This is an automated email from the ASF dual-hosted git repository.
spolavarapu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new ba2d550 RANGER-2552: Fixed code to update the user role/permissions
properly when group memberships are updated
ba2d550 is described below
commit ba2d55068a0c4e19b29616c1265575da674a5170
Author: Sailaja Polavarapu <[email protected]>
AuthorDate: Tue Aug 27 10:32:38 2019 -0700
RANGER-2552: Fixed code to update the user role/permissions properly when
group memberships are updated
---
.../process/PolicyMgrUserGroupBuilder.java | 158 ++++++---------------
1 file changed, 44 insertions(+), 114 deletions(-)
diff --git
a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
index e5fc68b..52579a3 100644
---
a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
+++
b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
@@ -34,6 +34,7 @@ import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
+import java.util.Set;
import java.util.StringTokenizer;
import java.util.regex.Pattern;
@@ -359,7 +360,6 @@ public class PolicyMgrUserGroupBuilder implements
UserGroupSink {
@Override
public void addOrUpdateUser(String userName, List<String> groups)
throws Throwable {
- UserGroupInfo ugInfo = new UserGroupInfo();
XUserInfo user = userName2XUserInfoMap.get(userName);
if (groups == null) {
@@ -402,6 +402,7 @@ public class PolicyMgrUserGroupBuilder implements
UserGroupSink {
List<String> addGroups = new ArrayList<String>();
List<String> delGroups = new ArrayList<String>();
List<String> updateGroups = new ArrayList<String>();
+ Set<String> cumulativeGroups = new HashSet<>();
XGroupInfo tempXGroupInfo=null;
for(String group : groups) {
if (! oldGroups.contains(group)) {
@@ -442,122 +443,54 @@ public class PolicyMgrUserGroupBuilder implements
UserGroupSink {
}
if (isMockRun) {
- return;
- }
- if (!addGroups.isEmpty()) {
- XUserInfo obj = addXUserInfo(userName);
- if (obj != null) {
- for (String group : addGroups) {
- String value =
groupMap.get(group);
- if (value != null) {
- List<String>
userRoleList = new ArrayList<String>();
- userRoleList.add(value);
- if
(userMap.containsKey(obj.getName())) {
- List<String>
userRole = new ArrayList<String>();
-
userRole.add(userMap.get(obj.getName()));
- if
(!obj.getUserRoleList().equals(userRole)) {
-
obj.setUserRoleList(userRole);
-
- }
- } else if
(!obj.getUserRoleList().equals(userRoleList)) {
-
obj.setUserRoleList(userRoleList);
- }
- }
- }
- }
- ugInfo.setXuserInfo(obj);
-
ugInfo.setXgroupInfo(getXGroupInfoList(addGroups));
- try {
- // If the rest call to ranger admin
fails,
- // propagate the failure to the caller
for retry in next
- // sync cycle.
- if (addUserGroupInfo(ugInfo) == null) {
- String msg = "Failed to add
user group info";
- LOG.error(msg);
- throw new Exception(msg);
- }
- } catch (Throwable t) {
-
LOG.error("PolicyMgrUserGroupBuilder.addUserGroupInfo failed for user-group
entry: "
- + ugInfo.toString() + "
with exception: ", t);
+ if (LOG.isDebugEnabled()) {
+
LOG.debug("PolicyMgrUserGroupBuilder.addOrUpdateUser(): Mock Run enabled and
hence not sending updates to Ranger admin!");
}
- addXUserGroupInfo(user, addGroups);
+ return;
}
if (!delGroups.isEmpty()) {
- if (LOG.isDebugEnabled()) {
-
LOG.debug("PolicyMgrUserGroupBuilder.addUserGroupInfo() user role list for " +
userName + " after delete = " + user.getUserRoleList());
- }
delXUserGroupInfo(user, delGroups);
//Remove groups from user mapping
-
userName2XUserInfoMap.get(userName).deleteGroups(delGroups);
- List<String> groupList =
userName2XUserInfoMap.get(userName).getGroups();
+ user.deleteGroups(delGroups);
if (LOG.isDebugEnabled()) {
-
LOG.debug("PolicyMgrUserGroupBuilder.addUserGroupInfo() groups for " + userName
+ " after delete = " + groupList);
- }
- if (!groupList.isEmpty()) {
- XUserInfo obj = addXUserInfo(userName);
- if (obj != null) {
- for (String group :
updateGroups) {
- String value =
groupMap.get(group);
- if (value != null) {
- List<String>
userRoleList = new ArrayList<String>();
-
userRoleList.add(value);
- if
(userMap.containsKey(obj.getName())) {
-
List<String> userRole = new ArrayList<String>();
-
userRole.add(userMap.get(obj.getName()));
- if
(!obj.getUserRoleList().equals(userRole)) {
-
obj.setUserRoleList(userRole);
- }
- } else if
(!obj.getUserRoleList().equals(
-
userRoleList)) {
-
obj.setUserRoleList(userRoleList);
- }
- }
- }
- }
- ugInfo.setXuserInfo(obj);
-
ugInfo.setXgroupInfo(getXGroupInfoList(groupList));
- try {
- // If the rest call to ranger
admin fails,
- // propagate the failure to the
caller for retry in next
- // sync cycle.
