Repository: ranger Updated Branches: refs/heads/ranger-0.7 694ff57f1 -> 99abbcfa9
RANGER-1491:Automatically map group of external users to Administrator Role Signed-off-by: Gautam Borad <gau...@apache.org> Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/99abbcfa Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/99abbcfa Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/99abbcfa Branch: refs/heads/ranger-0.7 Commit: 99abbcfa99667b60ae5f217db4bce44ac01bfdce Parents: 694ff57 Author: Bhavik Patel <bhavikpatel...@gmail.com> Authored: Tue Aug 8 10:59:54 2017 +0530 Committer: Gautam Borad <gau...@apache.org> Committed: Fri Aug 11 12:13:08 2017 +0530 ---------------------------------------------------------------------- .../java/org/apache/ranger/biz/UserMgr.java | 63 +++++- .../java/org/apache/ranger/biz/XUserMgr.java | 87 +++++--- .../org/apache/ranger/service/XUserService.java | 7 +- .../java/org/apache/ranger/view/VXUser.java | 1 + .../java/org/apache/ranger/biz/TestUserMgr.java | 4 +- .../org/apache/ranger/biz/TestXUserMgr.java | 45 ++++- .../process/LdapPolicyMgrUserGroupBuilder.java | 123 +++++++++++- .../config/UserGroupSyncConfig.java | 41 ++++ .../ranger/unixusersync/model/XUserInfo.java | 20 +- .../process/PolicyMgrUserGroupBuilder.java | 201 ++++++++++++++++++- unixauthservice/scripts/install.properties | 15 ++ unixauthservice/scripts/setup.py | 17 ++ .../templates/installprop2xml.properties | 4 + .../templates/ranger-ugsync-template.xml | 16 ++ 14 files changed, 588 insertions(+), 56 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java index be16f75..f27bfc1 100644 
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java @@ -142,6 +142,7 @@ public class UserMgr { Collection<String> userRoleList) { XXPortalUser user = mapVXPortalUserToXXPortalUser(userProfile); checkAdminAccess(); + xUserMgr.checkAccessRoles((List<String>) userRoleList); user = createUser(user, userStatus, userRoleList); return user; @@ -175,7 +176,11 @@ public class UserMgr { Collection<String> reqRoleList = userProfile.getUserRoleList(); if (reqRoleList != null && reqRoleList.size() > 0) { for (String role : reqRoleList) { - roleList.add(role); + if (role != null) { + roleList.add(role); + } else { + roleList.add(RangerConstants.ROLE_USER); + } } } else { roleList.add(RangerConstants.ROLE_USER); @@ -1109,6 +1114,8 @@ public class UserMgr { checkAdminAccess(); logger.info("create:" + userProfile.getLoginId()); XXPortalUser xXPortalUser = null; + Collection<String> existingRoleList = null; + Collection<String> reqRoleList = null; String loginId = userProfile.getLoginId(); String emailAddress = userProfile.getEmailAddress(); 
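Review bot: The added `xUserMgr.checkAccessRoles((List<String>) userRoleList)` in the first hunk casts a `Collection<String>` parameter to `List`, so a caller that passes a `Set` or any other non-List collection fails with a `ClassCastException` before any role check runs. Copying into a list keeps the null handling that `checkAccessRoles` already performs: `xUserMgr.checkAccessRoles(userRoleList == null ? null : new ArrayList<String>(userRoleList));` (assuming `ArrayList` is in scope in this file). The same unchecked cast appears in the `@@ -1143` hunk of this file as `((List<String>) userProfile.getUserRoleList()).get(0)`. The enclosing methods of all three hunks start and end outside the hunks.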
@@ -1143,13 +1150,59 @@ public class UserMgr { */ } } + VXPortalUser userProfileRes = null; if (xXPortalUser != null) { - return mapXXPortalUserToVXPortalUserForDefaultAccount(xXPortalUser); - } else { - return null; - } + userProfileRes = mapXXPortalUserToVXPortalUserForDefaultAccount(xXPortalUser); + if (userProfile.getUserRoleList() != null + && userProfile.getUserRoleList().size() > 0 + && ((List<String>) userProfile.getUserRoleList()).get(0) != null) { + reqRoleList = userProfile.getUserRoleList(); + existingRoleList = this.getRolesByLoginId(loginId); + XXPortalUser xxPortalUser = daoManager.getXXPortalUser() + .findByLoginId(userProfile.getLoginId()); + if (xxPortalUser != null && xxPortalUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) { + userProfileRes = updateRoleForExternalUsers(reqRoleList, existingRoleList, userProfileRes); + } + } + } + return userProfileRes; } + protected VXPortalUser updateRoleForExternalUsers(Collection<String> reqRoleList, Collection<String> existingRoleList, VXPortalUser userProfileRes) { + UserSessionBase session = ContextUtil.getCurrentUserSession(); + if ("rangerusersync".equals(session.getXXPortalUser().getLoginId()) + && reqRoleList != null && !reqRoleList.isEmpty() + && existingRoleList != null && !existingRoleList.isEmpty()) { + if (!reqRoleList.equals(existingRoleList)) { + userProfileRes.setUserRoleList(reqRoleList); + userProfileRes.setUserSource(RangerCommonEnums.USER_EXTERNAL); + List<XXUserPermission> xuserPermissionList = daoManager.getXXUserPermission().findByUserPermissionId(userProfileRes.getId()); + + if (xuserPermissionList!=null && xuserPermissionList.size()>0){ + + for (XXUserPermission xXUserPermission : xuserPermissionList) { + if (xXUserPermission != null) { + try { + xUserPermissionService.deleteResource(xXUserPermission.getId()); + } catch (Exception e) { + logger.error(e.getMessage()); + } + } + + } + } + updateUser(userProfileRes); + } + } else { + if (logger.isDebugEnabled()) { + 
logger.debug("Permission" + " denied. LoggedInUser=" + + (session != null ? session.getXXPortalUser().getId() : "") + + " isn't permitted to perform the action."); + } + } + return userProfileRes; + } + protected VXPortalUser mapXXPortalUserToVXPortalUserForDefaultAccount( XXPortalUser user) { http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index ca06805..676b1e3 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java @@ -156,6 +156,9 @@ public class XUserMgr extends XUserMgrBase { @Autowired GUIDUtil guidUtil; + @Autowired + UserMgr userManager; + static final Logger logger = Logger.getLogger(XUserMgr.class); @@ -520,7 +523,13 @@ public class XUserMgr extends XUserMgrBase { VXUserGroupInfo vxUGInfo = new VXUserGroupInfo(); VXUser vXUser = vXUserGroupInfo.getXuserInfo(); - + VXPortalUser vXPortalUser = userMgr.getUserProfileByLoginId(vXUser.getName()); + XXPortalUser xxPortalUser = daoManager.getXXPortalUser().findByLoginId(vXUser.getName()); + Collection<String> reqRoleList = vXUser.getUserRoleList(); + List<String> existingRole = daoManager.getXXPortalUserRole().findXPortalUserRolebyXPortalUserId(xxPortalUser.getId()); + if (xxPortalUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) { + vXPortalUser = userManager.updateRoleForExternalUsers(reqRoleList,existingRole, vXPortalUser); + } vXUser = xUserService.createXUserWithOutLogin(vXUser); vxUGInfo.setXuserInfo(vXUser); 
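Review bot: `updateRoleForExternalUsers` dereferences `session` in its first condition (`session.getXXPortalUser().getLoginId()`) while the `else` branch still guards with `session != null`, so a missing session produces an NPE instead of the "Permission denied" debug line; start the condition with `session != null &&`. The authorization decision rests on the literal login name `"rangerusersync"`, which this commit also writes out in `XUserMgr.checkAccessRoles`; hoisting it into one named constant (RangerConstants is already used here) makes the privileged identity auditable in a single place and documents that this is an identity check rather than a privilege check. `reqRoleList.equals(existingRoleList)` compares two `Collection` references whose concrete types are not visible here, so a `List` against a `Set`, or a different element order, reports a difference and triggers the permission wipe plus `updateUser` on every sync; compare as sets (e.g. via `HashSet`, if in scope). The `catch (Exception e)` around `deleteResource` logs only `e.getMessage()` and then proceeds to `updateUser`, so a failed revocation leaves stale permissions and no stack trace; log the exception object (`logger.error("failed to delete user permission " + xXUserPermission.getId(), e);`) and consider aborting the role change when a deletion fails.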
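Review bot: The new `@Autowired UserMgr userManager;` duplicates the existing `userMgr` field, which the `@@ -520` hunk of this same file still calls (`userMgr.getUserProfileByLoginId(...)`) and which appears to be the same bean type, so the class now carries two injected references under two names. Reuse `userMgr` for the `updateRoleForExternalUsers` and `mapXXPortalUserToVXPortalUserForDefaultAccount` calls and drop the new field.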
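Review bot: In the method around line 523 (`createXUserGroupFromMap`, judging by the test changes) the portal user lookup has moved ahead of `xUserService.createXUserWithOutLogin(vXUser)`, and `xxPortalUser.getId()` and `xxPortalUser.getUserSource()` are dereferenced without a null check, so a user that does not yet exist in x_portal_user ends in an NPE where the old code fetched the profile only after creation. Guard the block with `if (xxPortalUser != null)` before reading roles and calling `updateRoleForExternalUsers`, or keep the lookup after the create call as before if that call is what creates the portal user. `vXPortalUser` can also be null here (the `if (vXPortalUser != null)` kept in the next hunk expects that), yet it is passed straight into `updateRoleForExternalUsers`, which calls `setUserRoleList` on it in its role-change branch.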
@@ -536,9 +545,7 @@ public class XUserMgr extends XUserMgrBase { vXGroupUser = xGroupUserService .createXGroupUserWithOutLogin(vXGroupUser); } - VXPortalUser vXPortalUser = userMgr.getUserProfileByLoginId(vXUser - .getName()); - if(vXPortalUser!=null){ + if (vXPortalUser != null) { assignPermissionToUser(vXPortalUser, true); } vxUGInfo.setXgroupInfo(vxg); 
@@ -562,17 +569,37 @@ public class XUserMgr extends XUserMgrBase { List<VXUser> vxu = new ArrayList<VXUser>(); for (VXUser vXUser : vXGroupUserInfo.getXuserInfo()) { - XXUser xUser = daoManager.getXXUser().findByUserName(vXUser.getName()); + XXUser xUser = daoManager.getXXUser().findByUserName( + vXUser.getName()); + XXPortalUser xXPortalUser = daoManager.getXXPortalUser() + .findByLoginId(vXUser.getName()); if (xUser != null) { - // Add or update group user mapping only if the user already exists in x_user table. + // Add or update group user mapping only if the user already + // exists in x_user table. vXGroup = xGroupService.createXGroupWithOutLogin(vXGroup); vxGUInfo.setXgroupInfo(vXGroup); vxu.add(vXUser); VXGroupUser vXGroupUser = new VXGroupUser(); vXGroupUser.setUserId(xUser.getId()); vXGroupUser.setName(vXGroup.getName()); - vXGroupUser = xGroupUserService - .createXGroupUserWithOutLogin(vXGroupUser); + if (xXPortalUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) { + vXGroupUser = xGroupUserService + .createXGroupUserWithOutLogin(vXGroupUser); + } + Collection<String> reqRoleList = vXUser.getUserRoleList(); + + XXPortalUser xxPortalUser = daoManager.getXXPortalUser() + .findByLoginId(vXUser.getName()); + List<String> existingRole = daoManager.getXXPortalUserRole() + .findXPortalUserRolebyXPortalUserId( + xxPortalUser.getId()); + VXPortalUser vxPortalUser = userManager + .mapXXPortalUserToVXPortalUserForDefaultAccount(xxPortalUser); + if (xxPortalUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) { + vxPortalUser = userManager.updateRoleForExternalUsers( + reqRoleList, existingRole, vxPortalUser); + assignPermissionToUser(vxPortalUser, true); + } } } 
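Review bot: `xXPortalUser.getUserSource()` is read without a null check right after `findByLoginId`, and a few lines later the same lookup is repeated into a second variable `xxPortalUser` (differing from the first only in case), which is also dereferenced; a user present in x_user but absent from x_portal_user turns the whole group-user loop into an NPE. Do the lookup once, guard it (`if (xXPortalUser == null) { continue; }`, ideally with a warning log naming the user), and reuse the single variable for both the group-user mapping and the role update. The comment "Add or update group user mapping only if the user already exists in x_user table" is now stale, since `createXGroupUserWithOutLogin` additionally runs only when the user source is `USER_EXTERNAL`; extend it to say that internal users are skipped, if that is the intent. The enclosing method starts and ends outside the hunk.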
@@ -1271,30 +1298,42 @@ public class XUserMgr extends XUserMgrBase { public void checkAccessRoles(List<String> stringRolesList) { UserSessionBase session = ContextUtil.getCurrentUserSession(); - if (session != null && stringRolesList!=null) { + if (session != null && stringRolesList != null) { if (!session.isUserAdmin() && !session.isKeyAdmin()) { throw restErrorUtil.create403RESTException("Permission" + " denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "Not Logged In") + " ,isn't permitted to perform the action."); - }else{ - if (session.isUserAdmin() && stringRolesList.contains(RangerConstants.ROLE_KEY_ADMIN)) { - throw restErrorUtil.create403RESTException("Permission" - + " denied. LoggedInUser=" - + (session != null ? session.getXXPortalUser().getId() - : "") - + " isn't permitted to perform the action."); - } - if (session.isKeyAdmin() && stringRolesList.contains(RangerConstants.ROLE_SYS_ADMIN)) { - throw restErrorUtil.create403RESTException("Permission" - + " denied. LoggedInUser=" - + (session != null ? session.getXXPortalUser().getId() - : "") - + " isn't permitted to perform the action."); + } else { + if (!"rangerusersync".equals(session.getXXPortalUser() + .getLoginId())) {// new logic for rangerusersync user + if (session.isUserAdmin() + && stringRolesList + .contains(RangerConstants.ROLE_KEY_ADMIN)) { + throw restErrorUtil.create403RESTException("Permission" + + " denied. LoggedInUser=" + + (session != null ? session.getXXPortalUser() + .getId() : "") + + " isn't permitted to perform the action."); + } + if (session.isKeyAdmin() + && stringRolesList + .contains(RangerConstants.ROLE_SYS_ADMIN)) { + throw restErrorUtil.create403RESTException("Permission" + + " denied. LoggedInUser=" + + (session != null ? session.getXXPortalUser() + .getId() : "") + + " isn't permitted to perform the action."); + } + } else { + logger.info("LoggedInUser=" + + (session != null ? 
session.getXXPortalUser() + .getId() + : " is permitted to perform the action")); } } - }else{ + } else { VXResponse vXResponse = new VXResponse(); vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); vXResponse.setMsgDesc("Bad Credentials"); http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/security-admin/src/main/java/org/apache/ranger/service/XUserService.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/service/XUserService.java b/security-admin/src/main/java/org/apache/ranger/service/XUserService.java index 0d07982..b2b06ff 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/XUserService.java +++ b/security-admin/src/main/java/org/apache/ranger/service/XUserService.java @@ -49,7 +49,7 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Scope; import org.springframework.stereotype.Service; import org.springframework.util.CollectionUtils; - +import org.apache.ranger.common.RangerCommonEnums; @Service @Scope("singleton") public class XUserService extends XUserServiceBase<XXUser, VXUser> { @@ -168,7 +168,10 @@ public class XUserService extends XUserServiceBase<XXUser, VXUser> { xxUser = new XXUser(); userExists = false; } - + XXPortalUser xxPortalUser = daoManager.getXXPortalUser().findByLoginId(vxUser.getName()); + if (xxPortalUser != null && xxPortalUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) { + vxUser.setIsVisible(xxUser.getIsVisible()); + } xxUser = mapViewToEntityBean(vxUser, xxUser, 0); XXPortalUser xXPortalUser = daoManager.getXXPortalUser().getById(createdByUserId); if (xXPortalUser != null) { http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/security-admin/src/main/java/org/apache/ranger/view/VXUser.java ---------------------------------------------------------------------- 
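Review bot: The new branch in `checkAccessRoles` skips the `ROLE_KEY_ADMIN`/`ROLE_SYS_ADMIN` guards entirely whenever the session's login id equals the literal `"rangerusersync"`, so the holder of that service credential can assign both admin roles regardless of its own `isUserAdmin`/`isKeyAdmin` state; the bypass is keyed on a name rather than a privilege, should share one constant with `UserMgr.updateRoleForExternalUsers`, and deserves a Javadoc line such as `@param stringRolesList roles being assigned; the usersync account is exempt from the admin/keyadmin role restriction`. The `logger.info` in that branch is malformed: the ternary makes `" is permitted to perform the action"` the alternative to the id, so with a non-null session it prints only `LoggedInUser=<id>`; intended is `logger.info("LoggedInUser=" + session.getXXPortalUser().getId() + " is permitted to perform the action");`, and since this is the audit trail for an admin-role grant it should also name the roles in `stringRolesList`. The `session != null` ternaries inside the inner branches are dead because the outer `if` already established it.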
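Review bot: The added block copies `xxUser.getIsVisible()` into `vxUser` for external users, but when `userExists` is false `xxUser` is the `new XXUser()` created just above, so the value copied is whatever that entity's default is rather than anything stored; condition the copy on `userExists` as well, `if (userExists && xxPortalUser != null && xxPortalUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL)`. A one-line comment on why an external user's stored visibility must win over the incoming view would help, since the intent is not visible in the hunk. The `@@ -49` hunk places the new `RangerCommonEnums` import after the Spring imports instead of with the other `org.apache.ranger` imports. The enclosing method starts and ends outside the hunk.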
diff --git a/security-admin/src/main/java/org/apache/ranger/view/VXUser.java b/security-admin/src/main/java/org/apache/ranger/view/VXUser.java index ecfd1ac..6e1d299 100644 --- a/security-admin/src/main/java/org/apache/ranger/view/VXUser.java +++ b/security-admin/src/main/java/org/apache/ranger/view/VXUser.java @@ -300,6 +300,7 @@ public class VXUser extends VXDataObject implements java.io.Serializable { str += "isVisible={" + isVisible + "} "; str += "groupIdList={" + groupIdList + "} "; str += "groupNameList={" + groupNameList + "} "; + str += "roleList={" + userRoleList + "} "; str += "}"; return str; } http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java index 6083778..6dc483d 100644 --- a/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java @@ -774,8 +774,8 @@ public class TestUserMgr { dbVXPortalUser.getEmailAddress()); Assert.assertEquals(user.getPassword(), dbVXPortalUser.getPassword()); - Mockito.verify(daoManager).getXXPortalUser(); - Mockito.verify(daoManager).getXXPortalUserRole(); + Mockito.verify(daoManager, Mockito.atLeast(1)).getXXPortalUser(); + Mockito.verify(daoManager, Mockito.atLeast(1)).getXXPortalUserRole(); } @Test http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java index 2542f91..6e6be72 100644 
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java @@ -24,7 +24,8 @@ import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; - +import org.apache.ranger.common.RangerCommonEnums; +import org.apache.ranger.common.RangerConstants; import org.apache.ranger.common.ContextUtil; import org.apache.ranger.common.RESTErrorUtil; import org.apache.ranger.common.SearchCriteria; @@ -175,6 +176,10 @@ public class TestXUserMgr { UserSessionBase currentUserSession = ContextUtil .getCurrentUserSession(); currentUserSession.setUserAdmin(true); + XXPortalUser gjUser = new XXPortalUser(); + gjUser.setLoginId("test"); + gjUser.setId(1L); + currentUserSession.setXXPortalUser(gjUser); } private VXUser vxUser() { @@ -628,14 +633,16 @@ public class TestXUserMgr { Mockito.when(xUserService.getXUserByUserName(userName)).thenReturn( vxUser); - + XXModuleDefDao xxModuleDefDao = Mockito.mock(XXModuleDefDao.class); + Mockito.when(daoManager.getXXModuleDef()).thenReturn(xxModuleDefDao); VXUser dbVXUser = xUserMgr.getXUserByUserName(userName); Assert.assertNotNull(dbVXUser); userId = dbVXUser.getId(); Assert.assertEquals(userId, dbVXUser.getId()); Assert.assertEquals(dbVXUser.getName(), vxUser.getName()); Assert.assertEquals(dbVXUser.getOwner(), vxUser.getOwner()); - Mockito.verify(xUserService).getXUserByUserName(userName); + Mockito.verify(xUserService, Mockito.atLeast(2)).getXUserByUserName( + userName); } @Test 
@@ -873,6 +880,20 @@ public class TestXUserMgr { Mockito.when( xGroupUserService.createXGroupUserWithOutLogin(vXGroupUser2)) .thenReturn(vXGroupUser2); + XXPortalUserDao portalUser = Mockito.mock(XXPortalUserDao.class); + Mockito.when(daoManager.getXXPortalUser()).thenReturn(portalUser); + XXPortalUser user = new XXPortalUser(); + user.setId(1L); + user.setUserSource(RangerCommonEnums.USER_APP); + Mockito.when(portalUser.findByLoginId(vXUser.getName())).thenReturn( + user); + XXPortalUserRoleDao userDao = Mockito.mock(XXPortalUserRoleDao.class); + Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(userDao); + List<String> lstRole = new ArrayList<String>(); + lstRole.add(RangerConstants.ROLE_SYS_ADMIN); + Mockito.when( + userDao.findXPortalUserRolebyXPortalUserId(Mockito.anyLong())) + .thenReturn(lstRole); VXUserGroupInfo vxUserGroupTest = xUserMgr .createXUserGroupFromMap(vXUserGroupInfo); @@ -882,6 +903,11 @@ public class TestXUserMgr { expected.add(vXGroup1); expected.add(vXGroup2); Assert.assertTrue(result.containsAll(expected)); + Mockito.verify(daoManager).getXXPortalUser(); + Mockito.verify(portalUser).findByLoginId(vXUser.getName()); + Mockito.verify(daoManager).getXXPortalUserRole(); + Mockito.verify(userDao).findXPortalUserRolebyXPortalUserId( + Mockito.anyLong()); } // Module permission 
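Review bot: The new mocks set `user.setUserSource(RangerCommonEnums.USER_APP)`, so the `USER_EXTERNAL` branch this commit adds to `createXUserGroupFromMap` — the call into `updateRoleForExternalUsers` — is never reached, and the role list stubbed through `findXPortalUserRolebyXPortalUserId` is only read, not acted on. Add a case with `USER_EXTERNAL`, a session login id of `rangerusersync`, and a `vXUser` role list that differs from the stubbed one, then verify that the role update and permission deletion happen; that is the privilege-changing path and, as far as the hunks in this commit show, it has no coverage. A case where `findByLoginId` returns null would also pin down behaviour the production code currently does not handle.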
@@ -1312,9 +1338,20 @@ public class TestXUserMgr { String userName = "test"; Mockito.when(xUserService.getXUserByUserName(userName)).thenReturn( vxUser); + XXModuleDefDao modDef = Mockito.mock(XXModuleDefDao.class); + Mockito.when(daoManager.getXXModuleDef()).thenReturn(modDef); + List<String> lstModule = new ArrayList<String>(); + lstModule.add(RangerConstants.MODULE_USER_GROUPS); + Mockito.when( + modDef.findAccessibleModulesByUserId(Mockito.anyLong(), + Mockito.anyLong())).thenReturn(lstModule); Set<String> list = xUserMgr.getGroupsForUser(userName); Assert.assertNotNull(list); - Mockito.verify(xUserService).getXUserByUserName(userName); + Mockito.verify(xUserService, Mockito.atLeast(2)).getXUserByUserName( + userName); + Mockito.verify(daoManager).getXXModuleDef(); + Mockito.verify(modDef).findAccessibleModulesByUserId(Mockito.anyLong(), + Mockito.anyLong()); } @Test http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java ---------------------------------------------------------------------- diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java index 428ad30..9548ed4 100644 --- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java @@ -65,6 +65,10 @@ import com.sun.jersey.api.client.config.ClientConfig; import com.sun.jersey.api.client.config.DefaultClientConfig; import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter; import com.sun.jersey.client.urlconnection.HTTPSProperties; +import java.util.LinkedHashMap; +import java.util.Map; +import java.util.HashMap; +import java.util.StringTokenizer; public class LdapPolicyMgrUserGroupBuilder implements UserGroupSink { 
@@ -100,7 +104,8 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder private UserGroupInfo usergroupInfo = new UserGroupInfo(); private GroupUserInfo groupuserInfo = new GroupUserInfo(); - + Map<String, String> userMap = new LinkedHashMap<String, String>(); + Map<String, String> groupMap = new LinkedHashMap<String, String>(); Table<String, String, String> groupsUsersTable; private String keyStoreFile = null; @@ -147,7 +152,10 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder } keytab = config.getProperty(KEYTAB,""); nameRules = config.getProperty(NAME_RULE,"DEFAULT"); - + String userGroupRoles = config.getGroupRoleRules(); + if (userGroupRoles != null && !userGroupRoles.isEmpty()) { + getRoleForUserGroups(userGroupRoles); + } } @Override @@ -331,7 +339,11 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder xuserInfo.setName(aUserName); xuserInfo.setDescription(aUserName + " - add from Unix box"); - + if (userMap.containsKey(aUserName)) { + List<String> roleList = new ArrayList<String>(); + roleList.add(userMap.get(aUserName)); + xuserInfo.setUserRoleList(roleList); + } usergroupInfo.setXuserInfo(xuserInfo); return xuserInfo; @@ -414,9 +426,11 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder } List<String> oldUsers = new ArrayList<String>(); + Map <String,List<String>> oldUserMap = new HashMap<String, List<String>>(); if (groupUserInfo != null && groupUserInfo.getXuserInfo() != null) { for (XUserInfo xUserInfo : groupUserInfo.getXuserInfo()) { oldUsers.add(xUserInfo.getName()); + oldUserMap.put(xUserInfo.getName(), xUserInfo.getUserRoleList()); } LOG.debug("Returned users for group " + groupUserInfo.getXgroupInfo().getName() + " are: " + oldUsers); } 
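Review bot: `userMap` and `groupMap` in the `@@ -100` hunk are package-private, non-final mutable fields holding the role-to-principal mapping, yet they are only populated from `getRoleForUserGroups` during initialisation; declare them `private final Map<String, String> userMap = new LinkedHashMap<String, String>();` (and likewise `groupMap`) so nothing outside the class can alter which users are promoted, and add a one-line comment that keys are user or group names and values are role names parsed from `ranger.usersync.group.based.role.assignment.rules`. The identical fields added to `PolicyMgrUserGroupBuilder` in its `@@ -121` hunk need the same treatment.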
@@ -433,7 +447,7 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder addUsers = users; } else { for (String user : users) { - if (!oldUsers.contains(user)) { + if (!oldUsers.contains(user)|| !(oldUserMap.get(user).equals(groupMap.get(groupName)))) { addUsers.add(user); } } @@ -569,7 +583,30 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder WebResource r = c.resource(getURL(PM_ADD_GROUP_USER_INFO_URI)); Gson gson = new GsonBuilder().create(); - + if (groupuserInfo != null + && groupuserInfo.getXgroupInfo() != null + && groupuserInfo.getXuserInfo() != null + && groupMap + .containsKey(groupuserInfo.getXgroupInfo().getName()) + && groupuserInfo.getXuserInfo().size() > 0) { + List<String> userRoleList = new ArrayList<String>(); + userRoleList.add(groupMap.get(groupuserInfo.getXgroupInfo() + .getName())); + int i = groupuserInfo.getXuserInfo().size(); + for (int j = 0; j < i; j++) { + if (userMap.containsKey(groupuserInfo.getXuserInfo().get(j) + .getName())) { + List<String> userRole = new ArrayList<String>(); + userRole.add(userMap.get(groupuserInfo.getXuserInfo() + .get(j).getName())); + groupuserInfo.getXuserInfo().get(j) + .setUserRoleList(userRole); + } else { + groupuserInfo.getXuserInfo().get(j) + .setUserRoleList(userRoleList); + } + } + } String jsonString = gson.toJson(groupuserInfo); LOG.debug("GROUP USER MAPPING" + jsonString); 
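Review bot: The new condition `!(oldUserMap.get(user).equals(groupMap.get(groupName)))` compares a `List<String>` (the value type of `oldUserMap`, filled from `getUserRoleList()` in the previous hunk) with a `String` (the value type of `groupMap`), so `equals` is always false and every existing member is re-added to `addUsers` on every sync cycle whether or not its role changed; when `groupMap` has no entry for the group it compares against null, and `oldUserMap.get(user)` may itself be null if the returned user carried no role list. Check whether the group's role is already present in the user's role list instead, and hoist the loop-invariant lookup. The enclosing method starts and ends outside the hunk.
```java
String groupRole = groupMap.get(groupName);
for (String user : users) {
    List<String> oldRoles = oldUserMap.get(user);
    if (!oldUsers.contains(user)
            || (groupRole != null && (oldRoles == null || !oldRoles.contains(groupRole)))) {
        addUsers.add(user);
    }
}
```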
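Review bot: The block in the `@@ -569` hunk walks `groupuserInfo.getXuserInfo()` by index and re-evaluates the `getXuserInfo().get(j).getName()` chain up to three times per iteration; a for-each over `XUserInfo` with the name in a local reads more directly. It also hands the same `userRoleList` instance to every user without a user-specific mapping, so `setUserRoleList` aliases one list across many objects — harmless while nothing mutates it, but a per-user `new ArrayList<String>(userRoleList)` removes the hazard. A one-line comment that a user-level rule takes precedence over the group-level rule would document the intent of the `if`/`else`. The enclosing method starts and ends outside the hunk.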
@@ -591,7 +628,11 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder userInfo.setLoginId(aUserName); userInfo.setFirstName(aUserName); userInfo.setLastName(aUserName); - + String str[] = new String[1]; + if (userMap.containsKey(aUserName)) { + str[0] = userMap.get(aUserName); + } + userInfo.setUserRoleList(str); if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)) { try { Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules); 
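Review bot: `String str[] = new String[1]` is passed to `userInfo.setUserRoleList(str)` even when `userMap` has no entry for `aUserName`, so every unmapped user is posted with a role list of `[null]`; the admin side in this same commit then has to special-case that (`role != null` → `ROLE_USER` in UserMgr, and the `.get(0) != null` test), coupling the two components on a quirk of the wire format. Only set the list when a mapping exists: `if (userMap.containsKey(aUserName)) { userInfo.setUserRoleList(new String[] { userMap.get(aUserName) }); }`, and prefer `String[] str` over the C-style `String str[]` if the array declaration is kept. The same pattern appears in `PolicyMgrUserGroupBuilder`'s `@@ -809` hunk. The enclosing method starts and ends outside the hunk.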
@@ -804,4 +845,74 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder return ret; } + private void getRoleForUserGroups(String userGroupRolesData) { + String roleDelimiter = config.getRoleDelimiter(); + String userGroupDelimiter = config.getUserGroupDelimiter(); + String userNameDelimiter = config.getUserGroupNameDelimiter(); + if (roleDelimiter == null || roleDelimiter.isEmpty()) { + roleDelimiter = "&"; + } + if (userGroupDelimiter == null || userGroupDelimiter.isEmpty()) { + userGroupDelimiter = ":"; + } + if (userNameDelimiter == null || userNameDelimiter.isEmpty()) { + userNameDelimiter = ","; + } + StringTokenizer str = new StringTokenizer(userGroupRolesData, + roleDelimiter); + int flag = 0; + String userGroupCheck = null; + String roleName = null; + while (str.hasMoreTokens()) { + flag = 0; + String tokens = str.nextToken(); + if (tokens != null && !tokens.isEmpty()) { + StringTokenizer userGroupRoles = new StringTokenizer(tokens, + userGroupDelimiter); + if (userGroupRoles != null) { + while (userGroupRoles.hasMoreElements()) { + String userGroupRolesTokens = userGroupRoles + .nextToken(); + if (userGroupRolesTokens != null + && !userGroupRolesTokens.isEmpty()) { + flag++; + switch (flag) { + case 1: + roleName = userGroupRolesTokens; + break; + case 2: + userGroupCheck = userGroupRolesTokens; + break; + case 3: + StringTokenizer userGroupNames = new StringTokenizer( + userGroupRolesTokens, userNameDelimiter); + if (userGroupNames != null) { + while (userGroupNames.hasMoreElements()) { + String userGroup = userGroupNames + .nextToken(); + if (userGroup != null + && !userGroup.isEmpty()) { + if (userGroupCheck + .equalsIgnoreCase("u")) { + userMap.put(userGroup.trim(), roleName.trim()); + } else if (userGroupCheck + .equalsIgnoreCase("g")) { + groupMap.put(userGroup.trim(), + roleName.trim()); + } + } + } + } + break; + default: + userMap.clear(); + groupMap.clear(); + break; + } + } + } + } + } + } + } } 
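Review bot: `getRoleForUserGroups` fails silently on malformed input: a rule with a fourth `:`-separated field reaches the `default:` case and clears both `userMap` and `groupMap`, discarding every rule parsed so far, and a rule with fewer than three fields leaves `roleName`/`userGroupCheck` holding values from the previous token — all without a single log line, for configuration that grants admin roles. Log the offending rule at error level and skip it rather than wiping the maps, reset `roleName` and `userGroupCheck` to null at the top of each outer iteration, and log-and-reject a `userGroupCheck` that is neither `u` nor `g` instead of ignoring it. The name suggests a lookup but the method returns void and populates the two maps; `populateRoleMaps`, or a Javadoc stating that it fills `userMap`/`groupMap` from `ranger.usersync.group.based.role.assignment.rules` in the form `role:u|g:name1,name2&…` with the three delimiters overridable, would make that clear. The `if (userGroupRoles != null)` and `if (userGroupNames != null)` checks are dead, since a `new StringTokenizer` is never null.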
http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java ---------------------------------------------------------------------- diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java index fc239af..df16043 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java @@ -235,6 +235,11 @@ public class UserGroupSyncConfig { private static final String SYNC_MAPPING_GROUPNAME_HANDLER = "ranger.usersync.mapping.groupname.handler"; private static final String DEFAULT_SYNC_MAPPING_GROUPNAME_HANDLER = "org.apache.ranger.usergroupsync.RegEx"; + private static final String ROLE_ASSIGNMENT_LIST_DELIMITER = "ranger.usersync.role.assignment.list.delimiter"; + private static final String USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER = "ranger.usersync.users.groups.assignment.list.delimiter"; + private static final String USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER = "ranger.usersync.username.groupname.assignment.list.delimiter"; + private static final String GROUP_BASED_ROLE_ASSIGNMENT_RULES = "ranger.usersync.group.based.role.assignment.rules"; + private Properties prop = new Properties(); private static volatile UserGroupSyncConfig me = null; 
@@ -1063,4 +1068,40 @@ public class UserGroupSyncConfig { public void setDeltaSync(boolean deltaSyncEnabled) { prop.setProperty(LGSYNC_LDAP_DELTASYNC_ENABLED, String.valueOf(deltaSyncEnabled)); } + public String getGroupRoleRules() { + if(prop != null && prop.containsKey(GROUP_BASED_ROLE_ASSIGNMENT_RULES)) { + String GroupRoleRules = prop.getProperty(GROUP_BASED_ROLE_ASSIGNMENT_RULES); + if(GroupRoleRules != null && !GroupRoleRules.isEmpty()) { + return GroupRoleRules.trim(); + } + } + return null; + } + public String getUserGroupDelimiter() { + if(prop != null && prop.containsKey(USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER)) { + String UserGroupDelimiter = prop.getProperty(USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER); + if(UserGroupDelimiter != null && !UserGroupDelimiter.isEmpty()) { + return UserGroupDelimiter; + } + } + return null; + } + public String getUserGroupNameDelimiter() { + if(prop != null && prop.containsKey(USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER)) { + String UserGroupNameDelimiter = prop.getProperty(USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER); + if(UserGroupNameDelimiter != null && !UserGroupNameDelimiter.isEmpty()) { + return UserGroupNameDelimiter; + } + } + return null; + } + public String getRoleDelimiter() { + if(prop != null && prop.containsKey(ROLE_ASSIGNMENT_LIST_DELIMITER)) { + String roleDelimiter = prop.getProperty(ROLE_ASSIGNMENT_LIST_DELIMITER); + if(roleDelimiter != null && !roleDelimiter.isEmpty()) { + return roleDelimiter; + } + } + return null; + } } http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/ugsync/src/main/java/org/apache/ranger/unixusersync/model/XUserInfo.java ---------------------------------------------------------------------- diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/model/XUserInfo.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/model/XUserInfo.java index 7d636fd..b21468b 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/model/XUserInfo.java 
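Review bot: The four new getters are the same eight lines with a different key each, and three of them use `UpperCamelCase` locals (`GroupRoleRules`, `UserGroupDelimiter`, `UserGroupNameDelimiter`) where the rest of the file uses `lowerCamelCase`; one private helper removes both the repetition and the naming slip. `getGroupRoleRules()` trims its value but the three delimiter getters return the raw string, so a delimiter configured with surrounding whitespace is used verbatim — state which is intended in a Javadoc on each getter (e.g. `@return the configured delimiter, or null when the property is unset or empty`).
```java
/** Returns the value of {@code key}, or null when the property is unset or empty. */
private String getNonEmptyProperty(String key) {
    if (prop == null || !prop.containsKey(key)) {
        return null;
    }
    String value = prop.getProperty(key);
    return (value == null || value.isEmpty()) ? null : value;
}

public String getGroupRoleRules() {
    String rules = getNonEmptyProperty(GROUP_BASED_ROLE_ASSIGNMENT_RULES);
    return rules == null ? null : rules.trim();
}

public String getUserGroupDelimiter() {
    return getNonEmptyProperty(USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER);
}
// … getUserGroupNameDelimiter and getRoleDelimiter delegate the same way with their own key …
```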
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/model/XUserInfo.java @@ -26,8 +26,8 @@ public class XUserInfo { private String id; private String name; private String description; - - private List<String> groupNameList = new ArrayList<String>(); + private List<String> groupNameList = new ArrayList<String>(); + private List<String> userRoleList = new ArrayList<String>(); public String getId() { return id; @@ -59,5 +59,19 @@ public class XUserInfo { public List<String> getGroups() { return groupNameList; } - + + public List<String> getUserRoleList() { + return userRoleList; + } + + public void setUserRoleList(List<String> userRoleList) { + this.userRoleList = userRoleList; + } + + @Override + public String toString() { + return "XUserInfo [id=" + id + ", name=" + name + ", description=" + + description + ", groupNameList=" + groupNameList + + ", userRoleList=" + userRoleList + "]"; + } } http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java ---------------------------------------------------------------------- diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java index 070a39b..87b4883 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java 
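Review bot: `getUserRoleList()` returns the internal list and `setUserRoleList` stores the caller's reference, so callers in this commit end up sharing one list across several `XUserInfo` objects (the group-level `userRoleList` in `LdapPolicyMgrUserGroupBuilder`), and a `setUserRoleList(null)` would make every later `obj.getUserRoleList().equals(...)` in `PolicyMgrUserGroupBuilder` throw. A null-safe copying setter keeps the field's initialised-to-empty invariant: `this.userRoleList = userRoleList == null ? new ArrayList<String>() : new ArrayList<String>(userRoleList);`. A comment on the field stating that it holds Ranger role names (such as `ROLE_SYS_ADMIN`) assigned from the usersync mapping rules would explain why a sync model object carries roles at all.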
@@ -68,7 +68,9 @@ import org.apache.ranger.unixusersync.model.XUserInfo; import org.apache.ranger.unixusersync.model.UserGroupInfo; import org.apache.ranger.usergroupsync.UserGroupSink; import org.apache.ranger.usersync.util.UserSyncUtil; - +import java.util.LinkedHashMap; +import java.util.Map; +import java.util.StringTokenizer; public class PolicyMgrUserGroupBuilder implements UserGroupSink { private static final Logger LOG = Logger.getLogger(PolicyMgrUserGroupBuilder.class); @@ -121,7 +123,8 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { String principal; String keytab; String nameRules; - + Map<String, String> userMap = new LinkedHashMap<String, String>(); + Map<String, String> groupMap = new LinkedHashMap<String, String>(); static { try { LOCAL_HOSTNAME = java.net.InetAddress.getLocalHost().getCanonicalHostName(); @@ -160,6 +163,10 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { } keytab = config.getProperty(KEYTAB,""); nameRules = config.getProperty(NAME_RULE,"DEFAULT"); + String userGroupRoles = config.getGroupRoleRules(); + if (userGroupRoles != null && !userGroupRoles.isEmpty()) { + getRoleForUserGroups(userGroupRoles); + } buildUserGroupInfo(); } 
@@ -366,7 +373,28 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { } if (! isMockRun) { if (!addGroups.isEmpty()){ - ugInfo.setXuserInfo(addXUserInfo(userName)); + XUserInfo obj = addXUserInfo(userName); + if (obj != null) { + for (int i = 0; i < addGroups.size(); i++) { + if (groupMap.containsKey(addGroups.get(i))) { + List<String> userRoleList = new ArrayList<String>(); + userRoleList + .add(groupMap.get(addGroups.get(i))); + if (userMap.containsKey(obj.getName())) { + List<String> userRole = new ArrayList<String>(); + userRole.add(userMap.get(obj.getName())); + if (!obj.getUserRoleList().equals(userRole)) { + obj.setUserRoleList(userRole); + + } + } else if (!obj.getUserRoleList().equals( + userRoleList)) { + obj.setUserRoleList(userRoleList); + } + } + } + } + ugInfo.setXuserInfo(obj); ugInfo.setXgroupInfo(getXGroupInfoList(addGroups)); try{ // If the rest call to ranger admin fails, @@ -393,7 +421,27 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { } if (! isMockRun) { if (!updateGroups.isEmpty()){ - ugInfo.setXuserInfo(addXUserInfo(userName)); + XUserInfo obj = addXUserInfo(userName); + if (obj != null) { + for (int i = 0; i < updateGroups.size(); i++) { + if (groupMap.containsKey(updateGroups.get(i))) { + List<String> userRoleList = new ArrayList<String>(); + userRoleList.add(groupMap.get(updateGroups + .get(i))); + if (userMap.containsKey(obj.getName())) { + List<String> userRole = new ArrayList<String>(); + userRole.add(userMap.get(obj.getName())); + if (!obj.getUserRoleList().equals(userRole)) { + obj.setUserRoleList(userRole); + } + } else if (!obj.getUserRoleList().equals( + userRoleList)) { + obj.setUserRoleList(userRoleList); + } + } + } + } + ugInfo.setXuserInfo(obj); ugInfo.setXgroupInfo(getXGroupInfoList(updateGroups)); try{ // If the rest call to ranger admin fails, 
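Review bot: The role-resolution block after `XUserInfo obj = addXUserInfo(userName)` is repeated almost verbatim for `addGroups` and `updateGroups` in this hunk and the next, and again in the `@@ -409` and `@@ -530` hunks of this file; it also makes the outcome order-dependent — when a user belongs to two mapped groups the role of whichever group comes last in the list wins, so a user in both an admin-mapped and a user-mapped group gets a different role depending on group ordering. Extract one helper that resolves the role list for a user given its groups and fixes the precedence explicitly (user rule first, then the first mapped group — whichever rule the product wants, but deterministic and documented), and have all four sites call it. The `i < addGroups.size()` index loops over a `List<String>` read more directly as for-each. The enclosing method starts and ends outside the hunk.
```java
/**
 * Resolves the role list for {@code userName}: a user-level rule wins over group-level rules;
 * among group rules the first mapped group in {@code groups} is used. Returns null when no rule applies.
 */
private List<String> resolveUserRoles(String userName, List<String> groups) {
    List<String> roles = new ArrayList<String>();
    if (userMap.containsKey(userName)) {
        roles.add(userMap.get(userName));
        return roles;
    }
    for (String group : groups) {
        if (groupMap.containsKey(group)) {
            roles.add(groupMap.get(group));
            return roles;
        }
    }
    return null;
}

// … at each call site, replacing the nested loop …
List<String> resolved = resolveUserRoles(obj.getName(), addGroups);
if (resolved != null && !obj.getUserRoleList().equals(resolved)) {
    obj.setUserRoleList(resolved);
}
```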
@@ -409,8 +457,53 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 }
 }
 }
- }
- }
+ if (!isMockRun) {
+ XUserInfo obj = addXUserInfo(userName);
+ boolean roleFlag = false;
+ if (obj != null && updateGroups.isEmpty()
+ && addGroups.isEmpty()) {
+ if (userMap.containsKey(obj.getName())) {
+ List<String> userRole = new ArrayList<String>();
+ userRole.add(userMap.get(obj.getName()));
+ if (!obj.getUserRoleList().equals(userRole)) {
+ obj.setUserRoleList(userRole);
+ roleFlag = true;
+ }
+ } else {
+ for (int i = 0; i < groups.size(); i++) {
+ if (groupMap.containsKey(groups.get(i))) {
+ List<String> userRoleList = new ArrayList<String>();
+ userRoleList.add(groupMap.get(groups.get(i)));
+ if (!obj.getUserRoleList().equals(userRoleList)) {
+ obj.setUserRoleList(userRoleList);
+ roleFlag = true;
+ }
+ }
+ }
+
+ }
+ ugInfo.setXuserInfo(obj);
+ ugInfo.setXgroupInfo(getXGroupInfoList(groups));
+ }
+ if (roleFlag) {
+ try {
+ // If the rest call to ranger admin fails,
+ // propagate the failure to the caller for retry in next
+ // sync cycle.
+ if (addUserGroupInfo(ugInfo) == null) {
+ String msg = "Failed to add user group info";
+ LOG.error(msg);
+ throw new Exception(msg);
+ }
+ } catch (Throwable t) {
+ LOG.error("PolicyMgrUserGroupBuilder.addUserGroupInfo failed with exception: "
+ + t.getMessage()
+ + ", for user-group entry: "
+ + ugInfo);
+ }
+ }
+ }
+ }
 }
 private void buildGroupList() {
 if (LOG.isDebugEnabled()) {
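Review bot: This path never takes a role away: for a user with no added or updated groups, `roleFlag` becomes true only when some group in `groups` still maps to a role, so a user who was removed from a mapped group keeps whatever role an earlier sync pushed, unless Ranger Admin resets it on its own side (not visible here). If the rules are meant to be authoritative, the role should be derived from the current groups and, when nothing matches and the user is not in `userMap`, the default role pushed explicitly rather than the call skipped. Separately, the comment inside the `try` says the failure is propagated to the caller for retry, but the `catch (Throwable t)` just below logs and swallows it; either rethrow, or make the comment truthful: `// Log and continue; the next sync cycle retries this user.` The enclosing method starts before the hunk.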
@@ -530,6 +623,23 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 if (! isMockRun) {
 user = addXUserInfo(userName);
 }
+ if (!groups.isEmpty() && user != null) {
+ for (int i = 0; i < groups.size(); i++) {
+ if (groupMap.containsKey(groups.get(i))) {
+ List<String> userRoleList = new ArrayList<String>();
+ userRoleList.add(groupMap.get(groups.get(i)));
+ if (userMap.containsKey(user.getName())) {
+ List<String> userRole = new ArrayList<String>();
+ userRole.add(userMap.get(user.getName()));
+ user.setUserRoleList(userRole);
+ } else {
+ user.setUserRoleList(userRoleList);
+ }
+ }
+ }
+ }
+ usergroupInfo.setXuserInfo(user);
+
 for(String g : groups) {
 LOG.debug("INFO: addPMXAGroupToUser(" + userName + "," + g + ")" );
@@ -809,7 +919,11 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 userInfo.setLoginId(aUserName);
 userInfo.setFirstName(aUserName);
 userInfo.setLastName(aUserName);
-
+ String str[] = new String[1];
+ if (userMap.containsKey(aUserName)) {
+ str[0] = userMap.get(aUserName);
+ }
+ userInfo.setUserRoleList(str);
 if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)) {
 try {
 Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
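Review bot: In the `addXUserInfo` hunk `str` stays `{null}` when `aUserName` has no user rule, so every synced user is sent to Ranger Admin with a one-element role list containing null; set it only when a rule exists, `if (userMap.containsKey(aUserName)) {` / `    userInfo.setUserRoleList(new String[] { userMap.get(aUserName) });` / `}`, and if the array stays, write it as `String[] str` rather than the C-style `String str[]`. In the `addPMXAGroupToUser` hunk the same group scan appears without the `equals` guard the other copies use, and again the last matching group decides the role. Both enclosing methods start and end outside their hunks.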
@@ -1080,6 +1194,73 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 // TODO Auto-generated method stub
 }
-
-
-}
+ private void getRoleForUserGroups(String userGroupRolesData) {
+
+ String roleDelimiter = config.getRoleDelimiter();
+ String userGroupDelimiter = config.getUserGroupDelimiter();
+ String userNameDelimiter = config.getUserGroupNameDelimiter();
+ if (roleDelimiter == null || roleDelimiter.isEmpty()) {
+ roleDelimiter = "&";
+ }
+ if (userGroupDelimiter == null || userGroupDelimiter.isEmpty()) {
+ userGroupDelimiter = ":";
+ }
+ if (userNameDelimiter == null || userNameDelimiter.isEmpty()) {
+ userNameDelimiter = ",";
+ }
+ StringTokenizer str = new StringTokenizer(userGroupRolesData,
+ roleDelimiter);
+ int flag = 0;
+ String userGroupCheck = null;
+ String roleName = null;
+ while (str.hasMoreTokens()) {
+ flag = 0;
+ String tokens = str.nextToken();
+ if (tokens != null && !tokens.isEmpty()) {
+ StringTokenizer userGroupRoles = new StringTokenizer(tokens,
+ userGroupDelimiter);
+ if (userGroupRoles != null) {
+ while (userGroupRoles.hasMoreElements()) {
+ String userGroupRolesTokens = userGroupRoles
+ .nextToken();
+ if (userGroupRolesTokens != null
+ && !userGroupRolesTokens.isEmpty()) {
+ flag++;
+ switch (flag) {
+ case 1:
+ roleName = userGroupRolesTokens;
+ break;
+ case 2:
+ userGroupCheck = userGroupRolesTokens;
+ break;
+ case 3:
+ StringTokenizer userGroupNames = new StringTokenizer(
+ userGroupRolesTokens, userNameDelimiter);
+ if (userGroupNames != null) {
+ while (userGroupNames.hasMoreElements()) {
+ String userGroup = userGroupNames
+ .nextToken();
+ if (userGroup != null
+ && !userGroup.isEmpty()) {
+ if (userGroupCheck.trim().equalsIgnoreCase("u")) {
+ userMap.put(userGroup.trim(), roleName.trim());
+ } else if (userGroupCheck.trim().equalsIgnoreCase("g")) {
+ groupMap.put(userGroup.trim(),
+ roleName.trim());
+ }
+ }
+ }
+ }
+ break;
+ default:
+ userMap.clear();
+ groupMap.clear();
+ break;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/unixauthservice/scripts/install.properties
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/install.properties b/unixauthservice/scripts/install.properties
index 13ae1e5..0be2c8f 100644
--- a/unixauthservice/scripts/install.properties
+++ b/unixauthservice/scripts/install.properties
@@ -64,6 +64,21 @@ AUTH_SSL_TRUSTSTORE_PASSWORD=
 # ---------------------------------------------------------------
 # The following properties are relevant only if SYNC_SOURCE = ldap
 # ---------------------------------------------------------------
+# The below properties ROLE_ASSIGNMENT_LIST_DELIMITER, USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER, USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER,
+#and GROUP_BASED_ROLE_ASSIGNMENT_RULES can be used to assign role to LDAP synced users and groups
+#NOTE all the delimiters should have different values and the delimiters should not contain characters that are allowed in userName or GroupName
+
+# default value ROLE_ASSIGNMENT_LIST_DELIMITER = &
+ROLE_ASSIGNMENT_LIST_DELIMITER = &
+
+#default value USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER = :
+USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER = :
+
+#default value USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER = ,
+USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER = ,
+
+# with above mentioned delimiters a sample value would be &ROLE_SYS_ADMIN:u:userName1,userName2&ROLE_SYS_ADMIN:g:groupName1,groupName2&ROLE_KEY_ADMIN:u:userName&ROLE_KEY_ADMIN:g:groupName
+GROUP_BASED_ROLE_ASSIGNMENT_RULES =
 # URL of source ldap
 # a sample value would be: ldap://ldap.example.com:389
http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/unixauthservice/scripts/setup.py
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/setup.py b/unixauthservice/scripts/setup.py
index c7aa959..211da64 100755
--- a/unixauthservice/scripts/setup.py
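Review bot: The `default:` branch in `getRoleForUserGroups` clears both maps but then keeps parsing, so a rule with a fourth field discards every rule before it while rules after it still load, and the admin mapping that results depends on where the bad rule sits in the string. A malformed rule set should be rejected as a whole: `LOG.error("Invalid role assignment rule '" + tokens + "'; ignoring all rules");` / `userMap.clear(); groupMap.clear();` / `return;`. StringTokenizer also drops empty fields, so `ROLE_SYS_ADMIN::alice` silently becomes a two-field rule that assigns nothing, where a `String.split` with a field-count check would report it. Nothing here verifies that the three delimiters differ, which only the installer's setup.py does; repeating that check in this method would also cover a hand-edited configuration.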
+++ b/unixauthservice/scripts/setup.py 
@@ -347,6 +347,23 @@ def main():
 hadoop_conf = globalDict['hadoop_conf']
 pid_dir_path = globalDict['USERSYNC_PID_DIR_PATH']
 unix_user = globalDict['unix_user']
+ if globalDict['SYNC_SOURCE'].lower() == SYNC_SOURCE_LDAP and globalDict.has_key('ROLE_ASSIGNMENT_LIST_DELIMITER') \
+ and globalDict.has_key('USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER') and globalDict.has_key('USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER'):
+ roleAssignmentDelimiter = globalDict['ROLE_ASSIGNMENT_LIST_DELIMITER']
+ userGroupAssignmentDelimiter= globalDict['USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER']
+ userNameGroupNameAssignmentListDelimiter= globalDict['USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER'];
+ if roleAssignmentDelimiter != "" :
+ if roleAssignmentDelimiter == userGroupAssignmentDelimiter or roleAssignmentDelimiter == userNameGroupNameAssignmentListDelimiter :
+ print "ERROR: All Delimiters ROLE_ASSIGNMENT_LIST_DELIMITER, USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER and USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER should be different"
+ sys.exit(1)
+ if userGroupAssignmentDelimiter != "" :
+ if roleAssignmentDelimiter == userGroupAssignmentDelimiter or userGroupAssignmentDelimiter == userNameGroupNameAssignmentListDelimiter:
+ print "ERROR: All Delimiters ROLE_ASSIGNMENT_LIST_DELIMITER, USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER and USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER should be different"
+ sys.exit(1)
+ if userNameGroupNameAssignmentListDelimiter != "":
+ if roleAssignmentDelimiter == userNameGroupNameAssignmentListDelimiter or userGroupAssignmentDelimiter == userNameGroupNameAssignmentListDelimiter:
+ print "ERROR: All Delimiters ROLE_ASSIGNMENT_LIST_DELIMITER, USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER and USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER should be different"
+ sys.exit(1)
 if pid_dir_path == "":
 pid_dir_path = "/var/run/ranger"
http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/unixauthservice/scripts/templates/installprop2xml.properties
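Review bot: The check compares the raw property values and skips any that are empty, but the usersync side (`getRoleForUserGroups` in PolicyMgrUserGroupBuilder) substitutes `&`, `:` and `,` for empty values, so an empty `ROLE_ASSIGNMENT_LIST_DELIMITER` next to `USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER = &` passes the installer and collides at runtime. Each pair is also compared twice across the three blocks. Normalising to the effective defaults and checking once that the three values are pairwise distinct covers both. `main()` starts and ends outside the hunk.
```python
# … unchanged: SYNC_SOURCE / has_key guard …
        roleAssignmentDelimiter = globalDict['ROLE_ASSIGNMENT_LIST_DELIMITER'] or '&'
        userGroupAssignmentDelimiter = globalDict['USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER'] or ':'
        userNameGroupNameAssignmentListDelimiter = globalDict['USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER'] or ','
        # compare the values usersync will actually use, not the raw (possibly empty) ones
        delimiters = [roleAssignmentDelimiter, userGroupAssignmentDelimiter, userNameGroupNameAssignmentListDelimiter]
        if len(set(delimiters)) != len(delimiters):
            print "ERROR: All Delimiters ROLE_ASSIGNMENT_LIST_DELIMITER, USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER and USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER should be different"
            sys.exit(1)
```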
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/templates/installprop2xml.properties b/unixauthservice/scripts/templates/installprop2xml.properties
index 1a9bf36..8a889a9 100644
--- a/unixauthservice/scripts/templates/installprop2xml.properties
+++ b/unixauthservice/scripts/templates/installprop2xml.properties
@@ -16,6 +16,10 @@ POLICY_MGR_URL = ranger.usersync.policymanager.baseURL
 MIN_UNIX_USER_ID_TO_SYNC = ranger.usersync.unix.minUserId
 SYNC_INTERVAL = ranger.usersync.sleeptimeinmillisbetweensynccycle
+ROLE_ASSIGNMENT_LIST_DELIMITER = ranger.usersync.role.assignment.list.delimiter
+USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER = ranger.usersync.users.groups.assignment.list.delimiter
+USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER = ranger.usersync.username.groupname.assignment.list.delimiter
+GROUP_BASED_ROLE_ASSIGNMENT_RULES = ranger.usersync.group.based.role.assignment.rules
 SYNC_LDAP_URL = ranger.usersync.ldap.url
 SYNC_LDAP_BIND_DN = ranger.usersync.ldap.binddn
 SYNC_LDAP_BIND_PASSWORD = ranger.usersync.ldap.ldapbindpassword
http://git-wip-us.apache.org/repos/asf/ranger/blob/99abbcfa/unixauthservice/scripts/templates/ranger-ugsync-template.xml
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/templates/ranger-ugsync-template.xml b/unixauthservice/scripts/templates/ranger-ugsync-template.xml
index 0025dc8..5a0cf98 100644
--- a/unixauthservice/scripts/templates/ranger-ugsync-template.xml
+++ b/unixauthservice/scripts/templates/ranger-ugsync-template.xml
@@ -205,4 +205,20 @@
 <name>ranger.usersync.truststore.password</name>
 <value></value>
 </property>
+ <property>
+ <name>ranger.usersync.role.assignment.list.delimiter</name>
+ <value></value>
+ </property>
+ <property>
+ <name>ranger.usersync.users.groups.assignment.list.delimiter</name>
+ <value></value>
+ </property>
+ <property>
+ <name>ranger.usersync.username.groupname.assignment.list.delimiter</name>
+ <value></value>
+ </property>
+ <property>
+ <name>ranger.usersync.group.based.role.assignment.rules</name>
+ <value></value>
+ </property>
 </configuration>