Posted to commits@ranger.apache.org by pr...@apache.org on 2019/05/06 06:14:44 UTC
[ranger] branch master updated: RANGER-2411 : Admin role user is
able to create Zone for KMS service with REST API
This is an automated email from the ASF dual-hosted git repository.
pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 56fd7ff RANGER-2411 : Admin role user is able to create Zone for KMS service with REST API
56fd7ff is described below
commit 56fd7ff5ccb5aac38fead8ed6224a030fd010fd7
Author: Nikhil P <ni...@gmail.com>
AuthorDate: Fri Apr 26 19:12:45 2019 +0530
RANGER-2411 : Admin role user is able to create Zone for KMS service with REST API
---
.../org/apache/ranger/rest/SecurityZoneREST.java | 38 +++++++++++++++++++-
.../apache/ranger/rest/TestSecurityZoneREST.java | 40 ++++++++++++++++++++++
2 files changed, 77 insertions(+), 1 deletion(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java b/security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java
index 4f6fa89..f0909ab 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java
@@ -43,9 +43,13 @@ import org.apache.commons.logging.LogFactory;
import org.apache.ranger.biz.RangerBizUtil;
import org.apache.ranger.biz.SecurityZoneDBStore;
import org.apache.ranger.biz.ServiceDBStore;
+import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.RangerSearchUtil;
import org.apache.ranger.common.RangerValidatorFactory;
+import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.entity.XXService;
+import org.apache.ranger.entity.XXServiceDef;
import org.apache.ranger.plugin.model.RangerSecurityZone;
import org.apache.ranger.plugin.model.validation.RangerSecurityZoneValidator;
import org.apache.ranger.plugin.model.validation.RangerValidator;
@@ -53,6 +57,7 @@ import org.apache.ranger.plugin.util.SearchFilter;
import org.apache.ranger.service.RangerSecurityZoneServiceService;
import org.apache.ranger.plugin.model.RangerSecurityZone.RangerSecurityZoneService;
import org.apache.ranger.view.RangerSecurityZoneList;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Component;
@@ -92,6 +97,10 @@ public class SecurityZoneREST {
@Autowired
ServiceREST serviceRest;
+ @Autowired
+ RangerDaoManager daoManager;
+
+
@POST
@Path("/zones")
public RangerSecurityZone createSecurityZone(RangerSecurityZone securityZone) {
@@ -101,7 +110,7 @@ public class SecurityZoneREST {
RangerSecurityZone ret;
try {
- ensureAdminAccess();
+ ensureAdminAccess(securityZone);
removeEmptyEntries(securityZone);
RangerSecurityZoneValidator validator = validatorFactory.getSecurityZoneValidator(svcStore, securityZoneStore);
validator.validate(securityZone, RangerValidator.Action.CREATE);
@@ -438,6 +447,33 @@ public class SecurityZoneREST {
}
+ private void ensureAdminAccess(RangerSecurityZone securityZone) {
+ if (!bizUtil.isAdmin()) {
+ String userName = bizUtil.getCurrentUserLoginId();
+ throw restErrorUtil.createRESTException(
+ "Ranger Securtiy Zone is not accessible for user '" + userName + "'.",
+ MessageEnums.OPER_NO_PERMISSION);
+ }
+ else {
+ blockAdminFromKMSService(securityZone);
+ }
+ }
+
+ private void blockAdminFromKMSService(RangerSecurityZone securityZone) {
+ if(securityZone != null) {
+ Map<String, RangerSecurityZoneService> serviceMap = securityZone.getServices();
+ for (String serviceName : serviceMap.keySet()) {
+ XXService xService = daoManager.getXXService().findByName(serviceName);
+ XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
+ if (EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname())) {
+ throw restErrorUtil.createRESTException(
+ "KMS Services/Service-Defs are not accessible for Zone operations",
+ MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
+ }
+ }
+ }
+ }
+
private void removeEmptyEntries(RangerSecurityZone securityZone) {
bizUtil.removeEmptyStrings(securityZone.getTagServices());
bizUtil.removeEmptyStrings(securityZone.getAdminUsers());
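Review bot: blockAdminFromKMSService dereferences three values that can be null — `securityZone.getServices()` right after the null check on the zone, the `xService` returned by `findByName`, and the `xServiceDef` returned by `getById` — and because createSecurityZone now calls ensureAdminAccess before the validator runs, a request naming an unknown service fails with a NullPointerException (HTTP 500) instead of the validation error it used to get. Guard each lookup and let the validator reject unknown services, as sketched below. The message in the first overload misspells the word in `"Ranger Securtiy Zone is not accessible for user ..."`. Only createSecurityZone is switched to the new overload in this commit; if updateSecurityZone still calls the no-argument ensureAdminAccess(), the KMS restriction is enforced on create only — worth confirming, especially since the unit-test changes to testUpdateSecurityZone suggest the update path is meant to be covered as well.
```java
private void blockAdminFromKMSService(RangerSecurityZone securityZone) {
    if (securityZone == null || securityZone.getServices() == null) {
        return;
    }
    for (String serviceName : securityZone.getServices().keySet()) {
        XXService xService = daoManager.getXXService().findByName(serviceName);
        // unknown service: leave rejection to the validator that runs next
        if (xService == null) {
            continue;
        }
        XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
        if (xServiceDef != null
                && EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname())) {
            // … unchanged: createRESTException(... OPER_NOT_ALLOWED_FOR_ENTITY) …
        }
    }
}
```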
diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java
index edb3102..d6384a6 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java
@@ -38,6 +38,11 @@ import org.apache.ranger.biz.ServiceDBStore;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.RangerSearchUtil;
import org.apache.ranger.common.RangerValidatorFactory;
+import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.db.XXServiceDao;
+import org.apache.ranger.db.XXServiceDefDao;
+import org.apache.ranger.entity.XXService;
+import org.apache.ranger.entity.XXServiceDef;
import org.apache.ranger.plugin.model.RangerSecurityZone;
import org.apache.ranger.plugin.model.RangerSecurityZone.RangerSecurityZoneService;
import org.apache.ranger.plugin.model.validation.RangerSecurityZoneValidator;
@@ -74,6 +79,11 @@ public class TestSecurityZoneREST {
RangerSecurityZoneServiceService securityZoneService;
@Mock
RESTErrorUtil restErrorUtil;
+ @Mock
+ RangerDaoManager daoManager;
+ @Mock
+ XXServiceDef xServiceDef;
+
@Rule
public ExpectedException thrown = ExpectedException.none();
@@ -105,7 +115,16 @@ public class TestSecurityZoneREST {
@Test
public void testCreateSecurityZone() throws Exception {
RangerSecurityZone rangerSecurityZone = createRangerSecurityZone();
+ XXServiceDao xServiceDao = Mockito.mock(XXServiceDao.class);
+ XXService xService = Mockito.mock(XXService.class);
+ XXServiceDefDao xServiceDefDao = Mockito.mock(XXServiceDefDao.class);
when(rangerBizUtil.isAdmin()).thenReturn(true);
+ when(daoManager.getXXService()).thenReturn(xServiceDao);
+ when(xServiceDao.findByName("test_service_1")).thenReturn(xService);
+
+ when(daoManager.getXXServiceDef()).thenReturn(xServiceDefDao);
+ when(xServiceDefDao.getById(xService.getType())).thenReturn(xServiceDef);
+
when(validatorFactory.getSecurityZoneValidator(svcStore, securityZoneStore)).thenReturn(validator);
doNothing().when(validator).validate(rangerSecurityZone, RangerValidator.Action.CREATE);
when(securityZoneStore.createSecurityZone(rangerSecurityZone)).thenReturn(rangerSecurityZone);
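Review bot: None of the new test setup exercises the restriction the commit adds: `xServiceDef` is a `@Mock`, so `getImplclassname()` returns null and blockAdminFromKMSService never throws, leaving the KMS-rejection branch untested. Add a negative case that stubs `when(xServiceDef.getImplclassname()).thenReturn(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME);` and expects the REST exception from createSecurityZone, for example through the existing `thrown` rule. The same six stubbing lines are repeated in testUpdateSecurityZone and testUpdateSecurityZoneWithMisMatchId (the two following hunks); a small private helper would keep them in sync. Since the SecurityZoneREST change in this commit only touches createSecurityZone, it is also worth confirming that the update tests actually reach these stubs rather than carrying dead setup.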
@@ -118,9 +137,19 @@ public class TestSecurityZoneREST {
public void testUpdateSecurityZone() throws Exception {
RangerSecurityZone rangerSecurityZoneToUpdate = createRangerSecurityZone();
Long securityZoneId = 2L;
+ XXServiceDao xServiceDao = Mockito.mock(XXServiceDao.class);
+ XXService xService = Mockito.mock(XXService.class);
+ XXServiceDefDao xServiceDefDao = Mockito.mock(XXServiceDefDao.class);
rangerSecurityZoneToUpdate.setId(securityZoneId);
when(rangerBizUtil.isAdmin()).thenReturn(true);
when(validatorFactory.getSecurityZoneValidator(svcStore, securityZoneStore)).thenReturn(validator);
+
+ when(daoManager.getXXService()).thenReturn(xServiceDao);
+ when(xServiceDao.findByName("test_service_1")).thenReturn(xService);
+
+ when(daoManager.getXXServiceDef()).thenReturn(xServiceDefDao);
+ when(xServiceDefDao.getById(xService.getType())).thenReturn(xServiceDef);
+
doNothing().when(validator).validate(rangerSecurityZoneToUpdate, RangerValidator.Action.UPDATE);
when(securityZoneStore.updateSecurityZoneById(rangerSecurityZoneToUpdate))
.thenReturn(rangerSecurityZoneToUpdate);
@@ -134,8 +163,19 @@ public class TestSecurityZoneREST {
public void testUpdateSecurityZoneWithMisMatchId() throws Exception {
RangerSecurityZone rangerSecurityZoneToUpdate = createRangerSecurityZone();
Long securityZoneId = 2L;
+ XXServiceDefDao xServiceDefDao = Mockito.mock(XXServiceDefDao.class);
+ XXServiceDao xServiceDao = Mockito.mock(XXServiceDao.class);
+ XXService xService = Mockito.mock(XXService.class);
+
rangerSecurityZoneToUpdate.setId(securityZoneId);
when(rangerBizUtil.isAdmin()).thenReturn(true);
+
+ when(daoManager.getXXService()).thenReturn(xServiceDao);
+ when(xServiceDao.findByName("test_service_1")).thenReturn(xService);
+
+ when(daoManager.getXXServiceDef()).thenReturn(xServiceDefDao);
+ when(xServiceDefDao.getById(xService.getType())).thenReturn(xServiceDef);
+
when(validatorFactory.getSecurityZoneValidator(svcStore, securityZoneStore)).thenReturn(validator);
doNothing().when(validator).validate(rangerSecurityZoneToUpdate, RangerValidator.Action.UPDATE);
when(securityZoneStore.updateSecurityZoneById(rangerSecurityZoneToUpdate))