Repository: incubator-ranger Updated Branches: refs/heads/master 2a309b5c1 -> ca75aadc6
RANGER-277 : Ranger Public API changes to use Service Model Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/e97c99d8 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/e97c99d8 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/e97c99d8 Branch: refs/heads/master Commit: e97c99d8b17c8cd8b7b578e44acd020e6605911d Parents: 895ac2b Author: rmani <[email protected]> Authored: Mon Mar 9 10:47:21 2015 -0700 Committer: rmani <[email protected]> Committed: Mon Mar 9 10:47:21 2015 -0700 ---------------------------------------------------------------------- .../org/apache/ranger/common/ServiceUtil.java | 881 +++++++++++++++++-- .../java/org/apache/ranger/rest/AssetREST.java | 89 +- .../java/org/apache/ranger/rest/PublicAPIs.java | 338 ++++--- .../org/apache/ranger/rest/ServiceREST.java | 390 ++++---- 4 files changed, 1272 insertions(+), 426 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e97c99d8/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java b/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java index d26f4c5..b340625 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java @@ -19,6 +19,7 @@ package org.apache.ranger.common; +import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; @@ -26,9 +27,17 @@ import java.util.List; import java.util.Map; import java.util.Map.Entry; +import javax.naming.InvalidNameException; +import javax.naming.ldap.LdapName; +import javax.naming.ldap.Rdn; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.StringUtils; import org.apache.log4j.Logger; +import org.apache.ranger.authorization.utils.StringUtil; +import org.apache.ranger.biz.ServiceDBStore; import org.apache.ranger.db.RangerDaoManager; import org.apache.ranger.entity.XXGroup; import org.apache.ranger.entity.XXUser; @@ -37,11 +46,17 @@ import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess; import org.apache.ranger.plugin.model.RangerService; import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; +import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.view.VXAsset; import org.apache.ranger.view.VXAuditMap; import org.apache.ranger.view.VXDataObject; import org.apache.ranger.view.VXPermMap; +import org.apache.ranger.view.VXPermObj; +import org.apache.ranger.view.VXPolicy; +import org.apache.ranger.view.VXPolicyList; +import org.apache.ranger.view.VXRepositoryList; import org.apache.ranger.view.VXResource; +import org.apache.ranger.view.VXRepository; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; @@ -51,6 +66,8 @@ public class ServiceUtil { static Map<String, Integer> mapServiceTypeToAssetType = new HashMap<String, Integer>(); static Map<String, Integer> mapAccessTypeToPermType = new HashMap<String, Integer>(); + static String version; + static String uniqueKeySeparator; @Autowired JSONUtil jsonUtil; @@ -58,6 +75,12 @@ public class ServiceUtil { @Autowired RangerDaoManager xaDaoMgr; + @Autowired + RESTErrorUtil restErrorUtil; + + @Autowired + ServiceDBStore svcStore; + static { mapServiceTypeToAssetType.put(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HDFS_NAME, new Integer(RangerCommonEnums.ASSET_HDFS)); mapServiceTypeToAssetType.put(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_HBASE_NAME, new Integer(RangerCommonEnums.ASSET_HBASE)); @@ -97,6 +120,10 @@ public class ServiceUtil { mapAccessTypeToPermType.put("getUserTopology", 29); mapAccessTypeToPermType.put("getTopologyInfo", 30); mapAccessTypeToPermType.put("uploadNewCredentials", 31); + + version = "0"; + uniqueKeySeparator = "_"; + } public RangerService toRangerService(VXAsset asset) { @@ -140,7 +167,7 @@ public class ServiceUtil { return ret; } - + public RangerPolicy toRangerPolicy(VXResource resource, RangerService service) { if(resource == null) { return null; @@ -175,7 +202,7 @@ public class ServiceUtil { toRangerResourceList(resource.getServices(), "service", Boolean.FALSE, isRecursive, ret.getResources()); HashMap<String, List<VXPermMap>> sortedPermMap = new HashMap<String, List<VXPermMap>>(); - + // re-group the list with permGroup as the key if (resource.getPermMapList() != null) { for(VXPermMap permMap : resource.getPermMapList()) { @@ -296,92 +323,8 @@ public class ServiceUtil { } } - List<VXPermMap> permMapList = new ArrayList<VXPermMap>(); - - int permGroup = 0; - for(RangerPolicy.RangerPolicyItem policyItem : policy.getPolicyItems()) { - String ipAddress = null; - - for(RangerPolicy.RangerPolicyItemCondition condition : policyItem.getConditions()) { - if(condition.getType() == "ipaddress") { - List<String> values = condition.getValues(); - if (CollectionUtils.isNotEmpty(values)) { - // TODO changes this to properly deal with collection for now just returning 1st item - ipAddress = values.get(0); - } - } - - if(ipAddress != null && !ipAddress.isEmpty()) { - break; // only 1 IP-address per permMap - } - } - - for(String userName : policyItem.getUsers()) { - for(RangerPolicyItemAccess access : policyItem.getAccesses()) { - if(! access.getIsAllowed()) { - continue; - } - - VXPermMap permMap = new VXPermMap(); - - permMap.setPermFor(AppConstants.XA_PERM_FOR_USER); - permMap.setPermGroup(new Integer(permGroup).toString()); - permMap.setUserName(userName); - permMap.setUserId(getUserId(userName)); - permMap.setPermType(toPermType(access.getType())); - permMap.setIpAddress(ipAddress); - - permMapList.add(permMap); - } - - if(policyItem.getDelegateAdmin()) { - VXPermMap permMap = new VXPermMap(); - - permMap.setPermFor(AppConstants.XA_PERM_FOR_USER); - permMap.setPermGroup(new Integer(permGroup).toString()); - permMap.setUserName(userName); - permMap.setUserId(getUserId(userName)); - permMap.setPermType(toPermType("Admin")); - permMap.setIpAddress(ipAddress); - - permMapList.add(permMap); - } - } - permGroup++; - - for(String groupName : policyItem.getGroups()) { - for(RangerPolicyItemAccess access : policyItem.getAccesses()) { - if(! access.getIsAllowed()) { - continue; - } - - VXPermMap permMap = new VXPermMap(); - - permMap.setPermFor(AppConstants.XA_PERM_FOR_GROUP); - permMap.setPermGroup(new Integer(permGroup).toString()); - permMap.setGroupName(groupName); - permMap.setGroupId(getGroupId(groupName)); - permMap.setPermType(toPermType(access.getType())); - permMap.setIpAddress(ipAddress); - - permMapList.add(permMap); - } - - if(policyItem.getDelegateAdmin()) { - VXPermMap permMap = new VXPermMap(); - - permMap.setPermFor(AppConstants.XA_PERM_FOR_GROUP); - permMap.setPermGroup(new Integer(permGroup).toString()); - permMap.setGroupName(groupName); - permMap.setGroupId(getGroupId(groupName)); - permMap.setPermType(toPermType("Admin")); - permMap.setIpAddress(ipAddress); - - permMapList.add(permMap); - } - } - permGroup++; - } + List<VXPermMap> permMapList = getVXPermMapList(policy); + ret.setPermMapList(permMapList); return ret; @@ -456,8 +399,52 @@ public class ServiceUtil { return ret; } + + public VXRepository toVXRepository(RangerService service){ + + VXRepository ret = new VXRepository(); + rangerObjectToDataObject(service,ret); + + ret.setRepositoryType(service.getType()); + ret.setName(service.getName()); + ret.setDescription(service.getDescription()); + ret.setIsActive(service.getIsEnabled()); + ret.setConfig(jsonUtil.readMapToString(service.getConfigs())); + ret.setVersion(Long.toString(service.getVersion())); + + return ret; + } + + + public VXAsset publicObjecttoVXAsset(VXRepository vXRepository) { + VXAsset ret = new VXAsset(); + publicDataObjectTovXDataObject(vXRepository,ret); + + ret.setAssetType(toAssetType(vXRepository.getRepositoryType())); + ret.setName(vXRepository.getName()); + ret.setDescription(vXRepository.getDescription()); + ret.setActiveStatus(vXRepository.getIsActive() ? RangerCommonEnums.STATUS_ENABLED : RangerCommonEnums.STATUS_DISABLED); + ret.setConfig(vXRepository.getConfig()); + return ret; + + } + + public VXRepository vXAssetToPublicObject(VXAsset asset) { + VXRepository ret = new