You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ga...@apache.org on 2017/08/11 06:43:52 UTC
ranger git commit: RANGER-1491:Automatically map group of external
users to Administrator Role
Repository: ranger
Updated Branches:
refs/heads/ranger-0.7 694ff57f1 -> 99abbcfa9
RANGER-1491:Automatically map group of external users to Administrator Role
Signed-off-by: Gautam Borad <ga...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/99abbcfa
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/99abbcfa
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/99abbcfa
Branch: refs/heads/ranger-0.7
Commit: 99abbcfa99667b60ae5f217db4bce44ac01bfdce
Parents: 694ff57
Author: Bhavik Patel <bh...@gmail.com>
Authored: Tue Aug 8 10:59:54 2017 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Fri Aug 11 12:13:08 2017 +0530
----------------------------------------------------------------------
.../java/org/apache/ranger/biz/UserMgr.java | 63 +++++-
.../java/org/apache/ranger/biz/XUserMgr.java | 87 +++++---
.../org/apache/ranger/service/XUserService.java | 7 +-
.../java/org/apache/ranger/view/VXUser.java | 1 +
.../java/org/apache/ranger/biz/TestUserMgr.java | 4 +-
.../org/apache/ranger/biz/TestXUserMgr.java | 45 ++++-
.../process/LdapPolicyMgrUserGroupBuilder.java | 123 +++++++++++-
.../config/UserGroupSyncConfig.java | 41 ++++
.../ranger/unixusersync/model/XUserInfo.java | 20 +-
.../process/PolicyMgrUserGroupBuilder.java | 201 ++++++++++++++++++-
unixauthservice/scripts/install.properties | 15 ++
unixauthservice/scripts/setup.py | 17 ++
.../templates/installprop2xml.properties | 4 +
.../templates/ranger-ugsync-template.xml | 16 ++
14 files changed, 588 insertions(+), 56 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index be16f75..f27bfc1 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -142,6 +142,7 @@ public class UserMgr {
Collection<String> userRoleList) {
XXPortalUser user = mapVXPortalUserToXXPortalUser(userProfile);
checkAdminAccess();
+ xUserMgr.checkAccessRoles((List<String>) userRoleList);
user = createUser(user, userStatus, userRoleList);
return user;
@@ -175,7 +176,11 @@ public class UserMgr {
Collection<String> reqRoleList = userProfile.getUserRoleList();
if (reqRoleList != null && reqRoleList.size() > 0) {
for (String role : reqRoleList) {
- roleList.add(role);
+ if (role != null) {
+ roleList.add(role);
+ } else {
+ roleList.add(RangerConstants.ROLE_USER);
+ }
}
} else {
roleList.add(RangerConstants.ROLE_USER);
@@ -1109,6 +1114,8 @@ public class UserMgr {
checkAdminAccess();
logger.info("create:" + userProfile.getLoginId());
XXPortalUser xXPortalUser = null;
+ Collection<String> existingRoleList = null;
+ Collection<String> reqRoleList = null;
String loginId = userProfile.getLoginId();
String emailAddress = userProfile.getEmailAddress();
@@ -1143,13 +1150,59 @@ public class UserMgr {
*/
}
}
+ VXPortalUser userProfileRes = null;
if (xXPortalUser != null) {
- return mapXXPortalUserToVXPortalUserForDefaultAccount(xXPortalUser);
- } else {
- return null;
- }
+ userProfileRes = mapXXPortalUserToVXPortalUserForDefaultAccount(xXPortalUser);
+ if (userProfile.getUserRoleList() != null
+ && userProfile.getUserRoleList().size() > 0
+ && ((List<String>) userProfile.getUserRoleList()).get(0) != null) {
+ reqRoleList = userProfile.getUserRoleList();
+ existingRoleList = this.getRolesByLoginId(loginId);
+ XXPortalUser xxPortalUser = daoManager.getXXPortalUser()
+ .findByLoginId(userProfile.getLoginId());
+ if (xxPortalUser != null && xxPortalUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) {
+ userProfileRes = updateRoleForExternalUsers(reqRoleList, existingRoleList, userProfileRes);
+ }
+ }
+ }
+ return userProfileRes;
}
+ protected VXPortalUser updateRoleForExternalUsers(Collection<String> reqRoleList, Collection<String> existingRoleList, VXPortalUser userProfileRes) {
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if ("rangerusersync".equals(session.getXXPortalUser().getLoginId())
+ && reqRoleList != null && !reqRoleList.isEmpty()
+ && existingRoleList != null && !existingRoleList.isEmpty()) {
+ if (!reqRoleList.equals(existingRoleList)) {
+ userProfileRes.setUserRoleList(reqRoleList);
+ userProfileRes.setUserSource(RangerCommonEnums.USER_EXTERNAL);
+ List<XXUserPermission> xuserPermissionList = daoManager.getXXUserPermission().findByUserPermissionId(userProfileRes.getId());
+
+ if (xuserPermissionList!=null && xuserPermissionList.size()>0){
+
+ for (XXUserPermission xXUserPermission : xuserPermissionList) {
+ if (xXUserPermission != null) {
+ try {
+ xUserPermissionService.deleteResource(xXUserPermission.getId());
+ } catch (Exception e) {
+ logger.error(e.getMessage());
+ }
+ }
+
+ }
+ }
+ updateUser(userProfileRes);
+ }
+ } else {
+ if (logger.isDebugEnabled()) {
+ logger.debug("Permission" + " denied. LoggedInUser="
+ + (session != null ? session.getXXPortalUser().getId() : "")
+ + " isn't permitted to perform the action.");
+ }
+ }
+ return userProfileRes;
+ }
+
protected VXPortalUser mapXXPortalUserToVXPortalUserForDefaultAccount(
XXPortalUser user) {
