Repository: ranger Updated Branches: refs/heads/ranger-1 407346e63 -> f09e0d170
RANGER-2270: Restrict tag module access to unprivileged users
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/f09e0d17
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/f09e0d17
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/f09e0d17
Branch: refs/heads/ranger-1
Commit: f09e0d1704e99a66fb70f22c6cba78b872c58326
Parents: 407346e
Author: Pradeep <[email protected]>
Authored: Mon Oct 29 18:33:49 2018 +0530
Committer: Pradeep <[email protected]>
Committed: Wed Oct 31 21:29:16 2018 +0530
----------------------------------------------------------------------
.../main/java/org/apache/ranger/biz/RangerBizUtil.java | 9 +++++++++
.../src/main/java/org/apache/ranger/biz/XUserMgr.java | 3 +++
.../src/main/java/org/apache/ranger/rest/ServiceREST.java | 10 ++++++++++
.../src/test/java/org/apache/ranger/biz/TestXUserMgr.java | 6 +++---
4 files changed, 25 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/f09e0d17/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index b304e3e..d350fd1 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -1417,4 +1417,13 @@ public class RangerBizUtil {
 }
 }
+ public boolean hasModuleAccess(String moduleName) {
+ UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
+ if(!currentUserSession.isUserAdmin() && !currentUserSession.isAuditUserAdmin()) {
+ if(!currentUserSession.getRangerUserPermission().getUserPermissions().contains(moduleName)) {
+ return false;
+ }
+ }
+ return true;
+ }
 }
http://git-wip-us.apache.org/repos/asf/ranger/blob/f09e0d17/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index 5a1e519..febf221 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -1060,6 +1060,9 @@ public class XUserMgr extends XUserMgrBase {
 List<VXUserPermission> userPermListOld = new ArrayList<VXUserPermission>();
 XXModuleDef xModuleDef = daoManager.getXXModuleDef().getById(vXModuleDef.getId());
+ if(!StringUtil.equals(xModuleDef.getModule(), vXModuleDef.getModule())) {
+ throw restErrorUtil.createRESTException("Module name change is not allowed!", MessageEnums.DATA_NOT_UPDATABLE);
+ }
 VXModuleDef vModuleDefPopulateOld = xModuleDefService.populateViewBean(xModuleDef);
 List<XXGroupPermission> xgroupPermissionList = daoManager.getXXGroupPermission().findByModuleId(vXModuleDef.getId(), true);
http://git-wip-us.apache.org/repos/asf/ranger/blob/f09e0d17/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index c513548..865e115 100644
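Review bot: hasModuleAccess dereferences the session and then getRangerUserPermission().getUserPermissions() with no null guard, so a request with no current session, or a session whose permission object is unset, fails with a NullPointerException (a 500) instead of a clean deny — and this method now sits on the authorization path of ServiceREST. Whether ContextUtil.getCurrentUserSession() can return null here is not visible in the hunk, so that should be confirmed against the rest of RangerBizUtil before relying on it. The restructure below fails closed on a missing session or permission set and turns the double negation into one positive expression; the admin / audit-admin bypass is kept as written. A one-line Javadoc would also help callers: `/** True when the current user is an admin or audit admin, or holds the named module permission; false when no session is present. */`. The enclosing class starts outside the hunk.
```java
public boolean hasModuleAccess(String moduleName) {
    UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
    if (currentUserSession == null) {
        return false; // no authenticated session: deny rather than NPE
    }
    if (currentUserSession.isUserAdmin() || currentUserSession.isAuditUserAdmin()) {
        return true;
    }
    if (currentUserSession.getRangerUserPermission() == null
            || currentUserSession.getRangerUserPermission().getUserPermissions() == null) {
        return false;
    }
    return currentUserSession.getRangerUserPermission().getUserPermissions().contains(moduleName);
}
```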
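Review bot: The new comparison calls xModuleDef.getModule() immediately after getById(), so an update for an unknown module id now surfaces as a NullPointerException at this line if getById() returns null for a missing row (not visible here; the later populateViewBean(xModuleDef) may previously have tolerated it); a guard such as `if (xModuleDef == null) { throw restErrorUtil.createRESTException("Module not found, id: " + vXModuleDef.getId(), MessageEnums.DATA_NOT_FOUND); }` placed before the comparison keeps the failure in the 4xx family. The check itself deserves a why-comment, because module-level grants are matched by name in RangerBizUtil.hasModuleAccess (getUserPermissions().contains(moduleName)), so letting a caller rename a module would silently change what every existing grant means: `// module names are the key of user/group module permissions (see RangerBizUtil.hasModuleAccess); renaming would re-target existing grants`. The null semantics of StringUtil.equals are not shown in the hunk, so it is worth confirming it treats (null, "x") as unequal rather than throwing. The enclosing method — presumably updateXModuleDefPermission, going by the test names in this commit — starts and ends outside the hunk.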
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -370,6 +370,11 @@ public class ServiceREST {
 perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServiceDef(serviceDefId=" + id + ")");
 }
 XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(id);
+ if(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME.equals(xServiceDef.getName())) {
+ if (!bizUtil.hasModuleAccess(RangerConstants.MODULE_TAG_BASED_POLICIES)) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not having permissions on the tag module.", true);
+ }
+ }
 if (!bizUtil.hasAccess(xServiceDef, null)) {
 throw restErrorUtil.createRESTException(
 "User is not allowed to access service-def, id: " + xServiceDef.getId(),
@@ -416,6 +421,11 @@ public class ServiceREST {
 }
 XXServiceDef xServiceDef = daoManager.getXXServiceDef().findByName(name);
 if (xServiceDef != null) {
+ if(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME.equals(xServiceDef.getName())) {
+ if (!bizUtil.hasModuleAccess(RangerConstants.MODULE_TAG_BASED_POLICIES)) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not having permissions on the tag module", true);
+ }
+ }
 if (!bizUtil.hasAccess(xServiceDef, null)) {
 throw restErrorUtil.createRESTException(
 "User is not allowed to access service-def: " + xServiceDef.getName(),
http://git-wip-us.apache.org/repos/asf/ranger/blob/f09e0d17/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
index e20cf9f..4139183 100644
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
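Review bot: The tag-module gate is pasted twice, in the by-id hunk at line 370 and the by-name hunk at line 416, with slightly different messages ("tag module." versus "tag module") and, more importantly, different null handling: the by-id copy calls xServiceDef.getName() straight after getById(id) with no null check, while the by-name copy sits inside `if (xServiceDef != null)`. If getById() can return null for an unknown id (not visible in this diff), the by-id path now throws NullPointerException before it ever reaches hasAccess, which previously was the first dereference. A single null-safe private helper removes both divergences and gives this policy one place to be maintained; each caller's added block then becomes `ensureTagModuleAccess(xServiceDef);`. Whether other endpoints that return tag-service data need the same gate cannot be answered from this diff but is worth checking alongside it. Both enclosing methods start and end outside their hunks.
```java
/** Rejects with 403 any request that touches the embedded tag service-def unless the caller holds the tag-module permission. */
private void ensureTagModuleAccess(XXServiceDef xServiceDef) {
    if (xServiceDef == null || !EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME.equals(xServiceDef.getName())) {
        return;
    }
    if (!bizUtil.hasModuleAccess(RangerConstants.MODULE_TAG_BASED_POLICIES)) {
        throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not having permissions on the tag module", true);
    }
}

// … in getServiceDef(Long id), in place of the added block …
ensureTagModuleAccess(xServiceDef);
// … unchanged: hasAccess check …
```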
@@ -1269,7 +1269,7 @@ public class TestXUserMgr {
 @Test
 public void test26updateXModuleDefPermission() {
 XXModuleDefDao xModuleDefDao = Mockito.mock(XXModuleDefDao.class);
- XXModuleDef xModuleDef = Mockito.mock(XXModuleDef.class);
+ XXModuleDef xModuleDef = xxModuleDef();
 XXUserPermissionDao xUserPermissionDao = Mockito.mock(XXUserPermissionDao.class);
 XXGroupPermissionDao xGroupPermissionDao = Mockito.mock(XXGroupPermissionDao.class);
 VXModuleDef vXModuleDef = vxModuleDef();
@@ -2998,7 +2998,7 @@ public class TestXUserMgr {
 @Test
 public void test96updateXModuleDefPermission() {
 XXModuleDefDao xModuleDefDao = Mockito.mock(XXModuleDefDao.class);
- XXModuleDef xModuleDef = Mockito.mock(XXModuleDef.class);
+ XXModuleDef xModuleDef = xxModuleDef();
 XXUserPermissionDao xUserPermissionDao = Mockito.mock(XXUserPermissionDao.class);
 XXGroupPermissionDao xGroupPermissionDao = Mockito.mock(XXGroupPermissionDao.class);
 VXModuleDef vXModuleDef = vxModuleDef();
@@ -3073,7 +3073,7 @@ public class TestXUserMgr {
 @Test
 public void test97updateXModuleDefPermission() {
 XXModuleDefDao xModuleDefDao = Mockito.mock(XXModuleDefDao.class);
- XXModuleDef xModuleDef = Mockito.mock(XXModuleDef.class);
+ XXModuleDef xModuleDef = xxModuleDef();
 XXUserPermissionDao xUserPermissionDao = Mockito.mock(XXUserPermissionDao.class);
 XXGroupPermissionDao xGroupPermissionDao = Mockito.mock(XXGroupPermissionDao.class);
 VXModuleDef vXModuleDef = vxModuleDef();
