
Example 1 with RangerSecurityZoneService

use of org.apache.ranger.plugin.model.RangerSecurityZone.RangerSecurityZoneService in project ranger by apache.

In class RangerSecurityZoneValidatorTest, method testValidateSecurityZoneWitoutResourcesForCreateThrowsError:

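@Test
public void testValidateSecurityZoneWitoutResourcesForCreateThrowsError() throws Exception {
    // A zone that lists a service but gives it no resources must be rejected on CREATE.
    RangerSecurityZoneService rangerSecurityZoneService = new RangerSecurityZoneService();
    RangerService rangerSvc = getRangerService();
    RangerServiceDef rangerSvcDef = rangerServiceDef();
    Mockito.when(_store.getServiceDefByName("1")).thenReturn(rangerSvcDef);
    Map<String, RangerSecurityZone.RangerSecurityZoneService> map = new HashMap<String, RangerSecurityZone.RangerSecurityZoneService>();
    map.put("hdfsSvc", rangerSecurityZoneService);
    RangerSecurityZone suppliedSecurityZone = getRangerSecurityZone();
    suppliedSecurityZone.setServices(map);
    // The store knows no zone named "MyZone" yet, but does know the "hdfsSvc" service.
    Mockito.when(_store.getSecurityZone("MyZone")).thenReturn(null);
    Mockito.when(_store.getServiceByName("hdfsSvc")).thenReturn(rangerSvc);
    try {
        rangerSecurityZoneValidator.validate(suppliedSecurityZone, RangerValidator.Action.CREATE);
        // Without this the test passed silently whenever validate() let the zone through;
        // AssertionError is not an Exception, so the catch below does not swallow it.
        Assert.fail("expected validation of a zone service without resources to fail");
    } catch (Exception ex) {
        // JUnit's argument order is (expected, actual) so a mismatch is reported the right way round.
        Assert.assertEquals("(0) Validation failure: error code[3039], reason[No resources specified for service [hdfsSvc]], field[security zone resources], subfield[null], type[missing] ", ex.getMessage());
    }
}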
Also used : RangerSecurityZone(org.apache.ranger.plugin.model.RangerSecurityZone) HashMap(java.util.HashMap) RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef) RangerSecurityZoneService(org.apache.ranger.plugin.model.RangerSecurityZone.RangerSecurityZoneService) RangerService(org.apache.ranger.plugin.model.RangerService) Test(org.junit.Test)

Example 2 with RangerSecurityZoneService

use of org.apache.ranger.plugin.model.RangerSecurityZone.RangerSecurityZoneService in project ranger by apache.

In class TestSecurityZoneREST, method createRangerSecurityZone:

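/**
 * Builds a fully populated {@link RangerSecurityZone} test fixture named {@code testzone1}
 * with one service ({@code test_service_1}) owning a single {@code resource_path} entry
 * that holds two paths.
 *
 * <p>Note that one and the same list instance is installed as admin users, admin groups,
 * audit users and audit groups, so mutating any of those four through the zone mutates
 * all of them.
 *
 * @return a freshly built zone; never {@code null}
 */
private RangerSecurityZone createRangerSecurityZone() {
    String zoneName = "testzone1";
    // Typed constructors: the raw "new ArrayList(Arrays.asList(...))" form only compiled with unchecked warnings.
    List<String> resourcePaths = new ArrayList<>(Arrays.asList("/path/to/resource1", "/path/to/resource2"));
    List<String> userGroupList = new ArrayList<>(Arrays.asList("testuser", "testgroup"));

    RangerSecurityZone zone = new RangerSecurityZone();
    zone.setName(zoneName);
    zone.setAdminUserGroups(userGroupList);
    zone.setAdminUsers(userGroupList);
    zone.setAuditUserGroups(userGroupList);
    zone.setAuditUsers(userGroupList);

    HashMap<String, List<String>> resource = new HashMap<>();
    resource.put("resource_path", resourcePaths);
    List<HashMap<String, List<String>>> resources = new ArrayList<>();
    resources.add(resource);

    RangerSecurityZoneService zoneService = new RangerSecurityZoneService();
    zoneService.setResources(resources);
    Map<String, RangerSecurityZoneService> services = new HashMap<>();
    services.put("test_service_1", zoneService);
    zone.setServices(services);
    return zone;
}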
Also used : RangerSecurityZone(org.apache.ranger.plugin.model.RangerSecurityZone) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) RangerSecurityZoneService(org.apache.ranger.plugin.model.RangerSecurityZone.RangerSecurityZoneService) ArrayList(java.util.ArrayList) RangerSecurityZoneList(org.apache.ranger.view.RangerSecurityZoneList) List(java.util.List)

Example 3 with RangerSecurityZoneService

use of org.apache.ranger.plugin.model.RangerSecurityZone.RangerSecurityZoneService in project ranger by apache.

In class SecurityZoneREST, method ensureUserAllowOperationOnServiceForZone:

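/**
 * Enforces what a non-admin caller may change on an existing security zone.
 *
 * <p>Global admins ({@code bizUtil.isAdmin()}) are exempt. For everyone else the submitted
 * zone is compared with the stored copy and the update is rejected via {@code throwRestError} if:
 * <ul>
 *   <li>the zone name or description changed;</li>
 *   <li>the caller is not a zone admin and any admin/audit user or group list changed;</li>
 *   <li>a tag service or a service is added to or removed from the zone and the caller is not
 *       a service admin of that service;</li>
 *   <li>the resources of a service already in the zone changed and the caller is not a service
 *       admin of that service.</li>
 * </ul>
 * All comparisons are null-safe: a field present on only one side counts as a change and is
 * therefore denied, instead of surfacing as a {@link NullPointerException}.
 *
 * @param securityZone the zone as submitted by the caller
 */
private void ensureUserAllowOperationOnServiceForZone(RangerSecurityZone securityZone) {
    if (bizUtil.isAdmin()) {
        return;
    }
    String userName = bizUtil.getCurrentUserLoginId();
    RangerSecurityZone existingSecurityZone;
    try {
        existingSecurityZone = svcStore.getSecurityZone(securityZone.getId());
    } catch (Exception ex) {
        LOG.error("Unable to get Security Zone with id : " + securityZone.getId(), ex);
        throw restErrorUtil.createRESTException(ex.getMessage());
    }
    if (existingSecurityZone == null) {
        // Nothing stored to compare against; presumably a create, which is authorized elsewhere — TODO confirm
        return;
    }
    String zoneName = existingSecurityZone.getName();

    if (differs(securityZone.getName(), zoneName)) {
        throwRestError("User : " + userName + " is not allowed to edit zone name of zone : " + zoneName);
    } else if (differs(securityZone.getDescription(), existingSecurityZone.getDescription())) {
        throwRestError("User : " + userName + " is not allowed to edit zone description of zone : " + zoneName);
    }

    if (!serviceMgr.isZoneAdmin(zoneName)) {
        if (differs(securityZone.getAdminUserGroups(), existingSecurityZone.getAdminUserGroups())) {
            throwRestError("User : " + userName + " is not allowed to edit zone Admin User Group of zone : " + zoneName);
        } else if (differs(securityZone.getAdminUsers(), existingSecurityZone.getAdminUsers())) {
            throwRestError("User : " + userName + " is not allowed to edit zone Admin User of zone : " + zoneName);
        } else if (differs(securityZone.getAuditUsers(), existingSecurityZone.getAuditUsers())) {
            throwRestError("User : " + userName + " is not allowed to edit zone Audit User of zone : " + zoneName);
        } else if (differs(securityZone.getAuditUserGroups(), existingSecurityZone.getAuditUserGroups())) {
            throwRestError("User : " + userName + " is not allowed to edit zone Audit User Group of zone : " + zoneName);
        }
    }

    /* Tag services added to or removed from the zone: only a service admin of that tag service may do so. */
    Set<String> changedTagServices = symmetricDifference(toSet(existingSecurityZone.getTagServices()), toSet(securityZone.getTagServices()));
    for (String svc : changedTagServices) {
        if (!svcStore.isServiceAdminUser(svc, userName)) {
            throwRestError("User : " + userName + " is not allowed to add/remove tag service : " + svc + " in Ranger Security zone : " + zoneName);
        }
    }

    /* Services added to or removed from the zone: same rule. A missing services map is treated as empty. */
    Map<String, RangerSecurityZoneService> existingServices = existingSecurityZone.getServices() != null ? existingSecurityZone.getServices() : new HashMap<String, RangerSecurityZoneService>();
    Map<String, RangerSecurityZoneService> newServices = securityZone.getServices() != null ? securityZone.getServices() : new HashMap<String, RangerSecurityZoneService>();
    for (String svc : symmetricDifference(existingServices.keySet(), newServices.keySet())) {
        if (!svcStore.isServiceAdminUser(svc, userName)) {
            throwRestError("User : " + userName + " is not allowed to add/remove service : " + svc + " in Ranger Security zone : " + zoneName);
        }
    }

    /* Resource changes on a service that stays in the zone: only a service admin of that service may make them. */
    for (Map.Entry<String, RangerSecurityZoneService> dbEntry : existingServices.entrySet()) {
        String svc = dbEntry.getKey();
        RangerSecurityZoneService fromUI = newServices.get(svc);
        if (fromUI == null) {
            continue; // removal was already covered by the add/remove check above
        }
        RangerSecurityZoneService fromDB = dbEntry.getValue();
        Object dbResources = fromDB == null ? null : fromDB.getResources();
        if (differs(dbResources, fromUI.getResources()) && !svcStore.isServiceAdminUser(svc, userName)) {
            throwRestError("User : " + userName + " is not allowed to edit resource in service : " + svc + " in Ranger Security zone : " + zoneName);
        }
    }
}

/** Null-safe inequality: {@code true} when exactly one side is null or {@code !a.equals(b)}. */
private static boolean differs(Object a, Object b) {
    return a == null ? b != null : !a.equals(b);
}

/** Copies a list into a set; a null list is treated as empty. */
private static Set<String> toSet(List<String> values) {
    return values == null ? new HashSet<String>() : new HashSet<String>(values);
}

/** Elements present in exactly one of the two sets. Neither argument is modified. */
private static Set<String> symmetricDifference(Set<String> left, Set<String> right) {
    Set<String> result = new HashSet<>(left);
    result.addAll(right);
    Set<String> common = new HashSet<>(left);
    common.retainAll(right);
    result.removeAll(common);
    return result;
}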
Also used : RangerSecurityZone(org.apache.ranger.plugin.model.RangerSecurityZone) ArrayList(java.util.ArrayList) RangerSecurityZoneService(org.apache.ranger.plugin.model.RangerSecurityZone.RangerSecurityZoneService) WebApplicationException(javax.ws.rs.WebApplicationException) HashSet(java.util.HashSet)

Example 4 with RangerSecurityZoneService

use of org.apache.ranger.plugin.model.RangerSecurityZone.RangerSecurityZoneService in project ranger by apache.

In class SecurityZoneREST, method removeEmptyEntries:

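/**
 * Strips empty strings, in place via {@code bizUtil.removeEmptyStrings}, from the zone's
 * tag-service, admin/audit user and admin/audit group lists and from every resource-value
 * list of every service in the zone.
 *
 * @param securityZone zone to clean; its collections are modified in place
 */
private void removeEmptyEntries(RangerSecurityZone securityZone) {
    bizUtil.removeEmptyStrings(securityZone.getTagServices());
    bizUtil.removeEmptyStrings(securityZone.getAdminUsers());
    bizUtil.removeEmptyStrings(securityZone.getAdminUserGroups());
    bizUtil.removeEmptyStrings(securityZone.getAuditUsers());
    bizUtil.removeEmptyStrings(securityZone.getAuditUserGroups());

    Map<String, RangerSecurityZoneService> serviceResourceMap = securityZone.getServices();
    if (serviceResourceMap == null) {
        return;
    }
    // Only the values are needed; the explicit Iterator of the earlier version never called remove().
    for (RangerSecurityZoneService zoneService : serviceResourceMap.values()) {
        // A null map value would otherwise raise a NullPointerException here.
        if (zoneService == null || zoneService.getResources() == null) {
            continue;
        }
        for (Map<String, List<String>> resource : zoneService.getResources()) {
            if (resource == null) {
                continue;
            }
            for (List<String> resourceValues : resource.values()) {
                bizUtil.removeEmptyStrings(resourceValues);
            }
        }
    }
}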
Also used : HashMap(java.util.HashMap) RangerSecurityZoneService(org.apache.ranger.plugin.model.RangerSecurityZone.RangerSecurityZoneService) ArrayList(java.util.ArrayList) RangerSecurityZoneList(org.apache.ranger.view.RangerSecurityZoneList) List(java.util.List) HashMap(java.util.HashMap) Map(java.util.Map)

Example 5 with RangerSecurityZoneService

use of org.apache.ranger.plugin.model.RangerSecurityZone.RangerSecurityZoneService in project ranger by apache.

In class SecurityZoneRefUpdater, method createNewZoneMappingForRefTable:

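/**
 * (Re)creates the security-zone reference rows for {@code rangerSecurityZone}: one row per
 * service, per resource of each service, per tag service, and per admin/audit user and group,
 * after {@code cleanupRefTables} has run for the zone.
 *
 * <p>Blank names are skipped. Names that do not resolve to a known service, service-def,
 * resource-def, tag service, user or group are rejected with a REST exception
 * ({@code MessageEnums.INVALID_INPUT_DATA}) so that no dangling reference row is written.
 * Duplicate names within one list produce a single row.
 *
 * @param rangerSecurityZone zone whose references are to be created; {@code null} is a no-op
 * @throws Exception propagated from the store/DAO layer
 */
public void createNewZoneMappingForRefTable(RangerSecurityZone rangerSecurityZone) throws Exception {
    if (rangerSecurityZone == null) {
        return;
    }
    cleanupRefTables(rangerSecurityZone);
    final Long zoneId = rangerSecurityZone.getId();

    createZoneServiceRefs(zoneId, rangerSecurityZone.getServices());
    createZoneTagServiceRefs(zoneId, toSet(rangerSecurityZone.getTagServices()));
    // Reference rows carry a type flag: 1 marks an admin reference, 0 an audit reference.
    createZoneUserRefs(zoneId, toSet(rangerSecurityZone.getAdminUsers()), 1);
    createZoneGroupRefs(zoneId, toSet(rangerSecurityZone.getAdminUserGroups()), 1);
    createZoneUserRefs(zoneId, toSet(rangerSecurityZone.getAuditUsers()), 0);
    createZoneGroupRefs(zoneId, toSet(rangerSecurityZone.getAuditUserGroups()), 0);
}

/** Copies a list into a set (dropping duplicates); a null list is treated as empty. */
private static Set<String> toSet(List<String> values) {
    return values == null ? new HashSet<String>() : new HashSet<String>(values);
}

/** Writes one service reference row per named service and one resource reference row per resource of it. */
private void createZoneServiceRefs(Long zoneId, Map<String, RangerSecurityZoneService> zoneServices) throws Exception {
    if (zoneServices == null) {
        return;
    }
    for (Map.Entry<String, RangerSecurityZoneService> service : zoneServices.entrySet()) {
        String serviceName = service.getKey();
        if (StringUtils.isBlank(serviceName)) {
            continue;
        }
        XXService xService = daoMgr.getXXService().findByName(serviceName);
        if (xService == null) {
            // Reject explicitly, like unknown tag services/users/groups, instead of a NullPointerException below.
            throw restErrorUtil.createRESTException("Service named: " + serviceName + " does not exist ", MessageEnums.INVALID_INPUT_DATA);
        }
        RangerService rService = svcService.getPopulatedViewObject(xService);
        XXServiceDef xServiceDef = daoMgr.getXXServiceDef().findByName(rService.getType());
        if (xServiceDef == null) {
            throw restErrorUtil.createRESTException("Service-def named: " + rService.getType() + " does not exist ", MessageEnums.INVALID_INPUT_DATA);
        }
        XXSecurityZoneRefService xZoneService = rangerAuditFields.populateAuditFieldsForCreate(new XXSecurityZoneRefService());
        xZoneService.setZoneId(zoneId);
        xZoneService.setServiceId(xService.getId());
        xZoneService.setServiceName(serviceName);
        daoMgr.getXXSecurityZoneRefService().create(xZoneService);

        RangerSecurityZoneService zoneService = service.getValue();
        if (zoneService == null || zoneService.getResources() == null) {
            continue;
        }
        for (Map<String, List<String>> resourceMap : zoneService.getResources()) {
            if (resourceMap == null) {
                continue;
            }
            // one reference row per resource-def named in this service's resource map
            for (Map.Entry<String, List<String>> resource : resourceMap.entrySet()) {
                String resourceName = resource.getKey();
                if (StringUtils.isBlank(resourceName)) {
                    continue;
                }
                XXResourceDef xResourceDef = daoMgr.getXXResourceDef().findByNameAndServiceDefId(resourceName, xServiceDef.getId());
                if (xResourceDef == null) {
                    throw restErrorUtil.createRESTException("Resource named: " + resourceName + " does not exist in service-def: " + rService.getType(), MessageEnums.INVALID_INPUT_DATA);
                }
                XXSecurityZoneRefResource xZoneResource = rangerAuditFields.populateAuditFieldsForCreate(new XXSecurityZoneRefResource());
                xZoneResource.setZoneId(zoneId);
                xZoneResource.setResourceDefId(xResourceDef.getId());
                xZoneResource.setResourceName(resourceName);
                daoMgr.getXXSecurityZoneRefResource().create(xZoneResource);
            }
        }
    }
}

/** Writes one tag-service reference row per named tag service; the service must exist and be of tag type. */
private void createZoneTagServiceRefs(Long zoneId, Set<String> tagServices) {
    for (String tagService : tagServices) {
        if (StringUtils.isBlank(tagService)) {
            continue;
        }
        XXService xService = daoMgr.getXXService().findByName(tagService);
        // NOTE(review): "!=" is a reference comparison if both operands are boxed numbers — confirm the types of getType() and TAG_SERVICE_TYPE.
        if (xService == null || xService.getType() != RangerConstants.TAG_SERVICE_TYPE) {
            throw restErrorUtil.createRESTException("Tag Service named: " + tagService + " does not exist ", MessageEnums.INVALID_INPUT_DATA);
        }
        XXSecurityZoneRefTagService xZoneTagService = rangerAuditFields.populateAuditFieldsForCreate(new XXSecurityZoneRefTagService());
        xZoneTagService.setZoneId(zoneId);
        xZoneTagService.setTagServiceId(xService.getId());
        xZoneTagService.setTagServiceName(xService.getName());
        daoMgr.getXXSecurityZoneRefTagService().create(xZoneTagService);
    }
}

/**
 * Writes one user reference row per named user.
 *
 * @param userType 1 for admin users, 0 for audit users
 */
private void createZoneUserRefs(Long zoneId, Set<String> userNames, int userType) {
    for (String user : userNames) {
        if (StringUtils.isBlank(user)) {
            continue;
        }
        XXUser xUser = daoMgr.getXXUser().findByUserName(user);
        if (xUser == null) {
            throw restErrorUtil.createRESTException("user with name: " + user + " does not exist ", MessageEnums.INVALID_INPUT_DATA);
        }
        XXSecurityZoneRefUser xZoneUser = rangerAuditFields.populateAuditFieldsForCreate(new XXSecurityZoneRefUser());
        xZoneUser.setZoneId(zoneId);
        xZoneUser.setUserId(xUser.getId());
        xZoneUser.setUserName(user);
        xZoneUser.setUserType(userType);
        daoMgr.getXXSecurityZoneRefUser().create(xZoneUser);
    }
}

/**
 * Writes one group reference row per named group.
 *
 * @param groupType 1 for admin groups, 0 for audit groups
 */
private void createZoneGroupRefs(Long zoneId, Set<String> groupNames, int groupType) {
    for (String group : groupNames) {
        if (StringUtils.isBlank(group)) {
            continue;
        }
        XXGroup xGroup = daoMgr.getXXGroup().findByGroupName(group);
        if (xGroup == null) {
            throw restErrorUtil.createRESTException("group with name: " + group + " does not exist ", MessageEnums.INVALID_INPUT_DATA);
        }
        XXSecurityZoneRefGroup xZoneGroup = rangerAuditFields.populateAuditFieldsForCreate(new XXSecurityZoneRefGroup());
        xZoneGroup.setZoneId(zoneId);
        xZoneGroup.setGroupId(xGroup.getId());
        xZoneGroup.setGroupName(group);
        xZoneGroup.setGroupType(groupType);
        daoMgr.getXXSecurityZoneRefGroup().create(xZoneGroup);
    }
}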
Also used : XXServiceDef(org.apache.ranger.entity.XXServiceDef) XXUser(org.apache.ranger.entity.XXUser) XXSecurityZoneRefGroup(org.apache.ranger.entity.XXSecurityZoneRefGroup) RangerSecurityZoneService(org.apache.ranger.plugin.model.RangerSecurityZone.RangerSecurityZoneService) XXSecurityZoneRefUser(org.apache.ranger.entity.XXSecurityZoneRefUser) XXResourceDef(org.apache.ranger.entity.XXResourceDef) XXSecurityZoneRefService(org.apache.ranger.entity.XXSecurityZoneRefService) XXGroup(org.apache.ranger.entity.XXGroup) XXSecurityZoneRefTagService(org.apache.ranger.entity.XXSecurityZoneRefTagService) List(java.util.List) RangerService(org.apache.ranger.plugin.model.RangerService) XXSecurityZoneRefResource(org.apache.ranger.entity.XXSecurityZoneRefResource) XXService(org.apache.ranger.entity.XXService) Map(java.util.Map) HashSet(java.util.HashSet)

Aggregations

RangerSecurityZoneService (org.apache.ranger.plugin.model.RangerSecurityZone.RangerSecurityZoneService)8 RangerSecurityZone (org.apache.ranger.plugin.model.RangerSecurityZone)6 ArrayList (java.util.ArrayList)5 HashMap (java.util.HashMap)5 List (java.util.List)5 Map (java.util.Map)3 HashSet (java.util.HashSet)2 RangerService (org.apache.ranger.plugin.model.RangerService)2 RangerSecurityZoneList (org.apache.ranger.view.RangerSecurityZoneList)2 WebApplicationException (javax.ws.rs.WebApplicationException)1 XXGroup (org.apache.ranger.entity.XXGroup)1 XXResourceDef (org.apache.ranger.entity.XXResourceDef)1 XXSecurityZoneRefGroup (org.apache.ranger.entity.XXSecurityZoneRefGroup)1 XXSecurityZoneRefResource (org.apache.ranger.entity.XXSecurityZoneRefResource)1 XXSecurityZoneRefService (org.apache.ranger.entity.XXSecurityZoneRefService)1 XXSecurityZoneRefTagService (org.apache.ranger.entity.XXSecurityZoneRefTagService)1 XXSecurityZoneRefUser (org.apache.ranger.entity.XXSecurityZoneRefUser)1 XXService (org.apache.ranger.entity.XXService)1 XXServiceDef (org.apache.ranger.entity.XXServiceDef)1 XXUser (org.apache.ranger.entity.XXUser)1