This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new df07b0d RANGER-3562: Redesign post commit tasks for updating ref-tables when policy/role is updated df07b0d is described below commit df07b0da94dced97e6022b1d0d243c8b2e358803 Author: Abhay Kulkarni <ab...@apache.org> AuthorDate: Mon Jan 3 18:38:55 2022 -0800 RANGER-3562: Redesign post commit tasks for updating ref-tables when policy/role is updated --- .../main/java/org/apache/ranger/biz/AssetMgr.java | 18 +- .../org/apache/ranger/biz/PolicyRefUpdater.java | 474 ++++++++++----------- .../java/org/apache/ranger/biz/RoleRefUpdater.java | 395 +++++++++-------- .../ranger/service/RangerPluginActivityLogger.java | 15 +- .../service/TestRangerPluginActivityLogger.java | 3 +- 5 files changed, 436 insertions(+), 469 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java index 36f137e..08255b3 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java @@ -48,6 +48,7 @@ import org.apache.ranger.common.RangerCommonEnums; import org.apache.ranger.common.RangerConstants; import org.apache.ranger.common.SearchCriteria; import org.apache.ranger.common.StringUtil; +import org.apache.ranger.common.db.RangerTransactionSynchronizationAdapter; import org.apache.ranger.db.RangerDaoManager; import org.apache.ranger.elasticsearch.ElasticSearchAccessAuditsService; import org.apache.ranger.entity.XXPermMap; @@ -121,7 +122,7 @@ public class AssetMgr extends AssetMgrBase { XPolicyService xPolicyService; @Autowired - RangerPluginActivityLogger activityLogger; + RangerTransactionSynchronizationAdapter transactionSynchronizationAdapter; @Autowired RangerPluginInfoService pluginInfoService; 
@@ -663,7 +664,7 @@ public class AssetMgr extends AssetMgrBase { } }; - activityLogger.commitAfterTransactionComplete(commitWork); + transactionSynchronizationAdapter.executeOnTransactionCompletion(commitWork); } } else { ret = rangerDaoManager.getXXPolicyExportAudit().create(xXPolicyExportAudit); @@ -733,6 +734,7 @@ public class AssetMgr extends AssetMgrBase { } final boolean isTagVersionResetNeeded; + final Runnable commitWork; if (httpCode == HttpServletResponse.SC_NOT_MODIFIED) { // Create or update PluginInfo record after transaction is completed. If it is created in-line here @@ -757,15 +759,13 @@ public class AssetMgr extends AssetMgrBase { break; } - Runnable commitWork = new Runnable() { + commitWork = new Runnable() { @Override public void run() { doCreateOrUpdateXXPluginInfo(pluginInfo, entityType, isTagVersionResetNeeded, clusterName); } }; - activityLogger.commitAfterTransactionComplete(commitWork); } else if (httpCode == HttpServletResponse.SC_NOT_FOUND) { - Runnable commitWork; if ((isPolicyDownloadRequest(entityType) && (pluginInfo.getPolicyActiveVersion() == null || pluginInfo.getPolicyActiveVersion() == -1)) || (isTagDownloadRequest(entityType) && (pluginInfo.getTagActiveVersion() == null || pluginInfo.getTagActiveVersion() == -1)) || (isRoleDownloadRequest(entityType) && (pluginInfo.getRoleActiveVersion() == null || pluginInfo.getRoleActiveVersion() == -1)) 
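Review bot: `final Runnable commitWork;` is now declared up-front and assigned on three separate paths, one of which sets it to null, but nothing at the declaration says what null means; a one-line comment there saves the reader a trip through the branches: `// plugin-info work deferred to transaction completion; null when the record is written in-line below`. The `if (httpCode == ...)` chain this hunk opens continues past the hunk, so the null assignment and the deferred registration are only visible further down.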
@@ -784,12 +784,16 @@ public class AssetMgr extends AssetMgrBase { } }; } - activityLogger.commitAfterTransactionComplete(commitWork); - } else { isTagVersionResetNeeded = false; + commitWork = null; doCreateOrUpdateXXPluginInfo(pluginInfo, entityType, isTagVersionResetNeeded, clusterName); } + + if (commitWork != null) { + transactionSynchronizationAdapter.executeOnTransactionCompletion(commitWork); + } + if (logger.isDebugEnabled()) { logger.debug("<== createOrUpdatePluginInfo(pluginInfo = " + pluginInfo + ", isPolicyDownloadRequest = " + isPolicyDownloadRequest(entityType) + ", httpCode = " + httpCode + ")"); } diff --git a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java index 4452676..f8f0ee9 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java @@ -23,8 +23,6 @@ import java.util.HashSet; import java.util.List; import java.util.Set; -import javax.servlet.http.HttpServletResponse; - import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; 
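Review bot: The deferred `commitWork` is registered with `executeOnTransactionCompletion`, while the same commit registers the `PolicyRefUpdater` associators with `executeOnTransactionCommit`; if the completion variant also fires after a rollback (the adapter is not in this diff, so this is inferred from the name), `doCreateOrUpdateXXPluginInfo` writes a plugin-info row even for a request whose transaction was rolled back. If that is intended, as the existing comment about creating the record after the transaction completes suggests, say so next to the guard so nobody "fixes" it later: `// intentionally on completion, not only on commit -- confirm the adapter's rollback behaviour`. The method ends inside this hunk, so the `if (commitWork != null)` guard is the last statement before the debug log.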
@@ -58,21 +56,23 @@ import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemCondition; import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemDataMaskInfo; import org.apache.ranger.plugin.model.RangerRole; import org.apache.ranger.service.RangerAuditFields; -import org.apache.ranger.service.RangerTransactionService; import org.apache.ranger.service.XGroupService; -import org.apache.ranger.service.XUserService; import org.apache.ranger.view.VXGroup; import org.apache.ranger.view.VXResponse; import org.apache.ranger.view.VXUser; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; +import javax.servlet.http.HttpServletResponse; + @Component public class PolicyRefUpdater { private static final Log LOG = LogFactory.getLog(PolicyRefUpdater.class); + public enum PRINCIPAL_TYPE { USER, GROUP, ROLE } + @Autowired RangerDaoManager daoMgr; @@ -82,12 +82,8 @@ public class PolicyRefUpdater { @Autowired XUserMgr xUserMgr; - @Autowired - XUserService xUserService; - - @Autowired - RoleDBStore roleStore; + RoleDBStore roleStore; @Autowired RangerBizUtil rangerBizUtil; @@ -99,9 +95,6 @@ public class PolicyRefUpdater { RangerTransactionSynchronizationAdapter rangerTransactionSynchronizationAdapter; @Autowired - RangerTransactionService transactionService; - - @Autowired RESTErrorUtil restErrorUtil; public void createNewPolMappingForRefTable(RangerPolicy policy, XXPolicy xPolicy, XXServiceDef xServiceDef) throws Exception { 
@@ -175,28 +168,28 @@ public class PolicyRefUpdater { } daoMgr.getXXPolicyRefResource().batchCreate(xPolResources); + final boolean isAdmin = rangerBizUtil.checkAdminAccess(); + List<XXPolicyRefRole> xPolRoles = new ArrayList<>(); for (String role : roleNames) { if (StringUtils.isBlank(role)) { continue; } - - XXRole xRole = daoMgr.getXXRole().findByRoleName(role); - Long roleId = null; - if (xRole != null) { - roleId = xRole.getId(); - } - else { - RangerBizUtil.setBulkMode(false); - roleId = createRoleForPolicy(role); + PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.ROLE, role, xPolicy); + if (associator.doAssociate(false)) { + if (LOG.isDebugEnabled()) { + LOG.debug("Role name: " + role + " specified in policy does not exist in ranger admin."); + } + } else { + if (isAdmin) { + rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator); + } else { + VXResponse gjResponse = new VXResponse(); + gjResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST); + gjResponse.setMsgDesc("Operation denied. Role name: " + role + " specified in policy does not exist in ranger admin."); + throw restErrorUtil.generateRESTException(gjResponse); + } } - XXPolicyRefRole xPolRole = rangerAuditFields.populateAuditFields(new XXPolicyRefRole(), xPolicy); - - xPolRole.setPolicyId(policy.getId()); - xPolRole.setRoleId(roleId); - xPolRole.setRoleName(role); - - xPolRoles.add(xPolRole); } RangerBizUtil.setBulkMode(oldBulkMode); daoMgr.getXXPolicyRefRole().batchCreate(xPolRoles); 
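Review bot: The debug message in the `if (associator.doAssociate(false))` branch is inverted: `doAssociate` returns true only when `createOrGetPrincipal` found the role and the ref row was written, so "Role name: ... does not exist in ranger admin" is logged exactly when the role does exist. `LOG.debug("Role name: " + role + " exists; associated with policy id:[" + xPolicy.getId() + "]");` describes the branch it sits in. `xPolRoles` is no longer populated anywhere in the loop, so the `batchCreate(xPolRoles)` after it inserts nothing and can be removed together with the list. The `RangerBizUtil.setBulkMode(oldBulkMode)` restore has also lost its counterpart: the `setBulkMode(false)` moved into the associator's ROLE branch, which runs post-commit and does not restore the previous value.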
@@ -206,19 +199,18 @@ public class PolicyRefUpdater { continue; } - XXGroup xGroup = daoMgr.getXXGroup().findByGroupName(group); - Long groupId = null; - if (xGroup != null) { - groupId = xGroup.getId(); - groupPolicyAssociation(xPolicy,groupId,group ); - } - else { - if(rangerBizUtil.checkAdminAccess()) { - createGroupForPolicy(group, xPolicy); - }else { + PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.GROUP, group, xPolicy); + if (associator.doAssociate(false)) { + if (LOG.isDebugEnabled()) { + LOG.debug("Group name: " + group + " specified in policy does not exist in ranger admin."); + } + } else { + if (isAdmin) { + rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator); + } else { VXResponse gjResponse = new VXResponse(); gjResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST); - gjResponse.setMsgDesc("Operation denied. Group name: "+group + " specified in policy does not exist in ranger admin."); + gjResponse.setMsgDesc("Operation denied. Group name: " + group + " specified in policy does not exist in ranger admin."); throw restErrorUtil.generateRESTException(gjResponse); } } 
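Review bot: The debug in the `if (associator.doAssociate(false))` branch runs on the success path (group found, `XXPolicyRefGroup` row written) yet logs "Group name: ... does not exist in ranger admin"; `LOG.debug("Group name: " + group + " exists; associated with policy id:[" + xPolicy.getId() + "]");` says what actually happened. The `isAdmin` this hunk relies on is computed once before the role loop, above this hunk, which is fine as long as `checkAdminAccess()` depends only on the request context and not on state the loops change. The group loop header is outside the hunk.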
@@ -228,24 +220,21 @@ public class PolicyRefUpdater { if (StringUtils.isBlank(user)) { continue; } - - XXUser xUser = daoMgr.getXXUser().findByUserName(user); - Long userId = null; - if(xUser != null){ - userId = xUser.getId(); - userPolicyAssociation(xPolicy,userId, user ); - } - else { - if(rangerBizUtil.checkAdminAccess()) { - createUserForPolicy(user,xPolicy); - }else { + PolicyPrincipalAssociator associator = new PolicyPrincipalAssociator(PRINCIPAL_TYPE.USER, user, xPolicy); + if (associator.doAssociate(false)) { + if (LOG.isDebugEnabled()) { + LOG.debug("User name: " + user + " specified in policy does not exist in ranger admin."); + } + } else { + if (isAdmin) { + rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator); + } else { VXResponse gjResponse = new VXResponse(); gjResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST); - gjResponse.setMsgDesc("Operation denied. User name: "+user + " specified in policy does not exist in ranger admin."); + gjResponse.setMsgDesc("Operation denied. User name: " + user + " specified in policy does not exist in ranger admin."); throw restErrorUtil.generateRESTException(gjResponse); } } - } List<XXPolicyRefAccessType> xPolAccesses = new ArrayList<>(); 
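Review bot: As with the other principal loops, the success-path debug is inverted: `doAssociate(false)` returns true only when the user was found and associated, so "User name: ... does not exist in ranger admin" is logged for users that do exist; `LOG.debug("User name: " + user + " exists; associated with policy id:[" + xPolicy.getId() + "]");` fits the branch. For admin callers the creation of an unknown user is now deferred to a post-commit hook, so a failure there can no longer turn into an error response for this request; the note about that belongs on the associator, but the call site deserves a comment such as `// creation deferred to after commit; failures are logged, not reported to the caller`. The user loop header is above this hunk.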
@@ -303,51 +292,204 @@ public class PolicyRefUpdater { daoMgr.getXXPolicyRefDataMaskType().batchCreate(xxDataMaskInfos); } - private void createUserForPolicy(String user, XXPolicy xPolicy) { - LOG.warn("User specified in policy does not exist in ranger admin, creating new user, User = " + user); - final PolicyUserCreateContext policyUserCreateContext = new PolicyUserCreateContext(user, xPolicy); - Runnable createAndAssociateUser = new Runnable () { - @Override - public void run() { - doCreateAndAssociatePolicyUser(policyUserCreateContext); + private class PolicyPrincipalAssociator implements Runnable { + final PRINCIPAL_TYPE type; + final String name; + final XXPolicy xPolicy; + + public PolicyPrincipalAssociator(PRINCIPAL_TYPE type, String name, XXPolicy xPolicy) { + this.type = type; + this.name = name; + this.xPolicy = xPolicy; + } + + @Override + public void run() { + if (doAssociate(true)) { + if (LOG.isDebugEnabled()) { + LOG.debug("Associated " + type.name() + ":" + name + " with policy id:[" + xPolicy.getId() + "]"); + } + } else { + throw new RuntimeException("Failed to associate " + type.name() + ":" + name + " with policy id:[" + xPolicy.getId() + "]"); } - }; - rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(createAndAssociateUser); - } + } - private void createGroupForPolicy(String group, XXPolicy xPolicy) { - LOG.warn("Group specified in policy does not exist in ranger admin, creating new group, Group = " + group); - VXGroup vxGroup = new VXGroup(); - vxGroup.setName(group); - vxGroup.setDescription(group); - vxGroup.setGroupSource(RangerCommonEnums.GROUP_EXTERNAL); - final PolicyGroupCreateContext policyGroupCreateContext = new PolicyGroupCreateContext(vxGroup, xPolicy); - Runnable createAndAssociatePolicyGroup = new Runnable() { - @Override - public void run() { - doCreateAndAssociatePolicyGroup(policyGroupCreateContext); + boolean doAssociate(boolean isAdmin) { + if (LOG.isDebugEnabled()) { + LOG.debug("===> 
PolicyPrincipalAssociator.doAssociate(" + isAdmin + ")"); } - }; - rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(createAndAssociatePolicyGroup); + final boolean ret; - } + Long id = createOrGetPrincipal(isAdmin); + if (id != null) { + // associate with policy + createPolicyAssociation(id, name); + ret = true; + } else { + ret = false; + } - private Long createRoleForPolicy(String role) throws Exception { - LOG.warn("Role specified in policy does not exist in ranger admin, creating new role = " + role); - - if (rangerBizUtil.checkAdminAccess()) { - RangerRole rRole = new RangerRole(role, null, null, null, null); - RangerRole createdRole = roleStore.createRole(rRole, false); - return createdRole.getId(); - } else { - VXResponse gjResponse = new VXResponse(); - gjResponse.setStatusCode(HttpServletResponse.SC_BAD_REQUEST); - gjResponse.setMsgDesc( - "Operation denied. Role name: " + role + " specified in policy does not exist in ranger admin."); - throw restErrorUtil.generateRESTException(gjResponse); + if (LOG.isDebugEnabled()) { + LOG.debug("<=== PolicyPrincipalAssociator.doAssociate(" + isAdmin + ") : " + ret); + } + return ret; + } + + private Long createOrGetPrincipal(final boolean createIfAbsent) { + if (LOG.isDebugEnabled()) { + LOG.debug("===> PolicyPrincipalAssociator.createOrGetPrincipal(" + createIfAbsent + ")"); + } + + Long ret = null; + + switch (type) { + case USER: { + XXUser xUser = daoMgr.getXXUser().findByUserName(name); + if (xUser != null) { + ret = xUser.getId(); + } else { + if (createIfAbsent) { + ret = createPrincipal(name); + } + } + } + break; + case GROUP: { + XXGroup xGroup = daoMgr.getXXGroup().findByGroupName(name); + + if (xGroup != null) { + ret = xGroup.getId(); + } else { + if (createIfAbsent) { + ret = createPrincipal(name); + } + } + } + break; + case ROLE: { + XXRole xRole = daoMgr.getXXRole().findByRoleName(name); + if (xRole != null) { + ret = xRole.getId(); + } else { + if (createIfAbsent) { + 
RangerBizUtil.setBulkMode(false); + ret = createPrincipal(name); + } + } + } + break; + default: + break; + } + if (LOG.isDebugEnabled()) { + LOG.debug("<=== PolicyPrincipalAssociator.createOrGetPrincipal(" + createIfAbsent + ") : " + ret); + } + return ret; } - } + private Long createPrincipal(String user) { + LOG.warn("User specified in policy does not exist in ranger admin, creating new user, Type: " + type.name() + ", name = " + user); + + if (LOG.isDebugEnabled()) { + LOG.debug("===> PolicyPrincipalAssociator.createPrincipal(type=" + type.name() +", name=" + name + ")"); + } + + Long ret = null; + + switch (type) { + case USER: { + // Create External user + VXUser vXUser = xUserMgr.createServiceConfigUser(name); + if (vXUser != null) { + XXUser xUser = daoMgr.getXXUser().findByUserName(name); + + if (xUser == null) { + LOG.error("No User created!! Irrecoverable error! [" + name + "]"); + } else { + ret = xUser.getId(); + } + } else { + LOG.error("serviceConfigUser:[" + name + "] creation failed"); + } + } + break; + case GROUP: { + // Create group + VXGroup vxGroup = new VXGroup(); + vxGroup.setName(name); + vxGroup.setDescription(name); + vxGroup.setGroupSource(RangerCommonEnums.GROUP_EXTERNAL); + VXGroup vXGroup = xGroupService.createXGroupWithOutLogin(vxGroup); + if (vXGroup != null) { + List<XXTrxLog> trxLogList = xGroupService.getTransactionLog(vXGroup, "create"); + for (XXTrxLog xTrxLog : trxLogList) { + xTrxLog.setAddedByUserId(xPolicy.getAddedByUserId()); + xTrxLog.setUpdatedByUserId(xPolicy.getAddedByUserId()); + } + rangerBizUtil.createTrxLog(trxLogList); + ret = vXGroup.getId(); + } + } + break; + case ROLE: { + try { + RangerRole rRole = new RangerRole(name, null, null, null, null); + RangerRole createdRole = roleStore.createRole(rRole, false); + ret = createdRole.getId(); + } catch (Exception e) { + // Ignore + } + } + break; + default: + break; + } + if (LOG.isDebugEnabled()) { + LOG.debug("<=== PolicyPrincipalAssociator.createPrincipal(type=" + 
type.name() + ", name=" + name + ") : " + ret); + } + return ret; + } + + private void createPolicyAssociation(Long id, String name) { + if(LOG.isDebugEnabled()) { + LOG.debug("===> PolicyPrincipalAssociator.createPolicyAssociation(policyId=" + xPolicy.getId() + ", type=" + type.name() + ", name=" + name + ", id=" + id + ")"); + } + switch (type) { + case USER: { + XXPolicyRefUser xPolUser = rangerAuditFields.populateAuditFields(new XXPolicyRefUser(), xPolicy); + + xPolUser.setPolicyId(xPolicy.getId()); + xPolUser.setUserId(id); + xPolUser.setUserName(name); + daoMgr.getXXPolicyRefUser().create(xPolUser); + } + break; + case GROUP: { + XXPolicyRefGroup xPolGroup = rangerAuditFields.populateAuditFields(new XXPolicyRefGroup(), xPolicy); + + xPolGroup.setPolicyId(xPolicy.getId()); + xPolGroup.setGroupId(id); + xPolGroup.setGroupName(name); + daoMgr.getXXPolicyRefGroup().create(xPolGroup); + } + break; + case ROLE: { + XXPolicyRefRole xPolRole = rangerAuditFields.populateAuditFields(new XXPolicyRefRole(), xPolicy); + + xPolRole.setPolicyId(xPolicy.getId()); + xPolRole.setRoleId(id); + xPolRole.setRoleName(name); + daoMgr.getXXPolicyRefRole().create(xPolRole); + } + break; + default: + break; + } + if(LOG.isDebugEnabled()) { + LOG.debug("<=== PolicyPrincipalAssociator.createPolicyAssociation(policyId=" + xPolicy.getId() + ", type=" + type.name() + ", name=" + name + ", id=" + id + ")"); + } + } + } public Boolean cleanupRefTables(RangerPolicy policy) { final Long policyId = policy == null ? null : policy.getId(); 
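Review bot: In `createPrincipal`'s ROLE branch the `catch (Exception e) { // Ignore }` drops the failure entirely, so when `run()` then throws `RuntimeException("Failed to associate ...")` the operator sees no cause — and since `run()` executes post-commit, the policy is already committed without its ref-table row for that principal as far as this hunk shows. Log it with the cause, `} catch (Exception e) { LOG.error("Failed to create role [" + name + "]", e); }`, and consider carrying the cause into the RuntimeException where one is available. The WARN in `createPrincipal(String user)` says "User specified in policy does not exist" for every type and uses the stray `user` parameter instead of `name`; `LOG.warn(type.name() + " specified in policy does not exist in ranger admin, creating it, name = " + name);` reads correctly for GROUP and ROLE too. `doAssociate(boolean isAdmin)` forwards its argument to `createOrGetPrincipal` as `createIfAbsent`, so naming the parameter `createIfAbsent` would make the `doAssociate(false)`/`doAssociate(true)` call sites self-explanatory. The ROLE branch also calls `RangerBizUtil.setBulkMode(false)` without restoring the previous value, unlike the loop it was moved from; presumably that should be restored if bulk mode is shared state.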
@@ -397,156 +539,4 @@ public class PolicyRefUpdater { return ret; } - public void groupPolicyAssociation(XXPolicy xPolicy, Long groupId, String groupName) { - if (LOG.isDebugEnabled()) { - LOG.debug("===> PolicyRefUpdater.groupPolicyAssociation()"); - } - - XXPolicyRefGroup xPolGroup = rangerAuditFields.populateAuditFields(new XXPolicyRefGroup(), xPolicy); - - xPolGroup.setPolicyId(xPolicy.getId()); - xPolGroup.setGroupId(groupId); - xPolGroup.setGroupName(groupName); - daoMgr.getXXPolicyRefGroup().create(xPolGroup); - } - - private static final class PolicyGroupCreateContext { - final VXGroup group; - final XXPolicy xPolicy; - - PolicyGroupCreateContext(VXGroup group, XXPolicy xPolicy) { - this.group = group; - this.xPolicy = xPolicy; - } - - @Override - public String toString() { - return "{group=" + group + ", xPolicy=" + xPolicy + "}"; - } - } - - void doAssociatePolicyGroup(final PolicyGroupCreateContext context) { - if(LOG.isDebugEnabled()) { - LOG.debug("===> PolicyRefUpdater.doAssociatePolicyGroup()"); - } - XXGroup xGroup = daoMgr.getXXGroup().findByGroupName(context.group.getName()); - - if (xGroup == null) { - LOG.error("No Group created!! Irrecoverable error! 
PolicyGroupContext:[" + context + "]"); - } else { - try { - groupPolicyAssociation(context.xPolicy, xGroup.getId(), context.group.getName()); - } catch (Exception exception) { - LOG.error("Failed to associate group and policy, PolicyGroupContext:[" + context + "]", exception); - } - } - } - - void doCreateAndAssociatePolicyGroup(final PolicyGroupCreateContext context) { - if (LOG.isDebugEnabled()) { - LOG.debug("===> PolicyRefUpdater.doCreateAndAssociatePolicyGroup()"); - } - XXGroup xGroup = daoMgr.getXXGroup().findByGroupName(context.group.getName()); - - if (xGroup != null) { - groupPolicyAssociation(context.xPolicy, xGroup.getId(), context.group.getName()); - } else { - // Create group - VXGroup vXGroup = xGroupService.createXGroupWithOutLogin(context.group); - if (vXGroup != null) { - try { - List<XXTrxLog> trxLogList = xGroupService.getTransactionLog(vXGroup, "create"); - for (XXTrxLog xTrxLog : trxLogList) { - xTrxLog.setAddedByUserId(context.xPolicy.getAddedByUserId()); - xTrxLog.setUpdatedByUserId(context.xPolicy.getAddedByUserId()); - } - rangerBizUtil.createTrxLog(trxLogList); - } catch (Throwable t) { - // Ignore - } - doAssociatePolicyGroup(context); - } else { - if (LOG.isDebugEnabled()) { - LOG.debug("Group:[" + context.group + "] creation failed!"); - throw new RuntimeException("Group:[" + context.group + "] creation failed!"); - } - } - } - if (LOG.isDebugEnabled()) { - LOG.debug("<=== PolicyRefUpdater.doCreateAndAssociatePolicyGroup()"); - } - } - - private static final class PolicyUserCreateContext { - final String userName; - final XXPolicy xPolicy; - - PolicyUserCreateContext(String userName, XXPolicy xPolicy) { - this.userName = userName; - this.xPolicy = xPolicy; - } - - @Override - public String toString() { - return "{userName=" + userName + ", xPolicy=" + xPolicy + "}"; - } - } - - public void userPolicyAssociation(XXPolicy xPolicy, Long userId, String userName) { - if(LOG.isDebugEnabled()) { - LOG.debug("===> 
PolicyRefUpdater.userPolicyAssociation()"); - } - - XXPolicyRefUser xPolUser = rangerAuditFields.populateAuditFields(new XXPolicyRefUser(), xPolicy); - - xPolUser.setPolicyId(xPolicy.getId()); - xPolUser.setUserId(userId); - xPolUser.setUserName(userName); - daoMgr.getXXPolicyRefUser().create(xPolUser); - if(LOG.isDebugEnabled()) { - LOG.debug("<=== PolicyRefUpdater.userPolicyAssociation()"); - } - } - - void doAssociatePolicyUser(final PolicyUserCreateContext context) { - if(LOG.isDebugEnabled()) { - LOG.debug("===> PolicyRefUpdater.doAssociatePolicyUser()"); - } - XXUser xUser = daoMgr.getXXUser().findByUserName(context.userName); - - if (xUser == null) { - LOG.error("No User created!! Irrecoverable error! PolicyUserContext:[" + context + "]"); - } else { - try { - userPolicyAssociation(context.xPolicy, xUser.getId(), context.userName); - } catch (Exception exception) { - LOG.error("Failed to associate user and policy, PolicyUserContext:[" + context + "]", exception); - } - } - } - - void doCreateAndAssociatePolicyUser(final PolicyUserCreateContext context) { - if (LOG.isDebugEnabled()) { - LOG.debug("===> PolicyRefUpdater.doCreateAndAssociatePolicyUser()"); - } - XXUser xUser = daoMgr.getXXUser().findByUserName(context.userName); - - if (xUser != null) { - userPolicyAssociation(context.xPolicy, xUser.getId(), context.userName); - } else { - // Create External user - VXUser vXUser = xUserMgr.createServiceConfigUser(context.userName); - if (vXUser != null) { - doAssociatePolicyUser(context); - } else { - if (LOG.isDebugEnabled()) { - LOG.debug("serviceConfigUser:[" + context.userName + "] creation failed"); - throw new RuntimeException("serviceConfigUser:[" + context.userName + "] creation failed"); - } - } - } - if (LOG.isDebugEnabled()) { - LOG.debug("<=== PolicyRefUpdater.doCreateAndAssociatePolicyUser()"); - } - } } 
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java b/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java index 4c50d81..0e5ccd3 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java @@ -44,15 +44,12 @@ import org.apache.ranger.entity.XXTrxLog; import org.apache.ranger.entity.XXUser; import org.apache.ranger.plugin.model.RangerRole; import org.apache.ranger.service.RangerAuditFields; -import org.apache.ranger.service.RangerTransactionService; import org.apache.ranger.service.XGroupService; -import org.apache.ranger.service.XUserService; import org.apache.ranger.view.VXGroup; import org.apache.ranger.view.VXUser; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; - @Component public class RoleRefUpdater { private static final Log LOG = LogFactory.getLog(RoleRefUpdater.class); @@ -70,21 +67,15 @@ public class RoleRefUpdater { XUserMgr xUserMgr; @Autowired - XUserService xUserService; - - @Autowired XGroupService xGroupService; @Autowired RangerTransactionSynchronizationAdapter rangerTransactionSynchronizationAdapter; @Autowired - RangerTransactionService transactionService; - - @Autowired RangerBizUtil xaBizUtil; - public void createNewRoleMappingForRefTable(RangerRole rangerRole, Boolean createNonExistUserGroup) throws Exception { + public void createNewRoleMappingForRefTable(RangerRole rangerRole, Boolean createNonExistUserGroup) { if (rangerRole == null) { return; } 
@@ -106,39 +97,26 @@ public class RoleRefUpdater { roleRoles.add(role.getName()); } + final boolean isCreateNonExistentUGs = createNonExistUserGroup && xaBizUtil.checkAdminAccess(); + if (CollectionUtils.isNotEmpty(roleUsers)) { for (String roleUser : roleUsers) { if (StringUtils.isBlank(roleUser)) { continue; } - Long userId = null; - XXUser xUser = daoMgr.getXXUser().findByUserName(roleUser); - - if (xUser == null) { - if (createNonExistUserGroup && xaBizUtil.checkAdminAccess()) { - LOG.warn("User specified in role does not exist in ranger admin, creating new user, User = " - + roleUser); - - final RoleUserCreateContext roleUserCreateContext = new RoleUserCreateContext(roleUser, roleId); - Runnable createAndAssociateUser = new Runnable() { - @Override - public void run() { - doCreateAndAssociateRoleUser(roleUserCreateContext); - } - }; - rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(createAndAssociateUser); + RolePrincipalAssociator associator = new RolePrincipalAssociator(PolicyRefUpdater.PRINCIPAL_TYPE.USER, roleUser, roleId); + if (associator.doAssociate(false)) { + if (LOG.isDebugEnabled()) { + LOG.debug("User name: " + roleUser + " specified in role does not exist in ranger admin."); + } + } else { + if (isCreateNonExistentUGs) { + rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator); } else { - throw restErrorUtil.createRESTException("user with name: " + roleUser + " does not exist ", - MessageEnums.INVALID_INPUT_DATA); + throw restErrorUtil.createRESTException("user with name: " + roleUser + " does not exist ", MessageEnums.INVALID_INPUT_DATA); } - }else { - userId = xUser.getId(); - } - - if(null != userId) { - userRoleAssociation(roleId,userId,roleUser); } } } 
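Review bot: The debug in the `if (associator.doAssociate(false))` branch logs "User name: ... does not exist in ranger admin" on the success path — by analogy with `PolicyPrincipalAssociator`, `doAssociate` returns true only when the user was found and associated (the `RolePrincipalAssociator` body is in a later hunk cut off in this view), so the message describes the opposite case; `LOG.debug("User name: " + roleUser + " exists; associated with role id:[" + roleId + "]");` matches the branch. `final boolean isCreateNonExistentUGs = createNonExistUserGroup && ...` unboxes the `Boolean` parameter unconditionally, whereas before it was only evaluated when a user was missing; a null argument now fails here even for a role with no users or groups, so either document that null is not accepted or use `Boolean.TRUE.equals(createNonExistUserGroup)`. The enclosing method starts above this hunk.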
@@ -149,38 +127,18 @@ public class RoleRefUpdater { if (StringUtils.isBlank(roleGroup)) { continue; } - Long groupId = null; - XXGroup xGroup = daoMgr.getXXGroup().findByGroupName(roleGroup); - - if (xGroup == null) { - if (createNonExistUserGroup && xaBizUtil.checkAdminAccess()) { - LOG.warn("Group specified in role does not exist in ranger admin, creating new group, Group = " - + roleGroup); - VXGroup vxGroupNew = new VXGroup(); - vxGroupNew.setName(roleGroup); - vxGroupNew.setDescription(roleGroup); - vxGroupNew.setGroupSource(RangerCommonEnums.GROUP_EXTERNAL); - - final RoleGroupCreateContext roleGroupCreateContext = new RoleGroupCreateContext(vxGroupNew, roleId); - - Runnable createAndAssociateRoleGroup = new Runnable() { - @Override - public void run() { - doCreateAndAssociateRoleGroup(roleGroupCreateContext); - } - }; - rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(createAndAssociateRoleGroup); + RolePrincipalAssociator associator = new RolePrincipalAssociator(PolicyRefUpdater.PRINCIPAL_TYPE.GROUP, roleGroup, roleId); + if (associator.doAssociate(false)) { + if (LOG.isDebugEnabled()) { + LOG.debug("Group name: " + roleGroup + " specified in role does not exist in ranger admin."); + } + } else { + if (isCreateNonExistentUGs) { + rangerTransactionSynchronizationAdapter.executeOnTransactionCommit(associator); } else { - throw restErrorUtil.createRESTException("group with name: " + roleGroup + " does not exist ", - MessageEnums.INVALID_INPUT_DATA); + throw restErrorUtil.createRESTException("Group with name: " + roleGroup + " does not exist ", MessageEnums.INVALID_INPUT_DATA); } - }else { - groupId = xGroup.getId(); - } - - if(null != groupId) { - groupRoleAssociation(roleId, groupId, roleGroup); } } } 
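Review bot: The debug for groups is inverted the same way as the surrounding loops: it fires when `doAssociate(false)` returned true, i.e. the group exists and was associated, yet says "Group name: ... does not exist in ranger admin"; `LOG.debug("Group name: " + roleGroup + " exists; associated with role id:[" + roleId + "]");` states what happened. The error text was changed to "Group with name: ..." while the user message a few lines up stays "user with name: ..."; pick one capitalisation for both. The group loop header is outside the hunk.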
@@ -192,20 +150,15 @@ public class RoleRefUpdater { continue; } - XXRole xRole = daoMgr.getXXRole().findByRoleName(roleRole); + RolePrincipalAssociator associator = new RolePrincipalAssociator(PolicyRefUpdater.PRINCIPAL_TYPE.ROLE, roleRole, roleId); - if (xRole == null) { - throw restErrorUtil.createRESTException("Role with name: " + roleRole + " does not exist ", - MessageEnums.INVALID_INPUT_DATA); + if (associator.doAssociate(false)) { + if (LOG.isDebugEnabled()) { + LOG.debug("Group name: " + roleRole + " specified in role does not exist in ranger admin."); + } + } else { + throw restErrorUtil.createRESTException("Role with name: " + roleRole + " does not exist ", MessageEnums.INVALID_INPUT_DATA); } - - XXRoleRefRole xRoleRefRole = rangerAuditFields.populateAuditFieldsForCreate(new XXRoleRefRole()); - - xRoleRefRole.setRoleId(roleId); - xRoleRefRole.setSubRoleId(xRole.getId()); - xRoleRefRole.setSubRoleName(roleRole); - xRoleRefRole.setSubRoleType(0); - daoMgr.getXXRoleRefRole().create(xRoleRefRole); } } 
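Review bot: The debug in this sub-role loop says "Group name: ..." for a role and, like the other branches, fires on the success path (`doAssociate(false)` true means the role was found and associated); `LOG.debug("Role name: " + roleRole + " exists; associated with role id:[" + roleId + "]");` fixes both. The removed code set `setSubRoleType(0)` on the `XXRoleRefRole` row explicitly; the replacement association lives in the `RolePrincipalAssociator` hunk that is cut off in this view, so it is worth confirming that field is still populated there. The sub-role loop header is above this hunk.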
@@ -236,157 +189,191 @@ public class RoleRefUpdater { return true; } - public void groupRoleAssociation(Long roleId, Long groupId, String groupName) { - if(LOG.isDebugEnabled()) { - LOG.debug("===> groupRoleAssociation()"); - } - - XXRoleRefGroup xRoleRefGroup = rangerAuditFields.populateAuditFieldsForCreate(new XXRoleRefGroup()); - xRoleRefGroup.setRoleId(roleId); - xRoleRefGroup.setGroupId(groupId); - xRoleRefGroup.setGroupName(groupName); - xRoleRefGroup.setGroupType(0); - daoMgr.getXXRoleRefGroup().create(xRoleRefGroup); - } - - private static final class RoleGroupCreateContext { - final VXGroup group; - final Long roleId; + private class RolePrincipalAssociator implements Runnable { + final PolicyRefUpdater.PRINCIPAL_TYPE type; + final String name; + final Long roleId; - RoleGroupCreateContext(VXGroup group, Long roleId) { - this.group = group; - this.roleId = roleId; + public RolePrincipalAssociator(PolicyRefUpdater.PRINCIPAL_TYPE type, String name, Long roleId) { + this.type = type; + this.name = name; + this.roleId = roleId; } @Override - public String toString() { - return "{group=" + group + ", roleId=" + roleId + "}"; - } - } - - void doCreateAndAssociateRoleGroup(final RoleGroupCreateContext context) { - if (LOG.isDebugEnabled()) { - LOG.debug("===> doCreateAndAssociateRoleGroup()"); - } - XXGroup xGroup = daoMgr.getXXGroup().findByGroupName(context.group.getName()); - - if (xGroup != null) { - groupRoleAssociation(context.roleId, xGroup.getId(), context.group.getName()); - } else { - // Create group - VXGroup vXGroup = xGroupService.createXGroupWithOutLogin(context.group); - if (null != vXGroup) { - try { - List<XXTrxLog> trxLogList = xGroupService.getTransactionLog(vXGroup, "create"); - xaBizUtil.createTrxLog(trxLogList); - } catch (Throwable t) { - // Ignore - } - doAssociateRoleGroup(context); - } else { + public void run() { + if (doAssociate(true)) { if (LOG.isDebugEnabled()) { - LOG.debug("Group:[" + context.group + "] creation failed!"); - throw 
new RuntimeException("Group:[" + context.group + "] creation failed!"); + LOG.debug("Associated " + type.name() + ":" + name + " with role id:[" + roleId + "]"); } + } else { + throw new RuntimeException("Failed to associate " + type.name() + ":" + name + " with role id:[" + roleId + "]"); } } - if (LOG.isDebugEnabled()) { - LOG.debug("<=== doCreateAndAssociateRoleGroup()"); - } - } - void doAssociateRoleGroup(final RoleGroupCreateContext context) { - if(LOG.isDebugEnabled()) { - LOG.debug("===> doAssociateRoleGroup()"); - } - XXGroup xGroup = daoMgr.getXXGroup().findByGroupName(context.group.getName()); - - if (xGroup == null) { - LOG.error("No Group created!! Irrecoverable error! RoleGroupContext:[" + context + "]"); - } else { - try { - groupRoleAssociation(context.roleId, xGroup.getId(), context.group.getName()); - } catch (Exception exception) { - LOG.error("Failed to associate group and role, RoleGroupContext:[" + context + "]", exception); + boolean doAssociate(boolean isAdmin) { + if (LOG.isDebugEnabled()) { + LOG.debug("===> RolePrincipalAssociator.doAssociate(" + isAdmin + ")"); } - } - if(LOG.isDebugEnabled()) { - LOG.debug("<=== doAssociateRoleGroup()"); - } - } + final boolean ret; - private static final class RoleUserCreateContext { - final String userName; - final Long roleId; + Long id = createOrGetPrincipal(isAdmin); + if (id != null) { + // associate with role + createRoleAssociation(id, name); + ret = true; + } else { + ret = false; + } - RoleUserCreateContext(String userName, Long roleId) { - this.userName = userName; - this.roleId = roleId; + if (LOG.isDebugEnabled()) { + LOG.debug("<=== RolePrincipalAssociator.doAssociate(" + isAdmin + ") : " + ret); + } + return ret; } - @Override - public String toString() { - return "{userName=" + userName + ", roleId=" + roleId + "}"; - } - } + private Long createOrGetPrincipal(final boolean createIfAbsent) { + if (LOG.isDebugEnabled()) { + LOG.debug("===> RolePrincipalAssociator.createOrGetPrincipal(" + 
createIfAbsent + ")"); + } - public void userRoleAssociation(Long roleId, Long userId, String userName) { - if(LOG.isDebugEnabled()) { - LOG.debug("===> userRoleAssociation()"); - } - XXRoleRefUser xRoleRefUser = rangerAuditFields.populateAuditFieldsForCreate(new XXRoleRefUser()); - xRoleRefUser.setRoleId(roleId); - xRoleRefUser.setUserId(userId); - xRoleRefUser.setUserName(userName); - xRoleRefUser.setUserType(0); - daoMgr.getXXRoleRefUser().create(xRoleRefUser); - if(LOG.isDebugEnabled()) { - LOG.debug("<=== userRoleAssociation()"); - } - } + Long ret = null; - void doCreateAndAssociateRoleUser(final RoleUserCreateContext context) { - if (LOG.isDebugEnabled()) { - LOG.debug("===> doCreateAndAssociateRoleUser()"); - } - XXUser xUser = daoMgr.getXXUser().findByUserName(context.userName); - - if (xUser != null) { - userRoleAssociation(context.roleId, xUser.getId(), context.userName); - } else { - // Create External user - VXUser vXUser = xUserMgr.createServiceConfigUser(context.userName); - if (vXUser != null) { - doAssociateRoleUser(context); - } else { - if (LOG.isDebugEnabled()) { - LOG.debug("ServiceConfigUser:[" + context.userName + "] creation failed!"); + switch (type) { + case USER: { + XXUser xUser = daoMgr.getXXUser().findByUserName(name); + if (xUser != null) { + ret = xUser.getId(); + } else { + if (createIfAbsent) { + ret = createPrincipal(name); + } + } } - throw new RuntimeException("ServiceConfigUser:[" + context.userName + "] creation failed!"); + break; + case GROUP: { + XXGroup xGroup = daoMgr.getXXGroup().findByGroupName(name); + + if (xGroup != null) { + ret = xGroup.getId(); + } else { + if (createIfAbsent) { + ret = createPrincipal(name); + } + } + } + break; + case ROLE: { + XXRole xRole = daoMgr.getXXRole().findByRoleName(name); + if (xRole != null) { + ret = xRole.getId(); + } else { + if (createIfAbsent) { + RangerBizUtil.setBulkMode(false); + ret = createPrincipal(name); + } + } + } + break; + default: + break; } + if 
(LOG.isDebugEnabled()) { + LOG.debug("<=== RolePrincipalAssociator.createOrGetPrincipal(" + createIfAbsent + ") : " + ret); + } + return ret; } - if (LOG.isDebugEnabled()) { - LOG.debug("<=== doCreateAndAssociateRoleUser()"); - } - } - void doAssociateRoleUser(final RoleUserCreateContext context) { - if(LOG.isDebugEnabled()) { - LOG.debug("===> doAssociateRoleUser()"); - } - XXUser xUser = daoMgr.getXXUser().findByUserName(context.userName); - - if (xUser == null) { - LOG.error("No User created!! Irrecoverable error! RoleUserContext:[" + context + "]"); - } else { - try { - userRoleAssociation(context.roleId, xUser.getId(), context.userName); - } catch (Exception exception) { - LOG.error("Failed to associate user and role, RoleUserContext:[" + context + "]", exception); + private Long createPrincipal(String user) { + LOG.warn("User specified in role does not exist in ranger admin, creating new user, Type: " + type.name() + ", name = " + user); + + if (LOG.isDebugEnabled()) { + LOG.debug("===> RolePrincipalAssociator.createPrincipal(type=" + type.name() +", name=" + name + ")"); } + + Long ret = null; + + switch (type) { + case USER: { + // Create External user + VXUser vXUser = xUserMgr.createServiceConfigUser(name); + if (vXUser != null) { + XXUser xUser = daoMgr.getXXUser().findByUserName(name); + + if (xUser == null) { + LOG.error("No User created!! Irrecoverable error! 
[" + name + "]"); + } else { + ret = xUser.getId(); + } + } else { + LOG.error("serviceConfigUser:[" + name + "] creation failed"); + } + } + break; + case GROUP: { + // Create group + VXGroup vxGroup = new VXGroup(); + vxGroup.setName(name); + vxGroup.setDescription(name); + vxGroup.setGroupSource(RangerCommonEnums.GROUP_EXTERNAL); + VXGroup vXGroup = xGroupService.createXGroupWithOutLogin(vxGroup); + if (vXGroup != null) { + List<XXTrxLog> trxLogList = xGroupService.getTransactionLog(vXGroup, "create"); + xaBizUtil.createTrxLog(trxLogList); + ret = vXGroup.getId(); + } + } + break; + default: + break; + } + if (LOG.isDebugEnabled()) { + LOG.debug("<=== RolePrincipalAssociator.createPrincipal(type=" + type.name() + ", name=" + name + ") : " + ret); + } + return ret; } - if(LOG.isDebugEnabled()) { - LOG.debug("<=== doAssociateRoleUser()"); + + private void createRoleAssociation(Long id, String name) { + if(LOG.isDebugEnabled()) { + LOG.debug("===> RolePrincipalAssociator.createRoleAssociation(roleId=" + roleId + ", type=" + type.name() + ", name=" + name + ", id=" + id + ")"); + } + switch (type) { + case USER: { + XXRoleRefUser xRoleRefUser = rangerAuditFields.populateAuditFieldsForCreate(new XXRoleRefUser()); + + xRoleRefUser.setRoleId(roleId); + xRoleRefUser.setUserId(id); + xRoleRefUser.setUserName(name); + xRoleRefUser.setUserType(0); + daoMgr.getXXRoleRefUser().create(xRoleRefUser); + } + break; + case GROUP: { + XXRoleRefGroup xRoleRefGroup = rangerAuditFields.populateAuditFieldsForCreate(new XXRoleRefGroup()); + + xRoleRefGroup.setRoleId(roleId); + xRoleRefGroup.setGroupId(id); + xRoleRefGroup.setGroupName(name); + xRoleRefGroup.setGroupType(0); + daoMgr.getXXRoleRefGroup().create(xRoleRefGroup); + } + break; + case ROLE: { + XXRoleRefRole xRoleRefRole = rangerAuditFields.populateAuditFieldsForCreate(new XXRoleRefRole()); + + xRoleRefRole.setRoleId(roleId); + xRoleRefRole.setSubRoleId(id); + xRoleRefRole.setSubRoleName(name); + 
xRoleRefRole.setSubRoleType(0); + daoMgr.getXXRoleRefRole().create(xRoleRefRole); + } + break; + default: + break; + } + if(LOG.isDebugEnabled()) { + LOG.debug("<=== RolePrincipalAssociator.createRoleAssociation(roleId=" + roleId + ", type=" + type.name() + ", name=" + name + ", id=" + id + ")"); + } } } diff --git a/security-admin/src/main/java/org/apache/ranger/service/RangerPluginActivityLogger.java b/security-admin/src/main/java/org/apache/ranger/service/RangerPluginActivityLogger.java index 702df4c..2cc9b91 100644 --- a/security-admin/src/main/java/org/apache/ranger/service/RangerPluginActivityLogger.java +++ b/security-admin/src/main/java/org/apache/ranger/service/RangerPluginActivityLogger.java @@ -30,8 +30,6 @@ import javax.annotation.PostConstruct; @Component public class RangerPluginActivityLogger { - @Autowired - RangerTransactionService transactionService; @Autowired RangerTransactionSynchronizationAdapter transactionSynchronizationAdapter; @@ -52,18 +50,7 @@ public class RangerPluginActivityLogger { } public void commitAfterTransactionComplete(Runnable commitWork) { - if (pluginActivityAuditCommitInline) { - if (LOG.isDebugEnabled()) { - LOG.debug("Using TransactionManager for committing work [pluginActivityAuditCommitInline:" + pluginActivityAuditCommitInline + "]"); - } - transactionSynchronizationAdapter.executeOnTransactionCompletion(commitWork); - } else { - if (LOG.isDebugEnabled()) { - LOG.debug("Using separate thread for committing work [pluginActivityAuditCommitInline:" + pluginActivityAuditCommitInline + "]"); - } - final long delayInMillis = 1000L; - transactionService.scheduleToExecuteInOwnTransaction(commitWork, delayInMillis); - } + transactionSynchronizationAdapter.executeOnTransactionCompletion(commitWork); } } diff --git a/security-admin/src/test/java/org/apache/ranger/service/TestRangerPluginActivityLogger.java b/security-admin/src/test/java/org/apache/ranger/service/TestRangerPluginActivityLogger.java index e501cc3..26d6389 100644 
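Review bot: In `createOrGetPrincipal`, the ROLE case with `createIfAbsent` calls `RangerBizUtil.setBulkMode(false)` and then `createPrincipal(name)`, but `createPrincipal` has no ROLE case and returns null, so the only effect is flipping a global setting before reporting failure; since the role loop only ever calls `doAssociate(false)`, the branch is dead and should either be reduced to `if (xRole != null) { ret = xRole.getId(); }` or given a real ROLE case. `createPrincipal(String user)` uses its parameter only in the warn line and works on the field `name` everywhere else, and the message says "User" for groups too; dropping the parameter and logging `LOG.warn(type.name() + " specified in role does not exist in ranger admin, creating it, name = " + name);` would match what the method does. `run()` throws from a callback registered with `executeOnTransactionCommit`, so a creation failure surfaces only after the role itself has been committed without the association, which is worth stating in a comment on `run()`. The GROUP case also lost the `catch (Throwable)` that previously tolerated a failing `xaBizUtil.createTrxLog`, so a trx-log error now aborts the association after the group row has been created.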
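Review bot: `commitAfterTransactionComplete` no longer reads `pluginActivityAuditCommitInline`, so if that field and its property binding still exist elsewhere in the class (not visible in this hunk) the setting is now silently ignored; either remove the field or note in its declaration that it has no effect. A one-line Javadoc on the method, `/** Runs commitWork when the current transaction completes; there is no separate-thread fallback any more. */`, would record the new contract for callers that relied on the scheduled path.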
--- a/security-admin/src/test/java/org/apache/ranger/service/TestRangerPluginActivityLogger.java +++ b/security-admin/src/test/java/org/apache/ranger/service/TestRangerPluginActivityLogger.java @@ -21,7 +21,6 @@ import org.junit.FixMethodOrder; import org.junit.Test; import org.junit.runner.RunWith; import org.junit.runners.MethodSorters; -import org.mockito.InjectMocks; import org.mockito.Mock; import org.mockito.junit.MockitoJUnitRunner; @@ -29,7 +28,7 @@ import org.mockito.junit.MockitoJUnitRunner; @FixMethodOrder(MethodSorters.NAME_ASCENDING) public class TestRangerPluginActivityLogger { - @InjectMocks + @Mock RangerPluginActivityLogger rangerPluginActivityLogger; @Mock