Posted to commits@ranger.apache.org by me...@apache.org on 2020/09/04 17:16:03 UTC

[ranger] branch ranger-2.2 updated (ba696a9 -> 03d4b3e)

This is an automated email from the ASF dual-hosted git repository.

mehul pushed a change to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git.


    from ba696a9  RANGER-2982: updated version in pom.xml to 2.2.0-SNAPSHOT
     new faae58f  RANGER-2940: Added code to update user roles when group memberships are changed with AD/LDAP incremental sync
     new 32ee9fa  RANGER-2940: Fixed PMD volations introduced by previous checkin
     new 03d4b3e  RANGER-2929 :- Update Atlas Ranger Authorizer for "type-read" acessType changes done in ATLAS-3898.

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../service-defs/ranger-servicedef-atlas.json      |  25 ++-
 .../atlas/authorizer/RangerAtlasAuthorizer.java    |  48 +++-
 .../ranger/services/atlas/RangerServiceAtlas.java  |   9 +
 pom.xml                                            |   2 +-
 .../atlas/authorizer/RangerAtlasAuthorizer.java    |  25 +++
 .../optimized/current/ranger_core_db_mysql.sql     |   1 +
 .../optimized/current/ranger_core_db_oracle.sql    |   1 +
 .../optimized/current/ranger_core_db_postgres.sql  |   1 +
 .../current/ranger_core_db_sqlanywhere.sql         |   2 +
 .../optimized/current/ranger_core_db_sqlserver.sql |   1 +
 .../main/java/org/apache/ranger/biz/XUserMgr.java  |  79 ++++++-
 .../patch/PatchForAtlasToAddTypeRead_J10040.java   | 241 +++++++++++++++++++++
 .../java/org/apache/ranger/rest/XUserREST.java     |  10 +-
 .../ranger/view/VXUsersGroupRoleAssignments.java   |  45 ++--
 .../process/LdapPolicyMgrUserGroupBuilder.java     | 222 ++++++++++++-------
 ...oupList.java => UsersGroupRoleAssignments.java} |  32 ++-
 16 files changed, 623 insertions(+), 121 deletions(-)
 create mode 100644 security-admin/src/main/java/org/apache/ranger/patch/PatchForAtlasToAddTypeRead_J10040.java
 copy ugsync/src/main/java/org/apache/ranger/unixusersync/model/UserGroupList.java => security-admin/src/main/java/org/apache/ranger/view/VXUsersGroupRoleAssignments.java (64%)
 rename ugsync/src/main/java/org/apache/ranger/unixusersync/model/{UserGroupList.java => UsersGroupRoleAssignments.java} (66%)


[ranger] 03/03: RANGER-2929 :- Update Atlas Ranger Authorizer for "type-read" acessType changes done in ATLAS-3898.

Posted by me...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mehul pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit 03d4b3e1a053f0a79899051e1064213d2b66286a
Author: nixonrodrigues <ni...@apache.org>
AuthorDate: Mon Aug 31 12:56:19 2020 +0530

    RANGER-2929 :- Update Atlas Ranger Authorizer for "type-read" acessType changes done in ATLAS-3898.
    
    Signed-off-by: Mehul Parikh <me...@apache.org>
---
 .../service-defs/ranger-servicedef-atlas.json      |  25 ++-
 .../atlas/authorizer/RangerAtlasAuthorizer.java    |  48 +++-
 .../ranger/services/atlas/RangerServiceAtlas.java  |   9 +
 pom.xml                                            |   2 +-
 .../atlas/authorizer/RangerAtlasAuthorizer.java    |  25 +++
 .../optimized/current/ranger_core_db_mysql.sql     |   1 +
 .../optimized/current/ranger_core_db_oracle.sql    |   1 +
 .../optimized/current/ranger_core_db_postgres.sql  |   1 +
 .../current/ranger_core_db_sqlanywhere.sql         |   2 +
 .../optimized/current/ranger_core_db_sqlserver.sql |   1 +
 .../patch/PatchForAtlasToAddTypeRead_J10040.java   | 241 +++++++++++++++++++++
 11 files changed, 349 insertions(+), 7 deletions(-)

diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json
index 7672be0..68a3d36 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json
@@ -42,7 +42,7 @@
 			},
 			"label": "Type Name",
 			"description": "Type Name",
-			"accessTypeRestrictions": ["type-create", "type-update", "type-delete"]
+			"accessTypeRestrictions": ["type-read" ,"type-create", "type-update", "type-delete" ]
 		},
 		{
 			"itemId": 3,
@@ -298,17 +298,29 @@
 		{
 			"itemId": 1,
 			"name": "type-create",
-			"label": "Create Type"
+			"label": "Create Type",
+			"impliedGrants":
+			[
+				"type-read"
+			]
 		},
 		{
 			"itemId": 2,
 			"name": "type-update",
-			"label": "Update Type"
+			"label": "Update Type",
+			"impliedGrants":
+			[
+				"type-read"
+			]
 		},
 		{
 			"itemId": 3,
 			"name": "type-delete",
-			"label": "Delete Type"
+			"label": "Delete Type",
+			"impliedGrants":
+			[
+				"type-read"
+			]
 		},
 		{
 			"itemId": 4,
@@ -389,6 +401,11 @@
 			"itemId": 19,
 			"name": "entity-update-business-metadata",
 			"label": "Update Business Metadata"
+		},
+		{
+			"itemId": 20,
+			"name": "type-read",
+			"label": "Read Type"
 		}
 	],
 	"configs": [
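Review bot: The edited `accessTypeRestrictions` line has uneven spacing, `["type-read" ,"type-create", "type-update", "type-delete" ]`, while the line it replaces was written as `["type-create", "type-update", "type-delete"]`; `["type-read", "type-create", "type-update", "type-delete"]` keeps the existing form. The three new impliedGrants blocks also spread a one-element array over four lines, whereas the surrounding access-type entries keep each value on its key's line; unless the file's other impliedGrants already use the multi-line form, `"impliedGrants": ["type-read"]` would keep the section uniform.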
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index 28d71de..79ef604 100644
--- a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -25,10 +25,13 @@ import org.apache.atlas.authorize.AtlasAuthorizationException;
 import org.apache.atlas.authorize.AtlasEntityAccessRequest;
 import org.apache.atlas.authorize.AtlasSearchResultScrubRequest;
 import org.apache.atlas.authorize.AtlasRelationshipAccessRequest;
-
+import org.apache.atlas.authorize.AtlasTypesDefFilterRequest;
 import org.apache.atlas.authorize.AtlasTypeAccessRequest;
+import org.apache.atlas.authorize.AtlasAccessRequest;
 import org.apache.atlas.authorize.AtlasAuthorizer;
 import org.apache.atlas.authorize.AtlasPrivilege;
+import org.apache.atlas.model.typedef.AtlasBaseTypeDef;
+import org.apache.atlas.model.typedef.AtlasTypesDef;
 import org.apache.atlas.model.discovery.AtlasSearchResult;
 import org.apache.atlas.model.instance.AtlasEntityHeader;
 import org.apache.commons.collections.CollectionUtils;
@@ -190,7 +193,14 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
             rangerRequest.setForwardedAddresses(request.getForwardedAddresses());
             rangerRequest.setRemoteIPAddress(request.getRemoteIPAddress());
 
-            ret = checkAccess(rangerRequest);
+            boolean isAuditDisabled = ACCESS_TYPE_TYPE_READ.equalsIgnoreCase(action);
+
+            if (isAuditDisabled) {
+                ret = checkAccess(rangerRequest, null);
+            } else {
+                ret = checkAccess(rangerRequest);
+            }
+
         } finally {
             RangerPerfTracer.log(perf);
         }
@@ -202,6 +212,8 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
         return ret;
     }
 
+
+
     public boolean isAccessAllowed(AtlasRelationshipAccessRequest request) throws AtlasAuthorizationException {
         if (LOG.isDebugEnabled()) {
             LOG.debug("==> isAccessAllowed(" + request + ")");
@@ -317,6 +329,38 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
         }
     }
 
+    @Override
+    public void filterTypesDef(AtlasTypesDefFilterRequest request) throws AtlasAuthorizationException {
+
+        AtlasTypesDef typesDef = request.getTypesDef();
+
+        filterTypes(request, typesDef.getEnumDefs());
+        filterTypes(request, typesDef.getStructDefs());
+        filterTypes(request, typesDef.getEntityDefs());
+        filterTypes(request, typesDef.getClassificationDefs());
+        filterTypes(request, typesDef.getRelationshipDefs());
+        filterTypes(request, typesDef.getBusinessMetadataDefs());
+
+    }
+
+    private void filterTypes(AtlasAccessRequest request, List<? extends AtlasBaseTypeDef> typeDefs)throws AtlasAuthorizationException {
+        if (typeDefs != null) {
+            for (ListIterator<? extends AtlasBaseTypeDef> iter = typeDefs.listIterator(); iter.hasNext();) {
+                AtlasBaseTypeDef       typeDef     = iter.next();
+                AtlasTypeAccessRequest typeRequest = new AtlasTypeAccessRequest(request.getAction(), typeDef, request.getUser(), request.getUserGroups());
+
+                typeRequest.setClientIPAddress(request.getClientIPAddress());
+                typeRequest.setForwardedAddresses(request.getForwardedAddresses());
+                typeRequest.setRemoteIPAddress(request.getRemoteIPAddress());
+
+                if (!isAccessAllowed(typeRequest)) {
+                    iter.remove();
+                }
+            }
+        }
+    }
+
+
     private RangerServiceDef getServiceDef() {
         RangerBasePlugin plugin = atlasPlugin;
 
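Review bot: filterTypesDef dereferences `request.getTypesDef()` without a null check, so a filter request that carries no typesDef fails with a NullPointerException inside the authorizer instead of being treated as nothing to filter; `if (typesDef == null) { return; }` after the assignment covers it. filterTypes also drops entries through `iter.remove()`, which throws UnsupportedOperationException if any list returned by AtlasTypesDef is unmodifiable; that is worth confirming against the Atlas model, or filtering a copy and writing it back. As minor style points, `)throws` on the filterTypes signature is missing a space, and unlike the neighbouring isAccessAllowed methods this one has no debug entry/exit logging.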
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
index 7c89ffe..5b58c06 100644
--- a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
+++ b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java
@@ -76,6 +76,7 @@ public class RangerServiceAtlas extends RangerBaseService {
 	public static final String SEARCH_FEATURE_POLICY_NAME             = "Allow users to manage favorite searches";
 
 	public static final String ACCESS_TYPE_ENTITY_READ  = "entity-read";
+	public static final String ACCESS_TYPE_TYPE_READ = "type-read";
 	public static final String ACCESS_TYPE_ENTITY_CREATE  = "entity-create";
 	public static final String ACCESS_TYPE_ENTITY_UPDATE = "entity-update";
 	public static final String ACCESS_TYPE_ENTITY_DELETE = "entity-delete";
@@ -198,6 +199,14 @@ public class RangerServiceAtlas extends RangerBaseService {
 				policyItemForLookupUser.setDelegateAdmin(false);
 				defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
 			}
+
+			//  add a policy-item for rangertagsync user with 'type-read' permission in the policy for 'type-category'
+			if (policyResources.containsKey(RangerServiceAtlas.RESOURCE_TYPE_CATEGORY)) {
+				RangerPolicyItem policyItemTypeReadForAll = new RangerPolicyItem();
+				policyItemTypeReadForAll.setGroups(Collections.singletonList(RangerPolicyEngine.GROUP_PUBLIC));
+				policyItemTypeReadForAll.setAccesses(Collections.singletonList(new RangerPolicyItemAccess(ACCESS_TYPE_TYPE_READ)));
+				defaultPolicy.getPolicyItems().add(policyItemTypeReadForAll);
+			}
         }
 
         //4.add new policy for public group with entity-read, entity-create, entity-update, entity-delete for  __AtlasUserProfile, __AtlasUserSavedSearch entity type
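Review bot: The comment on the new block says the policy item is for the rangertagsync user, but the code grants it to RangerPolicyEngine.GROUP_PUBLIC, so the comment misdescribes a default-policy grant; it should read something like `// add a policy-item granting 'type-read' on 'type-category' to the public group in the default policy (RANGER-2929)`. Because this widens the default policy rather than a single service account, naming the reason in the comment helps whoever audits default grants later. The enclosing method starts and ends outside the hunk.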
diff --git a/pom.xml b/pom.xml
index 8936bc4..34fd606 100644
--- a/pom.xml
+++ b/pom.xml
@@ -80,7 +80,7 @@
         <asm.all.version>3.2</asm.all.version>
         <aspectj.version>1.8.2</aspectj.version>
         <assembly.plugin.version>2.6</assembly.plugin.version>
-        <atlas.version>2.1.0</atlas.version>
+        <atlas.version>3.0.0-SNAPSHOT</atlas.version>
         <atlas.gson.version>2.5</atlas.gson.version>
         <atlas.jackson.version>2.10.3</atlas.jackson.version>
         <atlas.jackson.databind.version>2.10.3</atlas.jackson.databind.version>
diff --git a/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
index 0e220f1..916c856 100644
--- a/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
+++ b/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -25,6 +25,7 @@ import org.apache.atlas.authorize.AtlasSearchResultScrubRequest;
 import org.apache.atlas.authorize.AtlasRelationshipAccessRequest;
 import org.apache.atlas.authorize.AtlasTypeAccessRequest;
 import org.apache.atlas.authorize.AtlasAuthorizationException;
+import org.apache.atlas.authorize.AtlasTypesDefFilterRequest;
 import org.apache.atlas.authorize.AtlasAuthorizer;
 import org.apache.ranger.plugin.classloader.RangerPluginClassLoader;
 import org.slf4j.Logger;
@@ -220,6 +221,27 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
 		}
 	}
 
+	@Override
+	public void filterTypesDef(AtlasTypesDefFilterRequest request) throws AtlasAuthorizationException {
+
+		if (isDebugEnabled) {
+			LOG.debug("==> filterTypesDef(" + request + ")");
+		}
+
+		try {
+			activatePluginClassLoader();
+
+			rangerAtlasAuthorizerImpl.filterTypesDef(request);
+		} finally {
+			deactivatePluginClassLoader();
+		}
+
+		if (isDebugEnabled) {
+			LOG.debug("<== filterTypesDef(): " + request);
+		}
+
+	}
+
     private void activatePluginClassLoader() {
 		if(rangerPluginClassLoader != null) {
 			rangerPluginClassLoader.activate();
@@ -231,4 +253,7 @@ public class RangerAtlasAuthorizer implements AtlasAuthorizer {
 			rangerPluginClassLoader.deactivate();
 		}
 	}
+
+
+
 }
diff --git a/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql b/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
index dfaf3c9..3320fc2 100644
--- a/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
+++ b/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
@@ -1758,4 +1758,5 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10036',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10037',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10038',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10040',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');
diff --git a/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql b/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
index 21626f6..698a687 100644
--- a/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
+++ b/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
@@ -1933,5 +1933,6 @@ INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,act
 INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10036',sys_extract_utc(systimestamp),'Ranger 1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
 INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10037',sys_extract_utc(systimestamp),'Ranger 1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
 INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10038',sys_extract_utc(systimestamp),'Ranger 1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
+INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10040',sys_extract_utc(systimestamp),'Ranger 1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
 INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'JAVA_PATCHES',sys_extract_utc(systimestamp),'Ranger 1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
 commit;
diff --git a/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql b/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
index 5cd2cc7..edccc0a 100644
--- a/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
+++ b/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
@@ -1881,6 +1881,7 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10036',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10037',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10038',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y');
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10040',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y');
 
 DROP VIEW IF EXISTS vx_trx_log;
diff --git a/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql b/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
index 081b153..1ffbc6c 100644
--- a/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
+++ b/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
@@ -2279,6 +2279,8 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active
 GO
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10038',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 GO
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10040',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
+GO
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 GO
 exit
diff --git a/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql b/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
index 642d6c1..957f924 100644
--- a/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
+++ b/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
@@ -3964,6 +3964,7 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10036',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10037',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10038',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10040',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 GO
 CREATE VIEW [dbo].[vx_trx_log] AS
diff --git a/security-admin/src/main/java/org/apache/ranger/patch/PatchForAtlasToAddTypeRead_J10040.java b/security-admin/src/main/java/org/apache/ranger/patch/PatchForAtlasToAddTypeRead_J10040.java
new file mode 100644
index 0000000..f303092
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/patch/PatchForAtlasToAddTypeRead_J10040.java
@@ -0,0 +1,241 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.patch;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import org.apache.log4j.Logger;
+import org.apache.ranger.biz.ServiceDBStore;
+import org.apache.ranger.common.RangerValidatorFactory;
+import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.entity.XXServiceDef;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef;
+import org.apache.ranger.plugin.model.validation.RangerServiceDefValidator;
+import org.apache.ranger.plugin.model.validation.RangerValidator.Action;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
+import org.apache.ranger.util.CLIUtil;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+import org.apache.ranger.entity.XXPolicy;
+import org.apache.ranger.entity.XXService;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
+
+@Component
+public class PatchForAtlasToAddTypeRead_J10040 extends org.apache.ranger.patch.BaseLoader {
+    private static final Logger logger = Logger.getLogger(PatchForAtlasToAddTypeRead_J10040.class);
+
+    private static final List<String> ATLAS_RESOURCES = new ArrayList<>(
+            Arrays.asList("type"));
+    private static final List<String> ATLAS_ACCESS_TYPES = new ArrayList<>(
+            Arrays.asList("type-read"));
+
+    private static final String GROUP_PUBLIC = "public";
+    private static final String TYPE_READ = "type-read";
+    private static final String ALL_TYPE_RESOURCE_DEF_NAME = "all - type-category, type";
+
+
+    @Autowired
+    RangerDaoManager daoMgr;
+
+    @Autowired
+    ServiceDBStore svcDBStore;
+
+    @Autowired
+    RangerValidatorFactory validatorFactory;
+
+    @Autowired
+    ServiceDBStore svcStore;
+
+    public static void main(String[] args) {
+        logger.info("main()");
+        try {
+            PatchForAtlasToAddTypeRead_J10040 loader = (PatchForAtlasToAddTypeRead_J10040) CLIUtil
+                    .getBean(PatchForAtlasToAddTypeRead_J10040.class);
+            loader.init();
+            while (loader.isMoreToProcess()) {
+                loader.load();
+            }
+            logger.info("Load complete. Exiting!!!");
+            System.exit(0);
+        } catch (Exception e) {
+            logger.error("Error loading", e);
+            System.exit(1);
+        }
+    }
+
+    @Override
+    public void init() throws Exception {
+        // Do Nothing
+    }
+
+    @Override
+    public void execLoad() {
+        logger.info("==> PatchForAtlasToAddTypeRead_J10040.execLoad()");
+        try {
+            addTypeReadPermissionInServiceDef();
+            updateDefaultPolicyForType();
+        } catch (Exception e) {
+            throw new RuntimeException(
+                    "Error while updating " + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME + " service-def", e);
+        }
+        logger.info("<== PatchForAtlasToAddTypeRead_J10040.execLoad()");
+    }
+
+    @Override
+    public void printStats() {
+        logger.info("PatchForAtlasToAddTypeRead_J10040 Logs");
+    }
+
+    private void addTypeReadPermissionInServiceDef() throws Exception {
+
+        logger.debug("==>> addTypeReadPermissionInServiceDef");
+        RangerServiceDef ret = null;
+        RangerServiceDef embeddedAtlasServiceDef = null;
+        XXServiceDef xXServiceDefObj = null;
+        RangerServiceDef dbAtlasServiceDef = null;
+        List<RangerServiceDef.RangerResourceDef> embeddedAtlasResourceDefs = null;
+        List<RangerServiceDef.RangerAccessTypeDef> embeddedAtlasAccessTypes = null;
+
+        embeddedAtlasServiceDef = EmbeddedServiceDefsUtil.instance()
+                .getEmbeddedServiceDef(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME);
+        if (embeddedAtlasServiceDef != null) {
+            xXServiceDefObj = daoMgr.getXXServiceDef()
+                    .findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME);
+            if (xXServiceDefObj == null) {
+                logger.info(xXServiceDefObj + ": service-def not found. No patching is needed");
+                return;
+            }
+
+            dbAtlasServiceDef = svcDBStore.getServiceDefByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME);
+
+            embeddedAtlasResourceDefs = embeddedAtlasServiceDef.getResources();
+            embeddedAtlasAccessTypes = embeddedAtlasServiceDef.getAccessTypes();
+
+            if (checkResourcePresent(embeddedAtlasResourceDefs)) {
+                dbAtlasServiceDef.setResources(embeddedAtlasResourceDefs);
+                if (checkAccessPresent(embeddedAtlasAccessTypes)) {
+                    dbAtlasServiceDef.setAccessTypes(embeddedAtlasAccessTypes);
+                }
+            }
+
+            RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore);
+            validator.validate(dbAtlasServiceDef, Action.UPDATE);
+            ret = svcStore.updateServiceDef(dbAtlasServiceDef);
+            if (ret == null) {
+                logger.error("Error while updating " + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME
+                        + " service-def");
+                throw new RuntimeException("Error while updating "
+                        + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME + " service-def");
+            }
+        }
+        logger.debug("<<== addTypeReadPermissionInServiceDef");
+    }
+
+    private boolean checkResourcePresent(List<RangerServiceDef.RangerResourceDef> resourceDefs) {
+        boolean ret = false;
+        for (RangerServiceDef.RangerResourceDef resourceDef : resourceDefs) {
+            if (ATLAS_RESOURCES.contains(resourceDef.getName())) {
+                ret = true;
+                break;
+            }
+        }
+        return ret;
+    }
+
+    private boolean checkAccessPresent(List<RangerAccessTypeDef> embeddedAtlasAccessTypes) {
+        boolean ret = false;
+        for (RangerServiceDef.RangerAccessTypeDef accessDef : embeddedAtlasAccessTypes) {
+            if (ATLAS_ACCESS_TYPES.contains(accessDef.getName())) {
+                ret = true;
+                break;
+            }
+        }
+        return ret;
+    }
+
+    private void updateDefaultPolicyForType() throws Exception {
+        logger.info("==> updateDefaultPolicyForType() ");
+
+        XXServiceDef xXServiceDefObj = daoMgr.getXXServiceDef()
+                .findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME);
+        if (xXServiceDefObj == null) {
+            logger.debug("ServiceDef not found with name :" + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME);
+            return;
+        }
+        Long xServiceDefId = xXServiceDefObj.getId();
+        List<XXService> xxServices = daoMgr.getXXService().findByServiceDefId(xServiceDefId);
+
+        for (XXService xxService : xxServices) {
+            List<XXPolicy> xxPolicies = daoMgr.getXXPolicy().findByServiceId(xxService.getId());
+
+            for (XXPolicy xxPolicy : xxPolicies) {
+                if (xxPolicy.getName().equalsIgnoreCase(ALL_TYPE_RESOURCE_DEF_NAME)) {
+
+                    RangerPolicy rPolicy = svcDBStore.getPolicy(xxPolicy.getId());
+                    List<RangerPolicyItem> policyItems = rPolicy.getPolicyItems();
+
+                    for (RangerPolicyItem item : policyItems) {
+                        if (!checkIfTypeReadPermissionSet(item)) {
+                            List<RangerPolicyItemAccess> itemAccesses = item.getAccesses();
+                            itemAccesses.add(getTypeReadPolicyItemAccesses());
+                            item.setAccesses(itemAccesses);
+                        }
+                    }
+
+                    RangerPolicyItem rangerPolicyItemReadType = new RangerPolicyItem();
+                    rangerPolicyItemReadType.setDelegateAdmin(Boolean.FALSE);
+                    rangerPolicyItemReadType.setAccesses(Arrays.asList(getTypeReadPolicyItemAccesses()));
+                    rangerPolicyItemReadType.setGroups(Arrays.asList(GROUP_PUBLIC));
+
+                    policyItems.add(rangerPolicyItemReadType);
+
+                    svcDBStore.updatePolicy(rPolicy);
+                }
+
+            }
+
+        }
+        logger.info("<== updateDefaultPolicyForType() ");
+    }
+
+    private RangerPolicyItemAccess getTypeReadPolicyItemAccesses() {
+
+        RangerPolicyItemAccess policyItemAccess = new RangerPolicyItemAccess();
+        policyItemAccess.setType(TYPE_READ);
+        policyItemAccess.setIsAllowed(true);
+
+        return policyItemAccess;
+    }
+
+    boolean checkIfTypeReadPermissionSet(RangerPolicyItem item) {
+        boolean ret = false;
+        for (RangerPolicyItemAccess itemAccess : item.getAccesses()) {
+            if (ATLAS_ACCESS_TYPES.contains(itemAccess.getType())) {
+                ret = true;
+                break;
+            }
+        }
+        return ret;
+    }
+
+}
\ No newline at end of file
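Review bot: updateDefaultPolicyForType is not idempotent and does not guard a null policy-item list: every run appends a fresh public-group type-read item to the `all - type-category, type` policy, and `rPolicy.getPolicyItems()` is iterated and appended to without a null check, so re-running the patch either duplicates the public grant or fails with a NullPointerException. The loop before it also adds type-read to every existing allow item in that policy, which is a privilege widening worth a comment stating it is the intended effect of RANGER-2929. Separately, the not-found branch in addTypeReadPermissionInServiceDef logs the null object itself; `logger.info(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME + ": service-def not found. No patching is needed");` logs what was meant, and svcDBStore and svcStore are the same ServiceDBStore bean autowired twice. The rewrite below adds the null guard and creates the public item only when no existing item already covers the public group.
```java
RangerPolicy rPolicy = svcDBStore.getPolicy(xxPolicy.getId());
List<RangerPolicyItem> policyItems = rPolicy.getPolicyItems();
if (policyItems == null) {
    policyItems = new ArrayList<>();
    rPolicy.setPolicyItems(policyItems);
}

boolean publicItemPresent = false;
for (RangerPolicyItem item : policyItems) {
    // … unchanged: add type-read access to items that lack it …
    if (item.getGroups() != null && item.getGroups().contains(GROUP_PUBLIC)) {
        publicItemPresent = true; // this item now carries type-read, so no extra public item is needed
    }
}

if (!publicItemPresent) {
    // … unchanged: build rangerPolicyItemReadType and add it to policyItems …
}

svcDBStore.updatePolicy(rPolicy);
```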


[ranger] 02/03: RANGER-2940: Fixed PMD volations introduced by previous checkin

Posted by me...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mehul pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit 32ee9faa51a0933ffb5d80f52535654f63941a3d
Author: Sailaja Polavarapu <sp...@cloudera.com>
AuthorDate: Mon Aug 31 15:04:13 2020 -0700

    RANGER-2940: Fixed PMD volations introduced by previous checkin
---
 .../ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java     | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java
index 72080fc..2df7dfb 100644
--- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java
+++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java
@@ -28,8 +28,6 @@ import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.Set;
-import java.util.HashSet;
 import java.util.StringTokenizer;
 import java.util.regex.Pattern;
 import java.lang.reflect.Type;
@@ -50,7 +48,6 @@ import org.apache.ranger.unixusersync.model.*;
 import org.apache.ranger.unixusersync.process.RangerUgSyncRESTClient;
 import org.apache.ranger.usergroupsync.UserGroupSink;
 
-import com.google.common.collect.Table;
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 import com.google.gson.reflect.TypeToken;


[ranger] 01/03: RANGER-2940: Added code to update user roles when group memberships are changed with AD/LDAP incremental sync

Posted by me...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mehul pushed a commit to branch ranger-2.2
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit faae58f507fde28cfb45d76665571417a85870d2
Author: Sailaja Polavarapu <sp...@cloudera.com>
AuthorDate: Mon Aug 31 11:29:23 2020 -0700

    RANGER-2940: Added code to update user roles when group memberships are changed with AD/LDAP incremental sync
---
 .../main/java/org/apache/ranger/biz/XUserMgr.java  |  79 +++++++-
 .../java/org/apache/ranger/rest/XUserREST.java     |  10 +-
 .../ranger/view/VXUsersGroupRoleAssignments.java   |  45 +++--
 .../process/LdapPolicyMgrUserGroupBuilder.java     | 223 ++++++++++++++-------
 ...oupList.java => UsersGroupRoleAssignments.java} |  32 ++-
 5 files changed, 276 insertions(+), 113 deletions(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index 6a5ca7b..323d3d3 100755
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -649,7 +649,7 @@ public class XUserMgr extends XUserMgrBase {
 
 		return vxGUInfo;
 	}
-	
+
 	public VXGroupUserInfo getXGroupUserFromMap(
 			String groupName) {
 		checkAdminAccess();
@@ -687,7 +687,7 @@ public class XUserMgr extends XUserMgrBase {
                 }
 				vxu.add(vxUser);
 			}
-			
+
 		}
 		vxGUInfo.setXuserInfo(vxu);
 
@@ -745,13 +745,13 @@ public class XUserMgr extends XUserMgrBase {
 				throw restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data.");
 			}
 		}
-		
+
 		if(vXUser!=null && !hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)){
 			vXUser=getMaskedVXUser(vXUser);
 		}
 		return vXUser;
 	}
-	
+
 	private boolean hasAccessToGetUserInfo(VXUser requestedVXUser) {
 		UserSessionBase userSession = ContextUtil.getCurrentUserSession();
 		if (userSession != null && userSession.getLoginId() != null) {
@@ -761,9 +761,9 @@ public class XUserMgr extends XUserMgrBase {
 				if (loggedInVXUser.getUserRoleList().size() == 1
 						&& loggedInVXUser.getUserRoleList().contains(
 								RangerConstants.ROLE_USER)) {
-					
+
 					return requestedVXUser.getId().equals(loggedInVXUser.getId()) ? true : false;
-									
+
 				}else{
 					return true;
 				}
@@ -779,7 +779,7 @@ public class XUserMgr extends XUserMgrBase {
 
 	public VXGroup getXGroup(Long id) {
 		VXGroup vXGroup=null;
-		
+
 		UserSessionBase userSession = ContextUtil.getCurrentUserSession();
 		if (userSession != null && userSession.getLoginId() != null) {
 			VXUser loggedInVXUser = xUserService.getXUserByUserName(userSession
@@ -1540,6 +1540,71 @@ public class XUserMgr extends XUserMgrBase {
 
 	}
 
+	public List<String> updateUserRoleAssignments(VXUsersGroupRoleAssignments ugRoleAssignments) {
+		List<String> updatedUsers = new ArrayList<>();
+		// For each user get groups and compute roles based on group role assignments
+		for (String userName : ugRoleAssignments.getUsers()) {
+			if (userMgr.getUserProfileByLoginId(userName) == null) {
+				logger.info(userName + " doesn't exist and hence ignoring role assignments");
+				continue;
+			}
+			Set<String> userRoleList = new HashSet<>();
+			Map<String, String> userMap = ugRoleAssignments.getUserRoleAssignments();
+			if (!userMap.isEmpty() && userMap.containsKey(userName)) {
+				// Add the user role that is defined in user role assignments
+				userRoleList.add(userMap.get(userName));
+			}
+			Map<String, String> groupMap = ugRoleAssignments.getGroupRoleAssignments();
+
+			if (!groupMap.isEmpty()) {
+				for (String group : getGroupsForUser(userName)) {
+					String value = groupMap.get(group);
+					if (value != null) {
+						userRoleList.add(value);
+					}
+				}
+			}
+			if (userRoleList.isEmpty()) {
+				userRoleList.add(RangerConstants.ROLE_USER);
+			}
+			String updatedUser = setRolesByUserName(userName, new ArrayList<>(userRoleList));
+			if (updatedUser != null) {
+				updatedUsers.add(updatedUser);
+			}
+		}
+		return updatedUsers;
+	}
+
+	private String setRolesByUserName(String userName, List<String> roleListNewProfile) {
+		if (logger.isDebugEnabled()) {
+			logger.debug("==> XUserMgr.setRolesByUserName(" + userName + ", " + roleListNewProfile + ")");
+		}
+		String ret = null;
+		xaBizUtil.blockAuditorRoleUser();
+		if (roleListNewProfile == null) {
+			roleListNewProfile = new ArrayList<String>();
+		}
+
+		if(userName!=null && roleListNewProfile.size()>0){
+			checkAccessRoles(roleListNewProfile);
+			VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(userName);
+			if(oldUserProfile!=null){
+				denySelfRoleChange(oldUserProfile.getLoginId());
+				updateUserRolesPermissions(oldUserProfile,roleListNewProfile);
+				logger.info("<== XUserMgr.setRolesByUserName returned roles for " + userName + " are: " + roleListNewProfile );
+				ret = userName;
+			}else{
+				logger.error(userName + "doesn't exist.");
+			}
+		}else{
+			logger.error(userName + "doesn't exist or new role assignments are empty");
+		}
+		if (logger.isDebugEnabled()) {
+			logger.debug("<== XUserMgr.setRolesByUserName(" + userName + ", " + roleListNewProfile + ") ret = " + ret);
+		}
+		return ret;
+	}
+
 	public VXStringList getUserRolesByExternalID(Long userId) {
 		VXUser vXUser=getXUser(userId);
 		if(vXUser==null){
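Review bot: `updateUserRoleAssignments` dereferences `ugRoleAssignments.getUsers()`, `getUserRoleAssignments()` and `getGroupRoleAssignments()` without null checks (the loop header and the two `isEmpty()` calls), and the new view class leaves all three fields null when the request body omits them, so a POST to `/users/roleassignments` carrying only `users` fails with a NullPointerException instead of a 400. Guard the maps, e.g. `if (userMap != null && userMap.containsKey(userName))` and `if (groupMap != null && !groupMap.isEmpty())`, and reject a null user list before the loop. Each user's profile is also fetched twice, once at the top of the loop and again inside `setRolesByUserName`; passing the profile through would avoid the second lookup. Because the computed list falls back to `RangerConstants.ROLE_USER` when no mapping matches, a user whose membership changes is lowered to that role unless every role they hold is expressible through these maps — presumably intended, but worth stating in a Javadoc on the method, since this endpoint can reduce an administrator's role.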
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
index 8ad5bad..e299f1f 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
@@ -306,7 +306,15 @@ public class XUserREST {
 	public VXUserGroupInfo createXUserGroupFromMap(VXUserGroupInfo vXUserGroupInfo) {
 		return  xUserMgr.createXUserGroupFromMap(vXUserGroupInfo);
 	}
-	
+
+	@POST
+	@Path("/users/roleassignments")
+	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+	public List<String> setXUserRolesByName(VXUsersGroupRoleAssignments ugRoleAssignments) {
+		return xUserMgr.updateUserRoleAssignments(ugRoleAssignments);
+	}
+
 	@POST
 	@Path("/secure/users")
 	@Produces({ "application/xml", "application/json" })
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/model/UserGroupList.java b/security-admin/src/main/java/org/apache/ranger/view/VXUsersGroupRoleAssignments.java
similarity index 64%
copy from ugsync/src/main/java/org/apache/ranger/unixusersync/model/UserGroupList.java
copy to security-admin/src/main/java/org/apache/ranger/view/VXUsersGroupRoleAssignments.java
index 4553d02..848a2c1 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/model/UserGroupList.java
+++ b/security-admin/src/main/java/org/apache/ranger/view/VXUsersGroupRoleAssignments.java
@@ -17,41 +17,50 @@
  * under the License.
  */
 
-package org.apache.ranger.unixusersync.model;
-
-import java.util.List;
-
-import javax.xml.bind.annotation.XmlRootElement;
+package org.apache.ranger.view;
 
 import org.codehaus.jackson.annotate.JsonAutoDetect;
-import org.codehaus.jackson.annotate.JsonIgnoreProperties;
 import org.codehaus.jackson.annotate.JsonAutoDetect.Visibility;
+import org.codehaus.jackson.annotate.JsonIgnoreProperties;
 import org.codehaus.jackson.map.annotate.JsonSerialize;
 
+import javax.xml.bind.annotation.XmlRootElement;
+import java.util.List;
+import java.util.Map;
+
 @JsonAutoDetect(getterVisibility = Visibility.NONE, setterVisibility = Visibility.NONE, fieldVisibility = Visibility.ANY)
 @JsonSerialize(include = JsonSerialize.Inclusion.NON_NULL)
 @JsonIgnoreProperties(ignoreUnknown = true)
 @XmlRootElement
-public class UserGroupList {
+public class VXUsersGroupRoleAssignments {
+
+	List<String> users;
+
+	Map<String, String> groupRoleAssignments;
 
-	String user;
-	
-	List<String> groups;
+	Map<String, String> userRoleAssignments;
 
-	public String getUser() {
-		return user;
+	public List<String> getUsers() {
+		return users;
 	}
 
-	public void setUser(String user) {
-		this.user = user;
+	public void setUsers(List<String> users) {
+		this.users = users;
 	}
 
-	public List<String> getGroups() {
-		return groups;
+	public Map<String, String> getGroupRoleAssignments() {
+		return groupRoleAssignments;
 	}
 
-	public void setGroups(List<String> groups) {
-		this.groups = groups;
+	public void setGroupRoleAssignments(Map<String, String> groupRoleAssignments) {
+		this.groupRoleAssignments = groupRoleAssignments;
 	}
 
+	public Map<String, String> getUserRoleAssignments() {
+		return userRoleAssignments;
+	}
+
+	public void setUserRoleAssignments(Map<String, String> userRoleAssignments) {
+		this.userRoleAssignments = userRoleAssignments;
+	}
 }
\ No newline at end of file
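Review bot: The new view class documents nothing about its fields, and the same shape is declared a second time as `UsersGroupRoleAssignments` in ugsync (the last file section of this commit), with nothing recording that the two must stay field-for-field compatible because the sync client serializes one and the admin endpoint deserializes the other. A class Javadoc would cover it: `/** Request body for POST /service/xusers/users/roleassignments: the users whose roles are recomputed, plus group-name → role and user-name → role mappings. The field names are the JSON contract shared with org.apache.ranger.unixusersync.model.UsersGroupRoleAssignments. */`. The getters hand out the internal collections directly, as the copied `UserGroupList` did, so a caller can mutate a request after it has been built.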
diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java
index 8dc05b0..72080fc 100644
--- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java
+++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java
@@ -28,8 +28,11 @@ import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
+import java.util.HashSet;
 import java.util.StringTokenizer;
 import java.util.regex.Pattern;
+import java.lang.reflect.Type;
 
 import javax.security.auth.Subject;
 import javax.servlet.http.HttpServletResponse;
@@ -50,32 +53,30 @@ import org.apache.ranger.usergroupsync.UserGroupSink;
 import com.google.common.collect.Table;
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
+import com.google.gson.reflect.TypeToken;
 import com.sun.jersey.api.client.ClientResponse;
 
 public class LdapPolicyMgrUserGroupBuilder implements UserGroupSink {
 
 private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder.class);
-	
-	private static final String AUTHENTICATION_TYPE = "hadoop.security.authentication";	
+
+	private static final String AUTHENTICATION_TYPE = "hadoop.security.authentication";
 	private String AUTH_KERBEROS = "kerberos";
 	private static final String PRINCIPAL = "ranger.usersync.kerberos.principal";
 	private static final String KEYTAB = "ranger.usersync.kerberos.keytab";
 	private static final String NAME_RULE = "hadoop.security.auth_to_local";
-	
-	public static final String PM_USER_LIST_URI  = "/service/xusers/users/";				// GET
+
 	private static final String PM_ADD_USER_GROUP_INFO_URI = "/service/xusers/users/userinfo";	// POST
-	
+	public static final String PM_UPDATE_USERS_ROLES_URI  = "/service/xusers/users/roleassignments";	// PUT
+
 	private static final String PM_ADD_GROUP_USER_INFO_URI = "/service/xusers/groups/groupinfo";	// POST
-	
-	public static final String PM_GROUP_LIST_URI = "/service/xusers/groups/";				// GET
+
 	private static final String PM_ADD_GROUP_URI = "/service/xusers/groups/";				// POST
-	
+
 	private static final String PM_DEL_USER_GROUP_LINK_URI = "/service/xusers/group/${groupName}/user/${userName}"; // DELETE
-	
-	public static final String PM_USER_GROUP_MAP_LIST_URI = "/service/xusers/groupusers/";		// GET
-	
+
 	public static final String PM_GET_GROUP_USER_MAP_LIST_URI = "/service/xusers/groupusers/groupName/${groupName}";		// GET
-	
+
 	private static final String PM_ADD_LOGIN_USER_URI = "/service/users/default";			// POST
 
 	private static final String PM_AUDIT_INFO_URI = "/service/xusers/ugsync/auditinfo/";				// POST
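Review bot: The trailing comment on `PM_UPDATE_USERS_ROLES_URI` says `// PUT`, but the endpoint is declared `@POST` in XUserREST and `updateUsersRoles` later in this file sends it with `ldapUgSyncClient.post(...)`; the line should read `public static final String PM_UPDATE_USERS_ROLES_URI  = "/service/xusers/users/roleassignments";	// POST`. This hunk also removes the public constants `PM_USER_LIST_URI`, `PM_GROUP_LIST_URI` and `PM_USER_GROUP_MAP_LIST_URI`; if nothing else references them the build is fine, but dropping public surface deserves a mention in the commit message.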
@@ -95,8 +96,6 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
 	private UserGroupInfo				usergroupInfo = new UserGroupInfo();
 	private GroupUserInfo				groupuserInfo = new GroupUserInfo();
 	private volatile RangerUgSyncRESTClient ldapUgSyncClient;
-	
-	Table<String, String, String> groupsUsersTable;
 
 	private String authenticationType = null;
 	String principal;
@@ -113,7 +112,7 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
 			LOCAL_HOSTNAME = "unknown";
 		}
 	}
-	
+
 	synchronized public void init() throws Throwable {
 		recordsToPullPerCall = config.getMaxRecordsPerAPICall();
 		policyMgrBaseUrl = config.getPolicyManagerBaseURL();
@@ -169,7 +168,7 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
 			}
 
 	}
-	
+
 	private XGroupInfo addGroupInfo(final String groupName, Map<String, String> groupAttrs){
 		XGroupInfo ret = null;
 		XGroupInfo group = null;
@@ -203,17 +202,17 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
 			return null;
 		} else {
 			return getAddedGroupInfo(group);
-		}	
+		}
 	}
-	
+
 	private XGroupInfo addXGroupInfo(String aGroupName, Map<String, String> groupAttrs) {
-		
+
 		XGroupInfo addGroup = new XGroupInfo();
-		
+
 		addGroup.setName(aGroupName);
-		
+
 		addGroup.setDescription(aGroupName + " - add from Unix box");
-		
+
 		addGroup.setGroupType("1");
 
 		addGroup.setGroupSource(GROUP_SOURCE_EXTERNAL);
@@ -224,7 +223,7 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
 		return addGroup;
 	}
 
-	private XGroupInfo getAddedGroupInfo(XGroupInfo group){	
+	private XGroupInfo getAddedGroupInfo(XGroupInfo group){
 		XGroupInfo ret = null;
 		String response = null;
 		ClientResponse clientRes = null;
@@ -304,7 +303,7 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("INFO: addPMXAUser(" + userName + ")");
 		}
-		
+
 		if (! isMockRun) {
 			user = addXUserInfo(userName, userAttrs);
 		}
@@ -343,7 +342,7 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
 			return getUsergroupInfo(ret);
 		}
 	}
-	
+
 	private XUserInfo addXUserInfo(String aUserName, Map<String, String> userAttrs) {
 
 		if (LOG.isDebugEnabled()) {
@@ -359,17 +358,19 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
 			Gson gson = new Gson();
 			xuserInfo.setOtherAttributes(gson.toJson(userAttrs));
 		}
-        if (userMap.containsKey(aUserName)) {
-            List<String> roleList = new ArrayList<String>();
-            roleList.add(userMap.get(aUserName));
-            xuserInfo.setUserRoleList(roleList);
-        }
+		List<String> roleList = new ArrayList<String>();
+		if (userMap.containsKey(aUserName)) {
+			roleList.add(userMap.get(aUserName));
+		}else{
+			roleList.add("ROLE_USER");
+		}
+		xuserInfo.setUserRoleList(roleList);
 		usergroupInfo.setXuserInfo(xuserInfo);
 
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("<== LdapPolicyMgrUserGroupBuilder.addXUserInfo " + aUserName + " and " + userAttrs);
 		}
-		
+
 		return xuserInfo;
 	}
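Review bot: `addXUserInfo` now sends an explicit role list containing `"ROLE_USER"` for every synced user that has no entry in `userMap`, where it previously sent no role list for such users. If the admin side applies the supplied role list when the user already exists, a role granted through the Ranger UI would be reset to ROLE_USER on the next sync — presumably the server honours the list only on creation, but that should be confirmed against `createXUserGroupFromMap` and recorded in a comment above the new block, e.g. `// Users without an explicit mapping are sent as ROLE_USER; confirm the server ignores this for existing users`. The literal should also be a named constant, since XUserMgr uses `RangerConstants.ROLE_USER` for the same value.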
 
@@ -378,7 +379,6 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> LdapPolicyMgrUserGroupBuilder.addXUserGroupInfo ");
 		}
-		
 		List<XGroupInfo> xGroupInfoList = new ArrayList<XGroupInfo>();
 
 		if (CollectionUtils.isNotEmpty(aGroupList)) {
@@ -388,24 +388,24 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
 				addXUserGroupInfo(aUserInfo, group);
 			}
 		}
-		
+
 		usergroupInfo.setXgroupInfo(xGroupInfoList);
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("<== LdapPolicyMgrUserGroupBuilder.addXUserGroupInfo ");
 		}
 	}
-	
+
 	private XUserGroupInfo addXUserGroupInfo(XUserInfo aUserInfo, XGroupInfo aGroupInfo) {
-		
-		
+
+
 	    XUserGroupInfo ugInfo = new XUserGroupInfo();
-		
+
 		ugInfo.setUserId(aUserInfo.getId());
-		
+
 		ugInfo.setGroupName(aGroupInfo.getName());
-		
+
 		// ugInfo.setParentGroupId("1");
-		
+
         return ugInfo;
 	}
 
@@ -480,8 +480,8 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
 			}
 		} else {
 			groupUserInfo = getGroupUserInfo(groupName);
-		}	
-		
+		}
+
         List<String> oldUsers = new ArrayList<String>();
         Map<String, List<String>> oldUserMap = new HashMap<String, List<String>>();
         if (groupUserInfo != null && groupUserInfo.getXuserInfo() != null) {
@@ -493,10 +493,10 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
 				LOG.debug("Returned users for group " + groupUserInfo.getXgroupInfo().getName() + " are: " + oldUsers);
 			}
 		}
-		
+
 		List<String> addUsers = new ArrayList<String>();
 		List<String> delUsers = new ArrayList<String>();
-		
+
 		for (String user : oldUsers) {
 			if (!users.contains(user)) {
 				delUsers.add(user);
@@ -515,18 +515,114 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
 			LOG.debug("addUsers = " + addUsers);
 		}
 		delXGroupUserInfo(groupName, delUsers);
-		
-		//* Add user to group mapping in the x_group_user table. 
+
+		//* Add user to group mapping in the x_group_user table.
 		//* Here the assumption is that the user already exists in x_portal_user table.
 		if ( ! isMockRun ) {
-			// If the rest call to ranger admin fails, 
+			// If the rest call to ranger admin fails,
 			// propagate the failure to the caller for retry in next sync cycle.
-			if (addGroupUserInfo(groupName, groupAttrs, addUsers) == null ) {
+			GroupUserInfo ret = addGroupUserInfo(groupName, groupAttrs, addUsers);
+			if (ret == null ) {
 				String msg = "Failed to add addorUpdate group user info";
 				LOG.error(msg);
 				throw new Exception(msg);
 			}
 		}
+
+		// Update roles for both deleted & new users in this group when role assignments are configured.
+		if (!groupMap.isEmpty() || !userMap.isEmpty()) {
+			UsersGroupRoleAssignments ugRoleAssignments = new UsersGroupRoleAssignments();
+			List<String> allUsers = new ArrayList<>();
+			if (!delUsers.isEmpty()) {
+				allUsers.addAll(delUsers);
+			}
+			if (!addUsers.isEmpty()) {
+				allUsers.addAll(addUsers);
+			}
+			if (!allUsers.isEmpty()) {
+				ugRoleAssignments.setUsers(allUsers);
+				ugRoleAssignments.setGroupRoleAssignments(groupMap);
+				ugRoleAssignments.setUserRoleAssignments(userMap);
+				if (updateRoles(ugRoleAssignments) == null) {
+					LOG.error("Unable to update roles for " + allUsers);
+				}
+			}
+		}
+	}
+
+	private List<String> updateRoles(UsersGroupRoleAssignments ugRoleAssignments) {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("LdapPolicyMgrUserGroupBuilder.updateUserRole(" + ugRoleAssignments.getUsers() + ")");
+		}
+
+		if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)){
+			try {
+				Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
+				final UsersGroupRoleAssignments result = ugRoleAssignments;
+				List<String> ret = Subject.doAs(sub, new PrivilegedAction<List<String>>() {
+					@Override
+					public List<String> run() {
+						try {
+							return updateUsersRoles(result);
+						} catch (Exception e) {
+							LOG.error("Failed to add User Group Info : ", e);
+						}
+						return null;
+					}
+				});
+				return ret;
+			} catch (Exception e) {
+				LOG.error("Failed to Authenticate Using given Principal and Keytab : " , e);
+			}
+			return null;
+		}else{
+			return updateUsersRoles(ugRoleAssignments);
+		}
+	}
+
+	private List<String> updateUsersRoles(UsersGroupRoleAssignments ugRoleAssignments) {
+		if(LOG.isDebugEnabled()){
+			LOG.debug("==> LdapPolicyMgrUserGroupBuilder.updateUserRoles(" + ugRoleAssignments.getUsers() + ")");
+		}
+		List<String> ret = null;
+		try {
+			String response = null;
+			ClientResponse clientRes = null;
+			Gson gson = new GsonBuilder().create();
+			String jsonString = gson.toJson(ugRoleAssignments);
+			String url = PM_UPDATE_USERS_ROLES_URI;
+
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("USER role MAPPING" + jsonString);
+			}
+			if (isRangerCookieEnabled) {
+				response = cookieBasedUploadEntity(ugRoleAssignments, url);
+			} else {
+				try {
+					clientRes = ldapUgSyncClient.post(url, null, ugRoleAssignments);
+					if (clientRes != null) {
+						response = clientRes.getEntity(String.class);
+					}
+				} catch (Throwable t) {
+					LOG.error("Failed to get response, Error is : ", t);
+				}
+			}
+			if (LOG.isDebugEnabled()) {
+				LOG.debug("RESPONSE: [" + response + "]");
+			}
+			Type listType = new TypeToken<ArrayList<String>>() {
+			}.getType();
+			ret = new Gson().fromJson(response, listType);
+
+		} catch (Exception e) {
+
+			LOG.warn( "ERROR: Unable to update roles for: " + ugRoleAssignments.getUsers(), e);
+		}
+
+		if(LOG.isDebugEnabled()){
+			LOG.debug("<== LdapPolicyMgrUserGroupBuilder.updateUserRoles(" + ret + ")");
+		}
+		return ret;
 	}
 
 	@Override
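Review bot: A failed role update is only logged (the `LOG.error("Unable to update roles for " + allUsers)` branch) while the group-membership update just above it throws so the caller retries in the next sync cycle; because the role batch is built only from `addUsers` and `delUsers`, a user removed from a group mapped to an elevated role keeps that role indefinitely if Ranger admin is unreachable at that moment, since later cycles see no membership delta and never recompute roles. Propagate the failure the same way: `if (updateRoles(ugRoleAssignments) == null) { String msg = "Unable to update roles for " + allUsers; LOG.error(msg); throw new Exception(msg); }`. In `updateUsersRoles` the HTTP status of `clientRes` is never checked before `getEntity(String.class)`, so a 403 or 500 body is handed to `fromJson`, and the `catch (Throwable t)` around the post swallows errors that should surface; checking `clientRes.getStatus()` for 200 and narrowing the catch to `Exception` would be safer. The error text in the Kerberos branch, `"Failed to add User Group Info : "`, is copied from another method and should name role updates, and the debug line at the top of `updateRoles` names `updateUserRole` rather than the method itself. The method enclosing the first part of this hunk begins before the hunk.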
@@ -692,7 +788,7 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
 			LOG.debug("<== LdapPolicyMgrUserGroupBuilder.delXUserGroupInfo()");
 		}
 	}
-	
+
 	private GroupUserInfo addGroupUserInfo(String groupName, Map<String, String> groupAttrs, List<String> users){
 		if(LOG.isDebugEnabled()) {
 	 		LOG.debug("==> LdapPolicyMgrUserGroupBuilder.addGroupUserInfo " + groupName + " and " + users);
@@ -738,7 +834,7 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
 			return getGroupUserInfo(ret);
 		}
 	}
-	
+
 	private void addXGroupUserInfo(XGroupInfo aGroupInfo, List<String> aUserList) {
 
 		List<XUserInfo> xUserInfoList = new ArrayList<XUserInfo>();
@@ -760,32 +856,7 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder
 		ClientResponse clientRes = null;
 		String relativeUrl = PM_ADD_GROUP_USER_INFO_URI;
 		Gson gson = new GsonBuilder().create();
-		
-
-        if (groupuserInfo != null
-                && groupuserInfo.getXgroupInfo() != null
-                && groupuserInfo.getXuserInfo() != null
-                && groupMap
-                        .containsKey(groupuserInfo.getXgroupInfo().getName())
-                && groupuserInfo.getXuserInfo().size() > 0) {
-            List<String> userRoleList = new ArrayList<String>();
-            userRoleList.add(groupMap.get(groupuserInfo.getXgroupInfo()
-                    .getName()));
-            int i = groupuserInfo.getXuserInfo().size();
-            for (int j = 0; j < i; j++) {
-                if (userMap.containsKey(groupuserInfo.getXuserInfo().get(j)
-                        .getName())) {
-                    List<String> userRole = new ArrayList<String>();
-                    userRole.add(userMap.get(groupuserInfo.getXuserInfo()
-                            .get(j).getName()));
-                    groupuserInfo.getXuserInfo().get(j)
-                            .setUserRoleList(userRole);
-                } else {
-                    groupuserInfo.getXuserInfo().get(j)
-                            .setUserRoleList(userRoleList);
-                }
-            }
-        }
+
         String jsonString = gson.toJson(groupuserInfo);
         if (LOG.isDebugEnabled()) {
             LOG.debug("GROUP USER MAPPING" + jsonString);
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/model/UserGroupList.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/model/UsersGroupRoleAssignments.java
similarity index 66%
rename from ugsync/src/main/java/org/apache/ranger/unixusersync/model/UserGroupList.java
rename to ugsync/src/main/java/org/apache/ranger/unixusersync/model/UsersGroupRoleAssignments.java
index 4553d02..e6cabdb 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/model/UserGroupList.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/model/UsersGroupRoleAssignments.java
@@ -20,6 +20,7 @@
 package org.apache.ranger.unixusersync.model;
 
 import java.util.List;
+import java.util.Map;
 
 import javax.xml.bind.annotation.XmlRootElement;
 
@@ -32,26 +33,35 @@ import org.codehaus.jackson.map.annotate.JsonSerialize;
 @JsonSerialize(include = JsonSerialize.Inclusion.NON_NULL)
 @JsonIgnoreProperties(ignoreUnknown = true)
 @XmlRootElement
-public class UserGroupList {
+public class UsersGroupRoleAssignments {
 
-	String user;
+	List<String> users;
 	
-	List<String> groups;
+	Map<String, String> groupRoleAssignments;
 
-	public String getUser() {
-		return user;
+	Map<String, String> userRoleAssignments;
+
+	public List<String> getUsers() {
+		return users;
+	}
+
+	public void setUsers(List<String> users) {
+		this.users = users;
 	}
 
-	public void setUser(String user) {
-		this.user = user;
+	public Map<String, String> getGroupRoleAssignments() {
+		return groupRoleAssignments;
 	}
 
-	public List<String> getGroups() {
-		return groups;
+	public void setGroupRoleAssignments(Map<String, String> groupRoleAssignments) {
+		this.groupRoleAssignments = groupRoleAssignments;
 	}
 
-	public void setGroups(List<String> groups) {
-		this.groups = groups;
+	public Map<String, String> getUserRoleAssignments() {
+		return userRoleAssignments;
 	}
 
+	public void setUserRoleAssignments(Map<String, String> userRoleAssignments) {
+		this.userRoleAssignments = userRoleAssignments;
+	}
 }
\ No newline at end of file