Search in sources :

Example 31 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class ServiceREST method secureRevokeAccess.

@POST
@Path("/secure/services/revoke/{serviceName}")
@Produces({ "application/json", "application/xml" })
public RESTResponse secureRevokeAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest revokeRequest, @Context HttpServletRequest request) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.secureRevokeAccess(" + serviceName + ", " + revokeRequest + ")");
    }
    RESTResponse ret = new RESTResponse();
    RangerPerfTracer perf = null;
    if (revokeRequest != null) {
        if (serviceUtil.isValidService(serviceName, request)) {
            try {
                if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
                    perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.secureRevokeAccess(serviceName=" + serviceName + ")");
                }
                validateGrantRevokeRequest(revokeRequest);
                String userName = revokeRequest.getGrantor();
                Set<String> userGroups = CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups()) ? revokeRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
                RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()));
                boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
                boolean isAllowed = false;
                boolean isKeyAdmin = bizUtil.isKeyAdmin();
                bizUtil.blockAuditorRoleUser();
                XXService xService = daoManager.getXXService().findByName(serviceName);
                XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
                RangerService rangerService = svcStore.getServiceByName(serviceName);
                if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
                    if (isKeyAdmin) {
                        isAllowed = true;
                    } else {
                        isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName);
                    }
                } else {
                    if (isAdmin) {
                        isAllowed = true;
                    } else {
                        isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName);
                    }
                }
                if (isAllowed) {
                    RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, userName);
                    if (policy != null) {
                        boolean policyUpdated = false;
                        policyUpdated = ServiceRESTUtil.processRevokeRequest(policy, revokeRequest);
                        if (policyUpdated) {
                            svcStore.updatePolicy(policy);
                        } else {
                            LOG.error("processSecureRevokeRequest processing failed");
                            throw new Exception("processSecureRevokeRequest processing failed");
                        }
                    }
                } else {
                    LOG.error("secureRevokeAccess(" + serviceName + ", " + revokeRequest + ") failed as User doesn't have permission to revoke Policy");
                    throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to revoke access");
                }
            } catch (WebApplicationException excp) {
                throw excp;
            } catch (Throwable excp) {
                LOG.error("secureRevokeAccess(" + serviceName + ", " + revokeRequest + ") failed", excp);
                throw restErrorUtil.createRESTException(excp.getMessage());
            } finally {
                RangerPerfTracer.log(perf);
            }
            ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.secureRevokeAccess(" + serviceName + ", " + revokeRequest + "): " + ret);
    }
    return ret;
}
Also used : XXServiceDef(org.apache.ranger.entity.XXServiceDef) WebApplicationException(javax.ws.rs.WebApplicationException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) VXString(org.apache.ranger.view.VXString) WebApplicationException(javax.ws.rs.WebApplicationException) IOException(java.io.IOException) JsonSyntaxException(com.google.gson.JsonSyntaxException) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl) RESTResponse(org.apache.ranger.admin.client.datatype.RESTResponse) RangerService(org.apache.ranger.plugin.model.RangerService) XXService(org.apache.ranger.entity.XXService) RangerAccessResource(org.apache.ranger.plugin.policyengine.RangerAccessResource) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Produces(javax.ws.rs.Produces)

Example 32 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class ServiceREST method updateService.

@PUT
@Path("/services/{id}")
@Produces({ "application/json", "application/xml" })
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_SERVICE + "\")")
public RangerService updateService(RangerService service, @Context HttpServletRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.updateService(): " + service);
    }
    RangerService ret = null;
    RangerPerfTracer perf = null;
    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.updateService(serviceName=" + service.getName() + ")");
        }
        RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
        validator.validate(service, Action.UPDATE);
        bizUtil.hasAdminPermissions("Services");
        // TODO: As of now we are allowing SYS_ADMIN to create all the
        // services including KMS
        XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(service.getType());
        bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
        bizUtil.blockAuditorRoleUser();
        Map<String, Object> options = getOptions(request);
        ret = svcStore.updateService(service, options);
    } catch (WebApplicationException excp) {
        throw excp;
    } catch (Throwable excp) {
        LOG.error("updateService(" + service + ") failed", excp);
        throw restErrorUtil.createRESTException(excp.getMessage());
    } finally {
        RangerPerfTracer.log(perf);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.updateService(" + service + "): " + ret);
    }
    return ret;
}
Also used : XXServiceDef(org.apache.ranger.entity.XXServiceDef) WebApplicationException(javax.ws.rs.WebApplicationException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerService(org.apache.ranger.plugin.model.RangerService) VXString(org.apache.ranger.view.VXString) RangerServiceValidator(org.apache.ranger.plugin.model.validation.RangerServiceValidator) Path(javax.ws.rs.Path) Produces(javax.ws.rs.Produces) PreAuthorize(org.springframework.security.access.prepost.PreAuthorize) PUT(javax.ws.rs.PUT)

