http://git-wip-us.apache.org/repos/asf/ranger/blob/c84b98fb/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git
a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index ceee8ce..a3e0261 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -19,6 +19,12 @@
package org.apache.ranger.biz;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.UnknownHostException;
+import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
@@ -27,18 +33,11 @@ import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
-import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
-import java.util.Set;
import java.util.Map.Entry;
+import java.util.Set;
import java.util.StringTokenizer;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.net.UnknownHostException;
-import java.text.SimpleDateFormat;
import javax.annotation.PostConstruct;
import javax.servlet.ServletOutputStream;
@@ -50,22 +49,30 @@ import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.security.SecureClientLogin;
+import org.apache.hadoop.security.authentication.util.KerberosName;
+import org.apache.poi.hssf.usermodel.HSSFWorkbook;
+import org.apache.poi.ss.usermodel.Cell;
+import org.apache.poi.ss.usermodel.CellStyle;
+import org.apache.poi.ss.usermodel.Font;
+import org.apache.poi.ss.usermodel.Row;
+import org.apache.poi.ss.usermodel.Sheet;
+import org.apache.poi.ss.usermodel.Workbook;
import org.apache.ranger.audit.provider.MiscUtil;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
import org.apache.ranger.common.AppConstants;
import org.apache.ranger.common.ContextUtil;
import org.apache.ranger.common.MessageEnums;
-import org.apache.ranger.common.RangerCommonEnums;
+import org.apache.ranger.common.db.RangerTransactionSynchronizationAdapter;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import
org.apache.ranger.plugin.policyresourcematcher.RangerDefaultPolicyResourceMatcher;
import
org.apache.ranger.plugin.policyresourcematcher.RangerPolicyResourceMatcher;
-import org.apache.ranger.plugin.resourcematcher.RangerAbstractResourceMatcher;
-import org.apache.ranger.plugin.service.RangerBaseService;
import org.apache.ranger.plugin.store.ServiceStore;
import org.apache.ranger.plugin.util.PasswordUtils;
import org.apache.ranger.common.JSONUtil;
import org.apache.ranger.common.PropertiesUtil;
import org.apache.ranger.common.RESTErrorUtil;
+import org.apache.ranger.common.RangerConstants;
import org.apache.ranger.common.RangerFactory;
import org.apache.ranger.common.RangerServicePoliciesCache;
import org.apache.ranger.common.RangerVersionInfo;
@@ -79,15 +86,6 @@ import org.apache.ranger.db.XXDataMaskTypeDefDao;
import org.apache.ranger.db.XXEnumDefDao;
import org.apache.ranger.db.XXEnumElementDefDao;
import org.apache.ranger.db.XXPolicyConditionDefDao;
-import org.apache.ranger.db.XXPolicyItemAccessDao;
-import org.apache.ranger.db.XXPolicyItemConditionDao;
-import org.apache.ranger.db.XXPolicyItemDao;
-import org.apache.ranger.db.XXPolicyItemDataMaskInfoDao;
-import org.apache.ranger.db.XXPolicyItemGroupPermDao;
-import org.apache.ranger.db.XXPolicyItemRowFilterInfoDao;
-import org.apache.ranger.db.XXPolicyItemUserPermDao;
-import org.apache.ranger.db.XXPolicyResourceDao;
-import org.apache.ranger.db.XXPolicyResourceMapDao;
import org.apache.ranger.db.XXResourceDefDao;
import org.apache.ranger.db.XXServiceConfigDefDao;
import org.apache.ranger.db.XXServiceConfigMapDao;
@@ -101,18 +99,11 @@ import org.apache.ranger.entity.XXDataHist;
import org.apache.ranger.entity.XXDataMaskTypeDef;
import org.apache.ranger.entity.XXEnumDef;
import org.apache.ranger.entity.XXEnumElementDef;
-import org.apache.ranger.entity.XXGroup;
import org.apache.ranger.entity.XXPolicy;
import org.apache.ranger.entity.XXPolicyConditionDef;
-import org.apache.ranger.entity.XXPolicyItem;
-import org.apache.ranger.entity.XXPolicyItemAccess;
-import org.apache.ranger.entity.XXPolicyItemCondition;
-import org.apache.ranger.entity.XXPolicyItemDataMaskInfo;
-import org.apache.ranger.entity.XXPolicyItemGroupPerm;
-import org.apache.ranger.entity.XXPolicyItemRowFilterInfo;
-import org.apache.ranger.entity.XXPolicyItemUserPerm;
-import org.apache.ranger.entity.XXPolicyResource;
-import org.apache.ranger.entity.XXPolicyResourceMap;
+import org.apache.ranger.entity.XXPolicyRefAccessType;
+import org.apache.ranger.entity.XXPolicyRefCondition;
+import org.apache.ranger.entity.XXPolicyRefResource;
import org.apache.ranger.entity.XXResourceDef;
import org.apache.ranger.entity.XXService;
import org.apache.ranger.entity.XXServiceConfigDef;
@@ -123,13 +114,11 @@ import org.apache.ranger.entity.XXTrxLog;
import org.apache.ranger.entity.XXUser;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem;
-import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition;
-import
org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo;
-import
org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemRowFilterInfo;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerRowFilterPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicyResourceSignature;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
@@ -144,7 +133,6 @@ import
org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerRowFilterDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerServiceConfigDef;
import org.apache.ranger.plugin.model.validation.RangerServiceDefHelper;
-import org.apache.ranger.plugin.policyevaluator.RangerPolicyItemEvaluator;
import org.apache.ranger.plugin.store.AbstractServiceStore;
import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.plugin.store.PList;
@@ -161,15 +149,14 @@ import org.apache.ranger.service.RangerServiceDefService;
import org.apache.ranger.service.RangerServiceDefWithAssignedIdService;
import org.apache.ranger.service.RangerServiceService;
import org.apache.ranger.service.RangerServiceWithAssignedIdService;
-import org.apache.ranger.service.XGroupService;
import org.apache.ranger.service.XUserService;
import org.apache.ranger.view.RangerExportPolicyList;
import org.apache.ranger.view.RangerPolicyList;
import org.apache.ranger.view.RangerServiceDefList;
import org.apache.ranger.view.RangerServiceList;
-import org.apache.ranger.view.VXGroup;
import org.apache.ranger.view.VXString;
import org.apache.ranger.view.VXUser;
+import org.codehaus.jettison.json.JSONException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
@@ -177,14 +164,6 @@ import
org.springframework.transaction.PlatformTransactionManager;
import org.springframework.transaction.TransactionStatus;
import org.springframework.transaction.support.TransactionCallback;
import org.springframework.transaction.support.TransactionTemplate;
-import org.apache.poi.hssf.usermodel.HSSFWorkbook;
-import org.apache.poi.ss.usermodel.Cell;
-import org.apache.poi.ss.usermodel.CellStyle;
-import org.apache.poi.ss.usermodel.Font;
-import org.apache.poi.ss.usermodel.Row;
-import org.apache.poi.ss.usermodel.Sheet;
-import org.apache.poi.ss.usermodel.Workbook;
-import org.codehaus.jettison.json.JSONException;
import com.google.gson.Gson;
@@ -192,26 +171,38 @@ import com.google.gson.Gson;
public class ServiceDBStore extends AbstractServiceStore {
private static final Log LOG = LogFactory.getLog(ServiceDBStore.class);
+ public static final String RANGER_TAG_EXPIRY_CONDITION_NAME =
"accessed-after-expiry";
+
+ private static final String ADMIN_USER_PRINCIPAL =
"ranger.admin.kerberos.principal";
+ private static final String ADMIN_USER_KEYTAB =
"ranger.admin.kerberos.keytab";
+ private static final String LOOKUP_PRINCIPAL =
"ranger.lookup.kerberos.principal";
+ private static final String LOOKUP_KEYTAB =
"ranger.lookup.kerberos.keytab";
+ private static final String RANGER_AUTH_TYPE =
"hadoop.security.authentication";
+ private static final String AMBARI_SERVICE_CHECK_USER =
"ambari.service.check.user";
+
+ private static final String KERBEROS_TYPE = "kerberos";
+
private static final String POLICY_ALLOW_EXCLUDE = "Policy
Allow:Exclude";
- //private static final String POLICY_ALLOW_INCLUDE = "Policy
Allow:Include";
- private static final String POLICY_DENY_EXCLUDE = "Policy Deny:Exclude";
- private static final String POLICY_DENY_INCLUDE = "Policy Deny:Include";
-
- private static String LOCAL_HOSTNAME = "unknown";
- private static final String HOSTNAME = "Host name";
- private static final String USER_NAME = "Exported by";
+ private static final String POLICY_ALLOW_INCLUDE = "Policy
Allow:Include";
+ private static final String POLICY_DENY_EXCLUDE = "Policy
Deny:Exclude";
+ private static final String POLICY_DENY_INCLUDE = "Policy
Deny:Include";
+
+ private static String LOCAL_HOSTNAME = "unknown";
+ private static final String HOSTNAME = "Host name";
+ private static final String USER_NAME = "Exported by";
private static final String RANGER_VERSION = "Ranger apache version";
- private static final String TIMESTAMP = "Export time";
+ private static final String TIMESTAMP = "Export time";
- private static final String AMBARI_SERVICE_CHECK_USER =
"ambari.service.check.user";
- private static final String SERVICE_ADMIN_USERS = "service.admin.users";
-
- public static final String CRYPT_ALGO =
PropertiesUtil.getProperty("ranger.password.encryption.algorithm",
PasswordUtils.DEFAULT_CRYPT_ALGO);
- public static final String ENCRYPT_KEY =
PropertiesUtil.getProperty("ranger.password.encryption.key",
PasswordUtils.DEFAULT_ENCRYPT_KEY);
- public static final String SALT =
PropertiesUtil.getProperty("ranger.password.salt", PasswordUtils.DEFAULT_SALT);
- public static final Integer ITERATION_COUNT =
PropertiesUtil.getIntProperty("ranger.password.iteration.count",
PasswordUtils.DEFAULT_ITERATION_COUNT);
+ private static final String AUDITTOHDFS_KMS_PATH =
"/ranger/audit/kms";
+ private static final String AUDITTOHDFS_POLICY_NAME = "kms-audit-path";
+ private static final String SERVICE_ADMIN_USERS =
"service.admin.users";
- static {
+ public static final String CRYPT_ALGO =
PropertiesUtil.getProperty("ranger.password.encryption.algorithm",
PasswordUtils.DEFAULT_CRYPT_ALGO);
+ public static final String ENCRYPT_KEY =
PropertiesUtil.getProperty("ranger.password.encryption.key",
PasswordUtils.DEFAULT_ENCRYPT_KEY);
+ public static final String SALT =
PropertiesUtil.getProperty("ranger.password.salt", PasswordUtils.DEFAULT_SALT);
+ public static final Integer ITERATION_COUNT =
PropertiesUtil.getIntProperty("ranger.password.iteration.count",
PasswordUtils.DEFAULT_ITERATION_COUNT);
+
+ static {
try {
LOCAL_HOSTNAME =
java.net.InetAddress.getLocalHost().getCanonicalHostName();
} catch (UnknownHostException e) {
@@ -247,7 +238,7 @@ public class ServiceDBStore extends AbstractServiceStore {
XUserMgr xUserMgr;
@Autowired
- XGroupService xGroupService;
+ PolicyRefUpdater policyRefUpdater;
@Autowired
RangerDataHistService dataHistService;
@@ -277,7 +268,14 @@ public class ServiceDBStore extends AbstractServiceStore {
@Autowired
ServiceMgr serviceMgr;
+ @Autowired
+ AssetMgr assetMgr;
+
+ @Autowired
+ RangerTransactionSynchronizationAdapter
transactionSynchronizationAdapter;
+
private static volatile boolean legacyServiceDefsInitDone = false;
+
private Boolean populateExistingBaseFields = false;
public static final String HIDDEN_PASSWORD_STR = "*****";
@@ -288,7 +286,6 @@ public class ServiceDBStore extends AbstractServiceStore {
private ServicePredicateUtil predicateUtil = null;
-
@Override
public void init() throws Exception {
if (LOG.isDebugEnabled()) {
@@ -735,8 +732,8 @@ public class ServiceDBStore extends AbstractServiceStore {
}
}
if (!found) {
- List<XXPolicyResource> policyResList =
daoMgr.getXXPolicyResource().findByResDefId(xRes.getId());
- if (!stringUtil.isEmpty(policyResList)) {
+ List<XXPolicyRefResource> xxPolicyRefResource =
daoMgr.getXXPolicyRefResource().findByResourceDefID(xRes.getId());
+ if (!stringUtil.isEmpty(xxPolicyRefResource)) {
throw
restErrorUtil.createRESTException("Policy/Policies are referring to this
resource: "
+ xRes.getName() + ".
