Example 51 with XXServiceDef
use of org.apache.ranger.entity.XXServiceDef in project ranger by apache.
the class ServiceREST method updateService.
@PUT
@Path("/services/{id}")
@Produces({ "application/json", "application/xml" })
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_SERVICE + "\")")
public RangerService updateService(RangerService service, @Context HttpServletRequest request) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.updateService(): " + service);
}
RangerService ret = null;
RangerPerfTracer perf = null;
try {
if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.updateService(serviceName=" + service.getName() + ")");
}
RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
validator.validate(service, Action.UPDATE);
bizUtil.hasAdminPermissions("Services");
// TODO: As of now we are allowing SYS_ADMIN to create all the
// services including KMS
XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(service.getType());
bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
bizUtil.blockAuditorRoleUser();
Map<String, Object> options = getOptions(request);
ret = svcStore.updateService(service, options);
} catch (WebApplicationException excp) {
throw excp;
} catch (Throwable excp) {
LOG.error("updateService(" + service + ") failed", excp);
throw restErrorUtil.createRESTException(excp.getMessage());
} finally {
RangerPerfTracer.log(perf);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceREST.updateService(" + service + "): " + ret);
}
return ret;
}
Also used :
XXServiceDef(org.apache.ranger.entity.XXServiceDef)
WebApplicationException(javax.ws.rs.WebApplicationException)
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
RangerService(org.apache.ranger.plugin.model.RangerService)
VXString(org.apache.ranger.view.VXString)
RangerServiceValidator(org.apache.ranger.plugin.model.validation.RangerServiceValidator)
Path(javax.ws.rs.Path)
Produces(javax.ws.rs.Produces)
PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)
PUT(javax.ws.rs.PUT)
Example 52 with XXServiceDef
use of org.apache.ranger.entity.XXServiceDef in project ranger by apache.
the class ServiceREST method createService.
@POST
@Path("/services")
@Produces({ "application/json", "application/xml" })
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_SERVICE + "\")")
public RangerService createService(RangerService service) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.createService(" + service + ")");
}
RangerService ret = null;
RangerPerfTracer perf = null;
try {
if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createService(serviceName=" + service.getName() + ")");
}
RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
validator.validate(service, Action.CREATE);
UserSessionBase session = ContextUtil.getCurrentUserSession();
XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(service.getType());
if (session != null && !session.isSpnegoEnabled()) {
bizUtil.hasAdminPermissions("Services");
// TODO: As of now we are allowing SYS_ADMIN to create all the
// services including KMS
bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
}
if (session != null && session.isSpnegoEnabled()) {
if (session.isKeyAdmin() && !EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xxServiceDef.getImplclassname())) {
throw restErrorUtil.createRESTException("KeyAdmin can create/update/delete only KMS ", MessageEnums.OPER_NO_PERMISSION);
}
if ((!session.isKeyAdmin() && !session.isUserAdmin()) && EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xxServiceDef.getImplclassname())) {
throw restErrorUtil.createRESTException("User cannot create/update/delete KMS Service", MessageEnums.OPER_NO_PERMISSION);
}
}
bizUtil.blockAuditorRoleUser();
ret = svcStore.createService(service);
} catch (WebApplicationException excp) {
throw excp;
} catch (Throwable excp) {
LOG.error("createService(" + service + ") failed", excp);
throw restErrorUtil.createRESTException(excp.getMessage());
} finally {
RangerPerfTracer.log(perf);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceREST.createService(" + service + "): " + ret);
}
return ret;
}
Also used :
XXServiceDef(org.apache.ranger.entity.XXServiceDef)
WebApplicationException(javax.ws.rs.WebApplicationException)
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
RangerService(org.apache.ranger.plugin.model.RangerService)
RangerServiceValidator(org.apache.ranger.plugin.model.validation.RangerServiceValidator)
UserSessionBase(org.apache.ranger.common.UserSessionBase)
Path(javax.ws.rs.Path)
POST(javax.ws.rs.POST)
Produces(javax.ws.rs.Produces)
PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)
Example 53 with XXServiceDef
use of org.apache.ranger.entity.XXServiceDef in project ranger by apache.
the class ServiceREST method secureGrantAccess.
