RANGER-630 : Data consistency across API and UI Signed-off-by: Velmurugan Periasamy <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/4d04a09c Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/4d04a09c Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/4d04a09c Branch: refs/heads/HDP-2.3.2-groupid Commit: 4d04a09c6c52d607528dcb2f9e1f130d3caed170 Parents: ff1ec7b Author: Gautam Borad <[email protected]> Authored: Tue Sep 15 13:50:35 2015 +0530 Committer: Velmurugan Periasamy <[email protected]> Committed: Wed Sep 16 01:22:48 2015 -0400 ---------------------------------------------------------------------- .../java/org/apache/ranger/biz/UserMgr.java | 73 +-- .../java/org/apache/ranger/biz/XAuditMgr.java | 73 ++- .../java/org/apache/ranger/biz/XUserMgr.java | 278 +++++----- .../org/apache/ranger/db/XXGroupUserDao.java | 21 + .../org/apache/ranger/db/XXModuleDefDao.java | 38 ++ .../java/org/apache/ranger/rest/AssetREST.java | 15 +- .../org/apache/ranger/rest/PublicAPIsv2.java | 2 +- .../org/apache/ranger/rest/ServiceREST.java | 30 +- .../java/org/apache/ranger/rest/UserREST.java | 13 +- .../java/org/apache/ranger/rest/XAuditREST.java | 10 +- .../java/org/apache/ranger/rest/XKeyREST.java | 10 +- .../java/org/apache/ranger/rest/XUserREST.java | 114 +++- .../ranger/security/context/RangerAPIList.java | 201 +++++++ .../security/context/RangerAPIMapping.java | 535 +++++++++++++++++++ .../context/RangerPreAuthSecurityHandler.java | 93 ++++ .../apache/ranger/service/XAuditMapService.java | 60 +++ .../apache/ranger/service/XPermMapService.java | 60 ++- .../apache/ranger/service/XResourceService.java | 31 +- .../resources/META-INF/jpa_named_queries.xml | 19 + .../conf.dist/security-applicationContext.xml | 2 + .../org/apache/ranger/audit/TestAuditQueue.java | 3 +- .../java/org/apache/ranger/biz/TestUserMgr.java | 14 +- .../org/apache/ranger/biz/TestXUserMgr.java | 9 +- .../org/apache/ranger/rest/TestServiceREST.java | 2 +- 24 files changed, 1450 insertions(+), 256 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java index 939ddc2..ff0ea01 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java @@ -139,22 +139,8 @@ public class UserMgr { public XXPortalUser createUser(VXPortalUser userProfile, int userStatus, Collection<String> userRoleList) { - UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null) { - if (!session.isUserAdmin()) { - throw restErrorUtil.create403RESTException("User " - + "creation denied. LoggedInUser=" - + (session != null ? session.getXXPortalUser().getId() - : "Not Logged In") - + " ,isn't permitted to perform the action."); - } - }else{ - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); - vXResponse.setMsgDesc("Bad Credentials"); - throw restErrorUtil.generateRESTException(vXResponse); - } XXPortalUser user = mapVXPortalUserToXXPortalUser(userProfile); + checkAdminAccess(); user = createUser(user, userStatus, userRoleList); return user; @@ -366,6 +352,7 @@ public class UserMgr { * @param vStrings */ public void setUserRoles(Long userId, List<VXString> vStringRolesList) { + checkAccess(userId); List<String> stringRolesList = new ArrayList<String>(); for (VXString vXString : vStringRolesList) { stringRolesList.add(vXString.getValue()); @@ -384,15 +371,7 @@ public class UserMgr { String currentUserLoginId = ContextUtil.getCurrentUserLoginId(); XXPortalUser gjUserCurrent = daoManager.getXXPortalUser() .findByLoginId(currentUserLoginId); - - if (gjUserCurrent == null) { - logger.info("changePassword(). Invalid user login id. userId=" - + currentUserLoginId); - throw restErrorUtil.createRESTException( - "serverMsg.userMgrInvalidUser", - MessageEnums.DATA_NOT_FOUND, null, null, "" - + currentUserLoginId); - } + checkAccess(gjUserCurrent); String encryptedOldPwd = encrypt(gjUserCurrent.getLoginId(), pwdChange.getOldPassword()); @@ -480,7 +459,7 @@ public class UserMgr { */ public VXPortalUser changeEmailAddress(XXPortalUser gjUser, VXPasswordChange changeEmail) { - + checkAccess(gjUser); if (gjUser.getEmailAddress() != null) { throw restErrorUtil.createRESTException( "serverMsg.userMgrEmailChange", @@ -530,21 +509,7 @@ public class UserMgr { * @param userId */ public VXPortalUser deactivateUser(XXPortalUser gjUser) { - UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null) { - if (!session.isUserAdmin()) { - throw restErrorUtil.create403RESTException("deactivation of user" - + " denied. LoggedInUser=" - + (session != null ? session.getXXPortalUser().getId() - : "Not Logged In") - + " ,isn't permitted to perform the action."); - } - }else{ - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); - vXResponse.setMsgDesc("Bad Credentials"); - throw restErrorUtil.generateRESTException(vXResponse); - } + checkAdminAccess(); if (gjUser != null && gjUser.getStatus() != RangerConstants.ACT_STATUS_DEACTIVATED) { logger.info("Marking user " + gjUser.getLoginId() + " as deleted"); @@ -1121,6 +1086,7 @@ public class UserMgr { } public VXPortalUser createUser(VXPortalUser userProfile) { + checkAdminAccess(); XXPortalUser xXPortalUser = this.createUser(userProfile, RangerCommonEnums.STATUS_ENABLED); return mapXXPortalUserVXPortalUser(xXPortalUser); @@ -1132,21 +1098,7 @@ public class UserMgr { userProfile.setUserSource(RangerCommonEnums.USER_EXTERNAL); } // access control - UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null) { - if (!session.isUserAdmin()) { - throw restErrorUtil.create403RESTException("User " - + "creation denied. LoggedInUser=" - + session.getXXPortalUser().getId() - + " ,isn't permitted to perform the action."); - - } - }else{ - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); - vXResponse.setMsgDesc("Bad Credentials"); - throw restErrorUtil.generateRESTException(vXResponse); - } + checkAdminAccess(); logger.info("create:" + userProfile.getEmailAddress()); XXPortalUser xXPortalUser = null; String loginId = userProfile.getLoginId(); @@ -1275,4 +1227,15 @@ public class UserMgr { return xXPortalUser; } + + public void checkAdminAccess() { + UserSessionBase sess = ContextUtil.getCurrentUserSession(); + if (sess != null) { + if (sess != null && sess.isUserAdmin()) { + return; + } + } + throw restErrorUtil.create403RESTException("Operation not allowed." + " loggedInUser=" + (sess != null ? sess.getXXPortalUser().getId() : "Not Logged In")); + } + } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java index d9812f9..02d725f 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java @@ -19,13 +19,22 @@ package org.apache.ranger.biz; +import javax.servlet.http.HttpServletResponse; + +import org.apache.ranger.common.ContextUtil; import org.apache.ranger.common.SearchCriteria; +import org.apache.ranger.common.UserSessionBase; import org.apache.ranger.solr.SolrAccessAuditsService; import org.apache.ranger.view.VXAccessAudit; import org.apache.ranger.view.VXAccessAuditList; import org.apache.ranger.view.VXLong; +import org.apache.ranger.view.VXResponse; +import org.apache.ranger.view.VXTrxLog; +import org.apache.ranger.view.VXTrxLogList; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; +@Component public class XAuditMgr extends XAuditMgrBase { @Autowired @@ -34,9 +43,68 @@ public class XAuditMgr extends XAuditMgrBase { @Autowired RangerBizUtil rangerBizUtil; + public VXTrxLog getXTrxLog(Long id) { + checkAdminAccess(); + return super.getXTrxLog(id); + } + + public VXTrxLog createXTrxLog(VXTrxLog vXTrxLog) { + checkAdminAccess(); + return super.createXTrxLog(vXTrxLog); + } + + public VXTrxLog updateXTrxLog(VXTrxLog vXTrxLog) { + checkAdminAccess(); + return super.updateXTrxLog(vXTrxLog); + } + + public void deleteXTrxLog(Long id, boolean force) { + checkAdminAccess(); + super.deleteXTrxLog(id, force); + } + + public VXTrxLogList searchXTrxLogs(SearchCriteria searchCriteria) { + checkAdminAccess(); + return super.searchXTrxLogs(searchCriteria); + } + + public VXLong getXTrxLogSearchCount(SearchCriteria searchCriteria) { + checkAdminAccess(); + return super.getXTrxLogSearchCount(searchCriteria); + } + + public VXAccessAudit createXAccessAudit(VXAccessAudit vXAccessAudit) { + checkAdminAccess(); + return super.createXAccessAudit(vXAccessAudit); + } + + public VXAccessAudit updateXAccessAudit(VXAccessAudit vXAccessAudit) { + checkAdminAccess(); + return