ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From v..@apache.org
Subject [2/2] incubator-ranger git commit: RANGER-630 : Data consistency across API and UI
Date Wed, 16 Sep 2015 04:42:01 GMT
RANGER-630 : Data consistency across API and UI

Signed-off-by: Velmurugan Periasamy <vel@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/1dbc7a1a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/1dbc7a1a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/1dbc7a1a

Branch: refs/heads/ranger-0.5
Commit: 1dbc7a1a25c3d32ebdcbf85398738ad63f9391c1
Parents: 97453ff
Author: Gautam Borad <gborad@gmail.com>
Authored: Tue Sep 15 13:50:35 2015 +0530
Committer: Velmurugan Periasamy <vel@apache.org>
Committed: Wed Sep 16 00:42:56 2015 -0400

----------------------------------------------------------------------
 .../java/org/apache/ranger/biz/UserMgr.java     |  73 +--
 .../java/org/apache/ranger/biz/XAuditMgr.java   |  73 ++-
 .../java/org/apache/ranger/biz/XUserMgr.java    | 278 +++++-----
 .../org/apache/ranger/db/XXGroupUserDao.java    |  21 +
 .../org/apache/ranger/db/XXModuleDefDao.java    |  38 ++
 .../java/org/apache/ranger/rest/AssetREST.java  |  15 +-
 .../org/apache/ranger/rest/PublicAPIsv2.java    |   2 +-
 .../org/apache/ranger/rest/ServiceREST.java     |  30 +-
 .../java/org/apache/ranger/rest/UserREST.java   |  13 +-
 .../java/org/apache/ranger/rest/XAuditREST.java |  10 +-
 .../java/org/apache/ranger/rest/XKeyREST.java   |  10 +-
 .../java/org/apache/ranger/rest/XUserREST.java  | 114 +++-
 .../ranger/security/context/RangerAPIList.java  | 201 +++++++
 .../security/context/RangerAPIMapping.java      | 535 +++++++++++++++++++
 .../context/RangerPreAuthSecurityHandler.java   |  93 ++++
 .../apache/ranger/service/XAuditMapService.java |  60 +++
 .../apache/ranger/service/XPermMapService.java  |  60 ++-
 .../apache/ranger/service/XResourceService.java |  31 +-
 .../resources/META-INF/jpa_named_queries.xml    |  19 +
 .../conf.dist/security-applicationContext.xml   |   2 +
 .../org/apache/ranger/audit/TestAuditQueue.java |   3 +-
 .../java/org/apache/ranger/biz/TestUserMgr.java |  14 +-
 .../org/apache/ranger/biz/TestXUserMgr.java     |   9 +-
 .../org/apache/ranger/rest/TestServiceREST.java |   2 +-
 24 files changed, 1450 insertions(+), 256 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1dbc7a1a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index 939ddc2..ff0ea01 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -139,22 +139,8 @@ public class UserMgr {
 
 	public XXPortalUser createUser(VXPortalUser userProfile, int userStatus,
 			Collection<String> userRoleList) {
-		UserSessionBase session = ContextUtil.getCurrentUserSession();
-		if (session != null) {
-			if (!session.isUserAdmin()) {
-				throw restErrorUtil.create403RESTException("User "
-						+ "creation denied. LoggedInUser="
-						+ (session != null ? session.getXXPortalUser().getId()
-								: "Not Logged In")
-						+ " ,isn't permitted to perform the action.");
-			}
-		}else{
-			VXResponse vXResponse = new VXResponse();
-			vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
-			vXResponse.setMsgDesc("Bad Credentials");
-			throw restErrorUtil.generateRESTException(vXResponse);
-		}
 		XXPortalUser user = mapVXPortalUserToXXPortalUser(userProfile);
+		checkAdminAccess();
 		user = createUser(user, userStatus, userRoleList);
 
 		return user;
@@ -366,6 +352,7 @@ public class UserMgr {
 	 * @param vStrings
 	 */
 	public void setUserRoles(Long userId, List<VXString> vStringRolesList) {
+		checkAccess(userId);
 		List<String> stringRolesList = new ArrayList<String>();
 		for (VXString vXString : vStringRolesList) {
 			stringRolesList.add(vXString.getValue());
@@ -384,15 +371,7 @@ public class UserMgr {
 		String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
 		XXPortalUser gjUserCurrent = daoManager.getXXPortalUser()
 				.findByLoginId(currentUserLoginId);
-
-		if (gjUserCurrent == null) {
-			logger.info("changePassword(). Invalid user login id. userId="
-					+ currentUserLoginId);
-			throw restErrorUtil.createRESTException(
-					"serverMsg.userMgrInvalidUser",
-					MessageEnums.DATA_NOT_FOUND, null, null, ""
-							+ currentUserLoginId);
-		}
+		checkAccess(gjUserCurrent);
 
 		String encryptedOldPwd = encrypt(gjUserCurrent.getLoginId(),
 				pwdChange.getOldPassword());
@@ -480,7 +459,7 @@ public class UserMgr {
 	 */
 	public VXPortalUser changeEmailAddress(XXPortalUser gjUser,
 			VXPasswordChange changeEmail) {
-
+		checkAccess(gjUser);
 		if (gjUser.getEmailAddress() != null) {
 			throw restErrorUtil.createRESTException(
 					"serverMsg.userMgrEmailChange",
@@ -530,21 +509,7 @@ public class UserMgr {
 	 * @param userId
 	 */
 	public VXPortalUser deactivateUser(XXPortalUser gjUser) {
-		UserSessionBase session = ContextUtil.getCurrentUserSession();
-		if (session != null) {
-			if (!session.isUserAdmin()) {
-				throw restErrorUtil.create403RESTException("deactivation of user"
-						+ " denied. LoggedInUser="
-						+ (session != null ? session.getXXPortalUser().getId()
-								: "Not Logged In")
-						+ " ,isn't permitted to perform the action.");
-			}
-		}else{
-			VXResponse vXResponse = new VXResponse();
-			vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
-			vXResponse.setMsgDesc("Bad Credentials");
-			throw restErrorUtil.generateRESTException(vXResponse);
-		}
+		checkAdminAccess();
 		if (gjUser != null
 				&& gjUser.getStatus() != RangerConstants.ACT_STATUS_DEACTIVATED) {
 			logger.info("Marking user " + gjUser.getLoginId() + " as deleted");
@@ -1121,6 +1086,7 @@ public class UserMgr {
 	}
 
 	public VXPortalUser createUser(VXPortalUser userProfile) {
+		checkAdminAccess();
 		XXPortalUser xXPortalUser = this.createUser(userProfile,
 				RangerCommonEnums.STATUS_ENABLED);
 		return mapXXPortalUserVXPortalUser(xXPortalUser);
@@ -1132,21 +1098,7 @@ public class UserMgr {
 			userProfile.setUserSource(RangerCommonEnums.USER_EXTERNAL);
 		}
 		// access control
-		UserSessionBase session = ContextUtil.getCurrentUserSession();
-		if (session != null) {
-			if (!session.isUserAdmin()) {
-				throw restErrorUtil.create403RESTException("User "
-						+ "creation denied. LoggedInUser="
-						+ session.getXXPortalUser().getId()
-						+ " ,isn't permitted to perform the action.");
-
-			}
-		}else{
-			VXResponse vXResponse = new VXResponse();
-			vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
-			vXResponse.setMsgDesc("Bad Credentials");
-			throw restErrorUtil.generateRESTException(vXResponse);
-		}
+		checkAdminAccess();
 		logger.info("create:" + userProfile.getEmailAddress());
 		XXPortalUser xXPortalUser = null;
 		String loginId = userProfile.getLoginId();
@@ -1275,4 +1227,15 @@ public class UserMgr {
 
 		return xXPortalUser;
 	}
+	
+	public void checkAdminAccess() {
+		UserSessionBase sess = ContextUtil.getCurrentUserSession();
+		if (sess != null) {
+			if (sess != null && sess.isUserAdmin()) {
+				return;
+			}
+		}
+		throw restErrorUtil.create403RESTException("Operation not allowed." + " loggedInUser=" + (sess != null ? sess.getXXPortalUser().getId() : "Not Logged In"));
+	}
+
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1dbc7a1a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java
index d9812f9..02d725f 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java
@@ -19,13 +19,22 @@
 
 package org.apache.ranger.biz;
 
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.ranger.common.ContextUtil;
 import org.apache.ranger.common.SearchCriteria;
+import org.apache.ranger.common.UserSessionBase;
 import org.apache.ranger.solr.SolrAccessAuditsService;
 import org.apache.ranger.view.VXAccessAudit;
 import org.apache.ranger.view.VXAccessAuditList;
 import org.apache.ranger.view.VXLong;
+import org.apache.ranger.view.VXResponse;
+import org.apache.ranger.view.VXTrxLog;
+import org.apache.ranger.view.VXTrxLogList;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
 
+@Component
 public class XAuditMgr extends XAuditMgrBase {
 
 	@Autowired
@@ -34,9 +43,68 @@ public class XAuditMgr extends XAuditMgrBase {
 	@Autowired
 	RangerBizUtil rangerBizUtil;
 
