Posted to commits@ranger.apache.org by ab...@apache.org on 2019/08/01 01:21:07 UTC
[ranger] branch ranger-2.0 updated: RANGER-2518: RANGER-2518: Allow
service creator to delete the service
This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch ranger-2.0
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.0 by this push:
new 06b4659 RANGER-2518: RANGER-2518: Allow service creator to delete the service
06b4659 is described below
commit 06b46597108132316ccfc9bf4af0805454e26aec
Author: Pradeep <pr...@apache.org>
AuthorDate: Wed Jul 31 15:37:49 2019 -0700
RANGER-2518: RANGER-2518: Allow service creator to delete the service
---
.../java/org/apache/ranger/biz/RangerBizUtil.java | 9 ++-
.../java/org/apache/ranger/biz/ServiceDBStore.java | 2 +-
.../java/org/apache/ranger/rest/ServiceREST.java | 64 ++++++++++++----------
.../apache/ranger/service/XResourceService.java | 2 +-
.../ranger/service/XUgsyncAuditInfoService.java | 2 +-
.../org/apache/ranger/rest/TestServiceREST.java | 12 ++++
6 files changed, 58 insertions(+), 33 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index 0ad7df2..d49ea98 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -1339,13 +1339,17 @@ public class RangerBizUtil {
if (!session.isKeyAdmin() && !session.isUserAdmin()) {
throw restErrorUtil.createRESTException(
- "User is not allowed to update service-def, only Admin can create/update/delete " + objType,
+ "This user is not allowed this operation. Only users with Admin permission have access to this operation " + objType,
MessageEnums.OPER_NO_PERMISSION);
}
}
public void hasKMSPermissions(String objType, String implClassName) {
UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session == null) {
+ throw restErrorUtil.createRESTException("UserSession cannot be null, only KeyAdmin can create/update/delete "
+ + objType, MessageEnums.OPER_NO_PERMISSION);
+ }
if (session.isKeyAdmin() && !EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(implClassName)) {
throw restErrorUtil.createRESTException("KeyAdmin can create/update/delete only KMS " + objType,
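Review bot: The rewritten message in hasAdminPermissions ends with `... have access to this operation " + objType`, which is rendered to the client as "...to this operation Services" with no connective; `... have access to this operation on " + objType` reads as intended. The null guard added to hasKMSPermissions is the right fail-closed choice, but its text ("only KeyAdmin can create/update/delete") gives the wrong reason when the session is simply absent — consider `"UserSession cannot be null; no permission to create/update/delete " + objType`. hasAdminPermissions begins before this hunk and hasKMSPermissions continues past it, so I cannot see whether hasAdminPermissions received the same null guard.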
@@ -1461,6 +1465,9 @@ public class RangerBizUtil {
public boolean hasModuleAccess(String moduleName) {
UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
+ if(currentUserSession == null) {
+ return false;
+ }
if(!currentUserSession.isUserAdmin() && !currentUserSession.isAuditUserAdmin()) {
if(!currentUserSession.getRangerUserPermission().getUserPermissions().contains(moduleName)) {
return false;
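Review bot: The new null guard in hasModuleAccess denies silently, and a one-line comment would record that this is deliberate rather than an oversight, e.g. `// no authenticated session: deny (fail closed) instead of dereferencing null`. The lines that follow still call `getRangerUserPermission().getUserPermissions()` without a check; I cannot confirm from this hunk whether either can be null for a freshly created session, but if so the NPE this commit removes recurs one line later. The method continues past the hunk.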
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 8420233..ef22354 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -3981,7 +3981,7 @@ public class ServiceDBStore extends AbstractServiceStore {
public void putMetaDataInfo(RangerExportPolicyList rangerExportPolicyList){
Map<String, Object> metaDataInfo = new LinkedHashMap<String, Object>();
UserSessionBase usb = ContextUtil.getCurrentUserSession();
- String userId = usb.getLoginId();
+ String userId = usb!=null ? usb.getLoginId() : null;
metaDataInfo.put(HOSTNAME, LOCAL_HOSTNAME);
metaDataInfo.put(USER_NAME, userId);
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index b06273c..348d072 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -798,40 +798,46 @@ public class ServiceREST {
}
RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
validator.validate(id, Action.DELETE);
-
- bizUtil.hasAdminPermissions("Services");
-
- // TODO: As of now we are allowing SYS_ADMIN to create all the
- // services including KMS
-
- XXService service = daoManager.getXXService().getById(id);
- if (service != null) {
- EmbeddedServiceDefsUtil embeddedServiceDefsUtil = EmbeddedServiceDefsUtil.instance();
- if (service.getType().equals(embeddedServiceDefsUtil.getTagServiceDefId())) {
- List<XXService> referringServices = daoManager.getXXService().findByTagServiceId(id);
- if (!CollectionUtils.isEmpty(referringServices)) {
- Set<String> referringServiceNames = new HashSet<String>();
- for (XXService xXService : referringServices) {
- referringServiceNames.add(xXService.getName());
- if (referringServiceNames.size() >= 10) {
- break;
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session != null) {
+ XXService service = daoManager.getXXService().getById(id);
+ if (service != null) {
+ //if logged-in user is not the service creator then check admin priv.
+ if (!session.getUserId().equals(service.getAddedByUserId())) {
+ bizUtil.hasAdminPermissions("Services");
+ }
+ EmbeddedServiceDefsUtil embeddedServiceDefsUtil = EmbeddedServiceDefsUtil.instance();
+ if (service.getType().equals(embeddedServiceDefsUtil.getTagServiceDefId())) {
+ List<XXService> referringServices = daoManager.getXXService().findByTagServiceId(id);
+ if (!CollectionUtils.isEmpty(referringServices)) {
+ Set<String> referringServiceNames = new HashSet<String>();
+ for (XXService xXService : referringServices) {
+ referringServiceNames.add(xXService.getName());
+ if (referringServiceNames.size() >= 10) {
+ break;
+ }
+ }
+ if (referringServices.size() <= 10) {
+ throw restErrorUtil.createRESTException("Tag service '" + service.getName() + "' is being referenced by " + referringServices.size() + " services: " + referringServiceNames, MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
+ } else {
+ throw restErrorUtil.createRESTException("Tag service '" + service.getName() + "' is being referenced by " + referringServices.size() + " services: " + referringServiceNames + " and more..", MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
}
- }
- if (referringServices.size() <= 10) {
- throw restErrorUtil.createRESTException("Tag service '" + service.getName() + "' is being referenced by " + referringServices.size() + " services: " + referringServiceNames, MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
- } else {
- throw restErrorUtil.createRESTException("Tag service '" + service.getName() + "' is being referenced by " + referringServices.size() + " services: " + referringServiceNames + " and more..", MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
}
}
- }
- XXServiceDef xxServiceDef = daoManager.getXXServiceDef().getById(service.getType());
- bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
- bizUtil.blockAuditorRoleUser();
- tagStore.deleteAllTagObjectsForService(service.getName());
+ XXServiceDef xxServiceDef = daoManager.getXXServiceDef().getById(service.getType());
+ if (!session.getUserId().equals(service.getAddedByUserId())) {
+ bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
+ bizUtil.blockAuditorRoleUser();
+ }
+ tagStore.deleteAllTagObjectsForService(service.getName());
- svcStore.deleteService(id);
+ svcStore.deleteService(id);
+ } else {
+ LOG.error("Cannot retrieve service:[" + id + "] for deletion");
+ throw new Exception("deleteService(" + id + ") failed");
+ }
} else {
- LOG.error("Cannot retrieve service:[" + id + "] for deletion");
+ LOG.error("Cannot retrieve user session.");
throw new Exception("deleteService(" + id + ") failed");
}
} catch(WebApplicationException excp) {
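Review bot: The creator shortcut at `if (!session.getUserId().equals(service.getAddedByUserId()))` is applied twice and on the second occurrence it also skips `bizUtil.blockAuditorRoleUser()`, which from its name rejects auditor-role callers; a user who created a service and was later moved to the auditor role would therefore still be able to delete it, whereas before this commit every delete went through that check. Keeping the auditor block unconditional and gating only the admin/KMS checks on creator status preserves the intent of the change without widening it, and the comparison should be computed once — with `Objects.equals`, since `session.getUserId()` throwing on a session without a portal user is not handled here. The enclosing deleteService method starts and ends outside this hunk, so the `java.util.Objects` import would need to be added at the top of the file.
```java
XXService service = daoManager.getXXService().getById(id);
if (service != null) {
    // Service creator may delete without admin privilege; everyone else needs it.
    boolean isServiceCreator = Objects.equals(session.getUserId(), service.getAddedByUserId());
    if (!isServiceCreator) {
        bizUtil.hasAdminPermissions("Services");
    }
    // … unchanged: tag-service reference check …
    XXServiceDef xxServiceDef = daoManager.getXXServiceDef().getById(service.getType());
    if (!isServiceCreator) {
        bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
    }
    // Auditor-role callers are blocked regardless of who created the service.
    bizUtil.blockAuditorRoleUser();
    tagStore.deleteAllTagObjectsForService(service.getName());
    svcStore.deleteService(id);
```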
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XResourceService.java b/security-admin/src/main/java/org/apache/ranger/service/XResourceService.java
index 43a855e..57b20b7 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XResourceService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/XResourceService.java
@@ -357,7 +357,7 @@ public class XResourceService extends
UserSessionBase currentUserSession = ContextUtil
.getCurrentUserSession();
// If user is system admin
- if (currentUserSession.isUserAdmin()) {
+ if (currentUserSession != null && currentUserSession.isUserAdmin()) {
returnList = super.searchXResources(searchCriteria);
} else {// need to be optimize
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java b/security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java
index d613c70..7fa96fb 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java
@@ -144,7 +144,7 @@ public class XUgsyncAuditInfoService extends XUgsyncAuditInfoServiceBase<XXUgsyn
public VXUgsyncAuditInfo createUgsyncAuditInfo(VXUgsyncAuditInfo vxUgsyncAuditInfo) {
- Long sessionId = ContextUtil.getCurrentUserSession().getSessionId();
+ Long sessionId = ContextUtil.getCurrentUserSession() != null ? ContextUtil.getCurrentUserSession().getSessionId() : null;
if (sessionId != null) {
vxUgsyncAuditInfo.setSessionId("" + sessionId);
}
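Review bot: The new line in createUgsyncAuditInfo calls `ContextUtil.getCurrentUserSession()` twice, once for the null test and once for the value, so a session that appears or disappears between the two calls is read inconsistently and the line is hard to scan. Capturing it once is clearer: `UserSessionBase session = ContextUtil.getCurrentUserSession();` followed by `Long sessionId = session != null ? session.getSessionId() : null;`. The method continues past the hunk.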
diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
index 34be7e9..a7e19bf 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
@@ -1817,6 +1817,18 @@ public class TestServiceREST {
xService.setType(embeddedServiceDefsUtil.getTagServiceDefId());
XXServiceDao xServiceDao = Mockito.mock(XXServiceDao.class);
+ String userLoginID = "testuser";
+ Long userId = 8L;
+ RangerSecurityContext context = new RangerSecurityContext();
+ context.setUserSession(new UserSessionBase());
+ RangerContextHolder.setSecurityContext(context);
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ session.setUserAdmin(true);
+ XXPortalUser xXPortalUser = new XXPortalUser();
+ xXPortalUser.setLoginId(userLoginID);
+ xXPortalUser.setId(userId);
+ session.setXXPortalUser(xXPortalUser);
+
Mockito.when(validatorFactory.getServiceValidator(svcStore)).thenReturn(serviceValidator);
Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao);
Mockito.when(xServiceDao.findByTagServiceId(Mockito.anyLong())).thenReturn(referringServices);
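Review bot: The added setup gives the session `setUserAdmin(true)` and a portal user id of 8L, so as far as this hunk shows the test only exercises the path where an admin deletes a service; the behaviour the commit introduces — a non-admin creator being allowed to delete, and a non-admin non-creator being refused by hasAdminPermissions — has no visible coverage, and a second case with `session.setUserAdmin(false)` and `xService.setAddedByUserId(userId)` (plus one with a different owner id) would pin it. `RangerContextHolder.setSecurityContext(context)` installs state that outlives this test unless it is cleared in a teardown, which can make later tests in the class pass or fail depending on ordering. The test method starts before this hunk and continues past it, so an existing teardown may already handle this.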