This is an automated email from the ASF dual-hosted git repository. pradeep pushed a commit to branch ranger-2.4 in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.4 by this push:
new 23c42c7b0 RANGER-4255: Introduce option in Ranger to control retention period of x_auth_sess table data
23c42c7b0 is described below
commit 23c42c7b0562a2c724ffa557e6a4723eaa7bb8d4
Author: Pradeep AgrawaL <prad...@apache.org>
AuthorDate: Thu May 25 18:21:54 2023 +0530
RANGER-4255: Introduce option in Ranger to control retention period of x_auth_sess table data
---
 .../java/org/apache/ranger/biz/ServiceDBStore.java | 42 ++++++++++++++++++++++
 .../main/java/org/apache/ranger/biz/XUserMgr.java | 1 -
 .../org/apache/ranger/db/XXAuthSessionDao.java | 19 ++++++++--
 .../java/org/apache/ranger/rest/PublicAPIsv2.java | 15 ++++++++
 .../java/org/apache/ranger/rest/ServiceREST.java | 39 ++++++++++++++++++++
 .../main/resources/META-INF/jpa_named_queries.xml | 4 +++
 .../main/resources/conf.dist/ranger-admin-site.xml | 8 +++++
 7 files changed, 125 insertions(+), 3 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index a871700b5..2b6bfd271 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -247,6 +247,8 @@ public class ServiceDBStore extends AbstractServiceStore {
 public static boolean SUPPORTS_IN_PLACE_POLICY_UPDATES = false;
 public static Integer RETENTION_PERIOD_IN_DAYS = 7;
 public static Integer TAG_RETENTION_PERIOD_IN_DAYS = 3;
+ public static boolean SUPPORTS_PURGE_LOGIN_RECORDS = false;
+ public static Integer LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS = 0;
 private static final String RANGER_PLUGIN_CONFIG_PREFIX = "ranger.plugin.";
 public static final String RANGER_PLUGIN_AUDIT_FILTERS = "ranger.plugin.audit.filters";
@@ -389,9 +391,21 @@ public class ServiceDBStore extends AbstractServiceStore {
 SUPPORTS_POLICY_DELTAS = config.getBoolean("ranger.admin" + RangerCommonConstants.RANGER_ADMIN_SUFFIX_POLICY_DELTA, RangerCommonConstants.RANGER_ADMIN_SUFFIX_POLICY_DELTA_DEFAULT);
 RETENTION_PERIOD_IN_DAYS = config.getInt("ranger.admin.delta.retention.time.in.days", 7);
 TAG_RETENTION_PERIOD_IN_DAYS = config.getInt("ranger.admin.tag.delta.retention.time.in.days", 3);
+
+ SUPPORTS_PURGE_LOGIN_RECORDS = config.getBoolean("ranger.admin.init.purge.login_records", false);
+ LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS = config.getInt("ranger.admin.init.purge.login_records.retention.days", 0);
+
 isRolesDownloadedByService = config.getBoolean("ranger.support.for.service.specific.role.download", false);
 SUPPORTS_IN_PLACE_POLICY_UPDATES = SUPPORTS_POLICY_DELTAS && config.getBoolean("ranger.admin" + RangerCommonConstants.RANGER_ADMIN_SUFFIX_IN_PLACE_POLICY_UPDATES, RangerCommonConstants.RANGER_ADMIN_SUFFIX_IN_PLACE_POLICY_UPDATES_DEFAULT);
+ LOG.info("SUPPORTS_POLICY_DELTAS=" + SUPPORTS_POLICY_DELTAS);
+ LOG.info("RETENTION_PERIOD_IN_DAYS=" + RETENTION_PERIOD_IN_DAYS);
+ LOG.info("TAG_RETENTION_PERIOD_IN_DAYS=" + TAG_RETENTION_PERIOD_IN_DAYS);
+ LOG.info("SUPPORTS_PURGE_LOGIN_RECORDS=" + SUPPORTS_PURGE_LOGIN_RECORDS);
+ LOG.info("LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS=" + LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS);
+ LOG.info("isRolesDownloadedByService=" + isRolesDownloadedByService);
+ LOG.info("SUPPORTS_IN_PLACE_POLICY_UPDATES=" + SUPPORTS_IN_PLACE_POLICY_UPDATES);
+
 TransactionTemplate txTemplate = new TransactionTemplate(txManager);
 final ServiceDBStore dbStore = this;
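Review bot: `LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS` is taken from `ranger.admin.init.purge.login_records.retention.days` with no sanity check and defaults to 0, so an operator who sets `ranger.admin.init.purge.login_records=true` without the retention property gets a startup purge that is silently skipped (removeAuthSessions, later in this commit, only acts on a positive value). A warning beside the new LOG.info lines would make that misconfiguration visible: `if (SUPPORTS_PURGE_LOGIN_RECORDS && LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS < 1) { LOG.warn("ranger.admin.init.purge.login_records is enabled but ranger.admin.init.purge.login_records.retention.days is " + LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS + "; login records will not be purged at startup"); }`. The enclosing method begins and ends outside this hunk.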
@@ -406,6 +420,9 @@ public class ServiceDBStore extends AbstractServiceStore {
 createGenericUsers();
 resetPolicyUpdateLog(RETENTION_PERIOD_IN_DAYS, RangerPolicyDelta.CHANGE_TYPE_RANGER_ADMIN_START);
 resetTagUpdateLog(TAG_RETENTION_PERIOD_IN_DAYS, ServiceTags.TagsChangeType.RANGER_ADMIN_START);
+ if (SUPPORTS_PURGE_LOGIN_RECORDS) {
+ removeAuthSessions(LOGIN_RECORDS_RETENTION_PERIOD_IN_DAYS);
+ }
 //createUnzonedSecurityZone();
 initRMSDaos();
 return null;
@@ -5250,6 +5267,31 @@ public class ServiceDBStore extends AbstractServiceStore {
 }
 }
+ public void removeAuthSessions(int retentionInDays) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> removeAuthSessions(" + retentionInDays + ")");
+ }
+
+ if (retentionInDays > 0) {
+ long rowsCount = daoMgr.getXXAuthSession().getAllCount();
+ long rowsDeleted = daoMgr.getXXAuthSession().deleteOlderThan(retentionInDays);
+ LOG.info("Deleted " + rowsDeleted + " records from x_auth_sess that are older than " + retentionInDays + " days");
+ List<XXTrxLog> trxLogList = new ArrayList<XXTrxLog>();
+ XXTrxLog xxTrxLog = new XXTrxLog();
+ xxTrxLog.setAction("Deleted Auth Session records");
+ xxTrxLog.setObjectClassType(AppConstants.CLASS_TYPE_AUTH_SESS);
+ xxTrxLog.setPreviousValue("Total Records : "+rowsCount);
+ xxTrxLog.setNewValue("Deleted Records : "+rowsDeleted);
+ trxLogList.add(xxTrxLog);
+ bizUtil.createTrxLog(trxLogList);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== removeAuthSessions(" + retentionInDays + ")");
+
+ }
+ }
+
 public List<String> getPolicyLabels(SearchFilter searchFilter) {
 if (LOG.isDebugEnabled()) {
 LOG.debug("==> ServiceDBStore.getPolicyLabels()");
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index a5921d372..43b98d906 100755
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
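Review bot: removeAuthSessions calls `deleteOlderThan`, which issues a JPQL bulk `executeUpdate` and therefore needs an active transaction; the startup call in the hunk above runs inside the TransactionTemplate callback, but the new REST path (ServiceREST.purgeRecords, later in this commit) calls this method directly and nothing visible here supplies a transaction boundary for it — confirm the class is already transactional, or annotate this method with `@Transactional`. The XXTrxLog entry also records only counts, so the audit trail cannot say which records were removed; include the cutoff: `xxTrxLog.setNewValue("Deleted Records : " + rowsDeleted + " (older than " + retentionInDays + " days)");`. Since `rowsCount` is read before the delete, the "Total Records" value is the pre-purge total, which is worth stating in the string so it is not misread as the remaining count. The stray blank line before the closing brace of the trailing `isDebugEnabled` block should go.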
@@ -66,7 +66,6 @@ import org.apache.ranger.db.XXResourceDao;
 import org.apache.ranger.db.XXUserDao;
 import org.apache.ranger.db.XXUserPermissionDao;
 import org.apache.ranger.entity.XXAuditMap;
-import org.apache.ranger.entity.XXAuthSession;
 import org.apache.ranger.entity.XXGroup;
 import org.apache.ranger.entity.XXGroupGroup;
 import org.apache.ranger.entity.XXGroupUser;
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXAuthSessionDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXAuthSessionDao.java
index c3bd13c63..f69b8d2bb 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXAuthSessionDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXAuthSessionDao.java
@@ -19,19 +19,24 @@ package org.apache.ranger.db;
-import java.util.Date;
-import java.util.List;
+ import java.util.Date;
+ import java.util.List;
+ import java.util.concurrent.TimeUnit;
 import javax.persistence.NoResultException;
 import org.apache.ranger.common.DateUtil;
 import org.apache.ranger.common.db.BaseDao;
 import org.apache.ranger.entity.XXAuthSession;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Service;
 @Service
 public class XXAuthSessionDao extends BaseDao<XXAuthSession> {
+ private static final Logger LOG = LoggerFactory.getLogger(XXAuthSessionDao.class);
+
 public XXAuthSessionDao( RangerDaoManagerBase daoManager ) {
 super(daoManager);
 }
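Review bot: The two `java.util` imports are removed and re-added with a leading space (` import java.util.Date;`, ` import java.util.List;`), and the new `TimeUnit` import gets the same indent, while `import org.slf4j.Logger;` in the same hunk sits at column 0 — as rendered here the import block ends up misaligned for no functional reason. The three lines should be `import java.util.Date;`, `import java.util.List;` and `import java.util.concurrent.TimeUnit;` at column 0, which also turns the first two back into unchanged context lines.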
@@ -89,5 +94,15 @@ public class XXAuthSessionDao extends BaseDao<XXAuthSession> {
 public void deleteAuthSessionsByIds(List<Long> ids){
 batchDeleteByIds("XXAuthSession.deleteByIds", ids, "ids");
 }
+
+ public long deleteOlderThan(int olderThanInDays) {
+ Date since = new Date(System.currentTimeMillis() - TimeUnit.DAYS.toMillis(olderThanInDays));
+ LOG.info("Deleting x_auth_sess records that are older than " + olderThanInDays + " days, that is, older than " + since);
+
+ long ret = getEntityManager().createNamedQuery("XXAuthSession.deleteOlderThan").setParameter("olderThan", since).executeUpdate();
+
+ LOG.info("Deleted " + ret + " x_auth_sess records");
+ return ret;
+ }
 }
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
index 69d2260de..1bdac859c 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
@@ -896,4 +896,19 @@ public class PublicAPIsv2 {
 public RESTResponse revokeRoleUsersAndRoles(@PathParam("serviceName") String serviceName, GrantRevokeRoleRequest revokeRoleRequest, @Context HttpServletRequest request) {
 return roleREST.revokeRole(serviceName, revokeRoleRequest, request);
 }
+
+ @DELETE
+ @Path("/api/server/purge/records")
+ @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ public void purgeRecords(@QueryParam("type") String recordType, @DefaultValue("180") @QueryParam("retentionDays") Integer olderThan, @Context HttpServletRequest request) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> PublicAPIsv2.purgeRecords(" + recordType + ", " + olderThan + ")");
+ }
+
+ serviceREST.purgeRecords(recordType, olderThan, request);
+
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== PublicAPIsv2.purgeRecords(" + recordType + ", " + olderThan + ")");
+ }
+ }
 }
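Review bot: deleteOlderThan emits two INFO lines ("Deleting ..." and "Deleted ...") and its caller removeAuthSessions logs the same count a third time, so one purge produces three INFO records for a single event; the DAO-level lines belong at DEBUG, leaving the business-layer message and the trx log as the operator-facing record. The cutoff on the `since` line is derived from the admin JVM clock and compared against `createTime` in the database, and nothing in this hunk says which clock wrote `createTime`; a one-line comment such as `// cutoff uses the admin JVM clock; createTime must be comparable to it — verify how it is populated` would record the assumption for whoever tunes the retention. deleteOlderThan also does not reject a non-positive `olderThanInDays`, which would compute a future cutoff and delete every row — it is guarded by both callers today, but a `if (olderThanInDays < 1) throw new IllegalArgumentException("olderThanInDays must be >= 1");` at the top keeps the DAO safe on its own.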
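Review bot: The v2 public endpoint repeats the `@DefaultValue("180")` literal and the `type`/`retentionDays` parameter contract of ServiceREST.purgeRecords, so the two APIs silently diverge if either default is edited alone; hoist the default into one `public static final String` constant and reference it from both `@DefaultValue` annotations. The delegating method also has no Javadoc; a short one stating that `type` currently accepts only `login_records`, that `retentionDays` must be at least 1, and that both are validated in the delegate would spare API users a round trip to ServiceREST.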
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 6e6541d13..7682051b9 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -3927,6 +3927,45 @@ public class ServiceREST {
 }
 }
+ @DELETE
+ @Path("/server/purge/records")
+ @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ public void purgeRecords(@QueryParam("type") String recordType, @DefaultValue("180") @QueryParam("retentionDays") Integer olderThan, @Context HttpServletRequest request) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> ServiceREST.purgeRecords(" + recordType + ", " + olderThan + ")");
+ }
+
+ if (StringUtils.isEmpty(recordType) || !"login_records".equalsIgnoreCase(recordType)) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Invalid record type - " + recordType, true);
+ }
+
+ if (olderThan < 1) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST, "Retention days can't be lesser than 1", true);
+ }
+
+ RangerPerfTracer perf = null;
+
+ try {
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.purgeRecords(recordType=" + recordType + ", olderThan=" + olderThan + ")");
+ }
+
+ svcStore.removeAuthSessions(olderThan);
+
+ } catch (WebApplicationException excp) {
+ throw excp;
+ } catch (Throwable excp) {
+ LOG.error("purgeRecords(" + recordType + ", " + olderThan + ") failed", excp);
+ throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== ServiceREST.purgeRecords(" + recordType + ", " + olderThan + ")");
+ }
+ }
+
 private HashMap<String, Object> getCSRFPropertiesMap(HttpServletRequest request) {
 HashMap<String, Object> map = new HashMap<String, Object>();
 map.put(isCSRF_ENABLED, PropertiesUtil.getBooleanProperty(isCSRF_ENABLED, true));
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
index 673d4956d..21952dc16 100755
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
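Review bot: In the `catch (Throwable excp)` branch, `restErrorUtil.createRESTException(excp.getMessage())` returns the raw persistence-layer message to the HTTP client, and for a JPQL bulk delete that text can carry table or column names and driver details; the full exception is already captured by the LOG.error just above, so the response should carry a fixed message instead, e.g. `throw restErrorUtil.createRESTException(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to purge " + recordType + " records", true);`. `StringUtils.isEmpty(recordType) ||` is redundant because `equalsIgnoreCase` already returns false for a null argument. The method returns `void`, so the administrator who issued the DELETE never learns how many rows were removed even though deleteOlderThan computes that number — returning the count (and having removeAuthSessions pass it through) would make the operation verifiable from the client side. A Javadoc stating that `type` accepts only `login_records` and that the purge is recorded in the transaction log would also help, since neither is discoverable from the endpoint path.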
+++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
@@ -24,6 +24,10 @@ WHERE obj.extSessionId = :sessionId
 </query>
 </named-query>
+ <named-query name="XXAuthSession.deleteOlderThan">
+ <query>delete from XXAuthSession obj where obj.createTime < :olderThan</query>
+ </named-query>
+
 <named-query name="XXAuthSession.getRecentAuthFailureCountByLoginId">
 <query>SELECT COUNT(1) FROM XXAuthSession obj
 WHERE obj.loginId = :loginId
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
index 839cf180a..d6bf174e9 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
@@ -385,4 +385,12 @@
 <name>ranger.admin.cookie.name</name>
 <value>RANGERADMINSESSIONID</value>
 </property>
+ <property>
+ <name>ranger.admin.init.purge.login_records</name>
+ <value>false</value>
+ </property>
+ <property>
+ <name>ranger.admin.init.purge.login_records.retention.days</name>
+ <value>0</value>
+ </property>
 </configuration>
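Review bot: The new `XXAuthSession.deleteOlderThan` query contains a bare `<` in `obj.createTime < :olderThan` inside an XML element; if the committed file literally holds `<` rather than `&lt;`, the document is not well-formed and the persistence unit will fail to load at startup. The mail rendering shown here may have unescaped it, so this needs checking against the file itself; the well-formed line is `<query>delete from XXAuthSession obj where obj.createTime &lt; :olderThan</query>`. It is also worth a comment on the named-query stating that the retention cutoff is measured from `createTime`, since the neighbouring queries work with `authTime`-style fields and a future reader may expect the same here.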
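Review bot: The two new properties carry no `<description>`, and their semantics — the purge runs once at admin startup, and a retention of 0 leaves login records untouched even when the flag is true — are only discoverable by reading ServiceDBStore. If this file's other properties use `<description>` elements, add one to each; for the retention property something like `<description>Days of x_auth_sess login records to keep when ranger.admin.init.purge.login_records is true; 0 disables the startup purge.</description>` would let an operator configure it without reading the source.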