
Example 21 with RangerRole

use of org.apache.ranger.plugin.model.RangerRole in project ranger by apache.

the class RoleREST method ensureRoleAccess.

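/**
 * Authorizes {@code username} against {@code role}: the user must hold the admin option on the
 * role directly, through one of {@code userGroups}, or through an admin member role.
 *
 * <p>Rules, in evaluation order (the first match wins):
 * <ol>
 *   <li>the role's user list contains a member equal to
 *       {@code new RoleMember(username, true)} — this relies on {@code RoleMember.equals};
 *       verify it compares the isAdmin flag as well as the name, otherwise a plain (non-admin)
 *       membership would be accepted here;</li>
 *   <li>one of {@code userGroups} is listed as an admin group member of the role;</li>
 *   <li>one of the role's admin member roles (collected transitively by
 *       {@code getRoleMembers}) contains the user, or one of the user's groups, as a member.</li>
 * </ol>
 *
 * <p>Compared with the previous version, the group list and every resolved member role are
 * null-guarded: a role with no groups set, or a member role that cannot be loaded, now falls
 * through to the next rule (and ultimately to denial) instead of raising a NullPointerException
 * that would surface as an unhandled server error.
 *
 * @param username   the effective user being authorized
 * @param userGroups groups of that user; may be {@code null} or empty
 * @param role       the role on which the admin option is required
 * @return {@code true} when access is granted; the method never returns {@code false}
 * @throws Exception the REST exception built by {@code restErrorUtil} when no rule grants
 *                   access, so a normal return means "authorized"
 */
private boolean ensureRoleAccess(String username, Set<String> userGroups, RangerRole role) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ensureRoleAccess(" + username + ", " + role + ")");
    }
    boolean isAccessible = false;

    // Rule 1: direct membership carrying the admin option.
    List<RangerRole.RoleMember> userList = role.getUsers();
    RangerRole.RoleMember userMember = new RangerRole.RoleMember(username, true);
    if (!CollectionUtils.isEmpty(userList) && userList.contains(userMember)) {
        isAccessible = true;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> ensureRoleAccess(): user " + username + " has permission for role " + role.getName());
        }
        return isAccessible;
    }

    // Rule 2: membership through a group that holds the admin option. The group list is guarded
    // the same way as the user list above so a role without groups does not NPE here.
    List<RangerRole.RoleMember> groupList = role.getGroups();
    if (!CollectionUtils.isEmpty(userGroups) && !CollectionUtils.isEmpty(groupList)) {
        for (RangerRole.RoleMember groupMember : groupList) {
            if (!groupMember.getIsAdmin()) {
                continue;
            }
            if (userGroups.contains(groupMember.getName())) {
                isAccessible = true;
                if (LOG.isDebugEnabled()) {
                    LOG.debug("==> ensureRoleAccess(): group " + groupMember.getName() + " has permission for role " + role.getName());
                }
                return isAccessible;
            }
        }
    }

    // Rule 3: membership (user or group) in an admin member role, resolved transitively.
    Set<RangerRole.RoleMember> roleMemberList = new HashSet<>();
    getRoleMembers(roleMemberList, role);
    for (RangerRole.RoleMember roleMember : roleMemberList) {
        if (!roleMember.getIsAdmin()) {
            continue;
        }
        RangerRole roleMemberObj = roleStore.getRole(roleMember.getName());
        if (roleMemberObj == null) {
            // A member role that cannot be loaded grants nothing: skip it (fail closed).
            continue;
        }
        if (getUserNames(roleMemberObj).contains(username)) {
            isAccessible = true;
            if (LOG.isDebugEnabled()) {
                LOG.debug("==> ensureRoleAccess(): role " + roleMember.getName() + " has permission for role " + role.getName());
            }
            return isAccessible;
        }
        if (!CollectionUtils.isEmpty(userGroups) && !CollectionUtils.intersection(userGroups, getGroupNames(roleMemberObj)).isEmpty()) {
            isAccessible = true;
            if (LOG.isDebugEnabled()) {
                LOG.debug("==> ensureRoleAccess(): role " + roleMember.getName() + " has permission for role " + role.getName());
            }
            return isAccessible;
        }
    }

    // No rule matched: deny. (isAccessible is necessarily false here; the explicit check is kept
    // so the denial path reads the same as before.)
    if (!isAccessible) {
        throw restErrorUtil.createRESTException("User " + username + " does not have privilege to role " + role.getName());
    }
    return isAccessible;
}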

Example 22 with RangerRole

use of org.apache.ranger.plugin.model.RangerRole in project ranger by apache.

the class RoleREST method getUserRoles.

/**
 * Lists the names of every role that {@code userName} belongs to: roles returned by
 * {@code roleStore.getRoleNames} for the user and the user's groups (as resolved by
 * {@code userMgr}), plus the member role names collected transitively by
 * {@code getRoleMemberNames}.
 *
 * <p>NOTE(review): no authorization check is visible in this method — the {@code user} path
 * parameter is looked up as given, so any caller who can reach the endpoint can enumerate
 * another user's role membership. Confirm that a request filter or the store enforces access
 * before relying on this.
 *
 * @param userName the user whose roles are requested (path parameter)
 * @param request  the servlet request; not used by this method
 * @return the distinct role names, in no particular order
 */
@GET
@Path("/roles/user/{user}")
@Produces({ "application/json", "application/xml" })
public List<String> getUserRoles(@PathParam("user") String userName, @Context HttpServletRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> getUserRoles()");
    }
    Set<String> roleNames = new HashSet<>();
    try {
        Set<String> groups = userMgr.getGroupsForUser(userName);
        for (RangerRole role : roleStore.getRoleNames(userName, groups)) {
            roleNames.add(role.getName());
            // Member roles are reported as well, so the answer covers transitive membership.
            Set<String> memberRoleNames = new HashSet<>();
            getRoleMemberNames(memberRoleNames, role);
            roleNames.addAll(memberRoleNames);
        }
    } catch (WebApplicationException excp) {
        throw excp;
    } catch (Throwable excp) {
        LOG.error("getUserRoles() failed", excp);
        throw restErrorUtil.createRESTException(excp.getMessage());
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== getUserRoles():" + roleNames);
    }
    return new ArrayList<>(roleNames);
}

Example 23 with RangerRole

use of org.apache.ranger.plugin.model.RangerRole in project ranger by apache.

the class RoleREST method removeUsersAndGroups.

/**
 * Removes the given users and groups from the role identified by {@code roleId}, without
 * regard to whether they hold the GRANT (admin) option on it.
 *
 * <p>Only a Ranger admin may do this: {@code ensureAdminAccess(null, null)} runs before the
 * role is loaded and throws otherwise. For each supplied name only the first matching member
 * entry is dropped. The result is persisted through
 * {@code roleStore.updateRole(role, false)}.
 *
 * <p>NOTE(review): the list parameters carry no JAX-RS binding annotations, and both lists are
 * dereferenced unguarded — including in the entry debug log, which sits outside the
 * try/catch — so a {@code null} list surfaces as an exception. Confirm the caller always
 * supplies both lists.
 *
 * @param roleId the role to modify
 * @param users  user names to remove from the role
 * @param groups group names to remove from the role
 * @return the updated role as returned by the store
 */
@PUT
@Path("/roles/{id}/removeUsersAndGroups")
public RangerRole removeUsersAndGroups(Long roleId, List<String> users, List<String> groups) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> removeUsersAndGroups(id=" + roleId + ", users=" + Arrays.toString(users.toArray()) + ", groups=" + Arrays.toString(groups.toArray()) + ")");
    }
    RangerRole updated;
    try {
        // Real processing
        ensureAdminAccess(null, null);
        updated = getRole(roleId);
        for (String userName : users) {
            Iterator<RangerRole.RoleMember> members = updated.getUsers().iterator();
            boolean removed = false;
            while (!removed && members.hasNext()) {
                if (StringUtils.equals(members.next().getName(), userName)) {
                    members.remove();
                    removed = true;
                }
            }
        }
        for (String groupName : groups) {
            Iterator<RangerRole.RoleMember> members = updated.getGroups().iterator();
            boolean removed = false;
            while (!removed && members.hasNext()) {
                if (StringUtils.equals(members.next().getName(), groupName)) {
                    members.remove();
                    removed = true;
                }
            }
        }
        updated = roleStore.updateRole(updated, false);
    } catch (WebApplicationException excp) {
        throw excp;
    } catch (Throwable excp) {
        LOG.error("removeUsersAndGroups() failed", excp);
        throw restErrorUtil.createRESTException(excp.getMessage());
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== removeUsersAndGroups(id=" + roleId + ", users=" + Arrays.toString(users.toArray()) + ", groups=" + Arrays.toString(groups.toArray()) + ")");
    }
    return updated;
}

Example 24 with RangerRole

use of org.apache.ranger.plugin.model.RangerRole in project ranger by apache.

the class RoleREST method revokeRole.

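/**
 * Revokes membership, or only the admin option, on each target role named in
 * {@code revokeRoleRequest}.
 *
 * <p>For every target role the request's grantor (the execUser, or the doAsUser when set) is
 * authorized through {@code getRoleIfAccessible(roleName, serviceName, userName, userGroups)},
 * which implements: if the grantor is not the logged-in user, the logged-in user must be a
 * Ranger admin / service admin / service user and the grantor becomes the effective user;
 * otherwise the logged-in user is the effective user. The effective user must then be a
 * Ranger admin or hold the admin option on the role. A {@code null} result is turned into a
 * REST error and the loop stops, so roles earlier in the list may already have been updated.
 *
 * <p>When {@code getGrantOption()} is set only the admin flag is removed from the listed
 * users/groups/roles ({@code removeAdminFromUsersGroupsAndRoles}); otherwise the members
 * themselves are removed ({@code removeUsersGroupsAndRoles}).
 *
 * <p>NOTE(review): when the request carries a non-empty {@code grantorGroups} list it is used
 * as the grantor's group membership instead of {@code userMgr.getGroupsForUser}. That is
 * caller-supplied data; it is only safe because the doAs path above restricts who may act on
 * behalf of another user — keep that coupling in mind when changing either side.
 *
 * <p>Change from the previous version: the exit trace now uses the {@code <==} marker like the
 * other methods in this class, instead of repeating the entry marker.
 *
 * @param serviceName       service the target roles belong to (path parameter)
 * @param revokeRoleRequest grantor, target roles, members and the grant-option flag
 * @param request           the servlet request; not used directly here
 * @return a response with {@link RESTResponse#STATUS_SUCCESS} once every target role is updated
 */
@PUT
@Path("/roles/revoke/{serviceName}")
@Consumes({ "application/json", "application/xml" })
@Produces({ "application/json", "application/xml" })
public RESTResponse revokeRole(@PathParam("serviceName") String serviceName, GrantRevokeRoleRequest revokeRoleRequest, @Context HttpServletRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RoleREST.revokeRole(" + serviceName + ", " + revokeRoleRequest + ")");
    }
    RESTResponse ret = new RESTResponse();
    try {
        validateUsersGroupsAndRoles(revokeRoleRequest);
        String userName = revokeRoleRequest.getGrantor();
        for (String roleName : revokeRoleRequest.getTargetRoles()) {
            /* For each target Role, check following to allow access
                 * If userName (execUser) is not same as logged in user then check
                    * If logged-in user is not ranger admin/service admin/service user, then deny the operation
                    * effective User is execUser
                 * else
                    * effective user is logged-in user
                 * If effective user is ranger admin/has role admin privilege, then allow the operation
                 * else deny the operation
                 * This logic is implemented as part of getRoleIfAccessible(roleName, serviceName, userName, userGroups)
                 */
            // Request-supplied grantor groups take precedence over the user manager's view.
            Set<String> userGroups = CollectionUtils.isNotEmpty(revokeRoleRequest.getGrantorGroups()) ? revokeRoleRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
            RangerRole existingRole = getRoleIfAccessible(roleName, serviceName, userName, userGroups);
            if (existingRole == null) {
                throw restErrorUtil.createRESTException("User doesn't have permissions to revoke role " + roleName);
            }
            existingRole.setUpdatedBy(userName);
            if (revokeRoleRequest.getGrantOption()) {
                removeAdminFromUsersGroupsAndRoles(existingRole, revokeRoleRequest.getUsers(), revokeRoleRequest.getGroups(), revokeRoleRequest.getRoles());
            } else {
                removeUsersGroupsAndRoles(existingRole, revokeRoleRequest.getUsers(), revokeRoleRequest.getGroups(), revokeRoleRequest.getRoles());
            }
        }
    } catch (WebApplicationException excp) {
        throw excp;
    } catch (Throwable excp) {
        LOG.error("revokeRole() failed", excp);
        throw restErrorUtil.createRESTException(excp.getMessage());
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== revokeRole(serviceName=" + serviceName + ", users=" + Arrays.toString(revokeRoleRequest.getUsers().toArray()) + ", roles=" + Arrays.toString(revokeRoleRequest.getRoles().toArray()) + ", isAdmin=" + revokeRoleRequest.getGrantOption() + ")");
    }
    ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
    return ret;
}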

Example 25 with RangerRole

use of org.apache.ranger.plugin.model.RangerRole in project ranger by apache.

the class RolePredicateUtil method addPredicateForPartialGroupName.

/**
 * Builds a predicate matching a {@link RangerRole} whose group members include one whose name
 * contains {@code groupNamePartial} (case-insensitive), and appends it to {@code predicates}
 * when that list is non-null.
 *
 * <p>{@code null} and non-{@code RangerRole} objects evaluate to {@code false}. The predicate
 * iterates {@code role.getGroups()} directly, so a role whose group list is {@code null} would
 * throw during evaluation — presumably the model always supplies a list; verify if this filter
 * can see partially populated roles.
 *
 * @param groupNamePartial substring to look for; when empty nothing is built or added
 * @param predicates       list to append the predicate to; may be {@code null}
 * @return the created predicate, or {@code null} when {@code groupNamePartial} is empty
 */
private Predicate addPredicateForPartialGroupName(final String groupNamePartial, List<Predicate> predicates) {
    if (StringUtils.isEmpty(groupNamePartial)) {
        return null;
    }
    Predicate matchesGroupName = new Predicate() {

        @Override
        public boolean evaluate(Object object) {
            // instanceof is false for null, so the null case needs no separate check.
            if (!(object instanceof RangerRole)) {
                return false;
            }
            for (RangerRole.RoleMember member : ((RangerRole) object).getGroups()) {
                if (StringUtils.containsIgnoreCase(member.getName(), groupNamePartial)) {
                    return true;
                }
            }
            return false;
        }
    };
    if (predicates != null) {
        predicates.add(matchesGroupName);
    }
    return matchesGroupName;
}