This is an automated email from the ASF dual-hosted git repository.

mehul pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 8f177b0  RANGER-3361 : Improve error message while deleting users and 
groups associated with role
8f177b0 is described below

commit 8f177b03b22875ba46537371136d3bd6a330fa48
Author: mateenmansoori <[email protected]>
AuthorDate: Thu Aug 12 14:50:15 2021 +0530

    RANGER-3361 : Improve error message while deleting users and groups 
associated with role
    
    Signed-off-by: Mehul Parikh <[email protected]>
---
 .../main/java/org/apache/ranger/biz/XUserMgr.java  | 64 +++++++++++++++++-----
 .../java/org/apache/ranger/biz/TestXUserMgr.java   | 20 +++++++
 2 files changed, 70 insertions(+), 14 deletions(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 
b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index 38b06d1..6596bac 100755
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -74,6 +74,9 @@ import org.apache.ranger.entity.XXPermMap;
 import org.apache.ranger.entity.XXPolicy;
 import org.apache.ranger.entity.XXPortalUser;
 import org.apache.ranger.entity.XXResource;
+import org.apache.ranger.entity.XXRole;
+import org.apache.ranger.entity.XXRoleRefGroup;
+import org.apache.ranger.entity.XXRoleRefUser;
 import org.apache.ranger.entity.XXSecurityZone;
 import org.apache.ranger.entity.XXSecurityZoneRefGroup;
 import org.apache.ranger.entity.XXSecurityZoneRefUser;
@@ -98,6 +101,8 @@ import 
org.springframework.transaction.support.TransactionTemplate;
 public class XUserMgr extends XUserMgrBase {
 
        private static final String RANGER_USER_GROUP_GLOBAL_STATE_NAME = 
"RangerUserStore";
+       private static final String USER = "User";
+       private static final String GROUP = "Group";
        private static final int MAX_DB_TRANSACTION_RETRIES = 5;
 
        @Autowired
@@ -2031,6 +2036,7 @@ public class XUserMgr extends XUserMgrBase {
        public void deleteXGroup(Long id, boolean force) {
                checkAdminAccess();
                blockIfZoneGroup(id);
+               this.blockIfRoleGroup(id);
                xaBizUtil.blockAuditorRoleUser();
                XXGroupDao xXGroupDao = daoManager.getXXGroup();
                XXGroup xXGroup = xXGroupDao.getById(id);
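Review bot: `this.blockIfRoleGroup(id)` is placed ahead of `xaBizUtil.blockAuditorRoleUser()`, so its 400 response, which lists the role names that reference the group, is built before that access check has run. If `checkAdminAccess()` lets through any caller that `blockAuditorRoleUser()` would reject (neither method body is visible here), that caller learns role associations from a request they are not permitted to make. The same ordering already applies to `blockIfZoneGroup(id)`. Moving `xaBizUtil.blockAuditorRoleUser();` to directly after `checkAdminAccess();` would keep both authorization checks ahead of any lookup. The body of `deleteXGroup` continues outside the hunk.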
@@ -2207,14 +2213,9 @@ public class XUserMgr extends XUserMgrBase {
                        for(XXSecurityZoneRefGroup zoneRefGrp : zoneRefGrpList) 
{
                                XXSecurityZone 
xSecZone=daoManager.getXXSecurityZoneDao().getById(zoneRefGrp.getZoneId());
                                if(zones.indexOf(xSecZone.getName())<0)
-                                       zones.append(", " + xSecZone.getName());
+                                       zones.append(xSecZone.getName() + ",");
                        }
-                       logger.info("Can Not Delete Group :" + 
zoneRefGrpList.get(0).getGroupName() + "' as its already present in Zone " 
+zones);
-                       VXResponse vXResponse = new VXResponse();
-                       
vXResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST);
-                       vXResponse.setMsgDesc(
-                                       "Can Not Delete Group '" + 
zoneRefGrpList.get(0).getGroupName() + "' as its already present in Zone " 
+zones);
-                       throw restErrorUtil.generateRESTException(vXResponse);
+                       
this.prepareAndThrow(zoneRefGrpList.get(0).getGroupName(), 
RangerConstants.MODULE_SECURITY_ZONE, zones, GROUP);
                }
        }
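Review bot: The server log loses the zone list on this path. The removed `logger.info` line recorded the zones that blocked the group delete, while `prepareAndThrow` (added in the @@ -2414 hunk) logs only `"Can Not Delete " + userOrGrp + ":" + userGrpName`, so an operator reading the log can no longer see which zone or role association stopped the deletion. Building the text once in the helper and using it for both sinks keeps the log and the response in step: `final String msg = ...;` then `logger.error(msg);` and `vXResponse.setMsgDesc(msg);`. The names come from stored user and group records, so if those can contain line breaks (not visible here) they should be neutralised before being written to the log. The enclosing method starts outside the hunk.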
 
@@ -2241,6 +2242,7 @@ public class XUserMgr extends XUserMgrBase {
                }
                restrictSelfAccountDeletion(vXUser.getName().trim());
                blockIfZoneUser(id);
+               this.blockIfRoleUser(id);
                SearchCriteria searchCriteria = new SearchCriteria();
                searchCriteria.addParam("xUserId", id);
                VXGroupUserList vxGroupUserList = 
searchXGroupUsers(searchCriteria);
@@ -2414,17 +2416,51 @@ public class XUserMgr extends XUserMgrBase {
                        for(XXSecurityZoneRefUser zoneRefUser :zoneRefUserList 
) {
                                XXSecurityZone xSecZone = 
daoManager.getXXSecurityZoneDao().getById(zoneRefUser.getZoneId());
                                if(zones.indexOf(xSecZone.getName())<0)
-                                       zones.append(", " + xSecZone.getName());
+                                       zones.append(xSecZone.getName() + ",");
                        }
-                       logger.info("Can Not Delete User :" + 
zoneRefUserList.get(0).getUserName());
-                       VXResponse vXResponse = new VXResponse();
-                       
vXResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST);
-                       vXResponse.setMsgDesc(
-                                       "Can Not Delete User '"+ 
zoneRefUserList.get(0).getUserName() +"' as its already present in Zone" + 
zones);
-                       throw restErrorUtil.generateRESTException(vXResponse);
+                       
this.prepareAndThrow(zoneRefUserList.get(0).getUserName(), 
RangerConstants.MODULE_SECURITY_ZONE, zones, USER);
+               }
+       }
+
+       private void blockIfRoleUser(Long id) {
+               List<XXRoleRefUser> roleRefUsers = 
this.daoManager.getXXRoleRefUser().findByUserId(id);
+               if (CollectionUtils.isNotEmpty(roleRefUsers)) {
+                       StringBuilder roles = new StringBuilder();
+                       for (XXRoleRefUser roleRefUser : roleRefUsers) {
+                               XXRole xxRole = 
this.daoManager.getXXRole().getById(roleRefUser.getRoleId());
+                               final String roleName = xxRole.getName();
+                               if (roles.indexOf(roleName) < 0)
+                                       roles.append(roleName + ",");
+                       }
+                       final String roleRefUserName = 
roleRefUsers.get(0).getUserName();
+                       this.prepareAndThrow(roleRefUserName, 
RangerConstants.ROLE_FIELD, roles, USER);
                }
        }
 
+       private void blockIfRoleGroup(Long id) {
+               List<XXRoleRefGroup> roleRefGroups = 
this.daoManager.getXXRoleRefGroup().findByGroupId(id);
+               if (CollectionUtils.isNotEmpty(roleRefGroups)) {
+                       StringBuilder roles = new StringBuilder();
+                       for (XXRoleRefGroup roleRefGroup : roleRefGroups) {
+                               XXRole xxRole = 
this.daoManager.getXXRole().getById(roleRefGroup.getRoleId());
+                               final String roleName = xxRole.getName();
+                               if (roles.indexOf(roleName) < 0)
+                                       roles.append(roleName + ",");
+                       }
+                       final String roleRefGroupName = 
roleRefGroups.get(0).getGroupName();
+                       this.prepareAndThrow(roleRefGroupName, 
RangerConstants.ROLE_FIELD, roles, GROUP);
+               }
+       }
+
+       private void prepareAndThrow(String userGrpName, String moduleName, 
StringBuilder rolesOrZones, String userOrGrp) {
+               logger.error("Can Not Delete " + userOrGrp + ":" + userGrpName);
+               VXResponse vXResponse = new VXResponse();
+               vXResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST);
+               vXResponse.setMsgDesc("Can Not Delete " + userOrGrp + ": '" + 
userGrpName + "' as its present in " + moduleName
+                               + " : " + 
rolesOrZones.deleteCharAt(rolesOrZones.length() - 1));
+               throw restErrorUtil.generateRESTException(vXResponse);
+       }
+
        private <T extends RangerPolicyItem> void 
removeUserGroupReferences(List<T> policyItems, String user, String group) {
                List<T> itemsToRemove = null;
                for(T policyItem : policyItems) {
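Review bot: The de-duplication `roles.indexOf(roleName) < 0` in `blockIfRoleUser` and `blockIfRoleGroup` is a substring match, as is the same test on `zones` in the zone loops here and in the @@ -2207 hunk. A role named `ops` would be left out of the message if `ops_admin` was appended first (constructed example), so the administrator sees an incomplete list of what still references the principal. If nothing is appended at all (an empty name makes `indexOf` return 0), `prepareAndThrow` calls `deleteCharAt(-1)` and the intended 400 becomes a `StringIndexOutOfBoundsException`; a null from `getById` for a stale reference would fail similarly with a `NullPointerException`, though whether that can occur depends on constraints not visible here. Collecting the names in a `LinkedHashSet` and joining them removes both the substring match and the trailing-comma trim. `blockIfRoleGroup` and the zone loops would change the same way, and `java.util.Set`/`java.util.LinkedHashSet` need importing if the file does not already have them.

```java
private void blockIfRoleUser(Long id) {
        List<XXRoleRefUser> roleRefUsers = this.daoManager.getXXRoleRefUser().findByUserId(id);
        if (CollectionUtils.isNotEmpty(roleRefUsers)) {
                // Exact-match de-duplication that keeps first-seen order for the message.
                Set<String> roleNames = new LinkedHashSet<>();
                for (XXRoleRefUser roleRefUser : roleRefUsers) {
                        XXRole xxRole = this.daoManager.getXXRole().getById(roleRefUser.getRoleId());
                        // A stale reference must not turn the 400 into a server error.
                        if (xxRole != null) {
                                roleNames.add(xxRole.getName());
                        }
                }
                // … unchanged: roleRefUserName lookup …
                this.prepareAndThrow(roleRefUserName, RangerConstants.ROLE_FIELD,
                                new StringBuilder(String.join(",", roleNames)), USER);
        }
}

private void prepareAndThrow(String userGrpName, String moduleName, StringBuilder rolesOrZones, String userOrGrp) {
        // … unchanged: log line, VXResponse creation, status code …
        // No trailing separator to trim any more, so an empty list cannot throw.
        vXResponse.setMsgDesc("Can Not Delete " + userOrGrp + ": '" + userGrpName + "' as its present in " + moduleName
                        + " : " + rolesOrZones);
        throw restErrorUtil.generateRESTException(vXResponse);
}
```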
diff --git 
a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java 
b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
index cfd66b1..5b201ec 100644
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
@@ -50,6 +50,8 @@ import org.apache.ranger.db.XXPolicyDao;
 import org.apache.ranger.db.XXPortalUserDao;
 import org.apache.ranger.db.XXPortalUserRoleDao;
 import org.apache.ranger.db.XXResourceDao;
+import org.apache.ranger.db.XXRoleRefGroupDao;
+import org.apache.ranger.db.XXRoleRefUserDao;
 import org.apache.ranger.db.XXSecurityZoneRefGroupDao;
 import org.apache.ranger.db.XXSecurityZoneRefUserDao;
 import org.apache.ranger.db.XXUserDao;
@@ -66,6 +68,8 @@ import org.apache.ranger.entity.XXPolicy;
 import org.apache.ranger.entity.XXPortalUser;
 import org.apache.ranger.entity.XXPortalUserRole;
 import org.apache.ranger.entity.XXResource;
+import org.apache.ranger.entity.XXRoleRefGroup;
+import org.apache.ranger.entity.XXRoleRefUser;
 import org.apache.ranger.entity.XXSecurityZoneRefGroup;
 import org.apache.ranger.entity.XXSecurityZoneRefUser;
 import org.apache.ranger.entity.XXUser;
@@ -1063,6 +1067,10 @@ public class TestXUserMgr {
            XXSecurityZoneRefGroupDao 
zoneSecRefGroupDao=Mockito.mock(XXSecurityZoneRefGroupDao.class);
            
Mockito.when(daoManager.getXXSecurityZoneRefGroup()).thenReturn(zoneSecRefGroupDao);
            
Mockito.when(zoneSecRefGroupDao.findByGroupId(userId)).thenReturn(zoneSecRefGroup);
+               List<XXRoleRefGroup> roleRefGroup = new 
ArrayList<XXRoleRefGroup>();
+               XXRoleRefGroupDao roleRefGroupDao = 
Mockito.mock(XXRoleRefGroupDao.class);
+               
Mockito.when(daoManager.getXXRoleRefGroup()).thenReturn(roleRefGroupDao);
+               
Mockito.when(roleRefGroupDao.findByGroupId(userId)).thenReturn(roleRefGroup);
            xUserMgr.deleteXGroup(vXGroup.getId(), force);
        }
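Review bot: The rejection path this commit adds is never exercised. Every stub here and in the @@ -1140, @@ -2912 and @@ -2985 hunks returns an empty `ArrayList`, so `blockIfRoleGroup` and `blockIfRoleUser` always fall through and `prepareAndThrow` is not reached by any visible test. A test that returns one `XXRoleRefGroup` (and, for users, one `XXRoleRefUser`) from the mocked DAO, stubs `getXXRole().getById(...)`, and asserts that `deleteXGroup`/`deleteXUser` raise the REST exception with the role name in the message would pin the guard against regressions. The test method starts outside the hunk.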
 
@@ -1140,6 +1148,10 @@ public class TestXUserMgr {
            XXSecurityZoneRefUserDao 
zoneSecRefUserDao=Mockito.mock(XXSecurityZoneRefUserDao.class);
            
Mockito.when(daoManager.getXXSecurityZoneRefUser()).thenReturn(zoneSecRefUserDao);
            
Mockito.when(zoneSecRefUserDao.findByUserId(userId)).thenReturn(zoneSecRefUser);
+           List<XXRoleRefUser> roleRefUser=new ArrayList<XXRoleRefUser>();
+           XXRoleRefUserDao 
roleRefUserDao=Mockito.mock(XXRoleRefUserDao.class);
+           
Mockito.when(daoManager.getXXRoleRefUser()).thenReturn(roleRefUserDao);
+           
Mockito.when(roleRefUserDao.findByUserId(userId)).thenReturn(roleRefUser);
                xUserMgr.deleteXUser(vXUser.getId(), force);
                force=false;
                xUserMgr.deleteXUser(vXUser.getId(), force);
@@ -2912,6 +2924,10 @@ public class TestXUserMgr {
            XXSecurityZoneRefUserDao 
zoneSecRefUserDao=Mockito.mock(XXSecurityZoneRefUserDao.class);
            
Mockito.when(daoManager.getXXSecurityZoneRefUser()).thenReturn(zoneSecRefUserDao);
            
Mockito.when(zoneSecRefUserDao.findByUserId(userId)).thenReturn(zoneSecRefUser);
+           List<XXRoleRefUser> roleRefUser=new ArrayList<XXRoleRefUser>();
+           XXRoleRefUserDao 
roleRefUserDao=Mockito.mock(XXRoleRefUserDao.class);
+           
Mockito.when(daoManager.getXXRoleRefUser()).thenReturn(roleRefUserDao);
+           
Mockito.when(roleRefUserDao.findByUserId(userId)).thenReturn(roleRefUser);
                xUserMgr.deleteXUser(vXUser.getId(), force);
                
Mockito.when(xGroupUserService.searchXGroupUsers((SearchCriteria) 
Mockito.any())).thenReturn(new VXGroupUserList());
                XXPolicy xXPolicy=getXXPolicy();
@@ -2985,7 +3001,11 @@ public class TestXUserMgr {
                List<XXSecurityZoneRefGroup> zoneSecRefGroup=new 
ArrayList<XXSecurityZoneRefGroup>();
            XXSecurityZoneRefGroupDao 
zoneSecRefGroupDao=Mockito.mock(XXSecurityZoneRefGroupDao.class);
            
Mockito.when(daoManager.getXXSecurityZoneRefGroup()).thenReturn(zoneSecRefGroupDao);
+           List<XXRoleRefGroup> roleRefGroup=new ArrayList<XXRoleRefGroup>();
+           XXRoleRefGroupDao roleRefGroupDao = 
Mockito.mock(XXRoleRefGroupDao.class);
+           
Mockito.when(daoManager.getXXRoleRefGroup()).thenReturn(roleRefGroupDao);
            
Mockito.when(zoneSecRefGroupDao.findByGroupId(userId)).thenReturn(zoneSecRefGroup);
+           
Mockito.when(roleRefGroupDao.findByGroupId(userId)).thenReturn(roleRefGroup);
                XXResource xXResource = new XXResource();
                xXResource.setId(userId);
                xXResource.setName("hadoopdev");
