Search in sources :

Example 11 with RESTResponse

use of org.apache.ranger.admin.client.datatype.RESTResponse in project ranger by apache.

the class ServiceREST method secureRevokeAccess.

@POST
@Path("/secure/services/revoke/{serviceName}")
@Produces({ "application/json", "application/xml" })
public RESTResponse secureRevokeAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest revokeRequest, @Context HttpServletRequest request) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.secureRevokeAccess(" + serviceName + ", " + revokeRequest + ")");
    }
    RESTResponse ret = new RESTResponse();
    RangerPerfTracer perf = null;
    if (revokeRequest != null) {
        if (serviceUtil.isValidService(serviceName, request)) {
            try {
                if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
                    perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.secureRevokeAccess(serviceName=" + serviceName + ")");
                }
                validateGrantRevokeRequest(revokeRequest);
                String userName = revokeRequest.getGrantor();
                Set<String> userGroups = CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups()) ? revokeRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
                RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()));
                boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
                boolean isAllowed = false;
                boolean isKeyAdmin = bizUtil.isKeyAdmin();
                bizUtil.blockAuditorRoleUser();
                XXService xService = daoManager.getXXService().findByName(serviceName);
                XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
                RangerService rangerService = svcStore.getServiceByName(serviceName);
                if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
                    if (isKeyAdmin) {
                        isAllowed = true;
                    } else {
                        isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName);
                    }
                } else {
                    if (isAdmin) {
                        isAllowed = true;
                    } else {
                        isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName);
                    }
                }
                if (isAllowed) {
                    RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, userName);
                    if (policy != null) {
                        boolean policyUpdated = false;
                        policyUpdated = ServiceRESTUtil.processRevokeRequest(policy, revokeRequest);
                        if (policyUpdated) {
                            svcStore.updatePolicy(policy);
                        } else {
                            LOG.error("processSecureRevokeRequest processing failed");
                            throw new Exception("processSecureRevokeRequest processing failed");
                        }
                    }
                } else {
                    LOG.error("secureRevokeAccess(" + serviceName + ", " + revokeRequest + ") failed as User doesn't have permission to revoke Policy");
                    throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to revoke access");
                }
            } catch (WebApplicationException excp) {
                throw excp;
            } catch (Throwable excp) {
                LOG.error("secureRevokeAccess(" + serviceName + ", " + revokeRequest + ") failed", excp);
                throw restErrorUtil.createRESTException(excp.getMessage());
            } finally {
                RangerPerfTracer.log(perf);
            }
            ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.secureRevokeAccess(" + serviceName + ", " + revokeRequest + "): " + ret);
    }
    return ret;
}
Also used : XXServiceDef(org.apache.ranger.entity.XXServiceDef) WebApplicationException(javax.ws.rs.WebApplicationException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) VXString(org.apache.ranger.view.VXString) WebApplicationException(javax.ws.rs.WebApplicationException) IOException(java.io.IOException) JsonSyntaxException(com.google.gson.JsonSyntaxException) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl) RESTResponse(org.apache.ranger.admin.client.datatype.RESTResponse) RangerService(org.apache.ranger.plugin.model.RangerService) XXService(org.apache.ranger.entity.XXService) RangerAccessResource(org.apache.ranger.plugin.policyengine.RangerAccessResource) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Produces(javax.ws.rs.Produces)

Example 12 with RESTResponse

use of org.apache.ranger.admin.client.datatype.RESTResponse in project ranger by apache.

the class ServiceREST method revokeAccess.

