Repository: incubator-ranger Updated Branches: refs/heads/master 23c7b1148 -> 8762a8c79
RANGER-1090 : Revoke command with grant option does not disable delegated admin permission for users/groups in the corresponding policy Signed-off-by: Velmurugan Periasamy <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/8762a8c7 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/8762a8c7 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/8762a8c7 Branch: refs/heads/master Commit: 8762a8c795d09210fd7293cebf71603bffe644ec Parents: 23c7b11 Author: pradeep agrawal <[email protected]> Authored: Thu Jul 14 19:54:49 2016 +0530 Committer: Velmurugan Periasamy <[email protected]> Committed: Thu Jul 14 17:22:54 2016 -0400 ---------------------------------------------------------------------- .../java/org/apache/ranger/biz/XUserMgr.java | 9 + .../org/apache/ranger/rest/ServiceREST.java | 484 ++++++++++--------- .../org/apache/ranger/rest/ServiceRESTUtil.java | 78 ++- 3 files changed, 331 insertions(+), 240 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8762a8c7/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index 242a27e..86f9d96 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java @@ -168,6 +168,15 @@ public class XUserMgr extends XUserMgrBase { return vXUser; } + public VXGroup getGroupByGroupName(String groupName) { + VXGroup vxGroup = xGroupService.getGroupByGroupName(groupName); + if (vxGroup == null) { + throw restErrorUtil.createRESTException( + groupName + " is Not Found", MessageEnums.DATA_NOT_FOUND); + } + return vxGroup; + } + public VXUser createXUser(VXUser vXUser) { checkAdminAccess(); String userName = vXUser.getName(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8762a8c7/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index 6cb1968..1185e45 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java @@ -870,131 +870,25 @@ public class ServiceREST { RESTResponse ret = new RESTResponse(); RangerPerfTracer perf = null; - if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) { - - try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.grantAccess(serviceName=" + serviceName + ")"); - } - - String userName = grantRequest.getGrantor(); - Set<String> userGroups = userMgr.getGroupsForUser(userName); - RangerAccessResource resource = new RangerAccessResourceImpl(grantRequest.getResource()); - - boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource); - - if(!isAdmin) { - throw restErrorUtil.createGrantRevokeRESTException( "User doesn't have necessary permission to grant access"); - } - - RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource); - - if(policy != null) { - boolean policyUpdated = false; - policyUpdated = ServiceRESTUtil.processGrantRequest(policy, grantRequest); - - if(policyUpdated) { - svcStore.updatePolicy(policy); - } else { - LOG.error("processGrantRequest processing failed"); - throw new Exception("processGrantRequest processing failed"); - } - } else { - policy = new RangerPolicy(); - policy.setService(serviceName); - policy.setName("grant-" + System.currentTimeMillis()); // TODO: better policy name - policy.setDescription("created by grant"); - policy.setIsAuditEnabled(grantRequest.getEnableAudit()); - policy.setCreatedBy(userName); - - Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>(); - Set<String> resourceNames = resource.getKeys(); - - if(! CollectionUtils.isEmpty(resourceNames)) { - for(String resourceName : resourceNames) { - RangerPolicyResource policyResource = new RangerPolicyResource(resource.getValue(resourceName)); - policyResource.setIsRecursive(grantRequest.getIsRecursive()); - - policyResources.put(resourceName, policyResource); - } - } - policy.setResources(policyResources); + if(grantRequest!