RANGER-248: updated grant API to support recursive flag - needed in YARN plugin
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/307d51c2 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/307d51c2 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/307d51c2 Branch: refs/heads/master Commit: 307d51c2da351f3e370d820fb8fdcda10d84a6a9 Parents: c0bb7ec Author: Madhan Neethiraj <[email protected]> Authored: Mon Feb 23 16:05:15 2015 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Mon Feb 23 16:05:15 2015 -0800 ---------------------------------------------------------------------- .../ranger/plugin/util/GrantRevokeRequest.java | 21 +- .../service-defs/ranger-servicedef-yarn.json | 65 +++- plugin-yarn/scripts/install.sh | 354 ------------------- plugin-yarn/scripts/uninstall.sh | 65 ---- .../yarn/authorizer/RangerYarnAuthorizer.java | 14 +- pom.xml | 1 + .../org/apache/ranger/rest/ServiceREST.java | 5 +- .../ranger/service/RangerBaseModelService.java | 8 +- 8 files changed, 94 insertions(+), 439 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/307d51c2/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java index cf871ca..dadcff0 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/GrantRevokeRequest.java 
@@ -51,13 +51,14 @@ public class GrantRevokeRequest implements Serializable {
 private Boolean delegateAdmin = Boolean.FALSE;
 private Boolean enableAudit = Boolean.TRUE;
 private Boolean replaceExistingPermissions = Boolean.FALSE;
+ private Boolean isRecursive = Boolean.FALSE;
 public GrantRevokeRequest() {
- this(null, null, null, null, null, null, null, null);
+ this(null, null, null, null, null, null, null, null, null);
 }
- public GrantRevokeRequest(String grantor, Map<String, String> resource, Set<String> users, Set<String> groups, Set<String> accessTypes, Boolean delegateAdmin, Boolean enableAudit, Boolean replaceExistingPermissions) {
+ public GrantRevokeRequest(String grantor, Map<String, String> resource, Set<String> users, Set<String> groups, Set<String> accessTypes, Boolean delegateAdmin, Boolean enableAudit, Boolean replaceExistingPermissions, Boolean isRecursive) {
 setGrantor(grantor);
 setResource(resource);
 setUsers(users);
@@ -67,6 +68,7 @@ public class GrantRevokeRequest implements Serializable {
 setAccessTypes(accessTypes);
 setEnableAudit(enableAudit);
 setReplaceExistingPermissions(replaceExistingPermissions);
+ setIsRecursive(isRecursive);
 }
 /**
@@ -181,6 +183,20 @@ public class GrantRevokeRequest implements Serializable {
 this.replaceExistingPermissions = replaceExistingPermissions == null ? Boolean.FALSE : replaceExistingPermissions;
 }
+ /**
+ * @return the isRecursive
+ */
+ public Boolean getIsRecursive() {
+ return isRecursive;
+ }
+
+ /**
+ * @param isRecursive the isRecursive to set
+ */
+ public void setIsRecursive(Boolean isRecursive) {
+ this.isRecursive = isRecursive == null ? Boolean.FALSE : isRecursive;
+ }
+
 @Override
 public String toString( ) {
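Review bot: The eight-argument public constructor in the `@@ -51,13 +51,14 @@` hunk is replaced rather than kept as an overload, so any plugin or caller built against the old signature breaks. Keeping a constructor with the old parameter list whose body is `this(grantor, resource, users, groups, accessTypes, delegateAdmin, enableAudit, replaceExistingPermissions, null);` would preserve compatibility and still default the flag to FALSE through the setter. The Javadoc on the new accessors only repeats the field name; because this flag widens what a grant covers, it should say so, for example `@return TRUE if the grant or revoke also applies to resources beneath the named one; never null`. The class body continues outside these hunks.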
@@ -231,6 +247,7 @@ public class GrantRevokeRequest implements Serializable {
 sb.append("delegateAdmin={").append(delegateAdmin).append("} ");
 sb.append("enableAudit={").append(enableAudit).append("} ");
 sb.append("replaceExistingPermissions={").append(replaceExistingPermissions).append("} ");
+ sb.append("isRecursive={").append(isRecursive).append("} ");
 sb.append("}");
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/307d51c2/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json
index 00674b1..fc7d34f 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json
@@ -13,23 +13,70 @@ ], "configs": [ - {"name":"username", "type":"string", "mandatory":true, "label":"Username"}, - {"name":"password", "type":"password","mandatory":true, "label":"Password"}, - {"name":"yarn.url", "type":"string", "mandatory":true, "defaultValue":"","label":"YARN REST URL"}, - {"name":"certificate.cn","type":"string", "mandatory":false,"label":"Common Name for Certificate"} + { + "name":"username", + "type":"string", + "mandatory":true, + "label":"Username" + }, + { + "name":"password", + "type":"password", + "mandatory":true, + "label":"Password" + }, + { + "name":"yarn.url", + "type":"string", + "mandatory":true, + "defaultValue":"", + "label":"YARN REST URL" + }, + { + "name":"certificate.cn", + "type":"string", + "mandatory":false, + "label":"Common Name for Certificate" + } ], "resources": [ - {"name":"queue","type":"string","level":1,"mandatory":true,"lookupSupported":true,"matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher","matcherOptions":"wildCard=true;ignoreCase=true;pathSeperatorChar=.","label":"Queue","description":"Queue"} + { + "name":"queue", + "type":"string", + "level":1, + "mandatory":true, + "lookupSupported":true, + "recursiveSupported":true, + "matcher":"org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher", + "matcherOptions":"wildCard=true;ignoreCase=true;pathSeperatorChar=.", + "label":"Queue", + "description":"Queue" + } ], "accessTypes": [ - {"name":"submit-app","label":"submit-app"}, - {"name":"admin-queue","label":"admin-queue"}, - {"name":"admin","label":"admin"} + { + "name":"submit-app", + "label":"submit-app" + }, + { + "name":"admin-queue", + "label":"admin-queue" + }, + { + "name":"admin", + "label":"admin" + } ], "policyConditions": [ - {"name":"ip-range","evaluator":"org.apache.ranger.knox.IpRangeCondition","evaluatorOptions":"","label":"IP Address Range","description":"IP Address Range"} + { + "name":"ip-range", + 
"evaluator":"org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher", + "evaluatorOptions":"", + "label":"IP Address Range", + "description":"IP Address Range" + } ] } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/307d51c2/plugin-yarn/scripts/install.sh ---------------------------------------------------------------------- diff --git a/plugin-yarn/scripts/install.sh b/plugin-yarn/scripts/install.sh deleted file mode 100644 index 859b80c..0000000 --- a/plugin-yarn/scripts/install.sh +++ /dev/null 
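Review bot: Turning on `"recursiveSupported":true` for `queue` makes the reach of each policy depend on how the matcher splits a queue path, and the unchanged `matcherOptions` string spells the separator key `pathSeperatorChar`. The matcher class is not part of this diff, so confirm that it reads exactly this key; if it does not, the `.` separator is ignored and a recursive policy on a parent queue may cover more or fewer queues than intended. The same string sets `ignoreCase=true`; if YARN treats queue names as case-sensitive, a policy written for one queue would also apply to a differently-cased one, so `ignoreCase=false` looks like the safer default. The `ip-range` evaluator now names `org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher`, which should be checked against the plugin classpath since the class is not added in this commit.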
@@ -1,354 +0,0 @@ -#!/bin/bash - -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -create_jceks() -{ - alias=$1 - pass=$2 - jceksFile=$3 - - java -cp "${install_dir}/cred/lib/*:${install_dir}/installer/lib/*" org.apache.ranger.credentialapi.buildks create ${alias} -value ${pass} -provider jceks://file${jceksFile} - if [ $? -ne 0 ] - then - echo "ERROR: Unable to create/update credential file [${jceksFile}] for alias [${alias}]" - exit 1 - fi -} - -#Update Properties to File -#$1 -> propertyName $2 -> newPropertyValue $3 -> fileName -updatePropertyToFile(){ - sed -i 's@^'$1'=[^ ]*$@'$1'='$2'@g' $3 - #validate=`sed -i 's/^'$1'=[^ ]*$/'$1'='$2'/g' $3` #for validation - validate=$(sed '/^\#/d' $3 | grep "^$1" | tail -n 1 | cut -d "=" -f2-) # for validation - #echo 'V1:'$validate - if test -z "$validate" ; then echo "[E] '$1' not found in $3 file while Updating....!!"; exit 1; fi - echo "[I] File $3 Updated successfully : {'$1'}" -} - -yarn_dir=/usr/lib/yarn -yarn_lib_dir=${yarn_dir}/lib -yarn_conf_dir=/etc/yarn/conf -yarn_bin_dir=${yarn_dir}/bin - -CONFIG_FILE_OWNER=yarn:yarn - -yarn_srv_conf_dir=${yarn_conf_dir} -yarn_cli_conf_dir="${yarn_conf_dir}" - -install_dir=`dirname $0` - -[ "${install_dir}" = "." 
] && install_dir=`pwd` - - -#verify sql-connector path is valid -SQL_CONNECTOR_JAR=`grep '^SQL_CONNECTOR_JAR' ${install_dir}/install.properties | awk -F= '{ print $2 }'` -echo "[I] Checking SQL CONNECTOR FILE : $SQL_CONNECTOR_JAR" -if test -f "$SQL_CONNECTOR_JAR"; then - echo "[I] SQL CONNECTOR FILE : $SQL_CONNECTOR_JAR file found" -else - echo "[E] SQL CONNECTOR FILE : $SQL_CONNECTOR_JAR not found, aborting installation" - exit 1 -fi -#copying sql connector jar file to lib directory -cp $SQL_CONNECTOR_JAR ${install_dir}/lib - -#echo "Current Install Directory: [${install_dir}]" - - -# -# --- Backup current configuration for backup - START -# - -COMPONENT_NAME=yarn - -XASECURE_VERSION=`cat ${install_dir}/version` - -CFG_DIR=${yarn_conf_dir} -XASECURE_ROOT=/etc/xasecure/${COMPONENT_NAME} -BACKUP_TYPE=pre -CUR_VERSION_FILE=${XASECURE_ROOT}/.current_version -CUR_CFG_DIR_FILE=${XASECURE_ROOT}/.config_dir -PRE_INSTALL_CONFIG=${XASECURE_ROOT}/${BACKUP_TYPE}-${XASECURE_VERSION} - -if [ ! -d ${XASECURE_ROOT} ] -then - mkdir -p ${XASECURE_ROOT} -fi - -backup_dt=`date '+%Y%m%d%H%M%S'` - -if [ -d "${PRE_INSTALL_CONFIG}" ] -then - PRE_INSTALL_CONFIG="${PRE_INSTALL_CONFIG}.${backup_dt}" -fi - -if [ -d ${CFG_DIR} ] -then - ( cd ${CFG_DIR} ; find . -print | cpio -pdm ${PRE_INSTALL_CONFIG} ) - [ -f ${CUR_VERSION_FILE} ] && mv ${CUR_VERSION_FILE} ${CUR_VERSION_FILE}-${backup_dt} - echo ${XASECURE_VERSION} > ${CUR_VERSION_FILE} - echo ${CFG_DIR} > ${CUR_CFG_DIR_FILE} -else - echo "+ mkdir -p ${CFG_DIR} ..." - mkdir -p ${CFG_DIR} -fi - -cp -f ${install_dir}/uninstall.sh ${XASECURE_ROOT}/ - -# -# --- Backup current configuration for backup - END -# - - -dt=`date '+%Y%m%d%H%M%S'` -for f in ${install_dir}/conf/* -do - if [ -f ${f} ] - then - fn=`basename $f` - if [ ! 
-f ${yarn_conf_dir}/${fn} ] - then - echo "+cp ${f} ${yarn_conf_dir}/${fn}" - cp ${f} ${yarn_conf_dir}/${fn} - else - echo "WARN: ${fn} already exists in the ${yarn_conf_dir} - Using existing configuration ${fn}" - fi - fi -done - - -if [ ! -d ${yarn_lib_dir} ] -then - echo "+mkdir -p ${yarn_lib_dir}" - mkdir -p ${yarn_lib_dir} -fi - -for f in ${install_dir}/dist/*.jar ${install_dir}/lib/*.jar -do - if [ -f ${f} ] - then - fn=`basename $f` - echo "+cp ${f} ${yarn_lib_dir}/${fn}" - cp ${f} ${yarn_lib_dir}/${fn} - fi -done - -# -# Copy the SSL parameters -# - -CredFile=`grep '^CREDENTIAL_PROVIDER_FILE' ${install_dir}/install.properties | awk -F= '{ print $2 }'` - -if ! [ `echo ${CredFile} | grep '^/.*'` ] -then - echo "ERROR:Please enter the Credential File Store with proper file path" - exit 1 -fi -pardir=`dirname ${CredFile}` - -if [ ! -d ${pardir} ] -then - mkdir -p ${pardir} - chmod go+rx ${pardir} -fi - -# -# Generate Credential Provider file and Credential for Audit DB access. -# - - -auditCredAlias="auditDBCred" - -auditdbCred=`grep '^XAAUDIT.DB.PASSWORD' ${install_dir}/install.properties | awk -F= '{ print $2 }'` - -create_jceks ${auditCredAlias} ${auditdbCred} ${CredFile} - - -# -# Generate Credential Provider file and Credential for SSL KEYSTORE AND TRUSTSTORE -# - - -sslkeystoreAlias="sslKeyStore" - -sslkeystoreCred=`grep '^SSL_KEYSTORE_PASSWORD' ${install_dir}/install.properties | awk -F= '{ print $2 }'` - -create_jceks ${sslkeystoreAlias} ${sslkeystoreCred} ${CredFile} - - -ssltruststoreAlias="sslTrustStore" - -ssltruststoreCred=`grep '^SSL_TRUSTSTORE_PASSWORD' ${install_dir}/install.properties | awk -F= '{ print $2 }'` - -create_jceks ${ssltruststoreAlias} ${ssltruststoreCred} ${CredFile} - -chown ${CONFIG_FILE_OWNER} ${CredFile} - -PROP_ARGS="-p ${install_dir}/install.properties" - -to_file="${install_dir}/install.properties" -DB_FLAVOR=`grep '^XAAUDIT.DB.FLAVOUR' ${install_dir}/install.properties | awk -F= '{ print $2 }'` -DB_FLAVOR=`echo $DB_FLAVOR | 
tr '[:lower:]' '[:upper:]'` -if [ "${DB_FLAVOR}" == "" ] -then - $DB_FLAVOR="MYSQL" -fi -echo "[I] Updating install.properites setting for : $DB_FLAVOR" - -if [ "${DB_FLAVOR}" == "MYSQL" ] -then - audit_db_hostname=`grep '^XAAUDIT.DB.HOSTNAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` - audit_db_name=`grep '^XAAUDIT.DB.DATABASE_NAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` - propertyName=XAAUDIT.DB.JDBC_URL - newPropertyValue="jdbc:mysql://${audit_db_hostname}/${audit_db_name}" - updatePropertyToFile $propertyName $newPropertyValue $to_file - - propertyName=XAAUDIT.DB.JDBC_DRIVER - newPropertyValue="com.mysql.jdbc.Driver" - updatePropertyToFile $propertyName $newPropertyValue $to_file -fi - -if [ "${DB_FLAVOR}" == "ORACLE" ] -then - audit_db_hostname=`grep '^XAAUDIT.DB.HOSTNAME' ${install_dir}/install.properties | awk -F= '{ print $2 }'` - propertyName=XAAUDIT.DB.JDBC_URL - newPropertyValue="jdbc:oracle:thin:\@//${audit_db_hostname}" - updatePropertyToFile $propertyName $newPropertyValue $to_file - - propertyName=XAAUDIT.DB.JDBC_DRIVER - newPropertyValue="oracle.jdbc.OracleDriver" - updatePropertyToFile $propertyName $newPropertyValue $to_file -fi -for f in ${install_dir}/installer/conf/*-changes.cfg -do - if [ -f ${f} ] - then - fn=`basename $f` - orgfn=`echo $fn | sed -e 's:-changes.cfg:.xml:'` - fullpathorgfn="${yarn_conf_dir}/${orgfn}" - if [ ! -f ${fullpathorgfn} ] - then - echo "ERROR: Unable to find ${fullpathorgfn}" - exit 1 - fi - archivefn="${yarn_conf_dir}/.${orgfn}.${dt}" - newfn="${yarn_conf_dir}/.${orgfn}-new.${dt}" - cp ${fullpathorgfn} ${archivefn} - if [ $? -eq 0 ] - then - cp="${install_dir}/installer/lib/*:${install_dir}/cred/lib/*:" - java -cp "${cp}" org.apache.ranger.utils.install.XmlConfigChanger -i ${archivefn} -o ${newfn} -c ${f} ${PROP_ARGS} - if [ $? -eq 0 ] - then - diff -w ${newfn} ${fullpathorgfn} > /dev/null 2>&1 - if [ $? 
-ne 0 ] - then - #echo "Changing config file: ${fullpathorgfn} with following changes:" - #echo "===============================================================" - #diff -w ${newfn} ${fullpathorgfn} - #echo "===============================================================" - echo "NOTE: Current config file: ${fullpathorgfn} is being saved as ${archivefn}" - #echo "===============================================================" - cp ${newfn} ${fullpathorgfn} - fi - else - echo "ERROR: Unable to make changes to config. file: ${fullpathorgfn}" - echo "exiting ...." - exit 1 - fi - else - echo "ERROR: Unable to save config. file: ${fullpathorgfn} to ${archivefn}" - echo "exiting ...." - exit 1 - fi - fi -done - -chmod go-rwx ${yarn_conf_dir}/xasecure-policymgr-ssl.xml -chown ${CONFIG_FILE_OWNER} ${yarn_conf_dir}/xasecure-policymgr-ssl.xml - -# -# Adding authorizer to yarn.yaml configuration file ... -# -YARN_DIR=/etc/yarn -YARN_CONFIG_FILE=yarn.yaml -YARN_BIN_FILE=/usr/bin/yarn - -dt=`date '+%Y%m%d%H%M%S'` -CONFIG_FILE=${YARN_DIR}/${YARN_CONFIG_FILE} -ARCHIVE_FILE=${YARN_DIR}/.${YARN_CONFIG_FILE}.${dt} -YARN_BIN_ARCHIVE_FILE=/usr/bin/.yarn.${dt} - -cp ${CONFIG_FILE} ${ARCHIVE_FILE} - -awk -F: 'BEGIN { - configured = 0 ; -} -{ - if ($1 == "nimbus.authorizer") { - if ($2 ~ /^[ \t]*"org.apache.ranger.authorization.yarn.authorizer.RangerYarnAuthorizer"[ \t]*$/) { - configured = 1 ; - printf("%s\n",$0) ; - } - else { - printf("#%s\n",$0); - printf("nimbus.authorizer: \"org.apache.ranger.authorization.yarn.authorizer.RangerYarnAuthorizer\"\n") ; - configured = 1 ; - } - } - else { - printf("%s\n",$0) ; - } -} -END { - if (configured == 0) { - printf("nimbus.authorizer: \"org.apache.ranger.authorization.yarn.authorizer.RangerYarnAuthorizer\"\n") ; - } -}' ${ARCHIVE_FILE} > ${ARCHIVE_FILE}.new - -if [ ! 
-z ${ARCHIVE_FILE}.new ] -then - cat ${ARCHIVE_FILE}.new > ${CONFIG_FILE} - rm -f ${ARCHIVE_FILE}.new -else - echo "ERROR: ${ARCHIVE_FILE}.new file has not created successfully." - exit 1 -fi - -# -# Modify the CLASSPATH of the YARN Servers (ui) .... -# -grep 'ret.extend(\["/etc/yarn/conf"' ${YARN_BIN_FILE} > /dev/null -if [ $? -ne 0 ] -then - temp=/tmp/yarn.tmp.$$ - cat ${YARN_BIN_FILE} | sed -e '/ret = get_jars_full(YARN_DIR)/ a\ - ret.extend(["/etc/yarn/conf","/usr/lib/yarn/lib/*"])' > ${temp} - if [ ! -z ${temp} ] - then - cp ${YARN_BIN_FILE} ${YARN_BIN_ARCHIVE_FILE} - cat ${temp} > ${YARN_BIN_FILE} - else - echo "ERROR: ${temp} file has not been created successfully." - exit 1 - fi -fi - - -exit 0 http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/307d51c2/plugin-yarn/scripts/uninstall.sh ---------------------------------------------------------------------- diff --git a/plugin-yarn/scripts/uninstall.sh b/plugin-yarn/scripts/uninstall.sh deleted file mode 100644 index d4661e7..0000000 --- a/plugin-yarn/scripts/uninstall.sh +++ /dev/null 
@@ -1,65 +0,0 @@ -#!/bin/bash - -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# -# Replacing authorizer to yarn.yaml configuration file ... -# -YARN_DIR=/etc/yarn -YARN_CONFIG_FILE=yarn.yaml - -dt=`date '+%Y%m%d%H%M%S'` -CONFIG_FILE=${YARN_DIR}/${YARN_CONFIG_FILE} -ARCHIVE_FILE=${YARN_DIR}/.${YARN_CONFIG_FILE}.${dt} - -cp ${CONFIG_FILE} ${ARCHIVE_FILE} - -awk -F: 'BEGIN { - configured = 0 ; -} -{ - if ($1 == "nimbus.authorizer") { - if ($2 ~ /^[ \t]*"backtype.yarn.security.auth.authorizer.SimpleACLAuthorizer"[ \t]*$/) { - configured = 1 ; - printf("%s\n",$0) ; - } - else { - printf("#%s\n",$0); - printf("nimbus.authorizer: \"backtype.yarn.security.auth.authorizer.SimpleACLAuthorizer\"\n") ; - configured = 1 ; - } - } - else { - printf("%s\n",$0) ; - } -} -END { - if (configured == 0) { - printf("nimbus.authorizer: \"backtype.yarn.security.auth.authorizer.SimpleACLAuthorizer\"\n") ; - } -}' ${ARCHIVE_FILE} > ${ARCHIVE_FILE}.new - -if [ ! -z ${ARCHIVE_FILE}.new ] -then - cat ${ARCHIVE_FILE}.new > ${CONFIG_FILE} - rm -f ${ARCHIVE_FILE}.new - echo "Apache Ranger Plugin has been uninstalled from YARN Service. Please restart YARN nimbus and ui services ..." -else - echo "ERROR: ${ARCHIVE_FILE}.new file has not created successfully." 
- exit 1 -fi - -exit 0 http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/307d51c2/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java ---------------------------------------------------------------------- diff --git a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java index e911fcc..cc82c81 100644 --- a/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java +++ b/plugin-yarn/src/main/java/org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.java @@ -21,7 +21,6 @@ package org.apache.ranger.authorization.yarn.authorizer; import java.net.InetAddress; -import java.security.Permissions; import java.util.Collection; import java.util.Collections; import java.util.HashMap; @@ -31,7 +30,6 @@ import java.util.Set; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.collections.MapUtils; -import org.apache.commons.collections.SetUtils; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -162,6 +160,7 @@ public class RangerYarnAuthorizer extends YarnAuthorizationProvider { request.setDelegateAdmin(Boolean.FALSE); request.setEnableAudit(Boolean.TRUE); request.setReplaceExistingPermissions(Boolean.FALSE); + request.setIsRecursive(Boolean.TRUE); for(Map.Entry<AccessType, AccessControlList> e : permission.entrySet()) { AccessType accessType = e.getKey(); 
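Review bot: `request.setIsRecursive(Boolean.TRUE)` in the `@@ -162,6 +160,7 @@` hunk hard-codes recursion for every grant this authorizer forwards, so an ACL set on a parent queue becomes a Ranger policy over that queue and everything below it. Together with the `acl.isAllAllowed()` branch in the following hunk, an open ACL on a parent queue grants the public group access to the whole subtree. If this is meant to mirror YARN's own inheritance of queue ACLs, record that next to the call, e.g. `// YARN applies a queue's ACL to its child queues, so the policy must be recursive`; otherwise the flag should not be a constant. The enclosing method starts and ends outside the hunk.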
@@ -169,22 +168,25 @@ public class RangerYarnAuthorizer extends YarnAuthorizationProvider {
 Set<String> accessTypes = new HashSet<String>();
 accessTypes.add(getRangerAccessType(accessType));
+ request.setAccessTypes(accessTypes);
 if(acl.isAllAllowed()) {
 Set<String> publicGroup = new HashSet<String>();
 publicGroup.add(RangerPolicyEngine.GROUP_PUBLIC);
- request.setAccessTypes(accessTypes);
 request.setUsers(null);
 request.setGroups(publicGroup);
+ } else if(CollectionUtils.isEmpty(acl.getUsers()) && CollectionUtils.isEmpty(acl.getGroups())) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("grantAccess(): empty users and groups - skipped");
+ }
+
+ continue;
 } else {
- request.setAccessTypes(accessTypes);
 request.setUsers(getSet(acl.getUsers()));
 request.setGroups(getSet(acl.getGroups()));
 }
- LOG.error("==> grantAccess(" + request + ")");
-
 try {
 plugin.grantAccess(request, plugin.getDefaultAuditHandler());
 } catch(Exception excp) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/307d51c2/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 3eec63d..ec03d39 100644
--- a/pom.xml
+++ b/pom.xml
@@ -75,6 +75,7 @@
 <modules>
 <module>jisql</module>
+ <module>kms</module>
 <module>agents-audit</module>
 <module>agents-common</module>
 <module>agents-cred</module>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/307d51c2/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 2a71527..d4851cc 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
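Review bot: The new `else if` branch in `@@ -169,22 +168,25 @@` skips an ACL whose user and group lists are both empty, and the request set up in the previous hunk uses `setReplaceExistingPermissions(Boolean.FALSE)`, so an ACL that was narrowed or emptied in YARN never removes what an earlier call granted. If YARN passes the complete ACL to this method, grants will only accumulate in Ranger; consider issuing a revoke, or replacing existing permissions, for that case. The debug message would also be more useful with the access type in it, e.g. `LOG.debug("grantAccess(): empty users and groups - skipped, accessType=" + accessType);`. The `try`/`catch` around `plugin.grantAccess` continues past the end of the hunk.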
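Review bot: `<module>kms</module>` is unrelated to the recursive-flag change described in the commit title, and the diffstat lists no files under `kms/`. Unless that directory and its `pom.xml` are already in the tree, the reactor build will fail at this module. Either way it belongs in a separate commit, so that a new component entering the build is reviewed on its own.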
@@ -622,7 +622,10 @@ public class ServiceREST {
 if(! CollectionUtils.isEmpty(resourceNames)) {
 for(String resourceName : resourceNames) {
- policyResources.put(resourceName, new RangerPolicyResource(resource.getValue(resourceName)));
+ RangerPolicyResource policyResource = new RangerPolicyResource(resource.getValue(resourceName));
+ policyResource.setIsRecursive(grantRequest.getIsRecursive());
+
+ policyResources.put(resourceName, policyResource);
 }
 }
 policy.setResources(policyResources);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/307d51c2/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java
index 0a6046b..962f50c 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/RangerBaseModelService.java
@@ -102,7 +102,9 @@ public abstract class RangerBaseModelService<T extends XXDBBase, V extends Range
 if (entityObj.getAddedByUserId() != null) {
 XXPortalUser tUser = daoMgr.getXXPortalUser().getById(
 entityObj.getUpdatedByUserId());
- if (!stringUtil.isEmpty(tUser.getPublicScreenName())) {
+ if(tUser == null) {
+ // nothing to do
+ } else if (!stringUtil.isEmpty(tUser.getPublicScreenName())) {
 vObj.setCreatedBy(tUser.getPublicScreenName());
 } else {
 if (!stringUtil.isEmpty(tUser.getFirstName())) {
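Review bot: `policyResource.setIsRecursive(grantRequest.getIsRecursive())` in `@@ -622,7 +622,10 @@` copies a flag supplied by the caller onto every resource of the new policy, without checking that the service definition marks that resource as `recursiveSupported`. The check that the grantor may administer the resource is outside this hunk. Confirm that it is evaluated against the recursive scope, because otherwise a grantor with delegated admin on one resource could create a policy that also covers its children. It is also worth confirming that the path which updates an existing policy, not shown here, takes the flag into account.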
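Review bot: The block guarded by `entityObj.getAddedByUserId() != null` in `@@ -102,7 +102,9 @@` still looks the user up with `entityObj.getUpdatedByUserId()`, so `createdBy` is filled from the last updater rather than the creator. The added null check avoids the NullPointerException but leaves that mismatch; the argument should read `entityObj.getAddedByUserId());`. In this hunk and in `@@ -120,7 +122,9 @@`, the empty `if(tUser == null) { // nothing to do }` branch reads more clearly as a single `if (tUser != null)` around the existing chain. A user id that no longer resolves is worth a debug log line, since `createdBy` and `updatedBy` are presumably what an administrator relies on to attribute a policy change. Both blocks continue outside their hunks.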
@@ -120,7 +122,9 @@ public abstract class RangerBaseModelService<T extends XXDBBase, V extends Range
 if (entityObj.getUpdatedByUserId() != null) {
 XXPortalUser tUser = daoMgr.getXXPortalUser().getById(
 entityObj.getUpdatedByUserId());
- if (!stringUtil.isEmpty(tUser.getPublicScreenName())) {
+ if(tUser == null) {
+ // nothing to do
+ } else if (!stringUtil.isEmpty(tUser.getPublicScreenName())) {
 vObj.setUpdatedBy(tUser.getPublicScreenName());
 } else {
 if (!stringUtil.isEmpty(tUser.getFirstName())) {
