This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new d62bede RANGER-2703: Grant operation succeeds even though there is no
delegate admin permission
new 375e736 Merge branch 'master' of
https://gitbox.apache.org/repos/asf/ranger
d62bede is described below
commit d62bedef4232e846cb24d8a1629fb7b242d4575e
Author: Kishor Gollapalliwar <[email protected]>
AuthorDate: Thu Jan 16 12:10:14 2020 +0530
RANGER-2703: Grant operation succeeds even though there is no delegate
admin permission
---
.../plugin/store/EmbeddedServiceDefsUtil.java | 5 +++++
.../java/org/apache/ranger/biz/RangerBizUtil.java | 18 ++++++++++++++++
.../main/java/org/apache/ranger/rest/RoleREST.java | 24 ++++------------------
.../java/org/apache/ranger/rest/ServiceREST.java | 18 +++++++++++-----
4 files changed, 40 insertions(+), 25 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
b/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
index e96f881..2b007d2 100755
---
a/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
@@ -300,6 +300,11 @@ public class EmbeddedServiceDefsUtil {
ret = gsonBuilder.fromJson(reader, RangerServiceDef.class);
+ //Set DEFAULT displayName if missing
+ if (ret != null && StringUtils.isBlank(ret.getDisplayName())) {
+ ret.setDisplayName(ret.getName());
+ }
+
if(LOG.isDebugEnabled()) {
LOG.debug("==>
EmbeddedServiceDefsUtil.loadEmbeddedServiceDef(" + serviceType + ")");
}
diff --git
a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index 71511dc..21308b1 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -65,6 +65,7 @@ import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.rest.ServiceREST;
import org.apache.ranger.security.context.RangerAdminOpContext;
import org.apache.ranger.security.context.RangerContextHolder;
+import org.apache.ranger.service.XUserService;
import org.apache.ranger.view.VXPortalUser;
import org.apache.ranger.view.VXResource;
import org.apache.ranger.view.VXResponse;
@@ -91,6 +92,9 @@ public class RangerBizUtil {
UserMgr userMgr;
@Autowired
+ XUserService xUserService;
+
+ @Autowired
GUIDUtil guidUtil;
Set<Class<?>> groupEditableClasses;
@@ -1413,6 +1417,19 @@ public class RangerBizUtil {
public boolean isUserAllowedForGrantRevoke(RangerService rangerService,
String userName) {
return isUserInConfigParameter(rangerService,
ServiceREST.Allowed_User_List_For_Grant_Revoke, userName);
}
+
+ public boolean isUserRangerAdmin(String username) {
+ boolean isAdmin = false;
+ try {
+ VXUser vxUser =
xUserService.getXUserByUserName(username);
+ if (vxUser != null &&
(vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN) ||
vxUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN))) {
+ isAdmin = true;
+ }
+ } catch (Exception ex) {
+ }
+ return isAdmin;
+ }
+
public boolean isUserServiceAdmin(RangerService rangerService, String
userName) {
return isUserInConfigParameter(rangerService,
ServiceDBStore.SERVICE_ADMIN_USERS, userName);
}
@@ -1517,4 +1534,5 @@ public class RangerBizUtil {
}
}
}
+
}
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
index 9b225a3..d690297 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
@@ -47,7 +47,6 @@ import org.apache.ranger.common.RangerSearchUtil;
import org.apache.ranger.common.RangerValidatorFactory;
import org.apache.ranger.common.ServiceUtil;
import org.apache.ranger.common.UserSessionBase;
-import org.apache.ranger.common.RangerConstants;
import org.apache.ranger.common.PropertiesUtil;
import org.apache.ranger.common.ContextUtil;
import org.apache.ranger.db.RangerDaoManager;
@@ -67,7 +66,6 @@ import org.apache.ranger.plugin.util.SearchFilter;
import org.apache.ranger.service.RangerRoleService;
import org.apache.ranger.service.XUserService;
import org.apache.ranger.view.RangerRoleList;
-import org.apache.ranger.view.VXUser;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Component;
@@ -879,7 +877,7 @@ public class RoleREST {
UserSessionBase usb = ContextUtil.getCurrentUserSession();
String loggedInUser = usb != null ? usb.getLoginId() : null;
if (!StringUtil.equals(userName, loggedInUser)) {
- if (!userIsRangerAdmin(loggedInUser) &&
!userIsSrvAdmOrSrvUser(serviceName, loggedInUser)) {
+ if (!bizUtil.isUserRangerAdmin(loggedInUser) &&
!userIsSrvAdmOrSrvUser(serviceName, loggedInUser)) {
throw new Exception("User does not have permission for this
operation");
}
effectiveUser = userName != null ? userName : loggedInUser;
@@ -887,7 +885,7 @@ public class RoleREST {
effectiveUser = loggedInUser;
}
- if (!userIsRangerAdmin(effectiveUser)) {
+ if (!bizUtil.isUserRangerAdmin(effectiveUser)) {
throw new Exception("User " + effectiveUser + " does not have
permission for this operation");