=null){ + if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) { - RangerPolicyItem policyItem = new RangerPolicyItem(); - - policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin()); - policyItem.getUsers().addAll(grantRequest.getUsers()); - policyItem.getGroups().addAll(grantRequest.getGroups()); - - for(String accessType : grantRequest.getAccessTypes()) { - policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE)); + try { + if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.grantAccess(serviceName=" + serviceName + ")"); } - policy.getPolicyItems().add(policyItem); - - svcStore.createPolicy(policy); - } - } catch(WebApplicationException excp) { - throw excp; - } catch(Throwable excp) { - LOG.error("grantAccess(" + serviceName + ", " + grantRequest + ") failed", excp); + validateGrantRevokeRequest(grantRequest); + String userName = grantRequest.getGrantor(); + Set<String> userGroups = userMgr.getGroupsForUser(userName); + RangerAccessResource resource = new RangerAccessResourceImpl(grantRequest.getResource()); - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); - } - - ret.setStatusCode(RESTResponse.STATUS_SUCCESS); - } - - if(LOG.isDebugEnabled()) { - LOG.debug("<== ServiceREST.grantAccess(" + serviceName + ", " + grantRequest + "): " + ret); - } + boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource); - return ret; - } - - @POST - @Path("/secure/services/grant/{serviceName}") - @Produces({ "application/json", "application/xml" }) - public RESTResponse secureGrantAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest grantRequest, @Context HttpServletRequest request) throws Exception { - if(LOG.isDebugEnabled()) { - LOG.debug("==> ServiceREST.secureGrantAccess(" + serviceName + ", " + grantRequest + ")"); - } - RESTResponse ret = new RESTResponse(); - RangerPerfTracer perf = null; - boolean isAllowed = false; - boolean isKeyAdmin = bizUtil.isKeyAdmin(); - if (serviceUtil.isValidService(serviceName, request)) { - try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.scureGrantAccess(serviceName=" + serviceName + ")"); - } - String userName = grantRequest.getGrantor(); - Set<String> userGroups = userMgr.getGroupsForUser(userName); - RangerAccessResource resource = new RangerAccessResourceImpl(grantRequest.getResource()); - boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource); - - XXService xService = daoManager.getXXService().findByName(serviceName); - XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); - RangerService rangerService = svcStore.getServiceByName(serviceName); - - if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) { - if (isKeyAdmin) { - isAllowed = true; - }else { - isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName); - } - }else{ - if (isAdmin) { - isAllowed = true; - } - else{ - isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName); + if(!isAdmin) { + throw restErrorUtil.createGrantRevokeRESTException( "User doesn't have necessary permission to grant access"); } - } - - if (isAllowed) { + RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource); if(policy != null) { @@ -1004,8 +898,8 @@ public class ServiceREST { if(policyUpdated) { svcStore.updatePolicy(policy); } else { - LOG.error("processSecureGrantRequest processing failed"); - throw new Exception("processSecureGrantRequest processing failed"); + LOG.error("processGrantRequest processing failed"); + throw new Exception("processGrantRequest processing failed"); } } else { policy = new RangerPolicy(); @@ -1042,21 +936,134 @@ public class ServiceREST { svcStore.createPolicy(policy); } - }else{ - LOG.error("secureGrantAccess(" + serviceName + ", " + grantRequest + ") failed as User doesn't have permission to grant Policy"); - throw restErrorUtil.createGrantRevokeRESTException( "User doesn't have necessary permission to grant access"); + } catch(WebApplicationException excp) { + throw excp; + } catch(Throwable excp) { + LOG.error("grantAccess(" + serviceName + ", " + grantRequest + ") failed", excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); } - } catch(WebApplicationException excp) { - throw excp; - } catch(Throwable excp) { - LOG.error("secureGrantAccess(" + serviceName + ", " + grantRequest + ") failed", excp); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); + + ret.setStatusCode(RESTResponse.STATUS_SUCCESS); } + } + if(LOG.isDebugEnabled()) { + LOG.debug("<== ServiceREST.grantAccess(" + serviceName + ", " + grantRequest + "): " + ret); + } + + return ret; + } - ret.setStatusCode(RESTResponse.STATUS_SUCCESS); + @POST + @Path("/secure/services/grant/{serviceName}") + @Produces({ "application/json", "application/xml" }) + public RESTResponse secureGrantAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest grantRequest, @Context HttpServletRequest request) throws Exception { + if(LOG.isDebugEnabled()) { + LOG.debug("==> ServiceREST.secureGrantAccess(" + serviceName + ", " + grantRequest + ")"); + } + RESTResponse ret = new RESTResponse(); + RangerPerfTracer perf = null; + boolean isAllowed = false; + boolean isKeyAdmin = bizUtil.isKeyAdmin(); + if(grantRequest!