VXRepository(); + vXDataObjectToPublicDataObject(ret,asset); + + ret.setRepositoryType(toServiceType(asset.getAssetType())); + ret.setName(asset.getName()); + ret.setDescription(asset.getDescription()); + ret.setIsActive(asset.getActiveStatus() == RangerCommonEnums.STATUS_ENABLED ? true : false); + ret.setConfig(asset.getConfig()); + ret.setVersion(version); + + return ret; + } - private RangerBaseModelObject dataObjectToRangerObject(VXDataObject dataObject, RangerBaseModelObject rangerObject) { + + private RangerBaseModelObject dataObjectToRangerObject(VXDataObject dataObject,RangerBaseModelObject rangerObject) { RangerBaseModelObject ret = rangerObject; ret.setId(dataObject.getId()); @@ -481,6 +468,21 @@ public class ServiceUtil { return ret; } + private String toVxPolicyIncExc(int policyIncExc) { + String ret = ""; + + switch(policyIncExc) { + case 0: + ret = "Inclusion"; + break; + case 1: + ret = "Exclusion"; + break; + } + return ret; + } + + private String getResourceString(List<String> values) { String ret = null; @@ -561,4 +563,705 @@ public class ServiceUtil { return groupId; } + + public SearchCriteria getMappedSearchParams(HttpServletRequest request, + SearchCriteria searchCriteria) { + + Object typeObj = searchCriteria.getParamValue("type"); + Object statusObj = searchCriteria.getParamValue("status"); + + ArrayList<Integer> statusList = new ArrayList<Integer>(); + if (statusObj == null) { + statusList.add(RangerCommonEnums.STATUS_DISABLED); + statusList.add(RangerCommonEnums.STATUS_ENABLED); + } else { + boolean status = restErrorUtil.parseBoolean( + request.getParameter("status"), "Invalid value for " + + "status", MessageEnums.INVALID_INPUT_DATA, null, + "status"); + int statusEnum = (status == false) ? AppConstants.STATUS_DISABLED + : AppConstants.STATUS_ENABLED; + statusList.add(statusEnum); + } + searchCriteria.addParam("status", statusList); + + if (typeObj != null) { + String type = typeObj.toString(); + int typeEnum = AppConstants.getEnumFor_AssetType(type); + searchCriteria.addParam("type", typeEnum); + } + return searchCriteria; + } + + + public VXRepositoryList rangerServiceListToPublicObjectList(List<RangerService> serviceList) { + + List<VXRepository> repoList = new ArrayList<VXRepository>(); + for (RangerService service : serviceList) { + VXRepository vXRepo = toVXRepository(service); + repoList.add(vXRepo); + } + VXRepositoryList vXRepositoryList = new VXRepositoryList(repoList); + return vXRepositoryList; + } + + + private VXDataObject vXDataObjectToPublicDataObject(VXDataObject publicDataObject, VXDataObject vXdataObject) { + + VXDataObject ret = publicDataObject; + + ret.setId(vXdataObject.getId()); + ret.setCreateDate(vXdataObject.getCreateDate()); + ret.setUpdateDate(vXdataObject.getUpdateDate()); + ret.setOwner(vXdataObject.getOwner()); + ret.setUpdatedBy(vXdataObject.getUpdatedBy()); + + return ret; + } + + protected VXDataObject publicDataObjectTovXDataObject(VXDataObject publicDataObject,VXDataObject vXDataObject) { + + VXDataObject ret = vXDataObject; + + ret.setId(publicDataObject.getId()); + ret.setCreateDate(publicDataObject.getCreateDate()); + ret.setUpdateDate(publicDataObject.getUpdateDate()); + ret.setOwner(publicDataObject.getOwner()); + ret.setUpdatedBy(publicDataObject.getUpdatedBy()); + + return ret; + } + + + public VXPolicy toVXPolicy(RangerPolicy policy, RangerService service) { + if(policy == null || service == null) { + return null; + } + + VXPolicy ret = new VXPolicy(); + + rangerObjectToDataObject(policy, ret); + + ret.setPolicyName(policy.getName()); + ret.setDescription(policy.getDescription()); + ret.setRepositoryName(policy.getService()); + ret.setIsEnabled(policy.getIsEnabled() ? true : false); + ret.setRepositoryType(service.getType()); + ret.setIsAuditEnabled(policy.getIsAuditEnabled()); + if (policy.getVersion() != null ) { + ret.setVersion(policy.getVersion().toString()); + } else { + ret.setVersion(version); + } + + for(Map.Entry<String, RangerPolicy.RangerPolicyResource> e : policy.getResources().entrySet()) { + RangerPolicy.RangerPolicyResource res = e.getValue(); + String resType = e.getKey(); + String resString = getResourceString(res.getValues()); + + if(resType.equalsIgnoreCase("path")) { + ret.setResourceName(resString); + ret.setIsRecursive(Boolean.TRUE.equals(res.getIsRecursive()) ? true : false); + } else if(resType.equalsIgnoreCase("table")) { + ret.setTables(resString); + ret.setTableType(Boolean.TRUE.equals(res.getIsExcludes()) ? toVxPolicyIncExc(RangerCommonEnums.POLICY_EXCLUSION):toVxPolicyIncExc(RangerCommonEnums.POLICY_INCLUSION)); + } else if(resType.equalsIgnoreCase("column-family")) { + ret.setColumnFamilies(resString); + } else if(resType.equalsIgnoreCase("column")) { + ret.setColumns(resString); + ret.setColumnType(Boolean.TRUE.equals(res.getIsExcludes()) ? toVxPolicyIncExc(RangerCommonEnums.POLICY_EXCLUSION):toVxPolicyIncExc(RangerCommonEnums.POLICY_INCLUSION)); + } else if(resType.equalsIgnoreCase("database")) { + ret.setDatabases(resString); + } else if(resType.equalsIgnoreCase("udf")) { + ret.setUdfs(resString); + } else if(resType.equalsIgnoreCase("topology")) { + ret.setTopologies(resString); + } else if(resType.equalsIgnoreCase("service")) { + ret.setServices(resString); + } + } + + List<VXPermMap> vXPermMapList = getVXPermMapList(policy); + + List<VXPermObj> vXPermObjList = mapPermMapToPermObj(vXPermMapList); + + ret.setPermMapList(vXPermObjList); + + return ret; + } + + + public List<VXPermMap> getVXPermMapList(RangerPolicy policy) { + + List<VXPermMap> permMapList = new ArrayList<VXPermMap>(); + + int permGroup = 0; + for(RangerPolicy.RangerPolicyItem policyItem : policy.getPolicyItems()) { + String ipAddress = null; + + for(RangerPolicy.RangerPolicyItemCondition condition : policyItem.getConditions()) { + if(condition.getType() == "ipaddress") { + List<String> values = condition.getValues(); + if (CollectionUtils.isNotEmpty(values)) { + // TODO changes this to properly deal with collection for now just returning 1st item + ipAddress = values.get(0); + } + } + + if(ipAddress != null && !ipAddress.isEmpty()) { + break; // only 1 IP-address per permMap + } + } + + for(String userName : policyItem.getUsers()) { + for(RangerPolicyItemAccess access : policyItem.getAccesses()) { + if(! access.getIsAllowed()) { + continue; + } + + VXPermMap permMap = new VXPermMap(); + + permMap.setPermFor(AppConstants.XA_PERM_FOR_USER); + permMap.setPermGroup(new Integer(permGroup).toString()); + permMap.setUserName(userName); + permMap.setUserId(getUserId(userName)); + permMap.setPermType(toPermType(access.getType())); + permMap.setIpAddress(ipAddress); + + permMapList.add(permMap); + } + + if(policyItem.getDelegateAdmin()) { + VXPermMap permMap = new VXPermMap(); + + permMap.setPermFor(AppConstants.XA_PERM_FOR_USER); + permMap.setPermGroup(new Integer(permGroup).toString()); + permMap.setUserName(userName); + permMap.setUserId(getUserId(userName)); + permMap.setPermType(toPermType("Admin")); + permMap.setIpAddress(ipAddress); + + permMapList.add(permMap); + } + } + permGroup++; + + for(String groupName : policyItem.getGroups()) { + for(RangerPolicyItemAccess access : policyItem.getAccesses()) { + if(! access.getIsAllowed()) { + continue; + } + + VXPermMap permMap = new VXPermMap(); + + permMap.setPermFor(AppConstants.XA_PERM_FOR_GROUP); + permMap.setPermGroup(new Integer(permGroup).toString()); + permMap.setGroupName(groupName); + permMap.setGroupId(getGroupId(groupName)); + permMap.setPermType(toPermType(access.getType())); + permMap.setIpAddress(ipAddress); + + permMapList.add(permMap); + } + + if(policyItem.getDelegateAdmin()) { + VXPermMap permMap = new VXPermMap(); + + permMap.setPermFor(AppConstants.XA_PERM_FOR_GROUP); + permMap.setPermGroup(new Integer(permGroup).toString()); + permMap.setGroupName(groupName); + permMap.setGroupId(getGroupId(groupName)); + permMap.setPermType(toPermType("Admin")); + permMap.setIpAddress(ipAddress); + + permMapList.add(permMap); + } + } + permGroup++; + } + return permMapList; + } + + + public