use of org.apache.ranger.entity.XXService in project ranger by apache.
the class RangerPolicyService method processFieldToCreateTrxLog.
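/**
 * Builds the transaction-log (audit trail) row for a single {@link RangerPolicy} field.
 *
 * <p>The new value is rendered from {@code vObj}; on update the previous value is rendered from
 * the persisted entity {@code mObj} (first by reflection, then, where the field has a dedicated
 * {@code process*ForTrxLog} renderer, from the view bean produced by {@link #populateViewBean}).
 * A {@code null} return means "nothing to log" for this field: an empty value on create, or an
 * unchanged value on update.
 *
 * @param field      the {@link RangerPolicy} field to log; made accessible here
 * @param objectName display name stored on the row
 * @param nameField  not used by this method; kept for the common processor signature
 * @param vObj       the incoming policy view bean (source of the new value and of the row's object id/service)
 * @param mObj       the persisted policy entity (source of the previous value; only read on update)
 * @param action     one of {@code OPERATION_CREATE_CONTEXT}, {@code OPERATION_DELETE_CONTEXT},
 *                   {@code OPERATION_UPDATE_CONTEXT}; any other value leaves the row's action empty
 * @return the populated {@link XXTrxLog}, or {@code null} when the field should not be logged
 */
private XXTrxLog processFieldToCreateTrxLog(Field field, String objectName, Field nameField, RangerPolicy vObj, XXPolicy mObj, int action) {
    String actionString = "";
    field.setAccessible(true);
    String fieldName = field.getName();
    XXTrxLog xTrxLog = new XXTrxLog();
    try {
        // NOTE(review): assumes the caller only passes fields registered in trxLogAttrs; an
        // unregistered field would NPE on the next line rather than be skipped — confirm.
        VTrxLogAttr vTrxLogAttr = trxLogAttrs.get(fieldName);
        xTrxLog.setAttributeName(vTrxLogAttr.getAttribUserFriendlyName());

        boolean isEnum = vTrxLogAttr.isEnum();
        // Enum-typed attributes are not rendered at all: the value stays null.
        String value = isEnum ? null : renderPolicyFieldForTrxLog(fieldName, field.get(vObj), vObj);

        if (action == OPERATION_CREATE_CONTEXT) {
            if (stringUtil.isEmpty(value)) {
                return null;
            }
            xTrxLog.setNewValue(value);
            actionString = actionCreate;
        } else if (action == OPERATION_DELETE_CONTEXT) {
            xTrxLog.setPreviousValue(value);
            actionString = actionDelete;
        } else if (action == OPERATION_UPDATE_CONTEXT) {
            actionString = actionUpdate;

            // Previous value: reflected off the entity first, then overridden by the field's
            // renderer when the old view bean is available (so both sides use the same text form).
            String oldValue = isEnum ? null : reflectPreviousValue(fieldName, mObj);
            RangerPolicy oldPolicy = populateViewBean(mObj);
            if (oldPolicy != null) {
                oldValue = renderPreviousPolicyField(fieldName, oldPolicy, oldValue);
            }

            // An unknown previous value, or one textually equal to the new one, produces no row.
            if (oldValue == null || oldValue.equalsIgnoreCase(value)) {
                return null;
            }
            // Structured fields (resources, item lists, ...) get a semantic comparison on top.
            if (isUnchangedByFieldComparison(fieldName, value, oldValue)) {
                return null;
            }
            // For the two boolean flags the persisted previous value is re-rendered through
            // processPolicyNameForTrxLog *after* the comparisons above, so the text stored can
            // differ from the text compared. Kept to preserve the existing log format.
            if (oldPolicy != null) {
                if (IS_ENABLED_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
                    oldValue = processPolicyNameForTrxLog(String.valueOf(oldPolicy.getIsEnabled()));
                } else if (IS_AUDIT_ENABLED_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
                    oldValue = processPolicyNameForTrxLog(String.valueOf(oldPolicy.getIsAuditEnabled()));
                }
            }
            xTrxLog.setPreviousValue(oldValue);
            xTrxLog.setNewValue(value);
        }
    } catch (IllegalArgumentException | IllegalAccessException e) {
        // Reflection failure is logged and the row is still returned below, with an empty
        // action and no values. NOTE(review): confirm whether callers expect such a partially
        // populated audit row or would rather have it dropped.
        logger.error("Process field to create trx log failure.", e);
    }
    xTrxLog.setAction(actionString);
    xTrxLog.setObjectClassType(AppConstants.CLASS_TYPE_RANGER_POLICY);
    xTrxLog.setObjectId(vObj.getId());
    xTrxLog.setObjectName(objectName);
    // The policy's service is recorded as the row's parent object.
    // NOTE(review): findByName is assumed to resolve for any policy reaching this point; a null
    // would surface as an NPE on getId() — confirm whether that should be handled explicitly.
    XXService parentObj = daoMgr.getXXService().findByName(vObj.getService());
    xTrxLog.setParentObjectClassType(AppConstants.CLASS_TYPE_XA_SERVICE);
    xTrxLog.setParentObjectId(parentObj.getId());
    xTrxLog.setParentObjectName(parentObj.getName());
    return xTrxLog;
}

/**
 * Renders the new value of a policy field for the transaction log.
 *
 * @param fieldName name of the {@link RangerPolicy} field
 * @param rawValue  the field's value as read by reflection from the view bean
 * @param vObj      the view bean itself (needed for the data-mask label lookup)
 * @return the rendered text; fields without a dedicated renderer fall back to {@code "" + rawValue}
 */
private String renderPolicyFieldForTrxLog(String fieldName, Object rawValue, RangerPolicy vObj) {
    if (POLICY_RESOURCE_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return processPolicyResourcesForTrxLog(rawValue);
    }
    if (POLICY_ITEM_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)
            || DENYPOLICY_ITEM_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)
            || ALLOW_EXCEPTIONS_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)
            || DENY_EXCEPTIONS_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return processPolicyItemsForTrxLog(rawValue);
    }
    if (POLICY_NAME_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return processPolicyNameForTrxLog(rawValue);
    }
    if (DATAMASK_POLICY_ITEM_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return appendDataMaskLabels(processDataMaskPolicyItemsForTrxLog(rawValue), vObj.getDataMaskPolicyItems());
    }
    if (ROWFILTER_POLICY_ITEM_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return processRowFilterPolicyItemForTrxLog(rawValue);
    }
    if (IS_ENABLED_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return String.valueOf(processIsEnabledClassFieldNameForTrxLog(rawValue));
    }
    if (POLICY_LABELS_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return processPolicyLabelsClassFieldNameForTrxLog(rawValue);
    }
    if (POLICY_VALIDITYSCHEDULES_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return processValiditySchedulesClassFieldNameForTrxLog(rawValue);
    }
    if (POLICY_PRIORITY_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return processPriorityClassFieldNameForTrxLog(rawValue);
    }
    return "" + rawValue;
}

/**
 * Reads the previous value of a field straight off the persisted entity by reflection.
 *
 * <p>Only the runtime class's own declared fields are searched (not inherited ones); the
 * match is case-insensitive on the field name.
 *
 * @param fieldName name of the field to look up
 * @param mObj      the persisted entity
 * @return the field value rendered as {@code value + ""}, or {@code null} when no field matches
 * @throws IllegalAccessException if the matched field cannot be read
 */
private String reflectPreviousValue(String fieldName, XXPolicy mObj) throws IllegalAccessException {
    for (Field mField : mObj.getClass().getDeclaredFields()) {
        if (fieldName.equalsIgnoreCase(mField.getName())) {
            mField.setAccessible(true);
            return mField.get(mObj) + "";
        }
    }
    return null;
}

/**
 * Renders the previous value of a policy field from the old view bean, using the same
 * renderer as the new value so the two sides are comparable.
 *
 * @param fieldName name of the {@link RangerPolicy} field
 * @param oldPolicy the view bean built from the persisted entity; must not be null
 * @param fallback  the value to return for fields that have no dedicated renderer
 * @return the rendered previous value, or {@code fallback}
 */
private String renderPreviousPolicyField(String fieldName, RangerPolicy oldPolicy, String fallback) {
    if (POLICY_RESOURCE_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return processPolicyResourcesForTrxLog(oldPolicy.getResources());
    }
    if (POLICY_ITEM_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return processPolicyItemsForTrxLog(oldPolicy.getPolicyItems());
    }
    if (DENYPOLICY_ITEM_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return processPolicyItemsForTrxLog(oldPolicy.getDenyPolicyItems());
    }
    if (POLICY_NAME_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return processPolicyNameForTrxLog(oldPolicy.getName());
    }
    if (POLICY_DESCRIPTION_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return processPolicyNameForTrxLog(oldPolicy.getDescription());
    }
    if (ALLOW_EXCEPTIONS_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return processPolicyItemsForTrxLog(oldPolicy.getAllowExceptions());
    }
    if (DENY_EXCEPTIONS_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return processPolicyItemsForTrxLog(oldPolicy.getDenyExceptions());
    }
    if (DATAMASK_POLICY_ITEM_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return appendDataMaskLabels(processDataMaskPolicyItemsForTrxLog(oldPolicy.getDataMaskPolicyItems()), oldPolicy.getDataMaskPolicyItems());
    }
    if (ROWFILTER_POLICY_ITEM_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return processRowFilterPolicyItemForTrxLog(oldPolicy.getRowFilterPolicyItems());
    }
    if (IS_ENABLED_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return String.valueOf(processIsEnabledClassFieldNameForTrxLog(oldPolicy.getIsEnabled()));
    }
    // The three renderers below used to be reached without a null check on oldPolicy; the
    // caller now guards that, so a missing old view bean keeps the reflected value instead of NPE-ing.
    if (POLICY_LABELS_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return processPolicyLabelsClassFieldNameForTrxLog(oldPolicy.getPolicyLabels());
    }
    if (POLICY_VALIDITYSCHEDULES_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return processValiditySchedulesClassFieldNameForTrxLog(oldPolicy.getValiditySchedules());
    }
    if (POLICY_PRIORITY_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return processPriorityClassFieldNameForTrxLog(oldPolicy.getPolicyPriority());
    }
    return fallback;
}

/**
 * Applies the per-field semantic comparison used on update.
 *
 * @param fieldName name of the {@link RangerPolicy} field
 * @param value     rendered new value
 * @param oldValue  rendered previous value (non-null)
 * @return {@code true} when the field's comparator reports no change; {@code false} for fields
 *         that have no comparator (they are then logged on the basis of the textual check alone)
 */
private boolean isUnchangedByFieldComparison(String fieldName, String value, String oldValue) {
    if (POLICY_RESOURCE_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return compareTwoPolicyResources(value, oldValue);
    }
    if (POLICY_ITEM_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)
            || DENYPOLICY_ITEM_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)
            || ALLOW_EXCEPTIONS_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)
            || DENY_EXCEPTIONS_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return compareTwoPolicyItemList(value, oldValue);
    }
    if (POLICY_NAME_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return compareTwoPolicyName(value, oldValue);
    }
    if (POLICY_DESCRIPTION_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return org.apache.commons.lang.StringUtils.equals(value, oldValue);
    }
    if (DATAMASK_POLICY_ITEM_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return compareTwoDataMaskingPolicyItemList(value, oldValue);
    }
    if (ROWFILTER_POLICY_ITEM_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return compareTwoRowFilterPolicyItemList(value, oldValue);
    }
    if (POLICY_LABELS_CLASS_FIELD_NAME.equalsIgnoreCase(fieldName)) {
        return compareTwoPolicyLabelList(value, oldValue);
    }
    return false;
}

/**
 * Appends a {@code "DataMasklabel"} entry, looked up from the data-mask type definitions, to the
 * rendered data-mask policy items. One label is inserted (just before the closing {@code }]})
 * per item whose mask type matches a definition by name, in item order.
 *
 * <p>The definitions are loaded once per call instead of once per item, and a rendered text
 * without a closing {@code }]} is left untouched instead of failing on {@code insert(-1, ...)}.
 *
 * @param rendered the text produced by processDataMaskPolicyItemsForTrxLog; may be null
 * @param items    the data-mask policy items the text was rendered from; may be null or empty
 * @return the text with labels appended, or {@code rendered} unchanged when there is nothing to add
 */
private String appendDataMaskLabels(String rendered, List<RangerDataMaskPolicyItem> items) {
    if (rendered == null || !CollectionUtils.isNotEmpty(items)) {
        return rendered;
    }
    List<XXDataMaskTypeDef> maskTypeDefs = null; // fetched at most once, on first use
    StringBuilder sb = new StringBuilder(rendered);
    for (RangerDataMaskPolicyItem item : items) {
        if (item == null || item.getDataMaskInfo() == null || item.getDataMaskInfo().getDataMaskType() == null) {
            continue;
        }
        if (maskTypeDefs == null) {
            maskTypeDefs = daoMgr.getXXDataMaskTypeDef().getAll();
            if (!CollectionUtils.isNotEmpty(maskTypeDefs)) {
                break; // no definitions at all: nothing can be labelled
            }
        }
        String maskType = item.getDataMaskInfo().getDataMaskType();
        for (XXDataMaskTypeDef def : maskTypeDefs) {
            if (maskType.equalsIgnoreCase(def.getName())) {
                int closing = sb.lastIndexOf("}]");
                if (closing >= 0) {
                    sb.insert(closing, ",\"DataMasklabel\":\"" + def.getLabel() + "\"");
                }
                break;
            }
        }
    }
    return sb.toString();
}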
use of org.apache.ranger.entity.XXService in project ranger by apache.
the class ServiceREST method ensureAdminAccess.
/**
 * Verifies that the current user may administer the given policy; throws the REST exception
 * built by {@code restErrorUtil.createRESTException} otherwise.
 *
 * <p>Users that are neither admin nor key admin must hold delegated-admin privilege on the
 * policy's resources; when no delegated-admin policy engine exists for the service the check
 * fails closed. Admins are refused on KMS-backed services and key admins on everything else,
 * so the policy's service type is resolved from the DB to make that distinction.
 *
 * @param policy the policy being administered; its service name drives every lookup
 */
void ensureAdminAccess(RangerPolicy policy) {
    final boolean isAdmin = bizUtil.isAdmin();
    final boolean isKeyAdmin = bizUtil.isKeyAdmin();
    final String userName = bizUtil.getCurrentUserLoginId();

    if (!isAdmin && !isKeyAdmin) {
        // Delegated-admin path: denied unless an engine exists for the service and grants access.
        boolean allowed = false;
        RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(policy.getService());
        if (policyEngine != null) {
            Set<String> userGroups = userMgr.getGroupsForUser(userName);
            allowed = hasAdminAccess(policy, userName, userGroups);
        }
        if (!allowed) {
            throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "User '" + userName + "' does not have delegated-admin privilege on given resources", true);
        }
        return;
    }

    // Admin / key-admin path: the only question is whether the service is KMS-backed.
    // NOTE(review): an unknown service name would NPE on xService.getType() — assumed not
    // reachable for a persisted policy; confirm.
    XXService xService = daoManager.getXXService().findByName(policy.getService());
    XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
    boolean isKmsService = EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname());
    if (isAdmin) {
        if (isKmsService) {
            throw restErrorUtil.createRESTException("KMS Policies/Services/Service-Defs are not accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION);
        }
    } else if (!isKmsService) {
        // Only key admins reach this branch (isAdmin is false, so isKeyAdmin must be true).
        throw restErrorUtil.createRESTException("Only KMS Policies/Services/Service-Defs are accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION);
    }
}
use of org.apache.ranger.entity.XXService in project ranger by apache.
the class ServiceREST method ensureAdminAndAuditAccess.
/**
 * Verifies that the current user may administer or audit the given policy; throws the REST
 * exception built by {@code restErrorUtil.createRESTException} otherwise.
 *
 * <p>Same shape as {@code ensureAdminAccess}, with the audit roles folded in: admins and audit
 * admins are refused on KMS-backed services, key admins and audit key admins on everything
 * else. Users holding none of the four roles must have delegated-admin privilege on the
 * policy's resources, and that check fails closed when no policy engine exists for the service.
 *
 * @param policy the policy being accessed; its service name drives every lookup
 */
void ensureAdminAndAuditAccess(RangerPolicy policy) {
    final boolean isAdmin = bizUtil.isAdmin();
    final boolean isKeyAdmin = bizUtil.isKeyAdmin();
    final String userName = bizUtil.getCurrentUserLoginId();
    final boolean isAuditAdmin = bizUtil.isAuditAdmin();
    final boolean isAuditKeyAdmin = bizUtil.isAuditKeyAdmin();

    final boolean hasAnyAdminRole = isAdmin || isKeyAdmin || isAuditAdmin || isAuditKeyAdmin;
    if (!hasAnyAdminRole) {
        // Delegated-admin path: denied unless an engine exists for the service and grants access.
        boolean allowed = false;
        RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(policy.getService());
        if (policyEngine != null) {
            Set<String> userGroups = userMgr.getGroupsForUser(userName);
            allowed = hasAdminAccess(policy, userName, userGroups);
        }
        if (!allowed) {
            throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "User '" + userName + "' does not have delegated-admin privilege on given resources", true);
        }
        return;
    }

    // Role-holder path: the only question is whether the service is KMS-backed.
    // NOTE(review): an unknown service name would NPE on xService.getType() — assumed not
    // reachable for a persisted policy; confirm.
    XXService xService = daoManager.getXXService().findByName(policy.getService());
    XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
    boolean isKmsService = EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname());
    if (isAdmin || isAuditAdmin) {
        if (isKmsService) {
            throw restErrorUtil.createRESTException("KMS Policies/Services/Service-Defs are not accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION);
        }
    } else if (!isKmsService) {
        // Only key admins / audit key admins reach this branch (the other two roles are false).
        throw restErrorUtil.createRESTException("Only KMS Policies/Services/Service-Defs are accessible for user '" + userName + "'.", MessageEnums.OPER_NO_PERMISSION);
    }
}
use of org.apache.ranger.entity.XXService in project ranger by apache.
the class KmsKeyMgr method getKMSPassword.
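/**
 * Resolves and decrypts the KMS password stored in the named service's configuration.
 *
 * <p>The decrypted value is only returned to the caller; it is never logged or included in
 * any error message here.
 *
 * @param srvName name of the Ranger service whose {@code KMS_PASSWORD} config entry is read
 * @return the decrypted password
 * @throws IllegalStateException when the service, or its {@code KMS_PASSWORD} entry, does not exist
 * @throws Exception             propagated from {@code PasswordUtils.decryptPassword}
 */
private String getKMSPassword(String srvName) throws Exception {
    XXService rangerService = rangerDaoManagerBase.getXXService().findByName(srvName);
    if (rangerService == null) {
        // Explicit failure instead of an NPE on getId(); the message carries no secret.
        throw new IllegalStateException("Service '" + srvName + "' not found");
    }
    XXServiceConfigMap xxConfigMap = rangerDaoManagerBase.getXXServiceConfigMap().findByServiceAndConfigKey(rangerService.getId(), KMS_PASSWORD);
    if (xxConfigMap == null) {
        throw new IllegalStateException("Config '" + KMS_PASSWORD + "' not found for service '" + srvName + "'");
    }
    String encryptedPwd = xxConfigMap.getConfigvalue();
    return PasswordUtils.decryptPassword(encryptedPwd);
}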
use of org.apache.ranger.entity.XXService in project ranger by apache.
the class RangerBizUtil method hasAccess.
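/**
 * Decides whether the current user session may see the given DB entity.
 *
 * <p>Only {@link XXServiceDef} and {@link XXService} rows are evaluated; any other entity
 * (or {@code null}) yields {@code false}. A KMS-backed service definition is visible only to
 * key admins and audit key admins; any other service definition to sys admins, auditors and
 * users. Services are visible to sys admins and auditors regardless of type (KMS included);
 * otherwise a KMS-backed service needs a key admin or audit key admin, any other service a user.
 *
 * <p>Fail-open: when no user session is present at all, access is granted. Existing callers
 * rely on this (presumably for internal, non-request code paths — confirm before tightening).
 *
 * @param xxDbBase  the persisted entity to check; only service-def and service rows are evaluated
 * @param baseModel not used by this method; kept for the shared signature
 * @return {@code true} when access is allowed
 *
 * @NOTE: Kindly check all the references of this function before making any changes
 */
public Boolean hasAccess(XXDBBase xxDbBase, RangerBaseModelObject baseModel) {
    UserSessionBase session = ContextUtil.getCurrentUserSession();
    if (session == null) {
        logger.info("User session not found, granting access.");
        return true;
    }
    boolean isKeyAdmin = session.isKeyAdmin();
    boolean isSysAdmin = session.isUserAdmin();
    boolean isAuditor = session.isAuditUserAdmin();
    boolean isAuditorKeyAdmin = session.isAuditKeyAdmin();
    List<String> roleList = session.getUserRoleList();
    // A session without a role list is treated as holding no roles rather than failing.
    boolean isUser = roleList != null && roleList.contains(RangerConstants.ROLE_USER);

    if (xxDbBase instanceof XXServiceDef) {
        // implClass can be null (non-embedded defs); equals() on the constant handles that.
        XXServiceDef xServiceDef = (XXServiceDef) xxDbBase;
        boolean isKms = EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname());
        return isKms ? (isKeyAdmin || isAuditorKeyAdmin) : (isSysAdmin || isUser || isAuditor);
    }
    if (xxDbBase instanceof XXService) {
        // Services, KMS included, are always visible to sys admins and auditors.
        if (isSysAdmin || isAuditor) {
            return true;
        }
        XXService xService = (XXService) xxDbBase;
        XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
        if (xServiceDef == null) {
            // Service whose definition cannot be resolved: deny (fail closed) rather than NPE.
            return false;
        }
        boolean isKms = EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xServiceDef.getImplclassname());
        return isKms ? (isKeyAdmin || isAuditorKeyAdmin) : isUser;
    }
    return false;
}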