
Example 21 with RangerSecurityZone

use of org.apache.ranger.plugin.model.RangerSecurityZone in project ranger by apache.

the class SecurityZoneREST method ensureUserAllowOperationOnServiceForZone.

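/**
 * Rejects changes to a security zone that the calling (non-admin) user is not entitled to make.
 * <p>
 * Ranger admins pass unconditionally. Any other user's submitted zone is diffed against the zone
 * currently stored under {@code securityZone.getId()}:
 * <ul>
 *   <li>zone name and description may not change;</li>
 *   <li>admin/audit users and groups may only change if the caller is a zone admin
 *       ({@code serviceMgr.isZoneAdmin});</li>
 *   <li>a tag service or service may only be added to / removed from the zone, and a service's
 *       resources may only be edited, by a service-admin user of that service.</li>
 * </ul>
 * When no zone is stored under the supplied id nothing is checked, so callers must resolve the id
 * (e.g. from the request path) before calling.
 *
 * @param securityZone the zone as submitted by the caller; its id selects the stored zone to diff against
 * @throws WebApplicationException (via {@code restErrorUtil}) if the stored zone cannot be loaded;
 *         disallowed changes are reported through {@code throwRestError}
 */
private void ensureUserAllowOperationOnServiceForZone(RangerSecurityZone securityZone) {
    if (bizUtil.isAdmin()) {
        return; // Ranger admins are unrestricted
    }
    String userName = bizUtil.getCurrentUserLoginId();
    RangerSecurityZone existingSecurityZone;
    try {
        existingSecurityZone = svcStore.getSecurityZone(securityZone.getId());
    } catch (Exception ex) {
        LOG.error("Unable to get Security Zone with id : " + securityZone.getId(), ex);
        throw restErrorUtil.createRESTException(ex.getMessage());
    }
    if (existingSecurityZone == null) {
        // Nothing stored to diff against, so no restriction can be derived here.
        // NOTE(review): an unresolved/unknown id silently skips every check below;
        // the caller is responsible for having resolved the id first.
        return;
    }
    String zoneName = existingSecurityZone.getName();

    // Name and description are immutable for non-admins. Objects.equals keeps a null on either side
    // (description is frequently unset) from surfacing as a NullPointerException.
    if (!java.util.Objects.equals(securityZone.getName(), zoneName)) {
        throwRestError("User : " + userName + " is not allowed to edit zone name of zone : " + zoneName);
    } else if (!java.util.Objects.equals(securityZone.getDescription(), existingSecurityZone.getDescription())) {
        throwRestError("User : " + userName + " is not allowed to edit zone description of zone : " + zoneName);
    }

    // Only a zone admin may reshape the zone's admin/audit principals.
    if (!serviceMgr.isZoneAdmin(zoneName)) {
        if (!java.util.Objects.equals(securityZone.getAdminUserGroups(), existingSecurityZone.getAdminUserGroups())) {
            throwRestError("User : " + userName + " is not allowed to edit zone Admin User Group of zone : " + zoneName);
        } else if (!java.util.Objects.equals(securityZone.getAdminUsers(), existingSecurityZone.getAdminUsers())) {
            throwRestError("User : " + userName + " is not allowed to edit zone Admin User of zone : " + zoneName);
        } else if (!java.util.Objects.equals(securityZone.getAuditUsers(), existingSecurityZone.getAuditUsers())) {
            throwRestError("User : " + userName + " is not allowed to edit zone Audit User of zone : " + zoneName);
        } else if (!java.util.Objects.equals(securityZone.getAuditUserGroups(), existingSecurityZone.getAuditUserGroups())) {
            throwRestError("User : " + userName + " is not allowed to edit zone Audit User Group of zone : " + zoneName);
        }
    }

    // Tag service association / disassociation: the caller must be a service admin of every tag
    // service that enters or leaves the zone (a null list on either side is treated as empty).
    for (String svc : changedMembers(existingSecurityZone.getTagServices(), securityZone.getTagServices())) {
        if (!svcStore.isServiceAdminUser(svc, userName)) {
            throwRestError("User : " + userName + " is not allowed to add/remove tag service : " + svc + " in Ranger Security zone : " + zoneName);
        }
    }

    // Service association / disassociation: same rule, keyed on the services map.
    Set<String> existingServices = existingSecurityZone.getServices() == null
            ? new HashSet<String>()
            : existingSecurityZone.getServices().keySet();
    Set<String> newServices = securityZone.getServices() == null
            ? new HashSet<String>()
            : securityZone.getServices().keySet();
    for (String svc : changedMembers(existingServices, newServices)) {
        if (!svcStore.isServiceAdminUser(svc, userName)) {
            throwRestError("User : " + userName + " is not allowed to add/remove service : " + svc + " in Ranger Security zone : " + zoneName);
        }
    }

    // Resource edits on a service that stays in the zone also require service-admin rights.
    for (String svc : existingServices) {
        RangerSecurityZoneService fromDb = existingSecurityZone.getServices().get(svc);
        RangerSecurityZoneService fromUi = securityZone.getServices() == null ? null : securityZone.getServices().get(svc);
        if (fromUi == null) {
            continue; // removal of the service was already judged above
        }
        Object dbResources = fromDb == null ? null : fromDb.getResources();
        if (!java.util.Objects.equals(dbResources, fromUi.getResources()) && !svcStore.isServiceAdminUser(svc, userName)) {
            throwRestError("User : " + userName + " is not allowed to edit resource in service : " + svc + " in Ranger Security zone : " + zoneName);
        }
    }
}

/**
 * Symmetric difference of two collections of names: entries present in exactly one of them.
 * A {@code null} argument is treated as empty.
 *
 * @param before the stored membership
 * @param after  the submitted membership
 * @return a fresh mutable set of names that were added or removed
 */
private static Set<String> changedMembers(Iterable<String> before, Iterable<String> after) {
    Set<String> beforeSet = new HashSet<>();
    if (before != null) {
        for (String name : before) {
            beforeSet.add(name);
        }
    }
    Set<String> afterSet = new HashSet<>();
    if (after != null) {
        for (String name : after) {
            afterSet.add(name);
        }
    }
    Set<String> changed = new HashSet<>();
    for (String name : beforeSet) {
        if (!afterSet.contains(name)) {
            changed.add(name);
        }
    }
    for (String name : afterSet) {
        if (!beforeSet.contains(name)) {
            changed.add(name);
        }
    }
    return changed;
}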

Example 22 with RangerSecurityZone

use of org.apache.ranger.plugin.model.RangerSecurityZone in project ranger by apache.

the class SecurityZoneREST method updateSecurityZone.

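/**
 * REST endpoint: replaces the security zone identified by the {@code id} path segment with the
 * submitted definition.
 * <p>
 * The path id is reconciled with the body <em>before</em> the per-user authorization check runs, so
 * that check is made against the zone actually being updated rather than against whatever id
 * (possibly none) the request body happened to carry.
 *
 * @param zoneId       id from the request path; must not be the reserved unzoned zone id
 * @param securityZone the new zone definition; if it carries an id, it must equal {@code zoneId}
 * @return the updated zone as returned by {@code securityZoneStore}
 * @throws WebApplicationException (via {@code restErrorUtil}) if the path id or body is missing, the id is the
 *         unzoned zone, the ids disagree, the caller may not make the change, validation fails,
 *         or the store update fails
 */
@PUT
@Path("/zones/{id}")
public RangerSecurityZone updateSecurityZone(@PathParam("id") Long zoneId, RangerSecurityZone securityZone) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> updateSecurityZone(id=" + zoneId + ", " + securityZone + ")");
    }
    if (zoneId == null) {
        throw restErrorUtil.createRESTException("zoneId is required");
    }
    if (securityZone == null) {
        throw restErrorUtil.createRESTException("security zone is required");
    }
    if (zoneId.equals(RangerSecurityZone.RANGER_UNZONED_SECURITY_ZONE_ID)) {
        throw restErrorUtil.createRESTException("Cannot update unzoned zone");
    }
    // Resolve the id first: the authorization check below loads the stored zone by securityZone.getId().
    if (securityZone.getId() != null && !zoneId.equals(securityZone.getId())) {
        throw restErrorUtil.createRESTException("zoneId mismatch!!");
    }
    securityZone.setId(zoneId);
    ensureUserAllowOperationOnServiceForZone(securityZone);
    removeEmptyEntries(securityZone);
    RangerSecurityZone ret;
    try {
        RangerSecurityZoneValidator validator = validatorFactory.getSecurityZoneValidator(svcStore, securityZoneStore);
        validator.validate(securityZone, RangerValidator.Action.UPDATE);
        ret = securityZoneStore.updateSecurityZoneById(securityZone);
    } catch (WebApplicationException excp) {
        throw excp; // already a REST error; pass through untouched
    } catch (Throwable excp) {
        LOG.error("updateSecurityZone(" + securityZone + ") failed", excp);
        throw restErrorUtil.createRESTException(excp.getMessage());
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== updateSecurityZone(id=" + zoneId + ", " + securityZone + "):" + ret);
    }
    return ret;
}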

Example 23 with RangerSecurityZone

use of org.apache.ranger.plugin.model.RangerSecurityZone in project ranger by apache.

the class SecurityZoneDBStore method deleteSecurityZoneByName.

/**
 * Deletes the security zone named {@code zoneName}: marks the global state as changed, cleans up
 * the zone's reference tables, removes the zone and records a "delete" transaction log.
 *
 * @param zoneName name of the zone to delete
 * @throws Exception (via {@code restErrorUtil}) if no zone with that name exists, or as propagated
 *         from the DAO / service layer
 */
@Override
public void deleteSecurityZoneByName(String zoneName) throws Exception {
    XXSecurityZone dbZone = daoMgr.getXXSecurityZoneDao().findByZoneName(zoneName);
    if (dbZone == null) {
        throw restErrorUtil.createRESTException("security-zone with name: " + zoneName + " does not exist");
    }
    RangerSecurityZone zone = securityZoneService.read(dbZone.getId());
    // Global state is bumped before the rows are touched; keep that ordering.
    daoMgr.getXXGlobalState().onGlobalStateChange(RANGER_GLOBAL_STATE_NAME);
    securityZoneRefUpdater.cleanupRefTables(zone);
    securityZoneService.delete(zone);
    List<XXTrxLog> trxLogs = securityZoneService.getTransactionLog(zone, null, "delete");
    bizUtil.createTrxLog(trxLogs);
}

Example 24 with RangerSecurityZone

use of org.apache.ranger.plugin.model.RangerSecurityZone in project ranger by apache.

the class SecurityZoneDBStore method getSecurityZones.

/**
 * Returns every stored security zone except the reserved unzoned one, narrowed by {@code filter}
 * when a non-empty filter is supplied and there is something to filter.
 *
 * @param filter optional search filter; ignored when {@code null} or empty
 * @return a fresh mutable list of matching zones (empty when none)
 * @throws Exception as propagated from the DAO / service layer
 */
@Override
public List<RangerSecurityZone> getSecurityZones(SearchFilter filter) throws Exception {
    List<RangerSecurityZone> zones = new ArrayList<>();
    for (XXSecurityZone dbZone : daoMgr.getXXSecurityZoneDao().getAll()) {
        boolean isUnzoned = dbZone.getId().equals(RangerSecurityZone.RANGER_UNZONED_SECURITY_ZONE_ID);
        if (isUnzoned) {
            continue;
        }
        zones.add(securityZoneService.read(dbZone.getId()));
    }
    boolean filterApplies = CollectionUtils.isNotEmpty(zones) && filter != null && !filter.isEmpty();
    if (!filterApplies) {
        return zones;
    }
    // applyFilter works on the list it is given; hand it a copy.
    List<RangerSecurityZone> filtered = new ArrayList<>(zones);
    predicateUtil.applyFilter(filtered, filter);
    return filtered;
}

Example 25 with RangerSecurityZone

use of org.apache.ranger.plugin.model.RangerSecurityZone in project ranger by apache.

the class ServiceMgr method isZoneAdmin.

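/**
 * Reports whether the currently logged-in user administers the named security zone, i.e. is listed
 * in the zone's admin users or belongs to one of its admin user groups.
 * <p>
 * Fails closed: if the zone cannot be loaded (absent, or the lookup throws) the result is
 * {@code false}; a lookup failure is logged but not propagated.
 *
 * @param zoneName name of the zone to check
 * @return {@code true} only when the zone exists and the current user is one of its admins
 */
public boolean isZoneAdmin(String zoneName) {
    RangerSecurityZone securityZone = null;
    try {
        securityZone = zoneStore.getSecurityZoneByName(zoneName);
    } catch (Exception e) {
        LOG.error("Unexpected error when fetching security zone with name:[" + zoneName + "] from database", e);
    }
    if (securityZone == null) {
        return false;
    }
    // Direct membership in the zone's admin users.
    String userId = rangerBizUtil.getCurrentUserLoginId();
    if (securityZone.getAdminUsers() != null && securityZone.getAdminUsers().contains(userId)) {
        return true;
    }
    // Membership through one of the zone's admin groups; skip the group lookup when there are none.
    if (securityZone.getAdminUserGroups() == null || securityZone.getAdminUserGroups().isEmpty()) {
        return false;
    }
    List<XXGroupUser> groupUsers = groupUserDao.findByUserId(rangerBizUtil.getXUserId());
    if (groupUsers == null) {
        return false; // no group rows for this user → cannot be a zone admin via a group
    }
    for (XXGroupUser groupUser : groupUsers) {
        if (securityZone.getAdminUserGroups().contains(groupUser.getName())) {
            return true;
        }
    }
    return false;
}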