super.updateXAccessAudit(vXAccessAudit); + } + + public void deleteXAccessAudit(Long id, boolean force) { + checkAdminAccess(); + super.deleteXAccessAudit(id, force); + } + + public void checkAdminAccess() { + UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { + if (!session.isUserAdmin()) { + throw restErrorUtil.create403RESTException("Operation" + " denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "Not Logged In") + + " ,isn't permitted to perform the action."); + } + } else { + VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); + vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); + } + } + @Override public VXAccessAudit getXAccessAudit(Long id) { - // TODO Auto-generated method stub return super.getXAccessAudit(id); } @@ -52,8 +120,7 @@ public class XAuditMgr extends XAuditMgrBase { @Override public VXLong getXAccessAuditSearchCount(SearchCriteria searchCriteria) { if (rangerBizUtil.getAuditDBType().equalsIgnoreCase("solr")) { - return solrAccessAuditsService - .getXAccessAuditSearchCount(searchCriteria); + return solrAccessAuditsService.getXAccessAuditSearchCount(searchCriteria); } else { return super.getXAccessAuditSearchCount(searchCriteria); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index 700caff..2413afb 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java @@ -20,7 +20,6 @@ package org.apache.ranger.biz; import java.util.ArrayList; -import java.util.Arrays; import java.util.Collection; import java.util.HashMap; import java.util.HashSet; @@ -37,6 +36,7 @@ import org.apache.ranger.entity.XXUserPermission; import org.apache.ranger.service.XGroupPermissionService; import org.apache.ranger.service.XModuleDefService; import org.apache.ranger.service.XPortalUserService; +import org.apache.ranger.service.XResourceService; import org.apache.ranger.service.XUserPermissionService; import org.apache.ranger.view.VXGroupPermission; import org.apache.ranger.view.VXModuleDef; @@ -49,24 +49,31 @@ import org.apache.ranger.common.SearchCriteria; import org.apache.ranger.common.UserSessionBase; import org.apache.ranger.db.RangerDaoManager; import org.apache.ranger.db.XXGroupUserDao; +import org.apache.ranger.entity.XXAuditMap; import org.apache.ranger.entity.XXGroup; +import org.apache.ranger.entity.XXPermMap; import org.apache.ranger.entity.XXPortalUser; -import org.apache.ranger.entity.XXPortalUserRole; import org.apache.ranger.entity.XXTrxLog; import org.apache.ranger.entity.XXUser; import org.apache.ranger.service.XGroupService; import org.apache.ranger.service.XUserService; +import org.apache.ranger.view.VXAuditMapList; import org.apache.ranger.view.VXGroup; +import org.apache.ranger.view.VXGroupGroup; import org.apache.ranger.view.VXGroupList; import org.apache.ranger.view.VXGroupUser; import org.apache.ranger.view.VXGroupUserList; +import org.apache.ranger.view.VXLong; +import org.apache.ranger.view.VXPermMapList; import org.apache.ranger.view.VXPortalUser; import org.apache.ranger.view.VXUser; import org.apache.ranger.view.VXUserGroupInfo; import org.apache.ranger.view.VXUserList; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; + import javax.servlet.http.HttpServletResponse; + import org.apache.ranger.view.VXResponse; @Component public class XUserMgr extends XUserMgrBase { @@ -100,25 +107,14 @@ public class XUserMgr extends XUserMgrBase { @Autowired XPortalUserService xPortalUserService; + + @Autowired + XResourceService xResourceService; static final Logger logger = Logger.getLogger(XUserMgr.class); public void deleteXGroup(Long id, boolean force) { - UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null) { - if (!session.isUserAdmin()) { - throw restErrorUtil.create403RESTException("deletion of group" - + " denied. LoggedInUser=" - + (session != null ? session.getXXPortalUser().getId() - : "Not Logged In") - + " ,isn't permitted to perform the action."); - } - }else{ - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); - vXResponse.setMsgDesc("Bad Credentials"); - throw restErrorUtil.generateRESTException(vXResponse); - } + checkAdminAccess(); if (force) { SearchCriteria searchCriteria = new SearchCriteria(); searchCriteria.addParam("xGroupId", id); @@ -139,21 +135,7 @@ public class XUserMgr extends XUserMgrBase { } public void deleteXUser(Long id, boolean force) { - UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null) { - if (!session.isUserAdmin()) { - throw restErrorUtil.create403RESTException("deletion of user" - + " denied. LoggedInUser=" - + (session != null ? session.getXXPortalUser().getId() - : "Not Logged In") - + " ,isn't permitted to perform the action."); - } - }else{ - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); - vXResponse.setMsgDesc("Bad Credentials"); - throw restErrorUtil.generateRESTException(vXResponse); - } + checkAdminAccess(); if (force) { SearchCriteria searchCriteria = new SearchCriteria(); searchCriteria.addParam("xUserId", id); @@ -185,21 +167,7 @@ public class XUserMgr extends XUserMgrBase { } public VXUser createXUser(VXUser vXUser) { - UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null) { - if (!session.isUserAdmin()) { - throw restErrorUtil.create403RESTException("creation of user" - + " denied. LoggedInUser=" - + (session != null ? session.getXXPortalUser().getId() - : "Not Logged In") - + " ,isn't permitted to perform the action."); - } - }else{ - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); - vXResponse.setMsgDesc("Bad Credentials"); - throw restErrorUtil.generateRESTException(vXResponse); - } + checkAdminAccess(); String userName = vXUser.getName(); if (userName == null || userName.isEmpty()) { throw restErrorUtil.createRESTException("Please provide a valid " @@ -256,7 +224,6 @@ public class XUserMgr extends XUserMgrBase { } // Assigning Permission - @SuppressWarnings("unused") public void assignPermissionToUser(VXPortalUser vXPortalUser, boolean isCreate) { HashMap<String, Long> moduleNameId = getModelNames(); @@ -336,7 +303,6 @@ public class XUserMgr extends XUserMgrBase { } - @SuppressWarnings("unused") public HashMap<String, Long> getModelNames() { List<XXModuleDef> xxModuleDefs = daoManager.getXXModuleDef() .findModuleNamesWithIds(); @@ -369,6 +335,10 @@ public class XUserMgr extends XUserMgrBase { } public VXUser updateXUser(VXUser vXUser) { + if (vXUser == null || vXUser.getName() == null || vXUser.getName().trim().isEmpty()) { + throw restErrorUtil.createRESTException("Please provide a valid " + "username.", MessageEnums.INVALID_INPUT_DATA); + } + checkAccess(vXUser.getName()); VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser .getName()); VXPortalUser vXPortalUser = new VXPortalUser(); @@ -522,21 +492,7 @@ public class XUserMgr extends XUserMgrBase { public VXUserGroupInfo createXUserGroupFromMap( VXUserGroupInfo vXUserGroupInfo) { - UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null) { - if (!session.isUserAdmin()) { - throw restErrorUtil.create403RESTException("User group " - + "creation denied. LoggedInUser=" - + (session != null ? session.getXXPortalUser().getId() - : "Not Logged In") - + " ,isn't permitted to perform the action."); - } - }else{ - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); - vXResponse.setMsgDesc("Bad Credentials"); - throw restErrorUtil.generateRESTException(vXResponse); - } + checkAdminAccess(); VXUserGroupInfo vxUGInfo = new VXUserGroupInfo(); VXUser vXUser = vXUserGroupInfo.getXuserInfo(); @@ -563,41 +519,12 @@ public class XUserMgr extends XUserMgrBase { } public VXUser createXUserWithOutLogin(VXUser vXUser) { - UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null) { - if (!session.isUserAdmin()) { - throw restErrorUtil.create403RESTException("creation of user" - + " denied. LoggedInUser=" - + (session != null ? session.getXXPortalUser().getId() - : "Not Logged In") - + " ,isn't permitted to perform the action."); - } - }else{ - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); - vXResponse.setMsgDesc("Bad Credentials"); - throw restErrorUtil.generateRESTException(vXResponse); - } + checkAdminAccess(); return xUserService.createXUserWithOutLogin(vXUser); } public VXGroup createXGroup(VXGroup vXGroup) { - UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null) { - if (!session.isUserAdmin()) { - throw restErrorUtil.create403RESTException("creation of group" - + " denied. LoggedInUser=" - + (session != null ? session.getXXPortalUser().getId() - : "Not Logged In") - + " ,isn't permitted to perform the action."); - } - }else{ - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); - vXResponse.setMsgDesc("Bad Credentials"); - throw restErrorUtil.generateRESTException(vXResponse); - } - // FIXME Just a hack + checkAdminAccess(); if (vXGroup.getDescription() == null) { vXGroup.setDescription(vXGroup.getName()); } @@ -610,40 +537,12 @@ public class XUserMgr extends XUserMgrBase { } public VXGroup createXGroupWithoutLogin(VXGroup vXGroup) { - UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null) { - if (!session.isUserAdmin()) { - throw restErrorUtil.create403RESTException("creation of group" - + " denied. LoggedInUser=" - + (session != null ? session.getXXPortalUser().getId() - : "Not Logged In") - + " ,isn't permitted to perform the action."); - } - }else{ - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); - vXResponse.setMsgDesc("Bad Credentials"); - throw restErrorUtil.generateRESTException(vXResponse); - } + checkAdminAccess(); return xGroupService.createXGroupWithOutLogin(vXGroup); } public VXGroupUser createXGroupUser(VXGroupUser vXGroupUser) { - UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null) { - if (!session.isUserAdmin()) { - throw restErrorUtil.create403RESTException("creation of group" - + " denied. LoggedInUser=" - + (session != null ? session.getXXPortalUser().getId() - : "Not Logged In") - + " ,isn't permitted to perform the action."); - } - }else{ - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); - vXResponse.setMsgDesc("Bad Credentials"); - throw restErrorUtil.generateRESTException(vXResponse); - } + checkAdminAccess(); vXGroupUser = xGroupUserService .createXGroupUserWithOutLogin(vXGroupUser); return vXGroupUser; @@ -690,21 +589,7 @@ public class XUserMgr extends XUserMgrBase { */ public void deleteXGroupAndXUser(String groupName, String userName) { - UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null) { - if (!session.isUserAdmin()) { - throw restErrorUtil.create403RESTException("User " - + "deletion denied. LoggedInUser=" - + (session != null ? session.getXXPortalUser().getId() - : "Not Logged In") - + " ,isn't permitted to perform the action."); - } - }else{ - VXResponse vXResponse = new VXResponse(); - vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); - vXResponse.setMsgDesc("Bad Credentials"); - throw restErrorUtil.generateRESTException(vXResponse); - } + checkAdminAccess(); VXGroup vxGroup = xGroupService.getGroupByGroupName(groupName); VXUser vxUser = xUserService.getXUserByUserName(userName); SearchCriteria searchCriteria = new SearchCriteria(); @@ -807,6 +692,7 @@ public class XUserMgr extends XUserMgrBase { @Override public VXGroup updateXGroup(VXGroup vXGroup) { + checkAdminAccess(); XXGroup xGroup = daoManager.getXXGroup().getById(vXGroup.getId()); List<XXTrxLog> trxLogList = xGroupService.getTransactionLog(vXGroup, xGroup, "update"); @@ -814,8 +700,77 @@ public class XUserMgr extends XUserMgrBase { vXGroup = (VXGroup) xGroupService.updateResource(vXGroup); return vXGroup; } + public VXGroupUser updateXGroupUser(VXGroupUser vXGroupUser) { + checkAdminAccess(); + return super.updateXGroupUser(vXGroupUser); + } + + public void deleteXGroupUser(Long id, boolean force) { + checkAdminAccess(); + super.deleteXGroupUser(id, force); + } + + public VXGroupGroup createXGroupGroup(VXGroupGroup vXGroupGroup){ + checkAdminAccess(); + return super.createXGroupGroup(vXGroupGroup); + } + + public VXGroupGroup updateXGroupGroup(VXGroupGroup vXGroupGroup) { + checkAdminAccess(); + return super.updateXGroupGroup(vXGroupGroup); + } + + public void deleteXGroupGroup(Long id, boolean force) { + checkAdminAccess(); + super.deleteXGroupGroup(id, force); + } + + public void deleteXPermMap(Long id, boolean force) { + if (force) { + XXPermMap xPermMap = daoManager.getXXPermMap().getById(id); + if (xPermMap != null) { + if (xResourceService.readResource(xPermMap.getResourceId()) == null) { + throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + xPermMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA); + } + } + + xPermMapService.deleteResource(id); + } else { + throw restErrorUtil.createRESTException("serverMsg.modelMgrBaseDeleteModel", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + + public VXLong getXPermMapSearchCount(SearchCriteria searchCriteria) { + VXPermMapList permMapList = xPermMapService.searchXPermMaps(searchCriteria); + VXLong vXLong = new VXLong(); + vXLong.setValue(permMapList.getListSize()); + return vXLong; + } + + public void deleteXAuditMap(Long id, boolean force) { + if (force) { + XXAuditMap xAuditMap = daoManager.getXXAuditMap().getById(id); + if (xAuditMap != null) { + if (xResourceService.readResource(xAuditMap.getResourceId()) == null) { + throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + xAuditMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA); + } + } + + xAuditMapService.deleteResource(id); + } else { + throw restErrorUtil.createRESTException("serverMsg.modelMgrBaseDeleteModel", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + } + + public VXLong getXAuditMapSearchCount(SearchCriteria searchCriteria) { + VXAuditMapList auditMapList = xAuditMapService.searchXAuditMaps(searchCriteria); + VXLong vXLong = new VXLong(); + vXLong.setValue(auditMapList.getListSize()); + return vXLong; + } public void modifyUserVisibility(HashMap<Long, Integer> visibilityMap) { + checkAdminAccess(); Set<Map.Entry<Long, Integer>> entries = visibilityMap.entrySet(); for (Map.Entry<Long, Integer> entry : entries) { XXUser xUser = daoManager.getXXUser().getById(entry.getKey()); @@ -826,6 +781,7 @@ public class XUserMgr extends XUserMgrBase { } public void modifyGroupsVisibility(HashMap<Long, Integer> groupVisibilityMap) { + checkAdminAccess(); Set<Map.Entry<Long, Integer>> entries = groupVisibilityMap.entrySet(); for (Map.Entry<Long, Integer> entry : entries) { XXGroup xGroup = daoManager.getXXGroup().getById(entry.getKey()); @@ -878,6 +834,7 @@ public class XUserMgr extends XUserMgrBase { // Module permissions public VXModuleDef createXModuleDefPermission(VXModuleDef vXModuleDef) { + checkAdminAccess(); return xModuleDefService.createResource(vXModuleDef); } @@ -886,6 +843,7 @@ public class XUserMgr extends XUserMgrBase { } public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) { + checkAdminAccess(); List<VXGroupPermission> groupPermListNew = vXModuleDef .getGroupPermList(); List<VXUserPermission> userPermListNew = vXModuleDef.getUserPermList(); @@ -970,12 +928,14 @@ public class XUserMgr extends XUserMgrBase { } public void deleteXModuleDefPermission(Long id, boolean force) { + checkAdminAccess(); xModuleDefService.deleteResource(id); } // User permission public VXUserPermission createXUserPermission( VXUserPermission vXUserPermission) { + checkAdminAccess(); return xUserPermissionService.createResource(vXUserPermission); } @@ -985,17 +945,19 @@ public class XUserMgr extends XUserMgrBase { public VXUserPermission updateXUserPermission( VXUserPermission vXUserPermission) { - + checkAdminAccess(); return xUserPermissionService.updateResource(vXUserPermission); } public void deleteXUserPermission(Long id, boolean force) { + checkAdminAccess(); xUserPermissionService.deleteResource(id); } // Group permission public VXGroupPermission createXGroupPermission( VXGroupPermission vXGroupPermission) { + checkAdminAccess(); return xGroupPermissionService.createResource(vXGroupPermission); } @@ -1005,14 +967,17 @@ public class XUserMgr extends XUserMgrBase { public VXGroupPermission updateXGroupPermission( VXGroupPermission vXGroupPermission) { + checkAdminAccess(); return xGroupPermissionService.updateResource(vXGroupPermission); } public void deleteXGroupPermission(Long id, boolean force) { + checkAdminAccess(); xGroupPermissionService.deleteResource(id); } public void modifyUserActiveStatus(HashMap<Long, Integer> statusMap) { + checkAdminAccess(); UserSessionBase session = ContextUtil.getCurrentUserSession(); String currentUser=null; if(session!