Example 33 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class ServiceREST method applyAdminAccessFilter.

private List<RangerPolicy> applyAdminAccessFilter(List<RangerPolicy> policies) {
    List<RangerPolicy> ret = new ArrayList<RangerPolicy>();
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.applyAdminAccessFilter(policyCount=" + (policies == null ? 0 : policies.size()) + ")");
    }
    if (CollectionUtils.isNotEmpty(policies)) {
        boolean isAdmin = bizUtil.isAdmin();
        boolean isKeyAdmin = bizUtil.isKeyAdmin();
        String userName = bizUtil.getCurrentUserLoginId();
        boolean isAuditAdmin = bizUtil.isAuditAdmin();
        boolean isAuditKeyAdmin = bizUtil.isAuditKeyAdmin();
        Set<String> userGroups = null;
        Map<String, List<RangerPolicy>> servicePoliciesMap = new HashMap<String, List<RangerPolicy>>();
        for (int i = 0; i < policies.size(); i++) {
            RangerPolicy policy = policies.get(i);
            String serviceName = policy.getService();
            List<RangerPolicy> policyList = servicePoliciesMap.get(serviceName);
            if (policyList == null) {
                policyList = new ArrayList<RangerPolicy>();
                servicePoliciesMap.put(serviceName, policyList);
            }
            policyList.add(policy);
        }
        for (Map.Entry<String, List<RangerPolicy>> entry : servicePoliciesMap.entrySet()) {
            String serviceName = entry.getKey();
            List<RangerPolicy> listToFilter = entry.getValue();
            if (CollectionUtils.isNotEmpty(listToFilter)) {
                if (isAdmin || isKeyAdmin || isAuditAdmin || isAuditKeyAdmin) {
                    XXService xService = daoManager.getXXService().findByName(serviceName);
                    Long serviceDefId = xService.getType();
                    boolean isKmsService = serviceDefId.equals(EmbeddedServiceDefsUtil.instance().getKmsServiceDefId());
                    if (isAdmin) {
                        if (!isKmsService) {
                            ret.addAll(listToFilter);
                        }
                    } else if (isAuditAdmin) {
                        if (!isKmsService) {
                            ret.addAll(listToFilter);
                        }
                    } else if (isAuditKeyAdmin) {
                        if (isKmsService) {
                            ret.addAll(listToFilter);
                        }
                    } else {
                        // isKeyAdmin
                        if (isKmsService) {
                            ret.addAll(listToFilter);
                        }
                    }
                    continue;
                }
                RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(serviceName);
                if (policyEngine != null) {
                    if (userGroups == null) {
                        userGroups = daoManager.getXXGroupUser().findGroupNamesByUserName(userName);
                    }
                    for (RangerPolicy policy : listToFilter) {
                        if (policyEngine.isAccessAllowed(policy, userName, userGroups, RangerPolicyEngine.ADMIN_ACCESS)) {
                            ret.add(policy);
                        }
                    }
                }
            }
        }
    }
    RangerPerfTracer.log(perf);
    return ret;
}
Also used : RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) LinkedHashMap(java.util.LinkedHashMap) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) RangerPolicyEngine(org.apache.ranger.plugin.policyengine.RangerPolicyEngine) VXString(org.apache.ranger.view.VXString) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerPluginInfoList(org.apache.ranger.view.RangerPluginInfoList) RangerServiceList(org.apache.ranger.view.RangerServiceList) ArrayList(java.util.ArrayList) VXPolicyLabelList(org.apache.ranger.view.VXPolicyLabelList) List(java.util.List) RangerExportPolicyList(org.apache.ranger.view.RangerExportPolicyList) RangerPolicyList(org.apache.ranger.view.RangerPolicyList) RangerServiceDefList(org.apache.ranger.view.RangerServiceDefList) RangerAPIList(org.apache.ranger.security.context.RangerAPIList) PList(org.apache.ranger.plugin.store.PList) XXService(org.apache.ranger.entity.XXService) Map(java.util.Map) LinkedHashMap(java.util.LinkedHashMap) TreeMap(java.util.TreeMap) HashMap(java.util.HashMap)

Example 34 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class ServiceREST method revokeAccess.