+	public VXTrxLog getXTrxLog(Long id) {
+		checkAdminAccess();
+		return super.getXTrxLog(id);
+	}
+
+	public VXTrxLog createXTrxLog(VXTrxLog vXTrxLog) {
+		checkAdminAccess();
+		return super.createXTrxLog(vXTrxLog);
+	}
+
+	public VXTrxLog updateXTrxLog(VXTrxLog vXTrxLog) {
+		checkAdminAccess();
+		return super.updateXTrxLog(vXTrxLog);
+	}
+
+	public void deleteXTrxLog(Long id, boolean force) {
+		checkAdminAccess();
+		super.deleteXTrxLog(id, force);
+	}
+
+	public VXTrxLogList searchXTrxLogs(SearchCriteria searchCriteria) {
+		checkAdminAccess();
+		return super.searchXTrxLogs(searchCriteria);
+	}
+
+	public VXLong getXTrxLogSearchCount(SearchCriteria searchCriteria) {
+		checkAdminAccess();
+		return super.getXTrxLogSearchCount(searchCriteria);
+	}
+
+	public VXAccessAudit createXAccessAudit(VXAccessAudit vXAccessAudit) {
+		checkAdminAccess();
+		return super.createXAccessAudit(vXAccessAudit);
+	}
+
+	public VXAccessAudit updateXAccessAudit(VXAccessAudit vXAccessAudit) {
+		checkAdminAccess();
+		return super.updateXAccessAudit(vXAccessAudit);
+	}
+
+	public void deleteXAccessAudit(Long id, boolean force) {
+		checkAdminAccess();
+		super.deleteXAccessAudit(id, force);
+	}
+
+	public void checkAdminAccess() {
+		UserSessionBase session = ContextUtil.getCurrentUserSession();
+		if (session != null) {
+			if (!session.isUserAdmin()) {
+				throw restErrorUtil.create403RESTException("Operation" + " denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "Not Logged In")
+						+ " ,isn't permitted to perform the action.");
+			}
+		} else {
+			VXResponse vXResponse = new VXResponse();
+			vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+			vXResponse.setMsgDesc("Bad Credentials");
+			throw restErrorUtil.generateRESTException(vXResponse);
+		}
+	}
+
 	@Override
 	public VXAccessAudit getXAccessAudit(Long id) {
-		// TODO Auto-generated method stub
 		return super.getXAccessAudit(id);
 	}
 
@@ -52,8 +120,7 @@ public class XAuditMgr extends XAuditMgrBase {
 	@Override
 	public VXLong getXAccessAuditSearchCount(SearchCriteria searchCriteria) {
 		if (rangerBizUtil.getAuditDBType().equalsIgnoreCase("solr")) {
-			return solrAccessAuditsService
-					.getXAccessAuditSearchCount(searchCriteria);
+			return solrAccessAuditsService.getXAccessAuditSearchCount(searchCriteria);
 		} else {
 			return super.getXAccessAuditSearchCount(searchCriteria);
 		}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1dbc7a1a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index 700caff..2413afb 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -20,7 +20,6 @@
 package org.apache.ranger.biz;
 
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -37,6 +36,7 @@ import org.apache.ranger.entity.XXUserPermission;
 import org.apache.ranger.service.XGroupPermissionService;
 import org.apache.ranger.service.XModuleDefService;
 import org.apache.ranger.service.XPortalUserService;
+import org.apache.ranger.service.XResourceService;
 import org.apache.ranger.service.XUserPermissionService;
 import org.apache.ranger.view.VXGroupPermission;
 import org.apache.ranger.view.VXModuleDef;
@@ -49,24 +49,31 @@ import org.apache.ranger.common.SearchCriteria;
 import org.apache.ranger.common.UserSessionBase;
 import org.apache.ranger.db.RangerDaoManager;
 import org.apache.ranger.db.XXGroupUserDao;
+import org.apache.ranger.entity.XXAuditMap;
 import org.apache.ranger.entity.XXGroup;
+import org.apache.ranger.entity.XXPermMap;
 import org.apache.ranger.entity.XXPortalUser;
-import org.apache.ranger.entity.XXPortalUserRole;
 import org.apache.ranger.entity.XXTrxLog;
 import org.apache.ranger.entity.XXUser;
 import org.apache.ranger.service.XGroupService;
 import org.apache.ranger.service.XUserService;
+import org.apache.ranger.view.VXAuditMapList;
 import org.apache.ranger.view.VXGroup;
+import org.apache.ranger.view.VXGroupGroup;
 import org.apache.ranger.view.VXGroupList;
 import org.apache.ranger.view.VXGroupUser;
 import org.apache.ranger.view.VXGroupUserList;
+import org.apache.ranger.view.VXLong;
+import org.apache.ranger.view.VXPermMapList;
 import org.apache.ranger.view.VXPortalUser;
 import org.apache.ranger.view.VXUser;
 import org.apache.ranger.view.VXUserGroupInfo;
 import org.apache.ranger.view.VXUserList;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
+
 import javax.servlet.http.HttpServletResponse;
+
 import org.apache.ranger.view.VXResponse;
 @Component
 public class XUserMgr extends XUserMgrBase {
@@ -100,25 +107,14 @@ public class XUserMgr extends XUserMgrBase {
 
 	@Autowired
 	XPortalUserService xPortalUserService;
+	
+	@Autowired
+	XResourceService xResourceService;
 
 	static final Logger logger = Logger.getLogger(XUserMgr.class);
 
 	public void deleteXGroup(Long id, boolean force) {
-		UserSessionBase session = ContextUtil.getCurrentUserSession();
-		if (session != null) {
-			if (!session.isUserAdmin()) {
-				throw restErrorUtil.create403RESTException("deletion of group"
-						+ " denied. LoggedInUser="
-						+ (session != null ? session.getXXPortalUser().getId()
-								: "Not Logged In")
-						+ " ,isn't permitted to perform the action.");
-			}
-		}else{
-			VXResponse vXResponse = new VXResponse();
-			vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
-			vXResponse.setMsgDesc("Bad Credentials");
-			throw restErrorUtil.generateRESTException(vXResponse);
-		}
+		checkAdminAccess();
 		if (force) {
 			SearchCriteria searchCriteria = new SearchCriteria();
 			searchCriteria.addParam("xGroupId", id);
@@ -139,21 +135,7 @@ public class XUserMgr extends XUserMgrBase {
 	}
 
 	public void deleteXUser(Long id, boolean force) {
-		UserSessionBase session = ContextUtil.getCurrentUserSession();
-		if (session != null) {
-			if (!session.isUserAdmin()) {
-				throw restErrorUtil.create403RESTException("deletion of user"
-						+ " denied. LoggedInUser="
-						+ (session != null ? session.getXXPortalUser().getId()
-								: "Not Logged In")
-						+ " ,isn't permitted to perform the action.");
-			}
-		}else{
-			VXResponse vXResponse = new VXResponse();
-			vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
-			vXResponse.setMsgDesc("Bad Credentials");
-			throw restErrorUtil.generateRESTException(vXResponse);
-		}
+		checkAdminAccess();
 		if (force) {
 			SearchCriteria searchCriteria = new SearchCriteria();
 			searchCriteria.addParam("xUserId", id);
@@ -185,21 +167,7 @@ public class XUserMgr extends XUserMgrBase {
 	}
 
 	public VXUser createXUser(VXUser vXUser) {
-		UserSessionBase session = ContextUtil.getCurrentUserSession();
-		if (session != null) {
-			if (!session.isUserAdmin()) {
-				throw restErrorUtil.create403RESTException("creation of user"
-						+ " denied. LoggedInUser="
-						+ (session != null ? session.getXXPortalUser().getId()
-								: "Not Logged In")
-						+ " ,isn't permitted to perform the action.");
-			}
-		}else{
-			VXResponse vXResponse = new VXResponse();
-			vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
-			vXResponse.setMsgDesc("Bad Credentials");
-			throw restErrorUtil.generateRESTException(vXResponse);
-		}
+		checkAdminAccess();
 		String userName = vXUser.getName();
 		if (userName == null || userName.isEmpty()) {
 			throw restErrorUtil.createRESTException("Please provide a valid "
@@ -256,7 +224,6 @@ public class XUserMgr extends XUserMgrBase {
 	}
 
 	// Assigning Permission
-	@SuppressWarnings("unused")
 	public void assignPermissionToUser(VXPortalUser vXPortalUser,
 			boolean isCreate) {
 		HashMap<String, Long> moduleNameId = getModelNames();
@@ -336,7 +303,6 @@ public class XUserMgr extends XUserMgrBase {
 
 	}
 
-	@SuppressWarnings("unused")
 	public HashMap<String, Long> getModelNames() {
 		List<XXModuleDef> xxModuleDefs = daoManager.getXXModuleDef()
 				.findModuleNamesWithIds();
@@ -369,6 +335,10 @@ public class XUserMgr extends XUserMgrBase {
 	}
 
 	public VXUser updateXUser(VXUser vXUser) {
+		if (vXUser == null || vXUser.getName() == null || vXUser.getName().trim().isEmpty()) {
+			throw restErrorUtil.createRESTException("Please provide a valid " + "username.", MessageEnums.INVALID_INPUT_DATA);
+		}
+		checkAccess(vXUser.getName());
 		VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser
 				.getName());
 		VXPortalUser vXPortalUser = new VXPortalUser();
@@ -522,21 +492,7 @@ public class XUserMgr extends XUserMgrBase {
 
 	public VXUserGroupInfo createXUserGroupFromMap(
 			VXUserGroupInfo vXUserGroupInfo) {
-		UserSessionBase session = ContextUtil.getCurrentUserSession();
-		if (session != null) {
-			if (!session.isUserAdmin()) {
-				throw restErrorUtil.create403RESTException("User group "
-						+ "creation denied. LoggedInUser="
-						+ (session != null ? session.getXXPortalUser().getId()
-								: "Not Logged In")
-						+ " ,isn't permitted to perform the action.");
-			}
-		}else{
-			VXResponse vXResponse = new VXResponse();
-			vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
-			vXResponse.setMsgDesc("Bad Credentials");
-			throw restErrorUtil.generateRESTException(vXResponse);
-		}
+		checkAdminAccess();
 		VXUserGroupInfo vxUGInfo = new VXUserGroupInfo();
 
