This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch ranger-2.2 in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 60e453f754cca269455608be41e253d322b4d528 Author: nixonrodrigues <[email protected]> AuthorDate: Mon Nov 9 18:37:46 2020 +0530 RANGER-3075: Add new authorization privilege - admin-audits in Ranger-Atlas service. Signed-off-by: Mehul Parikh <[email protected]> (cherry picked from commit 63a125c0f4bccc88e5dc4e58759c18880aefb3c1) --- .../service-defs/ranger-servicedef-atlas.json | 7 +- .../optimized/current/ranger_core_db_mysql.sql | 1 + .../optimized/current/ranger_core_db_oracle.sql | 1 + .../optimized/current/ranger_core_db_postgres.sql | 1 + .../current/ranger_core_db_sqlanywhere.sql | 2 + .../optimized/current/ranger_core_db_sqlserver.sql | 1 + .../patch/PatchForAtlasAdminAudits_J10042.java | 160 +++++++++++++++++++++ 7 files changed, 172 insertions(+), 1 deletion(-) diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json index 68a3d36..4ce7ec9 100644 --- a/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json +++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json @@ -115,7 +115,7 @@ }, "label": "Atlas Service", "description": "Atlas Service", - "accessTypeRestrictions": ["admin-import", "admin-export", "admin-purge"] + "accessTypeRestrictions": ["admin-import", "admin-export", "admin-purge", "admin-audits"] }, { "itemId": 7, @@ -406,6 +406,11 @@ "itemId": 20, "name": "type-read", "label": "Read Type" + }, + { + "itemId": 21, + "name": "admin-audits", + "label": "Admin Audits" } ], "configs": [ diff --git a/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql b/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql index 71e0019..393125a 100644 --- a/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql +++ b/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql @@ -1828,4 +1828,5 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10038',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y'); INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10040',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y'); INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10041',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y'); +INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10042',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y'); INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y'); diff --git a/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql b/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql index 0137a9d..ecd595a 100644 --- a/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql +++ b/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql @@ -2042,5 +2042,6 @@ INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,act INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10038',sys_extract_utc(systimestamp),'Ranger 1.0.0',sys_extract_utc(systimestamp),'localhost','Y'); INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10040',sys_extract_utc(systimestamp),'Ranger 1.0.0',sys_extract_utc(systimestamp),'localhost','Y'); INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10041',sys_extract_utc(systimestamp),'Ranger 1.0.0',sys_extract_utc(systimestamp),'localhost','Y'); +INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10042',sys_extract_utc(systimestamp),'Ranger 1.0.0',sys_extract_utc(systimestamp),'localhost','Y'); INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'JAVA_PATCHES',sys_extract_utc(systimestamp),'Ranger 1.0.0',sys_extract_utc(systimestamp),'localhost','Y'); commit; diff --git a/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql b/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql index d00af37..dc79c2b 100644 --- a/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql +++ b/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql @@ -1966,6 +1966,7 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10038',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y'); INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10040',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y'); INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10041',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y'); +INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10042',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y'); INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y'); DROP VIEW IF EXISTS vx_trx_log; diff --git a/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql b/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql index 7791a9a..bb8825f 100644 --- a/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql +++ b/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql @@ -2382,6 +2382,8 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active GO INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10041',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y'); GO +INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10042',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y'); +GO INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y'); GO exit diff --git a/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql b/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql index addb566..3c4c1ec 100644 --- a/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql +++ b/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql @@ -4157,6 +4157,7 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10038',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y'); INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10040',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y'); INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10041',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y'); +INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10042',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y'); INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y'); GO CREATE VIEW [dbo].