This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch ranger-2.0
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.0 by this push:
new 06b4659 RANGER-2518: RANGER-2518: Allow service creator to delete the
service
06b4659 is described below
commit 06b46597108132316ccfc9bf4af0805454e26aec
Author: Pradeep <[email protected]>
AuthorDate: Wed Jul 31 15:37:49 2019 -0700
RANGER-2518: RANGER-2518: Allow service creator to delete the service
---
.../java/org/apache/ranger/biz/RangerBizUtil.java | 9 ++-
.../java/org/apache/ranger/biz/ServiceDBStore.java | 2 +-
.../java/org/apache/ranger/rest/ServiceREST.java | 64 ++++++++++++----------
.../apache/ranger/service/XResourceService.java | 2 +-
.../ranger/service/XUgsyncAuditInfoService.java | 2 +-
.../org/apache/ranger/rest/TestServiceREST.java | 12 ++++
6 files changed, 58 insertions(+), 33 deletions(-)
diff --git
a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index 0ad7df2..d49ea98 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -1339,13 +1339,17 @@ public class RangerBizUtil {
if (!session.isKeyAdmin() && !session.isUserAdmin()) {
throw restErrorUtil.createRESTException(
- "User is not allowed to update
service-def, only Admin can create/update/delete " + objType,
+ "This user is not allowed this
operation. Only users with Admin permission have access to this operation " +
objType,
MessageEnums.OPER_NO_PERMISSION);
}
}
public void hasKMSPermissions(String objType, String implClassName) {
UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session == null) {
+ throw restErrorUtil.createRESTException("UserSession
cannot be null, only KeyAdmin can create/update/delete "
+ + objType,
MessageEnums.OPER_NO_PERMISSION);
+ }
if (session.isKeyAdmin() &&
!EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(implClassName)) {
throw restErrorUtil.createRESTException("KeyAdmin can
create/update/delete only KMS " + objType,
@@ -1461,6 +1465,9 @@ public class RangerBizUtil {
public boolean hasModuleAccess(String moduleName) {
UserSessionBase currentUserSession =
ContextUtil.getCurrentUserSession();
+ if(currentUserSession == null) {
+ return false;
+ }
if(!currentUserSession.isUserAdmin() &&
!currentUserSession.isAuditUserAdmin()) {
if(!currentUserSession.getRangerUserPermission().getUserPermissions().contains(moduleName))
{
return false;
diff --git
a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 8420233..ef22354 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -3981,7 +3981,7 @@ public class ServiceDBStore extends AbstractServiceStore {
public void putMetaDataInfo(RangerExportPolicyList
rangerExportPolicyList){
Map<String, Object> metaDataInfo = new LinkedHashMap<String,
Object>();
UserSessionBase usb = ContextUtil.getCurrentUserSession();
- String userId = usb.getLoginId();
+ String userId = usb!=null ? usb.getLoginId() : null;
metaDataInfo.put(HOSTNAME, LOCAL_HOSTNAME);
metaDataInfo.put(USER_NAME, userId);
diff --git
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index b06273c..348d072 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -798,40 +798,46 @@ public class ServiceREST {
}
RangerServiceValidator validator =
validatorFactory.getServiceValidator(svcStore);
validator.validate(id, Action.DELETE);
-
- bizUtil.hasAdminPermissions("Services");
-
- // TODO: As of now we are allowing SYS_ADMIN to create
all the
- // services including KMS
-
- XXService service =
daoManager.getXXService().getById(id);
- if (service != null) {
- EmbeddedServiceDefsUtil embeddedServiceDefsUtil
= EmbeddedServiceDefsUtil.instance();
- if
(service.getType().equals(embeddedServiceDefsUtil.getTagServiceDefId())) {
- List<XXService> referringServices =
daoManager.getXXService().findByTagServiceId(id);
- if
(!CollectionUtils.isEmpty(referringServices)) {
- Set<String>
referringServiceNames = new HashSet<String>();
- for (XXService xXService :
referringServices) {
-
referringServiceNames.add(xXService.getName());
- if
(referringServiceNames.size() >= 10) {
- break;
+ UserSessionBase session =
ContextUtil.getCurrentUserSession();
+ if (session != null) {
+ XXService service =
daoManager.getXXService().getById(id);
+ if (service != null) {
+ //if logged-in user is not the service
creator then check admin priv.