 		VXUser vXUser = vXUserGroupInfo.getXuserInfo();
@@ -563,41 +519,12 @@ public class XUserMgr extends XUserMgrBase {
 	}
 
 	public VXUser createXUserWithOutLogin(VXUser vXUser) {
-		UserSessionBase session = ContextUtil.getCurrentUserSession();
-		if (session != null) {
-			if (!session.isUserAdmin()) {
-				throw restErrorUtil.create403RESTException("creation of user"
-						+ " denied. LoggedInUser="
-						+ (session != null ? session.getXXPortalUser().getId()
-								: "Not Logged In")
-						+ " ,isn't permitted to perform the action.");
-			}
-		}else{
-			VXResponse vXResponse = new VXResponse();
-			vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
-			vXResponse.setMsgDesc("Bad Credentials");
-			throw restErrorUtil.generateRESTException(vXResponse);
-		}
+		checkAdminAccess();
 		return xUserService.createXUserWithOutLogin(vXUser);
 	}
 
 	public VXGroup createXGroup(VXGroup vXGroup) {
-		UserSessionBase session = ContextUtil.getCurrentUserSession();
-		if (session != null) {
-			if (!session.isUserAdmin()) {
-				throw restErrorUtil.create403RESTException("creation of group"
-						+ " denied. LoggedInUser="
-						+ (session != null ? session.getXXPortalUser().getId()
-								: "Not Logged In")
-						+ " ,isn't permitted to perform the action.");
-			}
-		}else{
-			VXResponse vXResponse = new VXResponse();
-			vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
-			vXResponse.setMsgDesc("Bad Credentials");
-			throw restErrorUtil.generateRESTException(vXResponse);
-		}
-		// FIXME Just a hack
+		checkAdminAccess();
 		if (vXGroup.getDescription() == null) {
 			vXGroup.setDescription(vXGroup.getName());
 		}
@@ -610,40 +537,12 @@ public class XUserMgr extends XUserMgrBase {
 	}
 
 	public VXGroup createXGroupWithoutLogin(VXGroup vXGroup) {
-		UserSessionBase session = ContextUtil.getCurrentUserSession();
-		if (session != null) {
-			if (!session.isUserAdmin()) {
-				throw restErrorUtil.create403RESTException("creation of group"
-						+ " denied. LoggedInUser="
-						+ (session != null ? session.getXXPortalUser().getId()
-								: "Not Logged In")
-						+ " ,isn't permitted to perform the action.");
-			}
-		}else{
-			VXResponse vXResponse = new VXResponse();
-			vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
-			vXResponse.setMsgDesc("Bad Credentials");
-			throw restErrorUtil.generateRESTException(vXResponse);
-		}
+		checkAdminAccess();
 		return xGroupService.createXGroupWithOutLogin(vXGroup);
 	}
 
 	public VXGroupUser createXGroupUser(VXGroupUser vXGroupUser) {
-		UserSessionBase session = ContextUtil.getCurrentUserSession();
-		if (session != null) {
-			if (!session.isUserAdmin()) {
-				throw restErrorUtil.create403RESTException("creation of group"
-						+ " denied. LoggedInUser="
-						+ (session != null ? session.getXXPortalUser().getId()
-								: "Not Logged In")
-						+ " ,isn't permitted to perform the action.");
-			}
-		}else{
-			VXResponse vXResponse = new VXResponse();
-			vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
-			vXResponse.setMsgDesc("Bad Credentials");
-			throw restErrorUtil.generateRESTException(vXResponse);
-		}
+		checkAdminAccess();
 		vXGroupUser = xGroupUserService
 				.createXGroupUserWithOutLogin(vXGroupUser);
 		return vXGroupUser;
@@ -690,21 +589,7 @@ public class XUserMgr extends XUserMgrBase {
 	 */
 
 	public void deleteXGroupAndXUser(String groupName, String userName) {
-		UserSessionBase session = ContextUtil.getCurrentUserSession();
-		if (session != null) {
-			if (!session.isUserAdmin()) {
-				throw restErrorUtil.create403RESTException("User "
-						+ "deletion denied. LoggedInUser="
-						+ (session != null ? session.getXXPortalUser().getId()
-								: "Not Logged In")
-						+ " ,isn't permitted to perform the action.");
-			}
-		}else{
-			VXResponse vXResponse = new VXResponse();
-			vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
-			vXResponse.setMsgDesc("Bad Credentials");
-			throw restErrorUtil.generateRESTException(vXResponse);
-		}
+		checkAdminAccess();
 		VXGroup vxGroup = xGroupService.getGroupByGroupName(groupName);
 		VXUser vxUser = xUserService.getXUserByUserName(userName);
 		SearchCriteria searchCriteria = new SearchCriteria();
@@ -807,6 +692,7 @@ public class XUserMgr extends XUserMgrBase {
 
 	@Override
 	public VXGroup updateXGroup(VXGroup vXGroup) {
+		checkAdminAccess();
 		XXGroup xGroup = daoManager.getXXGroup().getById(vXGroup.getId());
 		List<XXTrxLog> trxLogList = xGroupService.getTransactionLog(vXGroup,
 				xGroup, "update");
@@ -814,8 +700,77 @@ public class XUserMgr extends XUserMgrBase {
 		vXGroup = (VXGroup) xGroupService.updateResource(vXGroup);
 		return vXGroup;
 	}
+	public VXGroupUser updateXGroupUser(VXGroupUser vXGroupUser) {
+		checkAdminAccess();
+		return super.updateXGroupUser(vXGroupUser);
+	}
+
+	public void deleteXGroupUser(Long id, boolean force) {
+		checkAdminAccess();
+		super.deleteXGroupUser(id, force);
+	}
+
+	public VXGroupGroup createXGroupGroup(VXGroupGroup vXGroupGroup){
+		checkAdminAccess();
+		return super.createXGroupGroup(vXGroupGroup);
+	}
+
+	public VXGroupGroup updateXGroupGroup(VXGroupGroup vXGroupGroup) {
+		checkAdminAccess();
+		return super.updateXGroupGroup(vXGroupGroup);
+	}
+
+	public void deleteXGroupGroup(Long id, boolean force) {
+		checkAdminAccess();
+		super.deleteXGroupGroup(id, force);
+	}
+
+	public void deleteXPermMap(Long id, boolean force) {
+		if (force) {
+			XXPermMap xPermMap = daoManager.getXXPermMap().getById(id);
+			if (xPermMap != null) {
+				if (xResourceService.readResource(xPermMap.getResourceId()) == null) {
+					throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + xPermMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+				}
+			}
+
+			xPermMapService.deleteResource(id);
+		} else {
+			throw restErrorUtil.createRESTException("serverMsg.modelMgrBaseDeleteModel", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
+		}
+	}
+
+	public VXLong getXPermMapSearchCount(SearchCriteria searchCriteria) {
+		VXPermMapList permMapList = xPermMapService.searchXPermMaps(searchCriteria);
+		VXLong vXLong = new VXLong();
+		vXLong.setValue(permMapList.getListSize());
+		return vXLong;
+	}
+
+	public void deleteXAuditMap(Long id, boolean force) {
+		if (force) {
+			XXAuditMap xAuditMap = daoManager.getXXAuditMap().getById(id);
+			if (xAuditMap != null) {
+				if (xResourceService.readResource(xAuditMap.getResourceId()) == null) {
+					throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + xAuditMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+				}
+			}
+
+			xAuditMapService.deleteResource(id);
+		} else {
+			throw restErrorUtil.createRESTException("serverMsg.modelMgrBaseDeleteModel", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
+		}
+	}
+
+	public VXLong getXAuditMapSearchCount(SearchCriteria searchCriteria) {
+		VXAuditMapList auditMapList = xAuditMapService.searchXAuditMaps(searchCriteria);
+		VXLong vXLong = new VXLong();
+		vXLong.setValue(auditMapList.getListSize());
+		return vXLong;
+	}
 
 	public void modifyUserVisibility(HashMap<Long, Integer> visibilityMap) {
+		checkAdminAccess();
 		Set<Map.Entry<Long, Integer>> entries = visibilityMap.entrySet();
 		for (Map.Entry<Long, Integer> entry : entries) {
 			XXUser xUser = daoManager.getXXUser().getById(entry.getKey());
@@ -826,6 +781,7 @@ public class XUserMgr extends XUserMgrBase {
 	}
 
 	public void modifyGroupsVisibility(HashMap<Long, Integer> groupVisibilityMap) {
+		checkAdminAccess();
 		Set<Map.Entry<Long, Integer>> entries = groupVisibilityMap.entrySet();
 		for (Map.Entry<Long, Integer> entry : entries) {
 			XXGroup xGroup = daoManager.getXXGroup().getById(entry.getKey());
@@ -878,6 +834,7 @@ public class XUserMgr extends XUserMgrBase {
 
