From: gautam@apache.org To: commits@ranger.incubator.apache.org Message-Id: <919fdca3fe6d42c19b61b766cc9b6d65@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: incubator-ranger git commit: RANGER-688 : Handle scenario where ids of XUser and XPortalUser are not in sync Date: Thu, 15 Oct 2015 06:55:40 +0000 (UTC) Repository: incubator-ranger Updated Branches: refs/heads/ranger-0.5 6dbc6232f -> 7bce05377 RANGER-688 : Handle scenario where ids of XUser and XPortalUser are not in sync Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/7bce0537 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/7bce0537 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/7bce0537 Branch: refs/heads/ranger-0.5 Commit: 7bce05377cc4fbede3a6022d42272a5c0f6c8d1c Parents: 6dbc623 Author: Gautam Borad Authored: Wed Oct 14 15:10:57 2015 +0530 Committer: Gautam Borad Committed: Thu Oct 15 12:25:33 2015 +0530 ---------------------------------------------------------------------- security-admin/scripts/setup.sh | 20 +++--- .../java/org/apache/ranger/biz/XUserMgr.java | 35 +++++++---- .../apache/ranger/common/UserSessionBase.java | 3 +- .../org/apache/ranger/db/XXPortalUserDao.java | 21 ++++--- .../java/org/apache/ranger/db/XXUserDao.java | 12 ++++ .../apache/ranger/db/XXUserPermissionDao.java | 5 +- .../patch/PatchPersmissionModel_J10003.java | 4 +- .../ranger/service/XUserPermissionService.java | 24 ++------ .../service/XUserPermissionServiceBase.java | 65 ++++++++++++++++++-- .../resources/META-INF/jpa_named_queries.xml | 7 ++- 10 files changed, 131 insertions(+), 65 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7bce0537/security-admin/scripts/setup.sh ---------------------------------------------------------------------- 
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh index 9710706..cd5d2bf 100755 --- a/security-admin/scripts/setup.sh +++ b/security-admin/scripts/setup.sh @@ -1513,26 +1513,22 @@ setup_install_files(){ log "[I] Copying ${WEBAPP_ROOT}/WEB-INF/classes/conf.dist ${WEBAPP_ROOT}/WEB-INF/classes/conf" mkdir -p ${WEBAPP_ROOT}/WEB-INF/classes/conf cp ${WEBAPP_ROOT}/WEB-INF/classes/conf.dist/* ${WEBAPP_ROOT}/WEB-INF/classes/conf + fi + if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf fi - if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then - chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf - fi - if [ ! -d ${WEBAPP_ROOT}/WEB-INF/classes/lib ]; then log "[I] Creating ${WEBAPP_ROOT}/WEB-INF/classes/lib" mkdir -p ${WEBAPP_ROOT}/WEB-INF/classes/lib + fi + if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/lib ]; then chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/lib fi if [ -d /etc/init.d ]; then log "[I] Setting up init.d" cp ${INSTALL_DIR}/ews/${RANGER_ADMIN_INITD} /etc/init.d/${RANGER_ADMIN} - if [ "${unix_user}" != "ranger" ]; then - sed 's/LINUX_USER=ranger/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_ADMIN} - fi - chmod ug+rx /etc/init.d/${RANGER_ADMIN} if [ -d /etc/rc2.d ] 
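Review bot: The relocated `chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf` and `.../classes/lib` lines expand both variables unquoted, so a path or account name containing whitespace or glob characters is split into extra arguments of a recursive ownership change that the installer presumably runs as root. Quote both expansions, e.g. `chown -R "${unix_user}" "${WEBAPP_ROOT}/WEB-INF/classes/conf"`. The `chown` lines in the `@@ -1571` hunk have the same form. setup_install_files starts and ends outside this hunk.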
@@ -1571,15 +1567,19 @@ setup_install_files(){ ln -s /etc/init.d/${RANGER_ADMIN} $RC_DIR/K90${RANGER_ADMIN} fi fi + if [ -f /etc/init.d/${RANGER_ADMIN} ]; then + if [ "${unix_user}" != "ranger" ]; then + sed 's/^LINUX_USER=.*$/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_ADMIN} + fi + fi if [ ! -d ${XAPOLICYMGR_DIR}/ews/logs ]; then log "[I] ${XAPOLICYMGR_DIR}/ews/logs folder" mkdir -p ${XAPOLICYMGR_DIR}/ews/logs - chown -R ${unix_user} ${XAPOLICYMGR_DIR}/ews/logs fi - if [ -d ${XAPOLICYMGR_DIR}/ews/logs ]; then chown -R ${unix_user} ${XAPOLICYMGR_DIR}/ews/logs + chown -R ${unix_user} ${XAPOLICYMGR_DIR}/ews/logs/* fi log "[I] Setting up installation files and directory DONE"; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7bce0537/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index b860877..572323f 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 
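Review bot: The added `sed 's/^LINUX_USER=.*$/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_ADMIN}` splices `${unix_user}` into the sed program outside any quoting, so a value containing `/`, `&` or whitespace breaks or alters the substitution, and the rewritten line decides which account the init script starts the service under. Reject names with characters outside `[A-Za-z0-9_-]` before this point and keep the expansion inside double quotes. Separately, the added `chown -R ${unix_user} ${XAPOLICYMGR_DIR}/ews/logs/*` repeats what the recursive chown on the directory already did, and it prints an error when the directory is empty because the glob stays literal. setup_install_files starts outside this hunk.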
@@ -242,38 +242,47 @@ public class XUserMgr extends XUserMgrBase { if (role.equals(RangerConstants.ROLE_USER)) { - createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate); - createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate); + createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate); + createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate); } else if (role.equals(RangerConstants.ROLE_SYS_ADMIN)) { - createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate); - createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate); - createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_AUDIT), isCreate); - createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_USER_GROUPS), isCreate); + createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate); + createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate); + createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_AUDIT), isCreate); + createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_USER_GROUPS), isCreate); } else if (role.equals(RangerConstants.ROLE_KEY_ADMIN)) { - createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_KEY_MANAGER), isCreate); - createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate); - createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate); + 
createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_KEY_MANAGER), isCreate); + createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate); + createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate); } } } // Insert or Updating Mapping permissions depending upon roles - private void createOrUpdateUserPermisson(Long portalUserId, Long moduleId, boolean isCreate) { + private void createOrUpdateUserPermisson(VXPortalUser portalUser, Long moduleId, boolean isCreate) { VXUserPermission vXUserPermission; - XXUserPermission xUserPermission = daoManager.getXXUserPermission().findByModuleIdAndUserId(portalUserId, moduleId); + XXUserPermission xUserPermission = daoManager.getXXUserPermission().findByModuleIdAndPortalUserId(portalUser.getId(), moduleId); if (xUserPermission == null) { vXUserPermission = new VXUserPermission(); - vXUserPermission.setUserId(portalUserId); + + // When Creating XXUserPermission UI sends xUserId, to keep it consistent here xUserId should be used + XXUser xUser = daoManager.getXXUser().findByPortalUserId(portalUser.getId()); + if (xUser == null) { + logger.warn("Could not found corresponding xUser for username: [" + portalUser.getLoginId() + "], So not assigning permission to this user"); + return; + } else { + vXUserPermission.setUserId(xUser.getId()); + } + vXUserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED); vXUserPermission.setModuleId(moduleId); try { vXUserPermission = this.createXUserPermission(vXUserPermission); logger.info("Permission assigned to user: [" + vXUserPermission.getUserName() + "] For Module: [" + vXUserPermission.getModuleName() + "]"); } catch (Exception e) { - logger.error("Error while assigning permission to user: [" + portalUserId + "] for module: [" + moduleId + "]", e); + logger.error("Error while assigning permission to user: [" + portalUser.getLoginId() + "] for module: [" + 
moduleId + "]", e); } } else if (isCreate) { vXUserPermission = xUserPermissionService.populateViewBean(xUserPermission); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7bce0537/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java index 59e55f3..175459c 100644 --- a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java +++ b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java @@ -128,7 +128,8 @@ public class UserSessionBase implements Serializable { - public static class RangerUserPermission { + public static class RangerUserPermission implements Serializable { + private static final long serialVersionUID = 1L; protected CopyOnWriteArraySet userPermissions; protected Long lastUpdatedTime; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7bce0537/security-admin/src/main/java/org/apache/ranger/db/XXPortalUserDao.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXPortalUserDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXPortalUserDao.java index d3467f8..393252c 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXPortalUserDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXPortalUserDao.java @@ -21,9 +21,10 @@ package org.apache.ranger.db; import java.util.List; +import javax.persistence.NoResultException; + import org.apache.ranger.common.db.BaseDao; import org.apache.ranger.entity.XXPortalUser; -import org.apache.ranger.entity.XXPortalUserRole; public class XXPortalUserDao extends BaseDao { 
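Review bot: In `createOrUpdateUserPermisson` the existence check and the insert now use different id spaces: the lookup passes `portalUser.getId()` to `findByModuleIdAndPortalUserId`, while the new row is stored with `vXUserPermission.setUserId(xUser.getId())`. The jpa_named_queries.xml text at the end of this page is cut off, but if the renamed query still compares `XXUserPermObj.userId` with the bound value as it appears to, then on installations where the two ids differ the lookup can miss the row just written or match a row that belongs to a different user, which the `else if (isCreate)` branch then updates. Resolve the XXUser before the lookup and search with its id, or have the query join through the login name the way `XXUser.findByPortalUserId` does. The `else if (isCreate)` branch continues outside the hunk.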
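Review bot: Making `RangerUserPermission` `Serializable` means the cached `userPermissions` set is written out and restored with the session wherever sessions are persisted or replicated, so authorization state can presumably come back from the session store instead of from the database. Say so on the class, e.g. `// Serialized with the user session; restored permissions are only as fresh and as trustworthy as the session store`, and confirm that `lastUpdatedTime` is still checked after a restore. The class body continues outside the hunk.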
@@ -76,16 +77,16 @@ public class XXPortalUserDao extends BaseDao {
 .getResultList();
 }
-
- public XXPortalUser findByXUserId(Long id) {
-
- List resultList = getEntityManager()
- .createNamedQuery("XXPortalUser.findByXUserId")
- .setParameter("id", id).getResultList();
- if (resultList.size() != 0) {
- return (XXPortalUser) resultList.get(0);
+ public XXPortalUser findByXUserId(Long xUserId) {
+ if (xUserId == null) {
+ return null;
+ }
+ try {
+ return getEntityManager().createNamedQuery("XXPortalUser.findByXUserId", tClass)
+ .setParameter("id", xUserId).getSingleResult();
+ } catch (NoResultException e) {
+ return null;
 }
- return null;
 }
 @SuppressWarnings("unchecked")
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7bce0537/security-admin/src/main/java/org/apache/ranger/db/XXUserDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXUserDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXUserDao.java
index 0887594..225e733 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXUserDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXUserDao.java
@@ -64,4 +64,16 @@ public class XXUserDao extends BaseDao {
 return null;
 }
 }
+
+ public XXUser findByPortalUserId(Long portalUserId) {
+ if (portalUserId == null) {
+ return null;
+ }
+ try {
+ return getEntityManager().createNamedQuery("XXUser.findByPortalUserId", tClass)
+ .setParameter("portalUserId", portalUserId).getSingleResult();
+ } catch (NoResultException e) {
+ return null;
+ }
+ }
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7bce0537/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java
----------------------------------------------------------------------
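Review bot: `getSingleResult()` in the rewritten `findByXUserId` throws `NonUniqueResultException` when more than one row matches, and only `NoResultException` is caught, whereas the removed code returned the first element of the result list. A duplicate mapping therefore now surfaces as an unchecked exception in whatever caller resolves the user, instead of being tolerated. The new `XXUserDao.findByPortalUserId` in the next file section has the same shape, and the named-query text on this page shows it matching on `obj.name = portalUser.loginId`, so uniqueness depends on those two columns. Either add `catch (NonUniqueResultException e)` with a log line and a defined return value, or document on both methods that the mapping is required to be unique.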
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java index e10dc14..2db6fd6 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java @@ -25,7 +25,6 @@ import javax.persistence.NoResultException; import org.apache.log4j.Logger; import org.apache.ranger.common.RangerCommonEnums; import org.apache.ranger.common.db.BaseDao; -import org.apache.ranger.entity.XXGroupUser; import org.apache.ranger.entity.XXUserPermission; public class XXUserPermissionDao extends BaseDao{ @@ -99,10 +98,10 @@ public class XXUserPermissionDao extends BaseDao{ return null; } - public XXUserPermission findByModuleIdAndUserId(Long userId, Long moduleId) { + public XXUserPermission findByModuleIdAndPortalUserId(Long userId, Long moduleId) { if (userId != null) { try { - return getEntityManager().createNamedQuery("XXUserPermission.findByModuleIdAndUserId", XXUserPermission.class) + return getEntityManager().createNamedQuery("XXUserPermission.findByModuleIdAndPortalUserId", XXUserPermission.class) .setParameter("userId", userId) .setParameter("moduleId", moduleId) .getSingleResult(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7bce0537/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java b/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java index f0aa938..804d08e 100644 --- a/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java +++ b/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java 
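Review bot: `findByModuleIdAndPortalUserId(Long userId, Long moduleId)` keeps the parameter name `userId` and takes its arguments in the opposite order to the method name; both are `Long`, so a caller that swaps them or passes an XUser id compiles and silently queries the wrong row. Since the commit exists because the two id spaces were confused, rename the parameter to `portalUserId` and add a Javadoc line such as `@param portalUserId id of the XXPortalUser row, not the XXUser id`. The method's closing lines are outside the hunk.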
@@ -84,9 +84,9 @@ public class PatchPersmissionModel_J10003 extends BaseLoader { vPortalUser.setUserRoleList(daoManager.getXXPortalUser().findXPortalUserRolebyXPortalUserId(vPortalUser.getId())); xUserMgr.assignPermissionToUser(vPortalUser, false); countUserPermissionUpdated += 1; - logger.info(" Permission was assigned to UserId - " + xPortalUser.getId()); + logger.info("Permissions assigned/updated on base of User's Role, UserId [" + xPortalUser.getId() + "]"); } - logger.info(countUserPermissionUpdated + " permissions where assigned"); + logger.info(countUserPermissionUpdated + " permissions were assigned"); } @Override http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/7bce0537/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java b/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java index 3ff9c8d..bd3a50d 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java @@ -17,7 +17,6 @@ package org.apache.ranger.service; -import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.SearchField; import org.apache.ranger.db.RangerDaoManager; import org.apache.ranger.entity.XXModuleDef; @@ -47,36 +46,23 @@ public class XUserPermissionService extends XUserPermissionServiceBase + + select obj from XXUser obj, XXPortalUser portalUser where portalUser.id = :portalUserId and + obj.name = portalUser.loginId + + select obj.name from XXGroup obj, XXPolicyItemGroupPerm polItemGrp where polItemGrp.policyItemId = :polItemId and polItemGrp.groupId = obj.id @@ -489,7 +494,7 @@ - + SELECT XXUserPermObj FROM XXUserPermission XXUserPermObj WHERE XXUserPermObj.moduleId = :moduleId AND XXUserPermObj.userId =:userId