@POST
@Path("/secure/services/grant/{serviceName}")
@Produces({ "application/json", "application/xml" })
public RESTResponse secureGrantAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest grantRequest, @Context HttpServletRequest request) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.secureGrantAccess(" + serviceName + ", " + grantRequest + ")");
}
RESTResponse ret = new RESTResponse();
RangerPerfTracer perf = null;
boolean isAllowed = false;
boolean isKeyAdmin = bizUtil.isKeyAdmin();
bizUtil.blockAuditorRoleUser();
if (grantRequest != null) {
if (serviceUtil.isValidService(serviceName, request)) {
try {
if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.scureGrantAccess(serviceName=" + serviceName + ")");
}
validateGrantRevokeRequest(grantRequest);
String userName = grantRequest.getGrantor();
Set<String> userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
XXService xService = daoManager.getXXService().findByName(serviceName);
XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
RangerService rangerService = svcStore.getServiceByName(serviceName);
if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
if (isKeyAdmin) {
isAllowed = true;
} else {
isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName);
}
} else {
if (isAdmin) {
isAllowed = true;
} else {
isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName);
}
}
if (isAllowed) {
RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, userName);
if (policy != null) {
boolean policyUpdated = false;
policyUpdated = ServiceRESTUtil.processGrantRequest(policy, grantRequest);
if (policyUpdated) {
svcStore.updatePolicy(policy);
} else {
LOG.error("processSecureGrantRequest processing failed");
throw new Exception("processSecureGrantRequest processing failed");
}
} else {
policy = new RangerPolicy();
policy.setService(serviceName);
// TODO: better policy name
policy.setName("grant-" + System.currentTimeMillis());
policy.setDescription("created by grant");
policy.setIsAuditEnabled(grantRequest.getEnableAudit());
policy.setCreatedBy(userName);
Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>();
Set<String> resourceNames = resource.getKeys();
if (!CollectionUtils.isEmpty(resourceNames)) {
for (String resourceName : resourceNames) {
RangerPolicyResource policyResource = new RangerPolicyResource((String) resource.getValue(resourceName));
policyResource.setIsRecursive(grantRequest.getIsRecursive());
policyResources.put(resourceName, policyResource);
}
}
policy.setResources(policyResources);
RangerPolicyItem policyItem = new RangerPolicyItem();
policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin());
policyItem.getUsers().addAll(grantRequest.getUsers());
policyItem.getGroups().addAll(grantRequest.getGroups());
for (String accessType : grantRequest.getAccessTypes()) {
policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE));
}
policy.getPolicyItems().add(policyItem);
svcStore.createPolicy(policy);
}
} else {
LOG.error("secureGrantAccess(" + serviceName + ", " + grantRequest + ") failed as User doesn't have permission to grant Policy");
throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to grant access");
}
} catch (WebApplicationException excp) {
throw excp;
} catch (Throwable excp) {
LOG.error("secureGrantAccess(" + serviceName + ", " + grantRequest + ") failed", excp);
throw restErrorUtil.createRESTException(excp.getMessage());
} finally {
RangerPerfTracer.log(perf);
}
ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
}
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceREST.secureGrantAccess(" + serviceName + ", " + grantRequest + "): " + ret);
}
return ret;
}
Also used :
XXServiceDef(org.apache.ranger.entity.XXServiceDef)
WebApplicationException(javax.ws.rs.WebApplicationException)
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
LinkedHashMap(java.util.LinkedHashMap)
HashMap(java.util.HashMap)
RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)
VXString(org.apache.ranger.view.VXString)
RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem)
WebApplicationException(javax.ws.rs.WebApplicationException)
IOException(java.io.IOException)
JsonSyntaxException(com.google.gson.JsonSyntaxException)
RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy)
RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)
RESTResponse(org.apache.ranger.admin.client.datatype.RESTResponse)
RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess)
RangerService(org.apache.ranger.plugin.model.RangerService)
XXService(org.apache.ranger.entity.XXService)
RangerAccessResource(org.apache.ranger.plugin.policyengine.RangerAccessResource)
Path(javax.ws.rs.Path)
POST(javax.ws.rs.POST)
Produces(javax.ws.rs.Produces)
Example 54 with XXServiceDef
use of org.apache.ranger.entity.XXServiceDef in project ranger by apache.
the class ServiceREST method deleteService.
