[ranger] branch master updated: RANGER-4070: Provide mechanism to manage potentially multiple enrichment of an access request
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new df0a778cb RANGER-4070: Provide mechanism to manage potentially multiple enrichment of an access request df0a778cb is described below commit df0a778cb7d14e896c7cc88a4b720645d89668c5 Author: Abhay Kulkarni AuthorDate: Sat Feb 4 22:09:42 2023 -0800 RANGER-4070: Provide mechanism to manage potentially multiple enrichment of an access request --- .../plugin/service/RangerDefaultRequestProcessor.java | 5 + .../ranger/plugin/util/RangerAccessRequestUtil.java | 19 --- 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java index 636d09038..80d27e8e8 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerDefaultRequestProcessor.java @@ -48,6 +48,11 @@ public class RangerDefaultRequestProcessor implements RangerAccessRequestProcess @Override public void preProcess(RangerAccessRequest request) { +if (RangerAccessRequestUtil.getIsRequestPreprocessed(request.getContext())) { +return; +} +RangerAccessRequestUtil.setIsRequestPreprocessed(request.getContext(), Boolean.TRUE); + setResourceServiceDef(request); RangerAccessRequestImpl reqImpl = null; diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java index 05d9a6007..0ebb9cba5 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java 
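Review bot: The preprocessed flag is set at the top of `preProcess` in RangerDefaultRequestProcessor.java, before any of the enrichment below it has run, so if a later step throws, the request stays marked as preprocessed and the next call returns early on a partially enriched request. Since the values set here presumably feed policy evaluation, consider moving `RangerAccessRequestUtil.setIsRequestPreprocessed(request.getContext(), Boolean.TRUE);` to the end of the method, or clearing the flag on failure. Both new calls also pass `request.getContext()` straight into helpers that dereference it; whether it can be null is not visible here. The method body continues outside the hunk.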
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerAccessRequestUtil.java @@ -47,6 +47,7 @@ public class RangerAccessRequestUtil { public static final String KEY_CONTEXT_ACCESSTYPES = "ACCESSTYPES"; public static final String KEY_CONTEXT_IS_ANY_ACCESS = "ISANYACCESS"; public static final String KEY_CONTEXT_REQUEST = "_REQUEST"; + public static final String KEY_CONTEXT_IS_REQUEST_PREPROCESSED = "ISREQUESTPREPROCESSED"; public static void setRequestTagsInContext(Map context, Set tags) { if(CollectionUtils.isEmpty(tags)) { @@ -131,6 +132,9 @@ public class RangerAccessRequestUtil { ret.remove(KEY_CONTEXT_TAG_OBJECT); ret.remove(KEY_CONTEXT_RESOURCE); ret.remove(KEY_CONTEXT_REQUEST); + ret.remove(KEY_CONTEXT_ACCESSTYPES); + ret.remove(KEY_CONTEXT_IS_ANY_ACCESS); + ret.remove(KEY_CONTEXT_IS_REQUEST_PREPROCESSED); // don't remove REQUESTED_RESOURCES } @@ -198,9 +202,18 @@ public class RangerAccessRequestUtil { context.put(KEY_CONTEXT_IS_ANY_ACCESS, value); } - public static Boolean getIsAnyAccessInContext(Map context) { - Boolean ret = (Boolean)context.get(KEY_CONTEXT_IS_ANY_ACCESS); - return ret == null ? Boolean.FALSE : ret; + public static boolean getIsAnyAccessInContext(Map context) { + Boolean value = (Boolean)context.get(KEY_CONTEXT_IS_ANY_ACCESS); + return value != null && value; + } + + public static void setIsRequestPreprocessed(Map context, Boolean value) { + context.put(KEY_CONTEXT_IS_REQUEST_PREPROCESSED, value); + } + + public static boolean getIsRequestPreprocessed(Map context) { + Boolean value = (Boolean)context.get(KEY_CONTEXT_IS_REQUEST_PREPROCESSED); + return value != null && value; } public static void setAllRequestedAccessTypes(Map context, Set accessTypes) {
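Review bot: The three `ret.remove(...)` calls added in the @@ -131 hunk of RangerAccessRequestUtil.java carry no explanation, while the one key that is kept has a comment (`// don't remove REQUESTED_RESOURCES`). Removing `KEY_CONTEXT_IS_REQUEST_PREPROCESSED` is presumably what lets a copied context be preprocessed again, and dropping `KEY_CONTEXT_ACCESSTYPES` and `KEY_CONTEXT_IS_ANY_ACCESS` is a behaviour change for existing callers that the commit message does not mention. A comment such as `// per-request state: must be recomputed for the copied context` above the three lines would record the intent. The enclosing method starts and ends outside the hunk.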
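Review bot: Changing `getIsAnyAccessInContext` from `Boolean` to `boolean` in the @@ -198 hunk alters the descriptor of a public static method, so code compiled against the previous agents-common jar fails to link (`NoSuchMethodError`) until it is rebuilt; if out-of-tree plugins matter, keep the `Boolean` return type. The rewritten getter and the new `getIsRequestPreprocessed` both cast with `(Boolean)context.get(...)`, which throws `ClassCastException` if another component stored a non-Boolean under the key and `NullPointerException` if `context` is null. `return Boolean.TRUE.equals(context.get(KEY_CONTEXT_IS_REQUEST_PREPROCESSED));` avoids the cast, and the flag gates whether a request is enriched at all, so a fail-safe read is worth having. The new public methods have no Javadoc.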
[ranger] branch master updated: RANGER-4057: updated resetCache() APIs to handle invalid service-name with status code 400
This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 380ca0bd0 RANGER-4057: updated resetCache() APIs to handle invalid service-name with status code 400 380ca0bd0 is described below commit 380ca0bd03a181a1b2b750f27bd1446724ab70f0 Author: Ramachandran Krishnan AuthorDate: Tue Jan 24 11:12:33 2023 +0530 RANGER-4057: updated resetCache() APIs to handle invalid service-name with status code 400 Signed-off-by: Madhan Neethiraj --- .../java/org/apache/ranger/rest/ServiceREST.java | 12 - .../main/java/org/apache/ranger/rest/TagREST.java | 12 - .../org/apache/ranger/rest/TestServiceREST.java| 57 +- .../java/org/apache/ranger/rest/TestTagREST.java | 46 + 4 files changed, 124 insertions(+), 3 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java index ec02f47f7..e02b0ea42 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
@@ -2004,13 +2004,23 @@ public class ServiceREST { throw restErrorUtil.createRESTException("Required parameter [serviceName] is missing.", MessageEnums.INVALID_INPUT_DATA); } + RangerService rangerService = null; + try { + rangerService = svcStore.getServiceByName(serviceName); + } catch (Exception e) { + LOG.error( HttpServletResponse.SC_BAD_REQUEST + "No Service Found for ServiceName:" + serviceName ); + } + + if (rangerService == null) { + throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "Invalid service name", true); + } + // check for ADMIN access if (!bizUtil.isAdmin()) { boolean isServiceAdmin = false; String loggedInUser = bizUtil.getCurrentUserLoginId(); try { -RangerService rangerService = svcStore.getServiceByName(serviceName); isServiceAdmin = bizUtil.isUserServiceAdmin(rangerService, loggedInUser); } catch (Exception e) { LOG.warn("Failed to find if user [" + loggedInUser + "] has service admin privileges on service [" + serviceName + "]", e); diff --git a/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java b/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java index 443188f9a..6d0019f70 100644 --- a/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java 
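Review bot: In the ServiceREST.java hunk the new service lookup runs before the `// check for ADMIN access` block, so a caller who is neither admin nor service admin now gets `400 Invalid service name` for an unknown name and, presumably, the authorization failure for a known one, which reveals which service names exist to users with no rights on them. Returning the same authorization error to non-admin callers when the service is missing would close that gap. The catch block also turns every exception from `svcStore.getServiceByName` (a store outage included) into a 400, drops the stack trace, and logs `400No Service Found…` with the caller-supplied name unescaped; `LOG.error("Failed to look up service [" + serviceName + "]", e);` keeps the cause. The same code is added to TagREST.java in the next hunk. The enclosing method starts and ends outside the hunk.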
@@ -623,13 +623,23 @@ public class TagREST { throw restErrorUtil.createRESTException("Required parameter [serviceName] is missing.", MessageEnums.INVALID_INPUT_DATA); } +RangerService rangerService = null; +try { +rangerService = svcStore.getServiceByName(serviceName); +} catch (Exception e) { +LOG.error( HttpServletResponse.SC_BAD_REQUEST + "No Service Found for ServiceName:" + serviceName ); +} + +if (rangerService == null) { +throw restErrorUtil.createRESTException(HttpServletResponse.SC_BAD_REQUEST , "Invalid service name", true); +} + // check for ADMIN access if (!bizUtil.isAdmin()) { boolean isServiceAdmin = false; String loggedInUser = bizUtil.getCurrentUserLoginId(); try { -RangerService rangerService = svcStore.getServiceByName(serviceName); isServiceAdmin = bizUtil.isUserServiceAdmin(rangerService, loggedInUser); } catch (Exception e) { LOG.warn("Failed to find if user [" + loggedInUser + "] has service admin privileges on service [" + serviceName + "]", e); diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java index 8fdcc43c8..5e3b1908d 100644 --- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java +++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java @@ -2311,13 +2311,22 @@ public class TestServiceREST { } @Test - public void test67ResetPolicyCache(){ + public void test67ResetPolicyCacheForAdmin(){ boolean res = true; String serviceName = "HDFS_1"; Mockito.when(bizUtil.isAdmin()).thenReturn(true); + RangerService rangerService = rangerService(); + try { + Mockito.when(svcStore.getService
[ranger] branch ranger-2.4 updated: RANGER-4055: updated to require user's firstName to be non-empty
This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch ranger-2.4 in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/ranger-2.4 by this push: new 24e743b1d RANGER-4055: updated to require user's firstName to be non-empty 24e743b1d is described below commit 24e743b1d659224f6700c331500c4f894f5c7f4d Author: Ramachandran Krishnan AuthorDate: Fri Feb 3 17:06:28 2023 +0530 RANGER-4055: updated to require user's firstName to be non-empty Signed-off-by: Madhan Neethiraj (cherry picked from commit 08c4cf37639109e44b12b969ae13d36dcd29ff85) --- .../main/java/org/apache/ranger/biz/XUserMgr.java | 22 .../java/org/apache/ranger/biz/TestXUserMgr.java | 59 ++ 2 files changed, 72 insertions(+), 9 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index c5a697995..2955bd513 100755 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java @@ -193,6 +193,7 @@ public class XUserMgr extends XUserMgrBase { xaBizUtil.blockAuditorRoleUser(); validatePassword(vXUser); String userName = vXUser.getName(); + String firstName = vXUser.getFirstName(); if (userName == null || "null".equalsIgnoreCase(userName) || userName.trim().isEmpty()) { throw restErrorUtil.createRESTException( @@ -200,6 +201,13 @@ public class XUserMgr extends XUserMgrBase { MessageEnums.INVALID_INPUT_DATA); } + if (firstName == null || "null".equalsIgnoreCase(firstName) + || firstName.trim().isEmpty()) { + throw restErrorUtil.createRESTException( + "Please provide a valid first name.", + MessageEnums.INVALID_INPUT_DATA); + } + if (vXUser.getDescription() == null) { vXUser.setDescription(vXUser.getName()); } 
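Review bot: The first-name check added in the @@ -200 hunk of XUserMgr.java is repeated verbatim in the @@ -386 and @@ -2606 hunks (and in the identical master commit 08c4cf376 further down the page), alongside the existing username checks of the same shape. A private helper, for example `private static boolean isBlankOrNullLiteral(String value)`, would keep the rule in one place so the create, update and bulk paths cannot drift apart. The `"null".equalsIgnoreCase(firstName)` clause also rejects a user whose first name really is "Null"; if it is meant to catch clients that serialise a missing value as the string "null", a comment should say so. The enclosing method starts and ends outside the hunk.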
@@ -386,6 +394,12 @@ public class XUserMgr extends XUserMgrBase { throw restErrorUtil.createRESTException("Please provide a valid " + "username.", MessageEnums.INVALID_INPUT_DATA); } + String firstName = vXUser.getFirstName(); + if (firstName == null || "null".equalsIgnoreCase(firstName) + || firstName.trim().isEmpty()) { + throw restErrorUtil.createRESTException("Please provide a valid first name.", MessageEnums.INVALID_INPUT_DATA); + } + checkAccess(vXUser.getName()); xaBizUtil.blockAuditorRoleUser(); VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser @@ -2606,6 +2620,14 @@ public class XUserMgr extends XUserMgrBase { logger.warn("Ignoring invalid username " + vXUser==null? null : vXUser.getName()); continue; } + + String firstName = vXUser.getFirstName(); + if (firstName == null || "null".equalsIgnoreCase(firstName) + || firstName.trim().isEmpty()) { + logger.warn("Ignoring invalid first name " + vXUser == null ? null : vXUser.getFirstName()); + continue; + } + checkAccess(vXUser.getName()); TransactionTemplate txTemplate = new TransactionTemplate(txManager); txTemplate.setPropagationBehavior(TransactionDefinition.PROPAGATION_REQUIRES_NEW); diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java index 4c1e2e797..027c3b103 100644 --- a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java @@ -663,8 +663,7 @@ public class TestXUserMgr { vxUser.setName(null); Mockito.when(restErrorUtil.createRESTException("Please provide a valid username.",MessageEnums.INVALID_INPUT_DATA)).thenThrow(new WebApplicationException()); thrown.expect(WebApplicationException.class); - VXUser vXUser=xUserMgr.createXUser(vxUser); - Assert.assertNull(vXUser); + xUserMgr.createXUser(vxUser); } @Test @@ -681,8 +680,33 @@ public class TestXUserMgr { xUserMgr.createXUser(vxUser); } +
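Review bot: The added `logger.warn("Ignoring invalid first name " + vXUser == null ? null : vXUser.getFirstName());` in the @@ -2606 hunk does not log what it appears to: `+` binds tighter than `==`, so the condition is `("Ignoring invalid first name " + vXUser) == null`, which is always false, and the call logs only the (blank) first name with no prefix. The `vXUser == null` test is also dead, because `vXUser.getFirstName()` has already been called a few lines earlier. `logger.warn("Ignoring user [" + vXUser.getName() + "]: first name is missing");` would record which entry was skipped, which matters when a silently dropped user later shows up as a missing account. The username warning in the context lines just above has the same precedence problem, and the same line is added in the master commit's @@ -2626 hunk. The loop body continues outside the hunk.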
[ranger] branch master updated: RANGER-4055: updated to require user's firstName to be non-empty
This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new 08c4cf376 RANGER-4055: updated to require user's firstName to be non-empty 08c4cf376 is described below commit 08c4cf37639109e44b12b969ae13d36dcd29ff85 Author: Ramachandran Krishnan AuthorDate: Fri Feb 3 17:06:28 2023 +0530 RANGER-4055: updated to require user's firstName to be non-empty Signed-off-by: Madhan Neethiraj --- .../main/java/org/apache/ranger/biz/XUserMgr.java | 22 .../java/org/apache/ranger/biz/TestXUserMgr.java | 59 ++ 2 files changed, 72 insertions(+), 9 deletions(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index 0a03da567..bbbf90c52 100755 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java @@ -193,6 +193,7 @@ public class XUserMgr extends XUserMgrBase { xaBizUtil.blockAuditorRoleUser(); validatePassword(vXUser); String userName = vXUser.getName(); + String firstName = vXUser.getFirstName(); if (userName == null || "null".equalsIgnoreCase(userName) || userName.trim().isEmpty()) { throw restErrorUtil.createRESTException( @@ -200,6 +201,13 @@ public class XUserMgr extends XUserMgrBase { MessageEnums.INVALID_INPUT_DATA); } + if (firstName == null || "null".equalsIgnoreCase(firstName) + || firstName.trim().isEmpty()) { + throw restErrorUtil.createRESTException( + "Please provide a valid first name.", + MessageEnums.INVALID_INPUT_DATA); + } + if (vXUser.getDescription() == null) { vXUser.setDescription(vXUser.getName()); } 
@@ -386,6 +394,12 @@ public class XUserMgr extends XUserMgrBase { throw restErrorUtil.createRESTException("Please provide a valid " + "username.", MessageEnums.INVALID_INPUT_DATA); } + String firstName = vXUser.getFirstName(); + if (firstName == null || "null".equalsIgnoreCase(firstName) + || firstName.trim().isEmpty()) { + throw restErrorUtil.createRESTException("Please provide a valid first name.", MessageEnums.INVALID_INPUT_DATA); + } + checkAccess(vXUser.getName()); xaBizUtil.blockAuditorRoleUser(); VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser @@ -2626,6 +2640,14 @@ public class XUserMgr extends XUserMgrBase { logger.warn("Ignoring invalid username " + vXUser==null? null : vXUser.getName()); continue; } + + String firstName = vXUser.getFirstName(); + if (firstName == null || "null".equalsIgnoreCase(firstName) + || firstName.trim().isEmpty()) { + logger.warn("Ignoring invalid first name " + vXUser == null ? null : vXUser.getFirstName()); + continue; + } + checkAccess(vXUser.getName()); TransactionTemplate txTemplate = new TransactionTemplate(txManager); txTemplate.setPropagationBehavior(TransactionDefinition.PROPAGATION_REQUIRES_NEW); diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java index 871857bbf..528f4e511 100644 --- a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java @@ -663,8 +663,7 @@ public class TestXUserMgr { vxUser.setName(null); Mockito.when(restErrorUtil.createRESTException("Please provide a valid username.",MessageEnums.INVALID_INPUT_DATA)).thenThrow(new WebApplicationException()); thrown.expect(WebApplicationException.class); - VXUser vXUser=xUserMgr.createXUser(vxUser); - Assert.assertNull(vXUser); + xUserMgr.createXUser(vxUser); } @Test 
@@ -681,8 +680,33 @@ public class TestXUserMgr { xUserMgr.createXUser(vxUser); } + @Test + public void testCreateXUser_WithBlankFirstName() { +
[ranger] branch master updated: RANGER-4069: Add performance tracing instrumentation to Tag Enricher
This is an automated email from the ASF dual-hosted git repository. abhay pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git The following commit(s) were added to refs/heads/master by this push: new f9bfc90fb RANGER-4069: Add performance tracing instrumentation to Tag Enricher f9bfc90fb is described below commit f9bfc90fb53f06a752f4190e20be337ed70ec657 Author: Abhay Kulkarni AuthorDate: Sat Feb 4 11:25:16 2023 -0800 RANGER-4069: Add performance tracing instrumentation to Tag Enricher --- .../apache/ranger/plugin/contextenricher/RangerTagEnricher.java | 9 + 1 file changed, 9 insertions(+) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java index da06e4161..bbea4cec6 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java @@ -75,6 +75,7 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { private static final Logger PERF_CONTEXTENRICHER_INIT_LOG = RangerPerfTracer.getPerfLogger("contextenricher.init"); private static final Logger PERF_TRIE_OP_LOG = RangerPerfTracer.getPerfLogger("resourcetrie.retrieval"); private static final Logger PERF_SET_SERVICETAGS_LOG = RangerPerfTracer.getPerfLogger("tagenricher.setservicetags"); + private static final Logger PERF_SERVICETAGS_RETRIEVAL_LOG = RangerPerfTracer.getPerfLogger("tagenricher.tags.retrieval"); private static final String TAG_REFRESHER_POLLINGINTERVAL_OPTION = "tagRefresherPollingInterval"; 
@@ -665,6 +666,12 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { RangerAccessResource resource = request.getResource(); + RangerPerfTracer perf = null; + + if (RangerPerfTracer.isPerfTraceEnabled(PERF_SERVICETAGS_RETRIEVAL_LOG)) { + perf = RangerPerfTracer.getPerfTracer(PERF_SERVICETAGS_RETRIEVAL_LOG, "RangerTagEnricher.findMatchingTags=" + resource.getAsString() + ")"); + } + if ((resource == null || resource.getKeys() == null || resource.getKeys().isEmpty()) && request.isAccessTypeAny()) { ret = enrichedServiceTags.getTagsForEmptyResourceAndAnyAccess(); } else { @@ -698,6 +705,8 @@ public class RangerTagEnricher extends RangerAbstractContextEnricher { } } + RangerPerfTracer.logAlways(perf); + if (CollectionUtils.isEmpty(ret)) { if (LOG.isDebugEnabled()) { LOG.debug("RangerTagEnricher.findMatchingTags(" + resource + ") - No tags Found ");
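Review bot: The tracer setup added in the @@ -665 hunk calls `resource.getAsString()` one statement before the existing `resource == null` check, so with the `tagenricher.tags.retrieval` perf logger enabled a request without a resource now throws `NullPointerException` instead of reaching `getTagsForEmptyResourceAndAnyAccess()`. Guard the argument, for example `(resource != null ? resource.getAsString() : null)`, so that turning on tracing cannot change the outcome of an access check. The tag string also has an unbalanced parenthesis (`"RangerTagEnricher.findMatchingTags="` followed by `")"`); `"RangerTagEnricher.findMatchingTags(resource="` would match the closing one. The matching `RangerPerfTracer.logAlways(perf);` in the next hunk is not in a `finally`, so an exception in between loses the trace. The method starts and ends outside the hunk.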