This is an automated email from the ASF dual-hosted git repository. spolavarapu pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new 30e1c9f RANGER-3285: Fix missing updates to sync source during upgrades 30e1c9f is described below commit 30e1c9f671c161cfc419224771d6ec35fccfd92c Author: Abhishek Kumar <abhishekkumar100...@gmail.com> AuthorDate: Fri Sep 17 17:18:26 2021 -0700 RANGER-3285: Fix missing updates to sync source during upgrades Signed-off-by: Sailaja Polavarapu <spolavar...@cloudera.com> --- .../process/PolicyMgrUserGroupBuilder.java | 167 +++++++++++++-------- 1 file changed, 107 insertions(+), 60 deletions(-) diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java index ff513aa..6044504 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java @@ -139,6 +139,7 @@ public class PolicyMgrUserGroupBuilder extends AbstractUserGroupSource implement private String authenticationType = null; String principal; String keytab; + String policyMgrUserName; String nameRules; Map<String, String> userMap = new LinkedHashMap<String, String>(); Map<String, String> groupMap = new LinkedHashMap<>(); @@ -219,10 +220,11 @@ public class PolicyMgrUserGroupBuilder extends AbstractUserGroupSource implement // do nothing } keytab = config.getProperty(KEYTAB,""); + policyMgrUserName = config.getPolicyMgrUserName(); nameRules = config.getProperty(NAME_RULE,"DEFAULT"); ldapUgSyncClient = new RangerUgSyncRESTClient(policyMgrBaseUrl, keyStoreFile, keyStoreFilepwd, keyStoreType, trustStoreFile, trustStoreFilepwd, trustStoreType, authenticationType, principal, keytab, - config.getPolicyMgrUserName(), config.getPolicyMgrPassword()); + policyMgrUserName, config.getPolicyMgrPassword()); String userGroupRoles = config.getGroupRoleRules(); if (userGroupRoles != null && !userGroupRoles.isEmpty()) { @@ -606,44 +608,63 @@ public class PolicyMgrUserGroupBuilder extends AbstractUserGroupSource implement Gson gson = new Gson(); for (String groupDN : sourceGroups.keySet()) { Map<String, String> newGroupAttrs = sourceGroups.get(groupDN); - String newGroupAttrsStr = gson.toJson(newGroupAttrs); - String groupName = groupNameMap.get(groupDN); + String newGroupAttrsStr = gson.toJson(newGroupAttrs); + String groupName = groupNameMap.get(groupDN); if (StringUtils.isEmpty(groupName)) { groupName = groupNameTransform(newGroupAttrs.get(UgsyncCommonConstants.ORIGINAL_NAME).trim()); } + if (!isValidString(groupName)) { LOG.warn("Ignoring invalid group " + groupName + " Full name = " + groupDN); + continue; + } + + if (!groupCache.containsKey(groupName)) { + XGroupInfo newGroup = addXGroupInfo(groupName, newGroupAttrs, newGroupAttrsStr); + deltaGroups.put(groupName, newGroup); + noOfNewGroups++; + groupNameMap.put(groupDN, groupName); } else { - if (!groupCache.containsKey(groupName)) { - XGroupInfo newGroup = addXGroupInfo(groupName, newGroupAttrs, newGroupAttrsStr); - deltaGroups.put(groupName, newGroup); - noOfNewGroups++; - groupNameMap.put(groupDN, groupName); - } else { - XGroupInfo oldGroup = groupCache.get(groupName); - String oldGroupAttrsStr = oldGroup.getOtherAttributes(); - if (!StringUtils.equalsIgnoreCase(oldGroupAttrsStr, newGroupAttrsStr)) { - Map<String, String> oldGroupAttrs = oldGroup.getOtherAttrsMap(); - String oldGroupDN = oldGroupAttrs != null ? oldGroupAttrs.get(UgsyncCommonConstants.FULL_NAME) : groupName; - if (oldGroupAttrs == null || (StringUtils.equalsIgnoreCase(groupDN, oldGroupDN) - && (StringUtils.isEmpty(oldGroupAttrs.get(UgsyncCommonConstants.SYNC_SOURCE)) - || StringUtils.equalsIgnoreCase(oldGroupAttrs.get(UgsyncCommonConstants.SYNC_SOURCE), - newGroupAttrs.get(UgsyncCommonConstants.SYNC_SOURCE))))) { - oldGroup.setOtherAttributes(newGroupAttrsStr); - oldGroup.setSyncSource(newGroupAttrs.get(UgsyncCommonConstants.SYNC_SOURCE)); - oldGroup.setOtherAttrsMap(newGroupAttrs); - deltaGroups.put(groupName, oldGroup); - noOfModifiedGroups++; - groupNameMap.put(groupDN, groupName); + XGroupInfo oldGroup = groupCache.get(groupName); + String oldSyncSource = oldGroup.getSyncSource(); + String oldGroupAttrsStr = oldGroup.getOtherAttributes(); + Map<String, String> oldGroupAttrs = oldGroup.getOtherAttrsMap(); + String oldGroupDN = MapUtils.isEmpty(oldGroupAttrs) ? groupName : oldGroupAttrs.get(UgsyncCommonConstants.FULL_NAME); + String newSyncSource = newGroupAttrs.get(UgsyncCommonConstants.SYNC_SOURCE); + + if (MapUtils.isNotEmpty(oldGroupAttrs) && !StringUtils.equalsIgnoreCase(groupDN, oldGroupDN)) { // don't update + if (LOG.isDebugEnabled()) { + LOG.debug("Skipping update for " + groupName + " as same group with different DN already exists"); + LOG.debug("old group DN = " + oldGroupDN + " and new group DN = " + groupDN); + } + + if (StringUtils.equalsIgnoreCase(oldGroupAttrsStr, newGroupAttrsStr)) { + groupNameMap.put(groupDN, groupName); + } + continue; + } + + if (StringUtils.isEmpty(oldSyncSource) || (!StringUtils.equalsIgnoreCase(oldGroupAttrsStr, newGroupAttrsStr) && StringUtils.equalsIgnoreCase(oldSyncSource, newSyncSource))) { // update + if (LOG.isDebugEnabled()) { + if (StringUtils.isEmpty(oldSyncSource)) { + LOG.debug("Sync Source has changed to " + newSyncSource); } else { - if (LOG.isDebugEnabled()) { - LOG.debug("Skipping to update " + groupName + " as same group name with different DN or sync source already exists"); - LOG.debug("old group DN = " + oldGroupDN + " and new group DN = " + groupDN); - } + LOG.debug("Other Attributes changed"); } - } else { - groupNameMap.put(groupDN, groupName); + LOG.debug("Updating " + groupName + " ..."); } + oldGroup.setOtherAttributes(newGroupAttrsStr); + oldGroup.setSyncSource(newSyncSource); + oldGroup.setOtherAttrsMap(newGroupAttrs); + deltaGroups.put(groupName, oldGroup); + noOfModifiedGroups++; + groupNameMap.put(groupDN, groupName); + } else if (LOG.isDebugEnabled()) { + LOG.debug("Skipping update for " + groupName + " as same group with different sync source already exists"); + } + + if (StringUtils.equalsIgnoreCase(oldGroupAttrsStr, newGroupAttrsStr)) { + groupNameMap.put(groupDN, groupName); } } } @@ -662,46 +683,72 @@ public class PolicyMgrUserGroupBuilder extends AbstractUserGroupSource implement Gson gson = new Gson(); for (String userDN : sourceUsers.keySet()) { Map<String, String> newUserAttrs = sourceUsers.get(userDN); - String newUserAttrsStr = gson.toJson(newUserAttrs); - String userName = userNameMap.get(userDN); + String newUserAttrsStr = gson.toJson(newUserAttrs); + String userName = userNameMap.get(userDN); if (StringUtils.isEmpty(userName)) { userName = userNameTransform(newUserAttrs.get(UgsyncCommonConstants.ORIGINAL_NAME).trim()); } + if (!isValidString(userName)) { LOG.warn("Ignoring invalid user " + userName + " Full name = " + userDN); + continue; + } + + if (!userCache.containsKey(userName)) { + XUserInfo newUser = addXUserInfo(userName, newUserAttrs, newUserAttrsStr); + deltaUsers.put(userName, newUser); + noOfNewUsers++; + userNameMap.put(userDN, userName); } else { - if (!userCache.containsKey(userName)) { + // no