RANGER-1099 : keyadmin user is not able to create service/repo using public apis

Signed-off-by: Velmurugan Periasamy <v...@apache.org>
(cherry picked from commit 7bc2f89e25b656ca9e80d41d6f4cb1531350f502)


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/c3a2b50c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/c3a2b50c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/c3a2b50c

Branch: refs/heads/ranger-0.6
Commit: c3a2b50c4d62987b101735087df40f7de97075de
Parents: 115f9d4
Author: Ankita Sinha <ankita.si...@freestoneinfotech.com>
Authored: Wed Jul 13 15:24:17 2016 +0530
Committer: Madhan Neethiraj <mad...@apache.org>
Committed: Mon Jan 2 23:35:57 2017 -0800

----------------------------------------------------------------------
 .../main/java/org/apache/ranger/rest/ServiceREST.java  | 13 +++++++++++--
 .../security/context/RangerPreAuthSecurityHandler.java |  2 +-
 2 files changed, 12 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c3a2b50c/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git 
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index b550c17..bd98e67 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -455,15 +455,24 @@ public class ServiceREST {
                        validator.validate(service, Action.CREATE);
 
                        UserSessionBase session = 
ContextUtil.getCurrentUserSession();
+                       XXServiceDef xxServiceDef = 
daoManager.getXXServiceDef().findByName(service.getType());
                        if(session != null && !session.isSpnegoEnabled()){
                                bizUtil.hasAdminPermissions("Services");
 
                                // TODO: As of now we are allowing SYS_ADMIN to 
create all the
                                // services including KMS
-
-                               XXServiceDef xxServiceDef = 
daoManager.getXXServiceDef().findByName(service.getType());
                                bizUtil.hasKMSPermissions("Service", 
xxServiceDef.getImplclassname());
                        }
+                       if(session != null && session.isSpnegoEnabled()){
+                               if (session.isKeyAdmin() && 
!xxServiceDef.getImplclassname().equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME))
 {
+                                       throw 
restErrorUtil.createRESTException("KeyAdmin can create/update/delete only KMS ",
+                                                       
MessageEnums.OPER_NO_PERMISSION);
+                               }
+                               if ((!session.isKeyAdmin() && 
!session.isUserAdmin()) && 
xxServiceDef.getImplclassname().equals(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME))
 {
+                                       throw 
restErrorUtil.createRESTException("User cannot create/update/delete KMS 
Service",
+                                                       
MessageEnums.OPER_NO_PERMISSION);
+                               }
+                       }
                        ret = svcStore.createService(service);
                } catch(WebApplicationException excp) {
                        throw excp;
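Review bot: The `xxServiceDef` lookup now runs before either session branch, and the new SPNEGO branch dereferences it twice (`xxServiceDef.getImplclassname().equals(...)`) without a null check, so an unknown `service.getType()` or a service def with no impl class name surfaces as a NullPointerException instead of a clean 4xx; whether `validator.validate(service, Action.CREATE)` already rules that out is not visible in this hunk. I would reject the missing def explicitly, e.g. `if (xxServiceDef == null) { throw restErrorUtil.createRESTException("Service definition not found: " + service.getType(), MessageEnums.OPER_NO_PERMISSION); }` right after the lookup, and write the comparisons null-safely as `EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xxServiceDef.getImplclassname())`. The two branches also encode the KMS rule twice, once through `bizUtil.hasKMSPermissions` and once inline; if `hasKMSPermissions` expresses the same policy, calling it from the SPNEGO branch too would keep the two paths from diverging. Note that the SPNEGO branch still never calls `bizUtil.hasAdminPermissions("Services")`, so a SPNEGO-authenticated session that is neither keyadmin nor useradmin can create any non-KMS service; if that is intended, a comment saying so would help the next reader. The enclosing `createService` method begins and ends outside this hunk.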

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c3a2b50c/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
----------------------------------------------------------------------
diff --git 
a/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
 
b/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
index 899d866..fe225c7 100644
--- 
a/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
+++ 
b/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
@@ -97,7 +97,7 @@ public class RangerPreAuthSecurityHandler {
                UserSessionBase userSession = 
ContextUtil.getCurrentUserSession();
                if (userSession != null && userSession.isSpnegoEnabled()) {
                        return true;
-               }else if(userSession != null && userSession.isUserAdmin()){
+               }else if(userSession != null && (userSession.isUserAdmin() || 
userSession.isKeyAdmin())){
                        return true;
                }
                throw 
restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is 
not allowed to access the API", true);
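Review bot: This method is a shared pre-authorization gate, and the new `userSession.isKeyAdmin()` clause admits keyadmin sessions to every API that routes through it, not only to the service create/update/delete paths where ServiceREST now enforces the KMS-only restriction; the method's name and its callers are outside the hunk, so I cannot confirm from here that no other endpoint relies on this check for useradmin-only access. A short comment on the new line would make the division of responsibility explicit, e.g. `// keyadmin is admitted here; the KMS-only restriction is enforced per service in ServiceREST`. Please also confirm that every endpoint guarded by this method has an equivalent resource-level check for keyadmin. The enclosing method starts outside this hunk.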