http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index ca06805..676b1e3 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -156,6 +156,9 @@ public class XUserMgr extends XUserMgrBase {
@Autowired
GUIDUtil guidUtil;
+ @Autowired
+ UserMgr userManager;
+
static final Logger logger = Logger.getLogger(XUserMgr.class);
@@ -520,7 +523,13 @@ public class XUserMgr extends XUserMgrBase {
VXUserGroupInfo vxUGInfo = new VXUserGroupInfo();
VXUser vXUser = vXUserGroupInfo.getXuserInfo();
-
+ VXPortalUser vXPortalUser = userMgr.getUserProfileByLoginId(vXUser.getName());
+ XXPortalUser xxPortalUser = daoManager.getXXPortalUser().findByLoginId(vXUser.getName());
+ Collection<String> reqRoleList = vXUser.getUserRoleList();
+ List<String> existingRole = daoManager.getXXPortalUserRole().findXPortalUserRolebyXPortalUserId(xxPortalUser.getId());
+ if (xxPortalUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) {
+ vXPortalUser = userManager.updateRoleForExternalUsers(reqRoleList,existingRole, vXPortalUser);
+ }
vXUser = xUserService.createXUserWithOutLogin(vXUser);
vxUGInfo.setXuserInfo(vXUser);
@@ -536,9 +545,7 @@ public class XUserMgr extends XUserMgrBase {
vXGroupUser = xGroupUserService
.createXGroupUserWithOutLogin(vXGroupUser);
}
- VXPortalUser vXPortalUser = userMgr.getUserProfileByLoginId(vXUser
- .getName());
- if(vXPortalUser!=null){
+ if (vXPortalUser != null) {
assignPermissionToUser(vXPortalUser, true);
}
vxUGInfo.setXgroupInfo(vxg);
@@ -562,17 +569,37 @@ public class XUserMgr extends XUserMgrBase {
List<VXUser> vxu = new ArrayList<VXUser>();
for (VXUser vXUser : vXGroupUserInfo.getXuserInfo()) {
- XXUser xUser = daoManager.getXXUser().findByUserName(vXUser.getName());
+ XXUser xUser = daoManager.getXXUser().findByUserName(
+ vXUser.getName());
+ XXPortalUser xXPortalUser = daoManager.getXXPortalUser()
+ .findByLoginId(vXUser.getName());
if (xUser != null) {
- // Add or update group user mapping only if the user already exists in x_user table.
+ // Add or update group user mapping only if the user already
+ // exists in x_user table.
vXGroup = xGroupService.createXGroupWithOutLogin(vXGroup);
vxGUInfo.setXgroupInfo(vXGroup);
vxu.add(vXUser);
VXGroupUser vXGroupUser = new VXGroupUser();
vXGroupUser.setUserId(xUser.getId());
vXGroupUser.setName(vXGroup.getName());
- vXGroupUser = xGroupUserService
- .createXGroupUserWithOutLogin(vXGroupUser);
+ if (xXPortalUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) {
+ vXGroupUser = xGroupUserService
+ .createXGroupUserWithOutLogin(vXGroupUser);
+ }
+ Collection<String> reqRoleList = vXUser.getUserRoleList();
+
+ XXPortalUser xxPortalUser = daoManager.getXXPortalUser()
+ .findByLoginId(vXUser.getName());
+ List<String> existingRole = daoManager.getXXPortalUserRole()
+ .findXPortalUserRolebyXPortalUserId(
+ xxPortalUser.getId());
+ VXPortalUser vxPortalUser = userManager
+ .mapXXPortalUserToVXPortalUserForDefaultAccount(xxPortalUser);
+ if (xxPortalUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) {
+ vxPortalUser = userManager.updateRoleForExternalUsers(
+ reqRoleList, existingRole, vxPortalUser);
+ assignPermissionToUser(vxPortalUser, true);
+ }
}
}
@@ -1271,30 +1298,42 @@ public class XUserMgr extends XUserMgrBase {
public void checkAccessRoles(List<String> stringRolesList) {
UserSessionBase session = ContextUtil.getCurrentUserSession();
- if (session != null && stringRolesList!=null) {
+ if (session != null && stringRolesList != null) {
if (!session.isUserAdmin() && !session.isKeyAdmin()) {
throw restErrorUtil.create403RESTException("Permission"
+ " denied. LoggedInUser="
+ (session != null ? session.getXXPortalUser().getId()
: "Not Logged In")
+ " ,isn't permitted to perform the action.");
- }else{
- if (session.isUserAdmin() && stringRolesList.contains(RangerConstants.ROLE_KEY_ADMIN)) {
- throw restErrorUtil.create403RESTException("Permission"
- + " denied. LoggedInUser="
- + (session != null ? session.getXXPortalUser().getId()
- : "")
- + " isn't permitted to perform the action.");
- }
- if (session.isKeyAdmin() && stringRolesList.contains(RangerConstants.ROLE_SYS_ADMIN)) {
- throw restErrorUtil.create403RESTException("Permission"
- + " denied. LoggedInUser="
- + (session != null ? session.getXXPortalUser().getId()
- : "")
- + " isn't permitted to perform the action.");
+ } else {
+ if (!"rangerusersync".equals(session.getXXPortalUser()
+ .getLoginId())) {// new logic for rangerusersync user
+ if (session.isUserAdmin()
+ && stringRolesList
+ .contains(RangerConstants.ROLE_KEY_ADMIN)) {
+ throw restErrorUtil.create403RESTException("Permission"
+ + " denied. LoggedInUser="
+ + (session != null ? session.getXXPortalUser()
+ .getId() : "")
+ + " isn't permitted to perform the action.");
+ }
+ if (session.isKeyAdmin()
+ && stringRolesList
+ .contains(RangerConstants.ROLE_SYS_ADMIN)) {
+ throw restErrorUtil.create403RESTException("Permission"
+ + " denied. LoggedInUser="
+ + (session != null ? session.getXXPortalUser()
+ .getId() : "")
+ + " isn't permitted to perform the action.");
+ }
+ } else {
+ logger.info("LoggedInUser="
+ + (session != null ? session.getXXPortalUser()
+ .getId()
+ : " is permitted to perform the action"));
