Posted to commits@ranger.apache.org by me...@apache.org on 2018/12/17 11:52:40 UTC

[01/28] ranger git commit: RANGER-2231 - Upgrade to Knox 1.1.0

Repository: ranger
Updated Branches:
  refs/heads/ranger-1 7b851f74f -> ea4cf885b


RANGER-2231 - Upgrade to Knox 1.1.0

Signed-off-by: Colm O hEigeartaigh <co...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/b5d52f86
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/b5d52f86
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/b5d52f86

Branch: refs/heads/ranger-1
Commit: b5d52f86785f4a49c4ccfa4af3b5a4404f2843b7
Parents: 7b851f7
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Sep 26 19:08:47 2018 -0400
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:33:09 2018 +0530

----------------------------------------------------------------------
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/b5d52f86/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 7a4cf92..0d2cc66 100644
--- a/pom.xml
+++ b/pom.xml
@@ -183,7 +183,7 @@
         <junit.version>4.12</junit.version>
         <kafka.version>1.0.0</kafka.version>
         <kerby.version>1.0.0</kerby.version>
-        <knox.gateway.version>1.0.0</knox.gateway.version>
+        <knox.gateway.version>1.1.0</knox.gateway.version>
         <kylin.version>2.3.0</kylin.version>
         <libpam4j.version>1.10</libpam4j.version>
         <local.lib.dir>${project.basedir}/../lib/local</local.lib.dir>


[24/28] ranger git commit: RANGER-2049: Fixed an issue where doAs User role is not set properly

Posted by me...@apache.org.
RANGER-2049: Fixed an issue where doAs User role is not set properly

Conflicts:
	security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/d9ff1bb2
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/d9ff1bb2
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/d9ff1bb2

Branch: refs/heads/ranger-1
Commit: d9ff1bb25d06a5114c3805f960635999d83044ba
Parents: edfe7fc
Author: Sailaja Polavarapu <sp...@hortonworks.com>
Authored: Fri Nov 16 13:39:30 2018 -0800
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:53:15 2018 +0530

----------------------------------------------------------------------
 .../filter/RangerKRBAuthenticationFilter.java   | 132 +++++++++++++++----
 1 file changed, 105 insertions(+), 27 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/d9ff1bb2/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
index d20a203..5c825d8 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
@@ -32,6 +32,7 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.Collections;
 
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
@@ -53,6 +54,13 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.collections.iterators.IteratorEnumeration;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.SaslRpcServer;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authentication.server.AuthenticationToken;
+import org.apache.hadoop.security.authorize.AuthorizationException;
+import org.apache.hadoop.security.authorize.ProxyUsers;
+import org.apache.hadoop.util.HttpExceptionUtils;
 import org.apache.ranger.biz.UserMgr;
 import org.apache.ranger.common.PropertiesUtil;
 import org.apache.ranger.common.RESTErrorUtil;
@@ -98,6 +106,8 @@ public class RangerKRBAuthenticationFilter extends RangerKrbFilter {
 	static final String RANGER_AUTH_TYPE = "hadoop.security.authentication";
 	static final String AUTH_COOKIE_NAME = "hadoop.auth";
 	static final String HOST_NAME = "ranger.service.host";
+	static final String ALLOW_TRUSTED_PROXY = "ranger.authentication.allow.trustedproxy";
+	static final String PROXY_PREFIX = "ranger.proxyuser.";
 
 	private static final String KERBEROS_TYPE = "kerberos";
 	private static final String S_USER = "suser";
@@ -119,6 +129,7 @@ public class RangerKRBAuthenticationFilter extends RangerKrbFilter {
 		params.put(TOKEN_VALID_PARAM, PropertiesUtil.getProperty(TOKEN_VALID,"30"));
 		params.put(COOKIE_DOMAIN_PARAM, PropertiesUtil.getProperty(COOKIE_DOMAIN, PropertiesUtil.getProperty(HOST_NAME, "localhost")));
 		params.put(COOKIE_PATH_PARAM, PropertiesUtil.getProperty(COOKIE_PATH, "/"));
+		params.put(ALLOW_TRUSTED_PROXY, PropertiesUtil.getProperty(ALLOW_TRUSTED_PROXY, "false"));
 		try {
 			params.put(PRINCIPAL_PARAM, SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(PRINCIPAL,""), PropertiesUtil.getProperty(HOST_NAME)));
 		} catch (IOException ignored) {
@@ -153,6 +164,20 @@ public class RangerKRBAuthenticationFilter extends RangerKrbFilter {
 			}
 		};
 		super.init(myConf);
+		Configuration conf1 = this.getProxyuserConfiguration();
+		ProxyUsers.refreshSuperUserGroupsConfiguration(conf1, PROXY_PREFIX);
+	}
+
+	protected Configuration getProxyuserConfiguration() {
+		Configuration conf = new Configuration(false);
+		Map<String, String> propertiesMap = PropertiesUtil.getPropertiesMap();
+		for (String key : propertiesMap.keySet()) {
+			if (!key.startsWith(PROXY_PREFIX)) {
+				continue;
+			}
+			conf.set(key, propertiesMap.get(key));
+		}
+		return conf;
 	}
 
 	@Override
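Review bot: `getProxyuserConfiguration()` is protected and supplies the rules that decide which callers may impersonate other users, yet it has no Javadoc. I would add one saying that it copies every property whose key starts with `PROXY_PREFIX` into an otherwise empty Hadoop `Configuration` (`new Configuration(false)`) and that `init` hands the result to `ProxyUsers.refreshSuperUserGroupsConfiguration`. The loop can iterate `propertiesMap.entrySet()` and call `conf.set(e.getKey(), e.getValue())` instead of looking each key up a second time. The refresh also runs when `ranger.authentication.allow.trustedproxy` is false, and it appears to replace process-wide state inside Hadoop's `ProxyUsers`, so it is worth confirming that nothing else in the same JVM depends on that state. `init` begins outside this hunk.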
@@ -162,6 +187,7 @@ public class RangerKRBAuthenticationFilter extends RangerKrbFilter {
 		String authType = PropertiesUtil.getProperty(RANGER_AUTH_TYPE);
 		String userName = null;
 		boolean checkCookie = response.containsHeader("Set-Cookie");
+		boolean allowTrustedProxy = PropertiesUtil.getBooleanProperty(ALLOW_TRUSTED_PROXY, false);
 		if(checkCookie){
 			Collection<String> authUserName = response.getHeaders("Set-Cookie");
 			if(authUserName != null){
@@ -200,46 +226,98 @@ public class RangerKRBAuthenticationFilter extends RangerKrbFilter {
 			userName = sessionUserName;
 		}
 
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("Remote user from request = " + request.getRemoteUser());
+		}
+
 		if((isSpnegoEnable(authType) && (!StringUtils.isEmpty(userName)))){
 			Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
 			if(existingAuth == null || !existingAuth.isAuthenticated()){
 				//--------------------------- To Create Ranger Session --------------------------------------
 				String rangerLdapDefaultRole = PropertiesUtil.getProperty("ranger.ldap.default.role", "ROLE_USER");
-				//if we get the userName from the token then log into ranger using the same user
-				final List<GrantedAuthority> grantedAuths = new ArrayList<>();
-				grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole));
-				final UserDetails principal = new User(userName, "",grantedAuths);
-				final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, "", grantedAuths);
-				WebAuthenticationDetails webDetails = new WebAuthenticationDetails(request);
-				((AbstractAuthenticationToken) finalAuthentication).setDetails(webDetails);
-				RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider();
-				Authentication authentication = authenticationProvider.authenticate(finalAuthentication);
-				authentication = getGrantedAuthority(authentication);
-				if(authentication != null && authentication.isAuthenticated()) {
-					if (request.getParameterMap().containsKey("doAs")) {
-						if(!response.isCommitted()) {
+				if(LOG.isDebugEnabled()) {
+					LOG.debug("Http headers: " + Collections.list(request.getHeaderNames()).toString());
+				}
+				String doAsUser = request.getParameter("doAs");
+
+				if (allowTrustedProxy && doAsUser != null && !doAsUser.isEmpty()) {
+					if(LOG.isDebugEnabled()) {
+						LOG.debug("userPrincipal from request = " + request.getUserPrincipal() + " request paramerters = " + request.getParameterMap().keySet());
+					}
+					AuthenticationToken authToken = (AuthenticationToken)request.getUserPrincipal();
+					if(authToken != null && authToken != AuthenticationToken.ANONYMOUS) {
+						if(LOG.isDebugEnabled()) {
+							LOG.debug("remote user from authtoken = " + authToken.getUserName());
+						}
+						UserGroupInformation ugi = UserGroupInformation.createRemoteUser(authToken.getUserName(), SaslRpcServer.AuthMethod.KERBEROS);
+						if(ugi != null) {
+							ugi = UserGroupInformation.createProxyUser(doAsUser, ugi);
 							if(LOG.isDebugEnabled()) {
-								LOG.debug("Request contains unsupported parameter, doAs.");
+								LOG.debug("Real user from UGI = " + ugi.getRealUser().getShortUserName());
+							}
+
+							try {
+								ProxyUsers.authorize(ugi, request.getRemoteAddr());
+							} catch (AuthorizationException ex) {
+								HttpExceptionUtils.createServletExceptionResponse(response, 403, ex);
+								if(LOG.isDebugEnabled()) {
+									LOG.debug("Authentication exception: " + ex.getMessage(), ex);
+								} else {
+									LOG.warn("Authentication exception: " + ex.getMessage());
+								}
+								return;
 							}
-							request.setAttribute("spnegoenabled", false);
-							response.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing authentication token.");
+							final List<GrantedAuthority> grantedAuths = new ArrayList<>();
+							grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole));
+							final UserDetails principal = new User(doAsUser, "", grantedAuths);
+							Authentication authentication = new UsernamePasswordAuthenticationToken(principal, "", grantedAuths);
+							WebAuthenticationDetails webDetails = new WebAuthenticationDetails(request);
+							((AbstractAuthenticationToken) authentication).setDetails(webDetails);
+							authentication = getGrantedAuthority(authentication);
+							SecurityContextHolder.getContext().setAuthentication(authentication);
+							request.setAttribute("spnegoEnabled", true);
+							LOG.info("Logged into Ranger as doAsUser = " + doAsUser + ", by authenticatedUser=" + authToken.getUserName());
 						}
+
 					}
-					if(request.getParameterMap().containsKey("user.name")) {
-						if(!response.isCommitted()) {
-							if(LOG.isDebugEnabled()) {
-								LOG.debug("Request contains an unsupported parameter user.name");
+
+				}else {
+					//if we get the userName from the token then log into ranger using the same user
+					final List<GrantedAuthority> grantedAuths = new ArrayList<>();
+					grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole));
+					final UserDetails principal = new User(userName, "", grantedAuths);
+					final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, "", grantedAuths);
+					WebAuthenticationDetails webDetails = new WebAuthenticationDetails(request);
+					((AbstractAuthenticationToken) finalAuthentication).setDetails(webDetails);
+					RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider();
+					Authentication authentication = authenticationProvider.authenticate(finalAuthentication);
+					authentication = getGrantedAuthority(authentication);
+					if (authentication != null && authentication.isAuthenticated()) {
+						if (request.getParameterMap().containsKey("doAs")) {
+							if (!response.isCommitted()) {
+								if (LOG.isDebugEnabled()) {
+									LOG.debug("Request contains unsupported parameter, doAs.");
+								}
+								request.setAttribute("spnegoenabled", false);
+								response.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing authentication token.");
+							}
+						}
+						if (request.getParameterMap().containsKey("user.name")) {
+							if (!response.isCommitted()) {
+								if (LOG.isDebugEnabled()) {
+									LOG.debug("Request contains an unsupported parameter user.name");
+								}
+								request.setAttribute("spnegoenabled", false);
+								response.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing authentication token.");
+							} else {
+								LOG.info("Response seems to be already committed for user.name.");
 							}
-							request.setAttribute("spnegoenabled", false);
-							response.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing authentication token.");
-						} else {
-							LOG.info("Response seems to be already committed for user.name.");
 						}
 					}
+					SecurityContextHolder.getContext().setAuthentication(authentication);
+					request.setAttribute("spnegoEnabled", true);
+					LOG.info("Logged into Ranger as = " + userName);
 				}
-				SecurityContextHolder.getContext().setAuthentication(authentication);
-				request.setAttribute("spnegoEnabled", true);
-				LOG.info("Logged into Ranger as = "+userName);
 				filterChain.doFilter(request, response);
 			}else{
 				try{
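Review bot: In the trusted-proxy branch, a request that carries `doAs` but whose principal is null or `AuthenticationToken.ANONYMOUS` (or for which `createRemoteUser` returns null) skips every inner `if` and still reaches `filterChain.doFilter(request, response)` with no authentication set and no error sent, so the impersonation request is silently passed on instead of refused. The unchecked cast `(AuthenticationToken)request.getUserPrincipal()` will also throw `ClassCastException` if another filter has installed a different principal type. I would guard the cast with `instanceof` and reject up front with a 403, as the `AuthorizationException` path already does; if falling through to later filters is intended, a comment should say so. Separately, `doAsUser` comes straight from the request parameter and is written to the INFO log unescaped, so replacing CR/LF before logging keeps that audit line trustworthy. The enclosing method starts and ends outside this hunk.

```java
String doAsUser = request.getParameter("doAs");

if (allowTrustedProxy && doAsUser != null && !doAsUser.isEmpty()) {
	Object proxyPrincipal = request.getUserPrincipal();
	if (!(proxyPrincipal instanceof AuthenticationToken) || proxyPrincipal == AuthenticationToken.ANONYMOUS) {
		// No usable Kerberos identity for the caller: refuse the impersonation
		// request instead of passing it down the chain unauthenticated.
		LOG.warn("Rejecting doAs request: caller has no authenticated principal");
		response.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing authentication token.");
		return;
	}
	AuthenticationToken authToken = (AuthenticationToken) proxyPrincipal;
	// … unchanged: createRemoteUser / createProxyUser, ProxyUsers.authorize, session creation …
	String safeDoAsUser = doAsUser.replaceAll("[\\r\\n]", "_");
	LOG.info("Logged into Ranger as doAsUser = " + safeDoAsUser + ", by authenticatedUser=" + authToken.getUserName());
```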


[15/28] ranger git commit: RANGER-2303:Add kylin-plugin infomation to README.txt

Posted by me...@apache.org.
RANGER-2303:Add kylin-plugin infomation to README.txt

Signed-off-by: peng.jianhua <pe...@zte.com.cn>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/58ca383c
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/58ca383c
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/58ca383c

Branch: refs/heads/ranger-1
Commit: 58ca383c6c2d7f576d651f0d33bacaa5c406f41f
Parents: ae120d0
Author: zhangqiang2 <zh...@zte.com.cn>
Authored: Wed Dec 5 14:10:10 2018 +0800
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:43:49 2018 +0530

----------------------------------------------------------------------
 README.txt | 2 ++
 1 file changed, 2 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/58ca383c/README.txt
----------------------------------------------------------------------
diff --git a/README.txt b/README.txt
index e54ce33..8aa1779 100644
--- a/README.txt
+++ b/README.txt
@@ -52,6 +52,7 @@ Build Process
    ranger-<version>-tagsync.tar.gz
    ranger-<version>-usersync.tar.gz
    ranger-<version>-yarn-plugin.tar.gz
+   ranger-<version>-kylin-plugin.tar.gz
 
 Importing Apache Ranger Project into Eclipse
 ============================================
@@ -77,6 +78,7 @@ Installation Host Information
     (f)  Kafka/Solr Plugin needs to be installed on their respective component hosts.
     (g)  YARN plugin needs to be installed on YARN Resource Manager hosts
     (h)  Sqoop plugin needs to be installed on Sqoop2 hosts
+    (i)  Kylin plugin needs to be installed on Kylin hosts
 
 Installation Process
 ~~~~~~~~~~~~~~~~~~~~


[10/28] ranger git commit: RANGER-2264:Kafka default policies for new resources are not showing up in UI when upgrade is done from older version

Posted by me...@apache.org.
RANGER-2264:Kafka default policies for new resources are not showing up in UI when upgrade is done from older version

Signed-off-by: rmani <rm...@hortonworks.com>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/8ecf24b7
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/8ecf24b7
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/8ecf24b7

Branch: refs/heads/ranger-1
Commit: 8ecf24b797f1d60e0fd9369df5af40ef0d52e94c
Parents: 16d2d3e
Author: rmani <rm...@hortonworks.com>
Authored: Tue Oct 23 18:20:01 2018 -0700
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:42:57 2018 +0530

----------------------------------------------------------------------
 .../PatchForKafkaServiceDefUpdate_J10025.java   | 75 ++++++++++++++++++--
 1 file changed, 71 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/8ecf24b7/security-admin/src/main/java/org/apache/ranger/patch/PatchForKafkaServiceDefUpdate_J10025.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/patch/PatchForKafkaServiceDefUpdate_J10025.java b/security-admin/src/main/java/org/apache/ranger/patch/PatchForKafkaServiceDefUpdate_J10025.java
index 0ef1544..f15a278 100644
--- a/security-admin/src/main/java/org/apache/ranger/patch/PatchForKafkaServiceDefUpdate_J10025.java
+++ b/security-admin/src/main/java/org/apache/ranger/patch/PatchForKafkaServiceDefUpdate_J10025.java
@@ -19,6 +19,7 @@ package org.apache.ranger.patch;
 
 import org.apache.commons.lang.StringUtils;
 import org.apache.log4j.Logger;
+import org.apache.ranger.authorization.utils.JsonUtils;
 import org.apache.ranger.biz.RangerBizUtil;
 import org.apache.ranger.biz.ServiceDBStore;
 import org.apache.ranger.common.GUIDUtil;
@@ -53,6 +54,7 @@ import org.springframework.stereotype.Component;
 
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -292,9 +294,9 @@ public class PatchForKafkaServiceDefUpdate_J10025 extends BaseLoader {
 				xxPolicy.setGuid(guidUtil.genGUID());
 				xxPolicy.setAddedByUserId(currentUserId);
 				xxPolicy.setUpdatedByUserId(currentUserId);
-				RangerPolicy rangerPolicy = new RangerPolicy();
-				RangerPolicyResourceSignature resourceSignature = new RangerPolicyResourceSignature(rangerPolicy);
-				xxPolicy.setResourceSignature(resourceSignature.getSignature());
+				RangerPolicy rangerPolicy = getRangerPolicy(newResource,xxPortalUser,xxService);
+				xxPolicy.setPolicyText(JsonUtils.objectToJson(rangerPolicy));
+				xxPolicy.setResourceSignature(rangerPolicy.getResourceSignature());
 				XXPolicy createdPolicy = daoMgr.getXXPolicy().create(xxPolicy);
 
 				XXPolicyItem xxPolicyItem = new XXPolicyItem();
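Review bot: The JSON stored by `xxPolicy.setPolicyText(JsonUtils.objectToJson(rangerPolicy))` is produced before `daoMgr.getXXPolicy().create(xxPolicy)` runs, and it comes from `getRangerPolicy` (added in the last hunk of this file), which sets `policy.setId(0L)` and `policy.setGuid("")`. The stored policy text therefore carries neither the GUID from `xxPolicy.setGuid(guidUtil.genGUID())` nor the id the database assigns. If any reader trusts the id or guid inside `policyText`, it will see 0 and an empty string; I would pass the generated GUID into the helper and rewrite the text once `createdPolicy.getId()` is known, or add a comment stating that consumers always take both values from the row. The enclosing method starts and ends outside this hunk.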
@@ -307,7 +309,7 @@ public class PatchForKafkaServiceDefUpdate_J10025 extends BaseLoader {
 				xxPolicyItem.setPolicyId(createdPolicy.getId());
 				XXPolicyItem createdXXPolicyItem = daoMgr.getXXPolicyItem().create(xxPolicyItem);
 
-				List<String> accessTypes = Arrays.asList("create", "delete", "configure", "alter_configs", "describe", "describe_configs", "consume", "publish", "kafka_admin","idempotent_write");
+				List<String> accessTypes = getAccessTypes();
 				for (int i = 0; i < accessTypes.size(); i++) {
 					XXAccessTypeDef xAccTypeDef = daoMgr.getXXAccessTypeDef().findByNameAndServiceId(accessTypes.get(i),
 							xxPolicy.getService());
@@ -378,4 +380,69 @@ public class PatchForKafkaServiceDefUpdate_J10025 extends BaseLoader {
 		}
 		logger.info("<== createDefaultPolicyForNewResources ");
 	}
+
+
+	private RangerPolicy getRangerPolicy(String newResource, XXPortalUser xxPortalUser, XXService xxService) {
+		RangerPolicy policy = new RangerPolicy();
+
+		List<RangerPolicy.RangerPolicyItemAccess> accesses = getPolicyItemAccesses();
+		List<String> users = new ArrayList<>(DEFAULT_POLICY_USERS);
+		List<String> groups = new ArrayList<>();
+		List<RangerPolicy.RangerPolicyItemCondition> conditions = new ArrayList<>();
+		List<RangerPolicy.RangerPolicyItem> policyItems = new ArrayList<>();
+		RangerPolicy.RangerPolicyItem rangerPolicyItem = new RangerPolicy.RangerPolicyItem();
+		rangerPolicyItem.setAccesses(accesses);
+		rangerPolicyItem.setConditions(conditions);
+		rangerPolicyItem.setGroups(groups);
+		rangerPolicyItem.setUsers(users);
+		rangerPolicyItem.setDelegateAdmin(false);
+
+		policyItems.add(rangerPolicyItem);
+
+		Map<String, RangerPolicy.RangerPolicyResource> policyResource = new HashMap<>();
+		RangerPolicy.RangerPolicyResource rangerPolicyResource = new RangerPolicy.RangerPolicyResource();
+		rangerPolicyResource.setIsExcludes(false);
+		rangerPolicyResource.setIsRecursive(false);
+		rangerPolicyResource.setValue("*");
+		String policyResourceName = KAFKA_RESOURCE_CLUSTER;
+		if ("all - delegationtoken".equals(newResource)) {
+			policyResourceName = KAFKA_RESOURCE_DELEGATIONTOKEN;
+		}
+		policyResource.put(policyResourceName, rangerPolicyResource);
+		policy.setCreateTime(new Date());
+		policy.setDescription(newResource);
+		policy.setIsEnabled(true);
+		policy.setName(newResource);
+		policy.setCreatedBy(xxPortalUser.getLoginId());
+		policy.setUpdatedBy(xxPortalUser.getLoginId());
+		policy.setUpdateTime(new Date());
+		policy.setService(xxService.getName());
+		policy.setIsAuditEnabled(true);
+		policy.setPolicyItems(policyItems);
+		policy.setResources(policyResource);
+		policy.setPolicyType(0);
+		policy.setId(0L);
+		policy.setGuid("");
+		policy.setPolicyLabels(new ArrayList<>());
+		policy.setVersion(1L);
+		RangerPolicyResourceSignature resourceSignature = new RangerPolicyResourceSignature(policy);
+		policy.setResourceSignature(resourceSignature.getSignature());
+		return policy;
+	}
+
+	private List<String> getAccessTypes() {
+		List<String> accessTypes = Arrays.asList("create", "delete", "configure", "alter_configs", "describe", "describe_configs", "consume", "publish", "kafka_admin", "idempotent_write");
+		return accessTypes;
+	}
+
+	private ArrayList<RangerPolicy.RangerPolicyItemAccess> getPolicyItemAccesses() {
+		ArrayList<RangerPolicy.RangerPolicyItemAccess> rangerPolicyItemAccesses = new ArrayList<>();
+		for(String type:getAccessTypes()) {
+			RangerPolicy.RangerPolicyItemAccess policyItemAccess = new  RangerPolicy.RangerPolicyItemAccess();
+			policyItemAccess.setType(type);
+			policyItemAccess.setIsAllowed(true);
+			rangerPolicyItemAccesses.add(policyItemAccess);
+		}
+		return rangerPolicyItemAccesses;
+	}
 }
\ No newline at end of file
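Review bot: `getRangerPolicy` builds a policy that allows every access type returned by `getAccessTypes()` on the resource value `*` for `DEFAULT_POLICY_USERS`, and nothing in the method says that this is its purpose. A short Javadoc should state that it is the in-memory form of the default policy for a new Kafka resource, and that any `newResource` other than `"all - delegationtoken"` is mapped to `KAFKA_RESOURCE_CLUSTER`. On style, `new Date()` is called twice, so create and update times can differ by a few milliseconds; one `Date now = new Date();` used for both is clearer. `getAccessTypes()` could be a `private static final List<String>` constant, and `getPolicyItemAccesses()` can return `List<RangerPolicy.RangerPolicyItemAccess>` rather than the concrete `ArrayList`. The file also still ends without a trailing newline.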


[20/28] ranger git commit: RANGER-2282: The error message for changing password is incorrect in User Profile page.

Posted by me...@apache.org.
RANGER-2282: The error message for changing password is incorrect in User Profile page.

Signed-off-by: peng.jianhua <pe...@zte.com.cn>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/9dbd4c97
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/9dbd4c97
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/9dbd4c97

Branch: refs/heads/ranger-1
Commit: 9dbd4c97f975d4990763ece30550519cf2d28c5e
Parents: 6596dcd
Author: zhangqiang2 <zh...@zte.com.cn>
Authored: Tue Nov 13 10:48:04 2018 +0800
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:44:40 2018 +0530

----------------------------------------------------------------------
 security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java  | 4 ++--
 security-admin/src/main/webapp/scripts/views/user/UserProfile.js | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/9dbd4c97/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index 2a638f8..9e45782 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -418,7 +418,7 @@ public class UserMgr {
 		String encryptedOldPwd = encrypt(pwdChange.getLoginId(),pwdChange.getOldPassword());
 		if (!stringUtil.equals(encryptedOldPwd, gjUser.getPassword())) {
 			logger.info("changePassword(). Invalid old password. LoginId="+ pwdChange.getLoginId());
-			throw restErrorUtil.createRESTException("serverMsg.userMgrOldPassword",MessageEnums.INVALID_INPUT_DATA, null, null,pwdChange.getLoginId());
+			throw restErrorUtil.createRESTException("validationMessages.oldPasswordError",MessageEnums.INVALID_INPUT_DATA, null, null,pwdChange.getLoginId());
 		}
 
 		//validate new password
@@ -448,7 +448,7 @@ public class UserMgr {
 		} else {
 			ret.setMsgDesc("Password update failed");
 			ret.setStatusCode(VXResponse.STATUS_ERROR);
-			throw restErrorUtil.createRESTException("serverMsg.userMgrNewPassword",MessageEnums.INVALID_INPUT_DATA, gjUser.getId(),"password", gjUser.toString());
+			throw restErrorUtil.createRESTException("serverMsg.userMgrOldPassword",MessageEnums.INVALID_INPUT_DATA, gjUser.getId(),"password", gjUser.toString());
 		}
 		return ret;
 	}
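Review bot: The `createRESTException` call in the "Password update failed" branch passes `gjUser.toString()` as its last argument, and this hunk does not show where that value ends up. If it reaches the REST response or the server log and `toString()` includes the stored password value or other account fields, the error path discloses them. Passing only the login id, as the call in the first hunk does with `pwdChange.getLoginId()`, would avoid that. The key `serverMsg.userMgrOldPassword` is now thrown from the update-failed path rather than the wrong-old-password path, so a comment such as `// key is matched by UserProfile.js to flag the new-password field` would record why the name no longer matches the condition. The method starts outside this hunk.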

http://git-wip-us.apache.org/repos/asf/ranger/blob/9dbd4c97/security-admin/src/main/webapp/scripts/views/user/UserProfile.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/user/UserProfile.js b/security-admin/src/main/webapp/scripts/views/user/UserProfile.js
index 8e60b53..408b311 100644
--- a/security-admin/src/main/webapp/scripts/views/user/UserProfile.js
+++ b/security-admin/src/main/webapp/scripts/views/user/UserProfile.js
@@ -171,7 +171,7 @@ define(function(require){
 						that.form.fields.newPassword.setError(localization.tt('validationMessages.newPasswordError'));
 						that.form.fields.reEnterPassword.setError(localization.tt('validationMessages.newPasswordError'));
 					}else if((msResponse.responseJSON.msgDesc) == "serverMsg.userMgrOldPassword"){
-						that.form.fields.oldPassword.setError(localization.tt('validationMessages.oldPasswordRepeatError'));
+						that.form.fields.newPassword.setError(localization.tt('validationMessages.oldPasswordRepeatError'));
                                         }else if(msResponse.status == 419){
                                                 XAUtil.defaultErrorHandler(options , msResponse);
 					} else {
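Review bot: This branch matches the bare string `"serverMsg.userMgrOldPassword"`, which after this commit UserMgr.java throws from its "Password update failed" path, while the wrong-old-password path now throws `validationMessages.oldPasswordError`, for which no branch is visible in this hunk. The earlier branches of the chain are outside the hunk, so please confirm that a wrong old password still gets a specific message on the `oldPassword` field rather than falling to the generic `else`. `msResponse.responseJSON.msgDesc` is also read before the `msResponse.status == 419` check, so a 419 response without a JSON body would presumably throw before reaching its handler; moving the status check first, or guarding with `msResponse.responseJSON &&`, avoids that.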


[06/28] ranger git commit: RANGER-2237: Upgrade Kylin version to 2.5.0

Posted by me...@apache.org.
RANGER-2237: Upgrade Kylin version to 2.5.0

Signed-off-by: peng.jianhua <pe...@zte.com.cn>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/b08b52cb
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/b08b52cb
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/b08b52cb

Branch: refs/heads/ranger-1
Commit: b08b52cbb3845592693721622f4fa6344989d6b6
Parents: ee45ff0
Author: zhangqiang2 <zh...@zte.com.cn>
Authored: Mon Oct 8 09:51:12 2018 +0800
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:41:14 2018 +0530

----------------------------------------------------------------------
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/b08b52cb/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 99dc0db..5f84398 100644
--- a/pom.xml
+++ b/pom.xml
@@ -184,7 +184,7 @@
         <kafka.version>1.0.0</kafka.version>
         <kerby.version>1.0.0</kerby.version>
         <knox.gateway.version>1.1.0</knox.gateway.version>
-        <kylin.version>2.3.0</kylin.version>
+        <kylin.version>2.5.0</kylin.version>
         <libpam4j.version>1.10</libpam4j.version>
         <local.lib.dir>${project.basedir}/../lib/local</local.lib.dir>
         <log4j.version>1.2.17</log4j.version>


[19/28] ranger git commit: RANGER-2289: Unable to get Audit Admin tab page

Posted by me...@apache.org.
RANGER-2289: Unable to get Audit Admin tab page

Signed-off-by: peng.jianhua <pe...@zte.com.cn>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/6596dcda
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/6596dcda
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/6596dcda

Branch: refs/heads/ranger-1
Commit: 6596dcdae11dbf3ba7558aa91db7c77f0d48629b
Parents: dcfd789
Author: zhangqiang2 <zh...@zte.com.cn>
Authored: Tue Nov 20 17:43:07 2018 +0800
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:44:29 2018 +0530

----------------------------------------------------------------------
 .../src/main/webapp/scripts/utils/XAUtils.js       | 17 ++++++++---------
 .../webapp/scripts/views/reports/AuditLayout.js    |  4 ++--
 2 files changed, 10 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/6596dcda/security-admin/src/main/webapp/scripts/utils/XAUtils.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/utils/XAUtils.js b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
index bb88ec3..d85dc7a 100644
--- a/security-admin/src/main/webapp/scripts/utils/XAUtils.js
+++ b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
@@ -770,15 +770,14 @@ define(function(require) {
 					text : m.attributes.category
 				});
 				var extraParam = {};
-				if (_.has(serverParamName, 'multiple')
-						&& serverParamName.multiple) {
-					extraParam[serverParamName.label] = XAUtils
-							.enumLabelToValue(serverParamName.optionsArr, m
-									.get('value'));
-					;
-					$.extend(params, extraParam);
-				} else {
-					if (!_.isUndefined(serverParamName)) {
+				if (!_.isUndefined(serverParamName)) {
+					if (_.has(serverParamName, 'multiple')
+							&& serverParamName.multiple) {
+						extraParam[serverParamName.label] = XAUtils
+								.enumLabelToValue(serverParamName.optionsArr, m
+										.get('value'));
+						$.extend(params, extraParam);
+					} else {
 						extraParam[serverParamName.label] = m.get('value');
 						$.extend(params, extraParam);
 					}

http://git-wip-us.apache.org/repos/asf/ranger/blob/6596dcda/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js b/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
index fe9566c..56385bc 100644
--- a/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
+++ b/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
@@ -443,8 +443,8 @@ define(function(require) {
 			})
 			if(!_.isUndefined(App.sessionId)){
                                 App.vsHistory.admin = [] ;
-				query = '"Session Id": "'+App.sessionId+'"';
-                                App.vsHistory.admin.push(new Backbone.Model({'category':'Session Id', value:App.sessionId}));
+				query = '"Session ID": "'+App.sessionId+'"';
+                                App.vsHistory.admin.push(new Backbone.Model({'category':'Session ID', value:App.sessionId}));
 				delete App.sessionId;
                         }else{
                                 _.map(App.vsHistory.admin, function(a){ query += '"'+a.get('category')+'":"'+a.get('value')+'"'; });
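Review bot: `App.sessionId` is concatenated straight into the search string in `query = '"Session ID": "'+App.sessionId+'"';`, so a value containing `"` would change how the query is split into facets. Where `App.sessionId` is assigned is not visible in this hunk; if it is always a numeric id this is hardening only, and a short comment stating that assumption next to the assignment would settle it. The label `'Session ID'` is also written twice and has to match the category key that the search-parameter lookup expects; holding it in one local variable would keep the two in step. The surrounding function starts above the hunk.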


[07/28] ranger git commit: RANGER-2252:Permission Kafka Admin should not be part of Topic resource in Ranger Kafka resource definition

Posted by me...@apache.org.
RANGER-2252:Permission Kafka Admin should not be part of Topic resource in Ranger Kafka resource definition

Signed-off-by: rmani <rm...@hortonworks.com>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/6efdb0f5
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/6efdb0f5
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/6efdb0f5

Branch: refs/heads/ranger-1
Commit: 6efdb0f5a101ddf6966d8962ddaf9767d628f462
Parents: b08b52c
Author: rmani <rm...@hortonworks.com>
Authored: Tue Oct 16 11:42:27 2018 -0700
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:41:53 2018 +0530

----------------------------------------------------------------------
 .../src/main/resources/service-defs/ranger-servicedef-kafka.json   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/6efdb0f5/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json
index 78ae9ea..800b123 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json
@@ -24,7 +24,7 @@
 			"uiHint":"",
 			"label":"Topic",
 			"description":"Topic",
-			"accessTypeRestrictions": ["create", "delete", "configure", "alter_configs", "describe", "describe_configs", "consume", "publish", "kafka_admin"]
+			"accessTypeRestrictions": ["create", "delete", "configure", "alter_configs", "describe", "describe_configs", "consume", "publish"]
 		},
 		{
 			"itemId":2,


[09/28] ranger git commit: RANGER-2258: Improve the policy list page to prompt users when the service is disabled

Posted by me...@apache.org.
RANGER-2258: Improve the policy list page to prompt users when the service is disabled

Signed-off-by: peng.jianhua <pe...@zte.com.cn>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/16d2d3ea
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/16d2d3ea
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/16d2d3ea

Branch: refs/heads/ranger-1
Commit: 16d2d3ea5ea95f2a449fc657ed1097e5043a6d26
Parents: 584136c
Author: zhangqiang2 <zh...@zte.com.cn>
Authored: Fri Oct 19 15:59:11 2018 +0800
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:42:49 2018 +0530

----------------------------------------------------------------------
 .../webapp/scripts/views/policies/RangerPolicyTableLayout.js     | 4 ++--
 .../webapp/templates/policies/RangerPolicyTableLayout_tmpl.html  | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/16d2d3ea/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js
index 1150838..90ad83e 100644
--- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js
+++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyTableLayout.js
@@ -56,7 +56,7 @@ define(function(require){
 				rangerPolicyType : this.collection.queryParams['policyType'],
 				isRenderAccessTab : XAUtil.isRenderMasking(this.rangerServiceDefModel.get('dataMaskDef')) ? true 
                                         : XAUtil.isRenderRowFilter(this.rangerServiceDefModel.get('rowFilterDef')) ? true : false,
-                isNotAuditorAdminOrKmsAuditor : !(XAUtil.isAuditorOrKMSAuditor(SessionMgr))
+                isAddNewPolicyButtonShow : !(XAUtil.isAuditorOrKMSAuditor(SessionMgr)) && this.rangerService.get('isEnabled')
 			};
 		},
         
@@ -168,7 +168,7 @@ define(function(require){
 				gridOpts : {
 					row: Backgrid.Row.extend({}),
 					header : XABackgrid,
-					emptyText : 'No Policies found!'
+					emptyText : 'No Policies found!' + (this.rangerService.get('isEnabled') ? '' : ' The service is disabled!')
 				},
 			}));
 		},

http://git-wip-us.apache.org/repos/asf/ranger/blob/16d2d3ea/security-admin/src/main/webapp/templates/policies/RangerPolicyTableLayout_tmpl.html
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/templates/policies/RangerPolicyTableLayout_tmpl.html b/security-admin/src/main/webapp/templates/policies/RangerPolicyTableLayout_tmpl.html
index bcd495c..a2b930f 100644
--- a/security-admin/src/main/webapp/templates/policies/RangerPolicyTableLayout_tmpl.html
+++ b/security-admin/src/main/webapp/templates/policies/RangerPolicyTableLayout_tmpl.html
@@ -45,7 +45,7 @@
             </div>
             <div class="span2">
                 <div class="clearfix btn-right">
-                    {{#if isNotAuditorAdminOrKmsAuditor}}
+                    {{#if isAddNewPolicyButtonShow}}
                             <a data-js="addNewPolicy" href="#!/service/{{rangerService.id}}/policies/create/{{this.rangerPolicyType}}" class="btn btn-primary " type="button">{{tt 'lbl.addNewPolicy'}} </a>
                     {{/if}}
                 </div>
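Review bot: `{{#if isAddNewPolicyButtonShow}}` only hides the link; the route in its `href` (`#!/service/{{rangerService.id}}/policies/create/{{this.rangerPolicyType}}`) can still be opened directly for a disabled service or by an auditor. Nothing in this commit shows the create view or the server refusing that case, so the check should be confirmed there rather than relied on here. A template comment such as `{{!-- UI hint only: policy creation must also be refused server-side --}}` above the `#if` would record that.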


[12/28] ranger git commit: RANGER-2248: Sorting does not work in AbstractPredicateUtil.java

Posted by me...@apache.org.
RANGER-2248: Sorting does not work in AbstractPredicateUtil.java

Signed-off-by: peng.jianhua <pe...@zte.com.cn>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/52f62ce4
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/52f62ce4
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/52f62ce4

Branch: refs/heads/ranger-1
Commit: 52f62ce4d940aa89e71b72b41e00372dcb648d1b
Parents: 43d49bd
Author: zhangqiang2 <zh...@zte.com.cn>
Authored: Thu Oct 11 15:26:01 2018 +0800
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:43:16 2018 +0530

----------------------------------------------------------------------
 .../java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/52f62ce4/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java
index 4d2bc62..7446df6 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractPredicateUtil.java
@@ -101,7 +101,7 @@ public class AbstractPredicateUtil {
 	}
 
 	public Comparator<RangerBaseModelObject> getSorter(SearchFilter filter) {
-		String sortBy = filter == null ? null : filter.getParam(SearchFilter.SORT_BY);
+		String sortBy = filter == null ? null : filter.getSortBy();
 
 		if(StringUtils.isEmpty(sortBy)) {
 			return null;
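Review bot: The switch to `filter.getSortBy()` comes without a test (the diffstat lists only this file), and the bug it fixes was a silent one, since sorting simply had no effect. A unit test that passes a `SearchFilter` with a sort field set and asserts that `getSorter` returns a non-null comparator would pin the fix. `getSorter` also uses `null` to mean "no sorting", which deserves a Javadoc line such as `@return a comparator for the requested sort field, or null when the filter names none`. The rest of the method lies outside the hunk.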


[05/28] ranger git commit: RANGER-1958 [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger (Ankit Singhal)

Posted by me...@apache.org.
RANGER-1958 [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger (Ankit Singhal)

Signed-off-by: rmani <rm...@hortonworks.com>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/ee45ff0c
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/ee45ff0c
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/ee45ff0c

Branch: refs/heads/ranger-1
Commit: ee45ff0c35b8f77d59fcc7808476ff3e4c20d1da
Parents: ae77c38
Author: Ankit Singhal <an...@gmail.com>
Authored: Thu Oct 4 16:24:06 2018 -0700
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:40:19 2018 +0530

----------------------------------------------------------------------
 .../hbase/AuthorizationSession.java             |   3 +-
 .../hbase/RangerAuthorizationCoprocessor.java   | 122 ++++++++++++++++++-
 .../hbase/HBaseRangerAuthorizationTest.java     |  71 ++++++++++-
 .../src/test/resources/hbase-policies.json      |  58 +++++++++
 4 files changed, 250 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/ee45ff0c/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
index cdaad00..74293fb 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/AuthorizationSession.java
@@ -174,7 +174,8 @@ public class AuthorizationSession {
 				StringUtils.equals(_operation, "deleteNamespace") ||
 				StringUtils.equals(_operation, "modifyNamespace") ||
 				StringUtils.equals(_operation, "setUserNamespaceQuota") ||
-				StringUtils.equals(_operation, "setNamespaceQuota");
+				StringUtils.equals(_operation, "setNamespaceQuota") ||
+				StringUtils.equals(_operation, "getUserPermissionForNamespace");
 	}
 
 	AuthorizationSession buildRequest() {
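Review bot: The new operation name `"getUserPermissionForNamespace"` is a bare string literal here and again in the `requireGlobalPermission(...)` call added to RangerAuthorizationCoprocessor.getUserPermissions, so a typo in either place would make this comparison quietly evaluate to false for the namespace path. A shared constant, for example `static final String OP_GET_USER_PERMISSION_FOR_NAMESPACE = "getUserPermissionForNamespace";`, used in both files would remove that risk. The method this expression belongs to begins above the hunk, so what a false result leads to is not visible here.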

http://git-wip-us.apache.org/repos/asf/ranger/blob/ee45ff0c/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index d85339a..ddb6d9b 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -19,6 +19,7 @@
 package org.apache.ranger.authorization.hbase;
 import java.io.IOException;
 import java.net.InetAddress;
+import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -29,6 +30,7 @@ import java.util.Iterator;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Map.Entry;
 import java.util.NavigableSet;
 import java.util.Set;
 
@@ -36,6 +38,7 @@ import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hbase.AuthUtil;
 import org.apache.hadoop.hbase.Cell;
 import org.apache.hadoop.hbase.CoprocessorEnvironment;
 import org.apache.hadoop.hbase.HColumnDescriptor;
@@ -83,6 +86,7 @@ import org.apache.hadoop.hbase.regionserver.StoreFile;
 import org.apache.hadoop.hbase.regionserver.wal.WALEdit;
 import org.apache.hadoop.hbase.security.AccessDeniedException;
 import org.apache.hadoop.hbase.security.User;
+import org.apache.hadoop.hbase.security.access.AccessControlLists;
 import org.apache.hadoop.hbase.security.access.Permission;
 import org.apache.hadoop.hbase.security.access.Permission.Action;
 import org.apache.hadoop.hbase.security.access.RangerAccessControlLists;
@@ -97,13 +101,19 @@ import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
 import org.apache.ranger.authorization.utils.StringUtil;
 import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
+import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
+import org.apache.ranger.plugin.policyengine.RangerResourceACLs.AccessResult;
+import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
 import org.apache.ranger.plugin.service.RangerBasePlugin;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
 
 import com.google.common.base.Objects;
 import com.google.common.collect.Lists;
 import com.google.common.collect.MapMaker;
+import com.google.common.collect.Sets;
 import com.google.protobuf.RpcCallback;
 import com.google.protobuf.RpcController;
 import com.google.protobuf.Service;
@@ -1272,8 +1282,116 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 	}
 
 	@Override
-	public void getUserPermissions(RpcController controller, AccessControlProtos.GetUserPermissionsRequest request, RpcCallback<AccessControlProtos.GetUserPermissionsResponse> done) {
-		LOG.debug("getUserPermissions(): ");
+	public void getUserPermissions(RpcController controller, AccessControlProtos.GetUserPermissionsRequest request,
+			RpcCallback<AccessControlProtos.GetUserPermissionsResponse> done) {
+		AccessControlProtos.GetUserPermissionsResponse response = null;
+		try {
+			String operation = "userPermissions";
+			final RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
+			User user = getActiveUser();
+			Set<String> groups = _userUtils.getUserGroups(user);
+			if (groups.isEmpty() && user.getUGI() != null) {
+				String[] groupArray = user.getUGI().getGroupNames();
+				if (groupArray != null) {
+					groups = Sets.newHashSet(groupArray);
+				}
+			}
+			RangerAccessRequestImpl rangerAccessrequest = new RangerAccessRequestImpl(resource, null,
+					_userUtils.getUserAsString(user), groups);
+			rangerAccessrequest.setAction(operation);
+			rangerAccessrequest.setClientIPAddress(getRemoteAddress());
+			rangerAccessrequest.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF);
+			rangerAccessrequest.setClusterName(hbasePlugin.getClusterName());
+			List<UserPermission> perms = null;
+			if (request.getType() == AccessControlProtos.Permission.Type.Table) {
+				final TableName table = request.hasTableName() ? ProtobufUtil.toTableName(request.getTableName())
+						: null;
+				requirePermission(operation, table.getName(), Action.ADMIN);
+				resource.setValue(RangerHBaseResource.KEY_TABLE, table.getNameAsString());
+				perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
+					@Override
+					public List<UserPermission> run() throws Exception {
+						return getUserPrermissions(
+								hbasePlugin.getCurrentRangerAuthContext().getResourceACLs(rangerAccessrequest),
+								table.getNameAsString(), false);
+					}
+				});
+			} else if (request.getType() == AccessControlProtos.Permission.Type.Namespace) {
+				final String namespace = request.getNamespaceName().toStringUtf8();
+				requireGlobalPermission("getUserPermissionForNamespace", namespace, Action.ADMIN);
+				resource.setValue(RangerHBaseResource.KEY_TABLE, namespace + RangerHBaseResource.NAMESPACE_SEPARATOR);
+				rangerAccessrequest.setRequestData(namespace);
+				perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
+					@Override
+					public List<UserPermission> run() throws Exception {
+						return getUserPrermissions(
+								hbasePlugin.getCurrentRangerAuthContext().getResourceACLs(rangerAccessrequest),
+								namespace, true);
+					}
+				});
+			} else {
+				requirePermission("userPermissions", Action.ADMIN);
+				perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
+					@Override
+					public List<UserPermission> run() throws Exception {
+						return getUserPrermissions(
+								hbasePlugin.getCurrentRangerAuthContext().getResourceACLs(rangerAccessrequest), null,
+								false);
+					}
+				});
+				if (_userUtils.isSuperUser(user)) {
+					perms.add(new UserPermission(Bytes.toBytes(_userUtils.getUserAsString(user)),
+							AccessControlLists.ACL_TABLE_NAME, null, Action.values()));
+				}
+			}
+			response = ResponseConverter.buildGetUserPermissionsResponse(perms);
+		} catch (IOException ioe) {
+			// pass exception back up
+			ResponseConverter.setControllerException(controller, ioe);
+		}
+		done.run(response);
+	}
+
+	private List<UserPermission> getUserPrermissions(RangerResourceACLs rangerResourceACLs, String resource,
+			boolean isNamespace) {
+		List<UserPermission> userPermissions = new ArrayList<UserPermission>();
+		Action[] hbaseActions = Action.values();
+		List<String> hbaseActionsList = new ArrayList<String>();
+		for (Action action : hbaseActions) {
+			hbaseActionsList.add(action.name());
+		}
+		addPermission(rangerResourceACLs.getUserACLs(), isNamespace, hbaseActionsList, userPermissions, resource,
+				false);
+		addPermission(rangerResourceACLs.getGroupACLs(), isNamespace, hbaseActionsList, userPermissions, resource,
+				true);
+		return userPermissions;
+	}
+
+	private void addPermission(Map<String, Map<String, AccessResult>> acls, boolean isNamespace,
+			List<String> hbaseActionsList, List<UserPermission> userPermissions, String resource, boolean isGroup) {
+		for (Entry<String, Map<String, AccessResult>> userAcls : acls.entrySet()) {
+			String user = !isGroup ? userAcls.getKey() : AuthUtil.toGroupEntry(userAcls.getKey());
+			List<Action> allowedPermissions = new ArrayList<Action>();
+			for (Entry<String, AccessResult> permissionAccess : userAcls.getValue().entrySet()) {
+				String permission = permissionAccess.getKey().toUpperCase();
+				if (hbaseActionsList.contains(permission)
+						&& permissionAccess.getValue().getResult() == RangerPolicyEvaluator.ACCESS_ALLOWED) {
+					allowedPermissions.add(Action.valueOf(permission));
+				}
+
+			}
+			if (!allowedPermissions.isEmpty()) {
+				UserPermission up = null;
+				if (isNamespace) {
+					up = new UserPermission(Bytes.toBytes(user), resource,
+							allowedPermissions.toArray(new Action[allowedPermissions.size()]));
+				} else {
+					up = new UserPermission(Bytes.toBytes(user), TableName.valueOf(resource), null, null,
+							allowedPermissions.toArray(new Action[allowedPermissions.size()]));
+				}
+				userPermissions.add(up);
+			}
+		}
 	}
 
 	@Override
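Review bot: In the table branch `table` is set to `null` when `request.hasTableName()` is false and is then dereferenced in `requirePermission(operation, table.getName(), Action.ADMIN)`. The resulting NullPointerException is not an IOException, so it bypasses the `catch` and `done.run(response)` is never reached. The global branch has a similar gap: it passes `resource == null` with `isNamespace == false`, and `addPermission` then calls `TableName.valueOf(resource)` as soon as any permission is allowed, which presumably fails on null. Rejecting a request without a table name up front and handling the null resource explicitly, as sketched below, closes both paths; the `ACL_TABLE_NAME` choice mirrors the superuser entry a few lines up and should be confirmed. Separately, the helper name `getUserPrermissions` is misspelled.

```java
			if (request.getType() == AccessControlProtos.Permission.Type.Table) {
				if (!request.hasTableName()) {
					// IOException is routed to the controller by the existing catch block
					throw new IOException("getUserPermissions(): request has no table name");
				}
				final TableName table = ProtobufUtil.toTableName(request.getTableName());
				// … unchanged: requirePermission, resource.setValue, runAsLoginUser for the table …

	// in addPermission(), non-namespace branch:
					// the global lookup passes resource == null; do not hand null to TableName.valueOf
					TableName tableName = resource == null ? AccessControlLists.ACL_TABLE_NAME
							: TableName.valueOf(resource);
					up = new UserPermission(Bytes.toBytes(user), tableName, null, null,
							allowedPermissions.toArray(new Action[allowedPermissions.size()]));
```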

http://git-wip-us.apache.org/repos/asf/ranger/blob/ee45ff0c/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java
index 3840885..f1cd893 100644
--- a/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java
+++ b/hbase-agent/src/test/java/org/apache/ranger/authorization/hbase/HBaseRangerAuthorizationTest.java
@@ -42,6 +42,9 @@ import org.apache.hadoop.hbase.client.Put;
 import org.apache.hadoop.hbase.client.Result;
 import org.apache.hadoop.hbase.client.Table;
 import org.apache.hadoop.hbase.protobuf.generated.HBaseProtos;
+import org.apache.hadoop.hbase.security.access.AccessControlClient;
+import org.apache.hadoop.hbase.security.access.Permission;
+import org.apache.hadoop.hbase.security.access.UserPermission;
 import org.apache.hadoop.hbase.util.Bytes;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.junit.Assert;
@@ -116,6 +119,15 @@ public class HBaseRangerAuthorizationTest {
             admin.createTable(tableDescriptor);
         }
 
+		if (!admin.tableExists(TableName.valueOf("default:temp5"))) {
+			HTableDescriptor tableDescriptor = new HTableDescriptor(TableName.valueOf("default:temp5"));
+
+			// Adding column families to table descriptor
+			tableDescriptor.addFamily(new HColumnDescriptor("colfam1"));
+
+			admin.createTable(tableDescriptor);
+		}
+
         // Add a new row
         Put put = new Put(Bytes.toBytes("row1"));
         put.addColumn(Bytes.toBytes("colfam1"), Bytes.toBytes("col1"), Bytes.toBytes("val1"));
@@ -174,7 +186,7 @@ public class HBaseRangerAuthorizationTest {
         for (HTableDescriptor desc : tableDescriptors) {
             LOG.info("Found table:[" + desc.getTableName().getNameAsString() + "]");
         }
-        Assert.assertEquals(2, tableDescriptors.length);
+        Assert.assertEquals(3, tableDescriptors.length);
 
         conn.close();
     }
@@ -961,6 +973,63 @@ public class HBaseRangerAuthorizationTest {
         conn.close();
     }
 
+	@Test
+	public void testGetUserPermission() throws Throwable {
+		final Configuration conf = HBaseConfiguration.create();
+		conf.set("hbase.zookeeper.quorum", "localhost");
+		conf.set("hbase.zookeeper.property.clientPort", "" + port);
+		conf.set("zookeeper.znode.parent", "/hbase-unsecure");
+		String user = "IT";
+		UserGroupInformation ugi = UserGroupInformation.createUserForTesting(user, new String[] { "IT" });
+		ugi.doAs(new PrivilegedExceptionAction<Void>() {
+			public Void run() throws Exception {
+				try (Connection conn = ConnectionFactory.createConnection(conf)) {
+					AccessControlClient.getUserPermissions(conn, "temp");
+					Assert.fail();
+				} catch (Throwable e) {
+					// expected
+				}
+				return null;
+			}
+
+		});
+
+		user = "QA";
+		ugi = UserGroupInformation.createUserForTesting(user, new String[] { "QA" });
+		ugi.doAs(new PrivilegedExceptionAction<Void>() {
+			public Void run() throws Exception {
+				List<UserPermission> userPermissions;
+				try (Connection conn = ConnectionFactory.createConnection(conf)) {
+					userPermissions = AccessControlClient.getUserPermissions(conn, "@test_namespace");
+				} catch (Throwable e) {
+					throw new Exception(e);
+				}
+				boolean found = false;
+				for (UserPermission namespacePermission : userPermissions) {
+					if (namespacePermission.hasNamespace()) {
+						found = Bytes.equals(namespacePermission.getUser(), Bytes.toBytes("@QA"));
+						if (found) {
+							break;
+						}
+					}
+				}
+				Assert.assertTrue("QA is not found", found);
+				return null;
+			}
+		});
+
+		List<UserPermission> userPermissions;
+		try (Connection conn = ConnectionFactory.createConnection(conf)) {
+			userPermissions = AccessControlClient.getUserPermissions(conn, "temp5");
+		} catch (Throwable e) {
+			throw new Exception(e);
+		}
+		UserPermission userPermission = new UserPermission(Bytes.toBytes("@IT"), TableName.valueOf("temp5"), null,
+				Permission.Action.READ, Permission.Action.WRITE);
+		Assert.assertTrue("@IT permission should be there", userPermissions.contains(userPermission));
+
+	}
+
     private static int getFreePort() throws IOException {
         ServerSocket serverSocket = new ServerSocket(0);
         int port = serverSocket.getLocalPort();
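Review bot: The denied-access check for user `IT` in `testGetUserPermission` cannot fail: `Assert.fail()` throws an AssertionError, which the following `catch (Throwable e)` swallows as "expected", so the test passes even if `AccessControlClient.getUserPermissions(conn, "temp")` succeeds. Either catch only the exception type the denial produces, or rethrow assertion failures first inside the catch with `if (e instanceof AssertionError) { throw (AssertionError) e; }`. As written, the negative authorization case for the new API is not actually covered. The last lines of the hunk belong to `getFreePort`, which continues outside it.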

http://git-wip-us.apache.org/repos/asf/ranger/blob/ee45ff0c/hbase-agent/src/test/resources/hbase-policies.json
----------------------------------------------------------------------
diff --git a/hbase-agent/src/test/resources/hbase-policies.json b/hbase-agent/src/test/resources/hbase-policies.json
index b7b44c9..6213a0e 100644
--- a/hbase-agent/src/test/resources/hbase-policies.json
+++ b/hbase-agent/src/test/resources/hbase-policies.json
@@ -132,6 +132,64 @@
     },
     {
       "service": "cl1_hbase",
+      "name": "TempPolicy",
+      "policyType": 0,
+      "description": "",
+      "isAuditEnabled": true,
+      "resources": {
+        "column-family": {
+          "values": [
+            "*"
+          ],
+          "isExcludes": false,
+          "isRecursive": false
+        },
+        "column": {
+          "values": [
+            "*"
+          ],
+          "isExcludes": false,
+          "isRecursive": false
+        },
+        "table": {
+          "values": [
+            "temp5"
+          ],
+          "isExcludes": false,
+          "isRecursive": false
+        }
+      },
+      "policyItems": [
+        {
+          "accesses": [
+            {
+              "type": "read",
+              "isAllowed": true
+            },
+            {
+              "type": "write",
+              "isAllowed": true
+            }
+          ],
+          "users": [],
+          "groups": [
+            "IT"
+          ],
+          "conditions": [],
+          "delegateAdmin": false
+        }
+      ],
+      "denyPolicyItems": [],
+      "allowExceptions": [],
+      "denyExceptions": [],
+      "dataMaskPolicyItems": [],
+      "rowFilterPolicyItems": [],
+      "id": 33,
+      "isEnabled": true,
+      "version": 1
+    },
+    {
+      "service": "cl1_hbase",
       "name": "HBASETest-3-namespace",
       "description": "Default Policy for Service: HBASETest for namespace test_namespace",
       "isAuditEnabled": true,


[21/28] ranger git commit: RANGER-2288: Sqoop repository config missing 'Common Name for Certificate'

Posted by me...@apache.org.
RANGER-2288: Sqoop repository config missing 'Common Name for Certificate'

Signed-off-by: peng.jianhua <pe...@zte.com.cn>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/9ad7c373
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/9ad7c373
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/9ad7c373

Branch: refs/heads/ranger-1
Commit: 9ad7c373394bed7bb9e860893b2d2d5a9123195d
Parents: 9dbd4c9
Author: zhangqiang2 <zh...@zte.com.cn>
Authored: Fri Nov 16 15:10:44 2018 +0800
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:44:48 2018 +0530

----------------------------------------------------------------------
 .../service-defs/ranger-servicedef-sqoop.json          | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/9ad7c373/agents-common/src/main/resources/service-defs/ranger-servicedef-sqoop.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-sqoop.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-sqoop.json
index 902a0b8..8cff9ab 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-sqoop.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-sqoop.json
@@ -103,7 +103,18 @@
 			"validationMessage": "",
 			"uiHint":"{\"TextFieldWithIcon\":true, \"info\": \"eg. 'http://&lt;ipaddr&gt;:12000'\"}",
 			"label": "Sqoop URL"
-		}
+		},
+
+        {
+            "itemId": 3,
+            "name": "commonNameForCertificate",
+            "type": "string",
+            "mandatory": false,
+            "validationRegEx":"",
+            "validationMessage": "",
+            "uiHint":"",
+            "label": "Common Name for Certificate"
+        }
 
 	],
 	"options": { "enableDenyAndExceptionsInPolicies": "false" },


[26/28] ranger git commit: RANGER-2277: Kylin repository config missing 'Common Name for Certificate'

Posted by me...@apache.org.
RANGER-2277: Kylin repository config missing 'Common Name for Certificate'

Signed-off-by: peng.jianhua <pe...@zte.com.cn>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/65e4ee2f
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/65e4ee2f
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/65e4ee2f

Branch: refs/heads/ranger-1
Commit: 65e4ee2fd31426135d8be69c66e4eed246c84f9c
Parents: 64e4107
Author: zhangqiang2 <zh...@zte.com.cn>
Authored: Mon Nov 5 17:24:41 2018 +0800
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 18:05:06 2018 +0530

----------------------------------------------------------------------
 .../resources/service-defs/ranger-servicedef-kylin.json  | 11 +++++++++++
 1 file changed, 11 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/65e4ee2f/agents-common/src/main/resources/service-defs/ranger-servicedef-kylin.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-kylin.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-kylin.json
index 3e0f0a3..a6e76a0 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-kylin.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-kylin.json
@@ -88,6 +88,17 @@
 			"validationMessage": "",
 			"uiHint":"{\"TextFieldWithIcon\":true, \"info\": \"1.For one url, eg.<br>'http://&lt;ipaddr&gt;:7070'<br>2.For multiple urls (use , or ; delimiter), eg.<br>'http://&lt;ipaddr1&gt;:7070,http://&lt;ipaddr2&gt;:7070'\"}",
 			"label": "Kylin URL"
+		},
+
+		{
+			"itemId": 4,
+			"name": "commonNameForCertificate",
+			"type": "string",
+			"mandatory": false,
+			"validationRegEx":"",
+			"validationMessage": "",
+			"uiHint":"",
+			"label": "Common Name for Certificate"
 		}
 
 	],


[13/28] ranger git commit: RANGER-2265: Added all ranger modules to linux profile so that all are built by default for unix environments

Posted by me...@apache.org.
RANGER-2265: Added all ranger modules to linux profile so that all are built by default for unix environments


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/f52bffdb
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/f52bffdb
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/f52bffdb

Branch: refs/heads/ranger-1
Commit: f52bffdbe9eb1af545839952621381ebaea6476e
Parents: 52f62ce
Author: Sailaja Polavarapu <sp...@hortonworks.com>
Authored: Wed Oct 31 11:00:38 2018 -0700
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:43:23 2018 +0530

----------------------------------------------------------------------
 pom.xml | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/f52bffdb/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 5f84398..147b6b9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -225,8 +225,82 @@
                 </os>
             </activation>
             <modules>
+		<module>jisql</module>
+                <module>agents-audit</module>
+                <module>agents-common</module>
+                <module>agents-cred</module>
+                <module>agents-installer</module>
+                <module>credentialbuilder</module>
+                <module>embeddedwebserver</module>
+                <module>kms</module>
+                <module>hbase-agent</module>
+                <module>hdfs-agent</module>
+                <module>hive-agent</module>
+                <module>knox-agent</module>
+                <module>storm-agent</module>
+                <module>plugin-yarn</module>
+                <module>security-admin</module>
+                <module>plugin-kafka</module>
+                <module>plugin-solr</module>
+                <module>plugin-nifi</module>
+                <module>plugin-nifi-registry</module>
+                <module>ugsync</module>
+                <module>ugsync/ldapconfigchecktool/ldapconfigcheck</module>
+                <module>unixauthclient</module>
+                <module>unixauthservice</module>
+                <module>ranger-util</module>
+                <module>plugin-kms</module>
+                <module>tagsync</module>
+                <module>ranger-hdfs-plugin-shim</module>
+                <module>ranger-plugin-classloader</module>
+                <module>ranger-hive-plugin-shim</module>
+                <module>ranger-hbase-plugin-shim</module>
+                <module>ranger-knox-plugin-shim</module>
+                <module>ranger-yarn-plugin-shim</module>
+                <module>ranger-storm-plugin-shim</module>
+                <module>ranger-kafka-plugin-shim</module>
+                <module>ranger-solr-plugin-shim</module>
+                <module>ranger-atlas-plugin-shim</module>
+                <module>ranger-kms-plugin-shim</module>
+                <module>ranger-examples</module>
+                <module>ranger-tools</module>
+                <module>plugin-atlas</module>
+                <module>plugin-sqoop</module>
+                <module>ranger-sqoop-plugin-shim</module>
+                <module>plugin-kylin</module>
+                <module>ranger-kylin-plugin-shim</module>
                 <module>unixauthnative</module>
             </modules>
+            <build>
+                <plugins>
+                    <plugin>
+                        <artifactId>maven-assembly-plugin</artifactId>
+                        <version>2.2-beta-5</version>
+			<configuration>
+                            <descriptors>
+                                <descriptor>src/main/assembly/hdfs-agent.xml</descriptor>
+                                <descriptor>src/main/assembly/hive-agent.xml</descriptor>
+                                <descriptor>src/main/assembly/hbase-agent.xml</descriptor>
+                                <descriptor>src/main/assembly/knox-agent.xml</descriptor>
+                                <descriptor>src/main/assembly/storm-agent.xml</descriptor>
+                                <descriptor>src/main/assembly/plugin-kafka.xml</descriptor>
+                                <descriptor>src/main/assembly/plugin-yarn.xml</descriptor>
+                                <descriptor>src/main/assembly/plugin-solr.xml</descriptor>
+                                <descriptor>src/main/assembly/admin-web.xml</descriptor>
+                                <descriptor>src/main/assembly/usersync.xml</descriptor>
+                                <descriptor>src/main/assembly/tagsync.xml</descriptor>
+                                <descriptor>src/main/assembly/migration-util.xml</descriptor>
+                                <descriptor>src/main/assembly/kms.xml</descriptor>
+                                <descriptor>src/main/assembly/ranger-tools.xml</descriptor>
+                                <descriptor>src/main/assembly/ranger-src.xml</descriptor>
+                                <descriptor>src/main/assembly/plugin-atlas.xml</descriptor>
+                                <descriptor>src/main/assembly/plugin-sqoop.xml</descriptor>
+                                <descriptor>src/main/assembly/plugin-kylin.xml</descriptor>
+                            </descriptors>
+                        </configuration>
+                    </plugin>
+                </plugins>
+            </build>
         </profile>
         <profile>
             <id>linux-pam</id>
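Review bot: The `maven-assembly-plugin` block added to this profile hard-codes `<version>2.2-beta-5</version>`, a beta release, next to an eighteen-entry descriptor list. If the same plugin is configured elsewhere in pom.xml (not visible in this hunk), the two copies can drift apart, so the version is better taken from a shared property or a `pluginManagement` entry. The `<module>jisql</module>` and `<configuration>` lines are indented with tabs while the surrounding lines use spaces. The enclosing `<profile>` opens above the hunk, so its id and activation conditions cannot be checked from here.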


[04/28] ranger git commit: RANGER-2222:Apache RangerKafkaPlugin support to handle Kafka Cluster as a new resource - added create permission in Cluster resource

Posted by me...@apache.org.
RANGER-2222:Apache RangerKafkaPlugin support to handle Kafka Cluster as a new resource - added create permission in Cluster resource


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/ae77c388
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/ae77c388
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/ae77c388

Branch: refs/heads/ranger-1
Commit: ae77c3885d113e4fadedb7157b5fb30048c82f5c
Parents: 9888dfa
Author: rmani <rm...@hortonworks.com>
Authored: Mon Oct 8 18:11:40 2018 -0700
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:40:05 2018 +0530

----------------------------------------------------------------------
 .../src/main/resources/service-defs/ranger-servicedef-kafka.json   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/ae77c388/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json
index 7e91aab..78ae9ea 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json
@@ -56,7 +56,7 @@
 			},
 			"label":"Cluster",
 			"description":"Cluster",
-			"accessTypeRestrictions": ["configure", "alter_configs", "describe", "describe_configs", "kafka_admin", "idempotent_write"]
+			"accessTypeRestrictions": ["create", "configure", "alter_configs", "describe", "describe_configs", "kafka_admin", "idempotent_write"]
 		},
 		{
 			"itemId":4,


[03/28] ranger git commit: RANGER-2222:Apache RangerKafkaPlugin support to handle Kafka Cluster as a new resource

Posted by me...@apache.org.
RANGER-2222:Apache RangerKafkaPlugin support to handle Kafka Cluster as a new resource

Signed-off-by: rmani <rm...@hortonworks.com>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/9888dfac
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/9888dfac
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/9888dfac

Branch: refs/heads/ranger-1
Commit: 9888dfacd7dc8ebc8d0a94dae5aa3b9eacdf1bb1
Parents: 4cb5f34
Author: rmani <rm...@hortonworks.com>
Authored: Mon Oct 8 12:09:34 2018 -0700
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:39:28 2018 +0530

----------------------------------------------------------------------
 .../service-defs/ranger-servicedef-kafka.json   |  49 ++-
 .../authorizer/RangerKafkaAuditHandler.java     |  74 ++++
 .../kafka/authorizer/RangerKafkaAuthorizer.java |  16 +-
 .../KafkaRangerAuthorizerGSSTest.java           |   1 -
 .../KafkaRangerTopicCreationTest.java           | 191 ++++++++++
 .../src/test/resources/kafka-policies.json      | 198 +++++++++-
 .../src/test/resources/kafka_kerberos.jaas      |   8 +-
 .../optimized/current/ranger_core_db_mysql.sql  |   1 +
 .../optimized/current/ranger_core_db_oracle.sql |   1 +
 .../current/ranger_core_db_postgres.sql         |   1 +
 .../current/ranger_core_db_sqlanywhere.sql      |   2 +
 .../current/ranger_core_db_sqlserver.sql        |   1 +
 .../PatchForKafkaServiceDefUpdate_J10025.java   | 381 +++++++++++++++++++
 src/main/assembly/plugin-kafka.xml              |   1 -
 14 files changed, 900 insertions(+), 25 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/9888dfac/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json
index ca3e0fe..7e91aab 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json
@@ -23,13 +23,15 @@
 			"validationMessage":"",
 			"uiHint":"",
 			"label":"Topic",
-			"description":"Topic"
+			"description":"Topic",
+			"accessTypeRestrictions": ["create", "delete", "configure", "alter_configs", "describe", "describe_configs", "consume", "publish", "kafka_admin"]
 		},
 		{
 			"itemId":2,
 			"name":"transactionalid",
 			"type":"string",
 			"level":1,
+			"mandatory":true,
 			"excludesSupported":true,
 			"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
 			"matcherOptions":{
@@ -37,9 +39,41 @@
 				"ignoreCase":true
 			},
 			"label":"Transactional Id",
-			"description":"Transactional Id"
+			"description":"Transactional Id",
+			"accessTypeRestrictions": ["publish", "describe"]
+		},
+		{
+			"itemId":3,
+			"name":"cluster",
+			"type":"string",
+			"level":1,
+			"mandatory":true,
+			"excludesSupported":true,
+			"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+			"matcherOptions":{
+				"wildCard":true,
+				"ignoreCase":true
+			},
+			"label":"Cluster",
+			"description":"Cluster",
+			"accessTypeRestrictions": ["configure", "alter_configs", "describe", "describe_configs", "kafka_admin", "idempotent_write"]
+		},
+		{
+			"itemId":4,
+			"name":"delegationtoken",
+			"type":"string",
+			"level":1,
+			"mandatory":true,
+			"excludesSupported":true,
+			"matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+			"matcherOptions":{
+				"wildCard":true,
+				"ignoreCase":true
+			},
+			"label":"Delegation Token",
+			"description":"Delegation Token",
+			"accessTypeRestrictions": ["describe"]
 		}
-		
 	],
 	"accessTypes":[
 		{
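Review bot: The new `cluster` and `delegationtoken` resources both set `"ignoreCase":true` together with `"wildCard":true` in `matcherOptions`, so a policy value also matches resource names that differ only in letter case. This mirrors the existing `transactionalid` entry, but for an authorization matcher it is worth confirming that Kafka treats these names as case-insensitive. If delegation token identifiers are case-sensitive on the broker side, `"ignoreCase":false` on `delegationtoken` keeps a policy from applying to a token it was not written for. The service definition has no place for a comment, so the reason for the chosen setting belongs in the commit description.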
@@ -49,7 +83,6 @@
 			"impliedGrants":[
 				"describe"
 			]
-			
 		},
 		{
 			"itemId":2,
@@ -58,7 +91,6 @@
 			"impliedGrants":[
 				"describe"
 			]
-			
 		},
 		{
 			"itemId":5,
@@ -67,7 +99,6 @@
 			"impliedGrants":[
 				"describe"
 			]
-			
 		},
 		{
 			"itemId":6,
@@ -99,7 +130,6 @@
 				"create",
 				"delete"
 			]
-			
 		},
 		{
 			"itemId":10,
@@ -150,13 +180,10 @@
 			"mandatory":false,
 			"label":"Ranger Plugin SSL CName"
 		}
-		
 	],
 	"enums":[
-		
 	],
 	"contextEnrichers":[
-		
 	],
 	"policyConditions":[
 		{
@@ -164,7 +191,6 @@
 			"name":"ip-range",
 			"evaluator":"org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher",
 			"evaluatorOptions":{
-				
 			},
 			"validationRegEx":"",
 			"validationMessage":"",
@@ -172,6 +198,5 @@
 			"label":"IP Address Range",
 			"description":"IP Address Range"
 		}
-		
 	]
 }

http://git-wip-us.apache.org/repos/asf/ranger/blob/9888dfac/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuditHandler.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuditHandler.java b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuditHandler.java
new file mode 100644
index 0000000..ee50e95
--- /dev/null
+++ b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuditHandler.java
@@ -0,0 +1,74 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.ranger.authorization.kafka.authorizer;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.audit.model.AuthzAuditEvent;
+import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+
+public class RangerKafkaAuditHandler extends RangerDefaultAuditHandler {
+    private static final Log LOG = LogFactory.getLog(RangerKafkaAuditHandler.class);
+
+    private AuthzAuditEvent auditEvent      = null;
+
+    public RangerKafkaAuditHandler(){
+    }
+
+    @Override
+    public void processResult(RangerAccessResult result) {
+        // If Cluster Resource Level Topic Creation is not Allowed we don't audit.
+        // Subsequent call from Kafka for Topic Creation at Topic resource Level will be audited.
+        if (!isAuditingNeeded(result)) {
+            return;
+        }
+        auditEvent = super.getAuthzEvents(result);
+    }
+
+    private boolean isAuditingNeeded(final RangerAccessResult result) {
+        boolean ret = true;
+        boolean 			    isAllowed = result.getIsAllowed();
+        RangerAccessRequest request = result.getAccessRequest();
+        RangerAccessResourceImpl resource = (RangerAccessResourceImpl) request.getResource();
+        String resourceName 			  = (String) resource.getValue(RangerKafkaAuthorizer.KEY_CLUSTER);
+        if (resourceName != null) {
+            if (request.getAccessType().equalsIgnoreCase(RangerKafkaAuthorizer.ACCESS_TYPE_CREATE) && !isAllowed) {
+                ret = false;
+            }
+        }
+        return ret;
+    }
+
+    public void flushAudit() {
+        if(LOG.isDebugEnabled()) {
+            LOG.info("==> RangerYarnAuditHandler.flushAudit(" + "AuditEvent: " + auditEvent + ")");
+        }
+        if (auditEvent != null) {
+            super.logAuthzAudit(auditEvent);
+        }
+        if(LOG.isDebugEnabled()) {
+            LOG.info("<== RangerYarnAuditHandler.flushAudit(" + "AuditEvent: " + auditEvent + ")");
+        }
+    }
+}
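Review bot: `processResult` returns early when `isAuditingNeeded` is false without clearing `auditEvent`, and `flushAudit` never resets the field after logging, so an event left from an earlier request can be written again by a later `flushAudit()` call. Resetting the field at the start of `processResult` and after logging in `flushAudit` closes that gap; the single field still assumes one request at a time per handler, which this file cannot confirm. The debug lines also name `RangerYarnAuditHandler` and call `LOG.info` inside an `isDebugEnabled()` guard, so they should read `RangerKafkaAuditHandler` and use `LOG.debug`. The cast to `RangerAccessResourceImpl` in `isAuditingNeeded` is unchecked and would throw for any other resource implementation.

```java
    @Override
    public void processResult(RangerAccessResult result) {
        // Drop any event left from an earlier request before deciding whether this one is audited.
        auditEvent = null;
        if (!isAuditingNeeded(result)) {
            return;
        }
        auditEvent = super.getAuthzEvents(result);
    }

    // … unchanged: isAuditingNeeded …

    public void flushAudit() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerKafkaAuditHandler.flushAudit(" + "AuditEvent: " + auditEvent + ")");
        }
        try {
            if (auditEvent != null) {
                super.logAuthzAudit(auditEvent);
            }
        } finally {
            // An event is logged at most once, even if logging throws.
            auditEvent = null;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerKafkaAuditHandler.flushAudit()");
        }
    }
```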

http://git-wip-us.apache.org/repos/asf/ranger/blob/9888dfac/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
index b5d151e..1745ad9 100644
--- a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
+++ b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
@@ -39,7 +39,6 @@ import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.kafka.common.security.authenticator.LoginManager;
 import org.apache.ranger.audit.provider.MiscUtil;
-import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
@@ -58,6 +57,7 @@ public class RangerKafkaAuthorizer implements Authorizer {
 	public static final String KEY_CLUSTER = "cluster";
 	public static final String KEY_CONSUMER_GROUP = "consumer_group";
 	public static final String KEY_TRANSACTIONALID = "transactionalid";
+	public static final String KEY_DELEGATIONTOKEN = "delegationtoken";
 
 	public static final String ACCESS_TYPE_READ = "consume";
 	public static final String ACCESS_TYPE_WRITE = "publish";
@@ -71,6 +71,7 @@ public class RangerKafkaAuthorizer implements Authorizer {
 	public static final String ACCESS_TYPE_IDEMPOTENT_WRITE = "idempotent_write";
 
 	private static volatile RangerBasePlugin rangerPlugin = null;
+	RangerKafkaAuditHandler auditHandler = null;
 
 	public RangerKafkaAuthorizer() {
 	}
@@ -113,7 +114,7 @@ public class RangerKafkaAuthorizer implements Authorizer {
 		}
 		logger.info("Calling plugin.init()");
 		rangerPlugin.init();
-		RangerDefaultAuditHandler auditHandler = new RangerDefaultAuditHandler();
+		auditHandler = new RangerKafkaAuditHandler();
 		rangerPlugin.setResultProcessor(auditHandler);
 	}
 
@@ -197,13 +198,14 @@ public class RangerKafkaAuthorizer implements Authorizer {
 
 		if (resource.resourceType().equals(Topic$.MODULE$)) {
 			rangerResource.setValue(KEY_TOPIC, resource.name());
-		} else if (resource.resourceType().equals(Cluster$.MODULE$)) { //NOPMD
-			// CLUSTER should go as null
-			// rangerResource.setValue(KEY_CLUSTER, resource.name());
+		} else if (resource.resourceType().equals(Cluster$.MODULE$)) {
+			rangerResource.setValue(KEY_CLUSTER, resource.name());
 		} else if (resource.resourceType().equals(Group$.MODULE$)) {
 			rangerResource.setValue(KEY_CONSUMER_GROUP, resource.name());
 		} else if (resource.resourceType().equals(TransactionalId$.MODULE$)) {
-			rangerResource.setValue(KEY_TRANSACTIONALID,resource.name());
+			rangerResource.setValue(KEY_TRANSACTIONALID, resource.name());
+		} else if (resource.resourceType().equals(DelegationToken$.MODULE$)) {
+			rangerResource.setValue(KEY_DELEGATIONTOKEN, resource.name());
 		} else {
 			logger.fatal("Unsupported resourceType=" + resource.resourceType());
 			validationFailed = true;
@@ -226,6 +228,8 @@ public class RangerKafkaAuthorizer implements Authorizer {
 			} catch (Throwable t) {
 				logger.error("Error while calling isAccessAllowed(). request="
 						+ rangerRequest, t);
+			} finally {
+				auditHandler.flushAudit();
 			}
 		}
 		RangerPerfTracer.log(perf);
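Review bot: `auditHandler.flushAudit()` in the new `finally` runs against one `RangerKafkaAuditHandler` that is stored in a field and registered through `setResultProcessor`, so every `authorize()` call shares that handler's single `auditEvent`. If the broker calls `authorize()` from more than one request thread, which this hunk does not rule out, one call can overwrite or flush another call's event, leaving audit records missing or attached to the wrong request. A handler created per call avoids the shared state: `RangerKafkaAuditHandler handler = new RangerKafkaAuditHandler();`, then `rangerPlugin.isAccessAllowed(rangerRequest, handler);` in the `try` and `handler.flushAudit();` in the `finally`. The field is also `null` until `configure()` has assigned it, and an exception thrown from the `finally` would not be caught by the `catch (Throwable t)` above it. The `try` and the enclosing method begin above the hunk.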

http://git-wip-us.apache.org/repos/asf/ranger/blob/9888dfac/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerGSSTest.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerGSSTest.java b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerGSSTest.java
index c1386fe..43e88b5 100644
--- a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerGSSTest.java
+++ b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerGSSTest.java
@@ -308,7 +308,6 @@ public class KafkaRangerAuthorizerGSSTest {
                 producer.send(new ProducerRecord<String, String>("dev", "somekey", "somevalue"));
             producer.flush();
             record.get();
-            Assert.fail("Authorization failure expected");
         } catch (Exception ex) {
             Assert.assertTrue(ex.getMessage().contains("Not authorized to access topics"));
         }

http://git-wip-us.apache.org/repos/asf/ranger/blob/9888dfac/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerTopicCreationTest.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerTopicCreationTest.java b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerTopicCreationTest.java
new file mode 100644
index 0000000..a12817e
--- /dev/null
+++ b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerTopicCreationTest.java
@@ -0,0 +1,191 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.authorization.kafka.authorizer;
+
+import kafka.server.KafkaConfig;
+import kafka.server.KafkaServerStartable;
+import org.apache.curator.test.InstanceSpec;
+import org.apache.curator.test.TestingServer;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.kafka.clients.CommonClientConfigs;
+import org.apache.kafka.clients.admin.AdminClient;
+import org.apache.kafka.clients.admin.KafkaAdminClient;
+import org.apache.kafka.clients.admin.AdminClientConfig;
+import org.apache.kafka.clients.admin.CreateTopicsResult;
+import org.apache.kafka.clients.admin.NewTopic;
+import org.apache.kafka.common.KafkaFuture;
+import org.apache.kerby.kerberos.kerb.server.SimpleKdcServer;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.net.ServerSocket;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.FileSystems;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Properties;
+
+
+public class KafkaRangerTopicCreationTest {
+    private final static Logger LOG = LoggerFactory.getLogger(KafkaRangerTopicCreationTest.class);
+
+    private static KafkaServerStartable kafkaServer;
+    private static TestingServer zkServer;
+    private static int port;
+    private static Path tempDir;
+    private static SimpleKdcServer kerbyServer;
+
+    @org.junit.BeforeClass
+    public static void setup() throws Exception {
+        String basedir = System.getProperty("basedir");
+        if (basedir == null) {
+            basedir = new File(".").getCanonicalPath();
+        }
+        System.out.println("Base Dir " + basedir);
+
+        configureKerby(basedir);
+
+        // JAAS Config file - We need to point to the correct keytab files
+        Path path = FileSystems.getDefault().getPath(basedir, "/src/test/resources/kafka_kerberos.jaas");
+        String content = new String(Files.readAllBytes(path), StandardCharsets.UTF_8);
+        content = content.replaceAll("<basedir>", basedir);
+        //content = content.replaceAll("zookeeper/localhost", "zookeeper/" + address);
+
+        Path path2 = FileSystems.getDefault().getPath(basedir, "/target/test-classes/kafka_kerberos.jaas");
+        Files.write(path2, content.getBytes(StandardCharsets.UTF_8));
+
+        System.setProperty("java.security.auth.login.config", path2.toString());
+
+        // Set up Zookeeper to require SASL
+        Map<String,Object> zookeeperProperties = new HashMap<>();
+        zookeeperProperties.put("authProvider.1", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
+        zookeeperProperties.put("requireClientAuthScheme", "sasl");
+        zookeeperProperties.put("jaasLoginRenew", "3600000");
+
+        InstanceSpec instanceSpec = new InstanceSpec(null, -1, -1, -1, true, 1,-1, -1, zookeeperProperties, "localhost");
+
+        zkServer = new TestingServer(instanceSpec, true);
+
+        // Get a random port
+        ServerSocket serverSocket = new ServerSocket(0);
+        port = serverSocket.getLocalPort();
+        serverSocket.close();
+
+        tempDir = Files.createTempDirectory("kafka");
+
+        LOG.info("Port is {}", port);
+        LOG.info("Temporary directory is at {}", tempDir);
+
+        final Properties props = new Properties();
+        props.put("broker.id", 1);
+        props.put("host.name", "localhost");
+        props.put("port", port);
+        props.put("log.dir", tempDir.toString());
+        props.put("zookeeper.connect", zkServer.getConnectString());
+        props.put("replica.socket.timeout.ms", "1500");
+        props.put("controlled.shutdown.enable", Boolean.TRUE.toString());
+        // Enable SASL_PLAINTEXT
+        props.put("listeners", "SASL_PLAINTEXT://localhost:" + port);
+        props.put("security.inter.broker.protocol", "SASL_PLAINTEXT");
+        props.put("sasl.enabled.mechanisms", "GSSAPI");
+        props.put("sasl.mechanism.inter.broker.protocol", "GSSAPI");
+        props.put("sasl.kerberos.service.name", "kafka");
+        props.put("offsets.topic.replication.factor", (short) 1);
+        props.put("offsets.topic.num.partitions", 1);
+
+        // Plug in Apache Ranger authorizer
+        props.put("authorizer.class.name", "org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer");
+
+        // Create users for testing
+        UserGroupInformation.createUserForTesting("client@kafka.apache.org", new String[] {"public"});
+        UserGroupInformation.createUserForTesting("kafka/localhost@kafka.apache.org", new String[] {"IT"});
+
+        KafkaConfig config = new KafkaConfig(props);
+        kafkaServer = new KafkaServerStartable(config);
+        kafkaServer.startup();
+   }
+
+    private static void configureKerby(String baseDir) throws Exception {
+
+        //System.setProperty("sun.security.krb5.debug", "true");
+        System.setProperty("java.security.krb5.conf", baseDir + "/target/krb5.conf");
+
+        kerbyServer = new SimpleKdcServer();
+
+        kerbyServer.setKdcRealm("kafka.apache.org");
+        kerbyServer.setAllowUdp(false);
+        kerbyServer.setWorkDir(new File(baseDir + "/target"));
+
+        kerbyServer.init();
+
+        // Create principals
+        String zookeeper = "zookeeper/localhost@kafka.apache.org";
+        String kafka = "kafka/localhost@kafka.apache.org";
+        String client = "client@kafka.apache.org";
+
+        kerbyServer.createPrincipal(zookeeper, "zookeeper");
+        File keytabFile = new File(baseDir + "/target/zookeeper.keytab");
+        kerbyServer.exportPrincipal(zookeeper, keytabFile);
+
+        kerbyServer.createPrincipal(kafka, "kafka");
+        keytabFile = new File(baseDir + "/target/kafka.keytab");
+        kerbyServer.exportPrincipal(kafka, keytabFile);
+
+        kerbyServer.createPrincipal(client, "client");
+        keytabFile = new File(baseDir + "/target/client.keytab");
+        kerbyServer.exportPrincipal(client, keytabFile);
+
+        kerbyServer.start();
+    }
+
+    @org.junit.AfterClass
+    public static void cleanup() throws Exception {
+        if (kafkaServer != null) {
+            kafkaServer.shutdown();
+        }
+        if (zkServer != null) {
+            zkServer.stop();
+        }
+        if (kerbyServer != null) {
+            kerbyServer.stop();
+        }
+    }
+
+    @Test
+    public void testCreateTopic() throws Exception {
+            final String topic = "test";
+            Properties properties = new Properties();
+            properties.put(AdminClientConfig.BOOTSTRAP_SERVERS_CONFIG, "localhost:" + port);
+            properties.put("client.id", "test-consumer-id");
+            properties.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SASL_PLAINTEXT");
+            AdminClient client = KafkaAdminClient.create(properties);
+            CreateTopicsResult result = client.createTopics(Arrays.asList(new NewTopic(topic, 1, (short) 1)));
+            result.values().get(topic).get();
+            for (Map.Entry<String, KafkaFuture<Void>> entry : result.values().entrySet()) {
+                System.out.println("Create Topic : " + entry.getKey() + " " +
+                        "isCancelled : " + entry.getValue().isCancelled() + " " +
+                        "isCompletedExceptionally : " + entry.getValue().isCompletedExceptionally() + " " +
+                        "isDone : " + entry.getValue().isDone());
+            }
+    }
+}
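Review bot: `testCreateTopic` never closes the `AdminClient` it creates, so the client is still open when the test ends; opening the body with `try (AdminClient client = KafkaAdminClient.create(properties)) {` releases it. The test covers only the permitted path and reports the outcome through `System.out.println` rather than an assertion or the class's `LOG`. A second case that runs as a principal without topic `create` rights and asserts that the returned future fails would cover the denial path that the new audit handler treats specially. `setup()` also creates the `kafka` temp directory and `cleanup()` does not remove it.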

http://git-wip-us.apache.org/repos/asf/ranger/blob/9888dfac/plugin-kafka/src/test/resources/kafka-policies.json
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/test/resources/kafka-policies.json b/plugin-kafka/src/test/resources/kafka-policies.json
index 0c07604..e4f5db1 100644
--- a/plugin-kafka/src/test/resources/kafka-policies.json
+++ b/plugin-kafka/src/test/resources/kafka-policies.json
@@ -6,6 +6,84 @@
   "policies": [
     {
       "service": "cl1_kafka",
+      "name": "all - cluster",
+      "policyType": 0,
+      "description": "Policy for all - cluster",
+      "isAuditEnabled": true,
+      "resources": {
+        "cluster": {
+          "values": [
+            "*"
+          ],
+          "isExcludes": false,
+          "isRecursive": false
+        }
+      },
+      "policyItems": [
+        {
+          "accesses": [
+            {
+              "type": "publish",
+              "isAllowed": true
+            },
+            {
+              "type": "consume",
+              "isAllowed": true
+            },
+            {
+              "type": "configure",
+              "isAllowed": true
+            },
+            {
+              "type": "describe",
+              "isAllowed": true
+            },
+            {
+              "type": "create",
+              "isAllowed": true
+            },
+            {
+              "type": "delete",
+              "isAllowed": true
+            },
+            {
+              "type": "kafka_admin",
+              "isAllowed": true
+            },
+            {
+              "type": "idempotent_write",
+              "isAllowed": true
+            },
+            {
+              "type": "describe_configs",
+              "isAllowed": true
+            },
+            {
+              "type": "alter_configs",
+              "isAllowed": true
+            }
+          ],
+          "users": [
+            "admin","kafka"
+          ],
+          "groups": [
+            "IT"
+          ],
+          "conditions": [],
+          "delegateAdmin": true
+        }
+      ],
+      "denyPolicyItems": [],
+      "allowExceptions": [],
+      "denyExceptions": [],
+      "dataMaskPolicyItems": [],
+      "rowFilterPolicyItems": [],
+      "id": 40,
+      "isEnabled": true,
+      "version": 2
+    },
+    {
+      "service": "cl1_kafka",
       "name": "all - topic",
       "policyType": 0,
       "description": "Policy for all - topic",
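Review bot: The added `all - cluster` policy grants `publish`, `consume` and `delete` on the `cluster` resource, none of which appear in the `accessTypeRestrictions` this commit adds for `cluster` in ranger-servicedef-kafka.json. The `DelegationToken Policy` in the last hunk of this file likewise grants all ten access types where the service definition lists only `describe`. Fixtures broader than the service definition allows mean the tests do not show that the restrictions hold, assuming the test loader does not validate policies against them; the `serviceDef` embedded further down this file is outside the visible part. Trimming each `accesses` list to the types permitted for its resource keeps the fixture consistent with the service definition.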
@@ -64,7 +142,7 @@
             }
           ],
           "users": [
-            "admin","kafka"
+            "admin","kafka", "client"
           ],
           "groups": [
             "IT"
@@ -243,6 +321,84 @@
       "id": 30,
       "isEnabled": true,
       "version": 1
+    },
+    {
+      "service": "cl1_kafka",
+      "name": "DelegationToken Policy",
+      "policyType": 0,
+      "description": "DelegationTokenPolicy",
+      "isAuditEnabled": true,
+      "resources": {
+        "delegationtoken": {
+          "values": [
+            "*"
+          ],
+          "isExcludes": false,
+          "isRecursive": false
+        }
+      },
+      "policyItems": [
+        {
+          "accesses": [
+            {
+              "type": "publish",
+              "isAllowed": true
+            },
+            {
+              "type": "consume",
+              "isAllowed": true
+            },
+            {
+              "type": "configure",
+              "isAllowed": true
+            },
+            {
+              "type": "describe",
+              "isAllowed": true
+            },
+            {
+              "type": "create",
+              "isAllowed": true
+            },
+            {
+              "type": "delete",
+              "isAllowed": true
+            },
+            {
+              "type": "kafka_admin",
+              "isAllowed": true
+            },
+            {
+              "type": "idempotent_write",
+              "isAllowed": true
+            },
+            {
+              "type": "describe_configs",
+              "isAllowed": true
+            },
+            {
+              "type": "alter_configs",
+              "isAllowed": true
+            }
+          ],
+          "users": [
+            "admin","kafka", "client"
+          ],
+          "groups": [
+            "IT"
+          ],
+          "conditions": [],
+          "delegateAdmin": true
+        }
+      ],
+      "denyPolicyItems": [],
+      "allowExceptions": [],
+      "denyExceptions": [],
+      "dataMaskPolicyItems": [],
+      "rowFilterPolicyItems": [],
+      "id": 31,
+      "isEnabled": true,
+      "version": 2
     }
   ],
   "serviceDef": {
@@ -322,6 +478,46 @@
         "uiHint":"",
         "label":"Transactional Id",
         "description":"Transactional Id"
+      },
+      {
+        "itemId":3,
+        "name":"cluster",
+        "type":"string",
+        "level":1,
+        "mandatory":true,
+        "lookupSupported":false,
+        "recursiveSupported":false,
+        "excludesSupported":true,
+        "matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+        "matcherOptions":{
+          "wildCard":true,
+          "ignoreCase":true
+        },
+        "validationRegEx":"",
+        "validationMessage":"",
+        "uiHint":"",
+        "label":"Cluster",
+        "description":"Cluster"
+      },
+      {
+        "itemId":4,
+        "name":"delegationtoken",
+        "type":"string",
+        "level":1,
+        "mandatory":true,
+        "lookupSupported":false,
+        "recursiveSupported":false,
+        "excludesSupported":true,
+        "matcher":"org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+        "matcherOptions":{
+          "wildCard":true,
+          "ignoreCase":true
+        },
+        "validationRegEx":"",
+        "validationMessage":"",
+        "uiHint":"",
+        "label":"Delegation Token",
+        "description":"Delegation Token"
       }
     ],
     "accessTypes": [

http://git-wip-us.apache.org/repos/asf/ranger/blob/9888dfac/plugin-kafka/src/test/resources/kafka_kerberos.jaas
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/test/resources/kafka_kerberos.jaas b/plugin-kafka/src/test/resources/kafka_kerberos.jaas
index 1de804b..2e83c7c 100644
--- a/plugin-kafka/src/test/resources/kafka_kerberos.jaas
+++ b/plugin-kafka/src/test/resources/kafka_kerberos.jaas
@@ -1,20 +1,20 @@
 
 Server {
-        com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=true
+        com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=true serviceName="kafka"
         keyTab="<basedir>/target/zookeeper.keytab" storeKey=true principal="zookeeper/localhost";
 };
 
 KafkaServer {
-        com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=true
+        com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=true serviceName="kafka"
         keyTab="<basedir>/target/kafka.keytab" storeKey=true principal="kafka/localhost";
 };
 
 Client {
-        com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=true
+        com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=true serviceName="kafka"
         keyTab="<basedir>/target/kafka.keytab" storeKey=true principal="kafka/localhost";
 };
 
 KafkaClient {
-        com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=true
+        com.sun.security.auth.module.Krb5LoginModule required refreshKrb5Config=true useKeyTab=true serviceName="kafka"
         keyTab="<basedir>/target/client.keytab" storeKey=true principal="client";
 };
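Review bot: `serviceName="kafka"` is added to all four login contexts, including `Server` (principal `zookeeper/localhost`) and `Client`, which by name and principal look like the ZooKeeper server context and the broker's ZooKeeper-client context. Kafka reads `serviceName` from its own `KafkaServer`/`KafkaClient` entries; I am not aware of ZooKeeper consulting it, so on those two entries the option is probably inert and reads as if ZooKeeper were addressed under the `kafka` service name. I would add it only to `KafkaServer` and `KafkaClient`, or put a one-line comment above `Server` and `Client` saying why it is there.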

http://git-wip-us.apache.org/repos/asf/ranger/blob/9888dfac/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql b/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
index f743a65..0066339 100644
--- a/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
+++ b/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
@@ -1430,4 +1430,5 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10019',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10020',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10025',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10018',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');

http://git-wip-us.apache.org/repos/asf/ranger/blob/9888dfac/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql b/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
index a7d6f73..de12102 100644
--- a/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
+++ b/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
@@ -1575,5 +1575,6 @@ INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,act
 INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10019',sys_extract_utc(systimestamp),'Ranger 1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
 INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10020',sys_extract_utc(systimestamp),'Ranger 1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
 INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10025',sys_extract_utc(systimestamp),'Ranger 1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
+INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10018',sys_extract_utc(systimestamp),'Ranger 1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
 INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'JAVA_PATCHES',sys_extract_utc(systimestamp),'Ranger 1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
 commit;

http://git-wip-us.apache.org/repos/asf/ranger/blob/9888dfac/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql b/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
index 8969c26..35a133a 100644
--- a/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
+++ b/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
@@ -1519,6 +1519,7 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10019',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10020',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10025',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y');
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10018',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y');
 
 DROP VIEW IF EXISTS vx_trx_log;

http://git-wip-us.apache.org/repos/asf/ranger/blob/9888dfac/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql b/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
index 9dc2515..43da93f 100644
--- a/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
+++ b/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
@@ -1869,6 +1869,8 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active
 GO
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10025',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 GO
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10018,CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
+GO
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 GO
 exit
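Review bot: The row added in this hunk has an unterminated string literal: `VALUES ('J10018,CURRENT_TIMESTAMP,...` lacks the closing quote after `J10018`, so the quotes of the following values pair up wrongly and the statement will not parse as intended. It should read `VALUES ('J10018',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');`, matching the MySQL, Oracle, PostgreSQL and SQL Server scripts changed in the same commit. Because this script seeds `x_db_version_h`, a failure here would presumably either abort a SQL Anywhere install or leave J10018 unrecorded.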

http://git-wip-us.apache.org/repos/asf/ranger/blob/9888dfac/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql b/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
index 8351c70..a1ac530 100644
--- a/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
+++ b/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
@@ -3289,6 +3289,7 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10019',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10020',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10025',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10018',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 GO
 CREATE VIEW [dbo].[vx_trx_log] AS

http://git-wip-us.apache.org/repos/asf/ranger/blob/9888dfac/security-admin/src/main/java/org/apache/ranger/patch/PatchForKafkaServiceDefUpdate_J10025.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/patch/PatchForKafkaServiceDefUpdate_J10025.java b/security-admin/src/main/java/org/apache/ranger/patch/PatchForKafkaServiceDefUpdate_J10025.java
new file mode 100644
index 0000000..0ef1544
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/patch/PatchForKafkaServiceDefUpdate_J10025.java
@@ -0,0 +1,381 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.patch;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.log4j.Logger;
+import org.apache.ranger.biz.RangerBizUtil;
+import org.apache.ranger.biz.ServiceDBStore;
+import org.apache.ranger.common.GUIDUtil;
+import org.apache.ranger.common.JSONUtil;
+import org.apache.ranger.common.RangerValidatorFactory;
+import org.apache.ranger.common.StringUtil;
+import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.entity.XXAccessTypeDef;
+import org.apache.ranger.entity.XXPolicy;
+import org.apache.ranger.entity.XXPolicyItem;
+import org.apache.ranger.entity.XXPolicyItemAccess;
+import org.apache.ranger.entity.XXPolicyItemUserPerm;
+import org.apache.ranger.entity.XXPolicyResource;
+import org.apache.ranger.entity.XXPolicyResourceMap;
+import org.apache.ranger.entity.XXPortalUser;
+import org.apache.ranger.entity.XXResourceDef;
+import org.apache.ranger.entity.XXService;
+import org.apache.ranger.entity.XXServiceDef;
+import org.apache.ranger.entity.XXUser;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.validation.RangerServiceDefValidator;
+import org.apache.ranger.plugin.model.validation.RangerValidator.Action;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
+import org.apache.ranger.service.RangerPolicyService;
+import org.apache.ranger.service.XPermMapService;
+import org.apache.ranger.service.XPolicyService;
+import org.apache.ranger.util.CLIUtil;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+@Component
+public class PatchForKafkaServiceDefUpdate_J10025 extends BaseLoader {
+	private static final Logger logger = Logger.getLogger(PatchForKafkaServiceDefUpdate_J10025.class);
+	private static final List<String> POLICY_NAMES = new ArrayList<>(Arrays.asList("all - cluster", "all - delegationtoken"));
+	private static final String LOGIN_ID_ADMIN = "admin";
+	private static final String KAFKA_RESOURCE_CLUSTER = "cluster";
+	private static final String KAFKA_RESOURCE_DELEGATIONTOKEN = "delegationtoken";
+
+	private static final List<String> DEFAULT_POLICY_USERS = new ArrayList<>(Arrays.asList("kafka","rangerlookup"));
+
+
+	public static final String SERVICEDBSTORE_SERVICEDEFBYNAME_KAFKA_NAME  = "kafka";
+	public static final String CLUSTER_RESOURCE_NAME ="cluster";
+
+
+	@Autowired
+	RangerDaoManager daoMgr;
+
+	@Autowired
+	ServiceDBStore svcDBStore;
+
+	@Autowired
+	JSONUtil jsonUtil;
+
+	@Autowired
+	RangerPolicyService policyService;
+
+	@Autowired
+	StringUtil stringUtil;
+
+	@Autowired
+	GUIDUtil guidUtil;
+
+	@Autowired
+	XPolicyService xPolService;
+
+	@Autowired
+	XPermMapService xPermMapService;
+
+	@Autowired
+	RangerBizUtil bizUtil;
+
+	@Autowired
+	RangerValidatorFactory validatorFactory;
+
+	@Autowired
+	ServiceDBStore svcStore;
+
+	public static void main(String[] args) {
+		logger.info("main()");
+		try {
+			PatchForKafkaServiceDefUpdate_J10025 loader = (PatchForKafkaServiceDefUpdate_J10025) CLIUtil.getBean(PatchForKafkaServiceDefUpdate_J10025.class);
+			loader.init();
+			while (loader.isMoreToProcess()) {
+				loader.load();
+			}
+			logger.info("Load complete. Exiting!!!");
+			System.exit(0);
+		} catch (Exception e) {
+			logger.error("Error loading", e);
+			System.exit(1);
+		}
+	}
+
+	@Override
+	public void init() throws Exception {
+		// Do Nothing
+	}
+
+	@Override
+	public void execLoad() {
+		logger.info("==> PatchForKafkaServiceDefUpdate_J10025.execLoad()");
+		try {
+			updateKafkaServiceDef();
+		} catch (Exception e) {
+			logger.error("Error while applying PatchForKafkaServiceDefUpdate_J10025...", e);
+		}
+		logger.info("<== PatchForKafkaServiceDefUpdate_J10025.execLoad()");
+	}
+
+	@Override
+	public void printStats() {
+		logger.info("PatchForKafkaServiceDefUpdate_J10025 ");
+	}
+
+	private void updateKafkaServiceDef(){
+		RangerServiceDef ret                = null;
+		RangerServiceDef embeddedKafkaServiceDef = null;
+		RangerServiceDef dbKafkaServiceDef         = null;
+		List<RangerServiceDef.RangerResourceDef>   embeddedKafkaResourceDefs  = null;
+		List<RangerServiceDef.RangerAccessTypeDef>     embeddedKafkaAccessTypes   = null;
+		XXServiceDef xXServiceDefObj         = null;
+		try{
+			embeddedKafkaServiceDef=EmbeddedServiceDefsUtil.instance().getEmbeddedServiceDef(SERVICEDBSTORE_SERVICEDEFBYNAME_KAFKA_NAME);
+			if(embeddedKafkaServiceDef!=null){
+
+				xXServiceDefObj = daoMgr.getXXServiceDef().findByName(SERVICEDBSTORE_SERVICEDEFBYNAME_KAFKA_NAME);
+				Map<String, String> serviceDefOptionsPreUpdate=null;
+				String jsonStrPreUpdate=null;
+				if(xXServiceDefObj!=null) {
+					jsonStrPreUpdate=xXServiceDefObj.getDefOptions();
+					serviceDefOptionsPreUpdate=jsonStringToMap(jsonStrPreUpdate);
+					xXServiceDefObj=null;
+				}
+				dbKafkaServiceDef=svcDBStore.getServiceDefByName(SERVICEDBSTORE_SERVICEDEFBYNAME_KAFKA_NAME);
+
+				if(dbKafkaServiceDef!=null){
+					embeddedKafkaResourceDefs = embeddedKafkaServiceDef.getResources();
+					embeddedKafkaAccessTypes  = embeddedKafkaServiceDef.getAccessTypes();
+
+					if (checkNewKafkaresourcePresent(embeddedKafkaResourceDefs)) {
+						// This is to check if CLUSTER resource is added to the resource definition, if so update the resource def and accessType def
+						if (embeddedKafkaResourceDefs != null) {
+							dbKafkaServiceDef.setResources(embeddedKafkaResourceDefs);
+						}
+						if (embeddedKafkaAccessTypes != null) {
+							if(!embeddedKafkaAccessTypes.toString().equalsIgnoreCase(dbKafkaServiceDef.getAccessTypes().toString())) {
+								dbKafkaServiceDef.setAccessTypes(embeddedKafkaAccessTypes);
+							}
+						}
+					}
+
+					RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore);
+					validator.validate(dbKafkaServiceDef, Action.UPDATE);
+
+					ret = svcStore.updateServiceDef(dbKafkaServiceDef);
+					if(ret==null){
+						logger.error("Error while updating "+SERVICEDBSTORE_SERVICEDEFBYNAME_KAFKA_NAME+"service-def");
+						throw new RuntimeException("Error while updating "+SERVICEDBSTORE_SERVICEDEFBYNAME_KAFKA_NAME+"service-def");
+					}
+					xXServiceDefObj = daoMgr.getXXServiceDef().findByName(SERVICEDBSTORE_SERVICEDEFBYNAME_KAFKA_NAME);
+					if(xXServiceDefObj!=null) {
+						String jsonStrPostUpdate=xXServiceDefObj.getDefOptions();
+						Map<String, String> serviceDefOptionsPostUpdate=jsonStringToMap(jsonStrPostUpdate);
+						if (serviceDefOptionsPostUpdate != null && serviceDefOptionsPostUpdate.containsKey(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES)) {
+							if(serviceDefOptionsPreUpdate == null || !serviceDefOptionsPreUpdate.containsKey(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES)) {
+								String preUpdateValue = serviceDefOptionsPreUpdate == null ? null : serviceDefOptionsPreUpdate.get(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES);
+								if (preUpdateValue == null) {
+									serviceDefOptionsPostUpdate.remove(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES);
+								} else {
+									serviceDefOptionsPostUpdate.put(RangerServiceDef.OPTION_ENABLE_DENY_AND_EXCEPTIONS_IN_POLICIES, preUpdateValue);
+								}
+								xXServiceDefObj.setDefOptions(mapToJsonString(serviceDefOptionsPostUpdate));
+								daoMgr.getXXServiceDef().update(xXServiceDefObj);
+							}
+						}
+						createDefaultPolicyForNewResources();
+					}
+				}
+			}
+		}catch(Exception e)
+		{
+			logger.error("Error while updating "+SERVICEDBSTORE_SERVICEDEFBYNAME_KAFKA_NAME+"service-def", e);
+		}
+	}
+
+	private boolean checkNewKafkaresourcePresent(List<RangerServiceDef.RangerResourceDef> resourceDefs) {
+		boolean ret = false;
+		for(RangerServiceDef.RangerResourceDef resourceDef : resourceDefs) {
+			if (CLUSTER_RESOURCE_NAME.equals(resourceDef.getName()) ) {
+				ret = true ;
+				break;
+			}
+		}
+		return ret;
+	}
+
+	private String mapToJsonString(Map<String, String> map) {
+		String ret = null;
+		if(map != null) {
+			try {
+				ret = jsonUtil.readMapToString(map);
+			} catch(Exception excp) {
+				logger.warn("mapToJsonString() failed to convert map: " + map, excp);
+			}
+		}
+		return ret;
+	}
+
+	protected Map<String, String> jsonStringToMap(String jsonStr) {
+		Map<String, String> ret = null;
+		if(!StringUtils.isEmpty(jsonStr)) {
+			try {
+				ret = jsonUtil.jsonToMap(jsonStr);
+			} catch(Exception excp) {
+				// fallback to earlier format: "name1=value1;name2=value2"
+				for(String optionString : jsonStr.split(";")) {
+					if(StringUtils.isEmpty(optionString)) {
+						continue;
+					}
+					String[] nvArr = optionString.split("=");
+					String name  = (nvArr != null && nvArr.length > 0) ? nvArr[0].trim() : null;
+					String value = (nvArr != null && nvArr.length > 1) ? nvArr[1].trim() : null;
+					if(StringUtils.isEmpty(name)) {
+						continue;
+					}
+					if(ret == null) {
+						ret = new HashMap<String, String>();
+					}
+					ret.put(name, value);
+				}
+			}
+		}
+		return ret;
+	}
+
+	private void createDefaultPolicyForNewResources() {
+		logger.info("==> createDefaultPolicyForNewResources ");
+		XXPortalUser xxPortalUser = daoMgr.getXXPortalUser().findByLoginId(LOGIN_ID_ADMIN);
+		Long currentUserId = xxPortalUser.getId();
+
+		XXServiceDef xXServiceDefObj = daoMgr.getXXServiceDef()
+				.findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_KAFKA_NAME);
+		if (xXServiceDefObj == null) {
+			logger.debug("ServiceDef not fount with name :" + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_KAFKA_NAME);
+			return;
+		}
+
+		Long xServiceDefId = xXServiceDefObj.getId();
+		List<XXService> xxServices = daoMgr.getXXService().findByServiceDefId(xServiceDefId);
+
+		for (XXService xxService : xxServices) {
+			int resourceMapOrder = 0;
+			for (String newResource : POLICY_NAMES) {
+				XXPolicy xxPolicy = new XXPolicy();
+				xxPolicy.setName(newResource);
+				xxPolicy.setDescription(newResource);
+				xxPolicy.setService(xxService.getId());
+				xxPolicy.setPolicyPriority(RangerPolicy.POLICY_PRIORITY_NORMAL);
+				xxPolicy.setIsAuditEnabled(Boolean.TRUE);
+				xxPolicy.setIsEnabled(Boolean.TRUE);
+				xxPolicy.setPolicyType(RangerPolicy.POLICY_TYPE_ACCESS);
+				xxPolicy.setGuid(guidUtil.genGUID());
+				xxPolicy.setAddedByUserId(currentUserId);
+				xxPolicy.setUpdatedByUserId(currentUserId);
+				RangerPolicy rangerPolicy = new RangerPolicy();
+				RangerPolicyResourceSignature resourceSignature = new RangerPolicyResourceSignature(rangerPolicy);
+				xxPolicy.setResourceSignature(resourceSignature.getSignature());
+				XXPolicy createdPolicy = daoMgr.getXXPolicy().create(xxPolicy);
+
+				XXPolicyItem xxPolicyItem = new XXPolicyItem();
+				xxPolicyItem.setIsEnabled(Boolean.TRUE);
+				xxPolicyItem.setDelegateAdmin(Boolean.TRUE);
+				xxPolicyItem.setItemType(0);
+				xxPolicyItem.setOrder(0);
+				xxPolicyItem.setAddedByUserId(currentUserId);
+				xxPolicyItem.setUpdatedByUserId(currentUserId);
+				xxPolicyItem.setPolicyId(createdPolicy.getId());
+				XXPolicyItem createdXXPolicyItem = daoMgr.getXXPolicyItem().create(xxPolicyItem);
+
+				List<String> accessTypes = Arrays.asList("create", "delete", "configure", "alter_configs", "describe", "describe_configs", "consume", "publish", "kafka_admin","idempotent_write");
+				for (int i = 0; i < accessTypes.size(); i++) {
+					XXAccessTypeDef xAccTypeDef = daoMgr.getXXAccessTypeDef().findByNameAndServiceId(accessTypes.get(i),
+							xxPolicy.getService());
+					if (xAccTypeDef == null) {
+						throw new RuntimeException(accessTypes.get(i) + ": is not a valid access-type. policy='"
+								+ xxPolicy.getName() + "' service='" + xxPolicy.getService() + "'");
+					}
+					XXPolicyItemAccess xPolItemAcc = new XXPolicyItemAccess();
+					xPolItemAcc.setIsAllowed(Boolean.TRUE);
+					xPolItemAcc.setType(xAccTypeDef.getId());
+					xPolItemAcc.setOrder(i);
+					xPolItemAcc.setAddedByUserId(currentUserId);
+					xPolItemAcc.setUpdatedByUserId(currentUserId);
+					xPolItemAcc.setPolicyitemid(createdXXPolicyItem.getId());
+					daoMgr.getXXPolicyItemAccess().create(xPolItemAcc);
+				}
+
+				for (int i = 0; i < DEFAULT_POLICY_USERS.size(); i++) {
+					String user = DEFAULT_POLICY_USERS.get(i);
+					if (StringUtils.isBlank(user)) {
+						continue;
+					}
+					XXUser xxUser = daoMgr.getXXUser().findByUserName(user);
+					if (xxUser == null) {
+						throw new RuntimeException(user + ": user does not exist. policy='" + xxPolicy.getName()
+								+ "' service='" + xxPolicy.getService() + "' user='" + user + "'");
+					}
+					XXPolicyItemUserPerm xUserPerm = new XXPolicyItemUserPerm();
+					xUserPerm.setUserId(xxUser.getId());
+					xUserPerm.setPolicyItemId(createdXXPolicyItem.getId());
+					xUserPerm.setOrder(i);
+					xUserPerm.setAddedByUserId(currentUserId);
+					xUserPerm.setUpdatedByUserId(currentUserId);
+					daoMgr.getXXPolicyItemUserPerm().create(xUserPerm);
+				}
+
+				String policyResourceName = KAFKA_RESOURCE_CLUSTER;
+				if ("all - delegationtoken".equals(newResource)) {
+					policyResourceName = KAFKA_RESOURCE_DELEGATIONTOKEN;
+				}
+				XXResourceDef xResDef = daoMgr.getXXResourceDef().findByNameAndPolicyId(policyResourceName,
+						createdPolicy.getId());
+				if (xResDef == null) {
+					throw new RuntimeException(policyResourceName + ": is not a valid resource-type. policy='"
+							+ createdPolicy.getName() + "' service='" + createdPolicy.getService() + "'");
+				}
+
+				XXPolicyResource xPolRes = new XXPolicyResource();
+
+				xPolRes.setAddedByUserId(currentUserId);
+				xPolRes.setUpdatedByUserId(currentUserId);
+				xPolRes.setIsExcludes(Boolean.FALSE);
+				xPolRes.setIsRecursive(Boolean.FALSE);
+				xPolRes.setPolicyId(createdPolicy.getId());
+				xPolRes.setResDefId(xResDef.getId());
+				xPolRes = daoMgr.getXXPolicyResource().create(xPolRes);
+
+				XXPolicyResourceMap xPolResMap = new XXPolicyResourceMap();
+				xPolResMap.setResourceId(xPolRes.getId());
+				xPolResMap.setValue("*");
+				xPolResMap.setOrder(resourceMapOrder);
+				xPolResMap.setAddedByUserId(currentUserId);
+				xPolResMap.setUpdatedByUserId(currentUserId);
+				daoMgr.getXXPolicyResourceMap().create(xPolResMap);
+				resourceMapOrder++;
+				logger.info("Creating policy for service id : " + xxService.getId());
+			}
+		}
+		logger.info("<== createDefaultPolicyForNewResources ");
+	}
+}
\ No newline at end of file
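Review bot: Failures in this patch are logged and then dropped: `updateKafkaServiceDef()` catches `Exception` at the end of its `try`, and `execLoad()` does the same, so `main()` would still reach `System.exit(0)` when the service-def update or the policy creation failed. `createDefaultPolicyForNewResources()` throws `RuntimeException` for a missing access type, user (`kafka`, `rangerlookup`) or resource def only after `daoMgr.getXXPolicy().create(xxPolicy)` and the policy-item insert have run, so unless a transaction not visible here wraps the call, a policy row without users or resources can be left behind. I would rethrow from both catch blocks, e.g. `throw new RuntimeException("Error while applying PatchForKafkaServiceDefUpdate_J10025", e);`, and resolve the users, access types and resource def before the first `create(...)`. Separately, the policy item grants all ten access types with `setDelegateAdmin(Boolean.TRUE)` on `*` to `rangerlookup` as well as `kafka`; it is worth confirming that the lookup account needs more than describe-level access.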

http://git-wip-us.apache.org/repos/asf/ranger/blob/9888dfac/src/main/assembly/plugin-kafka.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/plugin-kafka.xml b/src/main/assembly/plugin-kafka.xml
index 97ff8ad..7c55128 100644
--- a/src/main/assembly/plugin-kafka.xml
+++ b/src/main/assembly/plugin-kafka.xml
@@ -62,7 +62,6 @@
 							</include>
 							<include>commons-lang:commons-lang</include>
 							<include>commons-io:commons-io</include>
-							<include>com.google.guava:guava:jar:${google.guava.version}</include>
 							<include>org.apache.httpcomponents:httpclient:jar:${httpcomponents.httpclient.version}
 							</include>
 							<include>org.apache.httpcomponents:httpcore:jar:${httpcomponents.httpcore.version}


[11/28] ranger git commit: RANGER-2257:Add policyID to error message when click the Access log of Audit

Posted by me...@apache.org.
RANGER-2257:Add policyID to error message when click the Access log of Audit

Signed-off-by: peng.jianhua <pe...@zte.com.cn>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/43d49bdf
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/43d49bdf
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/43d49bdf

Branch: refs/heads/ranger-1
Commit: 43d49bdf1b6f880952e8d59bf548ba7a65f6d902
Parents: 8ecf24b
Author: zhangqiang2 <zh...@zte.com.cn>
Authored: Fri Oct 19 11:21:45 2018 +0800
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:43:09 2018 +0530

----------------------------------------------------------------------
 .../src/main/java/org/apache/ranger/biz/ServiceDBStore.java        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/43d49bdf/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 63c9432..f2d61d3 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -2838,7 +2838,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 				AppConstants.CLASS_TYPE_RANGER_POLICY, policyId);
 
 		if (xDataHist == null) {
-			String errMsg = "No policy history found for given time: " + eventTime;
+			String errMsg = "No policy history found for given policy ID: " + policyId + " and event time: " + eventTime;
 			LOG.error(errMsg);
 			throw restErrorUtil.createRESTException(errMsg, MessageEnums.DATA_NOT_FOUND);
 		}


[22/28] ranger git commit: RANGER-2284: Unable to build image using docker

Posted by me...@apache.org.
RANGER-2284: Unable to build image using docker


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/3e0f334a
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/3e0f334a
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/3e0f334a

Branch: refs/heads/ranger-1
Commit: 3e0f334adb88ab20105a7a5248947b5418566d2c
Parents: 9ad7c37
Author: Don Bosco Durai <bo...@apache.org>
Authored: Thu Nov 15 22:26:20 2018 -0800
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:44:55 2018 +0530

----------------------------------------------------------------------
 build_ranger_using_docker.sh | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/3e0f334a/build_ranger_using_docker.sh
----------------------------------------------------------------------
diff --git a/build_ranger_using_docker.sh b/build_ranger_using_docker.sh
index 82b7179..fa77d91 100755
--- a/build_ranger_using_docker.sh
+++ b/build_ranger_using_docker.sh
@@ -22,12 +22,12 @@
 #5. To delete the image, run "[sudo] docker rmi ranger_dev"
 
 #Usage: [sudo] ./build_ranger_using_docker.sh [-build_image] mvn  <build params>
-#Example 1 (default no param): (mvn -DskipTests=true clean compile package install assembly:assembly)
-#Example 2 (Regular build): ./build_ranger_using_docker.sh mvn clean install -DskipTests=true 
-#Example 3 (Recreate Docker image): ./build_ranger_using_docker.sh mvn -build_image clean install -DskipTests=true 
+#Example 1 (default no param): (mvn -Pall -DskipTests=true clean compile package install assembly:assembly)
+#Example 2 (Regular build): ./build_ranger_using_docker.sh mvn -Pall clean install -DskipTests=true
+#Example 3 (Recreate Docker image): ./build_ranger_using_docker.sh mvn -Pall -build_image clean install -DskipTests=true 
 #Notes: To remove build image manually, run "docker rmi ranger_dev" or "sudo docker rmi ranger_dev"
 
-default_command="mvn -DskipTests=true clean compile package install assembly:assembly"
+default_command="mvn -Pall -DskipTests=true clean compile package install assembly:assembly"
 build_image=0
 if [ "$1" = "-build_image" ]; then
     build_image=1
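Review bot: Example 3 in the usage comment still places `-build_image` after `mvn`, but the check just below is `if [ "$1" = "-build_image" ]`, so as written the flag is only recognised as the first argument and the example would pass `-build_image` on to Maven. The `#Usage:` line already shows the order the check expects, so the example should read `#Example 3 (Recreate Docker image): ./build_ranger_using_docker.sh -build_image mvn -Pall clean install -DskipTests=true`. The argument handling continues outside this hunk, so confirm nothing later re-scans the arguments for the flag.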
@@ -75,14 +75,14 @@ ENV JAVA_HOME /usr/java/latest
 ENV  PATH $JAVA_HOME/bin:$PATH
 
 
-ADD https://www.apache.org/dist/maven/maven-3/3.5.3/binaries/apache-maven-3.5.3-bin.tar.gz.sha1 /tools
-ADD http://www-us.apache.org/dist/maven/maven-3/3.5.3/binaries/apache-maven-3.5.3-bin.tar.gz /tools
-RUN sha1sum  apache-maven-3.5.3-bin.tar.gz | cut -f 1 -d " " > tmp.sha1
+ADD https://www.apache.org/dist/maven/maven-3/3.5.4/binaries/apache-maven-3.5.4-bin.tar.gz.sha512 /tools
+ADD http://www-us.apache.org/dist/maven/maven-3/3.5.4/binaries/apache-maven-3.5.4-bin.tar.gz /tools
+RUN sha512sum  apache-maven-3.5.4-bin.tar.gz | cut -f 1 -d " " > tmp.sha1
 
-RUN diff -w tmp.sha1 apache-maven-3.5.3-bin.tar.gz.sha1
+RUN diff -w tmp.sha1 apache-maven-3.5.4-bin.tar.gz.sha512
 
-RUN tar xfz apache-maven-3.5.3-bin.tar.gz
-RUN ln -sf /tools/apache-maven-3.5.3 /tools/maven
+RUN tar xfz apache-maven-3.5.4-bin.tar.gz
+RUN ln -sf /tools/apache-maven-3.5.4 /tools/maven
 
 ENV  PATH /tools/maven/bin:$PATH
 ENV MAVEN_OPTS "-Xmx2048m -XX:MaxPermSize=512m"
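Review bot: The Maven archive in the second `ADD` is still fetched over plain `http://`, so the digest comparison is the only integrity control on the build toolchain, and that comparison now stores a SHA-512 value in a file still named `tmp.sha1`. Rename the scratch file so the step reads correctly, `RUN sha512sum apache-maven-3.5.4-bin.tar.gz | cut -f 1 -d " " > tmp.sha512` and `RUN diff -w tmp.sha512 apache-maven-3.5.4-bin.tar.gz.sha512`, and switch the archive URL to `https://` if the host serves it. The `diff -w` step only passes when the published `.sha512` file contains the bare hex digest and nothing else, which is worth a comment next to it. Because the checksum is published by the same distribution site as the archive, verifying the detached signature against the project's KEYS file would be a stronger check than the digest alone.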


[18/28] ranger git commit: RANGER-2244: Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.91 or later.

Posted by me...@apache.org.
RANGER-2244: Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.91 or later.

Signed-off-by: Mehul Parikh <me...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/dcfd789f
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/dcfd789f
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/dcfd789f

Branch: refs/heads/ranger-1
Commit: dcfd789fd2c29e3df78b050b4b273a856bd386e1
Parents: 9834698
Author: zhangqiang2 <zh...@zte.com.cn>
Authored: Thu Nov 15 16:47:04 2018 +0800
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:44:23 2018 +0530

----------------------------------------------------------------------
 .../java/org/apache/ranger/server/tomcat/EmbeddedServer.java     | 4 ----
 pom.xml                                                          | 2 +-
 2 files changed, 1 insertion(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/dcfd789f/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
----------------------------------------------------------------------
diff --git a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
index eac0dac..8d32352 100644
--- a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
+++ b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
@@ -27,7 +27,6 @@ import java.util.Iterator;
 import java.util.Properties;
 import java.util.logging.Logger;
 import java.util.List;
-import javax.servlet.ServletException;
 
 import org.apache.catalina.Context;
 import org.apache.catalina.LifecycleException;
@@ -222,9 +221,6 @@ public class EmbeddedServer {
 			webappCtx.init();
 			LOG.info("Finished init of webapp [" + webContextName
 					+ "] = path [" + webapp_dir + "].");
-		} catch (ServletException e1) {
-			LOG.severe("Tomcat Server failed to add webapp:" + e1.toString());
-			e1.printStackTrace();
 		} catch (LifecycleException lce) {
 			LOG.severe("Tomcat Server failed to start webapp:" + lce.toString());
 			lce.printStackTrace();

http://git-wip-us.apache.org/repos/asf/ranger/blob/dcfd789f/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 147b6b9..7aa326c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -212,7 +212,7 @@
         <sqoop.version>1.99.7</sqoop.version>
         <storm.version>1.2.0</storm.version>
         <sun-jersey-bundle.version>1.19</sun-jersey-bundle.version>
-        <tomcat.embed.version>7.0.90</tomcat.embed.version>
+        <tomcat.embed.version>7.0.91</tomcat.embed.version>
         <velocity.version>1.7</velocity.version>
         <zookeeper.version>3.4.6</zookeeper.version>
     </properties>


[16/28] ranger git commit: RANGER-2298 Modify JAVA_VERSION_REQUIRED to 1.8 in install.properties

Posted by me...@apache.org.
RANGER-2298 Modify JAVA_VERSION_REQUIRED to 1.8 in install.properties

Signed-off-by: peng.jianhua <pe...@zte.com.cn>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/a18f3d12
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/a18f3d12
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/a18f3d12

Branch: refs/heads/ranger-1
Commit: a18f3d12bbc53e30e21a7a53eb542a8d51a23554
Parents: 58ca383
Author: zhangqiang2 <zh...@zte.com.cn>
Authored: Fri Nov 30 15:27:34 2018 +0800
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:43:58 2018 +0530

----------------------------------------------------------------------
 kms/scripts/install.properties            | 2 +-
 security-admin/scripts/install.properties | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/a18f3d12/kms/scripts/install.properties
----------------------------------------------------------------------
diff --git a/kms/scripts/install.properties b/kms/scripts/install.properties
index 947d9f3..aea0bb8 100755
--- a/kms/scripts/install.properties
+++ b/kms/scripts/install.properties
@@ -230,7 +230,7 @@ TMPFILE=$PWD/.fi_tmp
 LOGFILE=$PWD/logfile
 
 JAVA_BIN='java'
-JAVA_VERSION_REQUIRED='1.7'
+JAVA_VERSION_REQUIRED='1.8'
 JAVA_ORACLE='Java(TM) SE Runtime Environment'
 
 mysql_core_file=db/mysql/kms_core_db.sql

http://git-wip-us.apache.org/repos/asf/ranger/blob/a18f3d12/security-admin/scripts/install.properties
----------------------------------------------------------------------
diff --git a/security-admin/scripts/install.properties b/security-admin/scripts/install.properties
index 674844c..fdcee1b 100644
--- a/security-admin/scripts/install.properties
+++ b/security-admin/scripts/install.properties
@@ -223,7 +223,7 @@ LOGFILE=$PWD/logfile
 LOGFILES="$LOGFILE"
 
 JAVA_BIN='java'
-JAVA_VERSION_REQUIRED='1.7'
+JAVA_VERSION_REQUIRED='1.8'
 JAVA_ORACLE='Java(TM) SE Runtime Environment'
 
 ranger_admin_max_heap_size=1g


[17/28] ranger git commit: RANGER-2292 : Test case fix for RANGER-2276

Posted by me...@apache.org.
RANGER-2292 : Test case fix for RANGER-2276

Signed-off-by: Mehul Parikh <me...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/98346985
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/98346985
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/98346985

Branch: refs/heads/ranger-1
Commit: 983469858b42f833f3014cac3473249f4a01080d
Parents: a18f3d1
Author: Bhavik Patel <bh...@gmail.com>
Authored: Mon Nov 26 15:46:22 2018 +0530
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:44:15 2018 +0530

----------------------------------------------------------------------
 .../src/test/java/org/apache/ranger/biz/TestXUserMgr.java          | 2 ++
 1 file changed, 2 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/98346985/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
index 0e4a957..49c57a6 100644
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
@@ -579,6 +579,7 @@ public class TestXUserMgr {
 		XXModuleDefDao value = Mockito.mock(XXModuleDefDao.class);
 		Mockito.when(daoManager.getXXModuleDef()).thenReturn(value);
 		Mockito.when(userMgr.createDefaultAccountUser((VXPortalUser) Mockito.any())).thenReturn(vXPortalUser);
+    Mockito.when(stringUtil.validateEmail("test@test.com")).thenReturn(true);
 		VXUser dbUser = xUserMgr.createXUser(vxUser);
 		Assert.assertNotNull(dbUser);
 		userId = dbUser.getId();
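Review bot: Both added stubs (here and in the hunk at line 650) only make `stringUtil.validateEmail("test@test.com")` return `true`, so the rejection branch that RANGER-2276 added to `XUserMgr.createXUser` is never exercised. A companion test that stubs `validateEmail` to return `false` and expects the REST exception would pin the validation these tests now depend on. The two added lines are indented with spaces while the surrounding lines use tabs. The test methods start outside both hunks, so whether `stringUtil` is declared as a mock in this class cannot be confirmed from here.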
@@ -649,6 +650,7 @@ public class TestXUserMgr {
 		vxUser.setFirstName("null");
 		vxUser.setLastName("null");
 		Mockito.when(xUserService.createResource(vxUser)).thenReturn(vxUser);
+    Mockito.when(stringUtil.validateEmail("test@test.com")).thenReturn(true);
 		xUserMgr.createXUser(vxUser);
 	}
 


[14/28] ranger git commit: RANGER-2266:To make Id to ID in Audit Pages of Ranger Admin

Posted by me...@apache.org.
RANGER-2266:To make Id to ID in Audit Pages of Ranger Admin

Signed-off-by: peng.jianhua <pe...@zte.com.cn>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/ae120d0b
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/ae120d0b
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/ae120d0b

Branch: refs/heads/ranger-1
Commit: ae120d0b92a589e91d38688d8ae5cf5c14094e19
Parents: f52bffd
Author: zhangqiang2 <zh...@zte.com.cn>
Authored: Thu Oct 25 15:13:09 2018 +0800
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:43:28 2018 +0530

----------------------------------------------------------------------
 .../src/main/webapp/scripts/modules/globalize/message/en.js  | 6 +++---
 .../src/main/webapp/scripts/views/reports/AuditLayout.js     | 8 ++++----
 2 files changed, 7 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/ae120d0b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
index 19cc7b4..2c0ee98 100644
--- a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
+++ b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
@@ -165,7 +165,7 @@ define(function(require) {
 				policyStatus					: 'Policy Status',
 				httpResponseCode				: 'Http Response Code',
 				repositoryName					: 'Repository Name',
-				agentId							: 'Plugin Id',
+				agentId							: 'Plugin ID',
 				agentIp							: 'Plugin IP',
 				createDate						: 'Export Date',
 				attributeName 					: 'Attribute Name',
@@ -177,12 +177,12 @@ define(function(require) {
 				columnType						: 'Column Type',
 				accountName						: 'Account Name',
 				createdDate						: 'Created Date',
-				sessionId						: 'Session Id',
+				sessionId						: 'Session ID',
 				operation						: 'Operation',
 				auditType						: 'Audit Type',
 				user							: 'User',
 				actions							: 'Actions',
-				loginId							: 'Login Id',
+				loginId							: 'Login ID',
 				loginType						: 'Login Type',
 				ip								: 'IP',
 				userAgent						: 'User Agent',

http://git-wip-us.apache.org/repos/asf/ranger/blob/ae120d0b/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js b/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
index 3da1567..fe9566c 100644
--- a/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
+++ b/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
@@ -420,9 +420,9 @@ define(function(require) {
 		},
 		addSearchForAdminTab : function(){
 			var that = this;
-			var searchOpt = ["Audit Type", "User", "Actions", "Session Id", "Start Date", "End Date"];
+			var searchOpt = ["Audit Type", "User", "Actions", "Session ID", "Start Date", "End Date"];
 			var serverAttrName  = [{text : "Audit Type", label :"objectClassType",'multiple' : true, 'optionsArr' : XAUtils.enumToSelectLabelValuePairs(XAEnums.ClassTypes)},
-                                               {text : "User", label :"owner"}, {text :  "Session Id", label :"sessionId"},
+                                               {text : "User", label :"owner"}, {text :  "Session ID", label :"sessionId"},
                                                {text : 'Start Date',label :'startDate'},{text : 'End Date',label :'endDate'},
                                                {text : "Actions", label :"action",'multiple' : true, 'optionsArr' : XAUtils.enumToSelectLabelValuePairs(XAGlobals.ActionType)},];
 			
@@ -490,8 +490,8 @@ define(function(require) {
 		},
 		addSearchForLoginSessionTab : function(){
                         var that = this , query = '' ;
-			var searchOpt = ["Session Id", "Login Id", "Result", "Login Type", "IP", "User Agent", "Start Date","End Date"];
-			var serverAttrName  = [{text : "Session Id", label :"id"}, {text : "Login Id", label :"loginId"},
+			var searchOpt = ["Session ID", "Login ID", "Result", "Login Type", "IP", "User Agent", "Start Date","End Date"];
+			var serverAttrName  = [{text : "Session ID", label :"id"}, {text : "Login ID", label :"loginId"},
 			                       {text : "Result", label :"authStatus",'multiple' : true, 'optionsArr' : XAUtils.enumToSelectLabelValuePairs(XAEnums.AuthStatus)},
 			                       {text : "Login Type", label :"authType",'multiple' : true, 'optionsArr' : XAUtils.enumToSelectLabelValuePairs(XAEnums.AuthType)},
 			                       {text : "IP", label :"requestIP"},{text :"User Agent", label :"requestUserAgent"},


[08/28] ranger git commit: RANGER-2256 - Grammatical error in UI

Posted by me...@apache.org.
RANGER-2256 - Grammatical error in UI

Signed-off-by: Colm O hEigeartaigh <co...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/584136c5
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/584136c5
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/584136c5

Branch: refs/heads/ranger-1
Commit: 584136c5e73e0df90ca561f1a2e2efd9cbbe560a
Parents: 6efdb0f
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Oct 17 17:19:52 2018 +0100
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:42:02 2018 +0530

----------------------------------------------------------------------
 .../src/main/webapp/scripts/modules/globalize/message/en.js        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/584136c5/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
index 99cbf55..19cc7b4 100644
--- a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
+++ b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js
@@ -434,7 +434,7 @@ define(function(require) {
                 pleaseSelectAccessTypeForTagMasking : 'Please select access type first to enable add masking options.',
                 addUserOrGroupForDelegateAdmin      : 'Please select user/group for the selected permission(s)',
                 policyLabelsinfo		: 'Enter label of policy',
-                noUserFoundText			: 'No user associate with this group.',
+                noUserFoundText			: 'No user is associated with this group.',
                 showInitialHundredUser  : 'Initially search filter is applied for first hundred users. To get more users click on ',
                 searchForUserSync       :"Search for your user sync audits...",
                 policyExpired           :'Policy Expired',


[27/28] ranger git commit: RANGER-2280:The emptyText of User Sync and Plugin Status should be reasonable

Posted by me...@apache.org.
RANGER-2280:The emptyText of User Sync and Plugin Status should be reasonable

Signed-off-by: peng.jianhua <pe...@zte.com.cn>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/92fe4c4b
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/92fe4c4b
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/92fe4c4b

Branch: refs/heads/ranger-1
Commit: 92fe4c4b4bb8db3dcfd9d2aa0bcba02f7562c0e2
Parents: 65e4ee2
Author: zhangqiang2 <zh...@zte.com.cn>
Authored: Thu Nov 8 15:03:26 2018 +0800
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 18:05:13 2018 +0530

----------------------------------------------------------------------
 .../src/main/webapp/scripts/views/reports/AuditLayout.js         | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/92fe4c4b/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js b/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
index 56385bc..9040c49 100644
--- a/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
+++ b/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js
@@ -1408,7 +1408,7 @@ define(function(require) {
 				gridOpts : {
 					row : 	Backgrid.Row.extend({}),
 					header : XABackgrid,
-						emptyText : 'No plugin found!'
+						emptyText : 'No plugin status found!'
 				}
 			}));	
 		},
@@ -1582,7 +1582,7 @@ define(function(require) {
                 gridOpts : {
                     row : Backgrid.Row.extend({}),
                     header : XABackgrid,
-                    emptyText : 'No plugin found!'
+                    emptyText : 'No user sync audit found!'
                 }
             }));
         },


[23/28] ranger git commit: RANGER-2276:Email Address should be verified when Add New User in Ranger Admin

Posted by me...@apache.org.
RANGER-2276:Email Address should be verified when Add New User in Ranger Admin

Signed-off-by: peng.jianhua <pe...@zte.com.cn>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/edfe7fca
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/edfe7fca
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/edfe7fca

Branch: refs/heads/ranger-1
Commit: edfe7fcae90a8823b9ea408af3a8c8d85b1d88e9
Parents: 3e0f334
Author: zhangqiang2 <zh...@zte.com.cn>
Authored: Mon Nov 12 16:31:17 2018 +0800
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:45:06 2018 +0530

----------------------------------------------------------------------
 .../java/org/apache/ranger/biz/XUserMgr.java    | 33 +++++++++++++-------
 1 file changed, 21 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/edfe7fca/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index a875db6..e330b5a 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -30,6 +30,7 @@ import java.util.Objects;
 import java.util.Set;
 
 import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.common.ContextUtil;
 import org.apache.ranger.common.GUIDUtil;
 import org.apache.ranger.common.RangerCommonEnums;
@@ -44,13 +45,13 @@ import org.apache.ranger.security.context.RangerAPIMapping;
 import org.apache.ranger.service.*;
 import org.apache.ranger.view.*;
 import org.apache.log4j.Logger;
-import org.apache.ranger.authorization.utils.StringUtil;
 import org.apache.ranger.common.AppConstants;
 import org.apache.ranger.common.MessageEnums;
 import org.apache.ranger.common.PropertiesUtil;
 import org.apache.ranger.common.RangerConstants;
 import org.apache.ranger.common.RangerServicePoliciesCache;
 import org.apache.ranger.common.SearchCriteria;
+import org.apache.ranger.common.StringUtil;
 import org.apache.ranger.common.UserSessionBase;
 import org.apache.ranger.db.RangerDaoManager;
 import org.apache.ranger.db.XXAuditMapDao;
@@ -85,7 +86,6 @@ import org.springframework.transaction.annotation.Transactional;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.ranger.entity.XXPortalUserRole;
-import org.springframework.util.StringUtils;
 
 @Component
 public class XUserMgr extends XUserMgrBase {
@@ -141,9 +141,10 @@ public class XUserMgr extends XUserMgrBase {
 	@Autowired
 	XGroupUserService xGroupUserService;
 
-	static final Logger logger = Logger.getLogger(XUserMgr.class);
-
+	@Autowired
+	StringUtil stringUtil;
 
+	static final Logger logger = Logger.getLogger(XUserMgr.class);
 
 	public VXUser getXUserByUserName(String userName) {
 		VXUser vXUser=null;
@@ -191,7 +192,15 @@ public class XUserMgr extends XUserMgrBase {
 		if("null".equalsIgnoreCase(vXPortalUser.getLastName())){
 			vXPortalUser.setLastName("");
 		}
-		vXPortalUser.setEmailAddress(vXUser.getEmailAddress());
+
+		String emailAddress = vXUser.getEmailAddress();
+		if (StringUtils.isNotEmpty(emailAddress) && !stringUtil.validateEmail(emailAddress)) {
+			logger.warn("Invalid email address:" + emailAddress);
+			throw restErrorUtil.createRESTException("Please provide valid email address.",
+					MessageEnums.INVALID_INPUT_DATA);
+		}
+		vXPortalUser.setEmailAddress(emailAddress);
+
 		if (vXPortalUser.getFirstName() != null
 				&& vXPortalUser.getLastName() != null
 				&& !vXPortalUser.getFirstName().trim().isEmpty()
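Review bot: `logger.warn("Invalid email address:" + emailAddress);` writes a request-supplied value that has just failed validation straight into the log, so it can carry line breaks or control characters that forge or corrupt log entries. Neutralise it before logging, for example `logger.warn("Invalid email address:" + emailAddress.replaceAll("[\\r\\n]", "_"));`, or log only that validation failed. The check is added to this one method, whose start and end are outside the hunk. If an update path elsewhere in `XUserMgr` also calls `setEmailAddress`, it would presumably need the same `validateEmail` guard, which should be confirmed.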
@@ -1065,7 +1074,7 @@ public class XUserMgr extends XUserMgrBase {
 		List<VXUserPermission> userPermListOld = new ArrayList<VXUserPermission>();
 
 		XXModuleDef xModuleDef = daoManager.getXXModuleDef().getById(vXModuleDef.getId());
-		if(!StringUtil.equals(xModuleDef.getModule(), vXModuleDef.getModule())) {
+		if(!StringUtils.equals(xModuleDef.getModule(), vXModuleDef.getModule())) {
 			throw restErrorUtil.createRESTException("Module name change is not allowed!", MessageEnums.DATA_NOT_UPDATABLE);
 		}
 		VXModuleDef vModuleDefPopulateOld = xModuleDefService.populateViewBean(xModuleDef);
@@ -1979,7 +1988,7 @@ public class XUserMgr extends XUserMgrBase {
 		XXGroupDao xXGroupDao = daoManager.getXXGroup();
 		XXGroup xXGroup = xXGroupDao.getById(id);
 		VXGroup vXGroup = xGroupService.populateViewBean(xXGroup);
-		if (vXGroup == null || StringUtil.isEmpty(vXGroup.getName())) {
+		if (vXGroup == null || StringUtils.isEmpty(vXGroup.getName())) {
 			throw restErrorUtil.createRESTException("Group ID doesn't exist.", MessageEnums.INVALID_INPUT_DATA);
 		}
 		if(logger.isDebugEnabled()){
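Review bot: Swapping `StringUtil.isEmpty` for commons-lang `StringUtils.isEmpty` in this guard may change which names are rejected, because the commons-lang method treats a whitespace-only string as non-empty. The removed `org.apache.ranger.authorization.utils.StringUtil` is not shown on this page; if it trimmed before testing, a group whose name is only spaces would now pass the "Group ID doesn't exist." check. If the earlier behaviour is wanted, `StringUtils.isBlank(vXGroup.getName())` keeps it. The same substitution appears in the hunks at lines 2148, 2157, 2331 and 2355, where `isNotEmpty` would become `isNotBlank`.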
@@ -2148,7 +2157,7 @@ public class XUserMgr extends XUserMgrBase {
 		XXUserDao xXUserDao = daoManager.getXXUser();
 		XXUser xXUser =	xXUserDao.getById(id);
 		VXUser vXUser =	xUserService.populateViewBean(xXUser);
-		if(vXUser==null ||StringUtil.isEmpty(vXUser.getName())){
+		if(vXUser==null || StringUtils.isEmpty(vXUser.getName())){
 			throw restErrorUtil.createRESTException("No user found with id=" + id);
 		}
 		XXPortalUserDao xXPortalUserDao=daoManager.getXXPortalUser();
@@ -2157,7 +2166,7 @@ public class XUserMgr extends XUserMgrBase {
 		if(xXPortalUser!=null){
 			vXPortalUser=xPortalUserService.populateViewBean(xXPortalUser);
 		}
-		if(vXPortalUser==null ||StringUtil.isEmpty(vXPortalUser.getLoginId())){
+		if(vXPortalUser==null || StringUtils.isEmpty(vXPortalUser.getLoginId())){
 			throw restErrorUtil.createRESTException("No user found with id=" + id);
 		}
 		if (logger.isDebugEnabled()) {
@@ -2331,10 +2340,10 @@ public class XUserMgr extends XUserMgrBase {
 	private <T extends RangerPolicyItem> void removeUserGroupReferences(List<T> policyItems, String user, String group) {
 		List<T> itemsToRemove = null;
 		for(T policyItem : policyItems) {
-			if(!StringUtil.isEmpty(user)) {
+			if(StringUtils.isNotEmpty(user)) {
 				policyItem.getUsers().remove(user);
 			}
-			if(!StringUtil.isEmpty(group)) {
+			if(StringUtils.isNotEmpty(group)) {
 				policyItem.getGroups().remove(group);
 			}
 			if(policyItem.getUsers().isEmpty() && policyItem.getGroups().isEmpty()) {
@@ -2355,7 +2364,7 @@ public class XUserMgr extends XUserMgrBase {
 			if (!session.isUserAdmin()) {
 				throw restErrorUtil.create403RESTException("Operation denied. LoggedInUser= "+session.getXXPortalUser().getLoginId() + " isn't permitted to perform the action.");
 			}else{
-				if(!StringUtil.isEmpty(loginID) && loginID.equals(session.getLoginId())){
+				if(StringUtils.isNotEmpty(loginID) && loginID.equals(session.getLoginId())){
 					throw restErrorUtil.create403RESTException("Operation denied. LoggedInUser= "+session.getXXPortalUser().getLoginId() + " isn't permitted to delete his own profile.");
 				}
 			}


[02/28] ranger git commit: RANGER-2239 - Update to surefire 2.21.0

Posted by me...@apache.org.
RANGER-2239 - Update to surefire 2.21.0

Signed-off-by: Colm O hEigeartaigh <co...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/4cb5f34b
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/4cb5f34b
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/4cb5f34b

Branch: refs/heads/ranger-1
Commit: 4cb5f34b0ca0eb8a69a68959a8754eca94377131
Parents: b5d52f8
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Oct 2 09:50:27 2018 +0100
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 17:33:20 2018 +0530

----------------------------------------------------------------------
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/4cb5f34b/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 0d2cc66..99dc0db 100644
--- a/pom.xml
+++ b/pom.xml
@@ -388,7 +388,7 @@
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-surefire-plugin</artifactId>
-                    <version>2.20.1</version>
+                    <version>2.21.0</version>
                     <configuration>
                         <argLine>-Djava.library.path="${hadoop.library.path}${path.separator}${java.library.path}"</argLine>
                         <skipTests>${skipTests}</skipTests>


[28/28] ranger git commit: RANGER-2210:Ranger support for Apache Kafka 2.0.0

Posted by me...@apache.org.
RANGER-2210:Ranger support for Apache Kafka 2.0.0

Signed-off-by: rmani <rm...@hortonworks.com>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/ea4cf885
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/ea4cf885
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/ea4cf885

Branch: refs/heads/ranger-1
Commit: ea4cf885b072a8ef068092529b0c5c43770e756a
Parents: 92fe4c4
Author: rmani <rm...@hortonworks.com>
Authored: Tue Sep 25 15:01:21 2018 -0700
Committer: Mehul Parikh <me...@apache.org>
Committed: Mon Dec 17 15:13:11 2018 +0530

----------------------------------------------------------------------
 .../kafka/authorizer/RangerKafkaAuthorizer.java              | 8 +++++---
 .../kafka/authorizer/KafkaRangerAuthorizerTest.java          | 6 ++----
 pom.xml                                                      | 4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/ea4cf885/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
index 1745ad9..8a661d8 100644
--- a/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
+++ b/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
@@ -26,7 +26,6 @@ import javax.security.auth.Subject;
 
 import org.apache.kafka.common.network.ListenerName;
 import org.apache.kafka.common.security.JaasContext;
-import org.apache.kafka.common.security.JaasContext.Type;
 import org.apache.kafka.common.security.auth.KafkaPrincipal;
 import org.apache.kafka.common.security.auth.SecurityProtocol;
 
@@ -37,7 +36,9 @@ import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.kafka.common.config.SaslConfigs;
 import org.apache.kafka.common.security.authenticator.LoginManager;
+import org.apache.kafka.common.security.kerberos.KerberosLogin;
 import org.apache.ranger.audit.provider.MiscUtil;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
@@ -96,8 +97,9 @@ public class RangerKafkaAuthorizer implements Authorizer {
 						final String listenerName = (jaasContext instanceof String
 								&& StringUtils.isNotEmpty((String) jaasContext)) ? (String) jaasContext
 										: SecurityProtocol.SASL_PLAINTEXT.name();
-						JaasContext context = JaasContext.load(Type.SERVER, new ListenerName(listenerName), configs);
-						LoginManager loginManager = LoginManager.acquireLoginManager(context, true, configs);
+						final String saslMechanism = SaslConfigs.GSSAPI_MECHANISM;
+						JaasContext context = JaasContext.loadServerContext(new ListenerName(listenerName), saslMechanism, configs);
+						LoginManager loginManager = LoginManager.acquireLoginManager(context, saslMechanism, KerberosLogin.class, configs);
 						Subject subject = loginManager.subject();
 						UserGroupInformation ugi = MiscUtil
 								.createUGIFromSubject(subject);
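Review bot: The new `saslMechanism` is fixed to `SaslConfigs.GSSAPI_MECHANISM` and the login class to `KerberosLogin.class` with no comment explaining why, while the listener name just above is still taken from configuration and falls back to `SASL_PLAINTEXT`. A listener configured for a different SASL mechanism would presumably still attempt a Kerberos login here, so the intent deserves a line such as `// Kerberos (GSSAPI) login; the Subject is turned into a UGI below`. The enclosing block starts and ends outside the hunk, so it is not visible whether the acquired `LoginManager` is ever released.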

http://git-wip-us.apache.org/repos/asf/ranger/blob/ea4cf885/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java
----------------------------------------------------------------------
diff --git a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java
index bccdb80..8d2f0a4 100644
--- a/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java
+++ b/plugin-kafka/src/test/java/org/apache/ranger/authorization/kafka/authorizer/KafkaRangerAuthorizerTest.java
@@ -82,8 +82,8 @@ public class KafkaRangerAuthorizerTest {
     @org.junit.BeforeClass
     public static void setup() throws Exception {
     	// Create keys
-    	String serviceDN = "CN=Service,O=Apache,L=Dublin,ST=Leinster,C=IE";
-    	String clientDN = "CN=Client,O=Apache,L=Dublin,ST=Leinster,C=IE";
+        String serviceDN = "CN=localhost,O=Apache,L=Dublin,ST=Leinster,C=IE";
+        String clientDN = "CN=localhost,O=Apache,L=Dublin,ST=Leinster,C=IE";
     	
     	// Create a truststore
     	KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
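Review bot: `clientDN` is now the same string as `serviceDN`, so the two DNs no longer distinguish the client from the service, and any check keyed on the certificate subject cannot tell them apart. If the change is meant to satisfy hostname verification of the broker certificate (likely given the Kafka 2.0.0 upgrade, but the commit does not say), only `serviceDN` needs `CN=localhost`. Keeping `String clientDN = "CN=Client,O=Apache,L=Dublin,ST=Leinster,C=IE";` would preserve a distinct client principal, provided the test's Ranger policies (not visible here) still refer to it. `setup()` continues past the end of the hunk.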
@@ -257,7 +257,6 @@ public class KafkaRangerAuthorizerTest {
         producerProps.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, "security");
         
         final Producer<String, String> producer = new KafkaProducer<>(producerProps);
-        
         // Send a message
         Future<RecordMetadata> record = 
             producer.send(new ProducerRecord<String, String>("dev", "somekey", "somevalue"));
@@ -296,7 +295,6 @@ public class KafkaRangerAuthorizerTest {
             record = producer.send(new ProducerRecord<String, String>("dev", "somekey", "somevalue"));
             producer.flush();
             record.get();
-            Assert.fail("Authorization failure expected");
         } catch (Exception ex) {
             Assert.assertTrue(ex.getMessage().contains("Not authorized to access topics"));
         }
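Review bot: With `Assert.fail("Authorization failure expected");` removed, this negative test passes when the unauthorized send succeeds, because the catch block is the only place that asserts anything. `Assert.fail` throws an `AssertionError`, which `catch (Exception ex)` does not swallow, so the original line was safe to keep after `record.get();`. If the denial is no longer surfaced as an exception at this point after the upgrade, the test should assert it another way rather than drop the check. The test method starts and ends outside the hunk.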

http://git-wip-us.apache.org/repos/asf/ranger/blob/ea4cf885/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 7aa326c..3aa4ef1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -181,7 +181,7 @@
         <jsonsmart.version>2.3</jsonsmart.version>
         <jsr305.version>1.3.9</jsr305.version>
         <junit.version>4.12</junit.version>
-        <kafka.version>1.0.0</kafka.version>
+        <kafka.version>2.0.0</kafka.version>
         <kerby.version>1.0.0</kerby.version>
         <knox.gateway.version>1.1.0</knox.gateway.version>
         <kylin.version>2.5.0</kylin.version>
@@ -203,7 +203,7 @@
         <scala.xml.version>1.0.4</scala.xml.version>
         <security-agent-install-dir>hadoop-security/plugins</security-agent-install-dir>
         <servlet.api.version>2.5</servlet.api.version>
-        <slf4j-api.version>1.7.5</slf4j-api.version>
+        <slf4j-api.version>1.7.25</slf4j-api.version>
         <solr.version>5.5.4</solr.version>
         <spring-ldap-core.version>2.3.2.RELEASE</spring-ldap-core.version>
         <springframework.security.version>4.2.7.RELEASE</springframework.security.version>


[25/28] ranger git commit: RANGER-2267: Add a icon to differentiate the status of the service

Posted by me...@apache.org.
RANGER-2267: Add a icon to differentiate the status of the service

Signed-off-by: peng.jianhua <pe...@zte.com.cn>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/64e4107c
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/64e4107c
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/64e4107c

Branch: refs/heads/ranger-1
Commit: 64e4107c1a7b69f0973398758f559c1a9def2581
Parents: d9ff1bb
Author: zhangqiang2 <zh...@zte.com.cn>
Authored: Wed Oct 31 14:22:31 2018 +0800
Committer: Mehul Parikh <me...@apache.org>
Committed: Thu Dec 13 18:04:50 2018 +0530

----------------------------------------------------------------------
 security-admin/src/main/webapp/templates/helpers/XAHelpers.js | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/64e4107c/security-admin/src/main/webapp/templates/helpers/XAHelpers.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/templates/helpers/XAHelpers.js b/security-admin/src/main/webapp/templates/helpers/XAHelpers.js
index 27de701..9e2c02b 100644
--- a/security-admin/src/main/webapp/templates/helpers/XAHelpers.js
+++ b/security-admin/src/main/webapp/templates/helpers/XAHelpers.js
@@ -521,8 +521,11 @@
                                                 <a href="javascript:void(0);" data-name="viewService" data-id="'+serv.id+'" class="btn btn-mini" title="View"><i class="icon-eye-open "></i></a>\
                                            </div>'
 				}
-				tr += '<tr><td><div>\
-						<a class="pull-left serviceNameEllipsis" data-id="'+serv.id+'" href="#!/service/'+serv.id+'/policies/'+policyType+'" title="'+_.escape(serv.attributes.name)+'">'+_.escape(serv.attributes.name)+'</a>'+serviceOperationDiv+'\
+				tr += '<tr><td><div>';
+				if (!serv.get('isEnabled')) {
+					tr += '<i class="icon-ban-circle text-color-red pull-left icon-large"></i>';
+				}
+				tr += '<a class="pull-left serviceNameEllipsis" data-id="'+serv.id+'" href="#!/service/'+serv.id+'/policies/'+policyType+'" title="'+_.escape(serv.attributes.name)+'">'+_.escape(serv.attributes.name)+'</a>'+serviceOperationDiv+'\
 					  </div></td></tr>';
 			});
 		}
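Review bot: In the rebuilt anchor line, `serv.id` and `policyType` are concatenated into `data-id` and `href` unescaped, while the service name on the same line goes through `_.escape`. Both values are probably numeric and server-generated (their origin is outside the hunk), but escaping them the same way, e.g. `data-id="'+_.escape(serv.id)+'"`, keeps the row builder consistent if that ever changes. The new `<i class="icon-ban-circle ...">` also has no `title`, so a disabled service is signalled by the icon alone; adding `title="Disabled"` would match the `title="View"` on the button above. The enclosing function starts outside the hunk.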