
the class ServiceDBStore method getService.

/**
 * Loads a single Ranger service by its database id for the currently
 * authenticated user.
 *
 * Order of checks: (1) a Ranger user session must be present, (2) the row is
 * fetched, (3) the business-logic helper decides whether the caller may read it.
 * Callers without a session get {@code OPER_NOT_ALLOWED_FOR_STATE}; callers
 * without read access get {@code OPER_NO_PERMISSION}.
 *
 * @param id primary key of the service row to load
 * @return the populated view object built by {@code svcService}
 * @throws Exception the REST exception created by {@code restErrorUtil} on a
 *         missing session or a failed access check; anything thrown by the DAO
 *         or view population propagates unchanged
 */
@Override
public RangerService getService(Long id) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceDBStore.getService()");
    }

    // Refuse to touch the database at all when no Ranger session is bound to
    // this request.
    UserSessionBase currentSession = ContextUtil.getCurrentUserSession();
    if (currentSession == null) {
        throw restErrorUtil.createRESTException("UserSession cannot be null.", MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
    }

    // NOTE(review): getById() returning null for an unknown id is not handled
    // here; confirm that bizUtil.hasAccess() and getPopulatedViewObject()
    // tolerate a null entity rather than throwing an NPE. The null second
    // argument to hasAccess() is passed through as-is; what it selects is not
    // visible in this method.
    XXService persisted = daoMgr.getXXService().getById(id);
    boolean readable = bizUtil.hasAccess(persisted, null);
    if (!readable) {
        throw restErrorUtil.createRESTException("Logged in user is not allowed to read service, id: " + id, MessageEnums.OPER_NO_PERMISSION);
    }

    return svcService.getPopulatedViewObject(persisted);
}

the class ServiceREST method createService.

/**
 * REST endpoint that creates a new Ranger service (a policy repository bound to
 * a service definition such as HDFS, Hive or KMS).
 *
 * Flow: validate the payload, apply the caller-specific permission rules (which
 * differ between SPNEGO and non-SPNEGO sessions), reject auditor-role users,
 * then persist through {@code svcStore}. Coarse API-level access is enforced by
 * the {@code @PreAuthorize} expression before this method runs.
 *
 * @param service the service to create, as deserialised from the request body
 * @return the persisted service returned by {@code svcStore.createService}
 * @throws WebApplicationException re-thrown unchanged when raised by validation,
 *         authorization or the store; any other {@link Throwable} is logged and
 *         converted to a REST exception carrying the original message
 */
@POST
@Path("/services")
@Produces({ "application/json", "application/xml" })
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_SERVICE + "\")")
public RangerService createService(RangerService service) {
    if (LOG.isDebugEnabled()) {
        // NOTE(review): this logs the whole request object; if RangerService.toString()
        // renders the service configs, any credentials in them land in the debug log.
        LOG.debug("==> ServiceREST.createService(" + service + ")");
    }
    RangerService created = null;
    RangerPerfTracer tracer = null;
    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
            tracer = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createService(serviceName=" + service.getName() + ")");
        }

        // Payload validation runs before any authorization decision.
        RangerServiceValidator serviceValidator = validatorFactory.getServiceValidator(svcStore);
        serviceValidator.validate(service, Action.CREATE);

        UserSessionBase callerSession = ContextUtil.getCurrentUserSession();
        XXServiceDef serviceDef = daoManager.getXXServiceDef().findByName(service.getType());
        checkCreateServicePermissions(callerSession, serviceDef);

        bizUtil.blockAuditorRoleUser();
        created = svcStore.createService(service);
    } catch (WebApplicationException excp) {
        throw excp;
    } catch (Throwable excp) {
        LOG.error("createService(" + service + ") failed", excp);
        // NOTE(review): the raw exception message is returned to the client; for
        // internal failures (e.g. an NPE, whose message is null) this may expose
        // implementation detail or produce an empty error.
        throw restErrorUtil.createRESTException(excp.getMessage());
    } finally {
        RangerPerfTracer.log(tracer);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.createService(" + service + "): " + created);
    }
    return created;
}

/**
 * Applies the per-session authorization rules for service creation.
 *
 * Non-SPNEGO sessions must pass the generic admin check and the KMS check in
 * {@code bizUtil}. SPNEGO sessions are checked inline: a key-admin may only
 * create KMS services, and only a key-admin or user-admin may create one.
 *
 * NOTE(review): when no session is bound to the request none of these checks
 * run and creation proceeds to {@code blockAuditorRoleUser()}; by contrast
 * {@code ServiceDBStore.getService()} rejects a null session outright. Confirm
 * that this asymmetry is intentional for the non-session REST paths.
 *
 * @param session    the caller's session, possibly null
 * @param serviceDef the service definition the new service is bound to; its
 *                   implementation class name decides whether it is KMS
 */
private void checkCreateServicePermissions(UserSessionBase session, XXServiceDef serviceDef) {
    if (session == null) {
        return;
    }
    if (session.isSpnegoEnabled()) {
        if (session.isKeyAdmin() && !EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(serviceDef.getImplclassname())) {
            throw restErrorUtil.createRESTException("KeyAdmin can create/update/delete only KMS ", MessageEnums.OPER_NO_PERMISSION);
        }
        if ((!session.isKeyAdmin() && !session.isUserAdmin()) && EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(serviceDef.getImplclassname())) {
            throw restErrorUtil.createRESTException("User cannot create/update/delete KMS Service", MessageEnums.OPER_NO_PERMISSION);
        }
    } else {
        bizUtil.hasAdminPermissions("Services");
        // TODO: As of now we are allowing SYS_ADMIN to create all the
        // services including KMS
        bizUtil.hasKMSPermissions("Service", serviceDef.getImplclassname());
    }
}

the class RangerSecurityContextFormationFilter method doFilter.

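/**
 * Servlet filter that builds the per-request {@link RangerSecurityContext}
 * (request metadata plus the Ranger user session) and publishes it through
 * {@code RangerContextHolder} for the rest of the chain, then always removes
 * it again in {@code finally} so the thread-local cannot leak across requests.
 *
 * Anonymous requests skip context formation entirely. Every response,
 * anonymous or not, gets the same fixed set of browser hardening headers
 * before the chain continues.
 *
 * Fix: the security context is now stored in the HTTP session only when one
 * already exists. The previous code called {@code httpSession.setAttribute}
 * unconditionally after obtaining the session with {@code getSession(false)},
 * so an authenticated request without an HTTP session threw
 * {@link NullPointerException} instead of being processed.
 *
 * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,
 *      javax.servlet.ServletResponse, javax.servlet.FilterChain)
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    try {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // NOTE(review): a null Authentication also passes this test and is then
        // handed to processSuccessLogin(); confirm sessionMgr handles that case.
        if (!(auth instanceof AnonymousAuthenticationToken)) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            // Never create a session here; only reuse one that already exists.
            HttpSession httpSession = httpRequest.getSession(false);
            // [1]get the context from session
            RangerSecurityContext context = null;
            if (httpSession != null) {
                context = (RangerSecurityContext) httpSession.getAttribute(AKA_SC_SESSION_KEY);
            }
            int clientTimeOffset = 0;
            if (context == null) {
                context = new RangerSecurityContext();
                // Persist the fresh context for later requests only when a session
                // exists to hold it; otherwise it lives for this request only.
                if (httpSession != null) {
                    httpSession.setAttribute(AKA_SC_SESSION_KEY, context);
                }
            }
            String userAgent = httpRequest.getHeader(USER_AGENT);
            clientTimeOffset = RestUtil.getTimeOffset(httpRequest);
            // Get the request specific info
            RequestContext requestContext = new RequestContext();
            // testIP, when set, overrides the real peer address (test hook).
            // NOTE(review): getRemoteAddr() is the TCP peer; behind a reverse proxy
            // this is the proxy's address unless the container is configured to
            // honour forwarded headers.
            String reqIP = testIP;
            if (testIP == null) {
                reqIP = httpRequest.getRemoteAddr();
            }
            requestContext.setIpAddress(reqIP);
            requestContext.setUserAgent(userAgent);
            requestContext.setDeviceType(httpUtil.getDeviceType(httpRequest));
            requestContext.setServerRequestId(guidUtil.genGUID());
            requestContext.setRequestURL(httpRequest.getRequestURI());
            requestContext.setClientTimeOffsetInMinute(clientTimeOffset);
            context.setRequestContext(requestContext);
            RangerContextHolder.setSecurityContext(context);
            UserSessionBase userSession = sessionMgr.processSuccessLogin(XXAuthSession.AUTH_TYPE_PASSWORD, userAgent, httpRequest);
            if (userSession != null) {
                // A request attribute set by an upstream filter wins over the
                // static "ranger.sso.enabled" property.
                Object ssoEnabledObj = request.getAttribute("ssoEnabled");
                Boolean ssoEnabled = ssoEnabledObj != null ? Boolean.valueOf(String.valueOf(ssoEnabledObj)) : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
                userSession.setSSOEnabled(ssoEnabled);
                // Only the first non-zero offset is recorded on the session.
                if (userSession.getClientTimeOffsetInMinute() == 0) {
                    userSession.setClientTimeOffsetInMinute(clientTimeOffset);
                }
            }
            context.setUserSession(userSession);
        }
        HttpServletResponse res = (HttpServletResponse) response;
        // Browser hardening headers, applied to every response. X-XSS-Protection
        // is a legacy header that current browsers ignore; it is kept for older
        // clients. HSTS is only honoured by browsers over HTTPS.
        res.setHeader("X-Frame-Options", "DENY");
        res.setHeader("X-Content-Type-Options", "nosniff");
        res.setHeader("X-XSS-Protection", "1; mode=block");
        res.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
        chain.doFilter(request, res);
    } finally {
        // [4]remove context from thread-local
        RangerContextHolder.resetSecurityContext();
    }
}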

the class UserService method mapEntityToViewBean.

/**
 * Copies a persisted portal user onto the view bean handed back to API clients.
 *
 * Only a subset of the entity is exposed: identity and name fields, status,
 * an e-mail address that passes {@code stringUtil.validateEmail}, the auth
 * provider of the <em>current</em> session, and the user's portal roles
 * looked up by parent id.
 *
 * NOTE(review): {@code userSource} is taken from the caller's session, not from
 * the {@code user} entity being mapped, so every user in a listing reports the
 * caller's auth provider; confirm this is the intended meaning of the field.
 *
 * @param userProfile the view bean to populate (mutated and returned)
 * @param user        the persisted entity to read from
 * @return {@code userProfile}, fully populated
 */
@Override
protected VXPortalUser mapEntityToViewBean(VXPortalUser userProfile, XXPortalUser user) {
    userProfile.setId(user.getId());
    userProfile.setLoginId(user.getLoginId());
    userProfile.setFirstName(user.getFirstName());
    userProfile.setLastName(user.getLastName());
    userProfile.setPublicScreenName(user.getPublicScreenName());
    userProfile.setStatus(user.getStatus());
    userProfile.setUserRoleList(new ArrayList<String>());

    // Expose the stored address only when it passes validation; a malformed
    // value is silently left off the view rather than echoed back.
    String storedEmail = user.getEmailAddress();
    boolean emailIsValid = storedEmail != null && stringUtil.validateEmail(storedEmail);
    if (emailIsValid) {
        userProfile.setEmailAddress(storedEmail);
    }

    UserSessionBase callerSession = ContextUtil.getCurrentUserSession();
    if (callerSession != null) {
        userProfile.setUserSource(callerSession.getAuthProvider());
    }

    for (XXPortalUserRole roleRow : daoManager.getXXPortalUserRole().findByParentId(user.getId())) {
        userProfile.getUserRoleList().add(roleRow.getUserRole());
    }
    return userProfile;
}

the class XResourceService method searchXResources.

/**
 * Searches resources on behalf of the current user, narrowing the result to
 * what the caller is allowed to administer.
 *
 * A system admin gets the unfiltered superclass search. Anyone else triggers
 * a full (unpaged) search, each hit is checked for {@code XA_PERM_TYPE_ADMIN}
 * via {@code xaBizUtil.hasPermission}, and the requested page is then cut from
 * the surviving rows. Audit entries are attached to every returned resource.
 *
 * NOTE(review): the current session is dereferenced without a null check, so a
 * request with no bound session fails with an NPE here rather than a REST
 * error. The non-admin path also mutates {@code searchCriteria} (start index
 * and max rows) and does not restore it, and it materialises every matching
 * row before filtering, which is expensive for large resource sets (the
 * original author left a "need to be optimize" note).
 *
 * @param searchCriteria paging and filter criteria; mutated on the non-admin path
 * @return the page of resources visible to the caller, with audit lists populated
 */
@Override
public VXResourceList searchXResources(SearchCriteria searchCriteria) {
    VXResourceList page;
    UserSessionBase callerSession = ContextUtil.getCurrentUserSession();
    if (callerSession.isUserAdmin()) {
        // System admins see everything; delegate paging to the superclass.
        page = super.searchXResources(searchCriteria);
    } else {
        // Non-admins: fetch all matches, keep those the caller administers,
        // then apply the originally requested page window.
        page = new VXResourceList();
        int requestedStart = searchCriteria.getStartIndex();
        int requestedRows = searchCriteria.getMaxRows();
        searchCriteria.setStartIndex(0);
        searchCriteria.setMaxRows(Integer.MAX_VALUE);
        List<XXResource> allMatches = (List<XXResource>) searchResources(searchCriteria, searchFields, sortFields, page);
        List<XXResource> adminVisible = new ArrayList<XXResource>();
        for (XXResource candidate : allMatches) {
            VXResponse permissionCheck = xaBizUtil.hasPermission(populateViewBean(candidate), AppConstants.XA_PERM_TYPE_ADMIN);
            boolean allowed = permissionCheck.getStatusCode() == VXResponse.STATUS_SUCCESS;
            if (allowed) {
                adminVisible.add(candidate);
            }
        }
        if (!adminVisible.isEmpty()) {
            populatePageList(adminVisible, requestedStart, requestedRows, page);
        }
    }
    boolean hasResults = page != null && page.getResultSize() > 0;
    if (hasResults) {
        for (VXResource resource : page.getVXResources()) {
            populateAuditList(resource);
        }
    }
    return page;
}