Posted to commits@ranger.apache.org by ma...@apache.org on 2015/04/02 09:45:47 UTC
incubator-ranger git commit: RANGER-366: grant,
revoke to authorize based on groups of the grantor
Repository: incubator-ranger
Updated Branches:
refs/heads/master 49bebb59f -> be34cc292
RANGER-366: grant, revoke to authorize based on groups of the grantor
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/be34cc29
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/be34cc29
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/be34cc29
Branch: refs/heads/master
Commit: be34cc2929e0cb4c4a43d5a2eece40683e61a62d
Parents: 49bebb5
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Wed Apr 1 22:56:21 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Apr 2 00:44:40 2015 -0700
----------------------------------------------------------------------
.../java/org/apache/ranger/biz/XUserMgr.java | 31 ++++++++++++++++++++
.../org/apache/ranger/rest/ServiceREST.java | 10 +++++--
2 files changed, 38 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/be34cc29/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index bc0fc82..1051991 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -32,6 +32,7 @@ import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
+import org.apache.commons.collections.CollectionUtils;
import org.apache.log4j.Logger;
import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.PropertiesUtil;
@@ -443,6 +444,36 @@ public class XUserMgr extends XUserMgrBase {
return vXGroupList;
}
+ public Set<String> getGroupsForUser(String userName) {
+ Set<String> ret = new HashSet<String>();
+
+ try {
+ VXUser user = getXUserByUserName(userName);
+
+ if(user != null) {
+ VXGroupList groups = getXUserGroups(user.getId());
+
+ if(groups != null && !CollectionUtils.isEmpty(groups.getList())) {
+ for(VXGroup group : groups.getList()) {
+ ret.add(group.getName());
+ }
+ } else {
+ if(logger.isDebugEnabled()) {
+ logger.debug("getGroupsForUser('" + userName + "'): no groups found for user");
+ }
+ }
+ } else {
+ if(logger.isDebugEnabled()) {
+ logger.debug("getGroupsForUser('" + userName + "'): user not found");
+ }
+ }
+ } catch(Exception excp) {
+ logger.error("getGroupsForUser('" + userName + "') failed", excp);
+ }
+
+ return ret;
+ }
+
public VXUserList getXGroupUsers(Long xGroupId) {
SearchCriteria searchCriteria = new SearchCriteria();
searchCriteria.addParam("xGroupId", xGroupId);
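Review bot: The `catch(Exception excp)` in `getGroupsForUser` turns any lookup failure into an empty set, so a caller making an authorization decision cannot tell "user has no groups" from "the user store could not be read". For the grant/revoke checks that consume this value, an empty set presumably fails closed, but the contract is undocumented. A Javadoc line such as `/** Returns the user's group names; never null, and empty when the user is unknown, has no groups, or the lookup fails. */` would make it explicit. The method also concatenates `userName` into three log messages, and the ServiceREST callers in this commit pass the grantor name taken from the request, so stripping CR/LF before logging would keep a crafted name from forging log lines.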
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/be34cc29/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 9d8d277..ce175f1 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -47,6 +47,7 @@ import org.apache.ranger.admin.client.datatype.RESTResponse;
import org.apache.ranger.biz.AssetMgr;
import org.apache.ranger.biz.ServiceDBStore;
import org.apache.ranger.biz.ServiceMgr;
+import org.apache.ranger.biz.XUserMgr;
import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.RangerConfigUtil;
@@ -106,6 +107,9 @@ public class ServiceREST {
AssetMgr assetMgr;
@Autowired
+ XUserMgr userMgr;
+
+ @Autowired
ServiceDBStore svcStore;
@Autowired
@@ -125,7 +129,7 @@ public class ServiceREST {
@Autowired
RangerSearchUtil searchUtil;
-
+
// this indirection for validation via a factory exists only for testability
// TODO move the instantiation to DI framework?
RangerValidatorFactory validatorFactory = new RangerValidatorFactory();
@@ -557,7 +561,7 @@ public class ServiceREST {
try {
String userName = grantRequest.getGrantor();
- Set<String> userGroups = Collections.<String>emptySet(); // TODO: get groups for the grantor from Ranger database
+ Set<String> userGroups = userMgr.getGroupsForUser(userName);
RangerAccessResource resource = new RangerAccessResourceImpl(grantRequest.getResource());
boolean isAdmin = isAdminForResource(userName, userGroups, serviceName, resource);
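Review bot: `userName` comes from `grantRequest.getGrantor()`, a field of the request, and after this change that name also selects the group set passed to `isAdminForResource`, so the whole delegated-admin decision rests on an identity the caller states. Nothing in the hunk shows the grantor being tied to the authenticated caller. If that is not enforced elsewhere in the method (its body starts and ends outside the hunk), a check or at least a comment is needed here, e.g. `// grantor is asserted by the calling plugin; the REST caller must be authenticated and trusted to act for it`. The same applies to the revoke hunk at `@@ -738,7 +742,7 @@`.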
@@ -738,7 +742,7 @@ public class ServiceREST {
try {
String userName = revokeRequest.getGrantor();
- Set<String> userGroups = Collections.<String>emptySet(); // TODO: get groups for the grantor from Ranger databas
+ Set<String> userGroups = userMgr.getGroupsForUser(userName);
RangerAccessResource resource = new RangerAccessResourceImpl(revokeRequest.getResource());
boolean isAdmin = isAdminForResource(userName, userGroups, serviceName, resource);