}
}
- }else{
+ } else {
VXResponse vXResponse = new VXResponse();
vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
vXResponse.setMsgDesc("Bad Credentials");
http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/security-admin/src/main/java/org/apache/ranger/service/XUserService.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XUserService.java b/security-admin/src/main/java/org/apache/ranger/service/XUserService.java
index 0d07982..b2b06ff 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XUserService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/XUserService.java
@@ -49,7 +49,7 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Service;
import org.springframework.util.CollectionUtils;
-
+import org.apache.ranger.common.RangerCommonEnums;
@Service
@Scope("singleton")
public class XUserService extends XUserServiceBase<XXUser, VXUser> {
@@ -168,7 +168,10 @@ public class XUserService extends XUserServiceBase<XXUser, VXUser> {
xxUser = new XXUser();
userExists = false;
}
-
+ XXPortalUser xxPortalUser = daoManager.getXXPortalUser().findByLoginId(vxUser.getName());
+ if (xxPortalUser != null && xxPortalUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) {
+ vxUser.setIsVisible(xxUser.getIsVisible());
+ }
xxUser = mapViewToEntityBean(vxUser, xxUser, 0);
XXPortalUser xXPortalUser = daoManager.getXXPortalUser().getById(createdByUserId);
if (xXPortalUser != null) {
http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/security-admin/src/main/java/org/apache/ranger/view/VXUser.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/view/VXUser.java b/security-admin/src/main/java/org/apache/ranger/view/VXUser.java
index ecfd1ac..6e1d299 100644
--- a/security-admin/src/main/java/org/apache/ranger/view/VXUser.java
+++ b/security-admin/src/main/java/org/apache/ranger/view/VXUser.java
@@ -300,6 +300,7 @@ public class VXUser extends VXDataObject implements java.io.Serializable {
str += "isVisible={" + isVisible + "} ";
str += "groupIdList={" + groupIdList + "} ";
str += "groupNameList={" + groupNameList + "} ";
+ str += "roleList={" + userRoleList + "} ";
str += "}";
return str;
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java
index 6083778..6dc483d 100644
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java
@@ -774,8 +774,8 @@ public class TestUserMgr {
dbVXPortalUser.getEmailAddress());
Assert.assertEquals(user.getPassword(), dbVXPortalUser.getPassword());
- Mockito.verify(daoManager).getXXPortalUser();
- Mockito.verify(daoManager).getXXPortalUserRole();
+ Mockito.verify(daoManager, Mockito.atLeast(1)).getXXPortalUser();
+ Mockito.verify(daoManager, Mockito.atLeast(1)).getXXPortalUserRole();
}
@Test
http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
index 2542f91..6e6be72 100644
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
@@ -24,7 +24,8 @@ import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
-
+import org.apache.ranger.common.RangerCommonEnums;
+import org.apache.ranger.common.RangerConstants;
import org.apache.ranger.common.ContextUtil;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.SearchCriteria;
@@ -175,6 +176,10 @@ public class TestXUserMgr {
UserSessionBase currentUserSession = ContextUtil
.getCurrentUserSession();
currentUserSession.setUserAdmin(true);
+ XXPortalUser gjUser = new XXPortalUser();
+ gjUser.setLoginId("test");
+ gjUser.setId(1L);
+ currentUserSession.setXXPortalUser(gjUser);
}
private VXUser vxUser() {
@@ -628,14 +633,16 @@ public class TestXUserMgr {
Mockito.when(xUserService.getXUserByUserName(userName)).thenReturn(
vxUser);
-
+ XXModuleDefDao xxModuleDefDao = Mockito.mock(XXModuleDefDao.class);
+ Mockito.when(daoManager.getXXModuleDef()).thenReturn(xxModuleDefDao);
VXUser dbVXUser = xUserMgr.getXUserByUserName(userName);
Assert.assertNotNull(dbVXUser);
userId = dbVXUser.getId();
Assert.assertEquals(userId, dbVXUser.getId());
Assert.assertEquals(dbVXUser.getName(), vxUser.getName());
Assert.assertEquals(dbVXUser.getOwner(), vxUser.getOwner());
- Mockito.verify(xUserService).getXUserByUserName(userName);
+ Mockito.verify(xUserService, Mockito.atLeast(2)).getXUserByUserName(
+ userName);
}
@Test
@@ -873,6 +880,20 @@ public class TestXUserMgr {
Mockito.when(
xGroupUserService.createXGroupUserWithOutLogin(vXGroupUser2))
.thenReturn(vXGroupUser2);
+ XXPortalUserDao portalUser = Mockito.mock(XXPortalUserDao.class);
+ Mockito.when(daoManager.getXXPortalUser()).thenReturn(portalUser);
+ XXPortalUser user = new XXPortalUser();
+ user.setId(1L);
+ user.setUserSource(RangerCommonEnums.USER_APP);
+ Mockito.when(portalUser.findByLoginId(vXUser.getName())).thenReturn(
+ user);
+ XXPortalUserRoleDao userDao = Mockito.mock(XXPortalUserRoleDao.class);
+ Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(userDao);
+ List<String> lstRole = new ArrayList<String>();
+ lstRole.add(RangerConstants.ROLE_SYS_ADMIN);
+ Mockito.when(
+ userDao.findXPortalUserRolebyXPortalUserId(Mockito.anyLong()))
+ .thenReturn(lstRole);
VXUserGroupInfo vxUserGroupTest = xUserMgr
.createXUserGroupFromMap(vXUserGroupInfo);
@@ -882,6 +903,11 @@ public class TestXUserMgr {