 	// Module permissions
 	public VXModuleDef createXModuleDefPermission(VXModuleDef vXModuleDef) {
+		checkAdminAccess();
 		return xModuleDefService.createResource(vXModuleDef);
 	}
 
@@ -886,6 +843,7 @@ public class XUserMgr extends XUserMgrBase {
 	}
 
 	public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) {
+		checkAdminAccess();
 		List<VXGroupPermission> groupPermListNew = vXModuleDef
 				.getGroupPermList();
 		List<VXUserPermission> userPermListNew = vXModuleDef.getUserPermList();
@@ -970,12 +928,14 @@ public class XUserMgr extends XUserMgrBase {
 	}
 
 	public void deleteXModuleDefPermission(Long id, boolean force) {
+		checkAdminAccess();
 		xModuleDefService.deleteResource(id);
 	}
 
 	// User permission
 	public VXUserPermission createXUserPermission(
 			VXUserPermission vXUserPermission) {
+		checkAdminAccess();
 		return xUserPermissionService.createResource(vXUserPermission);
 	}
 
@@ -985,17 +945,19 @@ public class XUserMgr extends XUserMgrBase {
 
 	public VXUserPermission updateXUserPermission(
 			VXUserPermission vXUserPermission) {
-
+		checkAdminAccess();
 		return xUserPermissionService.updateResource(vXUserPermission);
 	}
 
 	public void deleteXUserPermission(Long id, boolean force) {
+		checkAdminAccess();
 		xUserPermissionService.deleteResource(id);
 	}
 
 	// Group permission
 	public VXGroupPermission createXGroupPermission(
 			VXGroupPermission vXGroupPermission) {
+		checkAdminAccess();
 		return xGroupPermissionService.createResource(vXGroupPermission);
 	}
 
@@ -1005,14 +967,17 @@ public class XUserMgr extends XUserMgrBase {
 
 	public VXGroupPermission updateXGroupPermission(
 			VXGroupPermission vXGroupPermission) {
+		checkAdminAccess();
 		return xGroupPermissionService.updateResource(vXGroupPermission);
 	}
 
 	public void deleteXGroupPermission(Long id, boolean force) {
+		checkAdminAccess();
 		xGroupPermissionService.deleteResource(id);
 	}
 
 	public void modifyUserActiveStatus(HashMap<Long, Integer> statusMap) {
+		checkAdminAccess();
 		UserSessionBase session = ContextUtil.getCurrentUserSession();
 		String currentUser=null;
 		if(session!=null){
@@ -1040,4 +1005,35 @@ public class XUserMgr extends XUserMgrBase {
 			}
 		}
 	}
+
+	public void checkAdminAccess() {
+		UserSessionBase session = ContextUtil.getCurrentUserSession();
+		if (session != null) {
+			if (!session.isUserAdmin()) {
+				throw restErrorUtil.create403RESTException("Operation" + " denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "Not Logged In")
+						+ " ,isn't permitted to perform the action.");
+			}
+		} else {
+			VXResponse vXResponse = new VXResponse();
+			vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+			vXResponse.setMsgDesc("Bad Credentials");
+			throw restErrorUtil.generateRESTException(vXResponse);
+		}
+	}
+
+	public void checkAccess(String loginID) {
+		UserSessionBase session = ContextUtil.getCurrentUserSession();
+		if (session != null) {
+			if (!session.isUserAdmin() && !session.isKeyAdmin() && !session.getLoginId().equalsIgnoreCase(loginID)) {
+				throw restErrorUtil.create403RESTException("Operation" + " denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "Not Logged In")
+						+ " ,isn't permitted to perform the action.");
+			}
+		} else {
+			VXResponse vXResponse = new VXResponse();
+			vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+			vXResponse.setMsgDesc("Bad Credentials");
+			throw restErrorUtil.generateRESTException(vXResponse);
+		}
+	}
+
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1dbc7a1a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java
index 9f5abfb..104e188 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java
@@ -60,4 +60,25 @@ public class XXGroupUserDao extends BaseDao<XXGroupUser> {
 		}
 		return null;
 	}
+
+	/**
+	 * @param xUserId
+	 *            -- Id of X_USER table
+	 * @return
+	 */
+	@SuppressWarnings("unchecked")
+	public List<Long> findGroupIdListByUserId(Long xUserId) {
+		if (xUserId != null) {
+			try {
+				return getEntityManager().createNamedQuery("XXGroupUser.findGroupIdListByUserId").setParameter("xUserId", xUserId).getResultList();
+			} catch (NoResultException e) {
+				logger.debug(e.getMessage());
+			}
+		} else {
+			logger.debug("UserId not provided.");
+			return new ArrayList<Long>();
+		}
+		return null;
+	}
+
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1dbc7a1a/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java
index 611eaf8..fa2b3d9 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java
@@ -22,7 +22,9 @@ import java.util.List;
 
 import javax.persistence.NoResultException;
 
+import org.apache.commons.collections.CollectionUtils;
 import org.apache.log4j.Logger;
+import org.apache.ranger.common.RangerCommonEnums;
 import org.apache.ranger.common.db.BaseDao;
 import org.apache.ranger.entity.XXModuleDef;
 
@@ -115,4 +117,40 @@ public class XXModuleDefDao extends BaseDao<XXModuleDef>{
 			return null;
 		}
 	}
+
+	@SuppressWarnings("unchecked")
+	public List<String> findAccessibleModulesByGroupIdList(List<Long> grpIdList) {
+		if (CollectionUtils.isEmpty(grpIdList)) {
+			return new ArrayList<String>();
+		}
+		try {
+			return getEntityManager().createNamedQuery("XXModuleDef.findAccessibleModulesByGroupId").setParameter("grpIdList", grpIdList)
+					.setParameter("isAllowed", RangerCommonEnums.ACCESS_RESULT_ALLOWED).getResultList();
+		} catch (NoResultException e) {
+			return new ArrayList<String>();
+		}
+	}
+
+	/**
+	 * @param portalUserId
+	 * @param xUserId
+	 * @return This function will return all the modules accessible for particular user, considering all the groups as well in which that user belongs
+	 */
+	@SuppressWarnings("unchecked")
+	public List<String> findAccessibleModulesByUserId(Long portalUserId, Long xUserId) {
+		if (portalUserId == null || xUserId == null) {
+			return new ArrayList<String>();
+		}
+		try {
+
+			List<String> userPermList = getEntityManager().createNamedQuery("XXModuleDef.findAllAccessibleModulesByUserId").setParameter("portalUserId", portalUserId)
+					.setParameter("xUserId", xUserId).setParameter("isAllowed", RangerCommonEnums.ACCESS_RESULT_ALLOWED).getResultList();
+
+			return userPermList;
+
+		} catch (NoResultException e) {
+			return new ArrayList<String>();
+		}
+	}
+
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1dbc7a1a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
index e5de160..19dbfaa 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
@@ -56,6 +56,7 @@ import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
 import org.apache.ranger.plugin.util.SearchFilter;
 import org.apache.ranger.plugin.util.ServicePolicies;
+import org.apache.ranger.security.context.RangerAPIList;
 import org.apache.ranger.service.XAccessAuditService;
 import org.apache.ranger.service.XAgentService;
 import org.apache.ranger.service.XAssetService;
@@ -137,6 +138,7 @@ public class AssetREST {
 	@GET
 	@Path("/assets/{id}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_ASSET + "\")")
 	public VXAsset getXAsset(@PathParam("id") Long id) {
 		if(logger.isDebugEnabled()) {
 			logger.debug("==> AssetREST.getXAsset(" + id + ")");
@@ -156,6 +158,7 @@ public class AssetREST {
 	@POST
 	@Path("/assets")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_ASSET + "\")")
 	public VXAsset createXAsset(VXAsset vXAsset) {
 		if(logger.isDebugEnabled()) {
 			logger.debug("==> AssetREST.createXAsset(" + vXAsset + ")");
@@ -177,6 +180,7 @@ public class AssetREST {
 	@PUT
 	@Path("/assets/{id}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_ASSET + "\")")
 	public VXAsset updateXAsset(VXAsset vXAsset) {
 		if(logger.isDebugEnabled()) {
 			logger.debug("==> AssetREST.updateXAsset(" + vXAsset + ")");
@@ -197,8 +201,8 @@ public class AssetREST {
 
