Repository: incubator-ranger Updated Branches: refs/heads/master 64c4a9532 -> 4da0f20ac
RANGER-977: Adding hdfs and hive policy items while creating default policy for KMS Signed-off-by: Velmurugan Periasamy <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/4da0f20a Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/4da0f20a Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/4da0f20a Branch: refs/heads/master Commit: 4da0f20ac782b629565fc14d5dc3d329a436181e Parents: 64c4a95 Author: Sailaja Polavarapu <[email protected]> Authored: Wed May 18 13:35:32 2016 -0700 Committer: Velmurugan Periasamy <[email protected]> Committed: Thu May 19 01:47:04 2016 -0400 ---------------------------------------------------------------------- .../org/apache/ranger/biz/ServiceDBStore.java | 181 ++++++++++++------- .../resources/conf.dist/ranger-admin-site.xml | 9 + .../apache/ranger/biz/TestServiceDBStore.java | 166 +++++++++++++++++ 3 files changed, 294 insertions(+), 62 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4da0f20a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index 69eb630..2f88a9b 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -230,6 +230,9 @@ public class ServiceDBStore extends AbstractServiceStore { public static final String HIDDEN_PASSWORD_STR = "*****"; public static final String CONFIG_KEY_PASSWORD = "password"; + public static final String ACCESS_TYPE_DECRYPT_EEK = "decrypteek"; + public static final String ACCESS_TYPE_GENERATE_EEK = "generateeek"; + public static final String ACCESS_TYPE_GET_METADATA = "getmetadata"; private ServicePredicateUtil predicateUtil = null; @@ -2259,7 +2262,9 @@ public class ServiceDBStore extends AbstractServiceStore { // we need to create one policy for each resource hierarchy RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef); for (List<RangerResourceDef> aHierarchy : serviceDefHelper.getResourceHierarchies(RangerPolicy.POLICY_TYPE_ACCESS)) { - createDefaultPolicy(createdService, vXUser, aHierarchy); + RangerPolicy policy = new RangerPolicy(); + createDefaultPolicy(policy, createdService, vXUser, aHierarchy); + policy = createPolicy(policy); } } } @@ -2380,13 +2385,8 @@ public class ServiceDBStore extends AbstractServiceStore { return ret; } - private void createDefaultPolicy(XXService createdService, VXUser vXUser, List<RangerResourceDef> resourceHierarchy) throws Exception { - String adminPrincipal = PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL); - String adminKeytab = PropertiesUtil.getProperty(ADMIN_USER_KEYTAB); - String authType = PropertiesUtil.getProperty(RANGER_AUTH_TYPE); - String lookupPrincipal = PropertiesUtil.getProperty(LOOKUP_PRINCIPAL); - String lookupKeytab = PropertiesUtil.getProperty(LOOKUP_KEYTAB); - RangerPolicy policy = new RangerPolicy(); + void createDefaultPolicy(RangerPolicy policy, XXService createdService, VXUser vXUser, List<RangerResourceDef> resourceHierarchy) throws Exception { + String policyName=buildPolicyName(resourceHierarchy); policy.setIsEnabled(true); @@ -2395,73 +2395,130 @@ public class ServiceDBStore extends AbstractServiceStore { policy.setService(createdService.getName()); policy.setDescription("Policy for " + policyName); policy.setIsAuditEnabled(true); - + policy.setResources(createDefaultPolicyResource(resourceHierarchy)); - + if (vXUser != null) { List<RangerPolicyItem> policyItems = new ArrayList<RangerPolicyItem>(); - RangerPolicyItem policyItem = new RangerPolicyItem(); + List<XXAccessTypeDef> accessTypeDefs = daoMgr.getXXAccessTypeDef().findByServiceDefId(createdService.getType()); + //Create Default policy item for the service user + RangerPolicyItem policyItem = createDefaultPolicyItem(createdService, vXUser, accessTypeDefs); + policyItems.add(policyItem); + // For KMS add default policies for HDFS & HIVE users. + XXServiceDef xServiceDef = daoMgr.getXXServiceDef().getById(createdService.getType()); + if (xServiceDef.getImplclassname().equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) { + List<XXAccessTypeDef> hdfsAccessTypeDefs = new ArrayList<XXAccessTypeDef>(); + List<XXAccessTypeDef> hiveAccessTypeDefs = new ArrayList<XXAccessTypeDef>(); + for(XXAccessTypeDef accessTypeDef : accessTypeDefs) { + if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GET_METADATA)) { + hdfsAccessTypeDefs.add(accessTypeDef); + hiveAccessTypeDefs.add(accessTypeDef); + } else if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GENERATE_EEK)) { + hdfsAccessTypeDefs.add(accessTypeDef); + } else if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_DECRYPT_EEK)) { + hiveAccessTypeDefs.add(accessTypeDef); + } + } - List<String> users = new ArrayList<String>(); - users.add(vXUser.getName()); - VXUser vXLookupUser = getLookupUser(authType, lookupPrincipal, lookupKeytab); - - XXService xService = daoMgr.getXXService().findByName(createdService.getName()); - XXServiceDef xServiceDef = daoMgr.getXXServiceDef().getById(xService.getType()); - if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)){ - VXUser vXAdminUser = getLookupUser(authType, adminPrincipal, adminKeytab); - if(vXAdminUser != null){ - users.add(vXAdminUser.getName()); - } - }else if(vXLookupUser != null){ - users.add(vXLookupUser.getName()); - }else{ - // do nothing + String hdfsUser = PropertiesUtil.getProperty("ranger.kms.service.user.hdfs", "hdfs"); + if (hdfsUser != null && !hdfsUser.isEmpty()) { + XXUser xxUser = daoMgr.getXXUser().findByUserName(hdfsUser); + if (xxUser != null) { + vXUser = xUserService.populateViewBean(xxUser); + } else { + vXUser = xUserMgr.createServiceConfigUser(hdfsUser); + } + if (vXUser != null) { + LOG.info("Creating default KMS policy item for " + hdfsUser); + policyItem = createDefaultPolicyItem(createdService, vXUser, hdfsAccessTypeDefs); + policyItems.add(policyItem); + } + } + + String hiveUser = PropertiesUtil.getProperty("ranger.kms.service.user.hive", "hive"); + if (hiveUser != null && !hiveUser.isEmpty()) { + XXUser xxUser = daoMgr.getXXUser().findByUserName(hiveUser); + if (xxUser != null) { + vXUser = xUserService.populateViewBean(xxUser); + } else { + vXUser = xUserMgr.createServiceConfigUser(hiveUser); + } + if (vXUser != null) { + LOG.info("Creating default KMS policy item for " + hiveUser); + policyItem = createDefaultPolicyItem(createdService, vXUser, hiveAccessTypeDefs); + policyItems.add(policyItem); + } + } } - - RangerService rangerService = getServiceByName(createdService.getName()); - if (rangerService != null){ - Map<String, String> map = rangerService.getConfigs(); - if (map != null && map.containsKey(AMBARI_SERVICE_CHECK_USER)){ - String userNames = map.get(AMBARI_SERVICE_CHECK_USER); - String[] userList = userNames.split(","); - if(userList != null){ - for (String userName : userList) { - if(!StringUtils.isEmpty(userName)){ - XXUser xxUser = daoMgr.getXXUser().findByUserName(userName); - if (xxUser != null) { - vXUser = xUserService.populateViewBean(xxUser); - } else { - vXUser = xUserMgr.createServiceConfigUser(userName); - LOG.info("Creating Ambari Service Check User : "+vXUser.getName()); - } - if(vXUser != null){ - users.add(vXUser.getName()); - } + policy.setPolicyItems(policyItems); + } + } + + private RangerPolicyItem createDefaultPolicyItem(XXService createdService, VXUser vXUser, List<XXAccessTypeDef> accessTypeDefs) throws Exception { + String adminPrincipal = PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL); + String adminKeytab = PropertiesUtil.getProperty(ADMIN_USER_KEYTAB); + String authType = PropertiesUtil.getProperty(RANGER_AUTH_TYPE); + String lookupPrincipal = PropertiesUtil.getProperty(LOOKUP_PRINCIPAL); + String lookupKeytab = PropertiesUtil.getProperty(LOOKUP_KEYTAB); + + RangerPolicyItem policyItem = new