Repository: incubator-ranger Updated Branches: refs/heads/ranger-0.5 5a626203b -> 2073c0a9d
RANGER-743 : External users with Admin Role should be allowed to create/update users
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/2073c0a9
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/2073c0a9
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/2073c0a9
Branch: refs/heads/ranger-0.5
Commit: 2073c0a9d52ad5b002afa9b713419591d5f9e889
Parents: 5a62620
Author: Gautam Borad <[email protected]>
Authored: Wed Nov 25 17:35:17 2015 +0530
Committer: Gautam Borad <[email protected]>
Committed: Sat Nov 28 23:15:47 2015 +0530
----------------------------------------------------------------------
 .../java/org/apache/ranger/biz/UserMgr.java | 67 ++++++++++++++++++--
 .../java/org/apache/ranger/biz/XUserMgr.java | 51 ++++++++++++---
 .../handler/RangerAuthenticationProvider.java | 28 +++++++-
 3 files changed, 130 insertions(+), 16 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2073c0a9/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index ee9d14b..571265c 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -254,6 +254,9 @@ public class UserMgr {
 // }
 // firstName
+ if("null".equalsIgnoreCase(userProfile.getFirstName())){
+ userProfile.setFirstName("");
+ }
 if (!stringUtil.isEmpty(userProfile.getFirstName())
 && !userProfile.getFirstName().equals(gjUser.getFirstName())) {
 userProfile.setFirstName(stringUtil.toCamelCaseAllWords(userProfile
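Review bot: The `"null"`-literal normalisation added ahead of the firstName check is repeated verbatim for lastName in the next hunk, again in mapVXPortalUserToXXPortalUser, and twice each in XUserMgr.createXUser and XUserMgr.updateXUser; one private static helper, e.g. `private static String nullLiteralToEmpty(String s) { return "null".equalsIgnoreCase(s) ? "" : s; }`, would keep the six copies from drifting. The check rewrites the caller-supplied `userProfile` in place, which deserves a why-comment such as `// clients may send the literal string "null" for an absent field; treat it as empty`. The enclosing method starts and ends outside this hunk.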
@@ -261,8 +264,10 @@ public class UserMgr {
 updateUser = true;
 }
- // lastName allowed to be empty
- if (userProfile.getLastName() != null
+ if("null".equalsIgnoreCase(userProfile.getLastName())){
+ userProfile.setLastName("");
+ }
+ if (!stringUtil.isEmpty(userProfile.getLastName())
 && !userProfile.getLastName().equals(gjUser.getLastName())) {
 userProfile.setLastName(stringUtil.toCamelCaseAllWords(userProfile
 .getLastName()));
@@ -270,12 +275,16 @@ public class UserMgr {
 }
 // publicScreenName
- if (!stringUtil.isEmpty(userProfile.getPublicScreenName())
- && !userProfile.getPublicScreenName().equals(
- gjUser.getPublicScreenName())) {
+ if (userProfile.getFirstName() != null
+ && userProfile.getLastName() != null
+ && !userProfile.getFirstName().trim().isEmpty()
+ && !userProfile.getLastName().trim().isEmpty()) {
 userProfile.setPublicScreenName(userProfile.getFirstName() + " " + userProfile.getLastName());
 updateUser = true;
+ } else {
+ userProfile.setPublicScreenName(gjUser.getLoginId());
+ updateUser = true;
 }
 // notes
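Review bot: Replacing `userProfile.getLastName() != null` with `!stringUtil.isEmpty(userProfile.getLastName())` drops the behaviour the removed comment documented — `// lastName allowed to be empty` — so a request that clears the last name to "" (or sends the literal "null", which the new lines map to "") will no longer overwrite a stored non-empty last name, assuming stringUtil.isEmpty treats "" as empty. If that is intended, a comment on the new condition should say so; if not, keep the null check and apply the "null"-literal mapping on top of it. The enclosing method starts and ends outside this hunk.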
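Review bot: The new `else` branch in the publicScreenName hunk sets `updateUser = true` unconditionally, so any update whose request omits a first or last name marks the row dirty even when the screen name already equals the login id; guarding it with `if (!gjUser.getLoginId().equals(gjUser.getPublicScreenName()))` would match how the name fields above only set the flag on change. The branch also keys on the names in the incoming `userProfile` rather than the stored `gjUser`, so a partial update carrying, say, only an email address appears to reset an existing "First Last" screen name to the login id — confirm that callers always send the full profile. The client-supplied publicScreenName is now ignored entirely; a one-line comment stating that the screen name is derived server-side would save the next reader the search. The enclosing method starts and ends outside this hunk.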
@@ -554,12 +563,34 @@ public class UserMgr {
 public XXPortalUser mapVXPortalUserToXXPortalUser(VXPortalUser userProfile) {
 XXPortalUser gjUser = new XXPortalUser();
 gjUser.setEmailAddress(userProfile.getEmailAddress());
+ if("null".equalsIgnoreCase(userProfile.getFirstName())){
+ userProfile.setFirstName("");
+ }
 gjUser.setFirstName(userProfile.getFirstName());
+ if("null".equalsIgnoreCase(userProfile.getLastName())){
+ userProfile.setLastName("");
+ }
 gjUser.setLastName(userProfile.getLastName());
+ if (userProfile.getLoginId() == null
+ || userProfile.getLoginId().trim().isEmpty()
+ || "null".equalsIgnoreCase(userProfile.getLoginId())) {
+ throw restErrorUtil.createRESTException(
+ "LoginId should not be null or blank, It is",
+ MessageEnums.INVALID_INPUT_DATA);
+ }
 gjUser.setLoginId(userProfile.getLoginId());
 gjUser.setPassword(userProfile.getPassword());
 gjUser.setUserSource(userProfile.getUserSource());
 gjUser.setPublicScreenName(userProfile.getPublicScreenName());
+ if (userProfile.getFirstName() != null
+ && userProfile.getLastName() != null
+ && !userProfile.getFirstName().trim().isEmpty()
+ && !userProfile.getLastName().trim().isEmpty()) {
+ gjUser.setPublicScreenName(userProfile.getFirstName() + " "
+ + userProfile.getLastName());
+ } else {
+ gjUser.setPublicScreenName(userProfile.getLoginId());
+ }
 return gjUser;
 }
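Review bot: `gjUser.setPublicScreenName(userProfile.getPublicScreenName());` is now dead code — the `if`/`else` added directly below overwrites the value on both paths — and should be removed so it is obvious the screen name is always derived from the names or the login id. The message `"LoginId should not be null or blank, It is"` reads as if a value were meant to follow; since the rejected value is null or blank by construction, ending it at `blank` is enough. The loginId validation also runs after the method has already rewritten `userProfile`'s first and last name; moving it to the top keeps the input untouched on the rejection path. A Javadoc line noting that the method mutates its argument (the two `"null"` rewrites) would warn callers that reuse `userProfile` afterwards.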
@@ -1237,4 +1268,30 @@ public class UserMgr {
 throw restErrorUtil.create403RESTException("Operation not allowed." + " loggedInUser=" + (sess != null ? sess.getXXPortalUser().getId() : "Not Logged In"));
 }
+ public Collection<String> getRolesByLoginId(String loginId) {
+ if (loginId == null || loginId.trim().isEmpty()){
+ return DEFAULT_ROLE_LIST;
+ }
+ XXPortalUser xXPortalUser=daoManager.getXXPortalUser().findByLoginId(loginId);
+ if(xXPortalUser==null){
+ return DEFAULT_ROLE_LIST;
+ }
+ Collection<XXPortalUserRole> xXPortalUserRoles = daoManager
+ .getXXPortalUserRole().findByUserId(xXPortalUser.getId());
+ if(xXPortalUserRoles==null){
+ return DEFAULT_ROLE_LIST;
+ }
+ Collection<String> roleList = new ArrayList<String>();
+ for (XXPortalUserRole role : xXPortalUserRoles) {
+ if(role!=null && VALID_ROLE_LIST.contains(role.getUserRole())){
+ if(!roleList.contains(role.getUserRole())){
+ roleList.add(role.getUserRole());
+ }
+ }
+ }
+ if(roleList==null || roleList.size()==0){
+ return DEFAULT_ROLE_LIST;
+ }
+ return roleList;
+ }
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2073c0a9/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index 3f2c041..3784439 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
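Review bot: `getRolesByLoginId` becomes the authorisation source for externally authenticated users (RangerAuthenticationProvider.getAuthorities in this commit builds the granted authorities from it) yet carries no Javadoc; it should state the contract, e.g. `/** Roles of the portal user with this login id, restricted to VALID_ROLE_LIST; DEFAULT_ROLE_LIST when the id, the user or its roles are absent. Never returns null. */`. Returning `DEFAULT_ROLE_LIST` itself hands every caller a reference to the shared constant — if that list is mutable, one caller's add() would change the roles every subsequent external login receives, so return `Collections.unmodifiableCollection(DEFAULT_ROLE_LIST)` or a fresh copy. `roleList` is created three lines earlier with `new ArrayList<String>()`, so the `roleList==null` test can never be true, and the contains-before-add loop is a `LinkedHashSet<String>` written by hand. The imports this method relies on are outside the hunk.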
@@ -186,9 +186,11 @@ public class XUserMgr extends XUserMgrBase {
 public VXUser createXUser(VXUser vXUser) {
 checkAdminAccess();
 String userName = vXUser.getName();
- if (userName == null || userName.isEmpty()) {
- throw restErrorUtil.createRESTException("Please provide a valid "
- + "username.", MessageEnums.INVALID_INPUT_DATA);
+ if (userName == null || "null".equalsIgnoreCase(userName)
+ || userName.trim().isEmpty()) {
+ throw restErrorUtil.createRESTException(
+ "Please provide a valid username.",
+ MessageEnums.INVALID_INPUT_DATA);
 }
 if (vXUser.getDescription() == null) {
@@ -200,10 +202,23 @@ public class XUserMgr extends XUserMgrBase {
 VXPortalUser vXPortalUser = new VXPortalUser();
 vXPortalUser.setLoginId(userName);
 vXPortalUser.setFirstName(vXUser.getFirstName());
+ if("null".equalsIgnoreCase(vXPortalUser.getFirstName())){
+ vXPortalUser.setFirstName("");
+ }
 vXPortalUser.setLastName(vXUser.getLastName());
+ if("null".equalsIgnoreCase(vXPortalUser.getLastName())){
+ vXPortalUser.setLastName("");
+ }
 vXPortalUser.setEmailAddress(vXUser.getEmailAddress());
- vXPortalUser.setPublicScreenName(vXUser.getFirstName() + " "
- + vXUser.getLastName());
+ if (vXPortalUser.getFirstName() != null
+ && vXPortalUser.getLastName() != null
+ && !vXPortalUser.getFirstName().trim().isEmpty()
+ && !vXPortalUser.getLastName().trim().isEmpty()) {
+ vXPortalUser.setPublicScreenName(vXPortalUser.getFirstName() + " "
+ + vXPortalUser.getLastName());
+ } else {
+ vXPortalUser.setPublicScreenName(vXUser.getName());
+ }
 vXPortalUser.setPassword(actualPassword);
 vXPortalUser.setUserRoleList(vXUser.getUserRoleList());
 vXPortalUser = userMgr.createDefaultAccountUser(vXPortalUser);
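Review bot: The `"null"`-literal rewrites and the names-or-login-id screen name logic added in the second hunk duplicate what this commit adds to UserMgr.mapVXPortalUserToXXPortalUser, and the object is handed straight to `userMgr.createDefaultAccountUser(vXPortalUser)`; if that path goes through the UserMgr mapper (not visible here) the copy in createXUser is redundant, and if it does not the two copies will drift — either way a single shared helper in UserMgr is preferable. The `else` branch uses `vXUser.getName()` whereas the loginId a few lines above was set from the already-validated `userName` local; using `userName` keeps the two in step. createXUser's body continues past the end of this hunk.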
@@ -324,8 +339,11 @@ public class XUserMgr extends XUserMgrBase {
 }
 public VXUser updateXUser(VXUser vXUser) {
- if (vXUser == null || vXUser.getName() == null || vXUser.getName().trim().isEmpty()) {
- throw restErrorUtil.createRESTException("Please provide a valid " + "username.", MessageEnums.INVALID_INPUT_DATA);
+ if (vXUser == null || vXUser.getName() == null
+ || "null".equalsIgnoreCase(vXUser.getName())
+ || vXUser.getName().trim().isEmpty()) {
+ throw restErrorUtil.createRESTException("Please provide a valid "
+ + "username.", MessageEnums.INVALID_INPUT_DATA);
 }
 checkAccess(vXUser.getName());
 VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser
@@ -337,13 +355,26 @@ public class XUserMgr extends XUserMgrBase {
 // TODO : There is a possibility that old user may not exist.
 vXPortalUser.setFirstName(vXUser.getFirstName());
+ if("null".equalsIgnoreCase(vXPortalUser.getFirstName())){
+ vXPortalUser.setFirstName("");
+ }
 vXPortalUser.setLastName(vXUser.getLastName());
+ if("null".equalsIgnoreCase(vXPortalUser.getLastName())){
+ vXPortalUser.setLastName("");
+ }
 vXPortalUser.setEmailAddress(vXUser.getEmailAddress());
 vXPortalUser.setLoginId(vXUser.getName());
 vXPortalUser.setStatus(vXUser.getStatus());
 vXPortalUser.setUserRoleList(vXUser.getUserRoleList());
- vXPortalUser.setPublicScreenName(vXUser.getFirstName() + " "
- + vXUser.getLastName());
+ if (vXPortalUser.getFirstName() != null
+ && vXPortalUser.getLastName() != null
+ && !vXPortalUser.getFirstName().trim().isEmpty()
+ && !vXPortalUser.getLastName().trim().isEmpty()) {
+ vXPortalUser.setPublicScreenName(vXPortalUser.getFirstName() + " "
+ + vXPortalUser.getLastName());
+ } else {
+ vXPortalUser.setPublicScreenName(vXUser.getName());
+ }
 vXPortalUser.setUserSource(vXUser.getUserSource());
 String hiddenPasswordString = PropertiesUtil.getProperty("ranger.password.hidden", "*****");
 String password = vXUser.getPassword();
@@ -1247,6 +1278,7 @@ public class XUserMgr extends XUserMgrBase {
 if(vXUser==null){
 throw restErrorUtil.createRESTException("Please provide a valid ID", MessageEnums.INVALID_INPUT_DATA);
 }
+ checkAccess(vXUser.getName());
 List<XXPortalUserRole> portalUserRoleList =null;
 VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser.getName());
 if(oldUserProfile!=null){
@@ -1260,6 +1292,7 @@ public class XUserMgr extends XUserMgrBase {
 public VXStringList getUserRolesByName(String userName) {
 VXPortalUser vXPortalUser=null;
 if(userName!=null && !userName.trim().isEmpty()){
+ checkAccess(userName);
 vXPortalUser = userMgr.getUserProfileByLoginId(userName);
 if(vXPortalUser!=null && vXPortalUser.getUserRoleList()!=null){
 List<XXPortalUserRole> portalUserRoleList = daoManager.getXXPortalUserRole().findByUserId(vXPortalUser.getId());
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2073c0a9/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
index 40b08c4..f7e5d40 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/handler/RangerAuthenticationProvider.java
@@ -20,6 +20,7 @@ package org.apache.ranger.security.handler;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 import java.util.HashMap;
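Review bot: In getUserRolesByName (hunk at -1260) the new `checkAccess(userName);` sits inside `if(userName!=null && !userName.trim().isEmpty())`, so a blank or missing name bypasses the access check and falls through to whatever the method returns for a null `vXPortalUser` (outside the hunk); moving the check ahead of the `if`, or rejecting blank input with `createRESTException` as createXUser does, removes that gap. In the hunk at -1247 the check is correctly placed after the null guard, but the enclosing method starts outside the hunk, so which operation it protects cannot be confirmed here. The rule checkAccess enforces — presumably the caller is an admin or is `userName` itself — is not visible in this diff; a short comment at each call site, `// only admins or the user themselves may read this user's roles`, would make the intent reviewable.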
@@ -230,6 +231,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 authentication = ldapAuthenticationProvider
 .authenticate(finalAuthentication);
+ authentication=getAuthenticationWithGrantedAuthority(authentication);
 return authentication;
 } else {
 return authentication;
@@ -272,6 +274,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 principal, userPassword, grantedAuths);
 authentication = adAuthenticationProvider
 .authenticate(finalAuthentication);
+ authentication=getAuthenticationWithGrantedAuthority(authentication);
 return authentication;
 } else {
 return authentication;
@@ -323,6 +326,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 principal, userPassword, grantedAuths);
 authentication = jaasAuthenticationProvider
 .authenticate(finalAuthentication);
+ authentication=getAuthenticationWithGrantedAuthority(authentication);
 return authentication;
 } else {
 return authentication;
@@ -399,6 +403,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);
 authentication = ldapAuthenticationProvider.authenticate(finalAuthentication);
+ authentication=getAuthenticationWithGrantedAuthority(authentication);
 return authentication;
 } else {
 return authentication;
@@ -464,6 +469,7 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);
 authentication = ldapAuthenticationProvider.authenticate(finalAuthentication);
+ authentication=getAuthenticationWithGrantedAuthority(authentication);
 return authentication;
 } else {
 return authentication;
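Review bot: The same `authentication=getAuthenticationWithGrantedAuthority(authentication);` line is appended in five provider branches (hunks at -230, -272, -323, -399 and -464), each immediately before `return authentication;`; folding it into the return, `return getAuthenticationWithGrantedAuthority(authentication);`, or applying it once where these branches converge (outside these hunks) would make it harder to forget when the next provider is added. In every hunk the `else` path still returns the incoming `authentication` untouched, so whatever authorities that token already carries pass through unchanged — a comment confirming that an unauthenticated token is expected there would help. Each enclosing method starts and ends outside its hunk.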
@@ -499,8 +505,6 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 if (userName != null && userPassword != null && !userName.trim().isEmpty()&& !userPassword.trim().isEmpty()) {
 final List<GrantedAuthority> grantedAuths = new ArrayList<>();
 grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole));
- grantedAuths.add(new SimpleGrantedAuthority("ROLE_SYS_ADMIN"));
- grantedAuths.add(new SimpleGrantedAuthority("ROLE_KEY_ADMIN"));
 final UserDetails principal = new User(userName, userPassword,grantedAuths);
 final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);
 authentication= authenticator.authenticate(finalAuthentication);
@@ -521,4 +525,24 @@ public class RangerAuthenticationProvider implements AuthenticationProvider {
 }
 return authentication;
 }
+ private List<GrantedAuthority> getAuthorities(String username) {
+ Collection<String> roleList=userMgr.getRolesByLoginId(username);
+ final List<GrantedAuthority> grantedAuths = new ArrayList<>();
+ for(String role:roleList){
+ grantedAuths.add(new SimpleGrantedAuthority(role));
+ }
+ return grantedAuths;
+ }
+
+ public Authentication getAuthenticationWithGrantedAuthority(Authentication authentication){
+ UsernamePasswordAuthenticationToken result=null;
+ if(authentication!=null && authentication.isAuthenticated()){
+ final List<GrantedAuthority> grantedAuths=getAuthorities(authentication.getName().toString());
+ final UserDetails userDetails = new User(authentication.getName().toString(), authentication.getCredentials().toString(),grantedAuths);
+ result = new UsernamePasswordAuthenticationToken(userDetails,authentication.getCredentials(),grantedAuths);
+ result.setDetails(authentication.getDetails());
+ return result;
+ }
+ return authentication;
+ }
 }
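Review bot: After the hard-coded `ROLE_SYS_ADMIN`/`ROLE_KEY_ADMIN` grants are removed, this branch still goes out through `authenticator.authenticate(finalAuthentication)` with only `rangerLdapDefaultRole`, and unlike the five other provider branches in this commit no `getAuthenticationWithGrantedAuthority` call is visible before the hunk ends; if the lines that follow (outside the hunk) do not add one, users on this path never receive their portal roles from getRolesByLoginId. Either add `authentication=getAuthenticationWithGrantedAuthority(authentication);` directly after the authenticate call, as the other branches do, or add a comment explaining why this path is exempt. The enclosing method starts and ends outside this hunk.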
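Review bot: `authentication.getCredentials().toString()` in getAuthenticationWithGrantedAuthority throws NullPointerException if the delegate provider returned a token whose credentials are null, which the Authentication contract permits; guard it with `Object creds = authentication.getCredentials(); String pw = creds == null ? "" : creds.toString();` or build the `User` without the raw password, since the authorities are what this method exists to replace. `authentication.getName()` already returns String, so both `.toString()` calls on it are redundant. The method replaces, rather than merges with, the authorities the delegate granted, and for a login absent from the portal DB that means DEFAULT_ROLE_LIST (per getRolesByLoginId in this commit) — presumably the least-privileged role, which is the right default but should be stated in a Javadoc line on the method. It is also public although nothing in this commit calls it from outside the class; `private` would match getAuthorities unless a test needs it.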
