Posted to commits@ranger.apache.org by ma...@apache.org on 2015/04/02 09:45:47 UTC

incubator-ranger git commit: RANGER-366: grant, revoke to authorize based on groups of the grantor

Repository: incubator-ranger
Updated Branches:
  refs/heads/master 49bebb59f -> be34cc292


RANGER-366: grant, revoke to authorize based on groups of the grantor


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/be34cc29
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/be34cc29
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/be34cc29

Branch: refs/heads/master
Commit: be34cc2929e0cb4c4a43d5a2eece40683e61a62d
Parents: 49bebb5
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Wed Apr 1 22:56:21 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Apr 2 00:44:40 2015 -0700

----------------------------------------------------------------------
 .../java/org/apache/ranger/biz/XUserMgr.java    | 31 ++++++++++++++++++++
 .../org/apache/ranger/rest/ServiceREST.java     | 10 +++++--
 2 files changed, 38 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/be34cc29/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index bc0fc82..1051991 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -32,6 +32,7 @@ import javax.ws.rs.PUT;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 
+import org.apache.commons.collections.CollectionUtils;
 import org.apache.log4j.Logger;
 import org.apache.ranger.common.MessageEnums;
 import org.apache.ranger.common.PropertiesUtil;
@@ -443,6 +444,36 @@ public class XUserMgr extends XUserMgrBase {
 		return vXGroupList;
 	}
 
+	public Set<String> getGroupsForUser(String userName) {
+		Set<String> ret = new HashSet<String>();
+
+		try {
+			VXUser user = getXUserByUserName(userName);
+
+			if(user != null) {
+				VXGroupList groups = getXUserGroups(user.getId());
+
+				if(groups != null && !CollectionUtils.isEmpty(groups.getList())) {
+					for(VXGroup group : groups.getList()) {
+						ret.add(group.getName());
+					}
+				} else {
+					if(logger.isDebugEnabled()) {
+						logger.debug("getGroupsForUser('" + userName + "'): no groups found for user");
+					}
+				}
+			} else {
+				if(logger.isDebugEnabled()) {
+					logger.debug("getGroupsForUser('" + userName + "'): user not found");
+				}
+			}
+		} catch(Exception excp) {
+			logger.error("getGroupsForUser('" + userName + "') failed", excp);
+		}
+
+		return ret;
+	}
+
 	public VXUserList getXGroupUsers(Long xGroupId) {
 		SearchCriteria searchCriteria = new SearchCriteria();
 		searchCriteria.addParam("xGroupId", xGroupId);
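Review bot: The `catch(Exception excp)` at the end of `getGroupsForUser` turns any lookup failure into the same empty set that a user with no groups gets, so a caller making an authorization decision cannot tell "no groups" from "the lookup failed". For the grant/revoke callers in this commit that denies by default, but a caller that used the set for an exclusion or deny rule would fail open. I would at least state the contract in a Javadoc on the method, e.g. `@return the user's group names; empty if the user is unknown, has no groups, or the lookup failed`, or let the exception propagate instead. The three log messages also concatenate `userName` unescaped, and the callers in this commit pass it from the request's grantor field, so CR/LF should be stripped before it is logged.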

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/be34cc29/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 9d8d277..ce175f1 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -47,6 +47,7 @@ import org.apache.ranger.admin.client.datatype.RESTResponse;
 import org.apache.ranger.biz.AssetMgr;
 import org.apache.ranger.biz.ServiceDBStore;
 import org.apache.ranger.biz.ServiceMgr;
+import org.apache.ranger.biz.XUserMgr;
 import org.apache.ranger.common.MessageEnums;
 import org.apache.ranger.common.RESTErrorUtil;
 import org.apache.ranger.common.RangerConfigUtil;
@@ -106,6 +107,9 @@ public class ServiceREST {
 	AssetMgr assetMgr;
 
 	@Autowired
+	XUserMgr userMgr;
+
+	@Autowired
 	ServiceDBStore svcStore;
 	
 	@Autowired
@@ -125,7 +129,7 @@ public class ServiceREST {
 	
 	@Autowired
 	RangerSearchUtil searchUtil;
-	
+
 	// this indirection for validation via a factory exists only for testability
 	// TODO move the instantiation to DI framework?
 	RangerValidatorFactory validatorFactory = new RangerValidatorFactory(); 
@@ -557,7 +561,7 @@ public class ServiceREST {
 
 			try {
 				String               userName   = grantRequest.getGrantor();
-				Set<String>          userGroups = Collections.<String>emptySet(); // TODO: get groups for the grantor from Ranger database
+				Set<String>          userGroups = userMgr.getGroupsForUser(userName);
 				RangerAccessResource resource   = new RangerAccessResourceImpl(grantRequest.getResource());
 	
 				boolean isAdmin = isAdminForResource(userName, userGroups, serviceName, resource);
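Review bot: `userName` is read from `grantRequest.getGrantor()`, i.e. from the request body, and with this change that name also selects the group set passed to `isAdminForResource`, so the delegated-admin decision now rests entirely on a caller-supplied identity. The hunk does not show whether the endpoint is limited to trusted service callers or whether the grantor is compared with the authenticated session user; if neither happens elsewhere in the method, that check belongs before the `userMgr.getGroupsForUser(userName)` call. The same applies to the revoke hunk below, which uses `revokeRequest.getGrantor()`. Both enclosing methods start and end outside the hunks, so this needs confirming against the full file.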
@@ -738,7 +742,7 @@ public class ServiceREST {
 
 			try {
 				String               userName   = revokeRequest.getGrantor();
-				Set<String>          userGroups = Collections.<String>emptySet(); // TODO: get groups for the grantor from Ranger databas
+				Set<String>          userGroups =  userMgr.getGroupsForUser(userName);
 				RangerAccessResource resource   = new RangerAccessResourceImpl(revokeRequest.getResource());
 	
 				boolean isAdmin = isAdminForResource(userName, userGroups, serviceName, resource);