This is an automated email from the ASF dual-hosted git repository. vel pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new 10f4cff RANGER-2758 : Option to create missing users/groups while creating/updating roles 10f4cff is described below commit 10f4cff27b703ffbb18e77ac9bd08d4b61e63813 Author: Dineshkumar Yadav <dineshkumar.ya...@outlook.com> AuthorDate: Mon Mar 16 13:11:49 2020 +0530 RANGER-2758 : Option to create missing users/groups while creating/updating roles Signed-off-by: Velmurugan Periasamy <v...@apache.org> --- .../model/validation/RangerRoleValidator.java | 5 +- .../org/apache/ranger/plugin/store/RoleStore.java | 4 +- .../org/apache/ranger/biz/PolicyRefUpdater.java | 2 +- .../java/org/apache/ranger/biz/RoleDBStore.java | 8 ++-- .../java/org/apache/ranger/biz/RoleRefUpdater.java | 56 ++++++++++++++++++---- .../java/org/apache/ranger/rest/PublicAPIsv2.java | 12 +++-- .../main/java/org/apache/ranger/rest/RoleREST.java | 26 +++++----- 7 files changed, 81 insertions(+), 32 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerRoleValidator.java b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerRoleValidator.java
index bc34598..54ca93f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerRoleValidator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerRoleValidator.java
@@ -172,7 +172,10 @@ public class RangerRoleValidator extends RangerValidator {
 }
 Long id = rangerRole.getId();
- RangerRole existingRangerRole = getRangerRole(id);
+ RangerRole existingRangerRole = null;
+ if (null != id) {
+ existingRangerRole = getRangerRole(id);
+ }
 if (action == Action.CREATE) {
 if (existingRangerRole != null) {
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java
index 7da43d5..22e1e6e 100644
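Review bot: A null id and a lookup miss now both leave existingRangerRole null, so on Action.UPDATE the validator can no longer tell "no id supplied" from "role not found"; the UPDATE branch is outside the hunk, but if it reports the role as missing, a request that simply omits the id gets a misleading failure. Consider recording an explicit validation failure for `action == Action.UPDATE && id == null` before the lookup so the caller sees the real problem. The enclosing method starts and ends outside the hunk.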
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/RoleStore.java
@@ -29,9 +29,9 @@ public interface RoleStore {
 void init() throws Exception;
- RangerRole createRole(RangerRole role) throws Exception;
+ RangerRole createRole(RangerRole role, Boolean createNonExistUserGroup) throws Exception;
- RangerRole updateRole(RangerRole role) throws Exception;
+ RangerRole updateRole(RangerRole role, Boolean createNonExistUserGroup) throws Exception;
 void deleteRole(String roleName) throws Exception;
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
index baacfa4..f978d5d 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java
@@ -311,7 +311,7 @@ public class PolicyRefUpdater {
 xUserMgr.checkAdminAccess();
- RangerRole createdRole= roleStore.createRole(rRole);
+ RangerRole createdRole= roleStore.createRole(rRole, false);
 return createdRole.getId();
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
index 5be8d9d..c4a32e4 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java
@@ -94,7 +94,7 @@ public class RoleDBStore implements RoleStore {
 }
 @Override
- public RangerRole createRole(RangerRole role) throws Exception {
+ public RangerRole createRole(RangerRole role, Boolean createNonExistUserGroup) throws Exception {
 if (LOG.isDebugEnabled()) {
 LOG.debug("==> RoleDBStore.createRole()");
 }
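Review bot: The new parameter is declared as the boxed `Boolean` rather than `boolean` in RoleStore.createRole/updateRole, and the same type is carried through RoleDBStore, RoleRefUpdater.createNewRoleMappingForRefTable and the RoleREST/PublicAPIsv2 signatures; RoleRefUpdater unboxes it in `if (createNonExistUserGroup)`, so any caller that passes null fails with a NullPointerException deep in the ref-table update instead of a clear error. The REST entry points are covered by `@DefaultValue("false")`, but internal callers of the interface are not. Suggest `RangerRole createRole(RangerRole role, boolean createNonExistUserGroup) throws Exception;` (and likewise for updateRole), or at least `Boolean.TRUE.equals(createNonExistUserGroup)` at the point of use. The interface also gains the flag without a Javadoc line; `@param createNonExistUserGroup if true, users and groups named in the role that are unknown to Ranger are created as external principals; if false, such a role is rejected` would document it.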
@@ -112,7 +112,7 @@ public class RoleDBStore implements RoleStore {
 throw new Exception("Cannot create role:[" + role + "]");
 }
- roleRefUpdater.createNewRoleMappingForRefTable(createdRole);
+ roleRefUpdater.createNewRoleMappingForRefTable(createdRole, createNonExistUserGroup);
 List<XXTrxLog> trxLogList = roleService.getTransactionLog(createdRole, null, "create");
 bizUtil.createTrxLog(trxLogList);
@@ -120,7 +120,7 @@ public class RoleDBStore implements RoleStore {
 }
 @Override
- public RangerRole updateRole(RangerRole role) throws Exception {
+ public RangerRole updateRole(RangerRole role, Boolean createNonExistUserGroup) throws Exception {
 XXRole xxRole = daoMgr.getXXRole().findByRoleId(role.getId());
 if (xxRole == null) {
 throw restErrorUtil.createRESTException("role with id: " + role.getId() + " does not exist");
@@ -140,7 +140,7 @@ public class RoleDBStore implements RoleStore {
 throw new Exception("Cannot update role:[" + role + "]");
 }
- roleRefUpdater.createNewRoleMappingForRefTable(updatedRole);
+ roleRefUpdater.createNewRoleMappingForRefTable(updatedRole, createNonExistUserGroup);
 roleService.updatePolicyVersions(updatedRole.getId());
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java b/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java
index 3742bd6..bb68e32 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java
@@ -24,8 +24,11 @@ import java.util.Set;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.common.MessageEnums;
 import org.apache.ranger.common.RESTErrorUtil;
+import org.apache.ranger.common.RangerCommonEnums;
 import org.apache.ranger.db.RangerDaoManager;
 import org.apache.ranger.db.XXRoleRefGroupDao;
 import org.apache.ranger.db.XXRoleRefRoleDao;
@@ -38,11 +41,18 @@ import org.apache.ranger.entity.XXRoleRefUser;
 import org.apache.ranger.entity.XXUser;
 import org.apache.ranger.plugin.model.RangerRole;
 import org.apache.ranger.service.RangerAuditFields;
+import org.apache.ranger.service.XGroupService;
+import org.apache.ranger.service.XUserService;
+import org.apache.ranger.view.VXGroup;
+import org.apache.ranger.view.VXUser;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
+
 @Component
 public class RoleRefUpdater {
+ private static final Log LOG = LogFactory.getLog(RoleRefUpdater.class);
+
 @Autowired
 RangerDaoManager daoMgr;
@@ -52,7 +62,16 @@ public class RoleRefUpdater {
 @Autowired
 RESTErrorUtil restErrorUtil;
- public void createNewRoleMappingForRefTable(RangerRole rangerRole) throws Exception {
+ @Autowired
+ XUserMgr xUserMgr;
+
+ @Autowired
+ XUserService xUserService;
+
+ @Autowired
+ XGroupService xGroupService;
+
+ public void createNewRoleMappingForRefTable(RangerRole rangerRole, Boolean createNonExistUserGroup) throws Exception {
 if (rangerRole == null) {
 return;
 }
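Review bot: createNewRoleMappingForRefTable gains a second parameter but no Javadoc, and that flag turns the method from a pure ref-table writer into one that may create principals, which a reader of the RoleDBStore call sites cannot see. Suggest a Javadoc on the method stating that when `createNonExistUserGroup` is true, users and groups referenced by the role but absent from Ranger are created as external users/groups before the reference rows are written, and that otherwise a missing member raises a REST exception with MessageEnums.INVALID_INPUT_DATA. The method body continues past the end of this hunk.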
@@ -80,18 +99,26 @@ public class RoleRefUpdater {
 if (StringUtils.isBlank(roleUser)) {
 continue;
 }
-
+ VXUser vXUser = null;
 XXUser xUser = daoMgr.getXXUser().findByUserName(roleUser);
 if (xUser == null) {
- throw restErrorUtil.createRESTException("user with name: " + roleUser + " does not exist ",
- MessageEnums.INVALID_INPUT_DATA);
+ if (createNonExistUserGroup) {
+ LOG.warn("User specified in role does not exist in ranger admin, creating new user, User = " + + roleUser);
+ vXUser = xUserMgr.createExternalUser(roleUser);
+ } else {
+ throw restErrorUtil.createRESTException("user with name: " + roleUser + " does not exist ",
+ MessageEnums.INVALID_INPUT_DATA);
+ }
+ }else {
+ vXUser = xUserService.populateViewBean(xUser);
 }
 XXRoleRefUser xRoleRefUser = rangerAuditFields.populateAuditFieldsForCreate(new XXRoleRefUser());
 xRoleRefUser.setRoleId(roleId);
- xRoleRefUser.setUserId(xUser.getId());
+ xRoleRefUser.setUserId(vXUser.getId());
 xRoleRefUser.setUserName(roleUser);
 xRoleRefUser.setUserType(0);
 daoMgr.getXXRoleRefUser().create(xRoleRefUser);
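Review bot: Neither branch checks that `vXUser` is non-null before `xRoleRefUser.setUserId(vXUser.getId())`, so if `xUserMgr.createExternalUser(roleUser)` returns null (its contract is not visible here) the failure is a NullPointerException instead of a REST error; the group hunk below has the same gap after `xUserMgr.createXGroup(vxGroupNew)`. A guard such as `if (vXUser == null) { throw restErrorUtil.createRESTException("user with name: " + roleUser + " could not be created ", MessageEnums.INVALID_INPUT_DATA); }` keeps the error path consistent with the else branch. Separately, with the flag set a role create/update now provisions principals as a side effect and the only record is a LOG.warn; PolicyRefUpdater guards its createRole call with `xUserMgr.checkAdminAccess()`, but whether RoleREST does the same is outside these hunks, so it is worth confirming that the REST path is restricted to admins and that the created user lands in the transaction log rather than only the application log. Also `}else {` should read `} else {` to match the `} else {` a few lines above.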
@@ -104,18 +131,29 @@ public class RoleRefUpdater {
 if (StringUtils.isBlank(roleGroup)) {
 continue;
 }
-
+ VXGroup vXGroup = null;
 XXGroup xGroup = daoMgr.getXXGroup().findByGroupName(roleGroup);
 if (xGroup == null) {
- throw restErrorUtil.createRESTException("group with name: " + roleGroup + " does not exist ",
- MessageEnums.INVALID_INPUT_DATA);
+ if (createNonExistUserGroup) {
+ LOG.warn("Group specified in role does not exist in ranger admin, creating new group, Group = " + + roleGroup);
+ VXGroup vxGroupNew = new VXGroup();
+ vxGroupNew.setName(roleGroup);
+ vxGroupNew.setGroupSource(RangerCommonEnums.GROUP_EXTERNAL);
+ vXGroup = xUserMgr.createXGroup(vxGroupNew);
+ } else {
+ throw restErrorUtil.createRESTException("group with name: " + roleGroup + " does not exist ",
+ MessageEnums.INVALID_INPUT_DATA);
+ }
+ }else {
+ vXGroup = xGroupService.populateViewBean(xGroup);
 }
 XXRoleRefGroup xRoleRefGroup = rangerAuditFields.populateAuditFieldsForCreate(new XXRoleRefGroup());
 xRoleRefGroup.setRoleId(roleId);
- xRoleRefGroup.setGroupId(xGroup.getId());
+ xRoleRefGroup.setGroupId(vXGroup.getId());
 xRoleRefGroup.setGroupName(roleGroup);
 xRoleRefGroup.setGroupType(0);
 daoMgr.getXXRoleRefGroup().create(xRoleRefGroup);
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
index 1a83949..4862442 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
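Review bot: The group branch inlines the construction of an external group (`new VXGroup()`, `setName(roleGroup)`, `setGroupSource(RangerCommonEnums.GROUP_EXTERNAL)`, `createXGroup`) while the user branch delegates to `xUserMgr.createExternalUser(roleUser)`; if XUserMgr has, or can be given, an equivalent `createExternalGroup(String)` helper, using it here keeps the two branches symmetric and puts any later change to how external groups are initialised in one place. The `}else {` spacing and the unchecked null return after createXGroup mirror the user hunk above. The enclosing loop starts before this hunk.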
@@ -561,10 +561,12 @@ public class PublicAPIsv2 {
 @POST
 @Path("/api/roles")
 @Produces({ "application/json", "application/xml" })
- public RangerRole createRole(@QueryParam("serviceName") String serviceName, RangerRole role, @Context HttpServletRequest request) {
+ public RangerRole createRole(@QueryParam("serviceName") String serviceName, RangerRole role
+ , @DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup
+ , @Context HttpServletRequest request) {
 logger.info("==> PublicAPIsv2.createRole");
 RangerRole ret;
- ret = roleREST.createRole(serviceName, role);
+ ret = roleREST.createRole(serviceName, role, createNonExistUserGroup);
 logger.info("<== PublicAPIsv2.createRole" + ret.getName());
 return ret;
 }
@@ -575,8 +577,10 @@ public class PublicAPIsv2 {
 @PUT
 @Path("/api/roles/{id}")
 @Produces({ "application/json", "application/xml" })
- public RangerRole updateRole(@PathParam("id") Long roleId, RangerRole role, @Context HttpServletRequest request) {
- return roleREST.updateRole(roleId, role);
+ public RangerRole updateRole(@PathParam("id") Long roleId, RangerRole role
+ , @DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup
+ , @Context HttpServletRequest request) {
+ return roleREST.updateRole(roleId, role, createNonExistUserGroup);
 }
 @DELETE
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
index d690297..aa031ae 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
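Review bot: The new parameter lists put the comma at the start of the continuation line (`, @DefaultValue("false") ...`, `, @Context HttpServletRequest request) {`), which is not the layout the removed lines used and is not the usual Java style; RoleREST.createRole/updateRole in the next file use the same leading-comma form. Suggest one parameter per line with trailing commas, e.g. `RangerRole role,` / `@DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup,` / `@Context HttpServletRequest request) {`. Since this is the public API surface, the new `createNonExistUserGroup` query parameter also deserves a Javadoc line on both endpoints saying that it defaults to false and, when true, creates unknown users/groups named in the role as external principals.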
@@ -132,7 +132,9 @@ public class RoleREST {
 @POST
 @Path("/roles")
- public RangerRole createRole(@QueryParam("serviceName") String serviceName, RangerRole role) {
+ public RangerRole createRole(@QueryParam("serviceName") String serviceName, RangerRole role
+ , @DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup
+ ) {
 if (LOG.isDebugEnabled()) {
 LOG.debug("==> createRole("+ role + ")");
 }
@@ -147,7 +149,7 @@ public class RoleREST {
 if (containsInvalidMember(role.getUsers())) {
 throw new Exception("Invalid role user(s)");
 }
- ret = roleStore.createRole(role);
+ ret = roleStore.createRole(role, createNonExistUserGroup);
 } catch(WebApplicationException excp) {
 throw excp;
 } catch(Throwable excp) {
@@ -167,8 +169,10 @@ public class RoleREST {
 @PUT
 @Path("/roles/{id}")
- public RangerRole updateRole(@PathParam("id") Long roleId,
- RangerRole role) {
+ public RangerRole updateRole(@PathParam("id") Long roleId
+ , RangerRole role
+ , @DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup
+ ) {
 if (LOG.isDebugEnabled()) {
 LOG.debug("==> updateRole(id=" + roleId +", " + role + ")");
 }
@@ -187,7 +191,7 @@ public class RoleREST {
 if (containsInvalidMember(role.getUsers())) {
 throw new Exception("Invalid role user(s)");
 }
- ret = roleStore.updateRole(role);
+ ret = roleStore.updateRole(role, createNonExistUserGroup);
 } catch(WebApplicationException excp) {
 throw excp;
 } catch(Throwable excp) {
@@ -429,7 +433,7 @@ public class RoleREST {
 role.setUsers(new ArrayList<>(roleUsers));
 role.setGroups(new ArrayList<>(roleGroups));
- role = roleStore.updateRole(role);
+ role = roleStore.updateRole(role,false);
 } catch(WebApplicationException excp) {
 throw excp;
@@ -483,7 +487,7 @@ public class RoleREST {
 }
 }
- role = roleStore.updateRole(role);
+ role = roleStore.updateRole(role, false);
 } catch(WebApplicationException excp) {
 throw excp;
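Review bot: The six internal `roleStore.updateRole(role, false)` calls (the two here and the hunks at -529, -1105, -1162 and -1207 below) repeat a bare `false` whose meaning is invisible at the call site, and the first of them, `role = roleStore.updateRole(role,false);`, drops the space the others have. A `private static final boolean CREATE_NON_EXIST_USER_GROUP = false;` used at each site, or an inline `/* createNonExistUserGroup */ false`, would make the intent readable and the formatting uniform. The debug lines `LOG.debug("==> createRole("+ role + ")")` and its updateRole counterpart also omit the new flag, which is the one input most worth seeing when working out why a role call created a user or group. Both endpoint bodies continue past their hunks.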
@@ -529,7 +533,7 @@ public class RoleREST {
 }
 }
- role = roleStore.updateRole(role);
+ role = roleStore.updateRole(role, false);
 } catch(WebApplicationException excp) {
 throw excp;
@@ -1105,7 +1109,7 @@ public class RoleREST {
 role.setGroups(new ArrayList<>(roleGroups));
 role.setRoles(new ArrayList<>(roleRoles));
- role = roleStore.updateRole(role);
+ role = roleStore.updateRole(role, false);
 } catch(WebApplicationException excp) {
 throw excp;
@@ -1162,7 +1166,7 @@ public class RoleREST {
 }
 }
- role = roleStore.updateRole(role);
+ role = roleStore.updateRole(role, false);
 } catch(WebApplicationException excp) {
 throw excp;
@@ -1207,7 +1211,7 @@ public class RoleREST {
 }
 }
- role = roleStore.updateRole(role);
+ role = roleStore.updateRole(role, false);
 } catch(WebApplicationException excp) {
 throw excp;