updates allowed for rangerusersync and admin + if (StringUtils.equalsIgnoreCase(policyMgrUserName, userName) || StringUtils.equalsIgnoreCase("admin", userName)) { + if (LOG.isDebugEnabled()) { + LOG.debug("Skipping update for " + userName); + } + continue; + } - XUserInfo newUser = addXUserInfo(userName, newUserAttrs, newUserAttrsStr); - deltaUsers.put(userName, newUser); - noOfNewUsers++; - userNameMap.put(userDN, userName); - } else { - XUserInfo oldUser = userCache.get(userName); - String oldUserAttrsStr = oldUser.getOtherAttributes(); - if (!StringUtils.equalsIgnoreCase(oldUserAttrsStr, newUserAttrsStr)) { - Map<String, String> oldUserAttrs = oldUser.getOtherAttrsMap(); - String oldUserDN = oldUserAttrs != null ? oldUserAttrs.get(UgsyncCommonConstants.FULL_NAME) : userName; - if (oldUserAttrs == null || (StringUtils.equalsIgnoreCase(userDN, oldUserDN) - && (StringUtils.isEmpty(oldUserAttrs.get(UgsyncCommonConstants.SYNC_SOURCE)) - || StringUtils.equalsIgnoreCase(oldUserAttrs.get(UgsyncCommonConstants.SYNC_SOURCE), - newUserAttrs.get(UgsyncCommonConstants.SYNC_SOURCE))))) { - oldUser.setOtherAttributes(newUserAttrsStr); - oldUser.setSyncSource(newUserAttrs.get(UgsyncCommonConstants.SYNC_SOURCE)); - oldUser.setOtherAttrsMap(newUserAttrs); - oldUser.setUserSource(SOURCE_EXTERNAL); - deltaUsers.put(userName, oldUser); - noOfModifiedUsers++; - userNameMap.put(userDN, userName); + XUserInfo oldUser = userCache.get(userName); + String oldSyncSource = oldUser.getSyncSource(); + String oldUserAttrsStr = oldUser.getOtherAttributes(); + Map<String, String> oldUserAttrs = oldUser.getOtherAttrsMap(); + String oldUserDN = MapUtils.isEmpty(oldUserAttrs) ? userName : oldUserAttrs.get(UgsyncCommonConstants.FULL_NAME); + String newSyncSource = newUserAttrs.get(UgsyncCommonConstants.SYNC_SOURCE); + + if (MapUtils.isNotEmpty(oldUserAttrs) && !StringUtils.equalsIgnoreCase(userDN, oldUserDN)){ // don't update + if (LOG.isDebugEnabled()) { + LOG.debug("Skipping update for " + userName + " as same username with different DN already exists"); + LOG.debug("old user DN = " + oldUserDN + " and new user DN = " + userDN); + } + + if (StringUtils.equalsIgnoreCase(oldUserAttrsStr, newUserAttrsStr)) { + userNameMap.put(userDN, userName); + } + continue; + } + + if (StringUtils.isEmpty(oldSyncSource) || (!StringUtils.equalsIgnoreCase(oldUserAttrsStr, newUserAttrsStr) && StringUtils.equalsIgnoreCase(oldSyncSource, newSyncSource))) { // update + if (LOG.isDebugEnabled()) { + if (StringUtils.isEmpty(oldSyncSource)) { + LOG.debug("Sync Source has changed to " + newSyncSource); } else { - if (LOG.isDebugEnabled()) { - LOG.debug("Skipping to update " + userName + " as same username with different DN or sync source already exists"); - LOG.debug("old user DN = " + oldUserDN + " and new user DN = " + userDN); - } + LOG.debug("Other Attributes changed"); } - } else { - userNameMap.put(userDN, userName); + LOG.debug("Updating " + userName + " ..."); } + oldUser.setOtherAttributes(newUserAttrsStr); + oldUser.setSyncSource(newSyncSource); + oldUser.setOtherAttrsMap(newUserAttrs); + oldUser.setUserSource(SOURCE_EXTERNAL); + deltaUsers.put(userName, oldUser); + noOfModifiedUsers++; + userNameMap.put(userDN, userName); + } else if (LOG.isDebugEnabled()) { + LOG.debug("Skipping to update " + userName + " as same username with different sync source already exists"); + } + + if (StringUtils.equalsIgnoreCase(oldUserAttrsStr, newUserAttrsStr)) { + userNameMap.put(userDN, userName); } } }