[vx_trx_log] AS diff --git a/security-admin/src/main/java/org/apache/ranger/patch/PatchForAtlasAdminAudits_J10042.java b/security-admin/src/main/java/org/apache/ranger/patch/PatchForAtlasAdminAudits_J10042.java new file mode 100644 index 0000000..892e6c1 --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/patch/PatchForAtlasAdminAudits_J10042.java @@ -0,0 +1,160 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.ranger.patch; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; +import org.apache.log4j.Logger; +import org.apache.ranger.biz.ServiceDBStore; +import org.apache.ranger.common.RangerValidatorFactory; +import org.apache.ranger.db.RangerDaoManager; +import org.apache.ranger.entity.XXServiceDef; +import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef; +import org.apache.ranger.plugin.model.validation.RangerServiceDefValidator; +import org.apache.ranger.plugin.model.validation.RangerValidator.Action; +import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; +import org.apache.ranger.util.CLIUtil; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +@Component +public class PatchForAtlasAdminAudits_J10042 extends BaseLoader { + private static final Logger logger = Logger.getLogger(PatchForAtlasAdminAudits_J10042.class); + + private static final List<String> ATLAS_RESOURCES = new ArrayList<>( + Arrays.asList("atlas-service")); + private static final List<String> ATLAS_ACCESS_TYPES = new ArrayList<>( + Arrays.asList("admin-audits")); + + @Autowired + RangerDaoManager daoMgr; + + @Autowired + ServiceDBStore svcDBStore; + + @Autowired + RangerValidatorFactory validatorFactory; + + @Autowired + ServiceDBStore svcStore; + + public static void main(String[] args) { + logger.info("main()"); + try { + PatchForAtlasAdminAudits_J10042 loader = (PatchForAtlasAdminAudits_J10042) CLIUtil + .getBean(PatchForAtlasAdminAudits_J10042.class); + loader.init(); + while (loader.isMoreToProcess()) { + loader.load(); + } + logger.info("Load complete. Exiting!!!"); + System.exit(0); + } catch (Exception e) { + logger.error("Error loading", e); + System.exit(1); + } + } + + @Override + public void init() throws Exception { + // Do Nothing + } + + @Override + public void execLoad() { + logger.info("==> PatchForAtlasAdminAudits_J10042.execLoad()"); + try { + addAdminAuditsPermissionInServiceDef(); + } catch (Exception e) { + throw new RuntimeException( + "Error while updating " + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME + " service-def"); + } + logger.info("<== PatchForAtlasAdminAudits_J10042.execLoad()"); + } + + @Override + public void printStats() { + logger.info("PatchForAtlasAdminAudits_J10042 Logs"); + } + + private void addAdminAuditsPermissionInServiceDef() throws Exception { + RangerServiceDef ret = null; + RangerServiceDef embeddedAtlasServiceDef = null; + XXServiceDef xXServiceDefObj = null; + RangerServiceDef dbAtlasServiceDef = null; + List<RangerServiceDef.RangerResourceDef> embeddedAtlasResourceDefs = null; + List<RangerServiceDef.RangerAccessTypeDef> embeddedAtlasAccessTypes = null; + + embeddedAtlasServiceDef = EmbeddedServiceDefsUtil.instance() + .getEmbeddedServiceDef(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME); + if (embeddedAtlasServiceDef != null) { + xXServiceDefObj = daoMgr.getXXServiceDef() + .findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME); + if (xXServiceDefObj == null) { + logger.info(xXServiceDefObj + ": service-def not found. No patching is needed"); + return; + } + + dbAtlasServiceDef = svcDBStore.getServiceDefByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME); + + embeddedAtlasResourceDefs = embeddedAtlasServiceDef.getResources(); + embeddedAtlasAccessTypes = embeddedAtlasServiceDef.getAccessTypes(); + + if (checkResourcePresent(embeddedAtlasResourceDefs)) { + dbAtlasServiceDef.setResources(embeddedAtlasResourceDefs); + if (checkAccessPresent(embeddedAtlasAccessTypes)) { + dbAtlasServiceDef.setAccessTypes(embeddedAtlasAccessTypes); + } + } + + RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore); + validator.validate(dbAtlasServiceDef, Action.UPDATE); + ret = svcStore.updateServiceDef(dbAtlasServiceDef); + if (ret == null) { + logger.error("Error while updating " + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME + + " service-def"); + throw new RuntimeException("Error while updating " + + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME + " service-def"); + } + } + } + + private boolean checkResourcePresent(List<RangerServiceDef.RangerResourceDef> resourceDefs) { + boolean ret = false; + for (RangerServiceDef.RangerResourceDef resourceDef : resourceDefs) { + if (ATLAS_RESOURCES.contains(resourceDef.getName())) { + ret = true; + break; + } + } + return ret; + } + + private boolean checkAccessPresent(List<RangerAccessTypeDef> embeddedAtlasAccessTypes) { + boolean ret = false; + for (RangerServiceDef.RangerAccessTypeDef accessDef : embeddedAtlasAccessTypes) { + if (ATLAS_ACCESS_TYPES.contains(accessDef.getName())) { + ret = true; + break; + } + } + return ret; + } +} \ No newline at end of file