Please remove such references from policy before updating service-def.",
MessageEnums.DATA_NOT_UPDATABLE);
@@ -822,8 +819,8 @@ public class ServiceDBStore extends AbstractServiceStore {
}
}
if (!found) {
- List<XXPolicyItemAccess> polItemAccessList =
daoMgr.getXXPolicyItemAccess().findByType(xAccess.getId());
- if(!stringUtil.isEmpty(polItemAccessList)) {
+ List<XXPolicyRefAccessType>
policyRefAccessTypeList =
daoMgr.getXXPolicyRefAccessType().findByAccessTypeDefId(xAccess.getId());
+
if(!stringUtil.isEmpty(policyRefAccessTypeList)) {
throw
restErrorUtil.createRESTException("Policy/Policies are referring to this
access-type: "
+ xAccess.getName() +
". Please remove such references from policy before updating service-def.",
MessageEnums.DATA_NOT_UPDATABLE);
@@ -865,15 +862,14 @@ public class ServiceDBStore extends AbstractServiceStore {
}
}
if(!found) {
- List<XXPolicyItemCondition> policyItemCondList
= daoMgr.getXXPolicyItemCondition()
-
.findByPolicyConditionDefId(xCondition.getId());
- if(!stringUtil.isEmpty(policyItemCondList)) {
+ List<XXPolicyRefCondition>
xxPolicyRefConditions =
daoMgr.getXXPolicyRefCondition().findByConditionDefId(xCondition.getId());
+ if(!stringUtil.isEmpty(xxPolicyRefConditions)) {
throw
restErrorUtil.createRESTException("Policy/Policies are referring to this
policy-condition: "
+ xCondition.getName()
+ ". Please remove such references from policy before updating service-def.",
MessageEnums.DATA_NOT_UPDATABLE);
}
- for(XXPolicyItemCondition policyItemCond :
policyItemCondList) {
-
daoMgr.getXXPolicyItemCondition().remove(policyItemCond);
+ for(XXPolicyRefCondition xxPolicyRefCondition :
xxPolicyRefConditions) {
+
daoMgr.getXXPolicyRefCondition().remove(xxPolicyRefCondition);
}
xxPolCondDao.remove(xCondition);
}
@@ -1206,9 +1202,9 @@ public class ServiceDBStore extends AbstractServiceStore {
List<XXPolicyConditionDef> policyCondList =
policyCondDao.findByServiceDefId(serviceDefId);
for (XXPolicyConditionDef policyCond : policyCondList) {
- List<XXPolicyItemCondition> policyItemCondList =
daoMgr.getXXPolicyItemCondition().findByPolicyConditionDefId(policyCond.getId());
- for (XXPolicyItemCondition policyItemCond :
policyItemCondList) {
-
daoMgr.getXXPolicyItemCondition().remove(policyItemCond);
+ List<XXPolicyRefCondition> xxPolicyRefConditions =
daoMgr.getXXPolicyRefCondition().findByConditionDefId(policyCond.getId());
+ for (XXPolicyRefCondition XXPolicyRefCondition :
xxPolicyRefConditions) {
+
daoMgr.getXXPolicyRefCondition().remove(XXPolicyRefCondition);
}
policyCondDao.remove(policyCond);
}
@@ -1258,37 +1254,25 @@ public class ServiceDBStore extends
AbstractServiceStore {
daoMgr.getXXAccessTypeDefGrants().remove(atdGrant);
}
- List<XXPolicyItemAccess> policyItemAccessList =
daoMgr.getXXPolicyItemAccess().findByType(xAccess.getId());
- for (XXPolicyItemAccess policyItemAccess :
policyItemAccessList) {
- daoMgr.getXXPolicyItemAccess().remove(policyItemAccess);
+ List<XXPolicyRefAccessType> policyRefAccessTypeList =
daoMgr.getXXPolicyRefAccessType().findByAccessTypeDefId(xAccess.getId());
+ for (XXPolicyRefAccessType xxPolicyRefAccessType :
policyRefAccessTypeList) {
+
daoMgr.getXXPolicyRefAccessType().remove(xxPolicyRefAccessType);
}
daoMgr.getXXAccessTypeDef().remove(xAccess);
}
public void deleteXXResourceDef(XXResourceDef xRes) {
-
List<XXResourceDef> xChildObjs =
daoMgr.getXXResourceDef().findByParentResId(xRes.getId());
for(XXResourceDef childRes : xChildObjs) {
deleteXXResourceDef(childRes);
}
-
- List<XXPolicyResource> xxResources =
daoMgr.getXXPolicyResource().findByResDefId(xRes.getId());
- for (XXPolicyResource xPolRes : xxResources) {
- deleteXXPolicyResource(xPolRes);
+ List<XXPolicyRefResource> xxPolicyRefResources =
daoMgr.getXXPolicyRefResource().findByResourceDefID(xRes.getId());
+ for (XXPolicyRefResource xPolRefRes : xxPolicyRefResources) {
+ daoMgr.getXXPolicyRefResource().remove(xPolRefRes);
}
-
daoMgr.getXXResourceDef().remove(xRes);
}
- public void deleteXXPolicyResource(XXPolicyResource xPolRes) {
- List<XXPolicyResourceMap> polResMapList =
daoMgr.getXXPolicyResourceMap().findByPolicyResId(xPolRes.getId());
- XXPolicyResourceMapDao polResMapDao =
daoMgr.getXXPolicyResourceMap();
- for (XXPolicyResourceMap xxPolResMap : polResMapList) {
- polResMapDao.remove(xxPolResMap);
- }
- daoMgr.getXXPolicyResource().remove(xPolRes);
- }
-
@Override
public RangerServiceDef getServiceDef(Long id) throws Exception {
if (LOG.isDebugEnabled()) {
@@ -1439,10 +1423,7 @@ public class ServiceDBStore extends AbstractServiceStore
{
xConfMap.setServiceId(xCreatedService.getId());
xConfMap.setConfigkey(configKey);
xConfMap.setConfigvalue(configValue);
- xConfMapDao.create(xConfMap);
- }
- if (LOG.isDebugEnabled()) {
- LOG.debug("vXUser:[" + vXUser + "]");
+ xConfMap = xConfMapDao.create(xConfMap);
}
RangerService createdService =
svcService.getPopulatedViewObject(xCreatedService);
@@ -1457,7 +1438,7 @@ public class ServiceDBStore extends AbstractServiceStore {
bizUtil.createTrxLog(trxLogList);
if (createDefaultPolicy) {
- createDefaultPolicies(createdService);
+ createDefaultPolicies(xCreatedService, vXUser);
}
return createdService;
@@ -1599,25 +1580,21 @@ public class ServiceDBStore extends
AbstractServiceStore {
+ userName + "]
please use existing user", MessageEnums.OPER_NO_PERMISSION);
}
vXUser =
xUserMgr.createServiceConfigUser(userName);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Service config user
created:[" + vXUser + "]");
+ }
}
}
-
+
if (StringUtils.equalsIgnoreCase(configKey,
CONFIG_KEY_PASSWORD)) {
if (StringUtils.equalsIgnoreCase(configValue,
HIDDEN_PASSWORD_STR)) {
- String[] crypt_algo_array = null;
- if (configValue.contains(",")) {
- crypt_algo_array =
configValue.split(",");
- }
- if (oldPassword != null &&
oldPassword.contains(",")) {
- String encryptKey = null;
- String salt = null;
- int iterationCount = 0;
- crypt_algo_array =
oldPassword.split(",");
- String OLD_CRYPT_ALGO =
crypt_algo_array[0];
- encryptKey =
crypt_algo_array[1];
- salt = crypt_algo_array[2];
- iterationCount =
Integer.parseInt(crypt_algo_array[3]);
-
+ if (oldPassword != null &&
oldPassword.contains(",")) {
+ String[] crypt_algo_array =
oldPassword.split(",");
+ String OLD_CRYPT_ALGO =
crypt_algo_array[0];
+ String encryptKey =
crypt_algo_array[1];
+ String salt =
crypt_algo_array[2];
+ int iterationCount =
Integer.parseInt(crypt_algo_array[3]);
+
if
(!OLD_CRYPT_ALGO.equalsIgnoreCase(CRYPT_ALGO)) {
String decryptedPwd =
PasswordUtils.decryptPassword(oldPassword);
String paddingString =
CRYPT_ALGO + "," + encryptKey + "," + salt + "," + iterationCount;
@@ -1642,15 +1619,13 @@ public class ServiceDBStore extends
AbstractServiceStore {
}
}
}
+
XXServiceConfigMap xConfMap = new XXServiceConfigMap();
xConfMap = (XXServiceConfigMap)
rangerAuditFields.populateAuditFields(xConfMap, xUpdService);
xConfMap.setServiceId(service.getId());
xConfMap.setConfigkey(configKey);
xConfMap.setConfigvalue(configValue);
- xConfMapDao.create(xConfMap);
- }
- if (LOG.isDebugEnabled()) {
- LOG.debug("vXUser:[" + vXUser + "]");
+ xConfMap = xConfMapDao.create(xConfMap);
}
RangerService updService =
svcService.getPopulatedViewObject(xUpdService);
dataHistService.createObjectDataHistory(updService,
RangerDataHistService.ACTION_UPDATE);
@@ -1672,11 +1647,11 @@ public class ServiceDBStore extends
AbstractServiceStore {
}
List<XXPolicy> policies =
daoMgr.getXXPolicy().findByServiceId(service.getId());
- RangerPolicy rangerPolicy =null;
+ //RangerPolicy rangerPolicy =null;
for(XXPolicy policy : policies) {
LOG.info("Deleting Policy, policyName: " +
policy.getName());
- rangerPolicy = getPolicy(policy.getId());
- deletePolicy(rangerPolicy);
+ //rangerPolicy = getPolicy(policy.getId());
+ deletePolicy(policy.getId());
}
XXServiceConfigMapDao configDao =
daoMgr.getXXServiceConfigMap();
@@ -1834,14 +1809,6 @@ public class ServiceDBStore extends AbstractServiceStore
{
throw new Exception("policy already exists:
ServiceName=" + policy.getService() + "; PolicyName=" + policy.getName() + ".
ID=" + existing.getId());
}
- Map<String, RangerPolicyResource> resources =
policy.getResources();
- List<RangerPolicyItem> policyItems =
policy.getPolicyItems();
- List<RangerPolicyItem> denyPolicyItems =
policy.getDenyPolicyItems();
- List<RangerPolicyItem> allowExceptions =
policy.getAllowExceptions();
- List<RangerPolicyItem> denyExceptions =
policy.getDenyExceptions();
- List<RangerDataMaskPolicyItem> dataMaskItems =
policy.getDataMaskPolicyItems();
- List<RangerRowFilterPolicyItem> rowFilterItems =
policy.getRowFilterPolicyItems();
-
policy.setVersion(Long.valueOf(1));
updatePolicySignature(policy);
@@ -1859,14 +1826,8 @@ public class ServiceDBStore extends AbstractServiceStore
{
}
XXPolicy xCreatedPolicy =
daoMgr.getXXPolicy().getById(policy.getId());
+ policyRefUpdater.createNewPolMappingForRefTable(policy,
xCreatedPolicy, xServiceDef);
- createNewResourcesForPolicy(policy, xCreatedPolicy, resources);
- createNewPolicyItemsForPolicy(policy, xCreatedPolicy,
policyItems, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);
- createNewPolicyItemsForPolicy(policy, xCreatedPolicy,
denyPolicyItems, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY);
- createNewPolicyItemsForPolicy(policy, xCreatedPolicy,
allowExceptions, xServiceDef,
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS);
- createNewPolicyItemsForPolicy(policy, xCreatedPolicy,
denyExceptions, xServiceDef,
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS);
- createNewDataMaskPolicyItemsForPolicy(policy, xCreatedPolicy,
dataMaskItems, xServiceDef,
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATAMASK);
- createNewRowFilterPolicyItemsForPolicy(policy, xCreatedPolicy,
rowFilterItems, xServiceDef,
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ROWFILTER);
handlePolicyUpdate(service, true);
RangerPolicy createdPolicy =
policyService.getPopulatedViewObject(xCreatedPolicy);
dataHistService.createObjectDataHistory(createdPolicy,
RangerDataHistService.ACTION_CREATE);
@@ -1877,29 +1838,6 @@ public class ServiceDBStore extends AbstractServiceStore
{
return createdPolicy;
}
- private boolean validatePolicyItem(List<RangerPolicyItem> policyItems)
{
- boolean isPolicyItemValid=true;
- for (RangerPolicyItem policyItem : policyItems) {
- if (policyItem != null) {
- if
(CollectionUtils.isEmpty(policyItem.getUsers())
- || (policyItem.getUsers() !=
null) && policyItem.getUsers().contains(null)
- ||
(policyItem.getUsers().contains(""))) {
- if
(CollectionUtils.isEmpty(policyItem.getGroups())
- ||
(policyItem.getGroups() != null) && policyItem.getGroups().contains(null)
- ||
(policyItem.getGroups().contains(""))) {
-
- isPolicyItemValid = false;
- }
- }
- if
(CollectionUtils.isEmpty(policyItem.getAccesses())
- || (policyItem.getAccesses()
!= null) && policyItem.getAccesses().contains(null)) {
- isPolicyItemValid = false;
- }
- }
- }
- return isPolicyItemValid;
- }
-
@Override
public RangerPolicy updatePolicy(RangerPolicy policy) throws Exception {
if(LOG.isDebugEnabled()) {
@@ -1937,14 +1875,7 @@ public class ServiceDBStore extends AbstractServiceStore
{
throw new Exception("another policy already
exists with name '" + policy.getName() + "'. ID=" + newNamePolicy.getId());
}
}
- Map<String, RangerPolicyResource> newResources =
policy.getResources();
- List<RangerPolicyItem> policyItems =
policy.getPolicyItems();
- List<RangerPolicyItem> denyPolicyItems =
policy.getDenyPolicyItems();
- List<RangerPolicyItem> allowExceptions =
policy.getAllowExceptions();
- List<RangerPolicyItem> denyExceptions =
policy.getDenyExceptions();
- List<RangerDataMaskPolicyItem> dataMaskPolicyItems =
policy.getDataMaskPolicyItems();
- List<RangerRowFilterPolicyItem> rowFilterItems =
policy.getRowFilterPolicyItems();
-
+
policy.setCreateTime(xxExisting.getCreateTime());
policy.setGuid(xxExisting.getGuid());
policy.setVersion(xxExisting.getVersion());
@@ -1958,26 +1889,19 @@ public class ServiceDBStore extends
AbstractServiceStore {
isTagVersionUpdateNeeded = existing.getIsEnabled() ?
!policy.getIsEnabled() : policy.getIsEnabled();
isTagVersionUpdateNeeded = isTagVersionUpdateNeeded ||
!StringUtils.equals(existing.getResourceSignature(),
policy.getResourceSignature());
}
+
policy = policyService.update(policy);
XXPolicy newUpdPolicy =
daoMgr.getXXPolicy().getById(policy.getId());
- deleteExistingPolicyResources(policy);
- deleteExistingPolicyItems(policy);
-
- createNewResourcesForPolicy(policy, newUpdPolicy, newResources);
- createNewPolicyItemsForPolicy(policy, newUpdPolicy,
policyItems, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW);
- createNewPolicyItemsForPolicy(policy, newUpdPolicy,
denyPolicyItems, xServiceDef, RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY);
- createNewPolicyItemsForPolicy(policy, newUpdPolicy,
allowExceptions, xServiceDef,
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ALLOW_EXCEPTIONS);
- createNewPolicyItemsForPolicy(policy, newUpdPolicy,
denyExceptions, xServiceDef,
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DENY_EXCEPTIONS);
- createNewDataMaskPolicyItemsForPolicy(policy, newUpdPolicy,
dataMaskPolicyItems, xServiceDef,
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_DATAMASK);
- createNewRowFilterPolicyItemsForPolicy(policy, newUpdPolicy,
rowFilterItems, xServiceDef,
RangerPolicyItemEvaluator.POLICY_ITEM_TYPE_ROWFILTER);
-
- handlePolicyUpdate(service, isTagVersionUpdateNeeded);
+ policyRefUpdater.cleanupRefTables(policy);
+ policyRefUpdater.createNewPolMappingForRefTable(policy,
newUpdPolicy, xServiceDef);
+
+ handlePolicyUpdate(service, isTagVersionUpdateNeeded);
RangerPolicy updPolicy =
policyService.getPopulatedViewObject(newUpdPolicy);
dataHistService.createObjectDataHistory(updPolicy,
RangerDataHistService.ACTION_UPDATE);
bizUtil.createTrxLog(trxLogList);
-
+
return updPolicy;
}
@@ -2011,10 +1935,7 @@ public class ServiceDBStore extends AbstractServiceStore
{
policy.setVersion(version);
List<XXTrxLog> trxLogList =
policyService.getTransactionLog(policy,
RangerPolicyService.OPERATION_DELETE_CONTEXT);
-
- deleteExistingPolicyItems(policy);
- deleteExistingPolicyResources(policy);
-
+ policyRefUpdater.cleanupRefTables(policy);
policyService.delete(policy);
handlePolicyUpdate(service, true);
@@ -2024,7 +1945,7 @@ public class ServiceDBStore extends AbstractServiceStore {
LOG.info("Policy Deleted Successfully. PolicyName : " +
policyName);
}
-
+/*
public void deletePolicy(RangerPolicy policy) throws Exception {
if(policy == null) {
return;
@@ -2045,13 +1966,11 @@ public class ServiceDBStore extends
AbstractServiceStore {
}
policy.setVersion(version);
List<XXTrxLog> trxLogList =
policyService.getTransactionLog(policy,
RangerPolicyService.OPERATION_DELETE_CONTEXT);
- deleteExistingPolicyItemsNative(policy);
- deleteExistingPolicyResourcesNative(policy);
daoMgr.getXXPolicy().deletePolicyIDReference("id",policy.getId());
handlePolicyUpdate(service, true);
dataHistService.createObjectDataHistory(policy,
RangerDataHistService.ACTION_DELETE);
bizUtil.createTrxLog(trxLogList);
- }
+ }*/
@Override
public RangerPolicy getPolicy(Long id) throws Exception {
@@ -2087,7 +2006,6 @@ public class ServiceDBStore extends AbstractServiceStore {
return ret;
}
-
public void getPoliciesInExcel(List<RangerPolicy> policies,
HttpServletResponse response) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceDBStore.getPoliciesInExcel()");
@@ -2570,134 +2488,428 @@ public class ServiceDBStore extends
AbstractServiceStore {
return ret;
}
- void createDefaultPolicies(RangerService createdService) throws
Exception {
+ void createDefaultPolicies(XXService createdService, VXUser vXUser)
throws Exception {
+ RangerServiceDef serviceDef =
getServiceDef(createdService.getType());
+
+ if
(serviceDef.getName().equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME))
{
+ createDefaultTagPolicy(createdService);
+ } else {
+ // we need to create one policy for each resource
hierarchy
+ RangerServiceDefHelper serviceDefHelper = new
RangerServiceDefHelper(serviceDef);
+ for (List<RangerResourceDef> aHierarchy :
serviceDefHelper.getResourceHierarchies(RangerPolicy.POLICY_TYPE_ACCESS)) {
+ RangerPolicy policy = new RangerPolicy();
+ createDefaultPolicy(policy, createdService,
vXUser, aHierarchy);
+ policy = createPolicy(policy);
+ RangerPolicy policyAudit = new RangerPolicy();
+ createPolicyForKeyAdmin(policyAudit,
serviceDef, aHierarchy, createdService);
+ }
+ }
+ }
+
+ private void createPolicyForKeyAdmin(RangerPolicy policyAudit,
RangerServiceDef serviceDef, List<RangerResourceDef> aHierarchy, XXService
createdService) {
+ if
(serviceDef.getName().equals(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HDFS_NAME))
{
+ try {
+ // we need to create one policy for keyadmin user for audit to
HDFS
+ RangerPolicy policy = getPolicyForKMSAudit(aHierarchy ,
createdService.getName(), serviceDef);
+ if (policy != null) {
+ createPolicy(policy);
+ }
+ } catch (Exception e) {
+ LOG.error("Error creating policy for keyadmin for audit to
HDFS : " + serviceDef.getName(), e);
+ }
+ }
+ }
+
+ private RangerPolicy getPolicyForKMSAudit(List<RangerResourceDef>
resourceHierarchy, String serviceName, RangerServiceDef serviceDef) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> ServiceDBStore.getPolicyForKMSAudit()");
+ }
- RangerBaseService svc =
serviceMgr.getRangerServiceByService(createdService, this);
+ RangerPolicy policy = new RangerPolicy();
- if (svc != null) {
+ policy.setIsEnabled(true);
