Posted to commits@ranger.apache.org by al...@apache.org on 2016/03/03 01:07:04 UTC
[40/50] [abbrv] incubator-ranger git commit: RANGER-630 : Data
consistency across API and UI
RANGER-630 : Data consistency across API and UI
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/4d04a09c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/4d04a09c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/4d04a09c
Branch: refs/heads/HDP-2.3.2-groupid
Commit: 4d04a09c6c52d607528dcb2f9e1f130d3caed170
Parents: ff1ec7b
Author: Gautam Borad <gb...@gmail.com>
Authored: Tue Sep 15 13:50:35 2015 +0530
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Wed Sep 16 01:22:48 2015 -0400
----------------------------------------------------------------------
.../java/org/apache/ranger/biz/UserMgr.java | 73 +--
.../java/org/apache/ranger/biz/XAuditMgr.java | 73 ++-
.../java/org/apache/ranger/biz/XUserMgr.java | 278 +++++-----
.../org/apache/ranger/db/XXGroupUserDao.java | 21 +
.../org/apache/ranger/db/XXModuleDefDao.java | 38 ++
.../java/org/apache/ranger/rest/AssetREST.java | 15 +-
.../org/apache/ranger/rest/PublicAPIsv2.java | 2 +-
.../org/apache/ranger/rest/ServiceREST.java | 30 +-
.../java/org/apache/ranger/rest/UserREST.java | 13 +-
.../java/org/apache/ranger/rest/XAuditREST.java | 10 +-
.../java/org/apache/ranger/rest/XKeyREST.java | 10 +-
.../java/org/apache/ranger/rest/XUserREST.java | 114 +++-
.../ranger/security/context/RangerAPIList.java | 201 +++++++
.../security/context/RangerAPIMapping.java | 535 +++++++++++++++++++
.../context/RangerPreAuthSecurityHandler.java | 93 ++++
.../apache/ranger/service/XAuditMapService.java | 60 +++
.../apache/ranger/service/XPermMapService.java | 60 ++-
.../apache/ranger/service/XResourceService.java | 31 +-
.../resources/META-INF/jpa_named_queries.xml | 19 +
.../conf.dist/security-applicationContext.xml | 2 +
.../org/apache/ranger/audit/TestAuditQueue.java | 3 +-
.../java/org/apache/ranger/biz/TestUserMgr.java | 14 +-
.../org/apache/ranger/biz/TestXUserMgr.java | 9 +-
.../org/apache/ranger/rest/TestServiceREST.java | 2 +-
24 files changed, 1450 insertions(+), 256 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index 939ddc2..ff0ea01 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -139,22 +139,8 @@ public class UserMgr {
public XXPortalUser createUser(VXPortalUser userProfile, int userStatus,
Collection<String> userRoleList) {
- UserSessionBase session = ContextUtil.getCurrentUserSession();
- if (session != null) {
- if (!session.isUserAdmin()) {
- throw restErrorUtil.create403RESTException("User "
- + "creation denied. LoggedInUser="
- + (session != null ? session.getXXPortalUser().getId()
- : "Not Logged In")
- + " ,isn't permitted to perform the action.");
- }
- }else{
- VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
- vXResponse.setMsgDesc("Bad Credentials");
- throw restErrorUtil.generateRESTException(vXResponse);
- }
XXPortalUser user = mapVXPortalUserToXXPortalUser(userProfile);
+ checkAdminAccess();
user = createUser(user, userStatus, userRoleList);
return user;
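Review bot: The added `checkAdminAccess();` runs after `mapVXPortalUserToXXPortalUser(userProfile)`, so a caller who is about to be rejected still has their request body mapped first, whereas the removed block ran before any work was done. Make the check the first statement of this createUser overload: `checkAdminAccess();` then `XXPortalUser user = mapVXPortalUserToXXPortalUser(userProfile);`. The method signature starts inside the hunk, but its closing brace is outside it.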
@@ -366,6 +352,7 @@ public class UserMgr {
* @param vStrings
*/
public void setUserRoles(Long userId, List<VXString> vStringRolesList) {
+ checkAccess(userId);
List<String> stringRolesList = new ArrayList<String>();
for (VXString vXString : vStringRolesList) {
stringRolesList.add(vXString.getValue());
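Review bot: setUserRoles is guarded with `checkAccess(userId)` rather than `checkAdminAccess()`, and the definition of `checkAccess(Long)` is not visible in this diff. If it lets the owning user through, as `XUserMgr.checkAccess(String)` added later in this commit does, a non-admin could change their own role list. Role assignment looks like an admin-only operation, so `checkAdminAccess();` would be the safer guard here, or add a comment stating why self-service is intended. The body of setUserRoles continues outside the hunk.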
@@ -384,15 +371,7 @@ public class UserMgr {
String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
XXPortalUser gjUserCurrent = daoManager.getXXPortalUser()
.findByLoginId(currentUserLoginId);
-
- if (gjUserCurrent == null) {
- logger.info("changePassword(). Invalid user login id. userId="
- + currentUserLoginId);
- throw restErrorUtil.createRESTException(
- "serverMsg.userMgrInvalidUser",
- MessageEnums.DATA_NOT_FOUND, null, null, ""
- + currentUserLoginId);
- }
+ checkAccess(gjUserCurrent);
String encryptedOldPwd = encrypt(gjUserCurrent.getLoginId(),
pwdChange.getOldPassword());
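Review bot: The explicit `gjUserCurrent == null` handling is removed, and `gjUserCurrent.getLoginId()` is dereferenced on the very next line, so this path is only safe if `checkAccess(XXPortalUser)` rejects a null argument; that method is not shown in this diff. The removed block also logged the failed lookup and returned `MessageEnums.DATA_NOT_FOUND`, which is now lost. Either keep a null guard before the call or document on `checkAccess(XXPortalUser)` that it throws for null, for example `// checkAccess throws if the current login id no longer maps to a portal user`. The enclosing method starts and ends outside this hunk.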
@@ -480,7 +459,7 @@ public class UserMgr {
*/
public VXPortalUser changeEmailAddress(XXPortalUser gjUser,
VXPasswordChange changeEmail) {
-
+ checkAccess(gjUser);
if (gjUser.getEmailAddress() != null) {
throw restErrorUtil.createRESTException(
"serverMsg.userMgrEmailChange",
@@ -530,21 +509,7 @@ public class UserMgr {
* @param userId
*/
public VXPortalUser deactivateUser(XXPortalUser gjUser) {
- UserSessionBase session = ContextUtil.getCurrentUserSession();
- if (session != null) {
- if (!session.isUserAdmin()) {
- throw restErrorUtil.create403RESTException("deactivation of user"
- + " denied. LoggedInUser="
- + (session != null ? session.getXXPortalUser().getId()
- : "Not Logged In")
- + " ,isn't permitted to perform the action.");
- }
- }else{
- VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
- vXResponse.setMsgDesc("Bad Credentials");
- throw restErrorUtil.generateRESTException(vXResponse);
- }
+ checkAdminAccess();
if (gjUser != null
&& gjUser.getStatus() != RangerConstants.ACT_STATUS_DEACTIVATED) {
logger.info("Marking user " + gjUser.getLoginId() + " as deleted");
@@ -1121,6 +1086,7 @@ public class UserMgr {
}
public VXPortalUser createUser(VXPortalUser userProfile) {
+ checkAdminAccess();
XXPortalUser xXPortalUser = this.createUser(userProfile,
RangerCommonEnums.STATUS_ENABLED);
return mapXXPortalUserVXPortalUser(xXPortalUser);
@@ -1132,21 +1098,7 @@ public class UserMgr {
userProfile.setUserSource(RangerCommonEnums.USER_EXTERNAL);
}
// access control
- UserSessionBase session = ContextUtil.getCurrentUserSession();
- if (session != null) {
- if (!session.isUserAdmin()) {
- throw restErrorUtil.create403RESTException("User "
- + "creation denied. LoggedInUser="
- + session.getXXPortalUser().getId()
- + " ,isn't permitted to perform the action.");
-
- }
- }else{
- VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
- vXResponse.setMsgDesc("Bad Credentials");
- throw restErrorUtil.generateRESTException(vXResponse);
- }
+ checkAdminAccess();
logger.info("create:" + userProfile.getEmailAddress());
XXPortalUser xXPortalUser = null;
String loginId = userProfile.getLoginId();
@@ -1275,4 +1227,15 @@ public class UserMgr {
return xXPortalUser;
}
+
+ public void checkAdminAccess() {
+ UserSessionBase sess = ContextUtil.getCurrentUserSession();
+ if (sess != null) {
+ if (sess != null && sess.isUserAdmin()) {
+ return;
+ }
+ }
+ throw restErrorUtil.create403RESTException("Operation not allowed." + " loggedInUser=" + (sess != null ? sess.getXXPortalUser().getId() : "Not Logged In"));
+ }
+
}
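Review bot: This `checkAdminAccess()` answers a missing session with a 403, while the blocks it replaces in this file, and the `checkAdminAccess()` copies added to XAuditMgr and XUserMgr in the same commit, return `SC_UNAUTHORIZED` with "Bad Credentials". Clients and audit logs can then no longer tell "not authenticated" from "authenticated but not admin" for UserMgr operations. The nested `if (sess != null) { if (sess != null && ...` is also redundant and can be reduced to `if (sess != null && sess.isUserAdmin()) { return; }`. Since the same guard now exists three times with diverging behaviour, consider one shared helper with a Javadoc stating which status each case produces.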
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java
index d9812f9..02d725f 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java
@@ -19,13 +19,22 @@
package org.apache.ranger.biz;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.ranger.common.ContextUtil;
import org.apache.ranger.common.SearchCriteria;
+import org.apache.ranger.common.UserSessionBase;
import org.apache.ranger.solr.SolrAccessAuditsService;
import org.apache.ranger.view.VXAccessAudit;
import org.apache.ranger.view.VXAccessAuditList;
import org.apache.ranger.view.VXLong;
+import org.apache.ranger.view.VXResponse;
+import org.apache.ranger.view.VXTrxLog;
+import org.apache.ranger.view.VXTrxLogList;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+@Component
public class XAuditMgr extends XAuditMgrBase {
@Autowired
@@ -34,9 +43,68 @@ public class XAuditMgr extends XAuditMgrBase {
@Autowired
RangerBizUtil rangerBizUtil;
+ public VXTrxLog getXTrxLog(Long id) {
+ checkAdminAccess();
+ return super.getXTrxLog(id);
+ }
+
+ public VXTrxLog createXTrxLog(VXTrxLog vXTrxLog) {
+ checkAdminAccess();
+ return super.createXTrxLog(vXTrxLog);
+ }
+
+ public VXTrxLog updateXTrxLog(VXTrxLog vXTrxLog) {
+ checkAdminAccess();
+ return super.updateXTrxLog(vXTrxLog);
+ }
+
+ public void deleteXTrxLog(Long id, boolean force) {
+ checkAdminAccess();
+ super.deleteXTrxLog(id, force);
+ }
+
+ public VXTrxLogList searchXTrxLogs(SearchCriteria searchCriteria) {
+ checkAdminAccess();
+ return super.searchXTrxLogs(searchCriteria);
+ }
+
+ public VXLong getXTrxLogSearchCount(SearchCriteria searchCriteria) {
+ checkAdminAccess();
+ return super.getXTrxLogSearchCount(searchCriteria);
+ }
+
+ public VXAccessAudit createXAccessAudit(VXAccessAudit vXAccessAudit) {
+ checkAdminAccess();
+ return super.createXAccessAudit(vXAccessAudit);
+ }
+
+ public VXAccessAudit updateXAccessAudit(VXAccessAudit vXAccessAudit) {
+ checkAdminAccess();
+ return super.updateXAccessAudit(vXAccessAudit);
+ }
+
+ public void deleteXAccessAudit(Long id, boolean force) {
+ checkAdminAccess();
+ super.deleteXAccessAudit(id, force);
+ }
+
+ public void checkAdminAccess() {
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session != null) {
+ if (!session.isUserAdmin()) {
+ throw restErrorUtil.create403RESTException("Operation" + " denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "Not Logged In")
+ + " ,isn't permitted to perform the action.");
+ }
+ } else {
+ VXResponse vXResponse = new VXResponse();
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setMsgDesc("Bad Credentials");
+ throw restErrorUtil.generateRESTException(vXResponse);
+ }
+ }
+
@Override
public VXAccessAudit getXAccessAudit(Long id) {
- // TODO Auto-generated method stub
return super.getXAccessAudit(id);
}
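Review bot: The nine new guarded methods (`getXTrxLog` through `deleteXAccessAudit`) appear to override XAuditMgrBase methods, since each delegates to `super`, but none carries `@Override`, unlike `getXAccessAudit` directly below. Without the annotation, a later signature change in the base class would silently turn a guard into an unused overload, and callers would reach the unguarded base method. Add `@Override` to each. Separately, `getXAccessAudit` keeps no `checkAdminAccess()` call; if that is deliberate because the REST layer authorizes it, a one-line comment saying so would help. Inside `checkAdminAccess()` the `session != null ? ... : "Not Logged In"` ternary sits within the non-null branch, so its else arm is dead.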
@@ -52,8 +120,7 @@ public class XAuditMgr extends XAuditMgrBase {
@Override
public VXLong getXAccessAuditSearchCount(SearchCriteria searchCriteria) {
if (rangerBizUtil.getAuditDBType().equalsIgnoreCase("solr")) {
- return solrAccessAuditsService
- .getXAccessAuditSearchCount(searchCriteria);
+ return solrAccessAuditsService.getXAccessAuditSearchCount(searchCriteria);
} else {
return super.getXAccessAuditSearchCount(searchCriteria);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index 700caff..2413afb 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -20,7 +20,6 @@
package org.apache.ranger.biz;
import java.util.ArrayList;
-import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
@@ -37,6 +36,7 @@ import org.apache.ranger.entity.XXUserPermission;
import org.apache.ranger.service.XGroupPermissionService;
import org.apache.ranger.service.XModuleDefService;
import org.apache.ranger.service.XPortalUserService;
+import org.apache.ranger.service.XResourceService;
import org.apache.ranger.service.XUserPermissionService;
import org.apache.ranger.view.VXGroupPermission;
import org.apache.ranger.view.VXModuleDef;
@@ -49,24 +49,31 @@ import org.apache.ranger.common.SearchCriteria;
import org.apache.ranger.common.UserSessionBase;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.db.XXGroupUserDao;
+import org.apache.ranger.entity.XXAuditMap;
import org.apache.ranger.entity.XXGroup;
+import org.apache.ranger.entity.XXPermMap;
import org.apache.ranger.entity.XXPortalUser;
-import org.apache.ranger.entity.XXPortalUserRole;
import org.apache.ranger.entity.XXTrxLog;
import org.apache.ranger.entity.XXUser;
import org.apache.ranger.service.XGroupService;
import org.apache.ranger.service.XUserService;
+import org.apache.ranger.view.VXAuditMapList;
import org.apache.ranger.view.VXGroup;
+import org.apache.ranger.view.VXGroupGroup;
import org.apache.ranger.view.VXGroupList;
import org.apache.ranger.view.VXGroupUser;
import org.apache.ranger.view.VXGroupUserList;
+import org.apache.ranger.view.VXLong;
+import org.apache.ranger.view.VXPermMapList;
import org.apache.ranger.view.VXPortalUser;
import org.apache.ranger.view.VXUser;
import org.apache.ranger.view.VXUserGroupInfo;
import org.apache.ranger.view.VXUserList;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
+
import javax.servlet.http.HttpServletResponse;
+
import org.apache.ranger.view.VXResponse;
@Component
public class XUserMgr extends XUserMgrBase {
@@ -100,25 +107,14 @@ public class XUserMgr extends XUserMgrBase {
@Autowired
XPortalUserService xPortalUserService;
+
+ @Autowired
+ XResourceService xResourceService;
static final Logger logger = Logger.getLogger(XUserMgr.class);
public void deleteXGroup(Long id, boolean force) {
- UserSessionBase session = ContextUtil.getCurrentUserSession();
- if (session != null) {
- if (!session.isUserAdmin()) {
- throw restErrorUtil.create403RESTException("deletion of group"
- + " denied. LoggedInUser="
- + (session != null ? session.getXXPortalUser().getId()
- : "Not Logged In")
- + " ,isn't permitted to perform the action.");
- }
- }else{
- VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
- vXResponse.setMsgDesc("Bad Credentials");
- throw restErrorUtil.generateRESTException(vXResponse);
- }
+ checkAdminAccess();
if (force) {
SearchCriteria searchCriteria = new SearchCriteria();
searchCriteria.addParam("xGroupId", id);
@@ -139,21 +135,7 @@ public class XUserMgr extends XUserMgrBase {
}
public void deleteXUser(Long id, boolean force) {
- UserSessionBase session = ContextUtil.getCurrentUserSession();
- if (session != null) {
- if (!session.isUserAdmin()) {
- throw restErrorUtil.create403RESTException("deletion of user"
- + " denied. LoggedInUser="
- + (session != null ? session.getXXPortalUser().getId()
- : "Not Logged In")
- + " ,isn't permitted to perform the action.");
- }
- }else{
- VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
- vXResponse.setMsgDesc("Bad Credentials");
- throw restErrorUtil.generateRESTException(vXResponse);
- }
+ checkAdminAccess();
if (force) {
SearchCriteria searchCriteria = new SearchCriteria();
searchCriteria.addParam("xUserId", id);
@@ -185,21 +167,7 @@ public class XUserMgr extends XUserMgrBase {
}
public VXUser createXUser(VXUser vXUser) {
- UserSessionBase session = ContextUtil.getCurrentUserSession();
- if (session != null) {
- if (!session.isUserAdmin()) {
- throw restErrorUtil.create403RESTException("creation of user"
- + " denied. LoggedInUser="
- + (session != null ? session.getXXPortalUser().getId()
- : "Not Logged In")
- + " ,isn't permitted to perform the action.");
- }
- }else{
- VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
- vXResponse.setMsgDesc("Bad Credentials");
- throw restErrorUtil.generateRESTException(vXResponse);
- }
+ checkAdminAccess();
String userName = vXUser.getName();
if (userName == null || userName.isEmpty()) {
throw restErrorUtil.createRESTException("Please provide a valid "
@@ -256,7 +224,6 @@ public class XUserMgr extends XUserMgrBase {
}
// Assigning Permission
- @SuppressWarnings("unused")
public void assignPermissionToUser(VXPortalUser vXPortalUser,
boolean isCreate) {
HashMap<String, Long> moduleNameId = getModelNames();
@@ -336,7 +303,6 @@ public class XUserMgr extends XUserMgrBase {
}
- @SuppressWarnings("unused")
public HashMap<String, Long> getModelNames() {
List<XXModuleDef> xxModuleDefs = daoManager.getXXModuleDef()
.findModuleNamesWithIds();
@@ -369,6 +335,10 @@ public class XUserMgr extends XUserMgrBase {
}
public VXUser updateXUser(VXUser vXUser) {
+ if (vXUser == null || vXUser.getName() == null || vXUser.getName().trim().isEmpty()) {
+ throw restErrorUtil.createRESTException("Please provide a valid " + "username.", MessageEnums.INVALID_INPUT_DATA);
+ }
+ checkAccess(vXUser.getName());
VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser
.getName());
VXPortalUser vXPortalUser = new VXPortalUser();
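Review bot: `checkAccess(vXUser.getName())` lets a non-admin caller through when the name matches their own login (see `checkAccess(String)` added at the end of this file), so the remainder of updateXUser, which lies outside this hunk, has to ignore or reject role, group and status changes on self-updates; nothing visible here enforces that. The new validation also tests `vXUser.getName().trim()`, but the untrimmed value is what is passed to `checkAccess` and `getUserProfileByLoginId`, so a padded name passes validation and is then compared and looked up as-is. Normalise once, e.g. `String loginId = vXUser.getName().trim();`, and use that for both calls.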
@@ -522,21 +492,7 @@ public class XUserMgr extends XUserMgrBase {
public VXUserGroupInfo createXUserGroupFromMap(
VXUserGroupInfo vXUserGroupInfo) {
- UserSessionBase session = ContextUtil.getCurrentUserSession();
- if (session != null) {
- if (!session.isUserAdmin()) {
- throw restErrorUtil.create403RESTException("User group "
- + "creation denied. LoggedInUser="
- + (session != null ? session.getXXPortalUser().getId()
- : "Not Logged In")
- + " ,isn't permitted to perform the action.");
- }
- }else{
- VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
- vXResponse.setMsgDesc("Bad Credentials");
- throw restErrorUtil.generateRESTException(vXResponse);
- }
+ checkAdminAccess();
VXUserGroupInfo vxUGInfo = new VXUserGroupInfo();
VXUser vXUser = vXUserGroupInfo.getXuserInfo();
@@ -563,41 +519,12 @@ public class XUserMgr extends XUserMgrBase {
}
public VXUser createXUserWithOutLogin(VXUser vXUser) {
- UserSessionBase session = ContextUtil.getCurrentUserSession();
- if (session != null) {
- if (!session.isUserAdmin()) {
- throw restErrorUtil.create403RESTException("creation of user"
- + " denied. LoggedInUser="
- + (session != null ? session.getXXPortalUser().getId()
- : "Not Logged In")
- + " ,isn't permitted to perform the action.");
- }
- }else{
- VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
- vXResponse.setMsgDesc("Bad Credentials");
- throw restErrorUtil.generateRESTException(vXResponse);
- }
+ checkAdminAccess();
return xUserService.createXUserWithOutLogin(vXUser);
}
public VXGroup createXGroup(VXGroup vXGroup) {
- UserSessionBase session = ContextUtil.getCurrentUserSession();
- if (session != null) {
- if (!session.isUserAdmin()) {
- throw restErrorUtil.create403RESTException("creation of group"
- + " denied. LoggedInUser="
- + (session != null ? session.getXXPortalUser().getId()
- : "Not Logged In")
- + " ,isn't permitted to perform the action.");
- }
- }else{
- VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
- vXResponse.setMsgDesc("Bad Credentials");
- throw restErrorUtil.generateRESTException(vXResponse);
- }
- // FIXME Just a hack
+ checkAdminAccess();
if (vXGroup.getDescription() == null) {
vXGroup.setDescription(vXGroup.getName());
}
@@ -610,40 +537,12 @@ public class XUserMgr extends XUserMgrBase {
}
public VXGroup createXGroupWithoutLogin(VXGroup vXGroup) {
- UserSessionBase session = ContextUtil.getCurrentUserSession();
- if (session != null) {
- if (!session.isUserAdmin()) {
- throw restErrorUtil.create403RESTException("creation of group"
- + " denied. LoggedInUser="
- + (session != null ? session.getXXPortalUser().getId()
- : "Not Logged In")
- + " ,isn't permitted to perform the action.");
- }
- }else{
- VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
- vXResponse.setMsgDesc("Bad Credentials");
- throw restErrorUtil.generateRESTException(vXResponse);
- }
+ checkAdminAccess();
return xGroupService.createXGroupWithOutLogin(vXGroup);
}
public VXGroupUser createXGroupUser(VXGroupUser vXGroupUser) {
- UserSessionBase session = ContextUtil.getCurrentUserSession();
- if (session != null) {
- if (!session.isUserAdmin()) {
- throw restErrorUtil.create403RESTException("creation of group"
- + " denied. LoggedInUser="
- + (session != null ? session.getXXPortalUser().getId()
- : "Not Logged In")
- + " ,isn't permitted to perform the action.");
- }
- }else{
- VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
- vXResponse.setMsgDesc("Bad Credentials");
- throw restErrorUtil.generateRESTException(vXResponse);
- }
+ checkAdminAccess();
vXGroupUser = xGroupUserService
.createXGroupUserWithOutLogin(vXGroupUser);
return vXGroupUser;
@@ -690,21 +589,7 @@ public class XUserMgr extends XUserMgrBase {
*/
public void deleteXGroupAndXUser(String groupName, String userName) {
- UserSessionBase session = ContextUtil.getCurrentUserSession();
- if (session != null) {
- if (!session.isUserAdmin()) {
- throw restErrorUtil.create403RESTException("User "
- + "deletion denied. LoggedInUser="
- + (session != null ? session.getXXPortalUser().getId()
- : "Not Logged In")
- + " ,isn't permitted to perform the action.");
- }
- }else{
- VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
- vXResponse.setMsgDesc("Bad Credentials");
- throw restErrorUtil.generateRESTException(vXResponse);
- }
+ checkAdminAccess();
VXGroup vxGroup = xGroupService.getGroupByGroupName(groupName);
VXUser vxUser = xUserService.getXUserByUserName(userName);
SearchCriteria searchCriteria = new SearchCriteria();
@@ -807,6 +692,7 @@ public class XUserMgr extends XUserMgrBase {
@Override
public VXGroup updateXGroup(VXGroup vXGroup) {
+ checkAdminAccess();
XXGroup xGroup = daoManager.getXXGroup().getById(vXGroup.getId());
List<XXTrxLog> trxLogList = xGroupService.getTransactionLog(vXGroup,
xGroup, "update");
@@ -814,8 +700,77 @@ public class XUserMgr extends XUserMgrBase {
vXGroup = (VXGroup) xGroupService.updateResource(vXGroup);
return vXGroup;
}
+ public VXGroupUser updateXGroupUser(VXGroupUser vXGroupUser) {
+ checkAdminAccess();
+ return super.updateXGroupUser(vXGroupUser);
+ }
+
+ public void deleteXGroupUser(Long id, boolean force) {
+ checkAdminAccess();
+ super.deleteXGroupUser(id, force);
+ }
+
+ public VXGroupGroup createXGroupGroup(VXGroupGroup vXGroupGroup){
+ checkAdminAccess();
+ return super.createXGroupGroup(vXGroupGroup);
+ }
+
+ public VXGroupGroup updateXGroupGroup(VXGroupGroup vXGroupGroup) {
+ checkAdminAccess();
+ return super.updateXGroupGroup(vXGroupGroup);
+ }
+
+ public void deleteXGroupGroup(Long id, boolean force) {
+ checkAdminAccess();
+ super.deleteXGroupGroup(id, force);
+ }
+
+ public void deleteXPermMap(Long id, boolean force) {
+ if (force) {
+ XXPermMap xPermMap = daoManager.getXXPermMap().getById(id);
+ if (xPermMap != null) {
+ if (xResourceService.readResource(xPermMap.getResourceId()) == null) {
+ throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + xPermMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+ }
+ }
+
+ xPermMapService.deleteResource(id);
+ } else {
+ throw restErrorUtil.createRESTException("serverMsg.modelMgrBaseDeleteModel", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
+ }
+ }
+
+ public VXLong getXPermMapSearchCount(SearchCriteria searchCriteria) {
+ VXPermMapList permMapList = xPermMapService.searchXPermMaps(searchCriteria);
+ VXLong vXLong = new VXLong();
+ vXLong.setValue(permMapList.getListSize());
+ return vXLong;
+ }
+
+ public void deleteXAuditMap(Long id, boolean force) {
+ if (force) {
+ XXAuditMap xAuditMap = daoManager.getXXAuditMap().getById(id);
+ if (xAuditMap != null) {
+ if (xResourceService.readResource(xAuditMap.getResourceId()) == null) {
+ throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + xAuditMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+ }
+ }
+
+ xAuditMapService.deleteResource(id);
+ } else {
+ throw restErrorUtil.createRESTException("serverMsg.modelMgrBaseDeleteModel", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
+ }
+ }
+
+ public VXLong getXAuditMapSearchCount(SearchCriteria searchCriteria) {
+ VXAuditMapList auditMapList = xAuditMapService.searchXAuditMaps(searchCriteria);
+ VXLong vXLong = new VXLong();
+ vXLong.setValue(auditMapList.getListSize());
+ return vXLong;
+ }
public void modifyUserVisibility(HashMap<Long, Integer> visibilityMap) {
+ checkAdminAccess();
Set<Map.Entry<Long, Integer>> entries = visibilityMap.entrySet();
for (Map.Entry<Long, Integer> entry : entries) {
XXUser xUser = daoManager.getXXUser().getById(entry.getKey());
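Review bot: `deleteXPermMap` and `deleteXAuditMap` are the only mutating methods added in this hunk without a caller check; the group-user and group-group methods beside them all start with `checkAdminAccess()`. The `xResourceService.readResource(...) == null` test only confirms the resource exists, and when `getById(id)` returns null the code still goes on to `deleteResource(id)`. If authorization for these is meant to come from the REST layer, which is not visible in this part of the diff, say so in a comment; otherwise add a guard such as `checkAdminAccess();` or a resource-level permission check as the first statement of both methods. `getXPermMapSearchCount` and `getXAuditMapSearchCount` are likewise unguarded, and they load the full result list only to read its size.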
@@ -826,6 +781,7 @@ public class XUserMgr extends XUserMgrBase {
}
public void modifyGroupsVisibility(HashMap<Long, Integer> groupVisibilityMap) {
+ checkAdminAccess();
Set<Map.Entry<Long, Integer>> entries = groupVisibilityMap.entrySet();
for (Map.Entry<Long, Integer> entry : entries) {
XXGroup xGroup = daoManager.getXXGroup().getById(entry.getKey());
@@ -878,6 +834,7 @@ public class XUserMgr extends XUserMgrBase {
// Module permissions
public VXModuleDef createXModuleDefPermission(VXModuleDef vXModuleDef) {
+ checkAdminAccess();
return xModuleDefService.createResource(vXModuleDef);
}
@@ -886,6 +843,7 @@ public class XUserMgr extends XUserMgrBase {
}
public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) {
+ checkAdminAccess();
List<VXGroupPermission> groupPermListNew = vXModuleDef
.getGroupPermList();
List<VXUserPermission> userPermListNew = vXModuleDef.getUserPermList();
@@ -970,12 +928,14 @@ public class XUserMgr extends XUserMgrBase {
}
public void deleteXModuleDefPermission(Long id, boolean force) {
+ checkAdminAccess();
xModuleDefService.deleteResource(id);
}
// User permission
public VXUserPermission createXUserPermission(
VXUserPermission vXUserPermission) {
+ checkAdminAccess();
return xUserPermissionService.createResource(vXUserPermission);
}
@@ -985,17 +945,19 @@ public class XUserMgr extends XUserMgrBase {
public VXUserPermission updateXUserPermission(
VXUserPermission vXUserPermission) {
-
+ checkAdminAccess();
return xUserPermissionService.updateResource(vXUserPermission);
}
public void deleteXUserPermission(Long id, boolean force) {
+ checkAdminAccess();
xUserPermissionService.deleteResource(id);
}
// Group permission
public VXGroupPermission createXGroupPermission(
VXGroupPermission vXGroupPermission) {
+ checkAdminAccess();
return xGroupPermissionService.createResource(vXGroupPermission);
}
@@ -1005,14 +967,17 @@ public class XUserMgr extends XUserMgrBase {
public VXGroupPermission updateXGroupPermission(
VXGroupPermission vXGroupPermission) {
+ checkAdminAccess();
return xGroupPermissionService.updateResource(vXGroupPermission);
}
public void deleteXGroupPermission(Long id, boolean force) {
+ checkAdminAccess();
xGroupPermissionService.deleteResource(id);
}
public void modifyUserActiveStatus(HashMap<Long, Integer> statusMap) {
+ checkAdminAccess();
UserSessionBase session = ContextUtil.getCurrentUserSession();
String currentUser=null;
if(session!=null){
@@ -1040,4 +1005,35 @@ public class XUserMgr extends XUserMgrBase {
}
}
}
+
+ public void checkAdminAccess() {
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session != null) {
+ if (!session.isUserAdmin()) {
+ throw restErrorUtil.create403RESTException("Operation" + " denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "Not Logged In")
+ + " ,isn't permitted to perform the action.");
+ }
+ } else {
+ VXResponse vXResponse = new VXResponse();
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setMsgDesc("Bad Credentials");
+ throw restErrorUtil.generateRESTException(vXResponse);
+ }
+ }
+
+ public void checkAccess(String loginID) {
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session != null) {
+ if (!session.isUserAdmin() && !session.isKeyAdmin() && !session.getLoginId().equalsIgnoreCase(loginID)) {
+ throw restErrorUtil.create403RESTException("Operation" + " denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "Not Logged In")
+ + " ,isn't permitted to perform the action.");
+ }
+ } else {
+ VXResponse vXResponse = new VXResponse();
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setMsgDesc("Bad Credentials");
+ throw restErrorUtil.generateRESTException(vXResponse);
+ }
+ }
+
}
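Review bot: `checkAccess(String)` treats the caller as the owner via `session.getLoginId().equalsIgnoreCase(loginID)`, which is only safe if login ids are unique case-insensitively in the user store; if two accounts may differ only by case, one could pass this check for the other. Use `equals`, or document the uniqueness guarantee next to the comparison. The check also throws a NullPointerException rather than a 403 if `session.getLoginId()` is null, which `loginID.equalsIgnoreCase(...)` on the already validated argument or an explicit null test would avoid. In both new methods the `session != null ? ... : "Not Logged In"` ternary is inside the non-null branch, so the fallback text can never appear.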
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java
index 9f5abfb..104e188 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java
@@ -60,4 +60,25 @@ public class XXGroupUserDao extends BaseDao<XXGroupUser> {
}
return null;
}
+
+ /**
+ * @param xUserId
+ * -- Id of X_USER table
+ * @return
+ */
+ @SuppressWarnings("unchecked")
+ public List<Long> findGroupIdListByUserId(Long xUserId) {
+ if (xUserId != null) {
+ try {
+ return getEntityManager().createNamedQuery("XXGroupUser.findGroupIdListByUserId").setParameter("xUserId", xUserId).getResultList();
+ } catch (NoResultException e) {
+ logger.debug(e.getMessage());
+ }
+ } else {
+ logger.debug("UserId not provided.");
+ return new ArrayList<Long>();
+ }
+ return null;
+ }
+
}
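Review bot: `findGroupIdListByUserId` returns an empty list for a null id but `null` after the catch block, so callers have to handle two different "nothing found" results from a method that feeds permission lookups. `getResultList()` returns an empty list when nothing matches and does not throw `NoResultException`, so the catch is effectively dead here and also in `findAccessibleModulesByGroupIdList` and `findAccessibleModulesByUserId` added to XXModuleDefDao in this commit. Return `new ArrayList<Long>()` on every non-success path and drop the trailing `return null;`. The Javadoc `@return` tag is empty; it should state that an empty list means the user belongs to no groups.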
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java
index 611eaf8..fa2b3d9 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java
@@ -22,7 +22,9 @@ import java.util.List;
import javax.persistence.NoResultException;
+import org.apache.commons.collections.CollectionUtils;
import org.apache.log4j.Logger;
+import org.apache.ranger.common.RangerCommonEnums;
import org.apache.ranger.common.db.BaseDao;
import org.apache.ranger.entity.XXModuleDef;
@@ -115,4 +117,40 @@ public class XXModuleDefDao extends BaseDao<XXModuleDef>{
return null;
}
}
+
+ @SuppressWarnings("unchecked")
+ public List<String> findAccessibleModulesByGroupIdList(List<Long> grpIdList) {
+ if (CollectionUtils.isEmpty(grpIdList)) {
+ return new ArrayList<String>();
+ }
+ try {
+ return getEntityManager().createNamedQuery("XXModuleDef.findAccessibleModulesByGroupId").setParameter("grpIdList", grpIdList)
+ .setParameter("isAllowed", RangerCommonEnums.ACCESS_RESULT_ALLOWED).getResultList();
+ } catch (NoResultException e) {
+ return new ArrayList<String>();
+ }
+ }
+
+ /**
+ * @param portalUserId
+ * @param xUserId
+ * @return This function will return all the modules accessible for particular user, considering all the groups as well in which that user belongs
+ */
+ @SuppressWarnings("unchecked")
+ public List<String> findAccessibleModulesByUserId(Long portalUserId, Long xUserId) {
+ if (portalUserId == null || xUserId == null) {
+ return new ArrayList<String>();
+ }
+ try {
+
+ List<String> userPermList = getEntityManager().createNamedQuery("XXModuleDef.findAllAccessibleModulesByUserId").setParameter("portalUserId", portalUserId)
+ .setParameter("xUserId", xUserId).setParameter("isAllowed", RangerCommonEnums.ACCESS_RESULT_ALLOWED).getResultList();
+
+ return userPermList;
+
+ } catch (NoResultException e) {
+ return new ArrayList<String>();
+ }
+ }
+
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
index e5de160..19dbfaa 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
@@ -56,6 +56,7 @@ import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.SearchFilter;
import org.apache.ranger.plugin.util.ServicePolicies;
+import org.apache.ranger.security.context.RangerAPIList;
import org.apache.ranger.service.XAccessAuditService;
import org.apache.ranger.service.XAgentService;
import org.apache.ranger.service.XAssetService;
@@ -137,6 +138,7 @@ public class AssetREST {
@GET
@Path("/assets/{id}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_ASSET + "\")")
public VXAsset getXAsset(@PathParam("id") Long id) {
if(logger.isDebugEnabled()) {
logger.debug("==> AssetREST.getXAsset(" + id + ")");
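Review bot: The guard added on `getXAsset` is a SpEL string, so the bean name `rangerPreAuthSecurityHandler`, the method `isAPIAccessible` and the hand-escaped quotes around `RangerAPIList.GET_X_ASSET` are only checked when the endpoint is first called, not at compile time. The same expression is repeated on every endpoint this commit annotates in AssetREST, ServiceREST, UserREST, XAuditREST, XKeyREST and XUserREST. A test that calls each annotated method once as a permitted and once as a non-permitted user would catch a broken expression or a wrong API name. A comment above the first use would also help, for example `// access is decided per API name by the rangerPreAuthSecurityHandler bean; see RangerAPIMapping for the name-to-module table` (the role of RangerAPIMapping is inferred from its name). The method body continues outside the hunk.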
@@ -156,6 +158,7 @@ public class AssetREST {
@POST
@Path("/assets")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_ASSET + "\")")
public VXAsset createXAsset(VXAsset vXAsset) {
if(logger.isDebugEnabled()) {
logger.debug("==> AssetREST.createXAsset(" + vXAsset + ")");
@@ -177,6 +180,7 @@ public class AssetREST {
@PUT
@Path("/assets/{id}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_ASSET + "\")")
public VXAsset updateXAsset(VXAsset vXAsset) {
if(logger.isDebugEnabled()) {
logger.debug("==> AssetREST.updateXAsset(" + vXAsset + ")");
@@ -197,8 +201,8 @@ public class AssetREST {
@DELETE
@Path("/assets/{id}")
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
@RangerAnnotationClassName(class_name = VXAsset.class)
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_ASSET + "\")")
public void deleteXAsset(@PathParam("id") Long id,
@Context HttpServletRequest request) {
if(logger.isDebugEnabled()) {
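Review bot: `deleteXAsset` loses its explicit `hasRole('ROLE_SYS_ADMIN')` gate and now depends only on `isAPIAccessible(DELETE_X_ASSET)`, whose decision logic is not visible in this part of the diff. The same swap is made for the service-definition and service create/update/delete endpoints in ServiceREST, for `searchUsers`, `create`, `createDefaultAccountUser` and `deactivateUser` in UserREST, and for `deleteXTrxLog` in XAuditREST. If these are meant to stay administrator-only, confirm it against the mapping behind `isAPIAccessible`, or keep the role test in the expression, e.g. `@PreAuthorize("hasRole('ROLE_SYS_ADMIN') and @rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_ASSET + "\")")`. A negative test with a non-admin user who holds the relevant module permission would document the intended outcome. The method body continues outside the hunk.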
@@ -215,6 +219,7 @@ public class AssetREST {
@POST
@Path("/assets/testConfig")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.TEST_CONFIG + "\")")
public VXResponse testConfig(VXAsset vXAsset) {
if(logger.isDebugEnabled()) {
logger.debug("==> AssetREST.testConfig(" + vXAsset + ")");
@@ -234,6 +239,7 @@ public class AssetREST {
@GET
@Path("/assets")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_ASSETS + "\")")
public VXAssetList searchXAssets(@Context HttpServletRequest request) {
if(logger.isDebugEnabled()) {
logger.debug("==> AssetREST.searchXAssets()");
@@ -269,6 +275,7 @@ public class AssetREST {
@GET
@Path("/assets/count")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_ASSETS + "\")")
public VXLong countXAssets(@Context HttpServletRequest request) {
if(logger.isDebugEnabled()) {
logger.debug("==> AssetREST.countXAssets()");
@@ -547,8 +554,10 @@ public class AssetREST {
@GET
@Path("/exportAudit")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_POLICY_EXPORT_AUDITS + "\")")
public VXPolicyExportAuditList searchXPolicyExportAudits(
@Context HttpServletRequest request) {
+
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xPolicyExportAudits.sortFields);
searchUtil.extractString(request, searchCriteria, "agentId",
@@ -572,7 +581,9 @@ public class AssetREST {
@GET
@Path("/report")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_REPORT_LOGS + "\")")
public VXTrxLogList getReportLogs(@Context HttpServletRequest request){
+
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xTrxLogService.sortFields);
searchUtil.extractInt(request, searchCriteria, "objectClassType", "Class type for report.");
@@ -592,6 +603,7 @@ public class AssetREST {
@GET
@Path("/report/{transactionId}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_TRANSACTION_REPORT + "\")")
public VXTrxLogList getTransactionReport(@Context HttpServletRequest request,
@PathParam("transactionId") String transactionId){
return assetMgr.getTransactionReport(transactionId);
@@ -600,6 +612,7 @@ public class AssetREST {
@GET
@Path("/accessAudit")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_ACCESS_LOGS + "\")")
public VXAccessAuditList getAccessLogs(@Context HttpServletRequest request){
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xAccessAuditService.sortFields);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
index 059f787..2c30daa 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
@@ -312,7 +312,7 @@ public class PublicAPIsv2 {
@Produces({ "application/json", "application/xml" })
public List<RangerPolicy> searchPolicies(@PathParam("servicename") String serviceName,
@Context HttpServletRequest request) {
- return serviceREST.getServicePolicies(serviceName, request).getPolicies();
+ return serviceREST.getServicePoliciesByName(serviceName, request).getPolicies();
}
@POST
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 3d2e8b0..f523d67 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -49,6 +49,7 @@ import org.apache.ranger.biz.RangerBizUtil;
import org.apache.ranger.biz.ServiceDBStore;
import org.apache.ranger.biz.ServiceMgr;
import org.apache.ranger.biz.XUserMgr;
+import org.apache.ranger.common.AppConstants;
import org.apache.ranger.common.GUIDUtil;
import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.RESTErrorUtil;
@@ -81,6 +82,8 @@ import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.SearchFilter;
import org.apache.ranger.plugin.util.ServicePolicies;
+import org.apache.ranger.security.context.RangerAPIList;
+import org.apache.ranger.security.context.RangerPreAuthSecurityHandler;
import org.apache.ranger.service.RangerPolicyService;
import org.apache.ranger.service.RangerServiceDefService;
import org.apache.ranger.service.RangerServiceService;
@@ -151,11 +154,10 @@ public class ServiceREST {
public ServiceREST() {
}
-
@POST
@Path("/definitions")
@Produces({ "application/json", "application/xml" })
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_SERVICE_DEF + "\")")
public RangerServiceDef createServiceDef(RangerServiceDef serviceDef) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.createServiceDef(" + serviceDef + ")");
@@ -189,7 +191,7 @@ public class ServiceREST {
@PUT
@Path("/definitions/{id}")
@Produces({ "application/json", "application/xml" })
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_SERVICE_DEF + "\")")
public RangerServiceDef updateServiceDef(RangerServiceDef serviceDef) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.updateServiceDef(" + serviceDef + ")");
@@ -223,7 +225,7 @@ public class ServiceREST {
@DELETE
@Path("/definitions/{id}")
@Produces({ "application/json", "application/xml" })
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_SERVICE_DEF + "\")")
public void deleteServiceDef(@PathParam("id") Long id, @Context HttpServletRequest request) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.deleteServiceDef(" + id + ")");
@@ -260,6 +262,7 @@ public class ServiceREST {
@GET
@Path("/definitions/{id}")
@Produces({ "application/json", "application/xml" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEF + "\")")
public RangerServiceDef getServiceDef(@PathParam("id") Long id) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.getServiceDef(" + id + ")");
@@ -298,6 +301,7 @@ public class ServiceREST {
@GET
@Path("/definitions/name/{name}")
@Produces({ "application/json", "application/xml" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEF_BY_NAME + "\")")
public RangerServiceDef getServiceDefByName(@PathParam("name") String name) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.getServiceDefByName(" + name + ")");
@@ -338,6 +342,7 @@ public class ServiceREST {
@GET
@Path("/definitions")
@Produces({ "application/json", "application/xml" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEFS + "\")")
public RangerServiceDefList getServiceDefs(@Context HttpServletRequest request) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.getServiceDefs()");
@@ -366,7 +371,7 @@ public class ServiceREST {
@POST
@Path("/services")
@Produces({ "application/json", "application/xml" })
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_SERVICE + "\")")
public RangerService createService(RangerService service) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.createService(" + service + ")");
@@ -405,7 +410,7 @@ public class ServiceREST {
@PUT
@Path("/services/{id}")
@Produces({ "application/json", "application/xml" })
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_SERVICE + "\")")
public RangerService updateService(RangerService service) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.updateService(): " + service);
@@ -444,7 +449,7 @@ public class ServiceREST {
@DELETE
@Path("/services/{id}")
@Produces({ "application/json", "application/xml" })
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_SERVICE + "\")")
public void deleteService(@PathParam("id") Long id) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.deleteService(" + id + ")");
@@ -480,6 +485,7 @@ public class ServiceREST {
@GET
@Path("/services/{id}")
@Produces({ "application/json", "application/xml" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE + "\")")
public RangerService getService(@PathParam("id") Long id) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.getService(" + id + ")");
@@ -511,6 +517,7 @@ public class ServiceREST {
@GET
@Path("/services/name/{name}")
@Produces({ "application/json", "application/xml" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_BY_NAME + "\")")
public RangerService getServiceByName(@PathParam("name") String name) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.getServiceByName(" + name + ")");
@@ -542,6 +549,7 @@ public class ServiceREST {
@GET
@Path("/services")
@Produces({ "application/json", "application/xml" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICES + "\")")
public RangerServiceList getServices(@Context HttpServletRequest request) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.getServices()");
@@ -595,6 +603,7 @@ public class ServiceREST {
@GET
@Path("/services/count")
@Produces({ "application/json", "application/xml" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_SERVICES + "\")")
public Long countServices(@Context HttpServletRequest request) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.countServices():");
@@ -624,6 +633,7 @@ public class ServiceREST {
@POST
@Path("/services/validateConfig")
@Produces({ "application/json", "application/xml" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.VALIDATE_CONFIG + "\")")
public VXResponse validateConfig(RangerService service) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.validateConfig(" + service + ")");
@@ -651,6 +661,7 @@ public class ServiceREST {
@POST
@Path("/services/lookupResource/{serviceName}")
@Produces({ "application/json", "application/xml" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.LOOKUP_RESOURCE + "\")")
public List<String> lookupResource(@PathParam("serviceName") String serviceName, ResourceLookupContext context) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.lookupResource(" + serviceName + ")");
@@ -1196,7 +1207,7 @@ public class ServiceREST {
@GET
@Path("/policies/service/name/{name}")
@Produces({ "application/json", "application/xml" })
- public RangerPolicyList getServicePolicies(@PathParam("name") String serviceName,
+ public RangerPolicyList getServicePoliciesByName(@PathParam("name") String serviceName,
@Context HttpServletRequest request) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.getServicePolicies(" + serviceName + ")");
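Review bot: The debug message on the last line of this hunk still prints `ServiceREST.getServicePolicies(` although the method is now `getServicePoliciesByName`, so log output no longer matches the code. Change it to `LOG.debug("==> ServiceREST.getServicePoliciesByName(" + serviceName + ")");` and check the matching exit message, which is outside the hunk. In the lines shown, this method also gets no `@PreAuthorize`, unlike the neighbouring endpoints changed in this file. If that is deliberate, a short comment saying where access to the returned policies is enforced would help.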
@@ -1464,6 +1475,7 @@ public class ServiceREST {
@GET
@Path("/policies/eventTime")
@Produces({ "application/json", "application/xml" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_POLICY_FROM_EVENT_TIME + "\")")
public RangerPolicy getPolicyFromEventTime(@Context HttpServletRequest request) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.getPolicyFromEventTime()");
@@ -1490,6 +1502,7 @@ public class ServiceREST {
@GET
@Path("/policy/{policyId}/versionList")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_POLICY_VERSION_LIST + "\")")
public VXString getPolicyVersionList(@PathParam("policyId") Long policyId) {
return svcStore.getPolicyVersionList(policyId);
}
@@ -1497,6 +1510,7 @@ public class ServiceREST {
@GET
@Path("/policy/{policyId}/version/{versionNo}")
@Produces({ "application/json", "application/xml" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_POLICY_FOR_VERSION_NO + "\")")
public RangerPolicy getPolicyForVersionNumber(@PathParam("policyId") Long policyId,
@PathParam("versionNo") int versionNo) {
return svcStore.getPolicyForVersionNumber(policyId, versionNo);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
index a9d0059..4c5e890 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
@@ -45,6 +45,8 @@ import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName;
import org.apache.ranger.common.annotation.RangerAnnotationRestAPI;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.entity.XXPortalUser;
+import org.apache.ranger.security.context.RangerAPIList;
+import org.apache.ranger.security.context.RangerPreAuthSecurityHandler;
import org.apache.ranger.util.RangerRestUtil;
import org.apache.ranger.view.VXPasswordChange;
import org.apache.ranger.view.VXPortalUser;
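Review bot: The added import of `RangerPreAuthSecurityHandler` appears unused in this file. Every new annotation refers to the handler by bean name inside the SpEL string, not by class, and none of the changed lines in UserREST references the type. The same import is added to XKeyREST, and to ServiceREST and XUserREST where hunks outside this view may use it. Dropping `import org.apache.ranger.security.context.RangerPreAuthSecurityHandler;` wherever nothing references the class avoids an unused-import warning.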
@@ -99,7 +101,7 @@ public class UserREST {
*/
@GET
@Produces({ "application/xml", "application/json" })
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_USERS + "\")")
public VXPortalUserList searchUsers(@Context HttpServletRequest request) {
String[] approvedSortByParams = new String[] { "requestDate",
"approvedDate", "activationDate", "emailAddress", "firstName",
@@ -150,6 +152,7 @@ public class UserREST {
@GET
@Path("{userId}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_USER_PROFILE_FOR_USER + "\")")
public VXPortalUser getUserProfileForUser(@PathParam("userId") Long userId) {
try {
VXPortalUser userProfile = userManager.getUserProfile(userId);
@@ -171,7 +174,7 @@ public class UserREST {
@POST
@Consumes({ "application/json", "application/xml" })
@Produces({ "application/xml", "application/json" })
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE + "\")")
public VXPortalUser create(VXPortalUser userProfile,
@Context HttpServletRequest servletRequest) {
logger.info("create:" + userProfile.getEmailAddress());
@@ -184,7 +187,7 @@ public class UserREST {
@Path("/default")
@Consumes({ "application/json", "application/xml" })
@Produces({ "application/xml", "application/json" })
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_DEFAULT_ACCOUNT_USER + "\")")
public VXPortalUser createDefaultAccountUser(VXPortalUser userProfile,
@Context HttpServletRequest servletRequest) {
VXPortalUser vxPortalUser;
@@ -201,6 +204,7 @@ public class UserREST {
@Consumes({ "application/json", "application/xml" })
@Produces({ "application/xml", "application/json" })
@RangerAnnotationRestAPI(updates_classes = "VUserProfile")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE + "\")")
public VXPortalUser update(VXPortalUser userProfile,
@Context HttpServletRequest servletRequest) {
logger.info("update:" + userProfile.getEmailAddress());
@@ -222,6 +226,7 @@ public class UserREST {
@PUT
@Path("/{userId}/roles")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SET_USER_ROLES + "\")")
public VXResponse setUserRoles(@PathParam("userId") Long userId,
VXStringList roleList) {
userManager.checkAccess(userId);
@@ -240,7 +245,7 @@ public class UserREST {
@POST
@Path("{userId}/deactivate")
@Produces({ "application/xml", "application/json" })
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DEACTIVATE_USER + "\")")
@RangerAnnotationClassName(class_name = VXPortalUser.class)
public VXPortalUser deactivateUser(@PathParam("userId") Long userId) {
XXPortalUser gjUser = daoManager.getXXPortalUser().getById(userId);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java
index 531f395..cbe486b 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java
@@ -35,6 +35,7 @@ import org.apache.ranger.common.SearchCriteria;
import org.apache.ranger.common.SearchUtil;
import org.apache.ranger.common.annotation.RangerAnnotationClassName;
import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName;
+import org.apache.ranger.security.context.RangerAPIList;
import org.apache.ranger.service.XAccessAuditService;
import org.apache.ranger.service.XTrxLogService;
import org.apache.ranger.view.VXAccessAuditList;
@@ -71,6 +72,7 @@ public class XAuditREST {
@GET
@Path("/trx_log/{id}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_TRX_LOG + "\")")
public VXTrxLog getXTrxLog(
@PathParam("id") Long id) {
return xAuditMgr.getXTrxLog(id);
@@ -79,6 +81,7 @@ public class XAuditREST {
@POST
@Path("/trx_log")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_TRX_LOG + "\")")
public VXTrxLog createXTrxLog(VXTrxLog vXTrxLog) {
return xAuditMgr.createXTrxLog(vXTrxLog);
}
@@ -86,13 +89,14 @@ public class XAuditREST {
@PUT
@Path("/trx_log")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_TRX_LOG + "\")")
public VXTrxLog updateXTrxLog(VXTrxLog vXTrxLog) {
return xAuditMgr.updateXTrxLog(vXTrxLog);
}
@DELETE
@Path("/trx_log/{id}")
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_TRX_LOG + "\")")
@RangerAnnotationClassName(class_name = VXTrxLog.class)
public void deleteXTrxLog(@PathParam("id") Long id,
@Context HttpServletRequest request) {
@@ -109,6 +113,7 @@ public class XAuditREST {
@GET
@Path("/trx_log")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_TRX_LOG + "\")")
public VXTrxLogList searchXTrxLogs(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xTrxLogService.sortFields);
@@ -118,6 +123,7 @@ public class XAuditREST {
@GET
@Path("/trx_log/count")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_TRX_LOGS + "\")")
public VXLong countXTrxLogs(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xTrxLogService.sortFields);
@@ -135,6 +141,7 @@ public class XAuditREST {
@GET
@Path("/access_audit")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_ACCESS_AUDITS + "\")")
public VXAccessAuditList searchXAccessAudits(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xAccessAuditService.sortFields);
@@ -144,6 +151,7 @@ public class XAuditREST {
@GET
@Path("/access_audit/count")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_ACCESS_AUDITS + "\")")
public VXLong countXAccessAudits(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xAccessAuditService.sortFields);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
index 1c0f9fc..c374f8e 100755
--- a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
@@ -35,12 +35,15 @@ import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.SearchUtil;
import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName;
+import org.apache.ranger.security.context.RangerAPIList;
+import org.apache.ranger.security.context.RangerPreAuthSecurityHandler;
import org.apache.ranger.view.VXKmsKey;
import org.apache.ranger.view.VXKmsKeyList;
import org.codehaus.jettison.json.JSONException;
import org.codehaus.jettison.json.JSONObject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Scope;
+import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Component;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;
@@ -66,7 +69,7 @@ public class XKeyREST {
@Autowired
RESTErrorUtil restErrorUtil;
-
+
/**
* Implements the traditional search functionalities for Keys
*
@@ -76,6 +79,7 @@ public class XKeyREST {
@GET
@Path("/keys")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_KEYS + "\")")
public VXKmsKeyList searchKeys(@Context HttpServletRequest request, @QueryParam("provider") String provider) {
VXKmsKeyList vxKmsKeyList = new VXKmsKeyList();
try{
@@ -94,6 +98,7 @@ public class XKeyREST {
@PUT
@Path("/key")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.ROLLOVER_KEYS + "\")")
public VXKmsKey rolloverKey(@QueryParam("provider") String provider, VXKmsKey vXKey) {
VXKmsKey vxKmsKey = new VXKmsKey();
try{
@@ -120,6 +125,7 @@ public class XKeyREST {
@DELETE
@Path("/key/{alias}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_KEY + "\")")
public void deleteKey(@PathParam("alias") String name, @QueryParam("provider") String provider, @Context HttpServletRequest request) {
try{
if (name == null || name.isEmpty()) {
@@ -140,6 +146,7 @@ public class XKeyREST {
@POST
@Path("/key")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_KEY + "\")")
public VXKmsKey createKey(@QueryParam("provider") String provider, VXKmsKey vXKey) {
VXKmsKey vxKmsKey = new VXKmsKey();
try{
@@ -167,6 +174,7 @@ public class XKeyREST {
@GET
@Path("/key/{alias}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_KEY + "\")")
public VXKmsKey getKey(@PathParam("alias") String name,@QueryParam("provider") String provider){
VXKmsKey vxKmsKey = new VXKmsKey();
try{
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
index 93980b4..472dad6 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
@@ -36,6 +36,7 @@ import org.apache.log4j.Logger;
import org.apache.ranger.biz.RangerBizUtil;
import org.apache.ranger.biz.SessionMgr;
import org.apache.ranger.biz.XUserMgr;
+import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.SearchCriteria;
import org.apache.ranger.common.SearchUtil;
@@ -43,6 +44,9 @@ import org.apache.ranger.common.StringUtil;
import org.apache.ranger.common.annotation.RangerAnnotationClassName;
import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName;
import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.security.context.RangerAPIList;
+import org.apache.ranger.security.context.RangerAPIMapping;
+import org.apache.ranger.security.context.RangerPreAuthSecurityHandler;
import org.apache.ranger.service.AuthSessionService;
import org.apache.ranger.service.XAuditMapService;
import org.apache.ranger.service.XGroupGroupService;
@@ -51,6 +55,7 @@ import org.apache.ranger.service.XGroupService;
import org.apache.ranger.service.XGroupUserService;
import org.apache.ranger.service.XModuleDefService;
import org.apache.ranger.service.XPermMapService;
+import org.apache.ranger.service.XResourceService;
import org.apache.ranger.service.XUserPermissionService;
import org.apache.ranger.service.XUserService;
import org.apache.ranger.view.VXAuditMap;
@@ -138,11 +143,15 @@ public class XUserREST {
@Autowired
RangerBizUtil bizUtil;
+
+ @Autowired
+ XResourceService xResourceService;
// Handle XGroup
@GET
@Path("/groups/{id}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP + "\")")
public VXGroup getXGroup(@PathParam("id") Long id) {
return xUserMgr.getXGroup(id);
}
@@ -150,6 +159,7 @@ public class XUserREST {
@GET
@Path("/secure/groups/{id}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SECURE_GET_X_GROUP + "\")")
public VXGroup secureGetXGroup(@PathParam("id") Long id) {
return xUserMgr.getXGroup(id);
}
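Review bot: `secureGetXGroup` has the same body as `getXGroup`; both return `xUserMgr.getXGroup(id)`. After this change the only difference between `/groups/{id}` and `/secure/groups/{id}` is the API name passed to `isAPIAccessible`. `getXUser` and `secureGetXUser` form the same pair for users. A comment on each pair stating which callers each route is for, e.g. `// same lookup as getXGroup; differs only in the API name checked (SECURE_GET_X_GROUP)`, would keep the two from being mapped to the same permission by accident.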
@@ -187,6 +197,7 @@ public class XUserREST {
@PUT
@Path("/secure/groups/visibility")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.MODIFY_GROUPS_VISIBILITY + "\")")
public void modifyGroupsVisibility(HashMap<Long, Integer> groupVisibilityMap){
xUserMgr.modifyGroupsVisibility(groupVisibilityMap);
}
@@ -210,6 +221,7 @@ public class XUserREST {
@GET
@Path("/groups")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUPS + "\")")
public VXGroupList searchXGroups(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xGroupService.sortFields);
@@ -224,6 +236,7 @@ public class XUserREST {
@GET
@Path("/groups/count")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUPS + "\")")
public VXLong countXGroups(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xGroupService.sortFields);
@@ -235,6 +248,7 @@ public class XUserREST {
@GET
@Path("/users/{id}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER + "\")")
public VXUser getXUser(@PathParam("id") Long id) {
return xUserMgr.getXUser(id);
}
@@ -242,6 +256,7 @@ public class XUserREST {
@GET
@Path("/secure/users/{id}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SECURE_GET_X_USER + "\")")
public VXUser secureGetXUser(@PathParam("id") Long id) {
return xUserMgr.getXUser(id);
}
@@ -291,6 +306,7 @@ public class XUserREST {
@PUT
@Path("/secure/users/visibility")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.MODIFY_USER_VISIBILITY + "\")")
public void modifyUserVisibility(HashMap<Long, Integer> visibilityMap){
xUserMgr.modifyUserVisibility(visibilityMap);
}
@@ -314,6 +330,7 @@ public class XUserREST {
@GET
@Path("/users")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_USERS + "\")")
public VXUserList searchXUsers(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xUserService.sortFields);
@@ -334,6 +351,7 @@ public class XUserREST {
@GET
@Path("/users/count")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_USERS + "\")")
public VXLong countXUsers(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xUserService.sortFields);
@@ -345,6 +363,7 @@ public class XUserREST {
@GET
@Path("/groupusers/{id}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_USER + "\")")
public VXGroupUser getXGroupUser(@PathParam("id") Long id) {
return xUserMgr.getXGroupUser(id);
}
@@ -383,6 +402,7 @@ public class XUserREST {
@GET
@Path("/groupusers")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUP_USERS + "\")")
public VXGroupUserList searchXGroupUsers(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xGroupUserService.sortFields);
@@ -392,6 +412,7 @@ public class XUserREST {
@GET
@Path("/groupusers/count")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUP_USERS + "\")")
public VXLong countXGroupUsers(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xGroupUserService.sortFields);
@@ -403,6 +424,7 @@ public class XUserREST {
@GET
@Path("/groupgroups/{id}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_GROUP + "\")")
public VXGroupGroup getXGroupGroup(@PathParam("id") Long id) {
return xUserMgr.getXGroupGroup(id);
}
@@ -440,6 +462,7 @@ public class XUserREST {
@GET
@Path("/groupgroups")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUP_GROUPS + "\")")
public VXGroupGroupList searchXGroupGroups(
@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
@@ -450,6 +473,7 @@ public class XUserREST {
@GET
@Path("/groupgroups/count")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUP_GROUPS + "\")")
public VXLong countXGroupGroups(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xGroupGroupService.sortFields);
@@ -461,28 +485,53 @@ public class XUserREST {
@GET
@Path("/permmaps/{id}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_PERM_MAP + "\")")
public VXPermMap getXPermMap(@PathParam("id") Long id) {
- return xUserMgr.getXPermMap(id);
+ VXPermMap permMap = xUserMgr.getXPermMap(id);
+
+ if (permMap != null) {
+ if (xResourceService.readResource(permMap.getResourceId()) == null) {
+ throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + permMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+ }
+ }
+
+ return permMap;
}
@POST
@Path("/permmaps")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_PERM_MAP + "\")")
public VXPermMap createXPermMap(VXPermMap vXPermMap) {
+
+ if (vXPermMap != null) {
+ if (xResourceService.readResource(vXPermMap.getResourceId()) == null) {
+ throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXPermMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+ }
+ }
+
return xUserMgr.createXPermMap(vXPermMap);
}
@PUT
@Path("/permmaps")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_PERM_MAP + "\")")
public VXPermMap updateXPermMap(VXPermMap vXPermMap) {
+
+ if (vXPermMap != null) {
+ if (xResourceService.readResource(vXPermMap.getResourceId()) == null) {
+ throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXPermMap.getResourceId());
+ }
+ }
+
return xUserMgr.updateXPermMap(vXPermMap);
}
@DELETE
@Path("/permmaps/{id}")
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
@RangerAnnotationClassName(class_name = VXPermMap.class)
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_PERM_MAP + "\")")
public void deleteXPermMap(@PathParam("id") Long id,
@Context HttpServletRequest request) {
boolean force = false;
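Review bot: `updateXPermMap` calls `restErrorUtil.createRESTException(...)` without the `MessageEnums.INVALID_INPUT_DATA` argument that `getXPermMap` and `createXPermMap` pass for the same condition, so the update path may report a different error code or status for a missing resource. Make it consistent: `throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXPermMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);`. Separately, the `if (vXPermMap != null)` guard in create and update lets a null body through to `xUserMgr`; rejecting it here with the same exception would keep the input validation in one place. `deleteXPermMap` continues outside the hunk.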
@@ -498,6 +547,7 @@ public class XUserREST {
@GET
@Path("/permmaps")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_PERM_MAPS + "\")")
public VXPermMapList searchXPermMaps(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xPermMapService.sortFields);
@@ -507,6 +557,7 @@ public class XUserREST {
@GET
@Path("/permmaps/count")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_PERM_MAPS + "\")")
public VXLong countXPermMaps(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xPermMapService.sortFields);
@@ -518,28 +569,53 @@ public class XUserREST {
@GET
@Path("/auditmaps/{id}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_AUDIT_MAP + "\")")
public VXAuditMap getXAuditMap(@PathParam("id") Long id) {
- return xUserMgr.getXAuditMap(id);
+ VXAuditMap vXAuditMap = xUserMgr.getXAuditMap(id);
+
+ if (vXAuditMap != null) {
+ if (xResourceService.readResource(vXAuditMap.getResourceId()) == null) {
+ throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXAuditMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+ }
+ }
+
+ return vXAuditMap;
}
@POST
@Path("/auditmaps")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_AUDIT_MAP + "\")")
public VXAuditMap createXAuditMap(VXAuditMap vXAuditMap) {
+
+ if (vXAuditMap != null) {
+ if (xResourceService.readResource(vXAuditMap.getResourceId()) == null) {
+ throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXAuditMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+ }
+ }
+
return xUserMgr.createXAuditMap(vXAuditMap);
}
@PUT
@Path("/auditmaps")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_AUDIT_MAP + "\")")
public VXAuditMap updateXAuditMap(VXAuditMap vXAuditMap) {
+
+ if (vXAuditMap != null) {
+ if (xResourceService.readResource(vXAuditMap.getResourceId()) == null) {
+ throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXAuditMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+ }
+ }
+
return xUserMgr.updateXAuditMap(vXAuditMap);
}
@DELETE
@Path("/auditmaps/{id}")
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
@RangerAnnotationClassName(class_name = VXAuditMap.class)
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_AUDIT_MAP + "\")")
public void deleteXAuditMap(@PathParam("id") Long id,
@Context HttpServletRequest request) {
boolean force = false;
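Review bot: `deleteXAuditMap` loses its fixed `hasRole('ROLE_SYS_ADMIN')` guard and now relies on `rangerPreAuthSecurityHandler.isAPIAccessible(...)`, so whether non-admin users can delete audit maps depends on how `RangerAPIList.DELETE_X_AUDIT_MAP` is mapped in `RangerAPIMapping`, which is not visible in this hunk. The same replacement is made on `deleteXPermMap`, `deleteXModuleDefPermission`, `deleteXUserPermission` and `deleteXGroupPermission` in the neighbouring hunks. If deletes are meant to stay admin-only, keep both conditions, e.g. `@PreAuthorize("hasRole('ROLE_SYS_ADMIN') and @rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_AUDIT_MAP + "\")")`; if not, a comment naming the roles that may now delete would make the widening explicit. `deleteXAuditMap` continues outside the hunk.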
@@ -555,6 +631,7 @@ public class XUserREST {
@GET
@Path("/auditmaps")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_AUDIT_MAPS + "\")")
public VXAuditMapList searchXAuditMaps(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xAuditMapService.sortFields);
@@ -564,6 +641,7 @@ public class XUserREST {
@GET
@Path("/auditmaps/count")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_AUDIT_MAPS + "\")")
public VXLong countXAuditMaps(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xAuditMapService.sortFields);
@@ -575,6 +653,7 @@ public class XUserREST {
@GET
@Path("/users/userName/{userName}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER_BY_USER_NAME + "\")")
public VXUser getXUserByUserName(@Context HttpServletRequest request,
@PathParam("userName") String userName) {
return xUserMgr.getXUserByUserName(userName);
@@ -583,6 +662,7 @@ public class XUserREST {
@GET
@Path("/groups/groupName/{groupName}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_BY_GROUP_NAME + "\")")
public VXGroup getXGroupByGroupName(@Context HttpServletRequest request,
@PathParam("groupName") String groupName) {
return xGroupService.getGroupByGroupName(groupName);
@@ -629,6 +709,7 @@ public class XUserREST {
@GET
@Path("/{userId}/groups")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER_GROUPS + "\")")
public VXGroupList getXUserGroups(@Context HttpServletRequest request,
@PathParam("userId") Long id){
return xUserMgr.getXUserGroups(id);
@@ -637,6 +718,7 @@ public class XUserREST {
@GET
@Path("/{groupId}/users")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_USERS + "\")")
public VXUserList getXGroupUsers(@Context HttpServletRequest request,
@PathParam("groupId") Long id){
return xUserMgr.getXGroupUsers(id);
@@ -645,6 +727,7 @@ public class XUserREST {
@GET
@Path("/authSessions")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_AUTH_SESSIONS + "\")")
public VXAuthSessionList getAuthSessions(@Context HttpServletRequest request){
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, authSessionService.AUTH_SESSION_SORT_FLDS);
@@ -666,6 +749,7 @@ public class XUserREST {
@GET
@Path("/authSessions/info")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_AUTH_SESSION + "\")")
public VXAuthSession getAuthSession(@Context HttpServletRequest request){
String authSessionId = request.getParameter("extSessionId");
return sessionMgr.getAuthSessionBySessionId(authSessionId);
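Review bot: `getAuthSession` reads `extSessionId` from the request and passes it straight to `sessionMgr.getAuthSessionBySessionId`, so a request without the parameter looks up `null`, and nothing in the hunk ties the requested session to the caller. The added annotation checks only access to the API, so unless `sessionMgr` scopes the lookup, a permitted caller may be able to read another user's session record by id. Reject a blank id before the lookup, e.g. `if (authSessionId == null || authSessionId.trim().isEmpty()) { throw restErrorUtil.createRESTException("Invalid Input Data - extSessionId is required", MessageEnums.INVALID_INPUT_DATA); }`, and document where ownership is enforced. The method's closing brace is outside the hunk.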
@@ -675,6 +759,7 @@ public class XUserREST {
@POST
@Path("/permission")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_MODULE_DEF_PERMISSION + "\")")
public VXModuleDef createXModuleDefPermission(VXModuleDef vXModuleDef) {
return xUserMgr.createXModuleDefPermission(vXModuleDef);
}
@@ -682,6 +767,7 @@ public class XUserREST {
@GET
@Path("/permission/{id}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_MODULE_DEF_PERMISSION + "\")")
public VXModuleDef getXModuleDefPermission(@PathParam("id") Long id) {
return xUserMgr.getXModuleDefPermission(id);
}
@@ -689,13 +775,14 @@ public class XUserREST {
@PUT
@Path("/permission/{id}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_MODULE_DEF_PERMISSION + "\")")
public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) {
return xUserMgr.updateXModuleDefPermission(vXModuleDef);
}
@DELETE
@Path("/permission/{id}")
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_MODULE_DEF_PERMISSION + "\")")
public void deleteXModuleDefPermission(@PathParam("id") Long id,
@Context HttpServletRequest request) {
boolean force = true;
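Review bot: `updateXModuleDefPermission` is mapped to `/permission/{id}` but its signature binds no `@PathParam("id")`, so the id in the URL is ignored and the object that gets updated is whichever one the request body names. With access now decided per API, the URL and body should be made to agree: take `@PathParam("id") Long id` and reject the call when it differs from the id carried in `vXModuleDef`. `updateXUserPermission` and `updateXGroupPermission` in later hunks have the same shape. This hunk also swaps `hasRole('ROLE_SYS_ADMIN')` for the handler on `deleteXModuleDefPermission`, whose body continues outside the hunk.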
@@ -705,6 +792,7 @@ public class XUserREST {
@GET
@Path("/permission")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_MODULE_DEF + "\")")
public VXModuleDefList searchXModuleDef(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xModuleDefService.sortFields);
@@ -725,6 +813,7 @@ public class XUserREST {
@GET
@Path("/permission/count")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_MODULE_DEF + "\")")
public VXLong countXModuleDef(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xModuleDefService.sortFields);
@@ -735,6 +824,7 @@ public class XUserREST {
@POST
@Path("/permission/user")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_USER_PERMISSION + "\")")
public VXUserPermission createXUserPermission(
VXUserPermission vXUserPermission) {
return xUserMgr.createXUserPermission(vXUserPermission);
@@ -743,6 +833,7 @@ public class XUserREST {
@GET
@Path("/permission/user/{id}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER_PERMISSION + "\")")
public VXUserPermission getXUserPermission(@PathParam("id") Long id) {
return xUserMgr.getXUserPermission(id);
}
@@ -750,6 +841,7 @@ public class XUserREST {
@PUT
@Path("/permission/user/{id}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_USER_PERMISSION + "\")")
public VXUserPermission updateXUserPermission(
VXUserPermission vXUserPermission) {
return xUserMgr.updateXUserPermission(vXUserPermission);
@@ -757,7 +849,7 @@ public class XUserREST {
@DELETE
@Path("/permission/user/{id}")
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_USER_PERMISSION + "\")")
public void deleteXUserPermission(@PathParam("id") Long id,
@Context HttpServletRequest request) {
boolean force = true;
@@ -767,6 +859,7 @@ public class XUserREST {
@GET
@Path("/permission/user")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_USER_PERMISSION + "\")")
public VXUserPermissionList searchXUserPermission(
@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
@@ -782,6 +875,7 @@ public class XUserREST {
@GET
@Path("/permission/user/count")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_USER_PERMISSION + "\")")
public VXLong countXUserPermission(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xUserPermissionService.sortFields);
@@ -792,6 +886,7 @@ public class XUserREST {
@POST
@Path("/permission/group")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_GROUP_PERMISSION + "\")")
public VXGroupPermission createXGroupPermission(
VXGroupPermission vXGroupPermission) {
return xUserMgr.createXGroupPermission(vXGroupPermission);
@@ -800,6 +895,7 @@ public class XUserREST {
@GET
@Path("/permission/group/{id}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_PERMISSION + "\")")
public VXGroupPermission getXGroupPermission(@PathParam("id") Long id) {
return xUserMgr.getXGroupPermission(id);
}
@@ -807,6 +903,7 @@ public class XUserREST {
@PUT
@Path("/permission/group/{id}")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_GROUP_PERMISSION + "\")")
public VXGroupPermission updateXGroupPermission(
VXGroupPermission vXGroupPermission) {
return xUserMgr.updateXGroupPermission(vXGroupPermission);
@@ -814,7 +911,7 @@ public class XUserREST {
@DELETE
@Path("/permission/group/{id}")
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_GROUP_PERMISSION + "\")")
public void deleteXGroupPermission(@PathParam("id") Long id,
@Context HttpServletRequest request) {
boolean force = true;
@@ -824,6 +921,7 @@ public class XUserREST {
@GET
@Path("/permission/group")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUP_PERMISSION + "\")")
public VXGroupPermissionList searchXGroupPermission(
@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
@@ -838,6 +936,7 @@ public class XUserREST {
@GET
@Path("/permission/group/count")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUP_PERMISSION + "\")")
public VXLong countXGroupPermission(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xGroupPermissionService.sortFields);
@@ -847,6 +946,7 @@ public class XUserREST {
@PUT
@Path("/secure/users/activestatus")
@Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.MODIFY_USER_ACTIVE_STATUS + "\")")
public void modifyUserActiveStatus(HashMap<Long, Integer> statusMap){
xUserMgr.modifyUserActiveStatus(statusMap);
}