This is an automated email from the ASF dual-hosted git repository.
pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new b66eafe RANGER-2485: Security zone filter is causing Ranger audit
access request waiting for longer
b66eafe is described below
commit b66eafe0802ba9656b705103e9ed7ab5accbd916
Author: Pradeep <[email protected]>
AuthorDate: Wed Jun 26 16:28:17 2019 +0530
RANGER-2485: Security zone filter is causing Ranger audit access request
waiting for longer
---
.../main/java/org/apache/ranger/biz/AssetMgr.java | 69 ++++++++--------------
.../org/apache/ranger/db/XXSecurityZoneDao.java | 26 +++++++-
.../main/resources/META-INF/jpa_named_queries.xml | 12 ++++
3 files changed, 61 insertions(+), 46 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java
b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java
index 1a78790..f5fce93 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java
@@ -52,9 +52,6 @@ import org.apache.ranger.entity.XXPermMap;
import org.apache.ranger.entity.XXPluginInfo;
import org.apache.ranger.entity.XXPolicyExportAudit;
import org.apache.ranger.entity.XXPortalUser;
-import org.apache.ranger.entity.XXSecurityZone;
-import org.apache.ranger.entity.XXSecurityZoneRefGroup;
-import org.apache.ranger.entity.XXSecurityZoneRefUser;
import org.apache.ranger.entity.XXTrxLog;
import org.apache.ranger.entity.XXUser;
import org.apache.ranger.plugin.model.RangerPluginInfo;
@@ -973,54 +970,36 @@ public class AssetMgr extends AssetMgrBase {
searchCriteria.setSortType("desc");
}
- Set<String> zoneNameSet = new HashSet<String>();
- Long userId = xaBizUtil.getXUserId();
- VXGroupList groupList = xUserMgr.getXUserGroups(userId);
- List<XXSecurityZoneRefUser> zoneRefUserList = rangerDaoManager
-
.getXXSecurityZoneRefUser().findByUserId(userId);
- for (XXSecurityZoneRefUser zoneRefUser : zoneRefUserList) {
- XXSecurityZone securityZone = rangerDaoManager
- .getXXSecurityZoneDao().findByZoneId(
-
zoneRefUser.getZoneId());
- if (securityZone != null) {
- zoneNameSet.add(securityZone.getName());
- }
- }
+ if (!xaBizUtil.isAdmin()) {
+ Long userId = xaBizUtil.getXUserId();
+ List<String> userZones =
rangerDaoManager.getXXSecurityZoneDao().findZoneNamesByUserId(userId);
+ Set<String> zoneNameSet = new
HashSet<String>(userZones);
- for (VXGroup group : groupList.getList()) {
- List<XXSecurityZoneRefGroup> zoneRefGroupList =
rangerDaoManager
-
.getXXSecurityZoneRefGroup().findByGroupId(group.getId());
- for (XXSecurityZoneRefGroup zoneRefGroup :
zoneRefGroupList) {
- XXSecurityZone securityZone = rangerDaoManager
-
.getXXSecurityZoneDao().findByZoneId(
-
zoneRefGroup.getZoneId());
- if (securityZone != null) {
- zoneNameSet.add(securityZone.getName());
+ VXGroupList groupList = xUserMgr.getXUserGroups(userId);
+ for (VXGroup group : groupList.getList()) {
+ List<String> userGroupZones =
rangerDaoManager.getXXSecurityZoneDao().findZoneNamesByGroupId(group.getId());
+ for (String zoneName : userGroupZones) {
+ zoneNameSet.add(zoneName);
}
}
- }
- List<String> zoneNameList = (List<String>)
searchCriteria.getParamValue("zoneName");
- if (!xaBizUtil.isAdmin()
- && (zoneNameList == null ||
zoneNameList.isEmpty())) {
- if (!zoneNameSet.isEmpty()) {
- searchCriteria.getParamList().put("zoneName",
- new
ArrayList<String>(zoneNameSet));
- } else {
- searchCriteria.getParamList().put("zoneName",
null);
- }
- } else if (!xaBizUtil.isAdmin() && !zoneNameList.isEmpty()
- && !zoneNameSet.isEmpty()) {
- for (String znName : zoneNameList) {
- if (!serviceMgr.isZoneAdmin(znName)
- &&
!serviceMgr.isZoneAuditor(znName)) {
- throw restErrorUtil.createRESTException(
-
HttpServletResponse.SC_FORBIDDEN,
- "User is not the zone
admin or zone auditor of zone "
- +
znName, true);
+ List<String> zoneNameList = (List<String>)
searchCriteria.getParamValue("zoneName");
+
+ if ((zoneNameList == null || zoneNameList.isEmpty())) {
+ if (!zoneNameSet.isEmpty()) {
+
searchCriteria.getParamList().put("zoneName", new
ArrayList<String>(zoneNameSet));
+ } else {
+
searchCriteria.getParamList().put("zoneName", null);
+ }
+ } else if (!zoneNameList.isEmpty() &&
!zoneNameSet.isEmpty()) {
+ for (String znName : zoneNameList) {
+ if (!serviceMgr.isZoneAdmin(znName) &&
!serviceMgr.isZoneAuditor(znName)) {
+ throw
restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is
not the zone admin or zone auditor of zone " + znName, true);
+ }
}
}
- }
+ }
+
if
(RangerBizUtil.AUDIT_STORE_SOLR.equalsIgnoreCase(xaBizUtil.getAuditDBType())) {
return solrAccessAuditsService.searchXAccessAudits(searchCriteria);
} else {
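Review bot: A non-admin caller who belongs to no security zone still has any zoneName values they supplied passed through unchecked, because the branch at `} else if (!zoneNameList.isEmpty() && !zoneNameSet.isEmpty()) {` is skipped whenever `zoneNameSet` is empty, so an explicit zoneName from such a user is never tested against `isZoneAdmin`/`isZoneAuditor`. The replaced code had the same condition, so the commit preserves rather than introduces this, but since the zone check was rewritten here it is the place to close it: `} else {` makes the per-zone admin/auditor check run for every explicitly requested zone, and the `!zoneNameList.isEmpty()` half is already implied by the preceding `if`. Unless the audit back end re-applies this restriction, which is not visible in the hunk, a non-admin user with no zone membership can read audits filtered on a zone they have no role in. Minor: the inner `for (String zoneName : userGroupZones)` loop is `zoneNameSet.addAll(userGroupZones);`. The enclosing method starts before this hunk.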
diff --git
a/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java
b/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java
index c0f0666..78296e2 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java
@@ -21,7 +21,6 @@ import org.apache.commons.lang.StringUtils;
import org.apache.ranger.common.db.BaseDao;
import org.apache.ranger.entity.XXSecurityZone;
import org.springframework.stereotype.Service;
-
import javax.persistence.NoResultException;
import java.util.Collections;
import java.util.List;
@@ -73,4 +72,29 @@ public class XXSecurityZoneDao extends
BaseDao<XXSecurityZone> {
return Collections.emptyList();
}
}
+
+ public List<String> findZoneNamesByUserId(Long userId) {
+ if (userId == null) {
+ return Collections.emptyList();
+ }
+ try {
+ return
getEntityManager().createNamedQuery("XXSecurityZone.findZoneNamesByUserId",
String.class)
+ .setParameter("userId",
userId).getResultList();
+ } catch (NoResultException e) {
+ return Collections.emptyList();
+ }
+ }
+
+ public List<String> findZoneNamesByGroupId(Long groupId) {
+ if (groupId == null) {
+ return Collections.emptyList();
+ }
+ try {
+ return
getEntityManager().createNamedQuery("XXSecurityZone.findZoneNamesByGroupId",
String.class)
+ .setParameter("groupId",
groupId).getResultList();
+ } catch (NoResultException e) {
+ return Collections.emptyList();
+ }
+ }
+
}
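Review bot: The `catch (NoResultException e)` blocks in both new methods are unreachable: `getResultList()` returns an empty list when nothing matches and does not throw `NoResultException` (that is `getSingleResult()` behaviour), so each method can be the null guard followed by the direct return, e.g. `return getEntityManager().createNamedQuery("XXSecurityZone.findZoneNamesByUserId", String.class).setParameter("userId", userId).getResultList();`. The null guard itself is worth keeping, since it avoids issuing the query with a null parameter. Both methods also lack Javadoc; a summary such as `Returns the distinct names of the security zones that reference the given user via XXSecurityZoneRefUser; empty when userId is null.` (and the group equivalent for `findZoneNamesByGroupId`) would document the contract that AssetMgr's audit filter now depends on.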
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
index 54e34d5..eb0384b 100644
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
+++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
@@ -1408,6 +1408,18 @@
</query>
</named-query>
+ <named-query name="XXSecurityZone.findZoneNamesByUserId">
+ <query>
+ select distinct obj.name from XXSecurityZone obj,
XXSecurityZoneRefUser refObj where obj.id = refObj.zoneId and refObj.userId =
:userId
+ </query>
+ </named-query>
+
+ <named-query name="XXSecurityZone.findZoneNamesByGroupId">
+ <query>
+ select distinct obj.name from XXSecurityZone obj,
XXSecurityZoneRefGroup refObj where obj.id = refObj.zoneId and refObj.groupId =
:groupId
+ </query>
+ </named-query>
+
<named-query name="XXGlobalState.findByStateId">
<query>
select obj from XXGlobalState obj where obj.id = :stateId