Repository: ranger Updated Branches: refs/heads/master e693837ac -> 0ebc2d30e
RANGER-2168: Add service admin user through service config
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/0ebc2d30
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/0ebc2d30
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/0ebc2d30
Branch: refs/heads/master
Commit: 0ebc2d30eb803f61ff51656bbc1a00f148297a08
Parents: e693837
Author: Pradeep <prad...@apache.org>
Authored: Wed Aug 1 15:28:19 2018 +0530
Committer: Pradeep <prad...@apache.org>
Committed: Wed Aug 1 21:49:01 2018 +0530
----------------------------------------------------------------------
.../org/apache/ranger/biz/ServiceDBStore.java | 16 +++++++++++
.../apache/ranger/db/XXServiceConfigMapDao.java | 14 +++++++++
.../org/apache/ranger/rest/ServiceREST.java | 30 +++++++-------------
.../resources/META-INF/jpa_named_queries.xml | 5 ++++
4 files changed, 46 insertions(+), 19 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/0ebc2d30/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 10d8aa2..0773616 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -225,6 +225,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 private static final String TIMESTAMP = "Export time";
 private static final String AMBARI_SERVICE_CHECK_USER = "ambari.service.check.user";
+ private static final String SERVICE_ADMIN_USERS = "service.admin.users";
 public static final String CRYPT_ALGO = PropertiesUtil.getProperty("ranger.password.encryption.algorithm", PasswordUtils.DEFAULT_CRYPT_ALGO);
 public static final String ENCRYPT_KEY = PropertiesUtil.getProperty("ranger.password.encryption.key", PasswordUtils.DEFAULT_ENCRYPT_KEY);
@@ -4787,4 +4788,19 @@ public class ServiceDBStore extends AbstractServiceStore {
 long userCount = VXUserListKeyAdmin.getTotalCount();
 return userCount;
 }
+
+ public boolean isServiceAdminUser(String serviceName, String userName) {
+ boolean ret=false;
+ XXServiceConfigMap cfgSvcAdminUsers = daoMgr.getXXServiceConfigMap().findByServiceNameAndConfigKey(serviceName, SERVICE_ADMIN_USERS);
+ String svcAdminUsers = cfgSvcAdminUsers != null ? cfgSvcAdminUsers.getConfigvalue() : null;
+ if (svcAdminUsers != null) {
+ for (String svcAdminUser : svcAdminUsers.split(",")) {
+ if (userName.equals(svcAdminUser)) {
+ ret=true;
+ break;
+ }
+ }
+ }
+ return ret;
+ }
 }
http://git-wip-us.apache.org/repos/asf/ranger/blob/0ebc2d30/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java
index 5e94855..4217473 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java
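Review bot: In `isServiceAdminUser` the entries produced by `svcAdminUsers.split(",")` are compared with `equals` without trimming, so a value configured as `alice, bob` matches only `alice` and silently denies `bob`; compare with `userName.equals(svcAdminUser.trim())` and skip empty entries. `userName` is dereferenced before any null check, so a caller with no login id would get a NullPointerException rather than `false`; a `userName == null` guard returning `false` keeps the method fail-closed. Since this method now gates policy administration in ServiceREST, a denial caused by stray whitespace is hard to diagnose, and a short Javadoc stating that the list is taken verbatim from the `service.admin.users` config value would help operators.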
@@ -62,4 +62,18 @@ public class XXServiceConfigMapDao extends BaseDao<XXServiceConfigMap> {
 }
 }
+ public XXServiceConfigMap findByServiceNameAndConfigKey(String serviceName, String configKey) {
+ if(serviceName == null || configKey == null) {
+ return null;
+ }
+ try {
+ return getEntityManager()
+ .createNamedQuery("XXServiceConfigMap.findByServiceNameAndConfigKey", tClass)
+ .setParameter("name", serviceName)
+ .setParameter("configKey", configKey).getSingleResult();
+ } catch (NoResultException e) {
+ return null;
+ }
+ }
+
 }
http://git-wip-us.apache.org/repos/asf/ranger/blob/0ebc2d30/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index e4449df..c116ea2 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -3055,12 +3055,13 @@ public class ServiceREST {
 List<RangerPolicy> listToFilter = entry.getValue();
 if (CollectionUtils.isNotEmpty(listToFilter)) {
- if (isAdmin || isKeyAdmin || isAuditAdmin || isAuditKeyAdmin) {
+ boolean isServiceAdminUser=svcStore.isServiceAdminUser(serviceName, userName);
+ if (isAdmin || isKeyAdmin || isAuditAdmin || isAuditKeyAdmin || isServiceAdminUser) {
 XXService xService = daoManager.getXXService().findByName(serviceName);
 Long serviceDefId = xService.getType();
 boolean isKmsService = serviceDefId.equals(EmbeddedServiceDefsUtil.instance().getKmsServiceDefId());
- if (isAdmin) {
+ if (isAdmin || isServiceAdminUser) {
 if (!isKmsService) {
 ret.addAll(listToFilter);
 }
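Review bot: `findByServiceNameAndConfigKey` catches only `NoResultException`, so if the named query ever returns more than one row for the same service name and config key, `getSingleResult()` throws `NonUniqueResultException` and the authorization check that calls this method fails with an unhandled exception instead of a clean deny. Unless a unique constraint guarantees one row per (service, key) — not visible here — catch `NonUniqueResultException` as well, or use `getResultList()` and return the first element or null. The preceding query in this DAO is keyed by `serviceId`; this one resolves the service by `XXService.name`, which deserves a Javadoc line such as `/** Returns the config entry for the named service and key, or null if the service or key is absent. */`.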
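Review bot: `svcStore.isServiceAdminUser(serviceName, userName)` issues a database lookup for every entry in this loop even when `isAdmin` already grants access; short-circuit it with `boolean isServiceAdminUser = !isAdmin && svcStore.isServiceAdminUser(serviceName, userName);`, which leaves both conditions below unchanged. The enclosing method starts and ends outside the hunk, so the remaining key-admin and audit-admin branches were not reviewed here.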
@@ -3108,17 +3109,13 @@ public class ServiceREST {
 boolean isAdmin = bizUtil.isAdmin();
 boolean isKeyAdmin = bizUtil.isKeyAdmin();
 String userName = bizUtil.getCurrentUserLoginId();
+ boolean isSvcAdmin = isAdmin || svcStore.isServiceAdminUser(policy.getService(), userName);
- if(!isAdmin && !isKeyAdmin) {
+ if(!isAdmin && !isKeyAdmin && !isSvcAdmin) {
 boolean isAllowed = false;
- RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(policy.getService());
-
- if (policyEngine != null) {
- Set<String> userGroups = userMgr.getGroupsForUser(userName);
-
- isAllowed = hasAdminAccess(policy, userName, userGroups);
- }
+ Set<String> userGroups = userMgr.getGroupsForUser(userName);
+ isAllowed = hasAdminAccess(policy, userName, userGroups);
 if (!isAllowed) {
 throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED,
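Review bot: Removing the `policyEngine != null` guard changes the failure mode for a service with no delegated-admin engine: previously `isAllowed` stayed false and the request ended in the 401 below, whereas now `hasAdminAccess(policy, userName, userGroups)` is reached regardless, so the outcome depends on how that method behaves without an engine (not visible here); please confirm it denies rather than throws, or restore the guard. The new `isSvcAdmin` already includes `isAdmin`, so `!isAdmin && !isKeyAdmin && !isSvcAdmin` repeats the admin check; either `boolean isSvcAdmin = svcStore.isServiceAdminUser(policy.getService(), userName);` or dropping `!isAdmin &&` from the condition keeps the two from drifting apart. The check is keyed on `policy.getService()` from the request body, which is appropriate here only if the service name is validated against the stored policy on the update path. Both points apply equally to the hunk at line 3434 below; the enclosing method continues past the hunk.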
@@ -3434,17 +3431,12 @@ public class ServiceREST {
 String userName = bizUtil.getCurrentUserLoginId();
 boolean isAuditAdmin = bizUtil.isAuditAdmin();
 boolean isAuditKeyAdmin = bizUtil.isAuditKeyAdmin();
- if (!isAdmin && !isKeyAdmin && !isAuditAdmin && !isAuditKeyAdmin) {
+ boolean isSvcAdmin = isAdmin || svcStore.isServiceAdminUser(policy.getService(), userName);
+ if (!isAdmin && !isKeyAdmin && !isSvcAdmin && !isAuditAdmin && !isAuditKeyAdmin) {
 boolean isAllowed = false;
- RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(policy
- .getService());
-
- if (policyEngine != null) {
- Set<String> userGroups = userMgr.getGroupsForUser(userName);
-
- isAllowed = hasAdminAccess(policy, userName, userGroups);
- }
+ Set<String> userGroups = userMgr.getGroupsForUser(userName);
+ isAllowed = hasAdminAccess(policy, userName, userGroups);
 if (!isAllowed) {
 throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED,"User '"
http://git-wip-us.apache.org/repos/asf/ranger/blob/0ebc2d30/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
index d2a6f4b..cdf6ba6 100644
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
+++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
@@ -435,6 +435,11 @@
 obj.serviceId = :serviceId and obj.configKey = :configKey</query>
 </named-query>
+ <named-query name="XXServiceConfigMap.findByServiceNameAndConfigKey">
+ <query>select obj from XXServiceConfigMap obj, XXService xSvc where
+ xSvc.name = :name and xSvc.id=obj.serviceId and obj.configKey = :configKey</query>
+ </named-query>
+
 <!-- XXService -->
 <named-query name="XXService.findByName">
 <query>select obj from XXService obj where obj.name = :name</query>