Repository: ranger Updated Branches: refs/heads/ranger-1.2 a337dd8bc -> b07b98c33
RANGER-2273 : Allow service admin and delegated admin user to view list of users and groups though they have 'USER' role
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/b07b98c3
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/b07b98c3
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/b07b98c3
Branch: refs/heads/ranger-1.2
Commit: b07b98c33053acf0d04643f879e6069fbb04ced4
Parents: a337dd8
Author: Nikhil P <npur...@hortonworks.com>
Authored: Thu Nov 1 19:12:20 2018 +0530
Committer: Pradeep <prad...@apache.org>
Committed: Sat Nov 3 20:09:12 2018 +0530
----------------------------------------------------------------------
 .../org/apache/ranger/biz/ServiceDBStore.java | 2 +-
 .../java/org/apache/ranger/biz/XUserMgr.java | 95 ++++++++++++++++++++
 .../java/org/apache/ranger/rest/XUserREST.java | 62 +++++++++++++
 .../ranger/security/context/RangerAPIList.java | 2 +
 .../scripts/views/policies/PermissionList.js | 12 +--
 .../scripts/views/reports/UserAccessLayout.js | 12 +--
 6 files changed, 172 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/b07b98c3/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index ea2c220..63c9432 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -4365,7 +4365,7 @@ public class ServiceDBStore extends AbstractServiceStore {
 String svcAdminUsers = cfgSvcAdminUsers != null ? cfgSvcAdminUsers.getConfigvalue() : null;
 if (svcAdminUsers != null) {
 for (String svcAdminUser : svcAdminUsers.split(",")) {
- if (userName.equals(svcAdminUser)) {
+ if (userName.equals(svcAdminUser.trim())) {
 ret=true;
 break;
 }
http://git-wip-us.apache.org/repos/asf/ranger/blob/b07b98c3/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index febf221..ced600f 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -23,8 +23,10 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
 import org.apache.commons.collections.CollectionUtils;
@@ -83,6 +85,7 @@ import org.springframework.transaction.annotation.Transactional;
 import javax.servlet.http.HttpServletResponse;
 import org.apache.ranger.entity.XXPortalUserRole;
+import org.springframework.util.StringUtils;
 @Component
 public class XUserMgr extends XUserMgrBase {
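Review bot: In the ServiceDBStore.java hunk, the comparison added inside the `for` loop trims each configured entry but still accepts an entry that is empty after trimming, so a constructed config value such as `alice, ,bob` produces a token that equals an empty `userName`. Whether `userName` can be empty or null here is decided outside the hunk, but the loop sets `ret=true` for what the variable names suggest is a service-admin decision, so I would skip blank entries explicitly: `String admin = svcAdminUser.trim(); if (!admin.isEmpty() && admin.equals(userName)) {`. Calling `equals` on the trimmed entry also removes the dependence on `userName` being non-null. The enclosing method starts and ends outside this hunk.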
@@ -1850,6 +1853,98 @@ public class XUserMgr extends XUserMgrBase {
 return vXGroupList;
 }
+ public VXGroupList lookupXGroups(SearchCriteria searchCriteria) {
+ VXGroupList ret = null;
+
+ try {
+ HashMap<String, Object> searchParams = searchCriteria.getParamList();
+ String nameToLookFor = searchParams != null ? (String) searchParams.get("name") : null;
+ VXGroup exactMatch = null;
+
+ if (StringUtils.isEmpty(searchCriteria.getSortBy())) {
+ searchCriteria.setSortBy(nameToLookFor != null ? "name" : "id");
+ }
+
+ if(nameToLookFor != null) {
+ exactMatch = getGroupByGroupName(nameToLookFor);
+
+ for (Map.Entry<String, Object> entry : searchParams.entrySet()) {
+ if(exactMatch == null) {
+ break;
+ }
+
+ String paramName = entry.getKey();
+ Object paramValue = entry.getValue();
+
+ switch (paramName.toLowerCase()) {
+ case "isvisible":
+ if (!Objects.equals(exactMatch.getIsVisible(), paramValue)) {
+ exactMatch = null;
+ }
+ break;
+
+ case "groupsource":
+ if (!Objects.equals(exactMatch.getGroupSource(), paramValue)) {
+ exactMatch = null;
+ }
+ break;
+
+ default:
+ // ignore
+ break;
+ }
+ }
+ }
+
+ VXGroupList searchResult = xGroupService.searchXGroups(searchCriteria);
+
+ if (exactMatch != null && exactMatch.getId() != null) {
+ List<VXGroup> groups = searchResult.getList();
+
+ if (!groups.isEmpty()) { // remove exactMatch from groups if it is present
+ boolean removed = false;
+
+ for (Iterator<VXGroup> iter = groups.iterator(); iter.hasNext(); ) {
+ VXGroup group = iter.next();
+
+ if (group != null && exactMatch.getId().equals(group.getId())) {
+ iter.remove();
+ removed = true;
+
+ break;
+ }
+ }
+
+ if (!removed) { // remove the last entry, if exactMatch was not removed above - to accomodate for add() below
+ groups.remove(groups.size() - 1);
+ }
+ }
+
+ groups.add(0, exactMatch);
+
+ ret = new VXGroupList(groups);
+
+ ret.setStartIndex(searchCriteria.getStartIndex());
+ ret.setTotalCount(searchResult.getTotalCount());
+ ret.setPageSize(searchCriteria.getMaxRows());
+ ret.setSortBy(searchCriteria.getSortBy());
+ ret.setSortType(searchCriteria.getSortType());
+ } else {
+ ret = searchResult;
+ }
+ } catch (Exception e) {
+ logger.error("Error getting the exact match of group =>"+e);
+ }
+
+ if (ret != null && ret.getListSize() > 0 && !hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)) {
+ for(VXGroup vXGroup : ret.getList()) {
+ getMaskedVXGroup(vXGroup);
+ }
+ }
+
+ return ret;
+ }
+
 public Collection<String> getMaskedCollection(Collection<String> listunMasked){
 List<String> listMasked=new ArrayList<String>();
 if(listunMasked!=null) {
http://git-wip-us.apache.org/repos/asf/ranger/blob/b07b98c3/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
index b5c6e9c..1e8a093 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
@@ -19,6 +19,7 @@ package org.apache.ranger.rest;
+import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
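Review bot: In `lookupXGroups` (XUserMgr.java) the group returned by `getGroupByGroupName(nameToLookFor)` is placed at the head of the list after being checked only against the `isvisible` and `groupsource` parameters the request happens to carry, so it never passes through whatever other restrictions `xGroupService.searchXGroups(searchCriteria)` applies. If that search hides anything from callers who lack `MODULE_USER_GROUPS` access (not visible here), an exact name would still confirm that the group exists; I would prepend `exactMatch` only when it also satisfies the search, or apply the visibility check even when the request omits `isVisible`. The prepend also ignores `searchCriteria.getStartIndex()`, so the same group appears to be inserted on every page and the entry dropped by `groups.remove(groups.size() - 1)` would not be returned on any page. Separately, the `catch (Exception e)` block logs `"..."+e` without a stack trace and the method then returns `null`; `logger.error("Error getting the exact match of group", e);` and a non-null result would be safer for callers.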
@@ -386,6 +387,67 @@ public class XUserREST {
 }
 @GET
+ @Path("/lookup/users")
+ @Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_USERS_LOOKUP + "\")")
+ public VXStringList getUsersLookup(@Context HttpServletRequest request) {
+ SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
+ request, xUserService.sortFields);
+ VXStringList ret = new VXStringList();
+ List<VXString> vXList = new ArrayList<>();
+ searchUtil.extractString(request, searchCriteria, "name", "User name",null);
+ searchUtil.extractInt(request, searchCriteria, "isVisible", "User Visibility");
+ try {
+ VXUserList vXUserList = xUserMgr.searchXUsers(searchCriteria);
+ VXString VXString = null;
+ for (VXUser vxUser : vXUserList.getList()) {
+ VXString = new VXString();
+ VXString.setValue(vxUser.getName());
+ vXList.add(VXString);
+ }
+ ret.setVXStrings(vXList);
+ ret.setPageSize(vXUserList.getPageSize());
+ ret.setTotalCount(vXUserList.getTotalCount());
+ ret.setSortType(vXUserList.getSortType());
+ ret.setSortBy(vXUserList.getSortBy());
+ }
+ catch(Throwable excp){
+ throw restErrorUtil.createRESTException(excp.getMessage());
+ }
+ return ret;
+ }
+
+ @GET
+ @Path("/lookup/groups")
+ @Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_GROUPS_LOOKUP + "\")")
+ public VXStringList getGroupsLookup(@Context HttpServletRequest request) {
+ VXStringList ret = new VXStringList();
+ SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
+ request, xGroupService.sortFields);
+ List<VXString> vXList = new ArrayList<>();
+ searchUtil.extractString(request, searchCriteria, "name", "group name", null);
+ searchUtil.extractInt(request, searchCriteria, "isVisible", "Group Visibility");
+ try {
+ VXGroupList vXGroupList = xUserMgr.lookupXGroups(searchCriteria);
+ for (VXGroup vxGroup : vXGroupList.getList()) {
+ VXString VXString = new VXString();
+ VXString.setValue(vxGroup.getName());
+ vXList.add(VXString);
+ }
+ ret.setVXStrings(vXList);
+ ret.setPageSize(vXGroupList.getPageSize());
+ ret.setTotalCount(vXGroupList.getTotalCount());
+ ret.setSortType(vXGroupList.getSortType());
+ ret.setSortBy(vXGroupList.getSortBy());
+ }
+ catch(Throwable excp){
+ throw restErrorUtil.createRESTException(excp.getMessage());
+ }
+ return ret;
+ }
+
+ @GET
 @Path("/users/count")
 @Produces({ "application/xml", "application/json" })
 @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.COUNT_X_USERS + "\")")
http://git-wip-us.apache.org/repos/asf/ranger/blob/b07b98c3/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
index 4a6a769..1e38ef1 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
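Review bot: In the XUserREST.java hunk, `getGroupsLookup` dereferences `vXGroupList.getList()` without a null check, yet `xUserMgr.lookupXGroups` as added in this commit returns `null` once it has caught and logged an exception, so a backend failure surfaces as a NullPointerException whose `getMessage()` is null. Both new endpoints also catch `Throwable` and pass `excp.getMessage()` to `restErrorUtil.createRESTException`, which presumably puts internal error text into the response for a caller who, per the commit title, may hold only the `USER` role; I would log the exception server-side, return a fixed message, and catch `Exception` rather than `Throwable`. A guard such as `if (vXGroupList != null && vXGroupList.getList() != null) {` around the loop and the setters covers the first point. The local variable named `VXString` shadows its own type in both methods; `vXString` would read better.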
@@ -150,6 +150,8 @@ public class RangerAPIList {
 public static final String MODIFY_USER_VISIBILITY = "XUserREST.modifyUserVisibility";
 public static final String DELETE_X_USER = "XUserREST.deleteXUser";
 public static final String SEARCH_X_USERS = "XUserREST.searchXUsers";
+ public static final String GET_USERS_LOOKUP = "XUserREST.getUsersLookup";
+ public static final String GET_GROUPS_LOOKUP = "XUserREST.getGroupsLookup";
 public static final String COUNT_X_USERS = "XUserREST.countXUsers";
 public static final String GET_X_GROUP_USER = "XUserREST.getXGroupUser";
 public static final String CREATE_X_GROUP_USER = "XUserREST.createXGroupUser";
http://git-wip-us.apache.org/repos/asf/ranger/blob/b07b98c3/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js b/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js
index 2b996b0..0c3824b 100644
--- a/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js
+++ b/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js
@@ -192,10 +192,10 @@ define(function(require) {
 }
 });
 },
- createDropDown :function($select, typeGroup){
- var that = this, tags = [],
+ createDropDown :function($select, typeGroup){
+ var that = this, tags = [],
 placeholder = (typeGroup) ? 'Select Group' : 'Select User',
- searchUrl = (typeGroup) ? "service/xusers/groups" : "service/xusers/users";
+ searchUrl = (typeGroup) ? "service/xusers/lookup/groups" : "service/xusers/lookup/users";
 if(this.model.has('editMode') && !_.isEmpty($select.val())){
 var temp = this.model.attributes[ (typeGroup) ? 'groupName': 'userName'];
 _.each(temp , function(name){
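Review bot: In the RangerAPIList.java hunk, the two new constants are the names `@PreAuthorize` passes to `isAPIAccessible` for the lookup endpoints, but the diffstat shows no change to any role or module mapping for them, so who may call `XUserREST.getUsersLookup` and `XUserREST.getGroupsLookup` depends on how names without a mapping are treated, which is not visible here. If the intent is that every authenticated user may call them, a comment next to the constants would record that as deliberate, for example `// lookup APIs: intentionally available to users without user/group module access (RANGER-2273)`. A test that calls both endpoints as a plain `USER` and checks that only names come back would pin the behaviour.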
@@ -221,11 +221,11 @@ define(function(require) {
 var results = [] , selectedVals = [];
 //Get selected values of groups/users dropdown
 selectedVals = that.getSelectedValues($select, typeGroup);
- if(data.resultSize != "0"){
+ if(data.totalCount != "0"){
 if(typeGroup){
- results = data.vXGroups.map(function(m, i){ return {id : _.escape(m.name), text: _.escape(m.name) }; });
+ results = data.vXStrings.map(function(m){ return {id : _.escape(m.value), text: _.escape(m.value) }; });
 } else {
- results = data.vXUsers.map(function(m, i){ return {id : _.escape(m.name), text: _.escape(m.name) }; });
+ results = data.vXStrings.map(function(m){ return {id : _.escape(m.value), text: _.escape(m.value) }; });
 }
 if(!_.isEmpty(selectedVals)){
 results = XAUtil.filterResultByText(results, selectedVals);
http://git-wip-us.apache.org/repos/asf/ranger/blob/b07b98c3/security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js b/security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js
index d5bad70..f0e5c1d 100644
--- a/security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js
+++ b/security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js
@@ -662,7 +662,7 @@ define(function(require) {'use strict';
 callback(data);
 },
 ajax: {
- url: "service/xusers/groups",
+ url: "service/xusers/lookup/groups",
 dataType: 'json',
 data: function (term, page) {
 return {name : term};
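Review bot: In the `@@ -221,11` hunk of PermissionList.js the `if(typeGroup){ ... } else { ... }` now has two identical branches, both mapping `data.vXStrings`, so it can be collapsed to a single `results = data.vXStrings.map(function(m){ return {id : _.escape(m.value), text: _.escape(m.value) }; });`. The guard also changed from `data.resultSize` to `data.totalCount`, and the new REST methods copy `totalCount` from the search result while building `vXStrings` from the returned list, so a response with a non-zero total and no `vXStrings` array would make `.map` throw; `if(data.vXStrings && data.vXStrings.length){` tests the value that is actually used. The same guard appears in the `@@ -671,8` and `@@ -725,8` hunks of UserAccessLayout.js. The enclosing function starts and ends outside the hunk.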
@@ -671,8 +671,8 @@ define(function(require) {'use strict';
 var results = [],selectedVals = [];
 if(!_.isEmpty(that.ui.userGroup.val()))
 selectedVals = that.ui.userGroup.val().split(',');
- if(data.resultSize != "0"){
- results = data.vXGroups.map(function(m, i){ return {id : m.name, text: _.escape(m.name) }; });
+ if(data.totalCount != "0"){
+ results = data.vXStrings.map(function(m){ return {id : m.value, text: _.escape(m.value) }; });
 if(!_.isEmpty(selectedVals))
 results = XAUtil.filterResultByIds(results, selectedVals);
 return {results : results};
@@ -716,7 +716,7 @@ define(function(require) {'use strict';
 callback(data);
 },
 ajax: {
- url: "service/xusers/users",
+ url: "service/xusers/lookup/users",
 dataType: 'json',
 data: function (term, page) {
 return {name : term};
@@ -725,8 +725,8 @@ define(function(require) {'use strict';
 var results = [],selectedVals=[];
 if(!_.isEmpty(that.ui.userName.select2('val')))
 selectedVals = that.ui.userName.select2('val');
- if(data.resultSize != "0"){
- results = data.vXUsers.map(function(m, i){ return {id : m.name, text: _.escape(m.name) }; });
+ if(data.totalCount != "0"){
+ results = data.vXStrings.map(function(m){ return {id : m.value, text: _.escape(m.value) }; });
 if(!_.isEmpty(selectedVals))
 results = XAUtil.filterResultByIds(results, selectedVals);
 return {results : results};
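Review bot: Both rewritten `results` mappings in UserAccessLayout.js (the `@@ -671,8` and `@@ -725,8` hunks) keep `id : m.value` unescaped while `text` goes through `_.escape`, whereas PermissionList.js in the same commit escapes both fields. User and group names may originate outside Ranger, so it is worth confirming that the `id` is only ever used as a value and never written into markup, and recording that next to the mapping, e.g. `// id stays raw: used only as the selected value, never rendered`. If that cannot be confirmed, build the `id` the same way PermissionList.js does. The enclosing functions start and end outside these hunks.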