@POST
@Path("/services/revoke/{serviceName}")
@Produces({ "application/json", "application/xml" })
public RESTResponse revokeAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest revokeRequest, @Context HttpServletRequest request) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.revokeAccess(" + serviceName + ", " + revokeRequest + ")");
    }
    RESTResponse ret = new RESTResponse();
    RangerPerfTracer perf = null;
    if (revokeRequest != null) {
        if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) {
            try {
                if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
                    perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.revokeAccess(serviceName=" + serviceName + ")");
                }
                validateGrantRevokeRequest(revokeRequest);
                String userName = revokeRequest.getGrantor();
                Set<String> userGroups = CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups()) ? revokeRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
                RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()));
                VXUser vxUser = xUserService.getXUserByUserName(userName);
                if (vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) || vxUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) {
                    VXResponse vXResponse = new VXResponse();
                    vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
                    vXResponse.setMsgDesc("Operation" + " denied. LoggedInUser=" + vxUser.getId() + " ,isn't permitted to perform the action.");
                    throw restErrorUtil.generateRESTException(vXResponse);
                }
                boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
                if (!isAdmin) {
                    throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to revoke access");
                }
                RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, userName);
                if (policy != null) {
                    boolean policyUpdated = false;
                    policyUpdated = ServiceRESTUtil.processRevokeRequest(policy, revokeRequest);
                    if (policyUpdated) {
                        svcStore.updatePolicy(policy);
                    } else {
                        LOG.error("processRevokeRequest processing failed");
                        throw new Exception("processRevokeRequest processing failed");
                    }
                }
            } catch (WebApplicationException excp) {
                throw excp;
            } catch (Throwable excp) {
                LOG.error("revokeAccess(" + serviceName + ", " + revokeRequest + ") failed", excp);
                throw restErrorUtil.createRESTException(excp.getMessage());
            } finally {
                RangerPerfTracer.log(perf);
            }
            ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.revokeAccess(" + serviceName + ", " + revokeRequest + "): " + ret);
    }
    return ret;
}
Also used : VXResponse(org.apache.ranger.view.VXResponse) WebApplicationException(javax.ws.rs.WebApplicationException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) VXString(org.apache.ranger.view.VXString) VXUser(org.apache.ranger.view.VXUser) WebApplicationException(javax.ws.rs.WebApplicationException) IOException(java.io.IOException) JsonSyntaxException(com.google.gson.JsonSyntaxException) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl) RESTResponse(org.apache.ranger.admin.client.datatype.RESTResponse) RangerAccessResource(org.apache.ranger.plugin.policyengine.RangerAccessResource) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Produces(javax.ws.rs.Produces)

Example 13 with RESTResponse

use of org.apache.ranger.admin.client.datatype.RESTResponse in project ranger by apache.

the class ServiceREST method secureGrantAccess.

