http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/security-admin/src/main/java/org/apache/ranger/biz/XABizUtil.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XABizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/XABizUtil.java new file mode 100644 index 0000000..0177682 --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/biz/XABizUtil.java @@ -0,0 +1,1313 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + + package org.apache.ranger.biz; + +import java.io.File; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Set; + +import org.apache.log4j.Logger; +import org.apache.ranger.common.AppConstants; +import org.apache.ranger.common.ContextUtil; +import org.apache.ranger.common.GUIDUtil; +import org.apache.ranger.common.PropertiesUtil; +import org.apache.ranger.common.RESTErrorUtil; +import org.apache.ranger.common.StringUtil; +import org.apache.ranger.common.UserSessionBase; +import org.apache.ranger.common.XACommonEnums; +import org.apache.ranger.common.XAConstants; +import org.apache.ranger.common.db.BaseDao; +import org.apache.ranger.db.XADaoManager; +import org.apache.ranger.entity.XXAsset; +import org.apache.ranger.entity.XXDBBase; +import org.apache.ranger.entity.XXGroup; +import org.apache.ranger.entity.XXPermMap; +import org.apache.ranger.entity.XXPortalUser; +import org.apache.ranger.entity.XXResource; +import org.apache.ranger.entity.XXTrxLog; +import org.apache.ranger.entity.XXUser; +import org.apache.ranger.service.AbstractBaseResourceService; +import org.apache.ranger.view.VXDataObject; +import org.apache.ranger.view.VXPortalUser; +import org.apache.ranger.view.VXResource; +import org.apache.ranger.view.VXResponse; +import org.apache.ranger.view.VXString; +import org.apache.ranger.view.VXStringList; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +import java.util.Random; + +import org.apache.commons.io.FilenameUtils; +import org.apache.commons.io.IOCase; + +@Component +public class XABizUtil { + static final Logger logger = Logger.getLogger(XABizUtil.class); + + @Autowired + RESTErrorUtil restErrorUtil; + + @Autowired + XADaoManager daoManager; + + @Autowired + StringUtil stringUtil; + + @Autowired + UserMgr userMgr; + + Set<Class<?>> groupEditableClasses; + private Class<?>[] groupEditableClassesList = {}; + + Map<String, Integer> classTypeMappings = new HashMap<String, Integer>(); + private int maxFirstNameLength; + int maxDisplayNameLength = 150; + boolean defaultAutoApprove = true; + boolean showBlockedContent = true; + public final String EMPTY_CONTENT_DISPLAY_NAME = "..."; + boolean enableResourceAccessControl; + private Random random; + private static final String PATH_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrst0123456789-_."; + private static char[] PATH_CHAR_SET = PATH_CHARS.toCharArray(); + private static int PATH_CHAR_SET_LEN = PATH_CHAR_SET.length; + + static String fileSeparator = PropertiesUtil.getProperty( + "xa.file.separator", "/"); + + public XABizUtil() { + maxFirstNameLength = Integer.parseInt(PropertiesUtil.getProperty( + "xa.user.firstname.maxlength", "16")); + maxDisplayNameLength = PropertiesUtil.getIntProperty( + "xa.bookmark.name.maxlen", maxDisplayNameLength); + showBlockedContent = PropertiesUtil.getBooleanProperty( + "xa.content.show_blocked", showBlockedContent); + defaultAutoApprove = PropertiesUtil.getBooleanProperty( + "xa.mod.default", defaultAutoApprove); + + groupEditableClasses = new HashSet<Class<?>>( + Arrays.asList(groupEditableClassesList)); + enableResourceAccessControl = PropertiesUtil.getBooleanProperty( + "xa.resource.accessControl.enabled", true); + random = new Random(); + } + + public <T extends XXDBBase> List<? extends XXDBBase> getParentObjects(T object) { + List<XXDBBase> parentObjectList = null; + // if (checkParentAcess.contains(object.getMyClassType())) { + // parentObjectList = new ArrayList<MBase>(); + // } + return parentObjectList; + } + + public int getClassType(Class<?> klass) { + String className = klass.getName(); + // See if this mapping is already in the database + Integer classType = classTypeMappings.get(className); + if (classType == null) { + // Instantiate the class and call the getClassType method + if (XXDBBase.class.isAssignableFrom(klass)) { + try { + XXDBBase gjObj = (XXDBBase) klass.newInstance(); + classType = gjObj.getMyClassType(); + classTypeMappings.put(className, classType); + } catch (Throwable ex) { + logger.error("Error instantiating object for class " + + className, ex); + } + } + } + if (classType == null) { + return XACommonEnums.CLASS_TYPE_NONE; + } else { + return classType; + } + } + + // Access control methods + public void checkSystemAdminAccess() { + UserSessionBase currentUserSession = ContextUtil + .getCurrentUserSession(); + if (currentUserSession != null && currentUserSession.isUserAdmin()) { + return; + } + throw restErrorUtil + .create403RESTException("Only System Administrators can add accounts"); + } + + /** + * @param contentType + * @return + */ + public int getMimeTypeInt(String contentType) { + if (contentType.equalsIgnoreCase("JPEG") + || contentType.equalsIgnoreCase("JPG") + || contentType.endsWith("jpg") || contentType.endsWith("jpeg")) { + return XAConstants.MIME_JPEG; + } + if (contentType.equalsIgnoreCase("PNG") || contentType.endsWith("png")) { + return XAConstants.MIME_PNG; + } + return XAConstants.MIME_UNKNOWN; + } + + /** + * @param mimeType + * @return + */ + public String getMimeType(int mimeType) { + switch (mimeType) { + case XAConstants.MIME_JPEG: + return "jpg"; + case XAConstants.MIME_PNG: + return "png"; + } + return ""; + } + + /** + * @param contentType + * @return + */ + public String getImageExtension(String contentType) { + if (contentType.toLowerCase().endsWith("jpg") + || contentType.toLowerCase().endsWith("jpeg")) { + return "jpg"; + } else if (contentType.toLowerCase().endsWith("png")) { + return "png"; + } + return ""; + } + + /** + * @param file + * @return + */ + public String getFileNameWithoutExtension(File file) { + if (file != null) { + String fileName = file.getName(); + if (fileName.indexOf(".") > 0) { + return fileName.substring(0, fileName.indexOf(".")); + } + return fileName; + + } + return null; + } + + public String getDisplayNameForClassName(XXDBBase obj) { + String classTypeDisplayName = XAConstants.getLabelFor_ClassTypes(obj + .getMyClassType()); + if (classTypeDisplayName == null) { + logger.error( + "Error get name for class type. obj=" + obj.toString(), + new Throwable()); + } + return classTypeDisplayName; + } + + public String getDisplayName(XXDBBase obj) { + if (obj != null) { + return handleGetDisplayName(obj.getMyDisplayValue()); + } else { + return handleGetDisplayName(null); + } + } + + /** + * @param displayValue + * @return + */ + private String handleGetDisplayName(String displayValue) { + if (displayValue == null || displayValue.trim().isEmpty()) { + return EMPTY_CONTENT_DISPLAY_NAME; + } + + if (displayValue.length() > maxDisplayNameLength) { + displayValue = displayValue.substring(0, maxDisplayNameLength - 3) + .concat("..."); + } + return displayValue; + } + + /** + * @param userProfile + * @return + */ + public String generatePublicName(VXPortalUser userProfile, XXPortalUser gjUser) { + return generatePublicName(userProfile.getFirstName(), + userProfile.getLastName()); + } + + public String generatePublicName(String firstName, String lastName) { + String publicName = null; + String fName = firstName; + if (firstName.length() > maxFirstNameLength) { + fName = firstName.substring(0, maxFirstNameLength - (1 + 3)) + + "..."; + } + if (lastName != null && lastName.length() > 0) { + publicName = fName + " " + lastName.substring(0, 1) + "."; + } + return publicName; + } + + public void updateCloneReferences(XXDBBase obj) { + if (obj == null) { + return; + } + } + + public Long getForUserId(XXDBBase resource) { + return null; + } + + public XXDBBase getMObject(int objClassType, Long objId) { + XXDBBase obj = null; + + if (objId != null) { + BaseDao<?