=null){ @@ -1040,4 +1005,35 @@ public class XUserMgr extends XUserMgrBase { } } } + + public void checkAdminAccess() { + UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { + if (!session.isUserAdmin()) { + throw restErrorUtil.create403RESTException("Operation" + " denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "Not Logged In") + + " ,isn't permitted to perform the action."); + } + } else { + VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); + vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); + } + } + + public void checkAccess(String loginID) { + UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { + if (!session.isUserAdmin() && !session.isKeyAdmin() && !session.getLoginId().equalsIgnoreCase(loginID)) { + throw restErrorUtil.create403RESTException("Operation" + " denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "Not Logged In") + + " ,isn't permitted to perform the action."); + } + } else { + VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); + vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); + } + } + } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java index 9f5abfb..104e188 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java @@ -60,4 +60,25 @@ public class XXGroupUserDao extends BaseDao<XXGroupUser> { } return null; } + + /** + * @param xUserId + * -- Id of X_USER table + * @return + */ + @SuppressWarnings("unchecked") + public List<Long> findGroupIdListByUserId(Long xUserId) { + if (xUserId != null) { + try { + return getEntityManager().createNamedQuery("XXGroupUser.findGroupIdListByUserId").setParameter("xUserId", xUserId).getResultList(); + } catch (NoResultException e) { + logger.debug(e.getMessage()); + } + } else { + logger.debug("UserId not provided."); + return new ArrayList<Long>(); + } + return null; + } + } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java index 611eaf8..fa2b3d9 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java @@ -22,7 +22,9 @@ import java.util.List; import javax.persistence.NoResultException; +import org.apache.commons.collections.CollectionUtils; import org.apache.log4j.Logger; +import org.apache.ranger.common.RangerCommonEnums; import org.apache.ranger.common.db.BaseDao; import org.apache.ranger.entity.XXModuleDef; @@ -115,4 +117,40 @@ public class XXModuleDefDao extends BaseDao<XXModuleDef>{ return null; } } + + @SuppressWarnings("unchecked") + public List<String> findAccessibleModulesByGroupIdList(List<Long> grpIdList) { + if (CollectionUtils.isEmpty(grpIdList)) { + return new ArrayList<String>(); + } + try { + return getEntityManager().createNamedQuery("XXModuleDef.findAccessibleModulesByGroupId").setParameter("grpIdList", grpIdList) + .setParameter("isAllowed", RangerCommonEnums.ACCESS_RESULT_ALLOWED).getResultList(); + } catch (NoResultException e) { + return new ArrayList<String>(); + } + } + + /** + * @param portalUserId + * @param xUserId + * @return This function will return all the modules accessible for particular user, considering all the groups as well in which that user belongs + */ + @SuppressWarnings("unchecked") + public List<String> findAccessibleModulesByUserId(Long portalUserId, Long xUserId) { + if (portalUserId == null || xUserId == null) { + return new ArrayList<String>(); + } + try { + + List<String> userPermList = getEntityManager().createNamedQuery("XXModuleDef.findAllAccessibleModulesByUserId").setParameter("portalUserId", portalUserId) + .setParameter("xUserId", xUserId).setParameter("isAllowed", RangerCommonEnums.ACCESS_RESULT_ALLOWED).getResultList(); + + return userPermList; + + } catch (NoResultException e) { + return new ArrayList<String>(); + } + } + } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java index e5de160..19dbfaa 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java @@ -56,6 +56,7 @@ import org.apache.ranger.plugin.model.RangerService; import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.SearchFilter; import org.apache.ranger.plugin.util.ServicePolicies; +import org.apache.ranger.security.context.RangerAPIList; import org.apache.ranger.service.XAccessAuditService; import org.apache.ranger.service.XAgentService; import org.apache.ranger.service.XAssetService; @@ -137,6 +138,7 @@ public class AssetREST { @GET @Path("/assets/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_ASSET + "\")") public VXAsset getXAsset(@PathParam("id") Long id) { if(logger.isDebugEnabled()) { logger.debug("==> AssetREST.getXAsset(" + id + ")"); @@ -156,6 +158,7 @@ public class AssetREST { @POST @Path("/assets") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_ASSET + "\")") public VXAsset createXAsset(VXAsset vXAsset) { if(logger.isDebugEnabled()) { logger.debug("==> AssetREST.createXAsset(" + vXAsset + ")"); @@ -177,6 +180,7 @@ public class AssetREST { @PUT @Path("/assets/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_ASSET + "\")") public VXAsset updateXAsset(VXAsset vXAsset) { if(logger.isDebugEnabled()) { logger.debug("==> AssetREST.updateXAsset(" + vXAsset + ")"); @@ -197,8 +201,8 @@ public class AssetREST { @DELETE @Path("/assets/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") @RangerAnnotationClassName(class_name = VXAsset.class) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_ASSET + "\")") public void deleteXAsset(@PathParam("id") Long id, @Context HttpServletRequest request) { if(logger.isDebugEnabled()) { @@ -215,6 +219,7 @@ public class AssetREST { @POST @Path("/assets/testConfig") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.TEST_CONFIG + "\")") public VXResponse testConfig(VXAsset vXAsset) { if(logger.isDebugEnabled()) { logger.debug("==> AssetREST.testConfig(" + vXAsset + ")"); @@ -234,6 +239,7 @@ public class AssetREST { @GET @Path("/assets") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_ASSETS + "\")") public VXAssetList searchXAssets(@Context HttpServletRequest request) { if(logger.isDebugEnabled()) { logger.debug("==> AssetREST.searchXAssets()"); @@ -269,6 +275,7 @@ public class AssetREST { @GET @Path("/assets/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_ASSETS + "\")") public VXLong countXAssets(@Context HttpServletRequest request) { if(logger.isDebugEnabled()) { logger.debug("==> AssetREST.countXAssets()"); @@ -547,8 +554,10 @@ public class AssetREST { @GET @Path("/exportAudit") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_POLICY_EXPORT_AUDITS + "\")") public VXPolicyExportAuditList searchXPolicyExportAudits( @Context HttpServletRequest request) { + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xPolicyExportAudits.sortFields); searchUtil.extractString(request, searchCriteria, "agentId", @@ -572,7 +581,9 @@ public class AssetREST { @GET @Path("/report") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_REPORT_LOGS + "\")") public VXTrxLogList getReportLogs(@Context HttpServletRequest request){ + SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xTrxLogService.sortFields); searchUtil.extractInt(request, searchCriteria, "objectClassType", "Class type for report."); @@ -592,6 +603,7 @@ public class AssetREST { @GET @Path("/report/{transactionId}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_TRANSACTION_REPORT + "\")") public VXTrxLogList getTransactionReport(@Context HttpServletRequest request, @PathParam("transactionId") String transactionId){ return assetMgr.getTransactionReport(transactionId); @@ -600,6 +612,7 @@ public class AssetREST { @GET @Path("/accessAudit") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_ACCESS_LOGS + "\")") public VXAccessAuditList getAccessLogs(@Context HttpServletRequest request){ SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xAccessAuditService.sortFields); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java index 059f787..2c30daa 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java @@ -312,7 +312,7 @@ public class PublicAPIsv2 { @Produces({ "application/json", "application/xml" }) public List<RangerPolicy> searchPolicies(@PathParam("servicename") String serviceName, @Context HttpServletRequest request) { - return serviceREST.getServicePolicies(serviceName, request).getPolicies(); + return serviceREST.getServicePoliciesByName(serviceName, request).getPolicies(); } @POST http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index 