RANGER-1041 : Failure to sync one user to admin causes other users/groups also not to be synced from usersync to admin
Signed-off-by: Velmurugan Periasamy <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/321c9d96
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/321c9d96
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/321c9d96
Branch: refs/heads/master
Commit: 321c9d96321ac1e7248ee159723377eb46b5fa08
Parents: e2fe01c
Author: pradeep agrawal <[email protected]>
Authored: Tue Jun 21 10:24:12 2016 +0530
Committer: Velmurugan Periasamy <[email protected]>
Committed: Tue Jun 21 15:18:36 2016 -0400
----------------------------------------------------------------------
.../java/org/apache/ranger/biz/SessionMgr.java | 12 +-
.../java/org/apache/ranger/biz/XUserMgr.java | 117 ++++++++++---------
.../ranger/solr/SolrAccessAuditsService.java | 4 +-
.../process/FileSourceUserGroupBuilder.java | 35 +++---
.../process/PolicyMgrUserGroupBuilder.java | 27 ++++-
.../process/UnixUserGroupBuilder.java | 8 +-
.../ranger/usergroupsync/UserGroupSync.java | 20 ++--
7 files changed, 137 insertions(+), 86 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/321c9d96/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
index 6fcf754..2e9d6d5 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java 
@@ -124,7 +124,7 @@ public class SessionMgr { if (newSessionCreation) { - getSpnegoAuthCheckForAPI(currentLoginId, httpRequest); + getSSOSpnegoAuthCheckForAPI(currentLoginId, httpRequest); // Need to build the UserSession XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(currentLoginId); if (gjUser == null) { @@ -202,12 +202,16 @@ public class SessionMgr { return userSession; } - private void getSpnegoAuthCheckForAPI(String currentLoginId, HttpServletRequest request) { + private void getSSOSpnegoAuthCheckForAPI(String currentLoginId, HttpServletRequest request) { + + RangerSecurityContext context = RangerContextHolder.getSecurityContext(); + UserSessionBase session = context != null ? context.getUserSession() : null; + boolean ssoEnabled = session != null ? session.isSSOEnabled() : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false); XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(currentLoginId); - if (gjUser == null && request.getAttribute("spnegoEnabled") != null && (boolean)request.getAttribute("spnegoEnabled")) { + if (gjUser == null && ((request.getAttribute("spnegoEnabled") != null && (boolean)request.getAttribute("spnegoEnabled")) || (ssoEnabled))) { if(logger.isDebugEnabled()){ - logger.debug("User : "+currentLoginId+" doesn't exist in Ranger DB So creating user as it's spnego authenticated"); + logger.debug("User : "+currentLoginId+" doesn't exist in Ranger DB So creating user as it's SSO or Spnego authenticated"); } xUserMgr.createServiceConfigUser(currentLoginId); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/321c9d96/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index ca27580..43de760 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 
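Review bot: In the `@@ -202` hunk the auto-provisioning branch of getSSOSpnegoAuthCheckForAPI now fires on `ssoEnabled`, which, when no session exists yet (this method is called on the `newSessionCreation` path), falls back to the deployment-wide `ranger.sso.enabled` property rather than to evidence that this particular request was SSO-authenticated, unlike the per-request `spnegoEnabled` attribute it sits next to. If any non-SSO authentication path can reach this method with a login id absent from the Ranger DB while that property is on, the login would be created as a service-config user; the callers are outside the hunk so this may be excluded upstream, but the asymmetry deserves either a comment explaining why the global flag is sufficient or a per-request signal set by the SSO filter, e.g. `boolean ssoEnabled = session != null ? session.isSSOEnabled() : Boolean.TRUE.equals(request.getAttribute(SSO_REQUEST_ATTRIBUTE /* placeholder: name set by the SSO filter */));`. The method also keeps a `get...` name while returning void and creating a user as a side effect; `ensure...` or `check...` would read more honestly. The enclosing class continues outside both hunks.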
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 
@@ -1821,57 +1821,70 @@ public class XUserMgr extends XUserMgrBase { } @Transactional(readOnly = false, propagation = Propagation.REQUIRED) - public VXUser createServiceConfigUser(String userName){ - if (userName == null || "null".equalsIgnoreCase(userName) || userName.trim().isEmpty()) { - logger.error("User Name: "+userName); - throw restErrorUtil.createRESTException("Please provide a valid username.",MessageEnums.INVALID_INPUT_DATA); - } - VXUser vXUser = null; - VXPortalUser vXPortalUser=null; - XXUser xxUser = daoManager.getXXUser().findByUserName(userName); - XXPortalUser xXPortalUser = daoManager.getXXPortalUser().findByLoginId(userName); - String actualPassword = ""; - if(xxUser!=null && xXPortalUser!=null){ - vXUser = xUserService.populateViewBean(xxUser); - return vXUser; - } - if(xxUser==null){ - vXUser=new VXUser(); - vXUser.setName(userName); - vXUser.setUserSource(RangerCommonEnums.USER_EXTERNAL); - vXUser.setDescription(vXUser.getName()); - actualPassword = vXUser.getPassword(); - } - if(xXPortalUser==null){ - vXPortalUser=new VXPortalUser(); - vXPortalUser.setLoginId(userName); - vXPortalUser.setEmailAddress(guidUtil.genGUID()); - vXPortalUser.setFirstName(vXUser.getFirstName()); - vXPortalUser.setLastName(vXUser.getLastName()); - vXPortalUser.setPassword(vXUser.getPassword()); - vXPortalUser.setUserSource(RangerCommonEnums.USER_EXTERNAL); - ArrayList<String> roleList = new ArrayList<String>(); - roleList.add(RangerConstants.ROLE_USER); - vXPortalUser.setUserRoleList(roleList); - xXPortalUser = userMgr.mapVXPortalUserToXXPortalUser(vXPortalUser); - xXPortalUser=userMgr.createUser(xXPortalUser, RangerCommonEnums.STATUS_ENABLED, roleList); - } - VXUser createdXUser=null; - if(xxUser==null && vXUser!=null){ - createdXUser = xUserService.createResource(vXUser); - } - if(createdXUser!=null){ - logger.info("User created: "+createdXUser.getName()); - createdXUser.setPassword(actualPassword); - List<XXTrxLog> trxLogList = 
xUserService.getTransactionLog(createdXUser, "create"); - String hiddenPassword = PropertiesUtil.getProperty("ranger.password.hidden", "*****"); - createdXUser.setPassword(hiddenPassword); - xaBizUtil.createTrxLog(trxLogList); - if(xXPortalUser!=null){ - vXPortalUser=userMgr.mapXXPortalUserToVXPortalUserForDefaultAccount(xXPortalUser); - assignPermissionToUser(vXPortalUser, true); - } - } - return createdXUser; + public VXUser createServiceConfigUser(String userName){ + if (userName == null || "null".equalsIgnoreCase(userName) || userName.trim().isEmpty()) { + logger.error("User Name: "+userName); + throw restErrorUtil.createRESTException("Please provide a valid username.",MessageEnums.INVALID_INPUT_DATA); + } + VXUser vXUser = null; + VXPortalUser vXPortalUser=null; + XXUser xxUser = daoManager.getXXUser().findByUserName(userName); + XXPortalUser xXPortalUser = daoManager.getXXPortalUser().findByLoginId(userName); + String actualPassword = ""; + if(xxUser!=null){ + vXUser = xUserService.populateViewBean(xxUser); + return vXUser; + } + if(xxUser==null){ + vXUser=new VXUser(); + vXUser.setName(userName); + vXUser.setUserSource(RangerCommonEnums.USER_EXTERNAL); + vXUser.setDescription(vXUser.getName()); + actualPassword = vXUser.getPassword(); + } + if(xXPortalUser==null){ + vXPortalUser=new VXPortalUser(); + vXPortalUser.setLoginId(userName); + vXPortalUser.setEmailAddress(guidUtil.genGUID()); + vXPortalUser.setFirstName(vXUser.getFirstName()); + vXPortalUser.setLastName(vXUser.getLastName()); + vXPortalUser.setPassword(vXUser.getPassword()); + vXPortalUser.setUserSource(RangerCommonEnums.USER_EXTERNAL); + ArrayList<String> roleList = new ArrayList<String>(); + roleList.add(RangerConstants.ROLE_USER); + vXPortalUser.setUserRoleList(roleList); + xXPortalUser = userMgr.mapVXPortalUserToXXPortalUser(vXPortalUser); + xXPortalUser=userMgr.createUser(xXPortalUser, RangerCommonEnums.STATUS_ENABLED, roleList); + } + VXUser createdXUser=null; + if(xxUser==null && 
vXUser!=null){ + try{ + createdXUser = xUserService.createResource(vXUser); + }catch(Exception ex){ + logger.error("Error creating user: "+createdXUser.getName(),ex); + } + } + if(createdXUser!=null){ + try{ + logger.info("User created: "+createdXUser.getName()); + createdXUser.setPassword(actualPassword); + List<XXTrxLog> trxLogList = xUserService.getTransactionLog(createdXUser, "create"); + String hiddenPassword = PropertiesUtil.getProperty("ranger.password.hidden", "*****"); + createdXUser.setPassword(hiddenPassword); + xaBizUtil.createTrxLog(trxLogList); + if(xXPortalUser!=null){ + vXPortalUser=userMgr.mapXXPortalUserToVXPortalUserForDefaultAccount(xXPortalUser); + assignPermissionToUser(vXPortalUser, true); + } + }catch(Exception ex){ + logger.error("Error while assigning permissions to user: "+createdXUser.getName(),ex); + } + }else{ + xxUser = daoManager.getXXUser().findByUserName(userName); + if(xxUser!=null){ + createdXUser = xUserService.populateViewBean(xxUser); + } + } + return createdXUser; } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/321c9d96/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java b/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java index 0d6eefa..322f442 100644 --- a/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java +++ b/security-admin/src/main/java/org/apache/ranger/solr/SolrAccessAuditsService.java 
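Review bot: In the new `catch(Exception ex)` around `xUserService.createResource(vXUser)`, `createdXUser` is still null when the handler runs (the assignment is exactly what failed), so `createdXUser.getName()` throws NullPointerException from inside the catch and the exception this commit set out to contain escapes anyway; log the input instead: `logger.error("Error creating user: "+userName,ex);`. The early return was also narrowed from `xxUser!=null && xXPortalUser!=null` to `xxUser!=null`, so an existing XXUser with no matching portal user no longer gets one created; if that is intended, a one-line comment above the return saying so would stop the next reader from "fixing" it back. Note too that the method is `@Transactional`; if createResource runs inside the same transaction and marks it rollback-only before throwing, the swallowed exception will resurface at commit time rather than being contained here, which is worth confirming against the service's transaction settings before relying on this catch.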
@@ -167,7 +167,9 @@ public class SolrAccessAuditsService { private VXAccessAudit populateViewBean(SolrDocument doc) { VXAccessAudit accessAudit = new VXAccessAudit(); Object value = null; - logger.info("doc=" + doc.toString()); + if(logger.isDebugEnabled()) { + logger.debug("doc=" + doc.toString()); + } value = doc.getFieldValue("id"); if (value != null) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/321c9d96/ugsync/src/main/java/org/apache/ranger/unixusersync/process/FileSourceUserGroupBuilder.java ---------------------------------------------------------------------- diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/FileSourceUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/FileSourceUserGroupBuilder.java index 54e47f6..e41bb68 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/FileSourceUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/FileSourceUserGroupBuilder.java 
@@ -93,25 +93,28 @@ public class FileSourceUserGroupBuilder extends AbstractUserGroupSource { @Override public void updateSink(UserGroupSink sink) throws Throwable { buildUserGroupInfo(); - + String user=null; + List<String> groups=null; for (Map.Entry<String, List<String>> entry : user2GroupListMap.entrySet()) { - String user = entry.getKey(); - - if (userNameRegExInst != null) { - user = userNameRegExInst.transform(user); - } - - List<String> groups = entry.getValue(); - - if (groupNameRegExInst != null) { - List<String> mappedGroups = new ArrayList<>(); - for (String group : groups) { - mappedGroups.add(groupNameRegExInst.transform(group)); + user = entry.getKey(); + try{ + if (userNameRegExInst != null) { + user = userNameRegExInst.transform(user); + } + groups = entry.getValue(); + if (groupNameRegExInst != null) { + List<String> mappedGroups = new ArrayList<>(); + for (String group : groups) { + mappedGroups.add(groupNameRegExInst.transform(group)); + } + groups = mappedGroups; } - groups = mappedGroups; + sink.addOrUpdateUser(user, groups); + }catch (Throwable t) { + LOG.error("sink.addOrUpdateUser failed with exception: " + t.getMessage() + + ", for user: " + user + + ", groups: " + groups); } - - sink.addOrUpdateUser(user, groups); } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/321c9d96/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java ---------------------------------------------------------------------- diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java index df029c2..0c62b35 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java 
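Review bot: The new `catch (Throwable t)` logs only `t.getMessage()`, which drops the stack trace and is null for many exception types, so the very failure RANGER-1041 is about becomes hard to diagnose; pass the throwable as the last argument, `LOG.error("sink.addOrUpdateUser failed with exception: " + t.getMessage() + ", for user: " + user + ", groups: " + groups, t);` — the same applies to the `@@ -136` hunk of UnixUserGroupBuilder.java and the `@@ -371`/`@@ -387` hunks of PolicyMgrUserGroupBuilder.java, whereas the `@@ -586` and `@@ -629` hunks there already pass the throwable. Catching `Throwable` also swallows `Error`s such as OutOfMemoryError and keeps iterating in a possibly broken JVM; `catch (Exception e)` is the safer choice unless the sink contract deliberately throws Throwable (addOrUpdateUser's declaration is not in the hunk). Hoisting `user` and `groups` above the loop so the catch can log them is fine, but `groups` is only assigned after `userNameRegExInst.transform(user)`, so if that transform throws the log line reports the previous entry's groups; resetting `groups = null;` at the top of each iteration avoids the stale value.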
@@ -371,7 +371,12 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { if (!addGroups.isEmpty()){ ugInfo.setXuserInfo(addXUserInfo(userName)); ugInfo.setXgroupInfo(getXGroupInfoList(addGroups)); - addUserGroupInfo(ugInfo); + try{ + addUserGroupInfo(ugInfo); + }catch(Throwable t){ + LOG.error("PolicyMgrUserGroupBuilder.addUserGroupInfo failed with exception: " + t.getMessage() + + ", for user-group entry: " + ugInfo); + } } addXUserGroupInfo(user, addGroups) ; } @@ -387,7 +392,12 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { if (!updateGroups.isEmpty()){ ugInfo.setXuserInfo(addXUserInfo(userName)); ugInfo.setXgroupInfo(getXGroupInfoList(updateGroups)); - addUserGroupInfo(ugInfo); + try{ + addUserGroupInfo(ugInfo); + }catch(Throwable t){ + LOG.error("PolicyMgrUserGroupBuilder.addUserGroupInfo failed with exception: " + t.getMessage() + + ", for user-group entry: " + ugInfo); + } } } } @@ -586,7 +596,12 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { LOG.debug("USER GROUP MAPPING" + jsonString); } - String response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString) ; + String response = null; + try{ + response=r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString) ; + }catch(Throwable t){ + LOG.error("Failed to communicate Ranger Admin : ", t); + } if ( LOG.isDebugEnabled() ) { LOG.debug("RESPONSE: [" + response + "]") ; } 
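Review bot: In the `@@ -586` hunk a failed POST now leaves `response` null and execution falls through the debug log into the response handling, which lies outside the hunk; unless that code null-checks, the exception merely moves a few lines down, so return early (or rethrow) right after the `LOG.error` instead of continuing. In the `@@ -371` hunk, `addXUserGroupInfo(user, addGroups)` still runs after the try/catch when addUserGroupInfo has failed; if that method records the mapping in the builder's local state (inferred from its name, its body is not in the hunk), the failed user is remembered as synced and is not retried on the next run, which would silently lose exactly the user this fix is trying to keep. A guard such as a boolean set only on success, checked before `addXUserGroupInfo`, would preserve the retry. Each enclosing method starts and ends outside its hunk.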
@@ -629,7 +644,11 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { LOG.error("Failed to Authenticate Using given Principal and Keytab : ",e); } } else { - getUserGroupInfo(ret, usergroupInfo); + try { + getUserGroupInfo(ret, usergroupInfo); + } catch (Throwable t) { + LOG.error("Failed to add User Group Info : ", t); + } } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/321c9d96/ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java ---------------------------------------------------------------------- diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java index 12e6a93..c71bc90 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/UnixUserGroupBuilder.java @@ -136,7 +136,13 @@ public class UnixUserGroupBuilder implements UserGroupSource { String user = entry.getKey(); List<String> groups = entry.getValue(); - sink.addOrUpdateUser(user, groups); + try{ + sink.addOrUpdateUser(user, groups); + }catch (Throwable t) { + LOG.error("sink.addOrUpdateUser failed with exception: " + t.getMessage() + + ", for user: " + user + + ", groups: " + groups); + } } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/321c9d96/ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSync.java ---------------------------------------------------------------------- diff --git a/ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSync.java b/ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSync.java index 9d20aaa..cd610a1 100644 --- a/ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSync.java +++ b/ugsync/src/main/java/org/apache/ranger/usergroupsync/UserGroupSync.java 
@@ -107,15 +107,19 @@ public class UserGroupSync implements Runnable { private void syncUserGroup(boolean forceSync) throws Throwable { UserGroupSyncConfig config = UserGroupSyncConfig.getInstance() ; - if (config.isUserSyncEnabled()) { - if (forceSync || ugSource.isChanged()) { - LOG.info("Begin: update user/group from source==>sink"); - ugSource.updateSink(ugSink); - LOG.info("End: update user/group from source==>sink"); - } - else { - LOG.debug("UserGroupSource: no change found for synchronization.") ; + try{ + if (config.isUserSyncEnabled()) { + if (forceSync || ugSource.isChanged()) { + LOG.info("Begin: update user/group from source==>sink"); + ugSource.updateSink(ugSink); + LOG.info("End: update user/group from source==>sink"); + } + else { + LOG.debug("UserGroupSource: no change found for synchronization.") ; + } } + }catch(Throwable t){ + LOG.error("Failed to sync user/group : ", t); } }
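Review bot: syncUserGroup now catches `Throwable` around its whole body, so nothing can escape, yet the signature still declares `throws Throwable`; drop the clause so the caller (run() is outside the hunk) is not written to handle an exception that can no longer occur. Catching `Throwable` here also swallows `Error`s such as OutOfMemoryError and lets the scheduled loop carry on; prefer `catch (Exception e)` and let Errors propagate, or at least rethrow `Error` after logging. With the per-user builders in this commit now logging and continuing, a partially failed sync still ends with `End: update user/group from source==>sink` and nothing at this level says how many entries failed; an operator monitoring sync health would benefit from a failure count surfaced in that line.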
