Repository: incubator-ranger Updated Branches: refs/heads/master 49bebb59f -> be34cc292
RANGER-366: grant, revoke to authorize based on groups of the grantor Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/be34cc29 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/be34cc29 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/be34cc29 Branch: refs/heads/master Commit: be34cc2929e0cb4c4a43d5a2eece40683e61a62d Parents: 49bebb5 Author: Madhan Neethiraj <[email protected]> Authored: Wed Apr 1 22:56:21 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Thu Apr 2 00:44:40 2015 -0700 ---------------------------------------------------------------------- .../java/org/apache/ranger/biz/XUserMgr.java | 31 ++++++++++++++++++++ .../org/apache/ranger/rest/ServiceREST.java | 10 +++++-- 2 files changed, 38 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/be34cc29/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index bc0fc82..1051991 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java @@ -32,6 +32,7 @@ import javax.ws.rs.PUT; import javax.ws.rs.Path; import javax.ws.rs.Produces; +import org.apache.commons.collections.CollectionUtils; import org.apache.log4j.Logger; import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.PropertiesUtil; 
@@ -443,6 +444,36 @@ public class XUserMgr extends XUserMgrBase { return vXGroupList; } + public Set<String> getGroupsForUser(String userName) { + Set<String> ret = new HashSet<String>(); + + try { + VXUser user = getXUserByUserName(userName); + + if(user != null) { + VXGroupList groups = getXUserGroups(user.getId()); + + if(groups != null && !CollectionUtils.isEmpty(groups.getList())) { + for(VXGroup group : groups.getList()) { + ret.add(group.getName()); + } + } else { + if(logger.isDebugEnabled()) { + logger.debug("getGroupsForUser('" + userName + "'): no groups found for user"); + } + } + } else { + if(logger.isDebugEnabled()) { + logger.debug("getGroupsForUser('" + userName + "'): user not found"); + } + } + } catch(Exception excp) { + logger.error("getGroupsForUser('" + userName + "') failed", excp); + } + + return ret; + } + public VXUserList getXGroupUsers(Long xGroupId) { SearchCriteria searchCriteria = new SearchCriteria(); searchCriteria.addParam("xGroupId", xGroupId); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/be34cc29/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index 9d8d277..ce175f1 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java @@ -47,6 +47,7 @@ import org.apache.ranger.admin.client.datatype.RESTResponse; import org.apache.ranger.biz.AssetMgr; import org.apache.ranger.biz.ServiceDBStore; import org.apache.ranger.biz.ServiceMgr; +import org.apache.ranger.biz.XUserMgr; import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.RESTErrorUtil; import org.apache.ranger.common.RangerConfigUtil; 
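Review bot: The `catch(Exception excp)` wrapped around the whole body of `getGroupsForUser` makes a failed lookup indistinguishable from "user not found" or "user has no groups", because all three return the empty set. On the grant/revoke path this presumably evaluates the grantor with no group-derived rights, which is the safe direction, but a store or lookup fault then surfaces only as an unexplained denial plus one error-level log line. The contract should at least be stated on the method, for example `/** Returns the names of the groups the user belongs to; returns an empty set when the user is unknown, has no groups, or the lookup fails. */`, and callers that make authorization decisions would be better served by a propagated failure than by a silent empty result. Separately, `userName` is concatenated unmodified into the debug and error messages; since ServiceREST passes the request's grantor value here, CR/LF should be stripped or the value encoded before logging so a crafted name cannot forge log lines.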
@@ -106,6 +107,9 @@ public class ServiceREST { AssetMgr assetMgr; @Autowired + XUserMgr userMgr; + + @Autowired ServiceDBStore svcStore; @Autowired @@ -125,7 +129,7 @@ public class ServiceREST { @Autowired RangerSearchUtil searchUtil; - + // this indirection for validation via a factory exists only for testability // TODO move the instantiation to DI framework? RangerValidatorFactory validatorFactory = new RangerValidatorFactory(); @@ -557,7 +561,7 @@ public class ServiceREST { try { String userName = grantRequest.getGrantor(); - Set<String> userGroups = Collections.<String>emptySet(); // TODO: get groups for the grantor from Ranger database + Set<String> userGroups = userMgr.getGroupsForUser(userName); RangerAccessResource resource = new RangerAccessResourceImpl(grantRequest.getResource()); boolean isAdmin = isAdminForResource(userName, userGroups, serviceName, resource); @@ -738,7 +742,7 @@ public class ServiceREST { try { String userName = revokeRequest.getGrantor(); - Set<String> userGroups = Collections.<String>emptySet(); // TODO: get groups for the grantor from Ranger databas + Set<String> userGroups = userMgr.getGroupsForUser(userName); RangerAccessResource resource = new RangerAccessResourceImpl(revokeRequest.getResource()); boolean isAdmin = isAdminForResource(userName, userGroups, serviceName, resource);
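Review bot: In the grant hunk (`@@ -557`) and again in the revoke hunk (`@@ -738`), the name handed to `userMgr.getGroupsForUser(userName)` comes from `grantRequest.getGrantor()` / `revokeRequest.getGrantor()`, a field of the request payload. With this change every group of that named user feeds `isAdminForResource`, so the decision now rests even more heavily on the grantor value being bound to the authenticated caller, or on the caller being trusted to act for others. Both methods start and end outside the hunks, so such a check may exist elsewhere; if it does, a comment at the lookup would make the trust assumption reviewable, e.g. `// grantor is supplied in the request; caller identity and its right to act for this grantor are verified at <placeholder: where>`. A null or empty grantor is also worth rejecting before the lookup rather than letting it fall through to the empty-set path.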