 	@DELETE
 	@Path("/assets/{id}")
-	@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
 	@RangerAnnotationClassName(class_name = VXAsset.class)
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_ASSET + "\")")
 	public void deleteXAsset(@PathParam("id") Long id,
 			@Context HttpServletRequest request) {
 		if(logger.isDebugEnabled()) {
@@ -215,6 +219,7 @@ public class AssetREST {
 	@POST
 	@Path("/assets/testConfig")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.TEST_CONFIG + "\")")
 	public VXResponse testConfig(VXAsset vXAsset) {
 		if(logger.isDebugEnabled()) {
 			logger.debug("==> AssetREST.testConfig(" + vXAsset + ")");
@@ -234,6 +239,7 @@ public class AssetREST {
 	@GET
 	@Path("/assets")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_ASSETS + "\")")
 	public VXAssetList searchXAssets(@Context HttpServletRequest request) {
 		if(logger.isDebugEnabled()) {
 			logger.debug("==> AssetREST.searchXAssets()");
@@ -269,6 +275,7 @@ public class AssetREST {
 	@GET
 	@Path("/assets/count")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_ASSETS + "\")")
 	public VXLong countXAssets(@Context HttpServletRequest request) {
 		if(logger.isDebugEnabled()) {
 			logger.debug("==> AssetREST.countXAssets()");
@@ -547,8 +554,10 @@ public class AssetREST {
 	@GET
 	@Path("/exportAudit")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_POLICY_EXPORT_AUDITS + "\")")
 	public VXPolicyExportAuditList searchXPolicyExportAudits(
 			@Context HttpServletRequest request) {
+
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 				request, xPolicyExportAudits.sortFields);
 		searchUtil.extractString(request, searchCriteria, "agentId", 
@@ -572,7 +581,9 @@ public class AssetREST {
 	@GET
 	@Path("/report")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_REPORT_LOGS + "\")")
 	public VXTrxLogList getReportLogs(@Context HttpServletRequest request){
+
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 				request, xTrxLogService.sortFields);
 		searchUtil.extractInt(request, searchCriteria, "objectClassType", "Class type for report.");
@@ -592,6 +603,7 @@ public class AssetREST {
 	@GET
 	@Path("/report/{transactionId}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_TRANSACTION_REPORT + "\")")
 	public VXTrxLogList getTransactionReport(@Context HttpServletRequest request, 
 			@PathParam("transactionId") String transactionId){
 		return assetMgr.getTransactionReport(transactionId);
@@ -600,6 +612,7 @@ public class AssetREST {
 	@GET
 	@Path("/accessAudit")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_ACCESS_LOGS + "\")")
 	public VXAccessAuditList getAccessLogs(@Context HttpServletRequest request){
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 				request, xAccessAuditService.sortFields);

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1dbc7a1a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
index 059f787..2c30daa 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
@@ -312,7 +312,7 @@ public class PublicAPIsv2 {
 	@Produces({ "application/json", "application/xml" })
 	public List<RangerPolicy> searchPolicies(@PathParam("servicename") String serviceName,
 	                                         @Context HttpServletRequest request) {
-		return serviceREST.getServicePolicies(serviceName, request).getPolicies();
+		return serviceREST.getServicePoliciesByName(serviceName, request).getPolicies();
 	}
 
 	@POST

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1dbc7a1a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 3d2e8b0..f523d67 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -49,6 +49,7 @@ import org.apache.ranger.biz.RangerBizUtil;
 import org.apache.ranger.biz.ServiceDBStore;
 import org.apache.ranger.biz.ServiceMgr;
 import org.apache.ranger.biz.XUserMgr;
+import org.apache.ranger.common.AppConstants;
 import org.apache.ranger.common.GUIDUtil;
 import org.apache.ranger.common.MessageEnums;
 import org.apache.ranger.common.RESTErrorUtil;
@@ -81,6 +82,8 @@ import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
 import org.apache.ranger.plugin.util.SearchFilter;
 import org.apache.ranger.plugin.util.ServicePolicies;
+import org.apache.ranger.security.context.RangerAPIList;
+import org.apache.ranger.security.context.RangerPreAuthSecurityHandler;
 import org.apache.ranger.service.RangerPolicyService;
 import org.apache.ranger.service.RangerServiceDefService;
 import org.apache.ranger.service.RangerServiceService;
@@ -151,11 +154,10 @@ public class ServiceREST {
 	public ServiceREST() {
 	}
 
-
 	@POST
 	@Path("/definitions")
 	@Produces({ "application/json", "application/xml" })
-	@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_SERVICE_DEF + "\")")
 	public RangerServiceDef createServiceDef(RangerServiceDef serviceDef) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceREST.createServiceDef(" + serviceDef + ")");
@@ -189,7 +191,7 @@ public class ServiceREST {
 	@PUT
 	@Path("/definitions/{id}")
 	@Produces({ "application/json", "application/xml" })
-	@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_SERVICE_DEF + "\")")
 	public RangerServiceDef updateServiceDef(RangerServiceDef serviceDef) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceREST.updateServiceDef(" + serviceDef + ")");
@@ -223,7 +225,7 @@ public class ServiceREST {
 	@DELETE
 	@Path("/definitions/{id}")
 	@Produces({ "application/json", "application/xml" })
-	@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_SERVICE_DEF + "\")")
 	public void deleteServiceDef(@PathParam("id") Long id, @Context HttpServletRequest request) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceREST.deleteServiceDef(" + id + ")");
@@ -260,6 +262,7 @@ public class ServiceREST {
 	@GET
 	@Path("/definitions/{id}")
 	@Produces({ "application/json", "application/xml" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEF + "\")")
 	public RangerServiceDef getServiceDef(@PathParam("id") Long id) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceREST.getServiceDef(" + id + ")");
@@ -298,6 +301,7 @@ public class ServiceREST {
 	@GET
 	@Path("/definitions/name/{name}")
 	@Produces({ "application/json", "application/xml" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEF_BY_NAME + "\")")
 	public RangerServiceDef getServiceDefByName(@PathParam("name") String name) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceREST.getServiceDefByName(" + name + ")");
@@ -338,6 +342,7 @@ public class ServiceREST {
 	@GET
 	@Path("/definitions")
 	@Produces({ "application/json", "application/xml" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_DEFS + "\")")
 	public RangerServiceDefList getServiceDefs(@Context HttpServletRequest request) {
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceREST.getServiceDefs()");
@@ -366,7 +371,7 @@ public class ServiceREST {
 	@POST
 	@Path("/services")
 	@Produces({ "application/json", "application/xml" })
-	@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_SERVICE + "\")")
 	public RangerService createService(RangerService service) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceREST.createService(" + service + ")");
@@ -405,7 +410,7 @@ public class ServiceREST {
 	@PUT
 	@Path("/services/{id}")
 	@Produces({ "application/json", "application/xml" })
-	@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_SERVICE + "\")")
 	public RangerService updateService(RangerService service) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceREST.updateService(): " + service);
@@ -444,7 +449,7 @@ public class ServiceREST {
 	@DELETE
 	@Path("/services/{id}")
 	@Produces({ "application/json", "application/xml" })
-	@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_SERVICE + "\")")
 	public void deleteService(@PathParam("id") Long id) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceREST.deleteService(" + id + ")");
@@ -480,6 +485,7 @@ public class ServiceREST {
 	@GET
 	@Path("/services/{id}")
 	@Produces({ "application/json", "application/xml" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE + "\")")
 	public RangerService getService(@PathParam("id") Long id) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceREST.getService(" + id + ")");
@@ -511,6 +517,7 @@ public class ServiceREST {
 	@GET
 	@Path("/services/name/{name}")
 	@Produces({ "application/json", "application/xml" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICE_BY_NAME + "\")")
 	public RangerService getServiceByName(@PathParam("name") String name) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceREST.getServiceByName(" + name + ")");
@@ -542,6 +549,7 @@ public class ServiceREST {
 	@GET
 	@Path("/services")
 	@Produces({ "application/json", "application/xml" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICES + "\")")
 	public RangerServiceList getServices(@Context HttpServletRequest request) {
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceREST.getServices()");
@@ -595,6 +603,7 @@ public class ServiceREST {
 	@GET
 	@Path("/services/count")
 	@Produces({ "application/json", "application/xml" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_SERVICES + "\")")
 	public Long countServices(@Context HttpServletRequest request) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceREST.countServices():");
@@ -624,6 +633,7 @@ public class ServiceREST {
 	@POST
 	@Path("/services/validateConfig")
 	@Produces({ "application/json", "application/xml" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.VALIDATE_CONFIG + "\")")
 	public VXResponse validateConfig(RangerService service) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceREST.validateConfig(" + service + ")");
@@ -651,6 +661,7 @@ public class ServiceREST {
 	@POST
 	@Path("/services/lookupResource/{serviceName}")
 	@Produces({ "application/json", "application/xml" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.LOOKUP_RESOURCE + "\")")
 	public List<String> lookupResource(@PathParam("serviceName") String serviceName, ResourceLookupContext context) {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceREST.lookupResource(" + serviceName + ")");
@@ -1196,7 +1207,7 @@ public class ServiceREST {
 	@GET
 	@Path("/policies/service/name/{name}")
 	@Produces({ "application/json", "application/xml" })
-	public RangerPolicyList getServicePolicies(@PathParam("name") String serviceName,
+	public RangerPolicyList getServicePoliciesByName(@PathParam("name") String serviceName,
 			@Context HttpServletRequest request) {
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceREST.getServicePolicies(" + serviceName + ")");
@@ -1464,6 +1475,7 @@ public class ServiceREST {
 	@GET
 	@Path("/policies/eventTime")
 	@Produces({ "application/json", "application/xml" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_POLICY_FROM_EVENT_TIME + "\")")
 	public RangerPolicy getPolicyFromEventTime(@Context HttpServletRequest request) {
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceREST.getPolicyFromEventTime()");
@@ -1490,6 +1502,7 @@ public class ServiceREST {
 