- if (addUserGroupInfo(ugInfo) ==
null) {
- String msg = "Failed to
add user group info";
- LOG.error(msg);
- throw new
Exception(msg);
- }
- } catch (Throwable t) {
-
LOG.error("PolicyMgrUserGroupBuilder.addUserGroupInfo failed with exception: "
- + t.getMessage()
- + ", for
user-group entry: "
- + ugInfo);
- }
+
LOG.debug("PolicyMgrUserGroupBuilder.addUserGroupInfo(): groups for " +
userName + " after delete = " + user.getGroups());
}
}
- if (!updateGroups.isEmpty()) {
+ if (!delGroups.isEmpty() || !addGroups.isEmpty() ||
!updateGroups.isEmpty()) {
+ cumulativeGroups = new
HashSet<>(user.getGroups());
+ cumulativeGroups.addAll(addGroups);
+ cumulativeGroups.addAll(updateGroups);
+ if (LOG.isDebugEnabled()) {
+
LOG.debug("PolicyMgrUserGroupBuilder.addUserGroupInfo(): cumulative groups for
" + userName + " = " + cumulativeGroups);
+ }
+
+ UserGroupInfo ugInfo = new UserGroupInfo();
XUserInfo obj = addXUserInfo(userName);
- if (obj != null) {
- for (String group : updateGroups) {
- String value =
groupMap.get(group);
- if (value != null) {
- List<String>
userRoleList = new ArrayList<String>();
- userRoleList.add(value);
- if
(userMap.containsKey(obj.getName())) {
- List<String>
userRole = new ArrayList<String>();
-
userRole.add(userMap.get(obj.getName()));
- if
(!obj.getUserRoleList().equals(userRole)) {
-
obj.setUserRoleList(userRole);
- }
- } else if
(!obj.getUserRoleList().equals(
-
userRoleList)) {
-
obj.setUserRoleList(userRoleList);
- }
- }
+ Set<String> userRoleList = new HashSet<>();
+ if (userMap.containsKey(userName)) {
+ // Add the user role that is defined in
user role assignments
+ userRoleList.add(userMap.get(userName));
+ }
+
+ for (String group : cumulativeGroups) {
+ String value = groupMap.get(group);
+ if (value != null) {
+ userRoleList.add(value);
}
}
+
+ if (!userRoleList.isEmpty()) {
+ obj.setUserRoleList(new
ArrayList<>(userRoleList));
+ }
+
+ if (LOG.isDebugEnabled()) {
+
LOG.debug("PolicyMgrUserGroupBuilder.addUserGroupInfo() user role list for " +
userName + " = " + obj.getUserRoleList());
+ }
+
ugInfo.setXuserInfo(obj);
-
ugInfo.setXgroupInfo(getXGroupInfoList(updateGroups));
+ ugInfo.setXgroupInfo(getXGroupInfoList(new
ArrayList<>(cumulativeGroups)));
try {
// If the rest call to ranger admin
fails,
// propagate the failure to the caller
for retry in next
@@ -576,26 +509,23 @@ public class PolicyMgrUserGroupBuilder implements
UserGroupSink {
}
if (isStartupFlag) {
+ UserGroupInfo ugInfo = new UserGroupInfo();
XUserInfo obj = addXUserInfo(userName);
if (obj != null && updateGroups.isEmpty()
&& addGroups.isEmpty() &&
delGroups.isEmpty()) {
+ Set<String> userRoleList = new
HashSet<>();
+ if (userMap.containsKey(userName)) {
+ // Add the user role that is
defined in user role assignments
+
userRoleList.add(userMap.get(userName));
+ }
+
for (String group : groups) {
String value =
groupMap.get(group);
if (value != null) {
- List<String>
userRoleList = new ArrayList<String>();
userRoleList.add(value);
- if
(userMap.containsKey(obj.getName())) {
- List<String>
userRole = new ArrayList<String>();
-
userRole.add(userMap.get(obj.getName()));
- if
(!obj.getUserRoleList().equals(userRole)) {
-
obj.setUserRoleList(userRole);
- }
- } else if
(!obj.getUserRoleList().equals(
-
userRoleList)) {
-
obj.setUserRoleList(userRoleList);
- }
}
}
+ obj.setUserRoleList(new
ArrayList<>(userRoleList));
ugInfo.setXuserInfo(obj);
ugInfo.setXgroupInfo(getXGroupInfoList(groups));
try {
