RANGER-2083 : Restrict KMS audit events to KMS related users only Signed-off-by: Mehul Parikh <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/cccb5e1b Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/cccb5e1b Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/cccb5e1b Branch: refs/heads/master Commit: cccb5e1b949e843f6ff756f2019938d65125ea08 Parents: eed027a Author: fatimaawez <[email protected]> Authored: Wed May 9 11:36:00 2018 +0530 Committer: Mehul Parikh <[email protected]> Committed: Wed May 9 15:15:24 2018 +0530
----------------------------------------------------------------------
.../java/org/apache/ranger/rest/AssetREST.java | 4 +++- .../ranger/solr/SolrAccessAuditsService.java | 3 ++- .../src/main/webapp/scripts/utils/XAEnums.js | 3 ++- .../webapp/scripts/views/reports/AuditLayout.js | 22 +++++++++++++++----- 4 files changed, 24 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/cccb5e1b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
index b7e045d..b2a43d2 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
@@ -655,7 +655,9 @@ public class AssetREST { if(isKeyAdmin && xxServiceDef != null || isAuditKeyAdmin && xxServiceDef != null){ searchCriteria.getParamList().put("repoType", xxServiceDef.getId()); } - + else if (xxServiceDef != null) { + searchCriteria.getParamList().put("-repoType", xxServiceDef.getId()); + } return assetMgr.getAccessLogs(searchCriteria); } http://git-wip-us.apache.org/repos/asf/ranger/blob/cccb5e1b/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java b/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java index 7dcb074..397639b 100644 --- a/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java +++ b/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java @@ -103,7 +103,8 @@ public class SolrAccessAuditsService { SearchField.DATA_TYPE.INTEGER, SearchField.SEARCH_TYPE.FULL)); searchFields.add(new SearchField("repoType", "repoType", SearchField.DATA_TYPE.INTEGER, SearchField.SEARCH_TYPE.FULL)); - + searchFields.add(new SearchField("-repoType", "-repoType", + SearchField.DATA_TYPE.INTEGER, SearchField.SEARCH_TYPE.FULL)); searchFields.add(new SearchField("resourceType", "resType", SearchField.DATA_TYPE.STRING, SearchField.SEARCH_TYPE.FULL)); searchFields.add(new SearchField("reason", "reason", http://git-wip-us.apache.org/repos/asf/ranger/blob/cccb5e1b/security-admin/src/main/webapp/scripts/utils/XAEnums.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/utils/XAEnums.js b/security-admin/src/main/webapp/scripts/utils/XAEnums.js index 6e101bf..ea80545 100644 --- a/security-admin/src/main/webapp/scripts/utils/XAEnums.js +++ b/security-admin/src/main/webapp/scripts/utils/XAEnums.js 
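Review bot: When `xxServiceDef` is null neither branch runs, so `assetMgr.getAccessLogs(searchCriteria)` is called with no `repoType` constraint at all and the restriction added in AssetREST.java fails open; the key-admin branch above it has the same gap. Where `xxServiceDef` is assigned lies outside the hunk, so whether a null is reachable in practice cannot be seen here, but the fallthrough should be an explicit decision rather than a silent one. I would add a final `else { /* KMS service-def not found: no repoType filter applied */ }` that at least logs a warning (or rejects the request), and put `// non-KMS users: negated filter hides KMS audit records` above the new `else if`.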
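Review bot: The exclusion depends on the leading `-` in the field name `"-repoType"` reaching the generated Solr query as a negation, which nothing in SolrAccessAuditsService.java states and which a later cleanup of the field list could easily break. A comment such as `// leading '-' negates the clause in Solr; AssetREST uses it to hide KMS audits from non-KMS users` would record the intent. Only the Solr-backed service gains this field in the commit, so if access logs can also be served from another audit store the `-repoType` criterion may be ignored there and KMS events would stay visible; that path is not shown and should be checked. The field list continues outside the hunk on both sides.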
@@ -130,7 +130,8 @@ define(function(require) { Service_HBASE:{value:3, label:'hbase', rbkey:'xa.enum.AssetType.ASSET_HBASE', tt: 'lbl.AssetType_ASSET_HBASE'}, Service_KNOX:{value:4, label:'knox', rbkey:'xa.enum.AssetType.ASSET_KNOX', tt: 'lbl.AssetType_ASSET_KNOX'}, Service_STORM:{value:5, label:'storm', rbkey:'xa.enum.AssetType.ASSET_STORM', tt: 'lbl.AssetType_ASSET_STORM'}, - SERVICE_TAG:{value:6, label:'tag', rbkey:'xa.enum.ServiceType.SERVICE_TAG', tt: 'lbl.ServiceType_SERVICE_TAG'} + SERVICE_TAG:{value:6, label:'tag', rbkey:'xa.enum.ServiceType.SERVICE_TAG', tt: 'lbl.ServiceType_SERVICE_TAG'}, + Service_KMS:{value:7, label:'kms', rbkey:'xa.enum.ServiceType.SERVICE_KMS', tt: 'lbl.ServiceType_SERVICE_KMS'} }); XAEnums.AuthStatus = mergeParams(XAEnums.AuthStatus, { http://git-wip-us.apache.org/repos/asf/ranger/blob/cccb5e1b/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js ---------------------------------------------------------------------- diff --git a/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js b/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js index b3da7b5..b55d57e 100644 --- a/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js +++ b/security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js @@ -361,9 +361,15 @@ define(function(require) { serviceList.setPageSize(100); serviceList.fetch().done(function(){ serviceList.each(function(m){ - if(m.get('type') !== XAEnums.ServiceType.SERVICE_TAG.label){ - serviceNameVal.push(m.get('name')); - }; + if(SessionMgr.isKeyAdmin() || SessionMgr.isKMSAuditor()){ + if(m.get('type') !== XAEnums.ServiceType.SERVICE_TAG.label){ + serviceNameVal.push(m.get('name')); + } + }else{ + if(m.get('type') !== XAEnums.ServiceType.SERVICE_TAG.label && m.get('type') !== XAEnums.ServiceType.Service_KMS.label){ + serviceNameVal.push(m.get('name')); + } + } }); callback(serviceNameVal); }); 
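Review bot: In the first AuditLayout.js hunk the `push` is duplicated in both branches and `SessionMgr.isKeyAdmin() || SessionMgr.isKMSAuditor()` is re-evaluated for every model; the 'Service Type' hunk that follows repeats the same pattern. Hoisting the check reads more clearly: `var canSeeKms = SessionMgr.isKeyAdmin() || SessionMgr.isKMSAuditor();` before the `each`, then a single `if (type !== XAEnums.ServiceType.SERVICE_TAG.label && (canSeeKms || type !== XAEnums.ServiceType.Service_KMS.label))`. A short comment that this only trims the suggestion list, and that the server-side `repoType` filter is what actually withholds the audit data, would keep the UI check from being mistaken for the access control. The enclosing `switch` case starts outside the hunk.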
@@ -371,8 +377,14 @@ define(function(require) { case 'Service Type': var serviveDefs = []; that.serviceDefList.each(function(m){ - if(m.get('name').toUpperCase() != (XAEnums.ServiceType.SERVICE_TAG.label).toUpperCase()){ - serviveDefs.push({ 'label' : m.get('name').toUpperCase(), 'value' : m.get('name').toUpperCase() }); + if(SessionMgr.isKeyAdmin() || SessionMgr.isKMSAuditor()){ + if(m.get('name').toUpperCase() != (XAEnums.ServiceType.SERVICE_TAG.label).toUpperCase()){ + serviveDefs.push({ 'label' : m.get('name').toUpperCase(), 'value' : m.get('name').toUpperCase() }); + } + }else{ + if(m.get('name').toUpperCase() != (XAEnums.ServiceType.SERVICE_TAG.label).toUpperCase() && m.get('name') !== XAEnums.ServiceType.Service_KMS.label){ + serviveDefs.push({ 'label' : m.get('name').toUpperCase(), 'value' : m.get('name').toUpperCase() }); + } } }); callback(serviveDefs);
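Review bot: The KMS comparison in the `else` branch is case-sensitive (`m.get('name') !== XAEnums.ServiceType.Service_KMS.label`) while the tag comparison in the same condition upper-cases both sides, so a service-def whose name is not exactly lower-case `kms` would still be offered to non-KMS users. Following the existing convention avoids that: `m.get('name').toUpperCase() != XAEnums.ServiceType.Service_KMS.label.toUpperCase()`. This affects only which filter values the UI suggests; whether the records are withheld is decided by the server.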