 	@GET
 	@Path("/policy/{policyId}/versionList")
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_POLICY_VERSION_LIST + "\")")
 	public VXString getPolicyVersionList(@PathParam("policyId") Long policyId) {
 		return svcStore.getPolicyVersionList(policyId);
 	}
@@ -1497,6 +1510,7 @@ public class ServiceREST {
 	@GET
 	@Path("/policy/{policyId}/version/{versionNo}")
 	@Produces({ "application/json", "application/xml" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_POLICY_FOR_VERSION_NO + "\")")
 	public RangerPolicy getPolicyForVersionNumber(@PathParam("policyId") Long policyId,
 			@PathParam("versionNo") int versionNo) {
 		return svcStore.getPolicyForVersionNumber(policyId, versionNo);

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1dbc7a1a/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
index a9d0059..4c5e890 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
@@ -45,6 +45,8 @@ import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName;
 import org.apache.ranger.common.annotation.RangerAnnotationRestAPI;
 import org.apache.ranger.db.RangerDaoManager;
 import org.apache.ranger.entity.XXPortalUser;
+import org.apache.ranger.security.context.RangerAPIList;
+import org.apache.ranger.security.context.RangerPreAuthSecurityHandler;
 import org.apache.ranger.util.RangerRestUtil;
 import org.apache.ranger.view.VXPasswordChange;
 import org.apache.ranger.view.VXPortalUser;
@@ -99,7 +101,7 @@ public class UserREST {
 	 */
 	@GET
 	@Produces({ "application/xml", "application/json" })
-	@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_USERS + "\")")
 	public VXPortalUserList searchUsers(@Context HttpServletRequest request) {
 		String[] approvedSortByParams = new String[] { "requestDate",
 				"approvedDate", "activationDate", "emailAddress", "firstName",
@@ -150,6 +152,7 @@ public class UserREST {
 	@GET
 	@Path("{userId}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_USER_PROFILE_FOR_USER + "\")")
 	public VXPortalUser getUserProfileForUser(@PathParam("userId") Long userId) {
 		try {
 			VXPortalUser userProfile = userManager.getUserProfile(userId);
@@ -171,7 +174,7 @@ public class UserREST {
 	@POST
 	@Consumes({ "application/json", "application/xml" })
 	@Produces({ "application/xml", "application/json" })
-	@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE + "\")")
 	public VXPortalUser create(VXPortalUser userProfile,
 			@Context HttpServletRequest servletRequest) {
 		logger.info("create:" + userProfile.getEmailAddress());
@@ -184,7 +187,7 @@ public class UserREST {
 	@Path("/default")
 	@Consumes({ "application/json", "application/xml" })
 	@Produces({ "application/xml", "application/json" })
-	@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_DEFAULT_ACCOUNT_USER + "\")")
 	public VXPortalUser createDefaultAccountUser(VXPortalUser userProfile,
 			@Context HttpServletRequest servletRequest) {
 		VXPortalUser vxPortalUser;
@@ -201,6 +204,7 @@ public class UserREST {
 	@Consumes({ "application/json", "application/xml" })
 	@Produces({ "application/xml", "application/json" })
 	@RangerAnnotationRestAPI(updates_classes = "VUserProfile")
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE + "\")")
 	public VXPortalUser update(VXPortalUser userProfile,
 			@Context HttpServletRequest servletRequest) {
 		logger.info("update:" + userProfile.getEmailAddress());
@@ -222,6 +226,7 @@ public class UserREST {
 	@PUT
 	@Path("/{userId}/roles")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SET_USER_ROLES + "\")")
 	public VXResponse setUserRoles(@PathParam("userId") Long userId,
 			VXStringList roleList) {
 		userManager.checkAccess(userId);
@@ -240,7 +245,7 @@ public class UserREST {
 	@POST
 	@Path("{userId}/deactivate")
 	@Produces({ "application/xml", "application/json" })
-	@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DEACTIVATE_USER + "\")")
 	@RangerAnnotationClassName(class_name = VXPortalUser.class)
 	public VXPortalUser deactivateUser(@PathParam("userId") Long userId) {
 		XXPortalUser gjUser = daoManager.getXXPortalUser().getById(userId);

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1dbc7a1a/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java
index 531f395..cbe486b 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java
@@ -35,6 +35,7 @@ import org.apache.ranger.common.SearchCriteria;
 import org.apache.ranger.common.SearchUtil;
 import org.apache.ranger.common.annotation.RangerAnnotationClassName;
 import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName;
+import org.apache.ranger.security.context.RangerAPIList;
 import org.apache.ranger.service.XAccessAuditService;
 import org.apache.ranger.service.XTrxLogService;
 import org.apache.ranger.view.VXAccessAuditList;
@@ -71,6 +72,7 @@ public class XAuditREST {
 	@GET
 	@Path("/trx_log/{id}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_TRX_LOG + "\")")
 	public VXTrxLog getXTrxLog(
 			@PathParam("id") Long id) {
 		 return xAuditMgr.getXTrxLog(id);
@@ -79,6 +81,7 @@ public class XAuditREST {
 	@POST
 	@Path("/trx_log")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_TRX_LOG + "\")")
 	public VXTrxLog createXTrxLog(VXTrxLog vXTrxLog) {
 		 return xAuditMgr.createXTrxLog(vXTrxLog);
 	}
@@ -86,13 +89,14 @@ public class XAuditREST {
 	@PUT
 	@Path("/trx_log")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_TRX_LOG + "\")")
 	public VXTrxLog updateXTrxLog(VXTrxLog vXTrxLog) {
 		 return xAuditMgr.updateXTrxLog(vXTrxLog);
 	}
 
 	@DELETE
 	@Path("/trx_log/{id}")
-	@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_TRX_LOG + "\")")
 	@RangerAnnotationClassName(class_name = VXTrxLog.class)
 	public void deleteXTrxLog(@PathParam("id") Long id,
 			@Context HttpServletRequest request) {
@@ -109,6 +113,7 @@ public class XAuditREST {
 	@GET
 	@Path("/trx_log")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_TRX_LOG + "\")")
 	public VXTrxLogList searchXTrxLogs(@Context HttpServletRequest request) {
 		 SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 		 request, xTrxLogService.sortFields);
@@ -118,6 +123,7 @@ public class XAuditREST {
 	@GET
 	@Path("/trx_log/count")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_TRX_LOGS + "\")")
 	public VXLong countXTrxLogs(@Context HttpServletRequest request) {
 		 SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 		 request, xTrxLogService.sortFields);
@@ -135,6 +141,7 @@ public class XAuditREST {
 	@GET
 	@Path("/access_audit")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_ACCESS_AUDITS + "\")")
 	public VXAccessAuditList searchXAccessAudits(@Context HttpServletRequest request) {
 		 SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 		 request, xAccessAuditService.sortFields);
@@ -144,6 +151,7 @@ public class XAuditREST {
 	@GET
 	@Path("/access_audit/count")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_ACCESS_AUDITS + "\")")
 	public VXLong countXAccessAudits(@Context HttpServletRequest request) {
 		 SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 		 request, xAccessAuditService.sortFields);

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1dbc7a1a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
index 1c0f9fc..c374f8e 100755
--- a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
@@ -35,12 +35,15 @@ import org.apache.ranger.common.MessageEnums;
 import org.apache.ranger.common.RESTErrorUtil;
 import org.apache.ranger.common.SearchUtil;
 import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName;
+import org.apache.ranger.security.context.RangerAPIList;
+import org.apache.ranger.security.context.RangerPreAuthSecurityHandler;
 import org.apache.ranger.view.VXKmsKey;
 import org.apache.ranger.view.VXKmsKeyList;
 import org.codehaus.jettison.json.JSONException;
 import org.codehaus.jettison.json.JSONObject;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Scope;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Component;
 import org.springframework.transaction.annotation.Propagation;
 import org.springframework.transaction.annotation.Transactional;
@@ -66,7 +69,7 @@ public class XKeyREST {
 	
 	@Autowired
 	RESTErrorUtil restErrorUtil;
-		
+	
 	/**
 	 * Implements the traditional search functionalities for Keys
 	 * 
@@ -76,6 +79,7 @@ public class XKeyREST {
 	@GET
 	@Path("/keys")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_KEYS + "\")")
 	public VXKmsKeyList searchKeys(@Context HttpServletRequest request, @QueryParam("provider") String provider) {
 		VXKmsKeyList vxKmsKeyList = new VXKmsKeyList();
 		try{
@@ -94,6 +98,7 @@ public class XKeyREST {
 	@PUT
 	@Path("/key")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.ROLLOVER_KEYS + "\")")
 	public VXKmsKey rolloverKey(@QueryParam("provider") String provider, VXKmsKey vXKey) {
 		VXKmsKey vxKmsKey = new VXKmsKey();
 		try{
@@ -120,6 +125,7 @@ public class XKeyREST {
 	@DELETE
 	@Path("/key/{alias}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_KEY + "\")")
 	public void deleteKey(@PathParam("alias") String name, @QueryParam("provider") String provider, @Context HttpServletRequest request) {
 		try{
 			if (name == null || name.isEmpty()) {
@@ -140,6 +146,7 @@ public class XKeyREST {
 	@POST
 	@Path("/key")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_KEY + "\")")
 	public VXKmsKey createKey(@QueryParam("provider") String provider, VXKmsKey vXKey) {
 		VXKmsKey vxKmsKey = new VXKmsKey();
 		try{
@@ -167,6 +174,7 @@ public class XKeyREST {
 	@GET
 	@Path("/key/{alias}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_KEY + "\")")
 	public VXKmsKey getKey(@PathParam("alias") String name,@QueryParam("provider") String provider){
 		VXKmsKey vxKmsKey = new VXKmsKey();
 		try{

