Posted to commits@ranger.apache.org by ga...@apache.org on 2015/11/28 18:46:18 UTC

incubator-ranger git commit: RANGER-743 : External users with Admin Role should be allowed to create/update users

Repository: incubator-ranger
Updated Branches:
  refs/heads/ranger-0.5 5a626203b -> 2073c0a9d


RANGER-743 : External users with Admin Role should be allowed to create/update users


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/2073c0a9
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/2073c0a9
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/2073c0a9

Branch: refs/heads/ranger-0.5
Commit: 2073c0a9d52ad5b002afa9b713419591d5f9e889
Parents: 5a62620
Author: Gautam Borad <ga...@apache.org>
Authored: Wed Nov 25 17:35:17 2015 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Sat Nov 28 23:15:47 2015 +0530

----------------------------------------------------------------------
 .../java/org/apache/ranger/biz/UserMgr.java     | 67 ++++++++++++++++++--
 .../java/org/apache/ranger/biz/XUserMgr.java    | 51 ++++++++++++---
 .../handler/RangerAuthenticationProvider.java   | 28 +++++++-
 3 files changed, 130 insertions(+), 16 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2073c0a9/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index ee9d14b..571265c 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -254,6 +254,9 @@ public class UserMgr {
 		// }
 
 		// firstName
+		if("null".equalsIgnoreCase(userProfile.getFirstName())){
+			userProfile.setFirstName("");
+		}
 		if (!stringUtil.isEmpty(userProfile.getFirstName())
 				&& !userProfile.getFirstName().equals(gjUser.getFirstName())) {
 			userProfile.setFirstName(stringUtil.toCamelCaseAllWords(userProfile
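Review bot: The new guard at the top of the firstName branch treats the literal string "null" as a blank name, and the same three lines are repeated for lastName in the next hunk, in mapVXPortalUserToXXPortalUser and twice more in XUserMgr. A single helper such as `private static String blankIfNullLiteral(String s) { return "null".equalsIgnoreCase(s) ? "" : s; }` would keep the rule in one place. The check implies some client serialises a missing name as the string "null"; fixing that producer would be the real fix, and a comment naming which client sends it would help the next reader. The enclosing update method starts before and ends after this hunk.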
@@ -261,8 +264,10 @@ public class UserMgr {
 			updateUser = true;
 		}
 
-		// lastName allowed to be empty
-		if (userProfile.getLastName() != null
+		if("null".equalsIgnoreCase(userProfile.getLastName())){
+			userProfile.setLastName("");
+		}
+		if (!stringUtil.isEmpty(userProfile.getLastName())
 				&& !userProfile.getLastName().equals(gjUser.getLastName())) {
 			userProfile.setLastName(stringUtil.toCamelCaseAllWords(userProfile
 					.getLastName()));
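Review bot: Switching the lastName guard from `!= null` to `!stringUtil.isEmpty(...)` (and dropping the `lastName allowed to be empty` comment) means an update that sends an empty last name is now silently ignored, so a stored last name can no longer be cleared through this path. If that is intended, a comment such as `// an empty lastName leaves the stored value untouched` should replace the removed one; if not, the original `!= null` test should stay alongside the new "null"-literal normalisation. The enclosing method continues outside the hunk.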
@@ -270,12 +275,16 @@ public class UserMgr {
 		}
 
 		// publicScreenName
-		if (!stringUtil.isEmpty(userProfile.getPublicScreenName())
-				&& !userProfile.getPublicScreenName().equals(
-						gjUser.getPublicScreenName())) {
+		if (userProfile.getFirstName() != null
+				&& userProfile.getLastName() != null
+				&& !userProfile.getFirstName().trim().isEmpty()
+				&& !userProfile.getLastName().trim().isEmpty()) {
 			userProfile.setPublicScreenName(userProfile.getFirstName() + " "
 					+ userProfile.getLastName());
 			updateUser = true;
+		} else {
+			userProfile.setPublicScreenName(gjUser.getLoginId());
+			updateUser = true;
 		}
 
 		// notes
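Review bot: The screen name is now rebuilt from the request's firstName/lastName rather than the stored record, so a partial update that leaves either name blank (which the branches above deliberately ignore) resets publicScreenName to the loginId even though gjUser may still hold a real name; the old `equals(gjUser.getPublicScreenName())` comparison is also gone, so `updateUser = true` is forced on every call. I would compute the candidate once — the first/last pair when both are non-blank after merging the request with gjUser's stored values, else `gjUser.getLoginId()` — and set `updateUser` only when it differs from `gjUser.getPublicScreenName()`. Whether gjUser already reflects the merged names at this point depends on code outside the hunk, so please confirm. The enclosing method starts before and ends after the hunk.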
@@ -554,12 +563,34 @@ public class UserMgr {
 	public XXPortalUser mapVXPortalUserToXXPortalUser(VXPortalUser userProfile) {
 		XXPortalUser gjUser = new XXPortalUser();
 		gjUser.setEmailAddress(userProfile.getEmailAddress());
+		if("null".equalsIgnoreCase(userProfile.getFirstName())){
+			userProfile.setFirstName("");
+		}
 		gjUser.setFirstName(userProfile.getFirstName());
+		if("null".equalsIgnoreCase(userProfile.getLastName())){
+			userProfile.setLastName("");
+		}
 		gjUser.setLastName(userProfile.getLastName());
+		if (userProfile.getLoginId() == null
+				|| userProfile.getLoginId().trim().isEmpty()
+				|| "null".equalsIgnoreCase(userProfile.getLoginId())) {
+			throw restErrorUtil.createRESTException(
+					"LoginId should not be null or blank, It is",
+					MessageEnums.INVALID_INPUT_DATA);
+		}
 		gjUser.setLoginId(userProfile.getLoginId());
 		gjUser.setPassword(userProfile.getPassword());
 		gjUser.setUserSource(userProfile.getUserSource());
 		gjUser.setPublicScreenName(userProfile.getPublicScreenName());
+		if (userProfile.getFirstName() != null
+				&& userProfile.getLastName() != null
+				&& !userProfile.getFirstName().trim().isEmpty()
+				&& !userProfile.getLastName().trim().isEmpty()) {
+			gjUser.setPublicScreenName(userProfile.getFirstName() + " "
+					+ userProfile.getLastName());
+		} else {
+			gjUser.setPublicScreenName(userProfile.getLoginId());
+		}
 		return gjUser;
 	}
 
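Review bot: The loginId validation message `"LoginId should not be null or blank, It is"` reads as truncated and should end at `"LoginId should not be null or blank"`; the check also runs after emailAddress/firstName/lastName have already been copied and the input userProfile has been mutated, so it belongs at the top of the method. `gjUser.setPublicScreenName(userProfile.getPublicScreenName())` is dead — the if/else that follows overwrites it unconditionally — and can be dropped. Rewriting the caller's firstName/lastName via `userProfile.setFirstName("")` inside a mapper is a side effect on the argument that deserves a comment if anything downstream relies on it.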
@@ -1237,4 +1268,30 @@ public class UserMgr {
 		throw restErrorUtil.create403RESTException("Operation not allowed." + " loggedInUser=" + (sess != null ? sess.getXXPortalUser().getId() : "Not Logged In"));
 	}
 
+	public Collection<String> getRolesByLoginId(String loginId) {
+		if (loginId == null || loginId.trim().isEmpty()){
+			return DEFAULT_ROLE_LIST;
+		}
+		XXPortalUser xXPortalUser=daoManager.getXXPortalUser().findByLoginId(loginId);
+		if(xXPortalUser==null){
+			return DEFAULT_ROLE_LIST;
+		}
+		Collection<XXPortalUserRole> xXPortalUserRoles = daoManager
+				.getXXPortalUserRole().findByUserId(xXPortalUser.getId());
+		if(xXPortalUserRoles==null){
+			return DEFAULT_ROLE_LIST;
+		}
+		Collection<String> roleList = new ArrayList<String>();
+		for (XXPortalUserRole role : xXPortalUserRoles) {
+			if(role!=null && VALID_ROLE_LIST.contains(role.getUserRole())){
+				if(!roleList.contains(role.getUserRole())){
+					roleList.add(role.getUserRole());
+				}
+			}
+		}
+		if(roleList==null || roleList.size()==0){
+			return DEFAULT_ROLE_LIST;
+		}
+		return roleList;
+	}
 }
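Review bot: getRolesByLoginId is now the sole source of authorities for externally authenticated users (RangerAuthenticationProvider calls it from getAuthorities), yet it only checks that a portal row exists for the login and never consults the account's status, so unless the caller enforces that, a deactivated portal user who can still bind to LDAP/AD keeps the stored roles — please confirm where that check lives. The `roleList == null` test is dead because roleList is always allocated, and a `LinkedHashSet<String>` would replace the manual `contains` de-duplication. A Javadoc stating that the fall-back is `DEFAULT_ROLE_LIST` for unknown logins, missing role rows and roles outside `VALID_ROLE_LIST` would make the fail-closed behaviour explicit for the authentication code that now depends on it.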

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2073c0a9/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index 3f2c041..3784439 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -186,9 +186,11 @@ public class XUserMgr extends XUserMgrBase {
 	public VXUser createXUser(VXUser vXUser) {
 		checkAdminAccess();
 		String userName = vXUser.getName();
-		if (userName == null || userName.isEmpty()) {
-			throw restErrorUtil.createRESTException("Please provide a valid "
-					+ "username.", MessageEnums.INVALID_INPUT_DATA);
+		if (userName == null || "null".equalsIgnoreCase(userName)
+				|| userName.trim().isEmpty()) {
+			throw restErrorUtil.createRESTException(
+					"Please provide a valid username.",
+					MessageEnums.INVALID_INPUT_DATA);
 		}
 
 		if (vXUser.getDescription() == null) {
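Review bot: The username guard now rejects null, the literal "null" and blank input, and the identical condition is written out again in updateXUser later in this file; a single `private static boolean isValidUserName(String name)` would keep the two in step. The `checkAdminAccess()` call just above runs before any input is touched, which is the right order. The method continues beyond the hunk.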
@@ -200,10 +202,23 @@ public class XUserMgr extends XUserMgrBase {
 		VXPortalUser vXPortalUser = new VXPortalUser();
 		vXPortalUser.setLoginId(userName);
 		vXPortalUser.setFirstName(vXUser.getFirstName());
+		if("null".equalsIgnoreCase(vXPortalUser.getFirstName())){
+			vXPortalUser.setFirstName("");
+		}
 		vXPortalUser.setLastName(vXUser.getLastName());
+		if("null".equalsIgnoreCase(vXPortalUser.getLastName())){
+			vXPortalUser.setLastName("");
+		}
 		vXPortalUser.setEmailAddress(vXUser.getEmailAddress());
-		vXPortalUser.setPublicScreenName(vXUser.getFirstName() + " "
-				+ vXUser.getLastName());
+		if (vXPortalUser.getFirstName() != null
+				&& vXPortalUser.getLastName() != null
+				&& !vXPortalUser.getFirstName().trim().isEmpty()
+				&& !vXPortalUser.getLastName().trim().isEmpty()) {
+			vXPortalUser.setPublicScreenName(vXPortalUser.getFirstName() + " "
+					+ vXPortalUser.getLastName());
+		} else {
+			vXPortalUser.setPublicScreenName(vXUser.getName());
+		}
 		vXPortalUser.setPassword(actualPassword);
 		vXPortalUser.setUserRoleList(vXUser.getUserRoleList());
 		vXPortalUser = userMgr.createDefaultAccountUser(vXPortalUser);
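Review bot: The screen-name fallback block (first + " " + last when both are non-blank, otherwise the login name) is copied here, in updateXUser and twice in UserMgr; extracting it into one helper such as `static String publicScreenName(String first, String last, String loginId)` would stop the four copies from drifting. The "null"-literal normalisation is applied to firstName and lastName only; if the same client also sends "null" for emailAddress, that value is stored verbatim by `setEmailAddress` — worth confirming against the client. The method's password and role handling continues outside the hunk.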
@@ -324,8 +339,11 @@ public class XUserMgr extends XUserMgrBase {
 	}
 
 	public VXUser updateXUser(VXUser vXUser) {
-		if (vXUser == null || vXUser.getName() == null || vXUser.getName().trim().isEmpty()) {
-			throw restErrorUtil.createRESTException("Please provide a valid " + "username.", MessageEnums.INVALID_INPUT_DATA);
+		if (vXUser == null || vXUser.getName() == null
+				|| "null".equalsIgnoreCase(vXUser.getName())
+				|| vXUser.getName().trim().isEmpty()) {
+			throw restErrorUtil.createRESTException("Please provide a valid "
+					+ "username.", MessageEnums.INVALID_INPUT_DATA);
 		}
 		checkAccess(vXUser.getName());
 		VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser
@@ -337,13 +355,26 @@ public class XUserMgr extends XUserMgrBase {
 		// TODO : There is a possibility that old user may not exist.
 
 		vXPortalUser.setFirstName(vXUser.getFirstName());
+		if("null".equalsIgnoreCase(vXPortalUser.getFirstName())){
+			vXPortalUser.setFirstName("");
+		}
 		vXPortalUser.setLastName(vXUser.getLastName());
+		if("null".equalsIgnoreCase(vXPortalUser.getLastName())){
+			vXPortalUser.setLastName("");
+		}
 		vXPortalUser.setEmailAddress(vXUser.getEmailAddress());
 		vXPortalUser.setLoginId(vXUser.getName());
 		vXPortalUser.setStatus(vXUser.getStatus());
 		vXPortalUser.setUserRoleList(vXUser.getUserRoleList());
-		vXPortalUser.setPublicScreenName(vXUser.getFirstName() + " "
-				+ vXUser.getLastName());
+		if (vXPortalUser.getFirstName() != null
+				&& vXPortalUser.getLastName() != null
+				&& !vXPortalUser.getFirstName().trim().isEmpty()
+				&& !vXPortalUser.getLastName().trim().isEmpty()) {
+			vXPortalUser.setPublicScreenName(vXPortalUser.getFirstName() + " "
+					+ vXPortalUser.getLastName());
+		} else {
+			vXPortalUser.setPublicScreenName(vXUser.getName());
+		}
 		vXPortalUser.setUserSource(vXUser.getUserSource());
 		String hiddenPasswordString = PropertiesUtil.getProperty("ranger.password.hidden", "*****");
 		String password = vXUser.getPassword();
@@ -1247,6 +1278,7 @@ public class XUserMgr extends XUserMgrBase {
 		if(vXUser==null){
 			throw restErrorUtil.createRESTException("Please provide a valid ID", MessageEnums.INVALID_INPUT_DATA);
 		}
+		checkAccess(vXUser.getName());
 		List<XXPortalUserRole> portalUserRoleList =null;
 		VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser.getName());
 		if(oldUserProfile!=null){
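Review bot: The new `checkAccess(vXUser.getName())` keys the authorisation on the name carried by `vXUser`, so it is only as trustworthy as that object's origin: if `vXUser` is the record looked up by the ID validated on the line above, it is fine, but if it is the request payload a caller could pair someone else's ID with their own name and pass the check — please confirm which it is, as the method signature is outside the hunk. A comment such as `// vXUser is the stored record, so its name is authoritative for the access check` would settle it for the next reader.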
@@ -1260,6 +1292,7 @@ public class XUserMgr extends XUserMgrBase {
 	public VXStringList getUserRolesByName(String userName) {
 		VXPortalUser vXPortalUser=null;
 		if(userName!=null && !userName.trim().isEmpty()){
+			checkAccess(userName);
 			vXPortalUser = userMgr.getUserProfileByLoginId(userName);
 			if(vXPortalUser!=null && vXPortalUser.getUserRoleList()!=null){
 				List<XXPortalUserRole> portalUserRoleList = daoManager.getXXPortalUserRole().findByUserId(vXPortalUser.getId());

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2073c0a9/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
index 40b08c4..f7e5d40 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
@@ -20,6 +20,7 @@
 package org.apache.ranger.security.handler;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 import java.util.HashMap;
@@ -230,6 +231,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 
 				authentication = ldapAuthenticationProvider
 						.authenticate(finalAuthentication);
+				authentication=getAuthenticationWithGrantedAuthority(authentication);
 				return authentication;
 			} else {
 				return authentication;
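Review bot: After the added `getAuthenticationWithGrantedAuthority(authentication)` call the returned token carries only the roles stored in the Ranger DB (or `UserMgr.DEFAULT_ROLE_LIST` when no portal row or role exists); the `rangerLdapDefaultRole` authority the caller placed on `finalAuthentication` is discarded. If the configured LDAP default role and `DEFAULT_ROLE_LIST` can differ, a first-time LDAP user ends up with a different role than before this commit — either confirm they always agree or pass the configured default into the lookup. The same line is added to the AD, JAAS and two other LDAP paths, so the point applies to each; the enclosing methods start and end outside their hunks.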
@@ -272,6 +274,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 						principal, userPassword, grantedAuths);
 				authentication = adAuthenticationProvider
 						.authenticate(finalAuthentication);
+				authentication=getAuthenticationWithGrantedAuthority(authentication);
 				return authentication;
 			} else {
 				return authentication;
@@ -323,6 +326,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 						principal, userPassword, grantedAuths);
 				authentication = jaasAuthenticationProvider
 						.authenticate(finalAuthentication);
+				authentication=getAuthenticationWithGrantedAuthority(authentication);
 				return authentication;
 			} else {
 				return authentication;
@@ -399,6 +403,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 				final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);
 
 				authentication = ldapAuthenticationProvider.authenticate(finalAuthentication);
+				authentication=getAuthenticationWithGrantedAuthority(authentication);
 				return authentication;
 			} else {
 				return authentication;
@@ -464,6 +469,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 				final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);
 
 				authentication = ldapAuthenticationProvider.authenticate(finalAuthentication);
+				authentication=getAuthenticationWithGrantedAuthority(authentication);
 				return authentication;
 			} else {
 				return authentication;
@@ -499,8 +505,6 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 			if (userName != null && userPassword != null && !userName.trim().isEmpty()&& !userPassword.trim().isEmpty()) {
 				final List<GrantedAuthority> grantedAuths = new ArrayList<>();
 				grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole));
-				grantedAuths.add(new SimpleGrantedAuthority("ROLE_SYS_ADMIN"));
-				grantedAuths.add(new SimpleGrantedAuthority("ROLE_KEY_ADMIN"));
 				final UserDetails principal = new User(userName, userPassword,grantedAuths);
 				final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);
 				authentication= authenticator.authenticate(finalAuthentication);
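Review bot: Unlike the LDAP/AD/JAAS paths, the token returned by `authenticator.authenticate(finalAuthentication)` on the last line of the hunk is not passed through `getAuthenticationWithGrantedAuthority`, so unless that happens on a line just after the hunk a user authenticated here keeps only `rangerLdapDefaultRole` and never receives the DB-stored Admin role this commit is meant to honour; adding `authentication = getAuthenticationWithGrantedAuthority(authentication);` after that line would align the paths. Dropping the unconditional `ROLE_SYS_ADMIN` and `ROLE_KEY_ADMIN` grants is the important part of this hunk — before it, every user this authenticator accepted became a full administrator — and deserves a sentence in the commit message. The method continues outside the hunk.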
@@ -521,4 +525,24 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 		}
 		return authentication;
 	}
+	private List<GrantedAuthority> getAuthorities(String username) {
+		Collection<String> roleList=userMgr.getRolesByLoginId(username);
+		final List<GrantedAuthority> grantedAuths = new ArrayList<>();
+		for(String role:roleList){
+			grantedAuths.add(new SimpleGrantedAuthority(role));
+		}
+		return grantedAuths;
+	}
+
+	public Authentication getAuthenticationWithGrantedAuthority(Authentication authentication){
+		UsernamePasswordAuthenticationToken result=null;
+		if(authentication!=null && authentication.isAuthenticated()){
+			final List<GrantedAuthority> grantedAuths=getAuthorities(authentication.getName().toString());
+			final UserDetails userDetails = new User(authentication.getName().toString(), authentication.getCredentials().toString(),grantedAuths);
+			result = new UsernamePasswordAuthenticationToken(userDetails,authentication.getCredentials(),grantedAuths);
+			result.setDetails(authentication.getDetails());
+			return result;
+		}
+		return authentication;
+	}
 }
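Review bot: `getAuthenticationWithGrantedAuthority` dereferences `authentication.getCredentials().toString()` to build the new `User`, which throws NullPointerException if the upstream provider already erased the credentials, and it copies the plaintext password into a second principal object; `getName().toString()` is also redundant since `getName()` already returns a String. The rewrite below guards the null case (the `User` constructor rejects a null password, so an empty string is substituted), reads the name once, and documents that upstream authorities are deliberately replaced with DB roles; making it `private` is reasonable unless something outside this class calls it. Note that the rebuilt `User` is always enabled and non-locked, so any account flags the upstream UserDetails carried are lost — confirm that is acceptable.
```java
/**
 * Replaces the authorities granted by the external provider with the roles stored for this
 * login in the Ranger portal DB (UserMgr.getRolesByLoginId). Upstream authorities, including
 * the default role the caller added, are discarded on purpose.
 */
public Authentication getAuthenticationWithGrantedAuthority(Authentication authentication) {
	if (authentication == null || !authentication.isAuthenticated()) {
		return authentication;
	}
	final String loginId = authentication.getName();
	final Object credentials = authentication.getCredentials();
	// Credentials may already have been erased upstream; User rejects a null password.
	final String password = credentials == null ? "" : credentials.toString();
	final List<GrantedAuthority> grantedAuths = getAuthorities(loginId);
	final UserDetails userDetails = new User(loginId, password, grantedAuths);
	final UsernamePasswordAuthenticationToken result =
			new UsernamePasswordAuthenticationToken(userDetails, credentials, grantedAuths);
	result.setDetails(authentication.getDetails());
	return result;
}
```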