Repository: ranger Updated Branches: refs/heads/master d0e5f24b2 -> a4ad1a0b6
RANGER-2021 : Ranger Usersync should use cookie based authentication for subsequent requests
Change-Id: I9fd45eb7cbdf961a1df24f55e63245bb699577c7
Signed-off-by: Mehul Parikh <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/a4ad1a0b
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/a4ad1a0b
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/a4ad1a0b
Branch: refs/heads/master
Commit: a4ad1a0b6599cee1831062d73f8515bcd7e0f721
Parents: d0e5f24
Author: Nikhil P <[email protected]>
Authored: Wed Apr 18 20:18:33 2018 +0530
Committer: Mehul Parikh <[email protected]>
Committed: Thu Apr 19 15:39:40 2018 +0530
----------------------------------------------------------------------
 .../config/UserGroupSyncConfig.java | 11 +-
 .../process/PolicyMgrUserGroupBuilder.java | 660 +++++++++++++++----
 .../conf.dist/ranger-ugsync-default.xml | 4 +
 3 files changed, 536 insertions(+), 139 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/a4ad1a0b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
index e9e356a..13d77e7 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
@@ -233,7 +233,10 @@ public class UserGroupSyncConfig {
 private static final String USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER = "ranger.usersync.username.groupname.assignment.list.delimiter";
 private static final String GROUP_BASED_ROLE_ASSIGNMENT_RULES = "ranger.usersync.group.based.role.assignment.rules";
- private Properties prop = new Properties();
+
+ private static final String USERSYNC_RANGER_COOKIE_ENABLED_PROP = "ranger.usersync.cookie.enabled";
+
+ private Properties prop = new Properties();
 private static volatile UserGroupSyncConfig me = null;
@@ -928,6 +931,12 @@ public class UserGroupSyncConfig {
 return null;
 }
+ public boolean isUserSyncRangerCookieEnabled() {
+ String val = prop.getProperty(USERSYNC_RANGER_COOKIE_ENABLED_PROP);
+ return val == null || Boolean.valueOf(val.trim());
+ }
+
+
 public String getRoleDelimiter() {
 if (prop != null && prop.containsKey(ROLE_ASSIGNMENT_LIST_DELIMITER)) {
 String roleDelimiter = prop
http://git-wip-us.apache.org/repos/asf/ranger/blob/a4ad1a0b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
index b30b051..dd26e1b 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
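Review bot: `isUserSyncRangerCookieEnabled()` treats an absent property as enabled, and `Boolean.valueOf` maps anything other than a case-insensitive "true" ("yes", "1", a typo) to disabled without any log line, so that contract belongs on the method. Suggested Javadoc: `/** Whether usersync replays the Ranger Admin session cookie on follow-up requests. Defaults to true when ranger.usersync.cookie.enabled is unset; any value other than "true" disables it. */`. The neighbouring `getRoleDelimiter()` guards `prop != null` while this method does not; the field is initialised inline so the guard is cosmetic, but the two styles should agree. UserGroupSyncConfig's body continues beyond the hunk.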
@@ -28,7 +28,13 @@ import java.net.UnknownHostException; import java.security.KeyStore; import java.security.PrivilegedAction; import java.security.SecureRandom; -import java.util.*; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.HashSet; +import java.util.LinkedHashMap; +import java.util.List; +import java.util.Map; +import java.util.StringTokenizer; import java.util.regex.Pattern; import javax.net.ssl.HostnameVerifier; @@ -39,11 +45,26 @@ import javax.net.ssl.SSLSession; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import javax.security.auth.Subject; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.core.Cookie; import javax.ws.rs.core.MediaType; +import javax.ws.rs.core.NewCookie; import org.apache.hadoop.security.SecureClientLogin; import org.apache.log4j.Level; import org.apache.log4j.Logger; +import org.apache.ranger.unixusersync.config.UserGroupSyncConfig; +import org.apache.ranger.unixusersync.model.GetXGroupListResponse; +import org.apache.ranger.unixusersync.model.GetXUserGroupListResponse; +import org.apache.ranger.unixusersync.model.GetXUserListResponse; +import org.apache.ranger.unixusersync.model.MUserInfo; +import org.apache.ranger.unixusersync.model.UgsyncAuditInfo; +import org.apache.ranger.unixusersync.model.UserGroupInfo; +import org.apache.ranger.unixusersync.model.XGroupInfo; +import org.apache.ranger.unixusersync.model.XUserGroupInfo; +import org.apache.ranger.unixusersync.model.XUserInfo; +import org.apache.ranger.usergroupsync.UserGroupSink; +import org.apache.ranger.usersync.util.UserSyncUtil; import com.google.gson.Gson; import com.google.gson.GsonBuilder; 
@@ -55,11 +76,6 @@ import com.sun.jersey.api.client.config.DefaultClientConfig; import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter; import com.sun.jersey.client.urlconnection.HTTPSProperties; -import org.apache.ranger.unixusersync.config.UserGroupSyncConfig; -import org.apache.ranger.unixusersync.model.*; -import org.apache.ranger.usergroupsync.UserGroupSink; -import org.apache.ranger.usersync.util.UserSyncUtil; - public class PolicyMgrUserGroupBuilder implements UserGroupSink { private static final Logger LOG = Logger.getLogger(PolicyMgrUserGroupBuilder.class); @@ -86,11 +102,16 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { private static final String GROUP_SOURCE_EXTERNAL ="1"; + private static final String RANGER_ADMIN_COOKIE_NAME = "RANGERADMINSESSIONID"; private static String LOCAL_HOSTNAME = "unknown"; private String recordsToPullPerCall = "1000"; private boolean isMockRun = false; private String policyMgrBaseUrl; + private Cookie sessionId=null; + private boolean isValidRangerCookie=false; + List<NewCookie> cookieList=new ArrayList<>(); + private UserGroupSyncConfig config = UserGroupSyncConfig.getInstance(); private UserGroupInfo usergroupInfo = new UserGroupInfo(); @@ -124,6 +145,7 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { private HashSet<String> modifiedUserList = new HashSet<String>(); private HashSet<String> newGroupList = new HashSet<String>(); private HashSet<String> modifiedGroupList = new HashSet<String>(); + private boolean isRangerCookieEnabled; boolean isStartupFlag = false; static { 
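Review bot: `cookieList` is the one new field declared without `private`, so the cookies of the last Ranger Admin reply are package-visible mutable state; declare it `private List<NewCookie> cookieList = new ArrayList<>();` or, since each use site assigns it from `clientResp.getCookies()` and iterates it immediately, drop the field for a local. `sessionId` and `isValidRangerCookie` are only meaningful as a pair (every consumer checks `sessionId != null && isValidRangerCookie`, and the request helpers clear both together), and a comment on the fields should say so: `// sessionId is the RANGERADMINSESSIONID cookie from the last successful call; usable only while isValidRangerCookie is true, both are cleared on 401 or any status other than 200/204/400`. The class body continues outside the hunk.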
@@ -150,11 +172,11 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { noOfNewGroups = 0; noOfModifiedGroups = 0; isStartupFlag = true; - + isRangerCookieEnabled = config.isUserSyncRangerCookieEnabled(); if (isMockRun) { LOG.setLevel(Level.DEBUG); } - + sessionId=null; keyStoreFile = config.getSSLKeyStorePath(); keyStoreFilepwd = config.getSSLKeyStorePathPassword(); trustStoreFile = config.getSSLTrustStorePath(); @@ -327,7 +349,6 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { if (groups == null) { groups = new ArrayList<String>(); } - if (user == null) { // Does not exists //noOfNewUsers++; newUserList.add(userName); 
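Review bot: `sessionId=null;` in the init path leaves `isValidRangerCookie` untouched, whereas every request helper in this commit that drops the session clears both fields; write `sessionId = null; isValidRangerCookie = false;` so the pair never disagrees. The readers currently test `sessionId != null && isValidRangerCookie`, which hides the inconsistency, but a stale `true` flag is the kind of state that bites the next person who simplifies that check. The enclosing init method starts and ends outside the hunk.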
@@ -545,109 +566,118 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { private void buildGroupList() { if (LOG.isDebugEnabled()) { - LOG.debug("==> PolicyMgrUserGroupBuilder.buildGroupList"); + LOG.debug("==> PolicyMgrUserGroupBuilder.buildGroupList()"); } Client c = getClient(); - int totalCount = 100; int retrievedCount = 0; - while (retrievedCount < totalCount) { - WebResource r = c.resource(getURL(PM_GROUP_LIST_URI)) - .queryParam("pageSize", recordsToPullPerCall) - .queryParam("startIndex", String.valueOf(retrievedCount)); - - String response = r.accept(MediaType.APPLICATION_JSON_TYPE).get(String.class); - - LOG.debug("RESPONSE: [" + response + "]"); + String response = null; + Gson gson = new GsonBuilder().create(); + if (isRangerCookieEnabled) { + response = cookieBasedGetEntity(PM_GROUP_LIST_URI, retrievedCount); + } else { + WebResource r = c.resource(getURL(PM_GROUP_LIST_URI)).queryParam("pageSize", recordsToPullPerCall) + .queryParam("startIndex", String.valueOf(retrievedCount)); - Gson gson = new GsonBuilder().create(); + response = r.accept(MediaType.APPLICATION_JSON_TYPE).get(String.class); + } + LOG.debug("RESPONSE: [" + response + "]"); - GetXGroupListResponse groupList = gson.fromJson(response, GetXGroupListResponse.class); + GetXGroupListResponse groupList = gson.fromJson(response, GetXGroupListResponse.class); - totalCount = groupList.getTotalCount(); + totalCount = groupList.getTotalCount(); if (groupList.getXgroupInfoList() != null) { xgroupList.addAll(groupList.getXgroupInfoList()); retrievedCount = xgroupList.size(); for (XGroupInfo g : groupList.getXgroupInfoList()) { - LOG.debug("GROUP: Id:" + g.getId() + ", Name: "+ g.getName() + ", Description: "+ g.getDescription()); + LOG.debug("GROUP: Id:" + g.getId() + ", Name: " + g.getName() + ", Description: " + + g.getDescription()); } } } + if (LOG.isDebugEnabled()) { + LOG.debug("<== PolicyMgrUserGroupBuilder.buildGroupList()"); + } } private void buildUserList() { if 
(LOG.isDebugEnabled()) { - LOG.debug("==> PolicyMgrUserGroupBuilder.buildUserList"); + LOG.debug("==> PolicyMgrUserGroupBuilder.buildUserList()"); } Client c = getClient(); + int totalCount = 100; + int retrievedCount = 0; + while (retrievedCount < totalCount) { + String response = null; + Gson gson = new GsonBuilder().create(); + if (isRangerCookieEnabled) { + response = cookieBasedGetEntity(PM_USER_LIST_URI, retrievedCount); + } else { + WebResource r = c.resource(getURL(PM_USER_LIST_URI)).queryParam("pageSize", recordsToPullPerCall) + .queryParam("startIndex", String.valueOf(retrievedCount)); + response = r.accept(MediaType.APPLICATION_JSON_TYPE).get(String.class); + } + LOG.debug("RESPONSE: [" + response + "]"); + GetXUserListResponse userList = gson.fromJson(response, GetXUserListResponse.class); - int totalCount = 100; - int retrievedCount = 0; - - while (retrievedCount < totalCount) { - - WebResource r = c.resource(getURL(PM_USER_LIST_URI)) - .queryParam("pageSize", recordsToPullPerCall) - .queryParam("startIndex", String.valueOf(retrievedCount)); - - String response = r.accept(MediaType.APPLICATION_JSON_TYPE).get(String.class); - - Gson gson = new GsonBuilder().create(); - - LOG.debug("RESPONSE: [" + response + "]"); - - GetXUserListResponse userList = gson.fromJson(response, GetXUserListResponse.class); - - totalCount = userList.getTotalCount(); + totalCount = userList.getTotalCount(); - if (userList.getXuserInfoList() != null) { - xuserList.addAll(userList.getXuserInfoList()); - retrievedCount = xuserList.size(); + if (userList.getXuserInfoList() != null) { + xuserList.addAll(userList.getXuserInfoList()); + retrievedCount = xuserList.size(); - for(XUserInfo u : userList.getXuserInfoList()) { - LOG.debug("USER: Id:" + u.getId() + ", Name: " + u.getName() + ", Description: " + u.getDescription()); - } - } - } + for (XUserInfo u : userList.getXuserInfoList()) { + LOG.debug("USER: Id:" + u.getId() + ", Name: " + u.getName() + ", Description: " + + 
u.getDescription()); + } + } + } + if (LOG.isDebugEnabled()) { + LOG.debug("<== PolicyMgrUserGroupBuilder.buildUserList()"); + } } private void buildUserGroupLinkList() { - if(LOG.isDebugEnabled()) { - LOG.debug("==> PolicyMgrUserGroupBuilder.buildUserGroupLinkList"); - } + if (LOG.isDebugEnabled()) { + LOG.debug("==> PolicyMgrUserGroupBuilder.buildUserGroupLinkList()"); + } Client c = getClient(); + int totalCount = 100; + int retrievedCount = 0; - int totalCount = 100; - int retrievedCount = 0; - - while (retrievedCount < totalCount) { - - WebResource r = c.resource(getURL(PM_USER_GROUP_MAP_LIST_URI)) - .queryParam("pageSize", recordsToPullPerCall) - .queryParam("startIndex", String.valueOf(retrievedCount)); - - String response = r.accept(MediaType.APPLICATION_JSON_TYPE).get(String.class); - - LOG.debug("RESPONSE: [" + response + "]"); + while (retrievedCount < totalCount) { + String response = null; + Gson gson = new GsonBuilder().create(); + if (isRangerCookieEnabled) { + response = cookieBasedGetEntity(PM_USER_GROUP_MAP_LIST_URI, retrievedCount); + } else { + WebResource r = c.resource(getURL(PM_USER_GROUP_MAP_LIST_URI)) + .queryParam("pageSize", recordsToPullPerCall) + .queryParam("startIndex", String.valueOf(retrievedCount)); - Gson gson = new GsonBuilder().create(); + response = r.accept(MediaType.APPLICATION_JSON_TYPE).get(String.class); + } + LOG.debug("RESPONSE: [" + response + "]"); - GetXUserGroupListResponse usergroupList = gson.fromJson(response, GetXUserGroupListResponse.class); + GetXUserGroupListResponse usergroupList = gson.fromJson(response, GetXUserGroupListResponse.class); - totalCount = usergroupList.getTotalCount(); + totalCount = usergroupList.getTotalCount(); - if (usergroupList.getXusergroupInfoList() != null) { - xusergroupList.addAll(usergroupList.getXusergroupInfoList()); - retrievedCount = xusergroupList.size(); + if (usergroupList.getXusergroupInfoList() != null) { + xusergroupList.addAll(usergroupList.getXusergroupInfoList()); + 
retrievedCount = xusergroupList.size(); - for(XUserGroupInfo ug : usergroupList.getXusergroupInfoList()) { - LOG.debug("USER_GROUP: UserId:" + ug.getUserId() + ", Name: " + ug.getGroupName()); - } - } - } + for (XUserGroupInfo ug : usergroupList.getXusergroupInfoList()) { + LOG.debug("USER_GROUP: UserId:" + ug.getUserId() + ", Name: " + ug.getGroupName()); + } + } + } + if (LOG.isDebugEnabled()) { + LOG.debug("<== PolicyMgrUserGroupBuilder.buildUserGroupLinkList()"); + } } private UserGroupInfo addUserGroupInfo(String userName, List<String> groups){ @@ -711,20 +741,31 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { } private UserGroupInfo getUsergroupInfo(UserGroupInfo ret) { - Client c = getClient(); - - WebResource r = c.resource(getURL(PM_ADD_USER_GROUP_INFO_URI)); - + if(LOG.isDebugEnabled()){ + LOG.debug("==> PolicyMgrUserGroupBuilder.getUsergroupInfo(UserGroupInfo ret)"); + } + String response = null; Gson gson = new GsonBuilder().create(); - String jsonString = gson.toJson(usergroupInfo); - - LOG.debug("USER GROUP MAPPING" + jsonString); - - String response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString); - - LOG.debug("RESPONSE: [" + response + "]"); - + if (LOG.isDebugEnabled()) { + LOG.debug("USER GROUP MAPPING" + jsonString); + } + if(isRangerCookieEnabled){ + response = cookieBasedUploadEntity(jsonString,PM_ADD_USER_GROUP_INFO_URI); + } + else{ + Client c = getClient(); + WebResource r = c.resource(getURL(PM_ADD_USER_GROUP_INFO_URI)); + try{ + response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString); + } + catch(Throwable t){ + LOG.error("Failed to communicate Ranger Admin : ", t); + } + } + if ( LOG.isDebugEnabled() ) { + LOG.debug("RESPONSE: [" + response + "]"); + } ret = gson.fromJson(response, UserGroupInfo.class); if ( ret != null) { 
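Review bot: On the cookie branch `cookieBasedGetEntity` returns `null` when the request threw (the helper logs and swallows) or the body of a 401/404 reply after the session was invalidated, and the loop then runs `gson.fromJson(response, GetXGroupListResponse.class)` and `groupList.getTotalCount()` on it, so an expired session or unreachable Ranger Admin now surfaces as a NullPointerException (or a JsonSyntaxException on an HTML error page) rather than an error naming the endpoint. Guard before parsing with `if (response == null) { LOG.error("Failed to fetch " + PM_GROUP_LIST_URI + " from Ranger Admin"); break; }`, and likewise in buildUserList and buildUserGroupLinkList. Separately, `Client c = getClient()` is now called up front even when the cookie branch never uses the result; moving it into the `else` avoids that wasted call. All three methods are complete within the hunk.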
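Review bot: The new basic-auth branch wraps the POST in `catch(Throwable t)` and only logs, so a failed upload continues into `gson.fromJson(null, UserGroupInfo.class)` and this method returns `null` exactly as if the user were unknown — callers cannot tell "not added" from "Ranger Admin unreachable", and `Throwable` also swallows `Error`s such as OutOfMemoryError; narrow it to `catch (Exception e)` (Jersey's client exceptions are unchecked) and keep the message. The serialised payload is still the `usergroupInfo` field rather than the `ret` parameter, which the hunk carries forward unchanged and is worth confirming is intentional. getUsergroupInfo continues past the hunk.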
@@ -738,32 +779,38 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { } } + if(LOG.isDebugEnabled()){ + LOG.debug("<== PolicyMgrUserGroupBuilder.getUsergroupInfo (UserGroupInfo ret)"); + } return ret; } private void getUserGroupInfo(UserGroupInfo ret, UserGroupInfo usergroupInfo) { - Client c = getClient(); - - WebResource r = c.resource(getURL(PM_ADD_USER_GROUP_INFO_URI)); - + if(LOG.isDebugEnabled()){ + LOG.debug("==> PolicyMgrUserGroupBuilder.getUsergroupInfo(UserGroupInfo ret, UserGroupInfo usergroupInfo)"); + } + String response = null; Gson gson = new GsonBuilder().create(); - String jsonString = gson.toJson(usergroupInfo); - if ( LOG.isDebugEnabled() ) { - LOG.debug("USER GROUP MAPPING" + jsonString); + if (LOG.isDebugEnabled()) { + LOG.debug("USER GROUP MAPPING" + jsonString); } - - String response = null; - try{ - response=r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString); - }catch(Throwable t){ - LOG.error("Failed to communicate Ranger Admin : ", t); + if(isRangerCookieEnabled){ + response = cookieBasedUploadEntity(jsonString,PM_ADD_USER_GROUP_INFO_URI); } - if ( LOG.isDebugEnabled() ) { + else{ + Client c = getClient(); + WebResource r = c.resource(getURL(PM_ADD_USER_GROUP_INFO_URI)); + try{ + response=r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString); + }catch(Throwable t){ + LOG.error("Failed to communicate Ranger Admin : ", t); + } + } + if (LOG.isDebugEnabled()) { LOG.debug("RESPONSE: [" + response + "]"); } ret = gson.fromJson(response, UserGroupInfo.class); - if ( ret != null) { XUserInfo xUserInfo = ret.getXuserInfo(); 
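Review bot: The trace line added to `getUserGroupInfo(UserGroupInfo, UserGroupInfo)` names the sibling method, `"==> PolicyMgrUserGroupBuilder.getUsergroupInfo(UserGroupInfo ret, UserGroupInfo usergroupInfo)"`, so debug logs will attribute this path to `getUsergroupInfo(UserGroupInfo)`; use `"==> PolicyMgrUserGroupBuilder.getUserGroupInfo(UserGroupInfo ret, UserGroupInfo usergroupInfo)"` here and the matching exit line in the next hunk. With this change the two methods carry the same cookie-or-credentials branching and the same `catch(Throwable)`, differing only in which object is serialised; routing both through a single private helper would mean the next change to Ranger Admin authentication is made once. getUserGroupInfo continues past the hunk.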
@@ -774,8 +821,109 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { addUserGroupInfoToList(xUserInfo, xGroupInfo); } } + if(LOG.isDebugEnabled()){ + LOG.debug("<== PolicyMgrUserGroupBuilder.getUsergroupInfo(UserGroupInfo ret, UserGroupInfo usergroupInfo)"); + } } + + private String tryUploadEntityWithCookie(String jsonString, String apiURL) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> PolicyMgrUserGroupBuilder.tryUploadEntityWithCookie()"); + } + String response = null; + ClientResponse clientResp = null; + WebResource webResource = createWebResourceForCookieAuth(apiURL); + WebResource.Builder br = webResource.getRequestBuilder().cookie(sessionId); + try{ + clientResp=br.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(ClientResponse.class, jsonString); + } + catch(Throwable t){ + LOG.error("Failed to communicate Ranger Admin : ", t); + } + if (clientResp != null) { + if (!(clientResp.toString().contains(apiURL))) { + clientResp.setStatus(HttpServletResponse.SC_NOT_FOUND); + sessionId = null; + isValidRangerCookie = false; + } else if (clientResp.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { + sessionId = null; + isValidRangerCookie = false; + } else if (clientResp.getStatus() == HttpServletResponse.SC_NO_CONTENT || clientResp.getStatus() == HttpServletResponse.SC_OK) { + cookieList = clientResp.getCookies(); + for (NewCookie cookie : cookieList) { + if (cookie.getName().equalsIgnoreCase(RANGER_ADMIN_COOKIE_NAME)) { + sessionId = cookie.toCookie(); + isValidRangerCookie = true; + break; + } + } + } + + if (clientResp.getStatus() != HttpServletResponse.SC_OK && clientResp.getStatus() != HttpServletResponse.SC_NO_CONTENT + && clientResp.getStatus() != HttpServletResponse.SC_BAD_REQUEST) { + sessionId = null; + isValidRangerCookie = false; + } + clientResp.bufferEntity(); + response = clientResp.getEntity(String.class); + } + if (LOG.isDebugEnabled()) { + LOG.debug("<== 
PolicyMgrUserGroupBuilder.tryUploadEntityWithCookie()"); + } + return response; + } + + + private String tryUploadEntityWithCred(String jsonString,String apiURL){ + if(LOG.isDebugEnabled()){ + LOG.debug("==> PolicyMgrUserGroupBuilder.tryUploadEntityInfoWithCred()"); + } + String response = null; + ClientResponse clientResp = null; + Client c = getClient(); + WebResource r = c.resource(getURL(apiURL)); + if ( LOG.isDebugEnabled() ) { + LOG.debug("USER GROUP MAPPING" + jsonString); + } + try{ + clientResp=r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(ClientResponse.class, jsonString); + } + catch(Throwable t){ + LOG.error("Failed to communicate Ranger Admin : ", t); + } + if (clientResp != null) { + if (!(clientResp.toString().contains(apiURL))) { + clientResp.setStatus(HttpServletResponse.SC_NOT_FOUND); + } else if (clientResp.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { + LOG.warn("Credentials response from ranger is 401."); + } else if (clientResp.getStatus() == HttpServletResponse.SC_OK || clientResp.getStatus() == HttpServletResponse.SC_NO_CONTENT) { + cookieList = clientResp.getCookies(); + for (NewCookie cookie : cookieList) { + if (cookie.getName().equalsIgnoreCase(RANGER_ADMIN_COOKIE_NAME)) { + sessionId = cookie.toCookie(); + isValidRangerCookie = true; + LOG.info("valid cookie saved "); + break; + } + } + } + if (clientResp.getStatus() != HttpServletResponse.SC_OK && clientResp.getStatus() != HttpServletResponse.SC_NO_CONTENT + && clientResp.getStatus() != HttpServletResponse.SC_BAD_REQUEST) { + sessionId = null; + isValidRangerCookie = false; + } + clientResp.bufferEntity(); + response = clientResp.getEntity(String.class); + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<== PolicyMgrUserGroupBuilder.tryUploadEntityInfoWithCred()"); + } + return response; + } + + private UserGroupInfo addUserGroupInfo(UserGroupInfo usergroupInfo){ if(LOG.isDebugEnabled()) { LOG.debug("==> 
PolicyMgrUserGroupBuilder.addUserGroupInfo"); @@ -808,6 +956,9 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { LOG.error("Failed to add User Group Info : ", t); } } + if (LOG.isDebugEnabled()) { + LOG.debug("<== PolicyMgrUserGroupBuilder.addUserGroupInfo"); + } return ret; } 
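Review bot: In `tryUploadEntityWithCookie` a 401 (or a reply whose `toString()` does not contain `apiURL`, which the code rewrites to 404) correctly clears `sessionId`, but the method then still buffers and returns that error body, so callers parse an unauthenticated reply as if it were the API result; insert `if (!isValidRangerCookie) { return null; }` before `clientResp.bufferEntity();` so a rejected session is reported as "no result" rather than as data. The `clientResp.toString().contains(apiURL)` test relies on Jersey's `ClientResponse.toString()` embedding the request URI, presumably to catch a redirect to a login page; a comment stating that intent, e.g. `// reply came from a different URI (redirect to login?): treat as not found and drop the session`, would make the heuristic and the `setStatus(SC_NOT_FOUND)` override reviewable. The same ~25-line status/cookie block is pasted into tryUploadEntityWithCred, both tryGetEntity* methods and twice into delXUserGroupInfo; one `updateSessionFromResponse(ClientResponse, String)` helper would keep the five copies from drifting. Both methods are complete within the hunk.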
@@ -920,21 +1071,84 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { private void delXUserGroupInfo(XUserInfo aUserInfo, XGroupInfo aGroupInfo) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> PolicyMgrUserGroupBuilder.delXUserGroupInfo()"); + } + String groupName = aGroupInfo.getName(); String userName = aUserInfo.getName(); try { - - Client c = getClient(); - + ClientResponse response = null; String uri = PM_DEL_USER_GROUP_LINK_URI.replaceAll(Pattern.quote("${groupName}"), UserSyncUtil.encodeURIParam(groupName)).replaceAll(Pattern.quote("${userName}"), UserSyncUtil.encodeURIParam(userName)); + if (isRangerCookieEnabled) { + if (sessionId != null && isValidRangerCookie) { + WebResource webResource = createWebResourceForCookieAuth(uri); + WebResource.Builder br = webResource.getRequestBuilder().cookie(sessionId); + response = br.delete(ClientResponse.class); + if (response != null) { + if (!(response.toString().contains(uri))) { + response.setStatus(HttpServletResponse.SC_NOT_FOUND); + sessionId = null; + isValidRangerCookie = false; + } else if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { + LOG.warn("response from ranger is 401 unauthorized"); + sessionId = null; + isValidRangerCookie = false; + } else if (response.getStatus() == HttpServletResponse.SC_NO_CONTENT + || response.getStatus() == HttpServletResponse.SC_OK) { + cookieList = response.getCookies(); + for (NewCookie cookie : cookieList) { + if (cookie.getName().equalsIgnoreCase(RANGER_ADMIN_COOKIE_NAME)) { + sessionId = cookie.toCookie(); + isValidRangerCookie = true; + break; + } + } + } + if (response.getStatus() != HttpServletResponse.SC_OK && response.getStatus() != HttpServletResponse.SC_NO_CONTENT + && response.getStatus() != HttpServletResponse.SC_BAD_REQUEST) { + sessionId = null; + isValidRangerCookie = false; + } + } + } else { + Client c = getClient(); + WebResource r = c.resource(getURL(uri)); + response = r.delete(ClientResponse.class); + if (response != 
null) { + if (!(response.toString().contains(uri))) { + response.setStatus(HttpServletResponse.SC_NOT_FOUND); + } else if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { + LOG.warn("Credentials response from ranger is 401."); + } else if (response.getStatus() == HttpServletResponse.SC_OK + || response.getStatus() == HttpServletResponse.SC_NO_CONTENT) { + cookieList = response.getCookies(); + for (NewCookie cookie : cookieList) { + if (cookie.getName().equalsIgnoreCase(RANGER_ADMIN_COOKIE_NAME)) { + sessionId = cookie.toCookie(); + isValidRangerCookie = true; + LOG.info("valid cookie saved "); + break; + } + } + } + if (response.getStatus() != HttpServletResponse.SC_OK && response.getStatus() != HttpServletResponse.SC_NO_CONTENT + && response.getStatus() != HttpServletResponse.SC_BAD_REQUEST) { + sessionId = null; + isValidRangerCookie = false; + } + } + } + } else { + Client c = getClient(); WebResource r = c.resource(getURL(uri)); - ClientResponse response = r.delete(ClientResponse.class); - + response = r.delete(ClientResponse.class); + } if ( LOG.isDebugEnabled() ) { LOG.debug("RESPONSE: [" + response.toString() + "]"); } @@ -947,6 +1161,9 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { LOG.warn( "ERROR: Unable to delete GROUP: " + groupName + " from USER:" + userName , e); } + if (LOG.isDebugEnabled()) { + LOG.debug("<== PolicyMgrUserGroupBuilder.delXUserGroupInfo()"); + } } 
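Review bot: When the cached cookie is rejected (401, or a reply not matching `uri`, which the code rewrites to 404) the cookie branch clears the session but never retries the DELETE with credentials, so the first user/group unlink after a session expiry is dropped for this sync cycle and the method only logs the response; replace the inner `} else {` before the credential branch with `}` followed by `if (response == null || !isValidRangerCookie) {` so the credential path runs whenever no usable cookie existed or the cookie attempt was rejected (a DELETE is safe to repeat). The ~70 added lines are the upload/get status-and-cookie bookkeeping pasted twice more; a `ClientResponse cookieBasedDelete(String uri)` helper shaped like `cookieBasedUploadEntity` would shrink this to a few lines and share one fallback rule. delXUserGroupInfo continues past the hunk.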
@@ -990,31 +1207,166 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { private MUserInfo getMUser(MUserInfo userInfo, MUserInfo ret) { - Client c = getClient(); + if(LOG.isDebugEnabled()){ + LOG.debug("==> PolicyMgrUserGroupBuilder.getMUser()"); + } + String response = null; + Gson gson = new GsonBuilder().create(); + String jsonString = gson.toJson(userInfo); + if (isRangerCookieEnabled) { + response = cookieBasedUploadEntity(jsonString, PM_ADD_LOGIN_USER_URI); + } else { + Client c = getClient(); + WebResource r = c.resource(getURL(PM_ADD_LOGIN_USER_URI)); + response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE) + .post(String.class, jsonString); + } + if (LOG.isDebugEnabled()) { + LOG.debug("RESPONSE[" + response + "]"); + } + ret = gson.fromJson(response, MUserInfo.class); + if (LOG.isDebugEnabled()) { + LOG.debug("MUser Creation successful " + ret); + LOG.debug("<== PolicyMgrUserGroupBuilder.getMUser()"); + } + return ret; + } - WebResource r = c.resource(getURL(PM_ADD_LOGIN_USER_URI)); + private String cookieBasedUploadEntity(String jsonString, String apiURL ) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> PolicyMgrUserGroupBuilder.cookieBasedUploadEntity()"); + } + String response = null; + if (sessionId != null && isValidRangerCookie) { + response = tryUploadEntityWithCookie(jsonString,apiURL); + } + else{ + response = tryUploadEntityWithCred(jsonString,apiURL); + } + if (LOG.isDebugEnabled()) { + LOG.debug("<== PolicyMgrUserGroupBuilder.cookieBasedUploadEntity()"); + } + return response; + } - Gson gson = new GsonBuilder().create(); + private String cookieBasedGetEntity(String apiURL ,int retrievedCount) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> PolicyMgrUserGroupBuilder.cookieBasedGetEntity()"); + } + String response = null; + if (sessionId != null && isValidRangerCookie) { + response = tryGetEntityWithCookie(apiURL,retrievedCount); + } + else{ + response = 
tryGetEntityWithCred(apiURL,retrievedCount); + } + if (LOG.isDebugEnabled()) { + LOG.debug("<== PolicyMgrUserGroupBuilder.cookieBasedGetEntity()"); + } + return response; + } - String jsonString = gson.toJson(userInfo); + private String tryGetEntityWithCred(String apiURL, int retrievedCount) { + if(LOG.isDebugEnabled()){ + LOG.debug("==> PolicyMgrUserGroupBuilder.tryGetEntityWithCred()"); + } + String response = null; + ClientResponse clientResp = null; + Client c = getClient(); + WebResource r = c.resource(getURL(apiURL)) + .queryParam("pageSize", recordsToPullPerCall) + .queryParam("startIndex", String.valueOf(retrievedCount)); - String response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString); + try{ + clientResp=r.accept(MediaType.APPLICATION_JSON_TYPE).get(ClientResponse.class); + } + catch(Throwable t){ + LOG.error("Failed to communicate Ranger Admin : ", t); + } + if (clientResp != null) { + if (!(clientResp.toString().contains(apiURL))) { + clientResp.setStatus(HttpServletResponse.SC_NOT_FOUND); + } else if (clientResp.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { + LOG.warn("Credentials response from ranger is 401."); + } else if (clientResp.getStatus() == HttpServletResponse.SC_OK || clientResp.getStatus() == HttpServletResponse.SC_NO_CONTENT) { + cookieList = clientResp.getCookies(); + for (NewCookie cookie : cookieList) { + if (cookie.getName().equalsIgnoreCase(RANGER_ADMIN_COOKIE_NAME)) { + sessionId = cookie.toCookie(); + isValidRangerCookie = true; + LOG.info("valid cookie saved "); + break; + } + } + } + if (clientResp.getStatus() != HttpServletResponse.SC_OK && clientResp.getStatus() != HttpServletResponse.SC_NO_CONTENT + && clientResp.getStatus() != HttpServletResponse.SC_BAD_REQUEST) { + sessionId = null; + isValidRangerCookie = false; + } + clientResp.bufferEntity(); + response = clientResp.getEntity(String.class); + } - LOG.debug("RESPONSE[" + response + "]"); + if 
(LOG.isDebugEnabled()) { + LOG.debug("<== PolicyMgrUserGroupBuilder.tryGetEntityWithCred()"); + } + return response; + } - ret = gson.fromJson(response, MUserInfo.class); - LOG.debug("MUser Creation successful " + ret); + private String tryGetEntityWithCookie(String apiURL, int retrievedCount) { + if (LOG.isDebugEnabled()) { + LOG.debug("==> PolicyMgrUserGroupBuilder.tryGetEntityWithCookie()"); + } + String response = null; + ClientResponse clientResp = null; + WebResource webResource = createWebResourceForCookieAuth(apiURL).queryParam("pageSize", recordsToPullPerCall).queryParam("startIndex", String.valueOf(retrievedCount)); + WebResource.Builder br = webResource.getRequestBuilder().cookie(sessionId); + try{ + clientResp=br.accept(MediaType.APPLICATION_JSON_TYPE).get(ClientResponse.class); + } + catch(Throwable t){ + LOG.error("Failed to communicate Ranger Admin : ", t); + } + if (clientResp != null) { + if (!(clientResp.toString().contains(apiURL))) { + clientResp.setStatus(HttpServletResponse.SC_NOT_FOUND); + sessionId = null; + isValidRangerCookie = false; + } else if (clientResp.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { + sessionId = null; + isValidRangerCookie = false; + } else if (clientResp.getStatus() == HttpServletResponse.SC_NO_CONTENT || clientResp.getStatus() == HttpServletResponse.SC_OK) { + cookieList = clientResp.getCookies(); + for (NewCookie cookie : cookieList) { + if (cookie.getName().equalsIgnoreCase(RANGER_ADMIN_COOKIE_NAME)) { + sessionId = cookie.toCookie(); + isValidRangerCookie = true; + break; + } + } + } - return ret; + if (clientResp.getStatus() != HttpServletResponse.SC_OK && clientResp.getStatus() != HttpServletResponse.SC_NO_CONTENT + && clientResp.getStatus() != HttpServletResponse.SC_BAD_REQUEST) { + sessionId = null; + isValidRangerCookie = false; + } + clientResp.bufferEntity(); + response = clientResp.getEntity(String.class); + } + if (LOG.isDebugEnabled()) { + LOG.debug("<== 
PolicyMgrUserGroupBuilder.tryGetEntityWithCookie()"); + } + return response; } + private synchronized Client getClient() { Client ret = null; - if (policyMgrBaseUrl.startsWith("https://")) { - ClientConfig config = new DefaultClientConfig(); if (sslContext == null) { @@ -1112,6 +1464,13 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { return ret; } + private WebResource createWebResourceForCookieAuth(String url) { + Client cookieClient = getClient(); + cookieClient.removeAllFilters(); + WebResource ret = cookieClient.resource(getURL(url)); + return ret; + } + private InputStream getFileInputStream(String path) throws FileNotFoundException { InputStream ret = null; @@ -1199,20 +1558,29 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { private XGroupInfo getAddedGroupInfo(XGroupInfo group){ XGroupInfo ret = null; - - Client c = getClient(); - - WebResource r = c.resource(getURL(PM_ADD_GROUP_URI)); - + String response = null; Gson gson = new GsonBuilder().create(); - String jsonString = gson.toJson(group); + if(isRangerCookieEnabled){ + response = cookieBasedUploadEntity(jsonString,PM_ADD_GROUP_URI); + } + else{ + Client c = getClient(); + WebResource r = c.resource(getURL(PM_ADD_GROUP_URI)); + if (LOG.isDebugEnabled()) { + LOG.debug("Group" + jsonString); + } + try{ + response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString); + } + catch(Throwable t){ + LOG.error("Failed to communicate Ranger Admin : ", t); + } + } - LOG.debug("Group" + jsonString); - - String response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString); - - LOG.debug("RESPONSE: [" + response + "]"); + if ( LOG.isDebugEnabled() ) { + LOG.debug("RESPONSE: [" + response + "]"); + } ret = gson.fromJson(response, XGroupInfo.class); 
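Review bot: `cookieBasedUploadEntity` and `cookieBasedGetEntity` make one attempt with the cached cookie and return whatever came back, even though `tryUploadEntityWithCookie`/`tryGetEntityWithCookie` have just detected the rejection and cleared `sessionId`; the credential path is only used on the next call, so every session expiry costs one lost request — for `getMUser`/`getAddedGroupInfo` that is a user or group not created until the following sync run, and for the paging GETs a page parsed from a 401 body. Retry once with credentials in the same call whenever the cookie attempt ended with the session cleared (that reply also captures the fresh `RANGERADMINSESSIONID`), as below, with the same shape for `cookieBasedGetEntity`. The tryGetEntityWithCred/tryGetEntityWithCookie bodies are complete within the hunk.
```java
private String cookieBasedUploadEntity(String jsonString, String apiURL) {
    // … unchanged: entry debug log …
    String response = null;
    if (sessionId != null && isValidRangerCookie) {
        response = tryUploadEntityWithCookie(jsonString, apiURL);
    }
    // no usable cookie, or the cookie was just rejected and cleared:
    // authenticate with credentials once; that reply re-establishes the cookie
    if (sessionId == null || !isValidRangerCookie) {
        response = tryUploadEntityWithCred(jsonString, apiURL);
    }
    // … unchanged: exit debug log …
    return response;
}
```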
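Review bot: `createWebResourceForCookieAuth` calls `removeAllFilters()` on whatever `getClient()` hands back; that is only safe if `getClient()` builds a fresh `Client` per call (its body starts with `Client ret = null;` but lies outside this hunk), because on a cached instance it would strip the `HTTPBasicAuthFilter` the credential path depends on, and the fallback would then run unauthenticated and keep getting 401. Either pin that assumption with a comment — `// getClient() must return a fresh Client: removeAllFilters() would otherwise strip basic-auth from a shared instance` — or build the cookie client without ever adding the auth filter instead of removing it afterwards. getClient itself is not visible here, so this is an inference to confirm.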
@@ -1308,22 +1676,38 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { private UgsyncAuditInfo getUserGroupAuditInfo(UgsyncAuditInfo userInfo) { - Client c = getClient(); + if(LOG.isDebugEnabled()){ + LOG.debug("==> PolicyMgrUserGroupBuilder.getUserGroupAuditInfo()"); + } - WebResource r = c.resource(getURL(PM_AUDIT_INFO_URI)); + String response = null; Gson gson = new GsonBuilder().create(); - String jsonString = gson.toJson(userInfo); - - String response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString); - - LOG.debug("RESPONSE[" + response + "]"); - + if(isRangerCookieEnabled){ + response = cookieBasedUploadEntity(jsonString, PM_AUDIT_INFO_URI); + } + else{ + Client c = getClient(); + WebResource r = c.resource(getURL(PM_AUDIT_INFO_URI)); + try{ + response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString); + } + catch(Throwable t){ + LOG.error("Failed to communicate Ranger Admin : ", t); + } + } + if (LOG.isDebugEnabled()) { + LOG.debug("RESPONSE[" + response + "]"); + } UgsyncAuditInfo ret = gson.fromJson(response, UgsyncAuditInfo.class); LOG.debug("AuditInfo Creation successful "); + if(LOG.isDebugEnabled()){ + LOG.debug("<== PolicyMgrUserGroupBuilder.getUserGroupAuditInfo()"); + } + return ret; } http://git-wip-us.apache.org/repos/asf/ranger/blob/a4ad1a0b/unixauthservice/conf.dist/ranger-ugsync-default.xml ---------------------------------------------------------------------- diff --git a/unixauthservice/conf.dist/ranger-ugsync-default.xml b/unixauthservice/conf.dist/ranger-ugsync-default.xml index cf4ab80..719bd90 100644 --- a/unixauthservice/conf.dist/ranger-ugsync-default.xml +++ b/unixauthservice/conf.dist/ranger-ugsync-default.xml 
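Review bot: `LOG.debug("AuditInfo Creation successful ")` now runs even when nothing was created: both new branches can leave `response` null (swallowed exception on the credential path, rejected cookie on the cookie path), `gson.fromJson(null, …)` then yields a null `ret`, and a usersync audit record that was never written is logged as success at debug level. Guard it: `if (ret != null) { LOG.debug("AuditInfo Creation successful "); } else { LOG.warn("Failed to post usersync audit info to Ranger Admin"); }` — a dropped audit record is the one outcome an operator wants at warn, not debug. getUserGroupAuditInfo is complete within the hunk.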
@@ -61,4 +61,8 @@
 <name>ranger.usersync.logdir</name>
 <value>./log</value>
 </property>
+ <property>
+ <name>ranger.usersync.cookie.enabled</name>
+ <value>true</value>
+ </property>
 </configuration>
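Review bot: Shipping `ranger.usersync.cookie.enabled` as `true` in the defaults file switches every existing deployment to session-cookie replay on upgrade with no opt-in, and nothing here tells an operator what the flag trades off; the code side already treats an absent property as true, so this entry is the only place the knob is visible. If the project's defaults file carries no `<description>` elements, at least an XML comment above the property, `<!-- replay the Ranger Admin session cookie on subsequent usersync requests; set to false to authenticate every request with credentials -->`, would document it where it is set.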
