Examples with RangerRole org.apache.ranger.plugin.model.RangerRole used on opensource projects

Search in sources :

Example 16 with RangerRole

use of org.apache.ranger.plugin.model.RangerRole in project ranger by apache.

the class RangerHivePlugin method getRoleGrantInfoForPrincipal.

@Override
public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal) throws HiveAuthzPluginException, HiveAccessControlException {
    LOG.debug("==> RangerHiveAuthorizer.getRoleGrantInfoForPrincipal() for Principal: " + principal);
    List<HiveRoleGrant> ret = new ArrayList<>();
    List<String> principalInfo = null;
    List<String> userNames = null;
    RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
    boolean result = false;
    if (hivePlugin == null) {
        throw new HiveAuthzPluginException("RangerHiveAuthorizer.getRoleGrantInfoForPrincipal(): HivePlugin initialization failed...");
    }
    UserGroupInformation ugi = getCurrentUserGroupInfo();
    if (ugi == null) {
        throw new HiveAccessControlException("RangerHiveAuthorizer.getRoleGrantInfoForPrincipal(): User information not available...");
    }
    String currentUserName = ugi.getShortUserName();
    try {
        String principalName = principal.getName();
        String type = principal.getType().name();
        userNames = Arrays.asList(currentUserName);
        principalInfo = Collections.singletonList(principal.getType() + " " + principalName);
        if (!hivePlugin.isServiceAdmin(currentUserName) && !principalName.equals(currentUserName)) {
            throw new HiveAccessControlException("Permission denied: user information not available");
        }
        Set<RangerRole> roles = hivePlugin.getRangerRoleForPrincipal(principalName, type);
        if (CollectionUtils.isNotEmpty(roles)) {
            for (RangerRole rangerRole : roles) {
                switch(type) {
                    case "USER":
                        RangerRole.RoleMember userRoleMember = new RangerRole.RoleMember(principalName, false);
                        ret.add(getHiveRoleGrant(rangerRole, userRoleMember, type));
                        break;
                    case "GROUP":
                        RangerRole.RoleMember groupRoleMember = new RangerRole.RoleMember(principalName, false);
                        ret.add(getHiveRoleGrant(rangerRole, groupRoleMember, type));
                        break;
                    case "ROLE":
                        RangerRole.RoleMember roleRoleMember = new RangerRole.RoleMember(principalName, false);
                        ret.add(getHiveRoleGrant(rangerRole, roleRoleMember, type));
                        break;
                }
            }
            result = true;
        }
    } catch (Exception excp) {
        throw new HiveAuthzPluginException(excp);
    } finally {
        RangerAccessResult accessResult = createAuditEvent(hivePlugin, currentUserName, userNames, HiveOperationType.SHOW_ROLE_GRANT, HiveAccessType.SELECT, principalInfo, result);
        hivePlugin.evalAuditPolicies(accessResult);
        auditHandler.processResult(accessResult);
        auditHandler.flushAudit();
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== getRoleGrantInfoForPrincipal(): Principal: " + principal + " Roles: " + ret);
    }
    return ret;
}
Also used : ArrayList(java.util.ArrayList) RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult) HiveAuthzPluginException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException) SemanticException(org.apache.hadoop.hive.ql.parse.SemanticException) HiveAccessControlException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException) HiveAuthzPluginException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException) IOException(java.io.IOException) HiveAccessControlException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException) RangerRole(org.apache.ranger.plugin.model.RangerRole) HiveRoleGrant(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 17 with RangerRole

use of org.apache.ranger.plugin.model.RangerRole in project ranger by apache.

the class RangerHivePlugin method getAllRoles.

