Posted to commits@ranger.apache.org by me...@apache.org on 2017/09/29 07:35:02 UTC

ranger git commit: RANGER-1756: Handle role related restrictions for users having User role.

Repository: ranger
Updated Branches:
  refs/heads/master a30c43db3 -> f0cb6223d


RANGER-1756: Handle role related restrictions for users having User role.

Signed-off-by: Mehul Parikh <me...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/f0cb6223
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/f0cb6223
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/f0cb6223

Branch: refs/heads/master
Commit: f0cb6223d5111ac27c717d69e4cd2ef21db09f70
Parents: a30c43d
Author: ni3galave <ni...@gmail.com>
Authored: Fri Sep 29 12:40:39 2017 +0530
Committer: Mehul Parikh <me...@apache.org>
Committed: Fri Sep 29 13:04:20 2017 +0530

----------------------------------------------------------------------
 .../hadoop/security/SecureClientLogin.java      |  3 +--
 .../java/org/apache/ranger/rest/XUserREST.java  | 25 ++++++++++++++++++--
 .../src/main/webapp/scripts/utils/XAUtils.js    |  4 +++-
 3 files changed, 27 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/f0cb6223/agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java b/agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java
index 320a9a4..e4d6a39 100644
--- a/agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java
+++ b/agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java
@@ -71,7 +71,6 @@ public class SecureClientLogin {
 	}
 
 	public synchronized static Subject loginUserWithPassword(String user, String password) throws IOException {
-		String tmpPass = password;
 		try {
 			Subject subject = new Subject();
 			SecureClientLoginConfiguration loginConf = new SecureClientLoginConfiguration(false, user, password);
@@ -80,7 +79,7 @@ public class SecureClientLogin {
 			login.login();
 			return login.getSubject();
 		} catch (LoginException le) {
-			throw new IOException("Login failure for " + user + " using password " + tmpPass.replaceAll(".","*"), le);
+			throw new IOException("Login failure for " + user + " using password ****", le);
 		}
 	}
 
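Review bot: The fixed text `using password ****` in the new message carries no information and can be read as a masked four-character password; `throw new IOException("Login failure for " + user, le);` says the same thing. A short comment above the throw, for example `// never include the password or its length in the message`, would keep a later edit from reintroducing it.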

http://git-wip-us.apache.org/repos/asf/ranger/blob/f0cb6223/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
index 739ea05..5a58346 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
@@ -20,6 +20,8 @@
  package org.apache.ranger.rest;
 
 import java.util.HashMap;
+import java.util.List;
+import java.util.Random;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.DELETE;
@@ -31,12 +33,14 @@ import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.Context;
 
+import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.biz.RangerBizUtil;
 import org.apache.ranger.biz.SessionMgr;
 import org.apache.ranger.biz.XUserMgr;
 import org.apache.ranger.common.MessageEnums;
 import org.apache.ranger.common.RESTErrorUtil;
+import org.apache.ranger.common.RangerConstants;
 import org.apache.ranger.common.SearchCriteria;
 import org.apache.ranger.common.SearchUtil;
 import org.apache.ranger.common.StringUtil;
@@ -346,18 +350,35 @@ public class XUserREST {
 	@Produces({ "application/xml", "application/json" })
 	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_USERS + "\")")
 	public VXUserList searchXUsers(@Context HttpServletRequest request) {
+		String UserRoleParamName = RangerConstants.ROLE_USER;
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 				request, xUserService.sortFields);
-
+		String userName = null;
+		if(request != null && request.getUserPrincipal() != null){
+			userName = request.getUserPrincipal().getName();
+		}
 		searchUtil.extractString(request, searchCriteria, "name", "User name",null);
 		searchUtil.extractString(request, searchCriteria, "emailAddress", "Email Address",
 				null);		
 		searchUtil.extractInt(request, searchCriteria, "userSource", "User Source");
 		searchUtil.extractInt(request, searchCriteria, "isVisible", "User Visibility");
 		searchUtil.extractInt(request, searchCriteria, "status", "User Status");
-		searchUtil.extractStringList(request, searchCriteria, "userRoleList", "User Role List", "userRoleList", null,
+		List<String> userRolesList = searchUtil.extractStringList(request, searchCriteria, "userRoleList", "User Role List", "userRoleList", null,
 				null);
 		searchUtil.extractString(request, searchCriteria, "userRole", "UserRole", null);
+		if (CollectionUtils.isNotEmpty(userRolesList) && CollectionUtils.size(userRolesList) == 1 && userRolesList.get(0).equalsIgnoreCase(UserRoleParamName)) {
+			if (!(searchCriteria.getParamList().containsKey("name"))) {
+				searchCriteria.addParam("name", userName);
+			}
+			else if ((searchCriteria.getParamList().containsKey("name")) && userName.contains((String) searchCriteria.getParamList().get("name"))) {
+				searchCriteria.addParam("name", userName);
+			}
+			else {
+				String randomString = new Random().toString();
+				searchCriteria.addParam("name", randomString);
+			}
+		}
+
 		return xUserMgr.searchXUsers(searchCriteria);
 	}
 
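Review bot: The narrowing to the caller's own record in searchXUsers is triggered by the request's `userRoleList` being exactly `ROLE_USER`, not by the authenticated caller's role, so as far as this hunk shows a request that sends a different or no `userRoleList` is not narrowed; the check should key on the session's role unless `xUserMgr.searchXUsers` already enforces it. `userName` stays null when the request has no principal, so the first branch adds a null `name` filter and `userName.contains(...)` in the second throws a NullPointerException. `new Random().toString()` returns the object's default `java.util.Random@<hash>` string rather than a random value, so the no-match case depends on no user carrying that name; returning an empty list states the intent directly. The local `UserRoleParamName` should be lowerCamelCase, or simply replaced by the constant. The fence below assumes `VXUserList` has a no-argument constructor.

```java
// … unchanged: criteria extraction up to the "userRole" extractString call …
// NOTE(review): this trigger should come from the authenticated session's role, not from the request
boolean onlyUserRole = userRolesList != null && userRolesList.size() == 1
		&& RangerConstants.ROLE_USER.equalsIgnoreCase(userRolesList.get(0));
if (onlyUserRole) {
	if (userName == null) {
		// no authenticated principal: nothing may be listed
		return new VXUserList();
	}
	Object requestedName = searchCriteria.getParamList().get("name");
	if (requestedName != null && !userName.contains((String) requestedName)) {
		// the requested filter cannot match the caller's own record
		return new VXUserList();
	}
	searchCriteria.addParam("name", userName);
}
return xUserMgr.searchXUsers(searchCriteria);
```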

http://git-wip-us.apache.org/repos/asf/ranger/blob/f0cb6223/security-admin/src/main/webapp/scripts/utils/XAUtils.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/utils/XAUtils.js b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
index ecf43ad..90b41d8 100644
--- a/security-admin/src/main/webapp/scripts/utils/XAUtils.js
+++ b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
@@ -1215,7 +1215,9 @@ define(function(require) {
 		_.each(XAEnums.UserRoles,function(val, key){
 			if(SessionMgr.isKeyAdmin() && XAEnums.UserRoles.ROLE_SYS_ADMIN.value != val.value){
 				userRoleList.push(key)
-			}else if(!SessionMgr.isKeyAdmin() && XAEnums.UserRoles.ROLE_KEY_ADMIN.value != val.value){
+			}else if(SessionMgr.isSystemAdmin() && XAEnums.UserRoles.ROLE_KEY_ADMIN.value != val.value){
+				userRoleList.push(key)
+			}else if(SessionMgr.isUser() && XAEnums.UserRoles.ROLE_USER.value == val.value){
 				userRoleList.push(key)
 			}
 		})
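Review bot: The rewritten chain has no final branch, so a session for which none of `isKeyAdmin()`, `isSystemAdmin()` and `isUser()` is true now gets an empty `userRoleList`, where the removed `!SessionMgr.isKeyAdmin()` condition covered every non-key-admin session. If that is intended, say so in a comment such as `// any other role: no role filter options`. This list only shapes what the UI offers, so the role restriction still has to be enforced by the REST layer. The enclosing function starts and ends outside the hunk.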