@POST
@Path("/secure/services/grant/{serviceName}")
@Produces({ "application/json", "application/xml" })
public RESTResponse secureGrantAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest grantRequest, @Context HttpServletRequest request) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.secureGrantAccess(" + serviceName + ", " + grantRequest + ")");
    }
    RESTResponse ret = new RESTResponse();
    RangerPerfTracer perf = null;
    boolean isAllowed = false;
    boolean isKeyAdmin = bizUtil.isKeyAdmin();
    bizUtil.blockAuditorRoleUser();
    if (grantRequest != null) {
        if (serviceUtil.isValidService(serviceName, request)) {
            try {
                if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
                    perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.scureGrantAccess(serviceName=" + serviceName + ")");
                }
                validateGrantRevokeRequest(grantRequest);
                String userName = grantRequest.getGrantor();
                Set<String> userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
                RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
                boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
                XXService xService = daoManager.getXXService().findByName(serviceName);
                XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
                RangerService rangerService = svcStore.getServiceByName(serviceName);
                if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
                    if (isKeyAdmin) {
                        isAllowed = true;
                    } else {
                        isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName);
                    }
                } else {
                    if (isAdmin) {
                        isAllowed = true;
                    } else {
                        isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName);
                    }
                }
                if (isAllowed) {
                    RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, userName);
                    if (policy != null) {
                        boolean policyUpdated = false;
                        policyUpdated = ServiceRESTUtil.processGrantRequest(policy, grantRequest);
                        if (policyUpdated) {
                            svcStore.updatePolicy(policy);
                        } else {
                            LOG.error("processSecureGrantRequest processing failed");
                            throw new Exception("processSecureGrantRequest processing failed");
                        }
                    } else {
                        policy = new RangerPolicy();
                        policy.setService(serviceName);
                        // TODO: better policy name
                        policy.setName("grant-" + System.currentTimeMillis());
                        policy.setDescription("created by grant");
                        policy.setIsAuditEnabled(grantRequest.getEnableAudit());
                        policy.setCreatedBy(userName);
                        Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>();
                        Set<String> resourceNames = resource.getKeys();
                        if (!CollectionUtils.isEmpty(resourceNames)) {
                            for (String resourceName : resourceNames) {
                                RangerPolicyResource policyResource = new RangerPolicyResource((String) resource.getValue(resourceName));
                                policyResource.setIsRecursive(grantRequest.getIsRecursive());
                                policyResources.put(resourceName, policyResource);
                            }
                        }
                        policy.setResources(policyResources);
                        RangerPolicyItem policyItem = new RangerPolicyItem();
                        policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin());
                        policyItem.getUsers().addAll(grantRequest.getUsers());
                        policyItem.getGroups().addAll(grantRequest.getGroups());
                        for (String accessType : grantRequest.getAccessTypes()) {
                            policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE));
                        }
                        policy.getPolicyItems().add(policyItem);
                        svcStore.createPolicy(policy);
                    }
                } else {
                    LOG.error("secureGrantAccess(" + serviceName + ", " + grantRequest + ") failed as User doesn't have permission to grant Policy");
                    throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to grant access");
                }
            } catch (WebApplicationException excp) {
                throw excp;
            } catch (Throwable excp) {
                LOG.error("secureGrantAccess(" + serviceName + ", " + grantRequest + ") failed", excp);
                throw restErrorUtil.createRESTException(excp.getMessage());
            } finally {
                RangerPerfTracer.log(perf);
            }
            ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.secureGrantAccess(" + serviceName + ", " + grantRequest + "): " + ret);
    }
    return ret;
}
Also used : XXServiceDef(org.apache.ranger.entity.XXServiceDef) WebApplicationException(javax.ws.rs.WebApplicationException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) LinkedHashMap(java.util.LinkedHashMap) HashMap(java.util.HashMap) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) VXString(org.apache.ranger.view.VXString) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) WebApplicationException(javax.ws.rs.WebApplicationException) IOException(java.io.IOException) JsonSyntaxException(com.google.gson.JsonSyntaxException) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl) RESTResponse(org.apache.ranger.admin.client.datatype.RESTResponse) RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) RangerService(org.apache.ranger.plugin.model.RangerService) XXService(org.apache.ranger.entity.XXService) RangerAccessResource(org.apache.ranger.plugin.policyengine.RangerAccessResource) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Produces(javax.ws.rs.Produces)

Example 14 with RESTResponse

use of org.apache.ranger.admin.client.datatype.RESTResponse in project ranger by apache.

the class RangerAdminRESTClient method revokeAccess.

@Override
public void revokeAccess(final GrantRevokeRequest request) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerAdminRESTClient.revokeAccess(" + request + ")");
    }
    ClientResponse response = null;
    UserGroupInformation user = MiscUtil.getUGILoginUser();
    boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
    if (isSecureMode) {
        PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {

