
Example 1 with RangerRoles

Use of org.apache.ranger.plugin.util.RangerRoles in the project ranger by apache.

From the class RangerHivePlugin, method getRangerRoleForRoleName.

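/**
 * Looks up a role by exact name in the role set currently held by the plugin.
 *
 * @param roleName name to compare against {@link RangerRole#getName()}; a
 *                 {@code null} name matches nothing
 * @return the first role whose name equals {@code roleName}, or {@code null}
 *         when the plugin has no roles or none matches
 */
private RangerRole getRangerRoleForRoleName(String roleName) {
    // A null name can never match; without this guard the equals() call below throws.
    if (roleName == null) {
        return null;
    }
    RangerRoles rangerRoles = hivePlugin.getRangerRoles();
    if (rangerRoles == null) {
        return null;
    }
    Set<RangerRole> roles = rangerRoles.getRangerRoles();
    // The set itself may be absent; the SHOW ROLES path in this class guards
    // it with CollectionUtils.isNotEmpty, so treat null as "no roles" here too.
    if (roles == null) {
        return null;
    }
    for (RangerRole role : roles) {
        if (roleName.equals(role.getName())) {
            return role;
        }
    }
    return null;
}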

Example 2 with RangerRoles

Use of org.apache.ranger.plugin.util.RangerRoles in the project ranger by apache.

From the class RoleREST, method getRangerRolesIfUpdated.

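/**
 * Returns the roles of {@code serviceName} to a plugin when they have changed
 * since {@code lastKnownRoleVersion}.
 * <p>
 * Outcomes: 200 with the roles; 304 (raised as a REST exception) when the
 * role store reports no change; the validation error's own status when the
 * service check fails; 400 on any other failure. Every call is recorded via
 * {@code assetMgr.createPluginInfo} with the resulting HTTP code before the
 * response or exception is produced. Only authentication is enforced here;
 * per-user download permission is checked by the {@code /secure/download}
 * variant.
 *
 * @param serviceName          service whose roles are requested
 * @param lastKnownRoleVersion role version the plugin already holds; {@code null} is treated as -1
 * @param lastActivationTime   plugin-reported activation time, recorded in plugin info
 * @param pluginId             identifier of the calling plugin, recorded in plugin info
 * @param clusterName          cluster of the calling plugin, recorded in plugin info
 * @param pluginCapabilities   capability string of the calling plugin, recorded in plugin info
 * @param request              incoming request, used for service validation and plugin info
 * @return the roles with {@code serviceName} set on them; never {@code null} on a normal return
 * @throws Exception a REST exception carrying the HTTP code for every non-200 outcome
 */
@GET
@Path("/download/{serviceName}")
@Produces({ "application/json", "application/xml" })
public RangerRoles getRangerRolesIfUpdated(@PathParam("serviceName") String serviceName, @QueryParam("lastKnownRoleVersion") Long lastKnownRoleVersion, @DefaultValue("0") @QueryParam("lastActivationTime") Long lastActivationTime, @QueryParam("pluginId") String pluginId, @DefaultValue("") @QueryParam("clusterName") String clusterName, @DefaultValue("") @QueryParam(RangerRESTUtils.REST_PARAM_CAPABILITIES) String pluginCapabilities, @Context HttpServletRequest request) throws Exception {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RoleREST.getRangerRolesIfUpdated(" + serviceName + ", " + lastKnownRoleVersion + ", " + lastActivationTime + ")");
    }
    RangerRoles ret = null;
    boolean isValid = false;
    int httpCode = HttpServletResponse.SC_OK;
    Long downloadedVersion = null;
    String logMsg = null;
    try {
        bizUtil.failUnauthenticatedIfNotAllowed();
        isValid = serviceUtil.isValidService(serviceName, request);
    } catch (WebApplicationException webException) {
        httpCode = webException.getResponse().getStatus();
        // The response entity can be absent; fall back to the exception message
        // instead of throwing a NullPointerException out of the handler.
        Object entity = webException.getResponse().getEntity();
        logMsg = entity != null ? entity.toString() : webException.getMessage();
    } catch (Exception e) {
        httpCode = HttpServletResponse.SC_BAD_REQUEST;
        logMsg = e.getMessage();
    }
    if (isValid) {
        // -1 means "no version known", so the store returns whatever it has.
        if (lastKnownRoleVersion == null) {
            lastKnownRoleVersion = Long.valueOf(-1);
        }
        try {
            RangerRoles roles = roleStore.getRoles(serviceName, lastKnownRoleVersion);
            if (roles == null) {
                // Store signals "unchanged" with null; report the version the plugin sent.
                downloadedVersion = lastKnownRoleVersion;
                httpCode = HttpServletResponse.SC_NOT_MODIFIED;
                logMsg = "No change since last update";
            } else {
                downloadedVersion = roles.getRoleVersion();
                roles.setServiceName(serviceName);
                ret = roles;
                httpCode = HttpServletResponse.SC_OK;
                logMsg = "Returning RangerRoles =>" + (ret.toString());
            }
        } catch (Throwable excp) {
            // Throwable is caught so that any store failure is reported to the
            // plugin as a 400; note that this also converts Errors.
            LOG.error("getRangerRolesIfUpdated(" + serviceName + ", " + lastKnownRoleVersion + ", " + lastActivationTime + ") failed", excp);
            httpCode = HttpServletResponse.SC_BAD_REQUEST;
            // This message becomes the REST error body below, so store
            // exceptions should not carry internal detail.
            logMsg = excp.getMessage();
        }
    }
    // Recorded for every outcome, including 304 and failures.
    assetMgr.createPluginInfo(serviceName, pluginId, request, RangerPluginInfo.ENTITY_TYPE_ROLES, downloadedVersion, lastKnownRoleVersion, lastActivationTime, httpCode, clusterName, pluginCapabilities);
    if (httpCode != HttpServletResponse.SC_OK) {
        // 304 is a normal outcome and is not logged as an error.
        boolean logError = httpCode != HttpServletResponse.SC_NOT_MODIFIED;
        throw restErrorUtil.createRESTException(httpCode, logMsg, logError);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RoleREST.getRangerRolesIfUpdated(" + serviceName + ", " + lastKnownRoleVersion + ", " + lastActivationTime + ")" + ret);
    }
    return ret;
}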

Example 3 with RangerRoles

Use of org.apache.ranger.plugin.util.RangerRoles in the project ranger by apache.

From the class RoleDBStore, method getRoles.

/**
 * Returns the roles of a service as decided by {@link RangerRoleCache}.
 * <p>
 * The role version stored in the DB is looked up first; when the service has
 * no version there, {@code null} is returned without consulting the cache.
 *
 * @param serviceName          service whose roles are requested
 * @param lastKnownRoleVersion role version the caller already holds
 * @return the roles from the cache, or {@code null} when the DB holds no
 *         role version for the service (or the cache returns {@code null})
 * @throws Exception propagated from the version lookup or the cache
 */
@Override
public RangerRoles getRoles(String serviceName, Long lastKnownRoleVersion) throws Exception {
    Long versionInDb = getRoleVersion(serviceName);
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RoleDBStore.getRoles() lastKnownRoleVersion= " + lastKnownRoleVersion + " rangerRoleVersionInDB= " + versionInDb);
    }
    RangerRoles result;
    if (versionInDb == null) {
        result = null;
    } else {
        result = RangerRoleCache.getInstance().getLatestRangerRoleOrCached(serviceName, this, lastKnownRoleVersion, versionInDb);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<= RoleDBStore.getRoles() lastKnownRoleVersion= " + lastKnownRoleVersion + " rangerRoleVersionInDB= " + versionInDb + " RangerRoles= " + result);
    }
    return result;
}

Example 4 with RangerRoles

Use of org.apache.ranger.plugin.util.RangerRoles in the project ranger by apache.

From the class RangerHivePlugin, method getAllRoles.

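/**
 * Implements Hive's SHOW ROLES: lists the names of all roles known to the
 * Ranger plugin. Only a Ranger service admin may call it; every attempt,
 * allowed or denied, is audited as a SHOW_ROLES/SELECT event.
 *
 * @return the role names in the plugin's current role set (empty when the
 *         plugin holds no roles)
 * @throws HiveAuthzPluginException   if the plugin is not initialized or an
 *                                    unexpected error occurs while listing roles
 * @throws HiveAccessControlException if the caller's identity is unavailable
 *                                    or the caller is not a service admin
 */
@Override
public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerHiveAuthorizer.getAllRoles()");
    }
    // Check the plugin before touching it: the audit handler below needs its config.
    if (hivePlugin == null) {
        throw new HiveAuthzPluginException("RangerHiveAuthorizer.getAllRoles(): HivePlugin initialization failed...");
    }
    UserGroupInformation ugi = getCurrentUserGroupInfo();
    if (ugi == null) {
        throw new HiveAccessControlException("RangerHiveAuthorizer.getAllRoles(): User information not available...");
    }
    String currentUserName = ugi.getShortUserName();
    List<String> ret = new ArrayList<>();
    RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
    // Stays null when the admin check fails, so a denied attempt is audited without a user list.
    List<String> userNames = null;
    boolean result = false;
    try {
        if (!hivePlugin.isServiceAdmin(currentUserName)) {
            throw new HiveAccessControlException("RangerHiveAuthorizer.getAllRoles(): User not authorized to run show roles...");
        }
        userNames = Arrays.asList(currentUserName);
        RangerRoles rangerRoles = hivePlugin.getRangerRoles();
        if (rangerRoles != null) {
            Set<RangerRole> roles = rangerRoles.getRangerRoles();
            if (CollectionUtils.isNotEmpty(roles)) {
                for (RangerRole rangerRole : roles) {
                    ret.add(rangerRole.getName());
                }
            }
        }
        result = true;
    } catch (HiveAccessControlException excp) {
        // Keep the denial as an access-control exception rather than wrapping
        // it in a plugin exception, so Hive reports it as "not authorized".
        throw excp;
    } catch (Exception excp) {
        throw new HiveAuthzPluginException(excp);
    } finally {
        // Audit both allowed and denied attempts; result reflects which.
        RangerAccessResult accessResult = createAuditEvent(hivePlugin, currentUserName, userNames, HiveOperationType.SHOW_ROLES, HiveAccessType.SELECT, null, result);
        hivePlugin.evalAuditPolicies(accessResult);
        auditHandler.processResult(accessResult);
        auditHandler.flushAudit();
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerHiveAuthorizer.getAllRoles() roles: " + ret);
    }
    return ret;
}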

Example 5 with RangerRoles

Use of org.apache.ranger.plugin.util.RangerRoles in the project ranger by apache.

From the class RoleREST, method getSecureRangerRolesIfUpdated.

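/**
 * Authorization-checked variant of the role download: returns the roles of
 * {@code serviceName} to a plugin when they have changed since
 * {@code lastKnownRoleVersion}, but only to callers permitted to download
 * them.
 * <p>
 * Permission: for a KMS service the caller must be a key admin, for any other
 * service an admin; otherwise the caller must be listed in the service's
 * {@code POLICY_DOWNLOAD_USERS}. Outcomes: 200 with the roles; 304 (raised as
 * a REST exception) when the role store reports no change; 404 when the
 * service does not exist; 401 when the caller lacks permission; the
 * validation error's own status when the service check fails; 400 on any
 * other failure. Every call is recorded via {@code assetMgr.createPluginInfo}
 * with the resulting HTTP code.
 *
 * @param serviceName          service whose roles are requested
 * @param lastKnownRoleVersion role version the plugin already holds; {@code null} is treated as -1
 * @param lastActivationTime   plugin-reported activation time, recorded in plugin info
 * @param pluginId             identifier of the calling plugin, recorded in plugin info
 * @param clusterName          cluster of the calling plugin, recorded in plugin info
 * @param pluginCapabilities   capability string of the calling plugin, recorded in plugin info
 * @param request              incoming request; marked with the {@code downloadPolicy=secure} attribute
 * @return the roles with {@code serviceName} set on them; never {@code null} on a normal return
 * @throws Exception a REST exception carrying the HTTP code for every non-200 outcome
 */
@GET
@Path("/secure/download/{serviceName}")
@Produces({ "application/json", "application/xml" })
public RangerRoles getSecureRangerRolesIfUpdated(@PathParam("serviceName") String serviceName, @QueryParam("lastKnownRoleVersion") Long lastKnownRoleVersion, @DefaultValue("0") @QueryParam("lastActivationTime") Long lastActivationTime, @QueryParam("pluginId") String pluginId, @DefaultValue("") @QueryParam("clusterName") String clusterName, @DefaultValue("") @QueryParam(RangerRESTUtils.REST_PARAM_CAPABILITIES) String pluginCapabilities, @Context HttpServletRequest request) throws Exception {
    if (LOG.isDebugEnabled()) {
        // Third argument is the activation time, matching the "<==" line and the
        // non-secure endpoint (it used to repeat lastKnownRoleVersion).
        LOG.debug("==> RoleREST.getSecureRangerRolesIfUpdated(" + serviceName + ", " + lastKnownRoleVersion + ", " + lastActivationTime + ")");
    }
    RangerRoles ret = null;
    int httpCode = HttpServletResponse.SC_OK;
    String logMsg = null;
    boolean isAllowed = false;
    boolean isAdmin = bizUtil.isAdmin();
    boolean isKeyAdmin = bizUtil.isKeyAdmin();
    Long downloadedVersion = null;
    request.setAttribute("downloadPolicy", "secure");
    boolean isValid = false;
    try {
        isValid = serviceUtil.isValidService(serviceName, request);
    } catch (WebApplicationException webException) {
        httpCode = webException.getResponse().getStatus();
        // The response entity can be absent; fall back to the exception message
        // instead of throwing a NullPointerException out of the handler.
        Object entity = webException.getResponse().getEntity();
        logMsg = entity != null ? entity.toString() : webException.getMessage();
    } catch (Exception e) {
        httpCode = HttpServletResponse.SC_BAD_REQUEST;
        logMsg = e.getMessage();
    }
    if (isValid) {
        // -1 means "no version known", so the store returns whatever it has.
        if (lastKnownRoleVersion == null) {
            lastKnownRoleVersion = Long.valueOf(-1);
        }
        try {
            XXService xService = daoManager.getXXService().findByName(serviceName);
            if (xService == null) {
                LOG.error("Requested Service not found. serviceName=" + serviceName);
                throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Service:" + serviceName + " not found", false);
            }
            XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
            RangerService rangerService = svcStore.getServiceByName(serviceName);
            boolean isKmsService = org.apache.commons.lang.StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME);
            // KMS services are governed by key admins, all others by admins; anyone
            // else must be listed in POLICY_DOWNLOAD_USERS. The short-circuit keeps
            // the isUserAllowed() lookup to the non-admin case.
            isAllowed = (isKmsService ? isKeyAdmin : isAdmin) || bizUtil.isUserAllowed(rangerService, POLICY_DOWNLOAD_USERS);
            if (isAllowed) {
                RangerRoles roles = roleStore.getRoles(serviceName, lastKnownRoleVersion);
                if (roles == null) {
                    // Store signals "unchanged" with null; report the version the plugin sent.
                    downloadedVersion = lastKnownRoleVersion;
                    httpCode = HttpServletResponse.SC_NOT_MODIFIED;
                    logMsg = "No change since last update";
                } else {
                    downloadedVersion = roles.getRoleVersion();
                    roles.setServiceName(serviceName);
                    ret = roles;
                    httpCode = HttpServletResponse.SC_OK;
                    logMsg = "Returning RangerRoles =>" + (ret.toString());
                }
            } else {
                LOG.error("getSecureRangerRolesIfUpdated(" + serviceName + ", " + lastKnownRoleVersion + ") failed as User doesn't have permission to UserGroupRoles");
                // 401 is what plugins expect for a denied download; strictly this is
                // an authorization (403) condition, kept for client compatibility.
                httpCode = HttpServletResponse.SC_UNAUTHORIZED;
                logMsg = "User doesn't have permission to download UserGroupRoles";
            }
        } catch (WebApplicationException restException) {
            // Preserve the status of REST exceptions raised above (the 404 for an
            // unknown service) instead of collapsing them to 400 below.
            httpCode = restException.getResponse().getStatus();
            Object entity = restException.getResponse().getEntity();
            logMsg = entity != null ? entity.toString() : restException.getMessage();
        } catch (Throwable excp) {
            // Throwable is caught so that any store or DAO failure is reported to
            // the plugin as a 400; note that this also converts Errors.
            LOG.error("getSecureRangerRolesIfUpdated(" + serviceName + ", " + lastKnownRoleVersion + ", " + lastActivationTime + ") failed", excp);
            httpCode = HttpServletResponse.SC_BAD_REQUEST;
            // This message becomes the REST error body below, so store
            // exceptions should not carry internal detail.
            logMsg = excp.getMessage();
        }
    }
    // Recorded for every outcome, including 304, 401 and failures.
    assetMgr.createPluginInfo(serviceName, pluginId, request, RangerPluginInfo.ENTITY_TYPE_ROLES, downloadedVersion, lastKnownRoleVersion, lastActivationTime, httpCode, clusterName, pluginCapabilities);
    if (httpCode != HttpServletResponse.SC_OK) {
        // 304 is a normal outcome and is not logged as an error.
        boolean logError = httpCode != HttpServletResponse.SC_NOT_MODIFIED;
        throw restErrorUtil.createRESTException(httpCode, logMsg, logError);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RoleREST.getSecureRangerRolesIfUpdated(" + serviceName + ", " + lastKnownRoleVersion + ", " + lastActivationTime + ")" + ret);
    }
    return ret;
}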