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1dbc7a1a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
index 93980b4..472dad6 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
@@ -36,6 +36,7 @@ import org.apache.log4j.Logger;
 import org.apache.ranger.biz.RangerBizUtil;
 import org.apache.ranger.biz.SessionMgr;
 import org.apache.ranger.biz.XUserMgr;
+import org.apache.ranger.common.MessageEnums;
 import org.apache.ranger.common.RESTErrorUtil;
 import org.apache.ranger.common.SearchCriteria;
 import org.apache.ranger.common.SearchUtil;
@@ -43,6 +44,9 @@ import org.apache.ranger.common.StringUtil;
 import org.apache.ranger.common.annotation.RangerAnnotationClassName;
 import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName;
 import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.security.context.RangerAPIList;
+import org.apache.ranger.security.context.RangerAPIMapping;
+import org.apache.ranger.security.context.RangerPreAuthSecurityHandler;
 import org.apache.ranger.service.AuthSessionService;
 import org.apache.ranger.service.XAuditMapService;
 import org.apache.ranger.service.XGroupGroupService;
@@ -51,6 +55,7 @@ import org.apache.ranger.service.XGroupService;
 import org.apache.ranger.service.XGroupUserService;
 import org.apache.ranger.service.XModuleDefService;
 import org.apache.ranger.service.XPermMapService;
+import org.apache.ranger.service.XResourceService;
 import org.apache.ranger.service.XUserPermissionService;
 import org.apache.ranger.service.XUserService;
 import org.apache.ranger.view.VXAuditMap;
@@ -138,11 +143,15 @@ public class XUserREST {
 
 	@Autowired
 	RangerBizUtil bizUtil;
+	
+	@Autowired
+	XResourceService xResourceService;
 
 	// Handle XGroup
 	@GET
 	@Path("/groups/{id}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP + "\")")
 	public VXGroup getXGroup(@PathParam("id") Long id) {
 		return xUserMgr.getXGroup(id);
 	}
@@ -150,6 +159,7 @@ public class XUserREST {
 	@GET
 	@Path("/secure/groups/{id}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SECURE_GET_X_GROUP + "\")")
 	public VXGroup secureGetXGroup(@PathParam("id") Long id) {
 		return xUserMgr.getXGroup(id);
 	}
@@ -187,6 +197,7 @@ public class XUserREST {
 	@PUT
 	@Path("/secure/groups/visibility")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.MODIFY_GROUPS_VISIBILITY + "\")")
 	public void modifyGroupsVisibility(HashMap<Long, Integer> groupVisibilityMap){
 		 xUserMgr.modifyGroupsVisibility(groupVisibilityMap);
 	}
@@ -210,6 +221,7 @@ public class XUserREST {
 	@GET
 	@Path("/groups")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUPS + "\")")
 	public VXGroupList searchXGroups(@Context HttpServletRequest request) {
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 				request, xGroupService.sortFields);
@@ -224,6 +236,7 @@ public class XUserREST {
 	@GET
 	@Path("/groups/count")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUPS + "\")")
 	public VXLong countXGroups(@Context HttpServletRequest request) {
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 				request, xGroupService.sortFields);
@@ -235,6 +248,7 @@ public class XUserREST {
 	@GET
 	@Path("/users/{id}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER + "\")")
 	public VXUser getXUser(@PathParam("id") Long id) {
 		return xUserMgr.getXUser(id);
 	}
@@ -242,6 +256,7 @@ public class XUserREST {
 	@GET
 	@Path("/secure/users/{id}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SECURE_GET_X_USER + "\")")
 	public VXUser secureGetXUser(@PathParam("id") Long id) {
 		return xUserMgr.getXUser(id);
 	}
@@ -291,6 +306,7 @@ public class XUserREST {
 	@PUT
 	@Path("/secure/users/visibility")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.MODIFY_USER_VISIBILITY + "\")")
 	public void modifyUserVisibility(HashMap<Long, Integer> visibilityMap){
 		 xUserMgr.modifyUserVisibility(visibilityMap);
 	}
@@ -314,6 +330,7 @@ public class XUserREST {
 	@GET
 	@Path("/users")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_USERS + "\")")
 	public VXUserList searchXUsers(@Context HttpServletRequest request) {
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 				request, xUserService.sortFields);
@@ -334,6 +351,7 @@ public class XUserREST {
 	@GET
 	@Path("/users/count")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_USERS + "\")")
 	public VXLong countXUsers(@Context HttpServletRequest request) {
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 				request, xUserService.sortFields);
@@ -345,6 +363,7 @@ public class XUserREST {
 	@GET
 	@Path("/groupusers/{id}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_USER + "\")")
 	public VXGroupUser getXGroupUser(@PathParam("id") Long id) {
 		return xUserMgr.getXGroupUser(id);
 	}
@@ -383,6 +402,7 @@ public class XUserREST {
 	@GET
 	@Path("/groupusers")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUP_USERS + "\")")
 	public VXGroupUserList searchXGroupUsers(@Context HttpServletRequest request) {
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 				request, xGroupUserService.sortFields);
@@ -392,6 +412,7 @@ public class XUserREST {
 	@GET
 	@Path("/groupusers/count")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUP_USERS + "\")")
 	public VXLong countXGroupUsers(@Context HttpServletRequest request) {
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 				request, xGroupUserService.sortFields);
@@ -403,6 +424,7 @@ public class XUserREST {
 	@GET
 	@Path("/groupgroups/{id}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_GROUP + "\")")
 	public VXGroupGroup getXGroupGroup(@PathParam("id") Long id) {
 		return xUserMgr.getXGroupGroup(id);
 	}
@@ -440,6 +462,7 @@ public class XUserREST {
 	@GET
 	@Path("/groupgroups")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUP_GROUPS + "\")")
 	public VXGroupGroupList searchXGroupGroups(
 			@Context HttpServletRequest request) {
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
@@ -450,6 +473,7 @@ public class XUserREST {
 	@GET
 	@Path("/groupgroups/count")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUP_GROUPS + "\")")
 	public VXLong countXGroupGroups(@Context HttpServletRequest request) {
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 				request, xGroupGroupService.sortFields);
@@ -461,28 +485,53 @@ public class XUserREST {
 	@GET
 	@Path("/permmaps/{id}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_PERM_MAP + "\")")
 	public VXPermMap getXPermMap(@PathParam("id") Long id) {
-		return xUserMgr.getXPermMap(id);
+		VXPermMap permMap = xUserMgr.getXPermMap(id);
+
+		if (permMap != null) {
+			if (xResourceService.readResource(permMap.getResourceId()) == null) {
+				throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + permMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+			}
+		}
+
+		return permMap;
 	}
 
 	@POST
 	@Path("/permmaps")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_PERM_MAP + "\")")
 	public VXPermMap createXPermMap(VXPermMap vXPermMap) {
+
+		if (vXPermMap != null) {
+			if (xResourceService.readResource(vXPermMap.getResourceId()) == null) {
+				throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXPermMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+			}
+		}
+
 		return xUserMgr.createXPermMap(vXPermMap);
 	}
 
 	@PUT
 	@Path("/permmaps")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_PERM_MAP + "\")")
 	public VXPermMap updateXPermMap(VXPermMap vXPermMap) {
+
+		if (vXPermMap != null) {
+			if (xResourceService.readResource(vXPermMap.getResourceId()) == null) {
+				throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXPermMap.getResourceId());
+			}
+		}
+
 		return xUserMgr.updateXPermMap(vXPermMap);
 	}
 
 	@DELETE
 	@Path("/permmaps/{id}")
-	@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
 	@RangerAnnotationClassName(class_name = VXPermMap.class)
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_PERM_MAP + "\")")
 	public void deleteXPermMap(@PathParam("id") Long id,
 			@Context HttpServletRequest request) {
 		boolean force = false;
@@ -498,6 +547,7 @@ public class XUserREST {
 	@GET
 	@Path("/permmaps")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_PERM_MAPS + "\")")
 	public VXPermMapList searchXPermMaps(@Context HttpServletRequest request) {
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 				request, xPermMapService.sortFields);
@@ -507,6 +557,7 @@ public class XUserREST {
 	@GET
 	@Path("/permmaps/count")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_PERM_MAPS + "\")")
 	public VXLong countXPermMaps(@Context HttpServletRequest request) {
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 				request, xPermMapService.sortFields);
@@ -518,28 +569,53 @@ public class XUserREST {
 	@GET
 	@Path("/auditmaps/{id}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_AUDIT_MAP + "\")")
 	public VXAuditMap getXAuditMap(@PathParam("id") Long id) {
-		return xUserMgr.getXAuditMap(id);
+		VXAuditMap vXAuditMap = xUserMgr.getXAuditMap(id);
+
+		if (vXAuditMap != null) {
+			if (xResourceService.readResource(vXAuditMap.getResourceId()) == null) {
+				throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXAuditMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+			}
+		}
+
+		return vXAuditMap;
 	}
 
 	@POST
 	@Path("/auditmaps")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_AUDIT_MAP + "\")")
 	public VXAuditMap createXAuditMap(VXAuditMap vXAuditMap) {
+
+		if (vXAuditMap != null) {
+			if (xResourceService.readResource(vXAuditMap.getResourceId()) == null) {
+				throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXAuditMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+			}
+		}
+
 		return xUserMgr.createXAuditMap(vXAuditMap);
 	}
 