=null){ + if (serviceUtil.isValidService(serviceName, request)) { + try { + if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.scureGrantAccess(serviceName=" + serviceName + ")"); + } + + validateGrantRevokeRequest(grantRequest); + + String userName = grantRequest.getGrantor(); + Set<String> userGroups = userMgr.getGroupsForUser(userName); + RangerAccessResource resource = new RangerAccessResourceImpl(grantRequest.getResource()); + boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource); + + XXService xService = daoManager.getXXService().findByName(serviceName); + XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); + RangerService rangerService = svcStore.getServiceByName(serviceName); + + if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) { + if (isKeyAdmin) { + isAllowed = true; + }else { + isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName); + } + }else{ + if (isAdmin) { + isAllowed = true; + } + else{ + isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName); + } + } + + if (isAllowed) { + RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource); + + if(policy != null) { + boolean policyUpdated = false; + policyUpdated = ServiceRESTUtil.processGrantRequest(policy, grantRequest); + + if(policyUpdated) { + svcStore.updatePolicy(policy); + } else { + LOG.error("processSecureGrantRequest processing failed"); + throw new Exception("processSecureGrantRequest processing failed"); + } + } else { + policy = new RangerPolicy(); + policy.setService(serviceName); + policy.setName("grant-" + System.currentTimeMillis()); // TODO: better policy name + policy.setDescription("created by grant"); + policy.setIsAuditEnabled(grantRequest.getEnableAudit()); + policy.setCreatedBy(userName); + + Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>(); + Set<String> resourceNames = resource.getKeys(); + + if(! CollectionUtils.isEmpty(resourceNames)) { + for(String resourceName : resourceNames) { + RangerPolicyResource policyResource = new RangerPolicyResource(resource.getValue(resourceName)); + policyResource.setIsRecursive(grantRequest.getIsRecursive()); + + policyResources.put(resourceName, policyResource); + } + } + policy.setResources(policyResources); + + RangerPolicyItem policyItem = new RangerPolicyItem(); + + policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin()); + policyItem.getUsers().addAll(grantRequest.getUsers()); + policyItem.getGroups().addAll(grantRequest.getGroups()); + + for(String accessType : grantRequest.getAccessTypes()) { + policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE)); + } + + policy.getPolicyItems().add(policyItem); + + svcStore.createPolicy(policy); + } + }else{ + LOG.error("secureGrantAccess(" + serviceName + ", " + grantRequest + ") failed as User doesn't have permission to grant Policy"); + throw restErrorUtil.createGrantRevokeRESTException( "User doesn't have necessary permission to grant access"); + } + } catch(WebApplicationException excp) { + throw excp; + } catch(Throwable excp) { + LOG.error("secureGrantAccess(" + serviceName + ", " + grantRequest + ") failed", excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); + } + + ret.setStatusCode(RESTResponse.STATUS_SUCCESS); + } } if(LOG.isDebugEnabled()) { LOG.debug("<== ServiceREST.secureGrantAccess(" + serviceName + ", " + grantRequest + "): " + ret); @@ -1074,52 +1081,54 @@ public class ServiceREST { RESTResponse ret = new RESTResponse(); RangerPerfTracer perf = null; + if(revokeRequest!