diff --git a/dev-support/checkstyle-suppressions.xml b/dev-support/checkstyle-suppressions.xml index 9856e3ca8c..624016707b 100644 --- a/dev-support/checkstyle-suppressions.xml +++ b/dev-support/checkstyle-suppressions.xml @@ -28,13 +28,18 @@ + + + + + diff --git a/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java index bdaeee671a..4d55598883 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java 
@@ -99,47 +99,68 @@ public class AssetMgr extends AssetMgrBase { private static final String PROP_RANGER_LOG_SC_NOT_MODIFIED = "ranger.log.SC_NOT_MODIFIED"; private static final String PROP_PLUGIN_ACTIVITY_AUDIT_NOT_MODIFIED = "ranger.plugin.activity.audit.not.modified"; private static final String PROP_PLUGIN_ACTIVITY_AUDIT_COMMIT_INLINE = "ranger.plugin.activity.audit.commit.inline"; - private static final String adminCapabilities = Long.toHexString(new RangerPluginCapability().getPluginCapabilities()); + private static final String adminCapabilities = Long.toHexString(new RangerPluginCapability().getPluginCapabilities()); + @Autowired - XPermMapService xPermMapService; + XPermMapService xPermMapService; + @Autowired - XAuditMapService xAuditMapService; + XAuditMapService xAuditMapService; + @Autowired - JSONUtil jsonUtil; + JSONUtil jsonUtil; + @Autowired - RangerBizUtil msBizUtil; + RangerBizUtil msBizUtil; + @Autowired - StringUtil stringUtil; + StringUtil stringUtil; + @Autowired - RangerDaoManager rangerDaoManager; + RangerDaoManager rangerDaoManager; + @Autowired - XUserService xUserService; + XUserService xUserService; + @Autowired - RangerBizUtil xaBizUtil; + RangerBizUtil xaBizUtil; + @Autowired - RangerTrxLogV2Service xTrxLogService; + RangerTrxLogV2Service xTrxLogService; + @Autowired - XAccessAuditService xAccessAuditService; + XAccessAuditService xAccessAuditService; + @Autowired - XGroupService xGroupService; + XGroupService xGroupService; + @Autowired - XUserMgr xUserMgr; + XUserMgr xUserMgr; + @Autowired - SolrAccessAuditsService solrAccessAuditsService; + SolrAccessAuditsService solrAccessAuditsService; + @Autowired - ElasticSearchAccessAuditsService elasticSearchAccessAuditsService; + ElasticSearchAccessAuditsService elasticSearchAccessAuditsService; + @Autowired - CloudWatchAccessAuditsService cloudWatchAccessAuditsService; + CloudWatchAccessAuditsService cloudWatchAccessAuditsService; + @Autowired - XPolicyService xPolicyService; + 
XPolicyService xPolicyService; + @Autowired RangerTransactionSynchronizationAdapter transactionSynchronizationAdapter; + @Autowired - RangerPluginInfoService pluginInfoService; + RangerPluginInfoService pluginInfoService; + @Autowired - XUgsyncAuditInfoService xUgsyncAuditInfoService; + XUgsyncAuditInfoService xUgsyncAuditInfoService; + @Autowired - ServiceMgr serviceMgr; + ServiceMgr serviceMgr; + boolean rangerLogNotModified; boolean pluginActivityAuditLogNotModified; boolean pluginActivityAuditCommitInline; @@ -162,21 +183,28 @@ public void init() { public String getLatestRepoPolicy(VXAsset xAsset, List xResourceList, Long updatedTime, X509Certificate[] certchain, boolean httpEnabled, String epoch, String ipAddress, boolean isSecure, String count, String agentId) { if (xAsset == null) { logger.error("Requested repository not found"); + throw restErrorUtil.createRESTException("No Data Found.", MessageEnums.DATA_NOT_FOUND); } + if (xResourceList == null) { logger.error("ResourceList is found"); + throw restErrorUtil.createRESTException("No Data Found.", MessageEnums.DATA_NOT_FOUND); } + if (xAsset.getActiveStatus() == RangerCommonEnums.ACT_STATUS_DISABLED) { logger.error("Requested repository is disabled"); + throw restErrorUtil.createRESTException("Unauthorized access.", MessageEnums.OPER_NO_EXPORT); } HashMap updatedRepo = new HashMap<>(); + updatedRepo.put("repository_name", xAsset.getName()); XXPolicyExportAudit policyExportAudit = new XXPolicyExportAudit(); + policyExportAudit.setRepositoryName(xAsset.getName()); if (agentId != null && !agentId.isEmpty()) { 
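Review bot: The three rejections added at the top of getLatestRepoPolicy (`No Data Found.` twice and `Unauthorized access.` for a disabled repository) throw before `policyExportAudit` is constructed, so unlike every later rejection in this method they are not preceded by `createPolicyAudit(policyExportAudit)` and, as far as this hunk shows, leave no XXPolicyExportAudit row. Consider building the audit object (with `setRepositoryName` where `xAsset` is non-null) ahead of the active-status check and recording `SC_BAD_REQUEST` there, as the https and certificate paths do. The context line guarding the second throw, `logger.error("ResourceList is found");`, reports the opposite of the condition it sits in; `logger.error("ResourceList not found");`. getLatestRepoPolicy continues past the hunk.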
@@ -194,22 +222,23 @@ public String getLatestRepoPolicy(VXAsset xAsset, List xResourceList if (!httpEnabled) { if (!isSecure) { policyExportAudit.setHttpRetCode(HttpServletResponse.SC_BAD_REQUEST); + createPolicyAudit(policyExportAudit); - throw restErrorUtil.createRESTException("Unauthorized access -" + " only https allowed", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + throw restErrorUtil.createRESTException("Unauthorized access - only https allowed", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); } if (certchain == null || certchain.length == 0) { policyExportAudit.setHttpRetCode(HttpServletResponse.SC_BAD_REQUEST); + createPolicyAudit(policyExportAudit); - throw restErrorUtil.createRESTException("Unauthorized access -" + " unable to get client certificate", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); + throw restErrorUtil.createRESTException("Unauthorized access - unable to get client certificate", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); } } - Long policyCount = restErrorUtil.parseLong(count, "Invalid value for " + "policyCount", MessageEnums.INVALID_INPUT_DATA, null, "policyCount"); - - String commonName = null; + Long policyCount = restErrorUtil.parseLong(count, "Invalid value for policyCount", MessageEnums.INVALID_INPUT_DATA, null, "policyCount"); + String commonName = null; if (certchain != null) { X509Certificate clientCert = certchain[0]; 
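Review bot: `X509Certificate clientCert = certchain[0];` is reached under `if (certchain != null)` alone, while the `certchain.length == 0` guard that precedes it only runs when `httpEnabled` is false; a non-null but empty chain on an http-enabled deployment would raise ArrayIndexOutOfBoundsException (an unaudited 500) instead of the audited 400 the other branches produce. Whether the container can hand over an empty array is not visible here, but the guard is cheap: `if (certchain != null && certchain.length > 0) {`. The rest of the certificate handling, and the method itself, continue beyond the hunk.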
@@ -217,23 +246,28 @@ public String getLatestRepoPolicy(VXAsset xAsset, List xResourceList try { LdapName ln = new LdapName(dn); + for (Rdn rdn : ln.getRdns()) { if ("CN".equalsIgnoreCase(rdn.getType())) { commonName = rdn.getValue() + ""; break; } } + if (commonName == null) { policyExportAudit.setHttpRetCode(HttpServletResponse.SC_BAD_REQUEST); + createPolicyAudit(policyExportAudit); throw restErrorUtil.createRESTException("Unauthorized access - Unable to find Common Name from [" + dn + "]", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); } } catch (InvalidNameException e) { policyExportAudit.setHttpRetCode(HttpServletResponse.SC_BAD_REQUEST); + createPolicyAudit(policyExportAudit); logger.error("Invalid Common Name.", e); + throw restErrorUtil.createRESTException("Unauthorized access - Invalid Common Name", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); } } @@ -249,6 +283,7 @@ public String getLatestRepoPolicy(VXAsset xAsset, List xResourceList if (!commonName.equalsIgnoreCase(cnFromConfig)) { policyExportAudit.setHttpRetCode(HttpServletResponse.SC_BAD_REQUEST); + createPolicyAudit(policyExportAudit); throw restErrorUtil.createRESTException("Unauthorized access. expected [" + cnFromConfig + "], found [" + commonName + "]", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); 
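Review bot: In the second hunk here (-249), the rejection message `"Unauthorized access. expected [" + cnFromConfig + "], found [" + commonName + "]"` returns the configured expected certificate common name to a caller whose certificate was just refused; that tells a client which subject name it would need to present, which is exactly the value this check exists to keep confidential. Keep the expected/found pair in the server log and return a generic message: `logger.error("Client certificate CN [{}] does not match expected CN [{}]", commonName, cnFromConfig);` followed by `throw restErrorUtil.createRESTException("Unauthorized access - client certificate common name is not permitted", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY);`. The `createPolicyAudit` call the commit adds before the throw is the right place to leave the recorded `SC_BAD_REQUEST`. getLatestRepoPolicy continues outside both hunks.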
@@ -262,27 +297,30 @@ public String getLatestRepoPolicy(VXAsset xAsset, List xResourceList if (policyCount == resourceListSz) { policyExportAudit.setHttpRetCode(HttpServletResponse.SC_NOT_MODIFIED); + createPolicyAudit(policyExportAudit); throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_MODIFIED, "No change since last update", false); } } - List> resourceList = new ArrayList>(); + List> resourceList = new ArrayList<>(); // HDFS Repository if (xAsset.getAssetType() == AppConstants.ASSET_HDFS) { for (VXResource xResource : xResourceList) { HashMap resourceMap = new HashMap<>(); + resourceMap.put("id", xResource.getId()); resourceMap.put("resource", xResource.getName()); resourceMap.put("isRecursive", getBooleanValue(xResource.getIsRecursive())); resourceMap.put("policyStatus", RangerCommonEnums.getLabelFor_ActiveStatus(xResource.getResourceStatus())); - // resourceMap.put("isEncrypt", - // AKAConstants.getLabelFor_BooleanValue(xResource.getIsEncrypt())); + // resourceMap.put("isEncrypt", AKAConstants.getLabelFor_BooleanValue(xResource.getIsEncrypt())); populatePermMap(xResource, resourceMap, AppConstants.ASSET_HDFS); + List xAuditMaps = xResource.getAuditList(); - if (xAuditMaps.size() != 0) { + + if (!xAuditMaps.isEmpty()) { resourceMap.put("audit", 1); } else { resourceMap.put("audit", 0); 
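Review bot: The HDFS branch here and the Hive, HBase, Knox and Storm branches in the following hunks (-293/-311, -327/-351, -374) each repeat the same five-line `if (!xAuditMaps.isEmpty()) { … put("audit", 1) } else { put("audit", 0) }` block, and three of them repeat the `encrypt` block as well; the commit touches every copy to swap `size() != 0` for `isEmpty()` but leaves the duplication in place. Each copy collapses to a single line with identical boxing, `resourceMap.put("audit", xResource.getAuditList().isEmpty() ? 0 : 1);`, and likewise `resourceMap.put("encrypt", xResource.getIsEncrypt() == 1 ? 1 : 0);`. `isEmpty()`, like the `size()` it replaces, still throws if `getAuditList()` can return null, which is not visible here and worth confirming. getLatestRepoPolicy starts before and continues after this hunk.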
@@ -293,12 +331,15 @@ public String getLatestRepoPolicy(VXAsset xAsset, List xResourceList } else if (xAsset.getAssetType() == AppConstants.ASSET_HIVE) { for (VXResource xResource : xResourceList) { HashMap resourceMap = new HashMap<>(); + resourceMap.put("id", xResource.getId()); resourceMap.put("database_name", xResource.getDatabases()); resourceMap.put("policyStatus", RangerCommonEnums.getLabelFor_ActiveStatus(xResource.getResourceStatus())); resourceMap.put("tablePolicyType", AppConstants.getLabelFor_PolicyType(xResource.getTableType())); resourceMap.put("columnPolicyType", AppConstants.getLabelFor_PolicyType(xResource.getColumnType())); + int resourceType = xResource.getResourceType(); + if (resourceType == AppConstants.RESOURCE_UDF) { resourceMap.put("udf_name", xResource.getUdfs()); } else if (resourceType == AppConstants.RESOURCE_COLUMN) { @@ -311,11 +352,13 @@ public String getLatestRepoPolicy(VXAsset xAsset, List xResourceList populatePermMap(xResource, resourceMap, AppConstants.ASSET_HIVE); List xAuditMaps = xResource.getAuditList(); - if (xAuditMaps.size() != 0) { + + if (!xAuditMaps.isEmpty()) { resourceMap.put("audit", 1); } else { resourceMap.put("audit", 0); } + resourceList.add(resourceMap); } } else if (xAsset.getAssetType() == AppConstants.ASSET_HBASE) { 
@@ -327,20 +370,24 @@ public String getLatestRepoPolicy(VXAsset xAsset, List xResourceList resourceMap.put("column_name", xResource.getColumns()); resourceMap.put("column_families", xResource.getColumnFamilies()); resourceMap.put("policyStatus", RangerCommonEnums.getLabelFor_ActiveStatus(xResource.getResourceStatus())); + if (xResource.getIsEncrypt() == 1) { resourceMap.put("encrypt", 1); } else { resourceMap.put("encrypt", 0); } - // resourceMap.put("isEncrypt", - // AKAConstants.getLabelFor_BooleanValue(xResource.getIsEncrypt())); + + // resourceMap.put("isEncrypt", AKAConstants.getLabelFor_BooleanValue(xResource.getIsEncrypt())); populatePermMap(xResource, resourceMap, AppConstants.ASSET_HBASE); + List xAuditMaps = xResource.getAuditList(); - if (xAuditMaps.size() != 0) { + + if (!xAuditMaps.isEmpty()) { resourceMap.put("audit", 1); } else { resourceMap.put("audit", 0); } + resourceList.add(resourceMap); } } else if (xAsset.getAssetType() == AppConstants.ASSET_KNOX) { @@ -351,20 +398,24 @@ public String getLatestRepoPolicy(VXAsset xAsset, List xResourceList resourceMap.put("topology_name", xResource.getTopologies()); resourceMap.put("service_name", xResource.getServices()); resourceMap.put("policyStatus", RangerCommonEnums.getLabelFor_ActiveStatus(xResource.getResourceStatus())); + if (xResource.getIsEncrypt() == 1) { resourceMap.put("encrypt", 1); } else { resourceMap.put("encrypt", 0); } - // resourceMap.put("isEncrypt", - // AKAConstants.getLabelFor_BooleanValue(xResource.getIsEncrypt())); + + // resourceMap.put("isEncrypt", AKAConstants.getLabelFor_BooleanValue(xResource.getIsEncrypt())); populatePermMap(xResource, resourceMap, AppConstants.ASSET_KNOX); + List xAuditMaps = xResource.getAuditList(); - if (xAuditMaps.size() != 0) { + + if (!xAuditMaps.isEmpty()) { resourceMap.put("audit", 1); } else { resourceMap.put("audit", 0); } + resourceList.add(resourceMap); } } else if (xAsset.getAssetType() == AppConstants.ASSET_STORM) { 
@@ -374,34 +425,54 @@ public String getLatestRepoPolicy(VXAsset xAsset, List xResourceList resourceMap.put("id", xResource.getId()); resourceMap.put("topology_name", xResource.getTopologies()); resourceMap.put("policyStatus", RangerCommonEnums.getLabelFor_ActiveStatus(xResource.getResourceStatus())); + if (xResource.getIsEncrypt() == 1) { resourceMap.put("encrypt", 1); } else { resourceMap.put("encrypt", 0); } + populatePermMap(xResource, resourceMap, AppConstants.ASSET_STORM); + List xAuditMaps = xResource.getAuditList(); - if (xAuditMaps.size() != 0) { + + if (!xAuditMaps.isEmpty()) { resourceMap.put("audit", 1); } else { resourceMap.put("audit", 0); } + resourceList.add(resourceMap); } } else { policyExportAudit.setHttpRetCode(HttpServletResponse.SC_BAD_REQUEST); + createPolicyAudit(policyExportAudit); + throw restErrorUtil.createRESTException("The operation isn't yet supported for the repository", MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); } - policyCount = Long.valueOf(resourceList.size()); + policyCount = (long) resourceList.size(); + updatedRepo.put("last_updated", updatedTime); updatedRepo.put("policyCount", policyCount); updatedRepo.put("acl", resourceList); String updatedPolicyStr = jsonUtil.readMapToString(updatedRepo); + // File file = null; + // try { + // file = jsonUtil.writeMapToFile(updatedRepo, repository); + // } catch (JsonGenerationException e) { + // logger.error("Error exporting policies for repository : {}", repository, e); + // } catch (JsonMappingException e) { + // logger.error("Error exporting policies for repository : {}", repository, e); + // } catch (IOException e) { + // logger.error("Error exporting policies for repository : {}", repository, e); + // } + policyExportAudit.setHttpRetCode(HttpServletResponse.SC_OK); + createPolicyAudit(policyExportAudit); return updatedPolicyStr; 
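Review bot: The block of commented-out code the commit adds after `String updatedPolicyStr = jsonUtil.readMapToString(updatedRepo);` (`// File file = null; // try { … jsonUtil.writeMapToFile(updatedRepo, repository) … }`) is dead code introduced by this change; it appears to reference a `repository` variable that is not visible in this method and will only mislead the next reader. Delete it, and if the file-export path is meant to return, track that in the issue tracker rather than in comments. The `policyExportAudit.setHttpRetCode(HttpServletResponse.SC_OK); createPolicyAudit(policyExportAudit);` pair below it is the success-path counterpart to the audit calls added on the failure paths and reads correctly.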
@@ -411,31 +482,37 @@ public void updateDefaultPolicyUserAndPerm(VXResource vXResource, String userNam if (userName != null && !userName.isEmpty()) { XXUser xxUser = rangerDaoManager.getXXUser().findByUserName(userName); VXUser vXUser; + if (xxUser != null) { vXUser = xUserService.populateViewBean(xxUser); } else { vXUser = new VXUser(); + vXUser.setName(userName); // FIXME hack : unnecessary. vXUser.setDescription(userName); + vXUser = xUserService.createResource(vXUser); } - // fetch old permission and consider only one permission for default - // policy + + // fetch old permission and consider only one permission for default policy List xxPermMapList = rangerDaoManager.getXXPermMap().findByResourceId(vXResource.getId()); VXPermMap vXPermMap = null; - if (xxPermMapList != null && xxPermMapList.size() != 0) { + + if (xxPermMapList != null && !xxPermMapList.isEmpty()) { vXPermMap = xPermMapService.populateViewBean(xxPermMapList.get(0)); } if (vXPermMap == null) { // create new permission vXPermMap = new VXPermMap(); + vXPermMap.setUserId(vXUser.getId()); vXPermMap.setResourceId(vXResource.getId()); } else { // update old permission after updating userid vXPermMap.setUserId(vXUser.getId()); + xPermMapService.updateResource(vXPermMap); } } @@ -443,6 +520,7 @@ public void updateDefaultPolicyUserAndPerm(VXResource vXResource, String userNam public void createPolicyAudit(final XXPolicyExportAudit xXPolicyExportAudit) { final Runnable commitWork; + if (xXPolicyExportAudit.getHttpRetCode() == HttpServletResponse.SC_NOT_MODIFIED) { if (!rangerLogNotModified) { logger.debug("Not logging HttpServletResponse. SC_NOT_MODIFIED. To enable, set configuration: {}=true", PROP_RANGER_LOG_SC_NOT_MODIFIED); 
@@ -452,20 +530,10 @@ public void createPolicyAudit(final XXPolicyExportAudit xXPolicyExportAudit) { // Create PolicyExportAudit record after transaction is completed. If it is created in-line here // then the TransactionManager will roll-back the changes because the HTTP return code is // HttpServletResponse.SC_NOT_MODIFIED - commitWork = new Runnable() { - @Override - public void run() { - rangerDaoManager.getXXPolicyExportAudit().create(xXPolicyExportAudit); - } - }; + commitWork = () -> rangerDaoManager.getXXPolicyExportAudit().create(xXPolicyExportAudit); } } else { - commitWork = new Runnable() { - @Override - public void run() { - rangerDaoManager.getXXPolicyExportAudit().create(xXPolicyExportAudit); - } - }; + commitWork = () -> rangerDaoManager.getXXPolicyExportAudit().create(xXPolicyExportAudit); } if (commitWork != null) { @@ -478,15 +546,15 @@ public void run() { } public void createPluginInfo(String serviceName, String pluginId, HttpServletRequest request, int entityType, Long downloadedVersion, Long lastKnownVersion, long lastActivationTime, int httpCode, String clusterName, String pluginCapabilities) { - RangerRESTUtils restUtils = new RangerRESTUtils(); - - final String ipAddress = getRemoteAddress(request); - final String appType = restUtils.getAppIdFromPluginId(pluginId); + RangerRESTUtils restUtils = new RangerRESTUtils(); + final String ipAddress = getRemoteAddress(request); + final String appType = restUtils.getAppIdFromPluginId(pluginId); + String tmpHostName = null; - String tmpHostName = null; if (StringUtils.isNotBlank(pluginId)) { tmpHostName = restUtils.getHostnameFromPluginId(pluginId, serviceName); } + if (StringUtils.isBlank(tmpHostName) && request != null) { tmpHostName = request.getRemoteHost(); } 
@@ -545,22 +613,29 @@ public VXTrxLogList getReportLogs(SearchCriteria searchCriteria) { if (searchCriteria.getParamList() != null && !searchCriteria.getParamList().isEmpty()) { int clientTimeOffsetInMinute = RestUtil.getClientTimeOffset(); - Date temp = null; DateUtil dateUtil = new DateUtil(); + if (searchCriteria.getParamList().containsKey("startDate")) { - temp = (Date) searchCriteria.getParamList().get("startDate"); + Date temp = (Date) searchCriteria.getParamList().get("startDate"); + temp = dateUtil.getDateFromGivenDate(temp, 0, 0, 0, 0); temp = dateUtil.addTimeOffset(temp, clientTimeOffsetInMinute); + searchCriteria.getParamList().put("startDate", temp); } + if (searchCriteria.getParamList().containsKey("endDate")) { - temp = (Date) searchCriteria.getParamList().get("endDate"); + Date temp = (Date) searchCriteria.getParamList().get("endDate"); + temp = dateUtil.getDateFromGivenDate(temp, 0, 23, 59, 59); temp = dateUtil.addTimeOffset(temp, clientTimeOffsetInMinute); + searchCriteria.getParamList().put("endDate", temp); } + if (searchCriteria.getParamList().containsKey("owner")) { XXPortalUser xXPortalUser = rangerDaoManager.getXXPortalUser().findByLoginId((searchCriteria.getParamList().get("owner").toString())); + if (xXPortalUser != null) { searchCriteria.getParamList().put("owner", xXPortalUser.getId()); } else { 
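Review bot: The startDate/endDate adjustment rewritten here is duplicated verbatim in getAccessLogs, searchXPolicyExportAudits and getUgsyncAudits (the hunks at -592, -762 and -784), and the commit edits all four copies identically without collapsing them. Extracting the block into one private helper keeps the four search entry points in step the next time the offset handling changes. The `(Date)` casts are applied to request-supplied parameter values whose population is not visible here; if a non-Date value can reach this map, the cast surfaces as a ClassCastException rather than a 400, so the helper is also the place to validate the type once. getReportLogs continues beyond the hunk.
```java
// in getReportLogs (and the three sibling methods), replacing the two startDate/endDate blocks:
applyClientTimeOffsetToDateRange(searchCriteria, clientTimeOffsetInMinute, dateUtil);
// … unchanged: owner lookup …

/**
 * Applies the shared start/end-of-day adjustment and client time offset to the
 * "startDate" and "endDate" entries of the search criteria, when present.
 */
private static void applyClientTimeOffsetToDateRange(SearchCriteria searchCriteria, int clientTimeOffsetInMinute, DateUtil dateUtil) {
    if (searchCriteria.getParamList().containsKey("startDate")) {
        Date temp = (Date) searchCriteria.getParamList().get("startDate");

        temp = dateUtil.getDateFromGivenDate(temp, 0, 0, 0, 0);
        temp = dateUtil.addTimeOffset(temp, clientTimeOffsetInMinute);

        searchCriteria.getParamList().put("startDate", temp);
    }

    if (searchCriteria.getParamList().containsKey("endDate")) {
        Date temp = (Date) searchCriteria.getParamList().get("endDate");

        temp = dateUtil.getDateFromGivenDate(temp, 0, 23, 59, 59);
        temp = dateUtil.addTimeOffset(temp, clientTimeOffsetInMinute);

        searchCriteria.getParamList().put("endDate", temp);
    }
}
```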
@@ -592,23 +667,30 @@ public VXAccessAuditList getAccessLogs(SearchCriteria searchCriteria) { if (searchCriteria == null) { searchCriteria = new SearchCriteria(); } + if (searchCriteria.getParamList() != null && !searchCriteria.getParamList().isEmpty()) { int clientTimeOffsetInMinute = RestUtil.getClientTimeOffset(); - Date temp = null; DateUtil dateUtil = new DateUtil(); + if (searchCriteria.getParamList().containsKey("startDate")) { - temp = (Date) searchCriteria.getParamList().get("startDate"); + Date temp = (Date) searchCriteria.getParamList().get("startDate"); + temp = dateUtil.getDateFromGivenDate(temp, 0, 0, 0, 0); temp = dateUtil.addTimeOffset(temp, clientTimeOffsetInMinute); + searchCriteria.getParamList().put("startDate", temp); } + if (searchCriteria.getParamList().containsKey("endDate")) { - temp = (Date) searchCriteria.getParamList().get("endDate"); + Date temp = (Date) searchCriteria.getParamList().get("endDate"); + temp = dateUtil.getDateFromGivenDate(temp, 0, 23, 59, 59); temp = dateUtil.addTimeOffset(temp, clientTimeOffsetInMinute); + searchCriteria.getParamList().put("endDate", temp); } } + if (searchCriteria.getSortType() == null) { searchCriteria.setSortType("desc"); } else if (!"asc".equalsIgnoreCase(searchCriteria.getSortType()) && !"desc".equalsIgnoreCase(searchCriteria.getSortType())) { 
@@ -618,25 +700,24 @@ public VXAccessAuditList getAccessLogs(SearchCriteria searchCriteria) { if (!xaBizUtil.isAdmin()) { Long userId = xaBizUtil.getXUserId(); List userZones = rangerDaoManager.getXXSecurityZoneDao().findZoneNamesByUserId(userId); - Set zoneNameSet = new HashSet(userZones); + Set zoneNameSet = new HashSet<>(userZones); + VXGroupList groupList = xUserMgr.getXUserGroups(userId); - VXGroupList groupList = xUserMgr.getXUserGroups(userId); for (VXGroup group : groupList.getList()) { List userGroupZones = rangerDaoManager.getXXSecurityZoneDao().findZoneNamesByGroupId(group.getId()); - for (String zoneName : userGroupZones) { - zoneNameSet.add(zoneName); - } + + zoneNameSet.addAll(userGroupZones); } List zoneNameList = (List) searchCriteria.getParamValue("zoneName"); if ((zoneNameList == null || zoneNameList.isEmpty())) { if (!zoneNameSet.isEmpty()) { - searchCriteria.getParamList().put("zoneName", new ArrayList(zoneNameSet)); + searchCriteria.getParamList().put("zoneName", new ArrayList<>(zoneNameSet)); } else { searchCriteria.getParamList().put("zoneName", null); } - } else if (!zoneNameList.isEmpty() && !zoneNameSet.isEmpty()) { + } else if (!zoneNameSet.isEmpty()) { for (String znName : zoneNameList) { if (!serviceMgr.isZoneAdmin(znName) && !serviceMgr.isZoneAuditor(znName)) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not the zone admin or zone auditor of zone " + znName, true); 
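Review bot: Simplifying the condition to `} else if (!zoneNameSet.isEmpty()) {` is equivalent given the outer `zoneNameList == null || zoneNameList.isEmpty()` check, but it preserves the gap that a non-admin user with no zone-admin or zone-auditor membership (empty `zoneNameSet`) who supplies an explicit `zoneName` filter skips the `isZoneAdmin`/`isZoneAuditor` loop entirely, so the caller-chosen zone list reaches the search unchecked. Whether the downstream query restricts such a user's results is outside the hunk; if it does not, the validation should run whenever a zone list was supplied, i.e. `} else {` in place of the `!zoneNameSet.isEmpty()` guard, which would yield the same 403 the zone-member case gets. The cast of the request-supplied `zoneName` parameter to a List is also unchecked, so a non-list value would surface as a ClassCastException rather than a 400. getAccessLogs continues past the hunk.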
@@ -694,17 +775,21 @@ public List validateXXTrxLogList(List xTrxLogList) { if (vXTrxLog.getPreviousValue() == null || "null".equalsIgnoreCase(vXTrxLog.getPreviousValue())) { vXTrxLog.setPreviousValue(""); } + if (vXTrxLog.getNewValue() == null || "null".equalsIgnoreCase(vXTrxLog.getNewValue())) { vXTrxLog.setNewValue(""); } + if (vXTrxLog.getAttributeName() != null && "Password".equalsIgnoreCase(vXTrxLog.getAttributeName())) { vXTrxLog.setPreviousValue("*********"); vXTrxLog.setNewValue("***********"); } + if (vXTrxLog.getAttributeName() != null && "Connection Configurations".equalsIgnoreCase(vXTrxLog.getAttributeName())) { if (vXTrxLog.getPreviousValue() != null && vXTrxLog.getPreviousValue().contains("password")) { String tempPreviousStr = vXTrxLog.getPreviousValue(); String[] tempPreviousArr = vXTrxLog.getPreviousValue().split(","); + for (String tempPrevious : tempPreviousArr) { if (tempPrevious.contains("{\"password") && tempPrevious.contains("}")) { vXTrxLog.setPreviousValue(tempPreviousStr.replace(tempPrevious, "{\"password\":\"*****\"}")); @@ -721,9 +806,11 @@ public List validateXXTrxLogList(List xTrxLogList) { } } } + if (vXTrxLog.getNewValue() != null && vXTrxLog.getNewValue().contains("password")) { String tempNewStr = vXTrxLog.getNewValue(); String[] tempNewArr = vXTrxLog.getNewValue().split(","); + for (String tempNew : tempNewArr) { if (tempNew.contains("{\"password") && tempNew.contains("}")) { vXTrxLog.setNewValue(tempNewStr.replace(tempNew, "{\"password\":\"*****\"}")); @@ -744,6 +831,7 @@ public List validateXXTrxLogList(List xTrxLogList) { vXTrxLogs.add(vXTrxLog); } + return vXTrxLogs; } 
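Review bot: The "Connection Configurations" redaction in this hunk and the -721 hunk masks a segment only when it both starts with `{"password` and contains `}` after splitting on commas, so a password value containing a comma, or a `password` key that is not the first and last key of its object, passes through to the transaction log unmasked; the `contains("password")` pre-check is also case-sensitive. A key-based replacement does not depend on the comma layout: `vXTrxLog.setPreviousValue(vXTrxLog.getPreviousValue().replaceAll("(?i)(\"[^\"]*password[^\"]*\"\\s*:\\s*)\"[^\"]*\"", "$1\"*****\""));` and the same for `setNewValue`, with the pattern held in a `static final Pattern` field. This assumes the stored value is JSON with quoted string values, as the existing `{"password` match already does; if the field can hold another format, parse it with the class's `jsonUtil` instead. The loop and validateXXTrxLogList begin before the hunk.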
@@ -762,21 +850,26 @@ public VXPolicyExportAuditList searchXPolicyExportAudits(SearchCriteria searchCr if (searchCriteria.getParamList() != null && !searchCriteria.getParamList().isEmpty()) { int clientTimeOffsetInMinute = RestUtil.getClientTimeOffset(); - Date temp = null; DateUtil dateUtil = new DateUtil(); + if (searchCriteria.getParamList().containsKey("startDate")) { - temp = (Date) searchCriteria.getParamList().get("startDate"); + Date temp = (Date) searchCriteria.getParamList().get("startDate"); + temp = dateUtil.getDateFromGivenDate(temp, 0, 0, 0, 0); temp = dateUtil.addTimeOffset(temp, clientTimeOffsetInMinute); + searchCriteria.getParamList().put("startDate", temp); } if (searchCriteria.getParamList().containsKey("endDate")) { - temp = (Date) searchCriteria.getParamList().get("endDate"); + Date temp = (Date) searchCriteria.getParamList().get("endDate"); + temp = dateUtil.getDateFromGivenDate(temp, 0, 23, 59, 59); temp = dateUtil.addTimeOffset(temp, clientTimeOffsetInMinute); + searchCriteria.getParamList().put("endDate", temp); } } + return xPolicyExportAuditService.searchXPolicyExportAudits(searchCriteria); } 
@@ -784,31 +877,38 @@ public VXUgsyncAuditInfoList getUgsyncAudits(SearchCriteria searchCriteria) { if (!msBizUtil.hasModuleAccess(RangerConstants.MODULE_AUDIT)) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not having permissions on the " + RangerConstants.MODULE_AUDIT + " module.", true); } + if (searchCriteria == null) { searchCriteria = new SearchCriteria(); } + if (searchCriteria.getParamList() != null && !searchCriteria.getParamList().isEmpty()) { int clientTimeOffsetInMinute = RestUtil.getClientTimeOffset(); - Date temp = null; DateUtil dateUtil = new DateUtil(); if (searchCriteria.getParamList().containsKey("startDate")) { - temp = (Date) searchCriteria.getParamList().get("startDate"); + Date temp = (Date) searchCriteria.getParamList().get("startDate"); + temp = dateUtil.getDateFromGivenDate(temp, 0, 0, 0, 0); temp = dateUtil.addTimeOffset(temp, clientTimeOffsetInMinute); + searchCriteria.getParamList().put("startDate", temp); } if (searchCriteria.getParamList().containsKey("endDate")) { - temp = (Date) searchCriteria.getParamList().get("endDate"); + Date temp = (Date) searchCriteria.getParamList().get("endDate"); + temp = dateUtil.getDateFromGivenDate(temp, 0, 23, 59, 59); temp = dateUtil.addTimeOffset(temp, clientTimeOffsetInMinute); + searchCriteria.getParamList().put("endDate", temp); } } + if (searchCriteria.getSortType() == null) { searchCriteria.setSortType("desc"); } else if (!"asc".equalsIgnoreCase(searchCriteria.getSortType()) && !"desc".equalsIgnoreCase(searchCriteria.getSortType())) { searchCriteria.setSortType("desc"); } + return xUgsyncAuditInfoService.searchXUgsyncAuditInfoList(searchCriteria); } 
@@ -816,6 +916,7 @@ public VXUgsyncAuditInfoList getUgsyncAuditsBySyncSource(String syncSource) { if (!msBizUtil.hasModuleAccess(RangerConstants.MODULE_AUDIT)) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not having permissions on the " + RangerConstants.MODULE_AUDIT + " module.", true); } + if (syncSource != null && !syncSource.trim().isEmpty()) { return xUgsyncAuditInfoService.searchXUgsyncAuditInfoBySyncSource(syncSource); } else { @@ -826,19 +927,21 @@ public VXUgsyncAuditInfoList getUgsyncAuditsBySyncSource(String syncSource) { @SuppressWarnings("unchecked") private HashMap populatePermMap(VXResource xResource, HashMap resourceMap, int assetType) { List xPermMapList = xResource.getPermMapList(); + Set groupList = new HashSet<>(); - Set groupList = new HashSet<>(); for (VXPermMap xPermMap : xPermMapList) { groupList.add(xPermMap.getId()); } - List> sortedPermMapGroupList = new ArrayList>(); + List> sortedPermMapGroupList = new ArrayList<>(); // Loop for adding group perms for (VXPermMap xPermMap : xPermMapList) { String groupKey = xPermMap.getPermGroup(); + if (groupKey != null) { boolean found = false; + for (HashMap sortedPermMap : sortedPermMapGroupList) { if (sortedPermMap.containsValue(groupKey)) { found = true; 
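Review bot: In the -826 hunk, `sortedPermMap.containsValue(groupKey)` identifies an existing group entry by scanning every value in the map rather than reading the `groupKey` entry the map is keyed on; among the entries visible here it works only because the group key is the sole String value stored, and any later String-valued entry would silently merge unrelated permission groups. `if (groupKey.equals(sortedPermMap.get("groupKey"))) {` says what is meant. The `groupList` set filled from `xPermMap.getId()` at the top of the hunk is not read in any visible line; if nothing outside the hunk uses it, drop it. populatePermMap continues beyond the hunk.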
@@ -851,6 +954,7 @@ private HashMap populatePermMap(VXResource xResource, HashMap populatePermMap(VXResource xResource, HashMap access = (Set) sortedPermMap.get("access"); String perm = AppConstants.getLabelFor_XAPermType(xPermMap.getPermType()); + access.add(perm); + sortedPermMap.put("access", access); } } if (!found) { HashMap sortedPermMap = new HashMap<>(); + sortedPermMap.put("groupKey", xPermMap.getPermGroup()); Set permSet = new HashSet<>(); String perm = AppConstants.getLabelFor_XAPermType(xPermMap.getPermType()); + permSet.add(perm); sortedPermMap.put("access", permSet); if (assetType == AppConstants.ASSET_KNOX) { String[] ipAddrList = new String[0]; + if (xPermMap.getIpAddress() != null) { ipAddrList = xPermMap.getIpAddress().split(","); + sortedPermMap.put("ipAddress", ipAddrList); } else { sortedPermMap.put("ipAddress", ipAddrList); @@ -894,12 +1005,16 @@ private HashMap populatePermMap(VXResource xResource, HashMap groupSet = new HashSet<>(); String group = xPermMap.getGroupName(); + groupSet.add(group); + sortedPermMap.put("groups", groupSet); } else if (userId != null) { Set userSet = new HashSet<>(); String user = xPermMap.getUserName(); + userSet.add(user); + sortedPermMap.put("users", userSet); } 
@@ -917,6 +1032,7 @@ private HashMap populatePermMap(VXResource xResource, HashMap doCreateOrUpdateXXPluginInfo(pluginInfo, entityType, isTagVersionResetNeeded, clusterName); } } else if (httpCode == HttpServletResponse.SC_NOT_FOUND) { - if ((isPolicyDownloadRequest(entityType) && (pluginInfo.getPolicyActiveVersion() == null || pluginInfo.getPolicyActiveVersion() == -1)) || (isTagDownloadRequest(entityType) && (pluginInfo.getTagActiveVersion() == null || pluginInfo.getTagActiveVersion() == -1)) || (isRoleDownloadRequest(entityType) && (pluginInfo.getRoleActiveVersion() == null || pluginInfo.getRoleActiveVersion() == -1)) || (isUserStoreDownloadRequest(entityType) && (pluginInfo.getUserStoreActiveVersion() == null || pluginInfo.getUserStoreActiveVersion() == -1)) || (isGdsDownloadRequest(entityType) && (pluginInfo.getGdsActiveVersion() == null || pluginInfo.getGdsActiveVersion() == -1))) { - commitWork = new Runnable() { - @Override - public void run() { - doDeleteXXPluginInfo(pluginInfo); - } - }; + if ((isPolicyDownloadRequest(entityType) && (pluginInfo.getPolicyActiveVersion() == null || pluginInfo.getPolicyActiveVersion() == -1)) + || (isTagDownloadRequest(entityType) && (pluginInfo.getTagActiveVersion() == null || pluginInfo.getTagActiveVersion() == -1)) + || (isRoleDownloadRequest(entityType) && (pluginInfo.getRoleActiveVersion() == null || pluginInfo.getRoleActiveVersion() == -1)) + || (isUserStoreDownloadRequest(entityType) && (pluginInfo.getUserStoreActiveVersion() == null || pluginInfo.getUserStoreActiveVersion() == -1)) + || (isGdsDownloadRequest(entityType) && (pluginInfo.getGdsActiveVersion() == null || pluginInfo.getGdsActiveVersion() == -1))) { + commitWork = () -> doDeleteXXPluginInfo(pluginInfo); } else { - commitWork = new Runnable() { - @Override - public void run() { - doCreateOrUpdateXXPluginInfo(pluginInfo, entityType, false, clusterName); - } - }; + commitWork = () -> doCreateOrUpdateXXPluginInfo(pluginInfo, entityType, false, clusterName); } 
} else { isTagVersionResetNeeded = false; - commitWork = new Runnable() { - @Override - public void run() { - doCreateOrUpdateXXPluginInfo(pluginInfo, entityType, isTagVersionResetNeeded, clusterName); - } - }; + commitWork = () -> doCreateOrUpdateXXPluginInfo(pluginInfo, entityType, isTagVersionResetNeeded, clusterName); } if (commitWork != null) { @@ -1002,18 +1103,20 @@ public void run() { } private XXPluginInfo doCreateOrUpdateXXPluginInfo(RangerPluginInfo pluginInfo, int entityType, final boolean isTagVersionResetNeeded, String clusterName) { - XXPluginInfo ret = null; - Map infoMap = null; + XXPluginInfo ret = null; if (StringUtils.isNotBlank(pluginInfo.getServiceName())) { XXPluginInfo xObj = rangerDaoManager.getXXPluginInfo().find(pluginInfo.getServiceName(), pluginInfo.getHostName(), pluginInfo.getAppType()); if (xObj == null) { - infoMap = pluginInfo.getInfo(); + Map infoMap = pluginInfo.getInfo(); + if (!stringUtil.isEmpty(clusterName) && infoMap != null) { infoMap.put(SearchFilter.CLUSTER_NAME, clusterName); + pluginInfo.setInfo(infoMap); } + // ranger-admin is restarted, plugin contains latest versions and no earlier record for this plug-in client if (isPolicyDownloadRequest(entityType)) { if (pluginInfo.getPolicyDownloadedVersion() != null && pluginInfo.getPolicyDownloadedVersion().equals(pluginInfo.getPolicyActiveVersion())) { 
@@ -1047,29 +1150,35 @@ private XXPluginInfo doCreateOrUpdateXXPluginInfo(RangerPluginInfo pluginInfo, i xObj = pluginInfoService.populateDBObject(pluginInfo); logger.debug("Creating RangerPluginInfo record for service-version"); + ret = rangerDaoManager.getXXPluginInfo().create(xObj); } else { - boolean needsUpdating = false; - - RangerPluginInfo dbObj = pluginInfoService.populateViewObject(xObj); + boolean needsUpdating = false; + RangerPluginInfo dbObj = pluginInfoService.populateViewObject(xObj); + Map infoMap = dbObj.getInfo(); - infoMap = dbObj.getInfo(); if (infoMap != null && !stringUtil.isEmpty(clusterName)) { if (!stringUtil.isEmpty(infoMap.get(SearchFilter.CLUSTER_NAME)) && !stringUtil.equals(infoMap.get(SearchFilter.CLUSTER_NAME), clusterName)) { infoMap.put(SearchFilter.CLUSTER_NAME, clusterName); + needsUpdating = true; } } + if (!dbObj.getIpAddress().equals(pluginInfo.getIpAddress())) { dbObj.setIpAddress(pluginInfo.getIpAddress()); + needsUpdating = true; } + if (isPolicyDownloadRequest(entityType)) { if (dbObj.getPolicyDownloadedVersion() == null || !dbObj.getPolicyDownloadedVersion().equals(pluginInfo.getPolicyDownloadedVersion())) { dbObj.setPolicyDownloadedVersion(pluginInfo.getPolicyDownloadedVersion()); dbObj.setPolicyDownloadTime(pluginInfo.getPolicyDownloadTime()); + needsUpdating = true; } + Long lastKnownPolicyVersion = pluginInfo.getPolicyActiveVersion(); Long lastPolicyActivationTime = pluginInfo.getPolicyActivationTime(); String lastPluginCapabilityVector = pluginInfo.getPluginCapabilities(); 
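Review bot: `if (!dbObj.getIpAddress().equals(pluginInfo.getIpAddress())) {` dereferences the stored IP address without a null check, whereas every neighbouring comparison in this hunk guards the database side with `== null ||`; a plugin-info row persisted without an IP address would turn a routine update into a NullPointerException here. `if (!Objects.equals(dbObj.getIpAddress(), pluginInfo.getIpAddress())) {` covers both sides (needs `java.util.Objects`). The cluster-name branch above it only rewrites `CLUSTER_NAME` when the stored value is non-empty and differs, so a row recorded without a cluster name never acquires one even though the create path in the previous hunk sets it; if that is intentional, a one-line comment saying why would save the next reader the question. doCreateOrUpdateXXPluginInfo continues beyond the hunk.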
@@ -1077,22 +1186,31 @@ private XXPluginInfo doCreateOrUpdateXXPluginInfo(RangerPluginInfo pluginInfo, i if (lastKnownPolicyVersion != null && lastKnownPolicyVersion == -1) { // First download request after plug-in's policy-refresher starts dbObj.setPolicyDownloadTime(pluginInfo.getPolicyDownloadTime()); + needsUpdating = true; } + if (lastKnownPolicyVersion != null && lastKnownPolicyVersion > 0 && (dbObj.getPolicyActiveVersion() == null || !dbObj.getPolicyActiveVersion().equals(lastKnownPolicyVersion))) { dbObj.setPolicyActiveVersion(lastKnownPolicyVersion); + needsUpdating = true; } + if (lastPolicyActivationTime != null && lastPolicyActivationTime > 0 && (dbObj.getPolicyActivationTime() == null || !dbObj.getPolicyActivationTime().equals(lastPolicyActivationTime))) { dbObj.setPolicyActivationTime(lastPolicyActivationTime); + needsUpdating = true; } + if (lastPluginCapabilityVector != null && (dbObj.getPluginCapabilities() == null || !dbObj.getPluginCapabilities().equals(lastPluginCapabilityVector))) { dbObj.setPluginCapabilities(lastPluginCapabilityVector); + needsUpdating = true; } + if (dbObj.getAdminCapabilities() == null || !dbObj.getAdminCapabilities().equals(adminCapabilities)) { dbObj.setAdminCapabilities(adminCapabilities); + needsUpdating = true; } } else if (isTagDownloadRequest(entityType)) { @@ -1100,6 +1218,7 @@ private XXPluginInfo doCreateOrUpdateXXPluginInfo(RangerPluginInfo pluginInfo, i // First download for tags after tag-service is associated with resource-service dbObj.setTagDownloadedVersion(pluginInfo.getTagDownloadedVersion()); dbObj.setTagDownloadTime(pluginInfo.getTagDownloadTime()); + needsUpdating = true; } 
@@ -1109,21 +1228,26 @@ private XXPluginInfo doCreateOrUpdateXXPluginInfo(RangerPluginInfo pluginInfo, i if (lastKnownTagVersion != null && lastKnownTagVersion == -1) { // First download request after plug-in's tag-refresher restarts dbObj.setTagDownloadTime(pluginInfo.getTagDownloadTime()); + needsUpdating = true; } + if (lastKnownTagVersion != null && lastKnownTagVersion > 0 && (dbObj.getTagActiveVersion() == null || !dbObj.getTagActiveVersion().equals(lastKnownTagVersion))) { dbObj.setTagActiveVersion(lastKnownTagVersion); + needsUpdating = true; } if (lastTagActivationTime != null && lastTagActivationTime > 0 && (dbObj.getTagActivationTime() == null || !dbObj.getTagActivationTime().equals(lastTagActivationTime))) { dbObj.setTagActivationTime(lastTagActivationTime); + needsUpdating = true; } } else if (isRoleDownloadRequest(entityType)) { if (dbObj.getRoleDownloadedVersion() == null || !dbObj.getRoleDownloadedVersion().equals(pluginInfo.getRoleDownloadedVersion())) { dbObj.setRoleDownloadedVersion(pluginInfo.getRoleDownloadedVersion()); dbObj.setRoleDownloadTime(pluginInfo.getRoleDownloadTime()); + needsUpdating = true; } 
@@ -1132,22 +1256,26 @@ private XXPluginInfo doCreateOrUpdateXXPluginInfo(RangerPluginInfo pluginInfo, i if (lastKnownRoleVersion != null && lastKnownRoleVersion == -1) { dbObj.setRoleDownloadTime(pluginInfo.getRoleDownloadTime()); + needsUpdating = true; } if (lastKnownRoleVersion != null && lastKnownRoleVersion > 0 && (dbObj.getRoleActiveVersion() == null || !dbObj.getRoleActiveVersion().equals(lastKnownRoleVersion))) { dbObj.setRoleActiveVersion(lastKnownRoleVersion); + needsUpdating = true; } if (lastRoleActivationTime != null && lastRoleActivationTime > 0 && (dbObj.getRoleActivationTime() == null || !dbObj.getRoleActivationTime().equals(lastRoleActivationTime))) { dbObj.setRoleActivationTime(lastRoleActivationTime); + needsUpdating = true; } } else if (isUserStoreDownloadRequest(entityType)) { if (dbObj.getUserStoreDownloadedVersion() == null || !dbObj.getUserStoreDownloadedVersion().equals(pluginInfo.getUserStoreDownloadedVersion())) { dbObj.setUserStoreDownloadedVersion(pluginInfo.getUserStoreDownloadedVersion()); dbObj.setUserStoreDownloadTime(pluginInfo.getUserStoreDownloadTime()); + needsUpdating = true; } 
@@ -1156,22 +1284,26 @@ private XXPluginInfo doCreateOrUpdateXXPluginInfo(RangerPluginInfo pluginInfo, i if (lastKnownUserStoreVersion != null && lastKnownUserStoreVersion == -1) { dbObj.setUserStoreDownloadTime(pluginInfo.getUserStoreDownloadTime()); + needsUpdating = true; } if (lastKnownUserStoreVersion != null && lastKnownUserStoreVersion > 0 && (dbObj.getUserStoreActiveVersion() == null || !dbObj.getUserStoreActiveVersion().equals(lastKnownUserStoreVersion))) { dbObj.setUserStoreActiveVersion(lastKnownUserStoreVersion); + needsUpdating = true; } if (lastUserStoreActivationTime != null && lastUserStoreActivationTime > 0 && (dbObj.getUserStoreActivationTime() == null || !dbObj.getUserStoreActivationTime().equals(lastUserStoreActivationTime))) { dbObj.setUserStoreActivationTime(lastUserStoreActivationTime); + needsUpdating = true; } } else if (isGdsDownloadRequest(entityType)) { if (dbObj.getGdsDownloadedVersion() == null || !dbObj.getGdsDownloadedVersion().equals(pluginInfo.getGdsDownloadedVersion())) { dbObj.setGdsDownloadedVersion(pluginInfo.getGdsDownloadedVersion()); dbObj.setGdsDownloadTime(pluginInfo.getGdsDownloadTime()); + needsUpdating = true; } @@ -1180,16 +1312,19 @@ private XXPluginInfo doCreateOrUpdateXXPluginInfo(RangerPluginInfo pluginInfo, i if (lastKnownGdsVersion != null && lastKnownGdsVersion == -1) { dbObj.setGdsDownloadTime(pluginInfo.getGdsDownloadTime()); + needsUpdating = true; } if (lastKnownGdsVersion != null && lastKnownGdsVersion > 0 && (dbObj.getGdsActiveVersion() == null || !dbObj.getGdsActiveVersion().equals(lastKnownGdsVersion))) { dbObj.setGdsActiveVersion(lastKnownGdsVersion); + needsUpdating = true; } if (lastGdsActivationTime != null && lastGdsActivationTime > 0 && (dbObj.getGdsActivationTime() == null || !dbObj.getGdsActivationTime().equals(lastGdsActivationTime))) { dbObj.setGdsActivationTime(lastGdsActivationTime); + needsUpdating = true; } } 
@@ -1199,11 +1334,13 @@ private XXPluginInfo doCreateOrUpdateXXPluginInfo(RangerPluginInfo pluginInfo, i dbObj.setTagDownloadTime(null); dbObj.setTagActiveVersion(null); dbObj.setTagActivationTime(null); + needsUpdating = true; } if (needsUpdating) { logger.debug("Updating XXPluginInfo record for service-version"); + xObj = pluginInfoService.populateDBObject(dbObj); ret = rangerDaoManager.getXXPluginInfo().update(xObj); @@ -1218,6 +1355,7 @@ private XXPluginInfo doCreateOrUpdateXXPluginInfo(RangerPluginInfo pluginInfo, i private void doDeleteXXPluginInfo(RangerPluginInfo pluginInfo) { XXPluginInfo xObj = rangerDaoManager.getXXPluginInfo().find(pluginInfo.getServiceName(), pluginInfo.getHostName(), pluginInfo.getAppType()); + if (xObj != null) { rangerDaoManager.getXXPluginInfo().remove(xObj.getId()); } @@ -1228,17 +1366,21 @@ private String getRemoteAddress(final HttpServletRequest request) { if (request != null) { String xForwardedAddress = request.getHeader("X-Forwarded-For"); + if (StringUtils.isNotBlank(xForwardedAddress)) { String[] forwardedAddresses = xForwardedAddress.split(","); + if (forwardedAddresses.length > 0) { // Use first one. Hope it is the IP of the originating client ret = forwardedAddresses[0].trim(); } } + if (ret == null) { ret = request.getRemoteAddr(); } } + return ret; } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/AssetMgrBase.java b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgrBase.java index 970cd745d6..50f6676908 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/AssetMgrBase.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgrBase.java 
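Review bot: In getRemoteAddress the first X-Forwarded-For element is accepted as the client address with no check that the request came through a trusted proxy; the header is supplied by the caller, so whatever downstream code stores or audits from this value can be chosen by the caller. The commit only adds blank lines here, but the existing comment `// Use first one. Hope it is the IP of the originating client` understates that; I would replace it with `// X-Forwarded-For is client-controlled; only meaningful when a trusted proxy in front of ranger-admin overwrites it` so readers of the plugin-info records know the limit of this field. The method's signature and `ret` declaration are above the hunk start.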
@@ -51,11 +51,13 @@ public VXCredentialStore getXCredentialStore(Long id) { public VXCredentialStore createXCredentialStore(VXCredentialStore vXCredentialStore) { vXCredentialStore = xCredentialStoreService.createResource(vXCredentialStore); + return vXCredentialStore; } public VXCredentialStore updateXCredentialStore(VXCredentialStore vXCredentialStore) { vXCredentialStore = xCredentialStoreService.updateResource(vXCredentialStore); + return vXCredentialStore; } @@ -81,11 +83,13 @@ public VXPolicyExportAudit getXPolicyExportAudit(Long id) { public VXPolicyExportAudit createXPolicyExportAudit(VXPolicyExportAudit vXPolicyExportAudit) { vXPolicyExportAudit = xPolicyExportAuditService.createResource(vXPolicyExportAudit); + return vXPolicyExportAudit; } public VXPolicyExportAudit updateXPolicyExportAudit(VXPolicyExportAudit vXPolicyExportAudit) { vXPolicyExportAudit = xPolicyExportAuditService.updateResource(vXPolicyExportAudit); + return vXPolicyExportAudit; } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/BaseMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/BaseMgr.java index 0803afb752..369958c68d 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/BaseMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/BaseMgr.java @@ -17,6 +17,9 @@ * under the License. */ +/** + * + */ package org.apache.ranger.biz; import org.apache.ranger.common.MessageEnums; 
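Review bot: The `/** * */` block added before `package org.apache.ranger.biz;` in BaseMgr is an empty Javadoc comment that documents nothing, and a Javadoc comment in that position is not attached to any declaration. Either drop it or, if a file header was intended, fold it into the license comment above it.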
@@ -46,12 +49,14 @@ public RangerDaoManager getDaoManager() { public void deleteEntity(BaseDao baseDao, Long id, String entityName) { XXDBBase entity = baseDao.getById(id); + if (entity != null) { try { baseDao.remove(id); } catch (Exception e) { - logger.error("Error deleting {}. Id = {}", entityName, id, e); - throw restErrorUtil.createRESTException("This " + entityName + " can't be deleted", MessageEnums.OPER_NOT_ALLOWED_FOR_STATE, id, null, "" + id + ", error=" + e.getMessage()); + logger.error("Error deleting {}. Id={}", entityName, id, e); + + throw restErrorUtil.createRESTException("This " + entityName + " can't be deleted", MessageEnums.OPER_NOT_ALLOWED_FOR_STATE, id, null, id + ", error=" + e.getMessage()); } } else { // Return without error diff --git a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java index 0656574970..7916f08188 100755 --- a/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java @@ -22,7 +22,7 @@ import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang3.StringUtils; import org.apache.http.HttpStatus; -import org.apache.ranger.biz.ServiceDBStore.RemoveRefType; +import org.apache.ranger.biz.ServiceDBStore.REMOVE_REF_TYPE; import org.apache.ranger.common.GUIDUtil; import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.RESTErrorUtil; 
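Review bot: The rewritten `throw` line in deleteEntity still embeds `e.getMessage()` in the REST error returned to the caller, while the `logger.error` line just above already records the full exception; for a persistence failure that message is usually a driver or ORM string, which is more than a client needs to see. I would keep the detail in the log and send only the id, `throw restErrorUtil.createRESTException("This " + entityName + " can't be deleted", MessageEnums.OPER_NOT_ALLOWED_FOR_STATE, id, null, String.valueOf(id));`, unless the REST layer scrubs the message further down, which is not visible here. The else branch of deleteEntity continues past the hunk.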
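Review bot: The import now names the enum `REMOVE_REF_TYPE`, which is UPPER_SNAKE_CASE for a type; Java convention, and the other type names in this file, use UpperCamelCase, so `RemoveRefType` was the conventional spelling. The same rename appears as `VERSION_TYPE` in the three updateGdsVersionFor* hunks at @@ -2210, @@ -2229 and @@ -2241, and as `REMOVE_REF_TYPE` again in deletePrincipalFromAcl at @@ -2258. If the rename is driven by a checkstyle rule, a targeted suppression for the type name seems cleaner than moving the types away from the convention.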
@@ -110,15 +110,17 @@ @Component public class GdsDBStore extends AbstractGdsStore { - public static final String RESOURCE_NAME_DATASET_ID = "dataset-id"; - public static final String RESOURCE_NAME_PROJECT_ID = "project-id"; - public static final String NOT_AUTHORIZED_FOR_DATASET_POLICIES = "User is not authorized to manage policies for this dataset"; - public static final String NOT_AUTHORIZED_TO_VIEW_DATASET_POLICIES = "User is not authorized to view policies for this dataset"; - public static final String NOT_AUTHORIZED_FOR_PROJECT_POLICIES = "User is not authorized to manage policies for this dataset"; - public static final String NOT_AUTHORIZED_TO_VIEW_PROJECT_POLICIES = "User is not authorized to view policies for this dataset"; - public static final String GDS_POLICY_NAME_TIMESTAMP_SEP = "@"; private static final Logger LOG = LoggerFactory.getLogger(GdsDBStore.class); - private static final Set SHARE_STATUS_AGR = new HashSet<>(Arrays.asList(GdsShareStatus.ACTIVE.ordinal(), GdsShareStatus.GRANTED.ordinal(), GdsShareStatus.REQUESTED.ordinal())); + + public static final String RESOURCE_NAME_DATASET_ID = "dataset-id"; + public static final String RESOURCE_NAME_PROJECT_ID = "project-id"; + public static final String NOT_AUTHORIZED_FOR_DATASET_POLICIES = "User is not authorized to manage policies for this dataset"; + public static final String NOT_AUTHORIZED_TO_VIEW_DATASET_POLICIES = "User is not authorized to view policies for this dataset"; + public static final String NOT_AUTHORIZED_FOR_PROJECT_POLICIES = "User is not authorized to manage policies for this dataset"; + public static final String NOT_AUTHORIZED_TO_VIEW_PROJECT_POLICIES = "User is not authorized to view policies for this dataset"; + public static final String GDS_POLICY_NAME_TIMESTAMP_SEP = "@"; + + private static final Set SHARE_STATUS_AGR = new HashSet<>(Arrays.asList(GdsShareStatus.ACTIVE.ordinal(), GdsShareStatus.GRANTED.ordinal(), GdsShareStatus.REQUESTED.ordinal())); @Autowired 
RangerGdsValidator validator; @@ -171,6 +173,7 @@ public class GdsDBStore extends AbstractGdsStore { @PostConstruct public void initStore() { LOG.debug("==> GdsInMemoryStore.initStore()"); + LOG.debug("<== GdsInMemoryStore.initStore()"); } @@ -773,10 +776,13 @@ public PList searchSharedResources(SearchFilter filter) { final Collection resources = sharedResource.getResource().values(); if (CollectionUtils.isNotEmpty(resources)) { - includeResource = resources.stream().filter(Objects::nonNull).map(RangerPolicyResource::getValues).filter(Objects::nonNull).anyMatch(res -> hasResource(res, resourceContains)); + includeResource = resources.stream().filter(Objects::nonNull) + .map(RangerPolicyResource::getValues).filter(Objects::nonNull) + .anyMatch(res -> hasResource(res, resourceContains)); if (!includeResource && sharedResource.getSubResource() != null && CollectionUtils.isNotEmpty(sharedResource.getSubResource().getValues())) { - includeResource = sharedResource.getSubResource().getValues().stream().filter(Objects::nonNull).anyMatch(value -> value.contains(resourceContains)); + includeResource = sharedResource.getSubResource().getValues().stream().filter(Objects::nonNull) + .anyMatch(value -> value.contains(resourceContains)); } } } @@ -1098,7 +1104,7 @@ public RangerPolicy getDatasetPolicy(Long datasetId, Long policyId) throws Excep } @Override - public List getDatasetPolicies(Long datasetId) throws Exception { + public List getDatasetPolicies(Long datasetId) { LOG.debug("==> getDatasetPolicies({})", datasetId); RangerDataset dataset = datasetService.read(datasetId); @@ -1227,7 +1233,7 @@ public RangerPolicy getProjectPolicy(Long projectId, Long policyId) throws Excep } @Override - public List getProjectPolicies(Long projectId) throws Exception { + public List getProjectPolicies(Long projectId) { LOG.debug("==> getProjectPolicies({})", projectId); RangerProject project = projectService.read(projectId); 
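Review bot: `NOT_AUTHORIZED_FOR_PROJECT_POLICIES` and `NOT_AUTHORIZED_TO_VIEW_PROJECT_POLICIES` are rewritten in this hunk but keep the dataset wording, `"... policies for this dataset"`, so a project authorization failure reports the wrong object to the caller. Since the lines are already being moved, change them to `public static final String NOT_AUTHORIZED_FOR_PROJECT_POLICIES = "User is not authorized to manage policies for this project";` and `public static final String NOT_AUTHORIZED_TO_VIEW_PROJECT_POLICIES = "User is not authorized to view policies for this project";`. The GdsDBStore class body continues past this hunk.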
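Review bot: The added exit trace `LOG.debug("<== GdsInMemoryStore.initStore()")` names GdsInMemoryStore, but the method is in GdsDBStore; the existing entry trace has the same copy-paste name and the new line repeats it. Both lines should read `GdsDBStore.initStore()` so the log entry can be attributed to the right store.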
@@ -1351,7 +1357,7 @@ public List addDataSharesInDataset(List GdsDBStore.getGdsInfoIfUpdated({}, {})", serviceName, lastKnownVersion); ServiceGdsInfo latest = serviceGdsInfoCache.get(serviceName); @@ -1363,7 +1369,7 @@ public ServiceGdsInfo getGdsInfoIfUpdated(String serviceName, Long lastKnownVers return ret; } - public PList getDatasetSummary(SearchFilter filter) throws Exception { + public PList getDatasetSummary(SearchFilter filter) { LOG.debug("==> getDatasetSummary({})", filter); PList datasets = getUnscrubbedDatasets(filter); @@ -1505,7 +1511,7 @@ private void setUserId(SearchFilter filter, String filterParam) { filter.setParam(filterParam, Long.toString(userId)); } - private List toDatasetSummary(List datasets, GdsPermission gdsPermission) throws Exception { + private List toDatasetSummary(List datasets, GdsPermission gdsPermission) { List ret = new ArrayList<>(); String currentUser = bizUtil.getCurrentUserLoginId(); @@ -1544,7 +1550,10 @@ private List toDatasetSummary(List datasets, GdsP List dataSharesSummary = getDataSharesSummary(dataShares, filter); datasetSummary.setDataShares(dataSharesSummary); - datasetSummary.setTotalResourceCount(dataSharesSummary.stream().map(DataShareInDatasetSummary::getResourceCount).mapToLong(Long::longValue).sum()); + datasetSummary.setTotalResourceCount(dataSharesSummary.stream() + .map(DataShareInDatasetSummary::getResourceCount) + .mapToLong(Long::longValue) + .sum()); } return ret; @@ -1602,7 +1611,7 @@ private Long getDIPCountForDataset(Long datasetId) { return datasetInProjectService.getDatasetsInProjectCount(datasetId); } - private Map getPrincipalCountForDataset(RangerDataset dataset) throws Exception { + private Map getPrincipalCountForDataset(RangerDataset dataset) { Map ret = new HashMap<>(); Set users = Collections.emptySet(); Set groups = Collections.emptySet(); 
@@ -1935,7 +1944,9 @@ private void removeDIPForDataset(Long datasetId) { boolean dipDeleted = dipDao.remove(dip.getId()); if (!dipDeleted) { - throw restErrorUtil.createRESTException("DatasetInProject could not be deleted", MessageEnums.ERROR_DELETE_OBJECT, dip.getId(), "DatasetInProjectId", null, HttpStatus.SC_INTERNAL_SERVER_ERROR); + throw restErrorUtil.createRESTException("DatasetInProject could not be deleted", + MessageEnums.ERROR_DELETE_OBJECT, dip.getId(), "DatasetInProjectId", null, + HttpStatus.SC_INTERNAL_SERVER_ERROR); } } } @@ -1948,7 +1959,9 @@ private void removeDSHIDForDataset(Long datasetId) { boolean dshidDeleted = dshidDao.remove(dshid.getId()); if (!dshidDeleted) { - throw restErrorUtil.createRESTException("DataShareInDataset could not be deleted", MessageEnums.ERROR_DELETE_OBJECT, dshid.getId(), "DataShareInDataset", null, HttpStatus.SC_INTERNAL_SERVER_ERROR); + throw restErrorUtil.createRESTException("DataShareInDataset could not be deleted", + MessageEnums.ERROR_DELETE_OBJECT, dshid.getId(), "DataShareInDataset", null, + HttpStatus.SC_INTERNAL_SERVER_ERROR); } } } @@ -1961,7 +1974,9 @@ private void removeDIPForProject(Long projectId) { boolean dipDeleted = dipDao.remove(dip.getId()); if (!dipDeleted) { - throw restErrorUtil.createRESTException("DatasetInProject could not be deleted", MessageEnums.ERROR_DELETE_OBJECT, dip.getId(), "DatasetInProjectId", null, HttpStatus.SC_INTERNAL_SERVER_ERROR); + throw restErrorUtil.createRESTException("DatasetInProject could not be deleted", + MessageEnums.ERROR_DELETE_OBJECT, dip.getId(), "DatasetInProjectId", null, + HttpStatus.SC_INTERNAL_SERVER_ERROR); } } } @@ -2070,7 +2085,8 @@ private DataShareInDatasetSummary toDshInDsSummary(RangerDataset dataset, List zoneIds = new HashMap<>(); DataShareInDatasetSummary summary = new DataShareInDatasetSummary(); 
@@ -2210,7 +2226,7 @@ private List getPolicies(List policyIds) { private void updateGdsVersionForService(Long serviceId) { updateGdsVersion(); - Runnable serviceVersionUpdater = new ServiceDBStore.ServiceVersionUpdater(daoMgr, serviceId, ServiceDBStore.VersionType.GDS_VERSION, RangerPolicyDelta.CHANGE_TYPE_GDS_UPDATE); + Runnable serviceVersionUpdater = new ServiceDBStore.ServiceVersionUpdater(daoMgr, serviceId, ServiceDBStore.VERSION_TYPE.GDS_VERSION, RangerPolicyDelta.CHANGE_TYPE_GDS_UPDATE); daoMgr.getRangerTransactionSynchronizationAdapter().executeOnTransactionCommit(serviceVersionUpdater); } @@ -2229,7 +2245,7 @@ private void updateGdsVersionForProject(Long projectId) { List serviceIds = daoMgr.getXXGdsProject().findServiceIdsForProject(projectId); for (Long serviceId : serviceIds) { - Runnable serviceVersionUpdater = new ServiceDBStore.ServiceVersionUpdater(daoMgr, serviceId, ServiceDBStore.VersionType.GDS_VERSION, RangerPolicyDelta.CHANGE_TYPE_GDS_UPDATE); + Runnable serviceVersionUpdater = new ServiceDBStore.ServiceVersionUpdater(daoMgr, serviceId, ServiceDBStore.VERSION_TYPE.GDS_VERSION, RangerPolicyDelta.CHANGE_TYPE_GDS_UPDATE); daoMgr.getRangerTransactionSynchronizationAdapter().executeOnTransactionCommit(serviceVersionUpdater); } @@ -2241,7 +2257,7 @@ private void updateGdsVersionForDataset(Long datasetId) { List serviceIds = daoMgr.getXXGdsDataset().findServiceIdsForDataset(datasetId); for (Long serviceId : serviceIds) { - Runnable serviceVersionUpdater = new ServiceDBStore.ServiceVersionUpdater(daoMgr, serviceId, ServiceDBStore.VersionType.GDS_VERSION, RangerPolicyDelta.CHANGE_TYPE_GDS_UPDATE); + Runnable serviceVersionUpdater = new ServiceDBStore.ServiceVersionUpdater(daoMgr, serviceId, ServiceDBStore.VERSION_TYPE.GDS_VERSION, RangerPolicyDelta.CHANGE_TYPE_GDS_UPDATE); daoMgr.getRangerTransactionSynchronizationAdapter().executeOnTransactionCommit(serviceVersionUpdater); } 
@@ -2258,11 +2274,11 @@ private void updateGdsVersionForDataShare(Long dataShareId) { private GdsPermission deletePrincipalFromAcl(RangerGdsObjectACL acl, String principalName, String principalType) { final Map principalAcls; - if (principalType.equalsIgnoreCase(RemoveRefType.USER.toString())) { + if (principalType.equalsIgnoreCase(REMOVE_REF_TYPE.USER.toString())) { principalAcls = acl.getUsers(); - } else if (principalType.equalsIgnoreCase(RemoveRefType.GROUP.toString())) { + } else if (principalType.equalsIgnoreCase(REMOVE_REF_TYPE.GROUP.toString())) { principalAcls = acl.getGroups(); - } else if (principalType.equalsIgnoreCase(RemoveRefType.ROLE.toString())) { + } else if (principalType.equalsIgnoreCase(REMOVE_REF_TYPE.ROLE.toString())) { principalAcls = acl.getRoles(); } else { principalAcls = null; diff --git a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java index 939970849e..a8fb2942f1 100755 --- a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java @@ -72,10 +72,12 @@ @Component public class KmsKeyMgr { - static final String NAME_RULES = "hadoop.security.auth_to_local"; - static final String RANGER_AUTH_TYPE = "hadoop.security.authentication"; - static final String HOST_NAME = "ranger.service.host"; private static final Logger logger = LoggerFactory.getLogger(KmsKeyMgr.class); + + static final String NAME_RULES = "hadoop.security.auth_to_local"; + static final String RANGER_AUTH_TYPE = "hadoop.security.authentication"; + static final String HOST_NAME = "ranger.service.host"; + private static final String KMS_KEY_LIST_URI = "v1/keys/names"; //GET private static final String KMS_ADD_KEY_URI = "v1/keys"; //POST private static final String KMS_ROLL_KEY_URI = "v1/key/${alias}"; //POST 
@@ -89,6 +91,7 @@ public class KmsKeyMgr { private static final String ADMIN_USER_KEYTAB = "ranger.admin.kerberos.keytab"; private static final Map providerList = new HashMap<>(); private static int nextProvider; + @Autowired ServiceDBStore svcStore; @@ -104,31 +107,36 @@ public class KmsKeyMgr { @Autowired RangerBizUtil rangerBizUtil; - @SuppressWarnings("unchecked") public VXKmsKeyList searchKeys(HttpServletRequest request, String repoName) throws Exception { String[] providers = null; + try { providers = getKMSURL(repoName); } catch (Exception e) { logger.error("getKey({}) failed", repoName, e); } + List vXKeys = new ArrayList<>(); VXKmsKeyList vxKmsKeyList = new VXKmsKeyList(); - List keys = null; String connProvider = null; boolean isKerberos = false; + try { isKerberos = checkKerberos(); } catch (Exception e1) { logger.error("checkKerberos({}) failed", repoName, e1); } + if (providers != null) { for (int i = 0; i < providers.length; i++) { Client c = getClient(); String currentUserLoginId = StringUtil.getUTFEncodedString(ContextUtil.getCurrentUserLoginId()); String keyLists = KMS_KEY_LIST_URI.replaceAll(Pattern.quote("${userName}"), currentUserLoginId); + connProvider = providers[i]; + String uri = providers[i] + (providers[i].endsWith("/") ? keyLists : ("/" + keyLists)); + if (!isKerberos) { uri = uri.concat("?user.name=" + currentUserLoginId); } else { 
@@ -136,32 +144,39 @@ public VXKmsKeyList searchKeys(HttpServletRequest request, String repoName) thro } final WebResource r = c.resource(uri); + try { - String response = null; + String response; + if (!isKerberos) { response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class); } else { Subject sub = getSubjectForKerberos(repoName); - response = Subject.doAs(sub, new PrivilegedAction() { - @Override - public String run() { - return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class); - } - }); + + response = Subject.doAs(sub, (PrivilegedAction) () -> r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class)); } logger.debug(" Search Key RESPONSE: [{}]", response); - keys = JsonUtils.jsonToListString(response); + + List keys = JsonUtils.jsonToListString(response); + Collections.sort(keys); + VXKmsKeyList vxKmsKeyList2 = new VXKmsKeyList(); List vXKeys2 = new ArrayList<>(); + for (String name : keys) { VXKmsKey key = new VXKmsKey(); + key.setName(name); + vXKeys2.add(key); } + vxKmsKeyList2.setVXKeys(vXKeys2); + vxKmsKeyList = getFilteredKeyList(request, vxKmsKeyList2); + break; } catch (Exception e) { if (e instanceof UniformInterfaceException || i == providers.length - 1) { 
@@ -172,83 +187,100 @@ public String run() { } } } + //details if (vxKmsKeyList != null && vxKmsKeyList.getVXKeys() != null && !vxKmsKeyList.getVXKeys().isEmpty()) { List lstKMSKey = vxKmsKeyList.getVXKeys(); int startIndex = restErrorUtil.parseInt(request.getParameter("startIndex"), 0, "Invalid value for parameter startIndex", MessageEnums.INVALID_INPUT_DATA, null, "startIndex"); + startIndex = startIndex < 0 ? 0 : startIndex; int pageSize = restErrorUtil.parseInt(request.getParameter("pageSize"), 0, "Invalid value for parameter pageSize", MessageEnums.INVALID_INPUT_DATA, null, "pageSize"); + pageSize = pageSize < 0 ? 0 : pageSize; vxKmsKeyList.setResultSize(lstKMSKey.size()); vxKmsKeyList.setTotalCount(lstKMSKey.size()); + if ((startIndex + pageSize) <= lstKMSKey.size()) { lstKMSKey = lstKMSKey.subList(startIndex, (startIndex + pageSize)); } else { startIndex = startIndex >= lstKMSKey.size() ? 0 : startIndex; lstKMSKey = lstKMSKey.subList(startIndex, lstKMSKey.size()); } + if (CollectionUtils.isNotEmpty(lstKMSKey)) { for (VXKmsKey kmsKey : lstKMSKey) { if (kmsKey != null) { VXKmsKey key = getKeyFromUri(connProvider, kmsKey.getName(), isKerberos, repoName); + vXKeys.add(key); } } } + vxKmsKeyList.setStartIndex(startIndex); vxKmsKeyList.setPageSize(pageSize); } + if (vxKmsKeyList != null) { vxKmsKeyList.setVXKeys(vXKeys); } + return vxKmsKeyList; } public VXKmsKey rolloverKey(String provider, VXKmsKey vXKey) throws Exception { String[] providers = null; + rangerBizUtil.blockAuditorRoleUser(); + try { providers = getKMSURL(provider); } catch (Exception e) { logger.error("rolloverKey({}, {}) failed", provider, vXKey.getName(), e); } + VXKmsKey ret = null; boolean isKerberos = false; + try { isKerberos = checkKerberos(); } catch (Exception e1) { logger.error("checkKerberos({}) failed", provider, e1); } + if (providers != null) { for (int i = 0; i < providers.length; i++) { Client c = getClient(); String rollRest = KMS_ROLL_KEY_URI.replaceAll(Pattern.quote("${alias}"), 
vXKey.getName()); String currentUserLoginId = StringUtil.getUTFEncodedString(ContextUtil.getCurrentUserLoginId()); String uri = providers[i] + (providers[i].endsWith("/") ? rollRest : ("/" + rollRest)); + if (!isKerberos) { uri = uri.concat("?user.name=" + currentUserLoginId); } else { uri = uri.concat("?doAs=" + currentUserLoginId); } + final WebResource r = c.resource(uri); final String jsonString = JsonUtils.objectToJson(vXKey); + try { - String response = null; + String response; + if (!isKerberos) { response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString); } else { Subject sub = getSubjectForKerberos(provider); - response = Subject.doAs(sub, new PrivilegedAction() { - @Override - public String run() { - return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString); - } - }); + + response = Subject.doAs(sub, (PrivilegedAction) () -> r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString)); } + logger.debug("Roll RESPONSE: [{}]", response); + ret = JsonUtils.jsonToObject(response, VXKmsKey.class); + break; } catch (Exception e) { if (e instanceof UniformInterfaceException || i == providers.length - 1) { 
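Review bot: In the paging block of searchKeys, `pageSize` defaults to 0 through `restErrorUtil.parseInt(request.getParameter("pageSize"), 0, ...)`, and because `0 + pageSize <= lstKMSKey.size()` then holds, the list becomes `lstKMSKey.subList(startIndex, startIndex)`, an empty page, even though resultSize and totalCount report the full count. If callers are not guaranteed to send pageSize, a non-zero default or `pageSize = pageSize <= 0 ? lstKMSKey.size() : pageSize;` would avoid the silent empty result; I cannot see the callers from here. searchKeys starts before this hunk, and rolloverKey, which the hunk also covers, continues past its end.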
@@ -264,43 +296,48 @@ public String run() { public void deleteKey(String provider, String name) throws Exception { String[] providers = null; + rangerBizUtil.blockAuditorRoleUser(); + try { providers = getKMSURL(provider); } catch (Exception e) { logger.error("deleteKey({}, {}) failed", provider, name, e); } + boolean isKerberos = false; + try { isKerberos = checkKerberos(); } catch (Exception e1) { logger.error("checkKerberos({}) failed", provider, e1); } + if (providers != null) { for (int i = 0; i < providers.length; i++) { Client c = getClient(); String deleteRest = KMS_DELETE_KEY_URI.replaceAll(Pattern.quote("${alias}"), name); String currentUserLoginId = StringUtil.getUTFEncodedString(ContextUtil.getCurrentUserLoginId()); String uri = providers[i] + (providers[i].endsWith("/") ? deleteRest : ("/" + deleteRest)); + if (!isKerberos) { uri = uri.concat("?user.name=" + currentUserLoginId); } else { uri = uri.concat("?doAs=" + currentUserLoginId); } + final WebResource r = c.resource(uri); try { - String response = null; + String response; + if (!isKerberos) { response = r.delete(String.class); } else { Subject sub = getSubjectForKerberos(provider); - response = Subject.doAs(sub, new PrivilegedAction() { - @Override - public String run() { - return r.delete(String.class); - } - }); + + response = Subject.doAs(sub, (PrivilegedAction) () -> r.delete(String.class)); } + logger.debug("delete RESPONSE: [{}]", response); break; } catch (Exception e) { 
@@ -316,46 +353,54 @@ public String run() { public VXKmsKey createKey(String provider, VXKmsKey vXKey) throws Exception { String[] providers = null; + rangerBizUtil.blockAuditorRoleUser(); + try { providers = getKMSURL(provider); } catch (Exception e) { logger.error("createKey({}, {}) failed", provider, vXKey.getName(), e); } + VXKmsKey ret = null; boolean isKerberos = false; + try { isKerberos = checkKerberos(); } catch (Exception e1) { logger.error("checkKerberos({}) failed", provider, e1); } + if (providers != null) { for (int i = 0; i < providers.length; i++) { Client c = getClient(); String currentUserLoginId = StringUtil.getUTFEncodedString(ContextUtil.getCurrentUserLoginId()); String uri = providers[i] + (providers[i].endsWith("/") ? KMS_ADD_KEY_URI : ("/" + KMS_ADD_KEY_URI)); + if (!isKerberos) { uri = uri.concat("?user.name=" + currentUserLoginId); } else { uri = uri.concat("?doAs=" + currentUserLoginId); } + final WebResource r = c.resource(uri); final String jsonString = JsonUtils.objectToJson(vXKey); + try { - String response = null; + String response; + if (!isKerberos) { response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString); } else { Subject sub = getSubjectForKerberos(provider); - response = Subject.doAs(sub, new PrivilegedAction() { - @Override - public String run() { - return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString); - } - }); + + response = Subject.doAs(sub, (PrivilegedAction) () -> r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString)); } + logger.debug("Create RESPONSE: [{}]", response); + ret = JsonUtils.jsonToObject(response, VXKmsKey.class); + return ret; } catch (Exception e) { if (e instanceof UniformInterfaceException || i == providers.length - 1) { 
@@ -366,57 +411,66 @@ public String run() { } } } + return ret; } public VXKmsKey getKey(String provider, String name) throws Exception { String[] providers = null; + try { providers = getKMSURL(provider); } catch (Exception e) { logger.error("getKey({}, {}) failed", provider, name, e); } + boolean isKerberos = false; + try { isKerberos = checkKerberos(); } catch (Exception e1) { logger.error("checkKerberos({}) failed", provider, e1); } + if (providers != null) { for (int i = 0; i < providers.length; i++) { Client c = getClient(); String keyRest = KMS_KEY_METADATA_URI.replaceAll(Pattern.quote("${alias}"), name); String currentUserLoginId = StringUtil.getUTFEncodedString(ContextUtil.getCurrentUserLoginId()); String uri = providers[i] + (providers[i].endsWith("/") ? keyRest : ("/" + keyRest)); + if (!isKerberos) { uri = uri.concat("?user.name=" + currentUserLoginId); } else { uri = uri.concat("?doAs=" + currentUserLoginId); } + final WebResource r = c.resource(uri); + try { - String response = null; + String response; + if (!isKerberos) { response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class); } else { Subject sub = getSubjectForKerberos(provider); - response = Subject.doAs(sub, new PrivilegedAction() { - @Override - public String run() { - return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class); - } - }); + + response = Subject.doAs(sub, (PrivilegedAction) () -> r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class)); } + logger.debug("RESPONSE: [{}]", response); - VXKmsKey key = JsonUtils.jsonToObject(response, VXKmsKey.class); - return key; + + return JsonUtils.jsonToObject(response, VXKmsKey.class); } catch (Exception e) { if (e instanceof UniformInterfaceException || i == providers.length - 1) { throw e; + } else { + continue; } } } } + return null; } 
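Review bot: The added `} else { continue; }` in getKey's catch block is a no-op: the catch is the last statement of the loop body, so control already moves to the next provider without it. Dropping the else branch leaves `if (e instanceof UniformInterfaceException || i == providers.length - 1) { throw e; }`, which reads the same and is shorter; if the fall-through deserves a remark, a comment `// otherwise try the next provider` says it without a dead statement.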
@@ -425,31 +479,32 @@ public VXKmsKey getKeyFromUri(String provider, String name, boolean isKerberos, String keyRest = KMS_KEY_METADATA_URI.replaceAll(Pattern.quote("${alias}"), name); String currentUserLoginId = StringUtil.getUTFEncodedString(ContextUtil.getCurrentUserLoginId()); String uri = provider + (provider.endsWith("/") ? keyRest : ("/" + keyRest)); + if (!isKerberos) { uri = uri.concat("?user.name=" + currentUserLoginId); } else { uri = uri.concat("?doAs=" + currentUserLoginId); } - final WebResource r = c.resource(uri); - String response = null; + + final WebResource r = c.resource(uri); + String response; + if (!isKerberos) { response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class); } else { Subject sub = getSubjectForKerberos(repoName); - response = Subject.doAs(sub, new PrivilegedAction() { - @Override - public String run() { - return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class); - } - }); + + response = Subject.doAs(sub, (PrivilegedAction) () -> r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class)); } + logger.debug("RESPONSE: [{}]", response); - VXKmsKey key = JsonUtils.jsonToObject(response, VXKmsKey.class); - return key; + + return JsonUtils.jsonToObject(response, VXKmsKey.class); } public VXKmsKeyList getFilteredKeyList(HttpServletRequest request, VXKmsKeyList vXKmsKeyList) { List sortFields = new ArrayList<>(); + sortFields.add(new SortField(KeySearchFilter.KEY_NAME, KeySearchFilter.KEY_NAME)); KeySearchFilter filter = getKeySearchFilter(request, sortFields); 
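Review bot: The `?user.name=` / `?doAs=` selection in getKeyFromUri is the third verbatim copy of the same five-line `if (!isKerberos) { ... } else { ... }` block (the createKey and getKey hunks above carry the other two), and the reformatting only adds blank lines around each copy. One line per site says the same: `uri = uri.concat((isKerberos ? "?doAs=" : "?user.name=") + currentUserLoginId);`, or a private helper if the branches are expected to diverge. The `Subject.doAs` lambda is likewise repeated in all three methods. getKeyFromUri's signature is in the hunk header, so its start is outside the hunk.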
@@ -459,33 +514,40 @@ public VXKmsKeyList getFilteredKeyList(HttpServletRequest request, VXKmsKeyList if (pred != null) { CollectionUtils.filter(vXKmsKeyList.getVXKeys(), pred); } + return vXKmsKeyList; } private String[] getKMSURL(String name) throws Exception { - String[] providers = null; - RangerService rangerService = null; + String[] providers; + try { - rangerService = svcStore.getServiceByName(name); + RangerService rangerService = svcStore.getServiceByName(name); + if (rangerService != null) { String kmsUrl = rangerService.getConfigs().get(KMS_URL_CONFIG); String dbKmsUrl = kmsUrl; + if (providerList.containsKey(kmsUrl)) { kmsUrl = providerList.get(kmsUrl); } else { providerList.put(kmsUrl, kmsUrl); } + providers = createProvider(dbKmsUrl, kmsUrl); } else { throw new Exception("Service " + name + " not found"); } } catch (Exception excp) { logger.error("getServiceByName({}) failed", name, excp); + throw new Exception("getServiceByName(" + name + ") failed", excp); } + if (providers == null) { throw new Exception("Providers for service " + name + " not found"); } + return providers; } 
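Review bot: The new `throw new Exception("getServiceByName(" + name + ") failed", excp)` in getKMSURL's catch also wraps the `"Service " + name + " not found"` exception thrown inside the same try, so a missing service is now logged at ERROR and reported as a lookup failure instead of as not found; the original only logged and fell through to the `providers == null` check. Testing the lookup result outside the try keeps the two failure modes distinct: `if (rangerService == null) { throw new Exception("Service " + name + " not found"); }` after a try that only wraps `svcStore.getServiceByName(name)`. With the rethrow in place the later `if (providers == null)` branch can no longer trigger — as far as the visible createProvider shows, it returns a freshly allocated array — so it is dead and can go.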
@@ -493,62 +555,78 @@ private String[] createProvider(String dbKmsUrl, String uri) throws IOException, URI providerUri = new URI(uri); URL origUrl = new URL(extractKMSPath(providerUri).toString()); String authority = origUrl.getAuthority(); - //check for ';' which delimits the backup hosts + + // check for ';' which delimits the backup hosts if (StringUtils.isEmpty(authority)) { throw new IOException("No valid authority in kms uri [" + origUrl + "]"); } + // Check if port is present in authority // In the current scheme, all hosts have to run on the same port int port = -1; String hostsPart = authority; + if (authority.contains(":")) { String[] t = authority.split(":"); + try { port = Integer.parseInt(t[1]); } catch (Exception e) { throw new IOException("Could not parse port in kms uri [" + origUrl + "]"); } + hostsPart = t[0]; } + return createProvider(dbKmsUrl, providerUri, origUrl, port, hostsPart); } - private static Path extractKMSPath(URI uri) throws IOException { + private static Path extractKMSPath(URI uri) { return ProviderUtils.unnestUri(uri); } private String[] createProvider(String dbkmsUrl, URI providerUri, URL origUrl, int port, String hostsPart) throws IOException { String[] hosts = hostsPart.split(";"); String[] providers = new String[hosts.length]; + if (hosts.length == 1) { providers[0] = origUrl.toString(); } else { String providerNext = providerUri.getScheme() + "://" + origUrl.getProtocol() + "@"; + for (int i = nextProvider; i < hosts.length; i++) { providerNext = providerNext + hosts[i]; + if (i != (hosts.length - 1)) { providerNext = providerNext + ";"; } } + for (int i = 0; i < nextProvider && i < hosts.length; i++) { providerNext = providerNext + ";" + hosts[i]; } + if (nextProvider != hosts.length - 1) { nextProvider = nextProvider + 1; } else { nextProvider = 0; } + providerNext = providerNext + ":" + port + origUrl.getPath(); + providerList.put(dbkmsUrl, providerNext); + for (int i = 0; i < hosts.length; i++) { try { String url = 
origUrl.getProtocol() + "://" + hosts[i] + ":" + port + origUrl.getPath(); + providers[i] = new URI(url).toString(); } catch (URISyntaxException e) { throw new IOException("Could not Prase KMS URL..", e); } } } + return providers; } @@ -556,14 +634,18 @@ private Subject getSubjectForKerberos(String provider) throws Exception { String userName = getKMSUserName(provider); String password = getKMSPassword(provider); String nameRules = PropertiesUtil.getProperty(NAME_RULES); + if (StringUtils.isEmpty(nameRules)) { KerberosName.setRules("DEFAULT"); + nameRules = "DEFAULT"; } else { KerberosName.setRules(nameRules); } - Subject sub = new Subject(); + + Subject sub; String rangerPrincipal = SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL), PropertiesUtil.getProperty(HOST_NAME)); + if (checkKerberos()) { if (SecureClientLogin.isKerberosCredentialExists(rangerPrincipal, PropertiesUtil.getProperty(ADMIN_USER_KEYTAB))) { sub = SecureClientLogin.loginUserFromKeytab(rangerPrincipal, PropertiesUtil.getProperty(ADMIN_USER_KEYTAB), nameRules); @@ -573,6 +655,7 @@ private Subject getSubjectForKerberos(String provider) throws Exception { } else { sub = SecureClientLogin.login(userName); } + return sub; } 
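Review bot: The rotation of `nextProvider` in createProvider(String, URI, URL, int, String) is undocumented, and it reads and writes a field shared by every caller without synchronization, while `getClient()` in the same file is `synchronized`; if the rotation is meant to spread lookups across the `;`-separated hosts it should say so. A header comment such as `// Round-robin: rotate the ';'-separated host list starting at nextProvider so consecutive lookups prefer different KMS hosts; the rotated form is cached in providerList under the configured URL` would cover it, and `nextProvider`'s declaration (outside this hunk) is where to state its thread-safety expectation. While the method is being reformatted, the `"Could not Prase KMS URL.."` message on the untouched catch line has a typo worth fixing.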
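Review bot: `String password = getKMSPassword(provider);` in getSubjectForKerberos decrypts the stored KMS password on every call, including the keytab path that begins at the end of this hunk, which does not appear to use it; if the password-login branch in the lines between the two hunks (not visible here) is its only consumer, moving the call into that branch keeps the decrypted credential out of paths that never need it. `KerberosName.setRules(...)` also mutates process-wide state on each call, which deserves a comment such as `// KerberosName rules are JVM-global; every call re-applies them`. The method's middle section is outside these hunks.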
@@ -580,26 +663,26 @@ private String getKMSPassword(String srvName) throws Exception { XXService rangerService = rangerDaoManagerBase.getXXService().findByName(srvName); XXServiceConfigMap xxConfigMap = rangerDaoManagerBase.getXXServiceConfigMap().findByServiceAndConfigKey(rangerService.getId(), KMS_PASSWORD); String encryptedPwd = xxConfigMap.getConfigvalue(); - String pwd = PasswordUtils.decryptPassword(encryptedPwd); - return pwd; + + return PasswordUtils.decryptPassword(encryptedPwd); } private String getKMSUserName(String srvName) throws Exception { - RangerService rangerService = null; - rangerService = svcStore.getServiceByName(srvName); + RangerService rangerService = svcStore.getServiceByName(srvName); + return rangerService.getConfigs().get(KMS_USERNAME); } - private boolean checkKerberos() throws Exception { + private boolean checkKerberos() { return KERBEROS_TYPE.equalsIgnoreCase(PropertiesUtil.getProperty(RANGER_AUTH_TYPE, "simple")); } private synchronized Client getClient() { - Client ret = null; ClientConfig cc = new DefaultClientConfig(); + cc.getProperties().put(ClientConfig.PROPERTY_FOLLOW_REDIRECTS, true); - ret = Client.create(cc); - return ret; + + return Client.create(cc); } private Predicate getPredicate(KeySearchFilter filter) { @@ -611,9 +694,7 @@ private Predicate getPredicate(KeySearchFilter filter) { addPredicateForKeyName(filter.getParam(KeySearchFilter.KEY_NAME), predicates); - Predicate ret = CollectionUtils.isEmpty(predicates) ? null : PredicateUtils.allPredicate(predicates); - - return ret; + return CollectionUtils.isEmpty(predicates) ? null : PredicateUtils.allPredicate(predicates); } private Predicate addPredicateForKeyName(final String name, List predicates) { 
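Review bot: getKMSPassword dereferences `rangerService` and `xxConfigMap` straight from the DAO lookups, so a service without a `KMS_PASSWORD` entry surfaces as a NullPointerException rather than a message naming the service, and getKMSUserName has the same shape with `rangerService.getConfigs()`. If `findByName` and `findByServiceAndConfigKey` return null on a miss (inferred from the usage, not visible here), a guard such as `if (rangerService == null || xxConfigMap == null) { throw new Exception("KMS password not configured for service " + srvName); }` gives callers a usable error; both methods already declare `throws Exception`. `checkKerberos()` dropping its `throws Exception` is a good simplification.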
@@ -621,28 +702,26 @@ private Predicate addPredicateForKeyName(final String name, List pred return null; } - Predicate ret = new Predicate() { - @Override - public boolean evaluate(Object object) { - if (object == null) { - return false; - } + Predicate ret = object -> { + if (object == null) { + return false; + } - boolean ret = false; + boolean ret1 = false; - if (object instanceof VXKmsKey) { - VXKmsKey vXKmsKey = (VXKmsKey) object; - if (StringUtils.isEmpty(vXKmsKey.getName())) { - ret = true; - } else { - ret = vXKmsKey.getName().contains(name); - } + if (object instanceof VXKmsKey) { + VXKmsKey vXKmsKey = (VXKmsKey) object; + + if (StringUtils.isEmpty(vXKmsKey.getName())) { + ret1 = true; } else { - ret = true; + ret1 = vXKmsKey.getName().contains(name); } - - return ret; + } else { + ret1 = true; } + + return ret1; }; if (predicates != null) { 
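Review bot: The lambda in addPredicateForKeyName keeps the `ret1` name only to avoid shadowing the enclosing `ret`, which tells the reader nothing about what the flag means; the three cases (null → false, non-VXKmsKey → true, VXKmsKey → empty name or name contains the filter) read better as guard clauses without a flag: `if (object == null) { return false; }`, `if (!(object instanceof VXKmsKey)) { return true; }`, `String keyName = ((VXKmsKey) object).getName(); return StringUtils.isEmpty(keyName) || keyName.contains(name);`. The method's tail (`if (predicates != null)`) continues past the hunk.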
@@ -656,6 +735,7 @@ private KeySearchFilter getKeySearchFilter(HttpServletRequest request, List sortFields) { int startIndex = restErrorUtil.parseInt(request.getParameter(KeySearchFilter.START_INDEX), 0, "Invalid value for parameter startIndex", MessageEnums.INVALID_INPUT_DATA, null, KeySearchFilter.START_INDEX); + ret.setStartIndex(startIndex); int pageSize = restErrorUtil.parseInt(request.getParameter(KeySearchFilter.PAGE_SIZE), configUtil.getDefaultMaxRows(), "Invalid value for parameter pageSize", MessageEnums.INVALID_INPUT_DATA, null, KeySearchFilter.PAGE_SIZE); + ret.setMaxRows(pageSize); ret.setGetCount(restErrorUtil.parseBoolean(request.getParameter("getCount"), true)); + String sortBy = restErrorUtil.validateString(request.getParameter(KeySearchFilter.SORT_BY), StringUtil.VALIDATION_ALPHA, "Invalid value for parameter sortBy", MessageEnums.INVALID_INPUT_DATA, null, KeySearchFilter.SORT_BY); boolean sortSet = false; + if (!StringUtils.isEmpty(sortBy)) { for (SortField sortField : sortFields) { if (sortField.getParamName().equalsIgnoreCase(sortBy)) { ret.setSortBy(sortField.getParamName()); + String sortType = restErrorUtil.validateString(request.getParameter("sortType"), StringUtil.VALIDATION_ALPHA, "Invalid value for parameter sortType", MessageEnums.INVALID_INPUT_DATA, null, "sortType"); + ret.setSortType(sortType); + sortSet = true; + break; } } @@ -696,6 +786,7 @@ private KeySearchFilter extractCommonCriteriasForFilter(HttpServletRequest reque if (ret.getParams() == null) { ret.setParams(new HashMap<>()); } + return ret; } } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java index 3b00f1d1d4..4ed8ef9105 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 
@@ -70,22 +70,30 @@ @Component public class PolicyRefUpdater { private static final Logger LOG = LoggerFactory.getLogger(PolicyRefUpdater.class); + @Autowired - RangerDaoManager daoMgr; + RangerDaoManager daoMgr; + @Autowired - RangerAuditFields rangerAuditFields; + RangerAuditFields rangerAuditFields; + @Autowired - XUserMgr xUserMgr; + XUserMgr xUserMgr; + @Autowired - RoleDBStore roleStore; + RoleDBStore roleStore; + @Autowired - RangerBizUtil rangerBizUtil; + RangerBizUtil rangerBizUtil; + @Autowired - XGroupService xGroupService; + XGroupService xGroupService; + @Autowired RangerTransactionSynchronizationAdapter rangerTransactionSynchronizationAdapter; + @Autowired - RESTErrorUtil restErrorUtil; + RESTErrorUtil restErrorUtil; public static List> getAllPolicyItems(RangerPolicy policy) { List> ret = new ArrayList<>(); @@ -134,6 +142,7 @@ public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy boolean oldBulkMode = RangerBizUtil.isBulkMode(); List rangerPolicyConditions = policy.getConditions(); + if (CollectionUtils.isNotEmpty(rangerPolicyConditions)) { for (RangerPolicy.RangerPolicyItemCondition condition : rangerPolicyConditions) { conditionTypes.add(condition.getType()); @@ -171,6 +180,7 @@ public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy } List xPolResources = new ArrayList<>(); + for (String resource : resourceNames) { XXResourceDef xResDef = daoMgr.getXXResourceDef().findByNameAndPolicyId(resource, policy.getId()); 
@@ -186,32 +196,40 @@ public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy xPolResources.add(xPolRes); } + daoMgr.getXXPolicyRefResource().batchCreate(xPolResources); if (createPrincipalsIfAbsent && !rangerBizUtil.checkAdminAccess()) { - LOG.warn("policy={} createPrincipalIfAbsent=true, but current user does not have admin privileges!", policy.getName()); + LOG.warn("policy={}: createPrincipalIfAbsent=true, but current user does not have admin privileges!", policy.getName()); createPrincipalsIfAbsent = false; } List xPolRoles = new ArrayList<>(); + for (String role : roleNames) { if (StringUtils.isBlank(role)) { continue; } - PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PrincipalType.ROLE, role, xPolicy); + + PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.ROLE, role, xPolicy); + if (!associator.doAssociate(false)) { if (createPrincipalsIfAbsent) { rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator); } else { VXResponse gjResponse = new VXResponse(); + gjResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST); gjResponse.setMsgDesc("Operation denied. Role name: " + role + " specified in policy does not exist in ranger admin."); + throw restErrorUtil.generateRESTException(gjResponse); } } } + RangerBizUtil.setBulkMode(oldBulkMode); + daoMgr.getXXPolicyRefRole().batchCreate(xPolRoles); for (String group : groupNames) { 
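Review bot: Renaming the enum from `PrincipalType` to `PRINCIPAL_TYPE` goes against Java type-naming convention (UPPER_SNAKE_CASE is for constants, UpperCamelCase for types) and, since the enum is declared `public` in the `@@ -330,16` hunk further down, it is a source-incompatible rename for any caller outside this file; the same substitution is repeated in the `@@ -219,14` and `@@ -236,14` hunks. Keeping `PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PrincipalType.ROLE, role, xPolicy);` is the smaller change. Separately, `RangerBizUtil.setBulkMode(oldBulkMode)` after the role loop is not in a `finally`, so the REST exception thrown inside the loop leaves bulk mode in whatever state the earlier (unseen) lines set; that predates this change but is worth a follow-up. createNewPolMappingForRefTable starts before this hunk.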
@@ -219,14 +237,17 @@ public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy continue; } - PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PrincipalType.GROUP, group, xPolicy); + PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.GROUP, group, xPolicy); + if (!associator.doAssociate(false)) { if (createPrincipalsIfAbsent) { rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator); } else { VXResponse gjResponse = new VXResponse(); + gjResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST); gjResponse.setMsgDesc("Operation denied. Group name: " + group + " specified in policy does not exist in ranger admin."); + throw restErrorUtil.generateRESTException(gjResponse); } } @@ -236,14 +257,18 @@ public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy if (StringUtils.isBlank(user)) { continue; } - PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PrincipalType.USER, user, xPolicy); + + PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.USER, user, xPolicy); + if (!associator.doAssociate(false)) { if (createPrincipalsIfAbsent) { rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator); } else { VXResponse gjResponse = new VXResponse(); + gjResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST); gjResponse.setMsgDesc("Operation denied. User name: " + user + " specified in policy does not exist in ranger admin."); + throw restErrorUtil.generateRESTException(gjResponse); } } 
@@ -269,9 +294,11 @@ public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy xPolAccesses.add(xPolAccess); } + daoMgr.getXXPolicyRefAccessType().batchCreate(xPolAccesses); List xPolConds = new ArrayList<>(); + for (String condition : conditionTypes) { XXPolicyConditionDef xPolCondDef = daoMgr.getXXPolicyConditionDef().findByServiceDefIdAndName(xServiceDef.getId(), condition); @@ -291,9 +318,11 @@ public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy xPolConds.add(xPolCond); } + daoMgr.getXXPolicyRefCondition().batchCreate(xPolConds); List xxDataMaskInfos = new ArrayList<>(); + for (String dataMaskType : dataMaskTypes) { XXDataMaskTypeDef dataMaskDef = daoMgr.getXXDataMaskTypeDef().findByNameAndServiceId(dataMaskType, xPolicy.getService()); @@ -309,6 +338,7 @@ public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy xxDataMaskInfos.add(xxDataMaskInfo); } + daoMgr.getXXPolicyRefDataMaskType().batchCreate(xxDataMaskInfos); } @@ -330,16 +360,14 @@ public Boolean cleanupRefTables(RangerPolicy policy) { return true; } - public enum PrincipalType { - USER, GROUP, ROLE - } + public enum PRINCIPAL_TYPE { USER, GROUP, ROLE } private class PolicyPrincipalAssociator implements Runnable { - final PrincipalType type; - final String name; - final XXPolicy xPolicy; + final PRINCIPAL_TYPE type; + final String name; + final XXPolicy xPolicy; - public PolicyPrincipalAssociator(PrincipalType type, String name, XXPolicy xPolicy) { + public PolicyPrincipalAssociator(PRINCIPAL_TYPE type, String name, XXPolicy xPolicy) { this.type = type; this.name = name; this.xPolicy = xPolicy; 
@@ -356,18 +384,22 @@ public void run() { boolean doAssociate(boolean isAdmin) { LOG.debug("===> PolicyPrincipalAssociator.doAssociate({})", isAdmin); + final boolean ret; Long id = createOrGetPrincipal(isAdmin); + if (id != null) { // associate with policy createPolicyAssociation(id, name); + ret = true; } else { ret = false; } - LOG.debug("<=== PolicyPrincipalAssociator.doAssociate({}) : ", isAdmin, ret); + LOG.debug("<=== PolicyPrincipalAssociator.doAssociate({}) : {}", isAdmin, ret); + return ret; } @@ -379,6 +411,7 @@ private Long createOrGetPrincipal(final boolean createIfAbsent) { switch (type) { case USER: { XXUser xUser = daoMgr.getXXUser().findByUserName(name); + if (xUser != null) { ret = xUser.getId(); } else { @@ -402,6 +435,7 @@ private Long createOrGetPrincipal(final boolean createIfAbsent) { break; case ROLE: { XXRole xRole = daoMgr.getXXRole().findByRoleName(name); + if (xRole != null) { ret = xRole.getId(); } else { @@ -415,7 +449,9 @@ private Long createOrGetPrincipal(final boolean createIfAbsent) { default: break; } + LOG.debug("<=== PolicyPrincipalAssociator.createOrGetPrincipal({}) : {}", createIfAbsent, ret); + return ret; } @@ -446,10 +482,13 @@ private Long createPrincipal(String user) { case GROUP: { // Create group VXGroup vxGroup = new VXGroup(); + vxGroup.setName(name); vxGroup.setDescription(name); vxGroup.setGroupSource(RangerCommonEnums.GROUP_EXTERNAL); + VXGroup vXGroup = xGroupService.createXGroupWithOutLogin(vxGroup); + if (vXGroup != null) { xGroupService.createTransactionLog(vXGroup, null, OPERATION_CREATE_CONTEXT, xPolicy.getAddedByUserId()); @@ -461,6 +500,7 @@ private Long createPrincipal(String user) { try { RangerRole rRole = new RangerRole(name, null, null, null, null); RangerRole createdRole = roleStore.createRole(rRole, false); + ret = createdRole.getId(); } catch (Exception e) { // Ignore 
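Review bot: In doAssociate the `final boolean ret` is set in both arms of an `if` whose condition is exactly the value being recorded, so `final boolean ret = id != null; if (ret) { createPolicyAssociation(id, name); }` says the same in two lines (the `// associate with policy` comment can stay). The parameter is named `isAdmin` here but is passed to `createOrGetPrincipal(final boolean createIfAbsent)`, where it controls creation rather than privilege; renaming it `createIfAbsent` at the signature, inside this hunk's method but outside the changed lines, would stop the two names disagreeing. The `// Ignore` catch in the ROLE branch of createPrincipal, on context lines in the last hunk of this group, drops the cause of a failed `roleStore.createRole`; a `LOG.debug("createRole({}) failed", name, e);` there would keep it.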
@@ -470,12 +510,15 @@ private Long createPrincipal(String user) { default: break; } - LOG.debug("<=== PolicyPrincipalAssociator.createPrincipal(type={}, name={}) :{} ", type.name(), name, ret); + + LOG.debug("<=== PolicyPrincipalAssociator.createPrincipal(type={}, name={}) : {}", type.name(), name, ret); + return ret; } private void createPolicyAssociation(Long id, String name) { LOG.debug("===> PolicyPrincipalAssociator.createPolicyAssociation(policyId={}, type={}, name={}, id={})", xPolicy.getId(), type.name(), name, id); + switch (type) { case USER: { XXPolicyRefUser xPolUser = rangerAuditFields.populateAuditFields(new XXPolicyRefUser(), xPolicy); @@ -483,6 +526,7 @@ private void createPolicyAssociation(Long id, String name) { xPolUser.setPolicyId(xPolicy.getId()); xPolUser.setUserId(id); xPolUser.setUserName(name); + daoMgr.getXXPolicyRefUser().create(xPolUser); } break; @@ -492,6 +536,7 @@ private void createPolicyAssociation(Long id, String name) { xPolGroup.setPolicyId(xPolicy.getId()); xPolGroup.setGroupId(id); xPolGroup.setGroupName(name); + daoMgr.getXXPolicyRefGroup().create(xPolGroup); } break; @@ -501,12 +546,14 @@ private void createPolicyAssociation(Long id, String name) { xPolRole.setPolicyId(xPolicy.getId()); xPolRole.setRoleId(id); xPolRole.setRoleName(name); + daoMgr.getXXPolicyRefRole().create(xPolRole); } break; default: break; } + LOG.debug("<=== PolicyPrincipalAssociator.createPolicyAssociation(policyId={}, type={}, name={}, id={})", xPolicy.getId(), type.name(), name, id); } } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java index 1d6c5c1ce6..f697d9ce5b 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 
@@ -75,13 +75,14 @@ import java.util.Collection; import java.util.Collections; import java.util.HashSet; -import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.Set; @Component public class RangerBizUtil { + private static final Logger logger = LoggerFactory.getLogger(RangerBizUtil.class); + public static final String AUDIT_STORE_RDBMS = "DB"; public static final String AUDIT_STORE_SOLR = "solr"; public static final String AUDIT_STORE_ELASTIC_SEARCH = "elasticSearch"; 
@@ -89,32 +90,42 @@ public class RangerBizUtil { public static final boolean BATCH_CLEAR_ENABLED = PropertiesUtil.getBooleanProperty("ranger.jpa.jdbc.batch-clear.enable", true); public static final int POLICY_BATCH_SIZE = PropertiesUtil.getIntProperty("ranger.jpa.jdbc.batch-clear.size", 10); public static final int BATCH_PERSIST_SIZE = PropertiesUtil.getIntProperty("ranger.jpa.jdbc.batch-persist.size", 500); - private static final Logger logger = LoggerFactory.getLogger(RangerBizUtil.class); - private static final String PATH_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrst0123456789-_."; - private static final char[] PATH_CHAR_SET = PATH_CHARS.toCharArray(); - private static final int PATH_CHAR_SET_LEN = PATH_CHAR_SET.length; - static String fileSeparator = PropertiesUtil.getProperty("ranger.file.separator", "/"); - private final boolean allowUnauthenticatedAccessInSecureEnvironment; - private final boolean allowUnauthenticatedDownloadAccessInSecureEnvironment; - private final Class[] groupEditableClassesList = {}; - private final int maxFirstNameLength; - private final SecureRandom random; + + private static final String PATH_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrst0123456789-_."; + + static String fileSeparator = PropertiesUtil.getProperty("ranger.file.separator", "/"); + + private static final char[] PATH_CHAR_SET = PATH_CHARS.toCharArray(); + private static final int PATH_CHAR_SET_LEN = PATH_CHAR_SET.length; + @Autowired - RESTErrorUtil restErrorUtil; + RESTErrorUtil restErrorUtil; + @Autowired RangerDaoManager daoManager; + @Autowired - StringUtil stringUtil; + StringUtil stringUtil; + @Autowired - UserMgr userMgr; + UserMgr userMgr; + @Autowired - XUserService xUserService; + XUserService xUserService; + @Autowired - GUIDUtil guidUtil; + GUIDUtil guidUtil; + + private final boolean allowUnauthenticatedAccessInSecureEnvironment; + private final boolean allowUnauthenticatedDownloadAccessInSecureEnvironment; + private final Class[] 
groupEditableClassesList = {}; + private final int maxFirstNameLength; + private final SecureRandom random; + Set> groupEditableClasses; int maxDisplayNameLength = 150; boolean enableResourceAccessControl; - String auditDBType = AUDIT_STORE_RDBMS; + String auditDBType = AUDIT_STORE_RDBMS; public RangerBizUtil() { RangerAdminConfig config = RangerAdminConfig.getInstance(); @@ -129,8 +140,10 @@ public RangerBizUtil() { enableResourceAccessControl = PropertiesUtil.getBooleanProperty("ranger.resource.accessControl.enabled", true); auditDBType = PropertiesUtil.getProperty("ranger.audit.source.type", auditDBType).toLowerCase(); + logger.info("java.library.path is {}", System.getProperty("java.library.path")); logger.info("Audit datasource is {}", auditDBType); + random = new SecureRandom(); } @@ -148,11 +161,16 @@ public static boolean areAllEqual(int checkValue, int... otherValues) { return false; } } + return true; } public static int getDBFlavor() { - String[] propertyNames = {"xa.db.flavor", "ranger.jpa.jdbc.dialect", "ranger.jpa.jdbc.url", "ranger.jpa.jdbc.driver"}; + String[] propertyNames = {"xa.db.flavor", + "ranger.jpa.jdbc.dialect", + "ranger.jpa.jdbc.url", + "ranger.jpa.jdbc.driver" + }; for (String propertyName : propertyNames) { String propertyValue = PropertiesUtil.getProperty(propertyName); @@ -176,7 +194,7 @@ public static int getDBFlavor() { } else if (StringUtils.containsIgnoreCase(propertyValue, "sqla")) { return AppConstants.DB_FLAVOR_SQLANYWHERE; } else { - logger.debug("DB Flavor could not be determined from property - {} = {}", propertyName, propertyValue); + logger.debug("DB Flavor could not be determined from property - {}={}", propertyName, propertyValue); } } 
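Review bot: `static String fileSeparator` is moved into the run of `private static final` constants in this hunk but stays non-final and package-visible, although it is the delimiter the authorization matchers later in this file split resource paths on (`stringUtil.split(resourceName, fileSeparator)` in matchHbasePolicy and matchHivePolicy) — a mutable global feeding a permission decision. Unless something assigns it elsewhere (nothing in this diff does), `private static final String FILE_SEPARATOR = PropertiesUtil.getProperty("ranger.file.separator", "/");` fits the constants it now sits among. The class body continues past this hunk.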
@@ -248,9 +266,11 @@ public static boolean setBulkMode(boolean val) { // Access control methods public void checkSystemAdminAccess() { UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession(); + if (currentUserSession != null && currentUserSession.isUserAdmin()) { return; } + throw restErrorUtil.create403RESTException("Only System Administrators can add accounts"); } @@ -265,12 +285,15 @@ public String generatePublicName(VXPortalUser userProfile, XXPortalUser gjUser) public String generatePublicName(String firstName, String lastName) { String publicName = null; String fName = firstName; + if (firstName.length() > maxFirstNameLength) { fName = firstName.substring(0, maxFirstNameLength - (1 + 3)) + "..."; } - if (lastName != null && lastName.length() > 0) { + + if (lastName != null && !lastName.isEmpty()) { publicName = fName + " " + lastName.charAt(0) + "."; } + return publicName; } @@ -280,9 +303,12 @@ public VXStringList mapStringListToVStringList(List stringList) { } List vStringList = new ArrayList<>(); + for (String str : stringList) { VXString vXString = new VXString(); + vXString.setValue(str); + vStringList.add(vXString); } @@ -298,21 +324,26 @@ public VXStringList mapStringListToVStringList(List stringList) { */ public VXResponse hasPermission(VXResource vXResource, int permission) { VXResponse vXResponse = new VXResponse(); + if (!enableResourceAccessControl) { logger.debug("Resource Access Control is disabled !!!"); + return vXResponse; } if (vXResource == null) { vXResponse.setStatusCode(VXResponse.STATUS_ERROR); vXResponse.setMsgDesc("Please provide valid policy."); + return vXResponse; } String resourceNames = vXResource.getName(); + if (stringUtil.isEmpty(resourceNames)) { vXResponse.setStatusCode(VXResponse.STATUS_ERROR); vXResponse.setMsgDesc("Please provide valid policy."); + return vXResponse; } 
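Review bot: generatePublicName(String, String) returns `null` whenever `lastName` is null or empty — `publicName` is only assigned inside that branch — and throws if `firstName` is null or `maxFirstNameLength` is below 4 (`substring(0, maxFirstNameLength - (1 + 3))`), none of which is documented, and the hunk touches exactly those lines. A Javadoc along the lines of `/** Builds "First L." from the two names, truncating first names longer than maxFirstNameLength; returns null when lastName is null or empty. */` would tell callers what to expect. The `!lastName.isEmpty()` rewrite itself is fine.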
@@ -332,78 +363,107 @@ public VXResponse hasPermission(VXResource vXResource, int permission) { if (assetType == AppConstants.ASSET_HIVE) { String[] requestResNameList = resourceNames.split(","); + if (stringUtil.isEmpty(vXResource.getUdfs())) { int reqTableType = vXResource.getTableType(); int reqColumnType = vXResource.getColumnType(); + for (String resourceName : requestResNameList) { boolean matchFound = matchHivePolicy(resourceName, xResourceList, xUserId, permission, reqTableType, reqColumnType, false); + if (!matchFound) { - vXResponse.setMsgDesc("You're not permitted to perform " + "the action for resource path : " + resourceName); + vXResponse.setMsgDesc("You're not permitted to perform the action for resource path : " + resourceName); vXResponse.setStatusCode(VXResponse.STATUS_ERROR); + return vXResponse; } } } else { for (String resourceName : requestResNameList) { boolean matchFound = matchHivePolicy(resourceName, xResourceList, xUserId, permission); + if (!matchFound) { - vXResponse.setMsgDesc("You're not permitted to perform " + "the action for resource path : " + resourceName); + vXResponse.setMsgDesc("You're not permitted to perform the action for resource path : " + resourceName); vXResponse.setStatusCode(VXResponse.STATUS_ERROR); + return vXResponse; } } } + vXResponse.setStatusCode(VXResponse.STATUS_SUCCESS); + return vXResponse; } else if (assetType == AppConstants.ASSET_HBASE) { String[] requestResNameList = resourceNames.split(","); + for (String resourceName : requestResNameList) { boolean matchFound = matchHbasePolicy(resourceName, xResourceList, vXResponse, xUserId, permission); + if (!matchFound) { vXResponse.setMsgDesc("You're not permitted to perform the action for resource path : " + resourceName); vXResponse.setStatusCode(VXResponse.STATUS_ERROR); + return vXResponse; } } + vXResponse.setStatusCode(VXResponse.STATUS_SUCCESS); + return vXResponse; } else if (assetType == AppConstants.ASSET_HDFS) { String[] requestResNameList = 
resourceNames.split(","); + for (String resourceName : requestResNameList) { boolean matchFound = matchHdfsPolicy(resourceName, xResourceList, xUserId, permission); + if (!matchFound) { - vXResponse.setMsgDesc("You're not permitted to perform " + "the action for resource path : " + resourceName); + vXResponse.setMsgDesc("You're not permitted to perform the action for resource path : " + resourceName); vXResponse.setStatusCode(VXResponse.STATUS_ERROR); + return vXResponse; } } + vXResponse.setStatusCode(VXResponse.STATUS_SUCCESS); + return vXResponse; } else if (assetType == AppConstants.ASSET_KNOX) { String[] requestResNameList = resourceNames.split(","); + for (String resourceName : requestResNameList) { boolean matchFound = matchKnoxPolicy(resourceName, xResourceList, xUserId, permission); + if (!matchFound) { - vXResponse.setMsgDesc("You're not permitted to perform " + "the action for resource path : " + resourceName); + vXResponse.setMsgDesc("You're not permitted to perform the action for resource path : " + resourceName); vXResponse.setStatusCode(VXResponse.STATUS_ERROR); + return vXResponse; } } + vXResponse.setStatusCode(VXResponse.STATUS_SUCCESS); + return vXResponse; } else if (assetType == AppConstants.ASSET_STORM) { String[] requestResNameList = resourceNames.split(","); + for (String resourceName : requestResNameList) { boolean matchFound = matchStormPolicy(resourceName, xResourceList, xUserId, permission); + if (!matchFound) { - vXResponse.setMsgDesc("You're not permitted to perform " + "the action for resource path : " + resourceName); + vXResponse.setMsgDesc("You're not permitted to perform the action for resource path : " + resourceName); vXResponse.setStatusCode(VXResponse.STATUS_ERROR); + return vXResponse; } } + vXResponse.setStatusCode(VXResponse.STATUS_SUCCESS); + return vXResponse; } + return vXResponse; } 
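Review bot: The five asset-type branches in hasPermission differ only in which `match*Policy` overload is called; the split on `,`, the loop, the denial message, the STATUS_ERROR/STATUS_SUCCESS handling and the returns are repeated verbatim, and this hunk grows each copy by the same blank lines and `return` lines. Choosing the matcher first and running one loop means a future fix to the denial path — an authorization decision — is applied once rather than five times. The rewrite below assumes `xResourceList` and `xUserId`, declared above this hunk, are effectively final so the lambdas can capture them; hasPermission begins in the previous hunk.
```java
// … unchanged: resource lookup, xUserId and assetType determination …
String[] requestResNameList = resourceNames.split(",");
java.util.function.Predicate<String> matcher;

if (assetType == AppConstants.ASSET_HIVE && stringUtil.isEmpty(vXResource.getUdfs())) {
    int reqTableType  = vXResource.getTableType();
    int reqColumnType = vXResource.getColumnType();

    matcher = res -> matchHivePolicy(res, xResourceList, xUserId, permission, reqTableType, reqColumnType, false);
} else if (assetType == AppConstants.ASSET_HIVE) {
    matcher = res -> matchHivePolicy(res, xResourceList, xUserId, permission);
} else if (assetType == AppConstants.ASSET_HBASE) {
    matcher = res -> matchHbasePolicy(res, xResourceList, vXResponse, xUserId, permission);
} else if (assetType == AppConstants.ASSET_HDFS) {
    matcher = res -> matchHdfsPolicy(res, xResourceList, xUserId, permission);
} else if (assetType == AppConstants.ASSET_KNOX) {
    matcher = res -> matchKnoxPolicy(res, xResourceList, xUserId, permission);
} else if (assetType == AppConstants.ASSET_STORM) {
    matcher = res -> matchStormPolicy(res, xResourceList, xUserId, permission);
} else {
    return vXResponse; // unknown asset type: unchanged response, as before
}

// one denial path for every asset type
for (String resourceName : requestResNameList) {
    if (!matcher.test(resourceName)) {
        vXResponse.setMsgDesc("You're not permitted to perform the action for resource path : " + resourceName);
        vXResponse.setStatusCode(VXResponse.STATUS_ERROR);

        return vXResponse;
    }
}

vXResponse.setStatusCode(VXResponse.STATUS_SUCCESS);

return vXResponse;
```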
@@ -414,8 +474,10 @@ public VXResponse hasPermission(VXResource vXResource, int permission) { */ public boolean isAdmin() { UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession(); + if (currentUserSession == null) { logger.debug("Unable to find session."); + return false; } @@ -424,10 +486,13 @@ public boolean isAdmin() { public boolean isAuditAdmin() { UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession(); + if (currentUserSession == null) { logger.debug("Unable to find session."); + return false; } + return currentUserSession.isAuditUserAdmin(); } @@ -437,8 +502,7 @@ public boolean isAuditAdmin() { * @return */ public String getCurrentUserLoginId() { - String ret = null; - + String ret = null; UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession(); if (currentUserSession != null) { @@ -455,20 +519,26 @@ public String getCurrentUserLoginId() { */ public Long getXUserId() { UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession(); + if (currentUserSession == null) { logger.debug("Unable to find session."); + return null; } XXPortalUser user = daoManager.getXXPortalUser().getById(currentUserSession.getUserId()); + if (user == null) { logger.debug("XXPortalUser not found with logged in user id : {}", currentUserSession.getUserId()); + return null; } XXUser xUser = daoManager.getXXUser().findByUserName(user.getLoginId()); + if (xUser == null) { logger.debug("XXPortalUser not found for user id :{} with name {}", user.getId(), user.getFirstName()); + return null; } @@ -478,6 +548,7 @@ public Long getXUserId() { public void failUnauthenticatedIfNotAllowed() throws Exception { if (UserGroupInformation.isSecurityEnabled()) { UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession(); + if (currentUserSession == null && !allowUnauthenticatedAccessInSecureEnvironment) { throw new Exception("Unauthenticated access not allowed"); } 
@@ -487,6 +558,7 @@ public void failUnauthenticatedIfNotAllowed() throws Exception { public void failUnauthenticatedDownloadIfNotAllowed() throws Exception { if (UserGroupInformation.isSecurityEnabled()) { UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession(); + if (currentUserSession == null && !allowUnauthenticatedDownloadAccessInSecureEnvironment) { throw new Exception("Unauthenticated access not allowed"); } @@ -510,8 +582,10 @@ public boolean matchHbasePolicy(String resourceName, List xResourceL } String[] splittedResources = stringUtil.split(resourceName, fileSeparator); + if (splittedResources.length < 1 || splittedResources.length > 3) { logger.debug("Invalid resourceName name : {}", resourceName); + return false; } 
@@ -520,24 +594,24 @@ public boolean matchHbasePolicy(String resourceName, List xResourceL String colName = splittedResources.length > 2 ? splittedResources[2] : StringUtil.WILDCARD_ASTERISK; boolean policyMatched = false; - // check all resources whether Hbase policy is enabled in any resource - // of provided resource list + + // check all resources whether Hbase policy is enabled in any resource of provided resource list for (XXResource xResource : xResourceList) { if (xResource.getResourceStatus() != AppConstants.STATUS_ENABLED) { continue; } + Long resourceId = xResource.getId(); boolean hasPermission = checkUsrPermForPolicy(xUserId, permission, resourceId); - // if permission is enabled then load Tables,column family and - // columns list from resource + + // if permission is enabled then load Tables,column family and columns list from resource if (!hasPermission) { continue; } // 1. does the policy match the table? - String[] xTables = stringUtil.isEmpty(xResource.getTables()) ? null : stringUtil.split(xResource.getTables(), ","); - - boolean matchFound = (xTables == null || xTables.length == 0) || matchPath(tblName, xTables); + String[] xTables = stringUtil.isEmpty(xResource.getTables()) ? null : stringUtil.split(xResource.getTables(), ","); + boolean matchFound = (xTables == null || xTables.length == 0) || matchPath(tblName, xTables); if (matchFound) { // 2. does the policy match the column? @@ -558,6 +632,7 @@ public boolean matchHbasePolicy(String resourceName, List xResourceL break; } } + return policyMatched; } @@ -583,8 +658,10 @@ public boolean matchHivePolicy(String resourceName, List xResourceLi } String[] splittedResources = stringUtil.split(resourceName, fileSeparator); // get list of resources + if (splittedResources.length < 1 || splittedResources.length > 3) { logger.debug("Invalid resource name : {}", resourceName); + return false; } 
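Review bot: The table match in matchHbasePolicy treats a policy with no tables as matching every table (`matchFound = (xTables == null || xTables.length == 0) || matchPath(tblName, xTables)`), and the comment "// 1. does the policy match the table?" does not say so; the same holds for the database check in matchHivePolicy in the `@@ -607,8` hunk. Since this widens what a policy grants, the intent should be stated next to the expression, e.g. `// an empty table list in the policy is treated as a wildcard and matches any table`. If the empty list is not meant to be a wildcard, this is the line to change rather than the comment. The enclosing methods start and end outside these hunks.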
@@ -593,6 +670,7 @@ public boolean matchHivePolicy(String resourceName, List xResourceLi String colName = splittedResources.length > 2 ? splittedResources[2] : StringUtil.WILDCARD_ASTERISK; boolean policyMatched = false; + for (XXResource xResource : xResourceList) { if (xResource.getResourceStatus() != RangerCommonEnums.STATUS_ENABLED) { continue; @@ -607,8 +685,7 @@ public boolean matchHivePolicy(String resourceName, List xResourceLi // 1. does the policy match the database? String[] xDatabases = stringUtil.isEmpty(xResource.getDatabases()) ? null : stringUtil.split(xResource.getDatabases(), ","); - - boolean matchFound = (xDatabases == null || xDatabases.length == 0) || matchPath(dbName, xDatabases); + boolean matchFound = (xDatabases == null || xDatabases.length == 0) || matchPath(dbName, xDatabases); if (!matchFound) { continue; @@ -661,6 +738,7 @@ public boolean matchHivePolicy(String resourceName, List xResourceLi } } } + return policyMatched; } @@ -677,12 +755,16 @@ public String replaceMetaChars(String path) { if (path.contains("*")) { String replacement = getRandomString(5, 60); + path = path.replaceAll("\\*", replacement); } + if (path.contains("?")) { String replacement = getRandomString(1, 1); + path = path.replaceAll("\\?", replacement); } + return path; } @@ -705,6 +787,7 @@ public boolean isGroupInList(Long groupId, List xGroupList) { return true; } } + return false; } @@ -721,17 +804,22 @@ public boolean isRecursiveWildCardMatch(String pathToCheck, String wildcardPath) if (wildcardPath != null && wildcardPath.equals(fileSeparator)) { return true; } + StringBuilder sb = new StringBuilder(); + for (String p : pathToCheck.split(fileSeparator)) { sb.append(p); + boolean matchFound = FilenameUtils.wildcardMatch(sb.toString(), wildcardPath); + if (matchFound) { return true; } + sb.append(fileSeparator); } - sb = null; } + return false; } 
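Review bot: replaceMetaChars uses `replaceAll` to substitute a literal character, so `replacement` is parsed as a regex replacement string where `$` and `\` have special meaning; whether that can occur depends on PATH_CHAR_SET, which is not visible here. Using the literal form removes the dependency entirely: `path = path.replace("*", replacement);` and `path = path.replace("?", replacement);`. A short comment above the method stating why the metacharacters are replaced with random text (so the requested path is compared against policy wildcards rather than interpreted as one) would also help the next reader.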
@@ -749,6 +837,7 @@ public List getResorceTypeParentHirearchy(int resourceType, int assetTy resourceTypeList.add(AppConstants.RESOURCE_PATH); } else if (assetType == AppConstants.ASSET_HIVE) { resourceTypeList.add(AppConstants.RESOURCE_DB); + if (resourceType == AppConstants.RESOURCE_TABLE) { resourceTypeList.add(AppConstants.RESOURCE_TABLE); } else if (resourceType == AppConstants.RESOURCE_UDF) { @@ -759,6 +848,7 @@ public List getResorceTypeParentHirearchy(int resourceType, int assetTy } } else if (assetType == AppConstants.ASSET_HBASE) { resourceTypeList.add(AppConstants.RESOURCE_TABLE); + if (resourceType == AppConstants.RESOURCE_COL_FAM) { resourceTypeList.add(AppConstants.RESOURCE_COL_FAM); } else if (resourceType == AppConstants.RESOURCE_COLUMN) { @@ -780,12 +870,15 @@ public List getResorceTypeParentHirearchy(int resourceType, int assetTy */ public boolean comparePathsForExactMatch(String path1, String path2) { String pathSeparator = fileSeparator; + if (!path1.endsWith(pathSeparator)) { path1 = path1.concat(pathSeparator); } + if (!path2.endsWith(pathSeparator)) { path2 = path2.concat(pathSeparator); } + return path1.equalsIgnoreCase(path2); } @@ -807,20 +900,24 @@ public boolean nonRecursiveWildCardMatch(String pathToCheck, String wildcardPath if (pathToCheckArray.size() == wildcardPathArray.size()) { boolean match = false; + for (int index = 0; index < pathToCheckArray.size(); index++) { match = matchPath(pathToCheckArray.get(index), wildcardPathArray.get(index)); + if (!match) { return match; } } + return match; } } + return false; } public void createTrxLog(List trxLogList) { - if (trxLogList == null || trxLogList.size() == 0) { + if (trxLogList == null || trxLogList.isEmpty()) { return; } 
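Review bot: comparePathsForExactMatch is named "exact" but compares with `equalsIgnoreCase`, so a policy resource `/Data` would satisfy an "exact" match for `/data`; matchHdfsPolicy relies on this method when deciding whether a permission applies. Whether HDFS paths are meant to be case-insensitive here is not visible in the hunk, so if this is deliberate it should be documented, e.g. `// paths are compared case-insensitively and with a normalised trailing separator`, and if not, `return path1.equals(path2);` is the fix. The hunk is otherwise only blank-line reformatting.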
@@ -868,8 +965,10 @@ public void setAuditDBType(String auditDBType) { */ public boolean isKeyAdmin() { UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession(); + if (currentUserSession == null) { logger.debug("Unable to find session."); + return false; } @@ -878,10 +977,12 @@ public boolean isKeyAdmin() { public boolean isAuditKeyAdmin() { UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession(); + if (currentUserSession == null) { logger.debug("Unable to find session."); return false; } + return (currentUserSession.isAuditKeyAdmin()); } @@ -893,6 +994,7 @@ public boolean isAuditKeyAdmin() { */ public Boolean hasAccess(XXDBBase xxDbBase, RangerBaseModelObject baseModel) { UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session == null) { logger.info("User session not found, granting access."); return true; @@ -904,17 +1006,18 @@ public Boolean hasAccess(XXDBBase xxDbBase, RangerBaseModelObject baseModel) { boolean isAuditorKeyAdmin = session.isAuditKeyAdmin(); boolean isUser = session.getUserRoleList().contains(RangerConstants.ROLE_USER); - if (xxDbBase != null && xxDbBase instanceof XXServiceDef) { + if (xxDbBase instanceof XXServiceDef) { return hasAccessToXXServiceDef((XXServiceDef) xxDbBase, isKeyAdmin, isSysAdmin, isAuditor, isAuditorKeyAdmin, isUser); } - if (xxDbBase != null && xxDbBase instanceof XXService) { + if (xxDbBase instanceof XXService) { return hasAccessToXXService((XXService) xxDbBase, isKeyAdmin, isSysAdmin, isAuditor, isAuditorKeyAdmin, isUser); } - if (baseModel != null && baseModel instanceof RangerServiceHeaderInfo) { + if (baseModel instanceof RangerServiceHeaderInfo) { return hasAccessToRangerServiceHeaderInfo((RangerServiceHeaderInfo) baseModel, isKeyAdmin, isSysAdmin, isAuditor, isAuditorKeyAdmin, isUser); } + return false; } 
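Review bot: hasAccess returns `true` when no user session exists ("User session not found, granting access."), which is a fail-open default in an authorization helper and the opposite of what isAdmin, isKeyAdmin and hasModuleAccess do on a missing session. The reason is presumably that non-request callers (internal jobs) have no session, but that is not stated; a comment such as `// no session means an internal (non-REST) caller; REST callers are authenticated earlier, so access is granted here` should be added at the `session == null` branch, and the log level reconsidered since this will fire for every internal call. The method also returns boxed `Boolean` while every branch yields a primitive; `boolean` would avoid the possibility of a null return being introduced later.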
@@ -932,6 +1035,7 @@ public void hasAdminPermissions(String objType) { public void hasKMSPermissions(String objType, String implClassName) { UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session == null) { throw restErrorUtil.createRESTException("UserSession cannot be null, only KeyAdmin can create/update/delete " + objType, MessageEnums.OPER_NO_PERMISSION); } 
@@ -951,24 +1055,34 @@ public void hasKMSPermissions(String objType, String implClassName) { public boolean checkUserAccessible(VXUser vXUser) { boolean isAccessible = true; Collection roleList = userMgr.getRolesByLoginId(vXUser.getName()); + if (isKeyAdmin()) { - if (vXUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN) || vXUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) || roleList.contains(RangerConstants.ROLE_SYS_ADMIN) || roleList.contains(RangerConstants.ROLE_ADMIN_AUDITOR)) { + if (vXUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN) + || vXUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) + || roleList.contains(RangerConstants.ROLE_SYS_ADMIN) + || roleList.contains(RangerConstants.ROLE_ADMIN_AUDITOR)) { isAccessible = false; } } if (isAdmin()) { - if (vXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN) || vXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) || roleList.contains(RangerConstants.ROLE_KEY_ADMIN) || roleList.contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) { + if (vXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN) + || vXUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) + || roleList.contains(RangerConstants.ROLE_KEY_ADMIN) + || roleList.contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) { isAccessible = false; } } + if (!isAccessible) { throw restErrorUtil.createRESTException("Logged in user is not allowed to create/update user", MessageEnums.OPER_NO_PERMISSION); } + return isAccessible; } public boolean isSSOEnabled() { UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { return session.isSSOEnabled() == null ? PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false) : session.isSSOEnabled(); } else { 
@@ -980,20 +1094,22 @@ public boolean isUserAllowed(RangerService rangerService, String cfgNameAllowedU Map map = rangerService.getConfigs(); String user = null; UserSessionBase userSession = ContextUtil.getCurrentUserSession(); + if (userSession != null) { user = userSession.getLoginId(); } + if (map != null && map.containsKey(cfgNameAllowedUsers)) { String userNames = map.get(cfgNameAllowedUsers); String[] userList = userNames.split(","); - if (userList != null) { - for (String u : userList) { - if ("*".equals(u) || (u.equalsIgnoreCase(user))) { - return true; - } + + for (String u : userList) { + if ("*".equals(u) || (u.equalsIgnoreCase(user))) { + return true; } } } + return false; } @@ -1003,13 +1119,17 @@ public boolean isUserAllowedForGrantRevoke(RangerService rangerService, String u public boolean isUserRangerAdmin(String username) { boolean isAdmin = false; + try { VXUser vxUser = xUserService.getXUserByUserName(username); + if (vxUser != null && (vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN) || vxUser.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN))) { isAdmin = true; } } catch (Exception ex) { + // ignored } + return isAdmin; } @@ -1029,14 +1149,14 @@ public boolean isUserInConfigParameter(RangerService rangerService, String confi if (map != null && map.containsKey(configParamName)) { String userNames = map.get(configParamName); String[] userList = userNames.split(","); - if (userList != null) { - for (String u : userList) { - if ("*".equals(u) || (u.equalsIgnoreCase(userName))) { - return true; - } + + for (String u : userList) { + if ("*".equals(u) || (u.equalsIgnoreCase(userName))) { + return true; } } } + return false; } 
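Review bot: The new `// ignored` comment in isUserRangerAdmin documents that the exception is dropped but not why, and a failed user lookup (DB error, service unavailable) becomes indistinguishable from "not an admin". Failing closed is the right outcome, but the cause should at least be visible at debug level: `logger.debug("Failed to look up user {} while checking admin role", username, ex);`. In isUserAllowed and isUserInConfigParameter the entries from `userNames.split(",")` are compared without trimming, so a config value of `a, b` will not match user `b`; if that is unintended, `u.trim()` before the comparison fixes both.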
@@ -1062,41 +1182,44 @@ public boolean isAnyGroupInConfigParameter(RangerService rangerService, String c public void blockAuditorRoleUser() { UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { if (session.isAuditKeyAdmin() || session.isAuditUserAdmin()) { VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_FORBIDDEN); - vXResponse.setMsgDesc("Operation" + " denied. LoggedInUser=" + session.getXXPortalUser().getId() + " ,isn't permitted to perform the action."); + vXResponse.setMsgDesc("Operation denied. LoggedInUser=" + session.getXXPortalUser().getId() + " ,isn't permitted to perform the action."); + throw restErrorUtil.generateRESTException(vXResponse); } } else { VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); // user is null vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); } } public boolean hasModuleAccess(String moduleName) { UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession(); + if (currentUserSession == null) { return false; } + if (!currentUserSession.isUserAdmin() && !currentUserSession.isAuditUserAdmin()) { return currentUserSession.getRangerUserPermission().getUserPermissions().contains(moduleName); } + return true; } public void removeEmptyStrings(List list) { if (!CollectionUtils.isEmpty(list)) { - Iterator i = list.iterator(); - while (i.hasNext()) { - String item = i.next(); - if (item == null || StringUtils.isEmpty(StringUtils.trim(item))) { - i.remove(); - } - } + list.removeIf(StringUtils::isBlank); + trimAll(list); } } @@ -1105,6 +1228,7 @@ public void trimAll(List list) { if (!CollectionUtils.isEmpty(list)) { for (int i = 0; i < list.size(); i++) { String item = list.get(i); + if (item.startsWith(" ") || item.endsWith(" ")) { list.set(i, StringUtils.trim(item)); } 
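Review bot: removeEmptyStrings now also calls `trimAll(list)`, so it modifies the surviving entries, which the removed iterator-based version did not do; callers that relied on the list keeping its original values will see a change. If trimming is intended, the method's Javadoc should say `Removes null or blank entries and trims the remaining ones in place`; otherwise drop the `trimAll(list)` line. Note that `StringUtils::isBlank` correctly handles null elements, so the null check from the old loop is preserved.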
@@ -1123,6 +1247,7 @@ public boolean getCreatePrincipalsIfAbsent() { public void bulkModeOnlyFlushAndClear() { if (BATCH_CLEAR_ENABLED) { XXDBBaseDao xXDBBaseDao = daoManager.getXXDBBase(); + if (xXDBBaseDao != null) { xXDBBaseDao.flush(); xXDBBaseDao.clear(); @@ -1132,12 +1257,15 @@ public void bulkModeOnlyFlushAndClear() { public boolean checkAdminAccess() { UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession(); + if (currentUserSession != null) { return currentUserSession.isUserAdmin(); } else { VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); // user is null vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); } } @@ -1161,18 +1289,24 @@ public boolean isGdsService(XXDBBase xxdbBase) { */ private boolean matchHdfsPolicy(String resourceName, List xResourceList, Long xUserId, int permission) { boolean matchFound = false; + resourceName = replaceMetaChars(resourceName); for (XXResource xResource : xResourceList) { if (xResource.getResourceStatus() != RangerCommonEnums.STATUS_ENABLED) { continue; } + Long resourceId = xResource.getId(); + matchFound = checkUsrPermForPolicy(xUserId, permission, resourceId); + if (matchFound) { matchFound = false; + String resource = xResource.getName(); String[] dbResourceNameList = resource.split(","); + for (String dbResourceName : dbResourceNameList) { if (comparePathsForExactMatch(resourceName, dbResourceName)) { matchFound = true; @@ -1183,15 +1317,18 @@ private boolean matchHdfsPolicy(String resourceName, List xResourceL matchFound = nonRecursiveWildCardMatch(resourceName, dbResourceName); } } + if (matchFound) { break; } } + if (matchFound) { break; } } } + return matchFound; } 
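Review bot: matchHdfsPolicy reassigns its parameter (`resourceName = replaceMetaChars(resourceName);`) and then reuses the single `matchFound` flag for two different meanings — first the result of checkUsrPermForPolicy, then the path match — which makes the nested loop hard to follow. Introducing `String effectiveName = replaceMetaChars(resourceName);` and a separate `boolean hasPermission = checkUsrPermForPolicy(xUserId, permission, resourceId);` would keep each flag single-purpose without changing behaviour. The method body continues outside the `@@ -1161,18` hunk.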
@@ -1208,22 +1345,25 @@ private boolean matchHdfsPolicy(String resourceName, List xResourceL private boolean matchKnoxPolicy(String resourceName, List xResourceList, Long xUserId, int permission) { String[] splittedResources = stringUtil.split(resourceName, fileSeparator); int numberOfResources = splittedResources.length; + if (numberOfResources < 1 || numberOfResources > 3) { logger.debug("Invalid policy name : {}", resourceName); + return false; } boolean policyMatched = false; - // check all resources whether Knox policy is enabled in any resource - // of provided resource list + + // check all resources whether Knox policy is enabled in any resource of provided resource list for (XXResource xResource : xResourceList) { if (xResource.getResourceStatus() != RangerCommonEnums.STATUS_ENABLED) { continue; } + Long resourceId = xResource.getId(); boolean hasPermission = checkUsrPermForPolicy(xUserId, permission, resourceId); - // if permission is enabled then load Topologies,services list from - // resource + + // if permission is enabled then load Topologies,services list from resource if (hasPermission) { String[] xTopologies = (xResource.getTopologies() == null || "".equalsIgnoreCase(xResource.getTopologies())) ? null : stringUtil.split(xResource.getTopologies(), ","); String[] xServices = (xResource.getServices() == null || "".equalsIgnoreCase(xResource.getServices())) ? null : stringUtil.split(xResource.getServices(), ","); @@ -1232,6 +1372,7 @@ private boolean matchKnoxPolicy(String resourceName, List xResourceL for (int index = 0; index < numberOfResources; index++) { matchFound = false; + // check whether given table resource matches with any // existing topology resource if (index == 0) { 
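Review bot: matchKnoxPolicy tests emptiness with `(xResource.getTopologies() == null || "".equalsIgnoreCase(xResource.getTopologies())) ? null : ...`, while matchHbasePolicy and matchHivePolicy in the same file use `stringUtil.isEmpty(...)` for the identical check; matchStormPolicy in the next hunk repeats the Knox form. Using `stringUtil.isEmpty(xResource.getTopologies()) ? null : stringUtil.split(xResource.getTopologies(), ",")` (and likewise for services) keeps the four matchers consistent and, if `isEmpty` also handles whitespace-only values, closes a small gap between them. The debug message "Invalid policy name : {}" prints a resource name, not a policy name; "Invalid resource name" matches the sibling methods.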
@@ -1243,12 +1384,11 @@ private boolean matchKnoxPolicy(String resourceName, List xResourceL } } } + if (!matchFound) { break; } - } // check whether given service resource matches with - // any existing service resource - else if (index == 1) { + } else if (index == 1) { // check whether given service resource matches with any existing service resource if (xServices != null) { for (String xService : xServices) { if (matchPath(splittedResources[index], xService)) { @@ -1257,17 +1397,20 @@ else if (index == 1) { } } } + if (!matchFound) { break; } } } + if (matchFound) { policyMatched = true; break; } } } + return policyMatched; } @@ -1284,29 +1427,34 @@ else if (index == 1) { private boolean matchStormPolicy(String resourceName, List xResourceList, Long xUserId, int permission) { String[] splittedResources = stringUtil.split(resourceName, fileSeparator); int numberOfResources = splittedResources.length; + if (numberOfResources < 1 || numberOfResources > 3) { logger.debug("Invalid policy name : {}", resourceName); + return false; } boolean policyMatched = false; + // check all resources whether Knox policy is enabled in any resource // of provided resource list for (XXResource xResource : xResourceList) { if (xResource.getResourceStatus() != RangerCommonEnums.STATUS_ENABLED) { continue; } + Long resourceId = xResource.getId(); boolean hasPermission = checkUsrPermForPolicy(xUserId, permission, resourceId); + // if permission is enabled then load Topologies,services list from // resource if (hasPermission) { String[] xTopologies = (xResource.getTopologies() == null || "".equalsIgnoreCase(xResource.getTopologies())) ? null : stringUtil.split(xResource.getTopologies(), ","); - - boolean matchFound = false; + boolean matchFound = false; for (int index = 0; index < numberOfResources; index++) { matchFound = false; + // check whether given table resource matches with any // existing topology resource if (index == 0 && xTopologies != null) { 
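Review bot: The comment block in matchStormPolicy still reads "check all resources whether Knox policy is enabled in any resource of provided resource list", a copy-paste from matchKnoxPolicy; the commit reflowed the same comment in the Knox method but left this one both unreflowed and wrong. Suggest `// check all resources whether Storm policy is enabled in any resource of provided resource list` and `// if permission is enabled then load Topologies list from resource` (this method only loads topologies). The trailing comment "check whether given service resource matches with any existing service resource" sits after the loop body with no matching code and should be removed.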
@@ -1319,12 +1467,14 @@ private boolean matchStormPolicy(String resourceName, List xResource } // check whether given service resource matches with // any existing service resource } + if (matchFound) { policyMatched = true; break; } } } + return policyMatched; } @@ -1338,10 +1488,13 @@ private boolean matchStormPolicy(String resourceName, List xResource private String getRandomString(int minLen, int maxLen) { StringBuilder sb = new StringBuilder(); int len = getRandomInt(minLen, maxLen); + for (int i = 0; i < len; i++) { int charIdx = random.nextInt(PATH_CHAR_SET_LEN); + sb.append(PATH_CHAR_SET[charIdx]); } + return sb.toString(); } @@ -1358,9 +1511,11 @@ private int getRandomInt(int min, int max) { } else { int interval = max - min; int randomNum = random.nextInt(); + if (randomNum < 0) { randomNum = Math.abs(randomNum); } + return ((randomNum % interval) + min); } } @@ -1380,6 +1535,7 @@ private boolean checkUsrPermForPolicy(Long xUserId, int permission, Long resourc List permMapList = daoManager.getXXPermMap().findByResourceId(resourceId); Long publicGroupId = getPublicGroupId(); boolean matchFound = false; + for (XXPermMap permMap : permMapList) { if (permMap.getPermType() == permission) { if (permMap.getPermFor() == AppConstants.XA_PERM_FOR_GROUP) { @@ -1391,10 +1547,12 @@ private boolean checkUsrPermForPolicy(Long xUserId, int permission, Long resourc matchFound = permMap.getUserId().equals(xUserId); } } + if (matchFound) { break; } } + return matchFound; } @@ -1442,6 +1600,7 @@ private boolean matchPath(String pathToCheck, String[] wildCardPaths) { private Boolean hasAccessToXXServiceDef(XXServiceDef xxDbBase, boolean isKeyAdmin, boolean isSysAdmin, boolean isAuditor, boolean isAuditorKeyAdmin, boolean isUser) { XXServiceDef xServiceDef = xxDbBase; final String implClass = xServiceDef.getImplclassname(); + if (EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(implClass)) { // KMS case return isKeyAdmin || isAuditorKeyAdmin; 
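Review bot: getRandomInt can return a value below `min`: `random.nextInt()` may yield `Integer.MIN_VALUE`, for which `Math.abs` is still negative, so `(randomNum % interval) + min` goes negative and the caller getRandomString ends up with a negative length (its loop then produces an empty string). The bounded overload avoids the sign handling altogether: `return min + random.nextInt(interval);` replacing the three lines from `int randomNum` through the return. The method starts outside the hunk, so I cannot see how `interval == 0` is excluded; the `if` branch above presumably handles `min == max`, which is what `getRandomString(1, 1)` relies on.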
@@ -1461,6 +1620,7 @@ private Boolean hasAccessToXXService(XXService xxDbBase, boolean isKeyAdmin, boo XXService xService = xxDbBase; XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType()); String implClass = xServiceDef.getImplclassname(); + if (EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(implClass)) { // KMS case return isKeyAdmin || isAuditorKeyAdmin; diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java index 5b631766cd..3bd5fb5537 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java @@ -121,11 +121,10 @@ final RangerPolicyAdmin getServicePoliciesAdmin(String serviceName, ServiceStore private RangerPolicyAdminWrapper addOrUpdatePolicyAdmin(RangerPolicyAdminWrapper policyAdminWrapper, ServicePolicies policies, RangerRoles roles, RangerPolicyEngineOptions options) { final RangerPolicyAdminWrapper ret; - RangerPolicyAdmin policyAdmin = null; - boolean isPolicyEngineShared = false; - - RangerPolicyAdminImpl oldPolicyAdmin = policyAdminWrapper == null ? null : (RangerPolicyAdminImpl) policyAdminWrapper.getPolicyAdmin(); - Boolean hasPolicyDeltas = RangerPolicyDeltaUtil.hasPolicyDeltas(policies); + RangerPolicyAdmin policyAdmin = null; + boolean isPolicyEngineShared = false; + RangerPolicyAdminImpl oldPolicyAdmin = policyAdminWrapper == null ? null : (RangerPolicyAdminImpl) policyAdminWrapper.getPolicyAdmin(); + Boolean hasPolicyDeltas = RangerPolicyDeltaUtil.hasPolicyDeltas(policies); if (hasPolicyDeltas != null) { if (hasPolicyDeltas.equals(Boolean.TRUE)) { @@ -134,6 +133,7 @@ private RangerPolicyAdminWrapper addOrUpdatePolicyAdmin(RangerPolicyAdminWrapper try { policyAdminWrapper.getLock().lockInterruptibly(); + isLocked = true; } catch (Exception e) { // Ignore 
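Review bot: In RangerPolicyAdminCache.addOrUpdatePolicyAdmin the `catch (Exception e) { // Ignore }` around `policyAdminWrapper.getLock().lockInterruptibly()` swallows `InterruptedException` without restoring the interrupt flag, so a thread that was interrupted while waiting for the lock silently continues into the unlocked fallback path and later blocking calls no longer see the interruption. Narrow the catch and re-interrupt: `} catch (InterruptedException e) { Thread.currentThread().interrupt(); LOG.debug("Interrupted while waiting for policy-admin lock", e); }`. The method continues into the next hunk, where `isLocked` is consumed.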
@@ -142,8 +142,10 @@ private RangerPolicyAdminWrapper addOrUpdatePolicyAdmin(RangerPolicyAdminWrapper if (isLocked) { try { policyAdmin = RangerPolicyAdminImpl.getPolicyAdmin(oldPolicyAdmin, policies); + if (policyAdmin != null) { policyAdmin.setRoles(roles); + isPolicyEngineShared = true; } } finally { @@ -157,21 +159,28 @@ private RangerPolicyAdminWrapper addOrUpdatePolicyAdmin(RangerPolicyAdminWrapper if (policies.getPolicies() == null) { policies.setPolicies(new ArrayList<>()); } + policyAdmin = addPolicyAdmin(policies, roles, options); } } else { LOG.warn("Provided policies do not require policy change !! [{}]. Keeping old policy-engine!", policies); + policyAdmin = oldPolicyAdmin; } if (policyAdmin != null) { - if (oldPolicyAdmin == null) { - LOG.debug("Adding policy-engine to cache with serviceName:[{}] as key", policies.getServiceName()); - } else { - LOG.debug("Replacing policy-engine in cache with serviceName:[{}] as key", policies.getServiceName()); + if (LOG.isDebugEnabled()) { + if (oldPolicyAdmin == null) { + LOG.debug("Adding policy-engine to cache with serviceName:[{}] as key", policies.getServiceName()); + } else { + LOG.debug("Replacing policy-engine in cache with serviceName:[{}] as key", policies.getServiceName()); + } } + ret = new RangerPolicyAdminWrapper(policyAdmin); + policyAdminCache.put(policies.getServiceName(), ret); + if (oldPolicyAdmin != null && oldPolicyAdmin != policyAdmin) { oldPolicyAdmin.releaseResources(!isPolicyEngineShared); } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java index 1e7a5f069d..95ed16dad5 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
@@ -66,18 +66,19 @@ public class RangerPolicyAdminImpl implements RangerPolicyAdmin { private static final Logger LOG = LoggerFactory.getLogger(RangerPolicyAdminImpl.class); private static final Logger PERF_POLICYENGINE_REQUEST_LOG = RangerPerfTracer.getPerfLogger("policyengine.request"); - private static final Map wildcardEvalContext = new HashMap() { + private static final Map wildcardEvalContext = new HashMap() { @Override public Object get(Object key) { return RangerAbstractResourceMatcher.WILDCARD_ASTERISK; } }; - private final PolicyEngine policyEngine; - private final RangerAccessRequestProcessor requestProcessor; - private ServiceDBStore serviceDBStore; + + private final PolicyEngine policyEngine; + private final RangerAccessRequestProcessor requestProcessor; + private ServiceDBStore serviceDBStore; RangerPolicyAdminImpl(ServicePolicies servicePolicies, RangerPluginContext pluginContext, RangerRoles roles) { - this.policyEngine = new PolicyEngine(servicePolicies, pluginContext, roles, ServiceDBStore.supportsInPlacePolicyUpdates); + this.policyEngine = new PolicyEngine(servicePolicies, pluginContext, roles, ServiceDBStore.SUPPORTS_IN_PLACE_POLICY_UPDATES); this.requestProcessor = new RangerDefaultRequestProcessor(policyEngine); } 
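Review bot: `wildcardEvalContext` is an anonymous HashMap subclass that overrides only `get` to return the wildcard, so `containsKey`, `isEmpty`, `size` and iteration still describe an empty map, and any consumer that checks `containsKey` before `get` will not see the wildcard. That asymmetry is easy to trip over and deserves a comment on the field, e.g. `// only get() is overridden: every key resolves to the wildcard, but containsKey()/size()/iteration behave as an empty map`. If consumers do use the other Map methods, a small named class that overrides them consistently would be safer than the anonymous subclass.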
@@ -116,25 +117,30 @@ public boolean isDelegatedAdminAccessAllowed(RangerAccessResource resource, Stri } try (RangerReadWriteLock.RangerLock readLock = policyEngine.getReadLock()) { - if (readLock.isLockingEnabled()) { - LOG.debug("Acquired lock - {}", readLock); + if (LOG.isDebugEnabled()) { + if (readLock.isLockingEnabled()) { + LOG.debug("Acquired lock - {}", readLock); + } } final RangerPolicyRepository matchedRepository = policyEngine.getRepositoryForZone(zoneName); if (matchedRepository != null) { - Set roles = getRolesFromUserAndGroups(user, userGroups); - Set requestedAccesses = new HashSet<>(accessTypes); + Set roles = getRolesFromUserAndGroups(user, userGroups); + Set requestedAccesses = new HashSet<>(accessTypes); + RangerAccessRequestImpl request = new RangerAccessRequestImpl(); - RangerAccessRequestImpl request = new RangerAccessRequestImpl(); request.setResource(resource); for (RangerPolicyEvaluator evaluator : matchedRepository.getLikelyMatchPolicyEvaluators(request, RangerPolicy.POLICY_TYPE_ACCESS)) { Set allowedAccesses = evaluator.getAllowedAccesses(resource, user, userGroups, roles, requestedAccesses); + if (CollectionUtils.isNotEmpty(allowedAccesses)) { requestedAccesses.removeAll(allowedAccesses); + if (CollectionUtils.isEmpty(requestedAccesses)) { LOG.debug("Access granted by policy:[{}]", evaluator.getPolicy()); + ret = true; break; } @@ -142,6 +148,7 @@ public boolean isDelegatedAdminAccessAllowed(RangerAccessResource resource, Stri } } } + RangerPerfTracer.log(perf); LOG.debug("<== RangerPolicyAdminImpl.isDelegatedAdminAccessAllowed({}, {}, {}, {}, {}): {}", resource, zoneName, user, userGroups, accessTypes, ret); 
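Review bot: The new nested guard `if (LOG.isDebugEnabled()) { if (readLock.isLockingEnabled()) { LOG.debug(...) } }` is repeated in this hunk and in every lock-acquiring method of RangerPolicyAdminImpl in the following hunks (getExactMatchPolicies, getMatchingPolicies, getPolicyVersion, getRoleVersion, setRoles, getServiceName, getServiceDef, getRolesFromUserAndGroups, getZoneNamesForResource, getUniquelyMatchedZoneName). With a parameterized SLF4J call the outer check buys nothing, and the two conditions collapse to one line: `if (readLock.isLockingEnabled()) { LOG.debug("Acquired lock - {}", readLock); }`, or `if (LOG.isDebugEnabled() && readLock.isLockingEnabled())` if the guard is kept deliberately. Factoring it into a private `logLockAcquired(RangerLock lock)` helper would remove the duplication across all ten sites.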
@@ -166,8 +173,10 @@ public List getExactMatchPolicies(RangerAccessResource resource, S List ret = null; try (RangerReadWriteLock.RangerLock readLock = policyEngine.getReadLock()) { - if (readLock.isLockingEnabled()) { - LOG.debug("Acquired lock - {}", readLock); + if (LOG.isDebugEnabled()) { + if (readLock.isLockingEnabled()) { + LOG.debug("Acquired lock - {}", readLock); + } } RangerPolicyRepository policyRepository = policyEngine.getRepositoryForZone(zoneName); @@ -197,8 +206,10 @@ public List getExactMatchPolicies(RangerPolicy policy, Map ret = null; try (RangerReadWriteLock.RangerLock readLock = policyEngine.getReadLock()) { - if (readLock.isLockingEnabled()) { - LOG.debug("Acquired lock - {}", readLock); + if (LOG.isDebugEnabled()) { + if (readLock.isLockingEnabled()) { + LOG.debug("Acquired lock - {}", readLock); + } } RangerPolicyRepository policyRepository = policyEngine.getRepositoryForMatchedZone(policy); @@ -224,12 +235,16 @@ public List getExactMatchPolicies(RangerPolicy policy, Map getMatchingPolicies(RangerAccessResource resource) { LOG.debug("==> RangerPolicyAdminImpl.getMatchingPolicies({})", resource); + List ret; try (RangerReadWriteLock.RangerLock readLock = policyEngine.getReadLock()) { - if (readLock.isLockingEnabled()) { - LOG.debug("Acquired lock - {}", readLock); + if (LOG.isDebugEnabled()) { + if (readLock.isLockingEnabled()) { + LOG.debug("Acquired lock - {}", readLock); + } } + ret = getMatchingPolicies(resource, RangerPolicyEngine.ANY_ACCESS); } 
@@ -243,32 +258,44 @@ public long getPolicyVersion() { long ret; try (RangerReadWriteLock.RangerLock readLock = policyEngine.getReadLock()) { - if (readLock.isLockingEnabled()) { - LOG.debug("Acquired lock - {}", readLock); + if (LOG.isDebugEnabled()) { + if (readLock.isLockingEnabled()) { + LOG.debug("Acquired lock - {}", readLock); + } } + ret = policyEngine.getPolicyVersion(); } + return ret; } @Override public long getRoleVersion() { long ret; + try (RangerReadWriteLock.RangerLock readLock = policyEngine.getReadLock()) { - if (readLock.isLockingEnabled()) { - LOG.debug("Acquired lock - {}", readLock); + if (LOG.isDebugEnabled()) { + if (readLock.isLockingEnabled()) { + LOG.debug("Acquired lock - {}", readLock); + } } + ret = policyEngine.getRoleVersion(); } + return ret; } @Override public void setRoles(RangerRoles roles) { try (RangerReadWriteLock.RangerLock writeLock = policyEngine.getWriteLock()) { - if (writeLock.isLockingEnabled()) { - LOG.debug("Acquired lock - {}", writeLock); + if (LOG.isDebugEnabled()) { + if (writeLock.isLockingEnabled()) { + LOG.debug("Acquired lock - {}", writeLock); + } } + policyEngine.setRoles(roles); } } 
@@ -278,35 +305,49 @@ public String getServiceName() { String ret; try (RangerReadWriteLock.RangerLock readLock = policyEngine.getReadLock()) { - if (readLock.isLockingEnabled()) { - LOG.debug("Acquired lock - {}", readLock); + if (LOG.isDebugEnabled()) { + if (readLock.isLockingEnabled()) { + LOG.debug("Acquired lock - {}", readLock); + } } + ret = policyEngine.getServiceName(); } + return ret; } @Override public RangerServiceDef getServiceDef() { RangerServiceDef ret; + try (RangerReadWriteLock.RangerLock readLock = policyEngine.getReadLock()) { - if (readLock.isLockingEnabled()) { - LOG.debug("Acquired lock - {}", readLock); + if (LOG.isDebugEnabled()) { + if (readLock.isLockingEnabled()) { + LOG.debug("Acquired lock - {}", readLock); + } } + ret = policyEngine.getServiceDef(); } + return ret; } @Override public Set getRolesFromUserAndGroups(String user, Set groups) { Set ret; + try (RangerReadWriteLock.RangerLock readLock = policyEngine.getReadLock()) { - if (readLock.isLockingEnabled()) { - LOG.debug("Acquired lock - {}", readLock); + if (LOG.isDebugEnabled()) { + if (readLock.isLockingEnabled()) { + LOG.debug("Acquired lock - {}", readLock); + } } + ret = policyEngine.getPluginContext().getAuthContext().getRolesForUserAndGroups(user, groups); } + return ret; } @@ -314,11 +355,13 @@ public Set getRolesFromUserAndGroups(String user, Set groups) { public Collection getZoneNamesForResource(Map resource) { LOG.debug("==> RangerPolicyAdminImpl.getSecurityZonesForResource({})", resource); - Collection ret = null; + Collection ret; try (RangerReadWriteLock.RangerLock readLock = policyEngine.getReadLock()) { - if (readLock.isLockingEnabled()) { - LOG.debug("Acquired lock - {}", readLock); + if (LOG.isDebugEnabled()) { + if (readLock.isLockingEnabled()) { + LOG.debug("Acquired lock - {}", readLock); + } } ret = policyEngine.getMatchedZonesForResourceAndChildren(resource); 
@@ -332,12 +375,16 @@ public Collection getZoneNamesForResource(Map resource) { @Override public String getUniquelyMatchedZoneName(GrantRevokeRequest grantRevokeRequest) { LOG.debug("==> RangerPolicyAdminImpl.getUniquelyMatchedZoneName({})", grantRevokeRequest); + String ret; try (RangerReadWriteLock.RangerLock readLock = policyEngine.getReadLock()) { - if (readLock.isLockingEnabled()) { - LOG.debug("Acquired lock - {}", readLock); + if (LOG.isDebugEnabled()) { + if (readLock.isLockingEnabled()) { + LOG.debug("Acquired lock - {}", readLock); + } } + ret = policyEngine.getUniquelyMatchedZoneName(grantRevokeRequest.getResource()); } @@ -363,13 +410,14 @@ public boolean isAccessAllowedByUnzonedPolicies(Map getAllowedUnzonedPolicies(String user, Set use // TODO: run through evaluator in tagPolicyRepository as well for (RangerPolicyEvaluator evaluator : policyEngine.getPolicyRepository().getPolicyEvaluators()) { - RangerPolicy policy = evaluator.getPolicy(); - - boolean isAccessAllowed = isAccessAllowedByUnzonedPolicies(policy.getResources(), policy.getAdditionalResources(), user, userGroups, accessType); + RangerPolicy policy = evaluator.getPolicy(); + boolean isAccessAllowed = isAccessAllowedByUnzonedPolicies(policy.getResources(), policy.getAdditionalResources(), user, userGroups, accessType); if (isAccessAllowed) { ret.add(policy); } } - LOG.debug("<== RangerPolicyAdminImpl.getAllowedByUnzonedPolicies({}, {}, {}): policyCount={} ", user, userGroups, accessType, ret.size()); + LOG.debug("<== RangerPolicyAdminImpl.getAllowedByUnzonedPolicies({}, {}, {}): policyCount={}", user, userGroups, accessType, ret.size()); return ret; } 
@@ -405,7 +452,7 @@ public void setServiceStore(ServiceStore svcStore) { } boolean isDelegatedAdminAccessAllowed(RangerPolicy policy, String user, Set userGroups, Set roles, boolean isRead, Map evalContext) { - LOG.debug("==> RangerPolicyAdminImpl.isDelegatedAdminAccessAllowed({}, {}, {}, {}, {})", policy.getId(), user, userGroups, roles, isRead, evalContext); + LOG.debug("==> RangerPolicyAdminImpl.isDelegatedAdminAccessAllowed({}, {}, {}, {}, {}, {})", policy.getId(), user, userGroups, roles, isRead, evalContext); boolean ret = false; RangerPerfTracer perf = null; @@ -415,8 +462,10 @@ boolean isDelegatedAdminAccessAllowed(RangerPolicy policy, String user, Set accessTypes = getAllAccessTypes(policy, getServiceDef()); + ret = isDelegatedAdminAccessAllowedForPolicy(matchedRepository, policy, user, userGroups, roles, accessTypes, true, evalContext); } else { // Get old policy from policy-engine RangerPolicy oldPolicy = null; + if (policy.getId() != null) { try { oldPolicy = serviceDBStore.getPolicy(policy.getId()); 
@@ -442,19 +493,24 @@ boolean isDelegatedAdminAccessAllowed(RangerPolicy policy, String user, Set modifiedAccessTypes = getAllModifiedAccessTypes(oldPolicy, policy, getServiceDef()); + ret = isDelegatedAdminAccessAllowedForPolicy(matchedRepository, policy, user, userGroups, roles, modifiedAccessTypes, false, evalContext); } else { Set removedAccessTypes = getAllAccessTypes(oldPolicy, getServiceDef()); // Ensure that current policy-engine (without current policy) allows old-policy to be modified final boolean isOldPolicyChangeAllowed = isDelegatedAdminAccessAllowedForPolicy(matchedRepository, oldPolicy, user, userGroups, roles, removedAccessTypes, false, evalContext); + if (isOldPolicyChangeAllowed) { Set addedAccessTypes = getAllAccessTypes(policy, getServiceDef()); + ret = isDelegatedAdminAccessAllowedForPolicy(matchedRepository, policy, user, userGroups, roles, addedAccessTypes, false, evalContext); } } } else { - LOG.warn("Cannot get unmodified policy with id:[{}]. Checking if this", policy.getId()); + LOG.warn("Cannot get unmodified policy with id:[{}]. Checking if thi", policy.getId()); + Set addedAccessTypes = getAllAccessTypes(policy, getServiceDef()); + ret = isDelegatedAdminAccessAllowedForPolicy(matchedRepository, policy, user, userGroups, roles, addedAccessTypes, false, evalContext); } } @@ -463,7 +519,7 @@ boolean isDelegatedAdminAccessAllowed(RangerPolicy policy, String user, Set userGroups, Set roles, Set accessTypes, boolean isRead, Map evalContext) { - LOG.debug("==> RangerPolicyAdminImpl.isDelegatedAdminAccessAllowedForPolicy({}, {}, {}, {}, {}, {}, {})", policy.getId(), user, userGroups, roles, accessTypes, isRead, evalContext); + LOG.debug("==> RangerPolicyAdminImpl.isDelegatedAdminAccessAllowedForPolicy({}, {}, {}, {}, accessTypes{}, {}, {})", policy.getId(), user, userGroups, roles, accessTypes, isRead, evalContext); boolean ret = false; 
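Review bot: The warning in the `oldPolicy == null` branch becomes more truncated rather than less: `"Checking if this"` turns into `"Checking if thi"`, so the log line now ends mid-word and still does not say what is being checked. Since the lines that follow evaluate delegated-admin access against only the submitted policy's access types, say so explicitly: `LOG.warn("Cannot get unmodified policy with id:[{}]; evaluating delegated-admin access for the submitted policy as if it were new", policy.getId());`. This fallback means an update to a policy whose stored version cannot be loaded is checked only for the access types present in the new policy; whether that is acceptable depends on what a failed `serviceDBStore.getPolicy` means here, which the hunk does not show. The enclosing method starts in an earlier hunk and ends after this one.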
@@ -486,9 +542,7 @@ private boolean isDelegatedAdminAccessAllowedForPolicy(RangerPolicyRepository ma Set allowedAccesses = getAllowedAccesses(matchedRepository, policy.getResources(), user, userGroups, roles, accessTypes, evalContext); - if (CollectionUtils.isEmpty(allowedAccesses)) { - ret = false; - } else { + if (CollectionUtils.isNotEmpty(allowedAccesses)) { ret = isRead ? CollectionUtils.containsAny(allowedAccesses, accessTypes) : allowedAccesses.containsAll(accessTypes); } @@ -523,7 +577,7 @@ private boolean isDelegatedAdminAccessAllowedForPolicy(RangerPolicyRepository ma } } - LOG.debug("<== RangerPolicyAdminImpl.isDelegatedAdminAccessAllowedForPolicy({}, {}, {}, {}, {}, {}, {}) : {}", policy.getId(), user, userGroups, roles, accessTypes, isRead, evalContext, ret); + LOG.debug("<== RangerPolicyAdminImpl.isDelegatedAdminAccessAllowedForPolicy({}, {}, {}, {}, accessTypes{}, {}, {}): {}", policy.getId(), user, userGroups, roles, accessTypes, isRead, evalContext, ret); return ret; } @@ -596,12 +650,14 @@ private void getMatchingPoliciesForZone(RangerAccessRequest request, String zone if (useTagPoliciesFromDefaultZone) { if (StringUtils.isNotEmpty(policyZoneName)) { - LOG.debug("Tag policy [zone: {}] does not belong to default zone. Not evaluating this policy:[{}]", policyZoneName, evaluator.getPolicy()); + LOG.debug("Tag policy [zone:{}] does not belong to default zone. Not evaluating this policy:[{}]", policyZoneName, evaluator.getPolicy()); + continue; } } else { if (!StringUtils.equals(zoneName, policyZoneName)) { LOG.debug("Tag policy [zone:{}] does not belong to the zone:[{}] of the accessed resource. Not evaluating this policy:[{}]", policyZoneName, zoneName, evaluator.getPolicy()); + continue; } } 
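Review bot: The two added `continue;` statements in getMatchingPoliciesForZone are a behavioural change, not formatting: on the removed side a tag policy whose zone did not match was only logged ("Not evaluating this policy") and, as far as these lines show, then fell through to the rest of the loop body, so it could still be matched and returned. With `continue` such policies are now skipped, which narrows which zone's tag policies a caller sees; that matches what the log text promises, but it is an authorization-scoping fix and deserves a mention in the commit message and a test with a tag policy in a non-matching zone rather than riding along in a checkstyle cleanup. The loop body continues in the next hunk.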
@@ -609,7 +665,8 @@ private void getMatchingPoliciesForZone(RangerAccessRequest request, String zone for (RangerPolicyResourceEvaluator resourceEvaluator : evaluator.getResourceEvaluators()) { RangerPolicyResourceMatcher matcher = resourceEvaluator.getPolicyResourceMatcher(); - if (matcher != null && (request.isAccessTypeAny() ? matcher.isMatch(tagResource, RangerPolicyResourceMatcher.MatchScope.ANY, null) : matcher.isMatch(tagResource, null))) { + if (matcher != null && + (request.isAccessTypeAny() ? matcher.isMatch(tagResource, RangerPolicyResourceMatcher.MatchScope.ANY, null) : matcher.isMatch(tagResource, null))) { ret.add(evaluator.getPolicy()); break; @@ -627,7 +684,8 @@ private void getMatchingPoliciesForZone(RangerAccessRequest request, String zone for (RangerPolicyResourceEvaluator resourceEvaluator : evaluator.getResourceEvaluators()) { RangerPolicyResourceMatcher matcher = resourceEvaluator.getPolicyResourceMatcher(); - if (matcher != null && (request.isAccessTypeAny() ? matcher.isMatch(request.getResource(), RangerPolicyResourceMatcher.MatchScope.ANY, null) : matcher.isMatch(request.getResource(), null))) { + if (matcher != null && + (request.isAccessTypeAny() ? matcher.isMatch(request.getResource(), RangerPolicyResourceMatcher.MatchScope.ANY, null) : matcher.isMatch(request.getResource(), null))) { ret.add(evaluator.getPolicy()); break; @@ -661,10 +719,12 @@ private Map getPolicyResourcesWithMacrosReplaced(M for (String value : values) { // RANGER-3082 - replace macros in value with ASTERISK String modifiedValue = tokenReplacer.replaceTokens(value, evalContext); + modifiedValues.add(modifiedValue); } RangerPolicyResource modifiedPolicyResource = new RangerPolicyResource(modifiedValues, resourceValues.getIsExcludes(), resourceValues.getIsRecursive()); + ret.put(resourceName, modifiedPolicyResource); } else { ret.put(resourceName, resourceValues); 
@@ -689,7 +749,7 @@ private Set getAllAccessTypes(RangerPolicy policy, RangerServiceDef serv Map> expandedAccesses = ServiceDefUtil.getExpandedImpliedGrants(serviceDef); if (MapUtils.isNotEmpty(expandedAccesses)) { - Integer policyType = policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType(); + int policyType = policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType(); if (policyType == RangerPolicy.POLICY_TYPE_ACCESS) { for (RangerPolicy.RangerPolicyItem item : policy.getPolicyItems()) { @@ -697,16 +757,19 @@ private Set getAllAccessTypes(RangerPolicy policy, RangerServiceDef serv ret.addAll(expandedAccesses.get(access.getType())); } } + for (RangerPolicy.RangerPolicyItem item : policy.getDenyPolicyItems()) { for (RangerPolicy.RangerPolicyItemAccess access : item.getAccesses()) { ret.addAll(expandedAccesses.get(access.getType())); } } + for (RangerPolicy.RangerPolicyItem item : policy.getAllowExceptions()) { for (RangerPolicy.RangerPolicyItemAccess access : item.getAccesses()) { ret.addAll(expandedAccesses.get(access.getType())); } } + for (RangerPolicy.RangerPolicyItem item : policy.getDenyExceptions()) { for (RangerPolicy.RangerPolicyItemAccess access : item.getAccesses()) { ret.addAll(expandedAccesses.get(access.getType())); @@ -726,12 +789,15 @@ private Set getAllAccessTypes(RangerPolicy policy, RangerServiceDef serv } } else { LOG.error("Unknown policy-type :[{}], returning empty access-type set", policyType); + isValid = false; } + if (isValid && ret.isEmpty()) { ret.add(RangerPolicyEngine.ADMIN_ACCESS); } } + return ret; } @@ -756,6 +822,7 @@ private Set getAllModifiedAccessTypes(RangerPolicy oldPolicy, RangerPoli if (ret.isEmpty()) { ret.add(RangerPolicyEngine.ADMIN_ACCESS); } + return ret; } 
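Review bot: In getAllAccessTypes every `ret.addAll(expandedAccesses.get(access.getType()))` dereferences the map lookup without a null check, so an access type on a stored policy item that has no entry in the expanded implied-grants map (a stale or misspelled type, for example) throws a NullPointerException out of the delegated-admin check instead of being reported. If `getExpandedImpliedGrants` is guaranteed to contain every type a policy can carry this is moot, but that guarantee is not visible here; a cheap guard is `Set<String> expanded = expandedAccesses.get(access.getType()); if (expanded != null) { ret.addAll(expanded); }` with a warning naming `policy.getId()` and the type in the else case. An NPE here at least fails closed for the caller, so this is about diagnosability rather than a bypass. The method starts in the previous hunk on this line.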
@@ -763,7 +830,7 @@ private void collectAccessTypes(RangerPolicy policy, RangerServiceDef serviceDef Map> expandedAccesses = ServiceDefUtil.getExpandedImpliedGrants(serviceDef); if (MapUtils.isNotEmpty(expandedAccesses)) { - Integer policyType = policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType(); + int policyType = policy.getPolicyType() == null ? RangerPolicy.POLICY_TYPE_ACCESS : policy.getPolicyType(); if (policyType == RangerPolicy.POLICY_TYPE_ACCESS) { collectAccessTypes(expandedAccesses, policy.getPolicyItems(), userAccesses, groupAccesses, roleAccesses); @@ -790,6 +857,7 @@ private void collectAccessTypes(Map> expandedAccesses for (String user : item.getUsers()) { Set oldAccesses = userAccesses.get(user); + if (oldAccesses != null) { oldAccesses.addAll(accessTypes); } else { @@ -799,6 +867,7 @@ private void collectAccessTypes(Map> expandedAccesses for (String group : item.getGroups()) { Set oldAccesses = groupAccesses.get(group); + if (oldAccesses != null) { oldAccesses.addAll(accessTypes); } else { @@ -808,6 +877,7 @@ private void collectAccessTypes(Map> expandedAccesses for (String role : item.getRoles()) { Set oldAccesses = roleAccesses.get(role); + if (oldAccesses != null) { oldAccesses.addAll(accessTypes); } else { @@ -822,17 +892,22 @@ private Set getAccessTypesDiff(Map> newAccessesMap, for (Map.Entry> entry : newAccessesMap.entrySet()) { Set oldAccesses = oldAccessesMap.get(entry.getKey()); + if (oldAccesses != null) { Collection added = CollectionUtils.subtract(entry.getValue(), oldAccesses); + ret.addAll(added); } else { ret.addAll(entry.getValue()); } } + for (Map.Entry> entry : oldAccessesMap.entrySet()) { Set newAccesses = newAccessesMap.get(entry.getKey()); + if (newAccesses != null) { Collection removed = CollectionUtils.subtract(entry.getValue(), newAccesses); + ret.addAll(removed); } else { ret.addAll(entry.getValue()); 
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java index 1a6a99d704..f43b982188 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyRetriever.java @@ -43,8 +43,6 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.transaction.PlatformTransactionManager; -import org.springframework.transaction.TransactionStatus; -import org.springframework.transaction.support.TransactionCallback; import org.springframework.transaction.support.TransactionTemplate; import java.util.ArrayList; @@ -57,15 +55,15 @@ public class RangerPolicyRetriever { static final Logger LOG = LoggerFactory.getLogger(RangerPolicyRetriever.class); static final Logger PERF_LOG = RangerPerfTracer.getPerfLogger("db.RangerPolicyRetriever"); - private final RangerDaoManager daoMgr; - private final LookupCache lookupCache = new LookupCache(); - + private final RangerDaoManager daoMgr; + private final LookupCache lookupCache = new LookupCache(); private final PlatformTransactionManager txManager; private final TransactionTemplate txTemplate; public RangerPolicyRetriever(RangerDaoManager daoMgr, PlatformTransactionManager txManager) { this.daoMgr = daoMgr; this.txManager = txManager; + if (this.txManager != null) { this.txTemplate = new TransactionTemplate(this.txManager); this.txTemplate.setReadOnly(true); 
@@ -138,16 +136,21 @@ public List getServicePolicies(final XXService xService) { if (xService != null) { if (txTemplate == null) { LOG.debug("Transaction Manager is null; Retrieving policies in the existing transaction"); + RetrieverContext ctx = new RetrieverContext(xService); + ret = ctx.getAllPolicies(); } else { LOG.debug("Retrieving policies in a new, read-only transaction"); PolicyLoaderThread t = new PolicyLoaderThread(txTemplate, xService); + t.setDaemon(true); t.start(); + try { t.join(); + ret = t.getPolicies(); } catch (InterruptedException ie) { LOG.error("Failed to retrieve policies in a new, read-only thread.", ie); @@ -159,7 +162,7 @@ public List getServicePolicies(final XXService xService) { RangerPerfTracer.log(perf); - LOG.debug("<== RangerPolicyRetriever.getServicePolicies(serviceName={}, serviceId={}): policyCount={}", serviceName, serviceId, (ret == null ? 0 : ret.size())); + LOG.debug("<== RangerPolicyRetriever.getServicePolicies(serviceName={}, serviceId={}): policyCount={}", serviceName, serviceId, ret == null ? 0 : ret.size()); return ret; } @@ -218,7 +221,7 @@ public RangerPolicy getPolicy(XXPolicy xPolicy, XXService xService) { RangerPerfTracer.log(perf); - LOG.debug("<== RangerPolicyRetriever.getPolicy({}): ", policyId, ret); + LOG.debug("<== RangerPolicyRetriever.getPolicy({}): {}", policyId, ret); return ret; } @@ -268,7 +271,7 @@ public PolicyTextNameMap(Long policyId, String oldName, String currentName) { private class PolicyLoaderThread extends Thread { final TransactionTemplate txTemplate; final XXService xService; - List policies; + List policies; PolicyLoaderThread(TransactionTemplate txTemplate, final XXService xService) { this.txTemplate = txTemplate; 
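Review bot: The `catch (InterruptedException ie)` after `t.join()` in getServicePolicies logs the exception but does not restore the interrupt flag, so the caller's interruption is lost; add `Thread.currentThread().interrupt();` after the `LOG.error(...)`. Because `ret` is only assigned from `t.getPolicies()` on the success path, an interrupted join leaves `ret` null while the now-daemon loader thread keeps running and finishes its read-only transaction unobserved; whether callers treat a null result as an error or as "no policies" is not visible in this hunk. The method continues past the end of the hunk.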
@@ -283,17 +286,17 @@ public List getPolicies() { public void run() { try { txTemplate.setReadOnly(true); - policies = txTemplate.execute(new TransactionCallback>() { - @Override - public List doInTransaction(TransactionStatus status) { - try { - RetrieverContext ctx = new RetrieverContext(xService); - return ctx.getAllPolicies(); - } catch (Exception ex) { - LOG.error("RangerPolicyRetriever.getServicePolicies(): Failed to get policies service:[{}] in a new transaction", xService.getName(), ex); - status.setRollbackOnly(); - return null; - } + policies = txTemplate.execute(status -> { + try { + RetrieverContext ctx = new RetrieverContext(xService); + + return ctx.getAllPolicies(); + } catch (Exception ex) { + LOG.error("RangerPolicyRetriever.getServicePolicies(): Failed to get policies for service:[{}] in a new transaction", xService.getName(), ex); + + status.setRollbackOnly(); + + return null; } }); } catch (Throwable ex) { @@ -303,8 +306,8 @@ public List doInTransaction(TransactionStatus status) { } class LookupCache { - final Map userScreenNames = new HashMap(); - final Map zoneNames = new HashMap(); + final Map userScreenNames = new HashMap<>(); + final Map zoneNames = new HashMap<>(); final Map> roleMappingsPerPolicy = new HashMap<>(); final Map> groupMappingsPerPolicy = new HashMap<>(); final Map> userMappingsPerPolicy = new HashMap<>(); @@ -312,7 +315,7 @@ class LookupCache { final Map> resourceMappingsPerPolicy = new HashMap<>(); final Map> dataMaskMappingsPerPolicy = new HashMap<>(); final Map> conditionMappingsPerPolicy = new HashMap<>(); - final Map policyLabels = new HashMap(); + final Map policyLabels = new HashMap<>(); public void setResourceNameMapping(List resourceNameMapping) { setNameMapping(resourceMappingsPerPolicy, resourceNameMapping); 
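Review bot: `txTemplate.setReadOnly(true)` at the top of PolicyLoaderThread.run() re-configures the TransactionTemplate that the constructor earlier in this diff already set read-only, and it does so from the loader thread on an object shared with the creating thread; TransactionTemplate setters are intended for configuration before use, so this line can simply be dropped. Separately, the lambda's `catch (Exception ex)` marks the transaction rollback-only and returns null, which the join side then hands back as `policies == null`; recording the failure in a field such as `private Exception loadFailure;` set in the catch would let the caller distinguish a database error from a service that genuinely has no policies. The surrounding class continues outside this hunk.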
@@ -410,13 +413,7 @@ void setNameMapping(Map> nameMappingContainer, List policyNameMap = nameMappingContainer.get(nameMapping.policyId); - - if (policyNameMap == null) { - policyNameMap = new HashMap<>(); - - nameMappingContainer.put(nameMapping.policyId, policyNameMap); - } + Map policyNameMap = nameMappingContainer.computeIfAbsent(nameMapping.policyId, k -> new HashMap<>()); policyNameMap.put(nameMapping.oldName, nameMapping.currentName); } @@ -650,14 +647,18 @@ List getAllPolicies() { private void getPolicyLabels(RangerPolicy ret) { List xPolicyLabels = new ArrayList<>(); + if (iterPolicyLabels != null) { while (iterPolicyLabels.hasNext()) { XXPolicyLabelMap xPolicyLabel = iterPolicyLabels.next(); + if (xPolicyLabel.getPolicyId().equals(ret.getId())) { String policyLabel = lookupCache.getPolicyLabelName(xPolicyLabel.getPolicyLabelId()); + if (policyLabel != null) { xPolicyLabels.add(policyLabel); } + ret.setPolicyLabels(xPolicyLabels); } else { if (iterPolicyLabels.hasPrevious()) { diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerTagDBRetriever.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerTagDBRetriever.java index ee8c9010d9..779638e7bf 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RangerTagDBRetriever.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerTagDBRetriever.java @@ -40,8 +40,6 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.transaction.PlatformTransactionManager; -import org.springframework.transaction.TransactionStatus; -import org.springframework.transaction.support.TransactionCallback; import org.springframework.transaction.support.TransactionTemplate; import java.util.ArrayList; 
@@ -51,11 +49,13 @@ import java.util.Map; public class RangerTagDBRetriever { - public static final TypeReference subsumedDataType = new TypeReference>() {}; private static final Logger LOG = LoggerFactory.getLogger(RangerTagDBRetriever.class); private static final Logger PERF_LOG = RangerPerfTracer.getPerfLogger("db.RangerTagDBRetriever"); - private final RangerDaoManager daoMgr; - private final LookupCache lookupCache; + + public static final TypeReference> subsumedDataType = new TypeReference>() {}; + + private final RangerDaoManager daoMgr; + private final LookupCache lookupCache; private List serviceResources; private Map tagDefs; @@ -67,10 +67,12 @@ public class RangerTagDBRetriever { if (txManager != null) { txTemplate = new TransactionTemplate(txManager); + txTemplate.setReadOnly(true); } else { txTemplate = null; } + this.lookupCache = new LookupCache(); if (this.daoMgr != null && xService != null) { @@ -82,6 +84,7 @@ public class RangerTagDBRetriever { if (txTemplate == null) { LOG.debug("Load Tags in the same thread and using an existing transaction"); + if (!initializeTagCache(xService)) { LOG.error("Failed to get tags for service:[{}] in the same thread and using an existing transaction", xService.getName()); } @@ -89,8 +92,10 @@ public class RangerTagDBRetriever { LOG.debug("Load Tags in a separate thread and using a new transaction"); TagLoaderThread t = new TagLoaderThread(txTemplate, xService); + t.setDaemon(true); t.start(); + try { t.join(); } catch (InterruptedException ie) { @@ -116,6 +121,7 @@ Map getTags() { if (CollectionUtils.isNotEmpty(serviceResources)) { for (RangerServiceResource serviceResource : serviceResources) { List tags = lookupCache.serviceResourceToTags.get(serviceResource.getId()); + if (CollectionUtils.isNotEmpty(tags)) { for (RangerTag tag : tags) { ret.put(tag.getId(), tag); 
@@ -133,15 +139,19 @@ Map> getResourceToTagIds() { if (CollectionUtils.isNotEmpty(serviceResources)) { for (RangerServiceResource serviceResource : serviceResources) { List tags = lookupCache.serviceResourceToTags.get(serviceResource.getId()); + if (CollectionUtils.isNotEmpty(tags)) { List tagIds = new ArrayList<>(); + ret.put(serviceResource.getId(), tagIds); + for (RangerTag tag : tags) { tagIds.add(tag.getId()); } } } } + return ret; } @@ -154,10 +164,12 @@ private boolean initializeTagCache(XXService xService) { ret = true; } catch (Exception ex) { LOG.error("Failed to get tags for service:[{}]", xService.getName(), ex); + serviceResources = null; tagDefs = null; ret = false; } + return ret; } @@ -213,17 +225,18 @@ private class TagLoaderThread extends Thread { public void run() { try { txTemplate.setReadOnly(true); - Boolean result = txTemplate.execute(new TransactionCallback() { - @Override - public Boolean doInTransaction(TransactionStatus status) { - boolean ret = initializeTagCache(xService); - if (!ret) { - status.setRollbackOnly(); - LOG.error("Failed to get tags for service:[{}] in a new transaction", xService.getName()); - } - return ret; + Boolean result = txTemplate.execute(status -> { + boolean ret = initializeTagCache(xService); + + if (!ret) { + status.setRollbackOnly(); + + LOG.error("Failed to get tags for service:[{}] in a new transaction", xService.getName()); } + + return ret; }); + LOG.debug("transaction result:[{}]", result); } catch (Throwable ex) { LOG.error("Failed to get tags for service:[{}] in a new transaction", xService.getName(), ex); @@ -237,6 +250,7 @@ private class TagRetrieverServiceResourceContext { TagRetrieverServiceResourceContext(XXService xService) { Long serviceId = xService == null ? null : xService.getId(); + this.service = xService; List xServiceResources = daoMgr.getXXServiceResource().findTaggedResourcesInServiceId(serviceId); 
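Review bot: initializeTagCache collapses any exception into `ret = false` plus `serviceResources = null; tagDefs = null;`, and getTags()/getResourceToTagIds() in the preceding hunks return an empty map whenever `serviceResources` is empty, so after a database failure the retriever is indistinguishable from a service with no tagged resources. The constructor only logs when `false` comes back, which means a caller that publishes the resulting tag set without checking would distribute an empty tag map in place of the real one; consider keeping the failure in a field, e.g. `private Exception loadFailure;` assigned in the catch, and exposing it so callers can fail closed. Whether callers already guard against this is not visible here.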
@@ -254,6 +268,7 @@ List getAllServiceResources() { ret.add(serviceResource); } } + return ret; } @@ -277,27 +292,33 @@ RangerServiceResource getNextServiceResource() { ret.setUpdateTime(xServiceResource.getUpdateTime()); ret.setVersion(xServiceResource.getVersion()); ret.setResourceSignature(xServiceResource.getResourceSignature()); + if (StringUtils.isNotEmpty(xServiceResource.getServiceResourceElements())) { try { Map serviceResourceElements = JsonUtils.jsonToObject(xServiceResource.getServiceResourceElements(), RangerServiceResourceService.subsumedDataType); + ret.setResourceElements(serviceResourceElements); } catch (JsonProcessingException e) { LOG.error("Error occurred while processing JSON ", e); } } + try { List tags = JsonUtils.jsonToObject(xServiceResource.getTags(), RangerServiceResourceService.duplicatedDataType); + if (CollectionUtils.isNotEmpty(tags)) { for (RangerTag tag : tags) { RangerServiceTagsDeltaUtil.pruneUnusedAttributes(tag); } } + lookupCache.serviceResourceToTags.put(xServiceResource.getId(), tags); } catch (JsonProcessingException e) { LOG.error("Error occurred while processing JSON ", e); } } } + return ret; } } @@ -307,9 +328,8 @@ private class TagRetrieverTagDefContext { final ListIterator iterTagDef; TagRetrieverTagDefContext(XXService xService) { - Long serviceId = xService == null ? null : xService.getId(); - - List xTagDefs = daoMgr.getXXTagDef().findByServiceId(serviceId); + Long serviceId = xService == null ? null : xService.getId(); + List xTagDefs = daoMgr.getXXTagDef().findByServiceId(serviceId); this.service = xService; this.iterTagDef = xTagDefs.listIterator(); @@ -325,6 +345,7 @@ Map getAllTagDefs() { ret.put(tagDef.getId(), tagDef); } } + return ret; } 
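Review bot: Both `catch (JsonProcessingException e)` blocks in getNextServiceResource log the generic `"Error occurred while processing JSON "` without saying which service-resource failed, and then continue: the resource is still returned without its elements, and on the second failure nothing is put into `serviceResourceToTags`, so that resource silently loses its tags. Include the identifier so the gap is traceable, e.g. `LOG.error("Failed to parse tags of service-resource id:[{}]", xServiceResource.getId(), e);` (and likewise for the elements), and consider whether a resource whose stored JSON is unparseable should be handed out at all. The loop that produces `xServiceResource` starts before this hunk.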
@@ -349,9 +370,11 @@ RangerTagDef getNextTagDef() { ret.setVersion(xTagDef.getVersion()); ret.setName(xTagDef.getName()); ret.setSource(xTagDef.getSource()); + if (StringUtils.isNotEmpty(xTagDef.getTagAttrDefs())) { try { - List attributeDefs = (List) JsonUtils.jsonToObject(xTagDef.getTagAttrDefs(), RangerTagDBRetriever.subsumedDataType); + List attributeDefs = JsonUtils.jsonToObject(xTagDef.getTagAttrDefs(), RangerTagDBRetriever.subsumedDataType); + ret.setAttributeDefs(attributeDefs); } catch (JsonProcessingException e) { LOG.error("Error occurred while processing JSON ", e); diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java index 4d98388aee..f9296f699e 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java @@ -18,11 +18,10 @@ package org.apache.ranger.biz; import org.apache.commons.collections.CollectionUtils; -import org.apache.commons.collections.ListUtils; import org.apache.commons.lang.StringUtils; import org.apache.ranger.authorization.hadoop.config.RangerAdminConfig; import org.apache.ranger.authorization.utils.JsonUtils; -import org.apache.ranger.biz.ServiceDBStore.RemoveRefType; +import org.apache.ranger.biz.ServiceDBStore.REMOVE_REF_TYPE; import org.apache.ranger.common.ContextUtil; import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.RESTErrorUtil; @@ -55,6 +54,7 @@ import javax.annotation.PostConstruct; import java.util.ArrayList; +import java.util.Collections; import java.util.HashSet; import java.util.List; import java.util.Set; 
@@ -64,23 +64,31 @@ @Component public class RoleDBStore implements RoleStore { private static final Logger LOG = LoggerFactory.getLogger(RoleDBStore.class); - private final Boolean populateExistingBaseFields = false; + @Autowired RangerRoleService roleService; + @Autowired XUserService xUserService; + @Autowired RangerDaoManager daoMgr; + @Autowired RESTErrorUtil restErrorUtil; + @Autowired RoleRefUpdater roleRefUpdater; + @Autowired RangerTransactionSynchronizationAdapter transactionSynchronizationAdapter; + @Autowired ServiceDBStore svcStore; + @Autowired GdsDBStore gdsStore; + RangerAdminConfig config; AbstractPredicateUtil predicateUtil; @@ -100,7 +108,9 @@ public RangerRole createRole(RangerRole role, Boolean createNonExistUserGroupRol transactionSynchronizationAdapter.executeOnTransactionCommit(roleVersionUpdater); roleService.create(role); + RangerRole createdRole = getRole(role.getName()); + if (createdRole == null) { throw new Exception("Cannot create role:[" + role + "]"); } @@ -108,12 +118,14 @@ public RangerRole createRole(RangerRole role, Boolean createNonExistUserGroupRol roleRefUpdater.createNewRoleMappingForRefTable(createdRole, createNonExistUserGroupRole); roleService.createTransactionLog(createdRole, null, RangerBaseModelService.OPERATION_CREATE_CONTEXT); + return createdRole; } @Override public RangerRole updateRole(RangerRole role, Boolean createNonExistUserGroupRole) throws Exception { XXRole xxRole = daoMgr.getXXRole().findByRoleId(role.getId()); + if (xxRole == null) { throw restErrorUtil.createRESTException("role with id: " + role.getId() + " does not exist"); } 
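Review bot: The `createdRole == null` check in createRole after `RangerRole createdRole = getRole(role.getName());` looks unreachable for the case it guards: `getRole(String)` later in this diff throws a REST "does not exist" exception when no `XXRole` matches instead of returning null, so a create that did not persist surfaces as a lookup error rather than the intended `Cannot create role` message, and the remaining null path covers only whatever `roleService.read` might return. Either look the row up directly, `XXRole created = daoMgr.getXXRole().findByRoleName(role.getName());` and fail through restErrorUtil when it is null, or drop the dead check; `throw new Exception(...)` with the whole role's toString is also coarser than the restErrorUtil errors used elsewhere in this class. createRole starts before this hunk.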
@@ -121,15 +133,19 @@ public RangerRole updateRole(RangerRole role, Boolean createNonExistUserGroupRol if (!role.getName().equals(xxRole.getName())) { // ensure only if role name is changed ensureRoleNameUpdateAllowed(xxRole.getName()); } + RangerRole oldRole = null; + if (StringUtils.isNotEmpty(xxRole.getRoleText())) { oldRole = JsonUtils.jsonToObject(xxRole.getRoleText(), RangerRole.class); } Runnable roleVersionUpdater = new RoleVersionUpdater(daoMgr); + transactionSynchronizationAdapter.executeOnTransactionCommit(roleVersionUpdater); RangerRole updatedRole = roleService.update(role); + if (updatedRole == null) { throw new Exception("Cannot update role:[" + role + "]"); } @@ -143,12 +159,14 @@ public RangerRole updateRole(RangerRole role, Boolean createNonExistUserGroupRol } roleService.createTransactionLog(updatedRole, oldRole, RangerBaseModelService.OPERATION_UPDATE_CONTEXT); + return role; } @Override public void deleteRole(String roleName) throws Exception { XXRole xxRole = daoMgr.getXXRole().findByRoleName(roleName); + if (xxRole == null) { throw restErrorUtil.createRESTException("Role with name: " + roleName + " does not exist"); } 
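Review bot: updateRole returns the caller-supplied `role` at the end of the hunk even though `RangerRole updatedRole = roleService.update(role)` was null-checked and used for the transaction log a few lines above; createRole in this same file returns the re-read object instead. Returning `updatedRole` would give callers whatever the service layer normalised (ids, version, timestamps) rather than their own input, i.e. `return updatedRole;`, unless some caller depends on identity with its argument, which is not visible here. The method starts in the previous hunk.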
@@ -163,38 +181,40 @@ public void deleteRole(Long roleId) throws Exception { ensureRoleDeleteAllowed(role.getName()); Runnable roleVersionUpdater = new RoleVersionUpdater(daoMgr); + transactionSynchronizationAdapter.executeOnTransactionCommit(roleVersionUpdater); roleRefUpdater.cleanupRefTables(role); // delete role from audit filter configs - svcStore.updateServiceAuditConfig(role.getName(), RemoveRefType.ROLE); + svcStore.updateServiceAuditConfig(role.getName(), REMOVE_REF_TYPE.ROLE); // delete gdsObject mapping of role - gdsStore.deletePrincipalFromGdsAcl(RemoveRefType.ROLE.toString(), role.getName()); + gdsStore.deletePrincipalFromGdsAcl(REMOVE_REF_TYPE.ROLE.toString(), role.getName()); roleService.delete(role); roleService.createTransactionLog(role, null, RangerBaseModelService.OPERATION_DELETE_CONTEXT); } @Override - public RangerRole getRole(Long id) throws Exception { + public RangerRole getRole(Long id) { return roleService.read(id); } @Override - public RangerRole getRole(String name) throws Exception { + public RangerRole getRole(String name) { XXRole xxRole = daoMgr.getXXRole().findByRoleName(name); + if (xxRole == null) { throw restErrorUtil.createRESTException("Role with name: " + name + " does not exist"); } + return roleService.read(xxRole.getId()); } @Override public List getRoles(SearchFilter filter) throws Exception { - List ret = new ArrayList<>(); - - List xxRoles = daoMgr.getXXRole().getAll(); + List ret = new ArrayList<>(); + List xxRoles = daoMgr.getXXRole().getAll(); if (CollectionUtils.isNotEmpty(xxRoles)) { for (XXRole xxRole : xxRoles) { @@ -205,6 +225,7 @@ public List getRoles(SearchFilter filter) throws Exception { List copy = new ArrayList<>(ret); predicateUtil.applyFilter(copy, filter); + ret = copy; } } 
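Review bot: `REMOVE_REF_TYPE` is a type name written in constant case, so `REMOVE_REF_TYPE.ROLE` reads as a constant of a constant; Java convention, and the removed side's `RemoveRefType`, is UpperCamelCase for the enum type and UPPER_SNAKE only for its values. If the rename is forced by the declaration in ServiceDBStore, a checkstyle suppression for the TypeName rule is cheaper than propagating the name to every call site. Also, `gdsStore.deletePrincipalFromGdsAcl(REMOVE_REF_TYPE.ROLE.toString(), role.getName())` passes the enum as a string right next to a call that takes the enum itself; if the GDS API can accept the enum, use it so the two cannot drift apart.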
@@ -213,7 +234,7 @@ public List getRoles(SearchFilter filter) throws Exception { } @Override - public List getRoleNames(SearchFilter filter) throws Exception { + public List getRoleNames(SearchFilter filter) { return daoMgr.getXXRole().getAllNames(); } @@ -235,10 +256,11 @@ public RangerRoles getRoles(String serviceName, Long lastKnownRoleVersion) throw @Override public Long getRoleVersion(String serviceName) { - Long ret = null; + Long ret; if (ServiceDBStore.isSupportsRolesDownloadByService()) { XXServiceVersionInfo xxServiceVersionInfo = daoMgr.getXXServiceVersionInfo().findByServiceName(serviceName); + ret = (xxServiceVersionInfo != null) ? xxServiceVersionInfo.getRoleVersion() : null; } else { ret = daoMgr.getXXGlobalState().getAppDataVersion(RANGER_GLOBAL_STATE_NAME_ROLE); @@ -248,14 +270,16 @@ public Long getRoleVersion(String serviceName) { } @Override - public boolean roleExists(Long id) throws Exception { + public boolean roleExists(Long id) { XXRole role = daoMgr.getXXRole().findByRoleId(id); + return role != null; } @Override - public boolean roleExists(String name) throws Exception { + public boolean roleExists(String name) { XXRole role = daoMgr.getXXRole().findByRoleName(name); + return role != null; } @@ -265,7 +289,10 @@ public void initStore() { config = RangerAdminConfig.getInstance(); + Boolean populateExistingBaseFields = false; + roleService.setPopulateExistingBaseFields(populateExistingBaseFields); + predicateUtil = new RolePredicateUtil(); LOG.debug("<== RoleDBStore.initStore()"); 
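Review bot: getRoleNames(SearchFilter filter) ignores its `filter` argument and returns `daoMgr.getXXRole().getAllNames()` unconditionally, so whatever restriction a caller encodes in the filter has no effect and the complete list of role names is returned every time. If that is intended because the parameter only exists to satisfy the RoleStore interface, say so in a comment, `// NOTE: filter is intentionally not applied; all role names are returned`, and only if that assumption holds; otherwise apply it the way getRoles(SearchFilter) does via predicateUtil. Dropping `throws Exception` from the signature is fine since nothing in the body throws a checked exception.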
@@ -282,34 +309,40 @@ public RangerRoleList getRoles(SearchFilter filter, RangerRoleList rangerRoleLis } rangerRoleList.setRoleList(roles); + return rangerRoleList; } - public RangerRoleList getRolesForUser(SearchFilter filter, RangerRoleList rangerRoleList) throws Exception { + public RangerRoleList getRolesForUser(SearchFilter filter, RangerRoleList rangerRoleList) { List roles = new ArrayList<>(); - List xxRoles = null; UserSessionBase userSession = ContextUtil.getCurrentUserSession(); + if (userSession != null && userSession.getUserRoleList().size() == 1 && userSession.getUserRoleList().contains(RangerConstants.ROLE_USER) && userSession.getLoginId() != null) { - VXUser loggedInVXUser = xUserService.getXUserByUserName(userSession.getLoginId()); - xxRoles = daoMgr.getXXRole().findByUserId(loggedInVXUser.getId()); + VXUser loggedInVXUser = xUserService.getXUserByUserName(userSession.getLoginId()); + List xxRoles = daoMgr.getXXRole().findByUserId(loggedInVXUser.getId()); if (CollectionUtils.isNotEmpty(xxRoles)) { for (XXRole xxRole : xxRoles) { roles.add(roleService.read(xxRole.getId())); } } + if (predicateUtil != null && filter != null && !filter.isEmpty()) { List copy = new ArrayList<>(roles); predicateUtil.applyFilter(copy, filter); + roles = copy; } + int totalCount = roles.size(); int startIndex = filter.getStartIndex(); int pageSize = filter.getMaxRows(); int toIndex = Math.min(startIndex + pageSize, totalCount); + if (CollectionUtils.isNotEmpty(roles)) { roles = roles.subList(startIndex, toIndex); + rangerRoleList.setResultSize(roles.size()); rangerRoleList.setPageSize(filter.getMaxRows()); rangerRoleList.setSortBy(filter.getSortBy()); 
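Review bot: The paging arithmetic at the end of getRolesForUser trusts client-supplied values: `int startIndex = filter.getStartIndex();` is read unconditionally although `filter` was null-guarded a few lines earlier, and `roles.subList(startIndex, toIndex)` throws when `startIndex` is negative or greater than `toIndex` (a start index past the last page), turning a bad query parameter into an unhandled exception. Clamp before slicing, e.g. `int startIndex = Math.max(0, Math.min(filter.getStartIndex(), totalCount));`, and either require a non-null filter up front or fold the null case into the same guard. Whether SearchFilter already sanitises these values upstream is not visible here. The method's else branch continues in the next hunk.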
@@ -318,7 +351,7 @@ public RangerRoleList getRolesForUser(SearchFilter filter, RangerRoleList ranger rangerRoleList.setTotalCount(totalCount); } } else { - xxRoles = roleService.searchResources(filter, roleService.searchFields, roleService.sortFields, rangerRoleList); + List xxRoles = roleService.searchResources(filter, roleService.searchFields, roleService.sortFields, rangerRoleList); if (CollectionUtils.isNotEmpty(xxRoles)) { for (XXRole xxRole : xxRoles) { @@ -326,21 +359,26 @@ public RangerRoleList getRolesForUser(SearchFilter filter, RangerRoleList ranger } } } + rangerRoleList.setRoleList(roles); return rangerRoleList; } - public Set getRoleNames(String userName, Set userGroups) throws Exception { + public Set getRoleNames(String userName, Set userGroups) { Set ret = new HashSet<>(); + if (StringUtils.isNotEmpty(userName)) { List xxRoleRefUsers = roleRefUpdater.getRangerDaoManager().getXXRoleRefUser().findByUserName(userName); + for (XXRoleRefUser xxRoleRefUser : xxRoleRefUsers) { ret.add(getRole(xxRoleRefUser.getRoleId())); } } + for (String userGroup : userGroups) { List xxRoleRefGroups = roleRefUpdater.getRangerDaoManager().getXXRoleRefGroup().findByGroupName(userGroup); + for (XXRoleRefGroup xxRoleRefGroup : xxRoleRefGroups) { ret.add(getRole(xxRoleRefGroup.getRoleId())); } 
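Review bot: `for (String userGroup : userGroups)` in `getRoleNames(String userName, Set userGroups)` dereferences `userGroups` without a guard, while `userName` is checked with `StringUtils.isNotEmpty`, so a caller passing null groups gets a `NullPointerException` after the user-based roles were already collected. Wrapping the loop in `if (CollectionUtils.isNotEmpty(userGroups))`, the helper this file already uses, keeps the method total over its inputs. The first hunk on this line starts mid-way through `getRolesForUser`, whose body begins outside it.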
@@ -350,25 +388,32 @@ public Set getRoleNames(String userName, Set userGroups) thr } public List getRoles(String serviceName) { - List ret = ListUtils.EMPTY_LIST; + List ret = Collections.emptyList(); + if (StringUtils.isNotEmpty(serviceName)) { XXService xxService = daoMgr.getXXService().findByName(serviceName); + ret = getRoles(xxService); } + return ret; } public List getRoles(Long serviceId) { - List ret = ListUtils.EMPTY_LIST; + List ret = Collections.emptyList(); if (serviceId != null) { String serviceTypeName = daoMgr.getXXServiceDef().findServiceDefTypeByServiceId(serviceId); + LOG.debug("Service Type for serviceId ({}) = {}", serviceId, serviceTypeName); + String serviceTypesToGetAllRoles = config.get("ranger.admin.service.types.for.returning.all.roles", "solr"); boolean getAllRoles = false; + if (StringUtils.isNotEmpty(serviceTypesToGetAllRoles)) { String[] allRolesServiceTypes = StringUtils.split(serviceTypesToGetAllRoles, ","); + if (allRolesServiceTypes != null) { for (String allRolesServiceType : allRolesServiceTypes) { if (StringUtils.equalsIgnoreCase(serviceTypeName, allRolesServiceType)) { 
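Review bot: in `getRoles(Long serviceId)` the tokens produced by `StringUtils.split(serviceTypesToGetAllRoles, ",")` are compared with `StringUtils.equalsIgnoreCase(serviceTypeName, allRolesServiceType)` untrimmed, so a property value written as `solr, hive` never matches `hive` because the token keeps its leading space; comparing against `StringUtils.trim(allRolesServiceType)` makes the setting whitespace-tolerant. The `allRolesServiceTypes != null` test is redundant, since `split` returns null only for a null input and the surrounding `isNotEmpty` check already excludes that. The method continues past the end of the hunk.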
@@ -378,28 +423,34 @@ public List getRoles(Long serviceId) { } } } + List rolesFromDb = getAllRoles ? daoMgr.getXXRole().getAll() : daoMgr.getXXRole().findByServiceId(serviceId); + if (CollectionUtils.isNotEmpty(rolesFromDb)) { ret = new ArrayList<>(); + for (XXRole xxRole : rolesFromDb) { ret.add(roleService.read(xxRole.getId())); } } } + return ret; } public List getRoles(XXService service) { - return service == null ? ListUtils.EMPTY_LIST : getRoles(service.getId()); + return service == null ? Collections.emptyList() : getRoles(service.getId()); } private void ensureRoleNameUpdateAllowed(String roleName) throws Exception { boolean roleNotInPolicy = ensureRoleNotInPolicy(roleName); + if (!roleNotInPolicy) { throw new Exception("Rolename for '" + roleName + "' can not be updated as it is referenced in one or more policies"); } boolean roleNotInOtherRole = ensureRoleNotInRole(roleName); + if (!roleNotInOtherRole) { throw new Exception("Rolename for '" + roleName + "' can not be updated as it is referenced in one or more other roles"); } @@ -413,11 +464,13 @@ private void ensureRoleNameUpdateAllowed(String roleName) throws Exception { private void ensureRoleDeleteAllowed(String roleName) throws Exception { boolean roleNotInPolicy = ensureRoleNotInPolicy(roleName); + if (!roleNotInPolicy) { throw new Exception("Role '" + roleName + "' can not be deleted as it is referenced in one or more policies"); } boolean roleNotInOtherRole = ensureRoleNotInRole(roleName); + if (!roleNotInOtherRole) { throw new Exception("Role '" + roleName + "' can not be deleted as it is referenced in one or more other roles"); } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java b/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java index 1644c5f1a1..3863f5a088 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java 
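Review bot: `ensureRoleNameUpdateAllowed` throws `new Exception(...)` for a validation failure, so a caller cannot distinguish "role is referenced" from an unexpected failure without parsing the message; a dedicated exception type, or the `restErrorUtil.createRESTException(...)` style used in the SecurityZoneDBStore hunks of this same change if this store has that helper, would carry the meaning in the type. The `@@ -413,11 +464,13 @@` hunk for `ensureRoleDeleteAllowed` has the same pattern. Both methods are only partly inside their hunks.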
@@ -89,8 +89,8 @@ public void createNewRoleMappingForRefTable(RangerRole rangerRole, Boolean creat } cleanupRefTables(rangerRole); - final Long roleId = rangerRole.getId(); + final Long roleId = rangerRole.getId(); final Set roleUsers = new HashSet<>(); final Set roleGroups = new HashSet<>(); final Set roleRoles = new HashSet<>(); @@ -98,9 +98,11 @@ public void createNewRoleMappingForRefTable(RangerRole rangerRole, Boolean creat for (RangerRole.RoleMember user : rangerRole.getUsers()) { roleUsers.add(user.getName()); } + for (RangerRole.RoleMember group : rangerRole.getGroups()) { roleGroups.add(group.getName()); } + for (RangerRole.RoleMember role : rangerRole.getRoles()) { roleRoles.add(role.getName()); } @@ -112,7 +114,8 @@ public void createNewRoleMappingForRefTable(RangerRole rangerRole, Boolean creat if (StringUtils.isBlank(roleUser)) { continue; } - RolePrincipalAssociator associator = new RolePrincipalAssociator(PolicyRefUpdater.PrincipalType.USER, roleUser, roleId); + + RolePrincipalAssociator associator = new RolePrincipalAssociator(PolicyRefUpdater.PRINCIPAL_TYPE.USER, roleUser, roleId); if (!associator.doAssociate(false)) { if (isCreateNonExistentUGRs) { @@ -129,7 +132,8 @@ public void createNewRoleMappingForRefTable(RangerRole rangerRole, Boolean creat if (StringUtils.isBlank(roleGroup)) { continue; } - RolePrincipalAssociator associator = new RolePrincipalAssociator(PolicyRefUpdater.PrincipalType.GROUP, roleGroup, roleId); + + RolePrincipalAssociator associator = new RolePrincipalAssociator(PolicyRefUpdater.PRINCIPAL_TYPE.GROUP, roleGroup, roleId); if (!associator.doAssociate(false)) { if (isCreateNonExistentUGRs) { 
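Review bot: the new side refers to the enum as `PolicyRefUpdater.PRINCIPAL_TYPE`, the spelling Java reserves for constants, while the removed `PrincipalType` followed the UpperCamelCase convention for types, so the direction of this rename is surprising; the same pattern recurs in the `@@ -147,7 +151,7 @@` and `@@ -172,23 +176,26 @@` hunks and in the `VERSION_TYPE` references of the ServiceDBStore hunks. If the rename is deliberate, for example to match a name the rest of the code base already depends on, a one-line comment at the enum declaration saying so would keep the next reviewer from flagging it; otherwise `PrincipalType` should be kept. `createNewRoleMappingForRefTable` starts before the first of these hunks and ends after the last.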
@@ -147,7 +151,7 @@ public void createNewRoleMappingForRefTable(RangerRole rangerRole, Boolean creat continue; } - RolePrincipalAssociator associator = new RolePrincipalAssociator(PolicyRefUpdater.PrincipalType.ROLE, roleRole, roleId); + RolePrincipalAssociator associator = new RolePrincipalAssociator(PolicyRefUpdater.PRINCIPAL_TYPE.ROLE, roleRole, roleId); if (!associator.doAssociate(false)) { if (isCreateNonExistentUGRs) { @@ -172,23 +176,26 @@ public Boolean cleanupRefTables(RangerRole rangerRole) { XXRoleRefRoleDao xRoleRoleDao = daoMgr.getXXRoleRefRole(); List xxRoleRefUserIds = xRoleUserDao.findIdsByRoleId(roleId); + xRoleUserDao.deleteRoleRefUserByIds(xxRoleRefUserIds); List xxRoleRefGroupByIds = xRoleGroupDao.findIdsByRoleId(roleId); + xRoleGroupDao.deleteRoleRefGroupByIds(xxRoleRefGroupByIds); List xxRoleRefRoleIds = xRoleRoleDao.findIdsByRoleId(roleId); + xRoleRoleDao.deleteRoleRefRoleByIds(xxRoleRefRoleIds); return true; } private class RolePrincipalAssociator implements Runnable { - final PolicyRefUpdater.PrincipalType type; - final String name; - final Long roleId; + final PolicyRefUpdater.PRINCIPAL_TYPE type; + final String name; + final Long roleId; - public RolePrincipalAssociator(PolicyRefUpdater.PrincipalType type, String name, Long roleId) { + public RolePrincipalAssociator(PolicyRefUpdater.PRINCIPAL_TYPE type, String name, Long roleId) { this.type = type; this.name = name; this.roleId = roleId; @@ -205,18 +212,22 @@ public void run() { boolean doAssociate(boolean isAdmin) { LOG.debug("===> RolePrincipalAssociator.doAssociate({})", isAdmin); + final boolean ret; Long id = createOrGetPrincipal(isAdmin); + if (id != null) { // associate with role createRoleAssociation(id, name); + ret = true; } else { ret = false; } LOG.debug("<=== RolePrincipalAssociator.doAssociate({}) : {}", isAdmin, ret); + return ret; } 
@@ -228,6 +239,7 @@ private Long createOrGetPrincipal(final boolean createIfAbsent) { switch (type) { case USER: { XXUser xUser = daoMgr.getXXUser().findByUserName(name); + if (xUser != null) { ret = xUser.getId(); } else { @@ -251,6 +263,7 @@ private Long createOrGetPrincipal(final boolean createIfAbsent) { break; case ROLE: { XXRole xRole = daoMgr.getXXRole().findByRoleName(name); + if (xRole != null) { ret = xRole.getId(); } else { @@ -264,12 +277,14 @@ private Long createOrGetPrincipal(final boolean createIfAbsent) { default: break; } + LOG.debug("<=== RolePrincipalAssociator.createOrGetPrincipal({}) : {}", createIfAbsent, ret); + return ret; } private Long createPrincipal(String user) { - LOG.warn("Specified in role does not exist in ranger admin, creating new {}, Type: {}, name = {}", type.name(), type.name(), type.name(), user); + LOG.warn("{} specified in role does not exist in ranger admin, creating new {}, Type: {}, name = {}", type.name(), type.name(), type.name(), user); LOG.debug("===> RolePrincipalAssociator.createPrincipal(type={}, name={})", type.name(), name); @@ -295,10 +310,13 @@ private Long createPrincipal(String user) { case GROUP: { // Create group VXGroup vxGroup = new VXGroup(); + vxGroup.setName(name); vxGroup.setDescription(name); vxGroup.setGroupSource(RangerCommonEnums.GROUP_EXTERNAL); + VXGroup vXGroup = xGroupService.createXGroupWithOutLogin(vxGroup); + if (vXGroup != null) { xGroupService.createTransactionLog(vXGroup, null, OPERATION_CREATE_CONTEXT); @@ -311,6 +329,7 @@ private Long createPrincipal(String user) { try { RangerRole rRole = new RangerRole(name, null, null, null, null); RangerRole createdRole = roleStore.createRole(rRole, false); + ret = createdRole.getId(); } catch (Exception e) { LOG.error("Failed to create Role {}", type.name()); 
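Review bot: the `catch (Exception e)` in the `ROLE` case of `createPrincipal` logs `LOG.error("Failed to create Role {}", type.name())` and drops `e`, so the cause of a failed `roleStore.createRole` is lost and the placeholder prints the literal `ROLE` rather than the role; `LOG.error("Failed to create Role {}", name, e);` keeps both. In the same method the reworded warning passes `type.name()` three times and logs `user` as the name, whereas the creation code in these hunks uses the `name` field (`vxGroup.setName(name)`, `new RangerRole(name, ...)`), so the log and the action disagree whenever the two differ; whether callers ever pass anything other than `name` is not visible here. `createPrincipal` begins and ends outside these hunks.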
@@ -320,12 +339,15 @@ private Long createPrincipal(String user) { default: break; } + LOG.debug("<=== RolePrincipalAssociator.createPrincipal(type={}, name={}) : {}", type.name(), name, ret); + return ret; } private void createRoleAssociation(Long id, String name) { LOG.debug("===> RolePrincipalAssociator.createRoleAssociation(roleId={}, type={}, name={}, id={})", roleId, type.name(), name, id); + switch (type) { case USER: { XXRoleRefUser xRoleRefUser = rangerAuditFields.populateAuditFieldsForCreate(new XXRoleRefUser()); @@ -334,6 +356,7 @@ private void createRoleAssociation(Long id, String name) { xRoleRefUser.setUserId(id); xRoleRefUser.setUserName(name); xRoleRefUser.setUserType(0); + daoMgr.getXXRoleRefUser().create(xRoleRefUser); } break; @@ -344,6 +367,7 @@ private void createRoleAssociation(Long id, String name) { xRoleRefGroup.setGroupId(id); xRoleRefGroup.setGroupName(name); xRoleRefGroup.setGroupType(0); + daoMgr.getXXRoleRefGroup().create(xRoleRefGroup); } break; @@ -354,12 +378,14 @@ private void createRoleAssociation(Long id, String name) { xRoleRefRole.setSubRoleId(id); xRoleRefRole.setSubRoleName(name); xRoleRefRole.setSubRoleType(0); + daoMgr.getXXRoleRefRole().create(xRoleRefRole); } break; default: break; } + LOG.debug("<=== RolePrincipalAssociator.createRoleAssociation(roleId={}, type={}, name={}, id={})", roleId, type.name(), name, id); } } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java index f414c17136..547ed088ef 100755 --- a/security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java @@ -52,7 +52,6 @@ import java.util.Collections; import java.util.HashMap; import java.util.List; -import java.util.ListIterator; import java.util.Map; @Component 
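Review bot: `createRoleAssociation(Long id, String name)` declares a `name` parameter that shadows the `name` field of `RolePrincipalAssociator` (visible in the `@@ -172,23 +176,26 @@` hunk), and the only call visible here, in `doAssociate`, passes the field itself; dropping the parameter or renaming it `principalName` removes the ambiguity about which value `setUserName(name)` and its siblings store. The `setUserType(0)`, `setGroupType(0)` and `setSubRoleType(0)` literals in the three cases would read better as one named constant whose meaning is documented. `createRoleAssociation` begins in the `@@ -320,12 +339,15 @@` hunk and its `switch` is only partly visible.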
@@ -96,11 +95,14 @@ public RangerSecurityZone createSecurityZone(RangerSecurityZone securityZone) th daoMgr.getXXGlobalState().onGlobalStateChange(RANGER_GLOBAL_STATE_NAME); RangerSecurityZone createdSecurityZone = securityZoneService.create(securityZone); + if (createdSecurityZone == null) { throw restErrorUtil.createRESTException("Cannot create security zone:[" + securityZone + "]"); } + securityZoneRefUpdater.createNewZoneMappingForRefTable(createdSecurityZone); securityZoneService.createTransactionLog(createdSecurityZone, null, RangerBaseModelService.OPERATION_CREATE_CONTEXT); + return createdSecurityZone; } @@ -111,24 +113,32 @@ public RangerSecurityZone updateSecurityZoneById(RangerSecurityZone securityZone daoMgr.getXXGlobalState().onGlobalStateChange(RANGER_GLOBAL_STATE_NAME); RangerSecurityZone updatedSecurityZone = securityZoneService.update(securityZone); + if (updatedSecurityZone == null) { throw restErrorUtil.createRESTException("Cannot update security zone:[" + securityZone + "]"); } + securityZoneRefUpdater.createNewZoneMappingForRefTable(updatedSecurityZone); + boolean isRenamed = !StringUtils.equals(securityZone.getName(), (null == oldSecurityZone) ? null : oldSecurityZone.getName()); + if (isRenamed) { securityZoneRefUpdater.updateResourceSignatureWithZoneName(updatedSecurityZone); } + securityZoneService.createTransactionLog(updatedSecurityZone, oldSecurityZone, RangerBaseModelService.OPERATION_UPDATE_CONTEXT); + return securityZone; } @Override public void deleteSecurityZoneByName(String zoneName) throws Exception { XXSecurityZone xxSecurityZone = daoMgr.getXXSecurityZoneDao().findByZoneName(zoneName); + if (xxSecurityZone == null) { throw restErrorUtil.createRESTException("security-zone with name: " + zoneName + " does not exist"); } + RangerSecurityZone securityZone = securityZoneService.read(xxSecurityZone.getId()); daoMgr.getXXGlobalState().onGlobalStateChange(RANGER_GLOBAL_STATE_NAME); 
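Review bot: `updateSecurityZoneById` ends with `return securityZone;`, the object the caller passed in, while `createSecurityZone` in the preceding hunk returns the persisted `createdSecurityZone`; callers of update therefore never see anything the service layer filled in on `updatedSecurityZone`. If echoing the input is intentional, a comment on the return saying so would settle it; otherwise `return updatedSecurityZone;` makes the two paths consistent. `updateSecurityZoneById` starts before its hunk.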
@@ -152,24 +162,25 @@ public void deleteSecurityZoneById(Long zoneId) throws Exception { } @Override - public RangerSecurityZone getSecurityZone(Long id) throws Exception { + public RangerSecurityZone getSecurityZone(Long id) { return securityZoneService.read(id); } @Override - public RangerSecurityZone getSecurityZoneByName(String name) throws Exception { + public RangerSecurityZone getSecurityZoneByName(String name) { XXSecurityZone xxSecurityZone = daoMgr.getXXSecurityZoneDao().findByZoneName(name); + if (xxSecurityZone == null) { throw restErrorUtil.createRESTException("security-zone with name: " + name + " does not exist"); } + return securityZoneService.read(xxSecurityZone.getId()); } @Override - public List getSecurityZones(SearchFilter filter) throws Exception { - List ret = new ArrayList<>(); - - List xxSecurityZones = daoMgr.getXXSecurityZoneDao().getAll(); + public List getSecurityZones(SearchFilter filter) { + List ret = new ArrayList<>(); + List xxSecurityZones = daoMgr.getXXSecurityZoneDao().getAll(); for (XXSecurityZone xxSecurityZone : xxSecurityZones) { if (!xxSecurityZone.getId().equals(RangerSecurityZone.RANGER_UNZONED_SECURITY_ZONE_ID)) { @@ -181,6 +192,7 @@ public List getSecurityZones(SearchFilter filter) throws Exc List copy = new ArrayList<>(ret); predicateUtil.applyFilter(copy, filter); + ret = copy; } @@ -192,6 +204,7 @@ public Map getSecurityZone Map ret = null; SearchFilter filter = new SearchFilter(); + filter.setParam(SearchFilter.SERVICE_NAME, serviceName); try { 
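Review bot: `getSecurityZoneByName` no longer declares `throws Exception`, yet its not-found path still throws the unchecked exception built by `restErrorUtil.createRESTException(...)`, which the new signature says nothing about; a Javadoc `@throws` line naming that condition keeps the contract visible to callers. `getSecurityZone(Long id)` in the same hunk simply returns whatever `securityZoneService.read(id)` yields, so the two lookups behave differently for a missing zone and both deserve a sentence documenting that.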
@@ -227,13 +240,7 @@ public List getSecurityZoneHeaderInfoList(HttpServ List ret = daoMgr.getXXSecurityZoneDao().findAllZoneHeaderInfos(); if (!ret.isEmpty() && filterByNamePrefix) { - for (ListIterator iter = ret.listIterator(); iter.hasNext(); ) { - RangerSecurityZoneHeaderInfo zoneHeader = iter.next(); - - if (!StringUtils.startsWithIgnoreCase(zoneHeader.getName(), namePrefix)) { - iter.remove(); - } - } + ret.removeIf(zoneHeader -> !StringUtils.startsWithIgnoreCase(zoneHeader.getName(), namePrefix)); } return ret; @@ -251,13 +258,7 @@ public List getServiceHeaderInfoListByZoneId(Long zoneI ret.addAll(tagServices); if (!ret.isEmpty() && filterByNamePrefix) { - for (ListIterator iter = ret.listIterator(); iter.hasNext(); ) { - RangerServiceHeaderInfo serviceHeader = iter.next(); - - if (!StringUtils.startsWithIgnoreCase(serviceHeader.getName(), namePrefix)) { - iter.remove(); - } - } + ret.removeIf(serviceHeader -> !StringUtils.startsWithIgnoreCase(serviceHeader.getName(), namePrefix)); } return ret; @@ -274,19 +275,13 @@ public List getSecurityZoneHeaderInfoListByService List ret = daoMgr.getXXSecurityZoneDao().findAllZoneHeaderInfosByServiceId(serviceId, isTagService); if (!ret.isEmpty() && filterByNamePrefix) { - for (ListIterator iter = ret.listIterator(); iter.hasNext(); ) { - RangerSecurityZoneHeaderInfo zoneHeader = iter.next(); - - if (!StringUtils.startsWithIgnoreCase(zoneHeader.getName(), namePrefix)) { - iter.remove(); - } - } + ret.removeIf(zoneHeader -> !StringUtils.startsWithIgnoreCase(zoneHeader.getName(), namePrefix)); } return ret; } - public PList getZonesSummary(SearchFilter filter) throws Exception { + public PList getZonesSummary(SearchFilter filter) { int maxRows = filter.getMaxRows(); int startIndex = filter.getStartIndex(); 
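Review bot: the three `removeIf` rewrites in this section are the same expression over different element types; a small helper such as `private static <T> void retainNamePrefix(List<T> items, Function<T, String> nameOf, String prefix)` with the body `items.removeIf(i -> !StringUtils.startsWithIgnoreCase(nameOf.apply(i), prefix));` would keep the case-insensitive prefix rule in one place for all three call sites. `StringUtils.startsWithIgnoreCase` returns false for a null prefix against a non-null name, so each site drops every entry if `filterByNamePrefix` can be true while `namePrefix` is null; how `filterByNamePrefix` is derived is outside these hunks.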
@@ -312,9 +307,7 @@ public PList getZonesSummary(SearchFilter filter) throws Ex paginatedList = Collections.emptyList(); } - PList ret = new PList<>(paginatedList, startIndex, maxRows, summaryList.size(), paginatedList.size(), filter.getSortType(), filter.getSortBy()); - - return ret; + return new PList<>(paginatedList, startIndex, maxRows, summaryList.size(), paginatedList.size(), filter.getSortType(), filter.getSortBy()); } private SecurityZoneSummary toSecurityZoneSummary(RangerSecurityZone securityZone) { diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneRefUpdater.java b/security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneRefUpdater.java index 87468468d8..c7a8c46113 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneRefUpdater.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneRefUpdater.java 
@@ -83,28 +83,24 @@ public class SecurityZoneRefUpdater { @Autowired RangerPolicyService policyService; - public void createNewZoneMappingForRefTable(RangerSecurityZone rangerSecurityZone) throws Exception { + public void createNewZoneMappingForRefTable(RangerSecurityZone rangerSecurityZone) { if (rangerSecurityZone == null) { return; } cleanupRefTables(rangerSecurityZone); - final Long zoneId = rangerSecurityZone == null ? null : rangerSecurityZone.getId(); + final Long zoneId = rangerSecurityZone.getId(); final Map zoneServices = rangerSecurityZone.getServices(); - final Set users = new HashSet<>(); - final Set userGroups = new HashSet<>(); - final Set roles = new HashSet<>(); - final Set tagServices = new HashSet<>(); + final Set users = new HashSet<>(rangerSecurityZone.getAdminUsers()); + final Set userGroups = new HashSet<>(rangerSecurityZone.getAdminUserGroups()); + final Set roles = new HashSet<>(rangerSecurityZone.getAdminRoles()); + final Set tagServices = new HashSet<>(rangerSecurityZone.getTagServices()); - users.addAll(rangerSecurityZone.getAdminUsers()); - userGroups.addAll(rangerSecurityZone.getAdminUserGroups()); - roles.addAll(rangerSecurityZone.getAdminRoles()); users.addAll(rangerSecurityZone.getAuditUsers()); userGroups.addAll(rangerSecurityZone.getAuditUserGroups()); roles.addAll(rangerSecurityZone.getAuditRoles()); - tagServices.addAll(rangerSecurityZone.getTagServices()); for (Map.Entry service : zoneServices.entrySet()) { String serviceName = service.getKey(); @@ -129,6 +125,7 @@ public void createNewZoneMappingForRefTable(RangerSecurityZone rangerSecurityZon for (Map> resourceMap : service.getValue().getResources()) { //add all resourcedefs in pre defined set for (Map.Entry> resource : resourceMap.entrySet()) { String resourceName = resource.getKey(); + if (StringUtils.isBlank(resourceName)) { continue; } 
@@ -138,8 +135,7 @@ public void createNewZoneMappingForRefTable(RangerSecurityZone rangerSecurityZon } for (String resourceName : resourceDefNames) { - XXResourceDef xResourceDef = daoMgr.getXXResourceDef().findByNameAndServiceDefId(resourceName, xServiceDef.getId()); - + XXResourceDef xResourceDef = daoMgr.getXXResourceDef().findByNameAndServiceDefId(resourceName, xServiceDef.getId()); XXSecurityZoneRefResource xZoneResource = rangerAuditFields.populateAuditFieldsForCreate(new XXSecurityZoneRefResource()); xZoneResource.setZoneId(zoneId); @@ -157,6 +153,7 @@ public void createNewZoneMappingForRefTable(RangerSecurityZone rangerSecurityZon } XXService xService = daoMgr.getXXService().findByName(tagService); + if (xService == null || xService.getType() != RangerConstants.TAG_SERVICE_TYPE) { throw restErrorUtil.createRESTException("Tag Service named: " + tagService + " does not exist ", MessageEnums.INVALID_INPUT_DATA); } @@ -283,6 +280,7 @@ public Boolean cleanupRefTables(RangerSecurityZone rangerSecurityZone) { public void updateResourceSignatureWithZoneName(RangerSecurityZone updatedSecurityZone) { List policyList = daoMgr.getXXPolicy().findByZoneId(updatedSecurityZone.getId()); + LOG.debug("==> SecurityZoneRefUpdater.updateResourceSignatureWithZoneName() Count of policies with zone id : {} are : {}", updatedSecurityZone.getId(), policyList.size()); for (XXPolicy policy : policyList) { diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index 6a4875bb16..8ea288a3bd 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
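Review bot: `xService.getType() != RangerConstants.TAG_SERVICE_TYPE` is a reference comparison if both operands are boxed (`Integer` or `Long`) rather than at least one being primitive, and the declared types of `getType()` and `TAG_SERVICE_TYPE` are not visible in this hunk, so this is worth confirming. If both are boxed, `!Objects.equals(xService.getType(), RangerConstants.TAG_SERVICE_TYPE)` or an explicit unboxing avoids a check that only happens to work for small cached values. `createNewZoneMappingForRefTable` continues outside the hunk.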
@@ -184,8 +184,6 @@ import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.stereotype.Component; import org.springframework.transaction.PlatformTransactionManager; -import org.springframework.transaction.TransactionStatus; -import org.springframework.transaction.support.TransactionCallback; import org.springframework.transaction.support.TransactionTemplate; import javax.annotation.PostConstruct; @@ -202,7 +200,6 @@ import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; -import java.util.Collections; import java.util.Comparator; import java.util.Date; import java.util.HashMap; 
@@ -223,149 +220,191 @@ @Component public class ServiceDBStore extends AbstractServiceStore { - public static final String SERVICE_ADMIN_USERS = "service.admin.users"; - public static final String SERVICE_ADMIN_GROUPS = "service.admin.groups"; - public static final String GDS_SERVICE_NAME = "_gds"; - public static final String CRYPT_ALGO = PropertiesUtil.getProperty("ranger.password.encryption.algorithm", PasswordUtils.DEFAULT_CRYPT_ALGO); - public static final String ENCRYPT_KEY = PropertiesUtil.getProperty("ranger.password.encryption.key", PasswordUtils.DEFAULT_ENCRYPT_KEY); - public static final String SALT = PropertiesUtil.getProperty("ranger.password.salt", PasswordUtils.DEFAULT_SALT); - public static final Integer ITERATION_COUNT = PropertiesUtil.getIntProperty("ranger.password.iteration.count", PasswordUtils.DEFAULT_ITERATION_COUNT); - public static final String RANGER_PLUGIN_AUDIT_FILTERS = "ranger.plugin.audit.filters"; - public static final String HIDDEN_PASSWORD_STR = "*****"; - public static final String CONFIG_KEY_PASSWORD = "password"; - public static final String ACCESS_TYPE_DECRYPT_EEK = "decrypteek"; - public static final String ACCESS_TYPE_GENERATE_EEK = "generateeek"; - public static final String ACCESS_TYPE_GET_METADATA = "getmetadata"; private static final Logger LOG = LoggerFactory.getLogger(ServiceDBStore.class); - private static final String POLICY_ALLOW_EXCLUDE = "Policy Allow:Exclude"; - private static final String POLICY_ALLOW_INCLUDE = "Policy Allow:Include"; - private static final String POLICY_DENY_EXCLUDE = "Policy Deny:Exclude"; - private static final String POLICY_DENY_INCLUDE = "Policy Deny:Include"; - private static final String POLICY_TYPE_ACCESS = "Access"; - private static final String POLICY_TYPE_DATAMASK = "Masking"; - private static final String POLICY_TYPE_ROWFILTER = "Row Level Filter"; - private static final String HOSTNAME = "Host name"; - private static final String USER_NAME = "Exported by"; - private static final 
String RANGER_VERSION = "Ranger apache version"; - private static final String TIMESTAMP = "Export time"; - private static final String EXPORT_COUNT = "Exported count"; - private static final String SERVICE_CHECK_USER = "service.check.user"; - private static final String AMBARI_SERVICE_CHECK_USER = "ambari.service.check.user"; - private static final String RANGER_PLUGIN_CONFIG_PREFIX = "ranger.plugin."; - private static final Comparator POLICY_DELTA_ID_COMPARATOR = new RangerPolicyDeltaComparator(); - public static boolean supportsPolicyDeltas; - public static boolean supportsInPlacePolicyUpdates; - public static Integer retentionPeriodInDays = 7; - public static Integer tagRetentionPeriodInDays = 3; - public static boolean supportsPurgeLoginRecords; - public static Integer loginRecordsRetentionPeriodInDays = 0; - public static boolean supportsPurgeTransactionRecords; - public static Integer transactionRecordsRetentionPeriodInDays = 0; - public static boolean supportsPurgePolicyExportLogs; - public static Integer policyExportLogsRetentionPeriodInDays = 0; - private static String localHostname; - private static boolean isRolesDownloadedByService; - private static volatile boolean legacyServiceDefsInitDone; + + public static final String SERVICE_ADMIN_USERS = "service.admin.users"; + public static final String SERVICE_ADMIN_GROUPS = "service.admin.groups"; + public static final String GDS_SERVICE_NAME = "_gds"; + public static final String CRYPT_ALGO = PropertiesUtil.getProperty("ranger.password.encryption.algorithm", PasswordUtils.DEFAULT_CRYPT_ALGO); + public static final String ENCRYPT_KEY = PropertiesUtil.getProperty("ranger.password.encryption.key", PasswordUtils.DEFAULT_ENCRYPT_KEY); + public static final String SALT = PropertiesUtil.getProperty("ranger.password.salt", PasswordUtils.DEFAULT_SALT); + public static final Integer ITERATION_COUNT = PropertiesUtil.getIntProperty("ranger.password.iteration.count", PasswordUtils.DEFAULT_ITERATION_COUNT); + public 
static final String RANGER_PLUGIN_AUDIT_FILTERS = "ranger.plugin.audit.filters"; + public static final String HIDDEN_PASSWORD_STR = "*****"; + public static final String CONFIG_KEY_PASSWORD = "password"; + public static final String ACCESS_TYPE_DECRYPT_EEK = "decrypteek"; + public static final String ACCESS_TYPE_GENERATE_EEK = "generateeek"; + public static final String ACCESS_TYPE_GET_METADATA = "getmetadata"; + + private static final String POLICY_ALLOW_EXCLUDE = "Policy Allow:Exclude"; + private static final String POLICY_ALLOW_INCLUDE = "Policy Allow:Include"; + private static final String POLICY_DENY_EXCLUDE = "Policy Deny:Exclude"; + private static final String POLICY_DENY_INCLUDE = "Policy Deny:Include"; + private static final String POLICY_TYPE_ACCESS = "Access"; + private static final String POLICY_TYPE_DATAMASK = "Masking"; + private static final String POLICY_TYPE_ROWFILTER = "Row Level Filter"; + private static final String HOSTNAME = "Host name"; + private static final String USER_NAME = "Exported by"; + private static final String RANGER_VERSION = "Ranger apache version"; + private static final String TIMESTAMP = "Export time"; + private static final String EXPORT_COUNT = "Exported count"; + private static final String SERVICE_CHECK_USER = "service.check.user"; + private static final String AMBARI_SERVICE_CHECK_USER = "ambari.service.check.user"; + private static final String RANGER_PLUGIN_CONFIG_PREFIX = "ranger.plugin."; + private static final String LINE_SEPARATOR = "\n"; + private static final String FILE_HEADER = "ID|Name|Resources|Roles|Groups|Users|Accesses|Service Type|Status|Policy Type|Delegate Admin|isRecursive|isExcludes|Service Name|Description|isAuditEnabled|Policy Conditions|Policy Condition Type|Masking Options|Row Filter Expr|Policy Label Name"; + private static final String COMMA_DELIMITER = "|"; + + private static final Comparator POLICY_DELTA_ID_COMPARATOR = new RangerPolicyDeltaComparator(); + + public static boolean 
SUPPORTS_POLICY_DELTAS; + public static boolean SUPPORTS_IN_PLACE_POLICY_UPDATES; + public static Integer RETENTION_PERIOD_IN_DAYS = 7; + public static Integer TAG_RETENTION_PERIOD_IN_DAYS = 3; + public static boolean SUPPORTS_PURGE_LOGIN_RECORDS; + public static Integer LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS; + public static boolean SUPPORTS_PURGE_TRANSACTION_RECORDS; + public static Integer TRANSACTION_RECORDS_RETENTION_PERIOD_IN_DAYS; + public static boolean SUPPORTS_PURGE_POLICY_EXPORT_LOGS; + public static Integer POLICY_EXPORT_LOGS_RETENTION_PERIOD_IN_DAYS; + + private static String LOCAL_HOSTNAME; + private static boolean isRolesDownloadedByService; + + private static volatile boolean legacyServiceDefsInitDone; + @Autowired - RangerServiceDefService serviceDefService; + RangerServiceDefService serviceDefService; + @Autowired - RangerDaoManager daoMgr; + RangerDaoManager daoMgr; + @Autowired - RESTErrorUtil restErrorUtil; + RESTErrorUtil restErrorUtil; + @Autowired - RangerServiceService svcService; + RangerServiceService svcService; + @Autowired - StringUtil stringUtil; + StringUtil stringUtil; + @Autowired - RangerAuditFields rangerAuditFields; + RangerAuditFields rangerAuditFields; + @Autowired - RangerPolicyService policyService; + RangerPolicyService policyService; + @Autowired RangerPolicyLabelsService policyLabelsService; + @Autowired - XUserService xUserService; + XUserService xUserService; + @Autowired - XUserMgr xUserMgr; + XUserMgr xUserMgr; + @Autowired - XGroupService xGroupService; + XGroupService xGroupService; + @Autowired - PolicyRefUpdater policyRefUpdater; + PolicyRefUpdater policyRefUpdater; + @Autowired - RangerDataHistService dataHistService; + RangerDataHistService dataHistService; + @Autowired @Qualifier(value = "transactionManager") - PlatformTransactionManager txManager; + PlatformTransactionManager txManager; + @Autowired - RangerBizUtil bizUtil; + RangerBizUtil bizUtil; + @Autowired - RangerPolicyWithAssignedIdService 
assignedIdPolicyService; + RangerPolicyWithAssignedIdService assignedIdPolicyService; + @Autowired - RangerServiceWithAssignedIdService svcServiceWithAssignedId; + RangerServiceWithAssignedIdService svcServiceWithAssignedId; + @Autowired - RangerServiceDefWithAssignedIdService svcDefServiceWithAssignedId; + RangerServiceDefWithAssignedIdService svcDefServiceWithAssignedId; + @Autowired - RangerFactory factory; + RangerFactory factory; + @Autowired - JSONUtil jsonUtil; + JSONUtil jsonUtil; + @Autowired - ServiceMgr serviceMgr; + ServiceMgr serviceMgr; + @Autowired - AssetMgr assetMgr; + AssetMgr assetMgr; + @Autowired - RangerTransactionSynchronizationAdapter transactionSynchronizationAdapter; + RangerTransactionSynchronizationAdapter transactionSynchronizationAdapter; + @Autowired - RangerSecurityZoneServiceService securityZoneService; + RangerSecurityZoneServiceService securityZoneService; + @Autowired - TagDBStore tagStore; + TagDBStore tagStore; + @Autowired - UserMgr userMgr; + UserMgr userMgr; + @Autowired - SecurityZoneDBStore securityZoneStore; + SecurityZoneDBStore securityZoneStore; + @Autowired - GUIDUtil guidUtil; - private Boolean populateExistingBaseFields = false; + GUIDUtil guidUtil; + + private boolean populateExistingBaseFields; private ServicePredicateUtil predicateUtil; private RangerAdminConfig config; public static void persistVersionChange(ServiceVersionUpdater serviceVersionUpdater) { RangerDaoManager daoMgr = serviceVersionUpdater.daoManager; Long id = serviceVersionUpdater.serviceId; - VersionType versionType = serviceVersionUpdater.versionType; + VERSION_TYPE versionType = serviceVersionUpdater.versionType; + Long nextVersion = 1L; + Date now = new Date(); XXServiceVersionInfoDao serviceVersionInfoDao = daoMgr.getXXServiceVersionInfo(); - - XXServiceVersionInfo serviceVersionInfoDbObj = serviceVersionInfoDao.findByServiceId(id); - XXService service = daoMgr.getXXService().getById(id); - - Long nextVersion = 1L; - Date now = new Date(); + 
XXServiceVersionInfo serviceVersionInfoDbObj = serviceVersionInfoDao.findByServiceId(id); + XXService service = daoMgr.getXXService().getById(id); if (serviceVersionInfoDbObj != null) { - if (versionType == VersionType.POLICY_VERSION) { + if (versionType == VERSION_TYPE.POLICY_VERSION) { nextVersion = getNextVersion(serviceVersionInfoDbObj.getPolicyVersion()); + serviceVersionInfoDbObj.setPolicyVersion(nextVersion); serviceVersionInfoDbObj.setPolicyUpdateTime(now); - } else if (versionType == VersionType.TAG_VERSION) { + } else if (versionType == VERSION_TYPE.TAG_VERSION) { nextVersion = getNextVersion(serviceVersionInfoDbObj.getTagVersion()); + serviceVersionInfoDbObj.setTagVersion(nextVersion); serviceVersionInfoDbObj.setTagUpdateTime(now); - } else if (versionType == VersionType.ROLE_VERSION) { + } else if (versionType == VERSION_TYPE.ROLE_VERSION) { // get the LatestRoleVersion from the GlobalTable and update ServiceInfo for a service XXGlobalStateDao xxGlobalStateDao = daoMgr.getXXGlobalState(); + if (xxGlobalStateDao != null) { Long roleVersion = xxGlobalStateDao.getAppDataVersion("RangerRole"); + if (roleVersion != null) { nextVersion = roleVersion; } else { LOG.error("No Global state for 'RoleVersion'. Cannot execute this object:[{}]", serviceVersionUpdater); } + serviceVersionInfoDbObj.setRoleVersion(nextVersion); serviceVersionInfoDbObj.setRoleUpdateTime(now); } else { LOG.error("No Global state DAO. Cannot execute this object:[{}]", serviceVersionUpdater); + return; } - } else if (versionType == VersionType.GDS_VERSION) { + } else if (versionType == VERSION_TYPE.GDS_VERSION) { nextVersion = daoMgr.getXXGlobalState().getAppDataVersion(RANGER_GLOBAL_STATE_NAME_GDS); if (nextVersion == null) { 
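Review bot: `LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS`, `TRANSACTION_RECORDS_RETENTION_PERIOD_IN_DAYS` and `POLICY_EXPORT_LOGS_RETENTION_PERIOD_IN_DAYS` are declared as `Integer` and lose the `= 0` initialiser the removed fields had, so they are null until something assigns them and any unboxing before that point now throws `NullPointerException` where it used to read 0; unless `initStore` (outside this hunk) is guaranteed to set all three before first use, keep the initialiser or make them `int`. These and `SUPPORTS_POLICY_DELTAS` and its siblings are mutable, non-final public statics spelled in UPPER_SNAKE_CASE, which tells readers they are constants; `private static String LOCAL_HOSTNAME` has the same problem, while `isRolesDownloadedByService` next to it keeps the field spelling. `CRYPT_ALGO`, `ENCRYPT_KEY` and `SALT` stay `public static final` fields holding password-encryption parameters; narrowing them to package-private with accessors limits which classes can read that material, though the visibility is pre-existing rather than introduced here. `persistVersionChange` runs past the end of the hunk.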
@@ -375,15 +414,18 @@ public static void persistVersionChange(ServiceVersionUpdater serviceVersionUpda serviceVersionInfoDbObj.setGdsVersion(nextVersion); serviceVersionInfoDbObj.setGdsUpdateTime(now); } else { - LOG.error("Unknown VersionType:{}. Cannot execute this object:[{}]", versionType, serviceVersionUpdater); + LOG.error("Unknown VERSION_TYPE:{}. Cannot execute this object:[{}]", versionType, serviceVersionUpdater); + return; } serviceVersionUpdater.version = nextVersion; + serviceVersionInfoDao.update(serviceVersionInfoDbObj); } else { if (service != null) { serviceVersionInfoDbObj = new XXServiceVersionInfo(); + serviceVersionInfoDbObj.setServiceId(service.getId()); serviceVersionInfoDbObj.setPolicyVersion(nextVersion); serviceVersionInfoDbObj.setPolicyUpdateTime(now); @@ -395,21 +437,22 @@ public static void persistVersionChange(ServiceVersionUpdater serviceVersionUpda serviceVersionInfoDbObj.setGdsUpdateTime(now); serviceVersionUpdater.version = nextVersion; + serviceVersionInfoDao.create(serviceVersionInfoDbObj); } } if (service != null) { - if (versionType == VersionType.POLICY_VERSION) { + if (versionType == VERSION_TYPE.POLICY_VERSION) { persistChangeLog(service, versionType, serviceVersionInfoDbObj.getPolicyVersion(), serviceVersionUpdater); - } else if (versionType == VersionType.TAG_VERSION) { + } else if (versionType == VERSION_TYPE.TAG_VERSION) { persistChangeLog(service, versionType, serviceVersionInfoDbObj.getTagVersion(), serviceVersionUpdater); } } } public static boolean isSupportsPolicyDeltas() { - return supportsPolicyDeltas; + return SUPPORTS_POLICY_DELTAS; } public static boolean isSupportsRolesDownloadByService() { 
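Review bot: The `return;` added after `LOG.error("Unknown VERSION_TYPE:{} ...")` is a behaviour change inside what is otherwise a formatting commit: before, that branch fell through to `serviceVersionUpdater.version = nextVersion;` and `serviceVersionInfoDao.update(serviceVersionInfoDbObj);`, so for an unrecognised type the caller now finds `version` untouched and no row update (the `return;` after "No Global state DAO" in the preceding, cut-off hunk does the same). If that is intended, say so at the return, e.g. `return; // nothing persisted; leave serviceVersionUpdater.version unset`, and mention it in the commit message. Separately, renaming the enum from `VersionType` to `VERSION_TYPE` goes against the UpperCamelCase convention for type names; unless existing callers require the all-caps form, `VersionType` was the conventional spelling. persistVersionChange starts in the previous hunk, outside this one.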
@@ -428,6 +471,7 @@ public RangerServiceDef createServiceDef(RangerServiceDef serviceDef) throws Exc LOG.debug("==> ServiceDBStore.createServiceDef({})", serviceDef); XXServiceDef xServiceDef = daoMgr.getXXServiceDef().findByName(serviceDef.getName()); + if (xServiceDef != null) { throw restErrorUtil.createRESTException("service-def with name: " + serviceDef.getName() + " already exists", MessageEnums.ERROR_DUPLICATE_OBJECT); } @@ -439,6 +483,7 @@ public RangerServiceDef createServiceDef(RangerServiceDef serviceDef) throws Exc RangerServiceDefValidator validator = new RangerServiceDefValidator(this); List failures = new ArrayList<>(); boolean isValidResources = validator.isValidResources(serviceDef, failures, RangerValidator.Action.CREATE); + if (!isValidResources) { throw restErrorUtil.createRESTException("service-def with name: " + serviceDef.getName() + " has invalid resources:[" + failures + "]", MessageEnums.INVALID_INPUT_DATA); } 
@@ -450,25 +495,28 @@ public RangerServiceDef createServiceDef(RangerServiceDef serviceDef) throws Exc List enums = serviceDef.getEnums(); RangerDataMaskDef dataMaskDef = serviceDef.getDataMaskDef(); RangerRowFilterDef rowFilterDef = serviceDef.getRowFilterDef(); - List dataMaskTypes = dataMaskDef == null || dataMaskDef.getMaskTypes() == null ? new ArrayList() : dataMaskDef.getMaskTypes(); - List dataMaskAccessTypes = dataMaskDef == null || dataMaskDef.getAccessTypes() == null ? new ArrayList() : dataMaskDef.getAccessTypes(); - List dataMaskResources = dataMaskDef == null || dataMaskDef.getResources() == null ? new ArrayList() : dataMaskDef.getResources(); - List rowFilterAccessTypes = rowFilterDef == null || rowFilterDef.getAccessTypes() == null ? new ArrayList() : rowFilterDef.getAccessTypes(); - List rowFilterResources = rowFilterDef == null || rowFilterDef.getResources() == null ? new ArrayList() : rowFilterDef.getResources(); + List dataMaskTypes = dataMaskDef == null || dataMaskDef.getMaskTypes() == null ? new ArrayList<>() : dataMaskDef.getMaskTypes(); + List dataMaskAccessTypes = dataMaskDef == null || dataMaskDef.getAccessTypes() == null ? new ArrayList<>() : dataMaskDef.getAccessTypes(); + List dataMaskResources = dataMaskDef == null || dataMaskDef.getResources() == null ? new ArrayList<>() : dataMaskDef.getResources(); + List rowFilterAccessTypes = rowFilterDef == null || rowFilterDef.getAccessTypes() == null ? new ArrayList<>() : rowFilterDef.getAccessTypes(); + List rowFilterResources = rowFilterDef == null || rowFilterDef.getResources() == null ? new ArrayList<>() : rowFilterDef.getResources(); RangerServiceDefHelper defHelper = new RangerServiceDefHelper(serviceDef, false); + defHelper.patchServiceDefWithDefaultValues(); // While creating, value of version should be 1. 
- serviceDef.setVersion(Long.valueOf(1)); + serviceDef.setVersion(1L); if (populateExistingBaseFields) { svcDefServiceWithAssignedId.setPopulateExistingBaseFields(true); + daoMgr.getXXServiceDef().setIdentityInsert(true); svcDefServiceWithAssignedId.create(serviceDef); svcDefServiceWithAssignedId.setPopulateExistingBaseFields(false); + daoMgr.getXXServiceDef().updateSequence(); daoMgr.getXXServiceDef().setIdentityInsert(false); } else { 
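Review bot: The `populateExistingBaseFields` branch sets `setPopulateExistingBaseFields(true)` and `daoMgr.getXXServiceDef().setIdentityInsert(true)` and only clears them after `svcDefServiceWithAssignedId.create(serviceDef)` returns, so an exception from the create leaves both flags set on what look like shared Spring beans and the identity-insert mode can leak into later requests; the same shape is in createService (`@@ -888`) and updateService (`@@ -1060`). Clearing the flags in a `finally` removes that window. createServiceDef starts in the preceding hunk and continues past this one.
```java
if (populateExistingBaseFields) {
    svcDefServiceWithAssignedId.setPopulateExistingBaseFields(true);
    daoMgr.getXXServiceDef().setIdentityInsert(true);

    try {
        svcDefServiceWithAssignedId.create(serviceDef);
        daoMgr.getXXServiceDef().updateSequence();
    } finally {
        // always restore shared state, even when create() throws
        svcDefServiceWithAssignedId.setPopulateExistingBaseFields(false);
        daoMgr.getXXServiceDef().setIdentityInsert(false);
    }
} else {
    // … unchanged: create via serviceDefService …
```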
@@ -476,100 +524,126 @@ public RangerServiceDef createServiceDef(RangerServiceDef serviceDef) throws Exc serviceDef.setId(null); serviceDef.setCreateTime(null); serviceDef.setUpdateTime(null); + serviceDef = serviceDefService.create(serviceDef); } - Long serviceDefId = serviceDef.getId(); - XXServiceDef createdSvcDef = daoMgr.getXXServiceDef().getById(serviceDefId); + Long serviceDefId = serviceDef.getId(); + XXServiceDef createdSvcDef = daoMgr.getXXServiceDef().getById(serviceDefId); XXServiceConfigDefDao xxServiceConfigDao = daoMgr.getXXServiceConfigDef(); + for (int i = 0; i < configs.size(); i++) { - RangerServiceConfigDef config = configs.get(i); + RangerServiceConfigDef config = configs.get(i); + XXServiceConfigDef xConfig = new XXServiceConfigDef(); - XXServiceConfigDef xConfig = new XXServiceConfigDef(); xConfig = serviceDefService.populateRangerServiceConfigDefToXX(config, xConfig, createdSvcDef, RangerServiceDefService.OPERATION_CREATE_CONTEXT); + xConfig.setOrder(i); - xConfig = xxServiceConfigDao.create(xConfig); + + xxServiceConfigDao.create(xConfig); } XXResourceDefDao xxResDefDao = daoMgr.getXXResourceDef(); - for (int i = 0; i < resources.size(); i++) { - RangerResourceDef resource = resources.get(i); - XXResourceDef parent = xxResDefDao.findByNameAndServiceDefId(resource.getParent(), serviceDefId); - Long parentId = (parent != null) ? parent.getId() : null; + for (int i = 0; i < resources.size(); i++) { + RangerResourceDef resource = resources.get(i); + XXResourceDef parent = xxResDefDao.findByNameAndServiceDefId(resource.getParent(), serviceDefId); + Long parentId = (parent != null) ? 
parent.getId() : null; + XXResourceDef xResource = new XXResourceDef(); - XXResourceDef xResource = new XXResourceDef(); xResource = serviceDefService.populateRangerResourceDefToXX(resource, xResource, createdSvcDef, RangerServiceDefService.OPERATION_CREATE_CONTEXT); + xResource.setOrder(i); xResource.setParent(parentId); - xResource = xxResDefDao.create(xResource); + + xxResDefDao.create(xResource); } XXAccessTypeDefDao xxATDDao = daoMgr.getXXAccessTypeDef(); + for (int i = 0; i < accessTypes.size(); i++) { - RangerAccessTypeDef accessType = accessTypes.get(i); + RangerAccessTypeDef accessType = accessTypes.get(i); + XXAccessTypeDef xAccessType = new XXAccessTypeDef(); - XXAccessTypeDef xAccessType = new XXAccessTypeDef(); xAccessType = serviceDefService.populateRangerAccessTypeDefToXX(accessType, xAccessType, createdSvcDef, RangerServiceDefService.OPERATION_CREATE_CONTEXT); + xAccessType.setOrder(i); + xAccessType = xxATDDao.create(xAccessType); Collection impliedGrants = accessType.getImpliedGrants(); XXAccessTypeDefGrantsDao xxATDGrantDao = daoMgr.getXXAccessTypeDefGrants(); + for (String impliedGrant : impliedGrants) { XXAccessTypeDefGrants xImpliedGrant = new XXAccessTypeDefGrants(); + xImpliedGrant.setAtdId(xAccessType.getId()); xImpliedGrant.setImpliedGrant(impliedGrant); - xImpliedGrant = xxATDGrantDao.create(xImpliedGrant); + + xxATDGrantDao.create(xImpliedGrant); } } XXPolicyConditionDefDao xxPolCondDao = daoMgr.getXXPolicyConditionDef(); + for (int i = 0; i < policyConditions.size(); i++) { - RangerPolicyConditionDef policyCondition = policyConditions.get(i); + RangerPolicyConditionDef policyCondition = policyConditions.get(i); + XXPolicyConditionDef xPolicyCondition = new XXPolicyConditionDef(); - XXPolicyConditionDef xPolicyCondition = new XXPolicyConditionDef(); xPolicyCondition = serviceDefService.populateRangerPolicyConditionDefToXX(policyCondition, xPolicyCondition, createdSvcDef, RangerServiceDefService.OPERATION_CREATE_CONTEXT); + 
xPolicyCondition.setOrder(i); - xPolicyCondition = xxPolCondDao.create(xPolicyCondition); + + xxPolCondDao.create(xPolicyCondition); } XXContextEnricherDefDao xxContextEnricherDao = daoMgr.getXXContextEnricherDef(); + for (int i = 0; i < contextEnrichers.size(); i++) { - RangerContextEnricherDef contextEnricher = contextEnrichers.get(i); + RangerContextEnricherDef contextEnricher = contextEnrichers.get(i); + XXContextEnricherDef xContextEnricher = new XXContextEnricherDef(); - XXContextEnricherDef xContextEnricher = new XXContextEnricherDef(); xContextEnricher = serviceDefService.populateRangerContextEnricherDefToXX(contextEnricher, xContextEnricher, createdSvcDef, RangerServiceDefService.OPERATION_CREATE_CONTEXT); + xContextEnricher.setOrder(i); - xContextEnricher = xxContextEnricherDao.create(xContextEnricher); + + xxContextEnricherDao.create(xContextEnricher); } XXEnumDefDao xxEnumDefDao = daoMgr.getXXEnumDef(); + for (RangerEnumDef vEnum : enums) { XXEnumDef xEnum = new XXEnumDef(); + xEnum = serviceDefService.populateRangerEnumDefToXX(vEnum, xEnum, createdSvcDef, RangerServiceDefService.OPERATION_CREATE_CONTEXT); xEnum = xxEnumDefDao.create(xEnum); List elements = vEnum.getElements(); XXEnumElementDefDao xxEnumEleDefDao = daoMgr.getXXEnumElementDef(); + for (int i = 0; i < elements.size(); i++) { - RangerEnumElementDef element = elements.get(i); + RangerEnumElementDef element = elements.get(i); + XXEnumElementDef xElement = new XXEnumElementDef(); - XXEnumElementDef xElement = new XXEnumElementDef(); xElement = serviceDefService.populateRangerEnumElementDefToXX(element, xElement, xEnum, RangerServiceDefService.OPERATION_CREATE_CONTEXT); + xElement.setOrder(i); - xElement = xxEnumEleDefDao.create(xElement); + + xxEnumEleDefDao.create(xElement); } } XXDataMaskTypeDefDao xxDataMaskDefDao = daoMgr.getXXDataMaskTypeDef(); + for (int i = 0; i < dataMaskTypes.size(); i++) { - RangerDataMaskTypeDef dataMask = dataMaskTypes.get(i); + RangerDataMaskTypeDef dataMask = 
dataMaskTypes.get(i); + XXDataMaskTypeDef xDataMaskDef = new XXDataMaskTypeDef(); - XXDataMaskTypeDef xDataMaskDef = new XXDataMaskTypeDef(); xDataMaskDef = serviceDefService.populateRangerDataMaskDefToXX(dataMask, xDataMaskDef, createdSvcDef, RangerServiceDefService.OPERATION_CREATE_CONTEXT); + xDataMaskDef.setOrder(i); - xDataMaskDef = xxDataMaskDefDao.create(xDataMaskDef); + + xxDataMaskDefDao.create(xDataMaskDef); } List xxAccessTypeDefs = xxATDDao.findByServiceDefId(createdSvcDef.getId()); @@ -653,6 +727,7 @@ public RangerServiceDef createServiceDef(RangerServiceDef serviceDef) throws Exc } RangerServiceDef createdServiceDef = serviceDefService.getPopulatedViewObject(createdSvcDef); + dataHistService.createObjectDataHistory(createdServiceDef, RangerDataHistService.ACTION_CREATE); postCreate(createdServiceDef); @@ -666,16 +741,15 @@ public RangerServiceDef createServiceDef(RangerServiceDef serviceDef) throws Exc public RangerServiceDef updateServiceDef(RangerServiceDef serviceDef) throws Exception { LOG.debug("==> ServiceDBStore.updateServiceDef({})", serviceDef); - Long serviceDefId = serviceDef.getId(); + Long serviceDefId = serviceDef.getId(); + XXServiceDef existing = daoMgr.getXXServiceDef().getById(serviceDefId); - XXServiceDef existing = daoMgr.getXXServiceDef().getById(serviceDefId); if (existing == null) { throw restErrorUtil.createRESTException("no service-def exists with ID=" + serviceDef.getId(), MessageEnums.DATA_NOT_FOUND); } - String existingName = existing.getName(); - - boolean renamed = !StringUtils.equalsIgnoreCase(serviceDef.getName(), existingName); + String existingName = existing.getName(); + boolean renamed = !StringUtils.equalsIgnoreCase(serviceDef.getName(), existingName); if (renamed) { XXServiceDef renamedSVCDef = daoMgr.getXXServiceDef().findByName(serviceDef.getName()); 
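Review bot: The loops in createServiceDef now discard the value of `dao.create(...)` everywhere except `xAccessType = xxATDDao.create(xAccessType);` and `xEnum = xxEnumDefDao.create(xEnum);`, and nothing on those two lines says why they are different: the returned objects are what supply `xAccessType.getId()` for `xImpliedGrant.setAtdId(...)` and the `xEnum` passed to the enum-element loop. A comment such as `// keep the returned entity: its generated id is needed for the implied-grant rows` (and the equivalent before the enum-element loop) stops the next cleanup from removing those assignments as well. The `for (String impliedGrant : impliedGrants)` loop also assumes `accessType.getImpliedGrants()` never returns null — worth confirming against the model class. createServiceDef starts before this hunk and continues past it.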
@@ -693,8 +767,8 @@ public RangerServiceDef updateServiceDef(RangerServiceDef serviceDef) throws Exc List enums = serviceDef.getEnums() != null ? serviceDef.getEnums() : new ArrayList<>(); RangerDataMaskDef dataMaskDef = serviceDef.getDataMaskDef(); RangerRowFilterDef rowFilterDef = serviceDef.getRowFilterDef(); + RangerServiceDefHelper defHelper = new RangerServiceDefHelper(serviceDef, false); - RangerServiceDefHelper defHelper = new RangerServiceDefHelper(serviceDef, false); defHelper.patchServiceDefWithDefaultValues(); serviceDef.setCreateTime(existing.getCreateTime()); @@ -702,11 +776,13 @@ public RangerServiceDef updateServiceDef(RangerServiceDef serviceDef) throws Exc serviceDef.setVersion(existing.getVersion()); serviceDef = serviceDefService.update(serviceDef); + XXServiceDef createdSvcDef = daoMgr.getXXServiceDef().getById(serviceDefId); updateChildObjectsOfServiceDef(createdSvcDef, configs, resources, accessTypes, policyConditions, contextEnrichers, enums, dataMaskDef, rowFilterDef); RangerServiceDef updatedSvcDef = getServiceDef(serviceDefId); + dataHistService.createObjectDataHistory(updatedSvcDef, RangerDataHistService.ACTION_UPDATE); postUpdate(updatedSvcDef); @@ -718,8 +794,11 @@ public RangerServiceDef updateServiceDef(RangerServiceDef serviceDef) throws Exc public void deleteServiceDef(Long serviceDefId, Boolean forceDelete) throws Exception { LOG.debug("==> ServiceDBStore.deleteServiceDef({}, {})", serviceDefId, forceDelete); + bizUtil.blockAuditorRoleUser(); + UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session == null) { throw restErrorUtil.createRESTException("UserSession cannot be null, only Admin can update service-def", MessageEnums.OPER_NO_PERMISSION); } 
@@ -729,11 +808,13 @@ public void deleteServiceDef(Long serviceDefId, Boolean forceDelete) throws Exce } RangerServiceDef serviceDef = getServiceDef(serviceDefId); + if (serviceDef == null) { throw restErrorUtil.createRESTException("No Service Definiton found for Id: " + serviceDefId, MessageEnums.DATA_NOT_FOUND); } List serviceList = daoMgr.getXXService().findByServiceDefId(serviceDefId); + if (!forceDelete) { if (CollectionUtils.isNotEmpty(serviceList)) { throw restErrorUtil.createRESTException("Services exists under given service definition, can't delete Service-Def: " + serviceDef.getName(), MessageEnums.OPER_NOT_ALLOWED_FOR_ENTITY); @@ -748,28 +829,34 @@ public void deleteServiceDef(Long serviceDefId, Boolean forceDelete) throws Exce XXDataMaskTypeDefDao dataMaskDao = daoMgr.getXXDataMaskTypeDef(); List dataMaskDefs = dataMaskDao.findByServiceDefId(serviceDefId); + for (XXDataMaskTypeDef dataMaskDef : dataMaskDefs) { dataMaskDao.remove(dataMaskDef); } List accTypeDefs = daoMgr.getXXAccessTypeDef().findByServiceDefId(serviceDefId); + for (XXAccessTypeDef accessType : accTypeDefs) { deleteXXAccessTypeDef(accessType); } XXContextEnricherDefDao xContextEnricherDao = daoMgr.getXXContextEnricherDef(); List contextEnrichers = xContextEnricherDao.findByServiceDefId(serviceDefId); + for (XXContextEnricherDef context : contextEnrichers) { xContextEnricherDao.remove(context); } XXEnumDefDao enumDefDao = daoMgr.getXXEnumDef(); List enumDefList = enumDefDao.findByServiceDefId(serviceDefId); + for (XXEnumDef enumDef : enumDefList) { List enumEleDefList = daoMgr.getXXEnumElementDef().findByEnumDefId(enumDef.getId()); + for (XXEnumElementDef eleDef : enumEleDefList) { daoMgr.getXXEnumElementDef().remove(eleDef); } + enumDefDao.remove(enumDef); } 
@@ -778,33 +865,41 @@ public void deleteServiceDef(Long serviceDefId, Boolean forceDelete) throws Exce for (XXPolicyConditionDef policyCond : policyCondList) { List xxPolicyRefConditions = daoMgr.getXXPolicyRefCondition().findByConditionDefId(policyCond.getId()); - for (XXPolicyRefCondition xXPolicyRefCondition : xxPolicyRefConditions) { - daoMgr.getXXPolicyRefCondition().remove(xXPolicyRefCondition); + + for (XXPolicyRefCondition xxPolicyRefCondition : xxPolicyRefConditions) { + daoMgr.getXXPolicyRefCondition().remove(xxPolicyRefCondition); } + policyCondDao.remove(policyCond); } List resDefList = daoMgr.getXXResourceDef().findByServiceDefId(serviceDefId); + for (XXResourceDef resDef : resDefList) { deleteXXResourceDef(resDef); } XXServiceConfigDefDao configDefDao = daoMgr.getXXServiceConfigDef(); List configDefList = configDefDao.findByServiceDefId(serviceDefId); + for (XXServiceConfigDef configDef : configDefList) { configDefDao.remove(configDef); } Long version = serviceDef.getVersion(); + if (version == null) { - version = Long.valueOf(1); + version = 1L; + LOG.info("Found Version Value: `null`, so setting value of version to 1, While updating object, version should not be null."); } else { - version = Long.valueOf(version.longValue() + 1); + version = version + 1; } + serviceDef.setVersion(version); serviceDefService.delete(serviceDef); + LOG.info("ServiceDefinition has been deleted successfully. Service-Def Name: {}", serviceDef.getName()); dataHistService.createObjectDataHistory(serviceDef, RangerDataHistService.ACTION_DELETE); @@ -816,9 +911,10 @@ public void deleteServiceDef(Long serviceDefId, Boolean forceDelete) throws Exce @Override public RangerServiceDef getServiceDef(Long id) throws Exception { - LOG.debug("==> ServiceDBStore.getServiceDef()", id); + LOG.debug("==> ServiceDBStore.getServiceDef({})", id); RangerServiceDef ret = serviceDefService.read(id); + LOG.debug("<== ServiceDBStore.getServiceDef({}): {}", id, ret); return ret; 
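Review bot: The null-or-increment version bump together with its `LOG.info("Found Version Value: `null`, so setting value of version to 1, ...")` message now appears verbatim in deleteServiceDef here and again in deleteService (`@@ -1183`) and both deletePolicy overloads (`@@ -1369`, `@@ -1412`); the commit rewrote every copy to `1L` / `version + 1` without consolidating them. A single helper, e.g. `private static Long nextVersionForDelete(Long version) { if (version == null) { LOG.info("..."); return 1L; } return version + 1; }`, keeps the four sites in step. Note that `version + 1` relies on auto-unboxing and is only safe because the null case is tested first — the helper makes that ordering explicit.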
@@ -828,15 +924,14 @@ public RangerServiceDef getServiceDef(Long id) throws Exception { public RangerServiceDef getServiceDefByName(String name) throws Exception { LOG.debug("==> ServiceDBStore.getServiceDefByName({})", name); - RangerServiceDef ret = null; - - XXServiceDef xServiceDef = daoMgr.getXXServiceDef().findByName(name); + RangerServiceDef ret = null; + XXServiceDef xServiceDef = daoMgr.getXXServiceDef().findByName(name); if (xServiceDef != null) { ret = serviceDefService.getPopulatedViewObject(xServiceDef); } - LOG.debug("== ServiceDBStore.getServiceDefByName({}): {}", name, ret); + LOG.debug("== ServiceDBStore.getServiceDefByName({}): ", name); return ret; } @@ -846,12 +941,11 @@ public RangerServiceDef getServiceDefByName(String name) throws Exception { * @return {@link RangerServiceDef} - service using display name if present in DB, null otherwise. */ @Override - public RangerServiceDef getServiceDefByDisplayName(String displayName) throws Exception { + public RangerServiceDef getServiceDefByDisplayName(String displayName) { LOG.debug("==> ServiceDBStore.getServiceDefByDisplayName({})", displayName); - RangerServiceDef ret = null; - - XXServiceDef xServiceDef = daoMgr.getXXServiceDef().findByDisplayName(displayName); + RangerServiceDef ret = null; + XXServiceDef xServiceDef = daoMgr.getXXServiceDef().findByDisplayName(displayName); if (xServiceDef != null) { ret = serviceDefService.getPopulatedViewObject(xServiceDef); 
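Review bot: The exit log in getServiceDefByName was changed to `LOG.debug("== ServiceDBStore.getServiceDefByName({}): ", name);`, which drops `ret` but keeps the trailing `: `, so the message now ends with nothing after the colon; either restore `{}` with `ret` or drop the colon, and the prefix should be `<==` to match the exit log fixed in the previous hunk (`<== ServiceDBStore.getServiceDef({}): {}`). In the second hunk `getServiceDefByDisplayName` loses `throws Exception`; for an `@Override` that is fine only if the overridden interface method declares it or was changed in the same commit — confirm.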
@@ -888,31 +982,37 @@ public RangerService createService(RangerService service) throws Exception { boolean createDefaultPolicy = true; Map configs = service.getConfigs(); Map validConfigs = validateRequiredConfigParams(service, configs); + if (validConfigs == null) { LOG.debug("==> ConfigParams cannot be null, ServiceDBStore.createService({})", service); + throw restErrorUtil.createRESTException("ConfigParams cannot be null.", MessageEnums.ERROR_CREATING_OBJECT); } // While creating, value of version should be 1. - service.setVersion(Long.valueOf(1)); - service.setTagVersion(Long.valueOf(1)); + service.setVersion(1L); + service.setTagVersion(1L); if (populateExistingBaseFields) { svcServiceWithAssignedId.setPopulateExistingBaseFields(true); + daoMgr.getXXService().setIdentityInsert(true); service = svcServiceWithAssignedId.create(service); daoMgr.getXXService().setIdentityInsert(false); daoMgr.getXXService().updateSequence(); + svcServiceWithAssignedId.setPopulateExistingBaseFields(false); + createDefaultPolicy = false; } else { service = svcService.create(service); } - XXService xCreatedService = daoMgr.getXXService().getById(service.getId()); - XXServiceConfigMapDao xConfMapDao = daoMgr.getXXServiceConfigMap(); + XXService xCreatedService = daoMgr.getXXService().getById(service.getId()); + XXServiceConfigMapDao xConfMapDao = daoMgr.getXXServiceConfigMap(); + for (Entry configMap : validConfigs.entrySet()) { String configKey = configMap.getKey(); String configValue = configMap.getValue(); 
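Review bot: `LOG.debug("==> ConfigParams cannot be null, ServiceDBStore.createService({})", service)` is emitted before the `CONFIG_KEY_PASSWORD` handling further down encrypts the password config, so if `RangerService.toString()` renders `getConfigs()` this line writes the plaintext credential to the log; the same line is in updateService (`@@ -1011`). Logging the name or id instead of the whole object avoids that: `LOG.debug("==> ConfigParams cannot be null, ServiceDBStore.createService(name={})", service.getName());`. createService starts before this hunk and continues past it.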
@@ -920,40 +1020,49 @@ public RangerService createService(RangerService service) throws Exception { if (StringUtils.equalsIgnoreCase(configKey, "username")) { String userName = stringUtil.getValidUserName(configValue); XXUser xxUser = daoMgr.getXXUser().findByUserName(userName); + if (xxUser != null) { - VXUser vXUser = xUserService.populateViewBean(xxUser); + xUserService.populateViewBean(xxUser); } else { UserSessionBase usb = ContextUtil.getCurrentUserSession(); + if (usb != null && !usb.isUserAdmin() && !usb.isSpnegoEnabled()) { throw restErrorUtil.createRESTException("User does not exist with given username: [" + userName + "] please use existing user", MessageEnums.OPER_NO_PERMISSION); } + xUserMgr.createServiceConfigUser(userName); } } if (StringUtils.equalsIgnoreCase(configKey, CONFIG_KEY_PASSWORD)) { - Joiner joiner = Joiner.on(",").skipNulls(); - String iv = PasswordUtils.generateIvIfNeeded(CRYPT_ALGO); - - String cryptConfigString = joiner.join(CRYPT_ALGO, ENCRYPT_KEY, SALT, ITERATION_COUNT, iv, configValue); - String encryptedPwd = PasswordUtils.encryptPassword(cryptConfigString); - + Joiner joiner = Joiner.on(",").skipNulls(); + String iv = PasswordUtils.generateIvIfNeeded(CRYPT_ALGO); + String cryptConfigString = joiner.join(CRYPT_ALGO, ENCRYPT_KEY, SALT, ITERATION_COUNT, iv, configValue); + String encryptedPwd = PasswordUtils.encryptPassword(cryptConfigString); String paddedEncryptedPwd = joiner.join(CRYPT_ALGO, ENCRYPT_KEY, SALT, ITERATION_COUNT, iv, encryptedPwd); String decryptedPwd = PasswordUtils.decryptPassword(paddedEncryptedPwd); + if (StringUtils.equals(decryptedPwd, configValue)) { configValue = paddedEncryptedPwd; } } + XXServiceConfigMap xConfMap = new XXServiceConfigMap(); + xConfMap = rangerAuditFields.populateAuditFields(xConfMap, xCreatedService); + xConfMap.setServiceId(xCreatedService.getId()); xConfMap.setConfigkey(configKey); + if (StringUtils.equalsIgnoreCase(configKey, "username")) { configValue = 
stringUtil.getValidUserName(configValue); } + xConfMap.setConfigvalue(configValue); - xConfMap = xConfMapDao.create(xConfMap); + + xConfMapDao.create(xConfMap); } + updateTabPermissions(service.getType(), validConfigs); RangerService createdService = svcService.getPopulatedViewObject(xCreatedService); @@ -1011,6 +1120,7 @@ public RangerService updateService(RangerService service, Map op Map configs = service.getConfigs(); Map validConfigs = validateRequiredConfigParams(service, configs); + if (validConfigs == null) { LOG.debug("==> ConfigParams cannot be null, ServiceDBStore.createService({})", service); @@ -1028,7 +1138,7 @@ public RangerService updateService(RangerService service, Map op service.setTagService(newTagServiceName); - LOG.info("ServiceDBStore.updateService(id={}; name={}): tagService is null; using existing tagService {}", service.getId(), service.getName(), newTagServiceName); + LOG.info("ServiceDBStore.updateService(id={}; name={}): tagService is null; using existing tagService '{}'", service.getId(), service.getName(), newTagServiceName); } } @@ -1037,6 +1147,7 @@ public RangerService updateService(RangerService service, Map op if (tmp == null || !EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME.equals(tmp.getType())) { LOG.debug("ServiceDBStore.updateService() - {} does not refer to a valid tag service.({})", newTagServiceName, service); + throw restErrorUtil.createRESTException("Invalid tag service name " + newTagServiceName, MessageEnums.ERROR_CREATING_OBJECT); } else { newTagServiceId = tmp.getId(); 
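Review bot: In the `CONFIG_KEY_PASSWORD` branch, when the encrypt/decrypt round-trip does not match (`StringUtils.equals(decryptedPwd, configValue)` false) `configValue` is left as the plaintext password and a few lines later persisted through `xConfMap.setConfigvalue(configValue)` with nothing logged; the same silent fallback exists in updateService (`@@ -1107`, `@@ -1125`). Unless storing the clear-text value is deliberate, the mismatch should at least be logged — `LOG.error("password for service {} could not be verified after encryption; not storing it", service.getName());` — and the create rejected rather than completed. Also `xUserService.populateViewBean(xxUser);` now discards its result; if that call has no side effects it is dead code and the `if (xxUser != null)` branch can simply be empty. createService starts and ends outside this hunk.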
@@ -1060,12 +1171,15 @@ public RangerService updateService(RangerService service, Map op if (populateExistingBaseFields) { svcServiceWithAssignedId.setPopulateExistingBaseFields(true); + service = svcServiceWithAssignedId.update(service); + svcServiceWithAssignedId.setPopulateExistingBaseFields(false); } else { service.setCreateTime(existing.getCreateTime()); service.setGuid(existing.getGuid()); service.setVersion(existing.getVersion()); + service = svcService.update(service); if (hasTagServiceValueChanged || hasIsEnabledChanged || hasServiceConfigForPluginChanged) { @@ -1074,17 +1188,18 @@ public RangerService updateService(RangerService service, Map op } XXService xUpdService = daoMgr.getXXService().getById(service.getId()); - - String oldPassword = null; + String oldPassword = null; for (XXServiceConfigMap dbConfigMap : dbConfigMaps) { if (StringUtils.equalsIgnoreCase(dbConfigMap.getConfigkey(), CONFIG_KEY_PASSWORD)) { oldPassword = dbConfigMap.getConfigvalue(); } + daoMgr.getXXServiceConfigMap().remove(dbConfigMap); } XXServiceConfigMapDao xConfMapDao = daoMgr.getXXServiceConfigMap(); + for (Entry configMap : validConfigs.entrySet()) { String configKey = configMap.getKey(); String configValue = configMap.getValue(); @@ -1092,13 +1207,16 @@ public RangerService updateService(RangerService service, Map op if (StringUtils.equalsIgnoreCase(configKey, "username")) { String userName = stringUtil.getValidUserName(configValue); XXUser xxUser = daoMgr.getXXUser().findByUserName(userName); + if (xxUser != null) { - VXUser vXUser = xUserService.populateViewBean(xxUser); + xUserService.populateViewBean(xxUser); } else { UserSessionBase usb = ContextUtil.getCurrentUserSession(); + if (usb != null && !usb.isUserAdmin()) { throw restErrorUtil.createRESTException("User does not exist with given username: [" + userName + "] please use existing user", MessageEnums.OPER_NO_PERMISSION); } + xUserMgr.createServiceConfigUser(userName); } } 
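Review bot: In updateService the `"username"` branch rejects a non-admin session with `if (usb != null && !usb.isUserAdmin())`, while the same branch in createService (`@@ -920`) also exempts `usb.isSpnegoEnabled()`; the commit reformats both without reconciling them, so a SPNEGO session can create a service-config user on create but not on update. If the difference is deliberate, a one-line comment on the update-side check should say why; otherwise the two conditions should match. Both branches also skip the check entirely when `usb` is null, and a comment on why an absent session is trusted there would help the next reader. The literal `"username"` is compared in several places while the password key uses the constant `CONFIG_KEY_PASSWORD`; a `CONFIG_KEY_USERNAME` constant would be consistent.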
@@ -1107,11 +1225,13 @@ public RangerService updateService(RangerService service, Map op if (StringUtils.equalsIgnoreCase(configValue, HIDDEN_PASSWORD_STR)) { if (oldPassword != null && oldPassword.contains(",")) { PasswordUtils util = PasswordUtils.build(oldPassword); + if (!util.getCryptAlgo().equalsIgnoreCase(CRYPT_ALGO)) { String decryptedPwd = PasswordUtils.decryptPassword(oldPassword); String paddingString = Joiner.on(",").skipNulls().join(CRYPT_ALGO, new String(util.getEncryptKey()), new String(util.getSalt()), util.getIterationCount(), PasswordUtils.generateIvIfNeeded(CRYPT_ALGO)); String encryptedPwd = PasswordUtils.encryptPassword(paddingString + "," + decryptedPwd); String newDecryptedPwd = PasswordUtils.decryptPassword(paddingString + "," + encryptedPwd); + if (StringUtils.equals(newDecryptedPwd, decryptedPwd)) { configValue = paddingString + "," + encryptedPwd; } @@ -1125,21 +1245,28 @@ public RangerService updateService(RangerService service, Map op String paddingString = Joiner.on(",").skipNulls().join(CRYPT_ALGO, ENCRYPT_KEY, SALT, ITERATION_COUNT, PasswordUtils.generateIvIfNeeded(CRYPT_ALGO)); String encryptedPwd = PasswordUtils.encryptPassword(paddingString + "," + configValue); String decryptedPwd = PasswordUtils.decryptPassword(paddingString + "," + encryptedPwd); + if (StringUtils.equals(decryptedPwd, configValue)) { configValue = paddingString + "," + encryptedPwd; } } } + XXServiceConfigMap xConfMap = new XXServiceConfigMap(); + xConfMap = rangerAuditFields.populateAuditFields(xConfMap, xUpdService); + xConfMap.setServiceId(service.getId()); xConfMap.setConfigkey(configKey); xConfMap.setConfigvalue(configValue); + xConfMapDao.create(xConfMap); } + updateTabPermissions(service.getType(), validConfigs); RangerService updService = svcService.getPopulatedViewObject(xUpdService); + dataHistService.createObjectDataHistory(updService, RangerDataHistService.ACTION_UPDATE); return updService; 
@@ -1159,22 +1286,29 @@ public void deleteService(Long id) throws Exception { disassociateZonesForService(service); //RANGER-3016 List policyIds = daoMgr.getXXPolicy().findPolicyIdsByServiceId(service.getId()); + if (CollectionUtils.isNotEmpty(policyIds)) { long totalDeletedPolicies = 0; + for (Long policyID : policyIds) { RangerPolicy rangerPolicy = getPolicy(policyID); + deletePolicy(rangerPolicy, service); + totalDeletedPolicies = totalDeletedPolicies + 1; + // its a bulk policy delete call flush and clear if (totalDeletedPolicies % RangerBizUtil.POLICY_BATCH_SIZE == 0) { bizUtil.bulkModeOnlyFlushAndClear(); } } + bizUtil.bulkModeOnlyFlushAndClear(); } XXServiceConfigMapDao configDao = daoMgr.getXXServiceConfigMap(); List configs = configDao.findByServiceId(service.getId()); + for (XXServiceConfigMap configMap : configs) { configDao.remove(configMap); } @@ -1183,12 +1317,15 @@ public void deleteService(Long id) throws Exception { daoMgr.getXXRMSServiceResource().purge(service.getId()); Long version = service.getVersion(); + if (version == null) { - version = Long.valueOf(1); + version = 1L; + LOG.info("Found Version Value: `null`, so setting value of version to 1, While updating object, version should not be null."); } else { - version = Long.valueOf(version.longValue() + 1); + version = version + 1; } + service.setVersion(version); svcService.delete(service); 
@@ -1199,18 +1336,16 @@ public void deleteService(Long id) throws Exception { //During the servie deletion ,we need to clear the RangerServicePoliciesCache,RangerServiceTagsCache for the given serviceName. resetPolicyCache(service.getName()); + tagStore.resetTagCache(service.getName()); } @Override public boolean serviceExists(String name) { - boolean ret = false; - LOG.debug("==> ServiceDBStore.serviceExists({})", name); - Long id = daoMgr.getXXService().findIdByName(name); - - ret = id != null; + Long id = daoMgr.getXXService().findIdByName(name); + boolean ret = id != null; LOG.debug("<== ServiceDBStore.serviceExists({}): ret={}", name, ret); @@ -1222,6 +1357,7 @@ public RangerService getService(Long id) throws Exception { LOG.debug("==> ServiceDBStore.getService()"); UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session == null) { throw restErrorUtil.createRESTException("UserSession cannot be null.", MessageEnums.OPER_NOT_ALLOWED_FOR_STATE); } @@ -1234,6 +1370,7 @@ public RangerService getService(Long id) throws Exception { if (xService == null) { throw restErrorUtil.createRESTException("Data Not Found for given Id", MessageEnums.DATA_NOT_FOUND, id, null, "readResource : No Object found with given id."); } + if (!bizUtil.hasAccess(xService, null)) { throw restErrorUtil.createRESTException("Logged in user is not allowed to read service, id: " + id, MessageEnums.OPER_NO_PERMISSION); } @@ -1244,6 +1381,7 @@ public RangerService getService(Long id) throws Exception { @Override public RangerService getServiceByName(String name) throws Exception { LOG.debug("==> ServiceDBStore.getServiceByName()"); + XXService xService = daoMgr.getXXService().findByName(name); // TODO: As of now we are allowing SYS_ADMIN to read all the 
@@ -1253,26 +1391,31 @@ public RangerService getServiceByName(String name) throws Exception { if (xService == null) { return null; } + if (!bizUtil.hasAccess(xService, null)) { throw restErrorUtil.createRESTException("Logged in user is not allowed to read service, name: " + name, MessageEnums.OPER_NO_PERMISSION); } } + return xService == null ? null : svcService.getPopulatedViewObject(xService); } @Override - public RangerService getServiceByDisplayName(String displayName) throws Exception { + public RangerService getServiceByDisplayName(String displayName) { LOG.debug("==> ServiceDBStore.getServiceByName()"); + XXService xService = daoMgr.getXXService().findByDisplayName(displayName); if (ContextUtil.getCurrentUserSession() != null) { if (xService == null) { return null; } + if (!bizUtil.hasAccess(xService, null)) { throw restErrorUtil.createRESTException("Logged in user is not allowed to read service, name: " + displayName, MessageEnums.OPER_NO_PERMISSION); } } + return xService == null ? null : svcService.getPopulatedViewObject(xService); } @@ -1281,7 +1424,9 @@ public List getServices(SearchFilter filter) throws Exception { LOG.debug("==> ServiceDBStore.getServices()"); RangerServiceList serviceList = svcService.searchRangerServices(filter); + predicateUtil.applyFilter(serviceList.getServices(), filter); + List ret = serviceList.getServices(); LOG.debug("<== ServiceDBStore.getServices()"); @@ -1325,6 +1470,7 @@ public RangerPolicy updatePolicy(RangerPolicy policy) throws Exception { if (!StringUtils.equalsIgnoreCase(existing.getService(), policy.getService())) { throw new Exception("policy id=" + policy.getId() + " already exists in service " + existing.getService() + ". It can not be moved to service " + policy.getService()); } + boolean renamed = !StringUtils.equalsIgnoreCase(policy.getName(), existing.getName()); if (renamed) { 
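Review bot: `getServiceByDisplayName` still logs `LOG.debug("==> ServiceDBStore.getServiceByName()")` although the commit touches its signature line; the label should be `LOG.debug("==> ServiceDBStore.getServiceByDisplayName({})", displayName);`. The trailing `return xService == null ? null : svcService.getPopulatedViewObject(xService);` repeats a null check already made inside the `if (ContextUtil.getCurrentUserSession() != null)` block and is only needed for the no-session path, which is also the path on which `bizUtil.hasAccess` is never consulted — a comment on why an absent session may read the service unchecked would help. The same layout is in getServiceByName just above.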
@@ -1334,12 +1480,16 @@ public RangerPolicy updatePolicy(RangerPolicy policy) throws Exception { throw new Exception("another policy already exists with name '" + policy.getName() + "'. ID=" + newNamePolicy.getId()); } } + List policyLabels = policy.getPolicyLabels(); Set uniquePolicyLabels = new TreeSet<>(policyLabels); + policy.setCreateTime(xxExisting.getCreateTime()); + if (StringUtils.isEmpty(policy.getGuid())) { policy.setGuid(xxExisting.getGuid()); } + policy.setVersion(xxExisting.getVersion()); policyService.createTransactionLog(policy, existing, RangerPolicyService.OPERATION_UPDATE_CONTEXT); @@ -1347,20 +1497,26 @@ public RangerPolicy updatePolicy(RangerPolicy policy) throws Exception { updatePolicySignature(policy); policy = policyService.update(policy); + XXPolicy newUpdPolicy = daoMgr.getXXPolicy().getById(policy.getId()); policyRefUpdater.cleanupRefTables(policy); + deleteExistingPolicyLabel(policy); policyRefUpdater.createNewPolMappingForRefTable(policy, newUpdPolicy, xServiceDef, bizUtil.getCreatePrincipalsIfAbsent()); + createOrMapLabels(newUpdPolicy, uniquePolicyLabels); - RangerPolicy updPolicy = policyService.getPopulatedViewObject(newUpdPolicy); - boolean updateServiceInfoRoleVersion = false; + RangerPolicy updPolicy = policyService.getPopulatedViewObject(newUpdPolicy); + boolean updateServiceInfoRoleVersion = false; + if (isSupportsRolesDownloadByService()) { updateServiceInfoRoleVersion = isRoleDownloadRequired(updPolicy, service); } + handlePolicyUpdate(service, RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE, updPolicy, updateServiceInfoRoleVersion); + dataHistService.createObjectDataHistory(updPolicy, RangerDataHistService.ACTION_UPDATE); return updPolicy; 
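Review bot: `Set uniquePolicyLabels = new TreeSet<>(policyLabels);` throws NullPointerException when `policy.getPolicyLabels()` returns null, because TreeSet's copy constructor does not accept a null collection; the same construct appears in createPolicy in the later hunk at -2016. Unless the policy model guarantees a non-null list (not visible here), guard it with `Set uniquePolicyLabels = policyLabels == null ? new TreeSet<>() : new TreeSet<>(policyLabels);` so an update request without labels fails with a proper validation error instead of an NPE. updatePolicy starts before this hunk.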
@@ -1369,29 +1525,42 @@ public RangerPolicy updatePolicy(RangerPolicy policy) throws Exception { @Override public void deletePolicy(RangerPolicy policy, RangerService service) throws Exception { LOG.debug("==> ServiceDBStore.deletePolicy()"); + if (policy != null) { if (service == null) { service = getServiceByName(policy.getService()); } + if (service != null) { String policyName = policy.getName(); + LOG.debug("Deleting Policy, policyName: {}", policyName); + Long version = policy.getVersion(); + if (version == null) { - version = Long.valueOf(1); + version = 1L; + LOG.info("Found Version Value: `null`, so setting value of version to 1, While updating object, version should not be null."); } else { - version = Long.valueOf(version.longValue() + 1); + version = version + 1; } + policy.setVersion(version); + policyRefUpdater.cleanupRefTables(policy); + deleteExistingPolicyLabel(policy); + policyService.delete(policy); + createTransactionLog(policy, RangerPolicyService.OPERATION_IMPORT_DELETE_CONTEXT, RangerPolicyService.OPERATION_DELETE_CONTEXT); handlePolicyUpdate(service, RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE, policy, false); + dataHistService.createObjectDataHistory(policy, RangerDataHistService.ACTION_DELETE); } } + LOG.debug("<== ServiceDBStore.deletePolicy()"); } @@ -1412,10 +1581,11 @@ public void deletePolicy(RangerPolicy policy) throws Exception { Long version = policy.getVersion(); if (version == null) { - version = Long.valueOf(1); + version = 1L; + LOG.info("Found Version Value: `null`, so setting value of version to 1, While updating object, version should not be null."); } else { - version = Long.valueOf(version.longValue() + 1); + version = version + 1; } policy.setVersion(version); 
@@ -1423,7 +1593,9 @@ public void deletePolicy(RangerPolicy policy) throws Exception { createTransactionLog(policy, RangerPolicyService.OPERATION_IMPORT_DELETE_CONTEXT, RangerPolicyService.OPERATION_DELETE_CONTEXT); policyRefUpdater.cleanupRefTables(policy); + deleteExistingPolicyLabel(policy); + policyService.delete(policy); handlePolicyUpdate(service, RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE, policy, false); @@ -1434,7 +1606,7 @@ public void deletePolicy(RangerPolicy policy) throws Exception { } @Override - public boolean policyExists(Long id) throws Exception { + public boolean policyExists(Long id) { return daoMgr.getXXPolicy().getCountById(id) > 0; } @@ -1446,20 +1618,22 @@ public RangerPolicy getPolicy(Long id) throws Exception { @Override public List getPolicies(SearchFilter filter) throws Exception { LOG.debug("==> ServiceDBStore.getPolicies()"); - Boolean fetchTagPolicies = Boolean.valueOf(filter.getParam(SearchFilter.FETCH_TAG_POLICIES)); - Boolean fetchAllZonePolicies = Boolean.valueOf(filter.getParam(SearchFilter.FETCH_ZONE_UNZONE_POLICIES)); + + boolean fetchTagPolicies = Boolean.parseBoolean(filter.getParam(SearchFilter.FETCH_TAG_POLICIES)); + boolean fetchAllZonePolicies = Boolean.parseBoolean(filter.getParam(SearchFilter.FETCH_ZONE_UNZONE_POLICIES)); String zoneName = filter.getParam(SearchFilter.ZONE_NAME); - List ret = new ArrayList(); + List ret = new ArrayList<>(); RangerPolicyList policyList = searchRangerPolicies(filter); List resourcePolicies = policyList.getPolicies(); - List tagPolicies = new ArrayList<>(); + List tagPolicies; if (fetchTagPolicies) { tagPolicies = searchRangerTagPoliciesOnBasisOfServiceName(resourcePolicies); - Iterator itr = tagPolicies.iterator(); - while (itr.hasNext()) { + + for (Iterator itr = tagPolicies.iterator(); itr.hasNext(); ) { RangerPolicy pol = itr.next(); + if (!fetchAllZonePolicies) { if (StringUtils.isNotEmpty(zoneName)) { if (!zoneName.equals(pol.getZoneName())) { 
@@ -1472,31 +1646,42 @@ public List getPolicies(SearchFilter filter) throws Exception { } } } + } else { + tagPolicies = new ArrayList<>(); } + LOG.debug("<== ServiceDBStore.getPolicies()"); + ret.addAll(resourcePolicies); ret.addAll(tagPolicies); + return ret; } @Override public Long getPolicyId(final Long serviceId, final String policyName, final Long zoneId) { LOG.debug("==> ServiceDBStore.getPolicyId()"); + Long ret = null; XXPolicy xxPolicy = daoMgr.getXXPolicy().findByNameAndServiceIdAndZoneId(policyName, serviceId, zoneId); + if (xxPolicy != null) { ret = xxPolicy.getId(); } + LOG.debug("<== ServiceDBStore.getPolicyId()"); + return ret; } @Override public List getPoliciesByResourceSignature(String serviceName, String policySignature, Boolean isPolicyEnabled) throws Exception { List xxPolicies = daoMgr.getXXPolicy().findByResourceSignatureByPolicyStatus(serviceName, policySignature, isPolicyEnabled); - List policies = new ArrayList(xxPolicies.size()); + List policies = new ArrayList<>(xxPolicies.size()); + for (XXPolicy xxPolicy : xxPolicies) { RangerPolicy policy = policyService.getPopulatedViewObject(xxPolicy); + policies.add(policy); } @@ -1506,6 +1691,7 @@ public List getPoliciesByResourceSignature(String serviceName, Str @Override public List getServicePolicies(Long serviceId, SearchFilter filter) throws Exception { LOG.debug("==> ServiceDBStore.getServicePolicies({})", serviceId); + String zoneName = filter.getParam(SearchFilter.FETCH_ZONE_NAME); String denyCondition = filter.getParam(SearchFilter.FETCH_DENY_CONDITION); XXService service = daoMgr.getXXService().getById(serviceId); 
@@ -1515,12 +1701,15 @@ public List getServicePolicies(Long serviceId, SearchFilter filter } List ret = getServicePolicies(service, filter); + if (!"true".equalsIgnoreCase(filter.getParam(SearchFilter.FETCH_ZONE_UNZONE_POLICIES))) { if (StringUtils.isBlank(zoneName) && StringUtils.isBlank(denyCondition)) { ret = noZoneFilter(ret); } } - LOG.debug("<== ServiceDBStore.getServicePolicies({}) : policy-count={}", serviceId, (ret == null ? 0 : ret.size())); + + LOG.debug("<== ServiceDBStore.getServicePolicies({}) : policy-count={}", serviceId, ret == null ? 0 : ret.size()); + return ret; } @@ -1528,19 +1717,20 @@ public List getServicePolicies(Long serviceId, SearchFilter filter public List getServicePolicies(String serviceName, SearchFilter filter) throws Exception { LOG.debug("==> ServiceDBStore.getServicePolicies({})", serviceName); - List ret = null; - String zoneName = filter.getParam("zoneName"); - XXService service = daoMgr.getXXService().findByName(serviceName); + String zoneName = filter.getParam("zoneName"); + XXService service = daoMgr.getXXService().findByName(serviceName); if (service == null) { throw new Exception("service does not exist - name='" + serviceName); } - ret = getServicePolicies(service, filter); + List ret = getServicePolicies(service, filter); + if (StringUtils.isBlank(zoneName)) { ret = noZoneFilter(ret); } - LOG.debug("<== ServiceDBStore.getServicePolicies({}): count={}", serviceName, ((ret == null) ? 0 : ret.size())); + + LOG.debug("<== ServiceDBStore.getServicePolicies({}): count={}", service, ((ret == null) ? 0 : ret.size())); return ret; } 
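Review bot: The exit trace of getServicePolicies(String serviceName, SearchFilter filter) now passes the `XXService` entity instead of `serviceName` (`LOG.debug("<== ServiceDBStore.getServicePolicies({}): count={}", service, ...)`), while the entry trace and the removed line both used the name. Besides making entry/exit lines impossible to pair, the log will contain whatever `XXService.toString()` renders, which depending on that entity may include service configuration rather than just the identifier. Restore the argument: `LOG.debug("<== ServiceDBStore.getServicePolicies({}): count={}", serviceName, ((ret == null) ? 0 : ret.size()));`.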
@@ -1549,9 +1739,8 @@ public List getServicePolicies(String serviceName, SearchFilter fi public ServicePolicies getServicePoliciesIfUpdated(String serviceName, Long lastKnownVersion, boolean needsBackwardCompatibility) throws Exception { LOG.debug("==> ServiceDBStore.getServicePoliciesIfUpdated({}, {}, {})", serviceName, lastKnownVersion, needsBackwardCompatibility); - ServicePolicies ret = null; - - XXService serviceDbObj = daoMgr.getXXService().findByName(serviceName); + ServicePolicies ret = null; + XXService serviceDbObj = daoMgr.getXXService().findByName(serviceName); if (serviceDbObj == null) { throw new Exception("service does not exist. name=" + serviceName); @@ -1567,7 +1756,9 @@ public ServicePolicies getServicePoliciesIfUpdated(String serviceName, Long last ret = RangerServicePoliciesCache.getInstance().getServicePolicies(serviceName, serviceDbObj.getId(), lastKnownVersion, needsBackwardCompatibility, this); } - RangerServicePoliciesCache.getInstance().dump(); + if (LOG.isDebugEnabled()) { + RangerServicePoliciesCache.getInstance().dump(); + } if (ret != null && lastKnownVersion != null && lastKnownVersion.equals(ret.getPolicyVersion())) { // ServicePolicies are not changed @@ -1576,8 +1767,10 @@ public ServicePolicies getServicePoliciesIfUpdated(String serviceName, Long last if (ret != null) { LOG.debug("Checking if resource-service:[{}] is disabled", ret.getServiceName()); + if (!serviceDbObj.getIsenabled()) { ret = ServicePolicies.copyHeader(ret); + ret.setTagPolicies(null); } else { String tagServiceName = ret.getTagPolicies() != null ? ret.getTagPolicies().getServiceName() : null; 
@@ -1586,9 +1779,7 @@ public ServicePolicies getServicePoliciesIfUpdated(String serviceName, Long last if (!isTagServiceActive) { ServicePolicies copy = ServicePolicies.copyHeader(ret); - if (!isTagServiceActive) { - copy.setTagPolicies(null); - } + copy.setTagPolicies(null); List copyPolicies = ret.getPolicies() != null ? new ArrayList<>(ret.getPolicies()) : null; List copyPolicyDeltas = ret.getPolicyDeltas() != null ? new ArrayList<>(ret.getPolicyDeltas()) : null; @@ -1602,8 +1793,10 @@ public ServicePolicies getServicePoliciesIfUpdated(String serviceName, Long last Map securityZones = securityZoneStore.getSecurityZonesForService(serviceName); ServicePolicies updatedServicePolicies = ret; + if (MapUtils.isNotEmpty(securityZones)) { updatedServicePolicies = getUpdatedServicePoliciesForZones(ret, securityZones); + patchAssociatedTagServiceInSecurityZoneInfos(updatedServicePolicies); } @@ -1620,7 +1813,7 @@ public ServicePolicies getServicePoliciesIfUpdated(String serviceName, Long last } } - LOG.debug("<== ServiceDBStore.getServicePoliciesIfUpdated({}, {}, {}): count={}", serviceName, lastKnownVersion, needsBackwardCompatibility, ((ret == null || ret.getPolicies() == null) ? 0 : ret.getPolicies().size())); + LOG.debug("<== ServiceDBStore.getServicePoliciesIfUpdated({}, {}, {}): count={}", serviceName, lastKnownVersion, needsBackwardCompatibility, (ret == null || ret.getPolicies() == null) ? 0 : ret.getPolicies().size()); return ret; } 
@@ -1628,17 +1821,20 @@ public ServicePolicies getServicePoliciesIfUpdated(String serviceName, Long last @Override public ServicePolicies getServicePolicyDeltasOrPolicies(String serviceName, Long lastKnownVersion) throws Exception { boolean getOnlyDeltas = false; - LOG.debug("Support for incremental policy updates enabled using ranger.admin {} configuration parameter :[{}]", RangerCommonConstants.RANGER_ADMIN_SUFFIX_POLICY_DELTA, supportsPolicyDeltas); - return getServicePolicies(serviceName, lastKnownVersion, getOnlyDeltas, supportsPolicyDeltas, Long.MAX_VALUE); + + LOG.debug("Support for incremental policy updates enabled using \"ranger.admin{}\" configuation parameter :[{}]", RangerCommonConstants.RANGER_ADMIN_SUFFIX_POLICY_DELTA, SUPPORTS_POLICY_DELTAS); + + return getServicePolicies(serviceName, lastKnownVersion, getOnlyDeltas, SUPPORTS_POLICY_DELTAS, Long.MAX_VALUE); } @Override public ServicePolicies getServicePolicyDeltas(String serviceName, Long lastKnownVersion, Long cachedPolicyVersion) throws Exception { ServicePolicies ret = null; - if (supportsPolicyDeltas) { - LOG.debug("Support for incremental policy updates enabled using ranger.admin {} configuration parameter :[{}]", RangerCommonConstants.RANGER_ADMIN_SUFFIX_POLICY_DELTA, supportsPolicyDeltas); - ret = getServicePolicies(serviceName, lastKnownVersion, true, supportsPolicyDeltas, cachedPolicyVersion); + if (SUPPORTS_POLICY_DELTAS) { + LOG.debug("Support for incremental policy updates enabled using \"ranger.admin{}\" configuation parameter :[{}]", RangerCommonConstants.RANGER_ADMIN_SUFFIX_POLICY_DELTA, SUPPORTS_POLICY_DELTAS); + + ret = getServicePolicies(serviceName, lastKnownVersion, true, SUPPORTS_POLICY_DELTAS, cachedPolicyVersion); } return ret; 
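Review bot: Both new debug strings in getServicePolicyDeltasOrPolicies and getServicePolicyDeltas introduce the misspelling "configuation"; the message should read `"Support for incremental policy updates enabled using \"ranger.admin{}\" configuration parameter :[{}]"`. Separately, `SUPPORTS_POLICY_DELTAS` (and the other UPPER_SNAKE_CASE fields assigned from `config` in initStore further down) are mutable statics, not compile-time constants, so the constant naming misleads a reader about when and whether their value can change; camelCase names like the replaced `supportsPolicyDeltas` were the conventional choice.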
@@ -1647,6 +1843,7 @@ public ServicePolicies getServicePolicyDeltas(String serviceName, Long lastKnown @Override public ServicePolicies getServicePolicies(String serviceName, Long lastKnownVersion) throws Exception { boolean getOnlyDeltas = false; + return getServicePolicies(serviceName, lastKnownVersion, getOnlyDeltas, false, Long.MAX_VALUE); } @@ -1655,14 +1852,15 @@ public RangerPolicy getPolicyFromEventTime(String eventTime, Long policyId) { if (xDataHist == null) { String errMsg = "No policy history found for given policy ID: " + policyId + " and event time: " + eventTime; + LOG.error(errMsg); + throw restErrorUtil.createRESTException(errMsg, MessageEnums.DATA_NOT_FOUND); } - String content = xDataHist.getContent(); - RangerPolicy policy = jsonUtil.writeJsonToJavaObject(content, RangerPolicy.class); + String content = xDataHist.getContent(); - return policy; + return jsonUtil.writeJsonToJavaObject(content, RangerPolicy.class); } @Override @@ -1676,27 +1874,31 @@ public void setPopulateExistingBaseFields(Boolean populateExistingBaseFields) { } @Override - public RangerSecurityZone getSecurityZone(Long id) throws Exception { + public RangerSecurityZone getSecurityZone(Long id) { return securityZoneService.read(id); } @Override - public RangerSecurityZone getSecurityZone(String name) throws Exception { + public RangerSecurityZone getSecurityZone(String name) { XXSecurityZone xxSecurityZone = daoMgr.getXXSecurityZoneDao().findByZoneName(name); + if (xxSecurityZone != null) { return getSecurityZone(xxSecurityZone.getId()); } + return null; } @Override public long getPoliciesCount(final String serviceName) { final long ret; + if (StringUtils.isNotBlank(serviceName)) { ret = daoMgr.getXXPolicy().getPoliciesCount(serviceName); } else { ret = 0L; } + return ret; } 
@@ -1704,6 +1906,7 @@ public long getPoliciesCount(final String serviceName) { public Map getServiceConfigForPlugin(Long serviceId) { Map configs = new HashMap<>(); List xxServiceConfigMaps = daoMgr.getXXServiceConfigMap().findByServiceId(serviceId); + if (CollectionUtils.isNotEmpty(xxServiceConfigMaps)) { for (XXServiceConfigMap svcConfMap : xxServiceConfigMaps) { if (StringUtils.startsWith(svcConfMap.getConfigkey(), RANGER_PLUGIN_CONFIG_PREFIX)) { @@ -1711,6 +1914,7 @@ public Map getServiceConfigForPlugin(Long serviceId) { } } } + return configs; } @@ -1718,25 +1922,33 @@ public Map getServiceConfigForPlugin(Long serviceId) { public List getPoliciesWithMetaAttributes(List policiesList) { if (CollectionUtils.isNotEmpty(policiesList)) { List policies = new ArrayList<>(); + for (RangerPolicy policy : policiesList) { RangerPolicy policyCopy = (RangerPolicy) SerializationUtils.clone(policy); + policies.add(policyCopy); } List policytimeMetaDataList = daoMgr.getXXPolicy().getMetaAttributesForPolicies(policies.stream().map(RangerPolicy::getId).collect(Collectors.toList())); + if (CollectionUtils.isNotEmpty(policytimeMetaDataList)) { - Map> policyMap = policytimeMetaDataList.stream().filter(row -> row != null && row.length == 3 && row[0] != null && row[1] != null && row[2] != null).collect(Collectors.toMap(row -> (Long) row[0], row -> Arrays.asList((Date) row[1], (Date) row[2]))); + Map> policyMap = policytimeMetaDataList.stream() + .filter(row -> row != null && row.length == 3 && row[0] != null && row[1] != null && row[2] != null) + .collect(Collectors.toMap(row -> (Long) row[0], row -> Arrays.asList((Date) row[1], (Date) row[2]))); for (RangerPolicy policy : policies) { List timeMetaData = policyMap.get(policy.getId()); + if (timeMetaData != null && timeMetaData.size() == 2) { policy.setCreateTime(timeMetaData.get(0)); policy.setUpdateTime(timeMetaData.get(1)); } } } + return policies; } + return policiesList; } 
@@ -1755,67 +1967,65 @@ public void initStore() { if (!legacyServiceDefsInitDone) { synchronized (ServiceDBStore.class) { if (!legacyServiceDefsInitDone) { - supportsPolicyDeltas = config.getBoolean("ranger.admin" + RangerCommonConstants.RANGER_ADMIN_SUFFIX_POLICY_DELTA, RangerCommonConstants.RANGER_ADMIN_SUFFIX_POLICY_DELTA_DEFAULT); - retentionPeriodInDays = config.getInt("ranger.admin.delta.retention.time.in.days", 7); - tagRetentionPeriodInDays = config.getInt("ranger.admin.tag.delta.retention.time.in.days", 3); - - supportsPurgeLoginRecords = config.getBoolean("ranger.admin.init.purge.login_records", false); - supportsPurgeTransactionRecords = config.getBoolean("ranger.admin.init.purge.transaction_records", false); - supportsPurgePolicyExportLogs = config.getBoolean("ranger.admin.init.purge.policy_export_logs", false); - loginRecordsRetentionPeriodInDays = config.getInt("ranger.admin.init.purge.login_records.retention.days", 0); - transactionRecordsRetentionPeriodInDays = config.getInt("ranger.admin.init.purge.transaction_records.retention.days", 0); - policyExportLogsRetentionPeriodInDays = config.getInt("ranger.admin.init.purge.policy_export_logs.retention.days", 0); - - isRolesDownloadedByService = config.getBoolean("ranger.support.for.service.specific.role.download", false); - supportsInPlacePolicyUpdates = supportsPolicyDeltas && config.getBoolean("ranger.admin" + RangerCommonConstants.RANGER_ADMIN_SUFFIX_IN_PLACE_POLICY_UPDATES, RangerCommonConstants.RANGER_ADMIN_SUFFIX_IN_PLACE_POLICY_UPDATES_DEFAULT); - - LOG.info("SUPPORTS_POLICY_DELTAS={}", supportsPolicyDeltas); - LOG.info("RETENTION_PERIOD_IN_DAYS={}", policyExportLogsRetentionPeriodInDays); - LOG.info("TAG_RETENTION_PERIOD_IN_DAYS={}", tagRetentionPeriodInDays); - LOG.info("SUPPORTS_PURGE_LOGIN_RECORDS={}", supportsPurgeLoginRecords); - LOG.info("LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS={}", loginRecordsRetentionPeriodInDays); - LOG.info("SUPPORTS_PURGE_TRANSACTION_RECORDS={}", 
supportsPurgeTransactionRecords); - LOG.info("TRANSACTION_RECORDS_RETENTION_PERIOD_IN_DAYS={}", transactionRecordsRetentionPeriodInDays); - LOG.info("SUPPORTS_PURGE_POLICY_EXPORT_LOGS={}", supportsPurgePolicyExportLogs); - LOG.info("POLICY_EXPORT_LOGS_RETENTION_PERIOD_IN_DAYS={}", policyExportLogsRetentionPeriodInDays); + SUPPORTS_POLICY_DELTAS = config.getBoolean("ranger.admin" + RangerCommonConstants.RANGER_ADMIN_SUFFIX_POLICY_DELTA, RangerCommonConstants.RANGER_ADMIN_SUFFIX_POLICY_DELTA_DEFAULT); + RETENTION_PERIOD_IN_DAYS = config.getInt("ranger.admin.delta.retention.time.in.days", 7); + TAG_RETENTION_PERIOD_IN_DAYS = config.getInt("ranger.admin.tag.delta.retention.time.in.days", 3); + + SUPPORTS_PURGE_LOGIN_RECORDS = config.getBoolean("ranger.admin.init.purge.login_records", false); + SUPPORTS_PURGE_TRANSACTION_RECORDS = config.getBoolean("ranger.admin.init.purge.transaction_records", false); + SUPPORTS_PURGE_POLICY_EXPORT_LOGS = config.getBoolean("ranger.admin.init.purge.policy_export_logs", false); + LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS = config.getInt("ranger.admin.init.purge.login_records.retention.days", 0); + TRANSACTION_RECORDS_RETENTION_PERIOD_IN_DAYS = config.getInt("ranger.admin.init.purge.transaction_records.retention.days", 0); + POLICY_EXPORT_LOGS_RETENTION_PERIOD_IN_DAYS = config.getInt("ranger.admin.init.purge.policy_export_logs.retention.days", 0); + + isRolesDownloadedByService = config.getBoolean("ranger.support.for.service.specific.role.download", false); + SUPPORTS_IN_PLACE_POLICY_UPDATES = SUPPORTS_POLICY_DELTAS && config.getBoolean("ranger.admin" + RangerCommonConstants.RANGER_ADMIN_SUFFIX_IN_PLACE_POLICY_UPDATES, RangerCommonConstants.RANGER_ADMIN_SUFFIX_IN_PLACE_POLICY_UPDATES_DEFAULT); + + LOG.info("SUPPORTS_POLICY_DELTAS={}", SUPPORTS_POLICY_DELTAS); + LOG.info("RETENTION_PERIOD_IN_DAYS={}", RETENTION_PERIOD_IN_DAYS); + LOG.info("TAG_RETENTION_PERIOD_IN_DAYS={}", TAG_RETENTION_PERIOD_IN_DAYS); + 
LOG.info("SUPPORTS_PURGE_LOGIN_RECORDS={}", SUPPORTS_PURGE_LOGIN_RECORDS); + LOG.info("LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS={}", LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS); + LOG.info("SUPPORTS_PURGE_TRANSACTION_RECORDS={}", SUPPORTS_PURGE_TRANSACTION_RECORDS); + LOG.info("TRANSACTION_RECORDS_RETENTION_PERIOD_IN_DAYS={}", TRANSACTION_RECORDS_RETENTION_PERIOD_IN_DAYS); + LOG.info("SUPPORTS_PURGE_POLICY_EXPORT_LOGS={}", SUPPORTS_PURGE_POLICY_EXPORT_LOGS); + LOG.info("POLICY_EXPORT_LOGS_RETENTION_PERIOD_IN_DAYS={}", POLICY_EXPORT_LOGS_RETENTION_PERIOD_IN_DAYS); LOG.info("isRolesDownloadedByService={}", isRolesDownloadedByService); - LOG.info("SUPPORTS_IN_PLACE_POLICY_UPDATES={}", supportsInPlacePolicyUpdates); + LOG.info("SUPPORTS_IN_PLACE_POLICY_UPDATES={}", SUPPORTS_IN_PLACE_POLICY_UPDATES); - TransactionTemplate txTemplate = new TransactionTemplate(txManager); + TransactionTemplate txTemplate = new TransactionTemplate(txManager); + final ServiceDBStore dbStore = this; - final ServiceDBStore dbStore = this; predicateUtil = new ServicePredicateUtil(dbStore); try { - txTemplate.execute(new TransactionCallback() { - @Override - public Object doInTransaction(TransactionStatus status) { - EmbeddedServiceDefsUtil.instance().init(dbStore); - getServiceUpgraded(); - createGenericUsers(); - resetPolicyUpdateLog(retentionPeriodInDays, RangerPolicyDelta.CHANGE_TYPE_RANGER_ADMIN_START); - resetTagUpdateLog(tagRetentionPeriodInDays, ServiceTags.TagsChangeType.RANGER_ADMIN_START); - - List purgeResults = new ArrayList<>(); - - if (supportsPurgeLoginRecords) { - removeAuthSessions(loginRecordsRetentionPeriodInDays, purgeResults); - } + txTemplate.execute(status -> { + EmbeddedServiceDefsUtil.instance().init(dbStore); + getServiceUpgraded(); + createGenericUsers(); + resetPolicyUpdateLog(RETENTION_PERIOD_IN_DAYS, RangerPolicyDelta.CHANGE_TYPE_RANGER_ADMIN_START); + resetTagUpdateLog(TAG_RETENTION_PERIOD_IN_DAYS, ServiceTags.TagsChangeType.RANGER_ADMIN_START); - if 
(supportsPurgeTransactionRecords) { - removeTransactionLogs(transactionRecordsRetentionPeriodInDays, purgeResults); - } + List purgeResults = new ArrayList<>(); - if (supportsPurgePolicyExportLogs) { - removePolicyExportLogs(policyExportLogsRetentionPeriodInDays, purgeResults); - } + if (SUPPORTS_PURGE_LOGIN_RECORDS) { + removeAuthSessions(LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS, purgeResults); + } + + if (SUPPORTS_PURGE_TRANSACTION_RECORDS) { + removeTransactionLogs(TRANSACTION_RECORDS_RETENTION_PERIOD_IN_DAYS, purgeResults); + } - initRMSDaos(); - return null; + if (SUPPORTS_PURGE_POLICY_EXPORT_LOGS) { + removePolicyExportLogs(POLICY_EXPORT_LOGS_RETENTION_PERIOD_IN_DAYS, purgeResults); } + + initRMSDaos(); + + return null; }); } catch (Throwable ex) { - LOG.error("ServiceDBStore.initStore(): Failed to update DB: ", ex); + LOG.error("ServiceDBStore.initStore(): Failed to update DB: {}", String.valueOf(ex)); } legacyServiceDefsInitDone = true; @@ -1834,21 +2044,27 @@ public void deleteXXAccessTypeDef(XXAccessTypeDef xAccess) { } List policyRefAccessTypeList = daoMgr.getXXPolicyRefAccessType().findByAccessTypeDefId(xAccess.getId()); + for (XXPolicyRefAccessType xxPolicyRefAccessType : policyRefAccessTypeList) { daoMgr.getXXPolicyRefAccessType().remove(xxPolicyRefAccessType); } + daoMgr.getXXAccessTypeDef().remove(xAccess); } public void deleteXXResourceDef(XXResourceDef xRes) { List xChildObjs = daoMgr.getXXResourceDef().findByParentResId(xRes.getId()); + for (XXResourceDef childRes : xChildObjs) { deleteXXResourceDef(childRes); } + List xxPolicyRefResources = daoMgr.getXXPolicyRefResource().findByResourceDefID(xRes.getId()); + for (XXPolicyRefResource xPolRefRes : xxPolicyRefResources) { daoMgr.getXXPolicyRefResource().remove(xPolRefRes); } + daoMgr.getXXResourceDef().remove(xRes); } 
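Review bot: `LOG.error("ServiceDBStore.initStore(): Failed to update DB: {}", String.valueOf(ex));` in the initStore hunk drops the stack trace that the removed line passed as the throwable argument, leaving only `ex.toString()`. Since the block catches Throwable and still sets `legacyServiceDefsInitDone = true` afterwards, this line is the only record of a failed startup step (embedded service-def init, service upgrade, generic-user creation, delta-log reset or the purge routines), and without the trace the failing step cannot be identified from the log. Keep the throwable as the last argument: `LOG.error("ServiceDBStore.initStore(): Failed to update DB: ", ex);`. initStore starts before this hunk.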
@@ -1863,28 +2079,32 @@ public PList getPaginatedServiceDefs(SearchFilter filter) thro LOG.debug("==> ServiceDBStore.getPaginatedServiceDefs({})", filter); - return new PList(svcDefList.getServiceDefs(), svcDefList.getStartIndex(), svcDefList.getPageSize(), svcDefList.getTotalCount(), svcDefList.getResultSize(), svcDefList.getSortType(), svcDefList.getSortBy()); + return new PList<>(svcDefList.getServiceDefs(), svcDefList.getStartIndex(), svcDefList.getPageSize(), svcDefList.getTotalCount(), svcDefList.getResultSize(), svcDefList.getSortType(), svcDefList.getSortBy()); } public PList getPaginatedServices(SearchFilter filter) throws Exception { LOG.debug("==> ServiceDBStore.getPaginatedServices()"); RangerServiceList serviceList = svcService.searchRangerServices(filter); + if (StringUtils.isEmpty(filter.getParam("serviceNamePartial"))) { predicateUtil.applyFilter(serviceList.getServices(), filter); } + LOG.debug("<== ServiceDBStore.getPaginatedServices()"); - return new PList(serviceList.getServices(), serviceList.getStartIndex(), serviceList.getPageSize(), serviceList.getTotalCount(), serviceList.getResultSize(), serviceList.getSortType(), serviceList.getSortBy()); + return new PList<>(serviceList.getServices(), serviceList.getStartIndex(), serviceList.getPageSize(), serviceList.getTotalCount(), serviceList.getResultSize(), serviceList.getSortType(), serviceList.getSortBy()); } - public PList getPaginatedPolicies(SearchFilter filter) throws Exception { - LOG.debug("==> ServiceDBStore.getPaginatedPolicies({})", filter); + public PList getPaginatedPolicies(SearchFilter filter) { + LOG.debug("==> ServiceDBStore.getPaginatedPolicies(+ {})", filter); RangerPolicyList policyList = searchRangerPolicies(filter); LOG.debug("before filter: count={}", policyList.getListSize()); + predicateUtil.applyFilter(policyList.getPolicies(), filter); + LOG.debug("after filter: count={}", policyList.getListSize()); LOG.debug("<== ServiceDBStore.getPaginatedPolicies({}): count={}", 
filter, policyList.getListSize()); @@ -1904,10 +2124,11 @@ public PList getPaginatedServicePolicies(Long serviceId, SearchFil PList ret = getPaginatedServicePolicies(service.getName(), filter); LOG.debug("<== ServiceDBStore.getPaginatedServicePolicies({})", serviceId); + return ret; } - public PList getPaginatedServicePolicies(String serviceName, SearchFilter filter) throws Exception { + public PList getPaginatedServicePolicies(String serviceName, SearchFilter filter) { LOG.debug("==> ServiceDBStore.getPaginatedServicePolicies({})", serviceName); if (filter == null) { @@ -1918,7 +2139,7 @@ public PList getPaginatedServicePolicies(String serviceName, Searc PList ret = getPaginatedPolicies(filter); - LOG.debug("<== ServiceDBStore.getPaginatedServicePolicies({}): count={}", serviceName, ((ret == null) ? 0 : ret.getListSize())); + LOG.debug("<== ServiceDBStore.getPaginatedServicePolicies({}): count={}", serviceName, (ret == null) ? 0 : ret.getListSize()); return ret; } 
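Review bot: The rewritten entry trace in getPaginatedPolicies carries a stray "+ " inside the placeholder text, `LOG.debug("==> ServiceDBStore.getPaginatedPolicies(+ {})", filter);`, which no longer matches the method's own exit trace or the `==> ServiceDBStore.method({})` pattern used throughout the file. It should be `LOG.debug("==> ServiceDBStore.getPaginatedPolicies({})", filter);`.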
@@ -1932,18 +2153,15 @@ public Long getServicePolicyVersion(String serviceName) { // when a service-def is updated, the updated service-def should be made available to plugins // this is achieved by incrementing policyVersion of all services of this service-def - protected void updateServicesForServiceDefUpdate(RangerServiceDef serviceDef) throws Exception { + protected void updateServicesForServiceDefUpdate(RangerServiceDef serviceDef) { if (serviceDef == null) { return; } - final RangerDaoManager daoManager = daoMgr; - - boolean isTagServiceDef = StringUtils.equals(serviceDef.getName(), EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME); - - XXServiceDao serviceDao = daoMgr.getXXService(); - - List services = serviceDao.findByServiceDefId(serviceDef.getId()); + final RangerDaoManager daoManager = daoMgr; + boolean isTagServiceDef = StringUtils.equals(serviceDef.getName(), EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME); + XXServiceDao serviceDao = daoMgr.getXXService(); + List services = serviceDao.findByServiceDefId(serviceDef.getId()); if (CollectionUtils.isNotEmpty(services)) { for (XXService service : services) { 
@@ -1952,19 +2170,21 @@ protected void updateServicesForServiceDefUpdate(RangerServiceDef serviceDef) th if (CollectionUtils.isNotEmpty(referringServices)) { for (XXService referringService : referringServices) { - final Long referringServiceId = referringService.getId(); - final VersionType tagServiceVersionType = VersionType.POLICY_VERSION; + final Long referringServiceId = referringService.getId(); + final VERSION_TYPE tagServiceVersionType = VERSION_TYPE.POLICY_VERSION; Runnable tagServiceVersionUpdater = new ServiceVersionUpdater(daoManager, referringServiceId, tagServiceVersionType, RangerPolicyDelta.CHANGE_TYPE_SERVICE_DEF_CHANGE); + transactionSynchronizationAdapter.executeOnTransactionCommit(tagServiceVersionUpdater); } } } - final Long serviceId = service.getId(); - final VersionType versionType = VersionType.POLICY_VERSION; + final Long serviceId = service.getId(); + final VERSION_TYPE versionType = VERSION_TYPE.POLICY_VERSION; Runnable serviceVersionUpdater = new ServiceVersionUpdater(daoManager, serviceId, versionType, RangerPolicyDelta.CHANGE_TYPE_SERVICE_DEF_CHANGE); + transactionSynchronizationAdapter.executeOnTransactionCommit(serviceVersionUpdater); } } @@ -1976,12 +2196,15 @@ public List findAllServiceDefNamesHavingContextEnrichers() { public RangerService getServiceByNameForDP(String name) throws Exception { LOG.debug("==> ServiceDBStore.getServiceByNameForDP()"); + XXService xService = daoMgr.getXXService().findByName(name); + if (ContextUtil.getCurrentUserSession() != null) { if (xService == null) { return null; } } + return xService == null ? null : svcService.getPopulatedViewObject(xService); } 
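Review bot: The new side replaces the enum type name `VersionType` with `VERSION_TYPE` in updateServicesForServiceDefUpdate, and the later hunk at -2100 does the same for `JsonFileNameType` → `JSON_FILE_NAME_TYPE`; UPPER_SNAKE_CASE is the Java convention for constants, not for type names, so these read as constants rather than enums (`final VERSION_TYPE versionType = VERSION_TYPE.POLICY_VERSION;`). If the rename is required for compatibility with another change, a short comment on the enum declaration explaining why would save the next reader from "fixing" it back. updateServicesForServiceDefUpdate starts before this hunk.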
@@ -2000,14 +2223,17 @@ public RangerPolicy createPolicy(RangerPolicy policy, boolean createPrincipalsIf Long zoneId = RangerSecurityZone.RANGER_UNZONED_SECURITY_ZONE_ID; String zoneName = policy.getZoneName(); + if (StringUtils.isNotEmpty(zoneName)) { RangerSecurityZone zone = getSecurityZone(zoneName); + if (zone == null) { throw new Exception("zone does not exist - name=" + zoneName); } else { zoneId = zone.getId(); } } + XXPolicy existing = daoMgr.getXXPolicy().findByNameAndServiceIdAndZoneId(policy.getName(), service.getId(), zoneId); if (existing != null) { 
@@ -2016,32 +2242,41 @@ public RangerPolicy createPolicy(RangerPolicy policy, boolean createPrincipalsIf List policyLabels = policy.getPolicyLabels(); Set uniquePolicyLabels = new TreeSet<>(policyLabels); - policy.setVersion(Long.valueOf(1)); + + policy.setVersion(1L); + updatePolicySignature(policy); if (populateExistingBaseFields) { assignedIdPolicyService.setPopulateExistingBaseFields(true); + daoMgr.getXXPolicy().setIdentityInsert(true); policy = assignedIdPolicyService.create(policy, true); daoMgr.getXXPolicy().setIdentityInsert(false); daoMgr.getXXPolicy().updateSequence(); + assignedIdPolicyService.setPopulateExistingBaseFields(false); } else { policy = policyService.create(policy, true); } XXPolicy xCreatedPolicy = daoMgr.getXXPolicy().getById(policy.getId()); + policyRefUpdater.createNewPolMappingForRefTable(policy, xCreatedPolicy, xServiceDef, createPrincipalsIfAbsent); + createOrMapLabels(xCreatedPolicy, uniquePolicyLabels); - RangerPolicy createdPolicy = policyService.getPopulatedViewObject(xCreatedPolicy); - boolean updateServiceInfoRoleVersion = false; + RangerPolicy createdPolicy = policyService.getPopulatedViewObject(xCreatedPolicy); + boolean updateServiceInfoRoleVersion = false; + if (isSupportsRolesDownloadByService()) { updateServiceInfoRoleVersion = isRoleDownloadRequired(createdPolicy, service); } + handlePolicyUpdate(service, RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE, createdPolicy, updateServiceInfoRoleVersion); + dataHistService.createObjectDataHistory(createdPolicy, RangerDataHistService.ACTION_CREATE); createTransactionLog(createdPolicy, RangerPolicyService.OPERATION_IMPORT_CREATE_CONTEXT, RangerPolicyService.OPERATION_CREATE_CONTEXT); 
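Review bot: In createPolicy's `populateExistingBaseFields` branch, `assignedIdPolicyService.setPopulateExistingBaseFields(true)` and `daoMgr.getXXPolicy().setIdentityInsert(true)` are set on what appear to be shared, injected objects and are only reset on the success path; if `assignedIdPolicyService.create(policy, true)` throws (the reworked hunk keeps this order), both flags stay enabled for subsequent requests. Whether identity-insert is connection- or transaction-scoped is not visible here, but the service-level flag certainly persists, so the resets belong in a `finally`. createPolicy starts before this hunk.
```java
if (populateExistingBaseFields) {
    assignedIdPolicyService.setPopulateExistingBaseFields(true);
    daoMgr.getXXPolicy().setIdentityInsert(true);

    try {
        policy = assignedIdPolicyService.create(policy, true);
    } finally {
        // reset shared DAO/service state even when create() throws
        daoMgr.getXXPolicy().setIdentityInsert(false);
        assignedIdPolicyService.setPopulateExistingBaseFields(false);
    }

    daoMgr.getXXPolicy().updateSequence();
} else {
    policy = policyService.create(policy, true);
}
// … unchanged: ref-table mapping, labels, role-version check, history and transaction log …
```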
@@ -2064,34 +2299,45 @@ public void createOrMapLabels(XXPolicy xPolicy, Set uniquePolicyLabels) public RangerPolicy getPolicy(String guid, String serviceName, String zoneName) throws Exception { RangerPolicy ret = null; + if (StringUtils.isNotBlank(guid)) { XXPolicy xPolicy = daoMgr.getXXPolicy().findPolicyByGUIDAndServiceNameAndZoneName(guid, serviceName, zoneName); + if (xPolicy != null) { ret = policyService.getPopulatedViewObject(xPolicy); } } + return ret; } public void getPoliciesInExcel(List policies, HttpServletResponse response) throws Exception { LOG.debug("==> ServiceDBStore.getPoliciesInExcel()"); + String timeStamp = new SimpleDateFormat("yyyyMMdd_HHmmss").format(new Date()); String excelFileName = "Ranger_Policies_" + timeStamp + ".xls"; + writeExcel(policies, excelFileName, response); } public void getPoliciesInCSV(List policies, HttpServletResponse response) throws Exception { LOG.debug("==> ServiceDBStore.getPoliciesInCSV()"); + ServletOutputStream out = null; - String csvFileName = null; + String csvfilename = null; + try { String timeStamp = new SimpleDateFormat("yyyyMMdd_HHmmss").format(new Date()); - csvFileName = "Ranger_Policies_" + timeStamp + ".csv"; + + csvfilename = "Ranger_Policies_" + timeStamp + ".csv"; out = response.getOutputStream(); - StringBuilder sb = writeCSV(policies, csvFileName, response); + + StringBuilder sb = writeCSV(policies, csvfilename, response); + IOUtils.write(sb.toString(), out, "UTF-8"); } catch (Exception e) { - LOG.error("Error while generating report file {}", csvFileName, e); + LOG.error("Error while generating report file {}", csvfilename, e); + e.printStackTrace(); } finally { try { 
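Review bot: The added `e.printStackTrace();` in getPoliciesInCSV writes the same trace to stderr outside the logging framework; the `LOG.error("Error while generating report file {}", csvfilename, e)` just above already receives the exception, so the extra line should go. The rename `csvFileName` → `csvfilename` also moves away from lowerCamelCase in a commit that otherwise normalises naming. Both export methods build a `new SimpleDateFormat("yyyyMMdd_HHmmss")` per call without a locale; a `static final DateTimeFormatter.ofPattern("yyyyMMdd_HHmmss")` would be the thread-safe java.time equivalent. getPoliciesInCSV's finally block continues outside the hunk.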
@@ -2100,14 +2346,17 @@ public void getPoliciesInCSV(List policies, HttpServletResponse re out.close(); } } catch (Exception ex) { + // ignored } } } - public void getObjectInJson(List objList, HttpServletResponse response, JsonFileNameType type) throws Exception { + public void getObjectInJson(List objList, HttpServletResponse response, JSON_FILE_NAME_TYPE type) throws Exception { LOG.debug("==> ServiceDBStore.getObjectInJson()"); + String timeStamp = new SimpleDateFormat("yyyyMMdd_HHmmss").format(new Date()); String jsonFileName; + switch (type) { case POLICY: jsonFileName = "Ranger_Policies_" + timeStamp + ".json"; @@ -2118,11 +2367,13 @@ public void getObjectInJson(List objList, HttpServletResponse response, J default: throw restErrorUtil.createRESTException("Invalid type " + type); } + writeJson(objList, jsonFileName, response, type); } public List noZoneFilter(List servicePolicies) { List noZonePolicies = new ArrayList<>(); + if (CollectionUtils.isNotEmpty(servicePolicies)) { for (RangerPolicy policy : servicePolicies) { if (StringUtils.isBlank(policy.getZoneName())) { @@ -2130,6 +2381,7 @@ public List noZoneFilter(List servicePolicies) { } } } + return noZonePolicies; } 
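Review bot: The `catch (Exception ex) { // ignored }` in getPoliciesInCSV's finally now carries a comment but not the reason the failure is safe to drop; naming the variable for what it is and stating why keeps the swallow auditable, e.g. `} catch (Exception ignored) { // closing the response stream after the write; nothing left to report to the client }`. The function itself starts outside this hunk.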
@@ -2168,22 +2420,30 @@ public void createZoneDefaultPolicies(Collection serviceNames, RangerSec public void deleteZonePolicies(Collection serviceNames, Long zoneId) throws Exception { if (CollectionUtils.isNotEmpty(serviceNames)) { XXPolicyDao policyDao = daoMgr.getXXPolicy(); + for (String serviceName : serviceNames) { RangerService service = getServiceByName(serviceName); List policyIds = policyDao.findPolicyIdsByServiceNameAndZoneId(serviceName, zoneId); + if (CollectionUtils.isNotEmpty(policyIds)) { List rangerPolicyList = new ArrayList<>(); + for (Long id : policyIds) { rangerPolicyList.add(getPolicy(id)); } + long totalDeletedPolicies = 0; + for (RangerPolicy rangerPolicy : rangerPolicyList) { deletePolicy(rangerPolicy, service); + totalDeletedPolicies = totalDeletedPolicies + 1; + if (totalDeletedPolicies % RangerBizUtil.POLICY_BATCH_SIZE == 0) { bizUtil.bulkModeOnlyFlushAndClear(); } } + bizUtil.bulkModeOnlyFlushAndClear(); } } @@ -2194,6 +2454,7 @@ public VXString getPolicyVersionList(Long policyId) { List versionList = daoMgr.getXXDataHist().getVersionListOfObject(policyId, AppConstants.CLASS_TYPE_RANGER_POLICY); VXString vXString = new VXString(); + vXString.setValue(StringUtils.join(versionList, ",")); return vXString; @@ -2206,10 +2467,9 @@ public RangerPolicy getPolicyForVersionNumber(Long policyId, int versionNo) { throw restErrorUtil.createRESTException("No Policy found for given version.", MessageEnums.DATA_NOT_FOUND); } - String content = xDataHist.getContent(); - RangerPolicy policy = jsonUtil.writeJsonToJavaObject(content, RangerPolicy.class); + String content = xDataHist.getContent(); - return policy; + return jsonUtil.writeJsonToJavaObject(content, RangerPolicy.class); } public Map getMetaDataInfo() { 
@@ -2218,7 +2478,7 @@ public Map getMetaDataInfo() { String userId = usb != null ? usb.getLoginId() : null; DateFormat formatter = new SimpleDateFormat("MMM dd, yyyy h:mm:ss a"); - metaDataInfo.put(HOSTNAME, localHostname); + metaDataInfo.put(HOSTNAME, LOCAL_HOSTNAME); metaDataInfo.put(USER_NAME, userId); metaDataInfo.put(TIMESTAMP, formatter.format(MiscUtil.getUTCDateForLocalDate(new Date()))); metaDataInfo.put(RANGER_VERSION, RangerVersionInfo.getVersion()); @@ -2228,16 +2488,21 @@ public Map getMetaDataInfo() { public Map getMapFromInputStream(InputStream mapStream) throws IOException { LOG.debug("==> ServiceDBStore.getMapFromInputStream()"); + Map inputMap = new LinkedHashMap<>(); String inputMapString = IOUtils.toString(mapStream); + if (StringUtils.isNotEmpty(inputMapString)) { inputMap = jsonUtil.jsonToMap(inputMapString); } + if (!CollectionUtils.sizeIsEmpty(inputMap)) { LOG.debug("<== ServiceDBStore.getMapFromInputStream()"); + return inputMap; } else { LOG.error("Provided zone/service input map is empty!!"); + throw restErrorUtil.createRESTException("Provided zone/service map is empty!!"); } } 
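Review bot: `IOUtils.toString(mapStream)` in getMapFromInputStream decodes the body with the platform default charset, so the zone/service mapping JSON parses differently depending on the JVM's `file.encoding`; `IOUtils.toString(mapStream, StandardCharsets.UTF_8)` pins it. The whole stream is also read into memory before any check is made; if this is reached from an upload endpoint, a size limit earlier in the stack is worth confirming. getMapFromInputStream is complete within the hunk; the getMetaDataInfo part starts outside it.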
@@ -2247,14 +2512,18 @@ public Map setPolicyMapKeyValue(Map policiesMap.put(policy.getName().trim() + " " + policy.getService().trim() + " " + policy.getResources().toString().trim() + " " + policy.getZoneName(), policy); } else if (StringUtils.isEmpty(policy.getName().trim()) && StringUtils.isNotEmpty(policy.getService().trim())) { LOG.error("Policy Name is not provided for service : {}", policy.getService().trim()); + throw restErrorUtil.createRESTException("Policy Name is not provided for service : " + policy.getService().trim()); } else if (StringUtils.isNotEmpty(policy.getName().trim()) && StringUtils.isEmpty(policy.getService().trim())) { LOG.error("Service Name is not provided for policy : {}", policy.getName().trim()); + throw restErrorUtil.createRESTException("Service Name is not provided for policy : " + policy.getName().trim()); } else { LOG.error("Service Name or Policy Name is not provided!!"); + throw restErrorUtil.createRESTException("Service Name or Policy Name is not provided!!"); } + return policiesMap; } 
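Review bot: Every branch of the key-building chain calls `policy.getName().trim()` and `policy.getService().trim()` before null is ruled out, so an imported policy with a missing name or service fails with a NullPointerException instead of the `createRESTException` messages the branches are written to produce. Using `StringUtils.isBlank(policy.getName())` / `StringUtils.isBlank(policy.getService())` in the conditions and `StringUtils.trim(...)` where the values are used keeps the intended error reporting. setPolicyMapKeyValue starts outside the hunk.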
@@ -2262,26 +2531,33 @@ public Map createPolicyMap(Map zoneMapping if (!CollectionUtils.sizeIsEmpty(zoneMappingMap)) { policy.setZoneName(destinationZoneName); // set destination zone name in policy. } + if (!CollectionUtils.sizeIsEmpty(servicesMappingMap)) { if (!StringUtils.isEmpty(policy.getService().trim())) { if (sourceServices.contains(policy.getService().trim())) { int index = sourceServices.indexOf(policy.getService().trim()); + policy.setService(destinationServices.get(index)); + policiesMap = setPolicyMapKeyValue(policiesMap, policy); } } else { LOG.error("Service Name or Policy Name is not provided!!"); + throw restErrorUtil.createRESTException("Service Name or Policy Name is not provided!!"); } } else if (CollectionUtils.sizeIsEmpty(servicesMappingMap)) { policiesMap = setPolicyMapKeyValue(policiesMap, policy); } + return policiesMap; } public void getServiceUpgraded() { LOG.info("==> ServiceDBStore.getServiceUpgraded()"); + updateServiceWithCustomProperty(); + LOG.info("<== ServiceDBStore.getServiceUpgraded()"); } @@ -2291,9 +2567,11 @@ public void resetPolicyUpdateLog(int retentionInDays, Integer policyChangeType) daoMgr.getXXPolicyChangeLog().deleteOlderThan(retentionInDays); List allServiceIds = daoMgr.getXXService().getAllServiceIds(); + if (CollectionUtils.isNotEmpty(allServiceIds)) { for (Long serviceId : allServiceIds) { - ServiceVersionUpdater updater = new ServiceVersionUpdater(daoMgr, serviceId, VersionType.POLICY_VERSION, null, policyChangeType, null); + ServiceVersionUpdater updater = new ServiceVersionUpdater(daoMgr, serviceId, VERSION_TYPE.POLICY_VERSION, null, policyChangeType, null); + persistVersionChange(updater); } } 
@@ -2307,9 +2585,11 @@ public void resetTagUpdateLog(int retentionInDays, ServiceTags.TagsChangeType ta daoMgr.getXXTagChangeLog().deleteOlderThan(retentionInDays); List allServiceIds = daoMgr.getXXService().getAllServiceIds(); + if (CollectionUtils.isNotEmpty(allServiceIds)) { for (Long serviceId : allServiceIds) { - ServiceVersionUpdater updater = new ServiceVersionUpdater(daoMgr, serviceId, VersionType.TAG_VERSION, tagChangeType, null, null); + ServiceVersionUpdater updater = new ServiceVersionUpdater(daoMgr, serviceId, VERSION_TYPE.TAG_VERSION, tagChangeType, null, null); + persistVersionChange(updater); } } @@ -2373,14 +2653,17 @@ public void removePolicyExportLogs(int retentionInDays, List public List getPolicyLabels(SearchFilter searchFilter) { LOG.debug("==> ServiceDBStore.getPolicyLabels()"); - VXPolicyLabelList vxPolicyLabelList = new VXPolicyLabelList(); - @SuppressWarnings("unchecked") - List xPolList = policyLabelsService.searchResources(searchFilter, policyLabelsService.searchFields, policyLabelsService.sortFields, vxPolicyLabelList); - List result = new ArrayList<>(); + + VXPolicyLabelList vxPolicyLabelList = new VXPolicyLabelList(); + List xPolList = policyLabelsService.searchResources(searchFilter, policyLabelsService.searchFields, policyLabelsService.sortFields, vxPolicyLabelList); + List result = new ArrayList<>(); + for (XXPolicyLabel xPolicyLabel : xPolList) { result.add(xPolicyLabel.getPolicyLabel()); } + LOG.debug("<== ServiceDBStore.getPolicyLabels()"); + return result; } @@ -2394,9 +2677,11 @@ public List getPolicyLabels(SearchFilter searchFilter) { */ public Map getPolicyCountByTypeAndServiceType(Integer policyType) { int type = 0; + if ((!Objects.isNull(policyType)) && policyType >= 0) { type = policyType; } + return daoMgr.getXXServiceDef().getPolicyCountByType(type); } 
@@ -2408,11 +2693,14 @@ public Map getServiceCountByType() { return daoMgr.getXXServiceDef().getServiceCount(); } - public String getMetricByType(final MetricType metricType) throws Exception { + public String getMetricByType(final METRIC_TYPE metricType) throws Exception { LOG.debug("==> ServiceDBStore.getMetricByType({})", metricType); + String ret = null; + try { SearchCriteria searchCriteria = new SearchCriteria(); + searchCriteria.setStartIndex(0); searchCriteria.setMaxRows(100); searchCriteria.setGetCount(true); @@ -2422,7 +2710,9 @@ public String getMetricByType(final MetricType metricType) throws Exception { } catch (Exception e) { LOG.error("ServiceDBStore.getMetricByType({}): Error calculating Metric : {}", metricType, e.getMessage()); } + LOG.debug("== ServiceDBStore.getMetricByType({}): {}", metricType, ret); + return ret; } 
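Review bot: The catch in getMetricByType logs only `e.getMessage()` and then returns `null`, so the stack trace and exception type are lost and the caller cannot tell "no metric" from "metric computation failed"; pass the exception as the last argument, `LOG.error("ServiceDBStore.getMetricByType({}): Error calculating Metric", metricType, e);`. The middle of the try block lies between the two hunks and is outside this view.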
@@ -2463,32 +2753,39 @@ public boolean isServiceAdminUser(String serviceName, String userName) { return ret; } - public void updateServiceAuditConfig(String searchUsrGrpRoleName, RemoveRefType removeRefType) { + public void updateServiceAuditConfig(String searchUsrGrpRoleName, REMOVE_REF_TYPE removeRefType) { LOG.debug("===> ServiceDBStore.updateServiceAuditConfig( searchUsrGrpRoleName : {} removeRefType : {})", searchUsrGrpRoleName, removeRefType); + List configMapToBeModified = getAuditFiltersServiceConfigByName(searchUsrGrpRoleName); + if (CollectionUtils.isNotEmpty(configMapToBeModified)) { for (XXServiceConfigMap xConfigMap : configMapToBeModified) { String jsonStr = xConfigMap.getConfigvalue() != null ? xConfigMap.getConfigvalue() : null; + if (StringUtils.isNotBlank(jsonStr)) { List auditFilters = JsonUtils.jsonToAuditFilterList(jsonStr); int filterCount = auditFilters != null ? auditFilters.size() : 0; - RangerService rangerService = null; + if (filterCount > 0) { String userName = null; String groupName = null; String roleName = null; - if (removeRefType == RemoveRefType.USER) { + + if (removeRefType == REMOVE_REF_TYPE.USER) { userName = searchUsrGrpRoleName; - } else if (removeRefType == RemoveRefType.GROUP) { + } else if (removeRefType == REMOVE_REF_TYPE.GROUP) { groupName = searchUsrGrpRoleName; - } else if (removeRefType == RemoveRefType.ROLE) { + } else if (removeRefType == REMOVE_REF_TYPE.ROLE) { roleName = searchUsrGrpRoleName; } + removeUserGroupRoleReferences(auditFilters, userName, groupName, roleName); - String updatedJsonStr = JsonUtils.listToJson(auditFilters); - XXService xService = daoMgr.getXXService().getById(xConfigMap.getServiceId()); - rangerService = svcService.getPopulatedViewObject(xService); - Map configs = rangerService.getConfigs(); + + String updatedJsonStr = JsonUtils.listToJson(auditFilters); + XXService xService = daoMgr.getXXService().getById(xConfigMap.getServiceId()); + RangerService rangerService = 
svcService.getPopulatedViewObject(xService); + Map configs = rangerService.getConfigs(); + if (configs.containsKey(ServiceDBStore.RANGER_PLUGIN_AUDIT_FILTERS)) { updatedJsonStr = StringUtils.isBlank(updatedJsonStr) ? "" : updatedJsonStr.replaceAll("\"", "'"); @@ -2496,9 +2793,11 @@ public void updateServiceAuditConfig(String searchUsrGrpRoleName, RemoveRefType try { LOG.info("==>ServiceDBStore.updateServiceAuditConfig updating audit-filter of service : {} as part of delete request for : {}", rangerService.getName(), searchUsrGrpRoleName); + updateService(rangerService, null); } catch (Throwable excp) { LOG.error("updateService({}) failed", rangerService, excp); + throw restErrorUtil.createRESTException(excp.getMessage()); } } @@ -2508,13 +2807,15 @@ public void updateServiceAuditConfig(String searchUsrGrpRoleName, RemoveRefType } } } else { - LOG.info("ServiceDBStore.updateServiceAuditConfig no service audit filter Config map found for : {}", searchUsrGrpRoleName); + LOG.debug("ServiceDBStore.updateServiceAuditConfig no service audit filter Config map found for : {}", searchUsrGrpRoleName); } + LOG.debug("<=== ServiceDBStore.updateServiceAuditConfig( searchUsrGrpRoleName : {} removeRefType : {})", searchUsrGrpRoleName, removeRefType); } void createTransactionLog(RangerPolicy policy, int operationImportContext, int operationContext) { StackTraceElement[] trace = Thread.currentThread().getStackTrace(); + if (trace.length > 3 && (StringUtils.contains(trace[4].getMethodName(), "import") || StringUtils.contains(trace[5].getMethodName(), "import"))) { policyService.createTransactionLog(policy, null, operationImportContext); } else { 
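Review bot: `String jsonStr = xConfigMap.getConfigvalue() != null ? xConfigMap.getConfigvalue() : null;` is a no-op ternary that the following `StringUtils.isNotBlank(jsonStr)` already covers; `String jsonStr = xConfigMap.getConfigvalue();` reads the same. The later `updatedJsonStr.replaceAll("\"", "'")` rewrites the audit-filter JSON with single quotes before it is stored back; that is pre-existing, but a one-line comment on why the stored form differs from what `JsonUtils.listToJson` produced would save the next reader a trip. updateServiceAuditConfig continues past this hunk.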
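Review bot: The `catch (Throwable excp)` around `updateService(rangerService, null)` turns VM errors into REST errors and forwards `excp.getMessage()` verbatim to the client; catching `Exception` and returning a fixed message, with the detail kept in the log, avoids exposing internal state. `LOG.error("updateService({}) failed", rangerService, excp)` also prints the whole `RangerService` object, whereas the info line just above logs `rangerService.getName()` — the name is the safer choice if service configs can carry credentials. updateServiceAuditConfig starts and ends outside this hunk.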
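Review bot: In createTransactionLog the guard `trace.length > 3` does not cover the indices it protects: the condition reads `trace[4]` and `trace[5]`, so a stack of four or five frames throws ArrayIndexOutOfBoundsException. The guard should be `trace.length > 5`, or each index checked before use. Choosing the operation context from method names on the call stack is fragile; a comment naming the import entry points this relies on would help whoever renames one. The else branch continues outside the hunk.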
@@ -2523,10 +2824,9 @@ void createTransactionLog(RangerPolicy policy, int operationImportContext, int o } List applyResourceFilter(RangerServiceDef serviceDef, List policies, Map filterResources, SearchFilter filter, RangerPolicyResourceMatcher.MatchScope scope) { - LOG.debug("==> ServiceDBStore.applyResourceFilter(policies-size={}, filterResources={}, scope={})", policies.size(), filterResources, scope); - - List ret = new ArrayList<>(); + LOG.debug("==> ServiceDBStore.applyResourceFilter(policies-size={}, filterResources={}, {})", policies.size(), filterResources, scope); + List ret = new ArrayList<>(); List matchers = getMatchers(serviceDef, filterResources, filter); if (CollectionUtils.isNotEmpty(matchers)) { @@ -2536,6 +2836,7 @@ List applyResourceFilter(RangerServiceDef serviceDef, List applyResourceFilter(RangerServiceDef serviceDef, List applyResourceFilter(RangerServiceDef serviceDef, List getMatchers(RangerServiceDef serviceDef, Map filterResources, SearchFilter filter) { LOG.debug("==> ServiceDBStore.getMatchers(filterResources={})", filterResources); - List ret = new ArrayList<>(); - - RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef); - - String policyTypeStr = filter.getParam(SearchFilter.POLICY_TYPE); - - int[] policyTypes = RangerPolicy.POLICY_TYPES; + List ret = new ArrayList<>(); + RangerServiceDefHelper serviceDefHelper = new RangerServiceDefHelper(serviceDef); + String policyTypeStr = filter.getParam(SearchFilter.POLICY_TYPE); + int[] policyTypes = RangerPolicy.POLICY_TYPES; if (StringUtils.isNotBlank(policyTypeStr)) { policyTypes = new int[1]; 
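Review bot: The reworked debug line in applyResourceFilter drops the `scope=` label — `"... filterResources={}, {})"` now prints the scope value without a name, which makes the entry harder to read than the line it replaces. Restore it: `LOG.debug("==> ServiceDBStore.applyResourceFilter(policies-size={}, filterResources={}, scope={})", policies.size(), filterResources, scope);`. applyResourceFilter continues outside this hunk.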
@@ -2581,6 +2879,7 @@ List getMatchers(RangerServiceDef serviceDef, Map getMatchers(RangerServiceDef serviceDef, Map ServiceDBStore.getServicePoliciesWithDeltas(serviceType={}, serviceId={}, tagServiceId={}, lastKnownVersion={})", serviceDef.getName(), service.getId(), (tagService != null ? tagService.getId() : null), lastKnownVersion); + LOG.debug("==> ServiceDBStore.getServicePoliciesWithDeltas(serviceType={}, serviceId={}, tagServiceId={}, lastKnownVersion={})", serviceDef.getName(), service.getId(), tagService != null ? tagService.getId() : null, lastKnownVersion); + if (lastKnownVersion != -1L) { - List resourcePolicyDeltas; List tagPolicyDeltas = null; - List gdsPolicyDeltas = null; Long retrievedPolicyVersion = null; Long retrievedTagPolicyVersion = null; - Long retrievedGdsPolicyVersion = null; + String componentServiceType = serviceDef.getName(); - String componentServiceType = serviceDef.getName(); + List resourcePolicyDeltas = daoMgr.getXXPolicyChangeLog().findLaterThan(lastKnownVersion, maxNeededVersion, service.getId()); - boolean isValid; - - resourcePolicyDeltas = daoMgr.getXXPolicyChangeLog().findLaterThan(lastKnownVersion, maxNeededVersion, service.getId()); if (CollectionUtils.isNotEmpty(resourcePolicyDeltas)) { - isValid = RangerPolicyDeltaUtil.isValidDeltas(resourcePolicyDeltas, componentServiceType); + boolean isValid = RangerPolicyDeltaUtil.isValidDeltas(resourcePolicyDeltas, componentServiceType); if (isValid) { retrievedPolicyVersion = resourcePolicyDeltas.get(resourcePolicyDeltas.size() - 1).getPoliciesVersion(); @@ -2626,6 +2921,7 @@ ServicePolicies getServicePoliciesWithDeltas(RangerServiceDef serviceDef, XXServ if (isValid && tagService != null) { Long id = resourcePolicyDeltas.get(0).getId(); + tagPolicyDeltas = daoMgr.getXXPolicyChangeLog().findGreaterThan(id, maxNeededVersion, tagService.getId()); if (CollectionUtils.isNotEmpty(tagPolicyDeltas)) { 
@@ -2653,6 +2949,7 @@ ServicePolicies getServicePoliciesWithDeltas(RangerServiceDef serviceDef, XXServ if (compressedDeltas != null) { ret = new ServicePolicies(); + ret.setServiceId(service.getId()); ret.setServiceName(service.getName()); ret.setServiceDef(serviceDef); @@ -2662,11 +2959,13 @@ ServicePolicies getServicePoliciesWithDeltas(RangerServiceDef serviceDef, XXServ if (tagServiceDef != null && tagService != null) { ServicePolicies.TagPolicies tagPolicies = new ServicePolicies.TagPolicies(); + tagPolicies.setServiceDef(tagServiceDef); tagPolicies.setServiceId(tagService.getId()); tagPolicies.setServiceName(tagService.getName()); tagPolicies.setPolicies(null); tagPolicies.setPolicyVersion(retrievedTagPolicyVersion); + ret.setTagPolicies(tagPolicies); } } else { @@ -2674,11 +2973,12 @@ ServicePolicies getServicePoliciesWithDeltas(RangerServiceDef serviceDef, XXServ } } } else { - LOG.warn("No policy-deltas found for serviceId={}, tagServiceId={}, lastKnownVersion={})", service.getId(), (tagService != null ? tagService.getId() : null), lastKnownVersion); + LOG.warn("No policy-deltas found for serviceId={}, tagServiceId={}, lastKnownVersion={})", service.getId(), tagService != null ? tagService.getId() : null, lastKnownVersion); } } - LOG.debug("<== ServiceDBStore.getServicePoliciesWithDeltas(serviceType={}, serviceId={}, tagServiceId={}, lastKnownVersion={}) : deltasSize={}", serviceDef.getName(), service.getId(), (tagService != null ? tagService.getId() : null), lastKnownVersion, (ret != null && CollectionUtils.isNotEmpty(ret.getPolicyDeltas()) ? ret.getPolicyDeltas().size() : 0)); + LOG.debug("<== ServiceDBStore.getServicePoliciesWithDeltas(serviceType={}, serviceId={}, tagServiceId={}, lastKnownVersion={}) : deltasSize={}", serviceDef.getName(), service.getId(), tagService != null ? tagService.getId() : null, lastKnownVersion, ret != null && CollectionUtils.isNotEmpty(ret.getPolicyDeltas()) ? ret.getPolicyDeltas().size() : 0); + return ret; } 
@@ -2694,8 +2994,7 @@ void createDefaultPolicies(RangerService createdService) throws Exception { List populateDefaultPolicies(RangerService service) throws Exception { List ret = null; - - RangerBaseService svc = serviceMgr.getRangerServiceByService(service, this); + RangerBaseService svc = serviceMgr.getRangerServiceByService(service, this); if (svc != null) { List serviceCheckUsers = getServiceCheckUsers(service); @@ -2706,12 +3005,15 @@ List populateDefaultPolicies(RangerService service) throws Excepti for (String userName : serviceCheckUsers) { if (!StringUtils.isEmpty(userName)) { XXUser xxUser = daoMgr.getXXUser().findByUserName(userName); + if (xxUser != null) { - VXUser vXUser = xUserService.populateViewBean(xxUser); + xUserService.populateViewBean(xxUser); } else { xUserMgr.createServiceConfigUser(userName); + LOG.info("Creating Ambari Service Check User : {}", userName); } + users.add(userName); } } 
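Review bot: `xUserService.populateViewBean(xxUser);` keeps a call whose result the commit stopped assigning; if populateViewBean has no side effect the line is dead work and should be removed, and if it does have one that deserves a comment so the next cleanup does not drop it. In the else branch the user is created before the log line announces it — `LOG.info("Creating Ambari Service Check User : {}", userName)` ahead of `xUserMgr.createServiceConfigUser(userName)` would match the message. populateDefaultPolicies starts and ends outside this hunk.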
@@ -2739,12 +3041,18 @@ List populateDefaultPolicies(RangerService service) throws Excepti } } - boolean isPolicyItemValid = validatePolicyItems(defaultPolicy.getPolicyItems()) && validatePolicyItems(defaultPolicy.getDenyPolicyItems()) && validatePolicyItems(defaultPolicy.getAllowExceptions()) && validatePolicyItems(defaultPolicy.getDenyExceptions()) && validatePolicyItems(defaultPolicy.getDataMaskPolicyItems()) && validatePolicyItems(defaultPolicy.getRowFilterPolicyItems()); + boolean isPolicyItemValid = validatePolicyItems(defaultPolicy.getPolicyItems()) + && validatePolicyItems(defaultPolicy.getDenyPolicyItems()) + && validatePolicyItems(defaultPolicy.getAllowExceptions()) + && validatePolicyItems(defaultPolicy.getDenyExceptions()) + && validatePolicyItems(defaultPolicy.getDataMaskPolicyItems()) + && validatePolicyItems(defaultPolicy.getRowFilterPolicyItems()); if (isPolicyItemValid) { if (ret == null) { ret = new ArrayList<>(); } + ret.add(defaultPolicy); } else { LOG.warn("Default policy won't be created,since policyItems not valid-either users/groups not present or access not present in policy."); @@ -2752,6 +3060,7 @@ List populateDefaultPolicies(RangerService service) throws Excepti } } } + return ret; } 
@@ -2764,56 +3073,74 @@ void createDefaultPolicyUsersAndGroups(List defaultPolicies) { defaultPolicyUsers.addAll(defaultPolicyItem.getUsers()); defaultPolicyGroups.addAll(defaultPolicyItem.getGroups()); } + for (RangerPolicyItem defaultPolicyItem : defaultPolicy.getAllowExceptions()) { defaultPolicyUsers.addAll(defaultPolicyItem.getUsers()); defaultPolicyGroups.addAll(defaultPolicyItem.getGroups()); } + for (RangerPolicyItem defaultPolicyItem : defaultPolicy.getDenyPolicyItems()) { defaultPolicyUsers.addAll(defaultPolicyItem.getUsers()); defaultPolicyGroups.addAll(defaultPolicyItem.getGroups()); } + for (RangerPolicyItem defaultPolicyItem : defaultPolicy.getDenyExceptions()) { defaultPolicyUsers.addAll(defaultPolicyItem.getUsers()); defaultPolicyGroups.addAll(defaultPolicyItem.getGroups()); } + for (RangerPolicyItem defaultPolicyItem : defaultPolicy.getDataMaskPolicyItems()) { defaultPolicyUsers.addAll(defaultPolicyItem.getUsers()); defaultPolicyGroups.addAll(defaultPolicyItem.getGroups()); } + for (RangerPolicyItem defaultPolicyItem : defaultPolicy.getRowFilterPolicyItems()) { defaultPolicyUsers.addAll(defaultPolicyItem.getUsers()); defaultPolicyGroups.addAll(defaultPolicyItem.getGroups()); } } + for (String policyUser : defaultPolicyUsers) { LOG.debug("Checking policyUser:[{}] for existence", policyUser); + if (StringUtils.isNotBlank(policyUser) && !StringUtils.equals(policyUser, RangerPolicyEngine.USER_CURRENT) && !StringUtils.equals(policyUser, RangerPolicyEngine.RESOURCE_OWNER)) { String userName = stringUtil.getValidUserName(policyUser); XXUser xxUser = daoMgr.getXXUser().findByUserName(userName); + if (xxUser == null) { UserSessionBase usb = ContextUtil.getCurrentUserSession(); + if (usb != null && !usb.isKeyAdmin() && !usb.isUserAdmin() && !usb.isSpnegoEnabled()) { throw restErrorUtil.createRESTException("User does not exist with given username: [" + policyUser + "] please use existing user", MessageEnums.OPER_NO_PERMISSION); } + 
xUserMgr.createServiceConfigUser(userName); } } } + for (String policyGroup : defaultPolicyGroups) { LOG.debug("Checking policyGroup:[{}] for existence", policyGroup); + if (StringUtils.isNotBlank(policyGroup)) { XXGroup xxGroup = daoMgr.getXXGroup().findByGroupName(policyGroup); + if (xxGroup == null) { UserSessionBase usb = ContextUtil.getCurrentUserSession(); + if (usb != null && !usb.isKeyAdmin() && !usb.isUserAdmin() && !usb.isSpnegoEnabled()) { throw restErrorUtil.createRESTException("Group does not exist with given groupname: [" + policyGroup + "] please use existing group", MessageEnums.OPER_NO_PERMISSION); } + VXGroup vXGroup = new VXGroup(); + vXGroup.setName(policyGroup); vXGroup.setDescription(policyGroup); vXGroup.setGroupSource(RangerCommonEnums.GROUP_INTERNAL); vXGroup.setIsVisible(RangerCommonEnums.IS_VISIBLE); + VXGroup createdVXGrp = xGroupService.createResource(vXGroup); + xGroupService.createTransactionLog(createdVXGrp, null, OPERATION_CREATE_CONTEXT); } } @@ -2821,9 +3148,8 @@ void createDefaultPolicyUsersAndGroups(List defaultPolicies) { } List getServiceCheckUsers(RangerService createdService) { - List ret = new ArrayList<>(); - String userNames = ""; - + List ret = new ArrayList<>(); + String userNames = ""; Map serviceConfig = createdService.getConfigs(); if (serviceConfig.containsKey(SERVICE_CHECK_USER)) { 
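Review bot: Both existence checks in createDefaultPolicyUsersAndGroups auto-create the principal whenever `usb == null`, i.e. when there is no current user session at all; the REST exception only fires for a session that is neither key-admin, user-admin nor SPNEGO. If this path is reachable from a request without an established session rather than only from internal service creation, it creates users and groups from policy input with no authorization check — a comment naming the expected callers, or a test pinning the no-session case as internal-only, would make that explicit. The user branch resolves the name through `stringUtil.getValidUserName(policyUser)` while the group branch uses `policyGroup` as given; confirm that asymmetry is intended. createDefaultPolicyUsersAndGroups starts outside the hunk.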
@@ -2834,31 +3160,38 @@ List getServiceCheckUsers(RangerService createdService) { if (!StringUtils.isEmpty(userNames)) { String[] userList = userNames.split(","); + for (String userName : userList) { if (!StringUtils.isEmpty(userName)) { ret.add(userName.trim()); } } } + return ret; } void updatePolicySignature(RangerPolicy policy) { String guid = policy.getGuid(); + if (StringUtils.isEmpty(guid)) { guid = guidUtil.genGUID(); + policy.setGuid(guid); } + RangerPolicyResourceSignature policySignature = factory.createPolicyResourceSignature(policy); String signature = policySignature.getSignature(); + policy.setResourceSignature(signature); - String message = String.format("Setting signature on policy id=%d, name=%s to [%s]", policy.getId(), policy.getName(), signature); - LOG.debug(message); + + LOG.debug("Setting signature on policy id={}, name={} to [{}]", policy.getId(), policy.getName(), signature); } boolean hasServiceConfigForPluginChanged(List dbConfigMaps, Map validConfigs) { boolean ret = false; Map configs = new HashMap<>(); + if (CollectionUtils.isNotEmpty(dbConfigMaps)) { for (XXServiceConfigMap dbConfigMap : dbConfigMaps) { if (StringUtils.startsWith(dbConfigMap.getConfigkey(), RANGER_PLUGIN_CONFIG_PREFIX)) { @@ -2866,6 +3199,7 @@ boolean hasServiceConfigForPluginChanged(List dbConfigMaps, } } } + if (MapUtils.isNotEmpty(validConfigs)) { for (String key : validConfigs.keySet()) { if (StringUtils.startsWith(key, RANGER_PLUGIN_CONFIG_PREFIX)) { 
@@ -2877,258 +3211,339 @@ boolean hasServiceConfigForPluginChanged(List dbConfigMaps, } } } - if (configs.size() > 0) { + + if (!configs.isEmpty()) { return true; } return ret; } - private void updateChildObjectsOfServiceDef(XXServiceDef createdSvcDef, List configs, List resources, List accessTypes, List policyConditions, List contextEnrichers, List enums, RangerDataMaskDef dataMaskDef, RangerRowFilterDef rowFilterDef) { - Long serviceDefId = createdSvcDef.getId(); - + private void updateChildObjectsOfServiceDef(XXServiceDef createdSvcDef, List configs, + List resources, List accessTypes, + List policyConditions, List contextEnrichers, + List enums, RangerDataMaskDef dataMaskDef, RangerRowFilterDef rowFilterDef) { + Long serviceDefId = createdSvcDef.getId(); List xxConfigs = daoMgr.getXXServiceConfigDef().findByServiceDefId(serviceDefId); List xxResources = daoMgr.getXXResourceDef().findByServiceDefId(serviceDefId); List xxAccessTypes = daoMgr.getXXAccessTypeDef().findByServiceDefId(serviceDefId); List xxPolicyConditions = daoMgr.getXXPolicyConditionDef().findByServiceDefId(serviceDefId); List xxContextEnrichers = daoMgr.getXXContextEnricherDef().findByServiceDefId(serviceDefId); List xxEnums = daoMgr.getXXEnumDef().findByServiceDefId(serviceDefId); + XXServiceConfigDefDao xxServiceConfigDao = daoMgr.getXXServiceConfigDef(); - XXServiceConfigDefDao xxServiceConfigDao = daoMgr.getXXServiceConfigDef(); for (int i = 0; i < configs.size(); i++) { RangerServiceConfigDef config = configs.get(i); boolean found = false; + for (XXServiceConfigDef xConfig : xxConfigs) { if (config.getItemId() != null && config.getItemId().equals(xConfig.getItemId())) { found = true; xConfig = serviceDefService.populateRangerServiceConfigDefToXX(config, xConfig, createdSvcDef, RangerServiceDefService.OPERATION_UPDATE_CONTEXT); + xConfig.setOrder(i); + xConfig = xxServiceConfigDao.update(xConfig); config = serviceDefService.populateXXToRangerServiceConfigDef(xConfig); break; } } + if (!found) 
{ XXServiceConfigDef xConfig = new XXServiceConfigDef(); + xConfig = serviceDefService.populateRangerServiceConfigDefToXX(config, xConfig, createdSvcDef, RangerServiceDefService.OPERATION_CREATE_CONTEXT); + xConfig.setOrder(i); + xConfig = xxServiceConfigDao.create(xConfig); - config = serviceDefService.populateXXToRangerServiceConfigDef(xConfig); + + serviceDefService.populateXXToRangerServiceConfigDef(xConfig); } } + for (XXServiceConfigDef xConfig : xxConfigs) { boolean found = false; + for (RangerServiceConfigDef config : configs) { if (xConfig.getItemId() != null && xConfig.getItemId().equals(config.getItemId())) { found = true; break; } } + if (!found) { xxServiceConfigDao.remove(xConfig); } } XXResourceDefDao xxResDefDao = daoMgr.getXXResourceDef(); + for (RangerResourceDef resource : resources) { boolean found = false; + for (XXResourceDef xRes : xxResources) { if (resource.getItemId() != null && resource.getItemId().equals(xRes.getItemId())) { found = true; xRes = serviceDefService.populateRangerResourceDefToXX(resource, xRes, createdSvcDef, RangerServiceDefService.OPERATION_UPDATE_CONTEXT); + xxResDefDao.update(xRes); + resource = serviceDefService.populateXXToRangerResourceDef(xRes); break; } } - if (!found) { - XXResourceDef parent = xxResDefDao.findByNameAndServiceDefId(resource.getParent(), serviceDefId); - Long parentId = (parent != null) ? parent.getId() : null; + if (!found) { + XXResourceDef parent = xxResDefDao.findByNameAndServiceDefId(resource.getParent(), serviceDefId); + Long parentId = (parent != null) ? 
parent.getId() : null; XXResourceDef xResource = new XXResourceDef(); + xResource = serviceDefService.populateRangerResourceDefToXX(resource, xResource, createdSvcDef, RangerServiceDefService.OPERATION_CREATE_CONTEXT); + xResource.setParent(parentId); - xResource = xxResDefDao.create(xResource); + + xxResDefDao.create(xResource); } } + for (XXResourceDef xRes : xxResources) { boolean found = false; + for (RangerResourceDef resource : resources) { if (xRes.getItemId() != null && xRes.getItemId().equals(resource.getItemId())) { found = true; break; } } + if (!found) { List xxPolicyRefResource = daoMgr.getXXPolicyRefResource().findByResourceDefID(xRes.getId()); + if (!stringUtil.isEmpty(xxPolicyRefResource)) { throw restErrorUtil.createRESTException("Policy/Policies are referring to this resource: " + xRes.getName() + ". Please remove such references from policy before updating service-def.", MessageEnums.DATA_NOT_UPDATABLE); } + deleteXXResourceDef(xRes); } } XXAccessTypeDefDao xxATDDao = daoMgr.getXXAccessTypeDef(); + for (int i = 0; i < accessTypes.size(); i++) { RangerAccessTypeDef access = accessTypes.get(i); boolean found = false; + for (XXAccessTypeDef xAccess : xxAccessTypes) { if (access.getItemId() != null && access.getItemId().equals(xAccess.getItemId())) { found = true; xAccess = serviceDefService.populateRangerAccessTypeDefToXX(access, xAccess, createdSvcDef, RangerServiceDefService.OPERATION_UPDATE_CONTEXT); + xAccess.setOrder(i); + xAccess = xxATDDao.update(xAccess); Collection impliedGrants = access.getImpliedGrants(); XXAccessTypeDefGrantsDao xxATDGrantDao = daoMgr.getXXAccessTypeDefGrants(); List xxImpliedGrants = xxATDGrantDao.findImpliedGrantsByATDId(xAccess.getId()); + for (String impliedGrant : impliedGrants) { boolean foundGrant = false; + for (String xImpliedGrant : xxImpliedGrants) { if (StringUtils.equalsIgnoreCase(impliedGrant, xImpliedGrant)) { foundGrant = true; break; } } + if (!foundGrant) { XXAccessTypeDefGrants xImpliedGrant = new 
XXAccessTypeDefGrants(); + xImpliedGrant.setAtdId(xAccess.getId()); xImpliedGrant.setImpliedGrant(impliedGrant); - xImpliedGrant = xxATDGrantDao.create(xImpliedGrant); + + xxATDGrantDao.create(xImpliedGrant); } } + for (String xImpliedGrant : xxImpliedGrants) { boolean foundGrant = false; + for (String impliedGrant : impliedGrants) { if (StringUtils.equalsIgnoreCase(xImpliedGrant, impliedGrant)) { foundGrant = true; break; } } + if (!foundGrant) { XXAccessTypeDefGrants xATDGrant = xxATDGrantDao.findByNameAndATDId(xAccess.getId(), xImpliedGrant); + xxATDGrantDao.remove(xATDGrant); } } + access = serviceDefService.populateXXToRangerAccessTypeDef(xAccess); break; } } + if (!found) { XXAccessTypeDef xAccessType = new XXAccessTypeDef(); + xAccessType = serviceDefService.populateRangerAccessTypeDefToXX(access, xAccessType, createdSvcDef, RangerServiceDefService.OPERATION_CREATE_CONTEXT); + xAccessType.setOrder(i); + xAccessType = xxATDDao.create(xAccessType); Collection impliedGrants = access.getImpliedGrants(); XXAccessTypeDefGrantsDao xxATDGrantDao = daoMgr.getXXAccessTypeDefGrants(); + for (String impliedGrant : impliedGrants) { XXAccessTypeDefGrants xImpliedGrant = new XXAccessTypeDefGrants(); + xImpliedGrant.setAtdId(xAccessType.getId()); xImpliedGrant.setImpliedGrant(impliedGrant); - xImpliedGrant = xxATDGrantDao.create(xImpliedGrant); + + xxATDGrantDao.create(xImpliedGrant); } - access = serviceDefService.populateXXToRangerAccessTypeDef(xAccessType); + + serviceDefService.populateXXToRangerAccessTypeDef(xAccessType); } } for (XXAccessTypeDef xAccess : xxAccessTypes) { boolean found = false; + for (RangerAccessTypeDef access : accessTypes) { if (xAccess.getItemId() != null && xAccess.getItemId().equals(access.getItemId())) { found = true; break; } } + if (!found) { List policyRefAccessTypeList = daoMgr.getXXPolicyRefAccessType().findByAccessTypeDefId(xAccess.getId()); + if (!stringUtil.isEmpty(policyRefAccessTypeList)) { throw 
restErrorUtil.createRESTException("Policy/Policies are referring to this access-type: " + xAccess.getName() + ". Please remove such references from policy before updating service-def.", MessageEnums.DATA_NOT_UPDATABLE); } + deleteXXAccessTypeDef(xAccess); } } XXPolicyConditionDefDao xxPolCondDao = daoMgr.getXXPolicyConditionDef(); + for (int i = 0; i < policyConditions.size(); i++) { RangerPolicyConditionDef condition = policyConditions.get(i); boolean found = false; + for (XXPolicyConditionDef xCondition : xxPolicyConditions) { if (condition.getItemId() != null && condition.getItemId().equals(xCondition.getItemId())) { found = true; xCondition = serviceDefService.populateRangerPolicyConditionDefToXX(condition, xCondition, createdSvcDef, RangerServiceDefService.OPERATION_UPDATE_CONTEXT); + xCondition.setOrder(i); + xCondition = xxPolCondDao.update(xCondition); condition = serviceDefService.populateXXToRangerPolicyConditionDef(xCondition); break; } } + if (!found) { XXPolicyConditionDef xCondition = new XXPolicyConditionDef(); + xCondition = serviceDefService.populateRangerPolicyConditionDefToXX(condition, xCondition, createdSvcDef, RangerServiceDefService.OPERATION_CREATE_CONTEXT); + xCondition.setOrder(i); + xCondition = xxPolCondDao.create(xCondition); - condition = serviceDefService.populateXXToRangerPolicyConditionDef(xCondition); + + serviceDefService.populateXXToRangerPolicyConditionDef(xCondition); } } + for (XXPolicyConditionDef xCondition : xxPolicyConditions) { boolean found = false; + for (RangerPolicyConditionDef condition : policyConditions) { if (xCondition.getItemId() != null && xCondition.getItemId().equals(condition.getItemId())) { found = true; break; } } + if (!found) { List xxPolicyRefConditions = daoMgr.getXXPolicyRefCondition().findByConditionDefId(xCondition.getId()); + if (!stringUtil.isEmpty(xxPolicyRefConditions)) { throw restErrorUtil.createRESTException("Policy/Policies are referring to this policy-condition: " + xCondition.getName() + 
". Please remove such references from policy before updating service-def.", MessageEnums.DATA_NOT_UPDATABLE); } + for (XXPolicyRefCondition xxPolicyRefCondition : xxPolicyRefConditions) { daoMgr.getXXPolicyRefCondition().remove(xxPolicyRefCondition); } + xxPolCondDao.remove(xCondition); } } XXContextEnricherDefDao xxContextEnricherDao = daoMgr.getXXContextEnricherDef(); + for (int i = 0; i < contextEnrichers.size(); i++) { RangerContextEnricherDef context = contextEnrichers.get(i); boolean found = false; + for (XXContextEnricherDef xContext : xxContextEnrichers) { if (context.getItemId() != null && context.getItemId().equals(xContext.getItemId())) { found = true; xContext = serviceDefService.populateRangerContextEnricherDefToXX(context, xContext, createdSvcDef, RangerServiceDefService.OPERATION_UPDATE_CONTEXT); + xContext.setOrder(i); + xContext = xxContextEnricherDao.update(xContext); context = serviceDefService.populateXXToRangerContextEnricherDef(xContext); break; } } + if (!found) { XXContextEnricherDef xContext = new XXContextEnricherDef(); + xContext = serviceDefService.populateRangerContextEnricherDefToXX(context, xContext, createdSvcDef, RangerServiceDefService.OPERATION_UPDATE_CONTEXT); + xContext.setOrder(i); + xContext = xxContextEnricherDao.create(xContext); - context = serviceDefService.populateXXToRangerContextEnricherDef(xContext); + + serviceDefService.populateXXToRangerContextEnricherDef(xContext); } } + for (XXContextEnricherDef xContext : xxContextEnrichers) { boolean found = false; + for (RangerContextEnricherDef context : contextEnrichers) { if (xContext.getItemId() != null && xContext.getItemId().equals(context.getItemId())) { found = true; break; } } + if (!found) { daoMgr.getXXContextEnricherDef().remove(xContext); } } XXEnumDefDao xxEnumDefDao = daoMgr.getXXEnumDef(); + for (RangerEnumDef enumDef : enums) { boolean found = false; + for (XXEnumDef xEnumDef : xxEnums) { if (enumDef.getItemId() != null && 
enumDef.getItemId().equals(xEnumDef.getItemId())) { found = true; 
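Review bot: The create path for context enrichers still passes `RangerServiceDefService.OPERATION_UPDATE_CONTEXT` to `populateRangerContextEnricherDefToXX` inside the `if (!found) { XXContextEnricherDef xContext = new XXContextEnricherDef(); ... }` branch, while every other create branch in this hunk (config, resource, access type, condition) passes `OPERATION_CREATE_CONTEXT`; the commit reformats that line without fixing it, so it should read `RangerServiceDefService.OPERATION_CREATE_CONTEXT` unless the update context is intentional, in which case a comment should say why. Separately, the rewritten tails `serviceDefService.populateXXToRangerServiceConfigDef(xConfig);` (and the matching resource, access-type, condition, context and enum calls) now discard their result; if those methods have no side effects the calls are dead and should be removed, and if they do, a short comment should say what they change. At the top of the hunk, `return ret;` in hasServiceConfigForPluginChanged returns a `ret` that is never assigned after its declaration, so the method tail reduces to `return !configs.isEmpty();`. The bodies of hasServiceConfigForPluginChanged and updateChildObjectsOfServiceDef start and end outside this hunk.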
@@ -3142,75 +3557,98 @@ private void updateChildObjectsOfServiceDef(XXServiceDef createdSvcDef, List elements = enumDef.getElements(); XXEnumElementDefDao xxEnumEleDefDao = daoMgr.getXXEnumElementDef(); + for (RangerEnumElementDef element : elements) { XXEnumElementDef xElement = new XXEnumElementDef(); + xElement = serviceDefService.populateRangerEnumElementDefToXX(element, xElement, xEnum, RangerServiceDefService.OPERATION_CREATE_CONTEXT); - xElement = xxEnumEleDefDao.create(xElement); + + xxEnumEleDefDao.create(xElement); } - enumDef = serviceDefService.populateXXToRangerEnumDef(xEnum); + + serviceDefService.populateXXToRangerEnumDef(xEnum); } } + for (XXEnumDef xEnumDef : xxEnums) { boolean found = false; + for (RangerEnumDef enumDef : enums) { if (xEnumDef.getItemId() != null && xEnumDef.getItemId().equals(enumDef.getItemId())) { found = true; break; } } + if (!found) { List enumEleDefList = daoMgr.getXXEnumElementDef().findByEnumDefId(xEnumDef.getId()); + for (XXEnumElementDef eleDef : enumEleDefList) { daoMgr.getXXEnumElementDef().remove(eleDef); } + xxEnumDefDao.remove(xEnumDef); } } - List dataMasks = dataMaskDef == null || dataMaskDef.getMaskTypes() == null ? new ArrayList() : dataMaskDef.getMaskTypes(); - List dataMaskAccessTypes = dataMaskDef == null || dataMaskDef.getAccessTypes() == null ? new ArrayList() : dataMaskDef.getAccessTypes(); - List dataMaskResources = dataMaskDef == null || dataMaskDef.getResources() == null ? new ArrayList() : dataMaskDef.getResources(); - List rowFilterAccessTypes = rowFilterDef == null || rowFilterDef.getAccessTypes() == null ? new ArrayList() : rowFilterDef.getAccessTypes(); - List rowFilterResources = rowFilterDef == null || rowFilterDef.getResources() == null ? new ArrayList() : rowFilterDef.getResources(); + List dataMasks = dataMaskDef == null || dataMaskDef.getMaskTypes() == null ? 
new ArrayList<>() : dataMaskDef.getMaskTypes(); + List dataMaskAccessTypes = dataMaskDef == null || dataMaskDef.getAccessTypes() == null ? new ArrayList<>() : dataMaskDef.getAccessTypes(); + List dataMaskResources = dataMaskDef == null || dataMaskDef.getResources() == null ? new ArrayList<>() : dataMaskDef.getResources(); + List rowFilterAccessTypes = rowFilterDef == null || rowFilterDef.getAccessTypes() == null ? new ArrayList<>() : rowFilterDef.getAccessTypes(); + List rowFilterResources = rowFilterDef == null || rowFilterDef.getResources() == null ? new ArrayList<>() : rowFilterDef.getResources(); XXDataMaskTypeDefDao dataMaskTypeDao = daoMgr.getXXDataMaskTypeDef(); List xxDataMaskTypes = dataMaskTypeDao.findByServiceDefId(serviceDefId); List xxAccessTypeDefs = xxATDDao.findByServiceDefId(serviceDefId); @@ -3220,13 +3658,16 @@ private void updateChildObjectsOfServiceDef(XXServiceDef createdSvcDef, List svcConfig) { if (StringUtils.equalsIgnoreCase(svcType, EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME)) { String svcAdminUsers = svcConfig.get(SERVICE_ADMIN_USERS); + if (StringUtils.isNotEmpty(svcAdminUsers)) { for (String user : svcAdminUsers.split(",")) { validateUserAndProvideTabTagBasedPolicyPermission(user.trim()); 
@@ -3347,14 +3796,17 @@ private void updateTabPermissions(String svcType, Map svcConfig) private void validateUserAndProvideTabTagBasedPolicyPermission(String username) { XXPortalUser xxPortalUser = daoMgr.getXXPortalUser().findByLoginId(username); + if (xxPortalUser == null) { throw restErrorUtil.createRESTException("Username : " + username + " does not exist. Please provide valid user as service admin for tag service .", MessageEnums.ERROR_CREATING_OBJECT); } else { VXPortalUser vXPortalUser = userMgr.mapXXPortalUserToVXPortalUserForDefaultAccount(xxPortalUser); + if (CollectionUtils.isNotEmpty(vXPortalUser.getUserRoleList()) && vXPortalUser.getUserRoleList().size() == 1) { for (String userRole : vXPortalUser.getUserRoleList()) { if (userRole.equals(RangerConstants.ROLE_USER)) { HashMap moduleNameId = xUserMgr.getAllModuleNameAndIdMap(); + xUserMgr.createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_TAG_BASED_POLICIES), true); } } @@ -3388,6 +3840,7 @@ private boolean validatePolicyItems(List policyItems if (CollectionUtils.isEmpty(policyItem.getAccesses()) || policyItem.getAccesses().contains(null)) { return false; } + for (RangerPolicyItemAccess itemAccesses : policyItem.getAccesses()) { if (itemAccesses.getType() == null || itemAccesses.getIsAllowed() == null) { return false; @@ -3442,8 +3895,7 @@ private List getServicePolicies(XXService service, SearchFilter fi throw new Exception("service does not exist"); } - List ret = null; - + List ret; ServicePolicies servicePolicies = RangerServicePoliciesCache.getInstance().getServicePolicies(service.getName(), service.getId(), -1L, true, this); final List policies = servicePolicies != null ? servicePolicies.getPolicies() : null; 
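Review bot: In validateUserAndProvideTabTagBasedPolicyPermission the id looked up with `moduleNameId.get(RangerConstants.MODULE_TAG_BASED_POLICIES)` is handed straight to `xUserMgr.createOrUpdateUserPermisson`, so a map without that module entry would pass a null module id; since this call grants a module permission based on a value taken from the tag service's admin-users config, it is worth failing explicitly rather than relying on the callee. Pulling the lookup into a local and guarding it, e.g. `if (moduleId != null) { xUserMgr.createOrUpdateUserPermisson(vXPortalUser, moduleId, true); }` with an error logged otherwise, would make the intent clear. Whether the callee already tolerates null cannot be seen from this hunk, and the method's closing lines lie outside it.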
@@ -3455,14 +3907,16 @@ private List getServicePolicies(XXService service, SearchFilter fi if (MapUtils.isNotEmpty(filterResources) && resourceMatchScope != null) { useLegacyResourceSearch = false; + for (Map.Entry entry : filterResources.entrySet()) { searchFilter.removeParam(SearchFilter.RESOURCE_PREFIX + entry.getKey()); } } - LOG.debug("Using {} way of filtering service-policies", (useLegacyResourceSearch ? " old " : " new ")); + LOG.debug("Using{}way of filtering service-policies", useLegacyResourceSearch ? " old " : " new "); ret = new ArrayList<>(policies); + predicateUtil.applyFilter(ret, searchFilter); if (!useLegacyResourceSearch && CollectionUtils.isNotEmpty(ret)) { @@ -3488,10 +3942,10 @@ private List getServicePolicies(XXService service, SearchFilter fi } case ANCESTOR: { Map updatedFilterResources = RangerServiceDefHelper.getFilterResourcesForAncestorPolicyFiltering(serviceDef, filterResources); + if (MapUtils.isNotEmpty(updatedFilterResources)) { - for (Map.Entry entry : updatedFilterResources.entrySet()) { - filterResources.put(entry.getKey(), entry.getValue()); - } + filterResources.putAll(updatedFilterResources); + scope = RangerPolicyResourceMatcher.MatchScope.SELF_OR_ANCESTOR; } break; 
@@ -3506,19 +3960,18 @@ private List getServicePolicies(XXService service, SearchFilter fi ret = policies; } - LOG.debug("<== ServiceDBStore.getServicePolicies(): count={}", ((ret == null) ? 0 : ret.size())); + LOG.debug("<== ServiceDBStore.getServicePolicies(): count={}", (ret == null) ? 0 : ret.size()); return ret; } - private List getServicePoliciesFromDb(XXService service) throws Exception { + private List getServicePoliciesFromDb(XXService service) { LOG.debug("==> ServiceDBStore.getServicePoliciesFromDb({})", service.getName()); RangerPolicyRetriever policyRetriever = new RangerPolicyRetriever(daoMgr, txManager); + List ret = policyRetriever.getServicePolicies(service); - List ret = policyRetriever.getServicePolicies(service); - - LOG.debug("<== ServiceDBStore.getServicePoliciesFromDb({}): count={}", service.getName(), ((ret == null) ? 0 : ret.size())); + LOG.debug("<== ServiceDBStore.getServicePoliciesFromDb({}): count={}", service.getName(), (ret == null) ? 0 : ret.size()); return ret; } @@ -3526,9 +3979,8 @@ private List getServicePoliciesFromDb(XXService service) throws Ex private ServicePolicies getServicePolicies(String serviceName, Long lastKnownVersion, boolean getOnlyDeltas, boolean isDeltaEnabled, Long maxNeededVersion) throws Exception { LOG.debug("==> ServiceDBStore.getServicePolicies({}, {})", serviceName, lastKnownVersion); - ServicePolicies ret = null; - - XXService serviceDbObj = daoMgr.getXXService().findByName(serviceName); + ServicePolicies ret = null; + XXService serviceDbObj = daoMgr.getXXService().findByName(serviceName); if (serviceDbObj == null) { throw new Exception("service does not exist. name=" + serviceName); 
@@ -3545,10 +3997,9 @@ private ServicePolicies getServicePolicies(String serviceName, Long lastKnownVer if (serviceDef == null) { throw new Exception("service-def does not exist. id=" + serviceDbObj.getType()); } - String serviceType = serviceDef.getName(); - - String auditMode = getAuditMode(serviceType, serviceName); + String serviceType = serviceDef.getName(); + String auditMode = getAuditMode(serviceType, serviceName); XXService tagServiceDbObj = null; RangerServiceDef tagServiceDef = null; XXServiceVersionInfo tagServiceVersionInfoDbObj = null; @@ -3580,6 +4031,7 @@ private ServicePolicies getServicePolicies(String serviceName, Long lastKnownVer if (ret != null) { ret.setPolicyUpdateTime(serviceVersionInfoDbObj == null ? null : serviceVersionInfoDbObj.getPolicyUpdateTime()); ret.setAuditMode(auditMode); + if (ret.getTagPolicies() != null) { ret.getTagPolicies().setPolicyUpdateTime(tagServiceVersionInfoDbObj == null ? null : tagServiceVersionInfoDbObj.getPolicyUpdateTime()); ret.getTagPolicies().setAuditMode(auditMode); 
@@ -3613,24 +4065,19 @@ private ServicePolicies getServicePolicies(String serviceName, Long lastKnownVer ret.setTagPolicies(tagPolicies); } - LOG.debug("<== ServiceDBStore.getServicePolicies({}, {}): count={}, delta-count={}", serviceName, lastKnownVersion, ((ret == null || ret.getPolicies() == null) ? 0 : ret.getPolicies().size()), ((ret == null || ret.getPolicyDeltas() == null) ? 0 : ret.getPolicyDeltas().size())); + LOG.debug("<== ServiceDBStore.getServicePolicies({}, {}): count={}, delta-count={}", serviceName, lastKnownVersion, (ret == null || ret.getPolicies() == null) ? 0 : ret.getPolicies().size(), (ret == null || ret.getPolicyDeltas() == null) ? 0 : ret.getPolicyDeltas().size()); return ret; } private static List compressDeltas(List deltas) { - List ret = new ArrayList<>(); - + List ret = new ArrayList<>(); final Map> policyDeltaMap = new HashMap<>(); for (RangerPolicyDelta delta : deltas) { Long policyId = delta.getPolicyId(); - List oldPolicyDeltas = policyDeltaMap.get(policyId); + List oldPolicyDeltas = policyDeltaMap.computeIfAbsent(policyId, k -> new ArrayList<>()); - if (oldPolicyDeltas == null) { - oldPolicyDeltas = new ArrayList<>(); - policyDeltaMap.put(policyId, oldPolicyDeltas); - } oldPolicyDeltas.add(delta); } 
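Review bot: `computeIfAbsent` is a good replacement for the removed get/put block, but compressDeltas still groups deltas into a plain `HashMap`, so the compressed list in `ret` is emitted in hash order of policyId rather than in the order the deltas arrived; if consumers apply deltas sequentially, the relative order across policies presumably matters. Switching the context line to `final Map<Long, List<RangerPolicyDelta>> policyDeltaMap = new LinkedHashMap<>();` (with the corresponding java.util import) keeps first-seen order at no extra cost. The generic parameters are not visible in this rendering, so the exact declaration may differ; the loop that builds `ret` continues in the following hunks.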
@@ -3651,20 +4098,24 @@ private static List compressDeltas(List de case RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE: while (index < policyDeltas.size()) { RangerPolicyDelta policyDelta = policyDeltas.get(index); + switch (policyDelta.getChangeType()) { case RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE: - LOG.error("Multiple policy creates!! :{}", policyDelta); + LOG.error("Multiple policy creates!! [{}]", policyDelta); + policyDeltasForPolicy = null; break; case RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE: for (int i = index + 1; i < policyDeltas.size(); i++) { RangerPolicyDelta next = policyDeltas.get(i); + if (next.getChangeType() == RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE) { index = i; } else { break; } } + policyDeltasForPolicy.clear(); policyDeltas.get(index).setChangeType(RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE); policyDeltasForPolicy.add(policyDeltas.get(index)); @@ -3677,6 +4128,7 @@ private static List compressDeltas(List de index++; } else { LOG.error("CHANGE_TYPE_POLICY_DELETE should be the last policyDelta, found:[{}]", policyDeltas.get(index + 1)); + policyDeltasForPolicy = null; } break; @@ -3695,17 +4147,20 @@ private static List compressDeltas(List de switch (policyDelta.getChangeType()) { case RangerPolicyDelta.CHANGE_TYPE_POLICY_CREATE: LOG.error("Should not get here! policy is created after it is updated!! policy-delta:[{}]", policyDelta); + policyDeltasForPolicy = null; break; case RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE: for (int i = index + 1; i < policyDeltas.size(); i++) { RangerPolicyDelta next = policyDeltas.get(i); + if (next.getChangeType() == RangerPolicyDelta.CHANGE_TYPE_POLICY_UPDATE) { index = i; } else { break; } } + policyDeltasForPolicy.clear(); policyDeltasForPolicy.add(policyDeltas.get(index)); index++; 
@@ -3718,12 +4173,14 @@ private static List compressDeltas(List de index++; } else { LOG.error("CHANGE_TYPE_POLICY_DELETE should be the last policyDelta, found:[{}]", policyDeltas.get(index + 1)); + policyDeltasForPolicy = null; } break; default: break; } + if (policyDeltasForPolicy == null) { break; } @@ -3731,17 +4188,21 @@ private static List compressDeltas(List de break; case RangerPolicyDelta.CHANGE_TYPE_POLICY_DELETE: LOG.error("CHANGE_TYPE_POLICY_DELETE should be the last policyDelta, found:[{}]", policyDeltas.get(index)); + policyDeltasForPolicy = null; break; default: LOG.error("Should not get here for valid policy-delta:[{}]", first); break; } + if (policyDeltasForPolicy != null) { LOG.debug("Processed deltas for policy:[{}], compressed-deltas:[{}]", entry.getKey(), policyDeltasForPolicy); + ret.addAll(policyDeltasForPolicy); } else { LOG.error("Error processing deltas for policy:[{}], Cannot compress deltas", entry.getKey()); + ret = null; break; } @@ -3757,11 +4218,13 @@ private static List compressDeltas(List de private Map validateRequiredConfigParams(RangerService service, Map configs) { LOG.debug("==> ServiceDBStore.validateRequiredConfigParams()"); + if (configs == null) { return null; } List svcConfDefList = daoMgr.getXXServiceConfigDef().findByServiceDefName(service.getType()); + for (XXServiceConfigDef svcConfDef : svcConfDefList) { String confField = configs.get(svcConfDef.getName()); 
@@ -3773,32 +4236,36 @@ private Map validateRequiredConfigParams(RangerService service, if (svcConfDef.getDefaultvalue() != null && !configs.containsKey(RANGER_PLUGIN_AUDIT_FILTERS)) { configs.put(RANGER_PLUGIN_AUDIT_FILTERS, svcConfDef.getDefaultvalue()); } + if (!stringUtil.isEmpty(configs.get(RANGER_PLUGIN_AUDIT_FILTERS)) && JsonUtils.jsonToAuditFilterList(configs.get(RANGER_PLUGIN_AUDIT_FILTERS)) == null) { throw restErrorUtil.createRESTException("Invalid value for " + svcConfDef.getName()); } } } + Map validConfigs = new HashMap<>(); + for (Entry config : configs.entrySet()) { if (!stringUtil.isEmpty(config.getValue())) { validConfigs.put(config.getKey(), config.getValue()); } } + return validConfigs; } - private void handlePolicyUpdate(RangerService service, Integer policyDeltaType, RangerPolicy policy, boolean updateServiceInfoRoleVersion) throws Exception { + private void handlePolicyUpdate(RangerService service, Integer policyDeltaType, RangerPolicy policy, boolean updateServiceInfoRoleVersion) { updatePolicyVersion(service, policyDeltaType, policy, updateServiceInfoRoleVersion); } - private void updatePolicyVersion(RangerService service, Integer policyDeltaType, RangerPolicy policy, boolean updateServiceInfoRoleVersion) throws Exception { + private void updatePolicyVersion(RangerService service, Integer policyDeltaType, RangerPolicy policy, boolean updateServiceInfoRoleVersion) { if (service == null || service.getId() == null) { return; } - XXServiceDao serviceDao = daoMgr.getXXService(); - + XXServiceDao serviceDao = daoMgr.getXXService(); final XXService serviceDbObj = serviceDao.getById(service.getId()); + if (serviceDbObj == null) { LOG.warn("updatePolicyVersion(serviceId={}): service not found", service.getId()); 
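Review bot: After this hunk drops `throws Exception` from both, `handlePolicyUpdate` is a one-line pass-through to `updatePolicyVersion` with an identical parameter list; either inline it at the call sites or add a comment on why the indirection is kept. In validateRequiredConfigParams the line `configs.put(RANGER_PLUGIN_AUDIT_FILTERS, svcConfDef.getDefaultvalue());` writes into the caller-supplied `configs` map while the method also returns a separate `validConfigs` copy, which is a surprising side effect for a method named validate; a comment such as `// NOTE: inserts the default audit-filter into the caller's map as well as the returned copy` would at least document it. Both method bodies begin outside this hunk.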
@@ -3816,23 +4283,27 @@ private void updatePolicyVersion(RangerService service, Integer policyDeltaType, List referringServiceIds = serviceDao.findIdsByTagServiceId(serviceId); for (Long referringServiceId : referringServiceIds) { - Runnable policyVersionUpdater = new ServiceVersionUpdater(daoManager, referringServiceId, VersionType.POLICY_VERSION, policy != null ? policy.getZoneName() : null, policyDeltaType, policy); + Runnable policyVersionUpdater = new ServiceVersionUpdater(daoManager, referringServiceId, VERSION_TYPE.POLICY_VERSION, policy != null ? policy.getZoneName() : null, policyDeltaType, policy); + transactionSynchronizationAdapter.executeOnTransactionCommit(policyVersionUpdater); if (updateServiceInfoRoleVersion) { - Runnable roleVersionUpdater = new ServiceVersionUpdater(daoManager, referringServiceId, VersionType.ROLE_VERSION, policy != null ? policy.getZoneName() : null, policyDeltaType, policy); + Runnable roleVersionUpdater = new ServiceVersionUpdater(daoManager, referringServiceId, VERSION_TYPE.ROLE_VERSION, policy != null ? policy.getZoneName() : null, policyDeltaType, policy); + transactionSynchronizationAdapter.executeOnTransactionCommit(roleVersionUpdater); } } } - final VersionType versionType = VersionType.POLICY_VERSION; + final VERSION_TYPE versionType = VERSION_TYPE.POLICY_VERSION; Runnable serviceVersionUpdater = new ServiceVersionUpdater(daoManager, serviceId, versionType, policy != null ? policy.getZoneName() : null, policyDeltaType, policy); + transactionSynchronizationAdapter.executeOnTransactionCommit(serviceVersionUpdater); if (updateServiceInfoRoleVersion) { - Runnable roleVersionUpdater = new ServiceVersionUpdater(daoManager, serviceId, VersionType.ROLE_VERSION, policy != null ? policy.getZoneName() : null, policyDeltaType, policy); + Runnable roleVersionUpdater = new ServiceVersionUpdater(daoManager, serviceId, VERSION_TYPE.ROLE_VERSION, policy != null ? 
policy.getZoneName() : null, policyDeltaType, policy); + transactionSynchronizationAdapter.executeOnTransactionCommit(roleVersionUpdater); } } @@ -3844,12 +4315,16 @@ private boolean isRoleDownloadRequired(RangerPolicy policy, RangerService servic if (policy != null) { Set roleNames = getAllPolicyItemRoleNames(policy); + if (CollectionUtils.isNotEmpty(roleNames)) { Long serviceId = service.getId(); + checkAndFilterRoleNames(roleNames, service); + if (CollectionUtils.isNotEmpty(roleNames)) { for (String roleName : roleNames) { long roleRefPolicyCount = daoMgr.getXXPolicy().findRoleRefPolicyCount(roleName, serviceId); + if (roleRefPolicyCount == 0) { ret = true; break; @@ -3867,14 +4342,17 @@ private void checkAndFilterRoleNames(Set roleNames, RangerService servic Set rolesToRemove = new HashSet<>(); Long serviceId = service.getId(); List rolesFromDb = daoMgr.getXXRole().findRoleNamesByServiceId(serviceId); + if (CollectionUtils.isNotEmpty(rolesFromDb)) { rolesToRemove.addAll(rolesFromDb); } String tagService = service.getTagService(); XXService serviceDbObj = daoMgr.getXXService().findByName(tagService); + if (serviceDbObj != null) { List rolesFromServiceTag = daoMgr.getXXRole().findRoleNamesByServiceId(serviceDbObj.getId()); + if (CollectionUtils.isNotEmpty(rolesFromServiceTag)) { rolesToRemove.addAll(rolesFromServiceTag); } 
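Review bot: The rename from `VersionType` to `VERSION_TYPE` in updatePolicyVersion (and again in the persistChangeLog hunk further down) gives a type the UPPER_SNAKE_CASE form Java reserves for constants, so a declaration such as `final VERSION_TYPE versionType = VERSION_TYPE.POLICY_VERSION;` reads as a field rather than a type; if the enum carries that name upstream and cannot be changed here, a one-line comment at its first use would stop readers from reporting it as a typo. In the same method `policy != null ? policy.getZoneName() : null` is now evaluated four times across the ServiceVersionUpdater constructions; hoisting it once, `String zoneName = policy != null ? policy.getZoneName() : null;`, before the `referringServiceIds` loop shortens every constructor call. The method's opening and closing lines are outside this hunk.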
@@ -3884,34 +4362,39 @@ private void checkAndFilterRoleNames(Set roleNames, RangerService servic } private Set getAllPolicyItemRoleNames(RangerPolicy policy) { - Set ret = new HashSet<>(); - + Set ret = new HashSet<>(); List policyItems = policy.getPolicyItems(); + if (CollectionUtils.isNotEmpty(policyItems)) { collectRolesFromPolicyItems(policyItems, ret); } policyItems = policy.getDenyPolicyItems(); + if (CollectionUtils.isNotEmpty(policyItems)) { collectRolesFromPolicyItems(policyItems, ret); } policyItems = policy.getAllowExceptions(); + if (CollectionUtils.isNotEmpty(policyItems)) { collectRolesFromPolicyItems(policyItems, ret); } policyItems = policy.getDenyExceptions(); + if (CollectionUtils.isNotEmpty(policyItems)) { collectRolesFromPolicyItems(policyItems, ret); } policyItems = policy.getDataMaskPolicyItems(); + if (CollectionUtils.isNotEmpty(policyItems)) { collectRolesFromPolicyItems(policyItems, ret); } policyItems = policy.getRowFilterPolicyItems(); + if (CollectionUtils.isNotEmpty(policyItems)) { collectRolesFromPolicyItems(policyItems, ret); } @@ -3922,6 +4405,7 @@ private Set getAllPolicyItemRoleNames(RangerPolicy policy) { private void collectRolesFromPolicyItems(List rangerPolicyItems, Set roleNames) { for (RangerPolicyItem rangerPolicyItem : rangerPolicyItems) { List rangerPolicyItemRoles = rangerPolicyItem.getRoles(); + if (CollectionUtils.isNotEmpty(rangerPolicyItemRoles)) { roleNames.addAll(rangerPolicyItemRoles); } 
@@ -3929,28 +4413,28 @@ private void collectRolesFromPolicyItems(List ranger } private void persistChangeLog(ServiceVersionUpdater serviceVersionUpdater) { - XXServiceVersionInfoDao serviceVersionInfoDao = serviceVersionUpdater.daoManager.getXXServiceVersionInfo(); + XXServiceVersionInfoDao serviceVersionInfoDao = serviceVersionUpdater.daoManager.getXXServiceVersionInfo(); + XXServiceVersionInfo serviceVersionInfoDbObj = serviceVersionInfoDao.findByServiceId(serviceVersionUpdater.serviceId); + XXService service = serviceVersionUpdater.daoManager.getXXService().getById(serviceVersionUpdater.serviceId); - XXServiceVersionInfo serviceVersionInfoDbObj = serviceVersionInfoDao.findByServiceId(serviceVersionUpdater.serviceId); - XXService service = serviceVersionUpdater.daoManager.getXXService().getById(serviceVersionUpdater.serviceId); + if (service != null) { + Long version = serviceVersionUpdater.versionType == VERSION_TYPE.TAG_VERSION ? serviceVersionInfoDbObj.getTagVersion() : serviceVersionInfoDbObj.getPolicyVersion(); - if (service != null && serviceVersionInfoDao != null) { - Long version = serviceVersionUpdater.versionType == VersionType.TAG_VERSION ? 
serviceVersionInfoDbObj.getTagVersion() : serviceVersionInfoDbObj.getPolicyVersion(); persistChangeLog(service, serviceVersionUpdater.versionType, version, serviceVersionUpdater); } } - private static void persistChangeLog(XXService service, VersionType versionType, Long version, ServiceVersionUpdater serviceVersionUpdater) { + private static void persistChangeLog(XXService service, VERSION_TYPE versionType, Long version, ServiceVersionUpdater serviceVersionUpdater) { Date now = new Date(); - if (versionType == VersionType.TAG_VERSION) { + if (versionType == VERSION_TYPE.TAG_VERSION) { ServiceTags.TagsChangeType tagChangeType = serviceVersionUpdater.tagChangeType; + if (tagChangeType == ServiceTags.TagsChangeType.RANGER_ADMIN_START || TagDBStore.isSupportsTagDeltas()) { // Build and save TagChangeLog - XXTagChangeLog tagChangeLog = new XXTagChangeLog(); - - Long serviceResourceId = serviceVersionUpdater.resourceId; - Long tagId = serviceVersionUpdater.tagId; + XXTagChangeLog tagChangeLog = new XXTagChangeLog(); + Long serviceResourceId = serviceVersionUpdater.resourceId; + Long tagId = serviceVersionUpdater.tagId; tagChangeLog.setCreateTime(now); tagChangeLog.setServiceId(service.getId()); @@ -3975,6 +4459,7 @@ private static void persistChangeLog(XXService service, VersionType versionType, policyChangeLog.setZoneName(serviceVersionUpdater.zoneName); RangerPolicy policy = serviceVersionUpdater.policy; + if (policy != null) { policyChangeLog.setServiceType(policy.getServiceType()); policyChangeLog.setPolicyType(policy.getPolicyType()); @@ -3994,9 +4479,11 @@ private Boolean deleteExistingPolicyLabel(RangerPolicy policy) { List xxPolicyLabelMaps = daoMgr.getXXPolicyLabelMap().findByPolicyId(policy.getId()); XXPolicyLabelMapDao policyLabelMapDao = daoMgr.getXXPolicyLabelMap(); + for (XXPolicyLabelMap xxPolicyLabelMap : xxPolicyLabelMaps) { policyLabelMapDao.remove(xxPolicyLabelMap); } + return true; } 
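Review bot: The rewritten guard `if (service != null)` drops the ineffective `serviceVersionInfoDao != null` test but still never checks `serviceVersionInfoDbObj`, which is dereferenced on the very next line through `getTagVersion()`/`getPolicyVersion()`; if `findByServiceId` can return null for a service that has no version row — not visible here — this throws inside the transaction-commit callback instead of skipping the change log. `if (service != null && serviceVersionInfoDbObj != null) {` with a warn-level log in the else branch would be the safe form. The static `persistChangeLog(XXService, ...)` overload that starts near the end of this hunk continues outside it.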
@@ -4036,12 +4523,17 @@ private boolean isResourceInList(String resource, List xResourceD private void writeExcel(List policies, String excelFileName, HttpServletResponse response) throws IOException { OutputStream outStream = null; + try (Workbook workbook = new HSSFWorkbook()) { Sheet sheet = workbook.createSheet(); + createHeaderRow(sheet); + int rowCount = 0; + if (!CollectionUtils.isEmpty(policies)) { Map svcNameToSvcType = new HashMap<>(); + for (RangerPolicy policy : policies) { List policyItems = policy.getPolicyItems(); List rowFilterPolicyItems = policy.getRowFilterPolicyItems(); @@ -4049,12 +4541,14 @@ private void writeExcel(List policies, String excelFileName, HttpS List allowExceptions = policy.getAllowExceptions(); List denyExceptions = policy.getDenyExceptions(); List denyPolicyItems = policy.getDenyPolicyItems(); + String serviceType = policy.getServiceType(); - String serviceType = policy.getServiceType(); if (StringUtils.isBlank(serviceType)) { serviceType = svcNameToSvcType.get(policy.getService()); + if (StringUtils.isBlank(serviceType)) { serviceType = daoMgr.getXXServiceDef().findServiceDefTypeByServiceName(policy.getService()); + if (StringUtils.isNotBlank(serviceType)) { svcNameToSvcType.put(policy.getService(), serviceType); } 
@@ -4064,58 +4558,75 @@ private void writeExcel(List policies, String excelFileName, HttpS if (CollectionUtils.isNotEmpty(policyItems)) { for (RangerPolicyItem policyItem : policyItems) { Row row = sheet.createRow(++rowCount); + writeBookForPolicyItems(svcNameToSvcType, policy, policyItem, null, null, row, POLICY_ALLOW_INCLUDE); } } else if (CollectionUtils.isNotEmpty(dataMaskPolicyItems)) { for (RangerDataMaskPolicyItem dataMaskPolicyItem : dataMaskPolicyItems) { Row row = sheet.createRow(++rowCount); + writeBookForPolicyItems(svcNameToSvcType, policy, null, dataMaskPolicyItem, null, row, null); } } else if (CollectionUtils.isNotEmpty(rowFilterPolicyItems)) { for (RangerRowFilterPolicyItem rowFilterPolicyItem : rowFilterPolicyItems) { Row row = sheet.createRow(++rowCount); + writeBookForPolicyItems(svcNameToSvcType, policy, null, null, rowFilterPolicyItem, row, null); } } else if (serviceType.equalsIgnoreCase(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME)) { if (CollectionUtils.isEmpty(policyItems)) { Row row = sheet.createRow(++rowCount); RangerPolicyItem policyItem = new RangerPolicyItem(); + writeBookForPolicyItems(svcNameToSvcType, policy, policyItem, null, null, row, POLICY_ALLOW_INCLUDE); } } else if (CollectionUtils.isEmpty(policyItems)) { Row row = sheet.createRow(++rowCount); RangerPolicyItem policyItem = new RangerPolicyItem(); + writeBookForPolicyItems(svcNameToSvcType, policy, policyItem, null, null, row, POLICY_ALLOW_INCLUDE); } + if (CollectionUtils.isNotEmpty(allowExceptions)) { for (RangerPolicyItem policyItem : allowExceptions) { Row row = sheet.createRow(++rowCount); + writeBookForPolicyItems(svcNameToSvcType, policy, policyItem, null, null, row, POLICY_ALLOW_EXCLUDE); } } + if (CollectionUtils.isNotEmpty(denyExceptions)) { for (RangerPolicyItem policyItem : denyExceptions) { Row row = sheet.createRow(++rowCount); + writeBookForPolicyItems(svcNameToSvcType, policy, policyItem, null, null, row, POLICY_DENY_EXCLUDE); } } + if 
(CollectionUtils.isNotEmpty(denyPolicyItems)) { for (RangerPolicyItem policyItem : denyPolicyItems) { Row row = sheet.createRow(++rowCount); + writeBookForPolicyItems(svcNameToSvcType, policy, policyItem, null, null, row, POLICY_DENY_INCLUDE); } } } } + ByteArrayOutputStream outByteStream = new ByteArrayOutputStream(); + workbook.write(outByteStream); + byte[] outArray = outByteStream.toByteArray(); + response.setContentType("application/ms-excel"); response.setContentLength(outArray.length); response.setHeader("Expires:", "0"); response.setHeader("Content-Disposition", "attachment; filename=" + excelFileName); response.setStatus(HttpServletResponse.SC_OK); + outStream = response.getOutputStream(); + outStream.write(outArray); outStream.flush(); } catch (IOException ex) { @@ -4132,13 +4643,14 @@ private void writeExcel(List policies, String excelFileName, HttpS private StringBuilder writeCSV(List policies, String cSVFileName, HttpServletResponse response) { response.setContentType("text/csv"); - final String lineSeparator = "\n"; - final String fileHeader = "ID|Name|Resources|Roles|Groups|Users|Accesses|Service Type|Status|Policy Type|Delegate Admin|isRecursive|" + "isExcludes|Service Name|Description|isAuditEnabled|Policy Conditions|Policy Condition Type|Masking Options|Row Filter Expr|Policy Label Name"; - StringBuilder csvBuffer = new StringBuilder(); - csvBuffer.append(fileHeader); - csvBuffer.append(lineSeparator); + StringBuilder csvBuffer = new StringBuilder(); + + csvBuffer.append(FILE_HEADER); + csvBuffer.append(LINE_SEPARATOR); + if (!CollectionUtils.isEmpty(policies)) { Map svcNameToSvcType = new HashMap<>(); + for (RangerPolicy policy : policies) { List policyItems = policy.getPolicyItems(); List rowFilterPolicyItems = policy.getRowFilterPolicyItems(); 
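Review bot: `response.setHeader("Expires:", "0")` near the end of the hunk sets a header literally named `Expires:` (trailing colon), so the intended `Expires` header is never emitted and the exported policy set may be cached by intermediaries; change it to `response.setHeader("Expires", "0");` and, since the file carries the full policy definitions, add `response.setHeader("Cache-Control", "no-store");`. The `Content-Disposition` value is also built by plain concatenation with `excelFileName`; where that name originates is outside this hunk, but if it can contain a quote, semicolon or whitespace the header becomes malformed, and quoting it (`"attachment; filename=\"" + excelFileName.replace("\"", "") + "\""`) avoids that. `writeExcel` ends outside the hunk.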
@@ -4146,12 +4658,14 @@ private StringBuilder writeCSV(List policies, String cSVFileName, List allowExceptions = policy.getAllowExceptions(); List denyExceptions = policy.getDenyExceptions(); List denyPolicyItems = policy.getDenyPolicyItems(); + String serviceType = policy.getServiceType(); - String serviceType = policy.getServiceType(); if (StringUtils.isBlank(serviceType)) { serviceType = svcNameToSvcType.get(policy.getService()); + if (StringUtils.isBlank(serviceType)) { serviceType = daoMgr.getXXServiceDef().findServiceDefTypeByServiceName(policy.getService()); + if (StringUtils.isNotBlank(serviceType)) { svcNameToSvcType.put(policy.getService(), serviceType); } @@ -4179,16 +4693,19 @@ private StringBuilder writeCSV(List policies, String cSVFileName, RangerPolicyItem policyItem = new RangerPolicyItem(); writeCSVForPolicyItems(svcNameToSvcType, policy, policyItem, null, null, csvBuffer, POLICY_ALLOW_INCLUDE); } + if (CollectionUtils.isNotEmpty(allowExceptions)) { for (RangerPolicyItem policyItem : allowExceptions) { writeCSVForPolicyItems(svcNameToSvcType, policy, policyItem, null, null, csvBuffer, POLICY_ALLOW_EXCLUDE); } } + if (CollectionUtils.isNotEmpty(denyExceptions)) { for (RangerPolicyItem policyItem : denyExceptions) { writeCSVForPolicyItems(svcNameToSvcType, policy, policyItem, null, null, csvBuffer, POLICY_DENY_EXCLUDE); } } + if (CollectionUtils.isNotEmpty(denyPolicyItems)) { for (RangerPolicyItem policyItem : denyPolicyItems) { writeCSVForPolicyItems(svcNameToSvcType, policy, policyItem, null, null, csvBuffer, POLICY_DENY_INCLUDE); 
@@ -4196,75 +4713,69 @@ private StringBuilder writeCSV(List policies, String cSVFileName, } } } + response.setHeader("Content-Disposition", "attachment; filename=" + cSVFileName); response.setStatus(HttpServletResponse.SC_OK); + return csvBuffer; } private void writeCSVForPolicyItems(Map svcNameToSvcType, RangerPolicy policy, RangerPolicyItem policyItem, RangerDataMaskPolicyItem dataMaskPolicyItem, RangerRowFilterPolicyItem rowFilterPolicyItem, StringBuilder csvBuffer, String policyConditionType) { LOG.debug("policyConditionType:[{}]", policyConditionType); - final String commaDelimiter = "|"; - final String lineSeparator = "\n"; - List roles = new ArrayList<>(); - List groups = new ArrayList<>(); - List users = new ArrayList<>(); - String roleNames = ""; - String groupNames = ""; - String userNames = ""; - String policyLabelName = ""; - String accessType = ""; - String policyStatus = ""; - String policyType = ""; - Boolean delegateAdmin = false; - String isRecursive = ""; - String isExcludes = ""; - String serviceName = ""; - String description = ""; - Boolean isAuditEnabled = true; - String isExcludesValue = ""; - String maskingInfo = ""; - List accesses = new ArrayList(); - List conditionsList = new ArrayList<>(); - String conditionKeyValue = ""; - String resValue = ""; - String resourceKeyVal = ""; - String isRecursiveValue = ""; - String resKey = ""; - String serviceType = ""; - String filterExpr = ""; - String policyName = ""; - List policyLabels = new ArrayList<>(); - String policyConditionTypeValue = ""; - serviceName = policy.getService(); - description = policy.getDescription(); - isAuditEnabled = policy.getIsAuditEnabled(); - policyLabels = policy.getPolicyLabels(); - StringBuffer sb = new StringBuffer(); - StringBuffer sbIsRecursive = new StringBuffer(); - StringBuffer sbIsExcludes = new StringBuffer(); - Map resources = policy.getResources(); - RangerPolicy.RangerPolicyItemDataMaskInfo dataMaskInfo = new RangerPolicy.RangerPolicyItemDataMaskInfo(); - 
RangerPolicy.RangerPolicyItemRowFilterInfo filterInfo = new RangerPolicy.RangerPolicyItemRowFilterInfo(); - policyName = policy.getName(); + + List roles = new ArrayList<>(); + List groups = new ArrayList<>(); + List users = new ArrayList<>(); + String roleNames = ""; + String groupNames = ""; + String userNames = ""; + String policyLabelName = ""; + String accessType = ""; + String policyType = ""; + Boolean delegateAdmin = false; + String isExcludesValue = ""; + String maskingInfo = ""; + List accesses = new ArrayList<>(); + List conditionsList = new ArrayList<>(); + String conditionKeyValue = ""; + String resourceKeyVal = ""; + String isRecursiveValue = ""; + String serviceType = ""; + String filterExpr = ""; + String policyConditionTypeValue = ""; + String serviceName = policy.getService(); + String description = policy.getDescription(); + Boolean isAuditEnabled = policy.getIsAuditEnabled(); + List policyLabels = policy.getPolicyLabels(); + StringBuilder sb = new StringBuilder(); + StringBuilder sbIsRecursive = new StringBuilder(); + StringBuilder sbIsExcludes = new StringBuilder(); + Map resources = policy.getResources(); + String policyName = policy.getName(); + policyName = policyName.replace("|", ""); + if (resources != null) { for (Entry resource : resources.entrySet()) { - resKey = resource.getKey(); + String resKey = resource.getKey(); RangerPolicyResource policyResource = resource.getValue(); List resvalueList = policyResource.getValues(); - isExcludes = policyResource.getIsExcludes().toString(); - isRecursive = policyResource.getIsRecursive().toString(); - resValue = resvalueList.toString(); - sb = sb.append(resourceKeyVal).append(" ").append(resKey).append("=").append(resValue); - sbIsExcludes = sbIsExcludes.append(resourceKeyVal).append(" ").append(resKey).append("=[").append(isExcludes).append("]"); - sbIsRecursive = sbIsRecursive.append(resourceKeyVal).append(" ").append(resKey).append("=[").append(isRecursive).append("]"); + String isExcludes = 
policyResource.getIsExcludes().toString(); + String isRecursive = policyResource.getIsRecursive().toString(); + String resValue = resvalueList.toString(); + + sb.append(resourceKeyVal).append(" ").append(resKey).append("=").append(resValue); + sbIsExcludes.append(resourceKeyVal).append(" ").append(resKey).append("=[").append(isExcludes).append("]"); + sbIsRecursive.append(resourceKeyVal).append(" ").append(resKey).append("=[").append(isRecursive).append("]"); } + isExcludesValue = sbIsExcludes.toString(); isExcludesValue = isExcludesValue.substring(1); isRecursiveValue = sbIsRecursive.toString(); isRecursiveValue = isRecursiveValue.substring(1); resourceKeyVal = sb.toString(); resourceKeyVal = resourceKeyVal.substring(1); + if (policyItem != null && dataMaskPolicyItem == null && rowFilterPolicyItem == null) { roles = policyItem.getRoles(); groups = policyItem.getGroups(); @@ -4279,11 +4790,15 @@ private void writeCSVForPolicyItems(Map svcNameToSvcType, Ranger accesses = dataMaskPolicyItem.getAccesses(); delegateAdmin = dataMaskPolicyItem.getDelegateAdmin(); conditionsList = dataMaskPolicyItem.getConditions(); - dataMaskInfo = dataMaskPolicyItem.getDataMaskInfo(); + + RangerPolicy.RangerPolicyItemDataMaskInfo dataMaskInfo = dataMaskPolicyItem.getDataMaskInfo(); + String dataMaskType = dataMaskInfo.getDataMaskType(); String conditionExpr = dataMaskInfo.getConditionExpr(); String valueExpr = dataMaskInfo.getValueExpr(); + maskingInfo = "dataMasktype=[" + dataMaskType + "]"; + if (conditionExpr != null && !conditionExpr.isEmpty() && valueExpr != null && !valueExpr.isEmpty()) { maskingInfo = maskingInfo + "; conditionExpr=[" + conditionExpr + "]"; } 
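Review bot: Only `policyName` is stripped of the `|` delimiter (`policyName = policyName.replace("|", "")`), while `description`, the resource values rendered through `resvalueList.toString()` and the other free-text fields captured here are written to the delimited file unchanged, so a `|` or line separator inside a description shifts the columns of that record for whoever parses the export. Routing every free-text field through one helper, e.g. `private static String csvSafe(String s) { return s == null ? "" : s.replace("|", "").replace("\r", " ").replace("\n", " "); }`, keeps the record structure intact; whether the policy REST layer already rejects such characters is not visible here. Exports opened in a spreadsheet also treat cells starting with `=`, `+`, `-` or `@` as formulas, so prefixing such values with a single quote is worth considering for descriptions and condition values. The rest of `writeCSVForPolicyItems` continues in the following hunks.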
@@ -4294,19 +4809,24 @@ private void writeCSVForPolicyItems(Map svcNameToSvcType, Ranger accesses = rowFilterPolicyItem.getAccesses(); delegateAdmin = rowFilterPolicyItem.getDelegateAdmin(); conditionsList = rowFilterPolicyItem.getConditions(); - filterInfo = rowFilterPolicyItem.getRowFilterInfo(); - filterExpr = filterInfo.getFilterExpr(); + + RangerPolicy.RangerPolicyItemRowFilterInfo filterInfo = rowFilterPolicyItem.getRowFilterInfo(); + + filterExpr = filterInfo.getFilterExpr(); } + if (CollectionUtils.isNotEmpty(accesses)) { for (RangerPolicyItemAccess access : accesses) { if (access != null) { accessType = accessType + access.getType().replace("#", "").replace("|", "") + "#"; } } - if (accessType.length() > 0) { + + if (!accessType.isEmpty()) { accessType = accessType.substring(0, accessType.lastIndexOf("#")); } } + if (CollectionUtils.isNotEmpty(roles)) { for (String role : roles) { if (StringUtils.isNotBlank(role)) { @@ -4315,10 +4835,12 @@ private void writeCSVForPolicyItems(Map svcNameToSvcType, Ranger roleNames = roleNames + role + "#"; } } - if (roleNames.length() > 0) { + + if (!roleNames.isEmpty()) { roleNames = roleNames.substring(0, roleNames.lastIndexOf("#")); } } + if (CollectionUtils.isNotEmpty(groups)) { for (String group : groups) { if (StringUtils.isNotBlank(group)) { @@ -4327,10 +4849,12 @@ private void writeCSVForPolicyItems(Map svcNameToSvcType, Ranger groupNames = groupNames + group + "#"; } } - if (groupNames.length() > 0) { + + if (!groupNames.isEmpty()) { groupNames = groupNames.substring(0, groupNames.lastIndexOf("#")); } } + if (CollectionUtils.isNotEmpty(users)) { for (String user : users) { if (StringUtils.isNotBlank(user)) { 
@@ -4339,40 +4863,51 @@ private void writeCSVForPolicyItems(Map svcNameToSvcType, Ranger userNames = userNames + user + "#"; } } - if (userNames.length() > 0) { + + if (!userNames.isEmpty()) { userNames = userNames.substring(0, userNames.lastIndexOf("#")); } } - String conditionValue = ""; + for (RangerPolicyItemCondition conditions : conditionsList) { - String conditionType = conditions.getType(); - List conditionList = conditions.getValues(); - conditionValue = conditionList.toString(); + String conditionType = conditions.getType(); + List conditionList = conditions.getValues(); + String conditionValue = conditionList.toString(); + conditionKeyValue = conditionType + "=" + conditionValue; } serviceType = policy.getServiceType(); + if (StringUtils.isBlank(serviceType)) { serviceType = svcNameToSvcType.get(policy.getService()); + if (serviceType == null) { serviceType = ""; } } } + if (policyConditionType != null) { policyConditionTypeValue = policyConditionType; } + if (policyConditionType == null && serviceType.equalsIgnoreCase("tag")) { policyConditionTypeValue = POLICY_ALLOW_INCLUDE; } else if (policyConditionType == null) { policyConditionTypeValue = ""; } + + String policyStatus; + if (policy.getIsEnabled()) { policyStatus = "Enabled"; } else { policyStatus = "Disabled"; } + int policyTypeInt = policy.getPolicyType(); + switch (policyTypeInt) { case RangerPolicy.POLICY_TYPE_ACCESS: policyType = POLICY_TYPE_ACCESS; @@ -4384,6 +4919,7 @@ private void writeCSVForPolicyItems(Map svcNameToSvcType, Ranger policyType = POLICY_TYPE_ROWFILTER; break; } + if (CollectionUtils.isNotEmpty(policyLabels)) { for (String policyLabel : policyLabels) { if (StringUtils.isNotBlank(policyLabel)) { 
@@ -4392,84 +4928,95 @@ private void writeCSVForPolicyItems(Map svcNameToSvcType, Ranger policyLabelName = policyLabelName + policyLabel + "#"; } } - if (policyLabelName.length() > 0) { + + if (!policyLabelName.isEmpty()) { policyLabelName = policyLabelName.substring(0, policyLabelName.lastIndexOf("#")); } } csvBuffer.append(policy.getId()); - csvBuffer.append(commaDelimiter); + csvBuffer.append(COMMA_DELIMITER); csvBuffer.append(policyName); - csvBuffer.append(commaDelimiter); + csvBuffer.append(COMMA_DELIMITER); csvBuffer.append(resourceKeyVal); - csvBuffer.append(commaDelimiter); + csvBuffer.append(COMMA_DELIMITER); csvBuffer.append(roleNames); - csvBuffer.append(commaDelimiter); + csvBuffer.append(COMMA_DELIMITER); csvBuffer.append(groupNames); - csvBuffer.append(commaDelimiter); + csvBuffer.append(COMMA_DELIMITER); csvBuffer.append(userNames); - csvBuffer.append(commaDelimiter); + csvBuffer.append(COMMA_DELIMITER); csvBuffer.append(accessType.trim()); - csvBuffer.append(commaDelimiter); + csvBuffer.append(COMMA_DELIMITER); csvBuffer.append(serviceType); - csvBuffer.append(commaDelimiter); + csvBuffer.append(COMMA_DELIMITER); csvBuffer.append(policyStatus); - csvBuffer.append(commaDelimiter); + csvBuffer.append(COMMA_DELIMITER); csvBuffer.append(policyType); - csvBuffer.append(commaDelimiter); + csvBuffer.append(COMMA_DELIMITER); csvBuffer.append(delegateAdmin.toString().toUpperCase()); - csvBuffer.append(commaDelimiter); + csvBuffer.append(COMMA_DELIMITER); csvBuffer.append(isRecursiveValue); - csvBuffer.append(commaDelimiter); + csvBuffer.append(COMMA_DELIMITER); csvBuffer.append(isExcludesValue); - csvBuffer.append(commaDelimiter); + csvBuffer.append(COMMA_DELIMITER); csvBuffer.append(serviceName); - csvBuffer.append(commaDelimiter); + csvBuffer.append(COMMA_DELIMITER); csvBuffer.append(description); - csvBuffer.append(commaDelimiter); + csvBuffer.append(COMMA_DELIMITER); csvBuffer.append(isAuditEnabled.toString().toUpperCase()); - 
csvBuffer.append(commaDelimiter); + csvBuffer.append(COMMA_DELIMITER); csvBuffer.append(conditionKeyValue.trim()); - csvBuffer.append(commaDelimiter); + csvBuffer.append(COMMA_DELIMITER); csvBuffer.append(policyConditionTypeValue); - csvBuffer.append(commaDelimiter); + csvBuffer.append(COMMA_DELIMITER); csvBuffer.append(maskingInfo); - csvBuffer.append(commaDelimiter); + csvBuffer.append(COMMA_DELIMITER); csvBuffer.append(filterExpr); - csvBuffer.append(commaDelimiter); + csvBuffer.append(COMMA_DELIMITER); csvBuffer.append(policyLabelName); - csvBuffer.append(commaDelimiter); - csvBuffer.append(lineSeparator); + csvBuffer.append(COMMA_DELIMITER); + csvBuffer.append(LINE_SEPARATOR); } - private void writeJson(List objList, String jsonFileName, HttpServletResponse response, JsonFileNameType type) throws IOException { + private void writeJson(List objList, String jsonFileName, HttpServletResponse response, JSON_FILE_NAME_TYPE type) { response.setContentType("text/json"); response.setHeader("Content-Disposition", "attachment; filename=" + jsonFileName); - ServletOutputStream out = null; - String json = null; + ServletOutputStream out = null; + String json; switch (type) { case POLICY: RangerExportPolicyList rangerExportPolicyList = new RangerExportPolicyList(); + rangerExportPolicyList.setGenericPolicies(objList); rangerExportPolicyList.setMetaDataInfo(getMetaDataInfo()); + json = JsonUtils.objectToJson(rangerExportPolicyList); break; case ROLE: RangerExportRoleList rangerExportRoleList = new RangerExportRoleList(); + rangerExportRoleList.setGenericRoleList(objList); + Map metaDataInfo = getMetaDataInfo(); + metaDataInfo.put(EXPORT_COUNT, rangerExportRoleList.getListSize()); + rangerExportRoleList.setMetaDataInfo(metaDataInfo); + json = JsonUtils.objectToJson(rangerExportRoleList); break; default: throw restErrorUtil.createRESTException("Invalid type " + type); } + try { out = response.getOutputStream(); + response.setStatus(HttpServletResponse.SC_OK); + 
IOUtils.write(json, out, "UTF-8"); } catch (Exception e) { LOG.error("Error while exporting json file {}", jsonFileName, e); @@ -4480,12 +5027,14 @@ private void writeJson(List objList, String jsonFileName, HttpServletResp out.close(); } } catch (Exception ex) { + // ignored } } } private void writeBookForPolicyItems(Map svcNameToSvcType, RangerPolicy policy, RangerPolicyItem policyItem, RangerDataMaskPolicyItem dataMaskPolicyItem, RangerRowFilterPolicyItem rowFilterPolicyItem, Row row, String policyConditionType) { LOG.debug("policyConditionType:[{}]", policyConditionType); + List groups = new ArrayList<>(); List users = new ArrayList<>(); List roles = new ArrayList<>(); 
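Review bot: `writeJson` sets `Content-Disposition` by concatenating `jsonFileName` unquoted; where that name comes from is outside the hunk, but a value containing a quote, `;` or whitespace produces a malformed header, and quoting it (`"attachment; filename=\"" + jsonFileName.replace("\"", "") + "\""`) is the usual fix. `text/json` is not a registered media type; `response.setContentType("application/json")` is what clients and proxies key on. The finally/close tail of `writeJson` continues in the next hunk.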
@@ -4495,55 +5044,65 @@ private void writeBookForPolicyItems(Map svcNameToSvcType, Range String userNames = ""; String policyLabelNames = ""; String accessType = ""; - String policyStatus = ""; + String policyStatus; String policyType = ""; Boolean delegateAdmin = false; - String isRecursive = ""; - String isExcludes = ""; - String serviceName = ""; - - String description = ""; - Boolean isAuditEnabled = true; - isAuditEnabled = policy.getIsAuditEnabled(); - String isExcludesValue = ""; - Cell cell = row.createCell(0); + String isRecursive; + String isExcludes; + String serviceName; + String description; + Boolean isAuditEnabled = policy.getIsAuditEnabled(); + String isExcludesValue = ""; + Cell cell = row.createCell(0); + cell.setCellValue(policy.getId()); + List accesses = new ArrayList<>(); List conditionsList = new ArrayList<>(); String conditionKeyValue = ""; - List policyLabels = new ArrayList<>(); - String resValue = ""; + List policyLabels; + String resValue; String resourceKeyVal = ""; String isRecursiveValue = ""; - String resKey = ""; - StringBuffer sb = new StringBuffer(); - StringBuffer sbIsRecursive = new StringBuffer(); - StringBuffer sbIsExcludes = new StringBuffer(); - Map resources = policy.getResources(); - RangerPolicy.RangerPolicyItemDataMaskInfo dataMaskInfo = new RangerPolicy.RangerPolicyItemDataMaskInfo(); - RangerPolicy.RangerPolicyItemRowFilterInfo filterInfo = new RangerPolicy.RangerPolicyItemRowFilterInfo(); + String resKey; + StringBuilder sb = new StringBuilder(); + StringBuilder sbIsRecursive = new StringBuilder(); + StringBuilder sbIsExcludes = new StringBuilder(); + Map resources = policy.getResources(); + RangerPolicy.RangerPolicyItemDataMaskInfo dataMaskInfo; + RangerPolicy.RangerPolicyItemRowFilterInfo filterInfo; + cell = row.createCell(1); + cell.setCellValue(policy.getName()); + cell = row.createCell(2); + if (resources != null) { for (Entry resource : resources.entrySet()) { resKey = resource.getKey(); + RangerPolicyResource 
policyResource = resource.getValue(); List resvalueList = policyResource.getValues(); + isExcludes = policyResource.getIsExcludes().toString(); isRecursive = policyResource.getIsRecursive().toString(); resValue = resvalueList.toString(); - sb = sb.append(resourceKeyVal).append("; ").append(resKey).append("=").append(resValue); - sbIsExcludes = sbIsExcludes.append(resourceKeyVal).append("; ").append(resKey).append("=[").append(isExcludes).append("]"); - sbIsRecursive = sbIsRecursive.append(resourceKeyVal).append("; ").append(resKey).append("=[").append(isRecursive).append("]"); + + sb.append(resourceKeyVal).append("; ").append(resKey).append("=").append(resValue); + sbIsExcludes.append(resourceKeyVal).append("; ").append(resKey).append("=[").append(isExcludes).append("]"); + sbIsRecursive.append(resourceKeyVal).append("; ").append(resKey).append("=[").append(isRecursive).append("]"); } + isExcludesValue = sbIsExcludes.toString(); isExcludesValue = isExcludesValue.substring(1); isRecursiveValue = sbIsRecursive.toString(); isRecursiveValue = isRecursiveValue.substring(1); resourceKeyVal = sb.toString(); resourceKeyVal = resourceKeyVal.substring(1); + cell.setCellValue(resourceKeyVal); + if (policyItem != null && dataMaskPolicyItem == null && rowFilterPolicyItem == null) { roles = policyItem.getRoles(); groups = policyItem.getGroups(); 
@@ -4559,13 +5118,16 @@ private void writeBookForPolicyItems(Map svcNameToSvcType, Range delegateAdmin = dataMaskPolicyItem.getDelegateAdmin(); conditionsList = dataMaskPolicyItem.getConditions(); dataMaskInfo = dataMaskPolicyItem.getDataMaskInfo(); + String dataMaskType = dataMaskInfo.getDataMaskType(); String conditionExpr = dataMaskInfo.getConditionExpr(); String valueExpr = dataMaskInfo.getValueExpr(); String maskingInfo = "dataMasktype=[" + dataMaskType + "]"; + if (conditionExpr != null && !conditionExpr.isEmpty() && valueExpr != null && !valueExpr.isEmpty()) { maskingInfo = maskingInfo + "; conditionExpr=[" + conditionExpr + "]"; } + cell = row.createCell(18); cell.setCellValue(maskingInfo); } else if (rowFilterPolicyItem != null && policyItem == null && dataMaskPolicyItem == null) { 
@@ -4576,45 +5138,62 @@ private void writeBookForPolicyItems(Map svcNameToSvcType, Range delegateAdmin = rowFilterPolicyItem.getDelegateAdmin(); conditionsList = rowFilterPolicyItem.getConditions(); filterInfo = rowFilterPolicyItem.getRowFilterInfo(); + String filterExpr = filterInfo.getFilterExpr(); + cell = row.createCell(19); + cell.setCellValue(filterExpr); } + if (CollectionUtils.isNotEmpty(accesses)) { for (RangerPolicyItemAccess access : accesses) { accessType = accessType + access.getType(); accessType = accessType + " ,"; } + accessType = accessType.substring(0, accessType.lastIndexOf(",")); } if (CollectionUtils.isNotEmpty(roles)) { roleNames = roleNames + roles; + StringTokenizer roleToken = new StringTokenizer(roleNames, "[]"); + while (roleToken.hasMoreTokens()) { roleNames = roleToken.nextToken(); } } + if (CollectionUtils.isNotEmpty(groups)) { groupNames = groupNames + groups; + StringTokenizer groupToken = new StringTokenizer(groupNames, "[]"); + while (groupToken.hasMoreTokens()) { groupNames = groupToken.nextToken(); } } + if (CollectionUtils.isNotEmpty(users)) { userNames = userNames + users; + StringTokenizer userToken = new StringTokenizer(userNames, "[]"); + while (userToken.hasMoreTokens()) { userNames = userToken.nextToken(); } } + String conditionValue = ""; + for (RangerPolicyItemCondition conditions : conditionsList) { String conditionType = conditions.getType(); List conditionList = conditions.getValues(); + conditionValue = conditionList.toString(); conditionKeyValue = conditionType + "=" + conditionValue; } + cell = row.createCell(3); cell.setCellValue(roleNames); cell = row.createCell(4); @@ -4626,8 +5205,10 @@ private void writeBookForPolicyItems(Map svcNameToSvcType, Range cell = row.createCell(7); String serviceType = policy.getServiceType(); + if (StringUtils.isBlank(serviceType)) { serviceType = svcNameToSvcType.get(policy.getService()); + if (serviceType == null) { serviceType = ""; } 
@@ -4636,6 +5217,7 @@ private void writeBookForPolicyItems(Map svcNameToSvcType, Range if (policyConditionType != null) { policyConditionTypeValue = policyConditionType; } + if (policyConditionType == null && serviceType.equalsIgnoreCase("tag")) { policyConditionTypeValue = POLICY_ALLOW_INCLUDE; } else if (policyConditionType == null) { @@ -4643,24 +5225,34 @@ private void writeBookForPolicyItems(Map svcNameToSvcType, Range } cell.setCellValue(serviceType); + cell = row.createCell(8); } + if (policy.getIsEnabled()) { policyStatus = "Enabled"; } else { policyStatus = "Disabled"; } + policyLabels = policy.getPolicyLabels(); + if (CollectionUtils.isNotEmpty(policyLabels)) { policyLabelNames = policyLabelNames + policyLabels; + StringTokenizer policyLabelToken = new StringTokenizer(policyLabelNames, "[]"); + while (policyLabelToken.hasMoreTokens()) { policyLabelNames = policyLabelToken.nextToken(); } } + cell.setCellValue(policyStatus); + cell = row.createCell(9); + int policyTypeInt = policy.getPolicyType(); + switch (policyTypeInt) { case RangerPolicy.POLICY_TYPE_ACCESS: policyType = POLICY_TYPE_ACCESS; @@ -4674,6 +5266,7 @@ private void writeBookForPolicyItems(Map svcNameToSvcType, Range policyType = POLICY_TYPE_ROWFILTER; break; } + cell.setCellValue(policyType); cell = row.createCell(10); cell.setCellValue(delegateAdmin.toString().toUpperCase()); @@ -4700,6 +5293,7 @@ private void writeBookForPolicyItems(Map svcNameToSvcType, Range private void createHeaderRow(Sheet sheet) { CellStyle cellStyle = sheet.getWorkbook().createCellStyle(); Font font = sheet.getWorkbook().createFont(); + font.setBold(true); font.setFontHeightInPoints((short) 12); cellStyle.setFont(font); 
@@ -4798,23 +5392,18 @@ private RangerPolicyList searchRangerPolicies(SearchFilter searchFilter) { Set processedServices = new HashSet<>(); Set processedSvcIdsForRole = new HashSet<>(); Set processedPolicies = new HashSet<>(); - Comparator comparator = new Comparator() { - public int compare(RangerPolicy c1, RangerPolicy c2) { - return (c1.getId()).compareTo(c2.getId()); - } - }; - - List xPolList = null; - Long serviceId = null; - String serviceName = searchFilter.getParam(ServiceREST.PARAM_SERVICE_NAME); + List xPolList = null; + String serviceName = searchFilter.getParam(ServiceREST.PARAM_SERVICE_NAME); if (StringUtils.isNotBlank(serviceName)) { - serviceId = getRangerServiceByName(serviceName.trim()); + Long serviceId = getRangerServiceByName(serviceName.trim()); + if (serviceId != null) { loadRangerPolicies(serviceId, processedServices, policyMap, searchFilter); } } else { xPolList = policyService.searchResources(searchFilter, policyService.searchFields, policyService.sortFields, retList); + if (!CollectionUtils.isEmpty(xPolList)) { for (XXPolicy xXPolicy : xPolList) { if (!processedServices.contains(xXPolicy.getService())) { 
@@ -4825,18 +5414,23 @@ public int compare(RangerPolicy c1, RangerPolicy c2) { } String userName = searchFilter.getParam("user"); + if (!StringUtils.isEmpty(userName)) { searchFilter.setParam("user", RangerPolicyEngine.USER_CURRENT); + List xPolListForMacroUser = policyService.searchResources(searchFilter, policyService.searchFields, policyService.sortFields, retList); Set processedSvcIdsForMacroUser = new HashSet<>(); + if (!CollectionUtils.isEmpty(xPolListForMacroUser)) { for (XXPolicy xXPolicy : xPolListForMacroUser) { if (!processedPolicies.contains(xXPolicy.getId())) { if (!processedSvcIdsForMacroUser.contains(xXPolicy.getService())) { loadRangerPolicies(xXPolicy.getService(), processedSvcIdsForMacroUser, policyMap, searchFilter); } + if (policyMap.get(xXPolicy.getId()) != null) { policyList.add(policyMap.get(xXPolicy.getId())); + processedPolicies.add(xXPolicy.getId()); } } 
@@ -4844,24 +5438,32 @@ public int compare(RangerPolicy c1, RangerPolicy c2) { } searchFilter.removeParam("user"); + Set groupNames = daoMgr.getXXGroupUser().findGroupNamesByUserName(userName); + groupNames.add(RangerConstants.GROUP_PUBLIC); + Set processedSvcIdsForGroup = new HashSet<>(); Set processedGroupsName = new HashSet<>(); - List xPolList2; + for (String groupName : groupNames) { searchFilter.setParam("group", groupName); - xPolList2 = policyService.searchResources(searchFilter, policyService.searchFields, policyService.sortFields, retList); + + List xPolList2 = policyService.searchResources(searchFilter, policyService.searchFields, policyService.sortFields, retList); + if (!CollectionUtils.isEmpty(xPolList2)) { for (XXPolicy xPol2 : xPolList2) { if (xPol2 != null) { if (!processedPolicies.contains(xPol2.getId())) { if (!processedSvcIdsForGroup.contains(xPol2.getService()) || !processedGroupsName.contains(groupName)) { loadRangerPolicies(xPol2.getService(), processedSvcIdsForGroup, policyMap, searchFilter); + processedGroupsName.add(groupName); } + if (policyMap.containsKey(xPol2.getId())) { policyList.add(policyMap.get(xPol2.getId())); + processedPolicies.add(xPol2.getId()); } } 
@@ -4872,29 +5474,38 @@ public int compare(RangerPolicy c1, RangerPolicy c2) { // fetch policies maintained for the roles belonging to the user searchFilter.removeParam("group"); + XXUser xxUser = daoMgr.getXXUser().findByUserName(userName); + if (xxUser != null) { Set allContainedRoles = new HashSet<>(); List xxRoles = daoMgr.getXXRole().findByUserId(xxUser.getId()); + for (XXRole xxRole : xxRoles) { getContainingRoles(xxRole.getId(), allContainedRoles); } - Set roleNames = getRoleNames(allContainedRoles); - Set processedRoleName = new HashSet<>(); - List xPolList3; + + Set roleNames = getRoleNames(allContainedRoles); + Set processedRoleName = new HashSet<>(); + for (String roleName : roleNames) { searchFilter.setParam("role", roleName); - xPolList3 = policyService.searchResources(searchFilter, policyService.searchFields, policyService.sortFields, retList); + + List xPolList3 = policyService.searchResources(searchFilter, policyService.searchFields, policyService.sortFields, retList); + if (!CollectionUtils.isEmpty(xPolList3)) { for (XXPolicy xPol3 : xPolList3) { if (xPol3 != null) { if (!processedPolicies.contains(xPol3.getId())) { if (!processedSvcIdsForRole.contains(xPol3.getService()) || !processedRoleName.contains(roleName)) { loadRangerPolicies(xPol3.getService(), processedSvcIdsForRole, policyMap, searchFilter); + processedRoleName.add(roleName); } + if (policyMap.containsKey(xPol3.getId())) { policyList.add(policyMap.get(xPol3.getId())); + processedPolicies.add(xPol3.getId()); } } 
@@ -4907,27 +5518,36 @@ public int compare(RangerPolicy c1, RangerPolicy c2) { // fetch policies maintained for the roles and groups belonging to the group String groupName = searchFilter.getParam("group"); + if (StringUtils.isBlank(groupName)) { groupName = RangerConstants.GROUP_PUBLIC; } + Set groupNames = daoMgr.getXXGroupGroup().findGroupNamesByGroupName(groupName); + groupNames.add(groupName); - Set processedSvcIdsForGroup = new HashSet<>(); - Set processedGroupsName = new HashSet<>(); - List xPolList2; + + Set processedSvcIdsForGroup = new HashSet<>(); + Set processedGroupsName = new HashSet<>(); + for (String grpName : groupNames) { searchFilter.setParam("group", grpName); - xPolList2 = policyService.searchResources(searchFilter, policyService.searchFields, policyService.sortFields, retList); + + List xPolList2 = policyService.searchResources(searchFilter, policyService.searchFields, policyService.sortFields, retList); + if (!CollectionUtils.isEmpty(xPolList2)) { for (XXPolicy xPol2 : xPolList2) { if (xPol2 != null) { if (!processedPolicies.contains(xPol2.getId())) { if (!processedSvcIdsForGroup.contains(xPol2.getService()) || !processedGroupsName.contains(groupName)) { loadRangerPolicies(xPol2.getService(), processedSvcIdsForGroup, policyMap, searchFilter); + processedGroupsName.add(groupName); } + if (policyMap.containsKey(xPol2.getId())) { policyList.add(policyMap.get(xPol2.getId())); + processedPolicies.add(xPol2.getId()); } } 
@@ -4937,29 +5557,38 @@ public int compare(RangerPolicy c1, RangerPolicy c2) { } searchFilter.removeParam("group"); + XXGroup xxGroup = daoMgr.getXXGroup().findByGroupName(groupName); + if (xxGroup != null) { Set allContainedRoles = new HashSet<>(); List xxRoles = daoMgr.getXXRole().findByGroupId(xxGroup.getId()); + for (XXRole xxRole : xxRoles) { getContainingRoles(xxRole.getId(), allContainedRoles); } + Set roleNames = getRoleNames(allContainedRoles); Set processedRoleName = new HashSet<>(); - List xPolList3; + for (String roleName : roleNames) { searchFilter.setParam("role", roleName); - xPolList3 = policyService.searchResources(searchFilter, policyService.searchFields, policyService.sortFields, retList); + + List xPolList3 = policyService.searchResources(searchFilter, policyService.searchFields, policyService.sortFields, retList); + if (!CollectionUtils.isEmpty(xPolList3)) { for (XXPolicy xPol3 : xPolList3) { if (xPol3 != null) { if (!processedPolicies.contains(xPol3.getId())) { if (!processedSvcIdsForRole.contains(xPol3.getService()) || !processedRoleName.contains(roleName)) { loadRangerPolicies(xPol3.getService(), processedSvcIdsForRole, policyMap, searchFilter); + processedRoleName.add(roleName); } + if (policyMap.containsKey(xPol3.getId())) { policyList.add(policyMap.get(xPol3.getId())); + processedPolicies.add(xPol3.getId()); } } @@ -4975,6 +5604,7 @@ public int compare(RangerPolicy c1, RangerPolicy c2) { for (Entry entry : policyMap.entrySet()) { if (!processedPolicies.contains(entry.getKey())) { policyList.add(entry.getValue()); + processedPolicies.add(entry.getKey()); } } @@ -4986,8 +5616,10 @@ public int compare(RangerPolicy c1, RangerPolicy c2) { if (!processedServices.contains(xPol.getService())) { loadRangerPolicies(xPol.getService(), processedServices, policyMap, searchFilter); } + if (policyMap.containsKey(xPol.getId())) { policyList.add(policyMap.get(xPol.getId())); + processedPolicies.add(xPol.getId()); } } 
@@ -4999,46 +5631,58 @@ public int compare(RangerPolicy c1, RangerPolicy c2) { for (Entry entry : policyMap.entrySet()) { if (!processedPolicies.contains(entry.getKey())) { policyList.add(entry.getValue()); + processedPolicies.add(entry.getKey()); } } } } + Comparator comparator = Comparator.comparing(RangerBaseModelObject::getId); + if (CollectionUtils.isNotEmpty(policyList)) { - Collections.sort(policyList, comparator); + policyList.sort(comparator); } + retList.setPolicies(policyList); + return retList; } private boolean isSearchQuerybyResource(SearchFilter searchFilter) { boolean ret = false; Map filterResourcesPrefix = searchFilter.getParamsWithPrefix(SearchFilter.RESOURCE_PREFIX, true); + if (MapUtils.isNotEmpty(filterResourcesPrefix)) { ret = true; } + if (!ret) { Map filterResourcesPolResource = searchFilter.getParamsWithPrefix(SearchFilter.POL_RESOURCE, true); + if (MapUtils.isNotEmpty(filterResourcesPolResource)) { ret = true; } } + return ret; } private Long getRangerServiceByName(String name) { XXService xxService = null; XXServiceDao xxServiceDao = daoMgr.getXXService(); + if (xxServiceDao != null) { xxService = xxServiceDao.findByName(name); } + return xxService == null ? null : xxService.getId(); } private void loadRangerPolicies(Long serviceId, Set processedServices, Map policyMap, SearchFilter searchFilter) { try { List tempPolicyList = getServicePolicies(serviceId, searchFilter); + if (!CollectionUtils.isEmpty(tempPolicyList)) { for (RangerPolicy rangerPolicy : tempPolicyList) { if (!policyMap.containsKey(rangerPolicy.getId())) { 
@@ -5046,35 +5690,50 @@ private void loadRangerPolicies(Long serviceId, Set processedServices, Map } } } + processedServices.add(serviceId); } catch (Exception e) { + // ignore } } private void updateServiceWithCustomProperty() { LOG.info("Adding custom properties to services"); + SearchFilter filter = new SearchFilter(); + try { List lstRangerService = getServices(filter); + for (RangerService rangerService : lstRangerService) { String serviceUser = PropertiesUtil.getProperty("ranger.plugins." + rangerService.getType() + ".serviceuser"); + if (!StringUtils.isEmpty(serviceUser)) { boolean chkServiceUpdate = false; + LOG.debug("customproperty = {} for service = {}", rangerService.getConfigs().get(ServiceREST.Allowed_User_List_For_Download), rangerService.getName()); + if (!rangerService.getConfigs().containsKey(ServiceREST.Allowed_User_List_For_Download)) { rangerService.getConfigs().put(ServiceREST.Allowed_User_List_For_Download, serviceUser); + chkServiceUpdate = true; } + if ((!rangerService.getConfigs().containsKey(ServiceREST.Allowed_User_List_For_Grant_Revoke)) && ("hbase".equalsIgnoreCase(rangerService.getType()) || "hive".equalsIgnoreCase(rangerService.getType()))) { rangerService.getConfigs().put(ServiceREST.Allowed_User_List_For_Grant_Revoke, serviceUser); + chkServiceUpdate = true; } + if (!rangerService.getConfigs().containsKey(TagREST.Allowed_User_List_For_Tag_Download)) { rangerService.getConfigs().put(TagREST.Allowed_User_List_For_Tag_Download, serviceUser); + chkServiceUpdate = true; } + if (chkServiceUpdate) { updateService(rangerService, null); + LOG.debug("Updated service {} with custom properties in secure environment", rangerService.getName()); } } 
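Review bot: The `catch (Exception e)` at the end of `loadRangerPolicies` in the `@@ -5046` hunk now carries only `// ignore`, so any failure in `getServicePolicies` for a service is dropped without a trace and `processedServices.add(serviceId)` is skipped, which means the caller's policy search silently returns a partial result set. At minimum log it so an incomplete authorization view is diagnosable, e.g. `LOG.warn("loadRangerPolicies(serviceId={}): failed to load policies; search result may be incomplete", serviceId, e);` — assuming `LOG` is an SLF4J-style logger, as the parameterized `LOG.debug` calls further down suggest. If the swallow is deliberate, the comment should say why rather than `// ignore`. The method's signature and try block begin outside this hunk.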
@@ -5086,17 +5745,23 @@ private void updateServiceWithCustomProperty() { private String getAuditMode(String serviceTypeName, String serviceName) { String ret = config.get("ranger.audit.global.mode"); + if (StringUtils.isNotBlank(ret)) { return ret; } + ret = config.get("ranger.audit.servicedef." + serviceTypeName + ".mode"); + if (StringUtils.isNotBlank(ret)) { return ret; } + ret = config.get("ranger.audit.service." + serviceName + ".mode"); + if (StringUtils.isNotBlank(ret)) { return ret; } + return RangerPolicyEngine.AUDIT_DEFAULT; } @@ -5105,10 +5770,12 @@ private void createGenericUsers() { genericUser.setName(RangerPolicyEngine.USER_CURRENT); genericUser.setDescription(RangerPolicyEngine.USER_CURRENT); + xUserService.createXUserWithOutLogin(genericUser); genericUser.setName(RangerPolicyEngine.RESOURCE_OWNER); genericUser.setDescription(RangerPolicyEngine.RESOURCE_OWNER); + xUserService.createXUserWithOutLogin(genericUser); } 
@@ -5127,22 +5794,33 @@ private String getMetricOfTypeUserGroup(final SearchCriteria searchCriteria) { VXGroupList vxGroupList = xUserMgr.searchXGroups(searchCriteria); long groupCount = vxGroupList.getTotalCount(); ArrayList userAdminRoleCount = new ArrayList<>(); + userAdminRoleCount.add(RangerConstants.ROLE_SYS_ADMIN); + long userSysAdminCount = getUserCountBasedOnUserRole(userAdminRoleCount); ArrayList userAdminAuditorRoleCount = new ArrayList<>(); + userAdminAuditorRoleCount.add(RangerConstants.ROLE_ADMIN_AUDITOR); + long userSysAdminAuditorCount = getUserCountBasedOnUserRole(userAdminAuditorRoleCount); ArrayList userRoleListKeyRoleAdmin = new ArrayList<>(); + userRoleListKeyRoleAdmin.add(RangerConstants.ROLE_KEY_ADMIN); + long userKeyAdminCount = getUserCountBasedOnUserRole(userRoleListKeyRoleAdmin); ArrayList userRoleListKeyadminAduitorRole = new ArrayList<>(); + userRoleListKeyadminAduitorRole.add(RangerConstants.ROLE_KEY_ADMIN_AUDITOR); + long userKeyadminAuditorCount = getUserCountBasedOnUserRole(userRoleListKeyadminAduitorRole); ArrayList userRoleListUser = new ArrayList<>(); + userRoleListUser.add(RangerConstants.ROLE_USER); + long userRoleCount = getUserCountBasedOnUserRole(userRoleListUser); long userTotalCount = userSysAdminCount + userKeyAdminCount + userRoleCount + userKeyadminAuditorCount + userSysAdminAuditorCount; VXMetricUserGroupCount metricUserGroupCount = new VXMetricUserGroupCount(); + metricUserGroupCount.setUserCountOfUserRole(userRoleCount); metricUserGroupCount.setUserCountOfKeyAdminRole(userKeyAdminCount); metricUserGroupCount.setUserCountOfSysAdminRole(userSysAdminCount); 
@@ -5150,8 +5828,8 @@ private String getMetricOfTypeUserGroup(final SearchCriteria searchCriteria) { metricUserGroupCount.setUserCountOfSysAdminAuditorRole(userSysAdminAuditorCount); metricUserGroupCount.setUserTotalCount(userTotalCount); metricUserGroupCount.setGroupCount(groupCount); - final String jsonUserGroupCount = JsonUtils.objectToJson(metricUserGroupCount); - ret = jsonUserGroupCount; + + ret = JsonUtils.objectToJson(metricUserGroupCount); } catch (Exception e) { LOG.error("ServiceDBStore.getMetricByType(usergroup): Error calculating Metric for usergroup : {}", e.getMessage()); } @@ -5161,6 +5839,7 @@ private String getMetricOfTypeUserGroup(final SearchCriteria searchCriteria) { private String getMetricOfTypeAudits(final SearchCriteria searchCriteria) { String ret = null; + try { int clientTimeOffsetInMinute = RestUtil.getClientTimeOffset(); String defaultDateFormat = "MM/dd/yyyy"; 
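Review bot: The `catch (Exception e)` in the `@@ -5150` hunk logs only `e.getMessage()`, which discards the stack trace and the cause chain, and a `NullPointerException` yields the unhelpful message `null`; passing the throwable as the last argument keeps it: `LOG.error("ServiceDBStore.getMetricByType(usergroup): Error calculating Metric for usergroup", e);`. The same `{}` + `e.getMessage()` pattern recurs in the metric methods in the `@@ -5191`, `@@ -5213`, `@@ -5283`, `@@ -5311` and `@@ -5389` hunks and should be changed together. `getMetricOfTypeUserGroup` starts outside this hunk.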
@@ -5169,19 +5848,24 @@ private String getMetricOfTypeAudits(final SearchCriteria searchCriteria) { VXMetricAuditDetailsCount auditObj = new VXMetricAuditDetailsCount(); DateUtil dateUtilTwoDays = new DateUtil(); Date startDateUtilTwoDays = dateUtilTwoDays.getDateFromNow(-2); - Date dStart2 = restErrorUtil.parseDate(formatter.format(startDateUtilTwoDays), "Invalid value for startDate", MessageEnums.INVALID_INPUT_DATA, null, "startDate", defaultDateFormat); + Date dStart2 = restErrorUtil.parseDate(formatter.format(startDateUtilTwoDays), "Invalid value for startDate", MessageEnums.INVALID_INPUT_DATA, null, "startDate", defaultDateFormat); Date endDateTwoDays = MiscUtil.getUTCDate(); Date dEnd2 = restErrorUtil.parseDate(formatter.format(endDateTwoDays), "Invalid value for endDate", MessageEnums.INVALID_INPUT_DATA, null, "endDate", defaultDateFormat); + dEnd2 = dateUtilTwoDays.getDateFromGivenDate(dEnd2, 0, 23, 59, 59); dEnd2 = dateUtilTwoDays.addTimeOffset(dEnd2, clientTimeOffsetInMinute); + VXMetricServiceCount deniedCountObj = getAuditsCount(0, dStart2, dEnd2); + auditObj.setDenialEventsCountTwoDays(deniedCountObj); VXMetricServiceCount allowedCountObj = getAuditsCount(1, dStart2, dEnd2); + auditObj.setAccessEventsCountTwoDays(allowedCountObj); long totalAuditsCountTwoDays = deniedCountObj.getTotalCount() + allowedCountObj.getTotalCount(); + auditObj.setSolrIndexCountTwoDays(totalAuditsCountTwoDays); DateUtil dateUtilWeek = new DateUtil(); 
@@ -5191,19 +5875,23 @@ private String getMetricOfTypeAudits(final SearchCriteria searchCriteria) { Date endDateWeek = MiscUtil.getUTCDate(); DateUtil dateUtilweek = new DateUtil(); Date dEnd7 = restErrorUtil.parseDate(formatter.format(endDateWeek), "Invalid value for endDate", MessageEnums.INVALID_INPUT_DATA, null, "endDate", defaultDateFormat); + dEnd7 = dateUtilweek.getDateFromGivenDate(dEnd7, 0, 23, 59, 59); dEnd7 = dateUtilweek.addTimeOffset(dEnd7, clientTimeOffsetInMinute); + VXMetricServiceCount deniedCountObjWeek = getAuditsCount(0, dStart7, dEnd7); + auditObj.setDenialEventsCountWeek(deniedCountObjWeek); VXMetricServiceCount allowedCountObjWeek = getAuditsCount(1, dStart7, dEnd7); + auditObj.setAccessEventsCountWeek(allowedCountObjWeek); long totalAuditsCountWeek = deniedCountObjWeek.getTotalCount() + allowedCountObjWeek.getTotalCount(); + auditObj.setSolrIndexCountWeek(totalAuditsCountWeek); - final String jsonAudit = JsonUtils.objectToJson(auditObj); - ret = jsonAudit; + ret = JsonUtils.objectToJson(auditObj); } catch (Exception e) { LOG.error("ServiceDBStore.getMetricByType(audits): Error calculating Metric for audits : {}", e.getMessage()); } 
@@ -5213,53 +5901,68 @@ private String getMetricOfTypeAudits(final SearchCriteria searchCriteria) { private String getMetricOfTypeServices(final SearchCriteria searchCriteria) { String ret = null; + try { SearchFilter serviceFilter = new SearchFilter(); + serviceFilter.setMaxRows(200); serviceFilter.setStartIndex(0); serviceFilter.setGetCount(true); serviceFilter.setSortBy("serviceId"); serviceFilter.setSortType("asc"); + VXMetricServiceCount vXMetricServiceCount = new VXMetricServiceCount(); PList paginatedSvcs = getPaginatedServices(serviceFilter); long totalServiceCount = paginatedSvcs.getTotalCount(); List rangerServiceList = paginatedSvcs.getList(); Map services = new HashMap<>(); - for (Object rangerService : rangerServiceList) { - RangerService rangerServiceObj = (RangerService) rangerService; - String serviceName = rangerServiceObj.getType(); + + for (RangerService rangerService : rangerServiceList) { + String serviceName = rangerService.getType(); + if (!(services.containsKey(serviceName))) { serviceFilter.setParam("serviceType", serviceName); + PList paginatedSvcscount = getPaginatedServices(serviceFilter); + services.put(serviceName, paginatedSvcscount.getTotalCount()); } } + vXMetricServiceCount.setServiceBasedCountList(services); vXMetricServiceCount.setTotalCount(totalServiceCount); - final String jsonServices = JsonUtils.objectToJson(vXMetricServiceCount); - ret = jsonServices; + + ret = JsonUtils.objectToJson(vXMetricServiceCount); } catch (Exception e) { LOG.error("ServiceDBStore.getMetricByType(services): Error calculating Metric for services : {}", e.getMessage()); } + return ret; } private String getMetricOfTypePolicies(final SearchCriteria searchCriteria) { String ret = null; + try { SearchFilter policyFilter = new SearchFilter(); + policyFilter.setMaxRows(200); policyFilter.setStartIndex(0); policyFilter.setGetCount(true); policyFilter.setSortBy("serviceId"); policyFilter.setSortType("asc"); + VXMetricPolicyWithServiceNameCount 
vXMetricPolicyWithServiceNameCount = new VXMetricPolicyWithServiceNameCount(); PList paginatedSvcsList = getPaginatedPolicies(policyFilter); + vXMetricPolicyWithServiceNameCount.setTotalCount(paginatedSvcsList.getTotalCount()); + Map servicesWithPolicy = new HashMap<>(); + for (int k = 2; k >= 0; k--) { String policyType = String.valueOf(k); VXMetricServiceNameCount vXMetricServiceNameCount = getVXMetricServiceCount(policyType); + if (k == 2) { servicesWithPolicy.put("rowFilteringPolicies", vXMetricServiceNameCount); } else if (k == 1) { @@ -5268,13 +5971,17 @@ private String getMetricOfTypePolicies(final SearchCriteria searchCriteria) { servicesWithPolicy.put("resourceAccessPolicies", vXMetricServiceNameCount); } } + Map> tagMap = new HashMap<>(); Map serviceNameWithPolicyCount = new HashMap<>(); boolean tagFlag = false; + if (!tagFlag) { policyFilter.setParam("serviceType", "tag"); + PList policiestype = getPaginatedPolicies(policyFilter); List policies = policiestype.getList(); + for (RangerPolicy rangerPolicy : policies) { if (serviceNameWithPolicyCount.containsKey(rangerPolicy.getService())) { Long tagServicePolicyCount = serviceNameWithPolicyCount.get(rangerPolicy.getService()) + 1L; 
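Review bot: The loop `for (int k = 2; k >= 0; k--)` with `if (k == 2) ... else if (k == 1)` in the `@@ -5213` hunk encodes the policy types as bare integer literals, while elsewhere in this file the same values are referred to through `RangerPolicy.POLICY_TYPE_ACCESS` and its siblings. Comparing against the named constants (`if (k == RangerPolicy.POLICY_TYPE_ROWFILTER)`, and likewise for the other two branches) keeps this metric in step with the switch in `writeBookForPolicyItems` and documents which map key belongs to which policy type. `getMetricOfTypePolicies` continues past this hunk.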
@@ -5283,25 +5990,31 @@ private String getMetricOfTypePolicies(final SearchCriteria searchCriteria) { serviceNameWithPolicyCount.put(rangerPolicy.getService(), 1L); } } + tagMap.put("tag", serviceNameWithPolicyCount); + long tagCount = policiestype.getTotalCount(); VXMetricServiceNameCount vXMetricServiceNameCount = new VXMetricServiceNameCount(); + vXMetricServiceNameCount.setServiceBasedCountList(tagMap); vXMetricServiceNameCount.setTotalCount(tagCount); + servicesWithPolicy.put("tagAccessPolicies", vXMetricServiceNameCount); - tagFlag = true; } + vXMetricPolicyWithServiceNameCount.setPolicyCountList(servicesWithPolicy); - final String jsonPolicies = JsonUtils.objectToJson(vXMetricPolicyWithServiceNameCount); - ret = jsonPolicies; + + ret = JsonUtils.objectToJson(vXMetricPolicyWithServiceNameCount); } catch (Exception e) { LOG.error("ServiceDBStore.getMetricByType(policies): Error calculating Metric for policies : {}", e.getMessage()); } + return ret; } private String getMetricOfTypeDatabase(final SearchCriteria searchCriteria) { String ret = null; + try { int dbFlavor = RangerBizUtil.getDBFlavor(); String dbFlavourType = RangerBizUtil.getDBFlavorType(dbFlavor); 
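Review bot: Removing `tagFlag = true;` in the `@@ -5283` hunk leaves `tagFlag` declared as `boolean tagFlag = false;` and never reassigned, so the `if (!tagFlag) {` guard in the preceding `@@ -5268` hunk is now a constant-true condition. Either the flag was meant to carry state that is now lost, or both the declaration and the `if` should be deleted and the tag-policy block un-nested; as committed the flag reads like a leftover. `getMetricOfTypePolicies` starts before the `@@ -5268` hunk.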
@@ -5311,65 +6024,82 @@ private String getMetricOfTypeDatabase(final SearchCriteria searchCriteria) { } catch (Exception e) { LOG.error("ServiceDBStore.getMetricByType(database): Error calculating Metric for database : {}", e.getMessage()); } + return ret; } private String getMetricOfTypeContextEnrichers(final SearchCriteria searchCriteria) { String ret = null; + try { SearchFilter filter = new SearchFilter(); + filter.setStartIndex(0); + VXMetricContextEnricher serviceWithContextEnrichers = new VXMetricContextEnricher(); PList paginatedSvcDefs = getPaginatedServiceDefs(filter); List repoTypeList = paginatedSvcDefs.getList(); + if (repoTypeList != null) { for (RangerServiceDef repoType : repoTypeList) { - RangerServiceDef rangerServiceDefObj = repoType; - String name = rangerServiceDefObj.getName(); - List contextEnrichers = rangerServiceDefObj.getContextEnrichers(); + String name = repoType.getName(); + List contextEnrichers = repoType.getContextEnrichers(); + if (contextEnrichers != null && !contextEnrichers.isEmpty()) { serviceWithContextEnrichers.setServiceName(name); serviceWithContextEnrichers.setTotalCount(contextEnrichers.size()); } } } - final String jsonContextEnrichers = JsonUtils.objectToJson(serviceWithContextEnrichers); - ret = jsonContextEnrichers; + + ret = JsonUtils.objectToJson(serviceWithContextEnrichers); } catch (Exception e) { LOG.error("ServiceDBStore.getMetricByType(contextenrichers): Error calculating Metric for contextenrichers : {}", e.getMessage()); } + return ret; } private String getMetricOfTypeDenyConditions(final SearchCriteria searchCriteria) { String ret = null; + try { SearchFilter policyFilter1 = new SearchFilter(); + policyFilter1.setMaxRows(200); policyFilter1.setStartIndex(0); policyFilter1.setGetCount(true); policyFilter1.setSortBy("serviceId"); policyFilter1.setSortType("asc"); policyFilter1.setParam("denyCondition", "true"); + int denyCount = 0; Map denyconditionsonMap = new HashMap<>(); PList paginatedSvcDefs = 
getPaginatedServiceDefs(policyFilter1); + if (paginatedSvcDefs != null) { List rangerServiceDefs = paginatedSvcDefs.getList(); + if (rangerServiceDefs != null && !rangerServiceDefs.isEmpty()) { for (RangerServiceDef rangerServiceDef : rangerServiceDefs) { if (rangerServiceDef != null) { String serviceDef = rangerServiceDef.getName(); + if (!StringUtils.isEmpty(serviceDef)) { policyFilter1.setParam("serviceType", serviceDef); + PList policiesList = getPaginatedPolicies(policyFilter1); + if (policiesList != null && policiesList.getListSize() > 0) { int policyListCount = policiesList.getListSize(); + if (policyListCount > 0 && policiesList.getList() != null) { List policies = policiesList.getList(); + for (RangerPolicy policy : policies) { if (policy != null) { List policyItem = policy.getDenyPolicyItems(); + if (policyItem != null && !policyItem.isEmpty()) { if (denyconditionsonMap.get(serviceDef) != null) { denyCount = denyconditionsonMap.get(serviceDef) + denyCount + policyItem.size(); @@ -5377,7 +6107,9 @@ private String getMetricOfTypeDenyConditions(final SearchCriteria searchCriteria denyCount = denyCount + policyItem.size(); } } + List policyItemExclude = policy.getDenyExceptions(); + if (policyItemExclude != null && !policyItemExclude.isEmpty()) { if (denyconditionsonMap.get(serviceDef) != null) { denyCount = denyconditionsonMap.get(serviceDef) + denyCount + policyItemExclude.size(); 
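Review bot: In `getMetricOfTypeContextEnrichers` (the `@@ -5311` hunk) the loop calls `serviceWithContextEnrichers.setServiceName(name)` and `setTotalCount(contextEnrichers.size())` on a single object for every service definition that has enrichers, so each iteration overwrites the previous one and only the last matching service def is reported; if the metric is meant to cover all of them the result needs to be a per-service map, otherwise a comment such as `// NOTE: only the last service def with context enrichers is reported` should state the limitation. In `getMetricOfTypeDenyConditions` in the same hunk, `policyFilter1.setMaxRows(200)` followed by counting deny items from `policiesList.getList()` appears to count only the first page of policies per service type — if `getPaginatedPolicies` honours `maxRows`, services with more than 200 policies are under-reported, which is worth confirming. `getMetricOfTypeDenyConditions` continues past this hunk.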
@@ -5389,44 +6121,53 @@ private String getMetricOfTypeDenyConditions(final SearchCriteria searchCriteria } } } + policyFilter1.removeParam("serviceType"); } + denyconditionsonMap.put(serviceDef, denyCount); + denyCount = 0; } } } } - String jsonContextDenyCondtionOn = JsonUtils.objectToJson(denyconditionsonMap); - ret = jsonContextDenyCondtionOn; + + ret = JsonUtils.objectToJson(denyconditionsonMap); } catch (Exception e) { LOG.error("ServiceDBStore.getMetricByType(denyconditions): Error calculating Metric for denyconditions : {}", e.getMessage()); } + return ret; } private VXMetricServiceNameCount getVXMetricServiceCount(String policyType) throws Exception { SearchFilter policyFilter1 = new SearchFilter(); + policyFilter1.setMaxRows(200); policyFilter1.setStartIndex(0); policyFilter1.setGetCount(true); policyFilter1.setSortBy("serviceId"); policyFilter1.setSortType("asc"); policyFilter1.setParam("policyType", policyType); + PList policies = getPaginatedPolicies(policyFilter1); PList paginatedSvcsSevice = getPaginatedServices(policyFilter1); List rangerServiceList = paginatedSvcsSevice.getList(); Map> servicesforPolicyType = new HashMap<>(); long tagCount = 0; - for (Object rangerService : rangerServiceList) { - RangerService rangerServiceObj = (RangerService) rangerService; - String servicetype = rangerServiceObj.getType(); - String serviceName = rangerServiceObj.getName(); + + for (RangerService rangerService : rangerServiceList) { + String servicetype = rangerService.getType(); + String serviceName = rangerService.getName(); + policyFilter1.setParam("serviceName", serviceName); + Map servicesNamewithPolicyCount = new HashMap<>(); PList policiestype = getPaginatedPolicies(policyFilter1); long count = policiestype.getTotalCount(); + if (count != 0) { if (!"tag".equalsIgnoreCase(servicetype)) { if (!(servicesforPolicyType.containsKey(servicetype))) { 
@@ -5434,6 +6175,7 @@ private VXMetricServiceNameCount getVXMetricServiceCount(String policyType) thro servicesforPolicyType.put(servicetype, servicesNamewithPolicyCount); } else if (servicesforPolicyType.containsKey(servicetype)) { Map previousPolicyCount = servicesforPolicyType.get(servicetype); + if (!previousPolicyCount.containsKey(serviceName)) { previousPolicyCount.put(serviceName, count); servicesforPolicyType.put(servicetype, previousPolicyCount); 
@@ -5444,42 +6186,54 @@ private VXMetricServiceNameCount getVXMetricServiceCount(String policyType) thro } } } + VXMetricServiceNameCount vXMetricServiceNameCount = new VXMetricServiceNameCount(); + vXMetricServiceNameCount.setServiceBasedCountList(servicesforPolicyType); - long totalCountOfPolicyType = 0; - totalCountOfPolicyType = policies.getTotalCount() - tagCount; + + long totalCountOfPolicyType = policies.getTotalCount() - tagCount; + vXMetricServiceNameCount.setTotalCount(totalCountOfPolicyType); + return vXMetricServiceNameCount; } private VXMetricServiceCount getAuditsCount(int accessResult, Date startDate, Date endDate) throws Exception { long totalCountOfAudits = 0; SearchFilter filter = new SearchFilter(); + filter.setStartIndex(0); + Map servicesRepoType = new HashMap<>(); VXMetricServiceCount vXMetricServiceCount = new VXMetricServiceCount(); PList paginatedSvcDefs = getPaginatedServiceDefs(filter); Iterable repoTypeGet = paginatedSvcDefs.getList(); - for (Object repo : repoTypeGet) { - RangerServiceDef rangerServiceDefObj = (RangerServiceDef) repo; - long id = rangerServiceDefObj.getId(); - String serviceRepoName = rangerServiceDefObj.getName(); + + for (RangerServiceDef repoType : repoTypeGet) { + long id = repoType.getId(); + String serviceRepoName = repoType.getName(); SearchCriteria searchCriteriaWithType = new SearchCriteria(); + searchCriteriaWithType.getParamList().put("repoType", id); searchCriteriaWithType.getParamList().put("accessResult", accessResult); searchCriteriaWithType.addParam("startDate", startDate); searchCriteriaWithType.addParam("endDate", endDate); searchCriteriaWithType.setMaxRows(0); searchCriteriaWithType.setGetCount(true); + VXAccessAuditList vXAccessAuditListwithType = assetMgr.getAccessLogs(searchCriteriaWithType); - long toltalCountOfRepo = vXAccessAuditListwithType.getTotalCount(); - if (toltalCountOfRepo != 0) { - servicesRepoType.put(serviceRepoName, toltalCountOfRepo); - totalCountOfAudits += toltalCountOfRepo; + 
long totalCountOfRepo = vXAccessAuditListwithType.getTotalCount(); + + if (totalCountOfRepo != 0) { + servicesRepoType.put(serviceRepoName, totalCountOfRepo); + + totalCountOfAudits += totalCountOfRepo; } } + vXMetricServiceCount.setServiceBasedCountList(servicesRepoType); vXMetricServiceCount.setTotalCount(totalCountOfAudits); + return vXMetricServiceCount; } @@ -5490,6 +6244,7 @@ private Long getUserCountBasedOnUserRole(@SuppressWarnings("rawtypes") List user searchCriteria.setGetCount(true); searchCriteria.setSortType("asc"); searchCriteria.addParam("userRoleList", userRoleList); + return xUserMgr.searchXUsers(searchCriteria).getTotalCount(); } @@ -5502,6 +6257,7 @@ private Long getUserCountBasedOnUserRole(@SuppressWarnings("rawtypes") List user private void disassociateZonesForService(RangerService service) throws Exception { String serviceName = service.getName(); List zonesNameList = daoMgr.getXXSecurityZoneDao().findZonesByServiceName(serviceName); + if (CollectionUtils.isNotEmpty(zonesNameList)) { for (String zoneName : zonesNameList) { RangerSecurityZone securityZone = securityZoneStore.getSecurityZoneByName(zoneName); @@ -5510,6 +6266,7 @@ private void disassociateZonesForService(RangerService service) throws Exception if (zoneServices != null && !zoneServices.isEmpty()) { zoneServices.remove(serviceName); securityZone.setServices(zoneServices); + securityZoneStore.updateSecurityZoneById(securityZone); } } @@ -5548,6 +6305,7 @@ private static ServicePolicies getUpdatedServicePoliciesForZones(ServicePolicies securityZoneInfo.setPolicies(zonePolicies); securityZoneInfo.setResources(entry.getValue().getResources()); securityZoneInfo.setContainsAssociatedTagService(false); + securityZonesInfo.put(entry.getKey(), securityZoneInfo); } 
@@ -5568,6 +6326,7 @@ private static ServicePolicies getUpdatedServicePoliciesForZones(ServicePolicies securityZoneInfo.setPolicyDeltas(zonePolicyDeltas); securityZoneInfo.setResources(entry.getValue().getResources()); securityZoneInfo.setContainsAssociatedTagService(false); + securityZonesInfo.put(entry.getKey(), securityZoneInfo); } @@ -5586,12 +6345,12 @@ private void patchAssociatedTagServiceInSecurityZoneInfos(ServicePolicies servic if (servicePolicies != null && MapUtils.isNotEmpty(servicePolicies.getSecurityZones())) { // Get list of zones that associated tag-service (if any) is associated with List zonesInAssociatedTagService = new ArrayList<>(); - - String tagServiceName = servicePolicies.getTagPolicies() != null ? servicePolicies.getTagPolicies().getServiceName() : null; + String tagServiceName = servicePolicies.getTagPolicies() != null ? servicePolicies.getTagPolicies().getServiceName() : null; if (StringUtils.isNotEmpty(tagServiceName)) { try { RangerService tagService = getServiceByName(tagServiceName); + if (tagService != null && tagService.getIsEnabled()) { zonesInAssociatedTagService = daoMgr.getXXSecurityZoneDao().findZonesByTagServiceName(tagServiceName); } @@ -5641,9 +6400,8 @@ private ServicePolicies filterServicePolicies(ServicePolicies servicePolicies) { boolean containsDisabledTagPolicies = false; if (servicePolicies != null) { - List policies = null; + List policies = servicePolicies.getPolicies(); - policies = servicePolicies.getPolicies(); if (CollectionUtils.isNotEmpty(policies)) { for (RangerPolicy policy : policies) { if (!policy.getIsEnabled()) { @@ -5655,6 +6413,7 @@ private ServicePolicies filterServicePolicies(ServicePolicies servicePolicies) { if (servicePolicies.getTagPolicies() != null) { policies = servicePolicies.getTagPolicies().getPolicies(); + if (CollectionUtils.isNotEmpty(policies)) { for (RangerPolicy policy : policies) { if (!policy.getIsEnabled()) { 
@@ -5681,11 +6440,13 @@ private ServicePolicies filterServicePolicies(ServicePolicies servicePolicies) { if (containsDisabledResourcePolicies) { List filteredPolicies = new ArrayList<>(); + for (RangerPolicy policy : servicePolicies.getPolicies()) { if (policy.getIsEnabled()) { filteredPolicies.add(policy); } } + ret.setPolicies(filteredPolicies); } @@ -5699,11 +6460,13 @@ private ServicePolicies filterServicePolicies(ServicePolicies servicePolicies) { tagPolicies.setPolicyUpdateTime(servicePolicies.getTagPolicies().getPolicyUpdateTime()); List filteredPolicies = new ArrayList<>(); + for (RangerPolicy policy : servicePolicies.getTagPolicies().getPolicies()) { if (policy.getIsEnabled()) { filteredPolicies.add(policy); } } + tagPolicies.setPolicies(filteredPolicies); ret.setTagPolicies(tagPolicies); @@ -5716,12 +6479,15 @@ private ServicePolicies filterServicePolicies(ServicePolicies servicePolicies) { private List getAuditFiltersServiceConfigByName(String searchUsrGrpRoleName) { LOG.debug("===> ServiceDBStore.getAuditFiltersServiceConfigByName( searchUsrGrpRoleName : {})", searchUsrGrpRoleName); + List configMapToBeModified = null; if (StringUtils.isNotBlank(searchUsrGrpRoleName)) { configMapToBeModified = new ArrayList<>(); + XXServiceConfigMapDao configDao = daoMgr.getXXServiceConfigMap(); List configs = configDao.findByConfigKey(ServiceDBStore.RANGER_PLUGIN_AUDIT_FILTERS); + for (XXServiceConfigMap configMap : configs) { if (StringUtils.contains(configMap.getConfigvalue(), searchUsrGrpRoleName)) { configMapToBeModified.add(configMap); 
@@ -5729,44 +6495,59 @@ private List getAuditFiltersServiceConfigByName(String searc } } - LOG.debug("<=== ServiceDBStore.getAuditFiltersServiceConfigByName(searchUsrGrpRoleName : {}) configMapToBeModified : {}", searchUsrGrpRoleName, configMapToBeModified); + LOG.debug("<=== ServiceDBStore.getAuditFiltersServiceConfigByName( searchUsrGrpRoleName : {}) configMapToBeModified : {}", searchUsrGrpRoleName, configMapToBeModified); + return configMapToBeModified; } private void removeUserGroupRoleReferences(List auditFilters, String user, String group, String role) { List itemsToRemove = null; - LOG.debug("===> ServiceDBStore.removeUserGroupRoleReferences(user : {}, group : {}, role : {}, auditFilters : {})", user, group, role, auditFilters); + + LOG.debug("===> ServiceDBStore.removeUserGroupRoleReferences( user : {} group : {} role : {} auditFilters : {})", user, group, role, auditFilters); + for (AuditFilter auditFilter : auditFilters) { boolean isAuditFilterModified = false; + if (StringUtils.isNotEmpty(user) && CollectionUtils.isNotEmpty(auditFilter.getUsers())) { auditFilter.getUsers().remove(user); + isAuditFilterModified = true; } + if (StringUtils.isNotEmpty(group) && CollectionUtils.isNotEmpty(auditFilter.getGroups())) { auditFilter.getGroups().remove(group); + isAuditFilterModified = true; } + if (StringUtils.isNotEmpty(role) && CollectionUtils.isNotEmpty(auditFilter.getRoles())) { auditFilter.getRoles().remove(role); + isAuditFilterModified = true; } + if (isAuditFilterModified && CollectionUtils.isEmpty(auditFilter.getUsers()) && CollectionUtils.isEmpty(auditFilter.getGroups()) && CollectionUtils.isEmpty(auditFilter.getRoles())) { if (itemsToRemove == null) { itemsToRemove = new ArrayList<>(); } + itemsToRemove.add(auditFilter); } } + if (CollectionUtils.isNotEmpty(itemsToRemove)) { auditFilters.removeAll(itemsToRemove); } - LOG.debug("<=== ServiceDBStore.removeUserGroupRoleReferences(user : {}, group : {}, role : {}, auditFilters : {})", user, group, role, 
auditFilters); + + LOG.debug("<=== ServiceDBStore.removeUserGroupRoleReferences( user : {} group : {} role : {} auditFilters : {})", user, group, role, auditFilters); } private void getContainingRoles(Long roleId, Set allRoles) { if (!allRoles.contains(roleId)) { allRoles.add(roleId); + Set roles = daoMgr.getXXRoleRefRole().getContainingRoles(roleId); + for (Long role : roles) { getContainingRoles(role, allRoles); } @@ -5775,17 +6556,20 @@ private void getContainingRoles(Long roleId, Set allRoles) { private Set getRoleNames(Set roles) { Set roleNames = new HashSet<>(); + if (CollectionUtils.isNotEmpty(roles)) { List xxRoles = daoMgr.getXXRole().getAll(); + for (Long role : roles) { for (XXRole xxRole : xxRoles) { - if (xxRole.getId() == role) { + if (Objects.equals(xxRole.getId(), role)) { roleNames.add(xxRole.getName()); break; } } } } + return roleNames; } @@ -5803,15 +6587,11 @@ private boolean isServiceActive(String serviceName) { return ret; } - public enum JsonFileNameType { - POLICY, ROLE - } + public enum JSON_FILE_NAME_TYPE { POLICY, ROLE } - public enum VersionType { - POLICY_VERSION, TAG_VERSION, ROLE_VERSION, GDS_VERSION - } + public enum VERSION_TYPE { POLICY_VERSION, TAG_VERSION, ROLE_VERSION, GDS_VERSION } - public enum MetricType { + public enum METRIC_TYPE { USER_GROUP { @Override public String getMetric(ServiceDBStore ref, SearchCriteria searchCriteria) { 
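Review bot: The renames `JsonFileNameType` → `JSON_FILE_NAME_TYPE` and `VersionType` → `VERSION_TYPE` (continued as `METRIC_TYPE` and `REMOVE_REF_TYPE` in the next hunks and in ServiceVersionUpdater's field and constructors) move public enum types from UpperCamelCase to UPPER_SNAKE_CASE, the form Java reserves for constants, which checkstyle and Error Prone flag on type names. If the purpose is to restore a name that existing callers compiled against, a comment on each enum, `// name kept for compatibility with callers of ServiceDBStore.VERSION_TYPE — do not rename`, would stop the next cleanup from reverting it; otherwise the CamelCase names are the conventional ones. Collapsing the constants onto one line also loses the one-constant-per-line layout that keeps future additions a one-line diff.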
@@ -5855,31 +6635,31 @@ public String getMetric(ServiceDBStore ref, SearchCriteria searchCriteria) { } }; - public static MetricType getMetricTypeByName(final String metricTypeName) { - MetricType ret = null; + public static METRIC_TYPE getMetricTypeByName(final String metricTypeName) { + METRIC_TYPE ret = null; if (metricTypeName != null) { switch (metricTypeName) { case "usergroup": - ret = MetricType.USER_GROUP; + ret = METRIC_TYPE.USER_GROUP; break; case "audits": - ret = MetricType.AUDITS; + ret = METRIC_TYPE.AUDITS; break; case "services": - ret = MetricType.SERVICES; + ret = METRIC_TYPE.SERVICES; break; case "policies": - ret = MetricType.POLICIES; + ret = METRIC_TYPE.POLICIES; break; case "database": - ret = MetricType.DATABASE; + ret = METRIC_TYPE.DATABASE; break; case "contextenrichers": - ret = MetricType.CONTEXT_ENRICHERS; + ret = METRIC_TYPE.CONTEXT_ENRICHERS; break; case "denyconditions": - ret = MetricType.DENY_CONDITIONS; + ret = METRIC_TYPE.DENY_CONDITIONS; break; } } @@ -5890,9 +6670,7 @@ public static MetricType getMetricTypeByName(final String metricTypeName) { abstract String getMetric(ServiceDBStore ref, SearchCriteria searchCriteria); } - public enum RemoveRefType { - USER, GROUP, ROLE - } + public enum REMOVE_REF_TYPE { USER, GROUP, ROLE } private static class RangerPolicyDeltaComparator implements Comparator, java.io.Serializable { @Override 
@@ -5904,20 +6682,21 @@ public int compare(RangerPolicyDelta me, RangerPolicyDelta other) { public static class ServiceVersionUpdater implements Runnable { final Long serviceId; final RangerDaoManager daoManager; - final VersionType versionType; + final VERSION_TYPE versionType; final String zoneName; final Integer policyDeltaChange; final RangerPolicy policy; final ServiceTags.TagsChangeType tagChangeType; final Long resourceId; final Long tagId; + long version = -1; - public ServiceVersionUpdater(RangerDaoManager daoManager, Long serviceId, VersionType versionType, Integer policyDeltaType) { + public ServiceVersionUpdater(RangerDaoManager daoManager, Long serviceId, VERSION_TYPE versionType, Integer policyDeltaType) { this(daoManager, serviceId, versionType, null, policyDeltaType, null); } - public ServiceVersionUpdater(RangerDaoManager daoManager, Long serviceId, VersionType versionType, String zoneName, Integer policyDeltaType, RangerPolicy policy) { + public ServiceVersionUpdater(RangerDaoManager daoManager, Long serviceId, VERSION_TYPE versionType, String zoneName, Integer policyDeltaType, RangerPolicy policy) { this.serviceId = serviceId; this.daoManager = daoManager; this.versionType = versionType; @@ -5929,7 +6708,7 @@ public ServiceVersionUpdater(RangerDaoManager daoManager, Long serviceId, Versio this.tagId = null; } - public ServiceVersionUpdater(RangerDaoManager daoManager, Long serviceId, VersionType versionType, ServiceTags.TagsChangeType tagChangeType, Long resourceId, Long tagId) { + public ServiceVersionUpdater(RangerDaoManager daoManager, Long serviceId, VERSION_TYPE versionType, ServiceTags.TagsChangeType tagChangeType, Long resourceId, Long tagId) { this.serviceId = serviceId; this.daoManager = daoManager; this.versionType = versionType; 
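Review bot: The added field `long version = -1;` is the only non-final, package-visible state in ServiceVersionUpdater, whose other fields are all `final`, and nothing in the hunk shows who writes or reads it. A comment stating its contract, e.g. `// result of run(): service version written, or -1 if no update happened — TODO confirm`, or a getter would make the intent explicit; if it is read from a thread other than the one executing `run()`, it also needs a visibility guarantee (`volatile`, or publication through the executor's Future). The class body and `run()` continue outside the hunk.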
@@ -5986,7 +6765,9 @@ private void getOrCreateLabel() { if (xxPolicyLabel == null) { xxPolicyLabel = new XXPolicyLabel(); + xxPolicyLabel.setPolicyLabel(policyLabel); + xxPolicyLabel = rangerAuditFields.populateAuditFieldsForCreate(xxPolicyLabel); xxPolicyLabel = daoMgr.getXXPolicyLabels().create(xxPolicyLabel); } @@ -5994,20 +6775,24 @@ private void getOrCreateLabel() { if (xxPolicyLabel != null) { XXPolicyLabelMap xxPolicyLabelMap = new XXPolicyLabelMap(); + xxPolicyLabelMap.setPolicyId(xPolicy.getId()); xxPolicyLabelMap.setPolicyLabelId(xxPolicyLabel.getId()); + xxPolicyLabelMap = rangerAuditFields.populateAuditFieldsForCreate(xxPolicyLabelMap); + daoMgr.getXXPolicyLabelMap().create(xxPolicyLabelMap); } + LOG.debug("<== AssociatePolicyLabel.getOrCreateLabel(policyId={}, label={})", xPolicy.getId(), policyLabel); } } static { try { - localHostname = java.net.InetAddress.getLocalHost().getCanonicalHostName(); + LOCAL_HOSTNAME = java.net.InetAddress.getLocalHost().getCanonicalHostName(); } catch (UnknownHostException e) { - localHostname = "unknown"; + LOCAL_HOSTNAME = "unknown"; } } } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java index 58978281fa..cea1c5736e 100755 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java @@ -124,6 +124,7 @@ public List lookupResource(String serviceName, ResourceLookupContext con service.getConfigs().put(HadoopConfigHolder.RANGER_AUTH_TYPE, authType); } } + if (!StringUtils.isEmpty(authType) && KERBEROS_TYPE.equalsIgnoreCase(authType.trim()) && SecureClientLogin.isKerberosCredentialExists(rangerPrincipal, rangerkeytab)) { if (service != null && service.getConfigs() != null) { service.getConfigs().put(HadoopConfigHolder.RANGER_PRINCIPAL, rangerPrincipal); 
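Review bot: getOrCreateLabel does a find-then-create (`xxPolicyLabel == null` → `daoMgr.getXXPolicyLabels().create(...)`) with no handling for two concurrent policy saves racing on the same label; whether that surfaces as a duplicate label row or as a constraint-violation exception from `create` depends on the schema, which is not visible here. If the label column is unique, catching the persistence exception and re-reading the label once makes the operation idempotent; if it is not, a duplicate row is possible and later lookups become ambiguous. The lookup that initialises `xxPolicyLabel` is above the hunk.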
@@ -134,11 +135,12 @@ public List lookupResource(String serviceName, ResourceLookupContext con } Map newConfigs = rangerSvcService.getConfigsWithDecryptedPassword(service); + service.setConfigs(newConfigs); RangerBaseService svc = getRangerServiceByService(service, svcStore); - LOG.debug("==> ServiceMgr.lookupResource for Service: ({} Context: {})", svc, context); + LOG.debug("==> ServiceMgr.lookupResource for Service: ({}Context: {})", svc, context); if (svc != null) { if (StringUtils.equals(svc.getServiceDef().getName(), EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TAG_NAME)) { @@ -146,6 +148,7 @@ public List lookupResource(String serviceName, ResourceLookupContext con } else { LookupCallable callable = new LookupCallable(svc, context); long time = getTimeoutValueForLookupInMilliSeconds(svc); + ret = timedExecutor.timedTask(callable, time, TimeUnit.MILLISECONDS); } } @@ -172,6 +175,7 @@ public VXResponse validateConfig(RangerService service, ServiceStore svcStore) t service.getConfigs().put(HadoopConfigHolder.RANGER_AUTH_TYPE, authType); } } + if (!StringUtils.isEmpty(authType) && KERBEROS_TYPE.equalsIgnoreCase(authType.trim()) && SecureClientLogin.isKerberosCredentialExists(rangerPrincipal, rangerkeytab)) { if (service != null && service.getConfigs() != null) { service.getConfigs().put(HadoopConfigHolder.RANGER_PRINCIPAL, rangerPrincipal); @@ -180,12 +184,17 @@ public VXResponse validateConfig(RangerService service, ServiceStore svcStore) t service.getConfigs().put(HadoopConfigHolder.RANGER_AUTH_TYPE, authType); } } + RangerBaseService svc = null; + if (service != null) { Map newConfigs = rangerSvcService.getConfigsWithDecryptedPassword(service); + service.setConfigs(newConfigs); + svc = getRangerServiceByService(service, svcStore); } + LOG.debug("==> ServiceMgr.validateConfig for Service: ({})", svc); // check if service configs contains localhost/127.0.0.1 
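Review bot: The rewritten debug message `"==> ServiceMgr.lookupResource for Service: ({}Context: {})"` drops the space that separated the two placeholders, so the rendered line runs the service and the context together. The same regression appears in SessionMgr: `"No XUser found with username: {}So Permission is not set for the user"` in resetUserModulePermission and `"Could not find corresponding portalUser for xUserId{}"` in getActiveUserSessionsForXUserId. Restore the separators: `({} Context: {})`, `{} So Permission`, `xUserId {}`.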
@@ -193,6 +202,7 @@ public VXResponse validateConfig(RangerService service, ServiceStore svcStore) t for (Map.Entry entry : service.getConfigs().entrySet()) { if (entry.getValue() != null && StringUtils.containsIgnoreCase(entry.getValue(), "localhost") || StringUtils.containsIgnoreCase(entry.getValue(), "127.0.0.1")) { URL url = getValidURL(entry.getValue()); + if ((url != null) && (url.getHost().equalsIgnoreCase("localhost") || url.getHost().equals("127.0.0.1"))) { throw new Exception("Invalid value for configuration " + entry.getKey() + ": host " + url.getHost() + " is not allowed"); } @@ -220,7 +230,7 @@ public VXResponse validateConfig(RangerService service, ServiceStore svcStore) t ret = generateResponseForTestConn(respData, msg); - LOG.error("==> ServiceMgr.validateConfig Error:", e); + LOG.error("==> ServiceMgr.validateConfig Error:{}", String.valueOf(e)); } } @@ -353,13 +363,13 @@ public RangerBaseService getRangerServiceByService(RangerService service, Servic ((RangerServiceTag) ret).setTagStore(tagStore); } } else { - LOG.warn("ServiceMgr.getRangerServiceByService({}): could not find service class {} for the service type {}", service, serviceDef.getImplClass(), serviceType); + LOG.warn("ServiceMgr.getRangerServiceByService({}): could not find service class '{}' for the service type '{}'", service, serviceDef.getImplClass(), serviceType); } } else { - LOG.warn("ServiceMgr.getRangerServiceByService({}): could not find the service-def for the service type {}", service, serviceType); + LOG.warn("ServiceMgr.getRangerServiceByService({}): could not find the service-def for the service type '{}'", service, serviceType); } } else { - LOG.warn("ServiceMgr.getRangerServiceByService({}): could not find the service-type {}", service, serviceType); + LOG.warn("ServiceMgr.getRangerServiceByService({}): could not find the service-type '{}'", service, serviceType); } LOG.debug("<== ServiceMgr.getRangerServiceByService({}): {}", service, ret); 
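Review bot: The condition above the added line, `entry.getValue() != null && StringUtils.containsIgnoreCase(entry.getValue(), "localhost") || StringUtils.containsIgnoreCase(entry.getValue(), "127.0.0.1")`, binds as `(a && b) || c` because `&&` has higher precedence than `||`, so the null guard does not cover the second test; commons-lang's `containsIgnoreCase` tolerates null, so this is a readability rather than a runtime problem, but parentheses would state the intent: `v != null && (StringUtils.containsIgnoreCase(v, "localhost") || StringUtils.containsIgnoreCase(v, "127.0.0.1"))`. The host check on the new line compares `url.getHost()` against only the two literal spellings `localhost` and `127.0.0.1`; if the intent is to reject any loopback target, the IPv6 form (`URL.getHost()` returns it bracketed as `[::1]`) should be covered too, or, if resolving the host here is acceptable, `InetAddress.getByName(host).isLoopbackAddress()` covers all spellings. validateConfig continues outside the hunk.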
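Review bot: `LOG.error("==> ServiceMgr.validateConfig Error:{}", String.valueOf(e))` replaces the throwable argument with its `toString()`, so the stack trace and cause chain that the previous form recorded through SLF4J's trailing-throwable convention are no longer logged; for a failed connection test that is usually the only diagnostic an operator gets. Keep the throwable as the last argument, `LOG.error("==> ServiceMgr.validateConfig Error: {}", e.getMessage(), e);`, which still prints the message inline. The same change is made to `LOG.error("TimedCallable.call: Error:{}", String.valueOf(e))` in TimedCallable.call further down this file.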
@@ -376,36 +386,48 @@ long getTimeoutValueForValidateConfigInMilliSeconds(RangerBaseService svc) { } long getTimeoutValueInMilliSeconds(final String type, RangerBaseService svc, long defaultValue) { - LOG.debug(String.format("==> ServiceMgr.getTimeoutValueInMilliSeconds (%s, %s)", type, svc)); - String propertyName = type + ".timeout.value.in.ms"; // type == "lookup" || type == "validate-config" + LOG.debug("==> ServiceMgr.getTimeoutValueInMilliSeconds ({}, {})", type, svc); + + String propertyName = type + ".timeout.value.in.ms"; // type == "lookup" || type == "validate-config" + Long result = null; + Map config = svc.getConfigs(); - Long result = null; - Map config = svc.getConfigs(); if (config != null && config.containsKey(propertyName)) { result = parseLong(config.get(propertyName)); } + if (result != null) { LOG.debug("Found override in service config!"); } else { - String[] keys = new String[] {"ranger.service." + svc.getServiceName() + "." + propertyName, "ranger.servicetype." + svc.getServiceType() + "." + propertyName, "ranger." + propertyName + String[] keys = new String[] { + "ranger.service." + svc.getServiceName() + "." + propertyName, + "ranger.servicetype." + svc.getServiceType() + "." + propertyName, + "ranger." + propertyName }; + for (String key : keys) { String value = PropertiesUtil.getProperty(key); + if (value != null) { result = parseLong(value); + if (result != null) { LOG.debug("Using the value[{}] found in property[{}]", value, key); + break; } } } } + if (result == null) { LOG.debug("No overrides found in service config of properties file. Using supplied default of[{}]!", defaultValue); + result = defaultValue; } - LOG.debug(String.format("<== ServiceMgr.getTimeoutValueInMilliSeconds (%s, %s): %s", type, svc, result)); + LOG.debug("<== ServiceMgr.getTimeoutValueInMilliSeconds ({}, {}): {}", type, svc, result); + return result; } 
@@ -414,6 +436,7 @@ Long parseLong(String str) { return Long.valueOf(str); } catch (NumberFormatException e) { LOG.debug("ServiceMgr.parseLong: could not parse [{}] as Long! Returning null", str); + return null; } } @@ -427,7 +450,7 @@ private static URL getValidURL(String urlString) { } @SuppressWarnings("unchecked") - private Class getClassForServiceType(RangerServiceDef serviceDef) throws Exception { + private Class getClassForServiceType(RangerServiceDef serviceDef) { LOG.debug("==> ServiceMgr.getClassForServiceType({})", serviceDef); Class ret = null; @@ -443,10 +466,13 @@ private Class getClassForServiceType(RangerServiceD if (ret == null) { String clsName = serviceDef.getImplClass(); + LOG.debug("ServiceMgr.getClassForServiceType({}): service-class {} not found in cache", serviceType, clsName); + try { if (StringUtils.isEmpty(clsName)) { LOG.debug("No service-class configured for service-type:[{}], using RangerDefaultService", serviceType); + ret = RangerDefaultService.class; } else { URL[] pluginFiles = getPluginFilesForServiceType(serviceType); 
@@ -456,14 +482,14 @@ private Class getClassForServiceType(RangerServiceD ret = (Class) cls; } } catch (Exception excp) { - LOG.warn("ServiceMgr.getClassForServiceType({}): failed to find service-class {}. Resource lookup will not be available. Using RangerDefaultService", serviceType, clsName, excp); + LOG.warn("ServiceMgr.getClassForServiceType({}): failed to find service-class '{}'. Resource lookup will not be available. Using RangerDefaultService", serviceType, clsName, excp); ret = RangerDefaultService.class; } serviceTypeClassMap.put(serviceType, ret); - LOG.debug("ServiceMgr.getClassForServiceType({}): service-class {}} added to cache", serviceType, ret.getCanonicalName()); + LOG.debug("ServiceMgr.getClassForServiceType({}): service-class {} added to cache", serviceType, ret.getCanonicalName()); } else { LOG.debug("ServiceMgr.getClassForServiceType({}): service-class {} found in cache", serviceType, ret.getCanonicalName()); } @@ -504,20 +530,21 @@ private void getFilesInDirectory(String dirPath, List files) { try { URL jarPath = dirFile.toURI().toURL(); - LOG.debug("getFilesInDirectory({}): adding {}", dirPath, dirFile.getAbsolutePath()); + LOG.debug("getFilesInDirectory('{}'): adding {}", dirPath, dirFile.getAbsolutePath()); files.add(jarPath); } catch (Exception excp) { - LOG.warn("getFilesInDirectory({}): failed to get URI for file {}", dirPath, dirFile.getAbsolutePath(), excp); + LOG.warn("getFilesInDirectory('{}'): failed to get URI for file {}", dirPath, dirFile.getAbsolutePath(), excp); } } } } catch (Exception excp) { - LOG.warn("getFilesInDirectory({}): error", dirPath, excp); + LOG.warn("getFilesInDirectory('{}'): error", dirPath, excp); } } else { - LOG.debug("getFilesInDirectory({}): could not find directory in CLASSPATH", dirPath); + LOG.debug("getFilesInDirectory('{}'): could not find directory in CLASSPATH", dirPath); } + LOG.debug("<== ServiceMgr.getFilesInDirectory({})", dirPath); } 
@@ -535,18 +562,23 @@ private VXResponse generateResponseForTestConn(Map responseData, if (responseData.get("objectId") != null) { objId = Long.parseLong(responseData.get("objectId").toString()); } + if (responseData.get("connectivityStatus") != null) { connectivityStatus = Boolean.parseBoolean(responseData.get("connectivityStatus").toString()); } + if (connectivityStatus) { statusCode = VXResponse.STATUS_SUCCESS; } + if (responseData.get("message") != null) { message = responseData.get("message").toString(); } + if (responseData.get("description") != null) { description = responseData.get("description").toString(); } + if (responseData.get("fieldName") != null) { fieldName = responseData.get("fieldName").toString(); } @@ -554,6 +586,7 @@ private VXResponse generateResponseForTestConn(Map responseData, VXMessage vXMsg = new VXMessage(); List vXMsgList = new ArrayList<>(); + vXMsg.setFieldName(fieldName); vXMsg.setMessage(message); vXMsg.setObjectId(objId); @@ -562,6 +595,7 @@ private VXResponse generateResponseForTestConn(Map responseData, vXResponse.setMessageList(vXMsgList); vXResponse.setMsgDesc(description); vXResponse.setStatusCode(statusCode); + return vXResponse; } 
@@ -609,22 +643,33 @@ public TimedCallable(RangerBaseService svc) { @Override public T call() throws Exception { Date start = null; - start = new Date(); - LOG.debug("==> TimedCallable: {}", this); + + if (LOG.isDebugEnabled()) { + start = new Date(); + + LOG.debug("==> TimedCallable: {}", this); + } ClassLoader clsLoader = Thread.currentThread().getContextClassLoader(); + try { Thread.currentThread().setContextClassLoader(svc.getClass().getClassLoader()); + return actualCall(); } catch (Exception e) { - LOG.error("TimedCallable.call: Error:", e); + LOG.error("TimedCallable.call: Error:{}", String.valueOf(e)); + throw e; } finally { Thread.currentThread().setContextClassLoader(clsLoader); - Date finish = new Date(); - long waitTime = start.getTime() - creation.getTime(); - long executionTime = finish.getTime() - start.getTime(); - LOG.debug(String.format("<== TimedCallable: %s: wait time[%d ms], execution time [%d ms]", this, waitTime, executionTime)); + + if (LOG.isDebugEnabled()) { + Date finish = new Date(); + long waitTime = start.getTime() - creation.getTime(); + long executionTime = finish.getTime() - start.getTime(); + + LOG.debug("<== TimedCallable: {}: wait time[{} ms], execution time [{} ms]", this, waitTime, executionTime); + } } } @@ -636,6 +681,7 @@ static class LookupCallable extends TimedCallable> { public LookupCallable(final RangerBaseService svc, final ResourceLookupContext context) { super(svc); + this.context = context; } @@ -646,8 +692,7 @@ public String toString() { @Override public List actualCall() throws Exception { - List ret = svc.lookupResource(context); - return ret; + return svc.lookupResource(context); } } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java index cb5e469d97..68874e86c0 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java 
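Review bot: In `TimedCallable.call` the `start` timestamp is now assigned only when `LOG.isDebugEnabled()` is true at entry, but the `finally` block re-evaluates `isDebugEnabled()` and then dereferences `start`; if the log level is raised while the callable is running (most logging backends allow runtime reconfiguration), `start.getTime()` throws a NullPointerException inside `finally` and masks the real outcome of `actualCall()`. Capture the timestamp unconditionally — `long start = System.nanoTime();` is cheap and monotonic, unlike `new Date()` — and keep only the log statement behind the level check, or at least guard with `start != null`. The `creation` field it is compared against is declared outside the hunk.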
@@ -61,6 +61,7 @@ import java.util.ArrayList; import java.util.Calendar; +import java.util.Date; import java.util.HashSet; import java.util.List; import java.util.Set; @@ -73,36 +74,42 @@ public class SessionMgr { static final Logger logger = LoggerFactory.getLogger(SessionMgr.class); private static final Long SESSION_UPDATE_INTERVAL_IN_MILLIS = 30 * DateUtils.MILLIS_PER_MINUTE; + @Autowired - RESTErrorUtil restErrorUtil; + RESTErrorUtil restErrorUtil; + @Autowired - RangerDaoManager daoManager; + RangerDaoManager daoManager; + @Autowired - XUserMgr xUserMgr; + XUserMgr xUserMgr; + @Autowired AuthSessionService authSessionService; + @Autowired - HTTPUtil httpUtil; + HTTPUtil httpUtil; + @Autowired - StringUtil stringUtil; + StringUtil stringUtil; public SessionMgr() { logger.debug("SessionManager created"); } public UserSessionBase processSuccessLogin(int authType, String userAgent, HttpServletRequest httpRequest) { - boolean newSessionCreation = true; - UserSessionBase userSession = null; + boolean newSessionCreation = true; + UserSessionBase userSession = null; + RangerSecurityContext context = RangerContextHolder.getSecurityContext(); - RangerSecurityContext context = RangerContextHolder.getSecurityContext(); if (context != null) { userSession = context.getUserSession(); } Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); WebAuthenticationDetails details = (WebAuthenticationDetails) authentication.getDetails(); + String currentLoginId = authentication.getName(); - String currentLoginId = authentication.getName(); if (userSession != null) { if (validateUserSession(userSession, currentLoginId)) { newSessionCreation = false; 
@@ -111,19 +118,24 @@ public UserSessionBase processSuccessLogin(int authType, String userAgent, HttpS if (newSessionCreation) { getSSOSpnegoAuthCheckForAPI(currentLoginId, httpRequest); + // Need to build the UserSession XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(currentLoginId); + if (gjUser == null) { logger.error("Error getting user for loginId={}", currentLoginId, new Exception()); + return null; } XXAuthSession gjAuthSession = new XXAuthSession(); + gjAuthSession.setLoginId(currentLoginId); gjAuthSession.setUserId(gjUser.getId()); gjAuthSession.setAuthTime(DateUtil.getUTCDate()); gjAuthSession.setAuthStatus(XXAuthSession.AUTH_STATUS_SUCCESS); gjAuthSession.setAuthType(authType); + if (details != null) { gjAuthSession.setExtSessionId(details.getSessionId()); gjAuthSession.setRequestIP(details.getRemoteAddress()); 
@@ -132,21 +144,28 @@ public UserSessionBase processSuccessLogin(int authType, String userAgent, HttpS if (userAgent != null) { gjAuthSession.setRequestUserAgent(userAgent); } + gjAuthSession.setDeviceType(httpUtil.getDeviceType(userAgent)); + HttpSession session = httpRequest.getSession(); + if (session != null) { if (session.getAttribute("auditLoginId") == null) { synchronized (session) { if (session.getAttribute("auditLoginId") == null) { boolean isDownloadLogEnabled = PropertiesUtil.getBooleanProperty("ranger.downloadpolicy.session.log.enabled", false); + if (isDownloadLogEnabled) { gjAuthSession = storeAuthSession(gjAuthSession); + session.setAttribute("auditLoginId", gjAuthSession.getId()); } else if (!StringUtils.isEmpty(httpRequest.getRequestURI()) && !(httpRequest.getRequestURI().contains("/secure/policies/download/") || httpRequest.getRequestURI().contains("/secure/download/"))) { gjAuthSession = storeAuthSession(gjAuthSession); + session.setAttribute("auditLoginId", gjAuthSession.getId()); } else if (StringUtils.isEmpty(httpRequest.getRequestURI())) { gjAuthSession = storeAuthSession(gjAuthSession); + session.setAttribute("auditLoginId", gjAuthSession.getId()); } else { //NOPMD //do not log the details for download policy and tag 
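Review bot: Whether a login audit row is written depends on `httpRequest.getRequestURI().contains("/secure/policies/download/")` / `contains("/secure/download/")`, a substring match anywhere in the request URI rather than a path-prefix test, so the audit-skip branch is broader than the two download endpoints it names; `httpRequest.getServletPath().startsWith(...)` (or a match against the mapped path) pins it to those endpoints. The three branches that do store the session are identical — `gjAuthSession = storeAuthSession(gjAuthSession); session.setAttribute("auditLoginId", gjAuthSession.getId());` — and differ only in their condition, so they collapse into one `if (isDownloadLogEnabled || !isPolicyDownloadRequest(httpRequest.getRequestURI()))` with a small private helper, which also removes the empty `//NOPMD` else. processSuccessLogin continues outside the hunk.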
@@ -157,31 +176,39 @@ public UserSessionBase processSuccessLogin(int authType, String userAgent, HttpS } userSession = new UserSessionBase(); + userSession.setXXPortalUser(gjUser); userSession.setXXAuthSession(gjAuthSession); + if (httpRequest.getAttribute("spnegoEnabled") != null && (boolean) httpRequest.getAttribute("spnegoEnabled")) { userSession.setSpnegoEnabled(true); } - Boolean ssoEnabled; + boolean ssoEnabled; + if (authType == XXAuthSession.AUTH_TYPE_TRUSTED_PROXY) { ssoEnabled = true; } else { Object ssoEnabledObj = httpRequest.getAttribute("ssoEnabled"); - ssoEnabled = ssoEnabledObj != null ? Boolean.valueOf(String.valueOf(ssoEnabledObj)) : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false); + + ssoEnabled = ssoEnabledObj != null ? Boolean.parseBoolean(String.valueOf(ssoEnabledObj)) : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false); } logger.debug("session id = {} ssoenabled = {}", userSession.getLoginId(), ssoEnabled); + userSession.setSSOEnabled(ssoEnabled); resetUserSessionForProfiles(userSession); resetUserModulePermission(userSession); - Calendar cal = Calendar.getInstance(); - if (details != null) { - logger.debug("Login Success: loginId={}, sessionId={}, sessionId={}, requestId={}, epoch={}", currentLoginId, gjAuthSession.getId(), details.getSessionId(), details.getRemoteAddress(), cal.getTimeInMillis()); - } else { - logger.debug("Login Success: loginId={}, sessionId={}, details is null, epoch={}", currentLoginId, gjAuthSession.getId(), cal.getTimeInMillis()); + if (logger.isDebugEnabled()) { + Calendar cal = Calendar.getInstance(); + + if (details != null) { + logger.debug("Login Success: loginId={}, sessionId={}, sessionId={}, requestId={}, epoch={}", currentLoginId, gjAuthSession.getId(), details.getSessionId(), details.getRemoteAddress(), cal.getTimeInMillis()); + } else { + logger.debug("Login Success: loginId={}, sessionId={}, details is null, epoch={}", currentLoginId, gjAuthSession.getId(), 
cal.getTimeInMillis()); + } } } @@ -190,10 +217,10 @@ public UserSessionBase processSuccessLogin(int authType, String userAgent, HttpS public void resetUserModulePermission(UserSessionBase userSession) { XXUser xUser = daoManager.getXXUser().findByUserName(userSession.getLoginId()); - if (xUser != null) { - List permissionList = daoManager.getXXModuleDef().findAccessibleModulesByUserId(userSession.getUserId(), xUser.getId()); - CopyOnWriteArraySet userPermissions = new CopyOnWriteArraySet(permissionList); + if (xUser != null) { + List permissionList = daoManager.getXXModuleDef().findAccessibleModulesByUserId(userSession.getUserId(), xUser.getId()); + CopyOnWriteArraySet userPermissions = new CopyOnWriteArraySet<>(permissionList); UserSessionBase.RangerUserPermission rangerUserPermission = userSession.getRangerUserPermission(); if (rangerUserPermission == null) { @@ -203,9 +230,10 @@ public void resetUserModulePermission(UserSessionBase userSession) { rangerUserPermission.setUserPermissions(userPermissions); rangerUserPermission.setLastUpdatedTime(Calendar.getInstance().getTimeInMillis()); userSession.setRangerUserPermission(rangerUserPermission); + logger.debug("UserSession Updated to set new Permissions to User: {}", userSession.getLoginId()); } else { - logger.error("No XUser found with username: {} So Permission is not set for the user", userSession.getLoginId()); + logger.error("No XUser found with username: {}So Permission is not set for the user", userSession.getLoginId()); } } @@ -216,9 +244,9 @@ public void resetUserSessionForProfiles(UserSessionBase userSession) { } // Let's get the Current User Again - String currentLoginId = userSession.getLoginId(); + String currentLoginId = userSession.getLoginId(); + XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(currentLoginId); - XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(currentLoginId); userSession.setXXPortalUser(gjUser); setUserRoles(userSession); 
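Review bot: The `Login Success` debug line writes `details.getSessionId()` — the servlet container's HTTP session identifier — to the log, and its placeholder labels do not match the arguments: the second `sessionId=` is that HTTP session id and `requestId=` receives `details.getRemoteAddress()`. An HTTP session id is a bearer credential and should not be written to logs even at debug level; log the XXAuthSession id (already present as the first `sessionId`) and the remote address under a correct label, e.g. `"Login Success: loginId={}, authSessionId={}, remoteAddr={}, epoch={}"`. The enclosing processSuccessLogin starts outside this hunk.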
@@ -226,6 +254,7 @@ public void resetUserSessionForProfiles(UserSessionBase userSession) { public XXAuthSession processFailureLogin(int authStatus, int authType, String loginId, String remoteAddr, String sessionId, String userAgent) { XXAuthSession gjAuthSession = new XXAuthSession(); + gjAuthSession.setLoginId(loginId); gjAuthSession.setUserId(null); gjAuthSession.setAuthTime(DateUtil.getUTCDate()); @@ -237,23 +266,24 @@ public XXAuthSession processFailureLogin(int authStatus, int authType, String lo gjAuthSession.setRequestUserAgent(userAgent); gjAuthSession = storeAuthSession(gjAuthSession); + return gjAuthSession; } // non-WEB processing public UserSessionBase processStandaloneSuccessLogin(int authType, String ipAddress) { Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); + String currentLoginId = authentication.getName(); + XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(currentLoginId); // Need to build the UserSession - String currentLoginId = authentication.getName(); - - // Need to build the UserSession - XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(currentLoginId); if (gjUser == null) { logger.error("Error getting user for loginId={}", currentLoginId, new Exception()); + return null; } XXAuthSession gjAuthSession = new XXAuthSession(); + gjAuthSession.setLoginId(currentLoginId); gjAuthSession.setUserId(gjUser.getId()); gjAuthSession.setAuthTime(DateUtil.getUTCDate()); 
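Review bot: `SecurityContextHolder.getContext().getAuthentication()` returns null when no authentication has been set on the current thread, and the next line calls `authentication.getName()` without a check, so processStandaloneSuccessLogin fails with a NullPointerException instead of the logged `return null` path it uses for an unknown user; callers may guarantee an authenticated context, but the method is public and nothing here enforces it. The same unguarded call opens processSuccessLogin in the earlier hunk of this file, where `authentication.getDetails()` is additionally cast to WebAuthenticationDetails. A guard such as `if (authentication == null) { logger.error("No authentication in security context"); return null; }` keeps the two failure paths consistent.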
@@ -267,12 +297,15 @@ public UserSessionBase processStandaloneSuccessLogin(int authType, String ipAddr gjAuthSession = storeAuthSession(gjAuthSession); UserSessionBase userSession = new UserSessionBase(); + userSession.setXXPortalUser(gjUser); userSession.setXXAuthSession(gjAuthSession); // create context with user-session and set in thread-local RangerSecurityContext context = new RangerSecurityContext(); + context.setUserSession(userSession); + RangerContextHolder.setSecurityContext(context); resetUserSessionForProfiles(userSession); @@ -289,20 +322,26 @@ public VXAuthSessionList searchAuthSessions(SearchCriteria searchCriteria) { if (searchCriteria == null) { searchCriteria = new SearchCriteria(); } + if (searchCriteria.getParamList() != null && !searchCriteria.getParamList().isEmpty()) { - int clientTimeOffsetInMinute = RestUtil.getClientTimeOffset(); - java.util.Date temp = null; - DateUtil dateUtil = new DateUtil(); + int clientTimeOffsetInMinute = RestUtil.getClientTimeOffset(); + DateUtil dateUtil = new DateUtil(); + if (searchCriteria.getParamList().containsKey("startDate")) { - temp = (java.util.Date) searchCriteria.getParamList().get("startDate"); + Date temp = (Date) searchCriteria.getParamList().get("startDate"); + temp = dateUtil.getDateFromGivenDate(temp, 0, 0, 0, 0); temp = dateUtil.addTimeOffset(temp, clientTimeOffsetInMinute); + searchCriteria.getParamList().put("startDate", temp); } + if (searchCriteria.getParamList().containsKey("endDate")) { - temp = (java.util.Date) searchCriteria.getParamList().get("endDate"); + Date temp = (Date) searchCriteria.getParamList().get("endDate"); + temp = dateUtil.getDateFromGivenDate(temp, 0, 23, 59, 59); temp = dateUtil.addTimeOffset(temp, clientTimeOffsetInMinute); + searchCriteria.getParamList().put("endDate", temp); } } 
@@ -329,8 +368,7 @@ public VXAuthSession getAuthSessionBySessionId(String authSessionId) { throw restErrorUtil.createRESTException("Please provide a valid " + "session id.", MessageEnums.INVALID_INPUT_DATA); } - VXAuthSession vXAuthSession = authSessionService.populateViewBean(xXAuthSession); - return vXAuthSession; + return authSessionService.populateViewBean(xXAuthSession); } /** @@ -360,11 +398,14 @@ public boolean isLoginIdLocked(String loginId) { public boolean isValidXAUser(String loginId) { XXPortalUser pUser = daoManager.getXXPortalUser().findByLoginId(loginId); + if (pUser == null || pUser.getUserSource() == RangerCommonEnums.USER_FEDERATED) { logger.error("Error getting user for loginId={} or federated user", loginId); + return false; } else { logger.debug("{} is a valid user", loginId); + return true; } } @@ -383,6 +424,7 @@ public CopyOnWriteArrayList getActiveSessionsOnServer() { } RangerSecurityContext securityContext = (RangerSecurityContext) httpSession.getAttribute(RangerSecurityContextFormationFilter.AKA_SC_SESSION_KEY); + if (securityContext.getUserSession() != null) { activeRangerUserSessions.add(securityContext.getUserSession()); } @@ -399,21 +441,26 @@ public Set getActiveUserSessionsForPortalUserId(Long portalUser } Set activeUserSessions = new HashSet<>(); + for (UserSessionBase session : activeSessions) { if (session.getUserId().equals(portalUserId)) { activeUserSessions.add(session); } } + logger.debug("No Session Found with portalUserId: {}", portalUserId); + return activeUserSessions; } public Set getActiveUserSessionsForXUserId(Long xUserId) { XXPortalUser portalUser = daoManager.getXXPortalUser().findByXUserId(xUserId); + if (portalUser != null) { return getActiveUserSessionsForPortalUserId(portalUser.getId()); } else { - logger.debug("Could not find corresponding portalUser for xUserId {}", xUserId); + logger.debug("Could not find corresponding portalUser for xUserId{}", xUserId); + return null; } } 
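Review bot: `securityContext.getUserSession()` on the line after the added blank line in getActiveSessionsOnServer dereferences the session attribute without a null check, so a session that lacks `AKA_SC_SESSION_KEY` would throw a NullPointerException and abort the whole scan; the lines above the hunk may already exclude such sessions, which I cannot see here. If they do not, `if (securityContext != null && securityContext.getUserSession() != null) {` keeps one odd session from breaking the listing. The enclosing loop starts and ends outside the hunk.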
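Review bot: The reworded debug message in getActiveUserSessionsForXUserId drops the space before the placeholder, so it now renders as `xUserId123`; restore `"Could not find corresponding portalUser for xUserId {}"`. In getActiveUserSessionsForPortalUserId just above, `logger.debug("No Session Found with portalUserId: {}", portalUserId)` is emitted unconditionally, even when sessions were collected, so it should be guarded with `if (activeUserSessions.isEmpty())`. Returning `null` from the else branch while the sibling method returns a possibly empty set forces callers to handle two shapes; `return new HashSet<>();` would be consistent with getActiveUserSessionsForPortalUserId.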
@@ -421,6 +468,7 @@ public Set getActiveUserSessionsForXUserId(Long xUserId) { public synchronized void refreshPermissionsIfNeeded(UserSessionBase userSession) { if (userSession != null) { Long lastUpdatedTime = (userSession.getRangerUserPermission() != null) ? userSession.getRangerUserPermission().getLastUpdatedTime() : null; + if (lastUpdatedTime == null || (Calendar.getInstance().getTimeInMillis() - lastUpdatedTime) > SESSION_UPDATE_INTERVAL_IN_MILLIS) { this.resetUserModulePermission(userSession); } @@ -432,6 +480,7 @@ protected boolean validateUserSession(UserSessionBase userSession, String curren return true; } else { logger.warn("loginId doesn't match loginId from HTTPSession. Will create new session. loginId={}, userSession={}", currentLoginId, userSession, new Exception()); + return false; } } @@ -440,6 +489,7 @@ protected boolean validateUserSession(UserSessionBase userSession, String curren protected XXAuthSession storeAuthSession(XXAuthSession gjAuthSession) { // daoManager.getEntityManager().getTransaction().begin(); XXAuthSession dbMAuthSession = daoManager.getXXAuthSession().create(gjAuthSession); + // daoManager.getEntityManager().getTransaction().commit(); return dbMAuthSession; } 
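Review bot: storeAuthSession keeps the two commented-out transaction lines `// daoManager.getEntityManager().getTransaction().begin();` and `// daoManager.getEntityManager().getTransaction().commit();` around the DAO `create` call, and the added blank line only separates them further; commented-out code should be deleted, replaced if needed by a one-line comment stating where the transaction boundary lives. The `dbMAuthSession` local can then be inlined: `return daoManager.getXXAuthSession().create(gjAuthSession);`.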
@@ -448,10 +498,11 @@ private void getSSOSpnegoAuthCheckForAPI(String currentLoginId, HttpServletReque RangerSecurityContext context = RangerContextHolder.getSecurityContext(); UserSessionBase session = context != null ? context.getUserSession() : null; boolean ssoEnabled = session != null ? session.isSSOEnabled() : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false); + XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(currentLoginId); - XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(currentLoginId); if (gjUser == null && ((request.getAttribute("spnegoEnabled") != null && (boolean) request.getAttribute("spnegoEnabled")) || (ssoEnabled))) { logger.debug("User : {} doesn't exist in Ranger DB So creating user as it's SSO or Spnego authenticated", currentLoginId); + xUserMgr.createServiceConfigUser(currentLoginId); } } @@ -459,8 +510,10 @@ private void getSSOSpnegoAuthCheckForAPI(String currentLoginId, HttpServletReque private void setUserRoles(UserSessionBase userSession) { List strRoleList = new ArrayList<>(); List roleList = daoManager.getXXPortalUserRole().findByUserId(userSession.getUserId()); + for (XXPortalUserRole gjUserRole : roleList) { String userRole = gjUserRole.getUserRole(); + strRoleList.add(userRole); } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java index 5144361e84..f7b750aba4 100755 --- a/security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java 
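Review bot: getSSOSpnegoAuthCheckForAPI creates a Ranger user from `currentLoginId` alone once the `spnegoEnabled` request attribute or `ssoEnabled` holds, so the method's safety rests on that attribute being set only by the authentication filter and on `currentLoginId` having been authenticated by the caller; neither precondition is stated anywhere in the hunk. A Javadoc line such as `Precondition: currentLoginId was authenticated upstream; the "spnegoEnabled" request attribute is set by the SPNEGO filter, never from client input.` would make the contract explicit. The attribute is also read twice and unboxed with a `(boolean)` cast; reading it once, `Object spnego = request.getAttribute("spnegoEnabled"); boolean spnegoEnabled = Boolean.TRUE.equals(spnego);`, avoids the double lookup and a ClassCastException on an unexpected type. The method signature is outside the hunk.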
@@ -85,35 +85,46 @@ public class TagDBStore extends AbstractTagStore { private static final Logger LOG = LoggerFactory.getLogger(TagDBStore.class); private static final Logger PERF_LOG = RangerPerfTracer.getPerfLogger("db.TagDBStore"); - public static boolean supportsInPlaceTagUpdates; - private static boolean supportsTagDeltas; - private static boolean isSupportsTagDeltasInitialized; - private static boolean supportsTagDedupInitialized; - private static boolean supportsTagDedup; + public static boolean SUPPORTS_IN_PLACE_TAG_UPDATES; + + private static boolean SUPPORTS_TAG_DELTAS; + private static boolean IS_SUPPORTS_TAG_DELTAS_INITIALIZED; + private static boolean SUPPORTS_TAGS_DEDUP_INITIALIZED; + private static boolean SUPPORTS_TAGS_DEDUP; + @Autowired - RangerTagDefService rangerTagDefService; + RangerTagDefService rangerTagDefService; + @Autowired - RangerTagService rangerTagService; + RangerTagService rangerTagService; + @Autowired - RangerServiceResourceService rangerServiceResourceService; + RangerServiceResourceService rangerServiceResourceService; + @Autowired RangerServiceResourceWithTagsService rangerServiceResourceWithTagsService; + @Autowired - RangerTagResourceMapService rangerTagResourceMapService; + RangerTagResourceMapService rangerTagResourceMapService; + @Autowired - RangerDaoManager daoManager; + RangerDaoManager daoManager; + @Autowired @Qualifier(value = "transactionManager") - PlatformTransactionManager txManager; + PlatformTransactionManager txManager; + @Autowired - RESTErrorUtil errorUtil; + RESTErrorUtil errorUtil; + @Autowired - RESTErrorUtil restErrorUtil; + RESTErrorUtil restErrorUtil; RangerAdminConfig config; public static boolean isSupportsTagDeltas() { initStatics(); - return supportsTagDeltas; + + return SUPPORTS_TAG_DELTAS; } public static RangerServiceResource toRangerServiceResource(String serviceName, Map resourceMap) { 
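Review bot: Renaming `supportsTagDeltas`, `isSupportsTagDeltasInitialized`, `supportsTagDedup` and `supportsTagDedupInitialized` to UPPER_SNAKE_CASE presents mutable statics as constants; none of them is `final`, two are assigned lazily in isSupportsTagsDedup and the others presumably in initStatics. If checkstyle insists on the constant pattern, make them genuinely constant (a static holder initialized once) or keep camelCase and suppress the rule; a `public static boolean SUPPORTS_IN_PLACE_TAG_UPDATES` that is neither final nor volatile is also writable from any class. Separately, `errorUtil` and `restErrorUtil` autowire the same `RESTErrorUtil` type; one field suffices.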
@@ -129,8 +140,7 @@ public static RangerServiceResource toRangerServiceResource(String serviceName, continue; } - String key = parts[0]; - + String key = parts[0]; RangerPolicyResource policyResource = resourceElements.get(key); if (policyResource == null) { @@ -167,13 +177,13 @@ public static RangerServiceResource toRangerServiceResource(String serviceName, } public static boolean isSupportsTagsDedup() { - if (!supportsTagDedupInitialized) { + if (!SUPPORTS_TAGS_DEDUP_INITIALIZED) { RangerAdminConfig config = RangerAdminConfig.getInstance(); - supportsTagDedup = config.getBoolean("ranger.admin" + RangerCommonConstants.RANGER_SUPPORTS_TAGS_DEDUP, RangerCommonConstants.RANGER_SUPPORTS_TAGS_DEDUP_DEFAULT); - supportsTagDedupInitialized = true; + SUPPORTS_TAGS_DEDUP = config.getBoolean("ranger.admin" + RangerCommonConstants.RANGER_SUPPORTS_TAGS_DEDUP, RangerCommonConstants.RANGER_SUPPORTS_TAGS_DEDUP_DEFAULT); + SUPPORTS_TAGS_DEDUP_INITIALIZED = true; } - return supportsTagDedup; + return SUPPORTS_TAGS_DEDUP; } @PostConstruct @@ -185,20 +195,20 @@ public void initStore() { } @Override - public RangerTagDef createTagDef(RangerTagDef tagDef) throws Exception { + public RangerTagDef createTagDef(RangerTagDef tagDef) { LOG.debug("==> TagDBStore.createTagDef({})", tagDef); RangerTagDef ret = rangerTagDefService.create(tagDef); ret = rangerTagDefService.read(ret.getId()); - LOG.debug("<== TagDBStore.createTagDef({}): id={}", tagDef, (ret == null ? null : ret.getId())); + LOG.debug("<== TagDBStore.createTagDef({}): id={}", tagDef, ret == null ? null : ret.getId()); return ret; } @Override - public RangerTagDef updateTagDef(RangerTagDef tagDef) throws Exception { + public RangerTagDef updateTagDef(RangerTagDef tagDef) { LOG.debug("==> TagDBStore.updateTagDef({})", tagDef); RangerTagDef existing = rangerTagDefService.read(tagDef.getId()); 
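Review bot: isSupportsTagsDedup writes `SUPPORTS_TAGS_DEDUP` and then `SUPPORTS_TAGS_DEDUP_INITIALIZED` with no synchronization or `volatile`, so under the Java memory model a concurrent caller can observe the initialized flag as true while still reading the default `false` for the value; the method is static and sits on every getServiceTags path. Declaring both fields `volatile` in the field hunk at `@@ -85,35 +85,46 @@`, or computing the value once in a static holder, removes the race. The SUPPORTS_TAG_DELTAS pair likely has the same issue if initStatics follows the same pattern, which I cannot see here.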
@@ -246,29 +256,29 @@ public void deleteTagDef(Long id) throws Exception { } @Override - public RangerTagDef getTagDef(Long id) throws Exception { + public RangerTagDef getTagDef(Long id) { LOG.debug("==> TagDBStore.getTagDef({})", id); RangerTagDef ret = rangerTagDefService.read(id); - LOG.debug("<== TagDBStore.getTagDef({}) {}", id, ret); + LOG.debug("<== TagDBStore.getTagDef({}): {}", id, ret); return ret; } @Override - public RangerTagDef getTagDefByGuid(String guid) throws Exception { + public RangerTagDef getTagDefByGuid(String guid) { LOG.debug("==> TagDBStore.getTagDefByGuid({})", guid); RangerTagDef ret = rangerTagDefService.getTagDefByGuid(guid); - LOG.debug("<== TagDBStore.getTagDefByGuid({}) {}", guid, ret); + LOG.debug("<== TagDBStore.getTagDefByGuid({}): {}", guid, ret); return ret; } @Override - public RangerTagDef getTagDefByName(String name) throws Exception { + public RangerTagDef getTagDefByName(String name) { LOG.debug("==> TagDBStore.getTagDefByName({})", name); RangerTagDef ret = null; 
@@ -277,40 +287,40 @@ public RangerTagDef getTagDefByName(String name) throws Exception { ret = rangerTagDefService.getTagDefByName(name); } - LOG.debug("<== TagDBStore.getTagDefByName({}) {}", name, ret); + LOG.debug("<== TagDBStore.getTagDefByName({}): {}", name, ret); return ret; } @Override - public List getTagDefs(SearchFilter filter) throws Exception { + public List getTagDefs(SearchFilter filter) { LOG.debug("==> TagDBStore.getTagDefs({})", filter); List ret = getPaginatedTagDefs(filter).getList(); - LOG.debug("<== TagDBStore.getTagDefs({}) {}", filter, ret); + LOG.debug("<== TagDBStore.getTagDefs({}): {}", filter, ret); return ret; } @Override - public PList getPaginatedTagDefs(SearchFilter filter) throws Exception { + public PList getPaginatedTagDefs(SearchFilter filter) { LOG.debug("==> TagDBStore.getPaginatedTagDefs({})", filter); PList ret = rangerTagDefService.searchRangerTagDefs(filter); - LOG.debug("<== TagDBStore.getPaginatedTagDefs({}) {}", filter, ret); + LOG.debug("<== TagDBStore.getPaginatedTagDefs({}): {}", filter, ret); return ret; } @Override - public List getTagTypes() throws Exception { + public List getTagTypes() { LOG.debug("==> TagDBStore.getTagTypes()"); List ret = daoManager.getXXTagDef().getAllNames(); - LOG.debug("<== TagDBStore.getTagTypes(): count={}", (ret != null ? ret.size() : 0)); + LOG.debug("<== TagDBStore.getTagTypes(): count={}", ret != null ? ret.size() : 0); return ret; } @@ -325,7 +335,7 @@ public RangerTag createTag(RangerTag tag) throws Exception { ret = rangerTagService.read(ret.getId()); - LOG.debug("<== TagDBStore.createTag({}) {}", tag, ret); + LOG.debug("<== TagDBStore.createTag({}): {}", tag, ret); return ret; } 
@@ -351,13 +361,13 @@ public RangerTag updateTag(RangerTag tag) throws Exception { ret = rangerTagService.read(ret.getId()); - LOG.debug("<== TagDBStore.updateTag({}) {}", tag, ret); + LOG.debug("<== TagDBStore.updateTag({}) : {}", tag, ret); return ret; } @Override - public void deleteTag(Long id) throws Exception { + public void deleteTag(Long id) { LOG.debug("==> TagDBStore.deleteTag({})", id); RangerTag tag = rangerTagService.read(id); @@ -368,18 +378,18 @@ public void deleteTag(Long id) throws Exception { } @Override - public RangerTag getTag(Long id) throws Exception { + public RangerTag getTag(Long id) { LOG.debug("==> TagDBStore.getTag({})", id); RangerTag ret = rangerTagService.read(id); - LOG.debug("<== TagDBStore.getTag({}) {}", id, ret); + LOG.debug("<== TagDBStore.getTag({}): {}", id, ret); return ret; } @Override - public RangerTag getTagByGuid(String guid) throws Exception { + public RangerTag getTagByGuid(String guid) { LOG.debug("==> TagDBStore.getTagByGuid({})", guid); RangerTag ret = rangerTagService.getTagByGuid(guid); @@ -390,18 +400,18 @@ public RangerTag getTagByGuid(String guid) throws Exception { } @Override - public List getTagIdsForResourceId(Long resourceId) throws Exception { + public List getTagIdsForResourceId(Long resourceId) { LOG.debug("==> TagDBStore.getTagIdsForResourceId({})", resourceId); List ret = rangerTagResourceMapService.getTagIdsForResourceId(resourceId); - LOG.debug("<== TagDBStore.getTagIdsForResourceId({}): count={}", resourceId, (ret == null ? 0 : ret.size())); + LOG.debug("<== TagDBStore.getTagIdsForResourceId({}): count={}", resourceId, ret == null ? 0 : ret.size()); return ret; } @Override - public List getTagsByType(String type) throws Exception { + public List getTagsByType(String type) { LOG.debug("==> TagDBStore.getTagsByType({})", type); List ret = null; 
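Review bot: The rewritten exit log in updateTag, `"<== TagDBStore.updateTag({}) : {}"`, puts a space before the colon while every other exit log touched by this commit uses `({}): {}`; the same spacing appears in updateServiceResource at `@@ -511,13 +521,13 @@`. Use `"<== TagDBStore.updateTag({}): {}"` and `"<== TagDBStore.updateResource({}): {}"` so the log format stays uniform.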
@@ -410,13 +420,13 @@ public List getTagsByType(String type) throws Exception { ret = rangerTagService.getTagsByType(type); } - LOG.debug("<== TagDBStore.getTagsByType({}): count={}", type, (ret == null ? 0 : ret.size())); + LOG.debug("<== TagDBStore.getTagsByType({}): count={}", type, ret == null ? 0 : ret.size()); return ret; } @Override - public List getTagsForResourceId(Long resourceId) throws Exception { + public List getTagsForResourceId(Long resourceId) { LOG.debug("==> TagDBStore.getTagsForResourceId({})", resourceId); List ret = null; @@ -425,13 +435,13 @@ public List getTagsForResourceId(Long resourceId) throws Exception { ret = rangerTagService.getTagsForResourceId(resourceId); } - LOG.debug("<== TagDBStore.getTagsForResourceId({}): count={}", resourceId, (ret == null ? 0 : ret.size())); + LOG.debug("<== TagDBStore.getTagsForResourceId({}): count={}", resourceId, ret == null ? 0 : ret.size()); return ret; } @Override - public List getTagsForResourceGuid(String resourceGuid) throws Exception { + public List getTagsForResourceGuid(String resourceGuid) { LOG.debug("==> TagDBStore.getTagsForResourceGuid({})", resourceGuid); List ret = null; @@ -440,7 +450,7 @@ public List getTagsForResourceGuid(String resourceGuid) throws Except ret = rangerTagService.getTagsForResourceGuid(resourceGuid); } - LOG.debug("<== TagDBStore.getTagsForResourceGuid({}): count={}", resourceGuid, (ret == null ? 0 : ret.size())); + LOG.debug("<== TagDBStore.getTagsForResourceGuid({}): count={}", resourceGuid, ret == null ? 0 : ret.size()); return ret; } 
@@ -451,24 +461,24 @@ public List getTags(SearchFilter filter) throws Exception { List ret = rangerTagService.searchRangerTags(filter).getList(); - LOG.debug("<== TagDBStore.getTags({}): count={}", filter, (ret == null ? 0 : ret.size())); + LOG.debug("<== TagDBStore.getTags({}): count={}", filter, ret == null ? 0 : ret.size()); return ret; } @Override - public PList getPaginatedTags(SearchFilter filter) throws Exception { + public PList getPaginatedTags(SearchFilter filter) { LOG.debug("==> TagDBStore.getPaginatedTags({})", filter); PList ret = rangerTagService.searchRangerTags(filter); - LOG.debug("<== TagDBStore.getPaginatedTags({}): count={}", filter, (ret == null ? 0 : ret.getPageSize())); + LOG.debug("<== TagDBStore.getPaginatedTags({}): count={}", filter, ret == null ? 0 : ret.getPageSize()); return ret; } @Override - public RangerServiceResource createServiceResource(RangerServiceResource resource) throws Exception { + public RangerServiceResource createServiceResource(RangerServiceResource resource) { LOG.debug("==> TagDBStore.createServiceResource({})", resource); if (StringUtils.isEmpty(resource.getResourceSignature())) { @@ -487,7 +497,7 @@ public RangerServiceResource createServiceResource(RangerServiceResource resourc } @Override - public RangerServiceResource updateServiceResource(RangerServiceResource resource) throws Exception { + public RangerServiceResource updateServiceResource(RangerServiceResource resource) { LOG.debug("==> TagDBStore.updateResource({})", resource); RangerServiceResource existing = rangerServiceResourceService.read(resource.getId()); 
@@ -511,13 +521,13 @@ public RangerServiceResource updateServiceResource(RangerServiceResource resourc RangerServiceResource ret = rangerServiceResourceService.read(existing.getId()); - LOG.debug("<== TagDBStore.updateResource({}, {})", resource, ret); + LOG.debug("<== TagDBStore.updateResource({}) : {}", resource, ret); return ret; } @Override - public void refreshServiceResource(Long resourceId) throws Exception { + public void refreshServiceResource(Long resourceId) { XXServiceResource serviceResourceEntity = daoManager.getXXServiceResource().getById(resourceId); String tagsText = null; @@ -534,7 +544,7 @@ public void refreshServiceResource(Long resourceId) throws Exception { } @Override - public void deleteServiceResource(Long id) throws Exception { + public void deleteServiceResource(Long id) { LOG.debug("==> TagDBStore.deleteServiceResource({})", id); RangerServiceResource resource = getServiceResource(id); @@ -547,7 +557,7 @@ public void deleteServiceResource(Long id) throws Exception { } @Override - public void deleteServiceResourceByGuid(String guid) throws Exception { + public void deleteServiceResourceByGuid(String guid) { LOG.debug("==> TagDBStore.deleteServiceResourceByGuid({})", guid); RangerServiceResource resource = getServiceResourceByGuid(guid); 
@@ -560,29 +570,29 @@ public void deleteServiceResourceByGuid(String guid) throws Exception { } @Override - public RangerServiceResource getServiceResource(Long id) throws Exception { + public RangerServiceResource getServiceResource(Long id) { LOG.debug("==> TagDBStore.getServiceResource({})", id); RangerServiceResource ret = rangerServiceResourceService.read(id); - LOG.debug("<== TagDBStore.getServiceResource({}, {})", id, ret); + LOG.debug("<== TagDBStore.getServiceResource({}): {}", id, ret); return ret; } @Override - public RangerServiceResource getServiceResourceByGuid(String guid) throws Exception { + public RangerServiceResource getServiceResourceByGuid(String guid) { LOG.debug("==> TagDBStore.getServiceResourceByGuid({})", guid); RangerServiceResource ret = rangerServiceResourceService.getServiceResourceByGuid(guid); - LOG.debug("<== TagDBStore.getServiceResourceByGuid({}, {})", guid, ret); + LOG.debug("<== TagDBStore.getServiceResourceByGuid({}): {}", guid, ret); return ret; } @Override - public List getServiceResourcesByService(String serviceName) throws Exception { + public List getServiceResourcesByService(String serviceName) { LOG.debug("==> TagDBStore.getServiceResourcesByService({})", serviceName); List ret = null; @@ -593,7 +603,7 @@ public List getServiceResourcesByService(String serviceNa ret = rangerServiceResourceService.getByServiceId(serviceId); } - LOG.debug("<== TagDBStore.getServiceResourcesByService({}): count={}", serviceName, (ret == null ? 0 : ret.size())); + LOG.debug("<== TagDBStore.getServiceResourcesByService({}): count={}", serviceName, ret == null ? 0 : ret.size()); return ret; } 
@@ -610,13 +620,13 @@ public List getServiceResourceGuidsByService(String serviceName) { ret = daoManager.getXXServiceResource().findServiceResourceGuidsInServiceId(serviceId); } - LOG.debug("<== TagDBStore.getServiceResourceGuidsByService({}): count={}", serviceName, (ret == null ? 0 : ret.size())); + LOG.debug("<== TagDBStore.getServiceResourceGuidsByService({}): count={}", serviceName, ret == null ? 0 : ret.size()); return ret; } @Override - public RangerServiceResource getServiceResourceByServiceAndResourceSignature(String serviceName, String resourceSignature) throws Exception { + public RangerServiceResource getServiceResourceByServiceAndResourceSignature(String serviceName, String resourceSignature) { LOG.debug("==> TagDBStore.getServiceResourceByServiceAndResourceSignature({}, {})", serviceName, resourceSignature); RangerServiceResource ret = null; 
@@ -633,29 +643,29 @@ public RangerServiceResource getServiceResourceByServiceAndResourceSignature(Str } @Override - public List getServiceResources(SearchFilter filter) throws Exception { + public List getServiceResources(SearchFilter filter) { LOG.debug("==> TagDBStore.getServiceResources({})", filter); List ret = rangerServiceResourceService.searchServiceResources(filter).getList(); - LOG.debug("<== TagDBStore.getServiceResources({}): count={}", filter, (ret == null ? 0 : ret.size())); + LOG.debug("<== TagDBStore.getServiceResources({}): count={}", filter, ret == null ? 0 : ret.size()); return ret; } @Override - public PList getPaginatedServiceResources(SearchFilter filter) throws Exception { + public PList getPaginatedServiceResources(SearchFilter filter) { LOG.debug("==> TagDBStore.getPaginatedServiceResources({})", filter); PList ret = rangerServiceResourceService.searchServiceResources(filter); - LOG.debug("<== TagDBStore.getPaginatedServiceResources({}): count={}", filter, (ret == null ? 0 : ret.getPageSize())); + LOG.debug("<== TagDBStore.getPaginatedServiceResources({}): count={}", filter, ret == null ? 0 : ret.getPageSize()); return ret; } @Override - public RangerTagResourceMap createTagResourceMap(RangerTagResourceMap tagResourceMap) throws Exception { + public RangerTagResourceMap createTagResourceMap(RangerTagResourceMap tagResourceMap) { LOG.debug("==> TagDBStore.createTagResourceMap({})", tagResourceMap); RangerTagResourceMap ret = rangerTagResourceMapService.create(tagResourceMap); 
@@ -663,13 +673,13 @@ public RangerTagResourceMap createTagResourceMap(RangerTagResourceMap tagResourc // We also need to update tags stored with the resource refreshServiceResource(tagResourceMap.getResourceId()); - LOG.debug("<== TagDBStore.createTagResourceMap({}, {})", tagResourceMap, ret); + LOG.debug("<== TagDBStore.createTagResourceMap({}): {}", tagResourceMap, ret); return ret; } @Override - public void deleteTagResourceMap(Long id) throws Exception { + public void deleteTagResourceMap(Long id) { LOG.debug("==> TagDBStore.deleteTagResourceMap({})", id); RangerTagResourceMap tagResourceMap = rangerTagResourceMapService.read(id); @@ -688,7 +698,7 @@ public void deleteTagResourceMap(Long id) throws Exception { } @Override - public RangerTagResourceMap getTagResourceMap(Long id) throws Exception { + public RangerTagResourceMap getTagResourceMap(Long id) { LOG.debug("==> TagDBStore.getTagResourceMap({})", id); RangerTagResourceMap ret = rangerTagResourceMapService.read(id); @@ -699,7 +709,7 @@ public RangerTagResourceMap getTagResourceMap(Long id) throws Exception { } @Override - public RangerTagResourceMap getTagResourceMapByGuid(String guid) throws Exception { + public RangerTagResourceMap getTagResourceMapByGuid(String guid) { LOG.debug("==> TagDBStore.getTagResourceMapByGuid({})", guid); RangerTagResourceMap ret = rangerTagResourceMapService.getByGuid(guid); 
@@ -710,51 +720,51 @@ public RangerTagResourceMap getTagResourceMapByGuid(String guid) throws Exceptio } @Override - public List getTagResourceMapsForTagId(Long tagId) throws Exception { + public List getTagResourceMapsForTagId(Long tagId) { LOG.debug("==> TagDBStore.getTagResourceMapsForTagId({})", tagId); List ret = rangerTagResourceMapService.getByTagId(tagId); - LOG.debug("<== TagDBStore.getTagResourceMapsForTagId({}): count={}", tagId, (ret == null ? 0 : ret.size())); + LOG.debug("<== TagDBStore.getTagResourceMapsForTagId({}): count={}", tagId, ret == null ? 0 : ret.size()); return ret; } @Override - public List getTagResourceMapsForTagGuid(String tagGuid) throws Exception { + public List getTagResourceMapsForTagGuid(String tagGuid) { LOG.debug("==> TagDBStore.getTagResourceMapsForTagGuid({})", tagGuid); List ret = rangerTagResourceMapService.getByTagGuid(tagGuid); - LOG.debug("<== TagDBStore.getTagResourceMapsForTagGuid({}): count={}", tagGuid, (ret == null ? 0 : ret.size())); + LOG.debug("<== TagDBStore.getTagResourceMapsForTagGuid({}): count={}", tagGuid, ret == null ? 0 : ret.size()); return ret; } @Override - public List getTagResourceMapsForResourceId(Long resourceId) throws Exception { + public List getTagResourceMapsForResourceId(Long resourceId) { LOG.debug("==> TagDBStore.getTagResourceMapsForResourceId({})", resourceId); List ret = rangerTagResourceMapService.getByResourceId(resourceId); - LOG.debug("<== TagDBStore.getTagResourceMapsForResourceId({}): count={}", resourceId, (ret == null ? 0 : ret.size())); + LOG.debug("<== TagDBStore.getTagResourceMapsForResourceId({}): count={}", resourceId, ret == null ? 
0 : ret.size()); return ret; } @Override - public List getTagResourceMapsForResourceGuid(String resourceGuid) throws Exception { + public List getTagResourceMapsForResourceGuid(String resourceGuid) { LOG.debug("==> TagDBStore.getTagResourceMapsForResourceGuid({})", resourceGuid); List ret = rangerTagResourceMapService.getByResourceGuid(resourceGuid); - LOG.debug("<== TagDBStore.getTagResourceMapsForResourceGuid({}): count={}", resourceGuid, (ret == null ? 0 : ret.size())); + LOG.debug("<== TagDBStore.getTagResourceMapsForResourceGuid({}): count={}", resourceGuid, ret == null ? 0 : ret.size()); return ret; } @Override - public RangerTagResourceMap getTagResourceMapForTagAndResourceId(Long tagId, Long resourceId) throws Exception { + public RangerTagResourceMap getTagResourceMapForTagAndResourceId(Long tagId, Long resourceId) { LOG.debug("==> TagDBStore.getTagResourceMapsForTagAndResourceId({}, {})", tagId, resourceId); RangerTagResourceMap ret = rangerTagResourceMapService.getByTagAndResourceId(tagId, resourceId); @@ -765,7 +775,7 @@ public RangerTagResourceMap getTagResourceMapForTagAndResourceId(Long tagId, Lon } @Override - public RangerTagResourceMap getTagResourceMapForTagAndResourceGuid(String tagGuid, String resourceGuid) throws Exception { + public RangerTagResourceMap getTagResourceMapForTagAndResourceGuid(String tagGuid, String resourceGuid) { LOG.debug("==> TagDBStore.getTagResourceMapForTagAndResourceGuid({}, {})", tagGuid, resourceGuid); RangerTagResourceMap ret = rangerTagResourceMapService.getByTagAndResourceGuid(tagGuid, resourceGuid); 
@@ -776,23 +786,23 @@ public RangerTagResourceMap getTagResourceMapForTagAndResourceGuid(String tagGui } @Override - public List getTagResourceMaps(SearchFilter filter) throws Exception { + public List getTagResourceMaps(SearchFilter filter) { LOG.debug("==> TagDBStore.getTagResourceMaps({})", filter); List ret = rangerTagResourceMapService.searchRangerTaggedResources(filter).getList(); - LOG.debug("<== TagDBStore.getTagResourceMap({}): count={}", filter, (ret == null ? 0 : ret.size())); + LOG.debug("<== TagDBStore.getTagResourceMaps({}): count={}", filter, ret == null ? 0 : ret.size()); return ret; } @Override - public PList getPaginatedTagResourceMaps(SearchFilter filter) throws Exception { + public PList getPaginatedTagResourceMaps(SearchFilter filter) { LOG.debug("==> TagDBStore.getPaginatedTagResourceMaps({})", filter); PList ret = rangerTagResourceMapService.searchRangerTaggedResources(filter); - LOG.debug("<== TagDBStore.getPaginatedTagResourceMaps({}): count={}", filter, (ret == null ? 0 : ret.getPageSize())); + LOG.debug("<== TagDBStore.getPaginatedTagResourceMaps({}): count={}", filter, ret == null ? 0 : ret.getPageSize()); return ret; } @@ -801,12 +811,12 @@ public PList getPaginatedTagResourceMaps(SearchFilter filt public ServiceTags getServiceTagsIfUpdated(String serviceName, Long lastKnownVersion, boolean needsBackwardCompatibility) throws Exception { LOG.debug("==> TagDBStore.getServiceTagsIfUpdated({}, {}, {})", serviceName, lastKnownVersion, needsBackwardCompatibility); - ServiceTags ret = null; - - Long serviceId = daoManager.getXXService().findIdByName(serviceName); + ServiceTags ret = null; + Long serviceId = daoManager.getXXService().findIdByName(serviceName); if (serviceId == null) { LOG.error("Requested Service not found. serviceName={}", serviceName); + throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, RangerServiceNotFoundException.buildExceptionMsg(serviceName), false); } 
@@ -825,9 +835,11 @@ public ServiceTags getServiceTagsIfUpdated(String serviceName, Long lastKnownVer ret = null; } - RangerServiceTagsCache.getInstance().dump(); + if (LOG.isDebugEnabled()) { + RangerServiceTagsCache.getInstance().dump(); + } - LOG.debug("<== TagDBStore.getServiceTagsIfUpdated({}, {}, {}): count={}", serviceName, lastKnownVersion, needsBackwardCompatibility, ((ret == null || ret.getTags() == null) ? 0 : ret.getTags().size())); + LOG.debug("<== TagDBStore.getServiceTagsIfUpdated({}, {}, {}): count={}", serviceName, lastKnownVersion, needsBackwardCompatibility, (ret == null || ret.getTags() == null) ? 0 : ret.getTags().size()); return ret; } @@ -836,8 +848,6 @@ public ServiceTags getServiceTagsIfUpdated(String serviceName, Long lastKnownVer public ServiceTags getServiceTags(String serviceName, Long lastKnownVersion) throws Exception { LOG.debug("==> TagDBStore.getServiceTags({}, {})", serviceName, lastKnownVersion); - final ServiceTags ret; - XXService xxService = daoManager.getXXService().findByName(serviceName); if (xxService == null) { @@ -856,7 +866,8 @@ public ServiceTags getServiceTags(String serviceName, Long lastKnownVersion) thr throw new Exception("service-def does not exist. id=" + xxService.getType()); } - ServiceTags delta = getServiceTagsDelta(xxService.getId(), serviceName, lastKnownVersion); + ServiceTags delta = getServiceTagsDelta(xxService.getId(), serviceName, lastKnownVersion); + final ServiceTags ret; if (delta != null) { ret = delta; 
@@ -877,12 +888,12 @@ public ServiceTags getServiceTags(String serviceName, Long lastKnownVersion) thr ret.setTags(tagMap); ret.setServiceResources(resources); ret.setResourceToTagIds(resourceToTagIds); - ret.setIsTagsDeduped(isSupportsTagsDedup()); if (isSupportsTagsDedup()) { final int countOfDuplicateTags = ret.dedupTags(); - LOG.debug("Number of duplicate tags removed from the received serviceTags:[{}]. Number of tags in the de-duplicated serviceTags :{}", countOfDuplicateTags, ret.getTags().size()); + + LOG.debug("Number of duplicate tags removed from the received serviceTags:[{}]. Number of tags in the de-duplicated serviceTags :[{}].", countOfDuplicateTags, ret.getTags().size()); } } @@ -898,7 +909,8 @@ public ServiceTags getServiceTagsDelta(String serviceName, Long lastKnownVersion final ServiceTags ret; if (lastKnownVersion == -1L || !isSupportsTagDeltas()) { - LOG.debug("Returning without computing tags-deltas.., SUPPORTS_TAG_DELTAS:[{}], lastKnownVersion:[{}]", supportsTagDeltas, lastKnownVersion); + LOG.debug("Returning without computing tags-deltas.., SUPPORTS_TAG_DELTAS:[{}], lastKnownVersion:[{}]", SUPPORTS_TAG_DELTAS, lastKnownVersion); + ret = null; } else { Long serviceId = daoManager.getXXService().findIdByName(serviceName); @@ -911,6 +923,7 @@ public ServiceTags getServiceTagsDelta(String serviceName, Long lastKnownVersion } LOG.debug("<== TagDBStore.getServiceTagsDelta({}, {})", serviceName, lastKnownVersion); + return ret; } 
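Review bot: The removed `ret.setIsTagsDeduped(isSupportsTagsDedup());` in getServiceTags has no replacement in this hunk, so the full ServiceTags built here no longer carries the dedup flag unless `ret.dedupTags()` sets it internally or it is set above the hunk, which I cannot see; createServiceTagsDelta still sets it for the delta path at `@@ -1074,16 +1091,20 @@`. If the removal is unintentional, restore the line before the `if (isSupportsTagsDedup())` check; if it is intentional, a short comment on why the full and delta paths differ would stop the next reader from re-adding it. getServiceTags continues above and below the hunk.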
@@ -922,16 +935,14 @@ public Long getTagVersion(String serviceName) { } @Override - public void deleteAllTagObjectsForService(String serviceName) throws Exception { + public void deleteAllTagObjectsForService(String serviceName) { LOG.debug("==> TagDBStore.deleteAllTagObjectsForService({})", serviceName); XXService service = daoManager.getXXService().findByName(serviceName); if (service != null) { - Long serviceId = service.getId(); - - List xxTags = daoManager.getXXTag().findByServiceIdAndOwner(serviceId, RangerTag.OWNER_SERVICERESOURCE); - + Long serviceId = service.getId(); + List xxTags = daoManager.getXXTag().findByServiceIdAndOwner(serviceId, RangerTag.OWNER_SERVICERESOURCE); List xxTagResourceMaps = daoManager.getXXTagResourceMap().findByServiceId(serviceId); if (CollectionUtils.isNotEmpty(xxTagResourceMaps)) { @@ -940,6 +951,7 @@ public void deleteAllTagObjectsForService(String serviceName) throws Exception { daoManager.getXXTagResourceMap().remove(xxTagResourceMap); } catch (Exception e) { LOG.error("Error deleting RangerTagResourceMap with id={}", xxTagResourceMap.getId(), e); + throw e; } } @@ -951,6 +963,7 @@ public void deleteAllTagObjectsForService(String serviceName) throws Exception { daoManager.getXXTag().remove(xxTag); } catch (Exception e) { LOG.error("Error deleting RangerTag with id={}", xxTag.getId(), e); + throw e; } } @@ -964,6 +977,7 @@ public void deleteAllTagObjectsForService(String serviceName) throws Exception { daoManager.getXXServiceResource().remove(xxServiceResource); } catch (Exception e) { LOG.error("Error deleting RangerServiceResource with id={}", xxServiceResource.getId(), e); + throw e; } } @@ -975,7 +989,7 @@ public void deleteAllTagObjectsForService(String serviceName) throws Exception { public boolean isInPlaceTagUpdateSupported() { initStatics(); - return supportsInPlaceTagUpdates; + return SUPPORTS_IN_PLACE_TAG_UPDATES; } public boolean resetTagCache(final String serviceName) { 
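Review bot: The three added `throw e;` statements in deleteAllTagObjectsForService turn the former best-effort loops into fail-fast ones: the first failing `remove` now aborts the method after a partial deletion of tag-resource maps, tags or service resources, and the LOG.error right before each rethrow means every failure is reported here and again wherever the exception is finally handled. If the method runs in a transaction the partial state is rolled back and only the duplicate logging remains; if not, the new behaviour leaves the service's tag objects half-deleted, which a method comment should state. Since `throws Exception` was dropped from the signature, the rethrow also relies on precise rethrow and compiles only if the `remove` calls declare no checked exception. Dropping the LOG.error and letting the caller log avoids the double report; the method's closing lines are outside the hunk.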
@@ -988,7 +1002,7 @@ public boolean resetTagCache(final String serviceName) { return ret; } - public RangerServiceResourceWithTagsList getPaginatedServiceResourcesWithTags(SearchFilter filter) throws Exception { + public RangerServiceResourceWithTagsList getPaginatedServiceResourcesWithTags(SearchFilter filter) { return rangerServiceResourceWithTagsService.searchServiceResourcesWithTags(filter); } @@ -1005,6 +1019,7 @@ private RangerTag validateTag(RangerTag tag) throws Exception { if (normalizedValidityPeriod != null && CollectionUtils.isEmpty(failures)) { LOG.debug("Normalized ValidityPeriod:[{}]", normalizedValidityPeriod); + normalizedValidityPeriods.add(normalizedValidityPeriod); } else { String error = "Incorrect time-specification:[" + Collections.singletonList(failures) + "]"; @@ -1023,10 +1038,11 @@ private RangerTag validateTag(RangerTag tag) throws Exception { private ServiceTags getServiceTagsDelta(Long serviceId, String serviceName, Long lastKnownVersion) { LOG.debug("==> TagDBStore.getServiceTagsDelta(lastKnownVersion={})", lastKnownVersion); + ServiceTags ret = null; if (lastKnownVersion == -1L || !isSupportsTagDeltas()) { - LOG.debug("Returning without computing tags-deltas.., SUPPORTS_TAG_DELTAS:[{}], lastKnownVersion:[{}]", supportsTagDeltas, lastKnownVersion); + LOG.debug("Returning without computing tags-deltas.., SUPPORTS_TAG_DELTAS:[{}], lastKnownVersion:[{}]", SUPPORTS_TAG_DELTAS, lastKnownVersion); } else { RangerPerfTracer perf = null; 
@@ -1036,10 +1052,11 @@ private ServiceTags getServiceTagsDelta(Long serviceId, String serviceName, Long List changeLogRecords = daoManager.getXXTagChangeLog().findLaterThan(lastKnownVersion, serviceId); - LOG.debug("Number of tag-change-log records found since {} :[{}] for serviceId:[{}]", lastKnownVersion, (changeLogRecords == null ? 0 : changeLogRecords.size()), serviceId); + LOG.debug("Number of tag-change-log records found since {} :[{}] for serviceId:[{}]", lastKnownVersion, changeLogRecords == null ? 0 : changeLogRecords.size(), serviceId); try { ret = createServiceTagsDelta(changeLogRecords); + if (ret != null) { ret.setServiceName(serviceName); } @@ -1055,7 +1072,7 @@ private ServiceTags getServiceTagsDelta(Long serviceId, String serviceName, Long return ret; } - private ServiceTags createServiceTagsDelta(List changeLogs) throws Exception { + private ServiceTags createServiceTagsDelta(List changeLogs) { LOG.debug("==> TagDBStore.createServiceTagsDelta()"); ServiceTags ret = null; @@ -1074,16 +1091,20 @@ private ServiceTags createServiceTagsDelta(List changeLogs) thro tagIds.add(record.getTagId()); serviceResourceIds.add(record.getServiceResourceId()); } else { - LOG.debug("Unknown changeType in tag-change-log record: [{}]", record); - LOG.debug("Returning without further processing"); - tagIds.clear(); - serviceResourceIds.clear(); - break; + if (LOG.isDebugEnabled()) { + LOG.debug("Unknown changeType in tag-change-log record: [{}]", record); + LOG.debug("Returning without further processing"); + + tagIds.clear(); + serviceResourceIds.clear(); + break; + } } } if (CollectionUtils.isNotEmpty(serviceResourceIds) || CollectionUtils.isNotEmpty(tagIds)) { ret = new ServiceTags(); + ret.setIsDelta(true); ret.setIsTagsDeduped(isSupportsTagsDedup()); @@ -1109,6 +1130,7 @@ private ServiceTags createServiceTagsDelta(List changeLogs) thro } finally { if (tag == null) { tag = new RangerTag(); + tag.setId(tagId); } } 
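Review bot: In the `else` branch of the changeType loop in createServiceTagsDelta, `tagIds.clear()`, `serviceResourceIds.clear()` and `break` were moved inside `if (LOG.isDebugEnabled())`, so the bail-out on an unknown changeType now runs only when debug logging is enabled; at INFO level the loop keeps going and a malformed change-log record is silently folded into the delta sent to plugins. Only the two `LOG.debug(...)` calls belong under the guard (and with parameterized logging even that guard is unnecessary); put `tagIds.clear(); serviceResourceIds.clear(); break;` back after the closing brace of the `if (LOG.isDebugEnabled())` block so control flow no longer depends on the logger configuration. The surrounding loop and method start outside this hunk.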
@@ -1140,6 +1162,7 @@ private ServiceTags createServiceTagsDelta(List changeLogs) thro for (Long serviceResourceId : serviceResourceIds) { // Check if serviceResourceId is part of any resource->id mapping XXServiceResource xServiceResource = null; + try { xServiceResource = daoManager.getXXServiceResource().getById(serviceResourceId); } catch (Throwable t) { @@ -1150,6 +1173,7 @@ private ServiceTags createServiceTagsDelta(List changeLogs) thro if (xServiceResource == null) { serviceResource = new RangerServiceResource(); + serviceResource.setId(serviceResourceId); } else { serviceResource = rangerServiceResourceService.getPopulatedViewObject(xServiceResource); @@ -1182,6 +1206,7 @@ private ServiceTags createServiceTagsDelta(List changeLogs) thro RangerServiceTagsDeltaUtil.pruneUnusedAttributes(serviceResource); ret.getServiceResources().add(serviceResource); + tagsChangeExtent = ServiceTags.TagsChangeExtent.SERVICE_RESOURCE; } 
@@ -1190,21 +1215,22 @@ private ServiceTags createServiceTagsDelta(List changeLogs) thro } else { LOG.debug("No tag-change-log records provided to createServiceTagsDelta()"); } - LOG.debug("<== TagDBStore.createServiceTagsDelta() : serviceTagsDelta={}", ret); + + LOG.debug("<== TagDBStore.createServiceTagsDelta() : serviceTagsDelta={{}}", ret); return ret; } private static void initStatics() { - if (!isSupportsTagDeltasInitialized) { + if (!IS_SUPPORTS_TAG_DELTAS_INITIALIZED) { RangerAdminConfig config = RangerAdminConfig.getInstance(); - supportsTagDeltas = config.getBoolean("ranger.admin" + RangerCommonConstants.RANGER_ADMIN_SUFFIX_TAG_DELTA, RangerCommonConstants.RANGER_ADMIN_SUFFIX_TAG_DELTA_DEFAULT); - supportsInPlaceTagUpdates = supportsTagDeltas && config.getBoolean("ranger.admin" + RangerCommonConstants.RANGER_ADMIN_SUFFIX_IN_PLACE_TAG_UPDATES, RangerCommonConstants.RANGER_ADMIN_SUFFIX_IN_PLACE_TAG_UPDATES_DEFAULT); - isSupportsTagDeltasInitialized = true; + SUPPORTS_TAG_DELTAS = config.getBoolean("ranger.admin" + RangerCommonConstants.RANGER_ADMIN_SUFFIX_TAG_DELTA, RangerCommonConstants.RANGER_ADMIN_SUFFIX_TAG_DELTA_DEFAULT); + SUPPORTS_IN_PLACE_TAG_UPDATES = SUPPORTS_TAG_DELTAS && config.getBoolean("ranger.admin" + RangerCommonConstants.RANGER_ADMIN_SUFFIX_IN_PLACE_TAG_UPDATES, RangerCommonConstants.RANGER_ADMIN_SUFFIX_IN_PLACE_TAG_UPDATES_DEFAULT); + IS_SUPPORTS_TAG_DELTAS_INITIALIZED = true; - LOG.info("SUPPORTS_TAG_DELTAS={}", supportsTagDeltas); - LOG.info("SUPPORTS_IN_PLACE_TAG_UPDATES={}", supportsInPlaceTagUpdates); + LOG.info("SUPPORTS_TAG_DELTAS={}", SUPPORTS_TAG_DELTAS); + LOG.info("SUPPORTS_IN_PLACE_TAG_UPDATES={}", SUPPORTS_IN_PLACE_TAG_UPDATES); } } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java index 410e2e6387..0686f37a51 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 
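Review bot: `SUPPORTS_TAG_DELTAS`, `SUPPORTS_IN_PLACE_TAG_UPDATES` and `IS_SUPPORTS_TAG_DELTAS_INITIALIZED` are renamed to constant style but are assigned inside initStatics(), so they are mutable statics wearing constant names, which misleads readers into assuming they are final. The check-then-set on `IS_SUPPORTS_TAG_DELTAS_INITIALIZED` has no synchronization in this hunk; if the fields are not declared volatile (their declarations are outside the hunk), concurrent first callers may each run the config read, which is harmless only because both compute the same values from the same config. Either make initStatics `synchronized` or state the reasoning in a comment, e.g. `// idempotent: concurrent first calls recompute identical values from RangerAdminConfig`.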
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java @@ -79,35 +79,50 @@ public class UserMgr { private static final Logger logger = LoggerFactory.getLogger(UserMgr.class); private static final int DEFAULT_PASSWORD_HISTORY_COUNT = 4; - private static final List DEFAULT_ROLE_LIST = new ArrayList(1); - private static final List VALID_ROLE_LIST = new ArrayList(2); - private final boolean isFipsEnabled; + private static final List DEFAULT_ROLE_LIST = new ArrayList<>(1); + private static final List VALID_ROLE_LIST = new ArrayList<>(2); + + private final boolean isFipsEnabled; + @Autowired - RangerDaoManager daoManager; + RangerDaoManager daoManager; + @Autowired - RESTErrorUtil restErrorUtil; + RESTErrorUtil restErrorUtil; + @Autowired - StringUtil stringUtil; + StringUtil stringUtil; + @Autowired - SearchUtil searchUtil; + SearchUtil searchUtil; + @Autowired - RangerBizUtil rangerBizUtil; + RangerBizUtil rangerBizUtil; + @Autowired - SessionMgr sessionMgr; + SessionMgr sessionMgr; + @Autowired - XPortalUserService xPortalUserService; + XPortalUserService xPortalUserService; + @Autowired - XUserPermissionService xUserPermissionService; + XUserPermissionService xUserPermissionService; + @Autowired XGroupPermissionService xGroupPermissionService; + @Autowired - XUserMgr xUserMgr; + XUserMgr xUserMgr; + String[] publicRoles = new String[] {RangerConstants.ROLE_USER, RangerConstants.ROLE_OTHER}; + private int passwordHistoryCount = PropertiesUtil.getIntProperty("ranger.password.history.count", DEFAULT_PASSWORD_HISTORY_COUNT); public UserMgr() { logger.debug("UserMgr()"); + this.isFipsEnabled = RangerAdminConfig.getInstance().isFipsEnabled(); + if (passwordHistoryCount < 0) { passwordHistoryCount = 0; } 
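Review bot: `String[] publicRoles = new String[] {RangerConstants.ROLE_USER, RangerConstants.ROLE_OTHER};` remains a package-private, non-final, reassignable instance field even though it is the allow-list that lets deleteUserRole and addUserRole skip the admin check for those roles. Anything in the package (or a test) can swap the array and widen the set of roles a non-admin may grant or remove; declare it `private final String[] publicRoles = ...` (arrays stay mutable, so a `private static final List<String>` built with `Collections.unmodifiableList` would be stronger if the call sites are adjusted).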
@@ -115,10 +130,15 @@ public UserMgr() { public XXPortalUser createUser(VXPortalUser userProfile, int userStatus, Collection userRoleList) { XXPortalUser user = mapVXPortalUserToXXPortalUser(userProfile); + checkAdminAccess(); + rangerBizUtil.blockAuditorRoleUser(); - List userRolesList = new ArrayList(userRoleList); + + List userRolesList = new ArrayList<>(userRoleList); + xUserMgr.checkAccessRoles(userRolesList); + user = createUser(user, userStatus, userRoleList); return user; @@ -126,11 +146,16 @@ public XXPortalUser createUser(VXPortalUser userProfile, int userStatus, Collect public XXPortalUser createUser(XXPortalUser user, int userStatus, Collection userRoleList) { user.setStatus(userStatus); + String saltEncodedpasswd = encrypt(user.getLoginId(), user.getPassword()); + user.setPassword(saltEncodedpasswd); user.setPasswordUpdatedTime(DateUtil.getUTCDate()); + daoManager.getXXPortalUser().create(user); + XXPortalUser xXPortalUser = daoManager.getXXPortalUser().findByLoginId(user.getLoginId()); + // Create the XXPortalUserRole entries for this user if (xXPortalUser != null && xXPortalUser.getId() != null) { if (CollectionUtils.isNotEmpty(userRoleList)) { @@ -148,7 +173,8 @@ public XXPortalUser createUser(XXPortalUser user, int userStatus, Collection roleList = new ArrayList<>(); Collection reqRoleList = userProfile.getUserRoleList(); - if (reqRoleList != null && reqRoleList.size() > 0) { + + if (reqRoleList != null && !reqRoleList.isEmpty()) { for (String role : reqRoleList) { if (role != null) { roleList.add(role); @@ -172,10 +198,12 @@ public XXPortalUser updateUser(VXPortalUser userProfile) { if (gjUser == null) { logger.error("updateUser(). User not found. userProfile={}", userProfile); + return null; } checkAccess(gjUser); + rangerBizUtil.blockAuditorRoleUser(); VXPortalUser existing = xPortalUserService.populateViewBean(gjUser); 
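Review bot: In createUser(VXPortalUser, int, Collection) the authorization calls `checkAdminAccess();` and `rangerBizUtil.blockAuditorRoleUser();` run only after `mapVXPortalUserToXXPortalUser(userProfile)` has already validated and copied the caller-supplied profile, so an unauthorized caller gets the input-validation REST exception (for example the blank-loginId error thrown by the mapper) instead of the 403, and learns something about the validator before being rejected. Move the two authorization lines above `XXPortalUser user = mapVXPortalUserToXXPortalUser(userProfile);` so access is decided before any request data is processed. The method ends outside this hunk.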
@@ -184,13 +212,16 @@ public XXPortalUser updateUser(VXPortalUser userProfile) { // Allowing email address update even when its set to empty. String emailAddress = userProfile.getEmailAddress(); + if (stringUtil.isEmpty(emailAddress)) { userProfile.setEmailAddress(null); } else { if (stringUtil.validateEmail(emailAddress)) { XXPortalUser checkUser = daoManager.getXXPortalUser().findByEmailAddress(emailAddress); + if (checkUser != null) { String loginId = userProfile.getLoginId(); + if (loginId == null) { throw restErrorUtil.createRESTException("Invalid user, please provide valid username.", MessageEnums.INVALID_INPUT_DATA); } else if (!loginId.equals(checkUser.getLoginId())) { @@ -210,12 +241,15 @@ public XXPortalUser updateUser(VXPortalUser userProfile) { if ("null".equalsIgnoreCase(userProfile.getFirstName())) { userProfile.setFirstName(""); } + if (!stringUtil.isEmpty(userProfile.getFirstName()) && !userProfile.getFirstName().equals(gjUser.getFirstName())) { userProfile.setFirstName(stringUtil.toCamelCaseAllWords(userProfile.getFirstName())); } + if ("null".equalsIgnoreCase(userProfile.getLastName())) { userProfile.setLastName(""); } + if (!stringUtil.isEmpty(userProfile.getLastName()) && !userProfile.getLastName().equals(gjUser.getLastName())) { userProfile.setLastName(stringUtil.toCamelCaseAllWords(userProfile.getLastName())); } 
@@ -235,38 +269,52 @@ public XXPortalUser updateUser(VXPortalUser userProfile) { updateRoles(userProfile.getId(), userProfile.getUserRoleList()); List trxLogList = xPortalUserService.getTransactionLog(userProfile, existing, OPERATION_UPDATE_CONTEXT); + userProfile.setPassword(gjUser.getPassword()); + xPortalUserService.updateResource(userProfile); + sessionMgr.resetUserSessionForProfiles(ContextUtil.getCurrentUserSession()); + rangerBizUtil.createTrxLog(trxLogList); + return gjUser; } public boolean updateRoles(Long userId, Collection rolesList) { boolean rolesUpdated = false; - if (rolesList == null || rolesList.size() == 0) { + + if (rolesList == null || rolesList.isEmpty()) { return false; } + List stringRolesList = new ArrayList<>(); + for (String userRole : rolesList) { if (!VALID_ROLE_LIST.contains(userRole.toUpperCase())) { throw restErrorUtil.createRESTException("Invalid user role, please provide valid user role.", MessageEnums.INVALID_INPUT_DATA); } + stringRolesList.add(userRole); } + xUserMgr.checkAccessRoles(stringRolesList); + rangerBizUtil.blockAuditorRoleUser(); + // Let's first delete old roles List gjUserRoles = daoManager.getXXPortalUserRole().findByUserId(userId); for (XXPortalUserRole gjUserRole : gjUserRoles) { boolean found = false; + for (String userRole : rolesList) { if (gjUserRole.getUserRole().equalsIgnoreCase(userRole)) { found = true; break; } } + if (!found) { if (deleteUserRole(userId, gjUserRole)) { rolesUpdated = true; @@ -277,18 +325,21 @@ public boolean updateRoles(Long userId, Collection rolesList) { // Let's add new roles for (String userRole : rolesList) { boolean found = false; + for (XXPortalUserRole gjUserRole : gjUserRoles) { if (gjUserRole.getUserRole().equalsIgnoreCase(userRole)) { found = true; break; } } + if (!found) { if (addUserRole(userId, userRole) != null) { rolesUpdated = true; } } } + return rolesUpdated; } 
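Review bot: In updateRoles the validation `if (!VALID_ROLE_LIST.contains(userRole.toUpperCase()))` uses the default-locale `toUpperCase()`, so on a JVM running under a locale with special casing (Turkish dotted/dotless i) a valid lower-case role name can fail to match and be rejected, and a `null` element in rolesList surfaces as a NullPointerException (HTTP 500) instead of the intended INVALID_INPUT_DATA response. Use `if (userRole == null || !VALID_ROLE_LIST.contains(userRole.toUpperCase(Locale.ROOT)))` (adding `java.util.Locale` to the imports); addUserRole further down does the same `userRole.toUpperCase()` twice and should get the same treatment.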
@@ -298,12 +349,17 @@ public boolean updateRoles(Long userId, Collection rolesList) { */ public void setUserRoles(Long userId, List vStringRolesList) { List stringRolesList = new ArrayList<>(); + for (VXString vXString : vStringRolesList) { stringRolesList.add(vXString.getValue()); } + xUserMgr.checkAccessRoles(stringRolesList); + rangerBizUtil.blockAuditorRoleUser(); + VXPortalUser oldUserProfile = getUserProfile(userId); + xUserMgr.updateUserRolesPermissions(oldUserProfile, stringRolesList); } 
@@ -313,37 +369,52 @@ public void setUserRoles(Long userId, List vStringRolesList) { */ public VXResponse changePassword(VXPasswordChange pwdChange) { VXResponse ret = new VXResponse(); + // Get the user of whom we want to change the password XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(pwdChange.getLoginId()); + if (gjUser == null) { logger.warn("SECURITY:changePassword(). User not found. LoginId={}", pwdChange.getLoginId()); + throw restErrorUtil.createRESTException("serverMsg.userMgrInvalidUser", MessageEnums.DATA_NOT_FOUND, null, null, pwdChange.getLoginId()); } + if (gjUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) { logger.info("SECURITY:changePassword().Ranger External Users cannot change password. LoginId={}", pwdChange.getLoginId()); + VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_FORBIDDEN); vXResponse.setMsgDesc("SECURITY:changePassword().Ranger External Users cannot change password. LoginId=" + pwdChange.getLoginId()); + throw restErrorUtil.generateRESTException(vXResponse); } + checkAccess(gjUser); + String currentPassword = gjUser.getPassword(); + //check current password and provided old password is same or not if (this.isFipsEnabled) { if (!isPasswordValid(pwdChange.getLoginId(), currentPassword, pwdChange.getOldPassword())) { logger.info("changePassword(). Invalid old password. LoginId={}", pwdChange.getLoginId()); + throw restErrorUtil.createRESTException("serverMsg.userMgrOldPassword", MessageEnums.INVALID_INPUT_DATA, null, null, pwdChange.getLoginId()); } } else { String encryptedOldPwd = encrypt(pwdChange.getLoginId(), pwdChange.getOldPassword()); + if (!stringUtil.equals(encryptedOldPwd, gjUser.getPassword())) { logger.info("changePassword(). Invalid old password. 
LoginId={}", pwdChange.getLoginId()); + throw restErrorUtil.createRESTException("serverMsg.userMgrOldPassword", MessageEnums.INVALID_INPUT_DATA, null, null, pwdChange.getLoginId()); } } + //validate new password if (!stringUtil.validatePassword(pwdChange.getUpdPassword(), new String[] {gjUser.getFirstName(), gjUser.getLastName(), gjUser.getLoginId()})) { logger.warn("SECURITY:changePassword(). Invalid new password. LoginId={}", pwdChange.getLoginId()); + throw restErrorUtil.createRESTException("serverMsg.userMgrNewPassword", MessageEnums.INVALID_PASSWORD, null, null, pwdChange.getLoginId()); } 
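Review bot: In the non-FIPS branch of changePassword the stored hash is checked with `stringUtil.equals(encryptedOldPwd, gjUser.getPassword())`; unless StringUtil.equals is a constant-time comparison (its implementation is not visible here), this is an ordinary early-exit String compare of hash values and leaks a timing signal on the old-password check. The stdlib form is `MessageDigest.isEqual(encryptedOldPwd.getBytes(StandardCharsets.UTF_8), gjUser.getPassword().getBytes(StandardCharsets.UTF_8))`, or document on StringUtil.equals that it is constant-time if it already is. changeEmailAddress below performs the same comparison twice, once against the legacy MD5 encoding. changePassword continues in the next hunk.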
@@ -356,35 +427,46 @@ public VXResponse changePassword(VXPasswordChange pwdChange) { } else { oldPasswords = new ArrayList<>(); } + oldPasswords.add(gjUser.getPassword()); + while (oldPasswords.size() > this.passwordHistoryCount) { oldPasswords.remove(0); } + boolean isNewPasswordDifferent = oldPasswords.isEmpty(); + for (String oldPassword : oldPasswords) { if (this.isFipsEnabled) { isNewPasswordDifferent = isNewPasswordDifferent(pwdChange.getLoginId(), oldPassword, encryptedNewPwd); } else { isNewPasswordDifferent = !encryptedNewPwd.equals(oldPassword); } + if (!isNewPasswordDifferent) { break; } } + if (isNewPasswordDifferent) { xPortalUserService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_PASSWORD_CHANGE, pwdChange.getId(), pwdChange.getLoginId(), "password change"), "Password", currentPassword, encryptedNewPwd); gjUser.setPassword(encryptedNewPwd); updateOldPasswords(gjUser, oldPasswords); + gjUser = daoManager.getXXPortalUser().update(gjUser); + ret.setMsgDesc("Password successfully updated"); ret.setStatusCode(VXResponse.STATUS_SUCCESS); } else { logger.error("SECURITY:changePassword(). Password update failed. LoginId={}", pwdChange.getLoginId()); + ret.setMsgDesc("Password update failed"); ret.setStatusCode(VXResponse.STATUS_ERROR); + throw restErrorUtil.createRESTException("serverMsg.userMgrOldPassword", MessageEnums.INVALID_INPUT_DATA, gjUser.getId(), "password", gjUser.toString()); } + return ret; } 
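Review bot: On the reuse-rejected path of changePassword, `ret.setMsgDesc("Password update failed")` and `ret.setStatusCode(VXResponse.STATUS_ERROR)` are dead code because the very next statement throws; either drop them or return `ret` instead of throwing. The thrown exception carries `gjUser.toString()` as its value and the transaction log is written with `currentPassword` and `encryptedNewPwd`; if XXPortalUser.toString() includes the password or oldPasswords fields (not visible here), the HTTP error body echoes hash material to the client, and the trx log retains old/new hashes indefinitely (updatePasswordInSHA256 further down does the same with dbOldPwd/dbNewPwd). Prefer `gjUser.getLoginId()` in the exception and consider masking the hash values in the audit record, recording only that a change occurred.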
@@ -395,26 +477,32 @@ public VXResponse changePassword(VXPasswordChange pwdChange) { */ public VXPortalUser changeEmailAddress(XXPortalUser gjUser, VXPasswordChange changeEmail) { checkAccess(gjUser); + if (StringUtils.isEmpty(changeEmail.getEmailAddress())) { changeEmail.setEmailAddress(null); } if (!StringUtils.isEmpty(changeEmail.getEmailAddress()) && !stringUtil.validateEmail(changeEmail.getEmailAddress())) { logger.info("Invalid email address.{}", changeEmail); + throw restErrorUtil.createRESTException("serverMsg.userMgrInvalidEmail", MessageEnums.INVALID_INPUT_DATA, changeEmail.getId(), "emailAddress", changeEmail.toString()); } if (this.isFipsEnabled) { if (!isPasswordValid(changeEmail.getLoginId(), gjUser.getPassword(), changeEmail.getOldPassword())) { logger.info("changeEmailAddress(). Invalid password. changeEmail={}", changeEmail); + throw restErrorUtil.createRESTException("serverMsg.userMgrWrongPassword", MessageEnums.OPER_NO_PERMISSION, null, null, "" + changeEmail); } } else { String encryptedOldPwd = encrypt(gjUser.getLoginId(), changeEmail.getOldPassword()); + if (!stringUtil.equals(encryptedOldPwd, gjUser.getPassword())) { encryptedOldPwd = encryptWithOlderAlgo(gjUser.getLoginId(), changeEmail.getOldPassword()); + if (!stringUtil.equals(encryptedOldPwd, gjUser.getPassword())) { logger.info("changeEmailAddress(). Invalid password. changeEmail={}", changeEmail); + throw restErrorUtil.createRESTException("serverMsg.userMgrWrongPassword", MessageEnums.OPER_NO_PERMISSION, null, null, "" + changeEmail); } } 
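Review bot: In changeEmailAddress, `logger.info("changeEmailAddress(). Invalid password. changeEmail={}", changeEmail)` (both branches) and `"" + changeEmail` in the REST exception serialize the whole VXPasswordChange, which carries the caller's old password and possibly a new one in clear text; unless VXPasswordChange.toString() redacts those fields (not visible here), plaintext credentials reach the application log and the HTTP error body on every wrong-password attempt. Log and report only the identifier, e.g. `logger.info("changeEmailAddress(). Invalid password. loginId={}", changeEmail.getLoginId());` and pass `changeEmail.getLoginId()` as the exception value; the `"Invalid email address.{}"` log and its exception a few lines above have the same exposure. The method continues in the next hunk.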
@@ -424,12 +512,15 @@ public VXPortalUser changeEmailAddress(XXPortalUser gjUser, VXPasswordChange cha gjUser.setEmailAddress(stringUtil.normalizeEmail(changeEmail.getEmailAddress())); String saltEncodedpasswd = encrypt(gjUser.getLoginId(), changeEmail.getOldPassword()); + if (gjUser.getUserSource() == RangerCommonEnums.USER_APP) { gjUser.setPassword(saltEncodedpasswd); } else if (gjUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) { gjUser.setPassword(gjUser.getPassword()); } + daoManager.getXXPortalUser().update(gjUser); + return mapXXPortalUserVXPortalUser(gjUser); } 
@@ -438,56 +529,75 @@ public VXPortalUser changeEmailAddress(XXPortalUser gjUser, VXPasswordChange cha */ public VXPortalUser deactivateUser(XXPortalUser gjUser) { checkAdminAccess(); + rangerBizUtil.blockAuditorRoleUser(); + if (gjUser != null && gjUser.getStatus() != RangerConstants.ACT_STATUS_DEACTIVATED) { logger.info("Marking user {} as deleted", gjUser.getLoginId()); + gjUser.setStatus(RangerConstants.ACT_STATUS_DEACTIVATED); + gjUser = daoManager.getXXPortalUser().update(gjUser); + return mapXXPortalUserVXPortalUser(gjUser); } + return null; } public VXPortalUser getUserProfile(Long id) { XXPortalUser user = daoManager.getXXPortalUser().getById(id); + if (user != null) { checkAccess(user); + return mapXXPortalUserVXPortalUser(user); } else { logger.debug("User not found. userId={}", id); + return null; } } public VXPortalUser getUserProfileByLoginId() { String loginId = ContextUtil.getCurrentUserLoginId(); + return getUserProfileByLoginId(loginId); } public VXPortalUser getUserProfileByLoginId(String loginId) { XXPortalUser user = daoManager.getXXPortalUser().findByLoginId(loginId); + if (user != null) { return mapXXPortalUserVXPortalUser(user); } else { logger.debug("User not found. 
loginId={}", loginId); + return null; } } public XXPortalUser mapVXPortalUserToXXPortalUser(VXPortalUser userProfile) { XXPortalUser gjUser = new XXPortalUser(); + gjUser.setEmailAddress(userProfile.getEmailAddress()); + if ("null".equalsIgnoreCase(userProfile.getFirstName())) { userProfile.setFirstName(""); } + gjUser.setFirstName(userProfile.getFirstName()); + if ("null".equalsIgnoreCase(userProfile.getLastName())) { userProfile.setLastName(""); } + gjUser.setLastName(userProfile.getLastName()); + if (userProfile.getLoginId() == null || userProfile.getLoginId().trim().isEmpty() || "null".equalsIgnoreCase(userProfile.getLoginId())) { throw restErrorUtil.createRESTException("LoginId should not be null or blank, It is", MessageEnums.INVALID_INPUT_DATA); } + gjUser.setLoginId(userProfile.getLoginId()); gjUser.setPassword(userProfile.getPassword()); gjUser.setUserSource(userProfile.getUserSource()); @@ -495,11 +605,13 @@ public XXPortalUser mapVXPortalUserToXXPortalUser(VXPortalUser userProfile) { gjUser.setOtherAttributes(userProfile.getOtherAttributes()); gjUser.setSyncSource(userProfile.getSyncSource()); gjUser.setStatus(userProfile.getStatus()); + if (userProfile.getFirstName() != null && userProfile.getLastName() != null && !userProfile.getFirstName().trim().isEmpty() && !userProfile.getLastName().trim().isEmpty()) { gjUser.setPublicScreenName(userProfile.getFirstName() + " " + userProfile.getLastName()); } else { gjUser.setPublicScreenName(userProfile.getLoginId()); } + return gjUser; } 
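Review bot: getUserProfileByLoginId(String) returns the full profile without the `checkAccess(user)` guard that getUserProfile(Long) applies in the same hunk, so a reader may take the two overloads as equivalent when only one is authorization-checked. The asymmetry appears necessary because checkAccess(XXPortalUser) further down calls getUserProfileByLoginId itself, but that contract should be written on the String overload: `/** Looks up a profile by loginId WITHOUT an authorization check (checkAccess depends on this); any other caller must authorize the returned profile itself. */`.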
@@ -511,16 +623,21 @@ public VXPortalUser mapXXPortalUserToVXPortalUser(XXPortalUser user, Collection< if (user == null) { return null; } + UserSessionBase sess = ContextUtil.getCurrentUserSession(); + if (sess == null) { return null; } VXPortalUser userProfile = new VXPortalUser(); + gjUserToUserProfile(user, userProfile); + if (sess.isUserAdmin() || sess.isKeyAdmin() || sess.getXXPortalUser().getId().equals(user.getId())) { if (userRoleList == null) { userRoleList = new ArrayList<>(); + List gjUserRoleList = daoManager.getXXPortalUserRole().findByParentId(user.getId()); for (XXPortalUserRole userRole : gjUserRoleList) { @@ -530,7 +647,9 @@ public VXPortalUser mapXXPortalUserToVXPortalUser(XXPortalUser user, Collection< userProfile.setUserRoleList(userRoleList); } + userProfile.setUserSource(user.getUserSource()); + return userProfile; } @@ -560,12 +679,13 @@ public XXPortalUser findByLoginId(String loginId) { @Transactional(readOnly = true, propagation = Propagation.REQUIRED) public Collection getRolesForUser(XXPortalUser user) { - Collection roleList = new ArrayList<>(); - + Collection roleList = new ArrayList<>(); Collection roleCollection = daoManager.getXXPortalUserRole().findByUserId(user.getId()); + for (XXPortalUserRole role : roleCollection) { roleList.add(role.getUserRole()); } + return roleList; } @@ -583,6 +703,7 @@ public VXPortalUserList searchUsers(SearchCriteria searchCriteria) { Query query = createUserSearchQuery(countQueryStr, null, searchCriteria); Long count = (Long) query.getSingleResult(); int resultSize = count != null ? count.intValue() : 0; + if (resultSize == 0) { return returnList; } 
@@ -592,8 +713,10 @@ public VXPortalUserList searchUsers(SearchCriteria searchCriteria) { // Add sort by String sortBy = searchCriteria.getSortBy(); String querySortBy = "u.loginId"; + if (sortBy != null && !sortBy.trim().isEmpty()) { sortBy = sortBy.trim(); + if (sortBy.equalsIgnoreCase("userId")) { querySortBy = "u.id"; } else if (sortBy.equalsIgnoreCase("loginId")) { @@ -606,6 +729,7 @@ public VXPortalUserList searchUsers(SearchCriteria searchCriteria) { querySortBy = "u.lastName"; } else { sortBy = "loginId"; + logger.error("Invalid sortBy provided. sortBy={}", sortBy); } } else { @@ -618,6 +742,7 @@ public VXPortalUserList searchUsers(SearchCriteria searchCriteria) { // Add sort type String sortType = searchCriteria.getSortType(); String querySortType = "asc"; + if (sortType != null) { if (sortType.equalsIgnoreCase("asc") || sortType.equalsIgnoreCase("desc")) { querySortType = sortType; @@ -625,6 +750,7 @@ public VXPortalUserList searchUsers(SearchCriteria searchCriteria) { logger.error("Invalid sortType. sortType={}", sortType); } } + sortClause += querySortType; query = createUserSearchQuery(queryStr, sortClause, searchCriteria); @@ -636,15 +762,17 @@ public VXPortalUserList searchUsers(SearchCriteria searchCriteria) { @SuppressWarnings("rawtypes") List resultList = query.getResultList(); + int adminCount = 0; + // Iterate over the result list and create the return list - int adminCount = 0; for (Object object : resultList) { XXPortalUser gjUser = (XXPortalUser) object; VXPortalUser userProfile = new VXPortalUser(); + gjUserToUserProfile(gjUser, userProfile); + if (rangerBizUtil.isKeyAdmin() && (userProfile.getUserRoleList().contains(RangerConstants.ROLE_SYS_ADMIN) || userProfile.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR))) { adminCount++; - continue; } else { objectList.add(userProfile); } 
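Review bot: In the final `else` of the sortBy validation in searchUsers, `sortBy = "loginId";` executes before `logger.error("Invalid sortBy provided. sortBy={}", sortBy);`, so the log always prints the fallback value and never the rejected input, which makes the entry useless for spotting probing of the sort parameter. Swap the two lines so the error is logged with the original value first and the default assigned afterwards. The method starts in the previous hunk and ends in a later one.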
@@ -655,18 +783,21 @@ public VXPortalUserList searchUsers(SearchCriteria searchCriteria) { returnList.setSortBy(sortBy); returnList.setSortType(querySortType); returnList.setStartIndex(query.getFirstResult()); - returnList.setTotalCount(count.longValue()); + returnList.setTotalCount(count); returnList.setVXPortalUsers(objectList); + return returnList; } public boolean deleteUserRole(Long userId, String userRole) { List roleList = daoManager.getXXPortalUserRole().findByUserId(userId); + for (XXPortalUserRole gjUserRole : roleList) { if (gjUserRole.getUserRole().equalsIgnoreCase(userRole)) { return deleteUserRole(userId, gjUserRole); } } + return false; } @@ -676,42 +807,52 @@ public boolean deleteUserRole(Long userId, XXPortalUserRole gjUserRole) { * return false; } */ boolean publicRole = false; + for (String publicRoleStr : publicRoles) { if (publicRoleStr.equalsIgnoreCase(gjUserRole.getUserRole())) { publicRole = true; break; } } + if (!publicRole) { UserSessionBase sess = ContextUtil.getCurrentUserSession(); + if (sess == null || (!sess.isUserAdmin() && !sess.isKeyAdmin())) { return false; } } daoManager.getXXPortalUserRole().remove(gjUserRole.getId()); + return true; } public XXPortalUserRole addUserRole(Long userId, String userRole) { List roleList = daoManager.getXXPortalUserRole().findByUserId(userId); boolean publicRole = false; + for (String publicRoleStr : publicRoles) { if (publicRoleStr.equalsIgnoreCase(userRole)) { publicRole = true; break; } } + if (!publicRole) { UserSessionBase sess = ContextUtil.getCurrentUserSession(); + if (sess == null) { return null; } + // Admin if (!sess.isUserAdmin() && !sess.isKeyAdmin()) { logger.error("SECURITY WARNING: User trying to add non public role. userId={}, role={}, session={}", userId, userRole, sess, new Throwable()); + return null; } + rangerBizUtil.blockAuditorRoleUser(); } 
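Review bot: deleteUserRole(Long, XXPortalUserRole) silently returns `false` when a non-admin session attempts to remove a non-public role, while addUserRole in the same hunk logs `SECURITY WARNING: ...` with the session and a stack trace for the mirror case; an attempt to strip roles from another user is at least as audit-worthy as an attempt to grant them. Add the matching record before the early return, e.g. `logger.error("SECURITY WARNING: User trying to delete non public role. userId={}, role={}, session={}", userId, gjUserRole.getUserRole(), sess);`, so both paths are detectable from the logs. The remainder of addUserRole is in the next hunk.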
@@ -720,13 +861,17 @@ public XXPortalUserRole addUserRole(Long userId, String userRole) { return gjUserRole; } } + XXPortalUserRole userRoleObj = new XXPortalUserRole(); + if (!VALID_ROLE_LIST.contains(userRole.toUpperCase())) { throw restErrorUtil.createRESTException("Invalid user role, please provide valid user role.", MessageEnums.INVALID_INPUT_DATA); } + userRoleObj.setUserRole(userRole.toUpperCase()); userRoleObj.setUserId(userId); userRoleObj.setStatus(RangerConstants.STATUS_ENABLED); + daoManager.getXXPortalUserRole().create(userRoleObj); // If role is not OTHER, then remove OTHER @@ -735,11 +880,13 @@ public XXPortalUserRole addUserRole(Long userId, String userRole) { } sessionMgr.resetUserSessionForProfiles(ContextUtil.getCurrentUserSession()); + return null; } public void checkAccess(Long userId) { XXPortalUser gjUser = daoManager.getXXPortalUser().getById(userId); + if (gjUser == null) { throw restErrorUtil.create403RESTException("serverMsg.userMgrWrongUser: " + userId); } 
@@ -749,32 +896,39 @@ public void checkAccess(Long userId) { /** * @param gjUser - * @return */ public void checkAccess(XXPortalUser gjUser) { if (gjUser == null) { throw restErrorUtil.create403RESTException("serverMsg.userMgrWrongUser"); } + VXPortalUser requestedVXUser = getUserProfileByLoginId(gjUser.getLoginId()); + if (requestedVXUser != null && CollectionUtils.isNotEmpty(requestedVXUser.getUserRoleList()) && hasAccessToGetUserInfo(requestedVXUser)) { return; } + logger.info("Logged-In user is not allowed to access requested user data."); + throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "Logged-In user is not allowed to access requested user data", true); } public String encrypt(String loginId, String password) { String saltEncodedpasswd = ""; + if (this.isFipsEnabled) { try { Pbkdf2PasswordEncoderCust pbkdf2Encoder = new Pbkdf2PasswordEncoderCust(loginId); + pbkdf2Encoder.setEncodeHashAsBase64(true); + if (password != null) { saltEncodedpasswd = pbkdf2Encoder.encode(password); } } catch (Throwable t) { logger.error("Password doesn't meet requirements"); - throw restErrorUtil.createRESTException("Invalid password", MessageEnums.INVALID_PASSWORD, null, null, "" + loginId); + + throw restErrorUtil.createRESTException("Invalid password", MessageEnums.INVALID_PASSWORD, null, null, loginId); } } else { String sha256PasswordUpdateDisable = PropertiesUtil.getProperty("ranger.sha256Password.update.disable", "false"); 
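Review bot: In encrypt's FIPS branch, `catch (Throwable t) { logger.error("Password doesn't meet requirements"); ... }` discards `t`, so a PBKDF2 or provider failure (for example the algorithm being unavailable under the configured FIPS provider) is reported to the caller as an invalid password with no diagnostic in the log. Pass the cause to the logger without the password itself, `logger.error("Password doesn't meet requirements. loginId={}", loginId, t);`, and consider narrowing the catch to `Exception` so Errors are not converted into a 4xx. The non-FIPS branch of encrypt continues outside this hunk.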
@@ -790,17 +944,16 @@ public String encrypt(String loginId, String password) { } public String encryptWithOlderAlgo(String loginId, String password) { - String saltEncodedpasswd = ""; - - saltEncodedpasswd = encodeString(password, loginId, "MD5"); - - return saltEncodedpasswd; + return encodeString(password, loginId, "MD5"); } public VXPortalUser createUser(VXPortalUser userProfile) { checkAdminAccess(); + rangerBizUtil.blockAuditorRoleUser(); + XXPortalUser xXPortalUser = this.createUser(userProfile, RangerCommonEnums.STATUS_ENABLED); + return mapXXPortalUserVXPortalUser(xXPortalUser); } @@ -810,21 +963,27 @@ public VXPortalUser createDefaultAccountUser(VXPortalUser userProfile) { userProfile.setUserSource(RangerCommonEnums.USER_EXTERNAL); } } + // access control checkAdminAccess(); + rangerBizUtil.blockAuditorRoleUser(); + logger.info("create:{}", userProfile.getLoginId()); + XXPortalUser xXPortalUser = null; - Collection existingRoleList = null; - Collection reqRoleList = null; + Collection existingRoleList; + Collection reqRoleList; String loginId = userProfile.getLoginId(); String emailAddress = userProfile.getEmailAddress(); if (loginId != null && !loginId.isEmpty()) { xXPortalUser = this.findByLoginId(loginId); + if (xXPortalUser == null) { if (emailAddress != null && !emailAddress.trim().isEmpty()) { xXPortalUser = this.findByEmailAddress(emailAddress); + if (xXPortalUser == null) { xXPortalUser = this.createUser(userProfile, RangerCommonEnums.STATUS_ENABLED); } else { @@ -832,6 +991,7 @@ public VXPortalUser createDefaultAccountUser(VXPortalUser userProfile) { } } else { userProfile.setEmailAddress(null); + xXPortalUser = this.createUser(userProfile, RangerCommonEnums.STATUS_ENABLED); } } else { //NOPMD 
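Review bot: encryptWithOlderAlgo is reduced to `return encodeString(password, loginId, "MD5");` with no documentation of why an MD5 encoding still exists in a password manager; from changeEmailAddress above it is used only as a fallback to verify hashes stored under the legacy scheme before the password is re-encoded with encrypt(). State that purpose and boundary on the method: `/** Legacy MD5-based encoding, retained only to verify passwords stored before the current scheme; never use it to produce new hashes. */`.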
@@ -845,26 +1005,34 @@ public VXPortalUser createDefaultAccountUser(VXPortalUser userProfile) { } VXPortalUser userProfileRes = null; + if (xXPortalUser != null) { userProfileRes = mapXXPortalUserToVXPortalUserForDefaultAccount(xXPortalUser); - if (userProfile.getUserRoleList() != null && userProfile.getUserRoleList().size() > 0 && ((List) userProfile.getUserRoleList()).get(0) != null) { + + if (userProfile.getUserRoleList() != null && !userProfile.getUserRoleList().isEmpty() && ((List) userProfile.getUserRoleList()).get(0) != null) { reqRoleList = userProfile.getUserRoleList(); existingRoleList = this.getRolesByLoginId(loginId); + XXPortalUser xxPortalUser = daoManager.getXXPortalUser().findByLoginId(userProfile.getLoginId()); + if (xxPortalUser != null && xxPortalUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) { userProfileRes = updateRoleForExternalUsers(reqRoleList, existingRoleList, userProfileRes); } } } + return userProfileRes; } public boolean isUserInRole(Long userId, String role) { XXPortalUserRole xXPortalUserRole = daoManager.getXXPortalUserRole().findByRoleUserId(userId, role); + if (xXPortalUserRole != null) { String userRole = xXPortalUserRole.getUserRole(); + return userRole.equalsIgnoreCase(role); } + return false; } @@ -884,20 +1052,27 @@ public XXPortalUser updateUserWithPass(VXPortalUser userProfile) { } String encryptedNewPwd = encrypt(xXPortalUser.getLoginId(), updatedPassword); + if (xXPortalUser.getUserSource() != RangerCommonEnums.USER_EXTERNAL) { String oldPasswordsStr = xXPortalUser.getOldPasswords(); List oldPasswords; + if (StringUtils.isNotEmpty(oldPasswordsStr)) { oldPasswords = new ArrayList<>(Arrays.asList(oldPasswordsStr.split(","))); } else { oldPasswords = new ArrayList<>(); } + oldPasswords.add(encryptedNewPwd); + updateOldPasswords(xXPortalUser, oldPasswords); + xXPortalUser.setPassword(encryptedNewPwd); } + xXPortalUser = daoManager.getXXPortalUser().update(xXPortalUser); } + return xXPortalUser; } 
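Review bot: In updateUserWithPass the new hash is appended with `oldPasswords.add(encryptedNewPwd)` and handed to updateOldPasswords without either the `while (oldPasswords.size() > this.passwordHistoryCount)` trim or the reuse check that changePassword performs; unless updateOldPasswords trims the list itself (not visible here), the history column grows without bound on this path, and a password already in the history can be set again through it. If bypassing the reuse policy is intentional for this administrative reset, say so at the call, `// admin reset: history is recorded but reuse is not enforced here`; otherwise reuse the trim-and-compare logic from changePassword. The method starts outside this hunk.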
@@ -912,15 +1087,19 @@ public XXPortalUser updatePasswordInSHA256(String userName, String userPassword, if (xXPortalUser == null) { return null; } + String dbOldPwd = xXPortalUser.getPassword(); String encryptedNewPwd = encrypt(xXPortalUser.getLoginId(), userPassword); + if (xXPortalUser.getUserSource() != RangerCommonEnums.USER_EXTERNAL) { xXPortalUser.setPassword(encryptedNewPwd); } xXPortalUser = daoManager.getXXPortalUser().update(xXPortalUser); + if (xXPortalUser != null && logAudits) { String dbNewPwd = xXPortalUser.getPassword(); + if (!dbOldPwd.equals(dbNewPwd)) { xPortalUserService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_PASSWORD_CHANGE, xXPortalUser.getId(), xXPortalUser.getLoginId(), "password change"), "Password", dbOldPwd, dbNewPwd); } @@ -931,9 +1110,11 @@ public XXPortalUser updatePasswordInSHA256(String userName, String userPassword, public void checkAdminAccess() { UserSessionBase sess = ContextUtil.getCurrentUserSession(); + if (sess != null && sess.isUserAdmin()) { return; } + throw restErrorUtil.create403RESTException("Operation not allowed." + " loggedInUser=" + (sess != null ? sess.getXXPortalUser().getId() : ". Not Logged In.")); } @@ -941,15 +1122,21 @@ public Collection getRolesByLoginId(String loginId) { if (loginId == null || loginId.trim().isEmpty()) { return DEFAULT_ROLE_LIST; } + XXPortalUser xXPortalUser = daoManager.getXXPortalUser().findByLoginId(loginId); + if (xXPortalUser == null) { return DEFAULT_ROLE_LIST; } + Collection xXPortalUserRoles = daoManager.getXXPortalUserRole().findByUserId(xXPortalUser.getId()); + if (xXPortalUserRoles == null) { return DEFAULT_ROLE_LIST; } + Collection roleList = new ArrayList<>(); + for (XXPortalUserRole role : xXPortalUserRoles) { if (role != null && VALID_ROLE_LIST.contains(role.getUserRole())) { if (!roleList.contains(role.getUserRole())) { 
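Review bot: `xPortalUserService.createTransactionLog(..., "Password", dbOldPwd, dbNewPwd)` hands the stored old and new password hashes over as the attribute's old/new values; unless `createTransactionLog` masks the `Password` attribute (not visible here), both hashes land in the transaction log, which `XAuditMgr.searchXTrxLogs` exposes to every admin-class role through `checkAllAdminsAccess()`. Pass placeholders, `"Password", "*****", "*****"`, and keep the `!dbOldPwd.equals(dbNewPwd)` decision local, or verify the masking in the service and note it with `// createTransactionLog masks the Password attribute`. `dbOldPwd.equals(dbNewPwd)` also throws when the stored password is null; `!StringUtils.equals(dbOldPwd, dbNewPwd)` is null-safe with the `StringUtils` already used in this file. `updatePasswordInSHA256` starts outside this hunk.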
@@ -957,9 +1144,11 @@ public Collection getRolesByLoginId(String loginId) { } } } - if (roleList == null || roleList.size() == 0) { + + if (roleList.isEmpty()) { return DEFAULT_ROLE_LIST; } + return roleList; } @@ -971,20 +1160,26 @@ public XXPortalUser updateOldUserName(String userLoginId, String newUserName, St XXPortalUser xXPortalUser = this.findByLoginId(userLoginId); XXUser xXUser = daoManager.getXXUser().findByUserName(userLoginId); + if (xXPortalUser == null || xXUser == null) { return null; } + xXUser.setName(newUserName); + daoManager.getXXUser().update(xXUser); xXPortalUser.setLoginId(newUserName); + // The old password needs to be encrypted by the new user name String updatedPwd = encrypt(newUserName, currentPassword); + if (xXPortalUser.getUserSource() == RangerCommonEnums.USER_APP) { xXPortalUser.setPassword(updatedPwd); } else if (xXPortalUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) { xXPortalUser.setPassword(xXPortalUser.getPassword()); } + xXPortalUser = daoManager.getXXPortalUser().update(xXPortalUser); xPortalUserService.createTransactionLog(new XXTrxLogV2(AppConstants.CLASS_TYPE_USER_PROFILE, xXPortalUser.getId(), xXPortalUser.getLoginId(), "update"), "User Name", userLoginId, newUserName); @@ -994,8 +1189,10 @@ public XXPortalUser updateOldUserName(String userLoginId, String newUserName, St public boolean isPasswordValid(String loginId, String encodedPassword, String password) { boolean isPasswordValid = false; + try { Pbkdf2PasswordEncoderCust pbkdf2Encoder = new Pbkdf2PasswordEncoderCust(loginId); + pbkdf2Encoder.setEncodeHashAsBase64(true); if (pbkdf2Encoder.matches(password, encodedPassword)) { 
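Review bot: `updateOldUserName` re-hashes `currentPassword` under the new login with `encrypt(newUserName, currentPassword)` but never checks that `currentPassword` matches the stored hash, so a wrong or stale value silently replaces the user's password instead of re-keying it (the hash is bound to the login id). Unless the caller already validates it (confirm), guard the `USER_APP` branch first: `if (!isPasswordValid(userLoginId, xXPortalUser.getPassword(), currentPassword)) { throw restErrorUtil.createRESTException("current password does not match"); }` using the `isPasswordValid` defined just below. The `else if (... USER_EXTERNAL) { xXPortalUser.setPassword(xXPortalUser.getPassword()); }` branch is a no-op and can be dropped.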
@@ -1011,12 +1208,16 @@ public boolean isPasswordValid(String loginId, String encodedPassword, String pa public boolean isNewPasswordDifferent(String loginId, String currentPassword, String newPassword) { boolean isNewPasswordDifferent = true; String saltEncodedpasswd = ""; + try { Pbkdf2PasswordEncoderCust pbkdf2Encoder = new Pbkdf2PasswordEncoderCust(loginId); + pbkdf2Encoder.setEncodeHashAsBase64(true); + if (currentPassword != null) { saltEncodedpasswd = pbkdf2Encoder.encode(currentPassword); } + if (pbkdf2Encoder.matches(newPassword, saltEncodedpasswd)) { isNewPasswordDifferent = false; } @@ -1029,6 +1230,7 @@ public boolean isNewPasswordDifferent(String loginId, String currentPassword, St protected void gjUserToUserProfile(XXPortalUser user, VXPortalUser userProfile) { UserSessionBase sess = ContextUtil.getCurrentUserSession(); + if (sess == null) { return; } 
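Review bot: `isNewPasswordDifferent` derives a PBKDF2 hash of `currentPassword` and then calls `matches(newPassword, saltEncodedpasswd)`, i.e. two key derivations to compare two plaintext strings it already holds, and when `currentPassword` is null it ends up evaluating `matches(newPassword, "")`, whose outcome depends on how the encoder treats an empty hash (the catch handling that is outside the visible lines). `return currentPassword == null || !currentPassword.equals(newPassword);` gives the same answer without the KDF cost or the reliance on the exception path - provided both arguments are plaintext at every call site, which this hunk suggests but cannot prove. The method's catch block and return are outside this hunk.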
@@ -1054,24 +1256,33 @@ protected void gjUserToUserProfile(XXPortalUser user, VXPortalUser userProfile) } userProfile.setId(user.getId()); + if (sess.isUserAdmin() || sess.getXXPortalUser().getId().equals(user.getId())) { List xUserPermissions = daoManager.getXXUserPermission().findByUserPermissionIdAndIsAllowed(userProfile.getId()); List xxGroupPermissions = daoManager.getXXGroupPermission().findbyVXPortalUserId(userProfile.getId()); - List groupPermissions = new ArrayList(); - List vxUserPermissions = new ArrayList(); + List groupPermissions = new ArrayList<>(); + List vxUserPermissions = new ArrayList<>(); + for (XXGroupPermission xxGroupPermission : xxGroupPermissions) { VXGroupPermission groupPermission = xGroupPermissionService.populateViewBean(xxGroupPermission); + groupPermission.setModuleName(daoManager.getXXModuleDef().findByModuleId(groupPermission.getModuleId()).getModule()); + groupPermissions.add(groupPermission); } + for (XXUserPermission xUserPermission : xUserPermissions) { VXUserPermission vXUserPermission = xUserPermissionService.populateViewBean(xUserPermission); + vXUserPermission.setModuleName(daoManager.getXXModuleDef().findByModuleId(vXUserPermission.getModuleId()).getModule()); + vxUserPermissions.add(vXUserPermission); } + userProfile.setGroupPermissions(groupPermissions); userProfile.setUserPermList(vxUserPermissions); } + userProfile.setFirstName(user.getFirstName()); userProfile.setLastName(user.getLastName()); userProfile.setPublicScreenName(user.getPublicScreenName()); 
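Review bot: `daoManager.getXXModuleDef().findByModuleId(...).getModule()` is called in both loops without a null check, so a permission row whose module id no longer resolves turns a profile read into a NullPointerException (HTTP 500). Hold the lookup in a local and guard it, e.g. `XXModuleDef moduleDef = daoManager.getXXModuleDef().findByModuleId(groupPermission.getModuleId()); groupPermission.setModuleName(moduleDef != null ? moduleDef.getModule() : null);` (same for the user-permission loop). `gjUserToUserProfile` starts before this hunk and continues after it.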
@@ -1085,15 +1296,16 @@ protected void gjUserToUserProfile(XXPortalUser user, VXPortalUser userProfile) * @return */ protected Query createUserSearchQuery(String queryStr, String sortClause, SearchCriteria searchCriteria) { - HashMap paramList = searchCriteria.getParamList(); - - String whereClause = "WHERE 1 = 1 "; + HashMap paramList = searchCriteria.getParamList(); + String whereClause = "WHERE 1 = 1 "; // roles @SuppressWarnings("unchecked") List roleList = (List) paramList.get("roleList"); - if (roleList != null && roleList.size() > 0) { + + if (roleList != null && !roleList.isEmpty()) { whereClause = ", XXPortalUserRole ur WHERE u.id = ur.userId"; + if (roleList.size() == 1) { // For only one role, let's do an equal to whereClause += " and ur.userRole = :role"; @@ -1104,38 +1316,45 @@ protected Query createUserSearchQuery(String queryStr, String sortClause, Search // userId Long userId = (Long) paramList.get("userId"); + if (userId != null) { whereClause += " and u.id = :userId "; } // loginId String loginId = (String) paramList.get("loginId"); + if (loginId != null) { whereClause += " and LOWER(u.loginId) = :loginId "; } // emailAddress String emailAddress = (String) paramList.get("emailAddress"); + if (emailAddress != null) { whereClause += " and LOWER(u.emailAddress) = :emailAddress "; } // firstName String firstName = (String) paramList.get("firstName"); + if (firstName != null) { whereClause += " and LOWER(u.firstName) = :firstName "; } // lastName String lastName = (String) paramList.get("lastName"); + if (lastName != null) { whereClause += " and LOWER(u.lastName) = :lastName "; } // status Integer status = null; + @SuppressWarnings("unchecked") List statusList = (List) paramList.get("statusList"); + if (statusList != null && statusList.size() == 1) { // use == condition whereClause += " and u.status = :status"; 
@@ -1147,12 +1366,14 @@ protected Query createUserSearchQuery(String queryStr, String sortClause, Search // publicScreenName String publicScreenName = (String) paramList.get("publicScreenName"); + if (publicScreenName != null) { whereClause += " and LOWER(u.publicScreenName) = :publicScreenName "; } // familyScreenName String familyScreenName = (String) paramList.get("familyScreenName"); + if (familyScreenName != null) { whereClause += " and LOWER(u.familyScreenName) = :familyScreenName "; } @@ -1163,7 +1384,7 @@ protected Query createUserSearchQuery(String queryStr, String sortClause, Search Query query = daoManager.getEntityManager().createQuery(queryStr + whereClause); - if (roleList != null && roleList.size() > 0) { + if (roleList != null && !roleList.isEmpty()) { if (roleList.size() == 1) { query.setParameter("role", roleList.get(0)); } else { @@ -1174,9 +1395,11 @@ protected Query createUserSearchQuery(String queryStr, String sortClause, Search if (status != null) { query.setParameter("status", status); } + if (statusList != null && statusList.size() > 1) { query.setParameter("statusList", statusList); } + if (emailAddress != null) { query.setParameter("emailAddress", emailAddress.toLowerCase()); } @@ -1185,10 +1408,12 @@ protected Query createUserSearchQuery(String queryStr, String sortClause, Search if (userId != null) { query.setParameter("userId", userId); } + // firstName if (firstName != null) { query.setParameter("firstName", firstName.toLowerCase()); } + // lastName if (lastName != null) { query.setParameter("lastName", lastName.toLowerCase()); 
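Review bot: `daoManager.getEntityManager().createQuery(queryStr + whereClause)` assembles the JPQL by concatenation; the `whereClause` fragments are constants and every user value is bound with `setParameter`, which is correct, but `queryStr` (and the `sortClause` parameter, not visible being used in these hunks) is spliced in raw and must therefore only ever originate from code, never from request input. A one-line comment above the call, `// queryStr/sortClause must be code constants - only paramList values are bound; never pass request strings here`, records that invariant for future callers. `createUserSearchQuery` starts and ends outside this hunk.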
@@ -1214,12 +1439,16 @@ protected Query createUserSearchQuery(String queryStr, String sortClause, Search protected VXPortalUser updateRoleForExternalUsers(Collection reqRoleList, Collection existingRoleList, VXPortalUser userProfileRes) { UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null && session.getXXPortalUser() != null && session.getXXPortalUser().getLoginId() != null && "rangerusersync".equals(session.getXXPortalUser().getLoginId()) && reqRoleList != null && !reqRoleList.isEmpty() && existingRoleList != null && !existingRoleList.isEmpty()) { + + if (session != null && session.getXXPortalUser() != null && session.getXXPortalUser().getLoginId() != null && "rangerusersync".equals(session.getXXPortalUser().getLoginId()) + && reqRoleList != null && !reqRoleList.isEmpty() && existingRoleList != null && !existingRoleList.isEmpty()) { if (!reqRoleList.equals(existingRoleList)) { userProfileRes.setUserRoleList(reqRoleList); userProfileRes.setUserSource(RangerCommonEnums.USER_EXTERNAL); + List xuserPermissionList = daoManager.getXXUserPermission().findByUserPermissionId(userProfileRes.getId()); - if (xuserPermissionList != null && xuserPermissionList.size() > 0) { + + if (xuserPermissionList != null && !xuserPermissionList.isEmpty()) { for (XXUserPermission xXUserPermission : xuserPermissionList) { if (xXUserPermission != null) { try { @@ -1230,11 +1459,13 @@ protected VXPortalUser updateRoleForExternalUsers(Collection reqRoleList } } } + updateUser(userProfileRes); } } else { - logger.debug("Permission denied. LoggedInUser={} isn't permitted to perform the action.", (session != null && session.getXXPortalUser() != null ? session.getXXPortalUser().getId() : "")); + logger.debug("Permission denied. LoggedInUser={} isn't permitted to perform the action.", session != null && session.getXXPortalUser() != null ? session.getXXPortalUser().getId() : ""); } + return userProfileRes; } 
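Review bot: `!reqRoleList.equals(existingRoleList)` is an order- and type-sensitive comparison: the same roles in a different order, or a `Set` on the request side against the `List` from the DAO, compare unequal, so the branch deletes the user's permission rows and rewrites the role list although nothing changed. Compare as sets instead, `if (!new HashSet<>(reqRoleList).equals(new HashSet<>(existingRoleList))) {` (java.util.HashSet). Authorization here also hinges on the literal login `"rangerusersync"`; renaming that account silently disables role sync, and the refusal is only `logger.debug`, so raising it to `logger.warn` would make that failure mode visible in operations.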
@@ -1251,6 +1482,7 @@ protected VXPortalUser mapXXPortalUserToVXPortalUserForDefaultAccount(XXPortalUs userProfile.setPublicScreenName(user.getPublicScreenName()); userProfile.setOtherAttributes(user.getOtherAttributes()); userProfile.setSyncSource(user.getSyncSource()); + List gjUserRoleList = daoManager.getXXPortalUserRole().findByParentId(user.getId()); for (XXPortalUserRole gjUserRole : gjUserRoleList) { @@ -1262,6 +1494,7 @@ protected VXPortalUser mapXXPortalUserToVXPortalUserForDefaultAccount(XXPortalUs private void updateOldPasswords(XXPortalUser gjUser, List oldPasswords) { String oldPasswordStr = CollectionUtils.isNotEmpty(oldPasswords) ? StringUtils.join(oldPasswords, ",") : null; + gjUser.setOldPasswords(oldPasswordStr); gjUser.setPasswordUpdatedTime(DateUtil.getUTCDate()); } @@ -1278,13 +1511,16 @@ private String mergeTextAndSalt(String text, Object salt, boolean strict) { if ((salt == null) || ("".equals(salt))) { return text; } + return text + "{" + salt + "}"; } private String encodeString(String text, String salt, String algorithm) { String mergedString = mergeTextAndSalt(text, salt, false); + try { MessageDigest digest = MessageDigest.getInstance(algorithm); + return new String(Hex.encode(digest.digest(mergedString.getBytes(StandardCharsets.UTF_8)))); } catch (NoSuchAlgorithmException e) { throw restErrorUtil.createRESTException("algorithm `" + algorithm + "' not supported"); 
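Review bot: The `catch (NoSuchAlgorithmException e)` in `encodeString` throws a REST error built from a message only, dropping `e` - neither logged nor chained - so a provider that refuses `MD5` (FIPS-restricted JVMs may) is reported without any stack trace. Add `logger.error("digest algorithm not available: {}", algorithm, e);` before the throw. A Javadoc on `encodeString` should also state that it is a single plain digest of `text{salt}` kept only for legacy-hash verification, since `mergeTextAndSalt` returns the bare text for an empty salt and the salt is the login id rather than a random value. `mergeTextAndSalt` starts outside this hunk.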
@@ -1293,8 +1529,10 @@ private String encodeString(String text, String salt, String algorithm) { private boolean hasAccessToGetUserInfo(VXPortalUser requestedVXUser) { UserSessionBase userSession = ContextUtil.getCurrentUserSession(); + if (userSession != null && userSession.getLoginId() != null) { VXPortalUser loggedInVXUser = getUserProfileByLoginId(userSession.getLoginId()); + if (loggedInVXUser != null && loggedInVXUser.getUserRoleList().size() == 1) { if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) { return requestedVXUser.getId().equals(loggedInVXUser.getId()); @@ -1309,6 +1547,7 @@ private boolean hasAccessToGetUserInfo(VXPortalUser requestedVXUser) { } } } + return false; } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgrBase.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgrBase.java index 92b770d9bd..ccbd2a055e 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgrBase.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgrBase.java @@ -41,11 +41,13 @@ public VXPortalUser getXPortalUser(Long id) { public VXPortalUser createXPortalUser(VXPortalUser vXPortalUser) { vXPortalUser = xPortalUserService.createResource(vXPortalUser); + return vXPortalUser; } public VXPortalUser updateXPortalUser(VXPortalUser vXPortalUser) { vXPortalUser = xPortalUserService.updateResource(vXPortalUser); + return vXPortalUser; } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java index 878802bb8d..67b10246c6 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java 
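Review bot: `loggedInVXUser.getUserRoleList().size() == 1` in `hasAccessToGetUserInfo` dereferences the role list without a null check, whereas the rest of this module uses `CollectionUtils.isNotEmpty(...)` for the same field, and `requestedVXUser.getId().equals(...)` throws for a request object with no id. Since the method falls through to `return false` (default deny, which is right), a null list should take that path too: `if (loggedInVXUser != null && CollectionUtils.size(loggedInVXUser.getUserRoleList()) == 1) {`. The self-only restriction keys on exactly one role; whether a user holding `ROLE_USER` plus another role is meant to bypass it is decided in the lines cut from this hunk.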
@@ -52,55 +52,68 @@ public class XAuditMgr extends XAuditMgrBase { public VXTrxLog getXTrxLog(Long id) { checkAllAdminsAccess(); + return super.getXTrxLog(id); } public VXTrxLog createXTrxLog(VXTrxLog vXTrxLog) { checkAdminAccess(); + rangerBizUtil.blockAuditorRoleUser(); + return super.createXTrxLog(vXTrxLog); } public VXTrxLog updateXTrxLog(VXTrxLog vXTrxLog) { checkAdminAccess(); + rangerBizUtil.blockAuditorRoleUser(); + return super.updateXTrxLog(vXTrxLog); } public void deleteXTrxLog(Long id, boolean force) { checkAdminAccess(); + rangerBizUtil.blockAuditorRoleUser(); + super.deleteXTrxLog(id, force); } public VXTrxLogList searchXTrxLogs(SearchCriteria searchCriteria) { checkAllAdminsAccess(); + return super.searchXTrxLogs(searchCriteria); } public VXLong getXTrxLogSearchCount(SearchCriteria searchCriteria) { checkAllAdminsAccess(); + return super.getXTrxLogSearchCount(searchCriteria); } public VXAccessAudit createXAccessAudit(VXAccessAudit vXAccessAudit) { checkAdminAccess(); + return super.createXAccessAudit(vXAccessAudit); } public VXAccessAudit updateXAccessAudit(VXAccessAudit vXAccessAudit) { checkAdminAccess(); + return super.updateXAccessAudit(vXAccessAudit); } public void deleteXAccessAudit(Long id, boolean force) { checkAdminAccess(); + super.deleteXAccessAudit(id, force); } @Override public VXAccessAuditList searchXAccessAudits(SearchCriteria searchCriteria) { String auditDBType = rangerBizUtil.getAuditDBType(); + if (RangerBizUtil.AUDIT_STORE_SOLR.equalsIgnoreCase(auditDBType)) { return solrAccessAuditsService.searchXAccessAudits(searchCriteria); } else if (RangerBizUtil.AUDIT_STORE_ELASTIC_SEARCH.equalsIgnoreCase(auditDBType)) { 
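Review bot: `createXAccessAudit`, `updateXAccessAudit` and `deleteXAccessAudit` get only `checkAdminAccess()`, while the three XTrxLog mutators in the same hunk additionally receive `rangerBizUtil.blockAuditorRoleUser()`. If `checkAdminAccess()` admits the auditor role (which the added guard on the trx-log methods implies, otherwise it would be redundant), an auditor can still create, edit or delete access-audit records - the very data that role is meant only to read. Add `rangerBizUtil.blockAuditorRoleUser();` after `checkAdminAccess();` in those three methods as well. `searchXAccessAudits` also dispatches straight to the store with no access check in the visible lines, unlike `searchXTrxLogs`; confirm the REST layer enforces one.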
@@ -115,6 +128,7 @@ public VXAccessAuditList searchXAccessAudits(SearchCriteria searchCriteria) { @Override public VXLong getXAccessAuditSearchCount(SearchCriteria searchCriteria) { String auditDBType = rangerBizUtil.getAuditDBType(); + if (RangerBizUtil.AUDIT_STORE_SOLR.equalsIgnoreCase(auditDBType)) { return solrAccessAuditsService.getXAccessAuditSearchCount(searchCriteria); } else if (RangerBizUtil.AUDIT_STORE_ELASTIC_SEARCH.equalsIgnoreCase(auditDBType)) { @@ -128,14 +142,17 @@ public VXLong getXAccessAuditSearchCount(SearchCriteria searchCriteria) { public void checkAdminAccess() { UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { if (!session.isUserAdmin()) { throw restErrorUtil.create403RESTException("Operation" + " denied. LoggedInUser=" + session.getXXPortalUser().getId() + " ,isn't permitted to perform the action."); } } else { VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); // user is null vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); } } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgrBase.java b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgrBase.java index 4348958e26..5aa3e5c5c7 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgrBase.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgrBase.java @@ -103,11 +103,13 @@ public VXAccessAudit getXAccessAudit(Long id) { public VXAccessAudit createXAccessAudit(VXAccessAudit vXAccessAudit) { vXAccessAudit = xAccessAuditService.createResource(vXAccessAudit); + return vXAccessAudit; } public VXAccessAudit updateXAccessAudit(VXAccessAudit vXAccessAudit) { vXAccessAudit = xAccessAuditService.updateResource(vXAccessAudit); + return vXAccessAudit; } 
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index e31e87d5a6..7941779fea 100755 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java @@ -23,7 +23,7 @@ import org.apache.commons.collections.MapUtils; import org.apache.commons.lang.StringUtils; import org.apache.hadoop.util.Time; -import org.apache.ranger.biz.ServiceDBStore.RemoveRefType; +import org.apache.ranger.biz.ServiceDBStore.REMOVE_REF_TYPE; import org.apache.ranger.common.AppConstants; import org.apache.ranger.common.ContextUtil; import org.apache.ranger.common.GUIDUtil; @@ -114,7 +114,6 @@ import org.springframework.stereotype.Component; import org.springframework.transaction.PlatformTransactionManager; import org.springframework.transaction.TransactionDefinition; -import org.springframework.transaction.TransactionStatus; import org.springframework.transaction.annotation.Propagation; import org.springframework.transaction.annotation.Transactional; import org.springframework.transaction.support.TransactionCallback; 
@@ -142,72 +141,96 @@ public class XUserMgr extends XUserMgrBase { static final Logger logger = LoggerFactory.getLogger(XUserMgr.class); - static final Set roleAssignmentUpdatedUsers = new HashSet<>(); - static final String MSG_DATA_ACCESS_DENY = "Logged-In user is not allowed to access requested user data"; - private static final String USER = "User"; - private static final String GROUP = "Group"; - private static final int MAX_DB_TRANSACTION_RETRIES = 5; - private static final int PASSWORD_LENGTH = 16; + static final Set roleAssignmentUpdatedUsers = new HashSet<>(); + static final String MSG_DATA_ACCESS_DENY = "Logged-In user is not allowed to access requested user data"; + + private static final String USER = "User"; + private static final String GROUP = "Group"; + private static final int MAX_DB_TRANSACTION_RETRIES = 5; + private static final int PASSWORD_LENGTH = 16; + @Autowired - RangerBizUtil msBizUtil; + RangerBizUtil msBizUtil; + @Autowired - UserMgr userMgr; + UserMgr userMgr; + @Autowired - RangerDaoManager daoManager; + RangerDaoManager daoManager; + @Autowired - RangerBizUtil xaBizUtil; + RangerBizUtil xaBizUtil; + @Autowired - XPortalUserService xPortalUserService; + XPortalUserService xPortalUserService; + @Autowired - XResourceService xResourceService; + XResourceService xResourceService; + @Autowired - SessionMgr sessionMgr; + SessionMgr sessionMgr; + @Autowired - RangerPolicyService policyService; + RangerPolicyService policyService; + @Autowired - ServiceDBStore svcStore; + ServiceDBStore svcStore; + @Autowired - GUIDUtil guidUtil; + GUIDUtil guidUtil; + @Autowired - XUgsyncAuditInfoService xUgsyncAuditInfoService; + XUgsyncAuditInfoService xUgsyncAuditInfoService; + @Autowired - StringUtil stringUtil; + StringUtil stringUtil; + @Autowired RangerTransactionSynchronizationAdapter transactionSynchronizationAdapter; + @Autowired - GdsDBStore gdsStore; + GdsDBStore gdsStore; + @Autowired @Qualifier(value = "transactionManager") - 
PlatformTransactionManager txManager; + + PlatformTransactionManager txManager; public VXUser getXUserByUserName(String userName) { - VXUser vXUser = null; - vXUser = xUserService.getXUserByUserName(userName); + VXUser vXUser = xUserService.getXUserByUserName(userName); + if (vXUser != null && !hasAccessToGetUserInfo(vXUser)) { logger.info(MSG_DATA_ACCESS_DENY); + throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, MSG_DATA_ACCESS_DENY, true); } + if (vXUser != null && !hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)) { vXUser = getMaskedVXUser(vXUser); } + return vXUser; } public VXGroup getGroupByGroupName(String groupName) { VXGroup vxGroup = xGroupService.getGroupByGroupName(groupName); + if (vxGroup == null) { throw restErrorUtil.createRESTException(groupName + " is Not Found", MessageEnums.DATA_NOT_FOUND); } + return vxGroup; } public void assignPermissionToUser(VXPortalUser vXPortalUser, boolean isCreate) { HashMap moduleNameId = getAllModuleNameAndIdMap(); + if (moduleNameId != null && vXPortalUser != null && CollectionUtils.isNotEmpty(vXPortalUser.getUserRoleList())) { for (String role : vXPortalUser.getUserRoleList()) { if (RangerConstants.VALID_USER_ROLE_LIST.contains(role)) { createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate); createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate); + if (role.equals(RangerConstants.ROLE_USER)) { createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_SECURITY_ZONE), isCreate); } else { 
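Review bot: `static final Set roleAssignmentUpdatedUsers = new HashSet<>();` is shared, mutable, class-wide state on a Spring component that serves concurrent requests, and `HashSet` is not thread-safe; its readers and writers are outside this hunk, but if two requests touch it at once the set can corrupt or throw `ConcurrentModificationException`. `ConcurrentHashMap.newKeySet()` (java.util.concurrent) or `Collections.synchronizedSet(new HashSet<>())` is the safer default unless all access is already synchronized. Separately, `getXUserByUserName` logs the denial as `logger.info(MSG_DATA_ACCESS_DENY)` with no subject, so the entry cannot be correlated; `logger.info("{} requestedUser={}", MSG_DATA_ACCESS_DENY, userName);` makes it usable for detection.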
@@ -231,13 +254,16 @@ public void assignPermissionToUser(VXPortalUser vXPortalUser, boolean isCreate) public void createOrUpdateUserPermisson(VXPortalUser portalUser, Long moduleId, boolean isCreate) { VXUserPermission vXUserPermission; XXUserPermission xUserPermission = daoManager.getXXUserPermission().findByModuleIdAndPortalUserId(portalUser.getId(), moduleId); + if (xUserPermission == null) { vXUserPermission = new VXUserPermission(); // When Creating XXUserPermission UI sends xUserId, to keep it consistent here xUserId should be used XXUser xUser = daoManager.getXXUser().findByPortalUserId(portalUser.getId()); + if (xUser == null) { logger.warn("Could not found corresponding xUser for username: [{}], So not assigning permission to this user", portalUser.getLoginId()); + return; } else { vXUserPermission.setUserId(xUser.getId()); @@ -245,16 +271,21 @@ public void createOrUpdateUserPermisson(VXPortalUser portalUser, Long moduleId, vXUserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED); vXUserPermission.setModuleId(moduleId); + try { vXUserPermission = this.createXUserPermission(vXUserPermission); + logger.info("Permission assigned to user: [{}] For Module: [{}]", vXUserPermission.getUserName(), vXUserPermission.getModuleName()); } catch (Exception e) { logger.error("Error while assigning permission to user: [{}] for module: [{}]", portalUser.getLoginId(), moduleId, e); } } else if (isCreate) { vXUserPermission = xUserPermissionService.populateViewBean(xUserPermission); + vXUserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED); + vXUserPermission = this.updateXUserPermission(vXUserPermission); + logger.info("Permission Updated for user: [{}] For Module: [{}]", vXUserPermission.getUserName(), vXUserPermission.getModuleName()); } } 
@@ -264,9 +295,11 @@ public HashMap getAllModuleNameAndIdMap() { if (!CollectionUtils.isEmpty(xXModuleDefs)) { HashMap moduleNameAndIdMap = new HashMap<>(); + for (XXModuleDef xXModuleDef : xXModuleDefs) { moduleNameAndIdMap.put(xXModuleDef.getModule(), xXModuleDef.getId()); } + return moduleNameAndIdMap; } @@ -275,30 +308,43 @@ public HashMap getAllModuleNameAndIdMap() { public VXUserGroupInfo createXUserGroupFromMap(VXUserGroupInfo vXUserGroupInfo) { checkAdminAccess(); + xaBizUtil.blockAuditorRoleUser(); + VXUserGroupInfo vxUGInfo = new VXUserGroupInfo(); VXUser vXUser = vXUserGroupInfo.getXuserInfo(); VXPortalUser vXPortalUser = userMgr.getUserProfileByLoginId(vXUser.getName()); XXPortalUser xxPortalUser = daoManager.getXXPortalUser().findByLoginId(vXUser.getName()); Collection reqRoleList = vXUser.getUserRoleList(); List existingRole = daoManager.getXXPortalUserRole().findXPortalUserRolebyXPortalUserId(xxPortalUser.getId()); + if (xxPortalUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) { vXPortalUser = userMgr.updateRoleForExternalUsers(reqRoleList, existingRole, vXPortalUser); } + vXUser = xUserService.createXUserWithOutLogin(vXUser); + vxUGInfo.setXuserInfo(vXUser); + List vxg = new ArrayList<>(); + for (VXGroup vXGroup : vXUserGroupInfo.getXgroupInfo()) { - VXGroup vVXGroup = xGroupService.createXGroupWithOutLogin(vXGroup); - vxg.add(vVXGroup); + VXGroup vvXGroup = xGroupService.createXGroupWithOutLogin(vXGroup); + + vxg.add(vvXGroup); + VXGroupUser vXGroupUser = new VXGroupUser(); + vXGroupUser.setUserId(vXUser.getId()); - vXGroupUser.setName(vVXGroup.getName()); - vXGroupUser = xGroupUserService.createXGroupUserWithOutLogin(vXGroupUser); + vXGroupUser.setName(vvXGroup.getName()); + + xGroupUserService.createXGroupUserWithOutLogin(vXGroupUser); } + if (vXPortalUser != null) { assignPermissionToUser(vXPortalUser, true); } + vxUGInfo.setXgroupInfo(vxg); updateUserStoreVersion("createXUserGroupFromMap(" + vXUser.getName() + ")"); 
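Review bot: In `createXUserGroupFromMap`, `xxPortalUser` from `daoManager.getXXPortalUser().findByLoginId(vXUser.getName())` is dereferenced at `xxPortalUser.getId()` and `xxPortalUser.getUserSource()` with no null check, so a request for a login without a portal-user row produces a NullPointerException (HTTP 500) rather than a clean error; `getXGroupUserFromMap` in this same file guards the identical lookup with `if (xXPortalUser != null)`. Reject early with `if (xxPortalUser == null) { throw restErrorUtil.createRESTException(vXUser.getName() + " is Not Found", MessageEnums.DATA_NOT_FOUND); }`, the pattern `getGroupByGroupName` already uses, or create the user first. The method's `return` is outside this hunk.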
@@ -309,40 +355,52 @@ public VXUserGroupInfo createXUserGroupFromMap(VXUserGroupInfo vXUserGroupInfo) @Transactional(readOnly = false, propagation = Propagation.REQUIRED) public VXGroupUserInfo createXGroupUserFromMap(VXGroupUserInfo vXGroupUserInfo) { checkAdminAccess(); + xaBizUtil.blockAuditorRoleUser(); + VXGroupUserInfo vxGUInfo = new VXGroupUserInfo(); + VXGroup vXGroup = vXGroupUserInfo.getXgroupInfo(); - VXGroup vXGroup = vXGroupUserInfo.getXgroupInfo(); // Add the group user mappings for a given group to x_group_user table /*XXGroup xGroup = daoManager.getXXGroup().findByGroupName(vXGroup.getName()); if (xGroup == null) { - return vxGUInfo; + return vxGUInfo; }*/ List vxu = new ArrayList<>(); + for (VXUser vXUser : vXGroupUserInfo.getXuserInfo()) { XXUser xUser = daoManager.getXXUser().findByUserName(vXUser.getName()); XXPortalUser xXPortalUser = daoManager.getXXPortalUser().findByLoginId(vXUser.getName()); + if (xUser != null) { // Add or update group user mapping only if the user already exists in x_user table. 
- logger.debug(String.format("createXGroupUserFromMap(): Create or update group %s ", vXGroup.getName())); + logger.debug("createXGroupUserFromMap(): Create or update group {}", vXGroup.getName()); + vXGroup = xGroupService.createXGroupWithOutLogin(vXGroup); + vxGUInfo.setXgroupInfo(vXGroup); vxu.add(vXUser); + VXGroupUser vXGroupUser = new VXGroupUser(); + vXGroupUser.setUserId(xUser.getId()); vXGroupUser.setName(vXGroup.getName()); + if (xXPortalUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) { - vXGroupUser = xGroupUserService.createXGroupUserWithOutLogin(vXGroupUser); - logger.debug("createXGroupUserFromMap(): Create or update group user mapping with groupname = {} username = {} userId = {}", vXGroup.getName(), xXPortalUser.getLoginId(), xUser.getId()); + xGroupUserService.createXGroupUserWithOutLogin(vXGroupUser); + + logger.debug("createXGroupUserFromMap(): Create or update group user mapping with groupname = {} username = {} userId = {}", vXGroup.getName(), xXPortalUser.getLoginId(), xUser.getId()); } - Collection reqRoleList = vXUser.getUserRoleList(); - XXPortalUser xxPortalUser = daoManager.getXXPortalUser().findByLoginId(vXUser.getName()); - List existingRole = daoManager.getXXPortalUserRole().findXPortalUserRolebyXPortalUserId(xxPortalUser.getId()); - VXPortalUser vxPortalUser = userMgr.mapXXPortalUserToVXPortalUserForDefaultAccount(xxPortalUser); + Collection reqRoleList = vXUser.getUserRoleList(); + XXPortalUser xxPortalUser = daoManager.getXXPortalUser().findByLoginId(vXUser.getName()); + List existingRole = daoManager.getXXPortalUserRole().findXPortalUserRolebyXPortalUserId(xxPortalUser.getId()); + VXPortalUser vxPortalUser = userMgr.mapXXPortalUserToVXPortalUserForDefaultAccount(xxPortalUser); + if (xxPortalUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) { vxPortalUser = userMgr.updateRoleForExternalUsers(reqRoleList, existingRole, vxPortalUser); + assignPermissionToUser(vxPortalUser, true); } } 
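Review bot: Inside the `if (xUser != null)` branch of `createXGroupUserFromMap`, `xXPortalUser.getUserSource()` is dereferenced although `xXPortalUser` comes from `findByLoginId` and can be null, and the same login is then looked up a second time into `xxPortalUser` and dereferenced again at `xxPortalUser.getId()`; a user present in x_user but absent from x_portal_user (which the `xUser != null` check alone admits) ends in a NullPointerException. Drop the second lookup, reuse `xXPortalUser`, and skip or reject the entry when it is null, e.g. `if (xXPortalUser == null) { logger.warn("createXGroupUserFromMap(): no portal user for {}", vXUser.getName()); continue; }` right after the two lookups. The method's return is outside this hunk.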
@@ -357,37 +415,49 @@ public VXGroupUserInfo createXGroupUserFromMap(VXGroupUserInfo vXGroupUserInfo) public VXGroupUserInfo getXGroupUserFromMap(String groupName) { checkAdminAccess(); + VXGroupUserInfo vxGUInfo = new VXGroupUserInfo(); + XXGroup xGroup = daoManager.getXXGroup().findByGroupName(groupName); - XXGroup xGroup = daoManager.getXXGroup().findByGroupName(groupName); if (xGroup == null) { return vxGUInfo; } VXGroup xgroupInfo = xGroupService.populateViewBean(xGroup); + vxGUInfo.setXgroupInfo(xgroupInfo); SearchCriteria searchCriteria = new SearchCriteria(); + searchCriteria.addParam("xGroupId", xGroup.getId()); VXGroupUserList vxGroupUserList = searchXGroupUsers(searchCriteria); List vxu = new ArrayList<>(); + logger.debug("removing all the group user mapping for : {}", xGroup.getName()); + for (VXGroupUser groupUser : vxGroupUserList.getList()) { XXUser xUser = daoManager.getXXUser().getById(groupUser.getUserId()); + if (xUser != null) { VXUser vxUser = new VXUser(); + vxUser.setName(xUser.getName()); + XXPortalUser xXPortalUser = daoManager.getXXPortalUser().findByLoginId(xUser.getName()); + if (xXPortalUser != null) { List existingRole = daoManager.getXXPortalUserRole().findXPortalUserRolebyXPortalUserId(xXPortalUser.getId()); + if (existingRole != null) { vxUser.setUserRoleList(existingRole); } } + vxu.add(vxUser); } } + vxGUInfo.setXuserInfo(vxu); return vxGUInfo; @@ -395,8 +465,11 @@ public VXGroupUserInfo getXGroupUserFromMap(String groupName) { public VXUser createXUserWithOutLogin(VXUser vXUser) { checkAdminAccess(); + xaBizUtil.blockAuditorRoleUser(); + validatePassword(vXUser); + VXUser ret = xUserService.createXUserWithOutLogin(vXUser); updateUserStoreVersion("createXUserWithOutLogin(" + vXUser.getName() + ")"); 
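Review bot: `logger.debug("removing all the group user mapping for : {}", xGroup.getName())` in `getXGroupUserFromMap` is misleading: the method only reads the mappings to build the returned `VXGroupUserInfo` and deletes nothing, so anyone reading logs during an incident would be pointed at the wrong operation. Change it to `logger.debug("collecting group user mappings for group: {}", xGroup.getName());`. This read path does guard `xXPortalUser` with `if (xXPortalUser != null)`, which is the pattern the create paths in this file should mirror.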
@@ -406,12 +479,15 @@ public VXUser createXUserWithOutLogin(VXUser vXUser) { public VXUser createExternalUser(String userName) { checkAdminAccess(); + xaBizUtil.blockAuditorRoleUser(); + return createServiceConfigUser(userName); } public VXGroup createXGroupWithoutLogin(VXGroup vXGroup) { checkAdminAccess(); + xaBizUtil.blockAuditorRoleUser(); VXGroup ret = xGroupService.createXGroupWithOutLogin(vXGroup); @@ -422,37 +498,44 @@ public VXGroup createXGroupWithoutLogin(VXGroup vXGroup) { } public VXGroup getXGroup(Long id) { - VXGroup vXGroup = null; - UserSessionBase userSession = ContextUtil.getCurrentUserSession(); + if (userSession != null && userSession.getLoginId() != null) { VXUser loggedInVXUser = xUserService.getXUserByUserName(userSession.getLoginId()); + if (loggedInVXUser != null) { if (loggedInVXUser.getUserRoleList().size() == 1 && loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) { List listGroupId = daoManager.getXXGroupUser().findGroupIdListByUserId(loggedInVXUser.getId()); if (!listGroupId.contains(id)) { logger.info(MSG_DATA_ACCESS_DENY); + throw restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested group data."); } } } } - vXGroup = xGroupService.readResourceWithOutLogin(id); + + VXGroup vXGroup = xGroupService.readResourceWithOutLogin(id); + if (vXGroup != null && !hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)) { vXGroup = getMaskedVXGroup(vXGroup); } + return vXGroup; } public VXGroup createXGroup(VXGroup vXGroup) { checkAdminAccess(); + xaBizUtil.blockAuditorRoleUser(); + if (vXGroup.getDescription() == null) { vXGroup.setDescription(vXGroup.getName()); } vXGroup = xGroupService.createResource(vXGroup); + xGroupService.createTransactionLog(vXGroup, null, OPERATION_CREATE_CONTEXT); updateUserStoreVersion("createXGroup(" + vXGroup.getName() + ")"); 
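Review bot: The membership check in `getXGroup` only runs when `xUserService.getXUserByUserName(userSession.getLoginId())` returns a non-null user; if the session's login has no x_user row the `if (loggedInVXUser != null)` block is skipped and the group is read anyway, so the restriction fails open for exactly the sessions it cannot classify. Whether such a session can occur is not visible here, but denying in that case, `} else { throw restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested group data."); }` on the inner `if`, makes the check fail closed and mirrors the existing denial. `createXGroup`, the last method in this hunk, continues past it.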
@@ -463,95 +546,128 @@ public VXGroup createXGroup(VXGroup vXGroup) { @Override public VXGroup updateXGroup(VXGroup vXGroup) { checkAdminAccess(); + xaBizUtil.blockAuditorRoleUser(); + XXGroup xGroup = daoManager.getXXGroup().getById(vXGroup.getId()); - if (vXGroup != null && xGroup != null && !vXGroup.getName().equals(xGroup.getName())) { + + if (xGroup != null && !vXGroup.getName().equals(xGroup.getName())) { throw restErrorUtil.createRESTException("group name updates are not allowed.", MessageEnums.INVALID_INPUT_DATA); } + VXGroup existing = xGroup != null ? xGroupService.populateViewBean(xGroup) : null; List trxLogList = xGroupService.getTransactionLog(vXGroup, existing, OPERATION_UPDATE_CONTEXT); + xaBizUtil.createTrxLog(trxLogList); + vXGroup = xGroupService.updateResource(vXGroup); + if (vXGroup != null) { updateXgroupUserForGroupUpdate(vXGroup); + RangerServicePoliciesCache.sInstance = null; } + return vXGroup; } public void deleteXGroup(Long id, boolean force) { checkAdminAccess(); + blockIfZoneGroup(id); + this.blockIfRoleGroup(id); + xaBizUtil.blockAuditorRoleUser(); + XXGroupDao xXGroupDao = daoManager.getXXGroup(); XXGroup xXGroup = xXGroupDao.getById(id); + if (xXGroup == null) { throw restErrorUtil.create404RESTException("Data Not Found for given Id", MessageEnums.DATA_NOT_FOUND, id, null, "readResource : No Object found with given id."); } + VXGroup vXGroup = xGroupService.populateViewBean(xXGroup); + if (vXGroup == null || StringUtils.isEmpty(vXGroup.getName())) { throw restErrorUtil.createRESTException("Group ID doesn't exist.", MessageEnums.INVALID_INPUT_DATA); } - logger.info("Force delete status={} for group={}", force, vXGroup.getName()); + + logger.debug("Force delete status={} for group={}", force, vXGroup.getName()); SearchCriteria searchCriteria = new SearchCriteria(); + searchCriteria.addParam("xGroupId", id); + VXGroupUserList vxGroupUserList = searchXGroupUsers(searchCriteria); searchCriteria = new SearchCriteria(); + 
searchCriteria.addParam("groupId", id); + VXPermMapList vXPermMapList = searchXPermMaps(searchCriteria); searchCriteria = new SearchCriteria(); + searchCriteria.addParam("groupId", id); - VXAuditMapList vXAuditMapList = searchXAuditMaps(searchCriteria); + VXAuditMapList vXAuditMapList = searchXAuditMaps(searchCriteria); XXGroupPermissionDao xXGroupPermissionDao = daoManager.getXXGroupPermission(); List xXGroupPermissions = xXGroupPermissionDao.findByGroupId(id); + XXPolicyDao xXPolicyDao = daoManager.getXXPolicy(); + List xXPolicyList = xXPolicyDao.findByGroupId(id); - XXPolicyDao xXPolicyDao = daoManager.getXXPolicy(); - List xXPolicyList = xXPolicyDao.findByGroupId(id); logger.warn("Deleting GROUP : {}", vXGroup.getName()); + if (force) { //delete XXGroupUser records of matching group XXGroupUserDao xGroupUserDao = daoManager.getXXGroupUser(); XXUserDao xXUserDao = daoManager.getXXUser(); - XXUser xXUser = null; + for (VXGroupUser groupUser : vxGroupUserList.getList()) { if (groupUser != null) { - xXUser = xXUserDao.getById(groupUser.getUserId()); + XXUser xXUser = xXUserDao.getById(groupUser.getUserId()); + if (xXUser != null) { - logger.warn("Removing user {} from group {}", xXUser.getName(), groupUser.getName()); + logger.warn("Removing user '{}' from group '{}'", xXUser.getName(), groupUser.getName()); } + xGroupUserDao.remove(groupUser.getId()); } } + //delete XXPermMap records of matching group XXPermMapDao xXPermMapDao = daoManager.getXXPermMap(); XXResourceDao xXResourceDao = daoManager.getXXResource(); - XXResource xXResource = null; + for (VXPermMap vXPermMap : vXPermMapList.getList()) { if (vXPermMap != null) { - xXResource = xXResourceDao.getById(vXPermMap.getResourceId()); + XXResource xXResource = xXResourceDao.getById(vXPermMap.getResourceId()); + if (xXResource != null) { - logger.warn("Deleting {} permission from policy ID={} for group {}", AppConstants.getLabelFor_XAPermType(vXPermMap.getPermType()), vXPermMap.getResourceId(), 
vXPermMap.getGroupName()); + logger.warn("Deleting '{}' permission from policy ID='{}' for group '{}'", AppConstants.getLabelFor_XAPermType(vXPermMap.getPermType()), vXPermMap.getResourceId(), vXPermMap.getGroupName()); } + xXPermMapDao.remove(vXPermMap.getId()); } } + //delete XXAuditMap records of matching group XXAuditMapDao xXAuditMapDao = daoManager.getXXAuditMap(); + for (VXAuditMap vXAuditMap : vXAuditMapList.getList()) { if (vXAuditMap != null) { - xXResource = xXResourceDao.getById(vXAuditMap.getResourceId()); + xXResourceDao.getById(vXAuditMap.getResourceId()); + xXAuditMapDao.remove(vXAuditMap.getId()); } } + //delete XXPolicyItemGroupPerm records of group for (XXPolicy xXPolicy : xXPolicyList) { RangerPolicy rangerPolicy = policyService.getPopulatedViewObject(xXPolicy); List policyItems = rangerPolicy.getPolicyItems(); + removeUserGroupReferences(policyItems, null, vXGroup.getName()); rangerPolicy.setPolicyItems(policyItems); @@ -603,7 +719,8 @@ public void deleteXGroup(Long id, boolean force) { } } catch (Throwable excp) { logger.error("updatePolicy({}) failed", rangerPolicy, excp); - restErrorUtil.createRESTException(excp.getMessage()); + + throw restErrorUtil.createRESTException(excp.getMessage()); } } 
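Review bot: In the force branch of deleteXGroup the audit-map loop now contains `xXResourceDao.getById(vXAuditMap.getResourceId());` whose result is discarded — a database round-trip per audit map with no effect, left behind when the unused `xXResource` local was removed. Delete that line and keep only `xXAuditMapDao.remove(vXAuditMap.getId());`. Separately, `logger.warn("Deleting GROUP : {}", vXGroup.getName());` fires before the `if (force)` decision, so a non-force call that ends up only hiding the group still records a deletion at WARN; emitting it next to the `xXGroupDao.remove(id)` calls keeps the log trustworthy for incident review. deleteXGroup continues past the end of this hunk.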
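Review bot: The new `throw restErrorUtil.createRESTException(excp.getMessage());` is raised after the force branch has already removed group-user, perm-map and audit-map rows for this group, so a policy-update failure now returns an error to the caller while the group is half-deleted unless deleteXGroup runs under a transaction that rolls those removals back — the transaction demarcation is not visible in this hunk, so please confirm it. Catching `Throwable` also turns JVM errors into a REST response carrying their raw message; `catch (Exception excp)` is the narrower and more honest choice. Forwarding only `excp.getMessage()` to the client is acceptable for an admin-only endpoint, but the full exception is already logged above, so a short comment saying the message is deliberately terse would help the next reader.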
@@ -611,19 +728,25 @@ public void deleteXGroup(Long id, boolean force) { for (XXGroupPermission xXGroupPermission : xXGroupPermissions) { if (xXGroupPermission != null) { XXModuleDef xXModuleDef = daoManager.getXXModuleDef().findByModuleId(xXGroupPermission.getModuleId()); + if (xXModuleDef != null) { - logger.warn("Deleting {} module permission for group {}", xXModuleDef.getModule(), xXGroup.getName()); + logger.warn("Deleting '{}' module permission for group '{}'", xXModuleDef.getModule(), xXGroup.getName()); } + xXGroupPermissionDao.remove(xXGroupPermission.getId()); } } } + //delete group from audit filter configs - svcStore.updateServiceAuditConfig(vXGroup.getName(), RemoveRefType.GROUP); + svcStore.updateServiceAuditConfig(vXGroup.getName(), REMOVE_REF_TYPE.GROUP); + // delete group from dataset,datashare,project - gdsStore.deletePrincipalFromGdsAcl(RemoveRefType.GROUP.toString(), vXGroup.getName()); + gdsStore.deletePrincipalFromGdsAcl(REMOVE_REF_TYPE.GROUP.toString(), vXGroup.getName()); + //delete XXGroup xXGroupDao.remove(id); + //Create XXTrxLog xGroupService.createTransactionLog(xGroupService.populateViewBean(xXGroup), null, OPERATION_DELETE_CONTEXT); } else { @@ -632,12 +755,15 @@ public void deleteXGroup(Long id, boolean force) { if (!hasReferences && CollectionUtils.isNotEmpty(xXPolicyList)) { hasReferences = true; } + if (!hasReferences && vXPermMapList.getListSize() > 0) { hasReferences = true; } + if (!hasReferences && vXAuditMapList.getListSize() > 0) { hasReferences = true; } + if (!hasReferences && CollectionUtils.isNotEmpty(xXGroupPermissions)) { hasReferences = true; } 
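Review bot: The two changed calls, `svcStore.updateServiceAuditConfig(vXGroup.getName(), REMOVE_REF_TYPE.GROUP);` and `gdsStore.deletePrincipalFromGdsAcl(REMOVE_REF_TYPE.GROUP.toString(), vXGroup.getName());`, switch to a type named in UPPER_SNAKE_CASE, which reads as a constant rather than an enum and contradicts the UpperCamelCase used for every other type in this file. If the enum is being renamed as part of this change, `RemoveRefType` is the conventional spelling; if it is already declared as `REMOVE_REF_TYPE` elsewhere (not visible here), this is pre-existing and the rename belongs with that declaration. Passing `REMOVE_REF_TYPE.GROUP.toString()` to deletePrincipalFromGdsAcl also throws away the type — worth a comment if that API genuinely takes a string. This hunk sits inside deleteXGroup, whose start is outside it.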
@@ -645,11 +771,13 @@ public void deleteXGroup(Long id, boolean force) { if (hasReferences) { //change visibility to Hidden if (vXGroup.getIsVisible() == RangerCommonEnums.IS_VISIBLE) { vXGroup.setIsVisible(RangerCommonEnums.IS_HIDDEN); + xGroupService.updateResource(vXGroup); } } else { //delete XXGroup xXGroupDao.remove(id); + //Create XXTrxLog xGroupService.createTransactionLog(xGroupService.populateViewBean(xXGroup), null, OPERATION_DELETE_CONTEXT); } 
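Review bot: The hide path in this hunk, `vXGroup.setIsVisible(RangerCommonEnums.IS_HIDDEN); xGroupService.updateResource(vXGroup);`, records no transaction log, whereas the sibling else branch calls `xGroupService.createTransactionLog(...)` right after `xXGroupDao.remove(id)`. Unless updateResource logs on its own (not visible here), an admin-initiated group hide leaves no audit trail. updateXGroup in this same file builds the entry explicitly with `xGroupService.getTransactionLog(vXGroup, existing, OPERATION_UPDATE_CONTEXT)` followed by `xaBizUtil.createTrxLog(trxLogList)`, and the same two lines would fit here before the update. This hunk is inside deleteXGroup, whose start is outside it.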
@@ -661,38 +789,50 @@ public VXGroupList searchXGroups(SearchCriteria searchCriteria) { VXGroupList vXGroupList = new VXGroupList(); VXGroup vXGroupExactMatch = null; VXUser loggedInVXUser = null; + try { //In case of user we need to fetch only its associated groups. UserSessionBase userSession = ContextUtil.getCurrentUserSession(); + if (userSession != null && userSession.getUserRoleList().size() == 1 && userSession.getUserRoleList().contains(RangerConstants.ROLE_USER) && userSession.getLoginId() != null) { loggedInVXUser = xUserService.getXUserByUserName(userSession.getLoginId()); + if (loggedInVXUser != null) { searchCriteria.addParam("userId", loggedInVXUser.getId()); } } VXGroupList vXGroupListSort = new VXGroupList(); + if (searchCriteria.getParamList() != null && searchCriteria.getParamList().get("name") != null) { searchCriteria.setSortBy("name"); + vXGroupListSort = xGroupService.searchXGroups(searchCriteria); vXGroupExactMatch = getGroupByGroupName((String) searchCriteria.getParamList().get("name")); } + int vXGroupExactMatchwithSearchCriteria = 0; + if (vXGroupExactMatch != null) { HashMap searchCriteriaParamList = searchCriteria.getParamList(); + vXGroupExactMatchwithSearchCriteria = 1; + for (Map.Entry entry : searchCriteriaParamList.entrySet()) { String caseKey = entry.getKey(); + switch (caseKey.toLowerCase()) { case "isvisible": Integer isVisible = vXGroupExactMatch.getIsVisible(); + if (isVisible != null && !isVisible.equals(entry.getValue())) { vXGroupExactMatchwithSearchCriteria = -1; } break; case "groupsource": Integer groupsource = vXGroupExactMatch.getGroupSource(); - if (groupsource != null && !groupsource.equals(entry.getValue())) { + + if (!groupsource.equals(entry.getValue())) { vXGroupExactMatchwithSearchCriteria = -1; } break; 
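Review bot: The `groupsource` case drops its null guard — `if (!groupsource.equals(entry.getValue()))` — but `vXGroupExactMatch.getGroupSource()` returns a boxed `Integer` and the neighbouring `isvisible` case still checks for null, so a group with no source now throws NullPointerException inside the exact-match block. The surrounding `catch (Exception e)` swallows it and the method silently falls back to the plain search, which hides the regression instead of surfacing it. Restore the guard, `if (groupsource != null && !groupsource.equals(entry.getValue()))`, or document why the column is known non-null if that is the case (not visible here). searchXGroups continues past the end of this hunk.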
@@ -700,6 +840,7 @@ public VXGroupList searchXGroups(SearchCriteria searchCriteria) { case "userid": if (loggedInVXUser != null) { List listGroupId = daoManager.getXXGroupUser().findGroupIdListByUserId(loggedInVXUser.getId()); + if (!listGroupId.contains(vXGroupExactMatch.getId())) { vXGroupExactMatchwithSearchCriteria = -1; } @@ -710,6 +851,7 @@ public VXGroupList searchXGroups(SearchCriteria searchCriteria) { logger.warn("XUserMgr.searchXGroups: unexpected searchCriteriaParam:{}", caseKey); break; } + if (vXGroupExactMatchwithSearchCriteria == -1) { break; } @@ -718,9 +860,11 @@ public VXGroupList searchXGroups(SearchCriteria searchCriteria) { if (vXGroupExactMatchwithSearchCriteria == 1) { List vXGroups = new ArrayList<>(); + if (searchCriteria.getStartIndex() == 0) { vXGroups.add(0, vXGroupExactMatch); } + for (VXGroup vXGroup : vXGroupListSort.getList()) { if (vXGroupExactMatch.getId() != null && vXGroup != null) { if (!vXGroupExactMatch.getId().equals(vXGroup.getId())) { @@ -728,6 +872,7 @@ public VXGroupList searchXGroups(SearchCriteria searchCriteria) { } } } + vXGroupList.setVXGroups(vXGroups); vXGroupList.setStartIndex(searchCriteria.getStartIndex()); vXGroupList.setResultSize(vXGroupList.getList().size()); 
@@ -737,57 +882,74 @@ public VXGroupList searchXGroups(SearchCriteria searchCriteria) { vXGroupList.setSortType(searchCriteria.getSortType()); } } catch (Exception e) { - logger.error("Error getting the exact match of group =>", e); + logger.error("Error getting the exact match of group =>{}", String.valueOf(e)); } + if (vXGroupList.getList().isEmpty()) { if (StringUtils.isBlank(searchCriteria.getSortBy())) { searchCriteria.setSortBy("id"); } + vXGroupList = xGroupService.searchXGroups(searchCriteria); } if (vXGroupList != null && !hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)) { - if (vXGroupList != null && vXGroupList.getListSize() > 0) { + if (vXGroupList.getListSize() > 0) { List listMasked = new ArrayList<>(); + for (VXGroup vXGroup : vXGroupList.getList()) { vXGroup = getMaskedVXGroup(vXGroup); + listMasked.add(vXGroup); } + vXGroupList.setVXGroups(listMasked); } } + return vXGroupList; } public VXUser getXUser(Long id) { - VXUser vXUser = null; - vXUser = xUserService.readResourceWithOutLogin(id); + VXUser vXUser = xUserService.readResourceWithOutLogin(id); + if (vXUser != null && !hasAccessToGetUserInfo(vXUser)) { logger.info(MSG_DATA_ACCESS_DENY); + throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, MSG_DATA_ACCESS_DENY, true); } if (vXUser != null && !hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)) { vXUser = getMaskedVXUser(vXUser); } + return vXUser; } public VXUser createXUser(VXUser vXUser) { checkAdminAccess(); + xaBizUtil.blockAuditorRoleUser(); if (vXUser.getUserSource() == RangerCommonEnums.USER_FEDERATED) { if (StringUtils.isEmpty(vXUser.getPassword())) { - PasswordGenerator passwordGenerator = new PasswordGenerator.PasswordGeneratorBuilder().useLower(true).useUpper(true).useDigits(true).useSymbols(true).build(); - String passWd = passwordGenerator.generate(PASSWORD_LENGTH); + PasswordGenerator passwordGenerator = new PasswordGenerator.PasswordGeneratorBuilder() + .useLower(true) + .useUpper(true) + 
.useDigits(true) + .useSymbols(true) + .build(); + String passWd = passwordGenerator.generate(PASSWORD_LENGTH); + vXUser.setPassword(passWd); } } validatePassword(vXUser); + String userName = vXUser.getName(); String firstName = vXUser.getFirstName(); + if (userName == null || "null".equalsIgnoreCase(userName) || userName.trim().isEmpty()) { throw restErrorUtil.createRESTException("Please provide a valid username.", MessageEnums.INVALID_INPUT_DATA); } @@ -800,24 +962,30 @@ public VXUser createXUser(VXUser vXUser) { vXUser.setDescription(vXUser.getName()); } - String actualPassword = vXUser.getPassword(); + String actualPassword = vXUser.getPassword(); + VXPortalUser vXPortalUser = new VXPortalUser(); - VXPortalUser vXPortalUser = new VXPortalUser(); vXPortalUser.setLoginId(userName); vXPortalUser.setFirstName(vXUser.getFirstName()); + if ("null".equalsIgnoreCase(vXPortalUser.getFirstName())) { vXPortalUser.setFirstName(""); } + vXPortalUser.setLastName(vXUser.getLastName()); + if ("null".equalsIgnoreCase(vXPortalUser.getLastName())) { vXPortalUser.setLastName(""); } String emailAddress = vXUser.getEmailAddress(); + if (StringUtils.isNotEmpty(emailAddress) && !stringUtil.validateEmail(emailAddress)) { logger.warn("Invalid email address:{}", emailAddress); + throw restErrorUtil.createRESTException("Please provide valid email address.", MessageEnums.INVALID_INPUT_DATA); } + vXPortalUser.setEmailAddress(emailAddress); if (vXPortalUser.getFirstName() != null && vXPortalUser.getLastName() != null && !vXPortalUser.getFirstName().trim().isEmpty() && !vXPortalUser.getLastName().trim().isEmpty()) { 
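Review bot: `logger.error("Error getting the exact match of group =>{}", String.valueOf(e));` replaces the throwable argument with its toString, so the stack trace that the previous form logged is gone and any failure in the exact-match block becomes a one-line message with no location. SLF4J treats a trailing Throwable specially; keep it: `logger.error("Error getting the exact match of group", e);`. Because the catch-all around the whole block means the method then returns a plain search result as if the exact-match filtering had happened, a short comment stating that fallback is intentional would help. createXUser begins in this hunk but continues past it.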
@@ -825,30 +993,40 @@ public VXUser createXUser(VXUser vXUser) { } else { vXPortalUser.setPublicScreenName(vXUser.getName()); } + vXPortalUser.setPassword(actualPassword); vXPortalUser.setUserRoleList(vXUser.getUserRoleList()); + vXPortalUser = userMgr.createDefaultAccountUser(vXPortalUser); VXUser createdXUser = xUserService.createResource(vXUser); createdXUser.setPassword(actualPassword); - List trxLogList = xUserService.getTransactionLog(createdXUser, null, OPERATION_CREATE_CONTEXT); - String hiddenPassword = PropertiesUtil.getProperty("ranger.password.hidden", "*****"); + List trxLogList = xUserService.getTransactionLog(createdXUser, null, OPERATION_CREATE_CONTEXT); + String hiddenPassword = PropertiesUtil.getProperty("ranger.password.hidden", "*****"); + createdXUser.setPassword(hiddenPassword); + Collection groupNamesList = new ArrayList<>(); Collection groupIdList = vXUser.getGroupIdList(); List vXGroupUsers = new ArrayList<>(); + if (groupIdList != null) { for (Long groupId : groupIdList) { VXGroupUser vXGroupUser = createXGroupUser(createdXUser.getId(), groupId); - // trxLogList.addAll(xGroupUserService.getTransactionLog(vXGroupUser, "create")); + + // trxLogList.addAll(xGroupUserService.getTransactionLog( + // vXGroupUser, "create")); vXGroupUsers.add(vXGroupUser); + groupNamesList.add(vXGroupUser.getName()); } } + createdXUser.setGroupIdList(groupIdList); createdXUser.setGroupNameList(groupNamesList); + for (VXGroupUser vXGroupUser : vXGroupUsers) { List groupUserTrxLogs = xGroupUserService.getTransactionLog(vXGroupUser, null, OPERATION_CREATE_CONTEXT); @@ -860,8 +1038,10 @@ public VXUser createXUser(VXUser vXUser) { trxLogList.addAll(groupUserTrxLogs); } } + // xaBizUtil.createTrxLog(trxLogList); + if (vXPortalUser != null) { assignPermissionToUser(vXPortalUser, true); } 
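Review bot: createXUser builds `trxLogList` from the created user and every group membership, but its only consumer is the commented-out `// xaBizUtil.createTrxLog(trxLogList);`, so unless `xUserService.createResource` or `userMgr.createDefaultAccountUser` persists a log of its own (not visible here), user creation and its group assignments never reach the transaction log. Either restore the call or delete the dead list and the two commented blocks that this change merely re-wrapped. Note also that `createdXUser.setPassword(actualPassword);` is set immediately before `xUserService.getTransactionLog(createdXUser, null, OPERATION_CREATE_CONTEXT)` and only replaced with `hiddenPassword` afterwards; please confirm getTransactionLog masks the password attribute, since otherwise the plaintext value ends up in the log entries. createXUser continues past this hunk.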
@@ -875,62 +1055,81 @@ public VXUser updateXUser(VXUser vXUser) { if (vXUser == null || vXUser.getName() == null || "null".equalsIgnoreCase(vXUser.getName()) || vXUser.getName().trim().isEmpty()) { throw restErrorUtil.createRESTException("Please provide a valid " + "username.", MessageEnums.INVALID_INPUT_DATA); } + String firstName = vXUser.getFirstName(); + if (firstName == null || "null".equalsIgnoreCase(firstName) || firstName.trim().isEmpty()) { throw restErrorUtil.createRESTException("Please provide a valid first name.", MessageEnums.INVALID_INPUT_DATA); } checkAccess(vXUser); + xaBizUtil.blockAuditorRoleUser(); + VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser.getName()); + if (oldUserProfile == null) { throw restErrorUtil.createRESTException("user " + vXUser.getName() + " does not exist.", MessageEnums.INVALID_INPUT_DATA); } + VXPortalUser vXPortalUser = new VXPortalUser(); - if (oldUserProfile != null && oldUserProfile.getId() != null) { + + if (oldUserProfile.getId() != null) { vXPortalUser.setId(oldUserProfile.getId()); } vXPortalUser.setFirstName(vXUser.getFirstName()); + if ("null".equalsIgnoreCase(vXPortalUser.getFirstName())) { vXPortalUser.setFirstName(""); } + vXPortalUser.setLastName(vXUser.getLastName()); + if ("null".equalsIgnoreCase(vXPortalUser.getLastName())) { vXPortalUser.setLastName(""); } + vXPortalUser.setEmailAddress(vXUser.getEmailAddress()); vXPortalUser.setLoginId(vXUser.getName()); vXPortalUser.setStatus(vXUser.getStatus()); vXPortalUser.setUserRoleList(vXUser.getUserRoleList()); + if (vXPortalUser.getFirstName() != null && vXPortalUser.getLastName() != null && !vXPortalUser.getFirstName().trim().isEmpty() && !vXPortalUser.getLastName().trim().isEmpty()) { vXPortalUser.setPublicScreenName(vXPortalUser.getFirstName() + " " + vXPortalUser.getLastName()); } else { vXPortalUser.setPublicScreenName(vXUser.getName()); } + vXPortalUser.setUserSource(oldUserProfile.getUserSource()); String hiddenPasswordString = 
PropertiesUtil.getProperty("ranger.password.hidden", "*****"); String password = vXUser.getPassword(); - if (oldUserProfile != null && password != null && password.equals(hiddenPasswordString)) { + + if (password != null && password.equals(hiddenPasswordString)) { vXPortalUser.setPassword(oldUserProfile.getPassword()); - } else if (oldUserProfile != null && oldUserProfile.getUserSource() == RangerCommonEnums.USER_EXTERNAL && password != null) { + } else if (oldUserProfile.getUserSource() == RangerCommonEnums.USER_EXTERNAL && password != null) { vXPortalUser.setPassword(oldUserProfile.getPassword()); + logger.debug("User is trrying to change external user password which we are not allowing it to change"); } else if (password != null) { validatePassword(vXUser); + vXPortalUser.setPassword(password); } + Collection groupIdList = vXUser.getGroupIdList(); VXUser existing = xUserService.readResource(vXUser.getId()); - XXPortalUser xXPortalUser = new XXPortalUser(); - xXPortalUser = userMgr.updateUserWithPass(vXPortalUser); + XXPortalUser xXPortalUser = userMgr.updateUserWithPass(vXPortalUser); + //update permissions start Collection roleListUpdatedProfile = new ArrayList<>(); - if (oldUserProfile != null && oldUserProfile.getId() != null) { - if (vXUser != null && vXUser.getUserRoleList() != null) { + + if (oldUserProfile.getId() != null) { + if (vXUser.getUserRoleList() != null) { Collection roleListOldProfile = oldUserProfile.getUserRoleList(); Collection roleListNewProfile = vXUser.getUserRoleList(); + if (roleListNewProfile != null && roleListOldProfile != null) { for (String role : roleListNewProfile) { if (role != null && !roleListOldProfile.contains(role)) { 
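Review bot: When a password is submitted for an external user, updateXUser silently keeps the old hash and only emits `logger.debug("User is trrying to change external user password which we are not allowing it to change");`, so the caller gets a normal success response while the requested change was dropped, and the rejection is invisible at the default log level. Either reject the request explicitly with a REST exception like the other validations in this method, or at minimum log it at WARN with the login id: `logger.warn("Ignoring password change for external user {}", vXUser.getName());`. The message also carries the typo "trrying". updateXUser starts and ends outside this hunk.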
@@ -940,10 +1139,13 @@ public VXUser updateXUser(VXUser vXUser) { } } } - if (roleListUpdatedProfile != null && roleListUpdatedProfile.size() > 0) { + + if (!roleListUpdatedProfile.isEmpty()) { vXPortalUser.setUserRoleList(roleListUpdatedProfile); + List xuserPermissionList = daoManager.getXXUserPermission().findByUserPermissionId(vXPortalUser.getId()); - if (xuserPermissionList != null && xuserPermissionList.size() > 0) { + + if (xuserPermissionList != null && !xuserPermissionList.isEmpty()) { for (XXUserPermission xXUserPermission : xuserPermissionList) { if (xXUserPermission != null) { try { 
@@ -954,38 +1156,45 @@ public VXUser updateXUser(VXUser vXUser) { } } } + assignPermissionToUser(vXPortalUser, true); } + //update permissions end Collection roleList = new ArrayList<>(); + if (xXPortalUser != null) { roleList = userMgr.getRolesForUser(xXPortalUser); } - if (roleList == null || roleList.size() == 0) { + + if (roleList == null || roleList.isEmpty()) { roleList = new ArrayList<>(); + roleList.add(RangerConstants.ROLE_USER); } // TODO I've to get the transaction log from here. // There is nothing to log anything in XXUser so far. vXUser = xUserService.updateResource(vXUser); + vXUser.setUserRoleList(roleList); - if (oldUserProfile != null) { - if (oldUserProfile.getUserSource() == RangerCommonEnums.USER_APP) { - vXUser.setPassword(password); - } else if (oldUserProfile.getUserSource() == RangerCommonEnums.USER_EXTERNAL) { - vXUser.setPassword(oldUserProfile.getPassword()); - } + + if (oldUserProfile.getUserSource() == RangerCommonEnums.USER_APP) { + vXUser.setPassword(password); + } else if (oldUserProfile.getUserSource() == RangerCommonEnums.USER_EXTERNAL) { + vXUser.setPassword(oldUserProfile.getPassword()); } if (password == null) { vXUser.setPassword(hiddenPasswordString); //To stop Auditing Password transaction log, when it is not edited. } + List trxLogList = xUserService.getTransactionLog(vXUser, existing, OPERATION_UPDATE_CONTEXT); + vXUser.setPassword(hiddenPasswordString); Long userId = vXUser.getId(); - List groupUsersToRemove = new ArrayList(); + List groupUsersToRemove = new ArrayList<>(); List groupUserTrxLogs = createOrDelGrpUserWithUpdatedGrpId(vXUser, groupIdList, userId, groupUsersToRemove); if (CollectionUtils.isNotEmpty(groupUserTrxLogs)) { 
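Review bot: For a USER_APP account, `vXUser.setPassword(password);` puts the caller's new plaintext password on the bean immediately before `xUserService.getTransactionLog(vXUser, existing, OPERATION_UPDATE_CONTEXT)`, and the `hiddenPasswordString` replacement happens only after the log entries are built; the comment on the `password == null` branch shows the password field is part of what gets audited. Please confirm getTransactionLog masks that attribute, otherwise the cleartext password is persisted with the transaction log; setting the masked value before building the log would make the intent explicit. The `// TODO I've to get the transaction log from here.` note no longer matches the code, which builds the log a few lines below — drop or reword it. updateXUser starts outside this hunk.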
@@ -1005,125 +1214,163 @@ public VXUser updateXUser(VXUser vXUser) { public synchronized void deleteXUser(Long id, boolean force) { checkAdminAccess(); + xaBizUtil.blockAuditorRoleUser(); + XXUserDao xXUserDao = daoManager.getXXUser(); XXUser xXUser = xXUserDao.getById(id); + if (xXUser == null) { throw restErrorUtil.create404RESTException("Data Not Found for given Id", MessageEnums.DATA_NOT_FOUND, id, null, "readResource : No Object found with given id."); } + VXUser vXUser = xUserService.populateViewBean(xXUser); + if (vXUser == null || StringUtils.isEmpty(vXUser.getName())) { throw restErrorUtil.createRESTException("No user found with id=" + id); } + XXPortalUserDao xXPortalUserDao = daoManager.getXXPortalUser(); XXPortalUser xXPortalUser = xXPortalUserDao.findByLoginId(vXUser.getName().trim()); VXPortalUser vXPortalUser = null; + if (xXPortalUser != null) { vXPortalUser = xPortalUserService.populateViewBean(xXPortalUser); } + if (vXPortalUser == null || StringUtils.isEmpty(vXPortalUser.getLoginId())) { throw restErrorUtil.createRESTException("No user found with id=" + id); } + logger.debug("Force delete status={} for user={}", force, vXUser.getName()); + restrictSelfAccountDeletion(vXUser.getName().trim()); + blockIfZoneUser(id); + this.blockIfRoleUser(id); + SearchCriteria searchCriteria = new SearchCriteria(); + searchCriteria.addParam("xUserId", id); + VXGroupUserList vxGroupUserList = searchXGroupUsers(searchCriteria); searchCriteria = new SearchCriteria(); + searchCriteria.addParam("userId", id); + VXPermMapList vXPermMapList = searchXPermMaps(searchCriteria); searchCriteria = new SearchCriteria(); + searchCriteria.addParam("userId", id); - VXAuditMapList vXAuditMapList = searchXAuditMaps(searchCriteria); - long xXPortalUserId = 0; - xXPortalUserId = vXPortalUser.getId(); + VXAuditMapList vXAuditMapList = searchXAuditMaps(searchCriteria); + long xXPortalUserId = vXPortalUser.getId(); XXAuthSessionDao xXAuthSessionDao = daoManager.getXXAuthSession(); 
XXUserPermissionDao xXUserPermissionDao = daoManager.getXXUserPermission(); XXPortalUserRoleDao xXPortalUserRoleDao = daoManager.getXXPortalUserRole(); List xXAuthSessionIds = xXAuthSessionDao.getAuthSessionIdsByUserId(xXPortalUserId); List xXUserPermissions = xXUserPermissionDao.findByUserPermissionId(xXPortalUserId); List xXPortalUserRoles = xXPortalUserRoleDao.findByUserId(xXPortalUserId); + XXPolicyDao xXPolicyDao = daoManager.getXXPolicy(); - XXPolicyDao xXPolicyDao = daoManager.getXXPolicy(); logger.warn("Deleting User : {}", vXUser.getName()); + if (force) { //delete XXGroupUser mapping XXGroupUserDao xGroupUserDao = daoManager.getXXGroupUser(); + for (VXGroupUser groupUser : vxGroupUserList.getList()) { if (groupUser != null) { - logger.warn("Removing user {} from group {}", vXUser.getName(), groupUser.getName()); + logger.warn("Removing user '{}' from group '{}'", vXUser.getName(), groupUser.getName()); + xGroupUserDao.remove(groupUser.getId()); } } + //delete XXPermMap records of user XXPermMapDao xXPermMapDao = daoManager.getXXPermMap(); + for (VXPermMap vXPermMap : vXPermMapList.getList()) { if (vXPermMap != null) { - logger.warn("Deleting {} permission from policy ID={} for user {}", AppConstants.getLabelFor_XAPermType(vXPermMap.getPermType()), vXPermMap.getResourceId(), vXPermMap.getUserName()); + logger.warn("Deleting '{}' permission from policy ID='{}' for user '{}'", AppConstants.getLabelFor_XAPermType(vXPermMap.getPermType()), vXPermMap.getResourceId(), vXPermMap.getUserName()); + xXPermMapDao.remove(vXPermMap.getId()); } } + //delete XXAuditMap records of user XXAuditMapDao xXAuditMapDao = daoManager.getXXAuditMap(); + for (VXAuditMap vXAuditMap : vXAuditMapList.getList()) { if (vXAuditMap != null) { xXAuditMapDao.remove(vXAuditMap.getId()); } } + //delete XXPortalUser references - if (vXPortalUser != null) { - xPortalUserService.updateXXPortalUserReferences(xXPortalUserId); - if (CollectionUtils.isNotEmpty(xXAuthSessionIds)) { - 
logger.warn("Deleting {} login session records for user {}", xXAuthSessionIds.size(), vXPortalUser.getLoginId()); - xXAuthSessionDao.deleteAuthSessionsByIds(xXAuthSessionIds); - } + xPortalUserService.updateXXPortalUserReferences(xXPortalUserId); - for (XXUserPermission xXUserPermission : xXUserPermissions) { - if (xXUserPermission != null) { - XXModuleDef xXModuleDef = daoManager.getXXModuleDef().findByModuleId(xXUserPermission.getModuleId()); - if (xXModuleDef != null) { - logger.warn("Deleting {} module permission for user {}", xXAuthSessionIds.size(), vXPortalUser.getLoginId()); - } - xXUserPermissionDao.remove(xXUserPermission.getId()); + if (CollectionUtils.isNotEmpty(xXAuthSessionIds)) { + logger.warn("Deleting {} login session records for user '{}'", xXAuthSessionIds.size(), vXPortalUser.getLoginId()); + + xXAuthSessionDao.deleteAuthSessionsByIds(xXAuthSessionIds); + } + + for (XXUserPermission xXUserPermission : xXUserPermissions) { + if (xXUserPermission != null) { + XXModuleDef xXModuleDef = daoManager.getXXModuleDef().findByModuleId(xXUserPermission.getModuleId()); + + if (xXModuleDef != null) { + logger.warn("Deleting '{}' module permission for user '{}'", xXModuleDef.getModule(), vXPortalUser.getLoginId()); } + + xXUserPermissionDao.remove(xXUserPermission.getId()); } - for (XXPortalUserRole xXPortalUserRole : xXPortalUserRoles) { - if (xXPortalUserRole != null) { - logger.warn("Deleting {} role for user {}", xXPortalUserRole.getUserRole(), vXPortalUser.getLoginId()); - xXPortalUserRoleDao.remove(xXPortalUserRole.getId()); - } + } + + for (XXPortalUserRole xXPortalUserRole : xXPortalUserRoles) { + if (xXPortalUserRole != null) { + logger.warn("Deleting '{}' role for user '{}'", xXPortalUserRole.getUserRole(), vXPortalUser.getLoginId()); + + xXPortalUserRoleDao.remove(xXPortalUserRole.getId()); } } + //delete XXPolicyItemUserPerm records of user List xXPolicyList = xXPolicyDao.findByUserId(id); + for (XXPolicy xXPolicy : xXPolicyList) { RangerPolicy 
rangerPolicy = policyService.getPopulatedViewObject(xXPolicy); List policyItems = rangerPolicy.getPolicyItems(); + removeUserGroupReferences(policyItems, vXUser.getName(), null); rangerPolicy.setPolicyItems(policyItems); List denyPolicyItems = rangerPolicy.getDenyPolicyItems(); + removeUserGroupReferences(denyPolicyItems, vXUser.getName(), null); rangerPolicy.setDenyPolicyItems(denyPolicyItems); List allowExceptions = rangerPolicy.getAllowExceptions(); + removeUserGroupReferences(allowExceptions, vXUser.getName(), null); rangerPolicy.setAllowExceptions(allowExceptions); List denyExceptions = rangerPolicy.getDenyExceptions(); + removeUserGroupReferences(denyExceptions, vXUser.getName(), null); rangerPolicy.setDenyExceptions(denyExceptions); List dataMaskItems = rangerPolicy.getDataMaskPolicyItems(); + removeUserGroupReferences(dataMaskItems, vXUser.getName(), null); rangerPolicy.setDataMaskPolicyItems(dataMaskItems); List rowFilterItems = rangerPolicy.getRowFilterPolicyItems(); + removeUserGroupReferences(rowFilterItems, vXUser.getName(), null); rangerPolicy.setRowFilterPolicyItems(rowFilterItems); 
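Review bot: `logger.warn("Deleting User : {}", vXUser.getName());` is emitted before the `if (force)` branch, so a non-force request that leaves the account in place still records a deletion at WARN, which misleads anyone reconstructing admin activity from logs. Log it where `xXUserDao.remove(id)` actually runs, or phrase it as `logger.warn("Delete requested for user '{}' (force={})", vXUser.getName(), force);`. The six `removeUserGroupReferences(...)` / setter pairs per policy duplicate the same sequence in deleteXGroup and would read better as one private helper taking the policy and the principal name. deleteXUser continues past the end of this hunk.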
@@ -1155,61 +1402,81 @@ public synchronized void deleteXUser(Long id, boolean force) { } } catch (Throwable excp) { logger.error("updatePolicy({}) failed", rangerPolicy, excp); + throw restErrorUtil.createRESTException(excp.getMessage()); } } //delete user from audit filter configs - svcStore.updateServiceAuditConfig(vXUser.getName(), RemoveRefType.USER); + svcStore.updateServiceAuditConfig(vXUser.getName(), REMOVE_REF_TYPE.USER); + //delete gdsObject mapping of user - gdsStore.deletePrincipalFromGdsAcl(RemoveRefType.USER.toString(), vXUser.getName()); + gdsStore.deletePrincipalFromGdsAcl(REMOVE_REF_TYPE.USER.toString(), vXUser.getName()); + //delete XXUser entry of user xXUserDao.remove(id); + //delete XXPortal entry of user logger.warn("Deleting Portal User : {}", vXPortalUser.getLoginId()); + xXPortalUserDao.remove(xXPortalUserId); + xUserService.createTransactionLog(xUserService.populateViewBean(xXUser), null, OPERATION_DELETE_CONTEXT); - if (xXPortalUser != null) { - xPortalUserService.createTransactionLog(xPortalUserService.populateViewBean(xXPortalUser), null, OPERATION_DELETE_CONTEXT); - } + + xPortalUserService.createTransactionLog(xPortalUserService.populateViewBean(xXPortalUser), null, OPERATION_DELETE_CONTEXT); } else { boolean hasReferences = false; List xXPolicyList = xXPolicyDao.findByUserId(id); + if (vxGroupUserList != null && vxGroupUserList.getListSize() > 0) { hasReferences = true; } - if (!hasReferences && xXPolicyList != null && xXPolicyList.size() > 0) { + + if (!hasReferences && xXPolicyList != null && !xXPolicyList.isEmpty()) { hasReferences = true; } + if (!hasReferences && vXPermMapList != null && vXPermMapList.getListSize() > 0) { hasReferences = true; } + if (!hasReferences && vXAuditMapList != null && vXAuditMapList.getListSize() > 0) { hasReferences = true; } + if (!hasReferences && CollectionUtils.isNotEmpty(xXAuthSessionIds)) { hasReferences = true; } - if (!hasReferences && xXUserPermissions != null && xXUserPermissions.size() > 0) 
{ + + if (!hasReferences && xXUserPermissions != null && !xXUserPermissions.isEmpty()) { hasReferences = true; } - if (!hasReferences && xXPortalUserRoles != null && xXPortalUserRoles.size() > 0) { + + if (!hasReferences && xXPortalUserRoles != null && !xXPortalUserRoles.isEmpty()) { hasReferences = true; } + if (hasReferences) { if (vXUser.getIsVisible() != RangerCommonEnums.IS_HIDDEN) { - logger.info("Updating visibility of user {} to Hidden!", vXUser.getName()); + logger.info("Updating visibility of user '{}' to Hidden!", vXUser.getName()); + vXUser.setIsVisible(RangerCommonEnums.IS_HIDDEN); + xUserService.updateResource(vXUser); } } else { xPortalUserService.updateXXPortalUserReferences(xXPortalUserId); + //delete XXUser entry of user xXUserDao.remove(id); + //delete XXPortal entry of user logger.warn("Deleting Portal User : {}", vXPortalUser.getLoginId()); + xXPortalUserDao.remove(xXPortalUserId); + xUserService.createTransactionLog(xUserService.populateViewBean(xXUser), null, OPERATION_DELETE_CONTEXT); + xPortalUserService.createTransactionLog(xPortalUserService.populateViewBean(xXPortalUser), null, OPERATION_DELETE_CONTEXT); } } 
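Review bot: In the non-force branch a user with any reference — including a live login session, since `CollectionUtils.isNotEmpty(xXAuthSessionIds)` counts as one — is only marked `IS_HIDDEN`; the XXPortalUser row, its roles and its sessions are left untouched, so the account can still authenticate while the UI no longer shows it. If hiding is meant to stand in for deletion, the portal status should also change and the sessions be invalidated (the force branch already has `xXAuthSessionDao.deleteAuthSessionsByIds(xXAuthSessionIds)`), or the caller should be told the user was merely hidden. The new `throw restErrorUtil.createRESTException(excp.getMessage());` in the force branch fires after group, permission, audit and session rows were removed, so it relies on a transaction rolling them back — not visible here, please confirm. deleteXUser starts outside this hunk.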
@@ -1219,42 +1486,54 @@ public synchronized void deleteXUser(Long id, boolean force) { public VXUserList searchXUsers(SearchCriteria searchCriteria) { VXUserList vXUserList = new VXUserList(); VXUser vXUserExactMatch = null; + try { VXUserList vXUserListSort = new VXUserList(); if (searchCriteria.getParamList() != null && searchCriteria.getParamList().get("name") != null) { searchCriteria.setSortBy("name"); + vXUserListSort = xUserService.searchXUsers(searchCriteria); vXUserExactMatch = getXUserByUserName((String) searchCriteria.getParamList().get("name")); } + int vXUserExactMatchwithSearchCriteria = 0; + if (vXUserExactMatch != null) { vXUserListSort = xUserService.searchXUsers(searchCriteria); + HashMap searchCriteriaParamList = searchCriteria.getParamList(); + vXUserExactMatchwithSearchCriteria = 1; + for (Map.Entry entry : searchCriteriaParamList.entrySet()) { String caseKey = entry.getKey(); + switch (caseKey.toLowerCase()) { case "isvisible": Integer isVisible = vXUserExactMatch.getIsVisible(); + if (isVisible != null && !isVisible.equals(entry.getValue())) { vXUserExactMatchwithSearchCriteria = -1; } break; case "status": Integer status = vXUserExactMatch.getStatus(); - if (status != null && !status.equals(entry.getValue())) { + + if (!status.equals(entry.getValue())) { vXUserExactMatchwithSearchCriteria = -1; } break; case "usersource": Integer userSource = vXUserExactMatch.getUserSource(); - if (userSource != null && !userSource.equals(entry.getValue())) { + + if (!userSource.equals(entry.getValue())) { vXUserExactMatchwithSearchCriteria = -1; } break; case "emailaddress": String email = (String) entry.getValue(); + if (email != null && !email.equals(vXUserExactMatch.getEmailAddress())) { vXUserExactMatchwithSearchCriteria = -1; } 
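Review bot: The `status` and `usersource` cases lost their null guards (`if (!status.equals(entry.getValue()))`, `if (!userSource.equals(entry.getValue()))`) while `isvisible` kept its; both getters return boxed `Integer`, so a null column throws NullPointerException into the surrounding `catch (Exception e)` and the exact-match path silently degrades to a plain search. Restore the guards, e.g. `if (status != null && !status.equals(entry.getValue()))`. Also `vXUserListSort = xUserService.searchXUsers(searchCriteria);` runs twice on identical criteria — once under the `name` check and again at the top of `if (vXUserExactMatch != null)` — doubling the database query for every name search; the second call can go. searchXUsers continues past this hunk.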
@@ -1267,6 +1546,7 @@ public VXUserList searchXUsers(SearchCriteria searchCriteria) { case "userrolelist": @SuppressWarnings("unchecked") Collection userrolelist = (Collection) entry.getValue(); + if (!CollectionUtils.isEmpty(userrolelist)) { for (String role : userrolelist) { if (vXUserExactMatch.getUserRoleList() != null && vXUserExactMatch.getUserRoleList().contains(role)) { @@ -1282,27 +1562,36 @@ public VXUserList searchXUsers(SearchCriteria searchCriteria) { logger.warn("XUserMgr.searchXUsers: unexpected searchCriteriaParam:{}", caseKey); break; } + if (vXUserExactMatchwithSearchCriteria == -1) { break; } } } + if (vXUserExactMatchwithSearchCriteria == 1) { VXGroupList groups = getXUserGroups(vXUserExactMatch.getId()); + if (groups.getListSize() > 0) { Collection groupNameList = new ArrayList<>(); - Collection groupIdList = new ArrayList(); + Collection groupIdList = new ArrayList<>(); + for (VXGroup group : groups.getList()) { groupIdList.add(group.getId()); + groupNameList.add(group.getName()); } + vXUserExactMatch.setGroupIdList(groupIdList); vXUserExactMatch.setGroupNameList(groupNameList); } - List vXUsers = new ArrayList(); + + List vXUsers = new ArrayList<>(); + if (searchCriteria.getStartIndex() == 0) { vXUsers.add(0, vXUserExactMatch); } + for (VXUser vxUser : vXUserListSort.getVXUsers()) { if (vXUserExactMatch.getId() != null && vxUser != null) { if (!vXUserExactMatch.getId().equals(vxUser.getId())) { @@ -1310,6 +1599,7 @@ public VXUserList searchXUsers(SearchCriteria searchCriteria) { } } } + vXUserList.setVXUsers(vXUsers); vXUserList.setStartIndex(searchCriteria.getStartIndex()); vXUserList.setResultSize(vXUserList.getVXUsers().size()); 
@@ -1319,24 +1609,31 @@ public VXUserList searchXUsers(SearchCriteria searchCriteria) { vXUserList.setSortType(searchCriteria.getSortType()); } } catch (Exception e) { - logger.error("Error getting the exact match of user =>", e); + logger.error("Error getting the exact match of user =>{}", String.valueOf(e)); } + if (vXUserList.getVXUsers().isEmpty()) { if (StringUtils.isBlank(searchCriteria.getSortBy())) { searchCriteria.setSortBy("id"); } + vXUserList = xUserService.searchXUsers(searchCriteria); } + if (vXUserList != null && !hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)) { - List vXUsers = new ArrayList(); - if (vXUserList != null && vXUserList.getListSize() > 0) { + List vXUsers = new ArrayList<>(); + + if (vXUserList.getListSize() > 0) { for (VXUser vXUser : vXUserList.getList()) { vXUser = getMaskedVXUser(vXUser); + vXUsers.add(vXUser); } + vXUserList.setVXUsers(vXUsers); } } + return vXUserList; } @@ -1346,27 +1643,36 @@ public VXGroupUser getXGroupUser(Long id) { public VXGroupUser createXGroupUser(VXGroupUser vXGroupUser) { checkAdminAccess(); + xaBizUtil.blockAuditorRoleUser(); + vXGroupUser = xGroupUserService.createXGroupUserWithOutLogin(vXGroupUser); + return vXGroupUser; } public VXGroupUser updateXGroupUser(VXGroupUser vXGroupUser) { checkAdminAccess(); + xaBizUtil.blockAuditorRoleUser(); + return super.updateXGroupUser(vXGroupUser); } public void deleteXGroupUser(Long id, boolean force) { checkAdminAccess(); + xaBizUtil.blockAuditorRoleUser(); + super.deleteXGroupUser(id, force); } public void deleteXPermMap(Long id, boolean force) { xaBizUtil.blockAuditorRoleUser(); + if (force) { XXPermMap xPermMap = daoManager.getXXPermMap().getById(id); + if (xPermMap != null) { if (xResourceService.readResource(xPermMap.getResourceId()) == null) { throw restErrorUtil.createRESTException("Invalid Input Data - No resource found with Id: " + xPermMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA); 
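Review bot: The catch in searchXUsers now logs `String.valueOf(e)` instead of passing the exception as the trailing argument, which drops the stack trace from the error log; since this catch covers any exception raised in the exact-match filter loop above, the trace is what tells an operator which line failed. The same change is made to lookupXGroups in the `@@ -2127` hunk. Keep the throwable as the last argument, the form the original line used: `logger.error("Error getting the exact match of user =>", e);`. The try block this catch closes starts in an earlier hunk of this method.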
@@ -1380,45 +1686,55 @@ public void deleteXPermMap(Long id, boolean force) { } public VXPermMapList searchXPermMaps(SearchCriteria searchCriteria) { - VXPermMapList returnList = null; + VXPermMapList returnList; UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession(); + if (currentUserSession != null && currentUserSession.isUserAdmin()) { returnList = super.searchXPermMaps(searchCriteria); } else { returnList = new VXPermMapList(); + int startIndex = searchCriteria.getStartIndex(); int pageSize = searchCriteria.getMaxRows(); + searchCriteria.setStartIndex(0); searchCriteria.setMaxRows(Integer.MAX_VALUE); - List resultList = xPermMapService.searchXPermMaps(searchCriteria).getVXPermMaps(); - List adminPermResourceList = new ArrayList(); + List resultList = xPermMapService.searchXPermMaps(searchCriteria).getVXPermMaps(); + List adminPermResourceList = new ArrayList<>(); + for (VXPermMap xXPermMap : resultList) { XXResource xRes = daoManager.getXXResource().getById(xXPermMap.getResourceId()); VXResponse vXResponse = msBizUtil.hasPermission(xResourceService.populateViewBean(xRes), AppConstants.XA_PERM_TYPE_ADMIN); + if (vXResponse.getStatusCode() == VXResponse.STATUS_SUCCESS) { adminPermResourceList.add(xXPermMap); } } - if (adminPermResourceList.size() > 0) { + if (!adminPermResourceList.isEmpty()) { populatePageList(adminPermResourceList, startIndex, pageSize, returnList); } } + return returnList; } public VXLong getXPermMapSearchCount(SearchCriteria searchCriteria) { VXPermMapList permMapList = xPermMapService.searchXPermMaps(searchCriteria); VXLong vXLong = new VXLong(); + vXLong.setValue(permMapList.getListSize()); + return vXLong; } public void deleteXAuditMap(Long id, boolean force) { xaBizUtil.blockAuditorRoleUser(); + if (force) { XXAuditMap xAuditMap = daoManager.getXXAuditMap().getById(id); + if (xAuditMap != null) { if (xResourceService.readResource(xAuditMap.getResourceId()) == null) { throw restErrorUtil.createRESTException("Invalid Input 
Data - No resource found with Id: " + xAuditMap.getResourceId(), MessageEnums.INVALID_INPUT_DATA); @@ -1434,26 +1750,30 @@ public void deleteXAuditMap(Long id, boolean force) { public VXAuditMapList searchXAuditMaps(SearchCriteria searchCriteria) { VXAuditMapList returnList = new VXAuditMapList(); UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession(); + // If user is system admin if (currentUserSession != null && currentUserSession.isUserAdmin()) { returnList = super.searchXAuditMaps(searchCriteria); } else { int startIndex = searchCriteria.getStartIndex(); int pageSize = searchCriteria.getMaxRows(); + searchCriteria.setStartIndex(0); searchCriteria.setMaxRows(Integer.MAX_VALUE); - List resultList = xAuditMapService.searchXAuditMaps(searchCriteria).getVXAuditMaps(); - List adminAuditResourceList = new ArrayList(); + List resultList = xAuditMapService.searchXAuditMaps(searchCriteria).getVXAuditMaps(); + List adminAuditResourceList = new ArrayList<>(); + for (VXAuditMap xXAuditMap : resultList) { XXResource xRes = daoManager.getXXResource().getById(xXAuditMap.getResourceId()); VXResponse vXResponse = msBizUtil.hasPermission(xResourceService.populateViewBean(xRes), AppConstants.XA_PERM_TYPE_ADMIN); + if (vXResponse.getStatusCode() == VXResponse.STATUS_SUCCESS) { adminAuditResourceList.add(xXAuditMap); } } - if (adminAuditResourceList.size() > 0) { + if (!adminAuditResourceList.isEmpty()) { populatePageList(adminAuditResourceList, startIndex, pageSize, returnList); } } @@ -1464,7 +1784,9 @@ public VXAuditMapList searchXAuditMaps(SearchCriteria searchCriteria) { public VXLong getXAuditMapSearchCount(SearchCriteria searchCriteria) { VXAuditMapList auditMapList = xAuditMapService.searchXAuditMaps(searchCriteria); VXLong vXLong = new VXLong(); + vXLong.setValue(auditMapList.getListSize()); + return vXLong; } 
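Review bot: The non-admin branch of searchXPermMaps calls `searchCriteria.setStartIndex(0)` and `searchCriteria.setMaxRows(Integer.MAX_VALUE)` on the caller's SearchCriteria and never restores them, so the paging the caller asked for is lost on that object once the method returns; searchXAuditMaps in the `@@ -1434` hunk does the same. Unless callers are known to discard the criteria afterwards, put the two values back after the service call, e.g. in a `finally` with `searchCriteria.setStartIndex(startIndex); searchCriteria.setMaxRows(pageSize);`, or run the unbounded query on a copy. The unbounded fetch also means every matching row is loaded and permission-checked in memory for a non-admin caller, which deserves a comment if it is intentional. searchXPermMaps' return and deleteXAuditMap's body lie partly outside these hunks.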
@@ -1495,13 +1817,18 @@ public VXLong getXAuditMapSearchCount(SearchCriteria searchCriteria) { public void deleteXGroupAndXUser(String groupName, String userName) { checkAdminAccess(); + xaBizUtil.blockAuditorRoleUser(); + VXGroup vxGroup = xGroupService.getGroupByGroupName(groupName); VXUser vxUser = xUserService.getXUserByUserName(userName); SearchCriteria searchCriteria = new SearchCriteria(); + searchCriteria.addParam("xGroupId", vxGroup.getId()); searchCriteria.addParam("xUserId", vxUser.getId()); + VXGroupUserList vxGroupUserList = xGroupUserService.searchXGroupUsers(searchCriteria); + for (VXGroupUser vxGroupUser : vxGroupUserList.getList()) { daoManager.getXXGroupUser().remove(vxGroupUser.getId()); } @@ -1510,23 +1837,30 @@ public void deleteXGroupAndXUser(String groupName, String userName) { public VXGroupList getXUserGroups(Long xUserId) { SearchCriteria searchCriteria = new SearchCriteria(); searchCriteria.addParam("xUserId", xUserId); + VXGroupUserList vXGroupUserList = xGroupUserService.searchXGroupUsers(searchCriteria); VXGroupList vXGroupList = new VXGroupList(); - List vXGroups = new ArrayList(); + List vXGroups = new ArrayList<>(); + if (vXGroupUserList != null) { List vXGroupUsers = vXGroupUserList.getList(); - Set groupIdList = new HashSet(); + Set groupIdList = new HashSet<>(); + for (VXGroupUser vXGroupUser : vXGroupUsers) { groupIdList.add(vXGroupUser.getParentGroupId()); } + for (Long groupId : groupIdList) { VXGroup vXGroup = xGroupService.readResource(groupId); + vXGroups.add(vXGroup); } + vXGroupList.setVXGroups(vXGroups); } else { logger.debug("No groups found for user id : {}", xUserId); } + return vXGroupList; } 
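Review bot: deleteXGroupAndXUser calls `vxGroup.getId()` and `vxUser.getId()` immediately after the two lookups, so a group or user name that does not resolve fails with a NullPointerException rather than an input-validation error, assuming the lookups return null for unknown names as the similarly named `getXUserByUserName` result is null-checked elsewhere in this file. Add a guard after the lookups, e.g. `if (vxGroup == null || vxUser == null) { throw restErrorUtil.createRESTException("Invalid Input Data - group or user not found", MessageEnums.INVALID_INPUT_DATA); }`. In getXUserGroups in the next hunk, `xGroupService.readResource(groupId)` is likewise added to `vXGroups` without a null check; if it can return null a `continue` on null would keep nulls out of the returned list. deleteXGroupAndXUser continues past the end of its hunk.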
@@ -1544,13 +1878,13 @@ public Set getGroupsForUser(String userName) { ret.add(group.getName()); } } else { - logger.debug("getGroupsForUser({}): no groups found for user", userName); + logger.debug("getGroupsForUser('{}'): no groups found for user", userName); } } else { - logger.debug("getGroupsForUser({}): user not found", userName); + logger.debug("getGroupsForUser('{}'): user not found", userName); } } catch (Exception excp) { - logger.error("getGroupsForUser({}) failed", userName, excp); + logger.error("getGroupsForUser('{}') failed", userName, excp); } return ret; @@ -1560,21 +1894,25 @@ public VXUserList getXGroupUsers(SearchCriteria searchCriteria) { if (!msBizUtil.hasModuleAccess(RangerConstants.MODULE_USER_GROUPS)) { throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not having permissions on the " + RangerConstants.MODULE_USER_GROUPS + " module.", true); } - VXUserList vXUserList = new VXUserList(); + VXUserList vXUserList = new VXUserList(); VXGroupUserList vXGroupUserList = xGroupUserService.searchXGroupUsers(searchCriteria); + List vXUsers = new ArrayList<>(); - List vXUsers = new ArrayList(); if (vXGroupUserList != null) { List vXGroupUsers = vXGroupUserList.getList(); - Set userIdList = new HashSet(); + Set userIdList = new HashSet<>(); + for (VXGroupUser vXGroupUser : vXGroupUsers) { userIdList.add(vXGroupUser.getUserId()); } + for (Long userId : userIdList) { VXUser vXUser = xUserService.readResource(userId); + vXUsers.add(vXUser); } + vXUserList.setVXUsers(vXUsers); vXUserList.setStartIndex(searchCriteria.getStartIndex()); vXUserList.setResultSize(vXGroupUserList.getList().size()); 
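Review bot: getXGroupUsers sets `vXUserList.setResultSize(vXGroupUserList.getList().size())`, the number of group-user mappings, while the list it returns is built from the de-duplicated `userIdList` set, so resultSize can exceed the number of users actually returned whenever the criteria match more than one mapping per user. Report the size of what is returned instead: `vXUserList.setResultSize(vXUsers.size());`. The remaining paging fields of this method are set past the end of this hunk.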
@@ -1585,30 +1923,41 @@ public VXUserList getXGroupUsers(SearchCriteria searchCriteria) { } else { logger.debug("No users found for group id : {}", searchCriteria.getParamValue("xGroupId")); } + return vXUserList; } public void modifyUserVisibility(HashMap visibilityMap) { checkAdminAccess(); + xaBizUtil.blockAuditorRoleUser(); + Set> entries = visibilityMap.entrySet(); + for (Map.Entry entry : entries) { XXUser xUser = daoManager.getXXUser().getById(entry.getKey()); VXUser vObj = xUserService.populateViewBean(xUser); + vObj.setIsVisible(entry.getValue()); - vObj = xUserService.updateResource(vObj); + + xUserService.updateResource(vObj); } } public void modifyGroupsVisibility(HashMap groupVisibilityMap) { checkAdminAccess(); + xaBizUtil.blockAuditorRoleUser(); + Set> entries = groupVisibilityMap.entrySet(); + for (Map.Entry entry : entries) { XXGroup xGroup = daoManager.getXXGroup().getById(entry.getKey()); VXGroup vObj = xGroupService.populateViewBean(xGroup); + vObj.setIsVisible(entry.getValue()); - vObj = xGroupService.updateResource(vObj); + + xGroupService.updateResource(vObj); } } @@ -1630,11 +1979,8 @@ public VXModuleDef getXModuleDefPermission(Long id) { public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) { List groupPermListNew = vXModuleDef.getGroupPermList(); List userPermListNew = vXModuleDef.getUserPermList(); + XXModuleDef xModuleDef = daoManager.getXXModuleDef().getById(vXModuleDef.getId()); - List groupPermListOld = new ArrayList(); - List userPermListOld = new ArrayList(); - - XXModuleDef xModuleDef = daoManager.getXXModuleDef().getById(vXModuleDef.getId()); if (!StringUtils.equals(xModuleDef.getModule(), vXModuleDef.getModule())) { throw restErrorUtil.createRESTException("Module name change is not allowed!", MessageEnums.DATA_NOT_UPDATABLE); } 
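Review bot: modifyUserVisibility and modifyGroupsVisibility hand the result of `daoManager.getXXUser().getById(entry.getKey())` (respectively `getXXGroup().getById`) to `populateViewBean` without a null check, so an id in the map that does not exist fails with a NullPointerException instead of a validation error; updateXModuleDefPermission in the next hunk does the same with `xModuleDef.getModule()` right after `getXXModuleDef().getById(vXModuleDef.getId())`. If the dao returns null for unknown ids, guard each lookup, e.g. `if (xUser == null) { throw restErrorUtil.createRESTException("No user found with Id: " + entry.getKey(), MessageEnums.DATA_NOT_FOUND); }`, matching how deleteXUserPermission handles a missing row. updateXModuleDefPermission continues past the end of its hunk.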
@@ -1642,24 +1988,29 @@ public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) { Map xXPortalUserIdXXUserMap = xUserService.getXXPortalUserIdXXUserNameMap(); Map xXGroupMap = xGroupService.getXXGroupIdNameMap(); VXModuleDef vModuleDefPopulateOld = xModuleDefService.populateViewBean(xModuleDef, xXPortalUserIdXXUserMap, xXGroupMap, true); - groupPermListOld = vModuleDefPopulateOld.getGroupPermList(); - userPermListOld = vModuleDefPopulateOld.getUserPermList(); - Map userPermMapOld = xUserPermissionService.convertVListToVMap(userPermListOld); - Map groupPermMapOld = xGroupPermissionService.convertVListToVMap(groupPermListOld); + + List groupPermListOld = vModuleDefPopulateOld.getGroupPermList(); + List userPermListOld = vModuleDefPopulateOld.getUserPermList(); + Map userPermMapOld = xUserPermissionService.convertVListToVMap(userPermListOld); + Map groupPermMapOld = xGroupPermissionService.convertVListToVMap(groupPermListOld); if (groupPermMapOld != null && groupPermListNew != null) { for (VXGroupPermission newVXGroupPerm : groupPermListNew) { boolean isExist = false; VXGroupPermission oldVXGroupPerm = groupPermMapOld.get(newVXGroupPerm.getGroupId()); + if (oldVXGroupPerm != null && newVXGroupPerm.getGroupId().equals(oldVXGroupPerm.getGroupId()) && newVXGroupPerm.getModuleId().equals(oldVXGroupPerm.getModuleId())) { isExist = true; + if (!newVXGroupPerm.getIsAllowed().equals(oldVXGroupPerm.getIsAllowed())) { oldVXGroupPerm.setIsAllowed(newVXGroupPerm.getIsAllowed()); - oldVXGroupPerm = this.updateXGroupPermission(oldVXGroupPerm); + + this.updateXGroupPermission(oldVXGroupPerm); } } + if (!isExist) { - newVXGroupPerm = this.createXGroupPermission(newVXGroupPerm); + this.createXGroupPermission(newVXGroupPerm); } } } 
@@ -1668,18 +2019,23 @@ public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) { for (VXUserPermission newVXUserPerm : userPermListNew) { boolean isExist = false; VXUserPermission oldVXUserPerm = userPermMapOld.get(newVXUserPerm.getUserId()); + if (oldVXUserPerm != null && newVXUserPerm.getUserId().equals(oldVXUserPerm.getUserId()) && newVXUserPerm.getModuleId().equals(oldVXUserPerm.getModuleId())) { isExist = true; + if (!newVXUserPerm.getIsAllowed().equals(oldVXUserPerm.getIsAllowed())) { oldVXUserPerm.setIsAllowed(newVXUserPerm.getIsAllowed()); - oldVXUserPerm = this.updateXUserPermission(oldVXUserPerm); + + this.updateXUserPermission(oldVXUserPerm); } } + if (!isExist) { - newVXUserPerm = this.createXUserPermission(newVXUserPerm); + this.createXUserPermission(newVXUserPerm); } } } + vXModuleDef = xModuleDefService.updateResource(vXModuleDef); return vXModuleDef; @@ -1688,6 +2044,7 @@ public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) { public void deleteXModuleDefPermission(Long id, boolean force) { daoManager.getXXUserPermission().deleteByModuleId(id); daoManager.getXXGroupPermission().deleteByModuleId(id); + xModuleDefService.deleteResource(id); } @@ -1696,9 +2053,11 @@ public VXUserPermission createXUserPermission(VXUserPermission vXUserPermission) vXUserPermission = xUserPermissionService.createResource(vXUserPermission); Set userSessions = sessionMgr.getActiveUserSessionsForPortalUserId(vXUserPermission.getUserId()); + if (!CollectionUtils.isEmpty(userSessions)) { for (UserSessionBase userSession : userSessions) { logger.info("Assigning permission to user who's found logged in into system, so updating permission in session of that user: [{}]", vXUserPermission.getUserName()); + sessionMgr.resetUserModulePermission(userSession); } } 
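Review bot: In createXUserPermission the info message starting `Assigning permission to user who's found logged in` is emitted inside the `for (UserSessionBase userSession : userSessions)` loop, so a user with several active sessions logs the same line once per session; the loops in updateXUserPermission, deleteXUserPermission, createXGroupPermission, updateXGroupPermission and deleteXGroupPermission (the `@@ -1714` through `@@ -1790` hunks) have the same shape. Log once before the loop and keep only `sessionMgr.resetUserModulePermission(userSession);` inside it. This is a style point; the reset itself is unchanged. createXUserPermission continues past the end of this hunk.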
@@ -1714,9 +2073,11 @@ public VXUserPermission updateXUserPermission(VXUserPermission vXUserPermission) vXUserPermission = xUserPermissionService.updateResource(vXUserPermission); Set userSessions = sessionMgr.getActiveUserSessionsForPortalUserId(vXUserPermission.getUserId()); + if (!CollectionUtils.isEmpty(userSessions)) { for (UserSessionBase userSession : userSessions) { logger.info("Updating permission of user who's found logged in into system, so updating permission in session of user: [{}]", vXUserPermission.getUserName()); + sessionMgr.resetUserModulePermission(userSession); } } @@ -1726,6 +2087,7 @@ public VXUserPermission updateXUserPermission(VXUserPermission vXUserPermission) public void deleteXUserPermission(Long id, boolean force) { XXUserPermission xUserPermission = daoManager.getXXUserPermission().getById(id); + if (xUserPermission == null) { throw restErrorUtil.createRESTException("No UserPermission found to delete, ID: " + id, MessageEnums.DATA_NOT_FOUND); } @@ -1733,9 +2095,11 @@ public void deleteXUserPermission(Long id, boolean force) { xUserPermissionService.deleteResource(id); Set userSessions = sessionMgr.getActiveUserSessionsForPortalUserId(xUserPermission.getUserId()); + if (!CollectionUtils.isEmpty(userSessions)) { for (UserSessionBase userSession : userSessions) { logger.info("deleting permission of user who's found logged in into system, so updating permission in session of that user"); + sessionMgr.resetUserModulePermission(userSession); } } 
@@ -1746,11 +2110,14 @@ public VXGroupPermission createXGroupPermission(VXGroupPermission vXGroupPermiss vXGroupPermission = xGroupPermissionService.createResource(vXGroupPermission); List grpUsers = daoManager.getXXGroupUser().findByGroupId(vXGroupPermission.getGroupId()); + for (XXGroupUser xGrpUser : grpUsers) { Set userSessions = sessionMgr.getActiveUserSessionsForXUserId(xGrpUser.getUserId()); + if (!CollectionUtils.isEmpty(userSessions)) { for (UserSessionBase userSession : userSessions) { logger.info("Assigning permission to group, one of the user belongs to that group found logged in into system, so updating permission in session of that user"); + sessionMgr.resetUserModulePermission(userSession); } } @@ -1767,11 +2134,14 @@ public VXGroupPermission updateXGroupPermission(VXGroupPermission vXGroupPermiss vXGroupPermission = xGroupPermissionService.updateResource(vXGroupPermission); List grpUsers = daoManager.getXXGroupUser().findByGroupId(vXGroupPermission.getGroupId()); + for (XXGroupUser xGrpUser : grpUsers) { Set userSessions = sessionMgr.getActiveUserSessionsForXUserId(xGrpUser.getUserId()); + if (!CollectionUtils.isEmpty(userSessions)) { for (UserSessionBase userSession : userSessions) { logger.info("Assigning permission to group whose one of the user found logged in into system, so updating permission in session of that user"); + sessionMgr.resetUserModulePermission(userSession); } } 
@@ -1790,11 +2160,14 @@ public void deleteXGroupPermission(Long id, boolean force) { xGroupPermissionService.deleteResource(id); List grpUsers = daoManager.getXXGroupUser().findByGroupId(xGrpPerm.getGroupId()); + for (XXGroupUser xGrpUser : grpUsers) { Set userSessions = sessionMgr.getActiveUserSessionsForXUserId(xGrpUser.getUserId()); + if (!CollectionUtils.isEmpty(userSessions)) { for (UserSessionBase userSession : userSessions) { logger.info("deleting permission of the group whose one of the user found logged in into system, so updating permission in session of that user"); + sessionMgr.resetUserModulePermission(userSession); } } @@ -1803,26 +2176,35 @@ public void deleteXGroupPermission(Long id, boolean force) { public void modifyUserActiveStatus(HashMap statusMap) { checkAdminAccess(); + UserSessionBase session = ContextUtil.getCurrentUserSession(); String currentUser = null; + if (session != null) { currentUser = session.getLoginId(); + if (currentUser == null || currentUser.trim().isEmpty()) { currentUser = null; } } + if (currentUser == null) { return; } + Set> entries = statusMap.entrySet(); + for (Map.Entry entry : entries) { if (entry != null && entry.getKey() != null && entry.getValue() != null) { XXUser xUser = daoManager.getXXUser().getById(entry.getKey()); + if (xUser != null) { VXPortalUser vXPortalUser = userMgr.getUserProfileByLoginId(xUser.getName()); + if (vXPortalUser != null) { if (vXPortalUser.getLoginId() != null && !vXPortalUser.getLoginId().equalsIgnoreCase(currentUser)) { vXPortalUser.setStatus(entry.getValue()); + userMgr.updateUser(vXPortalUser); } } 
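Review bot: modifyUserActiveStatus returns silently at `if (currentUser == null) { return; }` when the session carries a null or blank login id, so the caller sees a normal completion although no status was changed. checkAdminAccess() at the top already rejects a missing session with `Bad Credentials`, so the only way to reach this branch is an admin session without a login id, which looks like an inconsistent state worth surfacing rather than ignoring; a `logger.warn("modifyUserActiveStatus: session has no login id, no status changed");` before the return, or the same unauthorized response checkAdminAccess raises, would make it visible. The method continues past the end of this hunk.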
@@ -1833,74 +2215,92 @@ public void modifyUserActiveStatus(HashMap statusMap) { public void checkAdminAccess() { UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { if (!session.isUserAdmin()) { VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_FORBIDDEN); - vXResponse.setMsgDesc("Operation" + " denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "Not Logged In") + " ,isn't permitted to perform the action."); + vXResponse.setMsgDesc("Operation" + " denied. LoggedInUser=" + session.getXXPortalUser().getId() + " ,isn't permitted to perform the action."); + throw restErrorUtil.generateRESTException(vXResponse); } } else { VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); // user is null vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); } } public void checkAccess(VXUser vxUser) { UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { if (!hasAccessToGetUserInfo(vxUser)) { - throw restErrorUtil.create403RESTException("Operation" + " denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "Not Logged In") + " ,isn't permitted to perform the action."); + throw restErrorUtil.create403RESTException("Operation" + " denied. 
LoggedInUser=" + session.getXXPortalUser().getId() + " ,isn't permitted to perform the action."); } } else { VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); // user is null vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); } } public void checkAccessRoles(List stringRolesList) { UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null && stringRolesList != null) { if (!session.isUserAdmin() && !session.isKeyAdmin()) { - throw restErrorUtil.create403RESTException("Permission denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "Not Logged In") + " ,isn't permitted to perform the action."); + throw restErrorUtil.create403RESTException("Permission denied. LoggedInUser=" + session.getXXPortalUser().getId() + " ,isn't permitted to perform the action."); } else { if (!"rangerusersync".equals(session.getXXPortalUser().getLoginId())) { // new logic for rangerusersync user if (session.isUserAdmin() && (stringRolesList.contains(RangerConstants.ROLE_KEY_ADMIN) || stringRolesList.contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR))) { - throw restErrorUtil.create403RESTException("Permission denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "") + " isn't permitted to perform the action."); + throw restErrorUtil.create403RESTException("Permission denied. LoggedInUser=" + session.getXXPortalUser().getId() + " isn't permitted to perform the action."); } else if (session.isKeyAdmin() && (stringRolesList.contains(RangerConstants.ROLE_SYS_ADMIN) || stringRolesList.contains(RangerConstants.ROLE_ADMIN_AUDITOR))) { - throw restErrorUtil.create403RESTException("Permission denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "") + " isn't permitted to perform the action."); + throw restErrorUtil.create403RESTException("Permission denied. 
LoggedInUser=" + session.getXXPortalUser().getId() + " isn't permitted to perform the action."); } } } } else { VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); // user is null or role is null vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); } } public VXStringList setUserRolesByExternalID(Long userId, List vStringRolesList) { xaBizUtil.blockAuditorRoleUser(); + List roleListNewProfile = new ArrayList<>(); + if (vStringRolesList != null) { for (VXString vXString : vStringRolesList) { roleListNewProfile.add(vXString.getValue()); } } + VXUser vXUser = getXUser(userId); + checkAccessRoles(roleListNewProfile); - List portalUserRoleList = null; - if (vXUser != null && roleListNewProfile.size() > 0) { + + if (vXUser != null && !roleListNewProfile.isEmpty()) { VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser.getName()); + if (oldUserProfile != null) { denySelfRoleChange(oldUserProfile.getLoginId()); updateUserRolesPermissions(oldUserProfile, roleListNewProfile); - portalUserRoleList = daoManager.getXXPortalUserRole().findByUserId(oldUserProfile.getId()); + + List portalUserRoleList = daoManager.getXXPortalUserRole().findByUserId(oldUserProfile.getId()); + return getStringListFromUserRoleList(portalUserRoleList); } else { throw restErrorUtil.createRESTException("User ID doesn't exist.", MessageEnums.INVALID_INPUT_DATA); 
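Review bot: checkAccessRoles skips the admin/key-admin role-separation check for the literal login `"rangerusersync"`, and the rewritten message lines in this hunk keep that exemption without a comment saying why one account may assign both role families. Give the literal a named constant and put a one-line comment on the `if (!"rangerusersync".equals(session.getXXPortalUser().getLoginId()))` branch stating the reason and that the match is by login id only, so a later reader neither widens nor removes it by accident. The ternaries this hunk removes were dead because `session` is null-checked first, so that part of the change is correct. setUserRolesByExternalID continues past the end of this hunk.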
@@ -1912,20 +2312,28 @@ public VXStringList setUserRolesByExternalID(Long userId, List vString public VXStringList setUserRolesByName(String userName, List vStringRolesList) { xaBizUtil.blockAuditorRoleUser(); + List roleListNewProfile = new ArrayList<>(); + if (vStringRolesList != null) { for (VXString vXString : vStringRolesList) { roleListNewProfile.add(vXString.getValue()); } } + VXUser vXUser = getXUserByUserName(userName); + checkAccessRoles(roleListNewProfile); - if (vXUser != null && roleListNewProfile.size() > 0) { + + if (vXUser != null && !roleListNewProfile.isEmpty()) { VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser.getName()); + if (oldUserProfile != null) { denySelfRoleChange(oldUserProfile.getLoginId()); updateUserRolesPermissions(oldUserProfile, roleListNewProfile); + List portalUserRoleList = daoManager.getXXPortalUserRole().findByUserId(oldUserProfile.getId()); + return getStringListFromUserRoleList(portalUserRoleList); } else { throw restErrorUtil.createRESTException("Login ID doesn't exist.", MessageEnums.INVALID_INPUT_DATA); 
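Review bot: setUserRolesByName repeats the body of setUserRolesByExternalID from the previous hunk almost line for line — the VXString-to-String conversion, `checkAccessRoles`, the profile lookup, `denySelfRoleChange`, `updateUserRolesPermissions` and the role-list reload — differing only in how `vXUser` is resolved and in the error text. Since the commit already reshapes both, extracting a private helper such as `setUserRoles(VXUser vXUser, List<VXString> vStringRolesList, String notFoundMessage)` and having each public method resolve its user and delegate would keep the two authorization paths from drifting apart. The method continues past the end of this hunk.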
@@ -1937,14 +2345,18 @@ public VXStringList setUserRolesByName(String userName, List vStringRo public VXStringList getUserRolesByExternalID(Long userId) { VXUser vXUser = getXUser(userId); + if (vXUser == null) { throw restErrorUtil.createRESTException("Please provide a valid ID", MessageEnums.INVALID_INPUT_DATA); } + checkAccess(vXUser); - List portalUserRoleList = null; - VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser.getName()); + + VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser.getName()); + if (oldUserProfile != null) { - portalUserRoleList = daoManager.getXXPortalUserRole().findByUserId(oldUserProfile.getId()); + List portalUserRoleList = daoManager.getXXPortalUserRole().findByUserId(oldUserProfile.getId()); + return getStringListFromUserRoleList(portalUserRoleList); } else { throw restErrorUtil.createRESTException("User ID doesn't exist.", MessageEnums.INVALID_INPUT_DATA); @@ -1952,13 +2364,16 @@ public VXStringList getUserRolesByExternalID(Long userId) { } public VXStringList getUserRolesByName(String userName) { - VXPortalUser vXPortalUser = null; if (userName != null && !userName.trim().isEmpty()) { VXUser vXUser = xUserService.getXUserByUserName(userName); + checkAccess(vXUser); - vXPortalUser = userMgr.getUserProfileByLoginId(userName); + + VXPortalUser vXPortalUser = userMgr.getUserProfileByLoginId(userName); + if (vXPortalUser != null && vXPortalUser.getUserRoleList() != null) { List portalUserRoleList = daoManager.getXXPortalUserRole().findByUserId(vXPortalUser.getId()); + return getStringListFromUserRoleList(portalUserRoleList); } else { throw restErrorUtil.createRESTException("Please provide a valid userName", MessageEnums.INVALID_INPUT_DATA); 
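Review bot: getUserRolesByName passes the result of `xUserService.getXUserByUserName(userName)` to `checkAccess(vXUser)` without the null check that getUserRolesByExternalID performs before its own `checkAccess` call in the previous hunk, so the two entry points treat an unknown user differently unless `hasAccessToGetUserInfo` (not visible here) tolerates null. Mirror the other method with `if (vXUser == null) { throw restErrorUtil.createRESTException("Please provide a valid userName", MessageEnums.INVALID_INPUT_DATA); }` before `checkAccess(vXUser);`. The method continues past the end of this hunk.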
@@ -1971,8 +2386,10 @@ public VXStringList getUserRolesByName(String userName) { public void updateUserRolesPermissions(VXPortalUser oldUserProfile, List roleListNewProfile) { //update permissions start Collection roleListUpdatedProfile = new ArrayList<>(); + if (oldUserProfile != null && oldUserProfile.getId() != null) { Collection roleListOldProfile = oldUserProfile.getUserRoleList(); + if (roleListNewProfile != null && roleListOldProfile != null) { for (String role : roleListNewProfile) { if (role != null && !roleListOldProfile.contains(role)) { @@ -1981,18 +2398,23 @@ public void updateUserRolesPermissions(VXPortalUser oldUserProfile, List } } } - if (roleListUpdatedProfile != null && roleListUpdatedProfile.size() > 0) { + + if (!roleListUpdatedProfile.isEmpty()) { oldUserProfile.setUserRoleList(roleListUpdatedProfile); + List xuserPermissionList = daoManager.getXXUserPermission().findByUserPermissionId(oldUserProfile.getId()); - if (xuserPermissionList != null && xuserPermissionList.size() > 0) { + + if (xuserPermissionList != null && !xuserPermissionList.isEmpty()) { for (XXUserPermission xXUserPermission : xuserPermissionList) { if (xXUserPermission != null) { xUserPermissionService.deleteResource(xXUserPermission.getId()); } } } + assignPermissionToUser(oldUserProfile, true); - if (roleListUpdatedProfile != null && roleListUpdatedProfile.size() > 0) { + + if (!roleListUpdatedProfile.isEmpty()) { userMgr.updateRoles(oldUserProfile.getId(), oldUserProfile.getUserRoleList()); } } 
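Review bot: In updateUserRolesPermissions the inner `if (!roleListUpdatedProfile.isEmpty())` guarding `userMgr.updateRoles(...)` sits inside an outer block with the identical condition, and nothing between them touches `roleListUpdatedProfile` unless `assignPermissionToUser` mutates the collection it received via `setUserRoleList`. If it does not, the inner check is dead and `userMgr.updateRoles(oldUserProfile.getId(), oldUserProfile.getUserRoleList());` can follow `assignPermissionToUser(oldUserProfile, true);` directly; if it does, a comment saying so would explain the repeated check. The loop that fills roleListUpdatedProfile is split between this hunk and the previous one, so what it adds is not fully visible here.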
@@ -2003,40 +2425,48 @@ public VXStringList getStringListFromUserRoleList(List listXXP if (listXXPortalUserRole == null) { return null; } - List xStrList = new ArrayList(); - VXString vXStr = null; + + List xStrList = new ArrayList<>(); + for (XXPortalUserRole userRole : listXXPortalUserRole) { if (userRole != null) { - vXStr = new VXString(); + VXString vXStr = new VXString(); + vXStr.setValue(userRole.getUserRole()); xStrList.add(vXStr); } } - VXStringList vXStringList = new VXStringList(xStrList); - return vXStringList; + + return new VXStringList(xStrList); } public boolean hasAccess(String loginID) { UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { return session.isUserAdmin() || session.getLoginId().equalsIgnoreCase(loginID); } + return false; } public VXUser getMaskedVXUser(VXUser vXUser) { if (vXUser != null) { - if (vXUser.getGroupIdList() != null && vXUser.getGroupIdList().size() > 0) { - vXUser.setGroupIdList(new ArrayList()); + if (vXUser.getGroupIdList() != null && !vXUser.getGroupIdList().isEmpty()) { + vXUser.setGroupIdList(new ArrayList<>()); } - if (vXUser.getGroupNameList() != null && vXUser.getGroupNameList().size() > 0) { + + if (vXUser.getGroupNameList() != null && !vXUser.getGroupNameList().isEmpty()) { vXUser.setGroupNameList(getMaskedCollection(vXUser.getGroupNameList())); } - if (vXUser.getUserRoleList() != null && vXUser.getUserRoleList().size() > 0) { + + if (vXUser.getUserRoleList() != null && !vXUser.getUserRoleList().isEmpty()) { vXUser.setUserRoleList(getMaskedCollection(vXUser.getUserRoleList())); } + vXUser.setUpdatedBy(AppConstants.Masked_String); } + return vXUser; } @@ -2044,6 +2474,7 @@ public VXGroup getMaskedVXGroup(VXGroup vXGroup) { if (vXGroup != null) { vXGroup.setUpdatedBy(AppConstants.Masked_String); } + return vXGroup; } 
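Review bot: hasAccess dereferences `session.getLoginId()` for the equalsIgnoreCase call, while modifyUserActiveStatus in an earlier hunk treats a session with a null or blank login id as a real possibility; if such a session reaches hasAccess the comparison throws instead of returning false. A null-safe form keeps the admin short-circuit and the same truth table otherwise: `return session.isUserAdmin() || (session.getLoginId() != null && session.getLoginId().equalsIgnoreCase(loginID));`.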
@@ -2127,12 +2558,15 @@ public VXGroupList lookupXGroups(SearchCriteria searchCriteria) { ret = searchResult; } } catch (Exception e) { - logger.error("Error getting the exact match of group =>", e); + logger.error("Error getting the exact match of group => {}", String.valueOf(e)); } + if (ret == null || ret.getList().isEmpty()) { searchCriteria.setSortBy("id"); + ret = xGroupService.searchXGroups(searchCriteria); } + if (ret != null && ret.getListSize() > 0 && !hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)) { for (VXGroup vXGroup : ret.getList()) { getMaskedVXGroup(vXGroup); @@ -2144,11 +2578,13 @@ public VXGroupList lookupXGroups(SearchCriteria searchCriteria) { public Collection getMaskedCollection(Collection listunMasked) { List listMasked = new ArrayList<>(); + if (listunMasked != null) { for (int i = 0; i < listunMasked.size(); i++) { listMasked.add(AppConstants.Masked_String); } } + return listMasked; } @@ -2157,20 +2593,22 @@ public List getRangerPrincipals(SearchCriteria searchCriteria) int startIdx = searchCriteria.getStartIndex(); int maxRows = searchCriteria.getMaxRows(); - List ret = daoManager.getXXUser().lookupPrincipalByName(searchString, startIdx, maxRows); - - return ret; + return daoManager.getXXUser().lookupPrincipalByName(searchString, startIdx, maxRows); } public boolean hasAccessToModule(String moduleName) { UserSessionBase userSession = ContextUtil.getCurrentUserSession(); + if (userSession != null && userSession.getLoginId() != null) { VXUser vxUser = xUserService.getXUserByUserName(userSession.getLoginId()); + if (vxUser != null) { List permissionList = daoManager.getXXModuleDef().findAccessibleModulesByUserId(userSession.getUserId(), vxUser.getId()); + return permissionList != null && permissionList.contains(moduleName); } } + return false; } 
@@ -2178,33 +2616,37 @@ public long forceDeleteExternalGroups(List groupIds) { long groupsDeleted = 0; long failedDeletes = 0; long startTime = Time.now(); + for (Long groupId : groupIds) { TransactionTemplate txTemplate = new TransactionTemplate(txManager); + txTemplate.setPropagationBehavior(TransactionDefinition.PROPAGATION_REQUIRES_NEW); try { - txTemplate.execute(new TransactionCallback() { - @Override - public Object doInTransaction(TransactionStatus status) { - deleteXGroup(groupId, true); - return null; - } + txTemplate.execute(status -> { + deleteXGroup(groupId, true); + return null; }); + groupsDeleted += 1; } catch (Throwable ex) { logger.error("forceDeleteExternalGroups(): Failed to delete group id: {}", groupId, ex); + failedDeletes += 1; } } + if (failedDeletes == 1) { logger.error("Failed to delete 1 group"); } else if (failedDeletes > 1) { logger.error("Failed to delete {} groups", failedDeletes); } + if (groupIds.size() == 1) { logger.info("Force Deletion of 1 group took {} milliseconds", (Time.now() - startTime)); } else if (groupIds.size() > 1) { logger.info("Force Deletion of {} groups took {} milliseconds", groupIds.size(), (Time.now() - startTime)); } + return groupsDeleted; } 
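Review bot: `forceDeleteExternalGroups` wraps each per-group transaction in `catch (Throwable ex)`, which also swallows `Error` subclasses such as `OutOfMemoryError` and `StackOverflowError`, reports them as an ordinary failed delete and carries on with the next group. Narrowing to `catch (Exception ex)` keeps the per-group isolation that `PROPAGATION_REQUIRES_NEW` provides while letting JVM-level errors propagate. The loop also dereferences `groupIds` with no null guard; whether callers can pass null is not visible here. The method signature is the hunk's context line, so the declaration itself sits just before the hunk.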
@@ -2212,56 +2654,69 @@ public long forceDeleteExternalUsers(List userIds) { long usersDeleted = 0; long failedDeletes = 0; long startTime = Time.now(); + for (Long userId : userIds) { TransactionTemplate txTemplate = new TransactionTemplate(txManager); + txTemplate.setPropagationBehavior(TransactionDefinition.PROPAGATION_REQUIRES_NEW); + try { - txTemplate.execute(new TransactionCallback() { - @Override - public Object doInTransaction(TransactionStatus status) { - deleteXUser(userId, true); - return null; - } + txTemplate.execute(status -> { + deleteXUser(userId, true); + + return null; }); + usersDeleted += 1; } catch (Throwable ex) { logger.error("forceDeleteExternalUsers(): Failed to delete user id: {}", userId, ex); + failedDeletes += 1; } } + if (failedDeletes == 1) { logger.error("Failed to delete 1 user"); } else if (failedDeletes > 1) { logger.error("Failed to delete {} users", failedDeletes); } + if (userIds.size() == 1) { logger.info("Force Deletion of 1 user took {} milliseconds", (Time.now() - startTime)); } else if (userIds.size() > 1) { logger.info("Force Deletion of {} users took {} milliseconds", userIds.size(), (Time.now() - startTime)); } + return usersDeleted; } public void restrictSelfAccountDeletion(String loginID) { UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null) { if (!session.isUserAdmin()) { VXResponse vXRes = new VXResponse(); + vXRes.setStatusCode(HttpServletResponse.SC_FORBIDDEN); vXRes.setMsgDesc("Operation denied. LoggedInUser= " + session.getXXPortalUser().getLoginId() + " isn't permitted to perform the action."); + throw restErrorUtil.generateRESTException(vXRes); } else { if (StringUtils.isNotEmpty(loginID) && loginID.equals(session.getLoginId())) { VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_FORBIDDEN); vXResponse.setMsgDesc("Operation denied. 
LoggedInUser= " + session.getXXPortalUser().getLoginId() + " isn't permitted to delete his own profile."); + throw restErrorUtil.generateRESTException(vXResponse); } } } else { VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); // user is null vXResponse.setMsgDesc("Bad Credentials"); + throw restErrorUtil.generateRESTException(vXResponse); } } 
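Review bot: `restrictSelfAccountDeletion` compares the target with `loginID.equals(session.getLoginId())`, case-sensitively, whereas `hasAccess` earlier in this file treats login ids as case-insensitive via `equalsIgnoreCase`. If login ids are case-insensitive elsewhere in Ranger (not visible here), an admin could slip past the self-deletion guard by submitting a differently-cased copy of their own login id; `loginID.equalsIgnoreCase(session.getLoginId())` closes that gap and is the conservative choice either way. The same method builds its 403 message from `session.getXXPortalUser().getLoginId()` without the `getXXPortalUser() != null` check that `denySelfRoleChange` performs, so a session without a portal user would surface as a NullPointerException rather than the intended 403. `forceDeleteExternalUsers` in the same hunk has the same `catch (Throwable)` concern as its group counterpart.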
@@ -2269,48 +2724,58 @@ public void restrictSelfAccountDeletion(String loginID) { public VXUser createServiceConfigUser(String userName) { if (userName == null || "null".equalsIgnoreCase(userName) || userName.trim().isEmpty()) { logger.error("User Name: {}", userName); + throw restErrorUtil.createRESTException("Please provide a valid username.", MessageEnums.INVALID_INPUT_DATA); } XXUser xxUser = daoManager.getXXUser().findByUserName(userName); + if (xxUser == null) { transactionSynchronizationAdapter.executeOnTransactionCommit(new ExternalUserCreator(userName)); } xxUser = daoManager.getXXUser().findByUserName(userName); + VXUser vXUser = null; + if (xxUser != null) { vXUser = xUserService.populateViewBean(xxUser); } + return vXUser; } public VXUser createServiceConfigUserSynchronously(String userName) { if (userName == null || "null".equalsIgnoreCase(userName) || userName.trim().isEmpty()) { logger.error("User Name: {}", userName); + throw restErrorUtil.createRESTException("Please provide a valid username.", MessageEnums.INVALID_INPUT_DATA); } VXUser vXUser = null; - XXUser xxUser = daoManager.getXXUser().findByUserName(userName); + if (xxUser == null) { ExternalUserCreator externalUserCreator = new ExternalUserCreator(userName); + externalUserCreator.run(); + xxUser = daoManager.getXXUser().findByUserName(userName); } if (xxUser != null) { vXUser = xUserService.populateViewBean(xxUser); } + return vXUser; } public void denySelfRoleChange(String userName) { UserSessionBase session = ContextUtil.getCurrentUserSession(); + if (session != null && session.getXXPortalUser() != null) { if (userName.equals(session.getXXPortalUser().getLoginId())) { - throw restErrorUtil.create403RESTException("Permission" + " denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "Not Logged In") + " ,isn't permitted to change its own role."); + throw restErrorUtil.create403RESTException("Permission denied. 
LoggedInUser=" + session.getXXPortalUser().getId() + " ,isn't permitted to change its own role."); } } } @@ -2318,8 +2783,10 @@ public void denySelfRoleChange(String userName) { @Transactional(readOnly = false, propagation = Propagation.REQUIRED) public synchronized VXUgsyncAuditInfo postUserGroupAuditInfo(VXUgsyncAuditInfo vxUgsyncAuditInfo) { checkAdminAccess(); + //logger.info("post usersync audit info"); vxUgsyncAuditInfo = xUgsyncAuditInfoService.createUgsyncAuditInfo(vxUgsyncAuditInfo); + return vxUgsyncAuditInfo; } @@ -2339,8 +2806,8 @@ public Map> getUserGroups() { return daoManager.getXXUser().findGroupsByUserIds(); } - public RangerUserStore getRangerUserStoreIfUpdated(Long lastKnownUserStoreVersion) throws Exception { - logger.debug("==> XUserMgr.getRangerUserStoreIfUpdated(lastKnownUserStoreVersion=){}", lastKnownUserStoreVersion); + public RangerUserStore getRangerUserStoreIfUpdated(Long lastKnownUserStoreVersion) { + logger.debug("==> XUserMgr.getRangerUserStoreIfUpdated(lastKnownUserStoreVersion={})", lastKnownUserStoreVersion); RangerUserStore ret = RangerUserStoreCache.getInstance().getLatestRangerUserStoreOrCached(this); @@ -2355,7 +2822,9 @@ public RangerUserStore getRangerUserStoreIfUpdated(Long lastKnownUserStoreVersio public int createOrUpdateXUsers(VXUserList users) { logger.debug("==> createOrUpdateXUsers(): Started"); + xaBizUtil.blockAuditorRoleUser(); + int ret = 0; for (VXUser vXUser : users.getList()) { 
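Review bot: `denySelfRoleChange` dereferences its `userName` parameter in `userName.equals(session.getXXPortalUser().getLoginId())` with no null guard, so a null name turns the permission check into a NullPointerException rather than a 403; `StringUtils.equals(userName, session.getXXPortalUser().getLoginId())` (already imported) is null-safe. The comparison is also case-sensitive while `hasAccess` in this file uses `equalsIgnoreCase`; if login ids are case-insensitive in this deployment, a differently-cased copy of one's own name would bypass the self-role-change guard, so `equalsIgnoreCase` is the safer choice. `createServiceConfigUser` schedules `ExternalUserCreator` for transaction commit and then immediately re-queries `findByUserName`; unless that lookup can observe the not-yet-committed work, the method presumably returns null for a newly created user, and a comment stating that contract would spare callers a surprise. The `createServiceConfigUser*` methods start just before this hunk.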
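Review bot: The `//logger.info("post usersync audit info");` line kept in `postUserGroupAuditInfo` is commented-out code; given the surrounding blank-line cleanup it should simply be removed, or restored as a `logger.debug` call if the trace is still wanted. The leading `checkAdminAccess()` is the right gate for a method that writes audit records, and a one-line comment such as `// only admins may record usersync audit entries` would make that intent explicit to the next reader. The method's closing brace is outside this hunk.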
@@ -2364,36 +2833,43 @@ public int createOrUpdateXUsers(VXUserList users) { if (userName == null || "null".equalsIgnoreCase(userName) || userName.trim().isEmpty()) { logger.warn("Ignoring user {}: invalid username", userName); + continue; } if (firstName == null || "null".equalsIgnoreCase(firstName) || firstName.trim().isEmpty()) { logger.warn("Ignoring user {}: invalid firstName {}", userName, firstName); + continue; } checkAccess(vXUser); + TransactionTemplate txTemplate = new TransactionTemplate(txManager); + txTemplate.setPropagationBehavior(TransactionDefinition.PROPAGATION_REQUIRES_NEW); try { - txTemplate.execute(new TransactionCallback() { - @Override - public Object doInTransaction(TransactionStatus status) { - VXPortalUser vXPortalUser = userMgr.getUserProfileByLoginId(userName); - if (vXPortalUser == null) { - logger.debug("create user {}", userName); - createXUser(vXUser, userName); - } else { - logger.debug("Update user {}", userName); - updateXUser(vXUser, vXPortalUser); - } - return null; + txTemplate.execute(status -> { + VXPortalUser vXPortalUser = userMgr.getUserProfileByLoginId(userName); + + if (vXPortalUser == null) { + logger.debug("create user {}", userName); + + createXUser(vXUser, userName); + } else { + logger.debug("Update user {}", userName); + + updateXUser(vXUser, vXPortalUser); } + + return null; }); } catch (Throwable ex) { logger.error("XUserMgr.createOrUpdateXUsers(): Failed to update DB for users: ", ex); + throw restErrorUtil.createRESTException("Failed to create or update users ", MessageEnums.ERROR_CREATING_OBJECT); } + ret++; } 
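Review bot: The error log in the per-user catch of `createOrUpdateXUsers`, `logger.error("XUserMgr.createOrUpdateXUsers(): Failed to update DB for users: ", ex);`, does not record which user failed even though `userName` is in scope and the loop aborts on exactly that user. For incident triage the failing identity is the key fact; `logger.error("XUserMgr.createOrUpdateXUsers(): Failed to update DB for user {}: ", userName, ex);` fixes it without changing behaviour. Because each user runs in its own `REQUIRES_NEW` transaction, users processed before the failure stay committed while later ones are never attempted; that partial-commit semantic is not evident from the REST error and deserves a comment above the loop. The method starts before this hunk.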
@@ -2404,33 +2880,41 @@ public Object doInTransaction(TransactionStatus status) { } TransactionTemplate txTemplate = new TransactionTemplate(txManager); + txTemplate.setPropagationBehavior(TransactionDefinition.PROPAGATION_REQUIRES_NEW); + try { - txTemplate.execute(new TransactionCallback() { - @Override - public Void doInTransaction(TransactionStatus status) { - int noOfRetries = 0; - Exception failureException = null; - do { - noOfRetries++; - try { - daoManager.getXXGlobalState().onGlobalAppDataChange(RANGER_GLOBAL_STATE_NAME_USER_GROUP); - logger.debug("createOrUpdateXGroups(): Successfully updated x_ranger_global_state table"); - return null; - } catch (Exception excp) { - logger.warn("createOrUpdateXGroups(): Failed to update x_ranger_global_state table and retry count = {}", noOfRetries); - failureException = excp; - } + txTemplate.execute((TransactionCallback) status -> { + int noOfRetries = 0; + Exception failureException; + + do { + noOfRetries++; + + try { + daoManager.getXXGlobalState().onGlobalAppDataChange(RANGER_GLOBAL_STATE_NAME_USER_GROUP); + + logger.debug("createOrUpdateXGroups(): Successfully updated x_ranger_global_state table"); + + return null; + } catch (Exception excp) { + logger.warn("createOrUpdateXGroups(): Failed to update x_ranger_global_state table and retry count = {}", noOfRetries); + + failureException = excp; } - while (noOfRetries <= MAX_DB_TRANSACTION_RETRIES); - logger.error("createOrUpdateXGroups(): Failed to update x_ranger_global_state table after max retries", failureException); - throw new RuntimeException(failureException); } + while (noOfRetries <= MAX_DB_TRANSACTION_RETRIES); + + logger.error("createOrUpdateXGroups(): Failed to update x_ranger_global_state table after max retries", failureException); + + throw new RuntimeException(failureException); }); } catch (Throwable ex) { logger.error("XUserMgr.createOrUpdateXUsers(): Failed to update DB for GlobalState table ", ex); + throw 
restErrorUtil.createRESTException("Failed to create or update users ", MessageEnums.ERROR_CREATING_OBJECT); } + logger.debug("<== createOrUpdateXUsers(): Done"); return ret; @@ -2441,8 +2925,10 @@ public int createOrUpdateXGroups(VXGroupList groups) { for (VXGroup vXGroup : groups.getList()) { if (vXGroup == null || vXGroup.getName() == null || "null".equalsIgnoreCase(vXGroup.getName()) || vXGroup.getName().trim().isEmpty()) { logger.warn("Ignoring invalid groupname {}", vXGroup == null ? null : vXGroup.getName()); + continue; } + createXGroupWithoutLogin(vXGroup); } 
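Review bot: The retry loop in `createOrUpdateXUsers` prefixes every message with `createOrUpdateXGroups():` (`Failed to update x_ranger_global_state table and retry count`, `Successfully updated ...`, `... after max retries`) while the enclosing catch and the trailing debug line name `createOrUpdateXUsers`; during an incident those prefixes point at the wrong entry point, so rename them to `createOrUpdateXUsers():`. The retries also run inside a single `REQUIRES_NEW` transaction; if a failed `onGlobalAppDataChange` leaves the JPA transaction marked rollback-only, later iterations cannot succeed and the loop only delays the eventual failure — that depends on the DAO and is not visible here, so a comment explaining why retrying within the same transaction is safe would help. The method begins before this hunk.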
@@ -2453,25 +2939,41 @@ public int createOrUpdateXGroups(VXGroupList groups) { public int createOrDeleteXGroupUserList(List groupUserInfoList) { int updatedGroups = 0; - Long mb = 1024L * 1024L; - logger.debug("==>> createOrDeleteXGroupUserList"); - logger.debug("Max memory = {} Free memory = {} Total memory = {}", Runtime.getRuntime().maxMemory() / mb, Runtime.getRuntime().freeMemory() / mb, Runtime.getRuntime().totalMemory() / mb); + long mb = 1024L * 1024L; + + if (logger.isDebugEnabled()) { + logger.debug("==>> createOrDeleteXGroupUserList"); + logger.debug("Max memory = {} Free memory = {} Total memory = {}", Runtime.getRuntime().maxMemory() / mb, Runtime.getRuntime().freeMemory() / mb, Runtime.getRuntime().totalMemory() / mb); + } + checkAdminAccess(); + xaBizUtil.blockAuditorRoleUser(); + if (CollectionUtils.isNotEmpty(groupUserInfoList)) { logger.debug("No. of groups to be updated = {}", groupUserInfoList.size()); + Map usersFromDB = daoManager.getXXUser().getAllUserIds(); + if (MapUtils.isNotEmpty(usersFromDB)) { - logger.debug("No. of users in DB = {}", usersFromDB.size()); - logger.debug("After users from DB - Max memory = {} Free memory = {} Total memory = {}", Runtime.getRuntime().maxMemory() / mb, Runtime.getRuntime().freeMemory() / mb, Runtime.getRuntime().totalMemory() / mb); + if (logger.isDebugEnabled()) { + logger.debug("No. 
of users in DB = {}", usersFromDB.size()); + logger.debug("After users from DB - Max memory = {} Free memory = {} Total memory = {}", Runtime.getRuntime().maxMemory() / mb, Runtime.getRuntime().freeMemory() / mb, Runtime.getRuntime().totalMemory() / mb); + } + for (GroupUserInfo groupUserInfo : groupUserInfoList) { xGroupUserService.createOrDeleteXGroupUsers(groupUserInfo, usersFromDB); } + updatedGroups = groupUserInfoList.size(); } } - logger.debug("<<== createOrDeleteXGroupUserList"); - logger.debug("Max memory = {} Free memory = {} Total memory = {}", Runtime.getRuntime().maxMemory() / mb, Runtime.getRuntime().freeMemory() / mb, Runtime.getRuntime().totalMemory() / mb); + + if (logger.isDebugEnabled()) { + logger.debug("<<== createOrDeleteXGroupUserList"); + logger.debug("Max memory = {} Free memory = {} Total memory = {}", Runtime.getRuntime().maxMemory() / mb, Runtime.getRuntime().freeMemory() / mb, Runtime.getRuntime().totalMemory() / mb); + } + return updatedGroups; } 
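Review bot: `createOrDeleteXGroupUserList` returns `groupUserInfoList.size()` as `updatedGroups` regardless of what `xGroupUserService.createOrDeleteXGroupUsers` did for each entry, so the count reported to the caller (presumably usersync) says every group was updated even when individual entries were skipped or only partially applied. If the callee cannot report a per-group outcome, a comment on the return value stating that it is the number of groups attempted, not confirmed, would prevent misreading it; otherwise count only successful calls. Note also that when `usersFromDB` is empty the whole batch is silently skipped and 0 is returned without a log line, which merits at least a warn. The method signature is the hunk's context line, just before the hunk.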
@@ -2483,25 +2985,30 @@ public List updateUserRoleAssignments(UsersGroupRoleAssignments ugRoleAs Map groupMap = ugRoleAssignments.getGroupRoleAssignments(); Map whiteListUserMap = ugRoleAssignments.getWhiteListUserRoleAssignments(); Map whiteListGroupMap = ugRoleAssignments.getWhiteListGroupRoleAssignments(); + logger.debug("Request users for role updates = {}", requestedUsers); // For each user get groups and compute roles based on group role assignments for (String userName : requestedUsers) { VXPortalUser vXPortalUser = userMgr.getUserProfileByLoginId(userName); + if (vXPortalUser == null) { logger.info("{} doesn't exist and hence ignoring role assignments", userName); + continue; } + if (vXPortalUser.getUserSource() != RangerCommonEnums.USER_EXTERNAL) { logger.info("{} is internal to ranger admin and hence ignoring role assignments", userName); + continue; } logger.debug("Computing role for {}", userName); - Set groupUsers = getGroupsForUser(userName); + Set groupUsers = getGroupsForUser(userName); + String userRole = RangerConstants.ROLE_USER; - String userRole = RangerConstants.ROLE_USER; if (MapUtils.isNotEmpty(userMap) && userMap.containsKey(userName)) { // Add the user role that is defined in user role assignments userRole = userMap.get(userName); @@ -2509,6 +3016,7 @@ public List updateUserRoleAssignments(UsersGroupRoleAssignments ugRoleAs for (String group : groupMap.keySet()) { if (groupUsers.contains(group)) { String value = groupMap.get(group); + if (value != null) { userRole = value; break; @@ -2523,6 +3031,7 @@ public List updateUserRoleAssignments(UsersGroupRoleAssignments ugRoleAs for (String group : whiteListGroupMap.keySet()) { if (groupUsers.contains(group)) { String value = whiteListGroupMap.get(group); + if (value != null) { userRole = value; break; 
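Review bot: In `updateUserRoleAssignments` the loops over `groupMap.keySet()` and `whiteListGroupMap.keySet()` take the first group containing the user and `break`, so a user who belongs to two mapped groups with different roles receives whichever group the map's iteration order yields first. If those maps are `HashMap`s (their construction is outside this view), the assigned role is effectively arbitrary and can change between runs, which is a poor property for a privilege decision; iterate a deterministically ordered view (`new TreeMap<>(groupMap).entrySet()`) or pick the role by an explicit precedence rule and document it. A comment above the loops stating the intended precedence (user map, then group map, then the whitelist maps, which silently override the earlier result) would also help. The method continues beyond this hunk.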
@@ -2532,14 +3041,16 @@ public List updateUserRoleAssignments(UsersGroupRoleAssignments ugRoleAs } if (!vXPortalUser.getUserRoleList().contains(userRole)) { - logger.debug(String.format("Updating role for %s to %s", userName, userRole)); + logger.debug("Updating role for {} to {}", userName, userRole); + //Update the role of the user only if newly computed role is different from the existing role. String updatedUser = setRolesByUserName(userName, Collections.singletonList(userRole)); + if (updatedUser != null) { updatedUsers.add(updatedUser); } } else { - logger.debug(String.format("Role for %s unchanged: %s", userName, userRole)); + logger.debug("Role for {} unchanged: {}", userName, userRole); } if (ugRoleAssignments.isReset()) { // use below data structure only when reset is true 
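Review bot: `vXPortalUser.getUserRoleList().contains(userRole)` assumes the role list is non-null; if a portal user record can carry a null role list (not visible here), the assignment pass dies with a NullPointerException for that user instead of reaching `setRolesByUserName`. A null-safe form is `Collection<String> currentRoles = vXPortalUser.getUserRoleList(); if (currentRoles == null || !currentRoles.contains(userRole)) {`. The enclosing method extends beyond this hunk on both sides.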
@@ -2550,51 +3061,68 @@ public List updateUserRoleAssignments(UsersGroupRoleAssignments ugRoleAs // Reset the role of any other users that are not part of the updated role assignments rules if (ugRoleAssignments.isReset() && ugRoleAssignments.isLastPage()) { List externalUsersWithNonUserRole = daoManager.getXXPortalUser().getNonUserRoleExternalUsers(); + logger.debug("Existing external users with roles excluding ROLE_USER role: {}", externalUsersWithNonUserRole); + for (String userName : externalUsersWithNonUserRole) { if (!roleAssignmentUpdatedUsers.contains(userName)) { logger.debug("Resetting to ROLE_USER for {}", userName); + String updatedUser = setRolesByUserName(userName, Collections.singletonList(RangerConstants.ROLE_USER)); + if (updatedUser != null) { updatedUsers.add(updatedUser); } } } + roleAssignmentUpdatedUsers.clear(); } + return updatedUsers; } public int updateDeletedUsers(Set deletedUsers) { for (String deletedUser : deletedUsers) { XXUser xUser = daoManager.getXXUser().findByUserName(deletedUser); + if (xUser != null) { VXUser vObj = xUserService.populateViewBean(xUser); + vObj.setIsVisible(RangerCommonEnums.IS_HIDDEN); + xUserService.updateResource(vObj); } } + return deletedUsers.size(); } public int updateDeletedGroups(Set deletedGroups) { for (String deletedGroup : deletedGroups) { XXGroup xGroup = daoManager.getXXGroup().findByGroupName(deletedGroup); + if (xGroup != null) { VXGroup vObj = xGroupService.populateViewBean(xGroup); + vObj.setIsVisible(RangerCommonEnums.IS_HIDDEN); + xGroupService.updateResource(vObj); } } + return deletedGroups.size(); } public VXUserList lookupXUsers(SearchCriteria searchCriteria) { VXUserList vXUserList = new VXUserList(); + if (StringUtils.isBlank(searchCriteria.getSortBy())) { searchCriteria.setSortBy("id"); } + vXUserList = xUserService.lookupXUsers(searchCriteria, vXUserList); + return vXUserList; } 
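Review bot: `updateDeletedUsers` and `updateDeletedGroups` return `deletedUsers.size()` / `deletedGroups.size()` although entries for which `findByUserName` / `findByGroupName` returns null are skipped, so the caller cannot tell how many records were actually hidden. Counting only the branches that reach `updateResource` gives an accurate figure; if input size is the intended contract, a Javadoc line saying so (and that unknown names are silently ignored) would avoid the confusion. The reset pass at the top of the hunk relies on `roleAssignmentUpdatedUsers`, whose declaration is outside this view; if it is an instance field on a singleton bean, concurrent paginated calls would share and clear it, which is worth confirming. `updateUserRoleAssignments` starts before this hunk.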
@@ -2604,10 +3132,14 @@ public Map getUserCountByRole() { protected VXGroupUser createXGroupUser(Long userId, Long groupId) { VXGroupUser vXGroupUser = new VXGroupUser(); + vXGroupUser.setParentGroupId(groupId); vXGroupUser.setUserId(userId); + VXGroup vXGroup = xGroupService.readResource(groupId); + vXGroupUser.setName(vXGroup.getName()); + vXGroupUser = xGroupUserService.createResource(vXGroupUser); return vXGroupUser; @@ -2615,10 +3147,13 @@ protected VXGroupUser createXGroupUser(Long userId, Long groupId) { protected void updateXgroupUserForGroupUpdate(VXGroup vXGroup) { List grpUsers = daoManager.getXXGroupUser().findByGroupId(vXGroup.getId()); + if (CollectionUtils.isNotEmpty(grpUsers)) { for (XXGroupUser grpUser : grpUsers) { VXGroupUser vXGroupUser = xGroupUserService.populateViewBean(grpUser); + vXGroupUser.setName(vXGroup.getName()); + updateXGroupUser(vXGroupUser); } } @@ -2626,14 +3161,16 @@ protected void updateXgroupUserForGroupUpdate(VXGroup vXGroup) { protected void validatePassword(VXUser vXUser) { if (vXUser.getPassword() != null && !vXUser.getPassword().isEmpty()) { - boolean checkPassword = false; - checkPassword = vXUser.getPassword().trim().matches(StringUtil.VALIDATION_CRED); + boolean checkPassword = vXUser.getPassword().trim().matches(StringUtil.VALIDATION_CRED); + if (!checkPassword) { logger.warn("validatePassword(). Password should be minimum 8 characters, at least one uppercase letter, one lowercase letter and one numeric."); + throw restErrorUtil.createRESTException("serverMsg.xuserMgrValidatePassword", MessageEnums.INVALID_PASSWORD, null, "Password should be minimum 8 characters, at least one uppercase letter, one lowercase letter and one numeric.", null); } } else { logger.warn("validatePassword(). Password cannot be blank/null."); + throw restErrorUtil.createRESTException("serverMsg.xuserMgrValidatePassword", MessageEnums.INVALID_PASSWORD, null, "Password cannot be blank/null", null); } } 
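Review bot: `validatePassword` checks `vXUser.getPassword().trim()` but leaves the original value on the object, so if the caller later persists the untrimmed string (not visible here) the policy is evaluated against a different value than the one stored; either validate the raw value or normalise it on the object before validating. `String.matches(StringUtil.VALIDATION_CRED)` recompiles the regex on every call on the user-creation path; compiling it once as a `static final Pattern` and using `matcher(...).matches()` is the usual idiom. The human-readable policy text is duplicated between the warn line and the REST message, and a single constant would keep them in sync. The hunk ends after `validatePassword`, inside the class.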
@@ -2641,11 +3178,15 @@ protected void validatePassword(VXUser vXUser) { private List createOrDelGrpUserWithUpdatedGrpId(VXUser vXUser, Collection groupIdList, Long userId, List groupUsersToRemove) { Collection groupNamesSet = new HashSet<>(); List trxLogList = new ArrayList<>(); + if (groupIdList != null) { SearchCriteria searchCriteria = new SearchCriteria(); + searchCriteria.addParam("xUserId", userId); + VXGroupUserList vXGroupUserList = xGroupUserService.searchXGroupUsers(searchCriteria); List vXGroupUsers = vXGroupUserList.getList(); + if (vXGroupUsers != null) { for (VXGroupUser eachVXGrpUser : vXGroupUsers) { groupNamesSet.add(eachVXGrpUser.getName()); @@ -2654,18 +3195,22 @@ private List createOrDelGrpUserWithUpdatedGrpId(VXUser vXUser, Colle // Create for (Long groupId : groupIdList) { boolean found = false; + for (VXGroupUser vXGroupUser : vXGroupUsers) { if (groupId.equals(vXGroupUser.getParentGroupId())) { found = true; break; } } + if (!found) { VXGroupUser vXGroupUser = createXGroupUser(userId, groupId); List groupUserTrxLogs = xGroupUserService.getTransactionLog(vXGroupUser, null, OPERATION_CREATE_CONTEXT); + if (CollectionUtils.isNotEmpty(groupUserTrxLogs)) { trxLogList.addAll(groupUserTrxLogs); } + groupNamesSet.add(vXGroupUser.getName()); } } 
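Review bot: In `createOrDelGrpUserWithUpdatedGrpId` the create pass calls `groupId.equals(vXGroupUser.getParentGroupId())` for each element of `groupIdList`, so a null element in a client-supplied list throws NullPointerException (surfacing as a 500) instead of a validation error; the delete pass repeats the same dereference. If `groupIdList` originates from the REST payload, reject nulls up front, e.g. `if (groupId == null) { throw restErrorUtil.createRESTException("Group id cannot be null", MessageEnums.INVALID_INPUT_DATA); }` at the top of the loop, or use `Objects.equals(groupId, vXGroupUser.getParentGroupId())`. The method continues past this hunk.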
@@ -2673,22 +3218,28 @@ private List createOrDelGrpUserWithUpdatedGrpId(VXUser vXUser, Colle // Delete for (VXGroupUser vXGroupUser : vXGroupUsers) { boolean found = false; + for (Long groupId : groupIdList) { if (groupId.equals(vXGroupUser.getParentGroupId())) { List groupUserTrxLogs = xGroupUserService.getTransactionLog(vXGroupUser, null, OPERATION_UPDATE_CONTEXT); + if (CollectionUtils.isNotEmpty(groupUserTrxLogs)) { trxLogList.addAll(groupUserTrxLogs); } + found = true; break; } } + if (!found) { // TODO I've to get the transaction log from here. List groupUserTrxLogs = xGroupUserService.getTransactionLog(vXGroupUser, null, OPERATION_DELETE_CONTEXT); + if (CollectionUtils.isNotEmpty(groupUserTrxLogs)) { trxLogList.addAll(groupUserTrxLogs); } + groupUsersToRemove.add(vXGroupUser.getId()); // xGroupUserService.deleteResource(vXGroupUser.getId()); groupNamesSet.remove(vXGroupUser.getName()); 
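Review bot: The delete pass keeps `// TODO I've to get the transaction log from here.` and the commented-out `// xGroupUserService.deleteResource(vXGroupUser.getId());` next to code that already does both: the transaction log is fetched on the line below the TODO, and deletion is deferred through `groupUsersToRemove`. Both comments are stale and suggest unfinished work; replace them with one line explaining the deferral, e.g. `// collect ids now; the actual delete runs after the loop so the trx log is captured first`. The method starts and ends outside this hunk.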
@@ -2698,27 +3249,34 @@ private List createOrDelGrpUserWithUpdatedGrpId(VXUser vXUser, Colle for (Long groupId : groupIdList) { VXGroupUser vXGroupUser = createXGroupUser(userId, groupId); List groupUserTrxLogs = xGroupUserService.getTransactionLog(vXGroupUser, null, OPERATION_CREATE_CONTEXT); + if (CollectionUtils.isNotEmpty(groupUserTrxLogs)) { trxLogList.addAll(groupUserTrxLogs); } + groupNamesSet.add(vXGroupUser.getName()); } } + vXUser.setGroupIdList(groupIdList); vXUser.setGroupNameList(new ArrayList<>(groupNamesSet)); } else { logger.debug("Group id list can't be null for user. Group user mapping not updated for user : {}", userId); } + for (Long groupUserId : groupUsersToRemove) { xGroupUserService.deleteResource(groupUserId); } + return trxLogList; } private boolean hasAccessToGetUserInfo(VXUser requestedVXUser) { UserSessionBase userSession = ContextUtil.getCurrentUserSession(); + if (userSession != null && userSession.getLoginId() != null) { VXUser loggedInVXUser = xUserService.getXUserByUserName(userSession.getLoginId()); + if (requestedVXUser != null && CollectionUtils.isNotEmpty(requestedVXUser.getUserRoleList()) && loggedInVXUser != null && loggedInVXUser.getUserRoleList().size() == 1) { if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) { return requestedVXUser.getId().equals(loggedInVXUser.getId()); @@ -2733,15 +3291,19 @@ private boolean hasAccessToGetUserInfo(VXUser requestedVXUser) { } } } + return false; } private void populatePageList(List permMapList, int startIndex, int pageSize, VXPermMapList vxPermMapList) { - List onePageList = new ArrayList(); + List onePageList = new ArrayList<>(); + for (int i = startIndex; i < pageSize + startIndex && i < permMapList.size(); i++) { VXPermMap vXPermMap = permMapList.get(i); + onePageList.add(vXPermMap); } + vxPermMapList.setVXPermMaps(onePageList); vxPermMapList.setStartIndex(startIndex); vxPermMapList.setPageSize(pageSize); 
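Review bot: `populatePageList` indexes `permMapList.get(i)` from `startIndex` with no lower bound, so a negative `startIndex` throws `IndexOutOfBoundsException`, and `pageSize + startIndex` can overflow to a negative value for a very large `pageSize`, in which case the loop silently yields an empty page. If these values come from client-supplied `SearchCriteria` (their origin is not visible here), clamp them first: `int from = Math.max(0, startIndex); int to = (int) Math.min((long) from + pageSize, permMapList.size());` and loop from `from` to `to`. `hasAccessToGetUserInfo` in the same hunk only enters its role checks when the caller has exactly one role; a short comment on why multi-role callers fall through to the later branches would help the next reader. Both methods extend beyond this hunk.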
@@ -2750,11 +3312,14 @@ private void populatePageList(List permMapList, int startIndex, int p } private void populatePageList(List auditMapList, int startIndex, int pageSize, VXAuditMapList vxAuditMapList) { - List onePageList = new ArrayList(); + List onePageList = new ArrayList<>(); + for (int i = startIndex; i < pageSize + startIndex && i < auditMapList.size(); i++) { VXAuditMap vXAuditMap = auditMapList.get(i); + onePageList.add(vXAuditMap); } + vxAuditMapList.setVXAuditMaps(onePageList); vxAuditMapList.setStartIndex(startIndex); vxAuditMapList.setPageSize(pageSize); 
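Review bot: This `populatePageList` overload for `VXAuditMap` is a line-for-line copy of the `VXPermMap` one above it, differing only in element type and setter name, so any bounds fix (negative `startIndex`, `pageSize + startIndex` overflow) has to be remembered in both places. A small generic helper, `private static <T> List<T> pageOf(List<T> all, int startIndex, int pageSize)`, would let both overloads share the slicing and the bounds handling. The hunk ends before the method's closing brace.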
@@ -2764,88 +3329,114 @@ private void populatePageList(List auditMapList, int startIndex, int private void blockIfZoneGroup(Long grpId) { List zoneRefGrpList = daoManager.getXXSecurityZoneRefGroup().findByGroupId(grpId); + if (CollectionUtils.isNotEmpty(zoneRefGrpList)) { StringBuilder zones = new StringBuilder(); + for (XXSecurityZoneRefGroup zoneRefGrp : zoneRefGrpList) { XXSecurityZone xSecZone = daoManager.getXXSecurityZoneDao().getById(zoneRefGrp.getZoneId()); + if (zones.indexOf(xSecZone.getName()) < 0) { - zones.append(xSecZone.getName() + ","); + zones.append(xSecZone.getName()).append(","); } } + this.prepareAndThrow(zoneRefGrpList.get(0).getGroupName(), RangerConstants.MODULE_SECURITY_ZONE, zones, GROUP); } } private void blockIfZoneUser(Long id) { List zoneRefUserList = daoManager.getXXSecurityZoneRefUser().findByUserId(id); + if (CollectionUtils.isNotEmpty(zoneRefUserList)) { StringBuilder zones = new StringBuilder(); + for (XXSecurityZoneRefUser zoneRefUser : zoneRefUserList) { XXSecurityZone xSecZone = daoManager.getXXSecurityZoneDao().getById(zoneRefUser.getZoneId()); + if (zones.indexOf(xSecZone.getName()) < 0) { - zones.append(xSecZone.getName() + ","); + zones.append(xSecZone.getName()).append(","); } } + this.prepareAndThrow(zoneRefUserList.get(0).getUserName(), RangerConstants.MODULE_SECURITY_ZONE, zones, USER); } } private void blockIfRoleUser(Long id) { List roleRefUsers = this.daoManager.getXXRoleRefUser().findByUserId(id); + if (CollectionUtils.isNotEmpty(roleRefUsers)) { StringBuilder roles = new StringBuilder(); + for (XXRoleRefUser roleRefUser : roleRefUsers) { XXRole xxRole = this.daoManager.getXXRole().getById(roleRefUser.getRoleId()); final String roleName = xxRole.getName(); + if (roles.indexOf(roleName) < 0) { - roles.append(roleName + ","); + roles.append(roleName).append(","); } } + final String roleRefUserName = roleRefUsers.get(0).getUserName(); + this.prepareAndThrow(roleRefUserName, RangerConstants.ROLE_FIELD, roles, USER); } } 
private void blockIfRoleGroup(Long id) { List roleRefGroups = this.daoManager.getXXRoleRefGroup().findByGroupId(id); + if (CollectionUtils.isNotEmpty(roleRefGroups)) { StringBuilder roles = new StringBuilder(); + for (XXRoleRefGroup roleRefGroup : roleRefGroups) { XXRole xxRole = this.daoManager.getXXRole().getById(roleRefGroup.getRoleId()); final String roleName = xxRole.getName(); + if (roles.indexOf(roleName) < 0) { - roles.append(roleName + ","); + roles.append(roleName).append(","); } } + final String roleRefGroupName = roleRefGroups.get(0).getGroupName(); + this.prepareAndThrow(roleRefGroupName, RangerConstants.ROLE_FIELD, roles, GROUP); } } private void prepareAndThrow(String userGrpName, String moduleName, StringBuilder rolesOrZones, String userOrGrp) { logger.error("Can Not Delete {}:{}", userOrGrp, userGrpName); + VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST); vXResponse.setMsgDesc("Can Not Delete " + userOrGrp + ": '" + userGrpName + "' as its present in " + moduleName + " : " + rolesOrZones.deleteCharAt(rolesOrZones.length() - 1)); + throw restErrorUtil.generateRESTException(vXResponse); } private void removeUserGroupReferences(List policyItems, String user, String group) { List itemsToRemove = null; + for (T policyItem : policyItems) { if (StringUtils.isNotEmpty(user)) { policyItem.removeUser(user); } + if (StringUtils.isNotEmpty(group)) { policyItem.removeGroup(group); } + if (policyItem.getUsers().isEmpty() && policyItem.getGroups().isEmpty() && policyItem.getRoles().isEmpty()) { if (itemsToRemove == null) { - itemsToRemove = new ArrayList(); + itemsToRemove = new ArrayList<>(); } + itemsToRemove.add(policyItem); } } + if (CollectionUtils.isNotEmpty(itemsToRemove)) { policyItems.removeAll(itemsToRemove); } 
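Review bot: The four `blockIf*` methods deduplicate names with `zones.indexOf(name) < 0` / `roles.indexOf(roleName) < 0` on a `StringBuilder`, which is a substring test: a zone or role whose name is contained in one already appended (e.g. `sales` after `sales-eu,`) is dropped from the error message. Collect the names in a `LinkedHashSet<String>` and pass `String.join(",", names)` to `prepareAndThrow`, which also removes the `deleteCharAt(length() - 1)` trailing-comma trick there. `getXXSecurityZoneDao().getById(...)` and `getXXRole().getById(...)` are dereferenced without a null check; whether a dangling reference row can exist is not visible here, but a guard would turn a NullPointerException into the intended 400. `removeUserGroupReferences` runs past the end of this hunk.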
@@ -2853,22 +3444,30 @@ private void removeUserGroupReferences(List poli private void createXUser(VXUser vXUser, String username) { logger.debug("Creating user: {}", username); + VXPortalUser vXPortalUser = new VXPortalUser(); + vXPortalUser.setLoginId(username); vXPortalUser.setFirstName(vXUser.getFirstName()); + if ("null".equalsIgnoreCase(vXPortalUser.getFirstName())) { vXPortalUser.setFirstName(""); } + vXPortalUser.setLastName(vXUser.getLastName()); + if ("null".equalsIgnoreCase(vXPortalUser.getLastName())) { vXPortalUser.setLastName(""); } String emailAddress = vXUser.getEmailAddress(); + if (StringUtils.isNotEmpty(emailAddress) && !stringUtil.validateEmail(emailAddress)) { logger.warn("Invalid email address:{}", emailAddress); + throw restErrorUtil.createRESTException("Please provide valid email address.", MessageEnums.INVALID_INPUT_DATA); } + vXPortalUser.setEmailAddress(emailAddress); if (vXPortalUser.getFirstName() != null && vXPortalUser.getLastName() != null && !vXPortalUser.getFirstName().trim().isEmpty() && !vXPortalUser.getLastName().trim().isEmpty()) { @@ -2879,15 +3478,19 @@ private void createXUser(VXUser vXUser, String username) { vXPortalUser.setStatus(RangerCommonEnums.STATUS_ENABLED); vXPortalUser.setUserSource(RangerCommonEnums.USER_EXTERNAL); + String saltEncodedpasswd = userMgr.encrypt(username, vXUser.getPassword()); + vXPortalUser.setPassword(saltEncodedpasswd); vXPortalUser.setUserRoleList(vXUser.getUserRoleList()); + XXPortalUser user = userMgr.mapVXPortalUserToXXPortalUser(vXPortalUser); user = daoManager.getXXPortalUser().create(user); // Create the UserRole for this user Collection userRoleList = vXUser.getUserRoleList(); + if (userRoleList != null) { for (String userRole : userRoleList) { userMgr.addUserRole(user.getId(), userRole); 
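Review bot: `createXUser` copies `vXUser.getUserRoleList()` straight into the portal user and then calls `addUserRole` for each entry, so the roles granted come from the request object; the only visible gates are `checkAccess(vXUser)` in the caller and the later `VALID_USER_ROLE_LIST` filter in `assignPermissionToUser`, and neither is shown to verify that the caller may grant an administrative role. If `checkAccess` does not cover roles, invoke `checkAccessRoles(vXUser.getUserRoleList())`, which `setRolesByUserName` already uses, before persisting — worth confirming. `userMgr.encrypt(username, vXUser.getPassword())` is called unconditionally; for externally sourced users the password may be null and how `encrypt` treats that is not visible here, so a comment or an explicit null branch would clarify. `createXUser` continues beyond this hunk.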
@@ -2895,6 +3498,7 @@ private void createXUser(VXUser vXUser, String username) { } XXUser xUser = daoManager.getXXUser().findByUserName(vXUser.getName()); + if (xUser == null) { vXUser = xUserService.createResource(vXUser); } else { 
@@ -2903,45 +3507,55 @@ private void createXUser(VXUser vXUser, String username) { xUserService.createTransactionLog(vXUser, null, OPERATION_CREATE_CONTEXT); - if (vXPortalUser != null) { - assignPermissionToUser(vXPortalUser.getUserRoleList(), vXPortalUser.getId(), vXUser.getId(), true); - } + assignPermissionToUser(vXPortalUser.getUserRoleList(), vXPortalUser.getId(), vXUser.getId(), true); + logger.debug("Done creating user: {}", username); } private String setRolesByUserName(String userName, List roleListNewProfile) { logger.debug("==> XUserMgr.setRolesByUserName({}, {})", userName, roleListNewProfile); + String ret = null; + xaBizUtil.blockAuditorRoleUser(); + if (roleListNewProfile == null) { roleListNewProfile = new ArrayList<>(); } - if (userName != null && roleListNewProfile.size() > 0) { + if (userName != null && !roleListNewProfile.isEmpty()) { checkAccessRoles(roleListNewProfile); + VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(userName); + if (oldUserProfile != null) { denySelfRoleChange(oldUserProfile.getLoginId()); updateUserRolesPermissions(oldUserProfile, roleListNewProfile); + logger.info("<== XUserMgr.setRolesByUserName returned roles for {} are: {}", userName, roleListNewProfile); + ret = userName; } else { - logger.error("{} doesn't exist.", userName); + logger.error("{}doesn't exist.", userName); } } else { - logger.error("{} doesn't exist or new role assignments are empty", userName); + logger.error("{}doesn't exist or new role assignments are empty", userName); } + logger.debug("<== XUserMgr.setRolesByUserName({}, {}) ret = {}", userName, roleListNewProfile, ret); + return ret; } private void assignPermissionToUser(Collection vXPortalUserList, Long vXPortalUserId, Long xUserId, boolean isCreate) { HashMap moduleNameId = getAllModuleNameAndIdMap(); + if (moduleNameId != null && CollectionUtils.isNotEmpty(vXPortalUserList)) { for (String role : vXPortalUserList) { if (RangerConstants.VALID_USER_ROLE_LIST.contains(role)) { 
createOrUpdateUserPermisson(vXPortalUserId, xUserId, moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate); createOrUpdateUserPermisson(vXPortalUserId, xUserId, moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate); + if (role.equals(RangerConstants.ROLE_USER)) { createOrUpdateUserPermisson(vXPortalUserId, xUserId, moduleNameId.get(RangerConstants.MODULE_SECURITY_ZONE), isCreate); } else { 
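Review bot: Both error messages in setRolesByUserName lose the space after the placeholder on the new side, so a log line now reads like `alicedoesn't exist.` (constructed example); restore `logger.error("{} doesn't exist.", userName);` and `logger.error("{} doesn't exist or new role assignments are empty", userName);`. The `<==` prefix on the info line inside the success branch is misleading, because the real exit trace is the debug line at the end of the method; drop the prefix or fold the role list into that debug line. In assignPermissionToUser, `HashMap moduleNameId = getAllModuleNameAndIdMap();` only needs `Map`, which is the interface the rest of the method uses. assignPermissionToUser continues past the end of the hunk.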
@@ -2963,75 +3577,92 @@ private void assignPermissionToUser(Collection vXPortalUserList, Long vX private void createOrUpdateUserPermisson(Long portalUserId, Long xUserId, Long moduleId, boolean isCreate) { VXUserPermission vXUserPermission; XXUserPermission xUserPermission = daoManager.getXXUserPermission().findByModuleIdAndPortalUserId(portalUserId, moduleId); + if (xUserPermission == null) { vXUserPermission = new VXUserPermission(); // When Creating XXUserPermission UI sends xUserId, to keep it consistent here xUserId should be used vXUserPermission.setUserId(xUserId); - vXUserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED); vXUserPermission.setModuleId(moduleId); + try { vXUserPermission = this.createXUserPermission(vXUserPermission); + logger.info("Permission assigned to user: [{}] For Module: [{}]", vXUserPermission.getUserName(), vXUserPermission.getModuleName()); } catch (Exception e) { logger.error("Error while assigning permission to user: [{}] for module: [{}]", portalUserId, moduleId, e); } } else if (isCreate) { vXUserPermission = xUserPermissionService.populateViewBean(xUserPermission); + vXUserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED); + vXUserPermission = this.updateXUserPermission(vXUserPermission); + logger.info("Permission Updated for user: [{}] For Module: [{}]", vXUserPermission.getUserName(), vXUserPermission.getModuleName()); } } private VXUser updateXUser(VXUser vXUser, VXPortalUser oldUserProfile) { logger.debug("Updating user: {}", vXUser.getName()); + VXPortalUser vXPortalUser = new VXPortalUser(); + if (oldUserProfile != null && oldUserProfile.getId() != null) { vXPortalUser.setId(oldUserProfile.getId()); } vXPortalUser.setFirstName(vXUser.getFirstName()); + if ("null".equalsIgnoreCase(vXPortalUser.getFirstName())) { vXPortalUser.setFirstName(""); } + vXPortalUser.setLastName(vXUser.getLastName()); + if ("null".equalsIgnoreCase(vXPortalUser.getLastName())) { vXPortalUser.setLastName(""); } + 
vXPortalUser.setEmailAddress(vXUser.getEmailAddress()); vXPortalUser.setLoginId(vXUser.getName()); vXPortalUser.setStatus(vXUser.getStatus()); vXPortalUser.setUserRoleList(vXUser.getUserRoleList()); + if (vXPortalUser.getFirstName() != null && vXPortalUser.getLastName() != null && !vXPortalUser.getFirstName().trim().isEmpty() && !vXPortalUser.getLastName().trim().isEmpty()) { vXPortalUser.setPublicScreenName(vXPortalUser.getFirstName() + " " + vXPortalUser.getLastName()); } else { vXPortalUser.setPublicScreenName(vXUser.getName()); } + vXPortalUser.setUserSource(vXUser.getUserSource()); vXPortalUser.setSyncSource(vXUser.getSyncSource()); String hiddenPasswordString = PropertiesUtil.getProperty("ranger.password.hidden", "*****"); String password = vXUser.getPassword(); + if (oldUserProfile != null && password != null && password.equals(hiddenPasswordString)) { vXPortalUser.setPassword(oldUserProfile.getPassword()); } else if (oldUserProfile != null && oldUserProfile.getUserSource() == RangerCommonEnums.USER_EXTERNAL && password != null) { vXPortalUser.setPassword(oldUserProfile.getPassword()); + logger.debug("User is trying to change external user password which we are not allowing it to change"); } else if (password != null) { validatePassword(vXUser); vXPortalUser.setPassword(password); } - XXPortalUser xXPortalUser = new XXPortalUser(); - xXPortalUser = userMgr.updateUserWithPass(vXPortalUser); + + XXPortalUser xXPortalUser = userMgr.updateUserWithPass(vXPortalUser); //update permissions start Collection roleListUpdatedProfile = new ArrayList<>(); + if (oldUserProfile != null && oldUserProfile.getId() != null) { - if (vXUser != null && vXUser.getUserRoleList() != null) { + if (vXUser.getUserRoleList() != null) { Collection roleListOldProfile = oldUserProfile.getUserRoleList(); Collection roleListNewProfile = vXUser.getUserRoleList(); + if (roleListNewProfile != null && roleListOldProfile != null) { for (String role : roleListNewProfile) { if (role != null && 
!roleListOldProfile.contains(role)) { @@ -3041,10 +3672,13 @@ private VXUser updateXUser(VXUser vXUser, VXPortalUser oldUserProfile) { } } } - if (roleListUpdatedProfile != null && roleListUpdatedProfile.size() > 0) { + + if (!roleListUpdatedProfile.isEmpty()) { vXPortalUser.setUserRoleList(roleListUpdatedProfile); + List xuserPermissionList = daoManager.getXXUserPermission().findByUserPermissionId(vXPortalUser.getId()); - if (xuserPermissionList != null && xuserPermissionList.size() > 0) { + + if (xuserPermissionList != null && !xuserPermissionList.isEmpty()) { for (XXUserPermission xXUserPermission : xuserPermissionList) { if (xXUserPermission != null) { try { 
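Review bot: The create branch of createOrUpdateUserPermisson (`xUserPermission == null`) no longer calls `vXUserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED)` while the `else if (isCreate)` branch still does; unless VXUserPermission initialises isAllowed to IS_ALLOWED (its constructor is not visible here), a freshly created module permission is now persisted with whatever the bean's default is, so either restore `vXUserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED);` before the `createXUserPermission` call or add a comment stating that the default is relied on. In updateXUser, the branch that keeps the old password for USER_EXTERNAL users reports the rejected change only at debug level while the caller receives a successful update; log it at info with the login id (never the password value), or reject the request explicitly so the silent no-op is visible. updateXUser continues past the end of this hunk.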
@@ -3056,35 +3690,45 @@ private VXUser updateXUser(VXUser vXUser, VXPortalUser oldUserProfile) { } } } + //update permissions end Collection roleList = new ArrayList<>(); + if (xXPortalUser != null) { roleList = userMgr.getRolesForUser(xXPortalUser); } - if (roleList == null || roleList.size() == 0) { + + if (roleList == null || roleList.isEmpty()) { roleList = new ArrayList<>(); + roleList.add(RangerConstants.ROLE_USER); } // TODO I've to get the transaction log from here. // There is nothing to log anything in XXUser so far. XXUser xUser = daoManager.getXXUser().findByUserName(vXUser.getName()); + if (xUser == null) { logger.warn("Could not find corresponding xUser for username: [{}], So not updating this user", vXPortalUser.getLoginId()); + return vXUser; } VXUser existing = xUserService.populateViewBean(xUser); logger.info("xUser.getName() = {} vXUser.getName() = {}", xUser.getName(), vXUser.getName()); + vXUser.setId(xUser.getId()); + try { vXUser = xUserService.updateResource(vXUser); } catch (Exception ex) { logger.warn("Failed to update username {}", vXUser.getName()); logger.debug("Failed to update username {}", vXUser.getName(), ex); } + vXUser.setUserRoleList(roleList); + if (oldUserProfile != null) { if (oldUserProfile.getUserSource() == RangerCommonEnums.USER_APP) { vXUser.setPassword(password); @@ -3094,9 +3738,11 @@ private VXUser updateXUser(VXUser vXUser, VXPortalUser oldUserProfile) { } List trxLogList = xUserService.getTransactionLog(vXUser, existing, OPERATION_UPDATE_CONTEXT); + vXUser.setPassword(hiddenPasswordString); Long userId = vXUser.getId(); + assignPermissionToUser(vXPortalUser.getUserRoleList(), vXPortalUser.getId(), userId, true); xaBizUtil.createTrxLog(trxLogList); 
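Review bot: `logger.info("xUser.getName() = {} vXUser.getName() = {}", ...)` in updateXUser reads as leftover debugging output and fires on every user update; make it `logger.debug(...)` or remove it. The `catch (Exception ex)` around `xUserService.updateResource(vXUser)` logs a warning and then carries on to assign permissions and write transaction logs as if the update had succeeded, so a failed update still yields an audit record and permission changes; if that is intended, a comment on the catch should say why, otherwise rethrow through `restErrorUtil`. The `// TODO I've to get the transaction log from here.` comment looks stale now that `getTransactionLog` is called later in the method. updateXUser continues into the next hunk.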
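Review bot: updateXUser calls `assignPermissionToUser(vXPortalUser.getUserRoleList(), vXPortalUser.getId(), userId, true)` with `isCreate` set to true on the update path; createOrUpdateUserPermisson uses that flag to decide whether an existing permission row is re-enabled and rewritten, so the value looks deliberate, but nothing says so — a comment such as `// isCreate=true: re-enable and rewrite existing module permissions for the updated role set` would make the intent explicit, or the flag should be false if that effect is not wanted. The transaction-log entry is built before `vXUser.setPassword(hiddenPasswordString)`, so the bean handed to `getTransactionLog` still carries the raw password assigned in the USER_APP branch above; worth confirming that the log service masks it. updateXUser continues past the end of this hunk.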
@@ -3130,17 +3776,26 @@ private void createExternalUser() { logger.debug("==> ExternalUserCreator.createExternalUser(username={}", userName); XXPortalUser xXPortalUser = daoManager.getXXPortalUser().findByLoginId(userName); + if (xXPortalUser == null) { logger.debug("createExternalUser(): Couldn't find {} and hence creating user in x_portal_user table", userName); + VXPortalUser vXPortalUser = new VXPortalUser(); + vXPortalUser.setLoginId(userName); vXPortalUser.setUserSource(RangerCommonEnums.USER_EXTERNAL); + ArrayList roleList = new ArrayList<>(); + roleList.add(RangerConstants.ROLE_USER); + vXPortalUser.setUserRoleList(roleList); + xXPortalUser = userMgr.mapVXPortalUserToXXPortalUser(vXPortalUser); + try { xXPortalUser = userMgr.createUser(xXPortalUser, RangerCommonEnums.STATUS_ENABLED, roleList); + logger.debug("createExternalUser(): Successfully created user in x_portal_user table {}", xXPortalUser.getLoginId()); } catch (Exception ex) { throw new RuntimeException("Failed to create user " + userName + " in x_portal_user table. retrying", ex); @@ -3150,14 +3805,19 @@ private void createExternalUser() { VXUser createdXUser = null; String actualPassword = ""; XXUser xXUser = daoManager.getXXUser().findByUserName(userName); - if (xXPortalUser != null && xXUser == null) { + + if (xXUser == null) { VXUser vXUser = new VXUser(); + vXUser.setName(userName); vXUser.setUserSource(RangerCommonEnums.USER_EXTERNAL); vXUser.setDescription(vXUser.getName()); + actualPassword = vXUser.getPassword(); + try { createdXUser = xUserService.createResource(vXUser); + logger.debug("createExternalUser(): Successfully created user in x_user table {}", vXUser.getName()); } catch (Exception ex) { throw new RuntimeException("Failed to create user " + userName + " in x_user table. retrying", ex); 
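Review bot: `ArrayList roleList = new ArrayList<>();` in createExternalUser should be declared against the interface, `List<String> roleList = new ArrayList<>();` (type argument inferred from `roleList.add(RangerConstants.ROLE_USER)`; generics are not rendered on this page), which is all `setUserRoleList` and `createUser` need. The wrapped exception message ends in `retrying`, but nothing in this hunk retries; if the caller does, a comment should say so, otherwise the wording misleads whoever reads the log. createExternalUser starts before this hunk and continues into the next one.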
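Review bot: The `xXPortalUser != null` guard was dropped from `if (xXUser == null)` here and from the `mapXXPortalUserToVXPortalUserForDefaultAccount` call in the next hunk; that is only safe if `userMgr.createUser(...)` in the previous hunk never returns null, which is not visible here — if it can, the failure now surfaces as an NPE wrapped in the generic "Error while assigning permissions" RuntimeException instead of a clear message. A check right after creation, `Objects.requireNonNull(xXPortalUser, "createUser returned null for " + userName);` (or an explicit null check with the same message), keeps the simplification and gives a precise failure. Separately, `actualPassword = vXUser.getPassword()` reads a VXUser on which nothing in this method has set a password, so the value is whatever VXUser's default is; a comment stating what is expected there would help.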
@@ -3166,20 +3826,23 @@ private void createExternalUser() { if (createdXUser != null) { logger.info("User created: {}", createdXUser.getName()); + try { createdXUser.setPassword(actualPassword); + xUserService.createTransactionLog(createdXUser, null, OPERATION_CREATE_CONTEXT); + String hiddenPassword = PropertiesUtil.getProperty("ranger.password.hidden", "*****"); + createdXUser.setPassword(hiddenPassword); } catch (Exception ex) { throw new RuntimeException("Error while creating trx logs for user: " + createdXUser.getName(), ex); } try { - if (xXPortalUser != null) { - VXPortalUser createdXPortalUser = userMgr.mapXXPortalUserToVXPortalUserForDefaultAccount(xXPortalUser); - assignPermissionToUser(createdXPortalUser, true); - } + VXPortalUser createdXPortalUser = userMgr.mapXXPortalUserToVXPortalUserForDefaultAccount(xXPortalUser); + + assignPermissionToUser(createdXPortalUser, true); } catch (Exception ex) { throw new RuntimeException("Error while assigning permissions to user: " + createdXUser.getName(), ex); } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgrBase.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgrBase.java index 6400e57534..d3bb1f6c99 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgrBase.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgrBase.java @@ -81,11 +81,13 @@ public VXGroup getXGroup(Long id) { public VXGroup createXGroup(VXGroup vXGroup) { vXGroup = xGroupService.createResource(vXGroup); + return vXGroup; } public VXGroup updateXGroup(VXGroup vXGroup) { vXGroup = xGroupService.updateResource(vXGroup); + return vXGroup; } @@ -111,11 +113,13 @@ public VXUser getXUser(Long id) { public VXUser createXUser(VXUser vXUser) { vXUser = xUserService.createResource(vXUser); + return vXUser; } public VXUser updateXUser(VXUser vXUser) { vXUser = xUserService.updateResource(vXUser); + return vXUser; } 
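Review bot: The hidden-password placeholder `PropertiesUtil.getProperty("ranger.password.hidden", "*****")` is looked up with the same key and default both here and in updateXUser earlier in this diff; hoisting it into one `private static final String` (or a single private getter, if the property must be re-read each time) keeps the two from drifting and documents the placeholder in one place. The sequence `setPassword(actualPassword)` → `createTransactionLog` → `setPassword(hiddenPassword)` also deserves a one-line comment explaining why the real value has to sit on the bean while the log entry is built, since this is the spot where a later edit could accidentally leave the raw password on the returned object. createExternalUser starts before this hunk.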
@@ -141,11 +145,13 @@ public VXGroupUser getXGroupUser(Long id) { public VXGroupUser createXGroupUser(VXGroupUser vXGroupUser) { vXGroupUser = xGroupUserService.createResource(vXGroupUser); + return vXGroupUser; } public VXGroupUser updateXGroupUser(VXGroupUser vXGroupUser) { vXGroupUser = xGroupUserService.updateResource(vXGroupUser); + return vXGroupUser; } @@ -171,11 +177,13 @@ public VXPermMap getXPermMap(Long id) { public VXPermMap createXPermMap(VXPermMap vXPermMap) { vXPermMap = xPermMapService.createResource(vXPermMap); + return vXPermMap; } public VXPermMap updateXPermMap(VXPermMap vXPermMap) { vXPermMap = xPermMapService.updateResource(vXPermMap); + return vXPermMap; } @@ -201,11 +209,13 @@ public VXAuditMap getXAuditMap(Long id) { public VXAuditMap createXAuditMap(VXAuditMap vXAuditMap) { vXAuditMap = xAuditMapService.createResource(vXAuditMap); + return vXAuditMap; } public VXAuditMap updateXAuditMap(VXAuditMap vXAuditMap) { vXAuditMap = xAuditMapService.updateResource(vXAuditMap); + return vXAuditMap; } diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXServiceVersionInfoDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXServiceVersionInfoDao.java index f09d5067a2..05bba57617 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXServiceVersionInfoDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXServiceVersionInfoDao.java @@ -148,7 +148,7 @@ public void updateServiceVersionInfoForTagUpdate(Long tagId) { private void updateTagVersionAndTagUpdateTime(List serviceVersionInfos, Long resourceId, Long tagId) { if (resourceId != null || tagId != null) { if (CollectionUtils.isNotEmpty(serviceVersionInfos)) { - final ServiceDBStore.VersionType versionType = ServiceDBStore.VersionType.TAG_VERSION; + final ServiceDBStore.VERSION_TYPE versionType = ServiceDBStore.VERSION_TYPE.TAG_VERSION; final ServiceTags.TagsChangeType tagChangeType; if (tagId == null) { 
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java index c302d33126..3a80595da7 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java @@ -30,7 +30,7 @@ import org.apache.ranger.biz.RangerBizUtil; import org.apache.ranger.biz.RoleDBStore; import org.apache.ranger.biz.ServiceDBStore; -import org.apache.ranger.biz.ServiceDBStore.JsonFileNameType; +import org.apache.ranger.biz.ServiceDBStore.JSON_FILE_NAME_TYPE; import org.apache.ranger.biz.XUserMgr; import org.apache.ranger.common.AppConstants; import org.apache.ranger.common.ContextUtil; @@ -402,7 +402,7 @@ public void getRolesInJson(@Context HttpServletRequest request, @Context HttpSer List roleLists = getAllFilteredRoleList(request); if (CollectionUtils.isNotEmpty(roleLists)) { - svcStore.getObjectInJson(roleLists, response, JsonFileNameType.ROLE); + svcStore.getObjectInJson(roleLists, response, JSON_FILE_NAME_TYPE.ROLE); } else { response.setStatus(HttpServletResponse.SC_NO_CONTENT); diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index bf2377e500..fb1a729952 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java @@ -39,7 +39,7 @@ import org.apache.ranger.biz.RoleDBStore; import org.apache.ranger.biz.SecurityZoneDBStore; import org.apache.ranger.biz.ServiceDBStore; -import org.apache.ranger.biz.ServiceDBStore.JsonFileNameType; +import org.apache.ranger.biz.ServiceDBStore.JSON_FILE_NAME_TYPE; import org.apache.ranger.biz.ServiceMgr; import org.apache.ranger.biz.TagDBStore; import org.apache.ranger.biz.XUserMgr; 
@@ -2125,7 +2125,7 @@ public void getPoliciesInJson(@Context HttpServletRequest request, @Context Http bizUtil.blockAuditorRoleUser(); - svcStore.getObjectInJson(policyLists, response, JsonFileNameType.POLICY); + svcStore.getObjectInJson(policyLists, response, JSON_FILE_NAME_TYPE.POLICY); } else { checkPoliciesExists = true; @@ -2892,7 +2892,7 @@ public String getMetricByType(@PathParam("type") String type) { String ret; try { - ServiceDBStore.MetricType metricType = ServiceDBStore.MetricType.getMetricTypeByName(type); + ServiceDBStore.METRIC_TYPE metricType = ServiceDBStore.METRIC_TYPE.getMetricTypeByName(type); if (metricType == null) { throw restErrorUtil.createRESTException("Metric type=" + type + ", not supported."); diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java index 3c28c45d09..e9388e2b06 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/RangerRoleService.java @@ -149,7 +149,7 @@ private void updatePolicyVersions(Set roleIds) { if (CollectionUtils.isNotEmpty(allAffectedServiceIds)) { for (final Long serviceId : allAffectedServiceIds) { - Runnable serviceVersionUpdater = new ServiceDBStore.ServiceVersionUpdater(daoMgr, serviceId, ServiceDBStore.VersionType.POLICY_VERSION, null, RangerPolicyDelta.CHANGE_TYPE_SERVICE_CHANGE, null); + Runnable serviceVersionUpdater = new ServiceDBStore.ServiceVersionUpdater(daoMgr, serviceId, ServiceDBStore.VERSION_TYPE.POLICY_VERSION, null, RangerPolicyDelta.CHANGE_TYPE_SERVICE_CHANGE, null); daoMgr.getRangerTransactionSynchronizationAdapter().executeOnTransactionCommit(serviceVersionUpdater); } } 
@@ -174,7 +174,7 @@ private void updateRoleVersions(Set roleIds) { if (CollectionUtils.isNotEmpty(allAffectedServiceIds)) { for (final Long serviceId : allAffectedServiceIds) { - Runnable serviceVersionUpdater = new ServiceDBStore.ServiceVersionUpdater(daoMgr, serviceId, ServiceDBStore.VersionType.ROLE_VERSION, null, RangerPolicyDelta.CHANGE_TYPE_ROLE_UPDATE, null); + Runnable serviceVersionUpdater = new ServiceDBStore.ServiceVersionUpdater(daoMgr, serviceId, ServiceDBStore.VERSION_TYPE.ROLE_VERSION, null, RangerPolicyDelta.CHANGE_TYPE_ROLE_UPDATE, null); daoMgr.getRangerTransactionSynchronizationAdapter().executeOnTransactionCommit(serviceVersionUpdater); XXService serviceDbObj = serviceDao.getById(serviceId); @@ -196,7 +196,7 @@ private void updateRoleVersionOfAllServicesRefferingTag(RangerDaoManager daoMana if (CollectionUtils.isNotEmpty(referringServices)) { for (XXService referringService : referringServices) { final Long referringServiceId = referringService.getId(); - Runnable roleVersionUpdater = new ServiceDBStore.ServiceVersionUpdater(daoManager, referringServiceId, ServiceDBStore.VersionType.ROLE_VERSION, null, RangerPolicyDelta.CHANGE_TYPE_ROLE_UPDATE, null); + Runnable roleVersionUpdater = new ServiceDBStore.ServiceVersionUpdater(daoManager, referringServiceId, ServiceDBStore.VERSION_TYPE.ROLE_VERSION, null, RangerPolicyDelta.CHANGE_TYPE_ROLE_UPDATE, null); daoMgr.getRangerTransactionSynchronizationAdapter().executeOnTransactionCommit(roleVersionUpdater); } } diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneServiceService.java b/security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneServiceService.java index 56b58b0c69..18d7bf90ea 100755 --- a/security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneServiceService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/RangerSecurityZoneServiceService.java 
@@ -288,9 +288,9 @@ private void updateServiceInfos(Collection services) { } for (XXServiceVersionInfo serviceVersionInfo : serviceVersionInfos) { - final RangerDaoManager finaldaoManager = daoMgr; - final Long finalServiceId = serviceVersionInfo.getServiceId(); - final ServiceDBStore.VersionType versionType = ServiceDBStore.VersionType.POLICY_VERSION; + final RangerDaoManager finaldaoManager = daoMgr; + final Long finalServiceId = serviceVersionInfo.getServiceId(); + final ServiceDBStore.VERSION_TYPE versionType = ServiceDBStore.VERSION_TYPE.POLICY_VERSION; Runnable serviceVersionUpdater = new ServiceDBStore.ServiceVersionUpdater(finaldaoManager, finalServiceId, versionType, null, RangerPolicyDelta.CHANGE_TYPE_SERVICE_CHANGE, null); diff --git a/security-admin/src/main/java/org/apache/ranger/util/RestUtil.java b/security-admin/src/main/java/org/apache/ranger/util/RestUtil.java index 3e9f14a3e4..d73a2f10b6 100644 --- a/security-admin/src/main/java/org/apache/ranger/util/RestUtil.java +++ b/security-admin/src/main/java/org/apache/ranger/util/RestUtil.java @@ -42,7 +42,7 @@ public class RestUtil { public static final String TIMEOUT_ACTION = "timeout"; public static final String LOCAL_LOGIN_URL = "locallogin"; public static final String ZONED_EVENT_TIME_FORMAT = "yyyy-MM-dd HH:mm:ss z"; - + private static final String PROXY_RANGER_URL_PATH = "/ranger"; private RestUtil() { diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java b/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java index 8ff515cf78..7747e327ac 100644 --- a/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java 
@@ -2008,7 +2008,7 @@ public void test41getMetricByTypeusergroup() throws Exception { vXUserList.setTotalCount(4L); Mockito.when(xUserMgr.searchXGroups(Mockito.any(SearchCriteria.class))).thenReturn(vxGroupList); Mockito.when(xUserMgr.searchXUsers(Mockito.any(SearchCriteria.class))).thenReturn(vXUserList); - serviceDBStore.getMetricByType(ServiceDBStore.MetricType.getMetricTypeByName(type)); + serviceDBStore.getMetricByType(ServiceDBStore.METRIC_TYPE.getMetricTypeByName(type)); } @Test @@ -2023,7 +2023,7 @@ public void test42getMetricByTypeAudits() throws Exception { svcDefList.setTotalCount(10L); Mockito.when(serviceDefService.searchRangerServiceDefs(Mockito.any(SearchFilter.class))).thenReturn(svcDefList); - serviceDBStore.getMetricByType(ServiceDBStore.MetricType.getMetricTypeByName(type)); + serviceDBStore.getMetricByType(ServiceDBStore.METRIC_TYPE.getMetricTypeByName(type)); } @Test @@ -2032,7 +2032,7 @@ public void test43getMetricByTypeServices() throws Exception { RangerServiceList svcList = new RangerServiceList(); svcList.setTotalCount(10L); Mockito.when(svcService.searchRangerServices(Mockito.any(SearchFilter.class))).thenReturn(svcList); - serviceDBStore.getMetricByType(ServiceDBStore.MetricType.getMetricTypeByName(type)); + serviceDBStore.getMetricByType(ServiceDBStore.METRIC_TYPE.getMetricTypeByName(type)); } @Test 
@@ -2040,14 +2040,14 @@ public void test44getMetricByTypePolicies() throws Exception { String type = "policies"; RangerServiceList svcList = new RangerServiceList(); svcList.setTotalCount(10L); - serviceDBStore.getMetricByType(ServiceDBStore.MetricType.getMetricTypeByName(type)); + serviceDBStore.getMetricByType(ServiceDBStore.METRIC_TYPE.getMetricTypeByName(type)); } @Test public void test45getMetricByTypeDatabase() throws Exception { String type = "database"; Mockito.when(bizUtil.getDBVersion()).thenReturn("MYSQL"); - serviceDBStore.getMetricByType(ServiceDBStore.MetricType.getMetricTypeByName(type)); + serviceDBStore.getMetricByType(ServiceDBStore.METRIC_TYPE.getMetricTypeByName(type)); } @Test @@ -2056,7 +2056,7 @@ public void test46getMetricByTypeContextEnrichers() throws Exception { RangerServiceDefList svcDefList = new RangerServiceDefList(); svcDefList.setTotalCount(10L); Mockito.when(serviceDefService.searchRangerServiceDefs(Mockito.any(SearchFilter.class))).thenReturn(svcDefList); - serviceDBStore.getMetricByType(ServiceDBStore.MetricType.getMetricTypeByName(type)); + serviceDBStore.getMetricByType(ServiceDBStore.METRIC_TYPE.getMetricTypeByName(type)); } @Test @@ -2065,7 +2065,7 @@ public void test47getMetricByTypeDenyConditions() throws Exception { RangerServiceDefList svcDefList = new RangerServiceDefList(); svcDefList.setTotalCount(10L); Mockito.when(serviceDefService.searchRangerServiceDefs(Mockito.any(SearchFilter.class))).thenReturn(svcDefList); - serviceDBStore.getMetricByType(ServiceDBStore.MetricType.getMetricTypeByName(type)); + serviceDBStore.getMetricByType(ServiceDBStore.METRIC_TYPE.getMetricTypeByName(type)); } @Test diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestRoleREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestRoleREST.java index 3f1d5c0146..ae2095d499 100644 --- a/security-admin/src/test/java/org/apache/ranger/rest/TestRoleREST.java 
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestRoleREST.java @@ -23,7 +23,7 @@ import org.apache.ranger.biz.RoleDBStore; import org.apache.ranger.biz.RoleRefUpdater; import org.apache.ranger.biz.ServiceDBStore; -import org.apache.ranger.biz.ServiceDBStore.JsonFileNameType; +import org.apache.ranger.biz.ServiceDBStore.JSON_FILE_NAME_TYPE; import org.apache.ranger.biz.XUserMgr; import org.apache.ranger.common.ContextUtil; import org.apache.ranger.common.RESTErrorUtil; @@ -91,7 +91,7 @@ public class TestRoleREST { private static final Long roleId = 9L; private static final Long Id = 7L; private static final String adminLoginID = "admin"; - private static final JsonFileNameType ROLE = JsonFileNameType.ROLE; + private static final JSON_FILE_NAME_TYPE ROLE = JSON_FILE_NAME_TYPE.ROLE; String importRoleTestFilePath = "./src/test/java/org/apache/ranger/rest/importRole/import_role_test_file.json"; @Mock diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java index 14adc9fd7f..3a23d96ceb 100644 --- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java +++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java @@ -27,7 +27,7 @@ import org.apache.ranger.biz.RangerPolicyAdmin; import org.apache.ranger.biz.SecurityZoneDBStore; import org.apache.ranger.biz.ServiceDBStore; -import org.apache.ranger.biz.ServiceDBStore.JsonFileNameType; +import org.apache.ranger.biz.ServiceDBStore.JSON_FILE_NAME_TYPE; import org.apache.ranger.biz.ServiceMgr; import org.apache.ranger.biz.TagDBStore; import org.apache.ranger.biz.XUserMgr; 
@@ -1456,7 +1456,7 @@ public void test45exportPoliciesInJSON() throws Exception { Mockito.when(daoManager.getXXServiceDef().getById(xService.getType())).thenReturn(xServiceDef); serviceREST.getPoliciesInJson(request, response, false); - Mockito.verify(svcStore).getObjectInJson(rangerPolicyList, response, JsonFileNameType.POLICY); + Mockito.verify(svcStore).getObjectInJson(rangerPolicyList, response, JSON_FILE_NAME_TYPE.POLICY); } @Test @@ -1653,7 +1653,7 @@ public void test51getMetricByType() throws Exception { String type = "usergroup"; String ret = "{\"groupCount\":1,\"userCountOfUserRole\":0,\"userCountOfKeyAdminRole\":1," + "\"userCountOfSysAdminRole\":3,\"userCountOfKeyadminAuditorRole\":0,\"userCountOfSysAdminAuditorRole\":0,\"userTotalCount\":4}"; - ServiceDBStore.MetricType metricType = ServiceDBStore.MetricType.getMetricTypeByName(type); + ServiceDBStore.METRIC_TYPE metricType = ServiceDBStore.METRIC_TYPE.getMetricTypeByName(type); Mockito.when(svcStore.getMetricByType(metricType)).thenReturn(ret); serviceREST.getMetricByType(type); Mockito.verify(svcStore).getMetricByType(metricType);