@DELETE
@Path("/services/{id}")
@Produces({ "application/json", "application/xml" })
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.DELETE_SERVICE + "\")")
public void deleteService(@PathParam("id") Long id) {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.deleteService(" + id + ")");
}
RangerPerfTracer perf = null;
try {
if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.deleteService(serviceId=" + id + ")");
}
RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
validator.validate(id, Action.DELETE);
bizUtil.hasAdminPermissions("Services");
// TODO: As of now we are allowing SYS_ADMIN to create all the
// services including KMS
XXService service = daoManager.getXXService().getById(id);
EmbeddedServiceDefsUtil embeddedServiceDefsUtil = EmbeddedServiceDefsUtil.instance();
if (service.getType().equals(embeddedServiceDefsUtil.getTagServiceDefId())) {
List<XXService> referringServices = daoManager.getXXService().findByTagServiceId(id);
if (!CollectionUtils.isEmpty(referringServices)) {
Set<String> referringServiceNames = new HashSet<String>();
for (XXService xXService : referringServices) {
referringServiceNames.add(xXService.getName());
if (referringServiceNames.size() >= 10) {
break;
}
}
if (referringServices.size() <= 10) {
throw restErrorUtil.createRESTException("Tag service '" + service.getName() + "' is being referenced by " + referringServices.size() + " services: " + referringServiceNames, MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
} else {
throw restErrorUtil.createRESTException("Tag service '" + service.getName() + "' is being referenced by " + referringServices.size() + " services: " + referringServiceNames + " and more..", MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
}
}
}
XXServiceDef xxServiceDef = daoManager.getXXServiceDef().getById(service.getType());
bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
bizUtil.blockAuditorRoleUser();
tagStore.deleteAllTagObjectsForService(service.getName());
svcStore.deleteService(id);
} catch (WebApplicationException excp) {
throw excp;
} catch (Throwable excp) {
LOG.error("deleteService(" + id + ") failed", excp);
throw restErrorUtil.createRESTException(excp.getMessage());
} finally {
RangerPerfTracer.log(perf);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceREST.deleteService(" + id + ")");
}
}
Also used :
XXServiceDef(org.apache.ranger.entity.XXServiceDef)
WebApplicationException(javax.ws.rs.WebApplicationException)
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
EmbeddedServiceDefsUtil(org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil)
VXString(org.apache.ranger.view.VXString)
XXService(org.apache.ranger.entity.XXService)
RangerServiceValidator(org.apache.ranger.plugin.model.validation.RangerServiceValidator)
HashSet(java.util.HashSet)
Path(javax.ws.rs.Path)
DELETE(javax.ws.rs.DELETE)
Produces(javax.ws.rs.Produces)
PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)
Example 55 with XXServiceDef
use of org.apache.ranger.entity.XXServiceDef in project ranger by apache.
the class ServiceREST method getSecureServicePoliciesIfUpdated.
@GET
@Path("/secure/policies/download/{serviceName}")
@Produces({ "application/json", "application/xml" })
public ServicePolicies getSecureServicePoliciesIfUpdated(@PathParam("serviceName") String serviceName, @QueryParam("lastKnownVersion") Long lastKnownVersion, @DefaultValue("0") @QueryParam("lastActivationTime") Long lastActivationTime, @QueryParam("pluginId") String pluginId, @DefaultValue("") @QueryParam("clusterName") String clusterName, @Context HttpServletRequest request) throws Exception {
if (LOG.isDebugEnabled()) {
LOG.debug("==> ServiceREST.getSecureServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ")");
}
ServicePolicies ret = null;
int httpCode = HttpServletResponse.SC_OK;
String logMsg = null;
RangerPerfTracer perf = null;
boolean isAllowed = false;
boolean isAdmin = bizUtil.isAdmin();
boolean isKeyAdmin = bizUtil.isKeyAdmin();
request.setAttribute("downloadPolicy", "secure");
Long downloadedVersion = null;
boolean isValid = false;
try {
isValid = serviceUtil.isValidService(serviceName, request);
} catch (WebApplicationException webException) {
httpCode = webException.getResponse().getStatus();
logMsg = webException.getResponse().getEntity().toString();
} catch (Exception e) {
httpCode = HttpServletResponse.SC_BAD_REQUEST;
logMsg = e.getMessage();
}
if (isValid) {
if (lastKnownVersion == null) {
lastKnownVersion = Long.valueOf(-1);