List<VXPermObj> mapPermMapToPermObj(List<VXPermMap> permMapList) { + + List<VXPermObj> permObjList = new ArrayList<VXPermObj>(); + HashMap<String, List<VXPermMap>> sortedPemMap = new HashMap<String, List<VXPermMap>>(); + + if (permMapList != null) { + for (VXPermMap vXPermMap : permMapList) { + + String permGrp = vXPermMap.getPermGroup(); + List<VXPermMap> sortedList = sortedPemMap.get(permGrp); + if (sortedList == null) { + sortedList = new ArrayList<VXPermMap>(); + sortedPemMap.put(permGrp, sortedList); + } + sortedList.add(vXPermMap); + } + } + + for (Entry<String, List<VXPermMap>> entry : sortedPemMap.entrySet()) { + VXPermObj vXPermObj = new VXPermObj(); + List<String> userList = new ArrayList<String>(); + List<String> groupList = new ArrayList<String>(); + List<String> permList = new ArrayList<String>(); + String ipAddress = ""; + + List<VXPermMap> permListForGrp = entry.getValue(); + + for (VXPermMap permMap : permListForGrp) { + if (permMap.getPermFor() == AppConstants.XA_PERM_FOR_USER) { + if (!userList.contains(permMap.getUserName())) { + userList.add(permMap.getUserName()); + } + } else if (permMap.getPermFor() == AppConstants.XA_PERM_FOR_GROUP) { + if (!groupList.contains(permMap.getGroupName())) { + groupList.add(permMap.getGroupName()); + } + } + String perm = AppConstants.getLabelFor_XAPermType(permMap + .getPermType()); + if (!permList.contains(perm)) { + permList.add(perm); + } + ipAddress = permMap.getIpAddress(); + } + if (!userList.isEmpty()) { + vXPermObj.setUserList(userList); + } + if (!groupList.isEmpty()) { + vXPermObj.setGroupList(groupList); + } + vXPermObj.setPermList(permList); + vXPermObj.setIpAddress(ipAddress); + + permObjList.add(vXPermObj); + } + return permObjList; + } + + + public RangerPolicy toRangerPolicy(VXPolicy vXPolicy, RangerService service ) { + + if(vXPolicy == null) { + return null; + } + + RangerPolicy ret = new RangerPolicy(); + + ret = (RangerPolicy) dataObjectToRangerObject(vXPolicy, ret); + + if(service != null) { + ret.setService(service.getName()); + } else { + ret.setService(vXPolicy.getRepositoryName()); + } + + ret.setName(vXPolicy.getPolicyName()); + ret.setDescription(vXPolicy.getDescription()); + ret.setIsEnabled(vXPolicy.getIsEnabled() == true); + ret.setIsAuditEnabled(vXPolicy.getIsAuditEnabled()); + + Boolean isRecursive = Boolean.FALSE; + if ( vXPolicy.getIsRecursive() != null) { + isRecursive = vXPolicy.getIsRecursive(); + } + + Boolean isTableExcludes = Boolean.FALSE; + if ( vXPolicy.getTableType() != null) { + isTableExcludes = vXPolicy.getTableType().equals(RangerCommonEnums.getLabelFor_PolicyType(RangerCommonEnums.POLICY_EXCLUSION)); + } + + Boolean isColumnExcludes = Boolean.FALSE; + if ( vXPolicy.getColumnType() != null) { + isColumnExcludes = vXPolicy.getColumnType().equals(RangerCommonEnums.getLabelFor_PolicyType(RangerCommonEnums.POLICY_EXCLUSION)); + } + + if (vXPolicy.getResourceName() != null ) { + toRangerResourceList(vXPolicy.getResourceName(), "path", Boolean.FALSE, isRecursive, ret.getResources()); + } + + if (vXPolicy.getTables() != null) { + toRangerResourceList(vXPolicy.getTables(), "table", isTableExcludes, isRecursive, ret.getResources()); + } + + if (vXPolicy.getColumnFamilies() != null) { + toRangerResourceList(vXPolicy.getColumnFamilies(), "column-family", Boolean.FALSE, isRecursive, ret.getResources()); + } + + if (vXPolicy.getColumns() != null) { + toRangerResourceList(vXPolicy.getColumns(), "column", isColumnExcludes, isRecursive, ret.getResources()); + } + + if (vXPolicy.getDatabases() != null) { + toRangerResourceList(vXPolicy.getDatabases(), "database", Boolean.FALSE, isRecursive, ret.getResources()); + } + + if (vXPolicy.getUdfs() != null) { + toRangerResourceList(vXPolicy.getUdfs(), "udf", Boolean.FALSE, isRecursive, ret.getResources()); + } + + if (vXPolicy.getTopologies() != null) { + toRangerResourceList(vXPolicy.getTopologies(), "topology", Boolean.FALSE, isRecursive, ret.getResources()); + } + + if (vXPolicy.getServices() != null) { + toRangerResourceList(vXPolicy.getServices(), "service", Boolean.FALSE, isRecursive, ret.getResources()); + } + + + if ( vXPolicy.getPermMapList() != null) { + List<VXPermObj> vXPermObjList = vXPolicy.getPermMapList(); + + for(VXPermObj vXPermObj : vXPermObjList ) { + List<String> userList = new ArrayList<String>(); + List<String> groupList = new ArrayList<String>(); + List<RangerPolicyItemAccess> accessList = new ArrayList<RangerPolicyItemAccess>(); + String ipAddress = null; + boolean delegatedAdmin = false; + + if (vXPermObj.getUserList() != null) { + for (String user : vXPermObj.getUserList() ) { + if ( user.contains(getUserName(user))) { + userList.add(user); + } + } + } + + if (vXPermObj.getGroupList() != null) { + for (String group : vXPermObj.getGroupList()) { + if ( group.contains(getGroupName(group))) { + groupList.add(group); + } + } + } + + if (vXPermObj.getPermList() != null) { + for (String perm : vXPermObj.getPermList()) { + if ( AppConstants.getEnumFor_XAPermType(perm) != 0 ) { + if (perm.equalsIgnoreCase("Admin")) { + delegatedAdmin=true; + continue; + } + accessList.add(new RangerPolicyItemAccess(perm)); + } + + + } + } + + if (vXPermObj.getIpAddress() != null ) { + ipAddress = vXPermObj.getIpAddress(); + } + + RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem(); + + policyItem.setUsers(userList); + policyItem.setGroups(groupList); + policyItem.setAccesses(accessList); + + if (delegatedAdmin) { + policyItem.setDelegateAdmin(Boolean.TRUE); + } else { + policyItem.setDelegateAdmin(Boolean.FALSE); + } + + if(ipAddress != null && !ipAddress.isEmpty()) { + RangerPolicy.RangerPolicyItemCondition ipCondition = new RangerPolicy.RangerPolicyItemCondition("ipaddress", Collections.singletonList(ipAddress)); + + policyItem.getConditions().add(ipCondition); + } + + ret.getPolicyItems().add(policyItem); + } + } + + return ret; + } + + private String getUserName(String userName) { + if(userName == null || userName.isEmpty()) { + + XXUser xxUser = xaDaoMgr.getXXUser().findByUserName(userName); + + if(xxUser != null) { + userName = xxUser.getName(); + } + } + return userName; + } + + + private String getGroupName(String groupName) { + + if(groupName == null || groupName.isEmpty()) { + XXGroup xxGroup = xaDaoMgr.getXXGroup().findByGroupName(groupName); + + if(xxGroup != null) { + groupName = xxGroup.getName(); + } + } + return groupName; + } + + + public VXPolicyList rangerPolicyListToPublic(List<RangerPolicy> rangerPolicyList) { + + RangerService service = null; + List<VXPolicy> vXPolicyList = new ArrayList<VXPolicy>(); + + VXPolicyList vXPolicyListObj = new VXPolicyList(); + + for ( RangerPolicy policy : rangerPolicyList) { + try { + service = svcStore.getServiceByName(policy.getService()); + } catch(Exception excp) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); + } + + if(service == null) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true); + } + + VXPolicy vXPolicy = toVXPolicy(policy,service); + + vXPolicyList.add(vXPolicy); + } + + vXPolicyListObj.setVXPolicies(vXPolicyList); + + return vXPolicyListObj; + + } + + + public GrantRevokeRequest toGrantRevokeRequest(VXPolicy vXPolicy) { + String serviceType = null; + RangerService service = null; + GrantRevokeRequest ret = new GrantRevokeRequest(); + + if ( vXPolicy != null) { + String serviceName = vXPolicy.getRepositoryName(); + try { + service = svcStore.getServiceByName(serviceName); + } catch (Exception e) { + LOG.error( HttpServletResponse.SC_BAD_REQUEST + "No Service Found for ServiceName:" + serviceName ); + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, e.getMessage() + serviceName, true); + } + + if ( service != null) { + serviceType = service.getType(); + } else { + LOG.error( HttpServletResponse.SC_BAD_REQUEST + "No Service Found for ServiceName" + serviceName ); + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "No Service Found for ServiceName" + serviceName, true); + } + + if (vXPolicy.getGrantor() != null) { + ret.setGrantor(vXPolicy.getGrantor()); + } + ret.setEnableAudit(Boolean.TRUE); + + ret.setIsRecursive(Boolean.FALSE); + + ret.setReplaceExistingPermissions(toBooleanReplacePerm(vXPolicy.isReplacePerm())); + + int