@Override
public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerHiveAuthorizer.getAllRoles()");
    }
    List<String> ret = new ArrayList<>();
    RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
    List<String> userNames = null;
    boolean result = false;
    if (hivePlugin == null) {
        throw new HiveAuthzPluginException("RangerHiveAuthorizer.getAllRoles(): HivePlugin initialization failed...");
    }
    UserGroupInformation ugi = getCurrentUserGroupInfo();
    if (ugi == null) {
        throw new HiveAccessControlException("RangerHiveAuthorizer.getAllRoles(): User information not available...");
    }
    String currentUserName = ugi.getShortUserName();
    try {
        if (!hivePlugin.isServiceAdmin(currentUserName)) {
            throw new HiveAccessControlException("RangerHiveAuthorizer.getAllRoles(): User not authorized to run show roles...");
        }
        userNames = Arrays.asList(currentUserName);
        RangerRoles rangerRoles = hivePlugin.getRangerRoles();
        if (rangerRoles != null) {
            Set<RangerRole> roles = rangerRoles.getRangerRoles();
            if (CollectionUtils.isNotEmpty(roles)) {
                for (RangerRole rangerRole : roles) {
                    ret.add(rangerRole.getName());
                }
            }
        }
        result = true;
    } catch (Exception excp) {
        throw new HiveAuthzPluginException(excp);
    } finally {
        RangerAccessResult accessResult = createAuditEvent(hivePlugin, currentUserName, userNames, HiveOperationType.SHOW_ROLES, HiveAccessType.SELECT, null, result);
        hivePlugin.evalAuditPolicies(accessResult);
        auditHandler.processResult(accessResult);
        auditHandler.flushAudit();
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerHiveAuthorizer.getAllRoles() roles: " + ret);
    }
    return ret;
}
Also used : RangerRoles(org.apache.ranger.plugin.util.RangerRoles) ArrayList(java.util.ArrayList) RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult) HiveAuthzPluginException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException) SemanticException(org.apache.hadoop.hive.ql.parse.SemanticException) HiveAccessControlException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException) HiveAuthzPluginException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException) IOException(java.io.IOException) HiveAccessControlException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException) RangerRole(org.apache.ranger.plugin.model.RangerRole) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 18 with RangerRole

use of org.apache.ranger.plugin.model.RangerRole in project ranger by apache.

the class RangerHivePlugin method getPrincipalGrantInfoForRole.

@Override
public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerHiveAuthorizer.getPrincipalGrantInfoForRole() for RoleName: " + roleName);
    }
    List<HiveRoleGrant> ret = new ArrayList<>();
    List<String> roleNames = Arrays.asList(roleName);
    List<String> userNames = null;
    RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
    boolean result = false;
    if (hivePlugin == null) {
        throw new HiveAuthzPluginException("RangerHiveAuthorizer.getPrincipalGrantInfoForRole(): HivePlugin initialization failed...");
    }
    UserGroupInformation ugi = getCurrentUserGroupInfo();
    if (ugi == null) {
        throw new HiveAccessControlException("RangerHiveAuthorizer.getPrincipalGrantInfoForRole(): User information not available...");
    }
    String currentUserName = ugi.getShortUserName();
    try {
        if (!hivePlugin.isServiceAdmin(currentUserName)) {
            throw new HiveAccessControlException("Permission denied: User not authorized to perform this operation!");
        }
        userNames = Arrays.asList(currentUserName);
        if (StringUtils.isNotEmpty(roleName)) {
            RangerRole rangerRole = getRangerRoleForRoleName(roleName);
            if (rangerRole != null) {
                for (RangerRole.RoleMember roleMember : rangerRole.getRoles()) {
                    HiveRoleGrant hiveRoleGrant = getHiveRoleGrant(rangerRole, roleMember, HivePrincipal.HivePrincipalType.ROLE.name());
                    ret.add(hiveRoleGrant);
                }
                for (RangerRole.RoleMember group : rangerRole.getGroups()) {
                    HiveRoleGrant hiveRoleGrant = getHiveRoleGrant(rangerRole, group, HivePrincipal.HivePrincipalType.GROUP.name());
                    ret.add(hiveRoleGrant);
                }
                for (RangerRole.RoleMember user : rangerRole.getUsers()) {
                    HiveRoleGrant hiveRoleGrant = getHiveRoleGrant(rangerRole, user, HivePrincipal.HivePrincipalType.USER.name());
                    ret.add(hiveRoleGrant);
                }
                result = true;
            }
        }
    } catch (Exception excp) {
        throw new HiveAuthzPluginException(excp);
    } finally {
        RangerAccessResult accessResult = createAuditEvent(hivePlugin, currentUserName, userNames, HiveOperationType.SHOW_ROLE_PRINCIPALS, HiveAccessType.SELECT, roleNames, result);
        hivePlugin.evalAuditPolicies(accessResult);
        auditHandler.processResult(accessResult);
        auditHandler.flushAudit();
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerHiveAuthorizer.getPrincipalGrantInfoForRole() for Rolename: " + roleName + " Roles: " + ret);
    }
    return ret;
}
Also used : ArrayList(java.util.ArrayList) RangerAccessResult(org.apache.ranger.plugin.policyengine.RangerAccessResult) HiveAuthzPluginException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException) SemanticException(org.apache.hadoop.hive.ql.parse.SemanticException) HiveAccessControlException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException) HiveAuthzPluginException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException) IOException(java.io.IOException) HiveAccessControlException(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException) RangerRole(org.apache.ranger.plugin.model.RangerRole) HiveRoleGrant(org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 19 with RangerRole

use of org.apache.ranger.plugin.model.RangerRole in project ranger by apache.

the class PublicAPIsv2 method createRole.