            public ClientResponse run() {
                WebResource secureWebResource = createWebResource(RangerRESTUtils.REST_URL_SECURE_SERVICE_REVOKE_ACCESS + serviceName).queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
                return secureWebResource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).type(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).post(ClientResponse.class, restClient.toJson(request));
            }
        };
        if (LOG.isDebugEnabled()) {
            LOG.debug("revokeAccess as user " + user);
        }
        response = user.doAs(action);
    } else {
        WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_SERVICE_REVOKE_ACCESS + serviceName).queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
        response = webResource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).type(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).post(ClientResponse.class, restClient.toJson(request));
    }
    if (response != null && response.getStatus() != HttpServletResponse.SC_OK) {
        RESTResponse resp = RESTResponse.fromClientResponse(response);
        LOG.error("revokeAccess() failed: HTTP status=" + response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" + isSecureMode + (isSecureMode ? (", user=" + user) : ""));
        if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) {
            throw new AccessControlException();
        }
        throw new Exception("HTTP " + response.getStatus() + " Error: " + resp.getMessage());
    } else if (response == null) {
        throw new Exception("unknown error. revokeAccess(). serviceName=" + serviceName);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerAdminRESTClient.revokeAccess(" + request + ")");
    }
}
Also used : ClientResponse(com.sun.jersey.api.client.ClientResponse) PrivilegedAction(java.security.PrivilegedAction) RESTResponse(org.apache.ranger.admin.client.datatype.RESTResponse) WebResource(com.sun.jersey.api.client.WebResource) AccessControlException(org.apache.hadoop.security.AccessControlException) AccessControlException(org.apache.hadoop.security.AccessControlException) RangerServiceNotFoundException(org.apache.ranger.plugin.util.RangerServiceNotFoundException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 15 with RESTResponse

use of org.apache.ranger.admin.client.datatype.RESTResponse in project ranger by apache.

the class RangerAdminRESTClient method getTagTypes.

@Override
public List<String> getTagTypes(String pattern) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerAdminRESTClient.getTagTypes(" + pattern + "): ");
    }
    List<String> ret = null;
    String emptyString = "";
    UserGroupInformation user = MiscUtil.getUGILoginUser();
    boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
    final WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_LOOKUP_TAG_NAMES).queryParam(RangerRESTUtils.SERVICE_NAME_PARAM, serviceName).queryParam(RangerRESTUtils.PATTERN_PARAM, pattern);
    ClientResponse response = null;
    if (isSecureMode) {
        PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {

            public ClientResponse run() {
                return webResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
            }
        };
        if (LOG.isDebugEnabled()) {
            LOG.debug("getTagTypes as user " + user);
        }
        response = user.doAs(action);
    } else {
        response = webResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
    }
    if (response != null && response.getStatus() == HttpServletResponse.SC_OK) {
        ret = response.getEntity(getGenericType(emptyString));
    } else {
        RESTResponse resp = RESTResponse.fromClientResponse(response);
        LOG.error("Error getting tags. request=" + webResource + ", response=" + resp + ", serviceName=" + serviceName + ", " + "pattern=" + pattern);
        throw new Exception(resp.getMessage());
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerAdminRESTClient.getTagTypes(" + pattern + "): " + ret);
    }
    return ret;
}
Also used : ClientResponse(com.sun.jersey.api.client.ClientResponse) PrivilegedAction(java.security.PrivilegedAction) RESTResponse(org.apache.ranger.admin.client.datatype.RESTResponse) WebResource(com.sun.jersey.api.client.WebResource) AccessControlException(org.apache.hadoop.security.AccessControlException) RangerServiceNotFoundException(org.apache.ranger.plugin.util.RangerServiceNotFoundException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Aggregations

RESTResponse (org.apache.ranger.admin.client.datatype.RESTResponse)17 WebApplicationException (javax.ws.rs.WebApplicationException)9 ClientResponse (com.sun.jersey.api.client.ClientResponse)6 WebResource (com.sun.jersey.api.client.WebResource)6 POST (javax.ws.rs.POST)6 Path (javax.ws.rs.Path)6 Produces (javax.ws.rs.Produces)6 RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)6 GrantRevokeRequest (org.apache.ranger.plugin.util.GrantRevokeRequest)6 VXString (org.apache.ranger.view.VXString)6 IOException (java.io.IOException)5 PrivilegedAction (java.security.PrivilegedAction)5 UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)5 JsonSyntaxException (com.google.gson.JsonSyntaxException)4 RangerService (org.apache.ranger.plugin.model.RangerService)4 RangerAccessResource (org.apache.ranger.plugin.policyengine.RangerAccessResource)4 RangerAccessResourceImpl (org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)4 RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)4 Test (org.junit.Test)4 AccessControlException (org.apache.hadoop.security.AccessControlException)3