ranger-commits mailing list archives

From prad...@apache.org
Subject ranger git commit: RANGER-2168: Add service admin user through service config
Date Wed, 01 Aug 2018 16:29:43 GMT
Repository: ranger
Updated Branches:
  refs/heads/ranger-1 b2f1e6534 -> 0eaea72f8


RANGER-2168: Add service admin user through service config


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/0eaea72f
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/0eaea72f
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/0eaea72f

Branch: refs/heads/ranger-1
Commit: 0eaea72f8d6839b3c028c0bfda3637583b5a59a3
Parents: b2f1e65
Author: Pradeep <pradeep@apache.org>
Authored: Wed Aug 1 15:28:19 2018 +0530
Committer: Pradeep <pradeep@apache.org>
Committed: Wed Aug 1 21:59:33 2018 +0530

----------------------------------------------------------------------
 .../org/apache/ranger/biz/ServiceDBStore.java   | 16 +++++++++++
 .../apache/ranger/db/XXServiceConfigMapDao.java | 14 +++++++++
 .../org/apache/ranger/rest/ServiceREST.java     | 30 +++++++-------------
 .../resources/META-INF/jpa_named_queries.xml    |  5 ++++
 4 files changed, 46 insertions(+), 19 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/0eaea72f/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 8efc950..e75ea68 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -225,6 +225,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 	private static final String TIMESTAMP = "Export time";
 
 	private static final String AMBARI_SERVICE_CHECK_USER = "ambari.service.check.user";
+	private static final String SERVICE_ADMIN_USERS = "service.admin.users";
 
         public static final String CRYPT_ALGO = PropertiesUtil.getProperty("ranger.password.encryption.algorithm",
PasswordUtils.DEFAULT_CRYPT_ALGO);
         public static final String ENCRYPT_KEY = PropertiesUtil.getProperty("ranger.password.encryption.key",
PasswordUtils.DEFAULT_ENCRYPT_KEY);
@@ -4787,4 +4788,19 @@ public class ServiceDBStore extends AbstractServiceStore {
             long userCount = VXUserListKeyAdmin.getTotalCount();
             return userCount;
     }
+
+    public boolean isServiceAdminUser(String serviceName, String userName) {
+		boolean ret=false;
+		XXServiceConfigMap cfgSvcAdminUsers = daoMgr.getXXServiceConfigMap().findByServiceNameAndConfigKey(serviceName,
SERVICE_ADMIN_USERS);
+		String svcAdminUsers = cfgSvcAdminUsers != null ? cfgSvcAdminUsers.getConfigvalue() : null;
+		if (svcAdminUsers != null) {
+			for (String svcAdminUser : svcAdminUsers.split(",")) {
+				if (userName.equals(svcAdminUser)) {
+					ret=true;
+					break;
+				}
+			}
+		}
+		return ret;
+	}
 }
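Review bot: The comparison `userName.equals(svcAdminUser)` in `isServiceAdminUser` throws a NullPointerException when `userName` is null, and it matches only exact, untrimmed entries, so a config value written as `alice, bob` never matches `bob`. Because this method now decides an authorization bypass in ServiceREST, it should fail closed and predictably: return `false` early when `userName` is null or empty, and compare with `svcAdminUser.trim().equals(userName)`. A Javadoc comment stating that `service.admin.users` is a comma-separated list of login ids, matched case-sensitively, would make the contract explicit. Anyone able to edit that config entry can grant this role, so it is worth confirming that service-config updates are restricted to administrators; this diff does not show that path.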

http://git-wip-us.apache.org/repos/asf/ranger/blob/0eaea72f/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java
b/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java
index 5e94855..4217473 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java
@@ -62,4 +62,18 @@ public class XXServiceConfigMapDao extends BaseDao<XXServiceConfigMap>
{
 		}
 	}
 
+	public XXServiceConfigMap findByServiceNameAndConfigKey(String serviceName, String configKey)
{
+		if(serviceName == null || configKey == null) {
+			return null;
+		}
+		try {
+			return getEntityManager()
+					.createNamedQuery("XXServiceConfigMap.findByServiceNameAndConfigKey", tClass)
+					.setParameter("name", serviceName)
+					.setParameter("configKey", configKey).getSingleResult();
+		} catch (NoResultException e) {
+			return null;
+		}
+	}
+
 }
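Review bot: `getSingleResult()` in `findByServiceNameAndConfigKey` also throws `NonUniqueResultException`, and only `NoResultException` is caught here. Whether the (service, configKey) pair is unique in the schema is not visible in this diff. If it is not guaranteed, a duplicate row would turn every authorization check that goes through `isServiceAdminUser` into an unhandled error. Either state the uniqueness assumption in a comment on the method, or use `getResultList()` and handle the multi-row case explicitly.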

http://git-wip-us.apache.org/repos/asf/ranger/blob/0eaea72f/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index e4449df..c116ea2 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -3055,12 +3055,13 @@ public class ServiceREST {
 				List<RangerPolicy> listToFilter = entry.getValue();
 
 				if (CollectionUtils.isNotEmpty(listToFilter)) {
-                                        if (isAdmin || isKeyAdmin || isAuditAdmin || isAuditKeyAdmin)
{
+					boolean isServiceAdminUser=svcStore.isServiceAdminUser(serviceName, userName);
+					if (isAdmin || isKeyAdmin || isAuditAdmin || isAuditKeyAdmin || isServiceAdminUser)
{
 						XXService xService     = daoManager.getXXService().findByName(serviceName);
 						Long      serviceDefId = xService.getType();
 						boolean   isKmsService = serviceDefId.equals(EmbeddedServiceDefsUtil.instance().getKmsServiceDefId());
 
-						if (isAdmin) {
+						if (isAdmin || isServiceAdminUser) {
 							if (!isKmsService) {
 								ret.addAll(listToFilter);
 							}
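Review bot: `svcStore.isServiceAdminUser(serviceName, userName)` runs for every non-empty map entry, even when `isAdmin` is already true, and each call is a database lookup. The two later hunks in this file short-circuit it, and the same form fits here: `boolean isServiceAdminUser = isAdmin || svcStore.isServiceAdminUser(serviceName, userName);`. The service admin user is also routed into the `isAdmin` branch, which in the lines shown adds nothing for a KMS service. If a user listed in a KMS service's `service.admin.users` is meant to see no policies, a comment should say so. The rest of the branch chain lies outside the hunk.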
@@ -3108,17 +3109,13 @@ public class ServiceREST {
 		boolean isAdmin = bizUtil.isAdmin();
 		boolean isKeyAdmin = bizUtil.isKeyAdmin();
 		String userName = bizUtil.getCurrentUserLoginId();
+		boolean isSvcAdmin = isAdmin || svcStore.isServiceAdminUser(policy.getService(), userName);
 
-		if(!isAdmin && !isKeyAdmin) {
+		if(!isAdmin && !isKeyAdmin && !isSvcAdmin) {
 			boolean isAllowed = false;
 
-			RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(policy.getService());
-
-			if (policyEngine != null) {
-				Set<String> userGroups = userMgr.getGroupsForUser(userName);
-
-				isAllowed = hasAdminAccess(policy, userName, userGroups);
-			}
+			Set<String> userGroups = userMgr.getGroupsForUser(userName);
+			isAllowed = hasAdminAccess(policy, userName, userGroups);
 
 			if (!isAllowed) {
 				throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED,
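Review bot: The new `isSvcAdmin` bypass skips `hasAdminAccess` for every policy of the service, without the KMS distinction that the filtering hunk at -3055 applies to the same user. If a KMS service can carry `service.admin.users`, the two paths would disagree, so this is worth confirming and documenting in a comment above the check. `isSvcAdmin` already includes `isAdmin`, which makes `!isAdmin &&` redundant; `if (!isKeyAdmin && !isSvcAdmin)` states the same condition. The removed `policyEngine != null` guard means `hasAdminAccess` is now called even when no delegated-admin engine exists; how it handles that case is outside the hunk, and it should deny. The same points apply to the hunk at -3434, and the enclosing methods start and end outside both hunks.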
@@ -3434,17 +3431,12 @@ public class ServiceREST {
                 String userName = bizUtil.getCurrentUserLoginId();
                 boolean isAuditAdmin = bizUtil.isAuditAdmin();
                 boolean isAuditKeyAdmin = bizUtil.isAuditKeyAdmin();
-                if (!isAdmin && !isKeyAdmin && !isAuditAdmin && !isAuditKeyAdmin)
{
+                boolean isSvcAdmin = isAdmin || svcStore.isServiceAdminUser(policy.getService(),
userName);
+                if (!isAdmin && !isKeyAdmin && !isSvcAdmin && !isAuditAdmin
&& !isAuditKeyAdmin) {
                         boolean isAllowed = false;
 
-                        RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(policy
-                                        .getService());
-
-                        if (policyEngine != null) {
-                                Set<String> userGroups = userMgr.getGroupsForUser(userName);
-
-                                isAllowed = hasAdminAccess(policy, userName, userGroups);
-                        }
+                        Set<String> userGroups = userMgr.getGroupsForUser(userName);
+                        isAllowed = hasAdminAccess(policy, userName, userGroups);
 
                         if (!isAllowed) {
                                 throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED,"User
'"

http://git-wip-us.apache.org/repos/asf/ranger/blob/0eaea72f/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
index d2a6f4b..cdf6ba6 100644
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
+++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
@@ -435,6 +435,11 @@
 			obj.serviceId = :serviceId and obj.configKey = :configKey</query>
 	</named-query>
 
+	<named-query name="XXServiceConfigMap.findByServiceNameAndConfigKey">
+		<query>select obj from XXServiceConfigMap obj, XXService xSvc where 
+			xSvc.name = :name and xSvc.id=obj.serviceId and obj.configKey = :configKey</query>
+	</named-query>
+
 	<!-- XXService -->
 	<named-query name="XXService.findByName">
 		<query>select obj from XXService obj where obj.name = :name</query>

