Search in sources :

Example 36 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class ServiceREST method updatePolicy.

@PUT
@Path("/policies/{id}")
@Produces({ "application/json", "application/xml" })
public RangerPolicy updatePolicy(RangerPolicy policy) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.updatePolicy(" + policy + ")");
    }
    RangerPolicy ret = null;
    RangerPerfTracer perf = null;
    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.updatePolicy(policyId=" + policy.getId() + ")");
        }
        RangerPolicyValidator validator = validatorFactory.getPolicyValidator(svcStore);
        validator.validate(policy, Action.UPDATE, bizUtil.isAdmin());
        ensureAdminAccess(policy);
        bizUtil.blockAuditorRoleUser();
        ret = svcStore.updatePolicy(policy);
    } catch (WebApplicationException excp) {
        throw excp;
    } catch (Throwable excp) {
        LOG.error("updatePolicy(" + policy + ") failed", excp);
        throw restErrorUtil.createRESTException(excp.getMessage());
    } finally {
        RangerPerfTracer.log(perf);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.updatePolicy(" + policy + "): " + ret);
    }
    return ret;
}
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) WebApplicationException(javax.ws.rs.WebApplicationException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerPolicyValidator(org.apache.ranger.plugin.model.validation.RangerPolicyValidator) Path(javax.ws.rs.Path) Produces(javax.ws.rs.Produces) PUT(javax.ws.rs.PUT)

Example 37 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class ServiceREST method createService.

@POST
@Path("/services")
@Produces({ "application/json", "application/xml" })
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_SERVICE + "\")")
public RangerService createService(RangerService service) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.createService(" + service + ")");
    }
    RangerService ret = null;
    RangerPerfTracer perf = null;
    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.createService(serviceName=" + service.getName() + ")");
        }
        RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
        validator.validate(service, Action.CREATE);
        UserSessionBase session = ContextUtil.getCurrentUserSession();
        XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(service.getType());
        if (session != null && !session.isSpnegoEnabled()) {
            bizUtil.hasAdminPermissions("Services");
            // TODO: As of now we are allowing SYS_ADMIN to create all the
            // services including KMS
            bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
        }
        if (session != null && session.isSpnegoEnabled()) {
            if (session.isKeyAdmin() && !EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xxServiceDef.getImplclassname())) {
                throw restErrorUtil.createRESTException("KeyAdmin can create/update/delete only KMS ", MessageEnums.OPER_NO_PERMISSION);
            }
            if ((!session.isKeyAdmin() && !session.isUserAdmin()) && EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(xxServiceDef.getImplclassname())) {
                throw restErrorUtil.createRESTException("User cannot create/update/delete KMS Service", MessageEnums.OPER_NO_PERMISSION);
            }
        }
        bizUtil.blockAuditorRoleUser();
        ret = svcStore.createService(service);
    } catch (WebApplicationException excp) {
        throw excp;
    } catch (Throwable excp) {
        LOG.error("createService(" + service + ") failed", excp);
        throw restErrorUtil.createRESTException(excp.getMessage());
    } finally {
        RangerPerfTracer.log(perf);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.createService(" + service + "): " + ret);
    }
    return ret;
}
Also used : XXServiceDef(org.apache.ranger.entity.XXServiceDef) WebApplicationException(javax.ws.rs.WebApplicationException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerService(org.apache.ranger.plugin.model.RangerService) RangerServiceValidator(org.apache.ranger.plugin.model.validation.RangerServiceValidator) UserSessionBase(org.apache.ranger.common.UserSessionBase) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Produces(javax.ws.rs.Produces) PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)

Example 38 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class ServiceREST method updateServiceDef.

