Posted to commits@ranger.apache.org by ma...@apache.org on 2015/12/03 00:19:17 UTC

[01/26] incubator-ranger git commit: RANGER-680 : Default policies for KMS repo

Repository: incubator-ranger
Updated Branches:
  refs/heads/tag-policy 91f19321d -> 42b040e67


RANGER-680 : Default policies for KMS repo

Signed-off-by: Velmurugan Periasamy <ve...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/18e63978
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/18e63978
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/18e63978

Branch: refs/heads/tag-policy
Commit: 18e63978666eba70b67519501cc7871b3a8c79d7
Parents: 427ed4a
Author: Gautam Borad <gb...@gmail.com>
Authored: Tue Oct 6 13:06:46 2015 +0530
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Fri Nov 13 12:57:25 2015 -0500

----------------------------------------------------------------------
 .../src/main/java/org/apache/ranger/biz/ServiceDBStore.java  | 8 --------
 1 file changed, 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/18e63978/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index ced2f51..0ee3595 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -1928,14 +1928,6 @@ public class ServiceDBStore extends AbstractServiceStore {
 			users.add(vXUser.getName());
 			policyItem.setUsers(users);
 
-			// Default policy for KMS should grant all access to 'public'
-			long serviceType = createdService.getType() == null ? -1 : createdService.getType();
-			if(serviceType == EmbeddedServiceDefsUtil.instance().getKmsServiceDefId()) {
-				List<String> groups = new ArrayList<String>();
-				groups.add(RangerConstants.GROUP_PUBLIC);
-				policyItem.setGroups(groups);
-			}
-			
 			List<XXAccessTypeDef> accessTypeDefs = daoMgr.getXXAccessTypeDef().findByServiceDefId(createdService.getType());
 			List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>();
 			for(XXAccessTypeDef accessTypeDef : accessTypeDefs) {


[15/26] incubator-ranger git commit: RANGER-741 : Fix installation script to skip Audit DB password check if audit source is SOLR

Posted by ma...@apache.org.
RANGER-741 : Fix installation script to skip Audit DB password check if audit source is SOLR


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/5216a89d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/5216a89d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/5216a89d

Branch: refs/heads/tag-policy
Commit: 5216a89d20813e3a57ca68a383a92513bad955e8
Parents: 38fea60
Author: Gautam Borad <ga...@apache.org>
Authored: Wed Nov 25 09:29:04 2015 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Fri Nov 27 11:54:24 2015 +0530

----------------------------------------------------------------------
 kms/scripts/dba_script.py            |  8 ++---
 security-admin/scripts/dba_script.py | 26 +++++++--------
 security-admin/scripts/setup.sh      | 54 ++++++++++++++++++++-----------
 3 files changed, 53 insertions(+), 35 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5216a89d/kms/scripts/dba_script.py
----------------------------------------------------------------------
diff --git a/kms/scripts/dba_script.py b/kms/scripts/dba_script.py
index 06a6a8c..1e039e5 100755
--- a/kms/scripts/dba_script.py
+++ b/kms/scripts/dba_script.py
@@ -492,11 +492,11 @@ class OracleConf(BaseDB):
 			# Assign default tablespace db_name
 			get_cmd = self.get_jisql_cmd(root_user , db_root_password)
 			if os_name == "LINUX":
-				query = get_cmd +" -c \; -query 'alter user %s identified by \"%s\" DEFAULT Tablespace %s;'" %(db_user, db_password, db_name)
+				query = get_cmd +" -c \; -query 'alter user %s DEFAULT Tablespace %s;'" %(db_user, db_name)
 				jisql_log(query, db_root_password)
 				ret = subprocess.call(shlex.split(query))
 			elif os_name == "WINDOWS":
-				query = get_cmd +" -query \"alter user %s identified by \"%s\" DEFAULT Tablespace %s;\" -c ;" %(db_user, db_password, db_name)
+				query = get_cmd +" -query \"alter user %s DEFAULT Tablespace %s;\" -c ;" %(db_user, db_name)
 				jisql_log(query, db_root_password)
 				ret = subprocess.call(query)
 			if ret == 0:
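Review bot: `db_user` and `db_name` are still formatted unescaped into both the SQL text and the jisql command line in the two rewritten `query` lines, so a value containing a quote, semicolon or space changes the statement or how the arguments are split. These values presumably come from the install properties rather than from remote input, but a guard before building the command would make that assumption explicit, e.g. `if not re.match(r'^[A-Za-z][A-Za-z0-9_$#]*$', db_user): log("[E] Invalid db user name", "error"); sys.exit(1)` (assuming `re` is imported in this file, and with the same check for `db_name`). The same construction appears in the OracleConf hunks of security-admin/scripts/dba_script.py. The enclosing method starts and ends outside this hunk.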
@@ -519,7 +519,7 @@ class OracleConf(BaseDB):
 				log("[E] Assigning default tablespace to user '" + db_user + "' failed..", "error")
 				sys.exit(1)
 		else:
-			logFile("alter user %s identified by \"%s\" DEFAULT Tablespace %s;" %(db_user, db_password, db_name))
+			logFile("alter user %s DEFAULT Tablespace %s;" %(db_user, db_name))
 			logFile("GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;" % (db_user))
 
 
@@ -548,7 +548,7 @@ class OracleConf(BaseDB):
 		logFile('create user %s identified by "%s";'%(db_user, db_password))
 		logFile('GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'%(db_user))
 		logFile("create tablespace %s datafile '%s.dat' size 10M autoextend on;" %(db_name, db_name))
-		logFile('alter user %s identified by "%s" DEFAULT Tablespace %s;'%(db_user, db_password, db_name))
+		logFile('alter user %s DEFAULT Tablespace %s;'%(db_user, db_name))
 		logFile('GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;'%(db_user))
 
 class PostgresConf(BaseDB):
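Review bot: The dry-run output in this hunk still writes `db_password` in clear text through `logFile('create user %s identified by "%s";'%(db_user, db_password))`, even though the change removes the password from the `alter user` line two lines below it. If logFile persists to disk (its body is not visible here), consider emitting a placeholder instead, `logFile('create user %s identified by "<password>";'%(db_user))`, and letting the DBA substitute the value, or at least creating that file with owner-only permissions. The same applies to both `create user` lines in the last OracleConf hunk of security-admin/scripts/dba_script.py, which also log `audit_db_password`.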

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5216a89d/security-admin/scripts/dba_script.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/dba_script.py b/security-admin/scripts/dba_script.py
index 5564737..66b2848 100644
--- a/security-admin/scripts/dba_script.py
+++ b/security-admin/scripts/dba_script.py
@@ -519,11 +519,11 @@ class OracleConf(BaseDB):
 			# Assign default tablespace db_name
 			get_cmd = self.get_jisql_cmd(root_user , db_root_password)
 			if os_name == "LINUX":
-				query = get_cmd +" -c \; -query 'alter user %s identified by \"%s\" DEFAULT Tablespace %s;'" %(db_user, db_password, db_name)
+				query = get_cmd +" -c \; -query 'alter user %s DEFAULT Tablespace %s;'" %(db_user, db_name)
 				jisql_log(query, db_root_password)
 				ret = subprocess.call(shlex.split(query))
 			elif os_name == "WINDOWS":
-				query = get_cmd +" -query \"alter user %s identified by \"%s\" DEFAULT Tablespace %s;\" -c ;" %(db_user, db_password, db_name)
+				query = get_cmd +" -query \"alter user %s DEFAULT Tablespace %s;\" -c ;" %(db_user, db_name)
 				jisql_log(query, db_root_password)
 				ret = subprocess.call(query)
 			if ret == 0:
@@ -546,7 +546,7 @@ class OracleConf(BaseDB):
 				log("[E] Assigning default tablespace to user '" + db_user + "' failed..", "error")
 				sys.exit(1)
 		else:
-			logFile("alter user %s identified by \"%s\" DEFAULT Tablespace %s;" %(db_user, db_password, db_name))
+			logFile("alter user %s DEFAULT Tablespace %s;" %(db_user, db_name))
 			logFile("GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;" % (db_user))
 
 
@@ -609,11 +609,11 @@ class OracleConf(BaseDB):
 				# Assign default tablespace db_name
 				get_cmd = self.get_jisql_cmd(audit_db_root_user , audit_db_root_password)
 				if os_name == "LINUX":
-					query = get_cmd +" -c \; -query 'alter user %s identified by \"%s\" DEFAULT Tablespace %s;'" %(audit_db_user, audit_db_password, db_name)
+					query = get_cmd +" -c \; -query 'alter user %s DEFAULT Tablespace %s;'" %(audit_db_user, db_name)
 					jisql_log(query, audit_db_root_password)
 					ret1 = subprocess.call(shlex.split(query))
 				elif os_name == "WINDOWS":
-					query = get_cmd +" -query \"alter user %s identified by \"%s\" DEFAULT Tablespace %s;\" -c ;" %(audit_db_user, audit_db_password, db_name)
+					query = get_cmd +" -query \"alter user %s DEFAULT Tablespace %s;\" -c ;" %(audit_db_user, db_name)
 					jisql_log(query, audit_db_root_password)
 					ret1 = subprocess.call(query)
 
@@ -621,11 +621,11 @@ class OracleConf(BaseDB):
 				# Assign default tablespace audit_db_name
 				get_cmd = self.get_jisql_cmd(audit_db_root_user , audit_db_root_password)
 				if os_name == "LINUX":
-					query = get_cmd +" -c \; -query 'alter user %s identified by \"%s\" DEFAULT Tablespace %s;'" %(audit_db_user, audit_db_password, audit_db_name)
+					query = get_cmd +" -c \; -query 'alter user %s DEFAULT Tablespace %s;'" %(audit_db_user, audit_db_name)
 					jisql_log(query, audit_db_root_password)
 					ret2 = subprocess.call(shlex.split(query))
 				elif os_name == "WINDOWS":
-					query = get_cmd +" -query \"alter user %s identified by \"%s\" DEFAULT Tablespace %s;\" -c ;" %(audit_db_user, audit_db_password, audit_db_name)
+					query = get_cmd +" -query \"alter user %s DEFAULT Tablespace %s;\" -c ;" %(audit_db_user, audit_db_name)
 					jisql_log(query, audit_db_root_password)
 					ret2 = subprocess.call(query)
 
@@ -647,8 +647,8 @@ class OracleConf(BaseDB):
 				else:
 					return False
 			else:
-				logFile("alter user %s identified by \"%s\" DEFAULT Tablespace %s;" %(audit_db_user, audit_db_password, db_name))
-				logFile("alter user %s identified by \"%s\" DEFAULT Tablespace %s;" %(audit_db_user, audit_db_password, audit_db_name))
+				logFile("alter user %s DEFAULT Tablespace %s;" %(audit_db_user, db_name))
+				logFile("alter user %s DEFAULT Tablespace %s;" %(audit_db_user, audit_db_name))
 				logFile("GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED Tablespace TO %s WITH ADMIN OPTION;" % (db_user))
 
 	def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_password, invoke,dryMode):
@@ -762,12 +762,12 @@ class OracleConf(BaseDB):
 		logFile('create user %s identified by "%s";'%(db_user, db_password))
 		logFile('GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED TABLESPACE TO %s WITH ADMIN OPTION;'%(db_user))
 		logFile("create tablespace %s datafile '%s.dat' size 10M autoextend on;" %(db_name, db_name))
-		logFile('alter user %s identified by "%s" DEFAULT tablespace %s;'%(db_user, db_password, db_name))
+		logFile('alter user %s DEFAULT tablespace %s;'%(db_user, db_name))
 		if not db_user == audit_db_user:
 			logFile('create user %s identified by "%s";'%(audit_db_user, audit_db_password))
 			logFile('GRANT CREATE SESSION TO %s;' %(audit_db_user))
 			logFile("create tablespace %s datafile '%s.dat' size 10M autoextend on;" %(audit_db_name, audit_db_name))
-			logFile('alter user %s identified by "%s" DEFAULT tablespace %s;' %(audit_db_user, audit_db_password, audit_db_name))
+			logFile('alter user %s DEFAULT tablespace %s;' %(audit_db_user, audit_db_name))
 		logFile('GRANT CREATE SESSION,CREATE PROCEDURE,CREATE TABLE,CREATE VIEW,CREATE SEQUENCE,CREATE PUBLIC SYNONYM,CREATE ANY SYNONYM,CREATE TRIGGER,UNLIMITED TABLESPACE TO %s WITH ADMIN OPTION;'%(db_user))
 
 class PostgresConf(BaseDB):
@@ -1781,8 +1781,6 @@ def main(argv):
 		password_validation(xa_db_root_password,"DBA root");
 		log("[I] ---------- Verifing Ranger Admin db user password ---------- ","info")
 		password_validation(db_password,"admin");
-		log("[I] ---------- Verifing Ranger Audit db user password ---------- ","info")
-		password_validation(audit_db_password,"audit");
 	# Methods Begin
 	if DBA_MODE == "TRUE" :
 		if (dryMode==True):
@@ -1800,6 +1798,8 @@ def main(argv):
 				xa_sqlObj.grant_xa_db_user(xa_db_root_user, db_name, db_user, db_password, xa_db_root_password, is_revoke,dryMode)
 			# Ranger Admin DB Host AND Ranger Audit DB Host are Different OR Same
 			if audit_store == "db":
+				log("[I] ---------- Verifing Ranger Audit db user password ---------- ","info")
+				password_validation(audit_db_password,"audit");
 				log("[I] ---------- Verifying/Creating audit user --------- ","info")
 				audit_sqlObj.create_auditdb_user(xa_db_host, audit_db_host, db_name, audit_db_name, xa_db_root_user, audit_db_root_user, db_user, audit_db_user, xa_db_root_password, audit_db_root_password, db_password, audit_db_password, DBA_MODE,dryMode)
 			log("[I] ---------- Ranger Policy Manager DB and User Creation Process Completed..  ---------- ","info")
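Review bot: The audit password check added under `if audit_store == "db":` now runs after `grant_xa_db_user` has been called for the admin database, so a rejected audit password is reported only once part of the setup has been applied; before this change it ran with the other `password_validation` calls ahead of `# Methods Begin`. Keeping it in the early validation block but conditional, `if audit_store == "db": password_validation(audit_db_password,"audit");`, would preserve the fail-before-change behaviour, provided `audit_store` is already set at that point, which is not visible here. From the indentation the new lines also appear to sit in only one branch of the `dryMode` test, so the other branch may skip the check entirely. main's body starts and ends outside the hunk.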

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5216a89d/security-admin/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh
index 8b67f98..f77a1f5 100755
--- a/security-admin/scripts/setup.sh
+++ b/security-admin/scripts/setup.sh
@@ -371,9 +371,12 @@ update_properties() {
 		newPropertyValue="jdbc:log4jdbc:mysql://${DB_HOST}/${db_name}"
 		updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
 
-		propertyName=ranger.jpa.audit.jdbc.url
-		newPropertyValue="jdbc:log4jdbc:mysql://${DB_HOST}/${audit_db_name}"
-		updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+		if [ "${audit_store}" == "db" ]
+		then
+			propertyName=ranger.jpa.audit.jdbc.url
+			newPropertyValue="jdbc:log4jdbc:mysql://${DB_HOST}/${audit_db_name}"
+			updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+		fi
 
 		propertyName=ranger.jpa.jdbc.dialect
 		newPropertyValue="org.eclipse.persistence.platform.database.MySQLPlatform"
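Review bot: The new `[ "${audit_store}" == "db" ]` guard is an exact, case-sensitive match, so `DB`, an empty value or a typo silently leaves `ranger.jpa.audit.jdbc.url` untouched; the same test is repeated in every other hunk of update_properties, and in the last one it replaces the looser `!= "solr"`. Unless audit_store is normalised and checked against the supported values earlier in setup.sh (not visible here), validate it once and stop on anything unexpected, so a misconfigured audit destination is caught at install time rather than possibly surfacing later as missing audit records. Two smaller points on the added lines: `==` inside `[ ]` is a bash extension (`=` is portable), and the arguments should be quoted, `updatePropertyToFilePy "$propertyName" "$newPropertyValue" "$to_file_ranger"`. update_properties starts and ends outside the hunk.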
@@ -405,8 +408,11 @@ update_properties() {
 		fi
 		updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
 
-		propertyName=ranger.jpa.audit.jdbc.url
-		updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+		if [ "${audit_store}" == "db" ]
+		then
+			propertyName=ranger.jpa.audit.jdbc.url
+			updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+		fi
 
 		propertyName=ranger.jpa.jdbc.dialect
 		newPropertyValue="org.eclipse.persistence.platform.database.OraclePlatform"
@@ -435,9 +441,12 @@ update_properties() {
 		newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}"
 		updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
 
-		propertyName=ranger.jpa.audit.jdbc.url
-		newPropertyValue="jdbc:postgresql://${DB_HOST}/${audit_db_name}"
-		updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+		if [ "${audit_store}" == "db" ]
+		then
+			propertyName=ranger.jpa.audit.jdbc.url
+			newPropertyValue="jdbc:postgresql://${DB_HOST}/${audit_db_name}"
+			updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+		fi
 
 		propertyName=ranger.jpa.jdbc.dialect
 		newPropertyValue="org.eclipse.persistence.platform.database.PostgreSQLPlatform"
@@ -462,9 +471,12 @@ update_properties() {
 		newPropertyValue="jdbc:sqlserver://${DB_HOST};databaseName=${db_name}"
 		updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
 
-		propertyName=ranger.jpa.audit.jdbc.url
-		newPropertyValue="jdbc:sqlserver://${DB_HOST};databaseName=${audit_db_name}"
-		updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+		if [ "${audit_store}" == "db" ]
+		then
+			propertyName=ranger.jpa.audit.jdbc.url
+			newPropertyValue="jdbc:sqlserver://${DB_HOST};databaseName=${audit_db_name}"
+			updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+		fi
 
 		propertyName=ranger.jpa.jdbc.dialect
 		newPropertyValue="org.eclipse.persistence.platform.database.SQLServerPlatform"
@@ -489,9 +501,12 @@ update_properties() {
 		newPropertyValue="jdbc:sqlanywhere:database=${db_name};host=${DB_HOST}"
 		updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
 
-		propertyName=ranger.jpa.audit.jdbc.url
-		newPropertyValue="jdbc:sqlanywhere:database=${audit_db_name};host=${DB_HOST}"
-		updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+		if [ "${audit_store}" == "db" ]
+		then
+			propertyName=ranger.jpa.audit.jdbc.url
+			newPropertyValue="jdbc:sqlanywhere:database=${audit_db_name};host=${DB_HOST}"
+			updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+		fi
 
 		propertyName=ranger.jpa.jdbc.dialect
 		newPropertyValue="org.eclipse.persistence.platform.database.SQLAnywherePlatform"
@@ -533,9 +548,12 @@ update_properties() {
 	newPropertyValue="${db_user}"
 	updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
 
-	propertyName=ranger.jpa.audit.jdbc.user
-	newPropertyValue="${audit_db_user}"
-	updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+	if [ "${audit_store}" == "db" ]
+	then
+		propertyName=ranger.jpa.audit.jdbc.user
+		newPropertyValue="${audit_db_user}"
+		updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+	fi
 	##########
 
 	keystore="${cred_keystore_filename}"
@@ -581,7 +599,7 @@ update_properties() {
 	fi
 
 	###########
-	if [ "${audit_store}" != "solr" ]
+	if [ "${audit_store}" == "db" ]
 	then
 	    audit_db_password_alias=ranger.auditdb.password
 


[08/26] incubator-ranger git commit: RANGER 739 :Ranger HBase Plugin returning null for RegionObserver.preCompact calls causing hbase:acl issue

Posted by ma...@apache.org.
RANGER 739 :Ranger HBase Plugin returning null for RegionObserver.preCompact calls causing hbase:acl issue


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/04c5dc36
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/04c5dc36
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/04c5dc36

Branch: refs/heads/tag-policy
Commit: 04c5dc364f3e4f69a858292f558b016f4e73c882
Parents: 766f100
Author: rmani <rm...@hortonworks.com>
Authored: Fri Nov 20 14:39:56 2015 -0800
Committer: rmani <rm...@hortonworks.com>
Committed: Fri Nov 20 14:39:56 2015 -0800

----------------------------------------------------------------------
 .../hbase/RangerAuthorizationCoprocessor.java   | 80 ++++++++++----------
 1 file changed, 40 insertions(+), 40 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/04c5dc36/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index a9b3cad..7c45fd0 100644
--- a/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/ranger-hbase-plugin-shim/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -168,7 +168,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.getService()");
 		}
-		Service ret = null;
+		final Service ret;
 		try {
 			activatePluginClassLoader();
 			ret = implCoprocessorService.getService();
@@ -204,7 +204,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 
 	@Override
 	public RegionScanner postScannerOpen(ObserverContext<RegionCoprocessorEnvironment> c, Scan scan, RegionScanner s) throws IOException {
-		RegionScanner ret = null;
+		final RegionScanner ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.postScannerOpen()");
@@ -264,7 +264,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 
 	@Override
 	public Result preAppend(ObserverContext<RegionCoprocessorEnvironment> c, Append append) throws IOException {
-		Result ret = null;
+		final Result ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preAppend()");
@@ -322,7 +322,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 
 	@Override
 	public boolean preBalanceSwitch(ObserverContext<MasterCoprocessorEnvironment> c, boolean newValue) 	throws IOException {
-		boolean ret = false;
+		final boolean ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preBalanceSwitch()");
@@ -363,7 +363,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 
 	@Override
 	public boolean preCheckAndDelete(ObserverContext<RegionCoprocessorEnvironment> c, byte[] row, byte[] family, byte[] qualifier, CompareOp compareOp, ByteArrayComparable comparator, Delete delete, boolean result) throws IOException {
-		boolean ret = false;
+		final boolean ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preCheckAndDelete()");
@@ -385,7 +385,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 
 	@Override
 	public boolean preCheckAndPut(ObserverContext<RegionCoprocessorEnvironment> c, byte[] row, byte[] family, byte[] qualifier, CompareOp compareOp, ByteArrayComparable comparator, Put put, boolean result) throws IOException {
-		boolean ret = false;
+		final boolean ret;
 
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preCheckAndPut()");
@@ -444,7 +444,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 
 	@Override
 	public InternalScanner preCompact(ObserverContext<RegionCoprocessorEnvironment> e, Store store, InternalScanner scanner, ScanType scanType) throws IOException {
-		InternalScanner ret = null;
+		final InternalScanner ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preCompact()");
@@ -452,7 +452,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 	
 		try {
 			activatePluginClassLoader();
-			ret  = implRegionObserver.preCompact(e, store, scanner, scanType);
+			ret = implRegionObserver.preCompact(e, store, scanner, scanType);
 		} finally {
 			deactivatePluginClassLoader();
 		}
@@ -610,7 +610,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 
 	@Override
 	public boolean preExists(ObserverContext<RegionCoprocessorEnvironment> c, Get get, boolean exists) throws IOException {
-		boolean ret = false;
+		final boolean ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preExists()");
@@ -668,7 +668,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 
 	@Override
 	public Result preIncrement(ObserverContext<RegionCoprocessorEnvironment> c,	Increment increment) throws IOException {
-		Result ret = null;
+		final Result ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preIncrement()");
@@ -690,7 +690,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 
 	@Override
 	public long preIncrementColumnValue(ObserverContext<RegionCoprocessorEnvironment> c, byte[] row,byte[] family, byte[] qualifier, long amount, boolean writeToWAL) throws IOException {
-		long ret;
+		final  long ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preIncrementColumnValue()");
@@ -820,7 +820,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 
 	@Override
 	public boolean preScannerNext(ObserverContext<RegionCoprocessorEnvironment> c, InternalScanner s, List<Result> result, int limit, boolean hasNext) throws IOException {
-		boolean ret = false;
+		final boolean ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preScannerNext()");
@@ -842,7 +842,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 
 	@Override
 	public RegionScanner preScannerOpen(ObserverContext<RegionCoprocessorEnvironment> c, Scan scan,	RegionScanner s) throws IOException {
-		RegionScanner ret = null;
+		final RegionScanner ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preScannerOpen()");
@@ -1479,7 +1479,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 	@Override
 	public ReplicationEndpoint postCreateReplicationEndPoint(ObserverContext<RegionServerCoprocessorEnvironment> ctx, ReplicationEndpoint endpoint) {
 		
-		ReplicationEndpoint ret = null;
+		final ReplicationEndpoint ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.postCreateReplicationEndPoint()");
@@ -1574,7 +1574,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 	@Override
 	public InternalScanner preFlushScannerOpen( ObserverContext<RegionCoprocessorEnvironment> c, Store store, KeyValueScanner memstoreScanner, InternalScanner s) throws IOException {
 		
-		InternalScanner ret = null;
+		final InternalScanner ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preFlushScannerOpen()");
@@ -1597,7 +1597,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 	@Override
 	public InternalScanner preFlush(ObserverContext<RegionCoprocessorEnvironment> c, Store store, InternalScanner scanner) throws IOException {
 		
-		InternalScanner ret = null;
+		final InternalScanner ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preFlush()");
@@ -1710,7 +1710,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 	@Override
 	public InternalScanner preCompact(ObserverContext<RegionCoprocessorEnvironment> c, Store store,	InternalScanner scanner, ScanType scanType,	CompactionRequest request) throws IOException {
 		
-		InternalScanner ret = null;
+		final InternalScanner ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preCompact()");
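Review bot: Nothing in the method records why `ret` is now declared without an initializer, which is what actually guards against the bug fixed in the next hunk: with `= null` gone, the compiler's definite-assignment check rejects a delegate call whose result is dropped, assuming the method returns `ret` further down. A comment above the declaration, `// no initializer on purpose: forgetting to assign the delegate's result must not compile`, would keep a later cleanup from restoring `= null`; the same applies to the two preCompactScannerOpen overloads in the following hunks. Since this wrapper sits in the authorization path, a regression test asserting that each delegating method returns the delegate's value would be worth adding alongside the fix. The method body continues outside the hunk.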
@@ -1718,7 +1718,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 	
 		try {
 			activatePluginClassLoader();
-			implRegionObserver.preCompact(c, store, scanner, scanType, request);
+			ret = implRegionObserver.preCompact(c, store, scanner, scanType, request);
 		} finally {
 			deactivatePluginClassLoader();
 		}
@@ -1733,7 +1733,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 	@Override
 	public InternalScanner preCompactScannerOpen(ObserverContext<RegionCoprocessorEnvironment> c, Store store, List<? extends KeyValueScanner> scanners, ScanType scanType,
 													long earliestPutTs, InternalScanner s, CompactionRequest request) throws IOException {
-		InternalScanner ret = null;
+		final InternalScanner ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preCompactScannerOpen()");
@@ -1741,7 +1741,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 	
 		try {
 			activatePluginClassLoader();
-			implRegionObserver.preCompactScannerOpen(c, store, scanners, scanType, earliestPutTs, s,request);
+			ret = implRegionObserver.preCompactScannerOpen(c, store, scanners, scanType, earliestPutTs, s,request);
 		} finally {
 			deactivatePluginClassLoader();
 		}
@@ -1756,7 +1756,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 	@Override
 	public InternalScanner preCompactScannerOpen(ObserverContext<RegionCoprocessorEnvironment> c, Store store, List<? extends KeyValueScanner> scanners, ScanType scanType,
 													long earliestPutTs, InternalScanner s) throws IOException {
-		InternalScanner ret = null;
+		final InternalScanner ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preCompactScannerOpen()");
@@ -1764,7 +1764,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 	
 		try {
 			activatePluginClassLoader();
-			implRegionObserver.preCompactScannerOpen(c, store, scanners, scanType, earliestPutTs, s);
+			ret = implRegionObserver.preCompactScannerOpen(c, store, scanners, scanType, earliestPutTs, s);
 		} finally {
 			deactivatePluginClassLoader();
 		}
@@ -1995,7 +1995,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 	@Override
 	public boolean postExists(ObserverContext<RegionCoprocessorEnvironment> c, Get get, boolean exists) throws IOException {
 		
-		boolean ret = false;
+		final boolean ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.postExists()");
@@ -2162,7 +2162,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 	@Override
 	public boolean preCheckAndPutAfterRowLock(ObserverContext<RegionCoprocessorEnvironment> c, byte[] row, byte[] family, byte[] qualifier, CompareOp compareOp, 
 												ByteArrayComparable comparator, Put put, boolean result) throws IOException {
-		boolean ret = false;
+		final boolean ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preCheckAndPutAfterRowLock()");
@@ -2184,7 +2184,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 	@Override
 	public boolean postCheckAndPut(ObserverContext<RegionCoprocessorEnvironment> c, byte[] row, byte[] family, byte[] qualifier, CompareOp compareOp,
 									ByteArrayComparable comparator, Put put, boolean result) throws IOException {
-		boolean ret = false;
+		final boolean ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.postCheckAndPut()");
@@ -2206,7 +2206,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 	@Override
 	public boolean preCheckAndDeleteAfterRowLock(ObserverContext<RegionCoprocessorEnvironment> c, byte[] row, byte[] family, byte[] qualifier, CompareOp compareOp,
 													ByteArrayComparable comparator, Delete delete, boolean result) throws IOException {
-		boolean ret = false;
+		final boolean ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preCheckAndDeleteAfterRowLock()");
@@ -2228,7 +2228,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 	@Override
 	public boolean postCheckAndDelete(ObserverContext<RegionCoprocessorEnvironment> c, byte[] row,byte[] family, byte[] qualifier, CompareOp compareOp,
 										ByteArrayComparable comparator, Delete delete, boolean result)	throws IOException {
-		boolean ret = false;
+		final boolean ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.postCheckAndDelete()");
@@ -2249,7 +2249,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 
 	@Override
 	public long postIncrementColumnValue(ObserverContext<RegionCoprocessorEnvironment> c, byte[] row, byte[] family, byte[] qualifier, long amount, boolean writeToWAL, long result) throws IOException {
-		long ret = 0;
+		final long ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.postIncrementColumnValue()");
@@ -2270,7 +2270,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 
 	@Override
 	public Result preAppendAfterRowLock(ObserverContext<RegionCoprocessorEnvironment> c, Append append)	throws IOException {
-		Result ret = null;
+		final Result ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preAppendAfterRowLock()");
@@ -2291,7 +2291,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 
 	@Override
 	public Result postAppend(ObserverContext<RegionCoprocessorEnvironment> c, Append append, Result result) throws IOException {
-		Result ret = null;
+		final Result ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.postAppend()");
@@ -2313,7 +2313,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 
 	@Override
 	public Result preIncrementAfterRowLock(ObserverContext<RegionCoprocessorEnvironment> c, Increment increment) throws IOException {
-		Result ret = null;
+		final Result ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preIncrementAfterRowLock()");
@@ -2335,7 +2335,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 
 	@Override
 	public Result postIncrement(ObserverContext<RegionCoprocessorEnvironment> c, Increment increment, Result result) throws IOException {
-		Result ret = null;
+		final Result ret;
 
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.postIncrement()");
@@ -2357,7 +2357,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 
 	@Override
 	public KeyValueScanner preStoreScannerOpen(ObserverContext<RegionCoprocessorEnvironment> c, Store store, Scan scan, NavigableSet<byte[]> targetCols, KeyValueScanner s)	throws IOException {
-		KeyValueScanner ret = null;
+		final KeyValueScanner ret;
 
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preStoreScannerOpen()");
@@ -2379,7 +2379,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 
 	@Override
 	public boolean postScannerNext(	ObserverContext<RegionCoprocessorEnvironment> c, InternalScanner s,	List<Result> result, int limit, boolean hasNext) throws IOException {
-		boolean ret = false;
+		final boolean ret;
 
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.postScannerNext()");
@@ -2402,7 +2402,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 	@Override
 	public boolean postScannerFilterRow( ObserverContext<RegionCoprocessorEnvironment> c, InternalScanner s, byte[] currentRow, int offset, short length, boolean hasMore) throws IOException {
 		
-		boolean ret = false;
+		final boolean ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.postScannerFilterRow()");
@@ -2461,7 +2461,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 	@Override
 	public boolean postBulkLoadHFile(ObserverContext<RegionCoprocessorEnvironment> ctx,	List<Pair<byte[], String>> familyPaths, boolean hasLoaded) throws IOException {
 		
-		boolean ret = false;
+		final boolean ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.postBulkLoadHFile()");
@@ -2484,7 +2484,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 	@Override
 	public Reader preStoreFileReaderOpen(ObserverContext<RegionCoprocessorEnvironment> ctx, FileSystem fs, Path p, FSDataInputStreamWrapper in, long size, 
 											CacheConfig cacheConf, Reference r, Reader reader) throws IOException {
-		Reader ret = null;
+		final Reader ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.preStoreFileReaderOpen()");
@@ -2507,7 +2507,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 	@Override
 	public Reader postStoreFileReaderOpen(ObserverContext<RegionCoprocessorEnvironment> ctx, FileSystem fs,	Path p, FSDataInputStreamWrapper in, long size,
 											CacheConfig cacheConf, Reference r, Reader reader) throws IOException {
-		Reader ret = null;
+		final Reader ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.postStoreFileReaderOpen()");
@@ -2529,7 +2529,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 
 	@Override
 	public Cell postMutationBeforeWAL(ObserverContext<RegionCoprocessorEnvironment> ctx, MutationType opType, Mutation mutation, Cell oldCell, Cell newCell) throws IOException {
-		Cell ret = null;
+		final Cell ret;
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.postMutationBeforeWAL()");
@@ -2551,7 +2551,7 @@ public class RangerAuthorizationCoprocessor implements MasterObserver, RegionObs
 
 	@Override
 	public DeleteTracker postInstantiateDeleteTracker( ObserverContext<RegionCoprocessorEnvironment> ctx, DeleteTracker delTracker) throws IOException {
-		DeleteTracker ret = null;
+		final DeleteTracker ret; 
 		
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerAuthorizationCoprocessor.postInstantiateDeleteTracker()");


[20/26] incubator-ranger git commit: Ranger-742: Made code changes to complete user search before performing group search. Also, added check to retrieve groups from user's memberof attribute only when group search is not enabled.

Posted by ma...@apache.org.
Ranger-742: Made code changes to complete user search before performing group search. Also, added check to retrieve groups from user's memberof attribute only when group search is not enabled.

Signed-off-by: Velmurugan Periasamy <ve...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/ec2ea921
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/ec2ea921
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/ec2ea921

Branch: refs/heads/tag-policy
Commit: ec2ea92135cfae32378c377a1fad73039f3e1f3f
Parents: 7ac6a02
Author: Sailaja Polavarapu <sp...@hortonworks.com>
Authored: Mon Nov 30 13:18:59 2015 -0800
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Tue Dec 1 14:46:01 2015 -0800

----------------------------------------------------------------------
 .../process/LdapUserGroupBuilder.java           | 388 ++++++++++---------
 1 file changed, 210 insertions(+), 178 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ec2ea921/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
index bab9e84..bb5fad5 100644
--- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
+++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java
@@ -21,8 +21,11 @@
 
 
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Iterator;
 import java.util.List;
+import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
 import java.util.StringTokenizer;
@@ -95,6 +98,7 @@ public class LdapUserGroupBuilder implements UserGroupSource {
   
   Mapper userNameRegExInst = null;
   Mapper groupNameRegExInst = null;
+  private List<UserInfo> userGroupMap;
 
 	public static void main(String[] args) throws Throwable {
 		LdapUserGroupBuilder  ugBuilder = new LdapUserGroupBuilder();
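Review bot: The new field `userGroupMap` is a `List<UserInfo>`, not a map, and in the visible hunks it is used only to hand the collected users from `updateSink()` to `getUserGroups()`. Keeping it as instance state means every user's DN and group set stays referenced until the next sync run replaces the list, and the two methods are coupled through a mutable field. I would build it as a local in `updateSink()` and pass it along, e.g. `List<UserInfo> users = new ArrayList<UserInfo>();` and `getUserGroups(sink, users);`.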
@@ -293,61 +297,62 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 	@Override
 	public void updateSink(UserGroupSink sink) throws Throwable {
 		LOG.info("LDAPUserGroupBuilder updateSink started");
-    NamingEnumeration<SearchResult> userSearchResultEnum = null;
-    NamingEnumeration<SearchResult> groupSearchResultEnum = null;
+		userGroupMap = new ArrayList<UserInfo>();
+		NamingEnumeration<SearchResult> userSearchResultEnum = null;
+		NamingEnumeration<SearchResult> groupSearchResultEnum = null;
 		try {
 			createLdapContext();
-		  int total;
-      // Activate paged results
-      byte[] cookie = null;
-      if (pagedResultsEnabled)   {
-        ldapContext.setRequestControls(new Control[]{
-          new PagedResultsControl(pagedResultsSize, Control.NONCRITICAL) });
-      }
+			int total;
+			// Activate paged results
+			byte[] cookie = null;
+			if (pagedResultsEnabled)   {
+				ldapContext.setRequestControls(new Control[]{
+						new PagedResultsControl(pagedResultsSize, Control.NONCRITICAL) });
+			}
 
 			int counter = 0;
 			do {
 				userSearchResultEnum = ldapContext
-					.search(userSearchBase, extendedUserSearchFilter,
-							userSearchControls);
+						.search(userSearchBase, extendedUserSearchFilter,
+								userSearchControls);
 				while (userSearchResultEnum.hasMore()) {
 					// searchResults contains all the user entries
 					final SearchResult userEntry = userSearchResultEnum.next();
 
-          if (userEntry == null)  {
-            if (LOG.isInfoEnabled())  {
-              LOG.info("userEntry null, skipping sync for the entry");
-            }
-            continue;
-          }
-
-          Attributes attributes =   userEntry.getAttributes();
-          if (attributes == null)  {
-            if (LOG.isInfoEnabled())  {
-              LOG.info("attributes  missing for entry " + userEntry.getNameInNamespace() +
-                ", skipping sync");
-            }
-            continue;
-          }
-
-          Attribute userNameAttr  = attributes.get(userNameAttribute);
-          if (userNameAttr == null)  {
-            if (LOG.isInfoEnabled())  {
-              LOG.info(userNameAttribute + " missing for entry " + userEntry.getNameInNamespace() +
-                ", skipping sync");
-            }
-            continue;
-          }
+					if (userEntry == null)  {
+						if (LOG.isInfoEnabled())  {
+							LOG.info("userEntry null, skipping sync for the entry");
+						}
+						continue;
+					}
+
+					Attributes attributes =   userEntry.getAttributes();
+					if (attributes == null)  {
+						if (LOG.isInfoEnabled())  {
+							LOG.info("attributes  missing for entry " + userEntry.getNameInNamespace() +
+									", skipping sync");
+						}
+						continue;
+					}
+
+					Attribute userNameAttr  = attributes.get(userNameAttribute);
+					if (userNameAttr == null)  {
+						if (LOG.isInfoEnabled())  {
+							LOG.info(userNameAttribute + " missing for entry " + userEntry.getNameInNamespace() +
+									", skipping sync");
+						}
+						continue;
+					}
 
 					String userName = (String) userNameAttr.get();
 
-          if (userName == null || userName.trim().isEmpty())  {
-            if (LOG.isInfoEnabled())  {
-              LOG.info(userNameAttribute + " empty for entry " + userEntry.getNameInNamespace() +
-                ", skipping sync");
-            }
-            continue;
-          }
+					if (userName == null || userName.trim().isEmpty())  {
+						if (LOG.isInfoEnabled())  {
+							LOG.info(userNameAttribute + " empty for entry " + userEntry.getNameInNamespace() +
+									", skipping sync");
+						}
+						continue;
+					}
 
 					if (userNameCaseConversionFlag) {
 						if (userNameLowerCaseFlag) {
@@ -357,73 +362,53 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 							userName = userName.toUpperCase() ;
 						}
 					}
-					
+
 					if (userNameRegExInst != null) {
-                        userName = userNameRegExInst.transform(userName);
+						userName = userNameRegExInst.transform(userName);
 					}
 
-          Set<String> groups = new HashSet<String>();
-
-          for (String useGroupNameAttribute : userGroupNameAttributeSet) {
-            Attribute userGroupfAttribute = userEntry.getAttributes().get(useGroupNameAttribute);
-            if (userGroupfAttribute != null) {
-              NamingEnumeration<?> groupEnum = userGroupfAttribute.getAll();
-              while (groupEnum.hasMore()) {
-                String gName = getShortGroupName((String) groupEnum
-                  .next());
-                if (groupNameCaseConversionFlag) {
-                  if (groupNameLowerCaseFlag) {
-                    gName = gName.toLowerCase();
-                  } else {
-                    gName = gName.toUpperCase();
-                  }
-                }
-                if (groupNameRegExInst != null) {
-                    gName = groupNameRegExInst.transform(gName);
-                }
-                groups.add(gName);
-              }
-            }
-          }
-
-        if (groupSearchEnabled && groupUserMapSyncEnabled) {
-            LOG.info("groupSearch and groupUserMapSync are enabled, would search for groups and compute memberships");
-            groupSearchResultEnum = ldapContext
-              .search(groupSearchBase, extendedGroupSearchFilter,
-                new Object[]{userEntry.getNameInNamespace()},
-                groupSearchControls);
-            Set<String> computedGroups = new HashSet<String>();
-            while (groupSearchResultEnum.hasMore()) {
-              final SearchResult groupEntry = groupSearchResultEnum.next();
-              if (groupEntry != null) {
-                String gName = (String) groupEntry.getAttributes()
-                  .get(groupNameAttribute).get();
-                if (groupNameCaseConversionFlag) {
-                  if (groupNameLowerCaseFlag) {
-                    gName = gName.toLowerCase();
-                  } else {
-                    gName = gName.toUpperCase();
-                  }
-                }
-                if (groupNameRegExInst != null) {
-                    gName = groupNameRegExInst.transform(gName);
-                }
-                computedGroups.add(gName);
-              }
-            }
-            if (LOG.isInfoEnabled())  {
-                 LOG.info("computed groups for user: " + userName +", groups: " + computedGroups);
-            }
-            groups.addAll(computedGroups);
-          }
-
-					List<String> groupList = new ArrayList<String>(groups);
+					UserInfo userInfo = new UserInfo(userName, userEntry.getNameInNamespace());
+					Set<String> groups = new HashSet<String>();
+
+					// Get all the groups from the group name attribute of the user only when group search is not enabled.
+					if (!groupSearchEnabled) {
+						for (String useGroupNameAttribute : userGroupNameAttributeSet) {
+							Attribute userGroupfAttribute = userEntry.getAttributes().get(useGroupNameAttribute);
+							if (userGroupfAttribute != null) {
+								NamingEnumeration<?> groupEnum = userGroupfAttribute.getAll();
+								while (groupEnum.hasMore()) {
+									String gName = getShortGroupName((String) groupEnum
+											.next());
+									if (groupNameCaseConversionFlag) {
+										if (groupNameLowerCaseFlag) {
+											gName = gName.toLowerCase();
+										} else {
+											gName = gName.toUpperCase();
+										}
+									}
+									if (groupNameRegExInst != null) {
+										gName = groupNameRegExInst.transform(gName);
+									}
+									groups.add(gName);
+								}
+							}
+						}
+					}
+
+					userInfo.addGroups(groups);
+					//populate the userGroupMap with username, userInfo. 
+					//userInfo contains details of user that will be later used for
+					//group search to compute group membership as well as to call sink.addOrUpdateUser()
+					userGroupMap.add(userInfo);
+
+					//List<String> groupList = new ArrayList<String>(groups);
+					List<String> groupList = userInfo.getGroups();
 					counter++;
 					if (counter <= 2000) { 
 						if (LOG.isInfoEnabled()) {
 							LOG.info("Updating user count: " + counter
-								+ ", userName: " + userName + ", groupList: "
-								+ groupList);
+									+ ", userName: " + userName + ", groupList: "
+									+ groupList);
 						}
 						if ( counter == 2000 ) {
 							LOG.info("===> 2000 user records have been synchronized so far. From now on, only a summary progress log will be written for every 100 users. To continue to see detailed log for every user, please enable Trace level logging. <===");
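Review bot: With `groupSearchEnabled` true and `groupUserMapSyncEnabled` false, a user now reaches `sink.addOrUpdateUser()` with an empty group list: the new `if (!groupSearchEnabled)` guard skips the user's group-name attributes, and the group search in `getUserGroups()` runs only when both flags are set. Before this commit the attribute loop ran unconditionally, so that configuration still received the attribute-derived groups. If the sink treats the list as authoritative (not visible here), existing memberships and the policies that depend on them would change on the next sync. Consider guarding on `if (!(groupSearchEnabled && groupUserMapSyncEnabled))` instead, and drop the commented-out `groupList` line. `updateSink()` starts and ends outside this hunk.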
@@ -439,90 +424,112 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 							}
 						}
 					}
-					try {
-						sink.addOrUpdateUser(userName, groupList);
-					} catch (Throwable t) {
-						LOG.error("sink.addOrUpdateUser failed with exception: " + t.getMessage()
-							+ ", for user: " + userName
-							+ ", groups: " + groupList);
-					}
+
 				}
-				
+
 				// Examine the paged results control response
-		        Control[] controls = ldapContext.getResponseControls();
-		        if (controls != null) {
-		        	for (int i = 0; i < controls.length; i++) {
-		        		if (controls[i] instanceof PagedResultsResponseControl) {
-		        			PagedResultsResponseControl prrc =
-		                             (PagedResultsResponseControl)controls[i];
-		        			total = prrc.getResultSize();
-		        			if (total != 0) {
-		        				LOG.debug("END-OF-PAGE total : " + total);
-		        			} else {
-		        				LOG.debug("END-OF-PAGE total : unknown");
-		        			}
-		        			cookie = prrc.getCookie();
-		        		}
-		        	}
-		        } else {
-		        	LOG.debug("No controls were sent from the server");
-		        }
-		        // Re-activate paged results
-            if (pagedResultsEnabled)   {
-		          ldapContext.setRequestControls(new Control[]{
-		        		  new PagedResultsControl(PAGE_SIZE, cookie, Control.CRITICAL) });
-            }
+				Control[] controls = ldapContext.getResponseControls();
+				if (controls != null) {
+					for (int i = 0; i < controls.length; i++) {
+						if (controls[i] instanceof PagedResultsResponseControl) {
+							PagedResultsResponseControl prrc =
+									(PagedResultsResponseControl)controls[i];
+							total = prrc.getResultSize();
+							if (total != 0) {
+								LOG.debug("END-OF-PAGE total : " + total);
+							} else {
+								LOG.debug("END-OF-PAGE total : unknown");
+							}
+							cookie = prrc.getCookie();
+						}
+					}
+				} else {
+					LOG.debug("No controls were sent from the server");
+				}
+				// Re-activate paged results
+				if (pagedResultsEnabled)   {
+					ldapContext.setRequestControls(new Control[]{
+							new PagedResultsControl(PAGE_SIZE, cookie, Control.CRITICAL) });
+				}
 			} while (cookie != null);
 			LOG.info("LDAPUserGroupBuilder.updateSink() completed with user count: "
 					+ counter);
 
-      if (groupSearchEnabled && !groupUserMapSyncEnabled) {
-        if (LOG.isInfoEnabled())  {
-          LOG.info("groupSearch enabled and groupUserMapSync not enabled, "
-             + "would search for groups, would not compute memberships");
-        }
-        Set <String> groupNames = new HashSet<String>();
-        groupSearchResultEnum = ldapContext
-          .search(groupSearchBase, extendedAllGroupsSearchFilter,
-            groupSearchControls);
-
-        while (groupSearchResultEnum.hasMore()) {
-          final SearchResult groupEntry = groupSearchResultEnum.next();
-	        if (groupEntry.getAttributes().get(groupNameAttribute) == null) {
-		        continue;
-	        }
-          String gName = (String) groupEntry.getAttributes()
-            .get(groupNameAttribute).get();
-          if (groupNameCaseConversionFlag) {
-            if (groupNameLowerCaseFlag) {
-              gName = gName.toLowerCase();
-            } else {
-              gName = gName.toUpperCase();
-            }
-          }
-          if (groupNameRegExInst != null) {
-              gName = groupNameRegExInst.transform(gName);
-          }
-          groupNames.add(gName);
-        }
-        if (LOG.isInfoEnabled())  {
-          LOG.info("found groups from ldap source: " + groupNames);
-        }
-
-        // TODO: push groupNames to ranger
-        //  POST http://<IP>:6080/service/xusers/secure/groups     create group
-        //  PUT http://<IP>:6080/service/xusers/secure/groups/{id}    update group
-        //  sink.addOrUpdateUser(groupNames);
-
-      }
+			
 
 		} finally {
-      if (userSearchResultEnum != null) {
-        userSearchResultEnum.close();
-      }
-      if (groupSearchResultEnum != null) {
-        groupSearchResultEnum.close();
-      }
+			if (userSearchResultEnum != null) {
+				userSearchResultEnum.close();
+			}
+			if (groupSearchResultEnum != null) {
+				groupSearchResultEnum.close();
+			}
+			closeLdapContext();
+		}
+		// Perform group search
+		getUserGroups(sink);
+	}
+	
+	private void getUserGroups(UserGroupSink sink) throws Throwable {
+		NamingEnumeration<SearchResult> groupSearchResultEnum = null;
+		LOG.debug("Total No. of users saved = " + userGroupMap.size());
+		if (groupSearchEnabled && groupUserMapSyncEnabled) {
+			LOG.info("groupSearch and groupUserMapSync are enabled, would search for groups and compute memberships");
+			createLdapContext();
+		}
+		
+		Iterator<UserInfo> userInfoIterator = userGroupMap.iterator();
+		while(userInfoIterator.hasNext()) {
+			UserInfo userInfo = userInfoIterator.next();
+			String userName = userInfo.getUserName();
+			if (groupSearchEnabled && groupUserMapSyncEnabled) {
+				//LOG.info("groupSearch and groupUserMapSync are enabled, would search for groups and compute memberships");
+				try {
+					
+						groupSearchResultEnum = ldapContext
+								.search(groupSearchBase, extendedGroupSearchFilter,
+										new Object[]{userInfo.getUserFullName()},
+										groupSearchControls);
+						Set<String> computedGroups = new HashSet<String>();
+						while (groupSearchResultEnum.hasMore()) {
+							final SearchResult groupEntry = groupSearchResultEnum.next();
+							if (groupEntry != null) {
+								String gName = (String) groupEntry.getAttributes()
+										.get(groupNameAttribute).get();
+								if (groupNameCaseConversionFlag) {
+									if (groupNameLowerCaseFlag) {
+										gName = gName.toLowerCase();
+									} else {
+										gName = gName.toUpperCase();
+									}
+								}
+								if (groupNameRegExInst != null) {
+									gName = groupNameRegExInst.transform(gName);
+								}
+								computedGroups.add(gName);
+							}
+						}
+						if (LOG.isInfoEnabled())  {
+							LOG.info("computed groups for user: " + userName +", groups: " + computedGroups);
+						}
+						userInfo.addGroups(computedGroups);
+
+				} finally {
+					if (groupSearchResultEnum != null) {
+						groupSearchResultEnum.close();
+					}
+				}
+			}
+			List<String> groupList = userInfo.getGroups();
+			try {
+				sink.addOrUpdateUser(userName, groupList);
+			} catch (Throwable t) {
+				LOG.error("sink.addOrUpdateUser failed with exception: " + t.getMessage()
+				+ ", for user: " + userName
+				+ ", groups: " + groupList);
+			}
+		}
+		if (groupSearchEnabled && groupUserMapSyncEnabled) {
 			closeLdapContext();
 		}
 	}
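Review bot: In the new `getUserGroups()`, any exception from the group search escapes the per-user `try` (it has only a `finally`), so the `closeLdapContext()` at the end is skipped and every remaining user is left unsynced for that run. One likely trigger is `groupEntry.getAttributes().get(groupNameAttribute).get()`, which throws a NullPointerException when a group entry lacks the name attribute; the removed all-groups search had a null check for exactly that. A partial sync leaves users with stale group memberships, so the context close belongs in a `finally` and the attribute should be checked before use. Whether a failed search for one user should skip that user or abort the run is a decision for the author.

```java
	private void getUserGroups(UserGroupSink sink) throws Throwable {
		// … unchanged: debug log of userGroupMap.size() …
		final boolean computeMemberships = groupSearchEnabled && groupUserMapSyncEnabled;
		if (computeMemberships) {
			// … unchanged: info log …
			createLdapContext();
		}
		try {
			// … unchanged: iteration over userGroupMap, per-user search, sink.addOrUpdateUser() …
			//   inside the group result loop, replace the chained get():
			Attribute groupNameAttr = groupEntry.getAttributes().get(groupNameAttribute);
			if (groupNameAttr == null) {
				continue;
			}
			String gName = (String) groupNameAttr.get();
			// … unchanged: case conversion, regex transform, computedGroups.add(gName) …
		} finally {
			if (computeMemberships) {
				closeLdapContext();
			}
		}
	}
```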
@@ -544,3 +551,28 @@ public class LdapUserGroupBuilder implements UserGroupSource {
 	}
 	
 }
+
+class UserInfo {
+	private String userName;
+	private String userFullName;
+	private Set<String> groupList;
+	
+	public UserInfo(String userName, String userFullName) {
+		this.userName = userName;
+		this.userFullName = userFullName;
+		this.groupList = new HashSet<String>();
+	}
+	
+	public String getUserName() {
+		return userName;
+	}
+	public String getUserFullName() {
+		return userFullName;
+	}
+	public void addGroups(Set<String> groups) {
+		groupList.addAll(groups);
+	}
+	public List<String> getGroups() {
+		return (new ArrayList<String>(groupList));
+	}
+}
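Review bot: The name `userFullName` is misleading: `updateSink()` fills it from `userEntry.getNameInNamespace()` and `getUserGroups()` passes it as the group search filter argument, so it holds the entry's distinguished name rather than a display name. A comment on the field such as `// DN of the user entry; used as the filter argument of the group search` (or renaming it to `userDn`) would keep someone from later substituting a display name. The three fields are assigned only in the constructor and can be `private final`.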


[14/26] incubator-ranger git commit: RANGER-747:RangerAdmin is considering "none" as valid ZK Host Name for Solr

Posted by ma...@apache.org.
RANGER-747:RangerAdmin is considering "none" as valid ZK Host Name for
Solr

Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/38fea60b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/38fea60b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/38fea60b

Branch: refs/heads/tag-policy
Commit: 38fea60b7e8ee213d11ec8f4e01d3d25b0b9c8a9
Parents: fa435a9
Author: Don Bosco Durai <bo...@apache.org>
Authored: Wed Nov 25 18:11:02 2015 -0800
Committer: Don Bosco Durai <bo...@apache.org>
Committed: Wed Nov 25 18:11:02 2015 -0800

----------------------------------------------------------------------
 security-admin/src/main/java/org/apache/ranger/solr/SolrMgr.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/38fea60b/security-admin/src/main/java/org/apache/ranger/solr/SolrMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/solr/SolrMgr.java b/security-admin/src/main/java/org/apache/ranger/solr/SolrMgr.java
index 603e46a..913b9f0 100644
--- a/security-admin/src/main/java/org/apache/ranger/solr/SolrMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/solr/SolrMgr.java
@@ -89,7 +89,7 @@ public class SolrMgr {
 						}
 
 						if (zkHosts != null && !zkHosts.trim().equals("")
-								&& !zkHosts.trim().equals("none")) {
+								&& !zkHosts.trim().equalsIgnoreCase("none")) {
 							zkHosts = zkHosts.trim();
 							String collectionName = PropertiesUtil
 									.getProperty(SOLR_COLLECTION_NAME);


[02/26] incubator-ranger git commit: RANGER-731: Ranger plugin for YARN doesn't seem to be able to write audit to Kerberized HDFS

Posted by ma...@apache.org.
RANGER-731: Ranger plugin for YARN doesn't seem to be able to write audit to Kerberized HDFS


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/e267c092
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/e267c092
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/e267c092

Branch: refs/heads/tag-policy
Commit: e267c09235c81e5d9a98318b504b139c3686c88c
Parents: 18e6397
Author: rmani <rm...@hortonworks.com>
Authored: Mon Nov 16 13:30:55 2015 -0800
Committer: rmani <rm...@hortonworks.com>
Committed: Mon Nov 16 13:30:55 2015 -0800

----------------------------------------------------------------------
 src/main/assembly/plugin-yarn.xml | 2 --
 1 file changed, 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e267c092/src/main/assembly/plugin-yarn.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/plugin-yarn.xml b/src/main/assembly/plugin-yarn.xml
index 6f8e33b..3550881 100644
--- a/src/main/assembly/plugin-yarn.xml
+++ b/src/main/assembly/plugin-yarn.xml
@@ -49,8 +49,6 @@
                 <outputDirectory>/lib/ranger-yarn-plugin-impl</outputDirectory>
                 <unpack>false</unpack>
                 <includes>
-                    <include>org.apache.hadoop:hadoop-common:jar:${hadoop-common.version}</include>
-                    <include>org.apache.hadoop:hadoop-common-plus:jar:${hadoop-common.version}</include>
                     <include>org.eclipse.persistence:eclipselink</include>
                     <include>org.eclipse.persistence:javax.persistence</include>
 		    <include>org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version}</include>


[10/26] incubator-ranger git commit: RANGER-735: Request to Solr should use POST rather than GET

Posted by ma...@apache.org.
RANGER-735: Request to Solr should use POST rather than GET


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/ad45c554
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/ad45c554
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/ad45c554

Branch: refs/heads/tag-policy
Commit: ad45c554fe244ce1567c0560b52ae42f8d3a9d4b
Parents: 7b7b314
Author: Don Bosco Durai <bo...@apache.org>
Authored: Thu Nov 19 11:22:58 2015 -0800
Committer: Don Bosco Durai <bo...@apache.org>
Committed: Mon Nov 23 22:44:28 2015 -0800

----------------------------------------------------------------------
 security-admin/src/main/java/org/apache/ranger/solr/SolrUtil.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ad45c554/security-admin/src/main/java/org/apache/ranger/solr/SolrUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/solr/SolrUtil.java b/security-admin/src/main/java/org/apache/ranger/solr/SolrUtil.java
index ebf416d..c865669 100644
--- a/security-admin/src/main/java/org/apache/ranger/solr/SolrUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/solr/SolrUtil.java
@@ -37,6 +37,7 @@ import org.apache.ranger.common.SearchField.SEARCH_TYPE;
 import org.apache.solr.client.solrj.SolrClient;
 import org.apache.solr.client.solrj.SolrQuery;
 import org.apache.solr.client.solrj.SolrQuery.ORDER;
+import org.apache.solr.client.solrj.SolrRequest.METHOD;
 import org.apache.solr.client.solrj.response.QueryResponse;
 import org.apache.solr.client.solrj.util.ClientUtils;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -71,7 +72,7 @@ public class SolrUtil {
 		if (solrQuery != null) {
 			QueryResponse response;
 			try {
-				response = solrClient.query(solrQuery);
+				response = solrClient.query(solrQuery, METHOD.POST);
 				return response;
 			} catch (Throwable e) {
 				logger.error("Error from Solr server.", e);
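Review bot: The reason for forcing `METHOD.POST` is not recorded next to the call, so a later cleanup could revert it to the one-argument `query()`. A short comment such as `// RANGER-735: send the query as POST rather than GET` would keep the intent. Presumably the concern is query parameters carried in the request URL (length limits, URLs written to access logs), which the author should confirm and state. The enclosing method starts and ends outside this hunk.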


[17/26] incubator-ranger git commit: RANGER-743 : External users with Admin Role should be allowed to create/update users

Posted by ma...@apache.org.
RANGER-743 : External users with Admin Role should be allowed to create/update users


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/7a95ff0d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/7a95ff0d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/7a95ff0d

Branch: refs/heads/tag-policy
Commit: 7a95ff0de1ca4b340deebf6c53e8559a025df750
Parents: 5fec40f
Author: Gautam Borad <ga...@apache.org>
Authored: Wed Nov 25 17:35:17 2015 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Sat Nov 28 23:17:40 2015 +0530

----------------------------------------------------------------------
 .../java/org/apache/ranger/biz/UserMgr.java     | 67 ++++++++++++++++++--
 .../java/org/apache/ranger/biz/XUserMgr.java    | 51 ++++++++++++---
 .../handler/RangerAuthenticationProvider.java   | 28 +++++++-
 3 files changed, 130 insertions(+), 16 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a95ff0d/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index ee9d14b..fd49e05 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -254,6 +254,9 @@ public class UserMgr {
 		// }
 
 		// firstName
+		if("null".equalsIgnoreCase(userProfile.getFirstName())){
+			userProfile.setFirstName("");
+		}
 		if (!stringUtil.isEmpty(userProfile.getFirstName())
 				&& !userProfile.getFirstName().equals(gjUser.getFirstName())) {
 			userProfile.setFirstName(stringUtil.toCamelCaseAllWords(userProfile
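Review bot: The `"null".equalsIgnoreCase(...)` normalisation added before the firstName check is repeated for lastName in the next hunk, again in `mapVXPortalUserToXXPortalUser`, and in `createXUser`/`updateXUser` in XUserMgr.java, so it belongs in one private helper, e.g. `private static String blankIfNullLiteral(String s) { return "null".equalsIgnoreCase(s) ? "" : s; }`. The check also blanks a name that a person really has ("Null"), so it needs a comment saying where the literal string is expected to come from; the commit does not show this, but presumably it is a sync source that serialises missing values as text. The enclosing method starts and ends outside this hunk.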
@@ -261,8 +264,10 @@ public class UserMgr {
 			updateUser = true;
 		}
 
-		// lastName allowed to be empty
-		if (userProfile.getLastName() != null
+		if("null".equalsIgnoreCase(userProfile.getLastName())){
+			userProfile.setLastName("");
+		}
+		if (!stringUtil.isEmpty(userProfile.getLastName())
 				&& !userProfile.getLastName().equals(gjUser.getLastName())) {
 			userProfile.setLastName(stringUtil.toCamelCaseAllWords(userProfile
 					.getLastName()));
@@ -270,12 +275,16 @@ public class UserMgr {
 		}
 
 		// publicScreenName
-		if (!stringUtil.isEmpty(userProfile.getPublicScreenName())
-				&& !userProfile.getPublicScreenName().equals(
-						gjUser.getPublicScreenName())) {
+		if (userProfile.getFirstName() != null
+				&& userProfile.getLastName() != null
+				&& !userProfile.getFirstName().trim().isEmpty()
+				&& !userProfile.getLastName().trim().isEmpty()) {
 			userProfile.setPublicScreenName(userProfile.getFirstName() + " "
 					+ userProfile.getLastName());
 			updateUser = true;
+		} else {
+			userProfile.setPublicScreenName(gjUser.getLoginId());
+			updateUser = true;
 		}
 
 		// notes
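Review bot: Both branches of the new publicScreenName block set `updateUser = true`, so from this point the flag is always true and the change detection on the earlier fields no longer affects whatever it gates later in the method. Compute the name first and raise the flag only on a real change, e.g. `if (!screenName.equals(gjUser.getPublicScreenName())) { userProfile.setPublicScreenName(screenName); updateUser = true; }`. The else branch also replaces any screen name the caller supplied with `gjUser.getLoginId()`; if that is intended, the `// publicScreenName` comment should say so. The method body extends beyond the hunk.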
@@ -554,12 +563,34 @@ public class UserMgr {
 	public XXPortalUser mapVXPortalUserToXXPortalUser(VXPortalUser userProfile) {
 		XXPortalUser gjUser = new XXPortalUser();
 		gjUser.setEmailAddress(userProfile.getEmailAddress());
+		if("null".equalsIgnoreCase(userProfile.getFirstName())){
+			userProfile.setFirstName("");
+		}
 		gjUser.setFirstName(userProfile.getFirstName());
+		if("null".equalsIgnoreCase(userProfile.getLastName())){
+			userProfile.setLastName("");
+		}
 		gjUser.setLastName(userProfile.getLastName());
+		if (userProfile.getLoginId() == null
+				|| userProfile.getLoginId().trim().isEmpty()
+				|| "null".equalsIgnoreCase(userProfile.getLoginId())) {
+			throw restErrorUtil.createRESTException(
+					"LoginId should not be null or blank, It is",
+					MessageEnums.INVALID_INPUT_DATA);
+		}
 		gjUser.setLoginId(userProfile.getLoginId());
 		gjUser.setPassword(userProfile.getPassword());
 		gjUser.setUserSource(userProfile.getUserSource());
 		gjUser.setPublicScreenName(userProfile.getPublicScreenName());
+		if (userProfile.getFirstName() != null
+				&& userProfile.getLastName() != null
+				&& !userProfile.getFirstName().trim().isEmpty()
+				&& !userProfile.getLastName().trim().isEmpty()) {
+			gjUser.setPublicScreenName(userProfile.getFirstName() + " "
+					+ userProfile.getLastName());
+		} else {
+			gjUser.setPublicScreenName(userProfile.getLoginId());
+		}
 		return gjUser;
 	}
 
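Review bot: The new loginId check in `mapVXPortalUserToXXPortalUser` throws with the message `"LoginId should not be null or blank, It is"`, which stops mid-sentence; use `"LoginId should not be null or blank"` and keep the rejected value out of the response. The check also runs after `gjUser` has been partly populated and after `userProfile` has been mutated via `setFirstName("")`/`setLastName("")`, so move it to the top of the method and document that the argument is modified. The context line `gjUser.setPublicScreenName(userProfile.getPublicScreenName());` is now dead, because the added if/else always overwrites it.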
@@ -1237,4 +1268,30 @@ public class UserMgr {
 		throw restErrorUtil.create403RESTException("Operation not allowed." + " loggedInUser=" + (sess != null ? sess.getXXPortalUser().getId() : "Not Logged In"));
 	}
 
+	public Collection<String> getRolesByLoginId(String loginId) {
+		if (loginId == null || loginId.trim().isEmpty()){
+			return DEFAULT_ROLE_LIST;
+		}
+		XXPortalUser xXPortalUser=daoManager.getXXPortalUser().findByLoginId(loginId);
+		if(xXPortalUser==null){
+			return DEFAULT_ROLE_LIST;
+        }
+		Collection<XXPortalUserRole> xXPortalUserRoles = daoManager
+                        .getXXPortalUserRole().findByUserId(xXPortalUser.getId());
+		if(xXPortalUserRoles==null){
+			return DEFAULT_ROLE_LIST;
+		}
+		Collection<String> roleList = new ArrayList<String>();
+		for (XXPortalUserRole role : xXPortalUserRoles) {
+			if(role!=null && VALID_ROLE_LIST.contains(role.getUserRole())){
+				if(!roleList.contains(role.getUserRole())){
+					roleList.add(role.getUserRole());
+				}
+			}
+        }
+		if(roleList==null || roleList.size()==0){
+			return DEFAULT_ROLE_LIST;
+		}
+		return roleList;
+	}
 }
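Review bot: In `getRolesByLoginId`, `loginId` is trimmed only for the emptiness test and then passed untrimmed to `findByLoginId`, so a whitespace-padded name would presumably miss its row and fall back to `DEFAULT_ROLE_LIST`; trim once after the null check, `loginId = loginId.trim();`. The final `roleList==null` test cannot be true because the list was constructed a few lines earlier, so `if (roleList.isEmpty())` is enough. Since RangerAuthenticationProvider turns the result into granted authorities, the method should carry a Javadoc stating that unknown users and users with no role in `VALID_ROLE_LIST` receive `DEFAULT_ROLE_LIST`. That constant is declared outside this hunk; if it is a mutable collection, return a copy rather than the shared instance.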

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a95ff0d/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index 3f2c041..3784439 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -186,9 +186,11 @@ public class XUserMgr extends XUserMgrBase {
 	public VXUser createXUser(VXUser vXUser) {
 		checkAdminAccess();
 		String userName = vXUser.getName();
-		if (userName == null || userName.isEmpty()) {
-			throw restErrorUtil.createRESTException("Please provide a valid "
-					+ "username.", MessageEnums.INVALID_INPUT_DATA);
+		if (userName == null || "null".equalsIgnoreCase(userName)
+				|| userName.trim().isEmpty()) {
+			throw restErrorUtil.createRESTException(
+					"Please provide a valid username.",
+					MessageEnums.INVALID_INPUT_DATA);
 		}
 
 		if (vXUser.getDescription() == null) {
@@ -200,10 +202,23 @@ public class XUserMgr extends XUserMgrBase {
 		VXPortalUser vXPortalUser = new VXPortalUser();
 		vXPortalUser.setLoginId(userName);
 		vXPortalUser.setFirstName(vXUser.getFirstName());
+		if("null".equalsIgnoreCase(vXPortalUser.getFirstName())){
+			vXPortalUser.setFirstName("");
+		}
 		vXPortalUser.setLastName(vXUser.getLastName());
+		if("null".equalsIgnoreCase(vXPortalUser.getLastName())){
+			vXPortalUser.setLastName("");
+		}
 		vXPortalUser.setEmailAddress(vXUser.getEmailAddress());
-		vXPortalUser.setPublicScreenName(vXUser.getFirstName() + " "
-				+ vXUser.getLastName());
+		if (vXPortalUser.getFirstName() != null
+				&& vXPortalUser.getLastName() != null
+				&& !vXPortalUser.getFirstName().trim().isEmpty()
+				&& !vXPortalUser.getLastName().trim().isEmpty()) {
+			vXPortalUser.setPublicScreenName(vXPortalUser.getFirstName() + " "
+					+ vXPortalUser.getLastName());
+		} else {
+			vXPortalUser.setPublicScreenName(vXUser.getName());
+		}
 		vXPortalUser.setPassword(actualPassword);
 		vXPortalUser.setUserRoleList(vXUser.getUserRoleList());
 		vXPortalUser = userMgr.createDefaultAccountUser(vXPortalUser);
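Review bot: The first-name/last-name-or-login derivation of the public screen name is written out here, again in `updateXUser` below, and twice in UserMgr.java; one shared helper such as `static String deriveScreenName(String first, String last, String loginId)` would keep the four copies from drifting apart. The two `"null"` checks sit after the setters and read the value back through the getter; normalising `vXUser.getFirstName()` before calling `setFirstName` would be shorter and easier to follow. `createXUser` continues beyond this hunk.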
@@ -324,8 +339,11 @@ public class XUserMgr extends XUserMgrBase {
 	}
 
 	public VXUser updateXUser(VXUser vXUser) {
-		if (vXUser == null || vXUser.getName() == null || vXUser.getName().trim().isEmpty()) {
-			throw restErrorUtil.createRESTException("Please provide a valid " + "username.", MessageEnums.INVALID_INPUT_DATA);
+		if (vXUser == null || vXUser.getName() == null
+				|| "null".equalsIgnoreCase(vXUser.getName())
+				|| vXUser.getName().trim().isEmpty()) {
+			throw restErrorUtil.createRESTException("Please provide a valid "
+					+ "username.", MessageEnums.INVALID_INPUT_DATA);
 		}
 		checkAccess(vXUser.getName());
 		VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser
@@ -337,13 +355,26 @@ public class XUserMgr extends XUserMgrBase {
 		// TODO : There is a possibility that old user may not exist.
 
 		vXPortalUser.setFirstName(vXUser.getFirstName());
+		if("null".equalsIgnoreCase(vXPortalUser.getFirstName())){
+			vXPortalUser.setFirstName("");
+		}
 		vXPortalUser.setLastName(vXUser.getLastName());
+		if("null".equalsIgnoreCase(vXPortalUser.getLastName())){
+			vXPortalUser.setLastName("");
+		}
 		vXPortalUser.setEmailAddress(vXUser.getEmailAddress());
 		vXPortalUser.setLoginId(vXUser.getName());
 		vXPortalUser.setStatus(vXUser.getStatus());
 		vXPortalUser.setUserRoleList(vXUser.getUserRoleList());
-		vXPortalUser.setPublicScreenName(vXUser.getFirstName() + " "
-				+ vXUser.getLastName());
+		if (vXPortalUser.getFirstName() != null
+				&& vXPortalUser.getLastName() != null
+				&& !vXPortalUser.getFirstName().trim().isEmpty()
+				&& !vXPortalUser.getLastName().trim().isEmpty()) {
+			vXPortalUser.setPublicScreenName(vXPortalUser.getFirstName() + " "
+					+ vXPortalUser.getLastName());
+		} else {
+			vXPortalUser.setPublicScreenName(vXUser.getName());
+		}
 		vXPortalUser.setUserSource(vXUser.getUserSource());
 		String hiddenPasswordString = PropertiesUtil.getProperty("ranger.password.hidden", "*****");
 		String password = vXUser.getPassword();
@@ -1247,6 +1278,7 @@ public class XUserMgr extends XUserMgrBase {
 		if(vXUser==null){
 			throw restErrorUtil.createRESTException("Please provide a valid ID", MessageEnums.INVALID_INPUT_DATA);
 		}
+		checkAccess(vXUser.getName());
 		List<XXPortalUserRole> portalUserRoleList =null;
 		VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser.getName());
 		if(oldUserProfile!=null){
@@ -1260,6 +1292,7 @@ public class XUserMgr extends XUserMgrBase {
 	public VXStringList getUserRolesByName(String userName) {
 		VXPortalUser vXPortalUser=null;
 		if(userName!=null && !userName.trim().isEmpty()){
+			checkAccess(userName);
 			vXPortalUser = userMgr.getUserProfileByLoginId(userName);
 			if(vXPortalUser!=null && vXPortalUser.getUserRoleList()!=null){
 				List<XXPortalUserRole> portalUserRoleList = daoManager.getXXPortalUserRole().findByUserId(vXPortalUser.getId());

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a95ff0d/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
index 3920ab3..cfdd9bc 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
@@ -20,6 +20,7 @@
 package org.apache.ranger.security.handler;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 import java.util.HashMap;
@@ -241,6 +242,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 
 				authentication = ldapAuthenticationProvider
 						.authenticate(finalAuthentication);
+				authentication=getAuthenticationWithGrantedAuthority(authentication);
 				return authentication;
 			} else {
 				return authentication;
@@ -334,6 +336,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 						principal, userPassword, grantedAuths);
 				authentication = jaasAuthenticationProvider
 						.authenticate(finalAuthentication);
+				authentication=getAuthenticationWithGrantedAuthority(authentication);
 				return authentication;
 			} else {
 				return authentication;
@@ -410,6 +413,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 				final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);
 
 				authentication = ldapAuthenticationProvider.authenticate(finalAuthentication);
+				authentication=getAuthenticationWithGrantedAuthority(authentication);
 				return authentication;
 			} else {
 				return authentication;
@@ -475,6 +479,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 				final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);
 
 				authentication = ldapAuthenticationProvider.authenticate(finalAuthentication);
+				authentication=getAuthenticationWithGrantedAuthority(authentication);
 				return authentication;
 			} else {
 				return authentication;
@@ -510,8 +515,6 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 			if (userName != null && userPassword != null && !userName.trim().isEmpty()&& !userPassword.trim().isEmpty()) {
 				final List<GrantedAuthority> grantedAuths = new ArrayList<>();
 				grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole));
-				grantedAuths.add(new SimpleGrantedAuthority("ROLE_SYS_ADMIN"));
-				grantedAuths.add(new SimpleGrantedAuthority("ROLE_KEY_ADMIN"));
 				final UserDetails principal = new User(userName, userPassword,grantedAuths);
 				final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);
 				authentication= authenticator.authenticate(finalAuthentication);
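Review bot: Unlike the four LDAP/AD/JAAS paths above, this path shows no call to `getAuthenticationWithGrantedAuthority` after `authenticator.authenticate(finalAuthentication)`, and the rest of the method is outside the hunk. Removing the hard-coded `ROLE_SYS_ADMIN` and `ROLE_KEY_ADMIN` grants is the right direction, since they gave both admin roles to every account authenticated here. But if no role lookup follows, a user whose stored role is admin would keep only `rangerLdapDefaultRole` on this path. If so, add `authentication=getAuthenticationWithGrantedAuthority(authentication);` before the return, as in the other hunks, and add a comment that roles always come from the Ranger database and never from the login path.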
@@ -533,6 +536,27 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 		return authentication;
 	}
 	
+	private List<GrantedAuthority> getAuthorities(String username) {
+		Collection<String> roleList=userMgr.getRolesByLoginId(username);
+		final List<GrantedAuthority> grantedAuths = new ArrayList<>();
+		for(String role:roleList){
+			grantedAuths.add(new SimpleGrantedAuthority(role));
+		}
+		return grantedAuths;
+	}
+ 
+	public Authentication getAuthenticationWithGrantedAuthority(Authentication authentication){
+		UsernamePasswordAuthenticationToken result=null;
+		if(authentication!=null && authentication.isAuthenticated()){
+			final List<GrantedAuthority> grantedAuths=getAuthorities(authentication.getName().toString());
+			final UserDetails userDetails = new User(authentication.getName().toString(), authentication.getCredentials().toString(),grantedAuths);
+			result = new UsernamePasswordAuthenticationToken(userDetails,authentication.getCredentials(),grantedAuths);
+			result.setDetails(authentication.getDetails());
+			return result;
+		}
+		return authentication;
+	}
+	
 	private Authentication getSSOAuthentication(Authentication authentication) throws AuthenticationException{
 		return authentication;
 	}
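Review bot: `getAuthenticationWithGrantedAuthority` calls `authentication.getCredentials().toString()` without a null check, so a provider that returns a token with erased credentials would turn a successful login into a NullPointerException; guard it with `Object creds = authentication.getCredentials();` and `String pwd = creds != null ? creds.toString() : "";`. Copying the password into the new `User` also keeps it on the principal for as long as the token is held, unless credentials are erased later, which the hunk does not show; passing an empty string to the `User` constructor avoids that. The `.toString()` on `getName()` is redundant, and the helper can be `private` like `getAuthorities` unless code outside this file calls it. Both methods need a short Javadoc saying that the authorities returned by the external provider are discarded and replaced by the roles from `userMgr.getRolesByLoginId`.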


[22/26] incubator-ranger git commit: RANGER-748 : Fix - Users in policy got changed after upgrade

Posted by ma...@apache.org.
RANGER-748 : Fix - Users in policy got changed after upgrade


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/68ab77b2
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/68ab77b2
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/68ab77b2

Branch: refs/heads/tag-policy
Commit: 68ab77b298f817b3e3bd6544921d27bcae5e98b4
Parents: 44d3654
Author: Gautam Borad <ga...@apache.org>
Authored: Tue Nov 24 18:09:34 2015 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Wed Dec 2 09:37:33 2015 +0530

----------------------------------------------------------------------
 .../main/java/org/apache/ranger/biz/RangerPolicyRetriever.java  | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/68ab77b2/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java
index 4c65178..e3adc1d 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java
@@ -44,6 +44,7 @@ import org.apache.ranger.entity.XXPolicyResourceMap;
 import org.apache.ranger.entity.XXPortalUser;
 import org.apache.ranger.entity.XXResourceDef;
 import org.apache.ranger.entity.XXService;
+import org.apache.ranger.entity.XXUser;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
@@ -250,10 +251,10 @@ public class RangerPolicyRetriever {
 				ret = userNames.get(userId);
 
 				if(ret == null) {
-					XXPortalUser user = daoMgr.getXXPortalUser().getById(userId);
+					XXUser user = daoMgr.getXXUser().getById(userId);
 
 					if(user != null) {
-						ret = user.getLoginId();
+						ret = user.getName(); // Name is `loginId`
 
 						userNames.put(userId,  ret);
 					}


[19/26] incubator-ranger git commit: RANGER-755, 756, 757: ldaptool fixes (Sailaja Polavarapu via Velmurugan Periasamy)

Posted by ma...@apache.org.
RANGER-755,756,757: ldaptool fixes (Sailaja Polavarapu via Velmurugan Periasamy)

Signed-off-by: Velmurugan Periasamy <ve...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/7ac6a02a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/7ac6a02a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/7ac6a02a

Branch: refs/heads/tag-policy
Commit: 7ac6a02a3b12a453c03d9e5868010fda4fdfa61d
Parents: 19c2134
Author: Velmurugan Periasamy <ve...@apache.org>
Authored: Tue Dec 1 14:19:41 2015 -0800
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Tue Dec 1 14:23:26 2015 -0800

----------------------------------------------------------------------
 .../ldapconfigcheck/scripts/run.sh                    |  8 ++++----
 .../ranger/ldapconfigcheck/CommandLineOptions.java    | 14 ++++++--------
 2 files changed, 10 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7ac6a02a/ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh b/ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh
index 787e216..e5c313a 100755
--- a/ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh
@@ -19,7 +19,7 @@ AUTH=1
 
 usage() {
   echo "usage: run.sh
- -noauth         ignore authentication properties
+ -a         ignore authentication properties
  -d <arg>   {all|users|groups}
  -h                       show help.
  -i <arg>            Input file name
@@ -33,7 +33,7 @@ cp="${cdir}/lib/*:${cdir}/conf"
 OUTDIR="${cdir}/output/"
 JAVA_CMD="java -cp ${cdir}/lib/ldapconfigcheck.jar:${cp} org.apache.ranger.ldapconfigcheck.LdapConfigCheckMain"
 
-while getopts "i:o:d:r:noauthh" opt; do
+while getopts "i:o:d:r:ah" opt; do
   case $opt in
     i) INFILE=$OPTARG
 	JAVA_CMD="$JAVA_CMD -i $OPTARG"
@@ -46,8 +46,8 @@ while getopts "i:o:d:r:noauthh" opt; do
     r) RETRIEVE=$OPTARG
 	JAVA_CMD="$JAVA_CMD -r $OPTARG"
 	;;
-    noauth) AUTH=0
-	JAVA_CMD="$JAVA_CMD -noauth"
+    a) AUTH=0
+	JAVA_CMD="$JAVA_CMD -a"
 	;;
     h) usage
 	;;

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7ac6a02a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java
index 790330f..c71e5cc 100644
--- a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java
@@ -28,7 +28,7 @@ public class CommandLineOptions {
     private Options options = new Options();
     private String input = null;
     private String output = null;
-    private String discoverProperties;
+    private String discoverProperties = null;
     private String retrieveValues = null;
     private boolean isAuthEnabled = true;
     private String ldapUrl = "";
@@ -46,7 +46,7 @@ public class CommandLineOptions {
         options.addOption("o", "outputdir", true, "Output directory");
         options.addOption("d", "discoverProperties", true, "{all|users|groups}");
         options.addOption("r", "retrieve", true, "{all|users|groups}");
-        options.addOption("noauth", "noAuthentication", false, "Ignore authentication properties");
+        options.addOption("a", "noAuthentication", false, "Ignore authentication properties");
     }
 
     public void parse() {
@@ -72,9 +72,7 @@ public class CommandLineOptions {
                     System.out.println("Unsupported value for option d");
                     help();
                 }
-            }
-
-            if (cmd.hasOption("r")) {
+            } else if (cmd.hasOption("r")) {
                 retrieveValues = cmd.getOptionValue("r");
                 if (retrieveValues == null || (!retrieveValues.equalsIgnoreCase("all")
                         && !retrieveValues.equalsIgnoreCase("users") && !retrieveValues.equalsIgnoreCase("groups"))) {
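Review bot: Turning the `r` check into `else if` means `-r` is silently ignored whenever `-d` is also given, and `retrieveValues` stays null with no message to the operator. If the two options are meant to be mutually exclusive, reject the combination explicitly before this chain, e.g. `if (cmd.hasOption("d") && cmd.hasOption("r")) { System.out.println("Options d and r cannot be combined"); help(); }`. The surrounding `parse()` body starts and ends outside the hunk.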
@@ -82,15 +80,15 @@ public class CommandLineOptions {
                     help();
                 }
             } else {
-                if (discoverProperties == null || discoverProperties.isEmpty()) {
+                //if (discoverProperties == null || discoverProperties.isEmpty()) {
                     System.out.println("Default to discover all usersync properties");
                     //help();
                 	// If "d" or "r" option is not specified, then default to discover all usersync properties
                 	discoverProperties = "all";
-                }
+                //}
             }
 
-            if (cmd.hasOption("noauth")) {
+            if (cmd.hasOption("a") || discoverProperties == null || (discoverProperties != null && !discoverProperties.equalsIgnoreCase("all"))) {
                 isAuthEnabled = false;
             }
             
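Review bot: The `isAuthEnabled` condition can be reduced to `if (cmd.hasOption("a") || !"all".equalsIgnoreCase(discoverProperties))`, because the null-safe comparison covers both the `== null` arm and the `!= null &&` arm. The condition also turns authentication checks off for every `-d users`, `-d groups` and `-r` run, which the option help does not mention; a comment above the `if` should state that this is intended. The `//if` and `//}` lines leave dead code with misleading indentation in the default branch and should be deleted rather than commented out.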


[26/26] incubator-ranger git commit: Merge branch 'master' into tag-policy

Posted by ma...@apache.org.
Merge branch 'master' into tag-policy


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/42b040e6
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/42b040e6
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/42b040e6

Branch: refs/heads/tag-policy
Commit: 42b040e67a0564b9a3583304fa7447977a52d2e2
Parents: 91f1932 a733b7c
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Wed Dec 2 15:18:03 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Wed Dec 2 15:18:03 2015 -0800

----------------------------------------------------------------------
 .../RangerAbstractConditionEvaluator.java       |   3 +
 .../RangerConditionEvaluator.java               |   1 -
 .../contextenricher/RangerTagEnricher.java      |  50 +-
 .../ranger/plugin/model/RangerTagDef.java       |   1 +
 .../policyengine/RangerPolicyEngineImpl.java    |  62 +-
 .../policyengine/RangerPolicyRepository.java    |  25 +
 .../RangerAbstractPolicyEvaluator.java          |   6 +-
 .../RangerAbstractPolicyItemEvaluator.java      |   9 +-
 .../RangerCachedPolicyEvaluator.java            |  26 +-
 .../RangerDefaultPolicyEvaluator.java           |  96 ++-
 .../RangerDefaultPolicyItemEvaluator.java       |  40 +-
 .../RangerOptimizedPolicyEvaluator.java         |  79 ++-
 .../RangerPolicyItemEvaluator.java              |   2 +
 .../RangerAbstractResourceMatcher.java          |   6 +-
 .../ranger/plugin/store/AbstractTagStore.java   |  45 ++
 .../apache/ranger/plugin/store/TagStore.java    |   1 +
 .../ranger/plugin/util/PolicyRefresher.java     |  11 +-
 .../plugin/policyengine/TestPolicyEngine.java   |   2 +-
 .../src/test/resources/log4j.properties         |  35 --
 agents-common/src/test/resources/log4j.xml      |  53 ++
 kms/scripts/dba_script.py                       |   8 +-
 kms/scripts/exportKeysToJCEKS.sh                |  19 +
 kms/scripts/importJCEKSKeys.sh                  |   2 +-
 .../hadoop/crypto/key/Ranger2JKSUtil.java       | 134 +++++
 .../hadoop/crypto/key/RangerKeyStore.java       |  40 +-
 .../kafka/authorizer/RangerKafkaAuthorizer.java |  84 ++-
 .../services/kafka/RangerServiceKafka.java      |  37 +-
 .../kafka/client/ServiceKafkaClient.java        |  42 +-
 pom.xml                                         |   7 +-
 ranger-kafka-plugin-shim/.gitignore             |   1 +
 .../kafka/authorizer/RangerKafkaAuthorizer.java |  87 ++-
 security-admin/.gitignore                       |   2 -
 security-admin/scripts/dba_script.py            |  26 +-
 security-admin/scripts/install.properties       |  13 +
 security-admin/scripts/setup.sh                 |  89 ++-
 .../ranger/biz/RangerPolicyRetriever.java       |   7 +-
 .../apache/ranger/biz/RangerTagDBRetriever.java | 597 +++++++++++++++++++
 .../java/org/apache/ranger/biz/TagDBStore.java  |  24 +-
 .../java/org/apache/ranger/biz/UserMgr.java     |  67 ++-
 .../java/org/apache/ranger/biz/XUserMgr.java    |  51 +-
 .../ranger/db/XXServiceResourceElementDao.java  |  12 +
 .../db/XXServiceResourceElementValueDao.java    |  25 +
 .../org/apache/ranger/db/XXTagAttributeDao.java |  23 +
 .../apache/ranger/db/XXTagAttributeDefDao.java  |  23 +
 .../java/org/apache/ranger/db/XXTagDefDao.java  |  13 +
 .../org/apache/ranger/rest/ServiceREST.java     | 198 +++---
 .../ranger/rest/ServiceTagsProcessor.java       |  27 +-
 .../handler/RangerAuthenticationProvider.java   |  28 +-
 .../java/org/apache/ranger/solr/SolrMgr.java    | 100 +++-
 .../java/org/apache/ranger/solr/SolrUtil.java   |   3 +-
 .../resources/META-INF/jpa_named_queries.xml    |  77 ++-
 .../conf.dist/security-applicationContext.xml   |   1 -
 .../src/test/resources/log4j.properties         |  35 --
 security-admin/src/test/resources/log4j.xml     |  53 ++
 src/main/assembly/kms.xml                       |   1 +
 .../ldapconfigcheck/scripts/run.sh              |   8 +-
 .../ldapconfigcheck/CommandLineOptions.java     |  14 +-
 .../ldapconfigcheck/LdapConfigCheckMain.java    |   6 +-
 .../apache/ranger/ldapconfigcheck/UserSync.java |  17 +-
 .../process/LdapUserGroupBuilder.java           | 388 ++++++------
 unixauthservice/scripts/setup.py                |   4 +-
 61 files changed, 2262 insertions(+), 684 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/42b040e6/security-admin/scripts/install.properties
----------------------------------------------------------------------
diff --cc security-admin/scripts/install.properties
index 2d52890,cb10769..5c39dcf
--- a/security-admin/scripts/install.properties
+++ b/security-admin/scripts/install.properties
@@@ -107,20 -107,9 +107,21 @@@ unix_group=range
  #
  # ------- UNIX User CONFIG  - END ----------------
  #
+ #
  
  #
 +#-------- SSO CONFIG - Start ------------------
 +#
 +sso_enabled=false
 +sso_providerurl=https://localhost:8443/gateway/knoxsso/api/v1/websso
 +sso_publickey=
 +sso_cookiename=hadoop-jwt
 +sso_query_param_originalurl=originalUrl
 +#
 +#-------- SSO CONFIG - Start ------------------
 +#
 +
 +#
  # UNIX authentication service for Policy Manager
  #
  # PolicyManager can authenticate using UNIX username/password
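Review bot: The closing banner of the new SSO block repeats `#-------- SSO CONFIG - Start ------------------`; it should read `#-------- SSO CONFIG - End ------------------` to match the other sections of the file. `sso_publickey` ships empty, so setup.sh (not visible here) should presumably refuse `sso_enabled=true` while the key is blank rather than start with token verification unconfigured. A one-line comment above each `sso_*` key stating the expected format (PEM body, cookie name, query parameter) would help whoever fills in this file.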

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/42b040e6/security-admin/scripts/setup.sh
----------------------------------------------------------------------


[11/26] incubator-ranger git commit: RANGER-602: Solr client in SolrCloud mode should work with zookeeper settings also

Posted by ma...@apache.org.
RANGER-602: Solr client in SolrCloud mode should work with zookeeper
settings also

Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/428afbce
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/428afbce
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/428afbce

Branch: refs/heads/tag-policy
Commit: 428afbce3b80d0bbcdb079ee7b0f9ed072fe8919
Parents: ad45c55
Author: Don Bosco Durai <bo...@apache.org>
Authored: Tue Nov 24 05:20:14 2015 -0800
Committer: Don Bosco Durai <bo...@apache.org>
Committed: Tue Nov 24 05:20:14 2015 -0800

----------------------------------------------------------------------
 .../java/org/apache/ranger/solr/SolrMgr.java    | 100 ++++++++++++++-----
 1 file changed, 74 insertions(+), 26 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/428afbce/security-admin/src/main/java/org/apache/ranger/solr/SolrMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/solr/SolrMgr.java b/security-admin/src/main/java/org/apache/ranger/solr/SolrMgr.java
index 2a57fa1..603e46a 100644
--- a/security-admin/src/main/java/org/apache/ranger/solr/SolrMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/solr/SolrMgr.java
@@ -26,6 +26,7 @@ import org.apache.ranger.biz.RangerBizUtil;
 import org.apache.ranger.common.PropertiesUtil;
 import org.apache.solr.client.solrj.SolrClient;
 import org.apache.solr.client.solrj.impl.BinaryRequestWriter;
+import org.apache.solr.client.solrj.impl.CloudSolrClient;
 import org.apache.solr.client.solrj.impl.HttpSolrClient;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
@@ -49,6 +50,9 @@ public class SolrMgr {
 	volatile boolean initDone = false;
 
 	final static String SOLR_URLS_PROP = "ranger.audit.solr.urls";
+	final static String SOLR_ZK_HOSTS = "ranger.audit.solr.zookeepers";
+	final static String SOLR_COLLECTION_NAME = "ranger.audit.solr.collection.name";
+	public static final String DEFAULT_COLLECTION_NAME = "ranger_audits";
 
 	public SolrMgr() {
 
@@ -59,6 +63,17 @@ public class SolrMgr {
 			synchronized (lock) {
 				if (!initDone) {
 					if (rangerBizUtil.getAuditDBType().equalsIgnoreCase("solr")) {
+						String zkHosts = PropertiesUtil
+								.getProperty(SOLR_ZK_HOSTS);
+						if (zkHosts == null) {
+							zkHosts = PropertiesUtil
+									.getProperty("ranger.audit.solr.zookeeper");
+						}
+						if (zkHosts == null) {
+							zkHosts = PropertiesUtil
+									.getProperty("ranger.solr.zookeeper");
+						}
+
 						String solrURL = PropertiesUtil
 								.getProperty(SOLR_URLS_PROP);
 
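Review bot: The fallback chain for `zkHosts` only moves to the legacy keys when the previous lookup returned null, so a `ranger.audit.solr.zookeepers` entry that is present but blank or `none` stops the chain, and `ranger.audit.solr.zookeeper` / `ranger.solr.zookeeper` are never consulted. Test for blank as well, e.g. `if (zkHosts == null || zkHosts.trim().isEmpty())`, or document that an empty primary key intentionally disables the fallbacks. The two legacy keys are bare string literals while the primary key has a constant; naming them as constants alongside `SOLR_ZK_HOSTS` would keep the three together. The `synchronized` block this code sits in begins outside the hunk.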
@@ -72,38 +87,71 @@ public class SolrMgr {
 							solrURL = PropertiesUtil
 									.getProperty("ranger.solr.url");
 						}
-						if (solrURL == null || solrURL.isEmpty()
-								|| solrURL.equalsIgnoreCase("none")) {
-							logger.fatal("Solr URL for Audit is empty. Please set property "
-									+ SOLR_URLS_PROP);
-						} else {
-							try {
-								solrClient = new HttpSolrClient(solrURL);
-								if (solrClient == null) {
-									logger.fatal("Can't connect to Solr. URL="
-											+ solrURL);
-								} else {
-									if (solrClient instanceof HttpSolrClient) {
-										HttpSolrClient httpSolrClient = (HttpSolrClient) solrClient;
-										httpSolrClient
-												.setAllowCompression(true);
-										httpSolrClient
-												.setConnectionTimeout(1000);
-										// httpSolrClient.setSoTimeout(10000);
-										httpSolrClient.setMaxRetries(1);
-										httpSolrClient
-												.setRequestWriter(new BinaryRequestWriter());
-									}
-									initDone = true;
-								}
 
+						if (zkHosts != null && !zkHosts.trim().equals("")
+								&& !zkHosts.trim().equals("none")) {
+							zkHosts = zkHosts.trim();
+							String collectionName = PropertiesUtil
+									.getProperty(SOLR_COLLECTION_NAME);
+							if (collectionName == null
+									|| collectionName.equalsIgnoreCase("none")) {
+								collectionName = DEFAULT_COLLECTION_NAME;
+							}
+
+							logger.info("Solr zkHosts=" + zkHosts
+									+ ", collectionName=" + collectionName);
+
+							try {
+								// Instantiate
+								CloudSolrClient solrCloudClient = new CloudSolrClient(
+										zkHosts);
+								solrCloudClient
+										.setDefaultCollection(collectionName);
+								solrClient = solrCloudClient;
 							} catch (Throwable t) {
 								logger.fatal(
-										"Can't connect to Solr server. URL="
-												+ solrURL, t);
+										"Can't connect to Solr server. ZooKeepers="
+												+ zkHosts + ", collection="
+												+ collectionName, t);
+							}
+
+						} else {
+							if (solrURL == null || solrURL.isEmpty()
+									|| solrURL.equalsIgnoreCase("none")) {
+								logger.fatal("Solr ZKHosts and URL for Audit are empty. Please set property "
+										+ SOLR_ZK_HOSTS
+										+ " or "
+										+ SOLR_URLS_PROP);
+							} else {
+								try {
+									solrClient = new HttpSolrClient(solrURL);
+									if (solrClient == null) {
+										logger.fatal("Can't connect to Solr. URL="
+												+ solrURL);
+									} else {
+										if (solrClient instanceof HttpSolrClient) {
+											HttpSolrClient httpSolrClient = (HttpSolrClient) solrClient;
+											httpSolrClient
+													.setAllowCompression(true);
+											httpSolrClient
+													.setConnectionTimeout(1000);
+											// httpSolrClient.setSoTimeout(10000);
+											httpSolrClient.setMaxRetries(1);
+											httpSolrClient
+													.setRequestWriter(new BinaryRequestWriter());
+										}
+										initDone = true;
+									}
+
+								} catch (Throwable t) {
+									logger.fatal(
+											"Can't connect to Solr server. URL="
+													+ solrURL, t);
+								}
 							}
 						}
 					}
+
 				}
 			}
 		}
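Review bot: The CloudSolrClient branch never sets `initDone = true`; in this hunk only the HttpSolrClient branch does. With ZooKeeper hosts configured, each call that reaches the `if (!initDone)` block would take the lock again and construct another CloudSolrClient, replacing the previous one without closing it. Add `initDone = true;` directly after `solrClient = solrCloudClient;`. The sentinel checks are also inconsistent: zkHosts uses `equals("none")` while solrURL and collectionName use `equalsIgnoreCase("none")`, and an empty collection name is passed on to `setDefaultCollection`. The enclosing method starts outside this hunk.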


[23/26] incubator-ranger git commit: RANGER-753: Optimized tag-download implementation. Instrumented policy download and policy evaluation for performance measurement.

Posted by ma...@apache.org.
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index d92fd41..7d41f07 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -168,11 +168,10 @@ public class ServiceREST {
 		RangerServiceDef ret  = null;
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createServiceDef(serviceDefName=" + serviceDef.getName() + ")");
-		}
-
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createServiceDef(serviceDefName=" + serviceDef.getName() + ")");
+			}
 			RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore);
 			validator.validate(serviceDef, Action.CREATE);
 
@@ -209,11 +208,10 @@ public class ServiceREST {
 		RangerServiceDef ret  = null;
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.updateServiceDef(" + serviceDef.getName() + ")");
-		}
-
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.updateServiceDef(" + serviceDef.getName() + ")");
+			}
 			RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore);
 			validator.validate(serviceDef, Action.UPDATE);
 
@@ -249,11 +247,10 @@ public class ServiceREST {
 
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.deleteServiceDef(serviceDefId=" + id + ")");
-		}
-
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.deleteServiceDef(serviceDefId=" + id + ")");
+			}
 			RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore);
 			validator.validate(id, Action.DELETE);
 
@@ -295,11 +292,10 @@ public class ServiceREST {
 		RangerServiceDef ret  = null;
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServiceDef(serviceDefId=" + id + ")");
-		}
-
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServiceDef(serviceDefId=" + id + ")");
+			}
 			XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(id);
 			if (!bizUtil.hasAccess(xServiceDef, null)) {
 				throw restErrorUtil.createRESTException(
@@ -341,11 +337,10 @@ public class ServiceREST {
 		RangerServiceDef ret  = null;
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServiceDefByName(", name, ")");
-		}
-
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServiceDefByName(" + name + ")");
+			}
 			XXServiceDef xServiceDef = daoManager.getXXServiceDef().findByName(name);
 			if (xServiceDef != null) {
 				if (!bizUtil.hasAccess(xServiceDef, null)) {
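Review bot: `name` is concatenated unmodified into the tracer tag in `getPerfTracer(PERF_LOG, "ServiceREST.getServiceDefByName(" + name + ")")`. The method signature is outside the hunk, but if `name` is the raw request value, embedded CR/LF characters could forge extra lines in the perf log. Neutralising line breaks before building the tag would close that, e.g. `name == null ? null : name.replaceAll("[\\r\\n]", "_")`, ideally once inside a shared helper. The same pattern appears with `serviceDef.getName()`, `service.getName()`, `policy.getName()`, `name` and `serviceName` in the other hunks of this file. How RangerPerfTracer writes the tag is not visible here, so confirm whether it already escapes it.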
@@ -389,15 +384,14 @@ public class ServiceREST {
 		RangerServiceDefList ret  = null;
 		RangerPerfTracer     perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServiceDefs()");
-		}
-
 		PList<RangerServiceDef> paginatedSvcDefs = null;
 
 		SearchFilter filter = searchUtil.getSearchFilter(request, serviceDefService.sortFields);
 
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServiceDefs()");
+			}
 			paginatedSvcDefs = svcStore.getPaginatedServiceDefs(filter);
 
 			if(paginatedSvcDefs != null) {
@@ -439,11 +433,10 @@ public class ServiceREST {
 		RangerService    ret  = null;
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createService(serviceName=" + service.getName() + ")");
-		}
-
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createService(serviceName=" + service.getName() + ")");
+			}
 			RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
 			validator.validate(service, Action.CREATE);
 
@@ -485,11 +478,10 @@ public class ServiceREST {
 		RangerService    ret  = null;
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.updateService(serviceName=" + service.getName() + ")");
-		}
-
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.updateService(serviceName=" + service.getName() + ")");
+			}
 			RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
 			validator.validate(service, Action.UPDATE);
 
@@ -530,11 +522,10 @@ public class ServiceREST {
 
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.deleteService(serviceId=" + id + ")");
-		}
-
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.deleteService(serviceId=" + id + ")");
+			}
 			RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
 			validator.validate(id, Action.DELETE);
 
@@ -575,11 +566,10 @@ public class ServiceREST {
 		RangerService    ret  = null;
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getService(serviceId=" + id + ")");
-		}
-
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getService(serviceId=" + id + ")");
+			}
 			ret = svcStore.getService(id);
 		} catch(WebApplicationException excp) {
 			throw excp;
@@ -614,11 +604,10 @@ public class ServiceREST {
 		RangerService    ret  = null;
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getService(serviceName=" + name + ")");
-		}
-
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getService(serviceName=" + name + ")");
+			}
 			ret = svcStore.getServiceByName(name);
 		} catch(WebApplicationException excp) {
 			throw excp;
@@ -653,15 +642,14 @@ public class ServiceREST {
 		RangerServiceList ret  = null;
 		RangerPerfTracer  perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServices()");
-		}
-
 		PList<RangerService> paginatedSvcs = null;
 
 		SearchFilter filter = searchUtil.getSearchFilter(request, svcService.sortFields);
 
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServices()");
+			}
 			paginatedSvcs = svcStore.getPaginatedServices(filter);
 
 			if(paginatedSvcs != null) {
@@ -699,11 +687,10 @@ public class ServiceREST {
 		List<RangerService> ret  = null;
 		RangerPerfTracer    perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServices()");
-		}
-
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServices()");
+			}
 			ret = svcStore.getServices(filter);
 		} catch(WebApplicationException excp) {
 			throw excp;
@@ -735,11 +722,10 @@ public class ServiceREST {
 		Long             ret  = null;
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.countService()");
-		}
-
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.countService()");
+			}
 			List<RangerService> services = getServices(request).getServices();
 			
 			ret = new Long(services == null ? 0 : services.size());
@@ -772,11 +758,10 @@ public class ServiceREST {
 		VXResponse       ret  = new VXResponse();
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.validateConfig(serviceName=" + service.getName() + ")");
-		}
-
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.validateConfig(serviceName=" + service.getName() + ")");
+			}
 			ret = serviceMgr.validateConfig(service, svcStore);
 		} catch(WebApplicationException excp) {
 			throw excp;
@@ -807,11 +792,10 @@ public class ServiceREST {
 		List<String>     ret  = new ArrayList<String>();
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.lookupResource(serviceName=" + serviceName + ")");
-		}
-
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.lookupResource(serviceName=" + serviceName + ")");
+			}
 			ret = serviceMgr.lookupResource(serviceName,context, svcStore);
 		} catch(WebApplicationException excp) {
 			throw excp;
@@ -841,13 +825,13 @@ public class ServiceREST {
 		RESTResponse     ret  = new RESTResponse();
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.grantAccess(serviceName=" + serviceName + ")");
-		}
-			
 		if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) {
 
 			try {
+				if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+					perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.grantAccess(serviceName=" + serviceName + ")");
+				}
+
 				String               userName   = grantRequest.getGrantor();
 				Set<String>          userGroups = userMgr.getGroupsForUser(userName);
 				RangerAccessResource resource   = new RangerAccessResourceImpl(grantRequest.getResource());
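Review bot: The tracer is now created inside the `try` that sits under `if (serviceUtil.isValidateHttpsAuthentication(serviceName, request))`, where before it was created ahead of that check. Calls that fail the check therefore no longer get a perf record. If that is intended, say so at the call site, e.g. `// tracer starts only after the HTTPS/authentication check passes; rejected calls are not timed`. Otherwise keep the guarded `getPerfTracer` call before the `if`. The revokeAccess and getServicePoliciesIfUpdated hunks have the same shape, and the code that logs `perf` is outside all three hunks.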
@@ -1000,13 +984,13 @@ public class ServiceREST {
 		RESTResponse     ret  = new RESTResponse();
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.revokeAccess(serviceName=" + serviceName + ")");
-		}
-
 		if (serviceUtil.isValidateHttpsAuthentication(serviceName,request)) {
 
 			try {
+				if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+					perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.revokeAccess(serviceName=" + serviceName + ")");
+				}
+
 				String               userName     = revokeRequest.getGrantor();
 				Set<String>          userGroups   =  userMgr.getGroupsForUser(userName);
 				RangerAccessResource resource     = new RangerAccessResourceImpl(revokeRequest.getResource());
@@ -1104,11 +1088,10 @@ public class ServiceREST {
 		RangerPolicy     ret  = null;
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createPolicy(policyName=" + policy.getName() + ")");
-		}
-		
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createPolicy(policyName=" + policy.getName() + ")");
+			}
 			// this needs to happen before validator is called
 			// set name of policy if unspecified
 			if (StringUtils.isBlank(policy.getName())) { // use of isBlank over isEmpty is deliberate as a blank string does not strike us as a particularly useful policy name!
@@ -1160,11 +1143,10 @@ public class ServiceREST {
 		RangerPolicy     ret  = null;
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.updatePolicy(policyId=" + policy.getId() + ")");
-		}
-
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.updatePolicy(policyId=" + policy.getId() + ")");
+			}
 			RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
 			validator.validate(policy, Action.UPDATE, bizUtil.isAdmin());
 
@@ -1198,11 +1180,10 @@ public class ServiceREST {
 
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.deletePolicy(policyId=" + id + ")");
-		}
-
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.deletePolicy(policyId=" + id + ")");
+			}
 			RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
 			validator.validate(id, Action.DELETE);
 
@@ -1237,11 +1218,10 @@ public class ServiceREST {
 		RangerPolicy     ret  = null;
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicy(policyId=" + id + ")");
-		}
-
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicy(policyId=" + id + ")");
+			}
 			ret = svcStore.getPolicy(id);
 
 			if(ret != null) {
@@ -1279,15 +1259,14 @@ public class ServiceREST {
 		RangerPolicyList ret  = null;
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicies()");
-		}
-
 		PList<RangerPolicy> paginatedPolicies = null;
 
 		SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields);
 
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicies()");
+			}
 			paginatedPolicies = svcStore.getPaginatedPolicies(filter);
 
 			if(paginatedPolicies != null) {
@@ -1327,11 +1306,10 @@ public class ServiceREST {
 		List<RangerPolicy> ret  = null;
 		RangerPerfTracer   perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicies()");
-		}
-
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicies()");
+			}
 			ret = svcStore.getPolicies(filter);
 
 			applyAdminAccessFilter(ret);
@@ -1363,11 +1341,10 @@ public class ServiceREST {
 		Long             ret  = null;
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.countPolicies()");
-		}
-
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.countPolicies()");
+			}
 			List<RangerPolicy> policies = getPolicies(request).getPolicies();
 
 			applyAdminAccessFilter(policies);
@@ -1402,15 +1379,14 @@ public class ServiceREST {
 		RangerPolicyList ret  = null;
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePolicies(serviceId=" + serviceId + ")");
-		}
-
 		PList<RangerPolicy> paginatedPolicies = null;
 
 		SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields);
 
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePolicies(serviceId=" + serviceId + ")");
+			}
 			paginatedPolicies = svcStore.getPaginatedServicePolicies(serviceId, filter);
 
 			if(paginatedPolicies != null) {
@@ -1459,15 +1435,14 @@ public class ServiceREST {
 		RangerPolicyList ret  = null;
 		RangerPerfTracer perf = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePolicies(serviceName=" + serviceName + ")");
-		}
-
 		PList<RangerPolicy> paginatedPolicies = null;
 
 		SearchFilter filter = searchUtil.getSearchFilter(request, policyService.sortFields);
 
 		try {
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePolicies(serviceName=" + serviceName + ")");
+			}
 			paginatedPolicies = svcStore.getPaginatedServicePolicies(serviceName, filter);
 
 			if(paginatedPolicies != null) {
@@ -1518,16 +1493,15 @@ public class ServiceREST {
 		String          logMsg   = null;
 		RangerPerfTracer perf    = null;
 
-		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePoliciesIfUpdated(serviceName=" + serviceName + ", lastKnownVersion=" + lastKnownVersion + ")");
-		}
-
 		if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) {
 			if(lastKnownVersion == null) {
 				lastKnownVersion = new Long(-1);
 			}
 			
 			try {
+				if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+					perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServicePoliciesIfUpdated(serviceName=" + serviceName + ",lastKnownVersion=" + lastKnownVersion + ")");
+				}
 				ret = svcStore.getServicePoliciesIfUpdated(serviceName, lastKnownVersion);
 	
 				if(ret == null) {

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java
index b1986be..1dcc242 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java
@@ -412,32 +412,9 @@ public class ServiceTagsProcessor {
 
 		// TODO:
 		// This is an inefficient implementation. Replace by direct database deletes
+		boolean isResourePrivateTag = StringUtils.equals(serviceTags.getTagModel(), ServiceTags.TAGMODEL_RESOURCE_PRIVATE) ? true : false;
 
-		SearchFilter searchAll = new SearchFilter();
-
-		List<RangerTagResourceMap> allTagResourceMaps = tagStore.getTagResourceMaps(searchAll);
-		for (RangerTagResourceMap tagResourceMap : allTagResourceMaps) {
-			tagStore.deleteTagResourceMap(tagResourceMap.getId());
-		}
-
-		List<RangerServiceResource> allServiceResources = tagStore.getServiceResources(searchAll);
-		for (RangerServiceResource serviceResource : allServiceResources) {
-			tagStore.deleteServiceResource(serviceResource.getId());
-		}
-
-		List<RangerTag> allTags = tagStore.getTags(searchAll);
-		for (RangerTag tag : allTags) {
-			tagStore.deleteTag(tag.getId());
-		}
-
-		List<RangerTagDef> allTagDefs = tagStore.getTagDefs(searchAll);
-		for (RangerTagDef tagDef : allTagDefs) {
-			tagStore.deleteTagDef(tagDef.getId());
-		}
-
-		if (LOG.isDebugEnabled()) {
-			LOG.debug("ServiceTagsProcessor.replace() : All tag-related objects are removed now. Adding objects specified in ServiceTags..");
-		}
+		tagStore.deleteAllTagObjectsForService(serviceTags.getServiceName(), isResourePrivateTag);
 
 		addOrUpdate(serviceTags);
 
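Review bot: The `// TODO: This is an inefficient implementation. Replace by direct database deletes` comment is kept above code that no longer loops over the store, so it now describes nothing in this method. Drop it, or move it to `deleteAllTagObjectsForService` if it still applies there. The new flag has a redundant `? true : false` and a misspelled name; `boolean isResourcePrivateTag = StringUtils.equals(serviceTags.getTagModel(), ServiceTags.TAGMODEL_RESOURCE_PRIVATE);` is enough. A short comment on what is deleted when the flag is false would help, because the removed code appears to have cleared tag objects for every service (an empty `SearchFilter`), while the new call is scoped by service name. The method begins and ends outside the hunk.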

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
index 4719fc9..ac1c87a 100644
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
+++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
@@ -664,9 +664,18 @@
 	<!-- Start ==> JPA Queries for Tag Based Policies  -->
 	
 	<named-query name="XXServiceResourceElement.findByResourceId">
-		<query>select obj from XXServiceResourceElement obj where obj.resourceId = :resourceId</query>
+		<query>select obj from XXServiceResourceElement obj where obj.resourceId = :resourceId order by obj.resourceId, obj.id</query>
 	</named-query>
-	
+
+	<named-query name="XXServiceResourceElement.findByServiceId">
+		<query>select obj from XXServiceResourceElement obj where obj.resourceId in
+					(select serviceresource.id from XXServiceResource serviceresource where serviceresource.serviceId = :serviceId and serviceresource.id in
+						(select tagResMap.resourceId from XXTagResourceMap tagResMap)
+					)
+			order by obj.resourceId, obj.id
+		</query>
+	</named-query>
+
 	<named-query name="XXServiceResourceElementValue.findByResElementId">
 		<query>select obj from XXServiceResourceElementValue obj where obj.resElementId = :resElementId</query>
 	</named-query>
@@ -675,6 +684,21 @@
 		<query>select obj.value from XXServiceResourceElementValue obj where obj.resElementId = :resElementId</query>
 	</named-query>
 
+	<named-query name="XXServiceResourceElementValue.findByServiceId">
+		<query>select obj from XXServiceResourceElementValue obj, XXServiceResourceElement resElem where obj.resElementId = resElem.id and resElem.resourceId in
+					(select res.id from XXServiceResource res where res.serviceId = :serviceId and res.id in
+						(select tagResMap.resourceId from XXTagResourceMap tagResMap)
+					)
+			order by resElem.resourceId, resElem.id
+		</query>
+	</named-query>
+
+	<named-query name="XXServiceResourceElementValue.findByResourceId">
+		<query>select obj from XXServiceResourceElementValue obj, XXServiceResourceElement resElem where obj.resElementId = resElem.id and resElem.resourceId = :resourceId
+			order by resElem.resourceId, resElem.id
+		</query>
+	</named-query>
+
 	<named-query name="XXTagResourceMap.findByGuid">
 		<query>select obj from XXTagResourceMap obj where obj.guid = :guid</query>
 	</named-query>
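Review bot: The two added XXServiceResourceElementValue queries sort only by `resElem.resourceId, resElem.id`, so values belonging to the same element come back in an order the database is free to choose. If the caller relies on row order to rebuild resources (the caller is not visible here), add the value's own key as a final sort term: `order by resElem.resourceId, resElem.id, obj.id`. This assumes the entity exposes `id` like the others in this file. The later hunks have the same gap in `XXTagAttributeDef.findByServiceId` and `findByResourceId` (`order by obj.tagDefId`) and in `XXTagAttribute.findByServiceId` and `findByResourceId` (`order by obj.tagId`).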
@@ -711,7 +735,7 @@
 
 	<named-query name="XXTagResourceMap.getTagIdsForResourceId">
 		<query>select obj.tagId from XXTagResourceMap obj
-				where obj.resourceId = :resourceId
+				where obj.resourceId = :resourceId order by obj.id
 		</query>
 	</named-query>
 	
@@ -725,7 +749,16 @@
 	
 	<named-query name="XXTagDef.findByServiceId">
 		<query>select obj from XXTagDef obj where obj.id in
-				(select tag.type from XXTag tag, XXTagResourceMap tagRes, XXServiceResource resource where tag.id = tagRes.tagId and tagRes.resourceId = resource.id and resource.serviceId = :serviceId)</query>
+				(select tag.type from XXTag tag, XXTagResourceMap tagRes, XXServiceResource resource where tag.id = tagRes.tagId and tagRes.resourceId = resource.id and resource.serviceId = :serviceId)
+				order by obj.id
+		</query>
+	</named-query>
+
+	<named-query name="XXTagDef.findByResourceId">
+		<query>select obj from XXTagDef obj where obj.id in
+			(select tag.type from XXTag tag, XXTagResourceMap tagRes where tag.id = tagRes.tagId and tagRes.resourceId = :resourceId)
+			order by obj.id
+		</query>
 	</named-query>
 
 	<named-query name="XXTagDef.getAllNames">
@@ -742,9 +775,22 @@
 		<query>select obj from XXTagAttributeDef obj where obj.tagDefId = :tagDefId</query>
 	</named-query>
 
-	
+	<named-query name="XXTagAttributeDef.findByServiceId">
+		<query>select obj from XXTagAttributeDef obj where obj.tagDefId in
+			(select tag.type from XXTag tag, XXTagResourceMap tagRes, XXServiceResource resource where tag.id = tagRes.tagId and tagRes.resourceId = resource.id and resource.serviceId = :serviceId)
+			order by obj.tagDefId
+		</query>
+	</named-query>
+
+	<named-query name="XXTagAttributeDef.findByResourceId">
+		<query>select obj from XXTagAttributeDef obj where obj.tagDefId in
+			(select tag.type from XXTag tag, XXTagResourceMap tagRes where tag.id = tagRes.tagId and tagRes.resourceId = :resourceId)
+			order by obj.tagDefId
+		</query>
+	</named-query>
+
 	<named-query name="XXTag.findByGuid">
-		<query>select obj from XXTag obj where obj.guid = :guid</query>
+		<query>select obj from XXTag obj where obj.guid = :guid order by obj.id</query>
 	</named-query>
 	
 	<named-query name="XXTag.findByName">
@@ -752,7 +798,7 @@
 	</named-query>
 
 	<named-query name="XXTag.findByResourceId">
-		<query>select obj from XXTag obj, XXTagResourceMap tagResMap where tagResMap.resourceId = :resourceId and obj.id = tagResMap.tagId</query>
+		<query>select obj from XXTag obj, XXTagResourceMap tagResMap where tagResMap.resourceId = :resourceId and obj.id = tagResMap.tagId order by obj.id</query>
 	</named-query>
 
 	<named-query name="XXTag.findByResourceGuid">
@@ -766,7 +812,9 @@
 	
 	<named-query name="XXTag.findByServiceId">
 		<query>select obj from XXTag obj where obj.id in
-			(select tagRes.tagId from XXTagResourceMap tagRes, XXServiceResource resource where tagRes.resourceId = resource.id and resource.serviceId = :serviceId)</query>
+			(select tagRes.tagId from XXTagResourceMap tagRes, XXServiceResource resource where tagRes.resourceId = resource.id and resource.serviceId = :serviceId)
+			order by obj.id
+		</query>
 	</named-query>
 
 	<named-query name="XXTag.updateTagVersionInService">
@@ -779,6 +827,19 @@
 		<query>select obj from XXTagAttribute obj where obj.tagId = :tagId</query>
 	</named-query>
 
+	<named-query name="XXTagAttribute.findByServiceId">
+		<query>select obj from XXTagAttribute obj where obj.tagId in
+			(select tagRes.tagId from XXTagResourceMap tagRes, XXServiceResource resource where tagRes.resourceId = resource.id and resource.serviceId = :serviceId)
+			order by obj.tagId
+		</query>
+	</named-query>
+
+	<named-query name="XXTagAttribute.findByResourceId">
+		<query>select obj from XXTagAttribute obj where obj.tagId in
+			(select tagRes.tagId from XXTagResourceMap tagRes where tagRes.resourceId = :resourceId)
+			order by obj.tagId
+		</query>
+	</named-query>
 
 	<named-query name="XXServiceResource.findByGuid">
 		<query>select obj from XXServiceResource obj where obj.guid = :guid</query>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/security-admin/src/test/resources/log4j.properties
----------------------------------------------------------------------
diff --git a/security-admin/src/test/resources/log4j.properties b/security-admin/src/test/resources/log4j.properties
deleted file mode 100644
index cb409e8..0000000
--- a/security-admin/src/test/resources/log4j.properties
+++ /dev/null
@@ -1,35 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##-- To prevent junits from cluttering the build run by default all test runs send output to null appender 
-log4j.appender.devnull=org.apache.log4j.varia.NullAppender
-ranger.root.logger=FATAL,devnull
-
-##-- uncomment the following line during during development/debugging so see debug messages during test run to be emitted to console
-# ranger.root.logger=DEBUG,console
-
-log4j.rootLogger=${ranger.root.logger}
-
-# Logging Threshold
-log4j.threshold=ALL
-
-#
-# console
-# Add "console" to rootlogger above if you want to use this
-#
-log4j.appender.console=org.apache.log4j.ConsoleAppender
-log4j.appender.console.target=System.err
-log4j.appender.console.layout=org.apache.log4j.PatternLayout
-log4j.appender.console.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c{2}: %m%n

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/security-admin/src/test/resources/log4j.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/test/resources/log4j.xml b/security-admin/src/test/resources/log4j.xml
new file mode 100644
index 0000000..48ed214
--- /dev/null
+++ b/security-admin/src/test/resources/log4j.xml
@@ -0,0 +1,53 @@
+<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
+
+<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/" debug="false">
+
+    <appender name="console" class="org.apache.log4j.ConsoleAppender">
+        <param name="target" value="System.err" />
+        <layout class="org.apache.log4j.PatternLayout">
+            <param name="ConversionPattern" value="%d{ISO8601} %-5p [%t] %c{2}: %m%n" />
+        </layout>
+    </appender>
+
+    <!--
+    <appender name="perf_appender" class="org.apache.log4j.DailyRollingFileAppender">
+        <param name="file" value="./ranger_admin_perf_test.log" />
+        <param name="datePattern" value="'.'yyyy-MM-dd" />
+        <param name="append" value="true" />
+        <layout class="org.apache.log4j.PatternLayout">
+            <param name="ConversionPattern" value="%d [%t] %m%n" />
+        </layout>
+    </appender>
+
+    <category name="ranger.perf" additivity="false">
+        <priority value="info" />
+        <appender-ref ref="perf_appender" />
+    </category>
+
+    <category name="ranger.perf.policy" additivity="false">
+        <priority value="warn" />
+        <appender-ref ref="perf_appender" />
+    </category>
+
+    <category name="ranger.perf.item" additivity="false">
+        <priority value="warn" />
+        <appender-ref ref="perf_appender" />
+    </category>
+
+    <category name="ranger.perf.condition" additivity="false">
+        <priority value="warn" />
+        <appender-ref ref="perf_appender" />
+    </category>
+
+    <category name="ranger.perf.enricher" additivity="false">
+        <priority value="warn" />
+        <appender-ref ref="perf_appender" />
+    </category>
+    -->
+
+    <root>
+        <priority value="warn" />
+        <appender-ref ref="console" />
+    </root>
+
+</log4j:configuration>


[06/26] incubator-ranger git commit: RANGER-733 : Implement best coding practices to resolve issues found during code scan

Posted by ma...@apache.org.
RANGER-733 : Implement best coding practices to resolve issues found during code scan


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/624310dc
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/624310dc
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/624310dc

Branch: refs/heads/tag-policy
Commit: 624310dcf1d1a3a1823834681e949dbd89fd09c0
Parents: e47756c
Author: Gautam Borad <ga...@apache.org>
Authored: Wed Nov 18 10:08:17 2015 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Fri Nov 20 22:58:53 2015 +0530

----------------------------------------------------------------------
 .../apache/ranger/plugin/client/BaseClient.java | 10 ++++++-
 .../ranger/services/knox/client/KnoxClient.java |  6 ++--
 .../ranger/services/kms/client/KMSClient.java   |  4 +--
 .../org/apache/ranger/biz/RangerBizUtil.java    | 29 ++++++++++++++++----
 .../java/org/apache/ranger/biz/UserMgr.java     |  8 ++----
 .../java/org/apache/ranger/biz/XUserMgr.java    | 11 ++++++--
 .../apache/ranger/json/JsonDateSerializer.java  |  5 ++--
 .../service/AbstractBaseResourceService.java    |  4 +--
 .../ranger/service/RangerBaseModelService.java  |  2 +-
 .../ranger/service/XAccessAuditService.java     | 11 --------
 .../apache/ranger/service/XPolicyService.java   |  2 +-
 .../apache/ranger/view/VXGroupPermission.java   |  2 +-
 .../org/apache/ranger/view/VXModuleDef.java     |  2 +-
 .../apache/ranger/view/VXUserPermission.java    |  2 +-
 .../org/apache/ranger/biz/TestXUserMgr.java     |  1 -
 .../TestRangerServiceDefServiceBase.java        |  2 --
 .../services/storm/client/StormClient.java      |  6 ++--
 .../unix/jaas/RemoteUnixLoginModule.java        |  4 +--
 .../scripts/ranger-usersync-services.sh         |  2 +-
 19 files changed, 65 insertions(+), 48 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/624310dc/agents-common/src/main/java/org/apache/ranger/plugin/client/BaseClient.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/client/BaseClient.java b/agents-common/src/main/java/org/apache/ranger/plugin/client/BaseClient.java
index 4ef3b48..0242caa 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/client/BaseClient.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/client/BaseClient.java
@@ -159,5 +159,13 @@ public abstract class BaseClient {
 		}
 		return StringUtils.join(errList, "");
 	}
-	
+
+	public static Map<String, String> getMaskedConfigMap(Map<String, String> configMap){
+		Map<String, String> maskedMap=new HashMap<String, String>();
+		maskedMap.putAll(configMap);
+		if(maskedMap!=null && maskedMap.containsKey("password")){
+			maskedMap.put("password", "*****");
+		}
+		return maskedMap;
+	}
 }
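Review bot: `getMaskedConfigMap` throws a NullPointerException for a null `configMap`, because `maskedMap.putAll(configMap)` runs before the null test, and that test checks `maskedMap`, which was just constructed and can never be null. The KMSClient and StormClient hunks of this commit call it inside the debug branch ahead of their own `configs == null` check, so enabling debug logging turns a handled empty-config case into an exception. Masking is also limited to the exact key `password`; any other credential-bearing key in the map would still be logged in clear, so matching keys that contain "password" case-insensitively is safer. A null-safe version is sketched below.

```java
public static Map<String, String> getMaskedConfigMap(Map<String, String> configMap){
	Map<String, String> maskedMap=new HashMap<String, String>();
	if(configMap!=null){
		for(Map.Entry<String, String> entry : configMap.entrySet()){
			String key=entry.getKey();
			// mask every key that names a password, not only the exact key "password"
			boolean isSecret=key!=null
					&& key.toLowerCase(java.util.Locale.ROOT).contains("password");
			maskedMap.put(key, isSecret ? "*****" : entry.getValue());
		}
	}
	return maskedMap;
}
```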

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/624310dc/knox-agent/src/main/java/org/apache/ranger/services/knox/client/KnoxClient.java
----------------------------------------------------------------------
diff --git a/knox-agent/src/main/java/org/apache/ranger/services/knox/client/KnoxClient.java b/knox-agent/src/main/java/org/apache/ranger/services/knox/client/KnoxClient.java
index f4d5858..6859492 100644
--- a/knox-agent/src/main/java/org/apache/ranger/services/knox/client/KnoxClient.java
+++ b/knox-agent/src/main/java/org/apache/ranger/services/knox/client/KnoxClient.java
@@ -314,8 +314,10 @@ public class KnoxClient {
 	public static KnoxClient getKnoxClient(String serviceName,
 										   Map<String, String> configs) {
 		KnoxClient knoxClient = null;
-		LOG.debug("Getting knoxClient for ServiceName: " + serviceName
-				+ "configMap: " + configs);
+		if(LOG.isDebugEnabled()){
+			LOG.debug("Getting knoxClient for ServiceName: " + serviceName);
+			LOG.debug("configMap: " + BaseClient.getMaskedConfigMap(configs));
+		}
 		String errMsg = " You can still save the repository and start creating "
 				+ "policies, but you would not be able to use autocomplete for "
 				+ "resource names. Check xa_portal.log for more info.";

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/624310dc/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
index c67584e..061f95c 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
@@ -309,8 +309,8 @@ public class KMSClient {
 			Map<String, String> configs) {
 		KMSClient kmsClient = null;
 		if (LOG.isDebugEnabled()) {
-			LOG.debug("Getting KmsClient for datasource: " + serviceName
-					+ "configMap: " + configs);
+			LOG.debug("Getting KmsClient for datasource: " + serviceName);
+			LOG.debug("configMap: " + BaseClient.getMaskedConfigMap(configs));
 		}
 		String errMsg = errMessage;
 		if (configs == null || configs.isEmpty()) {

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/624310dc/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index e00db2c..730c087 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -1334,13 +1334,30 @@ public class RangerBizUtil {
 		Long trxId = guidUtil.genLong();
 
 		for (XXTrxLog xTrxLog : trxLogList) {
-			xTrxLog.setTransactionId(trxId.toString());
-			if (authSessionId != null) {
-				xTrxLog.setSessionId("" + authSessionId);
+			if (xTrxLog != null) {
+				if ("Password".equalsIgnoreCase(xTrxLog.getAttributeName()
+						.trim())) {
+					if (xTrxLog.getPreviousValue() != null
+							&& !xTrxLog.getPreviousValue().trim().isEmpty()
+							&& !"null".equalsIgnoreCase(xTrxLog
+									.getPreviousValue().trim())) {
+						xTrxLog.setPreviousValue(AppConstants.Masked_String);
+					}
+					if (xTrxLog.getNewValue() != null
+							&& !xTrxLog.getNewValue().trim().isEmpty()
+							&& !"null".equalsIgnoreCase(xTrxLog.getNewValue()
+									.trim())) {
+						xTrxLog.setNewValue(AppConstants.Masked_String);
+					}
+				}
+				xTrxLog.setTransactionId(trxId.toString());
+				if (authSessionId != null) {
+					xTrxLog.setSessionId("" + authSessionId);
+				}
+				xTrxLog.setSessionType("Spring Authenticated Session");
+				xTrxLog.setRequestId(trxId.toString());
+				daoManager.getXXTrxLog().create(xTrxLog);
 			}
-			xTrxLog.setSessionType("Spring Authenticated Session");
-			xTrxLog.setRequestId(trxId.toString());
-			daoManager.getXXTrxLog().create(xTrxLog);
 		}
 	}
 
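Review bot: The new masking branch dereferences `xTrxLog.getAttributeName()` without a null check, so a transaction-log entry with no attribute name would throw inside the loop and the remaining audit entries would presumably not be persisted. Guard it with `String attr = xTrxLog.getAttributeName();` and `if (attr != null && "Password".equalsIgnoreCase(attr.trim())) {`. Masking also depends on the attribute being named exactly "Password"; if other credential fields are audited under different names (not visible here), their values would still be stored in clear. Null list entries are now skipped silently, and a warning log would make that visible. The enclosing method starts outside the hunk.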

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/624310dc/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index 8fbad1f..ee9d14b 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -294,7 +294,7 @@ public class UserMgr {
 					userProfile, gjUser, "update");
 
 			userProfile.setPassword(gjUser.getPassword());
-			userProfile = xPortalUserService.updateResource(userProfile);
+			xPortalUserService.updateResource(userProfile);
 			sessionMgr.resetUserSessionForProfiles(ContextUtil
 					.getCurrentUserSession());
 
@@ -1231,10 +1231,8 @@ public class UserMgr {
 	
 	public void checkAdminAccess() {
 		UserSessionBase sess = ContextUtil.getCurrentUserSession();
-		if (sess != null) {
-			if (sess != null && sess.isUserAdmin()) {
-				return;
-			}
+		if (sess != null && sess.isUserAdmin()) {
+			return;
 		}
 		throw restErrorUtil.create403RESTException("Operation not allowed." + " loggedInUser=" + (sess != null ? sess.getXXPortalUser().getId() : "Not Logged In"));
 	}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/624310dc/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index 2d43379..3f2c041 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -396,6 +396,7 @@ public class XUserMgr extends XUserMgrBase {
 			roleList = userMgr.getRolesForUser(xXPortalUser);
 		}
 		if (roleList == null || roleList.size() == 0) {
+			roleList = new ArrayList<String>();
 			roleList.add(RangerConstants.ROLE_USER);
 		}
 
@@ -501,7 +502,11 @@ public class XUserMgr extends XUserMgrBase {
 			vXGroupUser = xGroupUserService
 					.createXGroupUserWithOutLogin(vXGroupUser);
 		}
-
+		VXPortalUser vXPortalUser = userMgr.getUserProfileByLoginId(vXUser
+				.getName());
+		if(vXPortalUser!=null){
+			assignPermissionToUser(vXPortalUser, true);
+		}
 		vxUGInfo.setXgroupInfo(vxg);
 
 		return vxUGInfo;
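Review bot: The added `assignPermissionToUser(vXPortalUser, true)` call changes which users receive module permissions, a behavioural change to authorization in a commit described as code-scan cleanup, and nothing in the hunk explains it. A comment above the call should state why permissions are assigned at this point and what the boolean selects, for example `// assign module permissions to the portal user matching this login; 'true' = <meaning of flag>`. When `getUserProfileByLoginId` returns null the assignment is skipped without any trace, so a log line in an `else` branch would help when diagnosing users who end up without permissions. The enclosing method starts outside the hunk.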
@@ -838,7 +843,7 @@ public class XUserMgr extends XUserMgrBase {
 
 				for (VXGroupPermission oldVXGroupPerm : groupPermListOld) {
 					if (newVXGroupPerm.getModuleId().equals(oldVXGroupPerm.getModuleId()) && newVXGroupPerm.getGroupId().equals(oldVXGroupPerm.getGroupId())) {
-						if (newVXGroupPerm.getIsAllowed() != oldVXGroupPerm.getIsAllowed()) {
+						if (!newVXGroupPerm.getIsAllowed().equals(oldVXGroupPerm.getIsAllowed())) {
 							oldVXGroupPerm.setIsAllowed(newVXGroupPerm.getIsAllowed());
 							oldVXGroupPerm = this.updateXGroupPermission(oldVXGroupPerm);
 						}
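Review bot: `newVXGroupPerm.getIsAllowed().equals(...)` throws a NullPointerException when the new permission carries no `isAllowed` value, which the previous `!=` comparison tolerated; `isAllowed` is declared as `Integer` in the VXGroupPermission hunk of this commit, so null is representable. The same applies to the `newVXUserPerm` comparison in the next hunk. A null-safe form is `Integer newAllowed = newVXGroupPerm.getIsAllowed();` followed by `if (newAllowed != null && !newAllowed.equals(oldVXGroupPerm.getIsAllowed())) {`, assuming a missing value should leave the stored permission unchanged. The enclosing loop starts outside the hunk.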
@@ -857,7 +862,7 @@ public class XUserMgr extends XUserMgrBase {
 				boolean isExist = false;
 				for (VXUserPermission oldVXUserPerm : userPermListOld) {
 					if (newVXUserPerm.getModuleId().equals(oldVXUserPerm.getModuleId()) && newVXUserPerm.getUserId().equals(oldVXUserPerm.getUserId())) {
-						if (newVXUserPerm.getIsAllowed() != oldVXUserPerm.getIsAllowed()) {
+						if (!newVXUserPerm.getIsAllowed().equals(oldVXUserPerm.getIsAllowed())) {
 							oldVXUserPerm.setIsAllowed(newVXUserPerm.getIsAllowed());
 							oldVXUserPerm = this.updateXUserPermission(oldVXUserPerm);
 						}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/624310dc/security-admin/src/main/java/org/apache/ranger/json/JsonDateSerializer.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/json/JsonDateSerializer.java b/security-admin/src/main/java/org/apache/ranger/json/JsonDateSerializer.java
index 7493226..1d7cfcf 100644
--- a/security-admin/src/main/java/org/apache/ranger/json/JsonDateSerializer.java
+++ b/security-admin/src/main/java/org/apache/ranger/json/JsonDateSerializer.java
@@ -37,14 +37,13 @@ import org.springframework.stereotype.Component;
 @Component
 public class JsonDateSerializer extends JsonSerializer<Date> {
 
-	private static final SimpleDateFormat dateFormat = new SimpleDateFormat
-			("yyyy-MM-dd'T'HH:mm:ss'Z'");
+	private static final String DATE_FORMAT = "yyyy-MM-dd'T'HH:mm:ss'Z'";
 	@Override
 	public void serialize(Date date, JsonGenerator gen,
 			SerializerProvider provider) throws IOException,
 			JsonProcessingException {
 
-		String formattedDate = dateFormat.format(date);
+		String formattedDate = new SimpleDateFormat(DATE_FORMAT).format(date);
 		gen.writeString(formattedDate);
 	}
 
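Review bot: The pattern ends in a quoted literal `'Z'`, but `new SimpleDateFormat(DATE_FORMAT)` formats in the JVM's default time zone, so on a server not running in UTC the emitted string is labelled UTC while carrying local time. If consumers read the suffix as UTC, set the zone explicitly: `SimpleDateFormat fmt = new SimpleDateFormat(DATE_FORMAT);`, `fmt.setTimeZone(TimeZone.getTimeZone("UTC"));`, then `gen.writeString(fmt.format(date));` (this needs `java.util.TimeZone` in the import block, which is outside the hunk). Creating the formatter per call does remove the shared, non-thread-safe static instance, so that part of the change is sound.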

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/624310dc/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java b/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java
index 49f5dde..fb51534 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java
@@ -234,12 +234,12 @@ public abstract class AbstractBaseResourceService<T extends XXDBBase, V extends
 		}
 
 		// Get total count of the rows which meet the search criteria
-		countQueryStr = "SELECT COUNT(obj) FROM " + tEntityClass.getName()
+		countQueryStr = "SELECT COUNT(obj) FROM " + className
 				+ " obj ";
 		queryStr = "SELECT obj FROM " + className + " obj ";
 
 		distinctCountQueryStr = "SELECT COUNT(distinct obj.id) FROM "
-				+ tEntityClass.getName() + " obj ";
+				+ className + " obj ";
 		distinctQueryStr = "SELECT distinct obj FROM " + className + " obj ";
 		sortFields.add(new SortField("id", "obj.id",true,SORT_ORDER.ASC));
 		registerService(this);

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/624310dc/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java
index ac251c6..ec358bb 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java
@@ -111,7 +111,7 @@ public abstract class RangerBaseModelService<T extends XXDBBase, V extends Range
 
 		populateExistingBaseFields = false;
 		
-		countQueryStr = "SELECT COUNT(obj) FROM " + tEntityClass.getName() + " obj ";
+		countQueryStr = "SELECT COUNT(obj) FROM " + tClassName + " obj ";
 		queryStr = "SELECT obj FROM " + tClassName + " obj ";
 	}
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/624310dc/security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java b/security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java
index 2bca389..de3b87f 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java
@@ -28,7 +28,6 @@ import org.apache.ranger.common.SearchCriteria;
 import org.apache.ranger.common.SearchField;
 import org.apache.ranger.common.SearchField.DATA_TYPE;
 import org.apache.ranger.common.SearchField.SEARCH_TYPE;
-import org.apache.ranger.common.SearchUtil;
 import org.apache.ranger.common.SortField;
 import org.apache.ranger.common.SortField.SORT_ORDER;
 import org.apache.ranger.db.RangerDaoManager;
@@ -45,20 +44,10 @@ import org.springframework.stereotype.Service;
 @Scope("singleton")
 public class XAccessAuditService extends XAccessAuditServiceBase<XXAccessAudit, VXAccessAudit>{
 	public static final String NAME = "XAccessAudit";
-	public List<SortField> sortFields = new ArrayList<SortField>();
-	public List<SearchField> searchFields = new ArrayList<SearchField>();
-
-	@Autowired
-	protected SearchUtil searchUtil;
-	
 	@Autowired
 	RangerDaoManager appDaoMgr;
-
-	protected String queryStr;
 	protected final String distinctCountQueryStr;
 	protected final String distinctQueryStr;
-	protected String countQueryStr;
-
 
 	public XAccessAuditService() {
 		countQueryStr = "SELECT COUNT(obj) FROM XXAccessAudit  obj ";

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/624310dc/security-admin/src/main/java/org/apache/ranger/service/XPolicyService.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XPolicyService.java b/security-admin/src/main/java/org/apache/ranger/service/XPolicyService.java
index 42de408..5e8ed56 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XPolicyService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/XPolicyService.java
@@ -236,7 +236,7 @@ public class XPolicyService extends PublicAPIServiceBase<VXResource, VXPolicy> {
 		
 		int assetType = AppConstants.getEnumFor_AssetType(vXPolicy
 				.getRepositoryType());
-		if (assetType == 0 || assetType == AppConstants.ASSET_UNKNOWN) {
+		if (assetType == AppConstants.ASSET_UNKNOWN) {
 			assetType = xAsset.getAssetType();
 			vXPolicy.setRepositoryType(AppConstants.getLabelFor_AssetType(assetType));
 		}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/624310dc/security-admin/src/main/java/org/apache/ranger/view/VXGroupPermission.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/view/VXGroupPermission.java b/security-admin/src/main/java/org/apache/ranger/view/VXGroupPermission.java
index 445b5f0..2e02eb5 100644
--- a/security-admin/src/main/java/org/apache/ranger/view/VXGroupPermission.java
+++ b/security-admin/src/main/java/org/apache/ranger/view/VXGroupPermission.java
@@ -34,7 +34,7 @@ public class VXGroupPermission extends VXDataObject implements java.io.Serializa
 
 	private static final long serialVersionUID = 1L;
 
-	protected Long id;
+
 	protected Long groupId;
 	protected Long moduleId;
 	protected Integer isAllowed;

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/624310dc/security-admin/src/main/java/org/apache/ranger/view/VXModuleDef.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/view/VXModuleDef.java b/security-admin/src/main/java/org/apache/ranger/view/VXModuleDef.java
index 3923d07..0c9ee5e 100644
--- a/security-admin/src/main/java/org/apache/ranger/view/VXModuleDef.java
+++ b/security-admin/src/main/java/org/apache/ranger/view/VXModuleDef.java
@@ -37,7 +37,7 @@ public class VXModuleDef extends VXDataObject implements java.io.Serializable {
 
 	private static final long serialVersionUID = 1L;
 
-	protected Long id;
+
 	protected Date createTime;
 	protected Date updateTime;
 	protected Long addedById;

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/624310dc/security-admin/src/main/java/org/apache/ranger/view/VXUserPermission.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/view/VXUserPermission.java b/security-admin/src/main/java/org/apache/ranger/view/VXUserPermission.java
index cdbddc5..82b5995 100644
--- a/security-admin/src/main/java/org/apache/ranger/view/VXUserPermission.java
+++ b/security-admin/src/main/java/org/apache/ranger/view/VXUserPermission.java
@@ -34,7 +34,7 @@ public class VXUserPermission extends VXDataObject implements
 
 	private static final long serialVersionUID = 1L;
 
-	protected Long id;
+
 	protected Long userId;
 	protected Long moduleId;
 	protected Integer isAllowed;

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/624310dc/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
index e992190..8ace44b 100644
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
@@ -242,7 +242,6 @@ public class TestXUserMgr {
 		Mockito.when(xUserService.createResource(vxUser)).thenReturn(vxUser);
 		XXModuleDefDao value = Mockito.mock(XXModuleDefDao.class);
 		Mockito.when(daoManager.getXXModuleDef()).thenReturn(value);
-		List<XXModuleDef> lsvalue = new ArrayList<XXModuleDef>();
 
 		Mockito.when(
 				userMgr.createDefaultAccountUser((VXPortalUser) Mockito

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/624310dc/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefServiceBase.java
----------------------------------------------------------------------
diff --git a/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefServiceBase.java b/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefServiceBase.java
index e01e23c..67d1feb 100644
--- a/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefServiceBase.java
+++ b/security-admin/src/test/java/org/apache/ranger/service/TestRangerServiceDefServiceBase.java
@@ -292,8 +292,6 @@ public class TestRangerServiceDefServiceBase {
 				resourceDefObj.getDescription());
 		Assert.assertEquals(dbRangerResourceDef.getType(),
 				resourceDefObj.getType());
-		Assert.assertEquals(dbRangerResourceDef.getParent(),
-				resourceDefObj.getParent());
 		Assert.assertEquals(dbRangerResourceDef.getRbKeyDescription(),
 				resourceDefObj.getRbkeydescription());
 		Mockito.verify(daoManager).getXXResourceDef();

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/624310dc/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java
----------------------------------------------------------------------
diff --git a/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java b/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java
index 2b62c4f..c7c746d 100644
--- a/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java
+++ b/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java
@@ -329,8 +329,10 @@ public class StormClient {
 	public static StormClient getStormClient(String serviceName,
 			Map<String, String> configs) {
 		StormClient stormClient = null;
-		LOG.debug("Getting StormClient for datasource: " + serviceName
-				+ "configMap: " + configs);
+		if(LOG.isDebugEnabled()){
+			LOG.debug("Getting StormClient for datasource: " + serviceName);
+			LOG.debug("configMap: " + BaseClient.getMaskedConfigMap(configs));
+		}
 		String errMsg = errMessage;
 		if (configs == null || configs.isEmpty()) {
 			String msgDesc = "Could not connect as Connection ConfigMap is empty.";

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/624310dc/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java
----------------------------------------------------------------------
diff --git a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java
index 0dd549a..51367c0 100644
--- a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java
+++ b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java
@@ -277,7 +277,7 @@ public class RemoteUnixLoginModule implements LoginModule {
 				if (trustStorePathPassword == null) {
 					trustStorePathPassword = "";
 				}
-				log("trustStorePathPassword:" + trustStorePathPassword);
+				log("trustStorePathPassword:*****");
 			}
 	
 			keyStorePath = (String) options.get(SSL_KEYSTORE_PATH_PARAM);
@@ -287,7 +287,7 @@ public class RemoteUnixLoginModule implements LoginModule {
 				if (keyStorePathPassword == null) {
 					keyStorePathPassword = "";
 				}
-				log("keyStorePathPassword:" + keyStorePathPassword);
+				log("keyStorePathPassword:*****");
 			}
 			
 			String certValidationFlag = (String) options.get(SERVER_CERT_VALIDATION_PARAM) ;

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/624310dc/unixauthservice/scripts/ranger-usersync-services.sh
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/ranger-usersync-services.sh b/unixauthservice/scripts/ranger-usersync-services.sh
index ea5c7e8..4b3d4d4 100644
--- a/unixauthservice/scripts/ranger-usersync-services.sh
+++ b/unixauthservice/scripts/ranger-usersync-services.sh
@@ -64,7 +64,7 @@ if [ "${action}" == "START" ]; then
 
 	cd ${cdir}
 	umask 0077
-	nohup java -Dproc_rangerusersync ${JAVA_OPTS} -Dlogdir="${logdir}" -cp "${cp}" org.apache.ranger.authentication.UnixAuthenticationService -enableUnixAuth > ${logdir}/auth.log 2>&1 &
+	nohup java -Dproc_rangerusersync -Dlog4j.configuration=file:/etc/ranger/usersync/conf/log4j.xml ${JAVA_OPTS} -Dlogdir="${logdir}" -cp "${cp}" org.apache.ranger.authentication.UnixAuthenticationService -enableUnixAuth > ${logdir}/auth.log 2>&1 &
 	echo $! >  ${pidf}
 	chown ranger ${pidf}
 	sleep 5
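Review bot: The log4j configuration path is hard-coded to `/etc/ranger/usersync/conf/log4j.xml`, so an installation with a different configuration directory starts with a path that does not exist and falls back to log4j's default lookup, possibly without the intended logging. Because the option precedes `${JAVA_OPTS}`, a `-Dlog4j.configuration` supplied in `JAVA_OPTS` should still take precedence; a comment would make that intent explicit, e.g. `# default log4j config; override via JAVA_OPTS`. The redirection target `${logdir}/auth.log` and `${pidf}` on the following lines are unquoted, unlike `"${logdir}"` in the same command. The enclosing `if` block continues outside the hunk.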


[07/26] incubator-ranger git commit: Ranger-652: excluded org.apache.hadoop dependecy with ranger-util as well as removed credential builder dependency as it is not used

Posted by ma...@apache.org.
Ranger-652: excluded org.apache.hadoop dependency with ranger-util as well as removed credential builder dependency as it is not used

Signed-off-by: Velmurugan Periasamy <ve...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/766f100e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/766f100e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/766f100e

Branch: refs/heads/tag-policy
Commit: 766f100e3457e42f59d35ede53d4c97488eb7398
Parents: 624310d
Author: Sailaja Polavarapu <sp...@hortonworks.com>
Authored: Fri Nov 20 10:50:01 2015 -0800
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Fri Nov 20 17:28:15 2015 -0500

----------------------------------------------------------------------
 ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/766f100e/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml b/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml
index 8d7a150..bc541a2 100644
--- a/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml
@@ -90,22 +90,15 @@
 		    <version>${springframework.security.version}</version>
 		</dependency>
       <dependency>
-  	 <groupId>org.apache.ranger</groupId>
-	 <artifactId>credentialbuilder</artifactId>
-    	 <version>${project.version}</version>  	
-       	 <exclusions>
-	   <exclusion>
-  	     <groupId>com.microsoft.windowsazure</groupId>
-  	     <artifactId>*</artifactId>
-	   </exclusion>
-       	 </exclusions>
-      </dependency>
-      <dependency>
         <groupId>org.apache.ranger</groupId>
         <artifactId>ranger-util</artifactId>
         <version>${project.version}</version>
           <exclusions>
 	    <exclusion>
+             <groupId>org.apache.hadoop</groupId>
+             <artifactId>*</artifactId>
+           </exclusion>
+	    <exclusion>
 	      <groupId>com.microsoft.windowsazure</groupId>
 	      <artifactId>*</artifactId>
 	    </exclusion>


[24/26] incubator-ranger git commit: RANGER-753: Optimized tag-download implementation. Instrumented policy download and policy evaluation for performance measurement.

Posted by ma...@apache.org.
RANGER-753: Optimized tag-download implementation. Instrumented policy download and policy evaluation for performance measurement.

Signed-off-by: Madhan Neethiraj <ma...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/7a80c8e3
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/7a80c8e3
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/7a80c8e3

Branch: refs/heads/tag-policy
Commit: 7a80c8e3522fb62ae5f3f53f6df786720a0569be
Parents: 68ab77b
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Thu Nov 12 06:57:41 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Tue Dec 1 21:14:37 2015 -0800

----------------------------------------------------------------------
 .../RangerAbstractConditionEvaluator.java       |   3 +
 .../RangerConditionEvaluator.java               |   1 -
 .../contextenricher/RangerTagEnricher.java      |  50 +-
 .../ranger/plugin/model/RangerTagDef.java       |   1 +
 .../policyengine/RangerPolicyEngineImpl.java    |  62 +-
 .../policyengine/RangerPolicyRepository.java    |  25 +
 .../RangerAbstractPolicyItemEvaluator.java      |   9 +-
 .../RangerCachedPolicyEvaluator.java            |  26 +-
 .../RangerDefaultPolicyEvaluator.java           |  61 +-
 .../RangerDefaultPolicyItemEvaluator.java       |  40 +-
 .../RangerOptimizedPolicyEvaluator.java         |  12 +-
 .../RangerPolicyItemEvaluator.java              |   2 +
 .../RangerAbstractResourceMatcher.java          |   6 +-
 .../ranger/plugin/store/AbstractTagStore.java   |  45 ++
 .../apache/ranger/plugin/store/TagStore.java    |   1 +
 .../ranger/plugin/util/PolicyRefresher.java     |  11 +-
 .../plugin/policyengine/TestPolicyEngine.java   |   2 +-
 .../src/test/resources/log4j.properties         |  35 --
 agents-common/src/test/resources/log4j.xml      |  53 ++
 security-admin/.gitignore                       |   2 -
 .../ranger/biz/RangerPolicyRetriever.java       |   2 +-
 .../apache/ranger/biz/RangerTagDBRetriever.java | 597 +++++++++++++++++++
 .../java/org/apache/ranger/biz/TagDBStore.java  |  24 +-
 .../ranger/db/XXServiceResourceElementDao.java  |  12 +
 .../db/XXServiceResourceElementValueDao.java    |  25 +
 .../org/apache/ranger/db/XXTagAttributeDao.java |  23 +
 .../apache/ranger/db/XXTagAttributeDefDao.java  |  23 +
 .../java/org/apache/ranger/db/XXTagDefDao.java  |  13 +
 .../org/apache/ranger/rest/ServiceREST.java     | 198 +++---
 .../ranger/rest/ServiceTagsProcessor.java       |  27 +-
 .../resources/META-INF/jpa_named_queries.xml    |  77 ++-
 .../src/test/resources/log4j.properties         |  35 --
 security-admin/src/test/resources/log4j.xml     |  53 ++
 33 files changed, 1287 insertions(+), 269 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAbstractConditionEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAbstractConditionEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAbstractConditionEvaluator.java
index 0bcb744..06263d1 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAbstractConditionEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerAbstractConditionEvaluator.java
@@ -47,4 +47,7 @@ public abstract class RangerAbstractConditionEvaluator implements RangerConditio
 	@Override
 	public void init() {
 	}
+
+	public RangerPolicyItemCondition getPolicyItemCondition() { return condition; }
+
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerConditionEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerConditionEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerConditionEvaluator.java
index 602b80e..9515000 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerConditionEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/conditionevaluator/RangerConditionEvaluator.java
@@ -31,7 +31,6 @@ public interface RangerConditionEvaluator {
 
 	void setServiceDef(RangerServiceDef serviceDef);
 
-
 	void init();
 
 	boolean isMatched(RangerAccessRequest request);

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index b5662bf..e9fc42c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -33,6 +33,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
 import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
 import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
+import org.apache.ranger.plugin.util.RangerPerfTracer;
 import org.apache.ranger.plugin.util.ServiceTags;
 
 import java.io.*;
@@ -43,6 +44,8 @@ import java.util.Map;
 public class RangerTagEnricher extends RangerAbstractContextEnricher {
 	private static final Log LOG = LogFactory.getLog(RangerTagEnricher.class);
 
+	private static final Log PERF_ENRICHER_LOG = RangerPerfTracer.getPerfLogger("enricher");
+
 	public static final String TAG_REFRESHER_POLLINGINTERVAL_OPTION = "tagRefresherPollingInterval";
 
 	public static final String TAG_RETRIEVER_CLASSNAME_OPTION = "tagRetrieverClassName";
@@ -51,8 +54,6 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
 
 	private RangerTagRetriever tagRetriever = null;
 
-	private long lastKnownVersion = -1L;
-
 	ServiceTags serviceTags = null;
 
 	List<RangerServiceResourceMatcher> serviceResourceMatchers;
@@ -100,7 +101,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
 				tagRetriever.setAppId(appId);
 				tagRetriever.init(enricherDef.getEnricherOptions());
 
-				tagRefresher = new RangerTagRefresher(tagRetriever, this, lastKnownVersion, cacheFile, pollingIntervalMs);
+				tagRefresher = new RangerTagRefresher(tagRetriever, this, -1L, cacheFile, pollingIntervalMs);
 
 				try {
 					tagRefresher.populateTags();
@@ -125,9 +126,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
 			LOG.debug("==> RangerTagEnricher.enrich(" + request + ")");
 		}
 
-		List<RangerServiceResourceMatcher> serviceResourceMatchersCopy = serviceResourceMatchers;
-
-		List<RangerTag> matchedTags = findMatchingTags(request.getResource(), serviceResourceMatchersCopy);
+		List<RangerTag> matchedTags = findMatchingTags(request.getResource());
 
 		RangerAccessRequestUtil.setRequestTagsInContext(request.getContext(), matchedTags);
 
@@ -137,15 +136,19 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
 	}
 
 	public void setServiceTags(final ServiceTags serviceTags) {
-		this.serviceTags = serviceTags;
-		this.lastKnownVersion = serviceTags.getTagVersion();
 
 		List<RangerServiceResourceMatcher> resourceMatchers = new ArrayList<RangerServiceResourceMatcher>();
 
-		List<RangerServiceResource> serviceResources = this.serviceTags.getServiceResources();
+		List<RangerServiceResource> serviceResources = serviceTags.getServiceResources();
 
 		if (CollectionUtils.isNotEmpty(serviceResources)) {
 
+			RangerPerfTracer perf = null;
+
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_ENRICHER_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_ENRICHER_LOG, "RangerTagEnricher.setServiceTags(serviceName=" + tagRetriever.getServiceName() + ",lastKnownVersion=" + serviceTags.getTagVersion() + ")");
+			}
+
 			for (RangerServiceResource serviceResource : serviceResources) {
 				RangerDefaultPolicyResourceMatcher matcher = new RangerDefaultPolicyResourceMatcher();
 
@@ -163,10 +166,12 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
 				resourceMatchers.add(serviceResourceMatcher);
 
 			}
-		}
 
-		serviceResourceMatchers = resourceMatchers;
+			RangerPerfTracer.log(perf);
+		}
 
+		this.serviceResourceMatchers = resourceMatchers;
+		this.serviceTags = serviceTags;
 	}
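Review bot: The two writes that now end setServiceTags, `this.serviceResourceMatchers = resourceMatchers;` followed by `this.serviceTags = serviceTags;`, are not published as one unit, and findMatchingTags (the @@ -188,16 +193,19 @@ hunk) reads the two fields in two separate steps. A request enriched while a refresh is in progress can therefore pair the new matcher list with the previous ServiceTags, so getTagsForServiceResource resolves resource ids against the wrong tag map and tag-based policies are evaluated with stale or missing tags. Neither field is declared `volatile` in the visible context; whether the refresher runs on its own thread is not shown here and should be confirmed. Keeping the matcher list and the ServiceTags in one immutable holder object that is assigned through a single `volatile` field would give readers a consistent snapshot.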
 
 	@Override
@@ -188,16 +193,19 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
 		return ret;
 	}
 
-	private List<RangerTag> findMatchingTags(final RangerAccessResource resource, final List<RangerServiceResourceMatcher> resourceMatchers) {
+	private List<RangerTag> findMatchingTags(final RangerAccessResource resource) {
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerTagEnricher.findMatchingTags(" + resource + ")");
 		}
 
 		List<RangerTag> ret = null;
+		final List<RangerServiceResourceMatcher> serviceResourceMatchers = this.serviceResourceMatchers;
 
-		if (CollectionUtils.isNotEmpty(resourceMatchers)) {
+		if (CollectionUtils.isNotEmpty(serviceResourceMatchers)) {
 
-			for (RangerServiceResourceMatcher resourceMatcher : resourceMatchers) {
+			final ServiceTags serviceTags = this.serviceTags;
+
+			for (RangerServiceResourceMatcher resourceMatcher : serviceResourceMatchers) {
 
 				boolean matchResult = resourceMatcher.isMatch(resource);
 
@@ -226,14 +234,14 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
 		return ret;
 	}
 
-	static private List<RangerTag> getTagsForServiceResource(ServiceTags serviceTags, RangerServiceResource serviceResource) {
+	static private List<RangerTag> getTagsForServiceResource(final ServiceTags serviceTags, final RangerServiceResource serviceResource) {
 
 		List<RangerTag> ret = new ArrayList<RangerTag>();
 
-		Long resourceId = serviceResource.getId();
+		final Long resourceId = serviceResource.getId();
 
-		Map<Long, List<Long>> resourceToTagIds = serviceTags.getResourceToTagIds();
-		Map<Long, RangerTag> tags = serviceTags.getTags();
+		final Map<Long, List<Long>> resourceToTagIds = serviceTags.getResourceToTagIds();
+		final Map<Long, RangerTag> tags = serviceTags.getTags();
 
 		if (resourceId != null && MapUtils.isNotEmpty(resourceToTagIds) && MapUtils.isNotEmpty(tags)) {
 
@@ -318,7 +326,11 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
 
 			if (tagEnricher != null) {
 				ServiceTags serviceTags = null;
+				RangerPerfTracer perf = null;
 
+				if(RangerPerfTracer.isPerfTraceEnabled(PERF_ENRICHER_LOG)) {
+					perf = RangerPerfTracer.getPerfTracer(PERF_ENRICHER_LOG, "RangerTagRefresher.populateTags(serviceName=" + tagRetriever.getServiceName() + ",lastKnownVersion" + lastKnownVersion + ")");
+				}
 				serviceTags = tagRetriever.retrieveTags(lastKnownVersion);
 
 				if (serviceTags == null) {
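Review bot: The tracer tag built in populateTags is missing the `=` after `lastKnownVersion`, so the version number is glued to the key, while the tag in setServiceTags writes `,lastKnownVersion=`. Anything that parses the perf log by key would miss this entry. The fragment should read `",lastKnownVersion=" + lastKnownVersion + ")"`. The method body starts and ends outside this hunk.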
@@ -329,6 +341,8 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher {
 					saveToCache(serviceTags);
 				}
 
+				RangerPerfTracer.log(perf);
+
 				if (serviceTags != null) {
 					tagEnricher.setServiceTags(serviceTags);
 					LOG.info("RangerTagRefresher.populateTags() - Updated tags-cache to new version of tags, lastKnownVersion=" + lastKnownVersion + "; newVersion=" + serviceTags.getTagVersion());

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTagDef.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTagDef.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTagDef.java
index ba2a5d7..93f7b14 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTagDef.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerTagDef.java
@@ -61,6 +61,7 @@ public class RangerTagDef extends RangerBaseModelObject {
         super();
         setName(name);
         setSource(source);
+        setAttributeDefs(null);
     }
 
     public String getName() {

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 8adab7b..df6ca41 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -30,12 +30,15 @@ import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
 import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
 import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
+import org.apache.ranger.plugin.util.RangerPerfTracer;
 import org.apache.ranger.plugin.util.ServicePolicies;
 
 import java.util.*;
 
 public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 	private static final Log LOG = LogFactory.getLog(RangerPolicyEngineImpl.class);
+	private static final Log PERF_POLICY_LOG = RangerPerfTracer.getPerfLogger("policy");
+	private static final Log PERF_ENRICHER_LOG = RangerPerfTracer.getPerfLogger("enricher");
 
 	private final RangerPolicyRepository policyRepository;
 	private final RangerPolicyRepository tagPolicyRepository;
@@ -47,6 +50,12 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			LOG.debug("==> RangerPolicyEngineImpl(" + appId + ", " + servicePolicies + ", " + options + ")");
 		}
 
+		RangerPerfTracer perf = null;
+
+		if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_LOG)) {
+			perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_LOG, "RangerPolicyEngine.init(appId=" + appId + ",hashCode=" + Integer.toHexString(System.identityHashCode(this)) + ")");
+		}
+
 		if (options == null) {
 			options = new RangerPolicyEngineOptions();
 		}
@@ -90,6 +99,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 
 		this.allContextEnrichers = tmpList;
 
+		RangerPerfTracer.log(perf);
+
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("<== RangerPolicyEngineImpl()");
 		}
@@ -126,11 +137,21 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 		List<RangerContextEnricher> enrichers = allContextEnrichers;
 
 		if(!CollectionUtils.isEmpty(enrichers)) {
+
+			RangerPerfTracer perf = null;
+
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_ENRICHER_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_ENRICHER_LOG, "RangerPolicyEngine.preProcess(requestHashCode=" + Integer.toHexString(System.identityHashCode(request)) + ")");
+			}
+
 			for(RangerContextEnricher enricher : enrichers) {
 				enricher.enrich(request);
 			}
+
+			RangerPerfTracer.log(perf);
 		}
 
+
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("<== RangerPolicyEngineImpl.preProcess(" + request + ")");
 		}
@@ -168,6 +189,11 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + request + ")");
 		}
+		RangerPerfTracer perf = null;
+
+		if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_LOG)) {
+			perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_LOG, "RangerPolicyEngine.isAccessAllowed(requestHashCode=" + Integer.toHexString(System.identityHashCode(request)) + ")");
+		}
 
 		RangerAccessResult ret = isAccessAllowedNoAudit(request);
 
@@ -175,6 +201,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			resultProcessor.processResult(ret);
 		}
 
+		RangerPerfTracer.log(perf);
+
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + request + "): " + ret);
 		}
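Review bot: `RangerPerfTracer.log(perf);` is reached only on the normal path, so if isAccessAllowedNoAudit or the result processor throws, the tracer started at the top of isAccessAllowed is never logged. Those failing requests are the ones whose timing is most useful when investigating an authorization problem. Wrapping the traced section as `try { ... } finally { RangerPerfTracer.log(perf); }` keeps the measurement complete. The same pattern repeats in the other hunks of this commit that add a `RangerPerfTracer.log(perf)` call. The method starts outside this hunk.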
@@ -216,6 +244,11 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + ")");
 		}
 
+		RangerPerfTracer perf = null;
+
+		if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_LOG)) {
+			perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_LOG, "RangerPolicyEngine.isAccessAllowed(user=" + user + ",accessType=" + accessType + ")");
+		}
 		boolean ret = false;
 
 		for (RangerPolicyEvaluator evaluator : policyRepository.getPolicyEvaluators()) {
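Review bot: The tracer tag in this overload embeds `user` and `accessType` verbatim, whereas every other tag added to this class identifies the request by `Integer.toHexString(System.identityHashCode(request))`. With perf tracing enabled, user names end up in the perf log, which is often kept under looser access and retention rules than the audit log. A value containing line breaks would also split the log entry. Consider limiting the tag to non-identifying data, or add a comment stating that the `policy` perf logger output must be protected like audit data. The method body starts and ends outside this hunk.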
@@ -226,6 +259,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			}
 		}
 
+		RangerPerfTracer.log(perf);
+
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowed(" + resource + ", " + user + ", " + userGroups + ", " + accessType + "): " + ret);
 		}
@@ -311,6 +346,12 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + request + ")");
 		}
 
+		RangerPerfTracer perf = null;
+
+		if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_LOG)) {
+			perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_LOG, "RangerPolicyEngine.isAccessAllowedNoAudit(requestHashCode=" + Integer.toHexString(System.identityHashCode(request)) + ")");
+		}
+
 		RangerAccessResult ret = createAccessResult(request);
 
 		if (ret != null && request != null) {
@@ -359,6 +400,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			}
 		}
 
+		RangerPerfTracer.log(perf);
+
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedNoAudit(" + request + "): " + ret);
 		}
@@ -371,6 +414,12 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			LOG.debug("==> RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + request + ", " + result + ")");
 		}
 
+		RangerPerfTracer perf = null;
+
+		if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_LOG)) {
+			perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_LOG, "RangerPolicyEngine.isAccessAllowedForTagPolicies(requestHashCode=" + Integer.toHexString(System.identityHashCode(request)) + ")");
+		}
+
 		List<RangerPolicyEvaluator> evaluators = tagPolicyRepository.getPolicyEvaluators();
 
 		if (CollectionUtils.isNotEmpty(evaluators)) {
@@ -436,13 +485,11 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 						break;			// Break out of policy-evaluation loop
 					}
 				}
-
-				if (LOG.isDebugEnabled()) {
-					LOG.debug("RangerPolicyEngineImpl.isAccessAllowedForTagPolicies() : result=" + result);
-				}
 			}
 		}
 
+		RangerPerfTracer.log(perf);
+
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("<== RangerPolicyEngineImpl.isAccessAllowedForTagPolicies(" + request + ", " + result + ")" );
 		}
@@ -503,6 +550,11 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 			LOG.debug("==> RangerPolicyEngineImpl.cleanup()");
 		}
 
+		RangerPerfTracer perf = null;
+
+		if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_LOG)) {
+			perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_LOG, "RangerPolicyEngine.cleanUp(hashCode=" + Integer.toHexString(System.identityHashCode(this)) + ")");
+		}
 		preCleanup();
 
 		if (CollectionUtils.isNotEmpty(allContextEnrichers)) {
@@ -513,6 +565,8 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
 
 		this.allContextEnrichers = null;
 
+		RangerPerfTracer.log(perf);
+
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("<== RangerPolicyEngineImpl.cleanup()");
 		}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
index 57b1b7d..0cde01a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyRepository.java
@@ -31,12 +31,14 @@ import org.apache.ranger.plugin.policyevaluator.RangerCachedPolicyEvaluator;
 import org.apache.ranger.plugin.policyevaluator.RangerOptimizedPolicyEvaluator;
 import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
 import org.apache.ranger.plugin.store.AbstractServiceStore;
+import org.apache.ranger.plugin.util.RangerPerfTracer;
 import org.apache.ranger.plugin.util.ServicePolicies;
 
 import java.util.*;
 
 public class RangerPolicyRepository {
     private static final Log LOG = LogFactory.getLog(RangerPolicyRepository.class);
+    private static final Log PERF_LOG = RangerPerfTracer.getPerfLogger("policy");
 
     private final String                      serviceName;
     private final String                      appId;
@@ -53,6 +55,12 @@ public class RangerPolicyRepository {
     RangerPolicyRepository(String appId, ServicePolicies servicePolicies, RangerPolicyEngineOptions options) {
         super();
 
+        RangerPerfTracer perf = null;
+
+        if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerPolicyRepository.init(appId=" + appId + ",hashCode=" + Integer.toHexString(System.identityHashCode(this)) + ")");
+        }
+
         this.componentServiceName = this.serviceName = servicePolicies.getServiceName();
         this.componentServiceDef = this.serviceDef = servicePolicies.getServiceDef();
 
@@ -78,6 +86,7 @@ public class RangerPolicyRepository {
 
         init(options);
 
+        RangerPerfTracer.log(perf);
     }
 
     RangerPolicyRepository(String appId, ServicePolicies.TagPolicies tagPolicies, RangerPolicyEngineOptions options,
@@ -321,6 +330,12 @@ public class RangerPolicyRepository {
 
         RangerContextEnricher ret = null;
 
+        RangerPerfTracer perf = null;
+
+        if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerPolicyRepository.buildContextEnricher(name=" + enricherDef.getName() + ")");
+        }
+
         String name    = enricherDef != null ? enricherDef.getName()     : null;
         String clsName = enricherDef != null ? enricherDef.getEnricher() : null;
 
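Review bot: The added tracer tag calls `enricherDef.getName()` before the two context lines below it, which still guard with `enricherDef != null ? ... : null`. With perf tracing enabled, a null `enricherDef` now throws a NullPointerException that the method previously tolerated. Moving the tracer block below the `name` assignment and reusing the guarded value avoids this: `perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerPolicyRepository.buildContextEnricher(name=" + name + ")");`. The method starts and ends outside this hunk.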
@@ -343,6 +358,8 @@ public class RangerPolicyRepository {
             ret.init();
         }
 
+        RangerPerfTracer.log(perf);
+
         if(LOG.isDebugEnabled()) {
             LOG.debug("<== RangerPolicyRepository.buildContextEnricher(" + enricherDef + "): " + ret);
         }
@@ -356,6 +373,12 @@ public class RangerPolicyRepository {
 
         RangerPolicyEvaluator ret;
 
+        RangerPerfTracer perf = null;
+
+        if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerPolicyRepository.buildPolicyEvaluator(name=" + policy.getName() + ")");
+        }
+
         if(StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_DEFAULT)) {
             ret = new RangerOptimizedPolicyEvaluator();
         } else if(StringUtils.equalsIgnoreCase(options.evaluatorType, RangerPolicyEvaluator.EVALUATOR_TYPE_OPTIMIZED)) {
@@ -366,6 +389,8 @@ public class RangerPolicyRepository {
 
         ret.init(policy, serviceDef, options);
 
+        RangerPerfTracer.log(perf);
+
         if(LOG.isDebugEnabled()) {
             LOG.debug("<== RangerPolicyRepository.buildPolicyEvaluator(" + policy + "," + serviceDef + "): " + ret);
         }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
index ffd1d79..d592182 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyItemEvaluator.java
@@ -47,15 +47,17 @@ public abstract class RangerAbstractPolicyItemEvaluator implements RangerPolicyI
 	final RangerServiceDef          serviceDef;
 	final RangerPolicyItem          policyItem;
 	final int                       policyItemType;
+	final int						policyItemIndex;
 	final long                      policyId;
 	final int                       evalOrder;
 
 	List<RangerConditionEvaluator> conditionEvaluators = Collections.<RangerConditionEvaluator>emptyList();
 
-	RangerAbstractPolicyItemEvaluator(RangerServiceDef serviceDef, RangerPolicy policy, RangerPolicyItem policyItem, int policyItemType, RangerPolicyEngineOptions options) {
+	RangerAbstractPolicyItemEvaluator(RangerServiceDef serviceDef, RangerPolicy policy, RangerPolicyItem policyItem, int policyItemType, int policyItemIndex, RangerPolicyEngineOptions options) {
 		this.serviceDef     = serviceDef;
 		this.policyItem     = policyItem;
 		this.policyItemType = policyItemType;
+		this.policyItemIndex = policyItemIndex;
 		this.options        = options;
 		this.policyId       = policy != null && policy.getId() != null ? policy.getId() : -1;
 		this.evalOrder      = computeEvalOrder();
@@ -82,6 +84,11 @@ public abstract class RangerAbstractPolicyItemEvaluator implements RangerPolicyI
 	}
 
 	@Override
+	public int getPolicyItemIndex() {
+		return policyItemIndex;
+	}
+
+	@Override
 	public String getComments() {
 		return policyItem == null ? null : policyItem.getComments();
 	}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java
index d67777c..580447b 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerCachedPolicyEvaluator.java
@@ -25,11 +25,14 @@ import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.util.RangerPerfTracer;
 
 public class RangerCachedPolicyEvaluator extends RangerOptimizedPolicyEvaluator {
     private static final Log LOG = LogFactory.getLog(RangerCachedPolicyEvaluator.class);
+    private static final Log PERF_LOG = RangerPerfTracer.getPerfLogger("policy");
 
     private RangerResourceAccessCache cache = null;
+    private String perfTag;
 
     @Override
     public void init(RangerPolicy policy, RangerServiceDef serviceDef, RangerPolicyEngineOptions options) {
@@ -37,10 +40,23 @@ public class RangerCachedPolicyEvaluator extends RangerOptimizedPolicyEvaluator
             LOG.debug("==> RangerCachedPolicyEvaluator.init()");
         }
 
+        StringBuffer perfTagBuffer = new StringBuffer();
+        perfTagBuffer.append("policyId=").append(policy.getId()).append(",policyName=").append(policy.getName());
+
+        perfTag = perfTagBuffer.toString();
+
+        RangerPerfTracer perf = null;
+
+        if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerCachedPolicyEvaluator.init(" + perfTag + ")");
+        }
+
         super.init(policy, serviceDef, options);
 
         cache = RangerResourceAccessCacheImpl.getInstance(serviceDef, policy);
-        
+
+        RangerPerfTracer.log(perf);
+
         if(LOG.isDebugEnabled()) {
             LOG.debug("<== RangerCachedPolicyEvaluator.init()");
         }
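Review bot: `perfTag` is assembled with a `StringBuffer` on every init(), before `super.init(...)` and whether or not perf tracing is enabled, and it dereferences `policy` without a check. RangerAbstractPolicyItemEvaluator in this same commit guards `policy != null`, so a null policy may be possible here; that should be confirmed. The tag format also differs from the one added to RangerDefaultPolicyEvaluator.init() (`",policyName="` here, `", policyName="` there), so one policy appears under two spellings in the perf log. A single guarded expression with one agreed separator would be simpler, for example `perfTag = policy == null ? "policyId=null" : "policyId=" + policy.getId() + ",policyName=" + policy.getName();`. The same change applies to the RangerDefaultPolicyEvaluator hunk.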
@@ -54,6 +70,12 @@ public class RangerCachedPolicyEvaluator extends RangerOptimizedPolicyEvaluator
 
         boolean result = false;
 
+        RangerPerfTracer perf = null;
+
+        if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerCachedPolicyEvaluator.isMatch(" + perfTag + ",accessResource=" + resource.getAsString() + ")");
+        }
+
         // Check in the evaluator-owned cache for the match, if found return. else call super.isMatch(), add result to cache
         RangerResourceAccessCache.LookupResult lookup = cache.lookup(resource);
 
@@ -73,6 +95,8 @@ public class RangerCachedPolicyEvaluator extends RangerOptimizedPolicyEvaluator
             }
         }
 
+        RangerPerfTracer.log(perf);
+
         if (LOG.isDebugEnabled()) {
             LOG.debug("<== RangerCachedPolicyEvaluator.isMatch(" + resource + "): " + result);
         }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index da15c00..439b58d 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -44,10 +44,12 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
 import org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
 import org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
+import org.apache.ranger.plugin.util.RangerPerfTracer;
 
 
 public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator {
 	private static final Log LOG = LogFactory.getLog(RangerDefaultPolicyEvaluator.class);
+	private static final Log PERF_LOG = RangerPerfTracer.getPerfLogger("policy");
 
 	private RangerPolicyResourceMatcher     resourceMatcher          = null;
 	private List<RangerPolicyItemEvaluator> allowEvaluators          = null;
@@ -55,6 +57,7 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 	private List<RangerPolicyItemEvaluator> allowExceptionEvaluators = null;
 	private List<RangerPolicyItemEvaluator> denyExceptionEvaluators  = null;
 	private int                             customConditionsCount    = 0;
+	private String perfTag;
 
 	@Override
 	public int getCustomConditionsCount() {
@@ -67,6 +70,17 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 			LOG.debug("==> RangerDefaultPolicyEvaluator.init()");
 		}
 
+		StringBuffer perfTagBuffer = new StringBuffer();
+		perfTagBuffer.append("policyId=").append(policy.getId()).append(", policyName=").append(policy.getName());
+
+		perfTag = perfTagBuffer.toString();
+
+		RangerPerfTracer perf = null;
+
+		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerDefaultPolicyEvaluator.init(" + perfTag + ")");
+		}
+
 		super.init(policy, serviceDef, options);
 
 		preprocessPolicy(policy, serviceDef);
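Review bot: `perfTag` is built on every init, whether or not tracing is enabled, and it reads `policy.getId()` and `policy.getName()` before `super.init(policy, ...)` runs, so a null policy would now fail here rather than wherever it was handled before (the rest of init is outside the hunk, so this is an inference). The policy name is administrator-supplied text and ends up verbatim in every perf line that uses `perfTag`; replacing CR and LF before storing it keeps one trace per log line, and the same applies to the `policyName=` tag in the RangerOptimizedPolicyEvaluator.init hunk. `StringBuffer` adds synchronisation that a local variable does not need; plain concatenation, `perfTag = "policyId=" + policy.getId() + ", policyName=" + policy.getName();`, reads more simply.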
@@ -94,6 +108,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 		Collections.sort(allowExceptionEvaluators);
 		Collections.sort(denyExceptionEvaluators);
 
+		RangerPerfTracer.log(perf);
+
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("<== RangerDefaultPolicyEvaluator.init()");
 		}
@@ -105,6 +121,13 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
             LOG.debug("==> RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")");
         }
 
+		RangerPerfTracer perf = null;
+
+		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerDefaultPolicyEvaluator.evaluate(requestHashCode=" + Integer.toHexString(System.identityHashCode(request)) + ","
+					+ perfTag + ")");
+		}
+
         if (request != null && result != null) {
             boolean isResourceMatch              = false;
             boolean isResourceHeadMatch          = false;
@@ -158,6 +181,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
             }
         }
 
+		RangerPerfTracer.log(perf);
+
         if(LOG.isDebugEnabled()) {
             LOG.debug("<== RangerDefaultPolicyEvaluator.evaluate(" + request + ", " + result + ")");
         }
@@ -168,6 +193,12 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
             LOG.debug("==> RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + isResourceMatch + ")");
         }
 
+		RangerPerfTracer perf = null;
+
+		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerDefaultPolicyEvaluator.evaluatePolicyItems(requestHashCode=" + Integer.toHexString(System.identityHashCode(request)) + "," + perfTag + ")");
+		}
+
         RangerPolicyItemEvaluator matchedPolicyItem = getMatchingPolicyItem(request, denyEvaluators, denyExceptionEvaluators);
 
         if(matchedPolicyItem == null && !result.getIsAllowed()) { // if not denied, evaluate allowItems only if not already allowed
@@ -192,6 +223,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
             }
         }
 
+		RangerPerfTracer.log(perf);
+
         if(LOG.isDebugEnabled()) {
             LOG.debug("<== RangerDefaultPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + isResourceMatch + ")");
         }
@@ -229,10 +262,18 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 
 		boolean ret = false;
 
+		RangerPerfTracer perf = null;
+
+		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerDefaultPolicyEvaluator.isMatch(resource=" + resource.getAsString() + "," + perfTag + ")");
+		}
+
 		if(resourceMatcher != null) {
 			ret = resourceMatcher.isMatch(resource);
 		}
 
+		RangerPerfTracer.log(perf);
+
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("<== RangerDefaultPolicyEvaluator.isMatch(" + resource + "): " + ret);
 		}
@@ -333,12 +374,20 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 
 		boolean ret = false;
 
+		RangerPerfTracer perf = null;
+
+		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerDefaultPolicyEvaluator.isAccessAllowed(hashCode=" + Integer.toHexString(System.identityHashCode(this)) + "," + perfTag + ")");
+		}
+
 		RangerPolicyItemEvaluator item = this.getDeterminingPolicyItem(user, userGroups, accessType);
 
 		if(item != null && item.getPolicyItemType() == RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW) {
 			ret = true;
 		}
 
+		RangerPerfTracer.log(perf);
+
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("<== RangerDefaultPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + "): " + ret);
 		}
@@ -464,8 +513,10 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 		if(CollectionUtils.isNotEmpty(policyItems)) {
 			ret = new ArrayList<RangerPolicyItemEvaluator>();
 
+			int policyItemCounter = 1;
+
 			for(RangerPolicyItem policyItem : policyItems) {
-				RangerPolicyItemEvaluator itemEvaluator = new RangerDefaultPolicyItemEvaluator(serviceDef, policy, policyItem, policyItemType, options);
+				RangerPolicyItemEvaluator itemEvaluator = new RangerDefaultPolicyItemEvaluator(serviceDef, policy, policyItem, policyItemType, policyItemCounter++, options);
 
 				itemEvaluator.init();
 
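Review bot: `policyItemCounter` restarts at 1 each time this loop runs, so if the method is called once per item list (the class keeps separate allow, deny and exception lists), several item evaluators of one policy share the same `policyItemIndex` and the perf tags `policyId=...,policyItemIndex=...` cannot tell them apart. Adding the item type to those tags, or documenting the contract on the interface method with something like `/** 1-based position of the item within its own item list; not unique across lists. */`, would remove the ambiguity. The enclosing method starts and ends outside the hunk, so the call pattern is an inference.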
@@ -489,6 +540,12 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
 
         RangerPolicyItemEvaluator ret = null;
 
+		RangerPerfTracer perf = null;
+
+		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerDefaultPolicyEvaluator.getMatchingPolicyItem(requestHashCode=" + Integer.toHexString(System.identityHashCode(request)) + "," + perfTag + ")");
+		}
+
         if(CollectionUtils.isNotEmpty(evaluators)) {
             for (RangerPolicyItemEvaluator evaluator : evaluators) {
                 if(evaluator.isMatch(request)) {
@@ -513,6 +570,8 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
             }
         }
 
+		RangerPerfTracer.log(perf);
+
         if(LOG.isDebugEnabled()) {
             LOG.debug("<== RangerDefaultPolicyEvaluator.getMatchingPolicyItem(" + request + "): " + ret);
         }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
index 39a0a5e..7f40bda 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java
@@ -26,6 +26,7 @@ import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.conditionevaluator.RangerAbstractConditionEvaluator;
 import org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerServiceDef;
@@ -36,14 +37,18 @@ import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.util.RangerPerfTracer;
 
 
 public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEvaluator {
 	private static final Log LOG = LogFactory.getLog(RangerDefaultPolicyItemEvaluator.class);
+	private static final Log PERF_POLICY_LOG = RangerPerfTracer.getPerfLogger("policy");
+	private static final Log PERF_ITEM_LOG = RangerPerfTracer.getPerfLogger("item");
+	private static final Log PERF_CONDITION_LOG = RangerPerfTracer.getPerfLogger("condition");
 
 
-	public RangerDefaultPolicyItemEvaluator(RangerServiceDef serviceDef, RangerPolicy policy, RangerPolicyItem policyItem, int policyItemType, RangerPolicyEngineOptions options) {
-		super(serviceDef, policy, policyItem, policyItemType, options);
+	public RangerDefaultPolicyItemEvaluator(RangerServiceDef serviceDef, RangerPolicy policy, RangerPolicyItem policyItem, int policyItemType, int policyItemIndex, RangerPolicyEngineOptions options) {
+		super(serviceDef, policy, policyItem, policyItemType, policyItemIndex, options);
 	}
 
 	public void init() {
@@ -54,6 +59,12 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv
 		if (!getConditionsDisabledOption() && policyItem != null && CollectionUtils.isNotEmpty(policyItem.getConditions())) {
 			conditionEvaluators = new ArrayList<RangerConditionEvaluator>();
 
+			RangerPerfTracer perf = null;
+
+			if(RangerPerfTracer.isPerfTraceEnabled(PERF_POLICY_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_POLICY_LOG, "RangerDefaultPolicyItemEvaluator.init(policyId=" + policyId + ",policyItemIndex=" + getPolicyItemIndex() + ")");
+			}
+
 			for (RangerPolicyItemCondition condition : policyItem.getConditions()) {
 				RangerPolicyConditionDef conditionDef = getConditionDef(condition.getType());
 
@@ -76,6 +87,7 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv
 					LOG.error("RangerDefaultPolicyItemEvaluator(policyId=" + policyId + "): failed to instantiate condition evaluator '" + condition.getType() + "'; evaluatorClassName='" + conditionDef.getEvaluator() + "'");
 				}
 			}
+			RangerPerfTracer.log(perf);
 		}
 
 		if(LOG.isDebugEnabled()) {
@@ -90,6 +102,12 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv
 		}
 
 		boolean ret = false;
+		RangerPerfTracer perf = null;
+
+		if(RangerPerfTracer.isPerfTraceEnabled(PERF_ITEM_LOG)) {
+			perf = RangerPerfTracer.getPerfTracer(PERF_ITEM_LOG, "RangerDefaultPolicyItemEvaluator.isMatch(policyId=" + policyId + ",policyItemIndex=" + getPolicyItemIndex() + ")");
+		}
+
 
 		if(policyItem != null) {
 			if(matchUserGroup(request.getUser(), request.getUserGroups())) {
@@ -125,6 +143,8 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv
 			}
 		}
 
+		RangerPerfTracer.log(perf);
+
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("<== RangerDefaultPolicyItemEvaluator.isMatch(" + request + "): " + ret);
 		}
@@ -217,8 +237,22 @@ public class RangerDefaultPolicyItemEvaluator extends RangerAbstractPolicyItemEv
 				if(LOG.isDebugEnabled()) {
 					LOG.debug("evaluating condition: " + conditionEvaluator);
 				}
+				RangerPerfTracer perf = null;
+
+				if(RangerPerfTracer.isPerfTraceEnabled(PERF_CONDITION_LOG)) {
+					String conditionType = null;
+					if (conditionEvaluator instanceof RangerAbstractConditionEvaluator) {
+						conditionType = ((RangerAbstractConditionEvaluator)conditionEvaluator).getPolicyItemCondition().getType();
+					}
+
+					perf = RangerPerfTracer.getPerfTracer(PERF_CONDITION_LOG, "RangerDefaultPolicyItemEvaluator.matchCustomConditions(policyId=" + policyId + ",policyItemIndex=" + getPolicyItemIndex() + ",policyConditionType=" + conditionType + ")");
+				}
+
+				boolean conditionEvalResult = conditionEvaluator.isMatched(request);
+
+				RangerPerfTracer.log(perf);
 
-				if(!conditionEvaluator.isMatched(request)) {
+				if (!conditionEvalResult) {
 					if(LOG.isDebugEnabled()) {
 						LOG.debug(conditionEvaluator + " returned false");
 					}
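Review bot: `getPolicyItemCondition().getType()` is chained without a null check inside the tracing branch, so a condition evaluator whose condition was never set would throw only when condition tracing is switched on; whether that can happen depends on code outside the hunk. `RangerPerfTracer.log(perf)` is also skipped when `conditionEvaluator.isMatched(request)` throws, and condition evaluators are instantiated by class name, so they are the code here most likely to throw. Guarding the lookup and moving the log call into a `finally` keeps tracing from changing or losing results. The loop and the method continue outside the hunk.

```java
				if(RangerPerfTracer.isPerfTraceEnabled(PERF_CONDITION_LOG)) {
					String conditionType = null;
					if (conditionEvaluator instanceof RangerAbstractConditionEvaluator) {
						RangerPolicyItemCondition itemCondition = ((RangerAbstractConditionEvaluator)conditionEvaluator).getPolicyItemCondition();
						conditionType = itemCondition != null ? itemCondition.getType() : null;
					}
					// … unchanged: getPerfTracer call …
				}

				boolean conditionEvalResult;
				try {
					conditionEvalResult = conditionEvaluator.isMatched(request);
				} finally {
					// record the timing even when the evaluator throws
					RangerPerfTracer.log(perf);
				}
```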

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
index e81280f..8cd854f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
@@ -29,12 +29,14 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
+import org.apache.ranger.plugin.util.RangerPerfTracer;
 
 import java.util.*;
 import java.lang.Math;
 
 public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator {
     private static final Log LOG = LogFactory.getLog(RangerOptimizedPolicyEvaluator.class);
+    private static final Log PERF_LOG = RangerPerfTracer.getPerfLogger("policy");
 
     private Set<String> groups         = new HashSet<String>();
     private Set<String> users          = new HashSet<String>();
@@ -70,6 +72,12 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator
             LOG.debug("==> RangerOptimizedPolicyEvaluator.init()");
         }
 
+        RangerPerfTracer perf = null;
+
+        if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerOptimizedPolicyEvaluator.init(policyId=" + policy.getId() + ",policyName=" + policy.getName() + ")");
+        }
+
         super.init(policy, serviceDef, options);
 
         preprocessPolicyItems(policy.getPolicyItems());
@@ -87,6 +95,8 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator
 
         setEvalOrder(computeEvalOrder());
 
+        RangerPerfTracer.log(perf);
+
         if(LOG.isDebugEnabled()) {
             LOG.debug("<== RangerOptimizedPolicyEvaluator.init()");
         }
@@ -222,7 +232,7 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator
 
 		boolean ret = false;
 
-		if (hasPublicGroup || users.contains(user) || CollectionUtils.containsAny(groups, userGroups)) {
+        if (hasPublicGroup || users.contains(user) || CollectionUtils.containsAny(groups, userGroups)) {
 			if (StringUtils.isEmpty(accessType)) {
 				accessType = RangerPolicyEngine.ANY_ACCESS;
 			}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
index 95d2b4e..1dfc8cf 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerPolicyItemEvaluator.java
@@ -37,6 +37,8 @@ public interface RangerPolicyItemEvaluator extends Comparable<RangerPolicyItemEv
 
 	int getPolicyItemType();
 
+	int getPolicyItemIndex();
+
 	String getComments();
 
 	List<RangerConditionEvaluator> getConditionEvaluators();

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
index 56c4cfb..fd5133f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/resourcematcher/RangerAbstractResourceMatcher.java
@@ -35,6 +35,7 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat
 	private static final Log LOG = LogFactory.getLog(RangerAbstractResourceMatcher.class);
 
 	public final static String WILDCARD_ASTERISK = "*";
+	public final static String WILDCARDS = "*?";
 
 	public final static String OPTIONS_SEP        = ";";
 	public final static String OPTION_NV_SEP      = "=";
@@ -74,6 +75,7 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat
 		policyIsExcludes = policyResource == null ? false : policyResource.getIsExcludes();
 
 		if(policyResource != null && policyResource.getValues() != null) {
+			boolean isWildCardPresent = !optWildCard;
 			for(String policyValue : policyResource.getValues()) {
 				if(StringUtils.isEmpty(policyValue)) {
 					continue;
@@ -81,10 +83,12 @@ public abstract class RangerAbstractResourceMatcher implements RangerResourceMat
 
 				if(StringUtils.containsOnly(policyValue, WILDCARD_ASTERISK)) {
 					isMatchAny = true;
+				} else if (!isWildCardPresent && StringUtils.containsAny(policyValue, WILDCARDS)) {
+					isWildCardPresent = true;
 				}
-
 				policyValues.add(policyValue);
 			}
+			optWildCard = optWildCard && isWildCardPresent;
 		}
 
 		if(policyValues.isEmpty()) {
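Review bot: A value made up only of `*` takes the first branch, so `isWildCardPresent` stays false and the new assignment `optWildCard = optWildCard && isWildCardPresent;` switches wildcard matching off even though a wildcard value is configured. That is safe only while every matcher consults `isMatchAny` before `optWildCard`, which this hunk does not show. Overwriting the configured option with a derived value also hides what the policy author asked for; a separate field, e.g. `boolean useWildCardMatch = optWildCard && isWildCardPresent;`, would keep the two apart. Because this code decides how policy resources are matched, a test with the values `*`, `a?c` and a plain literal would pin the intended behaviour. The flag is declared in the previous hunk and the method continues outside both.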

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
index ed1b64d..f22a87a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
@@ -22,6 +22,7 @@ package org.apache.ranger.plugin.store;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.model.*;
+import org.apache.ranger.plugin.util.SearchFilter;
 
 import java.util.*;
 
@@ -102,6 +103,50 @@ public abstract class AbstractTagStore implements TagStore {
 		}
 		return ret;
 	}
+
+	@Override
+	public void deleteAllTagObjectsForService(String serviceName, boolean isResourePrivateTag) throws Exception {
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> AbstractTagStore.deleteAllTagObjectsForService(serviceName=" + serviceName + ", isResourcePrivateTag=" + isResourePrivateTag + ")");
+		}
+
+		List<RangerServiceResource> serviceResources = getServiceResourcesByService(serviceName);
+
+		Set<Long> tagsToDelete = new HashSet<Long>();
+
+
+		for (RangerServiceResource serviceResource : serviceResources) {
+			Long resourceId = serviceResource.getId();
+
+			List<RangerTagResourceMap> tagResourceMapsForService = getTagResourceMapsForResourceId(resourceId);
+
+			if (isResourePrivateTag) {
+				for (RangerTagResourceMap tagResourceMap : tagResourceMapsForService) {
+					Long tagId = tagResourceMap.getTagId();
+					RangerTag tag = getTag(tagId);
+					tagsToDelete.add(tag.getId());
+				}
+			}
+			for (RangerTagResourceMap tagResourceMap : tagResourceMapsForService) {
+				deleteTagResourceMap(tagResourceMap.getId());
+			}
+		}
+
+		for (RangerServiceResource serviceResource : serviceResources) {
+			deleteServiceResource(serviceResource.getId());
+		}
+
+		for (Long tagId : tagsToDelete) {
+			deleteTag(tagId);
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== AbstractTagStore.deleteAllTagObjectsForService(serviceName=" + serviceName + ", isResourcePrivateTag=" + isResourePrivateTag + ")");
+		}
+
+	}
+
 }
 
 
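Review bot: In the `isResourePrivateTag` branch, `getTag(tagId)` is called only to read back the id, and `tag.getId()` throws a NullPointerException if the tag no longer exists, aborting the cleanup after maps of earlier resources have already been deleted; `tagsToDelete.add(tagResourceMap.getTagId());` with a null check does the same without the lookup. The loops also iterate `serviceResources` and `tagResourceMapsForService` without checking for null, which matters if the store methods can return null. Tags are deleted purely on the caller's flag, so a tag that is also mapped to another service's resource would be removed with it; checking that no map remains for the tag before `deleteTag(tagId)` would guard against that. The `SearchFilter` import added in the previous hunk is not used by this method.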

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/agents-common/src/main/java/org/apache/ranger/plugin/store/TagStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/TagStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/TagStore.java
index ed20c51..104459d 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/TagStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/TagStore.java
@@ -124,4 +124,5 @@ public interface TagStore {
 
 
     ServiceTags getServiceTagsIfUpdated(String serviceName, Long lastKnownVersion) throws Exception;
+    void deleteAllTagObjectsForService(String serviceName, boolean isResourePrivateTag) throws Exception;
 }
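Review bot: The new interface method has no Javadoc and its flag is misspelled (`isResourePrivateTag`), which will be copied into every implementation. Since the call removes service resources, tag-resource maps and, when the flag is set, the tags themselves, the contract should be stated, for example `/** Deletes all service resources and tag-resource maps of the service; when isResourcePrivateTag is true the mapped tags are deleted as well. */`, with the parameter renamed to `isResourcePrivateTag`.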

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
index 0729339..58d99bb 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
@@ -37,6 +37,7 @@ import com.google.gson.GsonBuilder;
 
 public class PolicyRefresher extends Thread {
 	private static final Log LOG = LogFactory.getLog(PolicyRefresher.class);
+	private static final Log PERF_LOG = RangerPerfTracer.getPerfLogger("policy");
 
 	private final RangerBasePlugin  plugIn;
 	private final String            serviceType;
@@ -171,7 +172,13 @@ public class PolicyRefresher extends Thread {
 			LOG.debug("==> PolicyRefresher(serviceName=" + serviceName + ").loadPolicy()");
 		}
 
-		//load policy from PolicyAmdin
+		RangerPerfTracer perf = null;
+
+		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "PolicyRefresher.loadPolicy(serviceName=" + serviceName + ")");
+		}
+
+		//load policy from PolicyAdmin
 		ServicePolicies svcPolicies = loadPolicyfromPolicyAdmin();
 
 		if ( svcPolicies == null) {
@@ -183,6 +190,8 @@ public class PolicyRefresher extends Thread {
 			saveToCache(svcPolicies);
 		}
 
+		RangerPerfTracer.log(perf);
+
 		if (svcPolicies != null) {
 			plugIn.setPolicies(svcPolicies);
 			policiesSetInPlugin = true;
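Review bot: `RangerPerfTracer.log(perf)` sits before `plugIn.setPolicies(svcPolicies)`, so the trace tagged `PolicyRefresher.loadPolicy(...)` covers the fetch and the cache save but not applying the policies to the plugin, and it is skipped altogether if either step throws. If the intent is to time the whole refresh, move the call after the `setPolicies` block or into a `finally`; otherwise a comment such as `// perf: covers fetch and cache save only` would avoid misreading the numbers. The method starts and ends outside this hunk.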

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
index b59ae1f..f199c44 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/policyengine/TestPolicyEngine.java
@@ -219,7 +219,7 @@ public class TestPolicyEngine {
 
 		policyEngineOptions.disableTagPolicyEvaluation = false;
 
-		policyEngine = new RangerPolicyEngineImpl("test-policyengine", servicePolicies, policyEngineOptions);
+		policyEngine = new RangerPolicyEngineImpl(testName, servicePolicies, policyEngineOptions);
 
 		RangerAccessRequest request = null;
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/agents-common/src/test/resources/log4j.properties
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/log4j.properties b/agents-common/src/test/resources/log4j.properties
deleted file mode 100644
index cb409e8..0000000
--- a/agents-common/src/test/resources/log4j.properties
+++ /dev/null
@@ -1,35 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-##-- To prevent junits from cluttering the build run by default all test runs send output to null appender 
-log4j.appender.devnull=org.apache.log4j.varia.NullAppender
-ranger.root.logger=FATAL,devnull
-
-##-- uncomment the following line during during development/debugging so see debug messages during test run to be emitted to console
-# ranger.root.logger=DEBUG,console
-
-log4j.rootLogger=${ranger.root.logger}
-
-# Logging Threshold
-log4j.threshold=ALL
-
-#
-# console
-# Add "console" to rootlogger above if you want to use this
-#
-log4j.appender.console=org.apache.log4j.ConsoleAppender
-log4j.appender.console.target=System.err
-log4j.appender.console.layout=org.apache.log4j.PatternLayout
-log4j.appender.console.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c{2}: %m%n

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/agents-common/src/test/resources/log4j.xml
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/log4j.xml b/agents-common/src/test/resources/log4j.xml
new file mode 100644
index 0000000..48ed214
--- /dev/null
+++ b/agents-common/src/test/resources/log4j.xml
@@ -0,0 +1,53 @@
+<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
+
+<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/" debug="false">
+
+    <appender name="console" class="org.apache.log4j.ConsoleAppender">
+        <param name="target" value="System.err" />
+        <layout class="org.apache.log4j.PatternLayout">
+            <param name="ConversionPattern" value="%d{ISO8601} %-5p [%t] %c{2}: %m%n" />
+        </layout>
+    </appender>
+
+    <!--
+    <appender name="perf_appender" class="org.apache.log4j.DailyRollingFileAppender">
+        <param name="file" value="./ranger_admin_perf_test.log" />
+        <param name="datePattern" value="'.'yyyy-MM-dd" />
+        <param name="append" value="true" />
+        <layout class="org.apache.log4j.PatternLayout">
+            <param name="ConversionPattern" value="%d [%t] %m%n" />
+        </layout>
+    </appender>
+
+    <category name="ranger.perf" additivity="false">
+        <priority value="info" />
+        <appender-ref ref="perf_appender" />
+    </category>
+
+    <category name="ranger.perf.policy" additivity="false">
+        <priority value="warn" />
+        <appender-ref ref="perf_appender" />
+    </category>
+
+    <category name="ranger.perf.item" additivity="false">
+        <priority value="warn" />
+        <appender-ref ref="perf_appender" />
+    </category>
+
+    <category name="ranger.perf.condition" additivity="false">
+        <priority value="warn" />
+        <appender-ref ref="perf_appender" />
+    </category>
+
+    <category name="ranger.perf.enricher" additivity="false">
+        <priority value="warn" />
+        <appender-ref ref="perf_appender" />
+    </category>
+    -->
+
+    <root>
+        <priority value="warn" />
+        <appender-ref ref="console" />
+    </root>
+
+</log4j:configuration>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/security-admin/.gitignore
----------------------------------------------------------------------
diff --git a/security-admin/.gitignore b/security-admin/.gitignore
index bf7dc37..5a3a673 100644
--- a/security-admin/.gitignore
+++ b/security-admin/.gitignore
@@ -1,8 +1,6 @@
 /target/
 /bin/
-/bin/
 /target
 .settings/
 .pydevproject
-log4j.xml
 *.log

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java
index e3adc1d..6e164f3 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java
@@ -114,7 +114,7 @@ public class RangerPolicyRetriever {
 		RangerPerfTracer   perf = null;
 
 		if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
-			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerPolicyRetriever.getServicePolicies(serviceName=" + serviceName + ", serviceId=" + serviceId + ")");
+			perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerPolicyRetriever.getServicePolicies(serviceName=" + serviceName + ",serviceId=" + serviceId + ")");
 		}
 
 		if(xService != null) {

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/security-admin/src/main/java/org/apache/ranger/biz/RangerTagDBRetriever.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerTagDBRetriever.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerTagDBRetriever.java
new file mode 100644
index 0000000..6cc4e5e
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerTagDBRetriever.java
@@ -0,0 +1,597 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.biz;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.ListIterator;
+import java.util.Map;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.authorization.utils.StringUtil;
+import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.entity.*;
+import org.apache.ranger.plugin.model.*;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.util.RangerPerfTracer;
+
+
+public class RangerTagDBRetriever {
+	static final Log LOG = LogFactory.getLog(RangerTagDBRetriever.class);
+	static final Log PERF_LOG = RangerPerfTracer.getPerfLogger("db.RangerTagDBRetriever");
+
+	private final RangerDaoManager daoMgr;
+	private final XXService xService;
+	private final LookupCache lookupCache;
+
+	private List<RangerServiceResource> serviceResources;
+	private Map<Long, RangerTagDef> tagDefs;
+	private Map<Long, RangerTag> tags;
+	private List<RangerTagResourceMap> tagResourceMaps;
+
+
+	public RangerTagDBRetriever(final RangerDaoManager daoMgr, final XXService xService) {
+		this.daoMgr = daoMgr;
+		this.xService = xService;
+		this.lookupCache = new LookupCache();
+
+
+		if (this.daoMgr != null && this.xService != null) {
+
+			RangerPerfTracer perf = null;
+
+			if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+				perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "RangerTagDBReceiver-Optimized(serviceName=" + xService.getName());
+			}
+
+			TagRetrieverServiceResourceContext serviceResourceContext = new TagRetrieverServiceResourceContext(xService);
+			TagRetrieverTagDefContext tagDefContext = new TagRetrieverTagDefContext(xService);
+			TagRetrieverTagContext tagContext = new TagRetrieverTagContext(xService);
+
+			serviceResources = serviceResourceContext.getAllServiceResources();
+			tagDefs = tagDefContext.getAllTagDefs();
+			tags = tagContext.getAllTags();
+			tagResourceMaps = getAllTagResourceMaps();
+
+			RangerPerfTracer.log(perf);
+
+		}
+	}
+
+	public List<RangerTagResourceMap> getTagResourceMaps() {
+		return tagResourceMaps;
+	}
+
+	public List<RangerServiceResource> getServiceResources() {
+		return serviceResources;
+	}
+
+	public Map<Long, RangerTagDef> getTagDefs() {
+		return tagDefs;
+	}
+
+	public Map<Long, RangerTag> getTags() {
+		return tags;
+	}
+
+	private List<RangerTagResourceMap> getAllTagResourceMaps() {
+
+		List<XXTagResourceMap> xTagResourceMaps = daoMgr.getXXTagResourceMap().findByServiceId(xService.getId());
+		ListIterator<XXTagResourceMap> iterTagResourceMap = xTagResourceMaps.listIterator();
+
+		List<RangerTagResourceMap> ret = new ArrayList<RangerTagResourceMap>();
+
+		while (iterTagResourceMap.hasNext()) {
+
+			XXTagResourceMap xTagResourceMap = iterTagResourceMap.next();
+
+			if (xTagResourceMap != null) {
+
+				RangerTagResourceMap tagResourceMap = new RangerTagResourceMap();
+
+				tagResourceMap.setId(xTagResourceMap.getId());
+				tagResourceMap.setGuid(xTagResourceMap.getGuid());
+				tagResourceMap.setCreatedBy(lookupCache.getUserScreenName(xTagResourceMap.getAddedByUserId()));
+				tagResourceMap.setUpdatedBy(lookupCache.getUserScreenName(xTagResourceMap.getUpdatedByUserId()));
+				tagResourceMap.setCreateTime(xTagResourceMap.getCreateTime());
+				tagResourceMap.setUpdateTime(xTagResourceMap.getUpdateTime());
+				tagResourceMap.setResourceId(xTagResourceMap.getResourceId());
+				tagResourceMap.setTagId(xTagResourceMap.getTagId());
+
+				ret.add(tagResourceMap);
+			}
+		}
+		return ret;
+	}
+
+	static <T> List<T> asList(T obj) {
+		List<T> ret = new ArrayList<T>();
+
+		if (obj != null) {
+			ret.add(obj);
+		}
+
+		return ret;
+	}
+
+	private class LookupCache {
+		final Map<Long, String> userScreenNames = new HashMap<Long, String>();
+		final Map<Long, String> resourceDefs = new HashMap<Long, String>();
+
+		String getUserScreenName(Long userId) {
+			String ret = null;
+
+			if (userId != null) {
+				ret = userScreenNames.get(userId);
+
+				if (ret == null) {
+					XXPortalUser user = daoMgr.getXXPortalUser().getById(userId);
+
+					if (user != null) {
+						ret = user.getPublicScreenName();
+
+						if (StringUtil.isEmpty(ret)) {
+							ret = user.getFirstName();
+
+							if (StringUtil.isEmpty(ret)) {
+								ret = user.getLoginId();
+							} else {
+								if (!StringUtil.isEmpty(user.getLastName())) {
+									ret += (" " + user.getLastName());
+								}
+							}
+						}
+
+						if (ret != null) {
+							userScreenNames.put(userId, ret);
+						}
+					}
+				}
+			}
+
+			return ret;
+		}
+
+		String getResourceName(Long resourceDefId) {
+			String ret = null;
+
+			if (resourceDefId != null) {
+				ret = resourceDefs.get(resourceDefId);
+
+				if (ret == null) {
+					XXResourceDef xResourceDef = daoMgr.getXXResourceDef().getById(resourceDefId);
+
+					if (xResourceDef != null) {
+						ret = xResourceDef.getName();
+
+						resourceDefs.put(resourceDefId, ret);
+					}
+				}
+			}
+
+			return ret;
+		}
+	}
+
+	private class TagRetrieverServiceResourceContext {
+
+		final XXService service;
+		final ListIterator<XXServiceResource> iterServiceResource;
+		final ListIterator<XXServiceResourceElement> iterServiceResourceElement;
+		final ListIterator<XXServiceResourceElementValue> iterServiceResourceElementValue;
+
+		TagRetrieverServiceResourceContext(XXService xService) {
+			Long serviceId = xService == null ? null : xService.getId();
+
+			List<XXServiceResource> xServiceResources = daoMgr.getXXServiceResource().findTaggedResourcesInServiceId(serviceId);
+			List<XXServiceResourceElement> xServiceResourceElements = daoMgr.getXXServiceResourceElement().findByServiceId(serviceId);
+			List<XXServiceResourceElementValue> xServiceResourceElementValues = daoMgr.getXXServiceResourceElementValue().findByServiceId(serviceId);
+
+			this.service = xService;
+			this.iterServiceResource = xServiceResources.listIterator();
+			this.iterServiceResourceElement = xServiceResourceElements.listIterator();
+			this.iterServiceResourceElementValue = xServiceResourceElementValues.listIterator();
+
+		}
+
+		TagRetrieverServiceResourceContext(XXServiceResource xServiceResource, XXService xService) {
+			Long resourceId = xServiceResource == null ? null : xServiceResource.getId();
+
+			List<XXServiceResource> xServiceResources = asList(xServiceResource);
+			List<XXServiceResourceElement> xServiceResourceElements = daoMgr.getXXServiceResourceElement().findByResourceId(resourceId);
+			List<XXServiceResourceElementValue> xServiceResourceElementValues = daoMgr.getXXServiceResourceElementValue().findByResourceId(resourceId);
+
+			this.service = xService;
+			this.iterServiceResource = xServiceResources.listIterator();
+			this.iterServiceResourceElement = xServiceResourceElements.listIterator();
+			this.iterServiceResourceElementValue = xServiceResourceElementValues.listIterator();
+
+		}
+
+		List<RangerServiceResource> getAllServiceResources() {
+			List<RangerServiceResource> ret = new ArrayList<RangerServiceResource>();
+
+			while (iterServiceResource.hasNext()) {
+				RangerServiceResource serviceResource = getNextServiceResource();
+
+				if (serviceResource != null) {
+					ret.add(serviceResource);
+				}
+			}
+
+			if (!hasProcessedAll()) {
+				LOG.warn("getAllServiceResources(): perhaps one or more serviceResources got updated during retrieval. Using fallback ... ");
+
+				ret = getServiceResourcesBySecondary();
+			}
+
+			return ret;
+		}
+
+		RangerServiceResource getNextServiceResource() {
+			RangerServiceResource ret = null;
+
+			if (iterServiceResource.hasNext()) {
+				XXServiceResource xServiceResource = iterServiceResource.next();
+
+				if (xServiceResource != null) {
+					ret = new RangerServiceResource();
+
+					ret.setId(xServiceResource.getId());
+					ret.setGuid(xServiceResource.getGuid());
+					ret.setIsEnabled(xServiceResource.getIsEnabled());
+					ret.setCreatedBy(lookupCache.getUserScreenName(xServiceResource.getAddedByUserId()));
+					ret.setUpdatedBy(lookupCache.getUserScreenName(xServiceResource.getUpdatedByUserId()));
+					ret.setCreateTime(xServiceResource.getCreateTime());
+					ret.setUpdateTime(xServiceResource.getUpdateTime());
+					ret.setVersion(xServiceResource.getVersion());
+					ret.setResourceSignature(xServiceResource.getResourceSignature());
+
+					getServiceResourceElements(ret);
+				}
+			}
+
+			return ret;
+		}
+
+		void getServiceResourceElements(RangerServiceResource serviceResource) {
+			while (iterServiceResourceElement.hasNext()) {
+				XXServiceResourceElement xServiceResourceElement = iterServiceResourceElement.next();
+
+				if (xServiceResourceElement.getResourceId().equals(serviceResource.getId())) {
+					RangerPolicyResource resource = new RangerPolicyResource();
+
+					resource.setIsExcludes(xServiceResourceElement.getIsExcludes());
+					resource.setIsRecursive(xServiceResourceElement.getIsRecursive());
+
+					while (iterServiceResourceElementValue.hasNext()) {
+						XXServiceResourceElementValue xServiceResourceElementValue = iterServiceResourceElementValue.next();
+
+						if (xServiceResourceElementValue.getResElementId().equals(xServiceResourceElement.getId())) {
+							resource.getValues().add(xServiceResourceElementValue.getValue());
+						} else {
+							if (iterServiceResourceElementValue.hasPrevious()) {
+								iterServiceResourceElementValue.previous();
+							}
+							break;
+						}
+					}
+
+					serviceResource.getResourceElements().put(lookupCache.getResourceName(xServiceResourceElement.getResDefId()), resource);
+				} else if (xServiceResourceElement.getResourceId().compareTo(serviceResource.getId()) > 0) {
+					if (iterServiceResourceElement.hasPrevious()) {
+						iterServiceResourceElement.previous();
+					}
+					break;
+				}
+			}
+		}
+
+		boolean hasProcessedAll() {
+			boolean moreToProcess = iterServiceResource.hasNext()
+					|| iterServiceResourceElement.hasNext()
+					|| iterServiceResourceElementValue.hasNext();
+			return !moreToProcess;
+		}
+
+		List<RangerServiceResource> getServiceResourcesBySecondary() {
+			List<RangerServiceResource> ret = null;
+
+			if (service != null) {
+				List<XXServiceResource> xServiceResources = daoMgr.getXXServiceResource().findByServiceId(service.getId());
+
+				if (CollectionUtils.isNotEmpty(xServiceResources)) {
+					ret = new ArrayList<RangerServiceResource>(xServiceResources.size());
+
+					for (XXServiceResource xServiceResource : xServiceResources) {
+						TagRetrieverServiceResourceContext ctx = new TagRetrieverServiceResourceContext(xServiceResource, service);
+
+						RangerServiceResource serviceResource = ctx.getNextServiceResource();
+
+						if (serviceResource != null) {
+							ret.add(serviceResource);
+						}
+					}
+				}
+			}
+			return ret;
+		}
+	}
+
+	private class TagRetrieverTagDefContext {
+
+		final XXService service;
+		final ListIterator<XXTagDef> iterTagDef;
+		final ListIterator<XXTagAttributeDef> iterTagAttributeDef;
+
+
+		TagRetrieverTagDefContext(XXService xService) {
+			Long serviceId = xService == null ? null : xService.getId();
+
+			List<XXTagDef> xTagDefs = daoMgr.getXXTagDef().findByServiceId(serviceId);
+			List<XXTagAttributeDef> xTagAttributeDefs = daoMgr.getXXTagAttributeDef().findByServiceId(serviceId);
+
+			this.service = xService;
+			this.iterTagDef = xTagDefs.listIterator();
+			this.iterTagAttributeDef = xTagAttributeDefs.listIterator();
+		}
+
+		TagRetrieverTagDefContext(XXTagDef xTagDef, XXService xService) {
+			Long tagDefId = xTagDef == null ? null : xTagDef.getId();
+
+			List<XXTagDef> xTagDefs = asList(xTagDef);
+			List<XXTagAttributeDef> xTagAttributeDefs = daoMgr.getXXTagAttributeDef().findByTagDefId(tagDefId);
+
+			this.service = xService;
+			this.iterTagDef = xTagDefs.listIterator();
+			this.iterTagAttributeDef = xTagAttributeDefs.listIterator();
+		}
+
+		Map<Long, RangerTagDef> getAllTagDefs() {
+			Map<Long, RangerTagDef> ret = new HashMap<Long, RangerTagDef>();
+
+			while (iterTagDef.hasNext()) {
+				RangerTagDef tagDef = getNextTagDef();
+
+				if (tagDef != null) {
+					ret.put(tagDef.getId(), tagDef);
+				}
+			}
+
+			if (!hasProcessedAllTagDefs()) {
+				LOG.warn("getAllTagDefs(): perhaps one or more tag-definitions got updated during retrieval.  Using fallback ... ");
+
+				ret = getTagDefsBySecondary();
+
+			}
+
+			return ret;
+		}
+
+		RangerTagDef getNextTagDef() {
+			RangerTagDef ret = null;
+
+			if (iterTagDef.hasNext()) {
+				XXTagDef xTagDef = iterTagDef.next();
+
+				if (xTagDef != null) {
+					ret = new RangerTagDef();
+
+					ret.setId(xTagDef.getId());
+					ret.setGuid(xTagDef.getGuid());
+					ret.setIsEnabled(xTagDef.getIsEnabled());
+					ret.setCreatedBy(lookupCache.getUserScreenName(xTagDef.getAddedByUserId()));
+					ret.setUpdatedBy(lookupCache.getUserScreenName(xTagDef.getUpdatedByUserId()));
+					ret.setCreateTime(xTagDef.getCreateTime());
+					ret.setUpdateTime(xTagDef.getUpdateTime());
+					ret.setVersion(xTagDef.getVersion());
+					ret.setName(xTagDef.getName());
+					ret.setSource(xTagDef.getSource());
+
+					getTagAttributeDefs(ret);
+				}
+			}
+
+			return ret;
+		}
+
+		void getTagAttributeDefs(RangerTagDef tagDef) {
+			while (iterTagAttributeDef.hasNext()) {
+				XXTagAttributeDef xTagAttributeDef = iterTagAttributeDef.next();
+
+				if (xTagAttributeDef.getTagDefId().equals(tagDef.getId())) {
+					RangerTagDef.RangerTagAttributeDef tagAttributeDef = new RangerTagDef.RangerTagAttributeDef();
+
+					tagAttributeDef.setName(xTagAttributeDef.getName());
+					tagAttributeDef.setType(xTagAttributeDef.getType());
+
+					tagDef.getAttributeDefs().add(tagAttributeDef);
+				} else if (xTagAttributeDef.getTagDefId().compareTo(tagDef.getId()) > 0) {
+					if (iterTagAttributeDef.hasPrevious()) {
+						iterTagAttributeDef.previous();
+					}
+					break;
+				}
+			}
+		}
+
+		boolean hasProcessedAllTagDefs() {
+			boolean moreToProcess = iterTagAttributeDef.hasNext();
+			return !moreToProcess;
+		}
+
+		Map<Long, RangerTagDef> getTagDefsBySecondary() {
+			Map<Long, RangerTagDef> ret = null;
+
+			if (service != null) {
+				List<XXTagDef> xTagDefs = daoMgr.getXXTagDef().findByServiceId(service.getId());
+
+				if (CollectionUtils.isNotEmpty(xTagDefs)) {
+					ret = new HashMap<Long, RangerTagDef>(xTagDefs.size());
+
+					for (XXTagDef xTagDef : xTagDefs) {
+						TagRetrieverTagDefContext ctx = new TagRetrieverTagDefContext(xTagDef, service);
+
+						RangerTagDef tagDef = ctx.getNextTagDef();
+
+						if (tagDef != null) {
+							ret.put(tagDef.getId(), tagDef);
+						}
+					}
+				}
+			}
+			return ret;
+		}
+	}
+
+	private class TagRetrieverTagContext {
+
+		final XXService service;
+		final ListIterator<XXTag> iterTag;
+		final ListIterator<XXTagAttribute> iterTagAttribute;
+
+		TagRetrieverTagContext(XXService xService) {
+			Long serviceId = xService == null ? null : xService.getId();
+
+			List<XXTag> xTags = daoMgr.getXXTag().findByServiceId(serviceId);
+			List<XXTagAttribute> xTagAttributes = daoMgr.getXXTagAttribute().findByServiceId(serviceId);
+
+			this.service = xService;
+			this.iterTag = xTags.listIterator();
+			this.iterTagAttribute = xTagAttributes.listIterator();
+
+		}
+
+		TagRetrieverTagContext(XXTag xTag, XXService xService) {
+			Long tagId = xTag == null ? null : xTag.getId();
+
+			List<XXTag> xTags = asList(xTag);
+			List<XXTagAttribute> xTagAttributes = daoMgr.getXXTagAttribute().findByTagId(tagId);
+
+			this.service = xService;
+			this.iterTag = xTags.listIterator();
+			this.iterTagAttribute = xTagAttributes.listIterator();
+		}
+
+
+		Map<Long, RangerTag> getAllTags() {
+			Map<Long, RangerTag> ret = new HashMap<Long, RangerTag>();
+
+			while (iterTag.hasNext()) {
+				RangerTag tag = getNextTag();
+
+				if (tag != null) {
+					ret.put(tag.getId(), tag);
+				}
+			}
+
+			if (!hasProcessedAllTags()) {
+				LOG.warn("getAllTags(): perhaps one or more tags got updated during retrieval. Using fallback ... ");
+
+				ret = getTagsBySecondary();
+			}
+
+			return ret;
+		}
+
+		RangerTag getNextTag() {
+			RangerTag ret = null;
+
+			if (iterTag.hasNext()) {
+				XXTag xTag = iterTag.next();
+
+				if (xTag != null) {
+					ret = new RangerTag();
+
+					ret.setId(xTag.getId());
+					ret.setGuid(xTag.getGuid());
+					ret.setCreatedBy(lookupCache.getUserScreenName(xTag.getAddedByUserId()));
+					ret.setUpdatedBy(lookupCache.getUserScreenName(xTag.getUpdatedByUserId()));
+					ret.setCreateTime(xTag.getCreateTime());
+					ret.setUpdateTime(xTag.getUpdateTime());
+					ret.setVersion(xTag.getVersion());
+
+					Map<Long, RangerTagDef> tagDefs = getTagDefs();
+					if (tagDefs != null) {
+						RangerTagDef tagDef = tagDefs.get(xTag.getType());
+						if (tagDef != null) {
+							ret.setType(tagDef.getName());
+						}
+					}
+
+					getTagAttributes(ret);
+				}
+			}
+
+			return ret;
+		}
+
+		void getTagAttributes(RangerTag tag) {
+			while (iterTagAttribute.hasNext()) {
+				XXTagAttribute xTagAttribute = iterTagAttribute.next();
+
+				if (xTagAttribute.getTagId().equals(tag.getId())) {
+					String attributeName = xTagAttribute.getName();
+					String attributeValue = xTagAttribute.getValue();
+
+
+					tag.getAttributes().put(attributeName, attributeValue);
+				} else if (xTagAttribute.getTagId().compareTo(tag.getId()) > 0) {
+					if (iterTagAttribute.hasPrevious()) {
+						iterTagAttribute.previous();
+					}
+					break;
+				}
+			}
+		}
+
+		boolean hasProcessedAllTags() {
+			boolean moreToProcess = iterTagAttribute.hasNext();
+			return !moreToProcess;
+		}
+
+		Map<Long, RangerTag> getTagsBySecondary() {
+			Map<Long, RangerTag> ret = null;
+
+			if (service != null) {
+				List<XXTag> xTags = daoMgr.getXXTag().findByServiceId(service.getId());
+
+				if (CollectionUtils.isNotEmpty(xTags)) {
+					ret = new HashMap<Long, RangerTag>(xTags.size());
+
+					for (XXTag xTag : xTags) {
+						TagRetrieverTagContext ctx = new TagRetrieverTagContext(xTag, service);
+
+						RangerTag tag = ctx.getNextTag();
+
+						if (tag != null) {
+							ret.put(tag.getId(), tag);
+						}
+					}
+				}
+			}
+			return ret;
+		}
+	}
+}
+
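Review bot: `getServiceResourcesBySecondary()`, `getTagDefsBySecondary()` and `getTagsBySecondary()` start from `ret = null` and return it unchanged when the fallback query finds no rows, whereas the primary path always returns an empty collection, so the public getters can yield either. The TagDBStore hunk in this commit assigns `getTagDefs()` and `getTags()` directly to `tagDefMap` and `tagMap`; whether they are null-checked afterwards is outside the visible lines. Initialising the result up front, e.g. `Map<Long, RangerTag> ret = new HashMap<Long, RangerTag>();`, makes both paths agree. The resource fallback also calls `findByServiceId` where the primary path calls `findTaggedResourcesInServiceId`, which presumably widens the result to untagged resources and deserves a comment if intended. A class-level comment stating that the merge loops rely on the DAO queries returning rows ordered by parent id would help too, since that ordering is not visible here and this data presumably feeds tag-based policy evaluation.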

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java
index 300ba8d..f89a434 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java
@@ -846,26 +846,14 @@ public class TagDBStore extends AbstractTagStore {
 				throw new Exception("service-def does not exist. id=" + xxService.getType());
 			}
 
-			List<RangerTagDef>          tagDefs         = rangerTagDefService.getTagDefsByServiceId(xxService.getId());
-			List<RangerTag>             tags            = rangerTagService.getTagsByServiceId(xxService.getId());
-			List<RangerServiceResource> resources       = rangerServiceResourceService.getTaggedResourcesInServiceId(xxService.getId());
-			List<RangerTagResourceMap>  tagResourceMaps = rangerTagResourceMapService.getTagResourceMapsByServiceId(xxService.getId());
+			RangerTagDBRetriever tagDBRetriever = new RangerTagDBRetriever(daoManager, xxService);
 
-			Map<Long, RangerTagDef> tagDefMap        = new HashMap<Long, RangerTagDef>();
-			Map<Long, RangerTag>    tagMap           = new HashMap<Long, RangerTag>();
-			Map<Long, List<Long>>   resourceToTagIds = new HashMap<Long, List<Long>>();
-			
-			if(CollectionUtils.isNotEmpty(tagDefs)) {
-				for(RangerTagDef tagDef : tagDefs) {
-					tagDefMap.put(tagDef.getId(), tagDef);
-				}
-			}
+			Map<Long, RangerTagDef> tagDefMap = tagDBRetriever.getTagDefs();
+			Map<Long, RangerTag> tagMap = tagDBRetriever.getTags();
+			List<RangerServiceResource> resources = tagDBRetriever.getServiceResources();
+			List<RangerTagResourceMap>  tagResourceMaps = tagDBRetriever.getTagResourceMaps();
 
-			if(CollectionUtils.isNotEmpty(tags)) {
-				for(RangerTag tag : tags) {
-					tagMap.put(tag.getId(), tag);
-				}
-			}
+			Map<Long, List<Long>>   resourceToTagIds = new HashMap<Long, List<Long>>();
 
 			if(CollectionUtils.isNotEmpty(tagResourceMaps)) {
 				Long       resourceId = null;

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/security-admin/src/main/java/org/apache/ranger/db/XXServiceResourceElementDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXServiceResourceElementDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXServiceResourceElementDao.java
index 8e2baab..56abeaf 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXServiceResourceElementDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXServiceResourceElementDao.java
@@ -46,4 +46,16 @@ public class XXServiceResourceElementDao extends BaseDao<XXServiceResourceElemen
 		}
 	}
 
+	public List<XXServiceResourceElement> findByServiceId(Long serviceId) {
+		if (serviceId == null) {
+			return new ArrayList<XXServiceResourceElement>();
+		}
+		try {
+			return getEntityManager().createNamedQuery("XXServiceResourceElement.findByServiceId", tClass)
+					.setParameter("serviceId", serviceId)
+					.getResultList();
+		} catch (NoResultException e) {
+			return new ArrayList<XXServiceResourceElement>();
+		}
+	}
 }
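Review bot: The `catch (NoResultException e)` around `getResultList()` in `findByServiceId` is unreachable, because JPA's `getResultList()` returns an empty list when nothing matches and only `getSingleResult()` throws that exception. The method can be reduced to the null guard followed by the plain `return getEntityManager().createNamedQuery("XXServiceResourceElement.findByServiceId", tClass).setParameter("serviceId", serviceId).getResultList();`. The same pattern is repeated in the methods added to XXServiceResourceElementValueDao, XXTagAttributeDao, XXTagAttributeDefDao and XXTagDefDao. Earlier methods of this class are outside the hunk and may already follow the pattern, in which case this is a cleanup for the whole file rather than this method alone.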

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/security-admin/src/main/java/org/apache/ranger/db/XXServiceResourceElementValueDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXServiceResourceElementValueDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXServiceResourceElementValueDao.java
index 04942a7..48cdbbb 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXServiceResourceElementValueDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXServiceResourceElementValueDao.java
@@ -58,4 +58,29 @@ public class XXServiceResourceElementValueDao extends BaseDao<XXServiceResourceE
 		}
 	}
 
+	@SuppressWarnings("unchecked")
+	public List<XXServiceResourceElementValue> findByServiceId(Long serviceId) {
+		if (serviceId == null) {
+			return new ArrayList<XXServiceResourceElementValue>();
+		}
+		try {
+			return getEntityManager().createNamedQuery("XXServiceResourceElementValue.findByServiceId")
+					.setParameter("serviceId", serviceId).getResultList();
+		} catch (NoResultException e) {
+			return new ArrayList<XXServiceResourceElementValue>();
+		}
+	}
+
+	@SuppressWarnings("unchecked")
+	public List<XXServiceResourceElementValue> findByResourceId(Long resourceId) {
+		if (resourceId == null) {
+			return new ArrayList<XXServiceResourceElementValue>();
+		}
+		try {
+			return getEntityManager().createNamedQuery("XXServiceResourceElementValue.findByResourceId")
+					.setParameter("resourceId", resourceId).getResultList();
+		} catch (NoResultException e) {
+			return new ArrayList<XXServiceResourceElementValue>();
+		}
+	}
 }
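Review bot: Both added methods call the untyped `createNamedQuery(String)` and silence the resulting warning with `@SuppressWarnings("unchecked")`, while the sibling DAOs in this commit pass `tClass` and need no suppression. Using `createNamedQuery("XXServiceResourceElementValue.findByServiceId", tClass)`, and the same form for `findByResourceId`, lets the compiler check the element type. RangerTagDBRetriever consumes these lists in a merge loop keyed on `getResElementId()`, so a short Javadoc stating the ordering the named query guarantees would be worth adding; the query definition is not visible here.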

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/security-admin/src/main/java/org/apache/ranger/db/XXTagAttributeDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXTagAttributeDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXTagAttributeDao.java
index 5ba3b74..c993477 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXTagAttributeDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXTagAttributeDao.java
@@ -45,4 +45,27 @@ public class XXTagAttributeDao extends BaseDao<XXTagAttribute> {
 		}
 	}
 
+	public List<XXTagAttribute> findByServiceId(Long serviceId) {
+		if (serviceId == null) {
+			return new ArrayList<XXTagAttribute>();
+		}
+		try {
+			return getEntityManager().createNamedQuery("XXTagAttribute.findByServiceId", tClass)
+					.setParameter("serviceId", serviceId).getResultList();
+		} catch (NoResultException e) {
+			return new ArrayList<XXTagAttribute>();
+		}
+	}
+
+	public List<XXTagAttribute> findByResourceId(Long resourceId) {
+		if (resourceId == null) {
+			return new ArrayList<XXTagAttribute>();
+		}
+		try {
+			return getEntityManager().createNamedQuery("XXTagAttribute.findByResourceId", tClass)
+					.setParameter("resourceId", resourceId).getResultList();
+		} catch (NoResultException e) {
+			return new ArrayList<XXTagAttribute>();
+		}
+	}
 }
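Review bot: `findByResourceId` is added without Javadoc and has no caller in the visible part of this commit: RangerTagDBRetriever uses only `findByServiceId` and `findByTagId` on this DAO, so it is unclear what `resourceId` means for a tag attribute. A one-line comment naming the relation the `XXTagAttribute.findByResourceId` query joins on, and the intended caller, would make the method reviewable; the query definition is not shown here. The same applies to the `findByResourceId` methods added to XXTagAttributeDefDao and XXTagDefDao. Callers may exist in files outside this chunk.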

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/security-admin/src/main/java/org/apache/ranger/db/XXTagAttributeDefDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXTagAttributeDefDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXTagAttributeDefDao.java
index c8cb91d..56b5d1a 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXTagAttributeDefDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXTagAttributeDefDao.java
@@ -45,4 +45,27 @@ public class XXTagAttributeDefDao extends BaseDao<XXTagAttributeDef> {
 		}
 	}
 
+	public List<XXTagAttributeDef> findByServiceId(Long serviceId) {
+		if (serviceId == null) {
+			return new ArrayList<XXTagAttributeDef>();
+		}
+		try {
+			return getEntityManager().createNamedQuery("XXTagAttributeDef.findByServiceId", tClass)
+					.setParameter("serviceId", serviceId).getResultList();
+		} catch (NoResultException e) {
+			return new ArrayList<XXTagAttributeDef>();
+		}
+	}
+
+	public List<XXTagAttributeDef> findByResourceId(Long resourceId) {
+		if (resourceId == null) {
+			return new ArrayList<XXTagAttributeDef>();
+		}
+		try {
+			return getEntityManager().createNamedQuery("XXTagAttributeDef.findByResourceId", tClass)
+					.setParameter("resourceId", resourceId).getResultList();
+		} catch (NoResultException e) {
+			return new ArrayList<XXTagAttributeDef>();
+		}
+	}
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7a80c8e3/security-admin/src/main/java/org/apache/ranger/db/XXTagDefDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXTagDefDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXTagDefDao.java
index 28ddfde..9a3ed59 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXTagDefDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXTagDefDao.java
@@ -100,4 +100,17 @@ public class XXTagDefDao extends BaseDao<XXTagDef> {
 			return;
 		}
 	}
+
+	public List<XXTagDef> findByResourceId(Long resourceId) {
+		if (resourceId == null) {
+			return new ArrayList<XXTagDef>();
+		}
+
+		try {
+			return getEntityManager().createNamedQuery("XXTagDef.findByResourceId", tClass)
+					.setParameter("resourceId", resourceId).getResultList();
+		} catch (NoResultException e) {
+			return new ArrayList<XXTagDef>();
+		}
+	}
 }



[04/26] incubator-ranger git commit: RANGER-736: added missing apache license header to source files

Posted by ma...@apache.org.
RANGER-736: added missing apache license header to source files


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/0b725f04
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/0b725f04
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/0b725f04

Branch: refs/heads/tag-policy
Commit: 0b725f04460b5422277dd0e1b362a121665296fa
Parents: d5c707f
Author: sneethiraj <sn...@apache.org>
Authored: Thu Nov 19 14:52:45 2015 -0500
Committer: sneethiraj <sn...@apache.org>
Committed: Thu Nov 19 14:52:45 2015 -0500

----------------------------------------------------------------------
 .../filter/RangerSSOAuthenticationFilter.java   | 19 ++++++++++++++++++
 .../security/web/filter/SSOAuthentication.java  | 21 +++++++++++++++++++-
 .../web/filter/SSOAuthenticationProperties.java | 19 ++++++++++++++++++
 3 files changed, 58 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0b725f04/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
index 960a25f..af3c58a 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
@@ -1,3 +1,22 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
 package org.apache.ranger.security.web.filter;
 
 import com.google.inject.Inject;

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0b725f04/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthentication.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthentication.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthentication.java
index b6c39e6..6fcadb7 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthentication.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthentication.java
@@ -1,3 +1,22 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
 package org.apache.ranger.security.web.filter;
 
 import com.nimbusds.jwt.SignedJWT;
@@ -52,4 +71,4 @@ public class SSOAuthentication implements Authentication {
   public Object getPrincipal() {
 	  return null;
   }  
-}
\ No newline at end of file
+}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0b725f04/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthenticationProperties.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthenticationProperties.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthenticationProperties.java
index aa29de0..e48e7e5 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthenticationProperties.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthenticationProperties.java
@@ -1,3 +1,22 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
 package org.apache.ranger.security.web.filter;
 
 import java.security.interfaces.RSAPublicKey;


[25/26] incubator-ranger git commit: RANGER-763: Optimize policy evaluation by reordering match-checks

Posted by ma...@apache.org.
RANGER-763: Optimize policy evaluation by reordering match-checks


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/a733b7c3
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/a733b7c3
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/a733b7c3

Branch: refs/heads/tag-policy
Commit: a733b7c3312f7bf954a233acaaf50ebf85b93b1b
Parents: 7a80c8e
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Wed Dec 2 11:36:19 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Wed Dec 2 11:36:19 2015 -0800

----------------------------------------------------------------------
 .../RangerAbstractPolicyEvaluator.java          |  6 +-
 .../RangerDefaultPolicyEvaluator.java           | 35 +++++-----
 .../RangerOptimizedPolicyEvaluator.java         | 69 ++++++++++----------
 3 files changed, 61 insertions(+), 49 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a733b7c3/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
index fa35f1c..adc7d8c 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerAbstractPolicyEvaluator.java
@@ -26,9 +26,9 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
 
-
 public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvaluator {
 	private static final Log LOG = LogFactory.getLog(RangerAbstractPolicyEvaluator.class);
 
@@ -65,6 +65,10 @@ public abstract class RangerAbstractPolicyEvaluator implements RangerPolicyEvalu
 		return policy != null && CollectionUtils.isNotEmpty(policy.getPolicyItems());
 	}
 
+	protected boolean hasMatchablePolicyItem(RangerAccessRequest request) {
+		return hasAllow() || hasDeny();
+	}
+
 	public boolean hasDeny() {
 		return policy != null && CollectionUtils.isNotEmpty(policy.getDenyPolicyItems());
 	}
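Review bot: The new `hasMatchablePolicyItem(RangerAccessRequest request)` has no Javadoc and ignores its `request` argument in this base class, so the contract that overriding classes must honour is not written down anywhere. RangerDefaultPolicyEvaluator, later in this commit, skips resource matching and `evaluatePolicyItems` whenever the method returns false, so an override that is too narrow would presumably skip deny items as well as allow items. I would add a Javadoc such as `/** Cheap pre-check: returns false only when no allow or deny item of this policy can apply to the request; overrides must err on the side of returning true. */`.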

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a733b7c3/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 439b58d..77fdb90 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -159,24 +159,29 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
             }
 
             if (!result.getIsAccessDetermined()) {
-                // Try Match only if it was not attempted as part of evaluating Audit requirement
-                if (!isResourceMatchAttempted) {
-                    isResourceMatch = isMatch(request.getResource());
-                    isResourceMatchAttempted = true;
-                }
 
-                // Try Head Match only if no match was found so far AND a head match was not attempted as part of evaluating
-                // Audit requirement
-                if (!isResourceMatch) {
-                    if (attemptResourceHeadMatch && !isResourceHeadMatchAttempted) {
-                        isResourceHeadMatch = matchResourceHead(request.getResource());
-                        isResourceHeadMatchAttempted = true;
+                // Attempt resource matching only if there may be a matchable policyItem
+                if (hasMatchablePolicyItem(request)) {
+
+                    // Try Match only if it was not attempted as part of evaluating Audit requirement
+                    if (!isResourceMatchAttempted) {
+                        isResourceMatch = isMatch(request.getResource());
+                        isResourceMatchAttempted = true;
                     }
-                }
 
-                // Go further to evaluate access only if match or head match was found at this point
-                if (isResourceMatch || isResourceHeadMatch) {
-                    evaluatePolicyItems(request, result, isResourceMatch);
+                    // Try Head Match only if no match was found so far AND a head match was not attempted as part of evaluating
+                    // Audit requirement
+                    if (!isResourceMatch) {
+                        if (attemptResourceHeadMatch && !isResourceHeadMatchAttempted) {
+                            isResourceHeadMatch = matchResourceHead(request.getResource());
+                            isResourceHeadMatchAttempted = true;
+                        }
+                    }
+
+                    // Go further to evaluate access only if match or head match was found at this point
+                    if (isResourceMatch || isResourceHeadMatch) {
+                        evaluatePolicyItems(request, result, isResourceMatch);
+                    }
                 }
             }
         }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a733b7c3/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
index 8cd854f..47dcd54 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerOptimizedPolicyEvaluator.java
@@ -26,7 +26,6 @@ import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerServiceDef;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
-import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
 import org.apache.ranger.plugin.util.RangerPerfTracer;
@@ -224,52 +223,56 @@ public class RangerOptimizedPolicyEvaluator extends RangerDefaultPolicyEvaluator
         return evalOrder;
     }
 
-	@Override
-	protected boolean isAccessAllowed(String user, Set<String> userGroups, String accessType) {
-		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + ")");
-		}
+    @Override
+    protected boolean isAccessAllowed(String user, Set<String> userGroups, String accessType) {
+        if(LOG.isDebugEnabled()) {
+            LOG.debug("==> RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + ")");
+        }
 
-		boolean ret = false;
+        boolean ret = hasMatchablePolicyItem(user, userGroups, accessType) && super.isAccessAllowed(user, userGroups, accessType);
 
-        if (hasPublicGroup || users.contains(user) || CollectionUtils.containsAny(groups, userGroups)) {
-			if (StringUtils.isEmpty(accessType)) {
-				accessType = RangerPolicyEngine.ANY_ACCESS;
-			}
+        if(LOG.isDebugEnabled()) {
+            LOG.debug("<== RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + "): " + ret);
+        }
+
+        return ret;
+    }
 
-			boolean isAnyAccess   = StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS);
-			boolean isAdminAccess = StringUtils.equals(accessType, RangerPolicyEngine.ADMIN_ACCESS);
+    @Override
+    protected boolean hasMatchablePolicyItem(RangerAccessRequest request) {
+        boolean ret = false;
 
-            if (isAnyAccess || (isAdminAccess && delegateAdmin) || hasAllPerms || accessPerms.contains(accessType)) {
-                ret = super.isAccessAllowed(user, userGroups, accessType);
+        if (hasPublicGroup || users.contains(request.getUser()) || CollectionUtils.containsAny(groups, request.getUserGroups())) {
+            if(request.isAccessTypeDelegatedAdmin()) {
+                ret = delegateAdmin;
+            } else if(hasAllPerms) {
+                ret = true;
+            } else {
+                ret = request.isAccessTypeAny() || accessPerms.contains(request.getAccessType());
             }
         }
 
-        if(LOG.isDebugEnabled()) {
-            LOG.debug("<== RangerOptimizedPolicyEvaluator.isAccessAllowed(" + user + ", " + userGroups + ", " + accessType + "): " + ret);
-        }
+        return ret;
+    }
 
-		return ret;
-	}
+    private boolean hasMatchablePolicyItem(String user, Set<String> userGroups, String accessType) {
+        boolean ret = false;
 
-	@Override
-    protected void evaluatePolicyItems(RangerAccessRequest request, RangerAccessResult result, boolean isResourceMatch) {
-        if(LOG.isDebugEnabled()) {
-            LOG.debug("==> RangerOptimizedPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + isResourceMatch + ")");
-        }
+        if (hasPublicGroup || users.contains(user) || CollectionUtils.containsAny(groups, userGroups)) {
+            boolean isAdminAccess = StringUtils.equals(accessType, RangerPolicyEngine.ADMIN_ACCESS);
 
-        if (hasPublicGroup || users.contains(request.getUser()) || CollectionUtils.containsAny(groups, request.getUserGroups())) {
-            // No need to reject based on users and groups
+            if(isAdminAccess) {
+	            ret = delegateAdmin;
+            } else if(hasAllPerms) {
+                ret = true;
+            } else {
+                boolean isAccessTypeAny = StringUtils.isEmpty(accessType) || StringUtils.equals(accessType, RangerPolicyEngine.ANY_ACCESS);
 
-            if (request.isAccessTypeAny() || (request.isAccessTypeDelegatedAdmin() && delegateAdmin) || hasAllPerms || accessPerms.contains(request.getAccessType())) {
-                // No need to reject based on aggregated access permissions
-                super.evaluatePolicyItems(request, result, isResourceMatch);
+	            ret = isAccessTypeAny || accessPerms.contains(accessType);
             }
         }
 
-        if(LOG.isDebugEnabled()) {
-            LOG.debug("<== RangerOptimizedPolicyEvaluator.evaluatePolicyItems(" + request + ", " + result + ", " + isResourceMatch + ")");
-        }
+        return ret;
     }
 
     private void preprocessPolicyItems(List<RangerPolicy.RangerPolicyItem> policyItems) {
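Review bot: The rewritten `isAccessAllowed` no longer replaces an empty `accessType` with `RangerPolicyEngine.ANY_ACCESS` before delegating. The private `hasMatchablePolicyItem` treats empty as "any", but `super.isAccessAllowed` now receives the raw empty string, and whether the parent handles that case is not visible in this hunk. Restoring `if (StringUtils.isEmpty(accessType)) { accessType = RangerPolicyEngine.ANY_ACCESS; }` ahead of the `boolean ret = ...` line keeps the old behaviour. The admin branch is also stricter than the condition it replaces, because `ret = delegateAdmin` no longer lets `hasAllPerms` or `accessPerms` admit an admin request; if that is intended, a one-line comment should say so. The two `hasMatchablePolicyItem` overloads duplicate the same decision and could share one helper taking `(user, userGroups, accessType, isAdmin, isAny)`.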


[21/26] incubator-ranger git commit: RANGER-749 : Ranger KMS to support multiple KMS instances with keys across multiple clusters

Posted by ma...@apache.org.
RANGER-749 : Ranger KMS to support multiple KMS instances with keys across multiple clusters


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/44d36543
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/44d36543
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/44d36543

Branch: refs/heads/tag-policy
Commit: 44d365434a37ccd5a4fb8fc2988d17c8d9098046
Parents: ec2ea92
Author: Gautam Borad <ga...@apache.org>
Authored: Wed Nov 25 13:48:14 2015 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Wed Dec 2 09:04:53 2015 +0530

----------------------------------------------------------------------
 kms/scripts/exportKeysToJCEKS.sh                |  19 +++
 kms/scripts/importJCEKSKeys.sh                  |   2 +-
 .../hadoop/crypto/key/Ranger2JKSUtil.java       | 134 +++++++++++++++++++
 .../hadoop/crypto/key/RangerKeyStore.java       |  40 +++++-
 src/main/assembly/kms.xml                       |   1 +
 5 files changed, 188 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/44d36543/kms/scripts/exportKeysToJCEKS.sh
----------------------------------------------------------------------
diff --git a/kms/scripts/exportKeysToJCEKS.sh b/kms/scripts/exportKeysToJCEKS.sh
new file mode 100644
index 0000000..03dbe48
--- /dev/null
+++ b/kms/scripts/exportKeysToJCEKS.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# -------------------------------------------------------------------------------------
+RANGER_KMS_HOME=`dirname $0`
+cp="${RANGER_KMS_HOME}/cred/lib/*:${RANGER_KMS_HOME}/./ews/webapp/WEB-INF/classes/conf/:${RANGER_KMS_HOME}/ews/webapp/config:${RANGER_KMS_HOME}/ews/lib/*:${RANGER_KMS_HOME}/ews/webapp/lib/*:${RANGER_KMS_HOME}/ews/webapp/META-INF"
+java -cp "${cp}" org.apache.hadoop.crypto.key.Ranger2JKSUtil ${1} ${2}
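Review bot: The keystore this script produces holds exported KMS key material, yet nothing here restricts the permissions of the output file. Ranger2JKSUtil creates it with `createNewFile()` and `FileOutputStream`, so it gets whatever the caller's umask allows. I would add `umask 077` on the line before the `java` call. The arguments are also passed as unquoted `${1} ${2}`, which splits a file name containing spaces; `"$@"` forwards them intact and still passes only one argument when the keystore type is omitted.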

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/44d36543/kms/scripts/importJCEKSKeys.sh
----------------------------------------------------------------------
diff --git a/kms/scripts/importJCEKSKeys.sh b/kms/scripts/importJCEKSKeys.sh
index 9c2f9fb..57a2053 100755
--- a/kms/scripts/importJCEKSKeys.sh
+++ b/kms/scripts/importJCEKSKeys.sh
@@ -15,5 +15,5 @@
 # limitations under the License.
 # -------------------------------------------------------------------------------------
 RANGER_KMS_HOME=`dirname $0`
-cp="${RANGER_KMS_HOME}/ews/webapp/config:${RANGER_KMS_HOME}/ews/lib/*:${RANGER_KMS_HOME}/ews/webapp/lib/*:${RANGER_KMS_HOME}/ews/webapp/META-INF:"
+cp="${RANGER_KMS_HOME}/cred/lib/*:${RANGER_KMS_HOME}/./ews/webapp/WEB-INF/classes/conf/:${RANGER_KMS_HOME}/ews/webapp/config:${RANGER_KMS_HOME}/ews/lib/*:${RANGER_KMS_HOME}/ews/webapp/lib/*:${RANGER_KMS_HOME}/ews/webapp/META-INF"
 java -cp "${cp}" org.apache.hadoop.crypto.key.JKS2RangerUtil ${1} ${2}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/44d36543/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java b/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java
new file mode 100644
index 0000000..0def5e5
--- /dev/null
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java
@@ -0,0 +1,134 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto.key;
+
+import java.io.Console;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.nio.charset.Charset;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.ranger.kms.dao.DaoManager;
+
+public class Ranger2JKSUtil {
+
+	private static final String DEFAULT_KEYSTORE_TYPE = "jceks" ;
+	private static final String ENCRYPTION_KEY = "ranger.db.encrypt.key.password" ; 
+	
+	public static void showUsage() {
+		System.err.println("USAGE: java " + Ranger2JKSUtil.class.getName() + " <KMS_FileName> [KeyStoreType]") ;
+		System.err.println(" If KeyStoreType is not provided, it will be considered as " + DEFAULT_KEYSTORE_TYPE) ;
+		System.err.println(" When execution of this utility, it will prompt for both keystore password and key password.") ;
+	}
+	
+
+	public static void main(String[] args) throws IOException {
+			if (args.length == 0) {
+				System.err.println("Invalid number of parameters found.") ;
+				showUsage() ;
+				System.exit(1) ;
+			}
+			else {
+				String keyStoreFileName = args[0] ;
+				File f = new File(keyStoreFileName) ;
+				if (! f.exists()) {					
+					f.createNewFile();
+				}
+				String keyStoreType = (args.length == 2 ? args[1] : DEFAULT_KEYSTORE_TYPE) ;
+				try {
+					KeyStore.getInstance(keyStoreType) ;
+				} catch (KeyStoreException e) {
+					System.err.println("ERROR: Unable to get valid keystore for the type [" + keyStoreType + "]") ;
+					showUsage() ;
+					System.exit(1) ;
+				}
+				
+				new Ranger2JKSUtil().doExportKeysFromJKS(keyStoreFileName, keyStoreType);
+				
+				System.out.println("Keys from Ranger KMS Database has been successfully exported into " + keyStoreFileName);
+				
+				System.exit(0) ;
+				
+			}
+	}
+	
+	private void doExportKeysFromJKS(String keyStoreFileName, String keyStoreType) {
+		try {
+			char[] keyStorePassword = getPasswordFromConsole("Enter Password for the keystore FILE :") ;
+			char[] keyPassword = getPasswordFromConsole("Enter Password for the KEY(s) stored in the keystore:") ;
+			Configuration conf = RangerKeyStoreProvider.getDBKSConf(); 
+			RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);		
+			DaoManager daoManager = rangerkmsDb.getDaoManager();
+			RangerKeyStore dbStore = new RangerKeyStore(daoManager);
+			String password = conf.get(ENCRYPTION_KEY);
+			RangerMasterKey rangerMasterKey = new RangerMasterKey(daoManager);
+			char[] masterKey = rangerMasterKey.getMasterKey(password).toCharArray();
+			OutputStream out = null;
+			try {
+				out = new FileOutputStream(new File(keyStoreFileName));
+				dbStore.engineLoadToKeyStoreFile(out, keyStorePassword, keyPassword, masterKey, keyStoreType);
+			}
+			finally {
+				if (out != null) {
+					try {
+						out.close();
+					} catch (Exception e) {
+						throw new RuntimeException("ERROR:  Unable to close file stream for [" + keyStoreFileName + "]", e) ;
+					} 
+				}
+			}
+		}
+		catch(Throwable t) {
+			throw new RuntimeException("Unable to export keys to [" + keyStoreFileName + "] due to exception.", t) ;
+		}
+	}
+	
+	private char[] getPasswordFromConsole(String prompt) throws IOException {
+		String ret = null ;
+		Console c=System.console();
+	    if (c == null) {
+	        System.out.print(prompt + " ");
+	        InputStream in=System.in;
+	        int max=50;
+	        byte[] b=new byte[max];
+	        int l= in.read(b);
+	        l--;     //last character is \n
+	        if (l>0) {
+	            byte[] e=new byte[l];
+	            System.arraycopy(b,0, e, 0, l);
+	            ret = new String(e, Charset.defaultCharset());
+	        } 
+	    } else { 
+	    	char[] pwd = c.readPassword(prompt + " ") ;
+	    	if (pwd == null) {
+	    		ret = null ;
+	    	}
+	    	else {
+	    		ret = new String(pwd);
+	    	}
+	    }
+	    if (ret == null) {
+	    	ret = "" ;
+	    }
+	    return ret.toCharArray() ;
+	}
+}
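Review bot: `getPasswordFromConsole` turns a missing or empty entry into `""` and returns it, so the export can write the KMS keys into a keystore protected by an empty store or key password with no warning. I would fail instead, replacing the final null check with `if (ret == null || ret.isEmpty()) { throw new IOException("No password entered for: " + prompt); }`. The console branch also copies the `char[]` from `readPassword` into a `String` and back, which leaves an uncleared copy of the password on the heap; returning `pwd` directly avoids that. In the `System.in` fallback, `l--` assumes a single trailing `\n` and the 50-byte buffer silently truncates longer input.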

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/44d36543/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java
index ff82f53..850104f 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java
@@ -42,6 +42,7 @@ import java.security.NoSuchAlgorithmException;
 import java.security.UnrecoverableKeyException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
+import java.util.ArrayList;
 import java.util.Date;
 import java.util.Enumeration;
 import java.util.Hashtable;
@@ -223,10 +224,10 @@ public class RangerKeyStore extends KeyStoreSpi {
                 throw new IllegalArgumentException("Ranger Master Key can't be null");
             }
 
-            MessageDigest md = getKeyedMessageDigest(password);            
+            MessageDigest md = getKeyedMessageDigest(password);
             
            	byte digest[] = md.digest();    
-           	for (Enumeration<String> e = deltaEntries.keys(); e.hasMoreElements();) {
+           	for (Enumeration<String> e = deltaEntries.keys(); e.hasMoreElements();) {           		
             	ByteArrayOutputStream baos = new ByteArrayOutputStream();
                 DataOutputStream dos = new DataOutputStream(new DigestOutputStream(baos, md));
                 
@@ -282,7 +283,6 @@ public class RangerKeyStore extends KeyStoreSpi {
 					  xxRangerKeyStore = new XXRangerKeyStore();
 					  keyStoreExists = false;
 				  }
-
 				  xxRangerKeyStore = mapToEntityBean(rangerKeyStore, xxRangerKeyStore, 0);		
 				  if (keyStoreExists) {
 					  xxRangerKeyStore = rangerKMSDao.update(xxRangerKeyStore);
@@ -483,13 +483,13 @@ public class RangerKeyStore extends KeyStoreSpi {
 	public void engineLoadKeyStoreFile(InputStream stream, char[] storePass, char[] keyPass, char[] masterKey, String fileFormat)
 	        throws IOException, NoSuchAlgorithmException, CertificateException
 	{
-			synchronized(keyEntries) {
+			synchronized(deltaEntries) {
 				KeyStore ks;
 				
 				try {
 					ks = KeyStore.getInstance(fileFormat);
 					ks.load(stream, storePass);
-					keyEntries.clear();     
+					deltaEntries.clear();     
 					for (Enumeration<String> name = ks.aliases(); name.hasMoreElements();){
 						  	  SecretKeyEntry entry = new SecretKeyEntry();
 							  String alias = (String) name.nextElement();
@@ -532,8 +532,34 @@ public class RangerKeyStore extends KeyStoreSpi {
  	                          entry.date = ks.getCreationDate(alias);
 		                      entry.version = (alias.split("@").length == 2)?(Integer.parseInt(alias.split("@")[1])):0;
 		    				  entry.description = k.getFormat()+" - "+ks.getType();
-		                      keyEntries.put(alias, entry);		
-		    	            }
+		    	              deltaEntries.put(alias, entry);		
+		                    }
+				} catch (Throwable t) {
+					logger.error("Unable to load keystore file ", t);
+					throw new IOException(t) ;
+				}
+			}
+	}
+	
+	public void engineLoadToKeyStoreFile(OutputStream stream, char[] storePass, char[] keyPass, char[] masterKey, String fileFormat)
+	        throws IOException, NoSuchAlgorithmException, CertificateException
+	{
+			synchronized(keyEntries) {
+				KeyStore ks;
+				try {
+					ks = KeyStore.getInstance(fileFormat);
+					ks.load(null, storePass);
+					String alias = null;
+					engineLoad(null, masterKey);
+				    Enumeration<String> e = engineAliases();
+					Key key;
+					while (e.hasMoreElements()) {
+					   alias = e.nextElement();					   
+					   key = engineGetKey(alias, masterKey);	
+					   ks.setKeyEntry(alias, key, keyPass, null);
+					}
+					
+					ks.store(stream, storePass);
 				} catch (Throwable t) {
 					logger.error("Unable to load keystore file ", t);
 					throw new IOException(t) ;
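Review bot: The catch block of the new `engineLoadToKeyStoreFile` logs `"Unable to load keystore file "`, the same text as the import method above it, so a failed export is reported as a failed load. `logger.error("Unable to export keys to keystore file ", t);` would match what the method does. The method also lacks a Javadoc; it should state that every key readable with `masterKey` is written to `stream` under `keyPass`, and that all failures surface as `IOException`. That happens because `catch (Throwable t)` wraps everything, which leaves the declared `NoSuchAlgorithmException` and `CertificateException` unreachable. The method's closing braces lie outside the hunk.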

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/44d36543/src/main/assembly/kms.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/kms.xml b/src/main/assembly/kms.xml
index 52ab5a0..5c9e11b 100755
--- a/src/main/assembly/kms.xml
+++ b/src/main/assembly/kms.xml
@@ -304,6 +304,7 @@
 			<include>setup.sh</include>
             <include>install.properties</include>
 			<include>importJCEKSKeys.sh</include>
+			<include>exportKeysToJCEKS.sh</include>
 		</includes>
 		<fileMode>544</fileMode>
 	</fileSet>


[16/26] incubator-ranger git commit: RANGER-751: Fix for Ranger admin setup fails with TypeError

Posted by ma...@apache.org.
RANGER-751: Fix for Ranger admin setup fails with TypeError

Signed-off-by: sneethiraj <sn...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/5fec40fe
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/5fec40fe
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/5fec40fe

Branch: refs/heads/tag-policy
Commit: 5fec40fe64e16142b17cc1d9bac24f626919d053
Parents: 5216a89
Author: Velmurugan Periasamy <ve...@apache.org>
Authored: Sat Nov 28 10:31:27 2015 -0500
Committer: sneethiraj <sn...@apache.org>
Committed: Sat Nov 28 11:07:21 2015 -0500

----------------------------------------------------------------------
 security-admin/scripts/install.properties       | 23 ++++----
 security-admin/scripts/setup.sh                 | 56 ++++++++++++--------
 .../conf.dist/security-applicationContext.xml   |  1 -
 unixauthservice/scripts/setup.py                |  4 +-
 4 files changed, 49 insertions(+), 35 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5fec40fe/security-admin/scripts/install.properties
----------------------------------------------------------------------
diff --git a/security-admin/scripts/install.properties b/security-admin/scripts/install.properties
index 2d52890..cb10769 100644
--- a/security-admin/scripts/install.properties
+++ b/security-admin/scripts/install.properties
@@ -107,17 +107,6 @@ unix_group=ranger
 #
 # ------- UNIX User CONFIG  - END ----------------
 #
-
-#
-#-------- SSO CONFIG - Start ------------------
-#
-sso_enabled=false
-sso_providerurl=https://localhost:8443/gateway/knoxsso/api/v1/websso
-sso_publickey=
-sso_cookiename=hadoop-jwt
-sso_query_param_originalurl=originalUrl
-#
-#-------- SSO CONFIG - Start ------------------
 #
 
 #
@@ -179,6 +168,18 @@ xa_ldap_ad_bind_dn=
 xa_ldap_ad_bind_password=
 xa_ldap_ad_referral=
 xa_ldap_ad_userSearchFilter=
+
+#
+#-------- SSO CONFIG - Start ------------------
+#
+sso_enabled=false
+sso_providerurl=https://127.0.0.1:8443/gateway/knoxsso/api/v1/websso
+sso_publickey=
+sso_cookiename=hadoop-jwt
+sso_query_param_originalurl=originalUrl
+#
+#-------- SSO CONFIG - END ------------------
+
 # -----------------------------------------------------------
 #
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5fec40fe/security-admin/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh
index f77a1f5..6753d8d 100755
--- a/security-admin/scripts/setup.sh
+++ b/security-admin/scripts/setup.sh
@@ -344,27 +344,6 @@ update_properties() {
 		log "[E] $to_file_default does not exists" ; exit 1;
     fi
 
- 	propertyName=ranger.sso.enabled
-	newPropertyValue="${sso_enabled}"
-        updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
- 
-        propertyName=ranger.sso.providerurl
-        newPropertyValue="${sso_providerurl}"
-        updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
- 
-        propertyName=ranger.sso.publicKey
-        newPropertyValue="${sso_publickey}"
-        updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
- 
-        propertyName=ranger.sso.cookiename
-        newPropertyValue="${sso_cookiename}"
-        updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
- 
-        propertyName=ranger.sso.query.param.originalurl
-        newPropertyValue="${sso_query_param_originalurl}"
-        updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
-
-
 	if [ "${DB_FLAVOR}" == "MYSQL" ]
 	then
 		propertyName=ranger.jpa.jdbc.url
@@ -675,6 +654,41 @@ update_properties() {
 			fi
 		fi
 	fi
+
+	if [ "${sso_enabled}" == "" ]
+	then
+		sso_enabled="false"
+	fi
+
+	sso_enabled=`echo $sso_enabled | tr '[:upper:]' '[:lower:]'`
+
+	if [ "${sso_enabled}" == "true" ]
+	then
+		if [ "${sso_providerurl}" == "" ] || [ "${sso_publickey}" == "" ] || [ "${sso_cookiename}" == "" ] || [ "${sso_query_param_originalurl}" == "" ]
+		then
+			log "[E] Please provide valid values in SSO config properties!";
+			exit 1
+		fi
+		propertyName=ranger.sso.enabled
+		newPropertyValue="${sso_enabled}"
+		updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+	 
+		propertyName=ranger.sso.providerurl
+		newPropertyValue="${sso_providerurl}"
+		updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+	 
+		propertyName=ranger.sso.publicKey
+		newPropertyValue="${sso_publickey}"
+		updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+	 
+		propertyName=ranger.sso.cookiename
+		newPropertyValue="${sso_cookiename}"
+		updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+	 
+		propertyName=ranger.sso.query.param.originalurl
+		newPropertyValue="${sso_query_param_originalurl}"
+		updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+	fi
 }
 
 do_unixauth_setup() {
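Review bot: The SSO properties are now written only inside the `if [ "${sso_enabled}" == "true" ]` branch, so a run with `sso_enabled=false` never writes `ranger.sso.enabled`. If `$to_file_ranger` still holds `true` from an earlier run (this hunk does not show whether the file is regenerated), SSO stays on after the operator has switched it off. Writing the flag before the branch closes that gap: `updatePropertyToFilePy ranger.sso.enabled "${sso_enabled}" "$to_file_ranger"`. The values handed to `updatePropertyToFilePy` are also unquoted, so a provider URL containing whitespace or glob characters would be split or expanded by the shell. update_properties starts outside this hunk.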

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5fec40fe/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
index 329053f..1aead32 100644
--- a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
+++ b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
@@ -90,7 +90,6 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
 	</beans:bean>
 
 	<beans:bean id="ssoAuthenticationFilter" class="org.apache.ranger.security.web.filter.RangerSSOAuthenticationFilter">
-            <beans:property name="ssoEnabled" value="${ranger.sso.enabled}"/>
     </beans:bean>
 	
 	<beans:bean id="userContextFormationFilter" class="org.apache.ranger.security.web.filter.RangerSecurityContextFormationFilter"/>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5fec40fe/unixauthservice/scripts/setup.py
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/setup.py b/unixauthservice/scripts/setup.py
index b35a261..fface25 100755
--- a/unixauthservice/scripts/setup.py
+++ b/unixauthservice/scripts/setup.py
@@ -267,13 +267,13 @@ def initializeInitD(ownerName):
 				for  prefix in initPrefixList:
 					scriptFn = prefix + initdProgramName
 					scriptName = join(rcDir, scriptFn)
-					if isfile(scriptName):
+					if isfile(scriptName) or os.path.islink(scriptName):
 						os.remove(scriptName)
 					os.symlink(initdFn,scriptName)
 			userSyncScriptName = "ranger-usersync-services.sh"
 			localScriptName = os.path.abspath(join(installPropDirName,userSyncScriptName))
 			ubinScriptName = join("/usr/bin",initdProgramName)
-			if isfile(ubinScriptName):
+			if isfile(ubinScriptName) or os.path.islink(ubinScriptName):
 				os.remove(ubinScriptName)
 			os.symlink(localScriptName,ubinScriptName)
 
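Review bot: The reason for the added `os.path.islink(...)` test is not stated at either of the two places it appears, and it is easy to remove again as redundant. A comment such as `# isfile() follows links, so a dangling symlink is only caught by islink()` on both conditions would keep it in place. The check, `os.remove` and `os.symlink` are still three separate steps on paths under `/usr/bin` and the rc directories, so another process creating the path between them would make `os.symlink` fail; whether that matters depends on how the installer is run. initializeInitD starts outside the hunk.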


[03/26] incubator-ranger git commit: RANGER-685 : Make Ranger Admin participate in Knox SSO

Posted by ma...@apache.org.
RANGER-685 : Make Ranger Admin participate in Knox SSO

Signed-off-by: sneethiraj <sn...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/d5c707ff
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/d5c707ff
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/d5c707ff

Branch: refs/heads/tag-policy
Commit: d5c707ffc5517722d6a5514ded2ed31a0d4ae6e4
Parents: e267c09
Author: Gautam Borad <ga...@apache.org>
Authored: Thu Nov 19 21:43:42 2015 +0530
Committer: sneethiraj <sn...@apache.org>
Committed: Thu Nov 19 11:53:08 2015 -0500

----------------------------------------------------------------------
 security-admin/pom.xml                          |  18 +
 security-admin/scripts/install.properties       |  12 +
 security-admin/scripts/setup.sh                 |  26 ++
 .../org/apache/ranger/biz/RangerBizUtil.java    |  11 +
 .../apache/ranger/common/UserSessionBase.java   |  10 +-
 .../org/apache/ranger/rest/ServiceREST.java     |   9 +
 .../handler/RangerAuthenticationProvider.java   |  29 ++
 .../RangerAuthenticationEntryPoint.java         |   6 +-
 .../filter/RangerSSOAuthenticationFilter.java   | 424 +++++++++++++++++++
 .../RangerSecurityContextFormationFilter.java   |  13 +-
 .../security/web/filter/SSOAuthentication.java  |  55 +++
 .../web/filter/SSOAuthenticationProperties.java |  62 +++
 .../resources/conf.dist/ranger-admin-site.xml   |  26 ++
 .../conf.dist/security-applicationContext.xml   |  95 +----
 .../src/main/webapp/scripts/utils/XAUtils.js    |   7 +-
 .../webapp/scripts/views/common/ErrorView.js    |   9 +-
 .../webapp/scripts/views/common/ProfileBar.js   |  30 +-
 17 files changed, 749 insertions(+), 93 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/pom.xml
----------------------------------------------------------------------
diff --git a/security-admin/pom.xml b/security-admin/pom.xml
index 3c26837..1fedbd0 100644
--- a/security-admin/pom.xml
+++ b/security-admin/pom.xml
@@ -407,6 +407,24 @@
 			<artifactId>spring-test</artifactId>
 			<version>${springframework.test.version}</version>
 		</dependency>
+		
+		<dependency>
+      		<groupId>com.nimbusds</groupId>
+      		<artifactId>nimbus-jose-jwt</artifactId>
+      		<version>3.9</version>
+      		<scope>compile</scope>
+      		<exclusions>
+        		<exclusion>
+          			<groupId>org.bouncycastle</groupId>
+          			<artifactId>bcprov-jdk15on</artifactId>
+        		</exclusion>
+      		</exclusions>
+    	</dependency>
+    	<dependency>
+      		<groupId>com.google.inject</groupId>
+      		<artifactId>guice</artifactId>
+      		<version>3.0</version>
+    	</dependency>
   </dependencies>
   <build>
   <pluginManagement>
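Review bot: Both new dependencies pin their versions inline (`3.9` and `3.0`), while the neighbouring `spring-test` entry takes its version from a property. For the library that verifies SSO tokens, a property such as `${nimbus.jose.jwt.version}` (placeholder name) makes a later security upgrade a one-line change. `guice` appears to be pulled in only for the `@Inject` annotation on the `RangerSSOAuthenticationFilter` constructor added in this commit, a bean that Spring creates; if that is its only use, the dependency can be dropped. A short XML comment saying why `bcprov-jdk15on` is excluded would help the next maintainer.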

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/scripts/install.properties
----------------------------------------------------------------------
diff --git a/security-admin/scripts/install.properties b/security-admin/scripts/install.properties
index f3af716..2d52890 100644
--- a/security-admin/scripts/install.properties
+++ b/security-admin/scripts/install.properties
@@ -109,6 +109,18 @@ unix_group=ranger
 #
 
 #
+#-------- SSO CONFIG - Start ------------------
+#
+sso_enabled=false
+sso_providerurl=https://localhost:8443/gateway/knoxsso/api/v1/websso
+sso_publickey=
+sso_cookiename=hadoop-jwt
+sso_query_param_originalurl=originalUrl
+#
+#-------- SSO CONFIG - Start ------------------
+#
+
+#
 # UNIX authentication service for Policy Manager
 #
 # PolicyManager can authenticate using UNIX username/password
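Review bot: The closing marker of the new block repeats `#-------- SSO CONFIG - Start ------------------`; it should read `#-------- SSO CONFIG - END ------------------`. The block also says nothing about the format expected in `sso_publickey`. Judging by `parseRSAPublicKey` in this commit, it is the body of the provider's certificate without the `-----BEGIN CERTIFICATE-----` header and footer, so a line such as `# sso_publickey: certificate body only, without the PEM header and footer` would prevent a failed setup.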

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh
index 36696a0..8b67f98 100755
--- a/security-admin/scripts/setup.sh
+++ b/security-admin/scripts/setup.sh
@@ -110,6 +110,11 @@ sqlserver_audit_file=$(get_prop 'sqlserver_audit_file' $PROPFILE)
 sqlanywhere_core_file=$(get_prop 'sqlanywhere_core_file' $PROPFILE)
 sqlanywhere_audit_file=$(get_prop 'sqlanywhere_audit_file' $PROPFILE)
 cred_keystore_filename=$(eval echo "$(get_prop 'cred_keystore_filename' $PROPFILE)")
+sso_enabled=$(get_prop 'sso_enabled' $PROPFILE)
+sso_providerurl=$(get_prop 'sso_providerurl' $PROPFILE)
+sso_publickey=$(get_prop 'sso_publickey' $PROPFILE)
+sso_cookiename=$(get_prop 'sso_cookiename' $PROPFILE)
+sso_query_param_originalurl=$(get_prop 'sso_query_param_originalurl' $PROPFILE)
 
 DB_HOST="${db_host}"
 
@@ -339,6 +344,27 @@ update_properties() {
 		log "[E] $to_file_default does not exists" ; exit 1;
     fi
 
+ 	propertyName=ranger.sso.enabled
+	newPropertyValue="${sso_enabled}"
+        updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ 
+        propertyName=ranger.sso.providerurl
+        newPropertyValue="${sso_providerurl}"
+        updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ 
+        propertyName=ranger.sso.publicKey
+        newPropertyValue="${sso_publickey}"
+        updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ 
+        propertyName=ranger.sso.cookiename
+        newPropertyValue="${sso_cookiename}"
+        updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ 
+        propertyName=ranger.sso.query.param.originalurl
+        newPropertyValue="${sso_query_param_originalurl}"
+        updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+
+
 	if [ "${DB_FLAVOR}" == "MYSQL" ]
 	then
 		propertyName=ranger.jpa.jdbc.url
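Review bot: `$newPropertyValue` is passed unquoted, and the `install.properties` shipped in this commit leaves `sso_publickey` empty, so `updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger` expands to two arguments and the helper receives the file path where it expects the value (how it reacts is not visible here). Quoting all three arguments in the five added calls fixes this: `updatePropertyToFilePy "$propertyName" "$newPropertyValue" "$to_file_ranger"`. The added lines also mix spaces and tabs, unlike the surrounding code. update_properties starts and ends outside this hunk.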

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index 689e165..e00db2c 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -1520,5 +1520,16 @@ public class RangerBizUtil {
 
 		return true;
 	}
+	
+	public boolean isSSOEnabled() {
+		UserSessionBase session = ContextUtil.getCurrentUserSession();
+		if (session != null) {
+			return session.isSSOEnabled() == null ? PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false) : session.isSSOEnabled();
+		} else {
+			throw restErrorUtil.createRESTException(
+					"User session is not created",
+					MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
+		}
+	}
 
 }
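Review bot: `session.isSSOEnabled()` is read twice in the ternary on the added return line, and its mixed `Boolean`/`boolean` operands unbox implicitly. Reading the value once is easier to follow: `Boolean sso = session.isSSOEnabled();` followed by `return sso != null ? sso : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);`. The method has no Javadoc; one sentence stating that the session value takes precedence over the `ranger.sso.enabled` property and that a missing session raises a REST exception would document the contract.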

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
index 175459c..4473d74 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
@@ -39,7 +39,7 @@ public class UserSessionBase implements Serializable {
 	private List<String> userRoleList = new ArrayList<String>();
 	private RangerUserPermission rangerUserPermission;
 	int clientTimeOffsetInMinute = 0;
-
+	private Boolean isSSOEnabled;
 	public Long getUserId() {
 		if (xXPortalUser != null) {
 			return xXPortalUser.getId();
@@ -128,6 +128,14 @@ public class UserSessionBase implements Serializable {
 
 
 
+	public Boolean isSSOEnabled() {
+		return isSSOEnabled;
+	}
+
+	public void setSSOEnabled(Boolean isSSOEnabled) {
+		this.isSSOEnabled = isSSOEnabled;
+	}
+
 	public static class RangerUserPermission implements Serializable {
 		private static final long serialVersionUID = 1L;
 
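Review bot: `isSSOEnabled()` returns a `Boolean` that stays null until `setSSOEnabled` has been called, and `RangerSSOAuthenticationFilter.doFilter` in this commit assigns it to a primitive field (`ssoEnabled = session != null ? session.isSSOEnabled() : ...`). That throws a NullPointerException for any session on which the setter was not called. Either make the field a primitive `boolean`, or document the three states on the getter, for example `/** @return TRUE or FALSE once decided for this session, null if not set yet */`, and null-check in the filter as `RangerBizUtil.isSSOEnabled()` already does.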

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 9173d6e..d92fd41 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -37,6 +37,7 @@ import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
 
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.StringUtils;
@@ -1929,4 +1930,12 @@ public class ServiceREST {
 
 		return ret;
 	}
+
+	@GET
+	@Path("/checksso")
+	@Produces(MediaType.TEXT_PLAIN)
+	public String checkSSO() {
+		return String.valueOf(bizUtil.isSSOEnabled());
+	}
+
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
index 40b08c4..3920ab3 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
@@ -75,6 +75,8 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 
 	private LdapAuthenticator authenticator;
 
+	private boolean ssoEnabled = false;
+
 	public RangerAuthenticationProvider() {
 
 	}
@@ -82,6 +84,14 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 	@Override
 	public Authentication authenticate(Authentication authentication)
 			throws AuthenticationException {
+		if(isSsoEnabled()){
+			if (authentication != null){
+				authentication = getSSOAuthentication(authentication);
+				if(authentication!=null && authentication.isAuthenticated()){
+					return authentication;
+				}
+			}
+		}else{
 		String sha256PasswordUpdateDisable=PropertiesUtil.getProperty("ranger.sha256Password.update.disable", "false");
 		if(rangerAuthenticationMethod==null){
 			rangerAuthenticationMethod="NONE";
@@ -155,6 +165,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 			}
 			return authentication;
 		}
+		}
 		return authentication;
 	}
 
@@ -521,4 +532,22 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 		}
 		return authentication;
 	}
+	
+	private Authentication getSSOAuthentication(Authentication authentication) throws AuthenticationException{
+		return authentication;
+	}
+
+	/**
+	 * @return the ssoEnabled
+	 */
+	public boolean isSsoEnabled() {
+		return ssoEnabled;
+	}
+
+	/**
+	 * @param ssoEnabled the ssoEnabled to set
+	 */
+	public void setSsoEnabled(boolean ssoEnabled) {
+		this.ssoEnabled = ssoEnabled;
+	}
 }
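Review bot: `getSSOAuthentication` returns its argument untouched, so with `ssoEnabled` set `authenticate()` verifies nothing itself: an already-authenticated token is returned as is, and an unauthenticated one falls through to the final `return authentication` without an exception. All trust therefore rests on the caller having validated the JWT, yet the mode is toggled by a public setter on the class that also handles password and LDAP logins. A Javadoc on `getSSOAuthentication` stating that the token must already have been validated by `RangerSSOAuthenticationFilter` would make that contract explicit, and a separate SSO provider class would keep the two paths apart. The `else{` added in the `authenticate()` hunk leaves its body at the old indentation; that method continues outside the hunks shown.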

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
index 52228dd..0b61498 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
@@ -35,6 +35,7 @@ import org.apache.ranger.biz.SessionMgr;
 import org.apache.ranger.common.JSONUtil;
 import org.apache.ranger.common.PropertiesUtil;
 import org.apache.ranger.common.RangerConfigUtil;
+import org.apache.ranger.security.web.filter.RangerSSOAuthenticationFilter;
 import org.apache.ranger.view.VXResponse;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.AuthenticationException;
@@ -129,9 +130,12 @@ public class RangerAuthenticationEntryPoint extends
 			}
 			response.sendError(ajaxReturnCode, "");
 		} else if (!(requestURL.startsWith(reqServletPath))) {
+			if(requestURL.contains(RangerSSOAuthenticationFilter.LOCAL_LOGIN_URL)){
+				if (request.getSession() != null)
+					request.getSession().setAttribute("locallogin","true");
+			}
 			super.commence(request, response, authException);
 		}
-
 	}
 
 }
\ No newline at end of file
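Review bot: `request.getSession()` never returns null, because it creates a session when none exists, so the added null check is dead code. Every unauthenticated request whose URL contains `locallogin` therefore gets a new session marked `locallogin=true`, which `RangerSSOAuthenticationFilter` then treats as an SSO opt-out for the whole session. `requestURL.contains(...)` matches the substring anywhere in the URL; comparing against the path segment would keep unrelated URLs from setting the flag. A comment on the block saying that the attribute disables SSO for the session, and whether it is ever cleared, would document the intended fallback. `commence` starts outside this hunk.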

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
new file mode 100644
index 0000000..960a25f
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
@@ -0,0 +1,424 @@
+package org.apache.ranger.security.web.filter;
+
+import com.google.inject.Inject;
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSObject;
+import com.nimbusds.jose.JWSVerifier;
+import com.nimbusds.jose.crypto.RSASSAVerifier;
+import com.nimbusds.jwt.SignedJWT;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.web.authentication.WebAuthenticationDetails;
+
+import javax.servlet.*;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import java.io.IOException;
+import java.security.PublicKey;
+import java.security.cert.CertificateException;
+import java.security.interfaces.RSAPublicKey;
+import java.text.ParseException;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
+
+import org.apache.ranger.common.PropertiesUtil;
+import org.apache.ranger.common.UserSessionBase;
+import org.apache.ranger.security.context.RangerContextHolder;
+import org.apache.ranger.security.context.RangerSecurityContext;
+import org.apache.ranger.security.handler.RangerAuthenticationProvider;
+
+import java.io.ByteArrayInputStream;
+import java.io.UnsupportedEncodingException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+
+public class RangerSSOAuthenticationFilter implements Filter {
+	Logger LOG = LoggerFactory.getLogger(RangerSSOAuthenticationFilter.class);
+
+	public static final String BROWSER_USERAGENT = "ranger.sso.browser.useragent";
+	public static final String JWT_AUTH_PROVIDER_URL = "ranger.sso.providerurl";
+	public static final String JWT_PUBLIC_KEY = "ranger.sso.publicKey";	
+	public static final String JWT_COOKIE_NAME = "ranger.sso.cookiename";
+	public static final String JWT_ORIGINAL_URL_QUERY_PARAM = "ranger.sso.query.param.originalurl";
+	public static final String JWT_COOKIE_NAME_DEFAULT = "hadoop-jwt";
+	public static final String JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT = "originalUrl";
+	public static final String LOCAL_LOGIN_URL = "locallogin";
+
+	private SSOAuthenticationProperties jwtProperties;
+
+	private String originalUrlQueryParam = "originalUrl";
+	private String authenticationProviderUrl = null;
+	private RSAPublicKey publicKey = null;
+	private String cookieName = "hadoop-jwt";
+	private boolean ssoEnabled = false;
+
+	@Inject
+	public RangerSSOAuthenticationFilter(){
+		jwtProperties = getJwtProperties();
+		loadJwtProperties();
+	}
+
+	public RangerSSOAuthenticationFilter(
+			SSOAuthenticationProperties jwtProperties){			
+		this.jwtProperties = jwtProperties;
+		loadJwtProperties();
+	}
+
+	@Override
+	public void init(FilterConfig filterConfig) throws ServletException {
+	}
+
+	/*
+	 * doFilter of RangerSSOAuthenticationFilter is the first in the filter list so in this it check for the request
+	 * if the request is from browser, doesn't contain local login and sso is enabled then it process the request against knox sso
+	 * else if it's ssoenable and the request is with local login string then it show's the appropriate msg
+	 * else if ssoenable is false then it contiunes with further filters as it was before sso 
+	 */
+	@Override
+	public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)throws IOException, ServletException {
+		
+		RangerSecurityContext context = RangerContextHolder.getSecurityContext();
+		UserSessionBase session = context != null ? context.getUserSession() : null;
+		ssoEnabled = session != null ? session.isSSOEnabled() : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
+		
+		String userAgent = ((HttpServletRequest)servletRequest).getHeader("User-Agent");
+		if(((HttpServletRequest) servletRequest).getSession() != null){
+			if(((HttpServletRequest) servletRequest).getSession().getAttribute("locallogin") != null){
+				ssoEnabled = false;
+				servletRequest.setAttribute("ssoEnabled", false);
+				filterChain.doFilter(servletRequest, servletResponse);
+				return;
+			}
+		}
+		//If sso is enable and request is not for local login and is from browser then it will go inside and try for knox sso authentication 
+		if (ssoEnabled && !((HttpServletRequest) servletRequest).getRequestURI().contains(LOCAL_LOGIN_URL) && isWebUserAgent(userAgent)) {
+			//if jwt properties are loaded and is current not authenticated then it will go for sso authentication
+			if (jwtProperties != null && !isAuthenticated()) {
+				HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
+				HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
+				String serializedJWT = getJWTFromCookie(httpServletRequest);
+				// if we get the hadoop-jwt token from the cookies then will process it further
+				if (serializedJWT != null) {
+					SignedJWT jwtToken = null;
+					try {
+						jwtToken = SignedJWT.parse(serializedJWT);
+						boolean valid = validateToken(jwtToken);
+						//if the public key provide is correct and also token is not expired the process token
+						if (valid) {
+							String userName = jwtToken.getJWTClaimsSet().getSubject();
+							LOG.info("SSO login user : "+userName);
+							
+							String rangerLdapDefaultRole = PropertiesUtil.getProperty("ranger.ldap.default.role", "ROLE_USER");
+							//if we get the userName from the token then log into ranger using the same user
+							if (userName != null && !userName.trim().isEmpty()) {
+								final List<GrantedAuthority> grantedAuths = new ArrayList<>();
+								grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole));
+								final UserDetails principal = new User(userName, "",grantedAuths);
+								final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, "", grantedAuths);
+								WebAuthenticationDetails webDetails = new WebAuthenticationDetails(httpServletRequest);
+								((AbstractAuthenticationToken) finalAuthentication).setDetails(webDetails);
+								RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider();
+								authenticationProvider.setSsoEnabled(ssoEnabled);
+								final Authentication authentication = authenticationProvider.authenticate(finalAuthentication);								
+								SecurityContextHolder.getContext().setAuthentication(authentication);
+							}
+							
+							filterChain.doFilter(servletRequest,httpServletResponse);
+						}
+						// if the token is not valid then redirect to knox sso  
+						else {
+							String ssourl = constructLoginURL(httpServletRequest);
+							if(LOG.isDebugEnabled())
+								LOG.debug("SSO URL = " + ssourl);
+							httpServletResponse.sendRedirect(ssourl);
+						}
+					} catch (ParseException e) {
+						LOG.warn("Unable to parse the JWT token", e);
+					}
+				}
+				// if the jwt token is not available then redirect it to knox sso 
+				else {
+					String ssourl = constructLoginURL(httpServletRequest);
+					if(LOG.isDebugEnabled())
+						LOG.debug("SSO URL = " + ssourl);
+					httpServletResponse.sendRedirect(ssourl);
+				}
+			}
+			//if property is not loaded or is already authenticated then proceed further with next filter 
+			else {
+				filterChain.doFilter(servletRequest, servletResponse);
+			}
+		} else if(ssoEnabled && ((HttpServletRequest) servletRequest).getRequestURI().contains(LOCAL_LOGIN_URL) && isWebUserAgent(userAgent) && isAuthenticated()){
+				//If already there's an active session with sso and user want's to switch to local login(i.e without sso) then it won't be navigated to local login
+				// In this scenario the user as to use separate browser
+				String url = ((HttpServletRequest) servletRequest).getRequestURI().replace(LOCAL_LOGIN_URL+"/", "");				
+				url = url.replace(LOCAL_LOGIN_URL, "");
+				LOG.warn("There is an active session and if you want local login to ranger, try this on a separate browser");
+				((HttpServletResponse)servletResponse).sendRedirect(url);
+		}
+		//if sso is not enable or the request is not from browser then proceed further with next filter
+		else {			
+			filterChain.doFilter(servletRequest, servletResponse);	
+		}
+	}
+
+	private boolean isWebUserAgent(String userAgent) {
+		boolean isWeb = false;
+		if (jwtProperties != null) {
+			String userAgentList[] = jwtProperties.getUserAgentList();
+			if(userAgentList != null && userAgentList.length > 0){
+				for(String ua : userAgentList){
+					if(userAgent.toLowerCase().startsWith(ua.toLowerCase())){
+						isWeb = true;
+						break;
+					}
+				}
+			}
+		}
+		return isWeb;		
+	}
+
+	/**
+	 * @return the ssoEnabled
+	 */
+	public boolean isSsoEnabled() {
+		return ssoEnabled;
+	}
+
+	/**
+	 * @param ssoEnabled the ssoEnabled to set
+	 */
+	public void setSsoEnabled(boolean ssoEnabled) {
+		this.ssoEnabled = ssoEnabled;
+	}
+
+	private void loadJwtProperties() {
+		if (jwtProperties != null) {
+			authenticationProviderUrl = jwtProperties.getAuthenticationProviderUrl();
+			publicKey = jwtProperties.getPublicKey();			
+			cookieName = jwtProperties.getCookieName();
+			originalUrlQueryParam = jwtProperties.getOriginalUrlQueryParam();
+		}
+	}
+
+	/**
+	 * Do not try to validate JWT if user already authenticated via other
+	 * provider
+	 * 
+	 * @return true, if JWT validation required
+	 */
+	private boolean isAuthenticated() {
+		Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
+		return !(!(existingAuth != null && existingAuth.isAuthenticated()) || existingAuth instanceof SSOAuthentication);
+	}
+
+	/**
+	 * Encapsulate the acquisition of the JWT token from HTTP cookies within the
+	 * request.
+	 *
+	 * @param req
+	 *            servlet request to get the JWT token from
+	 * @return serialized JWT token
+	 */
+	protected String getJWTFromCookie(HttpServletRequest req) {
+		String serializedJWT = null;
+		Cookie[] cookies = req.getCookies();
+		if (cookies != null) {
+			for (Cookie cookie : cookies) {
+				if (cookieName != null && cookieName.equals(cookie.getName())) {
+					if(LOG.isDebugEnabled())
+						LOG.debug(cookieName + " cookie has been found and is being processed");
+					serializedJWT = cookie.getValue();
+					break;
+				}
+			}
+		}
+		return serializedJWT;
+	}
+
+	/**
+	 * Create the URL to be used for authentication of the user in the absence
+	 * of a JWT token within the incoming request.
+	 *
+	 * @param request
+	 *            for getting the original request URL
+	 * @return url to use as login url for redirect
+	 */
+	protected String constructLoginURL(HttpServletRequest request) {
+		String delimiter = "?";
+		if (authenticationProviderUrl.contains("?")) {
+			delimiter = "&";
+		}
+		String loginURL = authenticationProviderUrl + delimiter + originalUrlQueryParam + "=" + request.getRequestURL().toString();
+		return loginURL;
+	}
+
+	/**
+	 * This method provides a single method for validating the JWT for use in
+	 * request processing. It provides for the override of specific aspects of
+	 * this implementation through submethods used within but also allows for
+	 * the override of the entire token validation algorithm.
+	 *
+	 * @param jwtToken
+	 *            the token to validate
+	 * @return true if valid
+	 */
+	protected boolean validateToken(SignedJWT jwtToken) {
+		boolean sigValid = validateSignature(jwtToken);
+		if (!sigValid) {			
+			LOG.warn("Signature of JWT token could not be verified. Please check the public key");
+		}
+		boolean expValid = validateExpiration(jwtToken);
+		if (!expValid) {
+			LOG.warn("Expiration time validation of JWT token failed.");
+		}
+		return sigValid && expValid;
+	}
+
+	/**
+	 * Verify the signature of the JWT token in this method. This method depends
+	 * on the public key that was established during init based upon the
+	 * provisioned public key. Override this method in subclasses in order to
+	 * customize the signature verification behavior.
+	 *
+	 * @param jwtToken
+	 *            the token that contains the signature to be validated
+	 * @return valid true if signature verifies successfully; false otherwise
+	 */
+	protected boolean validateSignature(SignedJWT jwtToken) {
+		boolean valid = false;
+		if (JWSObject.State.SIGNED == jwtToken.getState()) {
+			if(LOG.isDebugEnabled())
+				LOG.debug("SSO token is in a SIGNED state");
+			if (jwtToken.getSignature() != null) {
+				if(LOG.isDebugEnabled())
+					LOG.debug("SSO token signature is not null");
+				try {
+					JWSVerifier verifier = new RSASSAVerifier(publicKey);
+					if (jwtToken.verify(verifier)) {
+						valid = true;
+						if(LOG.isDebugEnabled())
+							LOG.debug("SSO token has been successfully verified");
+					} else {
+						LOG.warn("SSO signature verification failed.Please check the public key");
+					}
+				} catch (JOSEException je) {
+					LOG.warn("Error while validating signature", je);
+				}
+			}
+		}
+		return valid;
+	}
+
+	/**
+	 * Validate that the expiration time of the JWT token has not been violated.
+	 * If it has then throw an AuthenticationException. Override this method in
+	 * subclasses in order to customize the expiration validation behavior.
+	 *
+	 * @param jwtToken
+	 *            the token that contains the expiration date to validate
+	 * @return valid true if the token has not expired; false otherwise
+	 */
+	protected boolean validateExpiration(SignedJWT jwtToken) {
+		boolean valid = false;
+		try {
+			Date expires = jwtToken.getJWTClaimsSet().getExpirationTime();
+			if (expires != null && new Date().before(expires)) {
+				if(LOG.isDebugEnabled())
+					LOG.debug("SSO token expiration date has been " + "successfully validated");
+				valid = true;
+			} else {
+				LOG.warn("SSO expiration date validation failed.");
+			}
+		} catch (ParseException pe) {
+			LOG.warn("SSO expiration date validation failed.", pe);
+		}
+		return valid;
+	}
+
+	@Override
+	public void destroy() {
+	}
+
+	public SSOAuthenticationProperties getJwtProperties() {
+		String providerUrl = PropertiesUtil.getProperty(JWT_AUTH_PROVIDER_URL);
+		if (providerUrl != null) {
+			String publicKeyPath = PropertiesUtil.getProperty(JWT_PUBLIC_KEY);
+			if (publicKeyPath == null) {
+				LOG.error("Public key pem not specified for SSO auth provider {}. SSO auth will be disabled.",providerUrl);
+				return null;
+			}
+			try {
+				RSAPublicKey publicKey = parseRSAPublicKey(publicKeyPath);
+				SSOAuthenticationProperties jwtProperties = new SSOAuthenticationProperties();
+				jwtProperties.setAuthenticationProviderUrl(providerUrl);
+				jwtProperties.setPublicKey(publicKey);
+
+				jwtProperties.setCookieName(PropertiesUtil.getProperty(JWT_COOKIE_NAME, JWT_COOKIE_NAME_DEFAULT));
+				jwtProperties.setOriginalUrlQueryParam(PropertiesUtil.getProperty(JWT_ORIGINAL_URL_QUERY_PARAM, JWT_ORIGINAL_URL_QUERY_PARAM_DEFAULT));
+				String userAgent = PropertiesUtil.getProperty(BROWSER_USERAGENT);
+				if(userAgent != null && !userAgent.isEmpty()){
+					jwtProperties.setUserAgentList(userAgent.split(","));
+				}
+				return jwtProperties;
+
+			} catch (IOException e) {
+				LOG.error("Unable to read public certificate file. JWT auth will be disabled.",e);
+				return null;
+			} catch (CertificateException e) {
+				LOG.error("Unable to parse public certificate file. JWT auth will be disabled.",e);
+				return null;
+			} catch (ServletException e) {
+				LOG.error("ServletException while processing the properties",e);
+			}			
+		} else {
+			return null;
+		}
+		return jwtProperties;
+	}
+
+	/*
+	 * public static RSAPublicKey getPublicKeyFromFile(String filePath) throws
+	 * IOException, CertificateException {
+	 * FileUtils.readFileToString(new File(filePath));
+	 * getPublicKeyFromString(pemString); }
+	 */
+
+	public static RSAPublicKey parseRSAPublicKey(String pem)
+			throws CertificateException, UnsupportedEncodingException,
+			ServletException {
+		String PEM_HEADER = "-----BEGIN CERTIFICATE-----\n";
+		String PEM_FOOTER = "\n-----END CERTIFICATE-----";
+		String fullPem = PEM_HEADER + pem + PEM_FOOTER;
+		PublicKey key = null;
+		try {
+			CertificateFactory fact = CertificateFactory.getInstance("X.509");
+			ByteArrayInputStream is = new ByteArrayInputStream(fullPem.getBytes("UTF8"));
+			X509Certificate cer = (X509Certificate) fact.generateCertificate(is);
+			key = cer.getPublicKey();
+		} catch (CertificateException ce) {
+			String message = null;
+			if (pem.startsWith(PEM_HEADER)) {
+				message = "CertificateException - be sure not to include PEM header " + "and footer in the PEM configuration element.";
+			} else {
+				message = "CertificateException - PEM may be corrupt";
+			}
+			throw new ServletException(message, ce);
+		} catch (UnsupportedEncodingException uee) {
+			throw new ServletException(uee);
+		}
+		return (RSAPublicKey) key;
+	}
+}
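Review bot: `doFilter` keeps the per-request SSO decision in the instance field `ssoEnabled`, but one filter instance serves all request threads. A request that carries the `locallogin` session attribute can set the field to false while another thread is between its own assignment and the `if (ssoEnabled && ...)` test, so the decision belongs in a local variable. Two request paths also end badly: the `ParseException` catch only logs and leaves the browser with an empty response instead of a redirect to the provider, and `isWebUserAgent` calls `userAgent.toLowerCase()` on a header that may be absent. `constructLoginURL` appends `request.getRequestURL()` to the provider URL without URL-encoding it. The fence shows the three rewritten spots.

```java
	public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)throws IOException, ServletException {
		RangerSecurityContext context = RangerContextHolder.getSecurityContext();
		UserSessionBase session = context != null ? context.getUserSession() : null;
		// Decision is kept per request; the session flag is null until it has been set.
		Boolean sessionFlag = session != null ? session.isSSOEnabled() : null;
		final boolean ssoForRequest = sessionFlag != null ? sessionFlag : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
		// … unchanged: locallogin check and SSO branches, reading ssoForRequest instead of the ssoEnabled field …
					} catch (ParseException e) {
						LOG.warn("Unable to parse the JWT token", e);
						// Treat an unparseable cookie like a missing one.
						httpServletResponse.sendRedirect(constructLoginURL(httpServletRequest));
					}
		// … unchanged: remaining branches of doFilter …

	private boolean isWebUserAgent(String userAgent) {
		boolean isWeb = false;
		if (jwtProperties != null && userAgent != null) {
		// … unchanged: prefix match against the configured user-agent list …
```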

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
index d92fcbb..df529b6 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
@@ -128,13 +128,18 @@ public class RangerSecurityContextFormationFilter extends GenericFilterBean {
 				UserSessionBase userSession = sessionMgr.processSuccessLogin(
 						XXAuthSession.AUTH_TYPE_PASSWORD, userAgent);
 
-				if(userSession!=null && userSession.getClientTimeOffsetInMinute()==0){
-					userSession.setClientTimeOffsetInMinute(clientTimeOffset);
+				if (userSession != null) {
+
+					Object ssoEnabledObj = request.getAttribute("ssoEnabled");
+					Boolean ssoEnabled = ssoEnabledObj != null ? new Boolean(String.valueOf(ssoEnabledObj)) : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
+					userSession.setSSOEnabled(ssoEnabled);
+
+					if (userSession.getClientTimeOffsetInMinute() == 0) {
+						userSession.setClientTimeOffsetInMinute(clientTimeOffset);
+					}
 				}
 
 				context.setUserSession(userSession);
-
-//				xUserMgr.checkPermissionRoleByGivenUrls(httpRequest.getRequestURL().toString(),httpMethod);
 			}
 			HttpServletResponse res = (HttpServletResponse)response;
 			res.setHeader("X-Frame-Options", "DENY" );
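Review bot: The added `ssoEnabled` assignment uses `new Boolean(String.valueOf(ssoEnabledObj))`, which allocates a new wrapper on every request; `Boolean.valueOf(String.valueOf(ssoEnabledObj))` is the idiomatic form, and the line is long enough to be worth splitting. Because the flag is stored on the user session, I'd also add a short comment saying where the `ssoEnabled` request attribute is set (presumably by the SSO filter added in this commit) and why it takes precedence over `ranger.sso.enabled`. The enclosing method starts and ends outside the hunk.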

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthentication.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthentication.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthentication.java
new file mode 100644
index 0000000..b6c39e6
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthentication.java
@@ -0,0 +1,55 @@
+package org.apache.ranger.security.web.filter;
+
+import com.nimbusds.jwt.SignedJWT;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+
+import java.util.Collection;
+
+/**
+ * Internal token which describes JWT authentication
+ */
+public class SSOAuthentication implements Authentication {
+
+  private SignedJWT token;
+  private boolean authenticated = false;
+
+  public SSOAuthentication(SignedJWT token) {
+    this.token = token;
+  }
+
+  @Override
+  public SignedJWT getCredentials() {
+    return token;
+  }
+
+  @Override
+  public Object getDetails() {
+    return null;
+  }
+
+  @Override
+  public boolean isAuthenticated() {
+    return authenticated;
+  }
+
+  @Override
+  public void setAuthenticated(boolean authenticated) throws IllegalArgumentException {
+    this.authenticated = authenticated;
+  }
+
+  @Override
+  public String getName() {	
+	  return null;
+  }
+
+  @Override
+  public Collection<? extends GrantedAuthority> getAuthorities() {
+	  return null;
+  }
+
+  @Override
+  public Object getPrincipal() {
+	  return null;
+  }  
+}
\ No newline at end of file
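Review bot: `getAuthorities()`, `getName()` and `getPrincipal()` all return `null`, and Spring Security's `Authentication` contract documents `getAuthorities()` as never null, so downstream code that iterates authorities or logs the principal name on this token can fail with a NullPointerException. Returning `Collections.emptyList()` from `getAuthorities()` is the minimal fix; the name and principal would better come from the token's subject claim. `setAuthenticated(boolean)` also accepts `true` from any caller, whereas Spring's own tokens reject that and become trusted only through a constructor; either do the same or document that only the SSO filter may call it after the signature and expiry checks pass. `token` can be `final`.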

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthenticationProperties.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthenticationProperties.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthenticationProperties.java
new file mode 100644
index 0000000..aa29de0
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/SSOAuthenticationProperties.java
@@ -0,0 +1,62 @@
+package org.apache.ranger.security.web.filter;
+
+import java.security.interfaces.RSAPublicKey;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+public class SSOAuthenticationProperties {
+
+	  private String authenticationProviderUrl = null;
+	  private RSAPublicKey publicKey = null;
+	  private String cookieName = "hadoop-jwt";
+	  private String originalUrlQueryParam = null;
+	  private String[] userAgentList = null; 
+
+	  public String getAuthenticationProviderUrl() {
+	    return authenticationProviderUrl;
+	  }
+
+	  public void setAuthenticationProviderUrl(String authenticationProviderUrl) {
+	    this.authenticationProviderUrl = authenticationProviderUrl;
+	  }
+
+	  public RSAPublicKey getPublicKey() {
+	    return publicKey;
+	  }
+
+	  public void setPublicKey(RSAPublicKey publicKey) {
+	    this.publicKey = publicKey;
+	  }
+
+	  public String getCookieName() {
+	    return cookieName;
+	  }
+
+	  public void setCookieName(String cookieName) {
+	    this.cookieName = cookieName;
+	  }
+
+	  public String getOriginalUrlQueryParam() {
+	    return originalUrlQueryParam;
+	  }
+
+	  public void setOriginalUrlQueryParam(String originalUrlQueryParam) {
+	    this.originalUrlQueryParam = originalUrlQueryParam;
+	  }
+
+	/**
+	 * @return the userAgentList
+	 */
+	public String[] getUserAgentList() {
+		return userAgentList;
+	}
+
+	/**
+	 * @param userAgentList the userAgentList to set
+	 */
+	public void setUserAgentList(String[] userAgentList) {
+		this.userAgentList = userAgentList;
+	}
+}
+
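Review bot: `getUserAgentList()` and `setUserAgentList(String[])` hand out and store the caller's array directly, so the list can be modified after the properties object is built; cloning on the way in and out (`this.userAgentList = userAgentList == null ? null : userAgentList.clone();`) keeps it fixed. The three `java.util` imports (`ArrayList`, `Collections`, `List`) are unused in this file, and the class mixes two indentation styles. A class-level Javadoc would help, stating what each field configures; `publicKey` is presumably the key the SSO token signature is verified against, which is worth saying explicitly.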

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
index fe7320c..6ee48f4 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
@@ -228,4 +228,30 @@
 		<value>(sAMAccountName={0})</value>
 		<description></description>
 	</property>
+	<!-- SSO Properties Starts-->
+	<property>
+		<name>ranger.sso.providerurl</name>
+		<value>https://127.0.0.1:8443/gateway/knoxsso/api/v1/websso</value>
+	</property>
+	<property>
+		<name>ranger.sso.publicKey</name>
+		<value>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</value>
+	</property>	
+	<property>
+		<name>ranger.sso.cookiename</name>
+		<value>hadoop-jwt</value>
+	</property>
+	<property>
+		<name>ranger.sso.enabled</name>
+		<value>false</value>
+	</property>
+	<property>
+		<name>ranger.sso.query.param.originalurl</name>
+		<value>originalUrl</value>
+	</property>
+	<property>
+		<name>ranger.sso.browser.useragent</name>
+		<value>Mozilla,chrome</value>
+	</property>
+	<!-- SSO Properties Ends-->
 </configuration>
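Review bot: None of the new `ranger.sso.*` properties carries a `<description>`, and `ranger.sso.publicKey` needs one most. `parseRSAPublicKey` earlier in this commit adds the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines itself and tells the admin not to include them when parsing fails, so the value has to be the bare base64 body of the provider's certificate. I'd add `<description>Base64 body of the SSO provider's X.509 certificate, without the PEM header and footer lines</description>`. A description on `ranger.sso.browser.useragent` should note that it is matched against a client-supplied header and so should only select the login flow, not act as a trust decision; the filter that reads it is not in this hunk, so that usage is an assumption to confirm.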

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
index 162afc6..329053f 100644
--- a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
+++ b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
@@ -30,31 +30,12 @@ http://www.springframework.org/schema/util/spring-util-3.1.xsd
 http://www.springframework.org/schema/security/oauth2
 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
 
-	<!-- TEMP ADD START-->
-	<security:http pattern="/test/social_login.jsp" security="none" />
-	<!-- TEMP ADD END -->
 	<security:http pattern="/login.jsp" security="none" />
-	<security:http pattern="/ms_version.jsp" security="none" />
-	<security:http pattern="/userRegistration.jsp" security="none" />
-	<security:http pattern="/forgotPassword.jsp" security="none" />
-	<security:http pattern="public/failedLogin.jsp" security="none" />
 	<security:http pattern="/styles/**" security="none" />
 	<security:http pattern="/fonts/**" security="none" />
 	<security:http pattern="/scripts/**" security="none" />
-	<security:http pattern="/bower_components/**" security="none" />
 	<security:http pattern="/libs/**" security="none" />
 	<security:http pattern="/images/**" security="none" />
-	<security:http pattern="/service/registration" security="none" />
-	<security:http pattern="/service/users/firstnames" security="none" />
-	<security:http pattern="/components/globalize/**" security="none" />
-	<security:http pattern="/resetPassword.jsp" security="none" />
-	<security:http pattern="/captcha/**" security="none" />
-	<security:http pattern="/service/registration/**" security="none" />
-	<security:http pattern="/public/**" security="none" />
-	<security:http pattern="/test/**" security="none" />
-	<security:http pattern="/test.html" security="none" />
-	<security:http pattern="/loadInit.html" security="none" />
-	<security:http pattern="/service/documents/result/**" security="none" />
 	<security:http pattern="/service/assets/policyList/*" security="none"/>
 	<security:http pattern="/service/assets/resources/grant" security="none"/>
 	<security:http pattern="/service/assets/resources/revoke" security="none"/>
@@ -63,34 +44,16 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
 	<security:http pattern="/service/plugins/services/revoke/*" security="none"/>
 	<security:http pattern="/service/tags/download/*" security="none"/>
 
-	<!--<security:http pattern="/service/users/default" security="none"/>
-	<security:http pattern="/service/xusers/groups/**" security="none"/>
-	<security:http pattern="/service/xusers/users/*" security="none"/>
-	<security:http pattern="/service/xusers/groupusers/*" security="none"/>-->
-
-	<security:http auto-config="false" create-session="always" entry-point-ref="authenticationProcessingFilterEntryPoint">
+	<security:http disable-url-rewriting="true" use-expressions="true" create-session="always" entry-point-ref="authenticationProcessingFilterEntryPoint">
 		<security:session-management session-fixation-protection="newSession" />
-		<!--   security:remember-me user-service-ref="userService" key="REMEMBER_ME_PASSWORD"/ -->
-
-		<!-- Restricted URLs to admin-->
-		<security:intercept-url pattern="/service/crud/**" access="ROLE_SYS_ADMIN" />
-		<security:intercept-url pattern="/service/users/activations/**" access="ROLE_SYS_ADMIN" />
-
-		<!-- Allow annoymous access -->
-		<security:intercept-url pattern="/service/general/feedbacks" access="IS_AUTHENTICATED_ANONYMOUSLY" />
-
-		<!-- give read access to lesson api -->
-		<security:intercept-url pattern="/service/lesson/**" access="IS_AUTHENTICATED_ANONYMOUSLY" method="GET"/>
-
-		<!-- Restricted URLs to only authenticated users-->
-		<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY, IS_AUTHENTICATED_REMEMBERED" />
-
+		<intercept-url pattern="/**" access="isAuthenticated()"/>       
+		<custom-filter ref="ssoAuthenticationFilter" after="BASIC_AUTH_FILTER" /> 
+		
 		<security:custom-filter position="FORM_LOGIN_FILTER" ref="customUsernamePasswordAuthenticationFilter"/>
-		<!--  security:custom-filter before="ANONYMOUS_FILTER" ref="rememberMeFilter" / -->
 		<security:custom-filter position="LAST" ref="userContextFormationFilter"/>
 
 		<security:access-denied-handler error-page="/public/failedLogin.jsp?access_denied=1"/>
-		<security:logout delete-cookies="JSESSIONID, xa_rmc" logout-url="/logout.html" success-handler-ref="customLogoutSuccessHandler" />
+		<security:logout delete-cookies="JSESSIONID,hadoop-jwt,xa_rmc" logout-url="/logout.html" success-handler-ref="customLogoutSuccessHandler" />
 		<http-basic entry-point-ref="authenticationProcessingFilterEntryPoint"/>
 	</security:http>
 
@@ -108,7 +71,6 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
 		<beans:property name="authenticationManager" ref="authenticationManager"/>
 		<beans:property name="authenticationSuccessHandler" ref="ajaxAuthSuccessHandler"/>
 		<beans:property name="authenticationFailureHandler"	ref="ajaxAuthFailureHandler"/>
-		<!--  beans:property name="rememberMeServices" ref="rememberMeServices"/ -->
 	</beans:bean>
 
 	<beans:bean id="authenticationProcessingFilterEntryPoint" class="org.apache.ranger.security.web.authentication.RangerAuthenticationEntryPoint">
@@ -127,6 +89,10 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
 	<beans:bean id="customLogoutSuccessHandler" class="org.apache.ranger.security.web.authentication.CustomLogoutSuccessHandler">
 	</beans:bean>
 
+	<beans:bean id="ssoAuthenticationFilter" class="org.apache.ranger.security.web.filter.RangerSSOAuthenticationFilter">
+            <beans:property name="ssoEnabled" value="${ranger.sso.enabled}"/>
+    </beans:bean>
+	
 	<beans:bean id="userContextFormationFilter" class="org.apache.ranger.security.web.filter.RangerSecurityContextFormationFilter"/>
 
 	<security:jdbc-user-service id="userService" data-source-ref="defaultDataSource"
@@ -136,50 +102,13 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
 			WHERE usr.LOGIN_ID=?
 			AND usr_role.USER_ID = usr.ID"
 			/>
- <beans:bean id="customAuthenticationProvider" class="org.apache.ranger.security.handler.RangerAuthenticationProvider" >
-	<beans:property name="rangerAuthenticationMethod" value="${ranger.authentication.method}" />
- </beans:bean>
+ 	<beans:bean id="customAuthenticationProvider" class="org.apache.ranger.security.handler.RangerAuthenticationProvider" >
+    	<beans:property name="rangerAuthenticationMethod" value="${ranger.authentication.method}" />
+ 	</beans:bean>
 
 	<security:authentication-manager alias="authenticationManager">
          <security:authentication-provider ref="customAuthenticationProvider"/>
-	<!-- <security:authentication-manager alias="authenticationManager"> -->
-		<!-- AD_SEC_SETTINGS_START -->
-		<!-- AD_SEC_SETTINGS_END-->
-		<!-- LDAP_SEC_SETTINGS_START -->
-		<!-- LDAP_SEC_SETTINGS_END -->
-		<!-- UNIX_SEC_SETTINGS_START -->
-		<!-- UNIX_SEC_SETTINGS_END -->
-		<!-- <security:authentication-provider user-service-ref="userService">
-			<security:password-encoder hash="md5">
-				<security:salt-source user-property="username"/>
-			</security:password-encoder>
-		</security:authentication-provider> -->
-		<!--   security:authentication-provider ref="rememberMeAuthenticationProvider"/ -->
 	</security:authentication-manager>
-
 	<security:global-method-security pre-post-annotations="enabled" />
-
-	<!-- UNIX_BEAN_SETTINGS_START -->
-	<!-- UNIX_BEAN_SETTINGS_END -->
-	<!-- AD_BEAN_SETTINGS_START -->
-	<!-- AD_BEAN_SETTINGS_END -->
-	<!-- LDAP_BEAN_SETTINGS_START -->
-	<!-- LDAP_BEAN_SETTINGS_END -->
-	<!--  beans:bean id="rememberMeFilter" class="org.apache.ranger.security.web.filter.MyRememberMeFilter">
-		<beans:property name="rememberMeServices" ref="rememberMeServices"/>
-		<beans:property name="authenticationManager" ref="authenticationManager" />
-	</beans:bean>
-	<beans:bean id="rememberMeServices" class=
-        "org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
-	<beans:property name="userDetailsService" ref="userService"/>
-	<beans:property name="cookieName" value="xa_rmc" />
-	<beans:property name="key" value="REMEMBER_ME_PASSWORD"/>
-	<beans:property name="alwaysRemember" value="true"/>
-	</beans:bean>
-
-	<beans:bean id="rememberMeAuthenticationProvider" class=
-        "org.springframework.security.authentication.RememberMeAuthenticationProvider">
-	<beans:property name="key" value="REMEMBER_ME_PASSWORD"/>
-	</beans:bean -->
 	<beans:bean id="securityEventListener" class ="org.apache.ranger.security.listener.SpringEventListener"/>
 </beans:beans>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/webapp/scripts/utils/XAUtils.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/utils/XAUtils.js b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
index 8cb90e3..0f3aa3d 100644
--- a/security-admin/src/main/webapp/scripts/utils/XAUtils.js
+++ b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
@@ -1030,10 +1030,15 @@ define(function(require) {
 	XAUtils.filterAllowedActions = function(controller) {
 		var SessionMgr = require('mgrs/SessionMgr');
 			var XAGlobals = require('utils/XAGlobals');
+			var vError = require('views/common/ErrorView');
+			var App = require('App');
 			var that = this;
 			var vXPortalUser = SessionMgr.getUserProfile();
 			if(_.isEmpty(vXPortalUser.attributes)){
-				return controller;
+				App.rContent.show(new vError({
+					 status : 204
+				}));
+				return;
 			}
 			var denyControllerActions = [], denyModulesObj = [];
 			var userModuleNames = _.pluck(vXPortalUser.get('userPermList'),'moduleName');
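Review bot: `filterAllowedActions` now returns `undefined` when the user profile is empty, where it used to return `controller`, so any caller that uses the return value receives `undefined` after the error view is shown. Either return a value callers can test for, or document the new contract on the function. A comment on the branch would also help, e.g. `// no profile attributes: user is authenticated but not yet synced into Ranger`, if that is the case the 204 view is meant for. The function body continues past the end of the hunk.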

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/webapp/scripts/views/common/ErrorView.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/common/ErrorView.js b/security-admin/src/main/webapp/scripts/views/common/ErrorView.js
index a9d5739..4f8f463 100644
--- a/security-admin/src/main/webapp/scripts/views/common/ErrorView.js
+++ b/security-admin/src/main/webapp/scripts/views/common/ErrorView.js
@@ -37,7 +37,10 @@ define(function(require){
         	if(this.status == 401){
         		msg = 'Access Denied (401)'
             	moreInfo = "Sorry, you don't have enough privileges to view this page.";
-            }else{
+        	} else if(this.status == 204){
+        		msg = 'No Content (204)'
+                moreInfo = "Sorry, Please sync-up the users with your source directory.";
+            } else {
         		msg = 'Page not found (404).'
             	moreInfo = "Sorry, this page isn't here or has moved.";
             }
@@ -82,6 +85,10 @@ define(function(require){
 		onRender: function() {
 			this.initializePlugins();
 			$('#r_breadcrumbs').hide();
+			 if(this.status == 204){
+				 this.ui.goBackBtn.hide();
+				 this.ui.home.hide();
+			 }
 		},
 		goBackClick : function(){
 			history.back();

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c707ff/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js b/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
index 0f87270..0bb9648 100644
--- a/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
+++ b/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
@@ -53,7 +53,8 @@ define(function(require){
 			return events;
 		},
 		onLogout : function(){
-			var url = 'security-admin-web/logout.html';
+			var url = 'security-admin-web/logout.html',
+			that = this;
 			$.ajax({
 				url : url,
 				type : 'GET',
@@ -61,13 +62,38 @@ define(function(require){
 					"cache-control" : "no-cache"
 				},
 				success : function() {
-					window.location.replace('login.jsp');
+					that.checkKnoxSSO()
+//					window.location.replace('login.jsp');
 				},
 				error : function(jqXHR, textStatus, err ) {
 				}
 				
 			});
 		},
+		checkKnoxSSO : function(){
+			var url = 'service/plugins/checksso';
+			$.ajax({
+				url : url,
+				type : 'GET',
+				headers : {
+					"cache-control" : "no-cache"
+				},
+				success : function(resp) {
+					console.log(resp)
+					if(!_.isUndefined(resp) && resp){
+						window.location.replace('');
+					} else {
+						window.location.replace('login.jsp');
+					}
+				},
+				error : function(jqXHR, textStatus, err ) {
+					if( jqXHR.status == 419 ){
+						window.location.replace('login.jsp');
+					}
+				}
+				
+			});
+		},
     	/**
 		* intialize a new ProfileBar ItemView 
 		* @constructs
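Review bot: In `checkKnoxSSO` the `error` callback redirects only for status 419, so after a successful logout any other failure of `service/plugins/checksso` leaves the user on the old page with no navigation; calling `window.location.replace('login.jsp');` for every error is safer. The success test `!_.isUndefined(resp) && resp` treats any non-empty body as true, including the string `"false"` if the endpoint answers as text, so compare explicitly with `resp === true || resp === 'true'`. The `console.log(resp)` and the commented-out `window.location.replace('login.jsp')` in `onLogout` should be removed.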


[12/26] incubator-ranger git commit: RANGER-740: Kafka Authorizer interface has added close() method. Ranger should also implement it

Posted by ma...@apache.org.
RANGER-740: Kafka Authorizer interface has added close() method. Ranger
should also implement it

Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/0dadcd10
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/0dadcd10
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/0dadcd10

Branch: refs/heads/tag-policy
Commit: 0dadcd1089fc093ad4b4a0196b1760886f7f55d4
Parents: 428afbc
Author: Don Bosco Durai <bo...@apache.org>
Authored: Tue Nov 24 12:52:19 2015 -0800
Committer: Don Bosco Durai <bo...@apache.org>
Committed: Tue Nov 24 12:52:19 2015 -0800

----------------------------------------------------------------------
 .../kafka/authorizer/RangerKafkaAuthorizer.java | 33 ++++++++++++++++----
 1 file changed, 27 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0dadcd10/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
index 08ff928..29c2ceb 100644
--- a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
+++ b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
@@ -26,7 +26,9 @@ import javax.security.auth.Subject;
 
 import kafka.security.auth.Acl;
 import kafka.security.auth.Authorizer;
+
 import org.apache.kafka.common.security.auth.KafkaPrincipal;
+
 import kafka.security.auth.*;
 import kafka.server.KafkaConfig;
 import kafka.common.security.LoginManager;
@@ -99,8 +101,26 @@ public class RangerKafkaAuthorizer implements Authorizer {
 		}
 	}
 
+	/*
+	 * (non-Javadoc)
+	 * 
+	 * @see kafka.security.auth.Authorizer#configure(Map<String, Object>)
+	 */
 	@Override
-	public boolean authorize(Session session, Operation operation, Resource resource) {
+	public void close() {
+		logger.info("close() called on authorizer.");
+		try {
+			if (rangerPlugin != null) {
+				rangerPlugin.cleanup();
+			}
+		} catch (Throwable t) {
+			logger.error("Error closing RangerPlugin.", t);
+		}
+	}
+
+	@Override
+	public boolean authorize(Session session, Operation operation,
+			Resource resource) {
 
 		if (rangerPlugin == null) {
 			MiscUtil.logErrorMessageByInterval(logger,
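Review bot: The comment block added above `close()` says `@see kafka.security.auth.Authorizer#configure(Map<String, Object>)`, which looks copied from `configure`; it should read `@see kafka.security.auth.Authorizer#close()`. `catch (Throwable t)` in `close()` also traps `Error`s such as `OutOfMemoryError`; `catch (Exception e)` would keep the best-effort cleanup without hiding those. `authorize` continues past the end of the hunk.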
@@ -124,7 +144,7 @@ public class RangerKafkaAuthorizer implements Authorizer {
 		String ip = session.host();
 
 		// skip leading slash
-		if(StringUtils.isNotEmpty(ip) && ip.charAt(0) == '/') {
+		if (StringUtils.isNotEmpty(ip) && ip.charAt(0) == '/') {
 			ip = ip.substring(1);
 		}
 
@@ -250,10 +270,12 @@ public class RangerKafkaAuthorizer implements Authorizer {
 	 * (non-Javadoc)
 	 * 
 	 * @see
-	 * kafka.security.auth.Authorizer#getAcls(kafka.security.auth.KafkaPrincipal)
+	 * kafka.security.auth.Authorizer#getAcls(kafka.security.auth.KafkaPrincipal
+	 * )
 	 */
 	@Override
-	public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls(KafkaPrincipal principal) {
+	public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls(
+			KafkaPrincipal principal) {
 		scala.collection.immutable.Map<Resource, Set<Acl>> aclList = new scala.collection.immutable.HashMap<Resource, Set<Acl>>();
 		logger.error("getAcls(KafkaPrincipal) is not supported by Ranger for Kafka");
 		return aclList;
@@ -262,8 +284,7 @@ public class RangerKafkaAuthorizer implements Authorizer {
 	/*
 	 * (non-Javadoc)
 	 * 
-	 * @see
-	 * kafka.security.auth.Authorizer#getAcls()
+	 * @see kafka.security.auth.Authorizer#getAcls()
 	 */
 	@Override
 	public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls() {


[09/26] incubator-ranger git commit: RANGER-720: Handling some error cases and fixing the issues that were reported in the Jira

Posted by ma...@apache.org.
RANGER-720: Handling some error cases and fixing the issues that were reported in the Jira

Signed-off-by: Velmurugan Periasamy <ve...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/7b7b314d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/7b7b314d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/7b7b314d

Branch: refs/heads/tag-policy
Commit: 7b7b314d89fab7c40f747c04c3bca989c4593de3
Parents: 04c5dc3
Author: Sailaja Polavarapu <sp...@hortonworks.com>
Authored: Mon Nov 16 13:01:23 2015 -0800
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Mon Nov 23 17:08:36 2015 -0500

----------------------------------------------------------------------
 .../ldapconfigcheck/LdapConfigCheckMain.java       |  6 +-----
 .../apache/ranger/ldapconfigcheck/UserSync.java    | 17 ++++++++++-------
 2 files changed, 11 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7b7b314d/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java
index ad56b2e..073df27 100644
--- a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java
@@ -200,10 +200,6 @@ public class LdapConfigCheckMain {
             msg = "ranger.usersync.ldap.user.objectclass ";
             throw new NullArgumentException(msg);
         }
-        if (userSyncObj.getUserGroupMemberName() == null || userSyncObj.getUserGroupMemberName().isEmpty()) {
-            msg = "ranger.usersync.ldap.user.groupnameattribute ";
-            throw new NullArgumentException(msg);
-        }
         if ((userSyncObj.getUserSearchBase() == null || userSyncObj.getUserSearchBase().isEmpty()) &&
                 (userSyncObj.getSearchBase() == null || userSyncObj.getSearchBase().isEmpty())) {
             msg = "ranger.usersync.ldap.user.searchbase and " +
@@ -223,7 +219,7 @@ public class LdapConfigCheckMain {
             msg = "ranger.usersync.group.objectclass ";
             throw new NullArgumentException(msg);
         }
-        if (userSyncObj.getUserGroupMemberName() == null || userSyncObj.getUserGroupMemberName().isEmpty()) {
+        if (userSyncObj.getGroupMemberName() == null || userSyncObj.getGroupMemberName().isEmpty()) {
             msg = "ranger.usersync.group.memberattributename ";
             throw new NullArgumentException(msg);
         }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7b7b314d/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java
index 53da9f2..f8b9aea 100644
--- a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java
@@ -258,7 +258,7 @@ public class UserSync {
                         groupMemberAttr = attributes.get(userGroupMemAttrValues[i]);
                         if (groupMemberAttr != null) {
                             userGroupMemberName = userGroupMemAttrValues[i];
-                            groupName = groupMemberAttr.get(1).toString();
+                            groupName = groupMemberAttr.get(0).toString();
                             break;
                         }
                     }
@@ -421,7 +421,7 @@ public class UserSync {
     public void getAllUsers(LdapContext ldapContext) throws Throwable {
         int noOfUsers = 0;
         Attribute userNameAttr = null;
-        String groupName = null;
+        //String groupName = null;
         Attribute groupMemberAttr;
         NamingEnumeration<SearchResult> userSearchResultEnum = null;
         SearchControls userSearchControls = new SearchControls();
@@ -598,12 +598,15 @@ public class UserSync {
         groupSearchControls.setSearchScope(config.getGroupSearchScope());
 
         try {
-            int baseIndex = groupName.indexOf(",");
-            groupBase = groupName.substring(baseIndex + 1);
-            groupFilter = groupName.substring(0, baseIndex);
-            groupSearchResultEnum = ldapContext.search(groupBase, groupFilter,
+	    if (groupName == null || groupName.isEmpty()) {
+		groupSearchResultEnum = ldapContext.search(searchBase, null);
+	    } else {
+                int baseIndex = groupName.indexOf(",");
+            	groupBase = groupName.substring(baseIndex + 1);
+            	groupFilter = groupName.substring(0, baseIndex);
+            	groupSearchResultEnum = ldapContext.search(groupBase, groupFilter,
                     groupSearchControls);
-
+	    }
             noOfGroups = 0;
             while (groupSearchResultEnum.hasMore()) {
                 if (noOfGroups >= 1) {
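Review bot: The new fallback `ldapContext.search(searchBase, null)` does not pass `groupSearchControls`, so the search scope set just above is ignored, and with `null` matching attributes it returns every entry in that context rather than only groups. Using the same three-argument overload as the `else` branch, with a group object-class filter, would keep the two paths consistent. In the `else` branch `groupName.indexOf(",")` returns -1 for a value without a comma and `groupName.substring(0, baseIndex)` then throws, so a guard on `baseIndex < 0` is needed before the two `substring` calls. The added lines mix tabs with the file's spaces. The enclosing method starts and ends outside the hunk.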


[18/26] incubator-ranger git commit: RANGER-745: Upgrade Apache commons-collections

Posted by ma...@apache.org.
RANGER-745: Upgrade Apache commons-collections

Signed-off-by: Velmurugan Periasamy <ve...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/19c21348
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/19c21348
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/19c21348

Branch: refs/heads/tag-policy
Commit: 19c21348621498dcc50d5808aa8b636251a90c17
Parents: 7a95ff0
Author: Velmurugan Periasamy <ve...@apache.org>
Authored: Wed Nov 25 15:51:29 2015 -0500
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Tue Dec 1 13:39:52 2015 -0800

----------------------------------------------------------------------
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/19c21348/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 1b183b4..d3a7a99 100644
--- a/pom.xml
+++ b/pom.xml
@@ -120,7 +120,7 @@
 		<commons.beanutils.core.version>1.8.3</commons.beanutils.core.version>
 		<commons.cli.version>1.2</commons.cli.version>
 		<commons.codec.version>1.9</commons.codec.version>
-		<commons.collections.version>3.2.1</commons.collections.version>
+		<commons.collections.version>3.2.2</commons.collections.version>
 		<commons.compress.version>1.8.1</commons.compress.version>
 		<commons.configuration.version>1.10</commons.configuration.version>
 		<commons.dbcp.version>1.4</commons.dbcp.version>


[05/26] incubator-ranger git commit: RANGER-737: updated Ranger Kakfa plugin for recent changes in Kafka authorizer

Posted by ma...@apache.org.
RANGER-737: updated Ranger Kakfa plugin for recent changes in Kafka authorizer


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/e47756ce
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/e47756ce
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/e47756ce

Branch: refs/heads/tag-policy
Commit: e47756ced5b9307e4e0c29543847d9ba0f6fad2b
Parents: 0b725f0
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Thu Nov 19 11:16:35 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Nov 19 23:09:42 2015 -0800

----------------------------------------------------------------------
 .../kafka/authorizer/RangerKafkaAuthorizer.java | 68 +++++++++++++-------
 .../services/kafka/RangerServiceKafka.java      | 37 +++++++----
 .../kafka/client/ServiceKafkaClient.java        | 42 ++++++++----
 pom.xml                                         |  5 +-
 ranger-kafka-plugin-shim/.gitignore             |  1 +
 .../kafka/authorizer/RangerKafkaAuthorizer.java | 65 +++++++++++++------
 6 files changed, 146 insertions(+), 72 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e47756ce/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
index c5e955d..08ff928 100644
--- a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
+++ b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
@@ -20,14 +20,14 @@
 package org.apache.ranger.authorization.kafka.authorizer;
 
 import java.util.Date;
+import java.util.Map;
+
 import javax.security.auth.Subject;
 
 import kafka.security.auth.Acl;
 import kafka.security.auth.Authorizer;
-import kafka.security.auth.KafkaPrincipal;
-import kafka.security.auth.Operation;
-import kafka.security.auth.Resource;
-import kafka.security.auth.ResourceType;
+import org.apache.kafka.common.security.auth.KafkaPrincipal;
+import kafka.security.auth.*;
 import kafka.server.KafkaConfig;
 import kafka.common.security.LoginManager;
 import kafka.network.RequestChannel.Session;
@@ -73,11 +73,10 @@ public class RangerKafkaAuthorizer implements Authorizer {
 	/*
 	 * (non-Javadoc)
 	 * 
-	 * @see kafka.security.auth.Authorizer#initialize(kafka.server.KafkaConfig)
+	 * @see kafka.security.auth.Authorizer#configure(Map<String, Object>)
 	 */
 	@Override
-	public void initialize(KafkaConfig kafkaConfig) {
-
+	public void configure(Map<String, ?> configs) {
 		if (rangerPlugin == null) {
 			try {
 				Subject subject = LoginManager.subject();
@@ -110,7 +109,7 @@ public class RangerKafkaAuthorizer implements Authorizer {
 		}
 
 		// TODO: If resource type if consumer group, then allow it by default
-		if (resource.resourceType().equals(ResourceType.CONSUMER_GROUP)) {
+		if (resource.resourceType().equals(Group$.MODULE$)) {
 			return true;
 		}
 
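Review bot: The `Group$.MODULE$` check returns `true` before any Ranger policy is evaluated, so every consumer-group request is allowed, and from the visible lines no access request is built for it, so it is presumably not audited either. If the hunk at `@@ -152,12 +156,12 @@` belongs to the same method (the hunk headers name only the class), its `else if (resource.resourceType().equals(Group$.MODULE$))` branch that sets `KEY_CONSUMER_GROUP` can never run. If allow-by-default is intentional for now, the comment should say so, for example `// Consumer groups are allowed without a policy check or audit until group policies are defined`. The enclosing method starts and ends outside this hunk.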
@@ -124,6 +123,11 @@ public class RangerKafkaAuthorizer implements Authorizer {
 				.getGroupsForRequestUser(userName);
 		String ip = session.host();
 
+		// skip leading slash
+		if(StringUtils.isNotEmpty(ip) && ip.charAt(0) == '/') {
+			ip = ip.substring(1);
+		}
+
 		Date eventTime = StringUtil.getUTCDate();
 		String accessType = mapToRangerAccessType(operation);
 		boolean validationFailed = false;
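Review bot: The added leading-slash strip only handles a value such as `/10.0.0.1`. If `session.host()` can also return the `hostname/address` form that `InetAddress.toString()` produces (an assumption, since the source of the string is not visible), `ip` keeps the hostname prefix and any IP-based policy match or audit field built from it will not see a bare address. Cutting at the last slash covers both forms: `int slash = ip.lastIndexOf('/'); if (slash >= 0) { ip = ip.substring(slash + 1); }`, still inside the existing `StringUtils.isNotEmpty(ip)` guard. How `ip` is consumed is outside this hunk.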
@@ -152,12 +156,12 @@ public class RangerKafkaAuthorizer implements Authorizer {
 		rangerRequest.setAction(action);
 		rangerRequest.setRequestData(resource.name());
 
-		if (resource.resourceType().equals(ResourceType.TOPIC)) {
+		if (resource.resourceType().equals(Topic$.MODULE$)) {
 			rangerResource.setValue(KEY_TOPIC, resource.name());
-		} else if (resource.resourceType().equals(ResourceType.CLUSTER)) {
+		} else if (resource.resourceType().equals(Cluster$.MODULE$)) {
 			// CLUSTER should go as null
 			// rangerResource.setValue(KEY_CLUSTER, resource.name());
-		} else if (resource.resourceType().equals(ResourceType.CONSUMER_GROUP)) {
+		} else if (resource.resourceType().equals(Group$.MODULE$)) {
 			rangerResource.setValue(KEY_CONSUMER_GROUP, resource.name());
 		} else {
 			logger.fatal("Unsupported resourceType=" + resource.resourceType());
@@ -201,7 +205,7 @@ public class RangerKafkaAuthorizer implements Authorizer {
 	 */
 	@Override
 	public void addAcls(Set<Acl> acls, Resource resource) {
-		logger.error("addAcls() is not supported by Ranger for Kafka");
+		logger.error("addAcls(Set<Acl>, Resource) is not supported by Ranger for Kafka");
 	}
 
 	/*
@@ -213,7 +217,7 @@ public class RangerKafkaAuthorizer implements Authorizer {
 	 */
 	@Override
 	public boolean removeAcls(Set<Acl> acls, Resource resource) {
-		logger.error("removeAcls() is not supported by Ranger for Kafka");
+		logger.error("removeAcls(Set<Acl>, Resource) is not supported by Ranger for Kafka");
 		return false;
 	}
 
@@ -225,7 +229,7 @@ public class RangerKafkaAuthorizer implements Authorizer {
 	 */
 	@Override
 	public boolean removeAcls(Resource resource) {
-		logger.error("removeAcls() is not supported by Ranger for Kafka");
+		logger.error("removeAcls(Resource) is not supported by Ranger for Kafka");
 		return false;
 	}
 
@@ -237,7 +241,7 @@ public class RangerKafkaAuthorizer implements Authorizer {
 	@Override
 	public Set<Acl> getAcls(Resource resource) {
 		Set<Acl> aclList = new HashSet<Acl>();
-		logger.error("getAcls() is not supported by Ranger for Kafka");
+		logger.error("getAcls(Resource) is not supported by Ranger for Kafka");
 
 		return aclList;
 	}
@@ -246,12 +250,24 @@ public class RangerKafkaAuthorizer implements Authorizer {
 	 * (non-Javadoc)
 	 * 
 	 * @see
-	 * kafka.security.auth.Authorizer#getAcls(kafka.security.auth.KafkaPrincipal
-	 * )
+	 * kafka.security.auth.Authorizer#getAcls(kafka.security.auth.KafkaPrincipal)
 	 */
 	@Override
-	public Set<Acl> getAcls(KafkaPrincipal principal) {
-		Set<Acl> aclList = new HashSet<Acl>();
+	public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls(KafkaPrincipal principal) {
+		scala.collection.immutable.Map<Resource, Set<Acl>> aclList = new scala.collection.immutable.HashMap<Resource, Set<Acl>>();
+		logger.error("getAcls(KafkaPrincipal) is not supported by Ranger for Kafka");
+		return aclList;
+	}
+
+	/*
+	 * (non-Javadoc)
+	 * 
+	 * @see
+	 * kafka.security.auth.Authorizer#getAcls()
+	 */
+	@Override
+	public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls() {
+		scala.collection.immutable.Map<Resource, Set<Acl>> aclList = new scala.collection.immutable.HashMap<Resource, Set<Acl>>();
 		logger.error("getAcls() is not supported by Ranger for Kafka");
 		return aclList;
 	}
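Review bot: The `@see` line rewritten in this hunk still names `kafka.security.auth.KafkaPrincipal`, while the import hunk at the top of the file switches the type to `org.apache.kafka.common.security.auth.KafkaPrincipal`; it should read `kafka.security.auth.Authorizer#getAcls(org.apache.kafka.common.security.auth.KafkaPrincipal)`. Both `getAcls` overloads here log at error level and return an empty map, so a caller cannot tell "not supported" from "no ACLs defined". A one-line comment on each, such as `// ACLs are managed through Ranger policies; this always returns an empty map`, would make the contract explicit. The comment block at the top of the hunk starts above it.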
@@ -261,16 +277,20 @@ public class RangerKafkaAuthorizer implements Authorizer {
 	 * @return
 	 */
 	private String mapToRangerAccessType(Operation operation) {
-		if (operation.equals(Operation.READ)) {
+		if (operation.equals(Read$.MODULE$)) {
 			return ACCESS_TYPE_READ;
-		} else if (operation.equals(Operation.WRITE)) {
+		} else if (operation.equals(Write$.MODULE$)) {
 			return ACCESS_TYPE_WRITE;
-		} else if (operation.equals(Operation.ALTER)) {
+		} else if (operation.equals(Alter$.MODULE$)) {
 			return ACCESS_TYPE_CONFIGURE;
-		} else if (operation.equals(Operation.DESCRIBE)) {
+		} else if (operation.equals(Describe$.MODULE$)) {
 			return ACCESS_TYPE_DESCRIBE;
-		} else if (operation.equals(Operation.CLUSTER_ACTION)) {
+		} else if (operation.equals(ClusterAction$.MODULE$)) {
 			return ACCESS_TYPE_KAFKA_ADMIN;
+		} else if (operation.equals(Create$.MODULE$)) {
+			return ACCESS_TYPE_CREATE;
+		} else if (operation.equals(Delete$.MODULE$)) {
+			return ACCESS_TYPE_DELETE;
 		}
 		return null;
 	}
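Review bot: Any operation other than the seven mapped here still falls through to `return null` without a trace, so an unmapped operation reaches the caller with no access type. What the caller does with a null `accessType` is outside this hunk; it should be confirmed that the request is denied rather than evaluated with an empty access type. A log line before the final return, `logger.warn("Unmapped Kafka operation=" + operation);`, would make such requests visible in the broker log.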

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e47756ce/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java b/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
index ea6d316..8a82b2f 100644
--- a/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
+++ b/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
@@ -31,7 +31,6 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
 public class RangerServiceKafka extends RangerBaseService {
-
 	private static final Log LOG = LogFactory.getLog(RangerServiceKafka.class);
 
 	public RangerServiceKafka() {
@@ -46,33 +45,45 @@ public class RangerServiceKafka extends RangerBaseService {
 	@Override
 	public HashMap<String, Object> validateConfig() throws Exception {
 		HashMap<String, Object> ret = new HashMap<String, Object>();
-		String serviceName = getServiceName();
+
 		if (LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerServiceKafka.validateConfig Service: ("
-					+ serviceName + " )");
+			LOG.debug("==> RangerServiceKafka.validateConfig(" + serviceName + ")");
 		}
+
 		if (configs != null) {
 			try {
-				ret = ServiceKafkaConnectionMgr.testConnection(serviceName,
-						configs);
+				ret = ServiceKafkaConnectionMgr.testConnection(serviceName, configs);
 			} catch (Exception e) {
 				LOG.error("<== RangerServiceKafka.validateConfig Error:" + e);
 				throw e;
 			}
 		}
+
 		if (LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerServiceKafka.validateConfig Response : (" + ret
-					+ " )");
+			LOG.debug("<== RangerServiceKafka.validateConfig(" + serviceName + "): ret=" + ret);
 		}
+
 		return ret;
 	}
 
 	@Override
-	public List<String> lookupResource(ResourceLookupContext context)
-			throws Exception {
+	public List<String> lookupResource(ResourceLookupContext context) throws Exception {
+		List<String> ret = null;
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerServiceKafka.lookupResource(" + serviceName + ")");
+		}
 
-		ServiceKafkaClient serviceKafkaClient = ServiceKafkaConnectionMgr
-				.getKafkaClient(serviceName, configs);
-		return serviceKafkaClient.getResources(context);
+		if(configs != null) {
+			ServiceKafkaClient serviceKafkaClient = ServiceKafkaConnectionMgr.getKafkaClient(serviceName, configs);
+
+			ret = serviceKafkaClient.getResources(context);
+		}
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerServiceKafka.lookupResource(" + serviceName + "): ret=" + ret);
+		}
+
+		return ret;
 	}
 }
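Review bot: `lookupResource` now returns `null` when `configs` is null, whereas `validateConfig` in the same hunk returns an empty map in that case. Callers that iterate the result would need a null check, and none is visible here. Initialising the result to an empty list, `List<String> ret = new ArrayList<String>();`, keeps the two methods consistent, provided `java.util.ArrayList` is imported (the import block is outside this hunk).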

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e47756ce/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/client/ServiceKafkaClient.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/client/ServiceKafkaClient.java b/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/client/ServiceKafkaClient.java
index 0698bf6..f5c04fe 100644
--- a/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/client/ServiceKafkaClient.java
+++ b/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/client/ServiceKafkaClient.java
@@ -28,8 +28,9 @@ import java.util.concurrent.Callable;
 import java.util.concurrent.TimeUnit;
 
 import kafka.utils.ZkUtils;
-
-import org.I0Itec.zkclient.ZkClient;
+import kafka.utils.ZkUtils$;
+import org.apache.kafka.common.security.JaasUtils;
+import org.I0Itec.zkclient.*;
 import org.apache.log4j.Logger;
 import org.apache.ranger.plugin.client.BaseClient;
 import org.apache.ranger.plugin.service.ResourceLookupContext;
@@ -79,31 +80,48 @@ public class ServiceKafkaClient {
 		return responseData;
 	}
 
-	public List<String> getTopicList(List<String> ignoreTopicList)
-			throws Exception {
+	private List<String> getTopicList(List<String> ignoreTopicList) throws Exception {
+		List<String> ret = new ArrayList<String>();
 
-		List<String> list = new ArrayList<String>();
+		int          sessionTimeout    = 5000;
+        int          connectionTimeout = 10000;
+		ZkClient     zkClient          = null;
+		ZkConnection zkConnection      = null;
 
-		ZkClient zkClient = new ZkClient(zookeeperConnect);
 		try {
-			Seq<String> topicList = ZkUtils.getChildrenParentMayNotExist(
-					zkClient, ZkUtils.BrokerTopicsPath());
+	        zkClient     = ZkUtils$.MODULE$.createZkClient(zookeeperConnect, sessionTimeout, connectionTimeout);
+	        zkConnection = new ZkConnection(zookeeperConnect, sessionTimeout);
+
+	        boolean      zkSecurityEnabled = JaasUtils.isZkSecurityEnabled();
+	        ZkUtils      zkUtils           = new ZkUtils(zkClient, zkConnection, true);
+	        Seq<String>  topicList         = zkUtils.getChildrenParentMayNotExist(ZkUtils.BrokerTopicsPath());
 
 			Iterator<String> iter = topicList.iterator();
 			while (iter.hasNext()) {
 				String topic = iter.next();
 				if (ignoreTopicList == null || !ignoreTopicList.contains(topic)) {
-					list.add(topic);
+					ret.add(topic);
 				}
 			}
 		} finally {
 			try {
-				zkClient.close();
+				if(zkClient != null) {
+					zkClient.close();
+				}
 			} catch (Exception ex) {
-				LOG.error("Error closing zookeeper", ex);
+				LOG.error("Error closing zkClient", ex);
+			}
+			
+			try {
+				if(zkConnection != null) {
+					zkConnection.close();
+				}
+				
+			} catch(Exception ex) {
+				LOG.error("Error closing zkConnection", ex);
 			}
 		}
-		return list;
+		return ret;
 	}
 
 	/**
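Review bot: `zkSecurityEnabled` is computed from `JaasUtils.isZkSecurityEnabled()` and never used, while the `ZkUtils` constructor on the next line is passed a hard-coded `true`. Assuming the third constructor argument is the ZooKeeper security flag, the computed value should be passed, `ZkUtils zkUtils = new ZkUtils(zkClient, zkConnection, zkSecurityEnabled);`, so that an unsecured ensemble is not treated as a secured one. The timeouts `5000` and `10000` are bare literals with no unit stated; named constants or a comment would help. The added lines also mix tabs and spaces.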

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e47756ce/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index d60fca4..1b183b4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -159,7 +159,7 @@
 		<jersey-client.version>2.6</jersey-client.version>
 		<junit.version>4.11</junit.version>
 		<kafka.version>0.8.2.0</kafka.version>
-		<!-- <kafka.version>0.8.2.2.3.2.0-2950</kafka.version> -->
+		<!-- <kafka.version>0.8.2.2.3.4.0-3288</kafka.version> -->
 		<mockito.version>1.8.4</mockito.version>
 		<hamcrest-version>1.3</hamcrest-version>
 		<knox.gateway.version>0.6.0</knox.gateway.version>
@@ -233,7 +233,8 @@
       <profile>
           <id>kafka-security</id>
          <modules>
-        	 <module>plugin-kafka</module>         
+             <module>plugin-kafka</module>
+             <module>ranger-kafka-plugin-shim</module>
          </modules>
       </profile>
   </profiles>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e47756ce/ranger-kafka-plugin-shim/.gitignore
----------------------------------------------------------------------
diff --git a/ranger-kafka-plugin-shim/.gitignore b/ranger-kafka-plugin-shim/.gitignore
new file mode 100644
index 0000000..b83d222
--- /dev/null
+++ b/ranger-kafka-plugin-shim/.gitignore
@@ -0,0 +1 @@
+/target/

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e47756ce/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
----------------------------------------------------------------------
diff --git a/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
index d39cac2..0937835 100644
--- a/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
+++ b/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
@@ -19,6 +19,8 @@
 
 package org.apache.ranger.authorization.kafka.authorizer;
 
+import java.util.Map;
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.classloader.RangerPluginClassLoader;
@@ -27,10 +29,9 @@ import scala.collection.immutable.Set;
 import kafka.network.RequestChannel.Session;
 import kafka.security.auth.Acl;
 import kafka.security.auth.Authorizer;
-import kafka.security.auth.KafkaPrincipal;
+import org.apache.kafka.common.security.auth.KafkaPrincipal;
 import kafka.security.auth.Operation;
 import kafka.security.auth.Resource;
-import kafka.server.KafkaConfig;
 
 
 //public class RangerKafkaAuthorizer extends Authorizer {
@@ -82,31 +83,30 @@ public class RangerKafkaAuthorizer implements Authorizer {
 			LOG.debug("<== RangerKafkaAuthorizer.init()");
 		}
 	}
-	
-	
+
 	@Override
-	public void initialize(KafkaConfig kafkaConfig) {
+	public void configure(Map<String, ?> configs) {
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerKafkaAuthorizer.initialize()");
+			LOG.debug("==> RangerKafkaAuthorizer.configure(Map<String, ?>)");
 		}
 
 		try {
 			activatePluginClassLoader();
 
-			rangerKakfaAuthorizerImpl.initialize(kafkaConfig);
+			rangerKakfaAuthorizerImpl.configure(configs);
 		} finally {
 			deactivatePluginClassLoader();
 		}
 
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerKafkaAuthorizer.initialize()");
+			LOG.debug("<== RangerKafkaAuthorizer.configure(Map<String, ?>)");
 		}
 	}
 
 	@Override
 	public boolean authorize(Session session, Operation operation,Resource resource) {	
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerKafkaAuthorizer.authorize()");
+			LOG.debug("==> RangerKafkaAuthorizer.authorize(Session, Operation, Resource)");
 		}
 
 		boolean ret = false;
@@ -120,7 +120,7 @@ public class RangerKafkaAuthorizer implements Authorizer {
 		}
 
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerKafkaAuthorizer.authorize()");
+			LOG.debug("<== RangerKafkaAuthorizer.authorize(Session, Operation, Resource)");
 		}
 		
 		return ret;
@@ -129,7 +129,7 @@ public class RangerKafkaAuthorizer implements Authorizer {
 	@Override
 	public void addAcls(Set<Acl> acls, Resource resource) {
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerKafkaAuthorizer.addAcls()");
+			LOG.debug("==> RangerKafkaAuthorizer.addAcls(Set<Acl>, Resource)");
 		}
 
 		try {
@@ -141,14 +141,14 @@ public class RangerKafkaAuthorizer implements Authorizer {
 		}
 
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerKafkaAuthorizer.addAcls()");
+			LOG.debug("<== RangerKafkaAuthorizer.addAcls(Set<Acl>, Resource)");
 		}
 	}
 
 	@Override
 	public boolean removeAcls(Set<Acl> acls, Resource resource) {
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerKafkaAuthorizer.removeAcls()");
+			LOG.debug("==> RangerKafkaAuthorizer.removeAcls(Set<Acl>, Resource)");
 		}
 		boolean ret = false;
 		try {
@@ -160,7 +160,7 @@ public class RangerKafkaAuthorizer implements Authorizer {
 		}
 
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerKafkaAuthorizer.removeAcls()");
+			LOG.debug("<== RangerKafkaAuthorizer.removeAcls(Set<Acl>, Resource)");
 		}
 		
 		return ret;
@@ -169,7 +169,7 @@ public class RangerKafkaAuthorizer implements Authorizer {
 	@Override
 	public boolean removeAcls(Resource resource) {
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerKafkaAuthorizer.removeAcls()");
+			LOG.debug("==> RangerKafkaAuthorizer.removeAcls(Resource)");
 		}
 		boolean ret = false;
 		try {
@@ -181,7 +181,7 @@ public class RangerKafkaAuthorizer implements Authorizer {
 		}
 
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerKafkaAuthorizer.removeAcls()");
+			LOG.debug("<== RangerKafkaAuthorizer.removeAcls(Resource)");
 		}
 
 		return ret;
@@ -190,7 +190,7 @@ public class RangerKafkaAuthorizer implements Authorizer {
 	@Override
 	public Set<Acl> getAcls(Resource resource) {
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerKafkaAuthorizer.getAcls()");
+			LOG.debug("==> RangerKafkaAuthorizer.getAcls(Resource)");
 		}
 		
 		Set<Acl> ret = null;
@@ -204,19 +204,19 @@ public class RangerKafkaAuthorizer implements Authorizer {
 		}
 
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== RangerKafkaAuthorizer.getAcls()");
+			LOG.debug("<== RangerKafkaAuthorizer.getAcls(Resource)");
 		}
 
 		return ret;
 	}
 
 	@Override
-	public Set<Acl> getAcls(KafkaPrincipal principal) {
+	public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls(KafkaPrincipal principal) {
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> RangerKafkaAuthorizer.getAcls()");
+			LOG.debug("==> RangerKafkaAuthorizer.getAcls(KafkaPrincipal)");
 		}
 
-		Set<Acl> ret = null;
+		scala.collection.immutable.Map<Resource, Set<Acl>> ret = null;
 
 		try {
 			activatePluginClassLoader();
@@ -227,6 +227,29 @@ public class RangerKafkaAuthorizer implements Authorizer {
 		}
 
 		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerKafkaAuthorizer.getAcls(KafkaPrincipal)");
+		}
+
+		return ret;
+	}
+
+	@Override
+	public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls() {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerKafkaAuthorizer.getAcls()");
+		}
+
+		scala.collection.immutable.Map<Resource, Set<Acl>> ret = null;
+
+		try {
+			activatePluginClassLoader();
+
+			ret = rangerKakfaAuthorizerImpl.getAcls();
+		} finally {
+			deactivatePluginClassLoader();
+		}
+
+		if(LOG.isDebugEnabled()) {
 			LOG.debug("<== RangerKafkaAuthorizer.getAcls()");
 		}
 


[13/26] incubator-ranger git commit: RANGER-744: Kafka Authorizer has updated how IP/Host is passed

Posted by ma...@apache.org.
RANGER-744: Kafka Authorizer has updated how IP/Host is passed

Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/fa435a92
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/fa435a92
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/fa435a92

Branch: refs/heads/tag-policy
Commit: fa435a922ff03fc19d8416f0b304999b5b1b9806
Parents: 0dadcd1
Author: Don Bosco Durai <bo...@apache.org>
Authored: Tue Nov 24 22:48:34 2015 -0800
Committer: Don Bosco Durai <bo...@apache.org>
Committed: Tue Nov 24 22:48:34 2015 -0800

----------------------------------------------------------------------
 .../kafka/authorizer/RangerKafkaAuthorizer.java |  7 +------
 .../kafka/authorizer/RangerKafkaAuthorizer.java | 22 +++++++++++++++++++-
 2 files changed, 22 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fa435a92/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
index 29c2ceb..7ca12ce 100644
--- a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
+++ b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
@@ -101,11 +101,6 @@ public class RangerKafkaAuthorizer implements Authorizer {
 		}
 	}
 
-	/*
-	 * (non-Javadoc)
-	 * 
-	 * @see kafka.security.auth.Authorizer#configure(Map<String, Object>)
-	 */
 	@Override
 	public void close() {
 		logger.info("close() called on authorizer.");
@@ -141,7 +136,7 @@ public class RangerKafkaAuthorizer implements Authorizer {
 		}
 		java.util.Set<String> userGroups = MiscUtil
 				.getGroupsForRequestUser(userName);
-		String ip = session.host();
+		String ip = session.clientAddress().getHostAddress();
 
 		// skip leading slash
 		if (StringUtils.isNotEmpty(ip) && ip.charAt(0) == '/') {
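Review bot: With `session.clientAddress().getHostAddress()` the value is the textual address only (assuming `clientAddress()` returns a `java.net.InetAddress`), so the `// skip leading slash` check that follows can no longer match and could be removed together with its comment. `clientAddress()` is also dereferenced without a null check. Whether it can be null is not visible here, but a guard such as `String ip = session.clientAddress() != null ? session.clientAddress().getHostAddress() : null;` keeps the authorizer from throwing on the request path. The enclosing method and the `if` block continue outside this hunk.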

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fa435a92/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
----------------------------------------------------------------------
diff --git a/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
index 0937835..90b1ab0 100644
--- a/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
+++ b/ranger-kafka-plugin-shim/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
@@ -104,6 +104,26 @@ public class RangerKafkaAuthorizer implements Authorizer {
 	}
 
 	@Override
+	public void close() {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> RangerKafkaAuthorizer.close()");
+		}
+
+		try {
+			activatePluginClassLoader();
+			
+			rangerKakfaAuthorizerImpl.close();
+		} finally {
+			deactivatePluginClassLoader();
+		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== RangerKafkaAuthorizer.close()");
+		}
+		
+	}
+
+	@Override
 	public boolean authorize(Session session, Operation operation,Resource resource) {	
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> RangerKafkaAuthorizer.authorize(Session, Operation, Resource)");
@@ -268,4 +288,4 @@ public class RangerKafkaAuthorizer implements Authorizer {
 		}
 	}
 		
-}
\ No newline at end of file
+}