> dao = daoManager.getDaoForClassType(objClassType); + + if (dao != null) { + obj = (XXDBBase) dao.getById(objId); + } + } + + return obj; + } + + public XXDBBase getMObject(VXDataObject vXDataObject) { + if (vXDataObject != null) { + return getMObject(vXDataObject.getMyClassType(), vXDataObject.getId()); + } + return null; + } + + public VXDataObject getVObject(int objClassType, Long objId) { + if (objId == null) { + return null; + } + if (objClassType == XAConstants.CLASS_TYPE_USER_PROFILE) { + return userMgr.mapXXPortalUserVXPortalUser(daoManager.getXXPortalUser().getById( + objId)); + } + try { + AbstractBaseResourceService<?, ?> myService = AbstractBaseResourceService + .getService(objClassType); + if (myService != null) { + return myService.readResource(objId); + } + } catch (Throwable t) { + logger.error("Error reading resource. objectClassType=" + + objClassType + ", objectId=" + objId, t); + } + return null; + } + + public void deleteReferencedObjects(XXDBBase obj) { + + if (obj == null) { + return; + } + if (obj.getMyClassType() == XAConstants.CLASS_TYPE_NONE) { + return; + } + + } + + /** + * @param obj + */ + void deleteObjects(List<XXDBBase> objs) { + + } + + void deleteObject(XXDBBase obj) { + AbstractBaseResourceService<?, ?> myService = AbstractBaseResourceService + .getService(obj.getMyClassType()); + if (myService != null) { + myService.deleteResource(obj.getId()); + } else { + logger.error("Service not found for obj=" + obj, new Throwable()); + } + } + + public <T extends XXDBBase> Class<? extends XXDBBase> getContextObject( + int objectClassType, Long objectId) { + return null; + } + + public VXStringList mapStringListToVStringList(List<String> stringList) { + if (stringList == null) { + return null; + } + + List<VXString> vStringList = new ArrayList<VXString>(); + for (String str : stringList) { + VXString vXString = new VXString(); + vXString.setValue(str); + vStringList.add(vXString); + } + + return new VXStringList(vStringList); + } + + /** + * return response object if users is having permission on given resource + * + * @param vXResource + * @param permission + * @return + */ + public VXResponse hasPermission(VXResource vXResource, int permission) { + + VXResponse vXResponse = new VXResponse(); + if (!enableResourceAccessControl) { + logger.debug("Resource Access Control is disabled !!!"); + return vXResponse; + } + + if (vXResource == null) { + vXResponse.setStatusCode(VXResponse.STATUS_ERROR); + vXResponse.setMsgDesc("Please provide valid policy."); + return vXResponse; + } + + String resourceNames = vXResource.getName(); + if (stringUtil.isEmpty(resourceNames)) { + vXResponse.setStatusCode(VXResponse.STATUS_ERROR); + vXResponse.setMsgDesc("Please provide valid policy."); + return vXResponse; + } + + if (isAdmin()) { + return vXResponse; + } + + Long xUserId = getXUserId(); + Long assetId = vXResource.getAssetId(); + List<XXResource> xResourceList = daoManager.getXXResource() + .findByAssetIdAndResourceStatus(assetId, + AppConstants.STATUS_ENABLED); + + XXAsset xAsset = daoManager.getXXAsset().getById(assetId); + int assetType = xAsset.getAssetType(); + + vXResponse.setStatusCode(VXResponse.STATUS_ERROR); + vXResponse.setMsgDesc("Permission Denied !"); + + if (assetType == AppConstants.ASSET_HIVE) { + String[] requestResNameList = resourceNames.split(","); + if (stringUtil.isEmpty(vXResource.getUdfs())) { + int reqTableType = vXResource.getTableType(); + int reqColumnType = vXResource.getColumnType(); + for (String resourceName : requestResNameList) { + boolean matchFound = matchHivePolicy(resourceName, + xResourceList, xUserId, permission, reqTableType, + reqColumnType, false); + if (!matchFound) { + vXResponse.setMsgDesc("You're not permitted to perform " + + "the action for resource path : " + + resourceName); + vXResponse.setStatusCode(VXResponse.STATUS_ERROR); + return vXResponse; + } + } + } else { + for (String resourceName : requestResNameList) { + boolean matchFound = matchHivePolicy(resourceName, + xResourceList, xUserId, permission); + if (!matchFound) { + vXResponse.setMsgDesc("You're not permitted to perform " + + "the action for resource path : " + + resourceName); + vXResponse.setStatusCode(VXResponse.STATUS_ERROR); + return vXResponse; + } + } + } + vXResponse.setStatusCode(VXResponse.STATUS_SUCCESS); + return vXResponse; + } else if (assetType == AppConstants.ASSET_HBASE) { + String[] requestResNameList = resourceNames.split(","); + for (String resourceName : requestResNameList) { + boolean matchFound = matchHbasePolicy(resourceName, + xResourceList, vXResponse, xUserId, permission); + if (!matchFound) { + vXResponse.setMsgDesc("You're not permitted to perform " + + "the action for resource path : " + resourceName); + vXResponse.setStatusCode(VXResponse.STATUS_ERROR); + return vXResponse; + } + } + vXResponse.setStatusCode(VXResponse.STATUS_SUCCESS); + return vXResponse; + } else if (assetType == AppConstants.ASSET_HDFS) { + String[] requestResNameList = resourceNames.split(","); + for (String resourceName : requestResNameList) { + boolean matchFound = matchHdfsPolicy(resourceName, + xResourceList, xUserId, permission); + if (!matchFound) { + vXResponse.setMsgDesc("You're not permitted to perform " + + "the action for resource path : " + resourceName); + vXResponse.setStatusCode(VXResponse.STATUS_ERROR); + return vXResponse; + } + } + vXResponse.setStatusCode(VXResponse.STATUS_SUCCESS); + return vXResponse; + } else if (assetType == AppConstants.ASSET_KNOX) { + String[] requestResNameList = resourceNames.split(","); + for (String resourceName : requestResNameList) { + boolean matchFound = matchKnoxPolicy(resourceName, + xResourceList, vXResponse, xUserId, permission); + if (!matchFound) { + vXResponse.setMsgDesc("You're not permitted to perform " + + "the action for resource path : " + resourceName); + vXResponse.setStatusCode(VXResponse.STATUS_ERROR); + return vXResponse; + } + } + vXResponse.setStatusCode(VXResponse.STATUS_SUCCESS); + return vXResponse; + } else if (assetType == AppConstants.ASSET_STORM) { + String[] requestResNameList = resourceNames.split(","); + for (String resourceName : requestResNameList) { + boolean matchFound = matchStormPolicy(resourceName, + xResourceList, vXResponse, xUserId, permission); + if (!matchFound) { + vXResponse.setMsgDesc("You're not permitted to perform " + + "the action for resource path : " + resourceName); + vXResponse.setStatusCode(VXResponse.STATUS_ERROR); + return vXResponse; + } + } + vXResponse.setStatusCode(VXResponse.STATUS_SUCCESS); + return vXResponse; + } + return vXResponse; + } + + /** + * return true id current logged in session is owned by admin + * + * @return + */ + public boolean isAdmin() { + UserSessionBase currentUserSession = ContextUtil + .getCurrentUserSession(); + if (currentUserSession == null) { + logger.debug("Unable to find session."); + return false; + } + + if (currentUserSession.isUserAdmin()) { + return true; + } + return false; + } + + /** + * returns current user's userID from active user sessions + * + * @return + */ + public Long getXUserId() { + + UserSessionBase currentUserSession = ContextUtil + .getCurrentUserSession(); + if (currentUserSession == null) { + logger.debug("Unable to find session."); + return null; + } + + XXPortalUser user = daoManager.getXXPortalUser().getById( + currentUserSession.getUserId()); + if (user == null) { + logger.debug("XXPortalUser