Usage of org.apache.ranger.common.UserSessionBase in the apache/ranger project: class ServiceDBStore, method getService.
/**
 * Loads a single service by id on behalf of the current user.
 * A REST exception is raised when no user session is bound to the thread
 * or when the session is not allowed to read the requested service; otherwise
 * the populated view object for the entity is returned.
 *
 * @param id database id of the service
 * @return the service as a view object
 * @throws Exception when the session is missing, access is denied, or the
 *         lookup/population fails
 */
@Override
public RangerService getService(Long id) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceDBStore.getService()");
    }
    UserSessionBase currentSession = ContextUtil.getCurrentUserSession();
    // Fail closed: no session means no read, regardless of what the id points at.
    if (currentSession == null) {
        throw restErrorUtil.createRESTException("UserSession cannot be null.", MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
    }
    // NOTE(review): getById presumably returns null for an unknown id; whether
    // hasAccess tolerates a null entity is not visible here -- confirm.
    XXService entity = daoMgr.getXXService().getById(id);
    boolean allowed = bizUtil.hasAccess(entity, null);
    if (!allowed) {
        throw restErrorUtil.createRESTException("Logged in user is not allowed to read service, id: " + id, MessageEnums.OPER_NO_PERMISSION);
    }
    return svcService.getPopulatedViewObject(entity);
}
Usage of org.apache.ranger.common.UserSessionBase in the apache/ranger project: class ServiceREST, method createService.
/**
 * REST entry point that creates a new service.
 * Flow: the service is validated for {@code Action.CREATE}, the caller's
 * authorization is checked against the current {@link UserSessionBase} and the
 * implementation class of the target service definition, users holding the
 * auditor role are blocked, and the service is persisted through {@code svcStore}.
 * A {@link WebApplicationException} is rethrown unchanged; any other throwable
 * is logged and converted into a REST exception carrying its message.
 *
 * @param service the service to create; its type selects the service definition
 * @return the created service as returned by the store
 */
@POST
@Path("/services")
@Produces({ "application/json", "application/xml" })
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_SERVICE + "\")")
public RangerService createService(RangerService service) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.createService(" + service + ")");
    }
    RangerService ret = null;
    RangerPerfTracer perf = null;
    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createService(serviceName=" + service.getName() + ")");
        }
        // Input validation runs before any authorization decision is taken.
        RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
        validator.validate(service, Action.CREATE);
        UserSessionBase session = ContextUtil.getCurrentUserSession();
        // NOTE(review): findByName may yield null for an unknown type, which would
        // NPE at getImplclassname() below (caught by the Throwable handler);
        // presumably validate() rejects unknown types first -- confirm.
        XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(service.getType());
        // Non-SPNEGO session: require admin rights, then KMS-specific rights.
        if (session != null && !session.isSpnegoEnabled()) {
            bizUtil.hasAdminPermissions("Services");
            // TODO: As of now we are allowing SYS_ADMIN to create all the
            // services including KMS
            bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
        }
        // SPNEGO session: a KeyAdmin may only touch KMS; KMS itself needs KeyAdmin or UserAdmin.
        if (session != null && session.isSpnegoEnabled()) {
            if (session.isKeyAdmin() && !EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xxServiceDef.getImplclassname())) {
                throw restErrorUtil.createRESTException("KeyAdmin can create/update/delete only KMS ", MessageEnums.OPER_NO_PERMISSION);
            }
            if ((!session.isKeyAdmin() && !session.isUserAdmin()) && EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xxServiceDef.getImplclassname())) {
                throw restErrorUtil.createRESTException("User cannot create/update/delete KMS Service", MessageEnums.OPER_NO_PERMISSION);
            }
        }
        // NOTE(review): with a null session neither branch above runs, so no
        // admin/KMS check precedes the store call; ServiceDBStore.getService
        // treats a null session as an error -- confirm this endpoint cannot be
        // reached without one, or fail closed here in the same way.
        bizUtil.blockAuditorRoleUser();
        ret = svcStore.createService(service);
    } catch (WebApplicationException excp) {
        // Presumably already a REST-shaped failure (e.g. from the checks above); pass through.
        throw excp;
    } catch (Throwable excp) {
        LOG.error("createService(" + service + ") failed", excp);
        // NOTE(review): the raw exception message is returned to the client;
        // confirm lower layers do not put internal detail into their messages.
        throw restErrorUtil.createRESTException(excp.getMessage());
    } finally {
        // Always close the perf trace, even on failure (log tolerates a null tracer here).
        RangerPerfTracer.log(perf);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.createService(" + service + "): " + ret);
    }
    return ret;
}
Usage of org.apache.ranger.common.UserSessionBase in the apache/ranger project: class RangerSecurityContextFormationFilter, method doFilter.
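/**
 * Binds a {@link RangerSecurityContext} to the current thread for every
 * non-anonymous request, sets defensive response headers, and continues the
 * chain. The context is taken from the HTTP session when one exists (a fresh
 * one is built otherwise), filled with request details (client IP, user agent,
 * device type, a generated request id, request URI, client time offset) and
 * with the user session returned by {@code sessionMgr.processSuccessLogin}.
 * The thread-local context is cleared in {@code finally}, so a pooled thread
 * never carries one user's session into the next request.
 *
 * @param request  incoming request; cast to {@link HttpServletRequest}
 * @param response outgoing response; cast to {@link HttpServletResponse}
 * @param chain    remaining filter chain
 * @throws IOException      propagated from the chain
 * @throws ServletException propagated from the chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    try {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!(auth instanceof AnonymousAuthenticationToken)) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            // getSession(false) never creates a session, so this can be null.
            HttpSession httpSession = httpRequest.getSession(false);
            // [1] reuse the context cached in the session, if there is one
            RangerSecurityContext context = null;
            if (httpSession != null) {
                context = (RangerSecurityContext) httpSession.getAttribute(AKA_SC_SESSION_KEY);
            }
            if (context == null) {
                context = new RangerSecurityContext();
                // Cache the context only when a session exists; the earlier
                // unconditional setAttribute dereferenced a null session.
                if (httpSession != null) {
                    httpSession.setAttribute(AKA_SC_SESSION_KEY, context);
                }
            }
            String userAgent = httpRequest.getHeader(USER_AGENT);
            int clientTimeOffset = RestUtil.getTimeOffset(httpRequest);
            // [2] capture request-specific info
            RequestContext requestContext = new RequestContext();
            // testIP, when set, replaces the remote address (presumably a test hook).
            // NOTE(review): getRemoteAddr() is the TCP peer; behind a reverse proxy
            // this is the proxy's address, not the end client's -- confirm intent.
            String reqIP = testIP;
            if (testIP == null) {
                reqIP = httpRequest.getRemoteAddr();
            }
            requestContext.setIpAddress(reqIP);
            requestContext.setUserAgent(userAgent);
            requestContext.setDeviceType(httpUtil.getDeviceType(httpRequest));
            requestContext.setServerRequestId(guidUtil.genGUID());
            requestContext.setRequestURL(httpRequest.getRequestURI());
            requestContext.setClientTimeOffsetInMinute(clientTimeOffset);
            context.setRequestContext(requestContext);
            RangerContextHolder.setSecurityContext(context);
            // [3] resolve the user session; processSuccessLogin may return null
            UserSessionBase userSession = sessionMgr.processSuccessLogin(XXAuthSession.AUTH_TYPE_PASSWORD, userAgent, httpRequest);
            if (userSession != null) {
                // An explicit "ssoEnabled" request attribute wins over the configured default.
                Object ssoEnabledObj = request.getAttribute("ssoEnabled");
                Boolean ssoEnabled = ssoEnabledObj != null ? Boolean.valueOf(String.valueOf(ssoEnabledObj)) : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
                userSession.setSSOEnabled(ssoEnabled);
                // Keep a previously recorded offset; only fill it in when still unset.
                if (userSession.getClientTimeOffsetInMinute() == 0) {
                    userSession.setClientTimeOffsetInMinute(clientTimeOffset);
                }
            }
            context.setUserSession(userSession);
        }
        // Hardening headers go on every response, authenticated or not.
        HttpServletResponse res = (HttpServletResponse) response;
        res.setHeader("X-Frame-Options", "DENY");
        res.setHeader("X-Content-Type-Options", "nosniff");
        res.setHeader("X-XSS-Protection", "1; mode=block");
        res.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
        chain.doFilter(request, res);
    } finally {
        // [4] remove context from thread-local
        RangerContextHolder.resetSecurityContext();
    }
}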
Usage of org.apache.ranger.common.UserSessionBase in the apache/ranger project: class UserService, method mapEntityToViewBean.
/**
 * Copies the persisted user entity into the given view bean.
 * Identity, names, screen name and status are copied as-is; the e-mail
 * address is copied only when present and accepted by {@code stringUtil};
 * the user source is taken from the current session's auth provider when a
 * session is bound; the role list is rebuilt from the user's role rows.
 *
 * @param userProfile view bean to fill (mutated and returned)
 * @param user        persisted user entity
 * @return the same {@code userProfile} instance
 */
@Override
protected VXPortalUser mapEntityToViewBean(VXPortalUser userProfile, XXPortalUser user) {
    userProfile.setId(user.getId());
    userProfile.setLoginId(user.getLoginId());
    userProfile.setFirstName(user.getFirstName());
    userProfile.setLastName(user.getLastName());
    userProfile.setPublicScreenName(user.getPublicScreenName());
    userProfile.setStatus(user.getStatus());
    userProfile.setUserRoleList(new ArrayList<>());
    // A missing or malformed address is simply left unset on the view bean.
    String email = user.getEmailAddress();
    boolean emailAccepted = email != null && stringUtil.validateEmail(email);
    if (emailAccepted) {
        userProfile.setEmailAddress(user.getEmailAddress());
    }
    UserSessionBase currentSession = ContextUtil.getCurrentUserSession();
    if (currentSession != null) {
        userProfile.setUserSource(currentSession.getAuthProvider());
    }
    List<XXPortalUserRole> roleRows = daoManager.getXXPortalUserRole().findByParentId(user.getId());
    for (XXPortalUserRole roleRow : roleRows) {
        userProfile.getUserRoleList().add(roleRow.getUserRole());
    }
    return userProfile;
}
Usage of org.apache.ranger.common.UserSessionBase in the apache/ranger project: class XResourceService, method searchXResources.
/**
 * Searches resources, restricting non-admin users to the resources on which
 * they hold ADMIN permission. Admin users get the unfiltered superclass
 * search; everyone else gets the full match set fetched, filtered in memory
 * through {@code xaBizUtil.hasPermission}, and paged by hand using the
 * originally requested start index and page size. Audit data is then
 * populated for every returned resource.
 *
 * @param searchCriteria search parameters; for non-admin users the start
 *                       index and max rows are overwritten (0 / unbounded)
 *                       and are not restored for the caller
 * @return the paged result list
 */
@Override
public VXResourceList searchXResources(SearchCriteria searchCriteria) {
    UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
    // NOTE(review): a missing session dereferences null here; ServiceDBStore.getService
    // rejects a null session explicitly -- confirm the caller always binds one.
    boolean isSystemAdmin = currentUserSession.isUserAdmin();
    VXResourceList returnList;
    if (isSystemAdmin) {
        returnList = super.searchXResources(searchCriteria);
    } else {
        // need to be optimize: every match is loaded and checked in memory.
        returnList = new VXResourceList();
        int requestedStart = searchCriteria.getStartIndex();
        int requestedPageSize = searchCriteria.getMaxRows();
        searchCriteria.setStartIndex(0);
        searchCriteria.setMaxRows(Integer.MAX_VALUE);
        @SuppressWarnings("unchecked")
        List<XXResource> allMatches = (List<XXResource>) searchResources(searchCriteria, searchFields, sortFields, returnList);
        List<XXResource> permitted = new ArrayList<>();
        for (XXResource candidate : allMatches) {
            VXResponse check = xaBizUtil.hasPermission(populateViewBean(candidate), AppConstants.XA_PERM_TYPE_ADMIN);
            if (VXResponse.STATUS_SUCCESS == check.getStatusCode()) {
                permitted.add(candidate);
            }
        }
        if (permitted.size() > 0) {
            populatePageList(permitted, requestedStart, requestedPageSize, returnList);
        }
    }
    if (returnList != null && returnList.getResultSize() > 0) {
        for (VXResource view : returnList.getVXResources()) {
            populateAuditList(view);
        }
    }
    return returnList;
}