
Example 11 with RangerRole

use of org.apache.ranger.plugin.model.RangerRole in project ranger by apache.

the class RoleREST method addUsersAndGroups.

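/**
 * Adds the given users and groups to the role identified by {@code roleId}, with or without the
 * role-admin (GRANT) option, using add-or-update semantics: members already in the role keep their
 * membership, members named in the request get their admin flag set to {@code isAdmin}, and names
 * not yet in the role are appended once.
 *
 * <p>Authorization: Ranger admin only ({@code ensureAdminAccess(null, null)}). The check runs before
 * the user list is inspected and before the role is loaded, so an unauthorized caller learns nothing
 * about the role or the validity of the supplied names.
 *
 * <p>The previous implementation dropped every existing member that was not named in the request
 * (and, with {@code isAdmin=false}, even the named ones), which contradicted the documented
 * add-or-update contract; it also compared boxed {@code Boolean}s by reference.
 *
 * @param roleId  id of the role to modify
 * @param users   user names to add or update; {@code null} is treated as empty
 * @param groups  group names to add or update; {@code null} is treated as empty
 * @param isAdmin whether the listed members receive the admin option; {@code null} means {@code false}
 * @return the role as returned by {@code roleStore.updateRole}
 * @throws WebApplicationException when access is denied, a user name is invalid, or the update fails
 */
@PUT
@Path("/roles/{id}/addUsersAndGroups")
public RangerRole addUsersAndGroups(Long roleId, List<String> users, List<String> groups, Boolean isAdmin) {
    // NOTE(review): the parameters carry no JAX-RS binding annotations (@PathParam/@QueryParam) in
    // this listing; confirm how roleId and the two lists are bound when this is invoked over HTTP.
    final List<String> userNames = users == null ? new ArrayList<String>() : users;
    final List<String> groupNames = groups == null ? new ArrayList<String>() : groups;
    // Normalize the flag once: null and false both mean "no admin option". Value comparison replaces
    // the original reference comparison (isAdmin == Boolean.TRUE), which breaks for non-canonical Booleans.
    final boolean grantAdmin = Boolean.TRUE.equals(isAdmin);

    if (LOG.isDebugEnabled()) {
        LOG.debug("==> addUsersAndGroups(id=" + roleId + ", users=" + userNames + ", groups=" + groupNames + ", isAdmin=" + grantAdmin + ")");
    }
    RangerRole role;
    try {
        // Authorize first; nothing below runs for a non-admin caller.
        ensureAdminAccess(null, null);
        if (containsInvalidUser(userNames)) {
            throw new Exception("Invalid role user(s)");
        }
        role = getRole(roleId);

        // Rebuild both member lists keyed by name so that every existing member is retained, members
        // named in the request have their admin flag updated, and new names are appended exactly once.
        // Tracking names in a Set avoids depending on RoleMember's equals/hashCode.
        List<RangerRole.RoleMember> roleUsers = new ArrayList<>();
        Set<String> requestedUsers = new HashSet<>(userNames);
        Set<String> seenUsers = new HashSet<>();
        if (role.getUsers() != null) {
            for (RangerRole.RoleMember member : role.getUsers()) {
                if (requestedUsers.contains(member.getName())) {
                    member.setIsAdmin(grantAdmin);
                }
                if (seenUsers.add(member.getName())) {
                    roleUsers.add(member);
                }
            }
        }
        for (String user : userNames) {
            if (seenUsers.add(user)) {
                roleUsers.add(new RangerRole.RoleMember(user, grantAdmin));
            }
        }

        List<RangerRole.RoleMember> roleGroups = new ArrayList<>();
        Set<String> requestedGroups = new HashSet<>(groupNames);
        Set<String> seenGroups = new HashSet<>();
        if (role.getGroups() != null) {
            for (RangerRole.RoleMember member : role.getGroups()) {
                if (requestedGroups.contains(member.getName())) {
                    member.setIsAdmin(grantAdmin);
                }
                if (seenGroups.add(member.getName())) {
                    roleGroups.add(member);
                }
            }
        }
        for (String group : groupNames) {
            if (seenGroups.add(group)) {
                roleGroups.add(new RangerRole.RoleMember(group, grantAdmin));
            }
        }

        role.setUsers(roleUsers);
        role.setGroups(roleGroups);
        role = roleStore.updateRole(role, false);
    } catch (WebApplicationException excp) {
        throw excp;
    } catch (Throwable excp) {
        LOG.error("addUsersAndGroups() failed", excp);
        throw restErrorUtil.createRESTException(excp.getMessage());
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== addUsersAndGroups(id=" + roleId + ", users=" + userNames + ", groups=" + groupNames + ", isAdmin=" + grantAdmin + ")");
    }
    return role;
}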

Example 12 with RangerRole

use of org.apache.ranger.plugin.model.RangerRole in project ranger by apache.

the class RoleREST method grantRole.

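/**
 * Grants the target roles named in {@code grantRoleRequest} to its users, groups and roles, with or
 * without the ADMIN option (add-or-update semantics).
 *
 * <p>Authorization is decided per target role by
 * {@code getRoleIfAccessible(roleName, serviceName, userName, userGroups)}: the effective user is the
 * request's grantor; when that is not the logged-in user, the logged-in user must be a Ranger admin,
 * service admin or service user for the impersonation to be allowed; the effective user must then be
 * a Ranger admin or hold the admin option on the role. A {@code null} result means "denied".
 *
 * @param serviceName      service whose roles are being granted
 * @param grantRoleRequest grantor, grantor groups, target roles, grantees and the grant option
 * @param request          the HTTP request (not used by this method)
 * @return a response carrying {@code STATUS_SUCCESS} once every target role has been updated
 * @throws WebApplicationException when validation or authorization fails, or an update fails
 */
@PUT
@Consumes({ "application/json", "application/xml" })
@Produces({ "application/json", "application/xml" })
@Path("/roles/grant/{serviceName}")
public RESTResponse grantRole(@PathParam("serviceName") String serviceName, GrantRevokeRoleRequest grantRoleRequest, @Context HttpServletRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RoleREST.grantRole(" + serviceName + ", " + grantRoleRequest + ")");
    }
    RESTResponse ret = new RESTResponse();
    try {
        validateUsersGroupsAndRoles(grantRoleRequest);
        String userName = grantRoleRequest.getGrantor();
        // NOTE(review): both the grantor and grantorGroups come from the request body, and
        // caller-supplied groups take precedence over the groups looked up for that user. Unless
        // getRoleIfAccessible (or validateUsersGroupsAndRoles) rejects it, a caller acting as
        // themselves could claim membership in a role-admin group — confirm, and consider honouring
        // grantorGroups only when the logged-in user is a trusted service user.
        Set<String> grantorGroups = grantRoleRequest.getGrantorGroups();
        Set<String> userGroups = CollectionUtils.isNotEmpty(grantorGroups) ? grantorGroups : userMgr.getGroupsForUser(userName);
        // Roles are updated one after another; whether a failure midway rolls back the earlier
        // updates depends on the surrounding transaction, which is not visible here.
        for (String roleName : grantRoleRequest.getTargetRoles()) {
            RangerRole existingRole = getRoleIfAccessible(roleName, serviceName, userName, userGroups);
            if (existingRole == null) {
                throw restErrorUtil.createRESTException("User doesn't have permissions to grant role " + roleName);
            }
            existingRole.setUpdatedBy(userName);
            addUsersGroupsAndRoles(existingRole, grantRoleRequest.getUsers(), grantRoleRequest.getGroups(), grantRoleRequest.getRoles(), grantRoleRequest.getGrantOption());
        }
    } catch (WebApplicationException excp) {
        throw excp;
    } catch (Throwable excp) {
        LOG.error("grantRole() failed", excp);
        throw restErrorUtil.createRESTException(excp.getMessage());
    }
    if (LOG.isDebugEnabled()) {
        // Exit marker and labels fixed: the old message printed getRoles() under "groups=".
        LOG.debug("<== grantRole(serviceName=" + serviceName + ", users=" + grantRoleRequest.getUsers() + ", groups=" + grantRoleRequest.getGroups() + ", roles=" + grantRoleRequest.getRoles() + ", isAdmin=" + grantRoleRequest.getGrantOption() + ")");
    }
    ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
    return ret;
}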

Example 13 with RangerRole

use of org.apache.ranger.plugin.model.RangerRole in project ranger by apache.

the class RoleREST method removeAdminFromUsersAndGroups.

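/**
 * Removes the admin (GRANT) option from the listed users and groups of the role identified by
 * {@code roleId}. Membership itself is untouched, and names that are not members of the role are
 * ignored.
 *
 * <p>Authorization: Ranger admin only ({@code ensureAdminAccess(null, null)}), checked before the
 * role is loaded.
 *
 * @param roleId id of the role to modify
 * @param users  user names whose admin option is revoked; {@code null} is treated as empty
 * @param groups group names whose admin option is revoked; {@code null} is treated as empty
 * @return the role as returned by {@code roleStore.updateRole}
 * @throws WebApplicationException when access is denied or the update fails
 */
@PUT
@Path("/roles/{id}/removeAdminFromUsersAndGroups")
public RangerRole removeAdminFromUsersAndGroups(Long roleId, List<String> users, List<String> groups) {
    // Set lookups replace the original nested loops (O(requested x members)); null lists mean "nothing to revoke".
    final Set<String> userNames = users == null ? new HashSet<String>() : new HashSet<String>(users);
    final Set<String> groupNames = groups == null ? new HashSet<String>() : new HashSet<String>(groups);
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> removeAdminFromUsersAndGroups(id=" + roleId + ", users=" + userNames + ", groups=" + groupNames + ")");
    }
    RangerRole role;
    try {
        // Authorize first, then load and modify the role.
        ensureAdminAccess(null, null);
        role = getRole(roleId);
        clearAdminOption(role.getUsers(), userNames);
        clearAdminOption(role.getGroups(), groupNames);
        role = roleStore.updateRole(role, false);
    } catch (WebApplicationException excp) {
        throw excp;
    } catch (Throwable excp) {
        LOG.error("removeAdminFromUsersAndGroups() failed", excp);
        throw restErrorUtil.createRESTException(excp.getMessage());
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== removeAdminFromUsersAndGroups(id=" + roleId + ", users=" + userNames + ", groups=" + groupNames + ")");
    }
    return role;
}

/**
 * Clears the admin flag on every member of {@code members} whose name is in {@code names}.
 * A {@code null} member list is a no-op; a {@code null} admin flag is treated as "not admin"
 * (the original unboxed it and would have thrown).
 *
 * @param members role members to scan; may be {@code null}
 * @param names   member names whose admin option is revoked
 */
private static void clearAdminOption(Iterable<RangerRole.RoleMember> members, Set<String> names) {
    if (members == null || names.isEmpty()) {
        return;
    }
    for (RangerRole.RoleMember member : members) {
        if (names.contains(member.getName()) && Boolean.TRUE.equals(member.getIsAdmin())) {
            member.setIsAdmin(false);
        }
    }
}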

Example 14 with RangerRole

use of org.apache.ranger.plugin.model.RangerRole in project ranger by apache.

the class RoleREST method createRole.

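/**
 * Creates a role. Allowed only when the effective user has Ranger admin privilege: if the role's
 * {@code createdByUser} (execUser) differs from the logged-in user, execUser is the effective user,
 * otherwise the logged-in user is. That decision is made by
 * {@code ensureAdminAccess(String serviceName, String userName)}.
 *
 * @param serviceName             optional service the role belongs to, passed to the admin check
 * @param role                    the role to create; must not be {@code null}
 * @param createNonExistUserGroup when {@code true}, member users/groups that do not exist yet are created
 * @return the persisted role as returned by {@code roleStore.createRole}
 * @throws WebApplicationException when access is denied, validation fails, a member user is invalid,
 *         or the store rejects the role
 */
@POST
@Path("/roles")
public RangerRole createRole(@QueryParam("serviceName") String serviceName, RangerRole role, @DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> createRole(" + role + ")");
    }
    RangerRole ret;
    try {
        if (role == null) {
            throw restErrorUtil.createRESTException("role is null");
        }
        // Authorize before validating. The validator is built around the roleStore and so may
        // consult existing roles; running it first would let an unauthorized caller use its error
        // messages (e.g. a name that already exists) as an oracle. The effective user is taken
        // from the request body (createdByUser); ensureAdminAccess decides whether that
        // impersonation is permitted for the logged-in user.
        String userName = role.getCreatedByUser();
        ensureAdminAccess(serviceName, userName);

        RangerRoleValidator validator = validatorFactory.getRangerRoleValidator(roleStore);
        validator.validate(role, RangerValidator.Action.CREATE);
        if (containsInvalidMember(role.getUsers())) {
            throw new Exception("Invalid role user(s)");
        }
        ret = roleStore.createRole(role, createNonExistUserGroup);
    } catch (WebApplicationException excp) {
        throw excp;
    } catch (Throwable excp) {
        LOG.error("createRole(" + role + ") failed", excp);
        throw restErrorUtil.createRESTException(excp.getMessage());
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== createRole(" + role + "):" + ret);
    }
    return ret;
}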

Example 15 with RangerRole

use of org.apache.ranger.plugin.model.RangerRole in project ranger by apache.

the class RoleDBStore method updateRole.

/**
 * Persists changes to an existing role and propagates the update to everything derived from it.
 *
 * <p>No authorization happens here; the REST layer is expected to have checked access before
 * calling. The only policy enforced is {@code ensureRoleNameUpdateAllowed}, and only when the
 * role's name actually changes.
 *
 * <p>Side effects, in order: a role-version bump is scheduled for transaction commit, the role row
 * is updated through the service layer, the user/group/role reference table is rebuilt, policy
 * versions (and, when roles are downloadable per service, role versions) are bumped, and a
 * transaction-log entry is written against the previous JSON snapshot of the role.
 *
 * @param role                    the role in its new state; its id must belong to an existing role
 * @param createNonExistUserGroup forwarded to the reference updater; whether unknown members get created
 * @return the {@code role} argument as passed in, not the object returned by {@code roleService.update}
 *         (NOTE(review): callers therefore see the pre-persist state — confirm this is intended)
 * @throws Exception if the role does not exist or the service layer fails to update it
 */
@Override
public RangerRole updateRole(RangerRole role, Boolean createNonExistUserGroup) throws Exception {
    final XXRole existing = daoMgr.getXXRole().findByRoleId(role.getId());
    if (existing == null) {
        throw restErrorUtil.createRESTException("role with id: " + role.getId() + " does not exist");
    }

    final boolean nameChanged = !role.getName().equals(existing.getName());
    if (nameChanged) {
        // Renames are subject to their own policy; unchanged names skip the check entirely.
        ensureRoleNameUpdateAllowed(existing.getName());
    }

    // Snapshot of the previous state, needed for the transaction-log diff further down.
    final Gson gson = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z").create();
    final RangerRole previous = gson.fromJson(existing.getRoleText(), RangerRole.class);

    final Runnable versionUpdater = new RoleVersionUpdater(daoMgr);
    transactionSynchronizationAdapter.executeOnTransactionCommit(versionUpdater);

    final RangerRole persisted = roleService.update(role);
    if (persisted == null) {
        throw new Exception("Cannot update role:[" + role + "]");
    }

    roleRefUpdater.createNewRoleMappingForRefTable(persisted, createNonExistUserGroup);
    roleService.updatePolicyVersions(persisted.getId());
    if (ServiceDBStore.isSupportsRolesDownloadByService()) {
        roleService.updateRoleVersions(persisted.getId());
    }

    final List<XXTrxLog> trxLogs = roleService.getTransactionLog(persisted, previous, "update");
    bizUtil.createTrxLog(trxLogs);
    return role;
}