assertType = toAssetType(serviceType); + + if (assertType == RangerCommonEnums.ASSET_HIVE) { + + String database = StringUtils.isEmpty(vXPolicy.getDatabases()) ? "*" : vXPolicy.getDatabases(); + String table = getTableOrUdf(vXPolicy); + String column = StringUtils.isEmpty(vXPolicy.getColumns()) ? "*" : vXPolicy.getColumns(); + + Map<String, String> mapResource = new HashMap<String, String>(); + mapResource.put("database", database); + mapResource.put("table", table); + mapResource.put("column", column); + ret.setResource(mapResource); + } + else if ( assertType == RangerCommonEnums.ASSET_HBASE) { + + String tableName = vXPolicy.getTables(); + tableName = StringUtil.isEmpty(tableName) ? "*" : tableName; + + String colFamily = vXPolicy.getColumnFamilies(); + colFamily = StringUtil.isEmpty(colFamily) ? "*": colFamily; + + String qualifier = vXPolicy.getColumns(); + qualifier = StringUtil.isEmpty(qualifier) ? "*" : qualifier; + + Map<String, String> mapResource = new HashMap<String, String>(); + mapResource.put("table", tableName); + mapResource.put("column-family", colFamily); + mapResource.put("column", qualifier); + + } + + List<VXPermObj> vXPermObjList = vXPolicy.getPermMapList(); + + if (vXPermObjList != null) { + for(VXPermObj vXPermObj : vXPermObjList ) { + boolean delegatedAdmin = false; + String ipAddress = null; + + if (vXPermObj.getUserList() != null ) { + for (String user : vXPermObj.getUserList() ) { + if ( user.contains(getUserName(user))) { + ret.getUsers().add(user); + } + } + } + + if (vXPermObj.getGroupList() != null) { + for (String group : vXPermObj.getGroupList()) { + if ( group.contains(getGroupName(group))) { + ret.getGroups().add(group); + } + } + } + + if(vXPermObj.getPermList() != null) { + for (String perm : vXPermObj.getPermList()) { + if ( AppConstants.getEnumFor_XAPermType(perm) != 0 ) { + if (perm.equalsIgnoreCase("Admin")) { + delegatedAdmin=true; + continue; + } + ret.getAccessTypes().add(perm); + } + } + } + + if (vXPermObj.getIpAddress() != null) { + ipAddress = vXPermObj.getIpAddress(); + } + + if (delegatedAdmin) { + ret.setDelegateAdmin(Boolean.TRUE); + } else { + ret.setDelegateAdmin(Boolean.FALSE); + } + } + + } + } + return ret; + + } + + private String getTableOrUdf(VXPolicy vXPolicy) { + String ret = null; + String table = vXPolicy.getTables(); + String udf = vXPolicy.getUdfs(); + + if (!StringUtils.isEmpty(table)) { + ret = table; + } else if (!StringUtils.isEmpty(udf)) { + ret = udf; + } + return ret; + } + + + public boolean isValidateHttpsAuthentication( String serviceName, HttpServletRequest request) { + + boolean isValidAuthentication=false; + boolean httpEnabled = PropertiesUtil.getBooleanProperty("http.enabled",true); + X509Certificate[] certchain = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); + String ipAddress = request.getHeader("X-FORWARDED-FOR"); + if (ipAddress == null) { + ipAddress = request.getRemoteAddr(); + } + boolean isSecure = request.isSecure(); + + if (serviceName == null || serviceName.isEmpty()) { + LOG.error("ServiceName not provided"); + throw restErrorUtil.createRESTException("Unauthorized access.", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + + RangerService service = null; + try { + service = svcStore.getServiceByName(serviceName); + } catch (Exception e) { + LOG.error("Requested Service not found"); + throw restErrorUtil.createRESTException("Serivce:" + serviceName + " not found", + MessageEnums.DATA_NOT_FOUND); + } + if(service==null){ + LOG.error("Requested Service not found"); + throw restErrorUtil.createRESTException("No Data Found.", + MessageEnums.DATA_NOT_FOUND); + } + if(!service.getIsEnabled()){ + LOG.error("Requested Service is disabled"); + throw restErrorUtil.createRESTException("Unauthorized access.", + MessageEnums.OPER_NOT_ALLOWED_FOR_STATE); + } + if (!httpEnabled) { + if (!isSecure) { + throw restErrorUtil.createRESTException("Unauthorized access -" + + " only https allowed", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + if (certchain == null || certchain.length == 0) { + throw restErrorUtil.createRESTException("Unauthorized access -" + + " unable to get client certificate", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + String commonName = null; + if (certchain != null) { + X509Certificate clientCert = certchain[0]; + String dn = clientCert.getSubjectX500Principal().getName(); + try { + LdapName ln = new LdapName(dn); + for (Rdn rdn : ln.getRdns()) { + if (rdn.getType().equalsIgnoreCase("CN")) { + commonName = rdn.getValue() + ""; + break; + } + } + if (commonName == null) { + throw restErrorUtil.createRESTException( + "Unauthorized access - Unable to find Common Name from [" + + dn + "]", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } catch (InvalidNameException e) { + LOG.error("Invalid Common Name.", e); + throw restErrorUtil.createRESTException( + "Unauthorized access - Invalid Common Name", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + if (commonName != null) { + + Map<String, String> configMap = service.getConfigs(); + String cnFromConfig = configMap.get("commonNameForCertificate"); + if (cnFromConfig == null + || !commonName.equalsIgnoreCase(cnFromConfig)) { + throw restErrorUtil.createRESTException( + "Unauthorized access. expected [" + cnFromConfig + + "], found [" + commonName + "]", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + isValidAuthentication=true; + return isValidAuthentication; + } + + private Boolean toBooleanReplacePerm(boolean isReplacePermission) { + + Boolean ret; + + if (isReplacePermission) { + ret = Boolean.TRUE; + } else { + ret = Boolean.FALSE; + } + return ret; + } } + http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e97c99d8/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java index 753a3bf..462671a 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java @@ -25,6 +25,7 @@ import java.util.ArrayList; import java.util.List; import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; import javax.ws.rs.DELETE; import javax.ws.rs.Encoded; import javax.ws.rs.GET; @@ -38,6 +39,7 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; import org.apache.log4j.Logger; +import org.apache.ranger.admin.client.datatype.RESTResponse; import org.apache.ranger.biz.AssetMgr; import org.apache.ranger.biz.RangerBizUtil; import org.apache.ranger.common.PropertiesUtil; @@ -48,6 +50,7 @@ import org.apache.ranger.common.ServiceUtil; import org.apache.ranger.common.StringUtil; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerService; +import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.common.annotation.RangerAnnotationClassName; import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName; import org.apache.ranger.service.AbstractBaseResourceService; @@ -625,28 +628,32 @@ public class AssetREST { @Path("/resources/grant") @Produces({ "application/xml", "application/json" }) public VXPolicy grantPermission(@Context HttpServletRequest request,VXPolicy vXPolicy) { - boolean httpEnabled = PropertiesUtil.getBooleanProperty("http.enabled",true); - X509Certificate[] certchain = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); - String ipAddress = request.getHeader("X-FORWARDED-FOR"); - if (ipAddress == null) { - ipAddress = request.getRemoteAddr(); + + RESTResponse ret = null; + + if(logger.isDebugEnabled()) { + logger.debug("==> AssetREST.grantPermission(" + vXPolicy + ")"); } - boolean isSecure = request.isSecure(); - String repository=null; - if(vXPolicy!