Posted to commits@ranger.apache.org by ma...@apache.org on 2015/04/28 02:14:35 UTC

incubator-ranger git commit: RANGER-434: updated revoke implementation in HBase plugin to remove delegateAdmin

Repository: incubator-ranger
Updated Branches:
  refs/heads/master 88db70795 -> 27c81a236


RANGER-434: updated revoke implementation in HBase plugin to remove delegateAdmin


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/27c81a23
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/27c81a23
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/27c81a23

Branch: refs/heads/master
Commit: 27c81a236cec7100cd7ed204d0e888848bf19778
Parents: 88db707
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Mon Apr 27 17:07:59 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Mon Apr 27 17:07:59 2015 -0700

----------------------------------------------------------------------
 .../hbase/RangerAuthorizationCoprocessor.java   |   2 +-
 .../org/apache/ranger/rest/ServiceREST.java     | 120 ++++++++++---------
 2 files changed, 65 insertions(+), 57 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/27c81a23/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 4893aa3..f42c15a 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -1243,7 +1243,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 		GrantRevokeRequest ret = new GrantRevokeRequest();
 
 		ret.setGrantor(grantor);
-		ret.setDelegateAdmin(Boolean.FALSE);
+		ret.setDelegateAdmin(Boolean.TRUE); // remove delegateAdmin privilege as well
 		ret.setEnableAudit(Boolean.TRUE);
 		ret.setReplaceExistingPermissions(Boolean.TRUE);
 		ret.setResource(mapResource);
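Review bot: The trailing comment on `ret.setDelegateAdmin(Boolean.TRUE)` credits this flag with removing delegateAdmin, but the same request sets `setReplaceExistingPermissions(Boolean.TRUE)` two lines below. The ServiceREST change in this commit reads `getDelegateAdmin()` only in the branch taken when replaceExistingPermissions is false, so against the updated admin it is the replace flag, not this one, that ends up removing the delegated-admin right. A comment that says so would keep a later reader from treating the flag as the control, for example `// revoke drops delegateAdmin too; with replaceExistingPermissions=TRUE the admin removes the principal from the policy outright`. The method that builds the request starts and ends outside the hunk.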

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/27c81a23/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index a02b932..c2701a6 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -612,37 +612,7 @@ public class ServiceREST {
 	
 					// replace all existing privileges for users and groups
 					if(grantRequest.getReplaceExistingPermissions()) {
-						List<RangerPolicyItem> policyItems = policy.getPolicyItems();
-	
-						int numOfItems = policyItems.size();
-		
-						for(int i = 0; i < numOfItems; i++) {
-							RangerPolicyItem policyItem = policyItems.get(i);
-		
-							if(CollectionUtils.containsAny(policyItem.getUsers(), grantRequest.getUsers())) {
-								policyItem.getUsers().removeAll(grantRequest.getUsers());
-	
-								policyUpdated = true;
-							}
-	
-							if(CollectionUtils.containsAny(policyItem.getGroups(), grantRequest.getGroups())) {
-								policyItem.getGroups().removeAll(grantRequest.getGroups());
-	
-								policyUpdated = true;
-							}
-	
-							if(CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) {
-								policyItems.remove(i);
-								numOfItems--;
-								i--;
-	
-								policyUpdated = true;
-							}
-						}
-	
-						if(compactPolicy(policy)) {
-							policyUpdated = true;
-						}
+						policyUpdated = removeUsersAndGroupsFromPolicy(policy, grantRequest.getUsers(), grantRequest.getGroups());
 					}
 	
 					for(String user : grantRequest.getUsers()) {
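Review bot: The new line assigns `policyUpdated = removeUsersAndGroupsFromPolicy(...)`, whereas the removed code only ever set the flag to true. If anything earlier in the method, outside this hunk, has already set `policyUpdated`, a false return now clears it; `if(removeUsersAndGroupsFromPolicy(policy, grantRequest.getUsers(), grantRequest.getGroups())) { policyUpdated = true; }` keeps the old behaviour. The removed block also ended with `compactPolicy(policy)`, which the helper does not call. Unless the grant path compacts later (not visible here), that step is lost, and the same applies to the replace branch added in the revoke hunk.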
@@ -791,45 +761,49 @@ public class ServiceREST {
 				
 				if(policy != null) {
 					boolean policyUpdated = false;
-	
-					for(String user : revokeRequest.getUsers()) {
-						RangerPolicyItem policyItem = getPolicyItemForUser(policy, user);
-
-						if (policyItem != null) {
-							if (removeAccesses(policyItem, revokeRequest.getAccessTypes())) {
-								policyUpdated = true;
-							}
 
+					// remove all existing privileges for users and groups
+					if(revokeRequest.getReplaceExistingPermissions()) {
+						policyUpdated = removeUsersAndGroupsFromPolicy(policy, revokeRequest.getUsers(), revokeRequest.getGroups());
+					} else {
+						for(String user : revokeRequest.getUsers()) {
+							RangerPolicyItem policyItem = getPolicyItemForUser(policy, user);
 
-							if (revokeRequest.getDelegateAdmin()) { // remove delegate?
-								if (policyItem.getDelegateAdmin()) {
-									policyItem.setDelegateAdmin(Boolean.FALSE);
+							if (policyItem != null) {
+								if (removeAccesses(policyItem, revokeRequest.getAccessTypes())) {
 									policyUpdated = true;
 								}
 
+								if (revokeRequest.getDelegateAdmin()) { // remove delegate?
+									if (policyItem.getDelegateAdmin()) {
+										policyItem.setDelegateAdmin(Boolean.FALSE);
+										policyUpdated = true;
+									}
+
+								}
 							}
 						}
-					}
 	
-					for(String group : revokeRequest.getGroups()) {
-						RangerPolicyItem policyItem = getPolicyItemForGroup(policy, group);
+						for(String group : revokeRequest.getGroups()) {
+							RangerPolicyItem policyItem = getPolicyItemForGroup(policy, group);
 						
-						if(policyItem != null) {
-							if(removeAccesses(policyItem, revokeRequest.getAccessTypes())) {
-								policyUpdated = true;
-							}
-	
-							if(revokeRequest.getDelegateAdmin()) { // remove delegate?
-								if(policyItem.getDelegateAdmin()) {
-									policyItem.setDelegateAdmin(Boolean.FALSE);
+							if(policyItem != null) {
+								if(removeAccesses(policyItem, revokeRequest.getAccessTypes())) {
 									policyUpdated = true;
 								}
+
+								if(revokeRequest.getDelegateAdmin()) { // remove delegate?
+									if(policyItem.getDelegateAdmin()) {
+										policyItem.setDelegateAdmin(Boolean.FALSE);
+										policyUpdated = true;
+									}
+								}
 							}
 						}
-					}
 	
-					if(compactPolicy(policy)) {
-						policyUpdated = true;
+						if(compactPolicy(policy)) {
+							policyUpdated = true;
+						}
 					}
 	
 					if(policyUpdated) {
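Review bot: When `revokeRequest.getReplaceExistingPermissions()` is true, the new branch never consults `revokeRequest.getAccessTypes()`, so a revoke naming a single access type removes the listed users and groups from every policy item, along with every access type they held. The HBase plugin in this commit always sends the flag as TRUE, so this may be the intended semantics, but the REST contract should state it, for example `// replaceExistingPermissions: accessTypes and delegateAdmin are ignored; the principals are removed from the policy entirely`. The getter appears to return a boxed Boolean (the plugin sets it with `Boolean.TRUE`), so a request that omits the field would presumably fail on unboxing in the `if`; `Boolean.TRUE.equals(revokeRequest.getReplaceExistingPermissions())` avoids that. The enclosing method starts and ends outside the hunk.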
@@ -1342,6 +1316,40 @@ public class ServiceREST {
 		return ret;
 	}
 
+	private boolean removeUsersAndGroupsFromPolicy(RangerPolicy policy, Set<String> users, Set<String> groups) {
+		boolean policyUpdated = false;
+
+		List<RangerPolicyItem> policyItems = policy.getPolicyItems();
+
+		int numOfItems = policyItems.size();
+
+		for(int i = 0; i < numOfItems; i++) {
+			RangerPolicyItem policyItem = policyItems.get(i);
+
+			if(CollectionUtils.containsAny(policyItem.getUsers(), users)) {
+				policyItem.getUsers().removeAll(users);
+
+				policyUpdated = true;
+			}
+
+			if(CollectionUtils.containsAny(policyItem.getGroups(), groups)) {
+				policyItem.getGroups().removeAll(groups);
+
+				policyUpdated = true;
+			}
+
+			if(CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) {
+				policyItems.remove(i);
+				numOfItems--;
+				i--;
+
+				policyUpdated = true;
+			}
+		}
+
+		return policyUpdated;
+	}
+
 	@GET
 	@Path("/policies/eventTime")
 	@Produces({ "application/json", "application/xml" })
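Review bot: `removeUsersAndGroupsFromPolicy` is now the one place where both grant and revoke strip principals from a policy, yet it has no Javadoc. I would add one stating that it mutates `policy` in place, deletes any item left with no users and no groups, ignores the item's access types and delegateAdmin, and returns whether anything changed. Whether `users` or `groups` can be null is not visible here. If the request getters can return null, the `removeAll` calls depend on `CollectionUtils.containsAny` rejecting null first, which varies with the CollectionUtils class imported and is worth confirming.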