Posted to commits@ranger.apache.org by ab...@apache.org on 2019/08/01 01:21:07 UTC

[ranger] branch ranger-2.0 updated: RANGER-2518: RANGER-2518: Allow service creator to delete the service

This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch ranger-2.0
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.0 by this push:
     new 06b4659  RANGER-2518: RANGER-2518: Allow service creator to delete the service
06b4659 is described below

commit 06b46597108132316ccfc9bf4af0805454e26aec
Author: Pradeep <pr...@apache.org>
AuthorDate: Wed Jul 31 15:37:49 2019 -0700

    RANGER-2518: RANGER-2518: Allow service creator to delete the service
---
 .../java/org/apache/ranger/biz/RangerBizUtil.java  |  9 ++-
 .../java/org/apache/ranger/biz/ServiceDBStore.java |  2 +-
 .../java/org/apache/ranger/rest/ServiceREST.java   | 64 ++++++++++++----------
 .../apache/ranger/service/XResourceService.java    |  2 +-
 .../ranger/service/XUgsyncAuditInfoService.java    |  2 +-
 .../org/apache/ranger/rest/TestServiceREST.java    | 12 ++++
 6 files changed, 58 insertions(+), 33 deletions(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index 0ad7df2..d49ea98 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -1339,13 +1339,17 @@ public class RangerBizUtil {
 
 		if (!session.isKeyAdmin() && !session.isUserAdmin()) {
 			throw restErrorUtil.createRESTException(
-					"User is not allowed to update service-def, only Admin can create/update/delete " + objType,
+					"This user is not allowed this operation. Only users with Admin permission have access to this operation " + objType,
 					MessageEnums.OPER_NO_PERMISSION);
 		}
 	}
 
 	public void hasKMSPermissions(String objType, String implClassName) {
 		UserSessionBase session = ContextUtil.getCurrentUserSession();
+		if (session == null) {
+			throw restErrorUtil.createRESTException("UserSession cannot be null, only KeyAdmin can create/update/delete "
+					+ objType, MessageEnums.OPER_NO_PERMISSION);
+		}
 
 		if (session.isKeyAdmin() && !EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(implClassName)) {
 			throw restErrorUtil.createRESTException("KeyAdmin can create/update/delete only KMS " + objType,
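Review bot: The replacement message at line 39 ends the sentence and then appends objType after a bare space, so the text a rejected caller sees reads "...have access to this operation Services"; close the sentence before the type name, e.g. `"This user is not allowed this operation. Only users with Admin permission can create/update/delete " + objType,`. This matters more after this commit because the same message is what a non-creator now receives from ServiceREST.deleteService. The null guard added to hasKMSPermissions at lines 46–49 is consistent with the other null checks in the commit. hasAdminPermissions starts before the hunk and hasKMSPermissions continues past it.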
@@ -1461,6 +1465,9 @@ public class RangerBizUtil {
 
 	public boolean hasModuleAccess(String moduleName) {
 		UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
+		if(currentUserSession == null) {
+			return false;
+		}
 		if(!currentUserSession.isUserAdmin() && !currentUserSession.isAuditUserAdmin()) {
 			if(!currentUserSession.getRangerUserPermission().getUserPermissions().contains(moduleName)) {
 				return false;
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 8420233..ef22354 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -3981,7 +3981,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 	public void putMetaDataInfo(RangerExportPolicyList rangerExportPolicyList){
 		Map<String, Object> metaDataInfo = new LinkedHashMap<String, Object>();
 		UserSessionBase usb = ContextUtil.getCurrentUserSession();
-		String userId = usb.getLoginId();
+		String userId = usb!=null ? usb.getLoginId() : null;
 		
 		metaDataInfo.put(HOSTNAME, LOCAL_HOSTNAME);
 		metaDataInfo.put(USER_NAME, userId);
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index b06273c..348d072 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -798,40 +798,46 @@ public class ServiceREST {
 			}
 			RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
 			validator.validate(id, Action.DELETE);
-
-			bizUtil.hasAdminPermissions("Services");
-
-			// TODO: As of now we are allowing SYS_ADMIN to create all the
-			// services including KMS
-
-			XXService service = daoManager.getXXService().getById(id);
-			if (service != null) {
-				EmbeddedServiceDefsUtil embeddedServiceDefsUtil = EmbeddedServiceDefsUtil.instance();
-				if (service.getType().equals(embeddedServiceDefsUtil.getTagServiceDefId())) {
-					List<XXService> referringServices = daoManager.getXXService().findByTagServiceId(id);
-					if (!CollectionUtils.isEmpty(referringServices)) {
-						Set<String> referringServiceNames = new HashSet<String>();
-						for (XXService xXService : referringServices) {
-							referringServiceNames.add(xXService.getName());
-							if (referringServiceNames.size() >= 10) {
-								break;
+			UserSessionBase session = ContextUtil.getCurrentUserSession();
+			if (session != null) {
+				XXService service = daoManager.getXXService().getById(id);
+				if (service != null) {
+					//if logged-in user is not the service creator then check admin priv.
+					if (!session.getUserId().equals(service.getAddedByUserId())) {
+						bizUtil.hasAdminPermissions("Services");
+					}
+					EmbeddedServiceDefsUtil embeddedServiceDefsUtil = EmbeddedServiceDefsUtil.instance();
+					if (service.getType().equals(embeddedServiceDefsUtil.getTagServiceDefId())) {
+						List<XXService> referringServices = daoManager.getXXService().findByTagServiceId(id);
+						if (!CollectionUtils.isEmpty(referringServices)) {
+							Set<String> referringServiceNames = new HashSet<String>();
+							for (XXService xXService : referringServices) {
+								referringServiceNames.add(xXService.getName());
+								if (referringServiceNames.size() >= 10) {
+									break;
+								}
+							}
+							if (referringServices.size() <= 10) {
+								throw restErrorUtil.createRESTException("Tag service '" + service.getName() + "' is being referenced by " + referringServices.size() + " services: " + referringServiceNames, MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
+							} else {
+								throw restErrorUtil.createRESTException("Tag service '" + service.getName() + "' is being referenced by " + referringServices.size() + " services: " + referringServiceNames + " and more..", MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
 							}
-						}
-						if (referringServices.size() <= 10) {
-							throw restErrorUtil.createRESTException("Tag service '" + service.getName() + "' is being referenced by " + referringServices.size() + " services: " + referringServiceNames, MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
-						} else {
-							throw restErrorUtil.createRESTException("Tag service '" + service.getName() + "' is being referenced by " + referringServices.size() + " services: " + referringServiceNames + " and more..", MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
 						}
 					}
-				}
-				XXServiceDef xxServiceDef = daoManager.getXXServiceDef().getById(service.getType());
-				bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
-				bizUtil.blockAuditorRoleUser();
-				tagStore.deleteAllTagObjectsForService(service.getName());
+					XXServiceDef xxServiceDef = daoManager.getXXServiceDef().getById(service.getType());
+					if (!session.getUserId().equals(service.getAddedByUserId())) {
+						bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
+						bizUtil.blockAuditorRoleUser();
+					}
+					tagStore.deleteAllTagObjectsForService(service.getName());
 
-				svcStore.deleteService(id);
+					svcStore.deleteService(id);
+				} else {
+					LOG.error("Cannot retrieve service:[" + id + "] for deletion");
+					throw new Exception("deleteService(" + id + ") failed");
+				}
 			} else {
-				LOG.error("Cannot retrieve service:[" + id + "] for deletion");
+				LOG.error("Cannot retrieve user session.");
 				throw new Exception("deleteService(" + id + ") failed");
 			}
 		} catch(WebApplicationException excp) {
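Review bot: The creator bypass at lines 138–141 also skips bizUtil.blockAuditorRoleUser(), so a user who created a service and has since been given the Auditor role can still delete it; the auditor restriction is about the caller's current role, not ownership, and should run regardless of who created the service. The creator comparison is written twice (lines 106 and 138) with `session.getUserId().equals(...)`, which throws NullPointerException if the session carries no user id; compute it once with `Objects.equals` (java.util) and reuse it. The surrounding method and its try/catch begin and end outside the hunk.

```java
UserSessionBase session = ContextUtil.getCurrentUserSession();
if (session != null) {
	XXService service = daoManager.getXXService().getById(id);
	if (service != null) {
		// Only the service creator may skip the admin check; null-safe comparison.
		boolean isServiceCreator = Objects.equals(session.getUserId(), service.getAddedByUserId());
		if (!isServiceCreator) {
			bizUtil.hasAdminPermissions("Services");
		}
		// … unchanged: tag-service reference check …
		XXServiceDef xxServiceDef = daoManager.getXXServiceDef().getById(service.getType());
		if (!isServiceCreator) {
			bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
		}
		// Role-based restriction: applies to creators as well.
		bizUtil.blockAuditorRoleUser();
		tagStore.deleteAllTagObjectsForService(service.getName());
		// … unchanged: svcStore.deleteService(id) and the error branches …
```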
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XResourceService.java b/security-admin/src/main/java/org/apache/ranger/service/XResourceService.java
index 43a855e..57b20b7 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XResourceService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/XResourceService.java
@@ -357,7 +357,7 @@ public class XResourceService extends
 		UserSessionBase currentUserSession = ContextUtil
 				.getCurrentUserSession();
 		// If user is system admin
-		if (currentUserSession.isUserAdmin()) {
+		if (currentUserSession != null && currentUserSession.isUserAdmin()) {
 			returnList = super.searchXResources(searchCriteria);
 			
 		} else {// need to be optimize
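Review bot: With the guard at line 165, a null currentUserSession no longer throws here but instead takes the non-admin else branch, which lies outside the hunk; if that branch dereferences currentUserSession (its comment suggests a per-user lookup), the NullPointerException has only moved, and if it does not, an unauthenticated caller now receives the non-admin result set silently. Make the no-session case explicit before the admin check, e.g. `if (currentUserSession == null) { return returnList; }` or throw via restErrorUtil as RangerBizUtil.hasKMSPermissions does in this commit, whichever the caller contract expects. searchXResources starts and ends outside the hunk.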
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java b/security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java
index d613c70..7fa96fb 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java
@@ -144,7 +144,7 @@ public class XUgsyncAuditInfoService extends XUgsyncAuditInfoServiceBase<XXUgsyn
 
 	public VXUgsyncAuditInfo createUgsyncAuditInfo(VXUgsyncAuditInfo vxUgsyncAuditInfo) {
 
-		Long sessionId = ContextUtil.getCurrentUserSession().getSessionId();
+		Long sessionId = ContextUtil.getCurrentUserSession() != null ? ContextUtil.getCurrentUserSession().getSessionId() : null;
 		if (sessionId != null) {
 			vxUgsyncAuditInfo.setSessionId("" + sessionId);
 		}
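Review bot: Line 178 calls ContextUtil.getCurrentUserSession() twice, once for the null test and once for the value, so the expression depends on both calls returning the same object; read it into a local instead: `UserSessionBase session = ContextUtil.getCurrentUserSession();` followed by `Long sessionId = session != null ? session.getSessionId() : null;`. That also keeps the line within the file's usual width. createUgsyncAuditInfo continues past the hunk.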
diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
index 34be7e9..a7e19bf 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
@@ -1817,6 +1817,18 @@ public class TestServiceREST {
 		xService.setType(embeddedServiceDefsUtil.getTagServiceDefId());
 		XXServiceDao xServiceDao = Mockito.mock(XXServiceDao.class);
 
+		String userLoginID = "testuser";
+		Long userId = 8L;
+		RangerSecurityContext context = new RangerSecurityContext();
+		context.setUserSession(new UserSessionBase());
+		RangerContextHolder.setSecurityContext(context);
+		UserSessionBase session = ContextUtil.getCurrentUserSession();
+		session.setUserAdmin(true);
+		XXPortalUser xXPortalUser = new XXPortalUser();
+		xXPortalUser.setLoginId(userLoginID);
+		xXPortalUser.setId(userId);
+		session.setXXPortalUser(xXPortalUser);
+
 		Mockito.when(validatorFactory.getServiceValidator(svcStore)).thenReturn(serviceValidator);
 		Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao);
 		Mockito.when(xServiceDao.findByTagServiceId(Mockito.anyLong())).thenReturn(referringServices);
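Review bot: The session set up at lines 192–200 is marked userAdmin, so this test exercises the admin path only and not the new branch in ServiceREST.deleteService where a non-admin creator (session user id equal to the service's addedByUserId) is allowed to delete; a second case with setUserAdmin(false) and xService.setAddedByUserId(userId) would cover the behaviour the commit introduces. RangerContextHolder.setSecurityContext at line 194 is, going by its name, presumably thread-local state that outlives this test method, so it should be cleared in teardown (for example `RangerContextHolder.setSecurityContext(null);` in an @After method) to keep it from leaking into other tests on the same thread. The test method begins before the hunk and continues past it.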