Repository: incubator-ranger Updated Branches: refs/heads/master 3682de522 -> 29faab04b
RANGER-1078 : Grant and Revoke are not working as expected Signed-off-by: Velmurugan Periasamy <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/77b101f1 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/77b101f1 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/77b101f1 Branch: refs/heads/master Commit: 77b101f171fa6df024fa032ce573c3c5f845f61b Parents: 3682de5 Author: Ankita Sinha <[email protected]> Authored: Tue Jul 5 13:35:00 2016 +0530 Committer: Velmurugan Periasamy <[email protected]> Committed: Wed Jul 6 13:10:46 2016 -0400 ---------------------------------------------------------------------- .../java/org/apache/ranger/biz/RangerBizUtil.java | 18 ++++++++++++++++++ .../java/org/apache/ranger/rest/ServiceREST.java | 12 +++++++----- 2 files changed, 25 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/77b101f1/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java ----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index c769ae4..e0a9840 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -1562,4 +1562,22 @@ public class RangerBizUtil { return false; } + public boolean isUserAllowedForGrantRevoke(RangerService rangerService, + String cfgNameAllowedUsers, String userName) { + Map<String, String> map = rangerService.getConfigs(); + + if (map != null && map.containsKey(cfgNameAllowedUsers)) { + String userNames = map.get(cfgNameAllowedUsers); + String[] userList = userNames.split(","); + if (userList != null) { + for (String u : userList) { + if (u.equals("*") || (userName != null && u.equalsIgnoreCase(userName))) { + return true; + } + } + } + } + return false; + } + } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/77b101f1/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index 6146984..587de2d 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java @@ -965,7 +965,7 @@ public class ServiceREST { Set<String> userGroups = userMgr.getGroupsForUser(userName); RangerAccessResource resource = new RangerAccessResourceImpl(grantRequest.getResource()); boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource); - + XXService xService = daoManager.getXXService().findByName(serviceName); XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); RangerService rangerService = svcStore.getServiceByName(serviceName); 
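Review bot: `isUserAllowedForGrantRevoke` makes an authorization decision from a raw config string without guarding its shape: `map.get(cfgNameAllowedUsers)` can be null for a key that is present, so `userNames.split(",")` can throw, and entries are not trimmed, so a list written as `a, b` never matches `b`. The `userList != null` test is dead, since `split` never returns null. Two behaviours deserve a Javadoc line or an explicit decision: `*` returns true even when `userName` is null, and `equalsIgnoreCase` treats names that differ only in case as the same user, which is safe only if the identity source is case-insensitive (not visible here). The rewrite below keeps the wildcard and case semantics as committed and adds only the null guard and the trim.

```java
public boolean isUserAllowedForGrantRevoke(RangerService rangerService,
        String cfgNameAllowedUsers, String userName) {
    Map<String, String> map = rangerService.getConfigs();
    // A present key may still map to null; treat that as "nobody listed".
    String userNames = (map != null) ? map.get(cfgNameAllowedUsers) : null;
    if (userNames == null) {
        return false;
    }
    for (String u : userNames.split(",")) {
        String entry = u.trim(); // tolerate "a, b" style lists
        if (entry.equals("*") || (userName != null && entry.equalsIgnoreCase(userName))) {
            return true;
        }
    }
    return false;
}
```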
@@ -974,14 +974,14 @@ public class ServiceREST { if (isKeyAdmin) { isAllowed = true; }else { - isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Grant_Revoke); + isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName); } }else{ if (isAdmin) { isAllowed = true; } else{ - isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Grant_Revoke); + isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName); } } @@ -1035,6 +1035,7 @@ public class ServiceREST { } }else{ LOG.error("secureGrantAccess(" + serviceName + ", " + grantRequest + ") failed as User doesn't have permission to grant Policy"); + throw restErrorUtil.createGrantRevokeRESTException( "User doesn't have necessary permission to grant access"); } } catch(WebApplicationException excp) { throw excp; @@ -1146,14 +1147,14 @@ public class ServiceREST { if (isKeyAdmin) { isAllowed = true; }else { - isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Grant_Revoke); + isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName); } }else{ if (isAdmin) { isAllowed = true; } else{ - isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Grant_Revoke); + isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName); } } @@ -1175,6 +1176,7 @@ public class ServiceREST { } }else{ LOG.error("secureRevokeAccess(" + serviceName + ", " + revokeRequest + ") failed as User doesn't have permission to revoke Policy"); + throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to revoke access"); } } catch(WebApplicationException excp) { throw excp;
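Review bot: The allow-list check in the hunk at -974 now keys on `userName`, so the decision is only as trustworthy as that value; its assignment is outside this hunk, and if it is read from the grant request body rather than from the authenticated session, the caller chooses the name that gets checked. This is worth confirming and recording in a comment above the call, e.g. `// userName must be the authenticated caller, not a request-supplied field`. The same call is repeated in both branches here and again in the revoke hunk at -1146; `isAllowed = isAdmin || bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName);` (and the `isKeyAdmin` equivalent) would say the same with less to keep in sync. The enclosing method starts and ends outside the hunk.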
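Review bot: The `LOG.error` line ahead of the new `throw` in the hunk at -1035 does not name the user who was refused (unless `grantRequest`'s string form carries it, which is not visible here), so denied grant attempts are hard to attribute from the log alone; the revoke hunk at -1175 has the same gap. Consider adding `userName` to both messages, e.g. `"secureGrantAccess(" + serviceName + ", " + grantRequest + ") denied for user " + userName`. Whether `createGrantRevokeRESTException` returns a `WebApplicationException` decides if the exception passes through the `catch(WebApplicationException excp)` just below unchanged or is handled by a later catch outside the hunk, so a test asserting the HTTP status returned on denial would pin the intended behaviour.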