+ if
(!session.getUserId().equals(service.getAddedByUserId())) {
+
bizUtil.hasAdminPermissions("Services");
+ }
+ EmbeddedServiceDefsUtil
embeddedServiceDefsUtil = EmbeddedServiceDefsUtil.instance();
+ if
(service.getType().equals(embeddedServiceDefsUtil.getTagServiceDefId())) {
+ List<XXService>
referringServices = daoManager.getXXService().findByTagServiceId(id);
+ if
(!CollectionUtils.isEmpty(referringServices)) {
+ Set<String>
referringServiceNames = new HashSet<String>();
+ for (XXService
xXService : referringServices) {
+
referringServiceNames.add(xXService.getName());
+ if
(referringServiceNames.size() >= 10) {
+ break;
+ }
+ }
+ if
(referringServices.size() <= 10) {
+ throw
restErrorUtil.createRESTException("Tag service '" + service.getName() + "' is
being referenced by " + referringServices.size() + " services: " +
referringServiceNames, MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
+ } else {
+ throw
restErrorUtil.createRESTException("Tag service '" + service.getName() + "' is
being referenced by " + referringServices.size() + " services: " +
referringServiceNames + " and more..", MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
}
- }
- if (referringServices.size() <=
10) {
- throw
restErrorUtil.createRESTException("Tag service '" + service.getName() + "' is
being referenced by " + referringServices.size() + " services: " +
referringServiceNames, MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
- } else {
- throw
restErrorUtil.createRESTException("Tag service '" + service.getName() + "' is
being referenced by " + referringServices.size() + " services: " +
referringServiceNames + " and more..", MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
}
}
- }
- XXServiceDef xxServiceDef =
daoManager.getXXServiceDef().getById(service.getType());
- bizUtil.hasKMSPermissions("Service",
xxServiceDef.getImplclassname());
- bizUtil.blockAuditorRoleUser();
-
tagStore.deleteAllTagObjectsForService(service.getName());
+ XXServiceDef xxServiceDef =
daoManager.getXXServiceDef().getById(service.getType());
+ if
(!session.getUserId().equals(service.getAddedByUserId())) {
+
bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
+ bizUtil.blockAuditorRoleUser();
+ }
+
tagStore.deleteAllTagObjectsForService(service.getName());
- svcStore.deleteService(id);
+ svcStore.deleteService(id);
+ } else {
+ LOG.error("Cannot retrieve service:[" +
id + "] for deletion");
+ throw new Exception("deleteService(" +
id + ") failed");
+ }
} else {
- LOG.error("Cannot retrieve service:[" + id + "]
for deletion");
+ LOG.error("Cannot retrieve user session.");
throw new Exception("deleteService(" + id + ")
failed");
}
} catch(WebApplicationException excp) {
diff --git
a/security-admin/src/main/java/org/apache/ranger/service/XResourceService.java
b/security-admin/src/main/java/org/apache/ranger/service/XResourceService.java
index 43a855e..57b20b7 100644
---
a/security-admin/src/main/java/org/apache/ranger/service/XResourceService.java
+++
b/security-admin/src/main/java/org/apache/ranger/service/XResourceService.java
@@ -357,7 +357,7 @@ public class XResourceService extends
UserSessionBase currentUserSession = ContextUtil
.getCurrentUserSession();
// If user is system admin
- if (currentUserSession.isUserAdmin()) {
+ if (currentUserSession != null &&
currentUserSession.isUserAdmin()) {
returnList = super.searchXResources(searchCriteria);
} else {// need to be optimize
diff --git
a/security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java
b/security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java
index d613c70..7fa96fb 100644
---
a/security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java
+++
b/security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java
@@ -144,7 +144,7 @@ public class XUgsyncAuditInfoService extends
XUgsyncAuditInfoServiceBase<XXUgsyn
public VXUgsyncAuditInfo createUgsyncAuditInfo(VXUgsyncAuditInfo
vxUgsyncAuditInfo) {
- Long sessionId =
ContextUtil.getCurrentUserSession().getSessionId();
+ Long sessionId = ContextUtil.getCurrentUserSession() != null ?
ContextUtil.getCurrentUserSession().getSessionId() : null;
if (sessionId != null) {
vxUgsyncAuditInfo.setSessionId("" + sessionId);
}
diff --git
a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
index 34be7e9..a7e19bf 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
@@ -1817,6 +1817,18 @@ public class TestServiceREST {
xService.setType(embeddedServiceDefsUtil.getTagServiceDefId());
XXServiceDao xServiceDao = Mockito.mock(XXServiceDao.class);
+ String userLoginID = "testuser";
+ Long userId = 8L;
+ RangerSecurityContext context = new RangerSecurityContext();
+ context.setUserSession(new UserSessionBase());
+ RangerContextHolder.setSecurityContext(context);
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ session.setUserAdmin(true);
+ XXPortalUser xXPortalUser = new XXPortalUser();
+ xXPortalUser.setLoginId(userLoginID);
+ xXPortalUser.setId(userId);
+ session.setXXPortalUser(xXPortalUser);
+
Mockito.when(validatorFactory.getServiceValidator(svcStore)).thenReturn(serviceValidator);
Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao);
Mockito.when(xServiceDao.findByTagServiceId(Mockito.anyLong())).thenReturn(referringServices);