Repository: incubator-ranger Updated Branches: refs/heads/master f9300ca97 -> c59ea527f
RANGER-1008: Catching & logging any exceptions while performing ldap search and continuing the usersync Signed-off-by: Velmurugan Periasamy <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/c59ea527 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/c59ea527 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/c59ea527 Branch: refs/heads/master Commit: c59ea527f5f878dae128c095d737d53a8fbd4ff4 Parents: f9300ca Author: Sailaja Polavarapu <[email protected]> Authored: Tue May 31 16:28:55 2016 -0700 Committer: Velmurugan Periasamy <[email protected]> Committed: Thu Jun 2 01:06:49 2016 -0400 ---------------------------------------------------------------------- .../process/LdapUserGroupBuilder.java | 200 ++++++++++--------- .../ranger/usergroupsync/LdapUserGroupTest.java | 38 ++++ 2 files changed, 143 insertions(+), 95 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c59ea527/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java ---------------------------------------------------------------------- diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java index 0b76883..bb9cf88 100644 --- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapUserGroupBuilder.java @@ -385,6 +385,7 @@ public class LdapUserGroupBuilder extends AbstractUserGroupSource { for (int ou=0; ou<userSearchBase.length; ou++) { byte[] cookie = null; int counter = 0; + try { do { userSearchResultEnum = ldapContext .search(userSearchBase[ou], extendedUserSearchFilter, 
@@ -559,7 +560,11 @@ public class LdapUserGroupBuilder extends AbstractUserGroupSource { } while (cookie != null); LOG.info("LDAPUserGroupBuilder.getUsers() completed with user count: " + counter); - + } catch (Throwable t) { + LOG.error("LDAPUserGroupBuilder.getUsers() failed with exception: " + t); + LOG.info("LDAPUserGroupBuilder.getUsers() user count: " + + counter); + } } } finally { 
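Review bot: The added `catch (Throwable t)` logs with `"... failed with exception: " + t`, which records only the exception's toString(), drops the stack trace, and does not name the search base that failed; the getGroups() hunk below repeats the same pattern. Pass the throwable as the logger's second argument and include the base, e.g. `LOG.error("LDAPUserGroupBuilder.getUsers() failed for search base " + userSearchBase[ou], t);`. Catching `Throwable` also swallows `Error`s such as OutOfMemoryError, so narrowing to `Exception` would be safer. Because the sync now continues with whatever was read, a partial result is visible only in the log; since this data feeds authorization decisions, consider recording the failure so the caller can tell a complete cycle from a partial one. The try body starts outside this hunk.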
@@ -586,115 +591,120 @@ public class LdapUserGroupBuilder extends AbstractUserGroupSource { for (int ou=0; ou<groupSearchBase.length; ou++) { byte[] cookie = null; int counter = 0; - do { - if (!groupSearchFirstEnabled) { - if (userInfo == null) { - // Should never reach this. - LOG.error("No user information provided for group search!"); - return; - } - groupSearchResultEnum = ldapContext - .search(groupSearchBase[ou], extendedGroupSearchFilter, - new Object[]{userInfo.getUserFullName(), userInfo.getUserName()}, - groupSearchControls); - } else { - // If group based search is enabled, then first retrieve all the groups based on the group configuration. - groupSearchResultEnum = ldapContext - .search(groupSearchBase[ou], extendedAllGroupsSearchFilter, - groupSearchControls); - } - while (groupSearchResultEnum.hasMore()) { - final SearchResult groupEntry = groupSearchResultEnum.next(); - if (groupEntry != null) { - counter++; - Attribute groupNameAttr = groupEntry.getAttributes().get(groupNameAttribute); - if (groupNameAttr == null) { - if (LOG.isInfoEnabled()) { - LOG.info(groupNameAttribute + " empty for entry " + groupEntry.getNameInNamespace() + - ", skipping sync"); - } - continue; + try { + do { + if (!groupSearchFirstEnabled) { + if (userInfo == null) { + // Should never reach this. + LOG.error("No user information provided for group search!"); + return; } - String gName = (String) groupNameAttr.get(); - if (groupNameCaseConversionFlag) { - if (groupNameLowerCaseFlag) { - gName = gName.toLowerCase(); - } else { - gName = gName.toUpperCase(); + groupSearchResultEnum = ldapContext + .search(groupSearchBase[ou], extendedGroupSearchFilter, + new Object[]{userInfo.getUserFullName(), userInfo.getUserName()}, + groupSearchControls); + } else { + // If group based search is enabled, then first retrieve all the groups based on the group configuration. 
+ groupSearchResultEnum = ldapContext + .search(groupSearchBase[ou], extendedAllGroupsSearchFilter, + groupSearchControls); + } + while (groupSearchResultEnum.hasMore()) { + final SearchResult groupEntry = groupSearchResultEnum.next(); + if (groupEntry != null) { + counter++; + Attribute groupNameAttr = groupEntry.getAttributes().get(groupNameAttribute); + if (groupNameAttr == null) { + if (LOG.isInfoEnabled()) { + LOG.info(groupNameAttribute + " empty for entry " + groupEntry.getNameInNamespace() + + ", skipping sync"); + } + continue; } - } - if (groupNameRegExInst != null) { - gName = groupNameRegExInst.transform(gName); - } - if (!groupSearchFirstEnabled) { - //computedGroups.add(gName); - if (LOG.isInfoEnabled()) { - LOG.info("computed groups for user: " + userInfo.getUserName() +", groups: " + gName); + String gName = (String) groupNameAttr.get(); + if (groupNameCaseConversionFlag) { + if (groupNameLowerCaseFlag) { + gName = gName.toLowerCase(); + } else { + gName = gName.toUpperCase(); + } } - userInfo.addGroup(gName); - } else { - // If group based search is enabled, then - // update the group name to ranger admin - // check for group members and populate userInfo object with user's full name and group mapping - Attribute groupMemberAttr = groupEntry.getAttributes().get(groupMemberAttributeName); - LOG.debug("Update Ranger admin with " + gName); - sink.addOrUpdateGroup(gName); - int userCount = 0; - if (groupMemberAttr == null || groupMemberAttr.size() <= 0) { - LOG.info("No members available for " + gName); - continue; + if (groupNameRegExInst != null) { + gName = groupNameRegExInst.transform(gName); } - NamingEnumeration<?> userEnum = groupMemberAttr.getAll(); - while (userEnum.hasMore()) { - String originalUserFullName = (String) userEnum.next(); - if (originalUserFullName == null || originalUserFullName.trim().isEmpty()) { + if (!groupSearchFirstEnabled) { + //computedGroups.add(gName); + if (LOG.isInfoEnabled()) { + LOG.info("computed groups for user: 
" + userInfo.getUserName() +", groups: " + gName); + } + userInfo.addGroup(gName); + } else { + // If group based search is enabled, then + // update the group name to ranger admin + // check for group members and populate userInfo object with user's full name and group mapping + Attribute groupMemberAttr = groupEntry.getAttributes().get(groupMemberAttributeName); + LOG.debug("Update Ranger admin with " + gName); + sink.addOrUpdateGroup(gName); + int userCount = 0; + if (groupMemberAttr == null || groupMemberAttr.size() <= 0) { + LOG.info("No members available for " + gName); continue; } - String userFullName = originalUserFullName.toLowerCase(); - userCount++; - if (!userGroupMap.containsKey(userFullName)) { - userInfo = new UserInfo(userFullName, originalUserFullName); // Preserving the original full name for later - userGroupMap.put(userFullName, userInfo); - } else { - userInfo = userGroupMap.get(userFullName); + NamingEnumeration<?> userEnum = groupMemberAttr.getAll(); + while (userEnum.hasMore()) { + String originalUserFullName = (String) userEnum.next(); + if (originalUserFullName == null || originalUserFullName.trim().isEmpty()) { + continue; + } + String userFullName = originalUserFullName.toLowerCase(); + userCount++; + if (!userGroupMap.containsKey(userFullName)) { + userInfo = new UserInfo(userFullName, originalUserFullName); // Preserving the original full name for later + userGroupMap.put(userFullName, userInfo); + } else { + userInfo = userGroupMap.get(userFullName); + } + LOG.info("Adding " + gName + " to user " + userInfo.getUserFullName()); + userInfo.addGroup(gName); } - LOG.info("Adding " + gName + " to user " + userInfo.getUserFullName()); - userInfo.addGroup(gName); + LOG.info("No. of members in the group " + gName + " = " + userCount); } - LOG.info("No. 
of members in the group " + gName + " = " + userCount); } } - } - // Examine the paged results control response - Control[] controls = ldapContext.getResponseControls(); - if (controls != null) { - for (int i = 0; i < controls.length; i++) { - if (controls[i] instanceof PagedResultsResponseControl) { - PagedResultsResponseControl prrc = - (PagedResultsResponseControl)controls[i]; - total = prrc.getResultSize(); - if (total != 0) { - LOG.debug("END-OF-PAGE total : " + total); - } else { - LOG.debug("END-OF-PAGE total : unknown"); + // Examine the paged results control response + Control[] controls = ldapContext.getResponseControls(); + if (controls != null) { + for (int i = 0; i < controls.length; i++) { + if (controls[i] instanceof PagedResultsResponseControl) { + PagedResultsResponseControl prrc = + (PagedResultsResponseControl)controls[i]; + total = prrc.getResultSize(); + if (total != 0) { + LOG.debug("END-OF-PAGE total : " + total); + } else { + LOG.debug("END-OF-PAGE total : unknown"); + } + cookie = prrc.getCookie(); } - cookie = prrc.getCookie(); } + } else { + LOG.debug("No controls were sent from the server"); } - } else { - LOG.debug("No controls were sent from the server"); - } - // Re-activate paged results - if (pagedResultsEnabled) { - ldapContext.setRequestControls(new Control[]{ - new PagedResultsControl(PAGE_SIZE, cookie, Control.CRITICAL) }); - } - } while (cookie != null); - LOG.info("LDAPUserGroupBuilder.getGroups() completed with group count: " - + counter); + // Re-activate paged results + if (pagedResultsEnabled) { + ldapContext.setRequestControls(new Control[]{ + new PagedResultsControl(PAGE_SIZE, cookie, Control.CRITICAL) }); + } + } while (cookie != null); + LOG.info("LDAPUserGroupBuilder.getGroups() completed with group count: " + + counter); + } catch (Throwable t) { + LOG.error("LDAPUserGroupBuilder.getGroups() failed with exception: " + t); + LOG.info("LDAPUserGroupBuilder.getGroups() group count: " + + counter); + } } - } finally { if 
(groupSearchResultEnum != null) { groupSearchResultEnum.close(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c59ea527/ugsync/src/test/java/org/apache/ranger/usergroupsync/LdapUserGroupTest.java ---------------------------------------------------------------------- diff --git a/ugsync/src/test/java/org/apache/ranger/usergroupsync/LdapUserGroupTest.java b/ugsync/src/test/java/org/apache/ranger/usergroupsync/LdapUserGroupTest.java index 4355c4d..673a88e 100644 --- a/ugsync/src/test/java/org/apache/ranger/usergroupsync/LdapUserGroupTest.java +++ b/ugsync/src/test/java/org/apache/ranger/usergroupsync/LdapUserGroupTest.java 
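Review bot: When a search fails after at least one page has been read, the catch at the end of this hunk moves on to the next `groupSearchBase[ou]` without resetting the paged-results request control, so the next search may be sent with the failed base's cookie; nothing between the `for` line and the first `ldapContext.search` call in this hunk clears it. Resetting the control when `pagedResultsEnabled` is set, in the catch or at the top of each iteration, with `new PagedResultsControl(PAGE_SIZE, null, Control.CRITICAL)` would keep one failed base from affecting the next. In group-search-first mode `sink.addOrUpdateGroup(gName)` has already run for the entries read before the failure, so a partial group set reaches Ranger admin; the error message should name `groupSearchBase[ou]` so an operator can see which base was cut short. The enclosing method starts and ends outside this hunk.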
@@ -515,6 +515,44 @@ public class LdapUserGroupTest extends AbstractLdapTestUnit{ assertFalse(group.contains("=")); } } + + @Test + public void testGBWithInvalidOU() throws Throwable { + config.setUserSearchBase("DC=ranger,DC=qe,DC=hortonworks,DC=com;"); + config.setUserSearchFilter("cn=User*"); + config.setGroupSearchBase("OU=HdpGroup1,OU=HadoopUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com;OU=Groups,DC=ranger,DC=qe,DC=hortonworks,DC=com"); + config.setGroupSearchFilter("cn=*Group10"); + config.setUserGroupMemberAttributeName("member"); + config.setUserObjectClass("organizationalPerson"); + config.setGroupObjectClass("groupOfNames"); + config.setGroupSearchFirstEnabled(true); + config.setUserSearchEnabled(false); + ldapBuilder.init(); + PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest(); + sink.init(); + ldapBuilder.updateSink(sink); + assertEquals(1, sink.getTotalUsers()); + assertEquals(1, sink.getTotalGroups()); + } + + @Test + public void testMultipleOUInvalidOU() throws Throwable { + config.setUserSearchBase("cn=users,DC=ranger,DC=qe,DC=hortonworks,DC=com;ou=HadoopUsers1,DC=ranger,DC=qe,DC=hortonworks,DC=com;ou=BusinessUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com"); + config.setUserSearchFilter("cn=*"); + config.setGroupSearchBase("OU=HdpGroups,OU=HadoopUsers,DC=ranger,DC=qe,DC=hortonworks,DC=com;OU=Groups1,DC=ranger,DC=qe,DC=hortonworks,DC=com"); + config.setGroupSearchFilter("cn=*"); + config.setUserGroupMemberAttributeName("member"); + config.setUserObjectClass("organizationalPerson"); + config.setGroupObjectClass("groupOfNames"); + config.setGroupSearchEnabled(true); + config.setGroupSearchFirstEnabled(false); + ldapBuilder.init(); + PolicyMgrUserGroupBuilderTest sink = new PolicyMgrUserGroupBuilderTest(); + sink.init(); + ldapBuilder.updateSink(sink); + assertEquals(110, sink.getTotalUsers()); + assertEquals(0, sink.getTotalGroups()); + } @After public void shutdown() throws Exception {
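Review bot: Neither new test says which search base is the invalid one or where the expected counts (1/1 and 110/0) come from; the invalid entries appear to be `OU=HdpGroup1`, `ou=HadoopUsers1` and `OU=Groups1`, which differ from the valid-looking names by a single trailing digit. A comment above each `setUserSearchBase`/`setGroupSearchBase` call, such as `// OU=HdpGroup1 does not exist in the test directory; sync must skip it and still read OU=Groups`, would make the intent reviewable. Both tests appear to cover only a base that fails on its first search, so a failure after the first page of a paged search is not exercised.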