@PUT
@Path("/definitions/{id}")
@Produces({ "application/json", "application/xml" })
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_SERVICE_DEF + "\")")
public RangerServiceDef updateServiceDef(RangerServiceDef serviceDef) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.updateServiceDef(serviceDefName=" + serviceDef.getName() + ")");
    }
    RangerServiceDef ret = null;
    RangerPerfTracer perf = null;
    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.updateServiceDef(" + serviceDef.getName() + ")");
        }
        RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore);
        validator.validate(serviceDef, Action.UPDATE);
        bizUtil.hasAdminPermissions("Service-Def");
        bizUtil.hasKMSPermissions("Service-Def", serviceDef.getImplClass());
        bizUtil.blockAuditorRoleUser();
        ret = svcStore.updateServiceDef(serviceDef);
    } catch (WebApplicationException excp) {
        throw excp;
    } catch (Throwable excp) {
        LOG.error("updateServiceDef(" + serviceDef + ") failed", excp);
        throw restErrorUtil.createRESTException(excp.getMessage());
    } finally {
        RangerPerfTracer.log(perf);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.updateServiceDef(" + serviceDef + "): " + ret);
    }
    return ret;
}
Also used : WebApplicationException(javax.ws.rs.WebApplicationException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) RangerServiceDef(org.apache.ranger.plugin.model.RangerServiceDef) RangerServiceDefValidator(org.apache.ranger.plugin.model.validation.RangerServiceDefValidator) Path(javax.ws.rs.Path) Produces(javax.ws.rs.Produces) PreAuthorize(org.springframework.security.access.prepost.PreAuthorize) PUT(javax.ws.rs.PUT)

Example 39 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class ServiceREST method secureGrantAccess.

@POST
@Path("/secure/services/grant/{serviceName}")
@Produces({ "application/json", "application/xml" })
public RESTResponse secureGrantAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest grantRequest, @Context HttpServletRequest request) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.secureGrantAccess(" + serviceName + ", " + grantRequest + ")");
    }
    RESTResponse ret = new RESTResponse();
    RangerPerfTracer perf = null;
    boolean isAllowed = false;
    boolean isKeyAdmin = bizUtil.isKeyAdmin();
    bizUtil.blockAuditorRoleUser();
    if (grantRequest != null) {
        if (serviceUtil.isValidService(serviceName, request)) {
            try {
                if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
                    perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.scureGrantAccess(serviceName=" + serviceName + ")");
                }
                validateGrantRevokeRequest(grantRequest);
                String userName = grantRequest.getGrantor();
                Set<String> userGroups = CollectionUtils.isNotEmpty(grantRequest.getGrantorGroups()) ? grantRequest.getGrantorGroups() : userMgr.getGroupsForUser(userName);
                RangerAccessResource resource = new RangerAccessResourceImpl(StringUtil.toStringObjectMap(grantRequest.getResource()));
                boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
                XXService xService = daoManager.getXXService().findByName(serviceName);
                XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
                RangerService rangerService = svcStore.getServiceByName(serviceName);
                if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
                    if (isKeyAdmin) {
                        isAllowed = true;
                    } else {
                        isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName);
                    }
                } else {
                    if (isAdmin) {
                        isAllowed = true;
                    } else {
                        isAllowed = bizUtil.isUserAllowedForGrantRevoke(rangerService, Allowed_User_List_For_Grant_Revoke, userName);
                    }
                }
                if (isAllowed) {
                    RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource, userName);
                    if (policy != null) {
                        boolean policyUpdated = false;
                        policyUpdated = ServiceRESTUtil.processGrantRequest(policy, grantRequest);
                        if (policyUpdated) {
                            svcStore.updatePolicy(policy);
                        } else {
                            LOG.error("processSecureGrantRequest processing failed");
                            throw new Exception("processSecureGrantRequest processing failed");
                        }
                    } else {
                        policy = new RangerPolicy();
                        policy.setService(serviceName);
                        // TODO: better policy name
                        policy.setName("grant-" + System.currentTimeMillis());
                        policy.setDescription("created by grant");
                        policy.setIsAuditEnabled(grantRequest.getEnableAudit());
                        policy.setCreatedBy(userName);
                        Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>();
                        Set<String> resourceNames = resource.getKeys();
                        if (!CollectionUtils.isEmpty(resourceNames)) {
                            for (String resourceName : resourceNames) {
                                RangerPolicyResource policyResource = new RangerPolicyResource((String) resource.getValue(resourceName));
                                policyResource.setIsRecursive(grantRequest.getIsRecursive());
                                policyResources.put(resourceName, policyResource);
                            }
                        }
                        policy.setResources(policyResources);
                        RangerPolicyItem policyItem = new RangerPolicyItem();
                        policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin());
                        policyItem.getUsers().addAll(grantRequest.getUsers());
                        policyItem.getGroups().addAll(grantRequest.getGroups());
                        for (String accessType : grantRequest.getAccessTypes()) {
                            policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE));
                        }
                        policy.getPolicyItems().add(policyItem);
                        svcStore.createPolicy(policy);
                    }
                } else {
                    LOG.error("secureGrantAccess(" + serviceName + ", " + grantRequest + ") failed as User doesn't have permission to grant Policy");
                    throw restErrorUtil.createGrantRevokeRESTException("User doesn't have necessary permission to grant access");
                }
            } catch (WebApplicationException excp) {
                throw excp;
            } catch (Throwable excp) {
                LOG.error("secureGrantAccess(" + serviceName + ", " + grantRequest + ") failed", excp);
                throw restErrorUtil.createRESTException(excp.getMessage());
            } finally {
                RangerPerfTracer.log(perf);
            }
            ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
        }
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.secureGrantAccess(" + serviceName + ", " + grantRequest + "): " + ret);
    }
    return ret;
}
Also used : XXServiceDef(org.apache.ranger.entity.XXServiceDef) WebApplicationException(javax.ws.rs.WebApplicationException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer) LinkedHashMap(java.util.LinkedHashMap) HashMap(java.util.HashMap) RangerPolicyResource(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource) VXString(org.apache.ranger.view.VXString) RangerPolicyItem(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem) WebApplicationException(javax.ws.rs.WebApplicationException) IOException(java.io.IOException) JsonSyntaxException(com.google.gson.JsonSyntaxException) RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) RangerAccessResourceImpl(org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl) RESTResponse(org.apache.ranger.admin.client.datatype.RESTResponse) RangerPolicyItemAccess(org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess) RangerService(org.apache.ranger.plugin.model.RangerService) XXService(org.apache.ranger.entity.XXService) RangerAccessResource(org.apache.ranger.plugin.policyengine.RangerAccessResource) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Produces(javax.ws.rs.Produces)

