Repository: ranger Updated Branches: refs/heads/ranger-0.7 ac456e84c -> 46c6cf878
RANGER-2168: Add service admin user through service config (cherry picked from commit 0ebc2d30eb803f61ff51656bbc1a00f148297a08) (cherry picked from commit a8c4c0091929fa26a6afcc2946617f5ba9eeca10) Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/46c6cf87 Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/46c6cf87 Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/46c6cf87 Branch: refs/heads/ranger-0.7 Commit: 46c6cf878026b1c2d7e76f838c95733271e1497b Parents: ac456e8 Author: Pradeep Agrawal <prad...@apache.org> Authored: Wed Sep 19 12:33:11 2018 +0530 Committer: Pradeep <prad...@apache.org> Committed: Fri Sep 28 11:48:22 2018 +0530 ---------------------------------------------------------------------- .../org/apache/ranger/biz/ServiceDBStore.java | 16 ++++++++++++++++ .../apache/ranger/db/XXServiceConfigMapDao.java | 14 ++++++++++++++ .../org/apache/ranger/rest/ServiceREST.java | 20 +++++++++----------- .../resources/META-INF/jpa_named_queries.xml | 5 +++++ 4 files changed, 44 insertions(+), 11 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/46c6cf87/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 64cf043..ceee8ce 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -204,6 +204,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 private static final String TIMESTAMP = "Export time";
 private static final String AMBARI_SERVICE_CHECK_USER = "ambari.service.check.user";
+ private static final String SERVICE_ADMIN_USERS = "service.admin.users";
 public static final String CRYPT_ALGO = PropertiesUtil.getProperty("ranger.password.encryption.algorithm", PasswordUtils.DEFAULT_CRYPT_ALGO);
 public static final String ENCRYPT_KEY = PropertiesUtil.getProperty("ranger.password.encryption.key", PasswordUtils.DEFAULT_ENCRYPT_KEY);
@@ -3993,4 +3994,19 @@ public class ServiceDBStore extends AbstractServiceStore {
 genericUser.setDescription(RangerPolicyEngine.RESOURCE_OWNER);
 xUserService.createXUserWithOutLogin(genericUser);
 }
+
+ public boolean isServiceAdminUser(String serviceName, String userName) {
+ boolean ret=false;
+ XXServiceConfigMap cfgSvcAdminUsers = daoMgr.getXXServiceConfigMap().findByServiceNameAndConfigKey(serviceName, SERVICE_ADMIN_USERS);
+ String svcAdminUsers = cfgSvcAdminUsers != null ? cfgSvcAdminUsers.getConfigvalue() : null;
+ if (svcAdminUsers != null) {
+ for (String svcAdminUser : svcAdminUsers.split(",")) {
+ if (userName.equals(svcAdminUser)) {
+ ret=true;
+ break;
+ }
+ }
+ }
+ return ret;
+ }
 }
http://git-wip-us.apache.org/repos/asf/ranger/blob/46c6cf87/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java
index 9f97b60..9559161 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java
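Review bot: `userName.equals(svcAdminUser)` in isServiceAdminUser compares against the raw comma-split token, so a config value written as `alice, bob` never matches `bob`, and a null userName throws NullPointerException instead of returning false; because this result feeds an access decision the miss is at least fail-closed, but it is a silent misconfiguration that is hard to diagnose. Reversing the comparison and trimming the token fixes both: `if (svcAdminUser.trim().equals(userName)) {`. A Javadoc line stating that the match is an exact, case-sensitive comparison against the comma-separated `service.admin.users` value of the named service would also help the next reader. The enclosing class starts outside the hunk.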
@@ -60,4 +60,18 @@ public class XXServiceConfigMapDao extends BaseDao<XXServiceConfigMap> {
 }
 }
+ public XXServiceConfigMap findByServiceNameAndConfigKey(String serviceName, String configKey) {
+ if(serviceName == null || configKey == null) {
+ return null;
+ }
+ try {
+ return getEntityManager()
+ .createNamedQuery("XXServiceConfigMap.findByServiceNameAndConfigKey", tClass)
+ .setParameter("name", serviceName)
+ .setParameter("configKey", configKey).getSingleResult();
+ } catch (NoResultException e) {
+ return null;
+ }
+ }
+
 }
http://git-wip-us.apache.org/repos/asf/ranger/blob/46c6cf87/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index e2a0c29..5e5e7dd 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -2988,7 +2988,8 @@ public class ServiceREST {
 List<RangerPolicy> listToFilter = entry.getValue();
 if (CollectionUtils.isNotEmpty(listToFilter)) {
- if (isAdmin || isKeyAdmin) {
+ boolean isServiceAdminUser=isAdmin || svcStore.isServiceAdminUser(serviceName, userName);
+ if (isAdmin || isKeyAdmin || isServiceAdminUser) {
 XXService xService = daoManager.getXXService().findByName(serviceName);
 Long serviceDefId = xService.getType();
 boolean isKmsService = serviceDefId.equals(EmbeddedServiceDefsUtil.instance().getKmsServiceDefId());
@@ -2997,10 +2998,12 @@ public class ServiceREST {
 if (!isKmsService) {
 ret.addAll(listToFilter);
 }
- } else { // isKeyAdmin
+ } else if (isKeyAdmin) {
 if (isKmsService) {
 ret.addAll(listToFilter);
 }
+ } else if (isServiceAdminUser) {
+ ret.addAll(listToFilter);
 }
 continue;
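Review bot: `getSingleResult()` in findByServiceNameAndConfigKey is guarded only against `NoResultException`; if more than one XXServiceConfigMap row matches the (service name, configKey) pair, `NonUniqueResultException` propagates to the caller, and the caller added in this commit is the authorization check ServiceDBStore.isServiceAdminUser, so the request would fail with an error rather than a clean deny. Unless the schema enforces uniqueness of (serviceId, configKey) — not visible in this diff — catch it as well so the lookup fails closed: `} catch (NoResultException | NonUniqueResultException e) {` (both from javax.persistence; add the import if it is not already present). A Javadoc stating the contract — the single matching row, or null when the inputs are null or no row exists — would also document why null is returned for null arguments. `tClass` and `getEntityManager()` come from BaseDao, outside the hunk.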
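Review bot: `boolean isServiceAdminUser=isAdmin || svcStore.isServiceAdminUser(serviceName, userName);` folds isAdmin into a variable whose name suggests it reflects only the service-admin config, so the `|| isServiceAdminUser` on the next line and the later `else if (isServiceAdminUser)` branch read differently from what they actually test; the same shape appears as `isSvcAdmin` in the hunk at @@ -3034. Since the `isAdmin` and `isKeyAdmin` branches are taken first, the lookup is only needed when neither holds, and `boolean isServiceAdminUser = !isAdmin && !isKeyAdmin && svcStore.isServiceAdminUser(serviceName, userName);` keeps every condition equivalent while skipping the per-service named query for admin and key-admin callers. Worth a one-line comment above the check as well: a user listed in a service's `service.admin.users` config receives all of that service's policies here, so whoever can edit that service's config is effectively granting this visibility. The enclosing method starts before the hunk.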
@@ -3034,16 +3037,11 @@ public class ServiceREST {
 boolean isKeyAdmin = bizUtil.isKeyAdmin();
 String userName = bizUtil.getCurrentUserLoginId();
- if(!isAdmin && !isKeyAdmin) {
- boolean isAllowed = false;
+ boolean isSvcAdmin = isAdmin || svcStore.isServiceAdminUser(serviceName, userName);
- RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName);
-
- if (policyEngine != null) {
- Set<String> userGroups = userMgr.getGroupsForUser(userName);
-
- isAllowed = hasAdminAccess(serviceName, userName, userGroups, resources);
- }
+ if(!isAdmin && !isKeyAdmin && !isSvcAdmin) {
+ Set<String> userGroups = userMgr.getGroupsForUser(userName);
+ boolean isAllowed = hasAdminAccess(serviceName, userName, userGroups, resources);
 if (!isAllowed) {
 throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED,
http://git-wip-us.apache.org/repos/asf/ranger/blob/46c6cf87/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
index 786b4bf..4a7055d 100644
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
+++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
@@ -390,6 +390,11 @@
 obj.serviceId = :serviceId and obj.configKey = :configKey</query>
 </named-query>
+ <named-query name="XXServiceConfigMap.findByServiceNameAndConfigKey">
+ <query>select obj from XXServiceConfigMap obj, XXService xSvc where
+ xSvc.name = :name and xSvc.id=obj.serviceId and obj.configKey = :configKey</query>
+ </named-query>
+
 <!-- XXService -->
 <named-query name="XXService.findByName">
 <query>select obj from XXService obj where obj.name = :name</query>
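Review bot: The rewritten branch drops the `policyEngine != null` guard that previously wrapped `hasAdminAccess(serviceName, userName, userGroups, resources)`, so `isAllowed` is now evaluated even when `getDelegatedAdminPolicyEngine(serviceName)` would have returned null; whether that is safe depends on hasAdminAccess handling the missing engine itself, which is outside this hunk, and if it does not, the request can end in an exception instead of the intended SC_UNAUTHORIZED. If the guard is redundant, a short comment saying so would spare the next reader the same question; if not, reinstate it as `RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName);` followed by `boolean isAllowed = policyEngine != null && hasAdminAccess(serviceName, userName, userGroups, resources);`. The enclosing method begins before the hunk and the throw statement continues after it.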