Posted to commits@ranger.apache.org by sn...@apache.org on 2015/04/23 11:12:03 UTC
incubator-ranger git commit: RANGER-421: Streamline usersync process
Repository: incubator-ranger
Updated Branches:
refs/heads/master b802bd3ee -> b05edbc8d
RANGER-421: Streamline usersync process
Signed-off-by: sneethiraj <sn...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/b05edbc8
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/b05edbc8
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/b05edbc8
Branch: refs/heads/master
Commit: b05edbc8d568119bb709c65ed5007784dc716407
Parents: b802bd3
Author: Velmurugan Periasamy <ve...@apache.org>
Authored: Thu Apr 23 04:52:56 2015 -0400
Committer: sneethiraj <sn...@apache.org>
Committed: Thu Apr 23 05:04:14 2015 -0400
----------------------------------------------------------------------
.../db/mysql/patches/012-createusersyncuser.sql | 48 ++++++
.../oracle/patches/012-createusersyncuser.sql | 50 ++++++
.../db/postgres/xa_core_db_postgres.sql | 4 +
.../db/sqlserver/xa_core_db_sqlserver.sql | 6 +
.../java/org/apache/ranger/biz/UserMgr.java | 38 ++++-
.../java/org/apache/ranger/biz/XUserMgr.java | 141 ++++++++++++++-
.../org/apache/ranger/common/RESTErrorUtil.java | 22 +++
.../java/org/apache/ranger/rest/UserREST.java | 1 -
.../java/org/apache/ranger/rest/XUserREST.java | 7 +
.../conf.dist/security-applicationContext.xml | 4 +-
src/main/assembly/usersync.xml | 1 +
.../process/PolicyMgrUserGroupBuilder.java | 9 +-
.../config/UserGroupSyncConfig.java | 60 ++++++-
.../process/PolicyMgrUserGroupBuilder.java | 15 +-
.../conf.dist/unixauthservice.properties | 4 +
.../scripts/updatepolicymgrpassword.py | 171 +++++++++++++++++++
.../scripts/updatepolicymgrpassword.sh | 128 ++++++++++++++
17 files changed, 698 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/security-admin/db/mysql/patches/012-createusersyncuser.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/mysql/patches/012-createusersyncuser.sql b/security-admin/db/mysql/patches/012-createusersyncuser.sql
new file mode 100644
index 0000000..9f3af62
--- /dev/null
+++ b/security-admin/db/mysql/patches/012-createusersyncuser.sql
@@ -0,0 +1,48 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+drop procedure if exists create_user_sync;
+
+delimiter ;;
+create procedure create_user_sync() begin
+DECLARE loginID varchar(1024);
+ /* check tables exist or not */
+ if exists (select * from information_schema.columns where table_schema=database() and table_name = 'x_portal_user') then
+ if exists (select * from information_schema.columns where table_schema=database() and table_name = 'x_portal_user_role') then
+ if exists (select * from information_schema.columns where table_schema=database() and table_name = 'x_user') then
+ /* check record for login id rangerusersync exist or not */
+ if not exists (select * from x_portal_user where login_id = 'rangerusersync') then
+ INSERT INTO x_portal_user(create_time,update_time,added_by_id,upd_by_id,first_name,last_name,pub_scr_name,login_id,password,email,status,user_src,notes) VALUES (UTC_TIMESTAMP(),UTC_TIMESTAMP(),NULL,NULL,'rangerusersync','','rangerusersync','rangerusersync','70b8374d3dfe0325aaa5002a688c7e3b','rangerusersync',1,0,NULL);
+ end if;
+ set loginID = (select id from x_portal_user where login_id = 'rangerusersync');
+ if not exists (select * from x_portal_user_role where user_id =loginID ) then
+ INSERT INTO x_portal_user_role(create_time,update_time,added_by_id,upd_by_id,user_id,user_role,status) VALUES (UTC_TIMESTAMP(),UTC_TIMESTAMP(),NULL,NULL,loginID,'ROLE_SYS_ADMIN',1);
+ end if;
+ if not exists (select * from x_user where user_name = 'admin') then
+ INSERT INTO x_user(create_time,update_time,added_by_id,upd_by_id,user_name,descr,status) values (UTC_TIMESTAMP(), UTC_TIMESTAMP(),NULL,NULL,'admin','Administrator',0);
+ end if;
+ if not exists (select * from x_user where user_name = 'rangerusersync') then
+ INSERT INTO x_user(create_time,update_time,added_by_id,upd_by_id,user_name,descr,status) values (UTC_TIMESTAMP(), UTC_TIMESTAMP(),NULL,NULL,'rangerusersync','rangerusersync',0);
+ end if;
+ end if;
+ end if;
+ end if;
+
+end;;
+
+delimiter ;
+call create_user_sync();
+
+drop procedure if exists create_user_sync;
\ No newline at end of file
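Review bot: The `rangerusersync` account is seeded with a fixed password hash and granted `ROLE_SYS_ADMIN` (the INSERT and the `x_portal_user_role` INSERT in this hunk), so every installation ships the same admin-level credential until it is rotated; the same seed appears in the oracle, postgres and sqlserver hunks of this commit. Nothing in the script says this, so add a comment above the first INSERT: `-- seeds the usersync service account with a default password and ROLE_SYS_ADMIN; rotate it after install (see the usersync updatepolicymgrpassword script added in this commit)`. Separately, `DECLARE loginID varchar(1024);` holds the numeric `id` read back from `x_portal_user` and is then compared to `user_id`, which forces a string-to-number coercion on every comparison; declare it with the type of `x_portal_user.id` (not visible here, presumably `bigint`), e.g. `DECLARE loginID bigint;`.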
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/security-admin/db/oracle/patches/012-createusersyncuser.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/oracle/patches/012-createusersyncuser.sql b/security-admin/db/oracle/patches/012-createusersyncuser.sql
new file mode 100644
index 0000000..5b99b1f
--- /dev/null
+++ b/security-admin/db/oracle/patches/012-createusersyncuser.sql
@@ -0,0 +1,50 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+DECLARE
+ v_count number:=0;
+ loginID number:=0;
+ sql_stmt VARCHAR2(1000);
+ first_name VARCHAR2(10):='rangerusersync';
+ scr_name VARCHAR2(10):='rangerusersync';
+ login_name VARCHAR2(10):='rangerusersync';
+ password VARCHAR2(50):='70b8374d3dfe0325aaa5002a688c7e3b';
+ user_role VARCHAR2(50):='ROLE_SYS_ADMIN';
+ email VARCHAR2(20):='rangerusersync';
+BEGIN
+ select count(*) into v_count from user_tables where table_name IN('X_PORTAL_USER','X_PORTAL_USER_ROLE','X_USER');
+ if (v_count = 3) then
+ v_count:=0;
+ select count(*) into v_count from x_portal_user where login_id = login_name;
+ if (v_count = 0) then
+ sql_stmt := 'INSERT INTO x_portal_user(ID,CREATE_TIME,UPDATE_TIME,FIRST_NAME,LAST_NAME,PUB_SCR_NAME,LOGIN_ID,PASSWORD,EMAIL,STATUS,USER_SRC) VALUES (X_PORTAL_USER_SEQ.nextval,sys_extract_utc(systimestamp),sys_extract_utc(systimestamp),:1,NULL,:2,:3,:4,:5,1,0)';
+ EXECUTE IMMEDIATE sql_stmt USING first_name,scr_name,login_name,password,email;
+ commit;
+ end if;
+ select id into loginID from x_portal_user where login_id = login_name;
+ if (loginID > 0) then
+ sql_stmt := 'INSERT INTO x_portal_user_role(id,create_time,update_time,user_id,user_role,status) VALUES (X_PORTAL_USER_ROLE_SEQ.nextval,sys_extract_utc(systimestamp),sys_extract_utc(systimestamp),:1,:2,1)';
+ EXECUTE IMMEDIATE sql_stmt USING loginID,user_role;
+ commit;
+ end if;
+ v_count:=0;
+ select count(*) into v_count from x_user where user_name = login_name;
+ if (v_count = 0) then
+ sql_stmt := 'INSERT INTO x_user(id,create_time,update_time,user_name,descr,status) values (X_USER_SEQ.nextval,sys_extract_utc(systimestamp),sys_extract_utc(systimestamp),:1,:2,0)';
+ EXECUTE IMMEDIATE sql_stmt USING login_name,login_name;
+ commit;
+ end if;
+ end if;
+end;/
\ No newline at end of file
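Review bot: `first_name`, `scr_name` and `login_name` are declared `VARCHAR2(10)` but initialised to `'rangerusersync'`, which is 14 characters, so the block fails at declaration with an ORA-06502 value error and none of the INSERTs run. Widen the three declarations, e.g. `first_name VARCHAR2(50):='rangerusersync';`, `scr_name VARCHAR2(50):='rangerusersync';`, `login_name VARCHAR2(50):='rangerusersync';`. Also, `end;/` puts the `/` terminator on the same line as `end;`; if this file is fed to SQL*Plus the slash must be on its own line for the block to execute. Note that the MySQL patch also seeds an `admin` row in `x_user`, which this script does not; confirm whether that difference is intended.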
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/security-admin/db/postgres/xa_core_db_postgres.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/postgres/xa_core_db_postgres.sql b/security-admin/db/postgres/xa_core_db_postgres.sql
index d4aee9f..574b4ec 100644
--- a/security-admin/db/postgres/xa_core_db_postgres.sql
+++ b/security-admin/db/postgres/xa_core_db_postgres.sql
@@ -967,4 +967,8 @@ CREATE INDEX x_usr_module_perm_idx_moduleid ON x_user_module_perm(module_id);
CREATE INDEX x_usr_module_perm_idx_userid ON x_user_module_perm(user_id);
CREATE INDEX x_grp_module_perm_idx_groupid ON x_group_module_perm(group_id);
CREATE INDEX x_grp_module_perm_idx_moduleid ON x_group_module_perm(module_id);
+COMMIT;
+INSERT INTO x_portal_user(CREATE_TIME,UPDATE_TIME,FIRST_NAME,LAST_NAME,PUB_SCR_NAME,LOGIN_ID,PASSWORD,EMAIL,STATUS)VALUES(current_timestamp,current_timestamp,'rangerusersync','','rangerusersync','rangerusersync','70b8374d3dfe0325aaa5002a688c7e3b','rangerusersync',1);
+INSERT INTO x_portal_user_role(CREATE_TIME,UPDATE_TIME,USER_ID,USER_ROLE,STATUS)VALUES(current_timestamp,current_timestamp,2,'ROLE_SYS_ADMIN',1);
+INSERT INTO x_user(CREATE_TIME,UPDATE_TIME,user_name,status,descr)VALUES(current_timestamp,current_timestamp,'rangerusersync',0,'rangerusersync');
COMMIT;
\ No newline at end of file
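Review bot: The `x_portal_user_role` INSERT hard-codes `USER_ID` as `2`, assuming the `x_portal_user` row inserted just above received that id; on any database where the sequence has advanced (a re-run, a prior manual insert) the admin role is attached to the wrong user or to no user. Read the id back instead: `INSERT INTO x_portal_user_role(CREATE_TIME,UPDATE_TIME,USER_ID,USER_ROLE,STATUS)VALUES(current_timestamp,current_timestamp,(SELECT id FROM x_portal_user WHERE login_id='rangerusersync'),'ROLE_SYS_ADMIN',1);`. The sqlserver hunk of this commit has the same hard-coded `2`. The mysql patch already does this lookup, so the four scripts would then agree.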
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/security-admin/db/sqlserver/xa_core_db_sqlserver.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/sqlserver/xa_core_db_sqlserver.sql b/security-admin/db/sqlserver/xa_core_db_sqlserver.sql
index 835dd3e..207b137 100644
--- a/security-admin/db/sqlserver/xa_core_db_sqlserver.sql
+++ b/security-admin/db/sqlserver/xa_core_db_sqlserver.sql
@@ -2748,4 +2748,10 @@ GO
INSERT INTO x_modules_master(create_time,update_time,added_by_id,upd_by_id,module,url) VALUES(CURRENT_TIMESTAMP,CURRENT_TIMESTAMP,1,1,'Audit','');
GO
INSERT INTO x_modules_master(create_time,update_time,added_by_id,upd_by_id,module,url) VALUES(CURRENT_TIMESTAMP,CURRENT_TIMESTAMP,1,1,'KMS','');
+GO
+insert into x_portal_user (CREATE_TIME,UPDATE_TIME,FIRST_NAME,LAST_NAME,PUB_SCR_NAME,LOGIN_ID,PASSWORD,EMAIL,STATUS) values (CURRENT_TIMESTAMP,CURRENT_TIMESTAMP,'rangerusersync','','rangerusersync','rangerusersync','70b8374d3dfe0325aaa5002a688c7e3b','rangerusersync',1);
+GO
+insert into x_portal_user_role (CREATE_TIME,UPDATE_TIME,USER_ID,USER_ROLE,STATUS) values (CURRENT_TIMESTAMP,CURRENT_TIMESTAMP,2,'ROLE_SYS_ADMIN',1);
+GO
+insert into x_user (CREATE_TIME,UPDATE_TIME,user_name,status,descr) values (CURRENT_TIMESTAMP,CURRENT_TIMESTAMP,'rangerusersync',0,'rangerusersync');
exit
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index 0b6281b..08afe79 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -25,6 +25,7 @@ import java.util.HashMap;
import java.util.List;
import javax.persistence.Query;
+import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.apache.ranger.common.AppConstants;
@@ -135,6 +136,21 @@ public class UserMgr {
public XXPortalUser createUser(VXPortalUser userProfile, int userStatus,
Collection<String> userRoleList) {
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session != null) {
+ if (!session.isUserAdmin()) {
+ throw restErrorUtil.create403RESTException("User "
+ + "creation denied. LoggedInUser="
+ + (session != null ? session.getXXPortalUser().getId()
+ : "Not Logged In")
+ + " ,isn't permitted to perform the action.");
+ }
+ }else{
+ VXResponse vXResponse = new VXResponse();
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setMsgDesc("Bad Credentials");
+ throw restErrorUtil.generateRESTException(vXResponse);
+ }
XXPortalUser user = mapVXPortalUserToXXPortalUser(userProfile);
user = createUser(user, userStatus, userRoleList);
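Review bot: The added session check is pasted verbatim into three methods in this file and eight in XUserMgr (deleteXGroup, deleteXUser, createXUser, createXUserGroupFromMap, createXUserWithOutLogin, createXGroup, createXGroupWithoutLogin, createXGroupUser, deleteXGroupAndXUser), differing only in the message prefix, and each copy carries a dead branch: the `session != null ? ... : "Not Logged In"` ternary sits inside `if (session != null)`, so `"Not Logged In"` can never be emitted. Extracting one helper keeps the 401/403 policy in a single place, which matters for an authorization check that must stay identical across every mutating entry point. Only the third UserMgr hunk is cut off at its start (its `if` opens outside the hunk), so this helper should be introduced where the file's other private helpers live.
```java
    /** Rejects the call with 401 when there is no session and 403 when the session is not an admin; action names the denied operation in the message. */
    private void checkAdminAccess(String action) {
        UserSessionBase session = ContextUtil.getCurrentUserSession();
        if (session == null) {
            VXResponse vXResponse = new VXResponse();
            vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
            vXResponse.setMsgDesc("Bad Credentials");
            throw restErrorUtil.generateRESTException(vXResponse);
        }
        if (!session.isUserAdmin()) {
            throw restErrorUtil.create403RESTException(action
                    + " denied. LoggedInUser=" + session.getXXPortalUser().getId()
                    + " ,isn't permitted to perform the action.");
        }
    }
    // … unchanged: createUser body, now opening with checkAdminAccess("User creation") …
```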
@@ -511,6 +527,21 @@ public class UserMgr {
* @param userId
*/
public VXPortalUser deactivateUser(XXPortalUser gjUser) {
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session != null) {
+ if (!session.isUserAdmin()) {
+ throw restErrorUtil.create403RESTException("deactivation of user"
+ + " denied. LoggedInUser="
+ + (session != null ? session.getXXPortalUser().getId()
+ : "Not Logged In")
+ + " ,isn't permitted to perform the action.");
+ }
+ }else{
+ VXResponse vXResponse = new VXResponse();
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setMsgDesc("Bad Credentials");
+ throw restErrorUtil.generateRESTException(vXResponse);
+ }
if (gjUser != null
&& gjUser.getStatus() != RangerConstants.ACT_STATUS_DEACTIVATED) {
logger.info("Marking user " + gjUser.getLoginId() + " as deleted");
@@ -1101,8 +1132,13 @@ public class UserMgr {
+ " ,isn't permitted to perform the action.");
}
+ }else{
+ VXResponse vXResponse = new VXResponse();
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setMsgDesc("Bad Credentials");
+ throw restErrorUtil.generateRESTException(vXResponse);
}
-
+ logger.info("create:" + userProfile.getEmailAddress());
XXPortalUser xXPortalUser = null;
String loginId = userProfile.getLoginId();
String emailAddress = userProfile.getEmailAddress();
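Review bot: The `logger.info("create:" + userProfile.getEmailAddress())` line moved here from UserREST writes the caller-supplied email address to the application log at INFO on every default-account creation, so the log becomes a store of personal data and of whatever string an unauthenticated caller chose to send. Log the login id, which the code reads on the next line anyway, and at debug: `logger.debug("create: loginId=" + userProfile.getLoginId());`. The `if` that the added `}else{` closes opens outside this hunk, so I could not confirm it is the same null-session branch as in the other methods.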
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index c96eb17..512c58f 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -46,6 +46,7 @@ import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.PropertiesUtil;
import org.apache.ranger.common.RangerConstants;
import org.apache.ranger.common.SearchCriteria;
+import org.apache.ranger.common.UserSessionBase;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.db.XXGroupUserDao;
import org.apache.ranger.entity.XXGroup;
@@ -65,7 +66,8 @@ import org.apache.ranger.view.VXUserGroupInfo;
import org.apache.ranger.view.VXUserList;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
-
+import javax.servlet.http.HttpServletResponse;
+import org.apache.ranger.view.VXResponse;
@Component
public class XUserMgr extends XUserMgrBase {
@@ -102,6 +104,21 @@ public class XUserMgr extends XUserMgrBase {
static final Logger logger = Logger.getLogger(XUserMgr.class);
public void deleteXGroup(Long id, boolean force) {
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session != null) {
+ if (!session.isUserAdmin()) {
+ throw restErrorUtil.create403RESTException("deletion of group"
+ + " denied. LoggedInUser="
+ + (session != null ? session.getXXPortalUser().getId()
+ : "Not Logged In")
+ + " ,isn't permitted to perform the action.");
+ }
+ }else{
+ VXResponse vXResponse = new VXResponse();
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setMsgDesc("Bad Credentials");
+ throw restErrorUtil.generateRESTException(vXResponse);
+ }
if (force) {
SearchCriteria searchCriteria = new SearchCriteria();
searchCriteria.addParam("xGroupId", id);
@@ -122,6 +139,21 @@ public class XUserMgr extends XUserMgrBase {
}
public void deleteXUser(Long id, boolean force) {
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session != null) {
+ if (!session.isUserAdmin()) {
+ throw restErrorUtil.create403RESTException("deletion of user"
+ + " denied. LoggedInUser="
+ + (session != null ? session.getXXPortalUser().getId()
+ : "Not Logged In")
+ + " ,isn't permitted to perform the action.");
+ }
+ }else{
+ VXResponse vXResponse = new VXResponse();
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setMsgDesc("Bad Credentials");
+ throw restErrorUtil.generateRESTException(vXResponse);
+ }
if (force) {
SearchCriteria searchCriteria = new SearchCriteria();
searchCriteria.addParam("xUserId", id);
@@ -153,7 +185,21 @@ public class XUserMgr extends XUserMgrBase {
}
public VXUser createXUser(VXUser vXUser) {
-
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session != null) {
+ if (!session.isUserAdmin()) {
+ throw restErrorUtil.create403RESTException("creation of user"
+ + " denied. LoggedInUser="
+ + (session != null ? session.getXXPortalUser().getId()
+ : "Not Logged In")
+ + " ,isn't permitted to perform the action.");
+ }
+ }else{
+ VXResponse vXResponse = new VXResponse();
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setMsgDesc("Bad Credentials");
+ throw restErrorUtil.generateRESTException(vXResponse);
+ }
String userName = vXUser.getName();
if (userName == null || userName.isEmpty()) {
throw restErrorUtil.createRESTException("Please provide a valid "
@@ -432,7 +478,21 @@ public class XUserMgr extends XUserMgrBase {
public VXUserGroupInfo createXUserGroupFromMap(
VXUserGroupInfo vXUserGroupInfo) {
-
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session != null) {
+ if (!session.isUserAdmin()) {
+ throw restErrorUtil.create403RESTException("User group "
+ + "creation denied. LoggedInUser="
+ + (session != null ? session.getXXPortalUser().getId()
+ : "Not Logged In")
+ + " ,isn't permitted to perform the action.");
+ }
+ }else{
+ VXResponse vXResponse = new VXResponse();
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setMsgDesc("Bad Credentials");
+ throw restErrorUtil.generateRESTException(vXResponse);
+ }
VXUserGroupInfo vxUGInfo = new VXUserGroupInfo();
VXUser vXUser = vXUserGroupInfo.getXuserInfo();
@@ -459,10 +519,40 @@ public class XUserMgr extends XUserMgrBase {
}
public VXUser createXUserWithOutLogin(VXUser vXUser) {
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session != null) {
+ if (!session.isUserAdmin()) {
+ throw restErrorUtil.create403RESTException("creation of user"
+ + " denied. LoggedInUser="
+ + (session != null ? session.getXXPortalUser().getId()
+ : "Not Logged In")
+ + " ,isn't permitted to perform the action.");
+ }
+ }else{
+ VXResponse vXResponse = new VXResponse();
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setMsgDesc("Bad Credentials");
+ throw restErrorUtil.generateRESTException(vXResponse);
+ }
return xUserService.createXUserWithOutLogin(vXUser);
}
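Review bot: `createXUserWithOutLogin` (and `createXGroupWithoutLogin` in the next hunk) now rejects any call that does not carry an admin session, so the "WithOutLogin" in the name no longer describes what the method does; the only remaining difference from `createXUser` is in the service it delegates to. Until the methods are renamed, a javadoc should state the new contract, for example `/** Creates the user through xUserService; despite the name, requires an authenticated admin session (401 without a session, 403 for non-admins). */`. The REST endpoints that call these methods were previously exempted from security in security-applicationContext.xml, and that exemption is removed in this same commit, so the name is now actively misleading for the unauthenticated-bootstrap case it was written for.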
public VXGroup createXGroup(VXGroup vXGroup) {
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session != null) {
+ if (!session.isUserAdmin()) {
+ throw restErrorUtil.create403RESTException("creation of group"
+ + " denied. LoggedInUser="
+ + (session != null ? session.getXXPortalUser().getId()
+ : "Not Logged In")
+ + " ,isn't permitted to perform the action.");
+ }
+ }else{
+ VXResponse vXResponse = new VXResponse();
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setMsgDesc("Bad Credentials");
+ throw restErrorUtil.generateRESTException(vXResponse);
+ }
// FIXME Just a hack
if (vXGroup.getDescription() == null) {
vXGroup.setDescription(vXGroup.getName());
@@ -476,10 +566,40 @@ public class XUserMgr extends XUserMgrBase {
}
public VXGroup createXGroupWithoutLogin(VXGroup vXGroup) {
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session != null) {
+ if (!session.isUserAdmin()) {
+ throw restErrorUtil.create403RESTException("creation of group"
+ + " denied. LoggedInUser="
+ + (session != null ? session.getXXPortalUser().getId()
+ : "Not Logged In")
+ + " ,isn't permitted to perform the action.");
+ }
+ }else{
+ VXResponse vXResponse = new VXResponse();
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setMsgDesc("Bad Credentials");
+ throw restErrorUtil.generateRESTException(vXResponse);
+ }
return xGroupService.createXGroupWithOutLogin(vXGroup);
}
public VXGroupUser createXGroupUser(VXGroupUser vXGroupUser) {
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session != null) {
+ if (!session.isUserAdmin()) {
+ throw restErrorUtil.create403RESTException("creation of group"
+ + " denied. LoggedInUser="
+ + (session != null ? session.getXXPortalUser().getId()
+ : "Not Logged In")
+ + " ,isn't permitted to perform the action.");
+ }
+ }else{
+ VXResponse vXResponse = new VXResponse();
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setMsgDesc("Bad Credentials");
+ throw restErrorUtil.generateRESTException(vXResponse);
+ }
vXGroupUser = xGroupUserService
.createXGroupUserWithOutLogin(vXGroupUser);
return vXGroupUser;
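Review bot: The 403 message in `createXGroupUser` says `"creation of group"`, but this method creates a group-user membership, so the audit line is indistinguishable from the one `createXGroup` and `createXGroupWithoutLogin` emit. Use `"creation of group user"` so denied membership changes can be told apart from denied group creation when reviewing the log.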
@@ -526,6 +646,21 @@ public class XUserMgr extends XUserMgrBase {
*/
public void deleteXGroupAndXUser(String groupName, String userName) {
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session != null) {
+ if (!session.isUserAdmin()) {
+ throw restErrorUtil.create403RESTException("User "
+ + "deletion denied. LoggedInUser="
+ + (session != null ? session.getXXPortalUser().getId()
+ : "Not Logged In")
+ + " ,isn't permitted to perform the action.");
+ }
+ }else{
+ VXResponse vXResponse = new VXResponse();
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setMsgDesc("Bad Credentials");
+ throw restErrorUtil.generateRESTException(vXResponse);
+ }
VXGroup vxGroup = xGroupService.getGroupByGroupName(groupName);
VXUser vxUser = xUserService.getXUserByUserName(userName);
SearchCriteria searchCriteria = new SearchCriteria();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java b/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java
index 8d7d96d..a17da9b 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java
@@ -68,6 +68,28 @@ public class RESTErrorUtil {
return restException;
}
+ public WebApplicationException generateRESTException(VXResponse gjResponse) {
+ Response errorResponse = Response
+ .status(gjResponse.getStatusCode())
+ .entity(gjResponse).build();
+
+ WebApplicationException restException = new WebApplicationException(
+ errorResponse);
+ restException.fillInStackTrace();
+ UserSessionBase userSession = ContextUtil.getCurrentUserSession();
+ Long sessionId = null;
+ String loginId = null;
+ if (userSession != null) {
+ loginId = userSession.getLoginId();
+ sessionId = userSession.getSessionId();
+ }
+
+ logger.info("Request failed. SessionId=" + sessionId + ", loginId="
+ + loginId + ", logMessage=" + gjResponse.getMsgDesc(),
+ restException);
+
+ return restException;
+ }
/**
*
* @param logMessage
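Review bot: `generateRESTException` calls `restException.fillInStackTrace()` right after constructing the exception, which is redundant because `Throwable`'s constructor already captures the stack, and then passes the exception to `logger.info`, so every denied request (this method is used for the 401 "Bad Credentials" path) prints a full stack trace at INFO. Drop the `fillInStackTrace()` call and log without the throwable: `logger.info("Request failed. SessionId=" + sessionId + ", loginId=" + loginId + ", logMessage=" + gjResponse.getMsgDesc());`. The method also dereferences `gjResponse` without a null check, unlike the sibling below it which has a javadoc; add one stating that `gjResponse` must be non-null and that its status code becomes the HTTP status.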
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
index 3cb2d2d..a9d0059 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
@@ -188,7 +188,6 @@ public class UserREST {
public VXPortalUser createDefaultAccountUser(VXPortalUser userProfile,
@Context HttpServletRequest servletRequest) {
VXPortalUser vxPortalUser;
- logger.info("create:" + userProfile.getEmailAddress());
vxPortalUser=userManager.createDefaultAccountUser(userProfile);
if(vxPortalUser!=null)
{
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
index 45fea99..4c47584 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
@@ -154,6 +154,7 @@ public class XUserREST {
@POST
@Path("/groups")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
public VXGroup createXGroup(VXGroup vXGroup) {
return xUserMgr.createXGroupWithoutLogin(vXGroup);
}
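Review bot: The `@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")` added here and on the six other endpoints in this file only has effect if method security with pre/post annotations is enabled for this bean in the Spring security context; that configuration is not visible in this commit, so confirm it is present, otherwise the annotation is decorative and the only guard is the manual check in XUserMgr. Since both layers now enforce the same rule, a comment should say which one is authoritative, for example `// Authorization is also enforced in XUserMgr; this annotation is the first line of defence at the REST layer.` on the first annotated method.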
@@ -161,6 +162,7 @@ public class XUserREST {
@POST
@Path("/secure/groups")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
public VXGroup secureCreateXGroup(VXGroup vXGroup) {
return xUserMgr.createXGroup(vXGroup);
}
@@ -244,6 +246,7 @@ public class XUserREST {
@POST
@Path("/users")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
public VXUser createXUser(VXUser vXUser) {
return xUserMgr.createXUserWithOutLogin(vXUser);
}
@@ -251,6 +254,7 @@ public class XUserREST {
@POST
@Path("/users/userinfo")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
public VXUserGroupInfo createXUserGroupFromMap(VXUserGroupInfo vXUserGroupInfo) {
return xUserMgr.createXUserGroupFromMap(vXUserGroupInfo);
}
@@ -258,6 +262,7 @@ public class XUserREST {
@POST
@Path("/secure/users")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
public VXUser secureCreateXUser(VXUser vXUser) {
return xUserMgr.createXUser(vXUser);
}
@@ -338,6 +343,7 @@ public class XUserREST {
@POST
@Path("/groupusers")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
public VXGroupUser createXGroupUser(VXGroupUser vXGroupUser) {
return xUserMgr.createXGroupUser(vXGroupUser);
}
@@ -604,6 +610,7 @@ public class XUserREST {
//
@DELETE
@Path("/group/{groupName}/user/{userName}")
+ @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
public void deleteXGroupAndXUser(@PathParam("groupName") String groupName,
@PathParam("userName") String userName,
@Context HttpServletRequest request) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
index 8d2392b..ee73136 100644
--- a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
+++ b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
@@ -61,10 +61,10 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
<security:http pattern="/service/plugins/policies/download/*" security="none"/>
<security:http pattern="/service/plugins/services/grant/*" security="none"/>
<security:http pattern="/service/plugins/services/revoke/*" security="none"/>
- <security:http pattern="/service/users/default" security="none"/>
+ <!--<security:http pattern="/service/users/default" security="none"/>
<security:http pattern="/service/xusers/groups/**" security="none"/>
<security:http pattern="/service/xusers/users/*" security="none"/>
- <security:http pattern="/service/xusers/groupusers/*" security="none"/>
+ <security:http pattern="/service/xusers/groupusers/*" security="none"/>-->
<security:http auto-config="false" create-session="always" entry-point-ref="authenticationProcessingFilterEntryPoint">
<security:session-management session-fixation-protection="newSession" />
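Review bot: The four `security="none"` entries are wrapped in an XML comment rather than deleted, which leaves dead configuration in the shipped file and will break the document if anyone later adds a `<!-- -->` inside that span, since XML comments do not nest. Delete the four lines instead. The effect of the change is that `/service/users/default`, `/service/xusers/groups/**`, `/service/xusers/users/*` and `/service/xusers/groupusers/*` now go through the authenticated filter chain, so any first-boot client that relied on the anonymous path needs credentials; the commit message does not mention this, and a sentence there would help operators upgrading.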
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/src/main/assembly/usersync.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/usersync.xml b/src/main/assembly/usersync.xml
index 6ad433c..b5f1620 100644
--- a/src/main/assembly/usersync.xml
+++ b/src/main/assembly/usersync.xml
@@ -50,6 +50,7 @@
<include>org.apache.ranger:credentialbuilder</include>
<include>org.apache.ranger:ranger-util</include>
<include>commons-io:commons-io:jar:${commons.io.version}</include>
+ <include>org.apache.htrace:htrace-core</include>
</includes>
<unpack>false</unpack>
</dependencySet>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java
index 7cd06cc..2013f1c 100644
--- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java
+++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java
@@ -59,6 +59,7 @@ import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.WebResource;
import com.sun.jersey.api.client.config.ClientConfig;
import com.sun.jersey.api.client.config.DefaultClientConfig;
+import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter;
import com.sun.jersey.client.urlconnection.HTTPSProperties;
public class PolicyMgrUserGroupBuilder implements UserGroupSink {
@@ -669,7 +670,13 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
cc.getProperties().put(ClientConfig.PROPERTY_FOLLOW_REDIRECTS, true);
ret = Client.create(cc);
}
-
+ if(ret!=null){
+ String username = config.getPolicyMgrUserName();
+ String password = config.getPolicyMgrPassword();
+ if(username!=null && password!=null){
+ ret.addFilter(new HTTPBasicAuthFilter(username, password));
+ }
+ }
return ret ;
}
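Review bot: When `username` or `password` is null the new code silently returns a client with no auth filter, so a misconfigured usersync will fail every policy-manager call with a 401 and nothing in the usersync log explains why; add an `else` branch that writes a warning through the class's logger (not visible in this hunk) saying the policy manager credentials are not configured. `HTTPBasicAuthFilter` sends the password base64-encoded on every request, so on the branch that builds a plain `Client.create(cc)` the credential goes over the wire in the clear unless that client is only ever pointed at an HTTPS URL; the method starts outside this hunk, so I could not confirm which branch is the non-TLS one. A comment on the filter line should state that basic auth is only safe here over TLS.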
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
index 2701353..3ff3a0a 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
@@ -144,6 +144,17 @@ public class UserGroupSyncConfig {
private static final String LGSYNC_GROUP_MEMBER_ATTRIBUTE_NAME = "ldapGroupSync.groupMemberAttributeName";
private static final String DEFAULT_LGSYNC_GROUP_MEMBER_ATTRIBUTE_NAME = "member";
+ private static final String SYNC_POLICY_MGR_KEYSTORE = "userSync.policyMgrKeystore";
+
+ private static final String SYNC_POLICY_MGR_ALIAS = "userSync.policyMgrAlias";
+
+ private static final String SYNC_POLICY_MGR_PASSWORD = "userSync.policyMgrPassword";
+
+ private static final String SYNC_POLICY_MGR_USERNAME = "userSync.policyMgrUserName";
+
+ private static final String DEFAULT_POLICYMGR_USERNAME = "rangerusersync";
+
+ private static final String DEFAULT_POLICYMGR_PASSWORD = "rangerusersync";
private Properties prop = new Properties() ;
private static volatile UserGroupSyncConfig me = null ;
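Review bot: `DEFAULT_POLICYMGR_PASSWORD = "rangerusersync"` compiles a well-known credential, identical to the username, into the jar, and the unixusersync sink uses it whenever the configured credential cannot be resolved. Presumably it matches the account created by the 012-createusersyncuser.sql patches in this commit, but nothing here says so or says that deployments must rotate it. Suggest a comment on the two DEFAULT_ constants, e.g. `// Bootstrap credential only; rotate with updatepolicymgrpassword.sh before exposing the policy manager.` The enclosing class continues outside the hunk.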
@@ -564,5 +575,52 @@ public class UserGroupSyncConfig {
public String getProperty(String aPropertyName, String aDefaultValue) {
return prop.getProperty(aPropertyName, aDefaultValue) ;
}
-
+
+ public String getPolicyMgrPassword(){
+ //update credential from keystore
+ String password=null;
+ if(prop!=null && prop.containsKey(SYNC_POLICY_MGR_KEYSTORE)){
+ password=prop.getProperty(SYNC_POLICY_MGR_PASSWORD);
+ if(password!=null && !password.isEmpty()){
+ return password;
+ }
+ }
+ if(prop!=null && prop.containsKey(SYNC_POLICY_MGR_KEYSTORE) && prop.containsKey(SYNC_POLICY_MGR_ALIAS)){
+ String path=prop.getProperty(SYNC_POLICY_MGR_KEYSTORE);
+ String alias=prop.getProperty(SYNC_POLICY_MGR_ALIAS,"policymgr.user.password");
+ if(path!=null && alias!=null){
+ if(!path.trim().isEmpty() && !alias.trim().isEmpty()){
+ try{
+ password=CredentialReader.getDecryptedString(path.trim(),alias.trim());
+ }catch(Exception ex){
+ password=null;
+ }
+ if(password!=null&& !password.trim().isEmpty() && !password.trim().equalsIgnoreCase("none")){
+ prop.setProperty(SYNC_POLICY_MGR_PASSWORD,password);
+ return password;
+ }
+ }
+ }
+ }
+ return null;
+ }
+
+ public String getPolicyMgrUserName() {
+ String userName=null;
+ if(prop!=null && prop.containsKey(SYNC_POLICY_MGR_USERNAME)){
+ userName=prop.getProperty(SYNC_POLICY_MGR_USERNAME);
+ if(userName!=null && !userName.isEmpty()){
+ return userName;
+ }
+ }
+ return null;
+ }
+
+ public String getDefaultPolicyMgrUserName(){
+ return DEFAULT_POLICYMGR_USERNAME;
+ }
+
+ public String getDefaultPolicyMgrPassword(){
+ return DEFAULT_POLICYMGR_PASSWORD;
+ }
}
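Review bot: The first branch of `getPolicyMgrPassword()` gates the read of `userSync.policyMgrPassword` on `prop.containsKey(SYNC_POLICY_MGR_KEYSTORE)`, so a password configured in the properties file without a keystore entry is never consulted and the method returns null; the guard that matches the intent is `if(prop!=null && prop.containsKey(SYNC_POLICY_MGR_PASSWORD))`. The `catch(Exception ex){ password=null; }` around CredentialReader.getDecryptedString drops the cause, which makes a wrong keystore path or alias indistinguishable from "not configured" — log it, at least at debug level, before returning null. The decrypted value is also written back into `prop` via setProperty, so the shared Properties object then holds the plaintext secret; either drop that caching or add a comment that `prop` must never be dumped or logged. The default passed to `prop.getProperty(SYNC_POLICY_MGR_ALIAS, "policymgr.user.password")` is unreachable because the enclosing condition already requires the alias key to be present.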
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
index 6d78d25..20ffbf1 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
@@ -50,6 +50,7 @@ import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.WebResource;
import com.sun.jersey.api.client.config.ClientConfig;
import com.sun.jersey.api.client.config.DefaultClientConfig;
+import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter;
import com.sun.jersey.client.urlconnection.HTTPSProperties;
import org.apache.ranger.unixusersync.config.UserGroupSyncConfig;
import org.apache.ranger.unixusersync.model.GetXGroupListResponse;
@@ -446,7 +447,7 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
addXUserGroupInfo(user, groups) ;
}
- Client c = new Client();
+ Client c = getClient();
WebResource r = c.resource(getURL(PM_ADD_USER_GROUP_INFO_URI));
@@ -687,7 +688,17 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
cc.getProperties().put(ClientConfig.PROPERTY_FOLLOW_REDIRECTS, true);
ret = Client.create(cc);
}
-
+ if(ret!=null){
+ String username = config.getPolicyMgrUserName();
+ String password = config.getPolicyMgrPassword();
+ if(username==null||password==null||username.trim().isEmpty()||password.trim().isEmpty()){
+ username=config.getDefaultPolicyMgrUserName();
+ password=config.getDefaultPolicyMgrPassword();
+ }
+ if(username!=null && password!=null){
+ ret.addFilter(new HTTPBasicAuthFilter(username, password));
+ }
+ }
return ret ;
}
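Review bot: The fallback at `username=config.getDefaultPolicyMgrUserName(); password=config.getDefaultPolicyMgrPassword();` is taken silently, so a mistyped keystore path or alias (getPolicyMgrPassword() returns null in that case) quietly switches the sync to the compiled-in default credential instead of surfacing the misconfiguration. A warning at the fallback point, e.g. `LOG.warn("policyMgr credentials not configured or unreadable; using default usersync credentials");` — assuming this class has a logger, which the hunk does not show — would make that visible in operations. The enclosing method starts outside the hunk.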
diff --git a/unixauthservice/conf.dist/unixauthservice.properties b/unixauthservice/conf.dist/unixauthservice.properties
index bedc810..d1a1f5f 100644
--- a/unixauthservice/conf.dist/unixauthservice.properties
+++ b/unixauthservice/conf.dist/unixauthservice.properties
@@ -242,3 +242,7 @@ ldapGroupSync.pagedResultsEnabled=
# search results would be returned page by page with the specified number of entries per page
# default value: 500
ldapGroupSync.pagedResultsSize=
+userSync.policyMgrUserName =rangerusersync
+userSync.policyMgrPassword =
+userSync.policyMgrAlias =policymgr.user.password
+userSync.policyMgrKeystore =/usr/lib/xausersync/.jceks/xausersync.jceks
\ No newline at end of file
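Review bot: The four added keys carry no comment, unlike the neighbouring `ldapGroupSync.*` entries, and their precedence is not obvious from the names: in UserGroupSyncConfig a non-empty `userSync.policyMgrPassword` is returned before the keystore is consulted, so a plaintext value here overrides the jceks entry. Suggest a short comment block above `userSync.policyMgrUserName` stating that `userSync.policyMgrPassword` is read as plaintext and takes precedence, that the keystore/alias pair is the recommended form, and that updatepolicymgrpassword.sh populates the latter. The file also loses its trailing newline in this hunk.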
diff --git a/unixauthservice/scripts/updatepolicymgrpassword.py b/unixauthservice/scripts/updatepolicymgrpassword.py
new file mode 100644
index 0000000..b07458b
--- /dev/null
+++ b/unixauthservice/scripts/updatepolicymgrpassword.py
@@ -0,0 +1,171 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License. See accompanying LICENSE file.
+#
+
+import os
+import re
+import sys
+import errno
+import shlex
+import logging
+import subprocess
+import platform
+import fileinput
+import getpass
+import shutil
+from os.path import basename
+from subprocess import Popen,PIPE
+from datetime import date
+from datetime import datetime
+globalDict = {}
+
+os_name = platform.system()
+os_name = os_name.upper()
+
+def check_output(query):
+ if os_name == "LINUX":
+ p = subprocess.Popen(shlex.split(query), stdout=subprocess.PIPE)
+ elif os_name == "WINDOWS":
+ p = subprocess.Popen(query, stdout=subprocess.PIPE, shell=True)
+ output = p.communicate ()[0]
+ return output
+
+def log(msg,type):
+ if type == 'info':
+ logging.info(" %s",msg)
+ if type == 'debug':
+ logging.debug(" %s",msg)
+ if type == 'warning':
+ logging.warning(" %s",msg)
+ if type == 'exception':
+ logging.exception(" %s",msg)
+ if type == 'error':
+ logging.error(" %s",msg)
+
+def populate_global_dict():
+ global globalDict
+ read_config_file = open(os.path.join(os.getcwd(),'install.properties'))
+ for each_line in read_config_file.read().split('\n') :
+ if len(each_line) == 0 : continue
+ if re.search('=', each_line):
+ key , value = each_line.strip().split("=",1)
+ key = key.strip()
+ value = value.strip()
+ globalDict[key] = value
+
+def ModConfig(File, Variable, Setting):
+ """
+ Modify Config file variable with new setting
+ """
+ VarFound = False
+ AlreadySet = False
+ V=str(Variable)
+ S=str(Setting)
+ # use quotes if setting has spaces #
+ if ' ' in S:
+ S = '"%s"' % S
+
+ for line in fileinput.input(File, inplace = 1):
+ # process lines that look like config settings #
+ if not line.lstrip(' ').startswith('#') and '=' in line:
+ _infile_var = str(line.split('=')[0].rstrip(' '))
+ _infile_set = str(line.split('=')[1].lstrip(' ').rstrip())
+ # only change the first matching occurrence #
+ if VarFound == False and _infile_var.rstrip(' ') == V:
+ VarFound = True
+ # don't change it if it is already set #
+ if _infile_set.lstrip(' ') == S:
+ AlreadySet = True
+ else:
+ line = "%s = %s\n" % (V, S)
+
+ sys.stdout.write(line)
+
+ # Append the variable if it wasn't found #
+ if not VarFound:
+ print "property '%s' not found. Adding it to %s" % (V, File)
+ with open(File, "a") as f:
+ f.write("%s = %s\n" % (V, S))
+ elif AlreadySet == True:
+ print "property '%s' unchanged" % (V)
+ else:
+ print "property '%s' modified to '%s'" % (V, S)
+
+ return
+
+def main():
+
+ FORMAT = '%(asctime)-15s %(message)s'
+ logging.basicConfig(format=FORMAT, level=logging.DEBUG)
+ populate_global_dict()
+
+ SYNC_LDAP_BIND_KEYSTOREPATH=globalDict['CRED_KEYSTORE_FILENAME']
+ SYNC_POLICY_MGR_ALIAS="policymgr.user.password"
+ SYNC_POLICY_MGR_PASSWORD = ''
+ SYNC_POLICY_MGR_USERNAME = ''
+ JAVA_BIN = ''
+ unix_user = "ranger"
+ unix_group = "ranger"
+
+ if os.environ['JAVA_HOME'] == "":
+ log("[E] ---------- JAVA_HOME environment property not defined, aborting installation. ----------", "error")
+ sys.exit(1)
+
+ JAVA_BIN=os.path.join(os.environ['JAVA_HOME'],'bin','java')
+ if os_name == "WINDOWS" :
+ JAVA_BIN = JAVA_BIN+'.exe'
+ if os.path.isfile(JAVA_BIN):
+ pass
+ else:
+ while os.path.isfile(JAVA_BIN) == False:
+ log("Enter java executable path: :","info")
+ JAVA_BIN=raw_input()
+
+ log("[I] Using Java:" + str(JAVA_BIN),"info")
+
+ while SYNC_POLICY_MGR_USERNAME == "":
+ print "Enter policymgr user name:"
+ SYNC_POLICY_MGR_USERNAME=raw_input()
+
+ while SYNC_POLICY_MGR_PASSWORD == "":
+ SYNC_POLICY_MGR_PASSWORD=getpass.getpass("Enter policymgr user password:")
+
+ if SYNC_LDAP_BIND_KEYSTOREPATH != "" or SYNC_POLICY_MGR_ALIAS != "" or SYNC_POLICY_MGR_USERNAME != "" or SYNC_POLICY_MGR_PASSWORD != "":
+ log("[I] Storing policymgr usersync password in credential store:","info")
+ cmd="%s -cp lib/* org.apache.ranger.credentialapi.buildks create %s -value %s -provider jceks://file%s" %(JAVA_BIN,SYNC_POLICY_MGR_ALIAS,SYNC_POLICY_MGR_PASSWORD,SYNC_LDAP_BIND_KEYSTOREPATH)
+ ret=subprocess.call(shlex.split(cmd))
+ if ret == 0:
+ cmd="chown %s:%s %s" %(unix_user,unix_group,SYNC_LDAP_BIND_KEYSTOREPATH)
+ ret=subprocess.call(shlex.split(cmd))
+ if ret == 0:
+ CFG_FILE=os.path.join(os.getcwd(),'conf','unixauthservice.properties')
+ NEW_CFG_FILE=os.path.join(os.getcwd(),'conf','unixauthservice.properties.tmp')
+ if os.path.isfile(CFG_FILE):
+ shutil.copyfile(CFG_FILE, NEW_CFG_FILE)
+ ModConfig(NEW_CFG_FILE, "userSync.policyMgrUserName", SYNC_POLICY_MGR_USERNAME)
+ ModConfig(NEW_CFG_FILE, "userSync.policyMgrKeystore", SYNC_LDAP_BIND_KEYSTOREPATH)
+ ModConfig(NEW_CFG_FILE, "userSync.policyMgrAlias", SYNC_POLICY_MGR_ALIAS)
+ now = datetime.now()
+ shutil.copyfile(CFG_FILE, CFG_FILE+"."+now.strftime('%Y%m%d%H%M%S'))
+ shutil.copyfile(NEW_CFG_FILE,CFG_FILE)
+ else:
+ log("[E] Required file not found: ["+CFG_FILE+"]","error")
+ else:
+ log("[E] unable to execute command ["+cmd+"]","error")
+ else:
+ log("[E] unable to execute command ["+cmd+"]","error")
+ else:
+ log("[E] Input Error","error")
+
+
+main()
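Review bot: The `else` branch at `log("[E] unable to execute command ["+cmd+"]","error")` that follows the buildks call writes the full command — including the plaintext password passed via `-value` — to the log and to stdout whenever the java call fails. The password is also visible in the process argument list for the lifetime of the buildks call (the shell script has the same pattern at its `$JAVA_HOME/bin/java ... -value "$SYNC_POLICY_MGR_PASSWORD"` line); if buildks can read the value from stdin that would be preferable, and in any case the argv must not be echoed. Building the command as a string and re-splitting it with `shlex.split` also mis-tokenizes a password containing spaces or quotes, so the argv should be a list. Separately, `os.environ['JAVA_HOME']` raises KeyError when the variable is unset rather than reaching the intended error message; `os.environ.get('JAVA_HOME', '')` gives the check a chance to run.
```python
cmd = [JAVA_BIN, '-cp', 'lib/*', 'org.apache.ranger.credentialapi.buildks',
       'create', SYNC_POLICY_MGR_ALIAS, '-value', SYNC_POLICY_MGR_PASSWORD,
       '-provider', 'jceks://file' + SYNC_LDAP_BIND_KEYSTOREPATH]
ret = subprocess.call(cmd)
# ... unchanged: chown and config-file update ...
else:
    # never echo cmd here: its argv carries the password
    log("[E] unable to store credential for alias [" + SYNC_POLICY_MGR_ALIAS + "] in keystore [" + SYNC_LDAP_BIND_KEYSTOREPATH + "]", "error")
```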
diff --git a/unixauthservice/scripts/updatepolicymgrpassword.sh b/unixauthservice/scripts/updatepolicymgrpassword.sh
new file mode 100644
index 0000000..a13c030
--- /dev/null
+++ b/unixauthservice/scripts/updatepolicymgrpassword.sh
@@ -0,0 +1,128 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+INSTALL_BASE=$PWD
+
+MOD_NAME="ranger-usersync"
+unix_user=ranger
+unix_group=ranger
+
+INSTALL_DIR=${INSTALL_BASE}
+
+curDt=`date '+%Y%m%d%H%M%S'`
+LOGFILE=setup.log.$curDt
+
+log() {
+ local prefix="[$(date +%Y/%m/%d\ %H:%M:%S)]: "
+ echo "${prefix} $@" >> $LOGFILE
+ echo "${prefix} $@"
+}
+
+# Ensure that the user is root
+MY_ID=`id -u`
+if [ "${MY_ID}" -ne 0 ]
+then
+ echo "ERROR: You must run this script as root user."
+ exit 1
+fi
+
+# Ensure JAVA_HOME is set
+if [ "${JAVA_HOME}" == "" ]
+then
+ echo "ERROR: JAVA_HOME environment property not defined, aborting installation"
+ exit 2
+fi
+
+# Grep configuration properties from install.properties
+cdir=`dirname $0`
+
+check_ret_status(){
+ if [ $1 -ne 0 ]; then
+ log "[E] $2";
+ exit 1;
+ fi
+}
+
+SYNC_LDAP_BIND_KEYSTOREPATH=`grep '^[ \t]*CRED_KEYSTORE_FILENAME[ \t]*=' ${cdir}/install.properties | sed -e 's:^[ \t]*CRED_KEYSTORE_FILENAME[ \t]*=[ \t]*::'`
+
+# END Grep configuration properties from install.properties
+# Store POLICY_MGR user password in credential store
+SYNC_POLICY_MGR_ALIAS="policymgr.user.password"
+SYNC_POLICY_MGR_PASSWORD="rangerusersync"
+SYNC_POLICY_MGR_USERNAME="rangerusersync"
+count=0
+while :
+do
+ if [ $count -gt 2 ]
+ then
+ log "[E] Unable to continue as correct input is not provided in 3 attempts."
+ exit 1
+ fi
+ printf "Please enter policymgr username: "
+ read SYNC_POLICY_MGR_USERNAME
+ if [[ "${SYNC_POLICY_MGR_USERNAME}" != "" ]]
+ then
+ break;
+ fi
+done
+while :
+do
+ if [ $count -gt 2 ]
+ then
+ log "[E] Unable to continue as correct input is not provided in 3 attempts."
+ exit 1
+ fi
+ printf "Please enter policymgr password: "
+ stty -echo
+ read SYNC_POLICY_MGR_PASSWORD
+ stty echo
+ if [[ "${SYNC_POLICY_MGR_PASSWORD}" != "" ]]
+ then
+ break;
+ fi
+done
+if [[ "${SYNC_POLICY_MGR_ALIAS}" != "" && "${SYNC_LDAP_BIND_KEYSTOREPATH}" != "" && "${SYNC_POLICY_MGR_PASSWORD}" != "" && "${SYNC_POLICY_MGR_USERNAME}" != "" ]]
+then
+ log "[I] Storing policymgr usersync password in credential store"
+ mkdir -p `dirname "${SYNC_LDAP_BIND_KEYSTOREPATH}"`
+ chown ${unix_user}:${unix_group} `dirname "${SYNC_LDAP_BIND_KEYSTOREPATH}"`
+ $JAVA_HOME/bin/java -cp "lib/*" org.apache.ranger.credentialapi.buildks create "$SYNC_POLICY_MGR_ALIAS" -value "$SYNC_POLICY_MGR_PASSWORD" -provider jceks://file$SYNC_LDAP_BIND_KEYSTOREPATH
+fi
+
+# Create $INSTALL_DIR/conf/unixauthservice.properties
+
+CFG_FILE="${cdir}/conf/unixauthservice.properties"
+NEW_CFG_FILE=${cdir}/conf/unixauthservice.properties.tmp
+
+if [ -f ${CFG_FILE} ]
+then
+ sed \
+ -e "s|^\( *userSync.policyMgrUserName *=\).*|\1 ${SYNC_POLICY_MGR_USERNAME}|" \
+ -e "s|^\( *userSync.policyMgrKeystore *=\).*|\1 ${SYNC_LDAP_BIND_KEYSTOREPATH}|" \
+ -e "s|^\( *userSync.policyMgrAlias *=\).*|\1 ${SYNC_POLICY_MGR_ALIAS}|" \
+ ${CFG_FILE} > ${NEW_CFG_FILE}
+
+ echo "<${logdir}> ${CFG_FILE} > ${NEW_CFG_FILE}"
+else
+ echo "ERROR: Required file, not found: ${CFG_FILE}, Aborting installation"
+ exit 8
+fi
+
+mv ${cdir}/conf/unixauthservice.properties ${cdir}/conf/unixauthservice.properties.${curDt}
+mv ${cdir}/conf/unixauthservice.properties.tmp ${cdir}/conf/unixauthservice.properties
+
+#END Create $INSTALL_DIR/conf/unixauthservice.properties
\ No newline at end of file
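Review bot: `count` is never incremented inside either prompt loop, so the `if [ $count -gt 2 ]` guard and its "3 attempts" message are unreachable and an empty answer loops forever; add `count=$((count+1))` as the last statement of each loop body. The `stty -echo` / `stty echo` pair leaves the terminal with echo disabled if the user interrupts during `read`; since the script is bash, `read -s SYNC_POLICY_MGR_PASSWORD; echo` does the same without that hazard. The exit status of the buildks java call is not checked even though `check_ret_status` is defined and otherwise unused, so the configuration is rewritten to point at a keystore that may not exist; add `check_ret_status $? "Unable to store policymgr password in credential store"` right after the java line. Only the keystore's parent directory is chown'd before the file is created by root, so the resulting jceks file may end up root-owned with default permissions — presumably the ranger user needs to read it, so chown and chmod the file itself after creation, as the Python variant does. `${logdir}` in the echo after the sed is not defined anywhere in this script.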