This is an automated email from the ASF dual-hosted git repository. mehul pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new cfc0330 RANGER-3259 : [Ranger Audit Filter] Ranger role is allowed to delete, even if its used in audit filters cfc0330 is described below commit cfc033007bcafb1d115825a5c9ed23d4a1a30ee0 Author: Dineshkumar Yadav <dineshkumar.ya...@outlook.com> AuthorDate: Thu Jul 29 11:59:52 2021 +0530 RANGER-3259 : [Ranger Audit Filter] Ranger role is allowed to delete, even if its used in audit filters Signed-off-by: Mehul Parikh <me...@apache.org> --- .../java/org/apache/ranger/biz/RoleDBStore.java | 8 ++ .../java/org/apache/ranger/biz/ServiceDBStore.java | 126 +++++++++++++++++++++ .../main/java/org/apache/ranger/biz/XUserMgr.java | 5 + .../apache/ranger/db/XXServiceConfigMapDao.java | 13 +++ .../main/resources/META-INF/jpa_named_queries.xml | 4 + 5 files changed, 156 insertions(+) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java index df3fabb..13a3d1f 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RoleDBStore.java @@ -30,6 +30,7 @@ import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.authorization.hadoop.config.RangerAdminConfig; +import org.apache.ranger.biz.ServiceDBStore.REMOVE_REF_TYPE; import org.apache.ranger.common.ContextUtil; import org.apache.ranger.common.MessageEnums; import org.apache.ranger.common.RESTErrorUtil; @@ -82,6 +83,9 @@ public class RoleDBStore implements RoleStore { @Autowired RangerTransactionSynchronizationAdapter transactionSynchronizationAdapter; + @Autowired + ServiceDBStore svcStore; + RangerAdminConfig config; private Boolean populateExistingBaseFields = true; 
@@ -197,6 +201,8 @@ public class RoleDBStore implements RoleStore { RangerRole role = roleService.read(xxRole.getId()); roleRefUpdater.cleanupRefTables(role); + // delete role from audit filter configs + svcStore.updateServiceAuditConfig(role.getName(), REMOVE_REF_TYPE.ROLE); roleService.delete(role); List<XXTrxLog> trxLogList = roleService.getTransactionLog(role, null, "delete"); @@ -213,6 +219,8 @@ public class RoleDBStore implements RoleStore { transactionSynchronizationAdapter.executeOnTransactionCommit(roleVersionUpdater); roleRefUpdater.cleanupRefTables(role); + // delete role from audit filter configs + svcStore.updateServiceAuditConfig(role.getName(), REMOVE_REF_TYPE.ROLE); roleService.delete(role); List<XXTrxLog> trxLogList = roleService.getTransactionLog(role, null, "delete"); bizUtil.createTrxLog(trxLogList); diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index a888d91..c5add3a 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -61,6 +61,7 @@ import org.apache.poi.ss.usermodel.Sheet; import org.apache.poi.ss.usermodel.Workbook; import org.apache.ranger.audit.provider.MiscUtil; import org.apache.ranger.authorization.hadoop.config.RangerAdminConfig; +import org.apache.ranger.authorization.utils.JsonUtils; import org.apache.ranger.common.AppConstants; import org.apache.ranger.common.ContextUtil; import org.apache.ranger.common.MessageEnums; 
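Review bot: The new `svcStore.updateServiceAuditConfig(role.getName(), REMOVE_REF_TYPE.ROLE);` line is inserted verbatim into both delete paths of this file (the hunks at -197 and -213), each time between `roleRefUpdater.cleanupRefTables(role);` and `roleService.delete(role);`, so the two paths now carry an identical three-line sequence that a later fix to one can silently miss in the other. A small private helper such as `private void cleanupAndDeleteRole(RangerRole role)` holding those three lines would keep them in step. Running the audit-filter update before `roleService.delete` means a failure in rewriting a service config aborts the role deletion rather than leaving a dangling reference, which is the right direction for an audit setting, but a one-line comment saying that the ordering is deliberate would help. Both enclosing methods start outside these hunks.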
@@ -133,6 +134,7 @@ import org.apache.ranger.entity.XXServiceDef; import org.apache.ranger.entity.XXServiceVersionInfo; import org.apache.ranger.entity.XXTrxLog; import org.apache.ranger.entity.XXUser; +import org.apache.ranger.plugin.model.AuditFilter; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.model.RangerPolicy.RangerDataMaskPolicyItem; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; 
@@ -5799,5 +5801,129 @@ public class ServiceDBStore extends AbstractServiceStore { return ret; } + private List<XXServiceConfigMap> getAuditFiltersServiceConfigByName(String searchUsrGrpRoleName) { + if (LOG.isDebugEnabled()) { + LOG.debug("===> ServiceDBStore.getAuditFiltersServiceConfigByName( searchUsrGrpRoleName : " + + searchUsrGrpRoleName + ")"); + } + List<XXServiceConfigMap> configMapToBeModified = null; + + if (StringUtils.isNotBlank(searchUsrGrpRoleName)) { + configMapToBeModified = new ArrayList<XXServiceConfigMap>(); + XXServiceConfigMapDao configDao = daoMgr.getXXServiceConfigMap(); + List<XXServiceConfigMap> configs = configDao.findByConfigKey(ServiceDBStore.RANGER_PLUGIN_AUDIT_FILTERS); + for (XXServiceConfigMap configMap : configs) { + if (StringUtils.contains(configMap.getConfigvalue(), searchUsrGrpRoleName)) { + configMapToBeModified.add(configMap); + } + } + } + + if (LOG.isDebugEnabled()) { + LOG.debug("<=== ServiceDBStore.getAuditFiltersServiceConfigByName( searchUsrGrpRoleName : " + + searchUsrGrpRoleName + ") configMapToBeModified : " + configMapToBeModified); + } + return configMapToBeModified; + } + + public enum REMOVE_REF_TYPE { USER, GROUP, ROLE } + public void updateServiceAuditConfig(String searchUsrGrpRoleName, REMOVE_REF_TYPE removeRefType) { + if (LOG.isDebugEnabled()) { + LOG.debug("===> ServiceDBStore.updateServiceAuditConfig( searchUsrGrpRoleName : " + searchUsrGrpRoleName + " removeRefType : " + + removeRefType + ")"); + } + List<XXServiceConfigMap> configMapToBeModified = getAuditFiltersServiceConfigByName(searchUsrGrpRoleName); + if (CollectionUtils.isNotEmpty(configMapToBeModified)) { + for (XXServiceConfigMap xConfigMap : configMapToBeModified) { + String jsonStr = xConfigMap.getConfigvalue() != null ? xConfigMap.getConfigvalue() : null; + if (StringUtils.isNotBlank(jsonStr)) { + List<AuditFilter> auditFilters = JsonUtils.jsonToAuditFilterList(jsonStr); + int filterCount = auditFilters != null ? 
auditFilters.size() : 0; + RangerService rangerService = null; + if (filterCount > 0) { + String userName = null; + String groupName = null; + String roleName = null; + if (removeRefType == REMOVE_REF_TYPE.USER) { + userName = searchUsrGrpRoleName; + } else if (removeRefType == REMOVE_REF_TYPE.GROUP) { + groupName = searchUsrGrpRoleName; + } else if (removeRefType == REMOVE_REF_TYPE.ROLE) { + roleName = searchUsrGrpRoleName; + } + removeUserGroupRoleReferences(auditFilters, userName, groupName, roleName); + String updatedJsonStr = JsonUtils.listToJson(auditFilters); + XXService xService = daoMgr.getXXService().getById(xConfigMap.getServiceId()); + rangerService = svcService.getPopulatedViewObject(xService); + Map<String, String> configs = rangerService.getConfigs(); + if (configs.containsKey(ServiceDBStore.RANGER_PLUGIN_AUDIT_FILTERS)) { + updatedJsonStr = StringUtils.isBlank(updatedJsonStr) ? "" + : updatedJsonStr.replaceAll("\"", "'"); + + configs.put(ServiceDBStore.RANGER_PLUGIN_AUDIT_FILTERS, updatedJsonStr); + + try { + LOG.info("==>ServiceDBStore.updateServiceAuditConfig updating audit-filter of service : "+rangerService.getName() +" as part of delete request for : " + searchUsrGrpRoleName); + updateService(rangerService, null); + } catch (Throwable excp) { + LOG.error("updateService(" + rangerService + ") failed", excp); + + throw restErrorUtil.createRESTException(excp.getMessage()); + } + } + } else { + if (LOG.isDebugEnabled()) { + LOG.debug("ServiceDBStore.updateServiceAuditConfig audit filter count is zero "); + } + } + } + } + } else { + if (LOG.isDebugEnabled()) { + LOG.info("ServiceDBStore.updateServiceAuditConfig no service audit filter Config map found for : " + + searchUsrGrpRoleName); + } + } + if (LOG.isDebugEnabled()) { + LOG.debug("<=== ServiceDBStore.updateServiceAuditConfig( searchUsrGrpRoleName : " + searchUsrGrpRoleName + " removeRefType : " + + removeRefType + ")"); + } + } + + private void removeUserGroupRoleReferences(List<AuditFilter> 
auditFilters, String user, String group, String role) { + List<AuditFilter> itemsToRemove = null; + if (LOG.isDebugEnabled()) { + LOG.debug("===> ServiceDBStore.removeUserGroupRoleReferences( user : "+ user + " group : "+ group + " role : " + role + " auditFilters : " + auditFilters +")"); + } + for (AuditFilter auditFilter : auditFilters) { + boolean isAuditFilterModified = false; + if (StringUtils.isNotEmpty(user) && CollectionUtils.isNotEmpty(auditFilter.getUsers())) { + auditFilter.getUsers().remove(user); + isAuditFilterModified = true; + } + if (StringUtils.isNotEmpty(group) && CollectionUtils.isNotEmpty(auditFilter.getGroups())) { + auditFilter.getGroups().remove(group); + isAuditFilterModified = true; + } + if (StringUtils.isNotEmpty(role) && CollectionUtils.isNotEmpty(auditFilter.getRoles())) { + auditFilter.getRoles().remove(role); + isAuditFilterModified = true; + } + if (isAuditFilterModified && CollectionUtils.isEmpty(auditFilter.getUsers()) + && CollectionUtils.isEmpty(auditFilter.getGroups()) + && CollectionUtils.isEmpty(auditFilter.getRoles())) { + if (itemsToRemove == null) { + itemsToRemove = new ArrayList<AuditFilter>(); + } + itemsToRemove.add(auditFilter); + } + } + if (CollectionUtils.isNotEmpty(itemsToRemove)) { + auditFilters.removeAll(itemsToRemove); + } + if (LOG.isDebugEnabled()) { + LOG.debug("<=== ServiceDBStore.removeUserGroupRoleReferences( user : "+ user + " group : "+ group + " role : " + role + " auditFilters : " + auditFilters +")"); + } + } } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index f395225..38b06d1 100755 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 
@@ -33,6 +33,7 @@ import java.util.Set; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.collections.MapUtils; import org.apache.commons.lang.StringUtils; +import org.apache.ranger.biz.ServiceDBStore.REMOVE_REF_TYPE; import org.apache.ranger.common.*; import org.apache.ranger.entity.XXGroupPermission; import org.apache.ranger.entity.XXModuleDef; @@ -2153,6 +2154,8 @@ public class XUserMgr extends XUserMgrBase { } } } + //delete group from audit filter configs + svcStore.updateServiceAuditConfig(vXGroup.getName(), REMOVE_REF_TYPE.GROUP); //delete XXGroup xXGroupDao.remove(id); //Create XXTrxLog @@ -2345,6 +2348,8 @@ public class XUserMgr extends XUserMgrBase { throw restErrorUtil.createRESTException(excp.getMessage()); } } + //delete user from audit filter configs + svcStore.updateServiceAuditConfig(vXUser.getName(), REMOVE_REF_TYPE.USER); //delete XXUser entry of user xXUserDao.remove(id); //delete XXPortal entry of user diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java index 00d1a32..b99a7df 100644 --- a/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java +++ b/security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java @@ -116,4 +116,17 @@ public class XXServiceConfigMapDao extends BaseDao<XXServiceConfigMap> { return Collections.emptyList(); } } + + public List<XXServiceConfigMap> findByConfigKey(String configKey) { + if(configKey == null) { + return Collections.emptyList(); + } + try { + return getEntityManager() + .createNamedQuery("XXServiceConfigMap.findByConfigKey", tClass) + .setParameter("configKey", configKey).getResultList(); + } catch (NoResultException e) { + return Collections.emptyList(); + } + } } 
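Review bot: The `catch (NoResultException e)` in the new `findByConfigKey` is unreachable: `getResultList()` returns an empty list when nothing matches, and only `getSingleResult()` throws `NoResultException`, so the handler never runs and suggests a no-match case that does not exist. It copies the shape of the finder just above it, so keeping it is a consistency choice; if kept, a comment such as `// getResultList() never throws NoResultException; kept for symmetry with the other finders` would save the next reader the check. The early `return Collections.emptyList()` for a null `configKey` is reasonable since the named query binds the value as a parameter.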
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml index 3ef8ba3..8eff336 100755 --- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml +++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml @@ -497,6 +497,10 @@ <query>select obj from XXServiceConfigMap obj where obj.serviceId = :serviceId</query> </named-query> + <named-query name="XXServiceConfigMap.findByConfigKey"> + <query>select obj from XXServiceConfigMap obj where obj.configKey = :configKey</query> + </named-query> + <named-query name="XXServiceConfigMap.findByServiceAndConfigKey"> <query>select obj from XXServiceConfigMap obj where obj.serviceId = :serviceId and obj.configKey = :configKey</query>