+ policy.setVersion(1L);
+ policy.setName(AUDITTOHDFS_POLICY_NAME);
+ policy.setService(serviceName);
+ policy.setDescription("Policy for " + AUDITTOHDFS_POLICY_NAME);
+ policy.setIsAuditEnabled(true);
+ policy.setResources(createKMSAuditResource(resourceHierarchy));
- List<String> serviceCheckUsers =
getServiceCheckUsers(createdService);
+ List<RangerPolicy.RangerPolicyItem> policyItems = new
ArrayList<RangerPolicy.RangerPolicyItem>();
+ //Create policy item for keyadmin
+ RangerPolicy.RangerPolicyItem policyItem = new
RangerPolicy.RangerPolicyItem();
+ List<String> userKeyAdmin = new ArrayList<String>();
+ userKeyAdmin.add("keyadmin");
+ policyItem.setUsers(userKeyAdmin);
+ policyItem.setAccesses(getAndAllowAllAccesses(serviceDef));
+ policyItem.setDelegateAdmin(false);
- List<RangerPolicy.RangerPolicyItemAccess> allAccesses =
svc.getAndAllowAllAccesses();
+ policyItems.add(policyItem);
+ policy.setPolicyItems(policyItems);
- List<RangerPolicy> defaultPolicies =
svc.getDefaultRangerPolicies();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== ServiceDBStore.getPolicyForKMSAudit()" +
policy);
+ }
- if (CollectionUtils.isNotEmpty(defaultPolicies)) {
+ return policy;
+ }
-
createDefaultPolicyUsersAndGroups(defaultPolicies);
+ public List<RangerPolicy.RangerPolicyItemAccess>
getAndAllowAllAccesses(RangerServiceDef serviceDef) {
+ List<RangerPolicy.RangerPolicyItemAccess> ret = new
ArrayList<RangerPolicy.RangerPolicyItemAccess>();
+
+ for (RangerServiceDef.RangerAccessTypeDef accessTypeDef :
serviceDef.getAccessTypes()) {
+ RangerPolicy.RangerPolicyItemAccess access = new
RangerPolicy.RangerPolicyItemAccess();
+ access.setType(accessTypeDef.getName());
+ access.setIsAllowed(true);
+ ret.add(access);
+ }
+ return ret;
+ }
- for (RangerPolicy defaultPolicy :
defaultPolicies) {
- List<RangerPolicyItem> policyItems =
defaultPolicy.getPolicyItems();
- if
(CollectionUtils.isNotEmpty(serviceCheckUsers)
- &&
StringUtils.equalsIgnoreCase(defaultPolicy.getService(),
createdService.getName())) {
+ private Map<String, RangerPolicyResource> createKMSAuditResource(
+ List<RangerServiceDef.RangerResourceDef>
resourceHierarchy) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
ServiceDBStore.createKMSAuditResource()");
+ }
+ Map<String, RangerPolicy.RangerPolicyResource> resourceMap =
new HashMap<>();
- RangerPolicy.RangerPolicyItem
policyItem = new RangerPolicy.RangerPolicyItem();
+ for (RangerServiceDef.RangerResourceDef resourceDef :
resourceHierarchy) {
+ RangerPolicy.RangerPolicyResource polRes = new
RangerPolicy.RangerPolicyResource();
-
policyItem.setUsers(serviceCheckUsers);
-
policyItem.setAccesses(allAccesses);
-
policyItem.setDelegateAdmin(true);
+ polRes.setIsExcludes(false);
+
polRes.setIsRecursive(resourceDef.getRecursiveSupported());
+ polRes.setValue(AUDITTOHDFS_KMS_PATH);
-
defaultPolicy.getPolicyItems().add(policyItem);
- }
- boolean
isPolicyItemValid=validatePolicyItem(policyItems);
- if (isPolicyItemValid) {
- createPolicy(defaultPolicy);
- } else {
- LOG.warn("Default policy won't
be created,since policyItems not valid-either users/groups not present or
access not present in policy.");
- }
+ resourceMap.put(resourceDef.getName(), polRes);
+ }
- }
- }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== ServiceDBStore.createKMSAuditResource():"
+ + resourceMap);
}
+ return resourceMap;
}
- void createDefaultPolicyUsersAndGroups(List<RangerPolicy>
defaultPolicies) {
- Set<String> defaultPolicyUsers = new HashSet<String>();
- Set<String> defaultPolicyGroups = new HashSet<String>();
+ private void createDefaultTagPolicy(XXService createdService) throws
Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> ServiceDBStore.createDefaultTagPolicy()
");
+ }
- for (RangerPolicy defaultPolicy : defaultPolicies) {
+ String tagResourceDefName = null;
+ boolean isConditionDefFound = false;
- for (RangerPolicyItem defaultPolicyItem :
defaultPolicy.getPolicyItems()) {
-
defaultPolicyUsers.addAll(defaultPolicyItem.getUsers());
-
defaultPolicyGroups.addAll(defaultPolicyItem.getGroups());
- }
- for (RangerPolicyItem defaultPolicyItem :
defaultPolicy.getAllowExceptions()) {
-
defaultPolicyUsers.addAll(defaultPolicyItem.getUsers());
-
defaultPolicyGroups.addAll(defaultPolicyItem.getGroups());
- }
- for (RangerPolicyItem defaultPolicyItem :
defaultPolicy.getDenyPolicyItems()) {
-
defaultPolicyUsers.addAll(defaultPolicyItem.getUsers());
-
defaultPolicyGroups.addAll(defaultPolicyItem.getGroups());
+ RangerServiceDef tagServiceDef =
getServiceDef(createdService.getType());
+ List<RangerResourceDef> tagResourceDef =
tagServiceDef.getResources();
+ if (tagResourceDef != null && tagResourceDef.size() > 0) {
+ // Assumption : First (and perhaps the only)
resourceDef is the name of the tag resource
+ RangerResourceDef theTagResourceDef =
tagResourceDef.get(0);
+ tagResourceDefName = theTagResourceDef.getName();
+ } else {
+ LOG.error("ServiceDBStore.createService() - Cannot
create default TAG policy: Cannot get tagResourceDef Name.");
+ }
+
+ List<RangerPolicyConditionDef> policyConditionDefs =
tagServiceDef.getPolicyConditions();
+
+ if (CollectionUtils.isNotEmpty(policyConditionDefs)) {
+ for (RangerPolicyConditionDef conditionDef :
policyConditionDefs) {
+ if
(conditionDef.getName().equals(RANGER_TAG_EXPIRY_CONDITION_NAME)) {
+ isConditionDefFound = true;
+ break;
+ }
}
- for (RangerPolicyItem defaultPolicyItem :
defaultPolicy.getDenyExceptions()) {
-
defaultPolicyUsers.addAll(defaultPolicyItem.getUsers());
-
defaultPolicyGroups.addAll(defaultPolicyItem.getGroups());
+ }
+ if (!isConditionDefFound) {
+ LOG.error("ServiceDBStore.createService() - Cannot
create default TAG policy: Cannot get tagPolicyConditionDef with name=" +
RANGER_TAG_EXPIRY_CONDITION_NAME);
+ }
+
+ if (tagResourceDefName != null && isConditionDefFound) {
+
+ String tagType = "EXPIRES_ON";
+
+ String policyName = tagType;
+
+ RangerPolicy policy = new RangerPolicy();
+
+ policy.setIsEnabled(true);
+ policy.setVersion(1L);
+ policy.setName(StringUtils.trim(policyName));
+ policy.setService(createdService.getName());
+ policy.setDescription("Policy for data with " + tagType
+ " tag");
+ policy.setIsAuditEnabled(true);
+
+ Map<String, RangerPolicyResource> resourceMap = new
HashMap<String, RangerPolicyResource>();
+
+ RangerPolicyResource polRes = new
RangerPolicyResource();
+ polRes.setIsExcludes(false);
+ polRes.setIsRecursive(false);
+ polRes.setValue(tagType);
+ resourceMap.put(tagResourceDefName, polRes);
+
+ policy.setResources(resourceMap);
+
+ List<RangerPolicyItem> policyItems = new
ArrayList<RangerPolicyItem>();
+
+ RangerPolicyItem policyItem = new RangerPolicyItem();
+
+ List<String> groups = new ArrayList<String>();
+ groups.add(RangerConstants.GROUP_PUBLIC);
+ policyItem.setGroups(groups);
+
+ List<XXAccessTypeDef> accessTypeDefs =
daoMgr.getXXAccessTypeDef().findByServiceDefId(createdService.getType());
+ List<RangerPolicyItemAccess> accesses = new
ArrayList<RangerPolicyItemAccess>();
+ for (XXAccessTypeDef accessTypeDef : accessTypeDefs) {
+ RangerPolicyItemAccess access = new
RangerPolicyItemAccess();
+ access.setType(accessTypeDef.getName());
+ access.setIsAllowed(true);
+ accesses.add(access);
}
- for (RangerPolicyItem defaultPolicyItem :
defaultPolicy.getDataMaskPolicyItems()) {
-
defaultPolicyUsers.addAll(defaultPolicyItem.getUsers());
-
defaultPolicyGroups.addAll(defaultPolicyItem.getGroups());
+ policyItem.setAccesses(accesses);
+
+ List<RangerPolicyItemCondition> policyItemConditions =
new ArrayList<RangerPolicyItemCondition>();
+ List<String> values = new ArrayList<String>();
+ values.add("yes");
+ RangerPolicyItemCondition policyItemCondition = new
RangerPolicyItemCondition(RANGER_TAG_EXPIRY_CONDITION_NAME, values);
+ policyItemConditions.add(policyItemCondition);
+
+ policyItem.setConditions(policyItemConditions);
+ policyItem.setDelegateAdmin(Boolean.FALSE);
+
+ policyItems.add(policyItem);
+
+ policy.setDenyPolicyItems(policyItems);
+
+ policy = createPolicy(policy);
+ } else {
+ LOG.error("ServiceDBStore.createService() - Cannot
create default TAG policy, tagResourceDefName=" + tagResourceDefName +
+ ", tagPolicyConditionName=" +
RANGER_TAG_EXPIRY_CONDITION_NAME);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
ServiceDBStore.createDefaultTagPolicy()");
+ }
+ }
+
+ private String buildPolicyName(List<RangerResourceDef>
resourceHierarchy) {
+ String ret = "all";
+ if (CollectionUtils.isNotEmpty(resourceHierarchy)) {
+ int resourceDefCount = 0;
+ for (RangerResourceDef resourceDef : resourceHierarchy)
{
+ if (resourceDefCount > 0) {
+ ret += ", ";
+ } else {
+ ret += " - ";
+ }
+ ret += resourceDef.getName();
+ resourceDefCount++;
}
- for (RangerPolicyItem defaultPolicyItem :
defaultPolicy.getRowFilterPolicyItems()) {
-
defaultPolicyUsers.addAll(defaultPolicyItem.getUsers());
-
defaultPolicyGroups.addAll(defaultPolicyItem.getGroups());
+ }
+ return ret;
+ }
+
+ void createDefaultPolicy(RangerPolicy policy, XXService createdService,
VXUser vXUser, List<RangerResourceDef> resourceHierarchy) throws Exception {
+
+ String policyName=buildPolicyName(resourceHierarchy);
+
+ policy.setIsEnabled(true);
+ policy.setVersion(1L);
+ policy.setName(StringUtils.trim(policyName));
+ policy.setService(createdService.getName());
+ policy.setDescription("Policy for " + policyName);
+ policy.setIsAuditEnabled(true);
+ policy.setPolicyType(policy.getPolicyType() == null ?
RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType());
+
+
policy.setResources(createDefaultPolicyResource(resourceHierarchy));
+
+ if (vXUser != null) {
+ List<RangerPolicyItem> policyItems = new
ArrayList<RangerPolicyItem>();
+ List<XXAccessTypeDef> accessTypeDefs =
daoMgr.getXXAccessTypeDef().findByServiceDefId(createdService.getType());
+ //Create Default policy item for the service user
+ RangerPolicyItem policyItem =
createDefaultPolicyItem(createdService, vXUser, accessTypeDefs);
+ policyItems.add(policyItem);
+ // For KMS add default policies for HDFS & HIVE users.
+ XXServiceDef xServiceDef =
daoMgr.getXXServiceDef().getById(createdService.getType());
+ if
(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname()))
{
+ List<XXAccessTypeDef> hdfsAccessTypeDefs = new
ArrayList<XXAccessTypeDef>();
+ List<XXAccessTypeDef> hiveAccessTypeDefs = new
ArrayList<XXAccessTypeDef>();
+ for(XXAccessTypeDef accessTypeDef :
accessTypeDefs) {
+ if
(accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GET_METADATA)) {
+
hdfsAccessTypeDefs.add(accessTypeDef);
+
hiveAccessTypeDefs.add(accessTypeDef);
+ } else if
(accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GENERATE_EEK)) {
+
hdfsAccessTypeDefs.add(accessTypeDef);
+ } else if
(accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_DECRYPT_EEK)) {
+
hiveAccessTypeDefs.add(accessTypeDef);
+ }
+ }
+
+ String hdfsUser =
PropertiesUtil.getProperty("ranger.kms.service.user.hdfs", "hdfs");
+ if (hdfsUser != null && !hdfsUser.isEmpty()) {
+ XXUser xxUser =
daoMgr.getXXUser().findByUserName(hdfsUser);
+ if (xxUser != null) {
+ vXUser =
xUserService.populateViewBean(xxUser);
+ } else {
+ vXUser =
xUserMgr.createServiceConfigUser(hdfsUser);
+ }
+ if (vXUser != null) {
+ LOG.info("Creating default KMS
policy item for " + hdfsUser);
+ policyItem =
createDefaultPolicyItem(createdService, vXUser, hdfsAccessTypeDefs);
+ policyItems.add(policyItem);
+ }
+ }
+
+ String hiveUser =
PropertiesUtil.getProperty("ranger.kms.service.user.hive", "hive");
+ if (hiveUser != null && !hiveUser.isEmpty()) {
+ XXUser xxUser =
daoMgr.getXXUser().findByUserName(hiveUser);
+ if (xxUser != null) {
+ vXUser =
xUserService.populateViewBean(xxUser);
+ } else {
+ vXUser =
xUserMgr.createServiceConfigUser(hiveUser);
+ }
+ if (vXUser != null) {
+ LOG.info("Creating default KMS
policy item for " + hiveUser);
+ policyItem =
createDefaultPolicyItem(createdService, vXUser, hiveAccessTypeDefs);
+ policyItems.add(policyItem);
+ }
+ }
}
+ policy.setPolicyItems(policyItems);
}
- for (String policyUser : defaultPolicyUsers) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking policyUser:[" + policyUser
+ "] for existence");
+ }
+
+ private RangerPolicyItem createDefaultPolicyItem(XXService
createdService, VXUser vXUser, List<XXAccessTypeDef> accessTypeDefs) throws
Exception {
+ String adminPrincipal =
PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL);
+ String adminKeytab =
PropertiesUtil.getProperty(ADMIN_USER_KEYTAB);
+ String authType =
PropertiesUtil.getProperty(RANGER_AUTH_TYPE,"simple");
+ String lookupPrincipal =
PropertiesUtil.getProperty(LOOKUP_PRINCIPAL);
+ String lookupKeytab = PropertiesUtil.getProperty(LOOKUP_KEYTAB);
+
+ RangerPolicyItem policyItem = new RangerPolicyItem();
+
+ List<String> users = new ArrayList<String>();
+ users.add(vXUser.getName());
+ VXUser vXLookupUser = getLookupUser(authType, lookupPrincipal,
lookupKeytab);
+
+ XXService xService =
daoMgr.getXXService().findByName(createdService.getName());
+ XXServiceDef xServiceDef =
daoMgr.getXXServiceDef().getById(xService.getType());
+ if (StringUtils.equals(xServiceDef.getImplclassname(),
EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)){
+ VXUser vXAdminUser = getLookupUser(authType,
adminPrincipal, adminKeytab);
+ if(vXAdminUser != null){
+ users.add(vXAdminUser.getName());
+ }
+ }else if(vXLookupUser != null){
+ users.add(vXLookupUser.getName());
+ }else{
+ // do nothing
+ }
+
+ if (StringUtils.equals(xServiceDef.getImplclassname(),
EmbeddedServiceDefsUtil.ATLAS_IMPL_CLASS_NAME)){
+ VXUser vXUserAdmin = chkAdminUserExists("admin");
+ if(vXUserAdmin != null){
+ users.add(vXUserAdmin.getName());
}
- if (StringUtils.isNotBlank(policyUser) &&
!StringUtils.equals(policyUser, RangerPolicyEngine.USER_CURRENT)
- && !StringUtils.equals(policyUser,
RangerPolicyEngine.RESOURCE_OWNER)) {
- XXUser xxUser =
daoMgr.getXXUser().findByUserName(policyUser);
- if (xxUser == null) {
- UserSessionBase usb =
ContextUtil.getCurrentUserSession();
- if (usb != null && !usb.isKeyAdmin() &&
!usb.isUserAdmin() && !usb.isSpnegoEnabled()) {
- throw
restErrorUtil.createRESTException("User does not exist with given username: ["
- + policyUser +
"] please use existing user", MessageEnums.OPER_NO_PERMISSION);
+ }
+
+ RangerService rangerService =
getServiceByName(createdService.getName());
+ if (rangerService != null){
+ Map<String, String> map = rangerService.getConfigs();
+ if (map != null &&
map.containsKey(AMBARI_SERVICE_CHECK_USER)){
+ String userNames =
map.get(AMBARI_SERVICE_CHECK_USER);
+ String[] userList = userNames.split(",");
+ if(userList != null){
+ for (String userName : userList) {
+
if(!StringUtils.isEmpty(userName)){
+ XXUser xxUser =
daoMgr.getXXUser().findByUserName(userName);
+ if (xxUser != null) {
+ vXUser =
xUserService.populateViewBean(xxUser);
+ } else {
+ vXUser =
xUserMgr.createServiceConfigUser(userName);
+
LOG.info("Creating Ambari Service Check User : "+vXUser.getName());
+ }
+ if(vXUser != null){
+
users.add(vXUser.getName());
+ }
+ }
}
-
xUserMgr.createServiceConfigUser(policyUser);
}
}
}
- for (String policyGroup : defaultPolicyGroups) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking policyGroup:[" +
policyGroup + "] for existence");
+ policyItem.setUsers(users);
+
+ List<RangerPolicyItemAccess> accesses = new
ArrayList<RangerPolicyItemAccess>();
+ for(XXAccessTypeDef accessTypeDef : accessTypeDefs) {
+ RangerPolicyItemAccess access = new
RangerPolicyItemAccess();
+ access.setType(accessTypeDef.getName());
+ access.setIsAllowed(true);
+ accesses.add(access);
+ }
+ policyItem.setAccesses(accesses);
+
+ policyItem.setDelegateAdmin(true);
+ return policyItem;
+ }
+
+ private VXUser chkAdminUserExists(String adminUser) {
+ VXUser vXUser = null;
+ if(!StringUtils.isEmpty(adminUser)){
+ XXUser xxUser =
daoMgr.getXXUser().findByUserName(adminUser);
+ if (xxUser != null) {
+ vXUser = xUserService.populateViewBean(xxUser);
}
- if (StringUtils.isNotBlank(policyGroup)) {
- XXGroup xxGroup =
daoMgr.getXXGroup().findByGroupName(policyGroup);
- if (xxGroup == null) {
- UserSessionBase usb =
ContextUtil.getCurrentUserSession();
- if (usb != null && !usb.isKeyAdmin() &&
!usb.isUserAdmin() && !usb.isSpnegoEnabled()) {
- throw
restErrorUtil.createRESTException("Group does not exist with given groupname: ["
- + policyGroup +
"] please use existing group", MessageEnums.OPER_NO_PERMISSION);
+ }
+ return vXUser;
+ }
+
+ private VXUser getLookupUser(String authType, String lookupPrincipal,
String lookupKeytab) {
+ VXUser vXUser = null;
+ if(!StringUtils.isEmpty(authType) &&
authType.equalsIgnoreCase(KERBEROS_TYPE)){
+
if(SecureClientLogin.isKerberosCredentialExists(lookupPrincipal, lookupKeytab)){
+ KerberosName krbName = new
KerberosName(lookupPrincipal);
+ String lookupUser=null;
+ try {
+ lookupUser = krbName.getShortName();
+ } catch (IOException e) {
+ throw
restErrorUtil.createRESTException("Please provide proper value of lookup user
principal : "+ lookupPrincipal, MessageEnums.INVALID_INPUT_DATA);
+ }
+
+ if(LOG.isDebugEnabled()){
+ LOG.debug("Checking for Lookup User :
"+lookupUser);
+ }
+ if(!StringUtils.isEmpty(lookupUser)){
+ XXUser xxUser =
daoMgr.getXXUser().findByUserName(lookupUser);
+ if (xxUser != null) {
+ vXUser =
xUserService.populateViewBean(xxUser);
+ } else {
+ vXUser =
xUserMgr.createServiceConfigUser(lookupUser);
+ LOG.info("Creating Lookup User
: "+vXUser.getName());
}
- VXGroup vXGroup = new VXGroup();
- vXGroup.setName(policyGroup);
- vXGroup.setDescription(policyGroup);
-
vXGroup.setGroupSource(RangerCommonEnums.GROUP_INTERNAL);
-
vXGroup.setIsVisible(RangerCommonEnums.IS_VISIBLE);
- xGroupService.createResource(vXGroup);
}
}
}
+ return vXUser;
}
- List<String> getServiceCheckUsers(RangerService createdService) {
- List<String> ret = new ArrayList<String>();
- Map<String, String> serviceConfig = createdService.getConfigs();