3d2e8b0..f523d67 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java @@ -49,6 +49,7 @@ import org.apache.ranger.biz.RangerBizUtil; import org.apache.ranger.biz.ServiceDBStore; import org.apache.ranger.biz.ServiceMgr; import org.apache.ranger.biz.XUserMgr; +import org.apache.ranger.common.AppConstants; import org.apache.ranger.common.GUIDUtil; import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.RESTErrorUtil; @@ -81,6 +82,8 @@ import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.SearchFilter; import org.apache.ranger.plugin.util.ServicePolicies; +import org.apache.ranger.security.context.RangerAPIList; +import org.apache.ranger.security.context.RangerPreAuthSecurityHandler; import org.apache.ranger.service.RangerPolicyService; import org.apache.ranger.service.RangerServiceDefService; import org.apache.ranger.service.RangerServiceService; @@ -151,11 +154,10 @@ public class ServiceREST { public ServiceREST() { } - @POST @Path("/definitions") @Produces({ "application/json", "application/xml" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_SERVICE_DEF + "\")") public RangerServiceDef createServiceDef(RangerServiceDef serviceDef) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.createServiceDef(" + serviceDef + ")"); @@ -189,7 +191,7 @@ public class ServiceREST { @PUT @Path("/definitions/{id}") @Produces({ "application/json", "application/xml" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_SERVICE_DEF + "\")") public RangerServiceDef updateServiceDef(RangerServiceDef serviceDef) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.updateServiceDef(" + serviceDef + ")"); @@ -223,7 +225,7 @@ public class ServiceREST { @DELETE @Path("/definitions/{id}") @Produces({ "application/json", "application/xml" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_SERVICE_DEF + "\")") public void deleteServiceDef(@PathParam("id") Long id, @Context HttpServletRequest request) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.deleteServiceDef(" + id + ")"); @@ -260,6 +262,7 @@ public class ServiceREST { @GET @Path("/definitions/{id}") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEF + "\")") public RangerServiceDef getServiceDef(@PathParam("id") Long id) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.getServiceDef(" + id + ")"); @@ -298,6 +301,7 @@ public class ServiceREST { @GET @Path("/definitions/name/{name}") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEF_BY_NAME + "\")") public RangerServiceDef getServiceDefByName(@PathParam("name") String name) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.getServiceDefByName(" + name + ")"); @@ -338,6 +342,7 @@ public class ServiceREST { @GET @Path("/definitions") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEFS + "\")") public RangerServiceDefList getServiceDefs(@Context HttpServletRequest request) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.getServiceDefs()"); @@ -366,7 +371,7 @@ public class ServiceREST { @POST @Path("/services") @Produces({ "application/json", "application/xml" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_SERVICE + "\")") public RangerService createService(RangerService service) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.createService(" + service + ")"); @@ -405,7 +410,7 @@ public class ServiceREST { @PUT @Path("/services/{id}") @Produces({ "application/json", "application/xml" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_SERVICE + "\")") public RangerService updateService(RangerService service) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.updateService(): " + service); @@ -444,7 +449,7 @@ public class ServiceREST { @DELETE @Path("/services/{id}") @Produces({ "application/json", "application/xml" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_SERVICE + "\")") public void deleteService(@PathParam("id") Long id) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.deleteService(" + id + ")"); @@ -480,6 +485,7 @@ public class ServiceREST { @GET @Path("/services/{id}") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE + "\")") public RangerService getService(@PathParam("id") Long id) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.getService(" + id + ")"); @@ -511,6 +517,7 @@ public class ServiceREST { @GET @Path("/services/name/{name}") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_BY_NAME + "\")") public RangerService getServiceByName(@PathParam("name") String name) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.getServiceByName(" + name + ")"); @@ -542,6 +549,7 @@ public class ServiceREST { @GET @Path("/services") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICES + "\")") public RangerServiceList getServices(@Context HttpServletRequest request) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.getServices()"); @@ -595,6 +603,7 @@ public class ServiceREST { @GET @Path("/services/count") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_SERVICES + "\")") public Long countServices(@Context HttpServletRequest request) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.countServices():"); @@ -624,6 +633,7 @@ public class ServiceREST { @POST @Path("/services/validateConfig") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.VALIDATE_CONFIG + "\")") public VXResponse validateConfig(RangerService service) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.validateConfig(" + service + ")"); @@ -651,6 +661,7 @@ public class ServiceREST { @POST @Path("/services/lookupResource/{serviceName}") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.LOOKUP_RESOURCE + "\")") public List<String> lookupResource(@PathParam("serviceName") String serviceName, ResourceLookupContext context) { if(LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.lookupResource(" + serviceName + ")"); @@ -1196,7 +1207,7 @@ public class ServiceREST { @GET @Path("/policies/service/name/{name}") @Produces({ "application/json", "application/xml" }) - public RangerPolicyList getServicePolicies(@PathParam("name") String serviceName, + public RangerPolicyList getServicePoliciesByName(@PathParam("name") String serviceName, @Context HttpServletRequest request) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.getServicePolicies(" + serviceName + ")"); @@ -1464,6 +1475,7 @@ public class ServiceREST { @GET @Path("/policies/eventTime") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_POLICY_FROM_EVENT_TIME + "\")") public RangerPolicy getPolicyFromEventTime(@Context HttpServletRequest request) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceREST.getPolicyFromEventTime()"); @@ -1490,6 +1502,7 @@ public class ServiceREST { @GET @Path("/policy/{policyId}/versionList") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_POLICY_VERSION_LIST + "\")") public VXString getPolicyVersionList(@PathParam("policyId") Long policyId) { return svcStore.getPolicyVersionList(policyId); } @@ -1497,6 +1510,7 @@ public class ServiceREST { @GET @Path("/policy/{policyId}/version/{versionNo}") @Produces({ "application/json", "application/xml" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_POLICY_FOR_VERSION_NO + "\")") public RangerPolicy getPolicyForVersionNumber(@PathParam("policyId") Long policyId, @PathParam("versionNo") int versionNo) { return svcStore.getPolicyForVersionNumber(policyId, versionNo); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java index a9d0059..4c5e890 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java @@ -45,6 +45,8 @@ import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName; import org.apache.ranger.common.annotation.RangerAnnotationRestAPI; import org.apache.ranger.db.RangerDaoManager; import org.apache.ranger.entity.XXPortalUser; +import org.apache.ranger.security.context.RangerAPIList; +import org.apache.ranger.security.context.RangerPreAuthSecurityHandler; import org.apache.ranger.util.RangerRestUtil; import org.apache.ranger.view.VXPasswordChange; import org.apache.ranger.view.VXPortalUser; @@ -99,7 +101,7 @@ public class UserREST { */ @GET @Produces({ "application/xml", "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_USERS + "\")") public VXPortalUserList searchUsers(@Context HttpServletRequest request) { String[] approvedSortByParams = new