expected.add(vXGroup1);
expected.add(vXGroup2);
Assert.assertTrue(result.containsAll(expected));
+ Mockito.verify(daoManager).getXXPortalUser();
+ Mockito.verify(portalUser).findByLoginId(vXUser.getName());
+ Mockito.verify(daoManager).getXXPortalUserRole();
+ Mockito.verify(userDao).findXPortalUserRolebyXPortalUserId(
+ Mockito.anyLong());
}
// Module permission
@@ -1312,9 +1338,20 @@ public class TestXUserMgr {
String userName = "test";
Mockito.when(xUserService.getXUserByUserName(userName)).thenReturn(
vxUser);
+ XXModuleDefDao modDef = Mockito.mock(XXModuleDefDao.class);
+ Mockito.when(daoManager.getXXModuleDef()).thenReturn(modDef);
+ List<String> lstModule = new ArrayList<String>();
+ lstModule.add(RangerConstants.MODULE_USER_GROUPS);
+ Mockito.when(
+ modDef.findAccessibleModulesByUserId(Mockito.anyLong(),
+ Mockito.anyLong())).thenReturn(lstModule);
Set<String> list = xUserMgr.getGroupsForUser(userName);
Assert.assertNotNull(list);
- Mockito.verify(xUserService).getXUserByUserName(userName);
+ Mockito.verify(xUserService, Mockito.atLeast(2)).getXUserByUserName(
+ userName);
+ Mockito.verify(daoManager).getXXModuleDef();
+ Mockito.verify(modDef).findAccessibleModulesByUserId(Mockito.anyLong(),
+ Mockito.anyLong());
}
@Test
http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java
index 428ad30..9548ed4 100644
--- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java
+++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java
@@ -65,6 +65,10 @@ import com.sun.jersey.api.client.config.ClientConfig;
import com.sun.jersey.api.client.config.DefaultClientConfig;
import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter;
import com.sun.jersey.client.urlconnection.HTTPSProperties;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.HashMap;
+import java.util.StringTokenizer;
public class LdapPolicyMgrUserGroupBuilder implements UserGroupSink {
@@ -100,7 +104,8 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
private UserGroupInfo usergroupInfo = new UserGroupInfo();
private GroupUserInfo groupuserInfo = new GroupUserInfo();
-
+ Map<String, String> userMap = new LinkedHashMap<String, String>();
+ Map<String, String> groupMap = new LinkedHashMap<String, String>();
Table<String, String, String> groupsUsersTable;
private String keyStoreFile = null;
@@ -147,7 +152,10 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
}
keytab = config.getProperty(KEYTAB,"");
nameRules = config.getProperty(NAME_RULE,"DEFAULT");
-
+ String userGroupRoles = config.getGroupRoleRules();
+ if (userGroupRoles != null && !userGroupRoles.isEmpty()) {
+ getRoleForUserGroups(userGroupRoles);
+ }
}
@Override
@@ -331,7 +339,11 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
xuserInfo.setName(aUserName);
xuserInfo.setDescription(aUserName + " - add from Unix box");
-
+ if (userMap.containsKey(aUserName)) {
+ List<String> roleList = new ArrayList<String>();
+ roleList.add(userMap.get(aUserName));
+ xuserInfo.setUserRoleList(roleList);
+ }
usergroupInfo.setXuserInfo(xuserInfo);
return xuserInfo;
@@ -414,9 +426,11 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
}
List<String> oldUsers = new ArrayList<String>();
+ Map <String,List<String>> oldUserMap = new HashMap<String, List<String>>();
if (groupUserInfo != null && groupUserInfo.getXuserInfo() != null) {
for (XUserInfo xUserInfo : groupUserInfo.getXuserInfo()) {
oldUsers.add(xUserInfo.getName());
+ oldUserMap.put(xUserInfo.getName(), xUserInfo.getUserRoleList());
}
LOG.debug("Returned users for group " + groupUserInfo.getXgroupInfo().getName() + " are: " + oldUsers);
}
@@ -433,7 +447,7 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
addUsers = users;
} else {
for (String user : users) {
- if (!oldUsers.contains(user)) {
+ if (!oldUsers.contains(user)|| !(oldUserMap.get(user).equals(groupMap.get(groupName)))) {
addUsers.add(user);
}
}
@@ -569,7 +583,30 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
WebResource r = c.resource(getURL(PM_ADD_GROUP_USER_INFO_URI));
Gson gson = new GsonBuilder().create();
-
+ if (groupuserInfo != null
+ && groupuserInfo.getXgroupInfo() != null
+ && groupuserInfo.getXuserInfo() != null
+ && groupMap
+ .containsKey(groupuserInfo.getXgroupInfo().getName())
+ && groupuserInfo.getXuserInfo().size() > 0) {
+ List<String> userRoleList = new ArrayList<String>();
+ userRoleList.add(groupMap.get(groupuserInfo.getXgroupInfo()
+ .getName()));
+ int i = groupuserInfo.getXuserInfo().size();
+ for (int j = 0; j < i; j++) {
+ if (userMap.containsKey(groupuserInfo.getXuserInfo().get(j)
+ .getName())) {
+ List<String> userRole = new ArrayList<String>();
+ userRole.add(userMap.get(groupuserInfo.getXuserInfo()
+ .get(j).getName()));
+ groupuserInfo.getXuserInfo().get(j)
+ .setUserRoleList(userRole);
+ } else {
+ groupuserInfo.getXuserInfo().get(j)
+ .setUserRoleList(userRoleList);
+ }
+ }
+ }
String jsonString = gson.toJson(groupuserInfo);
LOG.debug("GROUP USER MAPPING" + jsonString);
@@ -591,7 +628,11 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
userInfo.setLoginId(aUserName);
userInfo.setFirstName(aUserName);
userInfo.setLastName(aUserName);