not found with logged in user id : " + + currentUserSession.getUserId()); + return null; + } + + XXUser xUser = daoManager.getXXUser().findByUserName(user.getLoginId()); + if (xUser == null) { + logger.debug("XXPortalUser not found for user id :" + user.getId() + + " with name " + user.getFirstName()); + return null; + } + + return xUser.getId(); + } + + /** + * returns true if user is having required permission on given Hdfs resource + * + * @param resourceName + * @param xResourceList + * @param xUserId + * @param permission + * @return + */ + private boolean matchHdfsPolicy(String resourceName, + List<XXResource> xResourceList, Long xUserId, int permission) { + boolean matchFound = false; + resourceName = replaceMetaChars(resourceName); + + for (XXResource xResource : xResourceList) { + if (xResource.getResourceStatus() != AppConstants.STATUS_ENABLED) { + continue; + } + Long resourceId = xResource.getId(); + matchFound = checkUsrPermForPolicy(xUserId, permission, resourceId); + if (matchFound) { + matchFound = false; + String resource = xResource.getName(); + String[] dbResourceNameList = resource.split(","); + for (String dbResourceName : dbResourceNameList) { + if (comparePathsForExactMatch(resourceName, dbResourceName)) { + matchFound = true; + } else { + if (xResource.getIsRecursive() == AppConstants.BOOL_TRUE) { + matchFound = isRecursiveWildCardMatch(resourceName, + dbResourceName); + } else { + matchFound = nonRecursiveWildCardMatch( + resourceName, dbResourceName); + } + } + if (matchFound) { + break; + } + } + if (matchFound) { + break; + } + } + } + return matchFound; + } + + /** + * returns true if user is having required permission on given Hbase + * resource + * + * @param resourceName + * @param xResourceList + * @param vXResponse + * @param xUserId + * @param permission + * @return + */ + public boolean matchHbasePolicy(String resourceName, + List<XXResource> xResourceList, VXResponse vXResponse, Long xUserId, + int permission) { + if(stringUtil.isEmpty(resourceName) || xResourceList==null || xUserId==null){ + return false; + } + + String[] splittedResources = stringUtil.split(resourceName, fileSeparator); + if (splittedResources.length < 1 || splittedResources.length > 3) { + logger.debug("Invalid resourceName name : " + resourceName); + return false; + } + + String tblName = splittedResources.length > 0 ? splittedResources[0] : StringUtil.WILDCARD_ASTERISK; + String colFamName = splittedResources.length > 1 ? splittedResources[1] : StringUtil.WILDCARD_ASTERISK; + String colName = splittedResources.length > 2 ? splittedResources[2] : StringUtil.WILDCARD_ASTERISK; + + boolean policyMatched = false; + // check all resources whether Hbase policy is enabled in any resource + // of provided resource list + for (XXResource xResource : xResourceList) { + if (xResource.getResourceStatus() != AppConstants.STATUS_ENABLED) { + continue; + } + Long resourceId = xResource.getId(); + boolean hasPermission = checkUsrPermForPolicy(xUserId, permission, resourceId); + // if permission is enabled then load Tables,column family and + // columns list from resource + if (! hasPermission) { + continue; + } + + // 1. does the policy match the table? + String[] xTables = stringUtil.isEmpty(xResource.getTables()) ? null : stringUtil.split(xResource.getTables(), ","); + + boolean matchFound = (xTables == null || xTables.length == 0) ? true : matchPath(tblName, xTables); + + if(matchFound) { + // 2. does the policy match the column? + String[] xColumnFamilies = stringUtil.isEmpty(xResource.getColumnFamilies()) ? null : stringUtil.split(xResource.getColumnFamilies(), ","); + + matchFound = (xColumnFamilies == null || xColumnFamilies.length == 0) ? true : matchPath(colFamName, xColumnFamilies); + + if(matchFound) { + // 3. does the policy match the columnFamily? + String[] xColumns = stringUtil.isEmpty(xResource.getColumns()) ? null : stringUtil.split(xResource.getColumns(), ","); + + matchFound = (xColumns == null || xColumns.length == 0) ? true : matchPath(colName, xColumns); + } + } + + if (matchFound) { + policyMatched = true; + break; + } + } + return policyMatched; + } + + public boolean matchHivePolicy(String resourceName, + List<XXResource> xResourceList, Long xUserId, int permission) { + return matchHivePolicy(resourceName, xResourceList, xUserId, + permission, 0, 0, true); + } + + /** + * returns true if user is having required permission on given Hive resource + * + * @param resourceName + * @param xResourceList + * @param xUserId + * @param permission + * @param reqTableType + * @param reqColumnType + * @param isUdfPolicy + * @return + */ + public boolean matchHivePolicy(String resourceName, + List<XXResource> xResourceList, Long xUserId, int permission, + int reqTableType, int reqColumnType, boolean isUdfPolicy) { + + if(stringUtil.isEmpty(resourceName) || xResourceList==null || xUserId==null){ + return false; + } + + String[] splittedResources = stringUtil.split(resourceName, fileSeparator);// get list of resources + if (splittedResources.length < 1 || splittedResources.length > 3) { + logger.debug("Invalid resource name : " + resourceName); + return false; + } + + String dbName = splittedResources.length > 0 ? splittedResources[0] : StringUtil.WILDCARD_ASTERISK; + String tblName = splittedResources.length > 1 ? splittedResources[1] : StringUtil.WILDCARD_ASTERISK; + String colName = splittedResources.length > 2 ? splittedResources[2] : StringUtil.WILDCARD_ASTERISK; + + boolean policyMatched = false; + for (XXResource xResource : xResourceList) { + if (xResource.getResourceStatus() != AppConstants.STATUS_ENABLED) { + continue; + } + + Long resourceId = xResource.getId(); + boolean hasPermission = checkUsrPermForPolicy(xUserId, permission, resourceId); + + if (! hasPermission) { + continue; + } + + // 1. does the policy match the database? + String[] xDatabases = stringUtil.isEmpty(xResource.getDatabases()) ? null : stringUtil.split(xResource.getDatabases(), ","); + + boolean matchFound = (xDatabases == null || xDatabases.length == 0) ? true : matchPath(dbName, xDatabases); + + if (! matchFound) { + continue; + } + + // Type(either UDFs policy or non-UDFs policy) of current policy + // should be of same as type of policy being iterated + if (!stringUtil.isEmpty(xResource.getUdfs()) && !isUdfPolicy) { + continue; + } + + if (isUdfPolicy) { + // 2. does the policy match the UDF? + String[] xUdfs = stringUtil.isEmpty(xResource.getUdfs()) ? null : stringUtil.split(xResource.getUdfs(), ","); + + if(! matchPath(tblName, xUdfs)) { + continue; + } else { + policyMatched = true; + break; + } + } else { + // 2. does the policy match the table? + String[] xTables = stringUtil.isEmpty(xResource.getTables()) ? null : stringUtil.split(xResource.getTables(), ","); + + matchFound = (xTables == null || xTables.length == 0) ? true : matchPath(tblName, xTables); + + if(xResource.getTableType() == AppConstants.POLICY_EXCLUSION) { + matchFound = !matchFound; + } + + if (!matchFound) { + continue; + } + + // 3. does current policy match the column? + String[] xColumns = stringUtil.isEmpty(xResource.getColumns()) ? null : stringUtil.split(xResource.getColumns(), ","); + + matchFound = (xColumns == null || xColumns.length == 0) ? true : matchPath(colName, xColumns); + + if(xResource.getColumnType() == AppConstants.POLICY_EXCLUSION) { + matchFound = !matchFound; + } + + if (!matchFound) { + continue; + } else { + policyMatched = true; + break; + } + } + } + return policyMatched; + } + /** + * returns true if user is having required permission on given Hbase + * resource + * + * @param resourceName + * @param xResourceList + * @param vXResponse + * @param xUserId + * @param permission + * @return + */ + private boolean matchKnoxPolicy(String resourceName, + List<XXResource> xResourceList, VXResponse vXResponse, Long xUserId, + int permission) { + + String[] splittedResources = stringUtil.split(resourceName, + fileSeparator); + int numberOfResources = splittedResources.length; + if (numberOfResources < 1 || numberOfResources > 3) { + logger.debug("Invalid policy name : " + resourceName); + return false; + } + + boolean policyMatched = false; + // check all resources whether Knox policy is enabled in any resource + // of provided resource list + for (XXResource xResource : xResourceList) { + if (xResource.getResourceStatus() != AppConstants.STATUS_ENABLED) { + continue; + } + Long resourceId = xResource.getId(); + boolean hasPermission = checkUsrPermForPolicy(xUserId, permission, + resourceId); + // if permission is enabled then load Topologies,services list from resource + if (hasPermission) { + String[] xTopologies = (xResource.getTopologies() == null || xResource + .getTopologies().equalsIgnoreCase("")) ? null : stringUtil + .split(xResource.getTopologies(), ","); + String[] xServices = (xResource.getServices() == null || xResource + .getServices().equalsIgnoreCase("")) ? null + : stringUtil.split(xResource.getServices(), ","); + + boolean matchFound = false; + + for (int index = 0; index < numberOfResources; index++) { + matchFound = false; + // check whether given table resource matches with any + // existing topology resource + if (index == 0) { + if(xTopologies!=null){ + for (String xTopology : xTopologies) { + if (matchPath(splittedResources[index], xTopology)) { + matchFound = true; + continue; + } + } + } + if(!matchFound) { + break; + } + } // check whether given service resource matches with + // any existing service resource + else if (index == 1) { + if(xServices!=null){ + for (String xService : xServices) { + if (matchPath(splittedResources[index], + xService)) { + matchFound = true; + continue; + } + } + } + if(!matchFound) { + break; + } + } + } + if (matchFound) { + policyMatched = true; + break; + } + } + } + return policyMatched; + } + + /** + * returns true if user is having required permission on given STORM + * resource + * + * @param resourceName + * @param xResourceList + * @param vXResponse + * @param xUserId + * @param permission + * @return + */ + private boolean matchStormPolicy(String resourceName, + List<XXResource> xResourceList, VXResponse vXResponse, Long xUserId, + int permission) { + + String[] splittedResources = stringUtil.split(resourceName, + fileSeparator); + int numberOfResources = splittedResources.length; + if (numberOfResources < 1 || numberOfResources > 3) { + logger.debug("Invalid policy name : " + resourceName); + return false; + } + + boolean policyMatched = false; + // check all resources whether Knox policy is enabled in any resource + // of provided resource list + for (XXResource xResource : xResourceList) { + if (xResource.getResourceStatus() != AppConstants.STATUS_ENABLED) { + continue; + } + Long resourceId = xResource.getId(); + boolean hasPermission = checkUsrPermForPolicy(xUserId, permission, + resourceId); + // if permission is enabled then load Topologies,services list from resource + if (hasPermission) { + String[] xTopologies = (xResource.getTopologies() == null || xResource + .getTopologies().equalsIgnoreCase("")) ? null : stringUtil + .split(xResource.getTopologies(), ","); + /*String[] xServices = (xResource.getServices() == null || xResource + .getServices().equalsIgnoreCase("")) ? null + : stringUtil.split(xResource.getServices(), ",");*/ + + boolean matchFound = false; + + for (int index = 0; index < numberOfResources; index++) { + matchFound = false; + // check whether given table resource matches with any + // existing topology resource + if (index == 0) { + if(xTopologies!=null){ + for (String xTopology : xTopologies) { + if (matchPath(splittedResources[index], xTopology)) { + matchFound = true; + continue; + } + } + } + } // check whether given service resource matches with + // any existing service resource + /*else if (index == 1) { + if(xServices!=null){ + for (String xService : xServices) { + if (matchPath(splittedResources[index], + xService)) { + matchFound = true; + continue; + } + } + } + }*/ + } + if (matchFound) { + policyMatched = true; + break; + } + } + } + return policyMatched; + } + + /** + * returns path without meta characters + * + * @param path + * @return + */ + public String replaceMetaChars(String path) { + if (path == null || path.isEmpty()) { + return path; + } + + if (path.contains("*")) { + String replacement = getRandomString(5, 60); + path = path.replaceAll("\\*", replacement); + } + if (path.contains("?")) { + String replacement = getRandomString(1, 1); + path = path.replaceAll("\\?", replacement); + } + return path; + } + + /** + * returns random String of given length range + * + * @param minLen + * @param maxLen + * @return + */ + private String getRandomString(int minLen, int maxLen) { + StringBuilder sb = new StringBuilder(); + int len = getRandomInt(minLen, maxLen); + for (int i = 0; i < len; i++) { + int charIdx = random.nextInt(PATH_CHAR_SET_LEN); + sb.append(PATH_CHAR_SET[charIdx]); + } + return sb.toString(); + } + + /** + * return random integer number for given range + * + * @param min + * @param max + * @return + */ + private int getRandomInt(int min, int max) { + if (min == max) { + return min; + } else { + int interval = max - min; + int randomNum = random.nextInt(); + return ((Math.abs(randomNum) % interval) + min); + } + } + + /** + * returns true if given userID is having specified permission on specified + * resource + * + * @param xUserId + * @param permission + * @param resourceId + * @return + */ + private boolean checkUsrPermForPolicy(Long xUserId, int permission, + Long resourceId) { + // this snippet load user groups and permission map list from DB + List<XXGroup> userGroups = new ArrayList<XXGroup>(); + List<XXPermMap> permMapList = new ArrayList<XXPermMap>(); + userGroups = daoManager.getXXGroup().findByUserId(xUserId); + permMapList = daoManager.getXXPermMap().findByResourceId(resourceId); + Long publicGroupId = getPublicGroupId(); + boolean matchFound = false; + for (XXPermMap permMap : permMapList) { + if (permMap.getPermType() == permission) { + if (permMap.getPermFor() == AppConstants.XA_PERM_FOR_GROUP) { + // check whether permission is enabled for public group or a group to which user belongs + matchFound = (publicGroupId != null && publicGroupId == permMap.getGroupId()) || isGroupInList(permMap.getGroupId(), userGroups); + } else if (permMap.getPermFor() == AppConstants.XA_PERM_FOR_USER) { + // check whether permission is enabled to user + matchFound = permMap.getUserId().equals(xUserId); + } + } + if (matchFound) { + break; + } + } + return matchFound; + } + + public Long getPublicGroupId() { + XXGroup xXGroupPublic = daoManager.getXXGroup().findByGroupName(XAConstants.GROUP_PUBLIC); + + return xXGroupPublic != null ? xXGroupPublic.getId() : null; + } + + /** + * returns true is given group id is in given group list + * + * @param groupId + * @param xGroupList + * @return + */ + public boolean isGroupInList(Long groupId, List<XXGroup> xGroupList) { + for (XXGroup xGroup : xGroupList) { + if (xGroup.getId().equals(groupId)) { + return true; + } + } + return false; + } + + /** + * returns true if given path matches in same level or sub directories with + * given wild card pattern + * + * @param pathToCheck + * @param wildcardPath + * @return + */ + public boolean isRecursiveWildCardMatch(String pathToCheck, + String wildcardPath) { + if (pathToCheck != null) { + if (wildcardPath != null && wildcardPath.equals(fileSeparator)) { + return