From: pradeep@apache.org To: commits@ranger.apache.org Message-Id: <3b0817f956f149bbb803f44d294e72a4@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: ranger git commit: RANGER-2168: Add service admin user through service config Date: Wed, 1 Aug 2018 16:29:43 +0000 (UTC) Repository: ranger Updated Branches: refs/heads/ranger-1 b2f1e6534 -> 0eaea72f8 RANGER-2168: Add service admin user through service config Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/0eaea72f Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/0eaea72f Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/0eaea72f Branch: refs/heads/ranger-1 Commit: 0eaea72f8d6839b3c028c0bfda3637583b5a59a3 Parents: b2f1e65 Author: Pradeep Authored: Wed Aug 1 15:28:19 2018 +0530 Committer: Pradeep Committed: Wed Aug 1 21:59:33 2018 +0530 ---------------------------------------------------------------------- .../org/apache/ranger/biz/ServiceDBStore.java | 16 +++++++++++ .../apache/ranger/db/XXServiceConfigMapDao.java | 14 +++++++++ .../org/apache/ranger/rest/ServiceREST.java | 30 +++++++------------- .../resources/META-INF/jpa_named_queries.xml | 5 ++++ 4 files changed, 46 insertions(+), 19 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/0eaea72f/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index 8efc950..e75ea68 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
@@ -225,6 +225,7 @@ public class ServiceDBStore extends AbstractServiceStore { private static final String TIMESTAMP = "Export time"; private static final String AMBARI_SERVICE_CHECK_USER = "ambari.service.check.user"; + private static final String SERVICE_ADMIN_USERS = "service.admin.users"; public static final String CRYPT_ALGO = PropertiesUtil.getProperty("ranger.password.encryption.algorithm", PasswordUtils.DEFAULT_CRYPT_ALGO); public static final String ENCRYPT_KEY = PropertiesUtil.getProperty("ranger.password.encryption.key", PasswordUtils.DEFAULT_ENCRYPT_KEY); @@ -4787,4 +4788,19 @@ public class ServiceDBStore extends AbstractServiceStore { long userCount = VXUserListKeyAdmin.getTotalCount(); return userCount; } + + public boolean isServiceAdminUser(String serviceName, String userName) { + boolean ret=false; + XXServiceConfigMap cfgSvcAdminUsers = daoMgr.getXXServiceConfigMap().findByServiceNameAndConfigKey(serviceName, SERVICE_ADMIN_USERS); + String svcAdminUsers = cfgSvcAdminUsers != null ? cfgSvcAdminUsers.getConfigvalue() : null; + if (svcAdminUsers != null) { + for (String svcAdminUser : svcAdminUsers.split(",")) { + if (userName.equals(svcAdminUser)) { + ret=true; + break; + } + } + } + return ret; + } } http://git-wip-us.apache.org/repos/asf/ranger/blob/0eaea72f/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java index 5e94855..4217473 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java 
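Review bot: In the new isServiceAdminUser (second hunk, @@ -4787) the comma-separated config value is compared without trimming, so a value written as `alice, bob` never matches `bob`, and `userName.equals(svcAdminUser)` throws if the login id handed over by ServiceREST is null (its nullability is not visible here). Changing the loop test to `if (userName != null && userName.equals(svcAdminUser.trim())) {` covers both. Because the `service.admin.users` key is read from the service's own config map, anyone permitted to update that service's config can confer these rights; a Javadoc on the method stating that, for example `/** Returns true when userName appears in the service's "service.admin.users" config value. Listing a user here grants policy-admin rights for the service, so service-config updates should be treated as privileged. */`, makes the trust boundary explicit to the next maintainer.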
@@ -62,4 +62,18 @@ public class XXServiceConfigMapDao extends BaseDao { } } + public XXServiceConfigMap findByServiceNameAndConfigKey(String serviceName, String configKey) { + if(serviceName == null || configKey == null) { + return null; + } + try { + return getEntityManager() + .createNamedQuery("XXServiceConfigMap.findByServiceNameAndConfigKey", tClass) + .setParameter("name", serviceName) + .setParameter("configKey", configKey).getSingleResult(); + } catch (NoResultException e) { + return null; + } + } + } http://git-wip-us.apache.org/repos/asf/ranger/blob/0eaea72f/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index e4449df..c116ea2 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java @@ -3055,12 +3055,13 @@ public class ServiceREST { List listToFilter = entry.getValue(); if (CollectionUtils.isNotEmpty(listToFilter)) { - if (isAdmin || isKeyAdmin || isAuditAdmin || isAuditKeyAdmin) { + boolean isServiceAdminUser=svcStore.isServiceAdminUser(serviceName, userName); + if (isAdmin || isKeyAdmin || isAuditAdmin || isAuditKeyAdmin || isServiceAdminUser) { XXService xService = daoManager.getXXService().findByName(serviceName); Long serviceDefId = xService.getType(); boolean isKmsService = serviceDefId.equals(EmbeddedServiceDefsUtil.instance().getKmsServiceDefId()); - if (isAdmin) { + if (isAdmin || isServiceAdminUser) { if (!isKmsService) { ret.addAll(listToFilter); } 
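Review bot: findByServiceNameAndConfigKey catches only NoResultException, so if the join ever yields more than one row (duplicate service name, or duplicate key within a service) the NonUniqueResultException propagates to the REST layer instead of the `null` the caller in ServiceDBStore expects; if uniqueness is enforced by the schema this is fine, otherwise `getResultList()` with an explicit size check is the safer shape. The method also returns null for distinct reasons (a null argument versus no matching row), and nothing documents that; a Javadoc such as `/** Looks up one config entry by service name and key; returns null when either argument is null or no matching row exists. */` would record the contract callers rely on. Binding both values through setParameter keeps the query free of string concatenation, which is the right pattern for user-influenced names.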
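Review bot: The new `boolean isServiceAdminUser=svcStore.isServiceAdminUser(serviceName, userName);` issues a database lookup for every service entry in the loop even when isAdmin is already true, although neither condition in this hunk can change in that case; `boolean isServiceAdminUser = !isAdmin && svcStore.isServiceAdminUser(serviceName, userName);` avoids the round trip with identical results for both `if` statements shown. The enclosing method starts and ends outside the hunk, so confirm the variable is not read further down with a different expectation. A service-admin user now shares the isAdmin branch for non-KMS services, which is presumably the intent of RANGER-2168 but deserves a one-line comment, e.g. `// service.admin.users entries get full policy visibility for non-KMS services`, since the two roles are granted from different places.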
@@ -3108,17 +3109,13 @@ public class ServiceREST { boolean isAdmin = bizUtil.isAdmin(); boolean isKeyAdmin = bizUtil.isKeyAdmin(); String userName = bizUtil.getCurrentUserLoginId(); + boolean isSvcAdmin = isAdmin || svcStore.isServiceAdminUser(policy.getService(), userName); - if(!isAdmin && !isKeyAdmin) { + if(!isAdmin && !isKeyAdmin && !isSvcAdmin) { boolean isAllowed = false; - RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(policy.getService()); - - if (policyEngine != null) { - Set userGroups = userMgr.getGroupsForUser(userName); - - isAllowed = hasAdminAccess(policy, userName, userGroups); - } + Set userGroups = userMgr.getGroupsForUser(userName); + isAllowed = hasAdminAccess(policy, userName, userGroups); if (!isAllowed) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, @@ -3434,17 +3431,12 @@ public class ServiceREST { String userName = bizUtil.getCurrentUserLoginId(); boolean isAuditAdmin = bizUtil.isAuditAdmin(); boolean isAuditKeyAdmin = bizUtil.isAuditKeyAdmin(); - if (!isAdmin && !isKeyAdmin && !isAuditAdmin && !isAuditKeyAdmin) { + boolean isSvcAdmin = isAdmin || svcStore.isServiceAdminUser(policy.getService(), userName); + if (!isAdmin && !isKeyAdmin && !isSvcAdmin && !isAuditAdmin && !isAuditKeyAdmin) { boolean isAllowed = false; - RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(policy - .getService()); - - if (policyEngine != null) { - Set userGroups = userMgr.getGroupsForUser(userName); - - isAllowed = hasAdminAccess(policy, userName, userGroups); - } + Set userGroups = userMgr.getGroupsForUser(userName); + isAllowed = hasAdminAccess(policy, userName, userGroups); if (!isAllowed) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED,"User '" http://git-wip-us.apache.org/repos/asf/ranger/blob/0eaea72f/security-admin/src/main/resources/META-INF/jpa_named_queries.xml ---------------------------------------------------------------------- 
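Review bot: Both hunks here (@@ -3108 and @@ -3434) drop the `policyEngine != null` guard and call hasAdminAccess unconditionally; previously a missing delegated-admin engine left isAllowed false and produced the 401, whereas now the outcome depends on how hasAdminAccess handles that case, which is not visible in this diff. If it re-fetches the engine and can throw on null, a non-admin request against such a service changes from a clean deny to a 500, so please confirm it returns false in that situation and the check stays fail-closed. Separately, `boolean isSvcAdmin = isAdmin || svcStore.isServiceAdminUser(policy.getService(), userName);` queries the store even for admins and repeats the `!isAdmin` already in the condition; `boolean isSvcAdmin = !isAdmin && svcStore.isServiceAdminUser(policy.getService(), userName);` is equivalent for the condition as written, provided isSvcAdmin is not used later in the method, whose start and end lie outside the hunk.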
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
index d2a6f4b..cdf6ba6 100644
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
+++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
@@ -435,6 +435,11 @@ obj.serviceId = :serviceId and obj.configKey = :configKey + + select obj from XXServiceConfigMap obj, XXService xSvc where + xSvc.name = :name and xSvc.id=obj.serviceId and obj.configKey = :configKey + + select obj from XXService obj where obj.name = :name