-
+ String str[] = new String[1];
+ if (userMap.containsKey(aUserName)) {
+ str[0] = userMap.get(aUserName);
+ }
+ userInfo.setUserRoleList(str);
if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)) {
try {
Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
@@ -804,4 +845,74 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
return ret;
}
+ private void getRoleForUserGroups(String userGroupRolesData) {
+ String roleDelimiter = config.getRoleDelimiter();
+ String userGroupDelimiter = config.getUserGroupDelimiter();
+ String userNameDelimiter = config.getUserGroupNameDelimiter();
+ if (roleDelimiter == null || roleDelimiter.isEmpty()) {
+ roleDelimiter = "&";
+ }
+ if (userGroupDelimiter == null || userGroupDelimiter.isEmpty()) {
+ userGroupDelimiter = ":";
+ }
+ if (userNameDelimiter == null || userNameDelimiter.isEmpty()) {
+ userNameDelimiter = ",";
+ }
+ StringTokenizer str = new StringTokenizer(userGroupRolesData,
+ roleDelimiter);
+ int flag = 0;
+ String userGroupCheck = null;
+ String roleName = null;
+ while (str.hasMoreTokens()) {
+ flag = 0;
+ String tokens = str.nextToken();
+ if (tokens != null && !tokens.isEmpty()) {
+ StringTokenizer userGroupRoles = new StringTokenizer(tokens,
+ userGroupDelimiter);
+ if (userGroupRoles != null) {
+ while (userGroupRoles.hasMoreElements()) {
+ String userGroupRolesTokens = userGroupRoles
+ .nextToken();
+ if (userGroupRolesTokens != null
+ && !userGroupRolesTokens.isEmpty()) {
+ flag++;
+ switch (flag) {
+ case 1:
+ roleName = userGroupRolesTokens;
+ break;
+ case 2:
+ userGroupCheck = userGroupRolesTokens;
+ break;
+ case 3:
+ StringTokenizer userGroupNames = new StringTokenizer(
+ userGroupRolesTokens, userNameDelimiter);
+ if (userGroupNames != null) {
+ while (userGroupNames.hasMoreElements()) {
+ String userGroup = userGroupNames
+ .nextToken();
+ if (userGroup != null
+ && !userGroup.isEmpty()) {
+ if (userGroupCheck
+ .equalsIgnoreCase("u")) {
+ userMap.put(userGroup.trim(), roleName.trim());
+ } else if (userGroupCheck
+ .equalsIgnoreCase("g")) {
+ groupMap.put(userGroup.trim(),
+ roleName.trim());
+ }
+ }
+ }
+ }
+ break;
+ default:
+ userMap.clear();
+ groupMap.clear();
+ break;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
index fc239af..df16043 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
@@ -235,6 +235,11 @@ public class UserGroupSyncConfig {
private static final String SYNC_MAPPING_GROUPNAME_HANDLER = "ranger.usersync.mapping.groupname.handler";
private static final String DEFAULT_SYNC_MAPPING_GROUPNAME_HANDLER = "org.apache.ranger.usergroupsync.RegEx";
+ private static final String ROLE_ASSIGNMENT_LIST_DELIMITER = "ranger.usersync.role.assignment.list.delimiter";
+ private static final String USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER = "ranger.usersync.users.groups.assignment.list.delimiter";
+ private static final String USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER = "ranger.usersync.username.groupname.assignment.list.delimiter";
+ private static final String GROUP_BASED_ROLE_ASSIGNMENT_RULES = "ranger.usersync.group.based.role.assignment.rules";
+
private Properties prop = new Properties();
private static volatile UserGroupSyncConfig me = null;
@@ -1063,4 +1068,40 @@ public class UserGroupSyncConfig {
public void setDeltaSync(boolean deltaSyncEnabled) {
prop.setProperty(LGSYNC_LDAP_DELTASYNC_ENABLED, String.valueOf(deltaSyncEnabled));
}
+ public String getGroupRoleRules() {
+ if(prop != null && prop.containsKey(GROUP_BASED_ROLE_ASSIGNMENT_RULES)) {
+ String GroupRoleRules = prop.getProperty(GROUP_BASED_ROLE_ASSIGNMENT_RULES);
+ if(GroupRoleRules != null && !GroupRoleRules.isEmpty()) {
+ return GroupRoleRules.trim();
+ }
+ }
+ return null;
+ }
+ public String getUserGroupDelimiter() {
+ if(prop != null && prop.containsKey(USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER)) {
+ String UserGroupDelimiter = prop.getProperty(USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER);
+ if(UserGroupDelimiter != null && !UserGroupDelimiter.isEmpty()) {
+ return UserGroupDelimiter;
+ }
+ }
+ return null;
+ }
+ public String getUserGroupNameDelimiter() {
+ if(prop != null && prop.containsKey(USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER)) {
+ String UserGroupNameDelimiter = prop.getProperty(USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER);
+ if(UserGroupNameDelimiter != null && !UserGroupNameDelimiter.isEmpty()) {
+ return UserGroupNameDelimiter;
+ }
+ }
+ return null;
+ }
+ public String getRoleDelimiter() {
+ if(prop != null && prop.containsKey(ROLE_ASSIGNMENT_LIST_DELIMITER)) {
+ String roleDelimiter = prop.getProperty(ROLE_ASSIGNMENT_LIST_DELIMITER);
+ if(roleDelimiter != null && !roleDelimiter.isEmpty()) {
+ return roleDelimiter;
+ }
+ }
+ return null;
+ }
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/ugsync/src/main/java/org/apache/ranger/unixusersync/model/XUserInfo.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/model/XUserInfo.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/model/XUserInfo.java