=null){ - repository=vXPolicy.getRepositoryName(); - vXPolicy.setOwner(vXPolicy.getGrantor()); - vXPolicy.setUpdatedBy(vXPolicy.getGrantor()); - } - boolean isValidAuthentication=assetMgr.isValidHttpsAuthentication(repository,certchain,httpEnabled,ipAddress,isSecure); - if(isValidAuthentication){ - VXResource vXResource = xPolicyService.mapPublicToXAObject(vXPolicy,AbstractBaseResourceService.OPERATION_CREATE_CONTEXT); - vXResource=assetMgr.grantXResource(vXResource,vXPolicy); - vXResource.setPermMapList(xPolicyService.updatePermGroup(vXResource)); - xResourceService.updateResource(vXResource); - vXPolicy=xPolicyService.mapXAToPublicObject(vXResource); - vXPolicy.syncResponseWithJsonRequest(); + + if ( vXPolicy != null) { + String serviceName = vXPolicy.getRepositoryName(); + GrantRevokeRequest grantRevokeRequest = serviceUtil.toGrantRevokeRequest(vXPolicy); + try { + ret = serviceREST.grantAccess(serviceName, grantRevokeRequest, request); + } catch (Exception e) { + logger.error( HttpServletResponse.SC_BAD_REQUEST + "Grant Access Failed for the request " + vXPolicy ); + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Grant Access Failed for the request " + e.getMessage(), true); + } + } else { + logger.error( HttpServletResponse.SC_BAD_REQUEST + "Bad Request parameter " + vXPolicy ); + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Bad Request parameter " , true); + } + + if(logger.isDebugEnabled()) { + logger.debug("<== AssetREST.grantPermission(" + ret + ")"); } + + // TO DO Current Grant REST doesn't return a policy so returning a null value. Has to be replace with VXpolicy. return vXPolicy; } @@ -654,27 +661,29 @@ public class AssetREST { @Path("/resources/revoke") @Produces({ "application/xml", "application/json" }) public VXPolicy revokePermission(@Context HttpServletRequest request,VXPolicy vXPolicy) { - boolean httpEnabled = PropertiesUtil.getBooleanProperty("http.enabled",true); - X509Certificate[] certchain = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); - String ipAddress = request.getHeader("X-FORWARDED-FOR"); - if (ipAddress == null) { - ipAddress = request.getRemoteAddr(); + + RESTResponse ret = null; + + if(logger.isDebugEnabled()) { + logger.debug("==> AssetREST.revokePermission(" + vXPolicy + ")"); } - boolean isSecure = request.isSecure(); - String repository=null; - if(vXPolicy!=null){ - repository=vXPolicy.getRepositoryName(); - vXPolicy.setOwner(vXPolicy.getGrantor()); - vXPolicy.setUpdatedBy(vXPolicy.getGrantor()); - } - boolean isValidAuthentication=assetMgr.isValidHttpsAuthentication(repository,certchain,httpEnabled,ipAddress,isSecure); - if(isValidAuthentication){ - VXResource vXResource = xPolicyService.mapPublicToXAObject(vXPolicy,AbstractBaseResourceService.OPERATION_CREATE_CONTEXT); - vXResource=assetMgr.revokeXResource(vXResource); - vXResource.setPermMapList(xPolicyService.updatePermGroup(vXResource)); - xResourceService.updateResource(vXResource); - vXPolicy=xPolicyService.mapXAToPublicObject(vXResource); - vXPolicy.syncResponseWithJsonRequest(); + + if ( vXPolicy != null) { + String serviceName = vXPolicy.getRepositoryName(); + GrantRevokeRequest grantRevokeRequest = serviceUtil.toGrantRevokeRequest(vXPolicy); + try { + ret = serviceREST.revokeAccess(serviceName, grantRevokeRequest, request); + } catch (Exception e) { + logger.error( HttpServletResponse.SC_BAD_REQUEST + "Revoke Access Failed for the request " + vXPolicy ); + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Grant Access Failed for the request " + e.getMessage(), true); + } + } else { + logger.error( HttpServletResponse.SC_BAD_REQUEST + "Bad Request parameter " + vXPolicy ); + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Bad Request parameter " , true); + } + + if(logger.isDebugEnabled()) { + logger.debug("<== AssetREST.revokePermission(" + ret + ")"); } return vXPolicy; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e97c99d8/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java index 0a62f8e..082b2f8 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java @@ -34,31 +34,29 @@ import javax.ws.rs.core.Context; import org.apache.log4j.Logger; import org.apache.ranger.biz.AssetMgr; -import org.apache.ranger.common.AppConstants; -import org.apache.ranger.common.MessageEnums; +import org.apache.ranger.biz.ServiceDBStore; import org.apache.ranger.common.RESTErrorUtil; -import org.apache.ranger.common.RangerCommonEnums; import org.apache.ranger.common.RangerConstants; import org.apache.ranger.common.RangerSearchUtil; import org.apache.ranger.common.SearchCriteria; +import org.apache.ranger.common.ServiceUtil; import org.apache.ranger.common.StringUtil; import org.apache.ranger.common.annotation.RangerAnnotationClassName; import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName; import org.apache.ranger.db.RangerDaoManager; -import org.apache.ranger.service.AbstractBaseResourceService; +import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.model.RangerService; import org.apache.ranger.service.XAssetService; import org.apache.ranger.service.XPolicyService; import org.apache.ranger.service.XRepositoryService; import org.apache.ranger.service.XResourceService; import org.apache.ranger.view.VXAsset; -import org.apache.ranger.view.VXAssetList; import org.apache.ranger.view.VXLong; import org.apache.ranger.view.VXPolicy; import org.apache.ranger.view.VXPolicyList; import org.apache.ranger.view.VXRepository; import org.apache.ranger.view.VXRepositoryList; import org.apache.ranger.view.VXResource; -import org.apache.ranger.view.VXResourceList; import org.apache.ranger.view.VXResponse; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Scope; @@ -101,35 +99,97 @@ public class PublicAPIs { @Autowired RangerDaoManager xaDaoMgr; + + @Autowired + ServiceUtil serviceUtil; + + @Autowired + ServiceREST serviceREST; + + @Autowired + AssetREST assetREST; + @Autowired + ServiceDBStore svcStore; + + @GET @Path("/api/repository/{id}") @Produces({ "application/json", "application/xml" }) public VXRepository getRepository(@PathParam("id") Long id) { - VXAsset vXAsset = assetMgr.getXAsset(id); - return xRepositoryService.mapXAToPublicObject(vXAsset); - } + if(logger.isDebugEnabled()) { + logger.debug("==> PublicAPIs.getRepository(" + id + ")"); + } + + RangerService service = serviceREST.getService(id); + + VXRepository ret = serviceUtil.toVXRepository(service); + if(logger.isDebugEnabled()) { + logger.debug("<= PublicAPIs.getRepository(" + id + ")"); + } + return ret; + } + + @POST @Path("/api/repository/") @Produces({ "application/json", "application/xml" }) public VXRepository createRepository(VXRepository vXRepository) { - VXAsset vXAsset = xRepositoryService.mapPublicToXAObject(vXRepository); - vXAsset = assetMgr.createXAsset(vXAsset); - return xRepositoryService.mapXAToPublicObject(vXAsset); + if(logger.isDebugEnabled()) { + logger.debug("==> PublicAPIs.createRepository(" + vXRepository + ")"); + } + + VXAsset vXAsset = serviceUtil.publicObjecttoVXAsset(vXRepository); + + RangerService service = serviceUtil.toRangerService(vXAsset); + + RangerService createdService = serviceREST.createService(service); + + VXAsset retvXAsset = serviceUtil.toVXAsset(createdService); + + VXRepository ret = serviceUtil.vXAssetToPublicObject(retvXAsset); + + if(logger.isDebugEnabled()) { + logger.debug("<== PublicAPIs.createRepository(" + ret + ")"); + } + + return ret; } + @PUT @Path("/api/repository/{id}") @Produces({ "application/json", "application/xml" }) public VXRepository updateRepository(VXRepository vXRepository, @PathParam("id") Long id) { + + if(logger.isDebugEnabled()) { + logger.debug("==> PublicAPIs.updateRepository(" + id + ")"); + } + vXRepository.setId(id); - VXAsset vXAsset = xRepositoryService.mapPublicToXAObject(vXRepository); - vXAsset = assetMgr.updateXAsset(vXAsset); - return xRepositoryService.mapXAToPublicObject(vXAsset); + + VXAsset vXAsset = serviceUtil.publicObjecttoVXAsset(vXRepository); + + RangerService service = serviceUtil.toRangerService(vXAsset); + + RangerService updatedService = serviceREST.updateService(service); + + VXAsset retvXAsset = serviceUtil.toVXAsset(updatedService); + + VXRepository ret = serviceUtil.vXAssetToPublicObject(retvXAsset); + + if(logger.isDebugEnabled()) { + logger.debug("<== PublicAPIs.updateRepository(" + ret + ")"); + } + + return ret; } + + + @DELETE @Path("/api/repository/{id}") @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") @@ -137,27 +197,53 @@ public class PublicAPIs { public void deleteRepository(@PathParam("id") Long id, @Context HttpServletRequest request) { + if(logger.isDebugEnabled()) { + logger.debug("==> PublicAPIs.deleteRepository(" + id + ")"); + } + String forceStr = request.getParameter("force"); boolean force = true; if (!stringUtil.isEmpty(forceStr)) { force = Boolean.parseBoolean(forceStr.trim()); } - assetMgr.deleteXAsset(id, force); + + serviceREST.deleteService(id); + + if(logger.isDebugEnabled()) { + logger.debug("<== PublicAPIs.deleteRepository(" + id + ")"); + } } + - // @POST + /*// @POST // @Path("/api/repository/testConfig") // @Produces({ "application/xml", "application/json" }) public VXResponse testConfig(VXRepository vXRepository) { VXAsset vXAsset = xRepositoryService.mapPublicToXAObject(vXRepository); return assetMgr.testConfig(vXAsset); + }*/ + + + // @POST + // @Path("/api/repository/testConfig") + // @Produces({ "application/xml", "application/json" }) + public VXResponse testConfig(VXRepository vXRepository) { + VXAsset vXAsset = serviceUtil.publicObjecttoVXAsset(vXRepository); + return serviceREST.validateConfig(serviceUtil.toRangerService(vXAsset)); } - + + + @GET @Path("/api/repository/") @Produces({ "application/json", "application/xml" }) public VXRepositoryList searchRepositories( @Context HttpServletRequest request) { + + if(logger.isDebugEnabled()) { + logger.debug("==> PublicAPIs.searchRepositories()"); + } + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xAssetService.sortFields); searchUtil.extractString(request, searchCriteria, "name", @@ -167,58 +253,129 @@ public class PublicAPIs { searchUtil.extractString(request, searchCriteria, "type", "Repository Type", null); - searchCriteria = xRepositoryService.getMappedSearchParams(request, + searchCriteria = serviceUtil.getMappedSearchParams(request, searchCriteria); - VXAssetList vXAssetList = assetMgr.searchXAssets(searchCriteria); - - return xRepositoryService.mapToVXRepositoryList(vXAssetList); + List<RangerService> serviceList = serviceREST.getServices(request); + + VXRepositoryList ret = serviceUtil.rangerServiceListToPublicObjectList(serviceList); + + if(logger.isDebugEnabled()) { + logger.debug("<== PublicAPIs.searchRepositories(): count=" + (ret == null ? 0 : ret.getListSize())); + } + + return ret; } + @GET @Path("/api/repository/count") @Produces({ "application/json", "application/xml" }) public VXLong countRepositories(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xAssetService.sortFields); - + + if(logger.isDebugEnabled()) { + logger.debug("==> PublicAPIs.countRepositories()"); + } + ArrayList<Integer> valueList = new ArrayList<Integer>(); valueList.add(RangerConstants.STATUS_DISABLED); valueList.add(RangerConstants.STATUS_ENABLED); searchCriteria.addParam("status", valueList); + + VXLong ret = new VXLong(); + + ret.setValue(serviceREST.countServices(request)); + + if(logger.isDebugEnabled()) { + logger.debug("<== PublicAPIs.countRepositories(): count=" + ret); + } + + return ret; + } + - return assetMgr.getXAssetSearchCount(searchCriteria); - } - + @GET @Path("/api/policy/{id}") @Produces({ "application/json", "application/xml" }) public VXPolicy getPolicy(@PathParam("id") Long id) { - VXResource vXResource = assetMgr.getXResource(id); - return xPolicyService.mapXAToPublicObject(vXResource); + + if(logger.isDebugEnabled()) { + logger.debug("==> PublicAPIs.getPolicy() " + id); + } + + RangerPolicy policy = null; + RangerService service = null; + + policy = serviceREST.getPolicy(id); + + if(policy != null) { + service = serviceREST.getServiceByName(policy.getService()); + } + + VXPolicy ret = serviceUtil.toVXPolicy(policy, service); + + if(logger.isDebugEnabled()) { + logger.debug("<== PublicAPIs.getPolicy()" + ret); + } + + return ret; } + @POST @Path("/api/policy") @Produces({ "application/json", "application/xml" }) public VXPolicy createPolicy(VXPolicy vXPolicy) { - VXResource vXResource = xPolicyService.mapPublicToXAObject(vXPolicy, - AbstractBaseResourceService.OPERATION_CREATE_CONTEXT); - vXResource = assetMgr.createXResource(vXResource); - vXResource.setPermMapList(xPolicyService.updatePermGroup(vXResource)); - return xPolicyService.mapXAToPublicObject(vXResource); + + if(logger.isDebugEnabled()) { + logger.debug("==> PublicAPIs.createPolicy()"); + } + + RangerService service = serviceREST.getServiceByName(vXPolicy.getRepositoryName()); + + RangerPolicy policy = serviceUtil.toRangerPolicy(vXPolicy,service); + + if(logger.isDebugEnabled()) { + logger.debug("RANGERPOLICY: " + policy.toString()); + } + + RangerPolicy createdPolicy = serviceREST.createPolicy(policy); + VXPolicy ret = serviceUtil.toVXPolicy(createdPolicy, service); + + if(logger.isDebugEnabled()) { + logger.debug("<== PublicAPIs.createPolicy(" + policy + "): " + ret); + } + + return ret; } @PUT @Path("/api/policy/{id}") @Produces({ "application/json", "application/xml" }) public VXPolicy updatePolicy(VXPolicy vXPolicy, @PathParam("id") Long id) { + + if(logger.isDebugEnabled()) { + logger.debug("==> PublicAPIs.updatePolicy(): " + vXPolicy ); + } + vXPolicy.setId(id); - VXResource vXResource = xPolicyService.mapPublicToXAObject(vXPolicy, - AbstractBaseResourceService.OPERATION_UPDATE_CONTEXT); - vXResource = assetMgr.updateXResource(vXResource); - vXResource.setPermMapList(xPolicyService.updatePermGroup(vXResource)); - return xPolicyService.mapXAToPublicObject(vXResource); + + RangerService service = serviceREST.getServiceByName(vXPolicy.getRepositoryName()); + + RangerPolicy policy = serviceUtil.toRangerPolicy(vXPolicy,service); + + RangerPolicy updatedPolicy = serviceREST.createPolicy(policy); + + VXPolicy ret = serviceUtil.toVXPolicy(updatedPolicy, service); + + if(logger.isDebugEnabled()) { + logger.debug("<== AssetREST.updatePolicy(" + policy + "): " + ret); + } + + return ret; } @DELETE @@ -227,92 +384,57 @@ public class PublicAPIs { @RangerAnnotationClassName(class_name = VXResource.class) public void deletePolicy(@PathParam("id") Long id, @Context HttpServletRequest request) { - String forceStr = request.getParameter("force"); - boolean force = true; - if (!stringUtil.isEmpty(forceStr)) { - force = Boolean.parseBoolean(forceStr.trim()); + + if(logger.isDebugEnabled()) { + logger.debug("==> PublicAPIs.deletePolicy(): " + id ); + } + + serviceREST.deletePolicy(id); + + if(logger.isDebugEnabled()) { + logger.debug("<== PublicAPIs.deletePolicy(): " + id ); } - assetMgr.deleteXResource(id, force); } @GET @Path("/api/policy") @Produces({ "application/json", "application/xml" }) public VXPolicyList searchPolicies(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xResourceService.sortFields); - - String resourceName = request.getParameter("resourceName"); - if (!stringUtil.isEmpty(resourceName)) { - searchCriteria.getParamList().put("name", resourceName); - } - searchUtil.extractString(request, searchCriteria, "policyName", - "Policy name", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "columns", - "Column name", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "columnFamilies", - "Column Family", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "tables", "Tables", - StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "udfs", "UDFs", - StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "databases", - "Databases", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "groupName", - "Group Name", StringUtil.VALIDATION_TEXT); - - String repositoryType = request.getParameter("repositoryType"); - if (!stringUtil.isEmpty(repositoryType)) { - searchCriteria.getParamList().put("assetType", - AppConstants.getEnumFor_AssetType(repositoryType)); - } - - String isRec = request.getParameter("isRecursive"); - if (isRec != null) { - boolean isRecursiveBool = restErrorUtil.parseBoolean(isRec, - "Invalid value for " + "isRecursive", - MessageEnums.INVALID_INPUT_DATA, null, "isRecursive"); - int isRecursive = (isRecursiveBool == true) ? RangerConstants.BOOL_TRUE - : RangerConstants.BOOL_FALSE; - searchCriteria.getParamList().put("isRecursive", isRecursive); + + if(logger.isDebugEnabled()) { + logger.debug("==> PublicAPIs.searchPolicies(): "); } - - searchUtil.extractString(request, searchCriteria, "userName", - "User Name", StringUtil.VALIDATION_TEXT); - searchUtil.extractString(request, searchCriteria, "repositoryName", - "Repository Name", StringUtil.VALIDATION_TEXT); - - String resStatus = request.getParameter("isEnabled"); - List<Integer> resList = new ArrayList<Integer>(); - if (stringUtil.isEmpty(resStatus)) { - resList.add(RangerCommonEnums.STATUS_ENABLED); - resList.add(RangerCommonEnums.STATUS_DISABLED); - } else { - boolean policyStatus = restErrorUtil.parseBoolean(resStatus, - "Invalid value for " + "isEnabled", - MessageEnums.INVALID_INPUT_DATA, null, "isEnabled"); - int policyStat = (policyStatus) ? RangerCommonEnums.STATUS_ENABLED - : RangerCommonEnums.STATUS_DISABLED; - resList.add(policyStat); + + List<RangerPolicy> rangerPolicyList = serviceREST.getPolicies(request); + + VXPolicyList vXPolicyList = serviceUtil.rangerPolicyListToPublic(rangerPolicyList); + + if(logger.isDebugEnabled()) { + logger.debug("<== PublicAPIs.searchPolicies(): " + vXPolicyList ); } - searchCriteria.getParamList().put("resourceStatus", resList); - searchCriteria.setDistinct(true); - - VXResourceList vXResourceList = assetMgr - .searchXResources(searchCriteria); - return xPolicyService.mapToVXPolicyList(vXResourceList); + return vXPolicyList; } @GET @Path("/api/policy/count") @Produces({ "application/xml", "application/json" }) public VXLong countPolicies(@Context HttpServletRequest request) { - SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( - request, xResourceService.sortFields); - - - return assetMgr.getXResourceSearchCount(searchCriteria); + + if(logger.isDebugEnabled()) { + logger.debug("==> PublicAPIs.countPolicies(): "); + } + + Long policyCount = serviceREST.countPolicies(request); + + VXLong vXlong = new VXLong(); + vXlong.setValue(policyCount); + + if(logger.isDebugEnabled()) { + logger.debug("<== PublicAPIs.countPolicies(): " + request ); + } + + return vXlong; } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/e97c99d8/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index fc2178f..821562f 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java @@ -72,7 +72,10 @@ import org.apache.ranger.admin.client.datatype.RESTResponse; import org.apache.ranger.biz.AssetMgr; import org.apache.ranger.biz.ServiceMgr; import org.apache.ranger.biz.ServiceDBStore; +import org.apache.ranger.common.MessageEnums; +import org.apache.ranger.common.PropertiesUtil; import org.apache.ranger.common.RESTErrorUtil; +import org.apache.ranger.common.ServiceUtil; import org.apache.ranger.entity.XXPolicyExportAudit; @@ -95,6 +98,9 @@ public class ServiceREST { @Autowired ServiceDBStore svcStore; + @Autowired + ServiceUtil serviceUtil; + // this indirection for validation via a factory exists only for testability // TODO move the instantiation to DI framework? RangerValidatorFactory validatorFactory = new RangerValidatorFactory(); @@ -515,168 +521,171 @@ public class ServiceREST { } RESTResponse ret = new RESTResponse(); + + if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) { - try { - String userName = grantRequest.getGrantor(); - Set<String> userGroups = Collections.<String>emptySet(); // TODO: get groups for the grantor from Ranger database - RangerResource resource = new RangerResourceImpl(grantRequest.getResource()); - - boolean isAdmin = isAdminForResource(userName, userGroups, serviceName, resource); - - if(!isAdmin) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "", true); - } - - RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource); + try { + String userName = grantRequest.getGrantor(); + Set<String> userGroups = Collections.<String>emptySet(); // TODO: get groups for the grantor from Ranger database + RangerResource resource = new RangerResourceImpl(grantRequest.getResource()); - if(policy != null) { - boolean policyUpdated = false; - - // replace all existing privileges for users and groups - if(grantRequest.getReplaceExistingPermissions()) { - List<RangerPolicyItem> policyItems = policy.getPolicyItems(); - - int numOfItems = policyItems.size(); + boolean isAdmin = isAdminForResource(userName, userGroups, serviceName, resource); - for(int i = 0; i < numOfItems; i++) { - RangerPolicyItem policyItem = policyItems.get(i); + if(!isAdmin) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "", true); + } - if(CollectionUtils.containsAny(policyItem.getUsers(), grantRequest.getUsers())) { - policyItem.getUsers().removeAll(grantRequest.getUsers()); - - policyUpdated = true; - } - - if(CollectionUtils.containsAny(policyItem.getGroups(), grantRequest.getGroups())) { - policyItem.getGroups().removeAll(grantRequest.getGroups()); - - policyUpdated = true; + RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource); + + if(policy != null) { + boolean policyUpdated = false; + + // replace all existing privileges for users and groups + if(grantRequest.getReplaceExistingPermissions()) { + List<RangerPolicyItem> policyItems = policy.getPolicyItems(); + + int numOfItems = policyItems.size(); + + for(int i = 0; i < numOfItems; i++) { + RangerPolicyItem policyItem = policyItems.get(i); + + if(CollectionUtils.containsAny(policyItem.getUsers(), grantRequest.getUsers())) { + policyItem.getUsers().removeAll(grantRequest.getUsers()); + + policyUpdated = true; + } + + if(CollectionUtils.containsAny(policyItem.getGroups(), grantRequest.getGroups())) { + policyItem.getGroups().removeAll(grantRequest.getGroups()); + + policyUpdated = true; + } + + if(CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) { + policyItems.remove(i); + numOfItems--; + i--; + + policyUpdated = true; + } } - - if(CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) { - policyItems.remove(i); - numOfItems--; - i--; - + + if(compactPolicy(policy)) { policyUpdated = true; } } - - if(compactPolicy(policy)) { - policyUpdated = true; - } - } - - for(String user : grantRequest.getUsers()) { - RangerPolicyItem policyItem = getPolicyItemForUser(policy, user); - - if(policyItem != null) { - if(addAccesses(policyItem, grantRequest.getAccessTypes())) { - policyUpdated = true; - } - } else { - policyItem = new RangerPolicyItem(); + + for(String user : grantRequest.getUsers()) { + RangerPolicyItem policyItem = getPolicyItemForUser(policy, user); - policyItem.getUsers().add(user); - addAccesses(policyItem, grantRequest.getAccessTypes()); - policy.getPolicyItems().add(policyItem); - - policyUpdated = true; - } - - if(grantRequest.getDelegateAdmin()) { - if(!policyItem.getDelegateAdmin()) { - policyItem.setDelegateAdmin(Boolean.TRUE); + if(policyItem != null) { + if(addAccesses(policyItem, grantRequest.getAccessTypes())) { + policyUpdated = true; + } + } else { + policyItem = new RangerPolicyItem(); + + policyItem.getUsers().add(user); + addAccesses(policyItem, grantRequest.getAccessTypes()); + policy.getPolicyItems().add(policyItem); policyUpdated = true; } - } - } - - for(String group : grantRequest.getGroups()) { - RangerPolicyItem policyItem = getPolicyItemForGroup(policy, group); - - if(policyItem != null) { - if(addAccesses(policyItem, grantRequest.getAccessTypes())) { - policyUpdated = true; + + if(grantRequest.getDelegateAdmin()) { + if(!policyItem.getDelegateAdmin()) { + policyItem.setDelegateAdmin(Boolean.TRUE); + + policyUpdated = true; + } } - } else { - policyItem = new RangerPolicyItem(); - - policyItem.getGroups().add(group); - addAccesses(policyItem, grantRequest.getAccessTypes()); - policy.getPolicyItems().add(policyItem); - - policyUpdated = true; } - - if(grantRequest.getDelegateAdmin()) { - if(!policyItem.getDelegateAdmin()) { - policyItem.setDelegateAdmin(Boolean.TRUE); + + for(String group : grantRequest.getGroups()) { + RangerPolicyItem policyItem = getPolicyItemForGroup(policy, group); + + if(policyItem != null) { + if(addAccesses(policyItem, grantRequest.getAccessTypes())) { + policyUpdated = true; + } + } else { + policyItem = new