String[] { "requestDate", "approvedDate", "activationDate", "emailAddress", "firstName", @@ -150,6 +152,7 @@ public class UserREST { @GET @Path("{userId}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_USER_PROFILE_FOR_USER + "\")") public VXPortalUser getUserProfileForUser(@PathParam("userId") Long userId) { try { VXPortalUser userProfile = userManager.getUserProfile(userId); @@ -171,7 +174,7 @@ public class UserREST { @POST @Consumes({ "application/json", "application/xml" }) @Produces({ "application/xml", "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE + "\")") public VXPortalUser create(VXPortalUser userProfile, @Context HttpServletRequest servletRequest) { logger.info("create:" + userProfile.getEmailAddress()); @@ -184,7 +187,7 @@ public class UserREST { @Path("/default") @Consumes({ "application/json", "application/xml" }) @Produces({ "application/xml", "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_DEFAULT_ACCOUNT_USER + "\")") public VXPortalUser createDefaultAccountUser(VXPortalUser userProfile, @Context HttpServletRequest servletRequest) { VXPortalUser vxPortalUser; @@ -201,6 +204,7 @@ public class UserREST { @Consumes({ "application/json", "application/xml" }) @Produces({ "application/xml", "application/json" }) @RangerAnnotationRestAPI(updates_classes = "VUserProfile") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE + "\")") public VXPortalUser update(VXPortalUser userProfile, @Context HttpServletRequest servletRequest) { logger.info("update:" + userProfile.getEmailAddress()); @@ -222,6 +226,7 @@ public class UserREST { @PUT @Path("/{userId}/roles") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SET_USER_ROLES + "\")") public VXResponse setUserRoles(@PathParam("userId") Long userId, VXStringList roleList) { userManager.checkAccess(userId); @@ -240,7 +245,7 @@ public class UserREST { @POST @Path("{userId}/deactivate") @Produces({ "application/xml", "application/json" }) - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DEACTIVATE_USER + "\")") @RangerAnnotationClassName(class_name = VXPortalUser.class) public VXPortalUser deactivateUser(@PathParam("userId") Long userId) { XXPortalUser gjUser = daoManager.getXXPortalUser().getById(userId); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java index 531f395..cbe486b 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java @@ -35,6 +35,7 @@ import org.apache.ranger.common.SearchCriteria; import org.apache.ranger.common.SearchUtil; import org.apache.ranger.common.annotation.RangerAnnotationClassName; import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName; +import org.apache.ranger.security.context.RangerAPIList; import org.apache.ranger.service.XAccessAuditService; import org.apache.ranger.service.XTrxLogService; import org.apache.ranger.view.VXAccessAuditList; @@ -71,6 +72,7 @@ public class XAuditREST { @GET @Path("/trx_log/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_TRX_LOG + "\")") public VXTrxLog getXTrxLog( @PathParam("id") Long id) { return xAuditMgr.getXTrxLog(id); @@ -79,6 +81,7 @@ public class XAuditREST { @POST @Path("/trx_log") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_TRX_LOG + "\")") public VXTrxLog createXTrxLog(VXTrxLog vXTrxLog) { return xAuditMgr.createXTrxLog(vXTrxLog); } @@ -86,13 +89,14 @@ public class XAuditREST { @PUT @Path("/trx_log") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_TRX_LOG + "\")") public VXTrxLog updateXTrxLog(VXTrxLog vXTrxLog) { return xAuditMgr.updateXTrxLog(vXTrxLog); } @DELETE @Path("/trx_log/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_TRX_LOG + "\")") @RangerAnnotationClassName(class_name = VXTrxLog.class) public void deleteXTrxLog(@PathParam("id") Long id, @Context HttpServletRequest request) { @@ -109,6 +113,7 @@ public class XAuditREST { @GET @Path("/trx_log") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_TRX_LOG + "\")") public VXTrxLogList searchXTrxLogs(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xTrxLogService.sortFields); @@ -118,6 +123,7 @@ public class XAuditREST { @GET @Path("/trx_log/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_TRX_LOGS + "\")") public VXLong countXTrxLogs(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xTrxLogService.sortFields); @@ -135,6 +141,7 @@ public class XAuditREST { @GET @Path("/access_audit") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_ACCESS_AUDITS + "\")") public VXAccessAuditList searchXAccessAudits(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xAccessAuditService.sortFields); @@ -144,6 +151,7 @@ public class XAuditREST { @GET @Path("/access_audit/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_ACCESS_AUDITS + "\")") public VXLong countXAccessAudits(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xAccessAuditService.sortFields); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java index 1c0f9fc..c374f8e 100755 --- a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java @@ -35,12 +35,15 @@ import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.RESTErrorUtil; import org.apache.ranger.common.SearchUtil; import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName; +import org.apache.ranger.security.context.RangerAPIList; +import org.apache.ranger.security.context.RangerPreAuthSecurityHandler; import org.apache.ranger.view.VXKmsKey; import org.apache.ranger.view.VXKmsKeyList; import org.codehaus.jettison.json.JSONException; import org.codehaus.jettison.json.JSONObject; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Scope; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.stereotype.Component; import org.springframework.transaction.annotation.Propagation; import org.springframework.transaction.annotation.Transactional; @@ -66,7 +69,7 @@ public class XKeyREST { @Autowired RESTErrorUtil restErrorUtil; - + /** * Implements the traditional search functionalities for Keys * @@ -76,6 +79,7 @@ public class XKeyREST { @GET @Path("/keys") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_KEYS + "\")") public VXKmsKeyList searchKeys(@Context HttpServletRequest request, @QueryParam("provider") String provider) { VXKmsKeyList vxKmsKeyList = new VXKmsKeyList(); try{ @@ -94,6 +98,7 @@ public class XKeyREST { @PUT @Path("/key") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.ROLLOVER_KEYS + "\")") public VXKmsKey rolloverKey(@QueryParam("provider") String provider, VXKmsKey vXKey) { VXKmsKey vxKmsKey = new VXKmsKey(); try{ @@ -120,6 +125,7 @@ public class XKeyREST { @DELETE @Path("/key/{alias}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_KEY + "\")") public void deleteKey(@PathParam("alias") String name, @QueryParam("provider") String provider, @Context HttpServletRequest request) { try{ if (name == null || name.isEmpty()) { @@ -140,6 +146,7 @@ public class XKeyREST { @POST @Path("/key") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_KEY + "\")") public VXKmsKey createKey(@QueryParam("provider") String provider, VXKmsKey vXKey) { VXKmsKey vxKmsKey = new VXKmsKey(); try{ @@ -167,6 +174,7 @@ public class XKeyREST { @GET @Path("/key/{alias}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_KEY + "\")") public VXKmsKey getKey(@PathParam("alias") String name,@QueryParam("provider") String provider){ VXKmsKey vxKmsKey = new VXKmsKey(); try{ http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d04a09c/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java index 93980b4..472dad6 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java @@ -36,6 +36,7 @@ import org.apache.log4j.Logger; import org.apache.ranger.biz.RangerBizUtil; import org.apache.ranger.biz.SessionMgr; import org.apache.ranger.biz.XUserMgr; +import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.RESTErrorUtil; import org.apache.ranger.common.SearchCriteria; import org.apache.ranger.common.SearchUtil; @@ -43,6 +44,9 @@ import org.apache.ranger.common.StringUtil; import org.apache.ranger.common.annotation.RangerAnnotationClassName; import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName; import org.apache.ranger.db.RangerDaoManager; +import org.apache.ranger.security.context.RangerAPIList; +import org.apache.ranger.security.context.RangerAPIMapping; +import org.apache.ranger.security.context.RangerPreAuthSecurityHandler; import