}
try {
if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getSecureServicePoliciesIfUpdated(serviceName=" + serviceName + ",lastKnownVersion=" + lastKnownVersion + ",lastActivationTime=" + lastActivationTime + ")");
}
XXService xService = daoManager.getXXService().findByName(serviceName);
XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
RangerService rangerService = null;
if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
rangerService = svcStore.getServiceByNameForDP(serviceName);
if (isKeyAdmin) {
isAllowed = true;
} else {
if (rangerService != null) {
isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Download);
if (!isAllowed) {
isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Grant_Revoke);
}
}
}
} else {
rangerService = svcStore.getServiceByName(serviceName);
if (isAdmin) {
isAllowed = true;
} else {
if (rangerService != null) {
isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Download);
if (!isAllowed) {
isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Grant_Revoke);
}
}
}
}
if (isAllowed) {
ServicePolicies servicePolicies = svcStore.getServicePoliciesIfUpdated(serviceName, lastKnownVersion);
if (servicePolicies == null) {
downloadedVersion = lastKnownVersion;
httpCode = HttpServletResponse.SC_NOT_MODIFIED;
logMsg = "No change since last update";
} else {
downloadedVersion = servicePolicies.getPolicyVersion();
ret = filterServicePolicies(servicePolicies);
httpCode = HttpServletResponse.SC_OK;
logMsg = "Returning " + (ret.getPolicies() != null ? ret.getPolicies().size() : 0) + " policies. Policy version=" + ret.getPolicyVersion();
}
} else {
LOG.error("getSecureServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ") failed as User doesn't have permission to download Policy");
httpCode = HttpServletResponse.SC_UNAUTHORIZED;
logMsg = "User doesn't have permission to download policy";
}
} catch (Throwable excp) {
LOG.error("getSecureServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + lastActivationTime + ") failed");
httpCode = HttpServletResponse.SC_BAD_REQUEST;
logMsg = excp.getMessage();
} finally {
createPolicyDownloadAudit(serviceName, lastKnownVersion, pluginId, httpCode, clusterName, request);
RangerPerfTracer.log(perf);
}
}
assetMgr.createPluginInfo(serviceName, pluginId, request, RangerPluginInfo.ENTITY_TYPE_POLICIES, downloadedVersion, lastKnownVersion, lastActivationTime, httpCode);
if (httpCode != HttpServletResponse.SC_OK) {
boolean logError = httpCode != HttpServletResponse.SC_NOT_MODIFIED;
throw restErrorUtil.createRESTException(httpCode, logMsg, logError);
}
if (LOG.isDebugEnabled()) {
LOG.debug("<== ServiceREST.getSecureServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + lastActivationTime + "): count=" + ((ret == null || ret.getPolicies() == null) ? 0 : ret.getPolicies().size()));
}
return ret;
}
Also used :
XXServiceDef(org.apache.ranger.entity.XXServiceDef)
ServicePolicies(org.apache.ranger.plugin.util.ServicePolicies)
WebApplicationException(javax.ws.rs.WebApplicationException)
RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)
VXString(org.apache.ranger.view.VXString)
RangerService(org.apache.ranger.plugin.model.RangerService)
XXService(org.apache.ranger.entity.XXService)
WebApplicationException(javax.ws.rs.WebApplicationException)
IOException(java.io.IOException)
JsonSyntaxException(com.google.gson.JsonSyntaxException)
Path(javax.ws.rs.Path)
Produces(javax.ws.rs.Produces)
GET(javax.ws.rs.GET)
Aggregations
XXServiceDef (org.apache.ranger.entity.XXServiceDef)79
Test (org.junit.Test)38
XXService (org.apache.ranger.entity.XXService)34
RangerService (org.apache.ranger.plugin.model.RangerService)26
XXServiceDefDao (org.apache.ranger.db.XXServiceDefDao)25
VXString (org.apache.ranger.view.VXString)22
RangerServiceDef (org.apache.ranger.plugin.model.RangerServiceDef)21
WebApplicationException (javax.ws.rs.WebApplicationException)20
ArrayList (java.util.ArrayList)14
Date (java.util.Date)14
XXServiceDao (org.apache.ranger.db.XXServiceDao)13
Path (javax.ws.rs.Path)11
Produces (javax.ws.rs.Produces)11
RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)11
RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)9
RangerAccessTypeDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerAccessTypeDef)8
RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)7
PreAuthorize (org.springframework.security.access.prepost.PreAuthorize)7
IOException (java.io.IOException)6
XXPortalUser (org.apache.ranger.entity.XXPortalUser)6
