Repository: incubator-ranger Updated Branches: refs/heads/master 4b2fd94fb -> 140f7efb8
RANGER-671 : Add support to retrieve permissions for the logged in user from UserSession rather than going to the database every time Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/140f7efb Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/140f7efb Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/140f7efb Branch: refs/heads/master Commit: 140f7efb8ad202105bb23aa16469a961004b0c4f Parents: 4b2fd94 Author: Gautam Borad <[email protected]> Authored: Thu Oct 8 12:14:35 2015 +0530 Committer: Gautam Borad <[email protected]> Committed: Thu Oct 8 12:14:35 2015 +0530 ---------------------------------------------------------------------- .../java/org/apache/ranger/biz/SessionMgr.java | 102 ++++++ .../java/org/apache/ranger/biz/XUserMgr.java | 335 +++++++++---------- .../apache/ranger/common/UserSessionBase.java | 63 +++- .../apache/ranger/db/XXGroupPermissionDao.java | 16 +- .../org/apache/ranger/db/XXGroupUserDao.java | 11 + .../org/apache/ranger/db/XXModuleDefDao.java | 10 - .../apache/ranger/db/XXUserPermissionDao.java | 9 +- .../patch/PatchPersmissionModel_J10003.java | 22 +- .../java/org/apache/ranger/rest/XUserREST.java | 9 + .../context/RangerPreAuthSecurityHandler.java | 25 +- .../listener/RangerHttpSessionListener.java | 48 +++ .../ranger/service/XGroupPermissionService.java | 13 +- .../ranger/service/XUserPermissionService.java | 20 +- .../resources/META-INF/jpa_named_queries.xml | 12 +- .../org/apache/ranger/biz/TestXUserMgr.java | 51 ++- 15 files changed, 503 insertions(+), 243 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java ----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
index ccb1855..adae1d6 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
@@ -21,10 +21,17 @@ import java.util.ArrayList;
 import java.util.Calendar;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
+import java.util.concurrent.CopyOnWriteArrayList;
+import java.util.concurrent.CopyOnWriteArraySet;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang.time.DateUtils;
 import org.apache.log4j.Logger;
 import org.apache.ranger.common.DateUtil;
 import org.apache.ranger.common.HTTPUtil;
@@ -39,8 +46,11 @@ import org.apache.ranger.db.RangerDaoManager;
 import org.apache.ranger.entity.XXAuthSession;
 import org.apache.ranger.entity.XXPortalUser;
 import org.apache.ranger.entity.XXPortalUserRole;
+import org.apache.ranger.entity.XXUser;
 import org.apache.ranger.security.context.RangerContextHolder;
 import org.apache.ranger.security.context.RangerSecurityContext;
+import org.apache.ranger.security.listener.RangerHttpSessionListener;
+import org.apache.ranger.security.web.filter.RangerSecurityContextFormationFilter;
 import org.apache.ranger.service.AuthSessionService;
 import org.apache.ranger.util.RestUtil;
 import org.apache.ranger.view.VXAuthSession;
@@ -79,6 +89,8 @@ public class SessionMgr {
 logger.debug("SessionManager created");
 }
+ private static final Long SESSION_UPDATE_INTERVAL_IN_MILLIS = 30 * DateUtils.MILLIS_PER_MINUTE;
+
 public UserSessionBase processSuccessLogin(int authType, String userAgent) {
 return processSuccessLogin(authType, userAgent, null);
 }
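Review bot: `SESSION_UPDATE_INTERVAL_IN_MILLIS` is declared as a boxed `Long` although it is only ever used in arithmetic and a `>` comparison (in `refreshPermissionsIfNeeded`, later in this file), so every check unboxes it; a primitive reads as the constant it is: `private static final long SESSION_UPDATE_INTERVAL_IN_MILLIS = 30 * DateUtils.MILLIS_PER_MINUTE;`. It also appears to be placed after the constructor rather than with the class's other static fields, which is where a reader looks for a tunable interval.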
@@ -135,7 +147,10 @@ public class SessionMgr {
 userSession = new UserSessionBase();
 userSession.setXXPortalUser(gjUser);
 userSession.setXXAuthSession(gjAuthSession);
+ resetUserSessionForProfiles(userSession);
+ resetUserModulePermission(userSession);
+
 Calendar cal = Calendar.getInstance();
 if (details != null) {
 logger.info("Login Success: loginId=" + currentLoginId
@@ -155,6 +170,28 @@ public class SessionMgr {
 return userSession;
 }
+ public void resetUserModulePermission(UserSessionBase userSession) {
+
+ XXUser xUser = daoManager.getXXUser().findByUserName(userSession.getLoginId());
+ if (xUser != null) {
+ List<String> permissionList = daoManager.getXXModuleDef().findAccessibleModulesByUserId(userSession.getUserId(), xUser.getId());
+ CopyOnWriteArraySet<String> userPermissions = new CopyOnWriteArraySet<String>(permissionList);
+
+ UserSessionBase.RangerUserPermission rangerUserPermission = userSession.getRangerUserPermission();
+
+ if (rangerUserPermission == null) {
+ rangerUserPermission = new UserSessionBase.RangerUserPermission();
+ }
+
+ rangerUserPermission.setUserPermissions(userPermissions);
+ rangerUserPermission.setLastUpdatedTime(Calendar.getInstance().getTimeInMillis());
+ userSession.setRangerUserPermission(rangerUserPermission);
+ logger.info("UserSession Updated to set new Permissions to User: " + userSession.getLoginId());
+ } else {
+ logger.error("No XUser found with username: " + userSession.getLoginId() + "So Permission is not set for the user");
+ }
+ }
+
 public void resetUserSessionForProfiles(UserSessionBase userSession) {
 if (userSession == null) {
 // Nothing to reset
@@ -274,6 +311,7 @@ public class SessionMgr {
 RangerContextHolder.setSecurityContext(context);
 resetUserSessionForProfiles(userSession);
+ resetUserModulePermission(userSession);
 return userSession;
 }
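Review bot: In `resetUserModulePermission` the `xUser == null` branch only logs and leaves whatever `RangerUserPermission` the session already holds in place, so a session whose x_user row has since disappeared keeps serving its previously cached module permissions; and because `lastUpdatedTime` is not touched, `refreshPermissionsIfNeeded` (later hunk) re-runs the lookup on every request once the interval has elapsed, which is the database round-trip this commit sets out to avoid. Storing an empty `CopyOnWriteArraySet<String>` with a fresh `lastUpdatedTime` in that branch fails closed and keeps the refresh interval honest. The error message also lacks a separator before `So`: `logger.error("No XUser found with username: " + userSession.getLoginId() + ". So permission is not set for the user");`. If `findAccessibleModulesByUserId` can return null (not visible here), `new CopyOnWriteArraySet<String>(permissionList)` throws an NPE, so either guard it or confirm the DAO returns an empty list.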
@@ -351,4 +389,68 @@ public class SessionMgr {
 }
+ public CopyOnWriteArrayList<UserSessionBase> getActiveSessionsOnServer() {
+
+ CopyOnWriteArrayList<HttpSession> activeHttpUserSessions = RangerHttpSessionListener.getActiveSessionOnServer();
+ CopyOnWriteArrayList<UserSessionBase> activeRangerUserSessions = new CopyOnWriteArrayList<UserSessionBase>();
+
+ if (CollectionUtils.isEmpty(activeHttpUserSessions)) {
+ return activeRangerUserSessions;
+ }
+
+ for (HttpSession httpSession : activeHttpUserSessions) {
+
+ if (httpSession.getAttribute(RangerSecurityContextFormationFilter.AKA_SC_SESSION_KEY) == null) {
+ continue;
+ }
+
+ RangerSecurityContext securityContext = (RangerSecurityContext) httpSession.getAttribute(RangerSecurityContextFormationFilter.AKA_SC_SESSION_KEY);
+ if (securityContext.getUserSession() != null) {
+ activeRangerUserSessions.add(securityContext.getUserSession());
+ }
+ }
+
+ return activeRangerUserSessions;
+ }
+
+ public Set<UserSessionBase> getActiveUserSessionsForPortalUserId(Long portalUserId) {
+ CopyOnWriteArrayList<UserSessionBase> activeSessions = getActiveSessionsOnServer();
+
+ if (CollectionUtils.isEmpty(activeSessions)) {
+ return null;
+ }
+
+ Set<UserSessionBase> activeUserSessions = new HashSet<UserSessionBase>();
+ for (UserSessionBase session : activeSessions) {
+ if (session.getUserId().equals(portalUserId)) {
+ activeUserSessions.add(session);
+ }
+ }
+ if (logger.isDebugEnabled()) {
+ logger.debug("No Session Found with portalUserId: " + portalUserId);
+ }
+ return activeUserSessions;
+ }
+
+ public Set<UserSessionBase> getActiveUserSessionsForXUserId(Long xUserId) {
+ XXPortalUser portalUser = daoManager.getXXPortalUser().findByXUserId(xUserId);
+ if (portalUser != null) {
+ return getActiveUserSessionsForPortalUserId(portalUser.getId());
+ } else {
+ if (logger.isDebugEnabled()) {
+ logger.debug("Could not find corresponding portalUser for xUserId" + xUserId);
+ }
+ return null;
+ }
+ }
+
+ public synchronized void
refreshPermissionsIfNeeded(UserSessionBase userSession) {
+ if (userSession != null) {
+ Long lastUpdatedTime = (userSession.getRangerUserPermission() != null) ? userSession.getRangerUserPermission().getLastUpdatedTime() : null;
+ if (lastUpdatedTime == null || (Calendar.getInstance().getTimeInMillis() - lastUpdatedTime) > SESSION_UPDATE_INTERVAL_IN_MILLIS) {
+ this.resetUserModulePermission(userSession);
+ }
+ }
+ }
+
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index 41bc6f8..5f43bc0 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -52,6 +52,7 @@ import org.apache.ranger.db.RangerDaoManager;
 import org.apache.ranger.db.XXGroupUserDao;
 import org.apache.ranger.entity.XXAuditMap;
 import org.apache.ranger.entity.XXGroup;
+import org.apache.ranger.entity.XXGroupUser;
 import org.apache.ranger.entity.XXPermMap;
 import org.apache.ranger.entity.XXPortalUser;
 import org.apache.ranger.entity.XXResource;
@@ -115,6 +116,9 @@ public class XUserMgr extends XUserMgrBase {
 @Autowired
 XResourceService xResourceService;
+ @Autowired
+ SessionMgr sessionMgr;
+
 static final Logger logger = Logger.getLogger(XUserMgr.class);
 public void deleteXGroup(Long id, boolean force) {
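Review bot: `getActiveUserSessionsForPortalUserId` dereferences `session.getUserId()` before comparing, and `UserSessionBase.getUserId()` returns null when no portal user is attached (visible in the UserSessionBase hunk of this commit), so a single session without a portal user on the server would throw an NPE and abort the permission refresh for every caller; reverse the comparison, `if (portalUserId.equals(session.getUserId())) {`. The same method returns `null` when there are no sessions at all but an empty set when none match, and the "No Session Found" debug line is logged even when matches were added; returning the (possibly empty) `activeUserSessions` in both cases and logging only when it is empty would let the XUserMgr callers drop their `CollectionUtils.isEmpty` checks, and `getActiveUserSessionsForXUserId` could then do the same instead of returning null. `refreshPermissionsIfNeeded` is `synchronized` on the shared `SessionMgr` bean, so every request that reaches it serializes on one lock while `resetUserModulePermission` does database work; if mutual exclusion is needed at all, it should be per session rather than per manager.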
@@ -227,101 +231,64 @@ public class XUserMgr extends XUserMgrBase {
 return createdXUser;
 }
- // Assigning Permission
- public void assignPermissionToUser(VXPortalUser vXPortalUser,
- boolean isCreate) {
- HashMap<String, Long> moduleNameId = getModelNames();
+ public void assignPermissionToUser(VXPortalUser vXPortalUser, boolean isCreate) {
+ HashMap<String, Long> moduleNameId = getAllModuleNameAndIdMap();
 for (String role : vXPortalUser.getUserRoleList()) {
 if (role.equals(RangerConstants.ROLE_USER)) {
- insertMappingUserPermisson(vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES),
- isCreate);
- insertMappingUserPermisson(
- vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_REPORTS),
- isCreate);
+ createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate);
 } else if (role.equals(RangerConstants.ROLE_SYS_ADMIN)) {
- insertMappingUserPermisson(vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_REPORTS),
- isCreate);
- insertMappingUserPermisson(
- vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES),
- isCreate);
- insertMappingUserPermisson(vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_AUDIT),
- isCreate);
- /*insertMappingUserPermisson(vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_KMS),
- isCreate);*/
- /*insertMappingUserPermisson(vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_PERMISSION),
- isCreate);*/
- insertMappingUserPermisson(vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_USER_GROUPS),
- isCreate);
+ createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser.getId(),
moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_AUDIT), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_USER_GROUPS), isCreate);
 } else if (role.equals(RangerConstants.ROLE_KEY_ADMIN)) {
- insertMappingUserPermisson(vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_KEY_MANAGER), isCreate);
- insertMappingUserPermisson(vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_REPORTS),
- isCreate);
- insertMappingUserPermisson(
- vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES),
- isCreate);
+
+ createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_KEY_MANAGER), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate);
 }
 }
 }
- // Insert or Updating Mapping permissons depending upon roles
- private void insertMappingUserPermisson(Long userId, Long moduleId,
- boolean isCreate) {
- VXUserPermission vXuserPermission;
- List<XXUserPermission> xuserPermissionList = daoManager
- .getXXUserPermission()
- .findByModuleIdAndUserId(userId, moduleId);
- if (xuserPermissionList == null || xuserPermissionList.isEmpty()) {
- vXuserPermission = new VXUserPermission();
- vXuserPermission.setUserId(userId);
- vXuserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED);
- vXuserPermission.setModuleId(moduleId);
+ // Insert or Updating Mapping permissions depending upon roles
+ private void createOrUpdateUserPermisson(Long portalUserId, Long moduleId, boolean isCreate) {
+ VXUserPermission vXUserPermission;
+ XXUserPermission xUserPermission = daoManager.getXXUserPermission().findByModuleIdAndUserId(portalUserId, moduleId);
+
if (xUserPermission == null) {
+ vXUserPermission = new VXUserPermission();
+ vXUserPermission.setUserId(portalUserId);
+ vXUserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED);
+ vXUserPermission.setModuleId(moduleId);
 try {
- xUserPermissionService.createResource(vXuserPermission);
+ vXUserPermission = this.createXUserPermission(vXUserPermission);
+ logger.info("Permission assigned to user: [" + vXUserPermission.getUserName() + "] For Module: [" + vXUserPermission.getModuleName() + "]");
 } catch (Exception e) {
- logger.error(e);
+ logger.error("Error while assigning permission to user: [" + portalUserId + "] for module: [" + moduleId + "]", e);
 }
 } else if (isCreate) {
- for (XXUserPermission xUserPermission : xuserPermissionList) {
- vXuserPermission = xUserPermissionService
- .populateViewBean(xUserPermission);
- vXuserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED);
- xUserPermissionService.updateResource(vXuserPermission);
- }
+ vXUserPermission = xUserPermissionService.populateViewBean(xUserPermission);
+ vXUserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED);
+ vXUserPermission = this.updateXUserPermission(vXUserPermission);
+ logger.info("Permission Updated for user: [" + vXUserPermission.getUserName() + "] For Module: [" + vXUserPermission.getModuleName() + "]");
 }
- }
- public HashMap<String, Long> getModelNames() {
- List<XXModuleDef> xxModuleDefs = daoManager.getXXModuleDef()
- .findModuleNamesWithIds();
- if (xxModuleDefs.isEmpty() || xxModuleDefs != null) {
- HashMap<String, Long> moduleNameId = new HashMap<String, Long>();
- try {
+ public HashMap<String, Long> getAllModuleNameAndIdMap() {
- for (XXModuleDef xxModuleDef : xxModuleDefs) {
- moduleNameId.put(xxModuleDef.getModule(),
- xxModuleDef.getId());
- }
- return moduleNameId;
- } catch (Exception e) {
- logger.error(e);
+ List<XXModuleDef> xXModuleDefs = daoManager.getXXModuleDef().getAll();
+
+ if (!CollectionUtils.isEmpty(xXModuleDefs)) {
+ HashMap<String, Long>
moduleNameAndIdMap = new HashMap<String, Long>();
+ for (XXModuleDef xXModuleDef : xXModuleDefs) {
+ moduleNameAndIdMap.put(xXModuleDef.getModule(), xXModuleDef.getId());
 }
+ return moduleNameAndIdMap;
 }
 return null;
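Review bot: `getAllModuleNameAndIdMap` returns `null` when the module table is empty, and `assignPermissionToUser` calls `moduleNameId.get(...)` on the result without a check, so an install with no module definitions fails user creation with an NPE rather than a clear message; returning an empty map, `return new HashMap<String, Long>();`, makes the role loop a harmless no-op. A module name that is missing from the map yields a null `moduleId`, which is then passed to `findByModuleIdAndUserId` and, when nothing is found, stored on the new permission; a null guard with a warning log at the top of `createOrUpdateUserPermisson` would make that mis-configuration visible. The `catch (Exception e)` around `createXUserPermission` still swallows everything, now including failures of the session refresh that method performs. The new name `createOrUpdateUserPermisson` carries over the old misspelling of Permission.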
@@ -795,50 +762,15 @@ public class XUserMgr extends XUserMgrBase {
 }
 }
- /*public void checkPermissionRoleByGivenUrls(String enteredURL, String method) {
- Long currentUserId = ContextUtil.getCurrentUserId();
- List<String> notPermittedUrls = daoManager.getXXModuleDef()
- .findModuleURLOfPemittedModules(currentUserId);
- if (notPermittedUrls != null) {
- List<XXPortalUserRole> xPortalUserRoles = daoManager
- .getXXPortalUserRole().findByUserId(currentUserId);
- for (XXPortalUserRole xPortalUserRole : xPortalUserRoles) {
- if (xPortalUserRole.getUserRole().equalsIgnoreCase(
- RangerConstants.ROLE_USER)) {
- notPermittedUrls.add("/permission");
- notPermittedUrls.add("/kms");
- }
- }
- boolean flag = false;
- for (String notPermittedUrl : notPermittedUrls) {
- if (enteredURL.toLowerCase().contains(
- notPermittedUrl.toLowerCase()))
- flag = true;
- }
- if (flag) {
- throw restErrorUtil.create403RESTException("Access Denied");
- }
- }
- boolean flag = false;
- List<XXPortalUserRole> xPortalUserRoles = daoManager
- .getXXPortalUserRole().findByUserId(currentUserId);
- for (XXPortalUserRole xPortalUserRole : xPortalUserRoles) {
- if (xPortalUserRole.getUserRole().equalsIgnoreCase(
- RangerConstants.ROLE_USER)
- && enteredURL.contains("/permission")
- && !enteredURL.contains("/templates")) {
- flag = true;
- }
- }
- if (flag) {
- throw restErrorUtil.create403RESTException("Access Denied");
- }
-
- }*/
-
 // Module permissions
 public VXModuleDef createXModuleDefPermission(VXModuleDef vXModuleDef) {
- checkAdminAccess();
+
+ XXModuleDef xModDef = daoManager.getXXModuleDef().findByModuleName(vXModuleDef.getModule());
+
+ if (xModDef != null) {
+ throw restErrorUtil.createRESTException("Module Def with same name already exists.", MessageEnums.ERROR_DUPLICATE_OBJECT);
+ }
+
 return xModuleDefService.createResource(vXModuleDef);
 }
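Review bot: `checkAdminAccess()` is removed from `createXModuleDefPermission` here and from the update/delete and user/group permission methods in the later hunks of this file, with no replacement visible in XUserMgr; the diffstat lists changes to `RangerPreAuthSecurityHandler.java` and `XUserREST.java`, so presumably the authorization moved to the REST layer, but that part is not in this diff and should be confirmed before merge. Presumably the removal is what lets `createOrUpdateUserPermisson` (reached from user creation, where the caller need not be an admin) call `createXUserPermission`, but the consequence is that every in-process caller can now create, update or delete module permissions without any role check, so the REST-layer guard becomes the only line of defence for these operations. A one-line comment on each of these public methods would make that contract explicit, e.g. `// Authorization (admin check) is enforced by the REST layer; callers must not expose this method without it.`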
@@ -847,36 +779,28 @@ public class XUserMgr extends XUserMgrBase {
 }
 public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) {
- checkAdminAccess();
- List<VXGroupPermission> groupPermListNew = vXModuleDef
- .getGroupPermList();
+
+ List<VXGroupPermission> groupPermListNew = vXModuleDef.getGroupPermList();
 List<VXUserPermission> userPermListNew = vXModuleDef.getUserPermList();
 List<VXGroupPermission> groupPermListOld = new ArrayList<VXGroupPermission>();
 List<VXUserPermission> userPermListOld = new ArrayList<VXUserPermission>();
- XXModuleDef xModuleDef = daoManager.getXXModuleDef().getById(
- vXModuleDef.getId());
- VXModuleDef vModuleDefPopulateOld = xModuleDefService
- .populateViewBean(xModuleDef);
- List<XXGroupPermission> xgroupPermissionList = daoManager
- .getXXGroupPermission().findByModuleId(vXModuleDef.getId(),
- true);
+ XXModuleDef xModuleDef = daoManager.getXXModuleDef().getById(vXModuleDef.getId());
+ VXModuleDef vModuleDefPopulateOld = xModuleDefService.populateViewBean(xModuleDef);
+
+ List<XXGroupPermission> xgroupPermissionList = daoManager.getXXGroupPermission().findByModuleId(vXModuleDef.getId(), true);
 for (XXGroupPermission xGrpPerm : xgroupPermissionList) {
- VXGroupPermission vXGrpPerm = xGroupPermissionService
- .populateViewBean(xGrpPerm);
+ VXGroupPermission vXGrpPerm = xGroupPermissionService.populateViewBean(xGrpPerm);
 groupPermListOld.add(vXGrpPerm);
 }
 vModuleDefPopulateOld.setGroupPermList(groupPermListOld);
- List<XXUserPermission> xuserPermissionList = daoManager
- .getXXUserPermission()
- .findByModuleId(vXModuleDef.getId(), true);
+ List<XXUserPermission> xuserPermissionList = daoManager.getXXUserPermission().findByModuleId(vXModuleDef.getId(), true);
 for (XXUserPermission xUserPerm : xuserPermissionList) {
- VXUserPermission vUserPerm = xUserPermissionService
- .populateViewBean(xUserPerm);
+ VXUserPermission vUserPerm = xUserPermissionService.populateViewBean(xUserPerm);
 userPermListOld.add(vUserPerm);
 }
 vModuleDefPopulateOld.setUserPermList(userPermListOld);
@@ -887,20 +811,16 @@ public class XUserMgr extends XUserMgrBase {
 boolean isExist = false;
 for (VXGroupPermission oldVXGroupPerm : groupPermListOld) {
- if (newVXGroupPerm.getModuleId().equals(
- oldVXGroupPerm.getModuleId())
- && newVXGroupPerm.getGroupId().equals(
- oldVXGroupPerm.getGroupId())) {
- oldVXGroupPerm.setIsAllowed(newVXGroupPerm
- .getIsAllowed());
- oldVXGroupPerm = xGroupPermissionService
- .updateResource(oldVXGroupPerm);
+ if (newVXGroupPerm.getModuleId().equals(oldVXGroupPerm.getModuleId()) && newVXGroupPerm.getGroupId().equals(oldVXGroupPerm.getGroupId())) {
+ if (newVXGroupPerm.getIsAllowed() != oldVXGroupPerm.getIsAllowed()) {
+ oldVXGroupPerm.setIsAllowed(newVXGroupPerm.getIsAllowed());
+ oldVXGroupPerm = this.updateXGroupPermission(oldVXGroupPerm);
+ }
 isExist = true;
 }
 }
 if (!isExist) {
- newVXGroupPerm = xGroupPermissionService
- .createResource(newVXGroupPerm);
+ newVXGroupPerm = this.createXGroupPermission(newVXGroupPerm);
 }
 }
 }
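Review bot: `newVXGroupPerm.getIsAllowed() != oldVXGroupPerm.getIsAllowed()` is a reference comparison if `getIsAllowed()` returns a boxed `Integer` (the setter is fed `RangerCommonEnums.IS_ALLOWED` elsewhere in this file, but the getter's type is not visible here); two equal values that are distinct objects would then pass the guard and trigger the update the guard was meant to skip, and the same pattern is repeated for user permissions in the next hunk. Compare by value instead: `if (!newVXGroupPerm.getIsAllowed().equals(oldVXGroupPerm.getIsAllowed())) {` (or `Objects.equals` if either side may be null). The outer loop over `groupPermListNew` that encloses this block starts outside the hunk.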
@@ -910,74 +830,143 @@ public class XUserMgr extends XUserMgrBase {
 boolean isExist = false;
 for (VXUserPermission oldVXUserPerm : userPermListOld) {
- if (newVXUserPerm.getModuleId().equals(
- oldVXUserPerm.getModuleId())
- && newVXUserPerm.getUserId().equals(
- oldVXUserPerm.getUserId())) {
- oldVXUserPerm
- .setIsAllowed(newVXUserPerm.getIsAllowed());
- oldVXUserPerm = xUserPermissionService
- .updateResource(oldVXUserPerm);
+ if (newVXUserPerm.getModuleId().equals(oldVXUserPerm.getModuleId()) && newVXUserPerm.getUserId().equals(oldVXUserPerm.getUserId())) {
+ if (newVXUserPerm.getIsAllowed() != oldVXUserPerm.getIsAllowed()) {
+ oldVXUserPerm.setIsAllowed(newVXUserPerm.getIsAllowed());
+ oldVXUserPerm = this.updateXUserPermission(oldVXUserPerm);
+ }
 isExist = true;
 }
 }
 if (!isExist) {
- newVXUserPerm = xUserPermissionService
- .createResource(newVXUserPerm);
-
+ newVXUserPerm = this.createXUserPermission(newVXUserPerm);
 }
 }
 }
- return xModuleDefService.updateResource(vXModuleDef);
+ vXModuleDef = xModuleDefService.updateResource(vXModuleDef);
+
+ return vXModuleDef;
 }
 public void deleteXModuleDefPermission(Long id, boolean force) {
- checkAdminAccess();
 xModuleDefService.deleteResource(id);
 }
 // User permission
- public VXUserPermission createXUserPermission(
- VXUserPermission vXUserPermission) {
- checkAdminAccess();
- return xUserPermissionService.createResource(vXUserPermission);
+ public VXUserPermission createXUserPermission(VXUserPermission vXUserPermission) {
+
+ vXUserPermission = xUserPermissionService.createResource(vXUserPermission);
+
+ Set<UserSessionBase> userSessions = sessionMgr.getActiveUserSessionsForPortalUserId(vXUserPermission.getUserId());
+ if (!CollectionUtils.isEmpty(userSessions)) {
+ for (UserSessionBase userSession : userSessions) {
+ logger.info("Assigning permission to user who's found logged in into system, so updating permission in session of that user: [" + vXUserPermission.getUserName()
+ + "]");
+
sessionMgr.resetUserModulePermission(userSession);
+ }
+ }
+
+ return vXUserPermission;
 }
 public VXUserPermission getXUserPermission(Long id) {
 return xUserPermissionService.readResource(id);
 }
- public VXUserPermission updateXUserPermission(
- VXUserPermission vXUserPermission) {
- checkAdminAccess();
- return xUserPermissionService.updateResource(vXUserPermission);
+ public VXUserPermission updateXUserPermission(VXUserPermission vXUserPermission) {
+
+ vXUserPermission = xUserPermissionService.updateResource(vXUserPermission);
+
+ Set<UserSessionBase> userSessions = sessionMgr.getActiveUserSessionsForPortalUserId(vXUserPermission.getUserId());
+ if (!CollectionUtils.isEmpty(userSessions)) {
+ for (UserSessionBase userSession : userSessions) {
+ logger.info("Updating permission of user who's found logged in into system, so updating permission in session of user: [" + vXUserPermission.getUserName() + "]");
+ sessionMgr.resetUserModulePermission(userSession);
+ }
+ }
+
+ return vXUserPermission;
 }
 public void deleteXUserPermission(Long id, boolean force) {
- checkAdminAccess();
+
+ XXUserPermission xUserPermission = daoManager.getXXUserPermission().getById(id);
+ if (xUserPermission == null) {
+ throw restErrorUtil.createRESTException("No UserPermission found to delete, ID: " + id, MessageEnums.DATA_NOT_FOUND);
+ }
+ xUserPermissionService.deleteResource(id);
+
+ Set<UserSessionBase> userSessions = sessionMgr.getActiveUserSessionsForPortalUserId(xUserPermission.getUserId());
+ if (!CollectionUtils.isEmpty(userSessions)) {
+ for (UserSessionBase userSession : userSessions) {
+ logger.info("deleting permission of user who's found logged in into system, so updating permission in session of that user");
+ sessionMgr.resetUserModulePermission(userSession);
+ }
+ }
 }
 // Group permission
- public VXGroupPermission createXGroupPermission(
- VXGroupPermission vXGroupPermission) {
- checkAdminAccess();
- return xGroupPermissionService.createResource(vXGroupPermission);
+
public VXGroupPermission createXGroupPermission(VXGroupPermission vXGroupPermission) {
+
+ vXGroupPermission = xGroupPermissionService.createResource(vXGroupPermission);
+
+ List<XXGroupUser> grpUsers = daoManager.getXXGroupUser().findByGroupId(vXGroupPermission.getGroupId());
+ for (XXGroupUser xGrpUser : grpUsers) {
+ Set<UserSessionBase> userSessions = sessionMgr.getActiveUserSessionsForXUserId(xGrpUser.getUserId());
+ if (!CollectionUtils.isEmpty(userSessions)) {
+ for (UserSessionBase userSession : userSessions) {
+ logger.info("Assigning permission to group, one of the user belongs to that group found logged in into system, so updating permission in session of that user");
+ sessionMgr.resetUserModulePermission(userSession);
+ }
+ }
+ }
+
+ return vXGroupPermission;
 }
 public VXGroupPermission getXGroupPermission(Long id) {
 return xGroupPermissionService.readResource(id);
 }
- public VXGroupPermission updateXGroupPermission(
- VXGroupPermission vXGroupPermission) {
- checkAdminAccess();
- return xGroupPermissionService.updateResource(vXGroupPermission);
+ public VXGroupPermission updateXGroupPermission(VXGroupPermission vXGroupPermission) {
+
+ vXGroupPermission = xGroupPermissionService.updateResource(vXGroupPermission);
+
+ List<XXGroupUser> grpUsers = daoManager.getXXGroupUser().findByGroupId(vXGroupPermission.getGroupId());
+ for (XXGroupUser xGrpUser : grpUsers) {
+ Set<UserSessionBase> userSessions = sessionMgr.getActiveUserSessionsForXUserId(xGrpUser.getUserId());
+ if (!CollectionUtils.isEmpty(userSessions)) {
+ for (UserSessionBase userSession : userSessions) {
+ logger.info("Assigning permission to group whose one of the user found logged in into system, so updating permission in session of that user");
+ sessionMgr.resetUserModulePermission(userSession);
+ }
+ }
+ }
+
+ return vXGroupPermission;
 }
 public void deleteXGroupPermission(Long id, boolean force) {
- checkAdminAccess();
+
+ XXGroupPermission xGrpPerm =
daoManager.getXXGroupPermission().getById(id);
+
+ if (xGrpPerm == null) {
+ throw restErrorUtil.createRESTException("No GroupPermission object with ID: [" + id + "found.", MessageEnums.DATA_NOT_FOUND);
+ }
+ xGroupPermissionService.deleteResource(id);
+
+ List<XXGroupUser> grpUsers = daoManager.getXXGroupUser().findByGroupId(xGrpPerm.getGroupId());
+ for (XXGroupUser xGrpUser : grpUsers) {
+ Set<UserSessionBase> userSessions = sessionMgr.getActiveUserSessionsForXUserId(xGrpUser.getUserId());
+ if (!CollectionUtils.isEmpty(userSessions)) {
+ for (UserSessionBase userSession : userSessions) {
+ logger.info("deleting permission of the group whose one of the user found logged in into system, so updating permission in session of that user");
+ sessionMgr.resetUserModulePermission(userSession);
+ }
+ }
+ }
 }
 public void modifyUserActiveStatus(HashMap<Long, Integer> statusMap) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
index 37b2049..59e55f3 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
@@ -22,6 +22,7 @@ import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.concurrent.CopyOnWriteArraySet;
 import org.apache.ranger.entity.XXAuthSession;
 import org.apache.ranger.entity.XXPortalUser;
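Review bot: `createXGroupPermission`, `updateXGroupPermission` and `deleteXGroupPermission` each repeat the same nested loop (group members → active sessions → `resetUserModulePermission`), and the three user-permission methods repeat the portal-user variant; pulling the session refresh into two private helpers keeps it in one place so a later fix, for instance to the null return of `getActiveUserSessionsForPortalUserId`, lands everywhere at once. In `deleteXGroupPermission` the error message is missing its closing bracket: `"No GroupPermission object with ID: [" + id + "] found."`. The info messages in these loops are sentence-length and differ only in wording; the helper can log once per session with the login id instead. The hunk ends in the signature of `modifyUserActiveStatus`, whose body is outside it.

```java
    // Refresh the cached module permissions of every session in the set (no-op when null or empty).
    private void refreshActiveSessions(Set<UserSessionBase> userSessions) {
        if (CollectionUtils.isEmpty(userSessions)) {
            return;
        }
        for (UserSessionBase userSession : userSessions) {
            logger.info("Refreshing module permissions in active session of user: [" + userSession.getLoginId() + "]");
            sessionMgr.resetUserModulePermission(userSession);
        }
    }

    // Refresh the sessions of every member of the given group.
    private void refreshActiveSessionsOfGroup(Long groupId) {
        for (XXGroupUser xGrpUser : daoManager.getXXGroupUser().findByGroupId(groupId)) {
            refreshActiveSessions(sessionMgr.getActiveUserSessionsForXUserId(xGrpUser.getUserId()));
        }
    }

    public VXUserPermission createXUserPermission(VXUserPermission vXUserPermission) {
        vXUserPermission = xUserPermissionService.createResource(vXUserPermission);
        refreshActiveSessions(sessionMgr.getActiveUserSessionsForPortalUserId(vXUserPermission.getUserId()));
        return vXUserPermission;
    }

    // … unchanged: update/deleteXUserPermission and create/update/deleteXGroupPermission call the matching helper after their service call …
```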
@@ -36,7 +37,9 @@ public class UserSessionBase implements Serializable {
 private boolean keyAdmin = false;
 private int authProvider = RangerConstants.USER_APP;
 private List<String> userRoleList = new ArrayList<String>();
+ private RangerUserPermission rangerUserPermission;
 int clientTimeOffsetInMinute = 0;
+
 public Long getUserId() {
 if (xXPortalUser != null) {
 return xXPortalUser.getId();
@@ -58,14 +61,9 @@ public class UserSessionBase implements Serializable {
 return null;
 }
-
-
 public boolean isUserAdmin() {
 return userAdmin;
 }
-
-
-
 public void setUserAdmin(boolean userAdmin) {
 this.userAdmin = userAdmin;
@@ -75,13 +73,6 @@ public class UserSessionBase implements Serializable {
 return xXPortalUser;
 }
- public String getUserName() {
- if (xXPortalUser != null) {
- return xXPortalUser.getFirstName() + " " + xXPortalUser.getLastName();
- }
- return null;
- }
-
 public void setXXAuthSession(XXAuthSession gjAuthSession) {
 this.xXAuthSession = gjAuthSession;
 }
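Review bot: `UserSessionBase implements Serializable`, and the new field `rangerUserPermission` is of type `RangerUserPermission`, which the next hunk of this file declares as a plain static nested class without `implements Serializable`; a container that serializes the HTTP session (persistence across restarts, session replication) will now fail with `NotSerializableException` where it previously succeeded. Either declare `public static class RangerUserPermission implements Serializable` with a `serialVersionUID`, or make the field `transient` and let a null value mean "refresh needed", which `refreshPermissionsIfNeeded` in SessionMgr already handles. Removing `getUserName()` is safe only if no remaining caller uses it, which cannot be checked from this diff.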
@@ -121,4 +112,52 @@ public class UserSessionBase implements Serializable {
 this.keyAdmin = keyAdmin;
 }
+ /**
+ * @return the rangerUserPermission
+ */
+ public RangerUserPermission getRangerUserPermission() {
+ return rangerUserPermission;
+ }
+
+ /**
+ * @param rangerUserPermission the rangerUserPermission to set
+ */
+ public void setRangerUserPermission(RangerUserPermission rangerUserPermission) {
+ this.rangerUserPermission = rangerUserPermission;
+ }
+
+
+
+ public static class RangerUserPermission {
+
+ protected CopyOnWriteArraySet<String> userPermissions;
+ protected Long lastUpdatedTime;
+
+ /**
+ * @return the userPermissions
+ */
+ public CopyOnWriteArraySet<String> getUserPermissions() {
+ return userPermissions;
+ }
+ /**
+ * @param userPermissions the userPermissions to set
+ */
+ public void setUserPermissions(CopyOnWriteArraySet<String> userPermissions) {
+ this.userPermissions = userPermissions;
+ }
+ /**
+ * @return the lastUpdatedTime
+ */
+ public Long getLastUpdatedTime() {
+ return lastUpdatedTime;
+ }
+ /**
+ * @param lastUpdatedTime the lastUpdatedTime to set
+ */
+ public void setLastUpdatedTime(Long lastUpdatedTime) {
+ this.lastUpdatedTime = lastUpdatedTime;
+ }
+
+ }
+
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/db/XXGroupPermissionDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXGroupPermissionDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXGroupPermissionDao.java
index 3121e7a..db69cea 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXGroupPermissionDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXGroupPermissionDao.java
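Review bot: `RangerUserPermission` is written from other threads — XUserMgr calls `sessionMgr.resetUserModulePermission` on another user's session from the administrator's request thread — while the owning request thread reads `userPermissions` and `lastUpdatedTime` through plain fields; with neither `volatile` nor a lock on the accessors there is no happens-before edge, so the reader may keep seeing the old set after a revocation. The `CopyOnWriteArraySet` makes the contents safe, but it is the reference swap in `setUserPermissions` that is unguarded; the minimal fix is `protected volatile CopyOnWriteArraySet<String> userPermissions;` and `protected volatile Long lastUpdatedTime;`. The generated-style Javadoc (`@return the userPermissions`) adds nothing; a class-level comment saying that the set is a per-session cache of the values returned by `findAccessibleModulesByUserId` (presumably module names), refreshed by SessionMgr after `SESSION_UPDATE_INTERVAL_IN_MILLIS` or on a permission change, would tell a maintainer what they are looking at.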
@@ -26,7 +26,6 @@ import org.apache.log4j.Logger;
 import org.apache.ranger.common.RangerCommonEnums;
 import org.apache.ranger.common.db.BaseDao;
 import org.apache.ranger.entity.XXGroupPermission;
-import org.apache.ranger.entity.XXUserPermission;
 public class XXGroupPermissionDao extends BaseDao<XXGroupPermission> {
@@ -100,4 +99,19 @@ public class XXGroupPermissionDao extends BaseDao<XXGroupPermission> {
 }
 return null;
 }
+
+ public XXGroupPermission findByModuleIdAndGroupId(Long groupId, Long moduleId) {
+ if (groupId != null && moduleId != null) {
+ try {
+ return getEntityManager().createNamedQuery("XXGroupPermission.findByModuleIdAndGroupId", tClass).setParameter("groupId", groupId).setParameter("moduleId", moduleId)
+ .getSingleResult();
+ } catch (NoResultException e) {
+ logger.debug(e.getMessage());
+ }
+ } else {
+ return null;
+ }
+ return null;
+ }
+
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java
index 104e188..ffc3c32 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java
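Review bot: `findByModuleIdAndGroupId` uses `getSingleResult()` but catches only `NoResultException`, so if the table ever holds two rows for the same group/module pair the `NonUniqueResultException` escapes to the caller as a server error rather than a handled condition; either catch it as well or use `getResultList()` and take the first element. The `} else { return null; } return null;` tail is redundant — dropping the `else` branch and keeping the single trailing `return null;` reads cleaner. A short Javadoc, `/** @return the permission row for the group/module pair, or null when either id is null or no row exists */`, would pin the null contract the XUserMgr callers depend on.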
@@ -81,4 +81,15 @@ public class XXGroupUserDao extends BaseDao<XXGroupUser> { return null; } + public List<XXGroupUser> findByGroupId(Long groupId) { + if (groupId == null) { + return new ArrayList<XXGroupUser>(); + } + try { + return getEntityManager().createNamedQuery("XXGroupUser.findByGroupId", tClass).setParameter("groupId", groupId).getResultList(); + } catch (NoResultException e) { + return new ArrayList<XXGroupUser>(); + } + } + } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java index fa2b3d9..dd9ae5f 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java @@ -66,16 +66,6 @@ public class XXModuleDefDao extends BaseDao<XXModuleDef>{ return new XXModuleDef(); } } - @SuppressWarnings("unchecked") - public List<XXModuleDef> findModuleNamesWithIds() { - try { - return getEntityManager() - .createNamedQuery("XXModuleDef.findModuleNamesWithIds") - .getResultList(); - } catch (NoResultException e) { - return null; - } - } @SuppressWarnings("unchecked") public List<String> findModuleURLOfPemittedModules(Long userId) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java index 1956b30..e10dc14 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java 
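Review bot: The catch of NoResultException in findByGroupId is dead code, because getResultList() returns an empty list rather than throwing when nothing matches, so only the null-guard branch ever produces the empty ArrayList. Dropping the try/catch and keeping `return getEntityManager().createNamedQuery("XXGroupUser.findByGroupId", tClass).setParameter("groupId", groupId).getResultList();` leaves behaviour unchanged and the intent clearer. A one-line Javadoc stating that the result is never null would help callers that iterate over it without a check.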
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java @@ -99,20 +99,19 @@ public class XXUserPermissionDao extends BaseDao<XXUserPermission>{ return null; } - public List<XXUserPermission> findByModuleIdAndUserId(Long userId,Long moduleId) { + public XXUserPermission findByModuleIdAndUserId(Long userId, Long moduleId) { if (userId != null) { try { - return getEntityManager() - .createNamedQuery("XXUserPermission.findByModuleIdAndUserId", XXUserPermission.class) + return getEntityManager().createNamedQuery("XXUserPermission.findByModuleIdAndUserId", XXUserPermission.class) .setParameter("userId", userId) .setParameter("moduleId", moduleId) - .getResultList(); + .getSingleResult(); } catch (NoResultException e) { logger.debug(e.getMessage()); } } else { logger.debug("ResourceUserId not provided."); - return new ArrayList<XXUserPermission>(); + return null; } return null; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java b/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java index 841e386..f0aa938 100644 --- a/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java +++ b/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java 
@@ -70,27 +70,27 @@ public class PatchPersmissionModel_J10003 extends BaseLoader { @Override public void execLoad() { logger.info("==> PermissionPatch.execLoad()"); - printStats(); + assignPermissionToExistingUsers(); logger.info("<== PermissionPatch.execLoad()"); } - @Override - public void printStats() { + public void assignPermissionToExistingUsers() { int countUserPermissionUpdated = 1; - List<XXPortalUser> allPortalUser = daoManager.getXXPortalUser() - .findAllXPortalUser(); + List<XXPortalUser> allPortalUser = daoManager.getXXPortalUser().findAllXPortalUser(); List<VXPortalUser> vPortalUsers = new ArrayList<VXPortalUser>(); for (XXPortalUser xPortalUser : allPortalUser) { - VXPortalUser vPortalUser = xPortalUserService - .populateViewBean(xPortalUser); + VXPortalUser vPortalUser = xPortalUserService.populateViewBean(xPortalUser); vPortalUsers.add(vPortalUser); - vPortalUser.setUserRoleList(daoManager.getXXPortalUser() - .findXPortalUserRolebyXPortalUserId(vPortalUser.getId())); + vPortalUser.setUserRoleList(daoManager.getXXPortalUser().findXPortalUserRolebyXPortalUserId(vPortalUser.getId())); xUserMgr.assignPermissionToUser(vPortalUser, false); countUserPermissionUpdated += 1; - logger.info(" Permission was assigned to UserId - " - + xPortalUser.getId()); + logger.info(" Permission was assigned to UserId - " + xPortalUser.getId()); } logger.info(countUserPermissionUpdated + " permissions where assigned"); } + + @Override + public void printStats() { + } + } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java index d4d0a76..b7884eb 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 
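Review bot: countUserPermissionUpdated is initialised to 1 and incremented once per user, so the summary line logs one more assignment than was actually made; it is a context line the commit keeps, but `int countUserPermissionUpdated = 0;` would fix it. The new empty printStats() override has no comment explaining why it is intentionally a no-op now that execLoad calls assignPermissionToExistingUsers directly; a comment such as `// no-op: assignPermissionToExistingUsers logs its own summary` would stop it being read as an omission. The log text "permissions where assigned" reads as a typo for "were".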
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java @@ -759,6 +759,7 @@ public class XUserREST { @Produces({ "application/xml", "application/json" }) @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_MODULE_DEF_PERMISSION + "\")") public VXModuleDef createXModuleDefPermission(VXModuleDef vXModuleDef) { + xUserMgr.checkAdminAccess(); return xUserMgr.createXModuleDefPermission(vXModuleDef); } @@ -775,6 +776,7 @@ public class XUserREST { @Produces({ "application/xml", "application/json" }) @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_MODULE_DEF_PERMISSION + "\")") public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) { + xUserMgr.checkAdminAccess(); return xUserMgr.updateXModuleDefPermission(vXModuleDef); } @@ -784,6 +786,7 @@ public class XUserREST { public void deleteXModuleDefPermission(@PathParam("id") Long id, @Context HttpServletRequest request) { boolean force = true; + xUserMgr.checkAdminAccess(); xUserMgr.deleteXModuleDefPermission(id, force); } @@ -825,6 +828,7 @@ public class XUserREST { @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_USER_PERMISSION + "\")") public VXUserPermission createXUserPermission( VXUserPermission vXUserPermission) { + xUserMgr.checkAdminAccess(); return xUserMgr.createXUserPermission(vXUserPermission); } @@ -842,6 +846,7 @@ public class XUserREST { @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_USER_PERMISSION + "\")") public VXUserPermission updateXUserPermission( VXUserPermission vXUserPermission) { + xUserMgr.checkAdminAccess(); return xUserMgr.updateXUserPermission(vXUserPermission); } @@ -851,6 +856,7 @@ public class XUserREST { public void deleteXUserPermission(@PathParam("id") Long id, @Context HttpServletRequest request) { boolean force = true; + xUserMgr.checkAdminAccess(); xUserMgr.deleteXUserPermission(id, force); } 
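Review bot: checkAdminAccess() is added inside each REST method body rather than in the XUserMgr methods it guards (six endpoints in these hunks and three more in the next XUserREST hunk), so the admin requirement is enforced only on this entry path and any other caller of the manager's create/update/delete permission methods bypasses it — the unit tests in this commit call those manager methods directly, for instance. Moving the call into the manager methods would make the admin check a single invariant instead of nine copies that every future endpoint must remember to add. In the delete endpoints the check could also precede `boolean force = true;` so that the guard is the first statement, matching the create and update methods.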
@@ -887,6 +893,7 @@ public class XUserREST { @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_GROUP_PERMISSION + "\")") public VXGroupPermission createXGroupPermission( VXGroupPermission vXGroupPermission) { + xUserMgr.checkAdminAccess(); return xUserMgr.createXGroupPermission(vXGroupPermission); } @@ -904,6 +911,7 @@ public class XUserREST { @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_GROUP_PERMISSION + "\")") public VXGroupPermission updateXGroupPermission( VXGroupPermission vXGroupPermission) { + xUserMgr.checkAdminAccess(); return xUserMgr.updateXGroupPermission(vXGroupPermission); } @@ -913,6 +921,7 @@ public class XUserREST { public void deleteXGroupPermission(@PathParam("id") Long id, @Context HttpServletRequest request) { boolean force = true; + xUserMgr.checkAdminAccess(); xUserMgr.deleteXGroupPermission(id, force); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java index 6d132e6..daf732e 100644 --- a/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java +++ b/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java 
@@ -19,19 +19,18 @@ package org.apache.ranger.security.context; -import java.util.List; import java.util.Set; +import java.util.concurrent.CopyOnWriteArraySet; import javax.servlet.http.HttpServletResponse; import org.apache.commons.collections.CollectionUtils; import org.apache.log4j.Logger; +import org.apache.ranger.biz.SessionMgr; import org.apache.ranger.common.ContextUtil; -import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.RESTErrorUtil; import org.apache.ranger.common.UserSessionBase; import org.apache.ranger.db.RangerDaoManager; -import org.apache.ranger.entity.XXUser; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; @@ -47,6 +46,9 @@ public class RangerPreAuthSecurityHandler { @Autowired RangerAPIMapping rangerAPIMapping; + + @Autowired + SessionMgr sessionMgr; public boolean isAPIAccessible(String methodName) throws Exception { 
@@ -77,14 +79,15 @@ public class RangerPreAuthSecurityHandler { public boolean isAPIAccessible(Set<String> associatedTabs) throws Exception { - XXUser xUser = daoManager.getXXUser().findByUserName(ContextUtil.getCurrentUserLoginId()); - if (xUser == null) { - restErrorUtil.createRESTException("x_user cannot be null.", MessageEnums.ERROR_SYSTEM); - } - - List<String> accessibleModules = daoManager.getXXModuleDef().findAccessibleModulesByUserId(ContextUtil.getCurrentUserId(), xUser.getId()); - if (CollectionUtils.containsAny(accessibleModules, associatedTabs)) { - return true; + UserSessionBase userSession = ContextUtil.getCurrentUserSession(); + if (userSession != null) { + sessionMgr.refreshPermissionsIfNeeded(userSession); + if (userSession.getRangerUserPermission() != null) { + CopyOnWriteArraySet<String> accessibleModules = userSession.getRangerUserPermission().getUserPermissions(); + if (CollectionUtils.containsAny(accessibleModules, associatedTabs)) { + return true; + } + } } throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not allowed to access the API", true); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/security/listener/RangerHttpSessionListener.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/security/listener/RangerHttpSessionListener.java b/security-admin/src/main/java/org/apache/ranger/security/listener/RangerHttpSessionListener.java new file mode 100644 index 0000000..259a7e7 --- /dev/null +++ b/security-admin/src/main/java/org/apache/ranger/security/listener/RangerHttpSessionListener.java 
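Review bot: getUserPermissions() can be null — the new RangerUserPermission leaves the set uninitialised and its setter accepts null — and CollectionUtils.containsAny dereferences its first argument, so such a session fails with a NullPointerException (a 500) instead of the intended 403; `if (accessibleModules != null && CollectionUtils.containsAny(accessibleModules, associatedTabs)) {` closes that gap. Access decisions are now made from the permission set cached in the session, so a revoked permission remains effective until refreshPermissionsIfNeeded (in SessionMgr, not in this chunk) decides to reload it; the method's Javadoc should state that staleness window and what triggers a refresh, since the version being replaced queried the database on every call. The method's closing lines are outside the hunk.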
@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.security.listener;
+
+import java.util.concurrent.CopyOnWriteArrayList;
+
+import javax.servlet.http.HttpSession;
+import javax.servlet.http.HttpSessionEvent;
+import javax.servlet.http.HttpSessionListener;
+
+public class RangerHttpSessionListener implements HttpSessionListener {
+
+ private static CopyOnWriteArrayList<HttpSession> listOfSession = new CopyOnWriteArrayList<HttpSession>();
+
+ @Override
+ public void sessionCreated(HttpSessionEvent event) {
+ listOfSession.add(event.getSession());
+ }
+
+ @Override
+ public void sessionDestroyed(HttpSessionEvent event) {
+ if (listOfSession.size() > 0) {
+ listOfSession.remove(event.getSession());
+ }
+ }
+
+ public static CopyOnWriteArrayList<HttpSession> getActiveSessionOnServer() {
+ return listOfSession;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/service/XGroupPermissionService.java ----------------------------------------------------------------------
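Review bot: getActiveSessionOnServer() hands out the mutable static registry itself, so any caller can add or remove HttpSession entries and desynchronise the listener from the container; `return Collections.unmodifiableList(listOfSession);` (with `import java.util.Collections;`) keeps the registry under the listener's control while still allowing iteration. The `listOfSession.size() > 0` guard in sessionDestroyed is redundant, since remove() on an empty list is already a no-op. A class Javadoc is missing: it should say that the registry is process-wide, that a consumer may encounter sessions the container has already invalidated (their accessors then throw IllegalStateException), and that the listener has to be registered in the web descriptor, which this commit does not show.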
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XGroupPermissionService.java b/security-admin/src/main/java/org/apache/ranger/service/XGroupPermissionService.java index d5168eb..c3bc78d 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/XGroupPermissionService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/XGroupPermissionService.java @@ -22,6 +22,7 @@ import org.apache.ranger.common.SearchField; import org.apache.ranger.db.RangerDaoManager; import org.apache.ranger.entity.XXGroup; import org.apache.ranger.entity.XXGroupPermission; +import org.apache.ranger.entity.XXUserPermission; import org.apache.ranger.view.VXGroupPermission; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Scope; 
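Review bot: The added `import org.apache.ranger.entity.XXUserPermission;` in XGroupPermissionService is not referenced by any of the changes shown for this file, which use XXGroupPermission only, so it looks like an unused import carried over from copying the validation out of XUserPermissionService. If nothing elsewhere in the file uses it, it should be dropped rather than left as compiler noise.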
@@ -47,12 +48,20 @@ public class XGroupPermissionService extends XGroupPermissionServiceBase<XXGroup @Override protected void validateForCreate(VXGroupPermission vObj) { - + XXGroupPermission xGroupPerm = daoManager.getXXGroupPermission().findByModuleIdAndGroupId(vObj.getGroupId(), vObj.getModuleId()); + if (xGroupPerm != null) { + throw restErrorUtil.createRESTException("Group with ID [" + vObj.getGroupId() + "] " + "is already " + "assigned to the module with ID [" + vObj.getModuleId() + "]", + MessageEnums.ERROR_DUPLICATE_OBJECT); + } } @Override protected void validateForUpdate(VXGroupPermission vObj, XXGroupPermission mObj) { - + XXGroupPermission xGroupPerm = daoManager.getXXGroupPermission().findByModuleIdAndGroupId(vObj.getGroupId(), vObj.getModuleId()); + if (xGroupPerm != null && !xGroupPerm.getId().equals(vObj.getId())) { + throw restErrorUtil.createRESTException("Group with ID [" + vObj.getGroupId() + "] " + "is already " + "assigned to the module with ID [" + vObj.getModuleId() + "]", + MessageEnums.ERROR_DUPLICATE_OBJECT); + } } @Override http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java b/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java index 92b6951..3ff9c8d 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java 
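Review bot: The duplicate check in validateForCreate is a read-then-write with no lock, so two concurrent create requests for the same (groupId, moduleId) can both pass validation and both insert; it catches accidental double submission, but only a unique constraint on the underlying table (not visible in this commit) makes the rule authoritative, and the service should then also translate that constraint violation into ERROR_DUPLICATE_OBJECT. The same pattern is in validateForUpdate here and in both XUserPermissionService methods in the next file's hunk. The message concatenates adjacent literals, `"] " + "is already " + "assigned to the module with ID ["`, which should be the single literal `"] is already assigned to the module with ID ["`.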
@@ -20,8 +20,8 @@ package org.apache.ranger.service; import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.SearchField; import org.apache.ranger.db.RangerDaoManager; +import org.apache.ranger.entity.XXModuleDef; import org.apache.ranger.entity.XXPortalUser; -import org.apache.ranger.entity.XXUser; import org.apache.ranger.entity.XXUserPermission; import org.apache.ranger.view.VXUserPermission; import org.springframework.beans.factory.annotation.Autowired; @@ -47,12 +47,20 @@ public class XUserPermissionService extends XUserPermissionServiceBase<XXUserPer @Override protected void validateForCreate(VXUserPermission vObj) { - + XXUserPermission xUserPerm = daoManager.getXXUserPermission().findByModuleIdAndUserId(vObj.getUserId(), vObj.getModuleId()); + if (xUserPerm != null) { + throw restErrorUtil.createRESTException("User with ID [" + vObj.getUserId() + "] " + "is already " + "assigned to the module with ID [" + vObj.getModuleId() + "]", + MessageEnums.ERROR_DUPLICATE_OBJECT); + } } @Override protected void validateForUpdate(VXUserPermission vObj, XXUserPermission mObj) { - + XXUserPermission xUserPerm = daoManager.getXXUserPermission().findByModuleIdAndUserId(vObj.getUserId(), vObj.getModuleId()); + if (xUserPerm != null && !xUserPerm.getId().equals(vObj.getId())) { + throw restErrorUtil.createRESTException("User with ID [" + vObj.getUserId() + "] " + "is already " + "assigned to the module with ID [" + vObj.getModuleId() + "]", + MessageEnums.ERROR_DUPLICATE_OBJECT); + } } @Override 
@@ -68,6 +76,12 @@ public class XUserPermissionService extends XUserPermissionServiceBase<XXUserPer } vObj.setUserName(xUser.getLoginId()); + + XXModuleDef xModuleDef = daoManager.getXXModuleDef().getById(xObj.getModuleId()); + if (xModuleDef != null) { + vObj.setModuleName(xModuleDef.getModule()); + } + return vObj; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/resources/META-INF/jpa_named_queries.xml ---------------------------------------------------------------------- diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml index ac4c753..0370e9a 100644 --- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml +++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml @@ -177,6 +177,11 @@ </query> </named-query> + <named-query name="XXGroupUser.findByGroupId"> + <query>SELECT obj FROM XXGroupUser obj WHERE obj.parentGroupId=:groupId + </query> + </named-query> + <named-query name="XXTrxLog.findByTrxId"> <query>SELECT obj FROM XXTrxLog obj WHERE obj.transactionId = :transactionId </query> @@ -490,10 +495,9 @@ WHERE XXUserPermObj.moduleId = :moduleId AND XXUserPermObj.userId =:userId </query> </named-query> - - <named-query name="XXModuleDef.findModuleNamesWithIds"> - <query>SELECT XXMObj - FROM XXModuleDef XXMObj + + <named-query name="XXGroupPermission.findByModuleIdAndGroupId"> + <query>SELECT obj FROM XXGroupPermission obj WHERE obj.moduleId = :moduleId AND obj.groupId =:groupId </query> </named-query> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java index ab149ad..cda423e 100644 
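Review bot: The added lookup in populateViewBean issues daoManager.getXXModuleDef().getById(...) once per bean, so every list or search response that populates N user-permission beans now runs N extra queries on top of the user lookup that precedes it. If listing is a common path, resolving the module definitions once before populating (there are presumably few) would avoid that; otherwise a comment noting the per-row cost is enough. The start of populateViewBean, including where xUser comes from, is outside the hunk.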
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java @@ -20,6 +20,7 @@ import java.util.ArrayList; import java.util.Collection; import java.util.Date; import java.util.HashMap; +import java.util.HashSet; import java.util.List; import java.util.Set; @@ -129,6 +130,9 @@ public class TestXUserMgr { @Mock XPortalUserService xPortalUserService; + + @Mock + SessionMgr sessionMgr; @Rule public ExpectedException thrown = ExpectedException.none(); @@ -225,7 +229,6 @@ public class TestXUserMgr { XXModuleDefDao value = Mockito.mock(XXModuleDefDao.class); Mockito.when(daoManager.getXXModuleDef()).thenReturn(value); List<XXModuleDef> lsvalue = new ArrayList<XXModuleDef>(); - Mockito.when(value.findModuleNamesWithIds()).thenReturn(lsvalue); Mockito.when( userMgr.createDefaultAccountUser((VXPortalUser) Mockito @@ -250,7 +253,6 @@ public class TestXUserMgr { Mockito.verify(userMgr).createDefaultAccountUser( (VXPortalUser) Mockito.anyObject()); Mockito.verify(daoManager).getXXModuleDef(); - Mockito.verify(value).findModuleNamesWithIds(); Assert.assertNotNull(dbvxUser); Assert.assertEquals(userId, dbvxUser.getId()); Assert.assertEquals(dbvxUser.getDescription(), vxUser.getDescription()); @@ -726,6 +728,8 @@ public class TestXUserMgr { Mockito.when(xModuleDefService.createResource(vXModuleDef)).thenReturn( vXModuleDef); + XXModuleDefDao obj = Mockito.mock(XXModuleDefDao.class); + Mockito.when(daoManager.getXXModuleDef()).thenReturn(obj); VXModuleDef dbMuduleDef = xUserMgr .createXModuleDefPermission(vXModuleDef); 
@@ -825,7 +829,17 @@ public class TestXUserMgr { xGroupPermission); Mockito.when(xGroupPermissionService.populateViewBean(xGroupPermission)) .thenReturn(vXGroupPermission); - + XXGroupUserDao xGrpUserDao = Mockito.mock(XXGroupUserDao.class); + Mockito.when(daoManager.getXXGroupUser()).thenReturn(xGrpUserDao); + + UserSessionBase userSession = Mockito.mock(UserSessionBase.class); + Set<UserSessionBase> userSessions = new HashSet<UserSessionBase>(); + userSessions.add(userSession); + + Mockito.when(xGroupPermissionService.createResource((VXGroupPermission) Mockito.anyObject())).thenReturn(vXGroupPermission); + Mockito.when(xUserPermissionService.createResource((VXUserPermission) Mockito.anyObject())).thenReturn(vXUserPermission); + Mockito.when(sessionMgr.getActiveUserSessionsForPortalUserId(userId)).thenReturn(userSessions); + VXModuleDef dbMuduleDef = xUserMgr .updateXModuleDefPermission(vXModuleDef); Assert.assertEquals(dbMuduleDef, vXModuleDef); @@ -962,6 +976,10 @@ public class TestXUserMgr { Mockito.when(xUserPermissionService.deleteResource(1L)) .thenReturn(true); + XXUserPermission xUserPerm = Mockito.mock(XXUserPermission.class); + XXUserPermissionDao xUserPermDao = Mockito.mock(XXUserPermissionDao.class); + Mockito.when(daoManager.getXXUserPermission()).thenReturn(xUserPermDao); + Mockito.when(daoManager.getXXUserPermission().getById(1L)).thenReturn(xUserPerm); xUserMgr.deleteXUserPermission(1L, true); Mockito.verify(xUserPermissionService).deleteResource(1L); } 
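Review bot: The updated updateXModuleDefPermission test stubs sessionMgr.getActiveUserSessionsForPortalUserId to return a mocked UserSessionBase but never verifies that the session's cached permissions are rewritten after the module definition changes, which is the behaviour this commit introduces; a verify on whichever call updates the session would pin it. The deleteXUserPermission change stubs through `daoManager.getXXUserPermission().getById(1L)`, invoking one mock inside the stubbing of another; `Mockito.when(xUserPermDao.getById(1L)).thenReturn(xUserPerm);` is the conventional form and does not depend on stubbing order. None of the visible test hunks exercise checkAdminAccess or the new duplicate validation in the permission services.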
@@ -970,9 +988,11 @@ public class TestXUserMgr { public void test39createXGroupPermission() { VXGroupPermission vXGroupPermission = vXGroupPermission(); - Mockito.when(xGroupPermissionService.createResource(vXGroupPermission)) - .thenReturn(vXGroupPermission); - + XXGroupUserDao xGrpUserDao = Mockito.mock(XXGroupUserDao.class); + Mockito.when(daoManager.getXXGroupUser()).thenReturn(xGrpUserDao); + + Mockito.when(xGroupPermissionService.createResource(vXGroupPermission)).thenReturn(vXGroupPermission); + VXGroupPermission dbGroupPermission = xUserMgr .createXGroupPermission(vXGroupPermission); Assert.assertNotNull(dbGroupPermission); @@ -1036,8 +1056,9 @@ public class TestXUserMgr { public void test41updateXGroupPermission() { VXGroupPermission vXGroupPermission = vXGroupPermission(); - Mockito.when(xGroupPermissionService.updateResource(vXGroupPermission)) - .thenReturn(vXGroupPermission); + XXGroupUserDao xGrpUserDao = Mockito.mock(XXGroupUserDao.class); + Mockito.when(daoManager.getXXGroupUser()).thenReturn(xGrpUserDao); + Mockito.when(xGroupPermissionService.updateResource(vXGroupPermission)).thenReturn(vXGroupPermission); VXGroupPermission dbGroupPermission = xUserMgr .updateXGroupPermission(vXGroupPermission); 
@@ -1069,12 +1090,20 @@ public class TestXUserMgr { @Test public void test42deleteXGroupPermission() { - Mockito.when(xGroupPermissionService.deleteResource(1L)).thenReturn( - true); + XXGroupPermissionDao xGrpPermDao = Mockito.mock(XXGroupPermissionDao.class); + XXGroupPermission xGrpPerm = Mockito.mock(XXGroupPermission.class); + + Mockito.when(daoManager.getXXGroupPermission()).thenReturn(xGrpPermDao); + Mockito.when(daoManager.getXXGroupPermission().getById(1L)).thenReturn(xGrpPerm); + + XXGroupUserDao xGrpUserDao = Mockito.mock(XXGroupUserDao.class); + Mockito.when(daoManager.getXXGroupUser()).thenReturn(xGrpUserDao); + + Mockito.when(xGroupPermissionService.deleteResource(1L)).thenReturn(true); xUserMgr.deleteXGroupPermission(1L, true); Mockito.verify(xGroupPermissionService).deleteResource(1L); } - + /*@Test public void test43checkPermissionRoleByGivenUrls() { XXModuleDefDao value = Mockito.mock(XXModuleDefDao.class);
