Repository: incubator-ranger Updated Branches: refs/heads/master 42501a542 -> 0b9904391
RANGER-1060:Ranger Hbase and Hive Plugin Grant Revoke REST call should send the right http response when authorization fails in kerberized cluster Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/0b990439 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/0b990439 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/0b990439 Branch: refs/heads/master Commit: 0b99043918c867e54d3f46a61b59ae10446dd034 Parents: 42501a5 Author: rmani <[email protected]> Authored: Mon Jun 27 10:00:02 2016 -0700 Committer: rmani <[email protected]> Committed: Mon Jun 27 10:00:02 2016 -0700
----------------------------------------------------------------------
 .../admin/client/RangerAdminRESTClient.java | 4 ++--
 .../org/apache/ranger/common/RESTErrorUtil.java | 25 ++++++++++++++++++++
 .../org/apache/ranger/rest/ServiceREST.java | 8 +++----
 3 files changed, 31 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0b990439/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
index 139aeba..3975b18 100644
--- a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
+++ b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
@@ -168,7 +168,7 @@ public class RangerAdminRESTClient implements RangerAdminClient {
 throw new AccessControlException();
 }
- throw new Exception("HTTP " + response.getStatus());
+ throw new Exception("HTTP " + response.getStatus() + " Error: " + resp.getMessage());
 } else if(response == null) {
 throw new Exception("unknown error during grantAccess. serviceName=" + serviceName);
 }
@@ -214,7 +214,7 @@ public class RangerAdminRESTClient implements RangerAdminClient {
 throw new AccessControlException();
 }
- throw new Exception("HTTP " + response.getStatus());
+ throw new Exception("HTTP " + response.getStatus() + " Error: " + resp.getMessage());
 } else if(response == null) {
 throw new Exception("unknown error. revokeAccess(). serviceName=" + serviceName);
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0b990439/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java b/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java
index bf53db2..dae5f00 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java
@@ -29,6 +29,7 @@ import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Response;
 import org.apache.log4j.Logger;
+import org.apache.ranger.admin.client.datatype.RESTResponse;
 import org.apache.ranger.view.VXMessage;
 import org.apache.ranger.view.VXResponse;
 import org.springframework.beans.factory.annotation.Autowired;
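Review bot: The `throw new AccessControlException();` kept as context just above the changed line in the -168 hunk may no longer be reached for authorization failures, because the server side of this commit now answers a denied grant or revoke with SC_FORBIDDEN instead of SC_UNAUTHORIZED. The condition guarding that throw lies outside the hunk, so please confirm it also treats 403 as an access-control failure, for example `response.getStatus() == 401 || response.getStatus() == 403`; otherwise plugin callers receive a generic `Exception` for a denial. The same applies to the revokeAccess hunk at -214. `resp` is declared outside both hunks, and its message is server-supplied text, so anything that later displays or logs this exception message should treat it as untrusted.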
@@ -137,6 +138,30 @@ public class RESTErrorUtil {
 }
+ public WebApplicationException createGrantRevokeRESTException(String logMessage) {
+ RESTResponse resp = new RESTResponse();
+ resp.setMsgDesc(logMessage);
+
+ Response errorResponse = Response.status(
+ javax.servlet.http.HttpServletResponse.SC_FORBIDDEN).entity(resp).build();
+
+ WebApplicationException restException = new WebApplicationException(
+ errorResponse);
+ restException.fillInStackTrace();
+ UserSessionBase userSession = ContextUtil.getCurrentUserSession();
+ Long sessionId = null;
+ String loginId = null;
+ if (userSession != null) {
+ loginId = userSession.getLoginId();
+ sessionId = userSession.getSessionId();
+ }
+
+ logger.info("Request failed. SessionId=" + sessionId + ", loginId="
+ + loginId + ", logMessage=" + logMessage,
+ restException);
+
+ return restException;
+ }
 public Integer parseInt(String value, String errorMessage,
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0b990439/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index a1c732c..77030fb 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -875,7 +875,7 @@ public class ServiceREST {
 boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
 if(!isAdmin) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "", true);
+ throw restErrorUtil.createGrantRevokeRESTException( "User doesn't have necessary permission to grant access");
 }
 RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource);
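Review bot: The parameter of `createGrantRevokeRESTException` is named `logMessage`, yet `resp.setMsgDesc(logMessage)` places the same text in the 403 response body, so any internal detail a later caller passes "for the log" is also returned to the client. The method has no Javadoc; it should state this, e.g. `@param logMessage text written to the admin log and returned to the caller in the response body; keep it free of internal details`. `restException.fillInStackTrace();` repeats what the `Throwable` constructor has already done and can be dropped. Passing `restException` as the second argument to `logger.info` writes a full stack trace for every denied grant or revoke; logging the denial line without the throwable keeps the record while making denials easier to scan and alert on.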
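Review bot: The denial thrown inside `if(!isAdmin)` in the -875 hunk carries only a fixed sentence, so the log line written by `createGrantRevokeRESTException` records the session's loginId but not the `userName`, `serviceName` or resource that `hasAdminAccess` has just rejected. In a kerberized setup the session login may be the plugin's principal rather than the end user (inferred, the session handling is not visible here), which would leave the denied requester out of the admin log. Consider logging those values before the throw with the class's own logger while keeping the client-facing text generic as it is now; the same applies to the hunks at -967, -1083 and -1142, whose enclosing methods all start and end outside the hunks. As a smaller point, the calls here and at -1142 are written `createGrantRevokeRESTException( "User…` with a stray space after the parenthesis, and the two message strings are each repeated and would read better as constants.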
@@ -967,7 +967,7 @@ public class ServiceREST {
 boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
 if(!isAdmin) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "", true);
+ throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to grant access");
 }
 // New Code
 XXService xService = daoManager.getXXService().findByName(serviceName);
@@ -1083,7 +1083,7 @@ public class ServiceREST {
 boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
 if(!isAdmin) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "", true);
+ throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to revoke access");
 }
 RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource);
@@ -1142,7 +1142,7 @@ public class ServiceREST {
 boolean isAllowed = false;
 boolean isKeyAdmin = bizUtil.isKeyAdmin();
 if(!isAdmin) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "", true);
+ throw restErrorUtil.createGrantRevokeRESTException( "User doesn't have necessary permission to revoke access");
 }
 XXService xService = daoManager.getXXService().findByName(serviceName);