=null){ + if (serviceUtil.isValidateHttpsAuthentication(serviceName,request)) { - if (serviceUtil.isValidateHttpsAuthentication(serviceName,request)) { + try { + if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.revokeAccess(serviceName=" + serviceName + ")"); + } - try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.revokeAccess(serviceName=" + serviceName + ")"); - } + validateGrantRevokeRequest(revokeRequest); - String userName = revokeRequest.getGrantor(); - Set<String> userGroups = userMgr.getGroupsForUser(userName); - RangerAccessResource resource = new RangerAccessResourceImpl(revokeRequest.getResource()); + String userName = revokeRequest.getGrantor(); + Set<String> userGroups = userMgr.getGroupsForUser(userName); + RangerAccessResource resource = new RangerAccessResourceImpl(revokeRequest.getResource()); - boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource); - - if(!isAdmin) { - throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to revoke access"); - } - - RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource); - - if(policy != null) { - boolean policyUpdated = false; - policyUpdated = ServiceRESTUtil.processRevokeRequest(policy, revokeRequest); + boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource); + + if(!isAdmin) { + throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to revoke access"); + } - if(policyUpdated) { - svcStore.updatePolicy(policy); + RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource); + + if(policy != null) { + boolean policyUpdated = false; + policyUpdated = ServiceRESTUtil.processRevokeRequest(policy, revokeRequest); + + if(policyUpdated) { + svcStore.updatePolicy(policy); + } else { + LOG.error("processRevokeRequest processing failed"); + throw new Exception("processRevokeRequest processing failed"); + } } else { - LOG.error("processRevokeRequest processing failed"); - throw new Exception("processRevokeRequest processing failed"); + // nothing to revoke! } - } else { - // nothing to revoke! + } catch(WebApplicationException excp) { + throw excp; + } catch(Throwable excp) { + LOG.error("revokeAccess(" + serviceName + ", " + revokeRequest + ") failed", excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); } - } catch(WebApplicationException excp) { - throw excp; - } catch(Throwable excp) { - LOG.error("revokeAccess(" + serviceName + ", " + revokeRequest + ") failed", excp); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); + + ret.setStatusCode(RESTResponse.STATUS_SUCCESS); } - - ret.setStatusCode(RESTResponse.STATUS_SUCCESS); } - if(LOG.isDebugEnabled()) { LOG.debug("<== ServiceREST.revokeAccess(" + serviceName + ", " + revokeRequest + "): " + ret); } @@ -1136,68 +1145,73 @@ public class ServiceREST { } RESTResponse ret = new RESTResponse(); RangerPerfTracer perf = null; - if (serviceUtil.isValidService(serviceName,request)) { - try { - if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { - perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.secureRevokeAccess(serviceName=" + serviceName + ")"); - } - String userName = revokeRequest.getGrantor(); - Set<String> userGroups = userMgr.getGroupsForUser(userName); - RangerAccessResource resource = new RangerAccessResourceImpl(revokeRequest.getResource()); - boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource); - boolean isAllowed = false; - boolean isKeyAdmin = bizUtil.isKeyAdmin(); - - XXService xService = daoManager.getXXService().findByName(serviceName); - XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); - RangerService rangerService = svcStore.getServiceByName(serviceName); - - if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) { - if (isKeyAdmin) { - isAllowed = true; - }else { - isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName); - } - }else{ - if (isAdmin) { - isAllowed = true; + if(revokeRequest!=null){ + if (serviceUtil.isValidService(serviceName,request)) { + try { + if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.secureRevokeAccess(serviceName=" + serviceName + ")"); } - else{ - isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName); + + validateGrantRevokeRequest(revokeRequest); + + String userName = revokeRequest.getGrantor(); + Set<String> userGroups = userMgr.getGroupsForUser(userName); + RangerAccessResource resource = new RangerAccessResourceImpl(revokeRequest.getResource()); + boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource); + boolean isAllowed = false; + boolean isKeyAdmin = bizUtil.isKeyAdmin(); + + XXService xService = daoManager.getXXService().findByName(serviceName); + XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); + RangerService rangerService = svcStore.getServiceByName(serviceName); + + if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) { + if (isKeyAdmin) { + isAllowed = true; + }else { + isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName); + } + }else{ + if (isAdmin) { + isAllowed = true; + } + else{ + isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName); + } } - } - - if (isAllowed) { - RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource); - - if(policy != null) { - boolean policyUpdated = false; - policyUpdated = ServiceRESTUtil.processRevokeRequest(policy, revokeRequest); - - if(policyUpdated) { - svcStore.updatePolicy(policy); + + if (isAllowed) { + RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource); + + if(policy != null) { + boolean policyUpdated = false; + policyUpdated = ServiceRESTUtil.processRevokeRequest(policy, revokeRequest); + + if(policyUpdated) { + svcStore.updatePolicy(policy); + } else { + LOG.error("processSecureRevokeRequest processing failed"); + throw new Exception("processSecureRevokeRequest processing failed"); + } } else { - LOG.error("processSecureRevokeRequest processing failed"); - throw new Exception("processSecureRevokeRequest processing failed"); + // nothing to revoke! } - } else { - // nothing to revoke! + }else{ + LOG.error("secureRevokeAccess(" + serviceName + ", " + revokeRequest + ") failed as User doesn't have permission to revoke Policy"); + throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to revoke access"); } - }else{ - LOG.error("secureRevokeAccess(" + serviceName + ", " + revokeRequest + ") failed as User doesn't have permission to revoke Policy"); - throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to revoke access"); + } catch(WebApplicationException excp) { + throw excp; + } catch(Throwable excp) { + LOG.error("secureRevokeAccess(" + serviceName + ", " + revokeRequest + ") failed", excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } finally { + RangerPerfTracer.log(perf); } - } catch(WebApplicationException excp) { - throw excp; - } catch(Throwable excp) { - LOG.error("secureRevokeAccess(" + serviceName + ", " + revokeRequest + ") failed", excp); - - throw restErrorUtil.createRESTException(excp.getMessage()); - } finally { - RangerPerfTracer.log(perf); + + ret.setStatusCode(RESTResponse.STATUS_SUCCESS); } - - ret.setStatusCode(RESTResponse.STATUS_SUCCESS); } if(LOG.isDebugEnabled()) { LOG.debug("<== ServiceREST.secureRevokeAccess(" + serviceName + ", " + revokeRequest + "): " + ret); @@ -2425,4 +2439,26 @@ public class ServiceREST { return ret; } + + private void validateGrantRevokeRequest(GrantRevokeRequest request){ + if( request!=null){ + if(CollectionUtils.isEmpty(request.getUsers()) && CollectionUtils.isEmpty(request.getGroups())){ + throw restErrorUtil.createGrantRevokeRESTException( "Grantee users/groups list is empty"); + } + String grantor=request.getGrantor(); + if(grantor==null || userMgr.getXUserByUserName(grantor) == null) { + throw restErrorUtil.createGrantRevokeRESTException( "Grantor user "+grantor+" doesn't exist"); + } + for(String userName:request.getUsers()){ + if(userMgr.getXUserByUserName(userName) == null) { + throw restErrorUtil.createGrantRevokeRESTException( "Grantee user "+userName+" doesn't exist"); + } + } + for(String groupName:request.getGroups()){ + if(userMgr.getGroupByGroupName(groupName)== null) { + throw restErrorUtil.createGrantRevokeRESTException( "Grantee group "+groupName+" doesn't exist"); + } + } + } + } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8762a8c7/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java index dcae9b4..d794565 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java @@ -84,7 +84,7 @@ public class ServiceRESTUtil { return policyUpdated; } - static public boolean processRevokeRequest(RangerPolicy policy, GrantRevokeRequest revokeRequest) { + static public boolean processRevokeRequest(RangerPolicy existingRangerPolicy, GrantRevokeRequest revokeRequest) { if (LOG.isDebugEnabled()) { LOG.debug("==> ServiceRESTUtil.processRevokeRequest()"); } @@ -93,29 +93,75 @@ public class ServiceRESTUtil { // remove all existing privileges for users and groups if (revokeRequest.getReplaceExistingPermissions()) { - policyUpdated = removeUsersAndGroupsFromPolicy(policy, revokeRequest.getUsers(), revokeRequest.getGroups()); + policyUpdated = removeUsersAndGroupsFromPolicy(existingRangerPolicy, revokeRequest.getUsers(), revokeRequest.getGroups()); } else { //Build a policy and set up policyItem in it to mimic revoke request - RangerPolicy