Posted to commits@ranger.apache.org by sp...@apache.org on 2019/08/08 23:32:31 UTC
[ranger] branch master updated: RANGER-2531: Removing a user from a
group is not reflected properly in unix based sync
This is an automated email from the ASF dual-hosted git repository.
spolavarapu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 0bfe8a0 RANGER-2531: Removing a user from a group is not reflected properly in unix based sync
0bfe8a0 is described below
commit 0bfe8a0b4c521297a91c4421fbe35f30c52608bc
Author: Sailaja Polavarapu <sp...@cloudera.com>
AuthorDate: Thu Aug 8 16:32:08 2019 -0700
RANGER-2531: Removing a user from a group is not reflected properly in unix based sync
---
.../process/PolicyMgrUserGroupBuilder.java | 327 ++++++++++++---------
.../unixusersync/process/UnixUserGroupBuilder.java | 11 +-
2 files changed, 195 insertions(+), 143 deletions(-)
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
index 466c747..e5fc68b 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
@@ -425,152 +425,199 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
}
}
- for(String g : addGroups) {
- LOG.debug("INFO: addPMXAGroupToUser(" + userName + "," + g + ")" );
- }
- if (!isMockRun) {
- if (!addGroups.isEmpty()) {
- XUserInfo obj = addXUserInfo(userName);
- if (obj != null) {
- for (String group : addGroups) {
- String value = groupMap.get(group);
- if (value != null) {
- List<String> userRoleList = new ArrayList<String>();
- userRoleList.add(value);
- if (userMap.containsKey(obj.getName())) {
- List<String> userRole = new ArrayList<String>();
- userRole.add(userMap.get(obj.getName()));
- if (!obj.getUserRoleList().equals(userRole)) {
- obj.setUserRoleList(userRole);
+ for(String g : addGroups) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("INFO: addPMXAGroupToUser(" + userName + "," + g + ")");
+ }
+ }
+ for(String g : delGroups) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("INFO: delPMXAGroupFromUser(" + userName + "," + g + ")");
+ }
+ }
+ for(String g : updateGroups) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("INFO: updatePMXAGroupToUser(" + userName + "," + g + ")");
+ }
+ }
- }
- } else if (!obj.getUserRoleList().equals(userRoleList)) {
- obj.setUserRoleList(userRoleList);
- }
- }
- }
- }
- ugInfo.setXuserInfo(obj);
- ugInfo.setXgroupInfo(getXGroupInfoList(addGroups));
- try {
- // If the rest call to ranger admin fails,
- // propagate the failure to the caller for retry in next
- // sync cycle.
- if (addUserGroupInfo(ugInfo) == null) {
- String msg = "Failed to add user group info";
- LOG.error(msg);
- throw new Exception(msg);
- }
- } catch (Throwable t) {
- LOG.error("PolicyMgrUserGroupBuilder.addUserGroupInfo failed for user-group entry: "
- + ugInfo.toString() + " with exception: ", t);
- }
- }
- addXUserGroupInfo(user, addGroups);
- }
+ if (isMockRun) {
+ return;
+ }
+ if (!addGroups.isEmpty()) {
+ XUserInfo obj = addXUserInfo(userName);
+ if (obj != null) {
+ for (String group : addGroups) {
+ String value = groupMap.get(group);
+ if (value != null) {
+ List<String> userRoleList = new ArrayList<String>();
+ userRoleList.add(value);
+ if (userMap.containsKey(obj.getName())) {
+ List<String> userRole = new ArrayList<String>();
+ userRole.add(userMap.get(obj.getName()));
+ if (!obj.getUserRoleList().equals(userRole)) {
+ obj.setUserRoleList(userRole);
- for(String g : delGroups) {
- LOG.debug("INFO: delPMXAGroupFromUser(" + userName + "," + g + ")" );
- }
+ }
+ } else if (!obj.getUserRoleList().equals(userRoleList)) {
+ obj.setUserRoleList(userRoleList);
+ }
+ }
+ }
+ }
+ ugInfo.setXuserInfo(obj);
+ ugInfo.setXgroupInfo(getXGroupInfoList(addGroups));
+ try {
+ // If the rest call to ranger admin fails,
+ // propagate the failure to the caller for retry in next
+ // sync cycle.
+ if (addUserGroupInfo(ugInfo) == null) {
+ String msg = "Failed to add user group info";
+ LOG.error(msg);
+ throw new Exception(msg);
+ }
+ } catch (Throwable t) {
+ LOG.error("PolicyMgrUserGroupBuilder.addUserGroupInfo failed for user-group entry: "
+ + ugInfo.toString() + " with exception: ", t);
+ }
+ addXUserGroupInfo(user, addGroups);
+ }
- if (! isMockRun ) {
- delXUserGroupInfo(user, delGroups);
+ if (!delGroups.isEmpty()) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("PolicyMgrUserGroupBuilder.addUserGroupInfo() user role list for " + userName + " after delete = " + user.getUserRoleList());
+ }
+ delXUserGroupInfo(user, delGroups);
//Remove groups from user mapping
userName2XUserInfoMap.get(userName).deleteGroups(delGroups);
- LOG.debug(userName2XUserInfoMap.get(userName).getGroups());
- }
- if (! isMockRun) {
- if (!updateGroups.isEmpty()) {
- XUserInfo obj = addXUserInfo(userName);
- if (obj != null) {
- for (String group : updateGroups) {
- String value = groupMap.get(group);
- if (value != null) {
- List<String> userRoleList = new ArrayList<String>();
- userRoleList.add(value);
- if (userMap.containsKey(obj.getName())) {
- List<String> userRole = new ArrayList<String>();
- userRole.add(userMap.get(obj.getName()));
- if (!obj.getUserRoleList().equals(userRole)) {
- obj.setUserRoleList(userRole);
- }
- } else if (!obj.getUserRoleList().equals(
- userRoleList)) {
- obj.setUserRoleList(userRoleList);
- }
- }
- }
- }
- ugInfo.setXuserInfo(obj);
- ugInfo.setXgroupInfo(getXGroupInfoList(updateGroups));
- try {
- // If the rest call to ranger admin fails,
- // propagate the failure to the caller for retry in next
- // sync cycle.
- if (addUserGroupInfo(ugInfo) == null) {
- String msg = "Failed to add user group info";
- LOG.error(msg);
- throw new Exception(msg);
- }
- } catch (Throwable t) {
- LOG.error("PolicyMgrUserGroupBuilder.addUserGroupInfo failed with exception: "
- + t.getMessage()
- + ", for user-group entry: "
- + ugInfo);
- }
- }
- }
- if (!isMockRun) {
- XUserInfo obj = addXUserInfo(userName);
- boolean roleFlag = false;
- if (obj != null && updateGroups.isEmpty()
- && addGroups.isEmpty()) {
- if (userMap.containsKey(obj.getName())) {
- List<String> userRole = new ArrayList<String>();
- userRole.add(userMap.get(obj.getName()));
- if (!obj.getUserRoleList().equals(userRole)) {
- obj.setUserRoleList(userRole);
- roleFlag = true;
- }
- } else {
- for (String group : groups) {
- String value = groupMap.get(group);
- if (value != null) {
- List<String> userRoleList = new ArrayList<String>();
- userRoleList.add(value);
- if (!obj.getUserRoleList().equals(userRoleList)) {
- obj.setUserRoleList(userRoleList);
- roleFlag = true;
- }
- }
- }
+ List<String> groupList = userName2XUserInfoMap.get(userName).getGroups();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("PolicyMgrUserGroupBuilder.addUserGroupInfo() groups for " + userName + " after delete = " + groupList);
+ }
+ if (!groupList.isEmpty()) {
+ XUserInfo obj = addXUserInfo(userName);
+ if (obj != null) {
+ for (String group : updateGroups) {
+ String value = groupMap.get(group);
+ if (value != null) {
+ List<String> userRoleList = new ArrayList<String>();
+ userRoleList.add(value);
+ if (userMap.containsKey(obj.getName())) {
+ List<String> userRole = new ArrayList<String>();
+ userRole.add(userMap.get(obj.getName()));
+ if (!obj.getUserRoleList().equals(userRole)) {
+ obj.setUserRoleList(userRole);
+ }
+ } else if (!obj.getUserRoleList().equals(
+ userRoleList)) {
+ obj.setUserRoleList(userRoleList);
+ }
+ }
+ }
+ }
+ ugInfo.setXuserInfo(obj);
+ ugInfo.setXgroupInfo(getXGroupInfoList(groupList));
+ try {
+ // If the rest call to ranger admin fails,
+ // propagate the failure to the caller for retry in next
+ // sync cycle.
+ if (addUserGroupInfo(ugInfo) == null) {
+ String msg = "Failed to add user group info";
+ LOG.error(msg);
+ throw new Exception(msg);
+ }
+ } catch (Throwable t) {
+ LOG.error("PolicyMgrUserGroupBuilder.addUserGroupInfo failed with exception: "
+ + t.getMessage()
+ + ", for user-group entry: "
+ + ugInfo);
+ }
+ }
+ }
+
+ if (!updateGroups.isEmpty()) {
+ XUserInfo obj = addXUserInfo(userName);
+ if (obj != null) {
+ for (String group : updateGroups) {
+ String value = groupMap.get(group);
+ if (value != null) {
+ List<String> userRoleList = new ArrayList<String>();
+ userRoleList.add(value);
+ if (userMap.containsKey(obj.getName())) {
+ List<String> userRole = new ArrayList<String>();
+ userRole.add(userMap.get(obj.getName()));
+ if (!obj.getUserRoleList().equals(userRole)) {
+ obj.setUserRoleList(userRole);
+ }
+ } else if (!obj.getUserRoleList().equals(
+ userRoleList)) {
+ obj.setUserRoleList(userRoleList);
+ }
+ }
+ }
+ }
+ ugInfo.setXuserInfo(obj);
+ ugInfo.setXgroupInfo(getXGroupInfoList(updateGroups));
+ try {
+ // If the rest call to ranger admin fails,
+ // propagate the failure to the caller for retry in next
+ // sync cycle.
+ if (addUserGroupInfo(ugInfo) == null) {
+ String msg = "Failed to add user group info";
+ LOG.error(msg);
+ throw new Exception(msg);
+ }
+ } catch (Throwable t) {
+ LOG.error("PolicyMgrUserGroupBuilder.addUserGroupInfo failed with exception: "
+ + t.getMessage()
+ + ", for user-group entry: "
+ + ugInfo);
+ }
+ }
- }
- ugInfo.setXuserInfo(obj);
- ugInfo.setXgroupInfo(getXGroupInfoList(groups));
- }
- if (roleFlag) {
- try {
- // If the rest call to ranger admin fails,
- // propagate the failure to the caller for retry in next
- // sync cycle.
- if (addUserGroupInfo(ugInfo) == null) {
- String msg = "Failed to add user group info";
- LOG.error(msg);
- throw new Exception(msg);
- }
- } catch (Throwable t) {
- LOG.error("PolicyMgrUserGroupBuilder.addUserGroupInfo failed with exception: "
- + t.getMessage()
- + ", for user-group entry: "
- + ugInfo);
- }
- }
- }
- //LOG.info("Adding new groups " + addGroups + " for user = " + userName);
if (isStartupFlag) {
+ XUserInfo obj = addXUserInfo(userName);
+ if (obj != null && updateGroups.isEmpty()
+ && addGroups.isEmpty() && delGroups.isEmpty()) {
+ for (String group : groups) {
+ String value = groupMap.get(group);
+ if (value != null) {
+ List<String> userRoleList = new ArrayList<String>();
+ userRoleList.add(value);
+ if (userMap.containsKey(obj.getName())) {
+ List<String> userRole = new ArrayList<String>();
+ userRole.add(userMap.get(obj.getName()));
+ if (!obj.getUserRoleList().equals(userRole)) {
+ obj.setUserRoleList(userRole);
+ }
+ } else if (!obj.getUserRoleList().equals(
+ userRoleList)) {
+ obj.setUserRoleList(userRoleList);
+ }
+ }
+ }
+ ugInfo.setXuserInfo(obj);
+ ugInfo.setXgroupInfo(getXGroupInfoList(groups));
+ try {
+ // If the rest call to ranger admin fails,
+ // propagate the failure to the caller for retry in next
+ // sync cycle.
+ if (addUserGroupInfo(ugInfo) == null) {
+ String msg = "Failed to add user group info";
+ LOG.error(msg);
+ throw new Exception(msg);
+ }
+ } catch (Throwable t) {
+ LOG.error("PolicyMgrUserGroupBuilder.addUserGroupInfo failed with exception: "
+ + t.getMessage()
+ + ", for user-group entry: "
+ + ugInfo);
+ }
+ }
modifiedGroupList.addAll(oldGroups);
- LOG.debug("Adding user to modified user list: " + userName + ": " + oldGroups);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Adding user to modified user list: " + userName + ": " + oldGroups);
+ }
modifiedUserList.add(userName);
} else {
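Review bot: In the `if (!delGroups.isEmpty())` branch the role loop still reads `for (String group : updateGroups)` although the payload is built with `getXGroupInfoList(groupList)`, so the role list pushed after a removal is not derived from the groups the user still belongs to; `for (String group : groupList)` looks like what was intended. Because the push is also guarded by `if (!groupList.isEmpty())`, a user whose last group is removed gets no role update at all, which presumably leaves any role granted through the removed group in place on the admin side. The local cache is changed with `deleteGroups(delGroups)` without any check that `delXUserGroupInfo` succeeded, and each `catch (Throwable t)` only logs even though the comment above it says the failure is propagated for retry, so a failed call may never be retried. The enclosing method starts and ends outside this hunk.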
@@ -990,6 +1037,10 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
xuserInfo.setDescription(aUserName + " - add from Unix box");
+ List<String> userRole = new ArrayList<>();
+ userRole.add("ROLE_USER");
+ xuserInfo.setUserRoleList(userRole);
+
usergroupInfo.setXuserInfo(xuserInfo);
return xuserInfo;
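Review bot: The default role is a bare string literal at `userRole.add("ROLE_USER")`, and nothing here says that it is meant as the least-privileged default which the sync path may later replace from `userMap`/`groupMap`. I would add a comment such as `// default to the lowest-privilege role; user/group role mappings are applied by the caller` and use a named constant if the class already has one for this role. If this builder is also reached for users that already exist in Ranger admin, it is worth confirming that sending `ROLE_USER` cannot overwrite a role an administrator assigned there. The method's start and end are outside the hunk.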
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java
index ddab629..2cf0082 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java
@@ -73,11 +73,11 @@ public class UnixUserGroupBuilder implements UserGroupSource {
private long timeout = 0;
private UserGroupSyncConfig config = UserGroupSyncConfig.getInstance();
- private Map<String,List<String>> user2GroupListMap = new HashMap<String,List<String>>();
- private Map<String,List<String>> internalUser2GroupListMap = new HashMap<String,List<String>>();
- private Map<String,String> groupId2groupNameMap = new HashMap<String,String>();
- private int minimumUserId = 0;
- private int minimumGroupId = 0;
+ private Map<String,List<String>> user2GroupListMap;
+ private Map<String,List<String>> internalUser2GroupListMap;
+ private Map<String,String> groupId2groupNameMap;
+ private int minimumUserId = 0;
+ private int minimumGroupId = 0;
private String unixPasswordFile;
private String unixGroupFile;
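Review bot: With the initialisers removed, `user2GroupListMap`, `internalUser2GroupListMap` and `groupId2groupNameMap` are null until `buildUserGroupInfo()` has run, so any reader that gets in before the first build would hit a NullPointerException. Either keep an empty-map initialiser on the declarations or document the contract on the fields, for example `// re-created at the start of every buildUserGroupInfo() run; null before the first run`, and confirm that the constructor always builds before the maps are exposed. The class body continues outside this hunk.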
@@ -194,6 +194,7 @@ public class UnixUserGroupBuilder implements UserGroupSource {
private void buildUserGroupInfo() throws Throwable {
user2GroupListMap = new HashMap<String,List<String>>();
groupId2groupNameMap = new HashMap<String, String>();
+ internalUser2GroupListMap = new HashMap<String,List<String>>();
allGroups = new HashSet<>();
if (OS.startsWith("Mac")) {