Repository: incubator-ranger Updated Branches: refs/heads/master 88db70795 -> 27c81a236
RANGER-434: updated revoke implementation in HBase plugin to remove delegateAdmin Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/27c81a23 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/27c81a23 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/27c81a23 Branch: refs/heads/master Commit: 27c81a236cec7100cd7ed204d0e888848bf19778 Parents: 88db707 Author: Madhan Neethiraj <[email protected]> Authored: Mon Apr 27 17:07:59 2015 -0700 Committer: Madhan Neethiraj <[email protected]> Committed: Mon Apr 27 17:07:59 2015 -0700
----------------------------------------------------------------------
.../hbase/RangerAuthorizationCoprocessor.java | 2 +-
.../org/apache/ranger/rest/ServiceREST.java | 120 ++++++++++---------
2 files changed, 65 insertions(+), 57 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/27c81a23/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 4893aa3..f42c15a 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -1243,7 +1243,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 GrantRevokeRequest ret = new GrantRevokeRequest();
 ret.setGrantor(grantor);
- ret.setDelegateAdmin(Boolean.FALSE);
+ ret.setDelegateAdmin(Boolean.TRUE); // remove delegateAdmin privilege as well
 ret.setEnableAudit(Boolean.TRUE);
 ret.setReplaceExistingPermissions(Boolean.TRUE);
 ret.setResource(mapResource);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/27c81a23/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index a02b932..c2701a6 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
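Review bot: The flag flipped on the `+` line is, as far as the ServiceREST hunks in this same commit show, never read on the path this request takes: with `ret.setReplaceExistingPermissions(Boolean.TRUE)` two lines below, the server's revoke goes through `removeUsersAndGroupsFromPolicy`, which strips the users and groups from every policy item and does not consult `getDelegateAdmin()` at all. The inline comment therefore credits this flag with an effect that is actually produced by the replace flag, and a reader may later "fix" one without the other. Suggest rewording it to `// revoke everything for these users/groups, delegateAdmin included; replaceExistingPermissions drives this on the server side`, or confirming that a non-replace caller of this builder exists. The enclosing method starts and ends outside the hunk.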
@@ -612,37 +612,7 @@ public class ServiceREST {
 // replace all existing privileges for users and groups
 if(grantRequest.getReplaceExistingPermissions()) {
- List<RangerPolicyItem> policyItems = policy.getPolicyItems();
-
- int numOfItems = policyItems.size();
-
- for(int i = 0; i < numOfItems; i++) {
- RangerPolicyItem policyItem = policyItems.get(i);
-
- if(CollectionUtils.containsAny(policyItem.getUsers(), grantRequest.getUsers())) {
- policyItem.getUsers().removeAll(grantRequest.getUsers());
-
- policyUpdated = true;
- }
-
- if(CollectionUtils.containsAny(policyItem.getGroups(), grantRequest.getGroups())) {
- policyItem.getGroups().removeAll(grantRequest.getGroups());
-
- policyUpdated = true;
- }
-
- if(CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) {
- policyItems.remove(i);
- numOfItems--;
- i--;
-
- policyUpdated = true;
- }
- }
-
- if(compactPolicy(policy)) {
- policyUpdated = true;
- }
+ policyUpdated = removeUsersAndGroupsFromPolicy(policy, grantRequest.getUsers(), grantRequest.getGroups());
 }
 for(String user : grantRequest.getUsers()) {
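Review bot: The added `policyUpdated = removeUsersAndGroupsFromPolicy(...)` overwrites the flag instead of accumulating into it; the removed block only ever set it to `true`, so if `policyUpdated` can already be `true` when this branch runs (its initialisation is outside the hunk) the later save would be skipped. Prefer `if (removeUsersAndGroupsFromPolicy(policy, grantRequest.getUsers(), grantRequest.getGroups())) { policyUpdated = true; }`. The removed block also ran `compactPolicy(policy)` inside this branch and the new helper does not, so compaction after the users and groups are stripped now depends on a call that is not visible here; the same applies to the replace branch of the revoke hunk, where `compactPolicy` moved under the `else`. Worth confirming both paths still compact, or calling it once inside the helper. The enclosing grant method starts and ends outside the hunk.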
@@ -791,45 +761,49 @@ public class ServiceREST {
 if(policy != null) {
 boolean policyUpdated = false;
-
- for(String user : revokeRequest.getUsers()) {
- RangerPolicyItem policyItem = getPolicyItemForUser(policy, user);
-
- if (policyItem != null) {
- if (removeAccesses(policyItem, revokeRequest.getAccessTypes())) {
- policyUpdated = true;
- }
+ // remove all existing privileges for users and groups
+ if(revokeRequest.getReplaceExistingPermissions()) {
+ policyUpdated = removeUsersAndGroupsFromPolicy(policy, revokeRequest.getUsers(), revokeRequest.getGroups());
+ } else {
+ for(String user : revokeRequest.getUsers()) {
+ RangerPolicyItem policyItem = getPolicyItemForUser(policy, user);
- if (revokeRequest.getDelegateAdmin()) { // remove delegate?
- if (policyItem.getDelegateAdmin()) {
- policyItem.setDelegateAdmin(Boolean.FALSE);
+ if (policyItem != null) {
+ if (removeAccesses(policyItem, revokeRequest.getAccessTypes())) {
 policyUpdated = true;
 }
+ if (revokeRequest.getDelegateAdmin()) { // remove delegate?
+ if (policyItem.getDelegateAdmin()) {
+ policyItem.setDelegateAdmin(Boolean.FALSE);
+ policyUpdated = true;
+ }
+
+ }
 }
 }
- }
- for(String group : revokeRequest.getGroups()) {
- RangerPolicyItem policyItem = getPolicyItemForGroup(policy, group);
+ for(String group : revokeRequest.getGroups()) {
+ RangerPolicyItem policyItem = getPolicyItemForGroup(policy, group);
- if(policyItem != null) {
- if(removeAccesses(policyItem, revokeRequest.getAccessTypes())) {
- policyUpdated = true;
- }
-
- if(revokeRequest.getDelegateAdmin()) { // remove delegate?
- if(policyItem.getDelegateAdmin()) {
- policyItem.setDelegateAdmin(Boolean.FALSE);
+ if(policyItem != null) {
+ if(removeAccesses(policyItem, revokeRequest.getAccessTypes())) {
 policyUpdated = true;
 }
+
+ if(revokeRequest.getDelegateAdmin()) { // remove delegate?
+ if(policyItem.getDelegateAdmin()) {
+ policyItem.setDelegateAdmin(Boolean.FALSE);
+ policyUpdated = true;
+ }
+ }
 }
 }
- }
- if(compactPolicy(policy)) {
- policyUpdated = true;
+ if(compactPolicy(policy)) {
+ policyUpdated = true;
+ }
 }
 if(policyUpdated) {
@@ -1342,6 +1316,40 @@ public class ServiceREST {
 return ret;
 }
+ private boolean removeUsersAndGroupsFromPolicy(RangerPolicy policy, Set<String> users, Set<String> groups) {
+ boolean policyUpdated = false;
+
+ List<RangerPolicyItem> policyItems = policy.getPolicyItems();
+
+ int numOfItems = policyItems.size();
+
+ for(int i = 0; i < numOfItems; i++) {
+ RangerPolicyItem policyItem = policyItems.get(i);
+
+ if(CollectionUtils.containsAny(policyItem.getUsers(), users)) {
+ policyItem.getUsers().removeAll(users);
+
+ policyUpdated = true;
+ }
+
+ if(CollectionUtils.containsAny(policyItem.getGroups(), groups)) {
+ policyItem.getGroups().removeAll(groups);
+
+ policyUpdated = true;
+ }
+
+ if(CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) {
+ policyItems.remove(i);
+ numOfItems--;
+ i--;
+
+ policyUpdated = true;
+ }
+ }
+
+ return policyUpdated;
+ }
+
 @GET
 @Path("/policies/eventTime")
 @Produces({ "application/json", "application/xml" })
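Review bot: In the new replace branch of the revoke method, `revokeRequest.getAccessTypes()` and `revokeRequest.getDelegateAdmin()` are ignored: `removeUsersAndGroupsFromPolicy` removes the named users and groups from every policy item whatever access types the request lists, so a revoke of a single access type with `replaceExistingPermissions` set strips all of them. That errs towards removing more access rather than less, but it is a contract change for any caller that sets the flag together with a narrower access list, and nothing in the branch records that the narrower list was disregarded. Suggest a comment on the `+ if(revokeRequest.getReplaceExistingPermissions()) {` line such as `// replace mode: accessTypes and delegateAdmin are not consulted; every privilege of the listed users/groups is removed`, and a debug log of the request's access types when that branch is taken with a non-empty list, so the over-revocation is traceable in the audit trail. The enclosing revoke method starts and ends outside the hunk.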
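Review bot: `removeUsersAndGroupsFromPolicy` has no Javadoc, and its contract is easy to misread: it strips the given users and groups from every item regardless of access type, drops items left with neither users nor groups, returns whether anything changed, and does not call `compactPolicy`. A Javadoc block saying exactly that, with `@param policy`, `@param users`, `@param groups` and `@return`, would serve both callers. The index-juggling removal (`policyItems.remove(i); numOfItems--; i--;`) is correct but fragile; iterating with an `Iterator` and calling `remove()` expresses the same thing without the counters (needs `java.util.Iterator` in the import block, which is outside the hunk). `CollectionUtils.containsAny` and `removeAll` will, as far as commons-collections goes, throw a `NullPointerException` if `users` or `groups` is null, and both callers pass request collections whose nullability is not visible here, so either document the non-null precondition or substitute an empty set.
```java
private boolean removeUsersAndGroupsFromPolicy(RangerPolicy policy, Set<String> users, Set<String> groups) {
	boolean policyUpdated = false;

	for (Iterator<RangerPolicyItem> it = policy.getPolicyItems().iterator(); it.hasNext(); ) {
		RangerPolicyItem policyItem = it.next();

		// … unchanged: strip users/groups from policyItem, setting policyUpdated …

		if (CollectionUtils.isEmpty(policyItem.getUsers()) && CollectionUtils.isEmpty(policyItem.getGroups())) {
			it.remove(); // safe removal mid-iteration; no manual index bookkeeping
			policyUpdated = true;
		}
	}

	return policyUpdated;
}
```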