 	@PUT
 	@Path("/auditmaps")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_AUDIT_MAP + "\")")
 	public VXAuditMap updateXAuditMap(VXAuditMap vXAuditMap) {
+
+		if (vXAuditMap != null) {
+			if (xResourceService.readResource(vXAuditMap.getResourceId()) == null) {
+				throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + vXAuditMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA);
+			}
+		}
+
 		return xUserMgr.updateXAuditMap(vXAuditMap);
 	}
 
 	@DELETE
 	@Path("/auditmaps/{id}")
-	@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
 	@RangerAnnotationClassName(class_name = VXAuditMap.class)
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_AUDIT_MAP + "\")")
 	public void deleteXAuditMap(@PathParam("id") Long id,
 			@Context HttpServletRequest request) {
 		boolean force = false;
@@ -555,6 +631,7 @@ public class XUserREST {
 	@GET
 	@Path("/auditmaps")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_AUDIT_MAPS + "\")")
 	public VXAuditMapList searchXAuditMaps(@Context HttpServletRequest request) {
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 				request, xAuditMapService.sortFields);
@@ -564,6 +641,7 @@ public class XUserREST {
 	@GET
 	@Path("/auditmaps/count")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_AUDIT_MAPS + "\")")
 	public VXLong countXAuditMaps(@Context HttpServletRequest request) {
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 				request, xAuditMapService.sortFields);
@@ -575,6 +653,7 @@ public class XUserREST {
 	@GET
 	@Path("/users/userName/{userName}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER_BY_USER_NAME + "\")")
 	public VXUser getXUserByUserName(@Context HttpServletRequest request,
 			@PathParam("userName") String userName) {
 		return xUserMgr.getXUserByUserName(userName);
@@ -583,6 +662,7 @@ public class XUserREST {
 	@GET
 	@Path("/groups/groupName/{groupName}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_BY_GROUP_NAME + "\")")
 	public VXGroup getXGroupByGroupName(@Context HttpServletRequest request,
 			@PathParam("groupName") String groupName) {
 		return xGroupService.getGroupByGroupName(groupName);
@@ -629,6 +709,7 @@ public class XUserREST {
 	@GET
 	@Path("/{userId}/groups")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER_GROUPS + "\")")
 	public VXGroupList getXUserGroups(@Context HttpServletRequest request, 
 			@PathParam("userId") Long id){
 		return xUserMgr.getXUserGroups(id);
@@ -637,6 +718,7 @@ public class XUserREST {
 	@GET
 	@Path("/{groupId}/users")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_USERS + "\")")
 	public VXUserList getXGroupUsers(@Context HttpServletRequest request, 
 			@PathParam("groupId") Long id){
 		return xUserMgr.getXGroupUsers(id);
@@ -645,6 +727,7 @@ public class XUserREST {
 	@GET
 	@Path("/authSessions")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_AUTH_SESSIONS + "\")")
 	public VXAuthSessionList getAuthSessions(@Context HttpServletRequest request){
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 				request, authSessionService.AUTH_SESSION_SORT_FLDS);
@@ -666,6 +749,7 @@ public class XUserREST {
 	@GET
 	@Path("/authSessions/info")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_AUTH_SESSION + "\")")
 	public VXAuthSession getAuthSession(@Context HttpServletRequest request){
 		String authSessionId = request.getParameter("extSessionId");
 		return sessionMgr.getAuthSessionBySessionId(authSessionId);
@@ -675,6 +759,7 @@ public class XUserREST {
 	@POST
 	@Path("/permission")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_MODULE_DEF_PERMISSION + "\")")
 	public VXModuleDef createXModuleDefPermission(VXModuleDef vXModuleDef) {
 		return xUserMgr.createXModuleDefPermission(vXModuleDef);
 	}
@@ -682,6 +767,7 @@ public class XUserREST {
 	@GET
 	@Path("/permission/{id}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_MODULE_DEF_PERMISSION + "\")")
 	public VXModuleDef getXModuleDefPermission(@PathParam("id") Long id) {
 		return xUserMgr.getXModuleDefPermission(id);
 	}
@@ -689,13 +775,14 @@ public class XUserREST {
 	@PUT
 	@Path("/permission/{id}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_MODULE_DEF_PERMISSION + "\")")
 	public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) {
 		return xUserMgr.updateXModuleDefPermission(vXModuleDef);
 	}
 
 	@DELETE
 	@Path("/permission/{id}")
-	@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_MODULE_DEF_PERMISSION + "\")")
 	public void deleteXModuleDefPermission(@PathParam("id") Long id,
 			@Context HttpServletRequest request) {
 		boolean force = true;
@@ -705,6 +792,7 @@ public class XUserREST {
 	@GET
 	@Path("/permission")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_MODULE_DEF + "\")")
 	public VXModuleDefList searchXModuleDef(@Context HttpServletRequest request) {
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 				request, xModuleDefService.sortFields);
@@ -725,6 +813,7 @@ public class XUserREST {
 	@GET
 	@Path("/permission/count")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_MODULE_DEF + "\")")
 	public VXLong countXModuleDef(@Context HttpServletRequest request) {
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 				request, xModuleDefService.sortFields);
@@ -735,6 +824,7 @@ public class XUserREST {
 	@POST
 	@Path("/permission/user")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_USER_PERMISSION + "\")")
 	public VXUserPermission createXUserPermission(
 			VXUserPermission vXUserPermission) {
 		return xUserMgr.createXUserPermission(vXUserPermission);
@@ -743,6 +833,7 @@ public class XUserREST {
 	@GET
 	@Path("/permission/user/{id}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_USER_PERMISSION + "\")")
 	public VXUserPermission getXUserPermission(@PathParam("id") Long id) {
 		return xUserMgr.getXUserPermission(id);
 	}
@@ -750,6 +841,7 @@ public class XUserREST {
 	@PUT
 	@Path("/permission/user/{id}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_USER_PERMISSION + "\")")
 	public VXUserPermission updateXUserPermission(
 			VXUserPermission vXUserPermission) {
 		return xUserMgr.updateXUserPermission(vXUserPermission);
@@ -757,7 +849,7 @@ public class XUserREST {
 
 	@DELETE
 	@Path("/permission/user/{id}")
-	@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_USER_PERMISSION + "\")")
 	public void deleteXUserPermission(@PathParam("id") Long id,
 			@Context HttpServletRequest request) {
 		boolean force = true;
@@ -767,6 +859,7 @@ public class XUserREST {
 	@GET
 	@Path("/permission/user")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_USER_PERMISSION + "\")")
 	public VXUserPermissionList searchXUserPermission(
 			@Context HttpServletRequest request) {
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
@@ -782,6 +875,7 @@ public class XUserREST {
 	@GET
 	@Path("/permission/user/count")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_USER_PERMISSION + "\")")
 	public VXLong countXUserPermission(@Context HttpServletRequest request) {
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 				request, xUserPermissionService.sortFields);
@@ -792,6 +886,7 @@ public class XUserREST {
 	@POST
 	@Path("/permission/group")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_GROUP_PERMISSION + "\")")
 	public VXGroupPermission createXGroupPermission(
 			VXGroupPermission vXGroupPermission) {
 		return xUserMgr.createXGroupPermission(vXGroupPermission);
@@ -800,6 +895,7 @@ public class XUserREST {
 	@GET
 	@Path("/permission/group/{id}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_X_GROUP_PERMISSION + "\")")
 	public VXGroupPermission getXGroupPermission(@PathParam("id") Long id) {
 		return xUserMgr.getXGroupPermission(id);
 	}
@@ -807,6 +903,7 @@ public class XUserREST {
 	@PUT
 	@Path("/permission/group/{id}")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_GROUP_PERMISSION + "\")")
 	public VXGroupPermission updateXGroupPermission(
 			VXGroupPermission vXGroupPermission) {
 		return xUserMgr.updateXGroupPermission(vXGroupPermission);
@@ -814,7 +911,7 @@ public class XUserREST {
 
 	@DELETE
 	@Path("/permission/group/{id}")
-	@PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_X_GROUP_PERMISSION + "\")")
 	public void deleteXGroupPermission(@PathParam("id") Long id,
 			@Context HttpServletRequest request) {
 		boolean force = true;
@@ -824,6 +921,7 @@ public class XUserREST {
 	@GET
 	@Path("/permission/group")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SEARCH_X_GROUP_PERMISSION + "\")")
 	public VXGroupPermissionList searchXGroupPermission(
 			@Context HttpServletRequest request) {
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
@@ -838,6 +936,7 @@ public class XUserREST {
 	@GET
 	@Path("/permission/group/count")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_GROUP_PERMISSION + "\")")
 	public VXLong countXGroupPermission(@Context HttpServletRequest request) {
 		SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
 				request, xGroupPermissionService.sortFields);
@@ -847,6 +946,7 @@ public class XUserREST {
 	@PUT
 	@Path("/secure/users/activestatus")
 	@Produces({ "application/xml", "application/json" })
+	@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.MODIFY_USER_ACTIVE_STATUS + "\")")
 	public void modifyUserActiveStatus(HashMap<Long, Integer> statusMap){
 		 xUserMgr.modifyUserActiveStatus(statusMap);
 	}


Mime
View raw message