This is an automated email from the ASF dual-hosted git repository.
nikhil pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new f11d297 RANGER-2617 : Provide descriptive error message when role
delete not allowed
f11d297 is described below
commit f11d297ad74407e51707ba890b4f07db8ddb3be4
Author: Nikhil P <[email protected]>
AuthorDate: Thu Oct 17 16:12:52 2019 +0530
RANGER-2617 : Provide descriptive error message when role delete not allowed
---
.../java/org/apache/ranger/biz/RoleDBStore.java | 28 ++++++++++++++++++++++
.../org/apache/ranger/db/XXPolicyRefRoleDao.java | 12 ++++++++++
.../org/apache/ranger/db/XXRoleRefRoleDao.java | 12 ++++++++++
.../main/resources/META-INF/jpa_named_queries.xml | 8 +++++++
4 files changed, 60 insertions(+)
diff --git
a/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
b/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
index 5d432f8..0854ff2 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
@@ -152,6 +152,8 @@ public class RoleDBStore implements RoleStore {
throw restErrorUtil.createRESTException("Role with name: " +
roleName + " does not exist");
}
+ ensureRoleDeleteAllowed(roleName);
+
daoMgr.getXXGlobalState().onGlobalAppDataChange(RANGER_ROLE_GLOBAL_STATE_NAME);
RangerRole role = roleService.read(xxRole.getId());
@@ -166,6 +168,8 @@ public class RoleDBStore implements RoleStore {
public void deleteRole(Long roleId) throws Exception {
RangerRole role = roleService.read(roleId);
+ ensureRoleDeleteAllowed(role.getName());
+
daoMgr.getXXGlobalState().onGlobalAppDataChange(RANGER_ROLE_GLOBAL_STATE_NAME);
roleRefUpdater.cleanupRefTables(role);
@@ -174,6 +178,30 @@ public class RoleDBStore implements RoleStore {
bizUtil.createTrxLog(trxLogList);
}
+ private void ensureRoleDeleteAllowed(String roleName) throws Exception {
+ boolean roleNotInPolicy = ensureRoleNotInPolicy(roleName);
+ if(!roleNotInPolicy) {
+ throw new Exception("Role '"+ roleName +"' can not be deleted as
it is referenced in one or more policies");
+ }
+
+ boolean roleNotInOtherRole = ensureRoleNotInRole(roleName);
+ if(!roleNotInOtherRole) {
+ throw new Exception("Role '"+ roleName + "' can not be deleted as
it is referenced in one or more other roles");
+ }
+ }
+
+ private boolean ensureRoleNotInPolicy(String roleName) {
+ Long roleRefPolicyCount =
daoMgr.getXXPolicyRefRole().findRoleRefPolicyCount(roleName);
+
+ return roleRefPolicyCount < 1;
+ }
+
+ private boolean ensureRoleNotInRole(String roleName) {
+ Long roleRefRoleCount =
daoMgr.getXXRoleRefRole().findRoleRefRoleCount(roleName);
+
+ return roleRefRoleCount < 1;
+ }
+
@Override
public RangerRole getRole(Long id) throws Exception {
return roleService.read(id);
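Review bot: The two `throw new Exception(...)` statements in `ensureRoleDeleteAllowed` bypass `restErrorUtil.createRESTException`, which this class already uses for the "does not exist" case in the name-based `deleteRole`. Depending on how the REST layer maps a plain `Exception` (not visible here), the descriptive message may reach the caller as a generic server error instead of a client error. Consider `throw restErrorUtil.createRESTException("Role '" + roleName + "' can not be deleted as it is referenced in one or more policies");` and the equivalent for the role-in-role case. As a style point, `ensureRoleNotInPolicy` and `ensureRoleNotInRole` only report a boolean, so a predicate name such as `isRoleReferencedInPolicy` would read more honestly, with a short Javadoc on `ensureRoleDeleteAllowed` stating what it throws and when.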
diff --git
a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java
b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java
index b92f806..dbcacb7 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXPolicyRefRoleDao.java
@@ -96,5 +96,17 @@ public class XXPolicyRefRoleDao extends
BaseDao<XXPolicyRefRole>{
return ret;
}
+ public Long findRoleRefPolicyCount(String roleName) {
+ Long ret = -1L;
+
+ try {
+ ret =
getEntityManager().createNamedQuery("XXPolicyRefRole.findRoleRefPolicyCount",
Long.class)
+ .setParameter("roleName",
roleName).getSingleResult();
+ } catch (Exception e) {
+ }
+
+ return ret;
+ }
+
}
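Review bot: The empty `catch (Exception e) { }` in `findRoleRefPolicyCount` leaves `ret` at -1 when the query fails, and the caller in RoleDBStore tests `roleRefPolicyCount < 1`, so a failed lookup is read as "not referenced" and the delete proceeds; the guard fails open. `XXRoleRefRoleDao.findRoleRefRoleCount` in the next file follows the same pattern. Let the persistence exception propagate by dropping the try/catch (`return getEntityManager().createNamedQuery("XXPolicyRefRole.findRoleRefPolicyCount", Long.class).setParameter("roleName", roleName).getSingleResult();`), or keep the sentinel and have the callers reject negative counts rather than treat them as zero. Either way the failure should be logged, so that a broken reference check on a role delete is visible to operators.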
diff --git
a/security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java
b/security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java
index 4194810..8f6fc8c 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXRoleRefRoleDao.java
@@ -76,6 +76,18 @@ public class XXRoleRefRoleDao extends BaseDao<XXRoleRefRole>{
}
}
+ public Long findRoleRefRoleCount(String subRoleName) {
+ Long ret = -1L;
+
+ try {
+ ret =
getEntityManager().createNamedQuery("XXRoleRefRole.findRoleRefRoleCount",
Long.class)
+ .setParameter("subRoleName",
subRoleName).getSingleResult();
+ } catch (Exception e) {
+ }
+
+ return ret;
+ }
+
public Set<Long> getContainingRoles(Long subRoleId) {
Set<Long> ret;
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
index 7e21399..6cc4799 100755
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
+++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
@@ -1546,6 +1546,11 @@
<query>select obj from XXRoleRefRole obj where obj.subRoleName =
:subRoleName </query>
</named-query>
+ <named-query name="XXRoleRefRole.findRoleRefRoleCount">
+ <query>select count(obj.roleId) from XXRoleRefRole obj where
obj.subRoleName = :subRoleName </query>
+ </named-query>
+
+
<!-- XXPolicyRefRole -->
<named-query name="XXPolicyRefRole.findByPolicyId">
<query>select obj from XXPolicyRefRole obj where obj.policyId =
:policyId </query>
@@ -1574,6 +1579,9 @@
</query>
</named-query>
+ <named-query name="XXPolicyRefRole.findRoleRefPolicyCount">
+ <query>select count(obj.policyId) from XXPolicyRefRole obj where
obj.roleName = :roleName </query>
+ </named-query>
<!-- XXTagChangeLog -->
<named-query name="XXTagChangeLog.findSinceVersion">