true; + } + StringBuilder sb = new StringBuilder(); + for (String p : pathToCheck.split(fileSeparator)) { + sb.append(p); + boolean matchFound = FilenameUtils.wildcardMatch(sb.toString(), + wildcardPath); + if (matchFound) { + return true; + } + sb.append(fileSeparator); + } + sb = null; + } + return false; + } + + /** + * return List<Integer> + * + * List of all possible parent return type for some specific resourceType + * + * @param resourceType + * , assetType + * + */ + public List<Integer> getResorceTypeParentHirearchy(int resourceType, + int assetType) { + List<Integer> resourceTypeList = new ArrayList<Integer>(); + + if (assetType == AppConstants.ASSET_HDFS) { + resourceTypeList.add(AppConstants.RESOURCE_PATH); + } else if (assetType == AppConstants.ASSET_HIVE) { + resourceTypeList.add(AppConstants.RESOURCE_DB); + if (resourceType == AppConstants.RESOURCE_TABLE) { + resourceTypeList.add(AppConstants.RESOURCE_TABLE); + } else if (resourceType == AppConstants.RESOURCE_UDF) { + resourceTypeList.add(AppConstants.RESOURCE_UDF); + } else if (resourceType == AppConstants.RESOURCE_COLUMN) { + resourceTypeList.add(AppConstants.RESOURCE_TABLE); + resourceTypeList.add(AppConstants.RESOURCE_COLUMN); + } + } else if (assetType == AppConstants.ASSET_HBASE) { + resourceTypeList.add(AppConstants.RESOURCE_TABLE); + if (resourceType == AppConstants.RESOURCE_COL_FAM) { + resourceTypeList.add(AppConstants.RESOURCE_COL_FAM); + } else if (resourceType == AppConstants.RESOURCE_COLUMN) { + resourceTypeList.add(AppConstants.RESOURCE_COL_FAM); + resourceTypeList.add(AppConstants.RESOURCE_COLUMN); + } + } + + return resourceTypeList; + } + + /** + * return true if both path matches exactly, wild card matching is not + * checked + * + * @param path1 + * @param path2 + * @return + */ + public boolean comparePathsForExactMatch(String path1, String path2) { + String pathSeparator = fileSeparator; + if (!path1.endsWith(pathSeparator)) { + path1 = path1.concat(pathSeparator); + } + if (!path2.endsWith(pathSeparator)) { + path2 = path2.concat(pathSeparator); + } + return path1.equalsIgnoreCase(path2); + } + + /** + * return true if both path matches at same level path, this function does + * not match sub directories + * + * @param pathToCheck + * @param wildcardPath + * @return + */ + public boolean nonRecursiveWildCardMatch(String pathToCheck, + String wildcardPath) { + if (pathToCheck != null && wildcardPath != null) { + + List<String> pathToCheckArray = new ArrayList<String>(); + List<String> wildcardPathArray = new ArrayList<String>(); + + for (String p : pathToCheck.split(fileSeparator)) { + pathToCheckArray.add(p); + } + for (String w : wildcardPath.split(fileSeparator)) { + wildcardPathArray.add(w); + } + + if (pathToCheckArray.size() == wildcardPathArray.size()) { + boolean match = false; + for (int index = 0; index < pathToCheckArray.size(); index++) { + match = matchPath(pathToCheckArray.get(index), + wildcardPathArray.get(index)); + if (!match) + return match; + } + return match; + } + } + return false; + } + + /** + * returns true if first and second path are same + * + * @param pathToCheckFragment + * @param wildCardPathFragment + * @return + */ + private boolean matchPath(String pathToCheckFragment, + String wildCardPathFragment) { + if(pathToCheckFragment == null || wildCardPathFragment == null) { + return false; + } + + if (pathToCheckFragment.contains("*") + || pathToCheckFragment.contains("?")) { + pathToCheckFragment = replaceMetaChars(pathToCheckFragment); + + if (wildCardPathFragment.contains("*") + || wildCardPathFragment.contains("?")) { + return FilenameUtils.wildcardMatch(pathToCheckFragment, + wildCardPathFragment, IOCase.SENSITIVE); + } else { + return false; + } + } else { + if (wildCardPathFragment.contains("*") + || wildCardPathFragment.contains("?")) { + return FilenameUtils.wildcardMatch(pathToCheckFragment, + wildCardPathFragment, IOCase.SENSITIVE); + } else { + return pathToCheckFragment.trim().equals( + wildCardPathFragment.trim()); + } + } + } + + private boolean matchPath(String pathToCheck, String[] wildCardPaths) { + if (pathToCheck != null && wildCardPaths != null) { + for (String wildCardPath : wildCardPaths) { + if (matchPath(pathToCheck, wildCardPath)) { + return true; + } + } + } + + return false; + } + + /** + * This method returns true if first parameter value is equal to others + * argument value passed + * + * @param checkValue + * @param otherValues + * @return + */ + public static boolean areAllEqual(int checkValue, int... otherValues) { + for (int value : otherValues) { + if (value != checkValue) { + return false; + } + } + return true; + } + + public void createTrxLog(List<XXTrxLog> trxLogList) { + if (trxLogList == null) { + return; + } + + UserSessionBase usb = ContextUtil.getCurrentUserSession(); + Long authSessionId = null; + if (usb != null) { + authSessionId = ContextUtil.getCurrentUserSession().getSessionId(); + } + Long trxId = GUIDUtil.genLong(); + + for (XXTrxLog xTrxLog : trxLogList) { + xTrxLog.setTransactionId(trxId.toString()); + if (authSessionId != null) { + xTrxLog.setSessionId("" + authSessionId); + } + xTrxLog.setSessionType("Spring Authenticated Session"); + xTrxLog.setRequestId(trxId.toString()); + daoManager.getXXTrxLog().create(xTrxLog); + } + } + + public static int getDBFlavor() { + + String dbFlavor = ""; + boolean dbFlavorPropFound = true; + + dbFlavor = PropertiesUtil.getProperty("xa.db.flavor"); + if (dbFlavor == null || dbFlavor.trim().isEmpty()) { + dbFlavor = PropertiesUtil.getProperty("jdbc.dialect"); + dbFlavorPropFound = false; + } + + if (dbFlavor != null && !dbFlavor.trim().isEmpty()) { + if (dbFlavorPropFound) { + if ("MYSQL".equalsIgnoreCase(dbFlavor)) { + return AppConstants.DB_FLAVOR_MYSQL; + } else if ("ORACLE".equalsIgnoreCase(dbFlavor)) { + return AppConstants.DB_FLAVOR_ORACLE; + } else { + return AppConstants.DB_FLAVOR_UNKNOWN; + } + } else { + if (dbFlavor.toUpperCase().contains("MYSQL")) { + return AppConstants.DB_FLAVOR_MYSQL; + } else if (dbFlavor.toUpperCase().contains("ORACLE")) { + return AppConstants.DB_FLAVOR_ORACLE; + } else { + return AppConstants.DB_FLAVOR_UNKNOWN; + } + } + } else { + logger.error("Property : xa.db.flavor or jdbc.dialect, not found"); + return AppConstants.DB_FLAVOR_UNKNOWN; + } + } + +}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java new file mode 100644 index 0000000..9d69a95 --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java @@ -0,0 +1,25 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + + package org.apache.ranger.biz; + +public class XAuditMgr extends XAuditMgrBase { + +} + http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgrBase.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgrBase.java b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgrBase.java new file mode 100644 index 0000000..7031508 --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgrBase.java @@ -0,0 +1,102 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + + package org.apache.ranger.biz; + +import org.apache.ranger.common.*; +import org.apache.ranger.service.*; +import org.apache.ranger.view.