RangerPolicyItem(); + + policyItem.getGroups().add(group); + addAccesses(policyItem, grantRequest.getAccessTypes()); + policy.getPolicyItems().add(policyItem); policyUpdated = true; } - } - } - - if(policyUpdated) { - updatePolicy(policy); - } - } else { - policy = new RangerPolicy(); - policy.setService(serviceName); - policy.setName("grant-" + System.currentTimeMillis()); // TODO: better policy name - policy.setDescription("created by grant"); - policy.setIsAuditEnabled(grantRequest.getEnableAudit()); - policy.setCreatedBy(userName); - Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>(); - Set<String> resourceNames = resource.getKeys(); - - if(! CollectionUtils.isEmpty(resourceNames)) { - for(String resourceName : resourceNames) { - RangerPolicyResource policyResource = new RangerPolicyResource(resource.getValue(resourceName)); - policyResource.setIsRecursive(grantRequest.getIsRecursive()); - - policyResources.put(resourceName, policyResource); + if(grantRequest.getDelegateAdmin()) { + if(!policyItem.getDelegateAdmin()) { + policyItem.setDelegateAdmin(Boolean.TRUE); + + policyUpdated = true; + } + } } - } - policy.setResources(policyResources); - for(String user : grantRequest.getUsers()) { - RangerPolicyItem policyItem = new RangerPolicyItem(); + if(policyUpdated) { + updatePolicy(policy); + } + } else { + policy = new RangerPolicy(); + policy.setService(serviceName); + policy.setName("grant-" + System.currentTimeMillis()); // TODO: better policy name + policy.setDescription("created by grant"); + policy.setIsAuditEnabled(grantRequest.getEnableAudit()); + policy.setCreatedBy(userName); + + Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>(); + Set<String> resourceNames = resource.getKeys(); - policyItem.getUsers().add(user); - for(String accessType : grantRequest.getAccessTypes()) { - policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE)); + if(! CollectionUtils.isEmpty(resourceNames)) { + for(String resourceName : resourceNames) { + RangerPolicyResource policyResource = new RangerPolicyResource(resource.getValue(resourceName)); + policyResource.setIsRecursive(grantRequest.getIsRecursive()); + + policyResources.put(resourceName, policyResource); + } } - policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin()); - policy.getPolicyItems().add(policyItem); - } - - for(String group : grantRequest.getGroups()) { - RangerPolicyItem policyItem = new RangerPolicyItem(); + policy.setResources(policyResources); - policyItem.getGroups().add(group); - for(String accessType : grantRequest.getAccessTypes()) { - policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE)); + for(String user : grantRequest.getUsers()) { + RangerPolicyItem policyItem = new RangerPolicyItem(); + + policyItem.getUsers().add(user); + for(String accessType : grantRequest.getAccessTypes()) { + policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE)); + } + policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin()); + policy.getPolicyItems().add(policyItem); + } + + for(String group : grantRequest.getGroups()) { + RangerPolicyItem policyItem = new RangerPolicyItem(); + + policyItem.getGroups().add(group); + for(String accessType : grantRequest.getAccessTypes()) { + policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE)); + } + policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin()); + policy.getPolicyItems().add(policyItem); } - policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin()); - policy.getPolicyItems().add(policyItem); + + createPolicy(policy); } + } catch(WebApplicationException excp) { + throw excp; + } catch(Exception excp) { + LOG.error("grantAccess(" + serviceName + ", " + grantRequest + ") failed", excp); - createPolicy(policy); + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - } catch(WebApplicationException excp) { - throw excp; - } catch(Exception excp) { - LOG.error("grantAccess(" + serviceName + ", " + grantRequest + ") failed", excp); - - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); + + ret.setStatusCode(RESTResponse.STATUS_SUCCESS); } - ret.setStatusCode(RESTResponse.STATUS_SUCCESS); - if(LOG.isDebugEnabled()) { LOG.debug("<== ServiceREST.grantAccess(" + serviceName + ", " + grantRequest + "): " + ret); } @@ -694,47 +703,33 @@ public class ServiceREST { RESTResponse ret = new RESTResponse(); - try { - String userName = revokeRequest.getGrantor(); - Set<String> userGroups = Collections.<String>emptySet(); // TODO: get groups for the grantor from Ranger databas - RangerResource resource = new RangerResourceImpl(revokeRequest.getResource()); - - boolean isAdmin = isAdminForResource(userName, userGroups, serviceName, resource); - - if(!isAdmin) { - throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "", true); - } - - RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource); - - if(policy != null) { - boolean policyUpdated = false; - - for(String user : revokeRequest.getUsers()) { - RangerPolicyItem policyItem = getPolicyItemForUser(policy, user); - - if(policyItem != null) { - if(removeAccesses(policyItem, revokeRequest.getAccessTypes())) { - policyUpdated = true; - } - } + if (serviceUtil.isValidateHttpsAuthentication(serviceName,request)) { - if(revokeRequest.getDelegateAdmin()) { // remove delegate? - if(policyItem.getDelegateAdmin()) { - policyItem.setDelegateAdmin(Boolean.FALSE); - policyUpdated = true; - } - } + try { + String userName = revokeRequest.getGrantor(); + Set<String> userGroups = Collections.<String>emptySet(); // TODO: get groups for the grantor from Ranger databas + RangerResource resource = new RangerResourceImpl(revokeRequest.getResource()); + + boolean isAdmin = isAdminForResource(userName, userGroups, serviceName, resource); + + if(!isAdmin) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "", true); } - - for(String group : revokeRequest.getGroups()) { - RangerPolicyItem policyItem = getPolicyItemForGroup(policy, group); - - if(policyItem != null) { - if(removeAccesses(policyItem, revokeRequest.getAccessTypes())) { - policyUpdated = true; + + RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource); + + if(policy != null) { + boolean policyUpdated = false; + + for(String user : revokeRequest.getUsers()) { + RangerPolicyItem policyItem = getPolicyItemForUser(policy, user); + + if(policyItem != null) { + if(removeAccesses(policyItem, revokeRequest.getAccessTypes())) { + policyUpdated = true; + } } - + if(revokeRequest.getDelegateAdmin()) { // remove delegate? if(policyItem.getDelegateAdmin()) { policyItem.setDelegateAdmin(Boolean.FALSE); @@ -742,28 +737,45 @@ public class ServiceREST { } } } + + for(String group : revokeRequest.getGroups()) { + RangerPolicyItem policyItem = getPolicyItemForGroup(policy, group); + + if(policyItem != null) { + if(removeAccesses(policyItem, revokeRequest.getAccessTypes())) { + policyUpdated = true; + } + + if(revokeRequest.getDelegateAdmin()) { // remove delegate? + if(policyItem.getDelegateAdmin()) { + policyItem.setDelegateAdmin(Boolean.FALSE); + policyUpdated = true; + } + } + } + } + + if(compactPolicy(policy)) { + policyUpdated = true; + } + + if(policyUpdated) { + updatePolicy(policy); + } + } else { + // nothing to revoke! } - - if(compactPolicy(policy)) { - policyUpdated = true; - } - - if(policyUpdated) { - updatePolicy(policy); - } - } else { - // nothing to revoke! + } catch(WebApplicationException excp) { + throw excp; + } catch(Exception excp) { + LOG.error("revokeAccess(" + serviceName + ", " + revokeRequest + ") failed", excp); + + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); } - } catch(WebApplicationException excp) { - throw excp; - } catch(Exception excp) { - LOG.error("revokeAccess(" + serviceName + ", " + revokeRequest + ") failed", excp); - - throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, excp.getMessage(), true); + + ret.setStatusCode(RESTResponse.STATUS_SUCCESS); } - ret.setStatusCode(RESTResponse.STATUS_SUCCESS); - if(LOG.isDebugEnabled()) { LOG.debug("<== ServiceREST.revokeAccess(" + serviceName + ", " + revokeRequest + "): " + ret); }