Example 40 with RangerPerfTracer

use of org.apache.ranger.plugin.util.RangerPerfTracer in project ranger by apache.

the class ServiceREST method getPolicies.

public List<RangerPolicy> getPolicies(SearchFilter filter) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> ServiceREST.getPolicies(filter)");
    }
    List<RangerPolicy> ret = null;
    RangerPerfTracer perf = null;
    try {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.getPolicies()");
        }
        ret = svcStore.getPolicies(filter);
        ret = applyAdminAccessFilter(ret);
    } catch (WebApplicationException excp) {
        throw excp;
    } catch (Throwable excp) {
        LOG.error("getPolicies() failed", excp);
        throw restErrorUtil.createRESTException(excp.getMessage());
    } finally {
        RangerPerfTracer.log(perf);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== ServiceREST.getPolicies(filter): count=" + (ret == null ? 0 : ret.size()));
    }
    return ret;
}
Also used : RangerPolicy(org.apache.ranger.plugin.model.RangerPolicy) WebApplicationException(javax.ws.rs.WebApplicationException) RangerPerfTracer(org.apache.ranger.plugin.util.RangerPerfTracer)

Aggregations

RangerPerfTracer (org.apache.ranger.plugin.util.RangerPerfTracer)75 WebApplicationException (javax.ws.rs.WebApplicationException)36 Path (javax.ws.rs.Path)33 Produces (javax.ws.rs.Produces)33 RangerPolicy (org.apache.ranger.plugin.model.RangerPolicy)21 VXString (org.apache.ranger.view.VXString)18 GET (javax.ws.rs.GET)17 PreAuthorize (org.springframework.security.access.prepost.PreAuthorize)16 RangerService (org.apache.ranger.plugin.model.RangerService)11 POST (javax.ws.rs.POST)10 ArrayList (java.util.ArrayList)9 XXServiceDef (org.apache.ranger.entity.XXServiceDef)9 RangerAccessResourceImpl (org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl)9 SearchFilter (org.apache.ranger.plugin.util.SearchFilter)9 JsonSyntaxException (com.google.gson.JsonSyntaxException)8 IOException (java.io.IOException)8 RangerPolicyResource (org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource)7 RangerResourceDef (org.apache.ranger.plugin.model.RangerServiceDef.RangerResourceDef)7 RangerServiceDef (org.apache.ranger.plugin.model.RangerServiceDef)6 XXService (org.apache.ranger.entity.XXService)5