Repository: incubator-ranger Updated Branches: refs/heads/master b802bd3ee -> b05edbc8d
RANGER-421: Streamline usersync process Signed-off-by: sneethiraj <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/b05edbc8 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/b05edbc8 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/b05edbc8 Branch: refs/heads/master Commit: b05edbc8d568119bb709c65ed5007784dc716407 Parents: b802bd3 Author: Velmurugan Periasamy <[email protected]> Authored: Thu Apr 23 04:52:56 2015 -0400 Committer: sneethiraj <[email protected]> Committed: Thu Apr 23 05:04:14 2015 -0400 ---------------------------------------------------------------------- .../db/mysql/patches/012-createusersyncuser.sql | 48 ++++++ .../oracle/patches/012-createusersyncuser.sql | 50 ++++++ .../db/postgres/xa_core_db_postgres.sql | 4 + .../db/sqlserver/xa_core_db_sqlserver.sql | 6 + .../java/org/apache/ranger/biz/UserMgr.java | 38 ++++- .../java/org/apache/ranger/biz/XUserMgr.java | 141 ++++++++++++++- .../org/apache/ranger/common/RESTErrorUtil.java | 22 +++ .../java/org/apache/ranger/rest/UserREST.java | 1 - .../java/org/apache/ranger/rest/XUserREST.java | 7 + .../conf.dist/security-applicationContext.xml | 4 +- src/main/assembly/usersync.xml | 1 + .../process/PolicyMgrUserGroupBuilder.java | 9 +- .../config/UserGroupSyncConfig.java | 60 ++++++- .../process/PolicyMgrUserGroupBuilder.java | 15 +- .../conf.dist/unixauthservice.properties | 4 + .../scripts/updatepolicymgrpassword.py | 171 +++++++++++++++++++ .../scripts/updatepolicymgrpassword.sh | 128 ++++++++++++++ 17 files changed, 698 insertions(+), 11 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/security-admin/db/mysql/patches/012-createusersyncuser.sql ---------------------------------------------------------------------- 
diff --git a/security-admin/db/mysql/patches/012-createusersyncuser.sql b/security-admin/db/mysql/patches/012-createusersyncuser.sql new file mode 100644 index 0000000..9f3af62 --- /dev/null +++ b/security-admin/db/mysql/patches/012-createusersyncuser.sql 
@@ -0,0 +1,48 @@ +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. + +drop procedure if exists create_user_sync; + +delimiter ;; +create procedure create_user_sync() begin +DECLARE loginID varchar(1024); + /* check tables exist or not */ + if exists (select * from information_schema.columns where table_schema=database() and table_name = 'x_portal_user') then + if exists (select * from information_schema.columns where table_schema=database() and table_name = 'x_portal_user_role') then + if exists (select * from information_schema.columns where table_schema=database() and table_name = 'x_user') then + /* check record for login id rangerusersync exist or not */ + if not exists (select * from x_portal_user where login_id = 'rangerusersync') then + INSERT INTO x_portal_user(create_time,update_time,added_by_id,upd_by_id,first_name,last_name,pub_scr_name,login_id,password,email,status,user_src,notes) VALUES (UTC_TIMESTAMP(),UTC_TIMESTAMP(),NULL,NULL,'rangerusersync','','rangerusersync','rangerusersync','70b8374d3dfe0325aaa5002a688c7e3b','rangerusersync',1,0,NULL); + end if; + set loginID = (select id from x_portal_user where login_id = 'rangerusersync'); + if not exists (select * from x_portal_user_role where user_id =loginID ) then 
+ INSERT INTO x_portal_user_role(create_time,update_time,added_by_id,upd_by_id,user_id,user_role,status) VALUES (UTC_TIMESTAMP(),UTC_TIMESTAMP(),NULL,NULL,loginID,'ROLE_SYS_ADMIN',1); + end if; + if not exists (select * from x_user where user_name = 'admin') then + INSERT INTO x_user(create_time,update_time,added_by_id,upd_by_id,user_name,descr,status) values (UTC_TIMESTAMP(), UTC_TIMESTAMP(),NULL,NULL,'admin','Administrator',0); + end if; + if not exists (select * from x_user where user_name = 'rangerusersync') then + INSERT INTO x_user(create_time,update_time,added_by_id,upd_by_id,user_name,descr,status) values (UTC_TIMESTAMP(), UTC_TIMESTAMP(),NULL,NULL,'rangerusersync','rangerusersync',0); + end if; + end if; + end if; + end if; + +end;; + +delimiter ; +call create_user_sync(); + +drop procedure if exists create_user_sync; \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/security-admin/db/oracle/patches/012-createusersyncuser.sql ---------------------------------------------------------------------- diff --git a/security-admin/db/oracle/patches/012-createusersyncuser.sql b/security-admin/db/oracle/patches/012-createusersyncuser.sql new file mode 100644 index 0000000..5b99b1f --- /dev/null +++ b/security-admin/db/oracle/patches/012-createusersyncuser.sql 
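Review bot: The seeded `rangerusersync` row in the `x_portal_user` INSERT carries a fixed password hash (`70b8374d3dfe0325aaa5002a688c7e3b`, presumably the hash of the `rangerusersync` default that UserGroupSyncConfig declares in this same commit) and the following INSERT grants it `ROLE_SYS_ADMIN`, so every fresh install ships a published admin credential until updatepolicymgrpassword.sh is run. The procedure should say so, e.g. `-- Seeds the usersync service account with the default password; rotate it via updatepolicymgrpassword.sh before exposing the admin service.` Separately, `DECLARE loginID varchar(1024);` holds a numeric id that is later compared as `user_id = loginID`; declaring it with an integer type matching `x_portal_user.id` (e.g. `DECLARE loginID bigint;`) avoids the implicit string-to-number comparison. The role check keys only on `user_id`, which keeps a re-run idempotent, but the Oracle variant of this patch has no such guard — keep the two in step.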
@@ -0,0 +1,50 @@ +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. + +DECLARE + v_count number:=0; + loginID number:=0; + sql_stmt VARCHAR2(1000); + first_name VARCHAR2(10):='rangerusersync'; + scr_name VARCHAR2(10):='rangerusersync'; + login_name VARCHAR2(10):='rangerusersync'; + password VARCHAR2(50):='70b8374d3dfe0325aaa5002a688c7e3b'; + user_role VARCHAR2(50):='ROLE_SYS_ADMIN'; + email VARCHAR2(20):='rangerusersync'; +BEGIN + select count(*) into v_count from user_tables where table_name IN('X_PORTAL_USER','X_PORTAL_USER_ROLE','X_USER'); + if (v_count = 3) then + v_count:=0; + select count(*) into v_count from x_portal_user where login_id = login_name; + if (v_count = 0) then + sql_stmt := 'INSERT INTO x_portal_user(ID,CREATE_TIME,UPDATE_TIME,FIRST_NAME,LAST_NAME,PUB_SCR_NAME,LOGIN_ID,PASSWORD,EMAIL,STATUS,USER_SRC) VALUES (X_PORTAL_USER_SEQ.nextval,sys_extract_utc(systimestamp),sys_extract_utc(systimestamp),:1,NULL,:2,:3,:4,:5,1,0)'; + EXECUTE IMMEDIATE sql_stmt USING first_name,scr_name,login_name,password,email; + commit; + end if; + select id into loginID from x_portal_user where login_id = login_name; + if (loginID > 0) then + sql_stmt := 'INSERT INTO 
x_portal_user_role(id,create_time,update_time,user_id,user_role,status) VALUES (X_PORTAL_USER_ROLE_SEQ.nextval,sys_extract_utc(systimestamp),sys_extract_utc(systimestamp),:1,:2,1)'; + EXECUTE IMMEDIATE sql_stmt USING loginID,user_role; + commit; + end if; + v_count:=0; + select count(*) into v_count from x_user where user_name = login_name; + if (v_count = 0) then + sql_stmt := 'INSERT INTO x_user(id,create_time,update_time,user_name,descr,status) values (X_USER_SEQ.nextval,sys_extract_utc(systimestamp),sys_extract_utc(systimestamp),:1,:2,0)'; + EXECUTE IMMEDIATE sql_stmt USING login_name,login_name; + commit; + end if; + end if; +end;/ \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/security-admin/db/postgres/xa_core_db_postgres.sql ---------------------------------------------------------------------- diff --git a/security-admin/db/postgres/xa_core_db_postgres.sql b/security-admin/db/postgres/xa_core_db_postgres.sql index d4aee9f..574b4ec 100644 --- a/security-admin/db/postgres/xa_core_db_postgres.sql +++ b/security-admin/db/postgres/xa_core_db_postgres.sql 
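Review bot: The declarations `first_name VARCHAR2(10):='rangerusersync'`, `scr_name VARCHAR2(10)` and `login_name VARCHAR2(10)` assign a 14-character literal to a 10-character variable, which raises ORA-06502 (character string buffer too small) when the block is entered, so the patch aborts before the table check even runs; size them to at least 20. The `x_portal_user_role` INSERT is also executed unconditionally whenever `loginID > 0`, unlike the MySQL patch which first checks for an existing row, so re-running the patch adds duplicate role rows. Proposed declarations and guard:
```sql
  first_name VARCHAR2(20):='rangerusersync';
  scr_name VARCHAR2(20):='rangerusersync';
  login_name VARCHAR2(20):='rangerusersync';
  -- … unchanged: password, user_role, email declarations …
BEGIN
  -- … unchanged: table existence check and x_portal_user insert …
  select id into loginID from x_portal_user where login_id = login_name;
  v_count:=0;
  select count(*) into v_count from x_portal_user_role where user_id = loginID;
  if (loginID > 0 and v_count = 0) then
    -- … unchanged: x_portal_user_role insert and commit …
  end if;
```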
@@ -967,4 +967,8 @@ CREATE INDEX x_usr_module_perm_idx_moduleid ON x_user_module_perm(module_id); CREATE INDEX x_usr_module_perm_idx_userid ON x_user_module_perm(user_id); CREATE INDEX x_grp_module_perm_idx_groupid ON x_group_module_perm(group_id); CREATE INDEX x_grp_module_perm_idx_moduleid ON x_group_module_perm(module_id); +COMMIT; +INSERT INTO x_portal_user(CREATE_TIME,UPDATE_TIME,FIRST_NAME,LAST_NAME,PUB_SCR_NAME,LOGIN_ID,PASSWORD,EMAIL,STATUS)VALUES(current_timestamp,current_timestamp,'rangerusersync','','rangerusersync','rangerusersync','70b8374d3dfe0325aaa5002a688c7e3b','rangerusersync',1); +INSERT INTO x_portal_user_role(CREATE_TIME,UPDATE_TIME,USER_ID,USER_ROLE,STATUS)VALUES(current_timestamp,current_timestamp,2,'ROLE_SYS_ADMIN',1); +INSERT INTO x_user(CREATE_TIME,UPDATE_TIME,user_name,status,descr)VALUES(current_timestamp,current_timestamp,'rangerusersync',0,'rangerusersync'); COMMIT; \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/security-admin/db/sqlserver/xa_core_db_sqlserver.sql ---------------------------------------------------------------------- diff --git a/security-admin/db/sqlserver/xa_core_db_sqlserver.sql b/security-admin/db/sqlserver/xa_core_db_sqlserver.sql index 835dd3e..207b137 100644 --- a/security-admin/db/sqlserver/xa_core_db_sqlserver.sql +++ b/security-admin/db/sqlserver/xa_core_db_sqlserver.sql 
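Review bot: The `x_portal_user_role` INSERT hard-codes `USER_ID` 2, relying on the admin row being id 1 and this script's `x_portal_user` INSERT landing on id 2; if the sequence ever differs (a re-run, an earlier manual insert) the SYS_ADMIN role attaches to the wrong account. Resolve it instead: `INSERT INTO x_portal_user_role(CREATE_TIME,UPDATE_TIME,USER_ID,USER_ROLE,STATUS)VALUES(current_timestamp,current_timestamp,(SELECT id FROM x_portal_user WHERE login_id='rangerusersync'),'ROLE_SYS_ADMIN',1);`. Note also that the diffstat lists an upgrade patch only for mysql and oracle, so existing postgres databases will not receive this account unless a matching patch is added. The seeded hash gives the account a published default password; a comment pointing operators at updatepolicymgrpassword.sh belongs next to these inserts.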
@@ -2748,4 +2748,10 @@ GO INSERT INTO x_modules_master(create_time,update_time,added_by_id,upd_by_id,module,url) VALUES(CURRENT_TIMESTAMP,CURRENT_TIMESTAMP,1,1,'Audit',''); GO INSERT INTO x_modules_master(create_time,update_time,added_by_id,upd_by_id,module,url) VALUES(CURRENT_TIMESTAMP,CURRENT_TIMESTAMP,1,1,'KMS',''); +GO +insert into x_portal_user (CREATE_TIME,UPDATE_TIME,FIRST_NAME,LAST_NAME,PUB_SCR_NAME,LOGIN_ID,PASSWORD,EMAIL,STATUS) values (CURRENT_TIMESTAMP,CURRENT_TIMESTAMP,'rangerusersync','','rangerusersync','rangerusersync','70b8374d3dfe0325aaa5002a688c7e3b','rangerusersync',1); +GO +insert into x_portal_user_role (CREATE_TIME,UPDATE_TIME,USER_ID,USER_ROLE,STATUS) values (CURRENT_TIMESTAMP,CURRENT_TIMESTAMP,2,'ROLE_SYS_ADMIN',1); +GO +insert into x_user (CREATE_TIME,UPDATE_TIME,user_name,status,descr) values (CURRENT_TIMESTAMP,CURRENT_TIMESTAMP,'rangerusersync',0,'rangerusersync'); exit \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java index 0b6281b..08afe79 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java @@ -25,6 +25,7 @@ import java.util.HashMap; import java.util.List; import javax.persistence.Query; +import javax.servlet.http.HttpServletResponse; import org.apache.log4j.Logger; import org.apache.ranger.common.AppConstants; 
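Review bot: As in the postgres script, `insert into x_portal_user_role ... values (...,2,'ROLE_SYS_ADMIN',1)` hard-codes user id 2 for the SYS_ADMIN grant rather than resolving the row just inserted; use `(select id from x_portal_user where login_id='rangerusersync')` in place of `2`. The `GO` batch separators mean a failed `x_portal_user` insert does not stop the role insert, so granting the admin role to whichever account happens to hold id 2 is a real possibility on a partially applied script. There is also no sqlserver upgrade patch in this commit's diffstat, so only fresh installs receive the account.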
@@ -135,6 +136,21 @@ public class UserMgr { public XXPortalUser createUser(VXPortalUser userProfile, int userStatus, Collection<String> userRoleList) { + UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { + if (!session.isUserAdmin()) { + throw restErrorUtil.create403RESTException("User " + + "creation denied. LoggedInUser=" + + (session != null ? session.getXXPortalUser().getId() + : "Not Logged In") + + " ,isn't permitted to perform the action."); + } + }else{ + VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); + vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); + } XXPortalUser user = mapVXPortalUserToXXPortalUser(userProfile); user = createUser(user, userStatus, userRoleList); @@ -511,6 +527,21 @@ public class UserMgr { * @param userId */ public VXPortalUser deactivateUser(XXPortalUser gjUser) { + UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { + if (!session.isUserAdmin()) { + throw restErrorUtil.create403RESTException("deactivation of user" + + " denied. LoggedInUser=" + + (session != null ? session.getXXPortalUser().getId() + : "Not Logged In") + + " ,isn't permitted to perform the action."); + } + }else{ + VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); + vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); + } if (gjUser != null && gjUser.getStatus() != RangerConstants.ACT_STATUS_DEACTIVATED) { logger.info("Marking user " + gjUser.getLoginId() + " as deleted"); 
@@ -1101,8 +1132,13 @@ public class UserMgr { + " ,isn't permitted to perform the action."); } + }else{ + VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); + vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); } - + logger.info("create:" + userProfile.getEmailAddress()); XXPortalUser xXPortalUser = null; String loginId = userProfile.getLoginId(); String emailAddress = userProfile.getEmailAddress(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index c96eb17..512c58f 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java @@ -46,6 +46,7 @@ import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.PropertiesUtil; import org.apache.ranger.common.RangerConstants; import org.apache.ranger.common.SearchCriteria; +import org.apache.ranger.common.UserSessionBase; import org.apache.ranger.db.RangerDaoManager; import org.apache.ranger.db.XXGroupUserDao; import org.apache.ranger.entity.XXGroup; @@ -65,7 +66,8 @@ import org.apache.ranger.view.VXUserGroupInfo; import org.apache.ranger.view.VXUserList; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; - +import javax.servlet.http.HttpServletResponse; +import org.apache.ranger.view.VXResponse; @Component public class XUserMgr extends XUserMgrBase { 
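Review bot: `logger.info("create:" + userProfile.getEmailAddress())`, moved here from UserREST, still writes a user's email address to the log at INFO on every call; PII in routine logs is usually unwanted, so log the login id at DEBUG instead: `logger.debug("createDefaultAccountUser: loginId=" + userProfile.getLoginId());`. The new `else` branch returns 401 when no session exists, which matches the XML change removing `security="none"` from `/service/users/default`, so an anonymous caller is now rejected at both layers — reasonable defense in depth. The enclosing method begins before this hunk, so the non-admin branch above the `else` is not visible here.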
@@ -102,6 +104,21 @@ public class XUserMgr extends XUserMgrBase { static final Logger logger = Logger.getLogger(XUserMgr.class); public void deleteXGroup(Long id, boolean force) { + UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { + if (!session.isUserAdmin()) { + throw restErrorUtil.create403RESTException("deletion of group" + + " denied. LoggedInUser=" + + (session != null ? session.getXXPortalUser().getId() + : "Not Logged In") + + " ,isn't permitted to perform the action."); + } + }else{ + VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); + vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); + } if (force) { SearchCriteria searchCriteria = new SearchCriteria(); searchCriteria.addParam("xGroupId", id); @@ -122,6 +139,21 @@ public class XUserMgr extends XUserMgrBase { } public void deleteXUser(Long id, boolean force) { + UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { + if (!session.isUserAdmin()) { + throw restErrorUtil.create403RESTException("deletion of user" + + " denied. LoggedInUser=" + + (session != null ? session.getXXPortalUser().getId() + : "Not Logged In") + + " ,isn't permitted to perform the action."); + } + }else{ + VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); + vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); + } if (force) { SearchCriteria searchCriteria = new SearchCriteria(); searchCriteria.addParam("xUserId", id); 
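Review bot: `deleteXGroup` and `deleteXUser` are now gated in the business layer, but the REST `@DELETE` handlers that reach them are not among the endpoints given `@PreAuthorize` in the XUserREST hunks of this commit (they may be annotated elsewhere in that file — not visible here); if they are not, this in-method check is the only protection, and the `/service/xusers/users/*` pattern that was `security="none"` is merely commented out in the XML. Annotate the delete endpoints too so both layers agree. The gate block here is byte-identical to the ones in UserMgr; a shared helper would also let the 403 text name the action in one place, e.g. `checkAdminAccess("deletion of group")`.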
@@ -153,7 +185,21 @@ public class XUserMgr extends XUserMgrBase { } public VXUser createXUser(VXUser vXUser) { - + UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { + if (!session.isUserAdmin()) { + throw restErrorUtil.create403RESTException("creation of user" + + " denied. LoggedInUser=" + + (session != null ? session.getXXPortalUser().getId() + : "Not Logged In") + + " ,isn't permitted to perform the action."); + } + }else{ + VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); + vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); + } String userName = vXUser.getName(); if (userName == null || userName.isEmpty()) { throw restErrorUtil.createRESTException("Please provide a valid " @@ -432,7 +478,21 @@ public class XUserMgr extends XUserMgrBase { public VXUserGroupInfo createXUserGroupFromMap( VXUserGroupInfo vXUserGroupInfo) { - + UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { + if (!session.isUserAdmin()) { + throw restErrorUtil.create403RESTException("User group " + + "creation denied. LoggedInUser=" + + (session != null ? session.getXXPortalUser().getId() + : "Not Logged In") + + " ,isn't permitted to perform the action."); + } + }else{ + VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); + vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); + } VXUserGroupInfo vxUGInfo = new VXUserGroupInfo(); VXUser vXUser = vXUserGroupInfo.getXuserInfo(); 
@@ -459,10 +519,40 @@ public class XUserMgr extends XUserMgrBase { } public VXUser createXUserWithOutLogin(VXUser vXUser) { + UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { + if (!session.isUserAdmin()) { + throw restErrorUtil.create403RESTException("creation of user" + + " denied. LoggedInUser=" + + (session != null ? session.getXXPortalUser().getId() + : "Not Logged In") + + " ,isn't permitted to perform the action."); + } + }else{ + VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); + vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); + } return xUserService.createXUserWithOutLogin(vXUser); } public VXGroup createXGroup(VXGroup vXGroup) { + UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { + if (!session.isUserAdmin()) { + throw restErrorUtil.create403RESTException("creation of group" + + " denied. LoggedInUser=" + + (session != null ? session.getXXPortalUser().getId() + : "Not Logged In") + + " ,isn't permitted to perform the action."); + } + }else{ + VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); + vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); + } // FIXME Just a hack if (vXGroup.getDescription() == null) { vXGroup.setDescription(vXGroup.getName()); 
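Review bot: `createXUserWithOutLogin` now throws 401/403 unless a SYS_ADMIN session is present, so its name — and the `/users` vs `/secure/users` split that routes to it and to `createXUser` — no longer describes any difference in behaviour; either rename it or document the history so the next reader does not assume it is reachable anonymously. A javadoc such as `/** Creates the user; requires a SYS_ADMIN session. The "WithOutLogin" suffix is historical — the endpoint is no longer open. */` would do. The same applies to `createXGroup` below it, where `// FIXME Just a hack` is otherwise the only comment in the method.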
@@ -476,10 +566,40 @@ public class XUserMgr extends XUserMgrBase { } public VXGroup createXGroupWithoutLogin(VXGroup vXGroup) { + UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { + if (!session.isUserAdmin()) { + throw restErrorUtil.create403RESTException("creation of group" + + " denied. LoggedInUser=" + + (session != null ? session.getXXPortalUser().getId() + : "Not Logged In") + + " ,isn't permitted to perform the action."); + } + }else{ + VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); + vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); + } return xGroupService.createXGroupWithOutLogin(vXGroup); } public VXGroupUser createXGroupUser(VXGroupUser vXGroupUser) { + UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { + if (!session.isUserAdmin()) { + throw restErrorUtil.create403RESTException("creation of group" + + " denied. LoggedInUser=" + + (session != null ? session.getXXPortalUser().getId() + : "Not Logged In") + + " ,isn't permitted to perform the action."); + } + }else{ + VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); + vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); + } vXGroupUser = xGroupUserService .createXGroupUserWithOutLogin(vXGroupUser); return vXGroupUser; 
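Review bot: The 403 message in `createXGroupUser` reads `"creation of group" + " denied..."`, copied from `createXGroup` above, although the method adds a user to a group; change it to `"creation of group user" + " denied. LoggedInUser="` so the audit trail distinguishes the two actions. As in the other gates in this commit, the `session != null ?` ternary inside the non-null branch is unreachable and can be reduced to `session.getXXPortalUser().getId()`.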
@@ -526,6 +646,21 @@ public class XUserMgr extends XUserMgrBase { */ public void deleteXGroupAndXUser(String groupName, String userName) { + UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { + if (!session.isUserAdmin()) { + throw restErrorUtil.create403RESTException("User " + + "deletion denied. LoggedInUser=" + + (session != null ? session.getXXPortalUser().getId() + : "Not Logged In") + + " ,isn't permitted to perform the action."); + } + }else{ + VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); + vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); + } VXGroup vxGroup = xGroupService.getGroupByGroupName(groupName); VXUser vxUser = xUserService.getXUserByUserName(userName); SearchCriteria searchCriteria = new SearchCriteria(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java b/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java index 8d7d96d..a17da9b 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java 
@@ -68,6 +68,28 @@ public class RESTErrorUtil { return restException; } + public WebApplicationException generateRESTException(VXResponse gjResponse) { + Response errorResponse = Response + .status(gjResponse.getStatusCode()) + .entity(gjResponse).build(); + + WebApplicationException restException = new WebApplicationException( + errorResponse); + restException.fillInStackTrace(); + UserSessionBase userSession = ContextUtil.getCurrentUserSession(); + Long sessionId = null; + String loginId = null; + if (userSession != null) { + loginId = userSession.getLoginId(); + sessionId = userSession.getSessionId(); + } + + logger.info("Request failed. SessionId=" + sessionId + ", loginId=" + + loginId + ", logMessage=" + gjResponse.getMsgDesc(), + restException); + + return restException; + } /** * * @param logMessage http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java index 3cb2d2d..a9d0059 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java @@ -188,7 +188,6 @@ public class UserREST { public VXPortalUser createDefaultAccountUser(VXPortalUser userProfile, @Context HttpServletRequest servletRequest) { VXPortalUser vxPortalUser; - logger.info("create:" + userProfile.getEmailAddress()); vxPortalUser=userManager.createDefaultAccountUser(userProfile); if(vxPortalUser!=null) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java ---------------------------------------------------------------------- 
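Review bot: In `generateRESTException` the `restException.fillInStackTrace()` call is redundant (the constructor already captured the trace), and passing `restException` to `logger.info` prints that trace for every rejected request — an unauthenticated probe of the newly protected endpoints can flood the log. Log the outcome without the throwable, at WARN since it is an authorization failure: `logger.warn("Request failed. SessionId=" + sessionId + ", loginId=" + loginId + ", statusCode=" + gjResponse.getStatusCode() + ", logMessage=" + gjResponse.getMsgDesc());`. Add a javadoc stating that the response entity is the `VXResponse` passed in and that the HTTP status is taken from `gjResponse.getStatusCode()`.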
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java index 45fea99..4c47584 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java @@ -154,6 +154,7 @@ public class XUserREST { @POST @Path("/groups") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public VXGroup createXGroup(VXGroup vXGroup) { return xUserMgr.createXGroupWithoutLogin(vXGroup); } @@ -161,6 +162,7 @@ public class XUserREST { @POST @Path("/secure/groups") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public VXGroup secureCreateXGroup(VXGroup vXGroup) { return xUserMgr.createXGroup(vXGroup); } @@ -244,6 +246,7 @@ public class XUserREST { @POST @Path("/users") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public VXUser createXUser(VXUser vXUser) { return xUserMgr.createXUserWithOutLogin(vXUser); } @@ -251,6 +254,7 @@ public class XUserREST { @POST @Path("/users/userinfo") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public VXUserGroupInfo createXUserGroupFromMap(VXUserGroupInfo vXUserGroupInfo) { return xUserMgr.createXUserGroupFromMap(vXUserGroupInfo); } @@ -258,6 +262,7 @@ public class XUserREST { @POST @Path("/secure/users") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public VXUser secureCreateXUser(VXUser vXUser) { return xUserMgr.createXUser(vXUser); } @@ -338,6 +343,7 @@ public class XUserREST { @POST @Path("/groupusers") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public VXGroupUser createXGroupUser(VXGroupUser vXGroupUser) { return xUserMgr.createXGroupUser(vXGroupUser); } 
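Review bot: `@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")` only takes effect when method security is enabled (`<security:global-method-security pre-post-annotations="enabled"/>` in the security context); the XML hunk in this commit does not show that element, and if it is absent the annotations are silent no-ops and the XUserMgr checks become the only guard. Confirm it is present in security-applicationContext.xml. With `/users` and `/secure/users` (likewise `/groups` and `/secure/groups`) now carrying the same annotation and identical gating in XUserMgr, the two paths are duplicates; collapse them or document why both remain.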
@@ -604,6 +610,7 @@ public class XUserREST { // @DELETE @Path("/group/{groupName}/user/{userName}") + @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") public void deleteXGroupAndXUser(@PathParam("groupName") String groupName, @PathParam("userName") String userName, @Context HttpServletRequest request) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/security-admin/src/main/resources/conf.dist/security-applicationContext.xml ---------------------------------------------------------------------- diff --git a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml index 8d2392b..ee73136 100644 --- a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml +++ b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml 
@@ -61,10 +61,10 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd"> <security:http pattern="/service/plugins/policies/download/*" security="none"/> <security:http pattern="/service/plugins/services/grant/*" security="none"/> <security:http pattern="/service/plugins/services/revoke/*" security="none"/> - <security:http pattern="/service/users/default" security="none"/> + <!--<security:http pattern="/service/users/default" security="none"/> <security:http pattern="/service/xusers/groups/**" security="none"/> <security:http pattern="/service/xusers/users/*" security="none"/> - <security:http pattern="/service/xusers/groupusers/*" security="none"/> + <security:http pattern="/service/xusers/groupusers/*" security="none"/>--> <security:http auto-config="false" create-session="always" entry-point-ref="authenticationProcessingFilterEntryPoint"> <security:session-management session-fixation-protection="newSession" /> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/src/main/assembly/usersync.xml ---------------------------------------------------------------------- diff --git a/src/main/assembly/usersync.xml b/src/main/assembly/usersync.xml index 6ad433c..b5f1620 100644 --- a/src/main/assembly/usersync.xml +++ b/src/main/assembly/usersync.xml @@ -50,6 +50,7 @@ <include>org.apache.ranger:credentialbuilder</include> <include>org.apache.ranger:ranger-util</include> <include>commons-io:commons-io:jar:${commons.io.version}</include> + <include>org.apache.htrace:htrace-core</include> </includes> <unpack>false</unpack> </dependencySet> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java ---------------------------------------------------------------------- 
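Review bot: The four `security="none"` patterns are commented out rather than deleted, leaving an easy way to re-open `/service/users/default` and the `/service/xusers/...` endpoints anonymously by uncommenting; remove the lines and record the decision instead, e.g. `<!-- usersync endpoints now require an authenticated ROLE_SYS_ADMIN session (RANGER-421); do not re-add security="none" for /service/users or /service/xusers -->`. The `grant`/`revoke` patterns above them remain unauthenticated; that is outside this change but worth a follow-up.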
diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java index 7cd06cc..2013f1c 100644 --- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/PolicyMgrUserGroupBuilder.java @@ -59,6 +59,7 @@ import com.sun.jersey.api.client.ClientResponse; import com.sun.jersey.api.client.WebResource; import com.sun.jersey.api.client.config.ClientConfig; import com.sun.jersey.api.client.config.DefaultClientConfig; +import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter; import com.sun.jersey.client.urlconnection.HTTPSProperties; public class PolicyMgrUserGroupBuilder implements UserGroupSink { @@ -669,7 +670,13 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { cc.getProperties().put(ClientConfig.PROPERTY_FOLLOW_REDIRECTS, true); ret = Client.create(cc); } - + if(ret!=null){ + String username = config.getPolicyMgrUserName(); + String password = config.getPolicyMgrPassword(); + if(username!=null && password!=null){ + ret.addFilter(new HTTPBasicAuthFilter(username, password)); + } + } return ret ; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java ---------------------------------------------------------------------- diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java index 2701353..3ff3a0a 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java 
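Review bot: In the ldap `getClient`, when `userSync.policyMgrUserName`/`policyMgrPassword` are absent no `HTTPBasicAuthFilter` is added and the sync proceeds unauthenticated, which will now fail with 401 against the protected endpoints, whereas the unix builder in this same commit falls back to the built-in default; the two sinks should behave the same way, and whichever path is taken should log a warning when the credentials are missing. Basic auth also sends the password base64-encoded, so if the policy manager URL is plain `http://` (the https/SSL branch at the top of `getClient` is outside this hunk) the credential crosses the network in cleartext; check the configured URL scheme before `ret.addFilter(...)` and warn, or refuse, when it is not https. A one-line comment above the filter, `// Basic auth: only safe over TLS — see the https branch above`, would at least make the dependency explicit.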
@@ -144,6 +144,17 @@ public class UserGroupSyncConfig { private static final String LGSYNC_GROUP_MEMBER_ATTRIBUTE_NAME = "ldapGroupSync.groupMemberAttributeName"; private static final String DEFAULT_LGSYNC_GROUP_MEMBER_ATTRIBUTE_NAME = "member"; + private static final String SYNC_POLICY_MGR_KEYSTORE = "userSync.policyMgrKeystore"; + + private static final String SYNC_POLICY_MGR_ALIAS = "userSync.policyMgrAlias"; + + private static final String SYNC_POLICY_MGR_PASSWORD = "userSync.policyMgrPassword"; + + private static final String SYNC_POLICY_MGR_USERNAME = "userSync.policyMgrUserName"; + + private static final String DEFAULT_POLICYMGR_USERNAME = "rangerusersync"; + + private static final String DEFAULT_POLICYMGR_PASSWORD = "rangerusersync"; private Properties prop = new Properties() ; private static volatile UserGroupSyncConfig me = null ; 
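Review bot: `DEFAULT_POLICYMGR_PASSWORD = "rangerusersync"` places a working SYS_ADMIN credential in source, paired with the account seeded by the DB scripts in this commit; anyone reading the jar knows the password of every install that has not run updatepolicymgrpassword.sh. At minimum mark it: `// Bootstrap credential matching the DB-seeded rangerusersync account; installs must rotate it (updatepolicymgrpassword.sh).` Consider making the fallback opt-in rather than silent.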
@@ -564,5 +575,52 @@ public class UserGroupSyncConfig {
 public String getProperty(String aPropertyName, String aDefaultValue) {
 return prop.getProperty(aPropertyName, aDefaultValue) ;
 }
-
+
+ public String getPolicyMgrPassword(){
+ //update credential from keystore
+ String password=null;
+ if(prop!=null && prop.containsKey(SYNC_POLICY_MGR_KEYSTORE)){
+ password=prop.getProperty(SYNC_POLICY_MGR_PASSWORD);
+ if(password!=null && !password.isEmpty()){
+ return password;
+ }
+ }
+ if(prop!=null && prop.containsKey(SYNC_POLICY_MGR_KEYSTORE) && prop.containsKey(SYNC_POLICY_MGR_ALIAS)){
+ String path=prop.getProperty(SYNC_POLICY_MGR_KEYSTORE);
+ String alias=prop.getProperty(SYNC_POLICY_MGR_ALIAS,"policymgr.user.password");
+ if(path!=null && alias!=null){
+ if(!path.trim().isEmpty() && !alias.trim().isEmpty()){
+ try{
+ password=CredentialReader.getDecryptedString(path.trim(),alias.trim());
+ }catch(Exception ex){
+ password=null;
+ }
+ if(password!=null&& !password.trim().isEmpty() && !password.trim().equalsIgnoreCase("none")){
+ prop.setProperty(SYNC_POLICY_MGR_PASSWORD,password);
+ return password;
+ }
+ }
+ }
+ }
+ return null;
+ }
+
+ public String getPolicyMgrUserName() {
+ String userName=null;
+ if(prop!=null && prop.containsKey(SYNC_POLICY_MGR_USERNAME)){
+ userName=prop.getProperty(SYNC_POLICY_MGR_USERNAME);
+ if(userName!=null && !userName.isEmpty()){
+ return userName;
+ }
+ }
+ return null;
+ }
+
+ public String getDefaultPolicyMgrUserName(){
+ return DEFAULT_POLICYMGR_USERNAME;
+ }
+
+ public String getDefaultPolicyMgrPassword(){
+ return DEFAULT_POLICYMGR_PASSWORD;
+ }
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
----------------------------------------------------------------------
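Review bot: `getPolicyMgrPassword()` returns a non-empty plaintext `userSync.policyMgrPassword` before it ever consults the keystore, so an operator who fills in that property bypasses the credential store entirely, and `catch(Exception ex){ password=null; }` swallows every keystore failure (wrong path, wrong alias, unreadable file) without a log line, leaving the caller unable to tell "not configured" from "broken" — which in the unixusersync builder silently means the default credentials. I would log the failure there, e.g. `LOG.error("Unable to read alias [" + alias + "] from credential store [" + path + "]", ex);` with whatever logger this class uses, and put a comment above the first block stating that the plaintext property takes precedence over the keystore. Two smaller points: the default in `prop.getProperty(SYNC_POLICY_MGR_ALIAS,"policymgr.user.password")` is unreachable because the enclosing condition already requires `containsKey(SYNC_POLICY_MGR_ALIAS)`, and `prop.setProperty(SYNC_POLICY_MGR_PASSWORD,password)` copies the decrypted secret into the shared Properties object, which deserves a comment if those properties are ever dumped or logged elsewhere.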
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java index 6d78d25..20ffbf1 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java @@ -50,6 +50,7 @@ import com.sun.jersey.api.client.ClientResponse; import com.sun.jersey.api.client.WebResource; import com.sun.jersey.api.client.config.ClientConfig; import com.sun.jersey.api.client.config.DefaultClientConfig; +import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter; import com.sun.jersey.client.urlconnection.HTTPSProperties; import org.apache.ranger.unixusersync.config.UserGroupSyncConfig; import org.apache.ranger.unixusersync.model.GetXGroupListResponse; @@ -446,7 +447,7 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { addXUserGroupInfo(user, groups) ; } - Client c = new Client(); + Client c = getClient(); WebResource r = c.resource(getURL(PM_ADD_USER_GROUP_INFO_URI)); @@ -687,7 +688,17 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { cc.getProperties().put(ClientConfig.PROPERTY_FOLLOW_REDIRECTS, true); ret = Client.create(cc); } - + if(ret!=null){ + String username = config.getPolicyMgrUserName(); + String password = config.getPolicyMgrPassword(); + if(username==null||password==null||username.trim().isEmpty()||password.trim().isEmpty()){ + username=config.getDefaultPolicyMgrUserName(); + password=config.getDefaultPolicyMgrPassword(); + } + if(username!=null && password!=null){ + ret.addFilter(new HTTPBasicAuthFilter(username, password)); + } + } return ret ; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/unixauthservice/conf.dist/unixauthservice.properties ---------------------------------------------------------------------- 
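Review bot: The fallback `username=config.getDefaultPolicyMgrUserName(); password=config.getDefaultPolicyMgrPassword();` turns a missing or blank credential configuration into a silent switch to the well-known `rangerusersync`/`rangerusersync` pair instead of surfacing the misconfiguration, and that is exactly the state left behind by a failed keystore read in `getPolicyMgrPassword()`. I would warn at that point, e.g. `LOG.warn("userSync.policyMgrUserName/Password not configured; using built-in default credentials");` via the class's logger, so operators can see the default credential is in use, or refuse to start. As in the ldapusersync builder, `HTTPBasicAuthFilter` sends the password on every request, so this relies on the policy manager URL being https; the branch above the hunk that builds `cc` is cut off, so I cannot tell whether plain http is also reachable. getClient's body starts before the hunk.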
diff --git a/unixauthservice/conf.dist/unixauthservice.properties b/unixauthservice/conf.dist/unixauthservice.properties
index bedc810..d1a1f5f 100644
--- a/unixauthservice/conf.dist/unixauthservice.properties
+++ b/unixauthservice/conf.dist/unixauthservice.properties
@@ -242,3 +242,7 @@ ldapGroupSync.pagedResultsEnabled=
 # search results would be returned page by page with the specified number of entries per page
 # default value: 500
 ldapGroupSync.pagedResultsSize=
+userSync.policyMgrUserName =rangerusersync
+userSync.policyMgrPassword =
+userSync.policyMgrAlias =policymgr.user.password
+userSync.policyMgrKeystore =/usr/lib/xausersync/.jceks/xausersync.jceks
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/unixauthservice/scripts/updatepolicymgrpassword.py
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/updatepolicymgrpassword.py b/unixauthservice/scripts/updatepolicymgrpassword.py
new file mode 100644
index 0000000..b07458b
--- /dev/null
+++ b/unixauthservice/scripts/updatepolicymgrpassword.py
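Review bot: `userSync.policyMgrPassword =` adds a plaintext password slot to the shipped properties file with no comment, and the reader added to UserGroupSyncConfig in this commit honours a non-empty value there before looking at the keystore, so an operator who fills it in opts out of the credential store without realising it. I would put a comment above the four new keys, e.g. `# Credentials usersync presents to the policy manager. Leave policyMgrPassword blank so the password is read from policyMgrKeystore/policyMgrAlias (populated by updatepolicymgrpassword.sh); a value here overrides the keystore.`, and restore the trailing newline that the `\ No newline at end of file` marker reports so the next appended property does not glue onto the keystore path.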
@@ -0,0 +1,171 @@ +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. See accompanying LICENSE file. +# + +import os +import re +import sys +import errno +import shlex +import logging +import subprocess +import platform +import fileinput +import getpass +import shutil +from os.path import basename +from subprocess import Popen,PIPE +from datetime import date +from datetime import datetime +globalDict = {} + +os_name = platform.system() +os_name = os_name.upper() + +def check_output(query): + if os_name == "LINUX": + p = subprocess.Popen(shlex.split(query), stdout=subprocess.PIPE) + elif os_name == "WINDOWS": + p = subprocess.Popen(query, stdout=subprocess.PIPE, shell=True) + output = p.communicate ()[0] + return output + +def log(msg,type): + if type == 'info': + logging.info(" %s",msg) + if type == 'debug': + logging.debug(" %s",msg) + if type == 'warning': + logging.warning(" %s",msg) + if type == 'exception': + logging.exception(" %s",msg) + if type == 'error': + logging.error(" %s",msg) + +def populate_global_dict(): + global globalDict + read_config_file = open(os.path.join(os.getcwd(),'install.properties')) + for each_line in read_config_file.read().split('\n') : + if len(each_line) == 0 : continue + if re.search('=', each_line): + key , value = each_line.strip().split("=",1) + key = key.strip() + value = value.strip() + globalDict[key] = value + +def ModConfig(File, Variable, Setting): + """ + Modify Config file variable with new setting + """ + VarFound = False + 
AlreadySet = False + V=str(Variable) + S=str(Setting) + # use quotes if setting has spaces # + if ' ' in S: + S = '"%s"' % S + + for line in fileinput.input(File, inplace = 1): + # process lines that look like config settings # + if not line.lstrip(' ').startswith('#') and '=' in line: + _infile_var = str(line.split('=')[0].rstrip(' ')) + _infile_set = str(line.split('=')[1].lstrip(' ').rstrip()) + # only change the first matching occurrence # + if VarFound == False and _infile_var.rstrip(' ') == V: + VarFound = True + # don't change it if it is already set # + if _infile_set.lstrip(' ') == S: + AlreadySet = True + else: + line = "%s = %s\n" % (V, S) + + sys.stdout.write(line) + + # Append the variable if it wasn't found # + if not VarFound: + print "property '%s' not found. Adding it to %s" % (V, File) + with open(File, "a") as f: + f.write("%s = %s\n" % (V, S)) + elif AlreadySet == True: + print "property '%s' unchanged" % (V) + else: + print "property '%s' modified to '%s'" % (V, S) + + return + +def main(): + + FORMAT = '%(asctime)-15s %(message)s' + logging.basicConfig(format=FORMAT, level=logging.DEBUG) + populate_global_dict() + + SYNC_LDAP_BIND_KEYSTOREPATH=globalDict['CRED_KEYSTORE_FILENAME'] + SYNC_POLICY_MGR_ALIAS="policymgr.user.password" + SYNC_POLICY_MGR_PASSWORD = '' + SYNC_POLICY_MGR_USERNAME = '' + JAVA_BIN = '' + unix_user = "ranger" + unix_group = "ranger" + + if os.environ['JAVA_HOME'] == "": + log("[E] ---------- JAVA_HOME environment property not defined, aborting installation. 
----------", "error") + sys.exit(1) + + JAVA_BIN=os.path.join(os.environ['JAVA_HOME'],'bin','java') + if os_name == "WINDOWS" : + JAVA_BIN = JAVA_BIN+'.exe' + if os.path.isfile(JAVA_BIN): + pass + else: + while os.path.isfile(JAVA_BIN) == False: + log("Enter java executable path: :","info") + JAVA_BIN=raw_input() + + log("[I] Using Java:" + str(JAVA_BIN),"info") + + while SYNC_POLICY_MGR_USERNAME == "": + print "Enter policymgr user name:" + SYNC_POLICY_MGR_USERNAME=raw_input() + + while SYNC_POLICY_MGR_PASSWORD == "": + SYNC_POLICY_MGR_PASSWORD=getpass.getpass("Enter policymgr user password:") + + if SYNC_LDAP_BIND_KEYSTOREPATH != "" or SYNC_POLICY_MGR_ALIAS != "" or SYNC_POLICY_MGR_USERNAME != "" or SYNC_POLICY_MGR_PASSWORD != "": + log("[I] Storing policymgr usersync password in credential store:","info") + cmd="%s -cp lib/* org.apache.ranger.credentialapi.buildks create %s -value %s -provider jceks://file%s" %(JAVA_BIN,SYNC_POLICY_MGR_ALIAS,SYNC_POLICY_MGR_PASSWORD,SYNC_LDAP_BIND_KEYSTOREPATH) + ret=subprocess.call(shlex.split(cmd)) + if ret == 0: + cmd="chown %s:%s %s" %(unix_user,unix_group,SYNC_LDAP_BIND_KEYSTOREPATH) + ret=subprocess.call(shlex.split(cmd)) + if ret == 0: + CFG_FILE=os.path.join(os.getcwd(),'conf','unixauthservice.properties') + NEW_CFG_FILE=os.path.join(os.getcwd(),'conf','unixauthservice.properties.tmp') + if os.path.isfile(CFG_FILE): + shutil.copyfile(CFG_FILE, NEW_CFG_FILE) + ModConfig(NEW_CFG_FILE, "userSync.policyMgrUserName", SYNC_POLICY_MGR_USERNAME) + ModConfig(NEW_CFG_FILE, "userSync.policyMgrKeystore", SYNC_LDAP_BIND_KEYSTOREPATH) + ModConfig(NEW_CFG_FILE, "userSync.policyMgrAlias", SYNC_POLICY_MGR_ALIAS) + now = datetime.now() + shutil.copyfile(CFG_FILE, CFG_FILE+"."+now.strftime('%Y%m%d%H%M%S')) + shutil.copyfile(NEW_CFG_FILE,CFG_FILE) + else: + log("[E] Required file not found: ["+CFG_FILE+"]","error") + else: + log("[E] unable to execute command ["+cmd+"]","error") + else: + log("[E] unable to execute command 
["+cmd+"]","error") + else: + log("[E] Input Error","error") + + +main() http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b05edbc8/unixauthservice/scripts/updatepolicymgrpassword.sh ---------------------------------------------------------------------- diff --git a/unixauthservice/scripts/updatepolicymgrpassword.sh b/unixauthservice/scripts/updatepolicymgrpassword.sh new file mode 100644 index 0000000..a13c030 --- /dev/null +++ b/unixauthservice/scripts/updatepolicymgrpassword.sh 
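Review bot: `cmd="%s -cp lib/* ... create %s -value %s -provider jceks://file%s"` puts the policymgr password on the java command line, where every local user can read it via `ps` for the life of the buildks process, and the failure branch `log("[E] unable to execute command ["+cmd+"]","error")` then writes that same password into the log — and this is the `else` of the keystore step, so it fires precisely when the store failed. Because the string is re-split with `shlex.split`, a password containing spaces or quotes is also silently broken into several arguments. I would build the argv as a list and log only the alias and keystore path on failure, as below; whether buildks can read the value from stdin or the environment instead of `-value` is not visible here and should be checked, since that is the only way to keep it out of `ps`. Separately, `os.environ['JAVA_HOME'] == ""` raises KeyError when the variable is absent instead of printing the intended error; `os.environ.get('JAVA_HOME', '') == ""` fixes that. The chown step also leaves the keystore file's mode untouched, so an owner-only mode on the keystore would match what the ownership change intends.

```python
    cmd = [JAVA_BIN, "-cp", "lib/*", "org.apache.ranger.credentialapi.buildks", "create",
           SYNC_POLICY_MGR_ALIAS, "-value", SYNC_POLICY_MGR_PASSWORD,
           "-provider", "jceks://file" + SYNC_LDAP_BIND_KEYSTOREPATH]
    ret = subprocess.call(cmd)
    # … unchanged: chown and config rewrite on success …
    else:
        # cmd holds the password; log only what identifies the failed step
        log("[E] unable to store alias [" + SYNC_POLICY_MGR_ALIAS + "] in credential store [" + SYNC_LDAP_BIND_KEYSTOREPATH + "]", "error")
```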
@@ -0,0 +1,128 @@ +#!/bin/bash + +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +INSTALL_BASE=$PWD + +MOD_NAME="ranger-usersync" +unix_user=ranger +unix_group=ranger + +INSTALL_DIR=${INSTALL_BASE} + +curDt=`date '+%Y%m%d%H%M%S'` +LOGFILE=setup.log.$curDt + +log() { + local prefix="[$(date +%Y/%m/%d\ %H:%M:%S)]: " + echo "${prefix} $@" >> $LOGFILE + echo "${prefix} $@" +} + +# Ensure that the user is root +MY_ID=`id -u` +if [ "${MY_ID}" -ne 0 ] +then + echo "ERROR: You must run this script as root user." 
+ exit 1 +fi + +# Ensure JAVA_HOME is set +if [ "${JAVA_HOME}" == "" ] +then + echo "ERROR: JAVA_HOME environment property not defined, aborting installation" + exit 2 +fi + +# Grep configuration properties from install.properties +cdir=`dirname $0` + +check_ret_status(){ + if [ $1 -ne 0 ]; then + log "[E] $2"; + exit 1; + fi +} + +SYNC_LDAP_BIND_KEYSTOREPATH=`grep '^[ \t]*CRED_KEYSTORE_FILENAME[ \t]*=' ${cdir}/install.properties | sed -e 's:^[ \t]*CRED_KEYSTORE_FILENAME[ \t]*=[ \t]*::'` + +# END Grep configuration properties from install.properties +# Store POLICY_MGR user password in credential store +SYNC_POLICY_MGR_ALIAS="policymgr.user.password" +SYNC_POLICY_MGR_PASSWORD="rangerusersync" +SYNC_POLICY_MGR_USERNAME="rangerusersync" +count=0 +while : +do + if [ $count -gt 2 ] + then + log "[E] Unable to continue as correct input is not provided in 3 attempts." + exit 1 + fi + printf "Please enter policymgr username: " + read SYNC_POLICY_MGR_USERNAME + if [[ "${SYNC_POLICY_MGR_USERNAME}" != "" ]] + then + break; + fi +done +while : +do + if [ $count -gt 2 ] + then + log "[E] Unable to continue as correct input is not provided in 3 attempts." 
+ exit 1 + fi + printf "Please enter policymgr password: " + stty -echo + read SYNC_POLICY_MGR_PASSWORD + stty echo + if [[ "${SYNC_POLICY_MGR_PASSWORD}" != "" ]] + then + break; + fi +done +if [[ "${SYNC_POLICY_MGR_ALIAS}" != "" && "${SYNC_LDAP_BIND_KEYSTOREPATH}" != "" && "${SYNC_POLICY_MGR_PASSWORD}" != "" && "${SYNC_POLICY_MGR_USERNAME}" != "" ]] +then + log "[I] Storing policymgr usersync password in credential store" + mkdir -p `dirname "${SYNC_LDAP_BIND_KEYSTOREPATH}"` + chown ${unix_user}:${unix_group} `dirname "${SYNC_LDAP_BIND_KEYSTOREPATH}"` + $JAVA_HOME/bin/java -cp "lib/*" org.apache.ranger.credentialapi.buildks create "$SYNC_POLICY_MGR_ALIAS" -value "$SYNC_POLICY_MGR_PASSWORD" -provider jceks://file$SYNC_LDAP_BIND_KEYSTOREPATH +fi + +# Create $INSTALL_DIR/conf/unixauthservice.properties + +CFG_FILE="${cdir}/conf/unixauthservice.properties" +NEW_CFG_FILE=${cdir}/conf/unixauthservice.properties.tmp + +if [ -f ${CFG_FILE} ] +then + sed \ + -e "s|^\( *userSync.policyMgrUserName *=\).*|\1 ${SYNC_POLICY_MGR_USERNAME}|" \ + -e "s|^\( *userSync.policyMgrKeystore *=\).*|\1 ${SYNC_LDAP_BIND_KEYSTOREPATH}|" \ + -e "s|^\( *userSync.policyMgrAlias *=\).*|\1 ${SYNC_POLICY_MGR_ALIAS}|" \ + ${CFG_FILE} > ${NEW_CFG_FILE} + + echo "<${logdir}> ${CFG_FILE} > ${NEW_CFG_FILE}" +else + echo "ERROR: Required file, not found: ${CFG_FILE}, Aborting installation" + exit 8 +fi + +mv ${cdir}/conf/unixauthservice.properties ${cdir}/conf/unixauthservice.properties.${curDt} +mv ${cdir}/conf/unixauthservice.properties.tmp ${cdir}/conf/unixauthservice.properties + +#END Create $INSTALL_DIR/conf/unixauthservice.properties \ No newline at end of file
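Review bot: The `count` guard in both prompt loops never changes — `count=0` is set once and nothing increments it — so the "3 attempts" message is dead code and an empty answer loops forever, and the `java ... buildks create ... -value "$SYNC_POLICY_MGR_PASSWORD"` line's exit status is ignored even though `check_ret_status` is defined just above it, so a failed keystore write still rewrites unixauthservice.properties to point at an alias that was never created (after which usersync, per the builder change in this commit, quietly falls back to the default credentials). `stty -echo` with no trap leaves the terminal without echo if the user interrupts at the password prompt; `read -s` (bash is already required by the shebang) avoids that. The `-value` argument also exposes the password in `ps` for the life of the java process, which the script cannot fix unless buildks offers another input path, so at least note it in a comment. Suggested changes below; `echo "<${logdir}> ${CFG_FILE} > ${NEW_CFG_FILE}"` additionally references an undefined `logdir`.

```bash
    printf "Please enter policymgr password: "
    read -s SYNC_POLICY_MGR_PASSWORD
    echo
    if [[ "${SYNC_POLICY_MGR_PASSWORD}" != "" ]]
    then
        break;
    fi
    count=$((count+1))
# … unchanged: username loop gets the same count=$((count+1)) after its if/fi …
    # NOTE: -value exposes the password in the process list while java runs
    $JAVA_HOME/bin/java -cp "lib/*" org.apache.ranger.credentialapi.buildks create "$SYNC_POLICY_MGR_ALIAS" -value "$SYNC_POLICY_MGR_PASSWORD" -provider "jceks://file${SYNC_LDAP_BIND_KEYSTOREPATH}"
    check_ret_status $? "Unable to store policymgr password in credential store [${SYNC_LDAP_BIND_KEYSTOREPATH}]; aborting without touching the configuration"
```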
