ranger-commits mailing list archives

From mad...@apache.org
Subject [1/9] incubator-ranger git commit: RANGER-1094 : One way SSL (when Kerberos is enabled) for Ranger and its plugins
Date Tue, 03 Jan 2017 08:17:02 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/ranger-0.6 d6308e68a -> dd8a58177


RANGER-1094 : One way SSL (when Kerberos is enabled) for Ranger and its plugins

Signed-off-by: Velmurugan Periasamy <vel@apache.org>
(cherry picked from commit 07982526f67964f1b32e315fc5382456fafdd7eb)


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/115f9d43
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/115f9d43
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/115f9d43

Branch: refs/heads/ranger-0.6
Commit: 115f9d434894097b295efdf4a73e31ae560de508
Parents: d6308e6
Author: Ankita Sinha <ankita.sinha@freestoneinfotech.com>
Authored: Mon Jul 11 19:50:40 2016 +0530
Committer: Madhan Neethiraj <madhan@apache.org>
Committed: Mon Jan 2 23:35:36 2017 -0800

----------------------------------------------------------------------
 .../ranger/plugin/util/RangerRESTClient.java    |  5 ++-
 .../org/apache/ranger/common/ServiceUtil.java   | 43 +++++++++++++++++---
 .../org/apache/ranger/rest/ServiceREST.java     |  6 +--
 3 files changed, 44 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/115f9d43/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
index 7cfd040..8eb9b27 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
@@ -349,7 +349,7 @@ public class RangerRESTClient {
 	
 	private SSLContext getSSLContext(KeyManager[] kmList, TrustManager[] tmList) {
 		try {
-			if(kmList != null && tmList != null) {
+			if(tmList != null) {
 				SSLContext sslContext = SSLContext.getInstance(RANGER_SSL_CONTEXT_ALGO_TYPE);
 	
 				sslContext.init(kmList, tmList, new SecureRandom());
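Review bot: The relaxed guard `if(tmList != null)` now lets a null `kmList` reach `sslContext.init(kmList, tmList, new SecureRandom())`, and nothing at the call says that this is intended. A short comment would record the contract, for example `// kmList may be null for one-way SSL: no client certificate is offered, the server is still verified against tmList`. As far as the visible lines show, a null `tmList` still falls through to `return null` without any log entry, so a missing truststore is silent here; a `LOG.warn` on that path would make the misconfiguration visible. The body of getSSLContext continues outside this hunk.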
@@ -360,8 +360,9 @@ public class RangerRESTClient {
 			LOG.error("SSL algorithm is available in the environment", e);
 		} catch (KeyManagementException e) {
 			LOG.error("Unable to initials the SSLContext", e);
+		}catch (Exception e) {
+			LOG.error("Unable to initialize the SSLContext", e);
 		}
-		
 		return null;
 	}
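Review bot: The added `catch (Exception e)` turns every failure while building the context, including unchecked ones, into a logged error followed by `return null`. What the caller does with a null SSLContext is outside the diff; if it falls back to a default context, the configured truststore would silently not be applied, so failing closed is safer, e.g. `throw new IllegalStateException("Unable to initialize the SSLContext", e);`. If the null return is kept, the catch should at least name the exception types it expects rather than `Exception`. On style, `}catch` should be `} catch` to match the two clauses above it.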
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/115f9d43/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java b/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java
index 8252bca..dad1458 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java
@@ -1340,11 +1340,7 @@ public class ServiceUtil {
 
 		RangerService service = null;
 		try {
-			if(null != request.getAttribute("downloadPolicy") && StringUtils.equalsIgnoreCase(request.getAttribute("downloadPolicy").toString(),
"secure")){
-				service = svcStore.getServiceByNameForDP(serviceName);
-			}else{
-				service = svcStore.getServiceByName(serviceName);
-			}
+			service = svcStore.getServiceByName(serviceName);
 		} catch (Exception e) {
 			LOG.error("Requested Service not found. serviceName=" + serviceName);
 			throw restErrorUtil.createRESTException("Service:" + serviceName + " not found",  
@@ -1461,6 +1457,43 @@ public class ServiceUtil {
 		return isValidAuthentication;
 	}
 
+	public boolean isValidService(String serviceName, HttpServletRequest request){
+		boolean isValid = true;
+		if (serviceName == null || serviceName.isEmpty()) {
+			LOG.error("ServiceName not provided");
+			isValid = false;
+			throw restErrorUtil.createRESTException("Unauthorized access.",
+					MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);
+		}
+
+		RangerService service = null;
+		try {
+			if(null != request.getAttribute("downloadPolicy") && StringUtils.equalsIgnoreCase(request.getAttribute("downloadPolicy").toString(),
"secure")){
+				service = svcStore.getServiceByNameForDP(serviceName);
+			}else{
+				service = svcStore.getServiceByName(serviceName);
+			}
+		} catch (Exception e) {
+			isValid = false;
+			LOG.error("Requested Service not found. serviceName=" + serviceName);
+			throw restErrorUtil.createRESTException("Service:" + serviceName + " not found",
+					MessageEnums.DATA_NOT_FOUND);
+		}
+		if(service==null){
+			isValid = false;
+			LOG.error("Requested Service not found. serviceName=" + serviceName);
+			throw restErrorUtil.createRESTException("Service:" + serviceName + " not found",
+					MessageEnums.DATA_NOT_FOUND);
+		}
+		if(!service.getIsEnabled()){
+			isValid = false;
+			LOG.error("Requested Service is disabled. serviceName=" + serviceName);
+			throw restErrorUtil.createRESTException("Unauthorized access.",
+					MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
+		}
+		return isValid;
+	}
+
    private boolean matchNames(String target, String source, boolean wildcardMatch) {
        boolean matched = false;
        if(target != null && source != null) {
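Review bot: `isValidService` can never return false: every failure path throws, so the `isValid` local and its `isValid = false` assignments are dead, and the `if (serviceUtil.isValidService(...))` callers have no reachable else branch. The `catch (Exception e)` drops the exception from the log and reports any store failure as DATA_NOT_FOUND; `LOG.error("Requested Service not found. serviceName=" + serviceName, e);` would keep the cause. `serviceName` is presumably caller-supplied and is concatenated unchanged into the log lines and the REST error text, so stripping CR/LF before logging is worth adding. `request` is dereferenced in the `downloadPolicy` test without a null check, and `request.getAttribute("downloadPolicy")` is read twice where one local would do. A Javadoc stating that the method checks only existence and enabled state, and throws rather than returning false, would stop it being read as an authentication check.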

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/115f9d43/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index eea2ad3..b550c17 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -956,7 +956,7 @@ public class ServiceREST {
 		RangerPerfTracer perf = null;
 		boolean isAllowed = false;
 		boolean isKeyAdmin = bizUtil.isKeyAdmin();
-		if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) {
+		if (serviceUtil.isValidService(serviceName, request)) {
 			try {
 				if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
 					perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.scureGrantAccess(serviceName="
+ serviceName + ")");
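Review bot: The guard at this call, and the same replacement in the `secureRevokeAccess` hunk and the policy-download hunk further down, now rests on `isValidService`, which in this commit checks only that the service exists and is enabled. Whatever caller verification `isValidateHttpsAuthentication` performed (only its tail is visible in the diff) is no longer invoked on these three paths, so caller authentication has to come from elsewhere, presumably the Kerberos layer named in the commit title. A comment at each call would make that explicit, e.g. `// caller is authenticated upstream (Kerberos); this only checks the service is known and enabled`. It is also worth confirming that a deployment without Kerberos cannot reach the secure grant, revoke and download endpoints unauthenticated. The enclosing methods begin and end outside the hunks.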
@@ -1127,7 +1127,7 @@ public class ServiceREST {
 		}
 		RESTResponse     ret  = new RESTResponse();
 		RangerPerfTracer perf = null;
-		if (serviceUtil.isValidateHttpsAuthentication(serviceName,request)) {
+		if (serviceUtil.isValidService(serviceName,request)) {
 			try {
 				if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
 					perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.secureRevokeAccess(serviceName="
+ serviceName + ")");
@@ -1846,7 +1846,7 @@ public class ServiceREST {
 		boolean isAdmin = bizUtil.isAdmin();
 		boolean isKeyAdmin = bizUtil.isKeyAdmin();
 		request.setAttribute("downloadPolicy", "secure");
-		if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) {
+		if (serviceUtil.isValidService(serviceName, request)) {
 			if (lastKnownVersion == null) {
 				lastKnownVersion = Long.valueOf(-1);
 			}