appliedPolicy = new RangerPolicy(); + RangerPolicy appliedRangerPolicy = new RangerPolicy(); - RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem(); + RangerPolicy.RangerPolicyItem appliedRangerPolicyItem = new RangerPolicy.RangerPolicyItem(); - policyItem.setDelegateAdmin(revokeRequest.getDelegateAdmin()); - policyItem.getUsers().addAll(revokeRequest.getUsers()); - policyItem.getGroups().addAll(revokeRequest.getGroups()); + appliedRangerPolicyItem.setDelegateAdmin(revokeRequest.getDelegateAdmin()); + appliedRangerPolicyItem.getUsers().addAll(revokeRequest.getUsers()); + appliedRangerPolicyItem.getGroups().addAll(revokeRequest.getGroups()); - List<RangerPolicy.RangerPolicyItemAccess> accesses = new ArrayList<RangerPolicy.RangerPolicyItemAccess>(); + List<RangerPolicy.RangerPolicyItemAccess> appliedRangerPolicyItemAccess = new ArrayList<RangerPolicy.RangerPolicyItemAccess>(); - Set<String> accessTypes = revokeRequest.getAccessTypes(); - for (String accessType : accessTypes) { - accesses.add(new RangerPolicy.RangerPolicyItemAccess(accessType, true)); + Set<String> appliedPolicyItemAccessType = revokeRequest.getAccessTypes(); + for (String accessType : appliedPolicyItemAccessType) { + appliedRangerPolicyItemAccess.add(new RangerPolicy.RangerPolicyItemAccess(accessType, false)); } - policyItem.setAccesses(accesses); - - appliedPolicy.getDenyPolicyItems().add(policyItem); - - processApplyPolicy(policy, appliedPolicy); + appliedRangerPolicyItem.setAccesses(appliedRangerPolicyItemAccess); + + appliedRangerPolicy.getPolicyItems().add(appliedRangerPolicyItem); + + //List<RangerPolicy.RangerPolicyItem> appliedRangerPolicyItems = appliedRangerPolicy.getPolicyItems(); + processApplyPolicyForItemType(existingRangerPolicy, appliedRangerPolicy, POLICYITEM_TYPE.ALLOW); + /*if (CollectionUtils.isNotEmpty(appliedRangerPolicyItems)) { + Set<String> users = new HashSet<String>(); + Set<String> groups = new HashSet<String>(); + + Map<String, RangerPolicy.RangerPolicyItem[]> userPolicyItems = new HashMap<String, RangerPolicy.RangerPolicyItem[]>(); + Map<String, RangerPolicy.RangerPolicyItem[]> groupPolicyItems = new HashMap<String, RangerPolicy.RangerPolicyItem[]>(); + + // Extract users and groups specified in appliedPolicy items + extractUsersAndGroups(appliedRangerPolicyItems, users, groups); + + // Split existing policyItems for users and groups extracted from appliedPolicyItem into userPolicyItems and groupPolicyItems + splitExistingPolicyItems(existingRangerPolicy, users, userPolicyItems, groups, groupPolicyItems); + + for (RangerPolicy.RangerPolicyItem tempPolicyItem : appliedRangerPolicyItems) { + List<String> appliedPolicyItemsUser = tempPolicyItem.getUsers(); + for (String user : appliedPolicyItemsUser) { + RangerPolicy.RangerPolicyItem[] rangerPolicyItems = userPolicyItems.get(user); + if(rangerPolicyItems!=null && rangerPolicyItems.length>0){ + removeAccesses(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()], tempPolicyItem.getAccesses()); + if(!CollectionUtils.isEmpty(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].getAccesses())){ + rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].setDelegateAdmin(revokeRequest.getDelegateAdmin()); + }else{ + rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].setDelegateAdmin(Boolean.FALSE); + } + } + } + } + for (RangerPolicy.RangerPolicyItem tempPolicyItem : appliedRangerPolicyItems) { + List<String> appliedPolicyItemsGroup = tempPolicyItem.getGroups(); + for (String group : appliedPolicyItemsGroup) { + RangerPolicy.RangerPolicyItem[] rangerPolicyItems = groupPolicyItems.get(group); + if(rangerPolicyItems!=null && rangerPolicyItems.length>0){ + removeAccesses(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()], tempPolicyItem.getAccesses()); + if(!CollectionUtils.isEmpty(rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].getAccesses())){ + rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].setDelegateAdmin(revokeRequest.getDelegateAdmin()); + }else{ + rangerPolicyItems[POLICYITEM_TYPE.ALLOW.ordinal()].setDelegateAdmin(Boolean.FALSE); + } + } + } + } + // Add modified/new policyItems back to existing policy + mergeProcessedPolicyItems(existingRangerPolicy, userPolicyItems, groupPolicyItems); + compactPolicy(existingRangerPolicy); + }*/ policyUpdated = true; }