org.apache.ranger.service.AuthSessionService; import org.apache.ranger.service.XAuditMapService; import org.apache.ranger.service.XGroupGroupService; @@ -51,6 +55,7 @@ import org.apache.ranger.service.XGroupService; import org.apache.ranger.service.XGroupUserService; import org.apache.ranger.service.XModuleDefService; import org.apache.ranger.service.XPermMapService; +import org.apache.ranger.service.XResourceService; import org.apache.ranger.service.XUserPermissionService; import org.apache.ranger.service.XUserService; import org.apache.ranger.view.VXAuditMap; @@ -138,11 +143,15 @@ public class XUserREST { @Autowired RangerBizUtil bizUtil; + + @Autowired + XResourceService xResourceService; // Handle XGroup @GET @Path("/groups/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP + "\")") public VXGroup getXGroup(@PathParam("id") Long id) { return xUserMgr.getXGroup(id); } @@ -150,6 +159,7 @@ public class XUserREST { @GET @Path("/secure/groups/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SECURE_GET_X_GROUP + "\")") public VXGroup secureGetXGroup(@PathParam("id") Long id) { return xUserMgr.getXGroup(id); } @@ -187,6 +197,7 @@ public class XUserREST { @PUT @Path("/secure/groups/visibility") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.MODIFY_GROUPS_VISIBILITY + "\")") public void modifyGroupsVisibility(HashMap<Long, Integer> groupVisibilityMap){ xUserMgr.modifyGroupsVisibility(groupVisibilityMap); } @@ -210,6 +221,7 @@ public class XUserREST { @GET @Path("/groups") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUPS + "\")") public VXGroupList searchXGroups(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xGroupService.sortFields); @@ -224,6 +236,7 @@ public class XUserREST { @GET @Path("/groups/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUPS + "\")") public VXLong countXGroups(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xGroupService.sortFields); @@ -235,6 +248,7 @@ public class XUserREST { @GET @Path("/users/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER + "\")") public VXUser getXUser(@PathParam("id") Long id) { return xUserMgr.getXUser(id); } @@ -242,6 +256,7 @@ public class XUserREST { @GET @Path("/secure/users/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SECURE_GET_X_USER + "\")") public VXUser secureGetXUser(@PathParam("id") Long id) { return xUserMgr.getXUser(id); } @@ -291,6 +306,7 @@ public class XUserREST { @PUT @Path("/secure/users/visibility") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.MODIFY_USER_VISIBILITY + "\")") public void modifyUserVisibility(HashMap<Long, Integer> visibilityMap){ xUserMgr.modifyUserVisibility(visibilityMap); } @@ -314,6 +330,7 @@ public class XUserREST { @GET @Path("/users") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_USERS + "\")") public VXUserList searchXUsers(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xUserService.sortFields); @@ -334,6 +351,7 @@ public class XUserREST { @GET @Path("/users/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_USERS + "\")") public VXLong countXUsers(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xUserService.sortFields); @@ -345,6 +363,7 @@ public class XUserREST { @GET @Path("/groupusers/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_USER + "\")") public VXGroupUser getXGroupUser(@PathParam("id") Long id) { return xUserMgr.getXGroupUser(id); } @@ -383,6 +402,7 @@ public class XUserREST { @GET @Path("/groupusers") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUP_USERS + "\")") public VXGroupUserList searchXGroupUsers(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xGroupUserService.sortFields); @@ -392,6 +412,7 @@ public class XUserREST { @GET @Path("/groupusers/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUP_USERS + "\")") public VXLong countXGroupUsers(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xGroupUserService.sortFields); @@ -403,6 +424,7 @@ public class XUserREST { @GET @Path("/groupgroups/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_GROUP + "\")") public VXGroupGroup getXGroupGroup(@PathParam("id") Long id) { return xUserMgr.getXGroupGroup(id); } @@ -440,6 +462,7 @@ public class XUserREST { @GET @Path("/groupgroups") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUP_GROUPS + "\")") public VXGroupGroupList searchXGroupGroups( @Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( @@ -450,6 +473,7 @@ public class XUserREST { @GET @Path("/groupgroups/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUP_GROUPS + "\")") public VXLong countXGroupGroups(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xGroupGroupService.sortFields); @@ -461,28 +485,53 @@ public class XUserREST { @GET @Path("/permmaps/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_PERM_MAP + "\")") public VXPermMap getXPermMap(@PathParam("id") Long id) { - return xUserMgr.getXPermMap(id); + VXPermMap permMap = xUserMgr.getXPermMap(id); + + if (permMap != null) { + if (xResourceService.readResource(permMap.getResourceId()) == null) { + throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + permMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA); + } + } + + return permMap; } @POST @Path("/permmaps") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_PERM_MAP + "\")") public VXPermMap createXPermMap(VXPermMap vXPermMap) { + + if (vXPermMap != null) { + if (xResourceService.readResource(vXPermMap.getResourceId()) == null) { + throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXPermMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA); + } + } + return xUserMgr.createXPermMap(vXPermMap); } @PUT @Path("/permmaps") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_PERM_MAP + "\")") public VXPermMap updateXPermMap(VXPermMap vXPermMap) { + + if (vXPermMap != null) { + if (xResourceService.readResource(vXPermMap.getResourceId()) == null) { + throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXPermMap.getResourceId()); + } + } + return xUserMgr.updateXPermMap(vXPermMap); } @DELETE @Path("/permmaps/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") @RangerAnnotationClassName(class_name = VXPermMap.class) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_PERM_MAP + "\")") public void deleteXPermMap(@PathParam("id") Long id, @Context HttpServletRequest request) { boolean force = false; @@ -498,6 +547,7 @@ public class XUserREST { @GET @Path("/permmaps") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_PERM_MAPS + "\")") public VXPermMapList searchXPermMaps(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xPermMapService.sortFields); @@ -507,6 +557,7 @@ public class XUserREST { @GET @Path("/permmaps/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_PERM_MAPS + "\")") public VXLong countXPermMaps(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xPermMapService.sortFields); @@ -518,28 +569,53 @@ public class XUserREST { @GET @Path("/auditmaps/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_AUDIT_MAP + "\")") public VXAuditMap getXAuditMap(@PathParam("id") Long id) { - return xUserMgr.getXAuditMap(id); + VXAuditMap vXAuditMap = xUserMgr.getXAuditMap(id); + + if (vXAuditMap != null) { + if (xResourceService.readResource(vXAuditMap.getResourceId()) == null) { + throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXAuditMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA); + } + } + + return vXAuditMap; } @POST @Path("/auditmaps") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_AUDIT_MAP + "\")") public VXAuditMap createXAuditMap(VXAuditMap vXAuditMap) { + + if (vXAuditMap != null) { + if (xResourceService.readResource(vXAuditMap.getResourceId()) == null) { + throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXAuditMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA); + } + } + return xUserMgr.createXAuditMap(vXAuditMap); } @PUT @Path("/auditmaps") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_AUDIT_MAP + "\")") public VXAuditMap updateXAuditMap(VXAuditMap vXAuditMap) { + + if (vXAuditMap != null) { + if (xResourceService.readResource(vXAuditMap.getResourceId()) == null) { + throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXAuditMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA); + } + } + return