Posted to commits@ranger.apache.org by ga...@apache.org on 2017/09/11 13:02:48 UTC
[1/2] ranger git commit: RANGER-1750 : In Nifi default policy is
getting created with policyitem without any user/group but permission set for
the same
Repository: ranger
Updated Branches:
refs/heads/ranger-0.7 1d0e8af41 -> a0f43d87a
RANGER-1750 : In Nifi default policy is getting created with policyitem without any user/group but permission set for the same
Signed-off-by: Gautam Borad <ga...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/adc3819e
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/adc3819e
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/adc3819e
Branch: refs/heads/ranger-0.7
Commit: adc3819e4be0ca20c08917043c9629a817cb6f61
Parents: 1d0e8af
Author: Nikhil P <ni...@gmail.com>
Authored: Wed Aug 30 15:18:52 2017 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Mon Sep 11 18:29:14 2017 +0530
----------------------------------------------------------------------
.../org/apache/ranger/biz/ServiceDBStore.java | 32 +++++++++++++++++++-
1 file changed, 31 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/adc3819e/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 8132357..63fdf4f 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -1859,6 +1859,29 @@ public class ServiceDBStore extends AbstractServiceStore {
return createdPolicy;
}
+ private boolean validatePolicyItem(List<RangerPolicyItem> policyItems) {
+ boolean isPolicyItemValid=true;
+ for (RangerPolicyItem policyItem : policyItems) {
+ if (policyItem != null) {
+ if (CollectionUtils.isEmpty(policyItem.getUsers())
+ || (policyItem.getUsers() != null) && policyItem.getUsers().contains(null)
+ || (policyItem.getUsers().contains(""))) {
+ if (CollectionUtils.isEmpty(policyItem.getGroups())
+ || (policyItem.getGroups() != null) && policyItem.getGroups().contains(null)
+ || (policyItem.getGroups().contains(""))) {
+
+ isPolicyItemValid = false;
+ }
+ }
+ if (CollectionUtils.isEmpty(policyItem.getAccesses())
+ || (policyItem.getAccesses() != null) && policyItem.getAccesses().contains(null)) {
+ isPolicyItemValid = false;
+ }
+ }
+ }
+ return isPolicyItemValid;
+ }
+
@Override
public RangerPolicy updatePolicy(RangerPolicy policy) throws Exception {
if(LOG.isDebugEnabled()) {
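Review bot: The principal check in `validatePolicyItem` treats a users or groups list that merely contains one null or `""` entry as if it held no principal at all, and it does not catch whitespace-only names. As written, an item with users `["alice", ""]` and no groups is rejected although it names a real user, while users `[" "]` with no groups passes although it names nobody, which is the case this commit sets out to block. Testing for at least one non-blank user or group states the rule directly and lets the loop return on the first bad item; the sketch below assumes `getUsers()`/`getGroups()` return `List<String>`, which the hunk does not show. A null `policyItems` argument would also throw at the `for` loop, so the caller has to guarantee a non-null list.

```java
private boolean validatePolicyItem(List<RangerPolicyItem> policyItems) {
    for (RangerPolicyItem policyItem : policyItems) {
        if (policyItem == null) {
            continue;
        }
        // A policy item must name at least one real principal ...
        boolean hasPrincipal = hasNonBlank(policyItem.getUsers()) || hasNonBlank(policyItem.getGroups());
        // ... and carry at least one access entry, none of them null.
        boolean hasAccess = CollectionUtils.isNotEmpty(policyItem.getAccesses())
                && !policyItem.getAccesses().contains(null);
        if (!hasPrincipal || !hasAccess) {
            return false;
        }
    }
    return true;
}

private static boolean hasNonBlank(List<String> names) {
    if (names != null) {
        for (String name : names) {
            if (StringUtils.isNotBlank(name)) {
                return true;
            }
        }
    }
    return false;
}
```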
@@ -2502,6 +2525,7 @@ public class ServiceDBStore extends AbstractServiceStore {
createDefaultPolicyUsersAndGroups(defaultPolicies);
for (RangerPolicy defaultPolicy : defaultPolicies) {
+ List<RangerPolicyItem> policyItems = defaultPolicy.getPolicyItems();
if (CollectionUtils.isNotEmpty(serviceCheckUsers)
&& StringUtils.equalsIgnoreCase(defaultPolicy.getService(), createdService.getName())) {
@@ -2513,7 +2537,13 @@ public class ServiceDBStore extends AbstractServiceStore {
defaultPolicy.getPolicyItems().add(policyItem);
}
- createPolicy(defaultPolicy);
+ boolean isPolicyItemValid=validatePolicyItem(policyItems);
+ if (isPolicyItemValid) {
+ createPolicy(defaultPolicy);
+ } else {
+ LOG.warn("Default policy won't be created,since policyItems not valid-either users/groups not present or access not present in policy.");
+ }
+
}
}
}
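Review bot: The `LOG.warn` in the new `else` branch does not say which default policy was skipped, so an operator reading the log after service creation cannot tell which access rules are missing. Include the identifiers already at hand, e.g. `LOG.warn("Default policy '" + defaultPolicy.getName() + "' for service '" + defaultPolicy.getService() + "' not created: a policy item has no user/group or no access");`. The `policyItems` local declared in the previous hunk is read only here and relies on `getPolicyItems()` returning the live list that the loop body appends to; calling `validatePolicyItem(defaultPolicy.getPolicyItems())` at this point would remove that dependency. The enclosing method starts outside the hunk.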
[2/2] ranger git commit: RANGER 1697 : Update NiFi service def and
handle upgrade scenario
Posted by ga...@apache.org.
RANGER 1697 : Update NiFi service def and handle upgrade scenario
Signed-off-by: Gautam Borad <ga...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/a0f43d87
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/a0f43d87
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/a0f43d87
Branch: refs/heads/ranger-0.7
Commit: a0f43d87a6e2d1de8cb311bc82827f0c836fa21c
Parents: adc3819
Author: Nikhil P <ni...@gmail.com>
Authored: Tue Sep 5 16:22:51 2017 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Mon Sep 11 18:32:23 2017 +0530
----------------------------------------------------------------------
.../service-defs/ranger-servicedef-nifi.json | 2 +-
...atchForNifiResourceUpdateExclude_J10008.java | 145 +++++++++++++++++++
.../org/apache/ranger/rest/ServiceREST.java | 2 +-
.../apache/ranger/service/XTrxLogService.java | 10 +-
4 files changed, 152 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/a0f43d87/agents-common/src/main/resources/service-defs/ranger-servicedef-nifi.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-nifi.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-nifi.json
index b81785d..1d11232 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-nifi.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-nifi.json
@@ -14,7 +14,7 @@
"mandatory":true,
"lookupSupported":true,
"recursiveSupported":false,
- "excludesSupported":true,
+ "excludesSupported":false,
"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions":{
"wildCard":true,
http://git-wip-us.apache.org/repos/asf/ranger/blob/a0f43d87/security-admin/src/main/java/org/apache/ranger/patch/PatchForNifiResourceUpdateExclude_J10008.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/patch/PatchForNifiResourceUpdateExclude_J10008.java b/security-admin/src/main/java/org/apache/ranger/patch/PatchForNifiResourceUpdateExclude_J10008.java
new file mode 100644
index 0000000..634082c
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/patch/PatchForNifiResourceUpdateExclude_J10008.java
@@ -0,0 +1,145 @@
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.patch;
+
+import java.util.List;
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.log4j.Logger;
+import org.apache.ranger.biz.ServiceDBStore;
+import org.apache.ranger.common.JSONUtil;
+import org.apache.ranger.common.RangerValidatorFactory;
+import org.apache.ranger.common.StringUtil;
+import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.entity.XXPolicyResource;
+import org.apache.ranger.entity.XXResourceDef;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
+import org.apache.ranger.plugin.model.validation.RangerServiceDefValidator;
+import org.apache.ranger.plugin.model.validation.RangerValidator.Action;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
+import org.apache.ranger.service.RangerPolicyService;
+import org.apache.ranger.util.CLIUtil;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+@Component
+public class PatchForNifiResourceUpdateExclude_J10008 extends BaseLoader {
+ private static final Logger logger = Logger.getLogger(PatchForHiveServiceDefUpdate_J10006.class);
+ @Autowired
+ RangerDaoManager daoMgr;
+
+ @Autowired
+ ServiceDBStore svcDBStore;
+
+ @Autowired
+ JSONUtil jsonUtil;
+
+ @Autowired
+ StringUtil stringUtil;
+
+ @Autowired
+ RangerValidatorFactory validatorFactory;
+
+ @Autowired
+ ServiceDBStore svcStore;
+
+ @Autowired
+ RangerPolicyService policyService;
+
+ public static void main(String[] args) {
+ logger.info("main()");
+ try {
+ PatchForNifiResourceUpdateExclude_J10008 loader = (PatchForNifiResourceUpdateExclude_J10008) CLIUtil.getBean(PatchForNifiResourceUpdateExclude_J10008.class);
+ loader.init();
+ while (loader.isMoreToProcess()) {
+ loader.load();
+ }
+ logger.info("Load complete. Exiting!!!");
+ System.exit(0);
+ } catch (Exception e) {
+ logger.error("Error loading", e);
+ System.exit(1);
+ }
+ }
+
+ @Override
+ public void init() throws Exception {
+ // Do Nothing
+ }
+
+ @Override
+ public void execLoad() {
+ logger.info("==> PatchForNifiResourceUpdateExclude.execLoad()");
+ try {
+ updateNifiServiceDef();
+ } catch (Exception e) {
+ logger.error("Error whille updateNifiServiceDef()data.", e);
+ }
+ logger.info("<== PatchForNifiResourceUpdateExclude.execLoad()");
+ }
+
+ @Override
+ public void printStats() {
+ logger.info("updateNifiServiceDef data ");
+ }
+
+ private void updateNifiServiceDef(){
+ RangerServiceDef ret = null;
+ RangerServiceDef dbNifiServiceDef = null;
+ try {
+ dbNifiServiceDef = svcDBStore.getServiceDefByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_NIFI_NAME);
+ if (dbNifiServiceDef != null) {
+ List<RangerResourceDef> rRDefList = null;
+ rRDefList = dbNifiServiceDef.getResources();
+ if (CollectionUtils.isNotEmpty(rRDefList)) {
+ for (RangerResourceDef rRDef : rRDefList) {
+
+ if (rRDef.getExcludesSupported()) {
+ rRDef.setExcludesSupported(false);
+ }
+
+ XXResourceDef sdf=daoMgr.getXXResourceDef().findByNameAndServiceDefId(rRDef.getName(), dbNifiServiceDef.getId());
+ long ResourceDefId=sdf.getId();
+ List<XXPolicyResource> RangerPolicyResourceList=daoMgr.getXXPolicyResource().findByResDefId(ResourceDefId);
+ if (CollectionUtils.isNotEmpty(RangerPolicyResourceList)){
+ for(XXPolicyResource RangerPolicyResource : RangerPolicyResourceList){
+ if(RangerPolicyResource.getIsexcludes()){
+ RangerPolicy rPolicy=svcDBStore.getPolicy(RangerPolicyResource.getPolicyid());
+ rPolicy.setIsEnabled(false);
+ svcStore.updatePolicy(rPolicy);
+ }
+ }
+ }
+ }
+ }
+ RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore);
+ validator.validate(dbNifiServiceDef, Action.UPDATE);
+ ret = svcStore.updateServiceDef(dbNifiServiceDef);
+ }
+ if (ret == null) {
+ logger.error("Error while updating " + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_NIFI_NAME+ "service-def");
+ System.exit(1);
+ }
+ } catch (Exception e) {
+ logger.error("Error while updating " + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_NIFI_NAME + "service-def", e);
+ }
+ }
+
+}
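Review bot: A failure part-way through `updateNifiServiceDef()` is only logged by the `catch (Exception e)` at its end, so `execLoad()` returns normally and `main()` still reaches `System.exit(0)`; some policies may already have been disabled while the service-def update never ran. Likely triggers are a null `sdf` from `findByNameAndServiceDefId(...)` (dereferenced at `sdf.getId()`) or a null result from `getPolicy(...)`. Adding `System.exit(1);` to that catch, as the `ret == null` branch already does, would make the patch fail visibly. Because disabling a policy changes effective access, each one should be logged, e.g. `logger.info("Disabled policy id=" + RangerPolicyResource.getPolicyid() + " (exclude flag on resource " + rRDef.getName() + ")");`. The logger is also created with `PatchForHiveServiceDefUpdate_J10006.class`, so these messages are attributed to a different patch; it should be `Logger.getLogger(PatchForNifiResourceUpdateExclude_J10008.class)`.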
http://git-wip-us.apache.org/repos/asf/ranger/blob/a0f43d87/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 6687e60..5fa114d 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -1425,7 +1425,7 @@ public class ServiceREST {
policy.setName(StringUtils.trim(policyName));
}
- if(Boolean.valueOf(updateIfExists)) {
+ if (updateIfExists != null && Boolean.valueOf(updateIfExists)) {
RangerPolicy existingPolicy = null;
try {
if(StringUtils.isNotEmpty(policy.getGuid())) {
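Review bot: If `updateIfExists` is a `String` (its declaration is outside the hunk), the added null check is redundant, because `Boolean.valueOf(String)` returns `Boolean.FALSE` for null; `if (Boolean.parseBoolean(updateIfExists)) {` expresses the same test without boxing. If it is a `Boolean`, compare explicitly with `Boolean.TRUE.equals(updateIfExists)`. Either way any value other than "true" silently takes the other path, which is worth a short comment since this flag appears to decide whether an existing policy is looked up and updated.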
http://git-wip-us.apache.org/repos/asf/ranger/blob/a0f43d87/security-admin/src/main/java/org/apache/ranger/service/XTrxLogService.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XTrxLogService.java b/security-admin/src/main/java/org/apache/ranger/service/XTrxLogService.java
index 6c3034f..6c56eef 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XTrxLogService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/XTrxLogService.java
@@ -215,18 +215,18 @@ public class XTrxLogService extends XTrxLogServiceBase<XXTrxLog, VXTrxLog> {
}
List<VXTrxLog> keyAdminTrxLogList = new ArrayList<VXTrxLog>();
- if (session != null && session.isKeyAdmin() && xxServiceDef != null && resultList != null) {
+ if (session != null && session.isKeyAdmin() && xxServiceDef != null) {
List<VXTrxLog> vXTrxLogs = new ArrayList<VXTrxLog>();
for (VXTrxLog xTrxLog : trxLogList) {
int parentObjectClassType = xTrxLog.getParentObjectClassType();
Long parentObjectId = xTrxLog.getParentObjectId();
- if (parentObjectClassType == AppConstants.CLASS_TYPE_XA_SERVICE_DEF && parentObjectId == xxServiceDef.getId()) {
+ if (parentObjectClassType == AppConstants.CLASS_TYPE_XA_SERVICE_DEF && parentObjectId.equals(xxServiceDef.getId())) {
vXTrxLogs.add(xTrxLog);
- } else if (parentObjectClassType == AppConstants.CLASS_TYPE_XA_SERVICE && parentObjectId != xxServiceDef.getId()) {
+ } else if (parentObjectClassType == AppConstants.CLASS_TYPE_XA_SERVICE && !(parentObjectId.equals(xxServiceDef.getId()))) {
for (VXTrxLog vxTrxLog : trxLogList) {
if (parentObjectClassType == vxTrxLog.getObjectClassType()
- && parentObjectId == vxTrxLog.getObjectId()
- && vxTrxLog.getParentObjectId() == xxServiceDef.getId()) {
+ && parentObjectId.equals(vxTrxLog.getObjectId())
+ && vxTrxLog.getParentObjectId().equals(xxServiceDef.getId())) {
vXTrxLogs.add(xTrxLog);
break;
}
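Review bot: Switching from `==` to `parentObjectId.equals(...)` fixes the boxed-`Long` identity comparison but adds a dereference of values that may be null: `xTrxLog.getParentObjectId()` and `vxTrxLog.getParentObjectId()` are called without a null check. If any log row has no parent object, the key-admin filter would now throw instead of skipping the row (nullability is not visible in the hunk). Putting the known-present value on the left avoids that, e.g. `xxServiceDef.getId().equals(parentObjectId)` and `xxServiceDef.getId().equals(vxTrxLog.getParentObjectId())`, assuming `getId()` is non-null for a loaded service-def. The loop body continues outside the hunk.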