*; +import org.springframework.beans.factory.annotation.Autowired; +public class XAuditMgrBase { + + @Autowired + RESTErrorUtil restErrorUtil; + + @Autowired + XTrxLogService xTrxLogService; + + @Autowired + XAccessAuditService xAccessAuditService; + public VXTrxLog getXTrxLog(Long id){ + return (VXTrxLog)xTrxLogService.readResource(id); + } + + public VXTrxLog createXTrxLog(VXTrxLog vXTrxLog){ + vXTrxLog = (VXTrxLog)xTrxLogService.createResource(vXTrxLog); + return vXTrxLog; + } + + public VXTrxLog updateXTrxLog(VXTrxLog vXTrxLog) { + vXTrxLog = (VXTrxLog)xTrxLogService.updateResource(vXTrxLog); + return vXTrxLog; + } + + public void deleteXTrxLog(Long id, boolean force) { + if (force) { + xTrxLogService.deleteResource(id); + } else { + throw restErrorUtil.createRESTException( + "serverMsg.modelMgrBaseDeleteModel", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + + public VXTrxLogList searchXTrxLogs(SearchCriteria searchCriteria) { + return xTrxLogService.searchXTrxLogs(searchCriteria); + } + + public VXLong getXTrxLogSearchCount(SearchCriteria searchCriteria) { + return xTrxLogService.getSearchCount(searchCriteria, + xTrxLogService.searchFields); + } + + public VXAccessAudit getXAccessAudit(Long id){ + return (VXAccessAudit)xAccessAuditService.readResource(id); + } + + public VXAccessAudit createXAccessAudit(VXAccessAudit vXAccessAudit){ + vXAccessAudit = (VXAccessAudit)xAccessAuditService.createResource(vXAccessAudit); + return vXAccessAudit; + } + + public VXAccessAudit updateXAccessAudit(VXAccessAudit vXAccessAudit) { + vXAccessAudit = (VXAccessAudit)xAccessAuditService.updateResource(vXAccessAudit); + return vXAccessAudit; + } + + public void deleteXAccessAudit(Long id, boolean force) { + if (force) { + xAccessAuditService.deleteResource(id); + } else { + throw restErrorUtil.createRESTException( + "serverMsg.modelMgrBaseDeleteModel", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + + public VXAccessAuditList searchXAccessAudits(SearchCriteria searchCriteria) { + return xAccessAuditService.searchXAccessAudits(searchCriteria); + } + + public VXLong getXAccessAuditSearchCount(SearchCriteria searchCriteria) { + return xAccessAuditService.getSearchCount(searchCriteria, + xAccessAuditService.searchFields); + } + +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java new file mode 100644 index 0000000..7f0fe37 --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java @@ -0,0 +1,450 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + + package org.apache.ranger.biz; + +import java.util.ArrayList; +import java.util.Collection; +import java.util.HashSet; +import java.util.List; +import java.util.Set; + +import org.apache.log4j.Logger; +import org.apache.ranger.biz.UserMgr; +import org.apache.ranger.biz.XABizUtil; +import org.apache.ranger.common.MessageEnums; +import org.apache.ranger.common.PropertiesUtil; +import org.apache.ranger.common.SearchCriteria; +import org.apache.ranger.common.XAConstants; +import org.apache.ranger.db.XADaoManager; +import org.apache.ranger.db.XXGroupUserDao; +import org.apache.ranger.entity.XXGroup; +import org.apache.ranger.entity.XXPortalUser; +import org.apache.ranger.entity.XXTrxLog; +import org.apache.ranger.service.XUserService; +import org.apache.ranger.view.VXGroup; +import org.apache.ranger.view.VXGroupList; +import org.apache.ranger.view.VXGroupUser; +import org.apache.ranger.view.VXGroupUserList; +import org.apache.ranger.view.VXPortalUser; +import org.apache.ranger.view.VXUser; +import org.apache.ranger.view.VXUserList; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +@Component +public class XUserMgr extends XUserMgrBase { + + @Autowired + XUserService xUserService; + @Autowired + XABizUtil msBizUtil; + + @Autowired + UserMgr userMgr; + + @Autowired + XADaoManager daoManager; + + @Autowired + XABizUtil xaBizUtil; + + static final Logger logger = Logger.getLogger(XUserMgr.class); + + public void deleteXGroup(Long id, boolean force) { + if (force) { + SearchCriteria searchCriteria = new SearchCriteria(); + searchCriteria.addParam("xGroupId", id); + VXGroupUserList vxGroupUserList = searchXGroupUsers(searchCriteria); + for (VXGroupUser groupUser : vxGroupUserList.getList()) { + daoManager.getXXGroupUser().remove(groupUser.getId()); + } + XXGroup xGroup = daoManager.getXXGroup().getById(id); + daoManager.getXXGroup().remove(id); + List<XXTrxLog> trxLogList = xGroupService.getTransactionLog( + xGroupService.populateViewBean(xGroup), "delete"); + xaBizUtil.createTrxLog(trxLogList); + } else { + throw restErrorUtil.createRESTException( + "serverMsg.modelMgrBaseDeleteModel", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + + public void deleteXUser(Long id, boolean force) { + if (force) { + SearchCriteria searchCriteria = new SearchCriteria(); + searchCriteria.addParam("xUserId", id); + VXGroupUserList vxGroupUserList = searchXGroupUsers(searchCriteria); + + XXGroupUserDao xGroupUserDao = daoManager.getXXGroupUser(); + for (VXGroupUser groupUser : vxGroupUserList.getList()) { + xGroupUserDao.remove(groupUser.getId()); + } + // TODO : Need to discuss, why we were not removing user from the + // system. + + // XXUser xUser = daoManager.getXXUser().getById(id); + daoManager.getXXUser().remove(id); + //applicationCache.removeUserID(id); + // Not Supported So Far + // List<XXTrxLog> trxLogList = xUserService.getTransactionLog( + // xUserService.populateViewBean(xUser), "delete"); + // xaBizUtil.createTrxLog(trxLogList); + } else { + throw restErrorUtil.createRESTException( + "serverMsg.modelMgrBaseDeleteModel", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + + public VXUser getXUserByUserName(String userName) { + return xUserService.getXUserByUserName(userName); + } + + public VXUser createXUser(VXUser vXUser) { + + String userName = vXUser.getName(); + if (userName == null || userName.isEmpty()) { + throw restErrorUtil.createRESTException("Please provide a valid " + + "username.", MessageEnums.INVALID_INPUT_DATA); + } + + if (vXUser.getDescription() == null) { + setUserDesc(vXUser); + } + + String actualPassword = vXUser.getPassword(); + + VXPortalUser vXPortalUser = new VXPortalUser(); + vXPortalUser.setLoginId(userName); + vXPortalUser.setFirstName(vXUser.getFirstName()); + vXPortalUser.setLastName(vXUser.getLastName()); + vXPortalUser.setEmailAddress(vXUser.getEmailAddress()); + vXPortalUser.setPublicScreenName(vXUser.getFirstName() +" "+ vXUser.getLastName()); + vXPortalUser.setPassword(actualPassword); + vXPortalUser.setUserRoleList(vXUser.getUserRoleList()); + vXPortalUser = userMgr.createDefaultAccountUser(vXPortalUser); + + VXUser createdXUser = xUserService.createResource(vXUser); + + createdXUser.setPassword(actualPassword); + List<XXTrxLog> trxLogList = xUserService.getTransactionLog( + createdXUser, "create"); + + String hiddenPassword = PropertiesUtil.getProperty( + "xa.password.hidden", "*****"); + createdXUser.setPassword(hiddenPassword); + + Collection<Long> groupIdList = vXUser.getGroupIdList(); + List<VXGroupUser> vXGroupUsers = new ArrayList<VXGroupUser>(); + if (groupIdList != null) { + for (Long groupId : groupIdList) { + VXGroupUser vXGroupUser = createXGroupUser( + createdXUser.getId(), groupId); + // trxLogList.addAll(xGroupUserService.getTransactionLog( + // vXGroupUser, "create")); + vXGroupUsers.add(vXGroupUser); + } + } + for (VXGroupUser vXGroupUser : vXGroupUsers) { + trxLogList.addAll(xGroupUserService.getTransactionLog(vXGroupUser, + "create")); + } + // + xaBizUtil.createTrxLog(trxLogList); + + return createdXUser; + } + + private VXGroupUser createXGroupUser(Long userId, Long groupId) { + VXGroupUser vXGroupUser = new VXGroupUser(); + vXGroupUser.setParentGroupId(groupId); + vXGroupUser.setUserId(userId); + VXGroup vXGroup = xGroupService.readResource(groupId); + vXGroupUser.setName(vXGroup.getName()); + vXGroupUser = xGroupUserService.createResource(vXGroupUser); + + return vXGroupUser; + } + + public VXUser updateXUser(VXUser vXUser) { + VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser + .getName()); + VXPortalUser vXPortalUser = new VXPortalUser(); + if(oldUserProfile!=null && oldUserProfile.getId()!