index 7d636fd..b21468b 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/model/XUserInfo.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/model/XUserInfo.java
@@ -26,8 +26,8 @@ public class XUserInfo {
private String id;
private String name;
private String description;
-
- private List<String> groupNameList = new ArrayList<String>();
+ private List<String> groupNameList = new ArrayList<String>();
+ private List<String> userRoleList = new ArrayList<String>();
public String getId() {
return id;
@@ -59,5 +59,19 @@ public class XUserInfo {
public List<String> getGroups() {
return groupNameList;
}
-
+
+ public List<String> getUserRoleList() {
+ return userRoleList;
+ }
+
+ public void setUserRoleList(List<String> userRoleList) {
+ this.userRoleList = userRoleList;
+ }
+
+ @Override
+ public String toString() {
+ return "XUserInfo [id=" + id + ", name=" + name + ", description="
+ + description + ", groupNameList=" + groupNameList
+ + ", userRoleList=" + userRoleList + "]";
+ }
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
index 070a39b..87b4883 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
@@ -68,7 +68,9 @@ import org.apache.ranger.unixusersync.model.XUserInfo;
import org.apache.ranger.unixusersync.model.UserGroupInfo;
import org.apache.ranger.usergroupsync.UserGroupSink;
import org.apache.ranger.usersync.util.UserSyncUtil;
-
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.StringTokenizer;
public class PolicyMgrUserGroupBuilder implements UserGroupSink {
private static final Logger LOG = Logger.getLogger(PolicyMgrUserGroupBuilder.class);
@@ -121,7 +123,8 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
String principal;
String keytab;
String nameRules;
-
+ Map<String, String> userMap = new LinkedHashMap<String, String>();
+ Map<String, String> groupMap = new LinkedHashMap<String, String>();
static {
try {
LOCAL_HOSTNAME = java.net.InetAddress.getLocalHost().getCanonicalHostName();
@@ -160,6 +163,10 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
}
keytab = config.getProperty(KEYTAB,"");
nameRules = config.getProperty(NAME_RULE,"DEFAULT");
+ String userGroupRoles = config.getGroupRoleRules();
+ if (userGroupRoles != null && !userGroupRoles.isEmpty()) {
+ getRoleForUserGroups(userGroupRoles);
+ }
buildUserGroupInfo();
}
@@ -366,7 +373,28 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
}
if (! isMockRun) {
if (!addGroups.isEmpty()){
- ugInfo.setXuserInfo(addXUserInfo(userName));
+ XUserInfo obj = addXUserInfo(userName);
+ if (obj != null) {
+ for (int i = 0; i < addGroups.size(); i++) {
+ if (groupMap.containsKey(addGroups.get(i))) {
+ List<String> userRoleList = new ArrayList<String>();
+ userRoleList
+ .add(groupMap.get(addGroups.get(i)));
+ if (userMap.containsKey(obj.getName())) {
+ List<String> userRole = new ArrayList<String>();
+ userRole.add(userMap.get(obj.getName()));
+ if (!obj.getUserRoleList().equals(userRole)) {
+ obj.setUserRoleList(userRole);
+
+ }
+ } else if (!obj.getUserRoleList().equals(
+ userRoleList)) {
+ obj.setUserRoleList(userRoleList);
+ }
+ }
+ }
+ }
+ ugInfo.setXuserInfo(obj);
ugInfo.setXgroupInfo(getXGroupInfoList(addGroups));
try{
// If the rest call to ranger admin fails,
@@ -393,7 +421,27 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
}
if (! isMockRun) {
if (!updateGroups.isEmpty()){
- ugInfo.setXuserInfo(addXUserInfo(userName));
+ XUserInfo obj = addXUserInfo(userName);
+ if (obj != null) {
+ for (int i = 0; i < updateGroups.size(); i++) {
+ if (groupMap.containsKey(updateGroups.get(i))) {
+ List<String> userRoleList = new ArrayList<String>();
+ userRoleList.add(groupMap.get(updateGroups
+ .get(i)));
+ if (userMap.containsKey(obj.getName())) {
+ List<String> userRole = new ArrayList<String>();
+ userRole.add(userMap.get(obj.getName()));
+ if (!obj.getUserRoleList().equals(userRole)) {
+ obj.setUserRoleList(userRole);
+ }
+ } else if (!obj.getUserRoleList().equals(
+ userRoleList)) {
+ obj.setUserRoleList(userRoleList);
+ }
+ }
+ }
+ }
+ ugInfo.setXuserInfo(obj);
ugInfo.setXgroupInfo(getXGroupInfoList(updateGroups));
try{
// If the rest call to ranger admin fails,
@@ -409,8 +457,53 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
}
}
}
- }
- }
+ if (!isMockRun) {
+ XUserInfo obj = addXUserInfo(userName);
+ boolean roleFlag = false;
+ if (obj != null && updateGroups.isEmpty()
+ && addGroups.isEmpty()) {
+ if (userMap.containsKey(obj.getName())) {
+ List<String> userRole = new ArrayList<String>();
+ userRole.add(userMap.get(obj.getName()));
+ if (!obj.getUserRoleList().equals(userRole)) {
+ obj.setUserRoleList(userRole);
+ roleFlag = true;
+ }
+ } else {
+ for (int i = 0; i < groups.size(); i++) {
+ if (groupMap.containsKey(groups.get(i))) {
+ List<String> userRoleList = new ArrayList<String>();
+ userRoleList.add(groupMap.get(groups.get(i)));
+ if (!obj.getUserRoleList().equals(userRoleList)) {
+ obj.setUserRoleList(userRoleList);
+ roleFlag = true;
+ }
+ }
+ }
+
+ }
+ ugInfo.setXuserInfo(obj);
+ ugInfo.setXgroupInfo(getXGroupInfoList(groups));
+ }
+ if (roleFlag) {
+ try {
+ // If the rest call to ranger admin fails,
+ // propagate the failure to the caller for retry in next
+ // sync cycle.
