use of org.apache.ranger.plugin.model.validation.RangerRoleValidator in project ranger by apache.
the class RoleREST method deleteRole.
/* This operation is allowed only when -
* Logged in user has ranger admin role
*/
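@DELETE
@Path("/roles/{id}")
public void deleteRole(@PathParam("id") Long roleId) {
    // Deletes the role identified by roleId.
    // Authorization: ensureAdminAccess(null, null) is called with no serviceName and no
    // execUser, so the check is against the logged-in session only; no caller-supplied
    // identity takes part in this variant.
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> deleteRole(id=" + roleId + ")");
    }
    try {
        // Authorize BEFORE validating. The validator is built over roleStore, so its
        // checks (and the error text they produce) presumably depend on whether the
        // role exists; running them first would let a non-admin caller probe role ids.
        // For an admin the outcome is unchanged: both checks still have to pass.
        ensureAdminAccess(null, null);
        RangerRoleValidator validator = validatorFactory.getRangerRoleValidator(roleStore);
        validator.validate(roleId, RangerRoleValidator.Action.DELETE);
        roleStore.deleteRole(roleId);
    } catch (WebApplicationException excp) {
        // Already shaped as a REST error (e.g. the access-denied from ensureAdminAccess);
        // propagate as-is so status code and message are preserved.
        throw excp;
    } catch (Throwable excp) {
        // Full stack trace goes to the server log; the client only gets the message.
        LOG.error("deleteRole(" + roleId + ") failed", excp);
        throw restErrorUtil.createRESTException(excp.getMessage());
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== deleteRole(id=" + roleId + ")");
    }
}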
use of org.apache.ranger.plugin.model.validation.RangerRoleValidator in project ranger by apache.
the class RoleREST method deleteRole.
/* This operation is allowed only when the effective user has the Ranger admin privilege.
 * If execUser differs from the logged-in user, the effective user is execUser;
 * otherwise the effective user is the logged-in user.
 * This logic is implemented in ensureAdminAccess(String serviceName, String userName).
 */
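@DELETE
@Path("/roles/name/{name}")
public void deleteRole(@QueryParam("serviceName") String serviceName, @QueryParam("execUser") String execUser, @PathParam("name") String roleName) {
    // Deletes the role identified by roleName.
    // serviceName and execUser are caller-supplied query parameters. The privilege
    // decision is delegated entirely to ensureAdminAccess(serviceName, execUser);
    // NOTE(review): that helper must bind execUser to the authenticated session
    // (i.e. verify the logged-in user is allowed to act as execUser) — confirm there,
    // nothing in this method does so.
    if (LOG.isDebugEnabled()) {
        // execUser and roleName are untrusted request values written raw into the log.
        LOG.debug("==> deleteRole(user=" + execUser + " name=" + roleName + ")");
    }
    try {
        // Authorize BEFORE validating. The validator is built over roleStore, so its
        // checks (and the error text they produce) presumably depend on whether the
        // named role exists; running them first would let an unauthorized caller
        // enumerate role names. For an authorized caller both checks still have to pass.
        ensureAdminAccess(serviceName, execUser);
        RangerRoleValidator validator = validatorFactory.getRangerRoleValidator(roleStore);
        validator.validate(roleName, RangerRoleValidator.Action.DELETE);
        roleStore.deleteRole(roleName);
    } catch (WebApplicationException excp) {
        // Already shaped as a REST error; propagate unchanged.
        throw excp;
    } catch (Throwable excp) {
        // Full stack trace goes to the server log; the client only gets the message.
        LOG.error("deleteRole(" + roleName + ") failed", excp);
        throw restErrorUtil.createRESTException(excp.getMessage());
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== deleteRole(name=" + roleName + ")");
    }
}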
use of org.apache.ranger.plugin.model.validation.RangerRoleValidator in project ranger by apache.
the class RoleREST method createRole.
/* This operation is allowed only when the effective user has the Ranger admin privilege.
 * The effective user is taken from the request body (role.getCreatedByUser()): if it
 * differs from the logged-in user, the effective user is that value; otherwise it is
 * the logged-in user.
 * This logic is implemented in ensureAdminAccess(String serviceName, String userName).
 */
@POST
@Path("/roles")
public RangerRole createRole(@QueryParam("serviceName") String serviceName, RangerRole role, @DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup) {
    // Creates a new role from the request body and returns the stored instance.
    // Order of checks: structural validation of the role, then the admin-privilege
    // check for the effective user, then a membership sanity check, then the store call.
    // NOTE(review): the effective user handed to ensureAdminAccess comes from the
    // request body (createdByUser), not from the session; confirm that helper verifies
    // the logged-in user may act on behalf of that value.
    final boolean debug = LOG.isDebugEnabled();
    if (debug) {
        LOG.debug("==> createRole(" + role + ")");
    }
    RangerRole created;
    try {
        RangerRoleValidator roleValidator = validatorFactory.getRangerRoleValidator(roleStore);
        roleValidator.validate(role, RangerValidator.Action.CREATE);
        String effectiveUser = role.getCreatedByUser();
        ensureAdminAccess(serviceName, effectiveUser);
        // Reject roles whose user list contains a disallowed member (see containsInvalidMember).
        boolean badMembers = containsInvalidMember(role.getUsers());
        if (badMembers) {
            throw new Exception("Invalid role user(s)");
        }
        created = roleStore.createRole(role, createNonExistUserGroup);
    } catch (WebApplicationException excp) {
        // Already a REST error (e.g. access denied); surface it unchanged.
        throw excp;
    } catch (Throwable excp) {
        // Log the full failure server-side; the client receives only the message text.
        LOG.error("createRole(" + role + ") failed", excp);
        throw restErrorUtil.createRESTException(excp.getMessage());
    }
    if (debug) {
        LOG.debug("<== createRole(" + role + "):" + created);
    }
    return created;
}
use of org.apache.ranger.plugin.model.validation.RangerRoleValidator in project ranger by apache.
the class RoleREST method updateRole.
/* This operation is allowed only when -
* Logged in user has ranger admin role
*/
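@PUT
@Path("/roles/{id}")
public RangerRole updateRole(@PathParam("id") Long roleId, RangerRole role, @DefaultValue("false") @QueryParam("createNonExistUserGroup") Boolean createNonExistUserGroup) {
    // Updates the role identified by roleId with the contents of the request body.
    // Allowed for a Ranger admin, or for a user that ensureRoleAccess grants access to
    // the existing role (by login name and group membership).
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> updateRole(id=" + roleId + ", " + role + ")");
    }
    // A missing body used to reach role.getId() below outside the try block and
    // surface as an unhandled NullPointerException; reject it as a client error instead.
    if (role == null) {
        throw restErrorUtil.createRESTException("role is null!!");
    }
    // The id in the path is authoritative; a conflicting id in the body is an error,
    // a missing one is filled in from the path.
    if (role.getId() != null && !roleId.equals(role.getId())) {
        throw restErrorUtil.createRESTException("roleId mismatch!!");
    } else {
        role.setId(roleId);
    }
    RangerRole ret;
    try {
        UserSessionBase usb = ContextUtil.getCurrentUserSession();
        String loggedInUser = usb != null ? usb.getLoginId() : null;
        // Authorization is decided against the role as currently stored, not against
        // the caller-supplied body, so a caller cannot grant itself access by editing
        // the body. getRole(roleId) presumably fails for an unknown id — confirm.
        RangerRole existingRole = getRole(roleId);
        if (!bizUtil.isUserRangerAdmin(loggedInUser) && !ensureRoleAccess(loggedInUser, userMgr.getGroupsForUser(loggedInUser), existingRole)) {
            LOG.error("User " + loggedInUser + " does not have permission for this operation");
            throw new Exception("User does not have permission for this operation");
        }
        // Validation runs only after the access check has passed.
        RangerRoleValidator validator = validatorFactory.getRangerRoleValidator(roleStore);
        validator.validate(role, RangerValidator.Action.UPDATE);
        if (containsInvalidMember(role.getUsers())) {
            throw new Exception("Invalid role user(s)");
        }
        ret = roleStore.updateRole(role, createNonExistUserGroup);
    } catch (WebApplicationException excp) {
        // Already a REST error; propagate unchanged.
        throw excp;
    } catch (Throwable excp) {
        // Full stack trace to the server log; the client only gets the message.
        LOG.error("updateRole(" + role + ") failed", excp);
        throw restErrorUtil.createRESTException(excp.getMessage());
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== updateRole(id=" + roleId + ", " + role + "):" + ret);
    }
    return ret;
}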