/*
	 * Role Creation API
	 */
@POST
@Path("/api/roles")
@Produces({ "application/json", "application/xml" })
public RangerRole createRole(@QueryParam("serviceName") String serviceName, RangerRole role, @DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup, @Context HttpServletRequest request) {
    logger.info("==> PublicAPIsv2.createRole");
    RangerRole ret;
    ret = roleREST.createRole(serviceName, role, createNonExistUserGroup);
    logger.info("<== PublicAPIsv2.createRole" + ret.getName());
    return ret;
}
Also used : RangerRole(org.apache.ranger.plugin.model.RangerRole) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Produces(javax.ws.rs.Produces)

Example 20 with RangerRole

use of org.apache.ranger.plugin.model.RangerRole in project ranger by apache.

the class RoleREST method updateRole.

/* This operation is allowed only when -
     * Logged in user has ranger admin role
     */
@PUT
@Path("/roles/{id}")
public RangerRole updateRole(@PathParam("id") Long roleId, RangerRole role, @DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> updateRole(id=" + roleId + ", " + role + ")");
    }
    if (role.getId() != null && !roleId.equals(role.getId())) {
        throw restErrorUtil.createRESTException("roleId mismatch!!");
    } else {
        role.setId(roleId);
    }
    RangerRole ret;
    try {
        UserSessionBase usb = ContextUtil.getCurrentUserSession();
        String loggedInUser = usb != null ? usb.getLoginId() : null;
        RangerRole existingRole = getRole(roleId);
        if (!bizUtil.isUserRangerAdmin(loggedInUser) && !ensureRoleAccess(loggedInUser, userMgr.getGroupsForUser(loggedInUser), existingRole)) {
            LOG.error("User " + loggedInUser + " does not have permission for this operation");
            throw new Exception("User does not have permission for this operation");
        }
        RangerRoleValidator validator = validatorFactory.getRangerRoleValidator(roleStore);
        validator.validate(role, RangerValidator.Action.UPDATE);
        if (containsInvalidMember(role.getUsers())) {
            throw new Exception("Invalid role user(s)");
        }
        ret = roleStore.updateRole(role, createNonExistUserGroup);
    } catch (WebApplicationException excp) {
        throw excp;
    } catch (Throwable excp) {
        LOG.error("updateRole(" + role + ") failed", excp);
        throw restErrorUtil.createRESTException(excp.getMessage());
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== updateRole(id=" + roleId + ", " + role + "):" + ret);
    }
    return ret;
}
Also used : RangerRole(org.apache.ranger.plugin.model.RangerRole) RangerRoleValidator(org.apache.ranger.plugin.model.validation.RangerRoleValidator) UserSessionBase(org.apache.ranger.common.UserSessionBase)

Aggregations

RangerRole (org.apache.ranger.plugin.model.RangerRole)37 Predicate (org.apache.commons.collections.Predicate)7 ArrayList (java.util.ArrayList)6 HashSet (java.util.HashSet)5 UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)5 IOException (java.io.IOException)4 SemanticException (org.apache.hadoop.hive.ql.parse.SemanticException)4 HiveAccessControlException (org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException)4 HiveAuthzPluginException (org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException)4 RESTResponse (org.apache.ranger.admin.client.datatype.RESTResponse)4 RangerAccessResult (org.apache.ranger.plugin.policyengine.RangerAccessResult)4 RangerRoles (org.apache.ranger.plugin.util.RangerRoles)4 UserSessionBase (org.apache.ranger.common.UserSessionBase)3 Gson (com.google.gson.Gson)2 GsonBuilder (com.google.gson.GsonBuilder)2 ClientResponse (com.sun.jersey.api.client.ClientResponse)2 UnsupportedEncodingException (java.io.UnsupportedEncodingException)2 PrivilegedAction (java.security.PrivilegedAction)2 HashMap (java.util.HashMap)2 Map (java.util.Map)2
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial