ramackri commented on code in PR #1000:
URL: https://github.com/apache/ranger/pull/1000#discussion_r3377983159
##########
security-admin/scripts/ranger-admin-site-template.xml:
##########
@@ -248,4 +248,14 @@
<name>ranger.ldap.ad.url</name>
<value></value>
</property>
+ <property>
+ <name>ranger.admin.super.users</name>
+ <value></value>
+ <description>Comma-separated list of externally authenticated
users granted full Ranger administrative privileges at login (system admin and
key admin capabilities), independent of database roles. Empty or absent
disables config-based super users.</description>
+ </property>
+ <property>
+ <name>ranger.admin.super.groups</name>
+ <value></value>
+ <description>Comma-separated list of groups whose members are
granted full Ranger administrative privileges at login (system admin and key
admin capabilities), independent of database roles. Group membership is
resolved from the Ranger user store (usersync). Empty or absent disables
config-based super groups.</description>
Review Comment:
Done — removed the usersync/Ranger user store wording from the
`ranger.admin.super.groups` description in both config files (commit 04a79709e).
##########
security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java:
##########
@@ -37,6 +37,8 @@ public class UserSessionBase implements Serializable {
private boolean userAuditAdmin;
private boolean auditKeyAdmin;
private boolean keyAdmin;
+ /** Set at login when login matches {@code ranger.admin.super.users} /
super.groups. */
+ private boolean configSuperUser;
Review Comment:
Done — renamed `configSuperUser` to `superUser` with
`isSuperUser()`/`setSuperUser()`, removed `isEffectiveRangerAdmin()`, and
updated `isUserAdmin()`, `isAuditUserAdmin()`, `isKeyAdmin()`, and
`isAuditKeyAdmin()` to OR with `superUser` as suggested (commit 04a79709e).
##########
security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java:
##########
Review Comment:
Done — refactored `hasKMSPermissions()` to early-return when
`session.isSuperUser()`, using the structure you suggested (commit 04a79709e).
##########
security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java:
##########
@@ -219,7 +221,24 @@ public void resetUserModulePermission(UserSessionBase
userSession) {
XXUser xUser =
daoManager.getXXUser().findByUserName(userSession.getLoginId());
if (xUser != null) {
- List<String> permissionList =
daoManager.getXXModuleDef().findAccessibleModulesByUserId(userSession.getUserId(),
xUser.getId());
+ List<String> permissionList;
+
+ if (userSession.isUserAdmin() || userSession.isKeyAdmin()) {
+ List<XXModuleDef> allModules =
Review Comment:
Done — added `XXModuleDefDao.getAllModuleNames()` and updated `SessionMgr`
to use it instead of loading full `XXModuleDef` objects (commit 6839362f0).
##########
security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java:
##########
@@ -556,6 +575,47 @@ private void setUserRoles(UserSessionBase userSession) {
userSession.setUserAdmin(false);
}
+ applyConfigSuperUserSessionFlags(userSession);
+
+ if (userSession.isSuperUser()) {
+ strRoleList = RangerSuperUserConfig.mergeConfigSuperUserRoles(
Review Comment:
Done — removed unnecessary line splits in `SessionMgr` and reviewed other
files in this PR for similar formatting (commit 6839362f0).
##########
security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java:
##########
@@ -556,6 +575,47 @@ private void setUserRoles(UserSessionBase userSession) {
userSession.setUserAdmin(false);
}
+ applyConfigSuperUserSessionFlags(userSession);
+
+ if (userSession.isSuperUser()) {
+ strRoleList = RangerSuperUserConfig.mergeConfigSuperUserRoles(
+ strRoleList, true);
+ }
+
userSession.setUserRoleList(strRoleList);
}
+
+ /**
+ * Applies config super-user session flag ({@code superUser}) when login
matches
+ * {@code ranger.admin.super.users} / super.groups.
+ */
+ private void applyConfigSuperUserSessionFlags(
+ final UserSessionBase userSession) {
+ if (userSession == null) {
+ return;
+ }
+
+ String loginId = userSession.getLoginId();
+
+ if (loginId == null) {
+ return;
+ }
+
+ if (!RangerSuperUserConfig.isEnabled()) {
+ userSession.setSuperUser(false);
+ return;
+ }
+
+ Set<String> userGroups = xUserMgr.getSyncedGroupsForUser(loginId);
Review Comment:
Done — `applyConfigSuperUserToSession()` now calls `getGroupsForUser()` only
when `RangerSuperUserConfig.isSuperGroupsConfigured()` is true (commit
6839362f0).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
