Posted to commits@ranger.apache.org by sn...@apache.org on 2015/05/31 17:03:41 UTC
[01/12] incubator-ranger git commit: KMS keys listing throws
authentication required error in secure cluster
Repository: incubator-ranger
Updated Branches:
refs/heads/ranger-0.5 0d73c38af -> c510b449d
KMS keys listing throws authentication required error in secure cluster
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/d79401bb
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/d79401bb
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/d79401bb
Branch: refs/heads/ranger-0.5
Commit: d79401bb429754ef9d4203f6c78c28606c922ccb
Parents: 0d73c38
Author: Gautam Borad <gb...@gmail.com>
Authored: Tue May 26 16:47:57 2015 +0530
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Thu May 28 21:18:24 2015 -0400
----------------------------------------------------------------------
.../ranger/services/kms/client/KMSClient.java | 70 +++--
.../java/org/apache/ranger/biz/KmsKeyMgr.java | 291 ++++++++++++++-----
.../java/org/apache/ranger/rest/XKeyREST.java | 6 +-
3 files changed, 273 insertions(+), 94 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d79401bb/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
index 59fa634..c67584e 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
@@ -24,14 +24,17 @@ import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
+import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import java.util.regex.Pattern;
+import javax.security.auth.Subject;
import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.security.HadoopKerberosName;
import org.apache.hadoop.security.ProviderUtils;
+import org.apache.hadoop.security.SecureClientLogin;
import org.apache.log4j.Logger;
import org.apache.ranger.plugin.client.BaseClient;
import org.apache.ranger.plugin.client.HadoopException;
@@ -43,6 +46,8 @@ import com.google.gson.GsonBuilder;
import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.WebResource;
+import com.sun.jersey.api.client.config.ClientConfig;
+import com.sun.jersey.api.client.config.DefaultClientConfig;
public class KMSClient {
@@ -50,7 +55,7 @@ public class KMSClient {
private static final String EXPECTED_MIME_TYPE = "application/json";
- private static final String KMS_LIST_API_ENDPOINT = "v1/keys/names?user.name=${userName}"; // GET
+ private static final String KMS_LIST_API_ENDPOINT = "v1/keys/names"; // GET
private static final String errMessage = " You can still save the repository and start creating "
+ "policies, but you would not be able to use autocomplete for "
@@ -64,7 +69,6 @@ public class KMSClient {
this.provider = provider;
this.username = username;
this.password = password;
-
if (LOG.isDebugEnabled()) {
LOG.debug("Kms Client is build with url [" + provider + "] user: ["
+ username + "]");
@@ -137,24 +141,42 @@ public class KMSClient {
for (int i = 0; i < providers.length; i++) {
lret = new ArrayList<String>();
if (LOG.isDebugEnabled()) {
- LOG.debug("Getting Kms Key list for keyNameMatching : "
- + keyNameMatching);
+ LOG.debug("Getting Kms Key list for keyNameMatching : " + keyNameMatching);
}
- String keyLists = KMS_LIST_API_ENDPOINT.replaceAll(
- Pattern.quote("${userName}"), username);
- String uri = providers[i]
- + (providers[i].endsWith("/") ? keyLists : ("/" + keyLists));
+ String uri = providers[i] + (providers[i].endsWith("/") ? KMS_LIST_API_ENDPOINT : ("/" + KMS_LIST_API_ENDPOINT));
Client client = null;
ClientResponse response = null;
-
+ boolean isKerberose = false;
try {
- client = Client.create();
-
- WebResource webResource = client.resource(uri);
-
- response = webResource.accept(EXPECTED_MIME_TYPE).get(
- ClientResponse.class);
-
+ ClientConfig cc = new DefaultClientConfig();
+ cc.getProperties().put(ClientConfig.PROPERTY_FOLLOW_REDIRECTS, true);
+ client = Client.create(cc);
+
+ if(username.contains("@")){
+ isKerberose = true;
+ }
+
+ if(!isKerberose){
+ uri = uri.concat("?user.name="+username);
+ WebResource webResource = client.resource(uri);
+ response = webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class);
+ }else{
+ String shortName = new HadoopKerberosName(username).getShortName();
+ uri = uri.concat("?doAs="+shortName);
+ Subject sub = new Subject();
+ if (username.contains("@")) {
+ sub = SecureClientLogin.loginUserWithPassword(username, password);
+ } else {
+ sub = SecureClientLogin.login(username);
+ }
+ final WebResource webResource = client.resource(uri);
+ response = Subject.doAs(sub, new PrivilegedAction<ClientResponse>() {
+ @Override
+ public ClientResponse run() {
+ return webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class);
+ }
+ });
+ }
if (LOG.isDebugEnabled()) {
LOG.debug("getKeyList():calling " + uri);
}
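Review bot: The inner `if (username.contains("@"))` at the top of the Kerberos branch can only be true, because `isKerberose` was set from the same test a few lines earlier, so the `SecureClientLogin.login(username)` arm is unreachable and the `new Subject()` assigned just before it is discarded; the branch reduces to `Subject sub = SecureClientLogin.loginUserWithPassword(username, password);`. Both `user.name` and `doAs` values are appended to the URL by plain concatenation; `URLEncoder.encode(shortName, "UTF-8")` (and likewise for `username`) would keep a principal or user name containing reserved characters from producing a malformed query. Whether `doAs` set to the short name of the very principal that authenticates is needed is not clear from here; if the intent is only to call as that principal, the parameter could be dropped. The enclosing method and its surrounding `try` begin outside the hunk.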
@@ -192,12 +214,22 @@ public class KMSClient {
LOG.info("getKeyList():response.getStatus()= "
+ response.getStatus() + " for URL " + uri
+ ", so returning null list");
- return lret;
+ String msgDesc = response.getEntity(String.class);
+ HadoopException hdpException = new HadoopException(msgDesc);
+ hdpException.generateResponseDataMap(false, msgDesc,
+ msgDesc + errMsg, null, null);
+ lret = null;
+ throw hdpException;
} else if (response.getStatus() == 403) {
LOG.info("getKeyList():response.getStatus()= "
+ response.getStatus() + " for URL " + uri
+ ", so returning null list");
- return lret;
+ String msgDesc = response.getEntity(String.class);
+ HadoopException hdpException = new HadoopException(msgDesc);
+ hdpException.generateResponseDataMap(false, msgDesc,
+ msgDesc + errMsg, null, null);
+ lret = null;
+ throw hdpException;
} else {
LOG.info("getKeyList():response.getStatus()= "
+ response.getStatus() + " for URL " + uri
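Review bot: The log lines preceding both new `throw hdpException` statements still say `", so returning null list"`, which is no longer what the code does; they should read e.g. `", so throwing HadoopException"` or be dropped, since the exception now carries the message. The 401 and 403 branches are identical and could be collapsed into one `else if (response.getStatus() == 401 || response.getStatus() == 403)` arm, and `lret = null;` immediately before `throw` is a dead store. `response.getEntity(String.class)` puts the raw KMS response body into the exception message that reaches the Ranger UI — judging by the `HTTP Status 401` string XKeyREST now matches, that body may be a servlet-container HTML error page — so a fixed message naming the status code, with the body kept at debug level, would be tidier. The enclosing `if`/`else` chain and the method continue outside the hunk.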
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d79401bb/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
index 7446d1e..7854f4b 100755
--- a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
@@ -24,12 +24,14 @@ import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
+import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
+import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.MediaType;
@@ -40,13 +42,19 @@ import org.apache.commons.collections.PredicateUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.ProviderUtils;
+import org.apache.hadoop.security.SecureClientLogin;
+import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.log4j.Logger;
import org.apache.ranger.common.ContextUtil;
import org.apache.ranger.common.MessageEnums;
+import org.apache.ranger.common.PasswordUtils;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.RangerConfigUtil;
import org.apache.ranger.common.SortField;
import org.apache.ranger.common.StringUtil;
+import org.apache.ranger.db.RangerDaoManagerBase;
+import org.apache.ranger.entity.XXService;
+import org.apache.ranger.entity.XXServiceConfigMap;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.util.KeySearchFilter;
import org.apache.ranger.view.VXKmsKey;
@@ -68,12 +76,14 @@ public class KmsKeyMgr {
static final Logger logger = Logger.getLogger(KmsKeyMgr.class);
- private static final String KMS_KEY_LIST_URI = "v1/keys/names?user.name=${userName}"; //GET
- private static final String KMS_ADD_KEY_URI = "v1/keys?user.name=${userName}"; //POST
- private static final String KMS_ROLL_KEY_URI = "v1/key/${alias}?user.name=${userName}"; //POST
- private static final String KMS_DELETE_KEY_URI = "v1/key/${alias}?user.name=${userName}"; //DELETE
- private static final String KMS_KEY_METADATA_URI = "v1/key/${alias}/_metadata?user.name=${userName}"; //GET
+ private static final String KMS_KEY_LIST_URI = "v1/keys/names"; //GET
+ private static final String KMS_ADD_KEY_URI = "v1/keys"; //POST
+ private static final String KMS_ROLL_KEY_URI = "v1/key/${alias}"; //POST
+ private static final String KMS_DELETE_KEY_URI = "v1/key/${alias}"; //DELETE
+ private static final String KMS_KEY_METADATA_URI = "v1/key/${alias}/_metadata"; //GET
private static final String KMS_URL_CONFIG = "provider";
+ private static final String KMS_PASSWORD = "password";
+ private static final String KMS_USERNAME = "username";
private static Map<String, String> providerList = new HashMap<String, String>();
private static int nextProvider = 0;
@@ -86,8 +96,11 @@ public class KmsKeyMgr {
@Autowired
RangerConfigUtil configUtil;
+ @Autowired
+ RangerDaoManagerBase rangerDaoManagerBase;
+
@SuppressWarnings("unchecked")
- public VXKmsKeyList searchKeys(String repoName){
+ public VXKmsKeyList searchKeys(String repoName) throws Exception{
String providers[] = null;
try {
providers = getKMSURL(repoName);
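Review bot: `searchKeys` now declares `throws Exception`, and the same blanket clause is added to `rolloverKey`, `deleteKey`, `createKey`, `getKey` and `getKeyFromUri` in the later hunks, which presumably forces callers such as XKeyREST to catch `Exception` and recover meaning from message text. The new helpers (`getSubjectForKerberos`, `checkKerberos`) are the only added sources of checked exceptions, so declaring the specific type they raise — or wrapping it in a domain exception, as the plugin-side KMSClient does with `HadoopException` — would keep the REST layer's error mapping explicit. `searchKeys`'s body runs past the end of the hunk.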
@@ -98,6 +111,12 @@ public class KmsKeyMgr {
VXKmsKeyList vxKmsKeyList = new VXKmsKeyList();
List<String> keys = null;
String connProvider = null;
+ boolean isKerberos=false;
+ try {
+ isKerberos = checkKerberos(repoName);
+ } catch (Exception e1) {
+ logger.error("checkKerberos(" + repoName + ") failed", e1);
+ }
for (int i = 0; i < providers.length; i++) {
Client c = getClient();
String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
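Review bot: When `checkKerberos(repoName)` throws, the new code logs and continues with `isKerberos` left `false`, so a service whose configuration cannot be read is silently queried with `?user.name=` pseudo-authentication instead of Kerberos; the failure should abort the operation (rethrow, or return the empty `vxKmsKeyList`) rather than fall through to the weaker mode. The same log-and-continue pattern is repeated in `rolloverKey`, `deleteKey`, `createKey` and `getKey` below. `searchKeys` begins and ends outside this hunk.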
@@ -105,15 +124,28 @@ public class KmsKeyMgr {
Pattern.quote("${userName}"), currentUserLoginId);
connProvider = providers[i];
String uri = providers[i]
- + (providers[i].endsWith("/") ? keyLists : ("/" + keyLists));
-
- WebResource r = c.resource(uri);
+ + (providers[i].endsWith("/") ? keyLists : ("/" + keyLists));
+ if(!isKerberos){
+ uri = uri.concat("?user.name="+currentUserLoginId);
+ }else{
+ uri = uri.concat("?doAs="+currentUserLoginId);
+ }
+ final WebResource r = c.resource(uri);
try {
- String response = r.accept(MediaType.APPLICATION_JSON_TYPE)
- .get(String.class);
+ String response = null;
+ if(!isKerberos){
+ response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ }else{
+ Subject sub = getSubjectForKerberos(repoName, currentUserLoginId);
+ response = Subject.doAs(sub, new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ }
+ });
+ }
Gson gson = new GsonBuilder().create();
logger.debug(" Search Key RESPONSE: [" + response + "]");
-
keys = gson.fromJson(response, List.class);
break;
} catch (Exception e) {
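Review bot: `keyLists` is still built with `KMS_KEY_LIST_URI.replaceAll(Pattern.quote("${userName}"), currentUserLoginId)` — the call whose tail is the hunk's first context line — but the commit removed the `${userName}` placeholder from that constant, so the substitution is now a no-op and the user is instead appended via `uri.concat("?user.name=" + currentUserLoginId)`; `uri` should be built from `KMS_KEY_LIST_URI` directly, as `createKey` now does with `KMS_ADD_KEY_URI`. `currentUserLoginId` is concatenated into the query string without `URLEncoder.encode(currentUserLoginId, "UTF-8")`, which matters for login ids containing `&`, `#` or spaces, and the same unencoded concatenation appears in every other method of this file that the commit touches. `.type(MediaType.APPLICATION_JSON_TYPE)` on a GET sets a Content-Type for a request that has no body; harmless, but misleading. The enclosing `for` loop and method extend beyond the hunk.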
@@ -125,7 +157,7 @@ public class KmsKeyMgr {
}
if (keys != null && keys.size() > 0) {
for (String name : keys) {
- VXKmsKey key = getKeyFromUri(connProvider, name);
+ VXKmsKey key = getKeyFromUri(connProvider, name, isKerberos, repoName);
vXKeys.add(key);
}
vxKmsKeyList.setResultSize(vXKeys.size());
@@ -137,31 +169,46 @@ public class KmsKeyMgr {
return vxKmsKeyList;
}
- public VXKmsKey rolloverKey(String provider, VXKmsKey vXKey){
+ public VXKmsKey rolloverKey(String provider, VXKmsKey vXKey) throws Exception{
String providers[] = null;
try {
providers = getKMSURL(provider);
} catch (Exception e) {
- logger.error("rolloverKey(" + provider + ", " + vXKey.getName()
- + ") failed", e);
+ logger.error("rolloverKey(" + provider + ", " + vXKey.getName() + ") failed", e);
}
VXKmsKey ret = null;
+ boolean isKerberos=false;
+ try {
+ isKerberos = checkKerberos(provider);
+ } catch (Exception e1) {
+ logger.error("checkKerberos(" + provider + ") failed", e1);
+ }
for (int i = 0; i < providers.length; i++) {
Client c = getClient();
- String rollRest = KMS_ROLL_KEY_URI.replaceAll(
- Pattern.quote("${alias}"), vXKey.getName());
- String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
- rollRest = rollRest.replaceAll(Pattern.quote("${userName}"),
- currentUserLoginId);
- String uri = providers[i]
- + (providers[i].endsWith("/") ? rollRest : ("/" + rollRest));
- WebResource r = c.resource(uri);
+ String rollRest = KMS_ROLL_KEY_URI.replaceAll(Pattern.quote("${alias}"), vXKey.getName());
+ String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
+ String uri = providers[i] + (providers[i].endsWith("/") ? rollRest : ("/" + rollRest));
+ if(!isKerberos){
+ uri = uri.concat("?user.name="+currentUserLoginId);
+ }else{
+ uri = uri.concat("?doAs="+currentUserLoginId);
+ }
+ final WebResource r = c.resource(uri);
Gson gson = new GsonBuilder().create();
- String jsonString = gson.toJson(vXKey);
+ final String jsonString = gson.toJson(vXKey);
try {
- String response = r.accept(MediaType.APPLICATION_JSON_TYPE)
- .type(MediaType.APPLICATION_JSON_TYPE)
- .post(String.class, jsonString);
+ String response = null;
+ if(!isKerberos){
+ response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString);}
+ else{
+ Subject sub = getSubjectForKerberos(provider, currentUserLoginId);
+ response = Subject.doAs(sub, new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString);
+ }
+ });
+ }
logger.debug("Roll RESPONSE: [" + response + "]");
ret = gson.fromJson(response, VXKmsKey.class);
break;
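Review bot: The closing brace of the non-Kerberos branch is glued to the statement, `...post(String.class, jsonString);}`, with `else{` on the following line, which differs from the `}else{` layout used in the sibling methods of this commit; put the brace on its own line so the two branches read alike. `rolloverKey`'s catch block and return lie outside the hunk.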
@@ -174,27 +221,44 @@ public class KmsKeyMgr {
}
return ret;
}
-
- public void deleteKey(String provider, String name){
+
+ public void deleteKey(String provider, String name) throws Exception{
String providers[] = null;
try {
providers = getKMSURL(provider);
} catch (Exception e) {
logger.error("deleteKey(" + provider + ", " + name + ") failed", e);
}
+ boolean isKerberos=false;
+ try {
+ isKerberos = checkKerberos(provider);
+ } catch (Exception e1) {
+ logger.error("checkKerberos(" + provider + ") failed", e1);
+ }
for (int i = 0; i < providers.length; i++) {
Client c = getClient();
- String deleteRest = KMS_DELETE_KEY_URI.replaceAll(
- Pattern.quote("${alias}"), name);
- String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
- deleteRest = deleteRest.replaceAll(Pattern.quote("${userName}"),
- currentUserLoginId);
- String uri = providers[i]
- + (providers[i].endsWith("/") ? deleteRest
- : ("/" + deleteRest));
- WebResource r = c.resource(uri);
+ String deleteRest = KMS_DELETE_KEY_URI.replaceAll(Pattern.quote("${alias}"), name);
+ String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
+ String uri = providers[i] + (providers[i].endsWith("/") ? deleteRest : ("/" + deleteRest));
+ if(!isKerberos){
+ uri = uri.concat("?user.name="+currentUserLoginId);
+ }else{
+ uri = uri.concat("?doAs="+currentUserLoginId);
+ }
+ final WebResource r = c.resource(uri);
try {
- String response = r.delete(String.class) ;
+ String response = null;
+ if(!isKerberos){
+ response = r.delete(String.class) ;
+ }else{
+ Subject sub = getSubjectForKerberos(provider, currentUserLoginId);
+ response = Subject.doAs(sub, new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return r.delete(String.class);
+ }
+ });
+ }
logger.debug("delete RESPONSE: [" + response + "]") ;
break;
} catch (Exception e) {
@@ -206,7 +270,7 @@ public class KmsKeyMgr {
}
}
- public VXKmsKey createKey(String provider, VXKmsKey vXKey){
+ public VXKmsKey createKey(String provider, VXKmsKey vXKey) throws Exception{
String providers[] = null;
try {
providers = getKMSURL(provider);
@@ -215,21 +279,37 @@ public class KmsKeyMgr {
+ ") failed", e);
}
VXKmsKey ret = null;
+ boolean isKerberos=false;
+ try {
+ isKerberos = checkKerberos(provider);
+ } catch (Exception e1) {
+ logger.error("checkKerberos(" + provider + ") failed", e1);
+ }
for (int i = 0; i < providers.length; i++) {
Client c = getClient();
- String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
- String createRest = KMS_ADD_KEY_URI.replaceAll(
- Pattern.quote("${userName}"), currentUserLoginId);
- String uri = providers[i]
- + (providers[i].endsWith("/") ? createRest
- : ("/" + createRest));
- WebResource r = c.resource(uri);
+ String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
+ String uri = providers[i] + (providers[i].endsWith("/") ? KMS_ADD_KEY_URI : ("/" + KMS_ADD_KEY_URI));
+ if(!isKerberos){
+ uri = uri.concat("?user.name="+currentUserLoginId);
+ }else{
+ uri = uri.concat("?doAs="+currentUserLoginId);
+ }
+ final WebResource r = c.resource(uri);
Gson gson = new GsonBuilder().create();
- String jsonString = gson.toJson(vXKey);
+ final String jsonString = gson.toJson(vXKey);
try {
- String response = r.accept(MediaType.APPLICATION_JSON_TYPE)
- .type(MediaType.APPLICATION_JSON_TYPE)
- .post(String.class, jsonString);
+ String response = null;
+ if(!isKerberos){
+ response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString);
+ }else{
+ Subject sub = getSubjectForKerberos(provider, currentUserLoginId);
+ response = Subject.doAs(sub, new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString);
+ }
+ });
+ }
logger.debug("Create RESPONSE: [" + response + "]");
ret = gson.fromJson(response, VXKmsKey.class);
return ret;
@@ -243,26 +323,43 @@ public class KmsKeyMgr {
return ret;
}
- public VXKmsKey getKey(String provider, String name){
+ public VXKmsKey getKey(String provider, String name) throws Exception{
String providers[] = null;
try {
providers = getKMSURL(provider);
} catch (Exception e) {
logger.error("getKey(" + provider + ", " + name + ") failed", e);
}
+ boolean isKerberos=false;
+ try {
+ isKerberos = checkKerberos(provider);
+ } catch (Exception e1) {
+ logger.error("checkKerberos(" + provider + ") failed", e1);
+ }
for (int i = 0; i < providers.length; i++) {
Client c = getClient();
- String keyRest = KMS_KEY_METADATA_URI.replaceAll(
- Pattern.quote("${alias}"), name);
- String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
- keyRest = keyRest.replaceAll(Pattern.quote("${userName}"),
- currentUserLoginId);
- String uri = providers[i]
- + (providers[i].endsWith("/") ? keyRest : ("/" + keyRest));
- WebResource r = c.resource(uri);
+ String keyRest = KMS_KEY_METADATA_URI.replaceAll(Pattern.quote("${alias}"), name);
+ String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
+ String uri = providers[i] + (providers[i].endsWith("/") ? keyRest : ("/" + keyRest));
+ if(!isKerberos){
+ uri = uri.concat("?user.name="+currentUserLoginId);
+ }else{
+ uri = uri.concat("?doAs="+currentUserLoginId);
+ }
+ final WebResource r = c.resource(uri);
try {
- String response = r.accept(MediaType.APPLICATION_JSON_TYPE)
- .get(String.class);
+ String response = null;
+ if(!isKerberos){
+ response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ }else{
+ Subject sub = getSubjectForKerberos(provider, currentUserLoginId);
+ response = Subject.doAs(sub, new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ }
+ });
+ }
Gson gson = new GsonBuilder().create();
logger.debug("RESPONSE: [" + response + "]");
VXKmsKey key = gson.fromJson(response, VXKmsKey.class);
@@ -277,16 +374,29 @@ public class KmsKeyMgr {
return null;
}
- public VXKmsKey getKeyFromUri(String provider, String name) {
+ public VXKmsKey getKeyFromUri(String provider, String name, boolean isKerberos, String repoName) throws Exception {
Client c = getClient();
- String keyRest = KMS_KEY_METADATA_URI.replaceAll(
- Pattern.quote("${alias}"), name);
- String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
- keyRest = keyRest.replaceAll(Pattern.quote("${userName}"),
- currentUserLoginId);
+ String keyRest = KMS_KEY_METADATA_URI.replaceAll(Pattern.quote("${alias}"), name);
+ String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
String uri = provider + (provider.endsWith("/") ? keyRest : ("/" + keyRest));
- WebResource r = c.resource(uri);
- String response = r.accept(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ if(!isKerberos){
+ uri = uri.concat("?user.name="+currentUserLoginId);
+ }else{
+ uri = uri.concat("?doAs="+currentUserLoginId);
+ }
+ final WebResource r = c.resource(uri);
+ String response = null;
+ if(!isKerberos){
+ response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ }else{
+ Subject sub = getSubjectForKerberos(repoName, currentUserLoginId);
+ response = Subject.doAs(sub, new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ }
+ });
+ }
Gson gson = new GsonBuilder().create();
logger.debug("RESPONSE: [" + response + "]");
VXKmsKey key = gson.fromJson(response, VXKmsKey.class);
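Review bot: `getKeyFromUri` is called once per key from the `searchKeys` loop, and in the Kerberos path each call runs `getSubjectForKerberos`, which decrypts the service password and performs a fresh `loginUserWithPassword`, so listing N keys costs N+1 Kerberos logins against the KDC; the `Subject` obtained in `searchKeys` should be passed in (or cached for the request) instead of re-acquired per key. The parameter named `provider` here is a KMS URL while `repoName` is the Ranger service name, whereas in `rolloverKey` and `getKey` the argument named `provider` is the service name; renaming this one to `providerUrl` would remove the ambiguity. The method's return statement is outside the hunk.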
@@ -360,7 +470,7 @@ public class KmsKeyMgr {
providerNext = providerNext+";";
}
}
- for(int i=0; i<nextProvider; i++){
+ for(int i=0; i<nextProvider && i<hosts.length; i++){
providerNext = providerNext+";"+hosts[i];
}
if(nextProvider != hosts.length-1){
@@ -381,6 +491,43 @@ public class KmsKeyMgr {
}
return providers;
}
+
+ private Subject getSubjectForKerberos(String provider, String currentUserLoginId) throws Exception{
+ String userName = getKMSUserName(provider);
+ String password = getKMSPassword(provider);
+ if (KerberosName.getRules() == null) {
+ KerberosName.setRules("DEFAULT") ;
+ }
+ Subject sub = new Subject();
+ if (userName.contains("@")) {
+ sub = SecureClientLogin.loginUserWithPassword(userName, password);
+ } else {
+ sub = SecureClientLogin.login(userName);
+ }
+ return sub;
+ }
+
+ private String getKMSPassword(String srvName) throws Exception {
+ XXService rangerService = rangerDaoManagerBase.getXXService().findByName(srvName);
+ XXServiceConfigMap xxConfigMap = rangerDaoManagerBase.getXXServiceConfigMap().findByServiceAndConfigKey(rangerService.getId(), KMS_PASSWORD);
+ String encryptedPwd = xxConfigMap.getConfigvalue();
+ String pwd = PasswordUtils.decryptPassword(encryptedPwd);
+ return pwd;
+ }
+
+ private String getKMSUserName(String srvName) throws Exception {
+ RangerService rangerService = null;
+ rangerService = svcStore.getServiceByName(srvName);
+ return rangerService.getConfigs().get(KMS_USERNAME);
+ }
+
+ private boolean checkKerberos(String provider) throws Exception {
+ String userName = getKMSUserName(provider);
+ if(userName.contains("@")){
+ return true;
+ }
+ return false;
+ }
private synchronized Client getClient() {
Client ret = null;
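Review bot: `getKMSUserName`, `getKMSPassword` and `checkKerberos` dereference lookups that may be absent — `svcStore.getServiceByName(srvName)` and `findByServiceAndConfigKey(...)` presumably return null for an unknown service or a service without a `password` entry (their contracts are not visible here), and `userName.contains("@")` fails on a missing `username` config — so each would surface as a NullPointerException instead of a message naming the service; a guard such as `if (rangerService == null) throw new Exception("KMS service not found: " + srvName);` in each helper would make the failure actionable. In `getSubjectForKerberos` the `new Subject()` is overwritten on both branches and can be dropped, and `checkKerberos` reduces to `return userName != null && userName.contains("@");`. `KerberosName.setRules("DEFAULT")` mutates process-wide static state from a per-request helper; if it is meant as one-time initialisation it belongs in a startup hook. `getKMSUserName` reads the service through `svcStore` while `getKMSPassword` goes to the DAO directly — presumably because the store masks the password — and a one-line comment saying so would save the next reader the detour.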
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d79401bb/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
index 379ea3c..7845b86 100755
--- a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
@@ -199,11 +199,11 @@ public class XKeyREST {
}
if(!(message==null) && !(message.isEmpty()) && message.contains("Connection refused")){
message = "Connection refused : Please check the KMS provider URL and whether the Ranger KMS is running";
- }else if(!(message==null) && !(message.isEmpty()) && message.contains("response status of 403")){
+ }else if(!(message==null) && !(message.isEmpty()) && (message.contains("response status of 403") || message.contains("HTTP Status 403"))){
message = UNAUTHENTICATED_MSG;
- }else if(!(message==null) && !(message.isEmpty()) && message.contains("response status of 401")){
+ }else if(!(message==null) && !(message.isEmpty()) && (message.contains("response status of 401") || message.contains("HTTP Status 401 - Authentication required"))){
message = UNAUTHENTICATED_MSG;
- }
+ }
throw restErrorUtil.createRESTException(message, MessageEnums.ERROR_SYSTEM);
}
}
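Review bot: Classifying the failure by substring-matching server text such as `"HTTP Status 401 - Authentication required"` ties the UI's error mapping to the wording of a servlet container's HTML error page, which varies between container versions and locales; the code that performs the request has the HTTP status available, so propagating the status code (or a typed exception) would let this method branch on a number instead of prose. The 401 and 403 arms now assign the same `UNAUTHENTICATED_MSG` and could be merged into one condition, and the repeated `!(message==null) && !(message.isEmpty())` prefix can be hoisted into a single guard. The enclosing method and its earlier branches start outside the hunk.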
[05/12] incubator-ranger git commit: RANGER-514 : Fix SOLR audit for
KMS
Posted by sn...@apache.org.
RANGER-514 : Fix SOLR audit for KMS
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/9e5bd854
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/9e5bd854
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/9e5bd854
Branch: refs/heads/ranger-0.5
Commit: 9e5bd854013e7529994ab81fff53c18d57aa4081
Parents: dda7a16
Author: Gautam Borad <gb...@gmail.com>
Authored: Fri May 29 19:03:15 2015 +0530
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Fri May 29 10:48:58 2015 -0400
----------------------------------------------------------------------
kms/pom.xml | 10 ++++++++++
src/main/assembly/kms.xml | 2 ++
2 files changed, 12 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e5bd854/kms/pom.xml
----------------------------------------------------------------------
diff --git a/kms/pom.xml b/kms/pom.xml
index 183359e..a726a86 100644
--- a/kms/pom.xml
+++ b/kms/pom.xml
@@ -431,6 +431,16 @@
<artifactId>credentialbuilder</artifactId>
<version>${project.version}</version>
</dependency>
+ <dependency>
+ <groupId>org.apache.httpcomponents</groupId>
+ <artifactId>httpmime</artifactId>
+ <version>${httpcomponent.httpmime.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.noggit</groupId>
+ <artifactId>noggit</artifactId>
+ <version>${noggit.version}</version>
+ </dependency>
</dependencies>
<build>
<pluginManagement>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9e5bd854/src/main/assembly/kms.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/kms.xml b/src/main/assembly/kms.xml
index 0e609ff..a2e0e2a 100755
--- a/src/main/assembly/kms.xml
+++ b/src/main/assembly/kms.xml
@@ -100,6 +100,8 @@
<include>org.xerial.snappy:snappy-java</include>
<include>xmlenc:xmlenc</include>
<include>org.tukaani:xz</include>
+ <include>org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version}</include>
+ <include>org.noggit:noggit:jar:${noggit.version}</include>
</includes>
</dependencySet>
</dependencySets>
[10/12] incubator-ranger git commit: RANGER-515 : Handle listing of
large no of groups
Posted by sn...@apache.org.
RANGER-515 : Handle listing of large no of groups
Signed-off-by: sneethiraj <sn...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/a097b7f8
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/a097b7f8
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/a097b7f8
Branch: refs/heads/ranger-0.5
Commit: a097b7f8f2919544819f35edced710c8020dc0d1
Parents: 29f8f20
Author: Gautam Borad <gb...@gmail.com>
Authored: Sat May 30 14:30:45 2015 +0530
Committer: sneethiraj <sn...@apache.org>
Committed: Sat May 30 23:57:24 2015 -0400
----------------------------------------------------------------------
security-admin/src/bin/ranger_install.py | 19 +++++++++-------
.../src/main/webapp/scripts/utils/XAUtils.js | 24 ++++++++++++--------
.../views/permissions/ModulePermissionForm.js | 10 ++++----
.../views/permissions/ModulePermsTableLayout.js | 2 ++
.../views/policies/RangerPolicyTableLayout.js | 2 ++
5 files changed, 34 insertions(+), 23 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a097b7f8/security-admin/src/bin/ranger_install.py
----------------------------------------------------------------------
diff --git a/security-admin/src/bin/ranger_install.py b/security-admin/src/bin/ranger_install.py
index 346f292..d961b55 100644
--- a/security-admin/src/bin/ranger_install.py
+++ b/security-admin/src/bin/ranger_install.py
@@ -299,7 +299,8 @@ def init_variables(switch):
conf_dict['audit_db_name']=os.getenv("RANGER_AUDIT_DB_DBNAME")
conf_dict['audit_db_user']=os.getenv("RANGER_AUDIT_DB_USERNAME")
conf_dict['audit_db_password']=os.getenv("RANGER_AUDIT_DB_PASSWORD")
-
+ conf_dict['RANGER_ADMIN_DB_PORT']=os.getenv("RANGER_ADMIN_DB_PORT")
+ conf_dict['RANGER_AUDIT_DB_PORT']=os.getenv("RANGER_AUDIT_DB_PORT")
db_dir = os.path.join(conf_dict['RANGER_ADMIN_HOME'] , "db")
conf_dict['mysql_core_file']=os.path.join(db_dir,'mysql','xa_core_db.sql')
conf_dict['mysql_audit_file']=os.path.join(db_dir,'mysql','xa_audit_db.sql')
@@ -714,6 +715,8 @@ def update_properties():
db_user = conf_dict["RANGER_ADMIN_DB_USERNAME"]
db_password = conf_dict["RANGER_ADMIN_DB_PASSWORD"]
db_name = conf_dict["RANGER_ADMIN_DB_NAME"]
+ RANGER_ADMIN_DB_PORT = conf_dict["RANGER_ADMIN_DB_PORT"]
+ RANGER_AUDIT_DB_PORT = conf_dict["RANGER_AUDIT_DB_PORT"]
audit_db_user = conf_dict["RANGER_AUDIT_DB_USERNAME"]
audit_db_password = conf_dict["RANGER_AUDIT_DB_PASSWORD"]
@@ -734,7 +737,7 @@ def update_properties():
log("SQL_HOST is : " + MYSQL_HOST,"debug")
if RANGER_DB_FLAVOR == "MYSQL":
propertyName="ranger.jpa.jdbc.url"
- newPropertyValue="jdbc:log4jdbc:mysql://" + MYSQL_HOST + ":3306/" + db_name
+ newPropertyValue="jdbc:log4jdbc:mysql://" + MYSQL_HOST + ":RANGER_ADMIN_DB_PORT/" + db_name
updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger)
propertyName="ranger.jpa.jdbc.user"
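Review bot: `":RANGER_ADMIN_DB_PORT/"` is inside the string literal, so the generated JDBC URL will literally contain the text `RANGER_ADMIN_DB_PORT` and the MySQL driver cannot connect; the line should be `newPropertyValue="jdbc:log4jdbc:mysql://" + MYSQL_HOST + ":" + RANGER_ADMIN_DB_PORT + "/" + db_name`. The audit URL in the next hunk has the identical defect with `RANGER_AUDIT_DB_PORT`. Since `conf_dict['RANGER_ADMIN_DB_PORT']` is filled from `os.getenv` without a default, an unset variable would then make the concatenation raise `TypeError`; `os.getenv("RANGER_ADMIN_DB_PORT", "3306")` in `init_variables` would preserve the previous default. `update_properties` continues outside the hunk.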
@@ -746,7 +749,7 @@ def update_properties():
updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger)
propertyName="ranger.jpa.audit.jdbc.url"
- newPropertyValue="jdbc:log4jdbc:mysql://"+MYSQL_HOST+":3306/"+audit_db_name
+ newPropertyValue="jdbc:log4jdbc:mysql://"+MYSQL_HOST+":RANGER_AUDIT_DB_PORT/"+audit_db_name
updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger)
propertyName="ranger.jpa.jdbc.dialect"
@@ -767,7 +770,7 @@ def update_properties():
elif RANGER_DB_FLAVOR == "ORACLE":
propertyName="ranger.jpa.jdbc.url"
- newPropertyValue="jdbc:oracle:thin:%s/%s@%s:1521/XE" %(db_user, db_password, MYSQL_HOST)
+ newPropertyValue="jdbc:oracle:thin:@%s" %(MYSQL_HOST)
updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger)
propertyName="ranger.jpa.jdbc.user"
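Review bot: The Oracle URL is now `jdbc:oracle:thin:@%s` filled with `MYSQL_HOST` alone, so for Oracle that variable must carry the full connect string (host, port and service/SID) while it is a bare host for the other flavours; that changed expectation should be stated where `MYSQL_HOST` is read, and the newly introduced `RANGER_ADMIN_DB_PORT` is not used for Oracle at all. The audit URL in the following hunk has the same shape. `update_properties` continues outside the hunk.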
@@ -779,7 +782,7 @@ def update_properties():
updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger)
propertyName="ranger.jpa.audit.jdbc.url"
- newPropertyValue="jdbc:oracle:thin:%s/%s@%s:1521/XE" %(audit_db_user, audit_db_password, MYSQL_HOST)
+ newPropertyValue="jdbc:oracle:thin:@%s" %(MYSQL_HOST)
updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger)
propertyName="ranger.jpa.jdbc.dialect"
@@ -800,7 +803,7 @@ def update_properties():
elif RANGER_DB_FLAVOR == "POSTGRES":
propertyName="ranger.jpa.jdbc.url"
- newPropertyValue="jdbc:postgresql://%s/%s" %(MYSQL_HOST, db_name)
+ newPropertyValue="jdbc:postgresql://%s:%s/%s" %(MYSQL_HOST, RANGER_ADMIN_DB_PORT, db_name)
updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger)
propertyName="ranger.jpa.jdbc.user"
@@ -812,7 +815,7 @@ def update_properties():
updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger)
propertyName="ranger.jpa.audit.jdbc.url"
- newPropertyValue="jdbc:postgresql://%s/%s" %(MYSQL_HOST, audit_db_name)
+ newPropertyValue="jdbc:postgresql://%s:%s/%s" %(MYSQL_HOST, RANGER_AUDIT_DB_PORT, audit_db_name)
updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger)
propertyName="ranger.jpa.jdbc.dialect"
@@ -853,7 +856,7 @@ def update_properties():
newPropertyValue="org.eclipse.persistence.platform.database.SQLServerPlatform"
updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_default)
- propertyName="ranger.jpa.jdbc.dialect"
+ propertyName="ranger.jpa.audit.jdbc.dialect"
newPropertyValue="org.eclipse.persistence.platform.database.SQLServerPlatform"
updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_default)
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a097b7f8/security-admin/src/main/webapp/scripts/utils/XAUtils.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/utils/XAUtils.js b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
index 89668a2..b99d8fd 100644
--- a/security-admin/src/main/webapp/scripts/utils/XAUtils.js
+++ b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
@@ -473,30 +473,32 @@ define(function(require) {
var newGroupArr = _.map(groupArr, function(name, i) {
if (i >= 4) {
- return '<span class="label label-info" policy-' + type
+ return '<span class="label label-info float-left-margin-2" policy-' + type
+ '-id="' + model.id + '" style="display:none;">'
+ name + '</span>';
} else if (i == 3 && groupArr.length > 4) {
showMoreLess = true;
- return '<span class="label label-info" policy-' + type
+ return '<span class="label label-info float-left-margin-2" policy-' + type
+ '-id="' + model.id + '">' + name + '</span>';
} else {
- return '<span class="label label-info" policy-' + type
+ return '<span class="label label-info float-left-margin-2" policy-' + type
+ '-id="' + model.id + '">' + name + '</span>';
}
});
if (showMoreLess) {
newGroupArr
- .push('<span class="pull-left"><a href="javascript:void(0);" data-id="showMore" class="" policy-'
+ .push('<span class="pull-left float-left-margin-2"><a href="javascript:void(0);" data-id="showMore" class="" policy-'
+ type
+ '-id="'
+ model.id
- + '"><code style=""> + More..</code></a></span><span class="pull-left" ><a href="javascript:void(0);" data-id="showLess" class="" policy-'
+ + '"><code style=""> + More..</code></a></span><span class="pull-left float-left-margin-2" ><a href="javascript:void(0);" data-id="showLess" class="" policy-'
+ type
+ '-id="'
+ model.id
+ '" style="display:none;"><code> - Less..</code></a></span>');
}
+ newGroupArr.unshift('<div data-id="groupsDiv">');
+ newGroupArr.push('</div>');
return newGroupArr.length ? newGroupArr.join(' ') : '--';
};
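Review bot: After the new `unshift('<div data-id="groupsDiv">')` and `push('</div>')` the array is never empty, so the `newGroupArr.length ? … : '--'` fallback on the return line can no longer fire and an empty group list now renders as an empty div instead of `--`. Test for emptiness before wrapping, e.g. `if (!newGroupArr.length) { return '--'; }` placed ahead of the `unshift`. The user/group variant in the next hunk has the same problem. Separately, `name` and `model.id` are still concatenated into markup unescaped; since underscore is already in use here, `_.escape(name)` would keep a group or user name that happens to contain markup from being rendered as HTML.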
@@ -517,30 +519,32 @@ define(function(require) {
var newObjArr = _.map(objArr, function(name, i) {
if (i >= 4) {
- return '<span class="label label-info" policy-' + userOrGroups
+ return '<span class="label label-info float-left-margin-2" policy-' + userOrGroups
+ '-id="' + model.id + '" style="display:none;">'
+ name + '</span>';
} else if (i == 3 && objArr.length > 4) {
showMoreLess = true;
- return '<span class="label label-info" policy-' + userOrGroups
+ return '<span class="label label-info float-left-margin-2" policy-' + userOrGroups
+ '-id="' + model.id + '">' + name + '</span>';
} else {
- return '<span class="label label-info" policy-' + userOrGroups
+ return '<span class="label label-info float-left-margin-2" policy-' + userOrGroups
+ '-id="' + model.id + '">' + name + '</span>';
}
});
if (showMoreLess) {
newObjArr
- .push('<span class="pull-left"><a href="javascript:void(0);" data-id="showMore" class="" policy-'
+ .push('<span class="pull-left float-left-margin-2"><a href="javascript:void(0);" data-id="showMore" class="" policy-'
+ userOrGroups
+ '-id="'
+ model.id
- + '"><code style=""> + More..</code></a></span><span class="pull-left" ><a href="javascript:void(0);" data-id="showLess" class="" policy-'
+ + '"><code style=""> + More..</code></a></span><span class="pull-left float-left-margin-2" ><a href="javascript:void(0);" data-id="showLess" class="" policy-'
+ userOrGroups
+ '-id="'
+ model.id
+ '" style="display:none;"><code> - Less..</code></a></span>');
}
+ newObjArr.unshift('<div data-id="groupsDiv">');
+ newObjArr.push('</div>');
return newObjArr.length ? newObjArr.join(' ') : '--';
};
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a097b7f8/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionForm.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionForm.js b/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionForm.js
index 8984fb9..497a4a2 100644
--- a/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionForm.js
+++ b/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionForm.js
@@ -91,7 +91,7 @@ define(function(require) {
selectUsers : {
type : 'Select2Remote',
editorAttrs : {'placeholder' :'Select User','tokenSeparators': [",", " "],multiple:true},
- pluginAttr: this.getPlugginAttr(true,{'lookupURL':"service/users",'permList':that.model.get('userPermList'),'idKey':'userId','textKey':'userName'}),
+ pluginAttr: this.getPlugginAttr(true,{'lookupURL':"service/xusers/users",'permList':that.model.get('userPermList'),'idKey':'userId','textKey':'userName'}),
title : localization.tt('lbl.selectUser')+' *',
},
isAllowed : {
@@ -170,16 +170,16 @@ define(function(require) {
cache: false,
data: function (term, page) {
//To be checked
- //return {name : term, isVisible : XAEnums.VisibilityStatus.STATUS_VISIBLE.value};
- return {loginId : term};
+ return {name : term, isVisible : XAEnums.VisibilityStatus.STATUS_VISIBLE.value};
+// return {loginId : term};
},
results: function (data, page) {
var results = [];
if(data.resultSize != "0"){
if(!_.isUndefined(data.vXGroups))
results = data.vXGroups.map(function(m, i){ return {id : m.id+"", text: m.name}; });
- else if(!_.isUndefined(data.vXPortalUsers))
- results = data.vXPortalUsers.map(function(m, i){ return {id : m.id+"", text: m.loginId}; });
+ else if(!_.isUndefined(data.vXUsers))
+ results = data.vXUsers.map(function(m, i){ return {id : m.id+"", text: m.name}; });
}
return { results : results};
},
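Review bot: The new `data` callback keeps the old request body as commented-out code (`// return {loginId : term};`) beneath a `//To be checked` comment that this change appears to resolve; both lines should be deleted rather than left as dead code. The `results` branch now reads `data.vXUsers` and `m.name`, which is consistent with the `service/xusers/users` lookup URL switched in the previous hunk. If the change in user source is deliberate, a one-line comment such as `// users come from the xusers API, keyed by name rather than loginId` would explain the switch to the next reader.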
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a097b7f8/security-admin/src/main/webapp/scripts/views/permissions/ModulePermsTableLayout.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/permissions/ModulePermsTableLayout.js b/security-admin/src/main/webapp/scripts/views/permissions/ModulePermsTableLayout.js
index 3e78904..18d7c4c 100644
--- a/security-admin/src/main/webapp/scripts/views/permissions/ModulePermsTableLayout.js
+++ b/security-admin/src/main/webapp/scripts/views/permissions/ModulePermsTableLayout.js
@@ -183,6 +183,7 @@ define(function(require){
$td.find('['+attrName+'="'+id+'"]').show();
$td.find('[data-id="showLess"]['+attrName+'="'+id+'"]').show();
$td.find('[data-id="showMore"]['+attrName+'="'+id+'"]').hide();
+ $td.find('[data-id="showMore"]['+attrName+'="'+id+'"]').parents('div[data-id="groupsDiv"]').addClass('set-height-groups');
},
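Review bot: The added line repeats the `$td.find('[data-id="showMore"]…')` lookup performed on the line directly above it; capture it once, e.g. `var $more = $td.find('[data-id="showMore"]['+attrName+'="'+id+'"]'); $more.hide(); $more.parents('div[data-id="groupsDiv"]').addClass('set-height-groups');`. `.parents()` walks every ancestor, so if only the nearest wrapping div is meant, `.closest('div[data-id="groupsDiv"]')` says so and stops at the first match. The same duplicated lookup appears in onShowLess in the next hunk and in both hunks of RangerPolicyTableLayout.js.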
onShowLess : function(e){
var attrName = 'policy-groups-id';
@@ -195,6 +196,7 @@ define(function(require){
$td.find('['+attrName+'="'+id+'"]').slice(4).hide();
$td.find('[data-id="showLess"]['+attrName+'="'+id+'"]').hide();
$td.find('[data-id="showMore"]['+attrName+'="'+id+'"]').show();
+ $td.find('[data-id="showMore"]['+attrName+'="'+id+'"]').parents('div[data-id="groupsDiv"]').removeClass('set-height-groups');
},
addVisualSearch : function(){
var that = this;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a097b7f8/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js
index 0e92d6e..9a6b92f 100644
--- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js
+++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js
@@ -298,6 +298,7 @@ define(function(require){
$td.find('['+attrName+'="'+id+'"]').show();
$td.find('[data-id="showLess"]['+attrName+'="'+id+'"]').show();
$td.find('[data-id="showMore"]['+attrName+'="'+id+'"]').hide();
+ $td.find('[data-id="showMore"]['+attrName+'="'+id+'"]').parents('div[data-id="groupsDiv"]').addClass('set-height-groups');
},
onShowLess : function(e){
var attrName = 'policy-groups-id';
@@ -310,6 +311,7 @@ define(function(require){
$td.find('['+attrName+'="'+id+'"]').slice(4).hide();
$td.find('[data-id="showLess"]['+attrName+'="'+id+'"]').hide();
$td.find('[data-id="showMore"]['+attrName+'="'+id+'"]').show();
+ $td.find('[data-id="showMore"]['+attrName+'="'+id+'"]').parents('div[data-id="groupsDiv"]').removeClass('set-height-groups');
},
addVisualSearch : function(){
var that = this;
[07/12] incubator-ranger git commit: RANGER-397 Applied review
feedback
Posted by sn...@apache.org.
RANGER-397 Applied review feedback
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/94ba6beb
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/94ba6beb
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/94ba6beb
Branch: refs/heads/ranger-0.5
Commit: 94ba6beb3841f094d5800619275d80296a8b54b6
Parents: a2de245
Author: Don Bosco Durai <bo...@apache.org>
Authored: Sat May 30 12:14:19 2015 -0700
Committer: Don Bosco Durai <bo...@apache.org>
Committed: Sat May 30 12:14:19 2015 -0700
----------------------------------------------------------------------
.../audit/destination/DBAuditDestination.java | 24 +++++++++++-------
.../ranger/audit/queue/AuditAsyncQueue.java | 25 +++++++++----------
.../ranger/audit/queue/AuditBatchQueue.java | 21 ++++++----------
.../apache/ranger/audit/queue/AuditQueue.java | 7 ++++++
.../ranger/audit/queue/AuditSummaryQueue.java | 26 +++++++++-----------
.../kafka/client/ServiceKafkaClient.java | 5 ++--
.../services/solr/client/ServiceSolrClient.java | 5 ++--
.../org/apache/ranger/common/ServiceUtil.java | 13 +++++++---
src/main/assembly/plugin-kafka.xml | 2 ++
9 files changed, 66 insertions(+), 62 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/94ba6beb/agents-audit/src/main/java/org/apache/ranger/audit/destination/DBAuditDestination.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/destination/DBAuditDestination.java b/agents-audit/src/main/java/org/apache/ranger/audit/destination/DBAuditDestination.java
index c58748e..8cece4e 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/destination/DBAuditDestination.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/destination/DBAuditDestination.java
@@ -119,8 +119,8 @@ public class DBAuditDestination extends AuditDestination {
+ PROP_DB_JDBC_URL);
dbUser = MiscUtil.getStringProperty(props, propPrefix + "."
+ PROP_DB_USER);
- String dbPassword = MiscUtil.getStringProperty(props, propPrefix
- + "." + PROP_DB_PASSWORD);
+ String dbPasswordFromProp = MiscUtil.getStringProperty(props,
+ propPrefix + "." + PROP_DB_PASSWORD);
String tmpAlias = MiscUtil.getStringProperty(props, propPrefix
+ "." + PROP_DB_PASSWORD_ALIAS);
dbPasswordAlias = tmpAlias != null ? tmpAlias : dbPasswordAlias;
@@ -142,16 +142,22 @@ public class DBAuditDestination extends AuditDestination {
+ propPrefix + "." + PROP_DB_USER);
return;
}
+ String dbPassword = MiscUtil.getCredentialString(credFile,
+ dbPasswordAlias);
+
if (dbPassword == null || dbPassword.isEmpty()) {
- logger.warn("DB password not provided. Will assume empty for now. Set property name "
- + propPrefix + "." + PROP_DB_PASSWORD);
- } else {
- dbPassword = MiscUtil.getCredentialString(credFile,
- dbPasswordAlias);
+ // If password is not in credential store, let's try password
+ // from property
+ dbPassword = dbPasswordFromProp;
+ }
+
+ if (dbPassword == null || dbPassword.isEmpty()) {
+ logger.warn("DB password not provided. Will assume it is empty and continue");
}
logger.info("JDBC Driver=" + jdbcDriver + ", JDBC URL=" + jdbcURL
+ ", dbUser=" + dbUser + ", passwordAlias="
- + dbPasswordAlias + ", credFile=" + credFile);
+ + dbPasswordAlias + ", credFile=" + credFile
+ + ", usingPassword=" + (dbPassword == null ? "no" : "yes"));
Map<String, String> dbProperties = new HashMap<String, String>();
dbProperties.put("javax.persistence.jdbc.driver", jdbcDriver);
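Review bot: The new warning `"DB password not provided. Will assume it is empty and continue"` dropped the hint the old message carried about which property to set, and now that two sources are consulted the operator cannot tell from the log which alias or property was looked up. Suggest `logger.warn("DB password not provided. Will assume it is empty and continue. Set " + propPrefix + "." + PROP_DB_PASSWORD + " or credential alias " + dbPasswordAlias + " in credFile=" + credFile);`. The new precedence (credential store first, plain property only as fallback) is the right order; a short comment at the fallback noting that the property form keeps the password in clear text in the configuration file would explain why the store is preferred. The info line correctly reports only whether a password is in use and never its value.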
@@ -170,7 +176,7 @@ public class DBAuditDestination extends AuditDestination {
daoManager.setEntityManagerFactory(entityManagerFactory);
// this forces the connection to be made to DB
- if (daoManager.getEntityManager() != null) {
+ if (daoManager.getEntityManager() == null) {
logger.error("Error connecting audit database. EntityManager is null. dbURL="
+ jdbcURL + ", dbUser=" + dbUser);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/94ba6beb/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditAsyncQueue.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditAsyncQueue.java b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditAsyncQueue.java
index de5941a..47480da 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditAsyncQueue.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditAsyncQueue.java
@@ -103,9 +103,6 @@ public class AuditAsyncQueue extends AuditQueue implements Runnable {
@Override
public void stop() {
logger.info("Stop called. name=" + getName());
- if (stopTime != 0) {
- stopTime = System.currentTimeMillis();
- }
setDrain(true);
try {
if (consumerThread != null) {
@@ -145,21 +142,21 @@ public class AuditAsyncQueue extends AuditQueue implements Runnable {
}
} catch (InterruptedException e) {
logger.info(
- "Caught exception in consumer thread. Mostly server is shutting down.",
+ "Caught exception in consumer thread. Shutdown might be in progress",
e);
} catch (Throwable t) {
logger.error("Caught error during processing request.", t);
}
- if (isDrain() && queue.isEmpty()) {
- break;
- }
- if (isDrain()
- && (stopTime - System.currentTimeMillis()) > AUDIT_CONSUMER_THREAD_WAIT_MS) {
- logger.warn("Exiting polling loop to max time allowed. name="
- + getName() + ", waited for "
- + (stopTime - System.currentTimeMillis()) + " ms");
-
- break;
+ if (isDrain()) {
+ if (queue.isEmpty()) {
+ break;
+ }
+ if (isDrainMaxTimeElapsed()) {
+ logger.warn("Exiting polling loop because max time allowed reached. name="
+ + getName()
+ + ", waited for "
+ + (stopTime - System.currentTimeMillis()) + " ms");
+ }
}
}
logger.info("Exiting polling loop. name=" + getName());
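Review bot: The rewritten drain check logs `"Exiting polling loop because max time allowed reached"` when `isDrainMaxTimeElapsed()` holds but no longer leaves the loop, so polling continues and that warning is repeated on every iteration until the queue empties; the removed code had a `break` after the warning. Add `break;` after the `logger.warn(...)` inside the `isDrainMaxTimeElapsed()` block. The same `break` went missing in the AuditBatchQueue and AuditSummaryQueue hunks of this commit. The `waited for` value `stopTime - System.currentTimeMillis()` printed here is negative once stopTime lies in the past; `System.currentTimeMillis() - stopTime` is the elapsed time. The enclosing polling loop starts outside this hunk.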
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/94ba6beb/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditBatchQueue.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditBatchQueue.java b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditBatchQueue.java
index 645483b..80d7853 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditBatchQueue.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditBatchQueue.java
@@ -120,10 +120,6 @@ public class AuditBatchQueue extends AuditQueue implements Runnable {
@Override
public void stop() {
logger.info("Stop called. name=" + getName());
- if (stopTime != 0) {
- stopTime = System.currentTimeMillis();
- }
-
setDrain(true);
flush();
try {
@@ -266,7 +262,7 @@ public class AuditBatchQueue extends AuditQueue implements Runnable {
}
} catch (InterruptedException e) {
logger.info(
- "Caught exception in consumer thread. Mostly server is shutting down.",
+ "Caught exception in consumer thread. Shutdown might be in progress",
e);
setDrain(true);
} catch (Throwable t) {
@@ -319,16 +315,13 @@ public class AuditBatchQueue extends AuditQueue implements Runnable {
} else {
break;
}
+ if (isDrainMaxTimeElapsed()) {
+ logger.warn("Exiting polling loop because max time allowed reached. name="
+ + getName()
+ + ", waited for "
+ + (stopTime - System.currentTimeMillis()) + " ms");
+ }
}
- if (isDrain()
- && (stopTime - System.currentTimeMillis()) > AUDIT_CONSUMER_THREAD_WAIT_MS) {
- logger.warn("Exiting polling loop to max time allowed. name="
- + getName() + ", waited for "
- + (stopTime - System.currentTimeMillis()) + " ms");
-
- break;
- }
-
}
logger.info("Exiting consumerThread. Queue=" + getName() + ", dest="
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/94ba6beb/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java
index 039dc6d..e873459 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java
@@ -114,11 +114,18 @@ public abstract class AuditQueue extends BaseAuditHandler {
return consumer;
}
+ public boolean isDrainMaxTimeElapsed() {
+ return (stopTime - System.currentTimeMillis()) > AUDIT_CONSUMER_THREAD_WAIT_MS;
+ }
+
public boolean isDrain() {
return isDrain;
}
public void setDrain(boolean isDrain) {
+ if (isDrain && stopTime != 0) {
+ stopTime = System.currentTimeMillis();
+ }
this.isDrain = isDrain;
}
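Review bot: `isDrainMaxTimeElapsed()` computes `stopTime - System.currentTimeMillis()`, which is negative once stopTime holds a past timestamp (and hugely negative while it is still 0), so the comparison against AUDIT_CONSUMER_THREAD_WAIT_MS never holds if that constant is positive and the drain timeout is effectively disabled. It should read `return (System.currentTimeMillis() - stopTime) > AUDIT_CONSUMER_THREAD_WAIT_MS;`. In `setDrain`, `if (isDrain && stopTime != 0)` only records a stop time when one is already recorded; if stopTime defaults to 0 as this check implies, the intent looks like `if (isDrain && stopTime == 0)`, capturing it once on the first drain request. Both conditions were carried over from the code removed in the queue classes, so the inversion predates this commit, but centralising the logic here is the natural place to correct it.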
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/94ba6beb/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditSummaryQueue.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditSummaryQueue.java b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditSummaryQueue.java
index 1e5b500..f1ce799 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditSummaryQueue.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditSummaryQueue.java
@@ -123,10 +123,6 @@ public class AuditSummaryQueue extends AuditQueue implements Runnable {
@Override
public void stop() {
logger.info("Stop called. name=" + getName());
- if (stopTime != 0) {
- stopTime = System.currentTimeMillis();
- }
-
setDrain(true);
try {
if (consumerThread != null) {
@@ -179,7 +175,7 @@ public class AuditSummaryQueue extends AuditQueue implements Runnable {
}
} catch (InterruptedException e) {
logger.info(
- "Caught exception in consumer thread. Mostly server is shutting down.",
+ "Caught exception in consumer thread. Shutdown might be in progress",
e);
} catch (Throwable t) {
logger.error("Caught error during processing request.", t);
@@ -223,16 +219,16 @@ public class AuditSummaryQueue extends AuditQueue implements Runnable {
summaryMap.clear();
}
- if (isDrain() && summaryMap.isEmpty() && queue.isEmpty()) {
- break;
- }
- if (isDrain()
- && (stopTime - System.currentTimeMillis()) > AUDIT_CONSUMER_THREAD_WAIT_MS) {
- logger.warn("Exiting polling loop to max time allowed. name="
- + getName() + ", waited for "
- + (stopTime - System.currentTimeMillis()) + " ms");
-
- break;
+ if (isDrain()) {
+ if (summaryMap.isEmpty() && queue.isEmpty()) {
+ break;
+ }
+ if (isDrainMaxTimeElapsed()) {
+ logger.warn("Exiting polling loop because max time allowed reached. name="
+ + getName()
+ + ", waited for "
+ + (stopTime - System.currentTimeMillis()) + " ms");
+ }
}
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/94ba6beb/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/client/ServiceKafkaClient.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/client/ServiceKafkaClient.java b/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/client/ServiceKafkaClient.java
index 5cca619..0698bf6 100644
--- a/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/client/ServiceKafkaClient.java
+++ b/plugin-kafka/src/main/java/org/apache/ranger/services/kafka/client/ServiceKafkaClient.java
@@ -61,20 +61,19 @@ public class ServiceKafkaClient {
public HashMap<String, Object> testConnection() throws Exception {
String errMsg = errMessage;
- boolean connectivityStatus = false;
HashMap<String, Object> responseData = new HashMap<String, Object>();
try {
getTopicList(null);
// If it doesn't throw exception, then assume the instance is
// reachable
String successMsg = "TestConnection Successful";
- BaseClient.generateResponseDataMap(connectivityStatus, successMsg,
+ BaseClient.generateResponseDataMap(true, successMsg,
successMsg, null, null, responseData);
} catch (IOException e) {
LOG.error("Error connecting to Kafka. kafkaClient=" + this, e);
String failureMsg = "Unable to connect to Kafka instance."
+ e.getMessage();
- BaseClient.generateResponseDataMap(connectivityStatus, failureMsg,
+ BaseClient.generateResponseDataMap(false, failureMsg,
failureMsg + errMsg, null, null, responseData);
}
return responseData;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/94ba6beb/plugin-solr/src/main/java/org/apache/ranger/services/solr/client/ServiceSolrClient.java
----------------------------------------------------------------------
diff --git a/plugin-solr/src/main/java/org/apache/ranger/services/solr/client/ServiceSolrClient.java b/plugin-solr/src/main/java/org/apache/ranger/services/solr/client/ServiceSolrClient.java
index 6a192f4..801578b 100644
--- a/plugin-solr/src/main/java/org/apache/ranger/services/solr/client/ServiceSolrClient.java
+++ b/plugin-solr/src/main/java/org/apache/ranger/services/solr/client/ServiceSolrClient.java
@@ -72,7 +72,6 @@ public class ServiceSolrClient {
public HashMap<String, Object> testConnection() throws Exception {
String errMsg = errMessage;
- boolean connectivityStatus = false;
HashMap<String, Object> responseData = new HashMap<String, Object>();
try {
@@ -80,13 +79,13 @@ public class ServiceSolrClient {
// If it doesn't throw exception, then assume the instance is
// reachable
String successMsg = "TestConnection Successful";
- BaseClient.generateResponseDataMap(connectivityStatus, successMsg,
+ BaseClient.generateResponseDataMap(true, successMsg,
successMsg, null, null, responseData);
} catch (IOException e) {
LOG.error("Error connecting to Solr. solrClient=" + solrClient, e);
String failureMsg = "Unable to connect to Solr instance."
+ e.getMessage();
- BaseClient.generateResponseDataMap(connectivityStatus, failureMsg,
+ BaseClient.generateResponseDataMap(false, failureMsg,
failureMsg + errMsg, null, null, responseData);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/94ba6beb/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java b/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java
index 09759c3..b7a923b 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java
@@ -1305,27 +1305,29 @@ public class ServiceUtil {
try {
service = svcStore.getServiceByName(serviceName);
} catch (Exception e) {
- LOG.error("Requested Service not found");
+ LOG.error("Requested Service not found. serviceName=" + serviceName);
throw restErrorUtil.createRESTException("Serivce:" + serviceName + " not found",
MessageEnums.DATA_NOT_FOUND);
}
if(service==null){
- LOG.error("Requested Service not found");
+ LOG.error("Requested Service not found. Service name is null.");
throw restErrorUtil.createRESTException("No Data Found.",
MessageEnums.DATA_NOT_FOUND);
}
if(!service.getIsEnabled()){
- LOG.error("Requested Service is disabled");
+ LOG.error("Requested Service is disabled. serviceName=" + serviceName);
throw restErrorUtil.createRESTException("Unauthorized access.",
MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
}
if (!httpEnabled) {
if (!isSecure) {
+ LOG.error("Unauthorized access. Only https is allowed. serviceName=" + serviceName);
throw restErrorUtil.createRESTException("Unauthorized access -"
+ " only https allowed",
MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
}
if (certchain == null || certchain.length == 0) {
+ LOG.error("Unauthorized access. Unable to get client certificate. serviceName=" + serviceName);
throw restErrorUtil.createRESTException("Unauthorized access -"
+ " unable to get client certificate",
MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
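Review bot: The new message on the `service==null` branch, `"Requested Service not found. Service name is null."`, is misleading: `serviceName` was just used for the lookup and is not what is null — the store returned no service for it. Use `LOG.error("Requested Service not found. serviceName=" + serviceName);` as the other branches in this hunk do. The added https and client-certificate log lines make rejected plugin calls visible in the server log and carry only the service name, not certificate material, which is the right level of detail. The enclosing method continues outside this hunk.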
@@ -1344,13 +1346,14 @@ public class ServiceUtil {
}
}
if (commonName == null) {
+ LOG.error("Unauthorized access. CName is null. serviceName=" + serviceName);
throw restErrorUtil.createRESTException(
"Unauthorized access - Unable to find Common Name from ["
+ dn + "]",
MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
}
} catch (InvalidNameException e) {
- LOG.error("Invalid Common Name.", e);
+ LOG.error("Invalid Common Name. CName=" + commonName + ", serviceName=" + serviceName, e);
throw restErrorUtil.createRESTException(
"Unauthorized access - Invalid Common Name",
MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
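Review bot: The new log in the `InvalidNameException` catch prints `CName=" + commonName`, but that exception is most plausibly raised while parsing the DN, before commonName has been assigned, so the line would usually read `CName=null`; the assignment sits outside this hunk, so this is inferred. Logging the DN being parsed, e.g. `LOG.error("Invalid Common Name. dn=" + dn + ", serviceName=" + serviceName, e);`, would identify the offending certificate, provided `dn` is declared outside the try block (it is referenced on the context line above but its declaration is not visible here).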
@@ -1362,6 +1365,8 @@ public class ServiceUtil {
String cnFromConfig = configMap.get("commonNameForCertificate");
if (cnFromConfig == null
|| !commonName.equalsIgnoreCase(cnFromConfig)) {
+ LOG.error("Unauthorized access. expected [" + cnFromConfig + "], found ["
+ + commonName + "], serviceName=" + serviceName);
throw restErrorUtil.createRESTException(
"Unauthorized access. expected [" + cnFromConfig
+ "], found [" + commonName + "]",
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/94ba6beb/src/main/assembly/plugin-kafka.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/plugin-kafka.xml b/src/main/assembly/plugin-kafka.xml
index 77c4e65..67e8489 100644
--- a/src/main/assembly/plugin-kafka.xml
+++ b/src/main/assembly/plugin-kafka.xml
@@ -36,6 +36,8 @@
</include>
<include>org.apache.hadoop:hadoop-common-plus:jar:${hadoop-common.version}
</include>
+ <include>org.apache.hadoop:hadoop-auth:jar:${hadoop-common.version}
+ </include>
<include>com.google.code.gson:gson</include>
<include>org.eclipse.persistence:eclipselink</include>
<include>org.eclipse.persistence:javax.persistence</include>
[02/12] incubator-ranger git commit: RANGER-512: fixed policy
create/update to fail when non-existing user or group is specified
Posted by sn...@apache.org.
RANGER-512: fixed policy create/update to fail when non-existing user or group is specified
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/fb6e94f1
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/fb6e94f1
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/fb6e94f1
Branch: refs/heads/ranger-0.5
Commit: fb6e94f13e674988d7d237211f29a24a80fdc3d4
Parents: d79401b
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Thu May 28 14:28:13 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu May 28 20:27:57 2015 -0700
----------------------------------------------------------------------
.../org/apache/ranger/biz/ServiceDBStore.java | 25 ++++++--------------
1 file changed, 7 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fb6e94f1/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 2c9ceff..b259be6 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -1758,7 +1758,7 @@ public class ServiceDBStore implements ServiceStore {
serviceDao.update(serviceDbObj);
}
- private void createNewPolicyItemsForPolicy(RangerPolicy policy, XXPolicy xPolicy, List<RangerPolicyItem> policyItems, XXServiceDef xServiceDef) {
+ private void createNewPolicyItemsForPolicy(RangerPolicy policy, XXPolicy xPolicy, List<RangerPolicyItem> policyItems, XXServiceDef xServiceDef) throws Exception {
for (int itemOrder = 0; itemOrder < policyItems.size(); itemOrder++) {
RangerPolicyItem policyItem = policyItems.get(itemOrder);
@@ -1778,9 +1778,7 @@ public class ServiceDBStore implements ServiceStore {
.findByNameAndServiceId(access.getType(),
xPolicy.getService());
if (xAccTypeDef == null) {
- LOG.info("One of given accessType is not valid for this policy. access: "
- + access.getType() + ", Ignoring this access");
- continue;
+ throw new Exception(access.getType() + ": is not a valid access-type. policy='"+ policy.getName() + "' service='"+ policy.getService() + "'");
}
XXPolicyItemAccess xPolItemAcc = new XXPolicyItemAccess();
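Review bot: Each new rejection throws a bare `new Exception(...)`, which forces the `throws Exception` added to both private method signatures and gives callers no way to tell a client-supplied bad value from an internal failure; the user, group, condition and resource checks in the following hunks do the same. Since every case is invalid input, `IllegalArgumentException` with the same message fits and leaves the signatures untouched, e.g. `throw new IllegalArgumentException(access.getType() + ": is not a valid access-type. policy='" + policy.getName() + "' service='" + policy.getService() + "'");`. Failing the create/update instead of silently dropping the entry is the right outcome — a policy that quietly lost a user or group permission would authorise something other than what its author intended. createNewPolicyItemsForPolicy continues outside this hunk.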
@@ -1799,9 +1797,7 @@ public class ServiceDBStore implements ServiceStore {
XXUser xUser = daoMgr.getXXUser().findByUserName(user);
if(xUser == null) {
- LOG.info("User does not exists with username: "
- + user + ", Ignoring permissions given to this user for policy");
- continue;
+ throw new Exception(user + ": user does not exist. policy='"+ policy.getName() + "' service='"+ policy.getService() + "'");
}
XXPolicyItemUserPerm xUserPerm = new XXPolicyItemUserPerm();
xUserPerm = (XXPolicyItemUserPerm) rangerAuditFields.populateAuditFields(xUserPerm, xPolicyItem);
@@ -1817,9 +1813,7 @@ public class ServiceDBStore implements ServiceStore {
XXGroup xGrp = daoMgr.getXXGroup().findByGroupName(group);
if(xGrp == null) {
- LOG.info("Group does not exists with groupName: "
- + group + ", Ignoring permissions given to this group for policy");
- continue;
+ throw new Exception(group + ": group does not exist. policy='"+ policy.getName() + "' service='"+ policy.getService() + "'");
}
XXPolicyItemGroupPerm xGrpPerm = new XXPolicyItemGroupPerm();
xGrpPerm = (XXPolicyItemGroupPerm) rangerAuditFields.populateAuditFields(xGrpPerm, xPolicyItem);
@@ -1836,10 +1830,7 @@ public class ServiceDBStore implements ServiceStore {
xServiceDef.getId(), condition.getType());
if(xPolCond == null) {
- LOG.info("PolicyCondition is not valid, condition: "
- + condition.getType()
- + ", Ignoring creation of this policy condition");
- continue;
+ throw new Exception(condition.getType() + ": is not a valid condition-type. policy='"+ policy.getName() + "' service='"+ policy.getService() + "'");
}
for(int i = 0; i < condition.getValues().size(); i++) {
@@ -1856,7 +1847,7 @@ public class ServiceDBStore implements ServiceStore {
}
}
- private void createNewResourcesForPolicy(RangerPolicy policy, XXPolicy xPolicy, Map<String, RangerPolicyResource> resources) {
+ private void createNewResourcesForPolicy(RangerPolicy policy, XXPolicy xPolicy, Map<String, RangerPolicyResource> resources) throws Exception {
for (Entry<String, RangerPolicyResource> resource : resources.entrySet()) {
RangerPolicyResource policyRes = resource.getValue();
@@ -1864,9 +1855,7 @@ public class ServiceDBStore implements ServiceStore {
XXResourceDef xResDef = daoMgr.getXXResourceDef()
.findByNameAndPolicyId(resource.getKey(), policy.getId());
if (xResDef == null) {
- LOG.info("No Such Resource found, resourceName : "
- + resource.getKey() + ", Ignoring this resource.");
- continue;
+ throw new Exception(resource.getKey() + ": is not a valid resource-type. policy='"+ policy.getName() + "' service='"+ policy.getService() + "'");
}
XXPolicyResource xPolRes = new XXPolicyResource();
[06/12] incubator-ranger git commit: RANGER-397 Support RDBMS as
audit destination using V3 configuration
Posted by sn...@apache.org.
RANGER-397 Support RDBMS as audit destination using V3 configuration
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/a2de2450
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/a2de2450
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/a2de2450
Branch: refs/heads/ranger-0.5
Commit: a2de2450a572468af1928d5d021567c39544e193
Parents: 9e5bd85
Author: Don Bosco Durai <bo...@apache.org>
Authored: Fri May 29 14:54:22 2015 -0700
Committer: Don Bosco Durai <bo...@apache.org>
Committed: Fri May 29 14:54:22 2015 -0700
----------------------------------------------------------------------
.../org/apache/ranger/audit/dao/DaoManager.java | 2 +
.../audit/destination/DBAuditDestination.java | 306 +++++++++++++++++++
.../audit/destination/HDFSAuditDestination.java | 3 +
.../audit/provider/AuditProviderFactory.java | 3 +-
.../ranger/audit/provider/BaseAuditHandler.java | 5 +-
.../apache/ranger/audit/provider/MiscUtil.java | 15 +
.../ranger/audit/queue/AuditAsyncQueue.java | 25 +-
.../ranger/audit/queue/AuditBatchQueue.java | 24 +-
.../apache/ranger/audit/queue/AuditQueue.java | 6 +
.../ranger/audit/queue/AuditSummaryQueue.java | 25 +-
10 files changed, 409 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2de2450/agents-audit/src/main/java/org/apache/ranger/audit/dao/DaoManager.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/dao/DaoManager.java b/agents-audit/src/main/java/org/apache/ranger/audit/dao/DaoManager.java
index 6d81744..fd4d096 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/dao/DaoManager.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/dao/DaoManager.java
@@ -49,6 +49,8 @@ public class DaoManager extends DaoManagerBase {
sEntityManager.set(em);
}
+ } else {
+ logger.error("EntityManagerFactory was not set in this thread.", new Throwable());
}
return em;
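Review bot: The new `else` branch allocates `new Throwable()` purely to attach a stack trace to the error log, and because the method still returns a null `em` the caller is free to retry on the next event, so a misconfigured audit destination could emit one stack trace per audit event. If the intent is to find who calls `getEntityManager()` without a factory, consider logging the trace once (or at debug) and the plain message thereafter. The enclosing method and its caller are outside this hunk, so how often this path is hit is inferred, not visible.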
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2de2450/agents-audit/src/main/java/org/apache/ranger/audit/destination/DBAuditDestination.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/destination/DBAuditDestination.java b/agents-audit/src/main/java/org/apache/ranger/audit/destination/DBAuditDestination.java
new file mode 100644
index 0000000..c58748e
--- /dev/null
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/destination/DBAuditDestination.java
@@ -0,0 +1,306 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.audit.destination;
+
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Properties;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import javax.persistence.EntityManager;
+import javax.persistence.EntityManagerFactory;
+import javax.persistence.EntityTransaction;
+import javax.persistence.Persistence;
+
+import org.apache.ranger.audit.dao.DaoManager;
+import org.apache.ranger.audit.model.AuditEventBase;
+import org.apache.ranger.audit.provider.MiscUtil;
+
+public class DBAuditDestination extends AuditDestination {
+
+ private static final Log logger = LogFactory
+ .getLog(DBAuditDestination.class);
+
+ public static final String PROP_DB_JDBC_DRIVER = "jdbc.driver";
+ public static final String PROP_DB_JDBC_URL = "jdbc.url";
+ public static final String PROP_DB_USER = "user";
+ public static final String PROP_DB_PASSWORD = "password";
+ public static final String PROP_DB_PASSWORD_ALIAS = "password.alias";
+
+ private EntityManagerFactory entityManagerFactory;
+ private DaoManager daoManager;
+
+ private String jdbcDriver = null;
+ private String jdbcURL = null;
+ private String dbUser = null;
+ private String dbPasswordAlias = "auditDBCred";
+
+ public DBAuditDestination() {
+ logger.info("DBAuditDestination() called");
+ }
+
+ @Override
+ public void init(Properties props, String propPrefix) {
+ logger.info("init() called");
+ super.init(props, propPrefix);
+
+ // Initial connect
+ connect();
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see
+ * org.apache.ranger.audit.provider.AuditHandler#logger(java.util.Collection
+ * )
+ */
+ @Override
+ public boolean log(Collection<AuditEventBase> events) {
+ boolean retValue = false;
+
+ if (!beginTransaction()) {
+ return false;
+ }
+ boolean isFailed = false;
+ for (AuditEventBase event : events) {
+ try {
+ event.persist(daoManager);
+ } catch (Throwable t) {
+ logger.error("Error persisting data. event=" + event, t);
+ isFailed = true;
+ break;
+ }
+ }
+ if (isFailed) {
+ retValue = false;
+ rollbackTransaction();
+ } else {
+ retValue = commitTransaction();
+ }
+ return retValue;
+ }
+
+ @Override
+ public void stop() {
+ cleanUp();
+ super.stop();
+ }
+
+ // Local methods
+ protected void connect() {
+ if (isDbConnected()) {
+ return;
+ }
+ try {
+ jdbcDriver = MiscUtil.getStringProperty(props, propPrefix + "."
+ + PROP_DB_JDBC_DRIVER);
+ jdbcURL = MiscUtil.getStringProperty(props, propPrefix + "."
+ + PROP_DB_JDBC_URL);
+ dbUser = MiscUtil.getStringProperty(props, propPrefix + "."
+ + PROP_DB_USER);
+ String dbPassword = MiscUtil.getStringProperty(props, propPrefix
+ + "." + PROP_DB_PASSWORD);
+ String tmpAlias = MiscUtil.getStringProperty(props, propPrefix
+ + "." + PROP_DB_PASSWORD_ALIAS);
+ dbPasswordAlias = tmpAlias != null ? tmpAlias : dbPasswordAlias;
+ String credFile = MiscUtil.getStringProperty(props,
+ AUDIT_DB_CREDENTIAL_PROVIDER_FILE);
+
+ if (jdbcDriver == null || jdbcDriver.isEmpty()) {
+ logger.fatal("JDBC driver not provided. Set property name "
+ + propPrefix + "." + PROP_DB_JDBC_DRIVER);
+ return;
+ }
+ if (jdbcURL == null || jdbcURL.isEmpty()) {
+ logger.fatal("JDBC URL not provided. Set property name "
+ + propPrefix + "." + PROP_DB_JDBC_URL);
+ return;
+ }
+ if (dbUser == null || dbUser.isEmpty()) {
+ logger.fatal("DB user not provided. Set property name "
+ + propPrefix + "." + PROP_DB_USER);
+ return;
+ }
+ if (dbPassword == null || dbPassword.isEmpty()) {
+ logger.warn("DB password not provided. Will assume empty for now. Set property name "
+ + propPrefix + "." + PROP_DB_PASSWORD);
+ } else {
+ dbPassword = MiscUtil.getCredentialString(credFile,
+ dbPasswordAlias);
+ }
+ logger.info("JDBC Driver=" + jdbcDriver + ", JDBC URL=" + jdbcURL
+ + ", dbUser=" + dbUser + ", passwordAlias="
+ + dbPasswordAlias + ", credFile=" + credFile);
+
+ Map<String, String> dbProperties = new HashMap<String, String>();
+ dbProperties.put("javax.persistence.jdbc.driver", jdbcDriver);
+ dbProperties.put("javax.persistence.jdbc.url", jdbcURL);
+ dbProperties.put("javax.persistence.jdbc.user", dbUser);
+ if (dbPassword != null) {
+ dbProperties.put("javax.persistence.jdbc.password", dbPassword);
+ }
+
+ entityManagerFactory = Persistence.createEntityManagerFactory(
+ "xa_server", dbProperties);
+
+ logger.info("entityManagerFactory=" + entityManagerFactory);
+
+ daoManager = new DaoManager();
+ daoManager.setEntityManagerFactory(entityManagerFactory);
+
+ // this forces the connection to be made to DB
+ if (daoManager.getEntityManager() != null) {
+ logger.error("Error connecting audit database. EntityManager is null. dbURL="
+ + jdbcURL + ", dbUser=" + dbUser);
+ }
+
+ } catch (Throwable t) {
+ logger.error("Error connecting audit database. dbURL=" + jdbcURL
+ + ", dbUser=" + dbUser, t);
+ }
+ }
+
+ private synchronized void cleanUp() {
+ logger.info("DBAuditDestination: cleanUp()");
+
+ try {
+ if (entityManagerFactory != null && entityManagerFactory.isOpen()) {
+ entityManagerFactory.close();
+ }
+ } catch (Exception excp) {
+ logger.error("DBAuditDestination.cleanUp(): failed", excp);
+ } finally {
+ entityManagerFactory = null;
+ daoManager = null;
+ }
+ }
+
+ private EntityManager getEntityManager() {
+ DaoManager daoMgr = daoManager;
+
+ if (daoMgr != null) {
+ try {
+ return daoMgr.getEntityManager();
+ } catch (Exception excp) {
+ logger.error("DBAuditDestination.getEntityManager(): failed",
+ excp);
+
+ cleanUp();
+ }
+ }
+
+ return null;
+ }
+
+ private boolean isDbConnected() {
+ EntityManager em = getEntityManager();
+ return em != null && em.isOpen();
+ }
+
+ private void clearEntityManager() {
+ try {
+ EntityManager em = getEntityManager();
+
+ if (em != null) {
+ em.clear();
+ }
+ } catch (Exception excp) {
+ logger.warn("DBAuditDestination.clearEntityManager(): failed", excp);
+ }
+ }
+
+ private EntityTransaction getTransaction() {
+ if (!isDbConnected()) {
+ connect();
+ }
+
+ EntityManager em = getEntityManager();
+
+ return em != null ? em.getTransaction() : null;
+ }
+
+ private boolean beginTransaction() {
+ EntityTransaction trx = getTransaction();
+
+ if (trx != null && !trx.isActive()) {
+ trx.begin();
+ }
+
+ if (trx == null) {
+ logger.warn("DBAuditDestination.beginTransaction(): trx is null");
+ }
+
+ return trx != null;
+ }
+
+ private boolean commitTransaction() {
+ boolean ret = false;
+ EntityTransaction trx = null;
+
+ try {
+ trx = getTransaction();
+
+ if (trx != null && trx.isActive()) {
+ trx.commit();
+ ret = true;
+ } else {
+ throw new Exception("trx is null or not active");
+ }
+ } catch (Throwable excp) {
+ logger.error("DBAuditDestination.commitTransaction(): failed", excp);
+
+ cleanUp(); // so that next insert will try to init()
+ } finally {
+ clearEntityManager();
+ }
+
+ return ret;
+ }
+
+ private boolean rollbackTransaction() {
+ boolean ret = false;
+ EntityTransaction trx = null;
+
+ try {
+ trx = getTransaction();
+
+ if (trx != null && trx.isActive()) {
+ trx.rollback();
+ ret = true;
+ } else {
+ throw new Exception("trx is null or not active");
+ }
+ } catch (Throwable excp) {
+ logger.error("DBAuditDestination.rollbackTransaction(): failed",
+ excp);
+
+ cleanUp(); // so that next insert will try to init()
+ } finally {
+ clearEntityManager();
+ }
+
+ return ret;
+ }
+
+}
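Review bot: The post-connect check `if (daoManager.getEntityManager() != null)` is inverted — it logs "EntityManager is null" exactly when an EntityManager was obtained and stays silent on the failure it is meant to report; it should read `if (daoManager.getEntityManager() == null) {`. The password branch above it also looks reversed: when a password is configured it is discarded in favour of `MiscUtil.getCredentialString(credFile, dbPasswordAlias)`, which returns null when no credential file is set, so the configured value is lost, and when the property is absent the credential store is never consulted at all; unless the property is expected to hold a placeholder, keep the configured value when the lookup returns null, e.g. `String cred = MiscUtil.getCredentialString(credFile, dbPasswordAlias); dbPassword = cred != null ? cred : dbPassword;`. `connect()` is reached from `log()` through `getTransaction()` and is not synchronized while `cleanUp()` is; if more than one thread can call `log()`, the two can race on `entityManagerFactory` and `daoManager`, so `connect()` should take the same lock. A failed `connect()` returns without clearing state, which makes every subsequent `log()` call retry it and log at fatal level each time.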
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2de2450/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java b/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java
index 6ca4fce..67382a9 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java
@@ -105,6 +105,9 @@ public class HDFSAuditDestination extends AuditDestination {
@Override
synchronized public boolean logJSON(Collection<String> events) {
+ if (!initDone) {
+ return false;
+ }
if (isStopped) {
logError("log() called after stop was requested. name=" + getName());
return false;
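Review bot: The new `if (!initDone)` guard returns false silently, whereas the `isStopped` branch directly below it logs why; a caller that sees a failed batch gets no diagnostic that the destination was never initialised. Consider `logError("logJSON() called before init completed. name=" + getName());` ahead of the return, rate-limited if this path can be hit per batch. `logJSON` continues outside the hunk, and where `initDone` is set is not visible here.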
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2de2450/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
index d6ef318..c3a05ce 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/AuditProviderFactory.java
@@ -24,6 +24,7 @@ import java.util.Properties;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.audit.destination.DBAuditDestination;
import org.apache.ranger.audit.destination.FileAuditDestination;
import org.apache.ranger.audit.destination.HDFSAuditDestination;
import org.apache.ranger.audit.destination.SolrAuditDestination;
@@ -415,7 +416,7 @@ public class AuditProviderFactory {
} else if (providerName.equals("kafka")) {
provider = new KafkaAuditProvider();
} else if (providerName.equals("db")) {
- provider = new DbAuditProvider();
+ provider = new DBAuditDestination();
} else if (providerName.equals("log4j")) {
provider = new Log4jAuditProvider();
} else if (providerName.equals("batch")) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2de2450/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java
index dd44def..09335c7 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java
@@ -22,6 +22,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.audit.model.AuditEventBase;
import org.apache.ranger.audit.model.AuthzAuditEvent;
+
import com.google.gson.GsonBuilder;
import java.util.concurrent.atomic.AtomicLong;
@@ -33,7 +34,9 @@ import java.util.Properties;
public abstract class BaseAuditHandler implements AuditHandler {
private static final Log LOG = LogFactory.getLog(BaseAuditHandler.class);
- private static final String AUDIT_LOG_FAILURE_REPORT_MIN_INTERVAL_PROP = "xasecure.audit.log.failure.report.min.interval.ms";
+ static final String AUDIT_LOG_FAILURE_REPORT_MIN_INTERVAL_PROP = "xasecure.audit.log.failure.report.min.interval.ms";
+ protected static final String AUDIT_DB_CREDENTIAL_PROVIDER_FILE = "xasecure.audit.credential.provider.file";
+
private int mLogFailureReportMinIntervalInMs = 60 * 1000;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2de2450/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java
index fe6b0e9..abb0a90 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java
@@ -29,6 +29,7 @@ import java.util.StringTokenizer;
import java.util.UUID;
import org.apache.log4j.helpers.LogLog;
+import org.apache.ranger.authorization.hadoop.utils.RangerCredentialProvider;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
@@ -377,5 +378,19 @@ public class MiscUtil {
}
return list;
}
+
+ public static String getCredentialString(String url,String alias) {
+ String ret = null;
+
+ if(url != null && alias != null) {
+ char[] cred = RangerCredentialProvider.getInstance().getCredentialString(url,alias);
+
+ if ( cred != null ) {
+ ret = new String(cred);
+ }
+ }
+
+ return ret;
+ }
}
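Review bot: `getCredentialString` copies the secret out of the `char[]` returned by `RangerCredentialProvider` into an immutable `String` and leaves the array untouched, so the secret now lives in two heap objects and the one that could have been wiped never is. Zero the array once it has been copied, `Arrays.fill(cred, '\0');` after `ret = new String(cred);`, adding the `java.util.Arrays` import if the file lacks it (its import block is not fully visible here). The parameter named `url` is passed straight through as the credential-provider location; naming it `credFile` would match the caller in `DBAuditDestination.connect()`.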
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2de2450/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditAsyncQueue.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditAsyncQueue.java b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditAsyncQueue.java
index d16fff9..de5941a 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditAsyncQueue.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditAsyncQueue.java
@@ -102,9 +102,16 @@ public class AuditAsyncQueue extends AuditQueue implements Runnable {
*/
@Override
public void stop() {
+ logger.info("Stop called. name=" + getName());
+ if (stopTime != 0) {
+ stopTime = System.currentTimeMillis();
+ }
setDrain(true);
try {
if (consumerThread != null) {
+ logger.info("Interrupting consumerThread. name=" + getName()
+ + ", consumer="
+ + (consumer == null ? null : consumer.getName()));
consumerThread.interrupt();
}
} catch (Throwable t) {
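Review bot: The guard `if (stopTime != 0)` in `stop()` can never fire on the first call, because `stopTime` is initialised to 0 in `AuditQueue` and nothing else assigns it, so the field the comment there describes as "set when the first time stop is called" stays 0 and the shutdown timeout in `run()` is never armed; it should read `if (stopTime == 0) {`. The same inverted guard appears in the `stop()` hunks of `AuditBatchQueue` and `AuditSummaryQueue` in this commit. `stop()` continues outside the hunk.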
@@ -138,7 +145,7 @@ public class AuditAsyncQueue extends AuditQueue implements Runnable {
}
} catch (InterruptedException e) {
logger.info(
- "Caught exception in consumer thread. Mostly to about loop",
+ "Caught exception in consumer thread. Mostly server is shutting down.",
e);
} catch (Throwable t) {
logger.error("Caught error during processing request.", t);
@@ -146,13 +153,29 @@ public class AuditAsyncQueue extends AuditQueue implements Runnable {
if (isDrain() && queue.isEmpty()) {
break;
}
+ if (isDrain()
+ && (stopTime - System.currentTimeMillis()) > AUDIT_CONSUMER_THREAD_WAIT_MS) {
+ logger.warn("Exiting polling loop to max time allowed. name="
+ + getName() + ", waited for "
+ + (stopTime - System.currentTimeMillis()) + " ms");
+
+ break;
+ }
}
+ logger.info("Exiting polling loop. name=" + getName());
+
try {
// Call stop on the consumer
+ logger.info("Calling to stop consumer. name=" + getName()
+ + ", consumer.name=" + consumer.getName());
+
+ // Call stop on the consumer
consumer.stop();
} catch (Throwable t) {
logger.error("Error while calling stop on consumer.", t);
}
+ logger.info("Exiting consumerThread.run() method. name=" + getName());
+
}
}
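Review bot: The timeout test `(stopTime - System.currentTimeMillis()) > AUDIT_CONSUMER_THREAD_WAIT_MS` has its operands reversed: `stopTime` is never later than the current time, so the difference is zero or negative and the branch can never be taken (and the "waited for" value logged two lines below is negative for the same reason); it should be `(System.currentTimeMillis() - stopTime) > AUDIT_CONSUMER_THREAD_WAIT_MS` in both places. The same expression is repeated in the `run()` hunks of `AuditBatchQueue` and `AuditSummaryQueue`. The new log line before `consumer.stop()` dereferences `consumer.getName()` without the `consumer == null` guard that `stop()` in this same file uses, and `// Call stop on the consumer` now appears twice in a row.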
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2de2450/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditBatchQueue.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditBatchQueue.java b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditBatchQueue.java
index 8316c2b..645483b 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditBatchQueue.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditBatchQueue.java
@@ -119,10 +119,19 @@ public class AuditBatchQueue extends AuditQueue implements Runnable {
*/
@Override
public void stop() {
+ logger.info("Stop called. name=" + getName());
+ if (stopTime != 0) {
+ stopTime = System.currentTimeMillis();
+ }
+
setDrain(true);
flush();
try {
if (consumerThread != null) {
+ logger.info("Interrupting consumerThread. name=" + getName()
+ + ", consumer="
+ + (consumer == null ? null : consumer.getName()));
+
consumerThread.interrupt();
}
} catch (Throwable t) {
@@ -257,7 +266,7 @@ public class AuditBatchQueue extends AuditQueue implements Runnable {
}
} catch (InterruptedException e) {
logger.info(
- "Caught exception in consumer thread. Mostly to abort loop",
+ "Caught exception in consumer thread. Mostly server is shutting down.",
e);
setDrain(true);
} catch (Throwable t) {
@@ -311,12 +320,24 @@ public class AuditBatchQueue extends AuditQueue implements Runnable {
break;
}
}
+ if (isDrain()
+ && (stopTime - System.currentTimeMillis()) > AUDIT_CONSUMER_THREAD_WAIT_MS) {
+ logger.warn("Exiting polling loop to max time allowed. name="
+ + getName() + ", waited for "
+ + (stopTime - System.currentTimeMillis()) + " ms");
+
+ break;
+ }
+
}
logger.info("Exiting consumerThread. Queue=" + getName() + ", dest="
+ consumer.getName());
try {
// Call stop on the consumer
+ logger.info("Calling to stop consumer. name=" + getName()
+ + ", consumer.name=" + consumer.getName());
+
consumer.stop();
if (fileSpoolerEnabled) {
fileSpooler.stop();
@@ -324,5 +345,6 @@ public class AuditBatchQueue extends AuditQueue implements Runnable {
} catch (Throwable t) {
logger.error("Error while calling stop on consumer.", t);
}
+ logger.info("Exiting consumerThread.run() method. name=" + getName());
}
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2de2450/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java
index 4c3ac5f..039dc6d 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java
@@ -33,6 +33,9 @@ public abstract class AuditQueue extends BaseAuditHandler {
public static final int AUDIT_MAX_QUEUE_SIZE_DEFAULT = 1024 * 1024;
public static final int AUDIT_BATCH_INTERVAL_DEFAULT_MS = 1000;
public static final int AUDIT_BATCH_SIZE_DEFAULT = 1000;
+
+ //This is the max time the consumer thread will wait before exiting the loop
+ public static final int AUDIT_CONSUMER_THREAD_WAIT_MS = 5000;
private int maxQueueSize = AUDIT_MAX_QUEUE_SIZE_DEFAULT;
private int maxBatchInterval = AUDIT_BATCH_INTERVAL_DEFAULT_MS;
@@ -57,6 +60,9 @@ public abstract class AuditQueue extends BaseAuditHandler {
protected int fileSpoolMaxWaitTime = 5 * 60 * 1000; // Default 5 minutes
protected int fileSpoolDrainThresholdPercent = 80;
+ //This is set when the first time stop is called.
+ protected long stopTime = 0;
+
/**
* @param consumer
*/
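Review bot: `stopTime` is written by whichever thread calls `stop()` and read by the consumer thread in `run()`, yet it is declared as a plain `long`; declare it `protected volatile long stopTime = 0;` so the consumer thread is guaranteed to see the write (a non-volatile 64-bit field is also not guaranteed an atomic read). The comment says it is set on the first `stop()` call, which the `stop()` implementations in this commit do not currently achieve because their guard tests `!= 0`.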
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2de2450/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditSummaryQueue.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditSummaryQueue.java b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditSummaryQueue.java
index 7922312..1e5b500 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditSummaryQueue.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditSummaryQueue.java
@@ -122,9 +122,18 @@ public class AuditSummaryQueue extends AuditQueue implements Runnable {
*/
@Override
public void stop() {
+ logger.info("Stop called. name=" + getName());
+ if (stopTime != 0) {
+ stopTime = System.currentTimeMillis();
+ }
+
setDrain(true);
try {
if (consumerThread != null) {
+ logger.info("Interrupting consumerThread. name=" + getName()
+ + ", consumer="
+ + (consumer == null ? null : consumer.getName()));
+
consumerThread.interrupt();
}
} catch (Throwable t) {
@@ -170,7 +179,7 @@ public class AuditSummaryQueue extends AuditQueue implements Runnable {
}
} catch (InterruptedException e) {
logger.info(
- "Caught exception in consumer thread. Mostly to about loop",
+ "Caught exception in consumer thread. Mostly server is shutting down.",
e);
} catch (Throwable t) {
logger.error("Caught error during processing request.", t);
@@ -217,14 +226,28 @@ public class AuditSummaryQueue extends AuditQueue implements Runnable {
if (isDrain() && summaryMap.isEmpty() && queue.isEmpty()) {
break;
}
+ if (isDrain()
+ && (stopTime - System.currentTimeMillis()) > AUDIT_CONSUMER_THREAD_WAIT_MS) {
+ logger.warn("Exiting polling loop to max time allowed. name="
+ + getName() + ", waited for "
+ + (stopTime - System.currentTimeMillis()) + " ms");
+
+ break;
+ }
+
}
+ logger.info("Exiting polling loop. name=" + getName());
try {
// Call stop on the consumer
+ logger.info("Calling to stop consumer. name=" + getName()
+ + ", consumer.name=" + consumer.getName());
consumer.stop();
} catch (Throwable t) {
logger.error("Error while calling stop on consumer.", t);
}
+ logger.info("Exiting consumerThread.run() method. name=" + getName());
+
}
class AuditSummary {
[03/12] incubator-ranger git commit: RANGER-513 Policy validation:
resource hierarchies check does not work with single-node hierarchies e.g.
for HDFS
Posted by sn...@apache.org.
RANGER-513 Policy validation: resource hierarchies check does not work with single-node hierarchies e.g. for HDFS
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/f0a8931a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/f0a8931a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/f0a8931a
Branch: refs/heads/ranger-0.5
Commit: f0a8931a8c1847470e486ffdf59c70814270ce9d
Parents: fb6e94f
Author: Alok Lal <al...@hortonworks.com>
Authored: Thu May 28 15:34:15 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu May 28 20:47:54 2015 -0700
----------------------------------------------------------------------
.../validation/RangerServiceDefHelper.java | 30 +++++++++++---
.../validation/TestRangerServiceDefHelper.java | 42 +++++++++++++++++++-
2 files changed, 66 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f0a8931a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
index 91ff16a..d3bcc1a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerServiceDefHelper.java
@@ -36,6 +36,8 @@ import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
+import com.google.common.collect.Lists;
+
public class RangerServiceDefHelper {
private static final Log LOG = LogFactory.getLog(RangerServiceDefHelper.class);
@@ -238,10 +240,20 @@ public class RangerServiceDefHelper {
Set<String> sources = graph.getSources();
Set<String> sinks = graph.getSinks();
for (String source : sources) {
- for (String sink : sinks) {
- List<String> path = graph.getAPath(source, sink, new HashSet<String>());
- if (!path.isEmpty()) {
- hierarchies.add(path);
+ /*
+ * A disconnected node, i.e. one that does not have any arc coming into or out of it is a hierarchy in itself!
+ * A source by definition does not have any arcs coming into it. So if it also doesn't have any neighbors then we know
+ * it is a disconnected node.
+ */
+ if (!graph.hasNeighbors(source)) {
+ List<String> path = Lists.newArrayList(source);
+ hierarchies.add(path);
+ } else {
+ for (String sink : sinks) {
+ List<String> path = graph.getAPath(source, sink, new HashSet<String>());
+ if (!path.isEmpty()) {
+ hierarchies.add(path);
+ }
}
}
}
@@ -328,6 +340,14 @@ public class RangerServiceDefHelper {
}
/**
+ * Returns true if the node "from" has any neighbor.
+ * @param from
+ * @return
+ */
+ boolean hasNeighbors(String from) {
+ return _nodes.containsKey(from) && _nodes.get(from).size() > 0;
+ }
+ /**
* Return the set of nodes with in degree of 0, i.e. those that are not in any other nodes' list of neighbors
*
* @return
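Review bot: The Javadoc on `hasNeighbors` has an empty `@param from` and `@return`; fill them in, e.g. `@param from name of the node to look up` and `@return true if {@code from} is a known node with at least one outgoing neighbor`, since the distinction between "unknown node" and "known node with no arcs" is what the new single-node-hierarchy logic relies on. `_nodes.get(from).size() > 0` reads more naturally as `!_nodes.get(from).isEmpty()`. The enclosing class continues outside the hunk.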
@@ -339,7 +359,7 @@ public class RangerServiceDefHelper {
sources.removeAll(nbrs); // A source in a DAG can't be a neighbor of any other node
}
if (LOG.isDebugEnabled()) {
- LOG.debug("Returning sinks: " + sources);
+ LOG.debug("Returning sources: " + sources);
}
return sources;
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f0a8931a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java
----------------------------------------------------------------------
diff --git a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java
index 2703384..883b808 100644
--- a/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java
+++ b/agents-common/src/test/java/org/apache/ranger/plugin/model/validation/TestRangerServiceDefHelper.java
@@ -149,10 +149,50 @@ public class TestRangerServiceDefHelper {
assertTrue(expectedHierarchies.contains(resourceNames));
expectedHierarchies.remove(resourceNames);
}
- assertTrue(expectedHierarchies.isEmpty()); // make sure we saw got back hierarchies
+ assertTrue("Missing hierarchies: " + expectedHierarchies.toString(), expectedHierarchies.isEmpty()); // make sure we got back all hierarchies
}
@Test
+ public final void test_isResourceGraphValid_forest_singleNodeTrees() {
+ /*
+ * Create a service-def which is a forest with a few single node trees
+ *
+ * Database
+ *
+ * Server
+ *
+ * Namespace -> package
+ * |
+ * v
+ * function
+ *
+ * Check that helper corrects reports back all of the hierarchies: levels in it and their order.
+ */
+ RangerResourceDef database = createResourceDef("database", "");
+ RangerResourceDef server = createResourceDef("server", "");
+ RangerResourceDef namespace = createResourceDef("namespace", "");
+ RangerResourceDef function = createResourceDef("function", "namespace");
+ RangerResourceDef Package = createResourceDef("package", "namespace");
+ List<RangerResourceDef> resourceDefs = Lists.newArrayList(database, server, namespace, function, Package);
+ when(_serviceDef.getResources()).thenReturn(resourceDefs);
+ _helper = new RangerServiceDefHelper(_serviceDef);
+ assertTrue(_helper.isResourceGraphValid());
+ Set<List<RangerResourceDef>> hierarchies = _helper.getResourceHierarchies();
+
+ Set<List<String>> expectedHierarchies = new HashSet<List<String>>();
+ expectedHierarchies.add(Lists.newArrayList("database"));
+ expectedHierarchies.add(Lists.newArrayList("server"));
+ expectedHierarchies.add(Lists.newArrayList("namespace", "package"));
+ expectedHierarchies.add(Lists.newArrayList("namespace", "function"));
+
+ for (List<RangerResourceDef> aHierarchy : hierarchies) {
+ List<String> resourceNames = _helper.getAllResourceNames(aHierarchy);
+ assertTrue(expectedHierarchies.contains(resourceNames));
+ expectedHierarchies.remove(resourceNames);
+ }
+ assertTrue("Missing hierarchies: " + expectedHierarchies.toString(), expectedHierarchies.isEmpty()); // make sure we got back all hierarchies
+ }
+ @Test
public final void test_cacheBehavior() {
// wipe the cache clean
RangerServiceDefHelper._Cache.clear();
[09/12] incubator-ranger git commit: NPE fix
Posted by sn...@apache.org.
NPE fix
Signed-off-by: sneethiraj <sn...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/29f8f202
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/29f8f202
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/29f8f202
Branch: refs/heads/ranger-0.5
Commit: 29f8f2027f7703dcb144f4bd87499fe3d8459a88
Parents: ab4683e
Author: Gautam Borad <gb...@gmail.com>
Authored: Tue May 19 18:42:52 2015 +0530
Committer: sneethiraj <sn...@apache.org>
Committed: Sat May 30 23:48:27 2015 -0400
----------------------------------------------------------------------
.../org/apache/ranger/service/RangerServiceDefService.java | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/29f8f202/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefService.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefService.java
index ecf0b16..33a2da3 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefService.java
@@ -26,6 +26,7 @@ import org.apache.ranger.common.SearchField;
import org.apache.ranger.common.SortField;
import org.apache.ranger.common.SearchField.DATA_TYPE;
import org.apache.ranger.common.SearchField.SEARCH_TYPE;
+import org.apache.ranger.common.UserSessionBase;
import org.apache.ranger.entity.XXContextEnricherDef;
import org.apache.ranger.entity.XXAccessTypeDef;
import org.apache.ranger.entity.XXEnumDef;
@@ -158,13 +159,14 @@ public class RangerServiceDefService extends RangerServiceDefServiceBase<XXServi
return this.populateViewBean(xServiceDef);
}
@Override
- @SuppressWarnings("unchecked")
public RangerServiceDefList searchRangerServiceDefs(SearchFilter searchFilter) {
List<RangerServiceDef> serviceDefList = new ArrayList<RangerServiceDef>();
RangerServiceDefList retList = new RangerServiceDefList();
List<XXServiceDef> xSvcDefList = (List<XXServiceDef>) searchResources(searchFilter, searchFields, sortFields, retList);
- List<String> userRoleList = ContextUtil.getCurrentUserSession().getUserRoleList();
+ UserSessionBase sessionBase = ContextUtil.getCurrentUserSession();
+ List<String> userRoleList = (sessionBase != null) ? sessionBase.getUserRoleList() : null;
+
for (XXServiceDef xSvcDef : xSvcDefList) {
if(userRoleList != null && !userRoleList.contains(RangerConstants.ROLE_KEY_ADMIN)){
if(xSvcDef!=null && !"KMS".equalsIgnoreCase(xSvcDef.getName())){
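Review bot: With no session, `userRoleList` is now null, and the guard on the following line (`userRoleList != null && !userRoleList.contains(RangerConstants.ROLE_KEY_ADMIN)`) evaluates false, so a session-less caller falls through to the same branch as a KEY_ADMIN instead of the non-admin filtering branch; the NPE becomes fail-open behaviour if that else branch (outside the hunk) returns the unfiltered list. If session-less callers should see only non-KMS defs, initialise to an empty list instead: `List<String> userRoleList = (sessionBase != null) ? sessionBase.getUserRoleList() : Collections.<String>emptyList();` (importing `java.util.Collections`), keeping the null guard for a session whose role list is null. If internal callers without a session legitimately need the full list, say so next to the assignment, e.g. `// no session: internal caller, KMS defs are not filtered`. The loop body continues past the end of the hunk.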
[12/12] incubator-ranger git commit: RANGER-516 : Implement Scope and
Restriction of users having KEY_ADMIN Role
Posted by sn...@apache.org.
RANGER-516 : Implement Scope and Restriction of users having KEY_ADMIN Role
Signed-off-by: sneethiraj <sn...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/c510b449
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/c510b449
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/c510b449
Branch: refs/heads/ranger-0.5
Commit: c510b449d0564aa165007810fcf87a3587cec291
Parents: 3250e5c
Author: Gautam Borad <gb...@gmail.com>
Authored: Sun May 31 15:29:22 2015 +0530
Committer: sneethiraj <sn...@apache.org>
Committed: Sun May 31 09:39:13 2015 -0400
----------------------------------------------------------------------
.../plugin/store/EmbeddedServiceDefsUtil.java | 10 +
.../ranger/server/tomcat/EmbeddedServer.java | 4 +-
kms/config/kms-webapp/kms-log4j.properties | 6 +-
.../scripts/ranger-admin-site-template.xml | 2 +-
.../org/apache/ranger/biz/RangerBizUtil.java | 142 ++++++++++
.../org/apache/ranger/biz/ServiceDBStore.java | 265 +++++++++++--------
.../java/org/apache/ranger/biz/SessionMgr.java | 16 +-
.../java/org/apache/ranger/biz/UserMgr.java | 8 +-
.../org/apache/ranger/common/SearchUtil.java | 5 +-
.../apache/ranger/common/UserSessionBase.java | 9 +
.../org/apache/ranger/rest/ServiceREST.java | 109 +++++++-
.../java/org/apache/ranger/rest/XUserREST.java | 11 +-
.../ranger/service/RangerServiceDefService.java | 41 +--
.../service/RangerServiceServiceBase.java | 34 ++-
.../ranger/service/XAccessAuditService.java | 9 +
.../org/apache/ranger/service/XUserService.java | 6 +-
.../org/apache/ranger/view/VXAccessAudit.java | 19 ++
.../webapp/scripts/controllers/Controller.js | 4 +-
.../scripts/modules/globalize/message/en.js | 3 +-
.../src/main/webapp/scripts/utils/XAUtils.js | 14 +-
.../scripts/views/policies/PermissionList.js | 13 +-
.../webapp/scripts/views/reports/AuditLayout.js | 28 +-
.../main/webapp/scripts/views/users/UserForm.js | 12 +-
.../scripts/views/users/UserTableLayout.js | 17 +-
.../templates/users/UserTableLayout_tmpl.html | 4 +-
.../rest/TestServiceRESTForValidation.java | 1 +
26 files changed, 610 insertions(+), 182 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
index 2115256..e3ecc0f 100755
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
@@ -54,6 +54,16 @@ public class EmbeddedServiceDefsUtil {
public static final String EMBEDDED_SERVICEDEF_SOLR_NAME = "solr";
public static final String PROPERTY_CREATE_EMBEDDED_SERVICE_DEFS = "ranger.service.store.create.embedded.service-defs";
+ public static final String HDFS_IMPL_CLASS_NAME = "org.apache.ranger.services.hdfs.RangerServiceHdfs";
+ public static final String HBASE_IMPL_CLASS_NAME = "org.apache.ranger.services.hbase.RangerServiceHBase";
+ public static final String HIVE_IMPL_CLASS_NAME = "org.apache.ranger.services.hive.RangerServiceHive";
+ public static final String KNOX_IMPL_CLASS_NAME = "org.apache.ranger.services.knox.RangerServiceKnox";
+ public static final String STORM_IMPL_CLASS_NAME = "org.apache.ranger.services.storm.RangerServiceStorm";
+ public static final String YARN_IMPL_CLASS_NAME = "org.apache.ranger.services.yarn.RangerServiceYarn";
+ public static final String KMS_IMPL_CLASS_NAME = "org.apache.ranger.services.kms.RangerServiceKMS";
+ public static final String KAFKA_IMPL_CLASS_NAME = "org.apache.ranger.services.kafka.RangerServiceKafka";
+ public static final String SOLR_IMPL_CLASS_NAME = "org.apache.ranger.services.solr.RangerServiceSolr";
+
private static EmbeddedServiceDefsUtil instance = new EmbeddedServiceDefsUtil();
private boolean createEmbeddedServiceDefs = true;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
----------------------------------------------------------------------
diff --git a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
index aa45ddd..e259d9e 100644
--- a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
+++ b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
@@ -102,10 +102,10 @@ public class EmbeddedServer {
ssl.setScheme("https");
ssl.setAttribute("SSLEnabled", "true");
ssl.setAttribute("sslProtocol", getConfig("ranger.service.https.attrib.ssl.protocol", "TLS"));
- ssl.setAttribute("clientAuth", getConfig("ranger.service.https.attrib.client.auth", "false"));
+ ssl.setAttribute("clientAuth", getConfig("ranger.service.https.attrib.clientAuth", "false"));
ssl.setAttribute("keyAlias", getConfig("ranger.service.https.attrib.keystore.keyalias"));
ssl.setAttribute("keystorePass", getConfig("ranger.service.https.attrib.keystore.pass"));
- ssl.setAttribute("keystoreFile", getConfig("ranger.service.https.attrib.keystore.file"));
+ ssl.setAttribute("keystoreFile", getConfig("ranger.https.attrib.keystore.file"));
String enabledProtocols = "SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2";
ssl.setAttribute("sslEnabledProtocols", enabledProtocols);
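Review bot: The keystore path key on the last changed line becomes `ranger.https.attrib.keystore.file`, dropping the `service.` segment that every other key in this connector block keeps (`ranger.service.https.attrib.ssl.protocol`, `...clientAuth`, `...keystore.keyalias`, `...keystore.pass`), while the site-template hunk in this commit renames only `client.auth`; unless the keystore key was renamed elsewhere, deployments still setting `ranger.service.https.attrib.keystore.file` will get a null `keystoreFile` and the HTTPS connector will not start. If the rename is unintended, restore `ssl.setAttribute("keystoreFile", getConfig("ranger.service.https.attrib.keystore.file"));`; if it is intended, read the old key as a fallback and rename it in the template as well. The unchanged `enabledProtocols` list still advertises `SSLv2Hello, TLSv1, TLSv1.1`, which is worth a separate follow-up.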
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/kms/config/kms-webapp/kms-log4j.properties
----------------------------------------------------------------------
diff --git a/kms/config/kms-webapp/kms-log4j.properties b/kms/config/kms-webapp/kms-log4j.properties
index 8e6d909..479b5b4 100644
--- a/kms/config/kms-webapp/kms-log4j.properties
+++ b/kms/config/kms-webapp/kms-log4j.properties
@@ -32,7 +32,9 @@ log4j.appender.kms-audit.layout.ConversionPattern=%d{ISO8601} %m%n
log4j.logger.kms-audit=INFO, kms-audit
log4j.additivity.kms-audit=false
-log4j.rootLogger=ALL, kms
-log4j.logger.org.apache.hadoop.conf=ERROR
+log4j.logger=INFO, kms
+log4j.rootLogger=WARN, kms
+log4j.logger.org.apache.hadoop.conf=INFO
log4j.logger.org.apache.hadoop=INFO
+log4j.logger.org.apache.ranger=INFO
log4j.logger.com.sun.jersey.server.wadl.generators.WadlGeneratorJAXBGrammarGenerator=OFF
\ No newline at end of file
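Review bot: The added `log4j.logger=INFO, kms` names no logger; log4j 1.x only honours keys of the form `log4j.logger.<category>`, so this line is most likely ignored and reads as a stray duplicate of the `log4j.rootLogger=WARN, kms` line beneath it. Drop it, or name the category that was intended. It would also help to add a comment above `log4j.logger.kms-audit=INFO, kms-audit` (unchanged, earlier in the file) noting that it is what keeps the audit trail at INFO now that the root level drops to WARN, so a later tidy-up does not silence the audit log.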
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/scripts/ranger-admin-site-template.xml
----------------------------------------------------------------------
diff --git a/security-admin/scripts/ranger-admin-site-template.xml b/security-admin/scripts/ranger-admin-site-template.xml
index 001248f..11adbe9 100644
--- a/security-admin/scripts/ranger-admin-site-template.xml
+++ b/security-admin/scripts/ranger-admin-site-template.xml
@@ -49,7 +49,7 @@
<value></value>
</property>
<property>
- <name>ranger.service.https.attrib.client.auth</name>
+ <name>ranger.service.https.attrib.clientAuth</name>
<value></value>
</property>
<property>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index f4705d3..2cae01d 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -35,6 +35,7 @@ import org.apache.log4j.Logger;
import org.apache.ranger.common.AppConstants;
import org.apache.ranger.common.ContextUtil;
import org.apache.ranger.common.GUIDUtil;
+import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.PropertiesUtil;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.RangerCommonEnums;
@@ -42,6 +43,7 @@ import org.apache.ranger.common.RangerConstants;
import org.apache.ranger.common.StringUtil;
import org.apache.ranger.common.UserSessionBase;
import org.apache.ranger.common.db.BaseDao;
+import org.apache.ranger.common.view.VList;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.entity.XXAsset;
import org.apache.ranger.entity.XXDBBase;
@@ -49,18 +51,29 @@ import org.apache.ranger.entity.XXGroup;
import org.apache.ranger.entity.XXPermMap;
import org.apache.ranger.entity.XXPortalUser;
import org.apache.ranger.entity.XXResource;
+import org.apache.ranger.entity.XXService;
+import org.apache.ranger.entity.XXServiceBase;
+import org.apache.ranger.entity.XXServiceDef;
import org.apache.ranger.entity.XXTrxLog;
import org.apache.ranger.entity.XXUser;
+import org.apache.ranger.plugin.model.RangerBaseModelObject;
+import org.apache.ranger.plugin.model.RangerService;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.service.AbstractBaseResourceService;
+import org.apache.ranger.view.RangerServiceDefList;
import org.apache.ranger.view.VXDataObject;
import org.apache.ranger.view.VXPortalUser;
import org.apache.ranger.view.VXResource;
import org.apache.ranger.view.VXResponse;
import org.apache.ranger.view.VXString;
import org.apache.ranger.view.VXStringList;
+import org.apache.ranger.view.VXUser;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
+import com.sun.xml.internal.rngom.xml.sax.XmlBaseHandler;
+
@Component
public class RangerBizUtil {
static final Logger logger = Logger.getLogger(RangerBizUtil.class);
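Review bot: `import com.sun.xml.internal.rngom.xml.sax.XmlBaseHandler;` is an unused import of a JDK-internal class — the name appears nowhere in the methods this commit adds to `RangerBizUtil`. `com.sun.*.internal` packages are not public JDK API and are absent or hidden on other JDK vendors and versions, so the import can break the build for no benefit. Remove the line; it looks like an IDE auto-import accident.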
@@ -1373,4 +1386,133 @@ public class RangerBizUtil {
this.auditDBType = auditDBType;
}
+ /**
+ * return true id current logged in session is owned by keyadmin
+ *
+ * @return
+ */
+ public boolean isKeyAdmin() {
+ UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
+ if (currentUserSession == null) {
+ logger.debug("Unable to find session.");
+ return false;
+ }
+
+ if (currentUserSession.isKeyAdmin()) {
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ * @param xxDbBase
+ * @param baseModel
+ * @return Boolean
+ *
+ * @NOTE: Kindly check all the references of this function before making any changes
+ */
+ public Boolean hasAccess(XXDBBase xxDbBase, RangerBaseModelObject baseModel) {
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session == null) {
+ logger.info("User session not found, granting access.");
+ return true;
+ }
+
+ boolean isKeyAdmin = session.isKeyAdmin();
+ boolean isSysAdmin = session.isUserAdmin();
+ boolean isUser = false;
+
+ List<String> roleList = session.getUserRoleList();
+ if (roleList.contains(RangerConstants.ROLE_USER)) {
+ isUser = true;
+ }
+
+ if (xxDbBase != null && xxDbBase instanceof XXServiceDef) {
+ XXServiceDef xServiceDef = (XXServiceDef) xxDbBase;
+ String implClass = xServiceDef.getImplclassname();
+ if (implClass == null) {
+ return false;
+ }
+
+ if (isKeyAdmin && implClass.equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
+ return true;
+ } else if ((isSysAdmin || isUser) && !implClass.equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
+ return true;
+ }
+ }
+
+ if (xxDbBase != null && xxDbBase instanceof XXService) {
+
+ // TODO: As of now we are allowing SYS_ADMIN to create/update/read/delete all the
+ // services including KMS
+ if (isSysAdmin) {
+ return true;
+ }
+
+ XXService xService = (XXService) xxDbBase;
+ XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
+ String implClass = xServiceDef.getImplclassname();
+ if (implClass == null) {
+ return false;
+ }
+
+ if (isKeyAdmin && implClass.equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
+ return true;
+ } else if (isUser && !implClass.equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
+ return true;
+ }
+ // else if ((isSysAdmin || isUser) && !implClass.equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
+ // return true;
+ // }
+ }
+ return false;
+ }
+
+ public void hasAdminPermissions(String objType) {
+
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+
+ if (session == null) {
+ throw restErrorUtil.createRESTException("UserSession cannot be null, only Admin can create/update/delete "
+ + objType, MessageEnums.OPER_NO_PERMISSION);
+ }
+
+ if (!session.isKeyAdmin() && !session.isUserAdmin()) {
+ throw restErrorUtil.createRESTException(
+ "User is not allowed to update service-def, only Admin can create/update/delete " + objType,
+ MessageEnums.OPER_NO_PERMISSION);
+ }
+ }
+
+ public void hasKMSPermissions(String objType, String implClassName) {
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+
+ if (session.isKeyAdmin() && !implClassName.equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
+ throw restErrorUtil.createRESTException("KeyAdmin can create/update/delete only KMS " + objType,
+ MessageEnums.OPER_NO_PERMISSION);
+ }
+
+ // TODO: As of now we are allowing SYS_ADMIN to create/update/read/delete all the
+ // services including KMS
+
+ if (objType.equalsIgnoreCase("Service-Def") && session.isUserAdmin() && implClassName.equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
+ throw restErrorUtil.createRESTException("System Admin cannot create/update/delete KMS " + objType,
+ MessageEnums.OPER_NO_PERMISSION);
+ }
+ }
+
+ public boolean checkUserAccessible(VXUser vXUser) {
+ if(isKeyAdmin() && vXUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN)) {
+ throw restErrorUtil.createRESTException("Logged in user is not allowd to create/update user",
+ MessageEnums.OPER_NO_PERMISSION);
+ }
+
+ if(isAdmin() && vXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN)) {
+ throw restErrorUtil.createRESTException("Logged in user is not allowd to create/update user",
+ MessageEnums.OPER_NO_PERMISSION);
+ }
+
+ return true;
+ }
+
}
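Review bot: `hasKMSPermissions` dereferences `session` without a null check (`session.isKeyAdmin()`), whereas `hasAdminPermissions` directly above it rejects a null session with OPER_NO_PERMISSION; a session-less caller here gets a NullPointerException (an HTTP 500) instead of a clean authorization failure. Add the same guard at the top: `if (session == null) { throw restErrorUtil.createRESTException("UserSession cannot be null, only Admin can create/update/delete " + objType, MessageEnums.OPER_NO_PERMISSION); }`. In the same method family, `hasAccess` returns true on a missing session ("granting access"), and `roleList.contains(...)` will throw if `getUserRoleList()` is null — the case the NPE fix earlier in this series guards against. If fail-open on a null session is intended for internal callers, state it on the method (`// null session = internal/non-REST caller; REST entry points must verify the session first`) so the contract is explicit rather than implied.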
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index b259be6..e0dbea29 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -656,6 +656,7 @@ public class ServiceDBStore implements ServiceStore {
XXContextEnricherDef xContext = new XXContextEnricherDef();
xContext = serviceDefService.populateRangerContextEnricherDefToXX(context, xContext, createdSvcDef,
RangerServiceDefService.OPERATION_UPDATE_CONTEXT);
+ xContext = xxContextEnricherDao.create(xContext);
context = serviceDefService.populateXXToRangerContextEnricherDef(xContext);
}
}
@@ -754,9 +755,23 @@ public class ServiceDBStore implements ServiceStore {
}
}
}
-
+
@Override
public void deleteServiceDef(Long serviceDefId) throws Exception {
+
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session == null) {
+ throw restErrorUtil.createRESTException(
+ "UserSession cannot be null, only Admin can update service-def",
+ MessageEnums.OPER_NO_PERMISSION);
+ }
+
+ if (!session.isKeyAdmin() && !session.isUserAdmin()) {
+ throw restErrorUtil.createRESTException(
+ "User is not allowed to update service-def, only Admin can update service-def",
+ MessageEnums.OPER_NO_PERMISSION);
+ }
+
deleteServiceDef(serviceDefId, false);
}
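Review bot: The new check lets any KEY_ADMIN delete any service-def: it tests only `isKeyAdmin() || isUserAdmin()` and never looks at the def's `implclassname`, even though `RangerBizUtil.hasKMSPermissions`, added in this same commit, exists precisely to confine KEY_ADMIN to the KMS def and keep SYS_ADMIN away from it. Unless that scoping happens in `ServiceREST` before this store method is reached (not visible here), apply it after the role check, e.g. `XXServiceDef xServiceDef = daoMgr.getXXServiceDef().getById(serviceDefId); if (xServiceDef != null) { bizUtil.hasKMSPermissions("Service-Def", xServiceDef.getImplclassname()); }`. Both error messages also say "update service-def" on a delete path; change them to "delete service-def" so logs and audit readers are not misled.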
@@ -847,7 +862,7 @@ public class ServiceDBStore implements ServiceStore {
LOG.debug("<== ServiceDefDBStore.deleteServiceDef(" + serviceDefId + ")");
}
}
-
+
public void deleteXXAccessTypeDef(XXAccessTypeDef xAccess) {
List<XXAccessTypeDefGrants> atdGrantsList = daoMgr.getXXAccessTypeDefGrants().findByATDId(xAccess.getId());
@@ -865,7 +880,7 @@ public class ServiceDBStore implements ServiceStore {
public void deleteXXResourceDef(XXResourceDef xRes) {
List<XXResourceDef> xChildObjs = daoMgr.getXXResourceDef().findByParentResId(xRes.getId());
- for(XXResourceDef childRes : xChildObjs) {
+ for(XXResourceDef childRes : xChildObjs) {
deleteXXResourceDef(childRes);
}
@@ -891,10 +906,8 @@ public class ServiceDBStore implements ServiceStore {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDefDBStore.getServiceDef(" + id + ")");
}
-
- RangerServiceDef ret = null;
- ret = serviceDefService.read(id);
+ RangerServiceDef ret = serviceDefService.read(id);
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceDefDBStore.getServiceDef(" + id + "): " + ret);
}
@@ -907,9 +920,9 @@ public class ServiceDBStore implements ServiceStore {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDefDBStore.getServiceDefByName(" + name + ")");
}
-
+
RangerServiceDef ret = null;
-
+
XXServiceDef xServiceDef = daoMgr.getXXServiceDef().findByName(name);
if(xServiceDef != null) {
@@ -965,105 +978,87 @@ public class ServiceDBStore implements ServiceStore {
}
if (service == null) {
- throw restErrorUtil.createRESTException(
- "Service object cannot be null.",
+ throw restErrorUtil.createRESTException("Service object cannot be null.",
MessageEnums.ERROR_CREATING_OBJECT);
}
boolean createDefaultPolicy = true;
- boolean isAllowed=false;
-
- UserSessionBase usb = ContextUtil.getCurrentUserSession();
-
- List<String> userRoleList = usb == null ? null : usb.getUserRoleList();
- if (userRoleList != null && userRoleList.contains(RangerConstants.ROLE_KEY_ADMIN)) {
- if ("KMS".equalsIgnoreCase(service.getType())) {
- isAllowed = true;
+ Map<String, String> configs = service.getConfigs();
+ Map<String, String> validConfigs = validateRequiredConfigParams(service, configs);
+ if (validConfigs == null) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> ConfigParams cannot be null, ServiceDefDBStore.createService(" + service + ")");
}
+ throw restErrorUtil.createRESTException("ConfigParams cannot be null.", MessageEnums.ERROR_CREATING_OBJECT);
}
- if (usb != null && usb.isUserAdmin() || populateExistingBaseFields) {
- isAllowed = true;
+
+ // While creating, value of version should be 1.
+ service.setVersion(new Long(1));
+
+ if (populateExistingBaseFields) {
+ svcServiceWithAssignedId.setPopulateExistingBaseFields(true);
+ service = svcServiceWithAssignedId.create(service);
+ svcServiceWithAssignedId.setPopulateExistingBaseFields(false);
+ createDefaultPolicy = false;
+ } else {
+ service = svcService.create(service);
}
+ XXService xCreatedService = daoMgr.getXXService().getById(service.getId());
+ VXUser vXUser = null;
- if (isAllowed) {
- Map<String, String> configs = service.getConfigs();
- Map<String, String> validConfigs = validateRequiredConfigParams(
- service, configs);
- if (validConfigs == null) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("==> ConfigParams cannot be null, ServiceDefDBStore.createService(" + service + ")");
- }
- throw restErrorUtil.createRESTException(
- "ConfigParams cannot be null.",
- MessageEnums.ERROR_CREATING_OBJECT);
- }
+ XXServiceConfigMapDao xConfMapDao = daoMgr.getXXServiceConfigMap();
+ for (Entry<String, String> configMap : validConfigs.entrySet()) {
+ String configKey = configMap.getKey();
+ String configValue = configMap.getValue();
- // While creating, value of version should be 1.
- service.setVersion(new Long(1));
-
- if(populateExistingBaseFields) {
- svcServiceWithAssignedId.setPopulateExistingBaseFields(true);
- service = svcServiceWithAssignedId.create(service);
- svcServiceWithAssignedId.setPopulateExistingBaseFields(false);
- createDefaultPolicy = false;
- } else {
- service = svcService.create(service);
- }
- XXService xCreatedService = daoMgr.getXXService().getById(service.getId());
- VXUser vXUser = null;
-
- XXServiceConfigMapDao xConfMapDao = daoMgr.getXXServiceConfigMap();
- for (Entry<String, String> configMap : validConfigs.entrySet()) {
- String configKey = configMap.getKey();
- String configValue = configMap.getValue();
-
- if(StringUtils.equalsIgnoreCase(configKey, "username")) {
- String userName = stringUtil.getValidUserName(configValue);
- XXUser xxUser = daoMgr.getXXUser().findByUserName(userName);
- if (xxUser != null) {
- vXUser = xUserService.populateViewBean(xxUser);
- } else {
- vXUser = new VXUser();
- vXUser.setName(userName);
- vXUser.setUserSource(RangerCommonEnums.USER_EXTERNAL);
- vXUser = xUserMgr.createXUser(vXUser);
+ if (StringUtils.equalsIgnoreCase(configKey, "username")) {
+ String userName = stringUtil.getValidUserName(configValue);
+ XXUser xxUser = daoMgr.getXXUser().findByUserName(userName);
+ if (xxUser != null) {
+ vXUser = xUserService.populateViewBean(xxUser);
+ } else {
+ vXUser = new VXUser();
+ vXUser.setName(userName);
+ vXUser.setUserSource(RangerCommonEnums.USER_EXTERNAL);
+
+ UserSessionBase usb = ContextUtil.getCurrentUserSession();
+ if (usb != null && !usb.isUserAdmin()) {
+ throw restErrorUtil.createRESTException("User does not exist with given username: ["
+ + userName + "] please use existing user", MessageEnums.OPER_NO_PERMISSION);
}
+ vXUser = xUserMgr.createXUser(vXUser);
}
+ }
- if (StringUtils.equalsIgnoreCase(configKey, CONFIG_KEY_PASSWORD)) {
- String encryptedPwd = PasswordUtils.encryptPassword(configValue);
- String decryptedPwd = PasswordUtils.decryptPassword(encryptedPwd);
+ if (StringUtils.equalsIgnoreCase(configKey, CONFIG_KEY_PASSWORD)) {
+ String encryptedPwd = PasswordUtils.encryptPassword(configValue);
+ String decryptedPwd = PasswordUtils.decryptPassword(encryptedPwd);
- if (StringUtils.equals(decryptedPwd, configValue)) {
- configValue = encryptedPwd;
- }
+ if (StringUtils.equals(decryptedPwd, configValue)) {
+ configValue = encryptedPwd;
}
-
- XXServiceConfigMap xConfMap = new XXServiceConfigMap();
- xConfMap = (XXServiceConfigMap) rangerAuditFields.populateAuditFields(xConfMap, xCreatedService);
- xConfMap.setServiceId(xCreatedService.getId());
- xConfMap.setConfigkey(configKey);
- xConfMap.setConfigvalue(configValue);
- xConfMap = xConfMapDao.create(xConfMap);
}
- RangerService createdService = svcService.getPopulatedViewObject(xCreatedService);
- dataHistService.createObjectDataHistory(createdService, RangerDataHistService.ACTION_CREATE);
-
- List<XXTrxLog> trxLogList = svcService.getTransactionLog(createdService, RangerServiceService.OPERATION_CREATE_CONTEXT);
- bizUtil.createTrxLog(trxLogList);
- if (createDefaultPolicy) {
- createDefaultPolicy(xCreatedService, vXUser);
- }
+ XXServiceConfigMap xConfMap = new XXServiceConfigMap();
+ xConfMap = (XXServiceConfigMap) rangerAuditFields.populateAuditFields(xConfMap, xCreatedService);
+ xConfMap.setServiceId(xCreatedService.getId());
+ xConfMap.setConfigkey(configKey);
+ xConfMap.setConfigvalue(configValue);
+ xConfMap = xConfMapDao.create(xConfMap);
+ }
+ RangerService createdService = svcService.getPopulatedViewObject(xCreatedService);
+ dataHistService.createObjectDataHistory(createdService, RangerDataHistService.ACTION_CREATE);
- return createdService;
- } else {
- LOG.debug("Logged in user doesn't have admin access to create repository.");
- throw restErrorUtil.createRESTException(
- "Sorry, you don't have permission to perform the operation",
- MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
+ List<XXTrxLog> trxLogList = svcService.getTransactionLog(createdService,
+ RangerServiceService.OPERATION_CREATE_CONTEXT);
+ bizUtil.createTrxLog(trxLogList);
+ if (createDefaultPolicy) {
+ createDefaultPolicy(xCreatedService, vXUser);
}
+
+ return createdService;
+
}
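Review bot: The rewrite removes the only authorization check this method had (the old `isAllowed` block keyed on KEY_ADMIN-for-KMS or `isUserAdmin()`), so `ServiceDBStore.createService` as written creates a service for any caller; if the check moved into `ServiceREST` (in the diffstat, not in view) the store now relies entirely on its callers, and `ServiceStore` is an interface with other potential callers. Keep a defence-in-depth check at the top, e.g. `bizUtil.hasAdminPermissions("Service");` followed by `bizUtil.hasKMSPermissions("Service", ...)` with the implclassname of the def resolved from `service.getType()`. Separately, the new `usb != null && !usb.isUserAdmin()` guard still lets a session-less caller auto-create an external user; if that is intended for bootstrap paths, add a comment saying so, e.g. `// no session: internal bootstrap caller, user auto-creation allowed`.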
@Override
@@ -1071,7 +1066,7 @@ public class ServiceDBStore implements ServiceStore {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.updateService()");
}
-
+
XXService existing = daoMgr.getXXService().getById(service.getId());
if(existing == null) {
@@ -1079,11 +1074,11 @@ public class ServiceDBStore implements ServiceStore {
"no service exists with ID=" + service.getId(),
MessageEnums.DATA_NOT_FOUND);
}
-
+
String existingName = existing.getName();
boolean renamed = !StringUtils.equalsIgnoreCase(service.getName(), existingName);
-
+
if(renamed) {
XXService newNameService = daoMgr.getXXService().findByName(service.getName());
@@ -1092,7 +1087,7 @@ public class ServiceDBStore implements ServiceStore {
+ service.getName() + "'. ID=" + newNameService.getId(), MessageEnums.DATA_NOT_UPDATABLE);
}
}
-
+
Map<String, String> configs = service.getConfigs();
Map<String, String> validConfigs = validateRequiredConfigParams(service, configs);
if (validConfigs == null) {
@@ -1101,9 +1096,9 @@ public class ServiceDBStore implements ServiceStore {
}
throw restErrorUtil.createRESTException("ConfigParams cannot be null.", MessageEnums.ERROR_CREATING_OBJECT);
}
-
+
List<XXTrxLog> trxLogList = svcService.getTransactionLog(service, existing, RangerServiceService.OPERATION_UPDATE_CONTEXT);
-
+
Long version = service.getVersion();
if(version == null) {
version = new Long(1);
@@ -1123,9 +1118,9 @@ public class ServiceDBStore implements ServiceStore {
}
XXService xUpdService = daoMgr.getXXService().getById(service.getId());
-
+
String oldPassword = null;
-
+
List<XXServiceConfigMap> dbConfigMaps = daoMgr.getXXServiceConfigMap().findByServiceId(service.getId());
for(XXServiceConfigMap dbConfigMap : dbConfigMaps) {
if(StringUtils.equalsIgnoreCase(dbConfigMap.getConfigkey(), CONFIG_KEY_PASSWORD)) {
@@ -1133,13 +1128,13 @@ public class ServiceDBStore implements ServiceStore {
}
daoMgr.getXXServiceConfigMap().remove(dbConfigMap);
}
-
+
VXUser vXUser = null;
XXServiceConfigMapDao xConfMapDao = daoMgr.getXXServiceConfigMap();
for (Entry<String, String> configMap : validConfigs.entrySet()) {
String configKey = configMap.getKey();
String configValue = configMap.getValue();
-
+
if(StringUtils.equalsIgnoreCase(configKey, "username")) {
String userName = stringUtil.getValidUserName(configValue);
XXUser xxUser = daoMgr.getXXUser().findByUserName(userName);
@@ -1149,6 +1144,11 @@ public class ServiceDBStore implements ServiceStore {
vXUser = new VXUser();
vXUser.setName(userName);
vXUser.setUserSource(RangerCommonEnums.USER_EXTERNAL);
+ UserSessionBase usb = ContextUtil.getCurrentUserSession();
+ if (usb != null && !usb.isUserAdmin()) {
+ throw restErrorUtil.createRESTException("User does not exist with given username: ["
+ + userName + "] please use existing user", MessageEnums.OPER_NO_PERMISSION);
+ }
vXUser = xUserMgr.createXUser(vXUser);
}
}
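Review bot: The new permission throw fires after the `daoMgr.getXXServiceConfigMap().remove(dbConfigMap)` loop earlier in `updateService` (outside this hunk) has already deleted every existing config row for the service, so unless the enclosing call runs in a transaction that rolls back on this RESTException, a non-admin submitting an unknown `username` leaves the service with no configs. Validate the username before anything is deleted — move the user lookup and throw ahead of the remove loop, or pre-scan `validConfigs` for the `username` key — and confirm the transaction boundary. The `usb != null` condition also lets a session-less caller auto-create the user, the same fall-through as in `createService`.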
@@ -1192,19 +1192,19 @@ public class ServiceDBStore implements ServiceStore {
if(service == null) {
throw new Exception("no service exists with ID=" + id);
}
-
+
List<XXPolicy> policies = daoMgr.getXXPolicy().findByServiceId(service.getId());
for(XXPolicy policy : policies) {
LOG.info("Deleting Policy, policyName: " + policy.getName());
deletePolicy(policy.getId());
}
-
+
XXServiceConfigMapDao configDao = daoMgr.getXXServiceConfigMap();
List<XXServiceConfigMap> configs = configDao.findByServiceId(service.getId());
for (XXServiceConfigMap configMap : configs) {
configDao.remove(configMap);
}
-
+
Long version = service.getVersion();
if(version == null) {
version = new Long(1);
@@ -1213,11 +1213,11 @@ public class ServiceDBStore implements ServiceStore {
version = new Long(version.longValue() + 1);
}
service.setVersion(version);
-
+
svcService.delete(service);
-
+
dataHistService.createObjectDataHistory(service, RangerDataHistService.ACTION_DELETE);
-
+
List<XXTrxLog> trxLogList = svcService.getTransactionLog(service, RangerServiceService.OPERATION_DELETE_CONTEXT);
bizUtil.createTrxLog(trxLogList);
}
@@ -1240,7 +1240,24 @@ public class ServiceDBStore implements ServiceStore {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.getService()");
}
- return svcService.read(id);
+
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session == null) {
+ throw restErrorUtil.createRESTException("UserSession cannot be null.",
+ MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
+ }
+
+ XXService xService = daoMgr.getXXService().getById(id);
+
+ // TODO: As of now we are allowing SYS_ADMIN to read all the
+ // services including KMS
+
+ if (!bizUtil.hasAccess(xService, null)) {
+ throw restErrorUtil.createRESTException("Logged in user is not allowed to read service, id: " + id,
+ MessageEnums.OPER_NO_PERMISSION);
+ }
+
+ return svcService.getPopulatedViewObject(xService);
}
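Review bot: `daoMgr.getXXService().getById(id)` can return null for an unknown id; `bizUtil.hasAccess(null, null)` then returns false and the caller is told "Logged in user is not allowed to read service" (OPER_NO_PERMISSION) rather than not-found, which misreports the cause. Add `if (xService == null) { throw restErrorUtil.createRESTException("no service exists with ID=" + id, MessageEnums.DATA_NOT_FOUND); }` before the access check, mirroring `updateService`; if hiding existence from unauthorized users is the goal, return the same not-found result in both cases and say so in a comment. Null-session handling also differs from `getServiceByName` in this commit, which skips the check entirely when there is no session — the two getters should agree.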
@Override
@@ -1249,6 +1266,20 @@ public class ServiceDBStore implements ServiceStore {
LOG.debug("==> ServiceDBStore.getServiceByName()");
}
XXService xService = daoMgr.getXXService().findByName(name);
+
+ // TODO: As of now we are allowing SYS_ADMIN to read all the
+ // services including KMS
+
+ if (ContextUtil.getCurrentUserSession() != null) {
+ if (xService == null) {
+ return null;
+ }
+ if (!bizUtil.hasAccess(xService, null)) {
+ throw restErrorUtil.createRESTException("Logged in user is not allowed to read service, name: " + name,
+ MessageEnums.OPER_NO_PERMISSION);
+ }
+ }
+
return xService == null ? null : svcService.getPopulatedViewObject(xService);
}
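Review bot: The `ContextUtil.getCurrentUserSession() != null` guard means that a caller with no session gets the service back with no access check at all, and nothing says whether that is intended or merely tolerated; since the sibling getService() hunk throws on a null session, the asymmetry will look like a bug to the next reader. Replace the generic TODO with a comment that states the contract, e.g. `// No user session means an internal (non-REST) caller: the access check is skipped on purpose — confirm every session-less caller is trusted`. The lookup by name can legitimately return null, and the early `return null` inside the session branch duplicates the ternary on the last line; keeping only the ternary and guarding `hasAccess` with `xService != null` reads cleaner.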
@@ -1291,7 +1322,7 @@ public class ServiceDBStore implements ServiceStore {
public RangerPolicy createPolicy(RangerPolicy policy) throws Exception {
RangerService service = getServiceByName(policy.getService());
-
+
if(service == null) {
throw new Exception("service does not exist - name=" + policy.getService());
}
@@ -1350,7 +1381,7 @@ public class ServiceDBStore implements ServiceStore {
}
RangerService service = getServiceByName(policy.getService());
-
+
if(service == null) {
throw new Exception("service does not exist - name=" + policy.getService());
}
@@ -1365,7 +1396,7 @@ public class ServiceDBStore implements ServiceStore {
throw new Exception("policy id=" + policy.getId() + " already exists in service " + existing.getService() + ". It can not be moved to service " + policy.getService());
}
boolean renamed = !StringUtils.equalsIgnoreCase(policy.getName(), existing.getName());
-
+
if(renamed) {
XXPolicy newNamePolicy = daoMgr.getXXPolicy().findByNameAndServiceId(policy.getName(), service.getId());
@@ -1471,7 +1502,7 @@ public class ServiceDBStore implements ServiceStore {
if(LOG.isDebugEnabled()) {
LOG.debug("<== ServiceDBStore.getPolicies()");
}
-
+
return ret;
}
@@ -1481,7 +1512,7 @@ public class ServiceDBStore implements ServiceStore {
}
RangerPolicyList policyList = policyService.searchRangerPolicies(filter);
-
+
if (LOG.isDebugEnabled()) {
LOG.debug("before filter: count=" + policyList.getListSize());
}
@@ -1502,13 +1533,13 @@ public class ServiceDBStore implements ServiceStore {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.getServicePolicies(" + serviceId + ")");
}
-
- RangerService service = getService(serviceId);
- if(service == null) {
+ XXService service = daoMgr.getXXService().getById(serviceId);
+
+ if (service == null) {
throw new Exception("service does not exist - id='" + serviceId);
}
-
+
List<RangerPolicy> ret = getServicePolicies(service.getName(), filter);
return ret;
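Review bot: Swapping `getService(serviceId)` for the raw `daoMgr.getXXService().getById(serviceId)` drops the session and `hasAccess` check that getService() now performs, so this path (and the identical change in the getPaginatedServicePolicies hunk at L3004-3010) returns policies for a service the caller may not be allowed to read, unless `getServicePolicies(service.getName(), filter)` re-checks further down, which is outside the hunk. If the DAO lookup is deliberate because this path also runs without a session (policy download), say so: `// DAO lookup on purpose: getService() now requires a user session and this path is also used without one`; otherwise apply `bizUtil.hasAccess(service, null)` here when a session exists.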
@@ -1519,7 +1550,7 @@ public class ServiceDBStore implements ServiceStore {
LOG.debug("==> ServiceDBStore.getPaginatedServicePolicies(" + serviceId + ")");
}
- RangerService service = getService(serviceId);
+ XXService service = daoMgr.getXXService().getById(serviceId);
if (service == null) {
throw new Exception("service does not exist - id='" + serviceId);
@@ -1626,7 +1657,7 @@ public class ServiceDBStore implements ServiceStore {
return ret;
}
-
+
private void createDefaultPolicy(XXService createdService, VXUser vXUser) throws Exception {
RangerPolicy policy = new RangerPolicy();
String policyName=createdService.getName()+"-"+1+"-"+DateUtil.dateToString(DateUtil.getUTCDate(),"yyyyMMddHHmmss");
@@ -1721,7 +1752,7 @@ public class ServiceDBStore implements ServiceStore {
}
return validConfigs;
}
-
+
private void handlePolicyUpdate(RangerService service) throws Exception {
updatePolicyVersion(service);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
index 12f8c34..bcbb2af 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
@@ -175,12 +175,20 @@ public class SessionMgr {
userSession.getUserId());
for (XXPortalUserRole gjUserRole : roleList) {
String userRole = gjUserRole.getUserRole();
-
strRoleList.add(userRole);
- if (userRole.equals(RangerConstants.ROLE_SYS_ADMIN)) {
- userSession.setUserAdmin(true);
- }
}
+
+ if (strRoleList.contains(RangerConstants.ROLE_SYS_ADMIN)) {
+ userSession.setUserAdmin(true);
+ userSession.setKeyAdmin(false);
+ } else if (strRoleList.contains(RangerConstants.ROLE_KEY_ADMIN)) {
+ userSession.setKeyAdmin(true);
+ userSession.setUserAdmin(false);
+ } else if (strRoleList.size() == 1 && strRoleList.get(0).equals(RangerConstants.ROLE_USER)) {
+ userSession.setKeyAdmin(false);
+ userSession.setUserAdmin(false);
+ }
+
userSession.setUserRoleList(strRoleList);
}
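Review bot: The final `else if (strRoleList.size() == 1 && strRoleList.get(0).equals(RangerConstants.ROLE_USER))` only clears the admin flags for a user whose sole role is ROLE_USER; any other role combination without SYS_ADMIN or KEY_ADMIN (several non-admin roles, or a single role other than ROLE_USER) leaves `userAdmin`/`keyAdmin` untouched, so whatever the session object carried before stays in effect. Derive the flags purely from the current list with an unconditional fallback: `} else { userSession.setKeyAdmin(false); userSession.setUserAdmin(false); }`. A user holding both SYS_ADMIN and KEY_ADMIN is silently treated as SYS_ADMIN by the chain order; a short comment stating that precedence would help, since the ServiceREST hunks rely on the two flags being mutually exclusive.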
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index 145c331..7b8c986 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -637,7 +637,7 @@ public class UserMgr {
}
// Admin
- if (sess.isUserAdmin()
+ if (sess.isUserAdmin() || sess.isKeyAdmin()
|| sess.getXXPortalUser().getId().equals(user.getId())) {
userProfile.setLoginId(user.getLoginId());
userProfile.setStatus(user.getStatus());
@@ -661,7 +661,7 @@ public class UserMgr {
}
}
- if (sess.isUserAdmin()
+ if (sess.isUserAdmin() || sess.isKeyAdmin()
|| sess.getXXPortalUser().getId().equals(user.getId())) {
userProfile.setId(user.getId());
List<XXUserPermission> xUserPermissions = daoManager
@@ -1009,7 +1009,7 @@ public class UserMgr {
return null;
}
// Admin
- if (!sess.isUserAdmin()) {
+ if (!sess.isUserAdmin() && !sess.isKeyAdmin()) {
logger.error(
"SECURITY WARNING: User trying to add non public role. userId="
+ userId + ", role=" + userRole + ", session="
@@ -1063,7 +1063,7 @@ public class UserMgr {
if (sess != null) {
// Admin
- if (sess != null && sess.isUserAdmin()) {
+ if (sess != null && sess.isUserAdmin() || sess.isKeyAdmin()) {
return;
}
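Review bot: `if (sess != null && sess.isUserAdmin() || sess.isKeyAdmin())` parses as `(sess != null && sess.isUserAdmin()) || sess.isKeyAdmin()` because `&&` binds tighter than `||`; it does not throw only because the enclosing `if (sess != null)` on the line above already guards it, but the expression reads as if the null check covered both calls. Drop the redundant test and write `if (sess.isUserAdmin() || sess.isKeyAdmin()) {` so the intent is unambiguous and Error Prone/Checkstyle precedence warnings stay quiet. The enclosing method begins outside the hunk.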
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/java/org/apache/ranger/common/SearchUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/SearchUtil.java b/security-admin/src/main/java/org/apache/ranger/common/SearchUtil.java
index e3cb28f..d5c54fd 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/SearchUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/SearchUtil.java
@@ -531,9 +531,8 @@ public class SearchUtil {
&& (((Collection) paramValue).size()) >=1) {
whereClause.append(" and ")
.append(searchField.getFieldName())
- .append(" in ( :")
- .append(searchField.getClientFieldName())
- .append(")");
+ .append(" in :")
+ .append(searchField.getClientFieldName());
}
}
else if (searchField.getDataType() == SearchField.DATA_TYPE.INTEGER) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
index 20894dc..37b2049 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
@@ -33,6 +33,7 @@ public class UserSessionBase implements Serializable {
XXPortalUser xXPortalUser;
XXAuthSession xXAuthSession;
private boolean userAdmin;
+ private boolean keyAdmin = false;
private int authProvider = RangerConstants.USER_APP;
private List<String> userRoleList = new ArrayList<String>();
int clientTimeOffsetInMinute = 0;
@@ -112,4 +113,12 @@ public class UserSessionBase implements Serializable {
this.clientTimeOffsetInMinute = clientTimeOffsetInMinute;
}
+ public boolean isKeyAdmin() {
+ return keyAdmin;
+ }
+
+ public void setKeyAdmin(boolean keyAdmin) {
+ this.keyAdmin = keyAdmin;
+ }
+
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index c2701a6..4423633 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -56,7 +56,10 @@ import org.apache.ranger.common.RangerConfigUtil;
import org.apache.ranger.common.RangerSearchUtil;
import org.apache.ranger.common.RangerValidatorFactory;
import org.apache.ranger.common.ServiceUtil;
+import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.entity.XXPolicyExportAudit;
+import org.apache.ranger.entity.XXService;
+import org.apache.ranger.entity.XXServiceDef;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
@@ -74,6 +77,7 @@ import org.apache.ranger.plugin.policyengine.RangerPolicyEngineCache;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.service.ResourceLookupContext;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.SearchFilter;
import org.apache.ranger.plugin.util.ServicePolicies;
@@ -141,6 +145,9 @@ public class ServiceREST {
@Autowired
RangerValidatorFactory validatorFactory;
+ @Autowired
+ RangerDaoManager daoManager;
+
public ServiceREST() {
}
@@ -159,6 +166,10 @@ public class ServiceREST {
try {
RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore);
validator.validate(serviceDef, Action.CREATE);
+
+ bizUtil.hasAdminPermissions("Service-Def");
+ bizUtil.hasKMSPermissions("Service-Def", serviceDef.getImplClass());
+
ret = svcStore.createServiceDef(serviceDef);
} catch(Exception excp) {
LOG.error("createServiceDef(" + serviceDef + ") failed", excp);
@@ -187,6 +198,10 @@ public class ServiceREST {
try {
RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore);
validator.validate(serviceDef, Action.UPDATE);
+
+ bizUtil.hasAdminPermissions("Service-Def");
+ bizUtil.hasKMSPermissions("Service-Def", serviceDef.getImplClass());
+
ret = svcStore.updateServiceDef(serviceDef);
} catch(Exception excp) {
LOG.error("updateServiceDef(" + serviceDef + ") failed", excp);
@@ -213,7 +228,11 @@ public class ServiceREST {
try {
RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore);
validator.validate(id, Action.DELETE);
-
+
+ bizUtil.hasAdminPermissions("Service-Def");
+ XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(id);
+ bizUtil.hasKMSPermissions("Service-Def", xServiceDef.getImplclassname());
+
String forceDeleteStr = request.getParameter("forceDelete");
boolean forceDelete = false;
if(!StringUtils.isEmpty(forceDeleteStr) && forceDeleteStr.equalsIgnoreCase("true")) {
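Review bot: `daoManager.getXXServiceDef().getById(id)` can return null, and `xServiceDef.getImplclassname()` on the next line then throws a NullPointerException; whether `validator.validate(id, Action.DELETE)` guarantees existence is not visible here, so the check is cheap insurance. Add `if (xServiceDef == null) { throw restErrorUtil.createRESTException("No service-def found with id: " + id, MessageEnums.DATA_NOT_FOUND); }` before the KMS check. The same unguarded dereference appears in createService and updateService (`findByName(service.getType())` at L3247-3248 and L3263-3264) and twice in deleteService (`getById(id)` then `service.getType()` at L3279-3281).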
@@ -243,6 +262,13 @@ public class ServiceREST {
RangerServiceDef ret = null;
try {
+ XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(id);
+ if (!bizUtil.hasAccess(xServiceDef, null)) {
+ throw restErrorUtil.createRESTException(
+ "User is not allowed to access service-def, id: " + xServiceDef.getId(),
+ MessageEnums.OPER_NO_PERMISSION);
+ }
+
ret = svcStore.getServiceDef(id);
} catch(Exception excp) {
LOG.error("getServiceDef(" + id + ") failed", excp);
@@ -272,6 +298,15 @@ public class ServiceREST {
RangerServiceDef ret = null;
try {
+ XXServiceDef xServiceDef = daoManager.getXXServiceDef().findByName(name);
+ if (xServiceDef != null) {
+ if (!bizUtil.hasAccess(xServiceDef, null)) {
+ throw restErrorUtil.createRESTException(
+ "User is not allowed to access service-def: " + xServiceDef.getName(),
+ MessageEnums.OPER_NO_PERMISSION);
+ }
+ }
+
ret = svcStore.getServiceDefByName(name);
} catch(Exception excp) {
LOG.error("getServiceDefByName(" + name + ") failed", excp);
@@ -330,7 +365,15 @@ public class ServiceREST {
try {
RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
validator.validate(service, Action.CREATE);
-
+
+ bizUtil.hasAdminPermissions("Services");
+
+ // TODO: As of now we are allowing SYS_ADMIN to create all the
+ // services including KMS
+
+ XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(service.getType());
+ bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
+
ret = svcStore.createService(service);
} catch(Exception excp) {
LOG.error("createService(" + service + ") failed", excp);
@@ -359,6 +402,15 @@ public class ServiceREST {
try {
RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
validator.validate(service, Action.UPDATE);
+
+ bizUtil.hasAdminPermissions("Services");
+
+ // TODO: As of now we are allowing SYS_ADMIN to create all the
+ // services including KMS
+
+ XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(service.getType());
+ bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
+
ret = svcStore.updateService(service);
} catch(Exception excp) {
LOG.error("updateService(" + service + ") failed", excp);
@@ -385,6 +437,16 @@ public class ServiceREST {
try {
RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
validator.validate(id, Action.DELETE);
+
+ bizUtil.hasAdminPermissions("Services");
+
+ // TODO: As of now we are allowing SYS_ADMIN to create all the
+ // services including KMS
+
+ XXService service = daoManager.getXXService().getById(id);
+ XXServiceDef xxServiceDef = daoManager.getXXServiceDef().getById(service.getType());
+ bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
+
svcStore.deleteService(id);
} catch(Exception excp) {
LOG.error("deleteService(" + id + ") failed", excp);
@@ -1399,8 +1461,9 @@ public class ServiceREST {
private void applyAdminAccessFilter(List<RangerPolicy> policies) {
boolean isAdmin = bizUtil.isAdmin();
+ boolean isKeyAdmin = bizUtil.isKeyAdmin();
- if(!isAdmin && !CollectionUtils.isEmpty(policies)) {
+ if(!isAdmin && !isKeyAdmin && !CollectionUtils.isEmpty(policies)) {
String userName = bizUtil.getCurrentUserLoginId();
Set<String> userGroups = userMgr.getGroupsForUser(userName);
Map<String, RangerPolicyEngine> policyEngines = new HashMap<String, RangerPolicyEngine>();
@@ -1425,13 +1488,39 @@ public class ServiceREST {
i--;
}
}
+ } else if (isAdmin && !CollectionUtils.isEmpty(policies)) {
+ for (int i = 0; i < policies.size(); i++) {
+
+ XXService xService = daoManager.getXXService().findByName(policies.get(i).getService());
+ XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
+
+ if (xServiceDef.getImplclassname().equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
+ policies.remove(i);
+ i--;
+ }
+ }
+ } else if (isKeyAdmin && !CollectionUtils.isEmpty(policies)) {
+ for (int i = 0; i < policies.size(); i++) {
+
+ XXService xService = daoManager.getXXService().findByName(policies.get(i).getService());
+ XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
+
+ if (!xServiceDef.getImplclassname().equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
+ policies.remove(i);
+ i--;
+ }
+ }
}
}
void ensureAdminAccess(String serviceName, Map<String, RangerPolicyResource> resources) {
boolean isAdmin = bizUtil.isAdmin();
+ boolean isKeyAdmin = bizUtil.isKeyAdmin();
+
+ XXService xService = daoManager.getXXService().findByName(serviceName);
+ XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
- if(!isAdmin) {
+ if(!isAdmin && !isKeyAdmin) {
RangerPolicyEngine policyEngine = getPolicyEngine(serviceName);
String userName = bizUtil.getCurrentUserLoginId();
Set<String> userGroups = userMgr.getGroupsForUser(userName);
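Review bot: The two new `else if` branches in applyAdminAccessFilter are the same loop with the comparison inverted, and each iteration issues two DAO lookups (`findByName` then `getById`) per policy even though many policies share a service, and `xService` from `findByName` is dereferenced without a null check. Merging the branches with a per-service memo and dropping any policy whose service-def cannot be resolved keeps the semantics (SYS_ADMIN hides KMS, KEY_ADMIN hides everything else, a session flagged as both stays on the SYS_ADMIN path) while removing the duplication and the N+1 lookups; the rewrite is sketched below. In ensureAdminAccess the new `findByName(serviceName)`/`getById(xService.getType())` pair runs before any branch, so the delegated-admin branch (which never uses them) pays for the lookups and a bad serviceName NPEs on `xService.getType()` before the user is even checked; move both lookups into the admin branches and guard `xService == null`. ensureAdminAccess continues past the end of this hunk.
```java
} else if ((isAdmin || isKeyAdmin) && !CollectionUtils.isEmpty(policies)) {
    // SYS_ADMIN sees every non-KMS policy; KEY_ADMIN sees only KMS policies.
    // A session flagged as both is treated as SYS_ADMIN, as before.
    boolean keepKms = !isAdmin;
    // memoize service -> isKMS: policies of the same service share the answer
    Map<String, Boolean> kmsByService = new HashMap<String, Boolean>();
    for (int i = 0; i < policies.size(); i++) {
        String serviceName = policies.get(i).getService();
        Boolean isKms = kmsByService.get(serviceName);
        if (isKms == null) {
            XXService xService = daoManager.getXXService().findByName(serviceName);
            XXServiceDef xServiceDef = (xService == null) ? null
                    : daoManager.getXXServiceDef().getById(xService.getType());
            if (xServiceDef == null) {
                // policy points at a service/def we cannot resolve: hide it (fail closed)
                policies.remove(i);
                i--;
                continue;
            }
            isKms = EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname());
            kmsByService.put(serviceName, isKms);
        }
        if (isKms.booleanValue() != keepKms) {
            policies.remove(i);
            i--;
        }
    }
}
// … unchanged: ensureAdminAccess …
```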
@@ -1442,6 +1531,18 @@ public class ServiceREST {
throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED,
"User '" + userName + "' does not have delegated-admin privilege on given resources", true);
}
+ } else if (isAdmin) {
+ if (xServiceDef.getImplclassname().equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
+ throw restErrorUtil.createRESTException(
+ "KMS Policies/Services/Service-Defs are not accessible for logged in user.",
+ MessageEnums.OPER_NO_PERMISSION);
+ }
+ } else if (isKeyAdmin) {
+ if (!xServiceDef.getImplclassname().equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
+ throw restErrorUtil.createRESTException(
+ "Only KMS Policies/Services/Service-Defs are accessible for logged in user.",
+ MessageEnums.OPER_NO_PERMISSION);
+ }
}
}
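Review bot: The two new rejections say only "not accessible for logged in user" and name neither the service nor the user, while the delegated-admin branch a few lines up includes `userName` and reports via `HttpServletResponse.SC_UNAUTHORIZED`; for audit and support the KMS-mismatch errors should carry the same context, e.g. `"KMS policies/services/service-defs are not accessible for user '" + bizUtil.getCurrentUserLoginId() + "' (service: " + serviceName + ")"`. If the two paths end up with different HTTP statuses (OPER_NO_PERMISSION versus an explicit 401), that is worth aligning as well. The enclosing ensureAdminAccess starts outside the hunk.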
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
index 4885c92..93980b4 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
@@ -33,6 +33,7 @@ import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import org.apache.log4j.Logger;
+import org.apache.ranger.biz.RangerBizUtil;
import org.apache.ranger.biz.SessionMgr;
import org.apache.ranger.biz.XUserMgr;
import org.apache.ranger.common.RESTErrorUtil;
@@ -135,6 +136,9 @@ public class XUserREST {
@Autowired
AuthSessionService authSessionService;
+ @Autowired
+ RangerBizUtil bizUtil;
+
// Handle XGroup
@GET
@Path("/groups/{id}")
@@ -263,6 +267,8 @@ public class XUserREST {
@Produces({ "application/xml", "application/json" })
@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
public VXUser secureCreateXUser(VXUser vXUser) {
+
+ bizUtil.checkUserAccessible(vXUser);
return xUserMgr.createXUser(vXUser);
}
@@ -277,6 +283,8 @@ public class XUserREST {
@Path("/secure/users/{id}")
@Produces({ "application/xml", "application/json" })
public VXUser secureUpdateXUser(VXUser vXUser) {
+
+ bizUtil.checkUserAccessible(vXUser);
return xUserMgr.updateXUser(vXUser);
}
@@ -317,8 +325,9 @@ public class XUserREST {
searchUtil.extractInt(request, searchCriteria, "userSource", "User Source");
searchUtil.extractInt(request, searchCriteria, "isVisible", "User Visibility");
searchUtil.extractInt(request, searchCriteria, "status", "User Status");
- searchUtil.extractString(request, searchCriteria, "userRoleList", "User Role",
+ searchUtil.extractStringList(request, searchCriteria, "userRoleList", "User Role List", "userRoleList", null,
null);
+ searchUtil.extractString(request, searchCriteria, "userRole", "UserRole", null);
return xUserMgr.searchXUsers(searchCriteria);
}
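Review bot: Which users a SYS_ADMIN versus a KEY_ADMIN gets to list is now decided by the client-supplied `userRoleList` query parameter (built in XAUtils.getUserDataParams, L3659-3678), and the server-side change simply forwards whatever list arrives to `xUserMgr.searchXUsers`; the parameter is bound as a JPQL collection parameter (SearchUtil hunk, L3102-3113), so this is not an injection concern, but any caller can omit or widen the list and see the roles the UI hides. If hiding KEY_ADMIN users from SYS_ADMIN (and vice versa) is a requirement rather than a convenience, derive or clamp the role list from the session flags inside searchXUsers instead of trusting the request. A one-line comment here stating that the filter is UI-driven would at least make the current contract explicit.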
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefService.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefService.java
index 33a2da3..4970ffe 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefService.java
@@ -160,30 +160,39 @@ public class RangerServiceDefService extends RangerServiceDefServiceBase<XXServi
}
@Override
public RangerServiceDefList searchRangerServiceDefs(SearchFilter searchFilter) {
- List<RangerServiceDef> serviceDefList = new ArrayList<RangerServiceDef>();
+ //List<RangerServiceDef> serviceDefList = new ArrayList<RangerServiceDef>();
RangerServiceDefList retList = new RangerServiceDefList();
-
+ int startIndex = searchFilter.getStartIndex();
+ int pageSize = searchFilter.getMaxRows();
+ searchFilter.setStartIndex(0);
+ searchFilter.setMaxRows(Integer.MAX_VALUE);
List<XXServiceDef> xSvcDefList = (List<XXServiceDef>) searchResources(searchFilter, searchFields, sortFields, retList);
UserSessionBase sessionBase = ContextUtil.getCurrentUserSession();
- List<String> userRoleList = (sessionBase != null) ? sessionBase.getUserRoleList() : null;
-
+ //List<String> userRoleList = (sessionBase != null) ? sessionBase.getUserRoleList() : null;
+ List<XXServiceDef> permittedServiceDefs = new ArrayList<XXServiceDef>();
for (XXServiceDef xSvcDef : xSvcDefList) {
- if(userRoleList != null && !userRoleList.contains(RangerConstants.ROLE_KEY_ADMIN)){
- if(xSvcDef!=null && !"KMS".equalsIgnoreCase(xSvcDef.getName())){
- serviceDefList.add(populateViewBean(xSvcDef));
- }
- }
- else if(userRoleList != null && userRoleList.contains(RangerConstants.ROLE_KEY_ADMIN)){
- if(xSvcDef!=null && "KMS".equalsIgnoreCase(xSvcDef.getName())){
- serviceDefList.add(populateViewBean(xSvcDef));
- break;
- }
+ if(bizUtil.hasAccess(xSvcDef, null)){
+ permittedServiceDefs.add(xSvcDef);
}
}
- retList.setServiceDefs(serviceDefList);
-
+ //retList.setServiceDefs(serviceDefList);
+ if(permittedServiceDefs.size() > 0) {
+ populatePageList(permittedServiceDefs, startIndex, pageSize, retList);
+ }
return retList;
}
+ private void populatePageList(List<XXServiceDef> xxObjList, int startIndex, int pageSize,
+ RangerServiceDefList retList) {
+ List<RangerServiceDef> onePageList = new ArrayList<RangerServiceDef>();
+ for (int i = startIndex; i < pageSize + startIndex && i < xxObjList.size(); i++) {
+ onePageList.add(populateViewBean(xxObjList.get(i)));
+ }
+ retList.setServiceDefs(onePageList);
+ retList.setStartIndex(startIndex);
+ retList.setPageSize(pageSize);
+ retList.setResultSize(onePageList.size());
+ retList.setTotalCount(xxObjList.size());
+ }
}
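Review bot: Three commented-out lines (`//List<RangerServiceDef> serviceDefList ...`, `//List<String> userRoleList ...`, `//retList.setServiceDefs(serviceDefList);`) are left in place and should be deleted rather than kept as history. `searchFilter.setStartIndex(0)` and `searchFilter.setMaxRows(Integer.MAX_VALUE)` mutate the caller's filter object and never restore the original values, so a caller that reuses the filter afterwards gets different paging. When `permittedServiceDefs` is empty the `if` skips `populatePageList`, leaving `retList` with whatever `searchResources` put there — if that includes the unfiltered total, the response would reveal how many service-defs were hidden; calling `populatePageList(permittedServiceDefs, startIndex, pageSize, retList);` unconditionally handles the empty list correctly and sets the page fields consistently. The same three points apply to the RangerServiceServiceBase hunk at L3474-3516.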
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/java/org/apache/ranger/service/RangerServiceServiceBase.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceServiceBase.java b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceServiceBase.java
index 66f02fe..d0ddcff 100755
--- a/security-admin/src/main/java/org/apache/ranger/service/RangerServiceServiceBase.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/RangerServiceServiceBase.java
@@ -32,6 +32,7 @@ import org.apache.ranger.entity.XXService;
import org.apache.ranger.entity.XXServiceBase;
import org.apache.ranger.entity.XXServiceDef;
import org.apache.ranger.plugin.model.RangerService;
+import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.util.SearchFilter;
import org.apache.ranger.view.RangerServiceList;
import org.springframework.beans.factory.annotation.Autowired;
@@ -98,15 +99,42 @@ public abstract class RangerServiceServiceBase<T extends XXServiceBase, V extend
@SuppressWarnings("unchecked")
public RangerServiceList searchRangerServices(SearchFilter searchFilter) {
- List<RangerService> serviceList = new ArrayList<RangerService>();
RangerServiceList retList = new RangerServiceList();
+ int startIndex = searchFilter.getStartIndex();
+ int pageSize = searchFilter.getMaxRows();
+ searchFilter.setStartIndex(0);
+ searchFilter.setMaxRows(Integer.MAX_VALUE);
+
List<XXService> xSvcList = (List<XXService>) searchResources(searchFilter, searchFields, sortFields, retList);
+ List<XXService> permittedServices = new ArrayList<XXService>();
+
for (XXService xSvc : xSvcList) {
- serviceList.add(populateViewBean((T) xSvc));
+ if(bizUtil.hasAccess(xSvc, null)){
+ permittedServices.add(xSvc);
+ }
}
- retList.setServices(serviceList);
+
+ if(permittedServices.size() > 0) {
+ populatePageList(permittedServices, startIndex, pageSize, retList);
+ }
+
return retList;
}
+ @SuppressWarnings("unchecked")
+ private void populatePageList(List<XXService> xxObjList, int startIndex, int pageSize,
+ RangerServiceList retList) {
+ List<RangerService> onePageList = new ArrayList<RangerService>();
+
+ for (int i = startIndex; i < pageSize + startIndex && i < xxObjList.size(); i++) {
+ onePageList.add(populateViewBean((T)xxObjList.get(i)));
+ }
+ retList.setServices(onePageList);
+ retList.setStartIndex(startIndex);
+ retList.setPageSize(pageSize);
+ retList.setResultSize(onePageList.size());
+ retList.setTotalCount(xxObjList.size());
+ }
+
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java b/security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java
index 9598308..98c987e 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/XAccessAuditService.java
@@ -33,6 +33,8 @@ import org.apache.ranger.common.SortField;
import org.apache.ranger.common.SortField.SORT_ORDER;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.entity.XXAccessAudit;
+import org.apache.ranger.entity.XXService;
+import org.apache.ranger.entity.XXServiceDef;
import org.apache.ranger.view.VXAccessAudit;
import org.apache.ranger.view.VXAccessAuditList;
import org.springframework.beans.factory.annotation.Autowired;
@@ -147,6 +149,13 @@ public class XAccessAuditService extends XAccessAuditServiceBase<XXAccessAudit,
vObj.setSequenceNumber( mObj.getSequenceNumber());
vObj.setEventCount( mObj.getEventCount());
vObj.setEventDuration( mObj.getEventDuration());
+
+ XXService xService = daoManager.getXXService().findByName(mObj.getRepoName());
+ if (xService != null) {
+ XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
+ vObj.setServiceType(xServiceDef.getName());
+ }
+
return vObj;
}
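Review bot: `daoManager.getXXServiceDef().getById(xService.getType())` is dereferenced without a null check, so a service whose type no longer resolves turns the whole audit listing into a NullPointerException; guard it with `if (xServiceDef != null) { vObj.setServiceType(xServiceDef.getName()); }`. populateViewBean runs once per audit row, so this adds two database round-trips per row on every audit page; caching the repoName-to-serviceType mapping at the service level (or resolving it once per search) would avoid the N+1 pattern. The enclosing populateViewBean begins outside the hunk.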
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/java/org/apache/ranger/service/XUserService.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XUserService.java b/security-admin/src/main/java/org/apache/ranger/service/XUserService.java
index b013af5..474a6ab 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XUserService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/XUserService.java
@@ -103,7 +103,7 @@ public class XUserService extends XUserServiceBase<XXUser, VXUser> {
"XXPortalUser xXPortalUser", "xXPortalUser.loginId = obj.name "));
searchFields.add(new SearchField("userRoleList", "xXPortalUserRole.userRole",
- SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.FULL,
+ SearchField.DATA_TYPE.STR_LIST, SearchField.SEARCH_TYPE.FULL,
"XXPortalUser xXPortalUser, XXPortalUserRole xXPortalUserRole",
"xXPortalUser.id=xXPortalUserRole.userId and xXPortalUser.loginId = obj.name "));
@@ -113,6 +113,10 @@ public class XUserService extends XUserServiceBase<XXUser, VXUser> {
searchFields.add(new SearchField("status", "xXPortalUser.status",
SearchField.DATA_TYPE.INTEGER, SearchField.SEARCH_TYPE.FULL,
"XXPortalUser xXPortalUser", "xXPortalUser.loginId = obj.name "));
+ searchFields.add(new SearchField("userRole", "xXPortalUserRole.userRole",
+ SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.FULL,
+ "XXPortalUser xXPortalUser, XXPortalUserRole xXPortalUserRole",
+ "xXPortalUser.id=xXPortalUserRole.userId and xXPortalUser.loginId = obj.name "));
createdByUserId = new Long(PropertiesUtil.getIntProperty("ranger.xuser.createdByUserId", 1));
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java b/security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java
index 16b6718..bcffd4d 100644
--- a/security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java
+++ b/security-admin/src/main/java/org/apache/ranger/view/VXAccessAudit.java
@@ -88,6 +88,10 @@ public class VXAccessAudit extends VXDataObject implements java.io.Serializable
*/
protected int repoType;
/**
+ * Service Type ~~ repoType
+ */
+ protected String serviceType;
+ /**
* Reason of result
*/
protected String resultReason;
@@ -305,6 +309,20 @@ public class VXAccessAudit extends VXDataObject implements java.io.Serializable
}
/**
+ * @return the serviceType
+ */
+ public String getServiceType() {
+ return serviceType;
+ }
+
+ /**
+ * @param serviceType the serviceType to set
+ */
+ public void setServiceType(String serviceType) {
+ this.serviceType = serviceType;
+ }
+
+ /**
* This method sets the value to the member attribute <b>resultReason</b>.
* You cannot set null to the attribute.
* @param resultReason Value to set member attribute <b>resultReason</b>
@@ -486,6 +504,7 @@ public class VXAccessAudit extends VXDataObject implements java.io.Serializable
str += "policyId={" + policyId + "} ";
str += "repoName={" + repoName + "} ";
str += "repoType={" + repoType + "} ";
+ str += "serviceType={" + serviceType + "} ";
str += "resultReason={" + resultReason + "} ";
str += "sessionId={" + sessionId + "} ";
str += "eventTime={" + eventTime + "} ";
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/webapp/scripts/controllers/Controller.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/controllers/Controller.js b/security-admin/src/main/webapp/scripts/controllers/Controller.js
index ec7ccee..0819f9e 100755
--- a/security-admin/src/main/webapp/scripts/controllers/Controller.js
+++ b/security-admin/src/main/webapp/scripts/controllers/Controller.js
@@ -134,6 +134,7 @@ define(function(require) {
MAppState.set({
'currentTab' : XAGlobals.AppTabs.Settings.value
});
+ var XAUtil = require('utils/XAUtils');
var view = require('views/users/UserTableLayout');
var VXUserList = require('collections/VXUserList');
var userList = new VXUserList();
@@ -142,8 +143,9 @@ define(function(require) {
collection : userList,
tab :tab
}));
+ _.extend(userList.queryParams, XAUtil.getUserDataParams())
userList.fetch({
- cache:true
+ cache:false,
});
},
userCreateAction : function(){
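Review bot: `cache:false,` leaves a trailing comma in the object literal, which older browsers (IE8) reject and most linters flag; write `cache:false` without the comma. The new `_.extend(userList.queryParams, XAUtil.getUserDataParams())` line is missing its terminating semicolon. Both are style only; the switch to `cache:false` itself is fine given the role-dependent query parameters.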
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
index 8532152..fa02166 100644
--- a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
+++ b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
@@ -226,7 +226,8 @@ define(function(require) {
addNewConfig : 'Add New Configurations',
createService : 'Create Service',
editService : 'Edit Service',
- serviceDetails : 'Service Details'
+ serviceDetails : 'Service Details',
+ serviceName : 'Service Name'
},
btn : {
add : 'Add',
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/webapp/scripts/utils/XAUtils.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/utils/XAUtils.js b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
index b99d8fd..a83b22a 100644
--- a/security-admin/src/main/webapp/scripts/utils/XAUtils.js
+++ b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
@@ -1080,6 +1080,18 @@ define(function(require) {
//If a user doesnot has access to any tab - taking user to by default Profile page.
location.hash = XALinks.get('UserProfile').href;
}
- }
+ };
+ XAUtils.getUserDataParams = function(){
+ var SessionMgr = require('mgrs/SessionMgr');
+ var userRoleList = []
+ _.each(XAEnums.UserRoles,function(val, key){
+ if(SessionMgr.isKeyAdmin() && XAEnums.UserRoles.ROLE_SYS_ADMIN.value != val.value){
+ userRoleList.push(key)
+ }else if(!SessionMgr.isKeyAdmin() && XAEnums.UserRoles.ROLE_KEY_ADMIN.value != val.value){
+ userRoleList.push(key)
+ }
+ })
+ return {'userRoleList' : userRoleList };
+ };
return XAUtils;
});
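Review bot: `getUserDataParams` builds the role filter in the browser and ships it as a `userRoleList` query parameter, so it is a display convenience rather than an access-control boundary; any caller can drop or widen the parameter, and the server-side user search has to apply the same KeyAdmin/SysAdmin restriction on its own (not visible in this diff — presumably it does, but worth confirming before relying on the hidden rows). The new function also lacks the statement terminators the rest of the file uses on L3667, L3670, L3672 and L3674 (`var userRoleList = [];`, `userRoleList.push(key);`, `});`). A short JSDoc would help the next reader: `/** Roles a user listing may show for the logged-in session: a KeyAdmin never sees ROLE_SYS_ADMIN users, every other role never sees ROLE_KEY_ADMIN users. The server must enforce the same rule. */`.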
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js b/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js
index 38e528a..0901892 100644
--- a/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js
+++ b/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js
@@ -28,6 +28,8 @@ define(function(require) {
var XAEnums = require('utils/XAEnums');
var XAUtil = require('utils/XAUtils');
var localization = require('utils/XALangSupport');
+ var SessionMgr = require('mgrs/SessionMgr');
+
var VXGroup = require('models/VXGroup');
var VXGroupList = require('collections/VXGroupList');
var VXUserList = require('collections/VXUserList');
@@ -198,7 +200,16 @@ define(function(require) {
url: url,
dataType: 'json',
data: function (term, page) {
- return {name : term, isVisible : XAEnums.VisibilityStatus.STATUS_VISIBLE.value};
+ var data = { name : term, isVisible : XAEnums.VisibilityStatus.STATUS_VISIBLE.value };
+ var userRoleList = []
+ _.each(XAEnums.UserRoles,function(val, key){
+ if(SessionMgr.isKeyAdmin() && XAEnums.UserRoles.ROLE_KEY_ADMIN.value == val.value){
+ userRoleList.push(key)
+ }else if(!SessionMgr.isKeyAdmin() && XAEnums.UserRoles.ROLE_KEY_ADMIN.value != val.value){
+ userRoleList.push(key)
+ }
+ })
+ return _.extend(data,{'userRoleList' : userRoleList });
},
results: function (data, page) {
var results = [] , selectedVals = [];
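Review bot: The role list built on L3700-L3707 duplicates `XAUtils.getUserDataParams` from the same commit but with a different rule: a KeyAdmin here gets only `ROLE_KEY_ADMIN` (`==` on L3702), whereas `getUserDataParams` gives a KeyAdmin every role except `ROLE_SYS_ADMIN`. If the narrower picker is intended for policy items, say so in a comment above L3700, e.g. `// policy user picker: a KeyAdmin may only grant to other key admins`; otherwise replace L3700-L3708 with `return _.extend(data, XAUtil.getUserDataParams());` (`XAUtil` is already required on L3687) so the two filters cannot drift apart. Either way the filter is client-side only; the user search endpoint has to enforce visibility for KeyAdmin sessions itself.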
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js b/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
index 2f418be..0503ba9 100644
--- a/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
+++ b/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
@@ -30,6 +30,7 @@ define(function(require) {
var XABackgrid = require('views/common/XABackgrid');
var XATableLayout = require('views/common/XATableLayout');
var localization = require('utils/XALangSupport');
+ var SessionMgr = require('mgrs/SessionMgr');
var VXAuthSession = require('collections/VXAuthSessionList');
var VXTrxLogList = require('collections/VXTrxLogList');
@@ -731,6 +732,9 @@ define(function(require) {
var self = this;
var policyId = this.model.get('policyId');
var serviceDef = that.serviceDefList.findWhere({'id':this.model.get('repoType')});
+ if(_.isUndefined(serviceDef)){
+ return ;
+ }
var eventTime = this.model.get('eventTime');
var policy = new RangerPolicy({
@@ -786,12 +790,19 @@ define(function(require) {
if(rawValue == -1){
return '--';
}
- var rangerService = new RangerService();
+ /*var rangerService = new RangerService();
rangerService.urlRoot += '/name/'+model.get('repoName');
rangerService.fetch({
cache : false,
async : false
- });
+ });*/
+
+// if (SessionMgr.isKeyAdmin()) {
+ var serviceDef = that.serviceDefList.findWhere({'id' : model.get('repoType')})
+ if(_.isUndefined(serviceDef)){
+ return rawValue;
+ }
+// }
var href = 'javascript:void(0)';
return '<a href="'+href+'" title="'+rawValue+'">'+rawValue+'</a>';
}
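Review bot: The hunk leaves three pieces of commented-out code behind (the `rangerService` fetch on L3739-L3745 and the `// if (SessionMgr.isKeyAdmin())` guard on L3747 and L3752); in a formatter that decides whether an audit row becomes a link, dead code hides the real rule, so delete it and state the rule in one line instead: `// only rows whose service type is known to this session become links`. With the guard commented out, `SessionMgr`, added in the import hunk above, appears unused in the visible code — confirm it is referenced elsewhere in the file or drop the require. The enclosing formatter function starts before this hunk.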
@@ -831,17 +842,8 @@ define(function(require) {
editable:false,
formatter: _.extend({}, Backgrid.CellFormatter.prototype, {
fromRaw: function (rawValue, model) {
- var html='';
- var repoType = model.get('repoType');
- that.serviceDefList.each(function(m){
- if(parseInt(repoType) == m.id){
- rawValue = _.escape(rawValue);
- html = '<div title="'+rawValue+'">'+rawValue+'</div>\
- <div title="'+rawValue+'" style="border-top: 1px solid #ddd;">'+_.escape(m.get('name'))+'</div>';
- return ;
- }
- });
- return html;
+ return '<div title="'+rawValue+'">'+_.escape(rawValue)+'</div>\
+ <div title="'+model.get('serviceType')+'" style="border-top: 1px solid #ddd;">'+_.escape(model.get('serviceType'))+'</div>';;
}
})
},
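Review bot: The new formatter on L3771-L3772 escapes the two text nodes but interpolates the raw `rawValue` and `model.get('serviceType')` into the `title` attributes, while the removed code escaped `rawValue` before using it in the attribute, so a repository name or service type containing `"` (audit records are written by plugins, not by this UI) can break out of the attribute and inject markup into the audit report. Escape once and reuse the escaped values in both places: `var name = _.escape(rawValue), type = _.escape(model.get('serviceType'));` then `return '<div title="'+name+'">'+name+'</div><div title="'+type+'" style="border-top: 1px solid #ddd;">'+type+'</div>';`. That also removes the stray `;;` at the end of L3772.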
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/webapp/scripts/views/users/UserForm.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/users/UserForm.js b/security-admin/src/main/webapp/scripts/views/users/UserForm.js
index abd3097..5788335 100644
--- a/security-admin/src/main/webapp/scripts/views/users/UserForm.js
+++ b/security-admin/src/main/webapp/scripts/views/users/UserForm.js
@@ -98,7 +98,13 @@ define(function(require){
userRoleList : {
type : 'Select',
options : function(callback, editor){
- var userTypes = _.filter(XAEnums.UserRoles,function(m){return m.label != 'Unknown'});
+
+ var userTypes = _.filter(XAEnums.UserRoles,function(m){
+ if(!SessionMgr.isKeyAdmin())
+ return m.label != 'Unknown' && m.label != 'KeyAdmin';
+ else
+ return m.label != 'Unknown'
+ });
var nvPairs = XAUtils.enumToSelectPairs(userTypes);
callback(nvPairs);
},
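Review bot: For a KeyAdmin session the filter on L3788-L3793 removes only `Unknown`, so the role dropdown still offers the SysAdmin role, and the second hunk in this file enables that editor for KeyAdmin; `XAUtils.getUserDataParams` in the same commit deliberately hides `ROLE_SYS_ADMIN` from KeyAdmin, so the two disagree. Unless the server rejects a KeyAdmin assigning `ROLE_SYS_ADMIN` (not visible in this diff), this is a privilege-escalation path through the UI; the `else` branch should read `return m.label != 'Unknown' && m.value != XAEnums.UserRoles.ROLE_SYS_ADMIN.value;`. Matching on `m.label != 'KeyAdmin'` in the other branch is fragile as well, since labels are presumably display strings; compare against `XAEnums.UserRoles.ROLE_KEY_ADMIN.value` as `XAUtils.getUserDataParams` does. Whether the server enforces the restriction independently needs confirming regardless, because this filter runs in the browser.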
@@ -141,7 +147,9 @@ define(function(require){
if(_.contains(SessionMgr.getUserProfile().get('userRoleList'),'ROLE_SYS_ADMIN')){
this.fields.userRoleList.editor.$el.attr('disabled',false);
}else{
- this.fields.userRoleList.editor.$el.attr('disabled',true);
+ if(!SessionMgr.isKeyAdmin()){
+ this.fields.userRoleList.editor.$el.attr('disabled',true);
+ }
}
}else{
this.fields.userRoleList.editor.$el.attr('disabled',true);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js b/security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js
index 136ae5d..2ade868 100644
--- a/security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js
+++ b/security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js
@@ -27,6 +27,7 @@ define(function(require){
var XAUtil = require('utils/XAUtils');
var XABackgrid = require('views/common/XABackgrid');
var localization = require('utils/XALangSupport');
+ var SessionMgr = require('mgrs/SessionMgr');
var VXGroupList = require('collections/VXGroupList');
var VXGroup = require('models/VXGroup');
@@ -61,7 +62,8 @@ define(function(require){
btnShowHide : '[data-action="showHide"]',
visibilityDropdown : '[data-id="visibilityDropdown"]',
activeStatusDropdown : '[data-id="activeStatusDropdown"]',
- activeStatusDiv :'[data-id="activeStatusDiv"]'
+ activeStatusDiv :'[data-id="activeStatusDiv"]',
+ addNewBtnDiv : '[data-id="addNewBtnDiv"]'
},
/** ui events hash */
@@ -203,8 +205,10 @@ define(function(require){
}
this.collection.selectNone();
this.renderUserListTable();
+ _.extend(this.collection.queryParams, XAUtil.getUserDataParams())
this.collection.fetch({
- cache:true
+ cache:true,
+// data : XAUtil.getUserDataParams(),
}).done(function(){
if(!_.isString(that.ui.addNewGroup)){
that.ui.addNewGroup.hide();
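Review bot: The commented-out `// data : XAUtil.getUserDataParams(),` on L3838 should be removed now that the parameters are merged into `queryParams` on L3834; it documents an abandoned approach, not the current one. This call also keeps `cache:true` while the same fetch in `Controller.js` was switched to `cache:false` in this commit; if the collection cache key does not include `queryParams` (not visible here), a cached unfiltered page could be served after the role filter is applied, so align both call sites or document why they differ, e.g. `cache:false, // role filter lives in queryParams; never reuse a cached page`. The enclosing render function starts before this hunk.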
@@ -212,6 +216,7 @@ define(function(require){
that.ui.activeStatusDiv.show();
}
that.$('.wrap-header').text('User List');
+ that.checkRoleKeyAdmin();
});
},
renderGroupTab : function(){
@@ -230,6 +235,7 @@ define(function(require){
that.$('.wrap-header').text('Group List');
that.$('ul').find('[data-js="groups"]').addClass('active');
that.$('ul').find('[data-js="users"]').removeClass();
+ that.checkRoleKeyAdmin();
});
},
renderUserListTable : function(){
@@ -472,7 +478,7 @@ define(function(require){
var userRoleList = _.map(XAEnums.UserRoles,function(obj,key){return {label:obj.label,value:key};});
serverAttrName = [ {text : "User Name", label :"name"},
{text : "Email Address", label :"emailAddress"},
- {text : "Role", label :"userRoleList", 'multiple' : true, 'optionsArr' : userRoleList},
+ {text : "Role", label :"userRole", 'multiple' : true, 'optionsArr' : userRoleList},
{text : "Visibility", label :"isVisible", 'multiple' : true, 'optionsArr' : XAUtil.enumToSelectLabelValuePairs(XAEnums.VisibilityStatus)},
{text : "User Source", label :"userSource", 'multiple' : true, 'optionsArr' : XAUtil.enumToSelectLabelValuePairs(XAEnums.UserTypes)},
{text : "User Status", label :"status", 'multiple' : true, 'optionsArr' : XAUtil.enumToSelectLabelValuePairs(XAEnums.ActiveStatus)},
@@ -540,6 +546,11 @@ define(function(require){
$('[data-id="showMore"][policy-group-id="'+id+'"]').show();
$('[data-id="showMore"][policy-group-id="'+id+'"]').parents('div[data-id="groupsDiv"]').removeClass('set-height-groups')
},
+ checkRoleKeyAdmin : function() {
+ if(SessionMgr.isKeyAdmin()){
+ this.ui.addNewBtnDiv.children().hide()
+ }
+ },
/** all post render plugin initialization */
initializePlugins: function(){
},
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html b/security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html
index 6dd4b0f..5d38022 100644
--- a/security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html
+++ b/security-admin/src/main/webapp/templates/users/UserTableLayout_tmpl.html
@@ -26,10 +26,10 @@
<h3 class="wrap-header bold"> {{tt 'lbl.userListing'}} </h3>
<div class="wrap non-collapsible m-height ">
<div>
- <div class="span8">
+ <div class="span8" style=" margin-bottom: 11px; ">
<div class="visual_search"></div>
</div>
- <div class="clearfix">
+ <div class="clearfix" data-id="addNewBtnDiv">
<a href="#!/user/create" class="btn btn-primary btn-right" type="button" data-id="addNewUser"> {{tt 'lbl.addNewUser'}} </a>
<a href="#!/group/create" class="btn btn-primary btn-right" type="button" data-id="addNewGroup" style="display:none;"> {{tt 'lbl.addNewGroup'}} </a>
<div class="btn-group btn-right">
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c510b449/security-admin/src/test/java/org/apache/ranger/rest/TestServiceRESTForValidation.java
----------------------------------------------------------------------
diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceRESTForValidation.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceRESTForValidation.java
index 57a6f1f..c591750 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceRESTForValidation.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceRESTForValidation.java
@@ -47,6 +47,7 @@ import org.junit.Ignore;
import org.junit.Test;
import org.mockito.Mockito;
+@Ignore("Junit breakage: RANGER-516") // TODO
public class TestServiceRESTForValidation {
private static final Log LOG = LogFactory.getLog(TestServiceRESTForValidation.class);
[11/12] incubator-ranger git commit: RANGER-517 : Fix Unix
authentication
Posted by sn...@apache.org.
RANGER-517 : Fix Unix authentication
Signed-off-by: sneethiraj <sn...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/3250e5c2
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/3250e5c2
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/3250e5c2
Branch: refs/heads/ranger-0.5
Commit: 3250e5c22fb4d4f5048b62bb2d26fc8b706d5caa
Parents: a097b7f
Author: Gautam Borad <gb...@gmail.com>
Authored: Sun May 31 09:17:47 2015 +0530
Committer: sneethiraj <sn...@apache.org>
Committed: Sun May 31 00:27:34 2015 -0400
----------------------------------------------------------------------
.../java/org/apache/ranger/common/PropertiesUtil.java | 3 +++
.../org/apache/ranger/common/XMLPropertiesUtil.java | 2 +-
.../handler/RangerAuthenticationProvider.java | 14 +++-----------
3 files changed, 7 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3250e5c2/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
index a0bfff4..4044443 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
@@ -222,4 +222,7 @@ public class PropertiesUtil extends PropertyPlaceholderConfigurer {
}
return Boolean.parseBoolean(value);
}
+ public static Map<String, String> getPropertiesMap() {
+ return propertiesMap;
+ }
}
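Review bot: `getPropertiesMap` on L3942-L3944 returns the live static map, so any caller can mutate the admin server's global configuration, and the only caller in this commit forwards the whole map to a JAAS login module as its options — including any credentials the admin site config holds (DB or LDAP bind passwords, if they are configured there). Return a read-only view instead: `return Collections.unmodifiableMap(propertiesMap);` (needs `java.util.Collections`), and add a Javadoc `/** Read-only view of every loaded property; may contain secrets, so callers should copy out only the keys they need. */`.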
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3250e5c2/security-admin/src/main/java/org/apache/ranger/common/XMLPropertiesUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/XMLPropertiesUtil.java b/security-admin/src/main/java/org/apache/ranger/common/XMLPropertiesUtil.java
index a00664d..521fe2f 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/XMLPropertiesUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/XMLPropertiesUtil.java
@@ -84,7 +84,7 @@ public class XMLPropertiesUtil extends DefaultPropertiesPersister {
properties.put(propertyName, propertyValue);
}
- logger.info("ranger site properties loaded successfully.");
+ //logger.info("ranger site properties loaded successfully.");
}
} catch (Exception e) {
logger.error("Error loading : ", e);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/3250e5c2/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
index 3275a8e..ac522cc 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
@@ -19,7 +19,6 @@
package org.apache.ranger.security.handler;
-import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
@@ -288,27 +287,20 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
DefaultJaasAuthenticationProvider jaasAuthenticationProvider = new DefaultJaasAuthenticationProvider();
String loginModuleName = "org.apache.ranger.authentication.unix.jaas.RemoteUnixLoginModule";
LoginModuleControlFlag controlFlag = LoginModuleControlFlag.REQUIRED;
- Map<String, String> options = (Map<String, String>) new HashMap<String, String>();
- options.put("configFile", "ranger-admin-site.xml");
+ Map<String, String> options = PropertiesUtil.getPropertiesMap();
AppConfigurationEntry appConfigurationEntry = new AppConfigurationEntry(
loginModuleName, controlFlag, options);
AppConfigurationEntry[] appConfigurationEntries = new AppConfigurationEntry[] { appConfigurationEntry };
- Map<String, AppConfigurationEntry[]> appConfigurationEntriesOptions = (Map<String, AppConfigurationEntry[]>) new HashMap<String, AppConfigurationEntry[]>();
+ Map<String, AppConfigurationEntry[]> appConfigurationEntriesOptions = new HashMap<String, AppConfigurationEntry[]>();
appConfigurationEntriesOptions.put("SPRINGSECURITY",
appConfigurationEntries);
Configuration configuration = new InMemoryConfiguration(
appConfigurationEntriesOptions);
-
jaasAuthenticationProvider.setConfiguration(configuration);
-
RoleUserAuthorityGranter authorityGranter = new RoleUserAuthorityGranter();
-
- authorityGranter.grant((Principal) authentication.getPrincipal());
-
RoleUserAuthorityGranter[] authorityGranters = new RoleUserAuthorityGranter[] { authorityGranter };
-
jaasAuthenticationProvider.setAuthorityGranters(authorityGranters);
-
+ jaasAuthenticationProvider.afterPropertiesSet();
String userName = authentication.getName();
String userPassword = "";
if (authentication.getCredentials() != null) {
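Review bot: L3978 replaces a one-entry options map with every property loaded by `PropertiesUtil`, so `RemoteUnixLoginModule` now receives the full admin configuration, including any passwords it holds, where the previous code handed it only a file name; copy out just the keys the module reads (presumably the `ranger.unixauth.*` entries — confirm against the module), e.g. `for (Map.Entry<String, String> e : PropertiesUtil.getPropertiesMap().entrySet()) { if (e.getKey().startsWith("ranger.unixauth.")) { options.put(e.getKey(), e.getValue()); } }` after `Map<String, String> options = new HashMap<String, String>();`. `afterPropertiesSet()` on L3999 is declared `throws Exception` on Spring's `InitializingBean`, so the enclosing method must either declare it or, better, wrap it in an `AuthenticationServiceException` so a misconfigured JAAS setup surfaces as an authentication failure; the method signature is outside this hunk. Building and initialising a new `DefaultJaasAuthenticationProvider` on every login attempt also repeats the configuration work per request — caching it after first use would avoid that.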
[04/12] incubator-ranger git commit: RANGER-510 : Client IP not
getting populated for KMS in audit
Posted by sn...@apache.org.
RANGER-510 : Client IP not getting populated for KMS in audit
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/dda7a165
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/dda7a165
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/dda7a165
Branch: refs/heads/ranger-0.5
Commit: dda7a165c5a7c80d13023c91a095a373a6dd3e70
Parents: f0a8931
Author: Gautam Borad <gb...@gmail.com>
Authored: Fri May 29 12:11:11 2015 +0530
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Fri May 29 10:16:55 2015 -0400
----------------------------------------------------------------------
.../hadoop/crypto/key/kms/server/KMS.java | 68 ++++++++++----------
.../hadoop/crypto/key/kms/server/KMSACLs.java | 6 +-
.../kms/server/KeyAuthorizationKeyProvider.java | 5 +-
.../crypto/key/kms/server/TestKMSACLs.java | 11 ++--
.../kms/authorizer/RangerKmsAuthorizer.java | 30 +++------
5 files changed, 57 insertions(+), 63 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dda7a165/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
index 5575eab..404b710 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMS.java
@@ -30,6 +30,7 @@ import org.apache.hadoop.crypto.key.kms.KMSClientProvider;
import org.apache.hadoop.crypto.key.kms.server.KMSACLsType.Type;
import org.apache.hadoop.security.token.delegation.web.HttpUserGroupInformation;
+import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.DefaultValue;
@@ -39,6 +40,7 @@ import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
@@ -74,13 +76,13 @@ public class KMS {
}
private void assertAccess(Type aclType, UserGroupInformation ugi,
- KMSOp operation) throws AccessControlException {
- KMSWebApp.getACLs().assertAccess(aclType, ugi, operation, null);
+ KMSOp operation, String clientIp) throws AccessControlException {
+ KMSWebApp.getACLs().assertAccess(aclType, ugi, operation, null, clientIp);
}
private void assertAccess(Type aclType, UserGroupInformation ugi,
- KMSOp operation, String key) throws AccessControlException {
- KMSWebApp.getACLs().assertAccess(aclType, ugi, operation, key);
+ KMSOp operation, String key, String clientIp) throws AccessControlException {
+ KMSWebApp.getACLs().assertAccess(aclType, ugi, operation, key, clientIp);
}
private static KeyProvider.KeyVersion removeKeyMaterial(
@@ -99,12 +101,12 @@ public class KMS {
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@SuppressWarnings("unchecked")
- public Response createKey(Map jsonKey) throws Exception {
+ public Response createKey(Map jsonKey, @Context HttpServletRequest request) throws Exception {
KMSWebApp.getAdminCallsMeter().mark();
UserGroupInformation user = HttpUserGroupInformation.get();
final String name = (String) jsonKey.get(KMSRESTConstants.NAME_FIELD);
- KMSClientProvider.checkNotEmpty(name, KMSRESTConstants.NAME_FIELD);
- assertAccess(Type.CREATE, user, KMSOp.CREATE_KEY, name);
+ KMSClientProvider.checkNotEmpty(name, KMSRESTConstants.NAME_FIELD);
+ assertAccess(Type.CREATE, user, KMSOp.CREATE_KEY, name, request.getRemoteAddr());
String cipher = (String) jsonKey.get(KMSRESTConstants.CIPHER_FIELD);
final String material = (String) jsonKey.get(KMSRESTConstants.MATERIAL_FIELD);
int length = (jsonKey.containsKey(KMSRESTConstants.LENGTH_FIELD))
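Review bot: `request.getRemoteAddr()` is the right source for an address that feeds an authorization and audit decision — it is the TCP peer, not a client-controlled header — but it is evaluated on L4074 and again on L4083 in the next hunk of the same method, so read it once at the top: `final String clientIp = request.getRemoteAddr();`. Add a comment where it is first read noting the deployment caveat: `// TCP peer address; behind a reverse proxy or load balancer this is the proxy, not the end client`, and resist swapping in `X-Forwarded-For` later without a trusted-proxy list, since that header is spoofable by any caller. The enclosing `createKey` body runs past the end of this hunk.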
@@ -115,7 +117,7 @@ public class KMS {
jsonKey.get(KMSRESTConstants.ATTRIBUTES_FIELD);
if (material != null) {
assertAccess(Type.SET_KEY_MATERIAL, user,
- KMSOp.CREATE_KEY, name);
+ KMSOp.CREATE_KEY, name, request.getRemoteAddr());
}
final KeyProvider.Options options = new KeyProvider.Options(
KMSWebApp.getConfiguration());
@@ -144,7 +146,7 @@ public class KMS {
kmsAudit.ok(user, KMSOp.CREATE_KEY, name, "UserProvidedMaterial:" +
(material != null) + " Description:" + description);
- if (!KMSWebApp.getACLs().hasAccess(Type.GET, user)) {
+ if (!KMSWebApp.getACLs().hasAccess(Type.GET, user, request.getRemoteAddr())) {
keyVersion = removeKeyMaterial(keyVersion);
}
Map json = KMSServerJSONUtils.toJSON(keyVersion);
@@ -158,11 +160,11 @@ public class KMS {
@DELETE
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}")
- public Response deleteKey(@PathParam("name") final String name)
+ public Response deleteKey(@PathParam("name") final String name, @Context HttpServletRequest request)
throws Exception {
KMSWebApp.getAdminCallsMeter().mark();
UserGroupInformation user = HttpUserGroupInformation.get();
- assertAccess(Type.DELETE, user, KMSOp.DELETE_KEY, name);
+ assertAccess(Type.DELETE, user, KMSOp.DELETE_KEY, name, request.getRemoteAddr());
KMSClientProvider.checkNotEmpty(name, "name");
user.doAs(new PrivilegedExceptionAction<Void>() {
@@ -184,16 +186,16 @@ public class KMS {
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public Response rolloverKey(@PathParam("name") final String name,
- Map jsonMaterial) throws Exception {
+ Map jsonMaterial, @Context HttpServletRequest request) throws Exception {
KMSWebApp.getAdminCallsMeter().mark();
UserGroupInformation user = HttpUserGroupInformation.get();
- assertAccess(Type.ROLLOVER, user, KMSOp.ROLL_NEW_VERSION, name);
+ assertAccess(Type.ROLLOVER, user, KMSOp.ROLL_NEW_VERSION, name, request.getRemoteAddr());
KMSClientProvider.checkNotEmpty(name, "name");
final String material = (String)
jsonMaterial.get(KMSRESTConstants.MATERIAL_FIELD);
if (material != null) {
assertAccess(Type.SET_KEY_MATERIAL, user,
- KMSOp.ROLL_NEW_VERSION, name);
+ KMSOp.ROLL_NEW_VERSION, name, request.getRemoteAddr());
}
KeyProvider.KeyVersion keyVersion = user.doAs(
@@ -212,7 +214,7 @@ public class KMS {
kmsAudit.ok(user, KMSOp.ROLL_NEW_VERSION, name, "UserProvidedMaterial:" +
(material != null) + " NewVersion:" + keyVersion.getVersionName());
- if (!KMSWebApp.getACLs().hasAccess(Type.GET, user)) {
+ if (!KMSWebApp.getACLs().hasAccess(Type.GET, user, request.getRemoteAddr())) {
keyVersion = removeKeyMaterial(keyVersion);
}
Map json = KMSServerJSONUtils.toJSON(keyVersion);
@@ -223,12 +225,12 @@ public class KMS {
@Path(KMSRESTConstants.KEYS_METADATA_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
public Response getKeysMetadata(@QueryParam(KMSRESTConstants.KEY)
- List<String> keyNamesList) throws Exception {
+ List<String> keyNamesList, @Context HttpServletRequest request) throws Exception {
KMSWebApp.getAdminCallsMeter().mark();
UserGroupInformation user = HttpUserGroupInformation.get();
final String[] keyNames = keyNamesList.toArray(
new String[keyNamesList.size()]);
- assertAccess(Type.GET_METADATA, user, KMSOp.GET_KEYS_METADATA);
+ assertAccess(Type.GET_METADATA, user, KMSOp.GET_KEYS_METADATA, request.getRemoteAddr());
KeyProvider.Metadata[] keysMeta = user.doAs(
new PrivilegedExceptionAction<KeyProvider.Metadata[]>() {
@@ -247,10 +249,10 @@ public class KMS {
@GET
@Path(KMSRESTConstants.KEYS_NAMES_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
- public Response getKeyNames() throws Exception {
+ public Response getKeyNames(@Context HttpServletRequest request) throws Exception {
KMSWebApp.getAdminCallsMeter().mark();
UserGroupInformation user = HttpUserGroupInformation.get();
- assertAccess(Type.GET_KEYS, user, KMSOp.GET_KEYS);
+ assertAccess(Type.GET_KEYS, user, KMSOp.GET_KEYS, request.getRemoteAddr());
List<String> json = user.doAs(
new PrivilegedExceptionAction<List<String>>() {
@@ -267,21 +269,21 @@ public class KMS {
@GET
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}")
- public Response getKey(@PathParam("name") String name)
+ public Response getKey(@PathParam("name") String name, @Context HttpServletRequest request)
throws Exception {
- return getMetadata(name);
+ return getMetadata(name, request);
}
@GET
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
KMSRESTConstants.METADATA_SUB_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
- public Response getMetadata(@PathParam("name") final String name)
+ public Response getMetadata(@PathParam("name") final String name, @Context HttpServletRequest request)
throws Exception {
UserGroupInformation user = HttpUserGroupInformation.get();
KMSClientProvider.checkNotEmpty(name, "name");
KMSWebApp.getAdminCallsMeter().mark();
- assertAccess(Type.GET_METADATA, user, KMSOp.GET_METADATA, name);
+ assertAccess(Type.GET_METADATA, user, KMSOp.GET_METADATA, name, request.getRemoteAddr());
KeyProvider.Metadata metadata = user.doAs(
new PrivilegedExceptionAction<KeyProvider.Metadata>() {
@@ -301,12 +303,12 @@ public class KMS {
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
KMSRESTConstants.CURRENT_VERSION_SUB_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
- public Response getCurrentVersion(@PathParam("name") final String name)
+ public Response getCurrentVersion(@PathParam("name") final String name, @Context HttpServletRequest request)
throws Exception {
UserGroupInformation user = HttpUserGroupInformation.get();
KMSClientProvider.checkNotEmpty(name, "name");
KMSWebApp.getKeyCallsMeter().mark();
- assertAccess(Type.GET, user, KMSOp.GET_CURRENT_KEY, name);
+ assertAccess(Type.GET, user, KMSOp.GET_CURRENT_KEY, name, request.getRemoteAddr());
KeyVersion keyVersion = user.doAs(
new PrivilegedExceptionAction<KeyVersion>() {
@@ -329,11 +331,11 @@ public class KMS {
@Path(KMSRESTConstants.KEY_VERSION_RESOURCE + "/{versionName:.*}")
@Produces(MediaType.APPLICATION_JSON)
public Response getKeyVersion(
- @PathParam("versionName") final String versionName) throws Exception {
+ @PathParam("versionName") final String versionName, @Context HttpServletRequest request) throws Exception {
UserGroupInformation user = HttpUserGroupInformation.get();
KMSClientProvider.checkNotEmpty(versionName, "versionName");
KMSWebApp.getKeyCallsMeter().mark();
- assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSION);
+ assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSION, request.getRemoteAddr());
KeyVersion keyVersion = user.doAs(
new PrivilegedExceptionAction<KeyVersion>() {
@@ -360,7 +362,7 @@ public class KMS {
@PathParam("name") final String name,
@QueryParam(KMSRESTConstants.EEK_OP) String edekOp,
@DefaultValue("1")
- @QueryParam(KMSRESTConstants.EEK_NUM_KEYS) final int numKeys)
+ @QueryParam(KMSRESTConstants.EEK_NUM_KEYS) final int numKeys, @Context HttpServletRequest request)
throws Exception {
UserGroupInformation user = HttpUserGroupInformation.get();
KMSClientProvider.checkNotEmpty(name, "name");
@@ -368,7 +370,7 @@ public class KMS {
Object retJSON;
if (edekOp.equals(KMSRESTConstants.EEK_GENERATE)) {
- assertAccess(Type.GENERATE_EEK, user, KMSOp.GENERATE_EEK, name);
+ assertAccess(Type.GENERATE_EEK, user, KMSOp.GENERATE_EEK, name, request.getRemoteAddr());
final List<EncryptedKeyVersion> retEdeks =
new LinkedList<EncryptedKeyVersion>();
@@ -412,7 +414,7 @@ public class KMS {
public Response decryptEncryptedKey(
@PathParam("versionName") final String versionName,
@QueryParam(KMSRESTConstants.EEK_OP) String eekOp,
- Map jsonPayload)
+ Map jsonPayload, @Context HttpServletRequest request)
throws Exception {
UserGroupInformation user = HttpUserGroupInformation.get();
KMSClientProvider.checkNotEmpty(versionName, "versionName");
@@ -425,7 +427,7 @@ public class KMS {
(String) jsonPayload.get(KMSRESTConstants.MATERIAL_FIELD);
Object retJSON;
if (eekOp.equals(KMSRESTConstants.EEK_DECRYPT)) {
- assertAccess(Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName);
+ assertAccess(Type.DECRYPT_EEK, user, KMSOp.DECRYPT_EEK, keyName, request.getRemoteAddr());
KMSClientProvider.checkNotNull(ivStr, KMSRESTConstants.IV_FIELD);
final byte[] iv = Base64.decodeBase64(ivStr);
KMSClientProvider.checkNotNull(encMaterialStr,
@@ -461,12 +463,12 @@ public class KMS {
@Path(KMSRESTConstants.KEY_RESOURCE + "/{name:.*}/" +
KMSRESTConstants.VERSIONS_SUB_RESOURCE)
@Produces(MediaType.APPLICATION_JSON)
- public Response getKeyVersions(@PathParam("name") final String name)
+ public Response getKeyVersions(@PathParam("name") final String name, @Context HttpServletRequest request)
throws Exception {
UserGroupInformation user = HttpUserGroupInformation.get();
KMSClientProvider.checkNotEmpty(name, "name");
KMSWebApp.getKeyCallsMeter().mark();
- assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSIONS, name);
+ assertAccess(Type.GET, user, KMSOp.GET_KEY_VERSIONS, name, request.getRemoteAddr());
List<KeyVersion> ret = user.doAs(
new PrivilegedExceptionAction<List<KeyVersion>>() {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dda7a165/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
index dc09709..ff2f6d9 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSACLs.java
@@ -195,7 +195,7 @@ public class KMSACLs implements Runnable, KeyACLs {
* @return true is user has access
*/
@Override
- public boolean hasAccess(Type type, UserGroupInformation ugi) {
+ public boolean hasAccess(Type type, UserGroupInformation ugi, String clientIp) {
boolean access = acls.get(type).isUserAllowed(ugi);
if (access) {
AccessControlList blacklist = blacklistedAcls.get(type);
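Review bot: `hasAccess` now takes `clientIp` (L4269) but the decision on L4270-L4272 is unchanged and never consults it, and the Javadoc ending on L4266 does not mention the new parameter. Document the intent so the next reader does not assume IP-based ACLs exist here: `@param clientIp caller's address; not consulted by the static ACL check (kept so the KeyACLs interface can pass it through to authorizers that evaluate IP conditions and audit it)` — the Ranger authorizer's use of the value is not in this hunk, so confirm that wording. The `@return true is user has access` line above would also read better as `true if the user has access`.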
@@ -206,9 +206,9 @@ public class KMSACLs implements Runnable, KeyACLs {
@Override
public void assertAccess(Type aclType,
- UserGroupInformation ugi, KMSOp operation, String key)
+ UserGroupInformation ugi, KMSOp operation, String key, String clientIp)
throws AccessControlException {
- if (!KMSWebApp.getACLs().hasAccess(aclType, ugi)) {
+ if (!KMSWebApp.getACLs().hasAccess(aclType, ugi, clientIp)) {
KMSWebApp.getUnauthorizedCallsMeter().mark();
KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key);
throw new AuthorizationException(String.format(
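Review bot: `clientIp` is now in scope in assertAccess but the denial path still records only `unauthorized(ugi, operation, key)`, so a denied request cannot be traced back to its origin from the audit trail even though the address was the input that (in the Ranger implementation) decided the outcome. If KMSAudit.unauthorized has no overload taking the address, include it at least in the AuthorizationException message built on the last visible line, and document on the interface that implementations are expected to audit it. The same omission is in RangerKmsAuthorizer.assertAccess further down; the method body and the format string continue outside the hunk.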
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dda7a165/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
index 1e43dac..201ecbb 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.java
@@ -27,6 +27,7 @@ import java.util.Map;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
import org.apache.hadoop.crypto.key.kms.server.KMS.KMSOp;
+import org.apache.hadoop.crypto.key.kms.server.KMSACLsType.Type;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
@@ -86,10 +87,10 @@ public class KeyAuthorizationKeyProvider extends KeyProviderCryptoExtension {
public void stopReloader();
- public boolean hasAccess(KMSACLsType.Type aclType, UserGroupInformation ugi);
+ public boolean hasAccess(KMSACLsType.Type aclType, UserGroupInformation ugi, String clientIp);
public void assertAccess(KMSACLsType.Type aclType, UserGroupInformation ugi,
- KMSOp operation, String key) throws AccessControlException;
+ KMSOp operation, String key, String clientIp) throws AccessControlException;
}
private final KeyProviderCryptoExtension provider;
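Review bot: The import hunk above adds `org.apache.hadoop.crypto.key.kms.server.KMSACLsType.Type`, yet both changed interface lines still spell the type as `KMSACLsType.Type`; either write `Type` here or drop the import, unless the short name is used elsewhere in the file outside this view. The two new `clientIp` parameters also carry no Javadoc, and the two implementations in this commit treat them differently (KMSACLs ignores the value, RangerKmsAuthorizer feeds it into policy evaluation), so the interface should state the contract: a one-line `@param clientIp` on each method saying where the value comes from and whether null is permitted. The enclosing nested interface starts before the hunk.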
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dda7a165/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
----------------------------------------------------------------------
diff --git a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java b/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
index 12945d7..2e1cacc 100644
--- a/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
+++ b/kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.java
@@ -25,17 +25,19 @@ import org.junit.Test;
public class TestKMSACLs {
+ String ipAddress = "192.168.90.1";
+
@Test
public void testDefaults() {
KMSACLs acls = new KMSACLs(new Configuration(false));
for (Type type : Type.values()) {
Assert.assertTrue(acls.hasAccess(type,
- UserGroupInformation.createRemoteUser("foo")));
+ UserGroupInformation.createRemoteUser("foo"), ipAddress));
}
}
@Test
- public void testCustom() {
+ public void testCustom() {
Configuration conf = new Configuration(false);
for (Type type : Type.values()) {
conf.set(type.getAclConfigKey(), type.toString() + " ");
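Review bot: `String ipAddress = "192.168.90.1";` is a package-private, mutable instance field holding a test constant; the conventional form is `private static final String IP_ADDRESS = "192.168.90.1";`. The change to the `testCustom()` signature line is whitespace only and could be dropped to keep the diff minimal; the second hunk in this file shares the same field and needs no separate change.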
@@ -43,10 +45,9 @@ public class TestKMSACLs {
KMSACLs acls = new KMSACLs(conf);
for (Type type : Type.values()) {
Assert.assertTrue(acls.hasAccess(type,
- UserGroupInformation.createRemoteUser(type.toString())));
+ UserGroupInformation.createRemoteUser(type.toString()), ipAddress));
Assert.assertFalse(acls.hasAccess(type,
- UserGroupInformation.createRemoteUser("foo")));
+ UserGroupInformation.createRemoteUser("foo"), ipAddress));
}
}
-
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/dda7a165/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
index eb2081d..3407a1d 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
@@ -20,6 +20,7 @@
package org.apache.ranger.authorization.kms.authorizer;
import java.net.InetAddress;
+import java.net.UnknownHostException;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Executors;
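Review bot: The added `import java.net.UnknownHostException;` has no visible use anywhere in this file's hunks, and the existing `import java.net.InetAddress;` loses its only visible user when the `getRemoteIp()` helper is deleted in the last hunk of this file, so unless both are referenced elsewhere in the file both imports are now dead and should be removed. Leaving them suggests the authorizer still does host resolution, which after this commit it does not.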
@@ -138,11 +139,10 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
* @return true is user has access
*/
@Override
- public boolean hasAccess(Type type, UserGroupInformation ugi) {
+ public boolean hasAccess(Type type, UserGroupInformation ugi, String clientIp) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + ugi + ")");
}
-
boolean ret = false;
RangerKMSPlugin plugin = kmsPlugin;
String rangerAccessType = getRangerAccessType(type);
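Review bot: The entry debug log in the first changed line does not include the new `clientIp` even though the address now participates in the access decision, which makes debugging IP-conditioned policies harder than it needs to be; change it to `LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + ugi + ", " + clientIp + ")");`. The same omission is in the keyName overload of hasAccess and in assertAccess further down this file, whose debug lines should likewise append `clientIp`. Each of these method bodies continues past its hunk.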
@@ -153,7 +153,7 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
}
if(plugin != null && ret) {
- RangerKMSAccessRequest request = new RangerKMSAccessRequest("", rangerAccessType, ugi);
+ RangerKMSAccessRequest request = new RangerKMSAccessRequest("", rangerAccessType, ugi, clientIp);
RangerAccessResult result = plugin.isAccessAllowed(request);
ret = result == null ? false : result.getIsAllowed();
}
@@ -165,11 +165,10 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
return ret;
}
- public boolean hasAccess(Type type, UserGroupInformation ugi, String keyName) {
+ public boolean hasAccess(Type type, UserGroupInformation ugi, String keyName, String clientIp) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerKmsAuthorizer.hasAccess(" + type + ", " + ugi + " , "+keyName+")");
}
-
boolean ret = false;
RangerKMSPlugin plugin = kmsPlugin;
String rangerAccessType = getRangerAccessType(type);
@@ -180,7 +179,7 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
}
if(plugin != null && ret) {
- RangerKMSAccessRequest request = new RangerKMSAccessRequest(keyName, rangerAccessType, ugi);
+ RangerKMSAccessRequest request = new RangerKMSAccessRequest(keyName, rangerAccessType, ugi, clientIp);
RangerAccessResult result = plugin.isAccessAllowed(request);
ret = result == null ? false : result.getIsAllowed();
}
@@ -193,13 +192,13 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
}
@Override
- public void assertAccess(Type aclType, UserGroupInformation ugi, KMSOp operation, String key)
+ public void assertAccess(Type aclType, UserGroupInformation ugi, KMSOp operation, String key, String clientIp)
throws AccessControlException {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerKmsAuthorizer.assertAccess(" + key + ", " + ugi +", " + aclType + ")");
}
key = (key == null)?"":key;
- if (!hasAccess(aclType, ugi, key)) {
+ if (!hasAccess(aclType, ugi, key, clientIp)) {
KMSWebApp.getUnauthorizedCallsMeter().mark();
KMSWebApp.getKMSAudit().unauthorized(ugi, operation, key);
throw new AuthorizationException(String.format(
@@ -217,7 +216,7 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerKmsAuthorizer.hasAccessToKey(" + keyName + ", " + ugi +", " + opType + ")");
}
-
+
return true;
}
@@ -331,22 +330,13 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
}
class RangerKMSAccessRequest extends RangerAccessRequestImpl {
- public RangerKMSAccessRequest(String keyName, String accessType, UserGroupInformation ugi) {
+ public RangerKMSAccessRequest(String keyName, String accessType, UserGroupInformation ugi, String clientIp) {
super.setResource(new RangerKMSResource(keyName));
super.setAccessType(accessType);
super.setUser(ugi.getShortUserName());
super.setUserGroups(Sets.newHashSet(ugi.getGroupNames()));
super.setAccessTime(StringUtil.getUTCDate());
- super.setClientIPAddress(getRemoteIp());
+ super.setClientIPAddress(clientIp);
super.setAction(accessType);
}
-
- private static String getRemoteIp() {
- String ret = null ;
- InetAddress ip = Server.getRemoteIp() ;
- if (ip != null) {
- ret = ip.getHostAddress();
- }
- return ret ;
- }
}
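Review bot: The RangerKMSAccessRequest constructor now stores whatever `clientIp` the caller hands in, and since that value is what the plugin evaluates IP conditions against, the constructor deserves a short Javadoc stating the expected form (a literal address as returned by the servlet container) and whether a null value is acceptable; the previous `getRemoteIp()` could also yield null, so behaviour is presumably unchanged, but the contract is now the caller's responsibility and should be written down. `@param clientIp address of the calling client, as seen by the servlet container; may be null when unknown` would do.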
[08/12] incubator-ranger git commit: RANGER-506:Update password
script should update the right config file
Posted by sn...@apache.org.
RANGER-506:Update password script should update the right config file
Signed-off-by: sneethiraj <sn...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/ab4683eb
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/ab4683eb
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/ab4683eb
Branch: refs/heads/ranger-0.5
Commit: ab4683eb1fa325494b36b516ef2d80a2962f4548
Parents: 94ba6be
Author: Gautam Borad <gb...@gmail.com>
Authored: Sat May 30 17:44:37 2015 +0530
Committer: sneethiraj <sn...@apache.org>
Committed: Sat May 30 23:15:04 2015 -0400
----------------------------------------------------------------------
.../resources/conf.dist/ranger-admin-site.xml | 2 +-
.../process/PolicyMgrUserGroupBuilder.java | 4 +
.../config/UserGroupSyncConfig.java | 9 +-
unixauthservice/scripts/setup.py | 4 +
.../scripts/updatepolicymgrpassword.py | 105 +++++++------------
.../UnixAuthenticationService.java | 2 +-
6 files changed, 49 insertions(+), 77 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ab4683eb/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
index 2660e19..822a507 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
@@ -180,7 +180,7 @@
<property>
<name>ranger.service.https.attrib.keystore.pass</name>
- <value>ranger</value>
+ <value>_</value>
</property>
<property>
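Review bot: Replacing the shipped literal `ranger` with `_` is an improvement, but `_` is itself a syntactically valid keystore password, so an installation whose setup step never overwrites it will silently start with `_` as the HTTPS keystore password rather than failing. Presumably setup.py rewrites this value from the credential store; if so, an XML comment next to the property such as `<!-- placeholder: replaced during setup from the credential store -->` would make the intent explicit, and the loading code should ideally treat the literal `_` as "not configured".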
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ab4683eb/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java
index 2013f1c..c99f7a0 100644
--- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java
+++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java
@@ -673,6 +673,10 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
if(ret!=null){
String username = config.getPolicyMgrUserName();
String password = config.getPolicyMgrPassword();
+ if(username==null||password==null||username.trim().isEmpty()||password.trim().isEmpty()){
+ username=config.getDefaultPolicyMgrUserName();
+ password=config.getDefaultPolicyMgrPassword();
+ }
if(username!=null && password!=null){
ret.addFilter(new HTTPBasicAuthFilter(username, password));
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ab4683eb/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
index 5aba0e9..d9efe1a 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
@@ -88,7 +88,7 @@ public class UserGroupSyncConfig {
private static final String LGSYNC_LDAP_BIND_DN = "ranger.usersync.ldap.binddn";
- private static final String LGSYNC_LDAP_BIND_KEYSTORE = "ranger.usersync.ldap.bindkeystore";
+ private static final String LGSYNC_LDAP_BIND_KEYSTORE = "ranger.usersync.credstore.filename";
private static final String LGSYNC_LDAP_BIND_ALIAS = "ranger.usersync.ldap.bindalias";
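Review bot: After this change `LGSYNC_LDAP_BIND_KEYSTORE` holds `ranger.usersync.credstore.filename`, a credential-store path that is no longer specific to the LDAP bind, so the constant name now misleads; rename it, e.g. `private static final String LGSYNC_CREDSTORE_FILENAME = "ranger.usersync.credstore.filename";`, and update its uses in the later hunk of this file. The adjacent `LGSYNC_LDAP_BIND_ALIAS` also changes role in that later hunk (it becomes the alias string itself rather than a config key), which a one-line comment on the constant should say.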
@@ -422,18 +422,17 @@ public class UserGroupSyncConfig {
if (prop == null) {
return null;
}
- if(prop.containsKey(LGSYNC_LDAP_BIND_KEYSTORE) && prop.containsKey(LGSYNC_LDAP_BIND_ALIAS)){
+ if(prop.containsKey(LGSYNC_LDAP_BIND_KEYSTORE)){
String path=prop.getProperty(LGSYNC_LDAP_BIND_KEYSTORE);
- String alias=prop.getProperty(LGSYNC_LDAP_BIND_ALIAS);
+ String alias=LGSYNC_LDAP_BIND_ALIAS;
if(path!=null && alias!=null){
if(!path.trim().isEmpty() && !alias.trim().isEmpty()){
String password=CredentialReader.getDecryptedString(path.trim(),alias.trim());
if(password!=null&& !password.trim().isEmpty() && !password.trim().equalsIgnoreCase("none")){
prop.setProperty(LGSYNC_LDAP_BIND_PASSWORD,password);
- //System.out.println("Password IS :"+password);
}
}
- }
+ }
}
return prop.getProperty(LGSYNC_LDAP_BIND_PASSWORD);
}
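Review bot: With `String alias=LGSYNC_LDAP_BIND_ALIAS;` the alias is now a compile-time constant, so the `alias!=null` and `!alias.trim().isEmpty()` checks on the following lines are dead and should be dropped along with the local; the remaining `path` checks are sufficient. This also means the literal `ranger.usersync.ldap.bindalias` is now used as the credential-store alias instead of being read from configuration — if that is intended it should be stated in a comment, because anyone still setting that property in the config file will find it ignored. The method's opening lines are outside the hunk.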
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ab4683eb/unixauthservice/scripts/setup.py
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/setup.py b/unixauthservice/scripts/setup.py
index e45ea63..5ba50d3 100755
--- a/unixauthservice/scripts/setup.py
+++ b/unixauthservice/scripts/setup.py
@@ -141,8 +141,12 @@ def getPropertiesKeyList(configFileName):
def writeXMLUsingProperties(xmlTemplateFileName,prop,xmlOutputFileName):
tree = ET.parse(xmlTemplateFileName)
root = tree.getroot()
+ prop_arr =["ranger.usersync.ldap.ldapbindpassword", "ranger.usersync.keystore.password","ranger.usersync.truststore.password","ranger.usersync.policymgr"]
for config in root.findall('property'):
name = config.find('name').text
+ if name in prop_arr:
+ config.find('value').text = "_"
+ continue
if (name in prop.keys()):
config.find('value').text = str(prop[name])
#else:
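Review bot: The last entry of `prop_arr`, `"ranger.usersync.policymgr"`, looks truncated: the other three entries are full property names, the membership test on the next lines is an exact `name in prop_arr` match, and the alias written by updatepolicymgrpassword.py in this same commit is `ranger.usersync.policymgr.password`. As written the placeholder would only be applied to a property literally named `ranger.usersync.policymgr`, leaving the password property to be copied from `prop` as-is. Presumably the intended entry is `"ranger.usersync.policymgr.password"`; please confirm against the template XML.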
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ab4683eb/unixauthservice/scripts/updatepolicymgrpassword.py
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/updatepolicymgrpassword.py b/unixauthservice/scripts/updatepolicymgrpassword.py
index b07458b..92c4805 100644
--- a/unixauthservice/scripts/updatepolicymgrpassword.py
+++ b/unixauthservice/scripts/updatepolicymgrpassword.py
@@ -23,6 +23,8 @@ import platform
import fileinput
import getpass
import shutil
+from xml.etree import ElementTree as ET
+import update_property
from os.path import basename
from subprocess import Popen,PIPE
from datetime import date
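Review bot: The removal of `ModConfig` and the backup/copy logic in the next hunk leaves `fileinput` and, as far as this diff shows, `shutil` without any remaining use, so both imports should be dropped here unless the unchanged parts of the script still use them. `from datetime import date` likewise had its only visible consumer (`datetime.now()`) removed. The new `import update_property` is a sibling script, so the import only works when the script is run from its own directory, which is worth a comment.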
@@ -52,75 +54,37 @@ def log(msg,type):
if type == 'error':
logging.error(" %s",msg)
-def populate_global_dict():
- global globalDict
- read_config_file = open(os.path.join(os.getcwd(),'install.properties'))
- for each_line in read_config_file.read().split('\n') :
- if len(each_line) == 0 : continue
- if re.search('=', each_line):
- key , value = each_line.strip().split("=",1)
- key = key.strip()
- value = value.strip()
- globalDict[key] = value
-
-def ModConfig(File, Variable, Setting):
- """
- Modify Config file variable with new setting
- """
- VarFound = False
- AlreadySet = False
- V=str(Variable)
- S=str(Setting)
- # use quotes if setting has spaces #
- if ' ' in S:
- S = '"%s"' % S
-
- for line in fileinput.input(File, inplace = 1):
- # process lines that look like config settings #
- if not line.lstrip(' ').startswith('#') and '=' in line:
- _infile_var = str(line.split('=')[0].rstrip(' '))
- _infile_set = str(line.split('=')[1].lstrip(' ').rstrip())
- # only change the first matching occurrence #
- if VarFound == False and _infile_var.rstrip(' ') == V:
- VarFound = True
- # don't change it if it is already set #
- if _infile_set.lstrip(' ') == S:
- AlreadySet = True
- else:
- line = "%s = %s\n" % (V, S)
-
- sys.stdout.write(line)
-
- # Append the variable if it wasn't found #
- if not VarFound:
- print "property '%s' not found. Adding it to %s" % (V, File)
- with open(File, "a") as f:
- f.write("%s = %s\n" % (V, S))
- elif AlreadySet == True:
- print "property '%s' unchanged" % (V)
+def import_properties_from_xml(xml_path, properties_from_xml=None):
+ print('getting values from file : ' + str(xml_path))
+ if os.path.isfile(xml_path):
+ xml = ET.parse(xml_path)
+ root = xml.getroot()
+ if properties_from_xml is None:
+ properties_from_xml = dict()
+ for child in root.findall('property'):
+ name = child.find("name").text.strip()
+ value = child.find("value").text.strip() if child.find("value").text is not None else ""
+ properties_from_xml[name] = value
else:
- print "property '%s' modified to '%s'" % (V, S)
+ print('XML file not found at path : ' + str(xml_path))
+ return properties_from_xml
- return
def main():
-
+ global globalDict
FORMAT = '%(asctime)-15s %(message)s'
logging.basicConfig(format=FORMAT, level=logging.DEBUG)
- populate_global_dict()
- SYNC_LDAP_BIND_KEYSTOREPATH=globalDict['CRED_KEYSTORE_FILENAME']
- SYNC_POLICY_MGR_ALIAS="policymgr.user.password"
- SYNC_POLICY_MGR_PASSWORD = ''
- SYNC_POLICY_MGR_USERNAME = ''
- JAVA_BIN = ''
- unix_user = "ranger"
- unix_group = "ranger"
+ CFG_FILE=os.path.join(os.getcwd(),'conf','ranger-ugsync-site.xml')
+ if os.path.isfile(CFG_FILE):
+ pass
+ else:
+ log("[E] Required file not found: ["+CFG_FILE+"]","error")
+ sys.exit(1)
if os.environ['JAVA_HOME'] == "":
log("[E] ---------- JAVA_HOME environment property not defined, aborting installation. ----------", "error")
sys.exit(1)
-
JAVA_BIN=os.path.join(os.environ['JAVA_HOME'],'bin','java')
if os_name == "WINDOWS" :
JAVA_BIN = JAVA_BIN+'.exe'
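Review bot: `import_properties_from_xml` dereferences `child.find("name").text.strip()` without checking that the `<name>` element exists or has text, so a `<property>` with a missing or empty `<name>` aborts the script with an AttributeError rather than a readable message, and the `value` line calls `child.find("value")` twice. Guard both: `name_el = child.find("name")`, `value_el = child.find("value")`, then `if name_el is None or not name_el.text: continue` and `value = value_el.text.strip() if value_el is not None and value_el.text else ""`. The function also reports via `print(...)` while the rest of the script uses `log(..., "info")`/`log(..., "error")`; using `log` keeps these messages in the same stream and format. `main()` continues past the hunk.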
@@ -130,9 +94,17 @@ def main():
while os.path.isfile(JAVA_BIN) == False:
log("Enter java executable path: :","info")
JAVA_BIN=raw_input()
-
log("[I] Using Java:" + str(JAVA_BIN),"info")
+ globalDict=import_properties_from_xml(CFG_FILE,globalDict)
+ SYNC_LDAP_BIND_KEYSTOREPATH=globalDict['ranger.usersync.credstore.filename']
+ log("[I] SYNC_LDAP_BIND_KEYSTOREPATH:" + str(SYNC_LDAP_BIND_KEYSTOREPATH),"info")
+ SYNC_POLICY_MGR_ALIAS="ranger.usersync.policymgr.password"
+ SYNC_POLICY_MGR_PASSWORD = ''
+ SYNC_POLICY_MGR_USERNAME = ''
+ unix_user = "ranger"
+ unix_group = "ranger"
+
while SYNC_POLICY_MGR_USERNAME == "":
print "Enter policymgr user name:"
SYNC_POLICY_MGR_USERNAME=raw_input()
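Review bot: `globalDict['ranger.usersync.credstore.filename']` raises a bare KeyError when ranger-ugsync-site.xml does not define that property, which is the likely state on an upgraded install; the earlier check only verifies that the file exists. Read it with `SYNC_LDAP_BIND_KEYSTOREPATH=globalDict.get('ranger.usersync.credstore.filename','')` and follow with `if not SYNC_LDAP_BIND_KEYSTOREPATH: log("[E] ranger.usersync.credstore.filename not set in ["+CFG_FILE+"]","error"); sys.exit(1)` so the operator gets the same kind of message as for the missing file. `main()` continues outside this hunk.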
@@ -148,18 +120,12 @@ def main():
cmd="chown %s:%s %s" %(unix_user,unix_group,SYNC_LDAP_BIND_KEYSTOREPATH)
ret=subprocess.call(shlex.split(cmd))
if ret == 0:
- CFG_FILE=os.path.join(os.getcwd(),'conf','unixauthservice.properties')
- NEW_CFG_FILE=os.path.join(os.getcwd(),'conf','unixauthservice.properties.tmp')
if os.path.isfile(CFG_FILE):
- shutil.copyfile(CFG_FILE, NEW_CFG_FILE)
- ModConfig(NEW_CFG_FILE, "userSync.policyMgrUserName", SYNC_POLICY_MGR_USERNAME)
- ModConfig(NEW_CFG_FILE, "userSync.policyMgrKeystore", SYNC_LDAP_BIND_KEYSTOREPATH)
- ModConfig(NEW_CFG_FILE, "userSync.policyMgrAlias", SYNC_POLICY_MGR_ALIAS)
- now = datetime.now()
- shutil.copyfile(CFG_FILE, CFG_FILE+"."+now.strftime('%Y%m%d%H%M%S'))
- shutil.copyfile(NEW_CFG_FILE,CFG_FILE)
+ update_property.write_properties_to_xml(CFG_FILE,"ranger.usersync.policymgr.username",SYNC_POLICY_MGR_USERNAME)
+ update_property.write_properties_to_xml(CFG_FILE,"ranger.usersync.policymgr.keystore",SYNC_LDAP_BIND_KEYSTOREPATH)
+ update_property.write_properties_to_xml(CFG_FILE,"ranger.usersync.policymgr.alias",SYNC_POLICY_MGR_ALIAS)
else:
- log("[E] Required file not found: ["+CFG_FILE+"]","error")
+ log("[E] Required file not found: ["+CFG_FILE+"]","error")
else:
log("[E] unable to execute command ["+cmd+"]","error")
else:
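Review bot: The old flow edited a temp copy and kept a timestamped backup of the config before replacing it; the new flow calls `update_property.write_properties_to_xml` three times directly on `CFG_FILE`, so a failure in the second or third call leaves the site file half-updated with no copy to restore from. Keeping a single backup copy of `CFG_FILE` before the first write, or having the helper apply all three properties in one parse/write, would restore that safety. The `if os.path.isfile(CFG_FILE)` re-check here is now redundant with the exit at the top of `main()`, and the indentation change on the `log("[E] Required file not found ...` line is whitespace only. `main()` continues past the hunk.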
@@ -167,5 +133,4 @@ def main():
else:
log("[E] Input Error","error")
-
main()
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ab4683eb/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
----------------------------------------------------------------------
diff --git a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
index ff2838f..16e7324 100644
--- a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
+++ b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
@@ -184,7 +184,7 @@ public class UnixAuthenticationService {
.item(0).getTextContent().trim();
}
- LOG.info("Adding Property:[" + propertyName + "] Value:["+ propertyValue + "]");
+ //LOG.info("Adding Property:[" + propertyName + "] Value:["+ propertyValue + "]");
if (prop.get(propertyName) != null ) {
prop.remove(propertyName) ;
}
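Review bot: Commenting out the line rather than deleting it leaves dead code that a future edit may simply uncomment, re-enabling the logging of property values that can include passwords read from this config. Delete the commented line and, if the trace is still useful, log only the key: `LOG.info("Adding Property:[" + propertyName + "]");`. The enclosing loop starts before the hunk.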