+ Map<String, RangerPolicyResource>
createDefaultPolicyResource(List<RangerResourceDef> resourceHierarchy) throws
Exception {
+ Map<String, RangerPolicyResource> resourceMap = new HashMap<>();
- if (serviceConfig.containsKey(AMBARI_SERVICE_CHECK_USER)) {
- String userNames =
serviceConfig.get(AMBARI_SERVICE_CHECK_USER);
- String[] userList = userNames.split(",");
- for (String userName : userList) {
- if (!StringUtils.isEmpty(userName)) {
- ret.add(userName);
- }
+ for (RangerResourceDef resourceDef : resourceHierarchy) {
+ RangerPolicyResource polRes = new
RangerPolicyResource();
+ polRes.setIsExcludes(false);
+ polRes.setIsRecursive(false);
+
+ String value = "*";
+ if("path".equalsIgnoreCase(resourceDef.getName())) {
+ value = "/*";
}
- }
- return ret;
+ if(resourceDef.getRecursiveSupported()) {
+ polRes.setIsRecursive(Boolean.TRUE);
+ }
+
+ polRes.setValue(value);
+ resourceMap.put(resourceDef.getName(), polRes);
+ }
+ return resourceMap;
}
private Map<String, String> validateRequiredConfigParams(RangerService
service, Map<String, String> configs) {
@@ -2732,381 +2944,77 @@ public class ServiceDBStore extends
AbstractServiceStore {
updatePolicyVersion(service, isTagVersionUpdateNeeded);
}
+ public enum VERSION_TYPE { POLICY_VERSION, TAG_VERSION,
POLICY_AND_TAG_VERSION }
+
private void updatePolicyVersion(RangerService service, boolean
isTagVersionUpdateNeeded) throws Exception {
if(service == null || service.getId() == null) {
return;
}
- boolean filterForServicePlugin =
RangerConfiguration.getInstance().getBoolean(RangerTagDBRetriever.OPTION_RANGER_FILTER_TAGS_FOR_SERVICE_PLUGIN,
false);
-
XXServiceDao serviceDao = daoMgr.getXXService();
- XXService serviceDbObj = serviceDao.getById(service.getId());
+ final XXService serviceDbObj =
serviceDao.getById(service.getId());
if(serviceDbObj == null) {
LOG.warn("updatePolicyVersion(serviceId=" +
service.getId() + "): service not found");
return;
}
- XXServiceVersionInfoDao serviceVersionInfoDao =
daoMgr.getXXServiceVersionInfo();
-
- XXServiceVersionInfo serviceVersionInfoDbObj =
serviceVersionInfoDao.findByServiceId(service.getId());
+ final RangerDaoManager daoManager = daoMgr;
+ final Long serviceId =
serviceDbObj.getId();
+ final VERSION_TYPE versionType =
VERSION_TYPE.POLICY_VERSION;
- if(serviceVersionInfoDbObj != null) {
-
serviceVersionInfoDbObj.setPolicyVersion(getNextVersion(serviceVersionInfoDbObj.getPolicyVersion()));
- serviceVersionInfoDbObj.setPolicyUpdateTime(new Date());
-
- serviceVersionInfoDao.update(serviceVersionInfoDbObj);
-
- } else {
- LOG.warn("updatePolicyVersion(service=" +
serviceDbObj.getName() + "): serviceVersionInfo not found, creating it..");
-
- serviceVersionInfoDbObj = new XXServiceVersionInfo();
-
serviceVersionInfoDbObj.setServiceId(serviceDbObj.getId());
-
serviceVersionInfoDbObj.setPolicyVersion(getNextVersion(serviceDbObj.getPolicyVersion()));
- serviceVersionInfoDbObj.setPolicyUpdateTime(new Date());
-
serviceVersionInfoDbObj.setTagVersion(serviceDbObj.getTagVersion());
-
serviceVersionInfoDbObj.setTagUpdateTime(serviceDbObj.getTagUpdateTime());
-
- serviceVersionInfoDao.create(serviceVersionInfoDbObj);
- }
+ Runnable serviceVersionUpdater = new
ServiceVersionUpdater(daoManager, serviceId, versionType);
+
transactionSynchronizationAdapter.executeOnTransactionCommit(serviceVersionUpdater);
// if this is a tag service, update all services that refer to
this tag service
// so that next policy-download from plugins will get updated
tag policies
boolean isTagService = serviceDbObj.getType() ==
EmbeddedServiceDefsUtil.instance().getTagServiceDefId();
if(isTagService) {
- List<XXService> referringServices =
serviceDao.findByTagServiceId(serviceDbObj.getId());
+ List<XXService> referringServices =
serviceDao.findByTagServiceId(serviceId);
if(CollectionUtils.isNotEmpty(referringServices)) {
for(XXService referringService :
referringServices) {
- serviceVersionInfoDbObj =
serviceVersionInfoDao.findByServiceId(referringService.getId());
- if (serviceVersionInfoDbObj != null) {
-
-
serviceVersionInfoDbObj.setPolicyVersion(getNextVersion(serviceVersionInfoDbObj.getPolicyVersion()));
-
serviceVersionInfoDbObj.setPolicyUpdateTime(new Date());
+ final Long
referringServiceId = referringService.getId();
+ final VERSION_TYPE
tagServiceversionType = VERSION_TYPE.POLICY_VERSION;
- if (filterForServicePlugin &&
isTagVersionUpdateNeeded) {
-
serviceVersionInfoDbObj.setTagVersion(getNextVersion(serviceVersionInfoDbObj.getTagVersion()));
-
serviceVersionInfoDbObj.setTagUpdateTime(new Date());
- }
-
serviceVersionInfoDao.update(serviceVersionInfoDbObj);
- } else {
-
LOG.warn("updatePolicyVersion(service=" + referringService.getName() + "):
serviceVersionInfo not found, creating it..");
- serviceVersionInfoDbObj = new
XXServiceVersionInfo();
-
serviceVersionInfoDbObj.setServiceId(referringService.getId());
-
serviceVersionInfoDbObj.setPolicyVersion(getNextVersion(referringService.getPolicyVersion()));
-
serviceVersionInfoDbObj.setPolicyUpdateTime(new Date());
- if (filterForServicePlugin &&
isTagVersionUpdateNeeded) {
-
serviceVersionInfoDbObj.setTagVersion(getNextVersion(referringService.getTagVersion()));
-
serviceVersionInfoDbObj.setTagUpdateTime(new Date());
- } else {
-
serviceVersionInfoDbObj.setTagVersion(referringService.getTagVersion());
-
serviceVersionInfoDbObj.setTagUpdateTime(referringService.getTagUpdateTime());
- }
-
serviceVersionInfoDao.create(serviceVersionInfoDbObj);
- }
+ Runnable tagServiceVersionUpdater = new
ServiceVersionUpdater(daoManager, referringServiceId, tagServiceversionType);
+
transactionSynchronizationAdapter.executeOnTransactionCommit(tagServiceVersionUpdater);
}
}
}
}
- private XXPolicyItem createNewPolicyItemForPolicy(RangerPolicy policy,
XXPolicy xPolicy, RangerPolicyItem policyItem, XXServiceDef xServiceDef, int
itemOrder, int policyItemType) throws Exception {
- XXPolicyItem xPolicyItem = new XXPolicyItem();
-
- xPolicyItem = (XXPolicyItem)
rangerAuditFields.populateAuditFields(xPolicyItem, xPolicy);
-
- xPolicyItem.setDelegateAdmin(policyItem.getDelegateAdmin());
- xPolicyItem.setItemType(policyItemType);
- xPolicyItem.setIsEnabled(Boolean.TRUE);
- xPolicyItem.setComments(null);
- xPolicyItem.setPolicyId(policy.getId());
- xPolicyItem.setOrder(itemOrder);
- xPolicyItem = daoMgr.getXXPolicyItem().create(xPolicyItem);
-
- List<RangerPolicyItemAccess> accesses =
policyItem.getAccesses();
- for (int i = 0; i < accesses.size(); i++) {
- RangerPolicyItemAccess access = accesses.get(i);
-
- XXAccessTypeDef xAccTypeDef =
daoMgr.getXXAccessTypeDef()
-
.findByNameAndServiceId(access.getType(),
- xPolicy.getService());
- if (xAccTypeDef == null) {
- throw new Exception(access.getType() + ": is
not a valid access-type. policy='" + policy.getName() + "' service='" +
policy.getService() + "'");
- }
-
- XXPolicyItemAccess xPolItemAcc = new
XXPolicyItemAccess();
-
- xPolItemAcc = (XXPolicyItemAccess)
rangerAuditFields.populateAuditFields(xPolItemAcc, xPolicyItem);
- xPolItemAcc.setIsAllowed(access.getIsAllowed());
- xPolItemAcc.setType(xAccTypeDef.getId());
- xPolItemAcc.setPolicyitemid(xPolicyItem.getId());
- xPolItemAcc.setOrder(i);
-
- daoMgr.getXXPolicyItemAccess().create(xPolItemAcc);
- }
-
- List<String> users = policyItem.getUsers();
- for(int i = 0; i < users.size(); i++) {
- String user = users.get(i);
- if (StringUtils.isBlank(user)) {
- continue;
- }
- XXUser xUser = daoMgr.getXXUser().findByUserName(user);
- if(xUser == null) {
- throw new Exception(user + ": user does not
exist. policy='"+ policy.getName() + "' service='"+ policy.getService() + "'
user='" + user +"'");
- }
- XXPolicyItemUserPerm xUserPerm = new
XXPolicyItemUserPerm();
- xUserPerm = (XXPolicyItemUserPerm)
rangerAuditFields.populateAuditFields(xUserPerm, xPolicyItem);
- xUserPerm.setUserId(xUser.getId());
- xUserPerm.setPolicyItemId(xPolicyItem.getId());
- xUserPerm.setOrder(i);
- xUserPerm =
daoMgr.getXXPolicyItemUserPerm().create(xUserPerm);
- }
-
- List<String> groups = policyItem.getGroups();
- for(int i = 0; i < groups.size(); i++) {
- String group = groups.get(i);
- if (StringUtils.isBlank(group)) {
- continue;
- }
- XXGroup xGrp =
daoMgr.getXXGroup().findByGroupName(group);
- if(xGrp == null) {
- throw new Exception(group + ": group does not
exist. policy='"+ policy.getName() + "' service='"+ policy.getService() + "'
group='" + group + "'");
- }
- XXPolicyItemGroupPerm xGrpPerm = new