RangerPolicyItem(); + + List<String> users = new ArrayList<String>(); + users.add(vXUser.getName()); + VXUser vXLookupUser = getLookupUser(authType, lookupPrincipal, lookupKeytab); + + XXService xService = daoMgr.getXXService().findByName(createdService.getName()); + XXServiceDef xServiceDef = daoMgr.getXXServiceDef().getById(xService.getType()); + if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)){ + VXUser vXAdminUser = getLookupUser(authType, adminPrincipal, adminKeytab); + if(vXAdminUser != null){ + users.add(vXAdminUser.getName()); + } + }else if(vXLookupUser != null){ + users.add(vXLookupUser.getName()); + }else{ + // do nothing + } + + RangerService rangerService = getServiceByName(createdService.getName()); + if (rangerService != null){ + Map<String, String> map = rangerService.getConfigs(); + if (map != null && map.containsKey(AMBARI_SERVICE_CHECK_USER)){ + String userNames = map.get(AMBARI_SERVICE_CHECK_USER); + String[] userList = userNames.split(","); + if(userList != null){ + for (String userName : userList) { + if(!StringUtils.isEmpty(userName)){ + XXUser xxUser = daoMgr.getXXUser().findByUserName(userName); + if (xxUser != null) { + vXUser = xUserService.populateViewBean(xxUser); + } else { + vXUser = xUserMgr.createServiceConfigUser(userName); + LOG.info("Creating Ambari Service Check User : "+vXUser.getName()); + } + if(vXUser != null){ + users.add(vXUser.getName()); } } } } } - policyItem.setUsers(users); - - List<XXAccessTypeDef> accessTypeDefs = daoMgr.getXXAccessTypeDef().findByServiceDefId(createdService.getType()); - List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>(); - for(XXAccessTypeDef accessTypeDef : accessTypeDefs) { - RangerPolicyItemAccess access = new RangerPolicyItemAccess(); - access.setType(accessTypeDef.getName()); - access.setIsAllowed(true); - accesses.add(access); - } - policyItem.setAccesses(accesses); + } + policyItem.setUsers(users); - policyItem.setDelegateAdmin(true); - policyItems.add(policyItem); - policy.setPolicyItems(policyItems); + List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>(); + for(XXAccessTypeDef accessTypeDef : accessTypeDefs) { + RangerPolicyItemAccess access = new RangerPolicyItemAccess(); + access.setType(accessTypeDef.getName()); + access.setIsAllowed(true); + accesses.add(access); } - policy = createPolicy(policy); + policyItem.setAccesses(accesses); + + policyItem.setDelegateAdmin(true); + return policyItem; } - + private VXUser getLookupUser(String authType, String lookupPrincipal, String lookupKeytab) { VXUser vXUser = null; if(!StringUtils.isEmpty(authType) && authType.equalsIgnoreCase(KERBEROS_TYPE)){ http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4da0f20a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml ---------------------------------------------------------------------- diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml index 54bad58..c1a91ae 100644 --- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml +++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml @@ -279,4 +279,13 @@ <name>ranger.downloadpolicy.session.log.enabled</name> <value>false</value> </property> + <!-- Service user for KMS --> + <property> + <name>ranger.kms.service.user.hdfs</name> + <value>hdfs</value> + </property> + <property> + <name>ranger.kms.service.user.hive</name> + <value>hive</value> + </property> </configuration> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4da0f20a/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java ---------------------------------------------------------------------- diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java b/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java index aaafde0..a3cd613 100644 --- a/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java @@ -45,6 +45,7 @@ import