Repository: incubator-ranger Updated Branches: refs/heads/master 1bd0e0498 -> 7bc2f89e2
RANGER-1094 : One way SSL (when Kerberos is enabled) for Ranger and its plugins
Signed-off-by: Velmurugan Periasamy <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/07982526
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/07982526
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/07982526
Branch: refs/heads/master
Commit: 07982526f67964f1b32e315fc5382456fafdd7eb
Parents: 1bd0e04
Author: Ankita Sinha <[email protected]>
Authored: Mon Jul 11 19:50:40 2016 +0530
Committer: Velmurugan Periasamy <[email protected]>
Committed: Wed Jul 13 17:15:55 2016 -0400
----------------------------------------------------------------------
 .../ranger/plugin/util/RangerRESTClient.java | 5 ++-
 .../org/apache/ranger/common/ServiceUtil.java | 43 +++++++++++++++++---
 .../org/apache/ranger/rest/ServiceREST.java | 6 +--
 3 files changed, 44 insertions(+), 10 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/07982526/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
index 7cfd040..8eb9b27 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
@@ -349,7 +349,7 @@ public class RangerRESTClient { private SSLContext getSSLContext(KeyManager[] kmList, TrustManager[] tmList) { try { - if(kmList != null && tmList != null) { + if(tmList != null) { SSLContext sslContext = SSLContext.getInstance(RANGER_SSL_CONTEXT_ALGO_TYPE); sslContext.init(kmList, tmList, new SecureRandom()); @@ -360,8 +360,9 @@ public class RangerRESTClient { LOG.error("SSL algorithm is available in the environment", e); } catch (KeyManagementException e) { LOG.error("Unable to initials the SSLContext", e); + }catch (Exception e) { + LOG.error("Unable to initialize the SSLContext", e); } - return null; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/07982526/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java b/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java index 7355e3d..c1baae8 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java @@ -1340,11 +1340,7 @@ public class ServiceUtil { RangerService service = null; try { - if(null != request.getAttribute("downloadPolicy") && StringUtils.equalsIgnoreCase(request.getAttribute("downloadPolicy").toString(), "secure")){ - service = svcStore.getServiceByNameForDP(serviceName); - }else{ - service = svcStore.getServiceByName(serviceName); - } + service = svcStore.getServiceByName(serviceName); } catch (Exception e) { LOG.error("Requested Service not found. serviceName=" + serviceName); throw restErrorUtil.createRESTException("Service:" + serviceName + " not found", 
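Review bot: The relaxed guard `if(tmList != null)` in getSSLContext lets a null `kmList` reach `sslContext.init(kmList, tmList, new SecureRandom())`, and nothing in the method records that this is intended. A null key-manager array is accepted by `SSLContext.init`, so the code works, but the next reader cannot tell a deliberate one-way SSL setup from a keystore that failed to load; a comment above the guard would settle it, for example `// kmList may be null: one-way SSL, no client key material is presented`. The method body continues outside this hunk.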
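Review bot: The added `catch (Exception e)` in getSSLContext logs and then falls through to `return null`, so any failure while building the context, including an unexpected runtime error, looks the same to the caller as "no trust managers configured". How callers treat a null SSLContext is not visible in this hunk; if they go on to build a client without it, the configured truststore would be dropped silently, so failing closed is the safer choice, e.g. `throw new IllegalStateException("Unable to initialize the SSLContext", e);`. `SSLContext.getInstance` and `init` declare only NoSuchAlgorithmException and KeyManagementException, so the catch-all mainly hides programming errors. The method starts outside the hunk.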
@@ -1461,6 +1457,43 @@ public class ServiceUtil { return isValidAuthentication; } + public boolean isValidService(String serviceName, HttpServletRequest request){ + boolean isValid = true; + if (serviceName == null || serviceName.isEmpty()) { + LOG.error("ServiceName not provided"); + isValid = false; + throw restErrorUtil.createRESTException("Unauthorized access.", + MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + } + + RangerService service = null; + try { + if(null != request.getAttribute("downloadPolicy") && StringUtils.equalsIgnoreCase(request.getAttribute("downloadPolicy").toString(), "secure")){ + service = svcStore.getServiceByNameForDP(serviceName); + }else{ + service = svcStore.getServiceByName(serviceName); + } + } catch (Exception e) { + isValid = false; + LOG.error("Requested Service not found. serviceName=" + serviceName); + throw restErrorUtil.createRESTException("Service:" + serviceName + " not found", + MessageEnums.DATA_NOT_FOUND); + } + if(service==null){ + isValid = false; + LOG.error("Requested Service not found. serviceName=" + serviceName); + throw restErrorUtil.createRESTException("Service:" + serviceName + " not found", + MessageEnums.DATA_NOT_FOUND); + } + if(!service.getIsEnabled()){ + isValid = false; + LOG.error("Requested Service is disabled. serviceName=" + serviceName); + throw restErrorUtil.createRESTException("Unauthorized access.", + MessageEnums.OPER_NOT_ALLOWED_FOR_STATE); + } + return isValid; + } + private boolean matchNames(String target, String source, boolean wildcardMatch) { boolean matched = false; if(target != null && source != null) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/07982526/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index 0d1e552..5a45c8f 100644 
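Review bot: In the added `isValidService`, the `catch (Exception e)` around the store lookup logs only the service name and rethrows a "not found" REST error, so a store or database failure is indistinguishable from a missing service and the cause never reaches the log; pass the exception along with `LOG.error("Requested Service not found. serviceName=" + serviceName, e);`. The `isValid` flag is dead state: every branch that sets it to false throws on the following statement, so the method only ever returns true or throws, and a Javadoc comment should state that contract. `serviceName` is written to the log and echoed in the error message as received; if it comes straight from the request path, which this hunk does not show, stripping line breaks before logging would be prudent. The lookup and its error handling also duplicate the block edited in the earlier hunk of this file.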
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java @@ -956,7 +956,7 @@ public class ServiceREST { RangerPerfTracer perf = null; boolean isAllowed = false; boolean isKeyAdmin = bizUtil.isKeyAdmin(); - if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) { + if (serviceUtil.isValidService(serviceName, request)) { try { if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.scureGrantAccess(serviceName=" + serviceName + ")"); @@ -1127,7 +1127,7 @@ public class ServiceREST { } RESTResponse ret = new RESTResponse(); RangerPerfTracer perf = null; - if (serviceUtil.isValidateHttpsAuthentication(serviceName,request)) { + if (serviceUtil.isValidService(serviceName,request)) { try { if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.secureRevokeAccess(serviceName=" + serviceName + ")"); @@ -1846,7 +1846,7 @@ public class ServiceREST { boolean isAdmin = bizUtil.isAdmin(); boolean isKeyAdmin = bizUtil.isKeyAdmin(); request.setAttribute("downloadPolicy", "secure"); - if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) { + if (serviceUtil.isValidService(serviceName, request)) { if (lastKnownVersion == null) { lastKnownVersion = Long.valueOf(-1); }
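Review bot: All three hunks in ServiceREST.java replace `isValidateHttpsAuthentication` with `isValidService`, and the new helper, as added to ServiceUtil.java in this commit, only confirms that the service exists and is enabled; it never inspects the caller. Whatever per-request check the old helper performed (its name suggests a client-certificate check, but its body is not shown here) is therefore gone from the secure grant, revoke and policy-download paths, and the swap is unconditional even though the commit title limits the change to deployments with Kerberos enabled. If caller authentication is now delegated to a filter in front of these methods, say so at each call site, e.g. `// caller is authenticated upstream (Kerberos); isValidService only checks that the service exists and is enabled`, or keep the old check when Kerberos is off. The enclosing methods start and end outside the hunks.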