}
}
@@ -906,7 +904,7 @@ public class RoleREST {
UserSessionBase usb = ContextUtil.getCurrentUserSession();
String loggedInUser = usb != null ? usb.getLoginId() : null;
if (!StringUtil.equals(userName, loggedInUser)) {
- if (!userIsRangerAdmin(loggedInUser) &&
!userIsSrvAdmOrSrvUser(serviceName, loggedInUser)) {
+ if (!bizUtil.isUserRangerAdmin(loggedInUser) &&
!userIsSrvAdmOrSrvUser(serviceName, loggedInUser)) {
LOG.error("User does not have permission for this operation");
return null;
}
@@ -915,7 +913,7 @@ public class RoleREST {
effectiveUser = loggedInUser;
}
try {
- if (!userIsRangerAdmin(effectiveUser)) {
+ if (!bizUtil.isUserRangerAdmin(effectiveUser)) {
existingRole = roleStore.getRole(roleName);
ensureRoleAccess(effectiveUser, userGroups, existingRole);
@@ -930,19 +928,6 @@ public class RoleREST {
return existingRole;
}
- private boolean userIsRangerAdmin(String username) {
- boolean isAdmin = false;
- try {
- VXUser vxUser = xUserService.getXUserByUserName(username);
- if (vxUser != null &&
(vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN) ||
vxUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN))) {
- isAdmin = true;
- }
- } catch (Exception ex) {
- LOG.error("User " + username + " does not have permissions for
this operation" + ex.getMessage());
- }
- return isAdmin;
- }
-
private boolean userIsSrvAdmOrSrvUser(String serviceName, String username)
{
boolean isServiceAdmin = false;
@@ -1300,4 +1285,3 @@ public class RoleREST {
}
}
}
-
diff --git
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index f27be59..8618f32 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -1281,7 +1281,10 @@ public class ServiceREST {
vXResponse.setMsgDesc("Operation denied. LoggedInUser=" + vxUser.getId() + " is
not permitted to perform the action.");
throw
restErrorUtil.generateRESTException(vXResponse);
}
- boolean isAdmin =
hasAdminAccess(serviceName, userName, userGroups, resource);
+ RangerService rangerService =
svcStore.getServiceByName(serviceName);
+
+ boolean isAdmin =
bizUtil.isUserRangerAdmin(userName) ||
bizUtil.isUserServiceAdmin(rangerService, userName) ||
hasAdminAccess(serviceName, userName, userGroups, resource);
+
if(!isAdmin) {
throw
restErrorUtil.createGrantRevokeRESTException( "User doesn't have necessary
permission to grant access");
@@ -1397,7 +1400,7 @@ public class ServiceREST {
isAllowed = true;
}
} else {
- isAllowed = hasAdminPrivilege
|| hasAdminAccess(serviceName, userName, userGroups, resource);
+ isAllowed =
bizUtil.isUserRangerAdmin(userName) ||
bizUtil.isUserServiceAdmin(rangerService, userName) ||
hasAdminAccess(serviceName, userName, userGroups, resource);
}
if (isAllowed) {
@@ -1511,7 +1514,9 @@ public class ServiceREST {
vXResponse.setMsgDesc("Operation denied. LoggedInUser=" + vxUser.getId() + " is
not permitted to perform the action.");
throw
restErrorUtil.generateRESTException(vXResponse);
}
- boolean isAdmin =
hasAdminAccess(serviceName, userName, userGroups, resource);
+ RangerService rangerService =
svcStore.getServiceByName(serviceName);
+
+ boolean isAdmin =
bizUtil.isUserRangerAdmin(userName) ||
bizUtil.isUserServiceAdmin(rangerService, userName) ||
hasAdminAccess(serviceName, userName, userGroups, resource);
if(!isAdmin) {
throw
restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary
permission to revoke access");
@@ -1591,7 +1596,7 @@ public class ServiceREST {
isAllowed = true;
}
} else {
- isAllowed = hasAdminPrivilege
|| hasAdminAccess(serviceName, userName, userGroups, resource);
+ isAllowed =
bizUtil.isUserRangerAdmin(userName) ||
bizUtil.isUserServiceAdmin(rangerService, userName) ||
hasAdminAccess(serviceName, userName, userGroups, resource);
}
if (isAllowed) {
@@ -2265,7 +2270,9 @@ public class ServiceREST {
if (CollectionUtils.isNotEmpty(serviceNameList) &&
serviceNameList.contains(serviceName) && !sourceServices.contains(serviceName)
&& !destinationServices.contains(serviceName)) {
sourceServices.add(serviceName);
destinationServices.add(serviceName);
-
} else if (CollectionUtils.isEmpty(serviceNameList) &&
!sourceServices.contains(serviceName) &&
!destinationServices.contains(serviceName)) {
+
} else if (CollectionUtils.isEmpty(serviceNameList)
+
&& !sourceServices.contains(serviceName)
+
&& !destinationServices.contains(serviceName)) {
sourceServices.add(serviceName);
destinationServices.add(serviceName);
}
@@ -3608,6 +3615,7 @@ public class ServiceREST {
if(userGroups == null) {
userGroups =
daoManager.getXXGroupUser().findGroupNamesByUserName(userName);
}
+
Set<String> roles =
policyAdmin.getRolesFromUserAndGroups(userName, userGroups);
for (RangerPolicy policy :
listToFilter) {