org.apache.ranger.plugin.model.RangerServiceDef.RangerEnumElementDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerPolicyConditionDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef; import org.apache.ranger.plugin.model.RangerServiceDef.RangerServiceConfigDef; +import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; import org.apache.ranger.plugin.store.PList; import org.apache.ranger.plugin.store.ServicePredicateUtil; import org.apache.ranger.plugin.util.SearchFilter; @@ -136,6 +137,22 @@ public class TestServiceDBStore { .getCurrentUserSession(); currentUserSession.setUserAdmin(true); } + + private XXAccessTypeDef rangerKmsAccessTypes(String accessTypeName, int itemId) { + XXAccessTypeDef accessTypeDefObj = new XXAccessTypeDef(); + accessTypeDefObj.setAddedByUserId(Id); + accessTypeDefObj.setCreateTime(new Date()); + accessTypeDefObj.setDefid(Long.valueOf(itemId)); + accessTypeDefObj.setId(Long.valueOf(itemId)); + accessTypeDefObj.setItemId(Long.valueOf(itemId)); + accessTypeDefObj.setLabel(accessTypeName); + accessTypeDefObj.setName(accessTypeName); + accessTypeDefObj.setOrder(null); + accessTypeDefObj.setRbkeylabel(null); + accessTypeDefObj.setUpdatedByUserId(Id); + accessTypeDefObj.setUpdateTime(new Date()); + return accessTypeDefObj; + } private RangerServiceDef rangerServiceDef() { List<RangerServiceConfigDef> configs = new ArrayList<RangerServiceConfigDef>(); @@ -205,6 +222,28 @@ public class TestServiceDBStore { return rangerService; } + + private RangerService rangerKMSService() { + Map<String, String> configs = new HashMap<String, String>(); + configs.put("username", "servicemgr"); + configs.put("password", "servicemgr"); + configs.put("provider", "kmsurl"); + + RangerService rangerService = new RangerService(); + rangerService.setId(Id); + rangerService.setConfigs(configs); + rangerService.setCreateTime(new Date()); + rangerService.setDescription("service kms policy"); + rangerService.setGuid("1427365526516_835_1"); + rangerService.setIsEnabled(true); + rangerService.setName("KMS_1"); + rangerService.setPolicyUpdateTime(new Date()); + rangerService.setType("7"); + rangerService.setUpdatedBy("Admin"); + rangerService.setUpdateTime(new Date()); + + return rangerService; + } private RangerPolicy rangerPolicy() { List<RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicyItemAccess>(); @@ -2649,4 +2688,131 @@ public class TestServiceDBStore { Assert.assertNotNull(policyList); Mockito.verify(daoManager).getXXPolicy(); } + + @Test + public void test41createKMSService() throws Exception { + XXServiceDefDao xServiceDefDao = Mockito.mock(XXServiceDefDao.class); + XXPolicy xPolicy = Mockito.mock(XXPolicy.class); + XXPolicyDao xPolicyDao = Mockito.mock(XXPolicyDao.class); + XXAccessTypeDefDao xAccessTypeDefDao = Mockito + .mock(XXAccessTypeDefDao.class); + XXServiceDao xServiceDao = Mockito.mock(XXServiceDao.class); + XXServiceConfigMapDao xServiceConfigMapDao = Mockito + .mock(XXServiceConfigMapDao.class); + XXUserDao xUserDao = Mockito.mock(XXUserDao.class); + XXServiceConfigDefDao xServiceConfigDefDao = Mockito + .mock(XXServiceConfigDefDao.class); + XXService xService = Mockito.mock(XXService.class); + XXUser xUser = Mockito.mock(XXUser.class); + XXServiceDef xServiceDef = Mockito.mock(XXServiceDef.class); + Mockito.when(daoManager.getXXServiceDef()).thenReturn(xServiceDefDao); + Mockito.when(xServiceDefDao.findByName("KMS_1")).thenReturn( + xServiceDef); + Mockito.when(xService.getName()).thenReturn( + "KMS_1"); + Mockito.when(xServiceDao.findByName("KMS_1")).thenReturn( + xService); + Mockito.when(!bizUtil.hasAccess(xService, null)).thenReturn(true); + + RangerService rangerService = rangerKMSService(); + VXUser vXUser = null; + String userName = "servicemgr"; + Mockito.when(xService.getType()).thenReturn(Long.valueOf(rangerService.getType())); + Mockito.when(xServiceDefDao.getById(Long.valueOf(rangerService.getType()))).thenReturn(xServiceDef); + Mockito.when(xServiceDef.getImplclassname()).thenReturn(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME); + List<XXServiceConfigDef> svcConfDefList = new ArrayList<XXServiceConfigDef>(); + XXServiceConfigDef serviceConfigDefObj = new XXServiceConfigDef(); + serviceConfigDefObj.setId(Id); + serviceConfigDefObj.setType("7"); + svcConfDefList.add(serviceConfigDefObj); + Mockito.when(daoManager.getXXServiceConfigDef()).thenReturn( + xServiceConfigDefDao); + Mockito.when(xServiceConfigDefDao.findByServiceDefName(userName)) + .thenReturn(svcConfDefList); + + Mockito.when(svcService.create(rangerService)).thenReturn(rangerService); + + Mockito.when(daoManager.getXXService()).thenReturn(xServiceDao); + Mockito.when(xServiceDao.getById(rangerService.getId())).thenReturn( + xService); + Mockito.when(daoManager.getXXServiceConfigMap()).thenReturn( + xServiceConfigMapDao); + + Mockito.when(stringUtil.getValidUserName(userName)) + .thenReturn(userName); + Mockito.when(daoManager.getXXUser()).thenReturn(xUserDao); + Mockito.when(xUserDao.findByUserName(userName)).thenReturn(xUser); + + Mockito.when(xUserService.populateViewBean(xUser)).thenReturn(vXUser); + Mockito.when(xUserMgr.createServiceConfigUser(userName)).thenReturn(vXUser); + VXUser vXUserHdfs = new VXUser(); + vXUserHdfs.setName("hdfs"); + vXUserHdfs.setPassword("hdfs"); + Mockito.when(xUserMgr.createServiceConfigUser("hdfs")).thenReturn(vXUserHdfs); + VXUser vXUserHive = new VXUser(); + vXUserHive.setName("hive"); + vXUserHive.setPassword("hive"); + Mockito.when(xUserMgr.createServiceConfigUser("hive")).thenReturn(vXUserHive); + + XXServiceConfigMap xConfMap = new XXServiceConfigMap(); + Mockito.when(rangerAuditFields.populateAuditFields(xConfMap, xService)) + .thenReturn(xService); + + Mockito.when(svcService.getPopulatedViewObject(xService)).thenReturn( + rangerService); + + Mockito.when( + rangerAuditFields.populateAuditFields( + Mockito.isA(XXServiceConfigMap.class), + Mockito.isA(XXService.class))).thenReturn(xConfMap); + + Mockito.when(daoManager.getXXPolicy()).thenReturn(xPolicyDao); + + Mockito.when(xPolicyDao.getById(Id)).thenReturn(xPolicy); + + + List<XXAccessTypeDef> accessTypeDefList = new ArrayList<XXAccessTypeDef>(); + accessTypeDefList.add(rangerKmsAccessTypes("getmetadata", 7)); + accessTypeDefList.add(rangerKmsAccessTypes("generateeek", 8)); + accessTypeDefList.add(rangerKmsAccessTypes("decrypteek", 9)); + + RangerServiceDef ran = new RangerServiceDef(); + ran.setName("KMS Test"); + Mockito.when(serviceDefService.read(1L)).thenReturn(ran); + Long serviceDefId = ran.getId(); + + ServiceDBStore spy = Mockito.spy(serviceDBStore); + + Mockito.when(daoManager.getXXAccessTypeDef()).thenReturn( + xAccessTypeDefDao); + Mockito.when(xAccessTypeDefDao.findByServiceDefId(serviceDefId)) + .thenReturn(accessTypeDefList); + Mockito.when(spy.getServiceByName("KMS_1")).thenReturn( + rangerService); + Mockito.doNothing().when(spy).createDefaultPolicies(xService, vXUser); + + RangerPolicy policy = new RangerPolicy(); + RangerResourceDef resourceDef = new RangerResourceDef(); + resourceDef.setItemId(Id); + resourceDef.setName("keyname"); + resourceDef.setType("string"); + resourceDef.setType("string"); + resourceDef.setLabel("Key Name"); + resourceDef.setDescription("Key Name"); + + List<RangerResourceDef> resourceHierarchy = new ArrayList<RangerResourceDef>(); + resourceHierarchy.addAll(resourceHierarchy); + + spy.createService(rangerService); + vXUser = new VXUser(); + vXUser.setName(userName); + vXUser.setPassword(userName); + + spy.createDefaultPolicy(policy, xService, vXUser, resourceHierarchy); + + Mockito.verify(daoManager, Mockito.atLeast(1)).getXXService(); + Mockito.verify(daoManager).getXXServiceConfigMap(); + //Assert.assertNull(policy); + Assert.assertEquals(3, policy.getPolicyItems().size()); + } }
