Posted to commits@ranger.apache.org by ma...@apache.org on 2015/04/28 02:14:35 UTC
incubator-ranger git commit: RANGER-434: updated revoke
implementation in HBase plugin to remove delegateAdmin
Repository: incubator-ranger
Updated Branches:
refs/heads/master 88db70795 -> 27c81a236
RANGER-434: updated revoke implementation in HBase plugin to remove delegateAdmin
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/27c81a23
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/27c81a23
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/27c81a23
Branch: refs/heads/master
Commit: 27c81a236cec7100cd7ed204d0e888848bf19778
Parents: 88db707
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Mon Apr 27 17:07:59 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Mon Apr 27 17:07:59 2015 -0700
----------------------------------------------------------------------
.../hbase/RangerAuthorizationCoprocessor.java | 2 +-
.../org/apache/ranger/rest/ServiceREST.java | 120 ++++++++++---------
2 files changed, 65 insertions(+), 57 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/27c81a23/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 4893aa3..f42c15a 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -1243,7 +1243,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
GrantRevokeRequest ret = new GrantRevokeRequest();
ret.setGrantor(grantor);
- ret.setDelegateAdmin(Boolean.FALSE);
+ ret.setDelegateAdmin(Boolean.TRUE); // remove delegateAdmin privilege as well
ret.setEnableAudit(Boolean.TRUE);
ret.setReplaceExistingPermissions(Boolean.TRUE);
ret.setResource(mapResource);
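Review bot: The trailing comment on `ret.setDelegateAdmin(Boolean.TRUE)` does not say that on a revoke request TRUE means "clear delegateAdmin", which is easy to misread as conferring the privilege. I would word it as `// revoke request: TRUE asks the admin to clear delegateAdmin, it does not grant it`. This builder also sets `setReplaceExistingPermissions(Boolean.TRUE)` two lines below. The revoke path this commit adds in ServiceREST.java never reads `getDelegateAdmin()` on that branch, so the flag appears to matter only to an admin that takes the per-access-type branch. The enclosing method starts and ends outside the hunk.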
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/27c81a23/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index a02b932..c2701a6 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -612,37 +612,7 @@ public class ServiceREST {
// replace all existing privileges for users and groups
if(grantRequest.getReplaceExistingPermissions()) {
- List<RangerPolicyItem> policyItems = policy.getPolicyItems();
-
- int numOfItems = policyItems.size();
-
- for(int i = 0; i < numOfItems; i++) {
- RangerPolicyItem policyItem = policyItems.get(i);
-
- if(CollectionUtils.containsAny(policyItem.getUsers(), grantRequest.getUsers())) {
- policyItem.getUsers().removeAll(grantRequest.getUsers());
-
- policyUpdated = true;
- }
-
- if(CollectionUtils.containsAny(policyItem.getGroups(), grantRequest.getGroups())) {
- policyItem.getGroups().removeAll(grantRequest.getGroups());
-
- policyUpdated = true;
- }
-
- if(CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) {
- policyItems.remove(i);
- numOfItems--;
- i--;
-
- policyUpdated = true;
- }
- }
-
- if(compactPolicy(policy)) {
- policyUpdated = true;
- }
+ policyUpdated = removeUsersAndGroupsFromPolicy(policy, grantRequest.getUsers(), grantRequest.getGroups());
}
for(String user : grantRequest.getUsers()) {
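Review bot: The assignment `policyUpdated = removeUsersAndGroupsFromPolicy(...)` overwrites the flag, whereas the removed block only ever set it to true. If anything earlier in this method (outside the hunk) can already have set `policyUpdated`, a false return now clears it; `policyUpdated |= removeUsersAndGroupsFromPolicy(policy, grantRequest.getUsers(), grantRequest.getGroups());` keeps the previous behaviour. The removed block also ended with `compactPolicy(policy)`, which the new helper does not call. It is worth confirming that the grant path still compacts the policy after the loops that follow.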
@@ -791,45 +761,49 @@ public class ServiceREST {
if(policy != null) {
boolean policyUpdated = false;
-
- for(String user : revokeRequest.getUsers()) {
- RangerPolicyItem policyItem = getPolicyItemForUser(policy, user);
-
- if (policyItem != null) {
- if (removeAccesses(policyItem, revokeRequest.getAccessTypes())) {
- policyUpdated = true;
- }
+ // remove all existing privileges for users and groups
+ if(revokeRequest.getReplaceExistingPermissions()) {
+ policyUpdated = removeUsersAndGroupsFromPolicy(policy, revokeRequest.getUsers(), revokeRequest.getGroups());
+ } else {
+ for(String user : revokeRequest.getUsers()) {
+ RangerPolicyItem policyItem = getPolicyItemForUser(policy, user);
- if (revokeRequest.getDelegateAdmin()) { // remove delegate?
- if (policyItem.getDelegateAdmin()) {
- policyItem.setDelegateAdmin(Boolean.FALSE);
+ if (policyItem != null) {
+ if (removeAccesses(policyItem, revokeRequest.getAccessTypes())) {
policyUpdated = true;
}
+ if (revokeRequest.getDelegateAdmin()) { // remove delegate?
+ if (policyItem.getDelegateAdmin()) {
+ policyItem.setDelegateAdmin(Boolean.FALSE);
+ policyUpdated = true;
+ }
+
+ }
}
}
- }
- for(String group : revokeRequest.getGroups()) {
- RangerPolicyItem policyItem = getPolicyItemForGroup(policy, group);
+ for(String group : revokeRequest.getGroups()) {
+ RangerPolicyItem policyItem = getPolicyItemForGroup(policy, group);
- if(policyItem != null) {
- if(removeAccesses(policyItem, revokeRequest.getAccessTypes())) {
- policyUpdated = true;
- }
-
- if(revokeRequest.getDelegateAdmin()) { // remove delegate?
- if(policyItem.getDelegateAdmin()) {
- policyItem.setDelegateAdmin(Boolean.FALSE);
+ if(policyItem != null) {
+ if(removeAccesses(policyItem, revokeRequest.getAccessTypes())) {
policyUpdated = true;
}
+
+ if(revokeRequest.getDelegateAdmin()) { // remove delegate?
+ if(policyItem.getDelegateAdmin()) {
+ policyItem.setDelegateAdmin(Boolean.FALSE);
+ policyUpdated = true;
+ }
+ }
}
}
- }
- if(compactPolicy(policy)) {
- policyUpdated = true;
+ if(compactPolicy(policy)) {
+ policyUpdated = true;
+ }
}
if(policyUpdated) {
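Review bot: On the new `revokeRequest.getReplaceExistingPermissions()` branch the revoke never consults `revokeRequest.getAccessTypes()` or `getDelegateAdmin()`; the listed users and groups are removed from every item of the matched policy. That errs towards over-revocation, but a caller naming a single access type loses all access the policy granted, and the HBase plugin request shown in this commit sets the flag unconditionally. A comment at the branch would make the contract explicit, for example `// replaceExistingPermissions: drop these users/groups from all policy items; accessTypes and delegateAdmin are not consulted`. `compactPolicy(policy)` now runs only in the else branch, so whatever it normalises is skipped on the replace path. The enclosing method continues outside the hunk.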
@@ -1342,6 +1316,40 @@ public class ServiceREST {
return ret;
}
+ private boolean removeUsersAndGroupsFromPolicy(RangerPolicy policy, Set<String> users, Set<String> groups) {
+ boolean policyUpdated = false;
+
+ List<RangerPolicyItem> policyItems = policy.getPolicyItems();
+
+ int numOfItems = policyItems.size();
+
+ for(int i = 0; i < numOfItems; i++) {
+ RangerPolicyItem policyItem = policyItems.get(i);
+
+ if(CollectionUtils.containsAny(policyItem.getUsers(), users)) {
+ policyItem.getUsers().removeAll(users);
+
+ policyUpdated = true;
+ }
+
+ if(CollectionUtils.containsAny(policyItem.getGroups(), groups)) {
+ policyItem.getGroups().removeAll(groups);
+
+ policyUpdated = true;
+ }
+
+ if(CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) {
+ policyItems.remove(i);
+ numOfItems--;
+ i--;
+
+ policyUpdated = true;
+ }
+ }
+
+ return policyUpdated;
+ }
+
@GET
@Path("/policies/eventTime")
@Produces({ "application/json", "application/xml" })
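Review bot: The loop in `removeUsersAndGroupsFromPolicy` removes from `policyItems` while indexing forward and repairs the index by hand with `numOfItems--; i--;`, which is easy to break in a later edit. Walking the list from the end, `for(int i = policyItems.size() - 1; i >= 0; i--) {`, lets `policyItems.remove(i)` stand alone and drops the `numOfItems` local. The method also has no Javadoc. A short one should say that it returns true when any item was changed or removed. It should also say that only principals named directly in an item are stripped: group membership is not resolved here, so a revoked user covered by a group that stays in the item would presumably keep that access.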