Posted to commits@ranger.apache.org by ma...@apache.org on 2017/01/03 08:17:03 UTC
[2/9] incubator-ranger git commit: RANGER-1099 : keyadmin user is not
able to create service/repo using public apis
RANGER-1099 : keyadmin user is not able to create service/repo using public apis
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
(cherry picked from commit 7bc2f89e25b656ca9e80d41d6f4cb1531350f502)
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/c3a2b50c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/c3a2b50c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/c3a2b50c
Branch: refs/heads/ranger-0.6
Commit: c3a2b50c4d62987b101735087df40f7de97075de
Parents: 115f9d4
Author: Ankita Sinha <an...@freestoneinfotech.com>
Authored: Wed Jul 13 15:24:17 2016 +0530
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Mon Jan 2 23:35:57 2017 -0800
----------------------------------------------------------------------
.../main/java/org/apache/ranger/rest/ServiceREST.java | 13 +++++++++++--
.../security/context/RangerPreAuthSecurityHandler.java | 2 +-
2 files changed, 12 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c3a2b50c/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index b550c17..bd98e67 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -455,15 +455,24 @@ public class ServiceREST {
validator.validate(service, Action.CREATE);
UserSessionBase session = ContextUtil.getCurrentUserSession();
+ XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(service.getType());
if(session != null && !session.isSpnegoEnabled()){
bizUtil.hasAdminPermissions("Services");
// TODO: As of now we are allowing SYS_ADMIN to create all the
// services including KMS
-
- XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(service.getType());
bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
}
+ if(session != null && session.isSpnegoEnabled()){
+ if (session.isKeyAdmin() && !xxServiceDef.getImplclassname().equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
+ throw restErrorUtil.createRESTException("KeyAdmin can create/update/delete only KMS ",
+ MessageEnums.OPER_NO_PERMISSION);
+ }
+ if ((!session.isKeyAdmin() && !session.isUserAdmin()) && xxServiceDef.getImplclassname().equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
+ throw restErrorUtil.createRESTException("User cannot create/update/delete KMS Service",
+ MessageEnums.OPER_NO_PERMISSION);
+ }
+ }
ret = svcStore.createService(service);
} catch(WebApplicationException excp) {
throw excp;
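Review bot: Moving the `findByName` lookup up to the new line before the `session` checks means `xxServiceDef` is now dereferenced in both branches (`getImplclassname()` on the `hasKMSPermissions` line and twice in the added SPNEGO block) with no null check; if `findByName` returns null for an unknown service type, this becomes a NullPointerException instead of a REST error. The validator call at the top of the hunk may already reject unknown types, but that is not visible here, so a guard right after the lookup would make the intent explicit: `if (xxServiceDef == null) { throw restErrorUtil.createRESTException("Service type not found: " + service.getType(), MessageEnums.DATA_NOT_FOUND); }`. The two `xxServiceDef.getImplclassname().equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)` comparisons would also be safer and less repetitive as a single constant-on-the-left flag, `boolean isKmsService = EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xxServiceDef.getImplclassname());`, which cannot throw if the impl class name is unset. The enclosing createService method begins and ends outside this hunk.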
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c3a2b50c/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
index 899d866..fe225c7 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
@@ -97,7 +97,7 @@ public class RangerPreAuthSecurityHandler {
UserSessionBase userSession = ContextUtil.getCurrentUserSession();
if (userSession != null && userSession.isSpnegoEnabled()) {
return true;
- }else if(userSession != null && userSession.isUserAdmin()){
+ }else if(userSession != null && (userSession.isUserAdmin() || userSession.isKeyAdmin())){
return true;
}
throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not allowed to access the API", true);
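Review bot: The widened condition on the changed `else if` line admits key admins to every API that routes through this handler method, not only the service create/update/delete path the commit title describes; whether that is acceptable depends on each guarded endpoint performing its own role check, as the SPNEGO branch above it already returns true with no role check at all. That scope is worth recording at the method so later callers do not assume the handler enforces anything finer than "is an admin of some kind": `// Admits SPNEGO sessions, user admins and key admins alike; per-resource checks (e.g. KMS-only for key admins) are the callee's job.` The enclosing method begins outside this hunk.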