xUserMgr.updateXAuditMap(vXAuditMap); } @DELETE @Path("/auditmaps/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") @RangerAnnotationClassName(class_name = VXAuditMap.class) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_AUDIT_MAP + "\")") public void deleteXAuditMap(@PathParam("id") Long id, @Context HttpServletRequest request) { boolean force = false; @@ -555,6 +631,7 @@ public class XUserREST { @GET @Path("/auditmaps") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_AUDIT_MAPS + "\")") public VXAuditMapList searchXAuditMaps(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xAuditMapService.sortFields); @@ -564,6 +641,7 @@ public class XUserREST { @GET @Path("/auditmaps/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_AUDIT_MAPS + "\")") public VXLong countXAuditMaps(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xAuditMapService.sortFields); @@ -575,6 +653,7 @@ public class XUserREST { @GET @Path("/users/userName/{userName}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER_BY_USER_NAME + "\")") public VXUser getXUserByUserName(@Context HttpServletRequest request, @PathParam("userName") String userName) { return xUserMgr.getXUserByUserName(userName); @@ -583,6 +662,7 @@ public class XUserREST { @GET @Path("/groups/groupName/{groupName}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_BY_GROUP_NAME + "\")") public VXGroup getXGroupByGroupName(@Context HttpServletRequest request, @PathParam("groupName") String groupName) { return xGroupService.getGroupByGroupName(groupName); @@ -629,6 +709,7 @@ public class XUserREST { @GET @Path("/{userId}/groups") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER_GROUPS + "\")") public VXGroupList getXUserGroups(@Context HttpServletRequest request, @PathParam("userId") Long id){ return xUserMgr.getXUserGroups(id); @@ -637,6 +718,7 @@ public class XUserREST { @GET @Path("/{groupId}/users") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_USERS + "\")") public VXUserList getXGroupUsers(@Context HttpServletRequest request, @PathParam("groupId") Long id){ return xUserMgr.getXGroupUsers(id); @@ -645,6 +727,7 @@ public class XUserREST { @GET @Path("/authSessions") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_AUTH_SESSIONS + "\")") public VXAuthSessionList getAuthSessions(@Context HttpServletRequest request){ SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, authSessionService.AUTH_SESSION_SORT_FLDS); @@ -666,6 +749,7 @@ public class XUserREST { @GET @Path("/authSessions/info") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_AUTH_SESSION + "\")") public VXAuthSession getAuthSession(@Context HttpServletRequest request){ String authSessionId = request.getParameter("extSessionId"); return sessionMgr.getAuthSessionBySessionId(authSessionId); @@ -675,6 +759,7 @@ public class XUserREST { @POST @Path("/permission") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_MODULE_DEF_PERMISSION + "\")") public VXModuleDef createXModuleDefPermission(VXModuleDef vXModuleDef) { return xUserMgr.createXModuleDefPermission(vXModuleDef); } @@ -682,6 +767,7 @@ public class XUserREST { @GET @Path("/permission/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_MODULE_DEF_PERMISSION + "\")") public VXModuleDef getXModuleDefPermission(@PathParam("id") Long id) { return xUserMgr.getXModuleDefPermission(id); } @@ -689,13 +775,14 @@ public class XUserREST { @PUT @Path("/permission/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_MODULE_DEF_PERMISSION + "\")") public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) { return xUserMgr.updateXModuleDefPermission(vXModuleDef); } @DELETE @Path("/permission/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_MODULE_DEF_PERMISSION + "\")") public void deleteXModuleDefPermission(@PathParam("id") Long id, @Context HttpServletRequest request) { boolean force = true; @@ -705,6 +792,7 @@ public class XUserREST { @GET @Path("/permission") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_MODULE_DEF + "\")") public VXModuleDefList searchXModuleDef(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xModuleDefService.sortFields); @@ -725,6 +813,7 @@ public class XUserREST { @GET @Path("/permission/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_MODULE_DEF + "\")") public VXLong countXModuleDef(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xModuleDefService.sortFields); @@ -735,6 +824,7 @@ public class XUserREST { @POST @Path("/permission/user") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_USER_PERMISSION + "\")") public VXUserPermission createXUserPermission( VXUserPermission vXUserPermission) { return xUserMgr.createXUserPermission(vXUserPermission); @@ -743,6 +833,7 @@ public class XUserREST { @GET @Path("/permission/user/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER_PERMISSION + "\")") public VXUserPermission getXUserPermission(@PathParam("id") Long id) { return xUserMgr.getXUserPermission(id); } @@ -750,6 +841,7 @@ public class XUserREST { @PUT @Path("/permission/user/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_USER_PERMISSION + "\")") public VXUserPermission updateXUserPermission( VXUserPermission vXUserPermission) { return xUserMgr.updateXUserPermission(vXUserPermission); @@ -757,7 +849,7 @@ public class XUserREST { @DELETE @Path("/permission/user/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_USER_PERMISSION + "\")") public void deleteXUserPermission(@PathParam("id") Long id, @Context HttpServletRequest request) { boolean force = true; @@ -767,6 +859,7 @@ public class XUserREST { @GET @Path("/permission/user") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_USER_PERMISSION + "\")") public VXUserPermissionList searchXUserPermission( @Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( @@ -782,6 +875,7 @@ public class XUserREST { @GET @Path("/permission/user/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_USER_PERMISSION + "\")") public VXLong countXUserPermission(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xUserPermissionService.sortFields); @@ -792,6 +886,7 @@ public class XUserREST { @POST @Path("/permission/group") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_GROUP_PERMISSION + "\")") public VXGroupPermission createXGroupPermission( VXGroupPermission vXGroupPermission) { return xUserMgr.createXGroupPermission(vXGroupPermission); @@ -800,6 +895,7 @@ public class XUserREST { @GET @Path("/permission/group/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_PERMISSION + "\")") public VXGroupPermission getXGroupPermission(@PathParam("id") Long id) { return xUserMgr.getXGroupPermission(id); } @@ -807,6 +903,7 @@ public class XUserREST { @PUT @Path("/permission/group/{id}") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_GROUP_PERMISSION + "\")") public VXGroupPermission updateXGroupPermission( VXGroupPermission vXGroupPermission) { return xUserMgr.updateXGroupPermission(vXGroupPermission); @@ -814,7 +911,7 @@ public class XUserREST { @DELETE @Path("/permission/group/{id}") - @PreAuthorize("hasRole('ROLE_SYS_ADMIN')") + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_GROUP_PERMISSION + "\")") public void deleteXGroupPermission(@PathParam("id") Long id, @Context HttpServletRequest request) { boolean force = true; @@ -824,6 +921,7 @@ public class XUserREST { @GET @Path("/permission/group") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUP_PERMISSION + "\")") public VXGroupPermissionList searchXGroupPermission( @Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( @@ -838,6 +936,7 @@ public class XUserREST { @GET @Path("/permission/group/count") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUP_PERMISSION + "\")") public VXLong countXGroupPermission(@Context HttpServletRequest request) { SearchCriteria searchCriteria = searchUtil.extractCommonCriterias( request, xGroupPermissionService.sortFields); @@ -847,6 +946,7 @@ public class XUserREST { @PUT @Path("/secure/users/activestatus") @Produces({ "application/xml", "application/json" }) + @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.MODIFY_USER_ACTIVE_STATUS + "\")") public void modifyUserActiveStatus(HashMap<Long, Integer> statusMap){ xUserMgr.modifyUserActiveStatus(statusMap); }