@POST
@Path("/services/revoke/{serviceName}")
@Produces({ "application/json", "application/xml" })
public RESTResponse revokeAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest revokeRequest, @Context HttpServletRequest request) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.revokeAccess(" + serviceName + ", " + revokeRequest + ")");
    }
    RESTResponse ret = new RESTResponse();
    RangerPerfTracer perf = null;
    if (revokeRequest != null) {
        if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) {
            try {
                if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
                    perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.revokeAccess(serviceName=" + serviceName + ")");
                }
                validateGrantRevokeRequest(revokeRequest);
                String userName = revokeRequest.getGrantor();
                Set<String> userGroups = CollectionUtils.isNotEmpty(revokeRequest.getGrantorGroups()) ? revokeRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
                RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(revokeRequest.getResource()));
                VXUser vxUser = xUserService.getXUserByUserName(userName);
                if (vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) || vxUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) {
                    VXResponse vXResponse = new VXResponse();
                    vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
                    vXResponse.setMsgDesc("Operation" + " denied. LoggedInUser=" + vxUser.getId() + " ,isn't permitted to perform the action.");
                    throw restErrorUtil.generateRESTException(vXResponse);
                }
                boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
                if (!isAdmin) {
                    throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to revoke access");
                }
                RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, userName);
                if (policy != null) {
                    boolean policyUpdated = false;
                    policyUpdated = ServiceRESTUtil.processRevokeRequest(policy, revokeRequest);
                    if (policyUpdated) {
                        svcStore.updatePolicy(policy);
                    } else {
                        LOG.error("processRevokeRequest processing failed");
                        throw new Exception("processRevokeRequest processing failed");
                    }
                }
            } catch (WebApplicationException excp) {
                throw excp;
            } catch (Throwable excp) {
                LOG.error("revokeAccess(" + serviceName + ", " + revokeRequest + ") failed", excp);
                throw restErrorUtil.createRESTException(excp.getMessage());
            } finally {
                RangerPerfTracer.log(perf);
            }
            ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.revokeAccess(" + serviceName + ", " + revokeRequest + "): " + ret);
    }
    return ret;
}
Also used : VXResponse(org.apache.ranger.view.VXResponse) WebApplicationException(javax.ws.rs.WebApplicationException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) VXString(org.apache.ranger.view.VXString) VXUser(org.apache.ranger.view.VXUser) WebApplicationException(javax.ws.rs.WebApplicationException) IOException(java.io.IOException) JsonSyntaxException(com.google.gson.JsonSyntaxException) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl) RESTResponse(org.apache.ranger.admin.client.datatype.RESTResponse) RangerAccessResource(org.apache.ranger.plugin.policyengine.RangerAccessResource) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Produces(javax.ws.rs.Produces)

Example 35 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class ServiceREST method getServices.

@GET
@Path("/services")
@Produces({ "application/json", "application/xml" })
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_SERVICES + "\")")
public RangerServiceList getServices(@Context HttpServletRequest request) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.getServices()");
    }
    RangerServiceList ret = null;
    RangerPerfTracer perf = null;
    PList<RangerService> paginatedSvcs = null;
    SearchFilter filter = searchUtil.getSearchFilter(request, svcService.sortFields);
    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getServices()");
        }
        paginatedSvcs = svcStore.getPaginatedServices(filter);
        if (paginatedSvcs != null) {
            ret = new RangerServiceList();
            ret.setServices(paginatedSvcs.getList());
            ret.setPageSize(paginatedSvcs.getPageSize());
            ret.setResultSize(paginatedSvcs.getResultSize());
            ret.setStartIndex(paginatedSvcs.getStartIndex());
            ret.setTotalCount(paginatedSvcs.getTotalCount());
            ret.setSortBy(paginatedSvcs.getSortBy());
            ret.setSortType(paginatedSvcs.getSortType());
        }
    } catch (WebApplicationException excp) {
        throw excp;
    } catch (Throwable excp) {
        LOG.error("getServices() failed", excp);
        throw restErrorUtil.createRESTException(excp.getMessage());
    } finally {
        RangerPerfTracer.log(perf);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.getServices(): count=" + (ret == null ? 0 : ret.getListSize()));
    }
    return ret;
}
Also used : WebApplicationException(javax.ws.rs.WebApplicationException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerServiceList(org.apache.ranger.view.RangerServiceList) SearchFilter(org.apache.ranger.plugin.util.SearchFilter) RangerService(org.apache.ranger.plugin.model.RangerService) Path(javax.ws.rs.Path) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)

Aggregations

RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)75 WebApplicationException (javax.ws.rs.WebApplicationException)36 Path (javax.ws.rs.Path)33 Produces (javax.ws.rs.Produces)33 RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)21 VXString (org.apache.ranger.view.VXString)18 GET (javax.ws.rs.GET)17 PreAuthorize (org.springframework.security.access.prepost.PreAuthorize)16 RangerService (org.apache.ranger.plugin.model.RangerService)11 POST (javax.ws.rs.POST)10 ArrayList (java.util.ArrayList)9 XXServiceDef (org.apache.ranger.entity.XXServiceDef)9 RangerAccessResourceImpl (org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)9 SearchFilter (org.apache.ranger.plugin.util.SearchFilter)9 JsonSyntaxException (com.google.gson.JsonSyntaxException)8 IOException (java.io.IOException)8 RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)7 RangerResourceDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)7 RangerServiceDef (org.apache.ranger.plugin.model.RangerServiceDef)6 XXService (org.apache.ranger.entity.XXService)5