Posted to commits@ranger.apache.org by rm...@apache.org on 2019/10/02 19:57:22 UTC
[ranger] branch master updated: RANGER-2512:RangerRolesRESTClient
for serving user group roles to the plugins for evaluation -part2
This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 68fa17a RANGER-2512:RangerRolesRESTClient for serving user group roles to the plugins for evaluation -part2
68fa17a is described below
commit 68fa17a19a1032c3b3f2bff0df2f4c922b243595
Author: rmani <rm...@hortonworks.com>
AuthorDate: Wed Oct 2 11:11:20 2019 -0700
RANGER-2512:RangerRolesRESTClient for serving user group roles to the plugins for evaluation -part2
---
.../policyengine/RangerPolicyEngineImpl.java | 8 +--
.../main/java/org/apache/ranger/biz/AssetMgr.java | 18 +++---
.../java/org/apache/ranger/biz/ServiceDBStore.java | 70 ++++++++++++++++++----
.../org/apache/ranger/db/XXGlobalStateDao.java | 44 ++++++++++----
.../java/org/apache/ranger/db/XXPolicyDao.java | 11 ++++
.../apache/ranger/entity/XXServiceVersionInfo.java | 10 +++-
.../main/java/org/apache/ranger/rest/RoleREST.java | 6 +-
.../main/resources/META-INF/jpa_named_queries.xml | 9 +++
8 files changed, 133 insertions(+), 43 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
index 77648fd..576d5e5 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPolicyEngineImpl.java
@@ -1347,11 +1347,6 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
public Set<String> getRolesFromUserAndGroups(String user, Set<String> groups) {
Set<String> allRoles = new HashSet<>();
- if (rangerRoles != null ) {
- userRoleMapping = MapUtils.isNotEmpty(this.userRoleMapping) ? this.userRoleMapping : null;
- groupRoleMapping = MapUtils.isNotEmpty(this.groupRoleMapping) ? this.groupRoleMapping : null;
- }
-
if (MapUtils.isNotEmpty(userRoleMapping) && StringUtils.isNotEmpty(user)) {
Set<String> userRoles = userRoleMapping.get(user);
if (CollectionUtils.isNotEmpty(userRoles)) {
@@ -2025,6 +2020,9 @@ public class RangerPolicyEngineImpl implements RangerPolicyEngine {
rangerRolesUtil.init(rangerRoleSet);
userRoleMapping = rangerRolesUtil.getUserRoleMapping();
groupRoleMapping = rangerRolesUtil.getGroupRoleMapping();
+ } else {
+ userRoleMapping = null;
+ groupRoleMapping = null;
}
}
}
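Review bot: Setting `userRoleMapping` and `groupRoleMapping` to null in the new else branch can race with `getRolesFromUserAndGroups` (first hunk), which checks the field with `MapUtils.isNotEmpty(userRoleMapping)` and then reads the same field again in `userRoleMapping.get(user)`. If roles can be refreshed while requests are being evaluated (not visible here), a reset between those two reads throws a NullPointerException on the authorization path. Reading each field once into a local in the getter, e.g. `Map<String, Set<String>> userMapping = this.userRoleMapping;`, or assigning `Collections.emptyMap()` instead of null here, removes the window. The enclosing method starts outside the hunk.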
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java
index 9d26fb5..e17571f 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java
@@ -685,19 +685,19 @@ public class AssetMgr extends AssetMgrBase {
pluginSvcVersionInfo.setIpAddress(ipAddress);
switch (entityType) {
- case 0:
+ case RangerPluginInfo.ENTITY_TYPE_POLICIES:
pluginSvcVersionInfo.setPolicyActiveVersion(lastKnownVersion);
pluginSvcVersionInfo.setPolicyActivationTime(lastActivationTime);
pluginSvcVersionInfo.setPolicyDownloadedVersion(downloadedVersion);
pluginSvcVersionInfo.setPolicyDownloadTime(new Date().getTime());
break;
- case 1:
+ case RangerPluginInfo.ENTITY_TYPE_TAGS:
pluginSvcVersionInfo.setTagActiveVersion(lastKnownVersion);
pluginSvcVersionInfo.setTagActivationTime(lastActivationTime);
pluginSvcVersionInfo.setTagDownloadedVersion(downloadedVersion);
pluginSvcVersionInfo.setTagDownloadTime(new Date().getTime());
break;
- case 2:
+ case RangerPluginInfo.ENTITY_TYPE_ROLES:
pluginSvcVersionInfo.setRoleActiveVersion(lastKnownVersion);
pluginSvcVersionInfo.setRoleActivationTime(lastActivationTime);
pluginSvcVersionInfo.setRoleDownloadedVersion(downloadedVersion);
@@ -722,13 +722,13 @@ public class AssetMgr extends AssetMgrBase {
// HttpServletResponse.SC_NOT_MODIFIED
switch (entityType) {
- case 0:
+ case RangerPluginInfo.ENTITY_TYPE_POLICIES:
isTagVersionResetNeeded = rangerDaoManager.getXXService().findAssociatedTagService(pluginInfo.getServiceName()) == null;
break;
- case 1:
+ case RangerPluginInfo.ENTITY_TYPE_TAGS:
isTagVersionResetNeeded = false;
break;
- case 2:
+ case RangerPluginInfo.ENTITY_TYPE_ROLES:
isTagVersionResetNeeded = false;
break;
default:
@@ -1231,14 +1231,14 @@ public class AssetMgr extends AssetMgrBase {
}
private boolean isPolicyDownloadRequest(int entityType) {
- return entityType == 0;
+ return entityType == RangerPluginInfo.ENTITY_TYPE_POLICIES;
}
private boolean isTagDownloadRequest(int entityType) {
- return entityType == 1;
+ return entityType == RangerPluginInfo.ENTITY_TYPE_TAGS;
}
private boolean isRoleDownloadRequest(int entityType) {
- return entityType == 2;
+ return entityType == RangerPluginInfo.ENTITY_TYPE_ROLES;
}
}
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 85db577..51e08e1 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -66,6 +66,7 @@ import org.apache.ranger.common.ContextUtil;
import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.RangerCommonEnums;
import org.apache.ranger.common.db.RangerTransactionSynchronizationAdapter;
+import org.apache.ranger.db.XXGlobalStateDao;
import org.apache.ranger.db.XXPolicyDao;
import org.apache.ranger.entity.XXTagChangeLog;
import org.apache.ranger.plugin.model.RangerSecurityZone;
@@ -1637,7 +1638,7 @@ public class ServiceDBStore extends AbstractServiceStore {
service = svcService.update(service);
if (hasTagServiceValueChanged || hasIsEnabledChanged) {
- updatePolicyVersion(service, RangerPolicyDelta.CHANGE_TYPE_SERVICE_CHANGE, null);
+ updatePolicyVersion(service, RangerPolicyDelta.CHANGE_TYPE_SERVICE_CHANGE, null, false);
}
}
@@ -1932,6 +1933,8 @@ public class ServiceDBStore extends AbstractServiceStore {
policy.setVersion(Long.valueOf(1));
updatePolicySignature(policy);
+ boolean updateServiceInfoRoleVersion = isRoleDownloadRequired(policy, service.getId());
+
if(populateExistingBaseFields) {
assignedIdPolicyService.setPopulateExistingBaseFields(true);
daoMgr.getXXPolicy().setIdentityInsert(true);
@@ -1950,7 +1953,7 @@ public class ServiceDBStore extends AbstractServiceStore {
createOrMapLabels(xCreatedPolicy, uniquePolicyLabels);
RangerPolicy createdPolicy = policyService.getPopulatedViewObject(xCreatedPolicy);
- handlePolicyUpdate(service, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE, createdPolicy);
+ handlePolicyUpdate(service, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE, createdPolicy, updateServiceInfoRoleVersion);
dataHistService.createObjectDataHistory(createdPolicy, RangerDataHistService.ACTION_CREATE);
List<XXTrxLog> trxLogList = getTransactionLogList(createdPolicy,
@@ -2069,6 +2072,8 @@ public class ServiceDBStore extends AbstractServiceStore {
updatePolicySignature(policy);
+ boolean updateServiceInfoRoleVersion = isRoleDownloadRequired(policy, service.getId());
+
policy = policyService.update(policy);
XXPolicy newUpdPolicy = daoMgr.getXXPolicy().getById(policy.getId());
@@ -2078,7 +2083,7 @@ public class ServiceDBStore extends AbstractServiceStore {
policyRefUpdater.createNewPolMappingForRefTable(policy, newUpdPolicy, xServiceDef);
createOrMapLabels(newUpdPolicy, uniquePolicyLabels);
RangerPolicy updPolicy = policyService.getPopulatedViewObject(newUpdPolicy);
- handlePolicyUpdate(service, RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE, updPolicy);
+ handlePolicyUpdate(service, RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE, updPolicy, updateServiceInfoRoleVersion);
dataHistService.createObjectDataHistory(updPolicy, RangerDataHistService.ACTION_UPDATE);
bizUtil.createTrxLog(trxLogList);
@@ -2120,7 +2125,7 @@ public class ServiceDBStore extends AbstractServiceStore {
deleteExistingPolicyLabel(policy);
policyService.delete(policy);
- handlePolicyUpdate(service, RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE, policy);
+ handlePolicyUpdate(service, RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE, policy, false);
dataHistService.createObjectDataHistory(policy, RangerDataHistService.ACTION_DELETE);
@@ -2155,7 +2160,7 @@ public class ServiceDBStore extends AbstractServiceStore {
deleteExistingPolicyLabel(policy);
policyService.delete(policy);
List<XXTrxLog> trxLogList = getTransactionLogList(policy, RangerPolicyService.OPERATION_IMPORT_DELETE_CONTEXT, RangerPolicyService.OPERATION_DELETE_CONTEXT);
- handlePolicyUpdate(service, RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE, policy);
+ handlePolicyUpdate(service, RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE, policy, false);
dataHistService.createObjectDataHistory(policy, RangerDataHistService.ACTION_DELETE);
bizUtil.createTrxLog(trxLogList);
}
@@ -3289,13 +3294,13 @@ public class ServiceDBStore extends AbstractServiceStore {
return validConfigs;
}
- private void handlePolicyUpdate(RangerService service, Integer policyDeltaType, RangerPolicy policy) throws Exception {
- updatePolicyVersion(service, policyDeltaType, policy);
+ private void handlePolicyUpdate(RangerService service, Integer policyDeltaType, RangerPolicy policy, boolean updateServiceInfoRoleVersion) throws Exception {
+ updatePolicyVersion(service, policyDeltaType, policy, updateServiceInfoRoleVersion);
}
public enum VERSION_TYPE { POLICY_VERSION, TAG_VERSION, POLICY_AND_TAG_VERSION, ROLE_VERSION }
- private void updatePolicyVersion(RangerService service, Integer policyDeltaType, RangerPolicy policy) throws Exception {
+ private void updatePolicyVersion(RangerService service, Integer policyDeltaType, RangerPolicy policy, boolean updateServiceInfoRoleVersion) throws Exception {
if(service == null || service.getId() == null) {
return;
}
@@ -3332,6 +3337,11 @@ public class ServiceDBStore extends AbstractServiceStore {
Runnable serviceVersionUpdater = new ServiceVersionUpdater(daoManager, serviceId, versionType, policy != null ? policy.getZoneName() : null, policyDeltaType, policy);
transactionSynchronizationAdapter.executeOnTransactionCommit(serviceVersionUpdater);
+
+ if (updateServiceInfoRoleVersion) {
+ Runnable roleVersionUpdater = new ServiceVersionUpdater(daoManager, serviceId, VERSION_TYPE.ROLE_VERSION, policy != null ? policy.getZoneName() : null, policyDeltaType, policy);
+ transactionSynchronizationAdapter.executeOnTransactionCommit(roleVersionUpdater);
+ }
}
public static void persistVersionChange(ServiceVersionUpdater serviceVersionUpdater) {
@@ -3359,11 +3369,16 @@ public class ServiceDBStore extends AbstractServiceStore {
serviceVersionInfoDbObj.setTagUpdateTime(now);
}
- if (versionType == VERSION_TYPE.ROLE_VERSION) {
+ if(versionType == VERSION_TYPE.ROLE_VERSION) {
// get the LatestRoleVersion from the GlobalTable and update ServiceInfo for a service
- Long currentRoleVersion = daoMgr.getXXGlobalState().getRoleVersion("RangerRole");
- serviceVersionInfoDbObj.setRolVersion(currentRoleVersion);
- serviceVersionInfoDbObj.setRoleUpdateTime(now);
+ XXGlobalStateDao xxGlobalStateDao = daoMgr.getXXGlobalState();
+ if (xxGlobalStateDao != null) {
+ Long roleVersion = xxGlobalStateDao.getRoleVersion("RangerRole");
+ if (roleVersion != null) {
+ serviceVersionInfoDbObj.setRoleVersion(roleVersion);
+ serviceVersionInfoDbObj.setRoleUpdateTime(now);
+ }
+ }
}
serviceVersionInfoDao.update(serviceVersionInfoDbObj);
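Review bot: When `getRoleVersion("RangerRole")` returns null, the new `if (roleVersion != null)` guard skips the role-version update silently. The service's role version then stays where it was, and plugins presumably never learn that they need to re-download roles for a policy that references a new role. A warn-level log in an else branch, naming the service id, would make that visible. The `"RangerRole"` literal is also better held in one shared constant so this reader and the writer of the global state cannot drift apart. The method starts outside the hunk.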
@@ -3376,6 +3391,8 @@ public class ServiceDBStore extends AbstractServiceStore {
serviceVersionInfoDbObj.setPolicyUpdateTime(new Date());
serviceVersionInfoDbObj.setTagVersion(1L);
serviceVersionInfoDbObj.setTagUpdateTime(new Date());
+ serviceVersionInfoDbObj.setRoleVersion(1L);
+ serviceVersionInfoDbObj.setRoleUpdateTime(new Date());
serviceVersionInfoDao.create(serviceVersionInfoDbObj);
}
@@ -3386,6 +3403,35 @@ public class ServiceDBStore extends AbstractServiceStore {
}
}
+ private boolean isRoleDownloadRequired(RangerPolicy policy, Long serviceId) {
+ // Role Download to plugin is required if some role in the policy created/updated is not present in any other
+ // policy for that service.
+ boolean ret = false;
+
+ if (policy != null) {
+ List<RangerPolicy.RangerPolicyItem> rangerPolicyItems = policy.getPolicyItems();
+ if (CollectionUtils.isNotEmpty(rangerPolicyItems)) {
+ for (RangerPolicyItem rangerPolicyItem : rangerPolicyItems) {
+ List<String> roleNames = rangerPolicyItem.getRoles();
+ if (CollectionUtils.isNotEmpty(roleNames)) {
+ for (String roleName : roleNames) {
+ List<Long> policyIds = daoMgr.getXXPolicy().findPolicyIdsByRoleNameAndServiceId(roleName, serviceId);
+ if (CollectionUtils.isEmpty(policyIds)) {
+ ret = true;
+ break;
+ }
+ }
+ }
+ if (ret) {
+ break;
+ }
+ }
+ }
+ }
+
+ return ret;
+ }
+
private static void persistChangeLog(ServiceVersionUpdater serviceVersionUpdater) {
XXServiceVersionInfoDao serviceVersionInfoDao = serviceVersionUpdater.daoManager.getXXServiceVersionInfo();
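Review bot: `isRoleDownloadRequired` only walks `policy.getPolicyItems()`, so a role that appears solely in deny items, allow/deny exceptions, data-mask items or row-filter items never sets the flag. Assuming roles can be attached to those item lists too, a policy that denies access to a role no other policy references would not bump the service's role version, and the plugin could evaluate it without the role membership data. The check should cover every item list of the policy. Each role also costs one query; a single query taking the collected role names would avoid that, but is optional.

```java
private boolean isRoleDownloadRequired(RangerPolicy policy, Long serviceId) {
    if (policy == null) {
        return false;
    }

    List<List<? extends RangerPolicyItem>> itemLists = new ArrayList<>();
    itemLists.add(policy.getPolicyItems());
    itemLists.add(policy.getDenyPolicyItems());
    itemLists.add(policy.getAllowExceptions());
    itemLists.add(policy.getDenyExceptions());
    itemLists.add(policy.getDataMaskPolicyItems());
    itemLists.add(policy.getRowFilterPolicyItems());

    for (List<? extends RangerPolicyItem> items : itemLists) {
        if (CollectionUtils.isEmpty(items)) {
            continue;
        }
        for (RangerPolicyItem item : items) {
            // … unchanged: per-role findPolicyIdsByRoleNameAndServiceId lookup; return true on the first role with no referencing policy …
        }
    }

    return false;
}
```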
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXGlobalStateDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXGlobalStateDao.java
index d687e73..4f7e9d5 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXGlobalStateDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXGlobalStateDao.java
@@ -18,6 +18,7 @@
package org.apache.ranger.db;
import com.google.gson.Gson;
+import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.apache.ranger.common.DateUtil;
@@ -34,7 +35,7 @@ import java.util.Map;
public class XXGlobalStateDao extends BaseDao<XXGlobalState> {
private static final Logger logger = Logger.getLogger(RangerDaoManager.class);
- final static String RANGER_ROLE_VERSION_LABEL = "RangerRoleVersion";
+ final static String APP_DATA_ENTRY_ROLE_VERSION = "RangerRoleVersion";
public void onGlobalStateChange(String stateName) throws Exception {
@@ -73,18 +74,9 @@ public class XXGlobalStateDao extends BaseDao<XXGlobalState> {
try {
XXGlobalState globalState = findByStateName(stateName);
if (globalState == null) {
- globalState = new XXGlobalState();
- globalState.setStateName(stateName);
- Map<String,String> roleVersion = new HashMap<>();
- roleVersion.put(RANGER_ROLE_VERSION_LABEL,new String(Long.toString(1L)));
- globalState.setAppData(new Gson().toJson(roleVersion));
- create(globalState);
+ createGlobalStateForRoleVersion(globalState, stateName);
} else {
- Map<String,String> roleVersionJson = new Gson().fromJson(globalState.getAppData(),Map.class);
- Long roleVersion = Long.valueOf(roleVersionJson.get(RANGER_ROLE_VERSION_LABEL)) + 1L;
- roleVersionJson.put(RANGER_ROLE_VERSION_LABEL,new String(Long.toString(roleVersion)));
- globalState.setAppData(new Gson().toJson(roleVersionJson));
- update(globalState);
+ updateGlobalStateForRoleVersion(globalState, stateName);
}
} catch (Exception exception) {
logger.error("Cannot create/update GlobalState for state:[" + stateName + "]", exception);
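Review bot: In the `globalState == null` branch the new call `createGlobalStateForRoleVersion(globalState, stateName)` passes the null reference, and the helper added at the end of this file starts with `globalState.setStateName(stateName)`, so it throws a NullPointerException. The removed code created the entity first with `globalState = new XXGlobalState();`. As written, the first role-version row is never created and the failure only shows up through the surrounding catch. The call should be `createGlobalStateForRoleVersion(new XXGlobalState(), stateName);`. The enclosing method starts and ends outside the hunk.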
@@ -98,7 +90,11 @@ public class XXGlobalStateDao extends BaseDao<XXGlobalState> {
try {
XXGlobalState globalState = findByStateName(stateName);
Map<String, String> roleVersionJson = new Gson().fromJson(globalState.getAppData(), Map.class);
- ret = Long.valueOf(roleVersionJson.get(RANGER_ROLE_VERSION_LABEL));
+ if(MapUtils.isNotEmpty(roleVersionJson)) {
+ ret = Long.valueOf(roleVersionJson.get(APP_DATA_ENTRY_ROLE_VERSION));
+ } else {
+ ret = 1L;
+ }
} catch (Exception exception) {
logger.warn("Unable to find the role version in Ranger Database");
}
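Review bot: The new `MapUtils.isNotEmpty(roleVersionJson)` guard covers empty app data only. A non-empty map without the `APP_DATA_ENTRY_ROLE_VERSION` key still reaches `Long.valueOf(null)`, and a null result from `findByStateName` still fails on `globalState.getAppData()`. Both cases fall into the catch, which logs a warning without the exception or the state name, so they cannot be told apart from a missing row. Consider checking `globalState` and the looked-up value explicitly, and passing `exception` to `logger.warn`. The method starts outside the hunk, so the initial value of `ret` is not visible.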
@@ -139,5 +135,27 @@ public class XXGlobalStateDao extends BaseDao<XXGlobalState> {
return null;
}
}
+
+ private void createGlobalStateForRoleVersion(XXGlobalState globalState, String stateName) {
+ globalState.setStateName(stateName);
+ Map<String,String> roleVersion = new HashMap<>();
+ roleVersion.put(APP_DATA_ENTRY_ROLE_VERSION,new String(Long.toString(1L)));
+ globalState.setAppData(new Gson().toJson(roleVersion));
+ create(globalState);
+ }
+
+ private void updateGlobalStateForRoleVersion(XXGlobalState globalState, String stateName) {
+ Map<String,String> roleVersionJson = new Gson().fromJson(globalState.getAppData(),Map.class);
+ if (MapUtils.isNotEmpty(roleVersionJson)) {
+ Long roleVersion = Long.valueOf(roleVersionJson.get(APP_DATA_ENTRY_ROLE_VERSION)) + 1L;
+ roleVersionJson.put(APP_DATA_ENTRY_ROLE_VERSION, new String(Long.toString(roleVersion)));
+ globalState.setAppData(new Gson().toJson(roleVersionJson));
+ update(globalState);
+ } else {
+ //if not present create Global State for Role Version.
+ XXGlobalState xxGlobalState = new XXGlobalState();
+ createGlobalStateForRoleVersion(xxGlobalState, stateName);
+ }
+ }
}
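Review bot: The else branch of `updateGlobalStateForRoleVersion` is reached only when a row for `stateName` already exists with empty app data, yet it builds a fresh `XXGlobalState` and calls `create`. That either inserts a second row for the same state name or fails on a uniqueness constraint, depending on the schema, which is not visible here. Seeding the version on the existing `globalState` and calling `update` keeps one row per state. The `new String(Long.toString(...))` wrappers in both helpers are redundant, since `Long.toString` already returns a `String`.

```java
} else {
    // appData is empty: seed the version on the row that was already found
    Map<String, String> seeded = new HashMap<>();
    seeded.put(APP_DATA_ENTRY_ROLE_VERSION, Long.toString(1L));
    globalState.setAppData(new Gson().toJson(seeded));
    update(globalState);
}
```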
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java
index 06a4063..0d46ca8 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java
@@ -222,4 +222,15 @@ public class XXPolicyDao extends BaseDao<XXPolicy> {
return ret;
}
+ public List<Long> findPolicyIdsByRoleNameAndServiceId(String roleName, Long serviceId) {
+ List<Long> ret = null;
+ try {
+ return getEntityManager()
+ .createNamedQuery("XXPolicy.findPolicyIdsByRoleNameAndServiceId", Long.class)
+ .setParameter("serviceId", serviceId)
+ .setParameter("roleName", roleName).getResultList();
+ } catch (Exception e) {
+ }
+ return ret;
+ }
}
\ No newline at end of file
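Review bot: The empty `catch (Exception e) { }` in `findPolicyIdsByRoleNameAndServiceId` hides every query or mapping failure and returns null. The caller in ServiceDBStore treats null the same as "no policy references this role", so a broken query shows up only as role versions being bumped on every policy save. Log the exception with the class's logger, including `roleName` and `serviceId`, and return `Collections.emptyList()` rather than null. The local `ret` is never assigned anything but null and can go.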
diff --git a/security-admin/src/main/java/org/apache/ranger/entity/XXServiceVersionInfo.java b/security-admin/src/main/java/org/apache/ranger/entity/XXServiceVersionInfo.java
index 1d81337..5d0f886 100644
--- a/security-admin/src/main/java/org/apache/ranger/entity/XXServiceVersionInfo.java
+++ b/security-admin/src/main/java/org/apache/ranger/entity/XXServiceVersionInfo.java
@@ -137,7 +137,7 @@ public class XXServiceVersionInfo implements java.io.Serializable {
return this.tagUpdateTime;
}
- public void setRolVersion(Long roleVersion) {
+ public void setRoleVersion(Long roleVersion) {
this.roleVersion = roleVersion;
}
@@ -166,6 +166,8 @@ public class XXServiceVersionInfo implements java.io.Serializable {
str += "policyUpdateTime={" + policyUpdateTime + "} ";
str += "tagVersion={" + tagVersion + "} ";
str += "tagUpdateTime={" + tagUpdateTime + "} ";
+ str += "setRoleVersion={" + roleVersion + "}" ;
+ str += "setRoleUpdateTime={" + roleUpdateTime + "}" ;
str += "}";
return str;
}
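Review bot: The two lines added to `toString` label the fields with setter names (`setRoleVersion=`, `setRoleUpdateTime=`) and omit the trailing space that the other entries use, so the output runs the two values together. For consistency with `tagVersion`/`tagUpdateTime` they should read `str += "roleVersion={" + roleVersion + "} ";` and `str += "roleUpdateTime={" + roleUpdateTime + "} ";`. The method starts outside the hunk.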
@@ -203,6 +205,12 @@ public class XXServiceVersionInfo implements java.io.Serializable {
if ((this.tagUpdateTime == null && other.tagUpdateTime != null) || (this.tagUpdateTime != null && !this.tagUpdateTime.equals(other.tagUpdateTime))) {
return false;
}
+ if ((this.roleVersion == null && other.roleVersion != null) || (this.roleVersion != null && !this.roleVersion.equals(other.roleVersion))) {
+ return false;
+ }
+ if ((this.roleUpdateTime == null && other.roleUpdateTime != null) || (this.roleUpdateTime != null && !this.roleUpdateTime.equals(other.roleUpdateTime))) {
+ return false;
+ }
return true;
}
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
index d28cf3d..268c8c4 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
@@ -80,7 +80,7 @@ public class RoleREST {
private static List<String> INVALID_USERS = new ArrayList<>();
- public static final String Allowed_User_List_For_Download = "policy.download.auth.users";
+ public static final String POLICY_DOWNLOAD_USERS = "policy.download.auth.users";
@Autowired
RESTErrorUtil restErrorUtil;
@@ -798,13 +798,13 @@ public class RoleREST {
if (isKeyAdmin) {
isAllowed = true;
}else {
- isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Download);
+ isAllowed = bizUtil.isUserAllowed(rangerService, POLICY_DOWNLOAD_USERS);
}
}else{
if (isAdmin) {
isAllowed = true;
}else{
- isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Download);
+ isAllowed = bizUtil.isUserAllowed(rangerService, POLICY_DOWNLOAD_USERS);
}
}
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
index ab8e675..1a6b0bd 100755
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
+++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
@@ -312,6 +312,15 @@
<query>select DISTINCT(obj.service) from XXPolicy obj, XXPolicyRefRole policyRefRole where policyRefRole.roleId = :roleId and policyRefRole.policyId = obj.id</query>
</named-query>
+ <named-query name="XXPolicy.findPolicyIdsByRoleNameAndServiceId">
+ <query>select roleRef.policyId
+ from XXPolicy policy, XXPolicyRefRole roleRef
+ where policy.service = :serviceId
+ and roleRef.policyId = policy.id
+ and roleRef.roleName = :roleName
+ </query>
+ </named-query>
+
<!-- XXServiceDef -->
<named-query name="XXServiceDef.findByName">
<query>select obj from XXServiceDef obj where obj.name = :name</query>