This is an automated email from the ASF dual-hosted git repository.
mugdha pushed a commit to branch ranger-2.6
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.6 by this push:
new 19a3e11a3 RANGER-4777: Improve API /public/v2/api/service-headers to
filter services depending on user role
19a3e11a3 is described below
commit 19a3e11a33fc013da8578f59697a7bc8a5cbe63c
Author: Rakesh Gupta <[email protected]>
AuthorDate: Tue Oct 22 12:18:07 2024 +0530
RANGER-4777: Improve API /public/v2/api/service-headers to filter services
depending on user role
Signed-off-by: Mugdha Varadkar <[email protected]>
---
.../ranger/plugin/model/RangerServiceHeaderInfo.java | 10 ++++++++++
.../main/java/org/apache/ranger/biz/RangerBizUtil.java | 15 +++++++++++++++
.../apache/ranger/db/XXSecurityZoneRefServiceDao.java | 2 +-
.../ranger/db/XXSecurityZoneRefTagServiceDao.java | 2 +-
.../main/java/org/apache/ranger/db/XXServiceDao.java | 2 +-
.../main/java/org/apache/ranger/rest/PublicAPIsv2.java | 3 ++-
.../main/java/org/apache/ranger/rest/ServiceREST.java | 17 ++++++++---------
.../apache/ranger/security/context/RangerAPIList.java | 5 +++++
.../ranger/security/context/RangerAPIMapping.java | 5 +++++
.../src/main/resources/META-INF/jpa_named_queries.xml | 6 +++---
10 files changed, 51 insertions(+), 16 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java
index 7303bc746..da2488567 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java
@@ -56,6 +56,16 @@ public class RangerServiceHeaderInfo extends
RangerBaseModelObject implements ja
setIsTagService(EMBEDDED_SERVICEDEF_TAG_NAME.equals(type));
}
+ public RangerServiceHeaderInfo(Long id, String name, String displayName,
String type, Boolean isEnabled) {
+ super();
+ setId(id);
+ setName(name);
+ setDisplayName(displayName);
+ setType(type);
+ setIsTagService(EMBEDDED_SERVICEDEF_TAG_NAME.equals(type));
+ setIsEnabled(isEnabled);
+ }
+
public String getName() {
return name;
}
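Review bot: The new five-argument constructor repeats the body of the existing four-argument one instead of delegating to it, so the two can drift apart (the tag-service flag is derived in both). Chain it: `this(id, name, displayName, type);` followed by `setIsEnabled(isEnabled);`. A public constructor on a model class should also carry a short Javadoc stating that `isEnabled` is the service's enabled flag as read from the service row and that `isTagService` is derived from `type`, not passed in.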
diff --git
a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index 0d0102288..c0551a304 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -62,6 +62,7 @@ import org.apache.ranger.entity.XXTrxLogV2;
import org.apache.ranger.entity.XXUser;
import org.apache.ranger.plugin.model.RangerBaseModelObject;
import org.apache.ranger.plugin.model.RangerService;
+import org.apache.ranger.plugin.model.RangerServiceHeaderInfo;
import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.rest.ServiceREST;
import org.apache.ranger.security.context.RangerAdminOpContext;
@@ -1266,6 +1267,10 @@ public class RangerBizUtil {
if (xxDbBase != null && xxDbBase instanceof XXService) {
return hasAccessToXXService((XXService) xxDbBase,
isKeyAdmin, isSysAdmin, isAuditor, isAuditorKeyAdmin, isUser);
}
+
+ if (baseModel != null && baseModel instanceof
RangerServiceHeaderInfo) {
+ return
hasAccessToRangerServiceHeaderInfo((RangerServiceHeaderInfo) baseModel,
isKeyAdmin, isSysAdmin, isAuditor, isAuditorKeyAdmin, isUser);
+ }
return false;
}
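Review bot: The added guard `baseModel != null && baseModel instanceof RangerServiceHeaderInfo` repeats a null check that `instanceof` already performs; `if (baseModel instanceof RangerServiceHeaderInfo) {` is equivalent and reads as the single type test it is. The same redundancy exists on the pre-existing `xxDbBase` branch above it, which this commit does not touch. Because the `XXService` branch stays first, the header branch is only reached when `xxDbBase` is not an `XXService`, which matches the `hasAccess(null, serviceHeader)` call site later in this diff; a one-line comment saying so would help the next reader. The enclosing method starts outside the hunk.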
@@ -1300,6 +1305,16 @@ public class RangerBizUtil {
}
}
+ private Boolean
hasAccessToRangerServiceHeaderInfo(RangerServiceHeaderInfo serviceHeader,
boolean isKeyAdmin, boolean isSysAdmin, boolean isAuditor, boolean
isAuditorKeyAdmin, boolean isUser) {
+ // TODO: As of now we are allowing SYS_ADMIN to read all the
+ // services including KMS
+ if (isSysAdmin || isAuditor) {
+ return true;
+ }
+
+ return
EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_KMS_NAME.equals(serviceHeader.getType())
? (isKeyAdmin || isAuditorKeyAdmin) : isUser;
+ }
+
public void hasAdminPermissions(String objType) {
UserSessionBase session = ContextUtil.getCurrentUserSession();
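Review bot: `hasAccessToRangerServiceHeaderInfo` declares a boxed `Boolean` return although every path yields a primitive and the caller returns it through a `boolean`-style `hasAccess`; declare it `private boolean ...` so a null can never be introduced later. The decision only looks at `serviceHeader.getType()`: `EMBEDDED_SERVICEDEF_KMS_NAME.equals(null)` is false, so a header whose `type` is null falls through to the `isUser` branch. The named queries changed further down in this diff obtain that type via `LEFT OUTER JOIN XXServiceDef`, which can presumably yield a null `svcDef.name` for a service whose definition row is missing, so it is worth deciding explicitly whether such a header should be visible to a plain user, and recording that decision in the method's Javadoc. The `TODO` about SYS_ADMIN reading KMS services should name the intended end state (which roles are meant to see KMS headers) so it can be acted on.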
diff --git
a/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java
b/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java
index a7726d780..00d157e5c 100644
---
a/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java
+++
b/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java
@@ -97,7 +97,7 @@ public class XXSecurityZoneRefServiceDao extends
BaseDao<XXSecurityZoneRefServic
ret = new ArrayList<>(results.size());
for (Object[] result : results) {
- ret.add(new RangerServiceHeaderInfo((Long) result[0], (String)
result[1], (String) result[2], (String) result[3]));
+ ret.add(new RangerServiceHeaderInfo((Long) result[0], (String)
result[1], (String) result[2], (String) result[3], (Boolean) result[4]));
}
} else {
ret = Collections.emptyList();
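Review bot: The new `(Boolean) result[4]` cast relies on `obj.isEnabled` being the fifth column of `XXSecurityZoneRefService.findServiceHeaderInfosByZoneId` in `jpa_named_queries.xml`; nothing in the DAO ties the two together, so a reordered select fails only at runtime with a `ClassCastException`. The same positional coupling is added in the `XXSecurityZoneRefTagServiceDao` and `XXServiceDao` hunks of this commit. A comment on each constructor call, `// column order must match the named query's SELECT list`, makes the dependency visible to whoever next edits the query. The enclosing method starts outside the hunk.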
diff --git
a/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefTagServiceDao.java
b/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefTagServiceDao.java
index 9e1fb13ef..9a587891e 100644
---
a/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefTagServiceDao.java
+++
b/security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefTagServiceDao.java
@@ -72,7 +72,7 @@ public class XXSecurityZoneRefTagServiceDao extends
BaseDao<XXSecurityZoneRefTag
ret = new ArrayList<>(results.size());
for (Object[] result : results) {
- ret.add(new RangerServiceHeaderInfo((Long) result[0], (String)
result[1], (String) result[2], (String) result[3]));
+ ret.add(new RangerServiceHeaderInfo((Long) result[0], (String)
result[1], (String) result[2], (String) result[3], (Boolean) result[4]));
}
} else {
ret = Collections.emptyList();
diff --git
a/security-admin/src/main/java/org/apache/ranger/db/XXServiceDao.java
b/security-admin/src/main/java/org/apache/ranger/db/XXServiceDao.java
index eb7fc05ae..26c13df70 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXServiceDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXServiceDao.java
@@ -160,7 +160,7 @@ public class XXServiceDao extends BaseDao<XXService> {
ret = new ArrayList<>(results.size());
for (Object[] result : results) {
- ret.add(new RangerServiceHeaderInfo((Long)
result[0], (String) result[1], (String) result[2], (String) result[3]));
+ ret.add(new RangerServiceHeaderInfo((Long)
result[0], (String) result[1], (String) result[2], (String) result[3],
(Boolean) result[4]));
}
} catch (NoResultException excp) {
ret = Collections.emptyList();
diff --git
a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
index 3aeda199a..b93b63f85 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
@@ -41,6 +41,7 @@ import org.apache.ranger.plugin.store.PList;
import org.apache.ranger.plugin.util.GrantRevokeRoleRequest;
import org.apache.ranger.plugin.util.RangerPurgeResult;
import org.apache.ranger.plugin.util.ServiceTags;
+import org.apache.ranger.security.context.RangerAPIList;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
@@ -437,7 +438,7 @@ public class PublicAPIsv2 {
@GET
@Path("/api/service-headers")
@Produces({ "application/json" })
- @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" +
RangerAPIList.GET_SERVICE_HEADERS + "\")")
public List<RangerServiceHeaderInfo> getServiceHeaders(@Context
HttpServletRequest request) {
return serviceREST.getServiceHeaders(request);
}
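Review bot: Replacing `isAPISpnegoAccessible()` with `isAPIAccessible(GET_SERVICE_HEADERS)` changes who is admitted to this endpoint, and the semantics of the old check are not visible in the diff; if it existed to admit SPNEGO-authenticated callers that carry no Ranger role, those callers now depend entirely on `GET_SERVICE_HEADERS` appearing in the right `RangerAPIMapping` role lists. The commit message should state which principals are expected to keep access and which lose it, and the diffstat lists no test change pinning that, so a test per role (including the `isEnabled` value now returned) would make the authorization change reviewable. The `@PreAuthorize` string concatenation matches the pattern used elsewhere in this class, so no style issue there.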
diff --git
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 435b78679..dade6d66b 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -1101,15 +1101,14 @@ public class ServiceREST {
List<RangerServiceHeaderInfo> ret =
daoManager.getXXService().findServiceHeaders();
- if (!ret.isEmpty() && (filterByNamePrefix || filterByType)) {
- for (ListIterator<RangerServiceHeaderInfo> iter =
ret.listIterator(); iter.hasNext(); ) {
- RangerServiceHeaderInfo serviceHeader =
iter.next();
-
- if (filterByNamePrefix &&
!StringUtils.startsWithIgnoreCase(serviceHeader.getName(), namePrefix)) {
- iter.remove();
- } else if (filterByType &&
!StringUtils.equals(serviceHeader.getType(), svcType)) {
- iter.remove();
- }
+ for (ListIterator<RangerServiceHeaderInfo> iter =
ret.listIterator(); iter.hasNext(); ) {
+ RangerServiceHeaderInfo serviceHeader = iter.next();
+ if (filterByNamePrefix &&
!StringUtils.startsWithIgnoreCase(serviceHeader.getName(), namePrefix)) {
+ iter.remove();
+ } else if (filterByType &&
!StringUtils.equals(serviceHeader.getType(), svcType)) {
+ iter.remove();
+ } else if(!bizUtil.hasAccess(null, serviceHeader)) {
+ iter.remove();
}
}
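Review bot: `else if(!bizUtil.hasAccess(null, serviceHeader))` is missing the space after `if` that the two branches above it use; write `} else if (!bizUtil.hasAccess(null, serviceHeader)) {`. The access check now runs once per header, and from the `RangerBizUtil` hunk it appears to resolve the caller's role flags on every call, so if `hasAccess` exposes a way to compute those flags once before the loop that would avoid repeated session lookups on large service lists; this is inferred, not visible here. Dropping the `!ret.isEmpty() && (filterByNamePrefix || filterByType)` short-circuit is correct now that the role filter always applies, but a one-line comment above the loop, `// role-based filtering is applied unconditionally`, would explain why the old guard is gone. The enclosing method starts and ends outside the hunk.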
diff --git
a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
index d8284dff6..194663425 100644
---
a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
+++
b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
@@ -212,4 +212,9 @@ public class RangerAPIList {
public static final String
GET_USER_ROLES_BY_NAME="XUserREST.getUserRolesByName";
public static final String FORCE_DELETE_EXTERNAL_USERS =
"XUserREST.forceDeleteExternalUsers";
public static final String FORCE_DELETE_EXTERNAL_GROUPS =
"XUserREST.forceDeleteExternalGroups";
+
+ /**
+ * List of APIs for PublicAPIsv2
+ */
+ public static final String GET_SERVICE_HEADERS =
"PublicAPIsv2.getServiceHeaders";
}
diff --git
a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java
b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java
index 59cd2a6dc..37ccc0785 100644
---
a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java
+++
b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java
@@ -97,6 +97,7 @@ public class RangerAPIMapping {
apiAssociatedWithReports.add(RangerAPIList.GET_SERVICE_DEF_BY_NAME);
apiAssociatedWithReports.add(RangerAPIList.GET_SERVICE_DEFS);
apiAssociatedWithReports.add(RangerAPIList.GET_SERVICES);
+ apiAssociatedWithReports.add(RangerAPIList.GET_SERVICE_HEADERS);
apiAssociatedWithReports.add(RangerAPIList.LOOKUP_RESOURCE);
apiAssociatedWithReports.add(RangerAPIList.GET_USER_PROFILE_FOR_USER);
@@ -162,6 +163,7 @@ public class RangerAPIMapping {
apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_SERVICE_DEF_BY_NAME);
apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_SERVICE_DEFS);
apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_SERVICES);
+
apiAssociatedWithTagBasedPolicy.add(RangerAPIList.GET_SERVICE_HEADERS);
apiAssociatedWithTagBasedPolicy.add(RangerAPIList.LOOKUP_RESOURCE);
apiAssociatedWithTagBasedPolicy.add(RangerAPIList.UPDATE_SERVICE);
apiAssociatedWithTagBasedPolicy.add(RangerAPIList.UPDATE_SERVICE_DEF);
@@ -246,6 +248,7 @@ public class RangerAPIMapping {
apiAssociatedWithKeyManager.add(RangerAPIList.GET_SERVICE_DEF_BY_NAME);
apiAssociatedWithKeyManager.add(RangerAPIList.GET_SERVICE_DEFS);
apiAssociatedWithKeyManager.add(RangerAPIList.GET_SERVICES);
+
apiAssociatedWithKeyManager.add(RangerAPIList.GET_SERVICE_HEADERS);
apiAssociatedWithKeyManager.add(RangerAPIList.LOOKUP_RESOURCE);
apiAssociatedWithKeyManager.add(RangerAPIList.UPDATE_SERVICE);
apiAssociatedWithKeyManager.add(RangerAPIList.UPDATE_SERVICE_DEF);
@@ -379,6 +382,7 @@ public class RangerAPIMapping {
apiAssociatedWithAudit.add(RangerAPIList.GET_SERVICE_DEF_BY_NAME);
apiAssociatedWithAudit.add(RangerAPIList.GET_SERVICE_DEFS);
apiAssociatedWithAudit.add(RangerAPIList.GET_SERVICES);
+ apiAssociatedWithAudit.add(RangerAPIList.GET_SERVICE_HEADERS);
apiAssociatedWithAudit.add(RangerAPIList.LOOKUP_RESOURCE);
apiAssociatedWithAudit.add(RangerAPIList.GET_USER_PROFILE_FOR_USER);
@@ -459,6 +463,7 @@ public class RangerAPIMapping {
apiAssociatedWithRBPolicies.add(RangerAPIList.GET_SERVICE_DEF_BY_NAME);
apiAssociatedWithRBPolicies.add(RangerAPIList.GET_SERVICE_DEFS);
apiAssociatedWithRBPolicies.add(RangerAPIList.GET_SERVICES);
+
apiAssociatedWithRBPolicies.add(RangerAPIList.GET_SERVICE_HEADERS);
apiAssociatedWithRBPolicies.add(RangerAPIList.LOOKUP_RESOURCE);
apiAssociatedWithRBPolicies.add(RangerAPIList.UPDATE_SERVICE);
apiAssociatedWithRBPolicies.add(RangerAPIList.UPDATE_SERVICE_DEF);
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
index 616ce9924..81e52583b 100755
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
+++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
@@ -729,7 +729,7 @@
<named-query name="XXService.getAllServiceHeaders">
<query>
- SELECT obj.id, obj.name, obj.displayName, svcDef.name
FROM XXService obj
+ SELECT obj.id, obj.name, obj.displayName, svcDef.name,
obj.isEnabled FROM XXService obj
LEFT OUTER JOIN XXServiceDef svcDef ON obj.type =
svcDef.id
</query>
</named-query>
@@ -1775,7 +1775,7 @@
<named-query
name="XXSecurityZoneRefService.findServiceHeaderInfosByZoneId">
<query>
- SELECT obj.id, obj.name, obj.displayName, svcDef.name
FROM XXService obj
+ SELECT obj.id, obj.name, obj.displayName, svcDef.name,
obj.isEnabled FROM XXService obj
LEFT OUTER JOIN XXServiceDef svcDef ON obj.type =
svcDef.id
WHERE obj.id IN (SELECT ref.serviceId FROM
XXSecurityZoneRefService ref WHERE ref.zoneId = :zoneId)
</query>
@@ -1795,7 +1795,7 @@
<named-query
name="XXSecurityZoneRefTagService.findServiceHeaderInfosByZoneId">
<query>
- SELECT obj.id, obj.name, obj.displayName, svcDef.name
FROM XXService obj
+ SELECT obj.id, obj.name, obj.displayName, svcDef.name,
obj.isEnabled FROM XXService obj
LEFT OUTER JOIN XXServiceDef svcDef ON obj.type =
svcDef.id
WHERE obj.id IN (SELECT ref.tagServiceId FROM
XXSecurityZoneRefTagService ref WHERE ref.zoneId = :zoneId)
</query>