XXPolicyItemGroupPerm();
- xGrpPerm = (XXPolicyItemGroupPerm)
rangerAuditFields.populateAuditFields(xGrpPerm, xPolicyItem);
- xGrpPerm.setGroupId(xGrp.getId());
- xGrpPerm.setPolicyItemId(xPolicyItem.getId());
- xGrpPerm.setOrder(i);
- xGrpPerm =
daoMgr.getXXPolicyItemGroupPerm().create(xGrpPerm);
- }
-
- List<RangerPolicyItemCondition> conditions =
policyItem.getConditions();
- for(RangerPolicyItemCondition condition : conditions) {
- XXPolicyConditionDef xPolCond = daoMgr
-
.getXXPolicyConditionDef().findByServiceDefIdAndName(
- xServiceDef.getId(),
condition.getType());
-
- if(xPolCond == null) {
- throw new Exception(condition.getType() + ": is
not a valid condition-type. policy='"+ xPolicy.getName() + "' service='"+
xPolicy.getService() + "'");
- }
-
- for(int i = 0; i < condition.getValues().size(); i++) {
- String value = condition.getValues().get(i);
- XXPolicyItemCondition xPolItemCond = new
XXPolicyItemCondition();
- xPolItemCond = (XXPolicyItemCondition)
rangerAuditFields.populateAuditFields(xPolItemCond, xPolicyItem);
-
xPolItemCond.setPolicyItemId(xPolicyItem.getId());
- xPolItemCond.setType(xPolCond.getId());
- xPolItemCond.setValue(value);
- xPolItemCond.setOrder(i);
-
-
daoMgr.getXXPolicyItemCondition().create(xPolItemCond);
- }
- }
-
- return xPolicyItem;
- }
-
- private void createNewPolicyItemsForPolicy(RangerPolicy policy,
XXPolicy xPolicy, List<RangerPolicyItem> policyItems, XXServiceDef xServiceDef,
int policyItemType) throws Exception {
- if(CollectionUtils.isNotEmpty(policyItems)) {
- for (int itemOrder = 0; itemOrder < policyItems.size();
itemOrder++) {
- RangerPolicyItem policyItem =
policyItems.get(itemOrder);
- createNewPolicyItemForPolicy(policy, xPolicy,
policyItem, xServiceDef, itemOrder, policyItemType);
- }
- }
- }
-
- private void createNewDataMaskPolicyItemsForPolicy(RangerPolicy policy,
XXPolicy xPolicy, List<RangerDataMaskPolicyItem> policyItems, XXServiceDef
xServiceDef, int policyItemType) throws Exception {
- if(CollectionUtils.isNotEmpty(policyItems)) {
- for (int itemOrder = 0; itemOrder < policyItems.size();
itemOrder++) {
- RangerDataMaskPolicyItem policyItem =
policyItems.get(itemOrder);
-
- XXPolicyItem xPolicyItem =
createNewPolicyItemForPolicy(policy, xPolicy, policyItem, xServiceDef,
itemOrder, policyItemType);
-
- RangerPolicyItemDataMaskInfo dataMaskInfo =
policyItem.getDataMaskInfo();
-
- if(dataMaskInfo != null) {
- XXDataMaskTypeDef dataMaskDef =
daoMgr.getXXDataMaskTypeDef().findByNameAndServiceId(dataMaskInfo.getDataMaskType(),
xPolicy.getService());
-
- if(dataMaskDef == null) {
- throw new
Exception(dataMaskInfo.getDataMaskType() + ": is not a valid datamask-type.
policy='" + policy.getName() + "' service='" + policy.getService() + "'");
- }
-
- XXPolicyItemDataMaskInfo xxDataMaskInfo
= new XXPolicyItemDataMaskInfo();
-
-
xxDataMaskInfo.setPolicyItemId(xPolicyItem.getId());
-
xxDataMaskInfo.setType(dataMaskDef.getId());
-
xxDataMaskInfo.setConditionExpr(dataMaskInfo.getConditionExpr());
-
xxDataMaskInfo.setValueExpr(dataMaskInfo.getValueExpr());
-
-
daoMgr.getXXPolicyItemDataMaskInfo().create(xxDataMaskInfo);
- }
- }
- }
- }
-
- private void createNewRowFilterPolicyItemsForPolicy(RangerPolicy
policy, XXPolicy xPolicy, List<RangerRowFilterPolicyItem> policyItems,
XXServiceDef xServiceDef, int policyItemType) throws Exception {
- if(CollectionUtils.isNotEmpty(policyItems)) {
- for (int itemOrder = 0; itemOrder < policyItems.size();
itemOrder++) {
- RangerRowFilterPolicyItem policyItem =
policyItems.get(itemOrder);
-
- XXPolicyItem xPolicyItem =
createNewPolicyItemForPolicy(policy, xPolicy, policyItem, xServiceDef,
itemOrder, policyItemType);
-
- RangerPolicyItemRowFilterInfo dataMaskInfo =
policyItem.getRowFilterInfo();
-
- if(dataMaskInfo != null) {
- XXPolicyItemRowFilterInfo
xxRowFilterInfo = new XXPolicyItemRowFilterInfo();
-
-
xxRowFilterInfo.setPolicyItemId(xPolicyItem.getId());
-
xxRowFilterInfo.setFilterExpr(dataMaskInfo.getFilterExpr());
-
- xxRowFilterInfo =
daoMgr.getXXPolicyItemRowFilterInfo().create(xxRowFilterInfo);
- }
- }
- }
- }
+ public static void persistVersionChange(RangerDaoManager daoMgr, Long
id, VERSION_TYPE versionType) {
+ XXServiceVersionInfoDao serviceVersionInfoDao =
daoMgr.getXXServiceVersionInfo();
- private void createNewResourcesForPolicy(RangerPolicy policy, XXPolicy
xPolicy, Map<String, RangerPolicyResource> resources) throws Exception {
-
- for (Entry<String, RangerPolicyResource> resource :
resources.entrySet()) {
- RangerPolicyResource policyRes = resource.getValue();
-
- XXResourceDef xResDef = daoMgr.getXXResourceDef()
-
.findByNameAndPolicyId(resource.getKey(), policy.getId());
- if (xResDef == null) {
- throw new Exception(resource.getKey() + ": is
not a valid resource-type. policy='"+ policy.getName() + "' service='"+
policy.getService() + "'");
- }
-
- XXPolicyResource xPolRes = new XXPolicyResource();
- xPolRes = (XXPolicyResource)
rangerAuditFields.populateAuditFields(xPolRes, xPolicy);
-
- xPolRes.setIsExcludes(policyRes.getIsExcludes());
- xPolRes.setIsRecursive(policyRes.getIsRecursive());
- xPolRes.setPolicyId(policy.getId());
- xPolRes.setResDefId(xResDef.getId());
- xPolRes = daoMgr.getXXPolicyResource().create(xPolRes);
-
- List<String> values = policyRes.getValues();
- if (CollectionUtils.isNotEmpty(values)) {
- Set<String> uniqueValues = new
LinkedHashSet<String>(values);
- int i = 0;
- if (CollectionUtils.isNotEmpty(uniqueValues)) {
- for (String uniqValue : uniqueValues) {
- if
(!StringUtils.isEmpty(uniqValue)) {
- XXPolicyResourceMap
xPolResMap = new XXPolicyResourceMap();
- xPolResMap =
(XXPolicyResourceMap) rangerAuditFields.populateAuditFields(xPolResMap,xPolRes);
-
xPolResMap.setResourceId(xPolRes.getId());
-
xPolResMap.setValue(uniqValue);
- xPolResMap.setOrder(i);
- xPolResMap =
daoMgr.getXXPolicyResourceMap().create(xPolResMap);
- i++;
- }
- }
- }
- }
- }
- }
+ XXServiceVersionInfo serviceVersionInfoDbObj =
serviceVersionInfoDao.findByServiceId(id);
- private Boolean deleteExistingPolicyItems(RangerPolicy policy) {
- if(policy == null) {
- return false;
- }
-
- XXPolicyItemDao policyItemDao = daoMgr.getXXPolicyItem();
- List<XXPolicyItem> policyItems =
policyItemDao.findByPolicyId(policy.getId());
- for(XXPolicyItem policyItem : policyItems) {
- Long polItemId = policyItem.getId();
-
- XXPolicyItemConditionDao polCondDao =
daoMgr.getXXPolicyItemCondition();
- List<XXPolicyItemCondition> conditions =
polCondDao.findByPolicyItemId(polItemId);
- for(XXPolicyItemCondition condition : conditions) {
- polCondDao.remove(condition);
- }
-
- XXPolicyItemGroupPermDao grpPermDao =
daoMgr.getXXPolicyItemGroupPerm();
- List<XXPolicyItemGroupPerm> groups =
grpPermDao.findByPolicyItemId(polItemId);
- for(XXPolicyItemGroupPerm group : groups) {
- grpPermDao.remove(group);
- }
-
- XXPolicyItemUserPermDao userPermDao =
daoMgr.getXXPolicyItemUserPerm();
- List<XXPolicyItemUserPerm> users =
userPermDao.findByPolicyItemId(polItemId);
- for(XXPolicyItemUserPerm user : users) {
- userPermDao.remove(user);
+ if(serviceVersionInfoDbObj != null) {
+ if (versionType == VERSION_TYPE.POLICY_VERSION ||
versionType == VERSION_TYPE.POLICY_AND_TAG_VERSION) {
+
serviceVersionInfoDbObj.setPolicyVersion(getNextVersion(serviceVersionInfoDbObj.getPolicyVersion()));
+ serviceVersionInfoDbObj.setPolicyUpdateTime(new
Date());
}
-
- XXPolicyItemAccessDao polItemAccDao =
daoMgr.getXXPolicyItemAccess();
- List<XXPolicyItemAccess> accesses =
polItemAccDao.findByPolicyItemId(polItemId);
- for(XXPolicyItemAccess access : accesses) {
- polItemAccDao.remove(access);
+ if (versionType == VERSION_TYPE.TAG_VERSION ||
versionType == VERSION_TYPE.POLICY_AND_TAG_VERSION) {
+
serviceVersionInfoDbObj.setTagVersion(getNextVersion(serviceVersionInfoDbObj.getTagVersion()));
+ serviceVersionInfoDbObj.setTagUpdateTime(new
Date());
}
- XXPolicyItemDataMaskInfoDao polItemDataMaskInfoDao =
daoMgr.getXXPolicyItemDataMaskInfo();
- List<XXPolicyItemDataMaskInfo> dataMaskInfos =
polItemDataMaskInfoDao.findByPolicyItemId(polItemId);
- for(XXPolicyItemDataMaskInfo dataMaskInfo :
dataMaskInfos) {
- polItemDataMaskInfoDao.remove(dataMaskInfo);
- }
-
- XXPolicyItemRowFilterInfoDao polItemRowFilterInfoDao =
daoMgr.getXXPolicyItemRowFilterInfo();
- List<XXPolicyItemRowFilterInfo> rowFilterInfos =
polItemRowFilterInfoDao.findByPolicyItemId(polItemId);
- for(XXPolicyItemRowFilterInfo rowFilterInfo :
rowFilterInfos) {
