Posted to commits@ranger.apache.org by pr...@apache.org on 2018/09/28 06:55:53 UTC
ranger git commit: RANGER-2168: Add service admin user through
service config
Repository: ranger
Updated Branches:
refs/heads/ranger-0.7 ac456e84c -> 46c6cf878
RANGER-2168: Add service admin user through service config
(cherry picked from commit 0ebc2d30eb803f61ff51656bbc1a00f148297a08)
(cherry picked from commit a8c4c0091929fa26a6afcc2946617f5ba9eeca10)
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/46c6cf87
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/46c6cf87
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/46c6cf87
Branch: refs/heads/ranger-0.7
Commit: 46c6cf878026b1c2d7e76f838c95733271e1497b
Parents: ac456e8
Author: Pradeep Agrawal <pr...@apache.org>
Authored: Wed Sep 19 12:33:11 2018 +0530
Committer: Pradeep <pr...@apache.org>
Committed: Fri Sep 28 11:48:22 2018 +0530
----------------------------------------------------------------------
.../org/apache/ranger/biz/ServiceDBStore.java | 16 ++++++++++++++++
.../apache/ranger/db/XXServiceConfigMapDao.java | 14 ++++++++++++++
.../org/apache/ranger/rest/ServiceREST.java | 20 +++++++++-----------
.../resources/META-INF/jpa_named_queries.xml | 5 +++++
4 files changed, 44 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/46c6cf87/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 64cf043..ceee8ce 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -204,6 +204,7 @@ public class ServiceDBStore extends AbstractServiceStore {
private static final String TIMESTAMP = "Export time";
private static final String AMBARI_SERVICE_CHECK_USER = "ambari.service.check.user";
+ private static final String SERVICE_ADMIN_USERS = "service.admin.users";
public static final String CRYPT_ALGO = PropertiesUtil.getProperty("ranger.password.encryption.algorithm", PasswordUtils.DEFAULT_CRYPT_ALGO);
public static final String ENCRYPT_KEY = PropertiesUtil.getProperty("ranger.password.encryption.key", PasswordUtils.DEFAULT_ENCRYPT_KEY);
@@ -3993,4 +3994,19 @@ public class ServiceDBStore extends AbstractServiceStore {
genericUser.setDescription(RangerPolicyEngine.RESOURCE_OWNER);
xUserService.createXUserWithOutLogin(genericUser);
}
+
+ public boolean isServiceAdminUser(String serviceName, String userName) {
+ boolean ret=false;
+ XXServiceConfigMap cfgSvcAdminUsers = daoMgr.getXXServiceConfigMap().findByServiceNameAndConfigKey(serviceName, SERVICE_ADMIN_USERS);
+ String svcAdminUsers = cfgSvcAdminUsers != null ? cfgSvcAdminUsers.getConfigvalue() : null;
+ if (svcAdminUsers != null) {
+ for (String svcAdminUser : svcAdminUsers.split(",")) {
+ if (userName.equals(svcAdminUser)) {
+ ret=true;
+ break;
+ }
+ }
+ }
+ return ret;
+ }
}
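Review bot: `userName.equals(svcAdminUser)` inside the loop of `isServiceAdminUser` dereferences `userName` without a null check and compares against the raw comma-separated token, so a config value written as `admin1, admin2` never matches `admin2` because of the leading space. Both cases resolve to "not a service admin", which fails closed, but the whitespace case makes the feature silently not apply for a common way of writing the list. Suggest `if (userName != null && userName.equals(svcAdminUser.trim())) {` so the match tolerates spacing while staying exact on the name. A Javadoc line should also state the contract: the user name is compared exactly (case-sensitive) against the entries of the `service.admin.users` config of the named service, and a missing config means false.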
http://git-wip-us.apache.org/repos/asf/ranger/blob/46c6cf87/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java
index 9f97b60..9559161 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java
@@ -60,4 +60,18 @@ public class XXServiceConfigMapDao extends BaseDao<XXServiceConfigMap> {
}
}
+ public XXServiceConfigMap findByServiceNameAndConfigKey(String serviceName, String configKey) {
+ if(serviceName == null || configKey == null) {
+ return null;
+ }
+ try {
+ return getEntityManager()
+ .createNamedQuery("XXServiceConfigMap.findByServiceNameAndConfigKey", tClass)
+ .setParameter("name", serviceName)
+ .setParameter("configKey", configKey).getSingleResult();
+ } catch (NoResultException e) {
+ return null;
+ }
+ }
+
}
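Review bot: `getSingleResult()` in `findByServiceNameAndConfigKey` throws `NonUniqueResultException` when the join of XXServiceConfigMap with XXService yields more than one row, and only `NoResultException` is caught, so a duplicated config row (possible if the schema does not enforce uniqueness on service id plus config key, which is not visible here) would surface as an unhandled exception on the authorization path that calls this from ServiceDBStore.isServiceAdminUser. Returning null is the fail-closed outcome for that caller (the user is then not a service admin), so `} catch (NoResultException | NonUniqueResultException e) {` keeps the caller safe; log the non-unique case so the bad data gets noticed instead of silently denying access. `NonUniqueResultException` is in the same javax.persistence package as `NoResultException`; the import list is outside this hunk.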
http://git-wip-us.apache.org/repos/asf/ranger/blob/46c6cf87/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index e2a0c29..5e5e7dd 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -2988,7 +2988,8 @@ public class ServiceREST {
List<RangerPolicy> listToFilter = entry.getValue();
if (CollectionUtils.isNotEmpty(listToFilter)) {
- if (isAdmin || isKeyAdmin) {
+ boolean isServiceAdminUser=isAdmin || svcStore.isServiceAdminUser(serviceName, userName);
+ if (isAdmin || isKeyAdmin || isServiceAdminUser) {
XXService xService = daoManager.getXXService().findByName(serviceName);
Long serviceDefId = xService.getType();
boolean isKmsService = serviceDefId.equals(EmbeddedServiceDefsUtil.instance().getKmsServiceDefId());
@@ -2997,10 +2998,12 @@ public class ServiceREST {
if (!isKmsService) {
ret.addAll(listToFilter);
}
- } else { // isKeyAdmin
+ } else if (isKeyAdmin) {
if (isKmsService) {
ret.addAll(listToFilter);
}
+ } else if (isServiceAdminUser) {
+ ret.addAll(listToFilter);
}
continue;
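Review bot: The new `else if (isServiceAdminUser) { ret.addAll(listToFilter); }` branch is reached only when the user is neither admin nor key admin and it does not consult `isKmsService`, so a user listed in `service.admin.users` of a KMS service receives that service's policies without holding the key-admin role; if that widening is intended it deserves a comment on the branch, otherwise the branch should mirror the admin case and skip KMS services. Branch order is also worth a look: `else if (isKeyAdmin)` comes first, so a key admin who is additionally a configured service admin of a non-KMS service gets none of that service's policies, whereas the same user without the key-admin role would get all of them. Finally, `isServiceAdminUser` is defined in the previous hunk as `isAdmin || svcStore.isServiceAdminUser(serviceName, userName)`, so its name overstates what it holds and the `|| isServiceAdminUser` in the outer guard duplicates `isAdmin`; `boolean isServiceAdminUser = svcStore.isServiceAdminUser(serviceName, userName);` makes the guard and the branches read as written. The enclosing method starts and ends outside the hunk.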
@@ -3034,16 +3037,11 @@ public class ServiceREST {
boolean isKeyAdmin = bizUtil.isKeyAdmin();
String userName = bizUtil.getCurrentUserLoginId();
- if(!isAdmin && !isKeyAdmin) {
- boolean isAllowed = false;
+ boolean isSvcAdmin = isAdmin || svcStore.isServiceAdminUser(serviceName, userName);
- RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName);
-
- if (policyEngine != null) {
- Set<String> userGroups = userMgr.getGroupsForUser(userName);
-
- isAllowed = hasAdminAccess(serviceName, userName, userGroups, resources);
- }
+ if(!isAdmin && !isKeyAdmin && !isSvcAdmin) {
+ Set<String> userGroups = userMgr.getGroupsForUser(userName);
+ boolean isAllowed = hasAdminAccess(serviceName, userName, userGroups, resources);
if (!isAllowed) {
throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED,
http://git-wip-us.apache.org/repos/asf/ranger/blob/46c6cf87/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
index 786b4bf..4a7055d 100644
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
+++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
@@ -390,6 +390,11 @@
obj.serviceId = :serviceId and obj.configKey = :configKey</query>
</named-query>
+ <named-query name="XXServiceConfigMap.findByServiceNameAndConfigKey">
+ <query>select obj from XXServiceConfigMap obj, XXService xSvc where
+ xSvc.name = :name and xSvc.id=obj.serviceId and obj.configKey = :configKey</query>
+ </named-query>
+
<!-- XXService -->
<named-query name="XXService.findByName">
<query>select obj from XXService obj where obj.name = :name</query>