains(
- loggedInUsersGroup)) {
- isZoneAdmin = true;
- break;
- }
- }
- if ((securityZone != null && securityZone.getAdminUsers() != null && securityZone
- .getAdminUsers().contains(userId))) {
- isZoneAdmin = true;
- }
- }
-
- return isZoneAdmin;
- }
-
-
- public boolean isZoneAuditor(String zoneName) {
- boolean isZoneAuditor = false;
- RangerSecurityZone securityZone = null;
- try {
- securityZone = zoneStore.getSecurityZoneByName(zoneName);
- } catch (Exception e) {
- LOG.error("Unexpected error when fetching security zone with name:[" + zoneName + "] from database", e);
- }
-
- if (securityZone != null) {
- String userId = bizUtil.getCurrentUserLoginId();
-
- List<XXGroupUser> groupUsers = groupUserDao.findByUserId(bizUtil
- .getXUserId());
- List<String> loggedInUsersGroups = new ArrayList<>();
- for (XXGroupUser groupUser : groupUsers) {
- loggedInUsersGroups.add(groupUser.getName());
- }
- for (String loggedInUsersGroup : loggedInUsersGroups) {
- if (securityZone != null
- && securityZone.getAuditUserGroups() != null
- && securityZone.getAuditUserGroups().contains(
- loggedInUsersGroup)) {
- isZoneAuditor = true;
- break;
- }
- }
- if ((securityZone != null && securityZone.getAuditUsers() != null && securityZone
- .getAuditUsers().contains(userId))) {
- isZoneAuditor = true;
- }
- }
-
- return isZoneAuditor;
- }
void ensureAdminAccess(RangerPolicy policy) {
boolean isAdmin = bizUtil.isAdmin();
@@ -3491,7 +3417,7 @@ public class ServiceREST {
Set<String> userGroups = userMgr.getGroupsForUser(userName);
//for zone policy create /update / delete
- if(!StringUtils.isEmpty(policy.getZoneName()) && isZoneAdmin(policy.getZoneName())){
+ if(!StringUtils.isEmpty(policy.getZoneName()) && serviceMgr.isZoneAdmin(policy.getZoneName())){
isAllowed = true;
}else{
isAllowed = hasAdminAccess(policy, userName, userGroups);
@@ -3827,7 +3753,7 @@ public class ServiceREST {
String userName = bizUtil.getCurrentUserLoginId();
boolean isAuditAdmin = bizUtil.isAuditAdmin();
boolean isAuditKeyAdmin = bizUtil.isAuditKeyAdmin();
- boolean isSvcAdmin = isAdmin || svcStore.isServiceAdminUser(policy.getService(), userName) || (!StringUtils.isEmpty(policy.getZoneName()) && (isZoneAdmin(policy.getZoneName()) || isZoneAuditor(policy.getZoneName())));
+ boolean isSvcAdmin = isAdmin || svcStore.isServiceAdminUser(policy.getService(), userName) || (!StringUtils.isEmpty(policy.getZoneName()) && (serviceMgr.isZoneAdmin(policy.getZoneName()) || serviceMgr.isZoneAuditor(policy.getZoneName())));
if (!isAdmin && !isKeyAdmin && !isSvcAdmin && !isAuditAdmin && !isAuditKeyAdmin) {
boolean isAllowed = false;
diff --git a/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java b/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java
index 9be2ef4..a517d76 100644
--- a/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java
+++ b/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java
@@ -127,7 +127,7 @@ public class SolrAccessAuditsService {
searchFields.add(new SearchField("cluster", "cluster",
SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.FULL));
searchFields.add(new SearchField("zoneName", "zoneName",
- SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.FULL));
+ SearchField.DATA_TYPE.STR_LIST, SearchField.SEARCH_TYPE.FULL));
searchFields.add(new SearchField("agentHost", "agentHost",
SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.PARTIAL));
diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java
index 1f73709..ef149d5 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java
@@ -761,7 +761,7 @@ public class TestAssetREST {
Mockito.verify(msBizUtil).isKeyAdmin();
Mockito.verify(assetMgr).getAccessLogs(searchCriteria);
Mockito.verify(daoManager).getXXServiceDef();
- Mockito.verify(searchUtil, Mockito.times(15)).extractString((HttpServletRequest) Mockito.any(),
+ Mockito.verify(searchUtil, Mockito.times(14)).extractString((HttpServletRequest) Mockito.any(),
(SearchCriteria) Mockito.any(), Mockito.anyString(), Mockito.anyString(), Mockito.nullable(String.class));
Mockito.verify(searchUtil, Mockito.times(4)).extractInt((HttpServletRequest) Mockito.any(),
(SearchCriteria) Mockito.any(), Mockito.anyString(), Mockito.anyString());
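Review bot: The adjusted assertions only lower the expected `extractString` count from 15 to 14; nothing verifies that `zoneName` is now read through `extractStringList`, so a regression that simply dropped the parameter would still pass. Add a `Mockito.verify(searchUtil).extractStringList(...)` call for the `zoneName` parameter, with matchers that fit the signature used in AssetREST, after the `extractString` verification here and in the second test method below. Both enclosing test methods start outside their hunks.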
@@ -804,7 +804,7 @@ public class TestAssetREST {
Mockito.verify(msBizUtil).isKeyAdmin();
Mockito.verify(assetMgr).getAccessLogs(searchCriteria);
Mockito.verify(daoManager).getXXServiceDef();
- Mockito.verify(searchUtil, Mockito.times(15)).extractString((HttpServletRequest) Mockito.any(),
+ Mockito.verify(searchUtil, Mockito.times(14)).extractString((HttpServletRequest) Mockito.any(),
(SearchCriteria) Mockito.any(), Mockito.anyString(), Mockito.anyString(), Mockito.nullable(String.class));
Mockito.verify(searchUtil, Mockito.times(4)).extractInt((HttpServletRequest) Mockito.any(),
(SearchCriteria) Mockito.any(), Mockito.anyString(), Mockito.anyString());