=null){ + vXPortalUser.setId(oldUserProfile.getId()); + } + // TODO : There is a possibility that old user may not exist. + + + vXPortalUser.setFirstName(vXUser.getFirstName()); + vXPortalUser.setLastName(vXUser.getLastName()); + vXPortalUser.setEmailAddress(vXUser.getEmailAddress()); + vXPortalUser.setLoginId(vXUser.getName()); + vXPortalUser.setStatus(vXUser.getStatus()); + vXPortalUser.setUserRoleList(vXUser.getUserRoleList()); + vXPortalUser.setPublicScreenName(vXUser.getFirstName() + " " + + vXUser.getLastName()); + vXPortalUser.setUserSource(vXUser.getUserSource()); + String hiddenPasswordString = PropertiesUtil.getProperty( + "xa.password.hidden", "*****"); + String password = vXUser.getPassword(); + if (password != null && password.equals(hiddenPasswordString)) { + vXPortalUser.setPassword(oldUserProfile.getPassword()); + } + vXPortalUser.setPassword(password); + + Collection<Long> groupIdList = vXUser.getGroupIdList(); + XXPortalUser xXPortalUser = new XXPortalUser(); + xXPortalUser=userMgr.updateUserWithPass(vXPortalUser); + Collection<String> roleList = new ArrayList<String>(); + if(xXPortalUser!=null){ + roleList=userMgr.getRolesForUser(xXPortalUser); + } + if(roleList==null || roleList.size()==0){ + roleList.add(XAConstants.ROLE_USER); + } + + // TODO I've to get the transaction log from here. + // There is nothing to log anything in XXUser so far. + vXUser = xUserService.updateResource(vXUser); + vXUser.setUserRoleList(roleList); + vXUser.setPassword(password); + List<XXTrxLog> trxLogList = xUserService.getTransactionLog(vXUser, + oldUserProfile, "update"); + vXUser.setPassword(hiddenPasswordString); + + Long userId = vXUser.getId(); + List<Long> groupUsersToRemove = new ArrayList<Long>(); + + if (groupIdList != null) { + SearchCriteria searchCriteria = new SearchCriteria(); + searchCriteria.addParam("xUserId", userId); + VXGroupUserList vXGroupUserList = xGroupUserService + .searchXGroupUsers(searchCriteria); + List<VXGroupUser> vXGroupUsers = vXGroupUserList.getList(); + + if (vXGroupUsers != null) { + + // Create + for (Long groupId : groupIdList) { + boolean found = false; + for (VXGroupUser vXGroupUser : vXGroupUsers) { + if (groupId.equals(vXGroupUser.getParentGroupId())) { + found = true; + break; + } + } + if (!found) { + VXGroupUser vXGroupUser = createXGroupUser(userId, + groupId); + trxLogList.addAll(xGroupUserService.getTransactionLog( + vXGroupUser, "create")); + } + } + + // Delete + for (VXGroupUser vXGroupUser : vXGroupUsers) { + boolean found = false; + for (Long groupId : groupIdList) { + if (groupId.equals(vXGroupUser.getParentGroupId())) { + trxLogList.addAll(xGroupUserService + .getTransactionLog(vXGroupUser, "update")); + found = true; + break; + } + } + if (!found) { + // TODO I've to get the transaction log from here. + trxLogList.addAll(xGroupUserService.getTransactionLog( + vXGroupUser, "delete")); + groupUsersToRemove.add(vXGroupUser.getId()); + // xGroupUserService.deleteResource(vXGroupUser.getId()); + } + } + + } else { + for (Long groupId : groupIdList) { + VXGroupUser vXGroupUser = createXGroupUser(userId, groupId); + trxLogList.addAll(xGroupUserService.getTransactionLog( + vXGroupUser, "create")); + } + } + vXUser.setGroupIdList(groupIdList); + } else { + logger.debug("Group id list can't be null for user. Group user " + + "mapping not updated for user : " + userId); + } + + xaBizUtil.createTrxLog(trxLogList); + + for (Long groupUserId : groupUsersToRemove) { + xGroupUserService.deleteResource(groupUserId); + } + + return vXUser; + } + + public VXUser createXUserWithOutLogin(VXUser vXUser) { + return xUserService.createXUserWithOutLogin(vXUser); + } + + public VXGroup createXGroup(VXGroup vXGroup) { + // FIXME Just a hack + if (vXGroup.getDescription() == null) { + vXGroup.setDescription(vXGroup.getName()); + } + + vXGroup = xGroupService.createResource(vXGroup); + List<XXTrxLog> trxLogList = xGroupService.getTransactionLog(vXGroup, + "create"); + xaBizUtil.createTrxLog(trxLogList); + return vXGroup; + } + + public VXGroup createXGroupWithoutLogin(VXGroup vXGroup) { + return xGroupService.createXGroupWithOutLogin(vXGroup); + } + + public VXGroupUser createXGroupUser(VXGroupUser vXGroupUser) { + vXGroupUser = xGroupUserService + .createXGroupUserWithOutLogin(vXGroupUser); + return vXGroupUser; + } + + public VXUser getXUser(Long id) { + return xUserService.readResourceWithOutLogin(id); + + } + + public VXGroupUser getXGroupUser(Long id) { + return xGroupUserService.readResourceWithOutLogin(id); + + } + + public VXGroup getXGroup(Long id) { + return xGroupService.readResourceWithOutLogin(id); + + } + + /** + * // public void createXGroupAndXUser(String groupName, String userName) { + * + * // Long groupId; // Long userId; // XXGroup xxGroup = // + * appDaoManager.getXXGroup().findByGroupName(groupName); // VXGroup + * vxGroup; // if (xxGroup == null) { // vxGroup = new VXGroup(); // + * vxGroup.setName(groupName); // vxGroup.setDescription(groupName); // + * vxGroup.setGroupType(AppConstants.XA_GROUP_USER); // + * vxGroup.setPriAcctId(1l); // vxGroup.setPriGrpId(1l); // vxGroup = + * xGroupService.createResource(vxGroup); // groupId = vxGroup.getId(); // } + * else { // groupId = xxGroup.getId(); // } // XXUser xxUser = + * appDaoManager.getXXUser().findByUserName(userName); // VXUser vxUser; // + * if (xxUser == null) { // vxUser = new VXUser(); // + * vxUser.setName(userName); // vxUser.setDescription(userName); // + * vxUser.setPriGrpId(1l); // vxUser.setPriAcctId(1l); // vxUser = + * xUserService.createResource(vxUser); // userId = vxUser.getId(); // } + * else { // userId = xxUser.getId(); // } // VXGroupUser vxGroupUser = new + * VXGroupUser(); // vxGroupUser.setParentGroupId(groupId); // + * vxGroupUser.setUserId(userId); // vxGroupUser.setName(groupName); // + * vxGroupUser.setPriAcctId(1l); // vxGroupUser.setPriGrpId(1l); // + * vxGroupUser = xGroupUserService.createResource(vxGroupUser); + * + * // } + */ + + public void deleteXGroupAndXUser(String groupName, String userName) { + VXGroup vxGroup = xGroupService.getGroupByGroupName(groupName); + VXUser vxUser = xUserService.getXUserByUserName(userName); + SearchCriteria searchCriteria = new SearchCriteria(); + searchCriteria.addParam("xGroupId", vxGroup.getId()); + searchCriteria.addParam("xUserId", vxUser.getId()); + VXGroupUserList vxGroupUserList = xGroupUserService + .searchXGroupUsers(searchCriteria); + for (VXGroupUser vxGroupUser : vxGroupUserList.getList()) { + daoManager.getXXGroupUser().remove(vxGroupUser.getId()); + } + } + + public VXGroupList getXUserGroups(Long xUserId) { + SearchCriteria searchCriteria = new SearchCriteria(); + searchCriteria.addParam("xUserId", xUserId); + VXGroupUserList vXGroupUserList = xGroupUserService + .searchXGroupUsers(searchCriteria); + VXGroupList vXGroupList = new VXGroupList(); + List<VXGroup> vXGroups = new ArrayList<VXGroup>(); + if (vXGroupUserList != null) { + List<VXGroupUser> vXGroupUsers = vXGroupUserList.getList(); + Set<Long> groupIdList = new HashSet<Long>(); + for (VXGroupUser vXGroupUser : vXGroupUsers) { + groupIdList.add(vXGroupUser.getParentGroupId()); + } + for (Long groupId : groupIdList) { + VXGroup vXGroup = xGroupService.readResource(groupId); + vXGroups.add(vXGroup); + } + vXGroupList.setVXGroups(vXGroups); + } else { + logger.debug("No groups found for user id : " + xUserId); + } + return vXGroupList; + } + + public VXUserList getXGroupUsers(Long xGroupId) { + SearchCriteria searchCriteria = new SearchCriteria(); + searchCriteria.addParam("xGroupId", xGroupId); + VXGroupUserList vXGroupUserList = xGroupUserService + .searchXGroupUsers(searchCriteria); + VXUserList vXUserList = new VXUserList(); + + List<VXUser> vXUsers = new ArrayList<VXUser>(); + if (vXGroupUserList != null) { + List<VXGroupUser> vXGroupUsers = vXGroupUserList.getList(); + Set<Long> userIdList = new HashSet<Long>(); + for (VXGroupUser vXGroupUser : vXGroupUsers) { + userIdList.add(vXGroupUser.getUserId()); + } + for (Long userId : userIdList) { + VXUser vXUser = xUserService.readResource(userId); + vXUsers.add(vXUser); + + } + vXUserList.setVXUsers(vXUsers); + } else { + logger.debug("No users found for group id : " + xGroupId); + } + return vXUserList; + } + + // FIXME Hack : Unnecessary, to be removed after discussion. + private void setUserDesc(VXUser vXUser) { + vXUser.setDescription(vXUser.getName()); + } + + @Override + public VXGroup updateXGroup(VXGroup vXGroup) { + XXGroup xGroup = daoManager.getXXGroup().getById(vXGroup.getId()); + List<XXTrxLog> trxLogList = xGroupService.getTransactionLog(vXGroup, + xGroup, "update"); + xaBizUtil.createTrxLog(trxLogList); + vXGroup = (VXGroup) xGroupService.updateResource(vXGroup); + return vXGroup; + } + +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/413fcb68/security-admin/src/main/java/org/apache/ranger/biz/XUserMgrBase.