Posted to commits@ranger.apache.org by ni...@apache.org on 2019/12/16 13:11:42 UTC
[ranger] branch master updated: RANGER-2660 : Option to create
missing users/groups/roles while creating/updating/importing policies
This is an automated email from the ASF dual-hosted git repository.
nikhil pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new d6e0e9a RANGER-2660 : Option to create missing users/groups/roles while creating/updating/importing policies
d6e0e9a is described below
commit d6e0e9af2446d023e68df1e21221d8bf1190615d
Author: Nikhil P <ni...@apache.org>
AuthorDate: Mon Dec 16 18:40:30 2019 +0530
RANGER-2660 : Option to create missing users/groups/roles while creating/updating/importing policies
---
.../model/validation/RangerRoleValidator.java | 16 ----
.../org/apache/ranger/biz/PolicyRefUpdater.java | 92 +++++++++++++++++++---
.../java/org/apache/ranger/biz/RangerBizUtil.java | 6 ++
3 files changed, 86 insertions(+), 28 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerRoleValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerRoleValidator.java
index beeb888..bc34598 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerRoleValidator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerRoleValidator.java
@@ -19,7 +19,6 @@
package org.apache.ranger.plugin.model.validation;
-import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -172,21 +171,6 @@ public class RangerRoleValidator extends RangerValidator {
valid = false;
}
- List<RangerRole.RoleMember> users = rangerRole.getUsers();
- List<RangerRole.RoleMember> groups = rangerRole.getGroups();
- List<RangerRole.RoleMember> roles = rangerRole.getRoles();
-
- if (CollectionUtils.isEmpty(users) && CollectionUtils.isEmpty(groups) && CollectionUtils.isEmpty(roles)) {
- ValidationErrorCode error = ValidationErrorCode.ROLE_VALIDATION_ERR_MISSING_USER_OR_GROUPS_OR_ROLES;
- failures.add(new ValidationFailureDetailsBuilder()
- .field("users and groups and roles")
- .isMissing()
- .becauseOf(error.getMessage())
- .errorCode(error.getErrorCode())
- .build());
- valid = false;
- }
-
Long id = rangerRole.getId();
RangerRole existingRangerRole = getRangerRole(id);
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
index 3846d00..85e6aeb 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
@@ -19,12 +19,15 @@
package org.apache.ranger.biz;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.entity.XXAccessTypeDef;
import org.apache.ranger.entity.XXDataMaskTypeDef;
@@ -48,19 +51,36 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
+import org.apache.ranger.plugin.model.RangerRole;
import org.apache.ranger.service.RangerAuditFields;
+import org.apache.ranger.service.XUserService;
+import org.apache.ranger.view.VXGroup;
+import org.apache.ranger.view.VXUser;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
+
@Component
public class PolicyRefUpdater {
+ private static final Log LOG = LogFactory.getLog(PolicyRefUpdater.class);
+
@Autowired
RangerDaoManager daoMgr;
@Autowired
RangerAuditFields<?> rangerAuditFields;
+ @Autowired
+ XUserMgr xUserMgr;
+
+
+ @Autowired
+ XUserService xUserService;
+
+ @Autowired
+ RoleDBStore roleStore;
+
public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy, XXServiceDef xServiceDef) throws Exception {
if(policy == null) {
return;
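Review bot: The new field `XUserService xUserService` is autowired but nothing in this commit references it — the three helpers added later in this file go through `xUserMgr` and `roleStore` only — so it is an unused injection that also widens the bean's dependency graph for no reason; drop it or use it. The new fields are package-private and field-injected like the existing `daoMgr`, which matches the file, but a one-line comment on `roleStore`/`xUserMgr` saying they exist to auto-create principals referenced by a policy would help the next reader, e.g. `// used to create users/groups/roles that a policy references but which do not yet exist`. The class body and `createNewPolMappingForRefTable` continue beyond this hunk.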
@@ -75,6 +95,7 @@ public class PolicyRefUpdater {
final Set<String> accessTypes = new HashSet<>();
final Set<String> conditionTypes = new HashSet<>();
final Set<String> dataMaskTypes = new HashSet<>();
+ boolean oldBulkMode = RangerBizUtil.isBulkMode();
List<RangerPolicy.RangerPolicyItemCondition> rangerPolicyConditions = policy.getConditions();
if (CollectionUtils.isNotEmpty(rangerPolicyConditions)) {
@@ -138,19 +159,23 @@ public class PolicyRefUpdater {
}
XXRole xRole = daoMgr.getXXRole().findByRoleName(role);
-
- if (xRole == null) {
- throw new Exception(role + ": role does not exist. policy='"+ policy.getName() + "' service='"+ policy.getService() + "' role='" + role + "'");
+ Long roleId = null;
+ if (xRole != null) {
+ roleId = xRole.getId();
+ }
+ else {
+ RangerBizUtil.setBulkMode(false);
+ roleId = createRoleForPolicy(role);
}
-
XXPolicyRefRole xPolRole = rangerAuditFields.populateAuditFields(new XXPolicyRefRole(), xPolicy);
xPolRole.setPolicyId(policy.getId());
- xPolRole.setRoleId(xRole.getId());
+ xPolRole.setRoleId(roleId);
xPolRole.setRoleName(role);
xPolRoles.add(xPolRole);
}
+ RangerBizUtil.setBulkMode(oldBulkMode);
daoMgr.getXXPolicyRefRole().batchCreate(xPolRoles);
List<XXPolicyRefGroup> xPolGroups = new ArrayList<>();
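Review bot: `RangerBizUtil.setBulkMode(false)` in the `else` branch is only undone by the `RangerBizUtil.setBulkMode(oldBulkMode)` placed after the loop, so when `createRoleForPolicy` throws (it declares `throws Exception`) the request context is left with bulk mode switched off for whatever runs next in the same operation; the group loop (hunk ending at the `xPolGroups` batchCreate) and the user loop (hunk ending at the `xPolUsers` batchCreate) have the same shape. Restore the flag in a `finally` instead: wrap the loop as `try { for (...) { ... } } finally { RangerBizUtil.setBulkMode(oldBulkMode); }`, or set it to `false` once before the loop rather than per iteration so the intent is visible. The `Long roleId = null; if (...) ... else ...` pair could also be a single `final Long roleId = xRole != null ? xRole.getId() : createRoleForPolicy(role);`. The enclosing `for` loop begins outside this hunk.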
@@ -160,19 +185,24 @@ public class PolicyRefUpdater {
}
XXGroup xGroup = daoMgr.getXXGroup().findByGroupName(group);
-
- if (xGroup == null) {
- throw new Exception(group + ": group does not exist. policy='"+ policy.getName() + "' service='"+ policy.getService() + "' group='" + group + "'");
+ Long groupId = null;
+ if (xGroup != null) {
+ groupId = xGroup.getId();
+ }
+ else {
+ RangerBizUtil.setBulkMode(false);
+ groupId = createGroupForPolicy(group);
}
XXPolicyRefGroup xPolGroup = rangerAuditFields.populateAuditFields(new XXPolicyRefGroup(), xPolicy);
xPolGroup.setPolicyId(policy.getId());
- xPolGroup.setGroupId(xGroup.getId());
+ xPolGroup.setGroupId(groupId);
xPolGroup.setGroupName(group);
xPolGroups.add(xPolGroup);
}
+ RangerBizUtil.setBulkMode(oldBulkMode);
daoMgr.getXXPolicyRefGroup().batchCreate(xPolGroups);
List<XXPolicyRefUser> xPolUsers = new ArrayList<>();
@@ -182,19 +212,25 @@ public class PolicyRefUpdater {
}
XXUser xUser = daoMgr.getXXUser().findByUserName(user);
+ Long userId = null;
+ if(xUser != null){
+ userId = xUser.getId();
+ }
+ else {
+ RangerBizUtil.setBulkMode(false);
- if (xUser == null) {
- throw new Exception(user + ": user does not exist. policy='"+ policy.getName() + "' service='"+ policy.getService() + "' user='" + user +"'");
+ userId = createUserForPolicy(user);
}
XXPolicyRefUser xPolUser = rangerAuditFields.populateAuditFields(new XXPolicyRefUser(), xPolicy);
xPolUser.setPolicyId(policy.getId());
- xPolUser.setUserId(xUser.getId());
+ xPolUser.setUserId(userId);
xPolUser.setUserName(user);
xPolUsers.add(xPolUser);
}
+ RangerBizUtil.setBulkMode(oldBulkMode);
daoMgr.getXXPolicyRefUser().batchCreate(xPolUsers);
List<XXPolicyRefAccessType> xPolAccesses = new ArrayList<>();
@@ -252,6 +288,38 @@ public class PolicyRefUpdater {
daoMgr.getXXPolicyRefDataMaskType().batchCreate(xxDataMaskInfos);
}
+ private Long createUserForPolicy(String user) {
+ LOG.warn("User specified in policy does not exist in ranger admin, creating new user, User = " + user);
+ VXUser vxUser = new VXUser();
+ vxUser.setName(user);
+ vxUser.setDescription(user);
+ vxUser.setUserSource(1);
+ vxUser.setPassword(user+"12345");
+ vxUser.setUserRoleList(Arrays.asList("ROLE_USER"));
+ VXUser createdXUser= xUserMgr.createXUser(vxUser);
+ return createdXUser.getId();
+ }
+
+ private Long createGroupForPolicy(String group) {
+ LOG.warn("Group specified in policy does not exist in ranger admin, creating new group, Group = " + group);
+ VXGroup vxGroup = new VXGroup();
+ vxGroup.setName(group);
+ VXGroup vxGroupCreated= xUserMgr.createXGroup(vxGroup);
+ return vxGroupCreated.getId();
+ }
+
+ private Long createRoleForPolicy(String role) throws Exception {
+ LOG.warn("Role specified in policy does not exist in ranger admin, creating new role = " + role);
+
+ RangerRole rRole = new RangerRole(role, null, null, null, null);
+
+ xUserMgr.checkAdminAccess();
+
+ RangerRole createdRole= roleStore.createRole(rRole);
+ return createdRole.getId();
+ }
+
+
public Boolean cleanupRefTables(RangerPolicy policy) {
final Long policyId = policy == null ? null : policy.getId();
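Review bot: `createUserForPolicy` sets `vxUser.setPassword(user+"12345")`, a credential derived only from the user name, on an account that is also given `ROLE_USER`; unless `setUserSource(1)` guarantees that this account can never authenticate by password (not visible from this hunk), that is a guessable login, so use a value from `SecureRandom` or leave the password unset for an externally sourced user. `createRoleForPolicy` calls `xUserMgr.checkAdminAccess()` before creating the role, but `createUserForPolicy` and `createGroupForPolicy` create principals with no equivalent check, so anyone allowed to create or update a policy can now create arbitrary users and groups in the admin; either add the same `xUserMgr.checkAdminAccess();` to both or document why the asymmetry is intended. The `LOG.warn(... + user)` messages are fine for auditability, but each helper deserves a Javadoc stating that it creates the missing principal as a side effect of policy creation and returns the new id. Note that `new RangerRole(role, null, null, null, null)` only passes validation because this commit also removes the members-required check from `RangerRoleValidator`.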
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index e8b58d1..974fc18 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -63,6 +63,7 @@ import org.apache.ranger.plugin.model.RangerBaseModelObject;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.rest.ServiceREST;
+import org.apache.ranger.security.context.RangerContextHolder;
import org.apache.ranger.view.VXPortalUser;
import org.apache.ranger.view.VXResource;
import org.apache.ranger.view.VXResponse;
@@ -1493,6 +1494,11 @@ public class RangerBizUtil {
return ContextUtil.isBulkModeContext();
}
+ public static boolean setBulkMode(boolean val) {
+ RangerContextHolder.getOpContext().setBulkModeContext(val);
+ return isBulkMode();
+ }
+
//should be used only in bulk operation like importPolicies, policies delete.
public void bulkModeOnlyFlushAndClear() {
if (batchClearEnabled) {
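Review bot: `setBulkMode` has no Javadoc, and its return value is the post-change flag re-read through `isBulkMode()` rather than the previous value, which a caller might expect from a setter that returns a boolean — the callers added in `PolicyRefUpdater` ignore it entirely. Add `/** Sets the bulk-mode flag on the current request's operation context and returns the flag as subsequently reported by {@link #isBulkMode()}. */`, or return the previous value so callers can restore it. Whether `RangerContextHolder.getOpContext()` can return null when no request context is bound is not visible here; if it can, this method needs a guard before `setBulkModeContext`. `bulkModeOnlyFlushAndClear` continues beyond this hunk.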