Use of org.apache.ranger.entity.XXResource in the Apache Ranger project — class XUserMgr, method deleteXGroup (admin-only group deletion that either hides a referenced group or, with force=true, strips every reference before removing the row):
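/**
 * Deletes the group with the given id, or hides it when it is still referenced.
 *
 * <p>Callers must be admins ({@code checkAdminAccess()}) and must not hold the
 * auditor role ({@code xaBizUtil.blockAuditorRoleUser()}).
 *
 * <p>With {@code force == false}: the group row is removed only when nothing
 * references it (no members, no policies, no perm/audit maps, no group-group
 * links, no module permissions); otherwise the group is merely marked hidden.
 *
 * <p>With {@code force == true}: every referencing record is removed first —
 * memberships, legacy perm/audit maps, group-group links, module permissions —
 * and the group's name is stripped from every policy item type of every policy
 * that names it. If any policy update fails the deletion is aborted by throwing
 * the REST exception; the original code built that exception and dropped it, so
 * a failed update was silently ignored and the group row was removed while
 * policies still named the group (a later group with the same name would then
 * inherit those policy entries).
 *
 * @param id    id of the group to delete
 * @param force whether to cascade through all references before deleting
 * @throws javax.ws.rs.WebApplicationException (via restErrorUtil) when the id
 *         does not resolve to a named group, or when a policy update fails
 *         during a forced delete
 */
public void deleteXGroup(Long id, boolean force) {
    checkAdminAccess();
    xaBizUtil.blockAuditorRoleUser();

    XXGroupDao xXGroupDao = daoManager.getXXGroup();
    XXGroup xXGroup = xXGroupDao.getById(id);
    VXGroup vXGroup = xGroupService.populateViewBean(xXGroup);
    if (vXGroup == null || StringUtil.isEmpty(vXGroup.getName())) {
        throw restErrorUtil.createRESTException("Group ID doesn't exist.", MessageEnums.INVALID_INPUT_DATA);
    }
    if (logger.isDebugEnabled()) {
        // was logger.info() under an isDebugEnabled() guard; debug() matches the guard
        logger.debug("Force delete status=" + force + " for group=" + vXGroup.getName());
    }

    // Collect every record that still references this group. The same lists drive
    // both the cascade (force) and the "is it safe to delete?" decision (non-force).
    SearchCriteria searchCriteria = new SearchCriteria();
    searchCriteria.addParam("xGroupId", id);
    VXGroupUserList vxGroupUserList = searchXGroupUsers(searchCriteria);

    searchCriteria = new SearchCriteria();
    searchCriteria.addParam("groupId", id);
    VXPermMapList vXPermMapList = searchXPermMaps(searchCriteria);

    searchCriteria = new SearchCriteria();
    searchCriteria.addParam("groupId", id);
    VXAuditMapList vXAuditMapList = searchXAuditMaps(searchCriteria);

    XXGroupPermissionDao xXGroupPermissionDao = daoManager.getXXGroupPermission();
    List<XXGroupPermission> xXGroupPermissions = xXGroupPermissionDao.findByGroupId(id);
    XXGroupGroupDao xXGroupGroupDao = daoManager.getXXGroupGroup();
    List<XXGroupGroup> xXGroupGroups = xXGroupGroupDao.findByGroupId(id);
    XXPolicyDao xXPolicyDao = daoManager.getXXPolicy();
    List<XXPolicy> xXPolicyList = xXPolicyDao.findByGroupId(id);

    logger.warn("Deleting GROUP : " + vXGroup.getName());

    if (force) {
        forceDeleteRemoveGroupUsers(vxGroupUserList);
        forceDeleteRemovePermMaps(vXPermMapList);
        forceDeleteRemoveAuditMaps(vXAuditMapList);
        forceDeleteRemoveGroupGroups(xXGroupDao, xXGroupGroupDao, xXGroupGroups);
        // Throws (aborting the delete) if a policy cannot be updated.
        forceDeleteRemoveGroupFromPolicies(xXPolicyList, vXGroup.getName());
        forceDeleteRemoveModulePermissions(xXGroupPermissionDao, xXGroupPermissions, xXGroup.getName());
        deleteGroupRowAndLog(xXGroupDao, xXGroup, id);
        return;
    }

    // Same checks, same order, same short-circuit as the original if-chain.
    boolean hasReferences = vxGroupUserList.getListSize() > 0
            || CollectionUtils.isNotEmpty(xXPolicyList)
            || vXPermMapList.getListSize() > 0
            || vXAuditMapList.getListSize() > 0
            || CollectionUtils.isNotEmpty(xXGroupGroups)
            || CollectionUtils.isNotEmpty(xXGroupPermissions);
    if (hasReferences) {
        // Referenced groups are hidden rather than deleted, so the references stay valid.
        if (vXGroup.getIsVisible() == RangerCommonEnums.IS_VISIBLE) {
            vXGroup.setIsVisible(RangerCommonEnums.IS_HIDDEN);
            xGroupService.updateResource(vXGroup);
        }
    } else {
        deleteGroupRowAndLog(xXGroupDao, xXGroup, id);
    }
}

/** Force-delete step: removes every XXGroupUser membership row of the group. */
private void forceDeleteRemoveGroupUsers(VXGroupUserList vxGroupUserList) {
    XXGroupUserDao xGroupUserDao = daoManager.getXXGroupUser();
    XXUserDao xXUserDao = daoManager.getXXUser();
    for (VXGroupUser groupUser : vxGroupUserList.getList()) {
        if (groupUser == null) {
            continue;
        }
        XXUser xXUser = xXUserDao.getById(groupUser.getUserId());
        if (xXUser != null) {
            logger.warn("Removing user '" + xXUser.getName() + "' from group '" + groupUser.getName() + "'");
        }
        // The mapping row is removed even when the user row could not be loaded.
        xGroupUserDao.remove(groupUser.getId());
    }
}

/** Force-delete step: removes every legacy XXPermMap row that grants the group a permission. */
private void forceDeleteRemovePermMaps(VXPermMapList vXPermMapList) {
    XXPermMapDao xXPermMapDao = daoManager.getXXPermMap();
    XXResourceDao xXResourceDao = daoManager.getXXResource();
    for (VXPermMap vXPermMap : vXPermMapList.getList()) {
        if (vXPermMap == null) {
            continue;
        }
        XXResource xXResource = xXResourceDao.getById(vXPermMap.getResourceId());
        if (xXResource != null) {
            logger.warn("Deleting '" + AppConstants.getLabelFor_XAPermType(vXPermMap.getPermType()) + "' permission from policy ID='" + vXPermMap.getResourceId() + "' for group '" + vXPermMap.getGroupName() + "'");
        }
        xXPermMapDao.remove(vXPermMap.getId());
    }
}

/** Force-delete step: removes every legacy XXAuditMap row of the group. */
private void forceDeleteRemoveAuditMaps(VXAuditMapList vXAuditMapList) {
    XXAuditMapDao xXAuditMapDao = daoManager.getXXAuditMap();
    for (VXAuditMap vXAuditMap : vXAuditMapList.getList()) {
        if (vXAuditMap == null) {
            continue;
        }
        // The original also loaded the XXResource for this map and discarded it;
        // nothing read it, so the lookup is dropped here.
        xXAuditMapDao.remove(vXAuditMap.getId());
    }
}

/** Force-delete step: removes every parent/child group-group link involving the group. */
private void forceDeleteRemoveGroupGroups(XXGroupDao xXGroupDao, XXGroupGroupDao xXGroupGroupDao, List<XXGroupGroup> xXGroupGroups) {
    for (XXGroupGroup xXGroupGroup : xXGroupGroups) {
        if (xXGroupGroup == null) {
            continue;
        }
        XXGroup parentGroup = xXGroupDao.getById(xXGroupGroup.getParentGroupId());
        XXGroup childGroup = xXGroupDao.getById(xXGroupGroup.getGroupId());
        if (parentGroup != null && childGroup != null) {
            logger.warn("Removing group '" + childGroup.getName() + "' from group '" + parentGroup.getName() + "'");
        }
        xXGroupGroupDao.remove(xXGroupGroup.getId());
    }
}

/**
 * Force-delete step: strips {@code groupName} from every item list of each policy
 * that references the group and persists the updated policy.
 *
 * @throws javax.ws.rs.WebApplicationException (via restErrorUtil) if a policy
 *         update fails; the exception is now thrown instead of being discarded
 */
private void forceDeleteRemoveGroupFromPolicies(List<XXPolicy> xXPolicyList, String groupName) {
    for (XXPolicy xXPolicy : xXPolicyList) {
        RangerPolicy rangerPolicy = policyService.getPopulatedViewObject(xXPolicy);

        List<RangerPolicyItem> policyItems = rangerPolicy.getPolicyItems();
        removeUserGroupReferences(policyItems, null, groupName);
        rangerPolicy.setPolicyItems(policyItems);

        List<RangerPolicyItem> denyPolicyItems = rangerPolicy.getDenyPolicyItems();
        removeUserGroupReferences(denyPolicyItems, null, groupName);
        rangerPolicy.setDenyPolicyItems(denyPolicyItems);

        List<RangerPolicyItem> allowExceptions = rangerPolicy.getAllowExceptions();
        removeUserGroupReferences(allowExceptions, null, groupName);
        rangerPolicy.setAllowExceptions(allowExceptions);

        List<RangerPolicyItem> denyExceptions = rangerPolicy.getDenyExceptions();
        removeUserGroupReferences(denyExceptions, null, groupName);
        rangerPolicy.setDenyExceptions(denyExceptions);

        List<RangerDataMaskPolicyItem> dataMaskItems = rangerPolicy.getDataMaskPolicyItems();
        removeUserGroupReferences(dataMaskItems, null, groupName);
        rangerPolicy.setDataMaskPolicyItems(dataMaskItems);

        List<RangerRowFilterPolicyItem> rowFilterItems = rangerPolicy.getRowFilterPolicyItems();
        removeUserGroupReferences(rowFilterItems, null, groupName);
        rangerPolicy.setRowFilterPolicyItems(rowFilterItems);

        try {
            svcStore.updatePolicy(rangerPolicy);
        } catch (Throwable excp) {
            logger.error("updatePolicy(" + rangerPolicy + ") failed", excp);
            // Abort the deletion. Previously the exception object was created here and
            // dropped, so the group row was removed while this policy still named it.
            throw restErrorUtil.createRESTException(excp.getMessage());
        }
    }
}

/** Force-delete step: removes the group's module (UI/API) permission rows. */
private void forceDeleteRemoveModulePermissions(XXGroupPermissionDao xXGroupPermissionDao, List<XXGroupPermission> xXGroupPermissions, String groupName) {
    if (!CollectionUtils.isNotEmpty(xXGroupPermissions)) {
        return;
    }
    for (XXGroupPermission xXGroupPermission : xXGroupPermissions) {
        if (xXGroupPermission == null) {
            continue;
        }
        XXModuleDef xXModuleDef = daoManager.getXXModuleDef().findByModuleId(xXGroupPermission.getModuleId());
        if (xXModuleDef != null) {
            logger.warn("Deleting '" + xXModuleDef.getModule() + "' module permission for group '" + groupName + "'");
        }
        xXGroupPermissionDao.remove(xXGroupPermission.getId());
    }
}

/** Removes the XXGroup row itself and records a "delete" transaction-log entry for it. */
private void deleteGroupRowAndLog(XXGroupDao xXGroupDao, XXGroup xXGroup, Long id) {
    xXGroupDao.remove(id);
    List<XXTrxLog> xXTrxLogsXXGroup = xGroupService.getTransactionLog(xGroupService.populateViewBean(xXGroup), "delete");
    xaBizUtil.createTrxLog(xXTrxLogsXXGroup);
}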
Use of org.apache.ranger.entity.XXResource in the Apache Ranger project — class PatchMigration_J10002, method migratePoliciesToNewSchema (one-time migration of legacy XXResource rows into RangerPolicy objects):
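/**
 * Migrates every non-deleted legacy {@code XXResource} row into a new-schema
 * {@code RangerPolicy} under the service that corresponds to the row's asset.
 *
 * <p>Rows are skipped (with an error/info log, never an exception) when the
 * asset cannot be found, when no service with the asset's name exists, or when
 * a policy with the same name already exists in that service. {@code policyCounter}
 * is incremented once per policy created.
 *
 * <p>{@code svcDBStore.setPopulateExistingBaseFields(true)} is enabled for the
 * duration of the migration and is now reset in a {@code finally} block; the
 * original reset it only on the success path, so an exception mid-migration
 * left the store in "populate existing base fields" mode for subsequent callers.
 *
 * @throws Exception wrapping any failure raised during the migration
 */
public void migratePoliciesToNewSchema() throws Exception {
    logger.info("==> MigrationPatch.migratePoliciesToNewSchema()");
    try {
        List<XXResource> resList = daoMgr.getXXResource().getAll();
        if (!resList.isEmpty()) {
            svcDBStore.setPopulateExistingBaseFields(true);
            try {
                for (XXResource xRes : resList) {
                    if (xRes.getResourceStatus() == AppConstants.STATUS_DELETED) {
                        continue;
                    }
                    XXAsset xAsset = daoMgr.getXXAsset().getById(xRes.getAssetId());
                    if (xAsset == null) {
                        logger.error("No Repository found for policyName: " + xRes.getPolicyName());
                        continue;
                    }
                    // The legacy asset name is the new service name.
                    RangerService service = svcDBStore.getServiceByName(xAsset.getName());
                    if (service == null) {
                        logger.error("No Service found for policy. Ignoring migration of such policy, policyName: " + xRes.getPolicyName());
                        continue;
                    }
                    // Idempotency: re-running the patch must not duplicate policies.
                    XXPolicy existing = daoMgr.getXXPolicy().findByNameAndServiceId(xRes.getPolicyName(), service.getId());
                    if (existing != null) {
                        logger.info("Policy already exists. Ignoring migration of policy: " + existing.getName());
                        continue;
                    }
                    RangerPolicy policy = mapXResourceToPolicy(new RangerPolicy(), xRes, service);
                    if (policy != null) {
                        policy = svcDBStore.createPolicy(policy);
                        policyCounter++;
                        logger.info("New policy created. policyName: " + policy.getName());
                    }
                }
            } finally {
                // Always restore the store's default mode, even when the loop threw.
                svcDBStore.setPopulateExistingBaseFields(false);
            }
        }
    } catch (Exception e) {
        throw new Exception("Error while migrating data to new Plugin Schema.", e);
    }
    logger.info("<== MigrationPatch.migratePoliciesToNewSchema()");
}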
Use of org.apache.ranger.entity.XXResource in the Apache Ranger project — class RangerBizUtil, method matchKnoxPolicy (legacy per-policy matching for Knox topology/service resources):
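/**
 * Returns true if the user holds {@code permission} on the given Knox resource
 * through at least one enabled policy in {@code xResourceList}.
 *
 * <p>{@code resourceName} is split on {@code fileSeparator} into up to three
 * segments; segment 0 is matched against the policy's topologies and segment 1
 * against its services. A policy counts only when it is enabled, the user has
 * the permission on it ({@code checkUsrPermForPolicy}), and every requested
 * segment matches.
 *
 * <p>NOTE(review): three segments are accepted by the length check, but nothing
 * ever matches segment 2, so a three-segment resource can never match and is
 * denied. That fails closed and is preserved here; if a third Knox segment is
 * meaningful, the match needs a branch for it.
 *
 * @param resourceName  requested resource path (topology[/service[/...]])
 * @param xResourceList candidate legacy policies for the asset
 * @param xUserId       id of the requesting user
 * @param permission    permission type being requested
 * @return true if some enabled, permitted policy matches every requested segment
 */
private boolean matchKnoxPolicy(String resourceName, List<XXResource> xResourceList, Long xUserId, int permission) {
    String[] splittedResources = stringUtil.split(resourceName, fileSeparator);
    int numberOfResources = splittedResources.length;
    if (numberOfResources < 1 || numberOfResources > 3) {
        logger.debug("Invalid policy name : " + resourceName);
        return false;
    }
    for (XXResource xResource : xResourceList) {
        if (xResource.getResourceStatus() != AppConstants.STATUS_ENABLED) {
            continue;
        }
        // Permission is checked before resource matching, as in the original.
        if (!checkUsrPermForPolicy(xUserId, permission, xResource.getId())) {
            continue;
        }
        if (knoxPolicyCoversSegments(xResource, splittedResources, numberOfResources)) {
            return true;
        }
    }
    return false;
}

/**
 * Checks one policy's topology/service lists against the requested segments.
 * Segment 0 must match a topology, segment 1 (if present) a service; a segment
 * that matches nothing stops the check.
 */
private boolean knoxPolicyCoversSegments(XXResource xResource, String[] splittedResources, int numberOfResources) {
    String[] xTopologies = (xResource.getTopologies() == null || "".equalsIgnoreCase(xResource.getTopologies())) ? null : stringUtil.split(xResource.getTopologies(), ",");
    String[] xServices = (xResource.getServices() == null || "".equalsIgnoreCase(xResource.getServices())) ? null : stringUtil.split(xResource.getServices(), ",");
    boolean matchFound = false;
    for (int index = 0; index < numberOfResources; index++) {
        matchFound = false;
        if (index == 0) {
            matchFound = knoxSegmentMatchesAny(splittedResources[index], xTopologies);
        } else if (index == 1) {
            matchFound = knoxSegmentMatchesAny(splittedResources[index], xServices);
        }
        // index 2 is never matched (see NOTE in matchKnoxPolicy); matchFound stays false.
        if (!matchFound) {
            break;
        }
    }
    return matchFound;
}

/**
 * True if {@code segment} matches any entry of {@code candidates} via matchPath.
 * Stops at the first hit; the original kept scanning with a no-op {@code continue}.
 */
private boolean knoxSegmentMatchesAny(String segment, String[] candidates) {
    if (candidates == null) {
        return false;
    }
    for (String candidate : candidates) {
        if (matchPath(segment, candidate)) {
            return true;
        }
    }
    return false;
}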
Use of org.apache.ranger.entity.XXResource in the Apache Ranger project — class RangerBizUtil, method hasPermission (legacy resource-level access check that dispatches on the asset type):
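/**
 * Checks whether the current user holds {@code permission} on every resource
 * path named in {@code vXResource.getName()} (comma-separated) for the asset
 * the resource belongs to.
 *
 * <p>Outcomes, in order:
 * <ul>
 *   <li>resource access control disabled, or the caller is an admin: a default
 *       (non-error) response, i.e. allowed;</li>
 *   <li>null resource or empty name: STATUS_ERROR, "Please provide valid policy.";</li>
 *   <li>asset not found, or an asset type with no matcher: STATUS_ERROR,
 *       "Permission Denied !" (the asset-not-found case used to throw a
 *       NullPointerException from {@code xAsset.getAssetType()}; it now fails
 *       closed like the unknown-type case);</li>
 *   <li>any path without a matching policy: STATUS_ERROR naming that path;</li>
 *   <li>otherwise STATUS_SUCCESS.</li>
 * </ul>
 *
 * @param vXResource resource whose name(s), asset and (for Hive) table/column
 *                   type and UDF fields describe the request
 * @param permission permission type being requested
 * @return response object whose status code and message describe the decision
 */
public VXResponse hasPermission(VXResource vXResource, int permission) {
    VXResponse vXResponse = new VXResponse();
    if (!enableResourceAccessControl) {
        logger.debug("Resource Access Control is disabled !!!");
        return vXResponse;
    }
    if (vXResource == null) {
        vXResponse.setStatusCode(VXResponse.STATUS_ERROR);
        vXResponse.setMsgDesc("Please provide valid policy.");
        return vXResponse;
    }
    String resourceNames = vXResource.getName();
    if (stringUtil.isEmpty(resourceNames)) {
        vXResponse.setStatusCode(VXResponse.STATUS_ERROR);
        vXResponse.setMsgDesc("Please provide valid policy.");
        return vXResponse;
    }
    if (isAdmin()) {
        return vXResponse;
    }

    Long xUserId = getXUserId();
    Long assetId = vXResource.getAssetId();
    List<XXResource> xResourceList = daoManager.getXXResource().findByAssetIdAndResourceStatus(assetId, AppConstants.STATUS_ENABLED);
    XXAsset xAsset = daoManager.getXXAsset().getById(assetId);

    // Deny by default; only a full match of every path flips this to success.
    vXResponse.setStatusCode(VXResponse.STATUS_ERROR);
    vXResponse.setMsgDesc("Permission Denied !");
    if (xAsset == null) {
        // Fail closed instead of NPE-ing on xAsset.getAssetType().
        logger.warn("hasPermission(): no asset found for assetId=" + assetId + "; denying access");
        return vXResponse;
    }
    int assetType = xAsset.getAssetType();
    if (!hasLegacyPolicyMatcher(assetType)) {
        return vXResponse;
    }

    // Every comma-separated path must be covered by some policy.
    for (String resourceName : resourceNames.split(",")) {
        boolean matchFound = matchLegacyPolicyForAssetType(assetType, resourceName, xResourceList, vXResponse, xUserId, permission, vXResource);
        if (!matchFound) {
            vXResponse.setMsgDesc("You're not permitted to perform " + "the action for resource path : " + resourceName);
            vXResponse.setStatusCode(VXResponse.STATUS_ERROR);
            return vXResponse;
        }
    }
    vXResponse.setStatusCode(VXResponse.STATUS_SUCCESS);
    return vXResponse;
}

/** True for the asset types that {@link #matchLegacyPolicyForAssetType} can evaluate. */
private boolean hasLegacyPolicyMatcher(int assetType) {
    return assetType == AppConstants.ASSET_HIVE
            || assetType == AppConstants.ASSET_HBASE
            || assetType == AppConstants.ASSET_HDFS
            || assetType == AppConstants.ASSET_KNOX
            || assetType == AppConstants.ASSET_STORM;
}

/**
 * Dispatches one resource path to the matcher for the asset type.
 * For Hive, a request without UDFs uses the table/column-type-aware overload;
 * a UDF request uses the short overload. {@code vXResponse} is passed through
 * to the HBase matcher, which may update it.
 *
 * @return true if a policy matched; false for no match or an unsupported type
 */
private boolean matchLegacyPolicyForAssetType(int assetType, String resourceName, List<XXResource> xResourceList, VXResponse vXResponse, Long xUserId, int permission, VXResource vXResource) {
    if (assetType == AppConstants.ASSET_HIVE) {
        if (stringUtil.isEmpty(vXResource.getUdfs())) {
            return matchHivePolicy(resourceName, xResourceList, xUserId, permission, vXResource.getTableType(), vXResource.getColumnType(), false);
        }
        return matchHivePolicy(resourceName, xResourceList, xUserId, permission);
    }
    if (assetType == AppConstants.ASSET_HBASE) {
        return matchHbasePolicy(resourceName, xResourceList, vXResponse, xUserId, permission);
    }
    if (assetType == AppConstants.ASSET_HDFS) {
        return matchHdfsPolicy(resourceName, xResourceList, xUserId, permission);
    }
    if (assetType == AppConstants.ASSET_KNOX) {
        return matchKnoxPolicy(resourceName, xResourceList, xUserId, permission);
    }
    if (assetType == AppConstants.ASSET_STORM) {
        return matchStormPolicy(resourceName, xResourceList, xUserId, permission);
    }
    return false;
}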
Use of org.apache.ranger.entity.XXResource in the Apache Ranger project — class RangerBizUtil, method matchHivePolicy (legacy per-policy matching for Hive database/table/column or database/UDF resources):
/**
 * Returns true if the user holds {@code permission} on the given Hive resource
 * through at least one enabled policy in {@code xResourceList}.
 *
 * <p>{@code resourceName} is split on {@code fileSeparator} into
 * database[/table[/column]]; missing trailing segments default to the wildcard.
 * For each enabled policy the user is permitted on ({@code checkUsrPermForPolicy}):
 * the database must match; a policy with UDFs is skipped for non-UDF requests;
 * a UDF request matches segment 1 against the policy's UDFs; otherwise table and
 * column must both match, with each list inverted when its policy type is
 * {@code POLICY_EXCLUSION}. An empty database/table/column list matches anything.
 *
 * <p>NOTE(review): {@code reqTableType} and {@code reqColumnType} are accepted
 * but not consulted; the exclusion flip uses the policy's own table/column type.
 * NOTE(review): for a UDF request, a policy with no UDFs is still evaluated and
 * {@code matchPath} then receives a null array — its behaviour in that case is
 * not visible here.
 *
 * @param resourceName  requested Hive resource path
 * @param xResourceList candidate legacy policies for the asset
 * @param xUserId       id of the requesting user
 * @param permission    permission type being requested
 * @param reqTableType  requested table type (unused by this implementation)
 * @param reqColumnType requested column type (unused by this implementation)
 * @param isUdfPolicy   whether segment 1 names a UDF rather than a table
 * @return true if some enabled, permitted policy covers the resource
 */
public boolean matchHivePolicy(String resourceName, List<XXResource> xResourceList, Long xUserId, int permission, int reqTableType, int reqColumnType, boolean isUdfPolicy) {
    if (stringUtil.isEmpty(resourceName) || xResourceList == null || xUserId == null) {
        return false;
    }
    String[] segments = stringUtil.split(resourceName, fileSeparator);
    if (segments.length < 1 || segments.length > 3) {
        logger.debug("Invalid resource name : " + resourceName);
        return false;
    }
    // At least one segment is guaranteed by the check above.
    String dbName = segments[0];
    String tblName = segments.length > 1 ? segments[1] : StringUtil.WILDCARD_ASTERISK;
    String colName = segments.length > 2 ? segments[2] : StringUtil.WILDCARD_ASTERISK;

    for (XXResource candidate : xResourceList) {
        if (candidate.getResourceStatus() != AppConstants.STATUS_ENABLED) {
            continue;
        }
        if (!checkUsrPermForPolicy(xUserId, permission, candidate.getId())) {
            continue;
        }
        // 1. database
        if (!hivePolicyCoversDatabase(candidate, dbName)) {
            continue;
        }
        // Policy kind must agree with the request kind: UDF policies only serve UDF requests.
        if (!stringUtil.isEmpty(candidate.getUdfs()) && !isUdfPolicy) {
            continue;
        }
        // 2./3. UDF, or table then column
        boolean covered = isUdfPolicy
                ? hivePolicyCoversUdf(candidate, tblName)
                : hivePolicyCoversTableAndColumn(candidate, tblName, colName);
        if (covered) {
            return true;
        }
    }
    return false;
}

/** True if the policy's database list is empty or matches {@code dbName}. */
private boolean hivePolicyCoversDatabase(XXResource candidate, String dbName) {
    String[] xDatabases = stringUtil.isEmpty(candidate.getDatabases()) ? null : stringUtil.split(candidate.getDatabases(), ",");
    return xDatabases == null || xDatabases.length == 0 || matchPath(dbName, xDatabases);
}

/** True if the policy's UDF list matches {@code udfName} (null list passed through to matchPath). */
private boolean hivePolicyCoversUdf(XXResource candidate, String udfName) {
    String[] xUdfs = stringUtil.isEmpty(candidate.getUdfs()) ? null : stringUtil.split(candidate.getUdfs(), ",");
    return matchPath(udfName, xUdfs);
}

/**
 * True if the policy's table list and column list both cover the request; each
 * result is inverted when the corresponding policy type is POLICY_EXCLUSION.
 */
private boolean hivePolicyCoversTableAndColumn(XXResource candidate, String tblName, String colName) {
    String[] xTables = stringUtil.isEmpty(candidate.getTables()) ? null : stringUtil.split(candidate.getTables(), ",");
    boolean tableCovered = xTables == null || xTables.length == 0 || matchPath(tblName, xTables);
    if (candidate.getTableType() == AppConstants.POLICY_EXCLUSION) {
        tableCovered = !tableCovered;
    }
    if (!tableCovered) {
        return false;
    }
    String[] xColumns = stringUtil.isEmpty(candidate.getColumns()) ? null : stringUtil.split(candidate.getColumns(), ",");
    boolean columnCovered = xColumns == null || xColumns.length == 0 || matchPath(colName, xColumns);
    if (candidate.getColumnType() == AppConstants.POLICY_EXCLUSION) {
        columnCovered = !columnCovered;
    }
    return columnCovered;
}