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgrBase.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgrBase.java new file mode 100644 index 0000000..2a413d2 --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgrBase.java @@ -0,0 +1,246 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + + package org.apache.ranger.biz; + +import org.apache.ranger.common.*; +import org.apache.ranger.service.*; +import org.apache.ranger.view.*; +import org.springframework.beans.factory.annotation.Autowired; +public class XUserMgrBase { + + @Autowired + RESTErrorUtil restErrorUtil; + + @Autowired + XGroupService xGroupService; + + @Autowired + XUserService xUserService; + + @Autowired + XGroupUserService xGroupUserService; + + @Autowired + XGroupGroupService xGroupGroupService; + + @Autowired + XPermMapService xPermMapService; + + @Autowired + XAuditMapService xAuditMapService; + public VXGroup getXGroup(Long id){ + return (VXGroup)xGroupService.readResource(id); + } + + public VXGroup createXGroup(VXGroup vXGroup){ + vXGroup = (VXGroup)xGroupService.createResource(vXGroup); + return vXGroup; + } + + public VXGroup updateXGroup(VXGroup vXGroup) { + vXGroup = (VXGroup)xGroupService.updateResource(vXGroup); + return vXGroup; + } + + public void deleteXGroup(Long id, boolean force) { + if (force) { + xGroupService.deleteResource(id); + } else { + throw restErrorUtil.createRESTException( + "serverMsg.modelMgrBaseDeleteModel", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + + public VXGroupList searchXGroups(SearchCriteria searchCriteria) { + return xGroupService.searchXGroups(searchCriteria); + } + + public VXLong getXGroupSearchCount(SearchCriteria searchCriteria) { + return xGroupService.getSearchCount(searchCriteria, + xGroupService.searchFields); + } + + public VXUser getXUser(Long id){ + return (VXUser)xUserService.readResource(id); + } + + public VXUser createXUser(VXUser vXUser){ + vXUser = (VXUser)xUserService.createResource(vXUser); + return vXUser; + } + + public VXUser updateXUser(VXUser vXUser) { + vXUser = (VXUser)xUserService.updateResource(vXUser); + return vXUser; + } + + public void deleteXUser(Long id, boolean force) { + if (force) { + xUserService.deleteResource(id); + } else { + throw restErrorUtil.createRESTException( + "serverMsg.modelMgrBaseDeleteModel", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + + public VXUserList searchXUsers(SearchCriteria searchCriteria) { + return xUserService.searchXUsers(searchCriteria); + } + + public VXLong getXUserSearchCount(SearchCriteria searchCriteria) { + return xUserService.getSearchCount(searchCriteria, + xUserService.searchFields); + } + + public VXGroupUser getXGroupUser(Long id){ + return (VXGroupUser)xGroupUserService.readResource(id); + } + + public VXGroupUser createXGroupUser(VXGroupUser vXGroupUser){ + vXGroupUser = (VXGroupUser)xGroupUserService.createResource(vXGroupUser); + return vXGroupUser; + } + + public VXGroupUser updateXGroupUser(VXGroupUser vXGroupUser) { + vXGroupUser = (VXGroupUser)xGroupUserService.updateResource(vXGroupUser); + return vXGroupUser; + } + + public void deleteXGroupUser(Long id, boolean force) { + if (force) { + xGroupUserService.deleteResource(id); + } else { + throw restErrorUtil.createRESTException( + "serverMsg.modelMgrBaseDeleteModel", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + + public VXGroupUserList searchXGroupUsers(SearchCriteria searchCriteria) { + return xGroupUserService.searchXGroupUsers(searchCriteria); + } + + public VXLong getXGroupUserSearchCount(SearchCriteria searchCriteria) { + return xGroupUserService.getSearchCount(searchCriteria, + xGroupUserService.searchFields); + } + + public VXGroupGroup getXGroupGroup(Long id){ + return (VXGroupGroup)xGroupGroupService.readResource(id); + } + + public VXGroupGroup createXGroupGroup(VXGroupGroup vXGroupGroup){ + vXGroupGroup = (VXGroupGroup)xGroupGroupService.createResource(vXGroupGroup); + return vXGroupGroup; + } + + public VXGroupGroup updateXGroupGroup(VXGroupGroup vXGroupGroup) { + vXGroupGroup = (VXGroupGroup)xGroupGroupService.updateResource(vXGroupGroup); + return vXGroupGroup; + } + + public void deleteXGroupGroup(Long id, boolean force) { + if (force) { + xGroupGroupService.deleteResource(id); + } else { + throw restErrorUtil.createRESTException( + "serverMsg.modelMgrBaseDeleteModel", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + + public VXGroupGroupList searchXGroupGroups(SearchCriteria searchCriteria) { + return xGroupGroupService.searchXGroupGroups(searchCriteria); + } + + public VXLong getXGroupGroupSearchCount(SearchCriteria searchCriteria) { + return xGroupGroupService.getSearchCount(searchCriteria, + xGroupGroupService.searchFields); + } + + public VXPermMap getXPermMap(Long id){ + return (VXPermMap)xPermMapService.readResource(id); + } + + public VXPermMap createXPermMap(VXPermMap vXPermMap){ + vXPermMap = (VXPermMap)xPermMapService.createResource(vXPermMap); + return vXPermMap; + } + + public VXPermMap updateXPermMap(VXPermMap vXPermMap) { + vXPermMap = (VXPermMap)xPermMapService.updateResource(vXPermMap); + return vXPermMap; + } + + public void deleteXPermMap(Long id, boolean force) { + if (force) { + xPermMapService.deleteResource(id); + } else { + throw restErrorUtil.createRESTException( + "serverMsg.modelMgrBaseDeleteModel", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + + public VXPermMapList searchXPermMaps(SearchCriteria searchCriteria) { + return xPermMapService.searchXPermMaps(searchCriteria); + } + + public VXLong getXPermMapSearchCount(SearchCriteria searchCriteria) { + return xPermMapService.getSearchCount(searchCriteria, + xPermMapService.searchFields); + } + + public VXAuditMap getXAuditMap(Long id){ + return (VXAuditMap)xAuditMapService.readResource(id); + } + + public VXAuditMap createXAuditMap(VXAuditMap vXAuditMap){ + vXAuditMap = (VXAuditMap)xAuditMapService.createResource(vXAuditMap); + return vXAuditMap; + } + + public VXAuditMap updateXAuditMap(VXAuditMap vXAuditMap) { + vXAuditMap = (VXAuditMap)xAuditMapService.updateResource(vXAuditMap); + return vXAuditMap; + } + + public void deleteXAuditMap(Long id, boolean force) { + if (force) { + xAuditMapService.deleteResource(id); + } else { + throw restErrorUtil.createRESTException( + "serverMsg.modelMgrBaseDeleteModel", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + + public VXAuditMapList searchXAuditMaps(SearchCriteria searchCriteria) { + return xAuditMapService.searchXAuditMaps(searchCriteria); + } + + public VXLong getXAuditMapSearchCount(SearchCriteria searchCriteria) { + return xAuditMapService.getSearchCount(searchCriteria, + xAuditMapService.searchFields); + } + +}