- polItemRowFilterInfoDao.remove(rowFilterInfo);
- }
+ serviceVersionInfoDao.update(serviceVersionInfoDbObj);
- policyItemDao.remove(policyItem);
- }
- return true;
- }
+ } else {
+ XXService service = daoMgr.getXXService().getById(id);
+ if (service != null) {
+ serviceVersionInfoDbObj = new
XXServiceVersionInfo();
+
serviceVersionInfoDbObj.setServiceId(service.getId());
+ serviceVersionInfoDbObj.setPolicyVersion(1L);
+ serviceVersionInfoDbObj.setPolicyUpdateTime(new
Date());
+ serviceVersionInfoDbObj.setTagVersion(1L);
+ serviceVersionInfoDbObj.setTagUpdateTime(new
Date());
- private Boolean deleteExistingPolicyResources(RangerPolicy policy) {
- if(policy == null) {
- return false;
- }
-
- List<XXPolicyResource> resources =
daoMgr.getXXPolicyResource().findByPolicyId(policy.getId());
-
- XXPolicyResourceDao resDao = daoMgr.getXXPolicyResource();
- for(XXPolicyResource resource : resources) {
- List<XXPolicyResourceMap> resMapList =
daoMgr.getXXPolicyResourceMap().findByPolicyResId(resource.getId());
-
- XXPolicyResourceMapDao resMapDao =
daoMgr.getXXPolicyResourceMap();
- for(XXPolicyResourceMap resMap : resMapList) {
- resMapDao.remove(resMap);
+
serviceVersionInfoDao.create(serviceVersionInfoDbObj);
}
- resDao.remove(resource);
}
- return true;
- }
-
- private Boolean deleteExistingPolicyItemsNative(RangerPolicy policy) {
- if(policy == null) {
- return false;
- }
- XXPolicyItemDao policyItemDao = daoMgr.getXXPolicyItem();
- List<XXPolicyItem> policyItems =
policyItemDao.findByPolicyId(policy.getId());
- for(XXPolicyItem policyItem : policyItems) {
- Long polItemId = policyItem.getId();
-
daoMgr.getXXPolicyItemRowFilterInfo().deletePolicyIDReference("policy_item_id",
polItemId);
-
daoMgr.getXXPolicyItemDataMaskInfo().deletePolicyIDReference("policy_item_id",
polItemId);
-
daoMgr.getXXPolicyItemGroupPerm().deletePolicyIDReference("policy_item_id",
polItemId);
-
daoMgr.getXXPolicyItemUserPerm().deletePolicyIDReference("policy_item_id",
polItemId);
-
daoMgr.getXXPolicyItemCondition().deletePolicyIDReference("policy_item_id",
polItemId);
-
daoMgr.getXXPolicyItemAccess().deletePolicyIDReference("policy_item_id",
polItemId);
- }
- daoMgr.getXXPolicyItem().deletePolicyIDReference("policy_id",
policy.getId());
- return true;
- }
-
- private Boolean deleteExistingPolicyResourcesNative(RangerPolicy
policy) {
- if(policy == null) {
- return false;
- }
- List<XXPolicyResource> resources =
daoMgr.getXXPolicyResource().findByPolicyId(policy.getId());
- for(XXPolicyResource resource : resources) {
-
daoMgr.getXXPolicyResourceMap().deletePolicyIDReference("resource_id",
resource.getId());
-
daoMgr.getXXPolicyResource().deletePolicyIDReference("id", resource.getId());
- }
- return true;
}
@Override
@@ -3177,55 +3085,34 @@ public class ServiceDBStore extends
AbstractServiceStore {
return;
}
+ final RangerDaoManager daoManager = daoMgr;
+
boolean isTagServiceDef =
StringUtils.equals(serviceDef.getName(),
EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME);
XXServiceDao serviceDao = daoMgr.getXXService();
- XXServiceVersionInfoDao serviceVersionInfoDao =
daoMgr.getXXServiceVersionInfo();
List<XXService> services =
serviceDao.findByServiceDefId(serviceDef.getId());
if(CollectionUtils.isNotEmpty(services)) {
for(XXService service : services) {
- XXServiceVersionInfo serviceVersionInfo =
serviceVersionInfoDao.findByServiceId(service.getId());
- if (serviceVersionInfo != null) {
-
serviceVersionInfo.setPolicyVersion(getNextVersion(serviceVersionInfo.getPolicyVersion()));
-
serviceVersionInfo.setPolicyUpdateTime(serviceDef.getUpdateTime());
-
serviceVersionInfoDao.update(serviceVersionInfo);
- } else {
-
LOG.warn("updateServicesForServiceDefUpdate(service=" + service.getName() + "):
serviceVersionInfo not found, creating it..");
- serviceVersionInfo = new
XXServiceVersionInfo();
-
serviceVersionInfo.setServiceId(service.getId());
-
serviceVersionInfo.setPolicyVersion(getNextVersion(service.getPolicyVersion()));
-
serviceVersionInfo.setTagVersion(service.getTagVersion());
-
serviceVersionInfo.setPolicyUpdateTime(new Date());
-
serviceVersionInfo.setTagUpdateTime(service.getTagUpdateTime());
+ final Long serviceId =
service.getId();
+ final VERSION_TYPE versionType =
VERSION_TYPE.POLICY_VERSION;
-
serviceVersionInfoDao.create(serviceVersionInfo);
- }
+ Runnable serviceVersionUpdater = new
ServiceVersionUpdater(daoManager, serviceId, versionType);
+
transactionSynchronizationAdapter.executeOnTransactionCommit(serviceVersionUpdater);
if(isTagServiceDef) {
- List<XXService> referrringServices =
serviceDao.findByTagServiceId(service.getId());
+ List<XXService> referringServices =
serviceDao.findByTagServiceId(service.getId());
-
if(CollectionUtils.isNotEmpty(referrringServices)) {
- for(XXService referringService
: referrringServices) {
- serviceVersionInfo =
serviceVersionInfoDao.findByServiceId(referringService.getId());
- if (serviceVersionInfo
!= null) {
-
serviceVersionInfo.setPolicyVersion(getNextVersion(serviceVersionInfo.getPolicyVersion()));
-
serviceVersionInfo.setPolicyUpdateTime(serviceDef.getUpdateTime());
+
if(CollectionUtils.isNotEmpty(referringServices)) {
+ for(XXService referringService
: referringServices) {
-
serviceVersionInfoDao.update(serviceVersionInfo);
- } else {
-
LOG.warn("updateServicesForServiceDefUpdate(service=" +
referringService.getName() + "): serviceVersionInfo not found, creating it..");
-
serviceVersionInfo = new XXServiceVersionInfo();
-
serviceVersionInfo.setServiceId(referringService.getId());
-
serviceVersionInfo.setPolicyVersion(getNextVersion(referringService.getPolicyVersion()));
-
serviceVersionInfo.setTagVersion(referringService.getTagVersion());
-
serviceVersionInfo.setPolicyUpdateTime(new Date());
-
serviceVersionInfo.setTagUpdateTime(referringService.getTagUpdateTime());
-
-
serviceVersionInfoDao.create(serviceVersionInfo);
- }
+ final Long
referringServiceId = referringService.getId();
+ final VERSION_TYPE
tagServiceVersionType = VERSION_TYPE.POLICY_VERSION;
+
+ Runnable
tagServiceVersionUpdater = new ServiceVersionUpdater(daoManager,
referringServiceId, tagServiceVersionType);
+
transactionSynchronizationAdapter.executeOnTransactionCommit(tagServiceVersionUpdater);
}
}
}
@@ -3711,10 +3598,6 @@ public class ServiceDBStore extends AbstractServiceStore
{
private void writeBookForPolicyItems(RangerPolicy policy,
RangerPolicyItem policyItem,
RangerDataMaskPolicyItem dataMaskPolicyItem,
RangerRowFilterPolicyItem rowFilterPolicyItem, Row row, String
policyConditonType) {
- if (LOG.isDebugEnabled()) {
- // To avoid PMD violation
- LOG.debug("policyConditonType:[" + policyConditonType +
"]");
- }
List<String> groups = new ArrayList<String>();
List<String> users = new ArrayList<String>();
String groupNames = "";
@@ -3995,18 +3878,34 @@ public class ServiceDBStore extends
AbstractServiceStore {
xUserService.createXUserWithOutLogin(genericUser);
}
- public boolean isServiceAdminUser(String serviceName, String userName) {
- boolean ret=false;
- XXServiceConfigMap cfgSvcAdminUsers =
daoMgr.getXXServiceConfigMap().findByServiceNameAndConfigKey(serviceName,
SERVICE_ADMIN_USERS);
- String svcAdminUsers = cfgSvcAdminUsers != null ?
cfgSvcAdminUsers.getConfigvalue() : null;
- if (svcAdminUsers != null) {
- for (String svcAdminUser : svcAdminUsers.split(",")) {
- if (userName.equals(svcAdminUser)) {
- ret=true;
- break;
- }
- }
- }
- return ret;
- }
+ public boolean isServiceAdminUser(String serviceName, String userName) {
+ boolean ret=false;
+ XXServiceConfigMap cfgSvcAdminUsers =
daoMgr.getXXServiceConfigMap().findByServiceNameAndConfigKey(serviceName,
SERVICE_ADMIN_USERS);
+ String svcAdminUsers = cfgSvcAdminUsers != null ?
cfgSvcAdminUsers.getConfigvalue() : null;
+ if (svcAdminUsers != null) {
+ for (String svcAdminUser : svcAdminUsers.split(",")) {
+ if (userName.equals(svcAdminUser)) {
+ ret=true;
+ break;
+ }
+ }
+ }
+ return ret;
+ }
+
+ public static class ServiceVersionUpdater implements Runnable {
+ final Long serviceId;
+ final RangerDaoManager daoManager;
+ final VERSION_TYPE versionType;
+
+ public ServiceVersionUpdater(RangerDaoManager daoManager, Long
serviceId, VERSION_TYPE versionType ) {
+ this.serviceId = serviceId;
+ this.daoManager = daoManager;
+ this.versionType = versionType;
+ }
+ @Override
+ public void run() {
+ ServiceDBStore.persistVersionChange(this.daoManager,
this.serviceId, this.versionType);
+ }
+ }
}
