Repository: ranger Updated Branches: refs/heads/ranger-0.7 e656b9a0b -> 9ac776702
RANGER-1176: Ranger admin does not allow to create / update a policy with only delegate admin permission. Signed-off-by: Mehul Parikh <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/9ac77670 Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/9ac77670 Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/9ac77670 Branch: refs/heads/ranger-0.7 Commit: 9ac77670278895b62400af61e8c351b13550e8ed Parents: e656b9a Author: ni3galave <[email protected]> Authored: Tue Oct 10 18:57:34 2017 +0530 Committer: Mehul Parikh <[email protected]> Committed: Wed Oct 11 19:17:09 2017 +0530 ---------------------------------------------------------------------- .../java/org/apache/ranger/biz/XUserMgr.java | 12 ++--- .../scripts/modules/globalize/message/en.js | 3 +- .../views/policies/RangerPolicyCreate.js | 13 +++++- .../scripts/views/policies/RangerPolicyForm.js | 16 ++++--- .../main/webapp/templates/helpers/XAHelpers.js | 3 ++ .../PlugableServicePolicyUpdateDiff_tmpl.html | 48 ++++++++++---------- 6 files changed, 55 insertions(+), 40 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/9ac77670/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index 8d3b751..f9e6991 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 
@@ -386,15 +386,13 @@ public class XUserMgr extends XUserMgrBase { && password.equals(hiddenPasswordString)) { vXPortalUser.setPassword(oldUserProfile.getPassword()); } + else if(oldUserProfile != null && oldUserProfile.getUserSource() == RangerCommonEnums.USER_EXTERNAL && password != null){ + vXPortalUser.setPassword(oldUserProfile.getPassword()); + logger.debug("User is trrying to change external user password which we are not allowing it to change"); + } else if(password != null){ validatePassword(vXUser); - if (oldUserProfile.getUserSource() == RangerCommonEnums.USER_EXTERNAL) { - vXPortalUser.setPassword(oldUserProfile.getPassword()); - } - else if(oldUserProfile.getUserSource() == RangerCommonEnums.USER_APP) - { - vXPortalUser.setPassword(password); - } + vXPortalUser.setPassword(password); } Collection<Long> groupIdList = vXUser.getGroupIdList(); XXPortalUser xXPortalUser = new XXPortalUser(); http://git-wip-us.apache.org/repos/asf/ranger/blob/9ac77670/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js index 3338633..8c9f284 100644 --- a/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js +++ b/security-admin/src/main/webapp/scripts/modules/globalize/message/en.js 
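Review bot: In the new `else if` for `RangerCommonEnums.USER_EXTERNAL`, a requested password change is discarded and recorded only through `logger.debug(...)`, so at default log levels neither the caller nor an operator learns that the request was ignored. A refused credential change deserves a warning-level line that leaves out the password value, for example `logger.warn("Ignoring password change request for an external user; stored password kept");`, which also removes the "trrying" typo. Separately, the final branch now calls `vXPortalUser.setPassword(password)` for every source other than `USER_EXTERNAL`, and also when `oldUserProfile` is null, whereas the removed code set it only for `USER_APP`; if other source values exist, that widening should be confirmed as intended. The enclosing method starts and ends outside the hunk.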
@@ -395,7 +395,8 @@ define(function(require) { plsSelectUserToSetVisibility :' Please select user to set visibility or selected user is already visible/hidden.', plsSelectGroupToSetVisibility:' Please select group to set visibility or selected group is already visible/hidden.', activationTimeDelayMsg :'Policy activation time delayed by more than 1hr from last update time.', - pleaseSelectAccessTypeForTagMasking : 'Please select access type first to enable add masking options.' + pleaseSelectAccessTypeForTagMasking : 'Please select access type first to enable add masking options.', + addUserOrGroupForDelegateAdmin : 'Please select user/group for the selected permission(s)', }, plcHldr : { http://git-wip-us.apache.org/repos/asf/ranger/blob/9ac77670/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js index df13b7c..1475dd9 100644 --- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js +++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyCreate.js @@ -163,8 +163,10 @@ define(function(require){ var userPerm = (validateObj1.userPerm || validateObj2.userPerm || validateObj3.userPerm || validateObj4.userPerm); var groupPerm = (validateObj1.groupPermSet || validateObj2.groupPermSet - || validateObj3.groupPermSet || validateObj4.groupPermSet) - if((!validateObj1.auditLoggin) && !(groupPerm || userPerm)){ + || validateObj3.groupPermSet || validateObj4.groupPermSet); + var delegatePerm = (validateObj1.delegateAdmin || validateObj2.delegateAdmin + || validateObj3.delegateAdmin || validateObj4.delegateAdmin); + if((!validateObj1.auditLoggin) && !(groupPerm || userPerm || delegatePerm )){ XAUtil.alertPopup({ msg :localization.tt('msg.yourAuditLogginIsOff') }); return; } 
@@ -177,6 +179,13 @@ define(function(require){ }, validatePolicyItem : function(validateObj){ var that = this, valid = false; + //DelegateAdmin checks + if((validateObj.groupSet || validateObj.userSet) && validateObj.delegateAdmin){ + return true; + }else if(validateObj.delegateAdmin && !(validateObj.groupSet || validateObj.userSet)) { + this.popupCallBack(localization.tt('msg.addUserOrGroupForDelegateAdmin'),validateObj); + return false; + } valid = (validateObj.groupSet && validateObj.permSet) || (validateObj.userSet && validateObj.userPerm); if(!valid){ if((!validateObj.groupSet && !validateObj.userSet) && (validateObj.condSet)) { http://git-wip-us.apache.org/repos/asf/ranger/blob/9ac77670/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js index 6f27d5d..e235cda 100644 --- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js +++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js @@ -427,7 +427,6 @@ define(function(require){ var RangerPolicyItemAccessList = Backbone.Collection.extend(); var rangerPlcItemAccessList = new RangerPolicyItemAccessList(m.get('accesses')); policyItem.set('accesses', rangerPlcItemAccessList) - policyItemList.add(policyItem) } if(!_.isUndefined(m.get('dataMaskInfo'))){ policyItem.set("dataMaskInfo",m.get("dataMaskInfo")); @@ -435,6 +434,7 @@ define(function(require){ if(!_.isUndefined(m.get('rowFilterInfo'))){ policyItem.set("rowFilterInfo",m.get("rowFilterInfo")); } + policyItemList.add(policyItem); } 
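Review bot: The added delegate-admin check in `validatePolicyItem` returns `true` as soon as a user or group is set together with `delegateAdmin`, so everything after it in the function is skipped for such items (the `condSet` branch is visible, the rest lies outside the hunk). If the later checks should still apply, keep only the failing branch as an early return and extend the existing expression instead: `valid = (validateObj.groupSet && validateObj.permSet) || (validateObj.userSet && validateObj.userPerm) || ((validateObj.groupSet || validateObj.userSet) && validateObj.delegateAdmin);`. Because delegate admin lets the named users and groups manage the policy, this browser-side rule is a convenience rather than a control. The same user/group requirement should presumably be enforced where the policy is saved on the server, which this commit does not show.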
@@ -655,16 +655,17 @@ define(function(require){ return JSON.stringify(context); }, formValidation : function(coll){ - var groupSet = false,permSet = false,groupPermSet = false, + var groupSet = false , permSet = false , groupPermSet = false , delegateAdmin = false , userSet=false, userPerm = false, userPermSet =false,breakFlag =false, condSet = false,customMaskSet = true; console.log('validation called..'); coll.each(function(m){ if(_.isEmpty(m.attributes)) return; - if(m.has('groupName') || m.has('userName') || m.has('accesses') ){ + if(m.has('groupName') || m.has('userName') || m.has('accesses') || m.has('delegateAdmin') ){ if(! breakFlag){ groupSet = m.has('groupName') ? true : false; userSet = m.has('userName') ? true : false; - permSet = m.has('accesses') ? true : false; + permSet = m.has('accesses') ? true : false; + delegateAdmin = m.has('delegateAdmin') ? m.get('delegateAdmin') : false; if(groupSet && permSet){ groupPermSet = true; userPermSet = false; @@ -672,7 +673,9 @@ define(function(require){ userPermSet = true; groupPermSet = false; }else{ - breakFlag=true; + if(!((userSet || groupSet) && delegateAdmin)){ + breakFlag=true; + } } } } @@ -692,7 +695,8 @@ define(function(require){ userSet : userSet, isUsers:userPermSet, auditLoggin : auditStatus, condSet : condSet, - customMaskSet : customMaskSet + customMaskSet : customMaskSet, + delegateAdmin : delegateAdmin, }; if(groupSet || userSet){ obj['permSet'] = groupSet ? permSet : false; http://git-wip-us.apache.org/repos/asf/ranger/blob/9ac77670/security-admin/src/main/webapp/templates/helpers/XAHelpers.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/templates/helpers/XAHelpers.js b/security-admin/src/main/webapp/templates/helpers/XAHelpers.js index 1766880..9363c6b 100644 --- a/security-admin/src/main/webapp/templates/helpers/XAHelpers.js +++ b/security-admin/src/main/webapp/templates/helpers/XAHelpers.js 
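Review bot: The widened guard `m.has('delegateAdmin')` in `formValidation` is true for a stored `false` as well as `true`, so a row whose only attribute is an unchecked delegate-admin flag now enters the block, falls to the final `else` and sets `breakFlag`, where before it was skipped. If the form can leave `delegateAdmin: false` on a model (not visible here), testing the value keeps the earlier behaviour: `|| m.get('delegateAdmin')`. The trailing comma after `delegateAdmin : delegateAdmin,` in the returned object, and after the new `addUserOrGroupForDelegateAdmin` entry in en.js, is rejected by some older browsers' parsers and is best dropped. The function body continues outside the hunks.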
@@ -310,6 +310,9 @@ case '>=': return (v1 >= v2) ? options.fn(this) : options.inverse(this); break; + case '||': + return (v1 || v2) ? options.fn(this) : options.inverse(this); + break; default: return options.inverse(this); break; http://git-wip-us.apache.org/repos/asf/ranger/blob/9ac77670/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyUpdateDiff_tmpl.html ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyUpdateDiff_tmpl.html b/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyUpdateDiff_tmpl.html index 524b18f..cac71d9 100644 --- a/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyUpdateDiff_tmpl.html +++ b/security-admin/src/main/webapp/templates/reports/PlugableServicePolicyUpdateDiff_tmpl.html @@ -76,7 +76,7 @@ <h3>Old Value</h3> {{#each oldPolicyItems}} <ol class="unstyled data"> - {{#if this.permissions}} + {{#ifCond this.users '||' this.groups }} <li class="change-row"><i>Groups</i>: {{#if_eq this.groups compare=0}} <empty> @@ -111,7 +111,7 @@ <li class="change-row"><i>Delegate Admin</i>: {{this.delegateAdmin}}</li> {{else}} <li style=" min-height: 99px; line-height: 102px; text-align: center; font-weight: bold; font-style: italic;"><empty></li> - {{/if}} + {{/ifCond}} </ol><br/> {{/each}} </div> @@ -119,7 +119,7 @@ <h3>New Value</h3> {{#each newPolicyItems}} <ol class="unstyled data"> - {{#if this.permissions}} + {{#ifCond this.users '||' this.groups}} <li class="change-row"><i>Groups</i>: {{#if_eq this.groups compare=0}} <empty> @@ -154,7 +154,7 @@ <li class="change-row"><i>Delegate Admin</i>: {{this.delegateAdmin}}</li> {{else}} <li style=" min-height: 99px; line-height: 102px; text-align: center; font-weight: bold; font-style: italic;"><empty></li> - {{/if}} + {{/ifCond}} </ol><br/> {{/each}} </div> 
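Review bot: The new `'||'` case tests plain JavaScript truthiness, and an empty array is truthy, so `{{#ifCond this.users '||' this.groups}}` in PlugableServicePolicyUpdateDiff_tmpl.html takes the main branch even when both lists are empty, unlike the `{{#if}}` it replaces, which treats an empty array as false. The template's own `if_eq this.groups compare=0` checks suggest these values can be empty lists, in which case the `<empty>` placeholder in the `{{else}}` branch would no longer render in the policy change report. If that is not intended, test emptiness the way Handlebars does: `return (!Handlebars.Utils.isEmpty(v1) || !Handlebars.Utils.isEmpty(v2)) ? options.fn(this) : options.inverse(this);`. The same template substitution repeats in every old/new section of that file. The helper's switch starts outside the hunk.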
@@ -168,7 +168,7 @@ <h3>Old Value</h3> {{#each oldAllowExceptionPolicyItems}} <ol class="unstyled data"> - {{#if this.permissions}} + {{#ifCond this.users '||' this.groups}} <li class="change-row"><i>Groups</i>: {{#if_eq this.groups compare=0}} <empty> @@ -203,7 +203,7 @@ <li class="change-row"><i>Delegate Admin</i>: {{this.delegateAdmin}}</li> {{else}} <li style=" min-height: 99px; line-height: 102px; text-align: center; font-weight: bold; font-style: italic;"><empty></li> - {{/if}} + {{/ifCond}} </ol><br/> {{/each}} </div> @@ -211,7 +211,7 @@ <h3>New Value</h3> {{#each newAllowExceptionPolicyItems}} <ol class="unstyled data"> - {{#if this.permissions}} + {{#ifCond this.users '||' this.groups}} <li class="change-row"><i>Groups</i>: {{#if_eq this.groups compare=0}} <empty> @@ -246,7 +246,7 @@ <li class="change-row"><i>Delegate Admin</i>: {{this.delegateAdmin}}</li> {{else}} <li style=" min-height: 99px; line-height: 102px; text-align: center; font-weight: bold; font-style: italic;"><empty></li> - {{/if}} + {{/ifCond}} </ol><br/> {{/each}} </div> @@ -261,7 +261,7 @@ <h3>Old Value</h3> {{#each oldDenyPolicyItems}} <ol class="unstyled data"> - {{#if this.permissions}} + {{#ifCond this.users '||' this.groups}} <li class="change-row"><i>Groups</i>: {{#if_eq this.groups compare=0}} <empty> @@ -296,7 +296,7 @@ <li class="change-row"><i>Delegate Admin</i>: {{this.delegateAdmin}}</li> {{else}} <li style=" min-height: 99px; line-height: 102px; text-align: center; font-weight: bold; font-style: italic;"><empty></li> - {{/if}} + {{/ifCond}} </ol><br/> {{/each}} </div> @@ -304,7 +304,7 @@ <h3>New Value</h3> {{#each newDenyPolicyItems}} <ol class="unstyled data"> - {{#if this.permissions}} + {{#ifCond this.users '||' this.groups}} <li class="change-row"><i>Groups</i>: {{#if_eq this.groups compare=0}} <empty> 
@@ -339,7 +339,7 @@ <li class="change-row"><i>Delegate Admin</i>: {{this.delegateAdmin}}</li> {{else}} <li style=" min-height: 99px; line-height: 102px; text-align: center; font-weight: bold; font-style: italic;"><empty></li> - {{/if}} + {{/ifCond}} </ol><br/> {{/each}} </div> @@ -355,7 +355,7 @@ <h3>Old Value</h3> {{#each oldDenyExceptionPolicyItems}} <ol class="unstyled data"> - {{#if this.permissions}} + {{#ifCond this.users '||' this.groups}} <li class="change-row"><i>Groups</i>: {{#if_eq this.groups compare=0}} <empty> @@ -390,7 +390,7 @@ <li class="change-row"><i>Delegate Admin</i>: {{this.delegateAdmin}}</li> {{else}} <li style=" min-height: 99px; line-height: 102px; text-align: center; font-weight: bold; font-style: italic;"><empty></li> - {{/if}} + {{/ifCond}} </ol><br/> {{/each}} </div> @@ -398,7 +398,7 @@ <h3>New Value</h3> {{#each newDenyExceptionPolicyItems}} <ol class="unstyled data"> - {{#if this.permissions}} + {{#ifCond this.users '||' this.groups}} <li class="change-row"><i>Groups</i>: {{#if_eq this.groups compare=0}} <empty> @@ -433,7 +433,7 @@ <li class="change-row"><i>Delegate Admin</i>: {{this.delegateAdmin}}</li> {{else}} <li style=" min-height: 99px; line-height: 102px; text-align: center; font-weight: bold; font-style: italic;"><empty></li> - {{/if}} + {{/ifCond}} </ol><br/> {{/each}} </div> @@ -448,7 +448,7 @@ <h3>Old Value</h3> {{#each oldMaskPolicyItems}} <ol class="unstyled data"> - {{#if this.accesses}} + {{#ifCond this.users '||' this.groups}} <li class="change-row"><i>Groups</i>: {{#if_eq this.groups compare=0}} <empty> @@ -480,7 +480,7 @@ {{/if}} {{else}} <li style=" min-height: 99px; line-height: 102px; text-align: center; font-weight: bold; font-style: italic;"><empty></li> - {{/if}} + {{/ifCond}} </ol><br/> {{/each}} </div> 
@@ -488,7 +488,7 @@ <h3>New Value</h3> {{#each newMaskPolicyItems}} <ol class="unstyled data"> - {{#if this.accesses}} + {{#ifCond this.users '||' this.groups}} <li class="change-row"><i>Groups</i>: {{#if_eq this.groups compare=0}} <empty> @@ -521,7 +521,7 @@ {{else}} <li style=" min-height: 99px; line-height: 102px; text-align: center; font-weight: bold; font-style: italic;"><empty></li> - {{/if}} + {{/ifCond}} </ol><br/> {{/each}} </div> @@ -536,7 +536,7 @@ <h3>Old Value</h3> {{#each oldRowFilterPolicyItems}} <ol class="unstyled data"> - {{#if this.accesses}} + {{#ifCond this.users '||' this.groups}} <li class="change-row"><i>Groups</i>: {{#if_eq this.groups compare=0}} <empty> @@ -568,7 +568,7 @@ {{/if}} {{else}} <li style=" min-height: 99px; line-height: 102px; text-align: center; font-weight: bold; font-style: italic;"><empty></li> - {{/if}} + {{/ifCond}} </ol><br/> {{/each}} </div> @@ -576,7 +576,7 @@ <h3>New Value</h3> {{#each newRowFilterPolicyItems}} <ol class="unstyled data"> - {{#if this.accesses}} + {{#ifCond this.users '||' this.groups}} <li class="change-row"><i>Groups</i>: {{#if_eq this.groups compare=0}} <empty> @@ -609,7 +609,7 @@ {{else}} <li style=" min-height: 99px; line-height: 102px; text-align: center; font-weight: bold; font-style: italic;"><empty></li> - {{/if}} + {{/ifCond}} </ol><br/> {{/each}} </div>
