RANGER-1099 : keyadmin user is not able to create service/repo using public apis

Signed-off-by: Velmurugan Periasamy <[email protected]>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/7bc2f89e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/7bc2f89e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/7bc2f89e

Branch: refs/heads/master
Commit: 7bc2f89e25b656ca9e80d41d6f4cb1531350f502
Parents: 35e9c10
Author: Ankita Sinha <[email protected]>
Authored: Wed Jul 13 15:24:17 2016 +0530
Committer: Velmurugan Periasamy <[email protected]>
Committed: Wed Jul 13 17:16:34 2016 -0400

----------------------------------------------------------------------
 .../main/java/org/apache/ranger/rest/ServiceREST.java  | 13 +++++++++++--
 .../security/context/RangerPreAuthSecurityHandler.java |  2 +-
 2 files changed, 12 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7bc2f89e/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git 
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 5a45c8f..6cb1968 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -455,15 +455,24 @@ public class ServiceREST {
                        validator.validate(service, Action.CREATE);
 
                        UserSessionBase session = 
ContextUtil.getCurrentUserSession();
+                       XXServiceDef xxServiceDef = 
daoManager.getXXServiceDef().findByName(service.getType());
                        if(session != null && !session.isSpnegoEnabled()){
                                bizUtil.hasAdminPermissions("Services");
 
                                // TODO: As of now we are allowing SYS_ADMIN to 
create all the
                                // services including KMS
-
-                               XXServiceDef xxServiceDef = 
daoManager.getXXServiceDef().findByName(service.getType());
                                bizUtil.hasKMSPermissions("Service", 
xxServiceDef.getImplclassname());
                        }
+                       if(session != null && session.isSpnegoEnabled()){
+                               if (session.isKeyAdmin() && 
!xxServiceDef.getImplclassname().equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME))
 {
+                                       throw 
restErrorUtil.createRESTException("KeyAdmin can create/update/delete only KMS ",
+                                                       
MessageEnums.OPER_NO_PERMISSION);
+                               }
+                               if ((!session.isKeyAdmin() && 
!session.isUserAdmin()) && 
xxServiceDef.getImplclassname().equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME))
 {
+                                       throw 
restErrorUtil.createRESTException("User cannot create/update/delete KMS 
Service",
+                                                       
MessageEnums.OPER_NO_PERMISSION);
+                               }
+                       }
                        ret = svcStore.createService(service);
                } catch(WebApplicationException excp) {
                        throw excp;
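Review bot: The new SPNEGO branch dereferences `xxServiceDef` and `xxServiceDef.getImplclassname()` with no null guard, and because the lookup was hoisted above both branches, a service type for which `findByName` returns null (if it can) now surfaces as a NullPointerException rather than a REST error in both the SPNEGO and non-SPNEGO paths. Flipping the comparison to `EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xxServiceDef.getImplclassname())` removes the null risk on the implementation-class name, and guarding the lookup result turns an unknown type into a clean client error; the KMS predicate is also computed twice, so evaluating it once keeps the two checks in step. The thrown messages mention create/update/delete, but this hunk guards only the create path — verify that the update and delete handlers apply the same keyadmin rule, ideally through a shared helper rather than a second inline copy. The enclosing createService method starts and ends outside the hunk.
```java
XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(service.getType());
if (xxServiceDef == null) {
    throw restErrorUtil.createRESTException("Unknown service type: " + service.getType(),
            MessageEnums.DATA_NOT_FOUND);
}
boolean isKmsService = EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xxServiceDef.getImplclassname());
// … unchanged: non-SPNEGO admin / KMS permission checks …
if (session != null && session.isSpnegoEnabled()) {
    if (session.isKeyAdmin() && !isKmsService) {
        throw restErrorUtil.createRESTException("KeyAdmin can create/update/delete only KMS ",
                MessageEnums.OPER_NO_PERMISSION);
    }
    if (!session.isKeyAdmin() && !session.isUserAdmin() && isKmsService) {
        throw restErrorUtil.createRESTException("User cannot create/update/delete KMS Service",
                MessageEnums.OPER_NO_PERMISSION);
    }
}
```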

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7bc2f89e/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
----------------------------------------------------------------------
diff --git 
a/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
 
b/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
index 899d866..fe225c7 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
@@ -97,7 +97,7 @@ public class RangerPreAuthSecurityHandler {
                UserSessionBase userSession = 
ContextUtil.getCurrentUserSession();
                if (userSession != null && userSession.isSpnegoEnabled()) {
                        return true;
-               }else if(userSession != null && userSession.isUserAdmin()){
+               }else if(userSession != null && (userSession.isUserAdmin() || 
userSession.isKeyAdmin())){
                        return true;
                }
                throw 
restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is 
not allowed to access the API", true);
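Review bot: Admitting `isKeyAdmin()` on the changed `else if` widens this coarse-grained gate for every API that routes through the handler, not only the service-create path that RANGER-1099 targets; the KMS-only restriction is enforced separately in ServiceREST, so any other endpoint behind this handler that previously relied on the `isUserAdmin()` check here appears to become reachable by a keyadmin unless it performs its own role check. That intent deserves a comment on the changed line, e.g. `// keyadmin passes this coarse check; KMS-only scoping is enforced per endpoint (see ServiceREST)`, together with a pass over the callers of this handler to confirm each one scopes keyadmin appropriately. The enclosing method starts outside the hunk.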
