Repository: ranger Updated Branches: refs/heads/master a30c43db3 -> f0cb6223d
RANGER-1756: Handle role related restrictions for users having User role. Signed-off-by: Mehul Parikh <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/f0cb6223 Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/f0cb6223 Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/f0cb6223 Branch: refs/heads/master Commit: f0cb6223d5111ac27c717d69e4cd2ef21db09f70 Parents: a30c43d Author: ni3galave <[email protected]> Authored: Fri Sep 29 12:40:39 2017 +0530 Committer: Mehul Parikh <[email protected]> Committed: Fri Sep 29 13:04:20 2017 +0530 ---------------------------------------------------------------------- .../hadoop/security/SecureClientLogin.java | 3 +-- .../java/org/apache/ranger/rest/XUserREST.java | 25 ++++++++++++++++++-- .../src/main/webapp/scripts/utils/XAUtils.js | 4 +++- 3 files changed, 27 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/f0cb6223/agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java b/agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java index 320a9a4..e4d6a39 100644 --- a/agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java +++ b/agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java @@ -71,7 +71,6 @@ public class SecureClientLogin { } public synchronized static Subject loginUserWithPassword(String user, String password) throws IOException { - String tmpPass = password; try { Subject subject = new Subject(); SecureClientLoginConfiguration loginConf = new SecureClientLoginConfiguration(false, user, password); 
@@ -80,7 +79,7 @@ public class SecureClientLogin { login.login(); return login.getSubject(); } catch (LoginException le) { - throw new IOException("Login failure for " + user + " using password " + tmpPass.replaceAll(".","*"), le); + throw new IOException("Login failure for " + user + " using password ****", le); } } http://git-wip-us.apache.org/repos/asf/ranger/blob/f0cb6223/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java index 739ea05..5a58346 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java @@ -20,6 +20,8 @@ package org.apache.ranger.rest; import java.util.HashMap; +import java.util.List; +import java.util.Random; import javax.servlet.http.HttpServletRequest; import javax.ws.rs.DELETE; @@ -31,12 +33,14 @@ import javax.ws.rs.PathParam; import javax.ws.rs.Produces; import javax.ws.rs.core.Context; +import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.StringUtils; import org.apache.ranger.biz.RangerBizUtil; import org.apache.ranger.biz.SessionMgr; import org.apache.ranger.biz.XUserMgr; import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.RESTErrorUtil; +import org.apache.ranger.common.RangerConstants; import org.apache.ranger.common.SearchCriteria; import org.apache.ranger.common.SearchUtil; import org.apache.ranger.common.StringUtil; 
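Review bot: In the `catch (LoginException le)` block of `loginUserWithPassword` in SecureClientLogin.java, the message still ends in the literal `using password ****`, which reads like a masked value although nothing is derived from the password any more. Either drop the suffix, `throw new IOException("Login failure for " + user, le);`, or keep it and add a comment such as `// never build this message from the password: a per-character mask discloses its length`. The comment would keep a later edit from reintroducing the `replaceAll` form. The method's signature and `try` sit in the previous hunk, so the rest of the body is not visible here.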
@@ -346,18 +350,35 @@ public class XUserREST { @Produces({ "application/xml", "application/json" }) @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_USERS + "\")") public VXUserList searchXUsers(@Context HttpServletRequest request) { + String UserRoleParamName = RangerConstants.ROLE_USER; SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xUserService.sortFields); - + String userName = null; + if(request != null && request.getUserPrincipal() != null){ + userName = request.getUserPrincipal().getName(); + } searchUtil.extractString(request, searchCriteria, "name", "User name",null); searchUtil.extractString(request, searchCriteria, "emailAddress", "Email Address", null); searchUtil.extractInt(request, searchCriteria, "userSource", "User Source"); searchUtil.extractInt(request, searchCriteria, "isVisible", "User Visibility"); searchUtil.extractInt(request, searchCriteria, "status", "User Status"); - searchUtil.extractStringList(request, searchCriteria, "userRoleList", "User Role List", "userRoleList", null, + List<String> userRolesList = searchUtil.extractStringList(request, searchCriteria, "userRoleList", "User Role List", "userRoleList", null, null); searchUtil.extractString(request, searchCriteria, "userRole", "UserRole", null); + if (CollectionUtils.isNotEmpty(userRolesList) && CollectionUtils.size(userRolesList) == 1 && userRolesList.get(0).equalsIgnoreCase(UserRoleParamName)) { + if (!(searchCriteria.getParamList().containsKey("name"))) { + searchCriteria.addParam("name", userName); + } + else if ((searchCriteria.getParamList().containsKey("name")) && userName.contains((String) searchCriteria.getParamList().get("name"))) { + searchCriteria.addParam("name", userName); + } + else { + String randomString = new Random().toString(); + searchCriteria.addParam("name", randomString); + } + } + return xUserMgr.searchXUsers(searchCriteria); } 
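Review bot: The self-only restriction in `searchXUsers` is switched on by the client-supplied `userRoleList` parameter (exactly one entry equal to `RangerConstants.ROLE_USER`), not by the authenticated caller's role. As far as this hunk shows, a User-role caller who omits or changes that parameter is not narrowed at all, while an admin who filters on that role is narrowed to their own name; the condition should come from the caller's role in the server-side session, with the request parameter treated only as a filter. `userName` stays null when `request.getUserPrincipal()` is null, so `userName.contains(...)` can throw and `addParam("name", userName)` passes a null; that case should be rejected before this block. `new Random().toString()` is the object's default `toString()`, not a random value, so returning an empty result for the no-match branch would state the intent directly and remove the need for the `java.util.Random` import. If the `name` criterion is matched partially downstream (not visible here), accounts whose names merely contain the caller's name could still be returned, so an exact-match criterion is worth confirming.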
http://git-wip-us.apache.org/repos/asf/ranger/blob/f0cb6223/security-admin/src/main/webapp/scripts/utils/XAUtils.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/utils/XAUtils.js b/security-admin/src/main/webapp/scripts/utils/XAUtils.js index ecf43ad..90b41d8 100644 --- a/security-admin/src/main/webapp/scripts/utils/XAUtils.js +++ b/security-admin/src/main/webapp/scripts/utils/XAUtils.js @@ -1215,7 +1215,9 @@ define(function(require) { _.each(XAEnums.UserRoles,function(val, key){ if(SessionMgr.isKeyAdmin() && XAEnums.UserRoles.ROLE_SYS_ADMIN.value != val.value){ userRoleList.push(key) - }else if(!SessionMgr.isKeyAdmin() && XAEnums.UserRoles.ROLE_KEY_ADMIN.value != val.value){ + }else if(SessionMgr.isSystemAdmin() && XAEnums.UserRoles.ROLE_KEY_ADMIN.value != val.value){ + userRoleList.push(key) + }else if(SessionMgr.isUser() && XAEnums.UserRoles.ROLE_USER.value == val.value){ userRoleList.push(key) } })
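Review bot: The rewritten `if`/`else if` chain inside `_.each(XAEnums.UserRoles, ...)` has no fallback branch. The previous `!SessionMgr.isKeyAdmin()` arm covered every other session, whereas now a session for which none of `isKeyAdmin()`, `isSystemAdmin()` and `isUser()` holds leaves `userRoleList` empty. If that is intended, a comment such as `// any other session role gets no selectable roles` above the loop would record it; otherwise add a final `else`. This list only shapes what the UI offers, so the server still has to enforce the same limits on the request. The enclosing function starts and ends outside the hunk.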