+ if (addUserGroupInfo(ugInfo) == null) {
+ String msg = "Failed to add user group info";
+ LOG.error(msg);
+ throw new Exception(msg);
+ }
+ } catch (Throwable t) {
+ LOG.error("PolicyMgrUserGroupBuilder.addUserGroupInfo failed with exception: "
+ + t.getMessage()
+ + ", for user-group entry: "
+ + ugInfo);
+ }
+ }
+ }
+ } }
private void buildGroupList() {
if (LOG.isDebugEnabled()) {
@@ -530,6 +623,23 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
if (! isMockRun) {
user = addXUserInfo(userName);
}
+ if (!groups.isEmpty() && user != null) {
+ for (int i = 0; i < groups.size(); i++) {
+ if (groupMap.containsKey(groups.get(i))) {
+ List<String> userRoleList = new ArrayList<String>();
+ userRoleList.add(groupMap.get(groups.get(i)));
+ if (userMap.containsKey(user.getName())) {
+ List<String> userRole = new ArrayList<String>();
+ userRole.add(userMap.get(user.getName()));
+ user.setUserRoleList(userRole);
+ } else {
+ user.setUserRoleList(userRoleList);
+ }
+ }
+ }
+ }
+ usergroupInfo.setXuserInfo(user);
+
for(String g : groups) {
LOG.debug("INFO: addPMXAGroupToUser(" + userName + "," + g + ")" );
@@ -809,7 +919,11 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
userInfo.setLoginId(aUserName);
userInfo.setFirstName(aUserName);
userInfo.setLastName(aUserName);
-
+ String str[] = new String[1];
+ if (userMap.containsKey(aUserName)) {
+ str[0] = userMap.get(aUserName);
+ }
+ userInfo.setUserRoleList(str);
if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)) {
try {
Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
@@ -1080,6 +1194,73 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
// TODO Auto-generated method stub
}
-
-
-}
+ private void getRoleForUserGroups(String userGroupRolesData) {
+
+ String roleDelimiter = config.getRoleDelimiter();
+ String userGroupDelimiter = config.getUserGroupDelimiter();
+ String userNameDelimiter = config.getUserGroupNameDelimiter();
+ if (roleDelimiter == null || roleDelimiter.isEmpty()) {
+ roleDelimiter = "&";
+ }
+ if (userGroupDelimiter == null || userGroupDelimiter.isEmpty()) {
+ userGroupDelimiter = ":";
+ }
+ if (userNameDelimiter == null || userNameDelimiter.isEmpty()) {
+ userNameDelimiter = ",";
+ }
+ StringTokenizer str = new StringTokenizer(userGroupRolesData,
+ roleDelimiter);
+ int flag = 0;
+ String userGroupCheck = null;
+ String roleName = null;
+ while (str.hasMoreTokens()) {
+ flag = 0;
+ String tokens = str.nextToken();
+ if (tokens != null && !tokens.isEmpty()) {
+ StringTokenizer userGroupRoles = new StringTokenizer(tokens,
+ userGroupDelimiter);
+ if (userGroupRoles != null) {
+ while (userGroupRoles.hasMoreElements()) {
+ String userGroupRolesTokens = userGroupRoles
+ .nextToken();
+ if (userGroupRolesTokens != null
+ && !userGroupRolesTokens.isEmpty()) {
+ flag++;
+ switch (flag) {
+ case 1:
+ roleName = userGroupRolesTokens;
+ break;
+ case 2:
+ userGroupCheck = userGroupRolesTokens;
+ break;
+ case 3:
+ StringTokenizer userGroupNames = new StringTokenizer(
+ userGroupRolesTokens, userNameDelimiter);
+ if (userGroupNames != null) {
+ while (userGroupNames.hasMoreElements()) {
+ String userGroup = userGroupNames
+ .nextToken();
+ if (userGroup != null
+ && !userGroup.isEmpty()) {
+ if (userGroupCheck.trim().equalsIgnoreCase("u")) {
+ userMap.put(userGroup.trim(), roleName.trim());
+ } else if (userGroupCheck.trim().equalsIgnoreCase("g")) {
+ groupMap.put(userGroup.trim(),
+ roleName.trim());
+ }
+ }
+ }
+ }
+ break;
+ default:
+ userMap.clear();
+ groupMap.clear();
+ break;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/unixauthservice/scripts/install.properties
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/install.properties b/unixauthservice/scripts/install.properties
index 13ae1e5..0be2c8f 100644
--- a/unixauthservice/scripts/install.properties
+++ b/unixauthservice/scripts/install.properties
@@ -64,6 +64,21 @@ AUTH_SSL_TRUSTSTORE_PASSWORD=
# ---------------------------------------------------------------
# The following properties are relevant only if SYNC_SOURCE = ldap
# ---------------------------------------------------------------
+# The below properties ROLE_ASSIGNMENT_LIST_DELIMITER, USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER, USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER,
+#and GROUP_BASED_ROLE_ASSIGNMENT_RULES can be used to assign role to LDAP synced users and groups
+#NOTE all the delimiters should have different values and the delimiters should not contain characters that are allowed in userName or GroupName
+
+# default value ROLE_ASSIGNMENT_LIST_DELIMITER = &
+ROLE_ASSIGNMENT_LIST_DELIMITER = &
+
+#default value USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER = :
+USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER = :
+
+#default value USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER = ,
+USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER = ,
+
+# with above mentioned delimiters a sample value would be &ROLE_SYS_ADMIN:u:userName1,userName2&ROLE_SYS_ADMIN:g:groupName1,groupName2&ROLE_KEY_ADMIN:u:userName&ROLE_KEY_ADMIN:g:groupName
+GROUP_BASED_ROLE_ASSIGNMENT_RULES =
# URL of source ldap
# a sample value would be: ldap://ldap.example.com:389
http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/unixauthservice/scripts/setup.py
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/setup.py b/unixauthservice/scripts/setup.py
index c7aa959..211da64 100755
--- a/unixauthservice/scripts/setup.py
+++ b/unixauthservice/scripts/setup.py
@@ -347,6 +347,23 @@ def main():
hadoop_conf = globalDict['hadoop_conf']
pid_dir_path = globalDict['USERSYNC_PID_DIR_PATH']
unix_user = globalDict['unix_user']
+ if globalDict['SYNC_SOURCE'].lower() == SYNC_SOURCE_LDAP and globalDict.has_key('ROLE_ASSIGNMENT_LIST_DELIMITER') \
+ and globalDict.has_key('USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER') and globalDict.has_key('USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER'):
+ roleAssignmentDelimiter = globalDict['ROLE_ASSIGNMENT_LIST_DELIMITER']
+ userGroupAssignmentDelimiter= globalDict['USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER']
+ userNameGroupNameAssignmentListDelimiter= globalDict['USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER'];
+ if roleAssignmentDelimiter != "" :
+ if roleAssignmentDelimiter == userGroupAssignmentDelimiter or roleAssignmentDelimiter == userNameGroupNameAssignmentListDelimiter :
+ print "ERROR: All Delimiters ROLE_ASSIGNMENT_LIST_DELIMITER, USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER and USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER should be different"
+ sys.exit(1)
+ if userGroupAssignmentDelimiter != "" :
+ if roleAssignmentDelimiter == userGroupAssignmentDelimiter or userGroupAssignmentDelimiter == userNameGroupNameAssignmentListDelimiter:
+ print "ERROR: All Delimiters ROLE_ASSIGNMENT_LIST_DELIMITER, USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER and USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER should be different"
+ sys.exit(1)
+ if userNameGroupNameAssignmentListDelimiter != "":
+ if roleAssignmentDelimiter == userNameGroupNameAssignmentListDelimiter or userGroupAssignmentDelimiter == userNameGroupNameAssignmentListDelimiter:
+ print "ERROR: All Delimiters ROLE_ASSIGNMENT_LIST_DELIMITER, USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER and USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER should be different"
+ sys.exit(1)
if pid_dir_path == "":
pid_dir_path = "/var/run/ranger"
http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/unixauthservice/scripts/templates/installprop2xml.properties
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/templates/installprop2xml.properties b/unixauthservice/scripts/templates/installprop2xml.properties
index 1a9bf36..8a889a9 100644
--- a/unixauthservice/scripts/templates/installprop2xml.properties
+++ b/unixauthservice/scripts/templates/installprop2xml.properties
@@ -16,6 +16,10 @@
POLICY_MGR_URL = ranger.usersync.policymanager.baseURL
MIN_UNIX_USER_ID_TO_SYNC = ranger.usersync.unix.minUserId
SYNC_INTERVAL = ranger.usersync.sleeptimeinmillisbetweensynccycle
+ROLE_ASSIGNMENT_LIST_DELIMITER = ranger.usersync.role.assignment.list.delimiter
+USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER = ranger.usersync.users.groups.assignment.list.delimiter
+USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER = ranger.usersync.username.groupname.assignment.list.delimiter
+GROUP_BASED_ROLE_ASSIGNMENT_RULES = ranger.usersync.group.based.role.assignment.rules
SYNC_LDAP_URL = ranger.usersync.ldap.url
SYNC_LDAP_BIND_DN = ranger.usersync.ldap.binddn
SYNC_LDAP_BIND_PASSWORD = ranger.usersync.ldap.ldapbindpassword
http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/unixauthservice/scripts/templates/ranger-ugsync-template.xml
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/templates/ranger-ugsync-template.xml b/unixauthservice/scripts/templates/ranger-ugsync-template.xml
index 0025dc8..5a0cf98 100644
--- a/unixauthservice/scripts/templates/ranger-ugsync-template.xml
+++ b/unixauthservice/scripts/templates/ranger-ugsync-template.xml
@@ -205,4 +205,20 @@
<name>ranger.usersync.truststore.password</name>
<value></value>
</property>
+ <property>
+ <name>ranger.usersync.role.assignment.list.delimiter</name>
+ <value></value>
+ </property>
+ <property>
+ <name>ranger.usersync.users.groups.assignment.list.delimiter</name>
+ <value></value>
+ </property>
+ <property>
+ <name>ranger.usersync.username.groupname.assignment.list.delimiter</name>
+ <value></value>
+ </property>
+ <property>
+ <name>ranger.usersync.group.based.role.assignment.rules</name>
+ <value></value>
+ </property>
</configuration>