Posted to commits@ranger.apache.org by pr...@apache.org on 2023/06/07 03:08:27 UTC
[ranger] branch master updated: RANGER-4255: Introduce option in Ranger to control retention period of x_auth_sess table data
This is an automated email from the ASF dual-hosted git repository.
pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new a07dbb804 RANGER-4255: Introduce option in Ranger to control retention period of x_auth_sess table data
a07dbb804 is described below
commit a07dbb8049dab1419fb983fc685211675292af49
Author: Pradeep AgrawaL <pr...@apache.org>
AuthorDate: Thu May 25 18:21:54 2023 +0530
RANGER-4255: Introduce option in Ranger to control retention period of x_auth_sess table data
---
.../java/org/apache/ranger/biz/ServiceDBStore.java | 36 ++++++++++++++++++++
.../org/apache/ranger/db/XXAuthSessionDao.java | 19 +++++++++--
.../java/org/apache/ranger/rest/PublicAPIsv2.java | 15 +++++++++
.../java/org/apache/ranger/rest/ServiceREST.java | 39 ++++++++++++++++++++++
.../main/resources/META-INF/jpa_named_queries.xml | 4 +++
.../main/resources/conf.dist/ranger-admin-site.xml | 8 +++++
6 files changed, 119 insertions(+), 2 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 04aee289e..356b01f3c 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -249,6 +249,8 @@ public class ServiceDBStore extends AbstractServiceStore {
public static boolean SUPPORTS_IN_PLACE_POLICY_UPDATES = false;
public static Integer RETENTION_PERIOD_IN_DAYS = 7;
public static Integer TAG_RETENTION_PERIOD_IN_DAYS = 3;
+ public static boolean SUPPORTS_PURGE_LOGIN_RECORDS = false;
+ public static Integer LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS = 0;
private static final String RANGER_PLUGIN_CONFIG_PREFIX = "ranger.plugin.";
public static final String RANGER_PLUGIN_AUDIT_FILTERS = "ranger.plugin.audit.filters";
@@ -391,12 +393,18 @@ public class ServiceDBStore extends AbstractServiceStore {
SUPPORTS_POLICY_DELTAS = config.getBoolean("ranger.admin" + RangerCommonConstants.RANGER_ADMIN_SUFFIX_POLICY_DELTA, RangerCommonConstants.RANGER_ADMIN_SUFFIX_POLICY_DELTA_DEFAULT);
RETENTION_PERIOD_IN_DAYS = config.getInt("ranger.admin.delta.retention.time.in.days", 7);
TAG_RETENTION_PERIOD_IN_DAYS = config.getInt("ranger.admin.tag.delta.retention.time.in.days", 3);
+
+ SUPPORTS_PURGE_LOGIN_RECORDS = config.getBoolean("ranger.admin.init.purge.login_records", false);
+ LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS = config.getInt("ranger.admin.init.purge.login_records.retention.days", 0);
+
isRolesDownloadedByService = config.getBoolean("ranger.support.for.service.specific.role.download", false);
SUPPORTS_IN_PLACE_POLICY_UPDATES = SUPPORTS_POLICY_DELTAS && config.getBoolean("ranger.admin" + RangerCommonConstants.RANGER_ADMIN_SUFFIX_IN_PLACE_POLICY_UPDATES, RangerCommonConstants.RANGER_ADMIN_SUFFIX_IN_PLACE_POLICY_UPDATES_DEFAULT);
LOG.info("SUPPORTS_POLICY_DELTAS=" + SUPPORTS_POLICY_DELTAS);
LOG.info("RETENTION_PERIOD_IN_DAYS=" + RETENTION_PERIOD_IN_DAYS);
LOG.info("TAG_RETENTION_PERIOD_IN_DAYS=" + TAG_RETENTION_PERIOD_IN_DAYS);
+ LOG.info("SUPPORTS_PURGE_LOGIN_RECORDS=" + SUPPORTS_PURGE_LOGIN_RECORDS);
+ LOG.info("LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS=" + LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS);
LOG.info("isRolesDownloadedByService=" + isRolesDownloadedByService);
LOG.info("SUPPORTS_IN_PLACE_POLICY_UPDATES=" + SUPPORTS_IN_PLACE_POLICY_UPDATES);
@@ -414,6 +422,9 @@ public class ServiceDBStore extends AbstractServiceStore {
createGenericUsers();
resetPolicyUpdateLog(RETENTION_PERIOD_IN_DAYS, RangerPolicyDelta.CHANGE_TYPE_RANGER_ADMIN_START);
resetTagUpdateLog(TAG_RETENTION_PERIOD_IN_DAYS, ServiceTags.TagsChangeType.RANGER_ADMIN_START);
+ if (SUPPORTS_PURGE_LOGIN_RECORDS) {
+ removeAuthSessions(LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS);
+ }
//createUnzonedSecurityZone();
initRMSDaos();
return null;
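Review bot: removeAuthSessions is invoked unguarded from the start-up path, and unlike the REST variant there is no try/catch around it, so a failure of the bulk delete (a lock timeout on a large x_auth_sess table, for instance) would propagate out of this init callback, whose enclosing method starts before the hunk, and could prevent admin start-up. A purge of historical login records is housekeeping, not a precondition for serving requests, so it should fail soft: `try { removeAuthSessions(LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS); } catch (Exception e) { LOG.error("Failed to purge x_auth_sess records at start-up", e); }`. Whether the surrounding callback is transactional, and so would roll back the other init work, is not visible here and is worth confirming.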
@@ -5275,6 +5286,31 @@ public class ServiceDBStore extends AbstractServiceStore {
}
}
+ public void removeAuthSessions(int retentionInDays) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> removeAuthSessions(" + retentionInDays + ")");
+ }
+
+ if (retentionInDays > 0) {
+ long rowsCount = daoMgr.getXXAuthSession().getAllCount();
+ long rowsDeleted = daoMgr.getXXAuthSession().deleteOlderThan(retentionInDays);
+ LOG.info("Deleted " + rowsDeleted + " records from x_auth_sess that are older than " + retentionInDays + " days");
+ List<XXTrxLog> trxLogList = new ArrayList<XXTrxLog>();
+ XXTrxLog xxTrxLog = new XXTrxLog();
+ xxTrxLog.setAction("Deleted Auth Session records");
+ xxTrxLog.setObjectClassType(AppConstants.CLASS_TYPE_AUTH_SESS);
+ xxTrxLog.setPreviousValue("Total Records : "+rowsCount);
+ xxTrxLog.setNewValue("Deleted Records : "+rowsDeleted);
+ trxLogList.add(xxTrxLog);
+ bizUtil.createTrxLog(trxLogList);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== removeAuthSessions(" + retentionInDays + ")");
+
+ }
+ }
+
public List<String> getPolicyLabels(SearchFilter searchFilter) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.getPolicyLabels()");
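Review bot: When retentionInDays is 0 or negative the method returns without writing anything, so an operator who set ranger.admin.init.purge.login_records=true but left the retention at its default of 0 gets no indication that the purge was skipped; add an `else` to the `if (retentionInDays > 0)` block: `LOG.warn("removeAuthSessions: retentionInDays=" + retentionInDays + " is not positive, skipping purge of x_auth_sess");`. The "Total Records" value in the transaction log is read before the delete, so it is the pre-purge count; a short comment above `getAllCount()` saying so would spare the next reader the question. The blank line inside the closing `if (LOG.isDebugEnabled())` block is stray.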
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXAuthSessionDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXAuthSessionDao.java
index c3bd13c63..f69b8d2bb 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXAuthSessionDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXAuthSessionDao.java
@@ -19,19 +19,24 @@
package org.apache.ranger.db;
-import java.util.Date;
-import java.util.List;
+ import java.util.Date;
+ import java.util.List;
+ import java.util.concurrent.TimeUnit;
import javax.persistence.NoResultException;
import org.apache.ranger.common.DateUtil;
import org.apache.ranger.common.db.BaseDao;
import org.apache.ranger.entity.XXAuthSession;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;
@Service
public class XXAuthSessionDao extends BaseDao<XXAuthSession> {
+ private static final Logger LOG = LoggerFactory.getLogger(XXAuthSessionDao.class);
+
public XXAuthSessionDao( RangerDaoManagerBase daoManager ) {
super(daoManager);
}
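Review bot: The `java.util.Date` and `java.util.List` imports are removed and re-added with a leading space (`+ import java.util.Date;`), as is the new `TimeUnit` import, while the other imports in the hunk stay at column 0; this is whitespace churn that makes the diff look larger than it is and leaves the import block inconsistently indented. Keep all three at column 0 so the hunk reduces to the one genuinely new import plus the logger.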
@@ -89,5 +94,15 @@ public class XXAuthSessionDao extends BaseDao<XXAuthSession> {
public void deleteAuthSessionsByIds(List<Long> ids){
batchDeleteByIds("XXAuthSession.deleteByIds", ids, "ids");
}
+
+ public long deleteOlderThan(int olderThanInDays) {
+ Date since = new Date(System.currentTimeMillis() - TimeUnit.DAYS.toMillis(olderThanInDays));
+ LOG.info("Deleting x_auth_sess records that are older than " + olderThanInDays + " days, that is, older than " + since);
+
+ long ret = getEntityManager().createNamedQuery("XXAuthSession.deleteOlderThan").setParameter("olderThan", since).executeUpdate();
+
+ LOG.info("Deleted " + ret + " x_auth_sess records");
+ return ret;
+ }
}
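Review bot: deleteOlderThan computes `since` from olderThanInDays without checking its sign; a zero or negative argument puts the cut-off at or after the current time, so the named query would remove every row in x_auth_sess, including records of logins made moments ago. Both callers in this commit guard the value (`retentionInDays > 0` in ServiceDBStore, `olderThan < 1` in ServiceREST), but the DAO is the last step before the bulk delete and should fail closed on its own: `if (olderThanInDays < 1) { throw new IllegalArgumentException("olderThanInDays must be positive, got " + olderThanInDays); }` as the first statement. The two info lines here repeat what ServiceDBStore.removeAuthSessions already logs for the same operation; one of them at debug level would avoid triple-logging a single purge.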
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
index 69d2260de..1bdac859c 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
@@ -896,4 +896,19 @@ public class PublicAPIsv2 {
public RESTResponse revokeRoleUsersAndRoles(@PathParam("serviceName") String serviceName, GrantRevokeRoleRequest revokeRoleRequest, @Context HttpServletRequest request) {
return roleREST.revokeRole(serviceName, revokeRoleRequest, request);
}
+
+ @DELETE
+ @Path("/api/server/purge/records")
+ @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ public void purgeRecords(@QueryParam("type") String recordType, @DefaultValue("180") @QueryParam("retentionDays") Integer olderThan, @Context HttpServletRequest request) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> PublicAPIsv2.purgeRecords(" + recordType + ", " + olderThan + ")");
+ }
+
+ serviceREST.purgeRecords(recordType, olderThan, request);
+
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== PublicAPIsv2.purgeRecords(" + recordType + ", " + olderThan + ")");
+ }
+ }
}
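Review bot: The default retention of 180 days appears as the literal `@DefaultValue("180")` both here and on ServiceREST.purgeRecords, and the record-type validation lives only in ServiceREST, so the two entry points can drift independently. Annotation values must be compile-time constants, so declaring it once, e.g. `public static final String DEFAULT_PURGE_RETENTION_DAYS = "180";` in ServiceREST, and referencing it from both annotations keeps them aligned. The endpoint also lacks Javadoc; a comment such as `/** Deletes x_auth_sess rows older than retentionDays; only type=login_records is supported. Requires ROLE_SYS_ADMIN. */` would state the contract for API consumers.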
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 3447eb20e..6348d0287 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -3932,6 +3932,45 @@ public class ServiceREST {
}
}
+ @DELETE
+ @Path("/server/purge/records")
+ @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ public void purgeRecords(@QueryParam("type") String recordType, @DefaultValue("180") @QueryParam("retentionDays") Integer olderThan, @Context HttpServletRequest request) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> ServiceREST.purgeRecords(" + recordType + ", " + olderThan + ")");
+ }
+
+ if (StringUtils.isEmpty(recordType) || !"login_records".equalsIgnoreCase(recordType)) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Invalid record type - " + recordType, true);
+ }
+
+ if (olderThan < 1) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Retention days can't be lesser than 1", true);
+ }
+
+ RangerPerfTracer perf = null;
+
+ try {
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.purgeRecords(recordType=" + recordType + ", olderThan=" + olderThan + ")");
+ }
+
+ svcStore.removeAuthSessions(olderThan);
+
+ } catch (WebApplicationException excp) {
+ throw excp;
+ } catch (Throwable excp) {
+ LOG.error("purgeRecords(" + recordType + ", " + olderThan + ") failed", excp);
+ throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== ServiceREST.purgeRecords(" + recordType + ", " + olderThan + ")");
+ }
+ }
+
private HashMap<String, Object> getCSRFPropertiesMap(HttpServletRequest request) {
HashMap<String, Object> map = new HashMap<String, Object>();
map.put(isCSRF_ENABLED, PropertiesUtil.getBooleanProperty(isCSRF_ENABLED, true));
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
index 2baf53673..d3cdecdca 100755
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
+++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
@@ -24,6 +24,10 @@
WHERE obj.extSessionId = :sessionId
</query>
</named-query>
+ <named-query name="XXAuthSession.deleteOlderThan">
+ <query>delete from XXAuthSession obj where obj.createTime < :olderThan</query>
+ </named-query>
+
<named-query name="XXAuthSession.getRecentAuthFailureCountByLoginId">
<query>SELECT COUNT(1) FROM XXAuthSession obj
WHERE obj.loginId = :loginId
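Review bot: The new query deletes by createTime alone, with no condition on the session's state, while the query just above it (visible in context at `WHERE obj.extSessionId = :sessionId`) resolves a session row by its external session id. If any live-session code path depends on that lookup, a session created before the cut-off but still in use would lose its row once the purge runs; whether that can happen is not visible in this hunk and should be confirmed against the session manager before the default retention is relied on. If it can, the delete should additionally exclude rows for sessions still in use, by updateTime or an active flag if the entity has one.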
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
index 839cf180a..d6bf174e9 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
@@ -385,4 +385,12 @@
<name>ranger.admin.cookie.name</name>
<value>RANGERADMINSESSIONID</value>
</property>
+ <property>
+ <name>ranger.admin.init.purge.login_records</name>
+ <value>false</value>
+ </property>
+ <property>
+ <name>ranger.admin.init.purge.login_records.retention.days</name>
+ <value>0</value>
+ </property>
</configuration>
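Review bot: The two new properties carry no description, so a reader of the dist config cannot tell that a retention of 0 leaves the purge disabled even when `ranger.admin.init.purge.login_records` is true (ServiceDBStore.removeAuthSessions only acts when the value is positive). Add a `<description>` to each, e.g. for the second: `<description>Purge x_auth_sess login records older than this many days at admin start-up; 0 disables the purge.</description>`, or an XML comment if this file does not use description elements.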