This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 618ebd3 RANGER-2642: Grant/Revoke REST invocations by non-service
users should not specify resource owner
618ebd3 is described below
commit 618ebd3a9ce93bf348ff48b7c9a687c274d9556c
Author: Abhay Kulkarni <[email protected]>
AuthorDate: Fri Nov 15 07:32:21 2019 -0800
RANGER-2642: Grant/Revoke REST invocations by non-service users should not
specify resource owner
---
.../java/org/apache/ranger/biz/RangerBizUtil.java | 17 ++-
.../java/org/apache/ranger/biz/ServiceDBStore.java | 2 +-
.../java/org/apache/ranger/rest/ServiceREST.java | 136 +++++++++++----------
3 files changed, 84 insertions(+), 71 deletions(-)
diff --git
a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index 6cd8634..3761ef2 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -62,6 +62,7 @@ import org.apache.ranger.entity.XXUser;
import org.apache.ranger.plugin.model.RangerBaseModelObject;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
+import org.apache.ranger.rest.ServiceREST;
import org.apache.ranger.view.VXPortalUser;
import org.apache.ranger.view.VXResource;
import org.apache.ranger.view.VXResponse;
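Review bot: The added import makes the biz-layer class RangerBizUtil depend on the REST class ServiceREST only to read the `Allowed_User_List_For_Grant_Revoke` config key. ServiceREST already calls into `bizUtil` in the later hunks, so the two classes now reference each other. Consider defining that key beside `SERVICE_ADMIN_USERS`, which this commit makes public in ServiceDBStore, so the settings that confer grant/revoke privilege live in one place.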
@@ -1406,12 +1407,18 @@ public class RangerBizUtil {
return false;
}
- public boolean isUserAllowedForGrantRevoke(RangerService rangerService,
- String cfgNameAllowedUsers, String userName) {
+ public boolean isUserAllowedForGrantRevoke(RangerService rangerService,
String userName) {
+ return isUserInConfigParameter(rangerService,
ServiceREST.Allowed_User_List_For_Grant_Revoke, userName);
+ }
+ public boolean isUserServiceAdmin(RangerService rangerService, String
userName) {
+ return isUserInConfigParameter(rangerService,
ServiceDBStore.SERVICE_ADMIN_USERS, userName);
+ }
+
+ public boolean isUserInConfigParameter(RangerService rangerService,
String configParamName, String userName) {
Map<String, String> map = rangerService.getConfigs();
- if (map != null && map.containsKey(cfgNameAllowedUsers)) {
- String userNames = map.get(cfgNameAllowedUsers);
+ if (map != null && map.containsKey(configParamName)) {
+ String userNames = map.get(configParamName);
String[] userList = userNames.split(",");
if (userList != null) {
for (String u : userList) {
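Review bot: `isUserInConfigParameter` dereferences `userNames` without a null check: `containsKey` can be true while `map.get(configParamName)` returns null, and `userNames.split(",")` would then throw instead of returning false. The result now feeds the `hasAdminPrivilege` decision in the secure grant/revoke paths, so a missing or empty value should fail closed; read the value once and guard it, e.g. `String userNames = map != null ? map.get(configParamName) : null;` followed by `if (userNames != null) {`. The `if (userList != null)` test is redundant because `String.split` never returns null. The loop body lies outside this hunk, so it cannot be confirmed here that entries are trimmed before comparison. The three public methods would also benefit from a short Javadoc naming the service config key each one reads.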
@@ -1422,7 +1429,7 @@ public class RangerBizUtil {
}
}
return false;
- }
+ }
public void blockAuditorRoleUser() {
UserSessionBase session = ContextUtil.getCurrentUserSession();
diff --git
a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 333672d..85289dd 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -229,7 +229,7 @@ public class ServiceDBStore extends AbstractServiceStore {
private static final String SERVICE_CHECK_USER = "service.check.user";
private static final String AMBARI_SERVICE_CHECK_USER =
"ambari.service.check.user";
- private static final String SERVICE_ADMIN_USERS =
"service.admin.users";
+ public static final String SERVICE_ADMIN_USERS =
"service.admin.users";
private static boolean isRolesDownloadedByService = false;
diff --git
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 20849f6..54c9ee3 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -1259,21 +1259,23 @@ public class ServiceREST {
perf =
RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.grantAccess(serviceName="
+ serviceName + ")");
}
-
validateGrantRevokeRequest(grantRequest);
+ // This is an open API - dont care
about who calls it. Caller is treated as privileged user
+ boolean hasAdminPrivilege = true;
+ String loggedInUser = null;
+
validateGrantRevokeRequest(grantRequest, hasAdminPrivilege, loggedInUser);
+
String userName =
grantRequest.getGrantor();
Set<String> userGroups =
CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ?
grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
String
ownerUser = grantRequest.getOwnerUser();
RangerAccessResource resource = new
RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()),
ownerUser);
- VXUser vxUser =
xUserService.getXUserByUserName(userName);
-
if(vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) ||
vxUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)){
- VXResponse vXResponse = new
VXResponse();
-
vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
- vXResponse.setMsgDesc("Operation"
- + " denied. LoggedInUser="
- + vxUser.getId()
- + " ,isn't permitted to perform the
action.");
- throw restErrorUtil.generateRESTException(vXResponse);
- }
+ VXUser vxUser =
xUserService.getXUserByUserName(userName);
+
+ if
(vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) ||
vxUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) {
+ VXResponse vXResponse = new
VXResponse();
+
vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+
vXResponse.setMsgDesc("Operation denied. LoggedInUser=" + vxUser.getId() + " is
not permitted to perform the action.");
+ throw
restErrorUtil.generateRESTException(vXResponse);
+ }
boolean isAdmin =
hasAdminAccess(serviceName, userName, userGroups, resource);
if(!isAdmin) {
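Review bot: Hard-coding `hasAdminPrivilege = true` with `loggedInUser = null` means the new grantor/ownerUser check in `validateGrantRevokeRequest` never runs for `grantAccess`, so grantor, grantor groups and ownerUser are still taken from the request body as sent. The comment "dont care about who calls it" does not say what restricts callers of this endpoint. It should state the trust assumption, e.g. `// Open API: the caller is not identified here, so grantor/ownerUser in the request are trusted as-is; access to this endpoint must be restricted outside this method`. The denial message prints `LoggedInUser=` with `vxUser.getId()`, but `vxUser` is looked up from the request's grantor, so `Grantor=` would be accurate for anyone reading the response or logs. The same applies to the `revokeAccess` hunk (`@@ -1489,22 +1489,23 @@`); both methods start and end outside their hunks.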
@@ -1359,42 +1361,40 @@ public class ServiceREST {
}
RESTResponse ret = new RESTResponse();
RangerPerfTracer perf = null;
- boolean isAllowed = false;
- boolean isKeyAdmin = bizUtil.isKeyAdmin();
- bizUtil.blockAuditorRoleUser();
- if(grantRequest!=null){
+ bizUtil.blockAuditorRoleUser();
+
+ if(grantRequest != null) {
if (serviceUtil.isValidService(serviceName, request)) {
try {
if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
perf =
RangerPerfTracer.getPerfTracer(PERF_LOG,
"ServiceREST.scureGrantAccess(serviceName=" + serviceName + ")");
}
-
validateGrantRevokeRequest(grantRequest);
+ XXService xService =
daoManager.getXXService().findByName(serviceName);
+ XXServiceDef xServiceDef =
daoManager.getXXServiceDef().getById(xService.getType());
+ RangerService rangerService =
svcStore.getServiceByName(serviceName);
+
+ String loggedInUser =
bizUtil.getCurrentUserLoginId();
+ boolean hasAdminPrivilege =
bizUtil.isAdmin() || bizUtil.isUserServiceAdmin(rangerService, loggedInUser) ||
bizUtil.isUserAllowedForGrantRevoke(rangerService, loggedInUser);
+
+
validateGrantRevokeRequest(grantRequest, hasAdminPrivilege, loggedInUser);
String userName =
grantRequest.getGrantor();
- Set<String> userGroups =
CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ?
grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
+ Set<String> userGroups =
grantRequest.getGrantorGroups();
String
ownerUser = grantRequest.getOwnerUser();
+
RangerAccessResource resource = new
RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()),
ownerUser);
- boolean isAdmin =
hasAdminAccess(serviceName, userName, userGroups, resource);
- XXService xService =
daoManager.getXXService().findByName(serviceName);
- XXServiceDef xServiceDef =
daoManager.getXXServiceDef().getById(xService.getType());
- RangerService rangerService =
svcStore.getServiceByName(serviceName);
+ boolean isAllowed = false;
if
(StringUtils.equals(xServiceDef.getImplclassname(),
EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
- if (isKeyAdmin) {
+ if (bizUtil.isKeyAdmin() ||
bizUtil.isUserAllowedForGrantRevoke(rangerService, loggedInUser)) {
isAllowed = true;
- }else {
- isAllowed =
bizUtil.isUserAllowedForGrantRevoke(rangerService,
Allowed_User_List_For_Grant_Revoke, userName);
- }
- }else{
- if (isAdmin) {
- isAllowed = true;
- }
- else{
- isAllowed =
bizUtil.isUserAllowedForGrantRevoke(rangerService,
Allowed_User_List_For_Grant_Revoke, userName);
}
+ } else {
+ isAllowed = hasAdminPrivilege
|| hasAdminAccess(serviceName, userName, userGroups, resource);
}
+
if (isAllowed) {
RangerPolicy policy =
getExactMatchPolicyForResource(serviceName, resource, userName);
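Review bot: `Set<String> userGroups = grantRequest.getGrantorGroups();` is safe to pass to `hasAdminAccess` only because `validateGrantRevokeRequest` has already overwritten the request's grantor groups from `userMgr` for non-privileged callers, and nothing here says so. If the read were moved above the validation call, or the validator stopped mutating the request, caller-supplied groups would reach the admin-access check. A comment on that line would pin the ordering, e.g. `// for non-privileged callers validateGrantRevokeRequest() has replaced grantorGroups with the groups looked up for the grantor; must be read after that call`. The `hasAdminPrivilege` expression is duplicated verbatim in the `secureRevokeAccess` hunk (`@@ -1554,40 +1555,38 @@`), so a small private helper would keep the two authorization decisions from drifting apart. The method begins and ends outside this hunk.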
@@ -1489,22 +1489,23 @@ public class ServiceREST {
perf =
RangerPerfTracer.getPerfTracer(PERF_LOG,
"ServiceREST.revokeAccess(serviceName=" + serviceName + ")");
}
-
validateGrantRevokeRequest(revokeRequest);
+ // This is an open API - dont care
about who calls it. Caller is treated as privileged user
+ boolean hasAdminPrivilege = true;
+ String loggedInUser = null;
+
validateGrantRevokeRequest(revokeRequest, hasAdminPrivilege, loggedInUser);
String userName =
revokeRequest.getGrantor();
Set<String> userGroups =
CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups()) ?
revokeRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
String
ownerUser = revokeRequest.getOwnerUser();
RangerAccessResource resource = new
RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()),
ownerUser);
- VXUser vxUser =
xUserService.getXUserByUserName(userName);
-
if(vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) ||
vxUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)){
- VXResponse vXResponse = new
VXResponse();
-
vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
- vXResponse.setMsgDesc("Operation"
- + " denied. LoggedInUser="
- + vxUser.getId()
- + " ,isn't permitted to perform the
action.");
- throw restErrorUtil.generateRESTException(vXResponse);
- }
+ VXUser vxUser =
xUserService.getXUserByUserName(userName);
+
+ if
(vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) ||
vxUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) {
+ VXResponse vXResponse = new
VXResponse();
+
vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+
vXResponse.setMsgDesc("Operation denied. LoggedInUser=" + vxUser.getId() + " is
not permitted to perform the action.");
+ throw
restErrorUtil.generateRESTException(vXResponse);
+ }
boolean isAdmin =
hasAdminAccess(serviceName, userName, userGroups, resource);
if(!isAdmin) {
@@ -1554,40 +1555,38 @@ public class ServiceREST {
}
RESTResponse ret = new RESTResponse();
RangerPerfTracer perf = null;
- if(revokeRequest!=null){
+ bizUtil.blockAuditorRoleUser();
+
+ if (revokeRequest != null) {
if (serviceUtil.isValidService(serviceName,request)) {
try {
if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
perf =
RangerPerfTracer.getPerfTracer(PERF_LOG,
"ServiceREST.secureRevokeAccess(serviceName=" + serviceName + ")");
}
-
validateGrantRevokeRequest(revokeRequest);
-
- String userName =
revokeRequest.getGrantor();
- Set<String> userGroups =
CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups()) ?
revokeRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
- String
ownerUser = revokeRequest.getOwnerUser();
- RangerAccessResource resource = new
RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()),
ownerUser);
- boolean isAdmin =
hasAdminAccess(serviceName, userName, userGroups, resource);
- boolean isAllowed = false;
- boolean isKeyAdmin =
bizUtil.isKeyAdmin();
- bizUtil.blockAuditorRoleUser();
XXService xService =
daoManager.getXXService().findByName(serviceName);
XXServiceDef xServiceDef =
daoManager.getXXServiceDef().getById(xService.getType());
RangerService rangerService =
svcStore.getServiceByName(serviceName);
+ String loggedInUser =
bizUtil.getCurrentUserLoginId();
+ boolean hasAdminPrivilege =
bizUtil.isAdmin() || bizUtil.isUserServiceAdmin(rangerService, loggedInUser) ||
bizUtil.isUserAllowedForGrantRevoke(rangerService, loggedInUser);
+
+
validateGrantRevokeRequest(revokeRequest, hasAdminPrivilege, loggedInUser);
+
+ String userName =
revokeRequest.getGrantor();
+ Set<String> userGroups =
revokeRequest.getGrantorGroups();
+ String ownerUser =
revokeRequest.getOwnerUser();
+
+ RangerAccessResource resource = new
RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()),
ownerUser);
+
+ boolean isAllowed = false;
+
if
(StringUtils.equals(xServiceDef.getImplclassname(),
EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
- if (isKeyAdmin) {
+ if (bizUtil.isKeyAdmin() ||
bizUtil.isUserAllowedForGrantRevoke(rangerService, loggedInUser)) {
isAllowed = true;
- }else {
- isAllowed =
bizUtil.isUserAllowedForGrantRevoke(rangerService,
Allowed_User_List_For_Grant_Revoke, userName);
- }
- }else{
- if (isAdmin) {
- isAllowed = true;
- }
- else{
- isAllowed =
bizUtil.isUserAllowedForGrantRevoke(rangerService,
Allowed_User_List_For_Grant_Revoke, userName);
}
+ } else {
+ isAllowed = hasAdminPrivilege
|| hasAdminAccess(serviceName, userName, userGroups, resource);
}
if (isAllowed) {
@@ -3916,13 +3915,20 @@ public class ServiceREST {
return ret;
}
- private void validateGrantRevokeRequest(GrantRevokeRequest request){
- if( request!=null){
+ private void validateGrantRevokeRequest(GrantRevokeRequest request,
final boolean hasAdminPrivilege, final String loggedInUser) {
+ if (request != null) {
validateUsersGroupsAndRoles(request.getUsers(),request.getGroups(),
request.getRoles());
validateGrantor(request.getGrantor());
validateGrantees(request.getUsers());
validateGroups(request.getGroups());
validateRoles(request.getRoles());
+
+ if (!hasAdminPrivilege) {
+ if (!StringUtils.equals(request.getGrantor(),
loggedInUser) || StringUtils.isNotBlank(request.getOwnerUser())) {
+ throw
restErrorUtil.createGrantRevokeRESTException("Invalid grant/revoke request -
contains grantor or userOwner specification");
+ }
+
request.setGrantorGroups(userMgr.getGroupsForUser(request.getGrantor()));
+ }
}
}
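Review bot: The rejection text "contains grantor or userOwner specification" misstates the rule enforced by the new `!hasAdminPrivilege` branch. A grantor is always supplied (`validateGrantor` runs above); the request is refused when the grantor differs from the logged-in user or when `ownerUser` is set, and the field is `ownerUser`, not `userOwner`. A message such as `"Invalid grant/revoke request - grantor must be the logged-in user and ownerUser must not be specified"` tells the caller what to fix. Since this branch is what stops a non-privileged user from acting as another grantor, logging `loggedInUser` and the requested grantor before the throw would make such attempts visible, if the class has a logger. `StringUtils.equals` treats two nulls as equal, so the check relies on `validateGrantor` rejecting a missing grantor; a short comment noting that, and that this validator also rewrites `grantorGroups`, would help the next reader.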